From 40aecc8e9516d19dda88a106bc9c89d316f375a7 Mon Sep 17 00:00:00 2001
From: Daniel Lubarov
Date: Tue, 3 Jan 2023 10:10:57 -0800
Subject: [PATCH 1/3] Allow non-tight degree bound Reverts the degree adjustment part of #436. As @jimpo pointed out, the adjustment complicates security by allowing rational functions of the form `poly(x) / x`. A tight degree bound shouldn't be necessary. Ultimately we want to check that some witness function `f(x)` exists satisfying (simplified) `c(f(x)) = Z_H(x) q(x)`. We only need `f(x)` to be low-degree because that allows us to use polynomial identity testing. With PIT we don't care about exact degree bounds; a negligible degree change will have a negligible effect on PIT soundness.
---
 plonky2/src/fri/oracle.rs | 3 ---
 plonky2/src/fri/recursive_verifier.rs | 4 +---
 plonky2/src/fri/verifier.rs | 4 +---
 3 files changed, 2 insertions(+), 9 deletions(-)
diff --git a/plonky2/src/fri/oracle.rs b/plonky2/src/fri/oracle.rs
index cc114d98..bfb199cc 100644
--- a/plonky2/src/fri/oracle.rs
+++ b/plonky2/src/fri/oracle.rs
@@ -193,9 +193,6 @@ impl, C: GenericConfig, const D: usize>
 alpha.shift_poly(&mut final_poly);
 final_poly += quotient;
 }
- // Multiply the final polynomial by `X`, so that `final_poly` has the maximum degree for
- // which the LDT will pass. See github.com/mir-protocol/plonky2/pull/436 for details.
- final_poly.coeffs.insert(0, F::Extension::ZERO);
 let lde_final_poly = final_poly.lde(fri_params.config.rate_bits);
 let lde_final_values = timed!(
diff --git a/plonky2/src/fri/recursive_verifier.rs b/plonky2/src/fri/recursive_verifier.rs
index 822dd559..e7e48f82 100644
--- a/plonky2/src/fri/recursive_verifier.rs
+++ b/plonky2/src/fri/recursive_verifier.rs
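Review bot: In the oracle.rs hunk of patch 1/3, dropping `final_poly.coeffs.insert(0, F::Extension::ZERO)` leaves `final_poly.coeffs` one entry shorter when it reaches `final_poly.lde(...)`, and the zero padding that restores the length only arrives in patch 3/3. If `lde` expects a power-of-two length, as the 3/3 comment "pad back to power of two" suggests, commits 1/3 and 2/3 would presumably not run on their own, which makes a soundness-relevant change harder to bisect; folding the padding into this patch would avoid that. The removed comment was also the only in-code statement of the degree convention, so a replacement above the `lde` call such as `// No degree adjustment: the LDT bound need not be tight (PIT soundness tolerates a small degree slack).` would keep the rationale with the code. The enclosing function starts and ends outside the hunk.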
@@ -262,9 +262,7 @@ impl, const D: usize> CircuitBuilder {
 sum = self.div_add_extension(numerator, denominator, sum);
 }
- // Multiply the final polynomial by `X`, so that `final_poly` has the maximum degree for
- // which the LDT will pass. See github.com/mir-protocol/plonky2/pull/436 for details.
- self.mul_extension(sum, subgroup_x)
+ sum
 }
 fn fri_verifier_query_round>(
diff --git a/plonky2/src/fri/verifier.rs b/plonky2/src/fri/verifier.rs
index 6644b971..f860ba30 100644
--- a/plonky2/src/fri/verifier.rs
+++ b/plonky2/src/fri/verifier.rs
@@ -157,9 +157,7 @@ pub(crate) fn fri_combine_initial<
 sum += numerator / denominator;
 }
- // Multiply the final polynomial by `X`, so that `final_poly` has the maximum degree for
- // which the LDT will pass. See github.com/mir-protocol/plonky2/pull/436 for details.
- sum * subgroup_x
+ sum
 }
 fn fri_verifier_query_round<
From 2e59ceccc4f8840402d4c1fd51d7af4b5a115e51 Mon Sep 17 00:00:00 2001
From: Daniel Lubarov
Date: Tue, 3 Jan 2023 10:40:05 -0800
Subject: [PATCH 2/3] import
---
 plonky2/src/fri/oracle.rs | 1 -
 1 file changed, 1 deletion(-)
diff --git a/plonky2/src/fri/oracle.rs b/plonky2/src/fri/oracle.rs
index bfb199cc..09635d11 100644
--- a/plonky2/src/fri/oracle.rs
+++ b/plonky2/src/fri/oracle.rs
@@ -8,7 +8,6 @@ use crate::field::extension::Extendable;
 use crate::field::fft::FftRootTable;
 use crate::field::packed::PackedField;
 use crate::field::polynomial::{PolynomialCoeffs, PolynomialValues};
-use crate::field::types::Field;
 use crate::fri::proof::FriProof;
 use crate::fri::prover::fri_proof;
 use crate::fri::structure::{FriBatchInfo, FriInstanceInfo};
From 1ecdb96a6b9d7da42d6df4efe83cad25247bb63e Mon Sep 17 00:00:00 2001
From: Daniel Lubarov
Date: Tue, 3 Jan 2023 11:03:20 -0800
Subject: [PATCH 3/3] Power of two length
---
 plonky2/src/fri/oracle.rs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/plonky2/src/fri/oracle.rs b/plonky2/src/fri/oracle.rs
index 09635d11..90890134 100644
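Review bot: The in-circuit combination in recursive_verifier.rs now ends in a bare `sum`, and the same edit is made to `fri_combine_initial` in verifier.rs, but neither place records that the two must stay identical to each other and to the prover's `final_poly` in oracle.rs. A divergence between the native and the recursive verifier would presumably let one accept a proof the other rejects, so a comment above both returns would help, e.g. `// No multiplication by X; must match the prover's final_poly and the native/in-circuit counterpart.` No test file is touched in this series; a round-trip check that a freshly generated proof verifies both natively and in-circuit would pin that agreement. Both function bodies start outside their hunks.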
--- a/plonky2/src/fri/oracle.rs
+++ b/plonky2/src/fri/oracle.rs
@@ -3,6 +3,7 @@ use alloc::vec::Vec;
 use itertools::Itertools;
 use maybe_rayon::*;
+use plonky2_field::types::Field;
 use crate::field::extension::Extendable;
 use crate::field::fft::FftRootTable;
@@ -188,7 +189,8 @@ impl, C: GenericConfig, const D: usize>
 &format!("reduce batch of {} polynomials", polynomials.len()),
 alpha.reduce_polys_base(polys_coeff)
 );
- let quotient = composition_poly.divide_by_linear(*point);
+ let mut quotient = composition_poly.divide_by_linear(*point);
+ quotient.coeffs.push(F::Extension::ZERO); // pad back to power of two
 alpha.shift_poly(&mut final_poly);
 final_poly += quotient;
 }
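Review bot: The added `use plonky2_field::types::Field;` in the first oracle.rs hunk of patch 3/3 names the external crate directly, while the neighbouring imports in the same hunk go through `crate::field::...` and patch 2/3 had just removed `use crate::field::types::Field;`. Keeping the earlier path, `use crate::field::types::Field;` placed in the `crate::` group, would match the rest of the file.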
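Review bot: In the second oracle.rs hunk, `quotient.coeffs.push(F::Extension::ZERO)` restores a power-of-two length only if `divide_by_linear` returns exactly one coefficient fewer than a power-of-two-length `composition_poly`, and that assumption is not checked here. A `debug_assert!(quotient.coeffs.len().is_power_of_two());` right after the push would catch a change in either helper before the value reaches the LDE. The trailing comment could also say why the pad is harmless, e.g. `// divide_by_linear drops one coefficient; a zero high-order coefficient restores the length without changing the polynomial`. The loop body this sits in starts outside the hunk.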