From 5586f5df3a1d9e48a3b89e05ebdccb68b34f9636 Mon Sep 17 00:00:00 2001 From: ledwards2225 Date: Thu, 20 Apr 2023 17:41:01 +0000 Subject: [PATCH] cleanup and reorg --- cpp/src/barretenberg/honk/pcs/ipa/ipa.hpp | 74 ++++++++----------- .../barretenberg/honk/pcs/ipa/ipa.test.cpp | 9 ++- 2 files changed, 36 insertions(+), 47 deletions(-) diff --git a/cpp/src/barretenberg/honk/pcs/ipa/ipa.hpp b/cpp/src/barretenberg/honk/pcs/ipa/ipa.hpp index 8f4eb2f6d8..a7eaf54f91 100644 --- a/cpp/src/barretenberg/honk/pcs/ipa/ipa.hpp +++ b/cpp/src/barretenberg/honk/pcs/ipa/ipa.hpp @@ -34,27 +34,25 @@ template class InnerProductArgument { * @brief Compute a proof for opening a single polynomial at a single evaluation point * * @param ck The commitment key containing srs and pippenger_runtime_state for computing MSM - * @param pub_input Data required to compute the opening proof. See spec for more details + * @param opening_pair (challenge, evaluation) * @param polynomial The witness polynomial whose opening proof needs to be computed - * - * @return a Proof, containing information required to verify whether the commitment is computed correctly and - * the polynomial evaluation is correct in the given challenge point. + * @param transcript Prover transcript */ static void reduce_prove(std::shared_ptr ck, const OpeningPair& opening_pair, const Polynomial& polynomial, ProverTranscript& transcript) { - Fr generator_challenge = transcript.get_challenge("generator_challenge"); + Fr generator_challenge = transcript.get_challenge("IPA:generator_challenge"); + auto aux_generator = CommitmentAffine::one() * generator_challenge; - auto& challenge_point = opening_pair.challenge; - ASSERT(challenge_point != 0 && "The challenge point should not be zero"); + ASSERT(opening_pair.challenge != 0 && "The challenge point should not be zero"); const size_t poly_degree = polynomial.size(); // To check poly_degree is greater than zero and a power of two // TODO(#220)(Arijit): To accomodate non power of two poly_degree ASSERT((poly_degree > 0) && (!(poly_degree & (poly_degree - 1))) && "The poly_degree should be positive and a power of two"); - auto aux_generator = CommitmentAffine::one() * generator_challenge; + auto a_vec = polynomial; // TODO(#220)(Arijit): to make it more efficient by directly using G_vector for the input points when i = 0 and // write the output points to G_vec_local. Then use G_vec_local for rounds where i>0, this can be done after we @@ -72,7 +70,7 @@ template class InnerProductArgument { Fr b_power = 1; for (size_t i = 0; i < poly_degree; i++) { b_vec[i] = b_power; - b_power *= challenge_point; + b_power *= opening_pair.challenge; } // Iterate for log_2(poly_degree) rounds to compute the round commitments. const size_t log_poly_degree = static_cast(numeric::get_msb(poly_degree)); @@ -90,21 +88,18 @@ template class InnerProductArgument { inner_prod_R += a_vec[round_size + j] * b_vec[j]; } // L_i = < a_vec_lo, G_vec_hi > + inner_prod_L * aux_generator - Commitment partial_L = barretenberg::scalar_multiplication::pippenger_without_endomorphism_basis_points( + L_elements[i] = barretenberg::scalar_multiplication::pippenger_without_endomorphism_basis_points( &a_vec[0], &G_vec_local[round_size], round_size, ck->pippenger_runtime_state); - partial_L += aux_generator * inner_prod_L; + L_elements[i] += aux_generator * inner_prod_L; // R_i = < a_vec_hi, G_vec_lo > + inner_prod_R * aux_generator - Commitment partial_R = barretenberg::scalar_multiplication::pippenger_without_endomorphism_basis_points( + R_elements[i] = barretenberg::scalar_multiplication::pippenger_without_endomorphism_basis_points( &a_vec[round_size], &G_vec_local[0], round_size, ck->pippenger_runtime_state); - partial_R += aux_generator * inner_prod_R; - - L_elements[i] = CommitmentAffine(partial_L); - R_elements[i] = CommitmentAffine(partial_R); + R_elements[i] += aux_generator * inner_prod_R; std::string index = std::to_string(i); - transcript.send_to_verifier("IPA:L_" + index, CommitmentAffine(partial_L)); - transcript.send_to_verifier("IPA:R_" + index, CommitmentAffine(partial_R)); + transcript.send_to_verifier("IPA:L_" + index, CommitmentAffine(L_elements[i])); + transcript.send_to_verifier("IPA:R_" + index, CommitmentAffine(R_elements[i])); // Generate the round challenge. const Fr round_challenge = transcript.get_challenge("IPA:round_challenge_" + index); @@ -157,41 +152,31 @@ template class InnerProductArgument { { auto commitment = transcript.template receive_from_prover("IPA:C"); - Fr generator_challenge = transcript.get_challenge("generator_challenge"); + Fr generator_challenge = transcript.get_challenge("IPA:generator_challenge"); auto aux_generator = CommitmentAffine::one() * generator_challenge; - // Local copies of public inputs - // auto& a_zero = proof.a_zero; - auto& challenge_point = opening_pair.challenge; - auto& evaluation = opening_pair.evaluation; size_t log_poly_degree = numeric::get_msb(poly_degree); // Compute C_prime - Commitment C_prime = commitment + (aux_generator * evaluation); + Commitment C_prime = commitment + (aux_generator * opening_pair.evaluation); - // Compute the round challeneges and their inverses. - std::vector L_vec(log_poly_degree); - std::vector R_vec(log_poly_degree); + // Compute C_zero = C_prime + ∑_{j ∈ [k]} u_j^2L_j + ∑_{j ∈ [k]} u_j^{-2}R_j + const size_t pippenger_size = 2 * log_poly_degree; std::vector round_challenges(log_poly_degree); std::vector round_challenges_inv(log_poly_degree); + std::vector msm_elements(pippenger_size); + std::vector msm_scalars(pippenger_size); for (size_t i = 0; i < log_poly_degree; i++) { std::string index = std::to_string(i); - L_vec[i] = transcript.template receive_from_prover("IPA:L_" + index); - R_vec[i] = transcript.template receive_from_prover("IPA:R_" + index); + auto element_L = transcript.template receive_from_prover("IPA:L_" + index); + auto element_R = transcript.template receive_from_prover("IPA:R_" + index); round_challenges[i] = transcript.get_challenge("IPA:round_challenge_" + index); - round_challenges_inv[i] = round_challenges[i]; - } - Fr::batch_invert(&round_challenges_inv[0], log_poly_degree); + round_challenges_inv[i] = round_challenges[i].invert(); - // Compute C_zero = C_prime + ∑_{j ∈ [k]} u_j^2L_j + ∑_{j ∈ [k]} u_j^{-2}R_j - const size_t pippenger_size = 2 * log_poly_degree; - std::vector msm_elements(pippenger_size); - std::vector msm_scalars(pippenger_size); - for (size_t i = 0; i < log_poly_degree; i++) { - msm_elements[2 * i] = L_vec[i]; - msm_elements[2 * i + 1] = R_vec[i]; - msm_scalars[2 * i] = round_challenges[i] * round_challenges[i]; - msm_scalars[2 * i + 1] = round_challenges_inv[i] * round_challenges_inv[i]; + msm_elements[2 * i] = element_L; + msm_elements[2 * i + 1] = element_R; + msm_scalars[2 * i] = round_challenges[i].sqr(); + msm_scalars[2 * i + 1] = round_challenges_inv[i].sqr(); } Commitment LR_sums = barretenberg::scalar_multiplication::pippenger_without_endomorphism_basis_points( &msm_scalars[0], &msm_elements[0], pippenger_size, vk->pippenger_runtime_state); @@ -208,7 +193,7 @@ template class InnerProductArgument { for (size_t i = 0; i < log_poly_degree; i++) { auto exponent = static_cast(Fr(2).pow(i)); b_zero *= round_challenges_inv[log_poly_degree - 1 - i] + - (round_challenges[log_poly_degree - 1 - i] * challenge_point.pow(exponent)); + (round_challenges[log_poly_degree - 1 - i] * opening_pair.challenge.pow(exponent)); } // Compute G_zero @@ -238,9 +223,8 @@ template class InnerProductArgument { auto a_zero = transcript.template receive_from_prover("IPA:a_0"); - Commitment right_hand_side = G_zero * a_zero; - Fr a_zero_b_zero = a_zero * b_zero; - right_hand_side += aux_generator * a_zero_b_zero; + Commitment right_hand_side = G_zero * a_zero + aux_generator * a_zero * b_zero; + return (C_zero.normalize() == right_hand_side.normalize()); } }; diff --git a/cpp/src/barretenberg/honk/pcs/ipa/ipa.test.cpp b/cpp/src/barretenberg/honk/pcs/ipa/ipa.test.cpp index d30eec5d26..17d74eb9e9 100644 --- a/cpp/src/barretenberg/honk/pcs/ipa/ipa.test.cpp +++ b/cpp/src/barretenberg/honk/pcs/ipa/ipa.test.cpp @@ -43,14 +43,19 @@ TYPED_TEST(IpaCommitmentTest, open) auto commitment = this->commit(poly); const OpeningPair opening_pair{ x, eval }; - auto prover_transcript = ProverTranscript::init_empty(); + // initialize empty prover transcript + ProverTranscript prover_transcript; + prover_transcript.send_to_verifier("IPA:C", commitment); IPA::reduce_prove(this->ck(), opening_pair, poly, prover_transcript); - auto verifier_transcript = VerifierTranscript::init_empty(prover_transcript); + // initialize verifier transcript from proof data + VerifierTranscript verifier_transcript{ prover_transcript.proof_data }; auto result = IPA::reduce_verify(this->vk(), opening_pair, n, verifier_transcript); EXPECT_TRUE(result); + + EXPECT_EQ(prover_transcript.get_manifest(), verifier_transcript.get_manifest()); } } // namespace proof_system::honk::pcs::ipa