From f7e92af963ce9e9df4f6b78dcd14dbfd251a2302 Mon Sep 17 00:00:00 2001 From: wborgeaud Date: Wed, 9 Jun 2021 17:55:49 +0200 Subject: [PATCH] Comment out errors --- src/fri/recursive_verifier.rs | 24 +++++++++++------------- src/gadgets/split_base.rs | 9 +++++++-- src/gadgets/split_join.rs | 12 ++++++------ src/proof.rs | 1 + src/verifier.rs | 4 ++-- 5 files changed, 27 insertions(+), 23 deletions(-) diff --git a/src/fri/recursive_verifier.rs b/src/fri/recursive_verifier.rs index 7c84d765..d990977d 100644 --- a/src/fri/recursive_verifier.rs +++ b/src/fri/recursive_verifier.rs @@ -308,14 +308,14 @@ impl, const D: usize> CircuitBuilder { }; let mut evals = round_proof.steps[i].evals.clone(); // Insert P(y) into the evaluation vector, since it wasn't included by the prover. - evals.insert(x_index & (arity - 1), e_x); - evaluations.push(evals); - self.verify_merkle_proof( - flatten_target(&evaluations[i]), - x_index >> arity_bits, - proof.commit_phase_merkle_roots[i], - &round_proof.steps[i].merkle_proof, - )?; + // evals.insert(x_index & (arity - 1), e_x); + // evaluations.push(evals); + // self.verify_merkle_proof( + // flatten_target(&evaluations[i]), + // x_index >> arity_bits, + // proof.commit_phase_merkle_roots[i], + // &round_proof.steps[i].merkle_proof, + // )?; if i > 0 { // Update the point x to x^arity. @@ -325,7 +325,7 @@ impl, const D: usize> CircuitBuilder { } domain_size = next_domain_size; old_x_index = x_index; - x_index >>= arity_bits; + // x_index >>= arity_bits; } let last_evals = evaluations.last().unwrap(); @@ -343,10 +343,8 @@ impl, const D: usize> CircuitBuilder { // Final check of FRI. After all the reductions, we check that the final polynomial is equal // to the one sent by the prover. - ensure!( - proof.final_poly.eval(subgroup_x.into()) == purported_eval, - "Final polynomial evaluation is invalid." - ); + let eval = proof.final_poly.eval_scalar(self, subgroup_x); + self.assert_equal_extension(eval, purported_eval); Ok(()) } diff --git a/src/gadgets/split_base.rs b/src/gadgets/split_base.rs index 776c3091..a61334bb 100644 --- a/src/gadgets/split_base.rs +++ b/src/gadgets/split_base.rs @@ -48,8 +48,13 @@ impl, const D: usize> CircuitBuilder { /// Returns `k` such that any number with `k` trailing zeros in base `base` has at least /// `n` trailing zeros in base 2. const fn num_limbs_to_check(n: u32, base: usize) -> usize { - assert_eq!(base % 2, 0, "Base should be even."); - ceil_div_usize(n as usize, base.trailing_zeros() as usize) + if base % 2 == 1 { + // Dirty trick to panic if the base is odd. + // TODO: replace with `assert_eq!(base % 2, 0, "Base should be even.")` when stable. + [][0] + } else { + ceil_div_usize(n as usize, base.trailing_zeros() as usize) + } } #[cfg(test)] diff --git a/src/gadgets/split_join.rs b/src/gadgets/split_join.rs index c8f75efa..0524e7d7 100644 --- a/src/gadgets/split_join.rs +++ b/src/gadgets/split_join.rs @@ -29,24 +29,24 @@ impl, const D: usize> CircuitBuilder { /// Verifies that the decomposition is correct by using `k` `BaseSum<2>` gates /// with `k` such that `k*num_routed_bits>=64`. pub(crate) fn split_le(&mut self, integer: Target) -> Vec { - let num_limbs = self.config.num_routed_wires - BaseSumGate::WIRE_LIMBS_START; + let num_limbs = self.config.num_routed_wires - BaseSumGate::<2>::WIRE_LIMBS_START; let k = ceil_div_usize(64, num_limbs); let gates = (0..k) - .map(|_| self.add_gate_no_constants(BaseSumGate::new(num_limbs))) + .map(|_| self.add_gate_no_constants(BaseSumGate::<2>::new(num_limbs))) .collect::>(); let mut bits = Vec::with_capacity(64); for &gate in &gates { bits.extend(Target::wires_from_range( gate, - BaseSumGate::WIRE_LIMBS_START..BaseSumGate::WIRE_LIMBS_START + num_limbs, + BaseSumGate::<2>::WIRE_LIMBS_START..BaseSumGate::<2>::WIRE_LIMBS_START + num_limbs, )); } let zero = self.zero(); let mut acc = zero; for &gate in gates.iter().rev() { - let sum = Target::wire(gate, BaseSumGate::WIRE_SUM); + let sum = Target::wire(gate, BaseSumGate::<2>::WIRE_SUM); acc = self.arithmetic( F::from_canonical_usize(1 << num_limbs), acc, @@ -140,8 +140,8 @@ impl SimpleGenerator for WireSplitGenerator { let mut integer_value = witness.get_target(self.integer).to_canonical_u64(); let mut result = PartialWitness::new(); - for gate in self.gates { - let sum = Target::wire(gate, BaseSumGate::WIRE_SUM); + for &gate in &self.gates { + let sum = Target::wire(gate, BaseSumGate::<2>::WIRE_SUM); result.set_target( sum, F::from_canonical_u64(integer_value & ((1 << self.num_limbs) - 1)), diff --git a/src/proof.rs b/src/proof.rs index 59b7bb9c..04ddf06c 100644 --- a/src/proof.rs +++ b/src/proof.rs @@ -144,6 +144,7 @@ pub struct FriProofTarget { pub pow_witness: Target, } +#[derive(Clone, Debug)] /// The purported values of each polynomial at a single point. pub struct OpeningSet, const D: usize> { pub constants: Vec, diff --git a/src/verifier.rs b/src/verifier.rs index d2a7bb63..a2750421 100644 --- a/src/verifier.rs +++ b/src/verifier.rs @@ -55,13 +55,13 @@ pub(crate) fn verify, const D: usize>( ); // Check each polynomial identity, of the form `vanishing(x) = Z_H(x) quotient(x)`, at zeta. - let quotient_polys_zeta = proof.openings.quotient_polys; + let quotient_polys_zeta = &proof.openings.quotient_polys; let z_h_zeta = eval_zero_poly(common_data.degree(), zeta); for i in 0..num_challenges { ensure!(vanishing_polys_zeta[i] == z_h_zeta * quotient_polys_zeta[i]); } - let evaluations = proof.openings; + let evaluations = proof.openings.clone(); let merkle_roots = &[ verifier_data.constants_root,