From 99aed8b1ac915aef6db7e10835827f9b5677a8ff Mon Sep 17 00:00:00 2001 
From: Rumata888
Date: Thu, 22 Jun 2023 18:08:59 +0000
Subject: [PATCH 1/5] Everything builds
---
 .../standard_honk_composer_helper.cpp | 2 +-
 cpp/src/barretenberg/honk/flavor/standard.hpp | 6 +-
 .../honk/flavor/standard_grumpkin.hpp | 6 +-
 cpp/src/barretenberg/honk/flavor/ultra.hpp | 6 +-
 .../honk/flavor/ultra_grumpkin.hpp | 6 +-
 .../barretenberg/honk/pcs/gemini/gemini.hpp | 6 +-
 .../honk/pcs/gemini/gemini.test.cpp | 130 +++++++++-
 .../barretenberg/honk/pcs/kzg/kzg.test.cpp | 177 --------------
 .../barretenberg/honk/proof_system/prover.cpp | 2 +-
 .../barretenberg/honk/proof_system/prover.hpp | 6 +-
 .../honk/proof_system/ultra_prover.cpp | 4 +-
 .../honk/proof_system/ultra_prover.hpp | 4 +-
 .../honk/proof_system/ultra_verifier.cpp | 2 +-
 .../honk/proof_system/verifier.cpp | 2 +-
 .../honk/proof_system/work_queue.hpp | 2 +-
 .../polynomials/multivariates.test.cpp | 2 +-
 .../barretenberg/honk/sumcheck/sumcheck.hpp | 2 +-
 .../honk/sumcheck/sumcheck.test.cpp | 2 +-
 ...ript.test.cpp => honk_transcript.test.cpp} | 113 +--------
 .../composer_helper/composer_helper_lib.cpp | 2 +-
 .../standard_plonk_composer_helper.cpp | 2 +-
 .../standard_plonk_composer_helper.hpp | 2 +-
 .../barretenberg/proof_system/CMakeLists.txt | 2 +-
 .../{honk => proof_system}/pcs/claim.hpp | 0
 .../proof_system/pcs/commitment_key.cpp | 226 ++++++++++++++++++
 .../pcs/commitment_key.hpp | 33 +--
 .../pcs/commitment_key.test.hpp | 0
 .../{honk => proof_system}/pcs/ipa/ipa.hpp | 6 +-
 .../pcs/ipa/ipa.test.cpp | 4 +-
 .../{honk => proof_system}/pcs/kzg/kzg.hpp | 4 +-
 .../proof_system/pcs/kzg/kzg.test.cpp | 52 ++++
 .../pcs/shplonk/shplonk.hpp | 0
 .../pcs/shplonk/shplonk.test.cpp | 5 +-
 .../pcs/shplonk/shplonk_single.hpp | 6 +-
 .../transcript/transcript.hpp | 0
 .../transcript/transcript.test.cpp | 111 +++++++++
 36 files changed, 574 insertions(+), 361 deletions(-)
 delete mode 100644 cpp/src/barretenberg/honk/pcs/kzg/kzg.test.cpp
 rename cpp/src/barretenberg/honk/transcript/{transcript.test.cpp => honk_transcript.test.cpp} (68%)
 rename cpp/src/barretenberg/{honk => proof_system}/pcs/claim.hpp (100%)
 create mode 100644 cpp/src/barretenberg/proof_system/pcs/commitment_key.cpp
 rename cpp/src/barretenberg/{honk => proof_system}/pcs/commitment_key.hpp (85%)
 rename cpp/src/barretenberg/{honk => proof_system}/pcs/commitment_key.test.hpp (100%)
 rename cpp/src/barretenberg/{honk => proof_system}/pcs/ipa/ipa.hpp (98%)
 rename cpp/src/barretenberg/{honk => proof_system}/pcs/ipa/ipa.test.cpp (96%)
 rename cpp/src/barretenberg/{honk => proof_system}/pcs/kzg/kzg.hpp (95%)
 create mode 100644 cpp/src/barretenberg/proof_system/pcs/kzg/kzg.test.cpp
 rename cpp/src/barretenberg/{honk => proof_system}/pcs/shplonk/shplonk.hpp (100%)
 rename cpp/src/barretenberg/{honk => proof_system}/pcs/shplonk/shplonk.test.cpp (96%)
 rename cpp/src/barretenberg/{honk => proof_system}/pcs/shplonk/shplonk_single.hpp (97%)
 rename cpp/src/barretenberg/{honk => proof_system}/transcript/transcript.hpp (100%)
 create mode 100644 cpp/src/barretenberg/proof_system/transcript/transcript.test.cpp
diff --git a/cpp/src/barretenberg/honk/composer/composer_helper/standard_honk_composer_helper.cpp b/cpp/src/barretenberg/honk/composer/composer_helper/standard_honk_composer_helper.cpp
index 0ea4402823..b770b18b74 100644
--- a/cpp/src/barretenberg/honk/composer/composer_helper/standard_honk_composer_helper.cpp
+++ b/cpp/src/barretenberg/honk/composer/composer_helper/standard_honk_composer_helper.cpp
@@ -1,6 +1,6 @@
 #include "standard_honk_composer_helper.hpp"
 #include "barretenberg/polynomials/polynomial.hpp"
-#include "barretenberg/honk/pcs/commitment_key.hpp"
+#include "barretenberg/proof_system/pcs/commitment_key.hpp"
 #include "barretenberg/numeric/bitop/get_msb.hpp"
 #include "barretenberg/srs/factories/crs_factory.hpp"
diff --git a/cpp/src/barretenberg/honk/flavor/standard.hpp b/cpp/src/barretenberg/honk/flavor/standard.hpp
index 5c89e78368..a2267d6e49 100644
--- a/cpp/src/barretenberg/honk/flavor/standard.hpp
+++ b/cpp/src/barretenberg/honk/flavor/standard.hpp
@@ -5,14 +5,14 @@
 #include
 #include
 #include
-#include "barretenberg/honk/pcs/commitment_key.hpp"
+#include "barretenberg/proof_system/pcs/commitment_key.hpp"
 #include "barretenberg/honk/sumcheck/polynomials/barycentric_data.hpp"
-#include "barretenberg/honk/pcs/kzg/kzg.hpp"
+#include "barretenberg/proof_system/pcs/kzg/kzg.hpp"
 #include "barretenberg/honk/sumcheck/polynomials/univariate.hpp"
 #include "barretenberg/ecc/curves/bn254/g1.hpp"
 #include "barretenberg/honk/sumcheck/relations/arithmetic_relation.hpp"
 #include "barretenberg/honk/sumcheck/relations/permutation_relation.hpp"
-#include "barretenberg/honk/transcript/transcript.hpp"
+#include "barretenberg/proof_system/transcript/transcript.hpp"
 #include "barretenberg/polynomials/evaluation_domain.hpp"
 #include "barretenberg/polynomials/polynomial.hpp"
 #include "barretenberg/proof_system/circuit_constructors/standard_circuit_constructor.hpp"
diff --git a/cpp/src/barretenberg/honk/flavor/standard_grumpkin.hpp b/cpp/src/barretenberg/honk/flavor/standard_grumpkin.hpp
index 704559bf80..05a8dabdc4 100644
--- a/cpp/src/barretenberg/honk/flavor/standard_grumpkin.hpp
+++ b/cpp/src/barretenberg/honk/flavor/standard_grumpkin.hpp
@@ -5,14 +5,14 @@
 #include
 #include
 #include
-#include "barretenberg/honk/pcs/commitment_key.hpp"
+#include "barretenberg/proof_system/pcs/commitment_key.hpp"
 #include "barretenberg/honk/sumcheck/polynomials/barycentric_data.hpp"
-#include "barretenberg/honk/pcs/ipa/ipa.hpp"
+#include "barretenberg/proof_system/pcs/ipa/ipa.hpp"
 #include "barretenberg/honk/sumcheck/polynomials/univariate.hpp"
 #include "barretenberg/ecc/curves/bn254/g1.hpp"
 #include "barretenberg/honk/sumcheck/relations/arithmetic_relation.hpp"
 #include "barretenberg/honk/sumcheck/relations/permutation_relation.hpp"
-#include "barretenberg/honk/transcript/transcript.hpp"
+#include "barretenberg/proof_system/transcript/transcript.hpp"
 #include "barretenberg/polynomials/evaluation_domain.hpp"
 #include "barretenberg/polynomials/polynomial.hpp"
 #include "barretenberg/proof_system/circuit_constructors/standard_circuit_constructor.hpp"
diff --git a/cpp/src/barretenberg/honk/flavor/ultra.hpp b/cpp/src/barretenberg/honk/flavor/ultra.hpp
index 8760e0a28f..091c51843e 100644
--- a/cpp/src/barretenberg/honk/flavor/ultra.hpp
+++ b/cpp/src/barretenberg/honk/flavor/ultra.hpp
@@ -5,12 +5,12 @@
 #include
 #include
 #include
-#include "barretenberg/honk/pcs/commitment_key.hpp"
+#include "barretenberg/proof_system/pcs/commitment_key.hpp"
 #include "barretenberg/honk/sumcheck/polynomials/barycentric_data.hpp"
-#include "barretenberg/honk/pcs/kzg/kzg.hpp"
+#include "barretenberg/proof_system/pcs/kzg/kzg.hpp"
 #include "barretenberg/honk/sumcheck/polynomials/univariate.hpp"
 #include "barretenberg/ecc/curves/bn254/g1.hpp"
-#include "barretenberg/honk/transcript/transcript.hpp"
+#include "barretenberg/proof_system/transcript/transcript.hpp"
 #include "barretenberg/polynomials/evaluation_domain.hpp"
 #include "barretenberg/polynomials/polynomial.hpp"
 #include "barretenberg/proof_system/circuit_constructors/ultra_circuit_constructor.hpp"
diff --git a/cpp/src/barretenberg/honk/flavor/ultra_grumpkin.hpp b/cpp/src/barretenberg/honk/flavor/ultra_grumpkin.hpp
index ed257d535c..44d345f2c0 100644
--- a/cpp/src/barretenberg/honk/flavor/ultra_grumpkin.hpp
+++ b/cpp/src/barretenberg/honk/flavor/ultra_grumpkin.hpp
@@ -5,12 +5,12 @@
 #include
 #include
 #include
-#include "barretenberg/honk/pcs/commitment_key.hpp"
+#include "barretenberg/proof_system/pcs/commitment_key.hpp"
 #include "barretenberg/honk/sumcheck/polynomials/barycentric_data.hpp"
-#include "barretenberg/honk/pcs/ipa/ipa.hpp"
+#include "barretenberg/proof_system/pcs/ipa/ipa.hpp"
 #include "barretenberg/honk/sumcheck/polynomials/univariate.hpp"
 #include "barretenberg/ecc/curves/bn254/g1.hpp"
-#include "barretenberg/honk/transcript/transcript.hpp"
+#include "barretenberg/proof_system/transcript/transcript.hpp"
 #include "barretenberg/polynomials/evaluation_domain.hpp"
 #include "barretenberg/polynomials/polynomial.hpp"
 #include "barretenberg/proof_system/circuit_constructors/ultra_circuit_constructor.hpp"
diff --git a/cpp/src/barretenberg/honk/pcs/gemini/gemini.hpp b/cpp/src/barretenberg/honk/pcs/gemini/gemini.hpp
index 4f19c365d8..ece9e85bb3 100644
--- a/cpp/src/barretenberg/honk/pcs/gemini/gemini.hpp
+++ b/cpp/src/barretenberg/honk/pcs/gemini/gemini.hpp
@@ -1,9 +1,9 @@
 #pragma once
-#include "../claim.hpp"
-#include "barretenberg/honk/pcs/commitment_key.hpp"
+#include "barretenberg/proof_system/pcs/claim.hpp"
+#include "barretenberg/proof_system/pcs/commitment_key.hpp"
 #include "barretenberg/polynomials/polynomial.hpp"
-#include "barretenberg/honk/transcript/transcript.hpp"
+#include "barretenberg/proof_system/transcript/transcript.hpp"
 #include
diff --git a/cpp/src/barretenberg/honk/pcs/gemini/gemini.test.cpp b/cpp/src/barretenberg/honk/pcs/gemini/gemini.test.cpp
index 69a28eb032..269a4aef79 100644
--- a/cpp/src/barretenberg/honk/pcs/gemini/gemini.test.cpp
+++ b/cpp/src/barretenberg/honk/pcs/gemini/gemini.test.cpp
@@ -1,8 +1,10 @@
 #include "gemini.hpp"
-#include "../commitment_key.test.hpp"
-#include "barretenberg/honk/transcript/transcript.hpp"
+#include "barretenberg/proof_system/pcs/commitment_key.test.hpp"
+#include "barretenberg/proof_system/transcript/transcript.hpp"
 #include "barretenberg/polynomials/polynomial.hpp"
+#include "barretenberg/proof_system/pcs/shplonk/shplonk_single.hpp"
+#include "barretenberg/proof_system/pcs/kzg/kzg.hpp"
 #include
 #include
 #include
@@ -237,4 +239,128 @@ TYPED_TEST(GeminiTest, DoubleWithShift)
 multilinear_commitments_to_be_shifted);
 }
+/**
+ * @brief Test full PCS protocol: Gemini, Shplonk, KZG and pairing check
+ * @details Demonstrates the full PCS protocol as it is used in the construction and verification
+ * of a single Honk proof. (Expository comments included throughout).
+ *
+ */
+TYPED_TEST(GeminiTest, GeminiShplonkKzgWithShift)
+{
+ using Shplonk = shplonk::SingleBatchOpeningScheme;
+ using Gemini = gemini::MultilinearReductionScheme;
+ using KZG = kzg::KZG;
+ using Fr = typename TypeParam::Fr;
+ using GroupElement = typename TypeParam::GroupElement;
+ using Polynomial = typename barretenberg::Polynomial;
+
+ const size_t n = 16;
+ const size_t log_n = 4;
+
+ Fr rho = Fr::random_element();
+
+ // Generate multilinear polynomials, their commitments (genuine and mocked) and evaluations (genuine) at a random
+ // point.
+ const auto mle_opening_point = this->random_evaluation_point(log_n); // sometimes denoted 'u'
+ auto poly1 = this->random_polynomial(n);
+ auto poly2 = this->random_polynomial(n);
+ poly2[0] = Fr::zero(); // this property is required of polynomials whose shift is used
+
+ GroupElement commitment1 = this->commit(poly1);
+ GroupElement commitment2 = this->commit(poly2);
+
+ auto eval1 = poly1.evaluate_mle(mle_opening_point);
+ auto eval2 = poly2.evaluate_mle(mle_opening_point);
+ auto eval2_shift = poly2.evaluate_mle(mle_opening_point, true);
+
+ // Collect multilinear evaluations for input to prover
+ std::vector multilinear_evaluations = { eval1, eval2, eval2_shift };
+
+ std::vector rhos = Gemini::powers_of_rho(rho, multilinear_evaluations.size());
+
+ // Compute batched multivariate evaluation
+ Fr batched_evaluation = Fr::zero();
+ for (size_t i = 0; i < rhos.size(); ++i) {
+ batched_evaluation += multilinear_evaluations[i] * rhos[i];
+ }
+
+ // Compute batched polynomials
+ Polynomial batched_unshifted(n);
+ Polynomial batched_to_be_shifted(n);
+ batched_unshifted.add_scaled(poly1, rhos[0]);
+ batched_unshifted.add_scaled(poly2, rhos[1]);
+ batched_to_be_shifted.add_scaled(poly2, rhos[2]);
+
+ // Compute batched commitments
+ GroupElement batched_commitment_unshifted = GroupElement::zero();
+ GroupElement batched_commitment_to_be_shifted = GroupElement::zero();
+ batched_commitment_unshifted = commitment1 * rhos[0] + commitment2 * rhos[1];
+ batched_commitment_to_be_shifted = commitment2 * rhos[2];
+
+ auto prover_transcript = ProverTranscript::init_empty();
+
+ // Run the full prover PCS protocol:
+
+ // Compute:
+ // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1
+ // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1
+ auto fold_polynomials = Gemini::compute_fold_polynomials(
+ mle_opening_point, std::move(batched_unshifted), std::move(batched_to_be_shifted));
+
+ for (size_t l = 0; l < log_n - 1; ++l) {
+ std::string label = "FOLD_" + std::to_string(l + 1);
+ auto commitment = this->ck()->commit(fold_polynomials[l + 2]);
+ prover_transcript.send_to_verifier(label, commitment);
+ }
+
+ const Fr r_challenge = prover_transcript.get_challenge("Gemini:r");
+
+ const auto [gemini_opening_pairs, gemini_witnesses] =
+ Gemini::compute_fold_polynomial_evaluations(mle_opening_point, std::move(fold_polynomials), r_challenge);
+
+ for (size_t l = 0; l < log_n; ++l) {
+ std::string label = "Gemini:a_" + std::to_string(l);
+ const auto& evaluation = gemini_opening_pairs[l + 1].evaluation;
+ prover_transcript.send_to_verifier(label, evaluation);
+ }
+
+ // Shplonk prover output:
+ // - opening pair: (z_challenge, 0)
+ // - witness: polynomial Q - Q_z
+ const Fr nu_challenge = prover_transcript.get_challenge("Shplonk:nu");
+ auto batched_quotient_Q = Shplonk::compute_batched_quotient(gemini_opening_pairs, gemini_witnesses, nu_challenge);
+ prover_transcript.send_to_verifier("Shplonk:Q", this->ck()->commit(batched_quotient_Q));
+
+ const Fr z_challenge = prover_transcript.get_challenge("Shplonk:z");
+ const auto [shplonk_opening_pair, shplonk_witness] = Shplonk::compute_partially_evaluated_batched_quotient(
+ gemini_opening_pairs, gemini_witnesses, std::move(batched_quotient_Q), nu_challenge, z_challenge);
+
+ // KZG prover:
+ // - Adds commitment [W] to transcript
+ KZG::compute_opening_proof(this->ck(), shplonk_opening_pair, shplonk_witness, prover_transcript);
+
+ // Run the full verifier PCS protocol with genuine opening claims (genuine commitment, genuine evaluation)
+
+ auto verifier_transcript = VerifierTranscript::init_empty(prover_transcript);
+
+ // Gemini verifier output:
+ // - claim: d+1 commitments to Fold_{r}^(0), Fold_{-r}^(0), Fold^(l), d+1 evaluations a_0_pos, a_l, l = 0:d-1
+ auto gemini_verifier_claim = Gemini::reduce_verify(mle_opening_point,
+ batched_evaluation,
+ batched_commitment_unshifted,
+ batched_commitment_to_be_shifted,
+ verifier_transcript);
+
+ // Shplonk verifier claim: commitment [Q] - [Q_z], opening point (z_challenge, 0)
+ const auto shplonk_verifier_claim = Shplonk::reduce_verify(gemini_verifier_claim, verifier_transcript);
+
+ // KZG verifier:
+ // aggregates inputs [Q] - [Q_z] and [W] into an 'accumulator' (can perform pairing check on result)
+ bool verified = KZG::verify(this->vk(), shplonk_verifier_claim, verifier_transcript);
+
+ // Final pairing check: e([Q] - [Q_z] + z[W], [1]_2) = e([W], [x]_2)
+
+ EXPECT_EQ(verified, true);
+}
+
 } // namespace proof_system::honk::pcs::gemini
diff --git a/cpp/src/barretenberg/honk/pcs/kzg/kzg.test.cpp b/cpp/src/barretenberg/honk/pcs/kzg/kzg.test.cpp
deleted file mode 100644
index 439b33cc9f..0000000000
--- a/cpp/src/barretenberg/honk/pcs/kzg/kzg.test.cpp
+++ /dev/null
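Review bot: GeminiShplonkKzgWithShift asserts only the accepting path, so a verifier regression that accepts every claim would still pass this test; for a commitment-scheme test the rejecting case matters at least as much. After the final `EXPECT_EQ(verified, true);`, consider re-running the verifier side on a fresh `VerifierTranscript::init_empty(prover_transcript)` with a perturbed `batched_evaluation` and asserting that `KZG::verify` returns false (this assumes the `reduce_verify` calls return a claim rather than abort on inconsistent input, which the hunk does not show). Two smaller points in the same test: `log_n = 4` is hard-coded beside `n = 16` instead of being derived from it, and `EXPECT_TRUE(verified);` states the intent more directly than `EXPECT_EQ(verified, true);`.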
@@ -1,177 +0,0 @@
-
-#include "kzg.hpp"
-#include "../shplonk/shplonk_single.hpp"
-#include "../gemini/gemini.hpp"
-
-#include "../commitment_key.test.hpp"
-#include "barretenberg/honk/pcs/claim.hpp"
-#include "barretenberg/honk/pcs/commitment_key.hpp"
-#include "barretenberg/polynomials/polynomial.hpp"
-
-#include "barretenberg/ecc/curves/bn254/g1.hpp"
-
-#include
-#include
-
-namespace proof_system::honk::pcs::kzg {
-
-template class KZGTest : public CommitmentTest {
- public:
- using Fr = typename Params::Fr;
- using Commitment = typename Params::Commitment;
- using GroupElement = typename Params::GroupElement;
- using Polynomial = barretenberg::Polynomial;
-};
-
-TYPED_TEST_SUITE(KZGTest, CommitmentSchemeParams);
-
-TYPED_TEST(KZGTest, single)
-{
- const size_t n = 16;
-
- using KZG = KZG;
- using Fr = typename TypeParam::Fr;
-
- auto witness = this->random_polynomial(n);
- barretenberg::g1::element commitment = this->commit(witness);
-
- auto challenge = Fr::random_element();
- auto evaluation = witness.evaluate(challenge);
- auto opening_pair = OpeningPair{ challenge, evaluation };
- auto opening_claim = OpeningClaim{ opening_pair, commitment };
-
- auto prover_transcript = ProverTranscript::init_empty();
-
- KZG::compute_opening_proof(this->ck(), opening_pair, witness, prover_transcript);
-
- auto verifier_transcript = VerifierTranscript::init_empty(prover_transcript);
- bool verified = KZG::verify(this->vk(), opening_claim, verifier_transcript);
-
- EXPECT_EQ(verified, true);
-}
-
-/**
- * @brief Test full PCS protocol: Gemini, Shplonk, KZG and pairing check
- * @details Demonstrates the full PCS protocol as it is used in the construction and verification
- * of a single Honk proof. (Expository comments included throughout).
- *
- */
-TYPED_TEST(KZGTest, GeminiShplonkKzgWithShift)
-{
- using Shplonk = shplonk::SingleBatchOpeningScheme;
- using Gemini = gemini::MultilinearReductionScheme;
- using KZG = KZG;
- using Fr = typename TypeParam::Fr;
- using GroupElement = typename TypeParam::GroupElement;
- using Polynomial = typename barretenberg::Polynomial;
-
- const size_t n = 16;
- const size_t log_n = 4;
-
- Fr rho = Fr::random_element();
-
- // Generate multilinear polynomials, their commitments (genuine and mocked) and evaluations (genuine) at a random
- // point.
- const auto mle_opening_point = this->random_evaluation_point(log_n); // sometimes denoted 'u'
- auto poly1 = this->random_polynomial(n);
- auto poly2 = this->random_polynomial(n);
- poly2[0] = Fr::zero(); // this property is required of polynomials whose shift is used
-
- GroupElement commitment1 = this->commit(poly1);
- GroupElement commitment2 = this->commit(poly2);
-
- auto eval1 = poly1.evaluate_mle(mle_opening_point);
- auto eval2 = poly2.evaluate_mle(mle_opening_point);
- auto eval2_shift = poly2.evaluate_mle(mle_opening_point, true);
-
- // Collect multilinear evaluations for input to prover
- std::vector multilinear_evaluations = { eval1, eval2, eval2_shift };
-
- std::vector rhos = Gemini::powers_of_rho(rho, multilinear_evaluations.size());
-
- // Compute batched multivariate evaluation
- Fr batched_evaluation = Fr::zero();
- for (size_t i = 0; i < rhos.size(); ++i) {
- batched_evaluation += multilinear_evaluations[i] * rhos[i];
- }
-
- // Compute batched polynomials
- Polynomial batched_unshifted(n);
- Polynomial batched_to_be_shifted(n);
- batched_unshifted.add_scaled(poly1, rhos[0]);
- batched_unshifted.add_scaled(poly2, rhos[1]);
- batched_to_be_shifted.add_scaled(poly2, rhos[2]);
-
- // Compute batched commitments
- GroupElement batched_commitment_unshifted = GroupElement::zero();
- GroupElement batched_commitment_to_be_shifted = GroupElement::zero();
- batched_commitment_unshifted = commitment1 * rhos[0] + commitment2 * rhos[1];
- batched_commitment_to_be_shifted = commitment2 * rhos[2];
-
- auto prover_transcript = ProverTranscript::init_empty();
-
- // Run the full prover PCS protocol:
-
- // Compute:
- // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1
- // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1
- auto fold_polynomials = Gemini::compute_fold_polynomials(
- mle_opening_point, std::move(batched_unshifted), std::move(batched_to_be_shifted));
-
- for (size_t l = 0; l < log_n - 1; ++l) {
- std::string label = "FOLD_" + std::to_string(l + 1);
- auto commitment = this->ck()->commit(fold_polynomials[l + 2]);
- prover_transcript.send_to_verifier(label, commitment);
- }
-
- const Fr r_challenge = prover_transcript.get_challenge("Gemini:r");
-
- const auto [gemini_opening_pairs, gemini_witnesses] =
- Gemini::compute_fold_polynomial_evaluations(mle_opening_point, std::move(fold_polynomials), r_challenge);
-
- for (size_t l = 0; l < log_n; ++l) {
- std::string label = "Gemini:a_" + std::to_string(l);
- const auto& evaluation = gemini_opening_pairs[l + 1].evaluation;
- prover_transcript.send_to_verifier(label, evaluation);
- }
-
- // Shplonk prover output:
- // - opening pair: (z_challenge, 0)
- // - witness: polynomial Q - Q_z
- const Fr nu_challenge = prover_transcript.get_challenge("Shplonk:nu");
- auto batched_quotient_Q = Shplonk::compute_batched_quotient(gemini_opening_pairs, gemini_witnesses, nu_challenge);
- prover_transcript.send_to_verifier("Shplonk:Q", this->ck()->commit(batched_quotient_Q));
-
- const Fr z_challenge = prover_transcript.get_challenge("Shplonk:z");
- const auto [shplonk_opening_pair, shplonk_witness] = Shplonk::compute_partially_evaluated_batched_quotient(
- gemini_opening_pairs, gemini_witnesses, std::move(batched_quotient_Q), nu_challenge, z_challenge);
-
- // KZG prover:
- // - Adds commitment [W] to transcript
- KZG::compute_opening_proof(this->ck(), shplonk_opening_pair, shplonk_witness, prover_transcript);
-
- // Run the full verifier PCS protocol with genuine opening claims (genuine commitment, genuine evaluation)
-
- auto verifier_transcript = VerifierTranscript::init_empty(prover_transcript);
-
- // Gemini verifier output:
- // - claim: d+1 commitments to Fold_{r}^(0), Fold_{-r}^(0), Fold^(l), d+1 evaluations a_0_pos, a_l, l = 0:d-1
- auto gemini_verifier_claim = Gemini::reduce_verify(mle_opening_point,
- batched_evaluation,
- batched_commitment_unshifted,
- batched_commitment_to_be_shifted,
- verifier_transcript);
-
- // Shplonk verifier claim: commitment [Q] - [Q_z], opening point (z_challenge, 0)
- const auto shplonk_verifier_claim = Shplonk::reduce_verify(gemini_verifier_claim, verifier_transcript);
-
- // KZG verifier:
- // aggregates inputs [Q] - [Q_z] and [W] into an 'accumulator' (can perform pairing check on result)
- bool verified = KZG::verify(this->vk(), shplonk_verifier_claim, verifier_transcript);
-
- // Final pairing check: e([Q] - [Q_z] + z[W], [1]_2) = e([W], [x]_2)
-
- EXPECT_EQ(verified, true);
-}
-
-} // namespace proof_system::honk::pcs::kzg
diff --git a/cpp/src/barretenberg/honk/proof_system/prover.cpp b/cpp/src/barretenberg/honk/proof_system/prover.cpp
index 9407fe95f6..0cfe75fabf 100644
--- a/cpp/src/barretenberg/honk/proof_system/prover.cpp
+++ b/cpp/src/barretenberg/honk/proof_system/prover.cpp
@@ -1,7 +1,7 @@
 #include "prover.hpp"
 #include "barretenberg/honk/proof_system/prover_library.hpp"
 #include "barretenberg/honk/sumcheck/sumcheck.hpp"
-#include "barretenberg/honk/transcript/transcript.hpp"
+#include "barretenberg/proof_system/transcript/transcript.hpp"
 #include "barretenberg/honk/utils/power_polynomial.hpp"
 namespace proof_system::honk {
diff --git a/cpp/src/barretenberg/honk/proof_system/prover.hpp b/cpp/src/barretenberg/honk/proof_system/prover.hpp
index cf024c4c5a..3ce6f01ce4 100644
--- a/cpp/src/barretenberg/honk/proof_system/prover.hpp
+++ b/cpp/src/barretenberg/honk/proof_system/prover.hpp
@@ -1,9 +1,9 @@
 #pragma once
-#include "barretenberg/honk/pcs/shplonk/shplonk.hpp"
+#include "barretenberg/proof_system/pcs/shplonk/shplonk.hpp"
 #include "barretenberg/plonk/proof_system/types/proof.hpp"
 #include "barretenberg/honk/pcs/gemini/gemini.hpp"
-#include "barretenberg/honk/pcs/shplonk/shplonk_single.hpp"
-#include "barretenberg/honk/transcript/transcript.hpp"
+#include "barretenberg/proof_system/pcs/shplonk/shplonk_single.hpp"
+#include "barretenberg/proof_system/transcript/transcript.hpp"
 #include "barretenberg/honk/sumcheck/sumcheck.hpp"
 #include "barretenberg/honk/sumcheck/sumcheck_output.hpp"
 #include "barretenberg/honk/proof_system/prover_library.hpp"
diff --git a/cpp/src/barretenberg/honk/proof_system/ultra_prover.cpp b/cpp/src/barretenberg/honk/proof_system/ultra_prover.cpp
index ba61525755..595e51bb93 100644
--- a/cpp/src/barretenberg/honk/proof_system/ultra_prover.cpp
+++ b/cpp/src/barretenberg/honk/proof_system/ultra_prover.cpp
@@ -6,7 +6,7 @@
 #include
 #include "barretenberg/honk/sumcheck/polynomials/univariate.hpp" // will go away
 #include "barretenberg/honk/utils/power_polynomial.hpp"
-#include "barretenberg/honk/pcs/commitment_key.hpp"
+#include "barretenberg/proof_system/pcs/commitment_key.hpp"
 #include
 #include
 #include
@@ -16,7 +16,7 @@
 #include "barretenberg/polynomials/polynomial.hpp"
 #include "barretenberg/transcript/transcript_wrappers.hpp"
 #include
-#include "barretenberg/honk/pcs/claim.hpp"
+#include "barretenberg/proof_system/pcs/claim.hpp"
 namespace proof_system::honk {
diff --git a/cpp/src/barretenberg/honk/proof_system/ultra_prover.hpp b/cpp/src/barretenberg/honk/proof_system/ultra_prover.hpp
index 070d5e3df1..9278de5ba2 100644
--- a/cpp/src/barretenberg/honk/proof_system/ultra_prover.hpp
+++ b/cpp/src/barretenberg/honk/proof_system/ultra_prover.hpp
@@ -2,8 +2,8 @@
 #include "barretenberg/honk/proof_system/work_queue.hpp"
 #include "barretenberg/plonk/proof_system/types/proof.hpp"
 #include "barretenberg/honk/pcs/gemini/gemini.hpp"
-#include "barretenberg/honk/pcs/shplonk/shplonk_single.hpp"
-#include "barretenberg/honk/transcript/transcript.hpp"
+#include "barretenberg/proof_system/pcs/shplonk/shplonk_single.hpp"
+#include "barretenberg/proof_system/transcript/transcript.hpp"
 #include "barretenberg/honk/flavor/ultra.hpp"
 #include "barretenberg/honk/flavor/ultra_grumpkin.hpp"
 #include "barretenberg/honk/sumcheck/relations/relation_parameters.hpp"
diff --git a/cpp/src/barretenberg/honk/proof_system/ultra_verifier.cpp b/cpp/src/barretenberg/honk/proof_system/ultra_verifier.cpp
index 4b70607dd3..f1e2ed7cc9 100644
--- a/cpp/src/barretenberg/honk/proof_system/ultra_verifier.cpp
+++ b/cpp/src/barretenberg/honk/proof_system/ultra_verifier.cpp
@@ -1,5 +1,5 @@
 #include "./ultra_verifier.hpp"
-#include "barretenberg/honk/transcript/transcript.hpp"
+#include "barretenberg/proof_system/transcript/transcript.hpp"
 #include "barretenberg/numeric/bitop/get_msb.hpp"
 #include "barretenberg/honk/flavor/standard.hpp"
 #include "barretenberg/honk/utils/power_polynomial.hpp"
diff --git a/cpp/src/barretenberg/honk/proof_system/verifier.cpp b/cpp/src/barretenberg/honk/proof_system/verifier.cpp
index a03b9060e9..b9e9e2e6fc 100644
--- a/cpp/src/barretenberg/honk/proof_system/verifier.cpp
+++ b/cpp/src/barretenberg/honk/proof_system/verifier.cpp
@@ -1,5 +1,5 @@
 #include "./verifier.hpp"
-#include "barretenberg/honk/transcript/transcript.hpp"
+#include "barretenberg/proof_system/transcript/transcript.hpp"
 #include "barretenberg/numeric/bitop/get_msb.hpp"
 #include "barretenberg/honk/utils/power_polynomial.hpp"
diff --git a/cpp/src/barretenberg/honk/proof_system/work_queue.hpp b/cpp/src/barretenberg/honk/proof_system/work_queue.hpp
index 8caecc341a..b27bbb6cf4 100644
--- a/cpp/src/barretenberg/honk/proof_system/work_queue.hpp
+++ b/cpp/src/barretenberg/honk/proof_system/work_queue.hpp
@@ -1,6 +1,6 @@
 #pragma once
-#include "barretenberg/honk/transcript/transcript.hpp"
+#include "barretenberg/proof_system/transcript/transcript.hpp"
 #include "barretenberg/srs/global_crs.hpp"
 #include
 #include
diff --git a/cpp/src/barretenberg/honk/sumcheck/polynomials/multivariates.test.cpp b/cpp/src/barretenberg/honk/sumcheck/polynomials/multivariates.test.cpp
index f7417d5624..9cfe983bee 100644
--- a/cpp/src/barretenberg/honk/sumcheck/polynomials/multivariates.test.cpp
+++ b/cpp/src/barretenberg/honk/sumcheck/polynomials/multivariates.test.cpp
@@ -3,7 +3,7 @@
 #include "barretenberg/honk/sumcheck/sumcheck.hpp"
 #include
-#include "barretenberg/honk/transcript/transcript.hpp"
+#include "barretenberg/proof_system/transcript/transcript.hpp"
 #include "barretenberg/numeric/random/engine.hpp"
 #include "barretenberg/honk/flavor/standard.hpp"
diff --git a/cpp/src/barretenberg/honk/sumcheck/sumcheck.hpp b/cpp/src/barretenberg/honk/sumcheck/sumcheck.hpp
index 399b943870..58fbed746f 100644
--- a/cpp/src/barretenberg/honk/sumcheck/sumcheck.hpp
+++ b/cpp/src/barretenberg/honk/sumcheck/sumcheck.hpp
@@ -2,7 +2,7 @@
 #include "barretenberg/common/serialize.hpp"
 #include
 #include "barretenberg/honk/sumcheck/relations/relation_parameters.hpp"
-#include "barretenberg/honk/transcript/transcript.hpp"
+#include "barretenberg/proof_system/transcript/transcript.hpp"
 #include "barretenberg/honk/utils/grand_product_delta.hpp"
 #include "barretenberg/common/throw_or_abort.hpp"
 #include "sumcheck_round.hpp"
diff --git a/cpp/src/barretenberg/honk/sumcheck/sumcheck.test.cpp b/cpp/src/barretenberg/honk/sumcheck/sumcheck.test.cpp
index f97ec72070..51626d8358 100644
--- a/cpp/src/barretenberg/honk/sumcheck/sumcheck.test.cpp
+++ b/cpp/src/barretenberg/honk/sumcheck/sumcheck.test.cpp
@@ -1,5 +1,5 @@
 #include "sumcheck.hpp"
-#include "barretenberg/honk/transcript/transcript.hpp"
+#include "barretenberg/proof_system/transcript/transcript.hpp"
 #include "barretenberg/honk/flavor/standard.hpp"
 #include "barretenberg/transcript/transcript_wrappers.hpp"
 #include "relations/arithmetic_relation.hpp"
diff --git a/cpp/src/barretenberg/honk/transcript/transcript.test.cpp b/cpp/src/barretenberg/honk/transcript/honk_transcript.test.cpp
similarity index 68%
rename from cpp/src/barretenberg/honk/transcript/transcript.test.cpp
rename to cpp/src/barretenberg/honk/transcript/honk_transcript.test.cpp
index 1475e49038..1fcd82d285 100644
--- a/cpp/src/barretenberg/honk/transcript/transcript.test.cpp
+++ b/cpp/src/barretenberg/honk/transcript/honk_transcript.test.cpp
@@ -1,4 +1,4 @@
-#include "transcript.hpp"
+#include "barretenberg/proof_system/transcript//transcript.hpp"
 #include "barretenberg/ecc/curves/bn254/g1.hpp"
 #include "barretenberg/honk/composer/composer_helper/standard_honk_composer_helper.hpp"
 #include "barretenberg/honk/composer/composer_helper/ultra_honk_composer_helper.hpp"
@@ -13,7 +13,7 @@
 using namespace proof_system::honk;
-template class TranscriptTests : public testing::Test {
+template class HonkTranscriptTests : public testing::Test {
 public:
 using FF = typename Flavor::FF;
 static void SetUpTestSuite() { barretenberg::srs::init_crs_factory("../srs_db/ignition"); }
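Review bot: The rewritten include at the top of honk_transcript.test.cpp has a doubled path separator, `#include "barretenberg/proof_system/transcript//transcript.hpp"`. Most toolchains collapse the extra slash, so this builds, but it is a different spelling from every other include this patch rewrites and will be missed by text-based include checks or a later path rename. It should read `#include "barretenberg/proof_system/transcript/transcript.hpp"`.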
@@ -112,13 +112,13 @@ template class TranscriptTests : public testing::Test {
 };
 using StandardFlavorTypes = testing::Types;
-TYPED_TEST_SUITE(TranscriptTests, StandardFlavorTypes);
+TYPED_TEST_SUITE(HonkTranscriptTests, StandardFlavorTypes);
 /**
 * @brief Ensure consistency between the manifest hard coded in this testing suite and the one generated by the
 * standard honk prover over the course of proof construction.
 */
-TYPED_TEST(TranscriptTests, ProverManifestConsistency)
+TYPED_TEST(HonkTranscriptTests, ProverManifestConsistency)
 {
 using Flavor = TypeParam;
 // Construct a simple circuit of size n = 8 (i.e. the minimum circuit size)
@@ -146,7 +146,7 @@ TYPED_TEST(TranscriptTests, ProverManifestConsistency)
 * construction and the one generated by the verifier over the course of proof verification.
 *
 */
-TYPED_TEST(TranscriptTests, VerifierManifestConsistency)
+TYPED_TEST(HonkTranscriptTests, VerifierManifestConsistency)
 {
 using Flavor = TypeParam;
 // Construct a simple circuit of size n = 8 (i.e. the minimum circuit size)
@@ -177,114 +177,13 @@ TYPED_TEST(TranscriptTests, VerifierManifestConsistency) } } -/** - * @brief Test and demonstrate the basic functionality of the prover and verifier transcript - * - */ -TYPED_TEST(TranscriptTests, ProverAndVerifierBasic) -{ - constexpr size_t LENGTH = 8; - - using Fr = barretenberg::fr; - using Univariate = proof_system::honk::sumcheck::Univariate; - using Commitment = barretenberg::g1::affine_element; - - std::array evaluations; - for (auto& eval : evaluations) { - eval = Fr::random_element(); - } - - // Add some junk to the transcript and compute challenges - uint32_t data = 25; - auto scalar = Fr::random_element(); - auto commitment = Commitment::one(); - auto univariate = Univariate(evaluations); - - // Instantiate a prover transcript and mock an example protocol - ProverTranscript prover_transcript; - - // round 0 - prover_transcript.send_to_verifier("data", data); - Fr alpha = prover_transcript.get_challenge("alpha"); - - // round 1 - prover_transcript.send_to_verifier("scalar", scalar); - prover_transcript.send_to_verifier("commitment", commitment); - Fr beta = prover_transcript.get_challenge("beta"); - - // round 2 - prover_transcript.send_to_verifier("univariate", univariate); - auto [gamma, delta] = prover_transcript.get_challenges("gamma", "delta"); - - // Instantiate a verifier transcript from the raw bytes of the prover transcript; receive data and generate - // challenges according to the example protocol - VerifierTranscript verifier_transcript(prover_transcript.proof_data); - - // round 0 - auto data_received = verifier_transcript.template receive_from_prover("data"); - Fr verifier_alpha = verifier_transcript.get_challenge("alpha"); - - // round 1 - auto scalar_received = verifier_transcript.template receive_from_prover("scalar"); - auto commitment_received = verifier_transcript.template receive_from_prover("commitment"); - Fr verifier_beta = verifier_transcript.get_challenge("beta"); - - // round 2 - auto univariate_received 
= verifier_transcript.template receive_from_prover("univariate"); - auto [verifier_gamma, verifier_delta] = verifier_transcript.get_challenges("gamma", "delta"); - - // Check the correctness of the elements received by the verifier - EXPECT_EQ(data_received, data); - EXPECT_EQ(scalar_received, scalar); - EXPECT_EQ(commitment_received, commitment); - EXPECT_EQ(univariate_received, univariate); - - // Check consistency of prover and verifier challenges - EXPECT_EQ(alpha, verifier_alpha); - EXPECT_EQ(beta, verifier_beta); - EXPECT_EQ(gamma, verifier_gamma); - EXPECT_EQ(delta, verifier_delta); - - // Check consistency of the generated manifests - EXPECT_EQ(prover_transcript.get_manifest(), verifier_transcript.get_manifest()); -} - -/** - * @brief Demonstrate extent to which verifier transcript is flexible / constrained - * - */ -TYPED_TEST(TranscriptTests, VerifierMistake) -{ - using Fr = barretenberg::fr; - - auto scalar_1 = Fr::random_element(); - auto scalar_2 = Fr::random_element(); - - ProverTranscript prover_transcript; - - prover_transcript.send_to_verifier("scalar1", scalar_1); - prover_transcript.send_to_verifier("scalar2", scalar_2); - auto prover_alpha = prover_transcript.get_challenge("alpha"); - - VerifierTranscript verifier_transcript(prover_transcript.proof_data); - - verifier_transcript.template receive_from_prover("scalar1"); - // accidentally skip receipt of "scalar2"... - // but then generate a challenge anyway - auto verifier_alpha = verifier_transcript.get_challenge("alpha"); - - // Challenges will not agree but neither will the manifests - EXPECT_NE(prover_alpha, verifier_alpha); - EXPECT_NE(prover_transcript.get_manifest(), verifier_transcript.get_manifest()); -} - /** * @brief Ensure consistency between the manifest generated by the ultra honk prover over the course of proof * construction and the one generated by the verifier over the course of proof verification. 
* */ // TODO(Mara): This is not a typed test and we should have a construct_ultra_honk_manifest as well. -TYPED_TEST(TranscriptTests, UltraVerifierManifestConsistency) +TYPED_TEST(HonkTranscriptTests, UltraVerifierManifestConsistency) { // Construct a simple circuit of size n = 8 (i.e. the minimum circuit size) auto circuit_constructor = proof_system::UltraCircuitConstructor(); diff --git a/cpp/src/barretenberg/plonk/composer/composer_helper/composer_helper_lib.cpp b/cpp/src/barretenberg/plonk/composer/composer_helper/composer_helper_lib.cpp index 1060f129c3..9fd7223e60 100644 --- a/cpp/src/barretenberg/plonk/composer/composer_helper/composer_helper_lib.cpp +++ b/cpp/src/barretenberg/plonk/composer/composer_helper/composer_helper_lib.cpp @@ -5,7 +5,7 @@ * */ #include "composer_helper_lib.hpp" -#include "barretenberg/honk/pcs/commitment_key.hpp" +#include "barretenberg/proof_system/pcs/commitment_key.hpp" #include "barretenberg/srs/factories/crs_factory.hpp" namespace proof_system::plonk { diff --git a/cpp/src/barretenberg/plonk/composer/composer_helper/standard_plonk_composer_helper.cpp b/cpp/src/barretenberg/plonk/composer/composer_helper/standard_plonk_composer_helper.cpp index dd2d35acce..974881c050 100644 --- a/cpp/src/barretenberg/plonk/composer/composer_helper/standard_plonk_composer_helper.cpp +++ b/cpp/src/barretenberg/plonk/composer/composer_helper/standard_plonk_composer_helper.cpp @@ -1,6 +1,6 @@ #include "standard_plonk_composer_helper.hpp" #include "barretenberg/polynomials/polynomial.hpp" -#include "barretenberg/honk/pcs/commitment_key.hpp" +#include "barretenberg/proof_system/pcs/commitment_key.hpp" #include "barretenberg/numeric/bitop/get_msb.hpp" #include "barretenberg/plonk/proof_system/widgets/transition_widgets/arithmetic_widget.hpp" #include "barretenberg/plonk/proof_system/widgets/random_widgets/permutation_widget.hpp" 
diff --git a/cpp/src/barretenberg/plonk/composer/composer_helper/standard_plonk_composer_helper.hpp b/cpp/src/barretenberg/plonk/composer/composer_helper/standard_plonk_composer_helper.hpp index ec93293e94..e0d5f7fd2d 100644 --- a/cpp/src/barretenberg/plonk/composer/composer_helper/standard_plonk_composer_helper.hpp +++ b/cpp/src/barretenberg/plonk/composer/composer_helper/standard_plonk_composer_helper.hpp @@ -6,7 +6,7 @@ #include "barretenberg/plonk/proof_system/prover/prover.hpp" #include "barretenberg/plonk/proof_system/verifier/verifier.hpp" #include "barretenberg/proof_system/circuit_constructors/standard_circuit_constructor.hpp" -#include "barretenberg/honk/pcs/commitment_key.hpp" +#include "barretenberg/proof_system/pcs/commitment_key.hpp" #include "barretenberg/plonk/proof_system/verification_key/verification_key.hpp" #include "barretenberg/plonk/proof_system/verifier/verifier.hpp" #include "barretenberg/plonk/composer/composer_helper/composer_helper_lib.hpp" diff --git a/cpp/src/barretenberg/proof_system/CMakeLists.txt b/cpp/src/barretenberg/proof_system/CMakeLists.txt index c4e00489ca..7c0079af22 100644 --- a/cpp/src/barretenberg/proof_system/CMakeLists.txt +++ b/cpp/src/barretenberg/proof_system/CMakeLists.txt @@ -1 +1 @@ -barretenberg_module(proof_system polynomials crypto_generators crypto_pedersen_hash) \ No newline at end of file +barretenberg_module(proof_system crypto_pedersen_commitment crypto_blake3s srs) \ No newline at end of file diff --git a/cpp/src/barretenberg/honk/pcs/claim.hpp b/cpp/src/barretenberg/proof_system/pcs/claim.hpp similarity index 100% rename from cpp/src/barretenberg/honk/pcs/claim.hpp rename to cpp/src/barretenberg/proof_system/pcs/claim.hpp diff --git a/cpp/src/barretenberg/proof_system/pcs/commitment_key.cpp b/cpp/src/barretenberg/proof_system/pcs/commitment_key.cpp new file mode 100644 index 0000000000..6da4801475 --- /dev/null +++ b/cpp/src/barretenberg/proof_system/pcs/commitment_key.cpp 
@@ -0,0 +1,226 @@ +/** + * @brief Provides interfaces for different 'CommitmentKey' classes. + * + * TODO(#218)(Mara): This class should handle any modification to the SRS (e.g compute pippenger point table) to + * simplify the codebase. + */ + +#include "commitment_key.hpp" +#include "barretenberg/ecc/curves/bn254/bn254.hpp" +#include "barretenberg/polynomials/polynomial_arithmetic.hpp" +#include "barretenberg/polynomials/polynomial.hpp" +#include "barretenberg/srs/factories/crs_factory.hpp" +#include "barretenberg/srs/factories/file_crs_factory.hpp" +#include "barretenberg/ecc/scalar_multiplication/scalar_multiplication.hpp" +#include "barretenberg/ecc/curves/bn254/pairing.hpp" +#include "barretenberg/numeric/bitop/pow.hpp" +#include +#include +#include + +namespace proof_system::honk::pcs { + +namespace kzg { +using Fr = typename barretenberg::g1::Fr; +using Commitment = typename barretenberg::g1::affine_element; +using GroupElement = barretenberg::g1::element; + +using Polynomial = barretenberg::Polynomial; + +/** + * @brief Construct a new Kate Commitment Key object from existing SRS + * + * @param n + * @param path + * + */ +Params::CommitmentKey::CommitmentKey(const size_t num_points, + std::shared_ptr crs_factory) + : pippenger_runtime_state(num_points) + , srs(crs_factory->get_prover_crs(num_points)) +{} + +// Note: This constructor is used only by Plonk; For Honk the CommitmentKey is solely responsible for extracting +// the srs. 
+Params::CommitmentKey::CommitmentKey(const size_t num_points, + std::shared_ptr> prover_srs) + : pippenger_runtime_state(num_points) + , srs(prover_srs) +{} + +/** + * @brief Uses the ProverSRS to create a commitment to p(X) + * + * @param polynomial a univariate polynomial p(X) = ∑ᵢ aᵢ⋅Xⁱ () + * @return Commitment computed as C = [p(x)] = ∑ᵢ aᵢ⋅[xⁱ]₁ where x is the secret trapdoor + */ +Commitment Params::CommitmentKey::commit(std::span polynomial) +{ + const size_t degree = polynomial.size(); + ASSERT(degree <= srs->get_monomial_size()); + return barretenberg::scalar_multiplication::pippenger_unsafe( + const_cast(polynomial.data()), srs->get_monomial_points(), degree, pippenger_runtime_state); +}; + +/** + * @brief Construct a new Kate Verification Key object from existing SRS + * + * @param num_points + * @param verifier_srs verifier G2 point + */ +Params::VerificationKey::VerificationKey([[maybe_unused]] size_t num_points, + std::shared_ptr crs_factory) + : verifier_srs(crs_factory->get_verifier_crs()) +{} + +/** + * @brief verifies a pairing equation over 2 points using the verifier SRS + * + * @param p0 = P₀ + * @param p1 = P₁ + * @return e(P₀,[1]₁)e(P₁,[x]₂) ≡ [1]ₜ + */ +bool Params::VerificationKey::pairing_check(const GroupElement& p0, const GroupElement& p1) +{ + Commitment pairing_points[2]{ p0, p1 }; + // The final pairing check of step 12. 
+ // TODO(Adrian): try to template parametrise the pairing + fq12 output :/ + barretenberg::fq12 result = barretenberg::pairing::reduced_ate_pairing_batch_precomputed( + pairing_points, verifier_srs->get_precomputed_g2_lines(), 2); + + return (result == barretenberg::fq12::one()); +} + +} // namespace kzg + +// namespace fake { + +// // Define a common trapdoor for both keys +// namespace { +// template constexpr typename G::Fr trapdoor(5); +// } + +// template struct Params { +// using Fr = typename G::Fr; +// using Commitment = typename G::affine_element; +// using GroupElement = typename G::element; + +// using Polynomial = barretenberg::Polynomial; + +// template class CommitmentKey; +// template class VerificationKey; + +// /** +// * @brief Simulates a KZG CommitmentKey, but where we know the secret trapdoor +// * which allows us to commit to polynomials using a single group multiplication. +// * +// * @tparam G the commitment group +// */ +// template class CommitmentKey { + +// public: +// /** +// * @brief efficiently create a KZG commitment to p(X) using the trapdoor 'secret' +// * Uses only 1 group scalar multiplication, and 1 polynomial evaluation +// * +// * +// * @param polynomial a univariate polynomial p(X) +// * @return Commitment computed as C = p(secret)•[1]_1 . 
+// */ +// Commitment commit(std::span polynomial) +// { +// const Fr eval_secret = barretenberg::polynomial_arithmetic::evaluate(polynomial, trapdoor); +// return Commitment::one() * eval_secret; +// }; +// }; + +// template class VerificationKey { + +// public: +// /** +// * @brief verifies a pairing equation over 2 points using the trapdoor +// * +// * @param p0 = P₀ +// * @param p1 = P₁ +// * @return P₀ - x⋅P₁ ≡ [1] +// */ +// bool pairing_check(const Commitment& p0, const Commitment& p1) +// { +// Commitment result = p0 + p1 * trapdoor; +// return result.is_point_at_infinity(); +// } +// }; +// }; +// } // namespace fake + +// namespace ipa { + +// struct Params { +// using Fr = typename barretenberg::g1::Fr; +// using Commitment = typename barretenberg::g1::affine_element; +// using GroupElement = barretenberg::g1::element; + +// using Polynomial = barretenberg::Polynomial; + +// class CommitmentKey; +// class VerificationKey; + +// class CommitmentKey { + +// public: +// CommitmentKey() = delete; + +// /** +// * @brief Construct a new IPA Commitment Key object from existing SRS.. 
+// * +// * @param num_points +// * @param path +// * +// */ +// CommitmentKey(const size_t num_points, std::shared_ptr crs_factory) +// : pippenger_runtime_state(num_points) +// , srs(crs_factory->get_prover_crs(num_points)) +// {} + +// /** +// * @brief Uses the ProverSRS to create an unblinded commitment to p(X) +// * +// * @param polynomial a univariate polynomial p(X) = ∑ᵢ aᵢ⋅Xⁱ () +// * @return Commitment computed as C = [p(x)] = ∑ᵢ aᵢ⋅Gᵢ where Gᵢ is the i-th element of the SRS +// */ +// Commitment commit(std::span polynomial) +// { +// const size_t degree = polynomial.size(); +// ASSERT(degree <= srs->get_monomial_size()); +// return barretenberg::scalar_multiplication::pippenger_unsafe( +// const_cast(polynomial.data()), srs->get_monomial_points(), degree, pippenger_runtime_state); +// }; + +// barretenberg::scalar_multiplication::pippenger_runtime_state pippenger_runtime_state; +// std::shared_ptr> srs; +// }; + +// class VerificationKey { +// public: +// VerificationKey() = delete; + +// /** +// * @brief Construct a new IPA Verification Key object from existing SRS +// * +// * +// * @param num_points specifies the length of the SRS +// * @param path is the location to the SRS file +// */ +// VerificationKey(size_t num_points, std::shared_ptr crs_factory) +// : pippenger_runtime_state(num_points) +// , srs(crs_factory->get_prover_crs(num_points)) +// {} + +// barretenberg::scalar_multiplication::pippenger_runtime_state pippenger_runtime_state; +// std::shared_ptr> srs; +// }; +// }; + +// } // namespace ipa + +} // namespace proof_system::honk::pcs diff --git a/cpp/src/barretenberg/honk/pcs/commitment_key.hpp b/cpp/src/barretenberg/proof_system/pcs/commitment_key.hpp similarity index 85% rename from cpp/src/barretenberg/honk/pcs/commitment_key.hpp rename to cpp/src/barretenberg/proof_system/pcs/commitment_key.hpp index e03db71bee..64aa8774c1 100644 --- a/cpp/src/barretenberg/honk/pcs/commitment_key.hpp 
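Review bot: In `Params::CommitmentKey::commit` the only bound on the input is `ASSERT(degree <= srs->get_monomial_size());`, and the next statement hands `degree` to `pippenger_unsafe` together with `srs->get_monomial_points()`. If `ASSERT` is a debug-only macro (its definition is not part of this patch), a release build would let a polynomial longer than the SRS drive the multiplication past the end of the point table. Since the body is being moved out of the header anyway, I would make the check unconditional, for example `if (degree > srs->get_monomial_size()) { throw_or_abort("commit: polynomial longer than SRS"); }`, assuming the project's `throw_or_abort` helper is usable here. Separately, the commented-out `fake` and `ipa` namespaces that make up most of this new file would be better deleted than carried into a fresh .cpp.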
+++ b/cpp/src/barretenberg/proof_system/pcs/commitment_key.hpp @@ -52,18 +52,12 @@ struct Params { * @param path * */ - CommitmentKey(const size_t num_points, std::shared_ptr crs_factory) - : pippenger_runtime_state(num_points) - , srs(crs_factory->get_prover_crs(num_points)) - {} + CommitmentKey(const size_t num_points, std::shared_ptr crs_factory); // Note: This constructor is used only by Plonk; For Honk the CommitmentKey is solely responsible for extracting // the srs. CommitmentKey(const size_t num_points, - std::shared_ptr> prover_srs) - : pippenger_runtime_state(num_points) - , srs(prover_srs) - {} + std::shared_ptr> prover_srs); /** * @brief Uses the ProverSRS to create a commitment to p(X) @@ -71,13 +65,7 @@ struct Params { * @param polynomial a univariate polynomial p(X) = ∑ᵢ aᵢ⋅Xⁱ () * @return Commitment computed as C = [p(x)] = ∑ᵢ aᵢ⋅[xⁱ]₁ where x is the secret trapdoor */ - Commitment commit(std::span polynomial) - { - const size_t degree = polynomial.size(); - ASSERT(degree <= srs->get_monomial_size()); - return barretenberg::scalar_multiplication::pippenger_unsafe( - const_cast(polynomial.data()), srs->get_monomial_points(), degree, pippenger_runtime_state); - }; + Commitment commit(std::span polynomial); barretenberg::scalar_multiplication::pippenger_runtime_state pippenger_runtime_state; std::shared_ptr> srs; @@ -95,9 +83,7 @@ struct Params { * @param verifier_srs verifier G2 point */ VerificationKey([[maybe_unused]] size_t num_points, - std::shared_ptr crs_factory) - : verifier_srs(crs_factory->get_verifier_crs()) - {} + std::shared_ptr crs_factory); /** * @brief verifies a pairing equation over 2 points using the verifier SRS 
@@ -106,16 +92,7 @@ struct Params { * @param p1 = P₁ * @return e(P₀,[1]₁)e(P₁,[x]₂) ≡ [1]ₜ */ - bool pairing_check(const GroupElement& p0, const GroupElement& p1) - { - Commitment pairing_points[2]{ p0, p1 }; - // The final pairing check of step 12. - // TODO(Adrian): try to template parametrise the pairing + fq12 output :/ - barretenberg::fq12 result = barretenberg::pairing::reduced_ate_pairing_batch_precomputed( - pairing_points, verifier_srs->get_precomputed_g2_lines(), 2); - - return (result == barretenberg::fq12::one()); - } + bool pairing_check(const GroupElement& p0, const GroupElement& p1); std::shared_ptr verifier_srs; }; diff --git a/cpp/src/barretenberg/honk/pcs/commitment_key.test.hpp b/cpp/src/barretenberg/proof_system/pcs/commitment_key.test.hpp similarity index 100% rename from cpp/src/barretenberg/honk/pcs/commitment_key.test.hpp rename to cpp/src/barretenberg/proof_system/pcs/commitment_key.test.hpp diff --git a/cpp/src/barretenberg/honk/pcs/ipa/ipa.hpp b/cpp/src/barretenberg/proof_system/pcs/ipa/ipa.hpp similarity index 98% rename from cpp/src/barretenberg/honk/pcs/ipa/ipa.hpp rename to cpp/src/barretenberg/proof_system/pcs/ipa/ipa.hpp index 174136d80f..fe434ccf2b 100644 --- a/cpp/src/barretenberg/honk/pcs/ipa/ipa.hpp +++ b/cpp/src/barretenberg/proof_system/pcs/ipa/ipa.hpp @@ -5,9 +5,9 @@ #include "barretenberg/ecc/scalar_multiplication/scalar_multiplication.hpp" #include #include "barretenberg/common/assert.hpp" -#include "barretenberg/honk/pcs/claim.hpp" -#include "barretenberg/honk/pcs/commitment_key.hpp" -#include "barretenberg/honk/transcript/transcript.hpp" +#include "barretenberg/proof_system/pcs/claim.hpp" +#include "barretenberg/proof_system/pcs/commitment_key.hpp" +#include "barretenberg/proof_system/transcript/transcript.hpp" /** * @brief IPA (inner-product argument) commitment scheme class. Conforms to the specification 
diff --git a/cpp/src/barretenberg/honk/pcs/ipa/ipa.test.cpp b/cpp/src/barretenberg/proof_system/pcs/ipa/ipa.test.cpp similarity index 96% rename from cpp/src/barretenberg/honk/pcs/ipa/ipa.test.cpp rename to cpp/src/barretenberg/proof_system/pcs/ipa/ipa.test.cpp index 898cb98f39..a7d7fe6c51 100644 --- a/cpp/src/barretenberg/honk/pcs/ipa/ipa.test.cpp +++ b/cpp/src/barretenberg/proof_system/pcs/ipa/ipa.test.cpp @@ -5,8 +5,8 @@ #include "barretenberg/polynomials/polynomial_arithmetic.hpp" #include "barretenberg/polynomials/polynomial.hpp" #include "barretenberg/ecc/curves/bn254/fq12.hpp" -#include "barretenberg/honk/pcs/commitment_key.hpp" -#include "barretenberg/honk/pcs/commitment_key.test.hpp" +#include "barretenberg/proof_system/pcs/commitment_key.hpp" +#include "barretenberg/proof_system/pcs/commitment_key.test.hpp" using namespace barretenberg; namespace proof_system::honk::pcs::ipa { diff --git a/cpp/src/barretenberg/honk/pcs/kzg/kzg.hpp b/cpp/src/barretenberg/proof_system/pcs/kzg/kzg.hpp similarity index 95% rename from cpp/src/barretenberg/honk/pcs/kzg/kzg.hpp rename to cpp/src/barretenberg/proof_system/pcs/kzg/kzg.hpp index fb69278dee..98ac026b64 100644 --- a/cpp/src/barretenberg/honk/pcs/kzg/kzg.hpp +++ b/cpp/src/barretenberg/proof_system/pcs/kzg/kzg.hpp @@ -1,9 +1,9 @@ #pragma once #include "../claim.hpp" -#include "barretenberg/honk/pcs/commitment_key.hpp" +#include "barretenberg/proof_system/pcs/commitment_key.hpp" #include "barretenberg/polynomials/polynomial.hpp" -#include "barretenberg/honk/transcript/transcript.hpp" +#include "barretenberg/proof_system/transcript/transcript.hpp" #include #include diff --git a/cpp/src/barretenberg/proof_system/pcs/kzg/kzg.test.cpp b/cpp/src/barretenberg/proof_system/pcs/kzg/kzg.test.cpp new file mode 100644 index 0000000000..9537a50e74 --- /dev/null +++ b/cpp/src/barretenberg/proof_system/pcs/kzg/kzg.test.cpp 
@@ -0,0 +1,52 @@ + +#include "kzg.hpp" +#include "../shplonk/shplonk_single.hpp" + +#include "../commitment_key.test.hpp" +#include "barretenberg/proof_system/pcs/claim.hpp" +#include "barretenberg/proof_system/pcs/commitment_key.hpp" +#include "barretenberg/polynomials/polynomial.hpp" + +#include "barretenberg/ecc/curves/bn254/g1.hpp" + +#include +#include + +namespace proof_system::honk::pcs::kzg { + +template class KZGTest : public CommitmentTest { + public: + using Fr = typename Params::Fr; + using Commitment = typename Params::Commitment; + using GroupElement = typename Params::GroupElement; + using Polynomial = barretenberg::Polynomial; +}; + +TYPED_TEST_SUITE(KZGTest, CommitmentSchemeParams); + +TYPED_TEST(KZGTest, single) +{ + const size_t n = 16; + + using KZG = KZG; + using Fr = typename TypeParam::Fr; + + auto witness = this->random_polynomial(n); + barretenberg::g1::element commitment = this->commit(witness); + + auto challenge = Fr::random_element(); + auto evaluation = witness.evaluate(challenge); + auto opening_pair = OpeningPair{ challenge, evaluation }; + auto opening_claim = OpeningClaim{ opening_pair, commitment }; + + auto prover_transcript = ProverTranscript::init_empty(); + + KZG::compute_opening_proof(this->ck(), opening_pair, witness, prover_transcript); + + auto verifier_transcript = VerifierTranscript::init_empty(prover_transcript); + bool verified = KZG::verify(this->vk(), opening_claim, verifier_transcript); + + EXPECT_EQ(verified, true); +} + +} // namespace proof_system::honk::pcs::kzg diff --git a/cpp/src/barretenberg/honk/pcs/shplonk/shplonk.hpp b/cpp/src/barretenberg/proof_system/pcs/shplonk/shplonk.hpp similarity index 100% rename from cpp/src/barretenberg/honk/pcs/shplonk/shplonk.hpp rename to cpp/src/barretenberg/proof_system/pcs/shplonk/shplonk.hpp 
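Review bot: `TYPED_TEST(KZGTest, single)` is the only test in this new file, and it only asserts acceptance, `EXPECT_EQ(verified, true)`, for an honest proof. A verifier that returned true unconditionally would pass it, so the test gives no evidence that `KZG::verify` rejects anything. I would add a second case that reuses the same proof but builds the claim from `evaluation + Fr::one()` (or a different commitment) and asserts `EXPECT_EQ(verified, false)`.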
diff --git a/cpp/src/barretenberg/honk/pcs/shplonk/shplonk.test.cpp b/cpp/src/barretenberg/proof_system/pcs/shplonk/shplonk.test.cpp similarity index 96% rename from cpp/src/barretenberg/honk/pcs/shplonk/shplonk.test.cpp rename to cpp/src/barretenberg/proof_system/pcs/shplonk/shplonk.test.cpp index 059c44fd98..37d1f3389b 100644 --- a/cpp/src/barretenberg/honk/pcs/shplonk/shplonk.test.cpp +++ b/cpp/src/barretenberg/proof_system/pcs/shplonk/shplonk.test.cpp @@ -1,5 +1,4 @@ #include "shplonk_single.hpp" -#include "../gemini/gemini.hpp" #include #include @@ -7,8 +6,8 @@ #include #include -#include "../commitment_key.test.hpp" -#include "barretenberg/honk/pcs/claim.hpp" +#include "barretenberg/proof_system/pcs/commitment_key.test.hpp" +#include "barretenberg/proof_system/pcs/claim.hpp" #include "barretenberg/polynomials/polynomial.hpp" namespace proof_system::honk::pcs::shplonk { template class ShplonkTest : public CommitmentTest {}; diff --git a/cpp/src/barretenberg/honk/pcs/shplonk/shplonk_single.hpp b/cpp/src/barretenberg/proof_system/pcs/shplonk/shplonk_single.hpp similarity index 97% rename from cpp/src/barretenberg/honk/pcs/shplonk/shplonk_single.hpp rename to cpp/src/barretenberg/proof_system/pcs/shplonk/shplonk_single.hpp index 95190804b9..8fd3b51988 100644 --- a/cpp/src/barretenberg/honk/pcs/shplonk/shplonk_single.hpp +++ b/cpp/src/barretenberg/proof_system/pcs/shplonk/shplonk_single.hpp @@ -1,8 +1,8 @@ #pragma once -#include "barretenberg/honk/pcs/claim.hpp" +#include "barretenberg/proof_system/pcs/claim.hpp" #include "shplonk.hpp" -#include "barretenberg/honk/pcs/commitment_key.hpp" -#include "barretenberg/honk/transcript/transcript.hpp" +#include "barretenberg/proof_system/pcs/commitment_key.hpp" +#include "barretenberg/proof_system/transcript/transcript.hpp" namespace proof_system::honk::pcs::shplonk { 
diff --git a/cpp/src/barretenberg/honk/transcript/transcript.hpp b/cpp/src/barretenberg/proof_system/transcript/transcript.hpp similarity index 100% rename from cpp/src/barretenberg/honk/transcript/transcript.hpp rename to cpp/src/barretenberg/proof_system/transcript/transcript.hpp diff --git a/cpp/src/barretenberg/proof_system/transcript/transcript.test.cpp b/cpp/src/barretenberg/proof_system/transcript/transcript.test.cpp new file mode 100644 index 0000000000..cb43e41658 --- /dev/null +++ b/cpp/src/barretenberg/proof_system/transcript/transcript.test.cpp 
@@ -0,0 +1,111 @@ +#include "transcript.hpp" +#include "barretenberg/ecc/curves/bn254/g1.hpp" +#include "barretenberg/honk/sumcheck/polynomials/univariate.hpp" +#include "barretenberg/numeric/bitop/get_msb.hpp" +#include +#include +#include +#include + +using namespace proof_system::honk; + +/** + * @brief Test and demonstrate the basic functionality of the prover and verifier transcript + * + */ +TEST(TranscriptTests, ProverAndVerifierBasic) +{ + constexpr size_t LENGTH = 8; + + using Fr = barretenberg::fr; + using Univariate = proof_system::honk::sumcheck::Univariate; + using Commitment = barretenberg::g1::affine_element; + + std::array evaluations; + for (auto& eval : evaluations) { + eval = Fr::random_element(); + } + + // Add some junk to the transcript and compute challenges + uint32_t data = 25; + auto scalar = Fr::random_element(); + auto commitment = Commitment::one(); + auto univariate = Univariate(evaluations); + + // Instantiate a prover transcript and mock an example protocol + ProverTranscript prover_transcript; + + // round 0 + prover_transcript.send_to_verifier("data", data); + Fr alpha = prover_transcript.get_challenge("alpha"); + + // round 1 + prover_transcript.send_to_verifier("scalar", scalar); + prover_transcript.send_to_verifier("commitment", commitment); + Fr beta = prover_transcript.get_challenge("beta"); + + // round 2 + prover_transcript.send_to_verifier("univariate", univariate); + auto [gamma, delta] = prover_transcript.get_challenges("gamma", "delta"); + + // Instantiate a verifier transcript from the raw bytes of the prover transcript; receive data and generate + // challenges according to the example protocol + VerifierTranscript verifier_transcript(prover_transcript.proof_data); + + // round 0 + auto data_received = verifier_transcript.template receive_from_prover("data"); + Fr verifier_alpha = verifier_transcript.get_challenge("alpha"); + + // round 1 + auto scalar_received = verifier_transcript.template 
receive_from_prover("scalar"); + auto commitment_received = verifier_transcript.template receive_from_prover("commitment"); + Fr verifier_beta = verifier_transcript.get_challenge("beta"); + + // round 2 + auto univariate_received = verifier_transcript.template receive_from_prover("univariate"); + auto [verifier_gamma, verifier_delta] = verifier_transcript.get_challenges("gamma", "delta"); + + // Check the correctness of the elements received by the verifier + EXPECT_EQ(data_received, data); + EXPECT_EQ(scalar_received, scalar); + EXPECT_EQ(commitment_received, commitment); + EXPECT_EQ(univariate_received, univariate); + + // Check consistency of prover and verifier challenges + EXPECT_EQ(alpha, verifier_alpha); + EXPECT_EQ(beta, verifier_beta); + EXPECT_EQ(gamma, verifier_gamma); + EXPECT_EQ(delta, verifier_delta); + + // Check consistency of the generated manifests + EXPECT_EQ(prover_transcript.get_manifest(), verifier_transcript.get_manifest()); +} + +/** + * @brief Demonstrate extent to which verifier transcript is flexible / constrained + * + */ +TEST(TranscriptTests, VerifierMistake) +{ + using Fr = barretenberg::fr; + + auto scalar_1 = Fr::random_element(); + auto scalar_2 = Fr::random_element(); + + ProverTranscript prover_transcript; + + prover_transcript.send_to_verifier("scalar1", scalar_1); + prover_transcript.send_to_verifier("scalar2", scalar_2); + auto prover_alpha = prover_transcript.get_challenge("alpha"); + + VerifierTranscript verifier_transcript(prover_transcript.proof_data); + + verifier_transcript.template receive_from_prover("scalar1"); + // accidentally skip receipt of "scalar2"... + // but then generate a challenge anyway + auto verifier_alpha = verifier_transcript.get_challenge("alpha"); + + // Challenges will not agree but neither will the manifests + EXPECT_NE(prover_alpha, verifier_alpha); + EXPECT_NE(prover_transcript.get_manifest(), verifier_transcript.get_manifest()); +} 
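Review bot: The doc comment on `VerifierMistake`, "Demonstrate extent to which verifier transcript is flexible / constrained", does not say what property the two `EXPECT_NE` lines pin down. I would state it directly, e.g. `@brief A verifier that skips a prover message ("scalar2") ends up with a different challenge and a different manifest than the prover.` This test file now lives under proof_system but still includes `barretenberg/honk/sumcheck/polynomials/univariate.hpp` and opens `proof_system::honk`, which may be worth untangling given the purpose of the move.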
From c64fbb4c55943cc50a9d48bbbf598a57894f3fa6 Mon Sep 17 00:00:00 2001 From: Rumata888 Date: Thu, 22 Jun 2023 18:39:47 +0000 Subject: [PATCH 2/5] Dehonked files that have been moved into proof_system --- cpp/src/barretenberg/honk/flavor/standard.hpp | 4 ++-- cpp/src/barretenberg/honk/flavor/standard_grumpkin.hpp | 4 ++-- cpp/src/barretenberg/honk/flavor/ultra.hpp | 4 ++-- cpp/src/barretenberg/honk/flavor/ultra_grumpkin.hpp | 4 ++-- cpp/src/barretenberg/honk/pcs/gemini/gemini.cpp | 4 ++-- cpp/src/barretenberg/honk/pcs/gemini/gemini.hpp | 2 +- cpp/src/barretenberg/honk/proof_system/prover.hpp | 4 ++-- .../barretenberg/honk/proof_system/ultra_prover.hpp | 4 ++-- .../barretenberg/honk/proof_system/ultra_verifier.cpp | 2 +- cpp/src/barretenberg/honk/proof_system/verifier.cpp | 2 +- cpp/src/barretenberg/honk/proof_system/work_queue.hpp | 4 ++-- .../honk/sumcheck/polynomials/multivariates.test.cpp | 10 +++++----- .../composer/composer_helper/composer_helper_lib.cpp | 2 +- cpp/src/barretenberg/proof_system/pcs/claim.hpp | 4 ++-- .../barretenberg/proof_system/pcs/commitment_key.cpp | 4 ++-- .../barretenberg/proof_system/pcs/commitment_key.hpp | 4 ++-- .../proof_system/pcs/commitment_key.test.hpp | 4 ++-- cpp/src/barretenberg/proof_system/pcs/ipa/ipa.hpp | 4 ++-- cpp/src/barretenberg/proof_system/pcs/ipa/ipa.test.cpp | 4 ++-- cpp/src/barretenberg/proof_system/pcs/kzg/kzg.hpp | 4 ++-- cpp/src/barretenberg/proof_system/pcs/kzg/kzg.test.cpp | 4 ++-- .../barretenberg/proof_system/pcs/shplonk/shplonk.hpp | 4 ++-- .../proof_system/pcs/shplonk/shplonk.test.cpp | 4 ++-- .../proof_system/pcs/shplonk/shplonk_single.hpp | 5 +++-- .../proof_system/transcript/transcript.hpp | 4 ++-- .../proof_system/transcript/transcript.test.cpp | 4 ++-- 26 files changed, 52 insertions(+), 51 deletions(-) diff --git a/cpp/src/barretenberg/honk/flavor/standard.hpp b/cpp/src/barretenberg/honk/flavor/standard.hpp index a2267d6e49..dbf8184df8 100644 --- a/cpp/src/barretenberg/honk/flavor/standard.hpp 
+++ b/cpp/src/barretenberg/honk/flavor/standard.hpp @@ -39,8 +39,8 @@ class Standard { using GroupElement = G1::element; using Commitment = G1::affine_element; using CommitmentHandle = G1::affine_element; - using PCSParams = pcs::kzg::Params; - using PCS = pcs::kzg::KZG; + using PCSParams = proof_system::pcs::kzg::Params; + using PCS = proof_system::pcs::kzg::KZG; static constexpr size_t NUM_WIRES = CircuitConstructor::NUM_WIRES; // The number of multivariate polynomials on which a sumcheck prover sumcheck operates (including shifts). We often diff --git a/cpp/src/barretenberg/honk/flavor/standard_grumpkin.hpp b/cpp/src/barretenberg/honk/flavor/standard_grumpkin.hpp index 05a8dabdc4..f70c49da6c 100644 --- a/cpp/src/barretenberg/honk/flavor/standard_grumpkin.hpp +++ b/cpp/src/barretenberg/honk/flavor/standard_grumpkin.hpp @@ -31,8 +31,8 @@ class StandardGrumpkin { using GroupElement = G1::element; using Commitment = G1::affine_element; using CommitmentHandle = G1::affine_element; - using PCSParams = pcs::ipa::Params; - using PCS = pcs::ipa::IPA; + using PCSParams = proof_system::pcs::ipa::Params; + using PCS = proof_system::pcs::ipa::IPA; static constexpr size_t NUM_WIRES = CircuitConstructor::NUM_WIRES; // The number of multivariate polynomials on which a sumcheck prover sumcheck operates (including shifts). We often // need containers of this size to hold related data, so we choose a name more agnostic than `NUM_POLYNOMIALS` diff --git a/cpp/src/barretenberg/honk/flavor/ultra.hpp b/cpp/src/barretenberg/honk/flavor/ultra.hpp index 091c51843e..2c30230341 100644 --- a/cpp/src/barretenberg/honk/flavor/ultra.hpp +++ b/cpp/src/barretenberg/honk/flavor/ultra.hpp 
@@ -38,8 +38,8 @@ class Ultra { // UltraHonk will be run with KZG by default but temporarily we set the commitment to IPA to // be able to do e2e tests with this pcs as well // TODO: instantiate this with both IPA and KZG when the templating work is finished - using PCSParams = pcs::kzg::Params; - using PCS = pcs::kzg::KZG; + using PCSParams = proof_system::pcs::kzg::Params; + using PCS = proof_system::pcs::kzg::KZG; static constexpr size_t NUM_WIRES = CircuitConstructor::NUM_WIRES; // The number of multivariate polynomials on which a sumcheck prover sumcheck operates (including shifts). We often diff --git a/cpp/src/barretenberg/honk/flavor/ultra_grumpkin.hpp b/cpp/src/barretenberg/honk/flavor/ultra_grumpkin.hpp index 44d345f2c0..5dca661d29 100644 --- a/cpp/src/barretenberg/honk/flavor/ultra_grumpkin.hpp +++ b/cpp/src/barretenberg/honk/flavor/ultra_grumpkin.hpp @@ -36,8 +36,8 @@ class UltraGrumpkin { using GroupElement = G1::element; using Commitment = G1::affine_element; using CommitmentHandle = G1::affine_element; - using PCSParams = pcs::ipa::Params; - using PCS = pcs::ipa::IPA; + using PCSParams = proof_system::pcs::ipa::Params; + using PCS = proof_system::pcs::ipa::IPA; static constexpr size_t NUM_WIRES = CircuitConstructor::NUM_WIRES; // The number of multivariate polynomials on which a sumcheck prover sumcheck operates (including shifts). We often diff --git a/cpp/src/barretenberg/honk/pcs/gemini/gemini.cpp b/cpp/src/barretenberg/honk/pcs/gemini/gemini.cpp index 27135537ff..3855772e9b 100644 --- a/cpp/src/barretenberg/honk/pcs/gemini/gemini.cpp +++ b/cpp/src/barretenberg/honk/pcs/gemini/gemini.cpp @@ -360,6 +360,6 @@ std::pair Multilin } return { C0_r_pos, C0_r_neg }; }; -template class MultilinearReductionScheme; -template class MultilinearReductionScheme; +template class MultilinearReductionScheme; +template class MultilinearReductionScheme; }; // namespace proof_system::honk::pcs::gemini 
diff --git a/cpp/src/barretenberg/honk/pcs/gemini/gemini.hpp b/cpp/src/barretenberg/honk/pcs/gemini/gemini.hpp index ece9e85bb3..5a2ec2115c 100644 --- a/cpp/src/barretenberg/honk/pcs/gemini/gemini.hpp +++ b/cpp/src/barretenberg/honk/pcs/gemini/gemini.hpp @@ -7,6 +7,7 @@ #include +using namespace proof_system::pcs; /** * @brief Protocol for opening several multi-linear polynomials at the same point. * @@ -44,7 +45,6 @@ * since they are linear-combinations of the commitments [fⱼ] and [gⱼ]. */ namespace proof_system::honk::pcs::gemini { - /** * @brief Prover output (evalutation pair, witness) that can be passed on to Shplonk batch opening. * @details Evaluation pairs {r, A₀₊(r)}, {-r, A₀₋(-r)}, {-r^{2^j}, Aⱼ(-r^{2^j)}, j = [1, ..., m-1] diff --git a/cpp/src/barretenberg/honk/proof_system/prover.hpp b/cpp/src/barretenberg/honk/proof_system/prover.hpp index 3ce6f01ce4..8fd131ab8d 100644 --- a/cpp/src/barretenberg/honk/proof_system/prover.hpp +++ b/cpp/src/barretenberg/honk/proof_system/prover.hpp @@ -73,11 +73,11 @@ template class StandardProver_ { sumcheck::SumcheckOutput sumcheck_output; pcs::gemini::ProverOutput gemini_output; - pcs::shplonk::ProverOutput shplonk_output; + proof_system::pcs::shplonk::ProverOutput shplonk_output; std::shared_ptr pcs_commitment_key; using Gemini = pcs::gemini::MultilinearReductionScheme; - using Shplonk = pcs::shplonk::SingleBatchOpeningScheme; + using Shplonk = proof_system::pcs::shplonk::SingleBatchOpeningScheme; private: plonk::proof proof; diff --git a/cpp/src/barretenberg/honk/proof_system/ultra_prover.hpp b/cpp/src/barretenberg/honk/proof_system/ultra_prover.hpp index 9278de5ba2..0ed9e40c58 100644 --- a/cpp/src/barretenberg/honk/proof_system/ultra_prover.hpp +++ b/cpp/src/barretenberg/honk/proof_system/ultra_prover.hpp 
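Review bot: The added `using namespace proof_system::pcs;` sits at file scope in a header, ahead of `namespace proof_system::honk::pcs::gemini`, so every translation unit that includes gemini.hpp gets all of `proof_system::pcs` injected into unqualified lookup. This is riskier than usual because two namespaces named `pcs` now coexist (`proof_system::pcs` and `proof_system::honk::pcs`), and a silently different type or overload being selected is hard to spot in commitment-scheme code. Prefer using-declarations for the few names needed, placed inside `namespace proof_system::honk::pcs::gemini`, or qualify the uses as the prover hunks in this commit do (`proof_system::pcs::shplonk::ProverOutput`). The same directive is added in shplonk_single.hpp, where it precedes `namespace proof_system::pcs::shplonk` and looks redundant, since code in that namespace already sees its parent's names.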
@@ -68,11 +68,11 @@ template class UltraProver_ { sumcheck::SumcheckOutput sumcheck_output; pcs::gemini::ProverOutput gemini_output; - pcs::shplonk::ProverOutput shplonk_output; + proof_system::pcs::shplonk::ProverOutput shplonk_output; std::shared_ptr pcs_commitment_key; using Gemini = pcs::gemini::MultilinearReductionScheme; - using Shplonk = pcs::shplonk::SingleBatchOpeningScheme; + using Shplonk = proof_system::pcs::shplonk::SingleBatchOpeningScheme; private: plonk::proof proof; diff --git a/cpp/src/barretenberg/honk/proof_system/ultra_verifier.cpp b/cpp/src/barretenberg/honk/proof_system/ultra_verifier.cpp index f1e2ed7cc9..d2d4dcfbbf 100644 --- a/cpp/src/barretenberg/honk/proof_system/ultra_verifier.cpp +++ b/cpp/src/barretenberg/honk/proof_system/ultra_verifier.cpp @@ -40,7 +40,7 @@ template bool UltraVerifier_::verify_proof(const plonk using PCSParams = typename Flavor::PCSParams; using PCS = typename Flavor::PCS; using Gemini = pcs::gemini::MultilinearReductionScheme; - using Shplonk = pcs::shplonk::SingleBatchOpeningScheme; + using Shplonk = proof_system::pcs::shplonk::SingleBatchOpeningScheme; using VerifierCommitments = typename Flavor::VerifierCommitments; using CommitmentLabels = typename Flavor::CommitmentLabels; diff --git a/cpp/src/barretenberg/honk/proof_system/verifier.cpp b/cpp/src/barretenberg/honk/proof_system/verifier.cpp index b9e9e2e6fc..1a6295821c 100644 --- a/cpp/src/barretenberg/honk/proof_system/verifier.cpp +++ b/cpp/src/barretenberg/honk/proof_system/verifier.cpp 
@@ -60,7 +60,7 @@ template bool StandardVerifier_::verify_proof(const pl using Commitment = typename Flavor::Commitment; using PCSParams = typename Flavor::PCSParams; using Gemini = pcs::gemini::MultilinearReductionScheme; - using Shplonk = pcs::shplonk::SingleBatchOpeningScheme; + using Shplonk = proof_system::pcs::shplonk::SingleBatchOpeningScheme; using PCS = typename Flavor::PCS; using VerifierCommitments = typename Flavor::VerifierCommitments; using CommitmentLabels = typename Flavor::CommitmentLabels; diff --git a/cpp/src/barretenberg/honk/proof_system/work_queue.hpp b/cpp/src/barretenberg/honk/proof_system/work_queue.hpp index b27bbb6cf4..799ef1e851 100644 --- a/cpp/src/barretenberg/honk/proof_system/work_queue.hpp +++ b/cpp/src/barretenberg/honk/proof_system/work_queue.hpp @@ -31,12 +31,12 @@ template class work_queue { private: // TODO(luke): Consider handling all transcript interactions in the prover rather than embedding them in the queue. - proof_system::honk::ProverTranscript& transcript; + proof_system::ProverTranscript& transcript; std::shared_ptr commitment_key; std::vector work_item_queue; public: - explicit work_queue(auto commitment_key, proof_system::honk::ProverTranscript& prover_transcript) + explicit work_queue(auto commitment_key, proof_system::ProverTranscript& prover_transcript) : transcript(prover_transcript) , commitment_key(commitment_key){}; diff --git a/cpp/src/barretenberg/honk/sumcheck/polynomials/multivariates.test.cpp b/cpp/src/barretenberg/honk/sumcheck/polynomials/multivariates.test.cpp index 9cfe983bee..3101c18fcd 100644 --- a/cpp/src/barretenberg/honk/sumcheck/polynomials/multivariates.test.cpp +++ b/cpp/src/barretenberg/honk/sumcheck/polynomials/multivariates.test.cpp 
@@ -46,7 +46,7 @@ TYPED_TEST(MultivariatesTests, FoldTwoRoundsSpecial) { using Flavor = TypeParam; using FF = typename Flavor::FF; - using Transcript = honk::ProverTranscript; + using Transcript = proof_system::ProverTranscript; // values here are chosen to check another test const size_t multivariate_d(2); @@ -84,7 +84,7 @@ TYPED_TEST(MultivariatesTests, FoldTwoRoundsGeneric) { using Flavor = TypeParam; using FF = typename Flavor::FF; - using Transcript = honk::ProverTranscript; + using Transcript = proof_system::ProverTranscript; const size_t multivariate_d(2); const size_t multivariate_n(1 << multivariate_d); @@ -141,7 +141,7 @@ TYPED_TEST(MultivariatesTests, FoldThreeRoundsSpecial) { using Flavor = TypeParam; using FF = typename Flavor::FF; - using Transcript = honk::ProverTranscript; + using Transcript = proof_system::ProverTranscript; const size_t multivariate_d(3); const size_t multivariate_n(1 << multivariate_d); @@ -192,7 +192,7 @@ TYPED_TEST(MultivariatesTests, FoldThreeRoundsGeneric) { using Flavor = TypeParam; using FF = typename Flavor::FF; - using Transcript = honk::ProverTranscript; + using Transcript = proof_system::ProverTranscript; const size_t multivariate_d(3); const size_t multivariate_n(1 << multivariate_d); @@ -243,7 +243,7 @@ TYPED_TEST(MultivariatesTests, FoldThreeRoundsGenericMultiplePolys) { using Flavor = TypeParam; using FF = typename Flavor::FF; - using Transcript = honk::ProverTranscript; + using Transcript = proof_system::ProverTranscript; const size_t multivariate_d(3); const size_t multivariate_n(1 << multivariate_d); diff --git a/cpp/src/barretenberg/plonk/composer/composer_helper/composer_helper_lib.cpp b/cpp/src/barretenberg/plonk/composer/composer_helper/composer_helper_lib.cpp index 9fd7223e60..1e0ddfaf3b 100644 --- a/cpp/src/barretenberg/plonk/composer/composer_helper/composer_helper_lib.cpp +++ b/cpp/src/barretenberg/plonk/composer/composer_helper/composer_helper_lib.cpp 
@@ -52,7 +52,7 @@ std::shared_ptr compute_verification_key_common( proving_key->circuit_size, proving_key->num_public_inputs, vrs, proving_key->composer_type); // TODO(kesha): Dirty hack for now. Need to actually make commitment-agnositc auto commitment_key = - proof_system::honk::pcs::kzg::Params::CommitmentKey(proving_key->circuit_size, proving_key->reference_string); + proof_system::pcs::kzg::Params::CommitmentKey(proving_key->circuit_size, proving_key->reference_string); for (size_t i = 0; i < proving_key->polynomial_manifest.size(); ++i) { const auto& poly_info = proving_key->polynomial_manifest[i]; diff --git a/cpp/src/barretenberg/proof_system/pcs/claim.hpp b/cpp/src/barretenberg/proof_system/pcs/claim.hpp index a07a070656..f80fd1d974 100644 --- a/cpp/src/barretenberg/proof_system/pcs/claim.hpp +++ b/cpp/src/barretenberg/proof_system/pcs/claim.hpp @@ -2,7 +2,7 @@ #include "barretenberg/polynomials/polynomial.hpp" -namespace proof_system::honk::pcs { +namespace proof_system::pcs { /** * @brief Opening pair (r,v) for some witness polynomial p(X) such that p(r) = v * @@ -90,4 +90,4 @@ template class MLEOpeningClaim { // v↺ = g(u) = a₁⋅L₀(u) + … + aₙ₋₁⋅Lₙ₋₂(u) Fr evaluation; }; -} // namespace proof_system::honk::pcs +} // namespace proof_system::pcs diff --git a/cpp/src/barretenberg/proof_system/pcs/commitment_key.cpp b/cpp/src/barretenberg/proof_system/pcs/commitment_key.cpp index 6da4801475..33e4a0098f 100644 --- a/cpp/src/barretenberg/proof_system/pcs/commitment_key.cpp +++ b/cpp/src/barretenberg/proof_system/pcs/commitment_key.cpp @@ -18,7 +18,7 @@ #include #include -namespace proof_system::honk::pcs { +namespace proof_system::pcs { namespace kzg { using Fr = typename barretenberg::g1::Fr; @@ -223,4 +223,4 @@ bool Params::VerificationKey::pairing_check(const GroupElement& p0, const GroupE // } // namespace ipa -} // namespace proof_system::honk::pcs +} // namespace proof_system::pcs 
diff --git a/cpp/src/barretenberg/proof_system/pcs/commitment_key.hpp b/cpp/src/barretenberg/proof_system/pcs/commitment_key.hpp index 64aa8774c1..dd1983329c 100644 --- a/cpp/src/barretenberg/proof_system/pcs/commitment_key.hpp +++ b/cpp/src/barretenberg/proof_system/pcs/commitment_key.hpp @@ -20,7 +20,7 @@ #include #include -namespace proof_system::honk::pcs { +namespace proof_system::pcs { namespace kzg { @@ -230,4 +230,4 @@ struct Params { } // namespace ipa -} // namespace proof_system::honk::pcs +} // namespace proof_system::pcs diff --git a/cpp/src/barretenberg/proof_system/pcs/commitment_key.test.hpp b/cpp/src/barretenberg/proof_system/pcs/commitment_key.test.hpp index 6a481d1679..74dae72144 100644 --- a/cpp/src/barretenberg/proof_system/pcs/commitment_key.test.hpp +++ b/cpp/src/barretenberg/proof_system/pcs/commitment_key.test.hpp @@ -17,7 +17,7 @@ #include "claim.hpp" #include "commitment_key.hpp" -namespace proof_system::honk::pcs { +namespace proof_system::pcs { template inline std::shared_ptr CreateCommitmentKey(); @@ -206,4 +206,4 @@ using IpaCommitmentSchemeParams = ::testing::Types; // using CommitmentSchemeParams = // ::testing::Types, fake::Params, kzg::Params>; -} // namespace proof_system::honk::pcs +} // namespace proof_system::pcs diff --git a/cpp/src/barretenberg/proof_system/pcs/ipa/ipa.hpp b/cpp/src/barretenberg/proof_system/pcs/ipa/ipa.hpp index fe434ccf2b..018d0ba699 100644 --- a/cpp/src/barretenberg/proof_system/pcs/ipa/ipa.hpp +++ b/cpp/src/barretenberg/proof_system/pcs/ipa/ipa.hpp @@ -14,7 +14,7 @@ * https://hackmd.io/q-A8y6aITWyWJrvsGGMWNA?view. * */ -namespace proof_system::honk::pcs::ipa { +namespace proof_system::pcs::ipa { template class IPA { using Fr = typename Params::Fr; @@ -224,4 +224,4 @@ template class IPA { } }; -} // namespace proof_system::honk::pcs::ipa +} // namespace proof_system::pcs::ipa 
diff --git a/cpp/src/barretenberg/proof_system/pcs/ipa/ipa.test.cpp b/cpp/src/barretenberg/proof_system/pcs/ipa/ipa.test.cpp index a7d7fe6c51..67fed93cdf 100644 --- a/cpp/src/barretenberg/proof_system/pcs/ipa/ipa.test.cpp +++ b/cpp/src/barretenberg/proof_system/pcs/ipa/ipa.test.cpp @@ -8,7 +8,7 @@ #include "barretenberg/proof_system/pcs/commitment_key.hpp" #include "barretenberg/proof_system/pcs/commitment_key.test.hpp" using namespace barretenberg; -namespace proof_system::honk::pcs::ipa { +namespace proof_system::pcs::ipa { class IPATest : public CommitmentTest { public: @@ -78,4 +78,4 @@ TEST_F(IPATest, Open) EXPECT_EQ(prover_transcript.get_manifest(), verifier_transcript.get_manifest()); } -} // namespace proof_system::honk::pcs::ipa +} // namespace proof_system::pcs::ipa diff --git a/cpp/src/barretenberg/proof_system/pcs/kzg/kzg.hpp b/cpp/src/barretenberg/proof_system/pcs/kzg/kzg.hpp index 98ac026b64..a58d909d77 100644 --- a/cpp/src/barretenberg/proof_system/pcs/kzg/kzg.hpp +++ b/cpp/src/barretenberg/proof_system/pcs/kzg/kzg.hpp @@ -8,7 +8,7 @@ #include #include -namespace proof_system::honk::pcs::kzg { +namespace proof_system::pcs::kzg { template class KZG { using CK = typename Params::CommitmentKey; @@ -65,4 +65,4 @@ template class KZG { return vk->pairing_check(lhs, rhs); }; }; -} // namespace proof_system::honk::pcs::kzg +} // namespace proof_system::pcs::kzg diff --git a/cpp/src/barretenberg/proof_system/pcs/kzg/kzg.test.cpp b/cpp/src/barretenberg/proof_system/pcs/kzg/kzg.test.cpp index 9537a50e74..8ae02db8e5 100644 --- a/cpp/src/barretenberg/proof_system/pcs/kzg/kzg.test.cpp +++ b/cpp/src/barretenberg/proof_system/pcs/kzg/kzg.test.cpp @@ -12,7 +12,7 @@ #include #include -namespace proof_system::honk::pcs::kzg { +namespace proof_system::pcs::kzg { template class KZGTest : public CommitmentTest { public: 
@@ -49,4 +49,4 @@ TYPED_TEST(KZGTest, single) EXPECT_EQ(verified, true); } -} // namespace proof_system::honk::pcs::kzg +} // namespace proof_system::pcs::kzg diff --git a/cpp/src/barretenberg/proof_system/pcs/shplonk/shplonk.hpp b/cpp/src/barretenberg/proof_system/pcs/shplonk/shplonk.hpp index af84e1b632..84792122b8 100644 --- a/cpp/src/barretenberg/proof_system/pcs/shplonk/shplonk.hpp +++ b/cpp/src/barretenberg/proof_system/pcs/shplonk/shplonk.hpp @@ -17,7 +17,7 @@ * The challenges are ρ (batching) and r (random evaluation). * */ -namespace proof_system::honk::pcs::shplonk { +namespace proof_system::pcs::shplonk { /** * @brief Single commitment to Q(X) = ∑ₖ ( Bₖ(X) − Tₖ(X) ) / zₖ(X) @@ -43,4 +43,4 @@ template struct ProverOutput { OutputWitness witness; // single polynomial G(X) }; -} // namespace proof_system::honk::pcs::shplonk +} // namespace proof_system::pcs::shplonk diff --git a/cpp/src/barretenberg/proof_system/pcs/shplonk/shplonk.test.cpp b/cpp/src/barretenberg/proof_system/pcs/shplonk/shplonk.test.cpp index 37d1f3389b..74db0eaee2 100644 --- a/cpp/src/barretenberg/proof_system/pcs/shplonk/shplonk.test.cpp +++ b/cpp/src/barretenberg/proof_system/pcs/shplonk/shplonk.test.cpp @@ -9,7 +9,7 @@ #include "barretenberg/proof_system/pcs/commitment_key.test.hpp" #include "barretenberg/proof_system/pcs/claim.hpp" #include "barretenberg/polynomials/polynomial.hpp" -namespace proof_system::honk::pcs::shplonk { +namespace proof_system::pcs::shplonk { template class ShplonkTest : public CommitmentTest {}; TYPED_TEST_SUITE(ShplonkTest, CommitmentSchemeParams); @@ -67,4 +67,4 @@ TYPED_TEST(ShplonkTest, ShplonkSimple) this->verify_opening_claim(verifier_claim, shplonk_prover_witness); } -} // namespace proof_system::honk::pcs::shplonk +} // namespace proof_system::pcs::shplonk diff --git a/cpp/src/barretenberg/proof_system/pcs/shplonk/shplonk_single.hpp b/cpp/src/barretenberg/proof_system/pcs/shplonk/shplonk_single.hpp index 8fd3b51988..e92d7baa63 100644 
--- a/cpp/src/barretenberg/proof_system/pcs/shplonk/shplonk_single.hpp +++ b/cpp/src/barretenberg/proof_system/pcs/shplonk/shplonk_single.hpp @@ -4,7 +4,8 @@ #include "barretenberg/proof_system/pcs/commitment_key.hpp" #include "barretenberg/proof_system/transcript/transcript.hpp" -namespace proof_system::honk::pcs::shplonk { +using namespace proof_system::pcs; +namespace proof_system::pcs::shplonk { /** * @brief Protocol for opening several polynomials, each in a single different point. @@ -175,4 +176,4 @@ template class SingleBatchOpeningScheme { return { { z_challenge, Fr::zero() }, G_commitment }; }; }; -} // namespace proof_system::honk::pcs::shplonk +} // namespace proof_system::pcs::shplonk diff --git a/cpp/src/barretenberg/proof_system/transcript/transcript.hpp b/cpp/src/barretenberg/proof_system/transcript/transcript.hpp index fec507a642..ffcde0ad34 100644 --- a/cpp/src/barretenberg/proof_system/transcript/transcript.hpp +++ b/cpp/src/barretenberg/proof_system/transcript/transcript.hpp @@ -15,7 +15,7 @@ #include #include -namespace proof_system::honk { +namespace proof_system { class TranscriptManifest { struct RoundData { @@ -270,4 +270,4 @@ template class VerifierTranscript : public BaseTranscript { return element; } }; -} // namespace proof_system::honk +} // namespace proof_system diff --git a/cpp/src/barretenberg/proof_system/transcript/transcript.test.cpp b/cpp/src/barretenberg/proof_system/transcript/transcript.test.cpp index cb43e41658..abc92a762d 100644 --- a/cpp/src/barretenberg/proof_system/transcript/transcript.test.cpp +++ b/cpp/src/barretenberg/proof_system/transcript/transcript.test.cpp @@ -7,7 +7,7 @@ #include #include -using namespace proof_system::honk; +using namespace proof_system; /** * @brief Test and demonstrate the basic functionality of the prover and verifier transcript 
@@ -18,7 +18,7 @@ TEST(TranscriptTests, ProverAndVerifierBasic) constexpr size_t LENGTH = 8; using Fr = barretenberg::fr; - using Univariate = proof_system::honk::sumcheck::Univariate; + using Univariate = std::array; using Commitment = barretenberg::g1::affine_element; std::array evaluations; From 275b48e37e44a49c226aede91beaff15607a56d4 Mon Sep 17 00:00:00 2001 From: Rumata888 Date: Thu, 22 Jun 2023 19:01:53 +0000 Subject: [PATCH 3/5] Commitment key cpped --- .../proof_system/pcs/commitment_key.cpp | 178 +++++------------- .../proof_system/pcs/commitment_key.hpp | 146 +++++--------- 2 files changed, 92 insertions(+), 232 deletions(-) diff --git a/cpp/src/barretenberg/proof_system/pcs/commitment_key.cpp b/cpp/src/barretenberg/proof_system/pcs/commitment_key.cpp index 33e4a0098f..ae6bb826a1 100644 --- a/cpp/src/barretenberg/proof_system/pcs/commitment_key.cpp +++ b/cpp/src/barretenberg/proof_system/pcs/commitment_key.cpp 
@@ -93,134 +93,54 @@ bool Params::VerificationKey::pairing_check(const GroupElement& p0, const GroupE } // namespace kzg -// namespace fake { - -// // Define a common trapdoor for both keys -// namespace { -// template constexpr typename G::Fr trapdoor(5); -// } - -// template struct Params { -// using Fr = typename G::Fr; -// using Commitment = typename G::affine_element; -// using GroupElement = typename G::element; - -// using Polynomial = barretenberg::Polynomial; - -// template class CommitmentKey; -// template class VerificationKey; - -// /** -// * @brief Simulates a KZG CommitmentKey, but where we know the secret trapdoor -// * which allows us to commit to polynomials using a single group multiplication. -// * -// * @tparam G the commitment group -// */ -// template class CommitmentKey { - -// public: -// /** -// * @brief efficiently create a KZG commitment to p(X) using the trapdoor 'secret' -// * Uses only 1 group scalar multiplication, and 1 polynomial evaluation -// * -// * -// * @param polynomial a univariate polynomial p(X) -// * @return Commitment computed as C = p(secret)•[1]_1 . 
-// */ -// Commitment commit(std::span polynomial) -// { -// const Fr eval_secret = barretenberg::polynomial_arithmetic::evaluate(polynomial, trapdoor); -// return Commitment::one() * eval_secret; -// }; -// }; - -// template class VerificationKey { - -// public: -// /** -// * @brief verifies a pairing equation over 2 points using the trapdoor -// * -// * @param p0 = P₀ -// * @param p1 = P₁ -// * @return P₀ - x⋅P₁ ≡ [1] -// */ -// bool pairing_check(const Commitment& p0, const Commitment& p1) -// { -// Commitment result = p0 + p1 * trapdoor; -// return result.is_point_at_infinity(); -// } -// }; -// }; -// } // namespace fake - -// namespace ipa { - -// struct Params { -// using Fr = typename barretenberg::g1::Fr; -// using Commitment = typename barretenberg::g1::affine_element; -// using GroupElement = barretenberg::g1::element; - -// using Polynomial = barretenberg::Polynomial; - -// class CommitmentKey; -// class VerificationKey; - -// class CommitmentKey { - -// public: -// CommitmentKey() = delete; - -// /** -// * @brief Construct a new IPA Commitment Key object from existing SRS.. 
-// * -// * @param num_points -// * @param path -// * -// */ -// CommitmentKey(const size_t num_points, std::shared_ptr crs_factory) -// : pippenger_runtime_state(num_points) -// , srs(crs_factory->get_prover_crs(num_points)) -// {} - -// /** -// * @brief Uses the ProverSRS to create an unblinded commitment to p(X) -// * -// * @param polynomial a univariate polynomial p(X) = ∑ᵢ aᵢ⋅Xⁱ () -// * @return Commitment computed as C = [p(x)] = ∑ᵢ aᵢ⋅Gᵢ where Gᵢ is the i-th element of the SRS -// */ -// Commitment commit(std::span polynomial) -// { -// const size_t degree = polynomial.size(); -// ASSERT(degree <= srs->get_monomial_size()); -// return barretenberg::scalar_multiplication::pippenger_unsafe( -// const_cast(polynomial.data()), srs->get_monomial_points(), degree, pippenger_runtime_state); -// }; - -// barretenberg::scalar_multiplication::pippenger_runtime_state pippenger_runtime_state; -// std::shared_ptr> srs; -// }; - -// class VerificationKey { -// public: -// VerificationKey() = delete; - -// /** -// * @brief Construct a new IPA Verification Key object from existing SRS -// * -// * -// * @param num_points specifies the length of the SRS -// * @param path is the location to the SRS file -// */ -// VerificationKey(size_t num_points, std::shared_ptr crs_factory) -// : pippenger_runtime_state(num_points) -// , srs(crs_factory->get_prover_crs(num_points)) -// {} - -// barretenberg::scalar_multiplication::pippenger_runtime_state pippenger_runtime_state; -// std::shared_ptr> srs; -// }; -// }; - -// } // namespace ipa +namespace ipa { + +using Fr = typename barretenberg::g1::Fr; +using Commitment = typename barretenberg::g1::affine_element; +using GroupElement = barretenberg::g1::element; + +using Polynomial = barretenberg::Polynomial; + +/** + * @brief Construct a new IPA Commitment Key object from existing SRS.. 
+ * + * @param num_points + * @param path + * + */ +Params::CommitmentKey::CommitmentKey(const size_t num_points, + std::shared_ptr crs_factory) + : pippenger_runtime_state(num_points) + , srs(crs_factory->get_prover_crs(num_points)) +{} + +/** + * @brief Uses the ProverSRS to create an unblinded commitment to p(X) + * + * @param polynomial a univariate polynomial p(X) = ∑ᵢ aᵢ⋅Xⁱ () + * @return Commitment computed as C = [p(x)] = ∑ᵢ aᵢ⋅Gᵢ where Gᵢ is the i-th element of the SRS + */ +Commitment Params::CommitmentKey::commit(std::span polynomial) +{ + const size_t degree = polynomial.size(); + ASSERT(degree <= srs->get_monomial_size()); + return barretenberg::scalar_multiplication::pippenger_unsafe( + const_cast(polynomial.data()), srs->get_monomial_points(), degree, pippenger_runtime_state); +}; + +/** + * @brief Construct a new IPA Verification Key object from existing SRS + * + * + * @param num_points specifies the length of the SRS + * @param path is the location to the SRS file + */ +Params::VerificationKey::VerificationKey(size_t num_points, + std::shared_ptr crs_factory) + : pippenger_runtime_state(num_points) + , srs(crs_factory->get_prover_crs(num_points)) +{} + +} // namespace ipa } // namespace proof_system::pcs diff --git a/cpp/src/barretenberg/proof_system/pcs/commitment_key.hpp b/cpp/src/barretenberg/proof_system/pcs/commitment_key.hpp index dd1983329c..b088f4659a 100644 --- a/cpp/src/barretenberg/proof_system/pcs/commitment_key.hpp +++ b/cpp/src/barretenberg/proof_system/pcs/commitment_key.hpp 
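Review bot: The length check in the IPA `Params::CommitmentKey::commit` is only `ASSERT(degree <= srs->get_monomial_size())`, and the next statement passes `degree` and `srs->get_monomial_points()` to `pippenger_unsafe`. If `ASSERT` compiles out in release builds (its definition is not part of this patch), a polynomial longer than the SRS would make the multiplication read past the available points instead of failing. An unconditional guard before the call, such as `if (degree > srs->get_monomial_size()) { std::abort(); }` or the project's own fatal-error helper, keeps the bound in every build. Separately, both constructor comments document `@param path` although the parameter is `crs_factory`, and the IPA `VerificationKey` is filled from `get_prover_crs`, which deserves a one-line comment confirming that this is intended.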
@@ -43,63 +43,73 @@ struct Params { class CommitmentKey { public: + barretenberg::scalar_multiplication::pippenger_runtime_state pippenger_runtime_state; + std::shared_ptr> srs; + CommitmentKey() = delete; - /** - * @brief Construct a new Kate Commitment Key object from existing SRS - * - * @param n - * @param path - * - */ CommitmentKey(const size_t num_points, std::shared_ptr crs_factory); - // Note: This constructor is used only by Plonk; For Honk the CommitmentKey is solely responsible for extracting - // the srs. CommitmentKey(const size_t num_points, std::shared_ptr> prover_srs); - /** - * @brief Uses the ProverSRS to create a commitment to p(X) - * - * @param polynomial a univariate polynomial p(X) = ∑ᵢ aᵢ⋅Xⁱ () - * @return Commitment computed as C = [p(x)] = ∑ᵢ aᵢ⋅[xⁱ]₁ where x is the secret trapdoor - */ Commitment commit(std::span polynomial); - - barretenberg::scalar_multiplication::pippenger_runtime_state pippenger_runtime_state; - std::shared_ptr> srs; }; class VerificationKey { public: + std::shared_ptr verifier_srs; + VerificationKey() = delete; - /** - * @brief Construct a new Kate Verification Key object from existing SRS - * - * @param num_points - * @param verifier_srs verifier G2 point - */ VerificationKey([[maybe_unused]] size_t num_points, std::shared_ptr crs_factory); - /** - * @brief verifies a pairing equation over 2 points using the verifier SRS - * - * @param p0 = P₀ - * @param p1 = P₁ - * @return e(P₀,[1]₁)e(P₁,[x]₂) ≡ [1]ₜ - */ bool pairing_check(const GroupElement& p0, const GroupElement& p1); - - std::shared_ptr verifier_srs; }; }; } // namespace kzg +namespace ipa { + +struct Params { + using Fr = typename barretenberg::g1::Fr; + using Commitment = typename barretenberg::g1::affine_element; + using GroupElement = barretenberg::g1::element; + + using Polynomial = barretenberg::Polynomial; + + class CommitmentKey; + class VerificationKey; + + class CommitmentKey { + + public: + 
barretenberg::scalar_multiplication::pippenger_runtime_state pippenger_runtime_state; + std::shared_ptr> srs; + + CommitmentKey() = delete; + + CommitmentKey(const size_t num_points, std::shared_ptr crs_factory); + + Commitment commit(std::span polynomial); + }; + + class VerificationKey { + public: + barretenberg::scalar_multiplication::pippenger_runtime_state pippenger_runtime_state; + std::shared_ptr> srs; + + VerificationKey() = delete; + + VerificationKey(size_t num_points, std::shared_ptr crs_factory); + }; +}; + +} // namespace ipa + namespace fake { // Define a common trapdoor for both keys 
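Review bot: The declarations in this header no longer carry any documentation: the hunk deletes the Doxygen blocks from the kzg `CommitmentKey` and `VerificationKey`, and the new `ipa::Params` classes are declared without any. Callers read the header, so the contract should stay there, in particular the removed remark on the `prover_srs` constructor (`// Note: This constructor is used only by Plonk; For Honk the CommitmentKey is solely responsible for extracting the srs.`) and a statement on `commit` that the polynomial must not be longer than the SRS. Whether the kzg comments were carried into commitment_key.cpp is not visible in this patch. `pippenger_runtime_state` and `srs` are also public and now listed first in each class; a short comment saying they are not meant to be reassigned after construction would help if they have to remain public.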
@@ -160,74 +170,4 @@ template struct Params { }; } // namespace fake -namespace ipa { - -struct Params { - using Fr = typename barretenberg::g1::Fr; - using Commitment = typename barretenberg::g1::affine_element; - using GroupElement = barretenberg::g1::element; - - using Polynomial = barretenberg::Polynomial; - - class CommitmentKey; - class VerificationKey; - - class CommitmentKey { - - public: - CommitmentKey() = delete; - - /** - * @brief Construct a new IPA Commitment Key object from existing SRS.. - * - * @param num_points - * @param path - * - */ - CommitmentKey(const size_t num_points, std::shared_ptr crs_factory) - : pippenger_runtime_state(num_points) - , srs(crs_factory->get_prover_crs(num_points)) - {} - - /** - * @brief Uses the ProverSRS to create an unblinded commitment to p(X) - * - * @param polynomial a univariate polynomial p(X) = ∑ᵢ aᵢ⋅Xⁱ () - * @return Commitment computed as C = [p(x)] = ∑ᵢ aᵢ⋅Gᵢ where Gᵢ is the i-th element of the SRS - */ - Commitment commit(std::span polynomial) - { - const size_t degree = polynomial.size(); - ASSERT(degree <= srs->get_monomial_size()); - return barretenberg::scalar_multiplication::pippenger_unsafe( - const_cast(polynomial.data()), srs->get_monomial_points(), degree, pippenger_runtime_state); - }; - - barretenberg::scalar_multiplication::pippenger_runtime_state pippenger_runtime_state; - std::shared_ptr> srs; - }; - - class VerificationKey { - public: - VerificationKey() = delete; - - /** - * @brief Construct a new IPA Verification Key object from existing SRS - * - * - * @param num_points specifies the length of the SRS - * @param path is the location to the SRS file - */ - VerificationKey(size_t num_points, std::shared_ptr crs_factory) - : pippenger_runtime_state(num_points) - , srs(crs_factory->get_prover_crs(num_points)) - {} - - barretenberg::scalar_multiplication::pippenger_runtime_state pippenger_runtime_state; - std::shared_ptr> srs; - }; -}; - -} // namespace ipa - } // namespace proof_system::pcs 
From 5366d38e0dd44de50e3cfaddf6977f7205baefb6 Mon Sep 17 00:00:00 2001 From: Rumata888 Date: Thu, 22 Jun 2023 19:15:33 +0000 Subject: [PATCH 4/5] Clean commitment key up a bit --- .../barretenberg/proof_system/pcs/commitment_key.cpp | 10 ---------- .../barretenberg/proof_system/pcs/commitment_key.hpp | 9 --------- 2 files changed, 19 deletions(-) diff --git a/cpp/src/barretenberg/proof_system/pcs/commitment_key.cpp b/cpp/src/barretenberg/proof_system/pcs/commitment_key.cpp index ae6bb826a1..c474696ce0 100644 --- a/cpp/src/barretenberg/proof_system/pcs/commitment_key.cpp +++ b/cpp/src/barretenberg/proof_system/pcs/commitment_key.cpp @@ -6,17 +6,7 @@ */ #include "commitment_key.hpp" -#include "barretenberg/ecc/curves/bn254/bn254.hpp" -#include "barretenberg/polynomials/polynomial_arithmetic.hpp" -#include "barretenberg/polynomials/polynomial.hpp" -#include "barretenberg/srs/factories/crs_factory.hpp" -#include "barretenberg/srs/factories/file_crs_factory.hpp" -#include "barretenberg/ecc/scalar_multiplication/scalar_multiplication.hpp" #include "barretenberg/ecc/curves/bn254/pairing.hpp" -#include "barretenberg/numeric/bitop/pow.hpp" -#include -#include -#include namespace proof_system::pcs { diff --git a/cpp/src/barretenberg/proof_system/pcs/commitment_key.hpp b/cpp/src/barretenberg/proof_system/pcs/commitment_key.hpp index b088f4659a..1621be018d 100644 --- a/cpp/src/barretenberg/proof_system/pcs/commitment_key.hpp +++ b/cpp/src/barretenberg/proof_system/pcs/commitment_key.hpp @@ -1,5 +1,4 @@ #pragma once - /** * @brief Provides interfaces for different 'CommitmentKey' classes. * 
@@ -8,17 +7,9 @@ */ #include "barretenberg/ecc/curves/bn254/bn254.hpp" -#include "barretenberg/polynomials/polynomial_arithmetic.hpp" #include "barretenberg/polynomials/polynomial.hpp" #include "barretenberg/srs/factories/crs_factory.hpp" -#include "barretenberg/srs/factories/file_crs_factory.hpp" #include "barretenberg/ecc/scalar_multiplication/scalar_multiplication.hpp" -#include "barretenberg/ecc/curves/bn254/pairing.hpp" -#include "barretenberg/numeric/bitop/pow.hpp" - -#include -#include -#include namespace proof_system::pcs { From 31fdf6534f028a25a01df90efee694e2bdddc568 Mon Sep 17 00:00:00 2001 From: Rumata888 Date: Thu, 22 Jun 2023 19:48:55 +0000 Subject: [PATCH 5/5] Cpped claim --- .../barretenberg/proof_system/pcs/claim.cpp | 23 +++++++++++++++++++ .../barretenberg/proof_system/pcs/claim.hpp | 22 ++++++++---------- 2 files changed, 33 insertions(+), 12 deletions(-) create mode 100644 cpp/src/barretenberg/proof_system/pcs/claim.cpp diff --git a/cpp/src/barretenberg/proof_system/pcs/claim.cpp b/cpp/src/barretenberg/proof_system/pcs/claim.cpp new file mode 100644 index 0000000000..c17ab2822b --- /dev/null +++ b/cpp/src/barretenberg/proof_system/pcs/claim.cpp @@ -0,0 +1,23 @@ +#include "claim.hpp" + +namespace proof_system::pcs { +template +bool OpeningClaim::verify(std::shared_ptr ck, + const barretenberg::Polynomial& polynomial) const +{ + Fr real_eval = polynomial.evaluate(opening_pair.challenge); + if (real_eval != opening_pair.evaluation) { + return false; + } + // Note: real_commitment is a raw type, while commitment may be a linear combination. + auto real_commitment = ck->commit(polynomial); + return (real_commitment == commitment); +}; + +template class OpeningPair; +template class OpeningClaim; +template class MLEOpeningClaim; +template class OpeningPair; +template class OpeningClaim; +template class MLEOpeningClaim; +} // namespace proof_system::pcs 
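Review bot: In the new claim.cpp, `OpeningClaim::verify` dereferences `ck` at `ck->commit(polynomial)` without checking it, so an empty `std::shared_ptr` handed in by a caller becomes a null dereference inside the check. A guard ahead of the commitment, for example `ASSERT(ck != nullptr);`, would make that failure explicit; the macro appears elsewhere in this series, but whether it is reachable from claim.cpp is not visible here. The function also takes the full witness polynomial, so it looks like a prover-side or test consistency check rather than a succinct verification. A short comment on the definition such as `// Recomputes the commitment from the witness polynomial; a consistency check, not proof verification.` would keep callers from mistaking it for one. The `};` that closes the function body leaves a stray semicolon at namespace scope, which `-Wextra-semi` reports.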
diff --git a/cpp/src/barretenberg/proof_system/pcs/claim.hpp b/cpp/src/barretenberg/proof_system/pcs/claim.hpp index f80fd1d974..67efe9922f 100644 --- a/cpp/src/barretenberg/proof_system/pcs/claim.hpp +++ b/cpp/src/barretenberg/proof_system/pcs/claim.hpp @@ -1,8 +1,9 @@ #pragma once #include "barretenberg/polynomials/polynomial.hpp" - +#include "commitment_key.hpp" namespace proof_system::pcs { + /** * @brief Opening pair (r,v) for some witness polynomial p(X) such that p(r) = v * @@ -17,7 +18,6 @@ template class OpeningPair { bool operator==(const OpeningPair& other) const = default; }; - /** * @brief Unverified claim (C,r,v) for some witness polynomial p(X) such that * - C = Commit(p(X)) @@ -44,16 +44,7 @@ template class OpeningClaim { * @param polynomial the claimed witness polynomial p(X) * @return C = Commit(p(X)) && p(r) = v */ - bool verify(std::shared_ptr ck, const barretenberg::Polynomial& polynomial) const - { - Fr real_eval = polynomial.evaluate(opening_pair.challenge); - if (real_eval != opening_pair.evaluation) { - return false; - } - // Note: real_commitment is a raw type, while commitment may be a linear combination. - auto real_commitment = ck->commit(polynomial); - return (real_commitment == commitment); - }; + bool verify(std::shared_ptr ck, const barretenberg::Polynomial& polynomial) const; bool operator==(const OpeningClaim& other) const = default; }; @@ -90,4 +81,11 @@ template class MLEOpeningClaim { // v↺ = g(u) = a₁⋅L₀(u) + … + aₙ₋₁⋅Lₙ₋₂(u) Fr evaluation; }; + +extern template class OpeningPair; +extern template class OpeningClaim; +extern template class MLEOpeningClaim; +extern template class OpeningPair; +extern template class OpeningClaim; +extern template class MLEOpeningClaim; } // namespace proof_system::pcs
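Review bot: The six `extern template` declarations added at the end of claim.hpp have to match the six explicit instantiations in claim.cpp one for one, and neither file says so. Because the hunk at -44,16 reduces `OpeningClaim::verify` to a declaration, a parameter set missing from the claim.cpp list no longer fails at compile time. It fails at link time with an undefined reference to `verify`. I would add `// Explicit instantiations live in claim.cpp; keep both lists in sync when adding a new Params type.` directly above the `extern template` block.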