Rearranged files (#17)

* removed unused file * change field import * change import of field package * changed field import * moved hash to poseidon and some changes to the field package * changed file structure
2026-01-13 09:31:32 +01:00 · 2023-05-19 19:49:14 -07:00
parent a415c95f6f
commit cf84b032e2
72 changed files with 2376 additions and 2228 deletions
--- a/verifier/internal/fri/fri.go
+++ b/verifier/internal/fri/fri.go
@@ -0,0 +1,571 @@
+package fri
+
+import (
+	"fmt"
+	"math"
+	"math/big"
+	"math/bits"
+
+	"github.com/consensys/gnark-crypto/field/goldilocks"
+	"github.com/consensys/gnark/frontend"
+	"github.com/succinctlabs/gnark-plonky2-verifier/field"
+	"github.com/succinctlabs/gnark-plonky2-verifier/poseidon"
+	"github.com/succinctlabs/gnark-plonky2-verifier/verifier/common"
+)
+
+type FriChip struct {
+	api      frontend.API                 `gnark:"-"`
+	fieldAPI frontend.API                 `gnark:"-"`
+	qeAPI    *field.QuadraticExtensionAPI `gnark:"-"`
+	hashAPI  *poseidon.HashAPI            `gnark:"-"`
+
+	poseidonChip *poseidon.PoseidonChip
+
+	friParams *common.FriParams `gnark:"-"`
+}
+
+func NewFriChip(
+	api frontend.API,
+	fieldAPI frontend.API,
+	qeAPI *field.QuadraticExtensionAPI,
+	hashAPI *poseidon.HashAPI,
+	poseidonChip *poseidon.PoseidonChip,
+	friParams *common.FriParams,
+) *FriChip {
+	return &FriChip{
+		api:          api,
+		fieldAPI:     fieldAPI,
+		qeAPI:        qeAPI,
+		hashAPI:      hashAPI,
+		poseidonChip: poseidonChip,
+		friParams:    friParams,
+	}
+}
+
+func (f *FriChip) assertLeadingZeros(powWitness field.F, friConfig common.FriConfig) {
+	// Asserts that powWitness'es big-endian bit representation has at least `leading_zeros` leading zeros.
+	// Note that this is assuming that the Goldilocks field is being used.  Specfically that the
+	// field is 64 bits long
+	maxPowWitness := uint64(math.Pow(2, float64(64-friConfig.ProofOfWorkBits))) - 1
+	f.fieldAPI.AssertIsLessOrEqual(powWitness, field.NewFieldElement(maxPowWitness))
+}
+
+func (f *FriChip) fromOpeningsAndAlpha(openings *FriOpenings, alpha field.QuadraticExtension) []field.QuadraticExtension {
+	// One reduced opening for all openings evaluated at point Zeta.
+	// Another one for all openings evaluated at point Zeta * Omega (which is only PlonkZsNext polynomial)
+
+	reducedOpenings := make([]field.QuadraticExtension, 0, 2)
+	for _, batch := range openings.Batches {
+		reducedOpenings = append(reducedOpenings, f.qeAPI.ReduceWithPowers(batch.Values, alpha))
+	}
+
+	return reducedOpenings
+}
+
+func (f *FriChip) hashOrNoop(data []field.F) poseidon.Hash {
+	var elements poseidon.Hash
+	if len(data) <= 4 {
+		// Pad the data to have a size of 4
+		for i, inputElement := range data {
+			elements[i] = inputElement
+		}
+		for i := len(data); i < 4; i++ {
+			elements[i] = field.ZERO_F
+		}
+
+		return elements
+	} else {
+		hashOutput := f.poseidonChip.HashNToMNoPad(data, 4)
+
+		if len(hashOutput) != len(elements) {
+			panic("The length of hashOutput and elements is different")
+		}
+
+		for i, hashField := range hashOutput {
+			elements[i] = hashField
+		}
+
+		return elements
+	}
+}
+
+func (f *FriChip) verifyMerkleProofToCapWithCapIndex(leafData []field.F, leafIndexBits []frontend.Variable, capIndexBits []frontend.Variable, merkleCap common.MerkleCap, proof *common.MerkleProof) {
+	currentDigest := f.hashOrNoop(leafData)
+	fourZeros := [4]field.F{field.ZERO_F, field.ZERO_F, field.ZERO_F, field.ZERO_F}
+	for i, sibling := range proof.Siblings {
+		bit := leafIndexBits[i]
+
+		var leftSiblingState poseidon.PoseidonState
+		copy(leftSiblingState[0:4], sibling[0:4])
+		copy(leftSiblingState[4:8], currentDigest[0:4])
+		copy(leftSiblingState[8:12], fourZeros[0:4])
+
+		leftHash := f.poseidonChip.Poseidon(leftSiblingState)
+
+		var leftHashCompress poseidon.Hash
+		leftHashCompress[0] = leftHash[0]
+		leftHashCompress[1] = leftHash[1]
+		leftHashCompress[2] = leftHash[2]
+		leftHashCompress[3] = leftHash[3]
+
+		var rightSiblingState poseidon.PoseidonState
+		copy(rightSiblingState[0:4], currentDigest[0:4])
+		copy(rightSiblingState[4:8], sibling[0:4])
+		copy(rightSiblingState[8:12], fourZeros[0:4])
+
+		rightHash := f.poseidonChip.Poseidon(rightSiblingState)
+
+		var rightHashCompress poseidon.Hash
+		rightHashCompress[0] = rightHash[0]
+		rightHashCompress[1] = rightHash[1]
+		rightHashCompress[2] = rightHash[2]
+		rightHashCompress[3] = rightHash[3]
+
+		currentDigest = f.hashAPI.SelectHash(bit, leftHashCompress, rightHashCompress)
+	}
+
+	// We assume that the cap_height is 4.  Create two levels of the Lookup2 circuit
+	if len(capIndexBits) != 4 || len(merkleCap) != 16 {
+		errorMsg, _ := fmt.Printf(
+			"capIndexBits length should be 4 and the merkleCap length should be 16.  Actual values (capIndexBits: %d, merkleCap: %d)\n",
+			len(capIndexBits),
+			len(merkleCap),
+		)
+		panic(errorMsg)
+	}
+
+	const NUM_LEAF_LOOKUPS = 4
+	var leafLookups [NUM_LEAF_LOOKUPS]poseidon.Hash
+	// First create the "leaf" lookup2 circuits
+	// The will use the least significant bits of the capIndexBits array
+	for i := 0; i < NUM_LEAF_LOOKUPS; i++ {
+		leafLookups[i] = f.hashAPI.Lookup2Hash(
+			capIndexBits[0], capIndexBits[1],
+			merkleCap[i*NUM_LEAF_LOOKUPS], merkleCap[i*NUM_LEAF_LOOKUPS+1], merkleCap[i*NUM_LEAF_LOOKUPS+2], merkleCap[i*NUM_LEAF_LOOKUPS+3],
+		)
+	}
+
+	// Use the most 2 significant bits of the capIndexBits array for the "root" lookup
+	merkleCapEntry := f.hashAPI.Lookup2Hash(capIndexBits[2], capIndexBits[3], leafLookups[0], leafLookups[1], leafLookups[2], leafLookups[3])
+	f.hashAPI.AssertIsEqualHash(currentDigest, merkleCapEntry)
+}
+
+func (f *FriChip) verifyInitialProof(xIndexBits []frontend.Variable, proof *common.FriInitialTreeProof, initialMerkleCaps []common.MerkleCap, capIndexBits []frontend.Variable) {
+	if len(proof.EvalsProofs) != len(initialMerkleCaps) {
+		panic("length of eval proofs in fri proof should equal length of initial merkle caps")
+	}
+
+	for i := 0; i < len(initialMerkleCaps); i++ {
+		evals := proof.EvalsProofs[i].Elements
+		merkleProof := proof.EvalsProofs[i].MerkleProof
+		cap := initialMerkleCaps[i]
+		f.verifyMerkleProofToCapWithCapIndex(evals, xIndexBits, capIndexBits, cap, &merkleProof)
+	}
+}
+
+// / We decompose FRI query indices into bits without verifying that the decomposition given by
+// / the prover is the canonical one. In particular, if `x_index < 2^field_bits - p`, then the
+// / prover could supply the binary encoding of either `x_index` or `x_index + p`, since they are
+// / congruent mod `p`. However, this only occurs with probability
+// /     p_ambiguous = (2^field_bits - p) / p
+// / which is small for the field that we use in practice.
+// /
+// / In particular, the soundness error of one FRI query is roughly the codeword rate, which
+// / is much larger than this ambiguous-element probability given any reasonable parameters.
+// / Thus ambiguous elements contribute a negligible amount to soundness error.
+// /
+// / Here we compare the probabilities as a sanity check, to verify the claim above.
+func (f *FriChip) assertNoncanonicalIndicesOK() {
+	numAmbiguousElems := uint64(math.MaxUint64) - goldilocks.Modulus().Uint64() + 1
+	queryError := f.friParams.Config.Rate()
+	pAmbiguous := float64(numAmbiguousElems) / float64(goldilocks.Modulus().Uint64())
+
+	// TODO:  Check that pAmbiguous value is the same as the one in plonky2 verifier
+	if pAmbiguous >= queryError*1e-5 {
+		panic("A non-negligible portion of field elements are in the range that permits non-canonical encodings. Need to do more analysis or enforce canonical encodings.")
+	}
+}
+
+func (f *FriChip) expFromBitsConstBase(
+	base goldilocks.Element,
+	exponentBits []frontend.Variable,
+) field.F {
+	product := field.ONE_F
+	for i, bit := range exponentBits {
+		pow := int64(1 << i)
+		// If the bit is on, we multiply product by base^pow.
+		// We can arithmetize this as:
+		//     product *= 1 + bit (base^pow - 1)
+		//     product = (base^pow - 1) product bit + product
+		basePow := goldilocks.NewElement(0)
+		basePow.Exp(base, big.NewInt(pow))
+
+		basePowElement := field.NewFieldElement(basePow.Uint64() - 1)
+
+		product = f.fieldAPI.Add(
+			f.fieldAPI.Mul(
+				basePowElement,
+				product,
+				bit,
+			),
+			product,
+		).(field.F)
+	}
+
+	return product
+}
+
+func (f *FriChip) calculateSubgroupX(
+	xIndexBits []frontend.Variable,
+	nLog uint64,
+) field.F {
+	// Compute x from its index
+	// `subgroup_x` is `subgroup[x_index]`, i.e., the actual field element in the domain.
+	// TODO - Make these as global values
+	g := field.NewFieldElement(field.GOLDILOCKS_MULTIPLICATIVE_GROUP_GENERATOR.Uint64())
+	base := field.GoldilocksPrimitiveRootOfUnity(nLog)
+
+	// Create a reverse list of xIndexBits
+	xIndexBitsRev := make([]frontend.Variable, 0)
+	for i := len(xIndexBits) - 1; i >= 0; i-- {
+		xIndexBitsRev = append(xIndexBitsRev, xIndexBits[i])
+	}
+
+	product := f.expFromBitsConstBase(base, xIndexBitsRev)
+
+	return f.fieldAPI.Mul(g, product).(field.F)
+}
+
+func (f *FriChip) friCombineInitial(
+	instance FriInstanceInfo,
+	proof common.FriInitialTreeProof,
+	friAlpha field.QuadraticExtension,
+	subgroupX_QE field.QuadraticExtension,
+	precomputedReducedEval []field.QuadraticExtension,
+) field.QuadraticExtension {
+	sum := f.qeAPI.ZERO_QE
+
+	if len(instance.Batches) != len(precomputedReducedEval) {
+		panic("len(openings) != len(precomputedReducedEval)")
+	}
+
+	for i := 0; i < len(instance.Batches); i++ {
+		batch := instance.Batches[i]
+		reducedOpenings := precomputedReducedEval[i]
+
+		point := batch.Point
+		evals := make([]field.QuadraticExtension, 0)
+		for _, polynomial := range batch.Polynomials {
+			evals = append(
+				evals,
+				field.QuadraticExtension{proof.EvalsProofs[polynomial.OracleIndex].Elements[polynomial.PolynomialInfo], field.ZERO_F},
+			)
+		}
+
+		reducedEvals := f.qeAPI.ReduceWithPowers(evals, friAlpha)
+		numerator := f.qeAPI.SubExtension(reducedEvals, reducedOpenings)
+		denominator := f.qeAPI.SubExtension(subgroupX_QE, point)
+		sum = f.qeAPI.MulExtension(f.qeAPI.ExpU64Extension(friAlpha, uint64(len(evals))), sum)
+		sum = f.qeAPI.AddExtension(
+			f.qeAPI.DivExtension(
+				numerator,
+				denominator,
+			),
+			sum,
+		)
+	}
+
+	return sum
+}
+
+func (f *FriChip) finalPolyEval(finalPoly common.PolynomialCoeffs, point field.QuadraticExtension) field.QuadraticExtension {
+	ret := f.qeAPI.ZERO_QE
+	for i := len(finalPoly.Coeffs) - 1; i >= 0; i-- {
+		ret = f.qeAPI.AddExtension(
+			f.qeAPI.MulExtension(
+				ret,
+				point,
+			),
+			finalPoly.Coeffs[i],
+		)
+	}
+	return ret
+}
+
+func (f *FriChip) interpolate(x field.QuadraticExtension, xPoints []field.QuadraticExtension, yPoints []field.QuadraticExtension, barycentricWeights []field.QuadraticExtension) field.QuadraticExtension {
+	if len(xPoints) != len(yPoints) || len(xPoints) != len(barycentricWeights) {
+		panic("length of xPoints, yPoints, and barycentricWeights are inconsistent")
+	}
+
+	lX := f.qeAPI.ONE_QE
+	for i := 0; i < len(xPoints); i++ {
+		lX = f.qeAPI.MulExtension(
+			lX,
+			f.qeAPI.SubExtension(
+				x,
+				xPoints[i],
+			),
+		)
+	}
+
+	sum := f.qeAPI.ZERO_QE
+	for i := 0; i < len(xPoints); i++ {
+		sum = f.qeAPI.AddExtension(
+			f.qeAPI.MulExtension(
+				f.qeAPI.DivExtension(
+					barycentricWeights[i],
+					f.qeAPI.SubExtension(
+						x,
+						xPoints[i],
+					),
+				),
+				yPoints[i],
+			),
+			sum,
+		)
+	}
+
+	interpolation := f.qeAPI.MulExtension(lX, sum)
+
+	returnField := interpolation
+	// Now check if x is already within the xPoints
+	for i := 0; i < len(xPoints); i++ {
+		returnField = f.qeAPI.Select(
+			f.qeAPI.IsZero(f.qeAPI.SubExtension(x, xPoints[i])),
+			yPoints[i],
+			returnField,
+		)
+	}
+
+	return returnField
+}
+
+func (f *FriChip) computeEvaluation(
+	x field.F,
+	xIndexWithinCosetBits []frontend.Variable,
+	arityBits uint64,
+	evals []field.QuadraticExtension,
+	beta field.QuadraticExtension,
+) field.QuadraticExtension {
+	arity := 1 << arityBits
+	if (len(evals)) != arity {
+		panic("len(evals) ! arity")
+	}
+	if arityBits > 8 {
+		panic("currently assuming that arityBits is <= 8")
+	}
+
+	g := field.GoldilocksPrimitiveRootOfUnity(arityBits)
+	gInv := goldilocks.NewElement(0)
+	gInv.Exp(g, big.NewInt(int64(arity-1)))
+
+	// The evaluation vector needs to be reordered first.  Permute the evals array such that each
+	// element's new index is the bit reverse of it's original index.
+	// TODO:  Optimization - Since the size of the evals array should be constant (e.g. 2^arityBits),
+	//        we can just hard code the permutation.
+	permutedEvals := make([]field.QuadraticExtension, len(evals))
+	for i := uint8(0); i < uint8(len(evals)); i++ {
+		newIndex := bits.Reverse8(i) >> arityBits
+		permutedEvals[newIndex] = evals[i]
+	}
+
+	// Want `g^(arity - rev_x_index_within_coset)` as in the out-of-circuit version. Compute it
+	// as `(g^-1)^rev_x_index_within_coset`.
+	revXIndexWithinCosetBits := make([]frontend.Variable, len(xIndexWithinCosetBits))
+	for i := 0; i < len(xIndexWithinCosetBits); i++ {
+		revXIndexWithinCosetBits[len(xIndexWithinCosetBits)-1-i] = xIndexWithinCosetBits[i]
+	}
+	start := f.expFromBitsConstBase(gInv, revXIndexWithinCosetBits)
+	cosetStart := f.fieldAPI.Mul(start, x).(field.F)
+
+	xPoints := make([]field.QuadraticExtension, len(evals))
+	yPoints := permutedEvals
+
+	// TODO: Make g_F a constant
+	g_F := f.qeAPI.FieldToQE(field.NewFieldElement(g.Uint64()))
+	xPoints[0] = f.qeAPI.FieldToQE(cosetStart)
+	for i := 1; i < len(evals); i++ {
+		xPoints[i] = f.qeAPI.MulExtension(xPoints[i-1], g_F)
+	}
+
+	// TODO:  This is n^2.  Is there a way to do this better?
+	// Compute the barycentric weights
+	barycentricWeights := make([]field.QuadraticExtension, len(xPoints))
+	for i := 0; i < len(xPoints); i++ {
+		barycentricWeights[i] = f.qeAPI.ONE_QE
+		for j := 0; j < len(xPoints); j++ {
+			if i != j {
+				barycentricWeights[i] = f.qeAPI.MulExtension(
+					f.qeAPI.SubExtension(xPoints[i], xPoints[j]),
+					barycentricWeights[i],
+				)
+			}
+		}
+		// Take the inverse of the barycentric weights
+		// TODO: Can provide a witness to this value
+		barycentricWeights[i] = f.qeAPI.InverseExtension(barycentricWeights[i])
+	}
+
+	return f.interpolate(beta, xPoints, yPoints, barycentricWeights)
+}
+
+func (f *FriChip) verifyQueryRound(
+	instance FriInstanceInfo,
+	challenges *common.FriChallenges,
+	precomputedReducedEval []field.QuadraticExtension,
+	initialMerkleCaps []common.MerkleCap,
+	proof *common.FriProof,
+	xIndex field.F,
+	n uint64,
+	nLog uint64,
+	roundProof *common.FriQueryRound,
+) {
+	f.assertNoncanonicalIndicesOK()
+	xIndexBits := f.fieldAPI.ToBinary(xIndex, int(nLog))
+	capIndexBits := xIndexBits[len(xIndexBits)-int(f.friParams.Config.CapHeight):]
+
+	f.verifyInitialProof(xIndexBits, &roundProof.InitialTreesProof, initialMerkleCaps, capIndexBits)
+
+	subgroupX := f.calculateSubgroupX(
+		xIndexBits,
+		nLog,
+	)
+
+	subgroupX_QE := field.QuadraticExtension{subgroupX, field.ZERO_F}
+
+	oldEval := f.friCombineInitial(
+		instance,
+		roundProof.InitialTreesProof,
+		challenges.FriAlpha,
+		subgroupX_QE,
+		precomputedReducedEval,
+	)
+
+	for i, arityBits := range f.friParams.ReductionArityBits {
+		evals := roundProof.Steps[i].Evals
+
+		cosetIndexBits := xIndexBits[arityBits:]
+		xIndexWithinCosetBits := xIndexBits[:arityBits]
+
+		// Assumes that the arity bits will be 4.  That means that the range of
+		// xIndexWithCoset is [0,2^4-1].  This is based on plonky2's circuit recursive
+		// config:  https://github.com/mir-protocol/plonky2/blob/main/plonky2/src/plonk/circuit_data.rs#L63
+		// Will use a two levels tree of 4-selector gadgets.
+		if arityBits != 4 {
+			panic("assuming arity bits is 4")
+		}
+
+		const NUM_LEAF_LOOKUPS = 4
+		var leafLookups [NUM_LEAF_LOOKUPS]field.QuadraticExtension
+		// First create the "leaf" lookup2 circuits
+		// The will use the least significant bits of the xIndexWithCosetBits array
+		for i := 0; i < NUM_LEAF_LOOKUPS; i++ {
+			leafLookups[i] = f.qeAPI.Lookup2(
+				xIndexWithinCosetBits[0],
+				xIndexWithinCosetBits[1],
+				evals[i*NUM_LEAF_LOOKUPS],
+				evals[i*NUM_LEAF_LOOKUPS+1],
+				evals[i*NUM_LEAF_LOOKUPS+2],
+				evals[i*NUM_LEAF_LOOKUPS+3],
+			)
+		}
+
+		// Use the most 2 significant bits of the xIndexWithCosetBits array for the "root" lookup
+		newEval := f.qeAPI.Lookup2(
+			xIndexWithinCosetBits[2],
+			xIndexWithinCosetBits[3],
+			leafLookups[0],
+			leafLookups[1],
+			leafLookups[2],
+			leafLookups[3],
+		)
+
+		f.qeAPI.AssertIsEqual(newEval, oldEval)
+
+		oldEval = f.computeEvaluation(
+			subgroupX,
+			xIndexWithinCosetBits,
+			arityBits,
+			evals,
+			challenges.FriBetas[i],
+		)
+
+		// Convert evals (array of QE) to fields by taking their 0th degree coefficients
+		fieldEvals := make([]field.F, 0, 2*len(evals))
+		for j := 0; j < len(evals); j++ {
+			fieldEvals = append(fieldEvals, evals[j][0])
+			fieldEvals = append(fieldEvals, evals[j][1])
+		}
+		f.verifyMerkleProofToCapWithCapIndex(
+			fieldEvals,
+			cosetIndexBits,
+			capIndexBits,
+			proof.CommitPhaseMerkleCaps[i],
+			&roundProof.Steps[i].MerkleProof,
+		)
+
+		// Update the point x to x^arity.
+		for j := uint64(0); j < arityBits; j++ {
+			subgroupX = f.fieldAPI.Mul(subgroupX, subgroupX).(field.F)
+		}
+
+		xIndexBits = cosetIndexBits
+	}
+
+	subgroupX_QE = f.qeAPI.FieldToQE(subgroupX)
+	finalPolyEval := f.finalPolyEval(proof.FinalPoly, subgroupX_QE)
+
+	f.qeAPI.AssertIsEqual(oldEval, finalPolyEval)
+}
+
+func (f *FriChip) VerifyFriProof(
+	instance FriInstanceInfo,
+	openings FriOpenings,
+	friChallenges *common.FriChallenges,
+	initialMerkleCaps []common.MerkleCap,
+	friProof *common.FriProof,
+) {
+	// TODO:  Check fri config
+	/* if let Some(max_arity_bits) = params.max_arity_bits() {
+		self.check_recursion_config::<C>(max_arity_bits);
+	}
+
+	debug_assert_eq!(
+		params.final_poly_len(),
+		proof.final_poly.len(),
+		"Final polynomial has wrong degree."
+	); */
+
+	// Check POW
+	f.assertLeadingZeros(friChallenges.FriPowResponse, f.friParams.Config)
+
+	precomputedReducedEvals := f.fromOpeningsAndAlpha(&openings, friChallenges.FriAlpha)
+
+	// Size of the LDE domain.
+	nLog := f.friParams.DegreeBits + f.friParams.Config.RateBits
+	n := uint64(math.Pow(2, float64(nLog)))
+
+	if len(friChallenges.FriQueryIndices) != len(friProof.QueryRoundProofs) {
+		panic(fmt.Sprintf(
+			"Number of query indices (%d) should equal number of query round proofs (%d)",
+			len(friChallenges.FriQueryIndices),
+			len(friProof.QueryRoundProofs),
+		))
+	}
+
+	for idx, xIndex := range friChallenges.FriQueryIndices {
+		roundProof := friProof.QueryRoundProofs[idx]
+
+		f.verifyQueryRound(
+			instance,
+			friChallenges,
+			precomputedReducedEvals,
+			initialMerkleCaps,
+			friProof,
+			xIndex,
+			n,
+			nLog,
+			&roundProof,
+		)
+	}
+}
--- a/verifier/internal/fri/fri_test.go
+++ b/verifier/internal/fri/fri_test.go
@@ -0,0 +1,188 @@
+package fri_test
+
+import (
+	"testing"
+
+	"github.com/consensys/gnark/frontend"
+	"github.com/consensys/gnark/test"
+	"github.com/succinctlabs/gnark-plonky2-verifier/field"
+	"github.com/succinctlabs/gnark-plonky2-verifier/poseidon"
+	"github.com/succinctlabs/gnark-plonky2-verifier/verifier/common"
+	"github.com/succinctlabs/gnark-plonky2-verifier/verifier/internal/fri"
+	"github.com/succinctlabs/gnark-plonky2-verifier/verifier/utils"
+)
+
+type TestFriCircuit struct {
+	proofWithPIsFilename            string `gnark:"-"`
+	commonCircuitDataFilename       string `gnark:"-"`
+	verifierOnlyCircuitDataFilename string `gnark:"-"`
+
+	plonkZeta       field.QuadraticExtension
+	friAlpha        field.QuadraticExtension
+	friBetas        []field.QuadraticExtension
+	friPOWResponse  field.F
+	friQueryIndices []field.F
+}
+
+func (circuit *TestFriCircuit) Define(api frontend.API) error {
+	proofWithPis := utils.DeserializeProofWithPublicInputs(circuit.proofWithPIsFilename)
+	commonCircuitData := utils.DeserializeCommonCircuitData(circuit.commonCircuitDataFilename)
+	verifierOnlyCircuitData := utils.DeserializeVerifierOnlyCircuitData(circuit.verifierOnlyCircuitDataFilename)
+
+	fieldAPI := field.NewFieldAPI(api)
+	qeAPI := field.NewQuadraticExtensionAPI(fieldAPI, commonCircuitData.DegreeBits)
+	hashAPI := poseidon.NewHashAPI(fieldAPI)
+	poseidonChip := poseidon.NewPoseidonChip(api, fieldAPI, qeAPI)
+	friChip := fri.NewFriChip(api, fieldAPI, qeAPI, hashAPI, poseidonChip, &commonCircuitData.FriParams)
+
+	friChallenges := common.FriChallenges{
+		FriAlpha:        circuit.friAlpha,
+		FriBetas:        circuit.friBetas,
+		FriPowResponse:  circuit.friPOWResponse,
+		FriQueryIndices: circuit.friQueryIndices,
+	}
+
+	initialMerkleCaps := []common.MerkleCap{
+		verifierOnlyCircuitData.ConstantSigmasCap,
+		proofWithPis.Proof.WiresCap,
+		proofWithPis.Proof.PlonkZsPartialProductsCap,
+		proofWithPis.Proof.QuotientPolysCap,
+	}
+
+	friChip.VerifyFriProof(
+		fri.GetFriInstance(&commonCircuitData, qeAPI, circuit.plonkZeta, commonCircuitData.DegreeBits),
+		fri.ToFriOpenings(proofWithPis.Proof.Openings),
+		&friChallenges,
+		initialMerkleCaps,
+		&proofWithPis.Proof.OpeningProof,
+	)
+
+	return nil
+}
+
+func TestFibonacciFriProof(t *testing.T) {
+	assert := test.NewAssert(t)
+
+	testCase := func() {
+		circuit := TestFriCircuit{
+			proofWithPIsFilename:            "./data/fibonacci/proof_with_public_inputs.json",
+			commonCircuitDataFilename:       "./data/fibonacci/common_circuit_data.json",
+			verifierOnlyCircuitDataFilename: "./data/fibonacci/verifier_only_circuit_data.json",
+			plonkZeta: field.QuadraticExtension{
+				field.NewFieldElementFromString("14887793628029982930"),
+				field.NewFieldElementFromString("1136137158284059037"),
+			},
+			friAlpha: field.QuadraticExtension{
+				field.NewFieldElementFromString("14641715242626918707"),
+				field.NewFieldElementFromString("10574243340537902930"),
+			},
+			friBetas:       []field.QuadraticExtension{},
+			friPOWResponse: field.NewFieldElement(82451580476419),
+			friQueryIndices: []field.F{
+				field.NewFieldElement(6790812084677375942),
+				field.NewFieldElement(12394212020331474798),
+				field.NewFieldElement(16457600747000998582),
+				field.NewFieldElement(1543271328932331916),
+				field.NewFieldElement(12115726870906958644),
+				field.NewFieldElement(6775897107605342797),
+				field.NewFieldElement(15989401564746021030),
+				field.NewFieldElement(10691676456016926845),
+				field.NewFieldElement(1632499470630032007),
+				field.NewFieldElement(1317292355445098328),
+				field.NewFieldElement(18391440812534384252),
+				field.NewFieldElement(17321705613231354333),
+				field.NewFieldElement(6176487551308859603),
+				field.NewFieldElement(7119835651572002873),
+				field.NewFieldElement(3903019169623116693),
+				field.NewFieldElement(4886491111111487546),
+				field.NewFieldElement(4087641893164620518),
+				field.NewFieldElement(13801643080324181364),
+				field.NewFieldElement(16993775312274189321),
+				field.NewFieldElement(9268202926222765679),
+				field.NewFieldElement(10683001302406181735),
+				field.NewFieldElement(13359465725531647963),
+				field.NewFieldElement(4523327590105620849),
+				field.NewFieldElement(4883588003760409588),
+				field.NewFieldElement(187699146998097671),
+				field.NewFieldElement(14489263557623716717),
+				field.NewFieldElement(11748359318238148146),
+				field.NewFieldElement(13636347200053048758),
+			},
+		}
+		witness := TestFriCircuit{}
+		err := test.IsSolved(&circuit, &witness, field.TEST_CURVE.ScalarField())
+		assert.NoError(err)
+	}
+
+	testCase()
+}
+
+func TestDummyFriProof(t *testing.T) {
+	assert := test.NewAssert(t)
+
+	testCase := func() {
+		circuit := TestFriCircuit{
+			proofWithPIsFilename:            "./data/dummy_2^14_gates/proof_with_public_inputs.json",
+			commonCircuitDataFilename:       "./data/dummy_2^14_gates/common_circuit_data.json",
+			verifierOnlyCircuitDataFilename: "./data/dummy_2^14_gates/verifier_only_circuit_data.json",
+			plonkZeta: field.QuadraticExtension{
+				field.NewFieldElementFromString("17377750363769967882"),
+				field.NewFieldElementFromString("11921191651424768462"),
+			},
+			friAlpha: field.QuadraticExtension{
+				field.NewFieldElementFromString("16721004555774385479"),
+				field.NewFieldElementFromString("10688151135543754663"),
+			},
+			friBetas: []field.QuadraticExtension{
+				{
+					field.NewFieldElementFromString("3312441922957827805"),
+					field.NewFieldElementFromString("15128092514958289671"),
+				},
+				{
+					field.NewFieldElementFromString("13630530769060141802"),
+					field.NewFieldElementFromString("14559883974933163008"),
+				},
+				{
+					field.NewFieldElementFromString("16146508250083930687"),
+					field.NewFieldElementFromString("5176346568444408396"),
+				},
+			},
+			friPOWResponse: field.NewFieldElement(4389),
+			friQueryIndices: []field.F{
+				field.NewFieldElementFromString("16334967868590615051"),
+				field.NewFieldElementFromString("2911473540496037915"),
+				field.NewFieldElementFromString("14887216056886344225"),
+				field.NewFieldElementFromString("7808811227805914295"),
+				field.NewFieldElementFromString("2018594961417375749"),
+				field.NewFieldElementFromString("3733368398777208435"),
+				field.NewFieldElementFromString("2623035669037055104"),
+				field.NewFieldElementFromString("299243030573481514"),
+				field.NewFieldElementFromString("7189789717962704433"),
+				field.NewFieldElementFromString("14566344026886816268"),
+				field.NewFieldElementFromString("12555390069003437453"),
+				field.NewFieldElementFromString("17225508403199418233"),
+				field.NewFieldElementFromString("5088797913879903292"),
+				field.NewFieldElementFromString("9715691392773433023"),
+				field.NewFieldElementFromString("7565836764713256165"),
+				field.NewFieldElementFromString("1500143546029322929"),
+				field.NewFieldElementFromString("1245802417104422080"),
+				field.NewFieldElementFromString("6831959786661245110"),
+				field.NewFieldElementFromString("17271054758535453780"),
+				field.NewFieldElementFromString("6225460404576395409"),
+				field.NewFieldElementFromString("15932661092896277351"),
+				field.NewFieldElementFromString("12452534049198240575"),
+				field.NewFieldElementFromString("4225199666055520177"),
+				field.NewFieldElementFromString("13235091290587791090"),
+				field.NewFieldElementFromString("2562357622728700774"),
+				field.NewFieldElementFromString("17676678042980201498"),
+				field.NewFieldElementFromString("5837067135702409874"),
+				field.NewFieldElementFromString("11238419549114325157"),
+			},
+		}
+		witness := TestFriCircuit{}
+		err := test.IsSolved(&circuit, &witness, field.TEST_CURVE.ScalarField())
+		assert.NoError(err)
+	}
+
+	testCase()
+}
--- a/verifier/internal/fri/fri_utils.go
+++ b/verifier/internal/fri/fri_utils.go
@@ -0,0 +1,199 @@
+package fri
+
+import (
+	"github.com/succinctlabs/gnark-plonky2-verifier/field"
+	"github.com/succinctlabs/gnark-plonky2-verifier/verifier/common"
+)
+
+type FriOpeningBatch struct {
+	Values []field.QuadraticExtension
+}
+
+type FriOpenings struct {
+	Batches []FriOpeningBatch
+}
+
+func ToFriOpenings(c common.OpeningSet) FriOpenings {
+	values := c.Constants                         // num_constants + 1
+	values = append(values, c.PlonkSigmas...)     // num_routed_wires
+	values = append(values, c.Wires...)           // num_wires
+	values = append(values, c.PlonkZs...)         // num_challenges
+	values = append(values, c.PartialProducts...) // num_challenges * num_partial_products
+	values = append(values, c.QuotientPolys...)   // num_challenges * quotient_degree_factor
+	zetaBatch := FriOpeningBatch{Values: values}
+	zetaNextBatch := FriOpeningBatch{Values: c.PlonkZsNext}
+	return FriOpenings{Batches: []FriOpeningBatch{zetaBatch, zetaNextBatch}}
+}
+
+type FriPolynomialInfo struct {
+	OracleIndex    uint64
+	PolynomialInfo uint64
+}
+
+type FriOracleInfo struct {
+	NumPolys uint64
+	Blinding bool
+}
+
+type FriBatchInfo struct {
+	Point       field.QuadraticExtension
+	Polynomials []FriPolynomialInfo
+}
+
+type FriInstanceInfo struct {
+	Oracles []FriOracleInfo
+	Batches []FriBatchInfo
+}
+
+type PlonkOracle struct {
+	index    uint64
+	blinding bool
+}
+
+var CONSTANTS_SIGMAS = PlonkOracle{
+	index:    0,
+	blinding: false,
+}
+
+var WIRES = PlonkOracle{
+	index:    1,
+	blinding: true,
+}
+
+var ZS_PARTIAL_PRODUCTS = PlonkOracle{
+	index:    2,
+	blinding: true,
+}
+
+var QUOTIENT = PlonkOracle{
+	index:    3,
+	blinding: true,
+}
+
+func polynomialInfoFromRange(c *common.CommonCircuitData, oracleIdx uint64, startPolyIdx uint64, endPolyIdx uint64) []FriPolynomialInfo {
+	returnArr := make([]FriPolynomialInfo, 0)
+	for i := startPolyIdx; i < endPolyIdx; i++ {
+		returnArr = append(returnArr,
+			FriPolynomialInfo{
+				OracleIndex:    oracleIdx,
+				PolynomialInfo: i,
+			})
+	}
+
+	return returnArr
+}
+
+// Range of the sigma polynomials in the `constants_sigmas_commitment`.
+func sigmasRange(c *common.CommonCircuitData) []uint64 {
+	returnArr := make([]uint64, 0)
+	for i := c.NumConstants; i <= c.NumConstants+c.Config.NumRoutedWires; i++ {
+		returnArr = append(returnArr, i)
+	}
+
+	return returnArr
+}
+
+func numPreprocessedPolys(c *common.CommonCircuitData) uint64 {
+	sigmasRange := sigmasRange(c)
+	return sigmasRange[len(sigmasRange)-1]
+}
+
+func numZSPartialProductsPolys(c *common.CommonCircuitData) uint64 {
+	return c.Config.NumChallenges * (1 + c.NumPartialProducts)
+}
+
+func numQuotientPolys(c *common.CommonCircuitData) uint64 {
+	return c.Config.NumChallenges * c.QuotientDegreeFactor
+}
+
+func friPreprocessedPolys(c *common.CommonCircuitData) []FriPolynomialInfo {
+	return polynomialInfoFromRange(
+		c,
+		CONSTANTS_SIGMAS.index,
+		0,
+		numPreprocessedPolys(c),
+	)
+}
+
+func friWirePolys(c *common.CommonCircuitData) []FriPolynomialInfo {
+	numWirePolys := c.Config.NumWires
+	return polynomialInfoFromRange(c, WIRES.index, 0, numWirePolys)
+}
+
+func friZSPartialProductsPolys(c *common.CommonCircuitData) []FriPolynomialInfo {
+	return polynomialInfoFromRange(
+		c,
+		ZS_PARTIAL_PRODUCTS.index,
+		0,
+		numZSPartialProductsPolys(c),
+	)
+}
+
+func friQuotientPolys(c *common.CommonCircuitData) []FriPolynomialInfo {
+	return polynomialInfoFromRange(
+		c,
+		QUOTIENT.index,
+		0,
+		numQuotientPolys(c),
+	)
+}
+
+func friZSPolys(c *common.CommonCircuitData) []FriPolynomialInfo {
+	return polynomialInfoFromRange(
+		c,
+		ZS_PARTIAL_PRODUCTS.index,
+		0,
+		c.Config.NumChallenges,
+	)
+}
+
+func friOracles(c *common.CommonCircuitData) []FriOracleInfo {
+	return []FriOracleInfo{
+		{
+			NumPolys: numPreprocessedPolys(c),
+			Blinding: CONSTANTS_SIGMAS.blinding,
+		},
+		{
+			NumPolys: c.Config.NumWires,
+			Blinding: WIRES.blinding,
+		},
+		{
+			NumPolys: numZSPartialProductsPolys(c),
+			Blinding: ZS_PARTIAL_PRODUCTS.blinding,
+		},
+		{
+			NumPolys: numQuotientPolys(c),
+			Blinding: QUOTIENT.blinding,
+		},
+	}
+}
+
+func friAllPolys(c *common.CommonCircuitData) []FriPolynomialInfo {
+	returnArr := make([]FriPolynomialInfo, 0)
+	returnArr = append(returnArr, friPreprocessedPolys(c)...)
+	returnArr = append(returnArr, friWirePolys(c)...)
+	returnArr = append(returnArr, friZSPartialProductsPolys(c)...)
+	returnArr = append(returnArr, friQuotientPolys(c)...)
+
+	return returnArr
+}
+
+func GetFriInstance(c *common.CommonCircuitData, qeAPI *field.QuadraticExtensionAPI, zeta field.QuadraticExtension, degreeBits uint64) FriInstanceInfo {
+	zetaBatch := FriBatchInfo{
+		Point:       zeta,
+		Polynomials: friAllPolys(c),
+	}
+
+	g := field.GoldilocksPrimitiveRootOfUnity(degreeBits)
+	zetaNext := qeAPI.MulExtension(qeAPI.FieldToQE(field.NewFieldElement(g.Uint64())), zeta)
+
+	zetaNextBath := FriBatchInfo{
+		Point:       zetaNext,
+		Polynomials: friZSPolys(c),
+	}
+
+	return FriInstanceInfo{
+		Oracles: friOracles(c),
+		Batches: []FriBatchInfo{zetaBatch, zetaNextBath},
+	}
+}