# WHIR: Reed‚ÄìSolomon Proximity Testing with Super-Fast Verification

[WHIR](https://eprint.iacr.org/2024/1586) is a multivariate Polynomial Commitment Scheme (PCS) with three main ideas combined into one:

1. Using sumcheck as a _proof_ of multilinear polynomial commitment. 
    Given, a multilinear polynomial $f(x_1, \cdots, x_\mu)$, it's 
    evaluation at a point $\vec{a}$ can be written as 
    $f(\vec{a}) = \sum_{\vec{b}\in \{0,1\}^\mu} f(\vec{b})\cdot \mathsf{eq}(\vec{b},\vec{a})$.
    The sumcheck protocol _reduces_ a claim of this form to a 
    claim about evaluating $f(\vec{x})$ at a random point 
    $\vec{r}$ of verifier's choosing. But this causes a problem: 
    If the verifier could not evaluate $f(\vec{a})$ in the first place, 
    why would it be able to evaluate $f(\vec{r})$? 

    The first main idea in WHIR (which first appeared in 
    [BaseFold](https://eprint.iacr.org/2023/1705.pdf)) 
    is that instead of reducing the sumcheck claim to a _random evaluation_, 
    one can **reduce the sumcheck claim to a Proof of Proximity** and a final evaluation. 
    To achieve this, WHIR intermixes sumcheck rounds with FRI rounds, and relies on 
    consistancy checks across FRI proof oracles to ensure soundness 
    across rounds. By the last round, the FRI proof oracle is small enough that
    the sumcheck value can be directly computed and checked against expected value. 
    This is the jist of Basefold/WHIR reduction.

3. The second idea in WHIR is to use lower rate codes to minimize FRI query 
   complexity (this idea first appeared in [STIR](https://eprint.iacr.org/2024/390.pdf) paper). Unlike in STIR, however, 
   WHIR elegantly avoids division operations during inter-round 
   proof-oracle consistancy checks by simply updating the sumcheck claim 
   both on prover and verifier side. 

4. The third idea is to use out of domain (OOD) queries to eliminate "pretenders." This allows 
   WHIR to achieve better soundness even in in list-decoding region. This idea first appeared in [DEEP-FRI](https://www.math.toronto.edu/swastik/deep-fri.pdf) paper.

The following code describes a run of the protocol. All the SageMath WHIR code is located in [src/whir.py](./src/whir.py) directory.

File [src/proth_primes.py](./src/proth_primes.py) has a long list of [proth prime](https://en.wikipedia.org/wiki/Proth_prime), which are prime numbers of the form $k\cdot2^n$ for different values of $k$ and $n$. These primes are convinient for NTT operations.

In [1]:
%load_ext autoreload
%autoreload 2

from src.proth_primes import proth_in_range
from src.whir import *
from sage.rings.finite_rings.all import GF
from sage.rings.polynomial.all import PolynomialRing
from sage.misc.functional import log
from sage.misc.prandom import random

In [2]:
(p, k, n) = proth_in_range(15, 15, 27,27)
print(f"Using prime {p} = {k}‚ãÖ2^{n} + 1")
Fq = GF(p)
omega = Fq.multiplicative_generator() 
omega = omega**k
omega_2sylow_expo = log(omega.multiplicative_order(), 2)
print(f"Maximal 2-sylow multiplicative generator: {omega}")
print(f"Maximal 2-sylow multiplicative power: {omega_2sylow_expo}")

Using prime 2013265921 = 15‚ãÖ2^27 + 1
Maximal 2-sylow multiplicative generator: 440564289
Maximal 2-sylow multiplicative power: 27


---
### Setup

Creating WHIR sumcheck with four variables and using a random multilinear polynomial.

In [3]:
variables_count = 3
code_rate_factor = 8
sumcheck_rounds = 2
shift_queries = 5

PolyRing = gen_mvariate_ring(Fq, variables_count=variables_count)
WeightRing = PolynomialRing(PolyRing, "Z") 

X0, X1, X2 = PolyRing.gens()
Z = WeightRing.gen()

input_poly = X0*X1*X2 - 2*X0*X1 + 3*X0*X2 - 4*X1*X2 + 5*X0 - 6*X2 + 7 # random_multilinear_poly(PolyRing);
evaluation_point = [5, 6, 7] # [Fq.random_element() for _ in range(variables_count)]

pcs_evaluation_claim = input_poly(evaluation_point)

print(f"Using polyomial: {input_poly}")
print(f"Evaluation point: {evaluation_point}")
print(f"Evaluated value: {input_poly(evaluation_point)}")

Using polyomial: X‚ÇÄ*X‚ÇÅ*X‚ÇÇ - 2*X‚ÇÄ*X‚ÇÅ + 3*X‚ÇÄ*X‚ÇÇ - 4*X‚ÇÅ*X‚ÇÇ + 5*X‚ÇÄ - 6*X‚ÇÇ + 7
Evaluation point: [5, 6, 7]
Evaluated value: 77


In [4]:
ntt_order = code_rate_factor*(2**variables_count)
omega_order = omega.multiplicative_order()
assert omega_order % ntt_order == 0
coset_exponent = omega_order // ntt_order
ntt_omega = omega**coset_exponent
print(f"Using NTT group generator: {ntt_omega}, order: {ntt_omega.multiplicative_order()}")

Using NTT group generator: 1721589904, order: 64


Create the weight polynomial for the given evaluation point. This evaluation point will typically come from the verifier, and is known to the verifier. 

In [5]:
weight_poly = eq_weight_polynomial(WeightRing, evaluation_point)
print(f"Prover's Weight polynomial: {weight_poly}")

Prover's Weight polynomial: (1287*X‚ÇÄ*X‚ÇÅ*X‚ÇÇ - 594*X‚ÇÄ*X‚ÇÅ - 585*X‚ÇÄ*X‚ÇÇ - 572*X‚ÇÅ*X‚ÇÇ + 270*X‚ÇÄ + 264*X‚ÇÅ + 260*X‚ÇÇ - 120)*Z


### Verifier (positive case)

In [6]:
prover = WhirRound(input_poly, weight_poly, ntt_omega, pcs_evaluation_claim)
print(f"Sumcheck polynomial: {prover.sumcheck_poly}")

Sumcheck polynomial: 1287*X‚ÇÄ^2*X‚ÇÅ^2*X‚ÇÇ^2 - 3168*X‚ÇÄ^2*X‚ÇÅ^2*X‚ÇÇ + 3276*X‚ÇÄ^2*X‚ÇÅ*X‚ÇÇ^2 - 5720*X‚ÇÄ*X‚ÇÅ^2*X‚ÇÇ^2 + 1188*X‚ÇÄ^2*X‚ÇÅ^2 + 6093*X‚ÇÄ^2*X‚ÇÅ*X‚ÇÇ + 3784*X‚ÇÄ*X‚ÇÅ^2*X‚ÇÇ - 1755*X‚ÇÄ^2*X‚ÇÇ^2 - 6838*X‚ÇÄ*X‚ÇÅ*X‚ÇÇ^2 + 2288*X‚ÇÅ^2*X‚ÇÇ^2 - 3510*X‚ÇÄ^2*X‚ÇÅ - 528*X‚ÇÄ*X‚ÇÅ^2 - 2115*X‚ÇÄ^2*X‚ÇÇ + 8785*X‚ÇÄ*X‚ÇÅ*X‚ÇÇ - 1056*X‚ÇÅ^2*X‚ÇÇ + 4290*X‚ÇÄ*X‚ÇÇ^2 + 2392*X‚ÇÅ*X‚ÇÇ^2 + 1350*X‚ÇÄ^2 - 2598*X‚ÇÄ*X‚ÇÅ - 4775*X‚ÇÄ*X‚ÇÇ - 5108*X‚ÇÅ*X‚ÇÇ - 1560*X‚ÇÇ^2 + 1290*X‚ÇÄ + 1848*X‚ÇÅ + 2540*X‚ÇÇ - 840


In [7]:
verifier = WhirVerifier(weight_poly, ntt_omega, pcs_evaluation_claim)
succes = verifier.validate_pcs_claim(prover)
if succes == True:
    print(f"PCS verification succeeded")
else:
    print(f"PCS verification failed")


----- New Sumcheck Round -----

Round-0 poly: 504*X‚ÇÄ^2 - 2051*X‚ÇÄ + 812, challenge: None
Hypercube sum 77 matches claimed sum 77
Round-1 poly: -269987154*X‚ÇÅ^2 - 196926249*X‚ÇÅ - 669995104, challenge: 970176965
Hypercube sum 206362310 matches claimed sum 206362310
New sumcheck claim: 206362310

----- Next OOD + STIR Round -----

Combination randomness ùõæ: 1019336606
OOD challenge: 1300415762
shift queries: [772607190, 1253260071]
    Weight update for OOD challenge 1300415762 : Z*(259325105*X‚ÇÅ*X‚ÇÇ - 842512712*X‚ÇÅ + 271666596*X‚ÇÇ + 220591782)
    Weight update for shift query 772607190 : Z*(779449488*X‚ÇÅ*X‚ÇÇ - 623750515*X‚ÇÅ + 695854016*X‚ÇÇ + 272402358)
    Weight update for shift query 1253260071 : Z*(191116099*X‚ÇÅ*X‚ÇÇ - 855563900*X‚ÇÅ + 100838210*X‚ÇÇ - 677049140)
Final new weight: (-858970913*X‚ÇÅ*X‚ÇÇ + 323427645*X‚ÇÅ + 461575944*X‚ÇÇ - 968461653)*Z

----- New Sumcheck Round -----

Round-0 poly: -433246494*X‚ÇÅ^2 + 776955451*X‚ÇÅ + 493921307, challenge: None
Hypercu

### Verifier (negative case)

In [8]:
prover = WhirRound(input_poly, weight_poly, ntt_omega, pcs_evaluation_claim)

verifier = WhirVerifier(weight_poly, ntt_omega, pcs_evaluation_claim + 1)
succes = verifier.validate_pcs_claim(prover)
if succes == True:
    print(f"PCS verification succeeded")
else:
    print(f"PCS verification failed")


----- New Sumcheck Round -----

Round-0 poly: 504*X‚ÇÄ^2 - 2051*X‚ÇÄ + 812, challenge: None
ERROR: Sumcheck claim failed
PCS verification failed
