Remove single ring batch verifier #78
| let mut ts = self.transcript.clone(); | ||
| ts._add_serializable(b"batch-entropy", &item.entropy); | ||
| self.acc | ||
| .accumulate(item.piop, item.proof, item.challenges, &mut ts.to_rng()); |
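Review bot: `ts` is a fresh clone of `self.transcript` on every call, so as far as these lines show, the RNG passed to `accumulate` on the last line depends only on the shared transcript state and `item.entropy`, not on items accumulated earlier. If that independence is intended, a short comment above the clone saying so (and that `item.entropy` is the only per-proof input to the batching randomness) would make the assumption explicit. If the randomness is meant to depend on the whole batch, the entropy would have to be absorbed into `self.transcript` itself rather than into the clone.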
I mainly want your attention here: we extend a clone of a shared vanilla transcript (stored in the main BatchVerifier object) with per-proof entropy before deriving the corresponding RNG.
Since entropy is obtained by squeezing the per-proof verifier transcript, it should be sufficient to use it directly rather than requiring access to the per-proof verifier transcript itself.
| use crate::multi_ring_batch_verifier::MultiRingBatchVerifier; | ||
| let mut batch = MultiRingBatchVerifier::new(verifier_a.pcs_vk().clone()); | ||
| use crate::multi_ring_batch_verifier::BatchVerifier; | ||
| let mut batch = BatchVerifier::new( |
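Review bot: The import path `crate::multi_ring_batch_verifier::BatchVerifier` now pairs the old module name with the new type name. Consider renaming the module to match, or re-exporting `BatchVerifier` at the crate root, so callers do not carry the `multi_ring_` prefix that the type just dropped.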
So technically, BatchVerifier is RingVerifier that forgot his piop (almost).
| @@ -15,53 +15,33 @@ use crate::ring_verifier::RingVerifier; | |||
| use crate::RingProof; | |||
|
|
|||
| /// A ring proof preprocessed for multi-ring batch verification. | |||
| piop: PiopVerifier<E::ScalarField, <KZG<E> as PCS<E::ScalarField>>::C, Affine<J>>, | ||
| proof: RingProof<E::ScalarField, KZG<E>>, | ||
| challenges: Challenges<E::ScalarField>, | ||
| entropy: [u8; 32], |
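Review bot: The `entropy: [u8; 32]` field has no doc comment in these lines, although it is the per-item value the batch RNG is seeded with. A line such as `/// Squeezed from the per-proof verifier transcript; seeds the batch RNG for this item.` (wording to be confirmed by the author) would record where it comes from. The fields are not `pub` here; keeping them private prevents `entropy` from being set independently of `proof` and `challenges`.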
So this thing is an "almost evaluated verification claim". The challenges, I guess, don't depend on the batch; prover otherwise couldn't. What is the entropy then? Can we maybe just hash twice to get the batch randomness so that we have simple security?
Closes #73
Replace KzgBatchVerifier with a thin wrapper around MultiRingBatchVerifier (now just BatchVerifier)

Bonus: simplify BatchItem:

BatchItem (then named PreparedMultiRingItem) used to borrow RingVerifier solely so the batch verifier could clone the verifier's transcript when folding in per-item entropy. That borrow leaked a lifetime and a transcript type parameter into the item and every method touching it.

An overarching transcript is now owned by BatchVerifier, passed once at construction (BatchVerifier::new(kzg_vk, transcript)), and cloned on each push to fold entropy. As a result BatchItem is now a plain owned struct and self-contained so they can be stored/sent, decoupled from the originating verifier.