- Generated by
1.9.8
|
Barretenberg
The ZK-SNARK library at the core of Aztec
|
#include <eccvm_prover.hpp>
Public Types | |
| using | Flavor = ECCVMFlavor |
| using | FF = Flavor::FF |
| using | BF = Flavor::BF |
| using | Commitment = Flavor::Commitment |
| using | CommitmentKey = Flavor::CommitmentKey |
| using | ProvingKey = Flavor::ProvingKey |
| using | Polynomial = Flavor::Polynomial |
| using | CommitmentLabels = Flavor::CommitmentLabels |
| using | Transcript = Flavor::Transcript |
| using | TranslationEvaluations = bb::TranslationEvaluations_< FF > |
| using | CircuitBuilder = Flavor::CircuitBuilder |
| using | ZKData = ZKSumcheckData< Flavor > |
| using | SmallSubgroupIPA = SmallSubgroupIPAProver< Flavor > |
| using | OpeningClaim = ProverOpeningClaim< Flavor::Curve > |
| using | Proof = HonkProof |
Public Member Functions | |
| ECCVMProver (CircuitBuilder &builder, const std::shared_ptr< Transcript > &transcript) | |
| BB_PROFILE void | execute_preamble_round () |
| Fiat-Shamir the VK. | |
| BB_PROFILE void | execute_wire_commitments_round () |
| Compute commitments to the first three wires. | |
| BB_PROFILE void | execute_log_derivative_commitments_round () |
| Compute sorted witness-table accumulator. | |
| BB_PROFILE void | execute_grand_product_computation_round () |
| Compute permutation and lookup grand product polynomials and commitments. | |
| BB_PROFILE void | execute_relation_check_rounds () |
| Run Sumcheck resulting in u = (u_1,...,u_d) challenges and all evaluations at u being calculated. | |
| BB_PROFILE void | execute_pcs_rounds () |
| Produce a univariate opening claim for the sumcheck multivariate evalutions and a batched univariate claim for the transcript polynomials (for the Translator consistency check). Reduce the two opening claims to a single one via Shplonk and produce an opening proof with the univariate PCS of choice (IPA when operating on Grumpkin). | |
| BB_PROFILE void | execute_transcript_consistency_univariate_opening_round () |
| Proof | export_proof () |
| std::pair< Proof, OpeningClaim > | construct_proof () |
| void | compute_translation_opening_claims () |
To link the ECCVM Transcript wires op, Px, Py, z1, and z2 to the accumulator computed by the translator, we verify their evaluations as univariates. For efficiency reasons, we batch these evaluations. | |
Public Attributes | |
| std::shared_ptr< Transcript > | transcript |
| OpeningClaim | batch_opening_claim |
| std::array< OpeningClaim, NUM_OPENING_CLAIMS > | opening_claims |
| TranslationEvaluations | translation_evaluations |
| std::vector< FF > | public_inputs |
| bb::RelationParameters< FF > | relation_parameters |
| std::shared_ptr< ProvingKey > | key |
| CommitmentLabels | commitment_labels |
| ZKData | zk_sumcheck_data |
| FF | evaluation_challenge_x |
| FF | batching_challenge_v |
| SumcheckOutput< Flavor > | sumcheck_output |
Static Public Attributes | |
| static constexpr size_t | NUM_OPENING_CLAIMS = ECCVMFlavor::NUM_TRANSLATION_OPENING_CLAIMS + 1 |
Definition at line 22 of file eccvm_prover.hpp.
| using bb::ECCVMProver::BF = Flavor::BF |
Definition at line 26 of file eccvm_prover.hpp.
Definition at line 34 of file eccvm_prover.hpp.
Definition at line 27 of file eccvm_prover.hpp.
Definition at line 28 of file eccvm_prover.hpp.
Definition at line 31 of file eccvm_prover.hpp.
| using bb::ECCVMProver::FF = Flavor::FF |
Definition at line 25 of file eccvm_prover.hpp.
| using bb::ECCVMProver::Flavor = ECCVMFlavor |
Definition at line 24 of file eccvm_prover.hpp.
Definition at line 37 of file eccvm_prover.hpp.
Definition at line 30 of file eccvm_prover.hpp.
| using bb::ECCVMProver::Proof = HonkProof |
Definition at line 38 of file eccvm_prover.hpp.
Definition at line 29 of file eccvm_prover.hpp.
Definition at line 36 of file eccvm_prover.hpp.
Definition at line 32 of file eccvm_prover.hpp.
Definition at line 33 of file eccvm_prover.hpp.
| using bb::ECCVMProver::ZKData = ZKSumcheckData<Flavor> |
Definition at line 35 of file eccvm_prover.hpp.
|
explicit |
Definition at line 22 of file eccvm_prover.cpp.
| void bb::ECCVMProver::compute_translation_opening_claims | ( | ) |
To link the ECCVM Transcript wires op, Px, Py, z1, and z2 to the accumulator computed by the translator, we verify their evaluations as univariates. For efficiency reasons, we batch these evaluations.
As a sub-protocol of ECCVM, we are batch opening the op, Px, Py, z1, and z2 wires as univariates (as opposed to their openings as multilinears performed after Sumcheck). We often refer to these polynomials as translation_polynomials \( T_i \) for \( i=0, \ldots, 4\). Below, the evaluation_challenge_x is denoted by \( x \) and batching_challenge_v is denoted by \(v\).
The batched translation evaluation
\begin{align} \sum_{i=0}^4 T_i(x) \cdot v^i \end{align}
is used by the TranslatorVerifier to bind the ECCOpQueues over BN254 and Grumpkin. Namely, we check that the field element \( A = \text{accumulated_result} \) accumulated from the Ultra ECCOpQueue by TranslatorProver satisfies
\begin{align} x\cdot A = \sum_{i=0}^4 T_i(x) \cdot v^i, \end{align}
where \( x \) is an artifact of our implementation of shiftable polynomials.
The translation polynomials \( T_i \) contain random masking values in their first TRACE_OFFSET coefficients. Commitments to the masked \( T_i \) are safe to reveal, but the evaluations \( T_i(x) \) include the masking contribution. To preserve ZK, the prover uses SmallSubgroupIPA to prove the masking correction: the masking terms from all five \( T_i \) are concatenated into a polynomial \( M \) over a small subgroup \( H \), and the verifier recovers \( \sum_i m_i(x) \cdot v^i \) via an inner-product argument without learning the individual masking values.
opening_claims. Definition at line 250 of file eccvm_prover.cpp.
| std::pair< ECCVMProver::Proof, ECCVMProver::OpeningClaim > bb::ECCVMProver::construct_proof | ( | ) |
Definition at line 207 of file eccvm_prover.cpp.
| void bb::ECCVMProver::execute_grand_product_computation_round | ( | ) |
Compute permutation and lookup grand product polynomials and commitments.
Definition at line 117 of file eccvm_prover.cpp.
| void bb::ECCVMProver::execute_log_derivative_commitments_round | ( | ) |
Compute sorted witness-table accumulator.
Definition at line 77 of file eccvm_prover.cpp.
| void bb::ECCVMProver::execute_pcs_rounds | ( | ) |
Produce a univariate opening claim for the sumcheck multivariate evalutions and a batched univariate claim for the transcript polynomials (for the Translator consistency check). Reduce the two opening claims to a single one via Shplonk and produce an opening proof with the univariate PCS of choice (IPA when operating on Grumpkin).
Definition at line 161 of file eccvm_prover.cpp.
| void bb::ECCVMProver::execute_preamble_round | ( | ) |
Fiat-Shamir the VK.
Definition at line 40 of file eccvm_prover.cpp.
| void bb::ECCVMProver::execute_relation_check_rounds | ( | ) |
Run Sumcheck resulting in u = (u_1,...,u_d) challenges and all evaluations at u being calculated.
Definition at line 130 of file eccvm_prover.cpp.
| BB_PROFILE void bb::ECCVMProver::execute_transcript_consistency_univariate_opening_round | ( | ) |
| void bb::ECCVMProver::execute_wire_commitments_round | ( | ) |
Compute commitments to the first three wires.
Definition at line 55 of file eccvm_prover.cpp.
| ECCVMProver::Proof bb::ECCVMProver::export_proof | ( | ) |
Definition at line 202 of file eccvm_prover.cpp.
| OpeningClaim bb::ECCVMProver::batch_opening_claim |
Definition at line 56 of file eccvm_prover.hpp.
| FF bb::ECCVMProver::batching_challenge_v |
Definition at line 75 of file eccvm_prover.hpp.
| CommitmentLabels bb::ECCVMProver::commitment_labels |
Definition at line 71 of file eccvm_prover.hpp.
| FF bb::ECCVMProver::evaluation_challenge_x |
Definition at line 74 of file eccvm_prover.hpp.
| std::shared_ptr<ProvingKey> bb::ECCVMProver::key |
Definition at line 69 of file eccvm_prover.hpp.
|
staticconstexpr |
Definition at line 60 of file eccvm_prover.hpp.
| std::array<OpeningClaim, NUM_OPENING_CLAIMS> bb::ECCVMProver::opening_claims |
Definition at line 61 of file eccvm_prover.hpp.
| std::vector<FF> bb::ECCVMProver::public_inputs |
Definition at line 65 of file eccvm_prover.hpp.
| bb::RelationParameters<FF> bb::ECCVMProver::relation_parameters |
Definition at line 67 of file eccvm_prover.hpp.
| SumcheckOutput<Flavor> bb::ECCVMProver::sumcheck_output |
Definition at line 77 of file eccvm_prover.hpp.
| std::shared_ptr<Transcript> bb::ECCVMProver::transcript |
Definition at line 53 of file eccvm_prover.hpp.
| TranslationEvaluations bb::ECCVMProver::translation_evaluations |
Definition at line 63 of file eccvm_prover.hpp.
| ZKData bb::ECCVMProver::zk_sumcheck_data |
Definition at line 72 of file eccvm_prover.hpp.
1.9.8