Merge pull request #6 from FilipLaurentiu/filip/stark_constraints_rep…

…resentation

The vanishing polynomial in STARK is build using all the values from the evaluation domain as roots.

src/stark/overview.md

@@ -69,13 +69,13 @@ Usually, as we're acting in a field, a subgroup of large-enough size is chosen i
 
 Second, let's see how to represent a constraint like "_the first two registers added together in a row equal the value of the third register in the next row_" as a polynomial. If the three registers in our examples are encoded as the polynomials $f_1, f_2, f_3$ then we need a way to encode "the next row". If our domain is simply $(0, 1, 2, \cdots)$ then the next row for a polynomial $f_1(x)$ is simply $f_1(x + 1)$. Similarly, if we're using a subgroup generated by $g$ as domain, we can write the next row as $f_1(x \cdot g)$. So the previous example constraint can be written as the constraint polynomial $c_0(x) = f_1(x) + f_2(x) - f_3(x \cdot g)$.
 
-If a constraint polynomial $c_0(x)$ is correctly satisfied by a given execution trace, then it should be zero on the entire domain (for state transition constraints) or on some values of the domain (for boundary constraints). This means we can write it as $c_0(x) = t(x) \cdot \sum_i (x-g^i)$ for some "quotient" polynomial $t$ and the evaluation points $g^i$ (that encode the rows) where the constraint should apply. (In other words, you can factor $c_0$ using its roots $g^i$.)
+If a constraint polynomial $c_0(x)$ is correctly satisfied by a given execution trace, then it should be zero on the entire domain (for state transition constraints) or on some values of the domain (for boundary constraints). This means we can write it as $c_0(x) = t(x) \cdot \prod_i (x-g^i)$ for some "quotient" polynomial $t$ and the evaluation points $g^i$ (that encode the rows) where the constraint should apply. (In other words, you can factor $c_0$ using its roots $g^i$.)
 
-> Note: for STARKs to be efficient, you shouldn't have too many roots. Hence why boundary constraints should be limited to a few rows. But how does it work for state transition constraints that need to be applied to all the rows? The answer is that since we are in a subgroup there's a very efficient way to compute $\sum_i (x - g^i)$. You can read more about that in [Efficient computation of the vanishing polynomial](https://o1-labs.github.io/proof-systems/plonk/domain.html#efficient-computation-of-the-vanishing-polynomial) of the Mina book.
+> Note: for STARKs to be efficient, you shouldn't have too many roots. Hence why boundary constraints should be limited to a few rows. But how does it work for state transition constraints that need to be applied to all the rows? The answer is that since we are in a subgroup there's a very efficient way to compute $\prod_i (x - g^i)$. You can read more about that in [Efficient computation of the vanishing polynomial](https://o1-labs.github.io/proof-systems/plonk/domain.html#efficient-computation-of-the-vanishing-polynomial) of the Mina book.
 
-At this point, you should understand that a prover that wants to convince you that a constraint $c_1$ applies to an execution trace table can do so by showing you that $t$ exists. The prover can do so by sending the verifier the $t$ polynomial and the verifier computes $c_1$ from the register polynomials and verifies that it is indeed equal to $t$ multiplied by the $\sum_i (x-g^i)$. This is what is done both in Plonk and in STARK.
+At this point, you should understand that a prover that wants to convince you that a constraint $c_1$ applies to an execution trace table can do so by showing you that $t$ exists. The prover can do so by sending the verifier the $t$ polynomial and the verifier computes $c_1$ from the register polynomials and verifies that it is indeed equal to $t$ multiplied by the $\prod_i (x-g^i)$. This is what is done both in Plonk and in STARK.
 
-> Note: if a constraint doesn't satisfy the execution trace, then you won't be able to factor it with $\sum_i (x - g^i)$ as not all of the $g^i$ will be roots. For this reason you'll get something like $c_1(x) = t(x) \cdot \sum_i (x - g^i) + r(x)$ for $r$ some "rest" polynomial. TODO: at this point can we still get a $t$ but it will have a high degree? If not then why do we have to do a low-degree test later?
+> Note: if a constraint doesn't satisfy the execution trace, then you won't be able to factor it with $\prod_i (x - g^i)$ as not all of the $g^i$ will be roots. For this reason you'll get something like $c_1(x) = t(x) \cdot \prod_i (x - g^i) + r(x)$ for $r$ some "rest" polynomial. TODO: at this point can we still get a $t$ but it will have a high degree? If not then why do we have to do a low-degree test later?
 
 Now let's see our modification to the previous protocol:
 
@@ -112,7 +112,7 @@ Now our protocol looks like this:
 1. The prover evaluates the quotient polynomials at $z$ and sends the evaluations to the verifier (these evaluations are called "masks" in the paper).
 1. For each evaluation, the prover also sends evaluation proofs.
 1. The verifier verifies all evaluation proofs.
-1. The verifier then checks that each constraint is satisfied, by checking the $t = c \cdot \sum_i (x - g^i)$ equation _in the clear_ (using the evaluations provided by the prover).
+1. The verifier then checks that each constraint is satisfied, by checking the $t = c \cdot \prod_i (x - g^i)$ equation _in the clear_ (using the evaluations provided by the prover).
 
 ## Straw man 5: a random linear combination to reduce all the checks to a single check