chore: make dependence on number of openings explicit and correct its…

… use
facebook · Jan 12, 2024 · a8e1a80 · a8e1a80
1 parent a450b81
commit a8e1a80
Showing 1 changed file with 23 additions and 21 deletions.
diff --git a/air/src/proof/mod.rs b/air/src/proof/mod.rs
@@ -288,11 +288,30 @@ fn proven_security_protocol_for_m(
     let m = m as f64;
     let rho = 1.0 / options.blowup_factor() as f64;
     let alpha = (1.0 + 0.5 / m) * sqrt(rho);
-    let theta = 1.0 - alpha;
-    let max_deg = options.blowup_factor() as f64;
+    let max_deg = options.blowup_factor() as f64 + 1.0;
 
+    // To apply Theorem 8 in https://eprint.iacr.org/2022/1216.pdf, we need to apply FRI with
+    // a slightly larger agreement parameter alpha.
+    // More concretely, we need alpha > rho_plus.sqrt() where rho_plus is the rate in function field
+    // F(Z) and defined as (trace_domain_size + 2.0) / lde_domain_size .
+    // This means that the range of m needs to be restricted in order to ensure that
+    // alpha := 1 - theta := rho.sqrt() * (1 + 1/2m) is greater than rho_plus.sqrt().
+    // Determining the range of m is the responsibility of the calling function.
+    // Now, once m is fixed, we need to make sure that we choose an m_plus such that
+    // alpha <= rho_plus.sqrt() * (1 + 1/2m_plus). This m_plus will be used to define
+    // the list-decoding list size in F(Z).
+
+    // Modified rate in function field F(Z)
     let lde_domain_size = (trace_domain_size * options.blowup_factor()) as f64;
     let trace_domain_size = trace_domain_size as f64;
+    let num_openings = 2.0;
+    let rho_plus = (trace_domain_size + num_openings) / lde_domain_size;
+
+    // New proximity parameter m_plus, corresponding to rho_plus, needed to make sure that
+    //  alpha < rho_plus.sqrt() * (1 + 1 / (2 * m_plus))
+    let m_plus = ceil(1.0 / (2.0 * (alpha / sqrt(rho_plus) - 1.0)));
+    let alpha_plus = (1.0 + 0.5 / m_plus) * sqrt(rho_plus);
+    let theta_plus = 1.0 - alpha_plus;
 
     // Computes FRI commit-phase (i.e., pre-query) soundness error.
     // This considers only the first term given in eq. 7 in https://eprint.iacr.org/2022/1216.pdf,
@@ -302,7 +321,7 @@ fn proven_security_protocol_for_m(
 
     // Compute FRI query-phase soundness error
     let fri_queries_err_bits =
-        options.grinding_factor() as f64 - log2(powf(1.0 - theta, num_fri_queries));
+        options.grinding_factor() as f64 - log2(powf(1.0 - theta_plus, num_fri_queries));
 
     // Combined error for FRI
     let fri_err_bits = cmp::min(fri_commit_err_bits as u64, fri_queries_err_bits as u64);
@@ -311,23 +330,6 @@ fn proven_security_protocol_for_m(
     }
     let fri_err_bits = fri_err_bits - 1;
 
-    // To apply Theorem 8 in https://eprint.iacr.org/2022/1216.pdf, we need to apply FRI with
-    // a slightly larger agreement parameter alpha.
-    // More concretely, we need alpha > rho_plus.sqrt() where rho_plus is the rate in function field
-    // F(Z) and defined as (trace_domain_size + 2.0) / lde_domain_size .
-    // This means that the range of m needs to be restricted in order to ensure that
-    // alpha := 1 - theta := rho.sqrt() * (1 + 1/2m) is greater than rho_plus.sqrt().
-    // Determining the range of m is the responsibility of the calling function.
-    // Now, once m is fixed, we need to make sure that we choose an m_plus such that
-    // alpha <= rho_plus.sqrt() * (1 + 1/2m_plus). This m_plus will be used to define
-    // the list-decoding list size in F(Z).
-
-    // Modified rate in function field F(Z)
-    let rho_plus = (trace_domain_size + 2.0) / lde_domain_size;
-    // New proximity parameter m_plus, corresponding to rho_plus, needed to make sure that
-    //  alpha < rho_plus.sqrt() * (1 + 1 / (2 * m_plus))
-    let m_plus = ceil(1.0 / (2.0 * (alpha / sqrt(rho_plus) - 1.0)));
-
     // List size
     let l_plus = (2.0 * m_plus + 1.0) / (2.0 * sqrt(rho_plus));
 
@@ -339,7 +341,7 @@ fn proven_security_protocol_for_m(
     // can be approximated by |F| for all practical domain sizes. We also use the blow-up factor
     // as an upper bound for the maximal constraint degree.
     let deep_err_bits =
-        -log2(l_plus * (max_deg * (trace_domain_size + 1.0) + (trace_domain_size - 1.0)))
+        -log2(l_plus * (max_deg * (trace_domain_size + num_openings - 1.0) + (trace_domain_size - 1.0)))
             + extension_field_bits;
 
     let min = cmp::min(cmp::min(fri_err_bits, ali_err_bits as u64), deep_err_bits as u64);