Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
ultra_prover.cpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: Completed, auditors: [Sergei], commit: }
3// external_1: { status: not started, auditors: [], commit: }
4// external_2: { status: not started, auditors: [], commit: }
5// =====================
6
7#include "ultra_prover.hpp"
8#include "barretenberg/commitment_schemes/gemini/gemini.hpp"
9#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp"
10#include "barretenberg/common/memory_profile.hpp"
11#include "barretenberg/flavor/mega_avm_flavor.hpp"
12#include "barretenberg/sumcheck/sumcheck.hpp"
13#include "barretenberg/ultra_honk/oink_prover.hpp"
14namespace bb {
15
16template <typename Flavor>
17UltraProver_<Flavor>::UltraProver_(std::shared_ptr<ProverInstance> prover_instance,
18 const std::shared_ptr<HonkVK>& honk_vk,
19 const std::shared_ptr<Transcript>& transcript)
20 : prover_instance(std::move(prover_instance))
21 , transcript(transcript)
22 , honk_vk(honk_vk)
23{}
24
40template <typename Flavor> typename UltraProver_<Flavor>::Proof UltraProver_<Flavor>::export_proof()
41{
42 auto proof = transcript->export_proof();
43
44 // Append IPA proof if present
45 if (!prover_instance->ipa_proof.empty()) {
46 BB_ASSERT_EQ(prover_instance->ipa_proof.size(), static_cast<size_t>(IPA_PROOF_LENGTH));
47 proof.insert(proof.end(), prover_instance->ipa_proof.begin(), prover_instance->ipa_proof.end());
48 }
49
50 return proof;
51}
52
53template <typename Flavor> void UltraProver_<Flavor>::generate_gate_challenges()
54{
55 virtual_log_n =
56 Flavor::USE_PADDING ? Flavor::VIRTUAL_LOG_N : static_cast<size_t>(prover_instance->log_dyadic_size());
57
58 prover_instance->gate_challenges =
59 transcript->template get_dyadic_powers_of_challenge<FF>("Sumcheck:gate_challenge", virtual_log_n);
60}
61
62template <typename Flavor> typename UltraProver_<Flavor>::Proof UltraProver_<Flavor>::construct_proof()
63{
64 BB_BENCH_NAME("UltraProver::construct_proof");
65 size_t key_size = prover_instance->polynomials.max_end_index();
66 if constexpr (Flavor::HasZK) {
67 // SmallSubgroupIPA commits polynomials up to SUBGROUP_SIZE + 3.
68 constexpr size_t log_subgroup_size = static_cast<size_t>(numeric::get_msb(Curve::SUBGROUP_SIZE));
69 key_size = std::max(key_size, size_t{ 1 } << (log_subgroup_size + 1));
70 }
71 commitment_key = CommitmentKey(key_size);
72
73 OinkProver<Flavor> oink_prover(prover_instance, honk_vk, transcript);
74 oink_prover.prove();
75 vinfo("created oink proof");
76 if (detail::use_memory_profile) {
77 detail::GLOBAL_MEMORY_PROFILE.add_checkpoint("after_oink");
78 }
79
80 generate_gate_challenges();
81
82 // Run sumcheck
83 execute_sumcheck_iop();
84 vinfo("finished relation check rounds");
85 if (detail::use_memory_profile) {
86 detail::GLOBAL_MEMORY_PROFILE.add_checkpoint("after_sumcheck");
87 }
88 // Execute Shplemini PCS
89 execute_pcs();
90 vinfo("finished PCS rounds");
91 if (detail::use_memory_profile) {
92 detail::GLOBAL_MEMORY_PROFILE.add_checkpoint("after_pcs");
93 }
94
95 return export_proof();
96}
97
102template <typename Flavor> void UltraProver_<Flavor>::execute_sumcheck_iop()
103{
104 BB_BENCH_NAME("sumcheck.prove");
105
106 using Sumcheck = SumcheckProver<Flavor>;
107 size_t polynomial_size = prover_instance->dyadic_size();
108 Sumcheck sumcheck(polynomial_size,
109 prover_instance->polynomials,
110 transcript,
111 prover_instance->alpha,
112 prover_instance->gate_challenges,
113 prover_instance->relation_parameters,
114 virtual_log_n);
115
116 if constexpr (Flavor::HasZK) {
117 // Generate libra univariates for ALL rounds (real + virtual) so that the ZK and non-ZK
118 // virtual round paths are unified. The libra contributes to every round uniformly.
119 zk_sumcheck_data = ZKData(virtual_log_n, transcript, commitment_key);
120 sumcheck_output = sumcheck.prove(zk_sumcheck_data);
121 } else {
122 sumcheck_output = sumcheck.prove();
123 }
124}
125
130template <typename Flavor> void UltraProver_<Flavor>::execute_pcs()
131{
132 BB_BENCH_NAME("UltraProver::execute_pcs");
133 using OpeningClaim = ProverOpeningClaim<Curve>;
134 using PolynomialBatcher = GeminiProver_<Curve>::PolynomialBatcher;
135
136 auto& ck = commitment_key;
137
138 PolynomialBatcher polynomial_batcher(prover_instance->dyadic_size(), prover_instance->polynomials.max_end_index());
139 polynomial_batcher.set_unshifted(prover_instance->polynomials.get_unshifted());
140 polynomial_batcher.set_to_be_shifted_by_one(prover_instance->polynomials.get_to_be_shifted());
141
142 OpeningClaim prover_opening_claim;
143 if constexpr (!Flavor::HasZK) {
144 prover_opening_claim = ShpleminiProver_<Curve>::prove(
145 prover_instance->dyadic_size(), polynomial_batcher, sumcheck_output.challenge, ck, transcript);
146 } else {
147
148 SmallSubgroupIPA small_subgroup_ipa_prover(
149 zk_sumcheck_data, sumcheck_output.challenge, sumcheck_output.claimed_libra_evaluation, transcript, ck);
150 small_subgroup_ipa_prover.prove();
151
152 prover_opening_claim = ShpleminiProver_<Curve>::prove(prover_instance->dyadic_size(),
153 polynomial_batcher,
154 sumcheck_output.challenge,
155 ck,
156 transcript,
157 small_subgroup_ipa_prover.get_witness_polynomials());
158 }
159 vinfo("executed multivariate-to-univariate reduction");
160 PCS::compute_opening_proof(ck, prover_opening_claim, transcript);
161 vinfo("computed opening proof");
162}
163
164template class UltraProver_<UltraFlavor>;
165template class UltraProver_<UltraZKFlavor>;
166template class UltraProver_<UltraKeccakFlavor>;
167#ifdef STARKNET_GARAGA_FLAVORS
168template class UltraProver_<UltraStarknetFlavor>;
169template class UltraProver_<UltraStarknetZKFlavor>;
170#endif
171template class UltraProver_<UltraKeccakZKFlavor>;
172template class UltraProver_<MegaFlavor>;
173template class UltraProver_<MegaZKFlavor>;
174template class UltraProver_<MegaAvmFlavor>;
175
176} // namespace bb
BB_ASSERT_EQ
#define BB_ASSERT_EQ(actual, expected,...)
Definition assert.hpp:83
BB_BENCH_NAME
#define BB_BENCH_NAME(name)
Definition bb_bench.hpp:264
bb::ECCVMFlavor::HasZK
static constexpr bool HasZK
Definition eccvm_flavor.hpp:60
bb::ECCVMFlavor::USE_PADDING
static constexpr bool USE_PADDING
Definition eccvm_flavor.hpp:64
bb::GeminiProver_::PolynomialBatcher
Class responsible for computation of the batched multilinear polynomials required by the Gemini proto...
Definition gemini.hpp:128
bb::OinkProver
Executes the "Oink" phase of the Honk proving protocol: the initial rounds that commit to witness dat...
Definition oink_prover.hpp:52
bb::OinkProver::prove
void prove(bool emit_alpha=true)
Commit to witnesses, compute relation parameters, and prepare for Sumcheck.
Definition oink_prover.cpp:22
bb::OpeningClaim
Unverified claim (C,r,v) for some witness polynomial p(X) such that.
Definition claim.hpp:55
bb::ProverOpeningClaim
Polynomial p and an opening pair (r,v) such that p(r) = v.
Definition claim.hpp:36
bb::ShpleminiProver_::prove
static OpeningClaim prove(size_t circuit_size, PolynomialBatcher &polynomial_batcher, std::span< FF > multilinear_challenge, const CommitmentKey< Curve > &commitment_key, const std::shared_ptr< Transcript > &transcript, const std::array< Polynomial, NUM_SMALL_IPA_EVALUATIONS > &libra_polynomials={}, const std::vector< Polynomial > &sumcheck_round_univariates={}, const std::vector< std::array< FF, 3 > > &sumcheck_round_evaluations={})
Definition shplemini.hpp:37
bb::SmallSubgroupIPAProver
A Curve-agnostic ZK protocol to prove inner products of small vectors.
Definition small_subgroup_ipa.hpp:69
bb::SmallSubgroupIPAProver::get_witness_polynomials
std::array< bb::Polynomial< FF >, NUM_SMALL_IPA_EVALUATIONS > get_witness_polynomials() const
Definition small_subgroup_ipa.hpp:178
bb::SmallSubgroupIPAProver::prove
void prove()
Compute the derived witnesses and and commit to them.
Definition small_subgroup_ipa.cpp:150
bb::SumcheckProver
The implementation of the sumcheck Prover for statements of the form for multilinear polynomials .
Definition sumcheck.hpp:294
bb::UltraProver_
Definition ultra_prover.hpp:18
bb::UltraProver_::UltraProver_
UltraProver_(std::shared_ptr< ProverInstance >, const std::shared_ptr< HonkVK > &, const std::shared_ptr< Transcript > &transcript=std::make_shared< Transcript >())
Definition ultra_prover.cpp:17
bb::UltraProver_::generate_gate_challenges
BB_PROFILE void generate_gate_challenges()
Definition ultra_prover.cpp:53
bb::UltraProver_::execute_pcs
BB_PROFILE void execute_pcs()
Reduce the sumcheck multivariate evaluations to a single univariate opening claim via Shplemini,...
Definition ultra_prover.cpp:130
bb::UltraProver_::Proof
typename Transcript::Proof Proof
Definition ultra_prover.hpp:29
bb::UltraProver_::execute_sumcheck_iop
BB_PROFILE void execute_sumcheck_iop()
Run Sumcheck to establish that ∑_i pow(\vec{β*})f_i(ω) = 0, producing sumcheck round challenges u = (...
Definition ultra_prover.cpp:102
bb::UltraProver_::CommitmentKey
typename Flavor::CommitmentKey CommitmentKey
Definition ultra_prover.hpp:22
bb::UltraProver_::export_proof
Proof export_proof()
Export the complete proof, including IPA proof for rollup circuits.
Definition ultra_prover.cpp:40
bb::UltraProver_::construct_proof
Proof construct_proof()
Definition ultra_prover.cpp:62
bb::curve::Grumpkin::SUBGROUP_SIZE
static constexpr size_t SUBGROUP_SIZE
Definition grumpkin.hpp:72
vinfo
#define vinfo(...)
Definition log.hpp:94
mega_avm_flavor.hpp
memory_profile.hpp
bb::detail::use_memory_profile
bool use_memory_profile
Definition memory_profile.cpp:33
bb::detail::GLOBAL_MEMORY_PROFILE
MemoryProfile GLOBAL_MEMORY_PROFILE
Definition memory_profile.cpp:35
bb::numeric::get_msb
constexpr T get_msb(const T in)
Definition get_msb.hpp:50
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
bb::ck
CommitmentKey< Curve > ck
Definition ipa.fuzzer.cpp:20
std
STL namespace.
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
oink_prover.hpp
bb::ZKSumcheckData
This structure is created to contain various polynomials and constants required by ZK Sumcheck.
Definition zk_sumcheck_data.hpp:23
bb::detail::MemoryProfile::add_checkpoint
void add_checkpoint(const std::string &stage)
Definition memory_profile.cpp:37
ultra_prover.hpp