diff --git a/include/nil/crypto3/zk/commitments/detail/polynomial/basic_fri.hpp b/include/nil/crypto3/zk/commitments/detail/polynomial/basic_fri.hpp index 0391dd97b..965f426e8 100644 --- a/include/nil/crypto3/zk/commitments/detail/polynomial/basic_fri.hpp +++ b/include/nil/crypto3/zk/commitments/detail/polynomial/basic_fri.hpp @@ -132,21 +132,21 @@ namespace nil { }; struct round_proof_type { - bool operator==(const round_proof_type &rhs) const { - return p == rhs.p && T_root == rhs.T_root && colinear_path == rhs.colinear_path; - } + // bool operator==(const round_proof_type &rhs) const { + // return p == rhs.p && T_root == rhs.T_root && colinear_path == rhs.colinear_path; + // } - bool operator!=(const round_proof_type &rhs) const { - return !(rhs == *this); - } + // bool operator!=(const round_proof_type &rhs) const { + // return !(rhs == *this); + // } // y and colinear value are stored in proof_type::values; // for i-th round y = proof_type::values[i]; colinear_value = // proof_type::values[i+1]; - merkle_proof_type p; // for y - typename merkle_tree_type::value_type T_root; - merkle_proof_type colinear_path; // for colinear_value + std::vector p; // for y + std::vector T_root; + std::vector colinear_path; // for colinear_value }; struct proof_type { @@ -173,7 +173,7 @@ namespace nil { math::polynomial, leaf_size>::type final_polynomials_type; - std::vector round_proofs; // 0..r-2 + round_proof_type round_proofs; // 0..r-2 final_polynomials_type final_polynomials; rounds_polynomials_values_type values; // y-s and colinear_values for round_proof_type @@ -406,6 +406,25 @@ namespace nil { return typename FRI::merkle_proof_type(tree, min_x_index); } + template + static inline std::vector + make_compressed_proof_specialized(const std::vector x_indeces, const std::vector domain_sizes, + const typename FRI::merkle_tree_type &tree) { + std::vector compressed_proofs; + std::vector min_x_indeces(x_indeces.size()); + for (std::size_t i = 0; i < x_indeces.size(); i++) { + min_x_indeces[i] = std::min(x_indeces[i], get_paired_index(x_indeces[i], domain_sizes[i])); + } + return containers::generate_compressed_proofs(tree, min_x_indeces); + } + + template + static inline bool + validate_compressed_proofs(const std::vector &compressed_proofs, + const std::vector> &leafs_data) { + return containers::validate_compressed_proofs, typename FRI::merkle_tree_hash_type, FRI::m>(compressed_proofs, leafs_data); + } + template static inline std::size_t get_folded_index(std::size_t x_index, std::size_t domain_size, const std::size_t fri_step) { @@ -575,7 +594,7 @@ namespace nil { std::uint64_t x_index = (transcript.template int_challenge()) % domain_size; typename FRI::field_type::value_type x = fri_params.D[0]->get_domain_element(x_index); - std::vector round_proofs; + typename FRI::round_proof_type round_proofs; std::unique_ptr p_tree = std::make_unique(T); typename FRI::merkle_tree_type T_next; @@ -585,6 +604,7 @@ namespace nil { std::vector> s_indices; typename FRI::rounds_polynomials_values_type values; + auto colinear_domain = fri_params.D[basis_index]->size(); for (std::size_t i = 0; i < fri_params.step_list.size() - 1; i++) { domain_size = fri_params.D[basis_index]->size(); @@ -625,8 +645,17 @@ namespace nil { } // TODO: check if leaf index calculation is correct - auto p = make_proof_specialized( - get_folded_index(x_index, domain_size, fri_params.step_list[i]), domain_size, *p_tree); + if (i == 0) { + auto p = make_proof_specialized( + get_folded_index(x_index, domain_size, fri_params.step_list[i]), domain_size, *p_tree); + round_proofs.p.push_back(p); + } else { + auto compressed = make_compressed_proof_specialized({get_folded_index(x_index, domain_size, fri_params.step_list[i]), + get_folded_index(x_index, fri_params.D[basis_index]->size(), fri_params.step_list[i])}, + {domain_size, colinear_domain}, *p_tree); + round_proofs.p.push_back(compressed[0]); + round_proofs.colinear_path.push_back(compressed[1]); + } typename FRI::polynomials_values_type colinear_value; if constexpr (!FRI::is_const_size) { @@ -679,13 +708,16 @@ namespace nil { fri_params.step_list[i + 1]); // new merkle tree transcript(commit(T_next)); - typename FRI::merkle_proof_type colinear_path = make_proof_specialized( - get_folded_index(x_index, fri_params.D[basis_index]->size(), - fri_params.step_list[i + 1]), - fri_params.D[basis_index]->size(), T_next); - - round_proofs.push_back(typename FRI::round_proof_type({p, p_tree->root(), colinear_path})); + if (i == fri_params.step_list.size() - 2) { + auto colinear_path = make_proof_specialized( + get_folded_index(x_index, fri_params.D[basis_index]->size(), + fri_params.step_list[i + 1]), + fri_params.D[basis_index]->size(), T_next); + round_proofs.colinear_path.push_back(colinear_path); + } + round_proofs.T_root.push_back(p_tree->root()); + p_tree = std::make_unique(T_next); } @@ -850,6 +882,7 @@ namespace nil { } } + std::vector leaf_data_colinear; std::size_t basis_index = 0; for (std::size_t i = 0; i < fri_params.step_list.size() - 1; i++) { domain_size = fri_params.D[basis_index]->size(); @@ -867,9 +900,9 @@ namespace nil { const std::size_t coset_size = 1 << fri_params.step_list[i]; auto correct_order_idx = get_correct_order(x_index, domain_size, fri_params.step_list[i], s_indices); - std::vector leaf_data(coset_size * FRI::field_element_type::length() * + std::vector leaf_data_p(coset_size * FRI::field_element_type::length() * leaf_size); - auto write_iter = leaf_data.begin(); + auto write_iter = leaf_data_p.begin(); for (std::size_t polynom_index = 0; polynom_index < leaf_size; polynom_index++) { for (auto [idx, pair_idx] : correct_order_idx) { typename FRI::field_element_type leaf_val0( @@ -880,16 +913,21 @@ namespace nil { leaf_val1.write(write_iter, FRI::field_element_type::length()); } } - if (!proof.round_proofs[i].p.validate(leaf_data)) { - return false; - } - - // Check merkle roots. + + // Check merkle proofs and roots. if (i == 0) { - if (t_polynomials != proof.round_proofs[i].p.root()) + if (!proof.round_proofs.p[i].validate(leaf_data_p)) { + return false; + } + if (t_polynomials != proof.round_proofs.p[i].root()) return false; } else { - if (proof.round_proofs[i - 1].colinear_path.root() != proof.round_proofs[i].T_root) + if (!validate_compressed_proofs({proof.round_proofs.p[i], + proof.round_proofs.colinear_path[i - 1]}, + {leaf_data_p, leaf_data_colinear})) { + return false; + } + if (proof.round_proofs.colinear_path[i - 1].root() != proof.round_proofs.T_root[i]) return false; } } @@ -956,8 +994,8 @@ namespace nil { const std::size_t coset_size = 1 << fri_params.step_list[i + 1]; auto correct_order_idx = get_correct_order(x_index_next, fri_params.D[basis_index]->size(), fri_params.step_list[i + 1], s_indices); - std::vector leaf_data(coset_size * FRI::field_element_type::length() * leaf_size); - auto write_iter = leaf_data.begin(); + leaf_data_colinear = std::vector(coset_size * FRI::field_element_type::length() * leaf_size); + auto write_iter = leaf_data_colinear.begin(); typename FRI::field_type::value_type alpha = transcript.template challenge(); @@ -988,9 +1026,11 @@ namespace nil { } } - transcript(proof.round_proofs[i].colinear_path.root()); - if (!proof.round_proofs[i].colinear_path.validate(leaf_data)) { - return false; + transcript(proof.round_proofs.colinear_path[i].root()); + if (i == fri_params.step_list.size() - 2) { + if (!proof.round_proofs.colinear_path[i].validate(leaf_data_colinear)) { + return false; + } } x_index = x_index_next; @@ -1001,7 +1041,7 @@ namespace nil { commit(precommit(proof.final_polynomials, fri_params.D[basis_index], fri_params.step_list[fri_params.step_list.size() - 1])); - if (final_root != proof.round_proofs[fri_params.step_list.size() - 2].colinear_path.root()) { + if (final_root != proof.round_proofs.colinear_path[fri_params.step_list.size() - 2].root()) { return false; } diff --git a/include/nil/crypto3/zk/commitments/polynomial/lpc.hpp b/include/nil/crypto3/zk/commitments/polynomial/lpc.hpp index 81525a1c4..164573b2e 100644 --- a/include/nil/crypto3/zk/commitments/polynomial/lpc.hpp +++ b/include/nil/crypto3/zk/commitments/polynomial/lpc.hpp @@ -218,7 +218,7 @@ namespace nil { for (std::size_t round_id = 0; round_id <= LPC::lambda - 1; round_id++) { fri_proof[round_id] = proof_eval(Q, g, T, fri_params, transcript); - BOOST_ASSERT(fri_proof[round_id].round_proofs[0].T_root == commit(T)); + BOOST_ASSERT(fri_proof[round_id].round_proofs.T_root[0] == commit(T)); } return typename LPC::proof_type({z, commit(T), fri_proof}); @@ -389,7 +389,7 @@ namespace nil { for (std::size_t round_id = 0; round_id <= LPC::lambda - 1; round_id++) { fri_proof[round_id] = proof_eval(Q, g, T, fri_params, transcript); - BOOST_ASSERT(fri_proof[round_id].round_proofs[0].T_root == commit(T)); + BOOST_ASSERT(fri_proof[round_id].round_proofs.T_root[0] == commit(T)); } return typename LPC::proof_type({z, commit(T), fri_proof}); @@ -588,7 +588,7 @@ namespace nil { for (std::size_t round_id = 0; round_id <= LPC::lambda - 1; round_id++) { fri_proof[round_id] = proof_eval(Q, g, T, fri_params, transcript); - BOOST_ASSERT(fri_proof[round_id].round_proofs[0].T_root == commit(T)); + BOOST_ASSERT(fri_proof[round_id].round_proofs.T_root[0] == commit(T)); } return typename LPC::proof_type({z, commit(T), fri_proof}); diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index 4e2528d00..3bd6f36b0 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -133,7 +133,7 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { zk::transcript::fiat_shamir_heuristic_sequential transcript_verifier(init_blob); BOOST_CHECK( - zk::algorithms::verify_eval(proof, params, proof.round_proofs[0].T_root, transcript_verifier)); + zk::algorithms::verify_eval(proof, params, proof.round_proofs.T_root[0], transcript_verifier)); typename FieldType::value_type verifier_next_challenge = transcript_verifier.template challenge(); typename FieldType::value_type prover_next_challenge = transcript.template challenge(); @@ -195,7 +195,7 @@ BOOST_AUTO_TEST_CASE(fri_basic_skipping_layers_test) { zk::transcript::fiat_shamir_heuristic_sequential transcript_verifier(init_blob); BOOST_CHECK( - zk::algorithms::verify_eval(proof, params, proof.round_proofs[0].T_root, transcript_verifier)); + zk::algorithms::verify_eval(proof, params, proof.round_proofs.T_root[0], transcript_verifier)); typename FieldType::value_type verifier_next_challenge = transcript_verifier.template challenge(); typename FieldType::value_type prover_next_challenge = transcript.template challenge(); @@ -306,7 +306,7 @@ BOOST_AUTO_TEST_CASE(batched_fri_basic_compile_time_size_test) { zk::transcript::fiat_shamir_heuristic_sequential transcript_verifier(init_blob); BOOST_CHECK( - zk::algorithms::verify_eval(proof, params, proof.round_proofs[0].T_root, transcript_verifier)); + zk::algorithms::verify_eval(proof, params, proof.round_proofs.T_root[0], transcript_verifier)); typename FieldType::value_type verifier_next_challenge = transcript_verifier.template challenge(); typename FieldType::value_type prover_next_challenge = transcript.template challenge(); @@ -374,7 +374,7 @@ BOOST_AUTO_TEST_CASE(batched_fri_basic_compile_time_size_skipping_layers_test) { zk::transcript::fiat_shamir_heuristic_sequential transcript_verifier(init_blob); BOOST_CHECK( - zk::algorithms::verify_eval(proof, params, proof.round_proofs[0].T_root, transcript_verifier)); + zk::algorithms::verify_eval(proof, params, proof.round_proofs.T_root[0], transcript_verifier)); typename FieldType::value_type verifier_next_challenge = transcript_verifier.template challenge(); typename FieldType::value_type prover_next_challenge = transcript.template challenge(); @@ -434,7 +434,7 @@ BOOST_AUTO_TEST_CASE(batched_fri_basic_runtime_size_test) { zk::transcript::fiat_shamir_heuristic_sequential transcript_verifier(init_blob); BOOST_CHECK( - zk::algorithms::verify_eval(proof, params, proof.round_proofs[0].T_root, transcript_verifier)); + zk::algorithms::verify_eval(proof, params, proof.round_proofs.T_root[0], transcript_verifier)); typename FieldType::value_type verifier_next_challenge = transcript_verifier.template challenge(); typename FieldType::value_type prover_next_challenge = transcript.template challenge(); @@ -500,7 +500,7 @@ BOOST_AUTO_TEST_CASE(batched_fri_basic_runtime_size_skipping_layers_test) { zk::transcript::fiat_shamir_heuristic_sequential transcript_verifier(init_blob); BOOST_CHECK( - zk::algorithms::verify_eval(proof, params, proof.round_proofs[0].T_root, transcript_verifier)); + zk::algorithms::verify_eval(proof, params, proof.round_proofs.T_root[0], transcript_verifier)); typename FieldType::value_type verifier_next_challenge = transcript_verifier.template challenge(); typename FieldType::value_type prover_next_challenge = transcript.template challenge(); @@ -565,7 +565,7 @@ BOOST_AUTO_TEST_CASE(fri_dfs_basic_test) { zk::transcript::fiat_shamir_heuristic_sequential transcript_verifier(init_blob); BOOST_CHECK( - zk::algorithms::verify_eval(proof, params, proof.round_proofs[0].T_root, transcript_verifier)); + zk::algorithms::verify_eval(proof, params, proof.round_proofs.T_root[0], transcript_verifier)); typename FieldType::value_type verifier_next_challenge = transcript_verifier.template challenge(); typename FieldType::value_type prover_next_challenge = transcript.template challenge(); @@ -629,7 +629,7 @@ BOOST_AUTO_TEST_CASE(fri_dfs_basic_skipping_layers_test) { zk::transcript::fiat_shamir_heuristic_sequential transcript_verifier(init_blob); BOOST_CHECK( - zk::algorithms::verify_eval(proof, params, proof.round_proofs[0].T_root, transcript_verifier)); + zk::algorithms::verify_eval(proof, params, proof.round_proofs.T_root[0], transcript_verifier)); typename FieldType::value_type verifier_next_challenge = transcript_verifier.template challenge(); typename FieldType::value_type prover_next_challenge = transcript.template challenge(); @@ -690,7 +690,7 @@ BOOST_AUTO_TEST_CASE(fri_dfs_test_2) { zk::transcript::fiat_shamir_heuristic_sequential transcript_verifier(init_blob); BOOST_CHECK( - zk::algorithms::verify_eval(proof, params, proof.round_proofs[0].T_root, transcript_verifier)); + zk::algorithms::verify_eval(proof, params, proof.round_proofs.T_root[0], transcript_verifier)); typename FieldType::value_type verifier_next_challenge = transcript_verifier.template challenge(); typename FieldType::value_type prover_next_challenge = transcript.template challenge(); @@ -765,7 +765,7 @@ BOOST_AUTO_TEST_CASE(batched_fri_dfs_basic_test) { zk::transcript::fiat_shamir_heuristic_sequential transcript_verifier(init_blob); BOOST_CHECK( - zk::algorithms::verify_eval(proof, params, proof.round_proofs[0].T_root, transcript_verifier)); + zk::algorithms::verify_eval(proof, params, proof.round_proofs.T_root[0], transcript_verifier)); typename FieldType::value_type verifier_next_challenge = transcript_verifier.template challenge(); typename FieldType::value_type prover_next_challenge = transcript.template challenge(); @@ -841,7 +841,7 @@ BOOST_AUTO_TEST_CASE(batched_fri_dfs_basic_skipping_layers_test) { zk::transcript::fiat_shamir_heuristic_sequential transcript_verifier(init_blob); BOOST_CHECK( - zk::algorithms::verify_eval(proof, params, proof.round_proofs[0].T_root, transcript_verifier)); + zk::algorithms::verify_eval(proof, params, proof.round_proofs.T_root[0], transcript_verifier)); typename FieldType::value_type verifier_next_challenge = transcript_verifier.template challenge(); typename FieldType::value_type prover_next_challenge = transcript.template challenge(); @@ -918,7 +918,7 @@ BOOST_AUTO_TEST_CASE(batched_fri_dfs_test_2) { zk::transcript::fiat_shamir_heuristic_sequential transcript_verifier(init_blob); BOOST_CHECK( - zk::algorithms::verify_eval(proof, params, proof.round_proofs[0].T_root, transcript_verifier)); + zk::algorithms::verify_eval(proof, params, proof.round_proofs.T_root[0], transcript_verifier)); typename FieldType::value_type verifier_next_challenge = transcript_verifier.template challenge(); typename FieldType::value_type prover_next_challenge = transcript.template challenge();