Opt : smaller proof size by using alternate randomness sampling approach (audit branch : v1) #239

Open
ocdbytes wants to merge 18 commits into WizardOfMenlo:v1 from ocdbytes:aj/opt/proof-size-v1

@ocdbytes
Contributor

Summary

  • Implements zkWHIR 2.0 using the "Alternative Randomness Sampling" approach, replacing the previous per-round blinding strategy. Proof size drops from (μ+1)·q(δ) to (ν+1)·q(δ) field
    elements, where ν = ⌊μ/ℓ⌋ + 1 ≪ μ.
  • Extracts shared WHIR round logic into whir/rounds.rs, deduplicating the fold-commit-sumcheck loop between base WHIR and zkWHIR.
  • Adds open_at_indices / verify_at_indices to irs_commit for the Γ consistency check (opening at caller-provided codeword positions instead of transcript-sampled ones).

Design

Two WHIR instances run as sub-protocols:

  1. Blinded polynomial (f̂ = f + msk(Φ₀)): standard WHIR rounds on f_zk = ρ·f + g, with a Γ consistency check verifying [[f̂]] openings match [[H]].
  2. Blinding polynomial (M, ĝ₁..ĝ_ν): batched proof over ν + n committed vectors using weight covectors derived from beq tables.

Protocol steps:

  1. Commitment — sample masking/blinding polynomials, commit both instances
  2. Blinding claims — verifier sends β, prover sends G claims
  3. Combination — verifier sends ρ ≠ 0, prover forms f_zk = ρ·f + g
  4. Initial sumcheck on f_zk
  5. OOD/STIR queries + remaining WHIR rounds (shared via rounds.rs)
  6. Γ consistency check — verify [[f̂]] openings match [[H]] at FRI query indices
  7. Batched blinding proof via second WHIR instance

Reference Issue : #230

Reference Doc : [ ZK WHIR updated params doc by @yswami-tfh ]

| Metric | Previous Implementation | New Implementation | Change |
|---|---|---|---|
| Proof Size | 3.2 MB | 740 KB | -77% |
| Verifier Time | 243 ms | 136 ms | -44% |

@ocdbytes ocdbytes changed the title Opt : smaller proof size by using alternate randomness sampling approach Opt : smaller proof size by using alternate randomness sampling approach (audit branch : v1) Mar 23, 2026
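
The combination in step 3 of the PR description, as an added example that is not code from this PR or the WHIR repository: it shows why the verifier's challenge must satisfy ρ ≠ 0. The toy field 2^61 − 1, the function names, the sample evaluations, and the assumption that the combined sumcheck claim is ρ·F + G (which follows from linearity of the hypercube sum) are all illustrative.

```rust
// Added illustration; toy field and sample values are assumptions, not the project's code.
const P: u64 = (1 << 61) - 1; // Mersenne prime 2^61 - 1, a stand-in field

fn add(a: u64, b: u64) -> u64 { ((a as u128 + b as u128) % P as u128) as u64 }
fn mul(a: u64, b: u64) -> u64 { ((a as u128 * b as u128) % P as u128) as u64 }

/// Sum of a polynomial's evaluations over the Boolean hypercube.
fn hypercube_sum(evals: &[u64]) -> u64 {
    evals.iter().fold(0, |acc, &e| add(acc, e))
}

/// Pointwise rho*f + g with no check on rho (used to show the failure mode).
fn combine_unchecked(rho: u64, f: &[u64], g: &[u64]) -> Vec<u64> {
    f.iter().zip(g).map(|(&a, &b)| add(mul(rho, a), b)).collect()
}

/// Step 3 as described: reject rho = 0 (and mismatched lengths) before combining.
fn combine(rho: u64, f: &[u64], g: &[u64]) -> Option<Vec<u64>> {
    if rho % P == 0 || f.len() != g.len() {
        return None;
    }
    Some(combine_unchecked(rho, f, g))
}

/// Does the claim rho*F + G match the true hypercube sum of rho*f + g?
fn claim_holds(rho: u64, f: &[u64], g: &[u64], claim_f: u64, claim_g: u64) -> bool {
    let f_zk = combine_unchecked(rho, f, g);
    hypercube_sum(&f_zk) == add(mul(rho, claim_f), claim_g)
}

fn main() {
    // Constructed sample data: evaluations of f and of the blinding polynomial g on {0,1}^3.
    let f: [u64; 8] = [3, 1, 4, 1, 5, 9, 2, 6];
    let g: [u64; 8] = [11, 7, 13, 2, 8, 5, 10, 4];
    let (sum_f, sum_g) = (hypercube_sum(&f), hypercube_sum(&g));
    let wrong_f = add(sum_f, 1); // a false claim about f

    println!("honest, rho=7:  {}", claim_holds(7, &f, &g, sum_f, sum_g));
    println!("false F, rho=7: {}", claim_holds(7, &f, &g, wrong_f, sum_g));
    println!("false F, rho=0: {}", claim_holds(0, &f, &g, wrong_f, sum_g));
    println!("combine(0, ..) rejected: {}", combine(0, &f, &g).is_none());
}
```

With ρ = 0 the combined polynomial is just g, so a false claim about f still passes the sum relation; the checked `combine` refuses that challenge.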
@codspeed-hq

codspeed-hq Bot commented Mar 23, 2026

Merging this PR will degrade performance by 24.13%

❌ 4 regressed benchmarks
✅ 6 untouched benchmarks
⏩ 22 skipped benchmarks [1]

⚠️ Please fix the performance issues or acknowledge them on CodSpeed.

Performance Changes

| Mode | Benchmark | BASE | HEAD | Efficiency |
|---|---|---|---|---|
| Simulation | interleaved_rs_encode[(22, 4, 4)] | 3.4 s | 4.1 s | -16.91% |
| Simulation | interleaved_rs_encode[(18, 4, 3)] | 155.3 ms | 179.3 ms | -13.39% |
| Simulation | interleaved_rs_encode[(20, 4, 4)] | 612.9 ms | 807.8 ms | -24.13% |
| Simulation | interleaved_rs_encode[(18, 2, 2)] | 68.8 ms | 86.2 ms | -20.23% |

Comparing ocdbytes:aj/opt/proof-size-v1 (4469b8e) with main (0aeaa7f) [2]

Footnotes

  1. 22 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

  2. No successful run was found on v1 (37fef3f) during the generation of this report, so main (0aeaa7f) was used instead as the comparison base. There might be some changes unrelated to this pull request in this report.

Comment thread src/protocols/whir_zk/verifier.rs Outdated
Comment thread src/protocols/whir_zk/utils.rs
Comment thread src/protocols/whir/rounds.rs Outdated
Comment thread src/protocols/whir_zk/prover.rs Outdated
Comment thread src/protocols/whir_zk/utils.rs
Comment thread src/protocols/whir_zk/verifier.rs
Comment thread src/protocols/whir_zk/utils.rs
Comment thread src/protocols/whir/rounds.rs Outdated
Comment thread src/protocols/whir_zk/verifier.rs
Comment thread src/protocols/whir_zk/utils.rs
Comment thread src/protocols/whir_zk/mod.rs
Comment thread src/protocols/whir_zk/verifier.rs