feat: absorb OOD evals only once into the transcript (#382)

Author: Al-Kindi-0

air/src/proof/mod.rs

@@ -25,7 +25,7 @@ mod queries;
 pub use queries::Queries;
 
 mod ood_frame;
-pub use ood_frame::{OodFrame, QuotientOodFrame, TraceOodFrame};
+pub use ood_frame::{merge_ood_evaluations, OodFrame, QuotientOodFrame, TraceOodFrame};
 
 mod security;
 

air/src/proof/ood_frame.rs

@@ -5,7 +5,6 @@
 
 use alloc::vec::Vec;
 
-use crypto::ElementHasher;
 use math::FieldElement;
 use utils::{
     ByteReader, ByteWriter, Deserializable, DeserializationError, Serializable, SliceReader,
@@ -38,8 +37,7 @@ impl OodFrame {
     // UPDATERS
     // --------------------------------------------------------------------------------------------
 
-    /// Updates the trace state portion of this out-of-domain frame, and returns the hash of the
-    /// trace states.
+    /// Updates the trace state portion of this out-of-domain frame.
     ///
     /// The out-of-domain frame is stored as one vector built from the concatenation of values of
     /// two vectors, the current row vector and the next row vector. Given the input frame
@@ -58,10 +56,9 @@ impl OodFrame {
     ///
     /// # Panics
     /// Panics if evaluation frame has already been set.
-    pub fn set_trace_states<E, H>(&mut self, trace_ood_frame: &TraceOodFrame<E>) -> H::Digest
+    pub fn set_trace_states<E>(&mut self, trace_ood_frame: &TraceOodFrame<E>)
     where
         E: FieldElement,
-        H: ElementHasher<BaseField = E::BaseField>,
     {
         assert!(self.trace_states.is_empty(), "trace sates have already been set");
 
@@ -72,8 +69,6 @@ impl OodFrame {
         let frame_size: u8 = 2;
         self.trace_states.write_u8(frame_size);
         self.trace_states.write_many(&main_and_aux_trace_states);
-
-        H::hash_elements(&main_and_aux_trace_states)
     }
 
     /// Updates constraints composition polynomials (i.e., quotient polynomials) state portion of
@@ -97,13 +92,9 @@ impl OodFrame {
     /// # Panics
     /// Panics if:
     /// * Constraint evaluations have already been set.
-    pub fn set_quotient_states<E, H>(
-        &mut self,
-        quotients_ood_frame: &QuotientOodFrame<E>,
-    ) -> H::Digest
+    pub fn set_quotient_states<E>(&mut self, quotients_ood_frame: &QuotientOodFrame<E>)
     where
         E: FieldElement,
-        H: ElementHasher<BaseField = E::BaseField>,
     {
         assert!(self.quotient_states.is_empty(), "constraint evaluations have already been set");
 
@@ -114,8 +105,6 @@ impl OodFrame {
         let frame_size: u8 = 2;
         self.quotient_states.write_u8(frame_size);
         self.quotient_states.write_many(&quotient_states);
-
-        H::hash_elements(&quotient_states)
     }
 
     // PARSER
@@ -281,22 +270,14 @@ impl<E: FieldElement> TraceOodFrame<E> {
         }
     }
 
-    /// Hashes the main, auxiliary frames in a manner consistent with
-    /// [`OodFrame::set_trace_states`], with the purpose of reseeding the public coin.
-    pub fn hash<H: ElementHasher<BaseField = E::BaseField>>(&self) -> H::Digest {
-        let trace_states = self.to_trace_states();
-
-        H::hash_elements(&trace_states)
-    }
-
     /// Returns true if an auxiliary frame is present
     fn has_aux_frame(&self) -> bool {
         self.current_row.len() > self.main_trace_width
     }
 
     /// Returns the main/aux frames as a vector of elements described in
     /// [`OodFrame::set_trace_states`].
-    fn to_trace_states(&self) -> Vec<E> {
+    pub fn to_trace_states(&self) -> Vec<E> {
         let mut main_and_aux_frame_states = Vec::new();
         main_and_aux_frame_states.extend_from_slice(&self.current_row);
         main_and_aux_frame_states.extend_from_slice(&self.next_row);
@@ -335,19 +316,36 @@ impl<E: FieldElement> QuotientOodFrame<E> {
         &self.next_row
     }
 
-    /// Hashes the frame with the purpose of reseeding the public coin.
-    pub fn hash<H: ElementHasher<BaseField = E::BaseField>>(&self) -> H::Digest {
-        let trace_states = self.to_trace_states();
-
-        H::hash_elements(&trace_states)
-    }
-
     /// Returns the frame as a vector of elements.
-    fn to_trace_states(&self) -> Vec<E> {
+    pub fn to_trace_states(&self) -> Vec<E> {
         let mut quotients_frame_states = Vec::new();
         quotients_frame_states.extend_from_slice(&self.current_row);
         quotients_frame_states.extend_from_slice(&self.next_row);
 
         quotients_frame_states
     }
 }
+
+// HELPER
+// ================================================================================================
+
+/// Given trace and constraints polynomials OOD evaluations, returns the vector containing their
+/// concatenation, with the evaluations at `z` grouped together and coming first and followed
+/// by the evaluations at `z * g`.
+pub fn merge_ood_evaluations<E>(
+    trace_ood_frame: &TraceOodFrame<E>,
+    constraints_ood_frame: &QuotientOodFrame<E>,
+) -> Vec<E>
+where
+    E: FieldElement,
+{
+    let mut current_row = trace_ood_frame.current_row().to_vec();
+    current_row.extend_from_slice(constraints_ood_frame.current_row());
+    let mut next_row = trace_ood_frame.next_row().to_vec();
+    next_row.extend_from_slice(constraints_ood_frame.next_row());
+
+    let mut ood_evals = current_row;
+    ood_evals.extend_from_slice(&next_row);
+
+    ood_evals
+}

prover/src/channel.rs

@@ -7,7 +7,10 @@ use alloc::vec::Vec;
 use core::marker::PhantomData;
 
 use air::{
-    proof::{Commitments, Context, OodFrame, Proof, Queries, QuotientOodFrame, TraceOodFrame},
+    proof::{
+        merge_ood_evaluations, Commitments, Context, OodFrame, Proof, Queries, QuotientOodFrame,
+        TraceOodFrame,
+    },
     Air, ConstraintCompositionCoefficients, DeepCompositionCoefficients,
 };
 use crypto::{ElementHasher, RandomCoin, VectorCommitment};
@@ -93,19 +96,20 @@ where
         self.public_coin.reseed(constraint_root);
     }
 
-    /// Saves the evaluations of trace polynomials over the out-of-domain evaluation frame. This
-    /// also reseeds the public coin with the hashes of the evaluation frame states.
-    pub fn send_ood_trace_states(&mut self, trace_ood_frame: &TraceOodFrame<E>) {
-        let trace_states_hash = self.ood_frame.set_trace_states::<E, H>(trace_ood_frame);
-        self.public_coin.reseed(trace_states_hash);
-    }
-
-    /// Saves the evaluations of constraint composition polynomial columns over the out-of-domain
-    /// evaluation frame. This also reseeds the public coin with the hashes of the evaluation frame
-    /// states.
-    pub fn send_ood_constraint_evaluations(&mut self, evaluations: &QuotientOodFrame<E>) {
-        let quotient_hash = self.ood_frame.set_quotient_states::<E, H>(evaluations);
-        self.public_coin.reseed(quotient_hash);
+    /// Saves the evaluations of the trace and constraint composition polynomials over
+    /// the out-of-domain evaluation frame. This also reseeds the public coin with the hash
+    /// of all OOD evaluations.
+    pub fn send_ood_evaluations(
+        &mut self,
+        trace_ood_frame: &TraceOodFrame<E>,
+        constraints_ood_frame: &QuotientOodFrame<E>,
+    ) {
+        self.ood_frame.set_trace_states::<E>(trace_ood_frame);
+        self.ood_frame.set_quotient_states::<E>(constraints_ood_frame);
+        let ood_evals = merge_ood_evaluations(trace_ood_frame, constraints_ood_frame);
+        let digest = H::hash_elements(&ood_evals);
+
+        self.public_coin.reseed(digest);
     }
 
     // PUBLIC COIN METHODS

prover/src/lib.rs

@@ -397,10 +397,8 @@ pub trait Prover {
             // evaluate trace and constraint polynomials at the OOD point z and gz, where g is
             // the generator of the trace domain. and send the results to the verifier
             let ood_trace_states = trace_polys.get_ood_frame(z);
-            channel.send_ood_trace_states(&ood_trace_states);
-
             let ood_evaluations = composition_poly.get_ood_frame(z);
-            channel.send_ood_constraint_evaluations(&ood_evaluations);
+            channel.send_ood_evaluations(&ood_trace_states, &ood_evaluations);
 
             // draw random coefficients to use during DEEP polynomial composition, and use them to
             // initialize the DEEP composition polynomial

verifier/src/lib.rs

@@ -34,6 +34,7 @@ extern crate alloc;
 use alloc::vec::Vec;
 use core::cmp;
 
+use air::proof::merge_ood_evaluations;
 pub use air::{
     proof::Proof, Air, AirContext, Assertion, BoundaryConstraint, BoundaryConstraintGroup,
     ConstraintCompositionCoefficients, ConstraintDivisor, DeepCompositionCoefficients,
@@ -206,8 +207,7 @@ where
     // are consistent with the evaluations of composition polynomial columns sent by the prover
 
     // read the out-of-domain trace frames (the main trace frame and auxiliary trace frame, if
-    // provided) sent by the prover and evaluate constraints over them; also, reseed the public
-    // coin with the OOD frames received from the prover.
+    // provided) sent by the prover and evaluate constraints over them.
     let ood_trace_frame = channel.read_ood_trace_frame();
     let ood_main_trace_frame = ood_trace_frame.main_frame();
     let ood_aux_trace_frame = ood_trace_frame.aux_frame();
@@ -219,15 +219,14 @@ where
         aux_trace_rand_elements.as_ref(),
         z,
     );
-    public_coin.reseed(ood_trace_frame.hash::<H>());
 
-    // read evaluations of composition polynomial columns sent by the prover, and reduce them into
-    // a single value by computing \sum_{i=0}^{m-1}(z^(i * l) * value_i), where value_i is the
+    // read evaluations of composition polynomial columns sent by the prover, and reduce
+    // the evaluations at z into a single value by computing
+    // \sum_{i=0}^{m-1}(z^(i * l) * value_i), where value_i is the
     // evaluation of the ith column polynomial H_i(X) at z, l is the trace length and m is
     // the number of composition column polynomials. This computes H(z) (i.e.
     // the evaluation of the composition polynomial at z) using the fact that
     // H(X) = \sum_{i=0}^{m-1} X^{i * l} H_i(X).
-    // Also, reseed the public coin with the OOD constraint evaluations received from the prover.
     let ood_constraint_evaluations = channel.read_ood_constraint_frame();
     let ood_constraint_evaluation_2 = ood_constraint_evaluations
         .current_row()
@@ -237,14 +236,16 @@ where
             result + z.exp_vartime(((i * (air.trace_length())) as u32).into()) * value
         });
 
-    let ood_constraint_hash = ood_constraint_evaluations.hash::<H>();
-    public_coin.reseed(ood_constraint_hash);
-
     // finally, make sure the values are the same
     if ood_constraint_evaluation_1 != ood_constraint_evaluation_2 {
         return Err(VerifierError::InconsistentOodConstraintEvaluations);
     }
 
+    // reseed the public coin with OOD evaluations
+    let ood_evals = merge_ood_evaluations(&ood_trace_frame, &ood_constraint_evaluations);
+    let digest = H::hash_elements(&ood_evals);
+    public_coin.reseed(digest);
+
     // 4 ----- FRI commitments --------------------------------------------------------------------
     // draw coefficients for computing DEEP composition polynomial from the public coin; in the
     // interactive version of the protocol, the verifier sends these coefficients to the prover