From 71f01491b08f7688235d65da347e8693da1ea5de Mon Sep 17 00:00:00 2001 From: Sergey Vasilyev Date: Wed, 20 May 2026 14:08:36 +0300 Subject: [PATCH 1/7] quotient computed by piop --- w3f-plonk-common/src/piop.rs | 24 +++++++++++++++++++++++- w3f-plonk-common/src/prover.rs | 19 ++----------------- w3f-ring-proof/src/piop/prover.rs | 20 ++++++++++++-------- 3 files changed, 37 insertions(+), 26 deletions(-) diff --git a/w3f-plonk-common/src/piop.rs b/w3f-plonk-common/src/piop.rs index 81e5333..56c0b96 100644 --- a/w3f-plonk-common/src/piop.rs +++ b/w3f-plonk-common/src/piop.rs @@ -1,4 +1,4 @@ -use ark_ff::PrimeField; +use ark_ff::{FftField, PrimeField}; use ark_poly::univariate::DensePolynomial; use ark_poly::Evaluations; use ark_serialize::{CanonicalDeserialize, CanonicalSerialize}; @@ -9,6 +9,8 @@ use crate::domain::{Domain, EvaluatedDomain}; use crate::{ColumnsCommited, ColumnsEvaluated}; pub trait ProverPiop> { + const N_CONSTRAINTS: usize; + type Commitments: ColumnsCommited; type Evaluations: ColumnsEvaluated; type Instance: CanonicalSerialize + CanonicalDeserialize; @@ -29,6 +31,16 @@ pub trait ProverPiop> { // Constraint polynomials in evaluation form. fn constraints(&self) -> Vec>; + fn quotient(&self, alphas: &[F]) -> DensePolynomial { + let constraint_polys = self.constraints(); + // Aggregate constraint polynomials in evaluation form... + let agg_constraint_poly = aggregate_evaluations(&constraint_polys, &alphas); + // ...and then interpolate (to save some FFTs). + let agg_constraint_poly = agg_constraint_poly.interpolate(); + let quotient_poly = self.domain().divide_by_vanishing_poly(&agg_constraint_poly); + quotient_poly + } + // 'Linearized' parts of constraint polynomials. // For a constraint of the form C = C(c1(X),...,ck(X),c1(wX),...,ck(wX)), where ci's are of degree n, // and an evaluation point z, it is a degree n polynomial r = C(c1(z),...,ck(z),c1(X),...,ck(X)). @@ -41,6 +53,16 @@ pub trait ProverPiop> { fn result(&self) -> Self::Instance; } +fn aggregate_evaluations(polys: &[Evaluations], coeffs: &[F]) -> Evaluations { + assert_eq!(coeffs.len(), polys.len()); + polys + .iter() + .zip(coeffs.iter()) + .map(|(p, &c)| p * c) + .reduce(|acc, p| &acc + &p) + .unwrap() +} + pub trait VerifierPiop> { const N_CONSTRAINTS: usize; const N_COLUMNS: usize; diff --git a/w3f-plonk-common/src/prover.rs b/w3f-plonk-common/src/prover.rs index 1233922..a5c4e07 100644 --- a/w3f-plonk-common/src/prover.rs +++ b/w3f-plonk-common/src/prover.rs @@ -62,13 +62,8 @@ impl, T: PlonkTranscript> PlonkProver transcript.add_committed_cols(&column_commitments); // ROUND 2 - let constraint_polys = piop.constraints(); - let alphas = transcript.get_constraints_aggregation_coeffs(constraint_polys.len()); - // Aggregate constraint polynomials in evaluation form... - let agg_constraint_poly = Self::aggregate_evaluations(&constraint_polys, &alphas); - // ...and then interpolate (to save some FFTs). - let agg_constraint_poly = agg_constraint_poly.interpolate(); - let quotient_poly = piop.domain().divide_by_vanishing_poly(&agg_constraint_poly); + let alphas = transcript.get_constraints_aggregation_coeffs(P::N_CONSTRAINTS); + let quotient_poly = piop.quotient(&alphas); // The prover commits to the quotient polynomial... let quotient_commitment = CS::commit(&self.pcs_ck, "ient_poly).unwrap(); transcript.add_quotient_commitment("ient_commitment); @@ -137,14 +132,4 @@ impl, T: PlonkTranscript> PlonkProver lin_at_zeta_omega_proof, } } - - pub fn aggregate_evaluations(polys: &[Evaluations], coeffs: &[F]) -> Evaluations { - assert_eq!(coeffs.len(), polys.len()); - polys - .iter() - .zip(coeffs.iter()) - .map(|(p, &c)| p * c) - .reduce(|acc, p| &acc + &p) - .unwrap() - } } diff --git a/w3f-ring-proof/src/piop/prover.rs b/w3f-ring-proof/src/piop/prover.rs index ca06cea..bec7254 100644 --- a/w3f-ring-proof/src/piop/prover.rs +++ b/w3f-ring-proof/src/piop/prover.rs @@ -24,7 +24,7 @@ use w3f_plonk_common::FieldColumn; // The 'table': columns representing the execution trace of the computation // and the constraints -- polynomials that vanish on every 2 consecutive rows. -pub struct PiopProver> { +pub struct PiopProver> { domain: Domain, /// Advice (public input) columns points: AffineColumn, @@ -40,7 +40,7 @@ pub struct PiopProver> { cond_add_acc_y: FixedCells, } -impl> PiopProver { +impl> PiopProver { pub fn build( params: &PiopParams, fixed_columns: FixedColumns, @@ -142,8 +142,10 @@ impl ProverPiop for PiopProver> where F: PrimeField, C: Commitment, - Curve: TECurveConfig, + Curve: TECurveConfig, { + const N_CONSTRAINTS: usize = 7; + type Commitments = RingCommitments; type Evaluations = RingEvaluations; type Instance = TeAffine; @@ -174,7 +176,7 @@ where self.cond_add_acc_y.constraints(), self.inner_prod_acc.constraints(), ] - .concat() + .concat() } fn constraints_lin(&self, zeta: &F) -> Vec> { @@ -186,7 +188,7 @@ where self.cond_add_acc_y.constraints_linearized(zeta), self.inner_prod_acc.constraints_linearized(zeta), ] - .concat() + .concat() } fn domain(&self) -> &Domain { @@ -202,8 +204,10 @@ impl ProverPiop for PiopProver> where F: PrimeField, C: Commitment, - Curve: SWCurveConfig, + Curve: SWCurveConfig, { + const N_CONSTRAINTS: usize = 7; + type Commitments = RingCommitments; type Evaluations = RingEvaluations; type Instance = SwAffine; @@ -234,7 +238,7 @@ where self.cond_add_acc_y.constraints(), self.inner_prod_acc.constraints(), ] - .concat() + .concat() } fn constraints_lin(&self, zeta: &F) -> Vec> { @@ -246,7 +250,7 @@ where self.cond_add_acc_y.constraints_linearized(zeta), self.inner_prod_acc.constraints_linearized(zeta), ] - .concat() + .concat() } fn domain(&self) -> &Domain { From d96a05e99ff607ccfd0ab1314808afe72acb269e Mon Sep 17 00:00:00 2001 From: Sergey Vasilyev Date: Wed, 20 May 2026 14:18:34 +0300 Subject: [PATCH 2/7] quotient computed by piop --- w3f-plonk-common/src/piop.rs | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/w3f-plonk-common/src/piop.rs b/w3f-plonk-common/src/piop.rs index 56c0b96..d851fac 100644 --- a/w3f-plonk-common/src/piop.rs +++ b/w3f-plonk-common/src/piop.rs @@ -41,6 +41,16 @@ pub trait ProverPiop> { quotient_poly } + fn quotient(&self, alphas: &[F]) -> DensePolynomial { + let constraint_polys = self.constraints(); + // Aggregate constraint polynomials in evaluation form... + let agg_constraint_poly = aggregate_evaluations(&constraint_polys, &alphas); + // ...and then interpolate (to save some FFTs). + let agg_constraint_poly = agg_constraint_poly.interpolate(); + let quotient_poly = self.domain().divide_by_vanishing_poly(&agg_constraint_poly); + quotient_poly + } + // 'Linearized' parts of constraint polynomials. // For a constraint of the form C = C(c1(X),...,ck(X),c1(wX),...,ck(wX)), where ci's are of degree n, // and an evaluation point z, it is a degree n polynomial r = C(c1(z),...,ck(z),c1(X),...,ck(X)). From ffc2149a9f8c0eae706ad1efe4ab34d0c6b1a621 Mon Sep 17 00:00:00 2001 From: Sergey Vasilyev Date: Wed, 20 May 2026 14:57:59 +0300 Subject: [PATCH 3/7] fix --- w3f-plonk-common/src/piop.rs | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/w3f-plonk-common/src/piop.rs b/w3f-plonk-common/src/piop.rs index d851fac..56c0b96 100644 --- a/w3f-plonk-common/src/piop.rs +++ b/w3f-plonk-common/src/piop.rs @@ -41,16 +41,6 @@ pub trait ProverPiop> { quotient_poly } - fn quotient(&self, alphas: &[F]) -> DensePolynomial { - let constraint_polys = self.constraints(); - // Aggregate constraint polynomials in evaluation form... - let agg_constraint_poly = aggregate_evaluations(&constraint_polys, &alphas); - // ...and then interpolate (to save some FFTs). - let agg_constraint_poly = agg_constraint_poly.interpolate(); - let quotient_poly = self.domain().divide_by_vanishing_poly(&agg_constraint_poly); - quotient_poly - } - // 'Linearized' parts of constraint polynomials. // For a constraint of the form C = C(c1(X),...,ck(X),c1(wX),...,ck(wX)), where ci's are of degree n, // and an evaluation point z, it is a degree n polynomial r = C(c1(z),...,ck(z),c1(X),...,ck(X)). From 5f36e56dd067460ce844bd5b3d362d9ed82951e5 Mon Sep 17 00:00:00 2001 From: Sergey Vasilyev Date: Wed, 20 May 2026 15:02:50 +0300 Subject: [PATCH 4/7] polynomial splitting --- w3f-plonk-common/src/domain.rs | 2 ++ w3f-plonk-common/src/kzg_acc.rs | 2 +- w3f-plonk-common/src/lib.rs | 4 ++-- w3f-plonk-common/src/piop.rs | 34 ++++++++++++++++++++++++++++++-- w3f-plonk-common/src/prover.rs | 20 +++++++++++-------- w3f-plonk-common/src/verifier.rs | 6 ++++-- w3f-ring-proof/src/lib.rs | 2 +- 7 files changed, 54 insertions(+), 16 deletions(-) diff --git a/w3f-plonk-common/src/domain.rs b/w3f-plonk-common/src/domain.rs index 34e0eb1..e08a39a 100644 --- a/w3f-plonk-common/src/domain.rs +++ b/w3f-plonk-common/src/domain.rs @@ -185,6 +185,7 @@ pub struct EvaluatedDomain { pub l_first: F, pub l_last: F, pub vanishing_polynomial_inv: F, + pub z_n: F, // z^n } impl EvaluatedDomain { @@ -224,6 +225,7 @@ impl EvaluatedDomain { l_first, l_last, vanishing_polynomial_inv, + z_n, } } diff --git a/w3f-plonk-common/src/kzg_acc.rs b/w3f-plonk-common/src/kzg_acc.rs index 0b7bbeb..45e3858 100644 --- a/w3f-plonk-common/src/kzg_acc.rs +++ b/w3f-plonk-common/src/kzg_acc.rs @@ -109,7 +109,7 @@ impl KzgAccumulator { .map(|c| c.0) .collect::>(), ); - self.acc_points.push(proof.quotient_commitment.clone().0); + // self.acc_points.push(proof.quotient_commitment.clone().0); self.acc_scalars .extend(challenges.nus.iter().map(|nu| *nu * r).collect::>()); // numbers should match here diff --git a/w3f-plonk-common/src/lib.rs b/w3f-plonk-common/src/lib.rs index 7f0f89d..1fcca3b 100644 --- a/w3f-plonk-common/src/lib.rs +++ b/w3f-plonk-common/src/lib.rs @@ -103,7 +103,7 @@ where { pub column_commitments: Commitments, pub columns_at_zeta: Evaluations, - pub quotient_commitment: CS::C, + pub quotient_commitment: Vec, pub lin_at_zeta_omega: F, pub agg_at_zeta_proof: CS::Proof, pub lin_at_zeta_omega_proof: CS::Proof, @@ -120,7 +120,7 @@ where { pub column_commitments: Commitments, pub columns_at_zeta: Evaluations, - pub quotient_commitment: C, + pub quotient_commitment: Vec, pub lin_at_zeta_omega: F, } diff --git a/w3f-plonk-common/src/piop.rs b/w3f-plonk-common/src/piop.rs index 56c0b96..9ddeed4 100644 --- a/w3f-plonk-common/src/piop.rs +++ b/w3f-plonk-common/src/piop.rs @@ -1,10 +1,10 @@ use ark_ff::{FftField, PrimeField}; use ark_poly::univariate::DensePolynomial; -use ark_poly::Evaluations; +use ark_poly::{DenseUVPolynomial, EvaluationDomain, Evaluations}; use ark_serialize::{CanonicalDeserialize, CanonicalSerialize}; use ark_std::vec::Vec; use w3f_pcs::pcs::Commitment; - +use w3f_pcs::utils; use crate::domain::{Domain, EvaluatedDomain}; use crate::{ColumnsCommited, ColumnsEvaluated}; @@ -41,6 +41,30 @@ pub trait ProverPiop> { quotient_poly } + fn split_quotient(&self, q: DensePolynomial) -> Vec> { + let n = self.domain().domains.x1.size(); + let chunks: Vec> = q.coeffs.chunks(n) + .map(|coeffs| DensePolynomial::from_coefficients_slice(coeffs)) + .collect(); + chunks + } + + fn quotient_chunks(&self, alphas: &[F]) -> Vec> { + let q = self.quotient(alphas); + self.split_quotient(q) + } + + fn folded_quotient(&self, chunks: &[DensePolynomial], zeta: F) -> DensePolynomial { + let n = self.domain().domains.x1.size() as u64; + let zn = zeta.pow([n]); + let folded = chunks.iter() + .zip(utils::powers(zn)) + .map(|(chunk, coeff)| chunk * coeff) + .reduce(|acc, new| acc + new) + .unwrap(); + folded + } + // 'Linearized' parts of constraint polynomials. // For a constraint of the form C = C(c1(X),...,ck(X),c1(wX),...,ck(wX)), where ci's are of degree n, // and an evaluation point z, it is a degree n polynomial r = C(c1(z),...,ck(z),c1(X),...,ck(X)). @@ -93,5 +117,11 @@ pub trait VerifierPiop> { // Commitment to the aggregated linearization polynomial without the constant term. fn lin_poly_commitment(&self, agg_coeffs: &[F]) -> (Vec, Vec); + fn quotient_commitment(&self, chunks: &[C]) -> C { + let zn = self.domain_evaluated().z_n; + let quotient = chunks.iter().zip(utils::powers(zn)).map(|(chunk, coeff)| chunk.mul(coeff)).sum(); + quotient + } + fn domain_evaluated(&self) -> &EvaluatedDomain; } diff --git a/w3f-plonk-common/src/prover.rs b/w3f-plonk-common/src/prover.rs index a5c4e07..38f20ea 100644 --- a/w3f-plonk-common/src/prover.rs +++ b/w3f-plonk-common/src/prover.rs @@ -1,11 +1,10 @@ use ark_ff::PrimeField; use ark_poly::univariate::DensePolynomial; -use ark_poly::{Evaluations, Polynomial}; +use ark_poly::Polynomial; use ark_serialize::CanonicalSerialize; use ark_std::format; use ark_std::vec::Vec; use ark_std::{end_timer, start_timer, vec}; - use w3f_pcs::aggregation::single::aggregate_polys; use w3f_pcs::pcs::PCS; @@ -63,15 +62,20 @@ impl, T: PlonkTranscript> PlonkProver // ROUND 2 let alphas = transcript.get_constraints_aggregation_coeffs(P::N_CONSTRAINTS); - let quotient_poly = piop.quotient(&alphas); + // let quotient_poly = piop.quotient(&alphas); // The prover commits to the quotient polynomial... - let quotient_commitment = CS::commit(&self.pcs_ck, "ient_poly).unwrap(); - transcript.add_quotient_commitment("ient_commitment); - + let quotient_chunks = piop.quotient_chunks(&alphas); + let chunks_committed: Vec<_> = quotient_chunks.iter() + .map(|qi| CS::commit(&self.pcs_ck, qi).unwrap()) + .collect(); + for qi_committed in chunks_committed.iter() { + transcript.add_quotient_commitment(&qi_committed); + } // and receives the evaluation point in response // ROUND 3 let zeta = transcript.get_evaluation_point(); + let q_folded = piop.folded_quotient("ient_chunks, zeta); let columns_to_open = piop.columns(); let columns_at_zeta = piop.columns_evaluated(&zeta); let constraint_polys_linearized = piop.constraints_lin(&zeta); @@ -82,11 +86,11 @@ impl, T: PlonkTranscript> PlonkProver transcript.add_evaluations(&columns_at_zeta, &lin_at_zeta_omega); let piop_proof = PiopProof { column_commitments, - quotient_commitment, + quotient_commitment: chunks_committed, columns_at_zeta, lin_at_zeta_omega, }; - let polys_at_zeta = [columns_to_open, vec![quotient_poly]].concat(); + let polys_at_zeta = [columns_to_open, vec![q_folded]].concat(); let pcs_openings = PcsOpeningAt2Points { polys_at_zeta, polys_at_zeta_omega: vec![lin], diff --git a/w3f-plonk-common/src/verifier.rs b/w3f-plonk-common/src/verifier.rs index 4561559..3929a9e 100644 --- a/w3f-plonk-common/src/verifier.rs +++ b/w3f-plonk-common/src/verifier.rs @@ -53,7 +53,7 @@ impl, T: PlonkTranscript> PlonkVerifier, T: PlonkTranscript> PlonkVerifier>(2usize.pow(9), 1); + _test_ring_proof::>(2usize.pow(12), 1); } #[test] From 2361be13db05393f2d6784b7bec3ac485d6d9a43 Mon Sep 17 00:00:00 2001 From: Sergey Vasilyev Date: Wed, 20 May 2026 15:29:16 +0300 Subject: [PATCH 5/7] accumulation fixed --- w3f-plonk-common/src/kzg_acc.rs | 8 ++++++-- w3f-plonk-common/src/piop.rs | 9 ++++++++- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/w3f-plonk-common/src/kzg_acc.rs b/w3f-plonk-common/src/kzg_acc.rs index 45e3858..cdd5a4b 100644 --- a/w3f-plonk-common/src/kzg_acc.rs +++ b/w3f-plonk-common/src/kzg_acc.rs @@ -1,3 +1,4 @@ +use std::io::Read; use crate::piop::VerifierPiop; use crate::verifier::Challenges; use crate::{ColumnsCommited, ColumnsEvaluated, Proof}; @@ -109,9 +110,12 @@ impl KzgAccumulator { .map(|c| c.0) .collect::>(), ); - // self.acc_points.push(proof.quotient_commitment.clone().0); + let mut r_nus = challenges.nus.iter().map(|nu| r * nu); + self.acc_scalars.extend(r_nus.by_ref().take(Piop::N_COLUMNS)); + self.acc_points.extend(proof.quotient_commitment.iter().map(|c| c.0)); + let r_nu_last = r_nus.next().unwrap(); self.acc_scalars - .extend(challenges.nus.iter().map(|nu| *nu * r).collect::>()); // numbers should match here + .extend(piop.chunk_coeffs().map(|c| r_nu_last * c).take(proof.quotient_commitment.len())); self.acc_points.push(proof.agg_at_zeta_proof); self.acc_scalars.push(zeta * r); diff --git a/w3f-plonk-common/src/piop.rs b/w3f-plonk-common/src/piop.rs index 9ddeed4..64385da 100644 --- a/w3f-plonk-common/src/piop.rs +++ b/w3f-plonk-common/src/piop.rs @@ -117,9 +117,16 @@ pub trait VerifierPiop> { // Commitment to the aggregated linearization polynomial without the constant term. fn lin_poly_commitment(&self, agg_coeffs: &[F]) -> (Vec, Vec); + fn chunk_coeffs(&self) -> impl Iterator { + let zn = self.domain_evaluated().z_n; + utils::powers(zn) + } + fn quotient_commitment(&self, chunks: &[C]) -> C { let zn = self.domain_evaluated().z_n; - let quotient = chunks.iter().zip(utils::powers(zn)).map(|(chunk, coeff)| chunk.mul(coeff)).sum(); + let quotient = chunks.iter().zip(self.chunk_coeffs()) + .map(|(chunk, coeff)| chunk.mul(coeff)) + .sum(); quotient } From 7c273e004025a0e21d242c063a5b5989bb668d28 Mon Sep 17 00:00:00 2001 From: Sergey Vasilyev Date: Wed, 20 May 2026 15:30:01 +0300 Subject: [PATCH 6/7] fmt --- w3f-ring-proof/src/piop/prover.rs | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/w3f-ring-proof/src/piop/prover.rs b/w3f-ring-proof/src/piop/prover.rs index bec7254..f7fe2ba 100644 --- a/w3f-ring-proof/src/piop/prover.rs +++ b/w3f-ring-proof/src/piop/prover.rs @@ -24,7 +24,7 @@ use w3f_plonk_common::FieldColumn; // The 'table': columns representing the execution trace of the computation // and the constraints -- polynomials that vanish on every 2 consecutive rows. -pub struct PiopProver> { +pub struct PiopProver> { domain: Domain, /// Advice (public input) columns points: AffineColumn, @@ -40,7 +40,7 @@ pub struct PiopProver> { cond_add_acc_y: FixedCells, } -impl> PiopProver { +impl> PiopProver { pub fn build( params: &PiopParams, fixed_columns: FixedColumns, @@ -142,7 +142,7 @@ impl ProverPiop for PiopProver> where F: PrimeField, C: Commitment, - Curve: TECurveConfig, + Curve: TECurveConfig, { const N_CONSTRAINTS: usize = 7; @@ -176,7 +176,7 @@ where self.cond_add_acc_y.constraints(), self.inner_prod_acc.constraints(), ] - .concat() + .concat() } fn constraints_lin(&self, zeta: &F) -> Vec> { @@ -188,7 +188,7 @@ where self.cond_add_acc_y.constraints_linearized(zeta), self.inner_prod_acc.constraints_linearized(zeta), ] - .concat() + .concat() } fn domain(&self) -> &Domain { @@ -204,7 +204,7 @@ impl ProverPiop for PiopProver> where F: PrimeField, C: Commitment, - Curve: SWCurveConfig, + Curve: SWCurveConfig, { const N_CONSTRAINTS: usize = 7; @@ -238,7 +238,7 @@ where self.cond_add_acc_y.constraints(), self.inner_prod_acc.constraints(), ] - .concat() + .concat() } fn constraints_lin(&self, zeta: &F) -> Vec> { @@ -250,7 +250,7 @@ where self.cond_add_acc_y.constraints_linearized(zeta), self.inner_prod_acc.constraints_linearized(zeta), ] - .concat() + .concat() } fn domain(&self) -> &Domain { From 2e7dcd325ac75692710e2cdd51d6c9748472d41b Mon Sep 17 00:00:00 2001 From: Sergey Vasilyev Date: Wed, 20 May 2026 15:47:56 +0300 Subject: [PATCH 7/7] warnings --- w3f-plonk-common/src/kzg_acc.rs | 14 +++++++++----- w3f-plonk-common/src/piop.rs | 16 ++++++++++------ w3f-plonk-common/src/prover.rs | 3 ++- 3 files changed, 21 insertions(+), 12 deletions(-) diff --git a/w3f-plonk-common/src/kzg_acc.rs b/w3f-plonk-common/src/kzg_acc.rs index cdd5a4b..fa51a5b 100644 --- a/w3f-plonk-common/src/kzg_acc.rs +++ b/w3f-plonk-common/src/kzg_acc.rs @@ -1,4 +1,3 @@ -use std::io::Read; use crate::piop::VerifierPiop; use crate::verifier::Challenges; use crate::{ColumnsCommited, ColumnsEvaluated, Proof}; @@ -111,11 +110,16 @@ impl KzgAccumulator { .collect::>(), ); let mut r_nus = challenges.nus.iter().map(|nu| r * nu); - self.acc_scalars.extend(r_nus.by_ref().take(Piop::N_COLUMNS)); - self.acc_points.extend(proof.quotient_commitment.iter().map(|c| c.0)); - let r_nu_last = r_nus.next().unwrap(); self.acc_scalars - .extend(piop.chunk_coeffs().map(|c| r_nu_last * c).take(proof.quotient_commitment.len())); + .extend(r_nus.by_ref().take(Piop::N_COLUMNS)); + self.acc_points + .extend(proof.quotient_commitment.iter().map(|c| c.0)); + let r_nu_last = r_nus.next().unwrap(); + self.acc_scalars.extend( + piop.chunk_coeffs() + .map(|c| r_nu_last * c) + .take(proof.quotient_commitment.len()), + ); self.acc_points.push(proof.agg_at_zeta_proof); self.acc_scalars.push(zeta * r); diff --git a/w3f-plonk-common/src/piop.rs b/w3f-plonk-common/src/piop.rs index 64385da..a1c6a28 100644 --- a/w3f-plonk-common/src/piop.rs +++ b/w3f-plonk-common/src/piop.rs @@ -1,3 +1,5 @@ +use crate::domain::{Domain, EvaluatedDomain}; +use crate::{ColumnsCommited, ColumnsEvaluated}; use ark_ff::{FftField, PrimeField}; use ark_poly::univariate::DensePolynomial; use ark_poly::{DenseUVPolynomial, EvaluationDomain, Evaluations}; @@ -5,8 +7,6 @@ use ark_serialize::{CanonicalDeserialize, CanonicalSerialize}; use ark_std::vec::Vec; use w3f_pcs::pcs::Commitment; use w3f_pcs::utils; -use crate::domain::{Domain, EvaluatedDomain}; -use crate::{ColumnsCommited, ColumnsEvaluated}; pub trait ProverPiop> { const N_CONSTRAINTS: usize; @@ -43,7 +43,9 @@ pub trait ProverPiop> { fn split_quotient(&self, q: DensePolynomial) -> Vec> { let n = self.domain().domains.x1.size(); - let chunks: Vec> = q.coeffs.chunks(n) + let chunks: Vec> = q + .coeffs + .chunks(n) .map(|coeffs| DensePolynomial::from_coefficients_slice(coeffs)) .collect(); chunks @@ -57,7 +59,8 @@ pub trait ProverPiop> { fn folded_quotient(&self, chunks: &[DensePolynomial], zeta: F) -> DensePolynomial { let n = self.domain().domains.x1.size() as u64; let zn = zeta.pow([n]); - let folded = chunks.iter() + let folded = chunks + .iter() .zip(utils::powers(zn)) .map(|(chunk, coeff)| chunk * coeff) .reduce(|acc, new| acc + new) @@ -123,8 +126,9 @@ pub trait VerifierPiop> { } fn quotient_commitment(&self, chunks: &[C]) -> C { - let zn = self.domain_evaluated().z_n; - let quotient = chunks.iter().zip(self.chunk_coeffs()) + let quotient = chunks + .iter() + .zip(self.chunk_coeffs()) .map(|(chunk, coeff)| chunk.mul(coeff)) .sum(); quotient diff --git a/w3f-plonk-common/src/prover.rs b/w3f-plonk-common/src/prover.rs index 38f20ea..3296f9a 100644 --- a/w3f-plonk-common/src/prover.rs +++ b/w3f-plonk-common/src/prover.rs @@ -65,7 +65,8 @@ impl, T: PlonkTranscript> PlonkProver // let quotient_poly = piop.quotient(&alphas); // The prover commits to the quotient polynomial... let quotient_chunks = piop.quotient_chunks(&alphas); - let chunks_committed: Vec<_> = quotient_chunks.iter() + let chunks_committed: Vec<_> = quotient_chunks + .iter() .map(|qi| CS::commit(&self.pcs_ck, qi).unwrap()) .collect(); for qi_committed in chunks_committed.iter() {