-
Notifications
You must be signed in to change notification settings - Fork 3
Recursive verifier #440
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
gabriel-barrett
wants to merge
28
commits into
main
Choose a base branch
from
recursive-verifier
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Recursive verifier #440
Changes from all commits
Commits
Show all changes
28 commits
Select commit
Hold shift + click to select a range
7d89c79
multi-stark proof deserializer
gabriel-barrett 091733a
recursive verifier entrypoint
gabriel-barrett 880641e
keccak
gabriel-barrett 05a2a7e
recursive verifier keccak assertion
gabriel-barrett 04934d1
`keccak_f` -> `keccak_f_fold`
gabriel-barrett e1e6326
`[U8; 8]` -> `&[U8; 8]`
gabriel-barrett 1a99925
keccak state defined
gabriel-barrett 9d48fe5
recursive verifier stub
gabriel-barrett a644b60
`Ext` redefinition
gabriel-barrett fd05c59
Fiat-Shamir
gabriel-barrett 25f5bcd
OOD check scaffold
gabriel-barrett 354bdbd
Verifying key manual codec
gabriel-barrett c7409a6
System deserialize in Aiur
gabriel-barrett aa99a6c
OOD check
gabriel-barrett 9bea692
Claims
gabriel-barrett 4a314be
removed dead code
gabriel-barrett 3bc4702
PCS MMCS hash (sponge + compress)
gabriel-barrett 911a43d
PCS Merkle verify_batch
gabriel-barrett 4ceaa4e
PCS challenger sample_bits
gabriel-barrett 6c04ee0
PCS challenger continuation
gabriel-barrett e9aaf24
PCS FRI fold_row and reduced openings
gabriel-barrett eacc7bd
Goldilocks non-native arithmetic
gabriel-barrett fe7c15a
OOD check non-native arithmetic
gabriel-barrett 4832b74
PCS verifier finished
gabriel-barrett 1e36966
Fully non-deterministic proof
gabriel-barrett 409f7e5
Tests in a different toplevel
gabriel-barrett 8b2b461
fixup
gabriel-barrett 869af4d
clippy and fmt
gabriel-barrett File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,98 @@ | ||
| module | ||
| public import Ix.Aiur.Meta | ||
| public import Ix.IxVM.Core | ||
| public import Ix.IxVM.ByteStream | ||
| public import Ix.MultiStark.Goldilocks | ||
| public import Ix.MultiStark.Deserialize | ||
| public import Ix.MultiStark.Keccak | ||
| public import Ix.MultiStark.Pcs | ||
| public import Ix.MultiStark.SystemDeserialize | ||
| public import Ix.MultiStark.Verifier | ||
| public import Ix.MultiStark.Tests | ||
|
|
||
| /-! | ||
| # Multi-STARK proof verifier (Aiur) | ||
|
|
||
| The recursive verifier. Its public statement is purely existential: *"there | ||
| exists a valid multi-stark proof, under the FRI parameters given as public | ||
| input, for the constraint system with this keccak-256 digest and these public | ||
| claims."* The proof itself is **non-deterministic advice** (fed on IO channel 0, | ||
| never hashed or otherwise bound as a public input): the Fiat-Shamir transcript | ||
| replay plus the Merkle/OOD/FRI checks are exactly what make any accepted advice | ||
| a valid proof — a hash binding of the proof bytes would add nothing to the | ||
| statement, while costing one keccak-f per 136 bytes in-circuit. | ||
|
|
||
| The verifying key and claims, by contrast, ARE digest-bound (`system_digest`, | ||
| `claims_digest`): they determine *what was proven*. | ||
|
|
||
| Fixed protocol assumptions (our system): `queryProofOfWorkBits = 0`, | ||
| `capHeight = 0`, `maxLogArity = 1`, `logFinalPolyLen = 0`. The variable FRI | ||
| parameters (`num_queries`, `commit_pow_bits`, `log_blowup`) are public inputs. | ||
| -/ | ||
|
|
||
| public section | ||
|
|
||
| namespace MultiStark | ||
|
|
||
| def entrypoints := ⟦ | ||
| -- Public inputs: the keccak-256 digests of the verifying key and the claims | ||
| -- (4 little-endian u64 lanes each) plus the variable FRI parameters. The | ||
| -- proof is pure non-deterministic advice on IO channel 0 — see the module | ||
| -- docstring. One stream per channel (0 = proof, 1 = vk, 2 = claims), each | ||
| -- registered under key `[0]` on its channel. | ||
| pub fn verify_multi_stark_proof(system_digest: [[U8; 8]; 4], claims_digest: [[U8; 8]; 4], num_queries: G, commit_pow_bits: G, log_blowup: G) { | ||
| -- Proof advice from IO channel 0: deserialize, assert fully consumed. | ||
| let (idx, len) = io_get_info(0, [0]); | ||
| let bytes = #read_byte_stream(0, idx, len); | ||
| let (proof, rest) = read_proof(bytes); | ||
| assert_eq!(load(rest), ListNode.Nil); | ||
| -- Verifying key (`System<AiurCircuit>`) from IO channel 1: bind the bytes | ||
| -- to the public keccak-256 `system_digest`, then reconstruct the system. | ||
| let (sidx, slen) = io_get_info(1, [0]); | ||
| let sbytes = #read_byte_stream(1, sidx, slen); | ||
| assert_eq!(keccak256(sbytes), system_digest); | ||
| let (sys, srest) = read_system(sbytes); | ||
| assert_eq!(load(srest), ListNode.Nil); | ||
| -- Public claims (`&[&[Val]]`) from IO channel 2: bind the bytes to the | ||
| -- public keccak-256 `claims_digest`, then deserialize. Binding them as a | ||
| -- public input is what makes the lookup argument sound (a prover cannot | ||
| -- choose claims adaptively). | ||
| let (cidx, clen) = io_get_info(2, [0]); | ||
| let cbytes = #read_byte_stream(2, cidx, clen); | ||
| assert_eq!(keccak256(cbytes), claims_digest); | ||
| let (claims, crest) = read_claims(cbytes); | ||
| assert_eq!(load(crest), ListNode.Nil); | ||
| -- Structural + accumulator + PCS checks. | ||
| assert_eq!(verify(proof), 1); | ||
| -- Step 3 + 5: prover-faithful Fiat-Shamir replay and the out-of-domain | ||
| -- composition/quotient check, `composition(ζ)·inv_vanishing(ζ) == quotient(ζ)`. | ||
| assert_eq!(ood_verify(sys, proof, claims, num_queries, commit_pow_bits, log_blowup), 1); | ||
| () | ||
| } | ||
| ⟧ | ||
|
|
||
| /-- The standalone Multi-STARK verifier toplevel: `core` (lists/options) + | ||
| `byteStream` (`U64`, `flatten_u64`, `read_byte_stream`, …) + the deserializer, | ||
| the keccak-256 implementation, and the entrypoint. -/ | ||
| def multiStark : Except Aiur.Global Aiur.Source.Toplevel := do | ||
| let t ← IxVM.core.merge IxVM.byteStream | ||
| let t ← t.merge MultiStark.goldilocks | ||
| let t ← t.merge deserialize | ||
| let t ← t.merge keccak | ||
| let t ← t.merge systemDeserialize | ||
| let t ← t.merge pcs | ||
| let t ← t.merge verifier | ||
| t.merge entrypoints | ||
|
|
||
| /-- The verifier toplevel PLUS its self-test entrypoints | ||
| (`Ix/MultiStark/Tests.lean`). Kept separate from `multiStark` because every | ||
| `pub fn` adds a circuit to the compiled system — the production verifier should | ||
| not carry test-only width. Use this toplevel only to run the `*_test` | ||
| entrypoints. -/ | ||
| def multiStarkTests : Except Aiur.Global Aiur.Source.Toplevel := do | ||
| let t ← multiStark | ||
| t.merge tests | ||
|
|
||
| end MultiStark | ||
|
|
||
| end |
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This change needs to be undone.