PolyhedraZK · niconiconi · Jan 23, 2025 · Jan 23, 2025 · Jan 23, 2025 · Jan 23, 2025
diff --git a/gkr/Cargo.toml b/gkr/Cargo.toml
@@ -58,7 +58,7 @@ path = "src/utils.rs"
 default = []
 # default = [ "grinding" ]
 grinding = [ "config/grinding" ]
-
+recursion = [ "transcript/recursion" ]
 
 [[bench]]
 name = "gkr-hashes"

diff --git a/gkr/src/prover/linear_gkr.rs b/gkr/src/prover/linear_gkr.rs
@@ -99,7 +99,7 @@ impl<Cfg: GKRConfig> Prover<Cfg> {
         };
         let mut buffer = vec![];
         commitment.serialize_into(&mut buffer).unwrap(); // TODO: error propagation
-        transcript.append_u8_slice(&buffer);
+        transcript.append_commitment(&buffer);
 
         transcript_root_broadcast(&mut transcript, &self.config.mpi_config);
 

diff --git a/gkr/src/verifier.rs b/gkr/src/verifier.rs
@@ -279,7 +279,14 @@ impl<Cfg: GKRConfig> Verifier<Cfg> {
             .unwrap();
         let mut buffer = vec![];
         commitment.serialize_into(&mut buffer).unwrap();
-        transcript.append_u8_slice(&buffer);
+
+        // this function will iteratively hash the commitment, and append the final hash output
+        // to the transcript. this introduces a decent circuit depth for the FS transform.
+        //
+        // note that this function is almost identical to grind, expect that grind uses a
+        // fixed hasher, where as this function uses the transcript hasher
+        let pcs_verified = transcript.append_commitment_and_check_digest(&buffer, &mut cursor);
+        log::info!("pcs verification: {}", pcs_verified);
 
         // TODO: Implement a trait containing the size function,
         // and use the following line to avoid unnecessary deserialization and serialization
@@ -303,6 +310,7 @@ impl<Cfg: GKRConfig> Verifier<Cfg> {
             &mut cursor,
         );
 
+        verified &= pcs_verified;
         log::info!("GKR verification: {}", verified);
 
         transcript_verifier_sync(&mut transcript, &self.config.mpi_config);

diff --git a/scripts/test_recursion.py b/scripts/test_recursion.py
@@ -102,7 +102,7 @@ def gkr_proof_file(prefix: str, cpu_ids: list[int]) -> str:
 
 
 def expander_compile():
-    if subprocess.run("cargo build --release --bin expander-exec", shell=True).returncode != 0:
+    if subprocess.run("cargo build --release --bin expander-exec --features=recursion", shell=True).returncode != 0:
         raise Exception("build process is not returning 0")
 
 

diff --git a/transcript/Cargo.toml b/transcript/Cargo.toml
@@ -10,3 +10,6 @@ mpi_config = { path = "../config/mpi_config" }
 
 sha2.workspace = true
 tiny-keccak.workspace = true
+
+[features]
+recursion = []
diff --git a/transcript/src/transcript.rs b/transcript/src/transcript.rs
@@ -1,14 +1,33 @@
-use std::{fmt::Debug, marker::PhantomData};
+use std::{fmt::Debug, io::Read, marker::PhantomData};
 
 use arith::{ExtensionField, Field, FieldSerde};
 use field_hashers::FiatShamirFieldHasher;
 
 use crate::{fiat_shamir_hash::FiatShamirBytesHash, Proof};
 
+// When appending the initial commitment, we hash the commitment bytes
+// for sufficient number of times, so that the FS hash has a sufficient circuit depth
+
+#[cfg(not(feature = "recursion"))]
+const PCS_DIGEST_LOOP: usize = 1000;
+
 pub trait Transcript<F: ExtensionField>: Clone + Debug {
     /// Create a new transcript.
     fn new() -> Self;
 
+    /// Append a polynomial commitment to the transcript
+    /// called by the prover
+    fn append_commitment(&mut self, commitment_bytes: &[u8]);
+
+    /// Append a polynomial commitment to the transcript
+    /// check that the pcs digest in the proof is correct
+    /// called by the verifier
+    fn append_commitment_and_check_digest<R: Read>(
+        &mut self,
+        commitment_bytes: &[u8],
+        proof_reader: &mut R,
+    ) -> bool;
+
     /// Append a field element to the transcript.
     fn append_field_element(&mut self, f: &F);
 
@@ -103,6 +122,53 @@ impl<F: ExtensionField, H: FiatShamirBytesHash> Transcript<F> for BytesHashTrans
         }
     }
 
+    #[inline]
+    fn append_commitment(&mut self, commitment_bytes: &[u8]) {
+        self.append_u8_slice(commitment_bytes);
+
+        #[cfg(not(feature = "recursion"))]
+        {
+            // When appending the initial commitment, we hash the commitment bytes
+            // for sufficient number of times, so that the FS hash has a sufficient circuit depth
+            let mut digest = [0u8; 32];
+            H::hash(&mut digest, commitment_bytes);
+            for _ in 0..PCS_DIGEST_LOOP {
+                H::hash_inplace(&mut digest);
+            }
+            self.append_u8_slice(&digest);
+        }
+    }
+
+    #[inline]
+    /// check that the pcs digest in the proof is correct
+    fn append_commitment_and_check_digest<R: Read>(
+        &mut self,
+        commitment_bytes: &[u8],
+        _proof_reader: &mut R,
+    ) -> bool {
+        self.append_u8_slice(commitment_bytes);
+
+        #[cfg(not(feature = "recursion"))]
+        {
+            // When appending the initial commitment, we hash the commitment bytes
+            // for sufficient number of times, so that the FS hash has a sufficient circuit depth
+            let mut digest = [0u8; 32];
+            H::hash(&mut digest, commitment_bytes);
+            for _ in 0..PCS_DIGEST_LOOP {
+                H::hash_inplace(&mut digest);
+            }
+            self.append_u8_slice(&digest);
+
+            // check that digest matches the proof
+            let mut pcs_digest = [0u8; 32];
+            _proof_reader.read_exact(&mut pcs_digest).unwrap();
+
+            digest == pcs_digest
+        }
+        #[cfg(feature = "recursion")]
+        true
+    }
+
     fn append_field_element(&mut self, f: &F) {
         let mut buf = vec![];
         f.serialize_into(&mut buf).unwrap();
@@ -238,6 +304,58 @@ where
         }
     }
 
+    #[inline]
+    fn append_commitment(&mut self, commitment_bytes: &[u8]) {
+        self.append_u8_slice(commitment_bytes);
+
+        #[cfg(not(feature = "recursion"))]
+        {
+            // When appending the initial commitment, we hash the commitment bytes
+            // for sufficient number of times, so that the FS hash has a sufficient circuit depth
+            let mut challenge = self.generate_challenge_field_element().to_limbs();
+            let hasher = H::new();
+            for _ in 0..PCS_DIGEST_LOOP {
+                challenge = hasher.hash_to_state(&challenge);
+            }
+
+            let mut digest_bytes = vec![];
+            challenge.serialize_into(&mut digest_bytes).unwrap();
+            self.append_u8_slice(&digest_bytes);
+        }
+    }
+
+    #[inline]
+    fn append_commitment_and_check_digest<R: Read>(
+        &mut self,
+        commitment_bytes: &[u8],
+        _proof_reader: &mut R,
+    ) -> bool {
+        self.append_u8_slice(commitment_bytes);
+
+        #[cfg(not(feature = "recursion"))]
+        {
+            // When appending the initial commitment, we hash the commitment bytes
+            // for sufficient number of times, so that the FS hash has a sufficient circuit depth
+            let mut challenge = self.generate_challenge_field_element().to_limbs();
+            let hasher = H::new();
+            for _ in 0..PCS_DIGEST_LOOP {
+                challenge = hasher.hash_to_state(&challenge);
+            }
+            let mut digest_bytes = vec![];
+            challenge.serialize_into(&mut digest_bytes).unwrap();
+            self.append_u8_slice(&digest_bytes);
+
+            // check that digest matches the proof
+            let challenge_from_proof =
+                Vec::<ChallengeF::BaseField>::deserialize_from(_proof_reader).unwrap();
+
+            challenge_from_proof == challenge
+        }
+
+        #[cfg(feature = "recursion")]
+        true
+    }
+
     fn append_field_element(&mut self, f: &ChallengeF) {
         if !self.proof_locked {
             let mut buffer = vec![];