It works fine if we bound recursion methods with `C::Hasher: AlgebraicHasher<F>`. This bound feels natural to me - it's like saying "the recursion methods assume the inner hasher has a circuit implementation".
FFTs became proper benches, while recursion became tests. We might consider having either bins or benches for recursion in the future, but the code in this old recursion bin won't be useful, so might as well delete it for now.
I.e. instead of opening `Z` at `zeta` and `g zeta` by running FRI on a quotient involving an interpolant, we just run FRI on two separate opening expressions, one for `zeta` and one for `g zeta`.
A few motivations for this:
- I think this will make it slightly easier to generalize our FRI code to work with STARKs. I.e. if we have an object representing the structure of polynomial openings in an IOP, that object will be slightly simpler.
- It's less code. We could potentially remove some more code, e.g. the generality of `compute_quotient` is no longer needed, but I left it for now.
- It saves 3 gates!
* Simpler Keccak pseudo-permutation
After rejecting a value, I think it's a little simpler to continue the hash chain vs retrying with an incremented nonce.
* PR feedback
* fix byte order
My goal is to make the FRI code independent of circuit objects like `CommonCircuitData`, so that it can be reused by STARK code which won't involve those objects.
A few changes here:
- Move `rate_bits` and `cap_height` into `FriConfig`.
- Move `degree_bits` into `FriParameters` (since it's instance size specific).
- Make `FriParams` contain `FriConfig`, so FRI methods can take just the former and access fields in both.
- Replace `CommonCircuitConfig` with `FriParams` in FRI prover methods.
The FRI verifier methods still involve circuit objects, as they have PLONK logic in `fri_combine_initial`. Will think about how to deal with that after this.
* Split into crates
I kept other changes to a minimum, so 95% of this is just moving things. One complication that came up is that since `PrimeField` is now outside the plonky2 crate, these two impls now conflict:
```
impl<F: PrimeField> From<HashOut<F>> for Vec<u8> { ... }
impl<F: PrimeField> From<HashOut<F>> for Vec<F> { ... }
```
with this note:
```
note: upstream crates may add a new impl of trait `plonky2_field::field_types::PrimeField` for type `u8` in future versions
```
I worked around this by adding a `GenericHashOut` trait with methods like `to_bytes()` instead of overloading `From`/`Into`. Personally I prefer the explicitness anyway.
* Move out permutation network stuff also
* Fix imports
* Fix import
* Also move out insertion
* Comment
* fmt
* PR feedback
* Print timing for a regular Poseidon recursive proof
Rather than the Keccak-256 proof. I kept it but hid the timing since it's less important to us. Alternatively we could test Keccak-256 only in the size-optimized test, since that's basically testing a bridge proof. Let me know if you have a preference.
* Remove Keccak proof per PR discussion
