refactor!: refactored transcript traits and impls

plonk/src/circuit/plonk_verifier/gadgets.rs

@@ -43,7 +43,7 @@
 /// - poly_evals: zeta^n, zeta^n-1 and Lagrange evaluated at 1
 /// - batch_proof: batched proof inputs
 /// - non_native_field_info: aux information for non-native field
 /// Output
 /// - scalar and bases prepared for MSM
 /// - buffer info for u and v powers
 pub(super) fn aggregate_poly_commitments_circuit<E, F>(
@@ -225,25 +225,25 @@
         transcript_var.append_commitments_vars(b"witness_poly_comms", wires_poly_comms)?;
     }
 
-    let beta = transcript_var.get_and_append_challenge_var::<E>(b"beta", circuit)?;
-    let gamma = transcript_var.get_and_append_challenge_var::<E>(b"gamma", circuit)?;
+    let beta = transcript_var.get_challenge_var::<E>(b"beta", circuit)?;
+    let gamma = transcript_var.get_challenge_var::<E>(b"gamma", circuit)?;
     for prod_perm_poly_comm in batch_proof.prod_perm_poly_comms_vec.iter() {
         transcript_var.append_commitment_var(b"perm_poly_comms", prod_perm_poly_comm)?;
     }
 
-    let alpha = transcript_var.get_and_append_challenge_var::<E>(b"alpha", circuit)?;
+    let alpha = transcript_var.get_challenge_var::<E>(b"alpha", circuit)?;
     transcript_var
         .append_commitments_vars(b"quot_poly_comms", &batch_proof.split_quot_poly_comms)?;
-    let zeta = transcript_var.get_and_append_challenge_var::<E>(b"zeta", circuit)?;
+    let zeta = transcript_var.get_challenge_var::<E>(b"zeta", circuit)?;
     for poly_evals in batch_proof.poly_evals_vec.iter() {
         transcript_var.append_proof_evaluations_vars(circuit, poly_evals)?;
     }
 
-    let v = transcript_var.get_and_append_challenge_var::<E>(b"v", circuit)?;
+    let v = transcript_var.get_challenge_var::<E>(b"v", circuit)?;
     transcript_var.append_commitment_var(b"open_proof", &batch_proof.opening_proof)?;
     transcript_var
         .append_commitment_var(b"shifted_open_proof", &batch_proof.shifted_opening_proof)?;
-    let u = transcript_var.get_and_append_challenge_var::<E>(b"u", circuit)?;
+    let u = transcript_var.get_challenge_var::<E>(b"u", circuit)?;
 
     // convert challenge vars into FpElemVars
     let challenge_var = ChallengesVar {

plonk/src/circuit/transcript.rs

@@ -137,16 +137,6 @@ where
         Ok(())
     }
 
-    // Append a challenge variable to the transcript.
-    // For efficiency purpose, label is not used for rescue FS.
-    pub(crate) fn append_challenge_var(
-        &mut self,
-        _label: &'static [u8],
-        challenge_var: &Variable,
-    ) -> Result<(), CircuitError> {
-        self.append_variable(_label, challenge_var)
-    }
-
     // Append the proof evaluation to the transcript
     pub(crate) fn append_proof_evaluations_vars(
         &mut self,
@@ -171,7 +161,7 @@ where
     // For efficiency purpose, label is not used for rescue FS.
     // Note that this function currently only supports bls12-377
     // curve due to its decomposition method.
-    pub(crate) fn get_and_append_challenge_var<E>(
+    pub(crate) fn get_challenge_var<E>(
         &mut self,
         _label: &'static [u8],
         circuit: &mut PlonkCircuit<F>,
@@ -193,7 +183,7 @@ where
         // This algorithm takes in 3 steps
         // 1. state: [F: STATE_SIZE] = hash(state|transcript)
         // 2. challenge = state[0] in Fr
-        // 3. transcript = vec![challenge]
+        // 3. transcript = vec![]
         // ==================================
 
         // step 1. state: [F: STATE_SIZE] = hash(state|transcript)
@@ -210,7 +200,6 @@ where
         // finish and update the states
         self.state_var.copy_from_slice(&res_var[0..STATE_SIZE]);
         self.transcript_var = Vec::new();
-        self.append_challenge_var(_label, &challenge_var)?;
 
         Ok(challenge_var)
     }
@@ -267,10 +256,10 @@ mod tests {
                     .unwrap();
             }
 
-            let challenge = transcript.get_and_append_challenge::<E>(label).unwrap();
+            let challenge = transcript.get_challenge::<E>(label).unwrap();
 
             let challenge_var = transcript_var
-                .get_and_append_challenge_var::<E>(label, &mut circuit)
+                .get_challenge_var::<E>(label, &mut circuit)
                 .unwrap();
 
             assert_eq!(
@@ -329,10 +318,10 @@ mod tests {
             .append_vk_and_pub_input_vars::<E>(&mut circuit, &dummy_vk_var, &[])
             .unwrap();
 
-        let challenge = transcript.get_and_append_challenge::<E>(label).unwrap();
+        let challenge = transcript.get_challenge::<E>(label).unwrap();
 
         let challenge_var = transcript_var
-            .get_and_append_challenge_var::<E>(label, &mut circuit)
+            .get_challenge_var::<E>(label, &mut circuit)
             .unwrap();
 
         assert_eq!(
@@ -398,10 +387,10 @@ mod tests {
                 .append_vk_and_pub_input_vars::<E>(&mut circuit, &vk_var, &input_fp_elem_vars)
                 .unwrap();
 
-            let challenge = transcript.get_and_append_challenge::<E>(label).unwrap();
+            let challenge = transcript.get_challenge::<E>(label).unwrap();
 
             let challenge_var = transcript_var
-                .get_and_append_challenge_var::<E>(label, &mut circuit)
+                .get_challenge_var::<E>(label, &mut circuit)
                 .unwrap();
 
             assert_eq!(

plonk/src/constants.rs

@@ -18,3 +18,6 @@ pub(crate) const EXTRA_TRANSCRIPT_MSG_LABEL: &[u8] = b"extra info";
 pub(crate) const fn domain_size_ratio(n: usize, num_wire_types: usize) -> usize {
     (num_wire_types * (n + 1) + 2) / n + 1
 }
+
+/// Keccak-256 have a 32 byte state size.
+pub const KECCAK256_STATE_SIZE: usize = 32;

plonk/src/proof_system/snark.rs

@@ -255,7 +255,7 @@ where
         // Plookup: compute and interpolate the sorted concatenation of the (merged)
         // lookup table and the (merged) witness values
         if circuits.iter().any(|c| C::support_lookup(c)) {
-            challenges.tau = Some(transcript.get_and_append_challenge::<E>(b"tau")?);
+            challenges.tau = Some(transcript.get_challenge::<E>(b"tau")?);
         } else {
             challenges.tau = None;
         }
@@ -284,8 +284,8 @@ where
         }
 
         // Round 2
-        challenges.beta = transcript.get_and_append_challenge::<E>(b"beta")?;
-        challenges.gamma = transcript.get_and_append_challenge::<E>(b"gamma")?;
+        challenges.beta = transcript.get_challenge::<E>(b"beta")?;
+        challenges.gamma = transcript.get_challenge::<E>(b"gamma")?;
         let mut prod_perm_poly_comms_vec = vec![];
         for i in 0..circuits.len() {
             let (prod_perm_poly_comm, prod_perm_poly) =
@@ -318,7 +318,7 @@ where
         }
 
         // Round 3
-        challenges.alpha = transcript.get_and_append_challenge::<E>(b"alpha")?;
+        challenges.alpha = transcript.get_challenge::<E>(b"alpha")?;
         let (split_quot_poly_comms, split_quot_polys) = prover.run_3rd_round(
             prng,
             &prove_keys[0].commit_key,
@@ -330,7 +330,7 @@ where
         transcript.append_commitments(b"quot_poly_comms", &split_quot_poly_comms)?;
 
         // Round 4
-        challenges.zeta = transcript.get_and_append_challenge::<E>(b"zeta")?;
+        challenges.zeta = transcript.get_challenge::<E>(b"zeta")?;
         let mut poly_evals_vec = vec![];
         for i in 0..circuits.len() {
             let poly_evals = prover.compute_evaluations(
@@ -389,7 +389,7 @@ where
         }
 
         // Round 5
-        challenges.v = transcript.get_and_append_challenge::<E>(b"v")?;
+        challenges.v = transcript.get_challenge::<E>(b"v")?;
         let (opening_proof, shifted_opening_proof) = prover.compute_opening_proofs(
             &prove_keys[0].commit_key,
             prove_keys,

plonk/src/proof_system/verifier.rs

@@ -195,7 +195,7 @@
     /// - `Ai = [open_proof_i] + u_i * [shifted_open_proof_i]` and
     /// - `Bi = eval_point_i * [open_proof_i] + u_i * next_eval_point_i *
     ///   [shifted_open_proof_i] + comm_i - eval_i * [1]1`.
     /// By Schwartz-Zippel lemma, it's equivalent to check that for a random r:
     /// - `e(A0 + ... + r^{m-1} * Am, [x]2) = e(B0 + ... + r^{m-1} * Bm, [1]2)`.
     pub(crate) fn batch_verify_opening_proofs<T>(
         open_key: &OpenKey<E>,
@@ -214,9 +214,9 @@
             // protocol transcript. This approach is more secure as `r` depends not only
             // on the proofs, but also the list of public inputs and verifying keys.
             for pcs_info in pcs_infos {
-                transcript.append_challenge::<E>(b"u", &pcs_info.u)?;
+                transcript.append_field::<E>(b"u", &pcs_info.u)?;
             }
-            transcript.get_and_append_challenge::<E>(b"r")?
+            transcript.get_challenge::<E>(b"r")?
         };
 
         // Compute A := A0 + r * A1 + ... + r^{m-1} * Am
@@ -287,7 +287,7 @@
             transcript.append_commitments(b"witness_poly_comms", wires_poly_comms)?;
         }
         let tau = if verify_keys.iter().any(|vk| vk.plookup_vk.is_some()) {
-            Some(transcript.get_and_append_challenge::<E>(b"tau")?)
+            Some(transcript.get_challenge::<E>(b"tau")?)
         } else {
             None
         };
@@ -298,8 +298,8 @@
             }
         }
 
-        let beta = transcript.get_and_append_challenge::<E>(b"beta")?;
-        let gamma = transcript.get_and_append_challenge::<E>(b"gamma")?;
+        let beta = transcript.get_challenge::<E>(b"beta")?;
+        let gamma = transcript.get_challenge::<E>(b"gamma")?;
         for prod_perm_poly_comm in batch_proof.prod_perm_poly_comms_vec.iter() {
             transcript.append_commitment(b"perm_poly_comms", prod_perm_poly_comm)?;
         }
@@ -310,9 +310,9 @@
             }
         }
 
-        let alpha = transcript.get_and_append_challenge::<E>(b"alpha")?;
+        let alpha = transcript.get_challenge::<E>(b"alpha")?;
         transcript.append_commitments(b"quot_poly_comms", &batch_proof.split_quot_poly_comms)?;
-        let zeta = transcript.get_and_append_challenge::<E>(b"zeta")?;
+        let zeta = transcript.get_challenge::<E>(b"zeta")?;
         for poly_evals in batch_proof.poly_evals_vec.iter() {
             transcript.append_proof_evaluations::<E>(poly_evals)?;
         }
@@ -322,10 +322,10 @@
             }
         }
 
-        let v = transcript.get_and_append_challenge::<E>(b"v")?;
+        let v = transcript.get_challenge::<E>(b"v")?;
         transcript.append_commitment(b"open_proof", &batch_proof.opening_proof)?;
         transcript.append_commitment(b"shifted_open_proof", &batch_proof.shifted_opening_proof)?;
-        let u = transcript.get_and_append_challenge::<E>(b"u")?;
+        let u = transcript.get_challenge::<E>(b"u")?;
         Ok(Challenges {
             tau,
             alpha,

plonk/src/testing_apis.rs

@@ -12,6 +12,7 @@
 #![allow(missing_docs)]
 
 use crate::{
+    constants::KECCAK256_STATE_SIZE,
     errors::PlonkError,
     lagrange::LagrangeCoeffs,
     proof_system::{
@@ -379,12 +380,12 @@ where
 /// exposing the internal states for testing purposes
 impl SolidityTranscript {
     /// Create a new transcript from specific internal states.
-    pub fn from_internal(transcript: Vec<u8>) -> Self {
-        Self { transcript }
+    pub fn from_internal(state: [u8; KECCAK256_STATE_SIZE], transcript: Vec<u8>) -> Self {
+        Self { state, transcript }
     }
 
     /// Returns the internal states
-    pub fn internal(&self) -> Vec<u8> {
-        self.transcript.clone()
+    pub fn internal(&self) -> ([u8; KECCAK256_STATE_SIZE], Vec<u8>) {
+        (self.state.clone(), self.transcript.clone())
     }
 }