leanEthereum
diff --git a/‎README.md‎
Lines changed: 6 additions & 5 deletions b/‎README.md‎
Lines changed: 6 additions & 5 deletions
diff --git a/‎crates/backend/air/src/symbolic.rs‎
Lines changed: 1 addition & 0 deletions b/‎crates/backend/air/src/symbolic.rs‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎crates/backend/fiat-shamir/src/prover.rs‎
Lines changed: 4 additions & 4 deletions b/‎crates/backend/fiat-shamir/src/prover.rs‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎crates/backend/fiat-shamir/src/traits.rs‎
Lines changed: 2 additions & 9 deletions b/‎crates/backend/fiat-shamir/src/traits.rs‎
Lines changed: 2 additions & 9 deletions
diff --git a/‎crates/backend/fiat-shamir/src/transcript.rs‎
Lines changed: 30 additions & 15 deletions b/‎crates/backend/fiat-shamir/src/transcript.rs‎
Lines changed: 30 additions & 15 deletions
diff --git a/‎crates/backend/fiat-shamir/src/verifier.rs‎
Lines changed: 24 additions & 23 deletions b/‎crates/backend/fiat-shamir/src/verifier.rs‎
Lines changed: 24 additions & 23 deletions
diff --git a/‎crates/backend/field/src/field.rs‎
Lines changed: 2 additions & 0 deletions b/‎crates/backend/field/src/field.rs‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎crates/backend/koala-bear/src/monty_31/aarch64_neon/packing.rs‎
Lines changed: 1 addition & 0 deletions b/‎crates/backend/koala-bear/src/monty_31/aarch64_neon/packing.rs‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎crates/backend/koala-bear/src/monty_31/data_traits.rs‎
Lines changed: 1 addition & 0 deletions b/‎crates/backend/koala-bear/src/monty_31/data_traits.rs‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎crates/backend/koala-bear/src/monty_31/monty_31.rs‎
Lines changed: 1 addition & 0 deletions b/‎crates/backend/koala-bear/src/monty_31/monty_31.rs‎
Lines changed: 1 addition & 0 deletions
@@ -36,22 +36,23 @@ cargo run --release -- xmss --n-signatures 1400
 
 | WHIR rate \ regime | Proven               | Conjectured          |
 | ------------------ | -------------------- | -------------------- |
-| 1/2                | 610 XMSS/s - 383 KiB | 610 XMSS/s - 209 KiB |
-| 1/4                | 490 XMSS/s - 252 KiB | 490 XMSS/s - 148 KiB |
+| 1/2                | 775 XMSS/s - 374 KiB | 775 XMSS/s - 204 KiB |
+| 1/4                | 650 XMSS/s - 246 KiB | 650 XMSS/s - 146 KiB |
 
 (Proving throughput - proof size)
 
 ### Recursion
 
+2 to 1 recursion (WHIR rate = 1/4):
+
+
 ```bash
 cargo run --release -- recursion --n 2
 ```
 
-2 to 1 recursion (WHIR rate = 1/4):
-
 | Proven          | Conjectured     |
 | --------------- | --------------- |
-| 1.08s - 223 KiB | 1.03s - 134 KiB |
+| 0.77s - 223 KiB | 0.59s - 128 KiB |
 
 
 ### Bonus: unbounded recursive aggregation
 
@@ -98,6 +98,7 @@ impl<F: Field> PrimeCharacteristicRing for SymbolicExpression<F> {
     const ONE: Self = Self::Constant(F::ONE);
     const TWO: Self = Self::Constant(F::TWO);
     const NEG_ONE: Self = Self::Constant(F::NEG_ONE);
+    const INVERSE_OF_TWO: Self = Self::Constant(F::INVERSE_OF_TWO);
 
     #[inline]
     fn from_prime_subfield(f: Self::PrimeSubfield) -> Self {
 
@@ -30,8 +30,8 @@ where
         }
     }
 
-    pub fn raw_proof(&self) -> Vec<PF<EF>> {
-        self.transcript.raw_proof()
+    pub fn raw_proof(self) -> RawProof<PF<EF>> {
+        self.transcript.into_raw_proof()
     }
 
     pub fn pruned_proof(&self) -> PrunedProof<PF<EF>> {
@@ -74,14 +74,14 @@ where
 
     fn state(&self) -> String {
         format!(
-            "state: {} (len: {})",
+            "state: {} (n_items: {})",
             self.challenger
                 .state
                 .iter()
                 .map(|f| f.to_string())
                 .collect::<Vec<_>>()
                 .join(", "),
-            self.transcript.raw_proof().len()
+            self.transcript.0.len()
         )
     }
 
 
@@ -1,6 +1,6 @@
 use field::ExtensionField;
 
-use crate::{MerklePath, PF, ProofError, flatten_scalars_to_base, pack_scalars_to_extension};
+use crate::{MerkleOpening, MerklePath, PF, ProofError, flatten_scalars_to_base, pack_scalars_to_extension};
 
 pub trait ChallengeSampler<EF> {
     fn sample_vec(&mut self, len: usize) -> Vec<EF>;
@@ -40,9 +40,8 @@ pub trait FSProver<EF: ExtensionField<PF<EF>>>: ChallengeSampler<EF> {
 
 pub trait FSVerifier<EF: ExtensionField<PF<EF>>>: ChallengeSampler<EF> {
     fn state(&self) -> String;
-    fn transcript(&self) -> Vec<PF<EF>>;
     fn next_base_scalars_vec(&mut self, n: usize) -> Result<Vec<PF<EF>>, ProofError>;
-    fn receive_hint_base_scalars(&mut self, n: usize) -> Result<Vec<PF<EF>>, ProofError>;
+    fn next_merkle_opening(&mut self) -> Result<MerkleOpening<PF<EF>>, ProofError>;
     fn check_pow_grinding(&mut self, bits: usize) -> Result<(), ProofError>;
 
     fn next_extension_scalars_vec(&mut self, n: usize) -> Result<Vec<EF>, ProofError> {
@@ -54,10 +53,4 @@ pub trait FSVerifier<EF: ExtensionField<PF<EF>>>: ChallengeSampler<EF> {
     fn next_extension_scalar(&mut self) -> Result<EF, ProofError> {
         Ok(self.next_extension_scalars_vec(1)?[0])
     }
-
-    fn receive_hint_extension_scalars(&mut self, n: usize) -> Result<Vec<EF>, ProofError> {
-        Ok(pack_scalars_to_extension(
-            &self.receive_hint_base_scalars(n * EF::DIMENSION)?,
-        ))
-    }
 }
@@ -8,6 +8,18 @@ use crate::{PrunedMerklePaths, challenger::RATE};
 
 pub(crate) const DIGEST_LEN_FE: usize = 8;
 
+#[derive(Debug, Clone)]
+pub struct MerkleOpening<F> {
+    pub leaf_data: Vec<F>,
+    pub path: Vec<[F; DIGEST_LEN_FE]>,
+}
+
+#[derive(Clone)]
+pub struct RawProof<F> {
+    pub transcript: Vec<F>,
+    pub merkle_openings: Vec<MerkleOpening<F>>,
+}
+
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub enum TranscriptData<F, MerklePaths> {
     Interraction(Vec<F>),
@@ -30,34 +42,37 @@ pub struct MerklePaths<Data, F>(pub(crate) Vec<MerklePath<Data, F>>);
 pub struct Proof<F>(pub(crate) Vec<TranscriptData<F, MerklePaths<F, F>>>);
 
 impl<F: Field> Proof<F> {
-    pub fn raw_proof(&self) -> Vec<F> {
-        let mut proof = Vec::new();
-        for item in &self.0 {
+    pub fn into_raw_proof(self) -> RawProof<F> {
+        let mut transcript = Vec::new();
+        let mut merkle_openings = Vec::new();
+        for item in self.0 {
             match item {
                 TranscriptData::Interraction(scalars) => {
-                    proof.extend_from_slice(scalars);
                     let padding = scalars.len().next_multiple_of(RATE) - scalars.len();
-                    proof.extend(repeat_n(F::ZERO, padding));
+                    transcript.extend(scalars);
+                    transcript.extend(repeat_n(F::ZERO, padding));
                 }
                 TranscriptData::GrindingWitness(scalar) => {
-                    proof.push(*scalar);
-                    proof.extend(repeat_n(F::ZERO, RATE - 1));
+                    transcript.push(scalar);
+                    transcript.extend(repeat_n(F::ZERO, RATE - 1));
                 }
                 TranscriptData::MerklePaths(paths) => {
-                    for path in &paths.0 {
-                        proof.extend_from_slice(&path.leaf_data);
+                    for path in paths.0 {
                         assert!(path.leaf_data.len() % RATE == 0);
-                    }
-                    for path in &paths.0 {
-                        for hash in &path.sibling_hashes {
-                            proof.extend_from_slice(hash);
-                        }
+                        merkle_openings.push(MerkleOpening {
+                            leaf_data: path.leaf_data,
+                            path: path.sibling_hashes,
+                        });
                     }
                 }
             }
         }
-        proof
+        RawProof {
+            transcript,
+            merkle_openings,
+        }
     }
+
     pub fn prune(self) -> PrunedProof<F> {
         PrunedProof(
             self.0
 
@@ -10,7 +10,9 @@ use symetric::Compression;
 pub struct VerifierState<EF: ExtensionField<PF<EF>>, P> {
     challenger: Challenger<PF<EF>, P>,
     transcript: Vec<PF<EF>>,
-    index: usize,
+    merkle_openings: Vec<MerkleOpening<PF<EF>>>,
+    transcript_index: usize,
+    merkle_opening_index: usize,
     _extension_field: std::marker::PhantomData<EF>,
 }
 
@@ -19,12 +21,14 @@ where
     PF<EF>: PrimeField64,
 {
     #[must_use]
-    pub fn new(transcript: Vec<PF<EF>>, compressor: P) -> Self {
+    pub fn new(raw_proof: RawProof<PF<EF>>, compressor: P) -> Self {
         assert!(EF::DIMENSION <= RATE);
         Self {
             challenger: Challenger::new(compressor),
-            transcript,
-            index: 0,
+            transcript: raw_proof.transcript,
+            merkle_openings: raw_proof.merkle_openings,
+            transcript_index: 0,
+            merkle_opening_index: 0,
             _extension_field: std::marker::PhantomData,
         }
     }
@@ -48,34 +52,31 @@ where
 {
     fn state(&self) -> String {
         format!(
-            "state {} (len: {})",
+            "state {} (transcript_idx: {}, merkle_opening_idx: {})",
             self.challenger
                 .state
                 .iter()
                 .map(|f| f.to_string())
                 .collect::<Vec<_>>()
                 .join(", "),
-            self.index
+            self.transcript_index,
+            self.merkle_opening_index,
         )
     }
 
-    fn transcript(&self) -> Vec<PF<EF>> {
-        self.transcript.clone()
-    }
-
     fn next_base_scalars_vec(&mut self, n: usize) -> Result<Vec<PF<EF>>, ProofError> {
         let n_padded = n.next_multiple_of(RATE);
-        if n_padded > self.transcript.len() - self.index {
+        if n_padded > self.transcript.len() - self.transcript_index {
             return Err(ProofError::ExceededTranscript);
         }
-        let scalars = self.transcript[self.index..][..n].to_vec();
-        if self.transcript[self.index + n..self.index + n_padded]
+        let scalars = self.transcript[self.transcript_index..][..n].to_vec();
+        if self.transcript[self.transcript_index + n..self.transcript_index + n_padded]
             .iter()
             .any(|&x| x != PF::<EF>::ZERO)
         {
             return Err(ProofError::InvalidPadding);
         }
-        self.index += n_padded;
+        self.transcript_index += n_padded;
         for chunk in scalars.chunks(RATE) {
             let mut buffer = [PF::<EF>::ZERO; RATE];
             for (i, val) in chunk.iter().enumerate() {
@@ -87,32 +88,32 @@ where
         Ok(scalars)
     }
 
-    fn receive_hint_base_scalars(&mut self, n: usize) -> Result<Vec<PF<EF>>, ProofError> {
-        if n > self.transcript.len() - self.index {
+    fn next_merkle_opening(&mut self) -> Result<MerkleOpening<PF<EF>>, ProofError> {
+        if self.merkle_opening_index >= self.merkle_openings.len() {
             return Err(ProofError::ExceededTranscript);
         }
-        let scalars = self.transcript[self.index..self.index + n].to_vec();
-        self.index += n;
-        Ok(scalars)
+        let opening = self.merkle_openings[self.merkle_opening_index].clone();
+        self.merkle_opening_index += 1;
+        Ok(opening)
     }
 
     fn check_pow_grinding(&mut self, bits: usize) -> Result<(), ProofError> {
         if bits == 0 {
             return Ok(());
         }
 
-        if self.index + RATE > self.transcript.len() {
+        if self.transcript_index + RATE > self.transcript.len() {
             return Err(ProofError::ExceededTranscript);
         }
 
-        let witness = self.transcript[self.index];
-        if self.transcript[self.index + 1..self.index + RATE]
+        let witness = self.transcript[self.transcript_index];
+        if self.transcript[self.transcript_index + 1..self.transcript_index + RATE]
             .iter()
             .any(|&x| x != PF::<EF>::ZERO)
         {
             return Err(ProofError::InvalidPadding);
         }
-        self.index += RATE;
+        self.transcript_index += RATE;
 
         self.challenger.observe({
             let mut value = [PF::<EF>::ZERO; RATE];
 
@@ -110,6 +110,8 @@ pub trait PrimeCharacteristicRing:
     /// If the field has characteristic 2 this is equal to ONE.
     const NEG_ONE: Self;
 
+    const INVERSE_OF_TWO: Self;
+
     /// Embed an element of the prime field `ℤ/p` into the ring `R`.
     ///
     /// Given any element `[r] ∈ ℤ/p`, represented by an integer `r` between `0` and `p - 1`
 
@@ -188,6 +188,7 @@ impl<FP: FieldParameters> PrimeCharacteristicRing for PackedMontyField31Neon<FP>
     const ONE: Self = Self::broadcast(MontyField31::ONE);
     const TWO: Self = Self::broadcast(MontyField31::TWO);
     const NEG_ONE: Self = Self::broadcast(MontyField31::NEG_ONE);
+    const INVERSE_OF_TWO: Self = Self::broadcast(MontyField31::INVERSE_OF_TWO);
 
     #[inline]
     fn from_prime_subfield(f: Self::PrimeSubfield) -> Self {
 
@@ -55,6 +55,7 @@ pub trait FieldParameters: PackedMontyParameters + Sized {
     const MONTY_ONE: MontyField31<Self> = MontyField31::new(1);
     const MONTY_TWO: MontyField31<Self> = MontyField31::new(2);
     const MONTY_NEG_ONE: MontyField31<Self> = MontyField31::new(Self::PRIME - 1);
+    const MONTY_INVERSE_OF_TWO: MontyField31<Self> = MontyField31::new((Self::PRIME + 1) >> 1);
 
     // A generator of the fields multiplicative group. Needs to be given in Monty Form.
     const MONTY_GEN: MontyField31<Self>;
 
@@ -173,6 +173,7 @@ impl<FP: FieldParameters> PrimeCharacteristicRing for MontyField31<FP> {
     const ONE: Self = FP::MONTY_ONE;
     const TWO: Self = FP::MONTY_TWO;
     const NEG_ONE: Self = FP::MONTY_NEG_ONE;
+    const INVERSE_OF_TWO: Self = FP::MONTY_INVERSE_OF_TWO;
 
     #[inline(always)]
     fn from_prime_subfield(f: Self) -> Self {
Original file line number	Diff line number	Diff line change
`@@ -30,8 +30,8 @@ where`
`30`	`30`	`}`
`31`	`31`	`}`
`32`	`32`
`33`		`- pub fn raw_proof(&self) -> Vec<PF<EF>> {`
`34`		`- self.transcript.raw_proof()`
	`33`	`+ pub fn raw_proof(self) -> RawProof<PF<EF>> {`
	`34`	`+ self.transcript.into_raw_proof()`
`35`	`35`	`}`
`36`	`36`
`37`	`37`	`pub fn pruned_proof(&self) -> PrunedProof<PF<EF>> {`
`@@ -74,14 +74,14 @@ where`
`74`	`74`
`75`	`75`	`fn state(&self) -> String {`
`76`	`76`	`format!(`
`77`		`- "state: {} (len: {})",`
	`77`	`+ "state: {} (n_items: {})",`
`78`	`78`	`self.challenger`
`79`	`79`	`.state`
`80`	`80`	`.iter()`
`81`	`81`	`.map(\|f\| f.to_string())`
`82`	`82`	`.collect::<Vec<_>>()`
`83`	`83`	`.join(", "),`
`84`		`- self.transcript.raw_proof().len()`
	`84`	`+ self.transcript.0.len()`
`85`	`85`	`)`
`86`	`86`	`}`
`87`	`87`