Barretenberg: src/barretenberg/vm2/constraining/prover.cpp Source File

#include "barretenberg/vm2/constraining/prover.hpp"


#include "barretenberg/commitment_schemes/claim.hpp"

#include "barretenberg/commitment_schemes/commitment_key.hpp"

#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp"

#include "barretenberg/common/constexpr_utils.hpp"

#include "barretenberg/common/thread.hpp"

#include "barretenberg/honk/library/grand_product_library.hpp"

#include "barretenberg/honk/proof_system/logderivative_library.hpp"

#include "barretenberg/relations/permutation_relation.hpp"

#include "barretenberg/sumcheck/sumcheck.hpp"

#include "barretenberg/vm2/common/constants.hpp"

#include "barretenberg/vm2/tooling/stats.hpp"


namespace bb::avm2 {


using Flavor = AvmFlavor;

using FF = Flavor::FF;


AvmProver::AvmProver(std::shared_ptr<Flavor::ProvingKey> input_key,

                     std::shared_ptr<Flavor::VerificationKey> vk,

                     const PCSCommitmentKey& commitment_key)

    : key(std::move(input_key))

    , vk(std::move(vk))

    , prover_polynomials(*key)

    , commitment_key(commitment_key)

{}


void AvmProver::execute_preamble_round()

{

    // TODO(#15892): Fiat-shamir the vk hash by uncommenting the line below.

    FF vk_hash = vk->hash();

    // transcript->add_to_hash_buffer("avm_vk_hash", vk_hash);

    info("AVM vk hash in prover: ", vk_hash);

}


void AvmProver::execute_wire_commitments_round()

{

    // Commit to all polynomials (apart from logderivative inverse polynomials, which are committed to in the later

    // logderivative phase)

    auto wire_polys = prover_polynomials.get_wires();

    const auto& labels = prover_polynomials.get_wires_labels();

    for (size_t idx = 0; idx < wire_polys.size(); ++idx) {

        auto comm = commitment_key.commit(wire_polys[idx]);

        transcript->send_to_verifier(labels[idx], comm);

    }

}


void AvmProver::execute_log_derivative_inverse_round()

{

    auto [beta, gamma] = transcript->template get_challenges<FF>("beta", "gamma");

    relation_parameters.beta = beta;

    relation_parameters.gamma = gamma;

    std::vector<std::function<void()>> tasks;


    bb::constexpr_for<0, std::tuple_size_v<Flavor::LookupRelations>, 1>([&]<size_t relation_idx>() {

        using Relation = std::tuple_element_t<relation_idx, Flavor::LookupRelations>;

        tasks.push_back([&]() {

            AVM_TRACK_TIME(std::string("prove/log_derivative_inverse_round/") + std::string(Relation::NAME),

                           (compute_logderivative_inverse<FF, Relation>(

                               prover_polynomials, relation_parameters, key->circuit_size)));

        });

    });


    bb::parallel_for(tasks.size(), [&](size_t i) { tasks[i](); });

}


void AvmProver::execute_log_derivative_inverse_commitments_round()

{

    // Commit to all logderivative inverse polynomials

    for (auto [commitment, key_poly] : zip_view(witness_commitments.get_derived(), key->get_derived())) {

        commitment = commitment_key.commit(key_poly);

    }


    // Send all commitments to the verifier

    for (auto [label, commitment] :

         zip_view(prover_polynomials.get_derived_labels(), witness_commitments.get_derived())) {

        transcript->send_to_verifier(label, commitment);

    }

}


void AvmProver::execute_relation_check_rounds()

{

    using Sumcheck = SumcheckProver<Flavor>;


    // Multiply each linearly independent subrelation contribution by `alpha^i` for i = 0, ..., NUM_SUBRELATIONS - 1.

    const FF alpha = transcript->template get_challenge<FF>("Sumcheck:alpha");


    // Generate gate challenges

    std::vector<FF> gate_challenges =

        transcript->template get_powers_of_challenge<FF>("Sumcheck:gate_challenge", key->log_circuit_size);


    Sumcheck sumcheck(key->circuit_size,

                      prover_polynomials,

                      transcript,

                      alpha,

                      gate_challenges,

                      relation_parameters,

                      key->log_circuit_size);


    sumcheck_output = sumcheck.prove();

}


void AvmProver::execute_pcs_rounds()

{

    using OpeningClaim = ProverOpeningClaim<Curve>;

    using PolynomialBatcher = GeminiProver_<Curve>::PolynomialBatcher;


    PolynomialBatcher polynomial_batcher(key->circuit_size);

    polynomial_batcher.set_unshifted(prover_polynomials.get_unshifted());

    polynomial_batcher.set_to_be_shifted_by_one(prover_polynomials.get_to_be_shifted());


    const OpeningClaim prover_opening_claim = ShpleminiProver_<Curve>::prove(

        key->circuit_size, polynomial_batcher, sumcheck_output.challenge, commitment_key, transcript);


    PCS::compute_opening_proof(commitment_key, prover_opening_claim, transcript);

}


HonkProof AvmProver::export_proof()

{

    return transcript->export_proof();

}


HonkProof AvmProver::construct_proof()

{

    // Add circuit size public input size and public inputs to transcript.

    execute_preamble_round();


    // Compute wire commitments.

    AVM_TRACK_TIME("prove/wire_commitments_round", execute_wire_commitments_round());


    // Compute log derivative inverses.

    AVM_TRACK_TIME("prove/log_derivative_inverse_round", execute_log_derivative_inverse_round());


    // Compute commitments to logderivative inverse polynomials.

    AVM_TRACK_TIME("prove/log_derivative_inverse_commitments_round",

                   execute_log_derivative_inverse_commitments_round());


    // Run sumcheck subprotocol.

    AVM_TRACK_TIME("prove/sumcheck", execute_relation_check_rounds());


    // Execute PCS.

    AVM_TRACK_TIME("prove/pcs_rounds", execute_pcs_rounds());


    return export_proof();

}


} // namespace bb::avm2

claim.hpp

bb::CommitmentKey
CommitmentKey object over a pairing group 𝔾₁.
Definition commitment_key.hpp:40

bb::CommitmentKey::commit
Commitment commit(PolynomialSpan< const Fr > polynomial) const
Uses the ProverSRS to create a commitment to p(X)
Definition commitment_key.hpp:87

bb::GeminiProver_::PolynomialBatcher
Class responsible for computation of the batched multilinear polynomials required by the Gemini proto...
Definition gemini.hpp:123

bb::KZG::compute_opening_proof
static void compute_opening_proof(const CK &ck, const ProverOpeningClaim< Curve > &opening_claim, const std::shared_ptr< Transcript > &prover_trancript)
Computes the KZG commitment to an opening proof polynomial at a single evaluation point.
Definition kzg.hpp:40

bb::OpeningClaim
Unverified claim (C,r,v) for some witness polynomial p(X) such that.
Definition claim.hpp:53

bb::ProverOpeningClaim
Polynomial p and an opening pair (r,v) such that p(r) = v.
Definition claim.hpp:34

bb::Relation
A wrapper for Relations to expose methods used by the Sumcheck prover or verifier to add the contribu...
Definition relation_types.hpp:153

bb::ShpleminiProver_::prove
static OpeningClaim prove(const FF circuit_size, PolynomialBatcher &polynomial_batcher, std::span< FF > multilinear_challenge, const CommitmentKey< Curve > &commitment_key, const std::shared_ptr< Transcript > &transcript, const std::array< Polynomial, NUM_SMALL_IPA_EVALUATIONS > &libra_polynomials={}, const std::vector< Polynomial > &sumcheck_round_univariates={}, const std::vector< std::array< FF, 3 > > &sumcheck_round_evaluations={})
Definition shplemini.hpp:35

bb::SumcheckProver
The implementation of the sumcheck Prover for statements of the form  for multilinear polynomials .
Definition sumcheck.hpp:123

bb::avm2::AvmFlavor::AllEntities::get_unshifted
auto get_unshifted()
Definition flavor.hpp:178

bb::avm2::AvmFlavor::AllEntities::get_to_be_shifted
auto get_to_be_shifted()
Definition flavor.hpp:190

bb::avm2::AvmFlavor::WitnessEntities::get_derived
auto get_derived()
Definition flavor.hpp:166

bb::avm2::AvmFlavor::WitnessEntities::get_wires
auto get_wires()
Definition flavor.hpp:164

bb::avm2::AvmFlavor::WitnessEntities::get_derived_labels
static const auto & get_derived_labels()
Definition flavor.hpp:167

bb::avm2::AvmFlavor::WitnessEntities::get_wires_labels
static const auto & get_wires_labels()
Definition flavor.hpp:165

bb::avm2::AvmFlavor
Definition flavor.hpp:28

bb::avm2::AvmFlavor::FF
AvmFlavorSettings::FF FF
Definition flavor.hpp:34

bb::avm2::AvmProver::execute_pcs_rounds
virtual void execute_pcs_rounds()
Definition prover.cpp:124

bb::avm2::AvmProver::transcript
std::shared_ptr< Transcript > transcript
Definition prover.hpp:43

bb::avm2::AvmProver::sumcheck_output
SumcheckOutput< Flavor > sumcheck_output
Definition prover.hpp:59

bb::avm2::AvmProver::commitment_key
PCSCommitmentKey commitment_key
Definition prover.hpp:61

bb::avm2::AvmProver::vk
std::shared_ptr< VerificationKey > vk
Definition prover.hpp:50

bb::avm2::AvmProver::execute_relation_check_rounds
virtual void execute_relation_check_rounds()
Run Sumcheck resulting in u = (u_1,...,u_d) challenges and all evaluations at u being calculated.
Definition prover.cpp:102

bb::avm2::AvmProver::AvmProver
AvmProver(std::shared_ptr< ProvingKey > input_key, std::shared_ptr< VerificationKey > vk, const PCSCommitmentKey &commitment_key)
Definition prover.cpp:28

bb::avm2::AvmProver::execute_preamble_round
virtual void execute_preamble_round()
Add circuit size, public input size, and public inputs to transcript.
Definition prover.cpp:41

bb::avm2::AvmProver::prover_polynomials
ProverPolynomials prover_polynomials
Definition prover.hpp:53

bb::avm2::AvmProver::execute_log_derivative_inverse_commitments_round
virtual void execute_log_derivative_inverse_commitments_round()
Definition prover.cpp:84

bb::avm2::AvmProver::witness_commitments
Flavor::WitnessCommitments witness_commitments
Definition prover.hpp:55

bb::avm2::AvmProver::execute_log_derivative_inverse_round
virtual void execute_log_derivative_inverse_round()
Definition prover.cpp:65

bb::avm2::AvmProver::relation_parameters
bb::RelationParameters< FF > relation_parameters
Definition prover.hpp:47

bb::avm2::AvmProver::FF
Flavor::FF FF
Definition prover.hpp:14

bb::avm2::AvmProver::construct_proof
virtual HonkProof construct_proof()
Definition prover.cpp:144

bb::avm2::AvmProver::key
std::shared_ptr< ProvingKey > key
Definition prover.hpp:49

bb::avm2::AvmProver::execute_wire_commitments_round
virtual void execute_wire_commitments_round()
Compute commitments to all of the witness wires (apart from the logderivative inverse wires)
Definition prover.cpp:53

bb::avm2::AvmProver::export_proof
virtual HonkProof export_proof()
Definition prover.cpp:139

zip_view
Definition zip_view.hpp:166

commitment_key.hpp

info
void info(Args... args)
Definition log.hpp:70

constexpr_utils.hpp

grand_product_library.hpp

key
FF key
Definition indexed_memory_tree.test.cpp:18

logderivative_library.hpp

bb::avm2
Definition flavor.hpp:472

bb::avm2::FF
AvmFlavorSettings::FF FF
Definition field.hpp:10

bb::HonkProof
std::vector< fr > HonkProof
Definition proof.hpp:15

bb::parallel_for
void parallel_for(size_t num_iterations, const std::function< void(size_t)> &func)
Definition thread.cpp:72

bb::vk
VerifierCommitmentKey< Curve > vk
Definition ipa.fuzzer.cpp:21

std
STL namespace.

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

permutation_relation.hpp

prover.hpp

shplemini.hpp

stats.hpp

AVM_TRACK_TIME
#define AVM_TRACK_TIME(key, body)
Definition stats.hpp:17

bb::RelationParameters::beta
T beta
Definition relation_parameters.hpp:29

bb::RelationParameters::gamma
T gamma
Definition relation_parameters.hpp:30

sumcheck.hpp

thread.hpp

constants.hpp