Barretenberg: src/barretenberg/commitment_schemes/gemini/gemini.hpp Source File

// === AUDIT STATUS ===

// internal:    { status: Complete, auditors: [Khashayar], commit: }

// external_1:  { status: not started, auditors: [], commit: }

// external_2:  { status: not started, auditors: [], commit: }

// =====================


#pragma once


#include "barretenberg/commitment_schemes/claim.hpp"

#include "barretenberg/commitment_schemes/claim_batcher.hpp"

#include "barretenberg/common/bb_bench.hpp"

#include "barretenberg/common/thread.hpp"

#include "barretenberg/polynomials/polynomial.hpp"

#include "barretenberg/transcript/transcript.hpp"


namespace bb {


namespace gemini {


template <class Fr> inline std::vector<Fr> powers_of_rho(const Fr& rho, const size_t num_powers)

{

    std::vector<Fr> rhos = { Fr(1), rho };

    rhos.reserve(num_powers);

    for (size_t j = 2; j < num_powers; j++) {

        rhos.emplace_back(rhos[j - 1] * rho);

    }

    return rhos;

};


template <class Fr> inline std::vector<Fr> powers_of_evaluation_challenge(const Fr& r, const size_t num_squares)

{

    std::vector<Fr> squares = { r };

    squares.reserve(num_squares);

    for (size_t j = 1; j < num_squares; j++) {

        squares.emplace_back(squares[j - 1].sqr());

    }

    return squares;

};


} // namespace gemini


template <typename Curve> class GeminiProver_ {

    using Fr = typename Curve::ScalarField;

    using Commitment = typename Curve::AffineElement;

    using Polynomial = bb::Polynomial<Fr>;

    using Claim = ProverOpeningClaim<Curve>;


  public:


    class PolynomialBatcher {


        size_t full_batched_size = 0; // size of the full batched polynomial (generally the circuit size)


        Polynomial batched_unshifted;            // linear combination of unshifted polynomials

        Polynomial batched_to_be_shifted_by_one; // linear combination of to-be-shifted polynomials

        Polynomial batched_interleaved;          // linear combination of interleaved polynomials

        // linear combination of the groups to be interleaved where polynomial i in the batched group is obtained by

        // linearly combining the i-th polynomial in each group

        std::vector<Polynomial> batched_group;


      public:

        RefVector<Polynomial> unshifted;                             // set of unshifted polynomials

        RefVector<Polynomial> to_be_shifted_by_one;                  // set of polynomials to be left shifted by 1

        RefVector<Polynomial> interleaved;                           // the interleaved polynomials used in Translator

        std::vector<RefVector<Polynomial>> groups_to_be_interleaved; // groups of polynomials to be interleaved


        PolynomialBatcher(const size_t full_batched_size)

            : full_batched_size(full_batched_size)

            , batched_unshifted(full_batched_size)

            , batched_to_be_shifted_by_one(Polynomial::shiftable(full_batched_size))

        {}


        bool has_unshifted() const { return unshifted.size() > 0; }

        bool has_to_be_shifted_by_one() const { return to_be_shifted_by_one.size() > 0; }

        bool has_interleaved() const { return interleaved.size() > 0; }


        // Set references to the polynomials to be batched

        void set_unshifted(RefVector<Polynomial> polynomials) { unshifted = polynomials; }

        void set_to_be_shifted_by_one(RefVector<Polynomial> polynomials) { to_be_shifted_by_one = polynomials; }


        void set_interleaved(RefVector<Polynomial> results, std::vector<RefVector<Polynomial>> groups)

        {

            // Ensure the Gemini subprotocol for interleaved polynomials operates correctly

            if (groups[0].size() % 2 != 0) {

                throw_or_abort("Group size must be even ");

            }

            interleaved = results;

            groups_to_be_interleaved = groups;

        }


        Polynomial compute_batched(const Fr& challenge)

        {

            Fr running_scalar(1);

            BB_BENCH_NAME("compute_batched");

            // lambda for batching polynomials; updates the running scalar in place

            auto batch = [&](Polynomial& batched, const RefVector<Polynomial>& polynomials_to_batch) {

                for (auto& poly : polynomials_to_batch) {

                    batched.add_scaled(poly, running_scalar);

                    running_scalar *= challenge;

                }

            };


            Polynomial full_batched(full_batched_size);


            // compute the linear combination F of the unshifted polynomials

            if (has_unshifted()) {

                batch(batched_unshifted, unshifted);

                full_batched += batched_unshifted; // A₀ += F

            }


            // compute the linear combination G of the to-be-shifted polynomials

            if (has_to_be_shifted_by_one()) {

                batch(batched_to_be_shifted_by_one, to_be_shifted_by_one);

                full_batched += batched_to_be_shifted_by_one.shifted(); // A₀ += G/X

            }


            // compute the linear combination of the interleaved polynomials and groups

            if (has_interleaved()) {

                batched_interleaved = Polynomial(full_batched_size);

                for (size_t i = 0; i < groups_to_be_interleaved[0].size(); ++i) {

                    batched_group.push_back(Polynomial(full_batched_size));

                }


                for (size_t i = 0; i < groups_to_be_interleaved.size(); ++i) {

                    batched_interleaved.add_scaled(interleaved[i], running_scalar);

                    // Use parallel chunking for the batching operations

                    parallel_for([this, running_scalar, i](const ThreadChunk& chunk) {

                        for (size_t j = 0; j < groups_to_be_interleaved[0].size(); ++j) {

                            batched_group[j].add_scaled_chunk(chunk, groups_to_be_interleaved[i][j], running_scalar);

                        }

                    });

                    running_scalar *= challenge;

                }


                full_batched += batched_interleaved;

            }


            return full_batched;

        }


        std::pair<Polynomial, Polynomial> compute_partially_evaluated_batch_polynomials(const Fr& r_challenge)

        {

            // Initialize A₀₊ and compute A₀₊ += F as necessary

            Polynomial A_0_pos(full_batched_size); // A₀₊


            if (has_unshifted()) {

                A_0_pos += batched_unshifted; // A₀₊ += F

            }


            Polynomial A_0_neg = A_0_pos;


            if (has_to_be_shifted_by_one()) {

                Fr r_inv = r_challenge.invert();       // r⁻¹

                batched_to_be_shifted_by_one *= r_inv; // G = G/r


                A_0_pos += batched_to_be_shifted_by_one; // A₀₊ += G/r

                A_0_neg -= batched_to_be_shifted_by_one; // A₀₋ -= G/r

            }


            return { A_0_pos, A_0_neg };

        };


        std::pair<Polynomial, Polynomial> compute_partially_evaluated_interleaved_polynomial(const Fr& r_challenge)

        {

            Polynomial P_pos(batched_group[0]);

            Polynomial P_neg(batched_group[0]);


            Fr current_r_shift_pos = r_challenge;

            Fr current_r_shift_neg = -r_challenge;

            for (size_t i = 1; i < batched_group.size(); i++) {

                // Add r^i * Pᵢ(X) to P₊(X)

                P_pos.add_scaled(batched_group[i], current_r_shift_pos);

                // Add (-r)^i * Pᵢ(X) to P₋(X)

                P_neg.add_scaled(batched_group[i], current_r_shift_neg);

                // Update the current power of r

                current_r_shift_pos *= r_challenge;

                current_r_shift_neg *= -r_challenge;

            }


            return { P_pos, P_neg };

        }


        size_t get_group_size() { return batched_group.size(); }

    };


    static std::vector<Polynomial> compute_fold_polynomials(const size_t log_n,

                                                            std::span<const Fr> multilinear_challenge,

                                                            const Polynomial& A_0,

                                                            const bool& has_zk = false);


    static std::pair<Polynomial, Polynomial> compute_partially_evaluated_batch_polynomials(

        const size_t log_n,

        PolynomialBatcher& polynomial_batcher,

        const Fr& r_challenge,

        const std::vector<Polynomial>& batched_groups_to_be_concatenated = {});


    static std::vector<Claim> construct_univariate_opening_claims(const size_t log_n,

                                                                  Polynomial&& A_0_pos,

                                                                  Polynomial&& A_0_neg,

                                                                  std::vector<Polynomial>&& fold_polynomials,

                                                                  const Fr& r_challenge);


    template <typename Transcript>

    static std::vector<Claim> prove(size_t circuit_size,

                                    PolynomialBatcher& polynomial_batcher,

                                    std::span<Fr> multilinear_challenge,

                                    const CommitmentKey<Curve>& commitment_key,

                                    const std::shared_ptr<Transcript>& transcript,

                                    bool has_zk = false);


}; // namespace bb


template <typename Curve> class GeminiVerifier_ {

    using Fr = typename Curve::ScalarField;

    using Commitment = typename Curve::AffineElement;


  public:


    static std::vector<Commitment> get_fold_commitments(const size_t virtual_log_n, auto& transcript)

    {

        std::vector<Commitment> fold_commitments;

        fold_commitments.reserve(virtual_log_n - 1);

        for (size_t i = 1; i < virtual_log_n; ++i) {

            const Commitment commitment =

                transcript->template receive_from_prover<Commitment>("Gemini:FOLD_" + std::to_string(i));

            fold_commitments.emplace_back(commitment);

        }

        return fold_commitments;

    }


    static std::vector<Fr> get_gemini_evaluations(const size_t virtual_log_n, auto& transcript)

    {

        std::vector<Fr> gemini_evaluations;

        gemini_evaluations.reserve(virtual_log_n);


        for (size_t i = 1; i <= virtual_log_n; ++i) {

            const Fr evaluation = transcript->template receive_from_prover<Fr>("Gemini:a_" + std::to_string(i));

            gemini_evaluations.emplace_back(evaluation);

        }

        return gemini_evaluations;

    }


    static std::vector<Fr> compute_fold_pos_evaluations(std::span<const Fr> padding_indicator_array,

                                                        const Fr& batched_evaluation,

                                                        std::span<const Fr> evaluation_point, // size = virtual_log_n

                                                        std::span<const Fr> challenge_powers, // size = virtual_log_n

                                                        std::span<const Fr> fold_neg_evals,   // size = virtual_log_n

                                                        Fr p_neg = Fr(0))

    {

        const size_t virtual_log_n = evaluation_point.size();


        std::vector<Fr> evals(fold_neg_evals.begin(), fold_neg_evals.end());


        Fr eval_pos_prev = batched_evaluation;


        std::vector<Fr> fold_pos_evaluations;

        fold_pos_evaluations.reserve(virtual_log_n);


        // Add the contribution of P-((-r)ˢ) to get A_0(-r), which is 0 if there are no interleaved polynomials

        evals[0] += p_neg;

        // Solve the sequence of linear equations

        for (size_t l = virtual_log_n; l != 0; --l) {

            // Get r²⁽ˡ⁻¹⁾

            const Fr& challenge_power = challenge_powers[l - 1];

            // Get uₗ₋₁

            const Fr& u = evaluation_point[l - 1];

            // Get A₍ₗ₋₁₎(−r²⁽ˡ⁻¹⁾)

            const Fr& eval_neg = evals[l - 1];

            // Compute the numerator

            Fr eval_pos = ((challenge_power * eval_pos_prev * 2) - eval_neg * (challenge_power * (Fr(1) - u) - u));

            // Divide by the denominator

            eval_pos *= (challenge_power * (Fr(1) - u) + u).invert();


            // If current index is bigger than log_n, we propagate `batched_evaluation` to the next

            // round.  Otherwise, current `eval_pos` A₍ₗ₋₁₎(r²⁽ˡ⁻¹⁾) becomes `eval_pos_prev` in the round l-2.

            eval_pos_prev =

                padding_indicator_array[l - 1] * eval_pos + (Fr{ 1 } - padding_indicator_array[l - 1]) * eval_pos_prev;

            // If current index is bigger than log_n, we emplace 0, which is later multiplied against

            // Commitment::one().

            fold_pos_evaluations.emplace_back(padding_indicator_array[l - 1] * eval_pos_prev);

        }


        std::reverse(fold_pos_evaluations.begin(), fold_pos_evaluations.end());


        return fold_pos_evaluations;

    }


};


} // namespace bb

bb_bench.hpp

BB_BENCH_NAME
#define BB_BENCH_NAME(name)
Definition bb_bench.hpp:219

claim.hpp

claim_batcher.hpp

bb::CommitmentKey
CommitmentKey object over a pairing group 𝔾₁.
Definition commitment_key.hpp:43

bb::GeminiProver_::PolynomialBatcher
Class responsible for computation of the batched multilinear polynomials required by the Gemini proto...
Definition gemini.hpp:126

bb::GeminiProver_::PolynomialBatcher::compute_partially_evaluated_interleaved_polynomial
std::pair< Polynomial, Polynomial > compute_partially_evaluated_interleaved_polynomial(const Fr &r_challenge)
Compute the partially evaluated polynomials P₊(X, r) and P₋(X, -r)
Definition gemini.hpp:263

bb::GeminiProver_::PolynomialBatcher::set_to_be_shifted_by_one
void set_to_be_shifted_by_one(RefVector< Polynomial > polynomials)
Definition gemini.hpp:155

bb::GeminiProver_::PolynomialBatcher::has_to_be_shifted_by_one
bool has_to_be_shifted_by_one() const
Definition gemini.hpp:150

bb::GeminiProver_::PolynomialBatcher::set_interleaved
void set_interleaved(RefVector< Polynomial > results, std::vector< RefVector< Polynomial > > groups)
Definition gemini.hpp:157

bb::GeminiProver_::PolynomialBatcher::interleaved
RefVector< Polynomial > interleaved
Definition gemini.hpp:140

bb::GeminiProver_::PolynomialBatcher::groups_to_be_interleaved
std::vector< RefVector< Polynomial > > groups_to_be_interleaved
Definition gemini.hpp:141

bb::GeminiProver_::PolynomialBatcher::get_group_size
size_t get_group_size()
Definition gemini.hpp:283

bb::GeminiProver_::PolynomialBatcher::set_unshifted
void set_unshifted(RefVector< Polynomial > polynomials)
Definition gemini.hpp:154

bb::GeminiProver_::PolynomialBatcher::batched_interleaved
Polynomial batched_interleaved
Definition gemini.hpp:132

bb::GeminiProver_::PolynomialBatcher::batched_group
std::vector< Polynomial > batched_group
Definition gemini.hpp:135

bb::GeminiProver_::PolynomialBatcher::batched_unshifted
Polynomial batched_unshifted
Definition gemini.hpp:130

bb::GeminiProver_::PolynomialBatcher::full_batched_size
size_t full_batched_size
Definition gemini.hpp:128

bb::GeminiProver_::PolynomialBatcher::compute_batched
Polynomial compute_batched(const Fr &challenge)
Compute batched polynomial A₀ = F + G/X as the linear combination of all polynomials to be opened,...
Definition gemini.hpp:175

bb::GeminiProver_::PolynomialBatcher::to_be_shifted_by_one
RefVector< Polynomial > to_be_shifted_by_one
Definition gemini.hpp:139

bb::GeminiProver_::PolynomialBatcher::compute_partially_evaluated_batch_polynomials
std::pair< Polynomial, Polynomial > compute_partially_evaluated_batch_polynomials(const Fr &r_challenge)
Compute partially evaluated batched polynomials A₀(X, r) = A₀₊ = F + G/r, A₀(X, -r) = A₀₋ = F - G/r.
Definition gemini.hpp:231

bb::GeminiProver_::PolynomialBatcher::has_interleaved
bool has_interleaved() const
Definition gemini.hpp:151

bb::GeminiProver_::PolynomialBatcher::unshifted
RefVector< Polynomial > unshifted
Definition gemini.hpp:138

bb::GeminiProver_::PolynomialBatcher::has_unshifted
bool has_unshifted() const
Definition gemini.hpp:149

bb::GeminiProver_::PolynomialBatcher::batched_to_be_shifted_by_one
Polynomial batched_to_be_shifted_by_one
Definition gemini.hpp:131

bb::GeminiProver_::PolynomialBatcher::PolynomialBatcher
PolynomialBatcher(const size_t full_batched_size)
Definition gemini.hpp:143

bb::GeminiProver_
Definition gemini.hpp:105

bb::GeminiProver_::prove
static std::vector< Claim > prove(size_t circuit_size, PolynomialBatcher &polynomial_batcher, std::span< Fr > multilinear_challenge, const CommitmentKey< Curve > &commitment_key, const std::shared_ptr< Transcript > &transcript, bool has_zk=false)

bb::GeminiProver_::Polynomial
bb::Polynomial< Fr > Polynomial
Definition gemini.hpp:108

bb::GeminiProver_::construct_univariate_opening_claims
static std::vector< Claim > construct_univariate_opening_claims(const size_t log_n, Polynomial &&A_0_pos, Polynomial &&A_0_neg, std::vector< Polynomial > &&fold_polynomials, const Fr &r_challenge)
Computes/aggragates d+1 univariate polynomial opening claims of the form {polynomial,...
Definition gemini_impl.hpp:228

bb::GeminiProver_::Fr
typename Curve::ScalarField Fr
Definition gemini.hpp:106

bb::GeminiProver_::compute_partially_evaluated_batch_polynomials
static std::pair< Polynomial, Polynomial > compute_partially_evaluated_batch_polynomials(const size_t log_n, PolynomialBatcher &polynomial_batcher, const Fr &r_challenge, const std::vector< Polynomial > &batched_groups_to_be_concatenated={})

bb::GeminiProver_::Commitment
typename Curve::AffineElement Commitment
Definition gemini.hpp:107

bb::GeminiProver_::compute_fold_polynomials
static std::vector< Polynomial > compute_fold_polynomials(const size_t log_n, std::span< const Fr > multilinear_challenge, const Polynomial &A_0, const bool &has_zk=false)
Computes d-1 fold polynomials Fold_i, i = 1, ..., d-1.
Definition gemini_impl.hpp:124

bb::GeminiVerifier_
Gemini Verifier utility methods used by ShpleminiVerifier.
Definition gemini.hpp:316

bb::GeminiVerifier_::Fr
typename Curve::ScalarField Fr
Definition gemini.hpp:317

bb::GeminiVerifier_::compute_fold_pos_evaluations
static std::vector< Fr > compute_fold_pos_evaluations(std::span< const Fr > padding_indicator_array, const Fr &batched_evaluation, std::span< const Fr > evaluation_point, std::span< const Fr > challenge_powers, std::span< const Fr > fold_neg_evals, Fr p_neg=Fr(0))
Compute .
Definition gemini.hpp:397

bb::GeminiVerifier_::get_fold_commitments
static std::vector< Commitment > get_fold_commitments(const size_t virtual_log_n, auto &transcript)
Receive the fold commitments from the prover. This method is used by Shplemini where padding may be e...
Definition gemini.hpp:329

bb::GeminiVerifier_::get_gemini_evaluations
static std::vector< Fr > get_gemini_evaluations(const size_t virtual_log_n, auto &transcript)
Receive the fold evaluations from the prover. This method is used by Shplemini where padding may be e...
Definition gemini.hpp:350

bb::GeminiVerifier_::Commitment
typename Curve::AffineElement Commitment
Definition gemini.hpp:318

bb::Polynomial
Structured polynomial class that represents the coefficients 'a' of a_0 + a_1 x .....
Definition polynomial.hpp:75

bb::Polynomial::shifted
Polynomial shifted() const
Returns a Polynomial the left-shift of self.
Definition polynomial.cpp:278

bb::Polynomial::add_scaled
void add_scaled(PolynomialSpan< const Fr > other, const Fr &scaling_factor)
adds the polynomial q(X) 'other', multiplied by a scaling factor.
Definition polynomial.cpp:258

bb::ProverOpeningClaim
Polynomial p and an opening pair (r,v) such that p(r) = v.
Definition claim.hpp:34

bb::RefVector
A template class for a reference vector. Behaves as if std::vector<T&> was possible.
Definition ref_vector.hpp:24

bb::curve::Grumpkin::AffineElement
typename Group::affine_element AffineElement
Definition grumpkin.hpp:63

bb::curve::Grumpkin::ScalarField
bb::fq ScalarField
Definition grumpkin.hpp:59

bb::gemini::powers_of_evaluation_challenge
std::vector< Fr > powers_of_evaluation_challenge(const Fr &r, const size_t num_squares)
Compute squares of folding challenge r.
Definition gemini.hpp:94

bb::gemini::powers_of_rho
std::vector< Fr > powers_of_rho(const Fr &rho, const size_t num_powers)
Compute powers of challenge ρ
Definition gemini.hpp:77

bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5

bb::parallel_for
void parallel_for(size_t num_iterations, const std::function< void(size_t)> &func)
Definition thread.cpp:111

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

std::to_string
std::string to_string(bb::avm2::ValueTag tag)
Definition tagged_value.cpp:402

Fr
Curve::ScalarField Fr
Definition pippenger.bench.cpp:28

polynomial.hpp

bb::ThreadChunk
Definition thread.hpp:158

bb::field< Bn254FrParams >

thread.hpp

throw_or_abort
void throw_or_abort(std::string const &err)
Definition throw_or_abort.hpp:6

transcript.hpp