refactor: remove GKR related code

README.md

@@ -39,7 +39,6 @@ Over time, we hope extend the library with additional features:
 
 **Perfect zero-knowledge.** The current implementation provides succinct proofs but NOT perfect zero-knowledge. This means that, in its current form, the library may not be suitable for use cases where proofs must not leak any info about secret inputs.
 
-**Auxiliary GKR proofs.** It will be possible to attach auxiliary GKR-based proofs to the base STARK proofs. This will enable powerful new ways of defining constraints and optimizing prover performance.
 
 ### Project structure
 The project is organized into several crates like so:

air/src/air/aux.rs

@@ -3,132 +3,22 @@
 // This source code is licensed under the MIT license found in the
 // LICENSE file in the root directory of this source tree.
 
-use alloc::{string::ToString, vec::Vec};
-
-use crypto::{ElementHasher, RandomCoin, RandomCoinError};
-use math::FieldElement;
-use utils::Deserializable;
-
-use super::lagrange::LagrangeKernelRandElements;
+use alloc::vec::Vec;
 
 /// Holds the randomly generated elements necessary to build the auxiliary trace.
-///
-/// Specifically, [`AuxRandElements`] currently supports 3 types of random elements:
-/// - the ones needed to build the Lagrange kernel column (when using GKR to accelerate LogUp),
-/// - the ones needed to build the "s" auxiliary column (when using GKR to accelerate LogUp),
-/// - the ones needed to build all the other auxiliary columns
 #[derive(Debug, Clone)]
 pub struct AuxRandElements<E> {
     rand_elements: Vec<E>,
-    gkr: Option<GkrRandElements<E>>,
 }
 
 impl<E> AuxRandElements<E> {
-    /// Creates a new [`AuxRandElements`], where the auxiliary trace doesn't contain a Lagrange
-    /// kernel column.
+    /// Creates a new [`AuxRandElements`].
     pub fn new(rand_elements: Vec<E>) -> Self {
-        Self { rand_elements, gkr: None }
-    }
-
-    /// Creates a new [`AuxRandElements`], where the auxiliary trace contains columns needed when
-    /// using GKR to accelerate LogUp (i.e. a Lagrange kernel column and the "s" column).
-    pub fn new_with_gkr(rand_elements: Vec<E>, gkr: GkrRandElements<E>) -> Self {
-        Self { rand_elements, gkr: Some(gkr) }
+        Self { rand_elements }
     }
 
-    /// Returns the random elements needed to build all columns other than the two GKR-related ones.
+    /// Returns the random elements needed to build all columns.
     pub fn rand_elements(&self) -> &[E] {
         &self.rand_elements
     }
-
-    /// Returns the random elements needed to build the Lagrange kernel column.
-    pub fn lagrange(&self) -> Option<&LagrangeKernelRandElements<E>> {
-        self.gkr.as_ref().map(|gkr| &gkr.lagrange)
-    }
-
-    /// Returns the random values used to linearly combine the openings returned from the GKR proof.
-    ///
-    /// These correspond to the lambdas in our documentation.
-    pub fn gkr_openings_combining_randomness(&self) -> Option<&[E]> {
-        self.gkr.as_ref().map(|gkr| gkr.openings_combining_randomness.as_ref())
-    }
-}
-
-/// Holds all the random elements needed when using GKR to accelerate LogUp.
-///
-/// This consists of two sets of random values:
-/// 1. The Lagrange kernel random elements (expanded on in [`LagrangeKernelRandElements`]), and
-/// 2. The "openings combining randomness".
-///
-/// After the verifying the LogUp-GKR circuit, the verifier is left with unproven claims provided
-/// nondeterministically by the prover about the evaluations of the MLE of the main trace columns at
-/// the Lagrange kernel random elements. Those claims are (linearly) combined into one using the
-/// openings combining randomness.
-#[derive(Clone, Debug)]
-pub struct GkrRandElements<E> {
-    lagrange: LagrangeKernelRandElements<E>,
-    openings_combining_randomness: Vec<E>,
-}
-
-impl<E> GkrRandElements<E> {
-    /// Constructs a new [`GkrRandElements`] from [`LagrangeKernelRandElements`], and the openings
-    /// combining randomness.
-    ///
-    /// See [`GkrRandElements`] for a more detailed description.
-    pub fn new(
-        lagrange: LagrangeKernelRandElements<E>,
-        openings_combining_randomness: Vec<E>,
-    ) -> Self {
-        Self { lagrange, openings_combining_randomness }
-    }
-
-    /// Returns the random elements needed to build the Lagrange kernel column.
-    pub fn lagrange_kernel_rand_elements(&self) -> &LagrangeKernelRandElements<E> {
-        &self.lagrange
-    }
-
-    /// Returns the random values used to linearly combine the openings returned from the GKR proof.
-    pub fn openings_combining_randomness(&self) -> &[E] {
-        &self.openings_combining_randomness
-    }
-}
-
-/// A trait for verifying a GKR proof.
-///
-/// Specifically, the use case in mind is proving the constraints of a LogUp bus using GKR, as
-/// described in [Improving logarithmic derivative lookups using
-/// GKR](https://eprint.iacr.org/2023/1284.pdf).
-pub trait GkrVerifier {
-    /// The GKR proof.
-    type GkrProof: Deserializable;
-    /// The error that can occur during GKR proof verification.
-    type Error: ToString;
-
-    /// Verifies the GKR proof, and returns the random elements that were used in building
-    /// the Lagrange kernel auxiliary column.
-    fn verify<E, Hasher>(
-        &self,
-        gkr_proof: Self::GkrProof,
-        public_coin: &mut impl RandomCoin<BaseField = E::BaseField, Hasher = Hasher>,
-    ) -> Result<GkrRandElements<E>, Self::Error>
-    where
-        E: FieldElement,
-        Hasher: ElementHasher<BaseField = E::BaseField>;
-}
-
-impl GkrVerifier for () {
-    type GkrProof = ();
-    type Error = RandomCoinError;
-
-    fn verify<E, Hasher>(
-        &self,
-        _gkr_proof: Self::GkrProof,
-        _public_coin: &mut impl RandomCoin<BaseField = E::BaseField, Hasher = Hasher>,
-    ) -> Result<GkrRandElements<E>, Self::Error>
-    where
-        E: FieldElement,
-        Hasher: ElementHasher<BaseField = E::BaseField>,
-    {
-        Ok(GkrRandElements::new(LagrangeKernelRandElements::default(), Vec::new()))
-    }
 }

air/src/air/coefficients.rs

@@ -32,16 +32,8 @@ use math::{get_power_series, get_power_series_with_offset, FieldElement};
 pub struct ConstraintCompositionCoefficients<E: FieldElement> {
     pub transition: Vec<E>,
     pub boundary: Vec<E>,
-    pub lagrange: Option<LagrangeConstraintsCompositionCoefficients<E>>,
 }
 
-/// Stores the constraint composition coefficients for the Lagrange kernel transition and boundary
-/// constraints.
-#[derive(Debug, Clone)]
-pub struct LagrangeConstraintsCompositionCoefficients<E: FieldElement> {
-    pub transition: Vec<E>,
-    pub boundary: E,
-}
 // DEEP COMPOSITION COEFFICIENTS
 // ================================================================================================
 /// Coefficients used in construction of DEEP composition polynomial.
@@ -83,33 +75,12 @@ pub struct LagrangeConstraintsCompositionCoefficients<E: FieldElement> {
 ///    Theorem 8 of https://eprint.iacr.org/2022/1216.
 /// 3. The error will depend on the batching used in building the DEEP polynomial. More precisely,
 ///    when using algebraic batching there is a loss of log_2(k + m - 1) bits of soundness.
-///
-/// In the case when the trace polynomials contain a trace polynomial corresponding to a Lagrange
-/// kernel column, the above expression of $Y(x)$ includes the additional term given by
-///
-/// $$
-/// \gamma \cdot \frac{T_l(x) - p_S(x)}{Z_S(x)}
-/// $$
-///
-/// where:
-///
-/// 1. $\gamma$ is the composition coefficient for the Lagrange kernel trace polynomial.
-/// 2. $T_l(x) is the evaluation of the Lagrange trace polynomial at $x$.
-/// 3. $S$ is the set of opening points for the Lagrange kernel i.e.,
-///    $S := {z, z.g, z.g^2, ..., z.g^{2^{log_2(\nu) - 1}}}$.
-/// 4. $p_S(X)$ is the polynomial of minimal degree interpolating the set ${(a, T_l(a)): a \in S}$.
-/// 5. $Z_S(X)$ is the polynomial of minimal degree vanishing over the set $S$.
-///
-/// Note that, if a Lagrange kernel trace polynomial is present, then the agreement parameter needs
-/// to be adapted accordingly.
 #[derive(Debug, Clone)]
 pub struct DeepCompositionCoefficients<E: FieldElement> {
     /// Trace polynomial composition coefficients $\alpha_i$.
     pub trace: Vec<E>,
     /// Constraint column polynomial composition coefficients $\beta_j$.
     pub constraints: Vec<E>,
-    /// Lagrange kernel trace polynomial composition coefficient $\gamma$.
-    pub lagrange: Option<E>,
 }
 
 impl<E: FieldElement> DeepCompositionCoefficients<E> {
@@ -133,7 +104,6 @@ impl<E: FieldElement> DeepCompositionCoefficients<E> {
         Ok(DeepCompositionCoefficients {
             trace: t_coefficients,
             constraints: c_coefficients,
-            lagrange: None,
         })
     }
 
@@ -162,7 +132,6 @@ impl<E: FieldElement> DeepCompositionCoefficients<E> {
         Ok(DeepCompositionCoefficients {
             trace: t_coefficients,
             constraints: c_coefficients,
-            lagrange: None,
         })
     }
 }

air/src/air/context.rs

@@ -21,7 +21,6 @@ pub struct AirContext<B: StarkField> {
     pub(super) aux_transition_constraint_degrees: Vec<TransitionConstraintDegree>,
     pub(super) num_main_assertions: usize,
     pub(super) num_aux_assertions: usize,
-    pub(super) lagrange_kernel_aux_column_idx: Option<usize>,
     pub(super) ce_blowup_factor: usize,
     pub(super) trace_domain_generator: B,
     pub(super) lde_domain_generator: B,
@@ -62,7 +61,6 @@ impl<B: StarkField> AirContext<B> {
             Vec::new(),
             num_assertions,
             0,
-            None,
             options,
         )
     }
@@ -95,7 +93,6 @@ impl<B: StarkField> AirContext<B> {
         aux_transition_constraint_degrees: Vec<TransitionConstraintDegree>,
         num_main_assertions: usize,
         num_aux_assertions: usize,
-        lagrange_kernel_aux_column_idx: Option<usize>,
         options: ProofOptions,
     ) -> Self {
         assert!(
@@ -124,15 +121,6 @@ impl<B: StarkField> AirContext<B> {
             );
         }
 
-        // validate Lagrange kernel aux column, if any
-        if let Some(lagrange_kernel_aux_column_idx) = lagrange_kernel_aux_column_idx {
-            assert!(
-            lagrange_kernel_aux_column_idx == trace_info.get_aux_segment_width() - 1,
-            "Lagrange kernel column should be the last column of the auxiliary trace: index={}, but aux trace width is {}",
-            lagrange_kernel_aux_column_idx, trace_info.get_aux_segment_width()
-            );
-        }
-
         // determine minimum blowup factor needed to evaluate transition constraints by taking
         // the blowup factor of the highest degree constraint
         let mut ce_blowup_factor = 0;
@@ -165,7 +153,6 @@ impl<B: StarkField> AirContext<B> {
             aux_transition_constraint_degrees,
             num_main_assertions,
             num_aux_assertions,
-            lagrange_kernel_aux_column_idx,
             ce_blowup_factor,
             trace_domain_generator: B::get_root_of_unity(trace_length.ilog2()),
             lde_domain_generator: B::get_root_of_unity(lde_domain_size.ilog2()),
@@ -209,8 +196,7 @@ impl<B: StarkField> AirContext<B> {
         self.trace_info.length() * self.options.blowup_factor()
     }
 
-    /// Returns the number of transition constraints for a computation, excluding the Lagrange
-    /// kernel transition constraints, which are managed separately.
+    /// Returns the number of transition constraints for a computation.
     ///
     /// The number of transition constraints is defined by the total number of transition constraint
     /// degree descriptors (for both the main and the auxiliary trace constraints). This number is
@@ -230,18 +216,7 @@ impl<B: StarkField> AirContext<B> {
         self.aux_transition_constraint_degrees.len()
     }
 
-    /// Returns the index of the auxiliary column which implements the Lagrange kernel, if any
-    pub fn lagrange_kernel_aux_column_idx(&self) -> Option<usize> {
-        self.lagrange_kernel_aux_column_idx
-    }
-
-    /// Returns true if the auxiliary trace segment contains a Lagrange kernel column
-    pub fn has_lagrange_kernel_aux_column(&self) -> bool {
-        self.lagrange_kernel_aux_column_idx().is_some()
-    }
-
-    /// Returns the total number of assertions defined for a computation, excluding the Lagrange
-    /// kernel assertion, which is managed separately.
+    /// Returns the total number of assertions defined for a computation.
     ///
     /// The number of assertions consists of the assertions placed against the main segment of an
     /// execution trace as well as assertions placed against the auxiliary trace segment.
@@ -287,11 +262,6 @@ impl<B: StarkField> AirContext<B> {
     /// if the highest constraint degree is equal to `5`, the constraint composition polynomial will
     /// require four columns and if the highest constraint degree is equal to `7`, it will require
     /// six columns to store.
-    ///
-    /// Note that the Lagrange kernel constraints require only 1 column, since the degree of the
-    /// numerator is `trace_len - 1` for all transition constraints (i.e. the base degree is 1).
-    /// Hence, no matter what the degree of the divisor is for each, the degree of the fraction will
-    /// be at most `trace_len - 1`.
     pub fn num_constraint_composition_columns(&self) -> usize {
         let mut highest_constraint_degree = 0_usize;
         for degree in self

air/src/air/divisor.rs

@@ -49,9 +49,7 @@ impl<B: StarkField> ConstraintDivisor<B> {
     /// and $k$ is the number of exemption points. The default value for $k$ is $1$.
     ///
     /// The above divisor specifies that transition constraints must hold on all steps of the
-    /// constraint enforcement domain except for the last $k$ steps. The constraint enforcement
-    /// domain is the entire trace in the case of transition constraints, but only a subset of the
-    /// trace for Lagrange kernel transition constraints.
+    /// constraint enforcement domain except for the last $k$ steps.
     pub fn from_transition(
         constraint_enforcement_domain_size: usize,
         num_exemptions: usize,