diff --git a/air/src/proof/mod.rs b/air/src/proof/mod.rs
index 9cd1fa180..1014b156b 100644
--- a/air/src/proof/mod.rs
+++ b/air/src/proof/mod.rs
@@ -288,11 +288,30 @@ fn proven_security_protocol_for_m(
 let m = m as f64;
 let rho = 1.0 / options.blowup_factor() as f64;
 let alpha = (1.0 + 0.5 / m) * sqrt(rho);
- let theta = 1.0 - alpha;
- let max_deg = options.blowup_factor() as f64;
+ let max_deg = options.blowup_factor() as f64 + 1.0;
+ // To apply Theorem 8 in https://eprint.iacr.org/2022/1216.pdf, we need to apply FRI with
+ // a slightly larger agreement parameter alpha.
+ // More concretely, we need alpha > rho_plus.sqrt() where rho_plus is the rate in function field
+ // F(Z) and defined as (trace_domain_size + 2.0) / lde_domain_size .
+ // This means that the range of m needs to be restricted in order to ensure that
+ // alpha := 1 - theta := rho.sqrt() * (1 + 1/2m) is greater than rho_plus.sqrt().
+ // Determining the range of m is the responsibility of the calling function.
+ // Now, once m is fixed, we need to make sure that we choose an m_plus such that
+ // alpha <= rho_plus.sqrt() * (1 + 1/2m_plus). This m_plus will be used to define
+ // the list-decoding list size in F(Z).
+
+ // Modified rate in function field F(Z)
 let lde_domain_size = (trace_domain_size * options.blowup_factor()) as f64;
 let trace_domain_size = trace_domain_size as f64;
+ let num_openings = 2.0;
+ let rho_plus = (trace_domain_size + num_openings) / lde_domain_size;
+
+ // New proximity parameter m_plus, corresponding to rho_plus, needed to make sure that
+ // alpha < rho_plus.sqrt() * (1 + 1 / (2 * m_plus))
+ let m_plus = ceil(1.0 / (2.0 * (alpha / sqrt(rho_plus) - 1.0)));
+ let alpha_plus = (1.0 + 0.5 / m_plus) * sqrt(rho_plus);
+ let theta_plus = 1.0 - alpha_plus;
 // Computes FRI commit-phase (i.e., pre-query) soundness error.
 // This considers only the first term given in eq. 7 in https://eprint.iacr.org/2022/1216.pdf,
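Review bot: `m_plus` is derived from `alpha / sqrt(rho_plus) - 1.0` with no check that `alpha > sqrt(rho_plus)`, and after this change the value also feeds `alpha_plus` and `theta_plus`, so it now reaches the FRI query-phase term and not only the list size. If a caller passes an `m` outside the range the comment delegates to it, the divisor is zero or negative and `m_plus` becomes infinite or negative; the result then depends on how infinity and NaN pass through the later `as u64` casts rather than on an explicit rejection. A guard placed right after `rho_plus` would make the precondition visible, for example `debug_assert!(alpha > sqrt(rho_plus), "m out of range for rho_plus");`, or an early return of zero bits if the return type allows it. The function body starts and ends outside this hunk, so the restriction may already be enforced by the caller; in that case a one-line comment naming where it is enforced would be enough.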
@@ -302,7 +321,7 @@ fn proven_security_protocol_for_m(
 // Compute FRI query-phase soundness error
 let fri_queries_err_bits =
- options.grinding_factor() as f64 - log2(powf(1.0 - theta, num_fri_queries));
+ options.grinding_factor() as f64 - log2(powf(1.0 - theta_plus, num_fri_queries));
 // Combined error for FRI
 let fri_err_bits = cmp::min(fri_commit_err_bits as u64, fri_queries_err_bits as u64);
@@ -311,23 +330,6 @@ fn proven_security_protocol_for_m(
 }
 let fri_err_bits = fri_err_bits - 1;
- // To apply Theorem 8 in https://eprint.iacr.org/2022/1216.pdf, we need to apply FRI with
- // a slightly larger agreement parameter alpha.
- // More concretely, we need alpha > rho_plus.sqrt() where rho_plus is the rate in function field
- // F(Z) and defined as (trace_domain_size + 2.0) / lde_domain_size .
- // This means that the range of m needs to be restricted in order to ensure that
- // alpha := 1 - theta := rho.sqrt() * (1 + 1/2m) is greater than rho_plus.sqrt().
- // Determining the range of m is the responsibility of the calling function.
- // Now, once m is fixed, we need to make sure that we choose an m_plus such that
- // alpha <= rho_plus.sqrt() * (1 + 1/2m_plus). This m_plus will be used to define
- // the list-decoding list size in F(Z).
-
- // Modified rate in function field F(Z)
- let rho_plus = (trace_domain_size + 2.0) / lde_domain_size;
- // New proximity parameter m_plus, corresponding to rho_plus, needed to make sure that
- // alpha < rho_plus.sqrt() * (1 + 1 / (2 * m_plus))
- let m_plus = ceil(1.0 / (2.0 * (alpha / sqrt(rho_plus) - 1.0)));
-
 // List size
 let l_plus = (2.0 * m_plus + 1.0) / (2.0 * sqrt(rho_plus));
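Review bot: Replacing `theta` with `theta_plus` in `fri_queries_err_bits` makes the query-phase term depend on how `m_plus` is rounded, and the rounding direction does not match the comment added in the first hunk. Because `m_plus` is rounded up with `ceil`, `(1.0 + 0.5 / m_plus) * sqrt(rho_plus)` is at most `alpha`, so `theta_plus >= theta` and this term can only stay equal or grow compared with the old code, whereas the comment asks for `alpha <= rho_plus.sqrt() * (1 + 1/2m_plus)`, the opposite inequality. If running the analysis at the larger proximity parameter is what Theorem 8 intends, the comment should say so, for example `// ceil() gives alpha_plus <= alpha, i.e. theta_plus >= theta; FRI is analysed at theta_plus`; otherwise the rounding needs another look. If no test pins the estimate for a known parameter set yet, adding one would catch a silent shift in either direction.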
@@ -339,7 +341,7 @@ fn proven_security_protocol_for_m(
 // can be approximated by |F| for all practical domain sizes. We also use the blow-up factor
 // as an upper bound for the maximal constraint degree.
 let deep_err_bits =
- -log2(l_plus * (max_deg * (trace_domain_size + 1.0) + (trace_domain_size - 1.0)))
+ -log2(l_plus * (max_deg * (trace_domain_size + num_openings - 1.0) + (trace_domain_size - 1.0)))
 + extension_field_bits;
 let min = cmp::min(cmp::min(fri_err_bits, ali_err_bits as u64), deep_err_bits as u64);
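Review bot: The context comment above `deep_err_bits` still says the blow-up factor is used as the upper bound for the maximal constraint degree, but the first hunk changes `max_deg` to `options.blowup_factor() as f64 + 1.0`, so the comment no longer describes the value used here. It should name the new bound and the reason for the extra one, along the lines of `// as an upper bound for the maximal constraint degree we use blowup_factor + 1.` With `num_openings = 2.0` the term `trace_domain_size + num_openings - 1.0` equals the old `trace_domain_size + 1.0`, so the numeric change in this expression comes from `max_deg` alone, which makes an accurate comment more important. The rewritten `-log2(...)` line also looks longer than rustfmt's default 100 columns once indented; running `cargo fmt` would settle that.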