fixes, cleanup, and deserialize ProofChallenges

plonky2_verifier/arithmetic_gate.go

@@ -51,7 +51,7 @@ func (g *ArithmeticGate) EvalUnfiltered(p *PlonkChip, vars EvaluationVars) []Qua
 			p.qeAPI.MulExtension(addend, const1),
 		)
 
-		constraints = append(constraints, p.qeAPI.SubExtension(computedOutput, output))
+		constraints = append(constraints, p.qeAPI.SubExtension(output, computedOutput))
 	}
 
 	return constraints

plonky2_verifier/data/dummy_2^14_gates/proof_challenges.json

@@ -0,0 +1,18 @@
+{
+    "plonk_betas": [
+        11216469004148781751,
+        6201977337075152249
+    ],
+    "plonk_gammas": [
+        8369751006669847974,
+        3610024170884289835
+    ],
+    "plonk_alphas": [
+        970160439138448145,
+        2402201283787401921
+    ],
+    "plonk_zeta": [
+        17377750363769967882,
+        11921191651424768462
+    ]
+}

plonky2_verifier/data/fibonacci/challenges.json

@@ -0,0 +1 @@
+{"plonk_betas":[12973916988745913043,10729509799707823061],"plonk_gammas":[13357786390712427342,13733012568509939467],"plonk_alphas":[4421334860622890213,11104346062293008527],"plonk_zeta":[4417665616040947721,6032065041495623027],"fri_challenges":{"fri_alpha":[13781247504304639195,11230825432264195234],"fri_betas":[],"fri_pow_response":38184296491435,"fri_query_indices":[51,25,2,2,7,2,50,30,48,56,44,52,34,3,4,59,0,1,53,63,60,42,12,56,53,7,37,39]}}

plonky2_verifier/data/fibonacci/proof_challenges.json

@@ -0,0 +1 @@
+{"plonk_betas":[12973916988745913043,10729509799707823061],"plonk_gammas":[13357786390712427342,13733012568509939467],"plonk_alphas":[4421334860622890213,11104346062293008527],"plonk_zeta":[4417665616040947721,6032065041495623027],"fri_challenges":{"fri_alpha":[13781247504304639195,11230825432264195234],"fri_betas":[],"fri_pow_response":38184296491435,"fri_query_indices":[51,25,2,2,7,2,50,30,48,56,44,52,34,3,4,59,0,1,53,63,60,42,12,56,53,7,37,39]}}

plonky2_verifier/data/fibonacci/verifier_only_circuit_data.json

@@ -1 +1 @@
-{"constants_sigmas_cap":[{"elements":[2913805118787558759,15605217703384212484,9293436862297178555,10529947991695419448]},{"elements":[1937331278189251620,17537260089483183877,10458485670158100707,4116443229550247591]},{"elements":[8142760542024755709,3845244796524514577,16191049345326767258,7348433903875207214]},{"elements":[18274477257392359471,9341197367296335592,14314312946600883535,17431979896521737468]},{"elements":[12713790163422286570,9838614764658999419,3024549327814176904,6544549858431318793]},{"elements":[17461063081201329467,1929790214678747830,14738190695567211833,4502436664569676311]},{"elements":[17446087997043032816,17518692693064701003,4915378766449394412,10675325761198739044]},{"elements":[11349186227918507635,7105572536043210156,13296927306801261929,6138189381388819111]},{"elements":[17427080957162886576,4310228111529328877,16109317445338921222,11923676504992192083]},{"elements":[11292141569337462929,7213981967192374125,4837353949249389782,13157524938508720907]},{"elements":[17221477633935993097,7905315334616496868,2950048088611741910,16851660641249290423]},{"elements":[1918571898367258879,14473285549490778842,16456257732802770188,16611801325745795527]},{"elements":[7880989808200689690,16935107633380717766,8956194191973051375,1103945341495739535]},{"elements":[4501339912027744074,12142665268233044767,9270990890291324944,45374981263348191]},{"elements":[13657768796246999470,2899654677720502418,7228867285602519410,3363587770111123806]},{"elements":[18227101298896629706,12986849723013952028,16815808278639394978,16460725848109409638]}]}
+{"constants_sigmas_cap":[{"elements":[2913805118787558759,15605217703384212484,9293436862297178555,10529947991695419448]},{"elements":[1937331278189251620,17537260089483183877,10458485670158100707,4116443229550247591]},{"elements":[8142760542024755709,3845244796524514577,16191049345326767258,7348433903875207214]},{"elements":[18274477257392359471,9341197367296335592,14314312946600883535,17431979896521737468]},{"elements":[12713790163422286570,9838614764658999419,3024549327814176904,6544549858431318793]},{"elements":[17461063081201329467,1929790214678747830,14738190695567211833,4502436664569676311]},{"elements":[17446087997043032816,17518692693064701003,4915378766449394412,10675325761198739044]},{"elements":[11349186227918507635,7105572536043210156,13296927306801261929,6138189381388819111]},{"elements":[17427080957162886576,4310228111529328877,16109317445338921222,11923676504992192083]},{"elements":[11292141569337462929,7213981967192374125,4837353949249389782,13157524938508720907]},{"elements":[17221477633935993097,7905315334616496868,2950048088611741910,16851660641249290423]},{"elements":[1918571898367258879,14473285549490778842,16456257732802770188,16611801325745795527]},{"elements":[7880989808200689690,16935107633380717766,8956194191973051375,1103945341495739535]},{"elements":[4501339912027744074,12142665268233044767,9270990890291324944,45374981263348191]},{"elements":[13657768796246999470,2899654677720502418,7228867285602519410,3363587770111123806]},{"elements":[18227101298896629706,12986849723013952028,16815808278639394978,16460725848109409638]}],"circuit_digest":{"elements":[15489309507512017401,16244437215982314072,10011620388767144997,15394117319313330212]}}

plonky2_verifier/deserialize.go

@@ -130,7 +130,6 @@ type CommonCircuitDataRaw struct {
 		DegreeBits         uint64   `json:"degree_bits"`
 		ReductionArityBits []uint64 `json:"reduction_arity_bits"`
 	} `json:"fri_params"`
-	DegreeBits    uint64   `json:"degree_bits"`
 	Gates         []string `json:"gates"`
 	SelectorsInfo struct {
 		SelectorIndices []uint64 `json:"selector_indices"`
@@ -156,6 +155,19 @@ type VerifierOnlyCircuitDataRaw struct {
 	} `json:"constants_sigmas_cap"`
 }
 
+type ProofChallengesRaw struct {
+	PlonkBetas    []uint64 `json:"plonk_betas"`
+	PlonkGammas   []uint64 `json:"plonk_gammas"`
+	PlonkAlphas   []uint64 `json:"plonk_alphas"`
+	PlonkZeta     []uint64 `json:"plonk_zeta"`
+	FriChallenges struct {
+		FriAlpha        []uint64   `json:"fri_alpha"`
+		FriBetas        [][]uint64 `json:"fri_betas"`
+		FriPowResponse  uint64     `json:"fri_pow_response"`
+		FriQueryIndices []uint64   `json:"fri_query_indices"`
+	} `json:"fri_challenges"`
+}
+
 func DeserializeMerkleCap(merkleCapRaw []struct{ Elements []uint64 }) MerkleCap {
 	n := len(merkleCapRaw)
 	merkleCap := make([]Hash, n)
@@ -341,12 +353,12 @@ func DeserializeCommonCircuitData(path string) CommonCircuitData {
 	commonCircuitData.Config.FriConfig.NumQueryRounds = raw.Config.FriConfig.NumQueryRounds
 
 	commonCircuitData.FriParams.DegreeBits = raw.FriParams.DegreeBits
+	commonCircuitData.DegreeBits = raw.FriParams.DegreeBits
 	commonCircuitData.FriParams.Config.RateBits = raw.FriParams.Config.RateBits
 	commonCircuitData.FriParams.Config.CapHeight = raw.FriParams.Config.CapHeight
 	commonCircuitData.FriParams.Config.ProofOfWorkBits = raw.FriParams.Config.ProofOfWorkBits
 	commonCircuitData.FriParams.Config.NumQueryRounds = raw.FriParams.Config.NumQueryRounds
 	commonCircuitData.FriParams.ReductionArityBits = raw.FriParams.ReductionArityBits
-	commonCircuitData.DegreeBits = raw.DegreeBits
 
 	commonCircuitData.Gates = []gate{}
 	for _, gate := range raw.Gates {
@@ -392,3 +404,32 @@ func DeserializeVerifierOnlyCircuitData(path string) VerifierOnlyCircuitData {
 		ConstantSigmasCap: DeserializeMerkleCap([]struct{ Elements []uint64 }(raw.ConstantsSigmasCap)),
 	}
 }
+
+func DeserializeProofChallenges(path string) ProofChallenges {
+	jsonFile, err := os.Open(path)
+	if err != nil {
+		panic(err)
+	}
+
+	defer jsonFile.Close()
+	rawBytes, _ := ioutil.ReadAll(jsonFile)
+
+	var raw ProofChallengesRaw
+	err = json.Unmarshal(rawBytes, &raw)
+	if err != nil {
+		panic(err)
+	}
+
+	var challenges ProofChallenges
+	challenges.PlonkBetas = utils.Uint64ArrayToFArray(raw.PlonkBetas)
+	challenges.PlonkGammas = utils.Uint64ArrayToFArray(raw.PlonkGammas)
+	challenges.PlonkAlphas = utils.Uint64ArrayToFArray(raw.PlonkAlphas)
+	challenges.PlonkZeta = utils.Uint64ArrayToQuadraticExtension(raw.PlonkZeta)
+
+	challenges.FriChallenges.FriAlpha = utils.Uint64ArrayToQuadraticExtension(raw.FriChallenges.FriAlpha)
+	challenges.FriChallenges.FriBetas = utils.Uint64ArrayToQuadraticExtensionArray(raw.FriChallenges.FriBetas)
+	challenges.FriChallenges.FriPowResponse = NewFieldElement(raw.FriChallenges.FriPowResponse)
+	challenges.FriChallenges.FriQueryIndicies = utils.Uint64ArrayToFArray(raw.FriChallenges.FriQueryIndices)
+
+	return challenges
+}

plonky2_verifier/deserialize_test.go

@@ -12,13 +12,19 @@ func TestDeserializeProofWithPublicInputs(t *testing.T) {
 }
 
 func TestDeserializeCommonCircuitData(t *testing.T) {
-	proofWithPis := DeserializeCommonCircuitData("./data/fibonacci/common_circuit_data.json")
-	fmt.Printf("%+v\n", proofWithPis)
+	commonCircuitData := DeserializeCommonCircuitData("./data/fibonacci/common_circuit_data.json")
+	fmt.Printf("%+v\n", commonCircuitData)
 	panic("look at stdout")
 }
 
 func TestDeserializeVerifierOnlyCircuitData(t *testing.T) {
-	proofWithPis := DeserializeVerifierOnlyCircuitData("./data/fibonacci/verifier_only_circuit_data.json")
-	fmt.Printf("%+v\n", proofWithPis)
+	verifierOnlyCircuitData := DeserializeVerifierOnlyCircuitData("./data/fibonacci/verifier_only_circuit_data.json")
+	fmt.Printf("%+v\n", verifierOnlyCircuitData)
+	panic("look at stdout")
+}
+
+func TestDeserializeProofChallenges(t *testing.T) {
+	challenges := DeserializeProofChallenges("./data/fibonacci/proof_challenges.json")
+	fmt.Printf("%+v\n", challenges)
 	panic("look at stdout")
 }

plonky2_verifier/gate.go

@@ -62,11 +62,11 @@ func (p *PlonkChip) computeFilter(
 			continue
 		}
 
-		product = p.qeAPI.MulExtension(product, p.qeAPI.SubExtension(p.qeAPI.FieldToQE(NewFieldElement(i)), s))
+		product = p.qeAPI.MulExtension(product, p.qeAPI.SubExtension(s, p.qeAPI.FieldToQE(NewFieldElement(i))))
 	}
 
 	if manySelector {
-		product = p.qeAPI.MulExtension(product, p.qeAPI.SubExtension(p.qeAPI.FieldToQE(NewFieldElement(UNUSED_SELECTOR)), s))
+		product = p.qeAPI.MulExtension(product, p.qeAPI.SubExtension(s, p.qeAPI.FieldToQE(NewFieldElement(UNUSED_SELECTOR))))
 	}
 
 	return product

plonky2_verifier/plonk.go

@@ -131,8 +131,8 @@ func (p *PlonkChip) evaluateGateConstraints(vars EvaluationVars) []QuadraticExte
 			p.commonData.SelectorsInfo.NumSelectors(),
 		)
 
-		for j, constraint := range gateConstraints {
-			if uint64(j) >= p.commonData.NumGateConstraints {
+		for i, constraint := range gateConstraints {
+			if uint64(i) >= p.commonData.NumGateConstraints {
 				panic("num_constraints() gave too low of a number")
 			}
 			constraints[i] = p.qeAPI.AddExtension(constraints[i], constraint)
@@ -202,7 +202,6 @@ func (p *PlonkChip) evalVanishingPoly(vars EvaluationVars, proofChallenges Proof
 	}
 
 	vanishingTerms := append(vanishingZ1Terms, vanishingPartialProductsTerms...)
-	vanishingTerms = append(vanishingTerms, []QuadraticExtension{p.qeAPI.ZERO_QE, p.qeAPI.ZERO_QE, p.qeAPI.ZERO_QE, p.qeAPI.ZERO_QE}...)
 	vanishingTerms = append(vanishingTerms, constraintTerms...)
 
 	reducedValues := make([]QuadraticExtension, p.commonData.Config.NumChallenges)

plonky2_verifier/plonk_test.go

@@ -12,27 +12,17 @@ import (
 type TestPlonkCircuit struct {
 	proofWithPIsFilename      string `gnark:"-"`
 	commonCircuitDataFilename string `gnark:"-"`
-
-	plonkBetas  []F
-	plonkGammas []F
-	plonkAlphas []F
-	plonkZeta   QuadraticExtension
+	ProofChallengesFilename   string `gnark:"-"`
 }
 
 func (circuit *TestPlonkCircuit) Define(api frontend.API) error {
 	proofWithPis := DeserializeProofWithPublicInputs(circuit.proofWithPIsFilename)
 	commonCircuitData := DeserializeCommonCircuitData(circuit.commonCircuitDataFilename)
+	proofChallenges := DeserializeProofChallenges(circuit.ProofChallengesFilename)
 
 	fieldAPI := NewFieldAPI(api)
 	qeAPI := NewQuadraticExtensionAPI(fieldAPI, commonCircuitData.DegreeBits)
 
-	proofChallenges := ProofChallenges{
-		PlonkBetas:  circuit.plonkBetas,
-		PlonkGammas: circuit.plonkGammas,
-		PlonkAlphas: circuit.plonkAlphas,
-		PlonkZeta:   circuit.plonkZeta,
-	}
-
 	plonkChip := NewPlonkChip(api, qeAPI, commonCircuitData)
 
 	poseidonChip := poseidon.NewPoseidonChip(api, fieldAPI, qeAPI)
@@ -49,23 +39,7 @@ func TestPlonkFibonacci(t *testing.T) {
 		circuit := TestPlonkCircuit{
 			proofWithPIsFilename:      "./data/fibonacci/proof_with_public_inputs.json",
 			commonCircuitDataFilename: "./data/fibonacci/common_circuit_data.json",
-
-			plonkBetas: []F{
-				NewFieldElementFromString("4678728155650926271"),
-				NewFieldElementFromString("13611962404289024887"),
-			},
-			plonkGammas: []F{
-				NewFieldElementFromString("13237663823305715949"),
-				NewFieldElementFromString("15389314098328235145"),
-			},
-			plonkAlphas: []F{
-				NewFieldElementFromString("14505919539124304197"),
-				NewFieldElementFromString("1695455639263736117"),
-			},
-			plonkZeta: QuadraticExtension{
-				NewFieldElementFromString("14887793628029982930"),
-				NewFieldElementFromString("1136137158284059037"),
-			},
+			ProofChallengesFilename:   "./data/fibonacci/proof_challenges.json",
 		}
 		witness := TestPlonkCircuit{}
 		err := test.IsSolved(&circuit, &witness, TEST_CURVE.ScalarField())
@@ -82,23 +56,7 @@ func TestPlonkDummy(t *testing.T) {
 		circuit := TestPlonkCircuit{
 			proofWithPIsFilename:      "./data/dummy_2^14_gates/proof_with_public_inputs.json",
 			commonCircuitDataFilename: "./data/dummy_2^14_gates/common_circuit_data.json",
-
-			plonkBetas: []F{
-				NewFieldElementFromString("11216469004148781751"),
-				NewFieldElementFromString("6201977337075152249"),
-			},
-			plonkGammas: []F{
-				NewFieldElementFromString("8369751006669847974"),
-				NewFieldElementFromString("3610024170884289835"),
-			},
-			plonkAlphas: []F{
-				NewFieldElementFromString("970160439138448145"),
-				NewFieldElementFromString("2402201283787401921"),
-			},
-			plonkZeta: QuadraticExtension{
-				NewFieldElementFromString("17377750363769967882"),
-				NewFieldElementFromString("11921191651424768462"),
-			},
+			ProofChallengesFilename:   "./data/dummy_2^14_gates/proof_challenges.json",
 		}
 		witness := TestPlonkCircuit{}
 		err := test.IsSolved(&circuit, &witness, TEST_CURVE.ScalarField())

plonky2_verifier/poseidon_gate.go

@@ -86,8 +86,8 @@ func (g *PoseidonGate) EvalUnfiltered(p *PlonkChip, vars EvaluationVars) []Quadr
 
 	// Assert that `swap` is binary.
 	swap := vars.localWires[g.WireSwap()]
-	notSwap := p.qeAPI.SubExtension(p.qeAPI.FieldToQE(ONE_F), swap)
-	constraints = append(constraints, p.qeAPI.MulExtension(swap, notSwap))
+	swapMinusOne := p.qeAPI.SubExtension(swap, p.qeAPI.FieldToQE(ONE_F))
+	constraints = append(constraints, p.qeAPI.MulExtension(swap, swapMinusOne))
 
 	// Assert that each delta wire is set properly: `delta_i = swap * (rhs - lhs)`.
 	for i := uint64(0); i < 4; i++ {
@@ -132,6 +132,7 @@ func (g *PoseidonGate) EvalUnfiltered(p *PlonkChip, vars EvaluationVars) []Quadr
 	// Partial rounds.
 	state = poseidonChip.PartialFirstConstantLayerExtension(state)
 	state = poseidonChip.MdsPartialLayerInitExtension(state)
+
 	for r := uint64(0); r < poseidon.N_PARTIAL_ROUNDS-1; r++ {
 		sBoxIn := vars.localWires[g.WirePartialSBox(r)]
 		constraints = append(constraints, p.qeAPI.SubExtension(state[0], sBoxIn))
@@ -147,14 +148,14 @@ func (g *PoseidonGate) EvalUnfiltered(p *PlonkChip, vars EvaluationVars) []Quadr
 
 	// Second set of full rounds.
 	for r := uint64(0); r < poseidon.HALF_N_FULL_ROUNDS; r++ {
-		poseidonChip.ConstantLayerExtension(state, &roundCounter)
+		state = poseidonChip.ConstantLayerExtension(state, &roundCounter)
 		for i := uint64(0); i < poseidon.SPONGE_WIDTH; i++ {
 			sBoxIn := vars.localWires[g.WireFullSBox1(r, i)]
 			constraints = append(constraints, p.qeAPI.SubExtension(state[i], sBoxIn))
 			state[i] = sBoxIn
 		}
-		state = poseidonChip.MdsLayerExtension(state)
 		state = poseidonChip.SBoxLayerExtension(state)
+		state = poseidonChip.MdsLayerExtension(state)
 		roundCounter++
 	}
 

plonky2_verifier/selectors.go

@@ -1,6 +1,6 @@
 package plonky2_verifier
 
-const UNUSED_SELECTOR = ^uint64(0) // max uint
+const UNUSED_SELECTOR = uint64(^uint32(0)) // max uint32
 
 type Range struct {
 	start uint64

poseidon/poseidon.go

@@ -119,14 +119,14 @@ func (c *PoseidonChip) ConstantLayerExtension(state PoseidonStateExtension, roun
 func (c *PoseidonChip) SBoxMonomial(x F) F {
 	x2 := c.fieldAPI.Mul(x, x)
 	x4 := c.fieldAPI.Mul(x2, x2)
-	x3 := c.fieldAPI.Mul(x2, x)
+	x3 := c.fieldAPI.Mul(x, x2)
 	return c.fieldAPI.Mul(x3, x4).(F)
 }
 
 func (c *PoseidonChip) SBoxMonomialExtension(x QuadraticExtension) QuadraticExtension {
-	x2 := c.qeAPI.MulExtension(x, x)
-	x4 := c.qeAPI.MulExtension(x2, x2)
-	x3 := c.qeAPI.MulExtension(x2, x)
+	x2 := c.qeAPI.SquareExtension(x)
+	x4 := c.qeAPI.SquareExtension(x2)
+	x3 := c.qeAPI.MulExtension(x, x2)
 	return c.qeAPI.MulExtension(x3, x4)
 }
 
@@ -310,7 +310,7 @@ func (c *PoseidonChip) MdsPartialLayerFast(state PoseidonState, r int) PoseidonS
 func (c *PoseidonChip) MdsPartialLayerFastExtension(state PoseidonStateExtension, r int) PoseidonStateExtension {
 	s0 := state[0]
 	mds0to0 := c.qeAPI.FieldToQE(NewFieldElement(MDS_MATRIX_CIRC[0] + MDS_MATRIX_DIAG[0]))
-	d := c.qeAPI.AddExtension(s0, mds0to0)
+	d := c.qeAPI.MulExtension(s0, mds0to0)
 	for i := 1; i < 12; i++ {
 		if i < SPONGE_WIDTH {
 			t := c.qeAPI.FieldToQE(NewFieldElement(FAST_PARTIAL_ROUND_W_HATS[r][i-1]))
@@ -323,7 +323,7 @@ func (c *PoseidonChip) MdsPartialLayerFastExtension(state PoseidonStateExtension
 	for i := 1; i < 12; i++ {
 		if i < SPONGE_WIDTH {
 			t := c.qeAPI.FieldToQE(NewFieldElement(FAST_PARTIAL_ROUND_VS[r][i-1]))
-			result[i] = c.qeAPI.AddExtension(state[i], c.qeAPI.MulExtension(state[0], t))
+			result[i] = c.qeAPI.AddExtension(c.qeAPI.MulExtension(state[0], t), state[i])
 		}
 	}
 

utils/utils.go

@@ -33,6 +33,10 @@ func Uint64ArrayToFArray(input []uint64) []F {
 	return output
 }
 
+func Uint64ArrayToQuadraticExtension(input []uint64) QuadraticExtension {
+	return [2]F{NewFieldElement(input[0]), NewFieldElement(input[1])}
+}
+
 func Uint64ArrayToQuadraticExtensionArray(input [][]uint64) []QuadraticExtension {
 	var output []QuadraticExtension
 	for i := 0; i < len(input); i++ {