diff --git a/libsnark/zk_proof_systems/plonk/prover.hpp b/libsnark/zk_proof_systems/plonk/prover.hpp index 7a43a2a9a..d4a878e01 100644 --- a/libsnark/zk_proof_systems/plonk/prover.hpp +++ b/libsnark/zk_proof_systems/plonk/prover.hpp @@ -461,15 +461,8 @@ template class plonk_prover /// \param[in] blind_scalars: random blinding scalars b1, b2, ..., b9 /// used in prover rounds 1 and 2 (see Sect. 8.3, roumds /// 1,2 [GWC19]) - /// \param[in] transcript_hash: hashes of the communication transcript - /// after prover rounds 1,2,3,4,5. TODO: \attention - /// currently the structure is used as an input initialized - /// with hard-coded example values for debug purposes. In - /// the long run it should be modified to be used as an - /// output. More specifically, the hard-coded values should - /// be overwritten with the actual transcript hashes - /// produced after the respective rounds within \ref - /// compute_proof + /// \param[in] transcript_hasher: hashes of the communication + /// transcript after prover rounds 1,2,3,4,5. /// /// OUTPUT /// \param[out] proof: SNARK proof Pi (see above) @@ -477,7 +470,7 @@ template class plonk_prover const srs &srs, const std::vector &witness, const std::vector> &blind_scalars, - transcript_hash_t &transcript_hash); + transcript_hasher &hasher); }; } // namespace libsnark diff --git a/libsnark/zk_proof_systems/plonk/prover.tcc b/libsnark/zk_proof_systems/plonk/prover.tcc index 2b64baf62..ae61aeaa7 100644 --- a/libsnark/zk_proof_systems/plonk/prover.tcc +++ b/libsnark/zk_proof_systems/plonk/prover.tcc @@ -994,15 +994,8 @@ plonk_proof::plonk_proof( /// \param[in] blind_scalars: random blinding scalars b1, b2, ..., b9 /// used in prover rounds 1 and 2 (see Sect. 8.3, roumds /// 1,2 [GWC19]) -/// \param[in] transcript_hash: hashes of the communication transcript -/// after prover rounds 1,2,3,4,5. TODO: \attention -/// currently the structure is used as an input initialized -/// with hard-coded example values for debug purposes. In -/// the long run it should be modified to be used as an -/// output. More specifically, the hard-coded values should -/// be overwritten with the actual transcript hashes -/// produced after the respective rounds within \ref -/// compute_proof +/// \param[in] transcript_hasher: hashes of the communication +/// transcript after prover rounds 1,2,3,4,5. /// /// OUTPUT /// \param[out] proof: SNARK proof Pi (see above) @@ -1011,7 +1004,7 @@ plonk_proof plonk_prover::compute_proof( const srs &srs, const std::vector &witness, const std::vector> &blind_scalars, - transcript_hash_t &transcript_hash) + transcript_hasher &hasher) { // Prover Round 0 (initialization) printf("[%s:%d] Prover Round 0...\n", __FILE__, __LINE__); @@ -1024,27 +1017,28 @@ plonk_proof plonk_prover::compute_proof( printf("[%s:%d] Prover Round 2...\n", __FILE__, __LINE__); // - beta, gamma: permutation challenges - hashes of transcript of round 1 - const libff::Fr beta = transcript_hash.beta; - const libff::Fr gamma = transcript_hash.gamma; + const libff::Fr beta = hasher.get_hash(); + const libff::Fr gamma = hasher.get_hash(); + round_two_out_t round_two_out = plonk_prover::round_two( beta, gamma, round_zero_out, blind_scalars, witness, srs); printf("[%s:%d] Prover Round 3...\n", __FILE__, __LINE__); // - alpha: quotient challenge - hash of transcript of rounds 1,2 - libff::Fr alpha = transcript_hash.alpha; + const libff::Fr alpha = hasher.get_hash(); round_three_out_t round_three_out = plonk_prover::round_three( alpha, beta, gamma, round_zero_out, round_one_out, round_two_out, srs); printf("[%s:%d] Prover Round 4...\n", __FILE__, __LINE__); // - zeta: evaluation challenge - hash of transcriptof rounds 1,2,3 - libff::Fr zeta = transcript_hash.zeta; + const libff::Fr zeta = hasher.get_hash(); round_four_out_t round_four_out = plonk_prover::round_four(zeta, round_one_out, round_three_out, srs); printf("[%s:%d] Prover Round 5...\n", __FILE__, __LINE__); /// - nu: opening challenge -- hash of transcript (denoted by v in /// [GWC19]) - libff::Fr nu = transcript_hash.nu; + const libff::Fr nu = hasher.get_hash(); round_five_out_t round_five_out = plonk_prover::round_five( alpha, beta, @@ -1060,10 +1054,15 @@ plonk_proof plonk_prover::compute_proof( // TODO: activate this part when we implement actual hashing of // communication transcripts -#if 0 +#if 0 // u: multipoint evaluation challenge -- hash of transcript from // rounds 1,2,3,4,5 - libff::Fr u = transcript_hash.u; + const libff::Fr u = hasher.get_hash(); +#else + // do the hash anyway in order to keep the correct count of the + // hasher istep member (which resets to 0 only after the last hash + // is performed which is hash of u) + hasher.get_hash(); #endif // construct proof diff --git a/libsnark/zk_proof_systems/plonk/srs.hpp b/libsnark/zk_proof_systems/plonk/srs.hpp index 0fcf67b0e..5b34f3e47 100644 --- a/libsnark/zk_proof_systems/plonk/srs.hpp +++ b/libsnark/zk_proof_systems/plonk/srs.hpp @@ -179,32 +179,22 @@ template class plonk_keypair plonk_keypair(plonk_keypair &&other) = default; }; -/// Hashes of transcript after prover rounds 1,2,3,4,5 -template struct transcript_hash_t { - - /// - beta: permutation challenge - hashes of transcript after round 1 - libff::Fr beta; - /// - gamma: permutation challenge - hashes of transcript after round 1 - libff::Fr gamma; - /// - alpha: quotient challenge - hash of transcript after rounds 1,2 - libff::Fr alpha; - /// - zeta: evaluation challenge - hash of transcriptafter rounds 1,2,3 - libff::Fr zeta; - /// - nu: opening challenge - hash of transcript after rounds 1,2,3,4 - /// (denoted by v in [GWC19]) - libff::Fr nu; - /// - u: multipoint evaluation challenge -- hash of transcript after rounds - /// 1,2,3,4,5 - libff::Fr u; - - /// struct constructor - transcript_hash_t( - libff::Fr &beta, - libff::Fr &gamma, - libff::Fr &alpha, - libff::Fr &zeta, - libff::Fr &nu, - libff::Fr &u); +/// transcript hasher interface +template class transcript_hasher +{ +private: + // the current step of the hasher + size_t istep; + +public: + void add_element(const libff::Fr &element); + void add_element(const libff::G1 &element); + void add_element(const libff::G2 &element); + + libff::Fr get_hash(); + + // constructor + transcript_hasher(size_t &istep); }; } // namespace libsnark diff --git a/libsnark/zk_proof_systems/plonk/srs.tcc b/libsnark/zk_proof_systems/plonk/srs.tcc index 0ecc24ed9..2977770b0 100644 --- a/libsnark/zk_proof_systems/plonk/srs.tcc +++ b/libsnark/zk_proof_systems/plonk/srs.tcc @@ -70,19 +70,68 @@ plonk_keypair::plonk_keypair( { } -/// struct transcript_hash_t constructor +/// transcript_hasher constructor template -transcript_hash_t::transcript_hash_t( - libff::Fr &beta, - libff::Fr &gamma, - libff::Fr &alpha, - libff::Fr &zeta, - libff::Fr &nu, - libff::Fr &u) - : beta(beta), gamma(gamma), alpha(alpha), zeta(zeta), nu(nu), u(u) +transcript_hasher::transcript_hasher(size_t &istep) : istep(istep) { } +/// dummy implementation of get_hash that directly returns the +/// expected hard-coded hashes for the purposes of unit testing TODO +/// to be replaced by a call to a proper hash function e.g. SHA2, +/// BLAKE, etc. +template libff::Fr transcript_hasher::get_hash() +{ + assert((this->istep >= 0) && (this->istep <= 5)); + using Field = libff::Fr; + + Field beta = Field("3710899868510394644410941212967766116886736137326022751" + "891187938298987182388"); + Field gamma = Field("110379303840831945879077096653321168432672740458288022" + "49545114995763715746939"); + Field alpha = Field("379799789992747238930717819864848384921111623418803600" + "22719385400306128734648"); + Field zeta = Field("4327197228921839935583364394550235027071910395980312641" + "5018065799136107272465"); + Field nu = Field("275158598338697752421507265080923414294782807831923791651" + "55175653098691426347"); + Field u = Field("1781751143954696684632449211212056577828855388109883650570" + "6049265393896966778"); + if (this->istep == 0) { + printf("[%s:%d] istep %d\n", __FILE__, __LINE__, (int)istep); + this->istep++; + return beta; + } + if (this->istep == 1) { + printf("[%s:%d] istep %d\n", __FILE__, __LINE__, (int)istep); + this->istep++; + return gamma; + } + if (this->istep == 2) { + printf("[%s:%d] istep %d\n", __FILE__, __LINE__, (int)istep); + this->istep++; + return alpha; + } + if (this->istep == 3) { + printf("[%s:%d] istep %d\n", __FILE__, __LINE__, (int)istep); + this->istep++; + return zeta; + } + if (this->istep == 4) { + printf("[%s:%d] istep %d\n", __FILE__, __LINE__, (int)istep); + this->istep++; + return nu; + } + if (this->istep == 5) { + // reset step to 0 + printf("[%s:%d] istep %d\n", __FILE__, __LINE__, (int)istep); + this->istep = 0; + return u; + } + // error + return 0; +} + /// Compute a universal srs (usrs). It is composed *only* of encoded /// powers of the secret value in the group generator. Therefore a usrs /// is independent of any particular circuit. diff --git a/libsnark/zk_proof_systems/plonk/tests/test_plonk.cpp b/libsnark/zk_proof_systems/plonk/tests/test_plonk.cpp index e4330c478..9a41f8bbf 100644 --- a/libsnark/zk_proof_systems/plonk/tests/test_plonk.cpp +++ b/libsnark/zk_proof_systems/plonk/tests/test_plonk.cpp @@ -38,7 +38,7 @@ template void test_verify_invalid_proof( const plonk_proof &valid_proof, const srs &srs, - transcript_hash_t &transcript_hash) + transcript_hasher &hasher) { // initialize verifier plonk_verifier verifier; @@ -59,14 +59,14 @@ void test_verify_invalid_proof( G1_noise = libff::G1::random_element(); proof.W_polys_blinded_at_secret_g1[i] = proof.W_polys_blinded_at_secret_g1[i] + G1_noise; - b_accept = verifier.verify_proof(proof, srs, transcript_hash); + b_accept = verifier.verify_proof(proof, srs, hasher); ASSERT_FALSE(b_accept); } // manipulate [z]_1 proof = valid_proof; G1_noise = libff::G1::random_element(); proof.z_poly_at_secret_g1 = proof.z_poly_at_secret_g1 + G1_noise; - b_accept = verifier.verify_proof(proof, srs, transcript_hash); + b_accept = verifier.verify_proof(proof, srs, hasher); ASSERT_FALSE(b_accept); // manipulate [t_lo]_1, [t_mi]_1, [t_hi]_1 for (size_t i = 0; i < valid_proof.t_poly_at_secret_g1.size(); ++i) { @@ -74,62 +74,62 @@ void test_verify_invalid_proof( proof = valid_proof; G1_noise = libff::G1::random_element(); proof.t_poly_at_secret_g1[i] = proof.t_poly_at_secret_g1[i] + G1_noise; - b_accept = verifier.verify_proof(proof, srs, transcript_hash); + b_accept = verifier.verify_proof(proof, srs, hasher); ASSERT_FALSE(b_accept); } // manipulate \bar{a} proof = valid_proof; Fr_noise = libff::Fr::random_element(); proof.a_zeta = proof.a_zeta + Fr_noise; - b_accept = verifier.verify_proof(proof, srs, transcript_hash); + b_accept = verifier.verify_proof(proof, srs, hasher); ASSERT_FALSE(b_accept); // manipulate \bar{b} proof = valid_proof; Fr_noise = libff::Fr::random_element(); proof.b_zeta = proof.b_zeta + Fr_noise; - b_accept = verifier.verify_proof(proof, srs, transcript_hash); + b_accept = verifier.verify_proof(proof, srs, hasher); ASSERT_FALSE(b_accept); // manipulate \bar{c} proof = valid_proof; Fr_noise = libff::Fr::random_element(); proof.c_zeta = proof.c_zeta + Fr_noise; - b_accept = verifier.verify_proof(proof, srs, transcript_hash); + b_accept = verifier.verify_proof(proof, srs, hasher); ASSERT_FALSE(b_accept); // manipulate \bar{S_sigma1} proof = valid_proof; Fr_noise = libff::Fr::random_element(); proof.S_0_zeta = proof.S_0_zeta + Fr_noise; - b_accept = verifier.verify_proof(proof, srs, transcript_hash); + b_accept = verifier.verify_proof(proof, srs, hasher); ASSERT_FALSE(b_accept); // manipulate \bar{S_sigma2} proof = valid_proof; Fr_noise = libff::Fr::random_element(); proof.S_1_zeta = proof.S_1_zeta + Fr_noise; - b_accept = verifier.verify_proof(proof, srs, transcript_hash); + b_accept = verifier.verify_proof(proof, srs, hasher); ASSERT_FALSE(b_accept); // manipulate \bar{z_w} proof = valid_proof; Fr_noise = libff::Fr::random_element(); proof.z_poly_xomega_zeta = proof.z_poly_xomega_zeta + Fr_noise; - b_accept = verifier.verify_proof(proof, srs, transcript_hash); + b_accept = verifier.verify_proof(proof, srs, hasher); ASSERT_FALSE(b_accept); // manipulate [W_zeta]_1 proof = valid_proof; G1_noise = libff::G1::random_element(); proof.W_zeta_at_secret = proof.W_zeta_at_secret + G1_noise; - b_accept = verifier.verify_proof(proof, srs, transcript_hash); + b_accept = verifier.verify_proof(proof, srs, hasher); ASSERT_FALSE(b_accept); // manipulate [W_{zeta omega_roots}]_1 proof = valid_proof; G1_noise = libff::G1::random_element(); proof.W_zeta_omega_at_secret = proof.W_zeta_omega_at_secret + G1_noise; - b_accept = verifier.verify_proof(proof, srs, transcript_hash); + b_accept = verifier.verify_proof(proof, srs, hasher); ASSERT_FALSE(b_accept); // manipulate r_zeta proof = valid_proof; Fr_noise = libff::Fr::random_element(); proof.r_zeta = proof.r_zeta + Fr_noise; - b_accept = verifier.verify_proof(proof, srs, transcript_hash); + b_accept = verifier.verify_proof(proof, srs, hasher); ASSERT_FALSE(b_accept); } @@ -467,14 +467,6 @@ template void test_plonk_prover_rounds() // example circuit circuit_t circuit = plonk_circuit_description_from_example(example); - // get hard-coded values for the transcipt hash - transcript_hash_t transcript_hash( - example.beta, - example.gamma, - example.alpha, - example.zeta, - example.nu, - example.u); // hard-coded values for the "random" blinding constants from // example circuit std::vector> blind_scalars = example.prover_blind_scalars; @@ -485,6 +477,10 @@ template void test_plonk_prover_rounds() usrs usrs = plonk_usrs_derive_from_secret(secret, max_degree); srs srs = plonk_srs_derive_from_usrs(usrs, circuit); + // initialize hasher + size_t istep = 0; + transcript_hasher hasher(istep); + // Prover Round 0 (initialization) round_zero_out_t round_zero_out = plonk_prover::round_zero(srs); @@ -494,8 +490,8 @@ template void test_plonk_prover_rounds() // Unit test Prover Round 2 printf("[%s:%d] Unit test Prover Round 2...\n", __FILE__, __LINE__); - const libff::Fr beta = transcript_hash.beta; - const libff::Fr gamma = transcript_hash.gamma; + const libff::Fr beta = hasher.get_hash(); + const libff::Fr gamma = hasher.get_hash(); test_plonk_prover_round_two( example, beta, gamma, round_zero_out, blind_scalars, witness, srs); @@ -508,7 +504,7 @@ template void test_plonk_prover_rounds() round_zero_out, blind_scalars, witness, srs); round_two_out_t round_two_out = plonk_prover::round_two( beta, gamma, round_zero_out, blind_scalars, witness, srs); - libff::Fr alpha = transcript_hash.alpha; + const libff::Fr alpha = hasher.get_hash(); test_plonk_prover_round_three( example, alpha, @@ -523,7 +519,7 @@ template void test_plonk_prover_rounds() printf("[%s:%d] Prover Round 4...\n", __FILE__, __LINE__); round_three_out_t round_three_out = plonk_prover::round_three( alpha, beta, gamma, round_zero_out, round_one_out, round_two_out, srs); - libff::Fr zeta = transcript_hash.zeta; + const libff::Fr zeta = hasher.get_hash(); test_plonk_prover_round_four( example, zeta, round_one_out, round_three_out, srs); @@ -531,7 +527,7 @@ template void test_plonk_prover_rounds() printf("[%s:%d] Unit test Prover Round 5...\n", __FILE__, __LINE__); round_four_out_t round_four_out = plonk_prover::round_four( zeta, round_one_out, round_three_out, srs); - libff::Fr nu = transcript_hash.nu; + const libff::Fr nu = hasher.get_hash(); test_plonk_prover_round_five( example, alpha, @@ -604,14 +600,6 @@ template void test_plonk_prover() // example circuit circuit_t circuit = plonk_circuit_description_from_example(example); - // get hard-coded values for the transcipt hash - transcript_hash_t transcript_hash( - example.beta, - example.gamma, - example.alpha, - example.zeta, - example.nu, - example.u); // hard-coded values for the "random" blinding constants from // example circuit std::vector> blind_scalars = example.prover_blind_scalars; @@ -622,11 +610,15 @@ template void test_plonk_prover() usrs usrs = plonk_usrs_derive_from_secret(secret, max_degree); srs srs = plonk_srs_derive_from_usrs(usrs, circuit); + // initialize hasher + size_t istep = 0; + transcript_hasher hasher(istep); + // initialize prover plonk_prover prover; // compute proof plonk_proof proof = - prover.compute_proof(srs, witness, blind_scalars, transcript_hash); + prover.compute_proof(srs, witness, blind_scalars, hasher); // compare proof against test vector values (debug) ASSERT_EQ(proof.a_zeta, example.a_zeta); ASSERT_EQ(proof.b_zeta, example.b_zeta); @@ -886,14 +878,6 @@ template void test_plonk_verifier_steps() // example circuit circuit_t circuit = plonk_circuit_description_from_example(example); - // get hard-coded values for the transcipt hash - transcript_hash_t transcript_hash( - example.beta, - example.gamma, - example.alpha, - example.zeta, - example.nu, - example.u); // hard-coded values for the "random" blinding constants from // example circuit std::vector> blind_scalars = example.prover_blind_scalars; @@ -904,18 +888,22 @@ template void test_plonk_verifier_steps() usrs usrs = plonk_usrs_derive_from_secret(secret, max_degree); srs srs = plonk_srs_derive_from_usrs(usrs, circuit); + // initialize hasher + size_t istep = 0; + transcript_hasher hasher(istep); + // initialize prover plonk_prover prover; // compute proof plonk_proof proof = - prover.compute_proof(srs, witness, blind_scalars, transcript_hash); + prover.compute_proof(srs, witness, blind_scalars, hasher); // Unit test verifier preprocessed input test_plonk_verifier_preprocessed_input(example, srs); // unit test verifier step 5 const step_four_out_t step_four_out = - plonk_verifier::step_four(transcript_hash); + plonk_verifier::step_four(hasher); test_plonk_verifier_step_five(example, step_four_out, srs); // unit test verifier step 6 @@ -989,14 +977,6 @@ template void test_plonk_verifier() // example circuit circuit_t circuit = plonk_circuit_description_from_example(example); - // get hard-coded values for the transcipt hash - transcript_hash_t transcript_hash( - example.beta, - example.gamma, - example.alpha, - example.zeta, - example.nu, - example.u); // hard-coded values for the "random" blinding constants from // example circuit std::vector> blind_scalars = example.prover_blind_scalars; @@ -1007,20 +987,24 @@ template void test_plonk_verifier() usrs usrs = plonk_usrs_derive_from_secret(secret, max_degree); srs srs = plonk_srs_derive_from_usrs(usrs, circuit); + // initialize hasher + size_t istep = 0; + transcript_hasher hasher(istep); + // initialize prover plonk_prover prover; // compute proof plonk_proof proof = - prover.compute_proof(srs, witness, blind_scalars, transcript_hash); + prover.compute_proof(srs, witness, blind_scalars, hasher); // initialize verifier plonk_verifier verifier; // verify proof - bool b_valid_proof = verifier.verify_proof(proof, srs, transcript_hash); + bool b_valid_proof = verifier.verify_proof(proof, srs, hasher); ASSERT_TRUE(b_valid_proof); // assert that proof verification fails when the proof is // manipulated - test_verify_invalid_proof(proof, srs, transcript_hash); + test_verify_invalid_proof(proof, srs, hasher); } TEST(TestPlonk, BLS12_381) diff --git a/libsnark/zk_proof_systems/plonk/verifier.hpp b/libsnark/zk_proof_systems/plonk/verifier.hpp index e9f9f6631..81bdd4841 100644 --- a/libsnark/zk_proof_systems/plonk/verifier.hpp +++ b/libsnark/zk_proof_systems/plonk/verifier.hpp @@ -81,12 +81,12 @@ template struct step_four_out_t { libff::Fr nu; libff::Fr u; step_four_out_t( - libff::Fr &&beta, - libff::Fr &&gamma, - libff::Fr &&alpha, - libff::Fr &&zeta, - libff::Fr &&nu, - libff::Fr &&u); + libff::Fr &beta, + libff::Fr &gamma, + libff::Fr &alpha, + libff::Fr &zeta, + libff::Fr &nu, + libff::Fr &u); }; /// Verifier step 5 output @@ -186,12 +186,8 @@ template class plonk_verifier /// pi-SNARK. TODO: fixed to the test vectors for now /// /// INPUT - /// \param[in] transcript_hash: hashes of the communication transcript - /// after prover rounds 1,2,3,4,5. TODO: \attention - /// currently the hashes are pre-computed by the caller and - /// passed as input for the purpouses of unit testing. In - /// the long run this input can be removed and the hashes - /// can be computed directly inside verifier::step_four() + /// \param[in] transcript_hasher: hashes of the communication + /// transcript after prover rounds 1,2,3,4,5. /// /// OUTPUT /// \param[out] beta, gamma: permutation challenges - hashes of @@ -202,8 +198,7 @@ template class plonk_verifier /// v in [GWC19]) /// \param[out] u: multipoint evaluation challenge - hash of /// transcript - static step_four_out_t step_four( - const transcript_hash_t &transcript_hash); + static step_four_out_t step_four(transcript_hasher &hasher); /// Verifier Step 5: compute zero polynomial evaluation /// @@ -422,19 +417,15 @@ template class plonk_verifier /// \param[in] proof: SNARK proof produced by the prover /// \param[in] srs: structured reference string containing also /// circuit-specific information - /// \param[in] transcript_hash: hashes of the communication transcript - /// after prover rounds 1,2,3,4,5. TODO: \attention - /// currently the hashes are pre-computed by the caller and - /// passed as input for the purpouses of unit testing. In - /// the long run this input can be removed and the hashes - /// can be computed directly inside verifier::step_four() + /// \param[in] transcript_hasher: hashes of the communication + /// transcript after prover rounds 1,2,3,4,5. /// /// OUTPUT /// \param[out] boolean 1/0 = valid/invalid proof bool verify_proof( const plonk_proof &proof, const srs &srs, - transcript_hash_t &transcript_hash); + transcript_hasher &hasher); }; } // namespace libsnark diff --git a/libsnark/zk_proof_systems/plonk/verifier.tcc b/libsnark/zk_proof_systems/plonk/verifier.tcc index dbcd42796..8ad729a01 100644 --- a/libsnark/zk_proof_systems/plonk/verifier.tcc +++ b/libsnark/zk_proof_systems/plonk/verifier.tcc @@ -85,12 +85,12 @@ template void plonk_verifier::step_three(const srs &srs) /// struct step_four_out_t constructor template step_four_out_t::step_four_out_t( - libff::Fr &&beta, - libff::Fr &&gamma, - libff::Fr &&alpha, - libff::Fr &&zeta, - libff::Fr &&nu, - libff::Fr &&u) + libff::Fr &beta, + libff::Fr &gamma, + libff::Fr &alpha, + libff::Fr &zeta, + libff::Fr &nu, + libff::Fr &u) : beta(beta), gamma(gamma), alpha(alpha), zeta(zeta), nu(nu), u(u) { } @@ -100,12 +100,8 @@ step_four_out_t::step_four_out_t( /// pi-SNARK. TODO: fixed to the test vectors for now /// /// INPUT -/// \param[in] transcript_hash: hashes of the communication transcript -/// after prover rounds 1,2,3,4,5. TODO: \attention -/// currently the hashes are pre-computed by the caller and -/// passed as input for the purpouses of unit testing. In -/// the long run this input can be removed and the hashes -/// can be computed directly inside verifier::step_four() +/// \param[in] transcript_hasher: hashes of the communication +/// transcript after prover rounds 1,2,3,4,5. /// /// OUTPUT /// \param[out] beta, gamma: permutation challenges - hashes of @@ -118,16 +114,16 @@ step_four_out_t::step_four_out_t( /// transcript template step_four_out_t plonk_verifier::step_four( - const transcript_hash_t &transcript_hash) + transcript_hasher &hasher) { + libff::Fr beta = hasher.get_hash(); + libff::Fr gamma = hasher.get_hash(); + libff::Fr alpha = hasher.get_hash(); + libff::Fr zeta = hasher.get_hash(); + libff::Fr nu = hasher.get_hash(); + libff::Fr u = hasher.get_hash(); // step 4 output - step_four_out_t step_four_out( - Field(transcript_hash.beta), - Field(transcript_hash.gamma), - Field(transcript_hash.alpha), - Field(transcript_hash.zeta), - Field(transcript_hash.nu), - Field(transcript_hash.u)); + step_four_out_t step_four_out(beta, gamma, alpha, zeta, nu, u); return step_four_out; } @@ -601,12 +597,8 @@ bool plonk_verifier::step_twelve( /// \param[in] proof: SNARK proof produced by the prover /// \param[in] srs: structured reference string containing also /// circuit-specific information -/// \param[in] transcript_hash: hashes of the communication transcript -/// after prover rounds 1,2,3,4,5. TODO: \attention -/// currently the hashes are pre-computed by the caller and -/// passed as input for the purpouses of unit testing. In -/// the long run this input can be removed and the hashes -/// can be computed directly inside verifier::step_four() +/// \param[in] transcript_hasher: hashes of the communication +/// transcript after prover rounds 1,2,3,4,5. /// /// OUTPUT /// \param[out] boolean 1/0 = valid/invalid proof @@ -614,7 +606,7 @@ template bool plonk_verifier::verify_proof( const plonk_proof &proof, const srs &srs, - transcript_hash_t &transcript_hash) + transcript_hasher &hasher) { // compute verifier preprocessed input const verifier_preprocessed_input_t preprocessed_input = @@ -630,7 +622,7 @@ bool plonk_verifier::verify_proof( // Verifier Step 4: compute challenges hashed transcript as in // prover description, from the common inputs, public input, and // elements of pi-SNARK (fixed to the test vectors for now) - const step_four_out_t step_four_out = this->step_four(transcript_hash); + const step_four_out_t step_four_out = this->step_four(hasher); // Verifier Step 5: compute zero polynomial evaluation const step_five_out_t step_five_out =