From 2c37dc494f91d304beb475c77f488545d564c154 Mon Sep 17 00:00:00 2001 From: iakovenkos Date: Mon, 28 Oct 2024 17:53:35 +0000 Subject: [PATCH 01/17] shplemini supports opening of libra masking univariates --- .../barretenberg/commitment_schemes/claim.hpp | 1 + .../commitment_schemes/kzg/kzg.test.cpp | 36 +++++ .../commitment_schemes/shplonk/shplemini.hpp | 78 ++++++++++- .../shplonk/shplemini.test.cpp | 129 ++++++++++++++++++ .../commitment_schemes/shplonk/shplonk.hpp | 55 +++++++- 5 files changed, 289 insertions(+), 10 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/claim.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/claim.hpp index 129cb4df521..3eee1dba270 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/claim.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/claim.hpp @@ -84,5 +84,6 @@ template struct BatchOpeningClaim { std::vector commitments; std::vector scalars; typename Curve::ScalarField evaluation_point; + typename Curve::ScalarField batching_challenge; }; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp index 4b951685549..5b10d91a19d 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp @@ -41,6 +41,42 @@ TYPED_TEST(KZGTest, single) EXPECT_EQ(this->vk()->pairing_check(pairing_points[0], pairing_points[1]), true); } +/** + * @brief Test opening proof of a polynomial given by its evaluations at \f$ i = 0, \ldots, n \f$. Should only be used + * for small values of \f$ n \f$. + * + */ +TYPED_TEST(KZGTest, SingleInLagrangeBasis) +{ + const size_t n = 4; + + using KZG = KZG; + using Fr = typename TypeParam::ScalarField; + + // create a random univariate (coefficients are in Lagrange basis) + auto witness = bb::Univariate::get_random(); + // define the interpolation domain + std::array eval_points = { Fr(0), Fr(1), Fr(2), Fr(3) }; + // compute the monomial coefficients + Polynomial witness_polynomial(std::span(eval_points), std::span(witness), n); + // commit to the polynomial in the monomial form + g1::element commitment = this->commit(witness_polynomial); + + auto challenge = Fr::random_element(); + // evaluate the original univariate + auto evaluation = witness.evaluate(challenge); + auto opening_pair = OpeningPair{ challenge, evaluation }; + auto opening_claim = OpeningClaim{ opening_pair, commitment }; + + auto prover_transcript = NativeTranscript::prover_init_empty(); + + KZG::compute_opening_proof(this->ck(), { witness_polynomial, opening_pair }, prover_transcript); + + auto verifier_transcript = NativeTranscript::verifier_init_empty(prover_transcript); + auto pairing_points = KZG::reduce_verify(opening_claim, verifier_transcript); + + EXPECT_EQ(this->vk()->pairing_check(pairing_points[0], pairing_points[1]), true); +} /** * @brief Test full PCS protocol: Gemini, Shplonk, KZG and pairing check * @details Demonstrates the full PCS protocol as it is used in the construction and verification diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp index 2f247d8d1ee..c8b71e26770 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp @@ -20,7 +20,7 @@ template class ShpleminiProver_ { using ShplonkProver = ShplonkProver_; using GeminiProver = GeminiProver_; - template + template static OpeningClaim prove(const FF circuit_size, RefSpan f_polynomials, RefSpan g_polynomials, @@ -28,7 +28,9 @@ template class ShpleminiProver_ { const std::shared_ptr>& commitment_key, const std::shared_ptr& transcript, RefSpan concatenated_polynomials = {}, - const std::vector>& groups_to_be_concatenated = {}) + const std::vector>& groups_to_be_concatenated = {}, + const std::vector libra_univariates = {}, + const std::vector libra_evaluations = {}) { std::vector opening_claims = GeminiProver::prove(circuit_size, f_polynomials, @@ -38,8 +40,20 @@ template class ShpleminiProver_ { transcript, concatenated_polynomials, groups_to_be_concatenated); - - OpeningClaim batched_claim = ShplonkProver::prove(commitment_key, opening_claims, transcript); + std::vector libra_opening_claims; + if (!libra_univariates.empty()) { + size_t idx = 0; + for (auto [libra_univariate, libra_evaluation] : zip_view(libra_univariates, libra_evaluations)) { + OpeningClaim new_claim; + new_claim.polynomial = Polynomial{ libra_univariate }; + new_claim.opening_pair.challenge = multilinear_challenge[idx]; + new_claim.opening_pair.evaluation = libra_evaluation; + libra_opening_claims.push_back(new_claim); + idx++; + } + } + OpeningClaim batched_claim = + ShplonkProver::prove(commitment_key, opening_claims, transcript, libra_opening_claims); return batched_claim; }; }; @@ -105,6 +119,8 @@ template class ShpleminiVerifier_ { using ShplonkVerifier = ShplonkVerifier_; using GeminiVerifier = GeminiVerifier_; + const static Fr final_shplonk_power; + public: template static BatchOpeningClaim compute_batch_opening_claim( @@ -254,7 +270,7 @@ template class ShpleminiVerifier_ { commitments.emplace_back(g1_identity); scalars.emplace_back(constant_term_accumulator); - return { commitments, scalars, shplonk_evaluation_challenge }; + return { commitments, scalars, shplonk_evaluation_challenge, shplonk_batching_challenge }; }; /** * @brief Populates the vectors of commitments and scalars, and computes the evaluation of the batched @@ -421,6 +437,7 @@ template class ShpleminiVerifier_ { // Update the batching challenge current_batching_challenge *= shplonk_batching_challenge; + info(j, " current batching challenge verifier ", current_batching_challenge); if constexpr (Curve::is_stdlib_type) { auto builder = shplonk_batching_challenge.get_context(); @@ -439,5 +456,56 @@ template class ShpleminiVerifier_ { commitments.emplace_back(std::move(fold_commitments[j])); } } + + static void add_zk_data(BatchOpeningClaim& batch_opening_claim, + RefSpan libra_univariate_commitments, + const std::vector& libra_univariate_evaluations, + RefSpan masking_scalar_commitments, + const std::vector& multivariate_challenge, + const Fr& quadratic_challenge, + const Fr& shplonk_batching_challenge, + const Fr& shplonk_evaluation_challenge, + const size_t first_witness_index) + + { + // compute the correct power of \nu + Fr shplonk_challenge_power = Fr{ 1 }; + for (size_t j = 0; j < CONST_PROOF_SIZE_LOG_N + 2; ++j) { + shplonk_challenge_power *= shplonk_batching_challenge; + } + // get the commitments and scalars vectors from the batch opening claim + auto& commitments = batch_opening_claim.commitments; + auto& scalars = batch_opening_claim.scalars; + + // needed to keep track of the constant term contribution + const size_t idx_of_constant_term = commitments.size() - 1; + + // compute shplonk denominators and batch invert them + std::vector denominators; + size_t num_libra_univariates = libra_univariate_commitments.size(); + for (size_t idx = 0; idx < num_libra_univariates; idx++) { + denominators.push_back(shplonk_evaluation_challenge - multivariate_challenge[idx]); + }; + Fr::batch_invert(denominators); + + Fr& constant_term = scalars[idx_of_constant_term]; + for (const auto [libra_univariate_commitment, denominator, libra_univariate_evaluation] : + zip_view(libra_univariate_commitments, denominators, libra_univariate_evaluations)) { + commitments.push_back(libra_univariate_commitment); + Fr scaling_factor = denominator * shplonk_challenge_power; + scalars.push_back(-scaling_factor); + shplonk_challenge_power *= shplonk_batching_challenge; + constant_term += scaling_factor * libra_univariate_evaluation; + } + + const size_t num_masked_witnesses = masking_scalar_commitments.size(); + + for (size_t idx = 0; idx < num_masked_witnesses; idx++) { + commitments.push_back(masking_scalar_commitments[idx]); + size_t witness_idx = first_witness_index + 1; + Fr corresponding_witness_scalar = scalars[witness_idx]; + scalars.push_back(corresponding_witness_scalar * quadratic_challenge); + } + } }; } // namespace bb \ No newline at end of file diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp index 55739360179..61a6e5b5bb9 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp @@ -221,4 +221,133 @@ TYPED_TEST(ShpleminiTest, CorrectnessOfGeminiClaimBatching) EXPECT_EQ(shplemini_result, expected_result); } + +TYPED_TEST(ShpleminiTest, ShpleminiProverAndVerifierTest) +{ + if constexpr (std::is_same_v) { + GTEST_SKIP() << "Test only runs for curve::BN254"; + } else { + using ShpleminiProver = ShpleminiProver_; + using ShpleminiVerifier = ShpleminiVerifier_; + using KZG = KZG; + using Fr = typename TypeParam::ScalarField; + using Commitment = typename TypeParam::AffineElement; + using Polynomial = typename bb::Polynomial; + + const size_t n = 16; + const size_t log_n = 4; + const size_t LIBRA_UNIVARIATE_LENGTH = 12; + + std::array interpolation_domain; + for (size_t idx = 0; idx < LIBRA_UNIVARIATE_LENGTH; idx++) { + interpolation_domain[idx] = Fr(idx); + } + // Generate multilinear polynomials, their commitments (genuine and mocked) and evaluations (genuine) at a + // random point. + auto mle_opening_point = this->random_evaluation_point(log_n); // sometimes denoted 'u' + auto poly1 = Polynomial::random(n); + auto poly2 = Polynomial::random(n, 1); + auto poly3 = Polynomial::random(n, 1); + auto poly4 = Polynomial::random(n); + + Fr masking_term1 = Fr::get_random(); + + std::vector> libra_univariates; + std::vector libra_commitments; + std::vector libra_univariate_monomial; + std::vector libra_evaluations; + for (size_t idx = 0; idx < log_n; idx++) { + // generate random univariate + auto libra_polynomial = bb::Univariate::get_random(); + // populate the vector of libra evaluations + libra_evaluations.push_back(libra_polynomial.evaluate(mle_opening_point[idx])); + + // libra_univariates.push_back(libra_polynomial); + // interpolate polynomial from evals + Polynomial libra_monomial = + Polynomial(std::span(interpolation_domain), std::span(libra_polynomial), LIBRA_UNIVARIATE_LENGTH); + + ASSERT_EQ(libra_polynomial.evaluate(mle_opening_point[idx]), + libra_monomial.evaluate(mle_opening_point[idx])); + libra_univariate_monomial.push_back(libra_monomial); + // commit and populate the vector of libra commitments + Commitment libra_commitment = this->commit(libra_monomial); + libra_commitments.push_back(libra_commitment); + } + + Commitment commitment1 = this->commit(poly1); + Commitment commitment2 = this->commit(poly2); + Commitment commitment3 = this->commit(poly3); + Commitment commitment4 = this->commit(poly4); + std::vector unshifted_commitments = { commitment1, commitment2, commitment3, commitment4 }; + std::vector shifted_commitments = { commitment2, commitment3 }; + auto eval1 = poly1.evaluate_mle(mle_opening_point); + auto eval2 = poly2.evaluate_mle(mle_opening_point); + auto eval3 = poly3.evaluate_mle(mle_opening_point); + auto eval4 = poly4.evaluate_mle(mle_opening_point); + auto eval2_shift = poly2.evaluate_mle(mle_opening_point, true); + auto eval3_shift = poly3.evaluate_mle(mle_opening_point, true); + + // Collect multilinear evaluations for input to prover + // std::vector multilinear_evaluations = { eval1, eval2, eval3, eval4, eval2_shift, eval3_shift }; + + auto prover_transcript = NativeTranscript::prover_init_empty(); + + // Run the full prover PCS protocol: + auto opening_claim = ShpleminiProver::template prove( + Fr{ n }, + RefArray{ poly1, poly2, poly3, poly4 }, + RefArray{ poly2, poly3 }, + mle_opening_point, + this->ck(), + prover_transcript, + {}, + {}, + RefVector(libra_univariate_monomial), + libra_evaluations); + + KZG::compute_opening_proof(this->ck(), opening_claim, prover_transcript); + + // Run the full verifier PCS protocol with genuine opening claims (genuine commitment, genuine evaluation) + + auto verifier_transcript = NativeTranscript::verifier_init_empty(prover_transcript); + + // Gemini verifier output: + // - claim: d+1 commitments to Fold_{r}^(0), Fold_{-r}^(0), Fold^(l), d+1 evaluations a_0_pos, a_l, l = 0:d-1 + auto batch_opening_claim = + ShpleminiVerifier::compute_batch_opening_claim(n, + RefVector(unshifted_commitments), + RefVector(shifted_commitments), + RefArray{ eval1, eval2, eval3, eval4 }, + RefArray{ eval2_shift, eval3_shift }, + mle_opening_point, + this->vk()->get_g1_identity(), + verifier_transcript, + {}, + {}); + + const Fr shplonk_eval_challenge = batch_opening_claim.evaluation_point; + const Fr shplonk_batching_challenge = batch_opening_claim.batching_challenge; + + Fr qudatratic_sum = Fr{ 0 }; + for (size_t idx = 0; idx < n; idx++) { + qudatratic_sum = mle_opening_point[idx](Fr(1) - mle_opening_point[idx]); + } + + ShpleminiVerifier::add_zk_data(batch_opening_claim, + RefVector(libra_commitments), + libra_evaluations, + {}, + mle_opening_point, + /* quadratic challenge */ Fr(0), + /* shplonk_batching_challenge =*/shplonk_batching_challenge, + /* shplonk_evaluation_challenge = */ shplonk_eval_challenge, + /* first_witness_index = */ 0); + + const auto pairing_points = KZG::reduce_verify_batch_opening_claim(batch_opening_claim, verifier_transcript); + + // Final pairing check: e([Q] - [Q_z] + z[W], [1]_2) = e([W], [x]_2) + EXPECT_EQ(this->vk()->pairing_check(pairing_points[0], pairing_points[1]), true); + } +} } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp index 1322fb34c3d..4dba9d3a0be 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp @@ -38,7 +38,9 @@ template class ShplonkProver_ { * @param nu batching challenge * @return Polynomial Q(X) */ - static Polynomial compute_batched_quotient(std::span> opening_claims, const Fr& nu) + static Polynomial compute_batched_quotient(std::span> opening_claims, + const Fr& nu, + std::span> libra_opening_claims) { // Find n, the maximum size of all polynomials fⱼ(X) size_t max_poly_size{ 0 }; @@ -50,6 +52,7 @@ template class ShplonkProver_ { Polynomial tmp(max_poly_size); Fr current_nu = Fr::one(); + size_t idx = 0; for (const auto& claim : opening_claims) { // Compute individual claim quotient tmp = ( fⱼ(X) − vⱼ) / ( X − xⱼ ) @@ -59,9 +62,27 @@ template class ShplonkProver_ { // Add the claim quotient to the batched quotient polynomial Q.add_scaled(tmp, current_nu); + info(idx, " prover nu in real claims", current_nu); + idx++; current_nu *= nu; } + for (size_t idx = opening_claims.size(); idx < CONST_PROOF_SIZE_LOG_N + 2; idx++) { + current_nu *= nu; + }; + + for (const auto& claim : libra_opening_claims) { + // Compute individual claim quotient tmp = ( fⱼ(X) − vⱼ) / ( X − xⱼ ) + tmp = claim.polynomial; + tmp.at(0) = tmp[0] - claim.opening_pair.evaluation; + tmp.factor_roots(claim.opening_pair.challenge); + + // Add the claim quotient to the batched quotient polynomial + Q.add_scaled(tmp, current_nu); + info(idx, " prover nu in libra", current_nu); + idx++; + current_nu *= nu; + } // Return batched quotient polynomial Q(X) return Q; }; @@ -80,7 +101,8 @@ template class ShplonkProver_ { std::span> opening_claims, Polynomial& batched_quotient_Q, const Fr& nu_challenge, - const Fr& z_challenge) + const Fr& z_challenge, + std::span> libra_opening_claims = {}) { const size_t num_opening_claims = opening_claims.size(); @@ -90,6 +112,10 @@ template class ShplonkProver_ { for (const auto& claim : opening_claims) { inverse_vanishing_evals.emplace_back(z_challenge - claim.opening_pair.challenge); } + for (const auto& claim : libra_opening_claims) { + inverse_vanishing_evals.emplace_back(z_challenge - claim.opening_pair.challenge); + info("libra denominator P ", z_challenge - claim.opening_pair.challenge); + } Fr::batch_invert(inverse_vanishing_evals); // G(X) = Q(X) - Q_z(X) = Q(X) - ∑ⱼ νʲ ⋅ ( fⱼ(X) − vⱼ) / ( z − xⱼ ), @@ -100,6 +126,7 @@ template class ShplonkProver_ { Fr current_nu = Fr::one(); Polynomial tmp(G.size()); size_t idx = 0; + for (const auto& claim : opening_claims) { // tmp = νʲ ⋅ ( fⱼ(X) − vⱼ) / ( z − xⱼ ) tmp = claim.polynomial; @@ -112,7 +139,23 @@ template class ShplonkProver_ { current_nu *= nu_challenge; idx++; } + for (size_t idx = opening_claims.size(); idx < CONST_PROOF_SIZE_LOG_N + 2; idx++) { + current_nu *= nu_challenge; + }; + + for (const auto& claim : libra_opening_claims) { + + // Compute individual claim quotient tmp = ( fⱼ(X) − vⱼ) / ( X − xⱼ ) + tmp = claim.polynomial; + tmp.at(0) = tmp[0] - claim.opening_pair.evaluation; + Fr scaling_factor = current_nu * inverse_vanishing_evals[idx]; // = νʲ / (z − xⱼ ) + // tmp.factor_roots(claim.opening_pair.challenge); + // Add the claim quotient to the batched quotient polynomial + G.add_scaled(tmp, -scaling_factor); + idx++; + current_nu *= nu_challenge; + } // Return opening pair (z, 0) and polynomial G(X) = Q(X) - Q_z(X) return { .polynomial = G, .opening_pair = { .challenge = z_challenge, .evaluation = Fr::zero() } }; }; @@ -129,14 +172,16 @@ template class ShplonkProver_ { template static ProverOpeningClaim prove(const std::shared_ptr>& commitment_key, std::span> opening_claims, - const std::shared_ptr& transcript) + const std::shared_ptr& transcript, + std::span> libra_opening_claims = {}) { const Fr nu = transcript->template get_challenge("Shplonk:nu"); - auto batched_quotient = compute_batched_quotient(opening_claims, nu); + auto batched_quotient = compute_batched_quotient(opening_claims, nu, libra_opening_claims); auto batched_quotient_commitment = commitment_key->commit(batched_quotient); transcript->send_to_verifier("Shplonk:Q", batched_quotient_commitment); const Fr z = transcript->template get_challenge("Shplonk:z"); - return compute_partially_evaluated_batched_quotient(opening_claims, batched_quotient, nu, z); + return compute_partially_evaluated_batched_quotient( + opening_claims, batched_quotient, nu, z, libra_opening_claims); } }; From 7bbacc287f0ef906833e9863d1044d27661ae2a3 Mon Sep 17 00:00:00 2001 From: iakovenkos Date: Tue, 29 Oct 2024 14:26:24 +0000 Subject: [PATCH 02/17] clean-up --- .../commitment_schemes/shplonk/shplemini.hpp | 24 +- .../shplonk/shplemini.test.cpp | 216 ++++++++---------- .../commitment_schemes/shplonk/shplonk.hpp | 9 +- 3 files changed, 111 insertions(+), 138 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp index c8b71e26770..3b38a1ff65b 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp @@ -20,7 +20,7 @@ template class ShpleminiProver_ { using ShplonkProver = ShplonkProver_; using GeminiProver = GeminiProver_; - template + template static OpeningClaim prove(const FF circuit_size, RefSpan f_polynomials, RefSpan g_polynomials, @@ -460,14 +460,12 @@ template class ShpleminiVerifier_ { static void add_zk_data(BatchOpeningClaim& batch_opening_claim, RefSpan libra_univariate_commitments, const std::vector& libra_univariate_evaluations, - RefSpan masking_scalar_commitments, - const std::vector& multivariate_challenge, - const Fr& quadratic_challenge, - const Fr& shplonk_batching_challenge, - const Fr& shplonk_evaluation_challenge, - const size_t first_witness_index) + const std::vector& multivariate_challenge) { + const auto shplonk_batching_challenge = batch_opening_claim.batching_challenge; + + const auto shplonk_evaluation_challenge = batch_opening_claim.evaluation_point; // compute the correct power of \nu Fr shplonk_challenge_power = Fr{ 1 }; for (size_t j = 0; j < CONST_PROOF_SIZE_LOG_N + 2; ++j) { @@ -488,7 +486,7 @@ template class ShpleminiVerifier_ { }; Fr::batch_invert(denominators); - Fr& constant_term = scalars[idx_of_constant_term]; + Fr constant_term = 0; for (const auto [libra_univariate_commitment, denominator, libra_univariate_evaluation] : zip_view(libra_univariate_commitments, denominators, libra_univariate_evaluations)) { commitments.push_back(libra_univariate_commitment); @@ -497,15 +495,7 @@ template class ShpleminiVerifier_ { shplonk_challenge_power *= shplonk_batching_challenge; constant_term += scaling_factor * libra_univariate_evaluation; } - - const size_t num_masked_witnesses = masking_scalar_commitments.size(); - - for (size_t idx = 0; idx < num_masked_witnesses; idx++) { - commitments.push_back(masking_scalar_commitments[idx]); - size_t witness_idx = first_witness_index + 1; - Fr corresponding_witness_scalar = scalars[witness_idx]; - scalars.push_back(corresponding_witness_scalar * quadratic_challenge); - } + scalars[idx_of_constant_term] += constant_term; } }; } // namespace bb \ No newline at end of file diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp index 61a6e5b5bb9..1044b00e8eb 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp @@ -6,6 +6,7 @@ #include "../shplonk/shplonk.hpp" #include "../utils/batch_mul_native.hpp" #include "barretenberg/commitment_schemes/claim.hpp" +#include "barretenberg/commitment_schemes/ipa/ipa.hpp" #include "barretenberg/ecc/curves/bn254/g1.hpp" #include @@ -222,130 +223,111 @@ TYPED_TEST(ShpleminiTest, CorrectnessOfGeminiClaimBatching) EXPECT_EQ(shplemini_result, expected_result); } -TYPED_TEST(ShpleminiTest, ShpleminiProverAndVerifierTest) +TYPED_TEST(ShpleminiTest, ShpleminiWithMaskingLibraUnivariates) { + using ShpleminiProver = ShpleminiProver_; + using ShpleminiVerifier = ShpleminiVerifier_; + using KZG = KZG; + using IPA = IPA; + using Fr = typename TypeParam::ScalarField; + using Commitment = typename TypeParam::AffineElement; + using Polynomial = typename bb::Polynomial; + + const size_t n = 16; + const size_t log_n = 4; + const size_t LIBRA_UNIVARIATE_LENGTH = 12; + + std::array interpolation_domain; + for (size_t idx = 0; idx < LIBRA_UNIVARIATE_LENGTH; idx++) { + interpolation_domain[idx] = Fr(idx); + } + // Generate multilinear polynomials, their commitments (genuine and mocked) and evaluations (genuine) at a + // random point. + auto mle_opening_point = this->random_evaluation_point(log_n); // sometimes denoted 'u' + auto poly1 = Polynomial::random(n); + auto poly2 = Polynomial::random(n, 1); + auto poly3 = Polynomial::random(n, 1); + auto poly4 = Polynomial::random(n); + + std::vector> libra_univariates; + std::vector libra_commitments; + std::vector libra_univariate_monomial; + std::vector libra_evaluations; + for (size_t idx = 0; idx < log_n; idx++) { + // generate random univariate + auto libra_polynomial = bb::Univariate::get_random(); + // populate the vector of libra evaluations + libra_evaluations.push_back(libra_polynomial.evaluate(mle_opening_point[idx])); + + // libra_univariates.push_back(libra_polynomial); + // interpolate polynomial from evals + Polynomial libra_monomial = + Polynomial(std::span(interpolation_domain), std::span(libra_polynomial), LIBRA_UNIVARIATE_LENGTH); + + ASSERT_EQ(libra_polynomial.evaluate(mle_opening_point[idx]), libra_monomial.evaluate(mle_opening_point[idx])); + libra_univariate_monomial.push_back(libra_monomial); + // commit and populate the vector of libra commitments + Commitment libra_commitment = this->commit(libra_monomial); + libra_commitments.push_back(libra_commitment); + } + + Commitment commitment1 = this->commit(poly1); + Commitment commitment2 = this->commit(poly2); + Commitment commitment3 = this->commit(poly3); + Commitment commitment4 = this->commit(poly4); + std::vector unshifted_commitments = { commitment1, commitment2, commitment3, commitment4 }; + std::vector shifted_commitments = { commitment2, commitment3 }; + auto eval1 = poly1.evaluate_mle(mle_opening_point); + auto eval2 = poly2.evaluate_mle(mle_opening_point); + auto eval3 = poly3.evaluate_mle(mle_opening_point); + auto eval4 = poly4.evaluate_mle(mle_opening_point); + auto eval2_shift = poly2.evaluate_mle(mle_opening_point, true); + auto eval3_shift = poly3.evaluate_mle(mle_opening_point, true); + + // Collect multilinear evaluations for input to prover + // std::vector multilinear_evaluations = { eval1, eval2, eval3, eval4, eval2_shift, eval3_shift }; + + auto prover_transcript = NativeTranscript::prover_init_empty(); + + // Run the full prover PCS protocol: + auto opening_claim = ShpleminiProver::prove(Fr{ n }, + RefArray{ poly1, poly2, poly3, poly4 }, + RefArray{ poly2, poly3 }, + mle_opening_point, + this->ck(), + prover_transcript, + {}, + {}, + RefVector(libra_univariate_monomial), + libra_evaluations); if constexpr (std::is_same_v) { - GTEST_SKIP() << "Test only runs for curve::BN254"; + IPA::compute_opening_proof(this->ck(), opening_claim, prover_transcript); } else { - using ShpleminiProver = ShpleminiProver_; - using ShpleminiVerifier = ShpleminiVerifier_; - using KZG = KZG; - using Fr = typename TypeParam::ScalarField; - using Commitment = typename TypeParam::AffineElement; - using Polynomial = typename bb::Polynomial; - - const size_t n = 16; - const size_t log_n = 4; - const size_t LIBRA_UNIVARIATE_LENGTH = 12; - - std::array interpolation_domain; - for (size_t idx = 0; idx < LIBRA_UNIVARIATE_LENGTH; idx++) { - interpolation_domain[idx] = Fr(idx); - } - // Generate multilinear polynomials, their commitments (genuine and mocked) and evaluations (genuine) at a - // random point. - auto mle_opening_point = this->random_evaluation_point(log_n); // sometimes denoted 'u' - auto poly1 = Polynomial::random(n); - auto poly2 = Polynomial::random(n, 1); - auto poly3 = Polynomial::random(n, 1); - auto poly4 = Polynomial::random(n); - - Fr masking_term1 = Fr::get_random(); - - std::vector> libra_univariates; - std::vector libra_commitments; - std::vector libra_univariate_monomial; - std::vector libra_evaluations; - for (size_t idx = 0; idx < log_n; idx++) { - // generate random univariate - auto libra_polynomial = bb::Univariate::get_random(); - // populate the vector of libra evaluations - libra_evaluations.push_back(libra_polynomial.evaluate(mle_opening_point[idx])); - - // libra_univariates.push_back(libra_polynomial); - // interpolate polynomial from evals - Polynomial libra_monomial = - Polynomial(std::span(interpolation_domain), std::span(libra_polynomial), LIBRA_UNIVARIATE_LENGTH); - - ASSERT_EQ(libra_polynomial.evaluate(mle_opening_point[idx]), - libra_monomial.evaluate(mle_opening_point[idx])); - libra_univariate_monomial.push_back(libra_monomial); - // commit and populate the vector of libra commitments - Commitment libra_commitment = this->commit(libra_monomial); - libra_commitments.push_back(libra_commitment); - } - - Commitment commitment1 = this->commit(poly1); - Commitment commitment2 = this->commit(poly2); - Commitment commitment3 = this->commit(poly3); - Commitment commitment4 = this->commit(poly4); - std::vector unshifted_commitments = { commitment1, commitment2, commitment3, commitment4 }; - std::vector shifted_commitments = { commitment2, commitment3 }; - auto eval1 = poly1.evaluate_mle(mle_opening_point); - auto eval2 = poly2.evaluate_mle(mle_opening_point); - auto eval3 = poly3.evaluate_mle(mle_opening_point); - auto eval4 = poly4.evaluate_mle(mle_opening_point); - auto eval2_shift = poly2.evaluate_mle(mle_opening_point, true); - auto eval3_shift = poly3.evaluate_mle(mle_opening_point, true); - - // Collect multilinear evaluations for input to prover - // std::vector multilinear_evaluations = { eval1, eval2, eval3, eval4, eval2_shift, eval3_shift }; - - auto prover_transcript = NativeTranscript::prover_init_empty(); - - // Run the full prover PCS protocol: - auto opening_claim = ShpleminiProver::template prove( - Fr{ n }, - RefArray{ poly1, poly2, poly3, poly4 }, - RefArray{ poly2, poly3 }, - mle_opening_point, - this->ck(), - prover_transcript, - {}, - {}, - RefVector(libra_univariate_monomial), - libra_evaluations); - KZG::compute_opening_proof(this->ck(), opening_claim, prover_transcript); + } - // Run the full verifier PCS protocol with genuine opening claims (genuine commitment, genuine evaluation) - - auto verifier_transcript = NativeTranscript::verifier_init_empty(prover_transcript); - - // Gemini verifier output: - // - claim: d+1 commitments to Fold_{r}^(0), Fold_{-r}^(0), Fold^(l), d+1 evaluations a_0_pos, a_l, l = 0:d-1 - auto batch_opening_claim = - ShpleminiVerifier::compute_batch_opening_claim(n, - RefVector(unshifted_commitments), - RefVector(shifted_commitments), - RefArray{ eval1, eval2, eval3, eval4 }, - RefArray{ eval2_shift, eval3_shift }, - mle_opening_point, - this->vk()->get_g1_identity(), - verifier_transcript, - {}, - {}); - - const Fr shplonk_eval_challenge = batch_opening_claim.evaluation_point; - const Fr shplonk_batching_challenge = batch_opening_claim.batching_challenge; - - Fr qudatratic_sum = Fr{ 0 }; - for (size_t idx = 0; idx < n; idx++) { - qudatratic_sum = mle_opening_point[idx](Fr(1) - mle_opening_point[idx]); - } - - ShpleminiVerifier::add_zk_data(batch_opening_claim, - RefVector(libra_commitments), - libra_evaluations, - {}, - mle_opening_point, - /* quadratic challenge */ Fr(0), - /* shplonk_batching_challenge =*/shplonk_batching_challenge, - /* shplonk_evaluation_challenge = */ shplonk_eval_challenge, - /* first_witness_index = */ 0); + // Run the full verifier PCS protocol with genuine opening claims (genuine commitment, genuine evaluation) - const auto pairing_points = KZG::reduce_verify_batch_opening_claim(batch_opening_claim, verifier_transcript); + auto verifier_transcript = NativeTranscript::verifier_init_empty(prover_transcript); + + // Gemini verifier output: + // - claim: d+1 commitments to Fold_{r}^(0), Fold_{-r}^(0), Fold^(l), d+1 evaluations a_0_pos, a_l, l = 0:d-1 + auto batch_opening_claim = ShpleminiVerifier::compute_batch_opening_claim(n, + RefVector(unshifted_commitments), + RefVector(shifted_commitments), + RefArray{ eval1, eval2, eval3, eval4 }, + RefArray{ eval2_shift, eval3_shift }, + mle_opening_point, + this->vk()->get_g1_identity(), + verifier_transcript); + ShpleminiVerifier::add_zk_data( + batch_opening_claim, RefVector(libra_commitments), libra_evaluations, mle_opening_point); + if constexpr (std::is_same_v) { + auto result = IPA::reduce_verify_batch_opening_claim(batch_opening_claim, this->vk(), verifier_transcript); + EXPECT_EQ(result, true); + } else { + const auto pairing_points = KZG::reduce_verify_batch_opening_claim(batch_opening_claim, verifier_transcript); // Final pairing check: e([Q] - [Q_z] + z[W], [1]_2) = e([W], [x]_2) EXPECT_EQ(this->vk()->pairing_check(pairing_points[0], pairing_points[1]), true); } diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp index 4dba9d3a0be..2a22cfba24c 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp @@ -106,15 +106,16 @@ template class ShplonkProver_ { { const size_t num_opening_claims = opening_claims.size(); - // {ẑⱼ(r)}ⱼ , where ẑⱼ(r) = 1/zⱼ(r) = 1/(r - xⱼ) + // {ẑⱼ(z)}ⱼ , where ẑⱼ(r) = 1/zⱼ(z) = 1/(z - xⱼ) std::vector inverse_vanishing_evals; inverse_vanishing_evals.reserve(num_opening_claims); for (const auto& claim : opening_claims) { inverse_vanishing_evals.emplace_back(z_challenge - claim.opening_pair.challenge); } + + // Add the terms (z - uₖ) for k = 0, …, d−1 where d is the number of rounds in Sumcheck for (const auto& claim : libra_opening_claims) { inverse_vanishing_evals.emplace_back(z_challenge - claim.opening_pair.challenge); - info("libra denominator P ", z_challenge - claim.opening_pair.challenge); } Fr::batch_invert(inverse_vanishing_evals); @@ -139,17 +140,17 @@ template class ShplonkProver_ { current_nu *= nu_challenge; idx++; } + + // Take into account the constant proof size in Gemini for (size_t idx = opening_claims.size(); idx < CONST_PROOF_SIZE_LOG_N + 2; idx++) { current_nu *= nu_challenge; }; for (const auto& claim : libra_opening_claims) { - // Compute individual claim quotient tmp = ( fⱼ(X) − vⱼ) / ( X − xⱼ ) tmp = claim.polynomial; tmp.at(0) = tmp[0] - claim.opening_pair.evaluation; Fr scaling_factor = current_nu * inverse_vanishing_evals[idx]; // = νʲ / (z − xⱼ ) - // tmp.factor_roots(claim.opening_pair.challenge); // Add the claim quotient to the batched quotient polynomial G.add_scaled(tmp, -scaling_factor); From c78ed6e115c9fd9466177052a58e908ed944206c Mon Sep 17 00:00:00 2001 From: iakovenkos Date: Wed, 30 Oct 2024 09:31:45 +0000 Subject: [PATCH 03/17] de-coupled sumcheck from zk sumcheck data --- .../src/barretenberg/sumcheck/sumcheck.hpp | 245 ++++++------------ .../barretenberg/sumcheck/sumcheck.test.cpp | 45 +++- .../barretenberg/sumcheck/sumcheck_round.hpp | 17 +- .../sumcheck/zk_sumcheck_data.hpp | 156 ++++++++++- 4 files changed, 280 insertions(+), 183 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp index abe5443bea4..5b278113976 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp @@ -157,7 +157,7 @@ template class SumcheckProver { std::shared_ptr transcript; SumcheckProverRound round; // Declare a container for ZK Sumcheck data - ZKSumcheckData zk_sumcheck_data; + // ZKSumcheckData zk_sumcheck_data; /** * @@ -190,16 +190,13 @@ template class SumcheckProver { SumcheckOutput prove(ProverPolynomials& full_polynomials, const bb::RelationParameters& relation_parameters, const RelationSeparator alpha, - const std::vector& gate_challenges) + const std::vector& gate_challenges, + ZKSumcheckData zk_sumcheck_data = ZKSumcheckData()) { // In case the Flavor has ZK, we populate sumcheck data structure with randomness, compute correcting term for // the total sum, etc. - if constexpr (Flavor::HasZK) { - setup_zk_sumcheck_data(zk_sumcheck_data); - }; bb::GateSeparatorPolynomial gate_separators(gate_challenges, multivariate_d); - std::vector multivariate_challenge; multivariate_challenge.reserve(multivariate_d); size_t round_idx = 0; @@ -242,6 +239,8 @@ template class SumcheckProver { // Place evaluations of Sumcheck Round Univariate in the transcript transcript->send_to_verifier("Sumcheck:univariate_" + std::to_string(round_idx), round_univariate); FF round_challenge = transcript->template get_challenge("Sumcheck:u_" + std::to_string(round_idx)); + // info("round challenge prover ", round_challenge); + multivariate_challenge.emplace_back(round_challenge); // Prepare sumcheck book-keeping table for the next round partially_evaluate(partially_evaluated_polynomials, round.round_size, round_challenge); @@ -274,6 +273,7 @@ template class SumcheckProver { const FF& libra_evaluation = zk_sumcheck_data.libra_evaluations[idx]; std::string libra_evaluation_label = "Libra:evaluation_" + std::to_string(idx); transcript->send_to_verifier(libra_evaluation_label, libra_evaluation); + // info("libra evaluation Prover ", libra_evaluation); } }; @@ -368,107 +368,66 @@ polynomials that are sent in clear. ClaimedEvaluations extract_claimed_evaluations(PartiallyEvaluatedMultivariates& partially_evaluated_polynomials) { ClaimedEvaluations multivariate_evaluations; - if constexpr (!Flavor::HasZK) { - for (auto [eval, poly] : - zip_view(multivariate_evaluations.get_all(), partially_evaluated_polynomials.get_all())) { - eval = poly[0]; - }; - } else { - // Extract claimed evaluations of non-witness polynomials - for (auto [eval, poly] : zip_view(multivariate_evaluations.get_non_witnesses(), - partially_evaluated_polynomials.get_non_witnesses())) { - eval = poly[0]; - }; - // Extract claimed evaluations of all witness polynomials - for (auto [eval, poly, masking_term] : zip_view(multivariate_evaluations.get_all_witnesses(), - partially_evaluated_polynomials.get_all_witnesses(), - zk_sumcheck_data.masking_terms_evaluations)) { - eval = poly[0] + masking_term.value_at(0); - } - } - return multivariate_evaluations; - }; - - /** - * @brief Create and populate the structure required for the ZK Sumcheck. - - * @details This method creates an array of random field elements \f$ \rho_1,\ldots, \rho_{N_w}\f$ aimed to mask the - evaluations of witness polynomials, these are contained in \f$ \texttt{eval_masking_scalars} \f$. In order to - optimize the computation of Sumcheck Round Univariates, it populates a table of univariates \f$ - \texttt{masking_terms_evaluations} \f$ which contains at the beginning the evaluations of polynomials \f$ \rho_j - \cdot (1-X)\cdot X \f$ at \f$ 0,\ldots, \text{MAX_PARTIAL_RELATION_LENGTH} - 1\f$. This method also creates Libra - univariates, computes the Libra total sum and adds it to the transcript, and sets up all auxiliary objects. - * - * @param zk_sumcheck_data - */ - void setup_zk_sumcheck_data(ZKSumcheckData& zk_sumcheck_data) - { - - EvalMaskingScalars eval_masking_scalars; - - for (size_t k = 0; k < NUM_ALL_WITNESS_ENTITIES; ++k) { - // TODO(https://github.com/AztecProtocol/barretenberg/issues/1136): Once Shplemini supports ZK, these - // constants must be generated in Oink - eval_masking_scalars[k] = FF(0); + // if constexpr (!Flavor::HasZK) { + for (auto [eval, poly] : + zip_view(multivariate_evaluations.get_all(), partially_evaluated_polynomials.get_all())) { + eval = poly[0]; }; - // Generate random scalars \f$ \rho_1,\ldots, \rho_{N_w}\f$ to mask the evaluations of witness polynomials and - // populate the table masking_terms_evaluations with the terms \f$ \rho_j \cdot (1-k) \cdot k \f$ - auto masking_terms_evaluations = create_evaluation_masking_table(eval_masking_scalars); - // Generate random Libra Polynomials to mask Round Univariates. - LibraUnivariates libra_univariates = generate_libra_polynomials(multivariate_d); - // have to commit to libra_univariates here - auto libra_scaling_factor = FF(1); - FF libra_total_sum = compute_libra_total_sum(libra_univariates, libra_scaling_factor); - transcript->send_to_verifier("Libra:Sum", libra_total_sum); - // get the challenge for the zk-sumcheck claim \sigma + \rho \cdot libra_total_sum - FF libra_challenge = transcript->template get_challenge("Libra:Challenge"); - // Initialize Libra running sum by multiplpying it by Libra challenge \f$\rho\f$; - auto libra_running_sum = libra_total_sum * libra_challenge; - // Multiply the column-univariates of the array of libra polynomials by libra challenge and power of \f$ 2\f$, - // modify libra running_sum subtracting the contribution from the first univariate - setup_libra_data(libra_univariates, libra_scaling_factor, libra_challenge, libra_running_sum); - - std::vector libra_evaluations; - libra_evaluations.reserve(multivariate_d); - zk_sumcheck_data = ZKSumcheckData{ eval_masking_scalars, masking_terms_evaluations, libra_univariates, - libra_scaling_factor, libra_challenge, libra_running_sum, - libra_evaluations }; + // } else { + // // Extract claimed evaluations of non-witness polynomials + // for (auto [eval, poly] : zip_view(multivariate_evaluations.get_non_witnesses(), + // partially_evaluated_polynomials.get_non_witnesses())) { + // eval = poly[0]; + // }; + // // Extract claimed evaluations of all witness polynomials + // for (auto [eval, poly, masking_term] : zip_view(multivariate_evaluations.get_all_witnesses(), + // partially_evaluated_polynomials.get_all_witnesses(), + // zk_sumcheck_data.masking_terms_evaluations)) { + // eval = poly[0] + masking_term.value_at(0); + // } + // } + return multivariate_evaluations; }; - /** - * @brief Given number of univariate polynomials and the number of their evaluations meant to be hidden, this method - * produces a vector of univariate polynomials of degree \ref ZK_BATCHED_LENGTH "ZK_BATCHED_LENGTH - 1" with - * independent uniformly random coefficients. - * - */ - static LibraUnivariates generate_libra_polynomials(size_t number_of_polynomials) - { - LibraUnivariates libra_full_polynomials(number_of_polynomials); - for (auto& libra_polynomial : libra_full_polynomials) { - // generate random polynomial of required size - libra_polynomial = bb::Univariate::get_random(); - }; - - return libra_full_polynomials; - }; - /** - * @brief Generate an array of random scalars of size equal to the number of all witness polynomials and populate a - * table of evaluations of the quadratic terms needed for masking evaluations of witnesses. - * - * @param evaluations - */ - static EvaluationMaskingTable create_evaluation_masking_table(EvalMaskingScalars eval_masking_scalars) - { - EvaluationMaskingTable output_table; - for (size_t column_idx = 0; column_idx < NUM_ALL_WITNESS_ENTITIES; ++column_idx) { - for (size_t row_idx = 0; row_idx < MAX_PARTIAL_RELATION_LENGTH; ++row_idx) { - auto scalar = FF(row_idx); - output_table[column_idx].value_at(row_idx) = - scalar * (FF(1) - scalar) * eval_masking_scalars[column_idx]; - }; - }; - return output_table; - }; + public: + // static void setup_zk_sumcheck_data(ZKSumcheckData& zk_sumcheck_data, + // const size_t multivariate_d, + // std::shared_ptr transcript) + // { + + // EvalMaskingScalars eval_masking_scalars; + + // for (size_t k = 0; k < NUM_ALL_WITNESS_ENTITIES; ++k) { + // // TODO(https://github.com/AztecProtocol/barretenberg/issues/1136): Once Shplemini supports ZK, these + // // constants must be generated in Oink + // eval_masking_scalars[k] = FF(0); + // }; + // // Generate random scalars \f$ \rho_1,\ldots, \rho_{N_w}\f$ to mask the evaluations of witness polynomials + // and + // // populate the table masking_terms_evaluations with the terms \f$ \rho_j \cdot (1-k) \cdot k \f$ + // auto masking_terms_evaluations = create_evaluation_masking_table(eval_masking_scalars); + // // Generate random Libra Polynomials to mask Round Univariates. + // LibraUnivariates libra_univariates = generate_libra_polynomials(multivariate_d); + // // have to commit to libra_univariates here + // auto libra_scaling_factor = FF(1); + // FF libra_total_sum = compute_libra_total_sum(libra_univariates, libra_scaling_factor); + // transcript->send_to_verifier("Libra:Sum", libra_total_sum); + // // get the challenge for the zk-sumcheck claim \sigma + \rho \cdot libra_total_sum + // FF libra_challenge = transcript->template get_challenge("Libra:Challenge"); + // // Initialize Libra running sum by multiplpying it by Libra challenge \f$\rho\f$; + // auto libra_running_sum = libra_total_sum * libra_challenge; + // // Multiply the column-univariates of the array of libra polynomials by libra challenge and power of \f$ + // 2\f$, + // // modify libra running_sum subtracting the contribution from the first univariate + // setup_libra_data(libra_univariates, libra_scaling_factor, libra_challenge, libra_running_sum); + + // std::vector libra_evaluations; + // libra_evaluations.reserve(multivariate_d); + // zk_sumcheck_data = ZKSumcheckData{ eval_masking_scalars, masking_terms_evaluations, + // libra_univariates, + // libra_scaling_factor, libra_challenge, libra_running_sum, + // libra_evaluations }; + // }; /** * @brief Update the table of masking quadratic terms by adding a contribution from a current challenge. @@ -483,64 +442,15 @@ polynomials that are sent in clear. * @param masking_scalars * @param round_challenge */ - void update_masking_terms_evaluations(ZKSumcheckData& zk_sumcheck_data, FF round_challenge) - { - for (auto [masking_term, masking_scalar] : - zip_view(zk_sumcheck_data.masking_terms_evaluations, zk_sumcheck_data.eval_masking_scalars)) { - for (size_t k = 0; k < MAX_PARTIAL_RELATION_LENGTH; ++k) { - masking_term.value_at(k) += round_challenge * (FF(1) - round_challenge) * masking_scalar; - } - } - } - /** - * @brief Compute the sum of the randomly sampled multivariate polynomial \f$ G = \sum_{i=0}^{n-1} g_i(X_i) \f$ over - * the Boolean hypercube. - * - * @param libra_univariates - * @param scaling_factor - * @return FF - */ - static FF compute_libra_total_sum(auto libra_univariates, FF& scaling_factor) - { - FF total_sum = 0; - scaling_factor = scaling_factor / 2; - - for (auto univariate : libra_univariates) { - total_sum += univariate.value_at(0) + univariate.value_at(1); - scaling_factor *= 2; - } - total_sum *= scaling_factor; - - return total_sum; - } - /** - * @brief Set up Libra book-keeping table that simplifies the computation of Libra Round Univariates - * - * @details The array of Libra univariates is getting scaled - * \f{align}{ - \texttt{libra_univariates} \gets \texttt{libra_univariates}\cdot \rho \cdot 2^{d-1} - \f} - * We also initialize - * \f{align}{ - \texttt{libra_running_sum} \gets \texttt{libra_total_sum} - \texttt{libra_univariates}_{0,0} - - \texttt{libra_univariates}_{0,1} \f}. - * @param libra_table - * @param libra_round_factor - * @param libra_challenge - */ - void setup_libra_data(auto& libra_univariates, - FF& libra_scaling_factor, - const FF libra_challenge, - FF& libra_running_sum) - { - libra_scaling_factor *= libra_challenge; // \rho * 2^{d-1} - for (auto& univariate : libra_univariates) { - univariate *= libra_scaling_factor; - }; - // subtract the contribution of the first libra univariate from libra total sum - libra_running_sum += -libra_univariates[0].value_at(0) - libra_univariates[0].value_at(1); - libra_running_sum *= FF(1) / FF(2); - } + // void update_masking_terms_evaluations(ZKSumcheckData& zk_sumcheck_data, FF round_challenge) + // { + // for (auto [masking_term, masking_scalar] : + // zip_view(zk_sumcheck_data.masking_terms_evaluations, zk_sumcheck_data.eval_masking_scalars)) { + // for (size_t k = 0; k < MAX_PARTIAL_RELATION_LENGTH; ++k) { + // masking_term.value_at(k) += round_challenge * (FF(1) - round_challenge) * masking_scalar; + // } + // } + // } /** * @brief Upon receiving the challenge \f$u_i\f$, the prover updates Libra data. If \f$ i < d-1\f$ @@ -601,7 +511,7 @@ polynomials that are sent in clear. void update_zk_sumcheck_data(ZKSumcheckData& zk_sumcheck_data, FF round_challenge, size_t round_idx) { update_libra_data(zk_sumcheck_data, round_challenge, round_idx); - update_masking_terms_evaluations(zk_sumcheck_data, round_challenge); + // update_masking_terms_evaluations(zk_sumcheck_data, round_challenge); } /** * @brief By the design of ZK Sumcheck, instead of claimed evaluations of witness polynomials \f$ P_1, \ldots, @@ -728,8 +638,10 @@ template class SumcheckVerifier { if constexpr (Flavor::HasZK) { // get the claimed sum of libra masking multivariate over the hypercube libra_total_sum = transcript->template receive_from_prover("Libra:Sum"); + info("libra tot sum verifier ", libra_total_sum); // get the challenge for the ZK Sumcheck claim libra_challenge = transcript->template get_challenge("Libra:Challenge"); + info("libra challenge Verifier ", libra_challenge); } std::vector multivariate_challenge; multivariate_challenge.reserve(multivariate_d); @@ -745,6 +657,7 @@ template class SumcheckVerifier { transcript->template receive_from_prover>( round_univariate_label); FF round_challenge = transcript->template get_challenge("Sumcheck:u_" + std::to_string(round_idx)); + // info("round challenge verifier ", round_challenge); if constexpr (IsRecursiveFlavor) { typename Flavor::CircuitBuilder* builder = round_challenge.get_context(); @@ -763,7 +676,10 @@ template class SumcheckVerifier { } else { if (round_idx < multivariate_d) { bool checked = round.check_sum(round_univariate); + info("checked? ", checked); verified = verified && checked; + info("verified? ", checked); + multivariate_challenge.emplace_back(round_challenge); round.compute_next_target_sum(round_univariate, round_challenge); gate_separators.partially_evaluate(round_challenge); @@ -779,6 +695,7 @@ template class SumcheckVerifier { for (size_t idx = 0; idx < multivariate_d; idx++) { libra_evaluations[idx] = transcript->template receive_from_prover("Libra:evaluation_" + std::to_string(idx)); + info("libra eval Verifier ", libra_evaluations[idx]); full_libra_purported_value += libra_evaluations[idx]; }; full_libra_purported_value *= libra_challenge; @@ -801,6 +718,8 @@ template class SumcheckVerifier { } else { final_check = (full_honk_purported_value == round.target_total_sum); } + info("verified?", verified); + info("final check? ", final_check); verified = final_check && verified; // For ZK Flavors: the evaluations of Libra univariates are included in the Sumcheck Output if constexpr (!Flavor::HasZK) { diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.test.cpp b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.test.cpp index eac46840fe8..e651712486e 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.test.cpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.test.cpp @@ -142,7 +142,16 @@ template class SumcheckTests : public ::testing::Test { gate_challenges[idx] = transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); } - auto output = sumcheck.prove(full_polynomials, {}, alpha, gate_challenges); + SumcheckOutput output; + + if constexpr (Flavor::HasZK) { + ZKSumcheckData zk_sumcheck_data(multivariate_d, transcript); + info("size lib univar ", zk_sumcheck_data.libra_univariates.size()); + output = sumcheck.prove(full_polynomials, {}, alpha, gate_challenges, zk_sumcheck_data); + } else { + info("here?"); + output = sumcheck.prove(full_polynomials, {}, alpha, gate_challenges); + } FF u_0 = output.challenge[0]; FF u_1 = output.challenge[1]; std::vector expected_values; @@ -214,14 +223,27 @@ template class SumcheckTests : public ::testing::Test { RelationSeparator prover_alpha; for (size_t idx = 0; idx < prover_alpha.size(); idx++) { prover_alpha[idx] = prover_transcript->template get_challenge("Sumcheck:alpha_" + std::to_string(idx)); + info("prover alpha ", prover_alpha[idx]); } std::vector prover_gate_challenges(multivariate_d); for (size_t idx = 0; idx < multivariate_d; idx++) { prover_gate_challenges[idx] = prover_transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); } - auto output = - sumcheck_prover.prove(full_polynomials, relation_parameters, prover_alpha, prover_gate_challenges); + SumcheckOutput output; + if constexpr (Flavor::HasZK) { + ZKSumcheckData zk_sumcheck_data(multivariate_d, prover_transcript); + info("size lib univar ", zk_sumcheck_data.libra_univariates.size()); + output = sumcheck_prover.prove( + full_polynomials, relation_parameters, prover_alpha, prover_gate_challenges, zk_sumcheck_data); + for (auto eval : output.claimed_evaluations.get_all()) { + info("prover eval: ", eval); + }; + + } else { + info("here?"); + output = sumcheck_prover.prove(full_polynomials, relation_parameters, prover_alpha, prover_gate_challenges); + } auto verifier_transcript = Flavor::Transcript::verifier_init_empty(prover_transcript); @@ -230,6 +252,7 @@ template class SumcheckTests : public ::testing::Test { for (size_t idx = 0; idx < verifier_alpha.size(); idx++) { verifier_alpha[idx] = verifier_transcript->template get_challenge("Sumcheck:alpha_" + std::to_string(idx)); + info("alpha ", verifier_alpha[idx]); } std::vector verifier_gate_challenges(multivariate_d); for (size_t idx = 0; idx < multivariate_d; idx++) { @@ -238,6 +261,10 @@ template class SumcheckTests : public ::testing::Test { } auto verifier_output = sumcheck_verifier.verify(relation_parameters, verifier_alpha, verifier_gate_challenges); + for (auto eval : verifier_output.claimed_evaluations.get_all()) { + info("verifier eval: ", eval); + } + auto verified = verifier_output.verified.value(); EXPECT_EQ(verified, true); @@ -301,8 +328,16 @@ template class SumcheckTests : public ::testing::Test { prover_gate_challenges[idx] = prover_transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); } - auto output = - sumcheck_prover.prove(full_polynomials, relation_parameters, prover_alpha, prover_gate_challenges); + SumcheckOutput output; + if constexpr (Flavor::HasZK) { + ZKSumcheckData zk_sumcheck_data(multivariate_d, prover_transcript); + info("size lib univar ", zk_sumcheck_data.libra_univariates.size()); + output = sumcheck_prover.prove( + full_polynomials, relation_parameters, prover_alpha, prover_gate_challenges, zk_sumcheck_data); + } else { + info("here?"); + output = sumcheck_prover.prove(full_polynomials, relation_parameters, prover_alpha, prover_gate_challenges); + } auto verifier_transcript = Flavor::Transcript::verifier_init_empty(prover_transcript); diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck_round.hpp b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck_round.hpp index 7aaf9e8d793..26ba6817ea7 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck_round.hpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck_round.hpp @@ -192,11 +192,11 @@ template class SumcheckProverRound { size_t end = (thread_idx + 1) * iterations_per_thread; for (size_t edge_idx = start; edge_idx < end; edge_idx += 2) { - if constexpr (!Flavor::HasZK) { - extend_edges(extended_edges[thread_idx], polynomials, edge_idx); - } else { - extend_edges_with_masking(extended_edges[thread_idx], polynomials, edge_idx, zk_sumcheck_data); - } + // if constexpr (!Flavor::HasZK) { + extend_edges(extended_edges[thread_idx], polynomials, edge_idx); + // } else { + // extend_edges_with_masking(extended_edges[thread_idx], polynomials, edge_idx, zk_sumcheck_data); + // } // Compute the \f$ \ell \f$-th edge's univariate contribution, // scale it by the corresponding \f$ pow_{\beta} \f$ contribution and add it to the accumulators for \f$ // \tilde{S}^i(X_i) \f$. If \f$ \ell \f$'s binary representation is given by \f$ (\ell_{i+1},\ldots, @@ -321,8 +321,10 @@ template class SumcheckProverRound { size_t round_idx) { SumcheckRoundUnivariate libra_round_univariate; + // info("inside compute libra? ", round_idx); // select the i'th column of Libra book-keeping table - auto current_column = zk_sumcheck_data.libra_univariates[round_idx]; + const auto& current_column = zk_sumcheck_data.libra_univariates[round_idx]; + // info("univariate accessed?"); // the evaluation of Libra round univariate at k=0...D are equal to \f$\texttt{libra_univariates}_{i}(k)\f$ // corrected by the Libra running sum for (size_t idx = 0; idx < BATCHED_RELATION_PARTIAL_LENGTH; ++idx) { @@ -448,6 +450,7 @@ template class SumcheckVerifierRound { sumcheck_round_failed = (target_total_sum != total_sum); round_failed = round_failed || sumcheck_round_failed; + // info("check sum failed", round_failed); return !sumcheck_round_failed; }; @@ -478,7 +481,7 @@ template class SumcheckVerifierRound { if (!dummy_round.get_value()) { sumcheck_round_failed = (target_total_sum.get_value() != total_sum.get_value()); } - + // info("round failed? dd ", round_failed); round_failed = round_failed || sumcheck_round_failed; return !sumcheck_round_failed; }; diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp b/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp index 57f2db7f4f7..13eb31d90e5 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp @@ -28,27 +28,167 @@ template struct ZKSumcheckData { static constexpr size_t BATCHED_RELATION_PARTIAL_LENGTH = Flavor::BATCHED_RELATION_PARTIAL_LENGTH; // Initialize the length of the array of evaluation masking scalars as 0 for non-ZK Flavors and as // NUM_ALL_WITNESS_ENTITIES for ZK FLavors - static constexpr size_t MASKING_SCALARS_LENGTH = Flavor::HasZK ? Flavor::NUM_ALL_WITNESS_ENTITIES : 0; + // static constexpr size_t MASKING_SCALARS_LENGTH = Flavor::HasZK ? Flavor::NUM_ALL_WITNESS_ENTITIES : 0; // Array of random scalars used to hide the witness info from leaking through the claimed evaluations - using EvalMaskingScalars = std::array; + // using EvalMaskingScalars = std::array; // Auxiliary table that represents the evaluations of quadratic polynomials r_j * X(1-X) at 0,..., // MAX_PARTIAL_RELATION_LENGTH - 1 - using EvaluationMaskingTable = std::array, MASKING_SCALARS_LENGTH>; - // The size of the LibraUnivariates. We ensure that they do not take extra space when Flavor runs non-ZK - // Sumcheck. + // using EvaluationMaskingTable = std::array, + // MASKING_SCALARS_LENGTH>; The size of the LibraUnivariates. We ensure that they do not take extra space when + // Flavor runs non-ZK Sumcheck. static constexpr size_t LIBRA_UNIVARIATES_LENGTH = Flavor::HasZK ? Flavor::BATCHED_RELATION_PARTIAL_LENGTH : 0; // Container for the Libra Univariates. Their number depends on the size of the circuit. using LibraUnivariates = std::vector>; // Container for the evaluations of Libra Univariates that have to be proven. using ClaimedLibraEvaluations = std::vector; - EvalMaskingScalars eval_masking_scalars; - EvaluationMaskingTable masking_terms_evaluations; + // EvalMaskingScalars eval_masking_scalars; + // EvaluationMaskingTable masking_terms_evaluations; LibraUnivariates libra_univariates; FF libra_scaling_factor{ 1 }; FF libra_challenge; FF libra_running_sum; ClaimedLibraEvaluations libra_evaluations; -}; + // Default constructor + ZKSumcheckData() = default; + + // Constructor + ZKSumcheckData(const size_t multivariate_d, std::shared_ptr transcript) + { + // Initialization logic from setup_zk_sumcheck_data + setup_zk_sumcheck_data(multivariate_d, transcript); + } + + public: + /** + * @brief Create and populate the structure required for the ZK Sumcheck. + * + * @details This method creates an array of random field elements \f$ \rho_1,\ldots, \rho_{N_w}\f$ aimed to mask + * the evaluations of witness polynomials, these are contained in \f$ \texttt{eval_masking_scalars} \f$. In order to + * optimize the computation of Sumcheck Round Univariates, it populates a table of univariates \f$ + * \texttt{masking_terms_evaluations} \f$ which contains at the beginning the evaluations of polynomials \f$ \rho_j + * \cdot (1-X)\cdot X \f$ at \f$ 0,\ldots, \text{MAX_PARTIAL_RELATION_LENGTH} - 1\f$. This method also creates Libra + * univariates, computes the Libra total sum and adds it to the transcript, and sets up all auxiliary objects. + * + * @param zk_sumcheck_data + */ + void setup_zk_sumcheck_data(const size_t multivariate_d, std::shared_ptr transcript) + { + // Generate random scalars for masking + // for (size_t k = 0; k < MASKING_SCALARS_LENGTH; ++k) { + // eval_masking_scalars[k] = FF::random_element(); + // } + + // Create the evaluation masking table + // masking_terms_evaluations = create_evaluation_masking_table(eval_masking_scalars); + + // Generate random Libra polynomials + libra_univariates = generate_libra_polynomials(multivariate_d); + + // Compute the total sum of the Libra polynomials + libra_scaling_factor = FF(1); + FF libra_total_sum = compute_libra_total_sum(libra_univariates, libra_scaling_factor); + info("libra total sum", libra_total_sum); + + // Send the Libra total sum to the transcript + transcript->send_to_verifier("Libra:Sum", libra_total_sum); + + // Receive the Libra challenge from the transcript + libra_challenge = transcript->template get_challenge("Libra:Challenge"); + info("Libra challenge Prover ", libra_challenge); + + // Initialize the Libra running sum + libra_running_sum = libra_total_sum * libra_challenge; + + // Setup the Libra data + setup_libra_data(libra_univariates, libra_scaling_factor, libra_challenge, libra_running_sum); + } + + /** + * @brief Given number of univariate polynomials and the number of their evaluations meant to be hidden, this method + * produces a vector of univariate polynomials of degree \ref ZK_BATCHED_LENGTH "ZK_BATCHED_LENGTH - 1" with + * independent uniformly random coefficients. + * + */ + + static LibraUnivariates generate_libra_polynomials(size_t number_of_polynomials) + { + LibraUnivariates libra_full_polynomials(number_of_polynomials); + for (auto& libra_polynomial : libra_full_polynomials) { + // generate random polynomial of required size + libra_polynomial = bb::Univariate::get_random(); + }; + return libra_full_polynomials; + }; + + /** + * @brief Compute the sum of the randomly sampled multivariate polynomial \f$ G = \sum_{i=0}^{n-1} g_i(X_i) \f$ over + * the Boolean hypercube. + * + * @param libra_univariates + * @param scaling_factor + * @return FF + */ + static FF compute_libra_total_sum(auto libra_univariates, FF& scaling_factor) + { + FF total_sum = 0; + scaling_factor = scaling_factor / 2; + + for (auto univariate : libra_univariates) { + total_sum += univariate.value_at(0) + univariate.value_at(1); + scaling_factor *= 2; + } + total_sum *= scaling_factor; + + return total_sum; + } + + /** + * @brief Set up Libra book-keeping table that simplifies the computation of Libra Round Univariates + * + * @details The array of Libra univariates is getting scaled + * \f{align}{ + \texttt{libra_univariates} \gets \texttt{libra_univariates}\cdot \rho \cdot 2^{d-1} + \f} + * We also initialize + * \f{align}{ + \texttt{libra_running_sum} \gets \texttt{libra_total_sum} - \texttt{libra_univariates}_{0,0} - + \texttt{libra_univariates}_{0,1} \f}. + * @param libra_table + * @param libra_round_factor + * @param libra_challenge + */ + static void setup_libra_data(auto& libra_univariates, + FF& libra_scaling_factor, + const FF libra_challenge, + FF& libra_running_sum) + { + libra_scaling_factor *= libra_challenge; // \rho * 2^{d-1} + for (auto& univariate : libra_univariates) { + univariate *= libra_scaling_factor; + }; + // subtract the contribution of the first libra univariate from libra total sum + libra_running_sum += -libra_univariates[0].value_at(0) - libra_univariates[0].value_at(1); + libra_running_sum *= FF(1) / FF(2); + } + /** + * @brief Generate an array of random scalars of size equal to the number of all witness polynomials and populate a + * table of evaluations of the quadratic terms needed for masking evaluations of witnesses. + * + * @param evaluations + */ + // static EvaluationMaskingTable create_evaluation_masking_table(EvalMaskingScalars eval_masking_scalars) + // { + // EvaluationMaskingTable output_table; + // for (size_t column_idx = 0; column_idx < MASKING_SCALARS_LENGTH; ++column_idx) { + // for (size_t row_idx = 0; row_idx < MAX_PARTIAL_RELATION_LENGTH; ++row_idx) { + // auto scalar = FF(row_idx); + // output_table[column_idx].value_at(row_idx) = + // scalar * (FF(1) - scalar) * eval_masking_scalars[column_idx]; + // }; + // }; + // return output_table; + // }; +}; } // namespace bb From fe93b4de6c1e5e90a604088b566a63e679fa1532 Mon Sep 17 00:00:00 2001 From: iakovenkos Date: Wed, 30 Oct 2024 15:30:32 +0000 Subject: [PATCH 04/17] eccvm native proves/verifies evals of masking polys --- .../commitment_schemes/shplonk/shplemini.hpp | 3 +- .../commitment_schemes/shplonk/shplonk.hpp | 12 +-- .../src/barretenberg/eccvm/eccvm_flavor.hpp | 12 ++- .../src/barretenberg/eccvm/eccvm_prover.cpp | 47 +++++++-- .../src/barretenberg/eccvm/eccvm_prover.hpp | 2 + .../eccvm/eccvm_transcript.test.cpp | 4 + .../src/barretenberg/eccvm/eccvm_verifier.cpp | 9 +- .../src/barretenberg/eccvm/eccvm_verifier.hpp | 1 + .../barretenberg/sumcheck/sumcheck.test.cpp | 1 + .../sumcheck/zk_sumcheck_data.hpp | 96 +++++++++++-------- .../ultra_honk/decider_prover.cpp | 2 +- 11 files changed, 130 insertions(+), 59 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp index 3b38a1ff65b..4ff43155a01 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp @@ -45,7 +45,7 @@ template class ShpleminiProver_ { size_t idx = 0; for (auto [libra_univariate, libra_evaluation] : zip_view(libra_univariates, libra_evaluations)) { OpeningClaim new_claim; - new_claim.polynomial = Polynomial{ libra_univariate }; + new_claim.polynomial = libra_univariate; new_claim.opening_pair.challenge = multilinear_challenge[idx]; new_claim.opening_pair.evaluation = libra_evaluation; libra_opening_claims.push_back(new_claim); @@ -491,6 +491,7 @@ template class ShpleminiVerifier_ { zip_view(libra_univariate_commitments, denominators, libra_univariate_evaluations)) { commitments.push_back(libra_univariate_commitment); Fr scaling_factor = denominator * shplonk_challenge_power; + info("nu power verifier", shplonk_challenge_power); scalars.push_back(-scaling_factor); shplonk_challenge_power *= shplonk_batching_challenge; constant_term += scaling_factor * libra_univariate_evaluation; diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp index 2a22cfba24c..0f0d44bb332 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp @@ -52,7 +52,7 @@ template class ShplonkProver_ { Polynomial tmp(max_poly_size); Fr current_nu = Fr::one(); - size_t idx = 0; + // size_t idx = 0; for (const auto& claim : opening_claims) { // Compute individual claim quotient tmp = ( fⱼ(X) − vⱼ) / ( X − xⱼ ) @@ -62,8 +62,8 @@ template class ShplonkProver_ { // Add the claim quotient to the batched quotient polynomial Q.add_scaled(tmp, current_nu); - info(idx, " prover nu in real claims", current_nu); - idx++; + // info(idx, " prover nu in real claims", current_nu); + // idx++; current_nu *= nu; } for (size_t idx = opening_claims.size(); idx < CONST_PROOF_SIZE_LOG_N + 2; idx++) { @@ -71,7 +71,7 @@ template class ShplonkProver_ { }; for (const auto& claim : libra_opening_claims) { - + info(" current nu in the prover ", current_nu); // Compute individual claim quotient tmp = ( fⱼ(X) − vⱼ) / ( X − xⱼ ) tmp = claim.polynomial; tmp.at(0) = tmp[0] - claim.opening_pair.evaluation; @@ -79,8 +79,8 @@ template class ShplonkProver_ { // Add the claim quotient to the batched quotient polynomial Q.add_scaled(tmp, current_nu); - info(idx, " prover nu in libra", current_nu); - idx++; + // info(idx, " prover nu in libra", current_nu); + // idx++; current_nu *= nu; } // Return batched quotient polynomial Q(X) diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp index ce15706cc6a..4ec0919a7d7 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp @@ -936,6 +936,7 @@ class ECCVMFlavor { Commitment transcript_msm_count_at_transition_inverse_comm; Commitment z_perm_comm; Commitment lookup_inverses_comm; + std::vector libra_commitments; FF libra_sum; std::vector> sumcheck_univariates; std::vector libra_evaluations; @@ -1142,7 +1143,11 @@ class ECCVMFlavor { NativeTranscript::proof_data, num_frs_read); z_perm_comm = NativeTranscript::template deserialize_from_buffer(NativeTranscript::proof_data, num_frs_read); - + size_t log_circuit_size = static_cast(numeric::get_msb(circuit_size)); + for (size_t i = 0; i < log_circuit_size; i++) { + libra_commitments.emplace_back(NativeTranscript::template deserialize_from_buffer( + NativeTranscript::proof_data, num_frs_read)); + }; libra_sum = NativeTranscript::template deserialize_from_buffer(NativeTranscript::proof_data, num_frs_read); for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N; ++i) { @@ -1151,7 +1156,6 @@ class ECCVMFlavor { NativeTranscript::proof_data, num_frs_read)); } - size_t log_circuit_size = static_cast(numeric::get_msb(circuit_size)); for (size_t i = 0; i < log_circuit_size; i++) { libra_evaluations.emplace_back( NativeTranscript::template deserialize_from_buffer(NativeTranscript::proof_data, num_frs_read)); @@ -1302,6 +1306,10 @@ class ECCVMFlavor { NativeTranscript::template serialize_to_buffer(lookup_inverses_comm, NativeTranscript::proof_data); NativeTranscript::template serialize_to_buffer(z_perm_comm, NativeTranscript::proof_data); + for (size_t i = 0; i < log_circuit_size; ++i) { + NativeTranscript::template serialize_to_buffer(libra_commitments[i], NativeTranscript::proof_data); + } + NativeTranscript::template serialize_to_buffer(libra_sum, NativeTranscript::proof_data); for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N; ++i) { diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp index db62c810d80..93cd929e38f 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp @@ -100,7 +100,33 @@ void ECCVMProver::execute_relation_check_rounds() for (size_t idx = 0; idx < gate_challenges.size(); idx++) { gate_challenges[idx] = transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); } - sumcheck_output = sumcheck.prove(key->polynomials, relation_parameters, alpha, gate_challenges); + // create masking polynomials for sumcheck round univariates and auxiliary data + zk_sumcheck_data = ZKSumcheckData(key->log_circuit_size, transcript, key); + // ZKSumcheckData zk_sumcheck_data_copy = zk_sumcheck_data; + info("some other stuff", zk_sumcheck_data.libra_challenge); + info("monomial size ", zk_sumcheck_data.libra_univariates_monomial.size()); + + for (auto& eval : zk_sumcheck_data.libra_univariates_monomial) { + info("exec rounds before sumcheck ", eval); + } + + sumcheck_output = sumcheck.prove(key->polynomials, relation_parameters, alpha, gate_challenges, zk_sumcheck_data); + size_t idx = 0; + + for (auto [poly_mon, poly_lag] : + zip_view(zk_sumcheck_data.libra_univariates_monomial, zk_sumcheck_data.libra_univariates)) { + info("eval at u_", idx); + auto eval_mon = poly_mon.evaluate(sumcheck_output.challenge[idx]); + auto eval_lag = poly_lag.evaluate(sumcheck_output.challenge[idx]); + info(eval_mon, " || ", eval_lag); + idx++; + } + // for (auto& eval : zk_sumcheck_data.libra_evaluations) { + // info("right after sumcheck ", eval); + // }; + for (auto& eval : sumcheck_output.claimed_libra_evaluations) { + info("claimed evals sumcheck outp rounds ", eval); + } } /** @@ -118,12 +144,19 @@ void ECCVMProver::execute_pcs_rounds() // Execute the Shplemini (Gemini + Shplonk) protocol to produce a univariate opening claim for the multilinear // evaluations produced by Sumcheck - const OpeningClaim multivariate_to_univariate_opening_claim = Shplemini::prove(key->circuit_size, - key->polynomials.get_unshifted(), - key->polynomials.get_to_be_shifted(), - sumcheck_output.challenge, - key->commitment_key, - transcript); + info("in pcs: ", zk_sumcheck_data.libra_univariates_monomial.size()); + info("eval size? ", sumcheck_output.claimed_libra_evaluations.size()); + const OpeningClaim multivariate_to_univariate_opening_claim = + Shplemini::prove(key->circuit_size, + key->polynomials.get_unshifted(), + key->polynomials.get_to_be_shifted(), + sumcheck_output.challenge, + key->commitment_key, + transcript, + {}, + {}, + zk_sumcheck_data.libra_univariates_monomial, + sumcheck_output.claimed_libra_evaluations); // Get the challenge at which we evaluate all transcript polynomials as univariates evaluation_challenge_x = transcript->template get_challenge("Translation:evaluation_challenge_x"); diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.hpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.hpp index 8ce5c467d0e..88b58903803 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.hpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.hpp @@ -5,6 +5,7 @@ #include "barretenberg/plonk_honk_shared/library/grand_product_library.hpp" #include "barretenberg/relations/relation_parameters.hpp" #include "barretenberg/sumcheck/sumcheck_output.hpp" +#include "barretenberg/sumcheck/zk_sumcheck_data.hpp" #include "barretenberg/transcript/transcript.hpp" namespace bb { @@ -50,6 +51,7 @@ class ECCVMProver { std::shared_ptr key; CommitmentLabels commitment_labels; + ZKSumcheckData zk_sumcheck_data; Polynomial batched_quotient_Q; // batched quotient poly computed by Shplonk FF nu_challenge; // needed in both Shplonk rounds diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_transcript.test.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_transcript.test.cpp index de882d3954a..8d63d2bf007 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_transcript.test.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_transcript.test.cpp @@ -139,6 +139,10 @@ class ECCVMTranscriptTests : public ::testing::Test { } round++; + for (size_t i = 0; i < log_n; i++) { + std::string idx = std::to_string(i); + manifest_expected.add_entry(round, "Libra:commitment_" + idx, frs_per_G); + } manifest_expected.add_entry(round, "Libra:Sum", frs_per_Fr); // get the challenge for the ZK Sumcheck claim manifest_expected.add_challenge(round, "Libra:Challenge"); diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp index 90761596a5e..7f52456baa0 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp @@ -53,6 +53,11 @@ bool ECCVMVerifier::verify_proof(const HonkProof& proof) gate_challenges[idx] = transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); } + for (size_t idx = 0; idx < log_circuit_size; idx++) { + Commitment libra_commitment = + transcript->receive_from_prover("Libra:commitment_" + std::to_string(idx)); + libra_commitments.push_back(libra_commitment); + } auto [multivariate_challenge, claimed_evaluations, libra_evaluations, sumcheck_verified] = sumcheck.verify(relation_parameters, alpha, gate_challenges); @@ -63,7 +68,7 @@ bool ECCVMVerifier::verify_proof(const HonkProof& proof) // Compute the Shplemini accumulator consisting of the Shplonk evaluation and the commitments and scalars vector // produced by the unified protocol - const BatchOpeningClaim sumcheck_batch_opening_claims = + BatchOpeningClaim sumcheck_batch_opening_claims = Shplemini::compute_batch_opening_claim(circuit_size, commitments.get_unshifted(), commitments.get_to_be_shifted(), @@ -72,6 +77,8 @@ bool ECCVMVerifier::verify_proof(const HonkProof& proof) multivariate_challenge, key->pcs_verification_key->get_g1_identity(), transcript); + Shplemini::add_zk_data( + sumcheck_batch_opening_claims, RefVector(libra_commitments), libra_evaluations, multivariate_challenge); // Reduce the accumulator to a single opening claim const OpeningClaim multivariate_to_univariate_opening_claim = diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.hpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.hpp index 10e49d08a76..3d640ee6f3c 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.hpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.hpp @@ -27,5 +27,6 @@ class ECCVMVerifier { std::shared_ptr key; std::map commitments; std::shared_ptr transcript; + std::vector libra_commitments; }; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.test.cpp b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.test.cpp index e651712486e..d1ce338d128 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.test.cpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.test.cpp @@ -330,6 +330,7 @@ template class SumcheckTests : public ::testing::Test { } SumcheckOutput output; if constexpr (Flavor::HasZK) { + // construct libra masking polynomials and compute auxiliary data ZKSumcheckData zk_sumcheck_data(multivariate_d, prover_transcript); info("size lib univar ", zk_sumcheck_data.libra_univariates.size()); output = sumcheck_prover.prove( diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp b/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp index 13eb31d90e5..d938eea9602 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp @@ -1,5 +1,6 @@ #pragma once +#include "barretenberg/polynomials/polynomial.hpp" #include "barretenberg/polynomials/univariate.hpp" #include #include @@ -18,33 +19,25 @@ template struct ZKSumcheckData { * \f$P_1,\ldots, P_N\f$. */ static constexpr size_t MAX_PARTIAL_RELATION_LENGTH = Flavor::MAX_PARTIAL_RELATION_LENGTH; - // The number of all witnesses including shifts and derived witnesses from flavors that have ZK, - // otherwise, set this constant to 0. + /** * @brief The total algebraic degree of the Sumcheck relation \f$ F \f$ as a polynomial in Prover Polynomials * \f$P_1,\ldots, P_N\f$ incremented by 1, i.e. it is equal \ref MAX_PARTIAL_RELATION_LENGTH * "MAX_PARTIAL_RELATION_LENGTH + 1". */ static constexpr size_t BATCHED_RELATION_PARTIAL_LENGTH = Flavor::BATCHED_RELATION_PARTIAL_LENGTH; - // Initialize the length of the array of evaluation masking scalars as 0 for non-ZK Flavors and as - // NUM_ALL_WITNESS_ENTITIES for ZK FLavors - // static constexpr size_t MASKING_SCALARS_LENGTH = Flavor::HasZK ? Flavor::NUM_ALL_WITNESS_ENTITIES : 0; - // Array of random scalars used to hide the witness info from leaking through the claimed evaluations - // using EvalMaskingScalars = std::array; - // Auxiliary table that represents the evaluations of quadratic polynomials r_j * X(1-X) at 0,..., - // MAX_PARTIAL_RELATION_LENGTH - 1 - // using EvaluationMaskingTable = std::array, - // MASKING_SCALARS_LENGTH>; The size of the LibraUnivariates. We ensure that they do not take extra space when - // Flavor runs non-ZK Sumcheck. + // The size of the LibraUnivariates. We ensure that they do not take extra space when Flavor runs non-ZK Sumcheck. static constexpr size_t LIBRA_UNIVARIATES_LENGTH = Flavor::HasZK ? Flavor::BATCHED_RELATION_PARTIAL_LENGTH : 0; // Container for the Libra Univariates. Their number depends on the size of the circuit. using LibraUnivariates = std::vector>; + using LibraUnivariatesInMonomialBasis = std::vector>; // Container for the evaluations of Libra Univariates that have to be proven. using ClaimedLibraEvaluations = std::vector; // EvalMaskingScalars eval_masking_scalars; // EvaluationMaskingTable masking_terms_evaluations; LibraUnivariates libra_univariates; + LibraUnivariatesInMonomialBasis libra_univariates_monomial; FF libra_scaling_factor{ 1 }; FF libra_challenge; FF libra_running_sum; @@ -54,10 +47,12 @@ template struct ZKSumcheckData { ZKSumcheckData() = default; // Constructor - ZKSumcheckData(const size_t multivariate_d, std::shared_ptr transcript) + ZKSumcheckData(const size_t multivariate_d, + std::shared_ptr transcript, + std::shared_ptr proving_key = nullptr) { // Initialization logic from setup_zk_sumcheck_data - setup_zk_sumcheck_data(multivariate_d, transcript); + setup_zk_sumcheck_data(multivariate_d, transcript, proving_key); } public: @@ -73,19 +68,25 @@ template struct ZKSumcheckData { * * @param zk_sumcheck_data */ - void setup_zk_sumcheck_data(const size_t multivariate_d, std::shared_ptr transcript) + void setup_zk_sumcheck_data(const size_t multivariate_d, + std::shared_ptr transcript, + std::shared_ptr proving_key = nullptr) { - // Generate random scalars for masking - // for (size_t k = 0; k < MASKING_SCALARS_LENGTH; ++k) { - // eval_masking_scalars[k] = FF::random_element(); - // } - - // Create the evaluation masking table - // masking_terms_evaluations = create_evaluation_masking_table(eval_masking_scalars); // Generate random Libra polynomials libra_univariates = generate_libra_polynomials(multivariate_d); + libra_univariates_monomial = transform_to_monomial(libra_univariates); + + if (proving_key != nullptr) { + size_t idx = 0; + for (auto& libra_univariate_monomial : libra_univariates_monomial) { + auto libra_commitment = proving_key->commitment_key->commit(libra_univariate_monomial); + transcript->send_to_verifier("Libra:commitment_" + std::to_string(idx), libra_commitment); + info("libra comm prover", libra_commitment); + idx++; + } + } // Compute the total sum of the Libra polynomials libra_scaling_factor = FF(1); FF libra_total_sum = compute_libra_total_sum(libra_univariates, libra_scaling_factor); @@ -112,16 +113,47 @@ template struct ZKSumcheckData { * */ - static LibraUnivariates generate_libra_polynomials(size_t number_of_polynomials) + static LibraUnivariates generate_libra_polynomials(const size_t number_of_polynomials + // LibraUnivariatesInMonomialBasis& libra_univariates_monomial + ) { LibraUnivariates libra_full_polynomials(number_of_polynomials); + + // for (size_t idx = 0; idx < LIBRA_UNIVARIATES_LENGTH; idx++) { + // interpolation_domain[idx] = FF(idx); + // } + for (auto& libra_polynomial : libra_full_polynomials) { // generate random polynomial of required size libra_polynomial = bb::Univariate::get_random(); + // Polynomial libra_univariate_monomial( + // std::span(interpolation_domain), std::span(libra_polynomial), LIBRA_UNIVARIATES_LENGTH); + // libra_univariates_monomial.push_back(libra_univariate_monomial); }; return libra_full_polynomials; }; + static LibraUnivariatesInMonomialBasis transform_to_monomial(const LibraUnivariates& libra_full_polynomials) + { + std::array interpolation_domain; + info("libra univar length", LIBRA_UNIVARIATES_LENGTH); + LibraUnivariatesInMonomialBasis libra_univariates_monomial; + libra_univariates_monomial.reserve(libra_full_polynomials.size()); + info("size ", libra_univariates_monomial.size()); + + for (size_t idx = 0; idx < LIBRA_UNIVARIATES_LENGTH; idx++) { + interpolation_domain[idx] = FF(idx); + } + + for (auto& libra_polynomial : libra_full_polynomials) { + // generate random polynomial of required size + Polynomial libra_univariate_monomial( + std::span(interpolation_domain), std::span(libra_polynomial), LIBRA_UNIVARIATES_LENGTH); + libra_univariates_monomial.push_back(libra_univariate_monomial); + }; + return libra_univariates_monomial; + }; + /** * @brief Compute the sum of the randomly sampled multivariate polynomial \f$ G = \sum_{i=0}^{n-1} g_i(X_i) \f$ over * the Boolean hypercube. @@ -172,23 +204,5 @@ template struct ZKSumcheckData { libra_running_sum += -libra_univariates[0].value_at(0) - libra_univariates[0].value_at(1); libra_running_sum *= FF(1) / FF(2); } - /** - * @brief Generate an array of random scalars of size equal to the number of all witness polynomials and populate a - * table of evaluations of the quadratic terms needed for masking evaluations of witnesses. - * - * @param evaluations - */ - // static EvaluationMaskingTable create_evaluation_masking_table(EvalMaskingScalars eval_masking_scalars) - // { - // EvaluationMaskingTable output_table; - // for (size_t column_idx = 0; column_idx < MASKING_SCALARS_LENGTH; ++column_idx) { - // for (size_t row_idx = 0; row_idx < MAX_PARTIAL_RELATION_LENGTH; ++row_idx) { - // auto scalar = FF(row_idx); - // output_table[column_idx].value_at(row_idx) = - // scalar * (FF(1) - scalar) * eval_masking_scalars[column_idx]; - // }; - // }; - // return output_table; - // }; }; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp index 5c38536fd55..324758d692f 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp @@ -32,7 +32,7 @@ template void DeciderProver_::execute_relation_ch { PROFILE_THIS_NAME("sumcheck.prove"); - + ZKSumcheckData zk_sumcheck_data = ZKSumcheckData(); sumcheck_output = sumcheck.prove(proving_key->proving_key.polynomials, proving_key->relation_parameters, proving_key->alphas, From df7f731e07ae17bd5f9f25b58601c72ae6153065 Mon Sep 17 00:00:00 2001 From: iakovenkos Date: Thu, 31 Oct 2024 10:01:23 +0000 Subject: [PATCH 05/17] debugging eccvm recursive --- .../commitment_schemes/shplonk/shplemini.hpp | 8 ++++- .../commitment_schemes/shplonk/shplonk.hpp | 2 +- .../src/barretenberg/eccvm/eccvm_prover.cpp | 26 +++++++-------- .../src/barretenberg/eccvm/eccvm_verifier.cpp | 8 +++-- .../cpp/src/barretenberg/relations/utils.hpp | 1 + .../eccvm_recursive_verifier.cpp | 19 +++++++++-- .../eccvm_recursive_verifier.hpp | 1 + .../eccvm_recursive_verifier.test.cpp | 2 +- .../src/barretenberg/sumcheck/sumcheck.hpp | 33 +++++++++++++++++++ .../barretenberg/sumcheck/sumcheck_round.hpp | 9 +++++ 10 files changed, 89 insertions(+), 20 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp index 4ff43155a01..dee3b147d29 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp @@ -484,7 +484,13 @@ template class ShpleminiVerifier_ { for (size_t idx = 0; idx < num_libra_univariates; idx++) { denominators.push_back(shplonk_evaluation_challenge - multivariate_challenge[idx]); }; - Fr::batch_invert(denominators); + if constexpr (Curve::is_stdlib_type) { + for (Fr& denominator : denominators) { + denominator.invert(); + } + } else { + Fr::batch_invert(denominators); + } Fr constant_term = 0; for (const auto [libra_univariate_commitment, denominator, libra_univariate_evaluation] : diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp index 0f0d44bb332..578255db879 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp @@ -71,7 +71,7 @@ template class ShplonkProver_ { }; for (const auto& claim : libra_opening_claims) { - info(" current nu in the prover ", current_nu); + // info(" current nu in the prover ", current_nu); // Compute individual claim quotient tmp = ( fⱼ(X) − vⱼ) / ( X − xⱼ ) tmp = claim.polynomial; tmp.at(0) = tmp[0] - claim.opening_pair.evaluation; diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp index 93cd929e38f..f074348f916 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp @@ -106,21 +106,21 @@ void ECCVMProver::execute_relation_check_rounds() info("some other stuff", zk_sumcheck_data.libra_challenge); info("monomial size ", zk_sumcheck_data.libra_univariates_monomial.size()); - for (auto& eval : zk_sumcheck_data.libra_univariates_monomial) { - info("exec rounds before sumcheck ", eval); - } + // for (auto& eval : zk_sumcheck_data.libra_univariates_monomial) { + // info("exec rounds before sumcheck ", eval); + // } sumcheck_output = sumcheck.prove(key->polynomials, relation_parameters, alpha, gate_challenges, zk_sumcheck_data); - size_t idx = 0; - - for (auto [poly_mon, poly_lag] : - zip_view(zk_sumcheck_data.libra_univariates_monomial, zk_sumcheck_data.libra_univariates)) { - info("eval at u_", idx); - auto eval_mon = poly_mon.evaluate(sumcheck_output.challenge[idx]); - auto eval_lag = poly_lag.evaluate(sumcheck_output.challenge[idx]); - info(eval_mon, " || ", eval_lag); - idx++; - } + // size_t idx = 0; + + // for (auto [poly_mon, poly_lag] : + // zip_view(zk_sumcheck_data.libra_univariates_monomial, zk_sumcheck_data.libra_univariates)) { + // info("eval at u_", idx); + // auto eval_mon = poly_mon.evaluate(sumcheck_output.challenge[idx]); + // auto eval_lag = poly_lag.evaluate(sumcheck_output.challenge[idx]); + // info(eval_mon, " || ", eval_lag); + // idx++; + // } // for (auto& eval : zk_sumcheck_data.libra_evaluations) { // info("right after sumcheck ", eval); // }; diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp index 7f52456baa0..0c768017893 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp @@ -48,9 +48,12 @@ bool ECCVMVerifier::verify_proof(const HonkProof& proof) const size_t log_circuit_size = numeric::get_msb(circuit_size); auto sumcheck = SumcheckVerifier(log_circuit_size, transcript); FF alpha = transcript->template get_challenge("Sumcheck:alpha"); + info("alpha native ", alpha); + std::vector gate_challenges(static_cast(numeric::get_msb(key->circuit_size))); for (size_t idx = 0; idx < gate_challenges.size(); idx++) { gate_challenges[idx] = transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); + // info(" gate challenge native ", idx, " ", gate_challenges[idx]); } for (size_t idx = 0; idx < log_circuit_size; idx++) { @@ -60,12 +63,13 @@ bool ECCVMVerifier::verify_proof(const HonkProof& proof) } auto [multivariate_challenge, claimed_evaluations, libra_evaluations, sumcheck_verified] = sumcheck.verify(relation_parameters, alpha, gate_challenges); - + for (size_t idx = 0; idx < multivariate_challenge.size(); idx++) { + info("sumcheck native challenge u_", idx, " = ", multivariate_challenge[idx]); + } // If Sumcheck did not verify, return false if (sumcheck_verified.has_value() && !sumcheck_verified.value()) { return false; } - // Compute the Shplemini accumulator consisting of the Shplonk evaluation and the commitments and scalars vector // produced by the unified protocol BatchOpeningClaim sumcheck_batch_opening_claims = diff --git a/barretenberg/cpp/src/barretenberg/relations/utils.hpp b/barretenberg/cpp/src/barretenberg/relations/utils.hpp index 846fc1d5f9c..aad76caf196 100644 --- a/barretenberg/cpp/src/barretenberg/relations/utils.hpp +++ b/barretenberg/cpp/src/barretenberg/relations/utils.hpp @@ -156,6 +156,7 @@ template class RelationUtils { const Parameters& relation_parameters, const FF& partial_evaluation_result) { + info("pow value? ", partial_evaluation_result); constexpr_for<0, NUM_RELATIONS, 1>([&]() { // FIXME: You wan't /*consider_skipping=*/false here, but tests need to be fixed. accumulate_single_relation( diff --git a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp index 2e58d33bc03..d8fa47180d9 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp @@ -63,19 +63,32 @@ template void ECCVMRecursiveVerifier_::verify_proof(co // maximum possible size of an ECCVM circuit otherwise we might run into problem because the number of rounds of // sumcheck is dependent on circuit size. const size_t log_circuit_size = numeric::get_msb(static_cast(circuit_size.get_value())); - auto sumcheck = SumcheckVerifier(log_circuit_size, transcript, FF(0)); + auto sumcheck = SumcheckVerifier(log_circuit_size, transcript); const FF alpha = transcript->template get_challenge("Sumcheck:alpha"); + info("alpha ", alpha); std::vector gate_challenges(static_cast(numeric::get_msb(key->circuit_size))); for (size_t idx = 0; idx < gate_challenges.size(); idx++) { gate_challenges[idx] = transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); + // info(" gate challenge recrusive ", idx, " ", gate_challenges[idx]); } + for (size_t idx = 0; idx < log_circuit_size; idx++) { + Commitment libra_commitment = + transcript->template receive_from_prover("Libra:commitment_" + std::to_string(idx)); + libra_commitments.push_back(libra_commitment); + info("libra comm V: ", libra_commitment); + } auto [multivariate_challenge, claimed_evaluations, libra_evaluations, sumcheck_verified] = sumcheck.verify(relation_parameters, alpha, gate_challenges); + for (size_t idx = 0; idx < multivariate_challenge.size(); idx++) { + info("sumcheck recursive challenge u_", idx, " = ", multivariate_challenge[idx]); + } + info("SUMCHECK verified", sumcheck_verified.value()); + // Compute the Shplemini accumulator consisting of the Shplonk evaluation and the commitments and scalars vector // produced by the unified protocol - const BatchOpeningClaim sumcheck_batch_opening_claims = + BatchOpeningClaim sumcheck_batch_opening_claims = Shplemini::compute_batch_opening_claim(circuit_size, commitments.get_unshifted(), commitments.get_to_be_shifted(), @@ -84,6 +97,8 @@ template void ECCVMRecursiveVerifier_::verify_proof(co multivariate_challenge, key->pcs_verification_key->get_g1_identity(), transcript); + Shplemini::add_zk_data( + sumcheck_batch_opening_claims, RefVector(libra_commitments), libra_evaluations, multivariate_challenge); // Reduce the accumulator to a single opening claim const OpeningClaim multivariate_to_univariate_opening_claim = PCS::reduce_batch_opening_claim(sumcheck_batch_opening_claims); diff --git a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.hpp b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.hpp index 6a590ebba40..16bfcfd6f8a 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.hpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.hpp @@ -27,5 +27,6 @@ template class ECCVMRecursiveVerifier_ { Builder* builder; std::shared_ptr transcript; + std::vector libra_commitments; }; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.test.cpp b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.test.cpp index 5dc17cb76b5..f4376959627 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.test.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.test.cpp @@ -95,7 +95,7 @@ template class ECCVMRecursiveTests : public ::testing InnerVerifier native_verifier(prover.key); bool native_result = native_verifier.verify_proof(proof); EXPECT_TRUE(native_result); - + info("native result", native_result); auto recursive_manifest = verifier.transcript->get_manifest(); auto native_manifest = native_verifier.transcript->get_manifest(); for (size_t i = 0; i < recursive_manifest.size(); ++i) { diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp index 5b278113976..36f3cc40126 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp @@ -197,6 +197,7 @@ template class SumcheckProver { // the total sum, etc. bb::GateSeparatorPolynomial gate_separators(gate_challenges, multivariate_d); + std::vector multivariate_challenge; multivariate_challenge.reserve(multivariate_d); size_t round_idx = 0; @@ -626,6 +627,19 @@ template class SumcheckVerifier { bool verified(true); bb::GateSeparatorPolynomial gate_separators(gate_challenges); + + for (auto gate_challenge : gate_challenges) { + info("gate challenge ", gate_challenge); + } + + info("rel gamma", relation_parameters.gamma); + info("rel beta", relation_parameters.beta); + info("rel beta_sqr", relation_parameters.beta_sqr); + info("beta cube", relation_parameters.beta_cube); + info("set perm delta", relation_parameters.eccvm_set_permutation_delta); + // info(" relation_parameters.eccvm_set_permutation_delta = + // relation_parameters.eccvm_set_permutation_delta.invert(); + // All but final round. // target_total_sum is initialized to zero then mutated in place. @@ -664,13 +678,17 @@ template class SumcheckVerifier { // TODO(https://github.com/AztecProtocol/barretenberg/issues/1114): insecure! stdlib::bool_t dummy_round = stdlib::witness_t(builder, round_idx >= multivariate_d); bool checked = round.check_sum(round_univariate, dummy_round); + // info("checked? ", checked); // Only utilize the checked value if this is not a constant proof size padding round if (round_idx < multivariate_d) { verified = verified && checked; } + // info("verified? ", verified); + multivariate_challenge.emplace_back(round_challenge); round.compute_next_target_sum(round_univariate, round_challenge, dummy_round); + info("native round target sum: ", round.target_total_sum); gate_separators.partially_evaluate(round_challenge, dummy_round); } else { @@ -704,13 +722,28 @@ template class SumcheckVerifier { ClaimedEvaluations purported_evaluations; auto transcript_evaluations = transcript->template receive_from_prover>("Sumcheck:evaluations"); + // size_t idx = 0; for (auto [eval, transcript_eval] : zip_view(purported_evaluations.get_all(), transcript_evaluations)) { eval = transcript_eval; + + // if constexpr (IsRecursiveFlavor) { + // info("recursive eval ", idx, " ", transcript_eval); + // } else { + // info("native eval ", idx, " ", transcript_eval); + // } + // idx++; } + // Evaluate the Honk relation at the point (u_0, ..., u_{d-1}) using claimed evaluations of prover polynomials. // In ZK Flavors, the evaluation is corrected by full_libra_purported_value + if constexpr (Flavor::HasZK) { + info("libra relation accumulated ", full_libra_purported_value); + } FF full_honk_purported_value = round.compute_full_relation_purported_value( purported_evaluations, relation_parameters, gate_separators, alpha, full_libra_purported_value); + info("honk value? ", full_honk_purported_value); + info("round target tot sum ", round.target_total_sum); + bool final_check(false); //! [Final Verification Step] if constexpr (IsRecursiveFlavor) { diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck_round.hpp b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck_round.hpp index 26ba6817ea7..88c80b3939d 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck_round.hpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck_round.hpp @@ -467,6 +467,8 @@ template class SumcheckVerifierRound { { FF total_sum = FF::conditional_assign(dummy_round, target_total_sum, univariate.value_at(0) + univariate.value_at(1)); + + // info("total sum", total_sum); // TODO(#673): Conditionals like this can go away once native verification is is just recursive verification // with a simulated builder. bool sumcheck_round_failed(false); @@ -476,6 +478,7 @@ template class SumcheckVerifierRound { // value is in relaxed form. This happens at the first round when target_total_sum is initially set to // 0. total_sum.self_reduce(); + // info("self reduce? ", total_sum); } target_total_sum.assert_equal(total_sum); if (!dummy_round.get_value()) { @@ -532,10 +535,16 @@ template class SumcheckVerifierRound { // The verifier should never skip computation of contributions from any relation Utils::template accumulate_relation_evaluations_without_skipping<>( purported_evaluations, relation_evaluations, relation_parameters, gate_sparators.partial_evaluation_result); + info("rel eval "); + // for (size_t idx = 0; idx < std::get<1>(relation_evaluations).size(); idx++) { + // info(std::get<1>(relation_evaluations)[idx]); + // } FF running_challenge{ 1 }; FF output{ 0 }; Utils::scale_and_batch_elements(relation_evaluations, alpha, running_challenge, output); + + info("honk without libra?", output); if constexpr (Flavor::HasZK) { output += full_libra_purported_value.value(); }; From 0b3e50aaeb621bbf954df77a5fe29bdb609472db Mon Sep 17 00:00:00 2001 From: iakovenkos Date: Thu, 31 Oct 2024 14:15:56 +0000 Subject: [PATCH 06/17] debugggging still --- .../commitment_schemes/shplonk/shplemini.hpp | 2 -- .../cpp/src/barretenberg/eccvm/eccvm_flavor.hpp | 5 ++--- .../src/barretenberg/eccvm/eccvm_verifier.cpp | 5 +++++ .../honk/proof_system/logderivative_library.hpp | 4 ++++ .../relations/ecc_vm/ecc_bools_relation.cpp | 2 +- .../relations/ecc_vm/ecc_lookup_relation.cpp | 2 +- .../relations/ecc_vm/ecc_lookup_relation.hpp | 7 +++++++ .../relations/ecc_vm/ecc_msm_relation.cpp | 2 +- .../ecc_vm/ecc_point_table_relation.cpp | 2 +- .../relations/ecc_vm/ecc_set_relation.cpp | 2 +- .../relations/ecc_vm/ecc_transcript_relation.cpp | 2 +- .../relations/ecc_vm/ecc_wnaf_relation.cpp | 2 +- .../cpp/src/barretenberg/relations/utils.hpp | 1 + .../eccvm_verifier/eccvm_recursive_flavor.hpp | 6 +++--- .../eccvm_verifier/eccvm_recursive_verifier.cpp | 5 +++++ .../cpp/src/barretenberg/sumcheck/sumcheck.hpp | 2 -- .../src/barretenberg/sumcheck/sumcheck_round.hpp | 16 +++++++++++++--- 17 files changed, 47 insertions(+), 20 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp index dee3b147d29..6205ace2970 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp @@ -437,7 +437,6 @@ template class ShpleminiVerifier_ { // Update the batching challenge current_batching_challenge *= shplonk_batching_challenge; - info(j, " current batching challenge verifier ", current_batching_challenge); if constexpr (Curve::is_stdlib_type) { auto builder = shplonk_batching_challenge.get_context(); @@ -497,7 +496,6 @@ template class ShpleminiVerifier_ { zip_view(libra_univariate_commitments, denominators, libra_univariate_evaluations)) { commitments.push_back(libra_univariate_commitment); Fr scaling_factor = denominator * shplonk_challenge_power; - info("nu power verifier", shplonk_challenge_power); scalars.push_back(-scaling_factor); shplonk_challenge_power *= shplonk_batching_challenge; constant_term += scaling_factor * libra_univariate_evaluation; diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp index 4ec0919a7d7..e7fbe4b3bee 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp @@ -68,7 +68,7 @@ class ECCVMFlavor { using Relations = Relations_; using LookupRelation = ECCVMLookupRelation; - static constexpr size_t MAX_PARTIAL_RELATION_LENGTH = compute_max_partial_relation_length(); + static constexpr size_t MAX_PARTIAL_RELATION_LENGTH = compute_max_partial_relation_length(); // BATCHED_RELATION_PARTIAL_LENGTH = algebraic degree of sumcheck relation *after* multiplying by the `pow_zeta` // random polynomial e.g. For \sum(x) [A(x) * B(x) + C(x)] * PowZeta(X), relation length = 2 and random relation @@ -79,8 +79,7 @@ class ECCVMFlavor { // Instantiate the BarycentricData needed to extend each Relation Univariate // define the containers for storing the contributions from each relation in Sumcheck - using SumcheckTupleOfTuplesOfUnivariates = - decltype(create_sumcheck_tuple_of_tuples_of_univariates()); + using SumcheckTupleOfTuplesOfUnivariates = decltype(create_sumcheck_tuple_of_tuples_of_univariates()); using TupleOfArraysOfValues = decltype(create_tuple_of_arrays_of_values()); diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp index 0c768017893..41857f32978 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp @@ -32,12 +32,17 @@ bool ECCVMVerifier::verify_proof(const HonkProof& proof) auto beta_sqr = beta * beta; relation_parameters.gamma = gamma; + info("native gamma ", relation_parameters.gamma); relation_parameters.beta = beta; + info("native beta ", relation_parameters.beta); relation_parameters.beta_sqr = beta * beta; + info("native beta.sqr ", relation_parameters.beta_sqr); relation_parameters.beta_cube = beta_sqr * beta; + info("native beta cube ", relation_parameters.beta_cube); relation_parameters.eccvm_set_permutation_delta = gamma * (gamma + beta_sqr) * (gamma + beta_sqr + beta_sqr) * (gamma + beta_sqr + beta_sqr + beta_sqr); relation_parameters.eccvm_set_permutation_delta = relation_parameters.eccvm_set_permutation_delta.invert(); + info("set perm delta after inversion ", relation_parameters.eccvm_set_permutation_delta); // Get commitment to permutation and lookup grand products commitments.lookup_inverses = diff --git a/barretenberg/cpp/src/barretenberg/honk/proof_system/logderivative_library.hpp b/barretenberg/cpp/src/barretenberg/honk/proof_system/logderivative_library.hpp index 940c88c8c6d..50c12242b4e 100644 --- a/barretenberg/cpp/src/barretenberg/honk/proof_system/logderivative_library.hpp +++ b/barretenberg/cpp/src/barretenberg/honk/proof_system/logderivative_library.hpp @@ -137,9 +137,13 @@ void accumulate_logderivative_lookup_subrelation_contributions(ContainerOverSubr // each predicate is degree-1 // degree of relation at this point = NUM_TOTAL_TERMS + 1 + bb::constexpr_for<0, READ_TERMS, 1>([&]() { + // info("read terms ", READ_TERMS); std::get<1>(accumulator) += Relation::template compute_read_term_predicate(in) * denominator_accumulator[i]; + info("denom accumulator? ", denominator_accumulator[i]); + info("interm accum ", std::get<1>(accumulator)); }); // each predicate is degree-1, `lookup_read_counts` is degree-1 diff --git a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_bools_relation.cpp b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_bools_relation.cpp index 6416f9c5de5..539b6e6cd6d 100644 --- a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_bools_relation.cpp +++ b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_bools_relation.cpp @@ -5,5 +5,5 @@ namespace bb { template class ECCVMBoolsRelationImpl; -DEFINE_ZK_SUMCHECK_RELATION_CLASS(ECCVMBoolsRelationImpl, ECCVMFlavor); +DEFINE_SUMCHECK_RELATION_CLASS(ECCVMBoolsRelationImpl, ECCVMFlavor); } // namespace bb \ No newline at end of file diff --git a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_lookup_relation.cpp b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_lookup_relation.cpp index 69dcc7122e1..4afdd9c0898 100644 --- a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_lookup_relation.cpp +++ b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_lookup_relation.cpp @@ -4,5 +4,5 @@ namespace bb { template class ECCVMLookupRelationImpl; -DEFINE_ZK_SUMCHECK_RELATION_CLASS(ECCVMLookupRelationImpl, ECCVMFlavor); +DEFINE_SUMCHECK_RELATION_CLASS(ECCVMLookupRelationImpl, ECCVMFlavor); } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_lookup_relation.hpp b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_lookup_relation.hpp index 04486374550..c675523d1f2 100644 --- a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_lookup_relation.hpp +++ b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_lookup_relation.hpp @@ -82,15 +82,22 @@ polynomials, using View = typename Accumulator::View; if constexpr (read_index == 0) { + + info("read index 0", in.msm_add1); return Accumulator(View(in.msm_add1)); } if constexpr (read_index == 1) { + // info("read index 1", in.msm_add2); return Accumulator(View(in.msm_add2)); } if constexpr (read_index == 2) { + info("read index 2", in.msm_add3); + return Accumulator(View(in.msm_add3)); } if constexpr (read_index == 3) { + info("read index 3", in.msm_add4); + return Accumulator(View(in.msm_add4)); } return Accumulator(1); diff --git a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_msm_relation.cpp b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_msm_relation.cpp index 41af3083e12..bb7c3738b6f 100644 --- a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_msm_relation.cpp +++ b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_msm_relation.cpp @@ -5,6 +5,6 @@ namespace bb { template class ECCVMMSMRelationImpl; -DEFINE_ZK_SUMCHECK_RELATION_CLASS(ECCVMMSMRelationImpl, ECCVMFlavor); +DEFINE_SUMCHECK_RELATION_CLASS(ECCVMMSMRelationImpl, ECCVMFlavor); } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_point_table_relation.cpp b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_point_table_relation.cpp index 2abf1ac3a22..ce12ce062ac 100644 --- a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_point_table_relation.cpp +++ b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_point_table_relation.cpp @@ -4,6 +4,6 @@ namespace bb { template class ECCVMPointTableRelationImpl; -DEFINE_ZK_SUMCHECK_RELATION_CLASS(ECCVMPointTableRelationImpl, ECCVMFlavor); +DEFINE_SUMCHECK_RELATION_CLASS(ECCVMPointTableRelationImpl, ECCVMFlavor); } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_set_relation.cpp b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_set_relation.cpp index 495c60c59be..03e8565fcb4 100644 --- a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_set_relation.cpp +++ b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_set_relation.cpp @@ -4,7 +4,7 @@ namespace bb { template class ECCVMSetRelationImpl; -DEFINE_ZK_SUMCHECK_RELATION_CLASS(ECCVMSetRelationImpl, ECCVMFlavor); +DEFINE_SUMCHECK_RELATION_CLASS(ECCVMSetRelationImpl, ECCVMFlavor); DEFINE_SUMCHECK_PERMUTATION_CLASS(ECCVMSetRelationImpl, ECCVMFlavor); } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_transcript_relation.cpp b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_transcript_relation.cpp index 498133147a8..79834907a99 100644 --- a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_transcript_relation.cpp +++ b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_transcript_relation.cpp @@ -7,5 +7,5 @@ namespace bb { template class ECCVMTranscriptRelationImpl; -DEFINE_ZK_SUMCHECK_RELATION_CLASS(ECCVMTranscriptRelationImpl, ECCVMFlavor); +DEFINE_SUMCHECK_RELATION_CLASS(ECCVMTranscriptRelationImpl, ECCVMFlavor); } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_wnaf_relation.cpp b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_wnaf_relation.cpp index 06cc795e012..2ab7a00a381 100644 --- a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_wnaf_relation.cpp +++ b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_wnaf_relation.cpp @@ -5,6 +5,6 @@ namespace bb { template class ECCVMWnafRelationImpl; -DEFINE_ZK_SUMCHECK_RELATION_CLASS(ECCVMWnafRelationImpl, ECCVMFlavor); +DEFINE_SUMCHECK_RELATION_CLASS(ECCVMWnafRelationImpl, ECCVMFlavor); } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/relations/utils.hpp b/barretenberg/cpp/src/barretenberg/relations/utils.hpp index aad76caf196..57a8ab08f5d 100644 --- a/barretenberg/cpp/src/barretenberg/relations/utils.hpp +++ b/barretenberg/cpp/src/barretenberg/relations/utils.hpp @@ -246,6 +246,7 @@ template class RelationUtils { std::copy(challenges.begin(), challenges.end(), tmp.begin() + 1); auto scale_by_challenges_and_accumulate = [&](auto& element) { for (auto& entry : element) { + result += entry * tmp[idx]; idx++; } diff --git a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_flavor.hpp b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_flavor.hpp index 088ff2979f7..f08554c5670 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_flavor.hpp @@ -52,9 +52,9 @@ template class ECCVMRecursiveFlavor_ { using Relations = ECCVMFlavor::Relations_; // think these two are not needed for recursive verifier land - // using GrandProductRelations = std::tuple>; - // using LookupRelation = ECCVMLookupRelation; - static constexpr size_t MAX_PARTIAL_RELATION_LENGTH = compute_max_partial_relation_length(); + using GrandProductRelations = std::tuple>; + using LookupRelation = ECCVMLookupRelation; + static constexpr size_t MAX_PARTIAL_RELATION_LENGTH = compute_max_partial_relation_length(); // BATCHED_RELATION_PARTIAL_LENGTH = algebraic degree of sumcheck relation *after* multiplying by the `pow_zeta` // random polynomial e.g. For \sum(x) [A(x) * B(x) + C(x)] * PowZeta(X), relation length = 2 and random relation diff --git a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp index d8fa47180d9..2537aa5f9da 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp @@ -46,12 +46,17 @@ template void ECCVMRecursiveVerifier_::verify_proof(co auto beta_sqr = beta * beta; relation_parameters.gamma = gamma; + info("rec gamma ", relation_parameters.gamma); relation_parameters.beta = beta; + info("rec beta ", relation_parameters.beta); relation_parameters.beta_sqr = beta * beta; + info("rec beta.sqr ", relation_parameters.beta_sqr); relation_parameters.beta_cube = beta_sqr * beta; + info("rec beta cube ", relation_parameters.beta_cube); relation_parameters.eccvm_set_permutation_delta = gamma * (gamma + beta_sqr) * (gamma + beta_sqr + beta_sqr) * (gamma + beta_sqr + beta_sqr + beta_sqr); relation_parameters.eccvm_set_permutation_delta = relation_parameters.eccvm_set_permutation_delta.invert(); + info("rec set perm delta after inversion ", relation_parameters.eccvm_set_permutation_delta); // Get commitment to permutation and lookup grand products commitments.lookup_inverses = diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp index 36f3cc40126..dc834fb2e4d 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp @@ -688,13 +688,11 @@ template class SumcheckVerifier { multivariate_challenge.emplace_back(round_challenge); round.compute_next_target_sum(round_univariate, round_challenge, dummy_round); - info("native round target sum: ", round.target_total_sum); gate_separators.partially_evaluate(round_challenge, dummy_round); } else { if (round_idx < multivariate_d) { bool checked = round.check_sum(round_univariate); - info("checked? ", checked); verified = verified && checked; info("verified? ", checked); diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck_round.hpp b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck_round.hpp index 88c80b3939d..dcb4c9a2259 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck_round.hpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck_round.hpp @@ -533,13 +533,23 @@ template class SumcheckVerifierRound { std::optional full_libra_purported_value = std::nullopt) { // The verifier should never skip computation of contributions from any relation + // size_t idx = 0; + // for (auto eval : purported_evaluations.get_all()) { + // info("claimed eval ", idx, " ", eval); + // idx++; + // } Utils::template accumulate_relation_evaluations_without_skipping<>( purported_evaluations, relation_evaluations, relation_parameters, gate_sparators.partial_evaluation_result); - info("rel eval "); + // info("rel eval <5>"); - // for (size_t idx = 0; idx < std::get<1>(relation_evaluations).size(); idx++) { - // info(std::get<1>(relation_evaluations)[idx]); + // for (size_t idx = 0; idx < std::get<5>(relation_evaluations).size(); idx++) { + // info(std::get<5>(relation_evaluations)[idx]); + // } + // info("rel eval <6>"); + // for (size_t idx = 0; idx < std::get<6>(relation_evaluations).size(); idx++) { + // info(std::get<6>(relation_evaluations)[idx]); // } + FF running_challenge{ 1 }; FF output{ 0 }; Utils::scale_and_batch_elements(relation_evaluations, alpha, running_challenge, output); From 4298d52626e1636658675ded9910a3d009510565 Mon Sep 17 00:00:00 2001 From: iakovenkos Date: Thu, 31 Oct 2024 19:26:14 +0000 Subject: [PATCH 07/17] eccvm recursive fixed --- .../commitment_schemes/shplonk/shplemini.hpp | 32 +++++++++++++---- .../src/barretenberg/eccvm/eccvm_verifier.cpp | 15 ++++++-- .../proof_system/logderivative_library.hpp | 2 -- .../relations/ecc_vm/ecc_lookup_relation.hpp | 4 --- .../eccvm_recursive_verifier.cpp | 15 +++++--- .../barretenberg/sumcheck/sumcheck_round.hpp | 36 +++++++++++++++++-- .../sumcheck/zk_sumcheck_data.hpp | 12 +++---- 7 files changed, 87 insertions(+), 29 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp index 6205ace2970..4d0f042730a 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp @@ -463,8 +463,14 @@ template class ShpleminiVerifier_ { { const auto shplonk_batching_challenge = batch_opening_claim.batching_challenge; + info("shpl batching challenge ", shplonk_batching_challenge); const auto shplonk_evaluation_challenge = batch_opening_claim.evaluation_point; + info("shpl eval challenge ", shplonk_evaluation_challenge); + + for (auto eval : libra_univariate_evaluations) { + info("libra eval received ", eval); + } // compute the correct power of \nu Fr shplonk_challenge_power = Fr{ 1 }; for (size_t j = 0; j < CONST_PROOF_SIZE_LOG_N + 2; ++j) { @@ -481,14 +487,25 @@ template class ShpleminiVerifier_ { std::vector denominators; size_t num_libra_univariates = libra_univariate_commitments.size(); for (size_t idx = 0; idx < num_libra_univariates; idx++) { - denominators.push_back(shplonk_evaluation_challenge - multivariate_challenge[idx]); - }; - if constexpr (Curve::is_stdlib_type) { - for (Fr& denominator : denominators) { - denominator.invert(); + + if constexpr (Curve::is_stdlib_type) { + auto denom_reduced = shplonk_evaluation_challenge - multivariate_challenge[idx]; + denom_reduced.self_reduce(); + info("denom reduced non-native", idx, " ", denom_reduced); + denominators.push_back(Fr(1) / + (shplonk_evaluation_challenge - multivariate_challenge[idx])); // very strange + info("denom inverted", Fr(1) / (shplonk_evaluation_challenge - multivariate_challenge[idx])); + } else { + denominators.push_back(shplonk_evaluation_challenge - multivariate_challenge[idx]); + info("denom native", idx, " ", (shplonk_evaluation_challenge - multivariate_challenge[idx])); } - } else { + }; + + if constexpr (!Curve::is_stdlib_type) { Fr::batch_invert(denominators); + for (auto denom : denominators) { + info("denom native inverted ", denom); + } } Fr constant_term = 0; @@ -496,7 +513,8 @@ template class ShpleminiVerifier_ { zip_view(libra_univariate_commitments, denominators, libra_univariate_evaluations)) { commitments.push_back(libra_univariate_commitment); Fr scaling_factor = denominator * shplonk_challenge_power; - scalars.push_back(-scaling_factor); + scalars.push_back((-scaling_factor)); + info("libra scalars? ", -scaling_factor); shplonk_challenge_power *= shplonk_batching_challenge; constant_term += scaling_factor * libra_univariate_evaluation; } diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp index 41857f32978..473461d841d 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp @@ -68,9 +68,9 @@ bool ECCVMVerifier::verify_proof(const HonkProof& proof) } auto [multivariate_challenge, claimed_evaluations, libra_evaluations, sumcheck_verified] = sumcheck.verify(relation_parameters, alpha, gate_challenges); - for (size_t idx = 0; idx < multivariate_challenge.size(); idx++) { - info("sumcheck native challenge u_", idx, " = ", multivariate_challenge[idx]); - } + // for (size_t idx = 0; idx < multivariate_challenge.size(); idx++) { + // info("sumcheck native challenge u_", idx, " = ", multivariate_challenge[idx]); + // } // If Sumcheck did not verify, return false if (sumcheck_verified.has_value() && !sumcheck_verified.value()) { return false; @@ -86,8 +86,17 @@ bool ECCVMVerifier::verify_proof(const HonkProof& proof) multivariate_challenge, key->pcs_verification_key->get_g1_identity(), transcript); + info("native point", + batch_mul_native(sumcheck_batch_opening_claims.commitments, sumcheck_batch_opening_claims.scalars)); Shplemini::add_zk_data( sumcheck_batch_opening_claims, RefVector(libra_commitments), libra_evaluations, multivariate_challenge); + // for (auto scalar : sumcheck_batch_opening_claims.scalars) { + // info("native batching scalar", scalar); + // } + + info("native point after zk data ", + batch_mul_native(sumcheck_batch_opening_claims.commitments, sumcheck_batch_opening_claims.scalars)); + info("scalars native size", sumcheck_batch_opening_claims.scalars.size()); // Reduce the accumulator to a single opening claim const OpeningClaim multivariate_to_univariate_opening_claim = diff --git a/barretenberg/cpp/src/barretenberg/honk/proof_system/logderivative_library.hpp b/barretenberg/cpp/src/barretenberg/honk/proof_system/logderivative_library.hpp index 50c12242b4e..3d254496091 100644 --- a/barretenberg/cpp/src/barretenberg/honk/proof_system/logderivative_library.hpp +++ b/barretenberg/cpp/src/barretenberg/honk/proof_system/logderivative_library.hpp @@ -142,8 +142,6 @@ void accumulate_logderivative_lookup_subrelation_contributions(ContainerOverSubr // info("read terms ", READ_TERMS); std::get<1>(accumulator) += Relation::template compute_read_term_predicate(in) * denominator_accumulator[i]; - info("denom accumulator? ", denominator_accumulator[i]); - info("interm accum ", std::get<1>(accumulator)); }); // each predicate is degree-1, `lookup_read_counts` is degree-1 diff --git a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_lookup_relation.hpp b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_lookup_relation.hpp index c675523d1f2..4612d1ef11d 100644 --- a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_lookup_relation.hpp +++ b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_lookup_relation.hpp @@ -83,20 +83,16 @@ polynomials, if constexpr (read_index == 0) { - info("read index 0", in.msm_add1); return Accumulator(View(in.msm_add1)); } if constexpr (read_index == 1) { - // info("read index 1", in.msm_add2); return Accumulator(View(in.msm_add2)); } if constexpr (read_index == 2) { - info("read index 2", in.msm_add3); return Accumulator(View(in.msm_add3)); } if constexpr (read_index == 3) { - info("read index 3", in.msm_add4); return Accumulator(View(in.msm_add4)); } diff --git a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp index 2537aa5f9da..1264ed220a3 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp @@ -81,14 +81,14 @@ template void ECCVMRecursiveVerifier_::verify_proof(co Commitment libra_commitment = transcript->template receive_from_prover("Libra:commitment_" + std::to_string(idx)); libra_commitments.push_back(libra_commitment); - info("libra comm V: ", libra_commitment); + // info("libra comm V: ", libra_commitment); } auto [multivariate_challenge, claimed_evaluations, libra_evaluations, sumcheck_verified] = sumcheck.verify(relation_parameters, alpha, gate_challenges); - for (size_t idx = 0; idx < multivariate_challenge.size(); idx++) { - info("sumcheck recursive challenge u_", idx, " = ", multivariate_challenge[idx]); - } + // for (size_t idx = 0; idx < multivariate_challenge.size(); idx++) { + // info("sumcheck recursive challenge u_", idx, " = ", multivariate_challenge[idx]); + // } info("SUMCHECK verified", sumcheck_verified.value()); // Compute the Shplemini accumulator consisting of the Shplonk evaluation and the commitments and scalars vector @@ -102,8 +102,14 @@ template void ECCVMRecursiveVerifier_::verify_proof(co multivariate_challenge, key->pcs_verification_key->get_g1_identity(), transcript); + info("non-native point", + Commitment::batch_mul(sumcheck_batch_opening_claims.commitments, sumcheck_batch_opening_claims.scalars)); Shplemini::add_zk_data( sumcheck_batch_opening_claims, RefVector(libra_commitments), libra_evaluations, multivariate_challenge); + + info("non-native point after zk data", + Commitment::batch_mul(sumcheck_batch_opening_claims.commitments, sumcheck_batch_opening_claims.scalars, true)); + info("scalars recursive size", sumcheck_batch_opening_claims.scalars.size()); // Reduce the accumulator to a single opening claim const OpeningClaim multivariate_to_univariate_opening_claim = PCS::reduce_batch_opening_claim(sumcheck_batch_opening_claims); @@ -150,6 +156,7 @@ template void ECCVMRecursiveVerifier_::verify_proof(co const auto batched_opening_verified = PCS::reduce_verify(key->pcs_verification_key, batch_opening_claim, transcript); + info("batching opening verified? ", batched_opening_verified); ASSERT(sumcheck_verified && batched_opening_verified); } diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck_round.hpp b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck_round.hpp index dcb4c9a2259..6f7c4cd1bb8 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck_round.hpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck_round.hpp @@ -532,14 +532,39 @@ template class SumcheckVerifierRound { const RelationSeparator alpha, std::optional full_libra_purported_value = std::nullopt) { - // The verifier should never skip computation of contributions from any relation + info("pow = ", gate_sparators.partial_evaluation_result); // size_t idx = 0; // for (auto eval : purported_evaluations.get_all()) { - // info("claimed eval ", idx, " ", eval); + // info("evals ", idx, " ", eval); // idx++; // } Utils::template accumulate_relation_evaluations_without_skipping<>( purported_evaluations, relation_evaluations, relation_parameters, gate_sparators.partial_evaluation_result); + // info("rel eval <0>"); + // for (size_t idx = 0; idx < std::get<0>(relation_evaluations).size(); idx++) { + // info(std::get<0>(relation_evaluations)[idx]); + // } + + // info("rel eval <1>"); + + // for (size_t idx = 0; idx < std::get<1>(relation_evaluations).size(); idx++) { + // info(std::get<1>(relation_evaluations)[idx]); + // } + // info("rel eval <2>"); + + // for (size_t idx = 0; idx < std::get<2>(relation_evaluations).size(); idx++) { + // info(std::get<2>(relation_evaluations)[idx]); + // } + // info("rel eval <3>"); + + // for (size_t idx = 0; idx < std::get<3>(relation_evaluations).size(); idx++) { + // info(std::get<3>(relation_evaluations)[idx]); + // } + // info("rel eval <4>"); + + // for (size_t idx = 0; idx < std::get<4>(relation_evaluations).size(); idx++) { + // info(std::get<4>(relation_evaluations)[idx]); + // } // info("rel eval <5>"); // for (size_t idx = 0; idx < std::get<5>(relation_evaluations).size(); idx++) { @@ -554,9 +579,14 @@ template class SumcheckVerifierRound { FF output{ 0 }; Utils::scale_and_batch_elements(relation_evaluations, alpha, running_challenge, output); - info("honk without libra?", output); + // info("honk without libra?", output); + + // info("after reduction ", output); if constexpr (Flavor::HasZK) { output += full_libra_purported_value.value(); + if constexpr (IsECCVMRecursiveFlavor) { + output.self_reduce(); + } }; return output; } diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp b/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp index d938eea9602..3ede0fc5a58 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp @@ -83,7 +83,7 @@ template struct ZKSumcheckData { for (auto& libra_univariate_monomial : libra_univariates_monomial) { auto libra_commitment = proving_key->commitment_key->commit(libra_univariate_monomial); transcript->send_to_verifier("Libra:commitment_" + std::to_string(idx), libra_commitment); - info("libra comm prover", libra_commitment); + // info("libra comm prover", libra_commitment); idx++; } } @@ -103,7 +103,7 @@ template struct ZKSumcheckData { libra_running_sum = libra_total_sum * libra_challenge; // Setup the Libra data - setup_libra_data(libra_univariates, libra_scaling_factor, libra_challenge, libra_running_sum); + setup_auxiliary_data(libra_univariates, libra_scaling_factor, libra_challenge, libra_running_sum); } /** @@ -191,10 +191,10 @@ template struct ZKSumcheckData { * @param libra_round_factor * @param libra_challenge */ - static void setup_libra_data(auto& libra_univariates, - FF& libra_scaling_factor, - const FF libra_challenge, - FF& libra_running_sum) + static void setup_auxiliary_data(auto& libra_univariates, + FF& libra_scaling_factor, + const FF libra_challenge, + FF& libra_running_sum) { libra_scaling_factor *= libra_challenge; // \rho * 2^{d-1} for (auto& univariate : libra_univariates) { From bf468eb600ffce1e04d053e38ba8fae4b82d6c5a Mon Sep 17 00:00:00 2001 From: iakovenkos Date: Mon, 4 Nov 2024 10:02:53 +0000 Subject: [PATCH 08/17] opening proofs for libra polynomials in translator --- .../commitment_schemes/shplonk/shplemini.hpp | 6 ------ .../cpp/src/barretenberg/eccvm/eccvm_verifier.cpp | 8 -------- .../translator_recursive_verifier.cpp | 9 ++++++++- .../translator_recursive_verifier.hpp | 1 + .../src/barretenberg/translator_vm/translator_prover.cpp | 9 +++++++-- .../src/barretenberg/translator_vm/translator_prover.hpp | 3 +++ .../barretenberg/translator_vm/translator_verifier.cpp | 8 +++++++- .../barretenberg/translator_vm/translator_verifier.hpp | 1 + 8 files changed, 27 insertions(+), 18 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp index 4d0f042730a..083b3966bff 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp @@ -489,22 +489,16 @@ template class ShpleminiVerifier_ { for (size_t idx = 0; idx < num_libra_univariates; idx++) { if constexpr (Curve::is_stdlib_type) { - auto denom_reduced = shplonk_evaluation_challenge - multivariate_challenge[idx]; - denom_reduced.self_reduce(); - info("denom reduced non-native", idx, " ", denom_reduced); denominators.push_back(Fr(1) / (shplonk_evaluation_challenge - multivariate_challenge[idx])); // very strange - info("denom inverted", Fr(1) / (shplonk_evaluation_challenge - multivariate_challenge[idx])); } else { denominators.push_back(shplonk_evaluation_challenge - multivariate_challenge[idx]); - info("denom native", idx, " ", (shplonk_evaluation_challenge - multivariate_challenge[idx])); } }; if constexpr (!Curve::is_stdlib_type) { Fr::batch_invert(denominators); for (auto denom : denominators) { - info("denom native inverted ", denom); } } diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp index 473461d841d..89fd2c37442 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp @@ -32,17 +32,12 @@ bool ECCVMVerifier::verify_proof(const HonkProof& proof) auto beta_sqr = beta * beta; relation_parameters.gamma = gamma; - info("native gamma ", relation_parameters.gamma); relation_parameters.beta = beta; - info("native beta ", relation_parameters.beta); relation_parameters.beta_sqr = beta * beta; - info("native beta.sqr ", relation_parameters.beta_sqr); relation_parameters.beta_cube = beta_sqr * beta; - info("native beta cube ", relation_parameters.beta_cube); relation_parameters.eccvm_set_permutation_delta = gamma * (gamma + beta_sqr) * (gamma + beta_sqr + beta_sqr) * (gamma + beta_sqr + beta_sqr + beta_sqr); relation_parameters.eccvm_set_permutation_delta = relation_parameters.eccvm_set_permutation_delta.invert(); - info("set perm delta after inversion ", relation_parameters.eccvm_set_permutation_delta); // Get commitment to permutation and lookup grand products commitments.lookup_inverses = @@ -53,7 +48,6 @@ bool ECCVMVerifier::verify_proof(const HonkProof& proof) const size_t log_circuit_size = numeric::get_msb(circuit_size); auto sumcheck = SumcheckVerifier(log_circuit_size, transcript); FF alpha = transcript->template get_challenge("Sumcheck:alpha"); - info("alpha native ", alpha); std::vector gate_challenges(static_cast(numeric::get_msb(key->circuit_size))); for (size_t idx = 0; idx < gate_challenges.size(); idx++) { @@ -86,8 +80,6 @@ bool ECCVMVerifier::verify_proof(const HonkProof& proof) multivariate_challenge, key->pcs_verification_key->get_g1_identity(), transcript); - info("native point", - batch_mul_native(sumcheck_batch_opening_claims.commitments, sumcheck_batch_opening_claims.scalars)); Shplemini::add_zk_data( sumcheck_batch_opening_claims, RefVector(libra_commitments), libra_evaluations, multivariate_challenge); // for (auto scalar : sumcheck_batch_opening_claims.scalars) { diff --git a/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp index a94fe57d157..229468bd0f0 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp @@ -111,10 +111,15 @@ std::array TranslatorRecursiveVerifier_template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); } + for (size_t idx = 0; idx < log_circuit_size; idx++) { + Commitment libra_commitment = + transcript->template receive_from_prover("Libra:commitment_" + std::to_string(idx)); + libra_commitments.push_back(libra_commitment); + } auto [multivariate_challenge, claimed_evaluations, libra_evaluations, sumcheck_verified] = sumcheck.verify(relation_parameters, alpha, gate_challenges); - const BatchOpeningClaim opening_claim = + BatchOpeningClaim opening_claim = Shplemini::compute_batch_opening_claim(circuit_size, commitments.get_unshifted_without_concatenated(), commitments.get_to_be_shifted(), @@ -125,6 +130,8 @@ std::array TranslatorRecursiveVerifier_ class TranslatorRecursiveVerifier_ { Builder* builder; RelationParams relation_parameters; + std::vector libra_commitments; TranslatorRecursiveVerifier_(Builder* builder, const std::shared_ptr& native_verifier_key, diff --git a/barretenberg/cpp/src/barretenberg/translator_vm/translator_prover.cpp b/barretenberg/cpp/src/barretenberg/translator_vm/translator_prover.cpp index 49b0e9501d6..18fd90a3eaf 100644 --- a/barretenberg/cpp/src/barretenberg/translator_vm/translator_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/translator_vm/translator_prover.cpp @@ -158,7 +158,10 @@ void TranslatorProver::execute_relation_check_rounds() for (size_t idx = 0; idx < gate_challenges.size(); idx++) { gate_challenges[idx] = transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); } - sumcheck_output = sumcheck.prove(key->polynomials, relation_parameters, alpha, gate_challenges); + // create masking polynomials for sumcheck round univariates and auxiliary data + zk_sumcheck_data = ZKSumcheckData(key->log_circuit_size, transcript, key); + + sumcheck_output = sumcheck.prove(key->polynomials, relation_parameters, alpha, gate_challenges, zk_sumcheck_data); } /** @@ -181,7 +184,9 @@ void TranslatorProver::execute_pcs_rounds() key->commitment_key, transcript, key->polynomials.get_concatenated(), - key->polynomials.get_groups_to_be_concatenated()); + key->polynomials.get_groups_to_be_concatenated(), + zk_sumcheck_data.libra_univariates_monomial, + sumcheck_output.claimed_libra_evaluations); PCS::compute_opening_proof(key->commitment_key, prover_opening_claim, transcript); } diff --git a/barretenberg/cpp/src/barretenberg/translator_vm/translator_prover.hpp b/barretenberg/cpp/src/barretenberg/translator_vm/translator_prover.hpp index 82e66c5c021..a8a19591ef8 100644 --- a/barretenberg/cpp/src/barretenberg/translator_vm/translator_prover.hpp +++ b/barretenberg/cpp/src/barretenberg/translator_vm/translator_prover.hpp @@ -2,6 +2,7 @@ #include "barretenberg/honk/proof_system/types/proof.hpp" #include "barretenberg/relations/relation_parameters.hpp" #include "barretenberg/sumcheck/sumcheck_output.hpp" +#include "barretenberg/sumcheck/zk_sumcheck_data.hpp" #include "barretenberg/translator_vm/translator_flavor.hpp" namespace bb { @@ -48,6 +49,8 @@ class TranslatorProver { CommitmentLabels commitment_labels; + ZKSumcheckData zk_sumcheck_data; + SumcheckOutput sumcheck_output; private: diff --git a/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp b/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp index 5f91b012310..f9158047fc2 100644 --- a/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp @@ -102,6 +102,11 @@ bool TranslatorVerifier::verify_proof(const HonkProof& proof) gate_challenges[idx] = transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); } + for (size_t idx = 0; idx < log_circuit_size; idx++) { + Commitment libra_commitment = + transcript->receive_from_prover("Libra:commitment_" + std::to_string(idx)); + libra_commitments.push_back(libra_commitment); + } auto [multivariate_challenge, claimed_evaluations, libra_evaluations, sumcheck_verified] = sumcheck.verify(relation_parameters, alpha, gate_challenges); @@ -110,7 +115,7 @@ bool TranslatorVerifier::verify_proof(const HonkProof& proof) return false; } - const BatchOpeningClaim opening_claim = + BatchOpeningClaim opening_claim = Shplemini::compute_batch_opening_claim(circuit_size, commitments.get_unshifted_without_concatenated(), commitments.get_to_be_shifted(), @@ -121,6 +126,7 @@ bool TranslatorVerifier::verify_proof(const HonkProof& proof) transcript, commitments.get_groups_to_be_concatenated(), claimed_evaluations.get_concatenated()); + Shplemini::add_zk_data(opening_claim, RefVector(libra_commitments), libra_evaluations, multivariate_challenge); const auto pairing_points = PCS::reduce_verify_batch_opening_claim(opening_claim, transcript); auto verified = key->pcs_verification_key->pairing_check(pairing_points[0], pairing_points[1]); diff --git a/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.hpp b/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.hpp index dbe0dc66cdb..5ed5f0c34b5 100644 --- a/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.hpp +++ b/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.hpp @@ -24,6 +24,7 @@ class TranslatorVerifier { std::map commitments; std::shared_ptr transcript; RelationParameters relation_parameters; + std::vector libra_commitments; TranslatorVerifier(const std::shared_ptr& verifier_key, const std::shared_ptr& transcript); From ab9b81ea33fb6fb985b83aa6482f2f350dae2c6a Mon Sep 17 00:00:00 2001 From: iakovenkos Date: Mon, 4 Nov 2024 10:29:09 +0000 Subject: [PATCH 09/17] translator relation degree changes reverted --- .../commitment_schemes/shplonk/shplemini.hpp | 2 -- .../translator_decomposition_relation_2.cpp | 5 ++--- .../translator_delta_range_constraint_relation.cpp | 2 +- .../translator_vm/translator_extra_relations.cpp | 4 ++-- .../translator_non_native_field_relation.cpp | 2 +- .../translator_permutation_relation.cpp | 2 +- .../translator_recursive_flavor.hpp | 2 +- .../translator_vm/translator_flavor.hpp | 14 +++++++------- 8 files changed, 15 insertions(+), 18 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp index 083b3966bff..fa083da1a19 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp @@ -498,8 +498,6 @@ template class ShpleminiVerifier_ { if constexpr (!Curve::is_stdlib_type) { Fr::batch_invert(denominators); - for (auto denom : denominators) { - } } Fr constant_term = 0; diff --git a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_decomposition_relation_2.cpp b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_decomposition_relation_2.cpp index 93220028f21..095bdc164d2 100644 --- a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_decomposition_relation_2.cpp +++ b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_decomposition_relation_2.cpp @@ -10,10 +10,9 @@ template void TranslatorDecompositionRelationImpl::accumul RelationParameters const&, TranslatorFlavor::FF const&); template void TranslatorDecompositionRelationImpl::accumulate< - bb::Relation< - TranslatorDecompositionRelationImpl>::ZKSumcheckTupleOfUnivariatesOverSubrelations, + bb::Relation>::SumcheckTupleOfUnivariatesOverSubrelations, TranslatorFlavor::ExtendedEdges>(bb::Relation>:: - ZKSumcheckTupleOfUnivariatesOverSubrelations&, + SumcheckTupleOfUnivariatesOverSubrelations&, TranslatorFlavor::ExtendedEdges const&, RelationParameters const&, TranslatorFlavor::FF const&); diff --git a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_delta_range_constraint_relation.cpp b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_delta_range_constraint_relation.cpp index 2aef52a29bb..fd651d31f2e 100644 --- a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_delta_range_constraint_relation.cpp +++ b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_delta_range_constraint_relation.cpp @@ -2,5 +2,5 @@ #include "barretenberg/translator_vm/translator_flavor.hpp" namespace bb { template class TranslatorDeltaRangeConstraintRelationImpl; -DEFINE_ZK_SUMCHECK_RELATION_CLASS(TranslatorDeltaRangeConstraintRelationImpl, TranslatorFlavor); +DEFINE_SUMCHECK_RELATION_CLASS(TranslatorDeltaRangeConstraintRelationImpl, TranslatorFlavor); } // namespace bb \ No newline at end of file diff --git a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_extra_relations.cpp b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_extra_relations.cpp index 471fa8b7765..bf4bd53ac57 100644 --- a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_extra_relations.cpp +++ b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_extra_relations.cpp @@ -4,6 +4,6 @@ namespace bb { template class TranslatorOpcodeConstraintRelationImpl; template class TranslatorAccumulatorTransferRelationImpl; -DEFINE_ZK_SUMCHECK_RELATION_CLASS(TranslatorOpcodeConstraintRelationImpl, TranslatorFlavor); -DEFINE_ZK_SUMCHECK_RELATION_CLASS(TranslatorAccumulatorTransferRelationImpl, TranslatorFlavor); +DEFINE_SUMCHECK_RELATION_CLASS(TranslatorOpcodeConstraintRelationImpl, TranslatorFlavor); +DEFINE_SUMCHECK_RELATION_CLASS(TranslatorAccumulatorTransferRelationImpl, TranslatorFlavor); } // namespace bb \ No newline at end of file diff --git a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_non_native_field_relation.cpp b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_non_native_field_relation.cpp index 480c3debd44..f80ddfe235c 100644 --- a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_non_native_field_relation.cpp +++ b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_non_native_field_relation.cpp @@ -2,5 +2,5 @@ #include "barretenberg/translator_vm/translator_flavor.hpp" namespace bb { template class TranslatorNonNativeFieldRelationImpl; -DEFINE_ZK_SUMCHECK_RELATION_CLASS(TranslatorNonNativeFieldRelationImpl, TranslatorFlavor); +DEFINE_SUMCHECK_RELATION_CLASS(TranslatorNonNativeFieldRelationImpl, TranslatorFlavor); } // namespace bb \ No newline at end of file diff --git a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_permutation_relation.cpp b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_permutation_relation.cpp index da62ffb604d..81f96d8f8ff 100644 --- a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_permutation_relation.cpp +++ b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_permutation_relation.cpp @@ -2,5 +2,5 @@ #include "barretenberg/translator_vm/translator_flavor.hpp" namespace bb { template class TranslatorPermutationRelationImpl; -DEFINE_ZK_SUMCHECK_RELATION_CLASS(TranslatorPermutationRelationImpl, TranslatorFlavor); +DEFINE_SUMCHECK_RELATION_CLASS(TranslatorPermutationRelationImpl, TranslatorFlavor); } // namespace bb \ No newline at end of file diff --git a/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_flavor.hpp b/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_flavor.hpp index a40cae2ad3b..63b3c56eddf 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_flavor.hpp @@ -89,7 +89,7 @@ template class TranslatorRecursiveFlavor_ { using Relations = TranslatorFlavor::Relations_; - static constexpr size_t MAX_PARTIAL_RELATION_LENGTH = compute_max_partial_relation_length(); + static constexpr size_t MAX_PARTIAL_RELATION_LENGTH = compute_max_partial_relation_length(); static constexpr size_t MAX_TOTAL_RELATION_LENGTH = compute_max_total_relation_length(); // BATCHED_RELATION_PARTIAL_LENGTH = algebraic degree of sumcheck relation *after* multiplying by the `pow_zeta` diff --git a/barretenberg/cpp/src/barretenberg/translator_vm/translator_flavor.hpp b/barretenberg/cpp/src/barretenberg/translator_vm/translator_flavor.hpp index 5cb3f6a7003..13d3ca6789e 100644 --- a/barretenberg/cpp/src/barretenberg/translator_vm/translator_flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/translator_vm/translator_flavor.hpp @@ -93,7 +93,7 @@ class TranslatorFlavor { TranslatorNonNativeFieldRelation>; using Relations = Relations_; - static constexpr size_t MAX_PARTIAL_RELATION_LENGTH = compute_max_partial_relation_length(); + static constexpr size_t MAX_PARTIAL_RELATION_LENGTH = compute_max_partial_relation_length(); static constexpr size_t MAX_TOTAL_RELATION_LENGTH = compute_max_total_relation_length(); // BATCHED_RELATION_PARTIAL_LENGTH = algebraic degree of sumcheck relation *after* multiplying by the `pow_zeta` @@ -104,12 +104,12 @@ class TranslatorFlavor { // define the containers for storing the contributions from each relation in Sumcheck using SumcheckTupleOfTuplesOfUnivariates = - std::tuple::ZKSumcheckTupleOfUnivariatesOverSubrelations, - typename TranslatorDeltaRangeConstraintRelation::ZKSumcheckTupleOfUnivariatesOverSubrelations, - typename TranslatorOpcodeConstraintRelation::ZKSumcheckTupleOfUnivariatesOverSubrelations, - typename TranslatorAccumulatorTransferRelation::ZKSumcheckTupleOfUnivariatesOverSubrelations, - typename TranslatorDecompositionRelation::ZKSumcheckTupleOfUnivariatesOverSubrelations, - typename TranslatorNonNativeFieldRelation::ZKSumcheckTupleOfUnivariatesOverSubrelations>; + std::tuple::SumcheckTupleOfUnivariatesOverSubrelations, + typename TranslatorDeltaRangeConstraintRelation::SumcheckTupleOfUnivariatesOverSubrelations, + typename TranslatorOpcodeConstraintRelation::SumcheckTupleOfUnivariatesOverSubrelations, + typename TranslatorAccumulatorTransferRelation::SumcheckTupleOfUnivariatesOverSubrelations, + typename TranslatorDecompositionRelation::SumcheckTupleOfUnivariatesOverSubrelations, + typename TranslatorNonNativeFieldRelation::SumcheckTupleOfUnivariatesOverSubrelations>; using TupleOfArraysOfValues = decltype(create_tuple_of_arrays_of_values()); /** From aca70fa7ef78661572f9f438049527d839ff5530 Mon Sep 17 00:00:00 2001 From: iakovenkos Date: Mon, 4 Nov 2024 16:32:34 +0000 Subject: [PATCH 10/17] some clean-up --- .../commitment_schemes/shplonk/shplemini.hpp | 74 +++++++----- .../shplonk/shplemini.test.cpp | 39 +++--- .../src/barretenberg/eccvm/eccvm_verifier.cpp | 15 +-- .../cpp/src/barretenberg/relations/utils.hpp | 1 - .../eccvm_recursive_verifier.cpp | 14 +-- .../translator_recursive_verifier.cpp | 7 +- .../src/barretenberg/sumcheck/sumcheck.hpp | 114 +----------------- .../barretenberg/sumcheck/sumcheck_round.hpp | 43 ------- .../sumcheck/zk_sumcheck_data.hpp | 57 +++++---- .../translator_vm/translator_verifier.cpp | 7 +- 10 files changed, 114 insertions(+), 257 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp index fa083da1a19..8707cae4732 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp @@ -20,7 +20,7 @@ template class ShpleminiProver_ { using ShplonkProver = ShplonkProver_; using GeminiProver = GeminiProver_; - template + template static OpeningClaim prove(const FF circuit_size, RefSpan f_polynomials, RefSpan g_polynomials, @@ -29,8 +29,8 @@ template class ShpleminiProver_ { const std::shared_ptr& transcript, RefSpan concatenated_polynomials = {}, const std::vector>& groups_to_be_concatenated = {}, - const std::vector libra_univariates = {}, - const std::vector libra_evaluations = {}) + const std::vector>& libra_univariates = {}, + const std::vector& libra_evaluations = {}) { std::vector opening_claims = GeminiProver::prove(circuit_size, f_polynomials, @@ -40,12 +40,13 @@ template class ShpleminiProver_ { transcript, concatenated_polynomials, groups_to_be_concatenated); + // Create opening claims for Libra masking univariates std::vector libra_opening_claims; if (!libra_univariates.empty()) { size_t idx = 0; for (auto [libra_univariate, libra_evaluation] : zip_view(libra_univariates, libra_evaluations)) { OpeningClaim new_claim; - new_claim.polynomial = libra_univariate; + new_claim.polynomial = Polynomial(libra_univariate); new_claim.opening_pair.challenge = multilinear_challenge[idx]; new_claim.opening_pair.evaluation = libra_evaluation; libra_opening_claims.push_back(new_claim); @@ -133,7 +134,9 @@ template class ShpleminiVerifier_ { const Commitment& g1_identity, const std::shared_ptr& transcript, const std::vector>& concatenation_group_commitments = {}, - RefSpan concatenated_evaluations = {}) + RefSpan concatenated_evaluations = {}, + RefSpan libra_univariate_commitments = {}, + const std::vector& libra_univariate_evaluations = {}) { @@ -270,6 +273,16 @@ template class ShpleminiVerifier_ { commitments.emplace_back(g1_identity); scalars.emplace_back(constant_term_accumulator); + if (!libra_univariate_evaluations.empty()) { + add_zk_data(commitments, + scalars, + libra_univariate_commitments, + libra_univariate_evaluations, + multivariate_challenge, + shplonk_batching_challenge, + shplonk_evaluation_challenge); + } + return { commitments, scalars, shplonk_evaluation_challenge, shplonk_batching_challenge }; }; /** @@ -456,29 +469,36 @@ template class ShpleminiVerifier_ { } } - static void add_zk_data(BatchOpeningClaim& batch_opening_claim, + /** + * @brief Add the opening data corresponding to Libra masking univariates to the batched opening claim + * + * @details After verifying ZK Sumcheck, the verifier has to validate the claims about the evaluations of Libra + * univariates used to mask Sumcheck round univariates. To minimize the overhead of such openings, we continue the + * Shplonk batching started in Gemini, i.e. we add new claims multiplied by a suitable power of the Shplonk batching + * challenge and re-use the evaluation challenge sampled to prove the evaluations of Gemini polynomials. + * + * @param commitments + * @param scalars + * @param libra_univariate_commitments + * @param libra_univariate_evaluations + * @param multivariate_challenge + * @param shplonk_batching_challenge + * @param shplonk_evaluation_challenge + */ + static void add_zk_data(std::vector& commitments, + std::vector& scalars, RefSpan libra_univariate_commitments, const std::vector& libra_univariate_evaluations, - const std::vector& multivariate_challenge) + const std::vector& multivariate_challenge, + const Fr& shplonk_batching_challenge, + const Fr& shplonk_evaluation_challenge) { - const auto shplonk_batching_challenge = batch_opening_claim.batching_challenge; - info("shpl batching challenge ", shplonk_batching_challenge); - - const auto shplonk_evaluation_challenge = batch_opening_claim.evaluation_point; - info("shpl eval challenge ", shplonk_evaluation_challenge); - - for (auto eval : libra_univariate_evaluations) { - info("libra eval received ", eval); - } - // compute the correct power of \nu + // compute current power of Shplonk batching challenge taking into account the const proof size Fr shplonk_challenge_power = Fr{ 1 }; for (size_t j = 0; j < CONST_PROOF_SIZE_LOG_N + 2; ++j) { shplonk_challenge_power *= shplonk_batching_challenge; } - // get the commitments and scalars vectors from the batch opening claim - auto& commitments = batch_opening_claim.commitments; - auto& scalars = batch_opening_claim.scalars; // needed to keep track of the constant term contribution const size_t idx_of_constant_term = commitments.size() - 1; @@ -486,30 +506,30 @@ template class ShpleminiVerifier_ { // compute shplonk denominators and batch invert them std::vector denominators; size_t num_libra_univariates = libra_univariate_commitments.size(); - for (size_t idx = 0; idx < num_libra_univariates; idx++) { + // compute Shplonk denominators and invert them + for (size_t idx = 0; idx < num_libra_univariates; idx++) { if constexpr (Curve::is_stdlib_type) { - denominators.push_back(Fr(1) / - (shplonk_evaluation_challenge - multivariate_challenge[idx])); // very strange + denominators.push_back(Fr(1) / (shplonk_evaluation_challenge - multivariate_challenge[idx])); } else { denominators.push_back(shplonk_evaluation_challenge - multivariate_challenge[idx]); } }; - if constexpr (!Curve::is_stdlib_type) { Fr::batch_invert(denominators); } - + // add Libra commitments to the vector of commitments; compute corresponding scalars and the correction to the + // constant term Fr constant_term = 0; for (const auto [libra_univariate_commitment, denominator, libra_univariate_evaluation] : zip_view(libra_univariate_commitments, denominators, libra_univariate_evaluations)) { - commitments.push_back(libra_univariate_commitment); + commitments.push_back(std::move(libra_univariate_commitment)); Fr scaling_factor = denominator * shplonk_challenge_power; scalars.push_back((-scaling_factor)); - info("libra scalars? ", -scaling_factor); shplonk_challenge_power *= shplonk_batching_challenge; constant_term += scaling_factor * libra_univariate_evaluation; } + scalars[idx_of_constant_term] += constant_term; } }; diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp index 1044b00e8eb..3bf5c466d34 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp @@ -251,24 +251,23 @@ TYPED_TEST(ShpleminiTest, ShpleminiWithMaskingLibraUnivariates) std::vector> libra_univariates; std::vector libra_commitments; - std::vector libra_univariate_monomial; std::vector libra_evaluations; for (size_t idx = 0; idx < log_n; idx++) { - // generate random univariate - auto libra_polynomial = bb::Univariate::get_random(); - // populate the vector of libra evaluations - libra_evaluations.push_back(libra_polynomial.evaluate(mle_opening_point[idx])); - - // libra_univariates.push_back(libra_polynomial); - // interpolate polynomial from evals - Polynomial libra_monomial = - Polynomial(std::span(interpolation_domain), std::span(libra_polynomial), LIBRA_UNIVARIATE_LENGTH); - - ASSERT_EQ(libra_polynomial.evaluate(mle_opening_point[idx]), libra_monomial.evaluate(mle_opening_point[idx])); - libra_univariate_monomial.push_back(libra_monomial); - // commit and populate the vector of libra commitments - Commitment libra_commitment = this->commit(libra_monomial); + // generate random polynomial + Polynomial libra_polynomial = Polynomial::random(LIBRA_UNIVARIATE_LENGTH); + // create a univariate with the same coefficients (to store an array intead of a vector) + bb::Univariate libra_univariate; + for (size_t i = 0; i < LIBRA_UNIVARIATE_LENGTH; i++) { + libra_univariate.value_at(i) = libra_polynomial[i]; + } + libra_univariates.push_back(libra_univariate); + + // commit to libra polynomial and populate the vector of libra commitments + Commitment libra_commitment = this->commit(libra_polynomial); libra_commitments.push_back(libra_commitment); + + // evaluate current libra univariate at the corresponding challenge and store the value in libra evaluations + libra_evaluations.push_back(libra_polynomial.evaluate(mle_opening_point[idx])); } Commitment commitment1 = this->commit(poly1); @@ -298,7 +297,7 @@ TYPED_TEST(ShpleminiTest, ShpleminiWithMaskingLibraUnivariates) prover_transcript, {}, {}, - RefVector(libra_univariate_monomial), + libra_univariates, libra_evaluations); if constexpr (std::is_same_v) { IPA::compute_opening_proof(this->ck(), opening_claim, prover_transcript); @@ -319,10 +318,12 @@ TYPED_TEST(ShpleminiTest, ShpleminiWithMaskingLibraUnivariates) RefArray{ eval2_shift, eval3_shift }, mle_opening_point, this->vk()->get_g1_identity(), - verifier_transcript); + verifier_transcript, + {}, + {}, + RefVector(libra_commitments), + libra_evaluations); - ShpleminiVerifier::add_zk_data( - batch_opening_claim, RefVector(libra_commitments), libra_evaluations, mle_opening_point); if constexpr (std::is_same_v) { auto result = IPA::reduce_verify_batch_opening_claim(batch_opening_claim, this->vk(), verifier_transcript); EXPECT_EQ(result, true); diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp index 89fd2c37442..2d9454d0f93 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp @@ -79,16 +79,11 @@ bool ECCVMVerifier::verify_proof(const HonkProof& proof) claimed_evaluations.get_shifted(), multivariate_challenge, key->pcs_verification_key->get_g1_identity(), - transcript); - Shplemini::add_zk_data( - sumcheck_batch_opening_claims, RefVector(libra_commitments), libra_evaluations, multivariate_challenge); - // for (auto scalar : sumcheck_batch_opening_claims.scalars) { - // info("native batching scalar", scalar); - // } - - info("native point after zk data ", - batch_mul_native(sumcheck_batch_opening_claims.commitments, sumcheck_batch_opening_claims.scalars)); - info("scalars native size", sumcheck_batch_opening_claims.scalars.size()); + transcript, + {}, + {}, + RefVector(libra_commitments), + libra_evaluations); // Reduce the accumulator to a single opening claim const OpeningClaim multivariate_to_univariate_opening_claim = diff --git a/barretenberg/cpp/src/barretenberg/relations/utils.hpp b/barretenberg/cpp/src/barretenberg/relations/utils.hpp index 57a8ab08f5d..c7b85b041af 100644 --- a/barretenberg/cpp/src/barretenberg/relations/utils.hpp +++ b/barretenberg/cpp/src/barretenberg/relations/utils.hpp @@ -156,7 +156,6 @@ template class RelationUtils { const Parameters& relation_parameters, const FF& partial_evaluation_result) { - info("pow value? ", partial_evaluation_result); constexpr_for<0, NUM_RELATIONS, 1>([&]() { // FIXME: You wan't /*consider_skipping=*/false here, but tests need to be fixed. accumulate_single_relation( diff --git a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp index 1264ed220a3..8d343556b51 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp @@ -101,15 +101,11 @@ template void ECCVMRecursiveVerifier_::verify_proof(co claimed_evaluations.get_shifted(), multivariate_challenge, key->pcs_verification_key->get_g1_identity(), - transcript); - info("non-native point", - Commitment::batch_mul(sumcheck_batch_opening_claims.commitments, sumcheck_batch_opening_claims.scalars)); - Shplemini::add_zk_data( - sumcheck_batch_opening_claims, RefVector(libra_commitments), libra_evaluations, multivariate_challenge); - - info("non-native point after zk data", - Commitment::batch_mul(sumcheck_batch_opening_claims.commitments, sumcheck_batch_opening_claims.scalars, true)); - info("scalars recursive size", sumcheck_batch_opening_claims.scalars.size()); + transcript, + {}, + {}, + RefVector(libra_commitments), + libra_evaluations); // Reduce the accumulator to a single opening claim const OpeningClaim multivariate_to_univariate_opening_claim = PCS::reduce_batch_opening_claim(sumcheck_batch_opening_claims); diff --git a/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp index 229468bd0f0..b956bc641f5 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp @@ -119,7 +119,7 @@ std::array TranslatorRecursiveVerifier_ opening_claim = + const BatchOpeningClaim opening_claim = Shplemini::compute_batch_opening_claim(circuit_size, commitments.get_unshifted_without_concatenated(), commitments.get_to_be_shifted(), @@ -129,8 +129,9 @@ std::array TranslatorRecursiveVerifier_ class SumcheckProver { // Place evaluations of Sumcheck Round Univariate in the transcript transcript->send_to_verifier("Sumcheck:univariate_" + std::to_string(round_idx), round_univariate); FF round_challenge = transcript->template get_challenge("Sumcheck:u_" + std::to_string(round_idx)); - // info("round challenge prover ", round_challenge); multivariate_challenge.emplace_back(round_challenge); // Prepare sumcheck book-keeping table for the next round @@ -274,7 +273,6 @@ template class SumcheckProver { const FF& libra_evaluation = zk_sumcheck_data.libra_evaluations[idx]; std::string libra_evaluation_label = "Libra:evaluation_" + std::to_string(idx); transcript->send_to_verifier(libra_evaluation_label, libra_evaluation); - // info("libra evaluation Prover ", libra_evaluation); } }; @@ -369,90 +367,13 @@ polynomials that are sent in clear. ClaimedEvaluations extract_claimed_evaluations(PartiallyEvaluatedMultivariates& partially_evaluated_polynomials) { ClaimedEvaluations multivariate_evaluations; - // if constexpr (!Flavor::HasZK) { for (auto [eval, poly] : zip_view(multivariate_evaluations.get_all(), partially_evaluated_polynomials.get_all())) { eval = poly[0]; }; - // } else { - // // Extract claimed evaluations of non-witness polynomials - // for (auto [eval, poly] : zip_view(multivariate_evaluations.get_non_witnesses(), - // partially_evaluated_polynomials.get_non_witnesses())) { - // eval = poly[0]; - // }; - // // Extract claimed evaluations of all witness polynomials - // for (auto [eval, poly, masking_term] : zip_view(multivariate_evaluations.get_all_witnesses(), - // partially_evaluated_polynomials.get_all_witnesses(), - // zk_sumcheck_data.masking_terms_evaluations)) { - // eval = poly[0] + masking_term.value_at(0); - // } - // } return multivariate_evaluations; }; - public: - // static void setup_zk_sumcheck_data(ZKSumcheckData& zk_sumcheck_data, - // const size_t multivariate_d, - // std::shared_ptr transcript) - // { - - // EvalMaskingScalars eval_masking_scalars; - - // for (size_t k = 0; k < NUM_ALL_WITNESS_ENTITIES; ++k) { - // // TODO(https://github.com/AztecProtocol/barretenberg/issues/1136): Once Shplemini supports ZK, these - // // constants must be generated in Oink - // eval_masking_scalars[k] = FF(0); - // }; - // // Generate random scalars \f$ \rho_1,\ldots, \rho_{N_w}\f$ to mask the evaluations of witness polynomials - // and - // // populate the table masking_terms_evaluations with the terms \f$ \rho_j \cdot (1-k) \cdot k \f$ - // auto masking_terms_evaluations = create_evaluation_masking_table(eval_masking_scalars); - // // Generate random Libra Polynomials to mask Round Univariates. - // LibraUnivariates libra_univariates = generate_libra_polynomials(multivariate_d); - // // have to commit to libra_univariates here - // auto libra_scaling_factor = FF(1); - // FF libra_total_sum = compute_libra_total_sum(libra_univariates, libra_scaling_factor); - // transcript->send_to_verifier("Libra:Sum", libra_total_sum); - // // get the challenge for the zk-sumcheck claim \sigma + \rho \cdot libra_total_sum - // FF libra_challenge = transcript->template get_challenge("Libra:Challenge"); - // // Initialize Libra running sum by multiplpying it by Libra challenge \f$\rho\f$; - // auto libra_running_sum = libra_total_sum * libra_challenge; - // // Multiply the column-univariates of the array of libra polynomials by libra challenge and power of \f$ - // 2\f$, - // // modify libra running_sum subtracting the contribution from the first univariate - // setup_libra_data(libra_univariates, libra_scaling_factor, libra_challenge, libra_running_sum); - - // std::vector libra_evaluations; - // libra_evaluations.reserve(multivariate_d); - // zk_sumcheck_data = ZKSumcheckData{ eval_masking_scalars, masking_terms_evaluations, - // libra_univariates, - // libra_scaling_factor, libra_challenge, libra_running_sum, - // libra_evaluations }; - // }; - - /** - * @brief Update the table of masking quadratic terms by adding a contribution from a current challenge. - * - @details At initialization, \f$j\f$'th column of the masking terms evaluations table is a vector \f$(0, 0, \rho_2 - \cdot 2, \ldots, \rho_j \cdot k (1-k), \ldots, \rho_j \cdot (D-1) (1-(D-1)))\f$. Upon getting current round - challenge, the prover adds the term \f$ \rho_j \cdot u_i \cdot (1-u_i)\f$ to each entry in the table. - - It is useful at the stage of evaluating the relation \f$ \tilde{F} \f$ at the arguments given by the values of - \f$(\widehat{P}_1, \ldots, \widehat{P}_{N_w})\f$ at the points \f$u_0,\ldots, u_{i}, k, \vec \ell)\f$. - * @param evaluations - * @param masking_scalars - * @param round_challenge - */ - // void update_masking_terms_evaluations(ZKSumcheckData& zk_sumcheck_data, FF round_challenge) - // { - // for (auto [masking_term, masking_scalar] : - // zip_view(zk_sumcheck_data.masking_terms_evaluations, zk_sumcheck_data.eval_masking_scalars)) { - // for (size_t k = 0; k < MAX_PARTIAL_RELATION_LENGTH; ++k) { - // masking_term.value_at(k) += round_challenge * (FF(1) - round_challenge) * masking_scalar; - // } - // } - // } - /** * @brief Upon receiving the challenge \f$u_i\f$, the prover updates Libra data. If \f$ i < d-1\f$ @@ -628,18 +549,6 @@ template class SumcheckVerifier { bb::GateSeparatorPolynomial gate_separators(gate_challenges); - for (auto gate_challenge : gate_challenges) { - info("gate challenge ", gate_challenge); - } - - info("rel gamma", relation_parameters.gamma); - info("rel beta", relation_parameters.beta); - info("rel beta_sqr", relation_parameters.beta_sqr); - info("beta cube", relation_parameters.beta_cube); - info("set perm delta", relation_parameters.eccvm_set_permutation_delta); - // info(" relation_parameters.eccvm_set_permutation_delta = - // relation_parameters.eccvm_set_permutation_delta.invert(); - // All but final round. // target_total_sum is initialized to zero then mutated in place. @@ -652,10 +561,8 @@ template class SumcheckVerifier { if constexpr (Flavor::HasZK) { // get the claimed sum of libra masking multivariate over the hypercube libra_total_sum = transcript->template receive_from_prover("Libra:Sum"); - info("libra tot sum verifier ", libra_total_sum); // get the challenge for the ZK Sumcheck claim libra_challenge = transcript->template get_challenge("Libra:Challenge"); - info("libra challenge Verifier ", libra_challenge); } std::vector multivariate_challenge; multivariate_challenge.reserve(multivariate_d); @@ -671,19 +578,16 @@ template class SumcheckVerifier { transcript->template receive_from_prover>( round_univariate_label); FF round_challenge = transcript->template get_challenge("Sumcheck:u_" + std::to_string(round_idx)); - // info("round challenge verifier ", round_challenge); if constexpr (IsRecursiveFlavor) { typename Flavor::CircuitBuilder* builder = round_challenge.get_context(); // TODO(https://github.com/AztecProtocol/barretenberg/issues/1114): insecure! stdlib::bool_t dummy_round = stdlib::witness_t(builder, round_idx >= multivariate_d); bool checked = round.check_sum(round_univariate, dummy_round); - // info("checked? ", checked); // Only utilize the checked value if this is not a constant proof size padding round if (round_idx < multivariate_d) { verified = verified && checked; } - // info("verified? ", verified); multivariate_challenge.emplace_back(round_challenge); @@ -694,7 +598,6 @@ template class SumcheckVerifier { if (round_idx < multivariate_d) { bool checked = round.check_sum(round_univariate); verified = verified && checked; - info("verified? ", checked); multivariate_challenge.emplace_back(round_challenge); round.compute_next_target_sum(round_univariate, round_challenge); @@ -711,7 +614,6 @@ template class SumcheckVerifier { for (size_t idx = 0; idx < multivariate_d; idx++) { libra_evaluations[idx] = transcript->template receive_from_prover("Libra:evaluation_" + std::to_string(idx)); - info("libra eval Verifier ", libra_evaluations[idx]); full_libra_purported_value += libra_evaluations[idx]; }; full_libra_purported_value *= libra_challenge; @@ -720,27 +622,14 @@ template class SumcheckVerifier { ClaimedEvaluations purported_evaluations; auto transcript_evaluations = transcript->template receive_from_prover>("Sumcheck:evaluations"); - // size_t idx = 0; for (auto [eval, transcript_eval] : zip_view(purported_evaluations.get_all(), transcript_evaluations)) { eval = transcript_eval; - - // if constexpr (IsRecursiveFlavor) { - // info("recursive eval ", idx, " ", transcript_eval); - // } else { - // info("native eval ", idx, " ", transcript_eval); - // } - // idx++; } // Evaluate the Honk relation at the point (u_0, ..., u_{d-1}) using claimed evaluations of prover polynomials. // In ZK Flavors, the evaluation is corrected by full_libra_purported_value - if constexpr (Flavor::HasZK) { - info("libra relation accumulated ", full_libra_purported_value); - } FF full_honk_purported_value = round.compute_full_relation_purported_value( purported_evaluations, relation_parameters, gate_separators, alpha, full_libra_purported_value); - info("honk value? ", full_honk_purported_value); - info("round target tot sum ", round.target_total_sum); bool final_check(false); //! [Final Verification Step] @@ -749,8 +638,7 @@ template class SumcheckVerifier { } else { final_check = (full_honk_purported_value == round.target_total_sum); } - info("verified?", verified); - info("final check? ", final_check); + verified = final_check && verified; // For ZK Flavors: the evaluations of Libra univariates are included in the Sumcheck Output if constexpr (!Flavor::HasZK) { diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck_round.hpp b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck_round.hpp index 6f7c4cd1bb8..32b2d49d870 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck_round.hpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck_round.hpp @@ -532,56 +532,13 @@ template class SumcheckVerifierRound { const RelationSeparator alpha, std::optional full_libra_purported_value = std::nullopt) { - info("pow = ", gate_sparators.partial_evaluation_result); - // size_t idx = 0; - // for (auto eval : purported_evaluations.get_all()) { - // info("evals ", idx, " ", eval); - // idx++; - // } Utils::template accumulate_relation_evaluations_without_skipping<>( purported_evaluations, relation_evaluations, relation_parameters, gate_sparators.partial_evaluation_result); - // info("rel eval <0>"); - // for (size_t idx = 0; idx < std::get<0>(relation_evaluations).size(); idx++) { - // info(std::get<0>(relation_evaluations)[idx]); - // } - - // info("rel eval <1>"); - - // for (size_t idx = 0; idx < std::get<1>(relation_evaluations).size(); idx++) { - // info(std::get<1>(relation_evaluations)[idx]); - // } - // info("rel eval <2>"); - - // for (size_t idx = 0; idx < std::get<2>(relation_evaluations).size(); idx++) { - // info(std::get<2>(relation_evaluations)[idx]); - // } - // info("rel eval <3>"); - - // for (size_t idx = 0; idx < std::get<3>(relation_evaluations).size(); idx++) { - // info(std::get<3>(relation_evaluations)[idx]); - // } - // info("rel eval <4>"); - - // for (size_t idx = 0; idx < std::get<4>(relation_evaluations).size(); idx++) { - // info(std::get<4>(relation_evaluations)[idx]); - // } - // info("rel eval <5>"); - - // for (size_t idx = 0; idx < std::get<5>(relation_evaluations).size(); idx++) { - // info(std::get<5>(relation_evaluations)[idx]); - // } - // info("rel eval <6>"); - // for (size_t idx = 0; idx < std::get<6>(relation_evaluations).size(); idx++) { - // info(std::get<6>(relation_evaluations)[idx]); - // } FF running_challenge{ 1 }; FF output{ 0 }; Utils::scale_and_batch_elements(relation_evaluations, alpha, running_challenge, output); - // info("honk without libra?", output); - - // info("after reduction ", output); if constexpr (Flavor::HasZK) { output += full_libra_purported_value.value(); if constexpr (IsECCVMRecursiveFlavor) { diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp b/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp index 3ede0fc5a58..20b507475a4 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp @@ -30,14 +30,13 @@ template struct ZKSumcheckData { static constexpr size_t LIBRA_UNIVARIATES_LENGTH = Flavor::HasZK ? Flavor::BATCHED_RELATION_PARTIAL_LENGTH : 0; // Container for the Libra Univariates. Their number depends on the size of the circuit. using LibraUnivariates = std::vector>; - using LibraUnivariatesInMonomialBasis = std::vector>; // Container for the evaluations of Libra Univariates that have to be proven. using ClaimedLibraEvaluations = std::vector; // EvalMaskingScalars eval_masking_scalars; // EvaluationMaskingTable masking_terms_evaluations; LibraUnivariates libra_univariates; - LibraUnivariatesInMonomialBasis libra_univariates_monomial; + LibraUnivariates libra_univariates_monomial; FF libra_scaling_factor{ 1 }; FF libra_challenge; FF libra_running_sum; @@ -73,31 +72,29 @@ template struct ZKSumcheckData { std::shared_ptr proving_key = nullptr) { - // Generate random Libra polynomials - libra_univariates = generate_libra_polynomials(multivariate_d); - + // Generate random Libra polynomials in the Lagrange basis + libra_univariates = generate_libra_univariates(multivariate_d); + // To commit to libra_univariates and open them later, need to get their coefficients in the monomial basis libra_univariates_monomial = transform_to_monomial(libra_univariates); + // If proving_key is provided, commit to libra_univariates if (proving_key != nullptr) { size_t idx = 0; for (auto& libra_univariate_monomial : libra_univariates_monomial) { - auto libra_commitment = proving_key->commitment_key->commit(libra_univariate_monomial); + auto libra_commitment = proving_key->commitment_key->commit(Polynomial(libra_univariate_monomial)); transcript->send_to_verifier("Libra:commitment_" + std::to_string(idx), libra_commitment); - // info("libra comm prover", libra_commitment); idx++; } } // Compute the total sum of the Libra polynomials libra_scaling_factor = FF(1); FF libra_total_sum = compute_libra_total_sum(libra_univariates, libra_scaling_factor); - info("libra total sum", libra_total_sum); // Send the Libra total sum to the transcript transcript->send_to_verifier("Libra:Sum", libra_total_sum); // Receive the Libra challenge from the transcript libra_challenge = transcript->template get_challenge("Libra:Challenge"); - info("Libra challenge Prover ", libra_challenge); // Initialize the Libra running sum libra_running_sum = libra_total_sum * libra_challenge; @@ -112,44 +109,46 @@ template struct ZKSumcheckData { * independent uniformly random coefficients. * */ - - static LibraUnivariates generate_libra_polynomials(const size_t number_of_polynomials + static LibraUnivariates generate_libra_univariates(const size_t number_of_polynomials // LibraUnivariatesInMonomialBasis& libra_univariates_monomial ) { LibraUnivariates libra_full_polynomials(number_of_polynomials); - // for (size_t idx = 0; idx < LIBRA_UNIVARIATES_LENGTH; idx++) { - // interpolation_domain[idx] = FF(idx); - // } - for (auto& libra_polynomial : libra_full_polynomials) { - // generate random polynomial of required size libra_polynomial = bb::Univariate::get_random(); - // Polynomial libra_univariate_monomial( - // std::span(interpolation_domain), std::span(libra_polynomial), LIBRA_UNIVARIATES_LENGTH); - // libra_univariates_monomial.push_back(libra_univariate_monomial); }; return libra_full_polynomials; }; - - static LibraUnivariatesInMonomialBasis transform_to_monomial(const LibraUnivariates& libra_full_polynomials) + /** + * @brief Transform Libra univariates from Lagrange to monomial form + * + * @param libra_full_polynomials + * @return LibraUnivariates + */ + static LibraUnivariates transform_to_monomial(const LibraUnivariates& libra_full_polynomials) { std::array interpolation_domain; - info("libra univar length", LIBRA_UNIVARIATES_LENGTH); - LibraUnivariatesInMonomialBasis libra_univariates_monomial; + LibraUnivariates libra_univariates_monomial; libra_univariates_monomial.reserve(libra_full_polynomials.size()); - info("size ", libra_univariates_monomial.size()); for (size_t idx = 0; idx < LIBRA_UNIVARIATES_LENGTH; idx++) { interpolation_domain[idx] = FF(idx); } for (auto& libra_polynomial : libra_full_polynomials) { - // generate random polynomial of required size - Polynomial libra_univariate_monomial( + + // Use the efficient Lagrange interpolation + Polynomial libra_polynomial_monomial( std::span(interpolation_domain), std::span(libra_polynomial), LIBRA_UNIVARIATES_LENGTH); - libra_univariates_monomial.push_back(libra_univariate_monomial); + + // To avoid storing Polynomials (coefficients are vectors), we define a univariate with the coefficients + // interpolated above + bb::Univariate libra_univariate; + for (size_t idx = 0; idx < LIBRA_UNIVARIATES_LENGTH; idx++) { + libra_univariate.value_at(idx) = libra_polynomial_monomial[idx]; + } + libra_univariates_monomial.push_back(libra_univariate); }; return libra_univariates_monomial; }; @@ -162,12 +161,12 @@ template struct ZKSumcheckData { * @param scaling_factor * @return FF */ - static FF compute_libra_total_sum(auto libra_univariates, FF& scaling_factor) + static FF compute_libra_total_sum(const LibraUnivariates& libra_univariates, FF& scaling_factor) { FF total_sum = 0; scaling_factor = scaling_factor / 2; - for (auto univariate : libra_univariates) { + for (auto& univariate : libra_univariates) { total_sum += univariate.value_at(0) + univariate.value_at(1); scaling_factor *= 2; } diff --git a/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp b/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp index f9158047fc2..7025f3b2025 100644 --- a/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp @@ -115,7 +115,7 @@ bool TranslatorVerifier::verify_proof(const HonkProof& proof) return false; } - BatchOpeningClaim opening_claim = + const BatchOpeningClaim opening_claim = Shplemini::compute_batch_opening_claim(circuit_size, commitments.get_unshifted_without_concatenated(), commitments.get_to_be_shifted(), @@ -125,8 +125,9 @@ bool TranslatorVerifier::verify_proof(const HonkProof& proof) Commitment::one(), transcript, commitments.get_groups_to_be_concatenated(), - claimed_evaluations.get_concatenated()); - Shplemini::add_zk_data(opening_claim, RefVector(libra_commitments), libra_evaluations, multivariate_challenge); + claimed_evaluations.get_concatenated(), + RefVector(libra_commitments), + libra_evaluations); const auto pairing_points = PCS::reduce_verify_batch_opening_claim(opening_claim, transcript); auto verified = key->pcs_verification_key->pairing_check(pairing_points[0], pairing_points[1]); From b7584bac982b8e3eb800d380086f0401dd9b72a0 Mon Sep 17 00:00:00 2001 From: iakovenkos Date: Mon, 4 Nov 2024 16:34:50 +0000 Subject: [PATCH 11/17] removed redundant line --- barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp | 1 - 1 file changed, 1 deletion(-) diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp index 324758d692f..8e1c4daac48 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp @@ -32,7 +32,6 @@ template void DeciderProver_::execute_relation_ch { PROFILE_THIS_NAME("sumcheck.prove"); - ZKSumcheckData zk_sumcheck_data = ZKSumcheckData(); sumcheck_output = sumcheck.prove(proving_key->proving_key.polynomials, proving_key->relation_parameters, proving_key->alphas, From 6403477e76e31fb29dc8d91ce5012469f31f9488 Mon Sep 17 00:00:00 2001 From: iakovenkos Date: Mon, 4 Nov 2024 17:16:07 +0000 Subject: [PATCH 12/17] clean-up --- .../barretenberg/commitment_schemes/claim.hpp | 1 - .../commitment_schemes/kzg/kzg.test.cpp | 2 +- .../commitment_schemes/shplonk/shplemini.hpp | 4 +--- .../commitment_schemes/shplonk/shplonk.hpp | 7 ------- .../src/barretenberg/eccvm/eccvm_prover.cpp | 21 ------------------- .../src/barretenberg/eccvm/eccvm_verifier.cpp | 4 ---- .../proof_system/logderivative_library.hpp | 2 -- .../cpp/src/barretenberg/relations/utils.hpp | 1 - .../eccvm_verifier/eccvm_recursive_flavor.hpp | 4 ++-- .../eccvm_recursive_verifier.cpp | 12 +---------- .../eccvm_recursive_verifier.test.cpp | 1 - .../src/barretenberg/sumcheck/sumcheck.hpp | 16 +------------- .../barretenberg/sumcheck/sumcheck.test.cpp | 16 -------------- .../sumcheck/zk_sumcheck_data.hpp | 7 ++++--- .../ultra_honk/decider_prover.cpp | 1 + 15 files changed, 11 insertions(+), 88 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/claim.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/claim.hpp index 3eee1dba270..129cb4df521 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/claim.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/claim.hpp @@ -84,6 +84,5 @@ template struct BatchOpeningClaim { std::vector commitments; std::vector scalars; typename Curve::ScalarField evaluation_point; - typename Curve::ScalarField batching_challenge; }; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp index 5b10d91a19d..813f612ff60 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp @@ -58,7 +58,7 @@ TYPED_TEST(KZGTest, SingleInLagrangeBasis) // define the interpolation domain std::array eval_points = { Fr(0), Fr(1), Fr(2), Fr(3) }; // compute the monomial coefficients - Polynomial witness_polynomial(std::span(eval_points), std::span(witness), n); + Polynomial witness_polynomial(std::span(eval_points), std::span(witness), n); // commit to the polynomial in the monomial form g1::element commitment = this->commit(witness_polynomial); diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp index 8707cae4732..ab102ee0381 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp @@ -120,8 +120,6 @@ template class ShpleminiVerifier_ { using ShplonkVerifier = ShplonkVerifier_; using GeminiVerifier = GeminiVerifier_; - const static Fr final_shplonk_power; - public: template static BatchOpeningClaim compute_batch_opening_claim( @@ -283,7 +281,7 @@ template class ShpleminiVerifier_ { shplonk_evaluation_challenge); } - return { commitments, scalars, shplonk_evaluation_challenge, shplonk_batching_challenge }; + return { commitments, scalars, shplonk_evaluation_challenge }; }; /** * @brief Populates the vectors of commitments and scalars, and computes the evaluation of the batched diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp index 578255db879..65823138a67 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp @@ -52,9 +52,7 @@ template class ShplonkProver_ { Polynomial tmp(max_poly_size); Fr current_nu = Fr::one(); - // size_t idx = 0; for (const auto& claim : opening_claims) { - // Compute individual claim quotient tmp = ( fⱼ(X) − vⱼ) / ( X − xⱼ ) tmp = claim.polynomial; tmp.at(0) = tmp[0] - claim.opening_pair.evaluation; @@ -62,8 +60,6 @@ template class ShplonkProver_ { // Add the claim quotient to the batched quotient polynomial Q.add_scaled(tmp, current_nu); - // info(idx, " prover nu in real claims", current_nu); - // idx++; current_nu *= nu; } for (size_t idx = opening_claims.size(); idx < CONST_PROOF_SIZE_LOG_N + 2; idx++) { @@ -71,7 +67,6 @@ template class ShplonkProver_ { }; for (const auto& claim : libra_opening_claims) { - // info(" current nu in the prover ", current_nu); // Compute individual claim quotient tmp = ( fⱼ(X) − vⱼ) / ( X − xⱼ ) tmp = claim.polynomial; tmp.at(0) = tmp[0] - claim.opening_pair.evaluation; @@ -79,8 +74,6 @@ template class ShplonkProver_ { // Add the claim quotient to the batched quotient polynomial Q.add_scaled(tmp, current_nu); - // info(idx, " prover nu in libra", current_nu); - // idx++; current_nu *= nu; } // Return batched quotient polynomial Q(X) diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp index f074348f916..6957b579fe1 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp @@ -100,30 +100,9 @@ void ECCVMProver::execute_relation_check_rounds() for (size_t idx = 0; idx < gate_challenges.size(); idx++) { gate_challenges[idx] = transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); } - // create masking polynomials for sumcheck round univariates and auxiliary data zk_sumcheck_data = ZKSumcheckData(key->log_circuit_size, transcript, key); - // ZKSumcheckData zk_sumcheck_data_copy = zk_sumcheck_data; - info("some other stuff", zk_sumcheck_data.libra_challenge); - info("monomial size ", zk_sumcheck_data.libra_univariates_monomial.size()); - - // for (auto& eval : zk_sumcheck_data.libra_univariates_monomial) { - // info("exec rounds before sumcheck ", eval); - // } sumcheck_output = sumcheck.prove(key->polynomials, relation_parameters, alpha, gate_challenges, zk_sumcheck_data); - // size_t idx = 0; - - // for (auto [poly_mon, poly_lag] : - // zip_view(zk_sumcheck_data.libra_univariates_monomial, zk_sumcheck_data.libra_univariates)) { - // info("eval at u_", idx); - // auto eval_mon = poly_mon.evaluate(sumcheck_output.challenge[idx]); - // auto eval_lag = poly_lag.evaluate(sumcheck_output.challenge[idx]); - // info(eval_mon, " || ", eval_lag); - // idx++; - // } - // for (auto& eval : zk_sumcheck_data.libra_evaluations) { - // info("right after sumcheck ", eval); - // }; for (auto& eval : sumcheck_output.claimed_libra_evaluations) { info("claimed evals sumcheck outp rounds ", eval); } diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp index 2d9454d0f93..3ae0e994b96 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp @@ -52,7 +52,6 @@ bool ECCVMVerifier::verify_proof(const HonkProof& proof) std::vector gate_challenges(static_cast(numeric::get_msb(key->circuit_size))); for (size_t idx = 0; idx < gate_challenges.size(); idx++) { gate_challenges[idx] = transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); - // info(" gate challenge native ", idx, " ", gate_challenges[idx]); } for (size_t idx = 0; idx < log_circuit_size; idx++) { @@ -62,9 +61,6 @@ bool ECCVMVerifier::verify_proof(const HonkProof& proof) } auto [multivariate_challenge, claimed_evaluations, libra_evaluations, sumcheck_verified] = sumcheck.verify(relation_parameters, alpha, gate_challenges); - // for (size_t idx = 0; idx < multivariate_challenge.size(); idx++) { - // info("sumcheck native challenge u_", idx, " = ", multivariate_challenge[idx]); - // } // If Sumcheck did not verify, return false if (sumcheck_verified.has_value() && !sumcheck_verified.value()) { return false; diff --git a/barretenberg/cpp/src/barretenberg/honk/proof_system/logderivative_library.hpp b/barretenberg/cpp/src/barretenberg/honk/proof_system/logderivative_library.hpp index 3d254496091..940c88c8c6d 100644 --- a/barretenberg/cpp/src/barretenberg/honk/proof_system/logderivative_library.hpp +++ b/barretenberg/cpp/src/barretenberg/honk/proof_system/logderivative_library.hpp @@ -137,9 +137,7 @@ void accumulate_logderivative_lookup_subrelation_contributions(ContainerOverSubr // each predicate is degree-1 // degree of relation at this point = NUM_TOTAL_TERMS + 1 - bb::constexpr_for<0, READ_TERMS, 1>([&]() { - // info("read terms ", READ_TERMS); std::get<1>(accumulator) += Relation::template compute_read_term_predicate(in) * denominator_accumulator[i]; }); diff --git a/barretenberg/cpp/src/barretenberg/relations/utils.hpp b/barretenberg/cpp/src/barretenberg/relations/utils.hpp index c7b85b041af..846fc1d5f9c 100644 --- a/barretenberg/cpp/src/barretenberg/relations/utils.hpp +++ b/barretenberg/cpp/src/barretenberg/relations/utils.hpp @@ -245,7 +245,6 @@ template class RelationUtils { std::copy(challenges.begin(), challenges.end(), tmp.begin() + 1); auto scale_by_challenges_and_accumulate = [&](auto& element) { for (auto& entry : element) { - result += entry * tmp[idx]; idx++; } diff --git a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_flavor.hpp b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_flavor.hpp index f08554c5670..f486752a9cb 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_flavor.hpp @@ -52,8 +52,8 @@ template class ECCVMRecursiveFlavor_ { using Relations = ECCVMFlavor::Relations_; // think these two are not needed for recursive verifier land - using GrandProductRelations = std::tuple>; - using LookupRelation = ECCVMLookupRelation; + // using GrandProductRelations = std::tuple>; + // using LookupRelation = ECCVMLookupRelation; static constexpr size_t MAX_PARTIAL_RELATION_LENGTH = compute_max_partial_relation_length(); // BATCHED_RELATION_PARTIAL_LENGTH = algebraic degree of sumcheck relation *after* multiplying by the `pow_zeta` diff --git a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp index 8d343556b51..1201ff23a5d 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp @@ -46,17 +46,12 @@ template void ECCVMRecursiveVerifier_::verify_proof(co auto beta_sqr = beta * beta; relation_parameters.gamma = gamma; - info("rec gamma ", relation_parameters.gamma); relation_parameters.beta = beta; - info("rec beta ", relation_parameters.beta); relation_parameters.beta_sqr = beta * beta; - info("rec beta.sqr ", relation_parameters.beta_sqr); relation_parameters.beta_cube = beta_sqr * beta; - info("rec beta cube ", relation_parameters.beta_cube); relation_parameters.eccvm_set_permutation_delta = gamma * (gamma + beta_sqr) * (gamma + beta_sqr + beta_sqr) * (gamma + beta_sqr + beta_sqr + beta_sqr); relation_parameters.eccvm_set_permutation_delta = relation_parameters.eccvm_set_permutation_delta.invert(); - info("rec set perm delta after inversion ", relation_parameters.eccvm_set_permutation_delta); // Get commitment to permutation and lookup grand products commitments.lookup_inverses = @@ -70,25 +65,20 @@ template void ECCVMRecursiveVerifier_::verify_proof(co const size_t log_circuit_size = numeric::get_msb(static_cast(circuit_size.get_value())); auto sumcheck = SumcheckVerifier(log_circuit_size, transcript); const FF alpha = transcript->template get_challenge("Sumcheck:alpha"); - info("alpha ", alpha); std::vector gate_challenges(static_cast(numeric::get_msb(key->circuit_size))); for (size_t idx = 0; idx < gate_challenges.size(); idx++) { gate_challenges[idx] = transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); - // info(" gate challenge recrusive ", idx, " ", gate_challenges[idx]); } for (size_t idx = 0; idx < log_circuit_size; idx++) { Commitment libra_commitment = transcript->template receive_from_prover("Libra:commitment_" + std::to_string(idx)); libra_commitments.push_back(libra_commitment); - // info("libra comm V: ", libra_commitment); } + auto [multivariate_challenge, claimed_evaluations, libra_evaluations, sumcheck_verified] = sumcheck.verify(relation_parameters, alpha, gate_challenges); - // for (size_t idx = 0; idx < multivariate_challenge.size(); idx++) { - // info("sumcheck recursive challenge u_", idx, " = ", multivariate_challenge[idx]); - // } info("SUMCHECK verified", sumcheck_verified.value()); // Compute the Shplemini accumulator consisting of the Shplonk evaluation and the commitments and scalars vector diff --git a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.test.cpp b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.test.cpp index 1c79ecfad83..1c2d82719aa 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.test.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.test.cpp @@ -95,7 +95,6 @@ template class ECCVMRecursiveTests : public ::testing InnerVerifier native_verifier(prover.key); bool native_result = native_verifier.verify_proof(proof); EXPECT_TRUE(native_result); - info("native result", native_result); auto recursive_manifest = verifier.transcript->get_manifest(); auto native_manifest = native_verifier.transcript->get_manifest(); for (size_t i = 0; i < recursive_manifest.size(); ++i) { diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp index 8fad192b66c..36e44868035 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp @@ -156,8 +156,6 @@ template class SumcheckProver { std::shared_ptr transcript; SumcheckProverRound round; - // Declare a container for ZK Sumcheck data - // ZKSumcheckData zk_sumcheck_data; /** * @@ -240,7 +238,6 @@ template class SumcheckProver { // Place evaluations of Sumcheck Round Univariate in the transcript transcript->send_to_verifier("Sumcheck:univariate_" + std::to_string(round_idx), round_univariate); FF round_challenge = transcript->template get_challenge("Sumcheck:u_" + std::to_string(round_idx)); - multivariate_challenge.emplace_back(round_challenge); // Prepare sumcheck book-keeping table for the next round partially_evaluate(partially_evaluated_polynomials, round.round_size, round_challenge); @@ -399,7 +396,7 @@ polynomials that are sent in clear. * @param libra_running_sum * @param libra_evaluations */ - void update_libra_data(ZKSumcheckData& zk_sumcheck_data, const FF round_challenge, size_t round_idx) + void update_zk_sumcheck_data(ZKSumcheckData& zk_sumcheck_data, const FF round_challenge, size_t round_idx) { // when round_idx = d - 1, the update is not needed if (round_idx < zk_sumcheck_data.libra_univariates.size() - 1) { @@ -430,11 +427,6 @@ polynomials that are sent in clear. }; } - void update_zk_sumcheck_data(ZKSumcheckData& zk_sumcheck_data, FF round_challenge, size_t round_idx) - { - update_libra_data(zk_sumcheck_data, round_challenge, round_idx); - // update_masking_terms_evaluations(zk_sumcheck_data, round_challenge); - } /** * @brief By the design of ZK Sumcheck, instead of claimed evaluations of witness polynomials \f$ P_1, \ldots, P_{N_w} \f$, the prover sends the evaluations of the witness polynomials masked by the terms \f$ \rho_j @@ -548,7 +540,6 @@ template class SumcheckVerifier { bool verified(true); bb::GateSeparatorPolynomial gate_separators(gate_challenges); - // All but final round. // target_total_sum is initialized to zero then mutated in place. @@ -588,7 +579,6 @@ template class SumcheckVerifier { if (round_idx < multivariate_d) { verified = verified && checked; } - multivariate_challenge.emplace_back(round_challenge); round.compute_next_target_sum(round_univariate, round_challenge, dummy_round); @@ -598,7 +588,6 @@ template class SumcheckVerifier { if (round_idx < multivariate_d) { bool checked = round.check_sum(round_univariate); verified = verified && checked; - multivariate_challenge.emplace_back(round_challenge); round.compute_next_target_sum(round_univariate, round_challenge); gate_separators.partially_evaluate(round_challenge); @@ -625,12 +614,10 @@ template class SumcheckVerifier { for (auto [eval, transcript_eval] : zip_view(purported_evaluations.get_all(), transcript_evaluations)) { eval = transcript_eval; } - // Evaluate the Honk relation at the point (u_0, ..., u_{d-1}) using claimed evaluations of prover polynomials. // In ZK Flavors, the evaluation is corrected by full_libra_purported_value FF full_honk_purported_value = round.compute_full_relation_purported_value( purported_evaluations, relation_parameters, gate_separators, alpha, full_libra_purported_value); - bool final_check(false); //! [Final Verification Step] if constexpr (IsRecursiveFlavor) { @@ -638,7 +625,6 @@ template class SumcheckVerifier { } else { final_check = (full_honk_purported_value == round.target_total_sum); } - verified = final_check && verified; // For ZK Flavors: the evaluations of Libra univariates are included in the Sumcheck Output if constexpr (!Flavor::HasZK) { diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.test.cpp b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.test.cpp index d1ce338d128..174f62fa598 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.test.cpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.test.cpp @@ -146,10 +146,8 @@ template class SumcheckTests : public ::testing::Test { if constexpr (Flavor::HasZK) { ZKSumcheckData zk_sumcheck_data(multivariate_d, transcript); - info("size lib univar ", zk_sumcheck_data.libra_univariates.size()); output = sumcheck.prove(full_polynomials, {}, alpha, gate_challenges, zk_sumcheck_data); } else { - info("here?"); output = sumcheck.prove(full_polynomials, {}, alpha, gate_challenges); } FF u_0 = output.challenge[0]; @@ -223,7 +221,6 @@ template class SumcheckTests : public ::testing::Test { RelationSeparator prover_alpha; for (size_t idx = 0; idx < prover_alpha.size(); idx++) { prover_alpha[idx] = prover_transcript->template get_challenge("Sumcheck:alpha_" + std::to_string(idx)); - info("prover alpha ", prover_alpha[idx]); } std::vector prover_gate_challenges(multivariate_d); for (size_t idx = 0; idx < multivariate_d; idx++) { @@ -233,15 +230,9 @@ template class SumcheckTests : public ::testing::Test { SumcheckOutput output; if constexpr (Flavor::HasZK) { ZKSumcheckData zk_sumcheck_data(multivariate_d, prover_transcript); - info("size lib univar ", zk_sumcheck_data.libra_univariates.size()); output = sumcheck_prover.prove( full_polynomials, relation_parameters, prover_alpha, prover_gate_challenges, zk_sumcheck_data); - for (auto eval : output.claimed_evaluations.get_all()) { - info("prover eval: ", eval); - }; - } else { - info("here?"); output = sumcheck_prover.prove(full_polynomials, relation_parameters, prover_alpha, prover_gate_challenges); } @@ -252,7 +243,6 @@ template class SumcheckTests : public ::testing::Test { for (size_t idx = 0; idx < verifier_alpha.size(); idx++) { verifier_alpha[idx] = verifier_transcript->template get_challenge("Sumcheck:alpha_" + std::to_string(idx)); - info("alpha ", verifier_alpha[idx]); } std::vector verifier_gate_challenges(multivariate_d); for (size_t idx = 0; idx < multivariate_d; idx++) { @@ -261,10 +251,6 @@ template class SumcheckTests : public ::testing::Test { } auto verifier_output = sumcheck_verifier.verify(relation_parameters, verifier_alpha, verifier_gate_challenges); - for (auto eval : verifier_output.claimed_evaluations.get_all()) { - info("verifier eval: ", eval); - } - auto verified = verifier_output.verified.value(); EXPECT_EQ(verified, true); @@ -332,11 +318,9 @@ template class SumcheckTests : public ::testing::Test { if constexpr (Flavor::HasZK) { // construct libra masking polynomials and compute auxiliary data ZKSumcheckData zk_sumcheck_data(multivariate_d, prover_transcript); - info("size lib univar ", zk_sumcheck_data.libra_univariates.size()); output = sumcheck_prover.prove( full_polynomials, relation_parameters, prover_alpha, prover_gate_challenges, zk_sumcheck_data); } else { - info("here?"); output = sumcheck_prover.prove(full_polynomials, relation_parameters, prover_alpha, prover_gate_challenges); } diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp b/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp index 20b507475a4..7c46f5fe360 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp @@ -126,7 +126,7 @@ template struct ZKSumcheckData { * @param libra_full_polynomials * @return LibraUnivariates */ - static LibraUnivariates transform_to_monomial(const LibraUnivariates& libra_full_polynomials) + static LibraUnivariates transform_to_monomial(LibraUnivariates& libra_full_polynomials) { std::array interpolation_domain; LibraUnivariates libra_univariates_monomial; @@ -139,8 +139,9 @@ template struct ZKSumcheckData { for (auto& libra_polynomial : libra_full_polynomials) { // Use the efficient Lagrange interpolation - Polynomial libra_polynomial_monomial( - std::span(interpolation_domain), std::span(libra_polynomial), LIBRA_UNIVARIATES_LENGTH); + Polynomial libra_polynomial_monomial(std::span(interpolation_domain), + std::span(libra_polynomial.evaluations), + LIBRA_UNIVARIATES_LENGTH); // To avoid storing Polynomials (coefficients are vectors), we define a univariate with the coefficients // interpolated above diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp index 8e1c4daac48..5c38536fd55 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp @@ -32,6 +32,7 @@ template void DeciderProver_::execute_relation_ch { PROFILE_THIS_NAME("sumcheck.prove"); + sumcheck_output = sumcheck.prove(proving_key->proving_key.polynomials, proving_key->relation_parameters, proving_key->alphas, From 8a1e95f7fa0320dae92017eca7c6f73ab405c3f4 Mon Sep 17 00:00:00 2001 From: iakovenkos Date: Mon, 4 Nov 2024 18:16:06 +0000 Subject: [PATCH 13/17] fix: link zero constraint relation in translator --- .../relations/translator_vm/translator_extra_relations.cpp | 1 + .../cpp/src/barretenberg/translator_vm/translator_flavor.hpp | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_extra_relations.cpp b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_extra_relations.cpp index cd7163c9a7d..eafbafc88b0 100644 --- a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_extra_relations.cpp +++ b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_extra_relations.cpp @@ -8,4 +8,5 @@ template class TranslatorZeroConstraintsRelationImpl; DEFINE_SUMCHECK_RELATION_CLASS(TranslatorOpcodeConstraintRelationImpl, TranslatorFlavor); DEFINE_SUMCHECK_RELATION_CLASS(TranslatorAccumulatorTransferRelationImpl, TranslatorFlavor); +DEFINE_SUMCHECK_RELATION_CLASS(TranslatorZeroConstraintsRelationImpl, TranslatorFlavor); } // namespace bb \ No newline at end of file diff --git a/barretenberg/cpp/src/barretenberg/translator_vm/translator_flavor.hpp b/barretenberg/cpp/src/barretenberg/translator_vm/translator_flavor.hpp index f9140c07f2f..dced2b66d4f 100644 --- a/barretenberg/cpp/src/barretenberg/translator_vm/translator_flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/translator_vm/translator_flavor.hpp @@ -110,7 +110,8 @@ class TranslatorFlavor { typename TranslatorOpcodeConstraintRelation::SumcheckTupleOfUnivariatesOverSubrelations, typename TranslatorAccumulatorTransferRelation::SumcheckTupleOfUnivariatesOverSubrelations, typename TranslatorDecompositionRelation::SumcheckTupleOfUnivariatesOverSubrelations, - typename TranslatorNonNativeFieldRelation::SumcheckTupleOfUnivariatesOverSubrelations>; + typename TranslatorNonNativeFieldRelation::SumcheckTupleOfUnivariatesOverSubrelations, + typename TranslatorZeroConstraintsRelation::SumcheckTupleOfUnivariatesOverSubrelations>; using TupleOfArraysOfValues = decltype(create_tuple_of_arrays_of_values()); /** From 25045568422c4e587a507cb7c70d0bedef175094 Mon Sep 17 00:00:00 2001 From: iakovenkos Date: Tue, 5 Nov 2024 11:39:46 +0000 Subject: [PATCH 14/17] fix bb native tests --- .../commitment_schemes/shplonk/shplemini.hpp | 1 + .../shplonk/shplemini.test.cpp | 35 +++++++++++-------- .../src/barretenberg/eccvm/eccvm_prover.cpp | 9 ++--- .../src/barretenberg/eccvm/eccvm_verifier.cpp | 7 ++-- .../src/barretenberg/eccvm/eccvm_verifier.hpp | 1 - .../eccvm_recursive_verifier.cpp | 8 ++--- .../eccvm_recursive_verifier.hpp | 1 - .../translator_recursive_verifier.cpp | 1 + .../translator_recursive_verifier.hpp | 1 - .../translator_vm/translator_verifier.cpp | 3 ++ .../translator_vm/translator_verifier.hpp | 1 - 11 files changed, 37 insertions(+), 31 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp index ab102ee0381..af752a7f687 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp @@ -528,6 +528,7 @@ template class ShpleminiVerifier_ { constant_term += scaling_factor * libra_univariate_evaluation; } + // update the constant term of the Shplonk batched claim scalars[idx_of_constant_term] += constant_term; } }; diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp index 3bf5c466d34..9b8bbd6444b 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp @@ -223,6 +223,12 @@ TYPED_TEST(ShpleminiTest, CorrectnessOfGeminiClaimBatching) EXPECT_EQ(shplemini_result, expected_result); } +/** + * @brief Libra masking univariates are used in sumcheck to prevent the leakage of witness data through the evaluations + * of round univariates. Here we test the opening of log_n Libra masking univariates batched with the opening of several + * prover polynomials and their shifts. + * + */ TYPED_TEST(ShpleminiTest, ShpleminiWithMaskingLibraUnivariates) { using ShpleminiProver = ShpleminiProver_; @@ -295,8 +301,8 @@ TYPED_TEST(ShpleminiTest, ShpleminiWithMaskingLibraUnivariates) mle_opening_point, this->ck(), prover_transcript, - {}, - {}, + /* concatenated_polynomials = */ {}, + /* groups_to_be_concatenated = */ {}, libra_univariates, libra_evaluations); if constexpr (std::is_same_v) { @@ -311,18 +317,19 @@ TYPED_TEST(ShpleminiTest, ShpleminiWithMaskingLibraUnivariates) // Gemini verifier output: // - claim: d+1 commitments to Fold_{r}^(0), Fold_{-r}^(0), Fold^(l), d+1 evaluations a_0_pos, a_l, l = 0:d-1 - auto batch_opening_claim = ShpleminiVerifier::compute_batch_opening_claim(n, - RefVector(unshifted_commitments), - RefVector(shifted_commitments), - RefArray{ eval1, eval2, eval3, eval4 }, - RefArray{ eval2_shift, eval3_shift }, - mle_opening_point, - this->vk()->get_g1_identity(), - verifier_transcript, - {}, - {}, - RefVector(libra_commitments), - libra_evaluations); + auto batch_opening_claim = + ShpleminiVerifier::compute_batch_opening_claim(n, + RefVector(unshifted_commitments), + RefVector(shifted_commitments), + RefArray{ eval1, eval2, eval3, eval4 }, + RefArray{ eval2_shift, eval3_shift }, + mle_opening_point, + this->vk()->get_g1_identity(), + verifier_transcript, + /* concatenation_group_commitments = */ {}, + /* concatenated_evaluations = */ {}, + RefVector(libra_commitments), + libra_evaluations); if constexpr (std::is_same_v) { auto result = IPA::reduce_verify_batch_opening_claim(batch_opening_claim, this->vk(), verifier_transcript); diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp index 6957b579fe1..d4a047e290d 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp @@ -103,9 +103,6 @@ void ECCVMProver::execute_relation_check_rounds() zk_sumcheck_data = ZKSumcheckData(key->log_circuit_size, transcript, key); sumcheck_output = sumcheck.prove(key->polynomials, relation_parameters, alpha, gate_challenges, zk_sumcheck_data); - for (auto& eval : sumcheck_output.claimed_libra_evaluations) { - info("claimed evals sumcheck outp rounds ", eval); - } } /** @@ -123,8 +120,6 @@ void ECCVMProver::execute_pcs_rounds() // Execute the Shplemini (Gemini + Shplonk) protocol to produce a univariate opening claim for the multilinear // evaluations produced by Sumcheck - info("in pcs: ", zk_sumcheck_data.libra_univariates_monomial.size()); - info("eval size? ", sumcheck_output.claimed_libra_evaluations.size()); const OpeningClaim multivariate_to_univariate_opening_claim = Shplemini::prove(key->circuit_size, key->polynomials.get_unshifted(), @@ -132,8 +127,8 @@ void ECCVMProver::execute_pcs_rounds() sumcheck_output.challenge, key->commitment_key, transcript, - {}, - {}, + /* concatenated_polynomials = */ {}, + /* groups_to_be_concatenated = */ {}, zk_sumcheck_data.libra_univariates_monomial, sumcheck_output.claimed_libra_evaluations); diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp index 3ae0e994b96..fecdc133d84 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp @@ -54,11 +54,14 @@ bool ECCVMVerifier::verify_proof(const HonkProof& proof) gate_challenges[idx] = transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); } + // Receive commitments to Libra masking polynomials + std::vector libra_commitments; for (size_t idx = 0; idx < log_circuit_size; idx++) { Commitment libra_commitment = transcript->receive_from_prover("Libra:commitment_" + std::to_string(idx)); libra_commitments.push_back(libra_commitment); } + auto [multivariate_challenge, claimed_evaluations, libra_evaluations, sumcheck_verified] = sumcheck.verify(relation_parameters, alpha, gate_challenges); // If Sumcheck did not verify, return false @@ -76,8 +79,8 @@ bool ECCVMVerifier::verify_proof(const HonkProof& proof) multivariate_challenge, key->pcs_verification_key->get_g1_identity(), transcript, - {}, - {}, + /* concatenation_group_commitments = */ {}, + /* concatenated_evaluations = */ {}, RefVector(libra_commitments), libra_evaluations); diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.hpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.hpp index 3d640ee6f3c..10e49d08a76 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.hpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.hpp @@ -27,6 +27,5 @@ class ECCVMVerifier { std::shared_ptr key; std::map commitments; std::shared_ptr transcript; - std::vector libra_commitments; }; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp index 1201ff23a5d..f24f8fd1841 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp @@ -70,6 +70,8 @@ template void ECCVMRecursiveVerifier_::verify_proof(co gate_challenges[idx] = transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); } + // Receive commitments to Libra masking polynomials + std::vector libra_commitments; for (size_t idx = 0; idx < log_circuit_size; idx++) { Commitment libra_commitment = transcript->template receive_from_prover("Libra:commitment_" + std::to_string(idx)); @@ -79,8 +81,6 @@ template void ECCVMRecursiveVerifier_::verify_proof(co auto [multivariate_challenge, claimed_evaluations, libra_evaluations, sumcheck_verified] = sumcheck.verify(relation_parameters, alpha, gate_challenges); - info("SUMCHECK verified", sumcheck_verified.value()); - // Compute the Shplemini accumulator consisting of the Shplonk evaluation and the commitments and scalars vector // produced by the unified protocol BatchOpeningClaim sumcheck_batch_opening_claims = @@ -92,8 +92,8 @@ template void ECCVMRecursiveVerifier_::verify_proof(co multivariate_challenge, key->pcs_verification_key->get_g1_identity(), transcript, - {}, - {}, + /* concatenation_group_commitments = */ {}, + /* concatenated_evaluations = */ {}, RefVector(libra_commitments), libra_evaluations); // Reduce the accumulator to a single opening claim diff --git a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.hpp b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.hpp index 16bfcfd6f8a..6a590ebba40 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.hpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.hpp @@ -27,6 +27,5 @@ template class ECCVMRecursiveVerifier_ { Builder* builder; std::shared_ptr transcript; - std::vector libra_commitments; }; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp index b8798312cdd..a0ac7ab54e7 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp @@ -111,6 +111,7 @@ std::array TranslatorRecursiveVerifier_template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); } + std::vector libra_commitments; for (size_t idx = 0; idx < log_circuit_size; idx++) { Commitment libra_commitment = transcript->template receive_from_prover("Libra:commitment_" + std::to_string(idx)); diff --git a/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.hpp b/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.hpp index 792fad946b2..39742bb65cc 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.hpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.hpp @@ -33,7 +33,6 @@ template class TranslatorRecursiveVerifier_ { Builder* builder; RelationParams relation_parameters; - std::vector libra_commitments; TranslatorRecursiveVerifier_(Builder* builder, const std::shared_ptr& native_verifier_key, diff --git a/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp b/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp index 7025f3b2025..2dfada1eae0 100644 --- a/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp @@ -102,11 +102,14 @@ bool TranslatorVerifier::verify_proof(const HonkProof& proof) gate_challenges[idx] = transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); } + // Receive commitments to Libra masking polynomials + std::vector libra_commitments; for (size_t idx = 0; idx < log_circuit_size; idx++) { Commitment libra_commitment = transcript->receive_from_prover("Libra:commitment_" + std::to_string(idx)); libra_commitments.push_back(libra_commitment); } + auto [multivariate_challenge, claimed_evaluations, libra_evaluations, sumcheck_verified] = sumcheck.verify(relation_parameters, alpha, gate_challenges); diff --git a/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.hpp b/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.hpp index 5ed5f0c34b5..dbe0dc66cdb 100644 --- a/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.hpp +++ b/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.hpp @@ -24,7 +24,6 @@ class TranslatorVerifier { std::map commitments; std::shared_ptr transcript; RelationParameters relation_parameters; - std::vector libra_commitments; TranslatorVerifier(const std::shared_ptr& verifier_key, const std::shared_ptr& transcript); From 937af2a3732293260eaa446bbecbc05320547538 Mon Sep 17 00:00:00 2001 From: iakovenkos Date: Tue, 5 Nov 2024 12:14:29 +0000 Subject: [PATCH 15/17] clean up --- .../barretenberg/sumcheck/sumcheck_round.hpp | 37 +------------------ 1 file changed, 2 insertions(+), 35 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck_round.hpp b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck_round.hpp index 32b2d49d870..758797b8bcc 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck_round.hpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck_round.hpp @@ -112,29 +112,6 @@ template class SumcheckProverRound { } } - template - void extend_edges_with_masking(ExtendedEdges& extended_edges, - ProverPolynomialsOrPartiallyEvaluatedMultivariates& multivariates, - const size_t edge_idx, - const ZKSumcheckData& zk_sumcheck_data) - { - // extend edges of witness polynomials and add correcting terms - for (auto [extended_edge, multivariate, masking_univariate] : - zip_view(extended_edges.get_all_witnesses(), - multivariates.get_all_witnesses(), - zk_sumcheck_data.masking_terms_evaluations)) { - bb::Univariate edge({ multivariate[edge_idx], multivariate[edge_idx + 1] }); - extended_edge = edge.template extend_to(); - extended_edge += masking_univariate; - }; - // extend edges of public polynomials - for (auto [extended_edge, multivariate] : - zip_view(extended_edges.get_non_witnesses(), multivariates.get_non_witnesses())) { - bb::Univariate edge({ multivariate[edge_idx], multivariate[edge_idx + 1] }); - extended_edge = edge.template extend_to(); - }; - }; - /** * @brief Return the evaluations of the univariate round polynomials \f$ \tilde{S}_{i} (X_{i}) \f$ at \f$ X_{i } = 0,\ldots, D \f$. Most likely, \f$ D \f$ is around \f$ 12 \f$. At the @@ -192,11 +169,7 @@ template class SumcheckProverRound { size_t end = (thread_idx + 1) * iterations_per_thread; for (size_t edge_idx = start; edge_idx < end; edge_idx += 2) { - // if constexpr (!Flavor::HasZK) { extend_edges(extended_edges[thread_idx], polynomials, edge_idx); - // } else { - // extend_edges_with_masking(extended_edges[thread_idx], polynomials, edge_idx, zk_sumcheck_data); - // } // Compute the \f$ \ell \f$-th edge's univariate contribution, // scale it by the corresponding \f$ pow_{\beta} \f$ contribution and add it to the accumulators for \f$ // \tilde{S}^i(X_i) \f$. If \f$ \ell \f$'s binary representation is given by \f$ (\ell_{i+1},\ldots, @@ -321,10 +294,8 @@ template class SumcheckProverRound { size_t round_idx) { SumcheckRoundUnivariate libra_round_univariate; - // info("inside compute libra? ", round_idx); // select the i'th column of Libra book-keeping table const auto& current_column = zk_sumcheck_data.libra_univariates[round_idx]; - // info("univariate accessed?"); // the evaluation of Libra round univariate at k=0...D are equal to \f$\texttt{libra_univariates}_{i}(k)\f$ // corrected by the Libra running sum for (size_t idx = 0; idx < BATCHED_RELATION_PARTIAL_LENGTH; ++idx) { @@ -450,7 +421,6 @@ template class SumcheckVerifierRound { sumcheck_round_failed = (target_total_sum != total_sum); round_failed = round_failed || sumcheck_round_failed; - // info("check sum failed", round_failed); return !sumcheck_round_failed; }; @@ -467,8 +437,6 @@ template class SumcheckVerifierRound { { FF total_sum = FF::conditional_assign(dummy_round, target_total_sum, univariate.value_at(0) + univariate.value_at(1)); - - // info("total sum", total_sum); // TODO(#673): Conditionals like this can go away once native verification is is just recursive verification // with a simulated builder. bool sumcheck_round_failed(false); @@ -478,13 +446,12 @@ template class SumcheckVerifierRound { // value is in relaxed form. This happens at the first round when target_total_sum is initially set to // 0. total_sum.self_reduce(); - // info("self reduce? ", total_sum); } target_total_sum.assert_equal(total_sum); if (!dummy_round.get_value()) { sumcheck_round_failed = (target_total_sum.get_value() != total_sum.get_value()); } - // info("round failed? dd ", round_failed); + round_failed = round_failed || sumcheck_round_failed; return !sumcheck_round_failed; }; @@ -532,13 +499,13 @@ template class SumcheckVerifierRound { const RelationSeparator alpha, std::optional full_libra_purported_value = std::nullopt) { + // The verifier should never skip computation of contributions from any relation Utils::template accumulate_relation_evaluations_without_skipping<>( purported_evaluations, relation_evaluations, relation_parameters, gate_sparators.partial_evaluation_result); FF running_challenge{ 1 }; FF output{ 0 }; Utils::scale_and_batch_elements(relation_evaluations, alpha, running_challenge, output); - if constexpr (Flavor::HasZK) { output += full_libra_purported_value.value(); if constexpr (IsECCVMRecursiveFlavor) { From 95d4160cacaec8fab41ca4608462bf9b8dcd5cc4 Mon Sep 17 00:00:00 2001 From: iakovenkos Date: Tue, 5 Nov 2024 12:26:07 +0000 Subject: [PATCH 16/17] fix build --- .../eccvm_recursive_verifier.cpp | 1 - .../sumcheck/zk_sumcheck_data.hpp | 33 ++++++++----------- 2 files changed, 13 insertions(+), 21 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp index 208487e4dbc..97c0635855d 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp @@ -143,7 +143,6 @@ template void ECCVMRecursiveVerifier_::verify_proof(co // TODO(https://github.com/AztecProtocol/barretenberg/issues/1142): Handle this return value correctly. const typename PCS::VerifierAccumulator batched_opening_accumulator = PCS::reduce_verify(key->pcs_verification_key, batch_opening_claim, transcript); - info("batching opening verified? ", batched_opening_verified); ASSERT(sumcheck_verified); } diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp b/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp index 7c46f5fe360..41d4e245a3c 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp @@ -33,8 +33,6 @@ template struct ZKSumcheckData { // Container for the evaluations of Libra Univariates that have to be proven. using ClaimedLibraEvaluations = std::vector; - // EvalMaskingScalars eval_masking_scalars; - // EvaluationMaskingTable masking_terms_evaluations; LibraUnivariates libra_univariates; LibraUnivariates libra_univariates_monomial; FF libra_scaling_factor{ 1 }; @@ -50,7 +48,6 @@ template struct ZKSumcheckData { std::shared_ptr transcript, std::shared_ptr proving_key = nullptr) { - // Initialization logic from setup_zk_sumcheck_data setup_zk_sumcheck_data(multivariate_d, transcript, proving_key); } @@ -109,9 +106,7 @@ template struct ZKSumcheckData { * independent uniformly random coefficients. * */ - static LibraUnivariates generate_libra_univariates(const size_t number_of_polynomials - // LibraUnivariatesInMonomialBasis& libra_univariates_monomial - ) + static LibraUnivariates generate_libra_univariates(const size_t number_of_polynomials) { LibraUnivariates libra_full_polynomials(number_of_polynomials); @@ -120,6 +115,7 @@ template struct ZKSumcheckData { }; return libra_full_polynomials; }; + /** * @brief Transform Libra univariates from Lagrange to monomial form * @@ -177,20 +173,17 @@ template struct ZKSumcheckData { } /** - * @brief Set up Libra book-keeping table that simplifies the computation of Libra Round Univariates - * - * @details The array of Libra univariates is getting scaled - * \f{align}{ - \texttt{libra_univariates} \gets \texttt{libra_univariates}\cdot \rho \cdot 2^{d-1} - \f} - * We also initialize - * \f{align}{ - \texttt{libra_running_sum} \gets \texttt{libra_total_sum} - \texttt{libra_univariates}_{0,0} - - \texttt{libra_univariates}_{0,1} \f}. - * @param libra_table - * @param libra_round_factor - * @param libra_challenge - */ + * @brief Set up Libra book-keeping table that simplifies the computation of Libra Round Univariates + * + * @details The array of Libra univariates is getting scaled + * \f{align}{\texttt{libra_univariates} \gets \texttt{libra_univariates}\cdot \rho \cdot 2^{d-1}\f} + * We also initialize + * \f{align}{ \texttt{libra_running_sum} \gets \texttt{libra_total_sum} - \texttt{libra_univariates}_{0,0} - + * \texttt{libra_univariates}_{0,1} \f}. + * @param libra_table + * @param libra_round_factor + * @param libra_challenge + */ static void setup_auxiliary_data(auto& libra_univariates, FF& libra_scaling_factor, const FF libra_challenge, From 69b913e825a99c7b2af7113d67670f5fd3129aa4 Mon Sep 17 00:00:00 2001 From: iakovenkos Date: Wed, 6 Nov 2024 19:24:32 +0000 Subject: [PATCH 17/17] clean-up after review --- .../commitment_schemes/shplonk/shplemini.hpp | 30 ++++++++----------- .../shplonk/shplemini.test.cpp | 3 +- .../commitment_schemes/shplonk/shplonk.hpp | 4 ++- .../relations/ecc_vm/ecc_lookup_relation.hpp | 3 -- 4 files changed, 18 insertions(+), 22 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp index af752a7f687..59688cdf2e1 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp @@ -42,16 +42,14 @@ template class ShpleminiProver_ { groups_to_be_concatenated); // Create opening claims for Libra masking univariates std::vector libra_opening_claims; - if (!libra_univariates.empty()) { - size_t idx = 0; - for (auto [libra_univariate, libra_evaluation] : zip_view(libra_univariates, libra_evaluations)) { - OpeningClaim new_claim; - new_claim.polynomial = Polynomial(libra_univariate); - new_claim.opening_pair.challenge = multilinear_challenge[idx]; - new_claim.opening_pair.evaluation = libra_evaluation; - libra_opening_claims.push_back(new_claim); - idx++; - } + size_t idx = 0; + for (auto [libra_univariate, libra_evaluation] : zip_view(libra_univariates, libra_evaluations)) { + OpeningClaim new_claim; + new_claim.polynomial = Polynomial(libra_univariate); + new_claim.opening_pair.challenge = multilinear_challenge[idx]; + new_claim.opening_pair.evaluation = libra_evaluation; + libra_opening_claims.push_back(new_claim); + idx++; } OpeningClaim batched_claim = ShplonkProver::prove(commitment_key, opening_claims, transcript, libra_opening_claims); @@ -271,6 +269,8 @@ template class ShpleminiVerifier_ { commitments.emplace_back(g1_identity); scalars.emplace_back(constant_term_accumulator); + // For ZK flavors, the sumcheck output contains the evaluations of Libra univariates that submitted to the + // ShpleminiVerifier, otherwise this argument is set to be empty if (!libra_univariate_evaluations.empty()) { add_zk_data(commitments, scalars, @@ -498,9 +498,8 @@ template class ShpleminiVerifier_ { shplonk_challenge_power *= shplonk_batching_challenge; } - // needed to keep track of the constant term contribution - const size_t idx_of_constant_term = commitments.size() - 1; - + // need to keep track of the contribution to the constant term + Fr& constant_term = scalars.back(); // compute shplonk denominators and batch invert them std::vector denominators; size_t num_libra_univariates = libra_univariate_commitments.size(); @@ -518,18 +517,15 @@ template class ShpleminiVerifier_ { } // add Libra commitments to the vector of commitments; compute corresponding scalars and the correction to the // constant term - Fr constant_term = 0; for (const auto [libra_univariate_commitment, denominator, libra_univariate_evaluation] : zip_view(libra_univariate_commitments, denominators, libra_univariate_evaluations)) { commitments.push_back(std::move(libra_univariate_commitment)); Fr scaling_factor = denominator * shplonk_challenge_power; scalars.push_back((-scaling_factor)); shplonk_challenge_power *= shplonk_batching_challenge; + // update the constant term of the Shplonk batched claim constant_term += scaling_factor * libra_univariate_evaluation; } - - // update the constant term of the Shplonk batched claim - scalars[idx_of_constant_term] += constant_term; } }; } // namespace bb \ No newline at end of file diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp index 9b8bbd6444b..9914b2e092c 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp @@ -241,6 +241,7 @@ TYPED_TEST(ShpleminiTest, ShpleminiWithMaskingLibraUnivariates) const size_t n = 16; const size_t log_n = 4; + // In practice, the length of Libra univariates is equal to FLAVOR::BATCHED_RELATION_PARTIAL_LENGTH const size_t LIBRA_UNIVARIATE_LENGTH = 12; std::array interpolation_domain; @@ -261,7 +262,7 @@ TYPED_TEST(ShpleminiTest, ShpleminiWithMaskingLibraUnivariates) for (size_t idx = 0; idx < log_n; idx++) { // generate random polynomial Polynomial libra_polynomial = Polynomial::random(LIBRA_UNIVARIATE_LENGTH); - // create a univariate with the same coefficients (to store an array intead of a vector) + // create a univariate with the same coefficients (to store an array instead of a vector) bb::Univariate libra_univariate; for (size_t i = 0; i < LIBRA_UNIVARIATE_LENGTH; i++) { libra_univariate.value_at(i) = libra_polynomial[i]; diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp index 65823138a67..527e1d0b73e 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp @@ -57,11 +57,13 @@ template class ShplonkProver_ { tmp = claim.polynomial; tmp.at(0) = tmp[0] - claim.opening_pair.evaluation; tmp.factor_roots(claim.opening_pair.challenge); - // Add the claim quotient to the batched quotient polynomial Q.add_scaled(tmp, current_nu); current_nu *= nu; } + + // We use the same batching challenge for Gemini and Libra opening claims. The number of the claims + // batched before adding Libra commitments and evaluations is bounded by CONST_PROOF_SIZE_LOG_N+2 for (size_t idx = opening_claims.size(); idx < CONST_PROOF_SIZE_LOG_N + 2; idx++) { current_nu *= nu; }; diff --git a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_lookup_relation.hpp b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_lookup_relation.hpp index 4612d1ef11d..04486374550 100644 --- a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_lookup_relation.hpp +++ b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_lookup_relation.hpp @@ -82,18 +82,15 @@ polynomials, using View = typename Accumulator::View; if constexpr (read_index == 0) { - return Accumulator(View(in.msm_add1)); } if constexpr (read_index == 1) { return Accumulator(View(in.msm_add2)); } if constexpr (read_index == 2) { - return Accumulator(View(in.msm_add3)); } if constexpr (read_index == 3) { - return Accumulator(View(in.msm_add4)); } return Accumulator(1);