Candidate API for Merkle proof data

Does this make sense? I think other libraries tend to include the leaf's index (either as an integer, or a series of bits indicating left/right turns) as part of a "proof". In FRI, the leaf indices are chosen by the verifier, so I thought that approach might be sort of redundant. Let me know what you think though.
2026-01-24 00:23:07 +00:00 · 2021-04-06 19:11:21 -07:00 · 2021-04-06 19:11:21 -07:00 · e8eb658f8e
commit e8eb658f8e
parent 88a84d5be3
4 changed files with 42 additions and 9 deletions
--- a/src/gadgets/merkle_proofs.rs
+++ b/src/gadgets/merkle_proofs.rs
@ -0,0 +1,24 @@
+use crate::circuit_builder::CircuitBuilder;
+use crate::field::field::Field;
+use crate::target::Target;
+
+pub struct MerkleProof<F: Field> {
+    /// The Merkle digest of each sibling subtree, staying from the bottommost layer.
+    pub siblings: Vec<F>,
+}
+
+pub struct MerkleProofTarget {
+    /// The Merkle digest of each sibling subtree, staying from the bottommost layer.
+    pub siblings: Vec<Target>,
+}
+
+impl<F: Field> CircuitBuilder<F> {
+    pub(crate) fn verify_merkle_proof(
+        &mut self,
+        leaf_index: Target,
+        leaf_data: Vec<Target>,
+        proof: MerkleProofTarget,
+    ) {
+        todo!()
+    }
+}
--- a/src/gadgets/mod.rs
+++ b/src/gadgets/mod.rs
@ -1,3 +1,4 @@
 pub(crate) mod arithmetic;
-pub(crate) mod split_join;
 pub(crate) mod hash;
+pub(crate) mod merkle_proofs;
+pub(crate) mod split_join;
--- a/src/proof.rs
+++ b/src/proof.rs
@ -1,5 +1,6 @@
 use crate::field::field::Field;
 use crate::target::Target;
+use crate::gadgets::merkle_proofs::{MerkleProofTarget, MerkleProof};

 /// Represents a ~256 bit hash output.
 #[derive(Copy, Clone, Debug)]
@ -32,7 +33,8 @@ pub struct Proof<F: Field> {
    /// Purported values of each polynomial at each challenge point.
    pub openings: Vec<OpeningSet<F>>,

-    // TODO: FRI Merkle proofs.
+    /// A FRI argument for each FRI query.
+    pub fri_proofs: Vec<FriProof<F>>,
 }

 pub struct ProofTarget {
@ -50,22 +52,25 @@ pub struct ProofTarget {
    pub fri_proofs: Vec<FriProofTarget>,
 }

+pub struct FriProof<F: Field> {
+    /// Merkle proofs for the original purported codewords, i.e. the subject of the LDT.
+    pub initial_merkle_proofs: Vec<MerkleProof<F>>,
+    /// Merkle proofs for the reduced polynomials that were sent in the commit phase.
+    pub intermediate_merkle_proofs: Vec<MerkleProof<F>>,
+    /// The final polynomial in coefficient form.
+    pub final_poly: Vec<F>,
+}
+
 /// Represents a single FRI query, i.e. a path through the reduction tree.
 pub struct FriProofTarget {
    /// Merkle proofs for the original purported codewords, i.e. the subject of the LDT.
    pub initial_merkle_proofs: Vec<MerkleProofTarget>,
    /// Merkle proofs for the reduced polynomials that were sent in the commit phase.
    pub intermediate_merkle_proofs: Vec<MerkleProofTarget>,
-    /// The final polynomial in point-value form.
+    /// The final polynomial in coefficient form.
    pub final_poly: Vec<Target>,
 }

-pub struct MerkleProofTarget {
-    pub leaf: Vec<Target>,
-    pub siblings: Vec<Target>,
-    // TODO: Also need left/right turn info.
-}
-
 /// The purported values of each polynomial at a single point.
 pub struct OpeningSet<F: Field> {
    pub constants: Vec<F>,
--- a/src/prover.rs
+++ b/src/prover.rs
@ -111,6 +111,8 @@ pub(crate) fn prove<F: Field>(

    let openings = Vec::new(); // TODO

+    let fri_proofs = Vec::new(); // TODO
+
    info!("{:.3}s for overall witness & proof generation",
          start_proof_gen.elapsed().as_secs_f32());

@ -119,6 +121,7 @@ pub(crate) fn prove<F: Field>(
        plonk_zs_root,
        quotient_polys_root,
        openings,
+        fri_proofs,
    }
 }