Skip to content

Commit

Permalink
chore: take the PCS out of Zeromorph and refactor tests (#7078)
Browse files Browse the repository at this point in the history 
Separate the PCS from Zeromorph and do some refactoring of Zeromorph
tests as a precursor for Shplonking ECCVM.
  • Loading branch information
@maramihali
maramihali authored Jun 21, 2024
1 parent 366fb21 commit e192678
Show file tree
Hide file tree
Showing 34 changed files with 2,192 additions and 433 deletions.
2 changes: 1 addition & 1 deletion barretenberg/cpp/src/barretenberg/benchmark/ultra_bench/ultra_honk_rounds.bench.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,7 @@ BB_PROFILE static void test_round_inner(State& state, MegaProver& prover, size_t

DeciderProver_<MegaFlavor> decider_prover(prover.instance, prover.transcript);
time_if_index(RELATION_CHECK, [&] { decider_prover.execute_relation_check_rounds(); });
time_if_index(ZEROMORPH, [&] { decider_prover.execute_zeromorph_rounds(); });
time_if_index(ZEROMORPH, [&] { decider_prover.execute_pcs_rounds(); });
}
BB_PROFILE static void test_round(State& state, size_t index) noexcept
{
Expand Down
2 changes: 1 addition & 1 deletion barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -264,7 +264,7 @@ template <typename Curve> class ShplonkVerifier_ {
}

// [G] += G₀⋅[1] = [G] + (∑ⱼ ρʲ ⋅ vⱼ / ( r − xⱼ ))⋅[1]
G_commitment += vk->get_first_g1() * G_commitment_constant;
G_commitment += vk->get_g1_identity() * G_commitment_constant;
}

// Return opening pair (z, 0) and commitment [G]
Expand Down
4 changes: 2 additions & 2 deletions barretenberg/cpp/src/barretenberg/commitment_schemes/verification_key.hpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ template <> class VerifierCommitmentKey<curve::BN254> {
srs = srs::get_crs_factory<Curve>()->get_verifier_crs();
};

Commitment get_first_g1() { return srs->get_first_g1(); }
Commitment get_g1_identity() { return srs->get_g1_identity(); }

/**
* @brief verifies a pairing equation over 2 points using the verifier SRS
Expand Down Expand Up @@ -93,7 +93,7 @@ template <> class VerifierCommitmentKey<curve::Grumpkin> {
srs = srs::get_crs_factory<Curve>()->get_verifier_crs(num_points);
}

Commitment get_first_g1() { return srs->get_first_g1(); }
Commitment get_g1_identity() { return srs->get_g1_identity(); }

Commitment* get_monomial_points() { return srs->get_monomial_points(); }

Expand Down
172 changes: 47 additions & 125 deletions barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -31,13 +31,13 @@ template <class FF> inline std::vector<FF> powers_of_challenge(const FF challeng
/**
* @brief Prover for ZeroMorph multilinear PCS
*
* @tparam PCS - The univariate PCS used inside ZeroMorph as a building block
* @tparam Curve - The curve used for arithmetising ZeroMorph
*/
template <typename PCS> class ZeroMorphProver_ {
using Curve = typename PCS::Curve;
template <typename Curve> class ZeroMorphProver_ {
using FF = typename Curve::ScalarField;
using Commitment = typename Curve::AffineElement;
using Polynomial = bb::Polynomial<FF>;
using OpeningClaim = ProverOpeningClaim<Curve>;

// TODO(#742): Set this N_max to be the number of G1 elements in the mocked zeromorph SRS once it's in place.
// (Then, eventually, set it based on the real SRS). For now we set it to be larger then the Client IVC recursive
Expand Down Expand Up @@ -65,7 +65,8 @@ template <typename PCS> class ZeroMorphProver_ {
* @param u_challenge Multivariate challenge u = (u_0, ..., u_{d-1})
* @return std::vector<Polynomial> The quotients q_k
*/
static std::vector<Polynomial> compute_multilinear_quotients(Polynomial polynomial, std::span<const FF> u_challenge)
static std::vector<Polynomial> compute_multilinear_quotients(Polynomial& polynomial,
std::span<const FF> u_challenge)
{
size_t log_N = numeric::get_msb(polynomial.size());
// The size of the multilinear challenge must equal the log of the polynomial size
Expand Down Expand Up @@ -310,26 +311,28 @@ template <typename PCS> class ZeroMorphProver_ {
}

/**
* @brief Prove a set of multilinear evaluation claims for unshifted polynomials f_i and to-be-shifted
* polynomials g_i
* @brief * @brief Returns a univariate opening claim equivalent to a set of multilinear evaluation claims for
* unshifted polynomials f_i and to-be-shifted polynomials g_i to be subsequently proved with a univariate PCS
*
* @param f_polynomials Unshifted polynomials
* @param g_polynomials To-be-shifted polynomials (of which the shifts h_i were evaluated by sumcheck)
* @param evaluations Set of evaluations v_i = f_i(u), w_i = h_i(u) = g_i_shifted(u)
* @param multilinear_challenge Multilinear challenge point u
* @param commitment_key
* @param transcript
*
* @todo https://github.com/AztecProtocol/barretenberg/issues/1030: document concatenation trick
*/
static void prove(RefSpan<Polynomial> f_polynomials,
RefSpan<Polynomial> g_polynomials,
RefSpan<FF> f_evaluations,
RefSpan<FF> g_shift_evaluations,
std::span<FF> multilinear_challenge,
const std::shared_ptr<CommitmentKey<Curve>>& commitment_key,
const std::shared_ptr<NativeTranscript>& transcript,
RefSpan<Polynomial> concatenated_polynomials = {},
RefSpan<FF> concatenated_evaluations = {},
const std::vector<RefVector<Polynomial>>& concatenation_groups = {})
static OpeningClaim prove(RefSpan<Polynomial> f_polynomials,
RefSpan<Polynomial> g_polynomials,
RefSpan<FF> f_evaluations,
RefSpan<FF> g_shift_evaluations,
std::span<FF> multilinear_challenge,
const std::shared_ptr<CommitmentKey<Curve>>& commitment_key,
const std::shared_ptr<NativeTranscript>& transcript,
RefSpan<Polynomial> concatenated_polynomials = {},
RefSpan<FF> concatenated_evaluations = {},
const std::vector<RefVector<Polynomial>>& concatenation_groups = {})
{
// Generate batching challenge \rho and powers 1,...,\rho^{m-1}
const FF rho = transcript->template get_challenge<FF>("rho");
Expand Down Expand Up @@ -428,22 +431,20 @@ template <typename PCS> class ZeroMorphProver_ {

// Compute batched degree-check and ZM-identity quotient polynomial pi
auto pi_polynomial = compute_batched_evaluation_and_degree_check_polynomial(zeta_x, Z_x, z_challenge);
// Compute opening proof for x_challenge using the underlying univariate PCS
PCS::compute_opening_proof(
commitment_key, { .challenge = x_challenge, .evaluation = FF(0) }, pi_polynomial, transcript);

// Returns the claim used to generate an opening proof for the univariate polynomial at x_challenge
return { pi_polynomial, { .challenge = x_challenge, .evaluation = FF(0) } };
}
};

/**
* @brief Verifier for ZeroMorph multilinear PCS
*
* @tparam Curve
* @tparam Curve - The Curve used to arithmetise ZeroMorph
*/
template <typename PCS> class ZeroMorphVerifier_ {
using Curve = typename PCS::Curve;
template <typename Curve> class ZeroMorphVerifier_ {
using FF = typename Curve::ScalarField;
using Commitment = typename Curve::AffineElement;
using VerifierAccumulator = typename PCS::VerifierAccumulator;

public:
/**
Expand All @@ -458,7 +459,10 @@ template <typename PCS> class ZeroMorphVerifier_ {
* @param x_challenge
* @return Commitment
*/
static Commitment compute_C_zeta_x(Commitment C_q, std::vector<Commitment>& C_q_k, FF y_challenge, FF x_challenge)
static Commitment compute_C_zeta_x(const Commitment& C_q,
std::vector<Commitment>& C_q_k,
FF y_challenge,
FF x_challenge)
{
size_t log_N = C_q_k.size();
size_t N = 1 << log_N;
Expand Down Expand Up @@ -510,7 +514,7 @@ template <typename PCS> class ZeroMorphVerifier_ {
*
* @note The concatenation term arises from an implementation detail in the Translator and is not part of the
* conventional ZM protocol
* @param first_g1 first element in the SRS
* @param g1_identity first element in the SRS
* @param f_commitments Commitments to unshifted polynomials [f_i]
* @param g_commitments Commitments to to-be-shifted polynomials [g_i]
* @param C_q_k Commitments to q_k
Expand All @@ -521,7 +525,7 @@ template <typename PCS> class ZeroMorphVerifier_ {
* @param concatenation_groups_commitments
* @return Commitment
*/
static Commitment compute_C_Z_x(Commitment first_g1,
static Commitment compute_C_Z_x(const Commitment& g1_identity,
RefSpan<Commitment> f_commitments,
RefSpan<Commitment> g_commitments,
std::span<Commitment> C_q_k,
Expand All @@ -544,7 +548,7 @@ template <typename PCS> class ZeroMorphVerifier_ {
// Add contribution: -v * x * \Phi_n(x) * [1]_1
scalars.emplace_back(FF(-1) * batched_evaluation * x_challenge * phi_n_x);

commitments.emplace_back(first_g1);
commitments.emplace_back(g1_identity);

// Add contribution: x * \sum_{i=0}^{m-1} \rho^i*[f_i]
auto rho_pow = FF(1);
Expand Down Expand Up @@ -625,30 +629,24 @@ template <typename PCS> class ZeroMorphVerifier_ {
}

/**
* @brief Compute the univariate opening claim used in the last step of Zeromorph to verify the univariate PCS
* evaluation.
* @brief Return the univariate opening claim used to verify, in a subsequent PCS, a set of multilinear evaluation
* claims for unshifted polynomials f_i and to-be-shifted polynomials g_i
*
* @param unshifted_commitments
* @param to_be_shifted_commitments
* @param unshifted_evaluations
* @param shifted_evaluations
* @param multivariate_challenge
* @param first_g1
* @param commitments Commitments to polynomials f_i and g_i (unshifted and to-be-shifted)
* @param claimed_evaluations Claimed evaluations v_i = f_i(u) and w_i = h_i(u) = g_i_shifted(u)
* @param multivariate_challenge Challenge point u
* @param transcript
* @param concatenation_group_commitments
* @param concatenated_evaluations
* @return OpeningClaim<Curve>
* @return VerifierAccumulator Inputs to the final PCS verification check that will be accumulated
*/
static OpeningClaim<Curve> compute_univariate_evaluation_opening_claim(
RefSpan<Commitment> unshifted_commitments,
RefSpan<Commitment> to_be_shifted_commitments,
RefSpan<FF> unshifted_evaluations,
RefSpan<FF> shifted_evaluations,
std::span<FF> multivariate_challenge,
Commitment first_g1,
auto& transcript,
const std::vector<RefVector<Commitment>>& concatenation_group_commitments = {},
RefSpan<FF> concatenated_evaluations = {})
static OpeningClaim<Curve> verify(RefSpan<Commitment> unshifted_commitments,
RefSpan<Commitment> to_be_shifted_commitments,
RefSpan<FF> unshifted_evaluations,
RefSpan<FF> shifted_evaluations,
std::span<FF> multivariate_challenge,
const Commitment& g1_identity,
auto& transcript,
const std::vector<RefVector<Commitment>>& concatenation_group_commitments = {},
RefSpan<FF> concatenated_evaluations = {})
{
size_t log_N = multivariate_challenge.size();
FF rho = transcript->template get_challenge<FF>("rho");
Expand Down Expand Up @@ -689,7 +687,7 @@ template <typename PCS> class ZeroMorphVerifier_ {
auto C_zeta_x = compute_C_zeta_x(C_q, C_q_k, y_challenge, x_challenge);

// Compute commitment C_{Z_x}
Commitment C_Z_x = compute_C_Z_x(first_g1,
Commitment C_Z_x = compute_C_Z_x(g1_identity,
unshifted_commitments,
to_be_shifted_commitments,
C_q_k,
Expand All @@ -714,82 +712,6 @@ template <typename PCS> class ZeroMorphVerifier_ {

return { .opening_pair = { .challenge = x_challenge, .evaluation = FF(0) }, .commitment = C_zeta_Z };
}

/**
* @brief Verify a set of multilinear evaluation claims for unshifted polynomials f_i and to-be-shifted
* polynomials g_i
*
* @param commitments Commitments to polynomials f_i and g_i (unshifted and to-be-shifted)
* @param claimed_evaluations Claimed evaluations v_i = f_i(u) and w_i = h_i(u) = g_i_shifted(u)
* @param multivariate_challenge Challenge point u
* @param transcript
* @return VerifierAccumulator Inputs to the final PCS verification check that will be accumulated
*/
static VerifierAccumulator verify(RefSpan<Commitment> unshifted_commitments,
RefSpan<Commitment> to_be_shifted_commitments,
RefSpan<FF> unshifted_evaluations,
RefSpan<FF> shifted_evaluations,
std::span<FF> multivariate_challenge,
auto& transcript,
const std::vector<RefVector<Commitment>>& concatenation_group_commitments = {},
RefSpan<FF> concatenated_evaluations = {})
{
Commitment first_g1;

if constexpr (Curve::is_stdlib_type) {
auto builder = multivariate_challenge[0].get_context();
first_g1 = Commitment::one(builder);
} else {
first_g1 = Commitment::one();
}
auto opening_claim = compute_univariate_evaluation_opening_claim(unshifted_commitments,
to_be_shifted_commitments,
unshifted_evaluations,
shifted_evaluations,
multivariate_challenge,
first_g1,
transcript,
concatenation_group_commitments,
concatenated_evaluations);
return PCS::reduce_verify(opening_claim, transcript);
}

/**
* @brief Verify a set of multilinear evaluation claims for unshifted polynomials f_i and to-be-shifted
* polynomials g_i.
*
* @details Identical purpose as the function above but used when the verification of the PCS evaluation protocol
* requires the verification key prior to the last step that is accumulated.
*
* @param commitments Commitments to polynomials f_i and g_i (unshifted and to-be-shifted)
* @param claimed_evaluations Claimed evaluations v_i = f_i(u) and w_i = h_i(u) = g_i_shifted(u)
* @param multivariate_challenge Challenge point u
* @param transcript
* @return VerifierAccumulator Inputs to the final PCS verification check that will be accumulated
*/
static VerifierAccumulator verify(RefSpan<Commitment> unshifted_commitments,
RefSpan<Commitment> to_be_shifted_commitments,
RefSpan<FF> unshifted_evaluations,
RefSpan<FF> shifted_evaluations,
std::span<FF> multivariate_challenge,
const std::shared_ptr<VerifierCommitmentKey<Curve>>& vk,
auto& transcript,
const std::vector<RefVector<Commitment>>& concatenation_group_commitments = {},
RefSpan<FF> concatenated_evaluations = {})
{
Commitment first_g1 = vk->get_first_g1();

auto opening_claim = compute_univariate_evaluation_opening_claim(unshifted_commitments,
to_be_shifted_commitments,
unshifted_evaluations,
shifted_evaluations,
multivariate_challenge,
first_g1,
transcript,
concatenation_group_commitments,
concatenated_evaluations);
return PCS::reduce_verify(vk, opening_claim, transcript);
}
};

} // namespace bb
Loading

0 comments on commit e192678

Please sign in to comment.