fflonk and shplonk improvements #550
Description
PR #498 added fflonk and shplonk batched commitment verification. As it is still experimental package then we left some issues unresolved for now:
- Use the polynomial package. It already has some methods implemented what we need and makes it imo relevant. Otherwise we copy-paste methods all over. And I think it also makes it nicer if we have
[]polynomial.Polynomialinstead of[][]fr.Elementetc. - our implementation currently doesn't match the paper as we don't compute the n-th roots, but instead for given input we assume the input to be
x^nand then take the corresponding roots. But in practice we have smooth modulus (2^n * other factors), so can use successive square roots. And because we code generate, then we can generate the full chain directly. - instead of using []fr.Element for points in shplonk, we could define a structure a la struct Points { Pts []fr.Element, Shape shplonk.PointShape}. Depending on the shape of the points (they are roots of unity, or some known powers etc.) we can have different approaches for polynomial multiplication etc.
- add marshal roundtrip tests
- add gopter tests