plonky2/starky/src/fibonacci_stark.rs

use std::marker::PhantomData;

use plonky2::field::extension::{Extendable, FieldExtension};
use plonky2::field::packed::PackedField;
use plonky2::field::polynomial::PolynomialValues;
use plonky2::hash::hash_types::RichField;
use plonky2::plonk::circuit_builder::CircuitBuilder;

use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer};
use crate::permutation::PermutationPair;
use crate::stark::Stark;
use crate::util::trace_rows_to_poly_values;
use crate::vars::{StarkEvaluationTargets, StarkEvaluationVars};

/// Toy STARK system used for testing.
/// Computes a Fibonacci sequence with state `[x0, x1, i, j]` using the state transition
/// `x0' <- x1, x1' <- x0 + x1, i' <- i+1, j' <- j+1`.
/// Note: The `i, j` columns are only used to test the permutation argument.
#[derive(Copy, Clone)]
struct FibonacciStark<F: RichField + Extendable<D>, const D: usize> {
    num_rows: usize,
    _phantom: PhantomData<F>,
}

impl<F: RichField + Extendable<D>, const D: usize> FibonacciStark<F, D> {
    // The first public input is `x0`.
    const PI_INDEX_X0: usize = 0;
    // The second public input is `x1`.
    const PI_INDEX_X1: usize = 1;
    // The third public input is the second element of the last row, which should be equal to the
    // `num_rows`-th Fibonacci number.
    const PI_INDEX_RES: usize = 2;

    fn new(num_rows: usize) -> Self {
        Self {
            num_rows,
            _phantom: PhantomData,
        }
    }

    /// Generate the trace using `x0, x1, 0, 1` as initial state values.
    fn generate_trace(&self, x0: F, x1: F) -> Vec<PolynomialValues<F>> {
        let mut trace_rows = (0..self.num_rows)
            .scan([x0, x1, F::ZERO, F::ONE], |acc, _| {
                let tmp = *acc;
                acc[0] = tmp[1];
                acc[1] = tmp[0] + tmp[1];
                acc[2] = tmp[2] + F::ONE;
                acc[3] = tmp[3] + F::ONE;
                Some(tmp)
            })
            .collect::<Vec<_>>();
        trace_rows[self.num_rows - 1][3] = F::ZERO; // So that column 2 and 3 are permutation of one another.
        trace_rows_to_poly_values(trace_rows)
    }
}

impl<F: RichField + Extendable<D>, const D: usize> Stark<F, D> for FibonacciStark<F, D> {
    const COLUMNS: usize = 4;
    const PUBLIC_INPUTS: usize = 3;

    fn eval_packed_generic<FE, P, const D2: usize>(
        &self,
        vars: StarkEvaluationVars<FE, P, { Self::COLUMNS }, { Self::PUBLIC_INPUTS }>,
        yield_constr: &mut ConstraintConsumer<P>,
    ) where
        FE: FieldExtension<D2, BaseField = F>,
        P: PackedField<Scalar = FE>,
    {
        // Check public inputs.
        yield_constr
            .constraint_first_row(vars.local_values[0] - vars.public_inputs[Self::PI_INDEX_X0]);
        yield_constr
            .constraint_first_row(vars.local_values[1] - vars.public_inputs[Self::PI_INDEX_X1]);
        yield_constr
            .constraint_last_row(vars.local_values[1] - vars.public_inputs[Self::PI_INDEX_RES]);

        // x0' <- x1
        yield_constr.constraint_transition(vars.next_values[0] - vars.local_values[1]);
        // x1' <- x0 + x1
        yield_constr.constraint_transition(
            vars.next_values[1] - vars.local_values[0] - vars.local_values[1],
        );
    }

    fn eval_ext_circuit(
        &self,
        builder: &mut CircuitBuilder<F, D>,
        vars: StarkEvaluationTargets<D, { Self::COLUMNS }, { Self::PUBLIC_INPUTS }>,
        yield_constr: &mut RecursiveConstraintConsumer<F, D>,
    ) {
        // Check public inputs.
        let pis_constraints = [
            builder.sub_extension(vars.local_values[0], vars.public_inputs[Self::PI_INDEX_X0]),
            builder.sub_extension(vars.local_values[1], vars.public_inputs[Self::PI_INDEX_X1]),
            builder.sub_extension(vars.local_values[1], vars.public_inputs[Self::PI_INDEX_RES]),
        ];
        yield_constr.constraint_first_row(builder, pis_constraints[0]);
        yield_constr.constraint_first_row(builder, pis_constraints[1]);
        yield_constr.constraint_last_row(builder, pis_constraints[2]);

        // x0' <- x1
        let first_col_constraint = builder.sub_extension(vars.next_values[0], vars.local_values[1]);
        yield_constr.constraint_transition(builder, first_col_constraint);
        // x1' <- x0 + x1
        let second_col_constraint = {
            let tmp = builder.sub_extension(vars.next_values[1], vars.local_values[0]);
            builder.sub_extension(tmp, vars.local_values[1])
        };
        yield_constr.constraint_transition(builder, second_col_constraint);
    }

    fn constraint_degree(&self) -> usize {
        2
    }

    fn permutation_pairs(&self) -> Vec<PermutationPair> {
        vec![PermutationPair::singletons(2, 3)]
    }
}

#[cfg(test)]
mod tests {
    use anyhow::Result;
    use plonky2::field::extension::Extendable;
    use plonky2::field::types::Field;
    use plonky2::hash::hash_types::RichField;
    use plonky2::iop::witness::PartialWitness;
    use plonky2::plonk::circuit_builder::CircuitBuilder;
    use plonky2::plonk::circuit_data::CircuitConfig;
    use plonky2::plonk::config::{
        AlgebraicHasher, GenericConfig, Hasher, PoseidonGoldilocksConfig,
    };
    use plonky2::util::timing::TimingTree;

    use crate::config::StarkConfig;
    use crate::fibonacci_stark::FibonacciStark;
    use crate::proof::StarkProofWithPublicInputs;
    use crate::prover::prove;
    use crate::recursive_verifier::{
        add_virtual_stark_proof_with_pis, set_stark_proof_with_pis_target,
        verify_stark_proof_circuit,
    };
    use crate::stark::Stark;
    use crate::stark_testing::{test_stark_circuit_constraints, test_stark_low_degree};
    use crate::verifier::verify_stark_proof;

    fn fibonacci<F: Field>(n: usize, x0: F, x1: F) -> F {
        (0..n).fold((x0, x1), |x, _| (x.1, x.0 + x.1)).1
    }

    #[test]
    fn test_fibonacci_stark() -> Result<()> {
        const D: usize = 2;
        type C = PoseidonGoldilocksConfig;
        type F = <C as GenericConfig<D>>::F;
        type S = FibonacciStark<F, D>;

        let config = StarkConfig::standard_fast_config();
        let num_rows = 1 << 5;
        let public_inputs = [F::ZERO, F::ONE, fibonacci(num_rows - 1, F::ZERO, F::ONE)];
        let stark = S::new(num_rows);
        let trace = stark.generate_trace(public_inputs[0], public_inputs[1]);
        let proof = prove::<F, C, S, D>(
            stark,
            &config,
            trace,
            public_inputs,
            &mut TimingTree::default(),
        )?;

        verify_stark_proof(stark, proof, &config)
    }

    #[test]
    fn test_fibonacci_stark_degree() -> Result<()> {
        const D: usize = 2;
        type C = PoseidonGoldilocksConfig;
        type F = <C as GenericConfig<D>>::F;
        type S = FibonacciStark<F, D>;

        let num_rows = 1 << 5;
        let stark = S::new(num_rows);
        test_stark_low_degree(stark)
    }

    #[test]
    fn test_fibonacci_stark_circuit() -> Result<()> {
        const D: usize = 2;
        type C = PoseidonGoldilocksConfig;
        type F = <C as GenericConfig<D>>::F;
        type S = FibonacciStark<F, D>;

        let num_rows = 1 << 5;
        let stark = S::new(num_rows);
        test_stark_circuit_constraints::<F, C, S, D>(stark)
    }

    #[test]
    fn test_recursive_stark_verifier() -> Result<()> {
        init_logger();
        const D: usize = 2;
        type C = PoseidonGoldilocksConfig;
        type F = <C as GenericConfig<D>>::F;
        type S = FibonacciStark<F, D>;

        let config = StarkConfig::standard_fast_config();
        let num_rows = 1 << 5;
        let public_inputs = [F::ZERO, F::ONE, fibonacci(num_rows - 1, F::ZERO, F::ONE)];
        let stark = S::new(num_rows);
        let trace = stark.generate_trace(public_inputs[0], public_inputs[1]);
        let proof = prove::<F, C, S, D>(
            stark,
            &config,
            trace,
            public_inputs,
            &mut TimingTree::default(),
        )?;
        verify_stark_proof(stark, proof.clone(), &config)?;

        recursive_proof::<F, C, S, C, D>(stark, proof, &config, true)
    }

    fn recursive_proof<
        F: RichField + Extendable<D>,
        C: GenericConfig<D, F = F>,
        S: Stark<F, D> + Copy,
        InnerC: GenericConfig<D, F = F>,
        const D: usize,
    >(
        stark: S,
        inner_proof: StarkProofWithPublicInputs<F, InnerC, D>,
        inner_config: &StarkConfig,
        print_gate_counts: bool,
    ) -> Result<()>
    where
        InnerC::Hasher: AlgebraicHasher<F>,
        [(); S::COLUMNS]:,
        [(); S::PUBLIC_INPUTS]:,
        [(); C::Hasher::HASH_SIZE]:,
    {
        let circuit_config = CircuitConfig::standard_recursion_config();
        let mut builder = CircuitBuilder::<F, D>::new(circuit_config);
        let mut pw = PartialWitness::new();
        let degree_bits = inner_proof.proof.recover_degree_bits(inner_config);
        let pt = add_virtual_stark_proof_with_pis(&mut builder, stark, inner_config, degree_bits);
        set_stark_proof_with_pis_target(&mut pw, &pt, &inner_proof);

        verify_stark_proof_circuit::<F, InnerC, S, D>(&mut builder, stark, pt, inner_config);

        if print_gate_counts {
            builder.print_gate_counts(0);
        }

        let data = builder.build::<C>();
        let proof = data.prove(pw)?;
        data.verify(proof)
    }

    fn init_logger() {
        let _ = env_logger::builder().format_timestamp(None).try_init();
    }
}
Added test stark 2022-01-27 07:56:22 +01:00			`use std::marker::PhantomData;`

`extension_field` -> `extension` (#581) It seems redundant in most contexts, e.g. `use plonky2::field::extension_field::Extendable;`. One could import `extension_field`, but it's not that common in Rust, and `field::extension` is now about as short. 2022-06-27 07:18:21 -07:00			`use plonky2::field::extension::{Extendable, FieldExtension};`
`packed_field` -> `packed` (#584) * `packed_field` -> `packed` For cleaner imports; "field" is usually clear from context * fix 2022-06-27 15:07:52 -07:00			`use plonky2::field::packed::PackedField;`
Halo2 style lookup arguments in System Zero (#513) * Halo2 style lookup arguments in System Zero It's a really nice and simple protocol, particularly for the verifier since the constraints are trivial (aside from the underlying batched permutation checks, which we already support). See the [Halo2 book](https://zcash.github.io/halo2/design/proving-system/lookup.html) and this [talk](https://www.youtube.com/watch?v=YlTt12s7vGE&t=5237s) by @daira. Previously we generated the whole trace in row-wise form, but it's much more efficient to generate these "permuted" columns column-wise. So I changed our STARK framework to accept the trace in column-wise form. STARK impls now have the flexibility to do some generation row-wise and some column-wise (without extra costs; there's a single transpose as before). * sorting * fixes * PR feedback * into_iter * timing 2022-03-16 17:37:34 -07:00			`use plonky2::field::polynomial::PolynomialValues;`
Added test stark 2022-01-27 07:56:22 +01:00			`use plonky2::hash::hash_types::RichField;`
			`use plonky2::plonk::circuit_builder::CircuitBuilder;`

			`use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer};`
Should work (does not) 2022-02-21 18:00:03 +01:00			`use crate::permutation::PermutationPair;`
Added test stark 2022-01-27 07:56:22 +01:00			`use crate::stark::Stark;`
Halo2 style lookup arguments in System Zero (#513) * Halo2 style lookup arguments in System Zero It's a really nice and simple protocol, particularly for the verifier since the constraints are trivial (aside from the underlying batched permutation checks, which we already support). See the [Halo2 book](https://zcash.github.io/halo2/design/proving-system/lookup.html) and this [talk](https://www.youtube.com/watch?v=YlTt12s7vGE&t=5237s) by @daira. Previously we generated the whole trace in row-wise form, but it's much more efficient to generate these "permuted" columns column-wise. So I changed our STARK framework to accept the trace in column-wise form. STARK impls now have the flexibility to do some generation row-wise and some column-wise (without extra costs; there's a single transpose as before). * sorting * fixes * PR feedback * into_iter * timing 2022-03-16 17:37:34 -07:00			`use crate::util::trace_rows_to_poly_values;`
Added test stark 2022-01-27 07:56:22 +01:00			`use crate::vars::{StarkEvaluationTargets, StarkEvaluationVars};`

Comments 2022-01-27 13:27:06 +01:00			`/// Toy STARK system used for testing.`
Should work (does not) 2022-02-21 18:00:03 +01:00			/// Computes a Fibonacci sequence with state `[x0, x1, i, j]` using the state transition
			/// `x0' <- x1, x1' <- x0 + x1, i' <- i+1, j' <- j+1`.
Simplification 2022-02-22 17:00:08 +01:00			/// Note: The `i, j` columns are only used to test the permutation argument.
Constraint check working 2022-01-31 18:00:07 +01:00			`#[derive(Copy, Clone)]`
PR feedback 2022-01-28 05:02:31 +01:00			`struct FibonacciStark<F: RichField + Extendable<D>, const D: usize> {`
			`num_rows: usize,`
Added test stark 2022-01-27 07:56:22 +01:00			`_phantom: PhantomData<F>,`
			`}`

Working prover 2022-01-27 12:58:56 +01:00			`impl<F: RichField + Extendable<D>, const D: usize> FibonacciStark<F, D> {`
PR feedback 2022-01-28 05:02:31 +01:00			// The first public input is `x0`.
			`const PI_INDEX_X0: usize = 0;`
			// The second public input is `x1`.
			`const PI_INDEX_X1: usize = 1;`
			`// The third public input is the second element of the last row, which should be equal to the`
Remove initial values from Fibonacci STARK state 2022-01-28 13:59:43 +01:00			// `num_rows`-th Fibonacci number.
PR feedback 2022-01-28 05:02:31 +01:00			`const PI_INDEX_RES: usize = 2;`
Added test stark 2022-01-27 07:56:22 +01:00
Remove initial values from Fibonacci STARK state 2022-01-28 13:59:43 +01:00			`fn new(num_rows: usize) -> Self {`
Added test stark 2022-01-27 07:56:22 +01:00			`Self {`
PR feedback 2022-01-28 05:02:31 +01:00			`num_rows,`
Added test stark 2022-01-27 07:56:22 +01:00			`_phantom: PhantomData,`
			`}`
			`}`

Should work (does not) 2022-02-21 18:00:03 +01:00			/// Generate the trace using `x0, x1, 0, 1` as initial state values.
Halo2 style lookup arguments in System Zero (#513) * Halo2 style lookup arguments in System Zero It's a really nice and simple protocol, particularly for the verifier since the constraints are trivial (aside from the underlying batched permutation checks, which we already support). See the [Halo2 book](https://zcash.github.io/halo2/design/proving-system/lookup.html) and this [talk](https://www.youtube.com/watch?v=YlTt12s7vGE&t=5237s) by @daira. Previously we generated the whole trace in row-wise form, but it's much more efficient to generate these "permuted" columns column-wise. So I changed our STARK framework to accept the trace in column-wise form. STARK impls now have the flexibility to do some generation row-wise and some column-wise (without extra costs; there's a single transpose as before). * sorting * fixes * PR feedback * into_iter * timing 2022-03-16 17:37:34 -07:00			`fn generate_trace(&self, x0: F, x1: F) -> Vec<PolynomialValues<F>> {`
			`let mut trace_rows = (0..self.num_rows)`
Should work (does not) 2022-02-21 18:00:03 +01:00			`.scan([x0, x1, F::ZERO, F::ONE], \|acc, _\| {`
Added test stark 2022-01-27 07:56:22 +01:00			`let tmp = *acc;`
Working prover 2022-01-27 12:58:56 +01:00			`acc[0] = tmp[1];`
			`acc[1] = tmp[0] + tmp[1];`
Should work (does not) 2022-02-21 18:00:03 +01:00			`acc[2] = tmp[2] + F::ONE;`
			`acc[3] = tmp[3] + F::ONE;`
Added test stark 2022-01-27 07:56:22 +01:00			`Some(tmp)`
			`})`
Should work (does not) 2022-02-21 18:00:03 +01:00			`.collect::<Vec<_>>();`
Halo2 style lookup arguments in System Zero (#513) * Halo2 style lookup arguments in System Zero It's a really nice and simple protocol, particularly for the verifier since the constraints are trivial (aside from the underlying batched permutation checks, which we already support). See the [Halo2 book](https://zcash.github.io/halo2/design/proving-system/lookup.html) and this [talk](https://www.youtube.com/watch?v=YlTt12s7vGE&t=5237s) by @daira. Previously we generated the whole trace in row-wise form, but it's much more efficient to generate these "permuted" columns column-wise. So I changed our STARK framework to accept the trace in column-wise form. STARK impls now have the flexibility to do some generation row-wise and some column-wise (without extra costs; there's a single transpose as before). * sorting * fixes * PR feedback * into_iter * timing 2022-03-16 17:37:34 -07:00			`trace_rows[self.num_rows - 1][3] = F::ZERO; // So that column 2 and 3 are permutation of one another.`
			`trace_rows_to_poly_values(trace_rows)`
Added test stark 2022-01-27 07:56:22 +01:00			`}`
			`}`

Working prover 2022-01-27 12:58:56 +01:00			`impl<F: RichField + Extendable<D>, const D: usize> Stark<F, D> for FibonacciStark<F, D> {`
Should work (does not) 2022-02-21 18:00:03 +01:00			`const COLUMNS: usize = 4;`
PR feedback 2022-01-28 05:02:31 +01:00			`const PUBLIC_INPUTS: usize = 3;`
Added test stark 2022-01-27 07:56:22 +01:00
			`fn eval_packed_generic<FE, P, const D2: usize>(`
			`&self,`
			`vars: StarkEvaluationVars<FE, P, { Self::COLUMNS }, { Self::PUBLIC_INPUTS }>,`
			`yield_constr: &mut ConstraintConsumer<P>,`
			`) where`
			`FE: FieldExtension<D2, BaseField = F>,`
			`P: PackedField<Scalar = FE>,`
			`{`
Test pass 2022-02-01 10:48:53 +01:00			`// Check public inputs.`
Add distinction between (non-)wrapping constraints 2022-02-02 11:23:03 +01:00			`yield_constr`
			`.constraint_first_row(vars.local_values[0] - vars.public_inputs[Self::PI_INDEX_X0]);`
			`yield_constr`
			`.constraint_first_row(vars.local_values[1] - vars.public_inputs[Self::PI_INDEX_X1]);`
			`yield_constr`
			`.constraint_last_row(vars.local_values[1] - vars.public_inputs[Self::PI_INDEX_RES]);`
Remove initial values from Fibonacci STARK state 2022-01-28 13:59:43 +01:00
PR feedback 2022-02-15 08:35:57 +01:00			`// x0' <- x1`
Rename constraint methods (#497) Most of our constraints apply to all rows, and it seems safest to make that the "default". 2022-02-20 17:48:31 -07:00			`yield_constr.constraint_transition(vars.next_values[0] - vars.local_values[1]);`
PR feedback 2022-02-15 08:35:57 +01:00			`// x1' <- x0 + x1`
Rename constraint methods (#497) Most of our constraints apply to all rows, and it seems safest to make that the "default". 2022-02-20 17:48:31 -07:00			`yield_constr.constraint_transition(`
			`vars.next_values[1] - vars.local_values[0] - vars.local_values[1],`
			`);`
Added test stark 2022-01-27 07:56:22 +01:00			`}`

Use `*_circuit` suffix for gadgets 2022-05-17 11:04:35 +02:00			`fn eval_ext_circuit(`
Added test stark 2022-01-27 07:56:22 +01:00			`&self,`
			`builder: &mut CircuitBuilder<F, D>,`
			`vars: StarkEvaluationTargets<D, { Self::COLUMNS }, { Self::PUBLIC_INPUTS }>,`
			`yield_constr: &mut RecursiveConstraintConsumer<F, D>,`
			`) {`
Fibonacci recursive constraints 2022-02-07 10:25:01 +01:00			`// Check public inputs.`
			`let pis_constraints = [`
			`builder.sub_extension(vars.local_values[0], vars.public_inputs[Self::PI_INDEX_X0]),`
			`builder.sub_extension(vars.local_values[1], vars.public_inputs[Self::PI_INDEX_X1]),`
			`builder.sub_extension(vars.local_values[1], vars.public_inputs[Self::PI_INDEX_RES]),`
			`];`
			`yield_constr.constraint_first_row(builder, pis_constraints[0]);`
			`yield_constr.constraint_first_row(builder, pis_constraints[1]);`
			`yield_constr.constraint_last_row(builder, pis_constraints[2]);`

PR feedback 2022-02-15 08:35:57 +01:00			`// x0' <- x1`
Fibonacci recursive constraints 2022-02-07 10:25:01 +01:00			`let first_col_constraint = builder.sub_extension(vars.next_values[0], vars.local_values[1]);`
Rename constraint methods (#497) Most of our constraints apply to all rows, and it seems safest to make that the "default". 2022-02-20 17:48:31 -07:00			`yield_constr.constraint_transition(builder, first_col_constraint);`
PR feedback 2022-02-15 08:35:57 +01:00			`// x1' <- x0 + x1`
Fibonacci recursive constraints 2022-02-07 10:25:01 +01:00			`let second_col_constraint = {`
			`let tmp = builder.sub_extension(vars.next_values[1], vars.local_values[0]);`
			`builder.sub_extension(tmp, vars.local_values[1])`
			`};`
Rename constraint methods (#497) Most of our constraints apply to all rows, and it seems safest to make that the "default". 2022-02-20 17:48:31 -07:00			`yield_constr.constraint_transition(builder, second_col_constraint);`
Added test stark 2022-01-27 07:56:22 +01:00			`}`
Working 2022-02-04 15:56:59 +01:00
Fix number of quotient polys 2022-02-04 17:04:07 +01:00			`fn constraint_degree(&self) -> usize {`
Fix degree 2022-02-04 16:39:34 +01:00			`2`
Working 2022-02-04 15:56:59 +01:00			`}`
Should work (does not) 2022-02-21 18:00:03 +01:00
			`fn permutation_pairs(&self) -> Vec<PermutationPair> {`
Halo2 style lookup arguments in System Zero (#513) * Halo2 style lookup arguments in System Zero It's a really nice and simple protocol, particularly for the verifier since the constraints are trivial (aside from the underlying batched permutation checks, which we already support). See the [Halo2 book](https://zcash.github.io/halo2/design/proving-system/lookup.html) and this [talk](https://www.youtube.com/watch?v=YlTt12s7vGE&t=5237s) by @daira. Previously we generated the whole trace in row-wise form, but it's much more efficient to generate these "permuted" columns column-wise. So I changed our STARK framework to accept the trace in column-wise form. STARK impls now have the flexibility to do some generation row-wise and some column-wise (without extra costs; there's a single transpose as before). * sorting * fixes * PR feedback * into_iter * timing 2022-03-16 17:37:34 -07:00			`vec![PermutationPair::singletons(2, 3)]`
Should work (does not) 2022-02-21 18:00:03 +01:00			`}`
Added test stark 2022-01-27 07:56:22 +01:00			`}`

Recursive stark test (failing) 2022-02-10 16:14:18 +01:00			`#[cfg(test)]`
			`mod tests {`
			`use anyhow::Result;`
`extension_field` -> `extension` (#581) It seems redundant in most contexts, e.g. `use plonky2::field::extension_field::Extendable;`. One could import `extension_field`, but it's not that common in Rust, and `field::extension` is now about as short. 2022-06-27 07:18:21 -07:00			`use plonky2::field::extension::Extendable;`
`field_types` -> `types` (#583) * `field_types` -> `types` Here too, I think "field" is usually clear from context, e.g. in `use plonky2::field::types::Field;`. * fixes * fmt 2022-06-27 12:24:09 -07:00			`use plonky2::field::types::Field;`
Recursive stark test (failing) 2022-02-10 16:14:18 +01:00			`use plonky2::hash::hash_types::RichField;`
			`use plonky2::iop::witness::PartialWitness;`
			`use plonky2::plonk::circuit_builder::CircuitBuilder;`
Clippy 2022-02-14 10:00:37 +01:00			`use plonky2::plonk::circuit_data::CircuitConfig;`
Changes after #481 2022-02-15 08:17:07 +01:00			`use plonky2::plonk::config::{`
			`AlgebraicHasher, GenericConfig, Hasher, PoseidonGoldilocksConfig,`
			`};`
Recursive stark test (failing) 2022-02-10 16:14:18 +01:00			`use plonky2::util::timing::TimingTree;`

			`use crate::config::StarkConfig;`
			`use crate::fibonacci_stark::FibonacciStark;`
			`use crate::proof::StarkProofWithPublicInputs;`
			`use crate::prover::prove;`
			`use crate::recursive_verifier::{`
Use `*_circuit` suffix for gadgets 2022-05-17 11:04:35 +02:00			`add_virtual_stark_proof_with_pis, set_stark_proof_with_pis_target,`
			`verify_stark_proof_circuit,`
Recursive stark test (failing) 2022-02-10 16:14:18 +01:00			`};`
			`use crate::stark::Stark;`
Start 2022-05-19 10:22:57 +02:00			`use crate::stark_testing::{test_stark_circuit_constraints, test_stark_low_degree};`
PR feedback 2022-02-15 08:35:57 +01:00			`use crate::verifier::verify_stark_proof;`
Recursive stark test (failing) 2022-02-10 16:14:18 +01:00
			`fn fibonacci<F: Field>(n: usize, x0: F, x1: F) -> F {`
			`(0..n).fold((x0, x1), \|x, _\| (x.1, x.0 + x.1)).1`
			`}`

			`#[test]`
			`fn test_fibonacci_stark() -> Result<()> {`
			`const D: usize = 2;`
			`type C = PoseidonGoldilocksConfig;`
			`type F = <C as GenericConfig<D>>::F;`
			`type S = FibonacciStark<F, D>;`

			`let config = StarkConfig::standard_fast_config();`
			`let num_rows = 1 << 5;`
			`let public_inputs = [F::ZERO, F::ONE, fibonacci(num_rows - 1, F::ZERO, F::ONE)];`
			`let stark = S::new(num_rows);`
			`let trace = stark.generate_trace(public_inputs[0], public_inputs[1]);`
			`let proof = prove::<F, C, S, D>(`
			`stark,`
			`&config,`
			`trace,`
			`public_inputs,`
			`&mut TimingTree::default(),`
			`)?;`

PR feedback 2022-02-15 08:35:57 +01:00			`verify_stark_proof(stark, proof, &config)`
Recursive stark test (failing) 2022-02-10 16:14:18 +01:00			`}`

			`#[test]`
			`fn test_fibonacci_stark_degree() -> Result<()> {`
			`const D: usize = 2;`
			`type C = PoseidonGoldilocksConfig;`
			`type F = <C as GenericConfig<D>>::F;`
			`type S = FibonacciStark<F, D>;`

			`let num_rows = 1 << 5;`
			`let stark = S::new(num_rows);`
			`test_stark_low_degree(stark)`
			`}`

Start 2022-05-19 10:22:57 +02:00			`#[test]`
			`fn test_fibonacci_stark_circuit() -> Result<()> {`
			`const D: usize = 2;`
			`type C = PoseidonGoldilocksConfig;`
			`type F = <C as GenericConfig<D>>::F;`
			`type S = FibonacciStark<F, D>;`

			`let num_rows = 1 << 5;`
			`let stark = S::new(num_rows);`
Finish test 2022-05-19 11:10:10 +02:00			`test_stark_circuit_constraints::<F, C, S, D>(stark)`
Start 2022-05-19 10:22:57 +02:00			`}`

Recursive stark test (failing) 2022-02-10 16:14:18 +01:00			`#[test]`
			`fn test_recursive_stark_verifier() -> Result<()> {`
			`init_logger();`
			`const D: usize = 2;`
			`type C = PoseidonGoldilocksConfig;`
			`type F = <C as GenericConfig<D>>::F;`
			`type S = FibonacciStark<F, D>;`

			`let config = StarkConfig::standard_fast_config();`
			`let num_rows = 1 << 5;`
			`let public_inputs = [F::ZERO, F::ONE, fibonacci(num_rows - 1, F::ZERO, F::ONE)];`
			`let stark = S::new(num_rows);`
			`let trace = stark.generate_trace(public_inputs[0], public_inputs[1]);`
			`let proof = prove::<F, C, S, D>(`
			`stark,`
			`&config,`
			`trace,`
			`public_inputs,`
			`&mut TimingTree::default(),`
			`)?;`
PR feedback 2022-02-15 08:35:57 +01:00			`verify_stark_proof(stark, proof.clone(), &config)?;`
Recursive stark test (failing) 2022-02-10 16:14:18 +01:00
Minor 2022-02-14 10:23:26 +01:00			`recursive_proof::<F, C, S, C, D>(stark, proof, &config, true)`
Recursive stark test (failing) 2022-02-10 16:14:18 +01:00			`}`

			`fn recursive_proof<`
			`F: RichField + Extendable<D>,`
			`C: GenericConfig<D, F = F>,`
Minor 2022-02-14 10:23:26 +01:00			`S: Stark<F, D> + Copy,`
Recursive stark test (failing) 2022-02-10 16:14:18 +01:00			`InnerC: GenericConfig<D, F = F>,`
			`const D: usize,`
			`>(`
			`stark: S,`
			`inner_proof: StarkProofWithPublicInputs<F, InnerC, D>,`
			`inner_config: &StarkConfig,`
			`print_gate_counts: bool,`
			`) -> Result<()>`
			`where`
			`InnerC::Hasher: AlgebraicHasher<F>,`
			`[(); S::COLUMNS]:,`
			`[(); S::PUBLIC_INPUTS]:,`
Changes after #481 2022-02-15 08:17:07 +01:00			`[(); C::Hasher::HASH_SIZE]:,`
Recursive stark test (failing) 2022-02-10 16:14:18 +01:00			`{`
			`let circuit_config = CircuitConfig::standard_recursion_config();`
			`let mut builder = CircuitBuilder::<F, D>::new(circuit_config);`
			`let mut pw = PartialWitness::new();`
			`let degree_bits = inner_proof.proof.recover_degree_bits(inner_config);`
			`let pt = add_virtual_stark_proof_with_pis(&mut builder, stark, inner_config, degree_bits);`
PR feedback 2022-02-15 08:35:57 +01:00			`set_stark_proof_with_pis_target(&mut pw, &pt, &inner_proof);`
Recursive stark test (failing) 2022-02-10 16:14:18 +01:00
Use `*_circuit` suffix for gadgets 2022-05-17 11:04:35 +02:00			`verify_stark_proof_circuit::<F, InnerC, S, D>(&mut builder, stark, pt, inner_config);`
Recursive stark test (failing) 2022-02-10 16:14:18 +01:00
			`if print_gate_counts {`
			`builder.print_gate_counts(0);`
			`}`

			`let data = builder.build::<C>();`
Change visibility 2022-02-14 10:12:24 +01:00			`let proof = data.prove(pw)?;`
Clippy 2022-02-14 10:00:37 +01:00			`data.verify(proof)`
Recursive stark test (failing) 2022-02-10 16:14:18 +01:00			`}`

			`fn init_logger() {`
			`let _ = env_logger::builder().format_timestamp(None).try_init();`
			`}`
			`}`