Feat: Add batch_prove and batch_verify (#203)

* feat: batch prove and verify working

* chore: cargo clippy

* chore: cargo clippy

Author: shreyas-londhe

src/whir/domainsep.rs

@@ -20,9 +20,19 @@ pub trait WhirDomainSeparator<F: FftField, MerkleConfig: Config> {
         params: &WhirConfig<F, MerkleConfig, PowStrategy>,
     ) -> Self;
 
+    /// Domain separator for regular single-commitment proving
     #[must_use]
     fn add_whir_proof<PowStrategy>(self, params: &WhirConfig<F, MerkleConfig, PowStrategy>)
         -> Self;
+
+    /// Domain separator for batch proving multiple commitments
+    #[must_use]
+    fn add_whir_batch_proof<PowStrategy>(
+        self,
+        params: &WhirConfig<F, MerkleConfig, PowStrategy>,
+        num_witnesses: usize,
+        num_constraints_total: usize,
+    ) -> Self;
 }
 
 impl<F, MerkleConfig, DomainSeparator> WhirDomainSeparator<F, MerkleConfig> for DomainSeparator
@@ -65,57 +75,124 @@ where
     }
 
     fn add_whir_proof<PowStrategy>(
-        mut self,
+        self,
         params: &WhirConfig<F, MerkleConfig, PowStrategy>,
     ) -> Self {
-        // TODO: Add statement
-        if params.initial_statement {
-            self = self
-                .challenge_scalars(1, "initial_combination_randomness")
-                .add_sumcheck(
-                    params.folding_factor.at_round(0),
-                    params.starting_folding_pow_bits,
-                );
-        } else {
-            self = self
-                .challenge_scalars(params.folding_factor.at_round(0), "folding_randomness")
-                .pow(params.starting_folding_pow_bits);
-        }
+        add_whir_proof_impl(self, params, None)
+    }
 
-        let mut domain_size = params.starting_domain.size();
-        for (round, r) in params.round_parameters.iter().enumerate() {
-            let folded_domain_size = domain_size >> params.folding_factor.at_round(round);
-            let domain_size_bytes = ((folded_domain_size * 2 - 1).ilog2() as usize).div_ceil(8);
-
-            self = self
-                .add_digest("merkle_digest")
-                .add_ood(r.ood_samples, 1)
-                .pow(r.pow_bits)
-                .challenge_bytes(r.num_queries * domain_size_bytes, "stir_queries")
-                .hint("stir_answers")
-                .hint("merkle_proof");
-
-            self = self
-                .challenge_scalars(1, "combination_randomness")
-                .add_sumcheck(
-                    params.folding_factor.at_round(round + 1),
-                    r.folding_pow_bits,
-                );
-            domain_size >>= 1;
-        }
+    fn add_whir_batch_proof<PowStrategy>(
+        self,
+        params: &WhirConfig<F, MerkleConfig, PowStrategy>,
+        num_witnesses: usize,
+        num_constraints_total: usize,
+    ) -> Self {
+        // Step 1: Commit the full N×M constraint evaluation matrix to the transcript.
+        // This binds the prover to all cross-term evaluations before sampling γ,
+        // preventing adaptive attacks where the prover could choose cross-terms
+        // after seeing the batching challenge.
+        let matrix_size = num_witnesses * num_constraints_total;
+        let this = self.add_scalars(matrix_size, "constraint_evaluation_matrix");
+
+        // Step 2: Sample batching randomness γ after committing evaluations
+        let this = this.challenge_scalars(1, "batching_randomness");
+
+        // Step 3: Continue with standard WHIR proof protocol
+        add_whir_proof_impl(this, params, Some(num_witnesses))
+    }
+}
 
-        let folded_domain_size = domain_size
-            >> params
-                .folding_factor
-                .at_round(params.round_parameters.len());
+/// Private helper: shared implementation for both regular and batch proving.
+///
+/// # Arguments
+/// * `ds` - Domain separator state
+/// * `params` - WHIR protocol configuration
+/// * `num_witnesses` - `None` for regular proving, `Some(n)` for batch proving with n witnesses
+fn add_whir_proof_impl<F, MerkleConfig, DomainSeparator, PowStrategy>(
+    mut ds: DomainSeparator,
+    params: &WhirConfig<F, MerkleConfig, PowStrategy>,
+    num_witnesses: Option<usize>,
+) -> DomainSeparator
+where
+    F: FftField,
+    MerkleConfig: Config,
+    DomainSeparator:
+        ByteDomainSeparator + FieldDomainSeparator<F> + DigestDomainSeparator<MerkleConfig>,
+{
+    // Initial sumcheck (same for both regular and batch)
+    if params.initial_statement {
+        ds = ds
+            .challenge_scalars(1, "initial_combination_randomness")
+            .add_sumcheck(
+                params.folding_factor.at_round(0),
+                params.starting_folding_pow_bits,
+            );
+    } else {
+        ds = ds
+            .challenge_scalars(params.folding_factor.at_round(0), "folding_randomness")
+            .pow(params.starting_folding_pow_bits);
+    }
+
+    let mut domain_size = params.starting_domain.size();
+
+    // Round handling
+    for (round, r) in params.round_parameters.iter().enumerate() {
+        let folded_domain_size = domain_size >> params.folding_factor.at_round(round);
         let domain_size_bytes = ((folded_domain_size * 2 - 1).ilog2() as usize).div_ceil(8);
 
-        self.add_scalars(1 << params.final_sumcheck_rounds, "final_coeffs")
-            .pow(params.final_pow_bits)
-            .challenge_bytes(domain_size_bytes * params.final_queries, "final_queries")
-            .hint("stir_answers")
-            .hint("merkle_proof")
-            .add_sumcheck(params.final_sumcheck_rounds, params.final_folding_pow_bits)
-            .hint("deferred_weight_evaluations")
+        // Digest label differs for batch round 0
+        let digest_label = if round == 0 && num_witnesses.is_some() {
+            "batched_merkle_digest" // Round 0 commits to the batched polynomial
+        } else {
+            "merkle_digest"
+        };
+
+        ds = ds
+            .add_digest(digest_label)
+            .add_ood(r.ood_samples, 1)
+            .pow(r.pow_bits)
+            .challenge_bytes(r.num_queries * domain_size_bytes, "stir_queries");
+
+        // Round 0 Merkle proofs: batch proving requires N proofs (one per original tree),
+        // while regular proving requires just 1 proof.
+        if round == 0 {
+            if let Some(n) = num_witnesses {
+                // Batch proving: verify openings in all N original commitment trees
+                for i in 0..n {
+                    ds = ds
+                        .hint(&format!("stir_answers_witness_{i}"))
+                        .hint(&format!("merkle_proof_witness_{i}"));
+                }
+            } else {
+                // Regular proving: single commitment tree
+                ds = ds.hint("stir_answers").hint("merkle_proof");
+            }
+        } else {
+            // Rounds 1+: all proving modes use the single batched tree
+            ds = ds.hint("stir_answers").hint("merkle_proof");
+        }
+
+        ds = ds
+            .challenge_scalars(1, "combination_randomness")
+            .add_sumcheck(
+                params.folding_factor.at_round(round + 1),
+                r.folding_pow_bits,
+            );
+        domain_size >>= 1;
     }
+
+    // Final round (same for both regular and batch)
+    let folded_domain_size = domain_size
+        >> params
+            .folding_factor
+            .at_round(params.round_parameters.len());
+    let domain_size_bytes = ((folded_domain_size * 2 - 1).ilog2() as usize).div_ceil(8);
+
+    ds.add_scalars(1 << params.final_sumcheck_rounds, "final_coeffs")
+        .pow(params.final_pow_bits)
+        .challenge_bytes(domain_size_bytes * params.final_queries, "final_queries")
+        .hint("stir_answers")
+        .hint("merkle_proof")
+        .add_sumcheck(params.final_sumcheck_rounds, params.final_folding_pow_bits)
+        .hint("deferred_weight_evaluations")
 }