Went back to proper fiat shamir

mimc_stark/fri.py

@@ -30,7 +30,6 @@ def prove_low_degree(values, root_of_unity, maxdeg_plus_1, modulus, exclude_mult
 
     # Select a pseudo-random x coordinate
     special_x = int.from_bytes(m[1], 'big') % modulus
-    special_x = root_of_unity + 5
 
     # Calculate the "column" at that x coordinate
     # (see https://vitalik.ca/general/2017/11/22/starks_part_2.html)
@@ -90,7 +89,6 @@ def verify_low_degree_proof(merkle_root, root_of_unity, proof, maxdeg_plus_1, mo
 
         # Calculate the pseudo-random x coordinate
         special_x = int.from_bytes(merkle_root, 'big') % modulus
-        special_x = root_of_unity + 5
 
         # Calculate the pseudo-randomly sampled y indices
         ys = get_pseudorandom_indices(root2, roudeg // 4, 40,

mimc_stark/mimc_stark.py

@@ -4,7 +4,7 @@ from poly_utils import PrimeField
 import time
 from fft import fft
 from fri import prove_low_degree, verify_low_degree_proof
-from utils import get_power_cycle, get_pseudorandom_indices
+from utils import get_power_cycle, get_pseudorandom_indices, is_a_power_of_2
 
 modulus = 2**256 - 2**32 * 351 + 1
 f = PrimeField(modulus)
@@ -13,20 +13,22 @@ nonresidue = 7
 spot_check_security_factor = 80
 extension_factor = 8
 
-# Compute a MIMC permutation for 2**logsteps steps
-def mimc(inp, logsteps, round_constants):
+# Compute a MIMC permutation for some number of steps
+def mimc(inp, steps, round_constants):
     start_time = time.time()
-    steps = 2**logsteps
     for i in range(steps-1):
         inp = (inp**3 + round_constants[i % len(round_constants)]) % modulus
     print("MIMC computed in %.4f sec" % (time.time() - start_time))
     return inp
 
 # Generate a STARK for a MIMC calculation
-def mk_mimc_proof(inp, logsteps, round_constants):
+def mk_mimc_proof(inp, steps, round_constants):
     start_time = time.time()
-    assert logsteps <= 29
-    steps = 2**logsteps
+    # Some constraints to make our job easier
+    assert steps <= 2**32 // extension_factor
+    assert is_a_power_of_2(steps) and is_a_power_of_2(len(round_constants))
+    assert len(round_constants) < steps
+
     precision = steps * extension_factor
 
     # Root of unity such that x^precision=1
@@ -140,11 +142,13 @@ def mk_mimc_proof(inp, logsteps, round_constants):
     return o
 
 # Verifies a STARK
-def verify_mimc_proof(inp, logsteps, round_constants, output, proof):
+def verify_mimc_proof(inp, steps, round_constants, output, proof):
     p_root, d_root, b_root, l_root, branches, fri_proof = proof
     start_time = time.time()
+    assert steps <= 2**32 // extension_factor
+    assert is_a_power_of_2(steps) and is_a_power_of_2(len(round_constants))
+    assert len(round_constants) < steps
 
-    steps = 2**logsteps
     precision = steps * extension_factor
 
     # Get (steps)th root of unity

mimc_stark/test.py

@@ -40,12 +40,12 @@ def test_stark():
     import random
     #constants = [random.randrange(modulus) for i in range(64)]
     constants = [(i**7) ^ 42 for i in range(64)]
-    proof = mk_mimc_proof(INPUT, LOGSTEPS, constants)
+    proof = mk_mimc_proof(INPUT, 2**LOGSTEPS, constants)
     p_root, d_root, b_root, l_root, branches, fri_proof = proof
     L1 = bin_length(compress_branches(branches))
     L2 = bin_length(compress_fri(fri_proof))
     print("Approx proof length: %d (branches), %d (FRI proof), %d (total)" % (L1, L2, L1 + L2))
-    assert verify_mimc_proof(3, LOGSTEPS, constants, mimc(3, LOGSTEPS, constants), proof)
+    assert verify_mimc_proof(3, 2**LOGSTEPS, constants, mimc(3, 2**LOGSTEPS, constants), proof)
 
 if __name__ == '__main__':
     test_stark()

mimc_stark/utils.py

@@ -20,3 +20,6 @@ def get_pseudorandom_indices(seed, modulus, count, exclude_multiples_of=0):
         real_modulus = modulus * (exclude_multiples_of - 1) // exclude_multiples_of
         o = [int.from_bytes(data[i: i+4], 'big') % real_modulus for i in range(0, count * 4, 4)]
         return [x+1+x//(exclude_multiples_of-1) for x in o]
+
+def is_a_power_of_2(x):
+    return True if x==1 else False if x%2 else is_a_power_of_2(x//2)