2024-12-13 20:24:24 +01:00
|
|
|
|
|
|
|
|
A standalone Plonky2 verifier
|
|
|
|
|
-----------------------------
|
|
|
|
|
|
2024-12-15 14:03:44 +01:00
|
|
|
This is a (WIP) implementation of a Plonky2 verifier written in Haskell.
|
2024-12-13 20:24:24 +01:00
|
|
|
|
|
|
|
|
[Plonky2](https://github.com/0xPolygonZero/plonky2/) is a zero-knowledge proof
|
|
|
|
|
system developed by Polygon Zero, optimized for recursive proofs.
|
|
|
|
|
|
|
|
|
|
The goal here is to provide an executable specification (along a with less precise,
|
2025-01-26 17:22:40 +01:00
|
|
|
but still detailed [human language description](commentary/README.md)) of
|
2025-01-23 18:59:51 +01:00
|
|
|
the Plonky2 verification algorithm.
|
2024-12-13 20:24:24 +01:00
|
|
|
|
|
|
|
|
Another goal is to be a basis for further tooling (for example:
|
|
|
|
|
estimating verifier costs, helping the design of recursive circuits, generating
|
|
|
|
|
Plonky2 verifier circuits for other proof systems, etc)
|
|
|
|
|
|
2024-12-15 14:03:44 +01:00
|
|
|
Note: It's deliberately not a goal for this verifier to be efficient; instead we
|
2024-12-13 20:24:24 +01:00
|
|
|
try to focus on simplicity.
|
|
|
|
|
|
2025-02-08 17:51:21 +01:00
|
|
|
This code can be a bit ugly at some places. There is a reason for that, namely,
|
|
|
|
|
that the semantics we have to emulate, are _somewhat idiosyncratic_...
|
|
|
|
|
|
2024-12-13 20:24:24 +01:00
|
|
|
|
|
|
|
|
### Implementation status
|
|
|
|
|
|
|
|
|
|
- [x] Parsing the proof and verification key from JSON
|
2025-01-23 18:59:51 +01:00
|
|
|
- [ ] Parsing from Plonky2's custom binary serialization
|
2024-12-13 20:24:24 +01:00
|
|
|
- [x] Generating verifier challenges
|
|
|
|
|
- [ ] Recursive circuit subtle details (like [this](https://github.com/0xPolygonZero/plonky2/blob/356aefb6863ac881fb71f9bf851582c915428458/plonky2/src/fri/challenges.rs#L55-L64]))
|
2024-12-15 20:53:14 +01:00
|
|
|
- [x] Constraints check
|
2024-12-13 20:24:24 +01:00
|
|
|
- [ ] FRI check
|
2025-01-26 17:22:40 +01:00
|
|
|
- [x] Support lookup tables
|
2025-02-08 17:51:21 +01:00
|
|
|
- [ ] Support zero-knowledge
|
2025-01-21 21:27:43 +01:00
|
|
|
- [x] Documenting Plonky2 internals and the verifier algorithm (WIP)
|
2025-01-23 18:59:51 +01:00
|
|
|
- [ ] Cabalize
|
2024-12-13 20:24:24 +01:00
|
|
|
|
|
|
|
|
Supported gates:
|
|
|
|
|
|
|
|
|
|
- [x] ArithmeticGate
|
|
|
|
|
- [x] ArithmeticExtensionGate
|
|
|
|
|
- [x] BaseSumGate
|
2025-01-23 18:59:51 +01:00
|
|
|
- [x] CosetInterpolationGate
|
2024-12-13 20:24:24 +01:00
|
|
|
- [x] ConstantGate
|
|
|
|
|
- [x] ExponentiationGate
|
2025-01-26 17:22:40 +01:00
|
|
|
- [x] LookupGate
|
|
|
|
|
- [x] LookupTableGate
|
2024-12-13 20:24:24 +01:00
|
|
|
- [x] MulExtensionGate
|
|
|
|
|
- [x] NoopGate
|
|
|
|
|
- [x] PublicInputGate
|
2024-12-15 14:03:44 +01:00
|
|
|
- [x] PoseidonGate
|
2025-01-23 19:41:30 +01:00
|
|
|
- [x] PoseidonMdsGate
|
2025-01-23 18:59:51 +01:00
|
|
|
- [x] RandomAccessGate
|
2025-01-23 20:01:16 +01:00
|
|
|
- [x] ReducingGate
|
|
|
|
|
- [x] ReducingExtensionGate
|
2024-12-13 20:24:24 +01:00
|
|
|
|
|
|
|
|
Optional features:
|
|
|
|
|
|
2025-01-23 20:01:16 +01:00
|
|
|
- [ ] Supporting different hash functions
|
2025-01-26 17:22:40 +01:00
|
|
|
- [ ] Handle non-standard configurations
|
2024-12-13 20:24:24 +01:00
|
|
|
- [ ] Field extensions with degree higher than 2
|
|
|
|
|
- [ ] Being parametric over the field choice
|
|
|
|
|
|
