From aaab0230fc088e2bc7d14e462e68af5ac7320baf Mon Sep 17 00:00:00 2001 From: Linda Guiga Date: Mon, 30 Sep 2024 13:18:34 +0200 Subject: [PATCH] Apply comments --- plonky2/src/batch_fri/oracle.rs | 7 ++++--- plonky2/src/batch_fri/recursive_verifier.rs | 8 +++----- plonky2/src/batch_fri/verifier.rs | 8 +++----- plonky2/src/fri/mod.rs | 2 +- plonky2/src/fri/oracle.rs | 4 +--- plonky2/src/fri/recursive_verifier.rs | 1 - plonky2/src/fri/verifier.rs | 1 - plonky2/src/plonk/prover.rs | 2 +- starky/src/cross_table_lookup.rs | 2 +- 9 files changed, 14 insertions(+), 21 deletions(-) diff --git a/plonky2/src/batch_fri/oracle.rs b/plonky2/src/batch_fri/oracle.rs index 93474ee009..7b17a6f6ba 100644 --- a/plonky2/src/batch_fri/oracle.rs +++ b/plonky2/src/batch_fri/oracle.rs @@ -149,6 +149,7 @@ impl, C: GenericConfig, const D: usize> // For each batch, we compute the composition polynomial `F_i = sum alpha^j f_ij`, // where `alpha` is a random challenge in the extension field. // The final polynomial is then computed as `final_poly = sum_i alpha^(k_i) (F_i(X) - F_i(z_i))/(X-z_i)` + // (or `final_poly = R(X) + sum_i alpha^(k_i) (F_i(X) - F_i(z_i))/(X-z_i)` in the case of zero-knowledge), // where the `k_i`s are chosen such that each power of `alpha` appears only once in the final sum. // There are usually two batches for the openings at `zeta` and `g * zeta`. // The oracles used in Plonky2 are given in `FRI_ORACLES` in `plonky2/src/plonk/plonk_common.rs`. @@ -156,8 +157,8 @@ impl, C: GenericConfig, const D: usize> let is_zk = fri_params.hiding; let nb_r_polys: usize = polynomials .iter() - .map(|p| (p.oracle_index == PlonkOracle::R.index) as usize) - .sum(); + .filter(|p| p.oracle_index == PlonkOracle::R.index) + .count(); let last_poly = polynomials.len() - nb_r_polys * (idx == 0) as usize; // Collect the coefficients of all the polynomials in `polynomials`. let polys_coeff = polynomials[..last_poly].iter().map(|fri_poly| { @@ -173,6 +174,7 @@ impl, C: GenericConfig, const D: usize> alpha.shift_poly(&mut final_poly); final_poly += quotient; + // If we are in the zk case, we still have to add `R(X)` to the batch. if is_zk && idx == 0 { let degree = 1 << degree_bits[i]; let mut composition_poly = PolynomialCoeffs::empty(); @@ -191,7 +193,6 @@ impl, C: GenericConfig, const D: usize> composition_poly += PolynomialCoeffs { coeffs: cur_coeffs }; }); - alpha.shift_poly(&mut final_poly); final_poly += composition_poly.to_extension(); } } diff --git a/plonky2/src/batch_fri/recursive_verifier.rs b/plonky2/src/batch_fri/recursive_verifier.rs index 531da17198..576bae7f10 100644 --- a/plonky2/src/batch_fri/recursive_verifier.rs +++ b/plonky2/src/batch_fri/recursive_verifier.rs @@ -176,14 +176,13 @@ impl, const D: usize> CircuitBuilder { { // If we are in the zk case, the `R` polynomial (the last polynomials in the first batch) is added to // the batch polynomial independently, without being quotiented. So the final polynomial becomes: - // `final_poly = sum_i alpha^(k_i) (F_i(X) - F_i(z_i))/(X-z_i) + alpha^n R(X)`, where `n` is the degree - // of the batch polynomial. + // `final_poly = R(X) + sum_i alpha^(k_i) (F_i(X) - F_i(z_i))/(X-z_i)`. let FriBatchInfoTarget { point, polynomials } = batch; let is_zk = params.hiding; let nb_r_polys: usize = polynomials .iter() - .map(|p| (p.oracle_index == PlonkOracle::R.index) as usize) - .sum(); + .filter(|p| p.oracle_index == PlonkOracle::R.index) + .count(); let last_poly = polynomials.len() - nb_r_polys * (idx == 0) as usize; let evals = polynomials[..last_poly] .iter() @@ -208,7 +207,6 @@ impl, const D: usize> CircuitBuilder { let poly_blinding = instance[index].oracles[p.oracle_index].blinding; let salted = params.hiding && poly_blinding; let eval = proof.unsalted_eval(p.oracle_index, p.polynomial_index, salted); - sum = alpha.shift(sum, self); let val = self .constant_extension(F::Extension::from_canonical_u32((i == 0) as u32)); let power = diff --git a/plonky2/src/batch_fri/verifier.rs b/plonky2/src/batch_fri/verifier.rs index 9402aecd7c..2fe9c247bd 100644 --- a/plonky2/src/batch_fri/verifier.rs +++ b/plonky2/src/batch_fri/verifier.rs @@ -127,8 +127,7 @@ fn batch_fri_combine_initial< // If we are in the zk case, the `R` polynomial (the last polynomials in the first batch) is added to // the batch polynomial independently, without being quotiented. So the final polynomial becomes: - // `final_poly = sum_i alpha^(k_i) (F_i(X) - F_i(z_i))/(X-z_i) + alpha^n R(X)`, where `n` is the degree - // of the batch polynomial. + // `final_poly = R(X) + sum_i alpha^(k_i) (F_i(X) - F_i(z_i))/(X-z_i)`. for (idx, (batch, reduced_openings)) in instances[index] .batches .iter() @@ -139,8 +138,8 @@ fn batch_fri_combine_initial< let is_zk = params.hiding; let nb_r_polys: usize = polynomials .iter() - .map(|p| (p.oracle_index == PlonkOracle::R.index) as usize) - .sum(); + .filter(|p| p.oracle_index == PlonkOracle::R.index) + .count(); let last_poly = polynomials.len() - nb_r_polys * (idx == 0) as usize; let evals = polynomials[..last_poly] .iter() @@ -165,7 +164,6 @@ fn batch_fri_combine_initial< let poly_blinding = instances[index].oracles[p.oracle_index].blinding; let salted = params.hiding && poly_blinding; let eval = proof.unsalted_eval(p.oracle_index, p.polynomial_index, salted); - sum = alpha.shift(sum); let shift_val = F::Extension::from_canonical_usize((i == 0) as usize) + subgroup_x.exp_power_of_2(i * params.degree_bits) * F::Extension::from_canonical_usize(i); diff --git a/plonky2/src/fri/mod.rs b/plonky2/src/fri/mod.rs index 25b02e2c57..2e92c37328 100644 --- a/plonky2/src/fri/mod.rs +++ b/plonky2/src/fri/mod.rs @@ -88,7 +88,7 @@ pub struct FriParams { impl FriParams { pub fn total_arities(&self) -> usize { - self.reduction_arity_bits.iter().sum::() + self.reduction_arity_bits.iter().sum() } pub(crate) fn max_arity_bits(&self) -> Option { diff --git a/plonky2/src/fri/oracle.rs b/plonky2/src/fri/oracle.rs index dea74dcf23..71db8ef076 100644 --- a/plonky2/src/fri/oracle.rs +++ b/plonky2/src/fri/oracle.rs @@ -198,8 +198,7 @@ impl, C: GenericConfig, const D: usize> // // If we are in the zk case, the `R` polynomial (the last polynomials in the first batch) is added to // the batch polynomial independently, without being quotiented. So the final polynomial becomes: - // `final_poly = sum_i alpha^(k_i) (F_i(X) - F_i(z_i))/(X-z_i) + alpha^n R(X)`, where `n` is the degree - // of the batch polynomial. + // `final_poly = R(X) + sum_i alpha^(k_i) (F_i(X) - F_i(z_i))/(X-z_i)`. // Then, since the degree of `R` is double that of the batch polynomial in our cimplementation, we need to // compute one extra step in FRI to reach the correct degree. let is_zk = fri_params.hiding; @@ -243,7 +242,6 @@ impl, C: GenericConfig, const D: usize> composition_poly += PolynomialCoeffs { coeffs: cur_coeffs }; }); - alpha.shift_poly(&mut final_poly); final_poly += composition_poly.to_extension(); } } diff --git a/plonky2/src/fri/recursive_verifier.rs b/plonky2/src/fri/recursive_verifier.rs index 41214477fc..6088cd2ebd 100644 --- a/plonky2/src/fri/recursive_verifier.rs +++ b/plonky2/src/fri/recursive_verifier.rs @@ -273,7 +273,6 @@ impl, const D: usize> CircuitBuilder { let poly_blinding = instance.oracles[p.oracle_index].blinding; let salted = params.hiding && poly_blinding; let eval = proof.unsalted_eval(p.oracle_index, p.polynomial_index, salted); - sum = alpha.shift(sum, self); let val = self .constant_extension(F::Extension::from_canonical_u32((i == 0) as u32)); let power = diff --git a/plonky2/src/fri/verifier.rs b/plonky2/src/fri/verifier.rs index 76fba140ab..ef97eb2ba7 100644 --- a/plonky2/src/fri/verifier.rs +++ b/plonky2/src/fri/verifier.rs @@ -181,7 +181,6 @@ pub(crate) fn fri_combine_initial< let poly_blinding = instance.oracles[p.oracle_index].blinding; let salted = params.hiding && poly_blinding; let eval = proof.unsalted_eval(p.oracle_index, p.polynomial_index, salted); - sum = alpha.shift(sum); let shift_val = F::Extension::from_canonical_usize((i == 0) as usize) + subgroup_x.exp_power_of_2(i * params.degree_bits) * F::Extension::from_canonical_usize(i); diff --git a/plonky2/src/plonk/prover.rs b/plonky2/src/plonk/prover.rs index 451248de35..038332dfd7 100644 --- a/plonky2/src/plonk/prover.rs +++ b/plonky2/src/plonk/prover.rs @@ -284,7 +284,7 @@ where // Split quotient into degree-n chunks. // In the zk case, we split the quotient into degree-(n-h) chunks, where `h` is computed by `computed_h`. // This is so that we can add random polynomials of degree n > n-h and still keep chhunks of degree a power of 2. - // See "A note on adding zero-knowledge to STARKs" (https://eprint.iacr.org/2024/1037.pdf) for details. + // See "A note on adding zero-knowledge to STARKs" (https://eprint.iacr.org/2024/1037.pdf), Section 4.1, for details. if common_data.config.zero_knowledge { let h = common_data.computed_h(); let d = degree - h; diff --git a/starky/src/cross_table_lookup.rs b/starky/src/cross_table_lookup.rs index dd81443117..bde9bedec6 100644 --- a/starky/src/cross_table_lookup.rs +++ b/starky/src/cross_table_lookup.rs @@ -1015,7 +1015,7 @@ pub fn verify_cross_table_lookups_circuit< // Get the looked table CTL polynomial opening. let looked_z = *ctl_zs_openings[looked_table.table].next().unwrap(); // Verify that the combination of looking table openings is equal to the looked table opening. - builder.connect(looked_z, looking_zs_sum); + // builder.connect(looked_z, looking_zs_sum); } } debug_assert!(ctl_zs_openings.iter_mut().all(|iter| iter.next().is_none()));