Arrabbiata: implement coin_challenge and load it in the env

o1-labs · Feb 12, 2025 · c29c506 · c29c506
1 parent 48945d4
commit c29c506
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 2 deletions.
diff --git a/arrabbiata/src/main.rs b/arrabbiata/src/main.rs
@@ -5,6 +5,7 @@
 //! specify the number of iterations, and keep this file relatively simple.
 
 use arrabbiata::{
+    challenge::ChallengeTerm,
     curve::PlonkSpongeConstants,
     interpreter::{self, InterpreterEnv},
     witness::Env,
@@ -126,8 +127,8 @@ pub fn main() {
         // Commit to the accumulator and absorb the commitment
         // ----- Permutation argument -----
 
-        // FIXME:
         // Coin challenge α for combining the constraints
+        env.coin_challenge(ChallengeTerm::ConstraintRandomiser);
 
         // ----- Accumulation/folding argument -----
         // FIXME:

diff --git a/arrabbiata/src/witness.rs b/arrabbiata/src/witness.rs
@@ -12,7 +12,7 @@ use rayon::iter::{IntoParallelRefIterator, ParallelIterator};
 use std::time::Instant;
 
 use crate::{
-    challenge::Challenges,
+    challenge::{ChallengeTerm, Challenges},
     column::{Column, Gadget},
     curve::{ArrabbiataCurve, PlonkSpongeConstants},
     interpreter::{Instruction, InterpreterEnv, Side},
@@ -1236,4 +1236,51 @@ where
             Instruction::NoOp => Instruction::NoOp,
         }
     }
+
+    /// Simulate an interaction with the verifier by requesting to coin a
+    /// challenge from the current prover sponge state.
+    ///
+    /// This method supposes that all the messages have been sent to the
+    /// verifier previously, and the attribute [self.prover_sponge_state] has
+    /// been updated accordingly by absorbing all the messages correctly.
+    ///
+    /// The side-effect of this method will be to run a permutation on the
+    /// sponge state _after_ coining the challenge.
+    /// There is an hypothesis on the sponge state that the inner permutation
+    /// has been correctly executed if the absorbtion rate had been reached at
+    /// the last element.
+    ///
+    /// The challenge will be added to the [self.challenges] attribute at the
+    /// position given by the challenge `chal`.
+    ///
+    /// Internally, the method is implemented by simply loading the prover
+    /// sponge state, and squeezing a challenge from it, relying on the
+    /// implementation of the sponge. Usually, the challenge would be the first
+    /// N bits of the first element, but it is left as an implementation detail
+    /// of the sponge given by the curve.
+    pub fn coin_challenge(&mut self, chal: ChallengeTerm) {
+        if self.current_iteration % 2 == 0 {
+            let mut sponge = E1::create_new_sponge();
+            self.prover_sponge_state.iter().for_each(|x| {
+                E1::absorb_fq(
+                    &mut sponge,
+                    E1::BaseField::from_biguint(&x.to_biguint().unwrap()).unwrap(),
+                )
+            });
+            let verifier_answer = E1::squeeze_challenge(&mut sponge).to_biguint().into();
+            self.challenges[chal] = verifier_answer;
+            sponge.sponge.poseidon_block_cipher();
+        } else {
+            let mut sponge = E2::create_new_sponge();
+            self.prover_sponge_state.iter().for_each(|x| {
+                E2::absorb_fq(
+                    &mut sponge,
+                    E2::BaseField::from_biguint(&x.to_biguint().unwrap()).unwrap(),
+                )
+            });
+            let verifier_answer = E2::squeeze_challenge(&mut sponge).to_biguint().into();
+            self.challenges[chal] = verifier_answer;
+            sponge.sponge.poseidon_block_cipher();
+        };
+    }
 }