plonky2/src/prover.rs

use std::time::Instant;

use log::info;
use rayon::prelude::*;

use crate::circuit_data::{CommonCircuitData, ProverOnlyCircuitData};
use crate::field::extension_field::Extendable;
use crate::field::fft::ifft;
use crate::field::field::Field;
use crate::generator::generate_partial_witness;
use crate::plonk_challenger::Challenger;
use crate::plonk_common::eval_vanishing_poly_base;
use crate::polynomial::commitment::ListPolynomialCommitment;
use crate::polynomial::polynomial::{PolynomialCoeffs, PolynomialValues};
use crate::proof::Proof;
use crate::timed;
use crate::util::transpose;
use crate::vars::EvaluationVarsBase;
use crate::wire::Wire;
use crate::witness::PartialWitness;

/// Corresponds to constants - sigmas - wires - zs - quotient — polynomial commitments.
pub const PLONK_BLINDING: [bool; 5] = [false, false, true, true, true];

pub(crate) fn prove<F: Extendable<D>, const D: usize>(
    prover_data: &ProverOnlyCircuitData<F>,
    common_data: &CommonCircuitData<F, D>,
    inputs: PartialWitness<F>,
) -> Proof<F, D> {
    let fri_config = &common_data.config.fri_config;

    let start_proof_gen = Instant::now();

    let mut witness = inputs;
    info!("Running {} generators", prover_data.generators.len());
    timed!(
        generate_partial_witness(&mut witness, &prover_data.generators,),
        "to generate witness"
    );

    let config = &common_data.config;
    let num_wires = config.num_wires;
    let num_challenges = config.num_challenges;
    let quotient_degree = common_data.quotient_degree();

    let degree = common_data.degree();
    let wires_polynomials: Vec<PolynomialCoeffs<F>> = timed!(
        (0..num_wires)
            .into_par_iter()
            .map(|i| compute_wire_polynomial(i, &witness, degree))
            .collect(),
        "to compute wire polynomials"
    );

    // TODO: Could try parallelizing the transpose, or not doing it explicitly, instead having
    // merkle_root_bit_rev_order do it implicitly.
    let wires_commitment = timed!(
        ListPolynomialCommitment::new(wires_polynomials, fri_config.rate_bits, true),
        "to compute wires commitment"
    );

    let mut challenger = Challenger::new();
    // Observe the instance.
    // TODO: Need to include public inputs as well.
    challenger.observe_hash(&common_data.circuit_digest);

    challenger.observe_hash(&wires_commitment.merkle_tree.root);
    let betas = challenger.get_n_challenges(num_challenges);
    let gammas = challenger.get_n_challenges(num_challenges);

    let plonk_z_vecs = timed!(compute_zs(&common_data), "to compute Z's");

    let plonk_zs_commitment = timed!(
        ListPolynomialCommitment::new(plonk_z_vecs, fri_config.rate_bits, true),
        "to commit to Z's"
    );

    challenger.observe_hash(&plonk_zs_commitment.merkle_tree.root);

    let alphas = challenger.get_n_challenges(num_challenges);

    let vanishing_polys = timed!(
        compute_vanishing_polys(
            common_data,
            prover_data,
            &wires_commitment,
            &plonk_zs_commitment,
            &betas,
            &gammas,
            &alphas,
        ),
        "to compute vanishing polys"
    );

    // Compute the quotient polynomials, aka `t` in the Plonk paper.
    let all_quotient_poly_chunks = timed!(
        vanishing_polys
            .into_par_iter()
            .flat_map(|vanishing_poly| {
                let vanishing_poly_coeff = ifft(vanishing_poly);
                let quotient_poly_coeff = vanishing_poly_coeff.divide_by_z_h(degree);
                // Split t into degree-n chunks.
                quotient_poly_coeff.chunks(degree)
            })
            .collect(),
        "to compute quotient polys"
    );

    let quotient_polys_commitment = timed!(
        ListPolynomialCommitment::new(all_quotient_poly_chunks, fri_config.rate_bits, true),
        "to commit to quotient polys"
    );

    challenger.observe_hash(&quotient_polys_commitment.merkle_tree.root);

    let zeta = challenger.get_extension_challenge();

    let (opening_proof, mut openings) = timed!(
        ListPolynomialCommitment::open_plonk(
            &[
                &prover_data.constants_commitment,
                &prover_data.sigmas_commitment,
                &wires_commitment,
                &plonk_zs_commitment,
                &quotient_polys_commitment,
            ],
            zeta,
            &mut challenger,
            &common_data.config.fri_config
        ),
        "to compute opening proofs"
    );

    info!(
        "{:.3}s for overall witness & proof generation",
        start_proof_gen.elapsed().as_secs_f32()
    );

    Proof {
        wires_root: wires_commitment.merkle_tree.root,
        plonk_zs_root: plonk_zs_commitment.merkle_tree.root,
        quotient_polys_root: quotient_polys_commitment.merkle_tree.root,
        openings,
        opening_proof,
    }
}

fn compute_zs<F: Extendable<D>, const D: usize>(
    common_data: &CommonCircuitData<F, D>,
) -> Vec<PolynomialCoeffs<F>> {
    (0..common_data.config.num_challenges)
        .map(|i| compute_z(common_data, i))
        .collect()
}

fn compute_z<F: Extendable<D>, const D: usize>(
    common_data: &CommonCircuitData<F, D>,
    _i: usize,
) -> PolynomialCoeffs<F> {
    PolynomialCoeffs::zero(common_data.degree()) // TODO
}

fn compute_vanishing_polys<F: Extendable<D>, const D: usize>(
    common_data: &CommonCircuitData<F, D>,
    prover_data: &ProverOnlyCircuitData<F>,
    wires_commitment: &ListPolynomialCommitment<F>,
    plonk_zs_commitment: &ListPolynomialCommitment<F>,
    betas: &[F],
    gammas: &[F],
    alphas: &[F],
) -> Vec<PolynomialValues<F>> {
    let lde_size = common_data.lde_size();
    let lde_gen = common_data.lde_generator();
    let num_challenges = common_data.config.num_challenges;

    let points = F::cyclic_subgroup_known_order(lde_gen, lde_size);
    let values: Vec<Vec<F>> = points
        .into_par_iter()
        .enumerate()
        .map(|(i, x)| {
            let i_next = (i + 1) % lde_size;
            let local_wires = wires_commitment.leaf(i);
            let local_constants = prover_data.constants_commitment.leaf(i);
            let local_plonk_zs = plonk_zs_commitment.leaf(i);
            let next_plonk_zs = plonk_zs_commitment.leaf(i_next);
            let s_sigmas = prover_data.sigmas_commitment.leaf(i);

            debug_assert_eq!(local_wires.len(), common_data.config.num_wires);
            debug_assert_eq!(local_plonk_zs.len(), num_challenges);

            let vars = EvaluationVarsBase {
                local_constants,
                local_wires,
            };
            eval_vanishing_poly_base(
                common_data,
                x,
                vars,
                local_plonk_zs,
                next_plonk_zs,
                s_sigmas,
                betas,
                gammas,
                alphas,
            )
        })
        .collect();

    transpose(&values)
        .into_iter()
        .map(PolynomialValues::new)
        .collect()
}

fn compute_wire_polynomial<F: Field>(
    input: usize,
    witness: &PartialWitness<F>,
    degree: usize,
) -> PolynomialCoeffs<F> {
    let wire_values = (0..degree)
        // Some gates do not use all wires, and we do not require that generators populate unused
        // wires, so some wire values will not be set. We can set these to any value; here we
        // arbitrary pick zero. Ideally we would verify that no constraints operate on these unset
        // wires, but that isn't trivial.
        .map(|gate| {
            witness
                .try_get_wire(Wire { gate, input })
                .unwrap_or(F::ZERO)
        })
        .collect();
    PolynomialValues::new(wire_values).ifft()
}
More prover work 2021-03-25 15:20:14 -07:00			`use std::time::Instant;`

			`use log::info;`
No more polynomial programming abstraction It was too expensive. 2021-03-28 15:36:51 -07:00			`use rayon::prelude::*;`
More prover work 2021-03-25 15:20:14 -07:00
Refactor polynomial code 2021-03-30 13:30:31 -07:00			`use crate::circuit_data::{CommonCircuitData, ProverOnlyCircuitData};`
Working FRI with field extensions 2021-05-18 15:22:06 +02:00			`use crate::field::extension_field::Extendable;`
Minor 2021-05-10 13:10:40 +02:00			`use crate::field::fft::ifft;`
Initial commit 2021-02-09 21:25:21 -08:00			`use crate::field::field::Field;`
Tweak APIs 2021-03-21 11:17:00 -07:00			`use crate::generator::generate_partial_witness;`
Multiple vanishing polys, and multiple associated quotient polys With different random alphas 2021-04-01 13:22:54 -07:00			`use crate::plonk_challenger::Challenger;`
Bit of verifier work (#54) * Bit of verifier work * Minor * next_plonk_zs now available after William's changes 2021-06-08 21:23:52 -07:00			`use crate::plonk_common::eval_vanishing_poly_base;`
Generic tests 2021-05-18 16:06:47 +02:00			`use crate::polynomial::commitment::ListPolynomialCommitment;`
Fix some warnings 2021-03-30 20:16:20 -07:00			`use crate::polynomial::polynomial::{PolynomialCoeffs, PolynomialValues};`
Minor 2021-05-10 13:10:40 +02:00			`use crate::proof::Proof;`
Move timed! and call from ListPolynomialCommitment 2021-05-14 07:33:46 -07:00			`use crate::timed;`
Minor 2021-05-10 13:10:40 +02:00			`use crate::util::transpose;`
Draw challenge points from the extension field (#51) * Draw challenge points from the extension field * Now building * Misc * Default eval_unfiltered_base * fmt * A few field settings * Add to Sage * Display tweak * eval_filtered_base * Quartic in bench * Missing methods * Fix tests * PR feedback 2021-05-30 13:25:53 -07:00			`use crate::vars::EvaluationVarsBase;`
Bit of prover work 2021-03-21 11:57:33 -07:00			`use crate::wire::Wire;`
Tweak APIs 2021-03-21 11:17:00 -07:00			`use crate::witness::PartialWitness;`
Initial commit 2021-02-09 21:25:21 -08:00
Blinding parameter can be set differently for each Merkle tree in a FRI proof. 2021-05-11 09:56:21 +02:00			`/// Corresponds to constants - sigmas - wires - zs - quotient — polynomial commitments.`
			`pub const PLONK_BLINDING: [bool; 5] = [false, false, true, true, true];`

Draw challenge points from the extension field (#51) * Draw challenge points from the extension field * Now building * Misc * Default eval_unfiltered_base * fmt * A few field settings * Add to Sage * Display tweak * eval_filtered_base * Quartic in bench * Missing methods * Fix tests * PR feedback 2021-05-30 13:25:53 -07:00			`pub(crate) fn prove<F: Extendable<D>, const D: usize>(`
Initial commit 2021-02-09 21:25:21 -08:00			`prover_data: &ProverOnlyCircuitData<F>,`
Draw challenge points from the extension field (#51) * Draw challenge points from the extension field * Now building * Misc * Default eval_unfiltered_base * fmt * A few field settings * Add to Sage * Display tweak * eval_filtered_base * Quartic in bench * Missing methods * Fix tests * PR feedback 2021-05-30 13:25:53 -07:00			`common_data: &CommonCircuitData<F, D>,`
Tweak APIs 2021-03-21 11:17:00 -07:00			`inputs: PartialWitness<F>,`
Const generics everywhere 2021-05-18 15:44:50 +02:00			`) -> Proof<F, D> {`
Batch open for PLONK 2021-05-07 11:30:03 +02:00			`let fri_config = &common_data.config.fri_config;`

Minor 2021-03-30 23:47:29 -07:00			`let start_proof_gen = Instant::now();`

			`let mut witness = inputs;`
More prover work 2021-03-25 15:20:14 -07:00			`info!("Running {} generators", prover_data.generators.len());`
Batch open for PLONK 2021-05-07 11:30:03 +02:00			`timed!(`
Rollback to previous semantics 2021-06-23 13:46:19 +02:00			`generate_partial_witness(&mut witness, &prover_data.generators,),`
Batch open for PLONK 2021-05-07 11:30:03 +02:00			`"to generate witness"`
Progress on FRI 2021-04-21 22:31:45 +02:00			`);`
Tweak APIs 2021-03-21 11:17:00 -07:00
Batch open for PLONK 2021-05-07 11:30:03 +02:00			`let config = &common_data.config;`
Bit of prover work 2021-03-21 11:57:33 -07:00			`let num_wires = config.num_wires;`
num_checks -> num_challenges 2021-05-14 08:07:00 -07:00			`let num_challenges = config.num_challenges;`
Multiple vanishing polys, and multiple associated quotient polys With different random alphas 2021-04-01 13:22:54 -07:00			`let quotient_degree = common_data.quotient_degree();`
More prover work 2021-03-25 15:20:14 -07:00
Tweaks 2021-03-30 10:02:00 -07:00			`let degree = common_data.degree();`
Batch open for PLONK 2021-05-07 11:30:03 +02:00			`let wires_polynomials: Vec<PolynomialCoeffs<F>> = timed!(`
			`(0..num_wires)`
			`.into_par_iter()`
			`.map(\|i\| compute_wire_polynomial(i, &witness, degree))`
			`.collect(),`
			`"to compute wire polynomials"`
Progress on FRI 2021-04-21 22:31:45 +02:00			`);`
More prover work 2021-03-25 15:20:14 -07:00
Tweaks 2021-03-30 10:02:00 -07:00			`// TODO: Could try parallelizing the transpose, or not doing it explicitly, instead having`
			`// merkle_root_bit_rev_order do it implicitly.`
Batch open for PLONK 2021-05-07 11:30:03 +02:00			`let wires_commitment = timed!(`
Blinding parameter can be set differently for each Merkle tree in a FRI proof. 2021-05-11 09:56:21 +02:00			`ListPolynomialCommitment::new(wires_polynomials, fri_config.rate_bits, true),`
Batch open for PLONK 2021-05-07 11:30:03 +02:00			`"to compute wires commitment"`
Progress on FRI 2021-04-21 22:31:45 +02:00			`);`
Bit of prover work 2021-03-21 11:57:33 -07:00
Sponges etc 2021-03-31 21:15:24 -07:00			`let mut challenger = Challenger::new();`
Seed Challenger with a hash of the instance I think this is the recommended way to apply Fiat-Shamir, to avoid any possible attacks like taking someone else's proof and using it to prove a slightly different statement. 2021-04-22 16:32:57 -07:00			`// Observe the instance.`
			`// TODO: Need to include public inputs as well.`
			`challenger.observe_hash(&common_data.circuit_digest);`

Update PLONK prover. 2021-05-06 23:14:37 +02:00			`challenger.observe_hash(&wires_commitment.merkle_tree.root);`
num_checks -> num_challenges 2021-05-14 08:07:00 -07:00			`let betas = challenger.get_n_challenges(num_challenges);`
			`let gammas = challenger.get_n_challenges(num_challenges);`
Sponges etc 2021-03-31 21:15:24 -07:00
Batch open for PLONK 2021-05-07 11:30:03 +02:00			`let plonk_z_vecs = timed!(compute_zs(&common_data), "to compute Z's");`
Minor 2021-03-30 23:47:29 -07:00
Batch open for PLONK 2021-05-07 11:30:03 +02:00			`let plonk_zs_commitment = timed!(`
Blinding parameter can be set differently for each Merkle tree in a FRI proof. 2021-05-11 09:56:21 +02:00			`ListPolynomialCommitment::new(plonk_z_vecs, fri_config.rate_bits, true),`
Batch open for PLONK 2021-05-07 11:30:03 +02:00			`"to commit to Z's"`
Progress on FRI 2021-04-21 22:31:45 +02:00			`);`
No more polynomial programming abstraction It was too expensive. 2021-03-28 15:36:51 -07:00
Update PLONK prover. 2021-05-06 23:14:37 +02:00			`challenger.observe_hash(&plonk_zs_commitment.merkle_tree.root);`
Sponges etc 2021-03-31 21:15:24 -07:00
num_checks -> num_challenges 2021-05-14 08:07:00 -07:00			`let alphas = challenger.get_n_challenges(num_challenges);`
Sponges etc 2021-03-31 21:15:24 -07:00
Batch open for PLONK 2021-05-07 11:30:03 +02:00			`let vanishing_polys = timed!(`
			`compute_vanishing_polys(`
			`common_data,`
			`prover_data,`
Fix bug 2021-05-07 16:22:13 +02:00			`&wires_commitment,`
			`&plonk_zs_commitment,`
Batch open for PLONK 2021-05-07 11:30:03 +02:00			`&betas,`
			`&gammas,`
			`&alphas,`
			`),`
			`"to compute vanishing polys"`
Progress on FRI 2021-04-21 22:31:45 +02:00			`);`
Multiple vanishing polys, and multiple associated quotient polys With different random alphas 2021-04-01 13:22:54 -07:00
			// Compute the quotient polynomials, aka `t` in the Plonk paper.
Compute the three quotient polys in parallel Reduces that step from ~0.19s to ~0.09s on my laptop. 2021-05-23 22:21:27 -07:00			`let all_quotient_poly_chunks = timed!(`
			`vanishing_polys`
			`.into_par_iter()`
			`.flat_map(\|vanishing_poly\| {`
Batch open for PLONK 2021-05-07 11:30:03 +02:00			`let vanishing_poly_coeff = ifft(vanishing_poly);`
Finish merging in old_polynomial 2021-05-12 11:20:47 -07:00			`let quotient_poly_coeff = vanishing_poly_coeff.divide_by_z_h(degree);`
Batch open for PLONK 2021-05-07 11:30:03 +02:00			`// Split t into degree-n chunks.`
Compute the three quotient polys in parallel Reduces that step from ~0.19s to ~0.09s on my laptop. 2021-05-23 22:21:27 -07:00			`quotient_poly_coeff.chunks(degree)`
			`})`
			`.collect(),`
			`"to compute quotient polys"`
			`);`

			`let quotient_polys_commitment = timed!(`
			`ListPolynomialCommitment::new(all_quotient_poly_chunks, fri_config.rate_bits, true),`
			`"to commit to quotient polys"`
Progress on FRI 2021-04-21 22:31:45 +02:00			`);`
Fix coset [i]fft 2021-03-30 11:46:58 -07:00
Fixes based on PR comments 2021-05-11 10:01:35 +02:00			`challenger.observe_hash(&quotient_polys_commitment.merkle_tree.root);`
Update PLONK prover. 2021-05-06 23:14:37 +02:00
Rewrite LPC code to be more PLONK-specific 2021-05-31 17:49:04 +02:00			`let zeta = challenger.get_extension_challenge();`
Update PLONK prover. 2021-05-06 23:14:37 +02:00
Bit of verifier work (#54) * Bit of verifier work * Minor * next_plonk_zs now available after William's changes 2021-06-08 21:23:52 -07:00			`let (opening_proof, mut openings) = timed!(`
Rewrite LPC code to be more PLONK-specific 2021-05-31 17:49:04 +02:00			`ListPolynomialCommitment::open_plonk(`
Minor 2021-05-07 16:49:27 +02:00			`&[`
			`&prover_data.constants_commitment,`
			`&prover_data.sigmas_commitment,`
			`&wires_commitment,`
			`&plonk_zs_commitment,`
			`&quotient_polys_commitment,`
			`],`
Rewrite LPC code to be more PLONK-specific 2021-05-31 17:49:04 +02:00			`zeta,`
Minor 2021-05-07 16:49:27 +02:00			`&mut challenger,`
Blinding parameter can be set differently for each Merkle tree in a FRI proof. 2021-05-11 09:56:21 +02:00			`&common_data.config.fri_config`
Minor 2021-05-07 16:49:27 +02:00			`),`
			`"to compute opening proofs"`
Update PLONK prover. 2021-05-06 23:14:37 +02:00			`);`
Candidate API for Merkle proof data Does this make sense? I think other libraries tend to include the leaf's index (either as an integer, or a series of bits indicating left/right turns) as part of a "proof". In FRI, the leaf indices are chosen by the verifier, so I thought that approach might be sort of redundant. Let me know what you think though. 2021-04-06 19:11:21 -07:00
Progress on FRI 2021-04-21 22:31:45 +02:00			`info!(`
			`"{:.3}s for overall witness & proof generation",`
			`start_proof_gen.elapsed().as_secs_f32()`
			`);`
Bit of prover work 2021-03-21 11:57:33 -07:00
Tweaks 2021-03-30 10:02:00 -07:00			`Proof {`
Update PLONK prover. 2021-05-06 23:14:37 +02:00			`wires_root: wires_commitment.merkle_tree.root,`
			`plonk_zs_root: plonk_zs_commitment.merkle_tree.root,`
			`quotient_polys_root: quotient_polys_commitment.merkle_tree.root,`
Bit of prover work 2021-03-21 11:57:33 -07:00			`openings,`
Fix bug 2021-05-07 16:22:13 +02:00			`opening_proof,`
Bit of prover work 2021-03-21 11:57:33 -07:00			`}`
			`}`

Draw challenge points from the extension field (#51) * Draw challenge points from the extension field * Now building * Misc * Default eval_unfiltered_base * fmt * A few field settings * Add to Sage * Display tweak * eval_filtered_base * Quartic in bench * Missing methods * Fix tests * PR feedback 2021-05-30 13:25:53 -07:00			`fn compute_zs<F: Extendable<D>, const D: usize>(`
			`common_data: &CommonCircuitData<F, D>,`
			`) -> Vec<PolynomialCoeffs<F>> {`
num_checks -> num_challenges 2021-05-14 08:07:00 -07:00			`(0..common_data.config.num_challenges)`
No more polynomial programming abstraction It was too expensive. 2021-03-28 15:36:51 -07:00			`.map(\|i\| compute_z(common_data, i))`
			`.collect()`
			`}`

Draw challenge points from the extension field (#51) * Draw challenge points from the extension field * Now building * Misc * Default eval_unfiltered_base * fmt * A few field settings * Add to Sage * Display tweak * eval_filtered_base * Quartic in bench * Missing methods * Fix tests * PR feedback 2021-05-30 13:25:53 -07:00			`fn compute_z<F: Extendable<D>, const D: usize>(`
			`common_data: &CommonCircuitData<F, D>,`
			`_i: usize,`
			`) -> PolynomialCoeffs<F> {`
Update PLONK prover. 2021-05-06 23:14:37 +02:00			`PolynomialCoeffs::zero(common_data.degree()) // TODO`
No more polynomial programming abstraction It was too expensive. 2021-03-28 15:36:51 -07:00			`}`

Draw challenge points from the extension field (#51) * Draw challenge points from the extension field * Now building * Misc * Default eval_unfiltered_base * fmt * A few field settings * Add to Sage * Display tweak * eval_filtered_base * Quartic in bench * Missing methods * Fix tests * PR feedback 2021-05-30 13:25:53 -07:00			`fn compute_vanishing_polys<F: Extendable<D>, const D: usize>(`
			`common_data: &CommonCircuitData<F, D>,`
No more polynomial programming abstraction It was too expensive. 2021-03-28 15:36:51 -07:00			`prover_data: &ProverOnlyCircuitData<F>,`
Fix bug 2021-05-07 16:22:13 +02:00			`wires_commitment: &ListPolynomialCommitment<F>,`
			`plonk_zs_commitment: &ListPolynomialCommitment<F>,`
Properly use the three betas and gammas ... for the three different `Z`s we use. Before I was just using the first value as a temporary thing. 2021-04-23 14:25:24 -07:00			`betas: &[F],`
			`gammas: &[F],`
Multiple vanishing polys, and multiple associated quotient polys With different random alphas 2021-04-01 13:22:54 -07:00			`alphas: &[F],`
			`) -> Vec<PolynomialValues<F>> {`
No more polynomial programming abstraction It was too expensive. 2021-03-28 15:36:51 -07:00			`let lde_size = common_data.lde_size();`
			`let lde_gen = common_data.lde_generator();`
num_checks -> num_challenges 2021-05-14 08:07:00 -07:00			`let num_challenges = common_data.config.num_challenges;`
No more polynomial programming abstraction It was too expensive. 2021-03-28 15:36:51 -07:00
Parallelize vanishing poly computation 2021-04-01 13:46:24 -07:00			`let points = F::cyclic_subgroup_known_order(lde_gen, lde_size);`
Progress on FRI 2021-04-21 22:31:45 +02:00			`let values: Vec<Vec<F>> = points`
Minor 2021-05-07 16:49:27 +02:00			`.into_par_iter()`
Progress on FRI 2021-04-21 22:31:45 +02:00			`.enumerate()`
			`.map(\|(i, x)\| {`
			`let i_next = (i + 1) % lde_size;`
Fix bug 2021-05-07 16:22:13 +02:00			`let local_wires = wires_commitment.leaf(i);`
			`let local_constants = prover_data.constants_commitment.leaf(i);`
			`let local_plonk_zs = plonk_zs_commitment.leaf(i);`
Minor 2021-05-10 13:10:40 +02:00			`let next_plonk_zs = plonk_zs_commitment.leaf(i_next);`
Fix bug 2021-05-07 16:22:13 +02:00			`let s_sigmas = prover_data.sigmas_commitment.leaf(i);`
Progress on FRI 2021-04-21 22:31:45 +02:00
			`debug_assert_eq!(local_wires.len(), common_data.config.num_wires);`
num_checks -> num_challenges 2021-05-14 08:07:00 -07:00			`debug_assert_eq!(local_plonk_zs.len(), num_challenges);`
Progress on FRI 2021-04-21 22:31:45 +02:00
Draw challenge points from the extension field (#51) * Draw challenge points from the extension field * Now building * Misc * Default eval_unfiltered_base * fmt * A few field settings * Add to Sage * Display tweak * eval_filtered_base * Quartic in bench * Missing methods * Fix tests * PR feedback 2021-05-30 13:25:53 -07:00			`let vars = EvaluationVarsBase {`
Progress on FRI 2021-04-21 22:31:45 +02:00			`local_constants,`
			`local_wires,`
			`};`
Bit of verifier work (#54) * Bit of verifier work * Minor * next_plonk_zs now available after William's changes 2021-06-08 21:23:52 -07:00			`eval_vanishing_poly_base(`
Progress on FRI 2021-04-21 22:31:45 +02:00			`common_data,`
			`x,`
			`vars,`
			`local_plonk_zs,`
			`next_plonk_zs,`
			`s_sigmas,`
Properly use the three betas and gammas ... for the three different `Z`s we use. Before I was just using the first value as a temporary thing. 2021-04-23 14:25:24 -07:00			`betas,`
			`gammas,`
Progress on FRI 2021-04-21 22:31:45 +02:00			`alphas,`
			`)`
			`})`
			`.collect();`
Multiple vanishing polys, and multiple associated quotient polys With different random alphas 2021-04-01 13:22:54 -07:00
Parallelize vanishing poly computation 2021-04-01 13:46:24 -07:00			`transpose(&values)`
			`.into_iter()`
Multiple vanishing polys, and multiple associated quotient polys With different random alphas 2021-04-01 13:22:54 -07:00			`.map(PolynomialValues::new)`
			`.collect()`
No more polynomial programming abstraction It was too expensive. 2021-03-28 15:36:51 -07:00			`}`

Update PLONK prover. 2021-05-06 23:14:37 +02:00			`fn compute_wire_polynomial<F: Field>(`
			`input: usize,`
			`witness: &PartialWitness<F>,`
			`degree: usize,`
			`) -> PolynomialCoeffs<F> {`
			`let wire_values = (0..degree)`
			`// Some gates do not use all wires, and we do not require that generators populate unused`
			`// wires, so some wire values will not be set. We can set these to any value; here we`
			`// arbitrary pick zero. Ideally we would verify that no constraints operate on these unset`
			`// wires, but that isn't trivial.`
			`.map(\|gate\| {`
			`witness`
			`.try_get_wire(Wire { gate, input })`
			`.unwrap_or(F::ZERO)`
			`})`
			`.collect();`
			`PolynomialValues::new(wire_values).ifft()`
			`}`