From bc5bc8245d597e20e4c25955c181c70210160e3c Mon Sep 17 00:00:00 2001 From: wborgeaud Date: Thu, 3 Feb 2022 11:49:44 +0100 Subject: [PATCH] PR feedback --- field/src/polynomial/mod.rs | 3 ++- plonky2/src/plonk/proof.rs | 8 ++++---- starky/src/constraint_consumer.rs | 8 ++++---- starky/src/proof.rs | 22 ++++++++++++++++++---- starky/src/prover.rs | 7 +++---- starky/src/stark.rs | 1 + starky/src/verifier.rs | 16 ++++++++-------- 7 files changed, 40 insertions(+), 25 deletions(-) diff --git a/field/src/polynomial/mod.rs b/field/src/polynomial/mod.rs index d36757b3..7fccb46e 100644 --- a/field/src/polynomial/mod.rs +++ b/field/src/polynomial/mod.rs @@ -57,7 +57,8 @@ impl PolynomialValues { fft_with_options(coeffs, Some(rate_bits), None) } - pub fn coset_lde(self, rate_bits: usize) -> Self { + /// Low-degree extend `Self` (seen as evaluations over the subgroup) onto a coset. + pub fn lde_onto_coset(self, rate_bits: usize) -> Self { let coeffs = ifft(self).lde(rate_bits); coeffs.coset_fft_with_options(F::coset_shift(), Some(rate_bits), None) } diff --git a/plonky2/src/plonk/proof.rs b/plonky2/src/plonk/proof.rs index 9d9eaaff..803e64d4 100644 --- a/plonky2/src/plonk/proof.rs +++ b/plonky2/src/plonk/proof.rs @@ -227,16 +227,16 @@ impl, C: GenericConfig, const D: usize> } pub(crate) struct ProofChallenges, const D: usize> { - // Random values used in Plonk's permutation argument. + /// Random values used in Plonk's permutation argument. pub plonk_betas: Vec, - // Random values used in Plonk's permutation argument. + /// Random values used in Plonk's permutation argument. pub plonk_gammas: Vec, - // Random values used to combine PLONK constraints. + /// Random values used to combine PLONK constraints. pub plonk_alphas: Vec, - // Point at which the PLONK polynomials are opened. + /// Point at which the PLONK polynomials are opened. pub plonk_zeta: F::Extension, pub fri_challenges: FriChallenges, diff --git a/starky/src/constraint_consumer.rs b/starky/src/constraint_consumer.rs index 922475c3..091215dd 100644 --- a/starky/src/constraint_consumer.rs +++ b/starky/src/constraint_consumer.rs @@ -104,8 +104,8 @@ impl, const D: usize> RecursiveConstraintConsumer, constraint: ExtensionTarget, ) { - self.constraint_acc = - builder.scalar_mul_add_extension(self.alpha, self.constraint_acc, constraint); + let filtered_constraint = builder.mul_extension(constraint, self.z_last); + self.constraint(builder, filtered_constraint); } /// Add one constraint valid on all rows. @@ -114,8 +114,8 @@ impl, const D: usize> RecursiveConstraintConsumer, constraint: ExtensionTarget, ) { - let filtered_constraint = builder.mul_extension(constraint, self.z_last); - self.constraint(builder, filtered_constraint); + self.constraint_acc = + builder.scalar_mul_add_extension(self.alpha, self.constraint_acc, constraint); } /// Add one constraint, but first multiply it by a filter such that it will only apply to the diff --git a/starky/src/proof.rs b/starky/src/proof.rs index 50ef21bc..5f96f1f4 100644 --- a/starky/src/proof.rs +++ b/starky/src/proof.rs @@ -52,10 +52,10 @@ pub struct CompressedStarkProofWithPublicInputs< } pub(crate) struct StarkProofChallenges, const D: usize> { - // Random values used to combine PLONK constraints. + /// Random values used to combine STARK constraints. pub stark_alphas: Vec, - // Point at which the PLONK polynomials are opened. + /// Point at which the STARK polynomials are opened. pub stark_zeta: F::Extension, pub fri_challenges: FriChallenges, @@ -66,6 +66,7 @@ pub struct StarkOpeningSet, const D: usize> { pub local_values: Vec, pub next_values: Vec, pub permutation_zs: Vec, + pub permutation_zs_right: Vec, pub quotient_polys: Vec, } @@ -86,19 +87,28 @@ impl, const D: usize> StarkOpeningSet { local_values: eval_commitment(zeta, trace_commitment), next_values: eval_commitment(zeta * g, trace_commitment), permutation_zs: vec![/*TODO*/], + permutation_zs_right: vec![/*TODO*/], quotient_polys: eval_commitment(zeta, quotient_commitment), } } + // TODO: Replace with a `observe_fri_openings` function. // Note: Can't implement this directly on `Challenger` as it's in a different crate. pub fn observe>(&self, challenger: &mut Challenger) { let StarkOpeningSet { local_values, next_values, permutation_zs, + permutation_zs_right, quotient_polys, } = self; - for v in &[local_values, next_values, permutation_zs, quotient_polys] { + for v in &[ + local_values, + next_values, + permutation_zs, + permutation_zs_right, + quotient_polys, + ] { challenger.observe_extension_elements(v); } } @@ -113,7 +123,11 @@ impl, const D: usize> StarkOpeningSet { .concat(), }; let zeta_right_batch = FriOpeningBatch { - values: self.next_values.to_vec(), + values: [ + self.next_values.as_slice(), + self.permutation_zs_right.as_slice(), + ] + .concat(), }; FriOpenings { batches: vec![zeta_batch, zeta_right_batch], diff --git a/starky/src/prover.rs b/starky/src/prover.rs index 4d7f8c3f..d2c63e02 100644 --- a/starky/src/prover.rs +++ b/starky/src/prover.rs @@ -168,13 +168,13 @@ where let lagrange_first = { let mut evals = PolynomialValues::new(vec![F::ZERO; degree]); evals.values[0] = F::ONE; - evals.coset_lde(rate_bits) + evals.lde_onto_coset(rate_bits) }; // Evaluation of the last Lagrange polynomial on the LDE domain. let lagrange_last = { let mut evals = PolynomialValues::new(vec![F::ZERO; degree]); evals.values[degree - 1] = F::ONE; - evals.coset_lde(rate_bits) + evals.lde_onto_coset(rate_bits) }; let z_h_on_coset = ZeroPolyOnCoset::::new(degree_bits, rate_bits); @@ -212,8 +212,7 @@ where stark.eval_packed_base(vars, &mut consumer); // TODO: Fix this once we use a genuine `PackedField`. let mut constraints_evals = consumer.accumulators(); - // We divide the constraints evaluations by `Z_H(x) / x - last`, i.e., the vanishing - // polynomial of `H` without it's last element. + // We divide the constraints evaluations by `Z_H(x)`. let denominator_inv = z_h_on_coset.eval_inverse(i); for eval in &mut constraints_evals { *eval *= denominator_inv; diff --git a/starky/src/stark.rs b/starky/src/stark.rs index 3b8c795a..00441240 100644 --- a/starky/src/stark.rs +++ b/starky/src/stark.rs @@ -9,6 +9,7 @@ use crate::vars::StarkEvaluationTargets; use crate::vars::StarkEvaluationVars; /// Represents a STARK system. +// TODO: Add a `constraint_degree` fn that returns the maximum constraint degree. pub trait Stark, const D: usize>: Sync { /// The total number of columns in the trace. const COLUMNS: usize; diff --git a/starky/src/verifier.rs b/starky/src/verifier.rs index 843bdb63..b91fe457 100644 --- a/starky/src/verifier.rs +++ b/starky/src/verifier.rs @@ -58,6 +58,7 @@ where local_values, next_values, permutation_zs, + permutation_zs_right, quotient_polys, } = &proof.openings; let vars = StarkEvaluationVars { @@ -85,7 +86,7 @@ where l_last, ); stark.eval_ext(vars, &mut consumer); - let acc = consumer.accumulators(); + let vanishing_polys_zeta = consumer.accumulators(); // Check each polynomial identity, of the form `vanishing(x) = Z_H(x) quotient(x)`, at zeta. let quotient_polys_zeta = &proof.openings.quotient_polys; @@ -100,9 +101,10 @@ where .chunks(1 << config.fri_config.rate_bits) .enumerate() { - ensure!(acc[i] == z_h_zeta * reduce_with_powers(chunk, zeta_pow_deg)); + ensure!(vanishing_polys_zeta[i] == z_h_zeta * reduce_with_powers(chunk, zeta_pow_deg)); } + // TODO: Permutation polynomials. let merkle_caps = &[proof.trace_cap, proof.quotient_polys_cap]; verify_fri_proof::( @@ -139,12 +141,10 @@ fn recover_degree, C: GenericConfig, cons proof: &StarkProof, config: &StarkConfig, ) -> usize { - 1 << (proof.opening_proof.query_round_proofs[0] + let initial_merkle_proof = &proof.opening_proof.query_round_proofs[0] .initial_trees_proof .evals_proofs[0] - .1 - .siblings - .len() - + config.fri_config.cap_height - - config.fri_config.rate_bits) + .1; + let lde_bits = config.fri_config.cap_height + initial_merkle_proof.siblings.len(); + 1 << (lde_bits - config.fri_config.rate_bits) }