[iop-prover] Fix commit_masked for msg_len < packing width

When log_len < P::LOG_WIDTH, the message and mask each fit within a
single packed element, so concatenating them at the packed level
produces two separate P values rather than the intended log_len + 1
scalars packed into one P. In that case, build the combined value
with P::from_scalars over the chained scalar iterators instead.

Same fix applied at the call site in basefold_zk_channel where the
combined (witness || mask) buffer is constructed for prove_zk.

Author: jimpo

crates/iop-prover/src/basefold_zk_channel.rs

@@ -7,6 +7,8 @@
 //! this channel always applies zero-knowledge blinding to all oracles by generating masks
 //! internally.
 
+use std::iter;
+
 use binius_field::{BinaryField, PackedField};
 use binius_iop::{channel::OracleSpec, fri::FRIParams, merkle_tree::MerkleTreeScheme};
 use binius_ip_prover::channel::IPProverChannel;
@@ -182,23 +184,35 @@ where
 			buffer.log_len()
 		);
 
-		// Copy the message for later use in prove_zk (commit_masked consumes buffer).
-		let log_len = buffer.log_len();
-		let message_values: Box<[P]> = buffer.as_ref().into();
-
 		// Generate mask, interleave, and commit via commit_masked.
 		let CommitMaskedOutput {
 			commitment,
 			committed,
 			codeword,
 			mask,
-		} = fri::commit_masked(fri_params, self.ntt, self.merkle_prover, buffer, &mut self.rng)
-			.expect("FRI commit_masked should succeed with valid params");
+		} = fri::commit_masked(
+			fri_params,
+			self.ntt,
+			self.merkle_prover,
+			buffer.to_ref(),
+			&mut self.rng,
+		)
+		.expect("FRI commit_masked should succeed with valid params");
 
 		// Build the combined (witness || mask) buffer for later use in prove_zk.
-		let mut combined_values = Vec::with_capacity(message_values.len() * 2);
-		combined_values.extend_from_slice(&message_values);
-		combined_values.extend_from_slice(mask.as_ref());
+		let log_len = buffer.log_len();
+		let combined_values = if log_len < P::LOG_WIDTH {
+			let combined_value =
+				P::from_scalars(iter::chain(buffer.iter_scalars(), mask.iter_scalars()));
+			vec![combined_value]
+		} else {
+			// TODO: The concatenation here is sequential and a performance issue. Ideally, commit
+			// should not allocate and copy the memory into a temp buffer.
+			// TODO: At the very least, make this a parallel copy
+			iter::chain(buffer.as_ref(), mask.as_ref())
+				.copied()
+				.collect::<Vec<_>>()
+		};
 		let combined = FieldBuffer::new(log_len + 1, combined_values.into_boxed_slice());
 
 		// Send commitment via transcript.

crates/iop-prover/src/fri/commit.rs

@@ -1,6 +1,8 @@
 // Copyright 2025 Irreducible Inc.
 // Copyright 2026 The Binius Developers
 
+use std::iter;
+
 use binius_field::{BinaryField, PackedField};
 use binius_iop::{fri::FRIParams, merkle_tree::MerkleTreeScheme};
 use binius_math::{FieldBuffer, FieldSlice, ntt::AdditiveNTT};
@@ -133,12 +135,18 @@ where
 		par_rand::<StdRng, _, _>(packed_len, &mut rng, P::random).collect(),
 	);
 
-	// TODO: The concatenation here is sequential and a performance issue. Ideally, commit should
-	// not allocate and copy the memory into a temp buffer.
-	let combined_packed_len = packed_len * 2;
-	let mut combined_values = Vec::with_capacity(combined_packed_len);
-	combined_values.extend_from_slice(message.as_ref());
-	combined_values.extend_from_slice(mask.as_ref());
+	let combined_values = if log_len < P::LOG_WIDTH {
+		let combined_value =
+			P::from_scalars(iter::chain(message.iter_scalars(), mask.iter_scalars()));
+		vec![combined_value]
+	} else {
+		// TODO: The concatenation here is sequential and a performance issue. Ideally, commit
+		// should not allocate and copy the memory into a temp buffer.
+		// TODO: At the very least, make this a parallel copy
+		iter::chain(message.as_ref(), mask.as_ref())
+			.copied()
+			.collect::<Vec<_>>()
+	};
 	let combined = FieldBuffer::new(log_len + 1, combined_values.into_boxed_slice());
 
 	let CommitOutput {