From b6cb72b629867209a09535c0c4274032422926e0 Mon Sep 17 00:00:00 2001 From: wborgeaud Date: Thu, 27 Jan 2022 13:27:06 +0100 Subject: [PATCH] Comments --- starky/src/fibonacci_stark.rs | 5 +++++ starky/src/proof.rs | 2 +- starky/src/prover.rs | 29 ++++++++++++++++++++--------- starky/src/stark.rs | 2 ++ 4 files changed, 28 insertions(+), 10 deletions(-) diff --git a/starky/src/fibonacci_stark.rs b/starky/src/fibonacci_stark.rs index e6caa1e6..5e41f18e 100644 --- a/starky/src/fibonacci_stark.rs +++ b/starky/src/fibonacci_stark.rs @@ -9,6 +9,9 @@ use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer use crate::stark::Stark; use crate::vars::{StarkEvaluationTargets, StarkEvaluationVars}; +/// Toy STARK system used for testing. +/// Computes a Fibonacci sequence with inital values `x0, x1` using the transition +/// `x0 <- x1, x1 <- x0 + x1`. pub struct FibonacciStark, const D: usize> { x0: F, x1: F, @@ -51,7 +54,9 @@ impl, const D: usize> Stark for FibonacciStar FE: FieldExtension, P: PackedField, { + // x0 <- x1 yield_constr.one(vars.next_values[0] - vars.local_values[1]); + // x1 <- x0 + x1 yield_constr.one(vars.next_values[1] - vars.local_values[0] - vars.local_values[1]); } diff --git a/starky/src/proof.rs b/starky/src/proof.rs index 22ebf5e2..4218e71f 100644 --- a/starky/src/proof.rs +++ b/starky/src/proof.rs @@ -52,7 +52,7 @@ impl, const D: usize> StarkOpeningSet { Self { local_values: eval_commitment(zeta, trace_commitment), next_values: eval_commitment(zeta * g, trace_commitment), - permutation_zs: vec![], + permutation_zs: vec![/*TODO*/], quotient_polys: eval_commitment(zeta, quotient_commitment), } } diff --git a/starky/src/prover.rs b/starky/src/prover.rs index 29d9f2e4..5af22871 100644 --- a/starky/src/prover.rs +++ b/starky/src/prover.rs @@ -20,6 +20,7 @@ use crate::proof::{StarkOpeningSet, StarkProof}; use crate::stark::Stark; use crate::vars::StarkEvaluationVars; +// TODO: Deal with public inputs. pub fn prove( stark: S, config: StarkConfig, @@ -82,7 +83,7 @@ where quotient_poly .pad(degree << rate_bits) .expect("Quotient has failed, the vanishing polynomial is not divisible by `Z_H"); - // Split t into degree-n chunks. + // Split quotient into degree-n chunks. quotient_poly.chunks(degree) }) .collect(); @@ -134,6 +135,10 @@ where }) } +/// Computes the quotient polynomials `(sum alpha^i C_i(x)) / Z_H(x)` for `alpha` in `alphas`, +/// where the `C_i`s are the Stark constraints. +// TODO: This won't work for the Fibonacci example because the constraints wrap around the subgroup. +// The denominator should be the vanishing polynomial of `H` without its last element. fn compute_quotient_polys( stark: &S, trace_commitment: &PolynomialBatch, @@ -151,11 +156,13 @@ where let degree = 1 << degree_bits; let points = F::two_adic_subgroup(degree_bits + rate_bits); + // Evaluation of the first Lagrange polynomial on the LDE domain. let lagrange_first = { let mut evals = PolynomialValues::new(vec![F::ZERO; degree]); evals.values[0] = F::ONE; evals.lde(rate_bits) }; + // Evaluation of the last Lagrange polynomial on the LDE domain. let lagrange_last = { let mut evals = PolynomialValues::new(vec![F::ZERO; degree]); evals.values[degree - 1] = F::ONE; @@ -164,6 +171,11 @@ where let z_h_on_coset = ZeroPolyOnCoset::new(degree_bits, rate_bits); + // Retrieve the LDE values at index `i`. + let get_at_index = |comm: &PolynomialBatch, i: usize| -> [F; S::COLUMNS] { + comm.get_lde_values(i).try_into().unwrap() + }; + alphas .iter() .map(|&alpha| { @@ -171,6 +183,7 @@ where (0..degree << rate_bits) .into_par_iter() .map(|i| { + // TODO: Set `P` to a genuine `PackedField` here. let mut consumer = ConstraintConsumer::::new( alpha, lagrange_first.values[i], @@ -178,17 +191,15 @@ where ); let vars = StarkEvaluationVars:: { - local_values: trace_commitment - .get_lde_values(i) - .try_into() - .unwrap(), - next_values: trace_commitment - .get_lde_values((i + 1) % (degree << rate_bits)) - .try_into() - .unwrap(), + local_values: &get_at_index(trace_commitment, i), + next_values: &get_at_index( + trace_commitment, + (i + 1) % (degree << rate_bits), + ), public_inputs: &[F::ZERO; S::PUBLIC_INPUTS], }; stark.eval_packed_base(vars, &mut consumer); + // TODO: Fix this once we a genuine `PackedField`. let constraints_eval = consumer.accumulator(); let denominator_inv = z_h_on_coset.eval_inverse(i); constraints_eval * denominator_inv diff --git a/starky/src/stark.rs b/starky/src/stark.rs index 3c44f343..f91d4fdd 100644 --- a/starky/src/stark.rs +++ b/starky/src/stark.rs @@ -61,6 +61,8 @@ pub trait Stark, const D: usize>: Sync { yield_constr: &mut RecursiveConstraintConsumer, ); + /// Computes the FRI instance used to prove this Stark. + // TODO: Permutation polynomials. fn fri_instance( zeta: F::Extension, g: F::Extension,