fixup! WIP feat: add PLONK in-circuit verifier

Consensys · Oct 20, 2023 · 490a2eb · 490a2eb
1 parent adedad6
commit 490a2eb
Showing 1 changed file with 59 additions and 1 deletion.
diff --git a/std/recursion/plonk/verifier.go b/std/recursion/plonk/verifier.go
@@ -5,8 +5,11 @@ import (
 
 	backend_plonk "github.com/consensys/gnark/backend/plonk"
 	"github.com/consensys/gnark/constraint"
+	"github.com/consensys/gnark/frontend"
 	"github.com/consensys/gnark/std/algebra"
 	"github.com/consensys/gnark/std/commitments/kzg"
+	fiatshamir "github.com/consensys/gnark/std/fiat-shamir"
+	"github.com/consensys/gnark/std/hash"
 )
 
 type Proof[S algebra.ScalarT, G1El algebra.G1ElementT, G2El algebra.G2ElementT] struct {
@@ -79,11 +82,15 @@ func PlaceholderWitness[S algebra.ScalarT](ccs constraint.ConstraintSystem) Witn
 }
 
 type Verifier[S algebra.ScalarT, G1El algebra.G1ElementT, G2El algebra.G2ElementT, GtEl algebra.GtElementT] struct {
+	api     frontend.API
 	curve   algebra.Curve[S, G1El]
 	pairing algebra.Pairing[G1El, G2El, GtEl]
+	kzgHash hash.FieldHasher
+	fsHash  hash.FieldHasher
+	htfHash hash.FieldHasher
 }
 
-func NewVerifier[S algebra.ScalarT, G1El algebra.G1ElementT, G2El algebra.G2ElementT, GtEl algebra.GtElementT](curve algebra.Curve[S, G1El], pairing algebra.Pairing[G1El, G2El, GtEl]) *Verifier[S, G1El, G2El, GtEl] {
+func NewVerifier[S algebra.ScalarT, G1El algebra.G1ElementT, G2El algebra.G2ElementT, GtEl algebra.GtElementT](api frontend.API, curve algebra.Curve[S, G1El], pairing algebra.Pairing[G1El, G2El, GtEl]) *Verifier[S, G1El, G2El, GtEl] {
 	return &Verifier[S, G1El, G2El, GtEl]{
 		curve:   curve,
 		pairing: pairing,
@@ -94,4 +101,55 @@ func (v *Verifier[S, G1El, G2El, GtEl]) AssertProof(vk VerifyingKey[S, G1El, G2E
 	if len(proof.Bsb22Commitments) != len(vk.Qcp) {
 		return fmt.Errorf("BSB22 commitment number mismatch")
 	}
+	fs := fiatshamir.NewTranscript(v.api, v.fsHash, "gamma", "beta", "alpha", "zeta")
+
+	if err := v.bindPublicData(fs, "gamma", vk, witness); err != nil {
+		return fmt.Errorf("bind public data: %w", err)
+	}
+
+}
+
+func (v *Verifier[S, G1El, G2El, GtEl]) bindPublicData(fs *fiatshamir.Transcript, challenge string, vk VerifyingKey[S, G1El, G2El], witness Witness[S]) error {
+
+	// permutation
+	if err := fs.Bind(challenge, vk.S[0].Marshal()); err != nil {
+		return err
+	}
+	if err := fs.Bind(challenge, vk.S[1].Marshal()); err != nil {
+		return err
+	}
+	if err := fs.Bind(challenge, vk.S[2].Marshal()); err != nil {
+		return err
+	}
+
+	// coefficients
+	if err := fs.Bind(challenge, vk.Ql.Marshal()); err != nil {
+		return err
+	}
+	if err := fs.Bind(challenge, vk.Qr.Marshal()); err != nil {
+		return err
+	}
+	if err := fs.Bind(challenge, vk.Qm.Marshal()); err != nil {
+		return err
+	}
+	if err := fs.Bind(challenge, vk.Qo.Marshal()); err != nil {
+		return err
+	}
+	if err := fs.Bind(challenge, vk.Qk.Marshal()); err != nil {
+		return err
+	}
+	for i := range vk.Qcp {
+		if err := fs.Bind(challenge, vk.Qcp[i].Marshal()); err != nil {
+			return err
+		}
+	}
+
+	// public inputs
+	for i := 0; i < len(publicInputs); i++ {
+		if err := fs.Bind(challenge, publicInputs[i].Marshal()); err != nil {
+			return err
+		}
+	}
+
+	return nil
 }