Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
translator_prover.cpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: Planned, auditors: [], commit: }
3// external_1: { status: not started, auditors: [], commit: }
4// external_2: { status: not started, auditors: [], commit: }
5// =====================
6
7#include "translator_prover.hpp"
8#include "barretenberg/commitment_schemes/claim.hpp"
9#include "barretenberg/commitment_schemes/commitment_key.hpp"
10#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp"
11#include "barretenberg/commitment_schemes/small_subgroup_ipa/small_subgroup_ipa.hpp"
12#include "barretenberg/honk/library/grand_product_library.hpp"
13#include "barretenberg/sumcheck/sumcheck.hpp"
14
15namespace bb {
16
17TranslatorProver::TranslatorProver(const std::shared_ptr<TranslatorProvingKey>& key,
18 const std::shared_ptr<Transcript>& transcript)
19 : transcript(transcript)
20 , key(key)
21{
22 BB_BENCH();
23 if (!key->proving_key->commitment_key.initialized()) {
24 key->proving_key->commitment_key = CommitmentKey(key->proving_key->circuit_size);
25 }
26}
27
32void TranslatorProver::execute_preamble_round()
33{
34 // Fiat-Shamir the vk hash
35 Flavor::VerificationKey vk;
36 typename Flavor::FF vk_hash = vk.get_hash();
37 transcript->add_to_hash_buffer("vk_hash", vk_hash);
38 vinfo("Translator vk hash in prover: ", vk_hash);
39
40 const size_t RESULT_ROW = Flavor::RESULT_ROW;
41
42 // Set accumulated_result in relation parameters from the witness polynomials
43 // The verifier will receive this value from the ECCVM verifier instead of the transcript
44 relation_parameters.accumulated_result = { key->proving_key->polynomials.accumulators_binary_limbs_0[RESULT_ROW],
45 key->proving_key->polynomials.accumulators_binary_limbs_1[RESULT_ROW],
46 key->proving_key->polynomials.accumulators_binary_limbs_2[RESULT_ROW],
47 key->proving_key->polynomials.accumulators_binary_limbs_3[RESULT_ROW] };
48}
49
56void TranslatorProver::commit_to_witness_polynomial(Polynomial& polynomial, const std::string& label)
57{
58 transcript->send_to_verifier(label, key->proving_key->commitment_key.commit(polynomial));
59}
60
65void TranslatorProver::execute_wire_and_sorted_constraints_commitments_round()
66{
67 BB_BENCH_NAME("TranslatorProver::execute_wire_and_sorted_constraints_commitments_round");
68
69 // Create and commit to Gemini masking polynomial (for ZK-PCS)
70 const size_t circuit_size = key->proving_key->circuit_size;
71 key->proving_key->polynomials.gemini_masking_poly = Polynomial::random(circuit_size);
72 auto masking_commitment =
73 key->proving_key->commitment_key.commit(key->proving_key->polynomials.gemini_masking_poly);
74 transcript->send_to_verifier("Gemini:masking_poly_comm", masking_commitment);
75
76 // Commit to non-op-queue wires and ordered range constraints
77 // Note: Op queue wires (op, x_lo_y_hi, x_hi_z_1, y_lo_z_2) are NOT committed to here
78 // They are provided by the merge protocol and passed to the verifier
79 auto batch = key->proving_key->commitment_key.start_batch();
80 for (const auto& [wire, label] :
81 zip_view(key->proving_key->polynomials.get_non_opqueue_wires_and_ordered_range_constraints(),
82 commitment_labels.get_non_opqueue_wires_and_ordered_range_constraints())) {
83 batch.add_to_batch(wire, label, /*mask for zk?*/ false);
84 }
85 batch.commit_and_send_to_verifier(transcript);
86}
87
92void TranslatorProver::execute_grand_product_computation_round()
93{
94 // Compute and store parameters required by relations in Sumcheck
95 FF beta = transcript->template get_challenge<FF>("beta");
96 FF gamma = transcript->template get_challenge<FF>("gamma");
97 const size_t NUM_LIMB_BITS = Flavor::NUM_LIMB_BITS;
98 relation_parameters.beta = beta;
99 relation_parameters.gamma = gamma;
100 auto uint_evaluation_input = uint256_t(key->evaluation_input_x);
101 relation_parameters.evaluation_input_x = { uint_evaluation_input.slice(0, NUM_LIMB_BITS),
102 uint_evaluation_input.slice(NUM_LIMB_BITS, NUM_LIMB_BITS * 2),
103 uint_evaluation_input.slice(NUM_LIMB_BITS * 2, NUM_LIMB_BITS * 3),
104 uint_evaluation_input.slice(NUM_LIMB_BITS * 3, NUM_LIMB_BITS * 4),
105 uint_evaluation_input };
106
107 std::vector<uint256_t> uint_batching_challenge_powers;
108 auto batching_challenge_v = key->batching_challenge_v;
109 uint_batching_challenge_powers.emplace_back(batching_challenge_v);
110 auto running_power = batching_challenge_v * batching_challenge_v;
111 uint_batching_challenge_powers.emplace_back(running_power);
112 running_power *= batching_challenge_v;
113 uint_batching_challenge_powers.emplace_back(running_power);
114 running_power *= batching_challenge_v;
115 uint_batching_challenge_powers.emplace_back(running_power);
116
117 for (size_t i = 0; i < 4; i++) {
118 relation_parameters.batching_challenge_v[i] = {
119 uint_batching_challenge_powers[i].slice(0, NUM_LIMB_BITS),
120 uint_batching_challenge_powers[i].slice(NUM_LIMB_BITS, NUM_LIMB_BITS * 2),
121 uint_batching_challenge_powers[i].slice(NUM_LIMB_BITS * 2, NUM_LIMB_BITS * 3),
122 uint_batching_challenge_powers[i].slice(NUM_LIMB_BITS * 3, NUM_LIMB_BITS * 4),
123 uint_batching_challenge_powers[i]
124 };
125 }
126 // Compute constraint permutation grand product
127 compute_grand_products<Flavor>(key->proving_key->polynomials, relation_parameters);
128
129 commit_to_witness_polynomial(key->proving_key->polynomials.z_perm, commitment_labels.z_perm);
130}
131
136void TranslatorProver::execute_relation_check_rounds()
137{
138 using Sumcheck = SumcheckProver<Flavor>;
139
140 // Each linearly independent subrelation contribution is multiplied by `alpha^i`, where
141 // i = 0, ..., NUM_SUBRELATIONS- 1.
142 const FF alpha = transcript->template get_challenge<FF>("Sumcheck:alpha");
143
144 std::vector<FF> gate_challenges(Flavor::CONST_TRANSLATOR_LOG_N);
145 for (size_t idx = 0; idx < gate_challenges.size(); idx++) {
146 gate_challenges[idx] = transcript->template get_challenge<FF>("Sumcheck:gate_challenge_" + std::to_string(idx));
147 }
148
149 const size_t circuit_size = key->proving_key->circuit_size;
150
151 Sumcheck sumcheck(circuit_size,
152 key->proving_key->polynomials,
153 transcript,
154 alpha,
155 gate_challenges,
156 relation_parameters,
157 Flavor::CONST_TRANSLATOR_LOG_N);
158
159 const size_t log_subgroup_size = static_cast<size_t>(numeric::get_msb(Flavor::Curve::SUBGROUP_SIZE));
160 // Create a temporary commitment key that is only used to initialize the ZKSumcheckData
161 // If proving in WASM, the commitment key that is part of the Translator proving key remains deallocated
162 // until we enter the PCS round
163 CommitmentKey ck(1 << (log_subgroup_size + 1));
164
165 zk_sumcheck_data = ZKData(key->proving_key->log_circuit_size, transcript, ck);
166
167 sumcheck_output = sumcheck.prove(zk_sumcheck_data);
168}
169
176void TranslatorProver::execute_pcs_rounds()
177{
178 using Curve = typename Flavor::Curve;
179 using OpeningClaim = ProverOpeningClaim<Curve>;
180 using SmallSubgroupIPA = SmallSubgroupIPAProver<Flavor>;
181 using PolynomialBatcher = GeminiProver_<Curve>::PolynomialBatcher;
182
183 // Check whether the commitment key has been deallocated and reinitialize it if necessary
184 auto& ck = key->proving_key->commitment_key;
185 if (!ck.initialized()) {
186 ck = CommitmentKey(key->proving_key->circuit_size);
187 }
188
189 SmallSubgroupIPA small_subgroup_ipa_prover(
190 zk_sumcheck_data, sumcheck_output.challenge, sumcheck_output.claimed_libra_evaluation, transcript, ck);
191 small_subgroup_ipa_prover.prove();
192
193 PolynomialBatcher polynomial_batcher(key->proving_key->circuit_size);
194 polynomial_batcher.set_unshifted(key->proving_key->polynomials.get_unshifted_without_interleaved());
195 polynomial_batcher.set_to_be_shifted_by_one(key->proving_key->polynomials.get_to_be_shifted());
196 polynomial_batcher.set_interleaved(key->proving_key->polynomials.get_interleaved(),
197 key->proving_key->polynomials.get_groups_to_be_interleaved());
198
199 const OpeningClaim prover_opening_claim =
200 ShpleminiProver_<Curve>::prove(key->proving_key->circuit_size,
201 polynomial_batcher,
202 sumcheck_output.challenge,
203 ck,
204 transcript,
205 small_subgroup_ipa_prover.get_witness_polynomials());
206
207 PCS::compute_opening_proof(ck, prover_opening_claim, transcript);
208}
209
210HonkProof TranslatorProver::export_proof()
211{
212 return transcript->export_proof();
213}
214
215HonkProof TranslatorProver::construct_proof()
216{
217 BB_BENCH_NAME("TranslatorProver::construct_proof");
218
219 // Add circuit size public input size and public inputs to transcript.
220 execute_preamble_round();
221
222 // Compute first three wire commitments
223 execute_wire_and_sorted_constraints_commitments_round();
224
225 // Fiat-Shamir: gamma
226 // Compute grand product(s) and commitments.
227 execute_grand_product_computation_round();
228
229 // #ifndef __wasm__
230 // Free the commitment key
231 key->proving_key->commitment_key = CommitmentKey();
232 // #endif
233
234 // Fiat-Shamir: alpha
235 // Run sumcheck subprotocol.
236 execute_relation_check_rounds();
237
238 // Fiat-Shamir: rho, y, x, z
239 // Execute Shplemini PCS
240 execute_pcs_rounds();
241 vinfo("computed opening proof");
242 return export_proof();
243}
244
250uint256_t TranslatorProver::get_accumulated_result() const
251{
252 const size_t RESULT_ROW = Flavor::RESULT_ROW;
253 return uint256_t(key->proving_key->polynomials.accumulators_binary_limbs_0[RESULT_ROW]) +
254 (uint256_t(key->proving_key->polynomials.accumulators_binary_limbs_1[RESULT_ROW]) << 68) +
255 (uint256_t(key->proving_key->polynomials.accumulators_binary_limbs_2[RESULT_ROW]) << 136) +
256 (uint256_t(key->proving_key->polynomials.accumulators_binary_limbs_3[RESULT_ROW]) << 204);
257}
258
259} // namespace bb
BB_BENCH_NAME
#define BB_BENCH_NAME(name)
Definition bb_bench.hpp:219
BB_BENCH
#define BB_BENCH()
Definition bb_bench.hpp:223
bb::FixedVKAndHash_
Simple verification key class for fixed-size circuits (ECCVM, Translator).
Definition flavor.hpp:136
bb::GeminiProver_::PolynomialBatcher
Class responsible for computation of the batched multilinear polynomials required by the Gemini proto...
Definition gemini.hpp:126
bb::OpeningClaim
Unverified claim (C,r,v) for some witness polynomial p(X) such that.
Definition claim.hpp:53
bb::Polynomial::random
static Polynomial random(size_t size, size_t start_index=0)
Definition polynomial.hpp:300
bb::ProverOpeningClaim
Polynomial p and an opening pair (r,v) such that p(r) = v.
Definition claim.hpp:34
bb::ShpleminiProver_::prove
static OpeningClaim prove(size_t circuit_size, PolynomialBatcher &polynomial_batcher, std::span< FF > multilinear_challenge, const CommitmentKey< Curve > &commitment_key, const std::shared_ptr< Transcript > &transcript, const std::array< Polynomial, NUM_SMALL_IPA_EVALUATIONS > &libra_polynomials={}, const std::vector< Polynomial > &sumcheck_round_univariates={}, const std::vector< std::array< FF, 3 > > &sumcheck_round_evaluations={})
Definition shplemini.hpp:36
bb::SmallSubgroupIPAProver
A Curve-agnostic ZK protocol to prove inner products of small vectors.
Definition small_subgroup_ipa.hpp:69
bb::SumcheckProver
The implementation of the sumcheck Prover for statements of the form for multilinear polynomials .
Definition sumcheck.hpp:289
bb::TranslatorFlavor::CONST_TRANSLATOR_LOG_N
static constexpr size_t CONST_TRANSLATOR_LOG_N
Definition translator_flavor.hpp:74
bb::TranslatorFlavor::NUM_LIMB_BITS
static constexpr size_t NUM_LIMB_BITS
Definition translator_flavor.hpp:120
bb::TranslatorFlavor::RESULT_ROW
static constexpr size_t RESULT_ROW
Definition translator_flavor.hpp:93
bb::TranslatorProver::commitment_labels
CommitmentLabels commitment_labels
Definition translator_prover.hpp:52
bb::TranslatorProver::CommitmentKey
typename Flavor::CommitmentKey CommitmentKey
Definition translator_prover.hpp:23
bb::TranslatorProver::execute_relation_check_rounds
BB_PROFILE void execute_relation_check_rounds()
Run Sumcheck resulting in u = (u_1,...,u_d) challenges and all evaluations at u being calculated.
Definition translator_prover.cpp:136
bb::TranslatorProver::execute_preamble_round
BB_PROFILE void execute_preamble_round()
Add circuit size and values used in the relations to the transcript.
Definition translator_prover.cpp:32
bb::TranslatorProver::commit_to_witness_polynomial
void commit_to_witness_polynomial(Polynomial &polynomial, const std::string &label)
Utility to commit to witness polynomial and send the commitment to verifier.
Definition translator_prover.cpp:56
bb::TranslatorProver::get_accumulated_result
uint256_t get_accumulated_result() const
Extract the accumulated result from the circuit.
Definition translator_prover.cpp:250
bb::TranslatorProver::TranslatorProver
TranslatorProver(const std::shared_ptr< TranslatorProvingKey > &key, const std::shared_ptr< Transcript > &transcript)
Definition translator_prover.cpp:17
bb::TranslatorProver::execute_grand_product_computation_round
BB_PROFILE void execute_grand_product_computation_round()
Compute permutation product polynomial and commitments.
Definition translator_prover.cpp:92
bb::TranslatorProver::key
std::shared_ptr< TranslatorProvingKey > key
Definition translator_prover.hpp:50
bb::TranslatorProver::relation_parameters
bb::RelationParameters< FF > relation_parameters
Definition translator_prover.hpp:48
bb::TranslatorProver::transcript
std::shared_ptr< Transcript > transcript
Definition translator_prover.hpp:46
bb::TranslatorProver::ZKData
ZKSumcheckData< Flavor > ZKData
Definition translator_prover.hpp:29
bb::TranslatorProver::execute_wire_and_sorted_constraints_commitments_round
BB_PROFILE void execute_wire_and_sorted_constraints_commitments_round()
Compute commitments to wires and ordered range constraints.
Definition translator_prover.cpp:65
bb::TranslatorProver::sumcheck_output
SumcheckOutput< Flavor > sumcheck_output
Definition translator_prover.hpp:56
bb::TranslatorProver::Polynomial
typename Flavor::Polynomial Polynomial
Definition translator_prover.hpp:25
bb::TranslatorProver::execute_pcs_rounds
BB_PROFILE void execute_pcs_rounds()
Produce a univariate opening claim for the sumcheck multivariate evalutions and a batched univariate ...
Definition translator_prover.cpp:176
bb::TranslatorProver::FF
typename Flavor::FF FF
Definition translator_prover.hpp:20
bb::numeric::uint256_t
Definition uint256.hpp:32
zip_view
Definition zip_view.hpp:166
commitment_key.hpp
vinfo
#define vinfo(...)
Definition log.hpp:94
grand_product_library.hpp
key
FF key
Definition indexed_memory_tree.test.cpp:18
bb::numeric::get_msb
constexpr T get_msb(const T in)
Definition get_msb.hpp:47
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
bb::HonkProof
std::vector< fr > HonkProof
Definition proof.hpp:15
bb::ck
CommitmentKey< Curve > ck
Definition ipa.fuzzer.cpp:20
bb::vk
VerifierCommitmentKey< Curve > vk
Definition ipa.fuzzer.cpp:21
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
std::to_string
std::string to_string(bb::avm2::ValueTag tag)
Definition tagged_value.cpp:402
small_subgroup_ipa.hpp
bb::RelationParameters::batching_challenge_v
std::array< std::array< T, NUM_BINARY_LIMBS_IN_GOBLIN_TRANSLATOR+NUM_NATIVE_LIMBS_IN_GOBLIN_TRANSLATOR >, NUM_CHALLENGE_POWERS_IN_GOBLIN_TRANSLATOR > batching_challenge_v
Definition relation_parameters.hpp:48
bb::RelationParameters::accumulated_result
std::array< T, NUM_BINARY_LIMBS_IN_GOBLIN_TRANSLATOR > accumulated_result
Definition relation_parameters.hpp:42
bb::RelationParameters::evaluation_input_x
std::array< T, NUM_BINARY_LIMBS_IN_GOBLIN_TRANSLATOR+NUM_NATIVE_LIMBS_IN_GOBLIN_TRANSLATOR > evaluation_input_x
Definition relation_parameters.hpp:43
translator_prover.hpp