Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
decider_prover.cpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: not started, auditors: [], date: YYYY-MM-DD }
3// external_1: { status: not started, auditors: [], date: YYYY-MM-DD }
4// external_2: { status: not started, auditors: [], date: YYYY-MM-DD }
5// =====================
6
7#include "decider_prover.hpp"
8#include "barretenberg/commitment_schemes/small_subgroup_ipa/small_subgroup_ipa.hpp"
9#include "barretenberg/common/op_count.hpp"
10#include "barretenberg/sumcheck/sumcheck.hpp"
11
12namespace bb {
13
22template <IsUltraOrMegaHonk Flavor>
23DeciderProver_<Flavor>::DeciderProver_(const std::shared_ptr<DeciderPK>& proving_key,
24 const std::shared_ptr<Transcript>& transcript)
25 : proving_key(std::move(proving_key))
26 , transcript(transcript)
27{}
28
34template <IsUltraOrMegaHonk Flavor> void DeciderProver_<Flavor>::execute_relation_check_rounds()
35{
36 const size_t virtual_log_n = Flavor::USE_PADDING ? Flavor::VIRTUAL_LOG_N : proving_key->log_dyadic_size();
37
38 using Sumcheck = SumcheckProver<Flavor>;
39 size_t polynomial_size = proving_key->dyadic_size();
40 Sumcheck sumcheck(polynomial_size,
41 proving_key->polynomials,
42 transcript,
43 proving_key->alphas,
44 proving_key->gate_challenges,
45 proving_key->relation_parameters,
46 virtual_log_n);
47 {
48
49 PROFILE_THIS_NAME("sumcheck.prove");
50
51 if constexpr (Flavor::HasZK) {
52 const size_t log_subgroup_size = static_cast<size_t>(numeric::get_msb(Curve::SUBGROUP_SIZE));
53 CommitmentKey commitment_key(1 << (log_subgroup_size + 1));
54 zk_sumcheck_data = ZKData(numeric::get_msb(polynomial_size), transcript, commitment_key);
55 sumcheck_output = sumcheck.prove(zk_sumcheck_data);
56 } else {
57 sumcheck_output = sumcheck.prove();
58 }
59 }
60}
61
68template <IsUltraOrMegaHonk Flavor> void DeciderProver_<Flavor>::execute_pcs_rounds()
69{
70 using OpeningClaim = ProverOpeningClaim<Curve>;
71 using PolynomialBatcher = GeminiProver_<Curve>::PolynomialBatcher;
72
73 auto& ck = proving_key->commitment_key;
74 if (!ck.initialized()) {
75 ck = CommitmentKey(proving_key->dyadic_size());
76 }
77
78 PolynomialBatcher polynomial_batcher(proving_key->dyadic_size());
79 polynomial_batcher.set_unshifted(proving_key->polynomials.get_unshifted());
80 polynomial_batcher.set_to_be_shifted_by_one(proving_key->polynomials.get_to_be_shifted());
81
82 OpeningClaim prover_opening_claim;
83 if constexpr (!Flavor::HasZK) {
84 prover_opening_claim = ShpleminiProver_<Curve>::prove(
85 proving_key->dyadic_size(), polynomial_batcher, sumcheck_output.challenge, ck, transcript);
86 } else {
87
88 SmallSubgroupIPA small_subgroup_ipa_prover(
89 zk_sumcheck_data, sumcheck_output.challenge, sumcheck_output.claimed_libra_evaluation, transcript, ck);
90 small_subgroup_ipa_prover.prove();
91
92 prover_opening_claim = ShpleminiProver_<Curve>::prove(proving_key->dyadic_size(),
93 polynomial_batcher,
94 sumcheck_output.challenge,
95 ck,
96 transcript,
97 small_subgroup_ipa_prover.get_witness_polynomials());
98 }
99 vinfo("executed multivariate-to-univariate reduction");
100 PCS::compute_opening_proof(ck, prover_opening_claim, transcript);
101 vinfo("computed opening proof");
102}
103
104template <IsUltraOrMegaHonk Flavor> DeciderProver_<Flavor>::Proof DeciderProver_<Flavor>::export_proof()
105{
106 return transcript->export_proof();
107}
108
109template <IsUltraOrMegaHonk Flavor> void DeciderProver_<Flavor>::construct_proof()
110{
111 PROFILE_THIS_NAME("Decider::construct_proof");
112
113 // Run sumcheck subprotocol.
114 execute_relation_check_rounds();
115
116 // Fiat-Shamir: rho, y, x, z
117 // Execute Shplemini PCS
118 execute_pcs_rounds();
119 vinfo("finished decider proving.");
120}
121
122template class DeciderProver_<UltraFlavor>;
123template class DeciderProver_<UltraZKFlavor>;
124template class DeciderProver_<UltraRollupFlavor>;
125template class DeciderProver_<UltraKeccakFlavor>;
126#ifdef STARKNET_GARAGA_FLAVORS
127template class DeciderProver_<UltraStarknetFlavor>;
128template class DeciderProver_<UltraStarknetZKFlavor>;
129#endif
130template class DeciderProver_<UltraKeccakZKFlavor>;
131template class DeciderProver_<MegaFlavor>;
132template class DeciderProver_<MegaZKFlavor>;
133
134} // namespace bb
bb::DeciderProver_
Definition decider_prover.hpp:22
bb::DeciderProver_::Proof
typename Flavor::Transcript::Proof Proof
Definition decider_prover.hpp:35
bb::DeciderProver_::DeciderProver_
DeciderProver_(const std::shared_ptr< DeciderPK > &, const std::shared_ptr< Transcript > &transcript=std::make_shared< Transcript >())
Definition decider_prover.cpp:23
bb::DeciderProver_::CommitmentKey
typename Flavor::CommitmentKey CommitmentKey
Definition decider_prover.hpp:26
bb::DeciderProver_::execute_pcs_rounds
BB_PROFILE void execute_pcs_rounds()
Produce a univariate opening claim for the sumcheck multivariate evalutions and a batched univariate ...
Definition decider_prover.cpp:68
bb::DeciderProver_::execute_relation_check_rounds
BB_PROFILE void execute_relation_check_rounds()
Run Sumcheck to establish that ∑_i pow(\vec{β*})f_i(ω) = e*. This results in u = (u_1,...
Definition decider_prover.cpp:34
bb::DeciderProver_::construct_proof
void construct_proof()
Definition decider_prover.cpp:109
bb::DeciderProver_::export_proof
Proof export_proof()
Definition decider_prover.cpp:104
bb::GeminiProver_::PolynomialBatcher
Class responsible for computation of the batched multilinear polynomials required by the Gemini proto...
Definition gemini.hpp:123
bb::MegaFlavor::HasZK
static constexpr bool HasZK
Definition mega_flavor.hpp:53
bb::MegaFlavor::VIRTUAL_LOG_N
static constexpr size_t VIRTUAL_LOG_N
Definition mega_flavor.hpp:49
bb::MegaFlavor::USE_PADDING
static constexpr bool USE_PADDING
Definition mega_flavor.hpp:56
bb::OpeningClaim
Unverified claim (C,r,v) for some witness polynomial p(X) such that.
Definition claim.hpp:53
bb::ProverOpeningClaim
Polynomial p and an opening pair (r,v) such that p(r) = v.
Definition claim.hpp:34
bb::ShpleminiProver_::prove
static OpeningClaim prove(const FF circuit_size, PolynomialBatcher &polynomial_batcher, std::span< FF > multilinear_challenge, const CommitmentKey< Curve > &commitment_key, const std::shared_ptr< Transcript > &transcript, const std::array< Polynomial, NUM_SMALL_IPA_EVALUATIONS > &libra_polynomials={}, const std::vector< Polynomial > &sumcheck_round_univariates={}, const std::vector< std::array< FF, 3 > > &sumcheck_round_evaluations={})
Definition shplemini.hpp:35
bb::SmallSubgroupIPAProver
A Curve-agnostic ZK protocol to prove inner products of small vectors.
Definition small_subgroup_ipa.hpp:69
bb::SmallSubgroupIPAProver::get_witness_polynomials
std::array< bb::Polynomial< FF >, NUM_SMALL_IPA_EVALUATIONS > get_witness_polynomials() const
Definition small_subgroup_ipa.hpp:178
bb::SmallSubgroupIPAProver::prove
void prove()
Compute the derived witnesses and and commit to them.
Definition small_subgroup_ipa.cpp:150
bb::SumcheckProver
The implementation of the sumcheck Prover for statements of the form for multilinear polynomials .
Definition sumcheck.hpp:123
bb::curve::Grumpkin::SUBGROUP_SIZE
static constexpr size_t SUBGROUP_SIZE
Definition grumpkin.hpp:67
vinfo
void vinfo(Args... args)
Definition log.hpp:76
decider_prover.hpp
bb::numeric::get_msb
constexpr T get_msb(const T in)
Definition get_msb.hpp:47
bb
Entry point for Barretenberg command-line interface.
Definition acir_format_getters.cpp:6
bb::ck
CommitmentKey< Curve > ck
Definition ipa.fuzzer.cpp:20
std
STL namespace.
op_count.hpp
PROFILE_THIS_NAME
#define PROFILE_THIS_NAME(name)
Definition op_count.hpp:16
small_subgroup_ipa.hpp
bb::ZKSumcheckData
This structure is created to contain various polynomials and constants required by ZK Sumcheck.
Definition zk_sumcheck_data.hpp:22