A question about hyperplonk/src/snark.rs test

[Sophiamer2002]

I substituted the 673 line in hyperplonk/src/snark.rs with

let permutation = vec![
    E::ScalarField::from(1u128),
    E::ScalarField::from(2u128),
    E::ScalarField::from(3u128),
    E::ScalarField::from(4u128),
    E::ScalarField::from(5u128),
    E::ScalarField::from(6u128),
    E::ScalarField::from(7u128),
    E::ScalarField::from(0u128),
];

and ran the corresponding test test_hyperplonk_e2e, with the result _verify in line 716 being true. In my understanding, the permutation check shouldn't pass and we should have the result as false. I guess there might be vulnerability in the batch opening part of HyperPlonkSNARK::verify. Please let me know if I made any mistake here. Looking forward to your reply.

[chancharles92]

Hi @zhenfeizhang , this does seem to be a bad permutation given that the witness is w1 := [0, 1, 2, 3] and w2 := [0^5, 1^5, 2^5, 3^5]. Do you have time to take a look? Thanks!

[Sophiamer2002]

I've found the problem. In batch opening of multilinear kzg, we commit to a series of tuples of (multilinear polynomial, points, evaluation on the point). Also note that we have an inheritance relationship of Sumcheck < Zerocheck < Prodcheck < Permcheck, and so do their subclaims. The subclaim of sumcheck requires a check on some point of a polynomial, which gives relationships on evaluations of multilinear polynomials we committed. These relationships are checked by function hyperplonk::utils::eval_f for "wiring identity constraints" and eval_perm_gate for "gate identity constraints". However, we note that The subclaim of permcheck poses a further requirement, that the product polynomial should be evaluated to 1 at (0, 1, 1, ..., 1). The relationship isn't checked in verify function in hyperplonk/src/snark.rs. What's more, the relationship shall be also checked by prover, to ensure that the proof is correct.