diff --git a/plonk/src/nightfall/mle/snark.rs b/plonk/src/nightfall/mle/snark.rs index e3f6ef8c..ea9021eb 100644 --- a/plonk/src/nightfall/mle/snark.rs +++ b/plonk/src/nightfall/mle/snark.rs @@ -382,12 +382,6 @@ impl MLEPlonk { permutation_evals.push(value); } - let evals = MLEProofEvals:: { - wire_evals, - selector_evals, - permutation_evals, - }; - // Now we handle lookup related subroutines if support lookup. let lookup_proof = if let (Some(m_poly), Some(m_commit)) = (m_poly, m_commit) { let m_poly_eval = @@ -532,6 +526,35 @@ impl MLEPlonk { None }; + // Append evals and lookup_proof.poly_evals to the transcript. + for eval in wire_evals + .iter() + .chain(&selector_evals) + .chain(&permutation_evals) + { + transcript.push_message(b"eval", eval)?; + } + if let Some(lookup_proof) = lookup_proof.clone() { + for eval in [ + lookup_proof.lookup_evals.m_poly_eval, + lookup_proof.lookup_evals.range_table_eval, + lookup_proof.lookup_evals.key_table_eval, + lookup_proof.lookup_evals.table_dom_sep_eval, + lookup_proof.lookup_evals.q_dom_sep_eval, + lookup_proof.lookup_evals.q_lookup_eval, + ] + .iter() + { + transcript.push_message(b"lookup eval", eval)?; + } + } + + let evals = MLEProofEvals:: { + wire_evals, + selector_evals, + permutation_evals, + }; + let delta = transcript.squeeze_scalar_challenge::

(b"delta")?; let mut combiner = P::ScalarField::one(); @@ -795,6 +818,29 @@ impl MLEPlonk { None }; + // Append evals and lookup_proof.poly_evals to the transcript. + for eval in wire_evals + .iter() + .chain(&selector_evals) + .chain(&permutation_evals) + { + transcript.push_message(b"eval", eval)?; + } + if let Some(lookup_proof) = lookup_proof.clone() { + for eval in [ + lookup_proof.lookup_evals.m_poly_eval, + lookup_proof.lookup_evals.range_table_eval, + lookup_proof.lookup_evals.key_table_eval, + lookup_proof.lookup_evals.table_dom_sep_eval, + lookup_proof.lookup_evals.q_dom_sep_eval, + lookup_proof.lookup_evals.q_lookup_eval, + ] + .iter() + { + transcript.push_message(b"lookup eval", eval)?; + } + } + let evals = MLEProofEvals:: { wire_evals, selector_evals, @@ -943,29 +989,6 @@ impl MLEPlonk { "Could not evaluate pi poly".to_string(), ))?; - let delta = transcript.squeeze_scalar_challenge::

(b"delta")?; - - let full_challenges = FullMLEChallenges::from_parts(challenges, delta, epsilon); - - let zero_check_calc_eval = build_zerocheck_eval( - &proof.evals, - proof - .lookup_proof - .as_ref() - .map(|lookup_proof| &lookup_proof.lookup_evals), - &vk.gate_info, - &full_challenges, - pi_poly_eval, - zc_eq_eval, - ); - - if zero_check_calc_eval != sumcheck_deferred_check.eval { - return Err(PlonkError::SnarkError(SnarkError::ParameterError(format!( - "ZeroCheck check failed. Expected {}, got {}", - sumcheck_deferred_check.eval, zero_check_calc_eval - )))); - } - let mut comms = Vec::new(); let mut evals = Vec::new(); @@ -1027,6 +1050,34 @@ impl MLEPlonk { evals.push(lookup_proof.lookup_evals.q_lookup_eval); } + // Append evals and lookup_proof.poly_evals to the transcript. + for eval in evals.iter() { + transcript.push_message(b"eval", eval)?; + } + + let delta = transcript.squeeze_scalar_challenge::

(b"delta")?; + + let full_challenges = FullMLEChallenges::from_parts(challenges, delta, epsilon); + + let zero_check_calc_eval = build_zerocheck_eval( + &proof.evals, + proof + .lookup_proof + .as_ref() + .map(|lookup_proof| &lookup_proof.lookup_evals), + &vk.gate_info, + &full_challenges, + pi_poly_eval, + zc_eq_eval, + ); + + if zero_check_calc_eval != sumcheck_deferred_check.eval { + return Err(PlonkError::SnarkError(SnarkError::ParameterError(format!( + "ZeroCheck check failed. Expected {}, got {}", + sumcheck_deferred_check.eval, zero_check_calc_eval + )))); + } + let delta_powers = (0..comms.len() as u64) .map(|i| delta.pow([i])) .collect::>(); @@ -1173,29 +1224,6 @@ impl MLEPlonk { "Could not evaluate pi poly".to_string(), ))?; - let delta = transcript.squeeze_scalar_challenge::

(b"delta")?; - - let full_challenges = FullMLEChallenges::from_parts(challenges, delta, epsilon); - - let zero_check_calc_eval = build_zerocheck_eval( - &proof.evals, - proof - .lookup_proof - .as_ref() - .map(|lookup_proof| &lookup_proof.lookup_evals), - &vk.gate_info, - &full_challenges, - pi_poly_eval, - zc_eq_eval, - ); - - if zero_check_calc_eval != sumcheck_deferred_check.eval { - return Err(PlonkError::SnarkError(SnarkError::ParameterError(format!( - "ZeroCheck check failed. Expected {}, got {}", - sumcheck_deferred_check.eval, zero_check_calc_eval - )))); - } - let mut comms = Vec::new(); let mut evals = Vec::new(); @@ -1257,6 +1285,34 @@ impl MLEPlonk { evals.push(lookup_proof.lookup_evals.q_lookup_eval); } + // Append evals and lookup_proof.poly_evals to the transcript. + for eval in evals.iter() { + transcript.push_message(b"eval", eval)?; + } + + let delta = transcript.squeeze_scalar_challenge::

(b"delta")?; + + let full_challenges = FullMLEChallenges::from_parts(challenges, delta, epsilon); + + let zero_check_calc_eval = build_zerocheck_eval( + &proof.evals, + proof + .lookup_proof + .as_ref() + .map(|lookup_proof| &lookup_proof.lookup_evals), + &vk.gate_info, + &full_challenges, + pi_poly_eval, + zc_eq_eval, + ); + + if zero_check_calc_eval != sumcheck_deferred_check.eval { + return Err(PlonkError::SnarkError(SnarkError::ParameterError(format!( + "ZeroCheck check failed. Expected {}, got {}", + sumcheck_deferred_check.eval, zero_check_calc_eval + )))); + } + let delta_powers = (0..comms.len() as u64) .map(|i| delta.pow([i])) .collect::>(); diff --git a/plonk/src/recursion/circuits/challenges.rs b/plonk/src/recursion/circuits/challenges.rs index 0c6788f4..13f25e08 100644 --- a/plonk/src/recursion/circuits/challenges.rs +++ b/plonk/src/recursion/circuits/challenges.rs @@ -199,6 +199,32 @@ where let final_sumcheck_challenges = circuit.recover_sumcheck_challenges::(&proof_var.sumcheck_proof, &mut transcript)?; + // Append evals and lookup_proof.poly_evals to the transcript. + for eval in proof_var + .poly_evals_var + .wire_evals + .iter() + .chain(&proof_var.poly_evals_var.selector_evals) + .chain(&proof_var.poly_evals_var.permutation_evals) + { + transcript.push_emulated_variable(eval, circuit)?; + } + + if let Some(lookup_proof) = &proof_var.lookup_proof_var { + for eval in [ + &lookup_proof.poly_evals_var.m_poly_eval, + &lookup_proof.poly_evals_var.range_table_eval, + &lookup_proof.poly_evals_var.key_table_eval, + &lookup_proof.poly_evals_var.table_dom_sep_eval, + &lookup_proof.poly_evals_var.q_dom_sep_eval, + &lookup_proof.poly_evals_var.q_lookup_eval, + ] + .iter() + { + transcript.push_emulated_variable(eval, circuit)?; + } + } + let delta = transcript.squeeze_scalar_challenge::

(circuit)?; let delta_var = circuit.to_emulated_variable(delta)?; diff --git a/plonk/src/recursion/circuits/emulated_mle_arithmetic.rs b/plonk/src/recursion/circuits/emulated_mle_arithmetic.rs index fb498ce7..3dc42631 100644 --- a/plonk/src/recursion/circuits/emulated_mle_arithmetic.rs +++ b/plonk/src/recursion/circuits/emulated_mle_arithmetic.rs @@ -332,6 +332,32 @@ pub(crate) fn verify_mleplonk_emulated_scalar_arithmetic( let zerocheck_eval = circuit.verify_emulated_proof::(&proof.sumcheck_proof, transcript)?; + // Append evals and lookup_proof.poly_evals to the transcript. + for eval in proof + .poly_evals_var + .wire_evals + .iter() + .chain(&proof.poly_evals_var.selector_evals) + .chain(&proof.poly_evals_var.permutation_evals) + { + transcript.push_emulated_variable(eval, circuit)?; + } + + if let Some(lookup_proof) = &proof.lookup_proof_var { + for eval in [ + &lookup_proof.poly_evals_var.m_poly_eval, + &lookup_proof.poly_evals_var.range_table_eval, + &lookup_proof.poly_evals_var.key_table_eval, + &lookup_proof.poly_evals_var.table_dom_sep_eval, + &lookup_proof.poly_evals_var.q_dom_sep_eval, + &lookup_proof.poly_evals_var.q_lookup_eval, + ] + .iter() + { + transcript.push_emulated_variable(eval, circuit)?; + } + } + let delta = transcript.squeeze_scalar_challenge::(circuit)?; let delta_var = circuit.to_emulated_variable(delta)?; diff --git a/plonk/src/recursion/circuits/mle_arithmetic.rs b/plonk/src/recursion/circuits/mle_arithmetic.rs index de645659..a0693123 100644 --- a/plonk/src/recursion/circuits/mle_arithmetic.rs +++ b/plonk/src/recursion/circuits/mle_arithmetic.rs @@ -770,6 +770,30 @@ mod tests { &mut transcript, ) .unwrap(); + // Append evals and lookup_proof.poly_evals to the transcript. + for eval in inner_proof + .evals + .wire_evals + .iter() + .chain(&inner_proof.evals.selector_evals) + .chain(&inner_proof.evals.permutation_evals) + { + transcript.push_message(b"eval", eval)?; + } + if let Some(lookup_proof) = inner_proof.lookup_proof.clone() { + for eval in [ + lookup_proof.lookup_evals.m_poly_eval, + lookup_proof.lookup_evals.range_table_eval, + lookup_proof.lookup_evals.key_table_eval, + lookup_proof.lookup_evals.table_dom_sep_eval, + lookup_proof.lookup_evals.q_dom_sep_eval, + lookup_proof.lookup_evals.q_lookup_eval, + ] + .iter() + { + transcript.push_message(b"lookup eval", eval)?; + } + } let delta = transcript.squeeze_scalar_challenge::

(b"delta").unwrap(); let (opening_proof, _eval) = PCS::open(