ligerito 0.6.2

Ligerito polynomial commitment scheme over binary extension fields
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327

//! State Continuity Tests
//!
//! These tests verify that execution chains correctly - critical for
//! continuous PVM execution (JAM/graypaper model).
//!
//! Without state continuity constraints, a prover could:
//! 1. Execute step i correctly
//! 2. Fork to a different state for step i+1
//! 3. Execute step i+1 correctly from that forged state
//! 4. Have both steps verify individually ✓
//! 5. But break the execution chain ✗

#![cfg(feature = "polkavm-integration")]

use ligerito::pcvm::polkavm_adapter::PolkaVMRegisters;
use ligerito::pcvm::polkavm_arithmetization::arithmetize_polkavm_trace;
use ligerito::pcvm::polkavm_constraints_v2::{InstructionProof, ProvenTransition};
use ligerito_binary_fields::{BinaryElem128, BinaryElem32, BinaryFieldElement};

use polkavm::program::Instruction;
use polkavm_common::program::{RawReg, Reg};

fn raw_reg(r: Reg) -> RawReg {
    RawReg::from(r)
}

/// Test: Forged register continuity is rejected
#[test]
fn test_reject_forged_register_continuity() {
    // Step 1: load_imm a0, 42
    let mut regs_0 = [0u32; 13];
    let mut regs_1 = regs_0;
    regs_1[7] = 42; // a0 = 42

    let step1 = (
        ProvenTransition {
            pc: 0x1000,
            next_pc: 0x1002,
            instruction_size: 2,
            regs_before: PolkaVMRegisters::from_array(regs_0),
            regs_after: PolkaVMRegisters::from_array(regs_1),
            memory_root_before: [0u8; 32],
            memory_root_after: [0u8; 32],
            memory_proof: None,
            instruction_proof: InstructionProof {
                merkle_path: vec![],
                position: 0,
                opcode: 0,
                operands: [0, 0, 0],
            },
        },
        Instruction::load_imm(raw_reg(Reg::A0), 42),
    );

    // Step 2: FORGED initial state
    // Instead of starting with a0=42 (from step 1), we claim a0=999
    let mut forged_regs_before = [0u32; 13];
    forged_regs_before[7] = 999; // WRONG! Should be 42

    let mut regs_2 = forged_regs_before;
    regs_2[8] = 100; // a1 = 100

    let step2 = (
        ProvenTransition {
            pc: 0x1002,
            next_pc: 0x1004,
            instruction_size: 2,
            regs_before: PolkaVMRegisters::from_array(forged_regs_before), // FORGED!
            regs_after: PolkaVMRegisters::from_array(regs_2),
            memory_root_before: [0u8; 32],
            memory_root_after: [0u8; 32],
            memory_proof: None,
            instruction_proof: InstructionProof {
                merkle_path: vec![],
                position: 0,
                opcode: 0,
                operands: [0, 0, 0],
            },
        },
        Instruction::load_imm(raw_reg(Reg::A1), 100),
    );

    let trace = vec![step1, step2];

    // Arithmetize with batching challenge
    let batching_challenge = BinaryElem128::from(0x12345678u128);
    let arith = arithmetize_polkavm_trace(&trace, [0u8; 32], batching_challenge)
        .expect("Should arithmetize");

    // Constraint accumulator should be NON-ZERO due to forged register continuity
    assert_ne!(
        arith.constraint_accumulator,
        BinaryElem128::zero(),
        "Forged register continuity should fail! Accumulator: {:?}",
        arith.constraint_accumulator
    );

    println!("✓ Forged register continuity correctly rejected");
    println!("  - Step 1 ends with: a0 = 42");
    println!("  - Step 2 claims to start with: a0 = 999");
    println!(
        "  - Constraint accumulator: {:?} (non-zero)",
        arith.constraint_accumulator
    );
}

/// Test: Forged memory root continuity is rejected
#[test]
fn test_reject_forged_memory_continuity() {
    let mut regs = [0u32; 13];

    // Step 1: Some operation that produces memory_root_after = [1, 2, 3, ...]
    let mut memory_root_1 = [0u8; 32];
    memory_root_1[0] = 1;
    memory_root_1[1] = 2;

    let step1 = (
        ProvenTransition {
            pc: 0x1000,
            next_pc: 0x1002,
            instruction_size: 2,
            regs_before: PolkaVMRegisters::from_array(regs),
            regs_after: PolkaVMRegisters::from_array(regs),
            memory_root_before: [0u8; 32],
            memory_root_after: memory_root_1, // Final state: [1, 2, 0, 0, ...]
            memory_proof: None,
            instruction_proof: InstructionProof {
                merkle_path: vec![],
                position: 0,
                opcode: 0,
                operands: [0, 0, 0],
            },
        },
        Instruction::load_imm(raw_reg(Reg::A0), 0),
    );

    // Step 2: FORGED memory root
    // Claims to start with [99, 88, ...] instead of [1, 2, ...]
    let mut forged_memory_root = [0u8; 32];
    forged_memory_root[0] = 99; // WRONG! Should be 1
    forged_memory_root[1] = 88; // WRONG! Should be 2

    let step2 = (
        ProvenTransition {
            pc: 0x1002,
            next_pc: 0x1004,
            instruction_size: 2,
            regs_before: PolkaVMRegisters::from_array(regs),
            regs_after: PolkaVMRegisters::from_array(regs),
            memory_root_before: forged_memory_root, // FORGED!
            memory_root_after: forged_memory_root,
            memory_proof: None,
            instruction_proof: InstructionProof {
                merkle_path: vec![],
                position: 0,
                opcode: 0,
                operands: [0, 0, 0],
            },
        },
        Instruction::load_imm(raw_reg(Reg::A0), 0),
    );

    let trace = vec![step1, step2];

    let batching_challenge = BinaryElem128::from(0xABCDEF01u128);
    let arith = arithmetize_polkavm_trace(&trace, [0u8; 32], batching_challenge)
        .expect("Should arithmetize");

    // Constraint accumulator should be NON-ZERO
    assert_ne!(
        arith.constraint_accumulator,
        BinaryElem128::zero(),
        "Forged memory continuity should fail!"
    );

    println!("✓ Forged memory root continuity correctly rejected");
    println!("  - Step 1 ends with memory_root: [1, 2, 0, ...]");
    println!("  - Step 2 claims to start with: [99, 88, 0, ...]");
    println!(
        "  - Constraint accumulator: {:?} (non-zero)",
        arith.constraint_accumulator
    );
}

/// Test: Forged PC continuity is rejected
#[test]
fn test_reject_forged_pc_continuity() {
    let mut regs = [0u32; 13];

    // Step 1: Instruction at 0x1000, next_pc = 0x1002
    let step1 = (
        ProvenTransition {
            pc: 0x1000,
            next_pc: 0x1002, // Step 1 says "next is 0x1002"
            instruction_size: 2,
            regs_before: PolkaVMRegisters::from_array(regs),
            regs_after: PolkaVMRegisters::from_array(regs),
            memory_root_before: [0u8; 32],
            memory_root_after: [0u8; 32],
            memory_proof: None,
            instruction_proof: InstructionProof {
                merkle_path: vec![],
                position: 0,
                opcode: 0,
                operands: [0, 0, 0],
            },
        },
        Instruction::load_imm(raw_reg(Reg::A0), 0),
    );

    // Step 2: FORGED PC
    // Claims to start at 0x9999 instead of 0x1002
    let step2 = (
        ProvenTransition {
            pc: 0x9999, // WRONG! Should be 0x1002
            next_pc: 0x999B,
            instruction_size: 2,
            regs_before: PolkaVMRegisters::from_array(regs),
            regs_after: PolkaVMRegisters::from_array(regs),
            memory_root_before: [0u8; 32],
            memory_root_after: [0u8; 32],
            memory_proof: None,
            instruction_proof: InstructionProof {
                merkle_path: vec![],
                position: 0,
                opcode: 0,
                operands: [0, 0, 0],
            },
        },
        Instruction::load_imm(raw_reg(Reg::A0), 0),
    );

    let trace = vec![step1, step2];

    let batching_challenge = BinaryElem128::from(0x11111111u128);
    let arith = arithmetize_polkavm_trace(&trace, [0u8; 32], batching_challenge)
        .expect("Should arithmetize");

    // Constraint accumulator should be NON-ZERO
    assert_ne!(
        arith.constraint_accumulator,
        BinaryElem128::zero(),
        "Forged PC continuity should fail!"
    );

    println!("✓ Forged PC continuity correctly rejected");
    println!("  - Step 1 next_pc: 0x1002");
    println!("  - Step 2 pc: 0x9999 (control flow forgery!)");
    println!(
        "  - Constraint accumulator: {:?} (non-zero)",
        arith.constraint_accumulator
    );
}

/// Test: Valid continuity passes
#[test]
fn test_valid_state_continuity_passes() {
    // Create a valid 3-step chain
    let mut regs_0 = [0u32; 13];

    // Step 1: load_imm a0, 10
    let mut regs_1 = regs_0;
    regs_1[7] = 10;

    let step1 = (
        ProvenTransition {
            pc: 0x1000,
            next_pc: 0x1002,
            instruction_size: 2,
            regs_before: PolkaVMRegisters::from_array(regs_0),
            regs_after: PolkaVMRegisters::from_array(regs_1), // Final: a0=10
            memory_root_before: [0u8; 32],
            memory_root_after: [0u8; 32],
            memory_proof: None,
            instruction_proof: InstructionProof {
                merkle_path: vec![],
                position: 0,
                opcode: 0,
                operands: [0, 0, 0],
            },
        },
        Instruction::load_imm(raw_reg(Reg::A0), 10),
    );

    // Step 2: load_imm a1, 20
    // CORRECT: regs_before = regs_1 (from step 1's regs_after)
    let mut regs_2 = regs_1;
    regs_2[8] = 20;

    let step2 = (
        ProvenTransition {
            pc: 0x1002, // CORRECT: matches step1.next_pc
            next_pc: 0x1004,
            instruction_size: 2,
            regs_before: PolkaVMRegisters::from_array(regs_1), // CORRECT: chains from step 1
            regs_after: PolkaVMRegisters::from_array(regs_2),
            memory_root_before: [0u8; 32], // CORRECT: matches step1.memory_root_after
            memory_root_after: [0u8; 32],
            memory_proof: None,
            instruction_proof: InstructionProof {
                merkle_path: vec![],
                position: 0,
                opcode: 0,
                operands: [0, 0, 0],
            },
        },
        Instruction::load_imm(raw_reg(Reg::A1), 20),
    );

    let trace = vec![step1, step2];

    let batching_challenge = BinaryElem128::from(0x42424242u128);
    let arith = arithmetize_polkavm_trace(&trace, [0u8; 32], batching_challenge)
        .expect("Should arithmetize");

    // Constraint accumulator should be ZERO (all constraints satisfied)
    assert_eq!(
        arith.constraint_accumulator,
        BinaryElem128::zero(),
        "Valid continuity should pass! Accumulator: {:?}",
        arith.constraint_accumulator
    );

    println!("✓ Valid state continuity correctly accepted");
    println!("  - All states chain correctly");
    println!("  - Constraint accumulator: ZERO (all satisfied)");
}