The effect on soundness error is negligible for our current field, but this introduces an assertion that could fail if we changed to a field with more elements in the "ambiguous" range.
My previous change introduced a bug -- when `num_routed_wires` was a multiple of 8, the partial products "consumed" all `num_routed_wires` terms, whereas we actually want to leave 8 terms for the final product.
This also changes `check_partial_products` to include the final product constraint, and merges `vanishing_v_shift_terms` into `vanishing_partial_products_terms`. I think this is natural since `Z(x)`, partial products, and `Z(g x)` are all part of the product accumulator chain.
Just passing the "combined constraints" buffer into `eval_filtered_recursively`, so that we can combine a mul by the filter with an add into the buffer. Saves 56 wires.
* Specialize `InterpolationGate`
To cosets of subgroups of roots of unity. This way
- `InterpolationGate` needs fewer routed wires, bringing our minimum routed wires down from 28 to 25.
- The recursive `compute_evaluation` avoids some multiplications, saving 100~200 gates depending on `num_routed_wires`.
* Update test
* feedback
* More wires for ConstantGate
* fix
* fix
* Optimize recursive Poseidon constraint evaluation
- Avoid `ArithmeticGate`s with unique constants; use `ConstantGate` wires instead
- Avoid an unnecessary squaring in exponentiations
Brings Poseidon evaluation down to a reasonable 273 gates when `num_routed_wires = 48`.
* Shrink further with another couple layers of recursion
To keep it reasonably fast, we shrink to degree 2^12 before we start using a really high rate. Each layer is reasonably quick this way; overall time is ~20s for me.
Final proof is now 52-54kb. It can go down to ~51kb if we add one more layer with `num_routed_wires: 28` (vs 32), but I feel like I may be overcomplicating this already...
* Batched eval_vanishing_poly_base
* Reduce the number of allocations
* Lints
* Delete unused things
* Minor: fix a debug_assert
* Daniel PR comments
* Lints
* Daniel PR comments
* 2 challenges, 28 routed wires
2 challenges gives certain checks approximately (field_bits - degree_bits) * 2 bits of security, so we maintain our target of 100 bits for circuits with 2^14 gates or fewer.
28 routed wires is the min for `InterpolationGate`. A lower number helps reduce proof sizes. We can go back to a high number if there's any strong reason to reduce our gate count (e.g. if we were trying to hit 2^12).
* Check FRI conjectured security
* Fix
