chore: audit Permutation argument 3 #18657
Conversation
notnotraju
added
ci-full
| void set_tau_at_index(const uint32_t tag_index, const uint32_t tau_index) | ||
| { | ||
| this->_tau.insert({ tag_index, tau_index }); | ||
| this->current_tag++; // Why exactly? |
There was a problem hiding this comment.
unnecessary, as long as we only access tags by the get_new_tag() method.
| * @param tag_index_2 | ||
| * @return uint32_t | ||
| */ | ||
| void set_tau_transposition(const uint32_t tag_index_1, const uint32_t tag_index_2) |
There was a problem hiding this comment.
our
| * circuit fails. | ||
| * | ||
| */ | ||
| TEST_F(ComposerLibTests, TagCollisionFailure) |
There was a problem hiding this comment.
test might not belong here, the "composer" directory seems deprecated, we might want to refactor and move stuff elsewhere for clarity. still, for the time being, worth testing the code in the directory in the same directory.
| * @param tau_index | ||
| * @return uint32_t | ||
| */ | ||
| void set_tau_at_index(const uint32_t tag_index, const uint32_t tau_index) |
There was a problem hiding this comment.
create_tag is a bit misleading, what this does is set the
There was a problem hiding this comment.
This file is about half old tests, slightly rewritten.
| * @note There are no tags/multiset-equality checks in this test. | ||
| * @note We exclude ZK flavors because we manually tamper with precomputed polynomials. | ||
| */ | ||
| TYPED_TEST(PermutationNonZKTests, SigmaCorruptionFailure) |
| * | ||
| * @note We exclude ZK flavors because we manually tamper with relation parameters. | ||
| */ | ||
| TYPED_TEST(PermutationNonZKTests, PublicInputDeltaMismatch) |
|
|
||
| namespace bb { | ||
|
|
||
| // TODO(luke): This contains utilities for grand product computation and is not specific to the permutation grand |
| * @brief The permutation on variable tags | ||
| * @details See https://github.com/AztecProtocol/plonk-with-lookups-private/blob/new-stuff/GenPermuations.pdf | ||
| * @brief The permutation on variable tags, as a constituent of the generalized permutation argument. | ||
| * @details See S6 of https://github.com/AztecProtocol/plonk-with-lookups-private/blob/new-stuff/GenPermuations.pdf |
There was a problem hiding this comment.
link doesn't exist, not sure where we should permalink this.
There was a problem hiding this comment.
(plookup paper doesn't have the relevant S6)
| * the multiset of values with second_tag (after applying tau). Here both multisets are {x, y}, | ||
| * so the check passes. | ||
| */ | ||
| TYPED_TEST(PermutationTests, NonTrivialTagPermutation) |
| * The test verifies that both mechanisms can coexist: the grand product argument must account for | ||
| * both the wire permutation cycles AND the tag-based multiset equality check. | ||
| */ | ||
| TYPED_TEST(PermutationTests, NonTrivialGeneralizedPerm) |
| * The second sub-test creates the same circuit WITHOUT tags to confirm that the circuit's | ||
| * arithmetic constraints are satisfied, proving the failure above is due to multiset-equality mismatch. | ||
| */ | ||
| TYPED_TEST(PermutationTests, BadTagPermutation) |
| * @note This test does not use `prove_and_verify`. Indeed, there is no straightforward way to tamper with z_perm, | ||
| * created after finalization, using `prove_and_verify`. | ||
| */ | ||
| TYPED_TEST(PermutationNonZKTests, ZPermZeroedOutFailure) |
There was a problem hiding this comment.
old test (earlier part of this audit)
| * @note This test excludes ZK flavors because we manually tamper with z_perm, which would | ||
| * conflict with the ZK masking applied to witness polynomials. | ||
| */ | ||
| TYPED_TEST(PermutationNonZKTests, ZPermShiftNotZeroAtLagrangeLastFailure) |
There was a problem hiding this comment.
old test (earlier part of this audit)
| * real_variable_index[index] == index, i.e. it is the identity map | ||
| * real_variable_index[index] == index, i.e., it is the identity map. | ||
| * | ||
| * @note If there is a copy constraint between witness indices idx_a and idx_b, then their they will both point to |
There was a problem hiding this comment.
| * @note If there is a copy constraint between witness indices idx_a and idx_b, then their they will both point to | |
| * @note If there is a copy constraint between witness indices idx_a and idx_b, then they will both point to |
| * of space within the wire polynomials, regardless of how many actual constraints of each type exist. This is | ||
| * useful primarily for folding since it guarantees that the set of relations that must be executed at each row is | ||
| * consistent across all folding steps. | ||
| * @note By default, this method constructs an exectution trace that is sorted by gate type. |
There was a problem hiding this comment.
| * @note By default, this method constructs an exectution trace that is sorted by gate type. | |
| * @note By default, this method constructs an execution trace that is sorted by gate type. |
| * where ∏ := ∏_{j=0:i-1} | ||
| * | ||
| * The specific algebraic relation used by Z_perm is defined by Flavor::GrandProductRelations | ||
| * (Note that Z_perm[1] may be thought of as the quotient of the empty product by the empty product, and hence setting |
| * optimization having to do with public inputs.) | ||
| * | ||
| * For example, in Flavor::Standard the relation describes: | ||
| * The following is the classic, no-public-inputs PLONK permutation argument on 4 wires. This bears witness to the |
There was a problem hiding this comment.
This seems a little bit misleading since this indeed the method we use to compute z_perm for the fully general case (public inputs + generalized perms), not just trad copy constraints. Maybe with this comment you're interpreting \simga and id as the unadulterated entities that only account for copy constraints rather than the sigma and id polynomials which account for everything?
🧾 Audit Context
Part of the (generalized) permutation audit.
🛠️ Changes Made
✅ Checklist
📌 Notes for Reviewers
The diff misleadingly large because some tests were migrated and some boilerplate changed.