Struct HidingFriPcs

pub struct HidingFriPcs<Val, Dft, InputMmcs, FriMmcs, R> { /* private fields */ }

A hiding FRI PCS. Both MMCSs must also be hiding; this is not enforced at compile time so it’s the user’s responsibility to configure.

Implementations

impl<Val, Dft, InputMmcs, FriMmcs, R> HidingFriPcs<Val, Dft, InputMmcs, FriMmcs, R>

pub fn new( dft: Dft, mmcs: InputMmcs, params: FriParameters<FriMmcs>, num_random_codewords: usize, rng: R, ) -> Self

Trait Implementations

impl<Val: Clone, Dft: Clone, InputMmcs: Clone, FriMmcs: Clone, R: Clone> Clone for HidingFriPcs<Val, Dft, InputMmcs, FriMmcs, R>

fn clone(&self) -> HidingFriPcs<Val, Dft, InputMmcs, FriMmcs, R>

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl<Val: Debug, Dft: Debug, InputMmcs: Debug, FriMmcs: Debug, R: Debug> Debug for HidingFriPcs<Val, Dft, InputMmcs, FriMmcs, R>

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<Val, Dft, InputMmcs, FriMmcs, Challenge, Challenger, R> Pcs<Challenge, Challenger> for HidingFriPcs<Val, Dft, InputMmcs, FriMmcs, R>

where Val: TwoAdicField, StandardUniform: Distribution<Val>, Dft: TwoAdicSubgroupDft<Val>, InputMmcs: Mmcs<Val>, FriMmcs: Mmcs<Challenge>, Challenge: TwoAdicField + ExtensionField<Val>, Challenger: FieldChallenger<Val> + CanObserve<FriMmcs::Commitment> + GrindingChallenger<Witness = Val>, R: Rng + Send + Sync,

type Proof = (Vec<Vec<Vec<Vec<Challenge>>>>, FriProof<Challenge, FriMmcs, Val, Vec<BatchOpening<Val, InputMmcs>>>)

The first item contains the openings of the random polynomials added by this wrapper. The second item is the usual FRI proof.

fn get_quotient_ldes( &self, evaluations: impl IntoIterator<Item = (Self::Domain, RowMajorMatrix<Val>)>, num_chunks: usize, ) -> Vec<RowMajorMatrix<Val>>

Get the quotient polynomial LDEs. We first decompose the quotient polynomial into num_chunks many smaller polynomials each of degree degree / num_chunks. These quotient polynomials are then randomized as explained in Section 4.2 of https://eprint.iacr.org/2024/1037.pdf .

Arguments

• quotient_domain the domain of the quotient polynomial.
• quotient_evaluations the evaluations of the quotient polynomial over the domain. This should be in standard (not bit-reversed) order.
• num_chunks the number of smaller polynomials to decompose the quotient polynomial into.

Panics

This function panics if num_chunks is either 0 or 1. The first case makes no logical sense and in the second case, the resulting commitment would not be hiding.

const ZK: bool = true

Set to true to activate randomization and achieve zero-knowledge.

type Domain = TwoAdicMultiplicativeCoset<Val>

The class of evaluation domains that this commitment scheme works over.

type Commitment = <InputMmcs as Mmcs<Val>>::Commitment

The commitment that’s sent to the verifier.

type ProverData = <InputMmcs as Mmcs<Val>>::ProverData<DenseMatrix<Val>>

Data that the prover stores for committed polynomials, to help the prover with opening.

type EvaluationsOnDomain<'a> = HorizontallyTruncated<Val, RowIndexMappedView<BitReversalPerm, DenseMatrix<Val, &'a [Val]>>>

Type of the output of get_evaluations_on_domain.

type Error = FriError<<FriMmcs as Mmcs<Challenge>>::Error, <InputMmcs as Mmcs<Val>>::Error>

The type of a proof verification error.

fn natural_domain_for_degree(&self, degree: usize) -> Self::Domain

This should return a domain such that Domain::next_point returns Some.

fn commit( &self, evaluations: impl IntoIterator<Item = (Self::Domain, RowMajorMatrix<Val>)>, ) -> (Self::Commitment, Self::ProverData)

Given a collection of evaluation matrices, produce a binding commitment to the polynomials defined by those evaluations. If zk is enabled, the evaluations are first randomized as explained in Section 3 of https://eprint.iacr.org/2024/1037.pdf .

fn commit_preprocessing( &self, evaluations: impl IntoIterator<Item = (Self::Domain, RowMajorMatrix<Val>)>, ) -> (Self::Commitment, Self::ProverData)

Same as commit but without randomization. This is used for preprocessed columns which do not have to be randomized even when ZK is enabled. Note that the preprocessed columns still need to be padded to the extended domain height.

fn commit_ldes( &self, ldes: Vec<RowMajorMatrix<Val>>, ) -> (Self::Commitment, Self::ProverData)

Commits to a collection of LDE evaluation matrices.

fn get_evaluations_on_domain<'a>( &self, prover_data: &'a Self::ProverData, idx: usize, domain: Self::Domain, ) -> Self::EvaluationsOnDomain<'a>

Given prover data corresponding to a commitment to a collection of evaluation matrices, return the evaluations of those matrices on the given domain.

fn get_evaluations_on_domain_no_random<'a>( &self, prover_data: &'a Self::ProverData, idx: usize, domain: Self::Domain, ) -> Self::EvaluationsOnDomain<'a>

This is the same as get_evaluations_on_domain but without randomization. This is used for preprocessed columns which do not have to be randomized even when ZK is enabled.

fn open( &self, rounds: Vec<(&Self::ProverData, Vec<Vec<Challenge>>)>, challenger: &mut Challenger, ) -> (OpenedValues<Challenge>, Self::Proof)

Open a collection of polynomial commitments at a set of points. Produce the values at those points along with a proof of correctness.

fn open_with_preprocessing( &self, rounds: Vec<(&Self::ProverData, Vec<Vec<Challenge>>)>, challenger: &mut Challenger, is_preprocessing: bool, ) -> (OpenedValues<Challenge>, Self::Proof)

Open a collection of polynomial commitments at a set of points, when there is preprocessing data. It is the same as open when ZK is disabled. Produce the values at those points along with a proof of correctness.

fn verify( &self, rounds: Vec<(Self::Commitment, Vec<(Self::Domain, Vec<(Challenge, Vec<Challenge>)>)>)>, proof: &Self::Proof, challenger: &mut Challenger, ) -> Result<(), Self::Error>

Verify that a collection of opened values is correct.

fn get_opt_randomization_poly_commitment( &self, ext_trace_domains: impl IntoIterator<Item = Self::Domain>, ) -> Option<(Self::Commitment, Self::ProverData)>

const TRACE_IDX: usize = _

Index of the trace commitment in the computed opened values.

const QUOTIENT_IDX: usize = _

Index of the quotient commitments in the computed opened values.

const PREPROCESSED_TRACE_IDX: usize = _

Index of the preprocessed trace commitment in the computed opened values.

fn commit_quotient( &self, quotient_domain: Self::Domain, quotient_evaluations: DenseMatrix<<Self::Domain as PolynomialSpace>::Val>, num_chunks: usize, ) -> (Self::Commitment, Self::ProverData)

Commit to the quotient polynomial. We first decompose the quotient polynomial into num_chunks many smaller polynomials each of degree degree / num_chunks. This can have minor performance benefits, but is not strictly necessary in the non zk case. When zk is enabled, this commitment will additionally include some randomization process to hide the inputs.