back to the verifier

Author: mcalancea

Cargo.lock

@@ -61,7 +61,7 @@ rand_core = "0.6"
 rand_xorshift = "0.3"
 rayon = "1.10"
 secp = "0.4.1"
-serde = { version = "1.0", features = ["derive"] }
+serde = { version = "1.0", features = ["derive", "rc"] }
 serde_json = "1.0"
 strum = "0.26"
 strum_macros = "0.26"

Cargo.toml

@@ -99,6 +99,11 @@ where
         unimplemented!();
     }
 
+    // Returns index of `i-th` GKR-IOP output-eval in PCS
+    fn output_map(i: usize) -> usize {
+        unimplemented!();
+    }
+
     fn phase1_witness_from_steps(
         layout: &Self::Layout,
         steps: &[StepRecord],

ceno_zkvm/src/instructions.rs

@@ -112,6 +112,7 @@ impl<E: ExtensionField, S: SyscallSpec> Instruction<E> for LargeEcallDummy<E, S>
 
         // Assign memory.
         for ((addr, value, writer), op) in config.mem_writes.iter().zip_eq(&ops.mem_ops) {
+            dbg!(&op.value.before);
             set_val!(instance, value.before, op.value.before as u64);
             set_val!(instance, value.after, op.value.after as u64);
             set_val!(instance, addr, u64::from(op.addr));
@@ -173,9 +174,23 @@ impl<E: ExtensionField> GKRIOPInstruction<E> for LargeEcallDummy<E, KeccakSpec>
         partial_config.lookups = lookups;
         partial_config.aux_wits = aux_wits;
 
+        dbg!(&partial_config.mem_writes[0].1.after);
+        dbg!(&partial_config.mem_writes[1].1.before);
+        dbg!(&partial_config.lookups[0]);
+
         Ok(partial_config)
     }
 
+    fn output_map(i: usize) -> usize {
+        if i < 50 {
+            27 + 6 * i
+        } else if i < 100 {
+            26 + 6 * (i - 50)
+        } else {
+            326 + i - 100
+        }
+    }
+
     fn phase1_witness_from_steps(
         layout: &Self::Layout,
         steps: &[StepRecord],

ceno_zkvm/src/instructions/riscv/dummy/dummy_ecall.rs

@@ -1,11 +1,13 @@
 use ff_ext::ExtensionField;
+use gkr_iop::gkr::{Evaluation, GKRCircuit, GKRProverOutput};
 use itertools::Itertools;
 use mpcs::PolynomialCommitmentScheme;
 use p3::field::PrimeCharacteristicRing;
 use serde::{Deserialize, Serialize, de::DeserializeOwned};
 use std::{
     collections::BTreeMap,
     fmt::{self, Debug},
+    marker::PhantomData,
     ops::Div,
 };
 use sumcheck::structs::IOPProverMessage;
@@ -51,7 +53,15 @@ pub struct ZKVMOpcodeProof<E: ExtensionField, PCS: PolynomialCommitmentScheme<E>
     pub wits_opening_proof: PCS::Proof,
     pub wits_in_evals: Vec<E>,
 
-    pub gkr_out_evals: Option<Vec<E>>,
+    pub gkr_opcode_proof: Option<GKROpcodeProof<E, PCS>>,
+}
+
+#[derive(Clone, Serialize)]
+pub struct GKROpcodeProof<E: ExtensionField, PCS: PolynomialCommitmentScheme<E>> {
+    output_evals: Vec<E>,
+    prover_output: GKRProverOutput<E, Evaluation<E>>,
+    circuit: GKRCircuit,
+    _marker: PhantomData<PCS>,
 }
 
 #[derive(Clone, Serialize, Deserialize)]

ceno_zkvm/src/scheme.rs

@@ -3,6 +3,7 @@ use ff_ext::ExtensionField;
 use gkr_iop::{evaluation::PointAndEval, gkr::GKRCircuitWitness};
 use std::{
     collections::{BTreeMap, BTreeSet, HashMap},
+    marker::PhantomData,
     sync::Arc,
 };
 
@@ -31,6 +32,7 @@ use crate::{
         riscv::{dummy::LargeEcallDummy, ecall::EcallDummy},
     },
     scheme::{
+        GKROpcodeProof,
         constants::{MAINCONSTRAIN_SUMCHECK_BATCH_SIZE, NUM_FANIN, NUM_FANIN_LOGUP},
         utils::{
             infer_tower_logup_witness, infer_tower_product_witness, interleaving_mles_to_mles,
@@ -481,9 +483,6 @@ impl<E: ExtensionField, PCS: PolynomialCommitmentScheme<E>> ZKVMProver<E, PCS> {
                 );
             }
 
-            // dbg!(sel_r);
-            // panic!();
-
             let mut sel_w = build_eq_x_r_vec(&rt_w[log2_w_count..]);
             if num_instances < sel_w.len() {
                 sel_w.splice(
@@ -703,23 +702,11 @@ impl<E: ExtensionField, PCS: PolynomialCommitmentScheme<E>> ZKVMProver<E, PCS> {
         exit_span!(pcs_open_span);
         let wits_commit = PCS::get_pure_commitment(&wits_commit);
 
-        let gkr_out_evals = if let Some((gkr_iop_pk, gkr_wit)) = gkr_iop_pk {
-            let mut gkr_iop_pk = gkr_iop_pk.clone();
+        let gkr_opcode_proof = if let Some((gkr_iop_pk, gkr_wit)) = gkr_iop_pk {
+            let gkr_iop_pk = gkr_iop_pk.clone();
             let gkr_circuit = gkr_iop_pk.vk.get_state().chip.gkr_circuit();
 
             let point = Arc::new(input_open_point);
-            dbg!(&point);
-            // // let mut prover_transcript = transcript::BasicTranscript::<E>::new(b"protocol");
-            // let out_evals = chain!(
-            //     r_records_in_evals.clone(),
-            //     w_records_in_evals.clone(),
-            //     lk_records_in_evals.clone()
-            // )
-            // .map(|record| PointAndEval {
-            //     point: point.clone(),
-            //     eval: record,
-            // })
-            // .collect_vec();
 
             let out_evals = gkr_wit
                 .layers
@@ -735,11 +722,20 @@ impl<E: ExtensionField, PCS: PolynomialCommitmentScheme<E>> ZKVMProver<E, PCS> {
 
             // out_evals from point and output polynomials instead of *_records which is combined
 
-            let gkr_iop::gkr::GKRProverOutput { gkr_proof, .. } = gkr_circuit
+            let prover_output = gkr_circuit
                 .prove(gkr_wit, &out_evals, &vec![], transcript)
                 .expect("Failed to prove phase");
             // unimplemented!("cannot fully handle GKRIOP component yet")
-            Some(out_evals.into_iter().map(|pae| pae.eval).collect_vec())
+
+            dbg!(&prover_output.opening_evaluations.len());
+            let output_evals = out_evals.into_iter().map(|pae| pae.eval).collect_vec();
+
+            Some(GKROpcodeProof {
+                output_evals,
+                prover_output,
+                circuit: gkr_circuit,
+                _marker: PhantomData::default(),
+            })
         } else {
             None
         };
@@ -761,7 +757,7 @@ impl<E: ExtensionField, PCS: PolynomialCommitmentScheme<E>> ZKVMProver<E, PCS> {
             wits_commit,
             wits_opening_proof,
             wits_in_evals,
-            gkr_out_evals,
+            gkr_opcode_proof,
         })
     }
 

ceno_zkvm/src/scheme/prover.rs

@@ -1,6 +1,7 @@
-use std::marker::PhantomData;
+use std::{marker::PhantomData, sync::Arc};
 
 use ark_std::iterable::Iterable;
+use ceno_emul::{KeccakSpec, SyscallSpec};
 use ff_ext::ExtensionField;
 
 use itertools::{Itertools, chain, interleave, izip};
@@ -17,6 +18,7 @@ use witness::next_pow2_instance_padding;
 use crate::{
     error::ZKVMError,
     expression::{Instance, StructuralWitIn},
+    instructions::{GKRIOPInstruction, riscv::dummy::LargeEcallDummy},
     scheme::{
         constants::{NUM_FANIN, NUM_FANIN_LOGUP, SEL_DEGREE},
         utils::eval_by_expr_with_instance,
@@ -408,25 +410,51 @@ impl<E: ExtensionField, PCS: PolynomialCommitmentScheme<E>> ZKVMVerifier<E, PCS>
             )
         };
 
-        if let Some(evals) = &proof.gkr_out_evals {
-            dbg!(&sel_r);
-            // let gkr_reads = evals.iter().take(50).collect_vec();
-            let intersection_size = evals
-                .iter()
-                .counts()
+        if name == KeccakSpec::NAME {
+            // TODO: remove clone
+            let gkr_iop = proof
+                .gkr_opcode_proof
+                .clone()
+                .expect("Keccak syscall should contain GKR-IOP proof");
+
+            // Match output_evals with EcallDummy polynomials
+            let mut matches = 0;
+            for (i, gkr_out_eval) in gkr_iop.output_evals.iter().enumerate() {
+                // assert_eq!(
+                //     *gkr_out_eval,
+                //     proof.wits_in_evals[LargeEcallDummy::<E, KeccakSpec>::output_map(i)],
+                //     "{i}"
+                // );
+                if *gkr_out_eval
+                    == proof.wits_in_evals[LargeEcallDummy::<E, KeccakSpec>::output_map(i)]
+                {
+                    matches += 1;
+                } else {
+                    dbg!(i);
+                }
+            }
+            dbg!(matches);
+            panic!();
+            // Verify GKR proof
+            let point = Arc::new(input_opening_point.clone());
+            let out_evals = gkr_iop
+                .output_evals
                 .iter()
-                .map(|(val, count)| {
-                    let proof_count = proof
-                        .r_records_in_evals
-                        .iter()
-                        .enumerate()
-                        .filter(|(i, x)| *alpha_read * **val == **x)
-                        .count();
-                    *count.min(&proof_count)
+                .map(|eval| gkr_iop::evaluation::PointAndEval {
+                    point: point.clone(),
+                    eval: eval.clone(),
                 })
-                .sum::<usize>();
-            dbg!(&intersection_size);
-            // panic!();
+                .collect_vec();
+
+            gkr_iop
+                .circuit
+                .verify(
+                    gkr_iop.prover_output.gkr_proof.clone(),
+                    &out_evals,
+                    &vec![],
+                    transcript,
+                )
+                .expect("GKR IOP verify failure");
         }
 
         let computed_evals = [

ceno_zkvm/src/scheme/verifier.rs

@@ -20,6 +20,7 @@ p3-field.workspace = true
 p3-goldilocks.workspace = true
 rand.workspace = true
 rayon.workspace = true
+serde.workspace = true
 subprotocols = { path = "../subprotocols" }
 thiserror = "1"
 tiny-keccak.workspace = true

gkr_iop/Cargo.toml

@@ -1,22 +1,25 @@
 use std::sync::Arc;
 
 use ff_ext::ExtensionField;
-use itertools::{Itertools, izip};
+use itertools::{izip, Itertools};
 use multilinear_extensions::virtual_poly::build_eq_x_r_vec_sequential;
+use serde::Serialize;
 use subprotocols::expression::{Constant, Point};
 
-/// Evaluation expression for the gkr layer reduction and PCS opening preparation.
-#[derive(Clone, Debug)]
+/// Evaluation expression for the gkr layer reduction and PCS opening
+/// preparation.
+#[derive(Clone, Debug, Serialize)]
 pub enum EvalExpression {
     /// Single entry in the evaluation vector.
     Single(usize),
     /// Linear expression of an entry with the scalar and offset.
     Linear(usize, Constant, Constant),
     /// Merging multiple evaluations which denotes a partition of the original
     /// polynomial. `(usize, Constant)` denote the modification of the point.
-    /// For example, when it receive a point `(p0, p1, p2, p3)` from a succeeding
-    /// layer, `vec![(2, c0), (4, c1)]` will modify the point to `(p0, p1, c0, p2, c1, p3)`.
-    /// where the indices specify how the partition applied to the original polynomial.
+    /// For example, when it receive a point `(p0, p1, p2, p3)` from a
+    /// succeeding layer, `vec![(2, c0), (4, c1)]` will modify the point to
+    /// `(p0, p1, c0, p2, c1, p3)`. where the indices specify how the
+    /// partition applied to the original polynomial.
     Partition(Vec<Box<EvalExpression>>, Vec<(usize, Constant)>),
 }
 

gkr_iop/src/evaluation.rs

@@ -1,6 +1,7 @@
 use ff_ext::ExtensionField;
 use itertools::{chain, izip, Itertools};
 use layer::{Layer, LayerWitness};
+use serde::Serialize;
 use subprotocols::{expression::Point, sumcheck::SumcheckProof};
 use transcript::Transcript;
 
@@ -12,7 +13,7 @@ use crate::{
 pub mod layer;
 pub mod mock;
 
-#[derive(Clone, Debug)]
+#[derive(Clone, Debug, Serialize)]
 pub struct GKRCircuit {
     pub layers: Vec<Layer>,
 
@@ -27,13 +28,16 @@ pub struct GKRCircuitWitness<E: ExtensionField> {
     pub layers: Vec<LayerWitness<E>>,
 }
 
+#[derive(Clone, Serialize)]
 pub struct GKRProverOutput<E: ExtensionField, Evaluation> {
     pub gkr_proof: GKRProof<E>,
     pub opening_evaluations: Vec<Evaluation>,
 }
 
+#[derive(Clone, Serialize)]
 pub struct GKRProof<E: ExtensionField>(pub Vec<SumcheckProof<E>>);
 
+#[derive(Clone, Debug, Serialize)]
 pub struct Evaluation<E: ExtensionField> {
     pub value: E,
     pub point: Point<E>,

gkr_iop/src/gkr.rs

@@ -2,6 +2,7 @@ use ark_std::log2;
 use ff_ext::ExtensionField;
 use itertools::{chain, izip};
 use linear_layer::LinearLayer;
+use serde::Serialize;
 use subprotocols::{
     expression::{Constant, Expression, Point},
     sumcheck::{SumcheckClaims, SumcheckProof, SumcheckProverOutput},
@@ -20,14 +21,14 @@ pub mod linear_layer;
 pub mod sumcheck_layer;
 pub mod zerocheck_layer;
 
-#[derive(Clone, Debug)]
+#[derive(Clone, Debug, Serialize)]
 pub enum LayerType {
     Sumcheck,
     Zerocheck,
     Linear,
 }
 
-#[derive(Clone, Debug)]
+#[derive(Clone, Debug, Serialize)]
 pub struct Layer {
     pub name: String,
     pub ty: LayerType,