Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
commitment_key.hpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: not started, auditors: [], date: YYYY-MM-DD }
3// external_1: { status: not started, auditors: [], date: YYYY-MM-DD }
4// external_2: { status: not started, auditors: [], date: YYYY-MM-DD }
5// =====================
6
7#pragma once
8
16#include "barretenberg/common/bb_bench.hpp"
17#include "barretenberg/common/ref_span.hpp"
18#include "barretenberg/constants.hpp"
19#include "barretenberg/ecc/batched_affine_addition/batched_affine_addition.hpp"
20#include "barretenberg/ecc/scalar_multiplication/scalar_multiplication.hpp"
21#include "barretenberg/numeric/bitop/get_msb.hpp"
22#include "barretenberg/numeric/bitop/pow.hpp"
23#include "barretenberg/polynomials/polynomial.hpp"
24#include "barretenberg/polynomials/polynomial_arithmetic.hpp"
25#include "barretenberg/srs/factories/crs_factory.hpp"
26#include "barretenberg/srs/global_crs.hpp"
27
28#include <cstddef>
29#include <cstdlib>
30#include <limits>
31#include <memory>
32#include <string_view>
33
34namespace bb {
43template <class Curve> class CommitmentKey {
44
45 using Fr = typename Curve::ScalarField;
46 using Commitment = typename Curve::AffineElement;
47 using G1 = typename Curve::AffineElement;
48
49 static size_t get_num_needed_srs_points(size_t num_points)
50 {
51 // NOTE: Currently we must round up internal space for points as our pippenger algorithm (specifically,
52 // pippenger_unsafe_optimized_for_non_dyadic_polys) will use next power of 2. This is used to simplify the
53 // recursive halving scheme. We do, however allow the polynomial to not be fully formed. Pippenger internally
54 // will pad 0s into the runtime state.
55 return numeric::round_up_power_2(num_points);
56 }
57
58 public:
59 std::shared_ptr<srs::factories::Crs<Curve>> srs;
60 size_t dyadic_size;
61
62 CommitmentKey() = default;
63
71 CommitmentKey(const size_t num_points)
72 : srs(srs::get_crs_factory<Curve>()->get_crs(get_num_needed_srs_points(num_points)))
73 , dyadic_size(get_num_needed_srs_points(num_points))
74 {}
80 bool initialized() const { return srs != nullptr; }
81
88 Commitment commit(PolynomialSpan<const Fr> polynomial) const
89 {
90 // Note: this fn used to expand polynomials to the dyadic size,
91 // due to a quirk in how our pippenger algo used to function.
92 // The pippenger algo has been refactored and this is no longer an issue
93 BB_BENCH_NAME("CommitmentKey::commit");
94 std::span<const G1> point_table = srs->get_monomial_points();
95 size_t consumed_srs = polynomial.start_index + polynomial.size();
96 if (consumed_srs > srs->get_monomial_size()) {
97 throw_or_abort(format("Attempting to commit to a polynomial that needs ",
98 consumed_srs,
99 " points with an SRS of size ",
100 srs->get_monomial_size()));
101 }
102
103 G1 r = scalar_multiplication::pippenger_unsafe<Curve>(polynomial, point_table);
104 Commitment point(r);
105 return point;
106 };
114 std::vector<Commitment> batch_commit(RefSpan<Polynomial<Fr>> polynomials,
115 size_t max_batch_size = std::numeric_limits<size_t>::max()) const
116 {
117 BB_BENCH_NAME("CommitmentKey::batch_commit");
118
119 // We can only commit max_batch_size at a time
120 // This is to prevent excessive memory usage in the pippenger algorithm
121 // First batch, create the commitments vector
122 std::vector<Commitment> commitments;
123
124 for (size_t i = 0; i < polynomials.size();) {
125 // Note: have to be careful how we compute this to not overlow e.g. max_batch_size + 1 would
126 size_t batch_size = std::min(max_batch_size, polynomials.size() - i);
127 size_t batch_end = i + batch_size;
128
129 // Prepare spans for batch MSM
130 std::vector<std::span<const G1>> points_spans;
131 std::vector<std::span<Fr>> scalar_spans;
132
133 for (auto& polynomial : polynomials.subspan(i, batch_end - i)) {
134 std::span<const G1> point_table = srs->get_monomial_points().subspan(polynomial.start_index());
135 size_t consumed_srs = polynomial.start_index() + polynomial.size();
136 if (consumed_srs > srs->get_monomial_size()) {
137 throw_or_abort(format("Attempting to commit to a polynomial that needs ",
138 consumed_srs,
139 " points with an SRS of size ",
140 srs->get_monomial_size()));
141 }
142 scalar_spans.emplace_back(polynomial.coeffs());
143 points_spans.emplace_back(point_table);
144 }
145
146 // Perform batch MSM
147 auto results = scalar_multiplication::MSM<Curve>::batch_multi_scalar_mul(points_spans, scalar_spans, false);
148 for (const auto& result : results) {
149 commitments.emplace_back(result);
150 }
151 i += batch_size;
152 }
153 return commitments;
154 };
155
156 // helper builder struct for constructing a batch to commit at once
157 struct CommitBatch {
158 CommitmentKey* key;
159 RefVector<Polynomial<Fr>> wires;
160 std::vector<std::string> labels;
161 std::vector<Commitment> commit_and_send_to_verifier(auto transcript,
162 size_t max_batch_size = std::numeric_limits<size_t>::max())
163 {
164 std::vector<Commitment> commitments = key->batch_commit(wires, max_batch_size);
165 for (size_t i = 0; i < commitments.size(); ++i) {
166 transcript->send_to_verifier(labels[i], commitments[i]);
167 }
168
169 return commitments;
170 }
171
172 void add_to_batch(Polynomial<Fr>& poly, const std::string& label, bool mask)
173 {
174 if (mask) {
175 poly.mask();
176 }
177 wires.push_back(poly);
178 labels.push_back(label);
179 }
180 };
181
182 CommitBatch start_batch() { return CommitBatch{ this, {}, {} }; }
183};
184
185} // namespace bb
batched_affine_addition.hpp
bb_bench.hpp
BB_BENCH_NAME
#define BB_BENCH_NAME(name)
Definition bb_bench.hpp:219
bb::CommitmentKey
CommitmentKey object over a pairing group 𝔾₁.
Definition commitment_key.hpp:43
bb::CommitmentKey::CommitmentKey
CommitmentKey()=default
bb::CommitmentKey::batch_commit
std::vector< Commitment > batch_commit(RefSpan< Polynomial< Fr > > polynomials, size_t max_batch_size=std::numeric_limits< size_t >::max()) const
Batch commitment to multiple polynomials.
Definition commitment_key.hpp:114
bb::CommitmentKey::G1
typename Curve::AffineElement G1
Definition commitment_key.hpp:47
bb::CommitmentKey::Fr
typename Curve::ScalarField Fr
Definition commitment_key.hpp:45
bb::CommitmentKey::Commitment
typename Curve::AffineElement Commitment
Definition commitment_key.hpp:46
bb::CommitmentKey::CommitmentKey
CommitmentKey(const size_t num_points)
Construct a new Kate Commitment Key object from existing SRS.
Definition commitment_key.hpp:71
bb::CommitmentKey::commit
Commitment commit(PolynomialSpan< const Fr > polynomial) const
Uses the ProverSRS to create a commitment to p(X)
Definition commitment_key.hpp:88
bb::CommitmentKey::initialized
bool initialized() const
Checks the commitment key is properly initialized.
Definition commitment_key.hpp:80
bb::CommitmentKey::srs
std::shared_ptr< srs::factories::Crs< Curve > > srs
Definition commitment_key.hpp:59
bb::CommitmentKey::start_batch
CommitBatch start_batch()
Definition commitment_key.hpp:182
bb::CommitmentKey::get_num_needed_srs_points
static size_t get_num_needed_srs_points(size_t num_points)
Definition commitment_key.hpp:49
bb::Polynomial
Structured polynomial class that represents the coefficients 'a' of a_0 + a_1 x .....
Definition polynomial.hpp:75
bb::Polynomial::mask
void mask()
Add random values to the coefficients of a polynomial. In practice, this is used for ensuring the com...
Definition polynomial.hpp:267
bb::RefVector
A template class for a reference vector. Behaves as if std::vector<T&> was possible.
Definition ref_vector.hpp:24
bb::curve::Grumpkin::AffineElement
typename Group::affine_element AffineElement
Definition grumpkin.hpp:63
bb::scalar_multiplication::MSM::batch_multi_scalar_mul
static std::vector< AffineElement > batch_multi_scalar_mul(std::span< std::span< const AffineElement > > points, std::span< std::span< ScalarField > > scalars, bool handle_edge_cases=true) noexcept
Compute multiple multi-scalar multiplications.
Definition scalar_multiplication.cpp:760
format
std::string format(Args... args)
Definition log.hpp:22
crs_factory.hpp
get_msb.hpp
global_crs.hpp
bb::numeric::round_up_power_2
constexpr T round_up_power_2(const T in)
Definition get_msb.hpp:52
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
polynomial_arithmetic.hpp
ref_span.hpp
scalar_multiplication.hpp
bb::CommitmentKey::CommitBatch::labels
std::vector< std::string > labels
Definition commitment_key.hpp:160
bb::CommitmentKey::CommitBatch::commit_and_send_to_verifier
std::vector< Commitment > commit_and_send_to_verifier(auto transcript, size_t max_batch_size=std::numeric_limits< size_t >::max())
Definition commitment_key.hpp:161
bb::CommitmentKey::CommitBatch::add_to_batch
void add_to_batch(Polynomial< Fr > &poly, const std::string &label, bool mask)
Definition commitment_key.hpp:172
bb::CommitmentKey::CommitBatch::wires
RefVector< Polynomial< Fr > > wires
Definition commitment_key.hpp:159
bb::PolynomialSpan::size
size_t size() const
Definition polynomial.hpp:36
throw_or_abort
void throw_or_abort(std::string const &err)
Definition throw_or_abort.hpp:6