plonk: removed computation of the challenge u at the end of the prove…

…r process since u is not used by the prover anyway. removed the automatic clearing of the hasher buffer inside get_hash. the caller is now responsible to clear the buffer when reusing the same hasher object. see also PR comment #61 (comment) .
clearmatics · Aug 18, 2022 · f80e3e6 · f80e3e6
1 parent f4cdcf2
commit f80e3e6
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 15 deletions.
diff --git a/libsnark/zk_proof_systems/plonk/prover.tcc b/libsnark/zk_proof_systems/plonk/prover.tcc
@@ -1115,19 +1115,6 @@ plonk_proof<ppT> plonk_prover<ppT>::compute_proof(
         srs,
         hasher);
 
-    // TODO: activate this part when we implement actual hashing of
-    // communication transcripts
-#if 0
-    // u: multipoint evaluation challenge -- hash of transcript from
-    // rounds 1,2,3,4,5
-    const libff::Fr<ppT> u = hasher.get_hash();
-#else
-    // do the hash anyway in order to keep the correct count of the
-    // hasher istep member (which resets to 0 only after the last hash
-    // is performed which is hash of u)
-    hasher.get_hash();
-#endif
-
     // construct proof
     plonk_proof<ppT> proof(
         round_one_out.W_polys_blinded_at_secret_g1,

diff --git a/libsnark/zk_proof_systems/plonk/srs.tcc b/libsnark/zk_proof_systems/plonk/srs.tcc
@@ -252,7 +252,6 @@ template<typename ppT> libff::Fr<ppT> transcript_hasher<ppT>::get_hash()
             __FILE__,
             __LINE__,
             (int)buffer_len);
-        this->buffer.clear();
         challenge = this->hash_values[5]; // u
     }
 

diff --git a/libsnark/zk_proof_systems/plonk/tests/test_plonk.cpp b/libsnark/zk_proof_systems/plonk/tests/test_plonk.cpp
@@ -54,6 +54,7 @@ void test_verify_invalid_proof(
     for (size_t i = 0; i < valid_proof.W_polys_blinded_at_secret_g1.size();
          ++i) {
         // re-initialize the manipulated proof
+        hasher.buffer_clear();
         proof = valid_proof;
         G1_noise = libff::G1<ppT>::random_element();
         proof.W_polys_blinded_at_secret_g1[i] =
@@ -62,6 +63,7 @@ void test_verify_invalid_proof(
         ASSERT_FALSE(b_accept);
     }
     // manipulate [z]_1
+    hasher.buffer_clear();
     proof = valid_proof;
     G1_noise = libff::G1<ppT>::random_element();
     proof.z_poly_at_secret_g1 = proof.z_poly_at_secret_g1 + G1_noise;
@@ -70,61 +72,71 @@ void test_verify_invalid_proof(
     // manipulate [t_lo]_1, [t_mi]_1, [t_hi]_1
     for (size_t i = 0; i < valid_proof.t_poly_at_secret_g1.size(); ++i) {
         // re-initialize the manipulated proof
+        hasher.buffer_clear();
         proof = valid_proof;
         G1_noise = libff::G1<ppT>::random_element();
         proof.t_poly_at_secret_g1[i] = proof.t_poly_at_secret_g1[i] + G1_noise;
         b_accept = verifier.verify_proof(proof, srs, hasher);
         ASSERT_FALSE(b_accept);
     }
     // manipulate \bar{a}
+    hasher.buffer_clear();
     proof = valid_proof;
     Fr_noise = libff::Fr<ppT>::random_element();
     proof.a_zeta = proof.a_zeta + Fr_noise;
     b_accept = verifier.verify_proof(proof, srs, hasher);
     ASSERT_FALSE(b_accept);
     // manipulate \bar{b}
+    hasher.buffer_clear();
     proof = valid_proof;
     Fr_noise = libff::Fr<ppT>::random_element();
     proof.b_zeta = proof.b_zeta + Fr_noise;
     b_accept = verifier.verify_proof(proof, srs, hasher);
     ASSERT_FALSE(b_accept);
     // manipulate \bar{c}
+    hasher.buffer_clear();
     proof = valid_proof;
     Fr_noise = libff::Fr<ppT>::random_element();
     proof.c_zeta = proof.c_zeta + Fr_noise;
     b_accept = verifier.verify_proof(proof, srs, hasher);
     ASSERT_FALSE(b_accept);
     // manipulate \bar{S_sigma1}
+    hasher.buffer_clear();
     proof = valid_proof;
     Fr_noise = libff::Fr<ppT>::random_element();
     proof.S_0_zeta = proof.S_0_zeta + Fr_noise;
     b_accept = verifier.verify_proof(proof, srs, hasher);
     ASSERT_FALSE(b_accept);
     // manipulate \bar{S_sigma2}
+    hasher.buffer_clear();
     proof = valid_proof;
     Fr_noise = libff::Fr<ppT>::random_element();
     proof.S_1_zeta = proof.S_1_zeta + Fr_noise;
     b_accept = verifier.verify_proof(proof, srs, hasher);
     ASSERT_FALSE(b_accept);
     // manipulate \bar{z_w}
+    hasher.buffer_clear();
     proof = valid_proof;
     Fr_noise = libff::Fr<ppT>::random_element();
     proof.z_poly_xomega_zeta = proof.z_poly_xomega_zeta + Fr_noise;
     b_accept = verifier.verify_proof(proof, srs, hasher);
     ASSERT_FALSE(b_accept);
     // manipulate [W_zeta]_1
+    hasher.buffer_clear();
     proof = valid_proof;
     G1_noise = libff::G1<ppT>::random_element();
     proof.W_zeta_at_secret = proof.W_zeta_at_secret + G1_noise;
     b_accept = verifier.verify_proof(proof, srs, hasher);
     ASSERT_FALSE(b_accept);
     // manipulate [W_{zeta omega_roots}]_1
+    hasher.buffer_clear();
     proof = valid_proof;
     G1_noise = libff::G1<ppT>::random_element();
     proof.W_zeta_omega_at_secret = proof.W_zeta_omega_at_secret + G1_noise;
     b_accept = verifier.verify_proof(proof, srs, hasher);
     ASSERT_FALSE(b_accept);
     // manipulate r_zeta
+    hasher.buffer_clear();
     proof = valid_proof;
     Fr_noise = libff::Fr<ppT>::random_element();
     proof.r_zeta = proof.r_zeta + Fr_noise;
@@ -979,12 +991,18 @@ template<typename ppT> void test_plonk_verifier_steps()
     plonk_proof<ppT> proof =
         prover.compute_proof(srs, witness, blind_scalars, hasher);
 
+    // clear the hasher buffer in order to re-use the same transcript_hasher
+    // object for the verifier
+    hasher.buffer_clear();
+
     // Unit test verifier preprocessed input
     test_plonk_verifier_preprocessed_input(example, srs);
 
-    // unit test verifier step 5
+    // compute step 4
     const step_four_out_t<ppT> step_four_out =
         plonk_verifier<ppT>::step_four(proof, hasher);
+
+    // unit test verifier step 5
     test_plonk_verifier_step_five(example, step_four_out, srs);
 
     // unit test verifier step 6
@@ -1078,11 +1096,19 @@ template<typename ppT> void test_plonk_verifier()
     plonk_proof<ppT> proof =
         prover.compute_proof(srs, witness, blind_scalars, hasher);
 
+    // clear the hasher buffer in order to re-use the same transcript_hasher
+    // object for the verifier
+    hasher.buffer_clear();
+
     // initialize verifier
     plonk_verifier<ppT> verifier;
     // verify proof
     bool b_valid_proof = verifier.verify_proof(proof, srs, hasher);
     ASSERT_TRUE(b_valid_proof);
+
+    // clear the hasher buffer in order to re-use the same transcript_hasher
+    // object
+    hasher.buffer_clear();
     // assert that proof verification fails when the proof is
     // manipulated
     test_verify_invalid_proof(proof, srs, hasher);