FRI Verifier

In this section, we describe the implementation of the FRI verifier in Stwo, continuing the example from the technical overview and prover documentation. The verifier's role is to check that all folding steps have been performed correctly by the prover.

The FriVerifier struct verifies the FRI proof generated by the prover.

pub struct FriVerifier<MC: MerkleChannel> {
    config: FriConfig,
    // TODO(andrew): The first layer currently commits to all input polynomials. Consider allowing
    // flexibility to only commit to input polynomials on a per-log-size basis. This allows
    // flexibility for cases where committing to the first layer, for a specific log size, isn't
    // necessary. FRI would simply return more query positions for the "uncommitted" log sizes.
    first_layer: FriFirstLayerVerifier<MC::H>,
    inner_layers: Vec<FriInnerLayerVerifier<MC::H>>,
    last_layer_domain: LineDomain,
    last_layer_poly: LinePoly,
    /// The queries used for decommitment. Initialized when calling
    /// [`FriVerifier::sample_query_positions()`].
    queries: Option<Queries>,
}

The main components are:

• config: The FriConfig containing protocol parameters.
• first_layer: The first layer verifier, which checks Merkle decommitments for all initial circle polynomials (i.e., $h_0$, $h_1$, $h_2$).
• inner_layers: A vector of inner layer verifiers, each corresponding to a folding round and its Merkle decommitment (i.e., two layers, corresponding to $g_0$ and $g_1$).
• last_layer_domain: The "line" domain for the final layer polynomial (i.e., $I_2$).
• last_layer_poly: The final "line" polynomial $g_2$ sent in clear by the prover.
• queries: The set of queries used for spot-checking the folding identities.

Initialization

The commit function initializes the FriVerifier using the FRI proof, the Fiat-Shamir channel, and protocol parameters. It sets up the verifier for the query phase.

    pub fn commit(
        channel: &mut MC::C,
        config: FriConfig,
        proof: FriProof<MC::H>,
        column_bounds: Vec<CirclePolyDegreeBound>,
    ) -> Result<Self, FriVerificationError> {
        assert!(column_bounds.is_sorted_by_key(|b| Reverse(*b)));

        MC::mix_root(channel, proof.first_layer.commitment);

        let max_column_bound = column_bounds[0];
        let column_commitment_domains = column_bounds
            .iter()
            .map(|bound| {
                let commitment_domain_log_size = bound.log_degree_bound + config.log_blowup_factor;
                CanonicCoset::new(commitment_domain_log_size).circle_domain()
            })
            .collect();

        let first_layer = FriFirstLayerVerifier {
            column_bounds,
            column_commitment_domains,
            proof: proof.first_layer,
            folding_alpha: channel.draw_secure_felt(),
        };

        let mut inner_layers = Vec::new();
        let mut layer_bound = max_column_bound.fold_to_line();
        let mut layer_domain = LineDomain::new(Coset::half_odds(
            layer_bound.log_degree_bound + config.log_blowup_factor,
        ));

        for (layer_index, proof) in proof.inner_layers.into_iter().enumerate() {
            MC::mix_root(channel, proof.commitment);

            inner_layers.push(FriInnerLayerVerifier {
                degree_bound: layer_bound,
                domain: layer_domain,
                folding_alpha: channel.draw_secure_felt(),
                layer_index,
                proof,
            });

            layer_bound = layer_bound
                .fold(FOLD_STEP)
                .ok_or(FriVerificationError::InvalidNumFriLayers)?;
            layer_domain = layer_domain.double();
        }

        if layer_bound.log_degree_bound != config.log_last_layer_degree_bound {
            return Err(FriVerificationError::InvalidNumFriLayers);
        }

        let last_layer_domain = layer_domain;
        let last_layer_poly = proof.last_layer_poly;

        if last_layer_poly.len() > (1 << config.log_last_layer_degree_bound) {
            return Err(FriVerificationError::LastLayerDegreeInvalid);
        }

        channel.mix_felts(&last_layer_poly);

        Ok(Self {
            config,
            first_layer,
            inner_layers,
            last_layer_domain,
            last_layer_poly,
            queries: None,
        })
    }

The inputs are as follows:

• channel: The Fiat-Shamir channel for randomness and transcript hashing.
• config: The FriConfig with protocol parameters.
• proof: The FriProof struct containing Merkle decommitments and the last layer polynomial.
• column_bounds: The degree bounds for each committed circle polynomial, in descending order.

At a high level, it proceeds as follows:

1. Initializes the first layer verifier with the Merkle decommitments for circle polynomials $h_0$, $h_1$, $h_2$, their respective domains $H_0$, $H_1$, $H_2$, their degree bounds, and folding randomness ${\lambda }_0$.
2. Initializes each inner layer verifier with its Merkle decommitment, domain, degree bounds, and folding randomness. For our example:
   • The first inner FRI verifier layer will store decommitments for $g_0$, its domain $I_0$, degree bound, and folding randomness ${\lambda }_1$.
   • Similarly, the second inner FRI verifier layer will store decommitments for $g_1$, its domain $I_1$, degree bound, and folding randomness ${\lambda }_2$.
3. Stores the last layer polynomial $g_2$ and its domain $I_2$.
4. Initializes the queries as None and prepares the verifier for the query phase.
5. Outputs the FriVerifier struct.

Query generation

The function sample_query_positions uses the Fiat-Shamir channel to generate random query positions for checking the folding equations. It maps each domain size to its respective query positions, ensuring that queries are adapted to the domain of each polynomial.

    pub fn sample_query_positions(&mut self, channel: &mut MC::C) -> BTreeMap<u32, Vec<usize>> {
        let column_log_sizes = self
            .first_layer
            .column_commitment_domains
            .iter()
            .map(|domain| domain.log_size())
            .collect::<BTreeSet<u32>>();
        let max_column_log_size = *column_log_sizes.iter().max().unwrap();
        let queries = Queries::generate(channel, max_column_log_size, self.config.n_queries);
        let query_positions_by_log_size =
            get_query_positions_by_log_size(&queries, column_log_sizes);
        self.queries = Some(queries);
        query_positions_by_log_size
    }
}

It takes the following input:

• &mut self: This will be used to update the queries in FriVerifier, which was initialized to None.
• channel: The Fiat-Shamir channel.

At a high level, it proceeds as follows:

1. Samples n_queries random positions on the largest domain using the channel.
2. Returns a mapping from domain log sizes to their respective query positions using the function query_positions_by_log_size.

Suppose $s=1$ query is sampled at $P_0=(x_0,y_0)\in H_0$. The function computes the corresponding positions $P_1=\pi (P_0)$ in $H_1$ and $P_2=\pi (P_1)$ in $H_2$, mapping each to the correct domain size.

Verification

The function decommit verifies the FriVerifier after it has been initialized with the FriProof by verifying the Merkle decommitments and folding equations for all layers. It ensures that the prover's folding steps were performed correctly and that the final polynomial is close to the expected polynomial space.

    pub fn decommit(
        mut self,
        first_layer_query_evals: ColumnVec<Vec<SecureField>>,
    ) -> Result<(), FriVerificationError> {
        let queries = self.queries.take().expect("queries not sampled");
        self.decommit_on_queries(&queries, first_layer_query_evals)
    }

    fn decommit_on_queries(
        self,
        queries: &Queries,
        first_layer_query_evals: ColumnVec<Vec<SecureField>>,
    ) -> Result<(), FriVerificationError> {
        let first_layer_sparse_evals =
            self.decommit_first_layer(queries, first_layer_query_evals)?;
        let inner_layer_queries = queries.fold(CIRCLE_TO_LINE_FOLD_STEP);
        let (last_layer_queries, last_layer_query_evals) =
            self.decommit_inner_layers(&inner_layer_queries, first_layer_sparse_evals)?;
        self.decommit_last_layer(last_layer_queries, last_layer_query_evals)
    }

It takes the following as input:

• mut self: The FriVerifier struct after initialization using the commit function.
• first_layer_query_evals: The evaluations of the circle polynomials at the sampled query points.

It proceeds as follows:

1. First Layer Verification:

   • Verifies Merkle decommitments for $h_0$, $h_1$, $h_2$ at the queried points $P_0$, $P_1$, and $P_2$, respectively.
   • Extracts the necessary evaluations for folding into the next layer.

2. Inner Layer Verification:

   • For each inner layer, verifies Merkle decommitments for $g_0$, $g_1$ at the folded query points $x_0$ and $x_1$, respectively.
   • Checks the following two folding equations using the folding randomness and the evaluations from previous layers. $$\begin{array}{rl}{g}_0(x_0)& ={\lambda }_0^2\cdot \left(\frac{h_0(x_0,y_0)+h_0(x_0,-y_0)}{2}+{\lambda }_0\cdot \frac{h_0(x_0,y_0)-h_0(x_0,-y_0)}{2\cdot y_0}\right)\end{array}$$ $$\begin{array}{rl}{g}_1(x_1)& =\frac{g_0(x_0)+g_0(-x_0)}{2}+{\lambda }_1\cdot \frac{g_0(x_0)-g_0(-x_0)}{2\cdot x_0}\\ & +{\lambda }_1^2\cdot \left(\frac{h_1(x_1,y_1)+h_1(x_1,-y_1)}{2}+{\lambda }_1\cdot \frac{h_1(x_1,y_1)-h_1(x_1,-y_1)}{2\cdot y_1}\right)\end{array}$$ where $P_0=(x_0,y_0)$ and $P_1=\pi ((x_0,y_0))=(x_1,y_1)$.

3. Last Layer Verification:

   • Checks that the final polynomial $g_2$ matches the evaluations at the last layer's query positions.

4. Returns success if all checks pass; otherwise, returns an error indicating which layer failed.