Barretenberg: src/barretenberg/commitment_schemes/gemini/gemini.hpp Source File

// === AUDIT STATUS ===

// internal:    { status: not started, auditors: [], date: YYYY-MM-DD }

// external_1:  { status: not started, auditors: [], date: YYYY-MM-DD }

// external_2:  { status: not started, auditors: [], date: YYYY-MM-DD }

// =====================


#pragma once


#include "barretenberg/commitment_schemes/claim.hpp"

#include "barretenberg/commitment_schemes/claim_batcher.hpp"

#include "barretenberg/polynomials/polynomial.hpp"

#include "barretenberg/transcript/transcript.hpp"


namespace bb {


namespace gemini {


template <class Fr> inline std::vector<Fr> powers_of_rho(const Fr rho, const size_t num_powers)

{

    std::vector<Fr> rhos = { Fr(1), rho };

    rhos.reserve(num_powers);

    for (size_t j = 2; j < num_powers; j++) {

        rhos.emplace_back(rhos[j - 1] * rho);

    }

    return rhos;

};


template <class Fr> inline std::vector<Fr> powers_of_evaluation_challenge(const Fr r, const size_t num_squares)

{

    std::vector<Fr> squares = { r };

    squares.reserve(num_squares);

    for (size_t j = 1; j < num_squares; j++) {

        squares.emplace_back(squares[j - 1].sqr());

    }

    return squares;

};


} // namespace gemini


template <typename Curve> class GeminiProver_ {

    using Fr = typename Curve::ScalarField;

    using Commitment = typename Curve::AffineElement;

    using Polynomial = bb::Polynomial<Fr>;

    using Claim = ProverOpeningClaim<Curve>;


  public:


    class PolynomialBatcher {


        size_t full_batched_size = 0; // size of the full batched polynomial (generally the circuit size)

        bool batched_unshifted_initialized = false;


        Polynomial random_polynomial; // random polynomial used for ZK

        bool has_random_polynomial = false;


        RefVector<Polynomial> unshifted;                             // set of unshifted polynomials

        RefVector<Polynomial> to_be_shifted_by_one;                  // set of polynomials to be left shifted by 1

        RefVector<Polynomial> to_be_shifted_by_k;                    // set of polynomials to be right shifted by k

        RefVector<Polynomial> interleaved;                           // the interleaved polynomials used in Translator

        std::vector<RefVector<Polynomial>> groups_to_be_interleaved; // groups of polynomials to be interleaved


        size_t k_shift_magnitude = 0; // magnitude of right-shift-by-k (assumed even)


        Polynomial batched_unshifted;            // linear combination of unshifted polynomials

        Polynomial batched_to_be_shifted_by_one; // linear combination of to-be-shifted polynomials

        Polynomial batched_to_be_shifted_by_k;   // linear combination of to-be-shifted-by-k polynomials

        Polynomial batched_interleaved;          // linear combination of interleaved polynomials

        // linear combination of the groups to be interleaved where polynomial i in the batched group is obtained by

        // linearly combining the i-th polynomial in each group

        std::vector<Polynomial> batched_group;


      public:


        PolynomialBatcher(const size_t full_batched_size)

            : full_batched_size(full_batched_size)

            , batched_unshifted(full_batched_size)

            , batched_to_be_shifted_by_one(Polynomial::shiftable(full_batched_size))

        {}


        bool has_unshifted() const { return unshifted.size() > 0; }

        bool has_to_be_shifted_by_one() const { return to_be_shifted_by_one.size() > 0; }

        bool has_to_be_shifted_by_k() const { return to_be_shifted_by_k.size() > 0; }

        bool has_interleaved() const { return interleaved.size() > 0; }


        // Set references to the polynomials to be batched

        void set_unshifted(RefVector<Polynomial> polynomials) { unshifted = polynomials; }

        void set_to_be_shifted_by_one(RefVector<Polynomial> polynomials) { to_be_shifted_by_one = polynomials; }


        void set_to_be_shifted_by_k(RefVector<Polynomial> polynomials, const size_t shift_magnitude)

        {

            BB_ASSERT_EQ(

                k_shift_magnitude % 2, static_cast<size_t>(0), "k must be even for the formulas herein to be valid");

            to_be_shifted_by_k = polynomials;

            k_shift_magnitude = shift_magnitude;

        }


        // Initialize the random polynomial used to add randomness to the batched polynomials for ZK


        void set_random_polynomial(Polynomial&& random)

        {

            has_random_polynomial = true;

            random_polynomial = random;

        }


        void set_interleaved(RefVector<Polynomial> results, std::vector<RefVector<Polynomial>> groups)

        {

            // Ensure the Gemini subprotocol for interleaved polynomials operates correctly

            if (groups[0].size() % 2 != 0) {

                throw_or_abort("Group size must be even ");

            }

            interleaved = results;

            groups_to_be_interleaved = groups;

        }


        Polynomial compute_batched(const Fr& challenge, Fr& running_scalar)

        {

            // lambda for batching polynomials; updates the running scalar in place

            auto batch = [&](Polynomial& batched, const RefVector<Polynomial>& polynomials_to_batch) {

                for (auto& poly : polynomials_to_batch) {

                    batched.add_scaled(poly, running_scalar);

                    running_scalar *= challenge;

                }

            };


            Polynomial full_batched(full_batched_size);


            // if necessary, add randomness to the full batched polynomial for ZK

            if (has_random_polynomial) {

                full_batched += random_polynomial; // A₀ += rand

            }


            // compute the linear combination F of the unshifted polynomials

            if (has_unshifted()) {

                batch(batched_unshifted, unshifted);

                full_batched += batched_unshifted; // A₀ += F

            }


            // compute the linear combination G of the to-be-shifted polynomials

            if (has_to_be_shifted_by_one()) {

                batch(batched_to_be_shifted_by_one, to_be_shifted_by_one);

                full_batched += batched_to_be_shifted_by_one.shifted(); // A₀ += G/X

            }


            // compute the linear combination H of the to-be-shifted-by-k polynomials

            if (has_to_be_shifted_by_k()) {

                batched_to_be_shifted_by_k = Polynomial(full_batched_size - k_shift_magnitude, full_batched_size, 0);

                batch(batched_to_be_shifted_by_k, to_be_shifted_by_k);

                full_batched += batched_to_be_shifted_by_k.right_shifted(k_shift_magnitude); // A₀ += X^k * H

            }


            // compute the linear combination of the interleaved polynomials and groups

            if (has_interleaved()) {

                batched_interleaved = Polynomial(full_batched_size);

                for (size_t i = 0; i < groups_to_be_interleaved[0].size(); ++i) {

                    batched_group.push_back(Polynomial(full_batched_size));

                }

                for (size_t i = 0; i < groups_to_be_interleaved.size(); ++i) {

                    batched_interleaved.add_scaled(interleaved[i], running_scalar);

                    for (size_t j = 0; j < groups_to_be_interleaved[0].size(); ++j) {

                        batched_group[j].add_scaled(groups_to_be_interleaved[i][j], running_scalar);

                    }

                    running_scalar *= challenge;

                }

                full_batched += batched_interleaved;

            }


            return full_batched;

        }


        std::pair<Polynomial, Polynomial> compute_partially_evaluated_batch_polynomials(const Fr& r_challenge)

        {

            // Initialize A₀₊ and compute A₀₊ += Random and A₀₊ += F as necessary

            Polynomial A_0_pos(full_batched_size); // A₀₊


            if (has_random_polynomial) {

                A_0_pos += random_polynomial; // A₀₊ += random

            }

            if (has_unshifted()) {

                A_0_pos += batched_unshifted; // A₀₊ += F

            }


            if (has_to_be_shifted_by_k()) {

                Fr r_pow_k = r_challenge.pow(k_shift_magnitude); // r^k

                batched_to_be_shifted_by_k *= r_pow_k;

                A_0_pos += batched_to_be_shifted_by_k; // A₀₊ += r^k * H

            }


            Polynomial A_0_neg = A_0_pos;


            if (has_to_be_shifted_by_one()) {

                Fr r_inv = r_challenge.invert();       // r⁻¹

                batched_to_be_shifted_by_one *= r_inv; // G = G/r


                A_0_pos += batched_to_be_shifted_by_one; // A₀₊ += G/r

                A_0_neg -= batched_to_be_shifted_by_one; // A₀₋ -= G/r

            }


            return { A_0_pos, A_0_neg };

        };


        std::pair<Polynomial, Polynomial> compute_partially_evaluated_interleaved_polynomial(const Fr& r_challenge)

        {

            Polynomial P_pos(batched_group[0]);

            Polynomial P_neg(batched_group[0]);


            Fr current_r_shift_pos = r_challenge;

            Fr current_r_shift_neg = -r_challenge;

            for (size_t i = 1; i < batched_group.size(); i++) {

                P_pos.add_scaled(batched_group[i], current_r_shift_pos);

                P_neg.add_scaled(batched_group[i], current_r_shift_neg);

                current_r_shift_pos *= r_challenge;

                current_r_shift_neg *= -r_challenge;

            }


            return { P_pos, P_neg };

        }


        size_t get_group_size() { return batched_group.size(); }

    };


    static std::vector<Polynomial> compute_fold_polynomials(const size_t log_n,

                                                            std::span<const Fr> multilinear_challenge,

                                                            const Polynomial& A_0,

                                                            const bool& has_zk = false);


    static std::pair<Polynomial, Polynomial> compute_partially_evaluated_batch_polynomials(

        const size_t log_n,

        PolynomialBatcher& polynomial_batcher,

        const Fr& r_challenge,

        const std::vector<Polynomial>& batched_groups_to_be_concatenated = {});


    static std::vector<Claim> construct_univariate_opening_claims(const size_t log_n,

                                                                  Polynomial&& A_0_pos,

                                                                  Polynomial&& A_0_neg,

                                                                  std::vector<Polynomial>&& fold_polynomials,

                                                                  const Fr& r_challenge);


    template <typename Transcript>

    static std::vector<Claim> prove(const Fr circuit_size,

                                    PolynomialBatcher& polynomial_batcher,

                                    std::span<Fr> multilinear_challenge,

                                    const CommitmentKey<Curve>& commitment_key,

                                    const std::shared_ptr<Transcript>& transcript,

                                    bool has_zk = false);


}; // namespace bb


template <typename Curve> class GeminiVerifier_ {

    using Fr = typename Curve::ScalarField;

    using GroupElement = typename Curve::Element;

    using Commitment = typename Curve::AffineElement;

    using ClaimBatcher = ClaimBatcher_<Curve>;


  public:


    static std::vector<OpeningClaim<Curve>> reduce_verification(std::span<Fr> multilinear_challenge,

                                                                ClaimBatcher& claim_batcher,

                                                                auto& transcript)


    {

        const size_t log_n = multilinear_challenge.size();

        const bool has_interleaved = claim_batcher.interleaved.has_value();


        const Fr rho = transcript->template get_challenge<Fr>("rho");


        GroupElement batched_commitment_unshifted = GroupElement::zero();

        GroupElement batched_commitment_to_be_shifted = GroupElement::zero();


        Fr batched_evaluation = Fr(0);

        Fr batching_scalar = Fr(1);

        for (auto [eval, comm] :

             zip_view(claim_batcher.get_unshifted().evaluations, claim_batcher.get_unshifted().commitments)) {

            batched_evaluation += eval * batching_scalar;

            batched_commitment_unshifted += comm * batching_scalar;

            batching_scalar *= rho;

        }


        for (auto [eval, comm] :

             zip_view(claim_batcher.get_shifted().evaluations, claim_batcher.get_shifted().commitments)) {

            batched_evaluation += eval * batching_scalar;

            batched_commitment_to_be_shifted += comm * batching_scalar;

            batching_scalar *= rho;

        }


        // Get polynomials Fold_i, i = 1,...,m-1 from transcript

        const std::vector<Commitment> commitments = get_fold_commitments(log_n, transcript);


        // compute vector of powers of random evaluation point r

        const Fr r = transcript->template get_challenge<Fr>("Gemini:r");

        const std::vector<Fr> r_squares = gemini::powers_of_evaluation_challenge(r, log_n);


        // Get evaluations a_i, i = 0,...,m-1 from transcript

        const std::vector<Fr> evaluations = get_gemini_evaluations(log_n, transcript);


        // C₀_r_pos = ∑ⱼ ρʲ⋅[fⱼ] + r⁻¹⋅∑ⱼ ρᵏ⁺ʲ [gⱼ], the commitment to A₀₊

        // C₀_r_neg = ∑ⱼ ρʲ⋅[fⱼ] - r⁻¹⋅∑ⱼ ρᵏ⁺ʲ [gⱼ], the commitment to  A₀₋

        GroupElement C0_r_pos = batched_commitment_unshifted;

        GroupElement C0_r_neg = batched_commitment_unshifted;


        Fr r_inv = r.invert();

        if (!batched_commitment_to_be_shifted.is_point_at_infinity()) {

            batched_commitment_to_be_shifted = batched_commitment_to_be_shifted * r_inv;

            C0_r_pos += batched_commitment_to_be_shifted;

            C0_r_neg -= batched_commitment_to_be_shifted;

        }


        // If verifying the opening for the translator VM, we reconstruct the commitment of the batched interleaved

        // polynomials, "partially evaluated" in r and -r, using the commitments in the interleaved groups

        GroupElement C_P_pos = GroupElement::zero();

        GroupElement C_P_neg = GroupElement::zero();

        if (has_interleaved) {

            size_t interleaved_group_size = claim_batcher.get_groups_to_be_interleaved_size();

            Fr current_r_shift_pos = Fr(1);

            Fr current_r_shift_neg = Fr(1);

            std::vector<Fr> r_shifts_pos;

            std::vector<Fr> r_shifts_neg;

            for (size_t i = 0; i < interleaved_group_size; ++i) {

                r_shifts_pos.emplace_back(current_r_shift_pos);

                r_shifts_neg.emplace_back(current_r_shift_neg);

                current_r_shift_pos *= r;

                current_r_shift_neg *= (-r);

            }


            for (auto [group_commitments, interleaved_evaluation] : zip_view(

                     claim_batcher.get_interleaved().commitments_groups, claim_batcher.get_interleaved().evaluations)) {

                // Compute the contribution from each group j of commitments Gⱼ = {C₀, C₁, C₂, C₃, ..., Cₛ₋₁} where s is

                // assumed even

                // C_P_pos += ∑ᵢ ρᵏ⁺ᵐ⁺ʲ⋅ rⁱ ⋅ Cᵢ

                // C_P_neg += ∑ᵢ ρᵏ⁺ᵐ⁺ʲ⋅ (-r)ⁱ ⋅ Cᵢ

                for (size_t i = 0; i < interleaved_group_size; ++i) {

                    C_P_pos += group_commitments[i] * batching_scalar * r_shifts_pos[i];

                    C_P_neg += group_commitments[i] * batching_scalar * r_shifts_neg[i];

                }

                batched_evaluation += interleaved_evaluation * batching_scalar;

                batching_scalar *= rho;

            }

        }


        Fr p_neg = Fr(0);

        Fr p_pos = Fr(0);

        if (has_interleaved) {

            p_pos = transcript->template receive_from_prover<Fr>("Gemini:P_0_pos");

            p_neg = transcript->template receive_from_prover<Fr>("Gemini:P_0_neg");

        }

        std::vector<Fr> padding_indicator_array(log_n, Fr{ 1 });


        // Compute the evaluations  Aₗ(r^{2ˡ}) for l = 0, ..., m-1

        std::vector<Fr> gemini_fold_pos_evaluations = compute_fold_pos_evaluations(

            padding_indicator_array, batched_evaluation, multilinear_challenge, r_squares, evaluations, p_neg);

        // Extract the evaluation A₀(r) = A₀₊(r) + P₊(r^s)

        auto full_a_0_pos = gemini_fold_pos_evaluations[0];

        std::vector<OpeningClaim<Curve>> fold_polynomial_opening_claims;

        fold_polynomial_opening_claims.reserve(2 * log_n + 2);


        // ( [A₀₊], r, A₀₊(r) )

        fold_polynomial_opening_claims.emplace_back(OpeningClaim<Curve>{ { r, full_a_0_pos - p_pos }, C0_r_pos });

        // ( [A₀₋], -r, A₀-(-r) )

        fold_polynomial_opening_claims.emplace_back(OpeningClaim<Curve>{ { -r, evaluations[0] }, C0_r_neg });

        for (size_t l = 0; l < log_n - 1; ++l) {

            // ([Aₗ], r^{2ˡ}, Aₗ(r^{2ˡ}) )

            fold_polynomial_opening_claims.emplace_back(

                OpeningClaim<Curve>{ { r_squares[l + 1], gemini_fold_pos_evaluations[l + 1] }, commitments[l] });

            // ([Aₗ], −r^{2ˡ}, Aₗ(−r^{2ˡ}) )

            fold_polynomial_opening_claims.emplace_back(

                OpeningClaim<Curve>{ { -r_squares[l + 1], evaluations[l + 1] }, commitments[l] });

        }

        if (has_interleaved) {

            uint32_t interleaved_group_size = claim_batcher.get_groups_to_be_interleaved_size();

            Fr r_pow = r.pow(interleaved_group_size);

            fold_polynomial_opening_claims.emplace_back(OpeningClaim<Curve>{ { r_pow, p_pos }, C_P_pos });

            fold_polynomial_opening_claims.emplace_back(OpeningClaim<Curve>{ { r_pow, p_neg }, C_P_neg });

        }


        return fold_polynomial_opening_claims;

    }


    static std::vector<Commitment> get_fold_commitments([[maybe_unused]] const size_t virtual_log_n, auto& transcript)

    {

        std::vector<Commitment> fold_commitments;

        fold_commitments.reserve(virtual_log_n - 1);

        for (size_t i = 0; i < virtual_log_n - 1; ++i) {

            const Commitment commitment =

                transcript->template receive_from_prover<Commitment>("Gemini:FOLD_" + std::to_string(i + 1));

            fold_commitments.emplace_back(commitment);

        }

        return fold_commitments;

    }


    static std::vector<Fr> get_gemini_evaluations(const size_t virtual_log_n, auto& transcript)

    {

        std::vector<Fr> gemini_evaluations;

        gemini_evaluations.reserve(virtual_log_n);


        for (size_t i = 1; i <= virtual_log_n; ++i) {

            const Fr evaluation = transcript->template receive_from_prover<Fr>("Gemini:a_" + std::to_string(i));

            gemini_evaluations.emplace_back(evaluation);

        }

        return gemini_evaluations;

    }


    static std::vector<Fr> compute_fold_pos_evaluations(std::span<const Fr> padding_indicator_array,

                                                        const Fr& batched_evaluation,

                                                        std::span<const Fr> evaluation_point, // size = virtual_log_n

                                                        std::span<const Fr> challenge_powers, // size = virtual_log_n

                                                        std::span<const Fr> fold_neg_evals,   // size = virtual_log_n

                                                        Fr p_neg = Fr(0))

    {

        const size_t virtual_log_n = evaluation_point.size();


        std::vector<Fr> evals(fold_neg_evals.begin(), fold_neg_evals.end());


        Fr eval_pos_prev = batched_evaluation;


        Fr zero{ 0 };

        if constexpr (Curve::is_stdlib_type) {

            zero.convert_constant_to_fixed_witness(fold_neg_evals[0].get_context());

        }


        std::vector<Fr> fold_pos_evaluations;

        fold_pos_evaluations.reserve(virtual_log_n);


        // Add the contribution of P-((-r)ˢ) to get A_0(-r), which is 0 if there are no interleaved polynomials

        evals[0] += p_neg;

        // Solve the sequence of linear equations

        for (size_t l = virtual_log_n; l != 0; --l) {

            // Get r²⁽ˡ⁻¹⁾

            const Fr& challenge_power = challenge_powers[l - 1];

            // Get uₗ₋₁

            const Fr& u = evaluation_point[l - 1];

            const Fr& eval_neg = evals[l - 1];

            // Get A₍ₗ₋₁₎(−r²⁽ˡ⁻¹⁾)

            // Compute the numerator

            Fr eval_pos = ((challenge_power * eval_pos_prev * 2) - eval_neg * (challenge_power * (Fr(1) - u) - u));

            // Divide by the denominator

            eval_pos *= (challenge_power * (Fr(1) - u) + u).invert();


            // If current index is bigger than log_n, we propagate `batched_evaluation` to the next

            // round.  Otherwise, current `eval_pos` A₍ₗ₋₁₎(−r²⁽ˡ⁻¹⁾) becomes `eval_pos_prev` in the round l-2.

            eval_pos_prev =

                padding_indicator_array[l - 1] * eval_pos + (Fr{ 1 } - padding_indicator_array[l - 1]) * eval_pos_prev;

            // If current index is bigger than log_n, we emplace 0, which is later multiplied against

            // Commitment::one().

            fold_pos_evaluations.emplace_back(padding_indicator_array[l - 1] * eval_pos_prev);

        }


        std::reverse(fold_pos_evaluations.begin(), fold_pos_evaluations.end());


        return fold_pos_evaluations;

    }

};


} // namespace bb

BB_ASSERT_EQ
#define BB_ASSERT_EQ(actual, expected,...)
Definition assert.hpp:59

claim.hpp

claim_batcher.hpp

bb::CommitmentKey
CommitmentKey object over a pairing group 𝔾₁.
Definition commitment_key.hpp:40

bb::GeminiProver_::PolynomialBatcher
Class responsible for computation of the batched multilinear polynomials required by the Gemini proto...
Definition gemini.hpp:123

bb::GeminiProver_::PolynomialBatcher::compute_partially_evaluated_interleaved_polynomial
std::pair< Polynomial, Polynomial > compute_partially_evaluated_interleaved_polynomial(const Fr &r_challenge)
Compute the partially evaluated polynomials P₊(X, r) and P₋(X, -r)
Definition gemini.hpp:298

bb::GeminiProver_::PolynomialBatcher::set_to_be_shifted_by_one
void set_to_be_shifted_by_one(RefVector< Polynomial > polynomials)
Definition gemini.hpp:161

bb::GeminiProver_::PolynomialBatcher::has_random_polynomial
bool has_random_polynomial
Definition gemini.hpp:129

bb::GeminiProver_::PolynomialBatcher::batched_unshifted_initialized
bool batched_unshifted_initialized
Definition gemini.hpp:126

bb::GeminiProver_::PolynomialBatcher::has_to_be_shifted_by_one
bool has_to_be_shifted_by_one() const
Definition gemini.hpp:155

bb::GeminiProver_::PolynomialBatcher::set_interleaved
void set_interleaved(RefVector< Polynomial > results, std::vector< RefVector< Polynomial > > groups)
Definition gemini.hpp:177

bb::GeminiProver_::PolynomialBatcher::set_random_polynomial
void set_random_polynomial(Polynomial &&random)
Definition gemini.hpp:171

bb::GeminiProver_::PolynomialBatcher::interleaved
RefVector< Polynomial > interleaved
Definition gemini.hpp:134

bb::GeminiProver_::PolynomialBatcher::groups_to_be_interleaved
std::vector< RefVector< Polynomial > > groups_to_be_interleaved
Definition gemini.hpp:135

bb::GeminiProver_::PolynomialBatcher::batched_to_be_shifted_by_k
Polynomial batched_to_be_shifted_by_k
Definition gemini.hpp:141

bb::GeminiProver_::PolynomialBatcher::has_to_be_shifted_by_k
bool has_to_be_shifted_by_k() const
Definition gemini.hpp:156

bb::GeminiProver_::PolynomialBatcher::random_polynomial
Polynomial random_polynomial
Definition gemini.hpp:128

bb::GeminiProver_::PolynomialBatcher::get_group_size
size_t get_group_size()
Definition gemini.hpp:315

bb::GeminiProver_::PolynomialBatcher::to_be_shifted_by_k
RefVector< Polynomial > to_be_shifted_by_k
Definition gemini.hpp:133

bb::GeminiProver_::PolynomialBatcher::set_to_be_shifted_by_k
void set_to_be_shifted_by_k(RefVector< Polynomial > polynomials, const size_t shift_magnitude)
Definition gemini.hpp:162

bb::GeminiProver_::PolynomialBatcher::compute_batched
Polynomial compute_batched(const Fr &challenge, Fr &running_scalar)
Compute batched polynomial A₀ = F + G/X as the linear combination of all polynomials to be opened.
Definition gemini.hpp:195

bb::GeminiProver_::PolynomialBatcher::set_unshifted
void set_unshifted(RefVector< Polynomial > polynomials)
Definition gemini.hpp:160

bb::GeminiProver_::PolynomialBatcher::batched_interleaved
Polynomial batched_interleaved
Definition gemini.hpp:142

bb::GeminiProver_::PolynomialBatcher::batched_group
std::vector< Polynomial > batched_group
Definition gemini.hpp:145

bb::GeminiProver_::PolynomialBatcher::batched_unshifted
Polynomial batched_unshifted
Definition gemini.hpp:139

bb::GeminiProver_::PolynomialBatcher::full_batched_size
size_t full_batched_size
Definition gemini.hpp:125

bb::GeminiProver_::PolynomialBatcher::to_be_shifted_by_one
RefVector< Polynomial > to_be_shifted_by_one
Definition gemini.hpp:132

bb::GeminiProver_::PolynomialBatcher::compute_partially_evaluated_batch_polynomials
std::pair< Polynomial, Polynomial > compute_partially_evaluated_batch_polynomials(const Fr &r_challenge)
Compute partially evaluated batched polynomials A₀(X, r) = A₀₊ = F + G/r, A₀(X, -r) = A₀₋ = F - G/r.
Definition gemini.hpp:257

bb::GeminiProver_::PolynomialBatcher::has_interleaved
bool has_interleaved() const
Definition gemini.hpp:157

bb::GeminiProver_::PolynomialBatcher::k_shift_magnitude
size_t k_shift_magnitude
Definition gemini.hpp:137

bb::GeminiProver_::PolynomialBatcher::unshifted
RefVector< Polynomial > unshifted
Definition gemini.hpp:131

bb::GeminiProver_::PolynomialBatcher::has_unshifted
bool has_unshifted() const
Definition gemini.hpp:154

bb::GeminiProver_::PolynomialBatcher::batched_to_be_shifted_by_one
Polynomial batched_to_be_shifted_by_one
Definition gemini.hpp:140

bb::GeminiProver_::PolynomialBatcher::PolynomialBatcher
PolynomialBatcher(const size_t full_batched_size)
Definition gemini.hpp:148

bb::GeminiProver_
Definition gemini.hpp:103

bb::GeminiProver_::Polynomial
bb::Polynomial< Fr > Polynomial
Definition gemini.hpp:106

bb::GeminiProver_::construct_univariate_opening_claims
static std::vector< Claim > construct_univariate_opening_claims(const size_t log_n, Polynomial &&A_0_pos, Polynomial &&A_0_neg, std::vector< Polynomial > &&fold_polynomials, const Fr &r_challenge)
Computes/aggragates d+1 univariate polynomial opening claims of the form {polynomial,...
Definition gemini_impl.hpp:243

bb::GeminiProver_::Fr
typename Curve::ScalarField Fr
Definition gemini.hpp:104

bb::GeminiProver_::prove
static std::vector< Claim > prove(const Fr circuit_size, PolynomialBatcher &polynomial_batcher, std::span< Fr > multilinear_challenge, const CommitmentKey< Curve > &commitment_key, const std::shared_ptr< Transcript > &transcript, bool has_zk=false)

bb::GeminiProver_::compute_partially_evaluated_batch_polynomials
static std::pair< Polynomial, Polynomial > compute_partially_evaluated_batch_polynomials(const size_t log_n, PolynomialBatcher &polynomial_batcher, const Fr &r_challenge, const std::vector< Polynomial > &batched_groups_to_be_concatenated={})

bb::GeminiProver_::Commitment
typename Curve::AffineElement Commitment
Definition gemini.hpp:105

bb::GeminiProver_::compute_fold_polynomials
static std::vector< Polynomial > compute_fold_polynomials(const size_t log_n, std::span< const Fr > multilinear_challenge, const Polynomial &A_0, const bool &has_zk=false)
Computes d-1 fold polynomials Fold_i, i = 1, ..., d-1.
Definition gemini_impl.hpp:139

bb::GeminiVerifier_
Definition gemini.hpp:345

bb::GeminiVerifier_::reduce_verification
static std::vector< OpeningClaim< Curve > > reduce_verification(std::span< Fr > multilinear_challenge, ClaimBatcher &claim_batcher, auto &transcript)
Returns univariate opening claims for the Fold polynomials to be checked later.
Definition gemini.hpp:364

bb::GeminiVerifier_::Fr
typename Curve::ScalarField Fr
Definition gemini.hpp:346

bb::GeminiVerifier_::get_fold_commitments
static std::vector< Commitment > get_fold_commitments(const size_t virtual_log_n, auto &transcript)
Receive the fold commitments from the prover. This method is used by Shplemini where padding may be e...
Definition gemini.hpp:493

bb::GeminiVerifier_::get_gemini_evaluations
static std::vector< Fr > get_gemini_evaluations(const size_t virtual_log_n, auto &transcript)
Receive the fold evaluations from the prover. This method is used by Shplemini where padding may be e...
Definition gemini.hpp:514

bb::GeminiVerifier_::GroupElement
typename Curve::Element GroupElement
Definition gemini.hpp:347

bb::GeminiVerifier_::Commitment
typename Curve::AffineElement Commitment
Definition gemini.hpp:348

bb::OpeningClaim
Unverified claim (C,r,v) for some witness polynomial p(X) such that.
Definition claim.hpp:53

bb::Polynomial
Structured polynomial class that represents the coefficients 'a' of a_0 + a_1 x .....
Definition polynomial.hpp:74

bb::Polynomial::shifted
Polynomial shifted() const
Returns a Polynomial the left-shift of self.
Definition polynomial.cpp:351

bb::Polynomial::right_shifted
Polynomial right_shifted(const size_t magnitude) const
Returns a Polynomial equal to the right-shift-by-magnitude of self.
Definition polynomial.cpp:361

bb::Polynomial::add_scaled
void add_scaled(PolynomialSpan< const Fr > other, Fr scaling_factor) &
adds the polynomial q(X) 'other', multiplied by a scaling factor.
Definition polynomial.cpp:335

bb::ProverOpeningClaim
Polynomial p and an opening pair (r,v) such that p(r) = v.
Definition claim.hpp:34

bb::RefVector
A template class for a reference vector. Behaves as if std::vector<T&> was possible.
Definition ref_vector.hpp:23

bb::curve::Grumpkin::Element
typename Group::element Element
Definition grumpkin.hpp:55

bb::curve::Grumpkin::is_stdlib_type
static constexpr bool is_stdlib_type
Definition grumpkin.hpp:62

bb::curve::Grumpkin::AffineElement
typename Group::affine_element AffineElement
Definition grumpkin.hpp:56

bb::curve::Grumpkin::ScalarField
bb::fq ScalarField
Definition grumpkin.hpp:52

zip_view
Definition zip_view.hpp:166

bb::gemini::powers_of_evaluation_challenge
std::vector< Fr > powers_of_evaluation_challenge(const Fr r, const size_t num_squares)
Compute squares of folding challenge r.
Definition gemini.hpp:92

bb::gemini::powers_of_rho
std::vector< Fr > powers_of_rho(const Fr rho, const size_t num_powers)
Compute powers of challenge ρ
Definition gemini.hpp:75

bb
Entry point for Barretenberg command-line interface.
Definition acir_format_getters.cpp:6

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

std::to_string
std::string to_string(bb::avm2::ValueTag tag)
Definition tagged_value.cpp:399

Fr
Curve::ScalarField Fr
Definition pippenger.bench.cpp:28

polynomial.hpp

bb::ClaimBatcher_::Batch::commitments
RefVector< Commitment > commitments
Definition claim_batcher.hpp:32

bb::ClaimBatcher_::Batch::evaluations
RefVector< Fr > evaluations
Definition claim_batcher.hpp:33

bb::ClaimBatcher_::InterleavedBatch::evaluations
RefVector< Fr > evaluations
Definition claim_batcher.hpp:39

bb::ClaimBatcher_::InterleavedBatch::commitments_groups
std::vector< RefVector< Commitment > > commitments_groups
Definition claim_batcher.hpp:38

bb::ClaimBatcher_
Logic to support batching opening claims for unshifted and shifted polynomials in Shplemini.
Definition claim_batcher.hpp:27

bb::ClaimBatcher_::get_groups_to_be_interleaved_size
uint32_t get_groups_to_be_interleaved_size()
Definition claim_batcher.hpp:55

bb::ClaimBatcher_::get_shifted
Batch get_shifted()
Definition claim_batcher.hpp:52

bb::ClaimBatcher_::get_interleaved
InterleavedBatch get_interleaved()
Definition claim_batcher.hpp:54

bb::ClaimBatcher_::interleaved
std::optional< InterleavedBatch > interleaved
Definition claim_batcher.hpp:48

bb::ClaimBatcher_::get_unshifted
Batch get_unshifted()
Definition claim_batcher.hpp:51

bb::field< Bn254FrParams >

bb::field::invert
constexpr field invert() const noexcept
Definition field_impl.hpp:378

throw_or_abort
void throw_or_abort(std::string const &err)
Definition throw_or_abort.hpp:6

transcript.hpp