fix(recursion): final_poly & FRI missing randomness (#1703)

Updating the recursive verifier to match with the fix in
GHSA-f69f-5fx9-w9r9

## Final poly length
plonky3 has changed so that `proof.final_poly.len()` must equal
`config.final_poly_len()`. Since our recursion program only supports
final poly length = 0, we can remove the previous checks that higher
degree coefficients are zero.

## Missing randomness in mixed domain handling in FRI folding
The folding needs to add `beta^2` to roll in new terms from reduced
opening.

We introduce a new array `betas_squared` to precompute and cache the
squares since the `betas` are re-used across different FRI queries.
(Side note on optimization: Zach and I discussed and it seemed like
there is no difference between iter_zip'ing two arrays and loading them
both versus storing a pair in one array since we load each Ext as a
separate instruction).

I changed the recursion code to use `iter_zip` now that another
`betas_squared` needed to be passed in and we generally want to use
`iter_zip` everywhere. There is no enumerate support in `iter_zip`, so I
created another array of the indices to also zip over.

Note: I think we previously were just skipping and not checking
`ro[log_blowup]` corresponding to trace height 1 matrices. This is now
fixed as explained in the comments (the reasoning is slightly different
than in the Plonky3 implementation).

---------

Co-authored-by: HrikB <23041116+HrikB@users.noreply.github.com>
Co-authored-by: Yi Sun <yi-sun@users.noreply.github.com>

Author: 3 people

Cargo.lock

@@ -1,5 +1,5 @@
 [workspace.package]
-version = "1.1.2"
+version = "1.2.0"
 edition = "2021"
 rust-version = "1.82"
 authors = ["OpenVM Authors"]
@@ -107,8 +107,8 @@ lto = "thin"
 
 [workspace.dependencies]
 # Stark Backend
-openvm-stark-backend = { git = "https://github.com/openvm-org/stark-backend.git", tag = "v1.0.1", default-features = false }
-openvm-stark-sdk = { git = "https://github.com/openvm-org/stark-backend.git", tag = "v1.0.1", default-features = false }
+openvm-stark-backend = { git = "https://github.com/openvm-org/stark-backend.git", tag = "v1.1.0", default-features = false }
+openvm-stark-sdk = { git = "https://github.com/openvm-org/stark-backend.git", tag = "v1.1.0", default-features = false }
 
 # OpenVM
 openvm-sdk = { path = "crates/sdk", default-features = false }
@@ -166,18 +166,18 @@ openvm-pairing-guest = { path = "extensions/pairing/guest", default-features = f
 openvm-benchmarks-utils = { path = "benchmarks/utils", default-features = false }
 
 # Plonky3
-p3-field = { git = "https://github.com/Plonky3/Plonky3.git", rev = "1ba4e5c" }
+p3-field = { git = "https://github.com/Plonky3/Plonky3.git", rev = "539bbc84085efb609f4f62cb03cf49588388abdb" }
 p3-baby-bear = { git = "https://github.com/Plonky3/Plonky3.git", features = [
     "nightly-features",
-], rev = "1ba4e5c" }
-p3-dft = { git = "https://github.com/Plonky3/Plonky3.git", rev = "1ba4e5c" }
-p3-fri = { git = "https://github.com/Plonky3/Plonky3.git", rev = "1ba4e5c" }
-p3-keccak-air = { git = "https://github.com/Plonky3/Plonky3.git", rev = "1ba4e5c" }
-p3-merkle-tree = { git = "https://github.com/Plonky3/Plonky3.git", rev = "1ba4e5c" }
-p3-monty-31 = { git = "https://github.com/Plonky3/Plonky3.git", rev = "1ba4e5c" }
-p3-poseidon2 = { git = "https://github.com/Plonky3/Plonky3.git", rev = "1ba4e5c" }
-p3-poseidon2-air = { git = "https://github.com/Plonky3/Plonky3.git", rev = "1ba4e5c" }
-p3-symmetric = { git = "https://github.com/Plonky3/Plonky3.git", rev = "1ba4e5c" }
+], rev = "539bbc84085efb609f4f62cb03cf49588388abdb" }
+p3-dft = { git = "https://github.com/Plonky3/Plonky3.git", rev = "539bbc84085efb609f4f62cb03cf49588388abdb" }
+p3-fri = { git = "https://github.com/Plonky3/Plonky3.git", rev = "539bbc84085efb609f4f62cb03cf49588388abdb" }
+p3-keccak-air = { git = "https://github.com/Plonky3/Plonky3.git", rev = "539bbc84085efb609f4f62cb03cf49588388abdb" }
+p3-merkle-tree = { git = "https://github.com/Plonky3/Plonky3.git", rev = "539bbc84085efb609f4f62cb03cf49588388abdb" }
+p3-monty-31 = { git = "https://github.com/Plonky3/Plonky3.git", rev = "539bbc84085efb609f4f62cb03cf49588388abdb" }
+p3-poseidon2 = { git = "https://github.com/Plonky3/Plonky3.git", rev = "539bbc84085efb609f4f62cb03cf49588388abdb" }
+p3-poseidon2-air = { git = "https://github.com/Plonky3/Plonky3.git", rev = "539bbc84085efb609f4f62cb03cf49588388abdb" }
+p3-symmetric = { git = "https://github.com/Plonky3/Plonky3.git", rev = "539bbc84085efb609f4f62cb03cf49588388abdb" }
 
 zkhash = { git = "https://github.com/HorizenLabs/poseidon2.git", rev = "bb476b9" }
 snark-verifier-sdk = { version = "0.2.0", default-features = false, features = [

Cargo.toml

@@ -32,7 +32,7 @@ OpenVM is a performant and modular zkVM framework built for customization and ex
 
 ## Status
 
-As of May 2025, OpenVM v1.1.0 and later are recommended for production use. OpenVM completed an external [audit](https://github.com/openvm-org/openvm/blob/main/audits/v1-cantina-report.pdf) on [Cantina](https://cantina.xyz/) from January to March 2025 as well as an internal [audit](https://github.com/openvm-org/openvm/blob/main/audits/v1-internal/README.md) by members of the [Axiom](https://axiom.xyz/) team during the same timeframe.
+As of June 2025, OpenVM v1.2.0 and later are recommended for production use. OpenVM completed an external [audit](https://github.com/openvm-org/openvm/blob/main/audits/v1-cantina-report.pdf) on [Cantina](https://cantina.xyz/) from January to March 2025 as well as an internal [audit](https://github.com/openvm-org/openvm/blob/main/audits/v1-internal/README.md) by members of the [Axiom](https://axiom.xyz/) team during the same timeframe.
 
 ## For Users
 

README.md

@@ -9,7 +9,7 @@ To use OpenVM for generating proofs, you must install the OpenVM command line to
 Begin the installation:
 
 ```bash
-cargo install --locked --git http://github.com/openvm-org/openvm.git --tag v1.1.2 cargo-openvm
+cargo install --locked --git http://github.com/openvm-org/openvm.git --tag v1.2.0 cargo-openvm
 ```
 
 This will globally install `cargo-openvm`. You can validate a successful installation with:
@@ -23,7 +23,7 @@ cargo openvm --version
 To build from source, clone the repository and begin the installation.
 
 ```bash
-git clone --branch v1.1.2 --single-branch https://github.com/openvm-org/openvm.git
+git clone --branch v1.2.0 --single-branch https://github.com/openvm-org/openvm.git
 cd openvm
 cargo install --locked --force --path crates/cli
 ```

book/src/getting-started/install.md

@@ -33,7 +33,7 @@ The following chapters will guide you through:
 
 ## Security Status
 
-As of May 2025, OpenVM v1.1.0 and later are recommended for production use. OpenVM completed an external [audit](https://github.com/openvm-org/openvm/blob/main/audits/v1-cantina-report.pdf) on [Cantina](https://cantina.xyz/) from January to March 2025 as well as an internal [audit](https://github.com/openvm-org/openvm/blob/main/audits/v1-internal/README.md) by members of the [Axiom](https://axiom.xyz/) team during the same timeframe.
+As of June 2025, OpenVM v1.2.0 and later are recommended for production use. OpenVM completed an external [audit](https://github.com/openvm-org/openvm/blob/main/audits/v1-cantina-report.pdf) on [Cantina](https://cantina.xyz/) from January to March 2025 as well as an internal [audit](https://github.com/openvm-org/openvm/blob/main/audits/v1-internal/README.md) by members of the [Axiom](https://axiom.xyz/) team during the same timeframe.
 
 > 📖 **About this book**
 >

book/src/introduction.md

@@ -1,6 +1,6 @@
 # Solidity SDK
 
-As a supplement to OpenVM, we provide a [Solidity SDK](https://github.com/openvm-org/openvm-solidity-sdk) containing OpenVM verifier contracts generated at official release commits using the `cargo openvm setup` [command](../advanced-usage/sdk.md#setup). The contracts are built at every _minor_ release as OpenVM guarantees verifier backward compatibility across patch releases. 
+As a supplement to OpenVM, we provide a [Solidity SDK](https://github.com/openvm-org/openvm-solidity-sdk) containing OpenVM verifier contracts generated at official release commits using the `cargo openvm setup` [command](../advanced-usage/sdk.md#setup). The contracts are built at every _minor_ release as OpenVM guarantees verifier backward compatibility across patch releases.
 
 Note that these builds are for the default aggregation VM config which should be sufficient for most users. If you use a custom config, you will need to manually generate the verifier contract using the [OpenVM SDK](../advanced-usage/sdk.md).
 
@@ -17,13 +17,13 @@ forge install openvm-org/openvm-solidity-sdk
 Once you have the SDK installed, you can import the SDK contracts into your Solidity project:
 
 ```solidity
-import "openvm-solidity-sdk/v1.1/OpenVmHalo2Verifier.sol";
+import "openvm-solidity-sdk/v1.2/OpenVmHalo2Verifier.sol";
 ```
 
 If you are using an already-deployed verifier contract, you can simply import the `IOpenVmHalo2Verifier` interface:
 
 ```solidity
-import { IOpenVmHalo2Verifier } from "openvm-solidity-sdk/v1.1/interfaces/IOpenVmHalo2Verifier.sol";
+import { IOpenVmHalo2Verifier } from "openvm-solidity-sdk/v1.2/interfaces/IOpenVmHalo2Verifier.sol";
 
 contract MyContract {
     function myFunction() public view {
@@ -49,7 +49,7 @@ To deploy an instance of a verifier contract, you can clone the repo and simply
 ```bash
 git clone --recursive https://github.com/openvm-org/openvm-solidity-sdk.git
 cd openvm-solidity-sdk
-forge create src/v1.1/OpenVmHalo2Verifier.sol:OpenVmHalo2Verifier --rpc-url $RPC --private-key $PRIVATE_KEY --broadcast
+forge create src/v1.2/OpenVmHalo2Verifier.sol:OpenVmHalo2Verifier --rpc-url $RPC --private-key $PRIVATE_KEY --broadcast
 ```
 
 We recommend a direct deployment from the SDK repo since the proper compiler configurations are all pre-set.

book/src/writing-apps/solidity.md

@@ -30,23 +30,25 @@ pub mod witness;
 ///
 /// Reference: <https://github.com/Plonky3/Plonky3/blob/4809fa7bedd9ba8f6f5d3267b1592618e3776c57/fri/src/verifier.rs#L101>
 #[allow(clippy::too_many_arguments)]
-#[allow(unused_variables)]
-pub fn verify_query<C: Config>(
+fn verify_query<C: Config>(
     builder: &mut Builder<C>,
     config: &FriConfigVariable<C>,
     commit_phase_commits: &Array<C, DigestVariable<C>>,
     index_bits: &Array<C, Var<C::N>>,
     proof: &FriQueryProofVariable<C>,
     betas: &Array<C, Ext<C::F, C::EF>>,
+    betas_squared: &Array<C, Ext<C::F, C::EF>>,
     reduced_openings: &Array<C, Ext<C::F, C::EF>>,
     log_max_lde_height: RVar<C::N>,
+    i_plus_one_arr: &Array<C, Usize<C::N>>,
 ) -> Ext<C::F, C::EF>
 where
     C::F: TwoAdicField,
     C::EF: TwoAdicField,
 {
     builder.cycle_tracker_start("verify-query");
-    let folded_eval: Ext<C::F, C::EF> = builder.eval(C::F::ZERO);
+    // reduced_openings.len() == MAX_TWO_ADICITY >= log_max_lde_height
+    let folded_eval: Ext<C::F, C::EF> = builder.get(reduced_openings, log_max_lde_height);
     let two_adic_generator_f = config.get_two_adic_generator(builder, log_max_lde_height);
 
     let two_adic_gen_ext = two_adic_generator_f.to_operand().symbolic();
@@ -55,84 +57,113 @@ where
     let index_bits_truncated = index_bits.slice(builder, 0, log_max_lde_height);
     let x = builder.exp_bits_big_endian(two_adic_generator_ef, &index_bits_truncated);
 
-    // proof.commit_phase_openings.len() == log_max_lde_height - log_blowup
+    // assert proof.commit_phase_openings.len() == log_max_height
+    // where
+    //   - commit_phase_commits.len() = log_max_height is compile-time constant (assuming
+    //     log_final_poly_len = 0)
+    //   - log_max_lde_height = log_max_height + log_blowup by definition in verify_two_adic_pcs
     builder.assert_usize_eq(
         proof.commit_phase_openings.len(),
         commit_phase_commits.len(),
     );
-    builder
-        .range(0, commit_phase_commits.len())
-        .for_each(|i_vec, builder| {
-            let i = i_vec[0];
-            let log_folded_height = builder.eval_expr(log_max_lde_height - i - C::N::ONE);
-            let log_folded_height_plus_one = builder.eval_expr(log_folded_height + C::N::ONE);
-            let commit = builder.get(commit_phase_commits, i);
-            let step = builder.get(&proof.commit_phase_openings, i);
-            let beta = builder.get(betas, i);
-
-            // reduced_openings.len() == MAX_TWO_ADICITY >= log_max_lde_height >=
-            // log_folded_height_plus_one
-            let reduced_opening = builder.get(reduced_openings, log_folded_height_plus_one);
-            builder.assign(&folded_eval, folded_eval + reduced_opening);
-
-            let index_bit = builder.get(index_bits, i);
-            let index_sibling_mod_2: Var<C::N> =
-                builder.eval(SymbolicVar::from(C::N::ONE) - index_bit);
-            let i_plus_one = builder.eval_expr(i + RVar::one());
-            let index_pair = index_bits.shift(builder, i_plus_one);
-
-            let evals: Array<C, Ext<C::F, C::EF>> = builder.array(2);
-            let eval_0: Ext<C::F, C::EF>;
-            let eval_1: Ext<C::F, C::EF>;
-            if builder.flags.static_only {
-                [eval_0, eval_1] = cond_eval(
-                    builder,
-                    index_sibling_mod_2,
-                    step.sibling_value,
-                    folded_eval,
-                );
-                builder.set_value(&evals, 0, eval_0);
-                builder.set_value(&evals, 1, eval_1);
-            } else {
-                builder.set_value(&evals, 0, folded_eval);
-                builder.set_value(&evals, 1, folded_eval);
-                // This is faster than branching.
-                builder.set_value(&evals, index_sibling_mod_2, step.sibling_value);
-                eval_0 = builder.get(&evals, 0);
-                eval_1 = builder.get(&evals, 1);
-            }
+    // By definition in verify_two_adic_pcs:
+    // - betas, betas_squared, i_plus_one_arr have length log_max_height
+    // - index_bits has length log_max_lde_height
+    iter_zip!(
+        builder,
+        commit_phase_commits,
+        proof.commit_phase_openings,
+        betas,
+        betas_squared,
+        i_plus_one_arr,
+        index_bits
+    )
+    .for_each(|ptr_vec, builder| {
+        let [comm_ptr, opening_ptr, beta_ptr, beta_sq_ptr, i_plus_one_ptr, index_bit_ptr] =
+            ptr_vec.try_into().unwrap();
 
-            let dims = DimensionsVariable::<C> {
-                log_height: builder.eval(log_folded_height),
-            };
-            let dims_slice: Array<C, DimensionsVariable<C>> = builder.array(1);
-            builder.set_value(&dims_slice, 0, dims);
+        let i_plus_one = builder.iter_ptr_get(i_plus_one_arr, i_plus_one_ptr);
+        let i_plus_one = RVar::from(i_plus_one);
+        let log_folded_height = builder.eval_expr(log_max_lde_height - i_plus_one);
+        let commit = builder.iter_ptr_get(commit_phase_commits, comm_ptr);
+        let step = builder.iter_ptr_get(&proof.commit_phase_openings, opening_ptr);
+        let beta = builder.iter_ptr_get(betas, beta_ptr);
+        let beta_sq = builder.iter_ptr_get(betas_squared, beta_sq_ptr);
 
-            let opened_values = builder.array(1);
-            builder.set_value(&opened_values, 0, evals);
-            builder.cycle_tracker_start("verify-batch-ext");
-            verify_batch::<C>(
+        let index_bit = builder.iter_ptr_get(index_bits, index_bit_ptr);
+        let index_sibling_mod_2: Var<C::N> = builder.eval(SymbolicVar::from(C::N::ONE) - index_bit);
+        let index_pair = index_bits.shift(builder, i_plus_one);
+
+        let evals: Array<C, Ext<C::F, C::EF>> = builder.array(2);
+        let eval_0: Ext<C::F, C::EF>;
+        let eval_1: Ext<C::F, C::EF>;
+        if builder.flags.static_only {
+            [eval_0, eval_1] = cond_eval(
                 builder,
-                &commit,
-                dims_slice,
-                index_pair,
-                &NestedOpenedValues::Ext(opened_values),
-                &step.opening_proof,
+                index_sibling_mod_2,
+                step.sibling_value,
+                folded_eval,
             );
-            builder.cycle_tracker_end("verify-batch-ext");
+            builder.set_value(&evals, 0, eval_0);
+            builder.set_value(&evals, 1, eval_1);
+        } else {
+            builder.set_value(&evals, 0, folded_eval);
+            builder.set_value(&evals, 1, folded_eval);
+            // This is faster than branching.
+            builder.set_value(&evals, index_sibling_mod_2, step.sibling_value);
+            eval_0 = builder.get(&evals, 0);
+            eval_1 = builder.get(&evals, 1);
+        }
+
+        let dims = DimensionsVariable::<C> {
+            log_height: builder.eval(log_folded_height),
+        };
+        let dims_slice: Array<C, DimensionsVariable<C>> = builder.array(1);
+        builder.set_value(&dims_slice, 0, dims);
 
-            let two_adic_generator_one = config.get_two_adic_generator(builder, Usize::from(1));
+        let opened_values = builder.array(1);
+        builder.set_value(&opened_values, 0, evals);
+        builder.cycle_tracker_start("verify-batch-ext");
+        verify_batch::<C>(
+            builder,
+            &commit,
+            dims_slice,
+            index_pair,
+            &NestedOpenedValues::Ext(opened_values),
+            &step.opening_proof,
+        );
+        builder.cycle_tracker_end("verify-batch-ext");
 
-            let [xs_0, xs_1]: [Ext<_, _>; 2] =
-                cond_eval(builder, index_sibling_mod_2, x * two_adic_generator_one, x);
+        let two_adic_generator_one = config.get_two_adic_generator(builder, Usize::from(1));
 
-            builder.assign(
-                &folded_eval,
-                eval_0 + (beta - xs_0) * (eval_1 - eval_0) / (xs_1 - xs_0),
-            );
+        let [xs_0, xs_1]: [Ext<_, _>; 2] =
+            cond_eval(builder, index_sibling_mod_2, x * two_adic_generator_one, x);
 
-            builder.assign(&x, x * x);
-        });
+        builder.assign(
+            &folded_eval,
+            eval_0 + (beta - xs_0) * (eval_1 - eval_0) / (xs_1 - xs_0),
+        );
+
+        builder.assign(&x, x * x);
+
+        // reduced_openings.len() == MAX_TWO_ADICITY >= log_max_lde_height >= log_folded_height
+        let reduced_opening = builder.get(reduced_openings, log_folded_height);
+        // Roll in new reduced opening polynomial at the folded height. This is 0 if there is no
+        // reduced opening at the folded height.
+        //
+        // Each `reduced_opening` is the evaluation of a reduced opening polynomial, which is itself
+        // a random linear combination `f_{i, 0}(x) + alpha f_{i, 1}(x) + ...`, but when we add it
+        // to the current folded polynomial evaluation claim, we need to multiply by a new random
+        // factor since `f_{i, 0}` has no leading coefficient.
+        //
+        // We use `beta^2` as the random factor since `beta` is already used in the folding.
+        //
+        // Note: this will include the case `reduced_opening = reduced_openings[log_blowup]` in the
+        // last iteration of the loop. Since we roll this in with the beta^2 factor, the low degree
+        // test will also include this case (corresponding to `log_height = 0`, which is not done in
+        // the Plonky3 implementation).
+        builder.assign(&folded_eval, folded_eval + beta_sq * reduced_opening);
+    });
 
     builder.cycle_tracker_end("verify-query");
     folded_eval