work on debugging kzg #296
vo-nil committed Feb 25, 2024
1 parent 4a9c152 commit ed7f089
Showing 8 changed files with 324 additions and 36 deletions.
77 changes: 74 additions & 3 deletions include/nil/crypto3/zk/commitments/polynomial/kzg.hpp
Expand Up @@ -131,6 +131,27 @@ namespace nil {
};
};
} // namespace commitments

void dump_vector(std::vector<uint8_t> const& x, std::string label = "") {
std::cout << label << "[" << std::dec << x.size() << "] ";
for(auto v: x) {
std::cout << std::hex << std::setw(2) << std::setfill('0') << int(v);
}
std::cout << "" << std::endl;
}

template<typename gt_value_type>
void dump_gt(gt_value_type& x, std::string label = "")
{
using endianness = nil::marshalling::option::big_endian;
nil::marshalling::status_type status;
std::vector<uint8_t> bytes =
nil::marshalling::pack<endianness>(x, status);
BOOST_ASSERT(status == nil::marshalling::status_type::success);
dump_vector(bytes, label);
}



namespace algorithms {
template<typename KZG,
Expand Down Expand Up @@ -198,6 +219,19 @@ namespace nil {
typename KZG::gt_value_type gt3 = algebra::double_miller_loop<typename KZG::curve_type>(A_1, A_2, B_1, B_2);
typename KZG::gt_value_type gt_4 = algebra::final_exponentiation<typename KZG::curve_type>(gt3);

auto left = algebra::pair_reduced<typename KZG::curve_type>(
proof,
params.verification_key - public_key.z * KZG::curve_type::template g2_type<>::value_type::one());

auto right = algebra::pair_reduced<typename KZG::curve_type>(
public_key.eval * KZG::curve_type::template g1_type<>::value_type::one() - public_key.commit,
KZG::curve_type::template g2_type<>::value_type::one());

dump_gt(left, "left");
dump_gt(right, "right");

std::cout << "left*right == 1?" << (left*right == KZG::gt_value_type::one()) << std::endl;

return gt_4 == KZG::gt_value_type::one();
}
} // namespace algorithms
Expand Down Expand Up @@ -552,6 +586,11 @@ namespace nil {
factor *= gamma;
}

std::cout << "Gamma : " << gamma << std::endl;
std::cout << "Factor : " << factor << std::endl;

std::cout << "accumulator: " << accum << std::endl;

//verify without pairing
{
typename math::polynomial<typename KZG::scalar_value_type> right_side({{0}});
Expand Down Expand Up @@ -593,10 +632,15 @@ namespace nil {
left_side_pairing = left_side_pairing * algebra::pair_reduced<typename KZG::curve_type>(left, right);
factor = factor * gamma;
}
std::cout << "Gamma : " << gamma << std::endl;
std::cout << "Factor : " << factor << std::endl;

auto right = commit_g2<KZG>(params, create_polynom_by_zeros<KZG>(public_key.T));
auto right_side_pairing = algebra::pair_reduced<typename KZG::curve_type>(proof, right);

dump_gt(left_side_pairing, "left");
dump_gt(right_side_pairing, "right");

return left_side_pairing == right_side_pairing;
}
} // namespace algorithms
Expand Down Expand Up @@ -662,6 +706,7 @@ namespace nil {
void update_transcript(std::size_t batch_ind, typename KZGScheme::transcript_type &transcript) {
/* The procedure of updating the transcript is subject to review and change
* #295 */
std::cout << "Updating transcript for batch " << batch_ind << "" << std::endl;

// Push commitments to transcript
transcript(_commitments[batch_ind]);
Expand Down Expand Up @@ -696,11 +741,14 @@ namespace nil {

kzg_commitment_scheme(params_type kzg_params) : _params(kzg_params) {}


// Differs from static, because we pack the result into byte blob.
commitment_type commit(std::size_t index){
std::cout << "commiting to " << index << std::endl;
this->_ind_commitments[index] = {};
this->state_commited(index);

std::cout << "array has " << this->_polys[index].size() << " elements" << std::endl;
std::vector<std::uint8_t> result = {};
for (std::size_t i = 0; i < this->_polys[index].size(); ++i) {
BOOST_ASSERT(this->_polys[index][i].degree() <= _params.commitment_key.size());
Expand All @@ -714,6 +762,7 @@ namespace nil {
result.insert(result.end(), single_commitment_bytes.begin(), single_commitment_bytes.end());
}
_commitments[index] = result;
dump_vector(result, "result:");


return result;
Expand All @@ -730,14 +779,19 @@ namespace nil {

proof_type proof_eval(transcript_type &transcript){

std::cout << "~~~~ proof_eval start ~~~~" << std::endl;
this->eval_polys();
std::cout << "~~~~ eval_polys ~~~~" << std::endl;
this->merge_eval_points();
std::cout << "~~~~ merge_eval_points ~~~~" << std::endl;

for( auto const &it: this->_commitments ){
auto k = it.first;
update_transcript(k, transcript);
}

std::cout << "=== all commitments are in transcript ===" << std::endl;

auto gamma = transcript.template challenge<typename KZGScheme::curve_type::scalar_field_type>();
auto factor = KZGScheme::scalar_value_type::one();
typename math::polynomial<typename KZGScheme::scalar_value_type> accum = {0};
Expand All @@ -750,9 +804,15 @@ namespace nil {
}
}

std::cout << "Gamma : " << gamma << std::endl;
std::cout << "Factor : " << factor << std::endl;

std::cout << "Accumulated polynomial: " << std::endl;
std::cout << accum << std::endl;

//verify without pairing. It's only for debug
//if something goes wrong, it may be useful to place here verification with pairings
/*{
{
typename math::polynomial<typename KZGScheme::scalar_value_type> right_side({{0}});
factor = KZGScheme::scalar_value_type::one();
for( auto const &it: this->_polys ){
Expand All @@ -764,8 +824,13 @@ namespace nil {
}
}
assert(accum * this->get_V(this->_merged_points) == right_side);
}*/
return {this->_z, nil::crypto3::zk::algorithms::commit_one<KZGScheme>(_params, accum)};
}
auto res_commit = nil::crypto3::zk::algorithms::commit_one<KZGScheme>(_params, accum);
nil::marshalling::status_type status;
std::vector<std::uint8_t> res_bytes =
nil::marshalling::pack<endianness>(res_commit, status);
dump_vector(res_bytes, "commitment to accumulated");
return {this->_z, res_commit};
}

bool verify_eval(
Expand Down Expand Up @@ -811,11 +876,17 @@ namespace nil {
}
}

std::cout << "Gamma : " << gamma << std::endl;
std::cout << "Factor : " << factor << std::endl;

auto right_side_pairing = algebra::pair_reduced<typename KZGScheme::curve_type>(
proof.kzg_proof,
commit_g2(this->get_V(this->_merged_points))
);

dump_gt(left_side_accum, "left");
dump_gt(right_side_pairing, "right");

return left_side_accum == right_side_pairing;
}
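Review bot: `dump_vector` is an ordinary non-template function defined at namespace scope in this header without `inline`, so a program that includes kzg.hpp from more than one translation unit will fail to link on a duplicate definition; declare it `inline void dump_vector(std::vector<uint8_t> const& x, std::string label = "")`. It also returns with `std::hex` still set on `std::cout`, so later counters such as `"commiting to " << index` and `"Updating transcript for batch " << batch_ind` print in hexadecimal after the first dump; ending the function with `std::cout << std::dec << std::endl;` restores the base. The hex loops in fiat_shamir.hpp (the range constructor and `dump_buffer`) leave the stream in the same state. In `proof_eval`, the `status` written by `nil::marshalling::pack<endianness>(res_commit, status)` is not checked before `res_bytes` is dumped, unlike `dump_gt`, which asserts `status_type::success`.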

Expand Up @@ -56,7 +56,7 @@ namespace nil {
public:
using witnesses_container_type = std::vector<ColumnType>;

protected:
// protected:

witnesses_container_type _witnesses;
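Review bot: Commenting out `protected:` leaves `_witnesses`, and every member declared after it, under the `public:` label above, so any caller can now replace or resize the witness columns directly. Nothing on this page needs that access: the logging added to the prover reads the columns through `_polynomial_table->witnesses()`. The line should stay `protected:`, and if a debug dump needs more than the existing accessor offers, a const accessor is the narrower change. The class body continues outside the hunk, so the full set of members this exposes is not visible here.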

18 changes: 18 additions & 0 deletions include/nil/crypto3/zk/snark/systems/plonk/placeholder/prover.hpp
Expand Up @@ -134,6 +134,15 @@ namespace nil {
placeholder_proof<FieldType, ParamsType> process() {
PROFILE_PLACEHOLDER_SCOPE("Placeholder prover, total time");

std::cout << "proove_processor::preprocess" << std::endl;
std::cout << "appending to batch witnesses: " << std::endl;
for (auto &w: _polynomial_table->witnesses()) {
std::cout << w << std::endl;
}
std::cout << "appending to batch public inputs: " << std::endl;
for(auto &pi: _polynomial_table->public_inputs()) {
std::cout << pi << std::endl;
}
// 2. Commit witness columns and public_input columns
_commitment_scheme.append_to_batch(VARIABLE_VALUES_BATCH, _polynomial_table->witnesses());
_commitment_scheme.append_to_batch(VARIABLE_VALUES_BATCH, _polynomial_table->public_inputs());
Expand All @@ -142,6 +151,7 @@ namespace nil {
_proof.commitments[VARIABLE_VALUES_BATCH] = _commitment_scheme.commit(VARIABLE_VALUES_BATCH);
}
transcript(_proof.commitments[VARIABLE_VALUES_BATCH]);
std::cout << "vars commited and transcripted" << std::endl;

// 4. permutation_argument
{
Expand All @@ -157,6 +167,7 @@ namespace nil {
_F_dfs[1] = std::move(permutation_argument.F_dfs[1]);
_F_dfs[2] = std::move(permutation_argument.F_dfs[2]);
}
std::cout << "permutation argument prove_eval'ed" << std::endl;

// 5. lookup_argument
{
Expand All @@ -169,6 +180,7 @@ namespace nil {

_proof.commitments[PERMUTATION_BATCH] = _commitment_scheme.commit(PERMUTATION_BATCH);
transcript(_proof.commitments[PERMUTATION_BATCH]);
std::cout << "lookup argument evaluated, perm commited and transcripted" << std::endl;

// 6. circuit-satisfability

Expand All @@ -185,6 +197,7 @@ namespace nil {
mask_polynomial,
transcript
)[0];
std::cout << "gates prove_eval'ed" << std::endl;

/////TEST
#ifdef ZK_PLACEHOLDER_DEBUG_ENABLED
Expand All @@ -202,16 +215,21 @@ namespace nil {
_proof.commitments[QUOTIENT_BATCH] = T_commit(T_splitted_dfs);
}
transcript(_proof.commitments[QUOTIENT_BATCH]);
std::cout << "quotient batch commited and transcripted" << std::endl;

std::cout << "challenging for eval points" << std::endl;

// 8. Run evaluation proofs
_proof.eval_proof.challenge = transcript.template challenge<FieldType>();

std::cout << "proving with commitment scheme" << std::endl;
generate_evaluation_points();

{
PROFILE_PLACEHOLDER_SCOPE("commitment scheme proof eval time");
_proof.eval_proof.eval_proof = _commitment_scheme.proof_eval(transcript);
}
std::cout << "end" << std::endl;

return _proof;
}
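Review bot: The two loops added at the top of `process()` write every witness column and public-input column to `std::cout` unconditionally, and the witness is the prover's secret, so any build that includes this header discloses it to whatever captures stdout (terminal scrollback, CI logs, log collectors). The same function already gates test code with `#ifdef ZK_PLACEHOLDER_DEBUG_ENABLED`; the new prints belong behind that guard, i.e. `#ifdef ZK_PLACEHOLDER_DEBUG_ENABLED`, then `for (auto &w: _polynomial_table->witnesses()) { std::cout << w << std::endl; }`, then `#endif`. The `"Accumulated polynomial: "` print added to `proof_eval` in kzg.hpp appears to expose witness-derived data in the same way and needs the same treatment. The first message also reads `proove_processor::preprocess` although it is emitted from `process()`.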
Expand Up @@ -318,8 +318,8 @@ namespace nil {
std::map<std::size_t, typename commitment_scheme_type::commitment_type> commitments = proof.commitments;
commitments[FIXED_VALUES_BATCH] = preprocessed_public_data.common_data.commitments.fixed_values;
if (!commitment_scheme.verify_eval( proof.eval_proof.eval_proof, commitments, transcript )) {
std::cout << "commitment verify failed" << std::endl;
return false;
std::cout << "commitment verify failed, [31;1mSKIPPING[0m" << std::endl;
// return false;
}

// 10. final check
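Review bot: With `return false;` commented out, a failed `commitment_scheme.verify_eval(...)` only prints a message and execution falls through to the final check, so the verifier can accept a proof whose evaluation openings did not verify. That removes the soundness contribution of the commitment check for every caller of this header, not just the debugging session. Restore the early exit, `return false;`, and keep the extended message if it helps. If the later checks need to be observed after a failure while debugging, record the failure in a local flag and still return `false` at the end. The rest of the function lies outside the hunk, so whether a later check would still reject such a proof is not visible here.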
16 changes: 11 additions & 5 deletions include/nil/crypto3/zk/transcript/fiat_shamir.hpp
Expand Up @@ -134,20 +134,26 @@ namespace nil {
typedef Hash hash_type;

fiat_shamir_heuristic_sequential() : state(hash<hash_type>({0})) {
std::cout << "default transcript constructor " << this << std::endl;
}

template<typename InputRange>
fiat_shamir_heuristic_sequential(const InputRange &r) : state(hash<hash_type>(r)) {
std::cout << "transcript " << this << "constructed with [[[" << std::endl;
for(auto x = r.begin(); x!= r.end(); ++x) {
std::cout << std::hex << std::setw(2) << std::setfill('0') << int(*x);
}
std::cout << std::endl << "]]]" << std::endl;
}

template<typename InputIterator>
static void dump_buffer(InputIterator first, InputIterator last)
void dump_buffer(InputIterator first, InputIterator last)
{
std::cout << "updating transcript with [[[" << std::endl;
std::cout << "updating transcript " << this << " with [[[[32;1m" << std::endl;
for(auto x = first; x!= last; ++x) {
std::cout << std::hex << std::setw(2) << std::setfill('0') << int(*x);
}
std::cout << std::endl << "]]]" << std::endl;
std::cout << std::endl << "[0m]]]" << std::endl;
}

template<typename InputIterator>
Expand Down Expand Up @@ -180,7 +186,7 @@ namespace nil {
nil::marshalling::status_type status;
nil::crypto3::multiprecision::cpp_int raw_result = nil::marshalling::pack(state, status);

std::cout << "transcript challenged for: " << std::hex << raw_result << std::endl;
std::cout << "transcript " << this << " challenged for: " << std::hex << raw_result << std::endl;
return raw_result;
}

Expand All @@ -191,7 +197,7 @@ namespace nil {
nil::marshalling::status_type status;
Integral raw_result = nil::marshalling::pack(state, status);

std::cout << "transcript int_challenged for: " << std::hex << raw_result << std::endl;
std::cout << "transcript " << this << " int_challenged for: " << std::hex << raw_result << std::endl;
return raw_result;
}
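Review bot: `dump_buffer` loses `static` only so that it can print `this`, and both constructors, `challenge` and `int_challenge` now print the object address as well. Raw addresses differ from run to run, which makes two debug logs hard to compare, and they disclose process memory layout to anyone who can read the output. Keeping `static void dump_buffer(InputIterator first, InputIterator last)` and labelling each transcript with a small counter member instead of `this` would avoid both. The strings added in `dump_buffer` also embed terminal colour sequences, which end up as stray bytes when stdout is redirected to a file.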
