mirror of https://github.com/zcash/halo2.git
WIP permutation checks in verifier
parent
0bf73c5d08
commit
2472ec3291
|
@ -44,6 +44,10 @@ pub struct SRS<C: CurveAffine> {
|
|||
pub struct Proof<C: CurveAffine> {
|
||||
advice_commitments: Vec<C>,
|
||||
h_commitments: Vec<C>,
|
||||
permutation_product_commitments: Vec<C>,
|
||||
permutation_product_evals: Vec<C::Scalar>,
|
||||
permutation_product_inv_evals: Vec<C::Scalar>,
|
||||
permutation_evals: Vec<C::Scalar>,
|
||||
advice_evals: Vec<C::Scalar>,
|
||||
fixed_evals: Vec<C::Scalar>,
|
||||
h_evals: Vec<C::Scalar>,
|
||||
|
|
|
@ -111,6 +111,12 @@ impl<C: CurveAffine> Proof<C> {
|
|||
})
|
||||
.collect();
|
||||
|
||||
// Sample x_0 challenge
|
||||
let x_0: C::Scalar = get_challenge_scalar(Challenge(transcript.squeeze().get_lower_128()));
|
||||
|
||||
// Sample x_1 challenge
|
||||
let x_1: C::Scalar = get_challenge_scalar(Challenge(transcript.squeeze().get_lower_128()));
|
||||
|
||||
// Obtain challenge for keeping all separate gates linearly independent
|
||||
let x_2: C::Scalar = get_challenge_scalar(Challenge(transcript.squeeze().get_lower_128()));
|
||||
|
||||
|
@ -369,6 +375,10 @@ impl<C: CurveAffine> Proof<C> {
|
|||
Ok(Proof {
|
||||
advice_commitments,
|
||||
h_commitments,
|
||||
permutation_product_commitments: vec![C::default(); params.n as usize],
|
||||
permutation_product_evals: vec![C::Scalar::one(); params.n as usize],
|
||||
permutation_product_inv_evals: vec![C::Scalar::one(); params.n as usize],
|
||||
permutation_evals: vec![C::Scalar::one(); params.n as usize],
|
||||
advice_evals,
|
||||
fixed_evals,
|
||||
h_evals,
|
||||
|
|
|
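Review bot: In the hunk at line 111 the challenges `x_0`, `x_1` and `x_2` are squeezed one after another with nothing fed into the transcript between them, and the hunk at line 369 fills `permutation_product_commitments` with `C::default()` rather than committed values. For the Fiat-Shamir transform to bind the permutation argument, the product commitments would normally need to enter the transcript after `x_0`/`x_1` are drawn and before `x_2`; as written, nothing visible ties the later challenges to them. The three evaluation vectors are likewise constant `C::Scalar::one()` placeholders of length `params.n`, which is exactly what the verifier's current equality test accepts. A comment such as `// TODO: placeholder permutation data, not derived from the witness` above these four fields would make the state explicit. Both functions extend beyond the hunks.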
@ -19,6 +19,41 @@ impl<C: CurveAffine> Proof<C> {
|
|||
.expect("proof cannot contain points at infinity");
|
||||
}
|
||||
|
||||
// Sample x_0 challenge
|
||||
let x_0: C::Scalar = get_challenge_scalar(Challenge(transcript.squeeze().get_lower_128()));
|
||||
|
||||
// Sample x_1 challenge
|
||||
let x_1: C::Scalar = get_challenge_scalar(Challenge(transcript.squeeze().get_lower_128()));
|
||||
|
||||
// Check permutations
|
||||
// Compute [omega^0, omega^1, ..., omega^{params.n - 1}]
|
||||
let mut omega_powers = Vec::with_capacity(params.n as usize);
|
||||
{
|
||||
let mut cur = C::Scalar::one();
|
||||
for _ in 0..params.n {
|
||||
omega_powers.push(cur);
|
||||
cur *= &srs.domain.get_omega();
|
||||
}
|
||||
}
|
||||
|
||||
// For each permutation
|
||||
for perm in &srs.meta.permutations {
|
||||
// Check permutation condition on all points
|
||||
for i in 0..params.n as usize {
|
||||
let left_perm_eval = self.permutation_product_inv_evals[i];
|
||||
let right_perm_eval = self.permutation_product_evals[i];
|
||||
|
||||
for wire in perm {
|
||||
// z(\omega^{-1} X) (a(X) + \beta X + \gamma) (b(X) + \delta \beta X + \gamma) (c(X) + \delta^2 \beta X + \gamma)
|
||||
|
||||
// z(X) (a(X) + \beta s_a(X) + \gamma) (b(X) + \beta s_b(X) + \gamma) (c(X) + \beta s_c(X) + \gamma)
|
||||
}
|
||||
if left_perm_eval != right_perm_eval {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Sample x_2 challenge, which keeps the gates linearly independent.
|
||||
let x_2: C::Scalar = get_challenge_scalar(Challenge(transcript.squeeze().get_lower_128()));
|
||||
|
||||
|
|
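Review bot: The permutation loop indexes `self.permutation_product_inv_evals[i]` and `self.permutation_product_evals[i]` for every `i` in `0..params.n` without checking the vectors' lengths, and both come from the proof, so a proof carrying shorter vectors panics the verifier instead of being rejected. A guard ahead of the loop, such as `if self.permutation_product_evals.len() != params.n as usize || self.permutation_product_inv_evals.len() != params.n as usize { return false; }`, turns that into a normal rejection. The `for wire in perm` body holds only the two formula comments, so the comparison is between two prover-supplied values and does not yet involve the advice or permutation evaluations; a `// TODO: permutation argument not enforced yet` on the `if` would keep this from being read as a working check, and `omega_powers`, `x_0` and `x_1` are unused in the visible lines. The enclosing function starts and ends outside the hunk.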