Skip to content

Feat/univariate logup gkr #1188

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
diegokingston merged 21 commits into from
Mar 9, 2026
+5,593 −273
Merged

Feat/univariate logup gkr #1188

Show file tree
Hide file tree
Changes from 16 commits
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
9b1e4be
Add univariate LogUp-GKR infrastructure
jotabulacios Feb 24, 2026
425f966
Implement Section 5 univariate IOP for LogUp-GKR (Phase 1 with Fiat-S…
jotabulacios Feb 24, 2026
3909f3b
Implement FRI PCS and univariate sumcheck for LogUp-GKR
jotabulacios Feb 25, 2026
63339a6
fix clippy
jotabulacios Feb 25, 2026
c1bc086
improve Readme
jotabulacios Feb 25, 2026
0040d41
Rename caulk_style example to univariate_to_multilinearand improve Re…
jotabulacios Feb 25, 2026
a14ec48
harden FRI PCS soundness
jotabulacios Feb 26, 2026
c3703e9
convert panics to result
jotabulacios Feb 26, 2026
bdd26a0
remane functions
jotabulacios Feb 26, 2026
64da7d1
remane PCS
jotabulacios Feb 26, 2026
866cc4c
Add univariate IOP + FRI examples for ROM check and range check
jotabulacios Feb 27, 2026
9ac1f19
remove unused commitment types and document Lagrange column's Boolean…
jotabulacios Mar 2, 2026
3caf15c
add optional serde support
jotabulacios Mar 2, 2026
7bd9704
Deduplicate FRI query indices to avoid redundant verification work
jotabulacios Mar 2, 2026
e4ec89d
fix(gkr-logup): address review findings — security comments, error ha…
diegokingston Mar 2, 2026
cb0f6f1
Remove unnecessary commitment of all-ones column
nicole-graus Mar 6, 2026
a3919c8
Make ones_are_implicit explicit in UnivariateIopProofV2 and bind it t…
nicole-graus Mar 6, 2026
2d73e22
Remove unused fix_firs_variable with different semantics from the MLE…
nicole-graus Mar 6, 2026
3a5c460
Recompute Lagrange column in verifier from OOD point instead of accep…
nicole-graus Mar 6, 2026
e0030fb
fix fmt
nicole-graus Mar 6, 2026
d47a275
fix four issues: replace assert with Err; prevent overflow; prevent a…
nicole-graus Mar 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions crates/math/src/polynomial/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,10 @@ pub use sparse::SparsePolynomial;
/// Represents the polynomial c_0 + c_1 * X + c_2 * X^2 + ... + c_n * X^n
/// as a vector of coefficients `[c_0, c_1, ... , c_n]`
#[derive(Debug, Clone, PartialEq, Eq)]
#[cfg_attr(
feature = "lambdaworks-serde-binary",
derive(serde::Serialize, serde::Deserialize)
)]
pub struct Polynomial<FE> {
pub coefficients: Vec<FE>,
}
Expand Down
4 changes: 4 additions & 0 deletions crates/provers/gkr-logup/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,10 @@ edition = "2021"
lambdaworks-math = { workspace = true }
lambdaworks-crypto = { workspace = true }
lambdaworks-sumcheck = { path = "../sumcheck" }
serde = { version = "1.0", default-features = false, features = ["derive"], optional = true }

[features]
serde = ["dep:serde", "lambdaworks-math/lambdaworks-serde-binary", "lambdaworks-crypto/serde"]

[lib]
name = "lambdaworks_gkr_logup"
Expand Down
246 changes: 213 additions & 33 deletions crates/provers/gkr-logup/README.md
View file
Open in desktop

Large diffs are not rendered by default.

24 changes: 12 additions & 12 deletions crates/provers/gkr-logup/benches/batch_vs_individual.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,8 +46,8 @@ fn make_logup_layer(num_vars: usize, seed: u64) -> Layer<F> {
fn bench_individual_grand_product(num_vars: usize, n_instances: usize) {
for i in 0..n_instances {
let layer = make_grand_product_layer(num_vars, 42 + i as u64 * 100);
let mut channel = DefaultTranscript::<F>::new(&[]);
let _ = prove(&mut channel, layer);
let mut transcript = DefaultTranscript::<F>::new(&[]);
let _ = prove(&mut transcript, layer);
}
}

Expand All @@ -56,16 +56,16 @@ fn bench_batch_grand_product(num_vars: usize, n_instances: usize) {
let layers: Vec<Layer<F>> = (0..n_instances)
.map(|i| make_grand_product_layer(num_vars, 42 + i as u64 * 100))
.collect();
let mut channel = DefaultTranscript::<F>::new(&[]);
let _ = prove_batch(&mut channel, layers);
let mut transcript = DefaultTranscript::<F>::new(&[]);
let _ = prove_batch(&mut transcript, layers);
}

/// Prove N LogUp instances individually.
fn bench_individual_logup(num_vars: usize, n_instances: usize) {
for i in 0..n_instances {
let layer = make_logup_layer(num_vars, 42 + i as u64 * 100);
let mut channel = DefaultTranscript::<F>::new(&[]);
let _ = prove(&mut channel, layer);
let mut transcript = DefaultTranscript::<F>::new(&[]);
let _ = prove(&mut transcript, layer);
}
}

Expand All @@ -74,8 +74,8 @@ fn bench_batch_logup(num_vars: usize, n_instances: usize) {
let layers: Vec<Layer<F>> = (0..n_instances)
.map(|i| make_logup_layer(num_vars, 42 + i as u64 * 100))
.collect();
let mut channel = DefaultTranscript::<F>::new(&[]);
let _ = prove_batch(&mut channel, layers);
let mut transcript = DefaultTranscript::<F>::new(&[]);
let _ = prove_batch(&mut transcript, layers);
}

/// Prove N instances with mixed sizes (half at num_vars, half at num_vars-2).
Expand All @@ -87,8 +87,8 @@ fn bench_individual_mixed_sizes(num_vars: usize, n_instances: usize) {
num_vars.saturating_sub(2).max(1)
};
let layer = make_grand_product_layer(vars, 42 + i as u64 * 100);
let mut channel = DefaultTranscript::<F>::new(&[]);
let _ = prove(&mut channel, layer);
let mut transcript = DefaultTranscript::<F>::new(&[]);
let _ = prove(&mut transcript, layer);
}
}

Expand All @@ -104,8 +104,8 @@ fn bench_batch_mixed_sizes(num_vars: usize, n_instances: usize) {
make_grand_product_layer(vars, 42 + i as u64 * 100)
})
.collect();
let mut channel = DefaultTranscript::<F>::new(&[]);
let _ = prove_batch(&mut channel, layers);
let mut transcript = DefaultTranscript::<F>::new(&[]);
let _ = prove_batch(&mut transcript, layers);
}

fn print_comparison(label: &str, individual: std::time::Duration, batch: std::time::Duration) {
Copy link

@github-actions github-actions bot Feb 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correctness:

  • No mathematical correctness issues were identified in the snippet related to modular arithmetic, field operations, curve operations, polynomial and FFT implementations, or proof systems.

Security:

  • The code does not reveal any potentially insecure operations in this snippet directly. However, it is crucial to verify if the DefaultTranscript implementation and the prove functions are side-channel resistant and follow cryptographic practices such as zeroization and secure randomness. The snippet itself does not contain any suspicious constructs in this regard, but this needs confirmation in the broader implementation context.

Performance:

  • The use of Vec<Layer<F>> to collect layers suggests some memory allocations, which is standard for batch processing. Ensure that these allocations are efficient and unavoidable.
  • There were no unnecessary allocations identified in this snippet itself.

Bugs & Errors:

  • The code consists of loops and simple operations with no explicit panics or unwraps visible. However, ensure that functions like make_grand_product_layer and make_logup_layer handle potential errors internally.
  • Potential off-by-one errors are not evident in this specific snippet, but indexing used in operations like saturating_sub should be carefully reviewed for correct handling.

Code Simplicity:

  • The repetition of the variable renaming from channel to transcript lacks clear justification visually but might imply a semantic shift or improved clarity when referring to the transcript. If there is indeed a difference, more refactoring could consolidate similar repetitive patterns.
  • This change from channel to transcript mainly impacts code readability and clarity, assuming transcript more accurately describes the variable's purpose. No overly complex implementations or duplicated code in the provided snippet itself need addressing.

Expand Down
93 changes: 93 additions & 0 deletions crates/provers/gkr-logup/examples/logup_gkr.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,93 @@
use lambdaworks_math::field::element::FieldElement;
use lambdaworks_math::field::fields::fft_friendly::quartic_babybear::Degree4BabyBearExtensionField;

use lambdaworks_gkr_logup::layer::Layer;
use lambdaworks_gkr_logup::prover;
use lambdaworks_gkr_logup::verifier::{verify, Gate};

use lambdaworks_crypto::fiat_shamir::default_transcript::DefaultTranscript;

type F = Degree4BabyBearExtensionField;
type FE = FieldElement<F>;

fn main() {
println!("=== LogUp-GKR (Multilinear MLE) ===\n");

test_logup_singles();
test_read_only_memory();

println!("\n=== All tests passed! ===");
}

fn test_logup_singles() {
println!("Test 1: LogUp Singles (ROM lookup)");

// z - access[i] denominators (multilinear MLE)
let z = FE::from(100u64);
let accesses: Vec<u64> = vec![20, 10, 20, 30, 10, 20, 40, 30];

let mle_values: Vec<FE> = accesses.iter().map(|&a| z - FE::from(a)).collect();

use lambdaworks_math::polynomial::DenseMultilinearPolynomial;
let mle = DenseMultilinearPolynomial::new(mle_values);

let layer = Layer::LogUpSingles { denominators: mle };

println!(" Layer n_variables: {}", layer.n_variables());

let mut transcript = DefaultTranscript::<F>::new(b"test1");

match prover::prove(&mut transcript, layer) {
Ok((proof, _)) => {
println!(" Proof generated!");

let gate = Gate::LogUp;
let mut transcript_verify = DefaultTranscript::<F>::new(b"test1");

match verify(gate, &proof, &mut transcript_verify) {
Ok(_) => println!(" ✓ LogUp Singles works!"),
Err(e) => println!(" ✗ Verify error: {:?}", e),
}
}
Err(e) => println!(" Error: {:?}", e),
}
}

fn test_read_only_memory() {
println!("\nTest 2: Read Only Memory (2 columns)");

let z = FE::from(1000u64);
let accesses: Vec<u64> = vec![5, 3, 5, 7, 3, 5, 9, 7];
let table: Vec<u64> = vec![3, 5, 7, 9, 11, 13, 15, 17];

let access_dens: Vec<FE> = accesses.iter().map(|&a| z - FE::from(a)).collect();
let table_dens: Vec<FE> = table.iter().map(|&t| z - FE::from(t)).collect();

use lambdaworks_math::polynomial::DenseMultilinearPolynomial;
let access_mle = DenseMultilinearPolynomial::new(access_dens);
let table_mle = DenseMultilinearPolynomial::new(table_dens);

let layer = Layer::LogUpMultiplicities {
numerators: table_mle,
denominators: access_mle,
};

println!(" Layer n_variables: {}", layer.n_variables());

let mut transcript = DefaultTranscript::<F>::new(b"test2");

match prover::prove(&mut transcript, layer) {
Ok((proof, _)) => {
println!(" Proof generated!");

let gate = Gate::LogUp;
let mut transcript_verify = DefaultTranscript::<F>::new(b"test2");

match verify(gate, &proof, &mut transcript_verify) {
Ok(_) => println!(" ✓ Read Only Memory works!"),
Err(e) => println!(" ✗ Verify error: {:?}", e),
}
}
Err(e) => println!(" Error: {:?}", e),
}
}
Copy link

@github-actions github-actions bot Feb 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correctness:

  • Ensure that the DenseMultilinearPolynomial::new constructor handles edge cases correctly, such as empty vectors, since not all mathematical libraries handle these gracefully.

Security:

  • There is no evidence that operations involving secrets are constant-time. Consider reviewing operations involving sensitive data to protect against timing side-channels.
  • Verify that sensitive data in DefaultTranscript is properly zeroized after use to avoid leaving sensitive information in memory.
  • Ensure cryptographically secure randomness is used, particularly in the prover::prove function. Evaluate the security of randomness generation in the context of the whole library.
  • Confirm that there are no secret-dependent branches in the operations. Currently, it's unclear if branches could leak sensitive information.
  • There is no explicit mention of domain separation when using hash functions in transcripts. Ensure you're using domain separation to avoid potential collision risks among different contexts.

Performance:

  • Consider potential optimizations to reduce unnecessary memory allocations. Frequent vector creation, such as conversion in every map call, could be optimized.
  • Examine if the - operation in z - FE::from(a) can be further optimized if there's redundant computation of inverses or unnecessary calculations.

Bugs & Errors:

  • The code seems to handle potential errors during proof generation and verification with match statements. However, ensure these are comprehensive in handling all possible errors in production.
  • No potential panics were spotted, but verify any unchecked indexing or unwraps not present in the provided snippet.
  • Review potential integer overflows in your from operations. Ensure conversions like FE::from(u64) handle exceptions if the range goes beyond field limits.

Code Simplicity:

  • The logic is broadly clear, but there may be an abstraction layer at which point the implementation details for DenseMultilinearPolynomial and Layer could be encapsulated to increase simplicity.
  • Eliminate duplicated logic around proof generation and verification to make the code more concise and maintainable.

25 changes: 17 additions & 8 deletions crates/provers/gkr-logup/examples/read_only_memory.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,9 +76,9 @@ fn main() {
// Prove: batch both instances into a single GKR proof
// -------------------------------------------------------
println!("--- Proving ---");
let mut prover_channel = DefaultTranscript::<F>::new(&[]);
let mut prover_transcript = DefaultTranscript::<F>::new(&[]);
let (proof, _artifact) =
prove_batch(&mut prover_channel, vec![access_layer, table_layer]).unwrap();
prove_batch(&mut prover_transcript, vec![access_layer, table_layer]).unwrap();

println!(
"Batch proof: {} sumcheck layers, {} instances",
Expand All @@ -91,8 +91,12 @@ fn main() {
// Verify: batch verification
// -------------------------------------------------------
println!("--- Verifying ---");
let mut verifier_channel = DefaultTranscript::<F>::new(&[]);
let result = verify_batch(&[Gate::LogUp, Gate::LogUp], &proof, &mut verifier_channel);
let mut verifier_transcript = DefaultTranscript::<F>::new(&[]);
let result = verify_batch(
&[Gate::LogUp, Gate::LogUp],
&proof,
&mut verifier_transcript,
);

match &result {
Ok(artifact) => {
Expand Down Expand Up @@ -151,11 +155,16 @@ fn main() {
denominators: DenseMultilinearPolynomial::new(table_dens2),
};

let mut p_ch = DefaultTranscript::<F>::new(&[]);
let (bad_proof, _) = prove_batch(&mut p_ch, vec![bad_access_layer, table_layer2]).unwrap();
Copy link

@github-actions github-actions bot Mar 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correctness

  • The use of unwrap() in prove_batch can lead to potential panics if the operation fails. Consider using expect() for error messages or handling the error gracefully to provide more information.
  • Ensure that access_layer, table_layer, and bad_access_layer are properly initialized and valid for the operations being performed, as missing or incorrect initialization could lead to incorrect proof generation or verification.

Security

  • Ensure that the transcripts used (prover_transcript, verifier_transcript) are cryptographically secure, particularly regarding randomness and avoiding side-channel leaks (such as timing attacks). This includes confirming that transcript operations are constant-time where necessary.

Performance

  • In the current snippets, there are no visible performance issues with allocations, inversions, or MSM/FFT efficiency adjustments that can be commented on without additional context of how these methods are defined.

Bugs & Errors

  • The use of unwrap without proper handling could cause the program to panic unexpectedly, especially in production code.
  • The potential for memory issues isn't apparent from the given code snippet. More context would be needed to analyze memory safety thoroughly.

Code Simplicity

  • The code updates show changes in naming variables (artifact to gkr_result), which enhances clarity. Make sure this standard is enforced throughout for consistency.
  • Be cautious of any duplicated logic, especially if similar logic appears in multiple functions, though it isn't evident within this snippet.

Overall, while the code shows positive strides in clarity and correctness, the handling of possible errors and ensuring security motives through constant-time operations need attention before considering merging.

let mut prover_transcript = DefaultTranscript::<F>::new(&[]);
let (bad_proof, _) =
prove_batch(&mut prover_transcript, vec![bad_access_layer, table_layer2]).unwrap();

let mut v_ch = DefaultTranscript::<F>::new(&[]);
let bad_result = verify_batch(&[Gate::LogUp, Gate::LogUp], &bad_proof, &mut v_ch);
let mut verifier_transcript = DefaultTranscript::<F>::new(&[]);
let bad_result = verify_batch(
&[Gate::LogUp, Gate::LogUp],
&bad_proof,
&mut verifier_transcript,
);

match &bad_result {
Ok(_) => println!("GKR verification: PASSED (each tree is internally consistent)"),
Copy link

@github-actions github-actions bot Feb 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correctness

  1. Ensure that prove_batch and verify_batch handle edge cases correctly, especially with zero or identity elements within their computations. The code doesn't show explicit checks for these conditions outside function calls, so the internal handling must be verified within those functions.

Security

  1. Verify that the DefaultTranscript operations do not introduce timing side channels -- ensure operations on secret data are constant-time. Also, confirm DefaultTranscript does zeroization of sensitive data properly when it is dropped or no longer used.
  2. No explicit handling or verification of cryptographically secure randomness is shown. Ensure all cryptographic operations relying on randomness use a secure source.
  3. Ensure that hash functions used within prove_batch, verify_batch, or DefaultTranscript provide domain separation to avoid collisions across different contexts.

Performance

  1. Check if DefaultTranscript::<F>::new(&[]) can be optimized to avoid unnecessary allocations, although the current snippet doesn’t explicitly show costly allocations, as only empty slices are passed.

Bugs & Errors

  1. Code directly uses unwrap() which may cause panics if prove_batch returns an error instead of a proof. A more robust error handling mechanism should be in place to avoid potential application crashes.

Code Simplicity

  1. The section where similar operations for prover_transcript and verifier_transcript are performed in each test case shows potential for abstraction to reduce duplication.

Consider addressing these points before merging the code.

Expand Down
126 changes: 126 additions & 0 deletions crates/provers/gkr-logup/examples/univariate_logup_gkr.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,126 @@
//! End-to-end example of the univariate LogUp-GKR IOP (Section 5 of ePrint 2023/1284).
//!
//! Demonstrates:
//! 1. LogUp Singles: ROM lookup with univariate commitments
//! 2. LogUp Multiplicities: table + multiplicities with univariate commitments
//! 3. Grand Product: simple product argument with univariate commitments

Copy link

@github-actions github-actions bot Mar 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Correctness: The code doesn't seem to handle cases where proofs or inputs are of degenerate or unexpected lengths, which can lead to incorrect proofs or verifications.

  • Security: Ensure that the transcript operations (such as new and unwrap) are constant-time where necessary, especially considering that they may operate on sensitive proof data. Additionally, verify the DefaultTranscript initialization to ensure domain separation if multiple independent transcripts could exist.

  • Performance: In this snippet, I don't have information about the verify_univariate implementation, but ensure that it doesn't perform unnecessary allocations or redundant operations, especially under conditions that would be more efficiently handled with FFTs.

  • Bugs & Errors: The unwrap usage without prior verification of conditions could lead to panics if verify_univariate fails. Consider handling potential errors more gracefully to ensure stability.

  • Code Simplicity: The removal of the debug print line for Lagrange column size suggests that the output was not needed, but ensure logging around proof structures is intentional and sufficient for easier debugging if issues arise without unnecessarily complex print statements.

Without more contextual information, it cannot be marked as suitable for merging as it stands, due to potential unchecked error scenarios and optimizations that might not be in place.

use lambdaworks_math::field::element::FieldElement;
use lambdaworks_math::field::fields::fft_friendly::quartic_babybear::Degree4BabyBearExtensionField;

use lambdaworks_crypto::fiat_shamir::default_transcript::DefaultTranscript;

use lambdaworks_gkr_logup::univariate::domain::CyclicDomain;
use lambdaworks_gkr_logup::univariate::iop::{prove_univariate, verify_univariate};
use lambdaworks_gkr_logup::univariate::lagrange::UnivariateLagrange;
use lambdaworks_gkr_logup::univariate_layer::UnivariateLayer;
use lambdaworks_gkr_logup::verifier::Gate;

type F = Degree4BabyBearExtensionField;
type FE = FieldElement<F>;

fn main() {
println!("=== Univariate LogUp-GKR IOP (Section 5) ===\n");

test_grand_product();
test_logup_singles();
test_logup_multiplicities();

println!("\n=== All examples passed! ===");
}

fn test_grand_product() {
println!("Example 1: Grand Product (univariate commitment)");

let values: Vec<FE> = (1..=8).map(|i| FE::from(i as u64)).collect();
let domain = CyclicDomain::new(3).unwrap();
let uni = UnivariateLagrange::new(values, domain).unwrap();

let layer = UnivariateLayer::GrandProduct {
values: uni,
commitment: None,
};

let mut prover_transcript = DefaultTranscript::<F>::new(b"grand_product_example");
let (proof, result) = prove_univariate(&mut prover_transcript, layer).unwrap();

println!(
" Proof generated: {} GKR layers",
proof.gkr_proof.sumcheck_proofs.len()
);
println!(" OOD point dimension: {}", result.ood_point.len());
println!(" Claims to verify: {}", result.claims_to_verify.len());

let mut verifier_transcript = DefaultTranscript::<F>::new(b"grand_product_example");
verify_univariate(Gate::GrandProduct, &proof, &mut verifier_transcript).unwrap();

println!(" ✓ Grand Product verified!\n");
}

fn test_logup_singles() {
println!("Example 2: LogUp Singles (ROM lookup)");

// Simulate a ROM lookup: 8 accesses to a table
let z = FE::from(100u64);
let accesses: Vec<u64> = vec![20, 10, 20, 30, 10, 20, 40, 30];
let dens: Vec<FE> = accesses.iter().map(|&a| z - FE::from(a)).collect();

let domain = CyclicDomain::new(3).unwrap();
let uni = UnivariateLagrange::new(dens, domain).unwrap();

let layer = UnivariateLayer::LogUpSingles {
denominators: uni,
denominator_commitment: None,
};

let mut prover_transcript = DefaultTranscript::<F>::new(b"logup_singles_example");
let (proof, result) = prove_univariate(&mut prover_transcript, layer).unwrap();

println!(
" Proof generated: {} GKR layers",
proof.gkr_proof.sumcheck_proofs.len()
);
println!(" OOD point dimension: {}", result.ood_point.len());
println!(" Lagrange column size: {}", proof.lagrange_column.len());

let mut verifier_transcript = DefaultTranscript::<F>::new(b"logup_singles_example");
verify_univariate(Gate::LogUp, &proof, &mut verifier_transcript).unwrap();

println!(" ✓ LogUp Singles verified!\n");
}

fn test_logup_multiplicities() {
println!("Example 3: LogUp Multiplicities (table + multiplicities)");

let z = FE::from(1000u64);
let table: Vec<u64> = vec![3, 5, 7, 9, 11, 13, 15, 17];

let table_dens: Vec<FE> = table.iter().map(|&t| z - FE::from(t)).collect();
let multiplicities: Vec<FE> = table.iter().map(|_| FE::one()).collect();

let domain = CyclicDomain::new(3).unwrap();
let num = UnivariateLagrange::new(multiplicities, domain.clone()).unwrap();
let den = UnivariateLagrange::new(table_dens, domain).unwrap();

let layer = UnivariateLayer::LogUpMultiplicities {
numerators: num,
denominators: den,
numerator_commitment: None,
denominator_commitment: None,
};

let mut prover_transcript = DefaultTranscript::<F>::new(b"logup_mult_example");
let (proof, result) = prove_univariate(&mut prover_transcript, layer).unwrap();

println!(
" Proof generated: {} GKR layers",
proof.gkr_proof.sumcheck_proofs.len()
);
println!(" Committed columns: {}", proof.committed_columns.len());
println!(" OOD point dimension: {}", result.ood_point.len());

let mut verifier_transcript = DefaultTranscript::<F>::new(b"logup_mult_example");
verify_univariate(Gate::LogUp, &proof, &mut verifier_transcript).unwrap();

println!(" ✓ LogUp Multiplicities verified!\n");
}
Copy link

@github-actions github-actions bot Feb 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correctness

  • Mathematical Operations: General operations appear correct for creating FieldElement and working with the defined univariate log structures. However, please ensure that FieldElement inversions or divisions handle all edge cases, specifically where denominators could resolve to zero.
  • Edge Cases: There is use of modular arithmetic through FieldElement, but explicit checks for zero or identity elements are not visible, which might be critical, especially in FFT operations if used.
  • Polynomial and FFT Implementations: The code does not expose an interface to handle polynomials or FFT directly, but relies on UnivariateLagrange; ensure that internally, the library functions handle edge cases robustly.
  • Proof System Correctness: The code structure prepares and verifies univariate proofs. Without the cryptographic reasoning of the underlying mechanisms in lambdaworks_gkr_logup, verify that the commitment schemes and other cryptographic protocols correctly implement the math.

Security

  • Timing Side-Channels: Since interacting with cryptographic components like proofs and field elements, verify no secret-dependent operations breach constant time constraints.
  • Zeroization: There is no clear evidence of zeroization of secretive, sensitive data on scope completion (e.g., prover_transcript).
  • Randomness: Relying on the default transcript shows no implementation detail for randomness generation security. Ensure usage of cryptographically secure randomness sources.
  • Secret-dependent Branching: Code does not explicitly show secret-dependent branching but check all libraries included.
  • Hash Function Domain Separation: Transcripts are instantiated with domain-specific parameters; check all hash functions used maintain domain separation.

Performance

  • Allocations: There are multiple vector allocations (values, dens, table_dens, etc.). Consider reusing allocations if possible.
  • Redundant Operations: No apparent redundant field inversions or unnecessary recalculations. Verify low-level library optimizations.
  • MSM and FFT Efficiency: The code doesn't directly manipulate or illustrate multi-scalar multiplication (MSM) or FFT but ensure those libraries used (CyclicDomain) are efficient.

Bugs & Errors

  • Panics/Unwraps: Widespread usage of unwrap leads to potential runtime panics if any underlying component fails. Handle errors gracefully and provide context to the caller.
  • Memory Safety: Assuming safe Rust use but verify bounds and safe array accesses.
  • Off-By-One, Overflows: Code does not directly illustrate loops or manual bounds handling; verify all mathematical operations avoid overflow.

Code Simplicity

  • Implementations are readable but depend heavily on correct library behavior (lambdaworks_math, lambdaworks_crypto, etc.). Ensure proper unit testing covers all corner cases, especially considering new code paths.
  • Duplication is minimal, structured around clear, isolated tests.

This code demonstrates structured tests for a cryptographic library but has multiple concerns around error handling and security aspects. Address these before merging.

Loading
Loading