mathcrypto
commented
2 years ago Tests should verify not only challenges but everything that needs to be appended to the transcript
Closed LukePearson1 closed 2 years ago
mathcrypto
commented
2 years ago Tests should verify not only challenges but everything that needs to be appended to the transcript
markulf
commented
2 years ago Indeed, only beta is added. Should all the challenges be added directly after generation.
https://github.com/ZK-Garage/plonk/blob/master/plonk-core/src/proof_system/prover.rs#L295
@LukePearson1 your point is that we should have an assert for the right number of challenges somewhere? We would have to instrument the code to count the challenges we add? Do we already do similar consistency checks for other aspects of the protocol?
The draft pull request contains an example for adding the challenge gamma. Any suggestion on how to do the testing. We could have an append_challenge function that does the counting, or is there an easier way. One option would be to have a function append_challenge_scalar that does both the generation and the appending.
markulf
commented
2 years ago After creating the pull-request I am having second thoughts about this. Maybe the challenges do not in fact need to be always added to the transcript. But the conservative thing to do is to add them.
My intuition why hashing the challenge isn't always needed is that multiple challenges in the same round are separated via their labels and that the next provers message would depend on the challenge in a non-trivial way anyway.
Still, I prefer to be conservative and follow the protocol specification.
At the moment, the amount of challenges on the transcript is not checked. All the transcripts are being generated, however only
betais appended. This does not cause failures as the challenges only need to equal in number and name for the prover & verifier - which they do.The test should check that the number of challenges matches the spec.