From 9ccfbedccef0c1dc1e572dbdbef1d4da66d2f2cc Mon Sep 17 00:00:00 2001 From: Christopher Patton Date: Thu, 13 Jun 2024 12:51:17 -0700 Subject: [PATCH] SQUASH Start at 1 --- draft-irtf-cfrg-vdaf.md | 12 +++++++----- poc/flp_generic.py | 2 +- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/draft-irtf-cfrg-vdaf.md b/draft-irtf-cfrg-vdaf.md index 071e13f5..1220bac1 100644 --- a/draft-irtf-cfrg-vdaf.md +++ b/draft-irtf-cfrg-vdaf.md @@ -3068,10 +3068,10 @@ Fourier Transform") algorithm. Note that this requires the field to be Finally, the validity circuit in our FLP may have any number of outputs (at least one). The input is said to be valid if each of the outputs is zero. To -save bandwidth, we interpret the outputs as coefficients of a polynomial and -evaluate the polynomial at a random point. If each of the outputs zero, then -the reduced output will be zero; but if one of the outputs is non-zero, then -the reduced output will be non-zero with high probability. +save bandwidth, we take a random linear combination of the outputs. If each of +the outputs is zero, then the reduced output will be zero; but if one of the +outputs is non-zero, then the reduced output will be non-zero with high +probability. ### Validity Circuits {#flp-generic-valid} @@ -3247,7 +3247,9 @@ is generated as follows: 1. Next, reduce `out` as follows. If `EVAL_OUTPUT_LEN > 1`, then consume the first element of `query_rand` by letting `[r], query_rand = front(1, - query_rand)`. Then let `v = out[0] + r*out[1] + r**2*out[2] + ...`. + query_rand)`. Then let `v = r*out[0] + r**2*out[1] + r**3*out[2] + ...`. + That is, interpret the outputs as coefficients of a polynomial `f(x)` and + evaluate polynomial `f(x)*x` at a random point `r`. 1. Compute the wire polynomials just as in the prover's step (4.). diff --git a/poc/flp_generic.py b/poc/flp_generic.py index 963ffdad..7692a314 100644 --- a/poc/flp_generic.py +++ b/poc/flp_generic.py 
@@ -308,7 +308,7 @@ def query(self, meas, proof, query_rand, joint_rand, num_shares):
 # Reduce the output.
 if self.Valid.EVAL_OUTPUT_LEN > 1:
 ([r], query_rand) = front(1, query_rand)
- r_power = self.Field(1)
+ r_power = r
 v = self.Field(0)
 for x in out:
 v += r_power * x
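Review bot: With `r_power` now initialised to `r`, a query randomness value of `r == 0` makes the reduced output `v` zero for every `out`, whereas the old code always gave `out[0]` coefficient 1. The reduction now evaluates `f(x)*x`, which has one more root than `f(x)`, so by the usual root-counting bound the chance that a non-zero `out` reduces to zero rises from about `(len(out)-1)/|Field|` to `len(out)/|Field|`. That is negligible for a large field, but the hunk does not show whether the soundness analysis accounts for it. The code comment still only says "Reduce the output", so I would add `# v = r*out[0] + r**2*out[1] + ...; powers start at r, so the reduction error is at most len(out)/|Field|` above the loop. The `r_power` update and the rest of `query` lie outside the hunk, so this assumes the loop multiplies by `r` once per iteration.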