Allow non-tight degree bound

Reverts the degree adjustment part of #436. As @jimpo pointed out, the adjustment complicates security by allowing rational functions of the form `poly(x) / x`. A tight degree bound shouldn't be necessary. Ultimately we want to check that some witness function `f(x)` exists satisfying (simplified) `c(f(x)) = Z_H(x) q(x)`. We only need `f(x)` to be low-degree because that allows us to use polynomial identity testing. With PIT we don't care about exact degree bounds; a negligible degree change will have a negligible effect on PIT soundness.
2026-01-09 01:03:08 +00:00 · 2023-01-03 10:10:57 -08:00 · 2023-01-03 10:10:57 -08:00 · 40aecc8e95
commit 40aecc8e95
parent 32cda2136b
3 changed files with 2 additions and 9 deletions
--- a/plonky2/src/fri/oracle.rs
+++ b/plonky2/src/fri/oracle.rs
@ -193,9 +193,6 @@ impl<F: RichField + Extendable<D>, C: GenericConfig<D, F = F>, const D: usize>
            alpha.shift_poly(&mut final_poly);
            final_poly += quotient;
        }
-        // Multiply the final polynomial by `X`, so that `final_poly` has the maximum degree for
-        // which the LDT will pass. See github.com/mir-protocol/plonky2/pull/436 for details.
-        final_poly.coeffs.insert(0, F::Extension::ZERO);

        let lde_final_poly = final_poly.lde(fri_params.config.rate_bits);
        let lde_final_values = timed!(
--- a/plonky2/src/fri/recursive_verifier.rs
+++ b/plonky2/src/fri/recursive_verifier.rs
@ -262,9 +262,7 @@ impl<F: RichField + Extendable<D>, const D: usize> CircuitBuilder<F, D> {
            sum = self.div_add_extension(numerator, denominator, sum);
        }

-        // Multiply the final polynomial by `X`, so that `final_poly` has the maximum degree for
-        // which the LDT will pass. See github.com/mir-protocol/plonky2/pull/436 for details.
-        self.mul_extension(sum, subgroup_x)
+        sum
    }

    fn fri_verifier_query_round<C: GenericConfig<D, F = F>>(
--- a/plonky2/src/fri/verifier.rs
+++ b/plonky2/src/fri/verifier.rs
@ -157,9 +157,7 @@ pub(crate) fn fri_combine_initial<
        sum += numerator / denominator;
    }

-    // Multiply the final polynomial by `X`, so that `final_poly` has the maximum degree for
-    // which the LDT will pass. See github.com/mir-protocol/plonky2/pull/436 for details.
-    sum * subgroup_x
+    sum
 }

 fn fri_verifier_query_round<