EVM-verifiable ring-vrf

[swasilyev]

To check that the signer belongs to the ring we:

1. compute pk1 = sk.G
2. witness the index of the signer k=(0,...,0,1,0,...,0) and compute pk2 = <k, pks>
3. check the equality between pk1 == pk2

[swasilyev]

atm to make it pass the test, set https://github.com/w3f/ring-proof/blob/9dc7c15b17ef12bdd79c716b6d652034516deef4/w3f-plonk-common/src/verifier.rs#L77 to

    let lin_comm = CS::C::combine(&challenges.alphas[2..10], &lin_pices);

[swasilyev]

TODO:

• Clean up params.
• Constrain the vrf_in.
  Done, see here.
• Constraintpk_from_sk to be equal pk_from_index.
  These 2 can be merged probably to smth like L1.(doublings_of_in - vrf_in)+Ln.(pk_from_sk - pk_from_index), if we use ec addition to compute pk_from_index (otherwise pk_from_sk = pk + seed).
  Done, see here.
• Constrain pk_index to be unique.
  Done, see here.
• Off-by-one here https://github.com/w3f/ring-proof/blob/9dc7c15b17ef12bdd79c716b6d652034516deef4/w3f-plonk-common/src/gadgets/ec/mod.rs#L71 when using points computed with the doubling gadget.
  Mitigated in Column::constrained_len() #56
• Fix plonk verifier here: https://github.com/w3f/ring-proof/blob/9dc7c15b17ef12bdd79c716b6d652034516deef4/w3f-plonk-common/src/verifier.rs#L77 Done, now passes all the alphas to the piop.

[swasilyev]

todo: internalize this logic inside the gadget. Same for ec_add.

[swasilyev]

@drskalman I think now it's fully constrained.

• pk_index is boolean and the bits of pk_index[0..domain.capacity - 1] sum to 1. pk_index[domain.capacity - 1] doesn't participate in the ec add gadget.
• sk is just boolean. I assume that computing PK = b0.G + b1.(2G) + ... + bn.(2^nG) is not less hard for any n than a dlog.
  @AlistairStewart? (he says that's ok)