perf: parallelize commit phase and reduce allocations

.github/workflows/ci.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: actions-rust-lang/setup-rust-toolchain@v1
         with:
           components: rustfmt
       - name: Check formatting
@@ -31,20 +31,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: actions-rust-lang/setup-rust-toolchain@v1
         with:
           components: clippy
       - name: Clippy (all features)
-        run: cargo clippy -q --message-format=short --all-features --all-targets -- -D warnings
+        run: cargo clippy --all --all-targets --all-features -- -D warnings
       - name: Clippy (no default features)
-        run: cargo clippy -q --message-format=short --no-default-features --lib -- -D warnings
+        run: cargo clippy --all --all-targets --no-default-features -- -D warnings
 
   doc:
     name: Documentation
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: actions-rust-lang/setup-rust-toolchain@v1
       - name: Build documentation
         run: cargo doc -q --no-deps --all-features
         env:
@@ -55,8 +55,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: actions-rust-lang/setup-rust-toolchain@v1
       - name: Install cargo-nextest
         uses: taiki-e/install-action@nextest
       - name: Run tests
-        run: cargo nextest run -q --all-features
+        run: cargo nextest run --all-features

AGENTS.md

@@ -0,0 +1,35 @@
+# AGENTS.md
+
+**Compatibility notice (explicit): This repo makes NO backward-compatibility guarantees. Breaking changes are allowed and expected.**
+
+## Project Overview
+
+Hachi is a lattice-based polynomial commitment scheme (PCS) with transparent setup and post-quantum security. Built in Rust. Intended to replace Dory in Jolt.
+
+## Essential Commands
+
+```bash
+cargo clippy --all --message-format=short -q -- -D warnings
+cargo fmt -q
+cargo test          # no nextest yet
+```
+
+## Crate Structure
+
+Two workspace members: `hachi-pcs` (root) and `derive` (proc macros).
+
+- `src/primitives/` — Core traits: `FieldCore`, `Module`, `MultilinearLagrange`, `Transcript`, serialization
+- `src/algebra/` — Concrete backends: prime fields, extension fields, cyclotomic rings, NTT, domains
+- `src/protocol/` — Protocol layer: commitment, prover, verifier, opening (ring-switch), challenges, transcript
+- `src/error.rs` — Error types
+
+## Key Abstractions
+
+- `CommitmentScheme` / `StreamingCommitmentScheme` — top-level PCS traits
+- `FieldCore` + `PseudoMersenneField` + `Module` — arithmetic over lattice-friendly fields and rings
+- `MultilinearLagrange` — multilinear polynomial in Lagrange basis
+- `Transcript` — Fiat-Shamir
+
+## Feature Flags
+
+- `parallel` — Rayon parallelization

CLAUDE.md

@@ -0,0 +1 @@
+AGENTS.md

CONSTANT_TIME_NOTES.md

@@ -0,0 +1,42 @@
+# Constant-Time Review Notes (Phase 0/1 Algebra)
+
+This note tracks timing-sensitive implementation decisions for the current
+algebra and ring stack.
+
+## Reviewed Components
+
+- `src/algebra/fields/fp32.rs`
+- `src/algebra/fields/fp64.rs`
+- `src/algebra/fields/fp128.rs`
+- `src/algebra/ntt/prime.rs`
+- `src/algebra/ntt/butterfly.rs`
+- `src/algebra/ring/cyclotomic.rs`
+- `src/algebra/ring/crt_ntt_repr.rs`
+
+## Current State
+
+- Branchless primitives are in place for:
+  - `Fp32/Fp64/Fp128` add/sub/neg raw helpers.
+  - `Fp128` multiplication reduction (`reduce_u256`) with branchless conditional subtract.
+  - `Fp32/Fp64` multiplication reduction (division-free fixed-iteration paths).
+  - NTT helper operations `csubp`, `caddp`, and `center`.
+- NTT butterfly arithmetic runs in fixed loop structure independent of data.
+- Ring multiplication (`CyclotomicRing`) is fixed-structure schoolbook over `D`.
+- CRT reconstruction inner accumulation now uses fixed-trip, branchless
+  modular add/mul-by-small-factor helpers.
+- Prime fields now expose `Invertible::inv_or_zero()` for secret-bearing
+  inversion use-cases without input-dependent branching on zero.
+- CRT reconstruction final projection now uses a division-free fixed-iteration
+  reducer (`reduce_u128_divfree`) instead of `% q`.
+
+## Known Timing Risks / Follow-ups
+
+- `FieldCore::inv()` still returns `Option` and therefore branches on zero;
+  treat that API as public-value oriented. Use `Invertible::inv_or_zero()`
+  in secret-dependent paths.
+
+## Action Items Before Production-Critical Use
+
+1. Wire secret-bearing call sites to `Invertible::inv_or_zero()` as
+   protocol code matures.
+2. Add dedicated CT review tests/checklists for any arithmetic subsystem changes.