SQUASH Start at 1

draft-irtf-cfrg-vdaf.md

@@ -3068,10 +3068,10 @@ Fourier Transform") algorithm. Note that this requires the field to be
 
 Finally, the validity circuit in our FLP may have any number of outputs (at
 least one). The input is said to be valid if each of the outputs is zero. To
-save bandwidth, we interpret the outputs as coefficients of a polynomial and
-evaluate the polynomial at a random point. If each of the outputs zero, then
-the reduced output will be zero; but if one of the outputs is non-zero, then
-the reduced output will be non-zero with high probability.
+save bandwidth, we take a random linear combination of the outputs. If each of
+the outputs is zero, then the reduced output will be zero; but if one of the
+outputs is non-zero, then the reduced output will be non-zero with high
+probability.
 
 ### Validity Circuits {#flp-generic-valid}
 
@@ -3247,7 +3247,9 @@ is generated as follows:
 
 1. Next, reduce `out` as follows. If `EVAL_OUTPUT_LEN > 1`, then consume the
    first element of `query_rand` by letting `[r], query_rand = front(1,
-   query_rand)`. Then let `v = out[0] + r*out[1] + r**2*out[2] + ...`.
+   query_rand)`. Then let `v = r*out[0] + r**2*out[1] + r**3*out[2] + ...`.
+   That is, interpret the outputs as coefficients of a polynomial `f(x)` and
+   evaluate polynomial `f(x)*x` at a random point `r`.
 
 1. Compute the wire polynomials just as in the prover's step (4.).
 

poc/flp_generic.py

@@ -308,7 +308,7 @@ def query(self, meas, proof, query_rand, joint_rand, num_shares):
         # Reduce the output.
         if self.Valid.EVAL_OUTPUT_LEN > 1:
             ([r], query_rand) = front(1, query_rand)
-            r_power = self.Field(1)
+            r_power = r
             v = self.Field(0)
             for x in out:
                 v += r_power * x