reverse remainder commitment (#373)

Author: Al-Kindi-0

CHANGELOG.md

@@ -11,6 +11,7 @@
 - Update security estimator to take batching method into account (#361).
 - [BREAKING] Added option for algebraic batching to build constraint composition polynomial (#363).
 - Updated minimum supported Rust version to 1.84.
+- Commit to coefficients of FRI remainder polynomial in reverse order (#373).
 
 ## 0.11.0 (2024-11-24)
 - [BREAKING] Made the prover generic over the `ConstraintCommitment` type (#343).

fri/src/prover/mod.rs

@@ -223,11 +223,16 @@ where
 
     /// Creates remainder polynomial in coefficient form from a vector of `evaluations` over a
     /// domain.
+    ///
+    /// We commit to the coefficients of the remainder polynomial in reverse order so that
+    /// evaluating the remainder polynomial on the verifier's end, using Horner's evaluation
+    /// method, becomes easier.
     fn set_remainder(&mut self, channel: &mut C, evaluations: &mut [E]) {
         let inv_twiddles = fft::get_inv_twiddles(evaluations.len());
         fft::interpolate_poly_with_offset(evaluations, &inv_twiddles, self.options.domain_offset());
         let remainder_poly_size = evaluations.len() / self.options.blowup_factor();
-        let remainder_poly = evaluations[..remainder_poly_size].to_vec();
+        let remainder_poly: Vec<_> =
+            evaluations[..remainder_poly_size].iter().copied().rev().collect();
         let commitment = <H as ElementHasher>::hash_elements(&remainder_poly);
         channel.commit_fri_layer(commitment);
         self.remainder_poly = FriRemainder(remainder_poly);
@@ -240,7 +245,9 @@ where
     /// For each of the provided `positions`, corresponding evaluations from each of the layers
     /// (excluding the remainder layer) are recorded into the proof together with a batch opening
     /// proof against the sent vector commitment. For the remainder, we send the whole remainder
-    /// polynomial resulting from interpolating the remainder layer evaluations.
+    /// polynomial resulting from interpolating the remainder layer evaluations. The coefficients
+    /// of the remainder polynomial are sent in reverse order so as to make evaluating it on
+    /// the verifier's end, using Horner's evaluation method, easier.
     ///
     /// # Panics
     /// Panics is the prover state is clean (no FRI layers have been build yet).

fri/src/verifier/mod.rs

@@ -308,14 +308,16 @@ where
 
         // read the remainder polynomial from the channel and make sure it agrees with the
         // evaluations from the previous layer.
+        // note that the coefficients of the remainder polynomial are sent in reverse order and
+        // this simplifies evaluation using Horner's method.
         let remainder_poly = channel.read_remainder()?;
         if remainder_poly.len() > max_degree_plus_1 {
             return Err(VerifierError::RemainderDegreeMismatch(max_degree_plus_1 - 1));
         }
         let offset: E::BaseField = self.options().domain_offset();
 
         for (&position, evaluation) in positions.iter().zip(evaluations) {
-            let comp_eval = eval_horner::<E>(
+            let comp_eval = eval_horner_rev::<E>(
                 &remainder_poly,
                 offset * domain_generator.exp_vartime((position as u64).into()),
             );
@@ -348,10 +350,11 @@ fn get_query_values<E: FieldElement, const N: usize>(
     result
 }
 
-// Evaluates a polynomial with coefficients in an extension field at a point in the base field.
-pub fn eval_horner<E>(p: &[E], x: E::BaseField) -> E
+/// Evaluates a polynomial with coefficients in an extension field given in reverse order at a point
+/// in the base field.
+fn eval_horner_rev<E>(p: &[E], x: E::BaseField) -> E
 where
     E: FieldElement,
 {
-    p.iter().rev().fold(E::ZERO, |acc, &coeff| acc * E::from(x) + coeff)
+    p.iter().fold(E::ZERO, |acc, &coeff| acc * E::from(x) + coeff)
 }