diff --git a/starky2/src/constraint_consumer.rs b/starky2/src/constraint_consumer.rs index ada28730..fd21e366 100644 --- a/starky2/src/constraint_consumer.rs +++ b/starky2/src/constraint_consumer.rs @@ -9,7 +9,7 @@ use plonky2::plonk::circuit_builder::CircuitBuilder; pub struct ConstraintConsumer { /// Random values used to combine multiple constraints into one. - alphas: Vec, + pub alphas: Vec, /// Running sums of constraints that have been emitted so far, scaled by powers of alpha. // TODO(JN): This is pub so it can be used in a test. Once we have an API for accessing this diff --git a/starky2/src/cross_table_lookup.rs b/starky2/src/cross_table_lookup.rs index 124294b2..4a8423d5 100644 --- a/starky2/src/cross_table_lookup.rs +++ b/starky2/src/cross_table_lookup.rs @@ -152,6 +152,7 @@ impl<'a, F: RichField + Extendable, const D: usize> proofs: &[&StarkProofWithPublicInputs], cross_table_lookups: &'a [CrossTableLookup], ctl_challenges: &'a GrandProductChallengeSet, + num_permutation_zs: usize, ) -> Vec> { let mut ctl_zs = proofs .iter() @@ -162,13 +163,15 @@ impl<'a, F: RichField + Extendable, const D: usize> .as_ref() .unwrap() // TODO: fix unwrap .iter() + .skip(num_permutation_zs) .zip( p.proof .openings .permutation_lookup_zs_right .as_ref() .unwrap() - .iter(), + .iter() + .skip(num_permutation_zs), ) }) .collect::>(); diff --git a/starky2/src/get_challenges.rs b/starky2/src/get_challenges.rs index 9851c787..7e65a432 100644 --- a/starky2/src/get_challenges.rs +++ b/starky2/src/get_challenges.rs @@ -22,7 +22,7 @@ fn get_challenges( challenger: &mut Challenger, stark: &S, trace_cap: &MerkleCap, - permutation_zs_cap: Option<&MerkleCap>, + permutation_ctl_zs_cap: Option<&MerkleCap>, quotient_polys_cap: &MerkleCap, openings: &StarkOpeningSet, commit_phase_merkle_caps: &[MerkleCap], 
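Review bot: Making `alphas` fully `pub` on `ConstraintConsumer` lets any downstream crate read and overwrite the random values used to combine constraints, and the combined check is only meaningful if those values cannot be changed after they are drawn. If the new reader lives in this crate (the consistency check in `prover.rs` looks like the likely user, though that is not visible in this hunk), `pub(crate) alphas` or a read-only accessor returning a slice would be enough. The existing TODO on the next field already records that it is `pub` only for a test, so the same comment belongs on `alphas` if the wider visibility is kept. The struct body continues past the hunk.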
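Review bot: The second `.unwrap()` in `from_proofs`, on `permutation_lookup_zs_right`, carries no TODO and, like the first, panics when a proof omits that opening; `from_proofs` is called from `verifier.rs` on proof data, so a malformed proof would abort the process instead of failing verification. The added `.skip(num_permutation_zs)` on both sides also yields an empty iterator without complaint when the count exceeds the number of openings, and `zip` truncates to the shorter side, so a short opening vector silently drops CTL checks. Consider propagating an error from `from_proofs` and checking both lengths against `num_permutation_zs` plus the expected number of CTL columns before zipping. The function body starts and continues outside these two hunks.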
@@ -38,18 +38,18 @@ where { let num_challenges = config.num_challenges; - challenger.observe_cap(trace_cap); - - let permutation_challenge_sets = permutation_zs_cap.map(|permutation_zs_cap| { - let tmp = get_n_grand_product_challenge_sets( + let permutation_challenge_sets = stark.uses_permutation_args().then(|| { + get_n_grand_product_challenge_sets( challenger, num_challenges, stark.permutation_batch_size(), - ); - challenger.observe_cap(permutation_zs_cap); - tmp + ) }); + if let Some(cap) = permutation_ctl_zs_cap { + challenger.observe_cap(cap); + } + let stark_alphas = challenger.get_n_challenges(num_challenges); challenger.observe_cap(quotient_polys_cap); @@ -132,7 +132,7 @@ where let StarkProof { trace_cap, - permutation_zs_cap, + permutation_ctl_zs_cap, quotient_polys_cap, openings, opening_proof: @@ -148,7 +148,7 @@ where challenger, stark, trace_cap, - permutation_zs_cap.as_ref(), + permutation_ctl_zs_cap.as_ref(), quotient_polys_cap, openings, commit_phase_merkle_caps, diff --git a/starky2/src/proof.rs b/starky2/src/proof.rs index b8ede54f..a30f3a9b 100644 --- a/starky2/src/proof.rs +++ b/starky2/src/proof.rs @@ -40,7 +40,7 @@ pub struct StarkProof, C: GenericConfig, /// Merkle cap of LDEs of trace values. pub trace_cap: MerkleCap, /// Merkle cap of LDEs of permutation Z values. - pub permutation_zs_cap: Option>, + pub permutation_ctl_zs_cap: Option>, /// Merkle cap of LDEs of trace values. pub quotient_polys_cap: MerkleCap, /// Purported values of each polynomial at the challenge point. diff --git a/starky2/src/prover.rs b/starky2/src/prover.rs index cf9472e4..6dc94657 100644 --- a/starky2/src/prover.rs +++ b/starky2/src/prover.rs 
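Review bot: `get_challenges` no longer absorbs `trace_cap` into the challenger even though `trace_cap` is still a parameter, so the permutation challenges, `stark_alphas` and everything drawn afterwards are bound to the trace only if the caller has already observed every trace cap. That caller is not visible in this diff; if it does so, state it at the top of the function, e.g. `// Precondition: caller has already observed all trace caps (shared CTL challenges depend on them).`, and drop or underscore the now-unused parameter. The prover transcript in `prover.rs` has to absorb the same values in the same order, and a transcript that leaves out the trace commitment would no longer bind the challenges to the committed trace. The cap is also absorbed only when the proof supplies one, while the challenge sets are now drawn from `stark.uses_permutation_args()`, so the consistency check between the two (presumably `check_permutation_options`) should run before these challenges are relied on.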
@@ -174,10 +174,10 @@ where None, ) }); - let permutation_zs_cap = permutation_ctl_zs_commitment + let permutation_ctl_zs_cap = permutation_ctl_zs_commitment .as_ref() .map(|commit| commit.merkle_tree.cap.clone()); - if let Some(cap) = &permutation_zs_cap { + if let Some(cap) = &permutation_ctl_zs_cap { challenger.observe_cap(cap); } @@ -271,7 +271,7 @@ where ); let proof = StarkProof { trace_cap: trace_commitment.merkle_tree.cap.clone(), - permutation_zs_cap, + permutation_ctl_zs_cap, quotient_polys_cap, openings, opening_proof, @@ -434,13 +434,17 @@ fn test_it<'a, F, C, S, const D: usize>( S: Stark, { let degree = 1 << degree_bits; + let rate_bits = 0; + + let size = degree << rate_bits; + let step = 1 << rate_bits; // Evaluation of the first Lagrange polynomial on the LDE domain. - let lagrange_first = PolynomialValues::selector(degree, 0); + let lagrange_first = PolynomialValues::selector(degree, 0).lde(rate_bits); // Evaluation of the last Lagrange polynomial on the LDE domain. - let lagrange_last = PolynomialValues::selector(degree, degree - 1); + let lagrange_last = PolynomialValues::selector(degree, degree - 1).lde(rate_bits); - let subgroup = F::two_adic_subgroup(degree_bits); + let subgroup = F::two_adic_subgroup(degree_bits + rate_bits); // Retrieve the LDE values at index `i`. let get_comm_values = |comm: &PolynomialBatch, i| -> Vec { @@ -453,9 +457,9 @@ fn test_it<'a, F, C, S, const D: usize>( // Last element of the subgroup. let last = F::primitive_root_of_unity(degree_bits).inverse(); - let constraint_values = (0..degree) + let constraint_values = (0..size) .map(|i| { - let i_next = (i + 1) % degree; + let i_next = (i + step) % size; let x = subgroup[i]; let z_last = x - last; @@ -515,5 +519,8 @@ fn test_it<'a, F, C, S, const D: usize>( }) .collect::>(); - dbg!(constraint_values); + let values = transpose(&constraint_values); + for v in values { + assert!(v.iter().all(|x| x.is_zero())); + } } 
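Review bot: The new `assert!(v.iter().all(|x| x.is_zero()))` at the end of `test_it` holds only while `rate_bits` stays at the hard-coded `0`; with a larger blow-up the constraint evaluations vanish on the trace subgroup (every `step`-th index) but in general not on the other LDE points, so the `size`/`step`/`.lde(rate_bits)` generalisation in the two preceding `test_it` hunks cannot be exercised as written. A comment such as `// rate_bits must stay 0: constraints are only expected to vanish on the trace domain`, or restricting the check to `i % step == 0`, would make the assumption explicit. The assertion would also benefit from a message naming the failing constraint index. Whether `test_it` is compiled only for tests is not visible here; if it runs on the normal proving path, the panic and the extra pass over the trace belong behind `#[cfg(test)]` or `debug_assertions`.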
diff --git a/starky2/src/recursive_verifier.rs b/starky2/src/recursive_verifier.rs index e091d64c..6dcc7a7e 100644 --- a/starky2/src/recursive_verifier.rs +++ b/starky2/src/recursive_verifier.rs @@ -301,9 +301,10 @@ pub fn set_stark_proof_target, W, const D: usize>( &proof.openings.to_fri_openings(), ); - if let (Some(permutation_zs_cap_target), Some(permutation_zs_cap)) = - (&proof_target.permutation_zs_cap, &proof.permutation_zs_cap) - { + if let (Some(permutation_zs_cap_target), Some(permutation_zs_cap)) = ( + &proof_target.permutation_zs_cap, + &proof.permutation_ctl_zs_cap, + ) { witness.set_cap_target(permutation_zs_cap_target, permutation_zs_cap); } diff --git a/starky2/src/verifier.rs b/starky2/src/verifier.rs index 7ef9381e..2f7a628e 100644 --- a/starky2/src/verifier.rs +++ b/starky2/src/verifier.rs @@ -44,8 +44,12 @@ where cross_table_lookups, } = all_stark; - let ctl_vars_per_table = - CTLCheckVars::from_proofs(&all_proof.proofs(), &cross_table_lookups, &ctl_challenges); + let ctl_vars_per_table = CTLCheckVars::from_proofs( + &all_proof.proofs(), + &cross_table_lookups, + &ctl_challenges, + 0, // TODO: Fix 0 + ); verify_stark_proof_with_challenges( cpu_stark, @@ -180,7 +184,7 @@ where } let merkle_caps = once(proof.trace_cap.clone()) - .chain(proof.permutation_zs_cap.clone()) + .chain(proof.permutation_ctl_zs_cap.clone()) .chain(once(proof.quotient_polys_cap.clone())) .collect_vec(); @@ -227,7 +231,7 @@ fn check_permutation_options< challenges: &StarkProofChallenges, ) -> Result<()> { let options_is_some = [ - proof_with_pis.proof.permutation_zs_cap.is_some(), + proof_with_pis.proof.permutation_ctl_zs_cap.is_some(), proof_with_pis .proof .openings
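Review bot: The `if let (Some(..), Some(..))` in `set_stark_proof_target` does nothing when the target has a cap slot but the proof has none, or the other way round, so a mismatch between circuit and proof shows up later as an unset target rather than at its cause. A `match` with an explicit failure arm for the two mixed cases would make this fail early. The target-side field and the local bindings are still named `permutation_zs_cap` while the proof field is now `permutation_ctl_zs_cap`; renaming them would keep both sides recognisable as the same commitment. The function starts and ends outside the hunk.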
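Review bot: Passing a literal `0` for `num_permutation_zs` makes the verifier build its CTL check variables starting at the first opened Z value, so for any table that uses permutation arguments the permutation Z openings would be read as CTL Z openings. The single argument is also applied to every proof in `all_proof.proofs()`, whereas the count presumably differs per table; it should be derived from each table's STARK and config rather than from one constant. Until that is done, `// TODO: Fix 0` deserves a tracked issue reference and a short statement of the consequence, since it sits on the verification path. The enclosing function starts and ends outside the hunk.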