Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
kzg.hpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: not started, auditors: [], date: YYYY-MM-DD }
3// external_1: { status: not started, auditors: [], date: YYYY-MM-DD }
4// external_2: { status: not started, auditors: [], date: YYYY-MM-DD }
5// =====================
6
7#pragma once
8
9#include "barretenberg/commitment_schemes/claim.hpp"
10#include "barretenberg/commitment_schemes/commitment_key.hpp"
11#include "barretenberg/commitment_schemes/pairing_points.hpp"
12#include "barretenberg/commitment_schemes/utils/batch_mul_native.hpp"
13#include "barretenberg/commitment_schemes/verification_key.hpp"
14#include "barretenberg/stdlib/primitives/pairing_points.hpp"
15#include "barretenberg/transcript/transcript.hpp"
16
17#include <memory>
18#include <utility>
19
20namespace bb {
21
22template <typename Curve_> class KZG {
23 public:
24 using Curve = Curve_;
25 using CK = CommitmentKey<Curve>;
26 using VK = VerifierCommitmentKey<Curve>;
27 using Fr = typename Curve::ScalarField;
28 using Commitment = typename Curve::AffineElement;
29 using GroupElement = typename Curve::Element;
30 using Polynomial = bb::Polynomial<Fr>;
31 using PairingPointsType =
32 std::conditional_t<Curve::is_stdlib_type, stdlib::recursion::PairingPoints<Curve>, bb::PairingPoints<Curve>>;
33
42 template <typename Transcript>
43 static void compute_opening_proof(const CK& ck,
44 const ProverOpeningClaim<Curve>& opening_claim,
45 const std::shared_ptr<Transcript>& prover_trancript)
46 {
47 Polynomial quotient = opening_claim.polynomial;
48 OpeningPair<Curve> pair = opening_claim.opening_pair;
49 Commitment quotient_commitment;
50
51 if (opening_claim.polynomial.is_empty()) {
52 // We treat the empty polynomial as the zero polynomial
53 quotient_commitment = Commitment::infinity();
54 } else {
55 quotient.at(0) = quotient[0] - pair.evaluation;
56 // Computes the coefficients for the quotient polynomial q(X) = (p(X) - v) / (X - r) through an FFT
57 quotient.factor_roots(pair.challenge);
58 quotient_commitment = ck.commit(quotient);
59 }
60
61 // TODO(#479): for now we compute the KZG commitment directly to unify the KZG and IPA interfaces but in the
62 // future we might need to adjust this to use the incoming alternative to work queue (i.e. variation of
63 // pthreads) or even the work queue itself
64 prover_trancript->send_to_verifier("KZG:W", quotient_commitment);
65
66 // Masking challenge is used in the recursive setting to perform batch_mul. This is not used
67 // by the prover directly, we just need it for consistent transcript state with the verifier.
68 prover_trancript->template get_challenge<Fr>("KZG:masking_challenge");
69 };
70
81 template <typename Transcript>
82 static PairingPointsType reduce_verify(const OpeningClaim<Curve>& claim,
83 const std::shared_ptr<Transcript>& verifier_transcript)
84 {
85 auto quotient_commitment = verifier_transcript->template receive_from_prover<Commitment>("KZG:W");
86
87 // Note: The pairing check can be expressed naturally as
88 // e(C - v * [1]_1, [1]_2) = e([W]_1, [X - r]_2) where C =[p(X)]_1. This can be rearranged (e.g. see the plonk
89 // paper) as e(C + r*[W]_1 - v*[1]_1, [1]_2) * e(-[W]_1, [X]_2) = 1, or e(P_0, [1]_2) * e(P_1, [X]_2) = 1
90 GroupElement P_0;
91 if constexpr (Curve::is_stdlib_type) {
92 // Express operation as a batch_mul in order to use Goblinization if available
93 auto builder = quotient_commitment.get_context();
94 auto one = Fr(builder, 1);
95 std::vector<GroupElement> commitments = { claim.commitment,
96 quotient_commitment,
97 GroupElement::one(builder) };
98 std::vector<Fr> scalars = { one, claim.opening_pair.challenge, -claim.opening_pair.evaluation };
99 P_0 = GroupElement::batch_mul(commitments, scalars);
100
101 } else {
102 P_0 = claim.commitment;
103 P_0 += quotient_commitment * claim.opening_pair.challenge;
104 P_0 -= GroupElement::one() * claim.opening_pair.evaluation;
105 }
106
107 auto P_1 = -quotient_commitment;
108 return PairingPointsType(P_0, P_1);
109 };
110
130 template <typename Transcript>
131 static PairingPointsType reduce_verify_batch_opening_claim(BatchOpeningClaim<Curve>&& batch_opening_claim,
132 const std::shared_ptr<Transcript>& transcript,
133 const size_t expected_final_msm_size = 0)
134 {
135 auto quotient_commitment = transcript->template receive_from_prover<Commitment>("KZG:W");
136
137 // This challenge is used to compute offset generators in the batch_mul call below
138 const Fr masking_challenge = transcript->template get_challenge<Fr>("KZG:masking_challenge");
139
140 // The pairing check can be expressed as
141 // e(C + [W]₁ ⋅ z, [1]₂) * e(−[W]₁, [X]₂) = 1, where C = ∑ commitmentsᵢ ⋅ scalarsᵢ.
142 GroupElement P_0;
143 // Place the commitment to W to 'commitments'
144 batch_opening_claim.commitments.emplace_back(quotient_commitment);
145 // Update the scalars by adding the Shplonk evaluation challenge z
146 batch_opening_claim.scalars.emplace_back(batch_opening_claim.evaluation_point);
147
148 // Validate the final MSM size if expected size is provided
149 if (expected_final_msm_size != 0) {
150 BB_ASSERT_EQ(batch_opening_claim.commitments.size(), expected_final_msm_size);
151 }
152
153 // Compute C + [W]₁ ⋅ z
154 if constexpr (Curve::is_stdlib_type) {
155 P_0 = GroupElement::batch_mul(batch_opening_claim.commitments,
156 batch_opening_claim.scalars,
157 /*max_num_bits=*/0,
158 /*with_edgecases=*/true,
159 /*masking_scalar=*/masking_challenge);
160 } else {
161 P_0 = batch_mul_native<Curve>(batch_opening_claim.commitments, batch_opening_claim.scalars);
162 }
163 auto P_1 = -quotient_commitment;
164
165 return PairingPointsType(P_0, P_1);
166 }
167};
168
169} // namespace bb
BB_ASSERT_EQ
#define BB_ASSERT_EQ(actual, expected,...)
Definition assert.hpp:77
batch_mul_native.hpp
bb::CommitmentKey
CommitmentKey object over a pairing group 𝔾₁.
Definition commitment_key.hpp:43
bb::KZG::Commitment
typename Curve::AffineElement Commitment
Definition kzg.hpp:28
bb::KZG::GroupElement
typename Curve::Element GroupElement
Definition kzg.hpp:29
bb::KZG::Curve
Curve_ Curve
Definition kzg.hpp:24
bb::KZG::reduce_verify
static PairingPointsType reduce_verify(const OpeningClaim< Curve > &claim, const std::shared_ptr< Transcript > &verifier_transcript)
Computes the input points for the pairing check needed to verify a KZG opening claim of a single poly...
Definition kzg.hpp:82
bb::KZG::reduce_verify_batch_opening_claim
static PairingPointsType reduce_verify_batch_opening_claim(BatchOpeningClaim< Curve > &&batch_opening_claim, const std::shared_ptr< Transcript > &transcript, const size_t expected_final_msm_size=0)
Computes the input points for the pairing check needed to verify a KZG opening claim obtained from a ...
Definition kzg.hpp:131
bb::KZG::Fr
typename Curve::ScalarField Fr
Definition kzg.hpp:27
bb::KZG::PairingPointsType
std::conditional_t< Curve::is_stdlib_type, stdlib::recursion::PairingPoints< Curve >, bb::PairingPoints< Curve > > PairingPointsType
Definition kzg.hpp:32
bb::KZG::compute_opening_proof
static void compute_opening_proof(const CK &ck, const ProverOpeningClaim< Curve > &opening_claim, const std::shared_ptr< Transcript > &prover_trancript)
Computes the KZG commitment to an opening proof polynomial at a single evaluation point.
Definition kzg.hpp:43
bb::OpeningClaim
Unverified claim (C,r,v) for some witness polynomial p(X) such that.
Definition claim.hpp:53
bb::OpeningClaim::opening_pair
OpeningPair< Curve > opening_pair
Definition claim.hpp:62
bb::OpeningClaim::commitment
Commitment commitment
Definition claim.hpp:64
bb::OpeningPair
Opening pair (r,v) for some witness polynomial p(X) such that p(r) = v.
Definition claim.hpp:19
bb::PairingPoints
An object storing two EC points that represent the inputs to a pairing check.
Definition pairing_points.hpp:24
bb::Polynomial
Structured polynomial class that represents the coefficients 'a' of a_0 + a_1 x .....
Definition polynomial.hpp:75
bb::Polynomial::is_empty
bool is_empty() const
Definition polynomial.hpp:170
bb::Polynomial::at
Fr & at(size_t index)
Our mutable accessor, unlike operator[]. We abuse precedent a bit to differentiate at() and operator[...
Definition polynomial.hpp:293
bb::Polynomial::factor_roots
void factor_roots(const Fr &root)
Divides p(X) by (X-r) in-place. Assumes that p(rⱼ)=0 for all j.
Definition polynomial.hpp:224
bb::ProverOpeningClaim
Polynomial p and an opening pair (r,v) such that p(r) = v.
Definition claim.hpp:34
bb::ProverOpeningClaim::polynomial
Polynomial polynomial
Definition claim.hpp:39
bb::ProverOpeningClaim::opening_pair
OpeningPair< Curve > opening_pair
Definition claim.hpp:40
bb::curve::Grumpkin::Element
typename Group::element Element
Definition grumpkin.hpp:62
bb::curve::Grumpkin::is_stdlib_type
static constexpr bool is_stdlib_type
Definition grumpkin.hpp:69
bb::curve::Grumpkin::AffineElement
typename Group::affine_element AffineElement
Definition grumpkin.hpp:63
commitment_key.hpp
pairing_points.hpp
builder
AluTraceBuilder builder
Definition alu.test.cpp:124
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
bb::ck
CommitmentKey< Curve > ck
Definition ipa.fuzzer.cpp:20
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
pairing_points.hpp
bb::BatchOpeningClaim
An accumulator consisting of the Shplonk evaluation challenge and vectors of commitments and scalars.
Definition claim.hpp:169
verification_key.hpp