Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
shplemini.hpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: Complete, auditors: [Khashayar], commit: }
3// external_1: { status: not started, auditors: [], commit: }
4// external_2: { status: not started, auditors: [], commit: }
5// =====================
6
7#pragma once
8#include "barretenberg/commitment_schemes/claim.hpp"
9#include "barretenberg/commitment_schemes/claim_batcher.hpp"
10#include "barretenberg/commitment_schemes/commitment_key.hpp"
11#include "barretenberg/commitment_schemes/gemini/gemini_impl.hpp"
12#include "barretenberg/commitment_schemes/shplonk/shplonk.hpp"
13#include "barretenberg/commitment_schemes/small_subgroup_ipa/small_subgroup_ipa.hpp"
14#include "barretenberg/commitment_schemes/verification_key.hpp"
15#include "barretenberg/common/bb_bench.hpp"
16#include "barretenberg/flavor/repeated_commitments_data.hpp"
17#include "barretenberg/sumcheck/zk_sumcheck_data.hpp"
18#include "barretenberg/transcript/origin_tag.hpp"
19#include "barretenberg/transcript/transcript.hpp"
20
21namespace bb {
22
23template <typename Curve> class ShpleminiProver_ {
24 public:
25 using FF = typename Curve::ScalarField;
26 using GroupElement = typename Curve::Element;
27 using Commitment = typename Curve::AffineElement;
28 using Polynomial = bb::Polynomial<FF>;
29 using OpeningClaim = ProverOpeningClaim<Curve>;
30
31 using VK = CommitmentKey<Curve>;
32 using ShplonkProver = ShplonkProver_<Curve>;
33 using GeminiProver = GeminiProver_<Curve>;
34 using PolynomialBatcher = GeminiProver::PolynomialBatcher;
35
36 template <typename Transcript>
37 static OpeningClaim prove(size_t circuit_size,
38 PolynomialBatcher& polynomial_batcher,
39 std::span<FF> multilinear_challenge,
40 const CommitmentKey<Curve>& commitment_key,
41 const std::shared_ptr<Transcript>& transcript,
42 const std::array<Polynomial, NUM_SMALL_IPA_EVALUATIONS>& libra_polynomials = {},
43 const std::vector<Polynomial>& sumcheck_round_univariates = {},
44 const std::vector<std::array<FF, 3>>& sumcheck_round_evaluations = {})
45 {
46 BB_BENCH_NAME("ShpleminiProver::prove");
47 // While Shplemini is not templated on Flavor, we derive ZK flag this way
48 const bool has_zk = (libra_polynomials[0].size() > 0);
49
50 // When padding is enabled, the size of the multilinear challenge may be bigger than the log of `circuit_size`.
51 const size_t virtual_log_n = multilinear_challenge.size();
52
53 std::vector<OpeningClaim> opening_claims = GeminiProver::prove(
54 circuit_size, polynomial_batcher, multilinear_challenge, commitment_key, transcript, has_zk);
55 // Create opening claims for Libra masking univariates and Sumcheck Round Univariates
56 std::vector<OpeningClaim> libra_opening_claims;
57
58 if (has_zk) {
59 const auto gemini_r = opening_claims[0].opening_pair.challenge;
60 libra_opening_claims = compute_libra_opening_claims(gemini_r, libra_polynomials, transcript);
61 }
62
63 // Currently, only used in ECCVM.
64 std::vector<OpeningClaim> sumcheck_round_claims;
65
66 if (!sumcheck_round_univariates.empty()) {
67 sumcheck_round_claims = compute_sumcheck_round_claims(
68 circuit_size, multilinear_challenge, sumcheck_round_univariates, sumcheck_round_evaluations);
69 }
70
71 return ShplonkProver::prove(
72 commitment_key, opening_claims, transcript, libra_opening_claims, sumcheck_round_claims, virtual_log_n);
73 };
74
80 template <typename Transcript>
81 static std::vector<OpeningClaim> compute_libra_opening_claims(
82 const FF gemini_r,
83 const std::array<Polynomial, NUM_SMALL_IPA_EVALUATIONS>& libra_polynomials,
84 const std::shared_ptr<Transcript>& transcript)
85 {
86 OpeningClaim new_claim;
87
88 std::vector<OpeningClaim> libra_opening_claims = {};
89
90 static constexpr FF subgroup_generator = Curve::subgroup_generator;
91
92 std::array<std::string, NUM_SMALL_IPA_EVALUATIONS> libra_eval_labels = {
93 "Libra:concatenation_eval", "Libra:shifted_grand_sum_eval", "Libra:grand_sum_eval", "Libra:quotient_eval"
94 };
95 const std::array<FF, NUM_SMALL_IPA_EVALUATIONS> evaluation_points = {
96 gemini_r, gemini_r * subgroup_generator, gemini_r, gemini_r
97 };
98 for (size_t idx = 0; idx < NUM_SMALL_IPA_EVALUATIONS; idx++) {
99 new_claim.polynomial = std::move(libra_polynomials[idx]);
100 new_claim.opening_pair.challenge = evaluation_points[idx];
101 new_claim.opening_pair.evaluation = new_claim.polynomial.evaluate(evaluation_points[idx]);
102 transcript->send_to_verifier(libra_eval_labels[idx], new_claim.opening_pair.evaluation);
103 libra_opening_claims.push_back(new_claim);
104 }
105
106 return libra_opening_claims;
107 }
108
114 static std::vector<OpeningClaim> compute_sumcheck_round_claims(
115 size_t circuit_size,
116 std::span<FF> multilinear_challenge,
117 const std::vector<Polynomial>& sumcheck_round_univariates,
118 const std::vector<std::array<FF, 3>>& sumcheck_round_evaluations)
119 {
120 OpeningClaim new_claim;
121 std::vector<OpeningClaim> sumcheck_round_claims = {};
122
123 const size_t log_n = numeric::get_msb(circuit_size);
124 for (size_t idx = 0; idx < log_n; idx++) {
125 const std::vector<FF> evaluation_points = { FF(0), FF(1), multilinear_challenge[idx] };
126 size_t eval_idx = 0;
127 new_claim.polynomial = std::move(sumcheck_round_univariates[idx]);
128
129 for (auto& eval_point : evaluation_points) {
130 new_claim.opening_pair.challenge = eval_point;
131 new_claim.opening_pair.evaluation = sumcheck_round_evaluations[idx][eval_idx];
132 sumcheck_round_claims.push_back(new_claim);
133 eval_idx++;
134 }
135 }
136
137 return sumcheck_round_claims;
138 }
139};
140
169template <typename Curve, bool HasZK> struct ShpleminiVerifierOutput_ {
170 BatchOpeningClaim<Curve> batch_opening_claim;
171};
176
177template <typename Curve, bool HasZK = false> class ShpleminiVerifier_ {
178 using Fr = typename Curve::ScalarField;
179 using GroupElement = typename Curve::Element;
180 using Commitment = typename Curve::AffineElement;
181 using VK = VerifierCommitmentKey<Curve>;
182 using ShplonkVerifier = ShplonkVerifier_<Curve>;
183 using GeminiVerifier = GeminiVerifier_<Curve>;
184 using ClaimBatcher = ClaimBatcher_<Curve>;
185 using ShpleminiVerifierOutput = ShpleminiVerifierOutput_<Curve, HasZK>;
186
187 public:
215 template <typename Transcript>
216 static ShpleminiVerifierOutput compute_batch_opening_claim(
217 ClaimBatcher& claim_batcher,
218 const std::vector<Fr>& multivariate_challenge,
219 const Commitment& g1_identity,
220 const std::shared_ptr<Transcript>& transcript,
221 const RepeatedCommitmentsData& repeated_commitments = {},
222 const std::array<Commitment, NUM_LIBRA_COMMITMENTS>& libra_commitments = {},
223 const Fr& libra_univariate_evaluation = Fr{ 0 },
224 const std::vector<Commitment>& sumcheck_round_commitments = {},
225 const std::vector<std::array<Fr, 3>>& sumcheck_round_evaluations = {})
226
227 {
228 const size_t virtual_log_n = multivariate_challenge.size();
229
230 const bool committed_sumcheck = !sumcheck_round_evaluations.empty();
231
232 Fr batched_evaluation = Fr{ 0 };
233
234 // Get the challenge ρ to batch commitments to multilinear polynomials and their shifts
235 const Fr gemini_batching_challenge = transcript->template get_challenge<Fr>("rho");
236
237 // Process Gemini transcript data:
238 // - Get Gemini commitments (com(A₁), com(A₂), … , com(Aₙ₋₁))
239 const std::vector<Commitment> fold_commitments =
240 GeminiVerifier::get_fold_commitments(virtual_log_n, transcript);
241 // - Get Gemini evaluation challenge r, that is used to open the Gemini fold polynomials Aᵢ, i = 0, … , d−1 on
242 // r^{2^i}
243 const Fr gemini_evaluation_challenge = transcript->template get_challenge<Fr>("Gemini:r");
244
245 // - Get negative fold evaluations (A₀(−r), A₁(−r²), ... , Aₙ₋₁(−r²⁽ⁿ⁻¹⁾))
246 std::vector<Fr> gemini_fold_neg_evaluations = GeminiVerifier::get_gemini_evaluations(virtual_log_n, transcript);
247
248 // - Compute vector (r, r², ... , r^{2^{d-1}}), where d = log_n
249 const std::vector<Fr> gemini_eval_challenge_powers =
250 gemini::powers_of_evaluation_challenge(gemini_evaluation_challenge, virtual_log_n);
251
252 std::array<Fr, NUM_SMALL_IPA_EVALUATIONS> libra_evaluations;
253 // In case of ZK, get the evaluations of Libra univariates from the transcript
254 if constexpr (HasZK) {
255 libra_evaluations[0] = transcript->template receive_from_prover<Fr>("Libra:concatenation_eval");
256 libra_evaluations[1] = transcript->template receive_from_prover<Fr>("Libra:shifted_grand_sum_eval");
257 libra_evaluations[2] = transcript->template receive_from_prover<Fr>("Libra:grand_sum_eval");
258 libra_evaluations[3] = transcript->template receive_from_prover<Fr>("Libra:quotient_eval");
259
260 // OriginTag false positive: Libra evaluations need to satisfy an identity where they
261 // are mixing without challenge, it is safe because these evaluations are opened in Shplonk.
262 if constexpr (Curve::is_stdlib_type) {
263 for (auto& eval : libra_evaluations) {
264 eval.clear_round_provenance();
265 }
266 }
267 }
268
269 // Process Shplonk transcript data:
270 // - Get Shplonk batching challenge
271 const Fr shplonk_batching_challenge = transcript->template get_challenge<Fr>("Shplonk:nu");
272
273 // Compute the powers of ν that are required for batching Gemini, SmallSubgroupIPA, and committed sumcheck
274 // univariate opening claims.
275 const std::vector<Fr> shplonk_batching_challenge_powers = compute_shplonk_batching_challenge_powers(
276 shplonk_batching_challenge, virtual_log_n, HasZK, committed_sumcheck);
277 // - Get the quotient commitment for the Shplonk batching of Gemini opening claims
278 const auto Q_commitment = transcript->template receive_from_prover<Commitment>("Shplonk:Q");
279
280 // Start populating the vector (Q, f₀, ... , fₖ₋₁, g₀, ... , gₘ₋₁, com(A₁), ... , com(A_{d-1}), [1]₁) where fᵢ
281 // are the k commitments to unshifted polynomials and gⱼ are the m commitments to shifted polynomials
282 std::vector<Commitment> commitments{ Q_commitment };
283
284 // Get Shplonk opening point z
285 const Fr shplonk_evaluation_challenge = transcript->template get_challenge<Fr>("Shplonk:z");
286
287 // OriginTag false positive: All evaluations received above are PCS-bound.
288 // The prover cannot choose them freely because they must satisfy the batched opening equation
289 // verified by the pairing check. Tag them with the shplonk evaluation challenge.
290 if constexpr (Curve::is_stdlib_type) {
291 const auto challenge_tag = shplonk_evaluation_challenge.get_origin_tag();
292 // Tag the Gemini fold evaluations
293 for (auto& eval : gemini_fold_neg_evaluations) {
294 eval.set_origin_tag(challenge_tag);
295 }
296 }
297
298 // Start computing the scalar to be multiplied by [1]₁
299 Fr constant_term_accumulator = Fr(0);
300
301 // Initialize the vector of scalars placing the scalar 1 corresponding to Q_commitment
302 std::vector<Fr> scalars;
303
304 scalars.emplace_back(Fr(1));
305
306 // Compute 1/(z − r), 1/(z + r), 1/(z - r²), 1/(z + r²), … , 1/(z - r^{2^{d-1}}), 1/(z + r^{2^{d-1}})
307 // These represent the denominators of the summand terms in Shplonk partially evaluated polynomial Q_z
308 const std::vector<Fr> inverse_vanishing_evals = ShplonkVerifier::compute_inverted_gemini_denominators(
309 shplonk_evaluation_challenge, gemini_eval_challenge_powers);
310
311 // Compute the additional factors to be multiplied with unshifted and shifted commitments when lazily
312 // reconstructing the commitment of Q_z
313 // For unshifted values, the scalar is computed as (1/(z−r) + ν/(z+r))
314 // For shifted values, the scalar is computed as r⁻¹ ⋅ (1/(z−r) − ν/(z+r))
315 claim_batcher.compute_scalars_for_each_batch(
316 inverse_vanishing_evals, shplonk_batching_challenge, gemini_evaluation_challenge);
317
318 // Place the commitments to prover polynomials in the commitments vector. Compute the evaluation of the
319 // batched multilinear polynomial. Populate the vector of scalars for the final batch mul
320 claim_batcher.update_batch_mul_inputs_and_batched_evaluation(
321 commitments, scalars, batched_evaluation, gemini_batching_challenge);
322
323 // Reconstruct Aᵢ(r²ⁱ) for i=0, ..., d - 1 from the batched evaluation of the multilinear polynomials and
324 // Aᵢ(−r²ⁱ) for i = 0, ..., d - 1.
325 const std::vector<Fr> gemini_fold_pos_evaluations = GeminiVerifier_<Curve>::compute_fold_pos_evaluations(
326 batched_evaluation, multivariate_challenge, gemini_eval_challenge_powers, gemini_fold_neg_evaluations);
327
328 // Place the commitments to Gemini fold polynomials Aᵢ in the vector of batch_mul commitments, compute the
329 // contributions from Aᵢ(−r²ⁱ) for i=1, … , d − 1 to the constant term accumulator, add corresponding scalars
330 // for the batch mul
331 batch_gemini_claims_received_from_prover(fold_commitments,
332 gemini_fold_neg_evaluations,
333 gemini_fold_pos_evaluations,
334 inverse_vanishing_evals,
335 shplonk_batching_challenge_powers,
336 commitments,
337 scalars,
338 constant_term_accumulator);
339 const Fr a_0_pos = gemini_fold_pos_evaluations[0];
340 // Add contributions from A₀₊(r) and A₀₋(-r) to constant_term_accumulator:
341 // Add A₀₊(r)/(z−r) to the constant term accumulator
342 constant_term_accumulator += a_0_pos * inverse_vanishing_evals[0];
343 // Add A₀₋(-r)/(z+r) to the constant term accumulator
344 constant_term_accumulator +=
345 gemini_fold_neg_evaluations[0] * shplonk_batching_challenge * inverse_vanishing_evals[1];
346
347 remove_repeated_commitments(commitments, scalars, repeated_commitments, HasZK);
348 // An optional boolean flag for SmallSubgroupIPAVerifier to check the consistency of the Libra evaluations
349 bool consistency_checked = true;
350 // For ZK flavors, the sumcheck output contains the evaluations of Libra univariates that submitted to the
351 // ShpleminiVerifier, otherwise this argument is set to be empty
352 if constexpr (HasZK) {
353 add_zk_data(virtual_log_n,
354 commitments,
355 scalars,
356 constant_term_accumulator,
357 libra_commitments,
358 libra_evaluations,
359 gemini_evaluation_challenge,
360 shplonk_batching_challenge_powers,
361 shplonk_evaluation_challenge);
362
363 consistency_checked = SmallSubgroupIPAVerifier<Curve>::check_libra_evaluations_consistency(
364 libra_evaluations, gemini_evaluation_challenge, multivariate_challenge, libra_univariate_evaluation);
365 }
366
367 // Used in ECCVM and BatchedHonkTranslator. The nu power offset in batch_sumcheck_round_claims
368 // assumes ZK claims (NUM_SMALL_IPA_EVALUATIONS) precede sumcheck round claims in the batching order.
369 if (committed_sumcheck) {
370 if constexpr (!HasZK) {
371 throw_or_abort("Shplemini: committed sumcheck requires ZK for correct nu power indexing");
372 }
373 batch_sumcheck_round_claims(commitments,
374 scalars,
375 constant_term_accumulator,
376 multivariate_challenge,
377 shplonk_batching_challenge_powers,
378 shplonk_evaluation_challenge,
379 sumcheck_round_commitments,
380 sumcheck_round_evaluations);
381 }
382
383 // Finalize the batch opening claim
384 commitments.emplace_back(g1_identity);
385 scalars.emplace_back(constant_term_accumulator);
386
387 BatchOpeningClaim<Curve> batch_opening_claim{ commitments, scalars, shplonk_evaluation_challenge };
388 ShpleminiVerifierOutput output = [&]() {
389 if constexpr (HasZK) {
390 return ShpleminiVerifierOutput{ batch_opening_claim, consistency_checked };
391 } else {
392 return ShpleminiVerifierOutput{ batch_opening_claim };
393 }
394 }();
395 return output;
396 };
397
439 static void batch_gemini_claims_received_from_prover(const std::vector<Commitment>& fold_commitments,
440 std::span<const Fr> gemini_neg_evaluations,
441 std::span<const Fr> gemini_pos_evaluations,
442 std::span<const Fr> inverse_vanishing_evals,
443 std::span<const Fr> shplonk_batching_challenge_powers,
444 std::vector<Commitment>& commitments,
445 std::vector<Fr>& scalars,
446 Fr& constant_term_accumulator)
447 {
448 const size_t virtual_log_n = gemini_neg_evaluations.size();
449 // Start from 1, because the commitment to A_0 is reconstructed from the commitments to the multilinear
450 // polynomials. The corresponding evaluations are also handled separately.
451 for (size_t j = 1; j < virtual_log_n; ++j) {
452 // The index of 1/ (z - r^{2^{j}}) in the vector of inverted Gemini denominators
453 const size_t pos_index = 2 * j;
454 // The index of 1/ (z + r^{2^{j}}) in the vector of inverted Gemini denominators
455 const size_t neg_index = (2 * j) + 1;
456
457 // Compute the "positive" scaling factor (ν^{2j}) / (z - r^{2^{j}})
458 Fr scaling_factor_pos = shplonk_batching_challenge_powers[pos_index] * inverse_vanishing_evals[pos_index];
459 // Compute the "negative" scaling factor (ν^{2j+1}) / (z + r^{2^{j}})
460 Fr scaling_factor_neg = shplonk_batching_challenge_powers[neg_index] * inverse_vanishing_evals[neg_index];
461
462 // Accumulate the const term contribution given by
463 // v^{2j} * A_j(r^{2^j}) /(z - r^{2^j}) + v^{2j+1} * A_j(-r^{2^j}) /(z+ r^{2^j})
464 constant_term_accumulator +=
465 scaling_factor_neg * gemini_neg_evaluations[j] + scaling_factor_pos * gemini_pos_evaluations[j];
466
467 // Place the scaling factor to the 'scalars' vector
468 scalars.emplace_back(-(scaling_factor_neg + scaling_factor_pos));
469 // Move com(Aᵢ) to the 'commitments' vector
470 commitments.emplace_back(std::move(fold_commitments[j - 1]));
471 }
472 }
473
484 static void remove_repeated_commitments(std::vector<Commitment>& commitments,
485 std::vector<Fr>& scalars,
486 const RepeatedCommitmentsData& repeated_commitments,
487 bool has_zk)
488 {
489 // The commitments/scalars vectors start with Shplonk:Q (and Gemini:masking_poly_comm if ZK)
490 // before the prover polynomial commitments, so offset the AllEntities indices accordingly.
491 const size_t offset = has_zk ? 2 : 1;
492
493 const auto& r1 = repeated_commitments.first;
494 const auto& r2 = repeated_commitments.second;
495 const size_t first_original_start = r1.original_start + offset;
496 const size_t first_duplicate_start = r1.duplicate_start + offset;
497 const size_t second_original_start = r2.original_start + offset;
498 const size_t second_duplicate_start = r2.duplicate_start + offset;
499
500 // Fold duplicate scalars into their originals
501 for (size_t i = 0; i < r1.count; i++) {
502 scalars[i + first_original_start] = scalars[i + first_original_start] + scalars[i + first_duplicate_start];
503 }
504 for (size_t i = 0; i < r2.count; i++) {
505 scalars[i + second_original_start] =
506 scalars[i + second_original_start] + scalars[i + second_duplicate_start];
507 }
508
509 // Erase the duplicate entries (higher-index range first to preserve lower indices)
510 // Each erase shifts elements down, so duplicate_start always points to the next duplicate;
511 // the original at original_start + i is unaffected since we erase higher-index ranges first.
512 // Commitment equality (original == duplicate) is verified by per-flavor
513 // RepeatedCommitmentsIndicesCorrect tests rather than at runtime here.
514 auto erase_range = [&](size_t duplicate_start, [[maybe_unused]] size_t original_start, size_t count) {
515 for (size_t i = 0; i < count; ++i) {
516 scalars.erase(scalars.begin() + static_cast<std::ptrdiff_t>(duplicate_start));
517 commitments.erase(commitments.begin() + static_cast<std::ptrdiff_t>(duplicate_start));
518 }
519 };
520 if (second_duplicate_start > first_duplicate_start) {
521 erase_range(second_duplicate_start, second_original_start, r2.count);
522 erase_range(first_duplicate_start, first_original_start, r1.count);
523 } else {
524 erase_range(first_duplicate_start, first_original_start, r1.count);
525 erase_range(second_duplicate_start, second_original_start, r2.count);
526 }
527 }
528
546 static void add_zk_data(const size_t virtual_log_n,
547 std::vector<Commitment>& commitments,
548 std::vector<Fr>& scalars,
549 Fr& constant_term_accumulator,
550 const std::array<Commitment, NUM_LIBRA_COMMITMENTS>& libra_commitments,
551 const std::array<Fr, NUM_SMALL_IPA_EVALUATIONS>& libra_evaluations,
552 const Fr& gemini_evaluation_challenge,
553 const std::vector<Fr>& shplonk_batching_challenge_powers,
554 const Fr& shplonk_evaluation_challenge)
555
556 {
557 // add Libra commitments to the vector of commitments
558 for (size_t idx = 0; idx < libra_commitments.size(); idx++) {
559 commitments.push_back(libra_commitments[idx]);
560 }
561
562 // compute corresponding scalars and the correction to the constant term
563 std::array<Fr, NUM_SMALL_IPA_EVALUATIONS> denominators;
564 std::array<Fr, NUM_SMALL_IPA_EVALUATIONS> batching_scalars;
565 // compute Shplonk denominators and invert them
566 denominators[0] = Fr(1) / (shplonk_evaluation_challenge - gemini_evaluation_challenge);
567 denominators[1] =
568 Fr(1) / (shplonk_evaluation_challenge - Fr(Curve::subgroup_generator) * gemini_evaluation_challenge);
569 denominators[2] = denominators[0];
570 denominators[3] = denominators[0];
571
572 // compute the scalars to be multiplied against the commitments [libra_concatenated], [grand_sum], [grand_sum],
573 // and [libra_quotient]
574 for (size_t idx = 0; idx < NUM_SMALL_IPA_EVALUATIONS; idx++) {
575 Fr scaling_factor = denominators[idx] * shplonk_batching_challenge_powers[2 * virtual_log_n + idx];
576 batching_scalars[idx] = -scaling_factor;
577 constant_term_accumulator += scaling_factor * libra_evaluations[idx];
578 }
579
580 // to save a scalar mul, add the sum of the batching scalars corresponding to the big sum evaluations
581 scalars.push_back(batching_scalars[0]);
582 scalars.push_back(batching_scalars[1] + batching_scalars[2]);
583 scalars.push_back(batching_scalars[3]);
584 }
585
629 static void batch_sumcheck_round_claims(std::vector<Commitment>& commitments,
630 std::vector<Fr>& scalars,
631 Fr& constant_term_accumulator,
632 const std::vector<Fr>& multilinear_challenge,
633 const std::vector<Fr>& shplonk_batching_challenge_powers,
634 const Fr& shplonk_evaluation_challenge,
635 const std::vector<Commitment>& sumcheck_round_commitments,
636 const std::vector<std::array<Fr, 3>>& sumcheck_round_evaluations)
637 {
638
639 std::vector<Fr> denominators = {};
640
641 // The number of Gemini claims is equal to `2 * log_n` and `log_n` is equal to the size of
642 // `multilinear_challenge`, as this method is never used with padding.
643 const size_t num_gemini_claims = 2 * multilinear_challenge.size();
644 // Denominators for the opening claims at 0 and 1. Need to be computed only once as opposed to the claims at the
645 // sumcheck round challenges.
646 std::array<Fr, 2> const_denominators;
647
648 const_denominators[0] = Fr(1) / (shplonk_evaluation_challenge);
649 const_denominators[1] = Fr(1) / (shplonk_evaluation_challenge - Fr{ 1 });
650
651 // Compute the denominators corresponding to the evaluation claims at the round challenges and add the
652 // commitments to the sumcheck round univariates to the vector of commitments
653 for (const auto& [challenge, comm] : zip_view(multilinear_challenge, sumcheck_round_commitments)) {
654 denominators.push_back(shplonk_evaluation_challenge - challenge);
655 commitments.push_back(comm);
656 }
657
658 // Invert denominators
659 if constexpr (!Curve::is_stdlib_type) {
660 Fr::batch_invert(denominators);
661 } else {
662 for (auto& denominator : denominators) {
663 denominator = Fr{ 1 } / denominator;
664 }
665 }
666
667 // Each commitment to a sumcheck round univariate [S_i] is multiplied by the sum of three scalars corresponding
668 // to the evaluations at 0, 1, and the round challenge u_i.
669 // Compute the power of `shplonk_batching_challenge` to add sumcheck univariate commitments and evaluations to
670 // the batch.
671 size_t power = num_gemini_claims + NUM_SMALL_IPA_EVALUATIONS;
672 for (const auto& [eval_array, denominator] : zip_view(sumcheck_round_evaluations, denominators)) {
673 // Initialize batched_scalar corresponding to 3 evaluations claims
674 Fr batched_scalar = Fr(0);
675 Fr const_term_contribution = Fr(0);
676 // Compute the contribution from the evaluations at 0 and 1
677 for (size_t idx = 0; idx < 2; idx++) {
678 Fr current_scaling_factor = const_denominators[idx] * shplonk_batching_challenge_powers[power++];
679 batched_scalar -= current_scaling_factor;
680 const_term_contribution += current_scaling_factor * eval_array[idx];
681 }
682
683 // Compute the contribution from the evaluation at the challenge u_i
684 Fr current_scaling_factor = denominator * shplonk_batching_challenge_powers[power++];
685 batched_scalar -= current_scaling_factor;
686 const_term_contribution += current_scaling_factor * eval_array[2];
687
688 // Update Shplonk constant term accumulator
689 constant_term_accumulator += const_term_contribution;
690 scalars.push_back(batched_scalar);
691 }
692 };
693};
694} // namespace bb
bb_bench.hpp
BB_BENCH_NAME
#define BB_BENCH_NAME(name)
Definition bb_bench.hpp:264
claim_batcher.hpp
bb::CommitmentKey
CommitmentKey object over a pairing group 𝔾₁.
Definition commitment_key.hpp:35
bb::GeminiProver_::PolynomialBatcher
Class responsible for computation of the batched multilinear polynomials required by the Gemini proto...
Definition gemini.hpp:128
bb::GeminiProver_
Definition gemini.hpp:107
bb::GeminiProver_::prove
static std::vector< Claim > prove(size_t circuit_size, PolynomialBatcher &polynomial_batcher, std::span< Fr > multilinear_challenge, const CommitmentKey< Curve > &commitment_key, const std::shared_ptr< Transcript > &transcript, bool has_zk=false)
bb::GeminiVerifier_
Gemini Verifier utility methods used by ShpleminiVerifier.
Definition gemini.hpp:300
bb::GeminiVerifier_::compute_fold_pos_evaluations
static std::vector< Fr > compute_fold_pos_evaluations(const Fr &batched_evaluation, std::span< const Fr > evaluation_point, std::span< const Fr > challenge_powers, std::span< const Fr > fold_neg_evals)
Compute .
Definition gemini.hpp:369
bb::GeminiVerifier_::get_fold_commitments
static std::vector< Commitment > get_fold_commitments(const size_t virtual_log_n, auto &transcript)
Receive the fold commitments from the prover. This method is used by Shplemini where padding may be e...
Definition gemini.hpp:313
bb::GeminiVerifier_::get_gemini_evaluations
static std::vector< Fr > get_gemini_evaluations(const size_t virtual_log_n, auto &transcript)
Receive the fold evaluations from the prover. This method is used by Shplemini where padding may be e...
Definition gemini.hpp:334
bb::Polynomial::evaluate
Fr evaluate(const Fr &z) const
Definition polynomial.cpp:192
bb::ProverOpeningClaim
Polynomial p and an opening pair (r,v) such that p(r) = v.
Definition claim.hpp:36
bb::ProverOpeningClaim::polynomial
Polynomial polynomial
Definition claim.hpp:41
bb::ProverOpeningClaim::opening_pair
OpeningPair< Curve > opening_pair
Definition claim.hpp:42
bb::ShpleminiProver_
Definition shplemini.hpp:23
bb::ShpleminiProver_::prove
static OpeningClaim prove(size_t circuit_size, PolynomialBatcher &polynomial_batcher, std::span< FF > multilinear_challenge, const CommitmentKey< Curve > &commitment_key, const std::shared_ptr< Transcript > &transcript, const std::array< Polynomial, NUM_SMALL_IPA_EVALUATIONS > &libra_polynomials={}, const std::vector< Polynomial > &sumcheck_round_univariates={}, const std::vector< std::array< FF, 3 > > &sumcheck_round_evaluations={})
Definition shplemini.hpp:37
bb::ShpleminiProver_::GroupElement
typename Curve::Element GroupElement
Definition shplemini.hpp:26
bb::ShpleminiProver_::Commitment
typename Curve::AffineElement Commitment
Definition shplemini.hpp:27
bb::ShpleminiProver_::compute_libra_opening_claims
static std::vector< OpeningClaim > compute_libra_opening_claims(const FF gemini_r, const std::array< Polynomial, NUM_SMALL_IPA_EVALUATIONS > &libra_polynomials, const std::shared_ptr< Transcript > &transcript)
For ZK Flavors: Evaluate the polynomials used in SmallSubgroupIPA argument, send the evaluations to t...
Definition shplemini.hpp:81
bb::ShpleminiProver_::FF
typename Curve::ScalarField FF
Definition shplemini.hpp:25
bb::ShpleminiProver_::compute_sumcheck_round_claims
static std::vector< OpeningClaim > compute_sumcheck_round_claims(size_t circuit_size, std::span< FF > multilinear_challenge, const std::vector< Polynomial > &sumcheck_round_univariates, const std::vector< std::array< FF, 3 > > &sumcheck_round_evaluations)
Create a vector of 3*log_n opening claims for the evaluations of Sumcheck Round Univariates at 0,...
Definition shplemini.hpp:114
bb::ShpleminiVerifier_
Definition shplemini.hpp:177
bb::ShpleminiVerifier_::compute_batch_opening_claim
static ShpleminiVerifierOutput compute_batch_opening_claim(ClaimBatcher &claim_batcher, const std::vector< Fr > &multivariate_challenge, const Commitment &g1_identity, const std::shared_ptr< Transcript > &transcript, const RepeatedCommitmentsData &repeated_commitments={}, const std::array< Commitment, NUM_LIBRA_COMMITMENTS > &libra_commitments={}, const Fr &libra_univariate_evaluation=Fr{ 0 }, const std::vector< Commitment > &sumcheck_round_commitments={}, const std::vector< std::array< Fr, 3 > > &sumcheck_round_evaluations={})
This method receives commitments to all prover polynomials, their claimed evaluations,...
Definition shplemini.hpp:216
bb::ShpleminiVerifier_::batch_sumcheck_round_claims
static void batch_sumcheck_round_claims(std::vector< Commitment > &commitments, std::vector< Fr > &scalars, Fr &constant_term_accumulator, const std::vector< Fr > &multilinear_challenge, const std::vector< Fr > &shplonk_batching_challenge_powers, const Fr &shplonk_evaluation_challenge, const std::vector< Commitment > &sumcheck_round_commitments, const std::vector< std::array< Fr, 3 > > &sumcheck_round_evaluations)
Adds the Sumcheck data into the Shplemini BatchOpeningClaim.
Definition shplemini.hpp:629
bb::ShpleminiVerifier_::batch_gemini_claims_received_from_prover
static void batch_gemini_claims_received_from_prover(const std::vector< Commitment > &fold_commitments, std::span< const Fr > gemini_neg_evaluations, std::span< const Fr > gemini_pos_evaluations, std::span< const Fr > inverse_vanishing_evals, std::span< const Fr > shplonk_batching_challenge_powers, std::vector< Commitment > &commitments, std::vector< Fr > &scalars, Fr &constant_term_accumulator)
Place fold polynomial commitments to commitments and compute the corresponding scalar multipliers.
Definition shplemini.hpp:439
bb::ShpleminiVerifier_::Commitment
typename Curve::AffineElement Commitment
Definition shplemini.hpp:180
bb::ShpleminiVerifier_::Fr
typename Curve::ScalarField Fr
Definition shplemini.hpp:178
bb::ShpleminiVerifier_::GroupElement
typename Curve::Element GroupElement
Definition shplemini.hpp:179
bb::ShpleminiVerifier_::remove_repeated_commitments
static void remove_repeated_commitments(std::vector< Commitment > &commitments, std::vector< Fr > &scalars, const RepeatedCommitmentsData &repeated_commitments, bool has_zk)
Combines scalars of repeating commitments to reduce the number of scalar multiplications performed by...
Definition shplemini.hpp:484
bb::ShpleminiVerifier_::ShpleminiVerifierOutput
ShpleminiVerifierOutput_< Curve, HasZK > ShpleminiVerifierOutput
Definition shplemini.hpp:185
bb::ShpleminiVerifier_::add_zk_data
static void add_zk_data(const size_t virtual_log_n, std::vector< Commitment > &commitments, std::vector< Fr > &scalars, Fr &constant_term_accumulator, const std::array< Commitment, NUM_LIBRA_COMMITMENTS > &libra_commitments, const std::array< Fr, NUM_SMALL_IPA_EVALUATIONS > &libra_evaluations, const Fr &gemini_evaluation_challenge, const std::vector< Fr > &shplonk_batching_challenge_powers, const Fr &shplonk_evaluation_challenge)
Add the opening data corresponding to Libra masking univariates to the batched opening claim.
Definition shplemini.hpp:546
bb::ShplonkProver_
Shplonk Prover.
Definition shplonk.hpp:37
bb::ShplonkProver_::prove
static ProverOpeningClaim< Curve > prove(const CommitmentKey< Curve > &commitment_key, std::span< ProverOpeningClaim< Curve > > opening_claims, const std::shared_ptr< Transcript > &transcript, std::span< ProverOpeningClaim< Curve > > libra_opening_claims={}, std::span< ProverOpeningClaim< Curve > > sumcheck_round_claims={}, const size_t virtual_log_n=0)
Returns a batched opening claim equivalent to a set of opening claims consisting of polynomials,...
Definition shplonk.hpp:254
bb::ShplonkVerifier_
Shplonk Verifier.
Definition shplonk.hpp:331
bb::ShplonkVerifier_::compute_inverted_gemini_denominators
static std::vector< Fr > compute_inverted_gemini_denominators(const Fr &shplonk_eval_challenge, const std::vector< Fr > &gemini_eval_challenge_powers)
Computes .
Definition shplonk.hpp:501
bb::SmallSubgroupIPAVerifier::check_libra_evaluations_consistency
static bool check_libra_evaluations_consistency(const std::array< FF, NUM_SMALL_IPA_EVALUATIONS > &libra_evaluations, const FF &gemini_evaluation_challenge, const std::vector< FF > &multilinear_challenge, const FF &inner_product_eval_claim)
A method required by ZKSumcheck. The challenge polynomial is concatenated from the powers of the sumc...
Definition small_subgroup_ipa.hpp:292
bb::VerifierCommitmentKey
Representation of the Grumpkin Verifier Commitment Key inside a bn254 circuit.
Definition verifier_commitment_key.hpp:16
bb::curve::Grumpkin::Element
typename Group::element Element
Definition grumpkin.hpp:63
bb::curve::Grumpkin::is_stdlib_type
static constexpr bool is_stdlib_type
Definition grumpkin.hpp:67
bb::curve::Grumpkin::AffineElement
typename Group::affine_element AffineElement
Definition grumpkin.hpp:64
bb::curve::Grumpkin::subgroup_generator
static constexpr ScalarField subgroup_generator
Definition grumpkin.hpp:77
zip_view
Definition zip_view.hpp:166
commitment_key.hpp
offset
ssize_t offset
Definition engine.cpp:62
gemini_impl.hpp
bb::gemini::powers_of_evaluation_challenge
std::vector< Fr > powers_of_evaluation_challenge(const Fr &r, const size_t num_squares)
Compute squares of folding challenge r.
Definition gemini.hpp:96
bb::numeric::get_msb
constexpr T get_msb(const T in)
Definition get_msb.hpp:50
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
origin_tag.hpp
This file contains part of the logic for the Origin Tag mechanism that tracks the use of in-circuit p...
repeated_commitments_data.hpp
small_subgroup_ipa.hpp
bb::BatchOpeningClaim
An accumulator consisting of the Shplonk evaluation challenge and vectors of commitments and scalars.
Definition claim.hpp:155
bb::ClaimBatcher_
Logic to support batching opening claims for unshifted and shifted polynomials in Shplemini.
Definition claim_batcher.hpp:26
bb::ClaimBatcher_::update_batch_mul_inputs_and_batched_evaluation
void update_batch_mul_inputs_and_batched_evaluation(std::vector< Commitment > &commitments, std::vector< Fr > &scalars, Fr &batched_evaluation, const Fr &rho)
Append the commitments and scalars from each batch of claims to the Shplemini vectors which subsequen...
Definition claim_batcher.hpp:104
bb::ClaimBatcher_::compute_scalars_for_each_batch
void compute_scalars_for_each_batch(std::span< const Fr > inverted_vanishing_evals, const Fr &nu_challenge, const Fr &r_challenge)
Compute scalars used to batch each set of claims, excluding contribution from batching challenge \rho...
Definition claim_batcher.hpp:68
bb::ShpleminiVerifierOutput_< Curve, true >::consistency_checked
bool consistency_checked
Definition shplemini.hpp:174
bb::ShpleminiVerifierOutput_< Curve, true >::batch_opening_claim
BatchOpeningClaim< Curve > batch_opening_claim
Definition shplemini.hpp:173
bb::ShpleminiVerifierOutput_
An efficient verifier for the evaluation proofs of multilinear polynomials and their shifts.
Definition shplemini.hpp:169
bb::ShpleminiVerifierOutput_::batch_opening_claim
BatchOpeningClaim< Curve > batch_opening_claim
Definition shplemini.hpp:170
bb::field< Bn254FrParams >::batch_invert
static void batch_invert(C &coeffs) noexcept
Batch invert a collection of field elements using Montgomery's trick.
Definition field_impl.hpp:418
throw_or_abort
void throw_or_abort(std::string const &err)
Definition throw_or_abort.hpp:6
verification_key.hpp
zk_sumcheck_data.hpp