Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Arrabbiata: add a workflow reg. "two steps" challenges verification #3003

Merged
merged 1 commit into from
Feb 9, 2025
+139 −0
Merged

Arrabbiata: add a workflow reg. "two steps" challenges verification #3003

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
139 changes: 139 additions & 0 deletions arrabbiata/src/interpreter.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -429,6 +429,145 @@
//! | |
//! +----------------------------+
//! ```
//!
//! ### Workflow example for handling a challenge
//!
//! Handling challenges is performed in two steps. Let's take the example of the
//! verifier coin `u` used to homogenize the constraints/polynomials in the
//! accumulation protocol. For the sake of simplicity, we only focus on the work
//! related to the challenges. In addition to that, a verifier coin `r` is used
//! to accumulate the challenges. Therefore, we start with the following
//! diagram:
//!
//! ```text
//! +------------------------------------------+
//! | Instance n |
//! | (witness w_(p, n)) |
//! | ---------- |
//! | Vesta |
//! | (scalar field = Fp) |
//! | (base field = Fq) |
//! | (Sponge over Fq) |
//! | |
//! | Generate as output: |
//! | - u_(p, n) |
//! | - r |
//! | - "accumulated u": u_p + r * u_(p, n) |
//! | (note the operations are over Fp) |
//! +------------------------------------------+
//! ```
//!
//! The coins `u_(p, n)` and `r` are generated after absorbing a few committed
//! values (i.e. points over Fq). The verifier will have to check the following:
//! - `u_(p, n)` has been coined correctly (i.e. check a sponge state).
//! - `r` has been coined correctly (i.e. check a sponge staet).
//! - "accumulated u" has been computed correctly
//!
//! At the next iteration, the verifier is working over the field `Fq`, i.e. the
//! field that is used to generate the challenges. Therefore, it can perform the
//! first two checks. We have then the following diagram.
//!
//! ```text
//! +------------------------------------------+
//! | Instance n |
//! | (witness w_(p, n)) |
//! | ---------- |
//! | Vesta |
//! | (scalar field = Fp) |
//! | (base field = Fq) |
//! | (Sponge over Fq) |
//! | |
//! | Generate as output: |
//! | - u_(p, n) |
//! | - r |
//! | - "accumulated u": u_p + r * u_(p, n) |
//! | (note the operations are over Fp) |
//! +------------------------------------------+
//! |
//! |
//! |
//! | +-----------------------------+
//! | | Instance (n + 1) |
//! | | (witness w_(q, n)) |
//! |-------------> | ---------- |
//! | Pallas |
//! | (scalar field = Fq) |
//! | (base field = Fp) |
//! | (Sponge over Fp) |
//! | |
//! | Receive as (public) |
//! | inputs |
//! | --------------- |
//! | - commitments generated |
//! | by instance n (Fq elements) |
//! | - u_(p, n) |
//! | - r |
//! | - (more but unused by |
//! | the verifier) |
//! | |
//! | Verifier circuit |
//! | ---------------- |
//! | - run the sponge to |
//! | check the value u_(p, n) |
//! | and r |
//! +-----------------------------+
//! ```
//!
//! The last check, i.e. checking the accumulation of `u`, is "delayed" for the
//! instance (n + 2), to be able to perform the accumulation over Fp.
//!
//! Therefore, we end up with the following diagram:
//!
//! ```text
//! +------------------------------------------+ +-------------------------------------+
//! | Instance n | | Instance (n + 2) |
//! | (witness w_(p, n)) | | (witness w_(p, n + 1)) |
//! | ---------- | | ---------- |
//! | Vesta | | Vesta |
//! | (scalar field = Fp) | | (scalar field = Fp) |
//! | (base field = Fq) | | (base field = Fq) |
//! | (Sponge over Fq) | | (Sponge over Fq) |
//! | | | |
//! Generate as output: | | Receive as (public inputs) |
//! --------------- | | ------------------- |
//! | - u_(p, n) | | - `u_(p, n)` |
//! | - r | | - accumulated u, `acc_u` |
//! | - "accumulated u": u_p + r * u_(p, n) | | - random coin `r` |
//! | (note the operations are over Fp) | | - "old accumulated value" u_p |
//! +------------------------------------------+ | Verifier circuit |
//! | | ---------------- |
//! | | - check that |
//! | | `acc_u = u_p + r * u_(p, n)` |
//! | +-------------------------------------+
//! | ^
//! | |
//! | |
//! | +-----------------------------+ |
//! | | Instance (n + 1) | |
//! | | (witness w_(q, n)) | |
//! |-------------> | ---------- | ------------------
//! | Pallas |
//! | (scalar field = Fq) |
//! | (base field = Fp) |
//! | (Sponge over Fp) |
//! | |
//! | Receive as (public) |
//! | inputs |
//! | --------------- |
//! | - commitments generated |
//! | by instance n (Fq elements) |
//! | - u_(p, n) |
//! | - r |
//! | - (more but unused by |
//! | the verifier) |
//! | |
//! | Verifier circuit |
//! | ---------------- |
//! | - run the sponge to |
//! | check the value u_(p, n) |
//! | and r |
//! +-----------------------------+
//! ```

use crate::{
columns::Gadget, curve::PlonkSpongeConstants, MAXIMUM_FIELD_SIZE_IN_BITS, NUMBER_OF_COLUMNS,
Expand Down
Loading