template<typename
Curve>
class bb::ShplonkVerifier_< Curve >
Shplonk Verifier.
Given commitments to polynomials \([p_1], \dots, [p_m]\) and couples of challenge/evaluation \((x_i, v_i)\), the Shplonk verifier computes the following commitment:
\[
[G] := [Q] - \sum_{i=1}^m \frac{\nu^{i-1} [p_i]}{(z - x_i)} + \sum_{i=1}^m \frac{\nu^{i-1} v_i}{(z - x_i)} [1]
\]
where \(\nu\) is a random batching challenge, \([Q]\) is the commiment to the quotient polymomial
\[
\sum_{i=1}^m \nu^{i-1} \frac{(p_i - v_i)}{(x - x_i)}
\]
and \(z\) is the evaluation challenge.
When the polynomials \(p_1, \dots, p_m\) are linearly dependent, and the verifier which calls the Shplonk verifier needs to compute the commitments \([p_1], \dots, [p_m]\) starting from the linearly independent factors, computing the commitments and then executing the Shplonk verifier is not the most efficient way to execute the Shplonk verifier algorithm.
Consider the case \(m = 2\), and take \(p_2 = a p_1\) for some constant \(a \in \mathbb{F}\). Then, the most efficient way to execute the Shplonk verifier algorithm is to compute the following MSM
\[
[Q] - \left( \frac{1}{(z - x_1)} \
+ \frac{a \nu}{(z - x_2)} \right) [p_1] \
+ \left( \frac{v_1}{(z - x_1)} + \frac{v_2 \nu}{(z - x_2)} \right) [1]
\]
The Shplonk verifier api is designed to allow the execution of the Shplonk verifier algorithm in its most efficient form. To achieve this, the Shplonk verifier maintains an internal state depending of the following variables:
- \([f_1], \dots, [f_n]\) (
commitments in code) the commitments to the linearly independent polynomials such that for each polynomial \(p_i\) we wish to open it holds \(p_i = \sum_{i=1}^n p_{i,j} f_j\) for some \(p_j
\in \mathbb{F}\).
- \(\nu\) (
nu in code) the challenge used to batch the polynomial commitments.
- \(\nu^{i}\) (
current_nu in code), which is the power of the batching challenge used to batch the \(i\)-th polynomial \( p_i \) in the Shplonk verifier algorithm.
- \([Q]\) (
quotient in code).
- \(z\) (
z_challenge in code), the partial evaluation challenge.
- \((s_1, \dots, s_n)\) (
scalars in code), the coefficient of \([f_i]\) in the Shplonk verifier MSM.
- \(\theta\) (
identity_scalar_coefficient in code), the coefficient of \([1]\) in the Shplonk verifier MSM.
evaluation, the claimed evaluation at \(z\) of the commitment produced by the Shplonk verifier, always equal to \(0\).
Definition at line 343 of file shplonk.hpp.
1.9.8