From 69dc14f88a2e2aa8891043d093064c3688e8ff32 Mon Sep 17 00:00:00 2001 From: wborgeaud Date: Mon, 19 Jul 2021 20:46:18 +0200 Subject: [PATCH] Added PrecomputedReducedEvals struct --- src/fri/verifier.rs | 57 ++++++++++++++++++++++++++++++++------------- 1 file changed, 41 insertions(+), 16 deletions(-) diff --git a/src/fri/verifier.rs b/src/fri/verifier.rs index df0c33fc..adf60026 100644 --- a/src/fri/verifier.rs +++ b/src/fri/verifier.rs @@ -8,7 +8,7 @@ use crate::fri::FriConfig; use crate::hash::hash_n_to_1; use crate::merkle_proofs::verify_merkle_proof; use crate::plonk_challenger::Challenger; -use crate::plonk_common::PlonkPolynomials; +use crate::plonk_common::{reduce_with_powers, PlonkPolynomials}; use crate::proof::{FriInitialTreeProof, FriProof, FriQueryRound, Hash, OpeningSet}; use crate::util::scaling::ReducingFactor; use crate::util::{log2_strict, reverse_bits, reverse_index_bits_in_place}; @@ -112,11 +112,13 @@ pub fn verify_fri_proof, const D: usize>( "Number of reductions should be non-zero." ); + let precomputed_reduced_evals = PrecomputedReducedEvals::from_os_and_alpha(&os, alpha); for round_proof in &proof.query_round_proofs { fri_verifier_query_round( os, zeta, alpha, + precomputed_reduced_evals, initial_merkle_roots, &proof, challenger, @@ -142,12 +144,44 @@ fn fri_verify_initial_proof( Ok(()) } +/// Holds the reduced (by `alpha`) evaluations at `zeta` for the polynomial opened just at +/// zeta, for `Z` at zeta and for `Z` at `g*zeta`. +#[derive(Copy, Clone)] +struct PrecomputedReducedEvals, const D: usize> { + pub single: F::Extension, + pub zs: F::Extension, + pub zs_right: F::Extension, +} + +impl, const D: usize> PrecomputedReducedEvals { + fn from_os_and_alpha(os: &OpeningSet, alpha: F::Extension) -> Self { + let mut alpha = ReducingFactor::new(alpha); + let single = alpha.reduce( + os.constants + .iter() + .chain(&os.plonk_sigmas) + .chain(&os.wires) + .chain(&os.quotient_polys) + .chain(&os.partial_products), + ); + let zs = alpha.reduce(os.plonk_zs.iter()); + let zs_right = alpha.reduce(os.plonk_zs_right.iter()); + + Self { + single, + zs, + zs_right, + } + } +} + fn fri_combine_initial, const D: usize>( proof: &FriInitialTreeProof, alpha: F::Extension, os: &OpeningSet, zeta: F::Extension, subgroup_x: F, + precomputed_reduced_evals: PrecomputedReducedEvals, common_data: &CommonCircuitData, ) -> F::Extension { let config = &common_data.config; @@ -174,19 +208,8 @@ fn fri_combine_initial, const D: usize>( [common_data.partial_products_range()], ) .map(|&e| F::Extension::from_basefield(e)); - let single_openings = os - .constants - .iter() - .chain(&os.plonk_sigmas) - .chain(&os.wires) - .chain(&os.quotient_polys) - .chain(&os.partial_products); - let single_diffs = single_evals - .into_iter() - .zip(single_openings) - .map(|(e, &o)| e - o) - .collect::>(); - let single_numerator = alpha.reduce(single_diffs.iter()); + let single_composition_eval = alpha.reduce(single_evals); + let single_numerator = single_composition_eval - precomputed_reduced_evals.single; let single_denominator = subgroup_x - zeta; sum += single_numerator / single_denominator; alpha.reset(); @@ -201,8 +224,8 @@ fn fri_combine_initial, const D: usize>( let zeta_right = F::Extension::primitive_root_of_unity(degree_log) * zeta; let zs_interpol = interpolate2( [ - (zeta, alpha.clone().reduce(os.plonk_zs.iter())), - (zeta_right, alpha.reduce(os.plonk_zs_right.iter())), + (zeta, precomputed_reduced_evals.zs), + (zeta_right, precomputed_reduced_evals.zs_right), ], subgroup_x, ); @@ -218,6 +241,7 @@ fn fri_verifier_query_round, const D: usize>( os: &OpeningSet, zeta: F::Extension, alpha: F::Extension, + precomputed_reduced_evals: PrecomputedReducedEvals, initial_merkle_roots: &[Hash], proof: &FriProof, challenger: &mut Challenger, @@ -251,6 +275,7 @@ fn fri_verifier_query_round, const D: usize>( os, zeta, subgroup_x, + precomputed_reduced_evals, common_data, ) } else {