From 5613f194e0c0ade013f82737f415283e526bfdbf Mon Sep 17 00:00:00 2001
From: Jan Ferdinand Sauer <ferdinand@neptune.cash>
Date: Wed, 24 Jan 2024 14:12:53 +0100
Subject: [PATCH] refactor!: communicate possible STARK proving failures with
 `Result`

---
 triton-vm/benches/prove_fib.rs   |  2 +-
 triton-vm/benches/prove_halt.rs  |  2 +-
 triton-vm/benches/verify_halt.rs |  2 +-
 triton-vm/src/error.rs           | 14 +++++++++++++-
 triton-vm/src/lib.rs             | 10 ++++------
 triton-vm/src/shared_tests.rs    |  2 +-
 triton-vm/src/stark.rs           | 29 +++++++++++++----------------
 7 files changed, 34 insertions(+), 27 deletions(-)

diff --git a/triton-vm/benches/prove_fib.rs b/triton-vm/benches/prove_fib.rs
index 5e37ec5e..48f856ca 100644
--- a/triton-vm/benches/prove_fib.rs
+++ b/triton-vm/benches/prove_fib.rs
@@ -42,7 +42,7 @@ fn prover_timing_report(claim: &Claim, aet: &AlgebraicExecutionTrace) -> Report
     let profile_name = format!("Prove Fibonacci {FIBONACCI_INDEX}");
     let parameters = StarkParameters::default();
     let mut profiler = Some(TritonProfiler::new(&profile_name));
-    let proof = Stark::prove(parameters, claim, aet, &mut profiler);
+    let proof = Stark::prove(parameters, claim, aet, &mut profiler).unwrap();
     let mut profiler = profiler.unwrap();
     profiler.finish();
 
diff --git a/triton-vm/benches/prove_halt.rs b/triton-vm/benches/prove_halt.rs
index cc156d34..22afec26 100644
--- a/triton-vm/benches/prove_halt.rs
+++ b/triton-vm/benches/prove_halt.rs
@@ -22,7 +22,7 @@ fn prove_halt(criterion: &mut Criterion) {
         output,
     };
     let mut profiler = Some(TritonProfiler::new("Prove Halt"));
-    let proof = Stark::prove(parameters, &claim, &aet, &mut profiler);
+    let proof = Stark::prove(parameters, &claim, &aet, &mut profiler).unwrap();
     let mut profiler = profiler.unwrap();
     profiler.finish();
 
diff --git a/triton-vm/benches/verify_halt.rs b/triton-vm/benches/verify_halt.rs
index 9a377ade..5d3822de 100644
--- a/triton-vm/benches/verify_halt.rs
+++ b/triton-vm/benches/verify_halt.rs
@@ -22,7 +22,7 @@ fn verify_halt(criterion: &mut Criterion) {
     };
 
     let (aet, _) = program.trace_execution([].into(), [].into()).unwrap();
-    let proof = Stark::prove(parameters, &claim, &aet, &mut None);
+    let proof = Stark::prove(parameters, &claim, &aet, &mut None).unwrap();
 
     let mut profiler = Some(TritonProfiler::new("Verify Halt"));
     Stark::verify(parameters, &claim, &proof, &mut profiler).unwrap();
diff --git a/triton-vm/src/error.rs b/triton-vm/src/error.rs
index 9685d989..562c3da6 100644
--- a/triton-vm/src/error.rs
+++ b/triton-vm/src/error.rs
@@ -131,7 +131,7 @@ pub enum FriSetupError {
 }
 
 #[non_exhaustive]
-#[derive(Debug, Error)]
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Error)]
 pub enum FriProvingError {
     #[error(transparent)]
     MerkleTreeError(#[from] MerkleTreeError),
@@ -212,6 +212,18 @@ pub enum ProvingError {
     #[error("claimed public output does not match actual public output")]
     PublicOutputMismatch,
 
+    #[error(transparent)]
+    CanonicalRepresentationError(#[from] CanonicalRepresentationError),
+
+    #[error(transparent)]
+    MerkleTreeError(#[from] MerkleTreeError),
+
+    #[error(transparent)]
+    FriSetupError(#[from] FriSetupError),
+
+    #[error(transparent)]
+    FriProvingError(#[from] FriProvingError),
+
     #[error(transparent)]
     VMError(#[from] VMError),
 }
diff --git a/triton-vm/src/lib.rs b/triton-vm/src/lib.rs
index 8bc9481d..ceef6545 100644
--- a/triton-vm/src/lib.rs
+++ b/triton-vm/src/lib.rs
@@ -144,8 +144,6 @@
 
 #![recursion_limit = "4096"]
 
-use std::error::Error;
-
 pub use twenty_first;
 pub use twenty_first::shared_math::b_field_element::BFieldElement;
 pub use twenty_first::shared_math::tip5::Digest;
@@ -503,7 +501,7 @@ pub fn prove_program(
     program: &Program,
     public_input: &[u64],
     non_determinism: &NonDeterminism<u64>,
-) -> Result<(StarkParameters, Claim, Proof), Box<dyn Error>> {
+) -> Result<(StarkParameters, Claim, Proof), ProvingError> {
     input_elements_have_unique_representation(public_input, non_determinism)?;
 
     // Convert public and secret inputs to BFieldElements.
@@ -538,7 +536,7 @@ pub fn prove_program(
     };
 
     // Generate the proof.
-    let proof = Stark::prove(parameters, &claim, &aet, &mut None);
+    let proof = Stark::prove(parameters, &claim, &aet, &mut None)?;
 
     Ok((parameters, claim, proof))
 }
@@ -579,8 +577,8 @@ pub fn prove(
     if public_output != claim.output {
         return Err(ProvingError::PublicOutputMismatch);
     }
-    let proof = Stark::prove(parameters, claim, &aet, &mut None);
-    Ok(proof)
+
+    Stark::prove(parameters, claim, &aet, &mut None)
 }
 
 /// Verify a proof generated by [`prove`] or [`prove_program`].
diff --git a/triton-vm/src/shared_tests.rs b/triton-vm/src/shared_tests.rs
index ab0f3f96..92fa8dea 100644
--- a/triton-vm/src/shared_tests.rs
+++ b/triton-vm/src/shared_tests.rs
@@ -129,7 +129,7 @@ pub(crate) fn prove_with_low_security_level(
     let claim = construct_claim(&aet, public_input.individual_tokens, public_output);
 
     prof_start!(maybe_profiler, "prove");
-    let proof = Stark::prove(parameters, &claim, &aet, maybe_profiler);
+    let proof = Stark::prove(parameters, &claim, &aet, maybe_profiler).unwrap();
     prof_stop!(maybe_profiler, "prove");
 
     (parameters, claim, proof)
diff --git a/triton-vm/src/stark.rs b/triton-vm/src/stark.rs
index 5ad237bc..227e1f1e 100644
--- a/triton-vm/src/stark.rs
+++ b/triton-vm/src/stark.rs
@@ -29,6 +29,7 @@ use twenty_first::util_types::merkle_tree_maker::MerkleTreeMaker;
 
 use crate::aet::AlgebraicExecutionTrace;
 use crate::arithmetic_domain::ArithmeticDomain;
+use crate::error::ProvingError;
 use crate::error::VerificationError;
 use crate::error::VerificationError::*;
 use crate::fri;
@@ -143,7 +144,7 @@ impl Stark {
         claim: &Claim,
         aet: &AlgebraicExecutionTrace,
         maybe_profiler: &mut Option<TritonProfiler>,
-    ) -> Proof {
+    ) -> Result<Proof, ProvingError> {
         prof_start!(maybe_profiler, "Fiat-Shamir: claim", "hash");
         let mut proof_stream = StarkProofStream::new();
         proof_stream.alter_fiat_shamir_state_with(claim);
@@ -152,7 +153,7 @@ impl Stark {
         prof_start!(maybe_profiler, "derive additional parameters");
         let padded_height = aet.padded_height();
         let max_degree = Self::derive_max_degree(padded_height, parameters.num_trace_randomizers);
-        let fri = Self::derive_fri(parameters, padded_height).unwrap();
+        let fri = Self::derive_fri(parameters, padded_height)?;
         let quotient_domain = Self::quotient_domain(fri.domain, max_degree);
         proof_stream.enqueue(ProofItem::Log2PaddedHeight(padded_height.ilog2()));
         prof_stop!(maybe_profiler, "derive additional parameters");
@@ -266,7 +267,7 @@ impl Stark {
         prof_stop!(maybe_profiler, "hash rows of quotient segments");
         prof_start!(maybe_profiler, "Merkle tree", "hash");
         let quot_merkle_tree: MerkleTree<StarkHasher> =
-            MTMaker::from_digests(&fri_domain_quotient_segment_codewords_digests).unwrap();
+            MTMaker::from_digests(&fri_domain_quotient_segment_codewords_digests)?;
         let quot_merkle_tree_root = quot_merkle_tree.root();
         proof_stream.enqueue(ProofItem::MerkleRoot(quot_merkle_tree_root));
         prof_stop!(maybe_profiler, "Merkle tree");
@@ -438,9 +439,8 @@ impl Stark {
         prof_stop!(maybe_profiler, "combined DEEP polynomial");
 
         prof_start!(maybe_profiler, "FRI");
-        let revealed_current_row_indices = fri
-            .prove(&fri_combination_codeword, &mut proof_stream)
-            .unwrap();
+        let revealed_current_row_indices =
+            fri.prove(&fri_combination_codeword, &mut proof_stream)?;
         assert_eq!(
             parameters.num_combination_codeword_checks,
             revealed_current_row_indices.len()
@@ -453,9 +453,8 @@ impl Stark {
             master_base_table.fri_domain_table(),
             &revealed_current_row_indices,
         );
-        let base_authentication_structure = base_merkle_tree
-            .authentication_structure(&revealed_current_row_indices)
-            .unwrap();
+        let base_authentication_structure =
+            base_merkle_tree.authentication_structure(&revealed_current_row_indices)?;
         proof_stream.enqueue(ProofItem::MasterBaseTableRows(revealed_base_elems));
         proof_stream.enqueue(ProofItem::AuthenticationStructure(
             base_authentication_structure,
@@ -465,9 +464,8 @@ impl Stark {
             master_ext_table.fri_domain_table(),
             &revealed_current_row_indices,
         );
-        let ext_authentication_structure = ext_merkle_tree
-            .authentication_structure(&revealed_current_row_indices)
-            .unwrap();
+        let ext_authentication_structure =
+            ext_merkle_tree.authentication_structure(&revealed_current_row_indices)?;
         proof_stream.enqueue(ProofItem::MasterExtTableRows(revealed_ext_elems));
         proof_stream.enqueue(ProofItem::AuthenticationStructure(
             ext_authentication_structure,
@@ -481,9 +479,8 @@ impl Stark {
             .map(|&i| fri_domain_quotient_segment_codewords.row(i))
             .map(into_fixed_width_row)
             .collect_vec();
-        let revealed_quotient_authentication_structure = quot_merkle_tree
-            .authentication_structure(&revealed_current_row_indices)
-            .unwrap();
+        let revealed_quotient_authentication_structure =
+            quot_merkle_tree.authentication_structure(&revealed_current_row_indices)?;
         proof_stream.enqueue(ProofItem::QuotientSegmentsElements(
             revealed_quotient_segments_rows,
         ));
@@ -492,7 +489,7 @@ impl Stark {
         ));
         prof_stop!(maybe_profiler, "open trace leafs");
 
-        proof_stream.into()
+        Ok(proof_stream.into())
     }
 
     fn random_linear_sum_base_field(