Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
eccvm_flavor.hpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: not started, auditors: [], date: YYYY-MM-DD }
3// external_1: { status: not started, auditors: [], date: YYYY-MM-DD }
4// external_2: { status: not started, auditors: [], date: YYYY-MM-DD }
5// =====================
6
7#pragma once
8#include "barretenberg/commitment_schemes/ipa/ipa.hpp"
9#include "barretenberg/common/assert.hpp"
10#include "barretenberg/common/std_array.hpp"
11#include "barretenberg/ecc/curves/bn254/bn254.hpp"
12#include "barretenberg/ecc/curves/grumpkin/grumpkin.hpp"
13#include "barretenberg/eccvm//eccvm_fixed_vk.hpp"
14#include "barretenberg/eccvm/eccvm_circuit_builder.hpp"
15#include "barretenberg/flavor/flavor.hpp"
16#include "barretenberg/flavor/flavor_macros.hpp"
17#include "barretenberg/flavor/relation_definitions.hpp"
18#include "barretenberg/flavor/repeated_commitments_data.hpp"
19#include "barretenberg/polynomials/polynomial.hpp"
20#include "barretenberg/polynomials/univariate.hpp"
21#include "barretenberg/relations/ecc_vm/ecc_bools_relation.hpp"
22#include "barretenberg/relations/ecc_vm/ecc_lookup_relation.hpp"
23#include "barretenberg/relations/ecc_vm/ecc_msm_relation.hpp"
24#include "barretenberg/relations/ecc_vm/ecc_point_table_relation.hpp"
25#include "barretenberg/relations/ecc_vm/ecc_set_relation.hpp"
26#include "barretenberg/relations/ecc_vm/ecc_transcript_relation.hpp"
27#include "barretenberg/relations/ecc_vm/ecc_wnaf_relation.hpp"
28#include "barretenberg/relations/relation_parameters.hpp"
29
30// NOLINTBEGIN(cppcoreguidelines-avoid-const-or-ref-data-members)
31
32namespace bb {
33
34class ECCVMFlavor {
35 public:
36 using CircuitBuilder = ECCVMCircuitBuilder;
37 using CycleGroup = bb::g1;
38 using Curve = curve::Grumpkin;
39 using G1 = typename Curve::Group;
40 using PCS = IPA<Curve>;
41 using FF = typename Curve::ScalarField;
42 using BF = typename Curve::BaseField;
43 using Polynomial = bb::Polynomial<FF>;
44 using GroupElement = typename G1::element;
45 using Commitment = typename G1::affine_element;
46 using CommitmentKey = bb::CommitmentKey<Curve>;
47 using VerifierCommitmentKey = bb::VerifierCommitmentKey<Curve>;
48 using MSM = bb::eccvm::MSM<CycleGroup>;
49 using Transcript = NativeTranscript;
50
51 // indicates when evaluating sumcheck, edges must be extended to be MAX_TOTAL_RELATION_LENGTH
52 static constexpr bool USE_SHORT_MONOMIALS = false;
53
54 // Indicates that this flavor runs with ZK Sumcheck.
55 static constexpr bool HasZK = true;
56 // ECCVM proof size and its recursive verifier circuit are genuinely fixed, hence no padding is needed.
57 static constexpr bool USE_PADDING = false;
58 // Fixed size of the ECCVM circuits used in ClientIVC
59 // Important: these constants cannot be arbitrarily changes - please consult with a member of the Crypto team if
60 // they become too small.
61 static constexpr size_t ECCVM_FIXED_SIZE = 1UL << CONST_ECCVM_LOG_N;
62
63 static constexpr size_t NUM_WIRES = 85;
64
65 // The number of multivariate polynomials on which a sumcheck prover sumcheck operates (including shifts). We often
66 // need containers of this size to hold related data, so we choose a name more agnostic than `NUM_POLYNOMIALS`.
67 // Note: this number does not include the individual sorted list polynomials.
68 static constexpr size_t NUM_ALL_ENTITIES = 116;
69 // The number of polynomials precomputed to describe a circuit and to aid a prover in constructing a satisfying
70 // assignment of witnesses. We again choose a neutral name.
71 static constexpr size_t NUM_PRECOMPUTED_ENTITIES = 3;
72 // The total number of witness entities not including shifts.
73 static constexpr size_t NUM_WITNESS_ENTITIES = 87;
74 // The number of entities in ShiftedEntities.
75 static constexpr size_t NUM_SHIFTED_ENTITIES = 26;
76 // The number of entities in DerivedWitnessEntities that are not going to be shifted.
77 static constexpr size_t NUM_DERIVED_WITNESS_ENTITIES_NON_SHIFTED = 1;
78 // A container to be fed to ShpleminiVerifier to avoid redundant scalar muls, the first number is the index of the
79 // first witness to be shifted.
80 static constexpr RepeatedCommitmentsData REPEATED_COMMITMENTS =
81 RepeatedCommitmentsData(NUM_PRECOMPUTED_ENTITIES + NUM_WITNESS_ENTITIES -
82 NUM_DERIVED_WITNESS_ENTITIES_NON_SHIFTED - NUM_SHIFTED_ENTITIES,
83 NUM_PRECOMPUTED_ENTITIES + NUM_WITNESS_ENTITIES,
84 NUM_SHIFTED_ENTITIES);
85
86 using GrandProductRelations = std::tuple<ECCVMSetRelation<FF>>;
87 // define the tuple of Relations that comprise the Sumcheck relation
88 template <typename FF>
89 using Relations_ = std::tuple<ECCVMTranscriptRelation<FF>,
90 ECCVMPointTableRelation<FF>,
91 ECCVMWnafRelation<FF>,
92 ECCVMMSMRelation<FF>,
93 ECCVMSetRelation<FF>,
94 ECCVMLookupRelation<FF>,
95 ECCVMBoolsRelation<FF>>;
96 using Relations = Relations_<FF>;
97 using LookupRelation = ECCVMLookupRelation<FF>;
98
99 static constexpr size_t NUM_SUBRELATIONS = compute_number_of_subrelations<Relations>();
100 using SubrelationSeparators = std::array<FF, NUM_SUBRELATIONS - 1>;
101
102 static constexpr size_t MAX_PARTIAL_RELATION_LENGTH = compute_max_partial_relation_length<Relations>();
103
104 // BATCHED_RELATION_PARTIAL_LENGTH = algebraic degree of sumcheck relation *after* multiplying by the `pow_zeta`
105 // random polynomial e.g. For \sum(x) [A(x) * B(x) + C(x)] * PowZeta(X), relation length = 2 and random relation
106 // length = 3.
107 // The degree has to be further increased by 1 because the relation is multiplied by the Row Disabling //
108 // Polynomial
109 static constexpr size_t BATCHED_RELATION_PARTIAL_LENGTH = MAX_PARTIAL_RELATION_LENGTH + 2;
110 static constexpr size_t NUM_RELATIONS = std::tuple_size<Relations>::value;
111
112 static constexpr size_t num_frs_comm = bb::field_conversion::calc_num_bn254_frs<Commitment>();
113 static constexpr size_t num_frs_fq = bb::field_conversion::calc_num_bn254_frs<FF>();
114
115 // Proof length formula
116 static constexpr size_t PROOF_LENGTH_WITHOUT_PUB_INPUTS =
117 /* 1. NUM_WITNESS_ENTITIES commitments */ (NUM_WITNESS_ENTITIES * num_frs_comm) +
118 /* 2. Libra concatenation commitment*/ (num_frs_comm) +
119 /* 3. Libra sum */ (num_frs_fq) +
120 /* 4. CONST_ECCVM_LOG_N sumcheck univariates commitments */
121 (CONST_ECCVM_LOG_N * num_frs_comm) +
122 /* 5. 2 * CONST_ECCVM_LOG_N sumcheck univariate evaluations */
123 (2 * CONST_ECCVM_LOG_N * num_frs_fq) +
124 /* 6. NUM_ALL_ENTITIES sumcheck evaluations*/ (NUM_ALL_ENTITIES * num_frs_fq) +
125 /* 7. Libra claimed evaluation */ (num_frs_fq) +
126 /* 8. Libra grand sum commitment */ (num_frs_comm) +
127 /* 9. Libra quotient commitment */ (num_frs_comm) +
128 /* 10. Gemini masking commitment */ (num_frs_comm) +
129 /* 11. Gemini masking evaluation */ (num_frs_fq) +
130 /* 12. CONST_ECCVM_LOG_N - 1 Gemini Fold commitments */
131 ((CONST_ECCVM_LOG_N - 1) * num_frs_comm) +
132 /* 13. CONST_ECCVM_LOG_N Gemini a evaluations */
133 (CONST_ECCVM_LOG_N * num_frs_fq) +
134 /* 14. NUM_SMALL_IPA_EVALUATIONS libra evals */ (NUM_SMALL_IPA_EVALUATIONS * num_frs_fq) +
135 /* 15. Shplonk Q commitment */ (num_frs_comm) +
136 /* 16. Translator concatenated masking term commitment */ (num_frs_comm) +
137 /* 17 Translator op evaluation */ (num_frs_fq) +
138 /* 18 Translator Px evaluation */ (num_frs_fq) +
139 /* 19 Translator Py evaluation */ (num_frs_fq) +
140 /* 20 Translator z1 evaluation */ (num_frs_fq) +
141 /* 21 Translator z2 evaluation */ (num_frs_fq) +
142 /* 22 Translator concatenated masking term evaluation */ (num_frs_fq) +
143 /* 23 Translator grand sum commitment */ (num_frs_comm) +
144 /* 24 Translator quotient commitment */ (num_frs_comm) +
145 /* 25 Translator concatenation eval */ (num_frs_fq) +
146 /* 26 Translator grand sum shift eval */ (num_frs_fq) +
147 /* 27 Translator grand sum eval */ (num_frs_fq) +
148 /* 28 Translator quotient eval */ (num_frs_fq) +
149 /* 29 Shplonk Q commitment */ (num_frs_comm) +
150 /* 30 IPA proof */ IPA_PROOF_LENGTH;
151
152 // The sub-protocol `compute_translation_opening_claims` outputs an opening claim for the batched univariate
153 // evaluation of `op`, `Px`, `Py`, `z1`, and `z2`, and an array of opening claims for the evaluations of the
154 // SmallSubgroupIPA witness polynomials.
155 static constexpr size_t NUM_TRANSLATION_OPENING_CLAIMS = NUM_SMALL_IPA_EVALUATIONS + 1;
156
157 // TODO(https://github.com/AztecProtocol/barretenberg/issues/989): refine access specifiers in flavors, this is
158 // public as it is also used in the recursive flavor but the two could possibly me unified eventually
163 template <typename DataType_> class PrecomputedEntities {
164 public:
165 bool operator==(const PrecomputedEntities& other) const = default;
166 using DataType = DataType_;
167 DEFINE_FLAVOR_MEMBERS(DataType,
168 lagrange_first, // column 0
169 lagrange_second, // column 1
170 lagrange_last); // column 2
171
172 DataType get_selectors() { return get_all(); };
173 };
174
179 template <typename DataType> struct DerivedWitnessEntities {
180 DEFINE_FLAVOR_MEMBERS(DataType,
181 z_perm, // column 0
182 lookup_inverses); // column 1
183 };
184 template <typename DataType> class WireNonShiftedEntities {
185 public:
186 DEFINE_FLAVOR_MEMBERS(DataType,
187 transcript_add, // column 0
188 transcript_eq, // column 1
189 transcript_msm_transition, // column 2
190 transcript_Px, // column 3
191 transcript_Py, // column 4
192 transcript_z1, // column 5
193 transcript_z2, // column 6
194 transcript_z1zero, // column 7
195 transcript_z2zero, // column 8
196 transcript_op, // column 9
197 transcript_msm_x, // column 10
198 transcript_msm_y, // column 11
199 precompute_point_transition, // column 12
200 precompute_s1lo, // column 13
201 precompute_s2hi, // column 14
202 precompute_s2lo, // column 15
203 precompute_s3hi, // column 16
204 precompute_s3lo, // column 17
205 precompute_s4hi, // column 18
206 precompute_s4lo, // column 19
207 precompute_skew, // column 20
208 msm_size_of_msm, // column 21
209 msm_add2, // column 22
210 msm_add3, // column 23
211 msm_add4, // column 24
212 msm_x1, // column 25
213 msm_y1, // column 26
214 msm_x2, // column 27
215 msm_y2, // column 28
216 msm_x3, // column 29
217 msm_y3, // column 30
218 msm_x4, // column 31
219 msm_y4, // column 32
220 msm_collision_x1, // column 33
221 msm_collision_x2, // column 34
222 msm_collision_x3, // column 35
223 msm_collision_x4, // column 36
224 msm_lambda1, // column 37
225 msm_lambda2, // column 38
226 msm_lambda3, // column 39
227 msm_lambda4, // column 40
228 msm_slice1, // column 41
229 msm_slice2, // column 42
230 msm_slice3, // column 43
231 msm_slice4, // column 44
232 transcript_reset_accumulator, // column 45
233 lookup_read_counts_0, // column 46
234 lookup_read_counts_1, // column 47
235 transcript_base_infinity, // column 48
236 transcript_base_x_inverse, // column 49
237 transcript_base_y_inverse, // column 50
238 transcript_add_x_equal, // column 51
239 transcript_add_y_equal, // column 52
240 transcript_add_lambda, // column 53
241 transcript_msm_intermediate_x, // column 54
242 transcript_msm_intermediate_y, // column 55
243 transcript_msm_infinity, // column 56
244 transcript_msm_x_inverse, // column 57
245 transcript_msm_count_zero_at_transition, // column 58
246 transcript_msm_count_at_transition_inverse) // column 59
247 };
248
254 template <typename DataType> class WireToBeShiftedWithoutAccumulatorsEntities {
255 public:
256 DEFINE_FLAVOR_MEMBERS(DataType,
257 transcript_mul, // column 60
258 transcript_msm_count, // column 61
259 precompute_scalar_sum, // column 62
260 precompute_s1hi, // column 63
261 precompute_dx, // column 64
262 precompute_dy, // column 65
263 precompute_tx, // column 66
264 precompute_ty, // column 67
265 msm_transition, // column 68
266 msm_add, // column 69
267 msm_double, // column 70
268 msm_skew, // column 71
269 msm_accumulator_x, // column 72
270 msm_accumulator_y, // column 73
271 msm_count, // column 74
272 msm_round, // column 75
273 msm_add1, // column 76
274 msm_pc, // column 77
275 precompute_pc, // column 78
276 transcript_pc, // column 79
277 precompute_round, // column 80
278 precompute_select) // column 81
279 };
280
285 template <typename DataType> class WireToBeShiftedAccumulatorEntities {
286 public:
287 DEFINE_FLAVOR_MEMBERS(DataType,
288 transcript_accumulator_not_empty, // column 82
289 transcript_accumulator_x, // column 83
290 transcript_accumulator_y) // column 84
291 };
292
297 template <typename DataType>
322
326 template <typename DataType> class ShiftedEntities {
327 public:
328 DEFINE_FLAVOR_MEMBERS(DataType,
329 transcript_mul_shift, // column 0
330 transcript_msm_count_shift, // column 1
331 precompute_scalar_sum_shift, // column 2
332 precompute_s1hi_shift, // column 3
333 precompute_dx_shift, // column 4
334 precompute_dy_shift, // column 5
335 precompute_tx_shift, // column 6
336 precompute_ty_shift, // column 7
337 msm_transition_shift, // column 8
338 msm_add_shift, // column 9
339 msm_double_shift, // column 10
340 msm_skew_shift, // column 11
341 msm_accumulator_x_shift, // column 12
342 msm_accumulator_y_shift, // column 13
343 msm_count_shift, // column 14
344 msm_round_shift, // column 15
345 msm_add1_shift, // column 16
346 msm_pc_shift, // column 17
347 precompute_pc_shift, // column 18
348 transcript_pc_shift, // column 19
349 precompute_round_shift, // column 20
350 precompute_select_shift, // column 21
351 transcript_accumulator_not_empty_shift, // column 22
352 transcript_accumulator_x_shift, // column 23
353 transcript_accumulator_y_shift, // column 24
354 z_perm_shift); // column 25
355 };
356
357 template <typename DataType, typename PrecomputedAndWitnessEntitiesSuperset>
358 static auto get_to_be_shifted(PrecomputedAndWitnessEntitiesSuperset& entities)
359 {
360 // NOTE: must match order of ShiftedEntities above!
361 return RefArray{ entities.transcript_mul, // column 0
362 entities.transcript_msm_count, // column 1
363 entities.precompute_scalar_sum, // column 2
364 entities.precompute_s1hi, // column 3
365 entities.precompute_dx, // column 4
366 entities.precompute_dy, // column 5
367 entities.precompute_tx, // column 6
368 entities.precompute_ty, // column 7
369 entities.msm_transition, // column 8
370 entities.msm_add, // column 9
371 entities.msm_double, // column 10
372 entities.msm_skew, // column 11
373 entities.msm_accumulator_x, // column 12
374 entities.msm_accumulator_y, // column 13
375 entities.msm_count, // column 14
376 entities.msm_round, // column 15
377 entities.msm_add1, // column 16
378 entities.msm_pc, // column 17
379 entities.precompute_pc, // column 18
380 entities.transcript_pc, // column 19
381 entities.precompute_round, // column 20
382 entities.precompute_select, // column 21
383 entities.transcript_accumulator_not_empty, // column 22
384 entities.transcript_accumulator_x, // column 23
385 entities.transcript_accumulator_y, // column 24
386 entities.z_perm }; // column 25
387 }
388
399 template <typename DataType>
400 class AllEntities : public PrecomputedEntities<DataType>,
401 public WitnessEntities<DataType>,
402 public ShiftedEntities<DataType> {
403 public:
404 DEFINE_COMPOUND_GET_ALL(PrecomputedEntities<DataType>, WitnessEntities<DataType>, ShiftedEntities<DataType>)
409 auto get_to_be_shifted() { return ECCVMFlavor::get_to_be_shifted<DataType>(*this); }
410 auto get_shifted() { return ShiftedEntities<DataType>::get_all(); };
411 auto get_precomputed() { return PrecomputedEntities<DataType>::get_all(); };
412 };
413
418 class AllValues : public AllEntities<FF> {
419 public:
420 using Base = AllEntities<FF>;
421 using Base::Base;
422 };
423
427 template <size_t LENGTH> using ProverUnivariates = AllEntities<bb::Univariate<FF, LENGTH>>;
428
432 using ExtendedEdges = ProverUnivariates<MAX_PARTIAL_RELATION_LENGTH>;
433
437 class ProverPolynomials : public AllEntities<Polynomial> {
438 public:
439 // Define all operations as default, except copy construction/assignment
440 ProverPolynomials() = default;
441 ProverPolynomials& operator=(const ProverPolynomials&) = delete;
442 ProverPolynomials(const ProverPolynomials& o) = delete;
443 ProverPolynomials(ProverPolynomials&& o) noexcept = default;
444 ProverPolynomials& operator=(ProverPolynomials&& o) noexcept = default;
445 ~ProverPolynomials() = default;
446 [[nodiscard]] size_t get_polynomial_size() const { return this->lagrange_first.size(); }
447
452 AllValues get_row(const size_t row_idx) const
453 {
454 AllValues result;
455 for (auto [result_field, polynomial] : zip_view(result.get_all(), this->get_all())) {
456 result_field = polynomial[row_idx];
457 }
458 return result;
459 }
460 // Set all shifted polynomials based on their to-be-shifted counterpart
461 void set_shifted()
462 {
463 for (auto [shifted, to_be_shifted] : zip_view(get_shifted(), get_to_be_shifted())) {
464 shifted = to_be_shifted.shifted();
465 }
466 }
467
468#ifdef FUZZING
469 ProverPolynomials(const CircuitBuilder& builder, bool disable_fixed_dyadic_trace_size = false)
470#else
562 ProverPolynomials(const CircuitBuilder& builder)
563#endif
564 {
565 // compute rows for the three different sections of the ECCVM execution trace
566 const auto transcript_rows =
567 ECCVMTranscriptBuilder::compute_rows(builder.op_queue->get_eccvm_ops(), builder.get_number_of_muls());
568 const std::vector<MSM> msms = builder.get_msms();
569 const auto point_table_rows =
570 ECCVMPointTablePrecomputationBuilder::compute_rows(CircuitBuilder::get_flattened_scalar_muls(msms));
571 const auto result = ECCVMMSMMBuilder::compute_rows(
572 msms, builder.get_number_of_muls(), builder.op_queue->get_num_msm_rows());
573 const auto& msm_rows = std::get<0>(result);
574 const auto& point_table_read_counts = std::get<1>(result);
575
576 const size_t num_rows = std::max({ point_table_rows.size(), msm_rows.size(), transcript_rows.size() }) +
577 NUM_DISABLED_ROWS_IN_SUMCHECK;
578 const auto log_num_rows = static_cast<size_t>(numeric::get_msb64(num_rows));
579 size_t dyadic_num_rows = 1UL << (log_num_rows + (1UL << log_num_rows == num_rows ? 0 : 1));
580 if (ECCVM_FIXED_SIZE < dyadic_num_rows) {
581 throw_or_abort("The ECCVM circuit size has exceeded the fixed upper bound! Fixed size: " +
582 std::to_string(ECCVM_FIXED_SIZE) + " actual size: " + std::to_string(dyadic_num_rows));
583 }
584
585#ifdef FUZZING
586 // We don't want to spend all the time generating the full trace if we are just fuzzing eccvm.
587 if (disable_fixed_dyadic_trace_size) {
588 dyadic_num_rows = num_rows;
589 } else {
590 dyadic_num_rows = ECCVM_FIXED_SIZE;
591 }
592#else
593 dyadic_num_rows = ECCVM_FIXED_SIZE;
594#endif
595 size_t unmasked_witness_size = dyadic_num_rows - NUM_DISABLED_ROWS_IN_SUMCHECK;
596
597 for (auto& poly : get_to_be_shifted()) {
598 poly = Polynomial{ /*memory size*/ dyadic_num_rows - 1,
599 /*largest possible index*/ dyadic_num_rows,
600 /* offset */ 1 };
601 }
602 // allocate polynomials; define lagrange and lookup read count polynomials
603 for (auto& poly : get_all()) {
604 if (poly.is_empty()) {
605 poly = Polynomial(dyadic_num_rows);
606 }
607 }
608 lagrange_first.at(0) = 1;
609 lagrange_second.at(1) = 1;
610 lagrange_last.at(unmasked_witness_size - 1) = 1;
611 for (size_t i = 0; i < point_table_read_counts[0].size(); ++i) {
612 // Explanation of off-by-one offset:
613 // When computing the WNAF slice for a point at point counter value `pc` and a round index `round`, the
614 // row number that computes the slice can be derived. This row number is then mapped to the index of
615 // `lookup_read_counts`. We do this mapping in `ecc_msm_relation`. We are off-by-one because we add an
616 // empty row at the start of the WNAF columns that is not accounted for (index of lookup_read_counts
617 // maps to the row in our WNAF columns that computes a slice for a given value of pc and round)
618 lookup_read_counts_0.at(i + 1) = point_table_read_counts[0][i];
619 lookup_read_counts_1.at(i + 1) = point_table_read_counts[1][i];
620 }
621
622 // compute polynomials for transcript columns
623 parallel_for_range(transcript_rows.size(), [&](size_t start, size_t end) {
624 for (size_t i = start; i < end; i++) {
625 transcript_accumulator_not_empty.set_if_valid_index(i, transcript_rows[i].accumulator_not_empty);
626 transcript_add.set_if_valid_index(i, transcript_rows[i].q_add);
627 transcript_mul.set_if_valid_index(i, transcript_rows[i].q_mul);
628 transcript_eq.set_if_valid_index(i, transcript_rows[i].q_eq);
629 transcript_reset_accumulator.set_if_valid_index(i, transcript_rows[i].q_reset_accumulator);
630 transcript_msm_transition.set_if_valid_index(i, transcript_rows[i].msm_transition);
631 transcript_pc.set_if_valid_index(i, transcript_rows[i].pc);
632 transcript_msm_count.set_if_valid_index(i, transcript_rows[i].msm_count);
633 transcript_Px.set_if_valid_index(i, transcript_rows[i].base_x);
634 transcript_Py.set_if_valid_index(i, transcript_rows[i].base_y);
635 transcript_z1.set_if_valid_index(i, transcript_rows[i].z1);
636 transcript_z2.set_if_valid_index(i, transcript_rows[i].z2);
637 transcript_z1zero.set_if_valid_index(i, transcript_rows[i].z1_zero);
638 transcript_z2zero.set_if_valid_index(i, transcript_rows[i].z2_zero);
639 transcript_op.set_if_valid_index(i, transcript_rows[i].opcode);
640 transcript_accumulator_x.set_if_valid_index(i, transcript_rows[i].accumulator_x);
641 transcript_accumulator_y.set_if_valid_index(i, transcript_rows[i].accumulator_y);
642 transcript_msm_x.set_if_valid_index(i, transcript_rows[i].msm_output_x);
643 transcript_msm_y.set_if_valid_index(i, transcript_rows[i].msm_output_y);
644 transcript_base_infinity.set_if_valid_index(i, transcript_rows[i].base_infinity);
645 transcript_base_x_inverse.set_if_valid_index(i, transcript_rows[i].base_x_inverse);
646 transcript_base_y_inverse.set_if_valid_index(i, transcript_rows[i].base_y_inverse);
647 transcript_add_x_equal.set_if_valid_index(i, transcript_rows[i].transcript_add_x_equal);
648 transcript_add_y_equal.set_if_valid_index(i, transcript_rows[i].transcript_add_y_equal);
649 transcript_add_lambda.set_if_valid_index(i, transcript_rows[i].transcript_add_lambda);
650 transcript_msm_intermediate_x.set_if_valid_index(i,
651 transcript_rows[i].transcript_msm_intermediate_x);
652 transcript_msm_intermediate_y.set_if_valid_index(i,
653 transcript_rows[i].transcript_msm_intermediate_y);
654 transcript_msm_infinity.set_if_valid_index(i, transcript_rows[i].transcript_msm_infinity);
655 transcript_msm_x_inverse.set_if_valid_index(i, transcript_rows[i].transcript_msm_x_inverse);
656 transcript_msm_count_zero_at_transition.set_if_valid_index(
657 i, transcript_rows[i].msm_count_zero_at_transition);
658 transcript_msm_count_at_transition_inverse.set_if_valid_index(
659 i, transcript_rows[i].msm_count_at_transition_inverse);
660 }
661 });
662
663 parallel_for_range(point_table_rows.size(), [&](size_t start, size_t end) {
664 for (size_t i = start; i < end; i++) {
665 // first row is always an empty row (to accommodate shifted polynomials which must have 0 as 1st
666 // coefficient). All other rows in the point_table_rows represent active wnaf gates (i.e.
667 // precompute_select = 1)
668 precompute_select.set_if_valid_index(i, (i != 0) ? 1 : 0);
669 precompute_pc.set_if_valid_index(i, point_table_rows[i].pc);
670 precompute_point_transition.set_if_valid_index(
671 i, static_cast<uint64_t>(point_table_rows[i].point_transition));
672 precompute_round.set_if_valid_index(i, point_table_rows[i].round);
673 precompute_scalar_sum.set_if_valid_index(i, point_table_rows[i].scalar_sum);
674 precompute_s1hi.set_if_valid_index(i, point_table_rows[i].s1);
675 precompute_s1lo.set_if_valid_index(i, point_table_rows[i].s2);
676 precompute_s2hi.set_if_valid_index(i, point_table_rows[i].s3);
677 precompute_s2lo.set_if_valid_index(i, point_table_rows[i].s4);
678 precompute_s3hi.set_if_valid_index(i, point_table_rows[i].s5);
679 precompute_s3lo.set_if_valid_index(i, point_table_rows[i].s6);
680 precompute_s4hi.set_if_valid_index(i, point_table_rows[i].s7);
681 precompute_s4lo.set_if_valid_index(i, point_table_rows[i].s8);
682 // If skew is active (i.e. we need to subtract a base point from the msm result),
683 // write `7` into rows.precompute_skew. `7`, in binary representation, equals `-1` when converted
684 // into WNAF form
685 precompute_skew.set_if_valid_index(i, point_table_rows[i].skew ? 7 : 0);
686 precompute_dx.set_if_valid_index(i, point_table_rows[i].precompute_double.x);
687 precompute_dy.set_if_valid_index(i, point_table_rows[i].precompute_double.y);
688 precompute_tx.set_if_valid_index(i, point_table_rows[i].precompute_accumulator.x);
689 precompute_ty.set_if_valid_index(i, point_table_rows[i].precompute_accumulator.y);
690 }
691 });
692
693 // compute polynomials for the msm columns
694 parallel_for_range(msm_rows.size(), [&](size_t start, size_t end) {
695 for (size_t i = start; i < end; i++) {
696 msm_transition.set_if_valid_index(i, static_cast<int>(msm_rows[i].msm_transition));
697 msm_add.set_if_valid_index(i, static_cast<int>(msm_rows[i].q_add));
698 msm_double.set_if_valid_index(i, static_cast<int>(msm_rows[i].q_double));
699 msm_skew.set_if_valid_index(i, static_cast<int>(msm_rows[i].q_skew));
700 msm_accumulator_x.set_if_valid_index(i, msm_rows[i].accumulator_x);
701 msm_accumulator_y.set_if_valid_index(i, msm_rows[i].accumulator_y);
702 msm_pc.set_if_valid_index(i, msm_rows[i].pc);
703 msm_size_of_msm.set_if_valid_index(i, msm_rows[i].msm_size);
704 msm_count.set_if_valid_index(i, msm_rows[i].msm_count);
705 msm_round.set_if_valid_index(i, msm_rows[i].msm_round);
706 msm_add1.set_if_valid_index(i, static_cast<int>(msm_rows[i].add_state[0].add));
707 msm_add2.set_if_valid_index(i, static_cast<int>(msm_rows[i].add_state[1].add));
708 msm_add3.set_if_valid_index(i, static_cast<int>(msm_rows[i].add_state[2].add));
709 msm_add4.set_if_valid_index(i, static_cast<int>(msm_rows[i].add_state[3].add));
710 msm_x1.set_if_valid_index(i, msm_rows[i].add_state[0].point.x);
711 msm_y1.set_if_valid_index(i, msm_rows[i].add_state[0].point.y);
712 msm_x2.set_if_valid_index(i, msm_rows[i].add_state[1].point.x);
713 msm_y2.set_if_valid_index(i, msm_rows[i].add_state[1].point.y);
714 msm_x3.set_if_valid_index(i, msm_rows[i].add_state[2].point.x);
715 msm_y3.set_if_valid_index(i, msm_rows[i].add_state[2].point.y);
716 msm_x4.set_if_valid_index(i, msm_rows[i].add_state[3].point.x);
717 msm_y4.set_if_valid_index(i, msm_rows[i].add_state[3].point.y);
718 msm_collision_x1.set_if_valid_index(i, msm_rows[i].add_state[0].collision_inverse);
719 msm_collision_x2.set_if_valid_index(i, msm_rows[i].add_state[1].collision_inverse);
720 msm_collision_x3.set_if_valid_index(i, msm_rows[i].add_state[2].collision_inverse);
721 msm_collision_x4.set_if_valid_index(i, msm_rows[i].add_state[3].collision_inverse);
722 msm_lambda1.set_if_valid_index(i, msm_rows[i].add_state[0].lambda);
723 msm_lambda2.set_if_valid_index(i, msm_rows[i].add_state[1].lambda);
724 msm_lambda3.set_if_valid_index(i, msm_rows[i].add_state[2].lambda);
725 msm_lambda4.set_if_valid_index(i, msm_rows[i].add_state[3].lambda);
726 msm_slice1.set_if_valid_index(i, msm_rows[i].add_state[0].slice);
727 msm_slice2.set_if_valid_index(i, msm_rows[i].add_state[1].slice);
728 msm_slice3.set_if_valid_index(i, msm_rows[i].add_state[2].slice);
729 msm_slice4.set_if_valid_index(i, msm_rows[i].add_state[3].slice);
730 }
731 });
732 this->set_shifted();
733 }
734 };
735
739 class PartiallyEvaluatedMultivariates : public AllEntities<Polynomial> {
740
741 public:
742 PartiallyEvaluatedMultivariates() = default;
743 PartiallyEvaluatedMultivariates(const size_t circuit_size)
744 {
745 // Storage is only needed after the first partial evaluation, hence polynomials of size (n / 2)
746 for (auto& poly : this->get_all()) {
747 poly = Polynomial(circuit_size / 2);
748 }
749 }
750 PartiallyEvaluatedMultivariates(const ProverPolynomials& full_polynomials, size_t circuit_size)
751 {
752 for (auto [poly, full_poly] : zip_view(get_all(), full_polynomials.get_all())) {
753 // After the initial sumcheck round, the new size is CEIL(size/2).
754 size_t desired_size = full_poly.end_index() / 2 + full_poly.end_index() % 2;
755 poly = Polynomial(desired_size, circuit_size / 2);
756 }
757 }
758 };
759
764 class ProvingKey {
765 public:
766 size_t circuit_size = ECCVM_FIXED_SIZE; // The circuit size is fixed for the ECCVM.
767 size_t log_circuit_size = CONST_ECCVM_LOG_N;
768
769 // Used to amortize the commitment time if the `fixed size` > `real_size`.
770 size_t real_size = 0;
771
772 ProverPolynomials polynomials; // storage for all polynomials evaluated by the prover
773 CommitmentKey commitment_key;
774
775 // Constructor for fixed size ProvingKey
776 ProvingKey(const CircuitBuilder& builder)
777 : real_size(builder.get_circuit_subgroup_size(builder.get_estimated_num_finalized_gates()))
778 , polynomials(builder)
779 {}
780 };
781
790 class VerificationKey : public NativeVerificationKey_<PrecomputedEntities<Commitment>, Transcript> {
791 public:
792 // Serialized Verification Key length in fields
793 static constexpr size_t VERIFICATION_KEY_LENGTH =
794 /* 1. NUM_PRECOMPUTED_ENTITIES commitments */ (NUM_PRECOMPUTED_ENTITIES * num_frs_comm);
795
796 bool operator==(const VerificationKey&) const = default;
797
798 // IPA verification key requires one more point.
799 VerifierCommitmentKey pcs_verification_key = VerifierCommitmentKey(ECCVM_FIXED_SIZE + 1);
800
801 // Default construct the fixed VK that results from ECCVM_FIXED_SIZE
802 VerificationKey()
803 : NativeVerificationKey_(ECCVM_FIXED_SIZE, /*num_public_inputs=*/0)
804 {
805 this->pub_inputs_offset = 0;
806
807 // Populate the commitments of the precomputed polynomials using the fixed VK data
808 for (auto [vk_commitment, fixed_commitment] :
809 zip_view(this->get_all(), ECCVMFixedVKCommitments::get_all())) {
810 vk_commitment = fixed_commitment;
811 }
812 }
813
814 VerificationKey(const size_t circuit_size, const size_t num_public_inputs)
815 : NativeVerificationKey_(circuit_size, num_public_inputs)
816 {}
817
818 VerificationKey(const std::shared_ptr<ProvingKey>& proving_key)
819 {
820 this->log_circuit_size = CONST_ECCVM_LOG_N;
821 this->num_public_inputs = 0;
822 this->pub_inputs_offset = 0;
823
824 for (auto [polynomial, commitment] :
825 zip_view(proving_key->polynomials.get_precomputed(), this->get_all())) {
826 commitment = proving_key->commitment_key.commit(polynomial);
827 }
828 }
829
835 std::vector<fr> to_field_elements() const override
836 {
837 using namespace bb::field_conversion;
838
839 auto serialize_to_field_buffer = []<typename T>(const T& input, std::vector<fr>& buffer) {
840 std::vector<fr> input_fields = convert_to_bn254_frs<T>(input);
841 buffer.insert(buffer.end(), input_fields.begin(), input_fields.end());
842 };
843
844 std::vector<fr> elements;
845 for (const Commitment& commitment : this->get_all()) {
846 serialize_to_field_buffer(commitment, elements);
847 }
848 return elements;
849 }
857 fr hash_through_transcript([[maybe_unused]] const std::string& domain_separator,
858 [[maybe_unused]] Transcript& transcript) const override
859 {
860 throw_or_abort("Not intended to be used because vk is hardcoded in circuit.");
861 }
862
863 // TODO(https://github.com/AztecProtocol/barretenberg/issues/1324): Remove `circuit_size` and `log_circuit_size`
864 // from MSGPACK and the verification key.
865 // Don't statically check for object completeness.
866 using MSGPACK_NO_STATIC_CHECK = std::true_type;
867 MSGPACK_FIELDS(
868 log_circuit_size, num_public_inputs, pub_inputs_offset, lagrange_first, lagrange_second, lagrange_last);
869 };
870
877 class CommitmentLabels : public AllEntities<std::string> {
878 private:
879 using Base = AllEntities<std::string>;
880
881 public:
882 CommitmentLabels()
883 : AllEntities<std::string>()
884 {
885 Base::transcript_add = "TRANSCRIPT_ADD";
886 Base::transcript_mul = "TRANSCRIPT_MUL";
887 Base::transcript_eq = "TRANSCRIPT_EQ";
888 Base::transcript_msm_transition = "TRANSCRIPT_MSM_TRANSITION";
889 Base::transcript_pc = "TRANSCRIPT_PC";
890 Base::transcript_msm_count = "TRANSCRIPT_MSM_COUNT";
891 Base::transcript_Px = "TRANSCRIPT_PX";
892 Base::transcript_Py = "TRANSCRIPT_PY";
893 Base::transcript_z1 = "TRANSCRIPT_Z1";
894 Base::transcript_z2 = "TRANSCRIPT_Z2";
895 Base::transcript_z1zero = "TRANSCRIPT_Z1ZERO";
896 Base::transcript_z2zero = "TRANSCRIPT_Z2ZERO";
897 Base::transcript_op = "TRANSCRIPT_OP";
898 Base::transcript_accumulator_x = "TRANSCRIPT_ACCUMULATOR_X";
899 Base::transcript_accumulator_y = "TRANSCRIPT_ACCUMULATOR_Y";
900 Base::transcript_msm_x = "TRANSCRIPT_MSM_X";
901 Base::transcript_msm_y = "TRANSCRIPT_MSM_Y";
902 Base::precompute_pc = "PRECOMPUTE_PC";
903 Base::precompute_point_transition = "PRECOMPUTE_POINT_TRANSITION";
904 Base::precompute_round = "PRECOMPUTE_ROUND";
905 Base::precompute_scalar_sum = "PRECOMPUTE_SCALAR_SUM";
906 Base::precompute_s1hi = "PRECOMPUTE_S1HI";
907 Base::precompute_s1lo = "PRECOMPUTE_S1LO";
908 Base::precompute_s2hi = "PRECOMPUTE_S2HI";
909 Base::precompute_s2lo = "PRECOMPUTE_S2LO";
910 Base::precompute_s3hi = "PRECOMPUTE_S3HI";
911 Base::precompute_s3lo = "PRECOMPUTE_S3LO";
912 Base::precompute_s4hi = "PRECOMPUTE_S4HI";
913 Base::precompute_s4lo = "PRECOMPUTE_S4LO";
914 Base::precompute_skew = "PRECOMPUTE_SKEW";
915 Base::precompute_dx = "PRECOMPUTE_DX";
916 Base::precompute_dy = "PRECOMPUTE_DY";
917 Base::precompute_tx = "PRECOMPUTE_TX";
918 Base::precompute_ty = "PRECOMPUTE_TY";
919 Base::msm_transition = "MSM_TRANSITION";
920 Base::msm_add = "MSM_ADD";
921 Base::msm_double = "MSM_DOUBLE";
922 Base::msm_skew = "MSM_SKEW";
923 Base::msm_accumulator_x = "MSM_ACCUMULATOR_X";
924 Base::msm_accumulator_y = "MSM_ACCUMULATOR_Y";
925 Base::msm_pc = "MSM_PC";
926 Base::msm_size_of_msm = "MSM_SIZE_OF_MSM";
927 Base::msm_count = "MSM_COUNT";
928 Base::msm_round = "MSM_ROUND";
929 Base::msm_add1 = "MSM_ADD1";
930 Base::msm_add2 = "MSM_ADD2";
931 Base::msm_add3 = "MSM_ADD3";
932 Base::msm_add4 = "MSM_ADD4";
933 Base::msm_x1 = "MSM_X1";
934 Base::msm_y1 = "MSM_Y1";
935 Base::msm_x2 = "MSM_X2";
936 Base::msm_y2 = "MSM_Y2";
937 Base::msm_x3 = "MSM_X3";
938 Base::msm_y3 = "MSM_Y3";
939 Base::msm_x4 = "MSM_X4";
940 Base::msm_y4 = "MSM_Y4";
941 Base::msm_collision_x1 = "MSM_COLLISION_X1";
942 Base::msm_collision_x2 = "MSM_COLLISION_X2";
943 Base::msm_collision_x3 = "MSM_COLLISION_X3";
944 Base::msm_collision_x4 = "MSM_COLLISION_X4";
945 Base::msm_lambda1 = "MSM_LAMBDA1";
946 Base::msm_lambda2 = "MSM_LAMBDA2";
947 Base::msm_lambda3 = "MSM_LAMBDA3";
948 Base::msm_lambda4 = "MSM_LAMBDA4";
949 Base::msm_slice1 = "MSM_SLICE1";
950 Base::msm_slice2 = "MSM_SLICE2";
951 Base::msm_slice3 = "MSM_SLICE3";
952 Base::msm_slice4 = "MSM_SLICE4";
953 Base::transcript_accumulator_not_empty = "TRANSCRIPT_ACCUMULATOR_NOT_EMPTY";
954 Base::transcript_reset_accumulator = "TRANSCRIPT_RESET_ACCUMULATOR";
955 Base::precompute_select = "PRECOMPUTE_SELECT";
956 Base::lookup_read_counts_0 = "LOOKUP_READ_COUNTS_0";
957 Base::lookup_read_counts_1 = "LOOKUP_READ_COUNTS_1";
958 Base::transcript_base_infinity = "TRANSCRIPT_BASE_INFINITY";
959 Base::transcript_base_x_inverse = "TRANSCRIPT_BASE_X_INVERSE";
960 Base::transcript_base_y_inverse = "TRANSCRIPT_BASE_Y_INVERSE";
961 Base::transcript_add_x_equal = "TRANSCRIPT_ADD_X_EQUAL";
962 Base::transcript_add_y_equal = "TRANSCRIPT_ADD_Y_EQUAL";
963 Base::transcript_add_lambda = "TRANSCRIPT_ADD_LAMBDA";
964 Base::transcript_msm_intermediate_x = "TRANSCRIPT_MSM_INTERMEDIATE_X";
965 Base::transcript_msm_intermediate_y = "TRANSCRIPT_MSM_INTERMEDIATE_Y";
966 Base::transcript_msm_infinity = "TRANSCRIPT_MSM_INFINITY";
967 Base::transcript_msm_x_inverse = "TRANSCRIPT_MSM_X_INVERSE";
968 Base::transcript_msm_count_zero_at_transition = "TRANSCRIPT_MSM_COUNT_ZERO_AT_TRANSITION";
969 Base::transcript_msm_count_at_transition_inverse = "TRANSCRIPT_MSM_COUNT_AT_TRANSITION_INVERSE";
970 Base::z_perm = "Z_PERM";
971 Base::z_perm_shift = "Z_PERM_SHIFT";
972 Base::lookup_inverses = "LOOKUP_INVERSES";
973 // The ones beginning with "__" are only used for debugging
974 Base::lagrange_first = "__LAGRANGE_FIRST";
975 Base::lagrange_second = "__LAGRANGE_SECOND";
976 Base::lagrange_last = "__LAGRANGE_LAST";
977 };
978 };
979
980 template <typename Commitment, typename VerificationKey>
981 class VerifierCommitments_ : public AllEntities<Commitment> {
982 public:
983 VerifierCommitments_(const std::shared_ptr<VerificationKey>& verification_key)
984 {
985 this->lagrange_first = verification_key->lagrange_first;
986 this->lagrange_second = verification_key->lagrange_second;
987 this->lagrange_last = verification_key->lagrange_last;
988 }
989 };
990
991 using VerifierCommitments = VerifierCommitments_<Commitment, VerificationKey>;
992
997 class IPATranscript : public NativeTranscript {
998 public:
999 uint32_t ipa_poly_degree;
1000 std::vector<Commitment> ipa_l_comms;
1001 std::vector<Commitment> ipa_r_comms;
1002 Commitment ipa_G_0_eval;
1003 FF ipa_a_0_eval;
1004
1005 IPATranscript() = default;
1006
1007 void deserialize_full_transcript()
1008 {
1009 // take current proof and put them into the struct
1010 size_t num_frs_read = 0;
1011 ipa_poly_degree = NativeTranscript::template deserialize_from_buffer<uint32_t>(NativeTranscript::proof_data,
1012 num_frs_read);
1013
1014 for (size_t i = 0; i < CONST_ECCVM_LOG_N; ++i) {
1015 ipa_l_comms.emplace_back(NativeTranscript::template deserialize_from_buffer<Commitment>(
1016 NativeTranscript::proof_data, num_frs_read));
1017 ipa_r_comms.emplace_back(NativeTranscript::template deserialize_from_buffer<Commitment>(
1018 NativeTranscript::proof_data, num_frs_read));
1019 }
1020 ipa_G_0_eval = NativeTranscript::template deserialize_from_buffer<Commitment>(NativeTranscript::proof_data,
1021 num_frs_read);
1022 ipa_a_0_eval =
1023 NativeTranscript::template deserialize_from_buffer<FF>(NativeTranscript::proof_data, num_frs_read);
1024 }
1025
1026 void serialize_full_transcript()
1027 {
1028 size_t old_proof_length = NativeTranscript::proof_data.size();
1029 NativeTranscript::proof_data.clear();
1030
1031 NativeTranscript::serialize_to_buffer(ipa_poly_degree, NativeTranscript::proof_data);
1032 for (size_t i = 0; i < CONST_ECCVM_LOG_N; ++i) {
1033 NativeTranscript::serialize_to_buffer(ipa_l_comms[i], NativeTranscript::proof_data);
1034 NativeTranscript::serialize_to_buffer(ipa_r_comms[i], NativeTranscript::proof_data);
1035 }
1036
1037 serialize_to_buffer(ipa_G_0_eval, proof_data);
1038 serialize_to_buffer(ipa_a_0_eval, proof_data);
1039
1040 BB_ASSERT_EQ(NativeTranscript::proof_data.size(), old_proof_length);
1041 }
1042 };
1043
1051 template <typename ProverPolynomialsOrPartiallyEvaluatedMultivariates, typename EdgeType>
1052 static bool skip_entire_row([[maybe_unused]] const ProverPolynomialsOrPartiallyEvaluatedMultivariates& polynomials,
1053 [[maybe_unused]] const EdgeType edge_idx)
1054 {
1055 // skip conditions. TODO: add detailed commentary during audit.
1056 // The most important skip condition is that `z_perm == z_perm_shift`. This implies that none of the wire values
1057 // for the present input are involved in non-trivial copy constraints. Edge cases where nonzero rows do not
1058 // contribute to permutation:
1059 //
1060 // 1: If `lagrange_last != 0`, the permutation polynomial identity is updated even if
1061 // z_perm == z_perm_shift
1062 //
1063 // 2: The final MSM row won't add to the permutation but still has polynomial identitiy
1064 // contributions. This is because the permutation argument uses the SHIFTED msm columns when performing
1065 // lookups i.e. `polynomials.msm_accumulator_x[last_edge_idx] will change z_perm[last_edge_idx - 1] and
1066 // z_perm_shift[last_edge_idx - 1]
1067 //
1068 // 3. The value of `transcript_mul` can be non-zero at the end of an MSM of points-at-infinity, which will
1069 // cause `full_msm_count` to be non-zero while `transcript_msm_count` vanishes.
1070 //
1071 // 4. For similar reasons, we must add that `transcript_op==0`.
1072 return (polynomials.z_perm[edge_idx] == polynomials.z_perm_shift[edge_idx]) &&
1073 (polynomials.z_perm[edge_idx + 1] == polynomials.z_perm_shift[edge_idx + 1]) &&
1074 (polynomials.lagrange_last[edge_idx] == 0 && polynomials.lagrange_last[edge_idx + 1]) == 0 &&
1075 (polynomials.msm_transition[edge_idx] == 0 && polynomials.msm_transition[edge_idx + 1] == 0) &&
1076 (polynomials.transcript_mul[edge_idx] == 0 && polynomials.transcript_mul[edge_idx + 1] == 0) &&
1077 (polynomials.transcript_op[edge_idx] == 0 && polynomials.transcript_op[edge_idx + 1] == 0);
1078 }
1079};
1080
1081// NOLINTEND(cppcoreguidelines-avoid-const-or-ref-data-members)
1082
1083} // namespace bb
BB_ASSERT_EQ
#define BB_ASSERT_EQ(actual, expected,...)
Definition assert.hpp:59
bb::BaseTranscript
Common transcript class for both parties. Stores the data for the current round, as well as the manif...
Definition transcript.hpp:154
bb::CommitmentKey
CommitmentKey object over a pairing group 𝔾₁.
Definition commitment_key.hpp:40
bb::ECCVMCircuitBuilder::get_flattened_scalar_muls
static std::vector< ScalarMul > get_flattened_scalar_muls(const std::vector< MSM > &msms)
Definition eccvm_circuit_builder.hpp:242
bb::ECCVMFlavor::AllEntities
A base class labelling all entities (for instance, all of the polynomials used by the prover during s...
Definition eccvm_flavor.hpp:402
bb::ECCVMFlavor::AllValues
A field element for each entity of the flavor. These entities represent the prover polynomials evalua...
Definition eccvm_flavor.hpp:418
bb::ECCVMFlavor::CommitmentLabels
A container for commitment labels.
Definition eccvm_flavor.hpp:877
bb::ECCVMFlavor::IPATranscript
Derived class that defines proof structure for ECCVM IPA proof, as well as supporting functions.
Definition eccvm_flavor.hpp:997
bb::ECCVMFlavor::IPATranscript::ipa_r_comms
std::vector< Commitment > ipa_r_comms
Definition eccvm_flavor.hpp:1001
bb::ECCVMFlavor::IPATranscript::ipa_l_comms
std::vector< Commitment > ipa_l_comms
Definition eccvm_flavor.hpp:1000
bb::ECCVMFlavor::PartiallyEvaluatedMultivariates
A container for storing the partially evaluated multivariates produced by sumcheck.
Definition eccvm_flavor.hpp:739
bb::ECCVMFlavor::PartiallyEvaluatedMultivariates::PartiallyEvaluatedMultivariates
PartiallyEvaluatedMultivariates(const ProverPolynomials &full_polynomials, size_t circuit_size)
Definition eccvm_flavor.hpp:750
bb::ECCVMFlavor::PartiallyEvaluatedMultivariates::PartiallyEvaluatedMultivariates
PartiallyEvaluatedMultivariates(const size_t circuit_size)
Definition eccvm_flavor.hpp:743
bb::ECCVMFlavor::PrecomputedEntities
A base class labelling precomputed entities and (ordered) subsets of interest.
Definition eccvm_flavor.hpp:163
bb::ECCVMFlavor::PrecomputedEntities::DEFINE_FLAVOR_MEMBERS
DEFINE_FLAVOR_MEMBERS(DataType, lagrange_first, lagrange_second, lagrange_last)
bb::ECCVMFlavor::PrecomputedEntities::operator==
bool operator==(const PrecomputedEntities &other) const =default
bb::ECCVMFlavor::ProverPolynomials
A container for the prover polynomials.
Definition eccvm_flavor.hpp:437
bb::ECCVMFlavor::ProverPolynomials::get_row
AllValues get_row(const size_t row_idx) const
Returns the evaluations of all prover polynomials at one point on the boolean hypercube,...
Definition eccvm_flavor.hpp:452
bb::ECCVMFlavor::ProverPolynomials::ProverPolynomials
ProverPolynomials(const ProverPolynomials &o)=delete
bb::ECCVMFlavor::ProverPolynomials::ProverPolynomials
ProverPolynomials(ProverPolynomials &&o) noexcept=default
bb::ECCVMFlavor::ProverPolynomials::ProverPolynomials
ProverPolynomials(const CircuitBuilder &builder)
Compute the ECCVM flavor polynomial data required to generate an ECCVM Proof.
Definition eccvm_flavor.hpp:562
bb::ECCVMFlavor::ProverPolynomials::operator=
ProverPolynomials & operator=(const ProverPolynomials &)=delete
bb::ECCVMFlavor::ProverPolynomials::operator=
ProverPolynomials & operator=(ProverPolynomials &&o) noexcept=default
bb::ECCVMFlavor::ProvingKey
The proving key is responsible for storing the polynomials used by the prover.
Definition eccvm_flavor.hpp:764
bb::ECCVMFlavor::ProvingKey::polynomials
ProverPolynomials polynomials
Definition eccvm_flavor.hpp:772
bb::ECCVMFlavor::ProvingKey::ProvingKey
ProvingKey(const CircuitBuilder &builder)
Definition eccvm_flavor.hpp:776
bb::ECCVMFlavor::ShiftedEntities
Represents polynomials shifted by 1 or their evaluations, defined relative to WitnessEntities.
Definition eccvm_flavor.hpp:326
bb::ECCVMFlavor::ShiftedEntities::DEFINE_FLAVOR_MEMBERS
DEFINE_FLAVOR_MEMBERS(DataType, transcript_mul_shift, transcript_msm_count_shift, precompute_scalar_sum_shift, precompute_s1hi_shift, precompute_dx_shift, precompute_dy_shift, precompute_tx_shift, precompute_ty_shift, msm_transition_shift, msm_add_shift, msm_double_shift, msm_skew_shift, msm_accumulator_x_shift, msm_accumulator_y_shift, msm_count_shift, msm_round_shift, msm_add1_shift, msm_pc_shift, precompute_pc_shift, transcript_pc_shift, precompute_round_shift, precompute_select_shift, transcript_accumulator_not_empty_shift, transcript_accumulator_x_shift, transcript_accumulator_y_shift, z_perm_shift)
bb::ECCVMFlavor::VerificationKey
The verification key is responsible for storing the commitments to the precomputed (non-witnessk) pol...
Definition eccvm_flavor.hpp:790
bb::ECCVMFlavor::VerificationKey::to_field_elements
std::vector< fr > to_field_elements() const override
Serialize verification key to field elements.
Definition eccvm_flavor.hpp:835
bb::ECCVMFlavor::VerificationKey::MSGPACK_FIELDS
MSGPACK_FIELDS(log_circuit_size, num_public_inputs, pub_inputs_offset, lagrange_first, lagrange_second, lagrange_last)
bb::ECCVMFlavor::VerificationKey::VerificationKey
VerificationKey(const std::shared_ptr< ProvingKey > &proving_key)
Definition eccvm_flavor.hpp:818
bb::ECCVMFlavor::VerificationKey::VerificationKey
VerificationKey(const size_t circuit_size, const size_t num_public_inputs)
Definition eccvm_flavor.hpp:814
bb::ECCVMFlavor::VerificationKey::hash_through_transcript
fr hash_through_transcript(const std::string &domain_separator, Transcript &transcript) const override
Unused function because vk is hardcoded in recursive verifier, so no transcript hashing is needed.
Definition eccvm_flavor.hpp:857
bb::ECCVMFlavor::VerificationKey::operator==
bool operator==(const VerificationKey &) const =default
bb::ECCVMFlavor::VerifierCommitments_
Definition eccvm_flavor.hpp:981
bb::ECCVMFlavor::VerifierCommitments_::VerifierCommitments_
VerifierCommitments_(const std::shared_ptr< VerificationKey > &verification_key)
Definition eccvm_flavor.hpp:983
bb::ECCVMFlavor::WireToBeShiftedAccumulatorEntities
Containter for transcript accumulators, they stand out as the only to-be-shifted wires that are alway...
Definition eccvm_flavor.hpp:285
bb::ECCVMFlavor::WireToBeShiftedWithoutAccumulatorsEntities
Container for all to-be-shifted witness polynomials excluding the accumulators used/constructed by th...
Definition eccvm_flavor.hpp:254
bb::ECCVMFlavor::WitnessEntities
Container for all witness polynomials used/constructed by the prover.
Definition eccvm_flavor.hpp:301
bb::ECCVMFlavor::WitnessEntities::DEFINE_COMPOUND_GET_ALL
DEFINE_COMPOUND_GET_ALL(WireNonShiftedEntities< DataType >, WireToBeShiftedWithoutAccumulatorsEntities< DataType >, WireToBeShiftedAccumulatorEntities< DataType >, DerivedWitnessEntities< DataType >) auto get_wires()
Definition eccvm_flavor.hpp:303
bb::ECCVMFlavor::ECCVM_FIXED_SIZE
static constexpr size_t ECCVM_FIXED_SIZE
Definition eccvm_flavor.hpp:61
bb::ECCVMFlavor::HasZK
static constexpr bool HasZK
Definition eccvm_flavor.hpp:55
bb::ECCVMFlavor::FF
typename Curve::ScalarField FF
Definition eccvm_flavor.hpp:41
bb::ECCVMFlavor::NUM_SUBRELATIONS
static constexpr size_t NUM_SUBRELATIONS
Definition eccvm_flavor.hpp:99
bb::ECCVMFlavor::NUM_ALL_ENTITIES
static constexpr size_t NUM_ALL_ENTITIES
Definition eccvm_flavor.hpp:68
bb::ECCVMFlavor::MAX_PARTIAL_RELATION_LENGTH
static constexpr size_t MAX_PARTIAL_RELATION_LENGTH
Definition eccvm_flavor.hpp:102
bb::ECCVMFlavor::get_to_be_shifted
static auto get_to_be_shifted(PrecomputedAndWitnessEntitiesSuperset &entities)
Definition eccvm_flavor.hpp:358
bb::ECCVMFlavor::Relations_
std::tuple< ECCVMTranscriptRelation< FF >, ECCVMPointTableRelation< FF >, ECCVMWnafRelation< FF >, ECCVMMSMRelation< FF >, ECCVMSetRelation< FF >, ECCVMLookupRelation< FF >, ECCVMBoolsRelation< FF > > Relations_
Definition eccvm_flavor.hpp:95
bb::ECCVMFlavor::Commitment
typename G1::affine_element Commitment
Definition eccvm_flavor.hpp:45
bb::ECCVMFlavor::BF
typename Curve::BaseField BF
Definition eccvm_flavor.hpp:42
bb::ECCVMFlavor::Polynomial
bb::Polynomial< FF > Polynomial
Definition eccvm_flavor.hpp:43
bb::ECCVMFlavor::skip_entire_row
static bool skip_entire_row(const ProverPolynomialsOrPartiallyEvaluatedMultivariates &polynomials, const EdgeType edge_idx)
When evaluating the sumcheck protocol - can we skip evaluation of all relations for a given row?
Definition eccvm_flavor.hpp:1052
bb::ECCVMFlavor::GroupElement
typename G1::element GroupElement
Definition eccvm_flavor.hpp:44
bb::ECCVMFlavor::GrandProductRelations
std::tuple< ECCVMSetRelation< FF > > GrandProductRelations
Definition eccvm_flavor.hpp:86
bb::ECCVMFlavor::G1
typename Curve::Group G1
Definition eccvm_flavor.hpp:39
bb::ECCVMFlavor::USE_SHORT_MONOMIALS
static constexpr bool USE_SHORT_MONOMIALS
Definition eccvm_flavor.hpp:52
bb::ECCVMFlavor::NUM_WITNESS_ENTITIES
static constexpr size_t NUM_WITNESS_ENTITIES
Definition eccvm_flavor.hpp:73
bb::ECCVMFlavor::NUM_TRANSLATION_OPENING_CLAIMS
static constexpr size_t NUM_TRANSLATION_OPENING_CLAIMS
Definition eccvm_flavor.hpp:155
bb::ECCVMFlavor::NUM_SHIFTED_ENTITIES
static constexpr size_t NUM_SHIFTED_ENTITIES
Definition eccvm_flavor.hpp:75
bb::ECCVMFlavor::NUM_PRECOMPUTED_ENTITIES
static constexpr size_t NUM_PRECOMPUTED_ENTITIES
Definition eccvm_flavor.hpp:71
bb::ECCVMFlavor::PROOF_LENGTH_WITHOUT_PUB_INPUTS
static constexpr size_t PROOF_LENGTH_WITHOUT_PUB_INPUTS
Definition eccvm_flavor.hpp:116
bb::ECCVMFlavor::NUM_WIRES
static constexpr size_t NUM_WIRES
Definition eccvm_flavor.hpp:63
bb::ECCVMFlavor::BATCHED_RELATION_PARTIAL_LENGTH
static constexpr size_t BATCHED_RELATION_PARTIAL_LENGTH
Definition eccvm_flavor.hpp:109
bb::ECCVMFlavor::num_frs_comm
static constexpr size_t num_frs_comm
Definition eccvm_flavor.hpp:112
bb::ECCVMFlavor::USE_PADDING
static constexpr bool USE_PADDING
Definition eccvm_flavor.hpp:57
bb::ECCVMFlavor::num_frs_fq
static constexpr size_t num_frs_fq
Definition eccvm_flavor.hpp:113
bb::ECCVMFlavor::REPEATED_COMMITMENTS
static constexpr RepeatedCommitmentsData REPEATED_COMMITMENTS
Definition eccvm_flavor.hpp:80
bb::ECCVMFlavor::NUM_RELATIONS
static constexpr size_t NUM_RELATIONS
Definition eccvm_flavor.hpp:110
bb::ECCVMFlavor::Relations
Relations_< FF > Relations
Definition eccvm_flavor.hpp:96
bb::ECCVMFlavor::MSM
bb::eccvm::MSM< CycleGroup > MSM
Definition eccvm_flavor.hpp:48
bb::ECCVMFlavor::NUM_DERIVED_WITNESS_ENTITIES_NON_SHIFTED
static constexpr size_t NUM_DERIVED_WITNESS_ENTITIES_NON_SHIFTED
Definition eccvm_flavor.hpp:77
bb::ECCVMFlavor::SubrelationSeparators
std::array< FF, NUM_SUBRELATIONS - 1 > SubrelationSeparators
Definition eccvm_flavor.hpp:100
bb::ECCVMMSMMBuilder::compute_rows
static std::tuple< std::vector< MSMRow >, std::array< std::vector< size_t >, 2 > > compute_rows(const std::vector< MSM > &msms, const uint32_t total_number_of_muls, const size_t num_msm_rows)
Computes the row values for the Straus MSM columns of the ECCVM.
Definition msm_builder.hpp:84
bb::ECCVMPointTablePrecomputationBuilder::compute_rows
static std::vector< PointTablePrecomputationRow > compute_rows(const std::vector< bb::eccvm::ScalarMul< CycleGroup > > &ecc_muls)
Definition precomputed_tables_builder.hpp:53
bb::ECCVMTranscriptBuilder::compute_rows
static std::vector< TranscriptRow > compute_rows(const std::vector< ECCVMOperation > &vm_operations, const uint32_t total_number_of_muls)
Computes the ECCVM transcript rows.
Definition transcript_builder.hpp:137
bb::IPA
IPA (inner product argument) commitment scheme class.
Definition ipa.hpp:95
bb::NativeVerificationKey_
Base Native verification key class.
Definition flavor.hpp:152
bb::NativeVerificationKey_< PrecomputedEntities< Commitment >, Transcript >::Commitment
typename PrecomputedCommitments::DataType Commitment
Definition flavor.hpp:154
bb::RefArray
A template class for a reference array. Behaves as if std::array<T&, N> was possible.
Definition ref_array.hpp:22
bb::Relation
A wrapper for Relations to expose methods used by the Sumcheck prover or verifier to add the contribu...
Definition relation_types.hpp:153
bb::curve::Grumpkin::Group
typename grumpkin::g1 Group
Definition grumpkin.hpp:54
bb::group
group class. Represents an elliptic curve group element. Group is parametrised by Fq and Fr
Definition group.hpp:36
zip_view
Definition zip_view.hpp:166
Polynomial
typename Flavor::Polynomial Polynomial
Definition combiner.test.cpp:11
builder
AluTraceBuilder builder
Definition alu.test.cpp:123
ecc_bools_relation.hpp
ecc_lookup_relation.hpp
ecc_msm_relation.hpp
ecc_point_table_relation.hpp
ecc_set_relation.hpp
ecc_transcript_relation.hpp
ecc_wnaf_relation.hpp
eccvm_circuit_builder.hpp
eccvm_fixed_vk.hpp
buffer
uint8_t buffer[RANDOM_BUFFER_SIZE]
Definition engine.cpp:34
flavor.hpp
Base class templates for structures that contain data parameterized by the fundamental polynomials of...
flavor_macros.hpp
DEFINE_FLAVOR_MEMBERS
#define DEFINE_FLAVOR_MEMBERS(DataType,...)
Define the body of a flavor class, included each member and a pointer view with which to iterate the ...
Definition flavor_macros.hpp:68
DEFINE_COMPOUND_GET_ALL
#define DEFINE_COMPOUND_GET_ALL(...)
Definition flavor_macros.hpp:83
bb::eccvm::MSM
std::vector< ScalarMul< CycleGroup > > MSM
Definition eccvm_builder_types.hpp:38
bb::field_conversion
Definition field_conversion.cpp:10
bb::numeric::get_msb64
constexpr uint64_t get_msb64(const uint64_t in)
Definition get_msb.hpp:30
bb
Entry point for Barretenberg command-line interface.
Definition acir_format_getters.cpp:6
bb::g1
group< fq, fr, Bn254G1Params > g1
Definition g1.hpp:33
bb::concatenate
RefArray< T,(Ns+...)> constexpr concatenate(const RefArray< T, Ns > &... ref_arrays)
Concatenates multiple RefArray objects into a single RefArray.
Definition ref_array.hpp:158
bb::NativeTranscript
BaseTranscript< NativeTranscriptParams > NativeTranscript
Definition transcript.hpp:755
bb::parallel_for_range
void parallel_for_range(size_t num_points, const std::function< void(size_t, size_t)> &func, size_t no_multhreading_if_less_or_equal)
Split a loop into several loops running in parallel.
Definition thread.cpp:102
std
STL namespace.
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
std::to_string
std::string to_string(bb::avm2::ValueTag tag)
Definition tagged_value.cpp:399
relation_definitions.hpp
relation_parameters.hpp
repeated_commitments_data.hpp
std_array.hpp
bb::ECCVMFlavor::DerivedWitnessEntities
Container for all derived witness polynomials used/constructed by the prover.
Definition eccvm_flavor.hpp:179
bb::ECCVMFlavor::DerivedWitnessEntities::DEFINE_FLAVOR_MEMBERS
DEFINE_FLAVOR_MEMBERS(DataType, z_perm, lookup_inverses)
throw_or_abort
void throw_or_abort(std::string const &err)
Definition throw_or_abort.hpp:6