diff --git a/src/fri/verifier.rs b/src/fri/verifier.rs
index 981db38a..2ff6b7b8 100644
--- a/src/fri/verifier.rs
+++ b/src/fri/verifier.rs
@@ -148,6 +148,7 @@ fn fri_combine_initial, const D: usize>(
 subgroup_x: F,
 config: &FriConfig,
 ) -> F::Extension {
+ assert!(D > 1, "Not implemented for D=1.");
 let degree_log = proof.evals_proofs[0].1.siblings.len() - config.rate_bits;
 let mut cur_alpha = F::Extension::ONE;
@@ -155,35 +156,22 @@ fn fri_combine_initial, const D: usize>(
 let mut poly_count = 0;
 let mut e = F::Extension::ZERO;
- let ev = if D == 1 {
- vec![0, 1, 2, 4]
- } else {
- vec![0, 1, 4]
- }
- .iter()
- .flat_map(|&i| {
- let v = &proof.evals_proofs[i].0;
- &v[..v.len() - if config.blinding[i] { SALT_SIZE } else { 0 }]
- })
- .rev()
- .fold(F::Extension::ZERO, |acc, &e| {
- poly_count += 1;
- alpha * acc + e.into()
- });
- let composition_eval = if D == 1 {
- vec![
- &os.constants,
- &os.plonk_sigmas,
- &os.wires,
- &os.quotient_polys,
- ]
- } else {
- vec![&os.constants, &os.plonk_sigmas, &os.quotient_polys]
- }
- .iter()
- .flat_map(|v| v.iter())
- .rev()
- .fold(F::Extension::ZERO, |acc, &e| acc * alpha + e);
+ let ev = vec![0, 1, 4]
+ .iter()
+ .flat_map(|&i| {
+ let v = &proof.evals_proofs[i].0;
+ &v[..v.len() - if config.blinding[i] { SALT_SIZE } else { 0 }]
+ })
+ .rev()
+ .fold(F::Extension::ZERO, |acc, &e| {
+ poly_count += 1;
+ alpha * acc + e.into()
+ });
+ let composition_eval = [&os.constants, &os.plonk_sigmas, &os.quotient_polys]
+ .iter()
+ .flat_map(|v| v.iter())
+ .rev()
+ .fold(F::Extension::ZERO, |acc, &e| acc * alpha + e);
 let numerator = ev - composition_eval;
 let denominator = F::Extension::from_basefield(subgroup_x) - zeta;
 e += cur_alpha * numerator / denominator;
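Review bot: The `assert!(D > 1, "Not implemented for D=1.")` added at the top of `fri_combine_initial` is a new panic path that is not documented on the function, and the message does not say why the base-field case is unsupported. `D` is a const generic, so the proof being verified cannot trigger it, but a caller instantiating the verifier with `D = 1` only finds out at run time. I would add a doc line such as `/// # Panics` / `/// Panics if D == 1: the wires opening at zeta.frobenius() needs a proper extension field.` — the stated reason is inferred from the Frobenius-based opening later in the function, so confirm the wording. The same assert is added in the `-87,6` hunk of src/polynomial/commitment.rs; the function signature starts above this hunk.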
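Review bot: The slice bound `v.len() - if config.blinding[i] { SALT_SIZE } else { 0 }` in the new `ev` fold is computed from `proof.evals_proofs[i].0`, data taken from the proof under verification, with no length check: a leaf shorter than `SALT_SIZE` makes the subtraction underflow or the slice index panic, and the fixed indices `0, 1, 4` panic if `evals_proofs` has fewer entries. A verifier should reject a malformed proof as a verification failure rather than abort; whether the shape is validated before this function is called is not visible in the hunk. Because the function returns `F::Extension` and not a `Result`, the check probably belongs in the caller, along the lines of `v.len().checked_sub(salt)` mapped to an invalid-proof error. The same unchecked pattern is carried over for `evals_proofs[2]` in the `-208,26` hunk. As a smaller point, this hunk keeps `vec![0, 1, 4]` where commitment.rs now uses the array `[0, 1, 4]`.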
@@ -208,26 +196,24 @@ fn fri_combine_initial, const D: usize>(
 e += cur_alpha * numerator / denominator;
 cur_alpha = alpha.exp(poly_count);
- if D > 1 {
- let ev = proof.evals_proofs[2].0
- [..proof.evals_proofs[2].0.len() - if config.blinding[2] { SALT_SIZE } else { 0 }]
- .iter()
- .rev()
- .fold(F::Extension::ZERO, |acc, &e| {
- poly_count += 1;
- alpha * acc + e.into()
- });
- let zeta_frob = zeta.frobenius();
- let wire_evals_frob = os.wires.iter().map(|e| e.frobenius()).collect::>();
- let wires_interpol = interpolant(&[
- (zeta, reduce_with_powers(&os.wires, alpha)),
- (zeta_frob, reduce_with_powers(&wire_evals_frob, alpha)),
- ]);
- let numerator = ev - wires_interpol.eval(subgroup_x.into());
- let denominator = (F::Extension::from_basefield(subgroup_x) - zeta)
- * (F::Extension::from_basefield(subgroup_x) - zeta_frob);
- e += cur_alpha * numerator / denominator;
- }
+ let ev = proof.evals_proofs[2].0
+ [..proof.evals_proofs[2].0.len() - if config.blinding[2] { SALT_SIZE } else { 0 }]
+ .iter()
+ .rev()
+ .fold(F::Extension::ZERO, |acc, &e| {
+ poly_count += 1;
+ alpha * acc + e.into()
+ });
+ let zeta_frob = zeta.frobenius();
+ let wire_evals_frob = os.wires.iter().map(|e| e.frobenius()).collect::>();
+ let wires_interpol = interpolant(&[
+ (zeta, reduce_with_powers(&os.wires, alpha)),
+ (zeta_frob, reduce_with_powers(&wire_evals_frob, alpha)),
+ ]);
+ let numerator = ev - wires_interpol.eval(subgroup_x.into());
+ let denominator = (F::Extension::from_basefield(subgroup_x) - zeta)
+ * (F::Extension::from_basefield(subgroup_x) - zeta_frob);
+ e += cur_alpha * numerator / denominator;
 e
 }
diff --git a/src/polynomial/commitment.rs b/src/polynomial/commitment.rs
index f7906e18..06194ad9 100644
--- a/src/polynomial/commitment.rs
+++ b/src/polynomial/commitment.rs
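Review bot: The wires block in `fri_combine_initial` is now unconditional but has no comment saying what it checks, while the matching prover code in src/polynomial/commitment.rs explains the opening at `zeta` and `zeta.frobenius()`. This appears to be the verifier side of the check that the wire polynomials are over the base field, so a reader auditing soundness should not have to cross-reference the prover to learn that. I would add, before `let zeta_frob = zeta.frobenius();`, a comment such as `// Wires must be over the base field: compare the opening with the interpolant through (zeta, f(zeta)) and (zeta.frobenius(), f(zeta).frobenius()).` The function body starts above this hunk.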
@@ -87,6 +87,7 @@ impl ListPolynomialCommitment {
 where
 F: Extendable,
 {
+ assert!(D > 1, "Not implemented for D=1.");
 let degree_log = log2_strict(commitments[0].degree);
 let g = F::Extension::primitive_root_of_unity(degree_log);
 for &p in &[zeta, g * zeta] {
@@ -117,32 +118,19 @@ impl ListPolynomialCommitment {
 let mut poly_count = 0;
 // Polynomials opened at a single point.
- let composition_poly = if D == 1 {
- vec![0, 1, 2, 4]
- } else {
- vec![0, 1, 4]
- }
- .iter()
- .flat_map(|&i| &commitments[i].polynomials)
- .rev()
- .fold(PolynomialCoeffs::empty(), |acc, p| {
- poly_count += 1;
- &(&acc * alpha) + &p.to_extension()
- });
- let composition_eval = if D == 1 {
- vec![
- &os.constants,
- &os.plonk_sigmas,
- &os.wires,
- &os.quotient_polys,
- ]
- } else {
- vec![&os.constants, &os.plonk_sigmas, &os.quotient_polys]
- }
- .iter()
- .flat_map(|v| v.iter())
- .rev()
- .fold(F::Extension::ZERO, |acc, &e| acc * alpha + e);
+ let composition_poly = [0, 1, 4]
+ .iter()
+ .flat_map(|&i| &commitments[i].polynomials)
+ .rev()
+ .fold(PolynomialCoeffs::empty(), |acc, p| {
+ poly_count += 1;
+ &(&acc * alpha) + &p.to_extension()
+ });
+ let composition_eval = [&os.constants, &os.plonk_sigmas, &os.quotient_polys]
+ .iter()
+ .flat_map(|v| v.iter())
+ .rev()
+ .fold(F::Extension::ZERO, |acc, &e| acc * alpha + e);
 let quotient = Self::compute_quotient(&[zeta], &[composition_eval], &composition_poly);
 final_poly = &final_poly + &("ient * cur_alpha);
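Review bot: The commitment indices `[0, 1, 4]` in the new `composition_poly` (and `commitments[2]` in the wires section of the `-171,30` hunk) are bare literals that have to match `vec![0, 1, 4]` and `evals_proofs[2]` in src/fri/verifier.rs, and nothing in the code ties the two sides together. A change to the opening set made in one file only would not be caught by the compiler, and the prover and verifier would then combine different polynomials. Shared named constants would make the contract explicit, for example `const SINGLE_POINT_COMMITMENTS: [usize; 3] = [0, 1, 4];` and `const WIRES_COMMITMENT: usize = 2;` (names are suggestions only). The enclosing function starts above this hunk.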
@@ -171,30 +159,30 @@ impl ListPolynomialCommitment {
 final_poly = &final_poly + &(&zs_quotient * cur_alpha);
 cur_alpha = alpha.exp(poly_count);
- // If working in an extension field, need to check that wires are in the base field.
+ // When working in an extension field, need to check that wires are in the base field.
 // Check this by opening the wires polynomials at `zeta` and `zeta.frobenius()` and using the fact that
 // a polynomial `f` is over the base field iff `f(z).frobenius()=f(z.frobenius())` with high probability.
- if D > 1 {
- let wires_composition_poly = commitments[2].polynomials.iter().rev().fold(
- PolynomialCoeffs::empty(),
- |acc, p| {
+ let wires_composition_poly =
+ commitments[2]
+ .polynomials
+ .iter()
+ .rev()
+ .fold(PolynomialCoeffs::empty(), |acc, p| {
 poly_count += 1;
 &(&acc * alpha) + &p.to_extension()
- },
- );
- let wire_evals_frob = os.wires.iter().map(|e| e.frobenius()).collect::>();
- let wires_composition_evals = [
- reduce_with_powers(&os.wires, alpha),
- reduce_with_powers(&wire_evals_frob, alpha),
- ];
+ });
+ let wire_evals_frob = os.wires.iter().map(|e| e.frobenius()).collect::>();
+ let wires_composition_evals = [
+ reduce_with_powers(&os.wires, alpha),
+ reduce_with_powers(&wire_evals_frob, alpha),
+ ];
- let wires_quotient = Self::compute_quotient(
- &[zeta, zeta.frobenius()],
- &wires_composition_evals,
- &wires_composition_poly,
- );
- final_poly = &final_poly + &(&wires_quotient * cur_alpha);
- }
+ let wires_quotient = Self::compute_quotient(
+ &[zeta, zeta.frobenius()],
+ &wires_composition_evals,
+ &wires_composition_poly,
+ );
+ final_poly = &final_poly + &(&wires_quotient * cur_alpha);
 let lde_final_poly = final_poly.lde(config.rate_bits);
 let lde_final_values = lde_final_poly
@@ -370,16 +358,6 @@ mod tests {
 )
 }
- mod base {
- use super::*;
- use crate::field::crandall_field::CrandallField;
-
- #[test]
- fn test_batch_polynomial_commitment() -> Result<()> {
- check_batch_polynomial_commitment::()
- }
- }
-
 mod quadratic {
 use super::*;
 use crate::field::crandall_field::CrandallField;