- Generated by
1.9.8
|
Barretenberg
The ZK-SNARK library at the core of Aztec
|
A Curve-agnostic ZK protocol to prove inner products of small vectors. More...
#include <small_subgroup_ipa.hpp>
Public Member Functions | |
| SmallSubgroupIPAProver (const std::shared_ptr< typename Flavor::Transcript > &transcript, typename Flavor::CommitmentKey commitment_key) | |
| SmallSubgroupIPAProver (ZKSumcheckData< Flavor > &zk_sumcheck_data, const std::vector< FF > &multivariate_challenge, const FF claimed_inner_product, const std::shared_ptr< typename Flavor::Transcript > &transcript, const typename Flavor::CommitmentKey &commitment_key) | |
| Construct SmallSubgroupIPAProver from a ZKSumcheckData object and a sumcheck evaluation challenge. | |
| SmallSubgroupIPAProver (TranslationData< typename Flavor::Transcript > &translation_data, const FF evaluation_challenge_x, const FF batching_challenge_v, const std::shared_ptr< typename Flavor::Transcript > &transcript, const typename Flavor::CommitmentKey &commitment_key) | |
| Construct SmallSubgroupIPAProver from a TranslationData object and two challenges. It is Grumkin-specific. | |
| void | prove () |
| Compute the derived witnesses \( A \) and \( Q \) and commit to them. | |
| void | compute_challenge_polynomial (const std::vector< FF > &multivariate_challenge) |
| Computes the challenge polynomial F(X) based on the provided multivariate challenges. | |
| void | compute_eccvm_challenge_polynomial (const FF evaluation_challenge_x, const FF batching_challenge_v) |
| Compute a (public) challenge polynomial from the evaluation and batching challenges. | |
| void | compute_grand_sum_polynomial () |
| Computes the grand sum polynomial \( A(X) \). | |
| void | compute_grand_sum_identity_polynomial () |
| Compute \( L_1(X) * A(X) + (X - 1/g) (A(gX) - A(X) - F(X) G(X)) + L_{|H|}(X)(A(X) - s) \), where \( g
\) is the fixed generator of \( H \). | |
| void | compute_grand_sum_identity_quotient () |
| Efficiently compute the quotient of the grand sum identity polynomial \( C \) by \( Z_H = X ^ { | H | } -
1\). | |
| FF | compute_claimed_translation_inner_product (TranslationData< typename Flavor::Transcript > &translation_data) |
For test purposes: compute the batched evaluation of the last NUM_DISABLED_ROWS_IN_SUMCHECK rows of the ECCVM transcript polynomials Op, Px, Py, z1, z2. | |
| std::array< bb::Polynomial< FF >, NUM_SMALL_IPA_EVALUATIONS > | get_witness_polynomials () const |
| const Polynomial< FF > & | get_batched_polynomial () const |
| const Polynomial< FF > & | get_challenge_polynomial () const |
| std::array< FF, NUM_SMALL_IPA_EVALUATIONS > | evaluation_points (const FF &small_ipa_evaluation_challenge) |
| std::array< std::string, NUM_SMALL_IPA_EVALUATIONS > | evaluation_labels () |
Static Public Member Functions | |
| static std::array< Polynomial< FF >, 2 > | compute_lagrange_first_and_last (const std::array< FF, SUBGROUP_SIZE > &interpolation_domain, const EvaluationDomain< FF > &bn_evaluation_domain) |
| Compute monomial coefficients of the first and last Lagrange polynomials. | |
| static FF | compute_claimed_inner_product (ZKSumcheckData< Flavor > &zk_sumcheck_data, const std::vector< FF > &multivariate_challenge, const size_t &log_circuit_size) |
| For test purposes: Compute the sum of the Libra constant term and Libra univariates evaluated at Sumcheck challenges. | |
| static Polynomial< FF > | compute_monomial_coefficients (std::span< FF > lagrange_coeffs, const std::array< FF, SUBGROUP_SIZE > &interpolation_domain, const EvaluationDomain< FF > &bn_evaluation_domain) |
| Given a vector of coefficients of a polynomial in the Lagrange basis over \( H \), compute its coefficients in the monomial basis. We use IFFT over BN254 ScalarField and a generic method compute_efficient_interpolation, which has quadratic complexity and has to be used with caution. | |
Public Attributes | |
| FF | claimed_inner_product { 0 } |
Private Types | |
| using | Curve = typename Flavor::Curve |
| using | FF = typename Curve::ScalarField |
Private Attributes | |
| std::array< FF, SUBGROUP_SIZE > | interpolation_domain |
| EvaluationDomain< FF > | bn_evaluation_domain |
| Polynomial< FF > | concatenated_polynomial |
| Polynomial< FF > | concatenated_lagrange_form |
| Polynomial< FF > | challenge_polynomial |
| Polynomial< FF > | challenge_polynomial_lagrange |
| Polynomial< FF > | grand_sum_polynomial_unmasked |
| Polynomial< FF > | grand_sum_polynomial |
| std::array< FF, SUBGROUP_SIZE > | grand_sum_lagrange_coeffs |
| Polynomial< FF > | grand_sum_identity_polynomial |
| Polynomial< FF > | grand_sum_identity_quotient |
| std::string | label_prefix |
| std::shared_ptr< typename Flavor::Transcript > | transcript |
| Flavor::CommitmentKey | commitment_key |
Static Private Attributes | |
| static constexpr size_t | SUBGROUP_SIZE = Curve::SUBGROUP_SIZE |
| static constexpr size_t | WITNESS_MASKING_TERM_LENGTH = 2 |
| static constexpr size_t | MASKED_CONCATENATED_WITNESS_LENGTH = SUBGROUP_SIZE + WITNESS_MASKING_TERM_LENGTH |
| static constexpr size_t | GRAND_SUM_MASKING_TERM_LENGTH = 3 |
| static constexpr size_t | MASKED_GRAND_SUM_LENGTH = SUBGROUP_SIZE + GRAND_SUM_MASKING_TERM_LENGTH |
| static constexpr size_t | GRAND_SUM_IDENTITY_LENGTH = MASKED_CONCATENATED_WITNESS_LENGTH + SUBGROUP_SIZE |
| static constexpr size_t | QUOTIENT_LENGTH = GRAND_SUM_IDENTITY_LENGTH - SUBGROUP_SIZE |
| static constexpr size_t | LIBRA_UNIVARIATES_LENGTH = Curve::LIBRA_UNIVARIATES_LENGTH |
| static constexpr FF | subgroup_generator = Curve::subgroup_generator |
A Curve-agnostic ZK protocol to prove inner products of small vectors.
Implementation of the protocol described in Ariel's HackMD. Although we could in principle prove statements about a general witness polynomial \( G \) and a challenge polynomial \( F \) and a claim that \( \langle F, G \rangle = s \), we specialize to the following cases:
In both cases, we extract the witness polynomial \( G \) from the input. The main difference is in the construction of the challenge polynomial \( F \). Once \( F\) is computed by the corresponding method, we could call the common prove method on an object of this class.
Let \( G \) be the masked concatenated Libra polynomial. Without masking, it is defined by concatenating Libra constant term and the monomial coefficients of the Libra univariates \( g_i \) in the Lagrange basis over \( H \). More explicitly, unmasked concatenated Libra polynomial is given by the following vector of coefficients:
\begin{align} \big( \text{libra_constant_term}, g_{0,0}, \ldots, g_{0, \text{LIBRA_UNIVARIATES_LENGTH} - 1}, \ldots, g_{d-1, 0}, \ldots, g_{d-1, \text{LIBRA_UNIVARIATES_LENGTH} - 1} \big) \end{align}
, where \( d = \text{log_circuit_size}\). It is masked by adding \( (r_0 + r_1 X) Z_{H}(X)\), where \( Z_H(X) \) is the vanishing polynomial for \( H \).
Let \( G \) be the concatenated polynomial from the TranslationData class. Without masking, it is defined by concatenating NUM_TRANSLATION_EVALUATIONS polynomials of size NUM_DISABLED_ROWS_IN_SUMCHECK in the Lagrange basis over \( H \). It is masked by adding \( (r_0 + r_1 X) Z_{H}(X)\), where \( Z_H(X) \) is the vanishing polynomial for \( H \).
Definition at line 69 of file small_subgroup_ipa.hpp.
|
private |
Definition at line 70 of file small_subgroup_ipa.hpp.
|
private |
Definition at line 71 of file small_subgroup_ipa.hpp.
| bb::SmallSubgroupIPAProver< Flavor >::SmallSubgroupIPAProver | ( | const std::shared_ptr< typename Flavor::Transcript > & | transcript, |
| typename Flavor::CommitmentKey | commitment_key | ||
| ) |
Definition at line 30 of file small_subgroup_ipa.cpp.
| bb::SmallSubgroupIPAProver< Flavor >::SmallSubgroupIPAProver | ( | ZKSumcheckData< Flavor > & | zk_sumcheck_data, |
| const std::vector< FF > & | multivariate_challenge, | ||
| const FF | claimed_inner_product, | ||
| const std::shared_ptr< typename Flavor::Transcript > & | transcript, | ||
| const typename Flavor::CommitmentKey & | commitment_key | ||
| ) |
Construct SmallSubgroupIPAProver from a ZKSumcheckData object and a sumcheck evaluation challenge.
| zk_sumcheck_data | Contains the witness polynomial \( G \) called Libra concatenated polynomial. |
| multivariate_challenge | \( (u_0,\ldots, u_{d-1})\), needed to compute the challenge polynomial \( F \). |
| claimed_inner_product | The inner product of \( G \) and the challenge polynomial \( F \). |
Definition at line 59 of file small_subgroup_ipa.cpp.
| bb::SmallSubgroupIPAProver< Flavor >::SmallSubgroupIPAProver | ( | TranslationData< typename Flavor::Transcript > & | translation_data, |
| const FF | evaluation_challenge_x, | ||
| const FF | batching_challenge_v, | ||
| const std::shared_ptr< typename Flavor::Transcript > & | transcript, | ||
| const typename Flavor::CommitmentKey & | commitment_key | ||
| ) |
Construct SmallSubgroupIPAProver from a TranslationData object and two challenges. It is Grumkin-specific.
| translation_data | Contains the witness polynomial \( G \) which is a concatenation of last NUM_DISABLED_ROWS_IN_SUMCHECK coefficients of NUM_TRANSLATION_EVALUATIONS polynomials fed to TranslationData constructor. |
| evaluation_challenge_x | A challenge used to evaluate the univariates fed to TranslationData. |
| batching_challenge_v | A challenge used to batch the evaluations at \( x \). Both challenges are required to compute the challenge polynomial \( F \). |
| claimed_inner_product | The inner product of \( G \) and the challenge polynomial \( F \). |
Definition at line 93 of file small_subgroup_ipa.cpp.
| void bb::SmallSubgroupIPAProver< Flavor >::compute_challenge_polynomial | ( | const std::vector< FF > & | multivariate_challenge | ) |
Computes the challenge polynomial F(X) based on the provided multivariate challenges.
This method generates a polynomial in both Lagrange basis and monomial basis from Sumcheck's multivariate_challenge vector. The result is stored in challenge_polynomial_lagrange and challenge_polynomial. The former is re-used in the computation of the grand sum polynomial A(X)
The Lagrange basis polynomial is constructed as follows:
1.idx_poly in the CONST_PROOF_SIZE_LOG_N range, compute a sequence of coefficients recursively as powers of the corresponding multivariate challenge.coeffs_lagrange_basis. More explicitly, \( F = (1 , 1 , u_0, \ldots, u_0^{\text{LIBRA_UNIVARIATES_LENGTH}-1}, \ldots, 1, u_{D-1}, \ldots,
u_{D-1}^{\text{LIBRA_UNIVARIATES_LENGTH}-1} ) \) in the Lagrange basis over \( H \).If the curve is not BN254, the monomial polynomial is constructed directly using un-optimized Lagrange interpolation. Otherwise, an IFFT is used to convert the Lagrange basis coefficients into monomial basis coefficients.
| multivariate_challenge | A vector of field elements used to compute the challenge polynomial. |
Definition at line 195 of file small_subgroup_ipa.cpp.
|
static |
For test purposes: Compute the sum of the Libra constant term and Libra univariates evaluated at Sumcheck challenges.
| zk_sumcheck_data | Contains Libra constant term and scaled Libra univariates |
| multivariate_challenge | Sumcheck challenge |
| log_circuit_size |
Definition at line 381 of file small_subgroup_ipa.cpp.
| Flavor::Curve::ScalarField bb::SmallSubgroupIPAProver< Flavor >::compute_claimed_translation_inner_product | ( | TranslationData< typename Flavor::Transcript > & | translation_data | ) |
For test purposes: compute the batched evaluation of the last NUM_DISABLED_ROWS_IN_SUMCHECK rows of the ECCVM transcript polynomials Op, Px, Py, z1, z2.
| translation_data | Contains concatenated ECCVM Transcript polynomials. |
| evaluation_challenge_x | We evaluate the transcript polynomials at x as univariates. |
| batching_challenge_v | The evaluations at x are batched using v. |
Definition at line 409 of file small_subgroup_ipa.cpp.
| void bb::SmallSubgroupIPAProver< Flavor >::compute_eccvm_challenge_polynomial | ( | const FF | evaluation_challenge_x, |
| const FF | batching_challenge_v | ||
| ) |
Compute a (public) challenge polynomial from the evaluation and batching challenges.
While proving the batched evaluation of the masking term used to blind the ECCVM Transcript wires, the prover needs to compute the polynomial whose coefficients in the Lagrange basis over the small subgroup are given by \( (1, x , \ldots, x^{\text{NUM_DISABLED_ROWS_IN_SUMCHECK} - 1}, v, x \cdot v, \ldots, x^{\text{NUM_DISABLED_ROWS_IN_SUMCHECK} - 1}\cdot v^{\text{NUM_TRANSLATION_EVALUATIONS} - 1}, 0, \ldots, 0) \).
| evaluation_challenge_x | |
| batching_challenge_v |
Definition at line 216 of file small_subgroup_ipa.cpp.
| void bb::SmallSubgroupIPAProver< Flavor >::compute_grand_sum_identity_polynomial | ( | ) |
Compute \( L_1(X) * A(X) + (X - 1/g) (A(gX) - A(X) - F(X) G(X)) + L_{|H|}(X)(A(X) - s) \), where \( g \) is the fixed generator of \( H \).
Definition at line 279 of file small_subgroup_ipa.cpp.
| void bb::SmallSubgroupIPAProver< Flavor >::compute_grand_sum_identity_quotient | ( | ) |
Efficiently compute the quotient of the grand sum identity polynomial \( C \) by \( Z_H = X ^ { | H | } - 1\).
Definition at line 362 of file small_subgroup_ipa.cpp.
| void bb::SmallSubgroupIPAProver< Flavor >::compute_grand_sum_polynomial | ( | ) |
Computes the grand sum polynomial \( A(X) \).
0.Definition at line 245 of file small_subgroup_ipa.cpp.
|
static |
Compute monomial coefficients of the first and last Lagrange polynomials.
| interpolation_domain | |
| bn_evaluation_domain |
Definition at line 336 of file small_subgroup_ipa.cpp.
|
static |
Given a vector of coefficients of a polynomial in the Lagrange basis over \( H \), compute its coefficients in the monomial basis. We use IFFT over BN254 ScalarField and a generic method compute_efficient_interpolation, which has quadratic complexity and has to be used with caution.
Definition at line 429 of file small_subgroup_ipa.cpp.
|
inline |
Definition at line 191 of file small_subgroup_ipa.hpp.
|
inline |
Definition at line 186 of file small_subgroup_ipa.hpp.
|
inline |
Definition at line 183 of file small_subgroup_ipa.hpp.
|
inline |
Definition at line 184 of file small_subgroup_ipa.hpp.
|
inline |
Definition at line 178 of file small_subgroup_ipa.hpp.
| void bb::SmallSubgroupIPAProver< Flavor >::prove | ( | ) |
Compute the derived witnesses \( A \) and \( Q \) and commit to them.
\( A(X) \) is honestly constructed, i.e.
\begin{align} L_1(X) A(X) + (X - g^{-1}) (A(g \cdot X) - A(X) - F(X) G(X)) + L_{|H|}(X) (A(X) - s) = Z_H(X) Q(X), \end{align}
where \( Q(X) \) is the quotient of the left-hand side by \( Z_H(X) \). The second summand is the translation of the second condition using the fact that the coefficients of \( A(gX) \) are given by a cyclic shift of the coefficients of \( A(X) \).The methods of this class allow the prover to compute \( A(X) \) and \( Q(X) \).
After receiving a random evaluation challenge \( r \), the prover will send \( G(r), A(g\cdot r), A(r), Q(r) \) to the verifier. In the ZKSumcheckData case, \( r \) is the Gemini evaluation challenge, and this further part is taken care of by Shplemini. In the TranslationData case, \( r \) is an evaluation challenge that will be sampled in the translation evaluations sub-protocol of ECCVM.
Definition at line 150 of file small_subgroup_ipa.cpp.
|
private |
Definition at line 100 of file small_subgroup_ipa.hpp.
|
private |
Definition at line 109 of file small_subgroup_ipa.hpp.
|
private |
Definition at line 110 of file small_subgroup_ipa.hpp.
| FF bb::SmallSubgroupIPAProver< Flavor >::claimed_inner_product { 0 } |
Definition at line 131 of file small_subgroup_ipa.hpp.
|
private |
Definition at line 127 of file small_subgroup_ipa.hpp.
|
private |
Definition at line 105 of file small_subgroup_ipa.hpp.
|
private |
Definition at line 103 of file small_subgroup_ipa.hpp.
|
staticconstexprprivate |
Definition at line 84 of file small_subgroup_ipa.hpp.
|
private |
Definition at line 118 of file small_subgroup_ipa.hpp.
|
private |
Definition at line 121 of file small_subgroup_ipa.hpp.
|
private |
Definition at line 115 of file small_subgroup_ipa.hpp.
|
staticconstexprprivate |
Definition at line 80 of file small_subgroup_ipa.hpp.
|
private |
Definition at line 114 of file small_subgroup_ipa.hpp.
|
private |
Definition at line 113 of file small_subgroup_ipa.hpp.
|
private |
Definition at line 98 of file small_subgroup_ipa.hpp.
|
private |
Definition at line 124 of file small_subgroup_ipa.hpp.
|
staticconstexprprivate |
Definition at line 93 of file small_subgroup_ipa.hpp.
|
staticconstexprprivate |
Definition at line 77 of file small_subgroup_ipa.hpp.
|
staticconstexprprivate |
Definition at line 81 of file small_subgroup_ipa.hpp.
|
staticconstexprprivate |
Definition at line 87 of file small_subgroup_ipa.hpp.
|
staticconstexprprivate |
Definition at line 95 of file small_subgroup_ipa.hpp.
|
staticconstexprprivate |
Definition at line 73 of file small_subgroup_ipa.hpp.
|
private |
Definition at line 126 of file small_subgroup_ipa.hpp.
|
staticconstexprprivate |
Definition at line 76 of file small_subgroup_ipa.hpp.
1.9.8