From 40aecc8e9516d19dda88a106bc9c89d316f375a7 Mon Sep 17 00:00:00 2001
From: Daniel Lubarov <daniel@lubarov.com>
Date: Tue, 3 Jan 2023 10:10:57 -0800
Subject: [PATCH] Allow non-tight degree bound

Reverts the degree adjustment part of #436. As @jimpo pointed out, the adjustment complicates security by allowing rational functions of the form `poly(x) / x`.

A tight degree bound shouldn't be necessary. Ultimately we want to check that some witness function `f(x)` exists satisfying (simplified) `c(f(x)) = Z_H(x) q(x)`.  We only need `f(x)` to be low-degree because that allows us to use polynomial identity testing. With PIT we don't care about exact degree bounds; a negligible degree change will have a negligible effect on PIT soundness.
---
 plonky2/src/fri/oracle.rs             | 3 ---
 plonky2/src/fri/recursive_verifier.rs | 4 +---
 plonky2/src/fri/verifier.rs           | 4 +---
 3 files changed, 2 insertions(+), 9 deletions(-)

diff --git a/plonky2/src/fri/oracle.rs b/plonky2/src/fri/oracle.rs
index cc114d98..bfb199cc 100644
--- a/plonky2/src/fri/oracle.rs
+++ b/plonky2/src/fri/oracle.rs
@@ -193,9 +193,6 @@ impl<F: RichField + Extendable<D>, C: GenericConfig<D, F = F>, const D: usize>
             alpha.shift_poly(&mut final_poly);
             final_poly += quotient;
         }
-        // Multiply the final polynomial by `X`, so that `final_poly` has the maximum degree for
-        // which the LDT will pass. See github.com/mir-protocol/plonky2/pull/436 for details.
-        final_poly.coeffs.insert(0, F::Extension::ZERO);
 
         let lde_final_poly = final_poly.lde(fri_params.config.rate_bits);
         let lde_final_values = timed!(
diff --git a/plonky2/src/fri/recursive_verifier.rs b/plonky2/src/fri/recursive_verifier.rs
index 822dd559..e7e48f82 100644
--- a/plonky2/src/fri/recursive_verifier.rs
+++ b/plonky2/src/fri/recursive_verifier.rs
@@ -262,9 +262,7 @@ impl<F: RichField + Extendable<D>, const D: usize> CircuitBuilder<F, D> {
             sum = self.div_add_extension(numerator, denominator, sum);
         }
 
-        // Multiply the final polynomial by `X`, so that `final_poly` has the maximum degree for
-        // which the LDT will pass. See github.com/mir-protocol/plonky2/pull/436 for details.
-        self.mul_extension(sum, subgroup_x)
+        sum
     }
 
     fn fri_verifier_query_round<C: GenericConfig<D, F = F>>(
diff --git a/plonky2/src/fri/verifier.rs b/plonky2/src/fri/verifier.rs
index 6644b971..f860ba30 100644
--- a/plonky2/src/fri/verifier.rs
+++ b/plonky2/src/fri/verifier.rs
@@ -157,9 +157,7 @@ pub(crate) fn fri_combine_initial<
         sum += numerator / denominator;
     }
 
-    // Multiply the final polynomial by `X`, so that `final_poly` has the maximum degree for
-    // which the LDT will pass. See github.com/mir-protocol/plonky2/pull/436 for details.
-    sum * subgroup_x
+    sum
 }
 
 fn fri_verifier_query_round<