permutation check for plonk works

plonky2_verifier/plonk.go

@@ -2,10 +2,13 @@ package plonky2_verifier
 
 import (
 	. "gnark-ed25519/field"
+
+	"github.com/consensys/gnark/frontend"
 )
 
 type PlonkChip struct {
-	qe *QuadraticExtensionAPI
+	api frontend.API
+	qe  *QuadraticExtensionAPI
 
 	commonData      CommonCircuitData
 	proofChallenges ProofChallenges
@@ -16,11 +19,12 @@ type PlonkChip struct {
 	DEGREE_QE     QuadraticExtension
 }
 
-func NewPlonkChip(qe *QuadraticExtensionAPI, commonData CommonCircuitData) *PlonkChip {
+func NewPlonkChip(api frontend.API, qe *QuadraticExtensionAPI, commonData CommonCircuitData) *PlonkChip {
 	// TODO:  Should degreeBits be verified that it fits within the field and that degree is within uint64?
 
 	return &PlonkChip{
-		qe: qe,
+		api: api,
+		qe:  qe,
 
 		commonData: commonData,
 
@@ -88,7 +92,7 @@ func (p *PlonkChip) checkPartialProducts(
 	return partialProductChecks
 }
 
-func (p *PlonkChip) evalVanishingPoly() []QuadraticExtension {
+func (p *PlonkChip) evalVanishingPoly(zetaPowN QuadraticExtension) []QuadraticExtension {
 	// Calculate the k[i] * x
 	sIDs := make([]QuadraticExtension, p.commonData.Config.NumRoutedWires)
 
@@ -96,9 +100,6 @@ func (p *PlonkChip) evalVanishingPoly() []QuadraticExtension {
 		sIDs[i] = p.qe.ScalarMulExtension(p.proofChallenges.PlonkZeta, p.commonData.KIs[i])
 	}
 
-	// Calculate zeta^n
-	zetaPowN := p.expPowerOf2Extension(p.proofChallenges.PlonkZeta)
-
 	// Calculate L_0(zeta)
 	l0Zeta := p.evalL0(p.proofChallenges.PlonkZeta, zetaPowN)
 
@@ -179,33 +180,46 @@ func (p *PlonkChip) evalVanishingPoly() []QuadraticExtension {
 	return reducedValues
 }
 
-func (p *PlonkChip) Verify() {
+func (p *PlonkChip) reduceWithPowers(terms []QuadraticExtension, scalar QuadraticExtension) QuadraticExtension {
-	vanishingPolysZeta := p.evalVanishingPoly()
+	sum := p.qe.ZERO_QE
 
-	for _, vp := range vanishingPolysZeta {
+	for i := len(terms) - 1; i >= 0; i-- {
-		p.qe.Println(vp)
+		sum = p.qe.AddExtension(
+			p.qe.MulExtension(
+				sum,
+				scalar,
+			),
+			terms[i],
+		)
 	}
 
-	/*
+	return sum
-			let alphas = &alphas.iter().map(|&a| a.into()).collect::<Vec<_>>();
+}
-		    plonk_common::reduce_with_powers_multi(&vanishing_terms, alphas)
+
-
+func (p *PlonkChip) Verify() {
-		    // Check each polynomial identity, of the form `vanishing(x) = Z_H(x) quotient(x)`, at zeta.
+	// Calculate zeta^n
-		    let quotient_polys_zeta = &proof.openings.quotient_polys;
+	zetaPowN := p.expPowerOf2Extension(p.proofChallenges.PlonkZeta)
-		    let zeta_pow_deg = challenges
+
-		        .plonk_zeta
+	vanishingPolysZeta := p.evalVanishingPoly(zetaPowN)
-		        .exp_power_of_2(common_data.degree_bits());
+
-		    let z_h_zeta = zeta_pow_deg - F::Extension::ONE;
+	// Calculate Z(H)
-		    // `quotient_polys_zeta` holds `num_challenges * quotient_degree_factor` evaluations.
+	zHZeta := p.qe.SubExtension(zetaPowN, p.qe.ONE)
-		    // Each chunk of `quotient_degree_factor` holds the evaluations of `t_0(zeta),...,t_{quotient_degree_factor-1}(zeta)`
+
-		    // where the "real" quotient polynomial is `t(X) = t_0(X) + t_1(X)*X^n + t_2(X)*X^{2n} + ...`.
+	// `quotient_polys_zeta` holds `num_challenges * quotient_degree_factor` evaluations.
-		    // So to reconstruct `t(zeta)` we can compute `reduce_with_powers(chunk, zeta^n)` for each
+	// Each chunk of `quotient_degree_factor` holds the evaluations of `t_0(zeta),...,t_{quotient_degree_factor-1}(zeta)`
-		    // `quotient_degree_factor`-sized chunk of the original evaluations.
+	// where the "real" quotient polynomial is `t(X) = t_0(X) + t_1(X)*X^n + t_2(X)*X^{2n} + ...`.
-		    for (i, chunk) in quotient_polys_zeta
+	// So to reconstruct `t(zeta)` we can compute `reduce_with_powers(chunk, zeta^n)` for each
-		        .chunks(common_data.quotient_degree_factor)
+	// `quotient_degree_factor`-sized chunk of the original evaluations.
-		        .enumerate()
+	for i := 0; i < len(p.openings.QuotientPolys); i += int(p.commonData.QuotientDegreeFactor) {
-		    {
+		prod := p.qe.MulExtension(
-		        ensure!(vanishing_polys_zeta[i] == z_h_zeta * reduce_with_powers(chunk, zeta_pow_deg));
+			zHZeta,
-		    }
+			p.reduceWithPowers(
-	*/
+				p.openings.QuotientPolys[i:i+int(p.commonData.QuotientDegreeFactor)],
+				zetaPowN,
+			),
+		)
+
+		// TODO: Uncomment this after adding in the custom gates evaluations
+		//p.api.AssertIsEqual(vanishingPolysZeta[i], prod)
+	}
 }

plonky2_verifier/plonk_test.go

@@ -37,7 +37,7 @@ func (circuit *TestPlonkCircuit) Define(api frontend.API) error {
 		},
 	}
 
-	plonkChip := NewPlonkChip(qe, commonCircuitData)
+	plonkChip := NewPlonkChip(api, qe, commonCircuitData)
 	plonkChip.proofChallenges = proofChallenges
 	plonkChip.openings = proofWithPis.Proof.Openings
 

plonky2_verifier/verifier.go

@@ -55,6 +55,8 @@ func (c *VerifierChip) GetChallenges(proofWithPis ProofWithPublicInputs, publicI
 }
 
 func (c *VerifierChip) Verify(proofWithPis ProofWithPublicInputs, verifierData VerifierOnlyCircuitData, commonData CommonCircuitData) {
+	// TODO: Verify shape of the proof?
+
 	publicInputsHash := c.GetPublicInputsHash(proofWithPis.PublicInputs)
 	proofChallenges := c.GetChallenges(proofWithPis, publicInputsHash, commonData)
 	fmt.Printf("%+v\n", proofChallenges)