diff --git a/backend/plonk/bls12-377/prove.go b/backend/plonk/bls12-377/prove.go index f3e6b55b94..46346775c5 100644 --- a/backend/plonk/bls12-377/prove.go +++ b/backend/plonk/bls12-377/prove.go @@ -18,7 +18,6 @@ package plonk import ( "context" - "crypto/sha256" "errors" "fmt" "hash" @@ -185,9 +184,9 @@ type instance struct { spr *cs.SparseR1CS opt *backend.ProverConfig - fs fiatshamir.Transcript - hFunc hash.Hash // for Fiat-Shamir and KZG folding - htfFunc hash.Hash // hash to field function + fs fiatshamir.Transcript + kzgFoldingHash hash.Hash // for KZG folding + htfFunc hash.Hash // hash to field function // polynomials x []*iop.Polynomial // x stores tracks the polynomial we need @@ -232,7 +231,6 @@ func newInstance(ctx context.Context, spr *cs.SparseR1CS, pk *ProvingKey, fullWi if opts.HashToFieldFn == nil { opts.HashToFieldFn = hash_to_field.New([]byte("BSB22-Plonk")) } - hFunc := sha256.New() s := instance{ ctx: ctx, pk: pk, @@ -241,8 +239,8 @@ func newInstance(ctx context.Context, spr *cs.SparseR1CS, pk *ProvingKey, fullWi opt: opts, fullWitness: fullWitness, bp: make([]*iop.Polynomial, nb_blinding_polynomials), - fs: fiatshamir.NewTranscript(hFunc, "gamma", "beta", "alpha", "zeta"), - hFunc: hFunc, + fs: fiatshamir.NewTranscript(opts.ChallengeHash, "gamma", "beta", "alpha", "zeta"), + kzgFoldingHash: opts.KZGFoldingHash, htfFunc: opts.HashToFieldFn, chLRO: make(chan struct{}, 1), chQk: make(chan struct{}, 1), @@ -827,7 +825,7 @@ func (s *instance) batchOpening() error { polysToOpen, digestsToOpen, s.zeta, - s.hFunc, + s.kzgFoldingHash, s.pk.Kzg, s.proof.ZShiftedOpening.ClaimedValue.Marshal(), ) diff --git a/backend/plonk/bls12-377/verify.go b/backend/plonk/bls12-377/verify.go index ddeadafa63..8b7fbdf3a4 100644 --- a/backend/plonk/bls12-377/verify.go +++ b/backend/plonk/bls12-377/verify.go @@ -17,7 +17,6 @@ package plonk import ( - "crypto/sha256" "errors" "fmt" "io" 
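Review bot: `opts.ChallengeHash` and `opts.KZGFoldingHash` are consumed in newInstance (bls12-377/prove.go, hunk at new line 239) without the nil default that `opts.HashToFieldFn` gets a few lines earlier. If the config constructor, which is not visible here, does not populate them, a nil `hash.Hash` reaches `fiatshamir.NewTranscript` and the KZG batch opening, and would presumably fail only on first use, deep inside proving. A guard beside the existing default, `if opts.ChallengeHash == nil || opts.KZGFoldingHash == nil {` returning an error, would make the failure explicit. The same pattern repeats in prove.go for bls12-381, bls24-315, bls24-317, bn254, bw6-633 and bw6-761. newInstance starts and ends outside the hunk, so its return form is not shown.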
@@ -55,11 +54,8 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector, opts ...bac return errors.New("BSB22 Commitment number mismatch") } - // pick a hash function to derive the challenge (the same as in the prover) - hFunc := sha256.New() - // transcript to derive the challenge - fs := fiatshamir.NewTranscript(hFunc, "gamma", "beta", "alpha", "zeta") + fs := fiatshamir.NewTranscript(cfg.ChallengeHash, "gamma", "beta", "alpha", "zeta") // The first challenge is derived using the public data: the commitments to the permutation, // the coefficients of the circuit, and the public inputs. @@ -268,7 +264,7 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector, opts ...bac digestsToFold, &proof.BatchedProof, zeta, - hFunc, + cfg.KZGFoldingHash, zu.Marshal(), ) if err != nil { diff --git a/backend/plonk/bls12-381/prove.go b/backend/plonk/bls12-381/prove.go index 4d5a09b12c..cd6282fcdf 100644 --- a/backend/plonk/bls12-381/prove.go +++ b/backend/plonk/bls12-381/prove.go @@ -18,7 +18,6 @@ package plonk import ( "context" - "crypto/sha256" "errors" "fmt" "hash" @@ -185,9 +184,9 @@ type instance struct { spr *cs.SparseR1CS opt *backend.ProverConfig - fs fiatshamir.Transcript - hFunc hash.Hash // for Fiat-Shamir and KZG folding - htfFunc hash.Hash // hash to field function + fs fiatshamir.Transcript + kzgFoldingHash hash.Hash // for KZG folding + htfFunc hash.Hash // hash to field function // polynomials x []*iop.Polynomial // x stores tracks the polynomial we need @@ -232,7 +231,6 @@ func newInstance(ctx context.Context, spr *cs.SparseR1CS, pk *ProvingKey, fullWi if opts.HashToFieldFn == nil { opts.HashToFieldFn = hash_to_field.New([]byte("BSB22-Plonk")) } - hFunc := sha256.New() s := instance{ ctx: ctx, pk: pk, 
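Review bot: The deleted comment in Verify (bls12-377/verify.go, hunk at new line 54) was the only statement that the verifier's challenge hash must match the prover's. With the hash now read from `cfg.ChallengeHash`, that invariant becomes the caller's responsibility and is no longer written down. I would keep it on the transcript line, for example `// cfg.ChallengeHash must be the hash the prover used for its transcript; Fiat-Shamir soundness assumes a cryptographic hash here`. The doc comment of the option that sets this field, which is outside this diff, should carry the same warning, because a weak or non-cryptographic hash would let challenges be predicted. The same edit applies to verify.go for bls12-381, bls24-315, bls24-317, bn254, bw6-633 and bw6-761. Verify's body and the construction of `cfg` lie outside the hunk.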
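Review bot: `cfg.KZGFoldingHash` (bls12-377/verify.go, hunk at new line 264) replaces a `sha256.New()` created fresh on every Verify call with a caller-supplied value. On the prover side that value is stored as a `hash.Hash`, which is stateful. If one config or option value is reused by concurrent Verify or prove calls, those calls would share a single hash state, and a folding challenge could absorb bytes written by another call; whether the KZG code resets or copies the hash is not visible here. The ownership rule should be documented where the field is read, for example `// cfg.KZGFoldingHash is stateful: do not share one instance across concurrent calls`. Alternatively, the config could take a `func() hash.Hash` constructor. The same applies to `kzgFoldingHash` in the prove.go struct hunks and to the other six curve packages.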
@@ -241,8 +239,8 @@ func newInstance(ctx context.Context, spr *cs.SparseR1CS, pk *ProvingKey, fullWi opt: opts, fullWitness: fullWitness, bp: make([]*iop.Polynomial, nb_blinding_polynomials), - fs: fiatshamir.NewTranscript(hFunc, "gamma", "beta", "alpha", "zeta"), - hFunc: hFunc, + fs: fiatshamir.NewTranscript(opts.ChallengeHash, "gamma", "beta", "alpha", "zeta"), + kzgFoldingHash: opts.KZGFoldingHash, htfFunc: opts.HashToFieldFn, chLRO: make(chan struct{}, 1), chQk: make(chan struct{}, 1), @@ -827,7 +825,7 @@ func (s *instance) batchOpening() error { polysToOpen, digestsToOpen, s.zeta, - s.hFunc, + s.kzgFoldingHash, s.pk.Kzg, s.proof.ZShiftedOpening.ClaimedValue.Marshal(), ) diff --git a/backend/plonk/bls12-381/verify.go b/backend/plonk/bls12-381/verify.go index 78e228c7ff..2b3eeef6c1 100644 --- a/backend/plonk/bls12-381/verify.go +++ b/backend/plonk/bls12-381/verify.go @@ -17,7 +17,6 @@ package plonk import ( - "crypto/sha256" "errors" "fmt" "io" @@ -55,11 +54,8 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector, opts ...bac return errors.New("BSB22 Commitment number mismatch") } - // pick a hash function to derive the challenge (the same as in the prover) - hFunc := sha256.New() - // transcript to derive the challenge - fs := fiatshamir.NewTranscript(hFunc, "gamma", "beta", "alpha", "zeta") + fs := fiatshamir.NewTranscript(cfg.ChallengeHash, "gamma", "beta", "alpha", "zeta") // The first challenge is derived using the public data: the commitments to the permutation, // the coefficients of the circuit, and the public inputs. @@ -268,7 +264,7 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector, opts ...bac digestsToFold, &proof.BatchedProof, zeta, - hFunc, + cfg.KZGFoldingHash, zu.Marshal(), ) if err != nil { diff --git a/backend/plonk/bls24-315/prove.go b/backend/plonk/bls24-315/prove.go index 0af8de9708..09f0643a47 100644 --- a/backend/plonk/bls24-315/prove.go +++ b/backend/plonk/bls24-315/prove.go 
@@ -18,7 +18,6 @@ package plonk import ( "context" - "crypto/sha256" "errors" "fmt" "hash" @@ -185,9 +184,9 @@ type instance struct { spr *cs.SparseR1CS opt *backend.ProverConfig - fs fiatshamir.Transcript - hFunc hash.Hash // for Fiat-Shamir and KZG folding - htfFunc hash.Hash // hash to field function + fs fiatshamir.Transcript + kzgFoldingHash hash.Hash // for KZG folding + htfFunc hash.Hash // hash to field function // polynomials x []*iop.Polynomial // x stores tracks the polynomial we need @@ -232,7 +231,6 @@ func newInstance(ctx context.Context, spr *cs.SparseR1CS, pk *ProvingKey, fullWi if opts.HashToFieldFn == nil { opts.HashToFieldFn = hash_to_field.New([]byte("BSB22-Plonk")) } - hFunc := sha256.New() s := instance{ ctx: ctx, pk: pk, @@ -241,8 +239,8 @@ func newInstance(ctx context.Context, spr *cs.SparseR1CS, pk *ProvingKey, fullWi opt: opts, fullWitness: fullWitness, bp: make([]*iop.Polynomial, nb_blinding_polynomials), - fs: fiatshamir.NewTranscript(hFunc, "gamma", "beta", "alpha", "zeta"), - hFunc: hFunc, + fs: fiatshamir.NewTranscript(opts.ChallengeHash, "gamma", "beta", "alpha", "zeta"), + kzgFoldingHash: opts.KZGFoldingHash, htfFunc: opts.HashToFieldFn, chLRO: make(chan struct{}, 1), chQk: make(chan struct{}, 1), @@ -827,7 +825,7 @@ func (s *instance) batchOpening() error { polysToOpen, digestsToOpen, s.zeta, - s.hFunc, + s.kzgFoldingHash, s.pk.Kzg, s.proof.ZShiftedOpening.ClaimedValue.Marshal(), ) diff --git a/backend/plonk/bls24-315/verify.go b/backend/plonk/bls24-315/verify.go index a9aaf5d235..446c95ff42 100644 --- a/backend/plonk/bls24-315/verify.go +++ b/backend/plonk/bls24-315/verify.go @@ -17,7 +17,6 @@ package plonk import ( - "crypto/sha256" "errors" "fmt" "io" 
@@ -55,11 +54,8 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector, opts ...bac return errors.New("BSB22 Commitment number mismatch") } - // pick a hash function to derive the challenge (the same as in the prover) - hFunc := sha256.New() - // transcript to derive the challenge - fs := fiatshamir.NewTranscript(hFunc, "gamma", "beta", "alpha", "zeta") + fs := fiatshamir.NewTranscript(cfg.ChallengeHash, "gamma", "beta", "alpha", "zeta") // The first challenge is derived using the public data: the commitments to the permutation, // the coefficients of the circuit, and the public inputs. @@ -268,7 +264,7 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector, opts ...bac digestsToFold, &proof.BatchedProof, zeta, - hFunc, + cfg.KZGFoldingHash, zu.Marshal(), ) if err != nil { diff --git a/backend/plonk/bls24-317/prove.go b/backend/plonk/bls24-317/prove.go index bc03a8b91b..49412d739a 100644 --- a/backend/plonk/bls24-317/prove.go +++ b/backend/plonk/bls24-317/prove.go @@ -18,7 +18,6 @@ package plonk import ( "context" - "crypto/sha256" "errors" "fmt" "hash" @@ -185,9 +184,9 @@ type instance struct { spr *cs.SparseR1CS opt *backend.ProverConfig - fs fiatshamir.Transcript - hFunc hash.Hash // for Fiat-Shamir and KZG folding - htfFunc hash.Hash // hash to field function + fs fiatshamir.Transcript + kzgFoldingHash hash.Hash // for KZG folding + htfFunc hash.Hash // hash to field function // polynomials x []*iop.Polynomial // x stores tracks the polynomial we need @@ -232,7 +231,6 @@ func newInstance(ctx context.Context, spr *cs.SparseR1CS, pk *ProvingKey, fullWi if opts.HashToFieldFn == nil { opts.HashToFieldFn = hash_to_field.New([]byte("BSB22-Plonk")) } - hFunc := sha256.New() s := instance{ ctx: ctx, pk: pk, 
@@ -241,8 +239,8 @@ func newInstance(ctx context.Context, spr *cs.SparseR1CS, pk *ProvingKey, fullWi opt: opts, fullWitness: fullWitness, bp: make([]*iop.Polynomial, nb_blinding_polynomials), - fs: fiatshamir.NewTranscript(hFunc, "gamma", "beta", "alpha", "zeta"), - hFunc: hFunc, + fs: fiatshamir.NewTranscript(opts.ChallengeHash, "gamma", "beta", "alpha", "zeta"), + kzgFoldingHash: opts.KZGFoldingHash, htfFunc: opts.HashToFieldFn, chLRO: make(chan struct{}, 1), chQk: make(chan struct{}, 1), @@ -827,7 +825,7 @@ func (s *instance) batchOpening() error { polysToOpen, digestsToOpen, s.zeta, - s.hFunc, + s.kzgFoldingHash, s.pk.Kzg, s.proof.ZShiftedOpening.ClaimedValue.Marshal(), ) diff --git a/backend/plonk/bls24-317/verify.go b/backend/plonk/bls24-317/verify.go index c7439a80a7..ab64624d7c 100644 --- a/backend/plonk/bls24-317/verify.go +++ b/backend/plonk/bls24-317/verify.go @@ -17,7 +17,6 @@ package plonk import ( - "crypto/sha256" "errors" "fmt" "io" @@ -55,11 +54,8 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector, opts ...bac return errors.New("BSB22 Commitment number mismatch") } - // pick a hash function to derive the challenge (the same as in the prover) - hFunc := sha256.New() - // transcript to derive the challenge - fs := fiatshamir.NewTranscript(hFunc, "gamma", "beta", "alpha", "zeta") + fs := fiatshamir.NewTranscript(cfg.ChallengeHash, "gamma", "beta", "alpha", "zeta") // The first challenge is derived using the public data: the commitments to the permutation, // the coefficients of the circuit, and the public inputs. @@ -268,7 +264,7 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector, opts ...bac digestsToFold, &proof.BatchedProof, zeta, - hFunc, + cfg.KZGFoldingHash, zu.Marshal(), ) if err != nil { diff --git a/backend/plonk/bn254/prove.go b/backend/plonk/bn254/prove.go index 2628d7614a..1a237418d6 100644 --- a/backend/plonk/bn254/prove.go +++ b/backend/plonk/bn254/prove.go 
@@ -18,7 +18,6 @@ package plonk import ( "context" - "crypto/sha256" "errors" "fmt" "hash" @@ -185,9 +184,9 @@ type instance struct { spr *cs.SparseR1CS opt *backend.ProverConfig - fs fiatshamir.Transcript - hFunc hash.Hash // for Fiat-Shamir and KZG folding - htfFunc hash.Hash // hash to field function + fs fiatshamir.Transcript + kzgFoldingHash hash.Hash // for KZG folding + htfFunc hash.Hash // hash to field function // polynomials x []*iop.Polynomial // x stores tracks the polynomial we need @@ -232,7 +231,6 @@ func newInstance(ctx context.Context, spr *cs.SparseR1CS, pk *ProvingKey, fullWi if opts.HashToFieldFn == nil { opts.HashToFieldFn = hash_to_field.New([]byte("BSB22-Plonk")) } - hFunc := sha256.New() s := instance{ ctx: ctx, pk: pk, @@ -241,8 +239,8 @@ func newInstance(ctx context.Context, spr *cs.SparseR1CS, pk *ProvingKey, fullWi opt: opts, fullWitness: fullWitness, bp: make([]*iop.Polynomial, nb_blinding_polynomials), - fs: fiatshamir.NewTranscript(hFunc, "gamma", "beta", "alpha", "zeta"), - hFunc: hFunc, + fs: fiatshamir.NewTranscript(opts.ChallengeHash, "gamma", "beta", "alpha", "zeta"), + kzgFoldingHash: opts.KZGFoldingHash, htfFunc: opts.HashToFieldFn, chLRO: make(chan struct{}, 1), chQk: make(chan struct{}, 1), @@ -827,7 +825,7 @@ func (s *instance) batchOpening() error { polysToOpen, digestsToOpen, s.zeta, - s.hFunc, + s.kzgFoldingHash, s.pk.Kzg, s.proof.ZShiftedOpening.ClaimedValue.Marshal(), ) diff --git a/backend/plonk/bn254/verify.go b/backend/plonk/bn254/verify.go index e7737d568a..1e0d7ca4de 100644 --- a/backend/plonk/bn254/verify.go +++ b/backend/plonk/bn254/verify.go @@ -17,7 +17,6 @@ package plonk import ( - "crypto/sha256" "errors" "fmt" "io" 
@@ -55,11 +54,8 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector, opts ...bac return errors.New("BSB22 Commitment number mismatch") } - // pick a hash function to derive the challenge (the same as in the prover) - hFunc := sha256.New() - // transcript to derive the challenge - fs := fiatshamir.NewTranscript(hFunc, "gamma", "beta", "alpha", "zeta") + fs := fiatshamir.NewTranscript(cfg.ChallengeHash, "gamma", "beta", "alpha", "zeta") // The first challenge is derived using the public data: the commitments to the permutation, // the coefficients of the circuit, and the public inputs. @@ -268,7 +264,7 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector, opts ...bac digestsToFold, &proof.BatchedProof, zeta, - hFunc, + cfg.KZGFoldingHash, zu.Marshal(), ) if err != nil { diff --git a/backend/plonk/bw6-633/prove.go b/backend/plonk/bw6-633/prove.go index b77b30fea6..77d1a48644 100644 --- a/backend/plonk/bw6-633/prove.go +++ b/backend/plonk/bw6-633/prove.go @@ -18,7 +18,6 @@ package plonk import ( "context" - "crypto/sha256" "errors" "fmt" "hash" @@ -185,9 +184,9 @@ type instance struct { spr *cs.SparseR1CS opt *backend.ProverConfig - fs fiatshamir.Transcript - hFunc hash.Hash // for Fiat-Shamir and KZG folding - htfFunc hash.Hash // hash to field function + fs fiatshamir.Transcript + kzgFoldingHash hash.Hash // for KZG folding + htfFunc hash.Hash // hash to field function // polynomials x []*iop.Polynomial // x stores tracks the polynomial we need @@ -232,7 +231,6 @@ func newInstance(ctx context.Context, spr *cs.SparseR1CS, pk *ProvingKey, fullWi if opts.HashToFieldFn == nil { opts.HashToFieldFn = hash_to_field.New([]byte("BSB22-Plonk")) } - hFunc := sha256.New() s := instance{ ctx: ctx, pk: pk, 
@@ -241,8 +239,8 @@ func newInstance(ctx context.Context, spr *cs.SparseR1CS, pk *ProvingKey, fullWi opt: opts, fullWitness: fullWitness, bp: make([]*iop.Polynomial, nb_blinding_polynomials), - fs: fiatshamir.NewTranscript(hFunc, "gamma", "beta", "alpha", "zeta"), - hFunc: hFunc, + fs: fiatshamir.NewTranscript(opts.ChallengeHash, "gamma", "beta", "alpha", "zeta"), + kzgFoldingHash: opts.KZGFoldingHash, htfFunc: opts.HashToFieldFn, chLRO: make(chan struct{}, 1), chQk: make(chan struct{}, 1), @@ -827,7 +825,7 @@ func (s *instance) batchOpening() error { polysToOpen, digestsToOpen, s.zeta, - s.hFunc, + s.kzgFoldingHash, s.pk.Kzg, s.proof.ZShiftedOpening.ClaimedValue.Marshal(), ) diff --git a/backend/plonk/bw6-633/verify.go b/backend/plonk/bw6-633/verify.go index 54f6178718..71e7c2cc72 100644 --- a/backend/plonk/bw6-633/verify.go +++ b/backend/plonk/bw6-633/verify.go @@ -17,7 +17,6 @@ package plonk import ( - "crypto/sha256" "errors" "fmt" "io" @@ -55,11 +54,8 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector, opts ...bac return errors.New("BSB22 Commitment number mismatch") } - // pick a hash function to derive the challenge (the same as in the prover) - hFunc := sha256.New() - // transcript to derive the challenge - fs := fiatshamir.NewTranscript(hFunc, "gamma", "beta", "alpha", "zeta") + fs := fiatshamir.NewTranscript(cfg.ChallengeHash, "gamma", "beta", "alpha", "zeta") // The first challenge is derived using the public data: the commitments to the permutation, // the coefficients of the circuit, and the public inputs. @@ -268,7 +264,7 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector, opts ...bac digestsToFold, &proof.BatchedProof, zeta, - hFunc, + cfg.KZGFoldingHash, zu.Marshal(), ) if err != nil { diff --git a/backend/plonk/bw6-761/prove.go b/backend/plonk/bw6-761/prove.go index a64091c387..35d89a6e73 100644 --- a/backend/plonk/bw6-761/prove.go +++ b/backend/plonk/bw6-761/prove.go 
@@ -18,7 +18,6 @@ package plonk import ( "context" - "crypto/sha256" "errors" "fmt" "hash" @@ -185,9 +184,9 @@ type instance struct { spr *cs.SparseR1CS opt *backend.ProverConfig - fs fiatshamir.Transcript - hFunc hash.Hash // for Fiat-Shamir and KZG folding - htfFunc hash.Hash // hash to field function + fs fiatshamir.Transcript + kzgFoldingHash hash.Hash // for KZG folding + htfFunc hash.Hash // hash to field function // polynomials x []*iop.Polynomial // x stores tracks the polynomial we need @@ -232,7 +231,6 @@ func newInstance(ctx context.Context, spr *cs.SparseR1CS, pk *ProvingKey, fullWi if opts.HashToFieldFn == nil { opts.HashToFieldFn = hash_to_field.New([]byte("BSB22-Plonk")) } - hFunc := sha256.New() s := instance{ ctx: ctx, pk: pk, @@ -241,8 +239,8 @@ func newInstance(ctx context.Context, spr *cs.SparseR1CS, pk *ProvingKey, fullWi opt: opts, fullWitness: fullWitness, bp: make([]*iop.Polynomial, nb_blinding_polynomials), - fs: fiatshamir.NewTranscript(hFunc, "gamma", "beta", "alpha", "zeta"), - hFunc: hFunc, + fs: fiatshamir.NewTranscript(opts.ChallengeHash, "gamma", "beta", "alpha", "zeta"), + kzgFoldingHash: opts.KZGFoldingHash, htfFunc: opts.HashToFieldFn, chLRO: make(chan struct{}, 1), chQk: make(chan struct{}, 1), @@ -827,7 +825,7 @@ func (s *instance) batchOpening() error { polysToOpen, digestsToOpen, s.zeta, - s.hFunc, + s.kzgFoldingHash, s.pk.Kzg, s.proof.ZShiftedOpening.ClaimedValue.Marshal(), ) diff --git a/backend/plonk/bw6-761/verify.go b/backend/plonk/bw6-761/verify.go index 26a6a17623..e8b4ecd4c6 100644 --- a/backend/plonk/bw6-761/verify.go +++ b/backend/plonk/bw6-761/verify.go @@ -17,7 +17,6 @@ package plonk import ( - "crypto/sha256" "errors" "fmt" "io" 
@@ -55,11 +54,8 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector, opts ...bac return errors.New("BSB22 Commitment number mismatch") } - // pick a hash function to derive the challenge (the same as in the prover) - hFunc := sha256.New() - // transcript to derive the challenge - fs := fiatshamir.NewTranscript(hFunc, "gamma", "beta", "alpha", "zeta") + fs := fiatshamir.NewTranscript(cfg.ChallengeHash, "gamma", "beta", "alpha", "zeta") // The first challenge is derived using the public data: the commitments to the permutation, // the coefficients of the circuit, and the public inputs. @@ -268,7 +264,7 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector, opts ...bac digestsToFold, &proof.BatchedProof, zeta, - hFunc, + cfg.KZGFoldingHash, zu.Marshal(), ) if err != nil {