Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
small_subgroup_ipa.cpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: not started, auditors: [], date: YYYY-MM-DD }
3// external_1: { status: not started, auditors: [], date: YYYY-MM-DD }
4// external_2: { status: not started, auditors: [], date: YYYY-MM-DD }
5// =====================
6
7#include "barretenberg/commitment_schemes/small_subgroup_ipa/small_subgroup_ipa.hpp"
8#include "barretenberg/commitment_schemes/utils/test_settings.hpp"
9#include "barretenberg/constants.hpp"
10#include "barretenberg/ecc/curves/bn254/bn254.hpp"
11#include "barretenberg/eccvm/eccvm_flavor.hpp"
12#include "barretenberg/eccvm/eccvm_translation_data.hpp"
13#include "barretenberg/ext/starknet/flavor/ultra_starknet_zk_flavor.hpp"
14#include "barretenberg/flavor/mega_zk_flavor.hpp"
15#include "barretenberg/flavor/ultra_keccak_zk_flavor.hpp"
16#include "barretenberg/flavor/ultra_zk_flavor.hpp"
17#include "barretenberg/polynomials/polynomial.hpp"
18#include "barretenberg/polynomials/univariate.hpp"
19#include "barretenberg/stdlib/primitives/curves/grumpkin.hpp"
20#include "barretenberg/sumcheck/zk_sumcheck_data.hpp"
21#include "barretenberg/translator_vm/translator_flavor.hpp"
22
23#include <array>
24#include <vector>
25
26namespace bb {
27
28// Default constructor to initialize all common members.
29template <typename Flavor>
30SmallSubgroupIPAProver<Flavor>::SmallSubgroupIPAProver(const std::shared_ptr<typename Flavor::Transcript>& transcript,
31 typename Flavor::CommitmentKey commitment_key)
32 : interpolation_domain{}
33 , concatenated_polynomial(MASKED_CONCATENATED_WITNESS_LENGTH)
34 , concatenated_lagrange_form(SUBGROUP_SIZE)
35 , challenge_polynomial(SUBGROUP_SIZE)
36 , challenge_polynomial_lagrange(SUBGROUP_SIZE)
37 , grand_sum_polynomial_unmasked(SUBGROUP_SIZE)
38 , grand_sum_polynomial(MASKED_GRAND_SUM_LENGTH)
39 , grand_sum_identity_polynomial(GRAND_SUM_IDENTITY_LENGTH)
40 , grand_sum_identity_quotient(QUOTIENT_LENGTH)
41 , transcript(transcript)
42{
43 // Reallocate the commitment key if necessary. This is an edge case with SmallSubgroupIPA since it has
44 // polynomials that may exceed the circuit size.
45 if (commitment_key.dyadic_size < MASKED_GRAND_SUM_LENGTH) {
46 commitment_key = typename Flavor::CommitmentKey(MASKED_GRAND_SUM_LENGTH);
47 };
48 this->commitment_key = commitment_key;
49};
50
58template <typename Flavor>
59SmallSubgroupIPAProver<Flavor>::SmallSubgroupIPAProver(ZKSumcheckData<Flavor>& zk_sumcheck_data,
60 const std::vector<FF>& multivariate_challenge,
61 const FF claimed_inner_product,
62 const std::shared_ptr<typename Flavor::Transcript>& transcript,
63 const typename Flavor::CommitmentKey& commitment_key)
64 : SmallSubgroupIPAProver(transcript, commitment_key)
65{
66 this->claimed_inner_product = claimed_inner_product;
67 interpolation_domain = zk_sumcheck_data.interpolation_domain;
68 concatenated_polynomial = zk_sumcheck_data.libra_concatenated_monomial_form;
69 concatenated_lagrange_form = zk_sumcheck_data.libra_concatenated_lagrange_form;
70
71 label_prefix = "Libra:";
72 // Extract the evaluation domain computed by ZKSumcheckData
73 if constexpr (std::is_same_v<Curve, curve::BN254>) {
74 bn_evaluation_domain = std::move(zk_sumcheck_data.bn_evaluation_domain);
75 }
76
77 // Construct the challenge polynomial in Lagrange basis, compute its monomial coefficients
78 compute_challenge_polynomial(multivariate_challenge);
79}
80
92template <typename Flavor>
93SmallSubgroupIPAProver<Flavor>::SmallSubgroupIPAProver(TranslationData<typename Flavor::Transcript>& translation_data,
94 const FF evaluation_challenge_x,
95 const FF batching_challenge_v,
96 const std::shared_ptr<typename Flavor::Transcript>& transcript,
97 const typename Flavor::CommitmentKey& commitment_key)
98 : SmallSubgroupIPAProver(transcript, commitment_key)
99
100{
101 // TranslationData is Grumpkin-specific
102 if constexpr (IsAnyOf<Flavor, ECCVMFlavor, GrumpkinSettings>) {
103 label_prefix = "Translation:";
104 interpolation_domain = translation_data.interpolation_domain;
105 concatenated_polynomial = translation_data.masked_concatenated_polynomial;
106 concatenated_lagrange_form = translation_data.concatenated_polynomial_lagrange;
107
108 // Construct the challenge polynomial in Lagrange basis, compute its monomial coefficients
109 compute_eccvm_challenge_polynomial(evaluation_challenge_x, batching_challenge_v);
110
111 // The prover computes the inner product of the challenge polynomial and the concatenation of
112 // the masking terms. This value is used to "denoise" the masked batched evaluation of
113 // `translation_polynomials` contained in `translation_data`.
114 claimed_inner_product = compute_claimed_translation_inner_product(translation_data);
115 transcript->send_to_verifier(label_prefix + "masking_term_eval", claimed_inner_product);
116 }
117}
118
150template <typename Flavor> void SmallSubgroupIPAProver<Flavor>::prove()
151{
152
153 // Construct unmasked grand sum polynomial in Lagrange basis, compute its monomial coefficients and mask it
154 compute_grand_sum_polynomial();
155
156 // Send masked commitment [A + Z_H * R] to the verifier, where R is of degree 2
157 transcript->send_to_verifier(label_prefix + "grand_sum_commitment", commitment_key.commit(grand_sum_polynomial));
158
159 // Compute C(X)
160 compute_grand_sum_identity_polynomial();
161
162 // Compute Q(X)
163 compute_grand_sum_identity_quotient();
164
165 // Send commitment [Q] to the verifier
166 transcript->send_to_verifier(label_prefix + "quotient_commitment",
167 commitment_key.commit(grand_sum_identity_quotient));
168}
169
194template <typename Flavor>
195void SmallSubgroupIPAProver<Flavor>::compute_challenge_polynomial(const std::vector<FF>& multivariate_challenge)
196{
197 std::vector<FF> coeffs_lagrange_basis =
198 compute_challenge_polynomial_coeffs<typename Flavor::Curve>(multivariate_challenge);
199
200 challenge_polynomial_lagrange = Polynomial<FF>(coeffs_lagrange_basis);
201
202 // Compute monomial coefficients
203 challenge_polynomial =
204 compute_monomial_coefficients(coeffs_lagrange_basis, interpolation_domain, bn_evaluation_domain);
205}
215template <typename Flavor>
216void SmallSubgroupIPAProver<Flavor>::compute_eccvm_challenge_polynomial(const FF evaluation_challenge_x,
217 const FF batching_challenge_v)
218{
219
220 std::vector<FF> coeffs_lagrange_basis =
221 compute_eccvm_challenge_coeffs<typename Flavor::Curve>(evaluation_challenge_x, batching_challenge_v);
222
223 challenge_polynomial_lagrange = Polynomial<FF>(coeffs_lagrange_basis);
224
225 // Compute monomial coefficients
226 challenge_polynomial = Polynomial<FF>(interpolation_domain, coeffs_lagrange_basis, SUBGROUP_SIZE);
227}
245template <typename Flavor> void SmallSubgroupIPAProver<Flavor>::compute_grand_sum_polynomial()
246{
247 grand_sum_lagrange_coeffs[0] = 0;
248
249 // Compute the grand sum coefficients recursively
250 for (size_t idx = 1; idx < SUBGROUP_SIZE; idx++) {
251 size_t prev_idx = idx - 1;
252 grand_sum_lagrange_coeffs[idx] =
253 grand_sum_lagrange_coeffs[prev_idx] +
254 challenge_polynomial_lagrange.at(prev_idx) * concatenated_lagrange_form.at(prev_idx);
255 };
256
257 // Get the coefficients in the monomial basis
258 grand_sum_polynomial_unmasked =
259 compute_monomial_coefficients(grand_sum_lagrange_coeffs, interpolation_domain, bn_evaluation_domain);
260
261 // Generate random masking_term of degree 2
262 auto masking_term = bb::Univariate<FF, GRAND_SUM_MASKING_TERM_LENGTH>::get_random();
263
264 grand_sum_polynomial += grand_sum_polynomial_unmasked;
265 // Since Z_H(X) = X^|H| - 1, its product with the masking term R(X) is given by X^{H}*R(X) - R(X). Therefore
266 // to mask A, we subtract the coefficients of R from the first GRAND_SUM_MASKING_TERM_LENGTH coefficients
267 // of A and by set the coefficients A_{i+SUBGROUP_SIZE} to be equal to R_i
268 for (size_t idx = 0; idx < GRAND_SUM_MASKING_TERM_LENGTH; idx++) {
269 grand_sum_polynomial.at(idx) -= masking_term.value_at(idx);
270 grand_sum_polynomial.at(idx + SUBGROUP_SIZE) += masking_term.value_at(idx);
271 }
272};
273
279template <typename Flavor> void SmallSubgroupIPAProver<Flavor>::compute_grand_sum_identity_polynomial()
280{
281 // Compute shifted grand sum polynomial A(gX)
282 Polynomial<FF> shifted_grand_sum(MASKED_GRAND_SUM_LENGTH);
283
284 for (size_t idx = 0; idx < MASKED_GRAND_SUM_LENGTH; idx++) {
285 shifted_grand_sum.at(idx) = grand_sum_polynomial.at(idx) * interpolation_domain[idx % SUBGROUP_SIZE];
286 }
287
288 const auto& [lagrange_first, lagrange_last] =
289 compute_lagrange_first_and_last(interpolation_domain, bn_evaluation_domain);
290
291 // Compute -F(X)*G(X), the negated product of challenge_polynomial and concatenated_polynomial
292 for (size_t i = 0; i < MASKED_CONCATENATED_WITNESS_LENGTH; ++i) {
293 for (size_t j = 0; j < SUBGROUP_SIZE; ++j) {
294 grand_sum_identity_polynomial.at(i + j) -= concatenated_polynomial.at(i) * challenge_polynomial.at(j);
295 }
296 }
297
298 // Compute - F(X) * G(X) + A(gX) - A(X)
299 for (size_t idx = 0; idx < MASKED_GRAND_SUM_LENGTH; idx++) {
300 grand_sum_identity_polynomial.at(idx) += shifted_grand_sum.at(idx) - grand_sum_polynomial.at(idx);
301 }
302
303 // Mutiply - F(X) * G(X) + A(gX) - A(X) by X-g:
304 // 1. Multiply by X
305 for (size_t idx = GRAND_SUM_IDENTITY_LENGTH - 1; idx > 0; idx--) {
306 grand_sum_identity_polynomial.at(idx) = grand_sum_identity_polynomial.at(idx - 1);
307 }
308 grand_sum_identity_polynomial.at(0) = FF(0);
309 // 2. Subtract 1/g(A(gX) - A(X) - F(X) * G(X))
310 for (size_t idx = 0; idx < GRAND_SUM_IDENTITY_LENGTH - 1; idx++) {
311 grand_sum_identity_polynomial.at(idx) -=
312 grand_sum_identity_polynomial.at(idx + 1) * interpolation_domain[SUBGROUP_SIZE - 1];
313 }
314
315 // Add (L_1 + L_{|H|}) * A(X) to the result
316 for (size_t i = 0; i < MASKED_GRAND_SUM_LENGTH; ++i) {
317 for (size_t j = 0; j < SUBGROUP_SIZE; ++j) {
318 grand_sum_identity_polynomial.at(i + j) +=
319 grand_sum_polynomial.at(i) * (lagrange_first.at(j) + lagrange_last.at(j));
320 }
321 }
322 // Subtract L_{|H|} * s
323 for (size_t idx = 0; idx < SUBGROUP_SIZE; idx++) {
324 grand_sum_identity_polynomial.at(idx) -= lagrange_last.at(idx) * claimed_inner_product;
325 }
326}
334template <typename Flavor>
335std::array<Polynomial<typename Flavor::Curve::ScalarField>, 2> SmallSubgroupIPAProver<
336 Flavor>::compute_lagrange_first_and_last(const std::array<FF, SUBGROUP_SIZE>& interpolation_domain,
337 const EvaluationDomain<FF>& bn_evaluation_domain)
338{
339 // Compute the monomial coefficients of L_1
340 std::array<FF, SUBGROUP_SIZE> lagrange_coeffs;
341 lagrange_coeffs[0] = FF(1);
342 for (size_t idx = 1; idx < SUBGROUP_SIZE; idx++) {
343 lagrange_coeffs[idx] = FF(0);
344 }
345
346 Polynomial<FF> lagrange_first_monomial =
347 compute_monomial_coefficients(lagrange_coeffs, interpolation_domain, bn_evaluation_domain);
348
349 // Compute the monomial coefficients of L_{|H|}, the last Lagrange polynomial
350 lagrange_coeffs[0] = FF(0);
351 lagrange_coeffs[SUBGROUP_SIZE - 1] = FF(1);
352
353 Polynomial<FF> lagrange_last_monomial =
354 compute_monomial_coefficients(lagrange_coeffs, interpolation_domain, bn_evaluation_domain);
355
356 return { lagrange_first_monomial, lagrange_last_monomial };
357}
358
362template <typename Flavor> void SmallSubgroupIPAProver<Flavor>::compute_grand_sum_identity_quotient()
363{
364
365 auto remainder = grand_sum_identity_polynomial;
366 for (size_t idx = GRAND_SUM_IDENTITY_LENGTH - 1; idx >= SUBGROUP_SIZE; idx--) {
367 grand_sum_identity_quotient.at(idx - SUBGROUP_SIZE) = remainder.at(idx);
368 remainder.at(idx - SUBGROUP_SIZE) += remainder.at(idx);
369 }
370}
371
380template <typename Flavor>
381typename Flavor::Curve::ScalarField SmallSubgroupIPAProver<Flavor>::compute_claimed_inner_product(
382 ZKSumcheckData<Flavor>& zk_sumcheck_data,
383 const std::vector<FF>& multivariate_challenge,
384 const size_t& log_circuit_size)
385{
386 const FF libra_challenge_inv = zk_sumcheck_data.libra_challenge.invert();
387 // Compute claimed inner product similarly to the SumcheckProver
388 FF claimed_inner_product = FF{ 0 };
389 size_t idx = 0;
390 for (const auto& univariate : zk_sumcheck_data.libra_univariates) {
391 claimed_inner_product += univariate.evaluate(multivariate_challenge[idx]);
392 idx++;
393 }
394 // Libra Univariates are mutiplied by the Libra challenge in setup_auxiliary_data(), needs to be undone
395 claimed_inner_product *= libra_challenge_inv / FF(1 << (log_circuit_size - 1));
396 claimed_inner_product += zk_sumcheck_data.constant_term;
397 return claimed_inner_product;
398}
399
408template <typename Flavor>
409typename Flavor::Curve::ScalarField SmallSubgroupIPAProver<Flavor>::compute_claimed_translation_inner_product(
410 TranslationData<typename Flavor::Transcript>& translation_data)
411{
412 FF claimed_inner_product{ 0 };
413 if constexpr (IsAnyOf<Flavor, ECCVMFlavor, GrumpkinSettings>) {
414 for (size_t idx = 0; idx < SUBGROUP_SIZE; idx++) {
415 claimed_inner_product +=
416 translation_data.concatenated_polynomial_lagrange.at(idx) * challenge_polynomial_lagrange.at(idx);
417 }
418 }
419 return claimed_inner_product;
420}
421
428template <typename Flavor>
429Polynomial<typename Flavor::Curve::ScalarField> SmallSubgroupIPAProver<Flavor>::compute_monomial_coefficients(
430 std::span<FF> lagrange_coeffs,
431 const std::array<FF, SUBGROUP_SIZE>& interpolation_domain,
432 const EvaluationDomain<FF>& bn_evaluation_domain)
433{
434 using FF = typename Flavor::Curve::ScalarField;
435 if constexpr (!std::is_same_v<typename Flavor::Curve, curve::BN254>) {
436 return Polynomial<FF>(interpolation_domain, lagrange_coeffs, SUBGROUP_SIZE);
437 } else {
438 std::vector<FF> lagrange_last_ifft(SUBGROUP_SIZE);
439 polynomial_arithmetic::ifft<FF>(lagrange_coeffs.data(), lagrange_last_ifft.data(), bn_evaluation_domain);
440 return Polynomial<FF>(lagrange_last_ifft);
441 }
442}
443
444// Instantiate with ZK Flavors
445template class SmallSubgroupIPAProver<ECCVMFlavor>;
446template class SmallSubgroupIPAProver<TranslatorFlavor>;
447template class SmallSubgroupIPAProver<MegaZKFlavor>;
448template class SmallSubgroupIPAProver<UltraZKFlavor>;
449template class SmallSubgroupIPAProver<UltraKeccakZKFlavor>;
450#ifdef STARKNET_GARAGA_FLAVORS
451template class SmallSubgroupIPAProver<UltraStarknetZKFlavor>;
452#endif
453
454// Instantiations used in tests
455template class SmallSubgroupIPAProver<BN254Settings>;
456template class SmallSubgroupIPAProver<GrumpkinSettings>;
457
458} // namespace bb
bb::CommitmentKey
CommitmentKey object over a pairing group 𝔾₁.
Definition commitment_key.hpp:40
bb::MegaFlavor::CommitmentKey
bb::CommitmentKey< Curve > CommitmentKey
Definition mega_flavor.hpp:42
bb::Polynomial
Structured polynomial class that represents the coefficients 'a' of a_0 + a_1 x .....
Definition polynomial.hpp:74
bb::Polynomial::at
Fr & at(size_t index)
Our mutable accessor, unlike operator[]. We abuse precedent a bit to differentiate at() and operator[...
Definition polynomial.hpp:306
bb::SmallSubgroupIPAProver
A Curve-agnostic ZK protocol to prove inner products of small vectors.
Definition small_subgroup_ipa.hpp:69
bb::SmallSubgroupIPAProver::transcript
std::shared_ptr< typename Flavor::Transcript > transcript
Definition small_subgroup_ipa.hpp:126
bb::SmallSubgroupIPAProver::compute_eccvm_challenge_polynomial
void compute_eccvm_challenge_polynomial(const FF evaluation_challenge_x, const FF batching_challenge_v)
Compute a (public) challenge polynomial from the evaluation and batching challenges.
Definition small_subgroup_ipa.cpp:216
bb::SmallSubgroupIPAProver::FF
typename Curve::ScalarField FF
Definition small_subgroup_ipa.hpp:71
bb::SmallSubgroupIPAProver::compute_challenge_polynomial
void compute_challenge_polynomial(const std::vector< FF > &multivariate_challenge)
Computes the challenge polynomial F(X) based on the provided multivariate challenges.
Definition small_subgroup_ipa.cpp:195
bb::SmallSubgroupIPAProver::compute_monomial_coefficients
static Polynomial< FF > compute_monomial_coefficients(std::span< FF > lagrange_coeffs, const std::array< FF, SUBGROUP_SIZE > &interpolation_domain, const EvaluationDomain< FF > &bn_evaluation_domain)
Given a vector of coefficients of a polynomial in the Lagrange basis over , compute its coefficients ...
Definition small_subgroup_ipa.cpp:429
bb::SmallSubgroupIPAProver::interpolation_domain
std::array< FF, SUBGROUP_SIZE > interpolation_domain
Definition small_subgroup_ipa.hpp:98
bb::SmallSubgroupIPAProver::compute_grand_sum_polynomial
void compute_grand_sum_polynomial()
Computes the grand sum polynomial .
Definition small_subgroup_ipa.cpp:245
bb::SmallSubgroupIPAProver::MASKED_GRAND_SUM_LENGTH
static constexpr size_t MASKED_GRAND_SUM_LENGTH
Definition small_subgroup_ipa.hpp:81
bb::SmallSubgroupIPAProver::compute_grand_sum_identity_quotient
void compute_grand_sum_identity_quotient()
Efficiently compute the quotient of the grand sum identity polynomial by .
Definition small_subgroup_ipa.cpp:362
bb::SmallSubgroupIPAProver::compute_claimed_inner_product
static FF compute_claimed_inner_product(ZKSumcheckData< Flavor > &zk_sumcheck_data, const std::vector< FF > &multivariate_challenge, const size_t &log_circuit_size)
For test purposes: Compute the sum of the Libra constant term and Libra univariates evaluated at Sumc...
Definition small_subgroup_ipa.cpp:381
bb::SmallSubgroupIPAProver::compute_grand_sum_identity_polynomial
void compute_grand_sum_identity_polynomial()
Compute , where is the fixed generator of .
Definition small_subgroup_ipa.cpp:279
bb::SmallSubgroupIPAProver::concatenated_lagrange_form
Polynomial< FF > concatenated_lagrange_form
Definition small_subgroup_ipa.hpp:105
bb::SmallSubgroupIPAProver::SmallSubgroupIPAProver
SmallSubgroupIPAProver(const std::shared_ptr< typename Flavor::Transcript > &transcript, typename Flavor::CommitmentKey commitment_key)
Definition small_subgroup_ipa.cpp:30
bb::SmallSubgroupIPAProver::commitment_key
Flavor::CommitmentKey commitment_key
Definition small_subgroup_ipa.hpp:127
bb::SmallSubgroupIPAProver::bn_evaluation_domain
EvaluationDomain< FF > bn_evaluation_domain
Definition small_subgroup_ipa.hpp:100
bb::SmallSubgroupIPAProver::prove
void prove()
Compute the derived witnesses and and commit to them.
Definition small_subgroup_ipa.cpp:150
bb::SmallSubgroupIPAProver::compute_claimed_translation_inner_product
FF compute_claimed_translation_inner_product(TranslationData< typename Flavor::Transcript > &translation_data)
For test purposes: compute the batched evaluation of the last NUM_DISABLED_ROWS_IN_SUMCHECK rows of t...
Definition small_subgroup_ipa.cpp:409
bb::TranslationData
A class designed to accept the ECCVM Transcript Polynomials, concatenate their masking terms in Lagra...
Definition eccvm_translation_data.hpp:20
bb::TranslationData::interpolation_domain
std::array< FF, SUBGROUP_SIZE > interpolation_domain
Definition eccvm_translation_data.hpp:41
bb::Univariate::get_random
static Univariate get_random()
Definition univariate.hpp:189
eccvm_flavor.hpp
eccvm_translation_data.hpp
mega_zk_flavor.hpp
bb
Entry point for Barretenberg command-line interface.
Definition acir_format_getters.cpp:6
bb::FF
typename Flavor::FF FF
Definition protogalaxy.bench.cpp:16
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
small_subgroup_ipa.hpp
bb::ZKSumcheckData
This structure is created to contain various polynomials and constants required by ZK Sumcheck.
Definition zk_sumcheck_data.hpp:22
bb::ZKSumcheckData::libra_concatenated_monomial_form
Polynomial< FF > libra_concatenated_monomial_form
Definition zk_sumcheck_data.hpp:44
bb::ZKSumcheckData::libra_univariates
std::vector< Polynomial< FF > > libra_univariates
Definition zk_sumcheck_data.hpp:46
bb::ZKSumcheckData::libra_concatenated_lagrange_form
Polynomial< FF > libra_concatenated_lagrange_form
Definition zk_sumcheck_data.hpp:43
bb::ZKSumcheckData::bn_evaluation_domain
EvaluationDomain< FF > bn_evaluation_domain
Definition zk_sumcheck_data.hpp:40
bb::ZKSumcheckData::interpolation_domain
std::array< FF, SUBGROUP_SIZE > interpolation_domain
Definition zk_sumcheck_data.hpp:41
test_settings.hpp
translator_flavor.hpp
ultra_keccak_zk_flavor.hpp
ultra_starknet_zk_flavor.hpp
ultra_zk_flavor.hpp
zk_sumcheck_data.hpp