Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
oink_prover.cpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: not started, auditors: [], date: YYYY-MM-DD }
3// external_1: { status: not started, auditors: [], date: YYYY-MM-DD }
4// external_2: { status: not started, auditors: [], date: YYYY-MM-DD }
5// =====================
6
7#include "barretenberg/ultra_honk/oink_prover.hpp"
8#include "barretenberg/common/op_count.hpp"
9#include "barretenberg/honk/proving_key_inspector.hpp"
10#include "barretenberg/relations/logderiv_lookup_relation.hpp"
11#include "barretenberg/ultra_honk/witness_computation.hpp"
12
13namespace bb {
14
20template <IsUltraOrMegaHonk Flavor> void OinkProver<Flavor>::prove()
21{
22 if (!proving_key->commitment_key.initialized()) {
23 proving_key->commitment_key = CommitmentKey(proving_key->dyadic_size());
24 }
25 {
26
27 PROFILE_THIS_NAME("execute_preamble_round");
28
29 // Add circuit size public input size and public inputs to transcript->
30 execute_preamble_round();
31 }
32 {
33
34 PROFILE_THIS_NAME("execute_wire_commitments_round");
35
36 // Compute first three wire commitments
37 execute_wire_commitments_round();
38 }
39 {
40
41 PROFILE_THIS_NAME("execute_sorted_list_accumulator_round");
42
43 // Compute sorted list accumulator and commitment
44 execute_sorted_list_accumulator_round();
45 }
46
47 {
48
49 PROFILE_THIS_NAME("execute_log_derivative_inverse_round");
50
51 // Fiat-Shamir: beta & gamma
52 execute_log_derivative_inverse_round();
53 }
54
55 {
56
57 PROFILE_THIS_NAME("execute_grand_product_computation_round");
58
59 // Compute grand product(s) and commitments.
60 execute_grand_product_computation_round();
61 }
62
63 // Generate relation separators alphas for sumcheck/combiner computation
64 proving_key->alphas = generate_alphas_round();
65
66 // #ifndef __wasm__
67 // Free the commitment key
68 proving_key->commitment_key = CommitmentKey();
69 // #endif
70
71 proving_key->is_complete = true;
72}
73
78template <IsUltraOrMegaHonk Flavor> typename OinkProver<Flavor>::Proof OinkProver<Flavor>::export_proof()
79{
80 return transcript->export_proof();
81}
82
87template <IsUltraOrMegaHonk Flavor> void OinkProver<Flavor>::execute_preamble_round()
88{
89 PROFILE_THIS_NAME("OinkProver::execute_preamble_round");
90 fr vk_hash = honk_vk->hash_through_transcript(domain_separator, *transcript);
91 transcript->add_to_hash_buffer(domain_separator + "vk_hash", vk_hash);
92 vinfo("vk hash in Oink prover: ", vk_hash);
93
94 for (size_t i = 0; i < proving_key->num_public_inputs(); ++i) {
95 auto public_input_i = proving_key->public_inputs[i];
96 transcript->send_to_verifier(domain_separator + "public_input_" + std::to_string(i), public_input_i);
97 }
98}
99
105template <IsUltraOrMegaHonk Flavor> void OinkProver<Flavor>::execute_wire_commitments_round()
106{
107 PROFILE_THIS_NAME("OinkProver::execute_wire_commitments_round");
108 // Commit to the first three wire polynomials
109 // We only commit to the fourth wire polynomial after adding memory recordss
110 {
111 PROFILE_THIS_NAME("COMMIT::wires");
112 auto commit_type = (proving_key->get_is_structured()) ? CommitmentKey::CommitType::Structured
113 : CommitmentKey::CommitType::Default;
114
115 commit_to_witness_polynomial(proving_key->polynomials.w_l, commitment_labels.w_l, commit_type);
116 commit_to_witness_polynomial(proving_key->polynomials.w_r, commitment_labels.w_r, commit_type);
117 commit_to_witness_polynomial(proving_key->polynomials.w_o, commitment_labels.w_o, commit_type);
118 }
119
120 if constexpr (IsMegaFlavor<Flavor>) {
121
122 // Commit to Goblin ECC op wires.
123 // To avoid possible issues with the current work on the merge protocol, they are not
124 // masked in MegaZKFlavor
125 for (auto [polynomial, label] :
126 zip_view(proving_key->polynomials.get_ecc_op_wires(), commitment_labels.get_ecc_op_wires())) {
127 {
128 PROFILE_THIS_NAME("COMMIT::ecc_op_wires");
129 transcript->send_to_verifier(domain_separator + label, proving_key->commitment_key.commit(polynomial));
130 };
131 }
132
133 // Commit to DataBus related polynomials
134 for (auto [polynomial, label] :
135 zip_view(proving_key->polynomials.get_databus_entities(), commitment_labels.get_databus_entities())) {
136 {
137 PROFILE_THIS_NAME("COMMIT::databus");
138 commit_to_witness_polynomial(polynomial, label);
139 }
140 }
141 }
142}
143
148template <IsUltraOrMegaHonk Flavor> void OinkProver<Flavor>::execute_sorted_list_accumulator_round()
149{
150 PROFILE_THIS_NAME("OinkProver::execute_sorted_list_accumulator_round");
151 // Get eta challenges
152 auto [eta, eta_two, eta_three] = transcript->template get_challenges<FF>(
153 domain_separator + "eta", domain_separator + "eta_two", domain_separator + "eta_three");
154 proving_key->relation_parameters.eta = eta;
155 proving_key->relation_parameters.eta_two = eta_two;
156 proving_key->relation_parameters.eta_three = eta_three;
157
158 WitnessComputation<Flavor>::add_ram_rom_memory_records_to_wire_4(proving_key->polynomials,
159 proving_key->memory_read_records,
160 proving_key->memory_write_records,
161 eta,
162 eta_two,
163 eta_three);
164
165 // Commit to lookup argument polynomials and the finalized (i.e. with memory records) fourth wire polynomial
166 {
167 PROFILE_THIS_NAME("COMMIT::lookup_counts_tags");
168 commit_to_witness_polynomial(proving_key->polynomials.lookup_read_counts,
169 commitment_labels.lookup_read_counts,
170 CommitmentKey::CommitType::Sparse);
171
172 commit_to_witness_polynomial(proving_key->polynomials.lookup_read_tags,
173 commitment_labels.lookup_read_tags,
174 CommitmentKey::CommitType::Sparse);
175 }
176 {
177 PROFILE_THIS_NAME("COMMIT::wires");
178 auto commit_type = (proving_key->get_is_structured()) ? CommitmentKey::CommitType::Structured
179 : CommitmentKey::CommitType::Default;
180 commit_to_witness_polynomial(
181 proving_key->polynomials.w_4, domain_separator + commitment_labels.w_4, commit_type);
182 }
183}
184
189template <IsUltraOrMegaHonk Flavor> void OinkProver<Flavor>::execute_log_derivative_inverse_round()
190{
191 PROFILE_THIS_NAME("OinkProver::execute_log_derivative_inverse_round");
192 auto [beta, gamma] = transcript->template get_challenges<FF>(domain_separator + "beta", domain_separator + "gamma");
193 proving_key->relation_parameters.beta = beta;
194 proving_key->relation_parameters.gamma = gamma;
195
196 // Compute the inverses used in log-derivative lookup relations
197 WitnessComputation<Flavor>::compute_logderivative_inverses(
198 proving_key->polynomials, proving_key->dyadic_size(), proving_key->relation_parameters);
199
200 {
201 PROFILE_THIS_NAME("COMMIT::lookup_inverses");
202 commit_to_witness_polynomial(proving_key->polynomials.lookup_inverses,
203 commitment_labels.lookup_inverses,
204 CommitmentKey::CommitType::Sparse);
205 }
206
207 // If Mega, commit to the databus inverse polynomials and send
208 if constexpr (IsMegaFlavor<Flavor>) {
209 for (auto [polynomial, label] :
210 zip_view(proving_key->polynomials.get_databus_inverses(), commitment_labels.get_databus_inverses())) {
211 {
212 PROFILE_THIS_NAME("COMMIT::databus_inverses");
213 commit_to_witness_polynomial(polynomial, label, CommitmentKey::CommitType::Sparse);
214 }
215 };
216 }
217}
218
223template <IsUltraOrMegaHonk Flavor> void OinkProver<Flavor>::execute_grand_product_computation_round()
224{
225 PROFILE_THIS_NAME("OinkProver::execute_grand_product_computation_round");
226 // Compute the permutation grand product polynomial
227
228 WitnessComputation<Flavor>::compute_grand_product_polynomial(proving_key->polynomials,
229 proving_key->public_inputs,
230 proving_key->pub_inputs_offset(),
231 proving_key->active_region_data,
232 proving_key->relation_parameters,
233 proving_key->get_final_active_wire_idx() + 1);
234
235 {
236 PROFILE_THIS_NAME("COMMIT::z_perm");
237 auto commit_type = (proving_key->get_is_structured()) ? CommitmentKey::CommitType::StructuredNonZeroComplement
238 : CommitmentKey::CommitType::Default;
239 commit_to_witness_polynomial(proving_key->polynomials.z_perm, commitment_labels.z_perm, commit_type);
240 }
241}
242
243template <IsUltraOrMegaHonk Flavor> typename Flavor::SubrelationSeparators OinkProver<Flavor>::generate_alphas_round()
244{
245 PROFILE_THIS_NAME("OinkProver::generate_alphas_round");
246
247 // Get the relation separation challenges for sumcheck/combiner computation
248 std::array<std::string, Flavor::NUM_SUBRELATIONS - 1> challenge_labels;
249
250 for (size_t idx = 0; idx < Flavor::NUM_SUBRELATIONS - 1; ++idx) {
251 challenge_labels[idx] = domain_separator + "alpha_" + std::to_string(idx);
252 }
253 // It is more efficient to generate an array of challenges than to generate them individually.
254 SubrelationSeparators alphas = transcript->template get_challenges<FF>(challenge_labels);
255
256 return alphas;
257}
258
266template <IsUltraOrMegaHonk Flavor>
267void OinkProver<Flavor>::commit_to_witness_polynomial(Polynomial<FF>& polynomial,
268 const std::string& label,
269 const CommitmentKey::CommitType type)
270{
271 // Mask the polynomial when proving in zero-knowledge
272 if constexpr (Flavor::HasZK) {
273 polynomial.mask();
274 };
275
276 typename Flavor::Commitment commitment;
277
278 commitment =
279 proving_key->commitment_key.commit_with_type(polynomial, type, proving_key->active_region_data.get_ranges());
280 // Send the commitment to the verifier
281 transcript->send_to_verifier(domain_separator + label, commitment);
282}
283
284template class OinkProver<UltraFlavor>;
285template class OinkProver<UltraZKFlavor>;
286template class OinkProver<UltraKeccakFlavor>;
287#ifdef STARKNET_GARAGA_FLAVORS
288template class OinkProver<UltraStarknetFlavor>;
289template class OinkProver<UltraStarknetZKFlavor>;
290#endif
291template class OinkProver<UltraKeccakZKFlavor>;
292template class OinkProver<UltraRollupFlavor>;
293template class OinkProver<MegaFlavor>;
294template class OinkProver<MegaZKFlavor>;
295
296} // namespace bb
bb::MegaFlavor::SubrelationSeparators
std::array< FF, NUM_SUBRELATIONS - 1 > SubrelationSeparators
Definition mega_flavor.hpp:126
bb::MegaFlavor::NUM_SUBRELATIONS
static constexpr size_t NUM_SUBRELATIONS
Definition mega_flavor.hpp:125
bb::MegaFlavor::HasZK
static constexpr bool HasZK
Definition mega_flavor.hpp:53
bb::MegaFlavor::Commitment
Curve::AffineElement Commitment
Definition mega_flavor.hpp:39
bb::OinkProver
Class for all the oink rounds, which are shared between the folding prover and ultra prover.
Definition oink_prover.hpp:40
bb::OinkProver::export_proof
Proof export_proof()
Export the Oink proof.
Definition oink_prover.cpp:78
bb::OinkProver::execute_log_derivative_inverse_round
void execute_log_derivative_inverse_round()
Compute log derivative inverse polynomial and its commitment, if required.
Definition oink_prover.cpp:189
bb::OinkProver::execute_grand_product_computation_round
void execute_grand_product_computation_round()
Compute permutation and lookup grand product polynomials and their commitments.
Definition oink_prover.cpp:223
bb::OinkProver::prove
void prove()
Oink Prover function that runs all the rounds of the verifier.
Definition oink_prover.cpp:20
bb::OinkProver::execute_preamble_round
void execute_preamble_round()
Add circuit size, public input size, and public inputs to transcript.
Definition oink_prover.cpp:87
bb::OinkProver::CommitmentKey
typename Flavor::CommitmentKey CommitmentKey
Definition oink_prover.hpp:41
bb::OinkProver::generate_alphas_round
SubrelationSeparators generate_alphas_round()
Definition oink_prover.cpp:243
bb::OinkProver::execute_sorted_list_accumulator_round
void execute_sorted_list_accumulator_round()
Compute sorted witness-table accumulator and commit to the resulting polynomials.
Definition oink_prover.cpp:148
bb::OinkProver::SubrelationSeparators
typename Flavor::SubrelationSeparators SubrelationSeparators
Definition oink_prover.hpp:56
bb::OinkProver::commit_to_witness_polynomial
void commit_to_witness_polynomial(Polynomial< FF > &polynomial, const std::string &label, const CommitmentKey::CommitType type=CommitmentKey::CommitType::Default)
A uniform method to mask, commit, and send the corresponding commitment to the verifier.
Definition oink_prover.cpp:267
bb::OinkProver::execute_wire_commitments_round
void execute_wire_commitments_round()
Commit to the wire polynomials (part of the witness), with the exception of the fourth wire,...
Definition oink_prover.cpp:105
bb::OinkProver::Proof
typename Transcript::Proof Proof
Definition oink_prover.hpp:46
bb::Polynomial
Structured polynomial class that represents the coefficients 'a' of a_0 + a_1 x .....
Definition polynomial.hpp:74
bb::Polynomial::mask
void mask()
Add random values to the coefficients of a polynomial. In practice, this is used for ensuring the com...
Definition polynomial.hpp:280
bb::WitnessComputation::compute_logderivative_inverses
static void compute_logderivative_inverses(Flavor::ProverPolynomials &polynomials, const size_t circuit_size, RelationParameters< FF > &relation_parameters)
Compute the inverse polynomials used in the log derivative lookup relations.
Definition witness_computation.cpp:71
bb::WitnessComputation::add_ram_rom_memory_records_to_wire_4
static void add_ram_rom_memory_records_to_wire_4(typename Flavor::ProverPolynomials &polynomials, const std::vector< uint32_t > &memory_read_records, const std::vector< uint32_t > &memory_write_records, const FF &eta, const FF &eta_two, const FF &eta_three)
Add RAM/ROM memory records to the fourth wire polynomial.
Definition witness_computation.cpp:35
bb::WitnessComputation::compute_grand_product_polynomial
static void compute_grand_product_polynomial(Flavor::ProverPolynomials &polynomials, std::vector< FF > &public_inputs, const size_t pub_inputs_offset, ActiveRegionData &active_region_data, RelationParameters< FF > &relation_parameters, size_t size_override=0)
Computes public_input_delta and the permutation grand product polynomial.
Definition witness_computation.cpp:102
zip_view
Definition zip_view.hpp:166
vinfo
void vinfo(Args... args)
Definition log.hpp:76
logderiv_lookup_relation.hpp
bb
Entry point for Barretenberg command-line interface.
Definition acir_format_getters.cpp:6
std::to_string
std::string to_string(bb::avm2::ValueTag tag)
Definition tagged_value.cpp:399
oink_prover.hpp
op_count.hpp
PROFILE_THIS_NAME
#define PROFILE_THIS_NAME(name)
Definition op_count.hpp:16
proving_key_inspector.hpp
witness_computation.hpp