Barretenberg
The ZK-SNARK library at the core of Aztec
#include <eccvm_prover.hpp>
Public Types | |
| using | Flavor = ECCVMFlavor |
| using | FF = Flavor::FF |
| using | BF = Flavor::BF |
| using | Commitment = Flavor::Commitment |
| using | CommitmentKey = Flavor::CommitmentKey |
| using | ProvingKey = Flavor::ProvingKey |
| using | Polynomial = Flavor::Polynomial |
| using | CommitmentLabels = Flavor::CommitmentLabels |
| using | Transcript = Flavor::Transcript |
| using | TranslationEvaluations = bb::TranslationEvaluations_< FF > |
| using | CircuitBuilder = Flavor::CircuitBuilder |
| using | ZKData = ZKSumcheckData< Flavor > |
| using | SmallSubgroupIPA = SmallSubgroupIPAProver< Flavor > |
| using | OpeningClaim = ProverOpeningClaim< Flavor::Curve > |
| using | Proof = HonkProof |
Public Member Functions | |
| ECCVMProver (CircuitBuilder &builder, const std::shared_ptr< Transcript > &transcript) | |
| BB_PROFILE void | execute_preamble_round () |
| Fiat-Shamir the VK. | |
| BB_PROFILE void | execute_wire_commitments_round () |
| Compute commitments to the first three wires. | |
| BB_PROFILE void | execute_log_derivative_commitments_round () |
| Compute sorted witness-table accumulator. | |
| BB_PROFILE void | execute_grand_product_computation_round () |
| Compute permutation and lookup grand product polynomials and commitments. | |
| BB_PROFILE void | execute_relation_check_rounds () |
| Run Sumcheck resulting in u = (u_1,...,u_d) challenges and all evaluations at u being calculated. | |
| BB_PROFILE void | execute_pcs_rounds () |
| Produce a univariate opening claim for the sumcheck multivariate evaluations and a batched univariate claim for the transcript polynomials (for the Translator consistency check). Reduce the two opening claims to a single one via Shplonk and produce an opening proof with the univariate PCS of choice (IPA when operating on Grumpkin). | |
| BB_PROFILE void | execute_transcript_consistency_univariate_opening_round () |
| Proof | export_proof () |
| std::pair< Proof, OpeningClaim > | construct_proof () |
| void | compute_translation_opening_claims () |
| To link the ECCVM Transcript wires op, Px, Py, z1, and z2 to the accumulator computed by the translator, we verify their evaluations as univariates. For efficiency reasons, we batch these evaluations. | |
| void | commit_to_witness_polynomial (Polynomial &polynomial, const std::string &label) |
| Utility to mask and commit to a witness polynomial and send the commitment to verifier. | |
Public Attributes | |
| std::shared_ptr< Transcript > | transcript |
| size_t | unmasked_witness_size |
| OpeningClaim | batch_opening_claim |
| std::array< OpeningClaim, NUM_OPENING_CLAIMS > | opening_claims |
| TranslationEvaluations | translation_evaluations |
| std::vector< FF > | public_inputs |
| bb::RelationParameters< FF > | relation_parameters |
| std::shared_ptr< ProvingKey > | key |
| CommitmentLabels | commitment_labels |
| ZKData | zk_sumcheck_data |
| FF | evaluation_challenge_x |
| FF | batching_challenge_v |
| SumcheckOutput< Flavor > | sumcheck_output |
Static Public Attributes | |
| static constexpr size_t | NUM_OPENING_CLAIMS = ECCVMFlavor::NUM_TRANSLATION_OPENING_CLAIMS + 1 |
Definition at line 22 of file eccvm_prover.hpp.
| using bb::ECCVMProver::BF = Flavor::BF |
Definition at line 26 of file eccvm_prover.hpp.
Definition at line 34 of file eccvm_prover.hpp.
Definition at line 27 of file eccvm_prover.hpp.
Definition at line 28 of file eccvm_prover.hpp.
Definition at line 31 of file eccvm_prover.hpp.
| using bb::ECCVMProver::FF = Flavor::FF |
Definition at line 25 of file eccvm_prover.hpp.
| using bb::ECCVMProver::Flavor = ECCVMFlavor |
Definition at line 24 of file eccvm_prover.hpp.
Definition at line 37 of file eccvm_prover.hpp.
Definition at line 30 of file eccvm_prover.hpp.
| using bb::ECCVMProver::Proof = HonkProof |
Definition at line 38 of file eccvm_prover.hpp.
Definition at line 29 of file eccvm_prover.hpp.
Definition at line 36 of file eccvm_prover.hpp.
Definition at line 32 of file eccvm_prover.hpp.
Definition at line 33 of file eccvm_prover.hpp.
| using bb::ECCVMProver::ZKData = ZKSumcheckData<Flavor> |
Definition at line 35 of file eccvm_prover.hpp.
| explicit |
Definition at line 22 of file eccvm_prover.cpp.
| void bb::ECCVMProver::commit_to_witness_polynomial | ( | Polynomial & | polynomial, |
| const std::string & | label | ||
| ) |
Utility to mask and commit to a witness polynomial and send the commitment to verifier.
| polynomial | |
| label |
Definition at line 336 of file eccvm_prover.cpp.
| void bb::ECCVMProver::compute_translation_opening_claims | ( | ) |
To link the ECCVM Transcript wires op, Px, Py, z1, and z2 to the accumulator computed by the translator, we verify their evaluations as univariates. For efficiency reasons, we batch these evaluations.
As a sub-protocol of ECCVM, we are batch opening the op, Px, Py, z1, and z2 wires as univariates (as opposed to their openings as multilinears performed after Sumcheck). We often refer to these polynomials as translation_polynomials \( T_i \) for \( i=0, \ldots, 4\). Below, the evaluation_challenge_x is denoted by \( x \) and batching_challenge_v is denoted by \(v\).
The batched translation evaluation
\begin{align} \sum_{i=0}^4 T_i(x) \cdot v^i \end{align}
is used by the TranslatorVerifier to bind the ECCOpQueues over BN254 and Grumpkin. Namely, we check that the field element \( A = \text{accumulated_result} \) accumulated from the Ultra ECCOpQueue by TranslatorProver satisfies
\begin{align} x\cdot A = \sum_{i=0}^4 T_i(x) \cdot v^i, \end{align}
where \( x \) is an artifact of our implementation of shiftable polynomials.
This check gets trickier when the witness wires in ECCVM are masked. Namely, we randomize the last \( \text{NUM_DISABLED_ROWS_IN_SUMCHECK} \) coefficients of \( T_i \). Let \( N = \text{circuit_size} - \text{NUM_DISABLED_ROWS_IN_SUMCHECK}\). Denote
\begin{align} \widetilde{T}_i(X) = T_i(X) + X^N \cdot m_i(X). \end{align}
Informally speaking, to preserve ZK, the ECCVMVerifier must never obtain the commitments to \( T_i \) or the evaluations \( T_i(x) \) of the unmasked wires.
With masking, the identity above becomes
\begin{align} x\cdot A = \sum_i \left(\widetilde{T}_i(x) - x^N \cdot m_i(x)\right) v^i = \sum_i \widetilde{T}_i(x) v^i - x^N \cdot \sum_i m_i(x) v^i. \end{align}
The prover could send the evaluations of \( \widetilde{T}_i \) without revealing witness information. Moreover, the prover could prove the evaluation \( x^N \cdot \sum m_i(x) v^i \) using a SmallSubgroupIPA argument. Namely, before obtaining \( x \) and \( v \), the prover sends a commitment to the polynomial \( \widetilde{M} = M + Z_H \cdot R\), where the coefficients of \( M \) are given by the concatenation
\begin{align} M = (m_0||m_1||m_2||m_3||m_4 || \vec{0}) \end{align}
in the Lagrange basis over the small multiplicative subgroup \( H \), where \( Z_H \) is the vanishing polynomial \( X^{|H|} -1 \) and \( R(X) \) is a random polynomial of degree \( 2 \). SmallSubgroupIPAProver allows us to prove the inner product of \( M \) against the challenge_polynomial
\begin{align} ( 1, x , x^2 , x^3, v , v\cdot x ,\ldots, v^4, v^4 x , v^4 x^2 , v^4 x^3, \vec{0} )\end{align}
without revealing any other witness information apart from the claimed inner product.
opening_claims. Definition at line 260 of file eccvm_prover.cpp.
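The masked identity above, checked numerically. This is an added example, not Barretenberg code: it works over a toy prime field, every name in it is hypothetical, and it assumes four masked coefficients per wire (read off the four powers of \( x \) per block in the challenge polynomial). It models only the inner product, not the commitment to \( \widetilde{M} \) or the Lagrange basis over \( H \).

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
// Toy field (assumption): p = 2^31 - 1, not the fields ECCVM really uses.
constexpr uint64_t P = 2147483647ULL;
constexpr size_t NUM_WIRES = 5; // op, Px, Py, z1, z2
constexpr size_t MASK_LEN = 4;  // masked coefficients per wire (1, x, x^2, x^3)
constexpr size_t N = 8;         // toy circuit_size - NUM_DISABLED_ROWS_IN_SUMCHECK

uint64_t mul(uint64_t a, uint64_t b) { return (a % P) * (b % P) % P; }
uint64_t add(uint64_t a, uint64_t b) { return (a % P + b % P) % P; }
uint64_t sub(uint64_t a, uint64_t b) { return (a % P + P - b % P) % P; }
uint64_t pow_x(uint64_t x, size_t e) { uint64_t r = 1; while (e--) r = mul(r, x); return r; }

struct Wire { std::array<uint64_t, N> T; std::array<uint64_t, MASK_LEN> m; }; // T_i and its mask m_i
using Wires = std::array<Wire, NUM_WIRES>;

// Constructed sample data; fixed values stand in for the prover's random masks.
Wires sample_wires() {
    Wires w{};
    for (size_t i = 0; i < NUM_WIRES; ++i) {
        for (size_t k = 0; k < N; ++k) w[i].T[k] = 7 * i + 3 * k + 1;
        for (size_t j = 0; j < MASK_LEN; ++j) w[i].m[j] = 1000 + 31 * i + 17 * j;
    }
    return w;
}

// sum_i v^i * T_i(x); with masked=true it uses T~_i(X) = T_i(X) + X^N * m_i(X).
uint64_t batched_eval(const Wires& w, uint64_t x, uint64_t v, bool masked) {
    uint64_t acc = 0;
    for (size_t i = 0; i < NUM_WIRES; ++i) {
        uint64_t e = 0;
        for (size_t k = 0; k < N + (masked ? MASK_LEN : 0); ++k)
            e = add(e, mul(k < N ? w[i].T[k] : w[i].m[k - N], pow_x(x, k)));
        acc = add(acc, mul(pow_x(v, i), e));
    }
    return acc;
}

// <M, challenge> with M = (m_0||...||m_4) and challenge = (1, x, x^2, x^3, v, v x, ..., v^4 x^3).
uint64_t masking_inner_product(const Wires& w, uint64_t x, uint64_t v) {
    uint64_t ip = 0;
    for (size_t i = 0; i < NUM_WIRES; ++i)
        for (size_t j = 0; j < MASK_LEN; ++j) // the zero padding contributes nothing
            ip = add(ip, mul(w[i].m[j], mul(pow_x(v, i), pow_x(x, j))));
    return ip;
}

// Right-hand side of the masked identity: sum_i T~_i(x) v^i - x^N * <M, challenge>.
uint64_t unmasked_from_masked(const Wires& w, uint64_t x, uint64_t v) {
    return sub(batched_eval(w, x, v, true), mul(pow_x(x, N), masking_inner_product(w, x, v)));
}
```

Only the masked evaluations and the single inner product enter `unmasked_from_masked`, which is why the unmasked \( T_i(x) \) never need to be sent.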
| std::pair< ECCVMProver::Proof, ECCVMProver::OpeningClaim > bb::ECCVMProver::construct_proof | ( | ) |
Definition at line 202 of file eccvm_prover.cpp.
| void bb::ECCVMProver::execute_grand_product_computation_round | ( | ) |
Compute permutation and lookup grand product polynomials and commitments.
Definition at line 111 of file eccvm_prover.cpp.
| void bb::ECCVMProver::execute_log_derivative_commitments_round | ( | ) |
Compute sorted witness-table accumulator.
Definition at line 78 of file eccvm_prover.cpp.
| void bb::ECCVMProver::execute_pcs_rounds | ( | ) |
Produce a univariate opening claim for the sumcheck multivariate evaluations and a batched univariate claim for the transcript polynomials (for the Translator consistency check). Reduce the two opening claims to a single one via Shplonk and produce an opening proof with the univariate PCS of choice (IPA when operating on Grumpkin).
Definition at line 156 of file eccvm_prover.cpp.
| void bb::ECCVMProver::execute_preamble_round | ( | ) |
Fiat-Shamir the VK.
Definition at line 40 of file eccvm_prover.cpp.
| void bb::ECCVMProver::execute_relation_check_rounds | ( | ) |
Run Sumcheck resulting in u = (u_1,...,u_d) challenges and all evaluations at u being calculated.
Definition at line 123 of file eccvm_prover.cpp.
| BB_PROFILE void bb::ECCVMProver::execute_transcript_consistency_univariate_opening_round | ( | ) |
| void bb::ECCVMProver::execute_wire_commitments_round | ( | ) |
Compute commitments to the first three wires.
Definition at line 55 of file eccvm_prover.cpp.
| ECCVMProver::Proof bb::ECCVMProver::export_proof | ( | ) |
Definition at line 197 of file eccvm_prover.cpp.
| OpeningClaim bb::ECCVMProver::batch_opening_claim |
Definition at line 60 of file eccvm_prover.hpp.
| FF bb::ECCVMProver::batching_challenge_v |
Definition at line 79 of file eccvm_prover.hpp.
| CommitmentLabels bb::ECCVMProver::commitment_labels |
Definition at line 75 of file eccvm_prover.hpp.
| FF bb::ECCVMProver::evaluation_challenge_x |
Definition at line 78 of file eccvm_prover.hpp.
| std::shared_ptr<ProvingKey> bb::ECCVMProver::key |
Definition at line 73 of file eccvm_prover.hpp.
| static constexpr |
Definition at line 64 of file eccvm_prover.hpp.
| std::array<OpeningClaim, NUM_OPENING_CLAIMS> bb::ECCVMProver::opening_claims |
Definition at line 65 of file eccvm_prover.hpp.
| std::vector<FF> bb::ECCVMProver::public_inputs |
Definition at line 69 of file eccvm_prover.hpp.
| bb::RelationParameters<FF> bb::ECCVMProver::relation_parameters |
Definition at line 71 of file eccvm_prover.hpp.
| SumcheckOutput<Flavor> bb::ECCVMProver::sumcheck_output |
Definition at line 81 of file eccvm_prover.hpp.
| std::shared_ptr<Transcript> bb::ECCVMProver::transcript |
Definition at line 55 of file eccvm_prover.hpp.
| TranslationEvaluations bb::ECCVMProver::translation_evaluations |
Definition at line 67 of file eccvm_prover.hpp.
| size_t bb::ECCVMProver::unmasked_witness_size |
Definition at line 57 of file eccvm_prover.hpp.
| ZKData bb::ECCVMProver::zk_sumcheck_data |
Definition at line 76 of file eccvm_prover.hpp.