From 65b9bc059882bfba0bc8a10b871101f1642b2f85 Mon Sep 17 00:00:00 2001
From: Shahar Papini <43779613+spapinistarkware@users.noreply.github.com>
Date: Wed, 3 Apr 2024 14:55:59 +0300
Subject: [PATCH] FRI using simple merkle (#530)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

<!-- Reviewable:start -->
This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/starkware-libs/stwo/530)
<!-- Reviewable:end -->
---
 src/commitment_scheme/prover.rs      | 10 +++
 src/core/commitment_scheme/prover.rs |  6 +-
 src/core/fri.rs                      | 97 ++++++++++++++--------------
 3 files changed, 61 insertions(+), 52 deletions(-)

diff --git a/src/commitment_scheme/prover.rs b/src/commitment_scheme/prover.rs
index 108afd61d..cfd91f192 100644
--- a/src/commitment_scheme/prover.rs
+++ b/src/commitment_scheme/prover.rs
@@ -78,6 +78,7 @@ impl<B: MerkleOps<H>, H: MerkleHasher> MerkleProver<B, H> {
         columns: Vec<&Col<B, BaseField>>,
     ) -> (ColumnVec<Vec<BaseField>>, MerkleDecommitment<H>) {
         // Check that queries are sorted and deduped.
+        // TODO(andrew): Consider using a Queries struct to prevent this.
         for queries in queries_per_log_size.values() {
             assert!(
                 queries.windows(2).all(|w| w[0] < w[1]),
@@ -220,3 +221,12 @@ impl<H: MerkleHasher> MerkleDecommitment<H> {
         }
     }
 }
+// TODO(andreW): Remove these in favor of the `derivative` crate.
+impl<H: MerkleHasher> Clone for MerkleDecommitment<H> {
+    fn clone(&self) -> Self {
+        Self {
+            hash_witness: self.hash_witness.clone(),
+            column_witness: self.column_witness.clone(),
+        }
+    }
+}
diff --git a/src/core/commitment_scheme/prover.rs b/src/core/commitment_scheme/prover.rs
index e2e5385e5..455541163 100644
--- a/src/core/commitment_scheme/prover.rs
+++ b/src/core/commitment_scheme/prover.rs
@@ -18,7 +18,7 @@ use super::super::prover::{
 use super::super::ColumnVec;
 use super::quotients::{compute_fri_quotients, PointSample};
 use super::utils::TreeVec;
-use crate::commitment_scheme::blake2_hash::{Blake2sHash, Blake2sHasher};
+use crate::commitment_scheme::blake2_hash::Blake2sHash;
 use crate::commitment_scheme::blake2_merkle::Blake2sMerkleHasher;
 use crate::commitment_scheme::prover::{MerkleDecommitment, MerkleProver};
 use crate::core::channel::Channel;
@@ -91,7 +91,7 @@ impl CommitmentSchemeProver {
         // Run FRI commitment phase on the oods quotients.
         let fri_config = FriConfig::new(LOG_LAST_LAYER_DEGREE_BOUND, LOG_BLOWUP_FACTOR, N_QUERIES);
         let fri_prover =
-            FriProver::<CPUBackend, Blake2sHasher>::commit(channel, fri_config, &quotients);
+            FriProver::<CPUBackend, Blake2sMerkleHasher>::commit(channel, fri_config, &quotients);
 
         // Proof of work.
         let proof_of_work = ProofOfWork::new(PROOF_OF_WORK_BITS).prove(channel);
@@ -127,7 +127,7 @@ pub struct CommitmentSchemeProof {
     pub decommitments: TreeVec<MerkleDecommitment<MerkleHasher>>,
     pub queried_values: TreeVec<ColumnVec<Vec<BaseField>>>,
     pub proof_of_work: ProofOfWorkProof,
-    pub fri_proof: FriProof<Blake2sHasher>,
+    pub fri_proof: FriProof<Blake2sMerkleHasher>,
 }
 
 /// Prover data for a single commitment tree in a commitment scheme. The commitment scheme allows to
diff --git a/src/core/fri.rs b/src/core/fri.rs
index 1dcaaa4e6..adbfb0c9e 100644
--- a/src/core/fri.rs
+++ b/src/core/fri.rs
@@ -10,16 +10,16 @@ use thiserror::Error;
 
 use super::backend::{Backend, CPUBackend};
 use super::channel::Channel;
-use super::fields::m31::BaseField;
 use super::fields::qm31::SecureField;
+use super::fields::secure_column::SecureColumn;
 use super::poly::circle::{CircleEvaluation, SecureEvaluation};
 use super::poly::line::{LineEvaluation, LinePoly};
 use super::poly::BitReversedOrder;
 // TODO(andrew): Create fri/ directory, move queries.rs there and split this file up.
 use super::queries::{Queries, SparseSubCircleDomain};
-use crate::commitment_scheme::hasher::Hasher;
-use crate::commitment_scheme::merkle_decommitment::MerkleDecommitment;
-use crate::commitment_scheme::merkle_tree::MerkleTree;
+use crate::commitment_scheme::ops::{MerkleHasher, MerkleOps};
+use crate::commitment_scheme::prover::{MerkleDecommitment, MerkleProver};
+use crate::commitment_scheme::verifier::MerkleVerifier;
 use crate::core::circle::Coset;
 use crate::core::poly::line::LineDomain;
 use crate::core::utils::bit_reverse_index;
@@ -104,7 +104,7 @@ pub trait FriOps: Backend + Sized {
 }
 
 /// A FRI prover that applies the FRI protocol to prove a set of polynomials are of low degree.
-pub struct FriProver<B: FriOps, H: Hasher> {
+pub struct FriProver<B: FriOps + MerkleOps<H>, H: MerkleHasher> {
     config: FriConfig,
     inner_layers: Vec<FriLayerProver<B, H>>,
     last_layer_poly: LinePoly,
@@ -112,7 +112,7 @@ pub struct FriProver<B: FriOps, H: Hasher> {
     column_log_sizes: Vec<u32>,
 }
 
-impl<B: FriOps, H: Hasher<NativeType = u8>> FriProver<B, H> {
+impl<B: FriOps + MerkleOps<H>, H: MerkleHasher> FriProver<B, H> {
     /// Commits to multiple [CircleEvaluation]s.
     ///
     /// `columns` must be provided in descending order by size.
@@ -273,7 +273,7 @@ impl<B: FriOps, H: Hasher<NativeType = u8>> FriProver<B, H> {
     }
 }
 
-pub struct FriVerifier<H: Hasher> {
+pub struct FriVerifier<H: MerkleHasher> {
     config: FriConfig,
     /// Alpha used to fold all circle polynomials to univariate polynomials.
     circle_poly_alpha: SecureField,
@@ -289,7 +289,7 @@ pub struct FriVerifier<H: Hasher> {
     queries: Option<Queries>,
 }
 
-impl<H: Hasher<NativeType = u8>> FriVerifier<H> {
+impl<H: MerkleHasher> FriVerifier<H> {
     /// Verifies the commitment stage of FRI.
     ///
     /// `column_bounds` should be the committed circle polynomial degree bounds in descending order.
@@ -328,7 +328,7 @@ impl<H: Hasher<NativeType = u8>> FriVerifier<H> {
         ));
 
         for (layer_index, proof) in proof.inner_layers.into_iter().enumerate() {
-            channel.mix_digest(proof.commitment);
+            channel.mix_digest(proof.commitment.clone());
 
             let folding_alpha = channel.draw_felt();
 
@@ -591,7 +591,7 @@ impl LinePolyDegreeBound {
 
 /// A FRI proof.
 #[derive(Debug)]
-pub struct FriProof<H: Hasher> {
+pub struct FriProof<H: MerkleHasher> {
     pub inner_layers: Vec<FriLayerProof<H>>,
     pub last_layer_poly: LinePoly,
 }
@@ -607,15 +607,15 @@ pub const CIRCLE_TO_LINE_FOLD_STEP: u32 = 1;
 ///
 /// The subset corresponds to the set of evaluations needed by a FRI verifier.
 #[derive(Debug)]
-pub struct FriLayerProof<H: Hasher> {
+pub struct FriLayerProof<H: MerkleHasher> {
     /// The subset stored corresponds to the set of evaluations the verifier doesn't have but needs
     /// to fold and verify the merkle decommitment.
     pub evals_subset: Vec<SecureField>,
-    pub decommitment: MerkleDecommitment<BaseField, H>,
+    pub decommitment: MerkleDecommitment<H>,
     pub commitment: H::Hash,
 }
 
-struct FriLayerVerifier<H: Hasher> {
+struct FriLayerVerifier<H: MerkleHasher> {
     degree_bound: LinePolyDegreeBound,
     domain: LineDomain,
     folding_alpha: SecureField,
@@ -623,7 +623,7 @@ struct FriLayerVerifier<H: Hasher> {
     proof: FriLayerProof<H>,
 }
 
-impl<H: Hasher<NativeType = u8>> FriLayerVerifier<H> {
+impl<H: MerkleHasher> FriLayerVerifier<H> {
     /// Verifies the layer's merkle decommitment and returns the the folded queries and query evals.
     ///
     /// # Errors
@@ -640,38 +640,18 @@ impl<H: Hasher<NativeType = u8>> FriLayerVerifier<H> {
         queries: Queries,
         evals_at_queries: Vec<SecureField>,
     ) -> Result<(Queries, Vec<SecureField>), FriVerificationError> {
-        let decommitment = &self.proof.decommitment;
-        let commitment = self.proof.commitment;
+        let decommitment = self.proof.decommitment.clone();
+        let commitment = self.proof.commitment.clone();
 
         // Extract the evals needed for decommitment and folding.
         let sparse_evaluation = self.extract_evaluation(&queries, &evals_at_queries)?;
 
         // TODO: When leaf values are removed from the decommitment, also remove this block.
-        {
-            let mut expected_decommitment_evals = Vec::new();
-
-            for leaf in decommitment.values() {
-                // Ensure each leaf is a single value.
-                if let Ok(evals) = leaf.try_into() {
-                    expected_decommitment_evals.push(SecureField::from_m31_array(evals));
-                } else {
-                    return Err(FriVerificationError::InnerLayerCommitmentInvalid {
-                        layer: self.layer_index,
-                    });
-                }
-            }
-
-            let actual_decommitment_evals = sparse_evaluation
-                .subline_evals
-                .iter()
-                .flat_map(|e| e.values.into_iter());
-
-            if !actual_decommitment_evals.eq(expected_decommitment_evals) {
-                return Err(FriVerificationError::InnerLayerCommitmentInvalid {
-                    layer: self.layer_index,
-                });
-            }
-        }
+        let actual_decommitment_evals: SecureColumn<CPUBackend> = sparse_evaluation
+            .subline_evals
+            .iter()
+            .flat_map(|e| e.values.into_iter())
+            .collect();
 
         let folded_queries = queries.fold(FOLD_STEP);
 
@@ -685,7 +665,21 @@ impl<H: Hasher<NativeType = u8>> FriLayerVerifier<H> {
             })
             .collect::<Vec<usize>>();
 
-        if !decommitment.verify(commitment, &decommitment_positions) {
+        let merkle_verifier = MerkleVerifier {
+            root: commitment,
+            column_log_sizes: vec![self.domain.log_size(); 4],
+        };
+        // TODO(spapini): Propagate error.
+        if merkle_verifier
+            .verify(
+                [(self.domain.log_size(), decommitment_positions)]
+                    .into_iter()
+                    .collect(),
+                actual_decommitment_evals.columns.into_iter().collect_vec(),
+                decommitment,
+            )
+            .is_err()
+        {
             return Err(FriVerificationError::InnerLayerCommitmentInvalid {
                 layer: self.layer_index,
             });
@@ -768,16 +762,16 @@ impl<H: Hasher<NativeType = u8>> FriLayerVerifier<H> {
 /// The polynomial evaluations are viewed as evaluation of a polynomial on multiple distinct cosets
 /// of size two. Each leaf of the merkle tree commits to a single coset evaluation.
 // TODO(andrew): Support different step sizes.
-struct FriLayerProver<B: FriOps, H: Hasher> {
+struct FriLayerProver<B: FriOps + MerkleOps<H>, H: MerkleHasher> {
     evaluation: LineEvaluation<B>,
-    merkle_tree: MerkleTree<BaseField, H>,
+    merkle_tree: MerkleProver<B, H>,
 }
 
-impl<B: FriOps, H: Hasher<NativeType = u8>> FriLayerProver<B, H> {
+impl<B: FriOps + MerkleOps<H>, H: MerkleHasher> FriLayerProver<B, H> {
     fn new(evaluation: LineEvaluation<B>) -> Self {
         // TODO(spapini): Commit on slice.
         // TODO(spapini): Merkle tree in backend.
-        let merkle_tree = MerkleTree::commit(evaluation.values.to_cpu().columns.into());
+        let merkle_tree = MerkleProver::commit(evaluation.values.columns.iter().collect_vec());
         #[allow(unreachable_code)]
         FriLayerProver {
             evaluation,
@@ -813,7 +807,12 @@ impl<B: FriOps, H: Hasher<NativeType = u8>> FriLayerProver<B, H> {
         }
 
         let commitment = self.merkle_tree.root();
-        let decommitment = self.merkle_tree.generate_decommitment(decommit_positions);
+        let (_, decommitment) = self.merkle_tree.decommit(
+            [(self.evaluation.domain().log_size(), decommit_positions)]
+                .into_iter()
+                .collect(),
+            self.evaluation.values.columns.iter().collect_vec(),
+        );
 
         FriLayerProof {
             evals_subset,
@@ -904,7 +903,7 @@ mod tests {
     use num_traits::{One, Zero};
 
     use super::{get_opening_positions, FriVerificationError, SparseCircleEvaluation};
-    use crate::commitment_scheme::blake2_hash::Blake2sHasher;
+    use crate::commitment_scheme::blake2_merkle::Blake2sMerkleHasher;
     use crate::core::backend::cpu::{CPUCircleEvaluation, CPUCirclePoly};
     use crate::core::backend::{CPUBackend, Col, Column, ColumnOps};
     use crate::core::circle::{CirclePointIndex, Coset};
@@ -925,7 +924,7 @@ mod tests {
     /// Default blowup factor used for tests.
     const LOG_BLOWUP_FACTOR: u32 = 2;
 
-    type FriProver = super::FriProver<CPUBackend, Blake2sHasher>;
+    type FriProver = super::FriProver<CPUBackend, Blake2sMerkleHasher>;
 
     #[test]
     fn fold_line_works() {