Bit of refactoring, comments, etc.

src/hash.rs

@@ -7,7 +7,7 @@ use rayon::prelude::*;
 use crate::field::field::Field;
 use crate::gmimc::gmimc_permute_array;
 use crate::proof::Hash;
-use crate::util::{log2_ceil, reverse_index_bits_in_place};
+use crate::util::reverse_index_bits_in_place;
 
 pub(crate) const SPONGE_RATE: usize = 8;
 pub(crate) const SPONGE_CAPACITY: usize = 4;
@@ -16,8 +16,10 @@ pub(crate) const SPONGE_WIDTH: usize = SPONGE_RATE + SPONGE_CAPACITY;
 const GMIMC_ROUNDS: usize = 101;
 const GMIMC_CONSTANTS: [u64; GMIMC_ROUNDS] = [11875528958976719239, 6107683892976199900, 7756999550758271958, 14819109722912164804, 9716579428412441110, 13627117528901194436, 16260683900833506663, 5942251937084147420, 3340009544523273897, 5103423085715007461, 17051583366444092101, 11122892258227244197, 16564300648907092407, 978667924592675864, 17676416205210517593, 1938246372790494499, 8857737698008340728, 1616088456497468086, 15961521580811621978, 17427220057097673602, 14693961562064090188, 694121596646283736, 554241305747273747, 5783347729647881086, 14933083198980931734, 2600898787591841337, 9178797321043036456, 18068112389665928586, 14493389459750307626, 1650694762687203587, 12538946551586403559, 10144328970401184255, 4215161528137084719, 17559540991336287827, 1632269449854444901, 986434918028205468, 14921385763379308253, 4345141219277982730, 2645897826751167170, 9815223670029373528, 7687983869685434132, 13956100321958014639, 519639453142393369, 15617837024229225911, 1557446238053329052, 8130006133842942201, 864716631341688017, 2860289738131495304, 16723700803638270299, 8363528906277648001, 13196016034228493087, 2514677332206134618, 15626342185220554936, 466271571343554681, 17490024028988898434, 6454235936129380878, 15187752952940298536, 18043495619660620405, 17118101079533798167, 13420382916440963101, 535472393366793763, 1071152303676936161, 6351382326603870931, 12029593435043638097, 9983185196487342247, 414304527840226604, 1578977347398530191, 13594880016528059526, 13219707576179925776, 6596253305527634647, 17708788597914990288, 7005038999589109658, 10171979740390484633, 1791376803510914239, 2405996319967739434, 12383033218117026776, 17648019043455213923, 6600216741450137683, 5359884112225925883, 1501497388400572107, 11860887439428904719, 64080876483307031, 11909038931518362287, 14166132102057826906, 14172584203466994499, 593515702472765471, 3423583343794830614, 10041710997716717966, 13434212189787960052, 9943803922749087030, 3216887087479209126, 17385898166602921353, 617799950397934255, 9245115057096506938, 13290383521064450731, 10193883853810413351, 14648839921475785656, 14635698366607946133, 9134302981480720532, 10045888297267997632, 10752096344939765738];
 
-/// If we're building a Merkle tree involving more field elements than this, it will be broken up
-/// into smaller sub-trees that will be built in parallel.
+/// Controls the granularity of parallelization when building Merkle trees. I.e., we will try to
+/// split up the task into units of work, such that each unit involves hashing roughly this many
+/// elements. If this is too small, there may be too much synchronization overhead; if it's too
+/// large, some threads may spend significant time idle.
 const ELEMS_PER_CHUNK: usize = 1 << 8;
 
 /// Hash the vector if necessary to reduce its length to ~256 bits. If it already fits, this is a

src/proof.rs

@@ -25,9 +25,9 @@ pub struct Proof<F: Field> {
     /// Merkle root of LDEs of wire values.
     pub wires_root: Hash<F>,
     /// Merkle root of LDEs of Z, in the context of Plonk's permutation argument.
-    pub plonk_z_root: Hash<F>,
+    pub plonk_zs_root: Hash<F>,
     /// Merkle root of LDEs of the quotient polynomial components.
-    pub plonk_t_root: Hash<F>,
+    pub quotient_polys_root: Hash<F>,
 
     /// Purported values of each polynomial at each challenge point.
     pub openings: Vec<OpeningSet<F>>,
@@ -39,9 +39,9 @@ pub struct ProofTarget {
     /// Merkle root of LDEs of wire values.
     pub wires_root: HashTarget,
     /// Merkle root of LDEs of Z, in the context of Plonk's permutation argument.
-    pub plonk_z_root: HashTarget,
+    pub plonk_zs_root: HashTarget,
     /// Merkle root of LDEs of the quotient polynomial components.
-    pub plonk_t_root: HashTarget,
+    pub quotient_polys_root: HashTarget,
 
     /// Purported values of each polynomial at each challenge point.
     pub openings: Vec<OpeningSetTarget>,
@@ -71,9 +71,8 @@ pub struct OpeningSet<F: Field> {
     pub constants: Vec<F>,
     pub plonk_sigmas: Vec<F>,
     pub wires: Vec<F>,
-    // TODO: One or multiple?
-    pub plonk_z: Vec<F>,
-    pub plonk_t: Vec<F>,
+    pub plonk_zs: Vec<F>,
+    pub quotient_polys: Vec<F>,
 }
 
 /// The purported values of each polynomial at a single point.
@@ -81,7 +80,6 @@ pub struct OpeningSetTarget {
     pub constants: Vec<Target>,
     pub plonk_sigmas: Vec<Target>,
     pub wires: Vec<Target>,
-    // TODO: One or multiple?
-    pub plonk_z: Vec<Target>,
-    pub plonk_t: Vec<Target>,
+    pub plonk_zs: Vec<Target>,
+    pub quotient_polys: Vec<Target>,
 }

src/prover.rs

@@ -29,7 +29,7 @@ pub(crate) fn prove<F: Field>(
     let mut witness = inputs;
     info!("Running {} generators", prover_data.generators.len());
     generate_partial_witness(&mut witness, &prover_data.generators);
-    info!("{} to generate witness",
+    info!("{:.2}s to generate witness",
           start_witness.elapsed().as_secs_f32());
 
     let config = common_data.config;
@@ -41,20 +41,20 @@ pub(crate) fn prove<F: Field>(
         .into_par_iter()
         .map(|i| compute_wire_lde(i, &witness, degree, config.rate_bits))
         .collect::<Vec<_>>();
-    info!("{} to compute wire LDEs",
+    info!("{:.2}s to compute wire LDEs",
           start_wire_ldes.elapsed().as_secs_f32());
 
     // TODO: Could try parallelizing the transpose, or not doing it explicitly, instead having
     // merkle_root_bit_rev_order do it implicitly.
     let start_wire_transpose = Instant::now();
     let wire_ldes_t = transpose_poly_values(wire_ldes);
-    info!("{} to transpose wire LDEs",
+    info!("{:.2}s to transpose wire LDEs",
           start_wire_transpose.elapsed().as_secs_f32());
 
     // TODO: Could avoid cloning if it's significant?
     let start_wires_root = Instant::now();
     let wires_root = merkle_root_bit_rev_order(wire_ldes_t.clone());
-    info!("{} to Merklize wire LDEs",
+    info!("{:.2}s to Merklize wire LDEs",
           start_wires_root.elapsed().as_secs_f32());
 
     let mut challenger = Challenger::new();
@@ -66,15 +66,15 @@ pub(crate) fn prove<F: Field>(
     let plonk_z_vecs = compute_zs(&common_data);
     let plonk_z_ldes = PolynomialValues::lde_multiple(plonk_z_vecs, config.rate_bits);
     let plonk_z_ldes_t = transpose_poly_values(plonk_z_ldes);
-    info!("{}s to compute Z's and their LDEs",
+    info!("{:.2}s to compute Z's and their LDEs",
           start_plonk_z.elapsed().as_secs_f32());
 
     let start_plonk_z_root = Instant::now();
-    let plonk_z_root = merkle_root_bit_rev_order(plonk_z_ldes_t.clone());
-    info!("{}s to Merklize Z's",
+    let plonk_zs_root = merkle_root_bit_rev_order(plonk_z_ldes_t.clone());
+    info!("{:.2}s to Merklize Z's",
           start_plonk_z_root.elapsed().as_secs_f32());
 
-    challenger.observe_hash(&plonk_z_root);
+    challenger.observe_hash(&plonk_zs_root);
 
     let alphas = challenger.get_n_challenges(config.num_checks);
 
@@ -86,31 +86,30 @@ pub(crate) fn prove<F: Field>(
     let start_vanishing_poly = Instant::now();
     let vanishing_poly = compute_vanishing_poly(
         common_data, prover_data, wire_ldes_t, plonk_z_ldes_t, beta, gamma, alpha);
-    info!("{} to compute vanishing poly",
+    info!("{:.2}s to compute vanishing poly",
           start_vanishing_poly.elapsed().as_secs_f32());
 
+    // Compute the quotient polynomial, aka `t` in the Plonk paper.
     let quotient_poly_start = Instant::now();
-    let vanishing_poly_coeffs = ifft(vanishing_poly);
-    let plonk_t = divide_by_z_h(vanishing_poly_coeffs, degree);
+    let vanishing_poly_coeff = ifft(vanishing_poly);
+    let quotient_poly_coeff = divide_by_z_h(vanishing_poly_coeff, degree);
     // Split t into degree-n chunks.
-    let plonk_t_chunks = plonk_t.chunks(degree);
-    info!("{} to compute quotient poly",
+    let quotient_poly_coeff_chunks = quotient_poly_coeff.chunks(degree);
+    let quotient_poly_coeff_ldes = PolynomialCoeffs::lde_multiple(quotient_poly_coeff_chunks, config.rate_bits);
+    let quotient_poly_value_ldes = quotient_poly_coeff_ldes.into_iter().map(fft).collect();
+    let quotient_polys_root = merkle_root_bit_rev_order(transpose_poly_values(quotient_poly_value_ldes));
+    info!("{:.2}s to compute quotient poly and LDE",
           quotient_poly_start.elapsed().as_secs_f32());
 
-    // Need to convert to coeff form and back?
-    let plonk_t_ldes = PolynomialCoeffs::lde_multiple(plonk_t_chunks, config.rate_bits);
-    let plonk_t_ldes = plonk_t_ldes.into_iter().map(fft).collect();
-    let plonk_t_root = merkle_root_bit_rev_order(transpose_poly_values(plonk_t_ldes));
-
     let openings = Vec::new(); // TODO
 
-    info!("{}s for overall witness+proof generation",
+    info!("{:.2}s for overall witness+proof generation",
           start_proof_gen.elapsed().as_secs_f32());
 
     Proof {
         wires_root,
-        plonk_z_root,
-        plonk_t_root,
+        plonk_zs_root,
+        quotient_polys_root,
         openings,
     }
 }