Skip to content

EVM-verifiable ring-vrf #52

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 24 commits into from
Apr 7, 2025
Merged

EVM-verifiable ring-vrf #52

merged 24 commits into from
Apr 7, 2025

Conversation

@swasilyev
Copy link
Collaborator

@swasilyev swasilyev commented Mar 1, 2025

To check that the signer belongs to the ring we:

  1. compute pk1 = sk.G
  2. witness the index of the signer k=(0,...,0,1,0,...,0) and compute pk2 = <k, pks>
  3. check the equality between pk1 == pk2

@swasilyev swasilyev requested review from davxy and drskalman March 1, 2025 20:23
@swasilyev
Copy link
Collaborator Author

swasilyev commented Mar 1, 2025

atm to make it pass the test, set

ring-proof/w3f-plonk-common/src/verifier.rs

Line 77 in 9dc7c15

let lin_comm = CS::C::combine(&challenges.alphas[..3], &lin_pices);
to

    let lin_comm = CS::C::combine(&challenges.alphas[2..10], &lin_pices);

@swasilyev
Copy link
Collaborator Author

swasilyev commented Mar 1, 2025
edited
Loading

TODO:

  • Clean up params.
  • Constrain the vrf_in.
    Done, see here.
  • Constraintpk_from_sk to be equal pk_from_index.
    These 2 can be merged probably to smth like L1.(doublings_of_in - vrf_in)+Ln.(pk_from_sk - pk_from_index), if we use ec addition to compute pk_from_index (otherwise pk_from_sk = pk + seed).
    Done, see here.
  • Constrain pk_index to be unique.
    Done, see here.
  • Off-by-one here

    ring-proof/w3f-plonk-common/src/gadgets/ec/mod.rs

    Line 71 in 9dc7c15

    assert_eq!(points.points.len(), domain.capacity - 1);
    when using points computed with the doubling gadget.
    Mitigated in Column::constrained_len() #56
  • Fix plonk verifier here:

    ring-proof/w3f-plonk-common/src/verifier.rs

    Line 77 in 9dc7c15

    let lin_comm = CS::C::combine(&challenges.alphas[..3], &lin_pices);
    Done, now passes all the alphas to the piop.

swasilyev
swasilyev commented Mar 1, 2025
View reviewed changes
w3f-ring-vrf-snark/src/piop/verifier.rs
let (out_x_coeff, out_y_coeff) = self.out_from_in.acc_coeffs_2();
let out_from_in_c2_lin = out_x.mul(out_x_coeff) + out_y.mul(out_y_coeff);

let pk_from_index_x = &self.witness_columns_committed.pk_from_index[0];
Copy link
Collaborator Author

@swasilyev swasilyev Mar 1, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

todo: internalize this logic inside the gadget. Same for ec_add.

@swasilyev swasilyev marked this pull request as ready for review March 19, 2025 22:14
@swasilyev swasilyev changed the base branch from skalman--ring-vrf-snark to master March 19, 2025 22:15
@swasilyev
Copy link
Collaborator Author

swasilyev commented Mar 20, 2025
edited
Loading

@drskalman I think now it's fully constrained.

  • pk_index is boolean and the bits of pk_index[0..domain.capacity - 1] sum to 1. pk_index[domain.capacity - 1] doesn't participate in the ec add gadget.
  • sk is just boolean. I assume that computing PK = b0.G + b1.(2G) + ... + bn.(2^nG) is not less hard for any n than a dlog.
    @AlistairStewart? (he says that's ok)

@swasilyev swasilyev merged commit 7700526 into master Apr 7, 2025
5 checks passed
@swasilyev swasilyev mentioned this pull request Apr 7, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@davxy davxy Awaiting requested review from davxy

@drskalman drskalman Awaiting requested review from drskalman

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@swasilyev