From e8eb658f8ec046dd840bce6e45aa54a598c1a165 Mon Sep 17 00:00:00 2001
From: Daniel Lubarov <daniel@lubarov.com>
Date: Tue, 6 Apr 2021 19:11:21 -0700
Subject: [PATCH 1/3] Candidate API for Merkle proof data

Does this make sense? I think other libraries tend to include the leaf's index (either as an integer, or a series of bits indicating left/right turns) as part of a "proof". In FRI, the leaf indices are chosen by the verifier, so I thought that approach might be sort of redundant. Let me know what you think though.
---
 src/gadgets/merkle_proofs.rs | 24 ++++++++++++++++++++++++
 src/gadgets/mod.rs           |  3 ++-
 src/proof.rs                 | 21 +++++++++++++--------
 src/prover.rs                |  3 +++
 4 files changed, 42 insertions(+), 9 deletions(-)
 create mode 100644 src/gadgets/merkle_proofs.rs

diff --git a/src/gadgets/merkle_proofs.rs b/src/gadgets/merkle_proofs.rs
new file mode 100644
index 00000000..97f2ba2b
--- /dev/null
+++ b/src/gadgets/merkle_proofs.rs
@@ -0,0 +1,24 @@
+use crate::circuit_builder::CircuitBuilder;
+use crate::field::field::Field;
+use crate::target::Target;
+
+pub struct MerkleProof<F: Field> {
+    /// The Merkle digest of each sibling subtree, staying from the bottommost layer.
+    pub siblings: Vec<F>,
+}
+
+pub struct MerkleProofTarget {
+    /// The Merkle digest of each sibling subtree, staying from the bottommost layer.
+    pub siblings: Vec<Target>,
+}
+
+impl<F: Field> CircuitBuilder<F> {
+    pub(crate) fn verify_merkle_proof(
+        &mut self,
+        leaf_index: Target,
+        leaf_data: Vec<Target>,
+        proof: MerkleProofTarget,
+    ) {
+        todo!()
+    }
+}
diff --git a/src/gadgets/mod.rs b/src/gadgets/mod.rs
index f2c22478..8407efe7 100644
--- a/src/gadgets/mod.rs
+++ b/src/gadgets/mod.rs
@@ -1,3 +1,4 @@
 pub(crate) mod arithmetic;
-pub(crate) mod split_join;
 pub(crate) mod hash;
+pub(crate) mod merkle_proofs;
+pub(crate) mod split_join;
diff --git a/src/proof.rs b/src/proof.rs
index e9e61888..9bfd5843 100644
--- a/src/proof.rs
+++ b/src/proof.rs
@@ -1,5 +1,6 @@
 use crate::field::field::Field;
 use crate::target::Target;
+use crate::gadgets::merkle_proofs::{MerkleProofTarget, MerkleProof};
 
 /// Represents a ~256 bit hash output.
 #[derive(Copy, Clone, Debug)]
@@ -32,7 +33,8 @@ pub struct Proof<F: Field> {
     /// Purported values of each polynomial at each challenge point.
     pub openings: Vec<OpeningSet<F>>,
 
-    // TODO: FRI Merkle proofs.
+    /// A FRI argument for each FRI query.
+    pub fri_proofs: Vec<FriProof<F>>,
 }
 
 pub struct ProofTarget {
@@ -50,22 +52,25 @@ pub struct ProofTarget {
     pub fri_proofs: Vec<FriProofTarget>,
 }
 
+pub struct FriProof<F: Field> {
+    /// Merkle proofs for the original purported codewords, i.e. the subject of the LDT.
+    pub initial_merkle_proofs: Vec<MerkleProof<F>>,
+    /// Merkle proofs for the reduced polynomials that were sent in the commit phase.
+    pub intermediate_merkle_proofs: Vec<MerkleProof<F>>,
+    /// The final polynomial in coefficient form.
+    pub final_poly: Vec<F>,
+}
+
 /// Represents a single FRI query, i.e. a path through the reduction tree.
 pub struct FriProofTarget {
     /// Merkle proofs for the original purported codewords, i.e. the subject of the LDT.
     pub initial_merkle_proofs: Vec<MerkleProofTarget>,
     /// Merkle proofs for the reduced polynomials that were sent in the commit phase.
     pub intermediate_merkle_proofs: Vec<MerkleProofTarget>,
-    /// The final polynomial in point-value form.
+    /// The final polynomial in coefficient form.
     pub final_poly: Vec<Target>,
 }
 
-pub struct MerkleProofTarget {
-    pub leaf: Vec<Target>,
-    pub siblings: Vec<Target>,
-    // TODO: Also need left/right turn info.
-}
-
 /// The purported values of each polynomial at a single point.
 pub struct OpeningSet<F: Field> {
     pub constants: Vec<F>,
diff --git a/src/prover.rs b/src/prover.rs
index fe60e697..d4de3f5d 100644
--- a/src/prover.rs
+++ b/src/prover.rs
@@ -111,6 +111,8 @@ pub(crate) fn prove<F: Field>(
 
     let openings = Vec::new(); // TODO
 
+    let fri_proofs = Vec::new(); // TODO
+
     info!("{:.3}s for overall witness & proof generation",
           start_proof_gen.elapsed().as_secs_f32());
 
@@ -119,6 +121,7 @@ pub(crate) fn prove<F: Field>(
         plonk_zs_root,
         quotient_polys_root,
         openings,
+        fri_proofs,
     }
 }
 

From 9a8a7b610583a2373fb01b76422fa4cce34c825f Mon Sep 17 00:00:00 2001
From: Daniel Lubarov <daniel@lubarov.com>
Date: Tue, 6 Apr 2021 19:22:12 -0700
Subject: [PATCH 2/3] Non-circuit version

---
 src/gadgets/merkle_proofs.rs | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/gadgets/merkle_proofs.rs b/src/gadgets/merkle_proofs.rs
index 97f2ba2b..94abb0e1 100644
--- a/src/gadgets/merkle_proofs.rs
+++ b/src/gadgets/merkle_proofs.rs
@@ -12,6 +12,14 @@ pub struct MerkleProofTarget {
     pub siblings: Vec<Target>,
 }
 
+pub(crate) fn verify_merkle_proof<F: Field>(
+    leaf_index: usize,
+    leaf_data: Vec<F>,
+    proof: MerkleProof<F>,
+) {
+    todo!()
+}
+
 impl<F: Field> CircuitBuilder<F> {
     pub(crate) fn verify_merkle_proof(
         &mut self,

From 0cd73399408fd84c7d2bbad1e96a8dc2cb2acd09 Mon Sep 17 00:00:00 2001
From: Daniel Lubarov <daniel@lubarov.com>
Date: Wed, 7 Apr 2021 09:10:06 -0700
Subject: [PATCH 3/3] Fixes based on PR feedback

---
 src/gadgets/merkle_proofs.rs | 15 +++++++++++----
 src/proof.rs                 |  4 ++++
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/src/gadgets/merkle_proofs.rs b/src/gadgets/merkle_proofs.rs
index 94abb0e1..246406b6 100644
--- a/src/gadgets/merkle_proofs.rs
+++ b/src/gadgets/merkle_proofs.rs
@@ -1,30 +1,37 @@
 use crate::circuit_builder::CircuitBuilder;
 use crate::field::field::Field;
+use crate::proof::{Hash, HashTarget};
 use crate::target::Target;
 
 pub struct MerkleProof<F: Field> {
     /// The Merkle digest of each sibling subtree, staying from the bottommost layer.
-    pub siblings: Vec<F>,
+    pub siblings: Vec<Hash<F>>,
 }
 
 pub struct MerkleProofTarget {
     /// The Merkle digest of each sibling subtree, staying from the bottommost layer.
-    pub siblings: Vec<Target>,
+    pub siblings: Vec<HashTarget>,
 }
 
+/// Verifies that the given leaf data is present at the given index in the Merkle tree with the
+/// given root.
 pub(crate) fn verify_merkle_proof<F: Field>(
-    leaf_index: usize,
     leaf_data: Vec<F>,
+    leaf_index: usize,
+    merkle_root: Hash<F>,
     proof: MerkleProof<F>,
 ) {
     todo!()
 }
 
 impl<F: Field> CircuitBuilder<F> {
+    /// Verifies that the given leaf data is present at the given index in the Merkle tree with the
+    /// given root.
     pub(crate) fn verify_merkle_proof(
         &mut self,
-        leaf_index: Target,
         leaf_data: Vec<Target>,
+        leaf_index: Target,
+        merkle_root: HashTarget,
         proof: MerkleProofTarget,
     ) {
         todo!()
diff --git a/src/proof.rs b/src/proof.rs
index 9bfd5843..d25196cb 100644
--- a/src/proof.rs
+++ b/src/proof.rs
@@ -53,6 +53,8 @@ pub struct ProofTarget {
 }
 
 pub struct FriProof<F: Field> {
+    /// A Merkle root for each reduced polynomial in the commit phase.
+    pub commit_phase_merkle_roots: Vec<Hash<F>>,
     /// Merkle proofs for the original purported codewords, i.e. the subject of the LDT.
     pub initial_merkle_proofs: Vec<MerkleProof<F>>,
     /// Merkle proofs for the reduced polynomials that were sent in the commit phase.
@@ -63,6 +65,8 @@ pub struct FriProof<F: Field> {
 
 /// Represents a single FRI query, i.e. a path through the reduction tree.
 pub struct FriProofTarget {
+    /// A Merkle root for each reduced polynomial in the commit phase.
+    pub commit_phase_merkle_roots: Vec<HashTarget>,
     /// Merkle proofs for the original purported codewords, i.e. the subject of the LDT.
     pub initial_merkle_proofs: Vec<MerkleProofTarget>,
     /// Merkle proofs for the reduced polynomials that were sent in the commit phase.