feat: Include Configuration in Fiat-Shamir hash (#7195)

Context: celestiaorg/rsema1d-private#10

This PR adds the configuration (K, N, rowSize) to the seed of the
fiat-shamir coefficient derivation.
Previously only the rowRoot seeded the fiat-shamir coefficients. Now the
coefficients are unique per configuration & rowRoot pair.

Author: jonas089

pkg/rsema1d/SPEC.md

@@ -224,18 +224,28 @@ MapIndexToTreePosition(index, K):
 
 1. **Derive RLC Coefficients**
 
+   Bind the row root and the codec parameters (K, N, rowSize) into the
+   Fiat-Shamir seed so coefficients are unique per (rowRoot, params)
+   tuple. K, N, and rowSize are each encoded as 4-byte little-endian
+   unsigned 32-bit integers and absorbed in that order:
+
    ```text
-   seed = SHA256(rowRoot)
-   numSymbols = rowSize / 2  // Each GF16 symbol is 2 bytes
+   params     = LE32(K) || LE32(N) || LE32(rowSize)     // 12 bytes
+   seed       = SHA256(rowRoot || params)               // 32 bytes
+   numSymbols = rowSize / 2                             // each GF16 symbol is 2 bytes
    for i in 0..numSymbols:
-       coeffs[i] = HashToGF128(SHA256(seed || i))
+       coeffs[i] = HashToGF128(SHA256(seed || LE32(i))) // i as 4-byte LE uint32
    ```
 
-   Where HashToGF128 converts a 32-byte hash to a GF128 element by:
+   Where:
 
-   - Taking bytes 0-15 as 8 little-endian uint16 values
-   - Taking bytes 16-31 as 8 little-endian uint16 values
-   - XORing corresponding pairs to produce final 8 GF(2^16) values
+   - `LE32(x)` denotes the 4-byte little-endian encoding of the unsigned
+     32-bit integer `x`.
+   - `||` denotes byte concatenation.
+   - `HashToGF128` converts a 32-byte hash to a GF128 element by:
+     - Taking bytes 0-15 as 8 little-endian uint16 values
+     - Taking bytes 16-31 as 8 little-endian uint16 values
+     - XORing corresponding pairs to produce final 8 GF(2^16) values
 
 1. **Compute RLC Results (Original Rows Only)**
 
@@ -458,7 +468,7 @@ Row 3: 0x00000000000000000000000000000000000000000000000000000000000000000000000
 **Expected commitment**:
 
 ```text
-0x9f637574ecb67828c5ce7589a0a6ce139ccad3bea8e92d22d9e28fde83a905e7
+0xf57fdff87d54f71bc0c860808b046356c8d4850e67b923e08411208df08cb5ab
 ```
 
 ### 6.2 Test Vector 2: K=3, N=9, rowSize=256
@@ -474,7 +484,7 @@ Row 2: 0x00...(255 zero bytes)...03
 **Expected commitment**:
 
 ```text
-0x2d67c13aa6a5c0be41b7e84f36188562c64ff3547ce74ffd410ab1afa7897f22
+0x0e0b5f2a0b8e9ef09fbd70256b4c346291450ef239fd98894d177b5f32c579ab
 ```
 
 ### 6.3 Verification Test Cases

pkg/rsema1d/codec.go

@@ -40,7 +40,7 @@ func Encode(data [][]byte, config *Config) (*ExtendedData, Commitment, []field.G
 	rowRoot := rowTree.Root()
 
 	// 4. Derive RLC coefficients
-	coeffs := deriveCoefficients(rowRoot, config.RowSize)
+	coeffs := deriveCoefficients(rowRoot, config.K, config.N, config.RowSize)
 
 	// 5. Compute RLC results for original rows
 	rlcOrig := computeRLCOrig(data, coeffs, config)
@@ -98,7 +98,7 @@ func EncodeParity(extended [][]byte, config *Config) (*ExtendedData, Commitment,
 	rowRoot := rowTree.Root()
 
 	// 3. Derive RLC coefficients
-	coeffs := deriveCoefficients(rowRoot, config.RowSize)
+	coeffs := deriveCoefficients(rowRoot, config.K, config.N, config.RowSize)
 
 	// 4. Compute RLC results for original rows (first K rows)
 	originalRows := extended[:config.K]

pkg/rsema1d/codec_bench_test.go

@@ -220,7 +220,7 @@ func BenchmarkComputeRLCOrig(b *testing.B) {
 			}
 
 			rowRoot := [32]byte{1, 2, 3, 4}
-			coeffs := deriveCoefficients(rowRoot, cfg.rowSize)
+			coeffs := deriveCoefficients(rowRoot, codecConfig.K, codecConfig.N, codecConfig.RowSize)
 
 			setup := func() any {
 				return generateTestData(cfg.k, cfg.rowSize)
@@ -605,7 +605,7 @@ func BenchmarkDeriveCoefficients(b *testing.B) {
 
 			b.ResetTimer()
 			for range b.N {
-				deriveCoefficients(rowRoot, config.RowSize)
+				deriveCoefficients(rowRoot, config.K, config.N, config.RowSize)
 			}
 		})
 	}

pkg/rsema1d/codec_tamper_test.go

@@ -41,7 +41,7 @@ func TestTamperedExtendedDataBeforeCommitment(t *testing.T) {
 			rowRoot := rowTree.Root()
 
 			// Step 3: Derive RLC coefficients
-			coeffs := deriveCoefficients(rowRoot, config.RowSize)
+			coeffs := deriveCoefficients(rowRoot, config.K, config.N, config.RowSize)
 
 			// Step 4: Compute RLC results for original rows
 			rlcOrig := computeRLCOrig(data, coeffs, config)
@@ -129,7 +129,7 @@ func TestTamperedRLCBeforeCommitment(t *testing.T) {
 			rowRoot := rowTree.Root()
 
 			// Step 3: Derive RLC coefficients
-			coeffs := deriveCoefficients(rowRoot, config.RowSize)
+			coeffs := deriveCoefficients(rowRoot, config.K, config.N, config.RowSize)
 
 			// Step 4: Compute RLC results for original rows
 			rlcOrig := computeRLCOrig(data, coeffs, config)
@@ -211,7 +211,7 @@ func TestTamperedOriginalRLCBeforeCommitment(t *testing.T) {
 			rowRoot := rowTree.Root()
 
 			// Step 3: Derive RLC coefficients
-			coeffs := deriveCoefficients(rowRoot, config.RowSize)
+			coeffs := deriveCoefficients(rowRoot, config.K, config.N, config.RowSize)
 
 			// Step 4: Compute RLC results for original rows
 			rlcOrig := computeRLCOrig(data, coeffs, config)
@@ -317,7 +317,7 @@ func TestMultipleTamperedRows(t *testing.T) {
 			rowTree := buildPaddedRowTree(extended, config)
 			rowRoot := rowTree.Root()
 
-			coeffs := deriveCoefficients(rowRoot, config.RowSize)
+			coeffs := deriveCoefficients(rowRoot, config.K, config.N, config.RowSize)
 			rlcOrig := computeRLCOrig(data, coeffs, config)
 
 			// Build padded RLC Merkle tree
@@ -403,11 +403,8 @@ func TestInvalidRowProofDepth(t *testing.T) {
 			rowTree := buildPaddedRowTree(extended, config)
 			rowRoot := rowTree.Root()
 
-			coeffs := deriveCoefficients(rowRoot, config.RowSize)
+			coeffs := deriveCoefficients(rowRoot, config.K, config.N, config.RowSize)
 			rlcOrig := computeRLCOrig(data, coeffs, config)
-			if err != nil {
-				t.Fatalf("ExtendRLCResults failed: %v", err)
-			}
 
 			rlcOrigTree := BuildPaddedRLCTree(rlcOrig, config)
 			rlcOrigRoot := rlcOrigTree.Root()
@@ -449,7 +446,7 @@ func TestInvalidRowProofDepth(t *testing.T) {
 			if err != nil {
 				t.Errorf("Failed to compute fake row root: %v", err)
 			}
-			fakeCoeffs := deriveCoefficients(fakeRowRoot, config.RowSize)
+			fakeCoeffs := deriveCoefficients(fakeRowRoot, config.K, config.N, config.RowSize)
 			fakeRlcCommitment := computeRLC(maliciousProof.Row, fakeCoeffs)
 			ctx.rlcOrigRoot = rlcOrigRoot
 
@@ -494,7 +491,7 @@ func TestVerifyRowWithContextWithMultipleOpenings(t *testing.T) {
 	assert.NoError(t, err)
 	nodes, asNodes := buildAdversarialPaddedRowTree(extended)
 	rowRoot := nodes[0]
-	coeffs := deriveCoefficients([32]byte(rowRoot), config.RowSize)
+	coeffs := deriveCoefficients([32]byte(rowRoot), config.K, config.N, config.RowSize)
 	rlcOrig := computeRLCOrig(data, coeffs, config)
 	rlcOrigTree := BuildPaddedRLCTree(rlcOrig, config)
 	rlcOrigRoot := rlcOrigTree.Root()

pkg/rsema1d/codec_test.go

@@ -269,7 +269,7 @@ func TestRLCCommutationProperty(t *testing.T) {
 				t.Fatalf("Encode() error: %v", err)
 			}
 
-			coeffs := deriveCoefficients(extData.rowRoot, config.RowSize)
+			coeffs := deriveCoefficients(extData.rowRoot, config.K, config.N, config.RowSize)
 			extendedRLCs, err := encoding.ExtendRLCResults(extData.rlcOrig, tc.n)
 			if err != nil {
 				t.Fatalf("ExtendRLCResults() error: %v", err)

pkg/rsema1d/coder.go

@@ -65,8 +65,10 @@ func (c *Coder) commit(extendedRows [][]byte) *ExtendedData {
 	rowTree := buildPaddedRowTree(extendedRows, c.config)
 	rowRoot := rowTree.Root()
 
-	// derive RLC coefficients and compute RLC results for original rows
-	coeffs := deriveCoefficients(rowRoot, len(extendedRows[0]))
+	// derive RLC coefficients and compute RLC results for original rows.
+	// rowSize is taken from the data to support the Coder's deferred-RowSize
+	// mode (config.RowSize may be 0 when the Coder is reused across shards).
+	coeffs := deriveCoefficients(rowRoot, c.config.K, c.config.N, len(extendedRows[0]))
 	rlcOrig := computeRLCVectorized(extendedRows[:c.config.K], coeffs, c.config)
 
 	// build padded RLC Merkle tree

pkg/rsema1d/commitment.go

@@ -9,16 +9,29 @@ import (
 	"github.com/celestiaorg/celestia-app/v9/pkg/rsema1d/field"
 )
 
-// deriveCoefficients generates RLC coefficients via Fiat-Shamir, fanning
-// the SHA256 loop out across GOMAXPROCS via static chunking above the
-// parallel break-even. Below the threshold goroutine startup would dwarf
-// the per-iteration SHA256.
-func deriveCoefficients(rowRoot [32]byte, rowSize int) []field.GF128 {
-	numSymbols := rowSize / 2
+// deriveCoefficients generates RLC coefficients via Fiat-Shamir (internal).
+// k, n, and rowSize are bound into the seed so coefficients are unique per
+// (rowRoot, k, n, rowSize) tuple. Callers pick where rowSize comes from:
+// producer paths (Encode) pass config.RowSize; consumer paths (Verify, Coder)
+// pass the actual data length.
+func deriveCoefficients(rowRoot [32]byte, k, n, rowSize int) []field.GF128 {
+	// Bind rowRoot and the codec parameters into the Fiat-Shamir seed so
+	// coefficients are unique per (rowRoot, k, n, rowSize) tuple.
+	h := sha256.New()
+	h.Write(rowRoot[:])
+	var params [12]byte
+	binary.LittleEndian.PutUint32(params[0:4], uint32(k))
+	binary.LittleEndian.PutUint32(params[4:8], uint32(n))
+	binary.LittleEndian.PutUint32(params[8:12], uint32(rowSize))
+	h.Write(params[:])
+	var seed [32]byte
+	h.Sum(seed[:0])
+
+	numSymbols := rowSize / 2 // Each GF16 symbol is 2 bytes
 	coeffs := make([]field.GF128, numSymbols)
 	workers := min(runtime.GOMAXPROCS(0), numSymbols)
 	if workers <= 1 || numSymbols < minParallelDeriveSymbols {
-		deriveCoefficientsRange(rowRoot, coeffs, 0, numSymbols)
+		deriveCoefficientsRange(seed, coeffs, 0, numSymbols)
 		return coeffs
 	}
 	chunk := (numSymbols + workers - 1) / workers
@@ -29,7 +42,7 @@ func deriveCoefficients(rowRoot [32]byte, rowSize int) []field.GF128 {
 		end := min(start+chunk, numSymbols)
 		go func(start, end int) {
 			defer wg.Done()
-			deriveCoefficientsRange(rowRoot, coeffs, start, end)
+			deriveCoefficientsRange(seed, coeffs, start, end)
 		}(start, end)
 	}
 	wg.Wait()
@@ -40,10 +53,13 @@ func deriveCoefficients(rowRoot [32]byte, rowSize int) []field.GF128 {
 // parallel is slower below ~256 and 1.3-7× faster from 512 upward.
 const minParallelDeriveSymbols = 512
 
-func deriveCoefficientsRange(rowRoot [32]byte, coeffs []field.GF128, start, end int) {
-	seed := sha256.Sum256(rowRoot[:])
+func deriveCoefficientsRange(seed [32]byte, coeffs []field.GF128, start, end int) {
 	var input [32 + 4]byte
 	copy(input[:32], seed[:])
+
+	// Reuse a single SHA256 hasher with Reset() between iterations.
+	// This avoids re-initializing the digest state from scratch on each call
+	// to sha256.Sum256, saving ~12% on coefficient derivation.
 	h := sha256.New()
 	var digest [32]byte
 	for i := start; i < end; i++ {

pkg/rsema1d/commitment_test.go

@@ -33,8 +33,8 @@ func TestDeriveCoefficients(t *testing.T) {
 			rowRoot := sha256.Sum256([]byte("test root"))
 
 			// Derive coefficients
-			coeffs1 := deriveCoefficients(rowRoot, config.RowSize)
-			coeffs2 := deriveCoefficients(rowRoot, config.RowSize)
+			coeffs1 := deriveCoefficients(rowRoot, config.K, config.N, config.RowSize)
+			coeffs2 := deriveCoefficients(rowRoot, config.K, config.N, config.RowSize)
 
 			// Test determinism
 			if len(coeffs1) != len(coeffs2) {
@@ -55,7 +55,7 @@ func TestDeriveCoefficients(t *testing.T) {
 
 			// Test that different roots produce different coefficients
 			differentRoot := sha256.Sum256([]byte("different root"))
-			coeffs3 := deriveCoefficients(differentRoot, config.RowSize)
+			coeffs3 := deriveCoefficients(differentRoot, config.K, config.N, config.RowSize)
 
 			allSame := true
 			for i := range coeffs1 {
@@ -98,7 +98,7 @@ func TestComputeRLC(t *testing.T) {
 
 			// Derive coefficients
 			rowRoot := sha256.Sum256([]byte("test"))
-			coeffs := deriveCoefficients(rowRoot, config.RowSize)
+			coeffs := deriveCoefficients(rowRoot, config.K, config.N, config.RowSize)
 
 			// Compute RLC
 			rlc1 := computeRLC(row, coeffs)
@@ -190,7 +190,7 @@ func TestRLCLinearity(t *testing.T) {
 
 	// Derive coefficients
 	rowRoot := sha256.Sum256([]byte("test"))
-	coeffs := deriveCoefficients(rowRoot, config.RowSize)
+	coeffs := deriveCoefficients(rowRoot, config.K, config.N, config.RowSize)
 
 	// Compute RLCs
 	rlcA := computeRLC(rowA, coeffs)
@@ -247,45 +247,50 @@ func TestCommitmentDeterminism(t *testing.T) {
 }
 
 func TestCoefficientsConsistency(t *testing.T) {
-	// Test that coefficient derivation is consistent across different row counts
-	// but same rowSize
-	configs := []struct {
-		k int
-		n int
-	}{
-		{4, 4},
-		{8, 8},
-		{16, 16},
-	}
-
-	rowSize := 128
+	// Coefficient derivation must be deterministic for a given
+	// (rowRoot, K, N, RowSize) tuple, and must differ when any of those
+	// transcript inputs change.
 	rowRoot := sha256.Sum256([]byte("consistent root"))
+	base := &Config{K: 8, N: 8, RowSize: 128, WorkerCount: 1}
 
-	var prevCoeffs []field.GF128
+	baseCoeffs := deriveCoefficients(rowRoot, base.K, base.N, base.RowSize)
 
-	for i, tc := range configs {
-		config := &Config{
-			K:           tc.k,
-			N:           tc.n,
-			RowSize:     rowSize,
-			WorkerCount: 1,
+	// Same inputs → identical output.
+	again := deriveCoefficients(rowRoot, base.K, base.N, base.RowSize)
+	if len(again) != len(baseCoeffs) {
+		t.Fatalf("deterministic: length mismatch: got %d want %d", len(again), len(baseCoeffs))
+	}
+	for i := range baseCoeffs {
+		if !field.Equal128(baseCoeffs[i], again[i]) {
+			t.Fatalf("deterministic: coefficient %d differs", i)
 		}
+	}
 
-		coeffs := deriveCoefficients(rowRoot, config.RowSize)
-
-		// All configs with same rowSize should produce same coefficients
-		if i > 0 {
-			if len(coeffs) != len(prevCoeffs) {
-				t.Fatalf("Config %d: coefficient count differs", i)
-			}
-
-			for j := range coeffs {
-				if !field.Equal128(coeffs[j], prevCoeffs[j]) {
-					t.Errorf("Config %d: coefficient %d differs", i, j)
-				}
-			}
+	// Varying any of K, N, RowSize must change the coefficients.
+	variants := []struct {
+		name   string
+		config *Config
+	}{
+		{"different K", &Config{K: 4, N: 8, RowSize: 128, WorkerCount: 1}},
+		{"different N", &Config{K: 8, N: 16, RowSize: 128, WorkerCount: 1}},
+		{"different RowSize", &Config{K: 8, N: 8, RowSize: 256, WorkerCount: 1}},
+	}
+	for _, v := range variants {
+		got := deriveCoefficients(rowRoot, v.config.K, v.config.N, v.config.RowSize)
+		if equalGF128Slice(got, baseCoeffs) {
+			t.Errorf("%s: coefficients unexpectedly equal to base", v.name)
 		}
+	}
+}
 
-		prevCoeffs = coeffs
+func equalGF128Slice(a, b []field.GF128) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	for i := range a {
+		if !field.Equal128(a[i], b[i]) {
+			return false
+		}
 	}
+	return true
 }

pkg/rsema1d/config.go

@@ -39,7 +39,8 @@ func (c *Config) Validate() error {
 	if c.N <= 0 {
 		return errors.New("n must be positive")
 	}
-	// RowSize=0 is valid (means variable row size, determined at runtime)
+	// RowSize=0 is valid (means variable row size, determined at runtime by
+	// the Coder, which derives it from the data passed to each operation).
 	if c.RowSize < 0 {
 		return errors.New("RowSize must be non-negative")
 	}

pkg/rsema1d/incorrect_encoding.go

@@ -59,7 +59,7 @@ func GenerateIncorrectEncoding(data [][]byte, config *Config, rowIndices []int,
 	newRowRoot := newRowTree.Root()
 
 	// 4. Derive new coefficients from the new row root
-	newCoeffs := deriveCoefficients(newRowRoot, config.RowSize)
+	newCoeffs := deriveCoefficients(newRowRoot, config.K, config.N, config.RowSize)
 
 	// 5. Compute RLC using non-tampered original rows: for any tampered original
 	// row, use the saved pre-tamper data so the RLC values stay correct for them.