piop computes the linearization polynomial

w3f-plonk-common/src/piop.rs

@@ -47,9 +47,29 @@ pub trait VerifierPiop<F: PrimeField, C: Commitment<F>> {
     // Columns the commitments to which are publicly known. These commitments are omitted from the proof.
     fn precommitted_columns(&self) -> Vec<C>;
 
+    // Constant terms of the linearization polynomials for each constraint.
     fn evaluate_constraints_main(&self) -> Vec<F>;
 
-    fn constraint_polynomials_linearized_commitments(&self) -> Vec<C>;
+    // Computes the constant term of the aggregated linearization polynomial
+    // from the column evaluations at `zeta`.
+    fn _evaluate_lin_poly_ct(&self, agg_coeffs: &[F]) -> F {
+        self.evaluate_constraints_main()
+            .iter()
+            .zip(agg_coeffs)
+            .map(|(c, alpha)| *alpha * c)
+            .sum()
+    }
+
+    // Computes the quotient polynomial of the constraint system
+    // from the column evaluations at `zeta` and the value of the linearization poly at `zeta.omega`.
+    fn evaluate_q_at_zeta(&self, agg_coeffs: &[F], lin_at_zeta_omega: F) -> F {
+        let eval: F = self._evaluate_lin_poly_ct(agg_coeffs);
+        self.domain_evaluated()
+            .divide_by_vanishing_poly_in_zeta(eval + lin_at_zeta_omega)
+    }
+
+    // Commitment to the aggregated linearization polynomial without the constant term.
+    fn lin_poly_commitment(&self, agg_coeffs: &[F]) -> C;
 
     fn domain_evaluated(&self) -> &EvaluatedDomain<F>;
 }

w3f-plonk-common/src/verifier.rs

@@ -44,17 +44,7 @@ impl<F: PrimeField, CS: PCS<F>, T: PlonkTranscript<F, CS>> PlonkVerifier<F, CS,
         Commitments: ColumnsCommited<F, CS::C>,
         Evaluations: ColumnsEvaluated<F>,
     {
-        let eval: F = piop
-            .evaluate_constraints_main()
-            .iter()
-            .zip(challenges.alphas.iter())
-            .map(|(c, alpha)| *alpha * c)
-            .sum();
-        let zeta = challenges.zeta;
-        let domain_evaluated = piop.domain_evaluated();
-
-        let q_zeta =
-            domain_evaluated.divide_by_vanishing_poly_in_zeta(eval + proof.lin_at_zeta_omega);
+        let q_zeta = piop.evaluate_q_at_zeta(&challenges.alphas, proof.lin_at_zeta_omega);
 
         let mut columns = [
             piop.precommitted_columns(),
@@ -66,23 +56,23 @@ impl<F: PrimeField, CS: PCS<F>, T: PlonkTranscript<F, CS>> PlonkVerifier<F, CS,
         let mut columns_at_zeta = proof.columns_at_zeta.to_vec();
         columns_at_zeta.push(q_zeta);
 
-        let cl = CS::C::combine(&challenges.nus, &columns);
-        let agg_y = columns_at_zeta
+        let agg_comm = CS::C::combine(&challenges.nus, &columns);
+        let agg_at_zeta = columns_at_zeta
             .into_iter()
             .zip(challenges.nus.iter())
             .map(|(y, r)| y * r)
             .sum();
 
-        let lin_pices = piop.constraint_polynomials_linearized_commitments();
-        let lin_comm = CS::C::combine(&challenges.alphas[..3], &lin_pices);
+        let lin_comm = piop.lin_poly_commitment(&challenges.alphas);
 
-        let zeta_omega = zeta * domain_evaluated.omega();
+        let zeta = challenges.zeta;
+        let zeta_omega = zeta * piop.domain_evaluated().omega();
 
         CS::batch_verify(
             &self.pcs_vk,
-            vec![cl, lin_comm],
-            vec![challenges.zeta, zeta_omega],
-            vec![agg_y, proof.lin_at_zeta_omega],
+            vec![agg_comm, lin_comm],
+            vec![zeta, zeta_omega],
+            vec![agg_at_zeta, proof.lin_at_zeta_omega],
             vec![proof.agg_at_zeta_proof, proof.lin_at_zeta_omega_proof],
             rng,
         )

w3f-ring-proof/src/piop/verifier.rs

@@ -123,19 +123,25 @@ impl<F: PrimeField, C: Commitment<F>, Jubjub: TECurveConfig<BaseField = F>> Veri
         .concat()
     }
 
-    fn constraint_polynomials_linearized_commitments(&self) -> Vec<C> {
-        let inner_prod_acc =
-            (&self.witness_columns_committed.inn_prod_acc).mul(self.inner_prod.not_last);
-        let acc_x = &self.witness_columns_committed.cond_add_acc[0];
-        let acc_y = &self.witness_columns_committed.cond_add_acc[1];
+    fn lin_poly_commitment(&self, agg_coeffs: &[F]) -> C {
+        assert_eq!(agg_coeffs.len(), Self::N_CONSTRAINTS);
 
-        let (c_acc_x, c_acc_y) = self.cond_add.acc_coeffs_1();
-        let c1_lin = acc_x.mul(c_acc_x) + acc_y.mul(c_acc_y);
+        let inner_prod_acc = self.witness_columns_committed.inn_prod_acc.clone();
+        let inner_prod_coeff = agg_coeffs[0] * self.inner_prod.not_last;
 
+        let cond_add_acc_x = self.witness_columns_committed.cond_add_acc[0].clone();
+        let cond_add_acc_y = self.witness_columns_committed.cond_add_acc[1].clone();
+        let (c_acc_x, c_acc_y) = self.cond_add.acc_coeffs_1();
+        let mut cond_add_x_coeff = agg_coeffs[1] * c_acc_x;
+        let mut cond_add_y_coeff = agg_coeffs[1] * c_acc_y;
         let (c_acc_x, c_acc_y) = self.cond_add.acc_coeffs_2();
-        let c2_lin = acc_x.mul(c_acc_x) + acc_y.mul(c_acc_y);
+        cond_add_x_coeff += agg_coeffs[2] * c_acc_x;
+        cond_add_y_coeff += agg_coeffs[2] * c_acc_y;
 
-        vec![inner_prod_acc, c1_lin, c2_lin]
+        C::combine(
+            &[inner_prod_coeff, cond_add_x_coeff, cond_add_y_coeff],
+            &[inner_prod_acc.clone(), cond_add_acc_x, cond_add_acc_y],
+        )
     }
 
     fn domain_evaluated(&self) -> &EvaluatedDomain<F> {