Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
multilinear_batching_verifier.cpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: Complete, auditors: [Sergei], commit: }
3// external_1: { status: not started, auditors: [], commit: }
4// external_2: { status: not started, auditors: [], commit: }
5// =====================
6
7#include "multilinear_batching_verifier.hpp"
8#include "barretenberg/flavor/mega_recursive_flavor.hpp"
9#include "barretenberg/flavor/multilinear_batching_flavor.hpp"
10#include "barretenberg/flavor/multilinear_batching_recursive_flavor.hpp"
11#include "barretenberg/stdlib/primitives/circuit_builders/circuit_builders_fwd.hpp"
12#include "barretenberg/sumcheck/sumcheck_output.hpp"
13
14namespace bb {
15
16template <typename Flavor_>
17MultilinearBatchingVerifier<Flavor_>::MultilinearBatchingVerifier(const std::shared_ptr<Transcript>& transcript)
18 : transcript(transcript)
19{}
20
21template <typename Flavor_>
22MultilinearBatchingVerifier<Flavor_>::FF MultilinearBatchingVerifier<Flavor_>::compute_new_target_sum(
23 const FF& alpha,
24 SumcheckOutput<InstanceFlavor>& instance_sumcheck,
25 const std::vector<InstanceFF>& unshifted_challenges,
26 const std::vector<InstanceFF>& shifted_challenges,
27 const FF& accumulator_non_shifted_evaluation,
28 const FF& accumulator_shifted_evaluation) const
29{
30 // Compute new target sum as:
31 // accumulator_non_shifted_evaluation
32 // + alpha * accumulator_shifted_evaluation
33 // + alpha^2 * sum(instance_sumcheck.claimed_unshifted_evals * unshifted_challenges)
34 // + alpha^3 * sum(instance_sumcheck.claimed_shifted_evals * shifted_challenges)
35 FF target_sum(0);
36 for (auto [eval, challenge] : zip_view(instance_sumcheck.claimed_evaluations.get_shifted(), shifted_challenges)) {
37 target_sum += eval * challenge;
38 }
39 target_sum *= alpha;
40
41 for (auto [eval, challenge] :
42 zip_view(instance_sumcheck.claimed_evaluations.get_unshifted(), unshifted_challenges)) {
43 target_sum += eval * challenge;
44 }
45 target_sum *= alpha;
46 target_sum += accumulator_shifted_evaluation; // Accumulator shifted evaluation
47 target_sum *= alpha;
48 target_sum += accumulator_non_shifted_evaluation; // Accumulator non-shifted evaluation
49
50 return target_sum;
51}
52
56template <typename Flavor_>
57template <size_t N>
58MultilinearBatchingVerifier<Flavor_>::Commitment MultilinearBatchingVerifier<
59 Flavor_>::batch_instance_commitments_with_accumulator(RefArray<Commitment, N> instance_commitments,
60 const std::vector<FF>& instance_batching_scalars,
61 const Commitment& accumulator_commitment,
62 const FF& batching_challenge)
63{
64 std::vector<Commitment> commitments;
65 commitments.reserve(N + 1);
66 for (const auto& commitment : instance_commitments) {
67 commitments.emplace_back(commitment);
68 }
69 commitments.emplace_back(accumulator_commitment);
70
71 std::vector<FF> scalars(instance_batching_scalars);
72 scalars.emplace_back(batching_challenge);
73
74 return Curve::Element::batch_mul(commitments, scalars);
75}
76
77template <typename Flavor_>
78MultilinearBatchingVerifier<Flavor_>::VerifierClaim MultilinearBatchingVerifier<Flavor_>::compute_new_claim(
79 const SumcheckOutput<Flavor>& sumcheck_result,
80 InstanceCommitments& verifier_commitments,
81 const std::vector<InstanceFF>& unshifted_challenges,
82 const std::vector<InstanceFF>& shifted_challenges,
83 const Commitment& non_shifted_accumulator_commitment,
84 const Commitment& shifted_accumulator_commitment,
85 const FF& batching_challenge)
86{
87 // Compute new claim as instance + challenge * accumulator
88 Commitment non_shifted_commitment =
89 batch_instance_commitments_with_accumulator<NUM_UNSHIFTED_ENTITIES>(verifier_commitments.get_unshifted(),
90 unshifted_challenges,
91 non_shifted_accumulator_commitment,
92 batching_challenge);
93 Commitment shifted_commitment =
94 batch_instance_commitments_with_accumulator<NUM_SHIFTED_ENTITIES>(verifier_commitments.get_to_be_shifted(),
95 shifted_challenges,
96 shifted_accumulator_commitment,
97 batching_challenge);
98
99 FF shifted_evaluation = sumcheck_result.claimed_evaluations.batched_shifted_instance +
100 sumcheck_result.claimed_evaluations.batched_shifted_accumulator * batching_challenge;
101 FF non_shifted_evaluation = sumcheck_result.claimed_evaluations.batched_unshifted_instance +
102 sumcheck_result.claimed_evaluations.batched_unshifted_accumulator * batching_challenge;
103 std::vector<FF> challenge = sumcheck_result.challenge;
104
105 return VerifierClaim{
106 .challenge = challenge,
107 .non_shifted_evaluation = non_shifted_evaluation,
108 .shifted_evaluation = shifted_evaluation,
109 .non_shifted_commitment = non_shifted_commitment,
110 .shifted_commitment = shifted_commitment,
111 };
112};
113
114template <typename Flavor_>
115std::pair<bool, typename MultilinearBatchingVerifier<Flavor_>::VerifierClaim> MultilinearBatchingVerifier<
116 Flavor_>::verify_proof(SumcheckOutput<InstanceFlavor>& instance_sumcheck,
117 InstanceCommitments& verifier_commitments,
118 const std::vector<InstanceFF>& unshifted_challenges,
119 const std::vector<InstanceFF>& shifted_challenges)
120{
121 // Receive commitments
122 auto non_shifted_accumulator_commitment =
123 transcript->template receive_from_prover<Commitment>("non_shifted_accumulator_commitment");
124 auto shifted_accumulator_commitment =
125 transcript->template receive_from_prover<Commitment>("shifted_accumulator_commitment");
126
127 // Receive challenges and evaluations
128 std::vector<FF> accumulator_challenges(Flavor::VIRTUAL_LOG_N);
129 std::vector<FF> accumulator_evaluations(Flavor::NUM_ACCUMULATOR_EVALUATIONS);
130 for (size_t i = 0; i < Flavor::VIRTUAL_LOG_N; i++) {
131 accumulator_challenges[i] =
132 transcript->template receive_from_prover<FF>("accumulator_challenge_" + std::to_string(i));
133 }
134 for (size_t i = 0; i < Flavor::NUM_ACCUMULATOR_EVALUATIONS; i++) {
135 accumulator_evaluations[i] =
136 transcript->template receive_from_prover<FF>("accumulator_evaluation_" + std::to_string(i));
137 }
138
139 // Run sumcheck
140 const FF alpha = transcript->template get_challenge<FF>("Sumcheck:alpha");
141
142 FF target_sum = compute_new_target_sum(alpha,
143 instance_sumcheck,
144 unshifted_challenges,
145 shifted_challenges,
146 accumulator_evaluations[0],
147 accumulator_evaluations[1]);
148
149 Sumcheck sumcheck(transcript, alpha, Flavor::VIRTUAL_LOG_N, target_sum);
150 // MultilinearBatchingFlavor doesn't use gate challenges, and all rounds are non-padding
151 std::vector<FF> padding_indicator_array(Flavor::VIRTUAL_LOG_N, FF(1));
152 const auto sumcheck_result = sumcheck.verify({}, {}, padding_indicator_array);
153
154 // Construct new claim
155 auto claim_batching_challenge = transcript->template get_challenge<FF>("claim_batching_challenge");
156 VerifierClaim verifier_claim = compute_new_claim(sumcheck_result,
157 verifier_commitments,
158 unshifted_challenges,
159 shifted_challenges,
160 non_shifted_accumulator_commitment,
161 shifted_accumulator_commitment,
162 claim_batching_challenge);
163
164 bool eq_consistent = check_eq_consistency(sumcheck_result, accumulator_challenges, instance_sumcheck.challenge);
165 bool verified = sumcheck_result.verified && eq_consistent;
166
167 return { verified, verifier_claim };
168}
169
170template <typename Flavor_>
171bool MultilinearBatchingVerifier<Flavor_>::check_eq_consistency(const SumcheckOutput<Flavor>& sumcheck_result,
172 const std::vector<FF>& accumulator_challenges,
173 const std::vector<InstanceFF>& instance_challenges)
174{
175 auto accumulator_eq_check = sumcheck_result.claimed_evaluations.eq_accumulator ==
176 VerifierEqPolynomial<FF>::eval(accumulator_challenges, sumcheck_result.challenge);
177 auto instance_eq_check = sumcheck_result.claimed_evaluations.eq_instance ==
178 VerifierEqPolynomial<FF>::eval(instance_challenges, sumcheck_result.challenge);
179
180 if constexpr (IsRecursiveFlavor<Flavor>) {
181 const auto equality_verified = accumulator_eq_check && instance_eq_check;
182 bool equality_verified_value = equality_verified.get_value();
183 equality_verified.assert_equal(stdlib::bool_t(equality_verified.get_context(), true));
184 return equality_verified_value;
185 } else {
186 return accumulator_eq_check && instance_eq_check;
187 }
188}
189
190template class MultilinearBatchingVerifier<MultilinearBatchingFlavor>;
191template class MultilinearBatchingVerifier<MultilinearBatchingRecursiveFlavor>;
192
193} // namespace bb
FF
bb::field< bb::Bn254FrParams > FF
Definition field.cpp:24
circuit_builders_fwd.hpp
bb::MultilinearBatchingVerifier
Multilinear batching verifier. Verifies claim reduction via sumcheck.
Definition multilinear_batching_verifier.hpp:25
bb::MultilinearBatchingVerifier::compute_new_target_sum
FF compute_new_target_sum(const FF &alpha, SumcheckOutput< InstanceFlavor > &instance_sumcheck, const std::vector< InstanceFF > &unshifted_challenges, const std::vector< InstanceFF > &shifted_challenges, const FF &accumulator_non_shifted_evaluation, const FF &accumulator_shifted_evaluation) const
Utility to compute the new target sum for the batching sumcheck.
Definition multilinear_batching_verifier.cpp:22
bb::MultilinearBatchingVerifier::MultilinearBatchingVerifier
MultilinearBatchingVerifier(const std::shared_ptr< Transcript > &transcript)
Definition multilinear_batching_verifier.cpp:17
bb::MultilinearBatchingVerifier::InstanceCommitments
InstanceFlavor::VerifierCommitments InstanceCommitments
Definition multilinear_batching_verifier.hpp:40
bb::MultilinearBatchingVerifier::check_eq_consistency
bool check_eq_consistency(const SumcheckOutput< Flavor > &sumcheck_result, const std::vector< FF > &accumulator_challenges, const std::vector< InstanceFF > &instance_challenges)
Verify that the prover used the correct eq polynomials.
Definition multilinear_batching_verifier.cpp:171
bb::MultilinearBatchingVerifier::compute_new_claim
VerifierClaim compute_new_claim(const SumcheckOutput< Flavor > &sumcheck_result, InstanceCommitments &verifier_commitments, const std::vector< InstanceFF > &unshifted_challenges, const std::vector< InstanceFF > &shifted_challenges, const Commitment &non_shifted_accumulator_commitment, const Commitment &shifted_accumulator_commitment, const FF &batching_challenge)
Utility to compute the new claim after the batching sumcheck.
Definition multilinear_batching_verifier.cpp:78
bb::RefArray
A template class for a reference array. Behaves as if std::array<T&, N> was possible.
Definition ref_array.hpp:22
bb::SumcheckVerifier
Implementation of the sumcheck Verifier for statements of the form for multilinear polynomials .
Definition sumcheck.hpp:719
bb::SumcheckVerifier::verify
SumcheckOutput< Flavor > verify(const bb::RelationParameters< FF > &relation_parameters, const std::vector< FF > &gate_challenges, const std::vector< FF > &padding_indicator_array)
The Sumcheck verification method. First it extracts round univariate, checks sum (the sumcheck univar...
Definition sumcheck.hpp:777
bb::stdlib::bool_t
Implements boolean logic in-circuit.
Definition bool.hpp:60
zip_view
Definition zip_view.hpp:166
mega_recursive_flavor.hpp
multilinear_batching_flavor.hpp
multilinear_batching_recursive_flavor.hpp
multilinear_batching_verifier.hpp
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
std::to_string
std::string to_string(bb::avm2::ValueTag tag)
Definition tagged_value.cpp:402
bb::MultilinearBatchingVerifierClaim
Verifier's claim for multilinear batching - contains commitments and evaluation claims.
Definition multilinear_batching_claims.hpp:18
bb::SumcheckOutput
Contains the evaluations of multilinear polynomials at the challenge point . These are computed by S...
Definition sumcheck_output.hpp:22
bb::SumcheckOutput::claimed_evaluations
ClaimedEvaluations claimed_evaluations
Definition sumcheck_output.hpp:30
bb::SumcheckOutput::challenge
std::vector< FF > challenge
Definition sumcheck_output.hpp:28
bb::VerifierEqPolynomial::eval
static FF eval(std::span< const FF > r_in, std::span< const FF > u)
Definition eq_polynomial.hpp:236
sumcheck_output.hpp