add verifier checks: proof structure match circuit structure

nicole-graus · nicole-graus · commit e1b761666203 · 2025-07-25T15:53:11.000-03:00
diff --git a/crates/provers/gkr/src/sumcheck.rs b/crates/provers/gkr/src/sumcheck.rs
@@ -148,7 +148,9 @@ where
             }
         }
 
-        // Check that the degree of g_j does not exceed the theoretical bound
+        // Check that the degree of `g_j` does not exceed the theoretical bound.
+        // The polynomial `g_j` should be cuadratic since the polynomial `f(b,c)` to which the sumcheck is applied
+        // is the sum of of two products, where each one is the product of two multilinear polynomials.
         if g_j.degree() > 2 {
             return Err(crate::verifier::VerifierError::InvalidDegree);
         }
diff --git a/crates/provers/gkr/src/verifier.rs b/crates/provers/gkr/src/verifier.rs
@@ -29,6 +29,11 @@ impl Verifier {
         FieldElement<F>: ByteConversion,
         <F as IsField>::BaseType: Send + Sync + Copy,
     {
+        // The proof should haver one layer-proof for each circuit layer.
+        if proof.layer_proofs.len() != circuit.layers().len() {
+            println!("The proof has an invalid number of proof layers");
+            return Ok(false);
+        }
         // Fiat-Shamir heuristic:
         // Both parties need to to append to the transcript the circuit, the inputs and the outputs.
         // See https://eprint.iacr.org/2025/118.pdf, Sections 2.1 and 2.2
@@ -57,6 +62,16 @@ impl Verifier {
 
         // For each layer, verify the sumcheck proof and calculate the next layer's challenges and claimed sum.
         for (layer_idx, layer_proof) in proof.layer_proofs.iter().enumerate() {
+            // The number of sumcheck round polynomials `g_j` should be `2 * k_{i+1}`,
+            // where `k_{i+1} = next_num_vars` is the number of variables in the next layer.
+            let next_num_vars = circuit
+                .num_vars_at(layer_idx + 1)
+                .ok_or(VerifierError::InvalidProof)?;
+            if layer_proof.sumcheck_proof.round_polynomials.len() != 2 * next_num_vars {
+                println!("The proof has an invalid number of sumcheck round polynomials at layer {layer_idx}");
+                return Ok(false);
+            }
+
             // Sumcheck verification.
             let (sumcheck_verified, sumcheck_challenges) = gkr_sumcheck_verify(
                 claimed_sum.clone(),

Original file line number	Diff line number	Diff line change
`@@ -148,7 +148,9 @@ where`
`148`	`148`	`}`
`149`	`149`	`}`
`150`	`150`
`151`		`- // Check that the degree of g_j does not exceed the theoretical bound`
	`151`	+ // Check that the degree of `g_j` does not exceed the theoretical bound.
	`152`	+ // The polynomial `g_j` should be cuadratic since the polynomial `f(b,c)` to which the sumcheck is applied
	`153`	`+ // is the sum of of two products, where each one is the product of two multilinear polynomials.`
`152`	`154`	`if g_j.degree() > 2 {`
`153`	`155`	`return Err(crate::verifier::VerifierError::InvalidDegree);`
`154`	`156`	`}`