Barretenberg: src/barretenberg/flavor/ultra_keccak_zk_flavor.hpp Source File

// === AUDIT STATUS ===

// internal:    { status: not started, auditors: [], date: YYYY-MM-DD }

// external_1:  { status: not started, auditors: [], date: YYYY-MM-DD }

// external_2:  { status: not started, auditors: [], date: YYYY-MM-DD }

// =====================


#pragma once


#include "barretenberg/common/assert.hpp"

#include "barretenberg/constants.hpp"

#include "barretenberg/flavor/ultra_keccak_flavor.hpp"


namespace bb {


class UltraKeccakZKFlavor : public UltraKeccakFlavor {

  public:

    // This flavor runs with ZK Sumcheck

    static constexpr bool HasZK = true;


    // The number of entities added for ZK (gemini_masking_poly)

    static constexpr size_t NUM_MASKING_POLYNOMIALS = 1;


    // Determine the number of evaluations of Prover and Libra Polynomials that the Prover sends to the Verifier in

    // the rounds of ZK Sumcheck.

    static constexpr size_t BATCHED_RELATION_PARTIAL_LENGTH = UltraKeccakFlavor::BATCHED_RELATION_PARTIAL_LENGTH + 1;

    static_assert(BATCHED_RELATION_PARTIAL_LENGTH == Curve::LIBRA_UNIVARIATES_LENGTH,

                  "LIBRA_UNIVARIATES_LENGTH must be equal to UltraKeccakZKFlavor::BATCHED_RELATION_PARTIAL_LENGTH");


    // Override AllEntities to use ZK version (this automatically updates ProverPolynomials and AllValues)

    template <typename DataType> using AllEntities = UltraFlavor::AllEntities_<DataType, HasZK>;


    // NUM_WITNESS_ENTITIES includes gemini_masking_poly

    static constexpr size_t NUM_WITNESS_ENTITIES = UltraKeccakFlavor::NUM_WITNESS_ENTITIES + NUM_MASKING_POLYNOMIALS;

    // NUM_ALL_ENTITIES includes gemini_masking_poly

    static constexpr size_t NUM_ALL_ENTITIES = UltraKeccakFlavor::NUM_ALL_ENTITIES + NUM_MASKING_POLYNOMIALS;

    // NUM_UNSHIFTED_ENTITIES includes gemini_masking_poly

    static constexpr size_t NUM_UNSHIFTED_ENTITIES =

        UltraKeccakFlavor::NUM_UNSHIFTED_ENTITIES + NUM_MASKING_POLYNOMIALS;


    // Size of the final PCS MSM for ZK = non-ZK size + NUM_LIBRA_COMMITMENTS (3)


    static constexpr size_t FINAL_PCS_MSM_SIZE(size_t log_n = VIRTUAL_LOG_N)

    {

        return NUM_UNSHIFTED_ENTITIES + log_n + 2 + NUM_LIBRA_COMMITMENTS;

    }


    // Override OINK_PROOF_LENGTH to include gemini_masking_poly commitment (sent via commit_to_masking_poly)

    static constexpr size_t OINK_PROOF_LENGTH_WITHOUT_PUB_INPUTS =

        /* 1. NUM_WITNESS_ENTITIES commitments (includes gemini_masking_poly) */ (NUM_WITNESS_ENTITIES *

                                                                                  num_elements_comm);


    using AllValues = UltraFlavor::AllValues_<HasZK>;

    using ProverPolynomials = UltraFlavor::ProverPolynomials_<HasZK>;

    using PartiallyEvaluatedMultivariates = UltraFlavor::PartiallyEvaluatedMultivariates_<HasZK>;

    using VerifierCommitments = UltraFlavor::VerifierCommitments_<Commitment, VerificationKey, HasZK>;


    // Override ProverUnivariates and ExtendedEdges to include gemini_masking_poly

    template <size_t LENGTH> using ProverUnivariates = AllEntities<bb::Univariate<FF, LENGTH>>;

    using ExtendedEdges = ProverUnivariates<MAX_PARTIAL_RELATION_LENGTH>;


    // Proof length formula method


    static constexpr size_t PROOF_LENGTH_WITHOUT_PUB_INPUTS(size_t virtual_log_n = VIRTUAL_LOG_N)

    {

        return /* 1. NUM_WITNESS_ENTITIES commitments */ (NUM_WITNESS_ENTITIES * num_elements_comm) +

               /* 2. Libra concatenation commitment*/ (num_elements_comm) +

               /* 3. Libra sum */ (num_elements_fr) +

               /* 4. virtual_log_n sumcheck univariates */

               (virtual_log_n * BATCHED_RELATION_PARTIAL_LENGTH * num_elements_fr) +

               /* 5. NUM_ALL_ENTITIES sumcheck evaluations*/ (NUM_ALL_ENTITIES * num_elements_fr) +

               /* 6. Libra claimed evaluation */ (num_elements_fr) +

               /* 7. Libra grand sum commitment */ (num_elements_comm) +

               /* 8. Libra quotient commitment */ (num_elements_comm) +

               /* 9. virtual_log_n - 1 Gemini Fold commitments */

               ((virtual_log_n - 1) * num_elements_comm) +

               /* 10. virtual_log_n Gemini a evaluations */

               (virtual_log_n * num_elements_fr) +

               /* 11. NUM_SMALL_IPA_EVALUATIONS libra evals */ (NUM_SMALL_IPA_EVALUATIONS * num_elements_fr) +

               /* 12. Shplonk Q commitment */ (num_elements_comm) +

               /* 13. KZG W commitment */ (num_elements_comm);

    }


    class Transcript : public UltraKeccakFlavor::Transcript {

      public:

        using Base = UltraKeccakFlavor::Transcript::Base;

        // Override sumcheck_evaluations to use the correct size for ZK flavor

        std::array<FF, NUM_ALL_ENTITIES> sumcheck_evaluations;

        // Note: we have a different vector of univariates because the degree for ZK flavors differs

        std::vector<bb::Univariate<FF, BATCHED_RELATION_PARTIAL_LENGTH>> zk_sumcheck_univariates;

        Commitment libra_concatenation_commitment;

        FF libra_sum;

        FF libra_claimed_evaluation;

        Commitment libra_grand_sum_commitment;

        Commitment libra_quotient_commitment;

        FF libra_concatenation_eval;

        FF libra_shifted_grand_sum_eval;

        FF libra_grand_sum_eval;

        FF libra_quotient_eval;

        Commitment hiding_polynomial_commitment;

        FF hiding_polynomial_eval;


        Transcript() = default;


        static std::shared_ptr<Transcript> prover_init_empty()

        {

            auto transcript = Base::prover_init_empty();

            return std::static_pointer_cast<Transcript>(transcript);

        };


        static std::shared_ptr<Transcript> verifier_init_empty(const std::shared_ptr<Transcript>& transcript)

        {

            auto verifier_transcript = Base::verifier_init_empty(transcript);

            return std::static_pointer_cast<Transcript>(verifier_transcript);

        };


        void deserialize_full_transcript(size_t public_input_size, size_t virtual_log_n = VIRTUAL_LOG_N)

        {

            // take current proof and put them into the struct

            size_t num_frs_read = 0;

            auto& proof_data = this->proof_data;

            for (size_t i = 0; i < public_input_size; ++i) {

                this->public_inputs.push_back(Base::template deserialize_from_buffer<FF>(proof_data, num_frs_read));

            }

            hiding_polynomial_commitment = Base::template deserialize_from_buffer<Commitment>(proof_data, num_frs_read);

            this->w_l_comm = Base::template deserialize_from_buffer<Commitment>(proof_data, num_frs_read);

            this->w_r_comm = Base::template deserialize_from_buffer<Commitment>(proof_data, num_frs_read);

            this->w_o_comm = Base::template deserialize_from_buffer<Commitment>(proof_data, num_frs_read);

            this->lookup_read_counts_comm =

                Base::template deserialize_from_buffer<Commitment>(proof_data, num_frs_read);

            this->lookup_read_tags_comm = Base::template deserialize_from_buffer<Commitment>(proof_data, num_frs_read);

            this->w_4_comm = Base::template deserialize_from_buffer<Commitment>(proof_data, num_frs_read);

            this->lookup_inverses_comm = Base::template deserialize_from_buffer<Commitment>(proof_data, num_frs_read);

            this->z_perm_comm = Base::template deserialize_from_buffer<Commitment>(proof_data, num_frs_read);

            libra_concatenation_commitment =

                Base::template deserialize_from_buffer<Commitment>(proof_data, num_frs_read);

            libra_sum = Base::template deserialize_from_buffer<FF>(proof_data, num_frs_read);


            for (size_t i = 0; i < virtual_log_n; ++i) {

                zk_sumcheck_univariates.push_back(

                    Base::template deserialize_from_buffer<bb::Univariate<FF, BATCHED_RELATION_PARTIAL_LENGTH>>(

                        proof_data, num_frs_read));

            }

            libra_claimed_evaluation = Base::template deserialize_from_buffer<FF>(proof_data, num_frs_read);

            this->sumcheck_evaluations =

                Base::template deserialize_from_buffer<std::array<FF, NUM_ALL_ENTITIES>>(proof_data, num_frs_read);

            libra_grand_sum_commitment = Base::template deserialize_from_buffer<Commitment>(proof_data, num_frs_read);

            libra_quotient_commitment = Base::template deserialize_from_buffer<Commitment>(proof_data, num_frs_read);

            for (size_t i = 0; i < virtual_log_n - 1; ++i) {

                this->gemini_fold_comms.push_back(

                    Base::template deserialize_from_buffer<Commitment>(proof_data, num_frs_read));

            }

            for (size_t i = 0; i < virtual_log_n; ++i) {

                this->gemini_fold_evals.push_back(Base::template deserialize_from_buffer<FF>(proof_data, num_frs_read));

            }

            libra_concatenation_eval = Base::template deserialize_from_buffer<FF>(proof_data, num_frs_read);

            libra_shifted_grand_sum_eval = Base::template deserialize_from_buffer<FF>(proof_data, num_frs_read);

            libra_grand_sum_eval = Base::template deserialize_from_buffer<FF>(proof_data, num_frs_read);

            libra_quotient_eval = Base::template deserialize_from_buffer<FF>(proof_data, num_frs_read);

            this->shplonk_q_comm = Base::template deserialize_from_buffer<Commitment>(proof_data, num_frs_read);


            this->kzg_w_comm = Base::template deserialize_from_buffer<Commitment>(proof_data, num_frs_read);

        }


        void serialize_full_transcript(size_t virtual_log_n = VIRTUAL_LOG_N)

        {

            auto& proof_data = this->proof_data;

            size_t old_proof_length = proof_data.size();

            proof_data.clear(); // clear proof_data so the rest of the function can replace it

            for (const auto& public_input : this->public_inputs) {

                Base::serialize_to_buffer(public_input, proof_data);

            }

            Base::serialize_to_buffer(hiding_polynomial_commitment, proof_data);

            Base::serialize_to_buffer(this->w_l_comm, proof_data);

            Base::serialize_to_buffer(this->w_r_comm, proof_data);

            Base::serialize_to_buffer(this->w_o_comm, proof_data);

            Base::serialize_to_buffer(this->lookup_read_counts_comm, proof_data);

            Base::serialize_to_buffer(this->lookup_read_tags_comm, proof_data);

            Base::serialize_to_buffer(this->w_4_comm, proof_data);

            Base::serialize_to_buffer(this->lookup_inverses_comm, proof_data);

            Base::serialize_to_buffer(this->z_perm_comm, proof_data);

            Base::serialize_to_buffer(libra_concatenation_commitment, proof_data);

            Base::serialize_to_buffer(libra_sum, proof_data);


            for (size_t i = 0; i < virtual_log_n; ++i) {

                Base::serialize_to_buffer(zk_sumcheck_univariates[i], proof_data);

            }

            Base::serialize_to_buffer(libra_claimed_evaluation, proof_data);


            Base::serialize_to_buffer(this->sumcheck_evaluations, proof_data);

            Base::serialize_to_buffer(libra_grand_sum_commitment, proof_data);

            Base::serialize_to_buffer(libra_quotient_commitment, proof_data);

            for (size_t i = 0; i < virtual_log_n - 1; ++i) {

                Base::serialize_to_buffer(this->gemini_fold_comms[i], proof_data);

            }

            for (size_t i = 0; i < virtual_log_n; ++i) {

                Base::serialize_to_buffer(this->gemini_fold_evals[i], proof_data);

            }

            Base::serialize_to_buffer(libra_concatenation_eval, proof_data);

            Base::serialize_to_buffer(libra_shifted_grand_sum_eval, proof_data);

            Base::serialize_to_buffer(libra_grand_sum_eval, proof_data);

            Base::serialize_to_buffer(libra_quotient_eval, proof_data);

            Base::serialize_to_buffer(this->shplonk_q_comm, proof_data);

            Base::serialize_to_buffer(this->kzg_w_comm, proof_data);


            BB_ASSERT_EQ(proof_data.size(), old_proof_length);

        }


    };


};


} // namespace bb

assert.hpp

BB_ASSERT_EQ
#define BB_ASSERT_EQ(actual, expected,...)
Definition assert.hpp:77

bb::BaseTranscript< Codec, HashFunction >

bb::BaseTranscript< Codec, HashFunction >::serialize_to_buffer
void serialize_to_buffer(const T &element, Proof &proof_data)
Serializes object and appends it to proof_data.
Definition transcript.hpp:158

bb::BaseTranscript< Codec, HashFunction >::prover_init_empty
static std::shared_ptr< BaseTranscript > prover_init_empty()
For testing: initializes transcript with some arbitrary data so that a challenge can be generated aft...
Definition transcript.hpp:438

bb::BaseTranscript< Codec, HashFunction >::verifier_init_empty
static std::shared_ptr< BaseTranscript > verifier_init_empty(const std::shared_ptr< BaseTranscript > &transcript)
For testing: initializes transcript based on proof data then receives junk data produced by BaseTrans...
Definition transcript.hpp:453

bb::UltraFlavor::AllEntities_
A base class labelling all entities (for instance, all of the polynomials used by the prover during s...
Definition ultra_flavor.hpp:260

bb::UltraFlavor::AllValues_
A field element for each entity of the flavor. These entities represent the prover polynomials evalua...
Definition ultra_flavor.hpp:285

bb::UltraFlavor::PartiallyEvaluatedMultivariates_
A container for storing the partially evaluated multivariates produced by sumcheck.
Definition ultra_flavor.hpp:532

bb::UltraFlavor::ProverPolynomials_
A container for polynomials handles.
Definition ultra_flavor.hpp:297

bb::UltraFlavor::Transcript_::Base
BaseTranscript< Codec, HashFunction > Base
Definition ultra_flavor.hpp:375

bb::UltraFlavor::VerifierCommitments_
A container encapsulating all the commitments that the verifier receives (to precomputed polynomials ...
Definition ultra_flavor.hpp:630

bb::UltraFlavor::BATCHED_RELATION_PARTIAL_LENGTH
static constexpr size_t BATCHED_RELATION_PARTIAL_LENGTH
Definition ultra_flavor.hpp:111

bb::UltraFlavor::Commitment
Curve::AffineElement Commitment
Definition ultra_flavor.hpp:41

bb::UltraFlavor::VIRTUAL_LOG_N
static constexpr size_t VIRTUAL_LOG_N
Definition ultra_flavor.hpp:47

bb::UltraFlavor::NUM_ALL_ENTITIES
static constexpr size_t NUM_ALL_ENTITIES
Definition ultra_flavor.hpp:60

bb::UltraFlavor::NUM_UNSHIFTED_ENTITIES
static constexpr size_t NUM_UNSHIFTED_ENTITIES
Definition ultra_flavor.hpp:69

bb::UltraFlavor::NUM_WITNESS_ENTITIES
static constexpr size_t NUM_WITNESS_ENTITIES
Definition ultra_flavor.hpp:65

bb::UltraKeccakFlavor
Definition ultra_keccak_flavor.hpp:13

bb::UltraKeccakFlavor::num_elements_comm
static constexpr size_t num_elements_comm
Definition ultra_keccak_flavor.hpp:20

bb::UltraKeccakFlavor::Transcript
UltraKeccakFlavor::Transcript_< U256Codec, bb::crypto::Keccak > Transcript
Definition ultra_keccak_flavor.hpp:15

bb::UltraKeccakFlavor::num_elements_fr
static constexpr size_t num_elements_fr
Definition ultra_keccak_flavor.hpp:21

bb::UltraKeccakZKFlavor::Transcript
Derived class that defines proof structure for Ultra zero knowledge proofs, as well as supporting fun...
Definition ultra_keccak_zk_flavor.hpp:86

bb::UltraKeccakZKFlavor::Transcript::libra_sum
FF libra_sum
Definition ultra_keccak_zk_flavor.hpp:94

bb::UltraKeccakZKFlavor::Transcript::sumcheck_evaluations
std::array< FF, NUM_ALL_ENTITIES > sumcheck_evaluations
Definition ultra_keccak_zk_flavor.hpp:90

bb::UltraKeccakZKFlavor::Transcript::libra_quotient_eval
FF libra_quotient_eval
Definition ultra_keccak_zk_flavor.hpp:101

bb::UltraKeccakZKFlavor::Transcript::deserialize_full_transcript
void deserialize_full_transcript(size_t public_input_size, size_t virtual_log_n=VIRTUAL_LOG_N)
Takes a FULL Ultra proof and deserializes it into the public member variables that compose the struct...
Definition ultra_keccak_zk_flavor.hpp:125

bb::UltraKeccakZKFlavor::Transcript::libra_shifted_grand_sum_eval
FF libra_shifted_grand_sum_eval
Definition ultra_keccak_zk_flavor.hpp:99

bb::UltraKeccakZKFlavor::Transcript::verifier_init_empty
static std::shared_ptr< Transcript > verifier_init_empty(const std::shared_ptr< Transcript > &transcript)
Definition ultra_keccak_zk_flavor.hpp:113

bb::UltraKeccakZKFlavor::Transcript::hiding_polynomial_eval
FF hiding_polynomial_eval
Definition ultra_keccak_zk_flavor.hpp:103

bb::UltraKeccakZKFlavor::Transcript::libra_concatenation_eval
FF libra_concatenation_eval
Definition ultra_keccak_zk_flavor.hpp:98

bb::UltraKeccakZKFlavor::Transcript::Transcript
Transcript()=default

bb::UltraKeccakZKFlavor::Transcript::hiding_polynomial_commitment
Commitment hiding_polynomial_commitment
Definition ultra_keccak_zk_flavor.hpp:102

bb::UltraKeccakZKFlavor::Transcript::libra_grand_sum_eval
FF libra_grand_sum_eval
Definition ultra_keccak_zk_flavor.hpp:100

bb::UltraKeccakZKFlavor::Transcript::libra_claimed_evaluation
FF libra_claimed_evaluation
Definition ultra_keccak_zk_flavor.hpp:95

bb::UltraKeccakZKFlavor::Transcript::prover_init_empty
static std::shared_ptr< Transcript > prover_init_empty()
Definition ultra_keccak_zk_flavor.hpp:107

bb::UltraKeccakZKFlavor::Transcript::zk_sumcheck_univariates
std::vector< bb::Univariate< FF, BATCHED_RELATION_PARTIAL_LENGTH > > zk_sumcheck_univariates
Definition ultra_keccak_zk_flavor.hpp:92

bb::UltraKeccakZKFlavor::Transcript::serialize_full_transcript
void serialize_full_transcript(size_t virtual_log_n=VIRTUAL_LOG_N)
Serializes the structure variables into a FULL Ultra proof. Should be called only if deserialize_full...
Definition ultra_keccak_zk_flavor.hpp:179

bb::UltraKeccakZKFlavor::Transcript::libra_concatenation_commitment
Commitment libra_concatenation_commitment
Definition ultra_keccak_zk_flavor.hpp:93

bb::UltraKeccakZKFlavor::Transcript::libra_grand_sum_commitment
Commitment libra_grand_sum_commitment
Definition ultra_keccak_zk_flavor.hpp:96

bb::UltraKeccakZKFlavor::Transcript::libra_quotient_commitment
Commitment libra_quotient_commitment
Definition ultra_keccak_zk_flavor.hpp:97

bb::UltraKeccakZKFlavor
Definition ultra_keccak_zk_flavor.hpp:15

bb::UltraKeccakZKFlavor::HasZK
static constexpr bool HasZK
Definition ultra_keccak_zk_flavor.hpp:18

bb::UltraKeccakZKFlavor::PROOF_LENGTH_WITHOUT_PUB_INPUTS
static constexpr size_t PROOF_LENGTH_WITHOUT_PUB_INPUTS(size_t virtual_log_n=VIRTUAL_LOG_N)
Definition ultra_keccak_zk_flavor.hpp:61

bb::UltraKeccakZKFlavor::FINAL_PCS_MSM_SIZE
static constexpr size_t FINAL_PCS_MSM_SIZE(size_t log_n=VIRTUAL_LOG_N)
Definition ultra_keccak_zk_flavor.hpp:41

bb::UltraKeccakZKFlavor::NUM_MASKING_POLYNOMIALS
static constexpr size_t NUM_MASKING_POLYNOMIALS
Definition ultra_keccak_zk_flavor.hpp:21

bb::UltraKeccakZKFlavor::BATCHED_RELATION_PARTIAL_LENGTH
static constexpr size_t BATCHED_RELATION_PARTIAL_LENGTH
Definition ultra_keccak_zk_flavor.hpp:25

bb::UltraKeccakZKFlavor::NUM_ALL_ENTITIES
static constexpr size_t NUM_ALL_ENTITIES
Definition ultra_keccak_zk_flavor.hpp:35

bb::UltraKeccakZKFlavor::NUM_UNSHIFTED_ENTITIES
static constexpr size_t NUM_UNSHIFTED_ENTITIES
Definition ultra_keccak_zk_flavor.hpp:37

bb::UltraKeccakZKFlavor::OINK_PROOF_LENGTH_WITHOUT_PUB_INPUTS
static constexpr size_t OINK_PROOF_LENGTH_WITHOUT_PUB_INPUTS
Definition ultra_keccak_zk_flavor.hpp:47

bb::UltraKeccakZKFlavor::NUM_WITNESS_ENTITIES
static constexpr size_t NUM_WITNESS_ENTITIES
Definition ultra_keccak_zk_flavor.hpp:33

bb::Univariate
A univariate polynomial represented by its values on {0, 1,..., domain_end - 1}.
Definition univariate.hpp:32

bb::curve::Grumpkin::LIBRA_UNIVARIATES_LENGTH
static constexpr uint32_t LIBRA_UNIVARIATES_LENGTH
Definition grumpkin.hpp:86

constants.hpp

bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

bb::field< Bn254FrParams >

ultra_keccak_flavor.hpp