- Generated by
1.9.8
|
Barretenberg
The ZK-SNARK library at the core of Aztec
|
The implementation of the sumcheck Prover for statements of the form \(\sum_{\vec \ell \in \{0,1\}^d} pow_{\beta}(\vec \ell) \cdot F \left(P_1(\vec \ell),\ldots, P_N(\vec \ell) \right) = 0 \) for multilinear polynomials \(P_1, \ldots, P_N \). More...
#include <sumcheck.hpp>
Public Types | |
| using | FF = typename Flavor::FF |
| using | ProverPolynomials = typename Flavor::ProverPolynomials |
| using | PartiallyEvaluatedMultivariates = typename Flavor::PartiallyEvaluatedMultivariates |
| using | ClaimedEvaluations = typename Flavor::AllValues |
| using | ZKData = ZKSumcheckData< Flavor > |
| using | Transcript = typename Flavor::Transcript |
| using | SubrelationSeparators = std::array< FF, Flavor::NUM_SUBRELATIONS - 1 > |
| using | CommitmentKey = typename Flavor::CommitmentKey |
| using | SumcheckRoundUnivariate = typename bb::Univariate< FF, BATCHED_RELATION_PARTIAL_LENGTH > |
Public Member Functions | |
| SumcheckProver (size_t multivariate_n, ProverPolynomials &prover_polynomials, std::shared_ptr< Transcript > transcript, const FF &relation_separator, const size_t virtual_log_n, const std::vector< FF > &accumulator_challenge, const std::vector< FF > &instance_challenge) | |
| SumcheckProver (size_t multivariate_n, ProverPolynomials &prover_polynomials, std::shared_ptr< Transcript > transcript, const FF &alpha, const std::vector< FF > &gate_challenges, const RelationParameters< FF > &relation_parameters, const size_t virtual_log_n) | |
| SumcheckOutput< Flavor > | prove () |
| Non-ZK version: Compute round univariate, place it in transcript, compute challenge, partially evaluate. Repeat until final round, then get full evaluations of prover polynomials, and place them in transcript. | |
| template<typename PolynomialT , std::size_t N> | |
| void | partially_evaluate (std::array< PolynomialT, N > &polynomials, const FF &round_challenge) |
| Evaluate at the round challenge and prepare class for next round. Specialization for array, see generic version. | |
| ClaimedEvaluations | extract_claimed_evaluations (PartiallyEvaluatedMultivariates &partially_evaluated_polynomials) |
| This method takes the book-keeping table containing partially evaluated prover polynomials and creates a vector containing the evaluations of all prover polynomials at the point \( (u_0, \ldots, u_{d-1} )\). For ZK Flavors: this method takes the book-keeping table containing partially evaluated prover polynomials and creates a vector containing the evaluations of all witness polynomials at the point \( (u_0, \ldots, u_{d-1}
)\) masked by the terms \( \texttt{eval_masking_scalars}_j\cdot \sum u_i(1-u_i)\) and the evaluations of all non-witness polynomials that are sent in clear. | |
Public Attributes | |
| const size_t | multivariate_n |
| const size_t | multivariate_d |
| ProverPolynomials & | full_polynomials |
| std::shared_ptr< Transcript > | transcript |
| SumcheckProverRound< Flavor > | round |
| SubrelationSeparators | alphas |
| std::vector< FF > | gate_challenges |
| bb::RelationParameters< FF > | relation_parameters |
| size_t | virtual_log_n |
| std::vector< FF > | multivariate_challenge |
| std::vector< FF > | accumulator_challenge = {} |
| std::vector< FF > | instance_challenge = {} |
| FF | libra_evaluation = FF{ 0 } |
| RowDisablingPolynomial< FF > | row_disabling_polynomial |
| PartiallyEvaluatedMultivariates | partially_evaluated_polynomials |
| Container for partially evaluated Prover Polynomials at a current challenge. Upon computing challenge \(
u_i \), the first \(2^{d-1-i}\) rows are updated using partially evaluate method. | |
| SumcheckOutput< Flavor > prove(ZKData &zk_sumcheck_data) void | partially_evaluate (auto &polynomials, const FF &round_challenge) |
ZK-version of prove that runs Sumcheck with disabled rows and masking of Round Univariates. The masking is ensured by adding random Libra univariates to the Sumcheck round univariates. | |
Static Public Attributes | |
| static constexpr bool | isMultilinearBatchingFlavor = IsAnyOf<Flavor, MultilinearBatchingFlavor> |
| static constexpr size_t | MAX_PARTIAL_RELATION_LENGTH = Flavor::MAX_PARTIAL_RELATION_LENGTH |
| The total algebraic degree of the Sumcheck relation \( F \) as a polynomial in Prover Polynomials \(P_1,\ldots, P_N\). | |
| static constexpr size_t | BATCHED_RELATION_PARTIAL_LENGTH = Flavor::BATCHED_RELATION_PARTIAL_LENGTH |
The implementation of the sumcheck Prover for statements of the form \(\sum_{\vec \ell \in \{0,1\}^d} pow_{\beta}(\vec \ell) \cdot F \left(P_1(\vec \ell),\ldots, P_N(\vec \ell) \right) = 0 \) for multilinear polynomials \(P_1, \ldots, P_N \).
The Sumcheck is applied to multivariate polynomials \(P_1, \ldots, P_N\) that are specidied by Flavor. Namely, prove method obtains full_polynomials by reference from Flavor 's prover polynomials. In particular, their number \(N\) is specified by the Flavor.
Given multilinear polynomials \( P_1,\ldots, P_N \in \mathbb{F}[X_0,\ldots, X_{d-1}] \) and a relation \( F \) which is a polynomial in \( N \) variables, we use Sumcheck over the polynomial
\begin{align} \tilde{F} (X_0,\ldots, X_{d-1}) = pow_{\beta}(X_0,\ldots, X_{d-1}) \cdot F\left( P_1 (X_0,\ldots, X_{d-1}), \ldots, P_N (X_0,\ldots, X_{d-1}) \right) \end{align}
to establish that \( F(P_1(\vec \ell),\ldots, P_N(\vec \ell) ) = 0 \), i.e. that \( F \) is satisfied, at every point of \(\{0,1\}^d\).
In the implementation, the relation polynomial \( F \) is determined by Flavor::Relations which is fed to Sumcheck Round Prover.
The following constants are used:
Given \( N \) Honk Prover Polynomials \( P_1, \ldots, P_N \), i.e. multilinear polynomials in \( d \) variables.
At initialization, Prover Polynomials are submitted by reference into full_polynomials, which is a two-dimensional array with \(N\) columns and \(2^d\) rows, whose entries are defined as follows \(\texttt{full_polynomials}_{i,j} = P_j(\vec i) \). Here, \( \vec i \in
\{0,1\}^d \) is identified with the binary representation of the integer \( 0 \leq i \leq 2^d-1 \).
When the first challenge \( u_0 \) is computed, the method partially evaluate takes as input full_polynomials and populates a new book-keeping table denoted by \(\texttt{partially_evaluated_polynomials} \). Its \( n/2 = 2^{d-1} \) rows will represent the evaluations \( P_i(u_0, X_1, ..., X_{d-1}) \), which are multilinear polynomials in \( d-1 \) variables.
More precisely, it is a table with \( 2^{d-1} \) rows and \( N \) columns, such that
\begin{align} \texttt{partially_evaluated_polynomials}_{i,j} = &\ P_j(0, i_1,\ldots, i_{d-1}) + u_0 \cdot (P_j(1,i_1,\ldots, i_{d-1})) - P_j(0, i_1,\ldots, i_{d-1})) \\ = &\ \texttt{full_polynomials}_{2 i,j} + u_0 \cdot (\texttt{full_polynomials}_{2i+1,j} - \texttt{full_polynomials}_{2 i,j}) \end{align}
In Round \( i < d-1\), partially evaluate updates the first \( 2^{d-1 - i} \) rows of \(\texttt{partially_evaluated_polynomials}\) with the evaluations \( P_1(u_0,\ldots, u_i, \vec \ell),\ldots, P_N(u_0,\ldots, u_i, \vec \ell)\) for \(\vec \ell \in \{0,1\}^{d-1-i}\). The details are specified in the corresponding docs.
After computing the last challenge \( u_{d-1} \) in Round \( d-1 \) and updating \( \texttt{partially_evaluated_polynomials} \), the prover looks into the 'top' row of the table containing evaluations \(P_1(u_0,\ldots, u_{d-1}), \ldots, P_N(u_0,\ldots, u_{d-1})\) and concatenates these values with the last challenge to the transcript.
Let \( \vec \beta = (\beta_0,\ldots, \beta_{d-1}) \in \mathbb{F}\) be a vector of challenges.
In Round \(i\), a univariate polynomial \( \tilde S^{i}(X_{i}) \) for the relation defined by \( \tilde{F}(X)\) is computed as follows. First, we introduce notation
As explained in GateSeparatorPolynomial,
\begin{align} \tilde{S}^{i}(X_i) = \sum_{ \ell = 0} ^{2^{d-i-1}-1} pow^i_\beta ( X_i, \ell_{i+1}, \ldots, \ell_{d-1} ) \cdot S^i_{\ell}( X_i ) = c_i\cdot ( (1−X_i) + X_i\cdot \beta_i ) \cdot \sum_{\ell = 0}^{2^{d-i-1}-1} \beta_{i+1}^{\ell_{i+1}} \cdot \ldots \cdot \beta_{d-1}^{\ell_{d-1}} \cdot S^{i}_{\ell}( X_i ). \end{align}
The evaluations of the round univariate \( \tilde{S}^i \) over the domain \(0,\ldots, D \) are obtained by the method compute_univariate. The implementation consists of the following sub-methods:
After computing Round univariates and adding them to the transcript, the prover generates round challenge by hashing the transcript. These operations are taken care of by Transcript Class methods.
The Sumcheck output is specified by bb::SumcheckOutput< Flavor >.
Definition at line 289 of file sumcheck.hpp.
| using bb::SumcheckProver< Flavor >::ClaimedEvaluations = typename Flavor::AllValues |
Definition at line 296 of file sumcheck.hpp.
| using bb::SumcheckProver< Flavor >::CommitmentKey = typename Flavor::CommitmentKey |
Definition at line 300 of file sumcheck.hpp.
| using bb::SumcheckProver< Flavor >::FF = typename Flavor::FF |
Definition at line 291 of file sumcheck.hpp.
| using bb::SumcheckProver< Flavor >::PartiallyEvaluatedMultivariates = typename Flavor::PartiallyEvaluatedMultivariates |
Definition at line 295 of file sumcheck.hpp.
| using bb::SumcheckProver< Flavor >::ProverPolynomials = typename Flavor::ProverPolynomials |
Definition at line 294 of file sumcheck.hpp.
| using bb::SumcheckProver< Flavor >::SubrelationSeparators = std::array<FF, Flavor::NUM_SUBRELATIONS - 1> |
Definition at line 299 of file sumcheck.hpp.
| using bb::SumcheckProver< Flavor >::SumcheckRoundUnivariate = typename bb::Univariate<FF, BATCHED_RELATION_PARTIAL_LENGTH> |
Definition at line 312 of file sumcheck.hpp.
| using bb::SumcheckProver< Flavor >::Transcript = typename Flavor::Transcript |
Definition at line 298 of file sumcheck.hpp.
| using bb::SumcheckProver< Flavor >::ZKData = ZKSumcheckData<Flavor> |
Definition at line 297 of file sumcheck.hpp.
|
inline |
Definition at line 356 of file sumcheck.hpp.
|
inline |
Definition at line 376 of file sumcheck.hpp.
|
inline |
This method takes the book-keeping table containing partially evaluated prover polynomials and creates a vector containing the evaluations of all prover polynomials at the point \( (u_0, \ldots, u_{d-1} )\). For ZK Flavors: this method takes the book-keeping table containing partially evaluated prover polynomials and creates a vector containing the evaluations of all witness polynomials at the point \( (u_0, \ldots, u_{d-1} )\) masked by the terms \( \texttt{eval_masking_scalars}_j\cdot \sum u_i(1-u_i)\) and the evaluations of all non-witness polynomials that are sent in clear.
| partially_evaluated_polynomials | |
| multivariate_evaluations |
Definition at line 740 of file sumcheck.hpp.
|
inline |
Evaluate at the round challenge and prepare class for next round. Specialization for array, see generic version.
Definition at line 708 of file sumcheck.hpp.
|
inline |
Non-ZK version: Compute round univariate, place it in transcript, compute challenge, partially evaluate. Repeat until final round, then get full evaluations of prover polynomials, and place them in transcript.
See Detailed description of Sumcheck Prover <Flavor>.
Definition at line 398 of file sumcheck.hpp.
| std::vector<FF> bb::SumcheckProver< Flavor >::accumulator_challenge = {} |
Definition at line 338 of file sumcheck.hpp.
| SubrelationSeparators bb::SumcheckProver< Flavor >::alphas |
Definition at line 326 of file sumcheck.hpp.
|
staticconstexpr |
Definition at line 310 of file sumcheck.hpp.
| ProverPolynomials& bb::SumcheckProver< Flavor >::full_polynomials |
Definition at line 319 of file sumcheck.hpp.
| std::vector<FF> bb::SumcheckProver< Flavor >::gate_challenges |
Definition at line 328 of file sumcheck.hpp.
| std::vector<FF> bb::SumcheckProver< Flavor >::instance_challenge = {} |
Definition at line 339 of file sumcheck.hpp.
|
staticconstexpr |
Definition at line 302 of file sumcheck.hpp.
| FF bb::SumcheckProver< Flavor >::libra_evaluation = FF{ 0 } |
Definition at line 340 of file sumcheck.hpp.
|
staticconstexpr |
The total algebraic degree of the Sumcheck relation \( F \) as a polynomial in Prover Polynomials \(P_1,\ldots, P_N\).
Definition at line 307 of file sumcheck.hpp.
| std::vector<FF> bb::SumcheckProver< Flavor >::multivariate_challenge |
Definition at line 335 of file sumcheck.hpp.
| const size_t bb::SumcheckProver< Flavor >::multivariate_d |
Definition at line 317 of file sumcheck.hpp.
| const size_t bb::SumcheckProver< Flavor >::multivariate_n |
Definition at line 315 of file sumcheck.hpp.
|
inline |
ZK-version of prove that runs Sumcheck with disabled rows and masking of Round Univariates. The masking is ensured by adding random Libra univariates to the Sumcheck round univariates.
| zk_sumcheck_data |
Evaluate Honk polynomials at the round challenge and prepare class for next round.
At initialization, Prover Polynomials are submitted by reference into full_polynomials, which is a two-dimensional array defined as
\begin{align} \texttt{full_polynomials}_{i,j} = P_j(\vec i). \end{align}
Here, \( \vec i \in \{0,1\}^d \) is identified with the binary representation of the integer \( 0 \leq i \leq 2^d-1 \).
When the first challenge \( u_0 \) is computed, the method partially evaluate takes as input full_polynomials and populates a new book-keeping table denoted \(\texttt{partially_evaluated_polynomials}\). Its \( n/2 = 2^{d-1} \) rows represent the evaluations \(
P_i(u_0, X_1, ..., X_{d-1}) \), which are multilinear polynomials in \( d-1 \) variables. More precisely, it is a table \( 2^{d-1} \) rows and \( N \) columns, such that
\begin{align} \texttt{partially_evaluated_polynomials}_{i,j} = &\ P_j(0, i_1,\ldots, i_{d-1}) + u_0 \cdot (P_j(1, i_1,\ldots, i_{d-1})) - P_j(0, i_1,\ldots, i_{d-1})) \\ = &\ \texttt{full_polynomials}_{2 i,j} + u_0 \cdot (\texttt{full_polynomials}_{2i+1,j} - \texttt{full_polynomials}_{2 i,j}) \end{align}
We elude copying all of the polynomial-defining data by only populating partially_evaluated_polynomials after the first round.
In Round \(0<i\leq d-1\), this method takes the challenge \( u_{i} \) and rewrites the first \( 2^{d-i-1} \) rows in the \( \texttt{partially_evaluated_polynomials} \) table with the values
\begin{align} \texttt{partially_evaluated_polynomials}_{\ell,j} \gets &\ P_j\left(u_0,\ldots, u_{i}, \vec \ell \right) \\ = &\ P_j\left(u_0,\ldots, u_{i-1}, 0, \vec \ell \right) + u_{i} \cdot \left( P_j\left(u_0, \ldots, u_{i-1}, 1, \vec \ell ) - P_j(u_0,\ldots, u_{i-1}, 0, \vec \ell \right)\right) \\ = &\ \texttt{partially_evaluated_polynomials}_{2 \ell,j} + u_{i} \cdot (\texttt{partially_evaluated_polynomials}_{2 \ell+1,j} - \texttt{partially_evaluated_polynomials}_{2\ell,j}) \end{align}
where \(\vec \ell \in \{0,1\}^{d-1-i}\). After the final update, i.e. when \( i = d-1 \), the upper row of the table contains the evaluations of Honk polynomials at the challenge point \( (u_0,\ldots, u_{d-1}) \).
| polynomials | Honk polynomials at initialization; partially evaluated polynomials in subsequent rounds |
| round_size | \(2^{d-i}\) |
| round_challenge | \(u_i\) |
Definition at line 682 of file sumcheck.hpp.
| PartiallyEvaluatedMultivariates bb::SumcheckProver< Flavor >::partially_evaluated_polynomials |
Container for partially evaluated Prover Polynomials at a current challenge. Upon computing challenge \( u_i \), the first \(2^{d-1-i}\) rows are updated using partially evaluate method.
NOTE: With ~40 columns, prob only want to allocate 256 EdgeGroup's at once to keep stack under 1MB? TODO(#224)(Cody): might want to just do C-style multidimensional array? for guaranteed adjacency?
Definition at line 353 of file sumcheck.hpp.
| bb::RelationParameters<FF> bb::SumcheckProver< Flavor >::relation_parameters |
Definition at line 330 of file sumcheck.hpp.
| SumcheckProverRound<Flavor> bb::SumcheckProver< Flavor >::round |
Definition at line 323 of file sumcheck.hpp.
| RowDisablingPolynomial<FF> bb::SumcheckProver< Flavor >::row_disabling_polynomial |
Definition at line 342 of file sumcheck.hpp.
| std::shared_ptr<Transcript> bb::SumcheckProver< Flavor >::transcript |
Definition at line 321 of file sumcheck.hpp.
| size_t bb::SumcheckProver< Flavor >::virtual_log_n |
Definition at line 333 of file sumcheck.hpp.
1.9.8