Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
prover.cpp
Go to the documentation of this file.
1#include "barretenberg/vm2/constraining/prover.hpp"
2
3#include <cstdlib>
4
5#include "barretenberg/commitment_schemes/claim.hpp"
6#include "barretenberg/commitment_schemes/commitment_key.hpp"
7#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp"
8#include "barretenberg/common/constexpr_utils.hpp"
9#include "barretenberg/common/thread.hpp"
10#include "barretenberg/honk/library/grand_product_library.hpp"
11#include "barretenberg/honk/proof_system/logderivative_library.hpp"
12#include "barretenberg/relations/permutation_relation.hpp"
13#include "barretenberg/sumcheck/sumcheck.hpp"
14#include "barretenberg/vm2/common/constants.hpp"
15#include "barretenberg/vm2/constraining/polynomials.hpp"
16#include "barretenberg/vm2/tooling/stats.hpp"
17
18namespace bb::avm2 {
19
20// Maximum number of polynomials to batch commit at once.
21const size_t AVM_MAX_MSM_BATCH_SIZE =
22 getenv("AVM_MAX_MSM_BATCH_SIZE") != nullptr ? std::stoul(getenv("AVM_MAX_MSM_BATCH_SIZE")) : 32;
23
24using Flavor = AvmFlavor;
25using FF = Flavor::FF;
26
35AvmProver::AvmProver(std::shared_ptr<Flavor::ProvingKey> input_key,
36 std::shared_ptr<Flavor::VerificationKey> vk,
37 const PCSCommitmentKey& commitment_key)
38 : key(std::move(input_key))
39 , vk(std::move(vk))
40 , prover_polynomials(*key)
41 , commitment_key(commitment_key)
42{}
43
48void AvmProver::execute_preamble_round()
49{
50 // TODO(#15892): Fiat-shamir the vk hash by uncommenting the line below.
51 FF vk_hash = vk->hash();
52 // transcript->add_to_hash_buffer("avm_vk_hash", vk_hash);
53 info("AVM vk hash in prover: ", vk_hash);
54}
55
60void AvmProver::execute_public_inputs_round()
61{
62 BB_BENCH_NAME("AvmProver::execute_public_inputs_round");
63
64 using C = ColumnAndShifts;
65 // We take the starting values of the public inputs polynomials to add to the transcript
66 const auto public_inputs_cols = std::vector({ &prover_polynomials.get(C::public_inputs_cols_0_),
67 &prover_polynomials.get(C::public_inputs_cols_1_),
68 &prover_polynomials.get(C::public_inputs_cols_2_),
69 &prover_polynomials.get(C::public_inputs_cols_3_) });
70 for (size_t i = 0; i < public_inputs_cols.size(); ++i) {
71 for (size_t j = 0; j < AVM_PUBLIC_INPUTS_COLUMNS_MAX_LENGTH; ++j) {
72 // The public inputs are added to the hash buffer, but do not increase the size of the proof
73 transcript->add_to_hash_buffer("public_input_" + std::to_string(i) + "_" + std::to_string(j),
74 j < public_inputs_cols[i]->size() ? public_inputs_cols[i]->at(j) : FF(0));
75 }
76 }
77}
82void AvmProver::execute_wire_commitments_round()
83{
84 BB_BENCH_NAME("AvmProver::execute_wire_commitments_round");
85 // Commit to all polynomials (apart from logderivative inverse polynomials, which are committed to in the later
86 // logderivative phase)
87 auto wire_polys = prover_polynomials.get_wires();
88 const auto& labels = prover_polynomials.get_wires_labels();
89 auto batch = commitment_key.start_batch();
90 for (size_t idx = 0; idx < wire_polys.size(); ++idx) {
91 batch.add_to_batch(wire_polys[idx], labels[idx], /*mask for zk?*/ false);
92 }
93 batch.commit_and_send_to_verifier(transcript, AVM_MAX_MSM_BATCH_SIZE);
94}
95
96void AvmProver::execute_log_derivative_inverse_round()
97{
98 BB_BENCH_NAME("AvmProver::execute_log_derivative_inverse_round");
99
100 auto [beta, gamma] = transcript->template get_challenges<FF>(std::array<std::string, 2>{ "beta", "gamma" });
101 relation_parameters.beta = beta;
102 relation_parameters.gamma = gamma;
103 std::vector<std::function<void()>> tasks;
104
105 bb::constexpr_for<0, std::tuple_size_v<Flavor::LookupRelations>, 1>([&]<size_t relation_idx>() {
106 using Relation = std::tuple_element_t<relation_idx, Flavor::LookupRelations>;
107 tasks.push_back([&]() {
108 // We need to resize the inverse polynomials for the relation, now that the selectors have been computed.
109 constraining::resize_inverses(prover_polynomials,
110 Relation::Settings::INVERSES,
111 Relation::Settings::SRC_SELECTOR,
112 Relation::Settings::DST_SELECTOR);
113
114 AVM_TRACK_TIME(std::string("prove/log_derivative_inverse_round/") + std::string(Relation::NAME),
115 (compute_logderivative_inverse<FF, Relation>(
116 prover_polynomials, relation_parameters, key->circuit_size)));
117 });
118 });
119
120 bb::parallel_for(tasks.size(), [&](size_t i) { tasks[i](); });
121}
122
123void AvmProver::execute_log_derivative_inverse_commitments_round()
124{
125 BB_BENCH_NAME("AvmProver::execute_log_derivative_inverse_commitments_round");
126 auto batch = commitment_key.start_batch();
127 // Commit to all logderivative inverse polynomials and send to verifier
128 for (auto [derived_poly, commitment, label] : zip_view(prover_polynomials.get_derived(),
129 witness_commitments.get_derived(),
130 prover_polynomials.get_derived_labels())) {
131
132 batch.add_to_batch(derived_poly, label, /*mask for zk?*/ false);
133 }
134 batch.commit_and_send_to_verifier(transcript, AVM_MAX_MSM_BATCH_SIZE);
135}
136
141void AvmProver::execute_relation_check_rounds()
142{
143 BB_BENCH_NAME("AvmProver::execute_relation_check_rounds");
144 using Sumcheck = SumcheckProver<Flavor>;
145
146 // Multiply each linearly independent subrelation contribution by `alpha^i` for i = 0, ..., NUM_SUBRELATIONS - 1.
147 const FF alpha = transcript->template get_challenge<FF>("Sumcheck:alpha");
148
149 // Generate gate challenges
150 std::vector<FF> gate_challenges =
151 transcript->template get_dyadic_powers_of_challenge<FF>("Sumcheck:gate_challenge", key->log_circuit_size);
152
153 Sumcheck sumcheck(key->circuit_size,
154 prover_polynomials,
155 transcript,
156 alpha,
157 gate_challenges,
158 relation_parameters,
159 key->log_circuit_size);
160
161 sumcheck_output = sumcheck.prove();
162}
163
164void AvmProver::execute_pcs_rounds()
165{
166 BB_BENCH_NAME("AvmProver::execute_pcs_rounds");
167
168 using OpeningClaim = ProverOpeningClaim<Curve>;
169 using PolynomialBatcher = GeminiProver_<Curve>::PolynomialBatcher;
170
171 // Batch polynomials using short scalars to reduce ECCVM circuit size
172 auto unshifted_polys = prover_polynomials.get_unshifted();
173 auto shifted_polys = prover_polynomials.get_to_be_shifted();
174
175 // Generate the same batching challenge labels as on the verifier side
176 std::vector<std::string> unshifted_batching_challenge_labels;
177 unshifted_batching_challenge_labels.reserve(unshifted_polys.size() - 1);
178 for (size_t idx = 0; idx < unshifted_polys.size() - 1; idx++) {
179 unshifted_batching_challenge_labels.push_back("rho_" + std::to_string(idx));
180 }
181 std::vector<std::string> shifted_batching_challenge_labels;
182 shifted_batching_challenge_labels.reserve(shifted_polys.size());
183 for (size_t idx = 0; idx < shifted_polys.size(); idx++) {
184 shifted_batching_challenge_labels.push_back("rho_" + std::to_string(unshifted_polys.size() - 1 + idx));
185 }
186
187 // Get short batching challenges from transcript
188 auto unshifted_challenges = transcript->template get_challenges<FF>(unshifted_batching_challenge_labels);
189 auto shifted_challenges = transcript->template get_challenges<FF>(shifted_batching_challenge_labels);
190
191 // Batch the polynomials
192 Polynomial squashed_unshifted(key->circuit_size);
193 squashed_unshifted += unshifted_polys[0]; // First polynomial has coefficient 1
194 for (size_t i = 0; i < unshifted_challenges.size(); ++i) {
195 squashed_unshifted.add_scaled(unshifted_polys[i + 1], unshifted_challenges[i]);
196 }
197
198 Polynomial squashed_shifted(Polynomial::shiftable(key->circuit_size));
199 for (size_t i = 0; i < shifted_challenges.size(); ++i) {
200 squashed_shifted.add_scaled(shifted_polys[i], shifted_challenges[i]);
201 }
202
203 PolynomialBatcher polynomial_batcher(key->circuit_size);
204 polynomial_batcher.set_unshifted(RefVector{ squashed_unshifted });
205 polynomial_batcher.set_to_be_shifted_by_one(RefVector{ squashed_shifted });
206
207 const OpeningClaim prover_opening_claim = ShpleminiProver_<Curve>::prove(
208 key->circuit_size, polynomial_batcher, sumcheck_output.challenge, commitment_key, transcript);
209
210 PCS::compute_opening_proof(commitment_key, prover_opening_claim, transcript);
211}
212
213HonkProof AvmProver::export_proof()
214{
215 return transcript->export_proof();
216}
217
218HonkProof AvmProver::construct_proof()
219{
220 // Add circuit size public input size and public inputs to transcript.
221 execute_preamble_round();
222
223 // TODO(https://github.com/AztecProtocol/aztec-packages/pull/17045): make the protocols secure at some point
224 // // Add public inputs to transcript.
225 // AVM_TRACK_TIME("prove/public_inputs_round", execute_public_inputs_round());
226
227 // Compute wire commitments.
228 AVM_TRACK_TIME("prove/wire_commitments_round", execute_wire_commitments_round());
229
230 // Compute log derivative inverses.
231 AVM_TRACK_TIME("prove/log_derivative_inverse_round", execute_log_derivative_inverse_round());
232
233 // Compute commitments to logderivative inverse polynomials.
234 AVM_TRACK_TIME("prove/log_derivative_inverse_commitments_round",
235 execute_log_derivative_inverse_commitments_round());
236
237 // Run sumcheck subprotocol.
238 AVM_TRACK_TIME("prove/sumcheck", execute_relation_check_rounds());
239
240 // Execute PCS.
241 AVM_TRACK_TIME("prove/pcs_rounds", execute_pcs_rounds());
242
243 return export_proof();
244}
245
246} // namespace bb::avm2
AVM_PUBLIC_INPUTS_COLUMNS_MAX_LENGTH
#define AVM_PUBLIC_INPUTS_COLUMNS_MAX_LENGTH
Definition aztec_constants.hpp:175
BB_BENCH_NAME
#define BB_BENCH_NAME(name)
Definition bb_bench.hpp:219
bb::CommitmentKey
CommitmentKey object over a pairing group 𝔾₁.
Definition commitment_key.hpp:43
bb::CommitmentKey::start_batch
CommitBatch start_batch()
Definition commitment_key.hpp:182
bb::GeminiProver_::PolynomialBatcher
Class responsible for computation of the batched multilinear polynomials required by the Gemini proto...
Definition gemini.hpp:126
bb::KZG::compute_opening_proof
static void compute_opening_proof(const CK &ck, const ProverOpeningClaim< Curve > &opening_claim, const std::shared_ptr< Transcript > &prover_trancript)
Computes the KZG commitment to an opening proof polynomial at a single evaluation point.
Definition kzg.hpp:43
bb::OpeningClaim
Unverified claim (C,r,v) for some witness polynomial p(X) such that.
Definition claim.hpp:53
bb::Polynomial::add_scaled
void add_scaled(PolynomialSpan< const Fr > other, Fr scaling_factor) &
adds the polynomial q(X) 'other', multiplied by a scaling factor.
Definition polynomial.cpp:258
bb::Polynomial< FF >::shiftable
static Polynomial shiftable(size_t virtual_size)
Utility to create a shiftable polynomial of given virtual size.
Definition polynomial.hpp:107
bb::ProverOpeningClaim
Polynomial p and an opening pair (r,v) such that p(r) = v.
Definition claim.hpp:34
bb::RefVector
A template class for a reference vector. Behaves as if std::vector<T&> was possible.
Definition ref_vector.hpp:24
bb::Relation
A wrapper for Relations to expose methods used by the Sumcheck prover or verifier to add the contribu...
Definition relation_types.hpp:96
bb::ShpleminiProver_::prove
static OpeningClaim prove(const FF circuit_size, PolynomialBatcher &polynomial_batcher, std::span< FF > multilinear_challenge, const CommitmentKey< Curve > &commitment_key, const std::shared_ptr< Transcript > &transcript, const std::array< Polynomial, NUM_SMALL_IPA_EVALUATIONS > &libra_polynomials={}, const std::vector< Polynomial > &sumcheck_round_univariates={}, const std::vector< std::array< FF, 3 > > &sumcheck_round_evaluations={})
Definition shplemini.hpp:36
bb::SumcheckProver
The implementation of the sumcheck Prover for statements of the form for multilinear polynomials .
Definition sumcheck.hpp:289
bb::avm2::AvmFlavor::AllEntities::get
DataType & get(ColumnAndShifts c)
Definition flavor.hpp:148
bb::avm2::AvmFlavor::FF
AvmFlavorSettings::FF FF
Definition flavor.hpp:36
bb::avm2::AvmProver::execute_pcs_rounds
virtual void execute_pcs_rounds()
Definition prover.cpp:164
bb::avm2::AvmProver::transcript
std::shared_ptr< Transcript > transcript
Definition prover.hpp:44
bb::avm2::AvmProver::sumcheck_output
SumcheckOutput< Flavor > sumcheck_output
Definition prover.hpp:60
bb::avm2::AvmProver::commitment_key
PCSCommitmentKey commitment_key
Definition prover.hpp:62
bb::avm2::AvmProver::vk
std::shared_ptr< VerificationKey > vk
Definition prover.hpp:51
bb::avm2::AvmProver::execute_relation_check_rounds
virtual void execute_relation_check_rounds()
Run Sumcheck resulting in u = (u_1,...,u_d) challenges and all evaluations at u being calculated.
Definition prover.cpp:141
bb::avm2::AvmProver::AvmProver
AvmProver(std::shared_ptr< ProvingKey > input_key, std::shared_ptr< VerificationKey > vk, const PCSCommitmentKey &commitment_key)
Definition prover.cpp:35
bb::avm2::AvmProver::execute_preamble_round
virtual void execute_preamble_round()
Add circuit size, public input size, and public inputs to transcript.
Definition prover.cpp:48
bb::avm2::AvmProver::prover_polynomials
ProverPolynomials prover_polynomials
Definition prover.hpp:54
bb::avm2::AvmProver::execute_log_derivative_inverse_commitments_round
virtual void execute_log_derivative_inverse_commitments_round()
Definition prover.cpp:123
bb::avm2::AvmProver::witness_commitments
Flavor::WitnessCommitments witness_commitments
Definition prover.hpp:56
bb::avm2::AvmProver::execute_log_derivative_inverse_round
virtual void execute_log_derivative_inverse_round()
Definition prover.cpp:96
bb::avm2::AvmProver::relation_parameters
bb::RelationParameters< FF > relation_parameters
Definition prover.hpp:48
bb::avm2::AvmProver::FF
Flavor::FF FF
Definition prover.hpp:14
bb::avm2::AvmProver::construct_proof
virtual HonkProof construct_proof()
Definition prover.cpp:218
bb::avm2::AvmProver::key
std::shared_ptr< ProvingKey > key
Definition prover.hpp:50
bb::avm2::AvmProver::execute_public_inputs_round
virtual void execute_public_inputs_round()
Add public inputs to transcript.
Definition prover.cpp:60
bb::avm2::AvmProver::execute_wire_commitments_round
virtual void execute_wire_commitments_round()
Compute commitments to all of the witness wires (apart from the logderivative inverse wires)
Definition prover.cpp:82
bb::avm2::AvmProver::export_proof
virtual HonkProof export_proof()
Definition prover.cpp:213
zip_view
Definition zip_view.hpp:166
commitment_key.hpp
info
void info(Args... args)
Definition log.hpp:75
constexpr_utils.hpp
grand_product_library.hpp
key
FF key
Definition indexed_memory_tree.test.cpp:18
logderivative_library.hpp
bb::avm2::constraining::resize_inverses
void resize_inverses(AvmFlavor::ProverPolynomials &prover_polynomials, Column inverses_col, Column src_selector_col, Column dst_selector_col)
Definition polynomials.cpp:86
bb::avm2::AVM_MAX_MSM_BATCH_SIZE
const size_t AVM_MAX_MSM_BATCH_SIZE
Definition prover.cpp:21
bb::avm2::ColumnAndShifts
ColumnAndShifts
Definition columns.hpp:34
bb::avm2::FF
AvmFlavorSettings::FF FF
Definition field.hpp:10
bb::HonkProof
std::vector< fr > HonkProof
Definition proof.hpp:15
bb::parallel_for
void parallel_for(size_t num_iterations, const std::function< void(size_t)> &func)
Definition thread.cpp:111
bb::vk
VerifierCommitmentKey< Curve > vk
Definition ipa.fuzzer.cpp:21
std
STL namespace.
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
std::to_string
std::string to_string(bb::avm2::ValueTag tag)
Definition tagged_value.cpp:402
permutation_relation.hpp
AVM_TRACK_TIME
#define AVM_TRACK_TIME(key, body)
Definition stats.hpp:16
bb::CommitmentKey::CommitBatch::add_to_batch
void add_to_batch(Polynomial< Fr > &poly, const std::string &label, bool mask)
Definition commitment_key.hpp:172