From d5679e4e852a5be879e9589562ade4751025e5a9 Mon Sep 17 00:00:00 2001
From: Sergey Vasilyev <swasilyev@gmail.com>
Date: Wed, 5 Mar 2025 13:44:03 +0300
Subject: [PATCH 1/3] piop computes the linearization polynomial

---
 w3f-plonk-common/src/piop.rs        |  2 +-
 w3f-plonk-common/src/verifier.rs    |  3 +--
 w3f-ring-proof/src/piop/verifier.rs | 22 +++++++++++++---------
 3 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/w3f-plonk-common/src/piop.rs b/w3f-plonk-common/src/piop.rs
index 7362bd4..1b224d1 100644
--- a/w3f-plonk-common/src/piop.rs
+++ b/w3f-plonk-common/src/piop.rs
@@ -49,7 +49,7 @@ pub trait VerifierPiop<F: PrimeField, C: Commitment<F>> {
 
     fn evaluate_constraints_main(&self) -> Vec<F>;
 
-    fn constraint_polynomials_linearized_commitments(&self) -> Vec<C>;
+    fn constraint_polynomials_linearized_commitments(&self, agg_coeffs: &[F]) -> C;
 
     fn domain_evaluated(&self) -> &EvaluatedDomain<F>;
 }
diff --git a/w3f-plonk-common/src/verifier.rs b/w3f-plonk-common/src/verifier.rs
index 174127e..66bfb33 100644
--- a/w3f-plonk-common/src/verifier.rs
+++ b/w3f-plonk-common/src/verifier.rs
@@ -73,8 +73,7 @@ impl<F: PrimeField, CS: PCS<F>, T: PlonkTranscript<F, CS>> PlonkVerifier<F, CS,
             .map(|(y, r)| y * r)
             .sum();
 
-        let lin_pices = piop.constraint_polynomials_linearized_commitments();
-        let lin_comm = CS::C::combine(&challenges.alphas[..3], &lin_pices);
+        let lin_comm = piop.constraint_polynomials_linearized_commitments(&challenges.alphas);
 
         let zeta_omega = zeta * domain_evaluated.omega();
 
diff --git a/w3f-ring-proof/src/piop/verifier.rs b/w3f-ring-proof/src/piop/verifier.rs
index afd2145..ca73ed6 100644
--- a/w3f-ring-proof/src/piop/verifier.rs
+++ b/w3f-ring-proof/src/piop/verifier.rs
@@ -123,19 +123,23 @@ impl<F: PrimeField, C: Commitment<F>, Jubjub: TECurveConfig<BaseField = F>> Veri
         .concat()
     }
 
-    fn constraint_polynomials_linearized_commitments(&self) -> Vec<C> {
-        let inner_prod_acc =
-            (&self.witness_columns_committed.inn_prod_acc).mul(self.inner_prod.not_last);
-        let acc_x = &self.witness_columns_committed.cond_add_acc[0];
-        let acc_y = &self.witness_columns_committed.cond_add_acc[1];
+    fn constraint_polynomials_linearized_commitments(&self, agg_coeffs: &[F]) -> C {
+        assert_eq!(agg_coeffs.len(), Self::N_CONSTRAINTS);
 
-        let (c_acc_x, c_acc_y) = self.cond_add.acc_coeffs_1();
-        let c1_lin = acc_x.mul(c_acc_x) + acc_y.mul(c_acc_y);
+        let inner_prod_acc = self.witness_columns_committed.inn_prod_acc.clone();
+        let inner_prod_coeff = agg_coeffs[0] * self.inner_prod.not_last;
 
+        let cond_add_acc_x = self.witness_columns_committed.cond_add_acc[0].clone();
+        let cond_add_acc_y = self.witness_columns_committed.cond_add_acc[1].clone();
+        let (c_acc_x, c_acc_y) = self.cond_add.acc_coeffs_1();
+        let mut cond_add_x_coeff = agg_coeffs[1] * c_acc_x;
+        let mut cond_add_y_coeff = agg_coeffs[1] * c_acc_y;
         let (c_acc_x, c_acc_y) = self.cond_add.acc_coeffs_2();
-        let c2_lin = acc_x.mul(c_acc_x) + acc_y.mul(c_acc_y);
+        cond_add_x_coeff += agg_coeffs[2] * c_acc_x;
+        cond_add_y_coeff += agg_coeffs[2] * c_acc_y;
 
-        vec![inner_prod_acc, c1_lin, c2_lin]
+        C::combine(&[inner_prod_coeff, cond_add_x_coeff, cond_add_y_coeff],
+        &[inner_prod_acc.clone(), cond_add_acc_x, cond_add_acc_y])
     }
 
     fn domain_evaluated(&self) -> &EvaluatedDomain<F> {

From f66e06a41d5d39a62b7ebbb930ce57532c0f4ba8 Mon Sep 17 00:00:00 2001
From: Sergey Vasilyev <swasilyev@gmail.com>
Date: Fri, 14 Mar 2025 09:54:48 +0300
Subject: [PATCH 2/3] piop method name fixed

---
 w3f-plonk-common/src/piop.rs        |  4 +++-
 w3f-plonk-common/src/verifier.rs    | 12 ++++++------
 w3f-ring-proof/src/piop/verifier.rs |  8 +++++---
 3 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/w3f-plonk-common/src/piop.rs b/w3f-plonk-common/src/piop.rs
index 1b224d1..4739e86 100644
--- a/w3f-plonk-common/src/piop.rs
+++ b/w3f-plonk-common/src/piop.rs
@@ -47,9 +47,11 @@ pub trait VerifierPiop<F: PrimeField, C: Commitment<F>> {
     // Columns the commitments to which are publicly known. These commitments are omitted from the proof.
     fn precommitted_columns(&self) -> Vec<C>;
 
+    // Constant terms of the linearization polynomials for each constraint.
     fn evaluate_constraints_main(&self) -> Vec<F>;
 
-    fn constraint_polynomials_linearized_commitments(&self, agg_coeffs: &[F]) -> C;
+    // Commitment to the aggregated linearization polynomial without the constant term.
+    fn lin_poly_commitment(&self, agg_coeffs: &[F]) -> C;
 
     fn domain_evaluated(&self) -> &EvaluatedDomain<F>;
 }
diff --git a/w3f-plonk-common/src/verifier.rs b/w3f-plonk-common/src/verifier.rs
index 66bfb33..1e4d280 100644
--- a/w3f-plonk-common/src/verifier.rs
+++ b/w3f-plonk-common/src/verifier.rs
@@ -66,22 +66,22 @@ impl<F: PrimeField, CS: PCS<F>, T: PlonkTranscript<F, CS>> PlonkVerifier<F, CS,
         let mut columns_at_zeta = proof.columns_at_zeta.to_vec();
         columns_at_zeta.push(q_zeta);
 
-        let cl = CS::C::combine(&challenges.nus, &columns);
-        let agg_y = columns_at_zeta
+        let agg_comm = CS::C::combine(&challenges.nus, &columns);
+        let agg_at_zeta = columns_at_zeta
             .into_iter()
             .zip(challenges.nus.iter())
             .map(|(y, r)| y * r)
             .sum();
 
-        let lin_comm = piop.constraint_polynomials_linearized_commitments(&challenges.alphas);
+        let lin_comm = piop.lin_poly_commitment(&challenges.alphas);
 
         let zeta_omega = zeta * domain_evaluated.omega();
 
         CS::batch_verify(
             &self.pcs_vk,
-            vec![cl, lin_comm],
-            vec![challenges.zeta, zeta_omega],
-            vec![agg_y, proof.lin_at_zeta_omega],
+            vec![agg_comm, lin_comm],
+            vec![zeta, zeta_omega],
+            vec![agg_at_zeta, proof.lin_at_zeta_omega],
             vec![proof.agg_at_zeta_proof, proof.lin_at_zeta_omega_proof],
             rng,
         )
diff --git a/w3f-ring-proof/src/piop/verifier.rs b/w3f-ring-proof/src/piop/verifier.rs
index ca73ed6..ea6ea24 100644
--- a/w3f-ring-proof/src/piop/verifier.rs
+++ b/w3f-ring-proof/src/piop/verifier.rs
@@ -123,7 +123,7 @@ impl<F: PrimeField, C: Commitment<F>, Jubjub: TECurveConfig<BaseField = F>> Veri
         .concat()
     }
 
-    fn constraint_polynomials_linearized_commitments(&self, agg_coeffs: &[F]) -> C {
+    fn lin_poly_commitment(&self, agg_coeffs: &[F]) -> C {
         assert_eq!(agg_coeffs.len(), Self::N_CONSTRAINTS);
 
         let inner_prod_acc = self.witness_columns_committed.inn_prod_acc.clone();
@@ -138,8 +138,10 @@ impl<F: PrimeField, C: Commitment<F>, Jubjub: TECurveConfig<BaseField = F>> Veri
         cond_add_x_coeff += agg_coeffs[2] * c_acc_x;
         cond_add_y_coeff += agg_coeffs[2] * c_acc_y;
 
-        C::combine(&[inner_prod_coeff, cond_add_x_coeff, cond_add_y_coeff],
-        &[inner_prod_acc.clone(), cond_add_acc_x, cond_add_acc_y])
+        C::combine(
+            &[inner_prod_coeff, cond_add_x_coeff, cond_add_y_coeff],
+            &[inner_prod_acc.clone(), cond_add_acc_x, cond_add_acc_y],
+        )
     }
 
     fn domain_evaluated(&self) -> &EvaluatedDomain<F> {

From 83fdef8d5ee5c8b1366d0d69c81892067043bf7e Mon Sep 17 00:00:00 2001
From: Sergey Vasilyev <swasilyev@gmail.com>
Date: Fri, 14 Mar 2025 10:46:11 +0300
Subject: [PATCH 3/3] piop::evaluate_q_at_zeta

---
 w3f-plonk-common/src/piop.rs     | 18 ++++++++++++++++++
 w3f-plonk-common/src/verifier.rs | 15 +++------------
 2 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/w3f-plonk-common/src/piop.rs b/w3f-plonk-common/src/piop.rs
index 4739e86..df37e9b 100644
--- a/w3f-plonk-common/src/piop.rs
+++ b/w3f-plonk-common/src/piop.rs
@@ -50,6 +50,24 @@ pub trait VerifierPiop<F: PrimeField, C: Commitment<F>> {
     // Constant terms of the linearization polynomials for each constraint.
     fn evaluate_constraints_main(&self) -> Vec<F>;
 
+    // Computes the constant term of the aggregated linearization polynomial
+    // from the column evaluations at `zeta`.
+    fn _evaluate_lin_poly_ct(&self, agg_coeffs: &[F]) -> F {
+        self.evaluate_constraints_main()
+            .iter()
+            .zip(agg_coeffs)
+            .map(|(c, alpha)| *alpha * c)
+            .sum()
+    }
+
+    // Computes the quotient polynomial of the constraint system
+    // from the column evaluations at `zeta` and the value of the linearization poly at `zeta.omega`.
+    fn evaluate_q_at_zeta(&self, agg_coeffs: &[F], lin_at_zeta_omega: F) -> F {
+        let eval: F = self._evaluate_lin_poly_ct(agg_coeffs);
+        self.domain_evaluated()
+            .divide_by_vanishing_poly_in_zeta(eval + lin_at_zeta_omega)
+    }
+
     // Commitment to the aggregated linearization polynomial without the constant term.
     fn lin_poly_commitment(&self, agg_coeffs: &[F]) -> C;
 
diff --git a/w3f-plonk-common/src/verifier.rs b/w3f-plonk-common/src/verifier.rs
index 1e4d280..184c01e 100644
--- a/w3f-plonk-common/src/verifier.rs
+++ b/w3f-plonk-common/src/verifier.rs
@@ -44,17 +44,7 @@ impl<F: PrimeField, CS: PCS<F>, T: PlonkTranscript<F, CS>> PlonkVerifier<F, CS,
         Commitments: ColumnsCommited<F, CS::C>,
         Evaluations: ColumnsEvaluated<F>,
     {
-        let eval: F = piop
-            .evaluate_constraints_main()
-            .iter()
-            .zip(challenges.alphas.iter())
-            .map(|(c, alpha)| *alpha * c)
-            .sum();
-        let zeta = challenges.zeta;
-        let domain_evaluated = piop.domain_evaluated();
-
-        let q_zeta =
-            domain_evaluated.divide_by_vanishing_poly_in_zeta(eval + proof.lin_at_zeta_omega);
+        let q_zeta = piop.evaluate_q_at_zeta(&challenges.alphas, proof.lin_at_zeta_omega);
 
         let mut columns = [
             piop.precommitted_columns(),
@@ -75,7 +65,8 @@ impl<F: PrimeField, CS: PCS<F>, T: PlonkTranscript<F, CS>> PlonkVerifier<F, CS,
 
         let lin_comm = piop.lin_poly_commitment(&challenges.alphas);
 
-        let zeta_omega = zeta * domain_evaluated.omega();
+        let zeta = challenges.zeta;
+        let zeta_omega = zeta * piop.domain_evaluated().omega();
 
         CS::batch_verify(
             &self.pcs_vk,