Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
zk_sumcheck_data.hpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: not started, auditors: [], date: YYYY-MM-DD }
3// external_1: { status: not started, auditors: [], date: YYYY-MM-DD }
4// external_2: { status: not started, auditors: [], date: YYYY-MM-DD }
5// =====================
6
7#pragma once
8
9#include "barretenberg/constants.hpp"
10#include "barretenberg/ecc/curves/bn254/bn254.hpp"
11#include "barretenberg/polynomials/polynomial.hpp"
12#include "barretenberg/polynomials/univariate.hpp"
13#include <array>
14#include <vector>
15
16namespace bb {
17
22template <typename Flavor> struct ZKSumcheckData {
23 using Curve = typename Flavor::Curve;
24 using FF = typename Curve::ScalarField;
25
26 static constexpr size_t SUBGROUP_SIZE = Curve::SUBGROUP_SIZE;
27
28 static constexpr FF subgroup_generator = Curve::subgroup_generator;
29
30 // The size of the LibraUnivariates.
31 static constexpr size_t LIBRA_UNIVARIATES_LENGTH = Curve::LIBRA_UNIVARIATES_LENGTH;
32
33 static constexpr FF one_half = FF(1) / FF(2);
34
35 // Container for the evaluations of Libra Univariates that have to be proven.
36 using ClaimedLibraEvaluations = std::vector<FF>;
37
38 FF constant_term;
39
40 EvaluationDomain<FF> bn_evaluation_domain = EvaluationDomain<FF>();
41 std::array<FF, SUBGROUP_SIZE> interpolation_domain;
42 // to compute product in lagrange basis
43 Polynomial<FF> libra_concatenated_lagrange_form;
44 Polynomial<FF> libra_concatenated_monomial_form;
45
46 std::vector<Polynomial<FF>> libra_univariates{};
47 size_t log_circuit_size{ 0 };
48 FF libra_scaling_factor{ 1 };
49 FF libra_challenge;
50 FF libra_total_sum;
51 FF libra_running_sum;
52 ClaimedLibraEvaluations libra_evaluations;
53
54 size_t univariate_length;
55 // Default constructor
56 ZKSumcheckData() = default;
57
58 // Main constructor
59 ZKSumcheckData(const size_t multivariate_d,
60 std::shared_ptr<typename Flavor::Transcript> transcript = nullptr,
61 const typename Flavor::CommitmentKey& commitment_key = typename Flavor::CommitmentKey())
62 : constant_term(FF::random_element())
63 , libra_concatenated_monomial_form(SUBGROUP_SIZE + 2) // includes masking
64 , libra_univariates(generate_libra_univariates(multivariate_d, LIBRA_UNIVARIATES_LENGTH))
65 , log_circuit_size(multivariate_d)
66 , univariate_length(LIBRA_UNIVARIATES_LENGTH)
67
68 {
69 create_interpolation_domain();
70
71 compute_concatenated_libra_polynomial();
72
73 // If proving_key is provided, commit to the concatenated and masked libra polynomial
74 if (commitment_key.initialized()) {
75 auto libra_commitment = commitment_key.commit(libra_concatenated_monomial_form);
76 transcript->send_to_verifier("Libra:concatenation_commitment", libra_commitment);
77 }
78 // Compute the total sum of the Libra polynomials
79 libra_scaling_factor = FF(1);
80 libra_total_sum = compute_libra_total_sum(libra_univariates, libra_scaling_factor, constant_term);
81
82 // Send the Libra total sum to the transcript
83 transcript->send_to_verifier("Libra:Sum", libra_total_sum);
84
85 // Receive the Libra challenge from the transcript
86 libra_challenge = transcript->template get_challenge<FF>("Libra:Challenge");
87
88 // Initialize the Libra running sum
89 libra_running_sum = libra_total_sum * libra_challenge;
90
91 // Prepare the Libra data for the first round of sumcheck
92
93 setup_auxiliary_data(libra_univariates, libra_scaling_factor, libra_challenge, libra_running_sum);
94 }
95
124 static std::vector<Polynomial<FF>> generate_libra_univariates(const size_t number_of_polynomials,
125 const size_t univariate_length)
126 {
127 std::vector<Polynomial<FF>> libra_full_polynomials(number_of_polynomials);
128
129 for (auto& libra_polynomial : libra_full_polynomials) {
130 libra_polynomial = Polynomial<FF>::random(univariate_length);
131 };
132 return libra_full_polynomials;
133 };
134
143 static FF compute_libra_total_sum(const std::vector<Polynomial<FF>>& libra_univariates,
144 FF& scaling_factor,
145 const FF& constant_term)
146 {
147 FF total_sum = 0;
148 scaling_factor *= one_half;
149
150 for (auto& univariate : libra_univariates) {
151 total_sum += univariate.at(0) + univariate.evaluate(FF(1));
152 scaling_factor *= 2;
153 }
154 total_sum *= scaling_factor;
155
156 return total_sum + constant_term * (1 << libra_univariates.size());
157 }
158
171 static void setup_auxiliary_data(auto& libra_univariates,
172 FF& libra_scaling_factor,
173 const FF& libra_challenge,
174 FF& libra_running_sum)
175 {
176 libra_scaling_factor *= libra_challenge; // \rho * 2^{d-1}
177 for (auto& univariate : libra_univariates) {
178 univariate *= libra_scaling_factor;
179 };
180 // subtract the contribution of the first libra univariate from libra total sum
181 libra_running_sum += -libra_univariates[0].at(0) - libra_univariates[0].evaluate(FF(1));
182 libra_running_sum *= one_half;
183 }
184
190 void create_interpolation_domain()
191 {
192 if constexpr (std::is_same_v<Curve, curve::BN254>) {
193 bn_evaluation_domain = EvaluationDomain<FF>(SUBGROUP_SIZE, SUBGROUP_SIZE);
194 if (bn_evaluation_domain.size > 0) {
195 bn_evaluation_domain.compute_lookup_table();
196 }
197 }
198
199 interpolation_domain[0] = FF{ 1 };
200 for (size_t idx = 1; idx < SUBGROUP_SIZE; idx++) {
201 interpolation_domain[idx] = interpolation_domain[idx - 1] * subgroup_generator;
202 }
203 }
204
209 void compute_concatenated_libra_polynomial()
210 {
211 std::array<FF, SUBGROUP_SIZE> coeffs_lagrange_subgroup;
212 coeffs_lagrange_subgroup[0] = constant_term;
213
214 for (size_t idx = 1; idx < SUBGROUP_SIZE; idx++) {
215 coeffs_lagrange_subgroup[idx] = FF{ 0 };
216 }
217
218 for (size_t poly_idx = 0; poly_idx < log_circuit_size; poly_idx++) {
219 for (size_t idx = 0; idx < LIBRA_UNIVARIATES_LENGTH; idx++) {
220 size_t idx_to_populate = 1 + poly_idx * LIBRA_UNIVARIATES_LENGTH + idx;
221 coeffs_lagrange_subgroup[idx_to_populate] = libra_univariates[poly_idx].at(idx);
222 }
223 }
224
225 libra_concatenated_lagrange_form = Polynomial<FF>(coeffs_lagrange_subgroup);
226
227 bb::Univariate<FF, 2> masking_scalars = bb::Univariate<FF, 2>::get_random();
228
229 Polynomial<FF> libra_concatenated_monomial_form_unmasked(SUBGROUP_SIZE);
230 if constexpr (!std::is_same_v<Curve, curve::BN254>) {
231 libra_concatenated_monomial_form_unmasked =
232 Polynomial<FF>(interpolation_domain, coeffs_lagrange_subgroup, SUBGROUP_SIZE);
233 } else {
234 std::vector<FF> coeffs_lagrange_subgroup_ifft(SUBGROUP_SIZE);
235 polynomial_arithmetic::ifft(
236 coeffs_lagrange_subgroup.data(), coeffs_lagrange_subgroup_ifft.data(), bn_evaluation_domain);
237 libra_concatenated_monomial_form_unmasked = Polynomial<FF>(coeffs_lagrange_subgroup_ifft);
238 }
239
240 for (size_t idx = 0; idx < SUBGROUP_SIZE; idx++) {
241 libra_concatenated_monomial_form.at(idx) = libra_concatenated_monomial_form_unmasked.at(idx);
242 }
243
244 for (size_t idx = 0; idx < masking_scalars.size(); idx++) {
245 libra_concatenated_monomial_form.at(idx) -= masking_scalars.value_at(idx);
246 libra_concatenated_monomial_form.at(SUBGROUP_SIZE + idx) += masking_scalars.value_at(idx);
247 }
248 }
249
275 void update_zk_sumcheck_data(const FF& round_challenge, const size_t round_idx)
276 {
277 static constexpr FF two_inv = FF(1) / FF(2);
278 // when round_idx = d - 1, the update is not needed
279 if (round_idx < this->log_circuit_size - 1) {
280 for (auto& univariate : this->libra_univariates) {
281 univariate *= two_inv;
282 };
283 // compute the evaluation \f$ \rho \cdot 2^{d-2-i} \çdot g_i(u_i) \f$
284 const FF libra_evaluation = this->libra_univariates[round_idx].evaluate(round_challenge);
285 const auto& next_libra_univariate = this->libra_univariates[round_idx + 1];
286 // update the running sum by adding g_i(u_i) and subtracting (g_i(0) + g_i(1))
287 this->libra_running_sum += -next_libra_univariate.at(0) - next_libra_univariate.evaluate(FF(1));
288 this->libra_running_sum *= two_inv;
289
290 this->libra_running_sum += libra_evaluation;
291 this->libra_scaling_factor *= two_inv;
292
293 this->libra_evaluations.emplace_back(libra_evaluation / this->libra_scaling_factor);
294 } else {
295 // compute the evaluation of the last Libra univariate at the challenge u_{d-1}
296 const FF libra_evaluation =
297 this->libra_univariates[round_idx].evaluate(round_challenge) / this->libra_scaling_factor;
298 // place the evalution into the vector of Libra evaluations
299 this->libra_evaluations.emplace_back(libra_evaluation);
300 for (auto univariate : this->libra_univariates) {
301 univariate *= FF(1) / this->libra_challenge;
302 }
303 };
304 }
305};
306
307} // namespace bb
bb::CommitmentKey
CommitmentKey object over a pairing group 𝔾₁.
Definition commitment_key.hpp:40
bb::MegaFlavor::Curve
curve::BN254 Curve
Definition mega_flavor.hpp:36
bb::Polynomial
Structured polynomial class that represents the coefficients 'a' of a_0 + a_1 x .....
Definition polynomial.hpp:74
bb::Polynomial::at
Fr & at(size_t index)
Our mutable accessor, unlike operator[]. We abuse precedent a bit to differentiate at() and operator[...
Definition polynomial.hpp:306
bb::Univariate
A univariate polynomial represented by its values on {domain_start, domain_start + 1,...
Definition univariate.hpp:35
bb::Univariate::value_at
Fr & value_at(size_t i)
Definition univariate.hpp:147
bb::Univariate::get_random
static Univariate get_random()
Definition univariate.hpp:189
bb::curve::Grumpkin::SUBGROUP_SIZE
static constexpr size_t SUBGROUP_SIZE
Definition grumpkin.hpp:67
bb::curve::Grumpkin::LIBRA_UNIVARIATES_LENGTH
static constexpr uint32_t LIBRA_UNIVARIATES_LENGTH
Definition grumpkin.hpp:79
bb::curve::Grumpkin::subgroup_generator
static constexpr ScalarField subgroup_generator
Definition grumpkin.hpp:72
bb::polynomial_arithmetic::ifft
void ifft(Fr *coeffs, const EvaluationDomain< Fr > &domain)
Definition polynomial_arithmetic.cpp:365
bb
Entry point for Barretenberg command-line interface.
Definition acir_format_getters.cpp:6
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
bb::ZKSumcheckData
This structure is created to contain various polynomials and constants required by ZK Sumcheck.
Definition zk_sumcheck_data.hpp:22
bb::ZKSumcheckData::ZKSumcheckData
ZKSumcheckData()=default
bb::ZKSumcheckData::libra_concatenated_monomial_form
Polynomial< FF > libra_concatenated_monomial_form
Definition zk_sumcheck_data.hpp:44
bb::ZKSumcheckData::LIBRA_UNIVARIATES_LENGTH
static constexpr size_t LIBRA_UNIVARIATES_LENGTH
Definition zk_sumcheck_data.hpp:31
bb::ZKSumcheckData::libra_univariates
std::vector< Polynomial< FF > > libra_univariates
Definition zk_sumcheck_data.hpp:46
bb::ZKSumcheckData::libra_evaluations
ClaimedLibraEvaluations libra_evaluations
Definition zk_sumcheck_data.hpp:52
bb::ZKSumcheckData::subgroup_generator
static constexpr FF subgroup_generator
Definition zk_sumcheck_data.hpp:28
bb::ZKSumcheckData::FF
typename Curve::ScalarField FF
Definition zk_sumcheck_data.hpp:24
bb::ZKSumcheckData::libra_concatenated_lagrange_form
Polynomial< FF > libra_concatenated_lagrange_form
Definition zk_sumcheck_data.hpp:43
bb::ZKSumcheckData::generate_libra_univariates
static std::vector< Polynomial< FF > > generate_libra_univariates(const size_t number_of_polynomials, const size_t univariate_length)
Given number of univariate polynomials and the number of their evaluations meant to be hidden,...
Definition zk_sumcheck_data.hpp:124
bb::ZKSumcheckData::ZKSumcheckData
ZKSumcheckData(const size_t multivariate_d, std::shared_ptr< typename Flavor::Transcript > transcript=nullptr, const typename Flavor::CommitmentKey &commitment_key=typename Flavor::CommitmentKey())
Definition zk_sumcheck_data.hpp:59
bb::ZKSumcheckData::ClaimedLibraEvaluations
std::vector< FF > ClaimedLibraEvaluations
Definition zk_sumcheck_data.hpp:36
bb::ZKSumcheckData::one_half
static constexpr FF one_half
Definition zk_sumcheck_data.hpp:33
bb::ZKSumcheckData::update_zk_sumcheck_data
void update_zk_sumcheck_data(const FF &round_challenge, const size_t round_idx)
Upon receiving the challenge , the prover updates Libra data. If .
Definition zk_sumcheck_data.hpp:275
bb::ZKSumcheckData::compute_libra_total_sum
static FF compute_libra_total_sum(const std::vector< Polynomial< FF > > &libra_univariates, FF &scaling_factor, const FF &constant_term)
Compute the sum of the randomly sampled multivariate polynomial over the Boolean hypercube.
Definition zk_sumcheck_data.hpp:143
bb::ZKSumcheckData::setup_auxiliary_data
static void setup_auxiliary_data(auto &libra_univariates, FF &libra_scaling_factor, const FF &libra_challenge, FF &libra_running_sum)
Set up Libra book-keeping table that simplifies the computation of Libra Round Univariates.
Definition zk_sumcheck_data.hpp:171
bb::ZKSumcheckData::bn_evaluation_domain
EvaluationDomain< FF > bn_evaluation_domain
Definition zk_sumcheck_data.hpp:40
bb::ZKSumcheckData::Curve
typename Flavor::Curve Curve
Definition zk_sumcheck_data.hpp:23
bb::ZKSumcheckData::interpolation_domain
std::array< FF, SUBGROUP_SIZE > interpolation_domain
Definition zk_sumcheck_data.hpp:41
bb::ZKSumcheckData::SUBGROUP_SIZE
static constexpr size_t SUBGROUP_SIZE
Definition zk_sumcheck_data.hpp:26
bb::ZKSumcheckData::create_interpolation_domain
void create_interpolation_domain()
Create a interpolation domain object and initialize the evaluation domain in the case of BN254 scalar...
Definition zk_sumcheck_data.hpp:190
bb::ZKSumcheckData::ZKSumcheckData
ZKSumcheckData(const size_t multivariate_d, const size_t univariate_length)
For test purposes: Constructs a sumcheck instance from the polynomial , where is a random univariate...
Definition zk_sumcheck_data.hpp:105
bb::ZKSumcheckData::compute_concatenated_libra_polynomial
void compute_concatenated_libra_polynomial()
Compute concatenated libra polynomial in lagrange basis, transform to monomial, add masking term Z_H(...
Definition zk_sumcheck_data.hpp:209