Barretenberg: src/barretenberg/ultra_honk/ultra_prover.cpp Source File

// === AUDIT STATUS ===

// internal:    { status: Planned, auditors: [], commit: }

// external_1:  { status: not started, auditors: [], commit: }

// external_2:  { status: not started, auditors: [], commit: }

// =====================


#include "ultra_prover.hpp"

#include "barretenberg/commitment_schemes/gemini/gemini.hpp"

#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp"

#include "barretenberg/flavor/mega_avm_flavor.hpp"

#include "barretenberg/sumcheck/sumcheck.hpp"

#include "barretenberg/ultra_honk/oink_prover.hpp"

namespace bb {


template <IsUltraOrMegaHonk Flavor>


UltraProver_<Flavor>::UltraProver_(const std::shared_ptr<ProverInstance>& prover_instance,

                                   const std::shared_ptr<HonkVK>& honk_vk,

                                   const CommitmentKey& commitment_key)

    : prover_instance(std::move(prover_instance))

    , honk_vk(honk_vk)

    , transcript(std::make_shared<Transcript>())

    , commitment_key(commitment_key)

{}


template <IsUltraOrMegaHonk Flavor>


UltraProver_<Flavor>::UltraProver_(const std::shared_ptr<ProverInstance>& prover_instance,

                                   const std::shared_ptr<HonkVK>& honk_vk,

                                   const std::shared_ptr<Transcript>& transcript)

    : prover_instance(std::move(prover_instance))

    , honk_vk(honk_vk)

    , transcript(transcript)

    , commitment_key(prover_instance->commitment_key)

{}


template <IsUltraOrMegaHonk Flavor>


UltraProver_<Flavor>::UltraProver_(Builder& circuit,

                                   const std::shared_ptr<HonkVK>& honk_vk,

                                   const std::shared_ptr<Transcript>& transcript)

    : prover_instance(std::make_shared<ProverInstance>(circuit))

    , honk_vk(honk_vk)

    , transcript(transcript)

    , commitment_key(prover_instance->commitment_key)

{}


template <IsUltraOrMegaHonk Flavor>


UltraProver_<Flavor>::UltraProver_(Builder&& circuit, const std::shared_ptr<HonkVK>& honk_vk)

    : prover_instance(std::make_shared<ProverInstance>(circuit))

    , honk_vk(honk_vk)

    , transcript(std::make_shared<Transcript>())

    , commitment_key(prover_instance->commitment_key)

{}


template <IsUltraOrMegaHonk Flavor> typename UltraProver_<Flavor>::Proof UltraProver_<Flavor>::export_proof()

{

    auto proof = transcript->export_proof();


    // Add the IPA proof

    if constexpr (HasIPAAccumulator<Flavor>) {

        // The extra calculation is for the IPA proof length.

        BB_ASSERT_EQ(prover_instance->ipa_proof.size(), static_cast<size_t>(IPA_PROOF_LENGTH));

        proof.insert(proof.end(), prover_instance->ipa_proof.begin(), prover_instance->ipa_proof.end());

    }


    return proof;

}


template <IsUltraOrMegaHonk Flavor> void UltraProver_<Flavor>::generate_gate_challenges()

{

    // Determine the number of rounds in the sumcheck based on whether or not padding is employed

    const size_t virtual_log_n =

        Flavor::USE_PADDING ? Flavor::VIRTUAL_LOG_N : static_cast<size_t>(prover_instance->log_dyadic_size());


    prover_instance->gate_challenges =

        transcript->template get_dyadic_powers_of_challenge<FF>("Sumcheck:gate_challenge", virtual_log_n);

}


template <IsUltraOrMegaHonk Flavor> typename UltraProver_<Flavor>::Proof UltraProver_<Flavor>::construct_proof()

{

    OinkProver<Flavor> oink_prover(prover_instance, honk_vk, transcript);

    oink_prover.prove();

    vinfo("created oink proof");


    generate_gate_challenges();


    // Run sumcheck

    execute_sumcheck_iop();

    vinfo("finished relation check rounds");

    // Execute Shplemini PCS

    execute_pcs();

    vinfo("finished PCS rounds");


    return export_proof();

}


template <IsUltraOrMegaHonk Flavor> void UltraProver_<Flavor>::execute_sumcheck_iop()

{

    const size_t virtual_log_n = Flavor::USE_PADDING ? Flavor::VIRTUAL_LOG_N : prover_instance->log_dyadic_size();


    using Sumcheck = SumcheckProver<Flavor>;

    size_t polynomial_size = prover_instance->dyadic_size();

    Sumcheck sumcheck(polynomial_size,

                      prover_instance->polynomials,

                      transcript,

                      prover_instance->alpha,

                      prover_instance->gate_challenges,

                      prover_instance->relation_parameters,

                      virtual_log_n);

    {


        BB_BENCH_NAME("sumcheck.prove");


        if constexpr (Flavor::HasZK) {

            const size_t log_subgroup_size = static_cast<size_t>(numeric::get_msb(Curve::SUBGROUP_SIZE));

            CommitmentKey commitment_key(1 << (log_subgroup_size + 1));

            zk_sumcheck_data = ZKData(numeric::get_msb(polynomial_size), transcript, commitment_key);

            sumcheck_output = sumcheck.prove(zk_sumcheck_data);

        } else {

            sumcheck_output = sumcheck.prove();

        }

    }

}


template <IsUltraOrMegaHonk Flavor> void UltraProver_<Flavor>::execute_pcs()

{

    using OpeningClaim = ProverOpeningClaim<Curve>;

    using PolynomialBatcher = GeminiProver_<Curve>::PolynomialBatcher;


    auto& ck = prover_instance->commitment_key;

    if (!ck.initialized()) {

        ck = CommitmentKey(prover_instance->dyadic_size());

    }


    PolynomialBatcher polynomial_batcher(prover_instance->dyadic_size());

    polynomial_batcher.set_unshifted(prover_instance->polynomials.get_unshifted());

    polynomial_batcher.set_to_be_shifted_by_one(prover_instance->polynomials.get_to_be_shifted());


    OpeningClaim prover_opening_claim;

    if constexpr (!Flavor::HasZK) {

        prover_opening_claim = ShpleminiProver_<Curve>::prove(

            prover_instance->dyadic_size(), polynomial_batcher, sumcheck_output.challenge, ck, transcript);

    } else {


        SmallSubgroupIPA small_subgroup_ipa_prover(

            zk_sumcheck_data, sumcheck_output.challenge, sumcheck_output.claimed_libra_evaluation, transcript, ck);

        small_subgroup_ipa_prover.prove();


        prover_opening_claim = ShpleminiProver_<Curve>::prove(prover_instance->dyadic_size(),

                                                              polynomial_batcher,

                                                              sumcheck_output.challenge,

                                                              ck,

                                                              transcript,

                                                              small_subgroup_ipa_prover.get_witness_polynomials());

    }

    vinfo("executed multivariate-to-univariate reduction");

    PCS::compute_opening_proof(ck, prover_opening_claim, transcript);

    vinfo("computed opening proof");

}


template class UltraProver_<UltraFlavor>;

template class UltraProver_<UltraZKFlavor>;

template class UltraProver_<UltraKeccakFlavor>;

#ifdef STARKNET_GARAGA_FLAVORS

template class UltraProver_<UltraStarknetFlavor>;

template class UltraProver_<UltraStarknetZKFlavor>;

#endif

template class UltraProver_<UltraKeccakZKFlavor>;

template class UltraProver_<UltraRollupFlavor>;

template class UltraProver_<MegaFlavor>;

template class UltraProver_<MegaZKFlavor>;

template class UltraProver_<MegaAvmFlavor>;


} // namespace bb

BB_ASSERT_EQ
#define BB_ASSERT_EQ(actual, expected,...)
Definition assert.hpp:93

BB_BENCH_NAME
#define BB_BENCH_NAME(name)
Definition bb_bench.hpp:219

bb::ECCVMFlavor::HasZK
static constexpr bool HasZK
Definition eccvm_flavor.hpp:58

bb::ECCVMFlavor::USE_PADDING
static constexpr bool USE_PADDING
Definition eccvm_flavor.hpp:60

bb::GeminiProver_::PolynomialBatcher
Class responsible for computation of the batched multilinear polynomials required by the Gemini proto...
Definition gemini.hpp:126

bb::OinkProver
Class for all the oink rounds, which are shared between the folding prover and ultra prover.
Definition oink_prover.hpp:39

bb::OinkProver::prove
void prove()
Oink Prover function that runs all the rounds of the verifier.
Definition oink_prover.cpp:21

bb::OpeningClaim
Unverified claim (C,r,v) for some witness polynomial p(X) such that.
Definition claim.hpp:53

bb::ProverInstance_
A ProverInstance is normally constructed from a finalized circuit and it contains all the information...
Definition prover_instance.hpp:33

bb::ProverOpeningClaim
Polynomial p and an opening pair (r,v) such that p(r) = v.
Definition claim.hpp:34

bb::ShpleminiProver_::prove
static OpeningClaim prove(size_t circuit_size, PolynomialBatcher &polynomial_batcher, std::span< FF > multilinear_challenge, const CommitmentKey< Curve > &commitment_key, const std::shared_ptr< Transcript > &transcript, const std::array< Polynomial, NUM_SMALL_IPA_EVALUATIONS > &libra_polynomials={}, const std::vector< Polynomial > &sumcheck_round_univariates={}, const std::vector< std::array< FF, 3 > > &sumcheck_round_evaluations={})
Definition shplemini.hpp:36

bb::SmallSubgroupIPAProver
A Curve-agnostic ZK protocol to prove inner products of small vectors.
Definition small_subgroup_ipa.hpp:69

bb::SmallSubgroupIPAProver::get_witness_polynomials
std::array< bb::Polynomial< FF >, NUM_SMALL_IPA_EVALUATIONS > get_witness_polynomials() const
Definition small_subgroup_ipa.hpp:178

bb::SmallSubgroupIPAProver::prove
void prove()
Compute the derived witnesses  and  and commit to them.
Definition small_subgroup_ipa.cpp:150

bb::SumcheckProver
The implementation of the sumcheck Prover for statements of the form  for multilinear polynomials .
Definition sumcheck.hpp:289

bb::UltraProver_
Definition ultra_prover.hpp:20

bb::UltraProver_::generate_gate_challenges
BB_PROFILE void generate_gate_challenges()
Definition ultra_prover.cpp:81

bb::UltraProver_::execute_pcs
BB_PROFILE void execute_pcs()
Produce a univariate opening claim for the sumcheck multivariate evalutions and a batched univariate ...
Definition ultra_prover.cpp:148

bb::UltraProver_::Proof
typename Transcript::Proof Proof
Definition ultra_prover.hpp:36

bb::UltraProver_::execute_sumcheck_iop
BB_PROFILE void execute_sumcheck_iop()
Run Sumcheck to establish that ∑_i pow(\vec{β*})f_i(ω) = 0. This results in u = (u_1,...
Definition ultra_prover.cpp:114

bb::UltraProver_::CommitmentKey
typename Flavor::CommitmentKey CommitmentKey
Definition ultra_prover.hpp:26

bb::UltraProver_::Transcript
typename Flavor::Transcript Transcript
Definition ultra_prover.hpp:35

bb::UltraProver_::UltraProver_
UltraProver_(const std::shared_ptr< ProverInstance > &, const std::shared_ptr< HonkVK > &, const CommitmentKey &)
Definition ultra_prover.cpp:16

bb::UltraProver_::Builder
typename Flavor::CircuitBuilder Builder
Definition ultra_prover.hpp:24

bb::UltraProver_::export_proof
Proof export_proof()
Definition ultra_prover.cpp:67

bb::UltraProver_::construct_proof
Proof construct_proof()
Definition ultra_prover.cpp:91

bb::curve::Grumpkin::SUBGROUP_SIZE
static constexpr size_t SUBGROUP_SIZE
Definition grumpkin.hpp:74

vinfo
#define vinfo(...)
Definition log.hpp:94

bb::HasIPAAccumulator
Definition flavor_concepts.hpp:44

gemini.hpp

mega_avm_flavor.hpp

bb::numeric::get_msb
constexpr T get_msb(const T in)
Definition get_msb.hpp:47

bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5

bb::ck
CommitmentKey< Curve > ck
Definition ipa.fuzzer.cpp:20

std
STL namespace.

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

oink_prover.hpp

shplemini.hpp

bb::ZKSumcheckData
This structure is created to contain various polynomials and constants required by ZK Sumcheck.
Definition zk_sumcheck_data.hpp:22

sumcheck.hpp

ultra_prover.hpp