- Generated by
1.9.8
|
Barretenberg
The ZK-SNARK library at the core of Aztec
|
Imlementation of the Sumcheck prover round. More...
#include <sumcheck_round.hpp>
Classes | |
| struct | BlockOfContiguousRows |
| Helper struct that describes a block of non-zero unskippable rows. More... | |
| struct | RowIterator |
| Helper struct that will, given a vector of BlockOfContiguousRows, return the edge indices that correspond to the nonzero rows. More... | |
Public Types | |
| using | FF = typename Flavor::FF |
| using | ExtendedEdges = std::conditional_t< Flavor::USE_SHORT_MONOMIALS, typename Flavor::template ProverUnivariates< 2 >, typename Flavor::ExtendedEdges > |
| using | ZKData = ZKSumcheckData< Flavor > |
| using | SumcheckRoundUnivariate = bb::Univariate< FF, BATCHED_RELATION_PARTIAL_LENGTH > |
Public Member Functions | |
| SumcheckProverRound (size_t initial_round_size) | |
| template<typename ProverPolynomialsOrPartiallyEvaluatedMultivariates > | |
| void | extend_edges (ExtendedEdges &extended_edges, const ProverPolynomialsOrPartiallyEvaluatedMultivariates &multivariates, const size_t edge_idx) |
| To compute the round univariate in Round \(i\), the prover first computes the values of Honk polynomials \( P_1,\ldots, P_N \) at the points of the form \( (u_0,\ldots, u_{i-1}, k, \vec \ell)\) for \(
k=0,\ldots, D \), where \( D \) is defined as partial algebraic degree of the relation multiplied by pow-polynomial. | |
| template<typename ProverPolynomialsOrPartiallyEvaluatedMultivariates > | |
| SumcheckRoundUnivariate | compute_univariate (ProverPolynomialsOrPartiallyEvaluatedMultivariates &polynomials, const bb::RelationParameters< FF > &relation_parameters, const bb::GateSeparatorPolynomial< FF > &gate_separators, const SubrelationSeparators &alphas) |
| Return the evaluations of the univariate round polynomials. Toggles between chunked computation (designed with the AVM in mind) and a version which intelligently allows from row-skipped functionality. | |
| template<typename ProverPolynomialsOrPartiallyEvaluatedMultivariates > | |
| SumcheckRoundUnivariate | compute_univariate_with_chunking (ProverPolynomialsOrPartiallyEvaluatedMultivariates &polynomials, const bb::RelationParameters< FF > &relation_parameters, const bb::GateSeparatorPolynomial< FF > &gate_separators, const SubrelationSeparators &alphas) |
| Return the evaluations of the univariate round polynomials \( \tilde{S}_{i} (X_{i}) \) at \( X_{i } = 0,\ldots, D \). Most likely, \( D \) is around \( 12 \). At the end, reset all univariate accumulators to be zero. | |
| template<typename ProverPolynomialsOrPartiallyEvaluatedMultivariates > | |
| std::vector< BlockOfContiguousRows > | compute_contiguous_round_size (ProverPolynomialsOrPartiallyEvaluatedMultivariates &polynomials) |
| Compute the number of unskippable rows we must iterate over. | |
| template<typename ProverPolynomialsOrPartiallyEvaluatedMultivariates > | |
| SumcheckRoundUnivariate | compute_univariate_with_row_skipping (ProverPolynomialsOrPartiallyEvaluatedMultivariates &polynomials, const bb::RelationParameters< FF > &relation_parameters, const bb::GateSeparatorPolynomial< FF > &gate_separators, const SubrelationSeparators alphas) |
Version of compute_univariate that allows for row-skipping, as a prover-side optimization. | |
| template<typename ProverPolynomialsOrPartiallyEvaluatedMultivariates > requires Flavor | |
| SumcheckRoundUnivariate | compute_hiding_univariate (const size_t round_idx, const ProverPolynomialsOrPartiallyEvaluatedMultivariates &polynomials, const bb::RelationParameters< FF > &relation_parameters, const bb::GateSeparatorPolynomial< FF > &gate_separators, const SubrelationSeparators &alpha, const ZKData &zk_sumcheck_data, const RowDisablingPolynomial< FF > row_disabling_polynomial) |
| For ZK Flavors: A method disabling the last 4 rows of the ProverPolynomials. | |
Static Public Member Functions | |
| template<typename ExtendedUnivariate , typename ContainerOverSubrelations > | |
| static ExtendedUnivariate | batch_over_relations (ContainerOverSubrelations &univariate_accumulators, const SubrelationSeparators &challenge, const bb::GateSeparatorPolynomial< FF > &gate_separators) |
| Given a tuple of tuples of extended per-relation contributions, \( (t_0, t_1, \ldots,
t_{\text{NUM_SUBRELATIONS}-1}) \) and a challenge \( \alpha \), scale them by the relation separator \(\alpha\), extend to the correct degree, and take the sum multiplying by \(pow_{\beta}\)-contributions. | |
| template<typename ExtendedUnivariate , typename TupleOfTuplesOfUnivariates > | |
| static void | extend_and_batch_univariates (const TupleOfTuplesOfUnivariates &tuple, ExtendedUnivariate &result, const bb::GateSeparatorPolynomial< FF > &gate_separators) |
| Extend Univariates then sum them multiplying by the current \( pow_{\beta} \)-contributions. | |
| static SumcheckRoundUnivariate | compute_libra_univariate (const ZKData &zk_sumcheck_data, size_t round_idx) |
| Compute Libra round univariate expressed given by the formula. | |
Public Attributes | |
| size_t | round_size |
| In Round \(i = 0,\ldots, d-1\), equals \(2^{d-i}\). | |
| SumcheckTupleOfTuplesOfUnivariates | univariate_accumulators |
Static Public Attributes | |
| static constexpr size_t | NUM_RELATIONS = Flavor::NUM_RELATIONS |
| Number of batched sub-relations in \(F\) specified by Flavor. | |
| static constexpr size_t | MAX_PARTIAL_RELATION_LENGTH = Flavor::MAX_PARTIAL_RELATION_LENGTH |
| The total algebraic degree of the Sumcheck relation \( F \) as a polynomial in Prover Polynomials \(P_1,\ldots, P_N\). | |
| static constexpr size_t | BATCHED_RELATION_PARTIAL_LENGTH = Flavor::BATCHED_RELATION_PARTIAL_LENGTH |
| The total algebraic degree of the Sumcheck relation \( F \) as a polynomial in Prover Polynomials \(P_1,\ldots, P_N\) incremented by 1, i.e. it is equal MAX_PARTIAL_RELATION_LENGTH + 1. | |
| static constexpr size_t | LIBRA_UNIVARIATES_LENGTH = Flavor::Curve::LIBRA_UNIVARIATES_LENGTH |
Private Types | |
| using | Utils = bb::RelationUtils< Flavor > |
| using | Relations = typename Flavor::Relations |
| using | SumcheckTupleOfTuplesOfUnivariates = decltype(create_sumcheck_tuple_of_tuples_of_univariates< Relations >()) |
| using | SubrelationSeparators = typename Flavor::SubrelationSeparators |
Private Member Functions | |
| void | accumulate_relation_univariates (SumcheckTupleOfTuplesOfUnivariates &univariate_accumulators, const auto &extended_edges, const bb::RelationParameters< FF > &relation_parameters, const FF &scaling_factor) |
| In Round \( i \), for a given point \( \vec \ell \in \{0,1\}^{d-1 - i}\), calculate the contribution of each sub-relation to \( T^i(X_i) \). | |
Imlementation of the Sumcheck prover round.
The evaluations of the round univariate \( \tilde{S}^i \) over the domain \(0,\ldots, D \) are obtained by the method compute univariate. The implementation consists of the following sub-methods:
Note: This class uses recursive function calls with template parameters. This is a common trick that is used to force the compiler to unroll loops. The idea is that a function that is only called once will always be inlined, and since template functions always create different functions, this is guaranteed.
Definition at line 45 of file sumcheck_round.hpp.
| using bb::SumcheckProverRound< Flavor >::ExtendedEdges = std::conditional_t<Flavor::USE_SHORT_MONOMIALS, typename Flavor::template ProverUnivariates<2>, typename Flavor::ExtendedEdges> |
Definition at line 54 of file sumcheck_round.hpp.
| using bb::SumcheckProverRound< Flavor >::FF = typename Flavor::FF |
Definition at line 53 of file sumcheck_round.hpp.
|
private |
Definition at line 48 of file sumcheck_round.hpp.
|
private |
Definition at line 50 of file sumcheck_round.hpp.
| using bb::SumcheckProverRound< Flavor >::SumcheckRoundUnivariate = bb::Univariate<FF, BATCHED_RELATION_PARTIAL_LENGTH> |
Definition at line 78 of file sumcheck_round.hpp.
|
private |
Definition at line 49 of file sumcheck_round.hpp.
|
private |
Definition at line 47 of file sumcheck_round.hpp.
| using bb::SumcheckProverRound< Flavor >::ZKData = ZKSumcheckData<Flavor> |
Definition at line 57 of file sumcheck_round.hpp.
|
inline |
Definition at line 86 of file sumcheck_round.hpp.
|
inlineprivate |
In Round \( i \), for a given point \( \vec \ell \in \{0,1\}^{d-1 - i}\), calculate the contribution of each sub-relation to \( T^i(X_i) \).
In Round \( i \), this method computes the univariate \( T^i(X_i) \) deined in this section. It is done as follows:
Definition at line 689 of file sumcheck_round.hpp.
|
inlinestatic |
Given a tuple of tuples of extended per-relation contributions, \( (t_0, t_1, \ldots, t_{\text{NUM_SUBRELATIONS}-1}) \) and a challenge \( \alpha \), scale them by the relation separator \(\alpha\), extend to the correct degree, and take the sum multiplying by \(pow_{\beta}\)-contributions.
This method receives as input the univariate accumulators computed by accumulate relation univariates after passing through the entire hypercube and applying add_nested_tuples method to join the threads. The accumulators are scaled using the method scaleunivariates", extended to the degree \_form#18 and summed with appropriate \_form#51-factors using \ref extend_and_batch_univariates "extend and batch univariates method" to return a vector \((\tilde{S}^i(0), \ldots, \tilde{S}^i(D))\).
| challenge | Challenge \(\alpha\). |
| gate_separators | Round \(pow_{\beta}\)-factor given by \( ( (1−u_i) + u_i\cdot \beta_i )\). |
Definition at line 572 of file sumcheck_round.hpp.
|
inline |
Compute the number of unskippable rows we must iterate over.
Some circuits have a circuit size much larger than the number of used rows (ECCVM, Translator). For relevant flavors, we have a skip_entire_row method that can be used to check whether to skip. This method iterates over the execution trace & computes blocks of contiguous unskippable rows.
| ProverPolynomialsOrPartiallyEvaluatedMultivariates |
| polynomials |
Definition at line 355 of file sumcheck_round.hpp.
|
inline |
For ZK Flavors: A method disabling the last 4 rows of the ProverPolynomials.
See description of RowDisablingPolynomial
Definition at line 469 of file sumcheck_round.hpp.
|
inlinestatic |
Compute Libra round univariate expressed given by the formula.
\begin{align} \texttt{libra_round_univariate}_i(k) = \rho \cdot 2^{d-1-i} \left(\sum_{j = 0}^{i-1} g_j(u_{j}) + g_{i,k}+ \sum_{j=i+1}^{d-1}\left(g_{j,0}+g_{j,1}\right)\right) = \texttt{libra_univariates}_{i}(k) + \texttt{libra_running_sum} \end{align}
.
| zk_sumcheck_data | |
| round_idx |
Definition at line 643 of file sumcheck_round.hpp.
|
inline |
Return the evaluations of the univariate round polynomials. Toggles between chunked computation (designed with the AVM in mind) and a version which intelligently allows from row-skipped functionality.
Definition at line 147 of file sumcheck_round.hpp.
|
inline |
Return the evaluations of the univariate round polynomials \( \tilde{S}_{i} (X_{i}) \) at \( X_{i } = 0,\ldots, D \). Most likely, \( D \) is around \( 12 \). At the end, reset all univariate accumulators to be zero.
First, the vector of pow challenges is computed. Then, multi-threading is being set up. Compute the evaluations of partially evaluated Honk polynomials \( P_j\left(u_0,\ldots, u_{i-1}, X_{i} , \vec \ell \right) \) for \( X_{i} = 2, \ldots, D \) using extend edges method. This method invokes more general extend_to method that in this case reduces to a very simple expression
\begin{align} P_j\left( u_0,\ldots, u_{i-1}, k, \vec \ell \right) = P_j\left( u_0,\ldots, u_{i-1}, k-1, \vec \ell \right) + P_j\left( u_0,\ldots, u_{i-1}, 1, \vec \ell \right) - P_j\left( u_0,\ldots, u_{i-1}, 0, \vec \ell \right) \end{align}
, where \( k=2,\ldots, D \). For a given \( \vec \ell \in \{0,1\}^{d -1 -i} \), we invoke accumulate relation univariates to compute the contributions of \( P_1\left(u_0,\ldots, u_{i-1}, k, \vec \ell \right) \), ..., \( P_N\left(u_0,\ldots, u_{i-1}, k, \vec \ell \right) \) to every sub-relation. Finally, the accumulators for individual relations' contributions are summed with appropriate factors using method extend and batch univariates.
Definition at line 182 of file sumcheck_round.hpp.
|
inline |
Version of compute_univariate that allows for row-skipping, as a prover-side optimization.
Definition at line 406 of file sumcheck_round.hpp.
|
inlinestatic |
Extend Univariates then sum them multiplying by the current \( pow_{\beta} \)-contributions.
Since the sub-relations comprising full Honk relation are of different degrees, the computation of the evaluations of round univariate \( \tilde{S}_{i}(X_{i}) \) at points \( X_{i} = 0,\ldots, D \) requires to extend evaluations of individual relations to the domain \( 0,\ldots, D\). Moreover, linearly independent sub-relations, i.e. whose validity is being checked at every point of the hypercube, are multiplied by the constant \( c_i = pow_\beta(u_0,\ldots, u_{i-1}) \) and the current \(pow_{\beta}\)-factor \( ( (1−X_i) + X_i\cdot \beta_i ) \vert_{X_i = k} \) for \( k = 0,\ldots, D\).
| extended_size | Size after extension |
| tuple | A tuple of tuples of Univariates |
| result | Round univariate \( \tilde{S}^i\) represented by its evaluations over \( \{0,\ldots, D\} \). |
| gate_separators | Round \(pow_{\beta}\)-factor \( ( (1−X_i) + X_i\cdot \beta_i )\). |
Definition at line 600 of file sumcheck_round.hpp.
|
inline |
To compute the round univariate in Round \(i\), the prover first computes the values of Honk polynomials \( P_1,\ldots, P_N \) at the points of the form \( (u_0,\ldots, u_{i-1}, k, \vec \ell)\) for \( k=0,\ldots, D \), where \( D \) is defined as partial algebraic degree of the relation multiplied by pow-polynomial.
In the first round, extend edges method receives required evaluations from the prover polynomials. In the subsequent rounds, the method receives partially evaluated polynomials.
In both cases, in Round \( i \), the method receives \((0, \vec \ell) \in \{0,1\}\times\{0,1\}^{d-1 - i} \), accesses the evaluations \( P_j\left(u_0,\ldots, u_{i-1}, 0, \vec \ell\right) \) and \( P_j\left(u_0,\ldots, u_{i-1}, 1, \vec \ell\right) \) of \( N \) linear polynomials \( P_j\left(u_0,\ldots, u_{i-1}, X_{i}, \vec \ell \right) \) that are already available either from the prover's input in the first round, or from the multivariates table. Using general method extend_to, the evaluations of these polynomials are extended from the domain \( \{0,1\} \) to the domain \( \{0,\ldots, D\} \) required for the computation of the round univariate. In the case when witness polynomials are masked (ZK Flavors), this method has to distinguish between witness and non-witness polynomials. The witness univariates obtained from witness multilinears are corrected by a masking quadratic term extended to the same length MAX_PARTIAL_RELATION_LENGTH. Should only be called externally with relation_idx equal to 0. In practice, #multivariates is either ProverPolynomials or PartiallyEvaluatedMultivariates.
| edge_idx | A point \((0, \vec \ell) \in \{0,1\}^{d-i} \), where \( i\in \{0,\ldots, d-1\}\) is Round number. |
| extended_edges | Container for the evaluations of \(P_j(u_0,\ldots, u_{i-1}, k, \vec \ell) \) for \(k=0,\ldots, D\) and \(j=1,\ldots,N\). |
Definition at line 124 of file sumcheck_round.hpp.
|
staticconstexpr |
The total algebraic degree of the Sumcheck relation \( F \) as a polynomial in Prover Polynomials \(P_1,\ldots, P_N\) incremented by 1, i.e. it is equal MAX_PARTIAL_RELATION_LENGTH + 1.
Definition at line 77 of file sumcheck_round.hpp.
|
staticconstexpr |
Definition at line 83 of file sumcheck_round.hpp.
|
staticconstexpr |
The total algebraic degree of the Sumcheck relation \( F \) as a polynomial in Prover Polynomials \(P_1,\ldots, P_N\).
Definition at line 71 of file sumcheck_round.hpp.
|
staticconstexpr |
Number of batched sub-relations in \(F\) specified by Flavor.
Definition at line 66 of file sumcheck_round.hpp.
| size_t bb::SumcheckProverRound< Flavor >::round_size |
In Round \(i = 0,\ldots, d-1\), equals \(2^{d-i}\).
Definition at line 61 of file sumcheck_round.hpp.
| SumcheckTupleOfTuplesOfUnivariates bb::SumcheckProverRound< Flavor >::univariate_accumulators |
Definition at line 80 of file sumcheck_round.hpp.
1.9.8