From 6820c1849ab1acd418e784a6a15f1e07b315db79 Mon Sep 17 00:00:00 2001
From: wborgeaud <williamborgeaud@gmail.com>
Date: Wed, 5 May 2021 17:00:47 +0200
Subject: [PATCH] Working blinding in LPC

---
 src/fri.rs                   |  7 ++++
 src/polynomial/commitment.rs | 68 +++++++++++++++++++++++++-----------
 2 files changed, 55 insertions(+), 20 deletions(-)

diff --git a/src/fri.rs b/src/fri.rs
index 30c01e03..3677af95 100644
--- a/src/fri.rs
+++ b/src/fri.rs
@@ -28,6 +28,9 @@ pub struct FriConfig {
 
     /// Number of query rounds to perform.
     pub num_query_rounds: usize,
+
+    /// True if the last element of the Merkle trees' leaf vectors is a blinding element.
+    pub blinding: bool,
 }
 
 fn fri_delta(rate_log: usize, conjecture: bool) -> f64 {
@@ -340,6 +343,7 @@ fn fri_combine_initial<F: Field>(
     interpolant: &PolynomialCoeffs<F>,
     points: &[(F, F)],
     subgroup_x: F,
+    config: &FriConfig,
 ) -> F {
     let e = proof
         .evals_proofs
@@ -347,6 +351,7 @@ fn fri_combine_initial<F: Field>(
         .map(|(v, _)| v)
         .flatten()
         .rev()
+        .skip(if config.blinding { 1 } else { 0 })
         .fold(F::ZERO, |acc, &e| alpha * acc + e);
     let numerator = e - interpolant.eval(subgroup_x);
     let denominator = points.iter().map(|&(x, _)| subgroup_x - x).product();
@@ -389,6 +394,7 @@ fn fri_verifier_query_round<F: Field>(
                 interpolant,
                 points,
                 subgroup_x,
+                config,
             )
         } else {
             let last_evals = &evaluations[i - 1];
@@ -472,6 +478,7 @@ mod tests {
             rate_bits,
             proof_of_work_bits: 2,
             reduction_arity_bits,
+            blinding: false,
         };
         let tree = {
             let mut leaves = coset_lde
diff --git a/src/polynomial/commitment.rs b/src/polynomial/commitment.rs
index ee9d49c4..796b7603 100644
--- a/src/polynomial/commitment.rs
+++ b/src/polynomial/commitment.rs
@@ -15,15 +15,10 @@ struct ListPolynomialCommitment<F: Field> {
     pub fri_config: FriConfig,
     pub merkle_tree: MerkleTree<F>,
     pub degree: usize,
-    pub blinding: bool,
 }
 
 impl<F: Field> ListPolynomialCommitment<F> {
-    pub fn new(
-        polynomials: Vec<PolynomialCoeffs<F>>,
-        fri_config: &FriConfig,
-        blinding: bool,
-    ) -> Self {
+    pub fn new(polynomials: Vec<PolynomialCoeffs<F>>, fri_config: &FriConfig) -> Self {
         let degree = polynomials[0].len();
         let lde_values = polynomials
             .iter()
@@ -34,7 +29,7 @@ impl<F: Field> ListPolynomialCommitment<F> {
                     .coset_fft(F::MULTIPLICATIVE_GROUP_GENERATOR)
                     .values
             })
-            .chain(blinding.then(|| {
+            .chain(fri_config.blinding.then(|| {
                 (0..(degree << fri_config.rate_bits))
                     .map(|_| F::rand())
                     .collect()
@@ -43,7 +38,6 @@ impl<F: Field> ListPolynomialCommitment<F> {
 
         let mut leaves = transpose(&lde_values);
         reverse_index_bits_in_place(&mut leaves);
-        // let merkle_tree = MerkleTree::new(transpose(&lde_values), false);
         let merkle_tree = MerkleTree::new(leaves, false);
 
         Self {
@@ -51,7 +45,6 @@ impl<F: Field> ListPolynomialCommitment<F> {
             fri_config: fri_config.clone(),
             merkle_tree,
             degree,
-            blinding,
         }
     }
 
@@ -182,32 +175,67 @@ mod tests {
     use crate::field::crandall_field::CrandallField;
     use anyhow::Result;
 
+    fn rand_vec<F: Field>(n: usize) -> Vec<F> {
+        (0..n).map(|_| F::rand()).collect()
+    }
+
+    fn gen_random_test_case<F: Field>(
+        k: usize,
+        degree_log: usize,
+        num_points: usize,
+    ) -> (Vec<PolynomialCoeffs<F>>, Vec<F>) {
+        let degree = 1 << degree_log;
+
+        let polys = (0..k)
+            .map(|_| PolynomialCoeffs::new(rand_vec(degree)))
+            .collect();
+        let mut points = rand_vec::<F>(num_points);
+        while points.iter().any(|&x| x.exp_usize(degree).is_one()) {
+            points = rand_vec(num_points);
+        }
+
+        (polys, points)
+    }
+
     #[test]
     fn test_polynomial_commitment() -> Result<()> {
         type F = CrandallField;
 
         let k = 10;
         let degree_log = 11;
-        let degree = 1 << degree_log;
-
+        let num_points = 3;
         let fri_config = FriConfig {
             proof_of_work_bits: 2,
             rate_bits: 2,
             reduction_arity_bits: vec![3, 2, 1, 2],
             num_query_rounds: 3,
+            blinding: false,
         };
+        let (polys, points) = gen_random_test_case::<F>(k, degree_log, num_points);
 
-        let polys = (0..k)
-            .map(|_| PolynomialCoeffs::new((0..degree).map(|_| F::rand()).collect()))
-            .collect();
-
-        let lpc = ListPolynomialCommitment::new(polys, &fri_config, false);
-
-        let num_points = 3;
-        let points = (0..num_points).map(|_| F::rand()).collect::<Vec<_>>();
-
+        let lpc = ListPolynomialCommitment::new(polys, &fri_config);
         let proof = lpc.open(&points, &mut Challenger::new());
+        proof.verify(&points, &mut Challenger::new(), &fri_config)
+    }
 
+    #[test]
+    fn test_polynomial_commitment_blinding() -> Result<()> {
+        type F = CrandallField;
+
+        let k = 10;
+        let degree_log = 11;
+        let num_points = 3;
+        let fri_config = FriConfig {
+            proof_of_work_bits: 2,
+            rate_bits: 2,
+            reduction_arity_bits: vec![3, 2, 1, 2],
+            num_query_rounds: 3,
+            blinding: true,
+        };
+        let (polys, points) = gen_random_test_case::<F>(k, degree_log, num_points);
+
+        let lpc = ListPolynomialCommitment::new(polys, &fri_config);
+        let proof = lpc.open(&points, &mut Challenger::new());
         proof.verify(&points, &mut Challenger::new(), &fri_config)
     }
 }