Skip to content

Commit

Permalink
Arrabbiata: add a workflow reg. "two steps" challenges verification
Browse files Browse the repository at this point in the history
  • Loading branch information
@dannywillems
dannywillems committed Feb 5, 2025
1 parent f15858d commit a236be4
Showing 1 changed file with 139 additions and 0 deletions.
139 changes: 139 additions & 0 deletions arrabbiata/src/interpreter.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -429,6 +429,145 @@
//! | |
//! +----------------------------+
//! ```
//!
//! ### Workflow example for handling a challenge
//!
//! Handling challenges is performed in two steps. Let's take the example of the
//! verifier coin `u` used to homogenize the constraints/polynomials in the
//! accumulation protocol. For the sake of simplicity, we only focus on the work
//! related to the challenges. In addition to that, a verifier coin `r` is used
//! to accumulate the challenges. Therefore, we start with the following
//! diagram:
//!
//! ```text
//! +------------------------------------------+
//! | Instance n |
//! | (witness w_(p, n)) |
//! | ---------- |
//! | Vesta |
//! | (scalar field = Fp) |
//! | (base field = Fq) |
//! | (Sponge over Fq) |
//! | |
//! | Generate as output: |
//! | - u_(p, n) |
//! | - r |
//! | - "accumulated u": u_p + r * u_(p, n) |
//! | (note the operations are over Fp) |
//! +------------------------------------------+
//! ```
//!
//! The coins `u_(p, n)` and `r` are generated after absorbing a few committed
//! values (i.e. points over Fq). The verifier will have to check the following:
//! - `u_(p, n)` has been coined correctly (i.e. check a sponge state).
//! - `r` has been coined correctly (i.e. check a sponge staet).
//! - "accumulated u" has been computed correctly
//!
//! At the next iteration, the verifier is working over the field `Fq`, i.e. the
//! field that is used to generate the challenges. Therefore, it can perform the
//! first two checks. We have then the following diagram.
//!
//! ```text
//! +------------------------------------------+
//! | Instance n |
//! | (witness w_(p, n)) |
//! | ---------- |
//! | Vesta |
//! | (scalar field = Fp) |
//! | (base field = Fq) |
//! | (Sponge over Fq) |
//! | |
//! | Generate as output: |
//! | - u_(p, n) |
//! | - r |
//! | - "accumulated u": u_p + r * u_(p, n) |
//! | (note the operations are over Fp) |
//! +------------------------------------------+
//! |
//! |
//! |
//! | +-----------------------------+
//! | | Instance (n + 1) |
//! | | (witness w_(q, n)) |
//! |-------------> | ---------- |
//! | Pallas |
//! | (scalar field = Fq) |
//! | (base field = Fp) |
//! | (Sponge over Fp) |
//! | |
//! | Receive as (public) |
//! | inputs |
//! | --------------- |
//! | - commitments generated |
//! | by instance n (Fq elements) |
//! | - u_(p, n) |
//! | - r |
//! | - (more but unused by |
//! | the verifier) |
//! | |
//! | Verifier circuit |
//! | ---------------- |
//! | - run the sponge to |
//! | check the value u_(p, n) |
//! | and r |
//! +-----------------------------+
//! ```
//!
//! The last check, i.e. checking the accumulation of `u`, is "delayed" for the
//! instance (n + 2), to be able to perform the accumulation over Fp.
//!
//! Therefore, we end up with the following diagram:
//!
//! ```text
//! +------------------------------------------+ +-------------------------------------+
//! | Instance n | | Instance (n + 2) |
//! | (witness w_(p, n)) | | (witness w_(p, n + 1)) |
//! | ---------- | | ---------- |
//! | Vesta | | Vesta |
//! | (scalar field = Fp) | | (scalar field = Fp) |
//! | (base field = Fq) | | (base field = Fq) |
//! | (Sponge over Fq) | | (Sponge over Fq) |
//! | | | |
//! Generate as output: | | Receive as (public inputs) |
//! --------------- | | ------------------- |
//! | - u_(p, n) | | - `u_(p, n)` |
//! | - r | | - accumulated u, `acc_u` |
//! | - "accumulated u": u_p + r * u_(p, n) | | - random coin `r` |
//! | (note the operations are over Fp) | | - "old accumulated value" u_p |
//! +------------------------------------------+ | Verifier circuit |
//! | | ---------------- |
//! | | - check that |
//! | | `acc_u = u_p + r * u_(p, n)` |
//! | +-------------------------------------+
//! | ^
//! | |
//! | |
//! | +-----------------------------+ |
//! | | Instance (n + 1) | |
//! | | (witness w_(q, n)) | |
//! |-------------> | ---------- | ------------------
//! | Pallas |
//! | (scalar field = Fq) |
//! | (base field = Fp) |
//! | (Sponge over Fp) |
//! | |
//! | Receive as (public) |
//! | inputs |
//! | --------------- |
//! | - commitments generated |
//! | by instance n (Fq elements) |
//! | - u_(p, n) |
//! | - r |
//! | - (more but unused by |
//! | the verifier) |
//! | |
//! | Verifier circuit |
//! | ---------------- |
//! | - run the sponge to |
//! | check the value u_(p, n) |
//! | and r |
//! +-----------------------------+
//! ```
use crate::{
columns::Gadget, curve::PlonkSpongeConstants, MAXIMUM_FIELD_SIZE_IN_BITS, NUMBER_OF_COLUMNS,
Expand Down

0 comments on commit a236be4

Please sign in to comment.