Perf/fri merkle folding #611
Draft
diegokingston wants to merge 3 commits into
A Merkle cap commits the top 2^cap_height tree nodes instead of a single root, so every authentication path stops cap_height levels early — smaller proofs and cap_height fewer hash compressions per opening. The cap is just a slice of the existing heap-ordered node array (the nodes at tree depth cap_height), so no new tree storage is needed. Adds `cap`, `get_proof_by_pos_capped`, `get_batch_proof_capped`, and `Proof`/`BatchProof::verify_capped`; the existing root-based methods become cap_height=0 wrappers and are bit-for-bit unchanged in behavior. cap_height clamps to the tree depth, so small trees degrade gracefully to a single root. Stage 1 of the caps + arity-4 FRI plan; purely additive, no STARK-layer changes yet.
`FieldElementQuadBackend` hashes a fixed group of four field elements into one leaf. With arity-4 FRI folding a single fold orbit is four evaluations that are always opened together, so they belong under one leaf hash — this is the FRI-layer leaf for the arity-4 commit phase. Mirrors the existing `FieldElementPairBackend`; exposed as `QuadKeccak256Backend`. Building block for stage 2b (arity-4 FRI).
Codex Code Review
Findings
No other real issues found in the PR diff. I attempted to run |
| let cap_height = cap.len().trailing_zeros() as usize; | ||
| // Process level by level, from the leaves up to the cap level, same as | ||
| // `get_batch_auth_path_positions`. | ||
| for _ in 0..depth - cap_height { |
Medium — DoS via usize underflow
depth - cap_height is an unchecked usize subtraction. If a caller passes a cap with more nodes than the tree has leaves (e.g. cap.len() = 2 * num_leaves), then cap_height > depth, which:
- debug builds: panics immediately.
- release builds: wraps to `usize::MAX`, causing the `for` loop to iterate ~2⁶⁴ times (effectively an infinite hang).
The is_power_of_two guard a few lines up doesn't prevent this — it only ensures the cap is a power of two, not that it's ≤ num_leaves.
The verifier is meant to be called with untrusted inputs, so this needs a bounds check before the arithmetic:
Suggested change
| for _ in 0..depth - cap_height { | |
| let depth = num_leaves.trailing_zeros() as usize; | |
| let cap_height = cap.len().trailing_zeros() as usize; | |
| if cap_height > depth { | |
| return false; | |
| } | |
| // Process level by level, from the leaves up to the cap level, same as | |
| // `get_batch_auth_path_positions`. | |
| for _ in 0..depth - cap_height { |
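Review bot: the replacement text in this suggestion begins by re-declaring `cap_height` and repeating the "Process level by level" comment, both of which already sit directly above the `for _ in 0..depth - cap_height {` line it replaces, so applying it verbatim would duplicate them (and shadow `depth` if that is also declared above). Only the `if cap_height > depth { return false; }` guard needs to go in front of the loop; `depth.checked_sub(cap_height)` would express the same bound without a separate comparison.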
Commit the top 2^c Merkle nodes as a cap instead of a single root, so every opening path is c hashes shorter, and fold FRI by 4 per committed layer (two binary folds) to halve the number of FRI trees and paths.

- StarkProof / prover / verifier carry MerkleCap commitments; preprocessed trees stay uncapped to preserve the AIR-hardcoded constants.
- FRI layers commit quad-leaf trees (one leaf per arity-4 fold orbit); commit_phase does one uncommitted initial fold then number_layers/2 arity-4 layers, folding to a constant last value.
- Verifier replays two challenges per committed layer and folds each 4-element orbit, with the (-1)^(index&1) twiddle parity handled.

The CUDA pair-leaf FRI tree builder is now stale w.r.t. arity-4; its CPU-parity test is disabled with a TODO until the CUDA builder is updated.
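The capped opening described in the commit messages and the bounded verifier requested in the review, as an added example that is not code from this PR. It assumes `u64` nodes and a toy mixing function `h2` in place of Keccak256; `build`, `open` and `verify` are hypothetical names, and the guard is written with `checked_sub` rather than the `if cap_height > depth` form in the suggestion.

```rust
// Stand-in 64-bit compression function, NOT cryptographic (assumption; replaces Keccak256).
fn h2(l: u64, r: u64) -> u64 {
    (l.rotate_left(5) ^ r).wrapping_mul(0x9E37_79B9_7F4A_7C15)
}

// Heap-ordered tree over 2^k leaves: nodes[0] is the root, children of i are 2i+1 and 2i+2.
fn build(leaves: &[u64]) -> Vec<u64> {
    let n = leaves.len();
    let mut nodes = vec![0u64; 2 * n - 1];
    nodes[n - 1..].copy_from_slice(leaves);
    for i in (0..n - 1).rev() {
        nodes[i] = h2(nodes[2 * i + 1], nodes[2 * i + 2]);
    }
    nodes
}

// Prover: the cap is the slice of nodes at depth c; the path stops c levels below the root.
fn open(nodes: &[u64], pos: usize, cap_height: usize) -> (Vec<u64>, Vec<u64>) {
    let n = (nodes.len() + 1) / 2;
    let depth = n.trailing_zeros() as usize;
    let c = cap_height.min(depth); // clamp, so a small tree degrades to a single root
    let (mut i, mut path) = (n - 1 + pos, Vec::new());
    for _ in 0..depth - c {
        path.push(nodes[if i % 2 == 1 { i + 1 } else { i - 1 }]);
        i = (i - 1) / 2;
    }
    (nodes[(1usize << c) - 1..(1usize << (c + 1)) - 1].to_vec(), path)
}

// Verifier: every argument is untrusted, so bound the cap before subtracting.
fn verify(cap: &[u64], num_leaves: usize, pos: usize, leaf: u64, path: &[u64]) -> bool {
    if !cap.len().is_power_of_two() || !num_leaves.is_power_of_two() || pos >= num_leaves {
        return false;
    }
    let depth = num_leaves.trailing_zeros() as usize;
    let cap_height = cap.len().trailing_zeros() as usize;
    // checked_sub rejects cap_height > depth instead of panicking or wrapping.
    let levels = match depth.checked_sub(cap_height) { Some(l) => l, None => return false };
    let (mut acc, mut idx) = (leaf, pos);
    for sib in path {
        acc = if idx & 1 == 0 { h2(acc, *sib) } else { h2(*sib, acc) };
        idx >>= 1;
    }
    path.len() == levels && cap[idx] == acc
}

fn main() {
    let (cap, path) = open(&build(&[10, 11, 12, 13, 14, 15, 16, 17]), 5, 2);
    println!("cap={} path={} ok={}", cap.len(), path.len(), verify(&cap, 8, 5, 15, &path));
}
```

The final `&&` short-circuits, so `cap[idx]` is never indexed when the path length does not match the expected number of levels.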
No description provided.