Barretenberg: src/barretenberg/hypernova/hypernova_prover.cpp Source File

// === AUDIT STATUS ===

// internal:    { status: Complete, auditors: [Sergei], commit: }

// external_1:  { status: not started, auditors: [], commit: }

// external_2:  { status: not started, auditors: [], commit: }

// =====================


#include "barretenberg/hypernova/hypernova_prover.hpp"

#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp"

#include "barretenberg/hypernova/hypernova_batching_challenges.hpp"

#include "barretenberg/multilinear_batching/multilinear_batching_prover.hpp"


namespace bb {


template <size_t N>


HypernovaFoldingProver::Commitment HypernovaFoldingProver::batch_mul(const RefArray<Commitment, N>& _points,

                                                                     const std::vector<FF>& scalars)

{

    std::vector<Commitment> points(N);

    for (size_t idx = 0; idx < N; ++idx) {

        points[idx] = _points[idx];

    }

    return Commitment::batch_mul(points, scalars);

}


HypernovaFoldingProver::Accumulator HypernovaFoldingProver::sumcheck_output_to_accumulator(

    HypernovaFoldingProver::MegaSumcheckOutput& sumcheck_output,

    const std::shared_ptr<typename HypernovaFoldingProver::ProverInstance>& instance,

    const std::shared_ptr<typename HypernovaFoldingProver::VerificationKey>& honk_vk)

{

    BB_BENCH_NAME("HypernovaFoldingProver::sumcheck_output_to_accumulator");


    // Generate challenges to batch shifted and unshifted polynomials/commitments/evaluation

    auto [unshifted_challenges, shifted_challenges] =

        get_hypernova_batching_challenges<FF>(transcript, NUM_UNSHIFTED_ENTITIES, NUM_SHIFTED_ENTITIES);


    // Batch polynomials

    Polynomial<FF> batched_unshifted_polynomial = batch_polynomials<Flavor::NUM_UNSHIFTED_ENTITIES>(

        instance->polynomials.get_unshifted(), instance->dyadic_size(), unshifted_challenges);

    Polynomial<FF> batched_shifted_polynomial = batch_polynomials<Flavor::NUM_SHIFTED_ENTITIES>(

        instance->polynomials.get_to_be_shifted(), instance->dyadic_size(), shifted_challenges);


    // Batch evaluations

    FF batched_unshifted_evaluation(0);

    FF batched_shifted_evaluation(0);


    for (auto [eval, challenge] : zip_view(sumcheck_output.claimed_evaluations.get_unshifted(), unshifted_challenges)) {

        batched_unshifted_evaluation += eval * challenge;

    }

    for (auto [eval, challenge] : zip_view(sumcheck_output.claimed_evaluations.get_shifted(), shifted_challenges)) {

        batched_shifted_evaluation += eval * challenge;

    }


    // Batch commitments

    VerifierCommitments verifier_commitments(honk_vk, instance->commitments);


    Commitment batched_unshifted_commitment = batch_mul(verifier_commitments.get_unshifted(), unshifted_challenges);

    Commitment batched_shifted_commitment = batch_mul(verifier_commitments.get_to_be_shifted(), shifted_challenges);


    return Accumulator{

        .challenge = std::move(sumcheck_output.challenge),

        .non_shifted_evaluation = batched_unshifted_evaluation,

        .shifted_evaluation = batched_shifted_evaluation,

        .non_shifted_polynomial = std::move(batched_unshifted_polynomial),

        .shifted_polynomial = std::move(batched_shifted_polynomial),

        .non_shifted_commitment = batched_unshifted_commitment,

        .shifted_commitment = batched_shifted_commitment,

        .dyadic_size = instance->dyadic_size(),

    };

};


template <size_t N>


Polynomial<HypernovaFoldingProver::FF> HypernovaFoldingProver::batch_polynomials(

    RefArray<Polynomial<FF>, N> polynomials_to_batch,

    const size_t& full_batched_size,

    const std::vector<FF>& challenges)

{

    BB_BENCH_NAME("HypernovaFoldingProver::batch_polynomials");

    BB_ASSERT_EQ(full_batched_size,

                 polynomials_to_batch[0].virtual_size(),

                 "The virtual size of the first polynomial is different from the full batched size.");

    BB_ASSERT_EQ(

        challenges.size(), N, "The number of challenges provided does not match the number of polynomials to batch.");


    for (size_t idx = 1; idx < N; idx++) {

        polynomials_to_batch[0].add_scaled(polynomials_to_batch[idx], challenges[idx]);

    }


    return polynomials_to_batch[0];

};


HypernovaFoldingProver::Accumulator HypernovaFoldingProver::instance_to_accumulator(

    const std::shared_ptr<typename HypernovaFoldingProver::ProverInstance>& instance,

    const std::shared_ptr<VerificationKey>& honk_vk)

{

    BB_BENCH_NAME("HypernovaFoldingProver::instance_to_accumulator");


    vinfo("HypernovaFoldingProver: converting instance to accumulator...");


    // Complete the incoming instance

    auto precomputed_vk = honk_vk ? honk_vk : std::make_shared<VerificationKey>(instance->get_precomputed());

    MegaOinkProver oink_prover{ instance, precomputed_vk, transcript };

    oink_prover.prove();


    instance->gate_challenges = transcript->template get_dyadic_powers_of_challenge<FF>(

        "HypernovaFoldingProver:gate_challenge", Flavor::VIRTUAL_LOG_N);


    // Run Sumcheck with padding

    MegaSumcheckProver sumcheck(instance->dyadic_size(),

                                instance->polynomials,

                                transcript,

                                instance->alpha,

                                instance->gate_challenges,

                                instance->relation_parameters,

                                Flavor::VIRTUAL_LOG_N);

    auto sumcheck_output = sumcheck.prove();


    Accumulator accumulator = sumcheck_output_to_accumulator(sumcheck_output, instance, precomputed_vk);


    vinfo("HypernovaFoldingProver: accumulator constructed.");


    return accumulator;

}


std::pair<HonkProof, HypernovaFoldingProver::Accumulator> HypernovaFoldingProver::fold(

    Accumulator&& accumulator,

    const std::shared_ptr<ProverInstance>& instance,

    const std::shared_ptr<VerificationKey>& honk_vk)

{

    Accumulator incoming_accumulator = instance_to_accumulator(instance, honk_vk);


    // Sumcheck

    MultilinearBatchingProver batching_prover(std::move(accumulator), std::move(incoming_accumulator), transcript);


    HonkProof proof = batching_prover.construct_proof();


    return { proof, batching_prover.compute_new_claim() };

}


} // namespace bb

BB_ASSERT_EQ
#define BB_ASSERT_EQ(actual, expected,...)
Definition assert.hpp:83

instance
std::shared_ptr< Napi::ThreadSafeFunction > instance
Definition avm_simulate_napi.cpp:128

BB_BENCH_NAME
#define BB_BENCH_NAME(name)
Definition bb_bench.hpp:219

bb::HypernovaFoldingProver::transcript
std::shared_ptr< Transcript > transcript
Definition hypernova_prover.hpp:88

bb::HypernovaFoldingProver::sumcheck_output_to_accumulator
Accumulator sumcheck_output_to_accumulator(MegaSumcheckOutput &sumcheck_output, const std::shared_ptr< ProverInstance > &instance, const std::shared_ptr< VerificationKey > &honk_vk)
Convert the output of the sumcheck run on the incoming instance into an accumulator.
Definition hypernova_prover.cpp:25

bb::HypernovaFoldingProver::NUM_SHIFTED_ENTITIES
static constexpr size_t NUM_SHIFTED_ENTITIES
Definition hypernova_prover.hpp:53

bb::HypernovaFoldingProver::NUM_UNSHIFTED_ENTITIES
static constexpr size_t NUM_UNSHIFTED_ENTITIES
Definition hypernova_prover.hpp:52

bb::HypernovaFoldingProver::instance_to_accumulator
Accumulator instance_to_accumulator(const std::shared_ptr< ProverInstance > &instance, const std::shared_ptr< VerificationKey > &honk_vk=nullptr)
Turn an instance into an accumulator by running Sumcheck.
Definition hypernova_prover.cpp:91

bb::HypernovaFoldingProver::Commitment
Flavor::Commitment Commitment
Definition hypernova_prover.hpp:42

bb::HypernovaFoldingProver::batch_mul
Commitment batch_mul(const RefArray< Commitment, N > &_points, const std::vector< FF > &scalars)
Utility to perform batch mul of commitments.
Definition hypernova_prover.cpp:15

bb::HypernovaFoldingProver::batch_polynomials
static Polynomial< FF > batch_polynomials(RefArray< Polynomial< FF >, N > polynomials_to_batch, const size_t &full_batched_size, const std::vector< FF > &challenges)
Batch prover polynomials. Batching happens in place into the first polynomial in the RefArray supplie...
Definition hypernova_prover.cpp:72

bb::HypernovaFoldingProver::fold
std::pair< HonkProof, Accumulator > fold(Accumulator &&accumulator, const std::shared_ptr< ProverInstance > &instance, const std::shared_ptr< VerificationKey > &honk_vk=nullptr)
Fold an instance into an accumulator.
Definition hypernova_prover.cpp:124

bb::MegaFlavor::VerifierCommitments_
Definition mega_flavor.hpp:556

bb::MegaFlavor::WitnessEntities_::get_to_be_shifted
auto get_to_be_shifted()
Definition mega_flavor.hpp:301

bb::MegaFlavor::VIRTUAL_LOG_N
static constexpr size_t VIRTUAL_LOG_N
Definition mega_flavor.hpp:52

bb::MultilinearBatchingProver
Prover for multilinear batching - reduces two polynomial evaluation claims to one via sumcheck.
Definition multilinear_batching_prover.hpp:35

bb::MultilinearBatchingProver::construct_proof
HonkProof construct_proof()
Construct a multilinear batching proof.
Definition multilinear_batching_prover.cpp:105

bb::MultilinearBatchingProver::compute_new_claim
BB_PROFILE MultilinearBatchingProverClaim compute_new_claim()
Compute the batched output claim after sumcheck.
Definition multilinear_batching_prover.cpp:59

bb::OinkProver
Class for all the oink rounds, which are shared between the folding prover and ultra prover.
Definition oink_prover.hpp:39

bb::OinkProver::prove
void prove()
Oink Prover function that runs all the rounds of the verifier.
Definition oink_prover.cpp:21

bb::Polynomial
Structured polynomial class that represents the coefficients 'a' of a_0 + a_1 x .....
Definition polynomial.hpp:75

bb::RefArray
A template class for a reference array. Behaves as if std::array<T&, N> was possible.
Definition ref_array.hpp:22

bb::SumcheckProver
The implementation of the sumcheck Prover for statements of the form  for multilinear polynomials .
Definition sumcheck.hpp:289

bb::SumcheckProver::prove
SumcheckOutput< Flavor > prove()
Non-ZK version: Compute round univariate, place it in transcript, compute challenge,...
Definition sumcheck.hpp:387

zip_view
Definition zip_view.hpp:166

vinfo
#define vinfo(...)
Definition log.hpp:94

hypernova_batching_challenges.hpp

hypernova_prover.hpp

multilinear_batching_prover.hpp

bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5

bb::HonkProof
std::vector< fr > HonkProof
Definition proof.hpp:15

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

shplemini.hpp

bb::MultilinearBatchingFlavor::ProverClaim
Prover's claim for multilinear batching - contains polynomials and their evaluation claims.
Definition multilinear_batching_flavor.hpp:156

bb::MultilinearBatchingFlavor::ProverClaim::challenge
std::vector< FF > challenge
Definition multilinear_batching_flavor.hpp:157

bb::SumcheckOutput
Contains the evaluations of multilinear polynomials  at the challenge point . These are computed by S...
Definition sumcheck_output.hpp:22

bb::SumcheckOutput::claimed_evaluations
ClaimedEvaluations claimed_evaluations
Definition sumcheck_output.hpp:30

bb::SumcheckOutput::challenge
std::vector< FF > challenge
Definition sumcheck_output.hpp:28

bb::field< Bn254FrParams >