49 verify validity of subclaims in plonk verification (#51)

2026-01-11 16:41:28 +01:00 · 2022-08-09 12:40:28 -04:00
parent a6ea6ac26b
commit 066c370b3c
9 changed files with 342 additions and 144 deletions
--- a/poly-iop/src/perm_check/mod.rs
+++ b/poly-iop/src/perm_check/mod.rs
@@ -160,9 +160,9 @@ pub struct PermutationCheckSubClaim<F: PrimeField, ZC: ZeroCheck<F>> {

 #[derive(Debug, Clone)]
 pub struct PermutationChallenge<F: PrimeField> {
-    alpha: Option<F>,
-    beta: F,
-    gamma: F,
+    pub alpha: Option<F>,
+    pub beta: F,
+    pub gamma: F,
 }

 /// A PermutationCheck is derived from ZeroCheck.
--- a/poly-iop/src/sum_check/mod.rs
+++ b/poly-iop/src/sum_check/mod.rs
@@ -173,9 +173,8 @@ impl<F: PrimeField> SumCheck<F> for PolyIOP<F> {
            challenge = Some(transcript.get_and_append_challenge(b"Internal round")?);
        }
        // pushing the last challenge point to the state
-        match challenge {
-            Some(p) => prover_state.challenges.push(p),
-            None => (),
+        if let Some(p) = challenge {
+            prover_state.challenges.push(p)
        };

        end_timer!(start);
--- a/poly-iop/src/sum_check/verifier.rs
+++ b/poly-iop/src/sum_check/verifier.rs
@@ -105,12 +105,6 @@ impl<F: PrimeField> SumCheckVerifier<F> for IOPVerifierState<F> {
            ));
        }

-        println!(
-            "eval len {} max degree {}",
-            self.polynomials_received[0].len(),
-            self.max_degree + 1
-        );
-
        // the deferred check during the interactive phase:
        // 2. set `expected` to P(r)`
        #[cfg(feature = "parallel")]
--- a/poly-iop/src/zero_check/mod.rs
+++ b/poly-iop/src/zero_check/mod.rs
@@ -1,7 +1,9 @@
 //! Main module for the ZeroCheck protocol.

 use crate::{errors::PolyIOPErrors, sum_check::SumCheck, PolyIOP};
+use arithmetic::build_eq_x_r;
 use ark_ff::PrimeField;
+use ark_poly::MultilinearExtension;
 use ark_std::{end_timer, start_timer};
 use transcript::IOPTranscript;

@@ -12,6 +14,8 @@ use transcript::IOPTranscript;
 pub struct ZeroCheckSubClaim<F: PrimeField, SC: SumCheck<F>> {
    // the SubClaim from the SumCheck
    pub sum_check_sub_claim: SC::SumCheckSubClaim,
+    /// the expected evaluation
+    pub expected_evaluation: F,
    // the initial challenge r which is used to build eq(x, r)
    pub init_challenge: Vec<F>,
 }
@@ -119,9 +123,18 @@ impl<F: PrimeField> ZeroCheck<F> for PolyIOP<F> {
        let subclaim =
            <Self as SumCheck<F>>::verify(F::zero(), proof, &hat_fx_aux_info, transcript)?;

+        // expected_eval = sumcheck.expect_eval/eq(x, r)
+        // where x = sum_check_sub_claim.point
+        let eq_x_r = build_eq_x_r(&r)?;
+        let expected_evaluation = subclaim.expected_evaluation
+            / eq_x_r.evaluate(&subclaim.point).ok_or_else(|| {
+                PolyIOPErrors::InvalidParameters("evaluation dimension does not match".to_string())
+            })?;
+
        end_timer!(start);
        Ok(ZeroCheckSubClaim {
            sum_check_sub_claim: subclaim,
+            expected_evaluation,
            init_challenge: r,
        })
    }