- Generated by
1.9.8
|
Barretenberg
The ZK-SNARK library at the core of Aztec
|
The implementation of the sumcheck Prover for statements of the form \(\sum_{\vec \ell \in \{0,1\}^d} pow_{\beta}(\vec \ell) \cdot F \left(P_1(\vec \ell),\ldots, P_N(\vec \ell) \right) = 0 \) for multilinear polynomials \(P_1, \ldots, P_N \). More...
#include <sumcheck.hpp>
Public Types | |
| using | FF = typename Flavor::FF |
| using | ProverPolynomials = typename Flavor::ProverPolynomials |
| using | PartiallyEvaluatedMultivariates = typename Flavor::PartiallyEvaluatedMultivariates |
| using | ClaimedEvaluations = typename Flavor::AllValues |
| using | ZKData = ZKSumcheckData< Flavor > |
| using | Transcript = typename Flavor::Transcript |
| using | SubrelationSeparators = typename Flavor::SubrelationSeparators |
| using | CommitmentKey = typename Flavor::CommitmentKey |
| using | SumcheckRoundUnivariate = typename bb::Univariate< FF, BATCHED_RELATION_PARTIAL_LENGTH > |
Public Member Functions | |
| SumcheckProver (size_t multivariate_n, ProverPolynomials &prover_polynomials, std::shared_ptr< Transcript > transcript, const SubrelationSeparators &relation_separator, const std::vector< FF > &gate_challenges, const RelationParameters< FF > &relation_parameters, const size_t virtual_log_n) | |
| SumcheckProver (size_t multivariate_n, ProverPolynomials &prover_polynomials, std::shared_ptr< Transcript > transcript, const FF &alpha, const std::vector< FF > &gate_challenges, const RelationParameters< FF > &relation_parameters, const size_t virtual_log_n) | |
| SumcheckOutput< Flavor > | prove () |
| Non-ZK version: Compute round univariate, place it in transcript, compute challenge, partially evaluate. Repeat until final round, then get full evaluations of prover polynomials, and place them in transcript. | |
| template<typename PolynomialT , std::size_t N> | |
| void | partially_evaluate (std::array< PolynomialT, N > &polynomials, const FF &round_challenge) |
| Evaluate at the round challenge and prepare class for next round. Specialization for array, see generic version. | |
| ClaimedEvaluations | extract_claimed_evaluations (PartiallyEvaluatedMultivariates &partially_evaluated_polynomials) |
| This method takes the book-keeping table containing partially evaluated prover polynomials and creates a vector containing the evaluations of all prover polynomials at the point \( (u_0, \ldots, u_{d-1} )\). For ZK Flavors: this method takes the book-keeping table containing partially evaluated prover polynomials and creates a vector containing the evaluations of all witness polynomials at the point \( (u_0, \ldots, u_{d-1}
)\) masked by the terms \( \texttt{eval_masking_scalars}_j\cdot \sum u_i(1-u_i)\) and the evaluations of all non-witness polynomials that are sent in clear. | |
| void | commit_to_round_univariate (const size_t round_idx, bb::Univariate< FF, BATCHED_RELATION_PARTIAL_LENGTH > &round_univariate, const CommitmentKey &ck) |
| Compute monomial coefficients of the round univariate, commit to it, populate an auxiliary structure needed in the PCS round. | |
Public Attributes | |
| const size_t | multivariate_n |
| const size_t | multivariate_d |
| ProverPolynomials & | full_polynomials |
| std::shared_ptr< Transcript > | transcript |
| SumcheckProverRound< Flavor > | round |
| SubrelationSeparators | alphas |
| std::vector< FF > | gate_challenges |
| bb::RelationParameters< FF > | relation_parameters |
| size_t | virtual_log_n |
| std::vector< FF > | multivariate_challenge |
| std::vector< typename Flavor::Commitment > | round_univariate_commitments = {} |
| std::vector< std::array< FF, 3 > > | round_evaluations = {} |
| std::vector< Polynomial< FF > > | round_univariates = {} |
| std::vector< FF > | eval_domain = {} |
| FF | libra_evaluation = FF{ 0 } |
| RowDisablingPolynomial< FF > | row_disabling_polynomial |
| PartiallyEvaluatedMultivariates | partially_evaluated_polynomials |
| Container for partially evaluated Prover Polynomials at a current challenge. Upon computing challenge \(
u_i \), the first \(2^{d-1-i}\) rows are updated using partially evaluate method. | |
| SumcheckOutput< Flavor > prove(ZKData &zk_sumcheck_data) void | partially_evaluate (auto &polynomials, const FF &round_challenge) |
ZK-version of prove that runs Sumcheck with disabled rows and masking of Round Univariates. The masking is ensured by adding random Libra univariates to the Sumcheck round univariates. | |
Static Public Attributes | |
| static constexpr size_t | MAX_PARTIAL_RELATION_LENGTH = Flavor::MAX_PARTIAL_RELATION_LENGTH |
| The total algebraic degree of the Sumcheck relation \( F \) as a polynomial in Prover Polynomials \(P_1,\ldots, P_N\). | |
| static constexpr size_t | BATCHED_RELATION_PARTIAL_LENGTH = Flavor::BATCHED_RELATION_PARTIAL_LENGTH |
The implementation of the sumcheck Prover for statements of the form \(\sum_{\vec \ell \in \{0,1\}^d} pow_{\beta}(\vec \ell) \cdot F \left(P_1(\vec \ell),\ldots, P_N(\vec \ell) \right) = 0 \) for multilinear polynomials \(P_1, \ldots, P_N \).
The Sumcheck is applied to multivariate polynomials \(P_1, \ldots, P_N\) that are specidied by Flavor. Namely, prove method obtains full_polynomials by reference from Flavor 's prover polynomials. In particular, their number \(N\) is specified by the Flavor.
Given multilinear polynomials \( P_1,\ldots, P_N \in \mathbb{F}[X_0,\ldots, X_{d-1}] \) and a relation \( F \) which is a polynomial in \( N \) variables, we use Sumcheck over the polynomial
\begin{align} \tilde{F} (X_0,\ldots, X_{d-1}) = pow_{\beta}(X_0,\ldots, X_{d-1}) \cdot F\left( P_1 (X_0,\ldots, X_{d-1}), \ldots, P_N (X_0,\ldots, X_{d-1}) \right) \end{align}
to establish that \( F(P_1(\vec \ell),\ldots, P_N(\vec \ell) ) = 0 \), i.e. that \( F \) is satisfied, at every point of \(\{0,1\}^d\).
In the implementation, the relation polynomial \( F \) is determined by Flavor::Relations which is fed to Sumcheck Round Prover.
The following constants are used:
Given \( N \) Honk Prover Polynomials \( P_1, \ldots, P_N \), i.e. multilinear polynomials in \( d \) variables.
At initialization, Prover Polynomials are submitted by reference into full_polynomials, which is a two-dimensional array with \(N\) columns and \(2^d\) rows, whose entries are defined as follows \(\texttt{full_polynomials}_{i,j} = P_j(\vec i) \). Here, \( \vec i \in
\{0,1\}^d \) is identified with the binary representation of the integer \( 0 \leq i \leq 2^d-1 \).
When the first challenge \( u_0 \) is computed, the method partially evaluate takes as input full_polynomials and populates a new book-keeping table denoted by \(\texttt{partially_evaluated_polynomials} \). Its \( n/2 = 2^{d-1} \) rows will represent the evaluations \( P_i(u_0, X_1, ..., X_{d-1}) \), which are multilinear polynomials in \( d-1 \) variables.
More precisely, it is a table with \( 2^{d-1} \) rows and \( N \) columns, such that
\begin{align} \texttt{partially_evaluated_polynomials}_{i,j} = &\ P_j(0, i_1,\ldots, i_{d-1}) + u_0 \cdot (P_j(1,i_1,\ldots, i_{d-1})) - P_j(0, i_1,\ldots, i_{d-1})) \\ = &\ \texttt{full_polynomials}_{2 i,j} + u_0 \cdot (\texttt{full_polynomials}_{2i+1,j} - \texttt{full_polynomials}_{2 i,j}) \end{align}
In Round \( i < d-1\), partially evaluate updates the first \( 2^{d-1 - i} \) rows of \(\texttt{partially_evaluated_polynomials}\) with the evaluations \( P_1(u_0,\ldots, u_i, \vec \ell),\ldots, P_N(u_0,\ldots, u_i, \vec \ell)\) for \(\vec \ell \in \{0,1\}^{d-1-i}\). The details are specified in the corresponding docs.
After computing the last challenge \( u_{d-1} \) in Round \( d-1 \) and updating \( \texttt{partially_evaluated_polynomials} \), the prover looks into the 'top' row of the table containing evaluations \(P_1(u_0,\ldots, u_{d-1}), \ldots, P_N(u_0,\ldots, u_{d-1})\) and concatenates these values with the last challenge to the transcript.
Let \( \vec \beta = (\beta_0,\ldots, \beta_{d-1}) \in \mathbb{F}\) be a vector of challenges.
In Round \(i\), a univariate polynomial \( \tilde S^{i}(X_{i}) \) for the relation defined by \( \tilde{F}(X)\) is computed as follows. First, we introduce notation
As explained in GateSeparatorPolynomial,
\begin{align} \tilde{S}^{i}(X_i) = \sum_{ \ell = 0} ^{2^{d-i-1}-1} pow^i_\beta ( X_i, \ell_{i+1}, \ldots, \ell_{d-1} ) \cdot S^i_{\ell}( X_i ) = c_i\cdot ( (1−X_i) + X_i\cdot \beta_i ) \cdot \sum_{\ell = 0}^{2^{d-i-1}-1} \beta_{i+1}^{\ell_{i+1}} \cdot \ldots \cdot \beta_{d-1}^{\ell_{d-1}} \cdot S^{i}_{\ell}( X_i ). \end{align}
The evaluations of the round univariate \( \tilde{S}^i \) over the domain \(0,\ldots, D \) are obtained by the method compute_univariate. The implementation consists of the following sub-methods:
After computing Round univariates and adding them to the transcript, the prover generates round challenge by hashing the transcript. These operations are taken care of by Transcript Class methods.
The Sumcheck output is specified by bb::SumcheckOutput< Flavor >.
Definition at line 123 of file sumcheck.hpp.
| using bb::SumcheckProver< Flavor >::ClaimedEvaluations = typename Flavor::AllValues |
Definition at line 130 of file sumcheck.hpp.
| using bb::SumcheckProver< Flavor >::CommitmentKey = typename Flavor::CommitmentKey |
Definition at line 134 of file sumcheck.hpp.
| using bb::SumcheckProver< Flavor >::FF = typename Flavor::FF |
Definition at line 125 of file sumcheck.hpp.
| using bb::SumcheckProver< Flavor >::PartiallyEvaluatedMultivariates = typename Flavor::PartiallyEvaluatedMultivariates |
Definition at line 129 of file sumcheck.hpp.
| using bb::SumcheckProver< Flavor >::ProverPolynomials = typename Flavor::ProverPolynomials |
Definition at line 128 of file sumcheck.hpp.
| using bb::SumcheckProver< Flavor >::SubrelationSeparators = typename Flavor::SubrelationSeparators |
Definition at line 133 of file sumcheck.hpp.
| using bb::SumcheckProver< Flavor >::SumcheckRoundUnivariate = typename bb::Univariate<FF, BATCHED_RELATION_PARTIAL_LENGTH> |
Definition at line 145 of file sumcheck.hpp.
| using bb::SumcheckProver< Flavor >::Transcript = typename Flavor::Transcript |
Definition at line 132 of file sumcheck.hpp.
| using bb::SumcheckProver< Flavor >::ZKData = ZKSumcheckData<Flavor> |
Definition at line 131 of file sumcheck.hpp.
|
inline |
Definition at line 190 of file sumcheck.hpp.
|
inline |
Definition at line 209 of file sumcheck.hpp.
|
inline |
Compute monomial coefficients of the round univariate, commit to it, populate an auxiliary structure needed in the PCS round.
| round_idx | |
| round_univariate | Sumcheck Round Univariate |
| eval_domain | {0, 1, ... , BATCHED_RELATION_PARTIAL_LENGTH-1} |
| transcript | |
| ck | Commitment key of size BATCHED_RELATION_PARTIAL_LENGTH |
| round_univariates | Auxiliary container to be fed to Shplemini |
| round_univariate_evaluations | Auxiliary container to be fed to Shplemini |
Definition at line 583 of file sumcheck.hpp.
|
inline |
This method takes the book-keeping table containing partially evaluated prover polynomials and creates a vector containing the evaluations of all prover polynomials at the point \( (u_0, \ldots, u_{d-1} )\). For ZK Flavors: this method takes the book-keeping table containing partially evaluated prover polynomials and creates a vector containing the evaluations of all witness polynomials at the point \( (u_0, \ldots, u_{d-1} )\) masked by the terms \( \texttt{eval_masking_scalars}_j\cdot \sum u_i(1-u_i)\) and the evaluations of all non-witness polynomials that are sent in clear.
| partially_evaluated_polynomials | |
| multivariate_evaluations |
Definition at line 561 of file sumcheck.hpp.
|
inline |
Evaluate at the round challenge and prepare class for next round. Specialization for array, see generic version.
Definition at line 529 of file sumcheck.hpp.
|
inline |
Non-ZK version: Compute round univariate, place it in transcript, compute challenge, partially evaluate. Repeat until final round, then get full evaluations of prover polynomials, and place them in transcript.
See Detailed description of Sumcheck Prover <Flavor>.
Definition at line 231 of file sumcheck.hpp.
| SubrelationSeparators bb::SumcheckProver< Flavor >::alphas |
Definition at line 159 of file sumcheck.hpp.
|
staticconstexpr |
Definition at line 143 of file sumcheck.hpp.
| std::vector<FF> bb::SumcheckProver< Flavor >::eval_domain = {} |
Definition at line 173 of file sumcheck.hpp.
| ProverPolynomials& bb::SumcheckProver< Flavor >::full_polynomials |
Definition at line 152 of file sumcheck.hpp.
| std::vector<FF> bb::SumcheckProver< Flavor >::gate_challenges |
Definition at line 161 of file sumcheck.hpp.
| FF bb::SumcheckProver< Flavor >::libra_evaluation = FF{ 0 } |
Definition at line 174 of file sumcheck.hpp.
|
staticconstexpr |
The total algebraic degree of the Sumcheck relation \( F \) as a polynomial in Prover Polynomials \(P_1,\ldots, P_N\).
Definition at line 140 of file sumcheck.hpp.
| std::vector<FF> bb::SumcheckProver< Flavor >::multivariate_challenge |
Definition at line 168 of file sumcheck.hpp.
| const size_t bb::SumcheckProver< Flavor >::multivariate_d |
Definition at line 150 of file sumcheck.hpp.
| const size_t bb::SumcheckProver< Flavor >::multivariate_n |
Definition at line 148 of file sumcheck.hpp.
|
inline |
ZK-version of prove that runs Sumcheck with disabled rows and masking of Round Univariates. The masking is ensured by adding random Libra univariates to the Sumcheck round univariates.
| zk_sumcheck_data |
Evaluate Honk polynomials at the round challenge and prepare class for next round.
At initialization, Prover Polynomials are submitted by reference into full_polynomials, which is a two-dimensional array defined as
\begin{align} \texttt{full_polynomials}_{i,j} = P_j(\vec i). \end{align}
Here, \( \vec i \in \{0,1\}^d \) is identified with the binary representation of the integer \( 0 \leq i \leq 2^d-1 \).
When the first challenge \( u_0 \) is computed, the method partially evaluate takes as input full_polynomials and populates a new book-keeping table denoted \(\texttt{partially_evaluated_polynomials}\). Its \( n/2 = 2^{d-1} \) rows represent the evaluations \(
P_i(u_0, X_1, ..., X_{d-1}) \), which are multilinear polynomials in \( d-1 \) variables. More precisely, it is a table \( 2^{d-1} \) rows and \( N \) columns, such that
\begin{align} \texttt{partially_evaluated_polynomials}_{i,j} = &\ P_j(0, i_1,\ldots, i_{d-1}) + u_0 \cdot (P_j(1, i_1,\ldots, i_{d-1})) - P_j(0, i_1,\ldots, i_{d-1})) \\ = &\ \texttt{full_polynomials}_{2 i,j} + u_0 \cdot (\texttt{full_polynomials}_{2i+1,j} - \texttt{full_polynomials}_{2 i,j}) \end{align}
We elude copying all of the polynomial-defining data by only populating partially_evaluated_polynomials after the first round.
In Round \(0<i\leq d-1\), this method takes the challenge \( u_{i} \) and rewrites the first \( 2^{d-i-1} \) rows in the \( \texttt{partially_evaluated_polynomials} \) table with the values
\begin{align} \texttt{partially_evaluated_polynomials}_{\ell,j} \gets &\ P_j\left(u_0,\ldots, u_{i}, \vec \ell \right) \\ = &\ P_j\left(u_0,\ldots, u_{i-1}, 0, \vec \ell \right) + u_{i} \cdot \left( P_j\left(u_0, \ldots, u_{i-1}, 1, \vec \ell ) - P_j(u_0,\ldots, u_{i-1}, 0, \vec \ell \right)\right) \\ = &\ \texttt{partially_evaluated_polynomials}_{2 \ell,j} + u_{i} \cdot (\texttt{partially_evaluated_polynomials}_{2 \ell+1,j} - \texttt{partially_evaluated_polynomials}_{2\ell,j}) \end{align}
where \(\vec \ell \in \{0,1\}^{d-1-i}\). After the final update, i.e. when \( i = d-1 \), the upper row of the table contains the evaluations of Honk polynomials at the challenge point \( (u_0,\ldots, u_{d-1}) \).
| polynomials | Honk polynomials at initialization; partially evaluated polynomials in subsequent rounds |
| round_size | \(2^{d-i}\) |
| round_challenge | \(u_i\) |
Definition at line 503 of file sumcheck.hpp.
| PartiallyEvaluatedMultivariates bb::SumcheckProver< Flavor >::partially_evaluated_polynomials |
Container for partially evaluated Prover Polynomials at a current challenge. Upon computing challenge \( u_i \), the first \(2^{d-1-i}\) rows are updated using partially evaluate method.
NOTE: With ~40 columns, prob only want to allocate 256 EdgeGroup's at once to keep stack under 1MB? TODO(#224)(Cody): might want to just do C-style multidimensional array? for guaranteed adjacency?
Definition at line 187 of file sumcheck.hpp.
| bb::RelationParameters<FF> bb::SumcheckProver< Flavor >::relation_parameters |
Definition at line 163 of file sumcheck.hpp.
| SumcheckProverRound<Flavor> bb::SumcheckProver< Flavor >::round |
Definition at line 156 of file sumcheck.hpp.
| std::vector<std::array<FF, 3> > bb::SumcheckProver< Flavor >::round_evaluations = {} |
Definition at line 171 of file sumcheck.hpp.
| std::vector<typename Flavor::Commitment> bb::SumcheckProver< Flavor >::round_univariate_commitments = {} |
Definition at line 170 of file sumcheck.hpp.
| std::vector<Polynomial<FF> > bb::SumcheckProver< Flavor >::round_univariates = {} |
Definition at line 172 of file sumcheck.hpp.
| RowDisablingPolynomial<FF> bb::SumcheckProver< Flavor >::row_disabling_polynomial |
Definition at line 176 of file sumcheck.hpp.
| std::shared_ptr<Transcript> bb::SumcheckProver< Flavor >::transcript |
Definition at line 154 of file sumcheck.hpp.
| size_t bb::SumcheckProver< Flavor >::virtual_log_n |
Definition at line 166 of file sumcheck.hpp.
1.9.8