From f80e3e66719a0a448f1c5d098880e8807d15f83e Mon Sep 17 00:00:00 2001 From: Vesselin Velichkov Date: Thu, 18 Aug 2022 09:44:34 +0100 Subject: [PATCH] plonk: removed computation of the challenge u at the end of the prover process since u is not used by the prover anyway. removed the automatic clearing of the hasher buffer inside get_hash. the caller is now responsible to clear the buffer when reusing the same hasher object. see also PR comment https://github.com/clearmatics/libsnark/pull/61#discussion_r948822968 . --- libsnark/zk_proof_systems/plonk/prover.tcc | 13 --------- libsnark/zk_proof_systems/plonk/srs.tcc | 1 - .../plonk/tests/test_plonk.cpp | 28 ++++++++++++++++++- 3 files changed, 27 insertions(+), 15 deletions(-) diff --git a/libsnark/zk_proof_systems/plonk/prover.tcc b/libsnark/zk_proof_systems/plonk/prover.tcc index c1b23e011..fde6d1b94 100644 --- a/libsnark/zk_proof_systems/plonk/prover.tcc +++ b/libsnark/zk_proof_systems/plonk/prover.tcc @@ -1115,19 +1115,6 @@ plonk_proof plonk_prover::compute_proof( srs, hasher); - // TODO: activate this part when we implement actual hashing of - // communication transcripts -#if 0 - // u: multipoint evaluation challenge -- hash of transcript from - // rounds 1,2,3,4,5 - const libff::Fr u = hasher.get_hash(); -#else - // do the hash anyway in order to keep the correct count of the - // hasher istep member (which resets to 0 only after the last hash - // is performed which is hash of u) - hasher.get_hash(); -#endif - // construct proof plonk_proof proof( round_one_out.W_polys_blinded_at_secret_g1, diff --git a/libsnark/zk_proof_systems/plonk/srs.tcc b/libsnark/zk_proof_systems/plonk/srs.tcc index 8c5626a09..5b1553929 100644 --- a/libsnark/zk_proof_systems/plonk/srs.tcc +++ b/libsnark/zk_proof_systems/plonk/srs.tcc @@ -252,7 +252,6 @@ template libff::Fr transcript_hasher::get_hash() __FILE__, __LINE__, (int)buffer_len); - this->buffer.clear(); challenge = this->hash_values[5]; // u } 
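Review bot: Dropping the final hasher.get_hash() also drops the side effect the deleted comment documented — advancing the hasher's istep counter to the point where it resets — and nothing in this hunk shows an alternative reset; if buffer_clear() (added in the tests) only empties the byte buffer and does not reset istep, a hasher object reused for the verifier would presumably start mid-transcript. The new contract is worth one line at the end of compute_proof: `// NOTE: u is not derived here; the hasher is left in its post-round-5 state and callers must reset it (buffer_clear()) before reusing it for verification.` Since the srs.tcc hunk in the same commit removes the only automatic clear, the prover no longer leaves the hasher in a reusable state on its own. compute_proof continues outside the hunk.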
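Review bot: With `this->buffer.clear()` removed, a caller that forgets buffer_clear() is not observable by the current tests, because the visible branch still returns the precomputed `this->hash_values[5]` regardless of what the buffer holds; once real hashing of the transcript lands, stale bytes from a previous proof would change the derived challenges, so the contract should be written down now. Suggest a Doxygen line on get_hash: `/// The buffer is NOT cleared; call buffer_clear() before reusing this hasher for another transcript (prover or verifier).` A cheap guard would be to check the expected buffer length for the current step before reading it, which the `buffer_len` diagnostic on the context lines already seems to compute. get_hash starts outside the hunk.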
diff --git a/libsnark/zk_proof_systems/plonk/tests/test_plonk.cpp b/libsnark/zk_proof_systems/plonk/tests/test_plonk.cpp
index 237c1ecac..26c4766b6 100644
--- a/libsnark/zk_proof_systems/plonk/tests/test_plonk.cpp
+++ b/libsnark/zk_proof_systems/plonk/tests/test_plonk.cpp
@@ -54,6 +54,7 @@ void test_verify_invalid_proof(
 for (size_t i = 0; i < valid_proof.W_polys_blinded_at_secret_g1.size(); ++i) {
 // re-initialize the manipulated proof
+ hasher.buffer_clear();
 proof = valid_proof;
 G1_noise = libff::G1::random_element();
 proof.W_polys_blinded_at_secret_g1[i] =
@@ -62,6 +63,7 @@ void test_verify_invalid_proof(
 ASSERT_FALSE(b_accept);
 }
 // manipulate [z]_1
+ hasher.buffer_clear();
 proof = valid_proof;
 G1_noise = libff::G1::random_element();
 proof.z_poly_at_secret_g1 = proof.z_poly_at_secret_g1 + G1_noise;
@@ -70,6 +72,7 @@ void test_verify_invalid_proof(
 // manipulate [t_lo]_1, [t_mi]_1, [t_hi]_1
 for (size_t i = 0; i < valid_proof.t_poly_at_secret_g1.size(); ++i) {
 // re-initialize the manipulated proof
+ hasher.buffer_clear();
 proof = valid_proof;
 G1_noise = libff::G1::random_element();
 proof.t_poly_at_secret_g1[i] = proof.t_poly_at_secret_g1[i] + G1_noise;
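Review bot: Every manipulation case now has to remember the `hasher.buffer_clear();` before `proof = valid_proof;`, and a case added later that omits it will still pass while get_hash returns fixed values, so the reset is better folded into the re-initialization itself; the same pattern repeats in the hunks at @@ -62, @@ -70 and @@ -77. A local helper at the top of test_verify_invalid_proof, `auto reset_case = [&]() { hasher.buffer_clear(); proof = valid_proof; };`, replacing each pair with `reset_case();` keeps the two steps from drifting apart. test_verify_invalid_proof starts outside the hunk.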
@@ -77,54 +80,63 @@ void test_verify_invalid_proof(
 ASSERT_FALSE(b_accept);
 }
 // manipulate \bar{a}
+ hasher.buffer_clear();
 proof = valid_proof;
 Fr_noise = libff::Fr::random_element();
 proof.a_zeta = proof.a_zeta + Fr_noise;
 b_accept = verifier.verify_proof(proof, srs, hasher);
 ASSERT_FALSE(b_accept);
 // manipulate \bar{b}
+ hasher.buffer_clear();
 proof = valid_proof;
 Fr_noise = libff::Fr::random_element();
 proof.b_zeta = proof.b_zeta + Fr_noise;
 b_accept = verifier.verify_proof(proof, srs, hasher);
 ASSERT_FALSE(b_accept);
 // manipulate \bar{c}
+ hasher.buffer_clear();
 proof = valid_proof;
 Fr_noise = libff::Fr::random_element();
 proof.c_zeta = proof.c_zeta + Fr_noise;
 b_accept = verifier.verify_proof(proof, srs, hasher);
 ASSERT_FALSE(b_accept);
 // manipulate \bar{S_sigma1}
+ hasher.buffer_clear();
 proof = valid_proof;
 Fr_noise = libff::Fr::random_element();
 proof.S_0_zeta = proof.S_0_zeta + Fr_noise;
 b_accept = verifier.verify_proof(proof, srs, hasher);
 ASSERT_FALSE(b_accept);
 // manipulate \bar{S_sigma2}
+ hasher.buffer_clear();
 proof = valid_proof;
 Fr_noise = libff::Fr::random_element();
 proof.S_1_zeta = proof.S_1_zeta + Fr_noise;
 b_accept = verifier.verify_proof(proof, srs, hasher);
 ASSERT_FALSE(b_accept);
 // manipulate \bar{z_w}
+ hasher.buffer_clear();
 proof = valid_proof;
 Fr_noise = libff::Fr::random_element();
 proof.z_poly_xomega_zeta = proof.z_poly_xomega_zeta + Fr_noise;
 b_accept = verifier.verify_proof(proof, srs, hasher);
 ASSERT_FALSE(b_accept);
 // manipulate [W_zeta]_1
+ hasher.buffer_clear();
 proof = valid_proof;
 G1_noise = libff::G1::random_element();
 proof.W_zeta_at_secret = proof.W_zeta_at_secret + G1_noise;
 b_accept = verifier.verify_proof(proof, srs, hasher);
 ASSERT_FALSE(b_accept);
 // manipulate [W_{zeta omega_roots}]_1
+ hasher.buffer_clear();
 proof = valid_proof;
 G1_noise = libff::G1::random_element();
 proof.W_zeta_omega_at_secret = proof.W_zeta_omega_at_secret + G1_noise;
 b_accept = verifier.verify_proof(proof, srs, hasher);
ASSERT_FALSE(b_accept); // manipulate r_zeta + hasher.buffer_clear(); proof = valid_proof; Fr_noise = libff::Fr::random_element(); proof.r_zeta = proof.r_zeta + Fr_noise; @@ -979,12 +991,18 @@ template void test_plonk_verifier_steps() plonk_proof proof = prover.compute_proof(srs, witness, blind_scalars, hasher); + // clear the hasher buffer in order to re-use the same transcript_hasher + // object for the verifier + hasher.buffer_clear(); + // Unit test verifier preprocessed input test_plonk_verifier_preprocessed_input(example, srs); - // unit test verifier step 5 + // compute step 4 const step_four_out_t step_four_out = plonk_verifier::step_four(proof, hasher); + + // unit test verifier step 5 test_plonk_verifier_step_five(example, step_four_out, srs); // unit test verifier step 6 @@ -1078,11 +1096,19 @@ template void test_plonk_verifier() plonk_proof proof = prover.compute_proof(srs, witness, blind_scalars, hasher); + // clear the hasher buffer in order to re-use the same transcript_hasher + // object for the verifier + hasher.buffer_clear(); + // initialize verifier plonk_verifier verifier; // verify proof bool b_valid_proof = verifier.verify_proof(proof, srs, hasher); ASSERT_TRUE(b_valid_proof); + + // clear the hasher buffer in order to re-use the same transcript_hasher + // object + hasher.buffer_clear(); // assert that proof verification fails when the proof is // manipulated test_verify_invalid_proof(proof, srs, hasher);
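Review bot: The second `hasher.buffer_clear();` added before `test_verify_invalid_proof(proof, srs, hasher);` duplicates the clears this commit adds inside test_verify_invalid_proof at the start of each manipulation case, so responsibility for resetting the hasher is now split between caller and callee. Either keep the clear here and state in test_verify_invalid_proof's header that it expects a freshly reset hasher, or drop it and document on test_verify_invalid_proof that it resets the hasher itself (`// Resets hasher before each case; callers need not clear it.`). The earlier hunk at @@ -979 has the same caller-side clear before the verifier steps, which is fine there since no callee does it. The rest of test_plonk_verifier is outside the hunk.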