Lde/reinstate work queue (AztecProtocol/barretenberg#324)

* make MSM size in work queue more flexible * new work queue hooked up everywhere excluding shplonk * improve interface and remove commitment key from prover * move old work queue to plonk namespace
AztecProtocol · Apr 7, 2023 · 3c8790c · 3c8790c
1 parent d17c31e
commit 3c8790c
Show file tree

Hide file tree

Showing 14 changed files with 211 additions and 134 deletions.
diff --git a/...berg/cpp/src/barretenberg/honk/composer/composer_helper/standard_honk_composer_helper.cpp b/...berg/cpp/src/barretenberg/honk/composer/composer_helper/standard_honk_composer_helper.cpp
@@ -168,12 +168,6 @@ StandardProver StandardHonkComposerHelper<CircuitConstructor>::create_prover(
     auto manifest = Flavor::create_manifest(circuit_constructor.public_inputs.size(), num_sumcheck_rounds);
     StandardProver output_state(std::move(wire_polynomials), circuit_proving_key);
 
-    // TODO(Cody): This should be more generic
-    std::unique_ptr<pcs::kzg::CommitmentKey> kate_commitment_key =
-        std::make_unique<pcs::kzg::CommitmentKey>(circuit_proving_key->circuit_size, "../srs_db/ignition");
-
-    output_state.commitment_key = std::move(kate_commitment_key);
-
     return output_state;
 }
 template class StandardHonkComposerHelper<StandardCircuitConstructor>;

diff --git a/barretenberg/cpp/src/barretenberg/honk/pcs/kzg/kzg.hpp b/barretenberg/cpp/src/barretenberg/honk/pcs/kzg/kzg.hpp
@@ -60,23 +60,20 @@ template <typename Params> class UnivariateOpeningScheme {
     using Accumulator = BilinearAccumulator<Params>;
 
     /**
-     * @brief Compute KZG opening proof (commitment) and add it to transcript
+     * @brief Compute KZG opening proof polynomial
      *
-     * @param ck CommitmentKey
      * @param opening_pair OpeningPair = {r, v = polynomial(r)}
      * @param polynomial the witness polynomial being opened
+     * @return KZG quotient polynomial of the form (p(X) - v) / (X - r)
      */
-    static void reduce_prove(std::shared_ptr<CK> ck,
-                             const OpeningPair<Params>& opening_pair,
-                             const Polynomial& polynomial,
-                             ProverTranscript<Fr>& transcript)
+    static Polynomial compute_opening_proof_polynomial(const OpeningPair<Params>& opening_pair,
+                                                       const Polynomial& polynomial)
     {
         Polynomial quotient(polynomial);
         quotient[0] -= opening_pair.evaluation;
         quotient.factor_roots(opening_pair.challenge);
-        CommitmentAffine quotient_commitment = ck->commit(quotient);
 
-        transcript.send_to_verifier("KZG:W", quotient_commitment);
+        return quotient;
     };
 
     /**

diff --git a/barretenberg/cpp/src/barretenberg/honk/pcs/kzg/kzg.test.cpp b/barretenberg/cpp/src/barretenberg/honk/pcs/kzg/kzg.test.cpp
@@ -40,7 +40,8 @@ TYPED_TEST(BilinearAccumulationTest, single)
 
     auto prover_transcript = ProverTranscript<Fr>::init_empty();
 
-    KZG::reduce_prove(this->ck(), opening_pair, witness, prover_transcript);
+    auto quotient_W = KZG::compute_opening_proof_polynomial(opening_pair, witness);
+    prover_transcript.send_to_verifier("KZG:W", this->commit(quotient_W));
 
     auto verifier_transcript = VerifierTranscript<Fr>::init_empty(prover_transcript);
     auto kzg_claim = KZG::reduce_verify(opening_claim, verifier_transcript);
@@ -148,7 +149,8 @@ TYPED_TEST(BilinearAccumulationTest, GeminiShplonkKzgWithShift)
 
     // KZG prover:
     // - Adds commitment [W] to transcript
-    KZG::reduce_prove(this->ck(), shplonk_opening_pair, shplonk_witness, prover_transcript);
+    auto quotient_W = KZG::compute_opening_proof_polynomial(shplonk_opening_pair, shplonk_witness);
+    prover_transcript.send_to_verifier("KZG:W", this->commit(quotient_W));
 
     // Run the full verifier PCS protocol with genuine opening claims (genuine commitment, genuine evaluation)
 

diff --git a/barretenberg/cpp/src/barretenberg/honk/proof_system/prover.cpp b/barretenberg/cpp/src/barretenberg/honk/proof_system/prover.cpp
@@ -5,6 +5,7 @@
 #include "barretenberg/honk/sumcheck/sumcheck.hpp"
 #include <array>
 #include "barretenberg/honk/sumcheck/polynomials/univariate.hpp" // will go away
+#include "barretenberg/honk/transcript/transcript.hpp"
 #include "barretenberg/honk/utils/power_polynomial.hpp"
 #include "barretenberg/honk/pcs/commitment_key.hpp"
 #include <memory>
@@ -39,13 +40,10 @@ using POLYNOMIAL = proof_system::honk::StandardArithmetization::POLYNOMIAL;
  * */
 template <typename settings>
 Prover<settings>::Prover(std::vector<barretenberg::polynomial>&& wire_polys,
-                         std::shared_ptr<plonk::proving_key> input_key)
+                         const std::shared_ptr<plonk::proving_key> input_key)
     : wire_polynomials(wire_polys)
     , key(input_key)
-    , commitment_key(std::make_unique<pcs::kzg::CommitmentKey>(
-          input_key->circuit_size,
-          "../srs_db/ignition")) // TODO(Cody): Need better constructors for prover.
-// , queue(proving_key.get(), &transcript)
+    , queue(key, transcript)
 {
     // Note(luke): This could be done programmatically with some hacks but this isnt too bad and its nice to see the
     // polys laid out explicitly.
@@ -75,16 +73,14 @@ Prover<settings>::Prover(std::vector<barretenberg::polynomial>&& wire_polys,
 }
 
 /**
- * - Commit to wires 1,2,3
+ * - Add commitment to wires 1,2,3 to work queue
  * - Add PI to transcript (I guess PI will stay in w_2 for now?)
  *
  * */
 template <typename settings> void Prover<settings>::compute_wire_commitments()
 {
     for (size_t i = 0; i < settings::Arithmetization::num_wires; ++i) {
-        auto commitment = commitment_key->commit(wire_polynomials[i]);
-
-        transcript.send_to_verifier("W_" + std::to_string(i + 1), commitment);
+        queue.add_commitment(wire_polynomials[i], "W_" + std::to_string(i + 1));
     }
 }
 
@@ -94,8 +90,6 @@ template <typename settings> void Prover<settings>::compute_wire_commitments()
  * */
 template <typename settings> void Prover<settings>::execute_preamble_round()
 {
-    // queue.flush_queue(); // NOTE: Don't remove; we may reinstate the queue
-
     const auto circuit_size = static_cast<uint32_t>(key->circuit_size);
     const auto num_public_inputs = static_cast<uint32_t>(key->num_public_inputs);
 
@@ -113,7 +107,6 @@ template <typename settings> void Prover<settings>::execute_preamble_round()
  * */
 template <typename settings> void Prover<settings>::execute_wire_commitments_round()
 {
-    // queue.flush_queue(); // NOTE: Don't remove; we may reinstate the queue
     compute_wire_commitments();
 }
 
@@ -131,8 +124,6 @@ template <typename settings> void Prover<settings>::execute_tables_round()
  * */
 template <typename settings> void Prover<settings>::execute_grand_product_computation_round()
 {
-    // queue.flush_queue(); // NOTE: Don't remove; we may reinstate the queue
-
     // Compute and store parameters required by relations in Sumcheck
     auto [beta, gamma] = transcript.get_challenges("beta", "gamma");
 
@@ -147,9 +138,7 @@ template <typename settings> void Prover<settings>::execute_grand_product_comput
     z_permutation =
         prover_library::compute_permutation_grand_product<settings::program_width>(key, wire_polynomials, beta, gamma);
 
-    auto commitment = commitment_key->commit(z_permutation);
-
-    transcript.send_to_verifier("Z_PERM", commitment);
+    queue.add_commitment(z_permutation, "Z_PERM");
 
     prover_polynomials[POLYNOMIAL::Z_PERM] = z_permutation;
     prover_polynomials[POLYNOMIAL::Z_PERM_SHIFT] = z_permutation.shifted();
@@ -162,8 +151,6 @@ template <typename settings> void Prover<settings>::execute_grand_product_comput
  * */
 template <typename settings> void Prover<settings>::execute_relation_check_rounds()
 {
-    // queue.flush_queue(); // NOTE: Don't remove; we may reinstate the queue
-
     using Sumcheck = sumcheck::Sumcheck<Fr,
                                         ProverTranscript<Fr>,
                                         sumcheck::ArithmeticRelation,
@@ -197,22 +184,13 @@ template <typename settings> void Prover<settings>::execute_univariatization_rou
     Polynomial batched_poly_to_be_shifted(key->circuit_size); // batched to-be-shifted polynomials
     batched_poly_to_be_shifted.add_scaled(prover_polynomials[POLYNOMIAL::Z_PERM], rhos[NUM_UNSHIFTED_POLYS]);
 
-    // // Reserve space for d+1 Fold polynomials. At the end of this round, the last d-1 polynomials will
-    // // correspond to Fold^(i). At the end of the full Gemini prover protocol, the first two will
-    // // be the partially evaluated Fold polynomials Fold_{r}^(0) and Fold_{-r}^(0).
-    // fold_polynomials.reserve(key->log_circuit_size + 1);
-    // fold_polynomials.emplace_back(batched_poly_unshifted);
-    // fold_polynomials.emplace_back(batched_poly_to_be_shifted);
-
     // Compute d-1 polynomials Fold^(i), i = 1, ..., d-1.
     fold_polynomials = Gemini::compute_fold_polynomials(
         sumcheck_output.challenge_point, std::move(batched_poly_unshifted), std::move(batched_poly_to_be_shifted));
 
     // Compute and add to trasnscript the commitments [Fold^(i)], i = 1, ..., d-1
     for (size_t l = 0; l < key->log_circuit_size - 1; ++l) {
-        std::string label = "Gemini:FOLD_" + std::to_string(l + 1);
-        auto commitment = commitment_key->commit(fold_polynomials[l + 2]);
-        transcript.send_to_verifier(label, commitment);
+        queue.add_commitment(fold_polynomials[l + 2], "Gemini:FOLD_" + std::to_string(l + 1));
     }
 }
 
@@ -248,8 +226,7 @@ template <typename settings> void Prover<settings>::execute_shplonk_batched_quot
         Shplonk::compute_batched_quotient(gemini_output.opening_pairs, gemini_output.witnesses, nu_challenge);
 
     // commit to Q(X) and add [Q] to the transcript
-    auto Q_commitment = commitment_key->commit(batched_quotient_Q);
-    transcript.send_to_verifier("Shplonk:Q", Q_commitment);
+    queue.add_commitment(batched_quotient_Q, "Shplonk:Q");
 }
 
 /**
@@ -269,7 +246,8 @@ template <typename settings> void Prover<settings>::execute_shplonk_partial_eval
  * */
 template <typename settings> void Prover<settings>::execute_kzg_round()
 {
-    KZG::reduce_prove(commitment_key, shplonk_output.opening_pair, shplonk_output.witness, transcript);
+    quotient_W = KZG::compute_opening_proof_polynomial(shplonk_output.opening_pair, shplonk_output.witness);
+    queue.add_commitment(quotient_W, "KZG:W");
 }
 
 template <typename settings> plonk::proof& Prover<settings>::export_proof()
@@ -282,51 +260,48 @@ template <typename settings> plonk::proof& Prover<settings>::construct_proof()
 {
     // Add circuit size and public input size to transcript.
     execute_preamble_round();
-    // queue.process_queue(); // NOTE: Don't remove; we may reinstate the queue
 
     // Compute wire commitments; Add PI to transcript
     execute_wire_commitments_round();
-    // queue.process_queue(); // NOTE: Don't remove; we may reinstate the queue
+    queue.process_queue();
 
     // Currently a no-op; may execute some "random widgets", commit to W_4, do RAM/ROM stuff
     // if this prover structure is kept when we bring tables to Honk.
     // Suggestion: Maybe we shouldn't mix and match proof creation for different systems and
     // instead instatiate construct_proof differently for each?
     execute_tables_round();
-    // queue.process_queue(); // NOTE: Don't remove; we may reinstate the queue
 
     // Fiat-Shamir: beta & gamma
     // Compute grand product(s) and commitments.
     execute_grand_product_computation_round();
-    // queue.process_queue(); // NOTE: Don't remove; we may reinstate the queue
+    queue.process_queue();
 
     // Fiat-Shamir: alpha
     // Run sumcheck subprotocol.
     execute_relation_check_rounds();
-    // // queue currently only handles commitments, not partial multivariate evaluations.
-    // queue.process_queue(); // NOTE: Don't remove; we may reinstate the queue
 
     // Fiat-Shamir: rho
     // Compute Fold polynomials and their commitments.
     execute_univariatization_round();
-    // queue.process_queue(); // NOTE: Don't remove; we may reinstate the queue
+    queue.process_queue();
 
     // Fiat-Shamir: r
     // Compute Fold evaluations
     execute_pcs_evaluation_round();
 
     // Fiat-Shamir: nu
-    // Compute Shplonk batched quotient commitment
+    // Compute Shplonk batched quotient commitment Q
     execute_shplonk_batched_quotient_round();
+    queue.process_queue();
+
+    // Fiat-Shamir: z
+    // Compute partial evaluation Q_z
     execute_shplonk_partial_evaluation_round();
-    // queue.process_queue(); // NOTE: Don't remove; we may reinstate the queue
 
     // Fiat-Shamir: z
     // Compute KZG quotient commitment
     execute_kzg_round();
-    // queue.process_queue(); // NOTE: Don't remove; we may reinstate the queue
-
-    // queue.flush_queue(); // NOTE: Don't remove; we may reinstate the queue
+    queue.process_queue();
 
     return export_proof();
 }

diff --git a/barretenberg/cpp/src/barretenberg/honk/proof_system/prover.hpp b/barretenberg/cpp/src/barretenberg/honk/proof_system/prover.hpp
@@ -24,6 +24,7 @@
 #include <string>
 #include "barretenberg/honk/pcs/claim.hpp"
 #include "barretenberg/honk/proof_system/prover_library.hpp"
+#include "barretenberg/honk/proof_system/work_queue.hpp"
 
 namespace proof_system::honk {
 
@@ -64,29 +65,18 @@ template <typename settings> class Prover {
 
     std::shared_ptr<plonk::proving_key> key;
 
-    std::shared_ptr<pcs::kzg::CommitmentKey> commitment_key;
-
     // Container for spans of all polynomials required by the prover (i.e. all multivariates evaluated by Sumcheck).
     std::array<std::span<Fr>, honk::StandardArithmetization::POLYNOMIAL::COUNT> prover_polynomials;
 
     // Container for d + 1 Fold polynomials produced by Gemini
     std::vector<Polynomial> fold_polynomials;
 
-    Polynomial batched_quotient_Q;
-    Fr nu_challenge;
-
-    // Honk only needs a small portion of the functionality but may be fine to use existing work_queue
-    // NOTE: this is not currently in use, but it may well be used in the future.
-    // TODO(Adrian): Uncomment when we need this again.
-    // proof_system::work_queue queue;
-    // void flush_queued_work_items() { queue.flush_queue(); }
-    // proof_system::work_queue::work_item_info get_queued_work_item_info() const {
-    //     return queue.get_queued_work_item_info();
-    // }
-    // size_t get_scalar_multiplication_size(const size_t work_item_number) const
-    // {
-    //     return queue.get_scalar_multiplication_size(work_item_number);
-    // }
+    Polynomial batched_quotient_Q; // batched quotient poly computed by Shplonk
+    Fr nu_challenge;               // needed in both Shplonk rounds
+
+    Polynomial quotient_W;
+
+    work_queue<pcs::kzg::Params> queue;
 
     // This makes 'settings' accesible from Prover
     using settings_ = settings;

diff --git a/barretenberg/cpp/src/barretenberg/honk/proof_system/verifier.test.cpp b/barretenberg/cpp/src/barretenberg/honk/proof_system/verifier.test.cpp
@@ -198,8 +198,6 @@ template <class FF> class VerifierTests : public testing::Test {
         std::unique_ptr<pcs::kzg::CommitmentKey> kate_commitment_key =
             std::make_unique<pcs::kzg::CommitmentKey>(proving_key->circuit_size, "../srs_db/ignition");
 
-        prover.commitment_key = std::move(kate_commitment_key);
-
         return prover;
     }
 };