Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
eccvm_prover.cpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: not started, auditors: [], date: YYYY-MM-DD }
3// external_1: { status: not started, auditors: [], date: YYYY-MM-DD }
4// external_2: { status: not started, auditors: [], date: YYYY-MM-DD }
5// =====================
6
7#include "eccvm_prover.hpp"
8#include "barretenberg/commitment_schemes/claim.hpp"
9#include "barretenberg/commitment_schemes/commitment_key.hpp"
10#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp"
11#include "barretenberg/commitment_schemes/shplonk/shplonk.hpp"
12#include "barretenberg/commitment_schemes/small_subgroup_ipa/small_subgroup_ipa.hpp"
13#include "barretenberg/common/bb_bench.hpp"
14#include "barretenberg/common/ref_array.hpp"
15#include "barretenberg/honk/library/grand_product_library.hpp"
16#include "barretenberg/honk/proof_system/logderivative_library.hpp"
17#include "barretenberg/relations/permutation_relation.hpp"
18#include "barretenberg/sumcheck/sumcheck.hpp"
19
20namespace bb {
21
22ECCVMProver::ECCVMProver(CircuitBuilder& builder, const std::shared_ptr<Transcript>& transcript)
23 : transcript(transcript)
24{
25 BB_BENCH_NAME("ECCVMProver(CircuitBuilder&)");
26
27 // TODO(https://github.com/AztecProtocol/barretenberg/issues/939): Remove redundancy between
28 // ProvingKey/ProverPolynomials and update the model to reflect what's done in all other proving systems.
29
30 // Construct the proving key; populates all polynomials except for witness polys
31 key = std::make_shared<ProvingKey>(builder);
32
33 key->commitment_key = CommitmentKey(key->circuit_size);
34}
35
40void ECCVMProver::execute_preamble_round()
41{
42 using VerificationKey = Flavor::VerificationKey;
43
44 // Fiat-Shamir the vk hash
45 VerificationKey vk;
46 typename Flavor::BF vk_hash = vk.hash();
47 transcript->add_to_hash_buffer("vk_hash", vk_hash);
48 vinfo("ECCVM vk hash in prover: ", vk_hash);
49}
50
55void ECCVMProver::execute_wire_commitments_round()
56{
57 BB_BENCH_NAME("ECCVMProver::execute_wire_commitments_round");
58
59 const size_t circuit_size = key->circuit_size;
60 unmasked_witness_size = circuit_size - NUM_DISABLED_ROWS_IN_SUMCHECK;
61
62 // Create and commit to Gemini masking polynomial (for ZK-PCS)
63 key->polynomials.gemini_masking_poly = Polynomial::random(circuit_size);
64 auto masking_commitment = key->commitment_key.commit(key->polynomials.gemini_masking_poly);
65 transcript->send_to_verifier("Gemini:masking_poly_comm", masking_commitment);
66
67 auto batch = key->commitment_key.start_batch();
68 for (const auto& [wire, label] : zip_view(key->polynomials.get_wires(), commitment_labels.get_wires())) {
69 batch.add_to_batch(wire, label, /* mask for zk? */ true);
70 }
71 batch.commit_and_send_to_verifier(transcript);
72}
73
78void ECCVMProver::execute_log_derivative_commitments_round()
79{
80 BB_BENCH_NAME("ECCVMProver::execute_log_derivative_commitments_round");
81
82 // Compute and add beta to relation parameters
83 auto [beta, gamma] = transcript->template get_challenges<FF>(std::array<std::string, 2>{ "beta", "gamma" });
84
85 // TODO(#583)(@zac-williamson): fix Transcript to be able to generate more than 2 challenges per round! oof.
86 auto beta_sqr = beta * beta;
87 relation_parameters.gamma = gamma;
88 relation_parameters.beta = beta;
89 relation_parameters.beta_sqr = beta_sqr;
90 relation_parameters.beta_cube = beta_sqr * beta;
91 relation_parameters.eccvm_set_permutation_delta =
92 gamma * (gamma + beta_sqr) * (gamma + beta_sqr + beta_sqr) * (gamma + beta_sqr + beta_sqr + beta_sqr);
93 relation_parameters.eccvm_set_permutation_delta = relation_parameters.eccvm_set_permutation_delta.invert();
94 // Compute inverse polynomial for our logarithmic-derivative lookup method
95 compute_logderivative_inverse<typename Flavor::FF,
96 typename Flavor::LookupRelation,
97 typename Flavor::ProverPolynomials,
98 true>(key->polynomials, relation_parameters, unmasked_witness_size);
99 commit_to_witness_polynomial(key->polynomials.lookup_inverses, commitment_labels.lookup_inverses);
100}
101
106void ECCVMProver::execute_grand_product_computation_round()
107{
108 BB_BENCH_NAME("ECCVMProver::execute_grand_product_computation_round");
109 // Compute permutation grand product and their commitments
110 compute_grand_products<Flavor>(key->polynomials, relation_parameters, unmasked_witness_size);
111 commit_to_witness_polynomial(key->polynomials.z_perm, commitment_labels.z_perm);
112}
113
118void ECCVMProver::execute_relation_check_rounds()
119{
120 BB_BENCH_NAME("ECCVMProver::execute_relation_check_rounds");
121 using Sumcheck = SumcheckProver<Flavor>;
122
123 // Each linearly independent subrelation contribution is multiplied by `alpha^i`, where
124 // i = 0, ..., NUM_SUBRELATIONS- 1.
125 FF alpha = transcript->template get_challenge<FF>("Sumcheck:alpha");
126
127 std::vector<FF> gate_challenges(CONST_ECCVM_LOG_N);
128 for (size_t idx = 0; idx < gate_challenges.size(); idx++) {
129 gate_challenges[idx] = transcript->template get_challenge<FF>("Sumcheck:gate_challenge_" + std::to_string(idx));
130 }
131
132 Sumcheck sumcheck(key->circuit_size,
133 key->polynomials,
134 transcript,
135 alpha,
136 gate_challenges,
137 relation_parameters,
138 CONST_ECCVM_LOG_N);
139
140 zk_sumcheck_data = ZKData(key->log_circuit_size, transcript, key->commitment_key);
141
142 sumcheck_output = sumcheck.prove(zk_sumcheck_data);
143}
144
151void ECCVMProver::execute_pcs_rounds()
152{
153 BB_BENCH_NAME("ECCVMProver::execute_pcs_rounds");
154 using Curve = typename Flavor::Curve;
155 using Shplemini = ShpleminiProver_<Curve>;
156 using Shplonk = ShplonkProver_<Curve>;
157 using OpeningClaim = ProverOpeningClaim<Curve>;
158 using PolynomialBatcher = GeminiProver_<Curve>::PolynomialBatcher;
159
160 SmallSubgroupIPA small_subgroup_ipa_prover(zk_sumcheck_data,
161 sumcheck_output.challenge,
162 sumcheck_output.claimed_libra_evaluation,
163 transcript,
164 key->commitment_key);
165 small_subgroup_ipa_prover.prove();
166
167 // Execute the Shplemini (Gemini + Shplonk) protocol to produce a univariate opening claim for the multilinear
168 // evaluations produced by Sumcheck
169 PolynomialBatcher polynomial_batcher(key->circuit_size);
170 polynomial_batcher.set_unshifted(key->polynomials.get_unshifted());
171 polynomial_batcher.set_to_be_shifted_by_one(key->polynomials.get_to_be_shifted());
172
173 OpeningClaim multivariate_to_univariate_opening_claim =
174 Shplemini::prove(key->circuit_size,
175 polynomial_batcher,
176 sumcheck_output.challenge,
177 key->commitment_key,
178 transcript,
179 small_subgroup_ipa_prover.get_witness_polynomials(),
180 sumcheck_output.round_univariates,
181 sumcheck_output.round_univariate_evaluations);
182
183 ECCVMProver::compute_translation_opening_claims();
184
185 opening_claims.back() = std::move(multivariate_to_univariate_opening_claim);
186
187 // Reduce the opening claims to a single opening claim via Shplonk
188 // IPA proving is performed externally
189 batch_opening_claim = Shplonk::prove(key->commitment_key, opening_claims, transcript);
190}
191
192ECCVMProver::Proof ECCVMProver::export_proof()
193{
194 return { transcript->export_proof() };
195}
196
210
255void ECCVMProver::compute_translation_opening_claims()
256{
257 // Used to capture the batched evaluation of unmasked `translation_polynomials` while preserving ZK
258 using SmallIPA = SmallSubgroupIPAProver<ECCVMFlavor>;
259
260 // Initialize SmallSubgroupIPA structures
261 std::array<std::string, NUM_SMALL_IPA_EVALUATIONS> evaluation_labels;
262 std::array<FF, NUM_SMALL_IPA_EVALUATIONS> evaluation_points;
263
264 // Collect the polynomials to be batched
265 RefArray translation_polynomials{ key->polynomials.transcript_op,
266 key->polynomials.transcript_Px,
267 key->polynomials.transcript_Py,
268 key->polynomials.transcript_z1,
269 key->polynomials.transcript_z2 };
270
271 // Extract the masking terms of `translation_polynomials`, concatenate them in the Lagrange basis over SmallSubgroup
272 // H, mask the resulting polynomial, and commit to it
273 TranslationData<Transcript> translation_data(translation_polynomials, transcript, key->commitment_key);
274
275 // Get a challenge to evaluate the `translation_polynomials` as univariates
276 evaluation_challenge_x = transcript->template get_challenge<FF>("Translation:evaluation_challenge_x");
277
278 // Evaluate `translation_polynomial` as univariates and add their evaluations at x to the transcript
279 for (auto [eval, poly, label] :
280 zip_view(translation_evaluations.get_all(), translation_polynomials, translation_evaluations.labels)) {
281 eval = poly.evaluate(evaluation_challenge_x);
282 transcript->send_to_verifier(label, eval);
283 }
284
285 // Get another challenge to batch the evaluations of the transcript polynomials
286 batching_challenge_v = transcript->template get_challenge<FF>("Translation:batching_challenge_v");
287
288 SmallIPA translation_masking_term_prover(
289 translation_data, evaluation_challenge_x, batching_challenge_v, transcript, key->commitment_key);
290 translation_masking_term_prover.prove();
291
292 // Get the challenge to check evaluations of the SmallSubgroupIPA witness polynomials
293 FF small_ipa_evaluation_challenge =
294 transcript->template get_challenge<FF>("Translation:small_ipa_evaluation_challenge");
295
296 // Populate SmallSubgroupIPA opening claims:
297 // 1. Get the evaluation points and labels
298 evaluation_points = translation_masking_term_prover.evaluation_points(small_ipa_evaluation_challenge);
299 evaluation_labels = translation_masking_term_prover.evaluation_labels();
300 // 2. Compute the evaluations of witness polynomials at corresponding points, send them to the verifier, and create
301 // the opening claims
302 for (size_t idx = 0; idx < NUM_SMALL_IPA_EVALUATIONS; idx++) {
303 auto witness_poly = translation_masking_term_prover.get_witness_polynomials()[idx];
304 const FF evaluation = witness_poly.evaluate(evaluation_points[idx]);
305 transcript->send_to_verifier(evaluation_labels[idx], evaluation);
306 opening_claims[idx] = { .polynomial = witness_poly, .opening_pair = { evaluation_points[idx], evaluation } };
307 }
308
309 // Compute the opening claim for the masked evaluations of `op`, `Px`, `Py`, `z1`, and `z2` at
310 // `evaluation_challenge_x` batched by the powers of `batching_challenge_v`.
311 Polynomial batched_translation_univariate{ key->circuit_size };
312 FF batched_translation_evaluation{ 0 };
313 FF batching_scalar = FF(1);
314 for (auto [polynomial, eval] : zip_view(translation_polynomials, translation_evaluations.get_all())) {
315 batched_translation_univariate.add_scaled(polynomial, batching_scalar);
316 batched_translation_evaluation += eval * batching_scalar;
317 batching_scalar *= batching_challenge_v;
318 }
319
320 // Add the batched claim to the array of SmallSubgroupIPA opening claims.
321 opening_claims[NUM_SMALL_IPA_EVALUATIONS] = { batched_translation_univariate,
322 { evaluation_challenge_x, batched_translation_evaluation } };
323}
324
331void ECCVMProver::commit_to_witness_polynomial(Polynomial& polynomial, const std::string& label)
332{
333 // We add NUM_DISABLED_ROWS_IN_SUMCHECK-1 random values to the coefficients of each wire polynomial to not leak
334 // information via the commitment and evaluations. -1 is caused by shifts.
335 polynomial.mask();
336 transcript->send_to_verifier(label, key->commitment_key.commit(polynomial));
337}
338} // namespace bb
bb_bench.hpp
BB_BENCH_NAME
#define BB_BENCH_NAME(name)
Definition bb_bench.hpp:219
bb::ECCVMFlavor::ProverPolynomials
A container for the prover polynomials.
Definition eccvm_flavor.hpp:457
bb::ECCVMFlavor::VerificationKey
The verification key is responsible for storing the commitments to the precomputed (non-witnessk) pol...
Definition eccvm_flavor.hpp:818
bb::ECCVMFlavor::FF
typename Curve::ScalarField FF
Definition eccvm_flavor.hpp:42
bb::ECCVMFlavor::BF
typename Curve::BaseField BF
Definition eccvm_flavor.hpp:43
bb::ECCVMFlavor::Curve
curve::Grumpkin Curve
Definition eccvm_flavor.hpp:39
bb::ECCVMFlavor::LookupRelation
ECCVMLookupRelation< FF > LookupRelation
Definition eccvm_flavor.hpp:104
bb::ECCVMProver::batch_opening_claim
OpeningClaim batch_opening_claim
Definition eccvm_prover.hpp:61
bb::ECCVMProver::commit_to_witness_polynomial
void commit_to_witness_polynomial(Polynomial &polynomial, const std::string &label)
Utility to mask and commit to a witness polynomial and send the commitment to verifier.
Definition eccvm_prover.cpp:331
bb::ECCVMProver::sumcheck_output
SumcheckOutput< Flavor > sumcheck_output
Definition eccvm_prover.hpp:82
bb::ECCVMProver::execute_log_derivative_commitments_round
BB_PROFILE void execute_log_derivative_commitments_round()
Compute sorted witness-table accumulator.
Definition eccvm_prover.cpp:78
bb::ECCVMProver::unmasked_witness_size
size_t unmasked_witness_size
Definition eccvm_prover.hpp:58
bb::ECCVMProver::ECCVMProver
ECCVMProver(CircuitBuilder &builder, const std::shared_ptr< Transcript > &transcript)
Definition eccvm_prover.cpp:22
bb::ECCVMProver::ZKData
ZKSumcheckData< Flavor > ZKData
Definition eccvm_prover.hpp:36
bb::ECCVMProver::transcript
std::shared_ptr< Transcript > transcript
Definition eccvm_prover.hpp:56
bb::ECCVMProver::construct_proof
std::pair< Proof, OpeningClaim > construct_proof()
Definition eccvm_prover.cpp:197
bb::ECCVMProver::commitment_labels
CommitmentLabels commitment_labels
Definition eccvm_prover.hpp:76
bb::ECCVMProver::translation_evaluations
TranslationEvaluations translation_evaluations
Definition eccvm_prover.hpp:68
bb::ECCVMProver::key
std::shared_ptr< ProvingKey > key
Definition eccvm_prover.hpp:74
bb::ECCVMProver::execute_preamble_round
BB_PROFILE void execute_preamble_round()
Fiat-Shamir the VK.
Definition eccvm_prover.cpp:40
bb::ECCVMProver::execute_wire_commitments_round
BB_PROFILE void execute_wire_commitments_round()
Compute commitments to the first three wires.
Definition eccvm_prover.cpp:55
bb::ECCVMProver::CommitmentKey
Flavor::CommitmentKey CommitmentKey
Definition eccvm_prover.hpp:29
bb::ECCVMProver::opening_claims
std::array< OpeningClaim, NUM_OPENING_CLAIMS > opening_claims
Definition eccvm_prover.hpp:66
bb::ECCVMProver::execute_grand_product_computation_round
BB_PROFILE void execute_grand_product_computation_round()
Compute permutation and lookup grand product polynomials and commitments.
Definition eccvm_prover.cpp:106
bb::ECCVMProver::execute_relation_check_rounds
BB_PROFILE void execute_relation_check_rounds()
Run Sumcheck resulting in u = (u_1,...,u_d) challenges and all evaluations at u being calculated.
Definition eccvm_prover.cpp:118
bb::ECCVMProver::execute_pcs_rounds
BB_PROFILE void execute_pcs_rounds()
Produce a univariate opening claim for the sumcheck multivariate evalutions and a batched univariate ...
Definition eccvm_prover.cpp:151
bb::ECCVMProver::compute_translation_opening_claims
void compute_translation_opening_claims()
To link the ECCVM Transcript wires op, Px, Py, z1, and z2 to the accumulator computed by the translat...
Definition eccvm_prover.cpp:255
bb::ECCVMProver::relation_parameters
bb::RelationParameters< FF > relation_parameters
Definition eccvm_prover.hpp:72
bb::GeminiProver_::PolynomialBatcher
Class responsible for computation of the batched multilinear polynomials required by the Gemini proto...
Definition gemini.hpp:126
bb::Polynomial< FF >::random
static Polynomial random(size_t size, size_t start_index=0)
Definition polynomial.hpp:299
bb::Polynomial::mask
void mask()
Add random values to the coefficients of a polynomial. In practice, this is used for ensuring the com...
Definition polynomial.hpp:267
bb::RefArray
A template class for a reference array. Behaves as if std::array<T&, N> was possible.
Definition ref_array.hpp:22
bb::ShpleminiProver_
Definition shplemini.hpp:22
bb::ShplonkProver_
Shplonk Prover.
Definition shplonk.hpp:36
bb::SmallSubgroupIPAProver
A Curve-agnostic ZK protocol to prove inner products of small vectors.
Definition small_subgroup_ipa.hpp:69
bb::SmallSubgroupIPAProver::get_witness_polynomials
std::array< bb::Polynomial< FF >, NUM_SMALL_IPA_EVALUATIONS > get_witness_polynomials() const
Definition small_subgroup_ipa.hpp:178
bb::SmallSubgroupIPAProver::prove
void prove()
Compute the derived witnesses and and commit to them.
Definition small_subgroup_ipa.cpp:150
bb::SumcheckProver
The implementation of the sumcheck Prover for statements of the form for multilinear polynomials .
Definition sumcheck.hpp:289
bb::TranslationData
A class designed to accept the ECCVM Transcript Polynomials, concatenate their masking terms in Lagra...
Definition eccvm_translation_data.hpp:20
zip_view
Definition zip_view.hpp:166
commitment_key.hpp
vinfo
#define vinfo(...)
Definition log.hpp:80
builder
AluTraceBuilder builder
Definition alu.test.cpp:124
eccvm_prover.hpp
grand_product_library.hpp
VerificationKey
UltraKeccakFlavor::VerificationKey VerificationKey
Definition honk_key_gen.cpp:20
logderivative_library.hpp
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
bb::compute_logderivative_inverse
void compute_logderivative_inverse(Polynomials &polynomials, auto &relation_parameters, const size_t circuit_size)
Compute the inverse polynomial I(X) required for logderivative lookupsdetails Inverse may be defined ...
Definition logderivative_library.hpp:40
bb::vk
VerifierCommitmentKey< Curve > vk
Definition ipa.fuzzer.cpp:21
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
std::to_string
std::string to_string(bb::avm2::ValueTag tag)
Definition tagged_value.cpp:402
permutation_relation.hpp
ref_array.hpp
small_subgroup_ipa.hpp
bb::TranslationEvaluations_::get_all
RefArray< BF, NUM_TRANSLATION_EVALUATIONS > get_all()
Definition translation_evaluations.hpp:24
bb::TranslationEvaluations_::labels
std::array< std::string, NUM_TRANSLATION_EVALUATIONS > labels
Definition translation_evaluations.hpp:26
bb::field::invert
constexpr field invert() const noexcept
Definition field_impl.hpp:377