Barretenberg: src/barretenberg/commitment_schemes/kzg/kzg.hpp Source File

// === AUDIT STATUS ===

// internal:    { status: Complete, auditors: [Khashayar], commit: }

// external_1:  { status: not started, auditors: [], commit: }

// external_2:  { status: not started, auditors: [], commit: }

// =====================


#pragma once


#include "barretenberg/commitment_schemes/claim.hpp"

#include "barretenberg/commitment_schemes/commitment_key.hpp"

#include "barretenberg/commitment_schemes/pairing_points.hpp"

#include "barretenberg/commitment_schemes/verification_key.hpp"

#include "barretenberg/common/bb_bench.hpp"

#include "barretenberg/stdlib/primitives/pairing_points.hpp"

#include "barretenberg/transcript/transcript.hpp"


#include <memory>

#include <utility>


namespace bb {


template <typename Curve_> class KZG {

  public:

    using Curve = Curve_;

    using CK = CommitmentKey<Curve>;

    using VK = VerifierCommitmentKey<Curve>;

    using Fr = typename Curve::ScalarField;

    using Commitment = typename Curve::AffineElement;

    using GroupElement = typename Curve::Element;

    using Polynomial = bb::Polynomial<Fr>;

    using PairingPointsType =

        std::conditional_t<Curve::is_stdlib_type, stdlib::recursion::PairingPoints<Curve>, bb::PairingPoints<Curve>>;


    template <typename Transcript>


    static void compute_opening_proof(const CK& ck,

                                      const ProverOpeningClaim<Curve>& opening_claim,

                                      const std::shared_ptr<Transcript>& prover_trancript)

    {

        BB_BENCH_NAME("KZG::compute_opening_proof");

        Polynomial quotient = opening_claim.polynomial;

        OpeningPair<Curve> pair = opening_claim.opening_pair;

        Commitment quotient_commitment;


        if (opening_claim.polynomial.is_empty()) {

            // We treat the empty polynomial as the zero polynomial

            quotient_commitment = Commitment::infinity();

        } else {

            quotient.at(0) = quotient[0] - pair.evaluation;

            // Computes the coefficients for the quotient polynomial q(X) = (p(X) - v) / (X - r) through an FFT

            quotient.factor_roots(pair.challenge);

            quotient_commitment = ck.commit(quotient);

        }


        // TODO(#479): for now we compute the KZG commitment directly to unify the KZG and IPA interfaces but in the

        // future we might need to adjust this to use the incoming alternative to work queue (i.e. variation of

        // pthreads) or even the work queue itself

        prover_trancript->send_to_verifier("KZG:W", quotient_commitment);

    };


    template <typename Transcript>


    static PairingPointsType reduce_verify(const OpeningClaim<Curve>& claim,

                                           const std::shared_ptr<Transcript>& verifier_transcript)

    {

        auto quotient_commitment = verifier_transcript->template receive_from_prover<Commitment>("KZG:W");


        // Note: The pairing check can be expressed naturally as

        // e(C - v * [1]_1, [1]_2) = e([W]_1, [X - r]_2) where C =[p(X)]_1. This can be rearranged (e.g. see the plonk

        // paper) as e(C + r*[W]_1 - v*[1]_1, [1]_2) * e(-[W]_1, [X]_2) = 1, or e(P_0, [1]_2) * e(P_1, [X]_2) = 1

        GroupElement P_0;

        if constexpr (Curve::is_stdlib_type) {

            // Express operation as a batch_mul in order to use Goblinization if available

            auto builder = quotient_commitment.get_context();

            auto one = Fr(builder, 1);

            std::vector<GroupElement> commitments = { claim.commitment,

                                                      quotient_commitment,

                                                      GroupElement::one(builder) };

            std::vector<Fr> scalars = { one, claim.opening_pair.challenge, -claim.opening_pair.evaluation };


            // Compute C + r*[W]_1 + (-v)*[1]_1 as a batch_mul, no need of edge case handling since we don't expect the

            // points to be linearly dependent.

            P_0 = GroupElement::batch_mul(commitments, scalars, /*max_num_bits=*/0, /*with_edgecases=*/false);


        } else {

            P_0 = claim.commitment;

            P_0 += quotient_commitment * claim.opening_pair.challenge;

            P_0 -= GroupElement::one() * claim.opening_pair.evaluation;

        }


        auto P_1 = -quotient_commitment;

        return PairingPointsType(P_0, P_1);

    };


    template <typename Transcript>


    static PairingPointsType reduce_verify_batch_opening_claim(BatchOpeningClaim<Curve>&& batch_opening_claim,

                                                               const std::shared_ptr<Transcript>& transcript,

                                                               const size_t expected_final_msm_size = 0)

    {

        auto quotient_commitment = transcript->template receive_from_prover<Commitment>("KZG:W");


        // OriginTag suppression: The tag system flags patterns like A*α + B where A, B are

        // prover-supplied and α is a challenge derived without hashing them. The quotient commitment

        // W is prover-supplied and scaled by z in C + W·z, so it triggers this pattern.

        // This is a false positive: the pairing check e(C + W·z, [1]₂) · e(−W, [x]₂) = 1 forces W

        // to be the honest quotient commitment, so the prover cannot tamper with it.

        // We assign W the tag of z (evaluation_point): the challenge it is scaled by,

        // so the tag system does not flag the multiplication.

        if constexpr (Curve::is_stdlib_type) {

            const auto challenge_tag = batch_opening_claim.evaluation_point.get_origin_tag();

            quotient_commitment.set_origin_tag(challenge_tag);

        }


        // The pairing check can be expressed as

        // e(C + [W]₁ ⋅ z, [1]₂) * e(−[W]₁, [X]₂) = 1, where C = ∑ commitmentsᵢ ⋅ scalarsᵢ.

        GroupElement P_0;

        // Place the commitment to W to 'commitments'

        batch_opening_claim.commitments.emplace_back(quotient_commitment);

        // Update the scalars by adding the Shplonk evaluation challenge z

        batch_opening_claim.scalars.emplace_back(batch_opening_claim.evaluation_point);


        // Validate the final MSM size if expected size is provided

        if (expected_final_msm_size != 0) {

            if (batch_opening_claim.commitments.size() != expected_final_msm_size) {

                throw_or_abort("KZG verification: unexpected final MSM size " +

                               std::to_string(batch_opening_claim.commitments.size()) + " (expected " +

                               std::to_string(expected_final_msm_size) + ")");

            }

        }


        // Compute C + [W]₁ ⋅ z

        P_0 = GroupElement::batch_mul(batch_opening_claim.commitments,

                                      batch_opening_claim.scalars,

                                      /*max_num_bits=*/0,

                                      /*with_edgecases=*/true);

        auto P_1 = -quotient_commitment;


        return PairingPointsType(P_0, P_1);

    }


};


} // namespace bb

bb_bench.hpp

BB_BENCH_NAME
#define BB_BENCH_NAME(name)
Definition bb_bench.hpp:264

claim.hpp

bb::CommitmentKey
CommitmentKey object over a pairing group 𝔾₁.
Definition commitment_key.hpp:35

bb::KZG
Definition kzg.hpp:22

bb::KZG::Commitment
typename Curve::AffineElement Commitment
Definition kzg.hpp:28

bb::KZG::GroupElement
typename Curve::Element GroupElement
Definition kzg.hpp:29

bb::KZG::Curve
Curve_ Curve
Definition kzg.hpp:24

bb::KZG::reduce_verify
static PairingPointsType reduce_verify(const OpeningClaim< Curve > &claim, const std::shared_ptr< Transcript > &verifier_transcript)
Computes the input points for the pairing check needed to verify a KZG opening claim of a single poly...
Definition kzg.hpp:79

bb::KZG::reduce_verify_batch_opening_claim
static PairingPointsType reduce_verify_batch_opening_claim(BatchOpeningClaim< Curve > &&batch_opening_claim, const std::shared_ptr< Transcript > &transcript, const size_t expected_final_msm_size=0)
Computes the input points for the pairing check needed to verify a KZG opening claim obtained from a ...
Definition kzg.hpp:131

bb::KZG::Fr
typename Curve::ScalarField Fr
Definition kzg.hpp:27

bb::KZG::PairingPointsType
std::conditional_t< Curve::is_stdlib_type, stdlib::recursion::PairingPoints< Curve >, bb::PairingPoints< Curve > > PairingPointsType
Definition kzg.hpp:32

bb::KZG::compute_opening_proof
static void compute_opening_proof(const CK &ck, const ProverOpeningClaim< Curve > &opening_claim, const std::shared_ptr< Transcript > &prover_trancript)
Computes the KZG commitment to an opening proof polynomial at a single evaluation point.
Definition kzg.hpp:43

bb::OpeningClaim
Unverified claim (C,r,v) for some witness polynomial p(X) such that.
Definition claim.hpp:55

bb::OpeningClaim::opening_pair
OpeningPair< Curve > opening_pair
Definition claim.hpp:64

bb::OpeningClaim::commitment
Commitment commitment
Definition claim.hpp:66

bb::OpeningPair
Opening pair (r,v) for some witness polynomial p(X) such that p(r) = v.
Definition claim.hpp:21

bb::PairingPoints
An object storing two EC points that represent the inputs to a pairing check.
Definition pairing_points.hpp:22

bb::Polynomial
Structured polynomial class that represents the coefficients 'a' of a_0 + a_1 x .....
Definition polynomial.hpp:75

bb::Polynomial::is_empty
bool is_empty() const
Definition polynomial.hpp:208

bb::Polynomial::at
Fr & at(size_t index)
Our mutable accessor, unlike operator[]. We abuse precedent a bit to differentiate at() and operator[...
Definition polynomial.hpp:305

bb::Polynomial::factor_roots
void factor_roots(const Fr &root)
Divides p(X) by (X-r) in-place. Assumes that p(rⱼ)=0 for all j.
Definition polynomial.hpp:253

bb::ProverOpeningClaim
Polynomial p and an opening pair (r,v) such that p(r) = v.
Definition claim.hpp:36

bb::ProverOpeningClaim::polynomial
Polynomial polynomial
Definition claim.hpp:41

bb::ProverOpeningClaim::opening_pair
OpeningPair< Curve > opening_pair
Definition claim.hpp:42

bb::VerifierCommitmentKey
Representation of the Grumpkin Verifier Commitment Key inside a bn254 circuit.
Definition verifier_commitment_key.hpp:16

bb::curve::Grumpkin::Element
typename Group::element Element
Definition grumpkin.hpp:63

bb::curve::Grumpkin::is_stdlib_type
static constexpr bool is_stdlib_type
Definition grumpkin.hpp:67

bb::curve::Grumpkin::AffineElement
typename Group::affine_element AffineElement
Definition grumpkin.hpp:64

bb::curve::Grumpkin::ScalarField
bb::fq ScalarField
Definition grumpkin.hpp:60

commitment_key.hpp

pairing_points.hpp

builder
AluTraceBuilder builder
Definition alu.test.cpp:124

bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5

bb::ck
CommitmentKey< Curve > ck
Definition ipa.fuzzer.cpp:20

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

std::to_string
std::string to_string(bb::avm2::ValueTag tag)
Definition tagged_value.cpp:402

pairing_points.hpp

bb::BatchOpeningClaim
An accumulator consisting of the Shplonk evaluation challenge and vectors of commitments and scalars.
Definition claim.hpp:155

throw_or_abort
void throw_or_abort(std::string const &err)
Definition throw_or_abort.hpp:6

transcript.hpp

verification_key.hpp