pub struct RecursionChallenge<G>where
G: AffineRepr,{
pub chals: Vec<G::ScalarField>,
pub comm: PolyComm<G>,
}Expand description
Stores the accumulator from a previously verified IPA (Inner Product Argument).
In recursive proof composition, when we verify a proof, the IPA verification produces an accumulator that can be “deferred” rather than checked immediately. This accumulator consists of:
-
chals: The folding challengesu_1, ..., u_ksampled during thek = log_2(n)rounds of the IPA. These challenges define the challenge polynomial (also calledb(X)orh(X)):b(X) = prod_{i=0}^{k-1} (1 + u_{k-i} * X^{2^i})This polynomial was introduced in Section 3.2 of the Halo paper as a way to efficiently represent the folded evaluation point.
-
comm: The accumulated commitmentU = <h, G>wherehis the vector of coefficients ofb(X)andGis the commitment basis. This is the “deferred” part of IPA verification.
The accumulator satisfies the relation R_Acc: anyone can verify it in O(n)
time by recomputing <h, G>.
See the accumulation documentation for a complete description of how these accumulators are used in Pickles.
Fields§
§chals: Vec<G::ScalarField>The IPA folding challenges [u_1, ..., u_k] that define the challenge
polynomial b(X). See b_poly.
comm: PolyComm<G>The accumulated commitment from IPA verification.
This commitment is used in two places:
- Absorbed into the Fq-sponge for Fiat-Shamir (see
prover.rsandverifier.rswhere commitments of previous challenges are absorbed). - Included in the batched polynomial commitment verification, paired
with evaluations of
b(X)atzetaandzeta * omega(seeverifier.rswherepolysis constructed fromprev_challenges).
Implementations§
Source§impl<G: AffineRepr> RecursionChallenge<G>
impl<G: AffineRepr> RecursionChallenge<G>
pub fn new( chals: Vec<G::ScalarField>, comm: PolyComm<G>, ) -> RecursionChallenge<G>
Sourcepub fn evals(
&self,
max_poly_size: usize,
evaluation_points: &[G::ScalarField],
powers_of_eval_points_for_chunks: &[G::ScalarField],
) -> Vec<Vec<G::ScalarField>>
pub fn evals( &self, max_poly_size: usize, evaluation_points: &[G::ScalarField], powers_of_eval_points_for_chunks: &[G::ScalarField], ) -> Vec<Vec<G::ScalarField>>
Computes evaluations of the challenge polynomial b(X) at the given points.
The challenge polynomial is defined by the IPA challenges as:
b(X) = prod_{i=0}^{k-1} (1 + u_{k-i} * X^{2^i})where u_1, ..., u_k are the challenges sampled during the k rounds of
the IPA protocol (stored in self.chals).
This method evaluates b(X) at evaluation_points (typically zeta and
zeta * omega). If the polynomial degree exceeds max_poly_size, the
evaluations are “chunked” to handle polynomial splitting.
These evaluations are paired with Self::comm and included in the
batched polynomial commitment verification (see verifier.rs).
The MSM has size 2^k where k is the number of IPA rounds (e.g., k = 15 for
a domain of size 2^15, giving an MSM of 32768 points). Computing this in-circuit
would require EC scalar multiplication: using VarBaseMul
costs 2 rows per 5 bits (~104 rows for a 256-bit scalar). For an MSM of 32768 points,
the constraint count would be higher than the accepted circuit size. By deferring to
the out-of-circuit verifier, we avoid this cost entirely.
§Arguments
max_poly_size- Maximum polynomial size for chunkingevaluation_points- Points at which to evaluate (typically[zeta, zeta * omega])powers_of_eval_points_for_chunks- Powers used for recombining chunks
§Returns
A vector of evaluation vectors, one per evaluation point. Each inner vector contains the chunked evaluations (or a single evaluation if no chunking needed).
§References
Trait Implementations§
Source§impl<G> Clone for RecursionChallenge<G>
impl<G> Clone for RecursionChallenge<G>
Source§fn clone(&self) -> RecursionChallenge<G>
fn clone(&self) -> RecursionChallenge<G>
1.0.0 · Source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source. Read more