Adding a test, and some fixes for dFRI verification.
martun committed Feb 27, 2025
1 parent 3dbd102 commit 8d66b4f
Showing 6 changed files with 433 additions and 44 deletions.
@@ -1,5 +1,5 @@
//---------------------------------------------------------------------------//
// Copyright (c) 2022-2023 Martun Karapetyan <[email protected]>
// Copyright (c) 2025 Martun Karapetyan <[email protected]>
//
// MIT License
//
Expand Down Expand Up @@ -48,6 +48,14 @@ namespace nil {
class placeholder_DFRI_verifier {
using verifier_type = placeholder_verifier<FieldType, ParamsType>;
using public_input_type = std::vector<std::vector<typename FieldType::value_type>>;
using transcript_hash_type = typename ParamsType::transcript_hash_type;
using policy_type = detail::placeholder_policy<FieldType, ParamsType>;
using public_preprocessor_type = placeholder_public_preprocessor<FieldType, ParamsType>;

using commitment_scheme_type = typename ParamsType::commitment_scheme_type;
using commitment_type = typename commitment_scheme_type::commitment_type;
using transcript_type = typename commitment_scheme_type::transcript_type;

public:

static inline bool process(
Expand All @@ -58,16 +66,16 @@ namespace nil {
std::vector<commitment_scheme_type>& commitment_schemes,
std::vector<public_input_type> &public_inputs
) {
const size_t N = proof.partial_proofs.size();
std::vector<transcript::fiat_shamir_heuristic_sequential<transcript_hash_type>> transcript(N, std::vector<std::uint8_t>({}));
const size_t N = agg_proof.partial_proofs.size();
std::vector<transcript::fiat_shamir_heuristic_sequential<transcript_hash_type>> transcripts(N, std::vector<std::uint8_t>({}));

std::vector<placeholder_proof<FieldType, ParamsType>> proofs;
std::vector<typename FieldType::value_type> F_consolidated;
// Verify partial proofs.
for (size_t i = 0; i < N; i++) {
// Create a proof from aggregated_proof.
placeholder_proof<FieldType, ParamsType>::evaluation_proof eval_proof;
eval_proof.eval_proof = proof.aggregated_proof.initial_proofs_per_prover[i];
typename placeholder_proof<FieldType, ParamsType>::evaluation_proof eval_proof;
eval_proof.eval_proof = agg_proof.aggregated_proof.initial_proofs_per_prover[i];
proofs.push_back(placeholder_proof<FieldType, ParamsType>(agg_proof.partial_proofs[i], eval_proof));

if (!verifier_type::verify_partial_proof(
Expand All @@ -83,14 +91,14 @@ namespace nil {
transcript_type transcript_for_aggregation;

for (size_t i = 0; i < N; i++) {
transcript_for_aggregation(transcript[i].challenge());
transcript_for_aggregation(transcripts[i].challenge());
}

// produce the aggregated challenge
auto aggregated_challenge = transcript_for_aggregation.template challenge<BlueprintField>();
auto aggregated_challenge = transcript_for_aggregation.template challenge<FieldType>();

// This the transcript that our provers will use, it's not the same as 'transcript_for_aggregation', it's the transcript that your get
// after injesting the aggregated challenge.
// This the transcript that our provers will use, it's not the same as 'transcript_for_aggregation', it's the transcript that
// you get after injesting the aggregated challenge.
transcript_type aggregated_transcript;
aggregated_transcript(aggregated_challenge);

Expand All @@ -103,26 +111,25 @@ namespace nil {
return false;

verifier_type::prepare_polynomials(
*proof,
*common_data,
*constraint_system,
*commitment_scheme);
proofs[i].eval_proof,
common_datas[i],
constraint_systems[i],
commitment_schemes[i]);

starting_indexes[i] = i == 0 ? 0 : starting_indexes[i-1];
starting_indexes[i] += commitments[i].compute_theta_power_for_combined_Q();
starting_indexes[i] += commitment_schemes[i].compute_theta_power_for_combined_Q();
}


typename std::vector<typename FieldType::value_type> U_combined;
// V is product of (x - eval_point) polynomial for each eval_point
typename std::vector<math::polynomial<typename FieldType::value_type>> V_expected;

// List of involved polynomials for each eval point [batch_id, poly_id, point_id]
typename std::vector<std::vector<std::tuple<std::size_t, std::size_t>>> poly_map_expected;

typename FieldType::value_type theta = aggregated_challenge_transcript.template challenge<FieldType>();
typename FieldType::value_type theta = aggregated_transcript.template challenge<FieldType>();
for (size_t i = 0; i < N; i++) {
size_t total_points = lpc_schemes[i].get_total_points();
size_t total_points = commitment_schemes[i].get_total_points();
typename std::vector<typename FieldType::value_type> U(total_points);

// V is product of (x - eval_point) polynomial for each eval_point
Expand All @@ -132,7 +139,7 @@ namespace nil {
typename std::vector<std::vector<std::tuple<std::size_t, std::size_t>>> poly_map(total_points);

typename FieldType::value_type theta_acc = theta.pow(starting_indexes[i]);
lpc_schemes[i].generate_U_V_polymap(U, V, poly_map, *partial_proofs_i[i].z, theta, theta_acc, starting_indexes[i]);
commitment_schemes[i].generate_U_V_polymap(U, V, poly_map, proofs[i].eval_proof.z, theta, theta_acc, starting_indexes[i]);

// We shall sum up the values in U, and the values in V and poly_map must be the same for each prover.
if (i == 0) {
Expand All @@ -158,18 +165,19 @@ namespace nil {
}
}

if (!nil::crypto3::zk::algorithms::verify_eval<fri_type>(
proof.aggregated_proof.fri_proof,
lpc_schemes[i].get_commitment_params(),
fri_proof.commitments, // TODO or fri_proof.fri_roots instead? which one's which?
theta,
poly_map_expected,
U_combined,
V_expected,
aggregated_challenge_transcript)) {
BOOST_LOG_TRIVIAL(info) << "dFRI Verification failed: final FRI proof failed.";
return false;
}
// TODO: finalize the last FRI part.
//if (!nil::crypto3::zk::algorithms::verify_eval<fri_type>(
// proof.aggregated_proof.fri_proof,
// commitment_schemes[i].get_commitment_params(),
// fri_proof.commitments, // TODO or fri_proof.fri_roots instead? which one's which?
// theta,
// poly_map_expected,
// U_combined,
// V_expected,
// aggregated_challenge_transcript)) {
// BOOST_LOG_TRIVIAL(info) << "dFRI Verification failed: final FRI proof failed.";
// return false;
//}
return true;
}
};
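Review bot: `process` now ends in an unconditional `return true;` with the final `verify_eval<fri_type>` call commented out, so as shown the dFRI verifier accepts an aggregated proof once the partial proofs and the U/V/poly_map consistency checks pass, without ever checking `aggregated_proof.fri_proof`. Until that step is finished the function should fail closed or be clearly marked as incomplete, e.g. end with `BOOST_LOG_TRIVIAL(error) << "dFRI verification: final FRI check not implemented."; return false;` and have the new test assert on the partial steps instead. The commented-out block also still uses names this change appears to have renamed (`proof`, `aggregated_challenge_transcript`) and indexes `commitment_schemes[i]` after the loop over `i` seems to have closed, so it will not compile when re-enabled as written. Parts of the body are collapsed on this page, so any checks that `initial_proofs_per_prover`, `common_datas`, `constraint_systems` and `commitment_schemes` all have `N` entries are not visible; if they are absent, add them before the first loop, since every one of these is indexed with `i < N`.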
Expand Up @@ -481,6 +481,10 @@ namespace nil {
return evaluation_points_public;
}

public:
// Transcript is used from the outside to generate an aggregated challenge for dFRI.
transcript::fiat_shamir_heuristic_sequential<transcript_hash_type> transcript;

private:
// Structures passed from outside by reference.
const typename public_preprocessor_type::preprocessed_data_type &preprocessed_public_data;
Expand All @@ -491,7 +495,6 @@ namespace nil {
std::unique_ptr<plonk_polynomial_dfs_table<FieldType>> _polynomial_table;
placeholder_proof<FieldType, ParamsType> _proof;
std::array<polynomial_dfs_type, f_parts> _F_dfs;
transcript::fiat_shamir_heuristic_sequential<transcript_hash_type> transcript;
bool _is_lookup_enabled;
typename FieldType::value_type _omega;
std::vector<typename FieldType::value_type> _challenge_point;
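Review bot: Moving `transcript` into a `public:` section exposes the prover's mutable Fiat-Shamir state, so any caller can absorb data into it or (if `challenge()` advances the state) draw challenges from it, which changes every challenge the prover derives afterwards. The added comment says the outside use is only to generate the aggregated dFRI challenge, so a narrower interface would do: keep the member private and add an accessor that hands out a copy, e.g. `transcript::fiat_shamir_heuristic_sequential<transcript_hash_type> transcript_copy() const { return transcript; }`. The comment should also state at which point of proving the transcript is meant to be read, because the value depends on how much has been absorbed by then. How the prover uses `transcript` is outside this hunk, so confirm that a copy is sufficient for the aggregation flow.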
Expand Up @@ -54,6 +54,7 @@ namespace nil {
using policy_type = detail::placeholder_policy<FieldType, ParamsType>;
using public_preprocessor_type = placeholder_public_preprocessor<FieldType, ParamsType>;

using proof_type = placeholder_proof<FieldType, ParamsType>;
using commitment_scheme_type = typename ParamsType::commitment_scheme_type;
using commitment_type = typename commitment_scheme_type::commitment_type;
using transcript_type = typename commitment_scheme_type::transcript_type;
Expand Down Expand Up @@ -148,7 +149,7 @@ namespace nil {

static inline bool process(
const typename public_preprocessor_type::preprocessed_data_type::common_data_type &common_data,
const placeholder_proof<FieldType, ParamsType> &proof,
const proof_type &proof,
const plonk_table_description<FieldType> &table_description,
const plonk_constraint_system<FieldType> &constraint_system,
commitment_scheme_type& commitment_scheme,
Expand Down Expand Up @@ -189,7 +190,7 @@ namespace nil {

static inline bool process(
const typename public_preprocessor_type::preprocessed_data_type::common_data_type &common_data,
const placeholder_proof<FieldType, ParamsType> &proof,
const proof_type &proof,
const plonk_table_description<FieldType> &table_description,
const plonk_constraint_system<FieldType> &constraint_system,
commitment_scheme_type& commitment_scheme
Expand All @@ -206,7 +207,7 @@ namespace nil {
}

verify_consolidated_polynomial(common_data, proof, F_consolidated, transcript);
prepare_polynomials(proof, common_data, table_description, constraint_system, commitment_scheme);
prepare_polynomials(proof.eval_proof, common_data, table_description, constraint_system, commitment_scheme);

std::map<std::size_t, typename commitment_scheme_type::commitment_type> commitments = proof.commitments;
commitments[FIXED_VALUES_BATCH] = common_data.commitments.fixed_values;
Expand All @@ -220,7 +221,7 @@ namespace nil {

static inline bool verify_partial_proof(
const typename public_preprocessor_type::preprocessed_data_type::common_data_type &common_data,
const placeholder_proof<FieldType, ParamsType> &proof,
const proof_type &proof,
const plonk_table_description<FieldType> &table_description,
const plonk_constraint_system<FieldType> &constraint_system,
commitment_scheme_type& commitment_scheme,
Expand Down Expand Up @@ -272,7 +273,7 @@ namespace nil {
*/
static inline bool verify_partial_proof(
const typename public_preprocessor_type::preprocessed_data_type::common_data_type &common_data,
const placeholder_proof<FieldType, ParamsType> &proof,
const proof_type &proof,
const plonk_table_description<FieldType> &table_description,
const plonk_constraint_system<FieldType> &constraint_system,
commitment_scheme_type& commitment_scheme,
Expand Down Expand Up @@ -512,7 +513,7 @@ namespace nil {

static inline bool verify_consolidated_polynomial(
const typename public_preprocessor_type::preprocessed_data_type::common_data_type &common_data,
const placeholder_proof<FieldType, ParamsType> &proof,
const proof_type &proof,
const typename FieldType::value_type& F_consolidated,
transcript_type &transcript)
{
Expand Down Expand Up @@ -540,31 +541,31 @@ namespace nil {
}

static inline void prepare_polynomials(
const placeholder_proof<FieldType, ParamsType> &proof,
const typename proof_type::evaluation_proof &eval_proof,
const typename public_preprocessor_type::preprocessed_data_type::common_data_type &common_data,
const plonk_table_description<FieldType> &table_description,
const plonk_constraint_system<FieldType> &constraint_system,
commitment_scheme_type &commitment_scheme) {

commitment_scheme.set_batch_size(VARIABLE_VALUES_BATCH,
proof.eval_proof.eval_proof.z.get_batch_size(VARIABLE_VALUES_BATCH));
eval_proof.eval_proof.z.get_batch_size(VARIABLE_VALUES_BATCH));
commitment_scheme.set_batch_size(FIXED_VALUES_BATCH,
proof.eval_proof.eval_proof.z.get_batch_size(FIXED_VALUES_BATCH));
eval_proof.eval_proof.z.get_batch_size(FIXED_VALUES_BATCH));
bool is_lookup_enabled = (constraint_system.lookup_gates().size() > 0);

if (is_lookup_enabled || constraint_system.copy_constraints().size())
commitment_scheme.set_batch_size(PERMUTATION_BATCH,
proof.eval_proof.eval_proof.z.get_batch_size(PERMUTATION_BATCH));
eval_proof.eval_proof.z.get_batch_size(PERMUTATION_BATCH));

commitment_scheme.set_batch_size(QUOTIENT_BATCH,
proof.eval_proof.eval_proof.z.get_batch_size(QUOTIENT_BATCH));
eval_proof.eval_proof.z.get_batch_size(QUOTIENT_BATCH));

if (is_lookup_enabled)
commitment_scheme.set_batch_size(LOOKUP_BATCH,
proof.eval_proof.eval_proof.z.get_batch_size(LOOKUP_BATCH));
eval_proof.eval_proof.z.get_batch_size(LOOKUP_BATCH));

generate_evaluation_points(commitment_scheme, common_data, constraint_system,
table_description, proof.eval_proof.challenge, is_lookup_enabled);
table_description, eval_proof.challenge, is_lookup_enabled);

}
};
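Review bot: In the `process` overload that shows `verify_consolidated_polynomial(common_data, proof, F_consolidated, transcript);`, the call's `bool` result is discarded, so as far as the visible lines show a failed consolidated-polynomial check would not stop verification. The line is unchanged context, but this commit edits the statement directly after it and the check matters for soundness: `if (!verify_consolidated_polynomial(common_data, proof, F_consolidated, transcript)) return false;`. Marking the `static inline bool` verifier helpers `[[nodiscard]]` would let the compiler flag this pattern. The bodies of `process` and `verify_consolidated_polynomial` are collapsed on this page, so confirm against the full file. A short doc comment on `prepare_polynomials` would also help, noting that the batch sizes it sets on `commitment_scheme` are read from `eval_proof.eval_proof.z`, i.e. from prover-supplied data.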
1 change: 1 addition & 0 deletions crypto3/libs/zk/test/CMakeLists.txt
Expand Up @@ -60,6 +60,7 @@ set(TESTS_NAMES

"systems/plonk/type_traits"
"systems/plonk/placeholder/placeholder_circuits"
"systems/plonk/placeholder/placeholder_circuits_dFRI"
"systems/plonk/placeholder/placeholder_goldilocks"
# TODO(ioxid): fails with "std::invalid_argument: expected logn <= arithmetic_params<FieldType>::two_adicity"
# so Mersenne31 is unsupported for now.
