Restore transcript consistency

Author: darth-cy

spartan_parallel/src/dense_mlpoly.rs

@@ -370,19 +370,34 @@ impl<S: SpartanExtensionField> PolyEvalProof<S> {
 
   pub fn verify(
     &self,
-    _transcript: &mut Transcript,
-    _r: &[S], // point at which the polynomial is evaluated
+    transcript: &mut Transcript,
+    r: &[S], // point at which the polynomial is evaluated
   ) -> Result<(), ProofVerifyError> {
+    <Transcript as ProofTranscript<S>>::append_protocol_name(
+      transcript,
+      PolyEvalProof::<S>::protocol_name(),
+    );
+
+    // compute L and R
+    let eq = EqPolynomial::new(r.to_vec());
+    let (L, R) = eq.compute_factored_evals();
+
+    let _ = self
+      .proof
+      .verify(R.len(), transcript, &R);
+
     // TODO: Alternative PCS Verification
     Ok(())
   }
 
   pub fn verify_plain(
     &self,
-    _transcript: &mut Transcript,
-    _r: &[S], // point at which the polynomial is evaluated
+    transcript: &mut Transcript,
+    r: &[S], // point at which the polynomial is evaluated
     _Zr: &S,  // evaluation \widetilde{Z}(r)
   ) -> Result<(), ProofVerifyError> {
+    self.verify(transcript, r);
+
     // TODO: Alternative PCS Verification
     Ok(())
   }
@@ -758,6 +773,7 @@ impl<S: SpartanExtensionField> PolyEvalProof<S> {
     }
 
     let mut proof_list = Vec::new();
+
     for i in 0..LZ_list.len() {
       let L = &L_list[i];
       let L_size = L.len();
@@ -781,8 +797,10 @@ impl<S: SpartanExtensionField> PolyEvalProof<S> {
         &Zc_list[i],
         blind_Zr,
       );
+
       proof_list.push(PolyEvalProof { proof });
     }
+
     proof_list
   }
 
@@ -801,6 +819,7 @@ impl<S: SpartanExtensionField> PolyEvalProof<S> {
 
     // We need one proof per poly size
     let mut index_map: HashMap<(usize, usize), usize> = HashMap::new();
+    let mut LZ_list: Vec<S> = Vec::new();
     let mut L_list = Vec::new();
     let mut R_list = Vec::new();
 
@@ -815,7 +834,11 @@ impl<S: SpartanExtensionField> PolyEvalProof<S> {
       if let Some(index) = index_map.get(&(num_proofs, num_inputs)) {
         c = c * c_base;
         let _L = &L_list[*index];
+
+        let LZ = S::field_zero();
+        LZ_list[*index] = LZ_list[*index] + c * LZ;
       } else {
+        index_map.insert((num_proofs, num_inputs), LZ_list.len());
         let num_vars_q = num_proofs.log_2();
         let num_vars_y = num_inputs.log_2();
         // pad or trim rq and ry to correct length
@@ -837,11 +860,24 @@ impl<S: SpartanExtensionField> PolyEvalProof<S> {
           eq.compute_factored_evals()
         };
         // compute a weighted sum of commitments and L
+        let LZ = S::field_zero();
         L_list.push(L);
-        R_list.push(R);
+        R_list.push(R);        
+        LZ_list.push(LZ);
       }
     }
 
+    assert_eq!(LZ_list.len(), proof_list.len());
+
+    // Verify proofs
+    for i in 0..LZ_list.len() {
+      let R = &R_list[i];
+
+      proof_list[i]
+        .proof
+        .verify(R.len(), transcript, R)?;
+    }
+
     Ok(())
   }
 

spartan_parallel/src/lib.rs

@@ -1846,6 +1846,7 @@ impl<S: SpartanExtensionField> SNARK<S> {
       &block_w3_prover,
       &block_w3_shifted_prover,
     ];
+
     let (block_r1cs_sat_proof, block_challenges) = {
       let (proof, block_challenges) = {
         R1CSProof::prove(
@@ -1867,6 +1868,7 @@ impl<S: SpartanExtensionField> SNARK<S> {
       (proof, block_challenges)
     };
 
+    
     // Final evaluation on BLOCK
     let (block_inst_evals_bound_rp, block_inst_evals_list, block_r1cs_eval_proof_list) = {
       let [rp, _, rx, ry] = block_challenges;
@@ -1881,6 +1883,7 @@ impl<S: SpartanExtensionField> SNARK<S> {
       for r in &inst_evals_list {
         S::append_field_to_transcript(b"ABCr_claim", transcript, *r);
       }
+
       // Sample random combinations of A, B, C for inst_evals_bound_rp check in the Verifier
       // The random values are not used by the prover, but need to be appended to the transcript
       let _: S = transcript.challenge_scalar(b"challenge_c0");
@@ -1901,6 +1904,7 @@ impl<S: SpartanExtensionField> SNARK<S> {
             transcript,
             &mut random_tape,
           );
+
           let proof_encoded: Vec<u8> = bincode::serialize(&proof).unwrap();
           Timer::print(&format!("len_r1cs_eval_proof {:?}", proof_encoded.len()));
 
@@ -2864,6 +2868,7 @@ impl<S: SpartanExtensionField> SNARK<S> {
         &block_w3_verifier,
         &block_w3_shifted_verifier,
       ];
+
       let block_challenges = self.block_r1cs_sat_proof.verify(
         block_num_instances,
         block_max_num_proofs,
@@ -2883,6 +2888,7 @@ impl<S: SpartanExtensionField> SNARK<S> {
       for r in &self.block_inst_evals_list {
         S::append_field_to_transcript(b"ABCr_claim", transcript, *r);
       }
+
       // Sample random combinations of A, B, C for inst_evals_bound_rp check
       let c0: S = transcript.challenge_scalar(b"challenge_c0");
       let c1: S = transcript.challenge_scalar(b"challenge_c1");
@@ -2908,6 +2914,7 @@ impl<S: SpartanExtensionField> SNARK<S> {
           transcript,
         )?;
       }
+
       // Permute block_inst_evals_list to the correct order for RP evaluation
       let _ABC_evals: Vec<S> = (0..block_num_instances)
         .map(|i| ABC_evals[block_index[i]])

spartan_parallel/src/nizk/bullet.rs

@@ -56,6 +56,7 @@ impl<S: SpartanExtensionField> BulletReductionProof<S> {
       let (blind_L, blind_R) = blinds_iter.next().unwrap();
 
       let u: S = transcript.challenge_scalar(b"u");
+
       let u_inv = u.invert().unwrap();
 
       for i in 0..n {

spartan_parallel/src/nizk/mod.rs

@@ -44,7 +44,14 @@ impl<S: SpartanExtensionField> KnowledgeProof<S> {
     KnowledgeProof { z1, z2 }
   }
 
-  pub fn verify(&self, _transcript: &mut Transcript) -> Result<(), ProofVerifyError> {
+  pub fn verify(&self, transcript: &mut Transcript) -> Result<(), ProofVerifyError> {
+    <Transcript as ProofTranscript<S>>::append_protocol_name(
+      transcript,
+      KnowledgeProof::<S>::protocol_name(),
+    );
+
+    let c: S = transcript.challenge_scalar(b"c");
+
     // TODO: Alternative PCS Verification
     Ok(())
   }
@@ -81,7 +88,14 @@ impl<S: SpartanExtensionField> EqualityProof<S> {
     EqualityProof { z }
   }
 
-  pub fn verify(&self, _transcript: &mut Transcript) -> Result<(), ProofVerifyError> {
+  pub fn verify(&self, transcript: &mut Transcript) -> Result<(), ProofVerifyError> {
+    <Transcript as ProofTranscript<S>>::append_protocol_name(
+      transcript,
+      EqualityProof::<S>::protocol_name(),
+    );
+
+    let c: S = transcript.challenge_scalar(b"c");
+
     // TODO: Alternative PCS Verification
     Ok(())
   }
@@ -136,7 +150,14 @@ impl<S: SpartanExtensionField> ProductProof<S> {
     true
   }
 
-  pub fn verify(&self, _transcript: &mut Transcript) -> Result<(), ProofVerifyError> {
+  pub fn verify(&self, transcript: &mut Transcript) -> Result<(), ProofVerifyError> {
+    <Transcript as ProofTranscript<S>>::append_protocol_name(
+      transcript,
+      ProductProof::<S>::protocol_name(),
+    );
+
+    let c: S = transcript.challenge_scalar(b"c");
+
     // TODO: Alternative PCS Verification
     Ok(())
   }
@@ -183,6 +204,7 @@ impl<S: SpartanExtensionField> DotProductProof<S> {
 
     let _dotproduct_a_d = DotProductProof::compute_dotproduct(a_vec, &d_vec);
 
+    S::append_field_vector_to_transcript(b"a", transcript, a_vec);
     let c: S = transcript.challenge_scalar(b"c");
 
     let z = (0..d_vec.len())
@@ -201,7 +223,8 @@ impl<S: SpartanExtensionField> DotProductProof<S> {
       DotProductProof::<S>::protocol_name(),
     );
     S::append_field_vector_to_transcript(b"a", transcript, a);
-    let _c: S = transcript.challenge_scalar(b"c");
+    let c: S = transcript.challenge_scalar(b"c");
+
     let _dotproduct_z_a = DotProductProof::compute_dotproduct(&self.z, a);
 
     // TODO: Alternative PCS Verification
@@ -275,10 +298,33 @@ impl<S: SpartanExtensionField> DotProductProofLog<S> {
 
   pub fn verify(
     &self,
-    _n: usize,
-    _transcript: &mut Transcript,
-    _a: &[S],
+    n: usize,
+    transcript: &mut Transcript,
+    a: &[S],
   ) -> Result<(), ProofVerifyError> {
+    assert_eq!(a.len(), n);
+
+    <Transcript as ProofTranscript<S>>::append_protocol_name(
+      transcript,
+      DotProductProofLog::<S>::protocol_name(),
+    );
+
+    S::append_field_vector_to_transcript(b"a", transcript, a);
+
+    // sample a random base and scale the generator used for
+    // the output of the inner product
+    let r: S = transcript.challenge_scalar(b"r");
+
+    // BulletReductionProof - verification_scalars
+    let mut m = a.len();
+    while m != 1 {
+      m /= 2;
+
+      let u: S = transcript.challenge_scalar(b"u");
+    }
+
+    let c: S = transcript.challenge_scalar(b"c");
+
     // TODO: Alternative PCS Verification
     Ok(())
   }

spartan_parallel/src/product_tree.rs

@@ -322,6 +322,7 @@ impl<S: SpartanExtensionField> ProductCircuitEvalProofBatched<S> {
       // produce a fresh set of coeffs and a joint claim
       let coeff_vec =
         transcript.challenge_vector(b"rand_coeffs_next_layer", claims_to_verify.len());
+
       let claim = (0..claims_to_verify.len())
         .map(|i| claims_to_verify[i] * coeff_vec[i])
         .sum();
@@ -407,7 +408,7 @@ impl<S: SpartanExtensionField> ProductCircuitEvalProofBatched<S> {
         .map(|i| claims_to_verify[i] * coeff_vec[i])
         .sum();
 
-      let (_claim_last, rand_prod) = self.proof[i].verify(claim, num_rounds, 3, transcript);
+      let (claim_last, rand_prod) = self.proof[i].verify(claim, num_rounds, 3, transcript);
 
       let claims_prod_left = &self.proof[i].claims_prod_left;
       let claims_prod_right = &self.proof[i].claims_prod_right;
@@ -446,9 +447,7 @@ impl<S: SpartanExtensionField> ProductCircuitEvalProofBatched<S> {
         }
       }
 
-      /* TODO: IMPORTANT, DEBUG, CHECK FAIL
       assert_eq!(claim_expected, claim_last);
-      */
 
       // produce a random challenge
       let r_layer = transcript.challenge_scalar(b"challenge_r_layer");

spartan_parallel/src/r1csproof.rs

@@ -251,6 +251,7 @@ impl<S: SpartanExtensionField> R1CSProof<S> {
       transcript,
       random_tape,
     );
+
     assert_eq!(poly_tau_p.len(), 1);
     assert_eq!(poly_tau_q.len(), 1);
     assert_eq!(poly_tau_x.len(), 1);
@@ -464,6 +465,7 @@ impl<S: SpartanExtensionField> R1CSProof<S> {
         }
       }
     }
+
     let proof_eval_vars_at_ry_list = PolyEvalProof::prove_batched_instances_disjoint_rounds(
       &poly_list,
       &num_proofs_list,
@@ -752,6 +754,11 @@ impl<S: SpartanExtensionField> R1CSProof<S> {
 
     timer_commit_opening.stop();
 
+    // verify proof that expected_claim_post_phase2 == claim_post_phase2
+    self.proof_eq_sc_phase2.verify(
+      transcript,
+    )?;
+
     Ok([rp, rq_rev, rx, [rw, ry].concat()])
   }
 }

spartan_parallel/src/sparse_mlpoly.rs

@@ -831,19 +831,17 @@ impl<S: SpartanExtensionField> HashLayerProof<S> {
     let eval_init_addr = IdentityPolynomial::new(rand_mem.len()).evaluate(rand_mem);
     let eval_init_val = EqPolynomial::new(r.to_vec()).evaluate(rand_mem);
     let hash_init_at_rand_mem =
-      hash_func(&eval_init_addr, &eval_init_val, &S::field_zero()) - *r_multiset_check; // verify the claim_last of init chunk
-                                                                                        /* TODO: IMPORTANT, DEBUG, CHECK FAIL
-                                                                                        assert_eq!(&hash_init_at_rand_mem, claim_init);
-                                                                                        */
+      hash_func(&eval_init_addr, &eval_init_val, &S::field_zero()) - *r_multiset_check; 
+      
+    // verify the claim_last of init chunk
+    assert_eq!(&hash_init_at_rand_mem, claim_init);
 
     // read
     for i in 0..eval_ops_addr.len() {
       let hash_read_at_rand_ops =
         hash_func(&eval_ops_addr[i], &eval_ops_val[i], &eval_read_ts[i]) - *r_multiset_check;
       // verify the claim_last of init chunk
-      /* TODO: IMPORTANT, DEBUG, CHECK FAIL
       assert_eq!(&hash_read_at_rand_ops, &claim_read[i]);
-      */
     }
 
     // write: shares addr, val component; only decommit write_ts
@@ -852,19 +850,15 @@ impl<S: SpartanExtensionField> HashLayerProof<S> {
       let hash_write_at_rand_ops =
         hash_func(&eval_ops_addr[i], &eval_ops_val[i], &eval_write_ts) - *r_multiset_check;
       // verify the claim_last of init chunk
-      /* TODO: IMPORTANT, DEBUG, CHECK FAIL
       assert_eq!(&hash_write_at_rand_ops, &claim_write[i]);
-      */
     }
 
     // audit: shares addr and val with init
     let eval_audit_addr = eval_init_addr;
     let eval_audit_val = eval_init_val;
     let hash_audit_at_rand_mem =
       hash_func(&eval_audit_addr, &eval_audit_val, eval_audit_ts) - *r_multiset_check;
-    /* TODO: IMPORTANT, DEBUG, CHECK FAIL
     assert_eq!(&hash_audit_at_rand_mem, claim_audit); // verify the last step of the sum-check for audit
-    */
 
     Ok(())
   }
@@ -905,11 +899,9 @@ impl<S: SpartanExtensionField> HashLayerProof<S> {
       let claim_col_ops_val = claims_dotp[3 * i + 1];
       let claim_val = claims_dotp[3 * i + 2];
 
-      /* TODO: IMPORTANT, DEBUG, CHECK FAIL
       assert_eq!(claim_row_ops_val, eval_row_ops_val[i]);
       assert_eq!(claim_col_ops_val, eval_col_ops_val[i]);
-      assert_eq!(claim_val, eval_val_vec[i]);\
-      */
+      assert_eq!(claim_val, eval_val_vec[i]);
     }
 
     // verify addr-timestamps using comm_comb_ops at rand_ops
@@ -1170,7 +1162,6 @@ impl<S: SpartanExtensionField> ProductLayerProof<S> {
       transcript,
       ProductLayerProof::<S>::protocol_name(),
     );
-
     let timer = Timer::new("verify_prod_proof");
     let num_instances = eval.len();