Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
multilinear_batching_prover.cpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: not started, auditors: [], date: YYYY-MM-DD }
3// external_1: { status: not started, auditors: [], date: YYYY-MM-DD }
4// external_2: { status: not started, auditors: [], date: YYYY-MM-DD }
5// =====================
6
7#include "multilinear_batching_prover.hpp"
8#include "barretenberg/commitment_schemes/claim.hpp"
9#include "barretenberg/commitment_schemes/commitment_key.hpp"
10#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp"
11#include "barretenberg/commitment_schemes/small_subgroup_ipa/small_subgroup_ipa.hpp"
12#include "barretenberg/honk/library/grand_product_library.hpp"
13#include "barretenberg/sumcheck/sumcheck.hpp"
14
15namespace bb {
16
17MultilinearBatchingProver::MultilinearBatchingProver(
18 const std::shared_ptr<MultilinearBatchingProverClaim>& accumulator_claim,
19 const std::shared_ptr<MultilinearBatchingProverClaim>& instance_claim,
20 const std::shared_ptr<Transcript>& transcript)
21 : transcript(transcript)
22{
23 BB_BENCH();
24 ProverPolynomials polynomials;
25 size_t virtual_circuit_size = 1 << Flavor::VIRTUAL_LOG_N;
26 size_t max_dyadic_size = std::max(accumulator_claim->dyadic_size, instance_claim->dyadic_size);
27 polynomials.w_non_shifted_accumulator = accumulator_claim->non_shifted_polynomial;
28 polynomials.w_shifted_accumulator = accumulator_claim->shifted_polynomial.shifted();
29 polynomials.w_non_shifted_instance = instance_claim->non_shifted_polynomial;
30 polynomials.w_shifted_instance = instance_claim->shifted_polynomial.shifted();
31 polynomials.w_evaluations_accumulator =
32 ProverEqPolynomial<FF>::construct(accumulator_claim->challenge, bb::numeric::get_msb(max_dyadic_size));
33 polynomials.w_evaluations_instance =
34 ProverEqPolynomial<FF>::construct(instance_claim->challenge, bb::numeric::get_msb(max_dyadic_size));
35
36 polynomials.increase_polynomials_virtual_size(virtual_circuit_size);
37 std::vector<FF> accumulator_evaluations = { accumulator_claim->non_shifted_evaluation,
38 accumulator_claim->shifted_evaluation };
39 std::vector<FF> instance_evaluations = { instance_claim->non_shifted_evaluation,
40 instance_claim->shifted_evaluation };
41 key = std::make_shared<MultilinearBatchingProvingKey>(polynomials,
42 accumulator_claim->challenge,
43 instance_claim->challenge,
44 accumulator_evaluations,
45 instance_evaluations,
46 accumulator_claim->non_shifted_commitment,
47 accumulator_claim->shifted_commitment,
48 instance_claim->non_shifted_commitment,
49 instance_claim->shifted_commitment,
50 accumulator_claim->shifted_polynomial,
51 instance_claim->shifted_polynomial);
52 key->proving_key->circuit_size = max_dyadic_size;
53}
54
55void MultilinearBatchingProver::execute_commitments_round()
56{
57 BB_BENCH();
58 transcript->send_to_verifier("non_shifted_accumulator_commitment", key->non_shifted_accumulator_commitment);
59 transcript->send_to_verifier("shifted_accumulator_commitment", key->shifted_accumulator_commitment);
60 transcript->send_to_verifier("non_shifted_instance_commitment", key->non_shifted_instance_commitment);
61 transcript->send_to_verifier("shifted_instance_commitment", key->shifted_instance_commitment);
62}
63void MultilinearBatchingProver::execute_challenges_and_evaluations_round()
64{
65 BB_BENCH();
66 for (size_t i = 0; i < Flavor::VIRTUAL_LOG_N; i++) {
67 transcript->send_to_verifier("accumulator_challenge_" + std::to_string(i),
68 key->proving_key->accumulator_challenge[i]);
69 transcript->send_to_verifier("instance_challenge_" + std::to_string(i),
70 key->proving_key->instance_challenge[i]);
71 }
72 for (size_t i = 0; i < 2; i++) {
73 transcript->send_to_verifier("accumulator_evaluation_" + std::to_string(i),
74 key->proving_key->accumulator_evaluations[i]);
75 transcript->send_to_verifier("instance_evaluation_" + std::to_string(i),
76 key->proving_key->instance_evaluations[i]);
77 }
78}
79
84void MultilinearBatchingProver::execute_relation_check_rounds()
85{
86 BB_BENCH();
87 using Sumcheck = SumcheckProver<Flavor>;
88
89 // Each linearly independent subrelation contribution is multiplied by `alpha^i`, where
90 // i = 0, ..., NUM_SUBRELATIONS- 1.
91 const FF alpha = transcript->template get_challenge<FF>("Sumcheck:alpha");
92
93 std::vector<FF> gate_challenges(Flavor::VIRTUAL_LOG_N);
94 for (size_t idx = 0; idx < gate_challenges.size(); idx++) {
95 gate_challenges[idx] = FF(1);
96 }
97
98 const size_t circuit_size = key->proving_key->circuit_size;
99
100 Sumcheck sumcheck(circuit_size,
101 key->proving_key->polynomials,
102 transcript,
103 alpha,
104 gate_challenges,
105 relation_parameters,
106 Flavor::VIRTUAL_LOG_N,
107 key->proving_key->accumulator_challenge,
108 key->proving_key->instance_challenge);
109
110 sumcheck_output = sumcheck.prove();
111}
112
113void MultilinearBatchingProver::compute_new_claim()
114{
115 BB_BENCH();
116 auto claim_batching_challenge = transcript->get_challenge<FF>("claim_batching_challenge");
117 auto new_non_shifted_polynomial = Polynomial(key->proving_key->circuit_size);
118 new_non_shifted_polynomial += key->proving_key->polynomials.w_non_shifted_accumulator;
119 new_non_shifted_polynomial.add_scaled(key->proving_key->polynomials.w_non_shifted_instance,
120 claim_batching_challenge);
121 auto new_shifted_polynomial = Polynomial::shiftable(key->proving_key->circuit_size);
122 new_shifted_polynomial += key->preshifted_accumulator;
123 new_shifted_polynomial.add_scaled(key->preshifted_instance, claim_batching_challenge);
124 auto new_non_shifted_commitment =
125 key->non_shifted_accumulator_commitment + key->non_shifted_instance_commitment * claim_batching_challenge;
126 auto new_shifted_commitment =
127 key->shifted_accumulator_commitment + key->shifted_instance_commitment * claim_batching_challenge;
128 new_claim.challenge = sumcheck_output.challenge;
129 new_claim.non_shifted_polynomial = new_non_shifted_polynomial;
130 new_claim.shifted_polynomial = new_shifted_polynomial;
131 new_claim.non_shifted_commitment = new_non_shifted_commitment;
132 new_claim.shifted_commitment = new_shifted_commitment;
133 new_claim.non_shifted_evaluation =
134 sumcheck_output.claimed_evaluations.w_non_shifted_accumulator +
135 sumcheck_output.claimed_evaluations.w_non_shifted_instance * claim_batching_challenge;
136 new_claim.shifted_evaluation = sumcheck_output.claimed_evaluations.w_shifted_accumulator +
137 sumcheck_output.claimed_evaluations.w_shifted_instance * claim_batching_challenge;
138 new_claim.dyadic_size = key->proving_key->circuit_size;
139}
140
141HonkProof MultilinearBatchingProver::export_proof()
142{
143 return transcript->export_proof();
144}
145
146HonkProof MultilinearBatchingProver::construct_proof()
147{
148 BB_BENCH_NAME("MultilinearBatchingProver::construct_proof");
149
150 // Add circuit size public input size and public inputs to transcript.
151 execute_commitments_round();
152
153 // Fiat-Shamir: challenges and evaluations
154 execute_challenges_and_evaluations_round();
155 // Fiat-Shamir: alpha
156 // Run sumcheck subprotocol.
157 execute_relation_check_rounds();
158
159 vinfo("computed opening proof");
160 return export_proof();
161}
162
163} // namespace bb
BB_BENCH_NAME
#define BB_BENCH_NAME(name)
Definition bb_bench.hpp:218
BB_BENCH
#define BB_BENCH()
Definition bb_bench.hpp:222
bb::MultilinearBatchingProver::MultilinearBatchingProver
MultilinearBatchingProver(const std::shared_ptr< MultilinearBatchingProverClaim > &accumulator_claim, const std::shared_ptr< MultilinearBatchingProverClaim > &instance_claim, const std::shared_ptr< Transcript > &transcript)
Definition multilinear_batching_prover.cpp:17
bb::MultilinearBatchingProver::new_claim
MultilinearBatchingProverClaim new_claim
Definition multilinear_batching_prover.hpp:49
bb::MultilinearBatchingProver::execute_relation_check_rounds
BB_PROFILE void execute_relation_check_rounds()
Run Sumcheck resulting in u = (u_1,...,u_d) challenges and all evaluations at u being calculated.
Definition multilinear_batching_prover.cpp:84
bb::MultilinearBatchingProver::ProverPolynomials
typename Flavor::ProverPolynomials ProverPolynomials
Definition multilinear_batching_prover.hpp:20
bb::MultilinearBatchingProver::key
std::shared_ptr< MultilinearBatchingProvingKey > key
Definition multilinear_batching_prover.hpp:47
bb::MultilinearBatchingProver::transcript
std::shared_ptr< Transcript > transcript
Definition multilinear_batching_prover.hpp:45
bb::ProverEqPolynomial::construct
static Polynomial< FF > construct(std::span< const FF > challenges, size_t log_num_monomials)
Construct eq(X, r) coefficient table over Boolean hypercube {0,1}^d.
Definition eq_polynomial.hpp:56
bb::SumcheckProver
The implementation of the sumcheck Prover for statements of the form for multilinear polynomials .
Definition sumcheck.hpp:126
commitment_key.hpp
vinfo
#define vinfo(...)
Definition log.hpp:79
grand_product_library.hpp
multilinear_batching_prover.hpp
bb::numeric::get_msb
constexpr T get_msb(const T in)
Definition get_msb.hpp:47
bb
Entry point for Barretenberg command-line interface.
Definition acir_format_getters.cpp:6
bb::HonkProof
std::vector< fr > HonkProof
Definition proof.hpp:15
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
std::to_string
std::string to_string(bb::avm2::ValueTag tag)
Definition tagged_value.cpp:400
small_subgroup_ipa.hpp