refactor: Optimizing build times for polynomial commitment scheme module

cpp/src/barretenberg/honk/composer/composer_helper/standard_honk_composer_helper.cpp

@@ -1,6 +1,6 @@
 #include "standard_honk_composer_helper.hpp"
 #include "barretenberg/polynomials/polynomial.hpp"
-#include "barretenberg/honk/pcs/commitment_key.hpp"
+#include "barretenberg/proof_system/pcs/commitment_key.hpp"
 #include "barretenberg/numeric/bitop/get_msb.hpp"
 #include "barretenberg/srs/factories/crs_factory.hpp"
 

cpp/src/barretenberg/honk/flavor/standard.hpp

@@ -5,14 +5,14 @@
 #include <string>
 #include <type_traits>
 #include <vector>
-#include "barretenberg/honk/pcs/commitment_key.hpp"
+#include "barretenberg/proof_system/pcs/commitment_key.hpp"
 #include "barretenberg/honk/sumcheck/polynomials/barycentric_data.hpp"
-#include "barretenberg/honk/pcs/kzg/kzg.hpp"
+#include "barretenberg/proof_system/pcs/kzg/kzg.hpp"
 #include "barretenberg/honk/sumcheck/polynomials/univariate.hpp"
 #include "barretenberg/ecc/curves/bn254/g1.hpp"
 #include "barretenberg/honk/sumcheck/relations/arithmetic_relation.hpp"
 #include "barretenberg/honk/sumcheck/relations/permutation_relation.hpp"
-#include "barretenberg/honk/transcript/transcript.hpp"
+#include "barretenberg/proof_system/transcript/transcript.hpp"
 #include "barretenberg/polynomials/evaluation_domain.hpp"
 #include "barretenberg/polynomials/polynomial.hpp"
 #include "barretenberg/proof_system/circuit_constructors/standard_circuit_constructor.hpp"
@@ -39,8 +39,8 @@ class Standard {
     using GroupElement = G1::element;
     using Commitment = G1::affine_element;
     using CommitmentHandle = G1::affine_element;
-    using PCSParams = pcs::kzg::Params;
-    using PCS = pcs::kzg::KZG<PCSParams>;
+    using PCSParams = proof_system::pcs::kzg::Params;
+    using PCS = proof_system::pcs::kzg::KZG<PCSParams>;
 
     static constexpr size_t NUM_WIRES = CircuitConstructor::NUM_WIRES;
     // The number of multivariate polynomials on which a sumcheck prover sumcheck operates (including shifts). We often

cpp/src/barretenberg/honk/flavor/standard_grumpkin.hpp

@@ -5,14 +5,14 @@
 #include <string>
 #include <type_traits>
 #include <vector>
-#include "barretenberg/honk/pcs/commitment_key.hpp"
+#include "barretenberg/proof_system/pcs/commitment_key.hpp"
 #include "barretenberg/honk/sumcheck/polynomials/barycentric_data.hpp"
-#include "barretenberg/honk/pcs/ipa/ipa.hpp"
+#include "barretenberg/proof_system/pcs/ipa/ipa.hpp"
 #include "barretenberg/honk/sumcheck/polynomials/univariate.hpp"
 #include "barretenberg/ecc/curves/bn254/g1.hpp"
 #include "barretenberg/honk/sumcheck/relations/arithmetic_relation.hpp"
 #include "barretenberg/honk/sumcheck/relations/permutation_relation.hpp"
-#include "barretenberg/honk/transcript/transcript.hpp"
+#include "barretenberg/proof_system/transcript/transcript.hpp"
 #include "barretenberg/polynomials/evaluation_domain.hpp"
 #include "barretenberg/polynomials/polynomial.hpp"
 #include "barretenberg/proof_system/circuit_constructors/standard_circuit_constructor.hpp"
@@ -31,8 +31,8 @@ class StandardGrumpkin {
     using GroupElement = G1::element;
     using Commitment = G1::affine_element;
     using CommitmentHandle = G1::affine_element;
-    using PCSParams = pcs::ipa::Params;
-    using PCS = pcs::ipa::IPA<PCSParams>;
+    using PCSParams = proof_system::pcs::ipa::Params;
+    using PCS = proof_system::pcs::ipa::IPA<PCSParams>;
     static constexpr size_t NUM_WIRES = CircuitConstructor::NUM_WIRES;
     // The number of multivariate polynomials on which a sumcheck prover sumcheck operates (including shifts). We often
     // need containers of this size to hold related data, so we choose a name more agnostic than `NUM_POLYNOMIALS`

cpp/src/barretenberg/honk/flavor/ultra.hpp

@@ -5,12 +5,12 @@
 #include <string>
 #include <type_traits>
 #include <vector>
-#include "barretenberg/honk/pcs/commitment_key.hpp"
+#include "barretenberg/proof_system/pcs/commitment_key.hpp"
 #include "barretenberg/honk/sumcheck/polynomials/barycentric_data.hpp"
-#include "barretenberg/honk/pcs/kzg/kzg.hpp"
+#include "barretenberg/proof_system/pcs/kzg/kzg.hpp"
 #include "barretenberg/honk/sumcheck/polynomials/univariate.hpp"
 #include "barretenberg/ecc/curves/bn254/g1.hpp"
-#include "barretenberg/honk/transcript/transcript.hpp"
+#include "barretenberg/proof_system/transcript/transcript.hpp"
 #include "barretenberg/polynomials/evaluation_domain.hpp"
 #include "barretenberg/polynomials/polynomial.hpp"
 #include "barretenberg/proof_system/circuit_constructors/ultra_circuit_constructor.hpp"
@@ -38,8 +38,8 @@ class Ultra {
     // UltraHonk will be run with KZG by default but temporarily we set the commitment to IPA to
     // be able to do e2e tests with this pcs as well
     // TODO: instantiate this with both IPA and KZG when the templating work is finished
-    using PCSParams = pcs::kzg::Params;
-    using PCS = pcs::kzg::KZG<PCSParams>;
+    using PCSParams = proof_system::pcs::kzg::Params;
+    using PCS = proof_system::pcs::kzg::KZG<PCSParams>;
 
     static constexpr size_t NUM_WIRES = CircuitConstructor::NUM_WIRES;
     // The number of multivariate polynomials on which a sumcheck prover sumcheck operates (including shifts). We often

cpp/src/barretenberg/honk/flavor/ultra_grumpkin.hpp

@@ -5,12 +5,12 @@
 #include <string>
 #include <type_traits>
 #include <vector>
-#include "barretenberg/honk/pcs/commitment_key.hpp"
+#include "barretenberg/proof_system/pcs/commitment_key.hpp"
 #include "barretenberg/honk/sumcheck/polynomials/barycentric_data.hpp"
-#include "barretenberg/honk/pcs/ipa/ipa.hpp"
+#include "barretenberg/proof_system/pcs/ipa/ipa.hpp"
 #include "barretenberg/honk/sumcheck/polynomials/univariate.hpp"
 #include "barretenberg/ecc/curves/bn254/g1.hpp"
-#include "barretenberg/honk/transcript/transcript.hpp"
+#include "barretenberg/proof_system/transcript/transcript.hpp"
 #include "barretenberg/polynomials/evaluation_domain.hpp"
 #include "barretenberg/polynomials/polynomial.hpp"
 #include "barretenberg/proof_system/circuit_constructors/ultra_circuit_constructor.hpp"
@@ -36,8 +36,8 @@ class UltraGrumpkin {
     using GroupElement = G1::element;
     using Commitment = G1::affine_element;
     using CommitmentHandle = G1::affine_element;
-    using PCSParams = pcs::ipa::Params;
-    using PCS = pcs::ipa::IPA<PCSParams>;
+    using PCSParams = proof_system::pcs::ipa::Params;
+    using PCS = proof_system::pcs::ipa::IPA<PCSParams>;
 
     static constexpr size_t NUM_WIRES = CircuitConstructor::NUM_WIRES;
     // The number of multivariate polynomials on which a sumcheck prover sumcheck operates (including shifts). We often

cpp/src/barretenberg/honk/pcs/gemini/gemini.cpp

@@ -360,6 +360,6 @@ std::pair<typename Params::GroupElement, typename Params::GroupElement> Multilin
     }
     return { C0_r_pos, C0_r_neg };
 };
-template class MultilinearReductionScheme<proof_system::honk::pcs::kzg::Params>;
-template class MultilinearReductionScheme<proof_system::honk::pcs::ipa::Params>;
+template class MultilinearReductionScheme<proof_system::pcs::kzg::Params>;
+template class MultilinearReductionScheme<proof_system::pcs::ipa::Params>;
 }; // namespace proof_system::honk::pcs::gemini

cpp/src/barretenberg/honk/pcs/gemini/gemini.hpp

@@ -1,12 +1,13 @@
 #pragma once
 
-#include "../claim.hpp"
-#include "barretenberg/honk/pcs/commitment_key.hpp"
+#include "barretenberg/proof_system/pcs/claim.hpp"
+#include "barretenberg/proof_system/pcs/commitment_key.hpp"
 #include "barretenberg/polynomials/polynomial.hpp"
-#include "barretenberg/honk/transcript/transcript.hpp"
+#include "barretenberg/proof_system/transcript/transcript.hpp"
 
 #include <vector>
 
+using namespace proof_system::pcs;
 /**
  * @brief Protocol for opening several multi-linear polynomials at the same point.
  *
@@ -44,7 +45,6 @@
  * since they are linear-combinations of the commitments [fⱼ] and [gⱼ].
  */
 namespace proof_system::honk::pcs::gemini {
-
 /**
  * @brief Prover output (evalutation pair, witness) that can be passed on to Shplonk batch opening.
  * @details Evaluation pairs {r, A₀₊(r)}, {-r, A₀₋(-r)}, {-r^{2^j}, Aⱼ(-r^{2^j)}, j = [1, ..., m-1]

cpp/src/barretenberg/honk/pcs/gemini/gemini.test.cpp

@@ -1,8 +1,10 @@
 #include "gemini.hpp"
 
-#include "../commitment_key.test.hpp"
-#include "barretenberg/honk/transcript/transcript.hpp"
+#include "barretenberg/proof_system/pcs/commitment_key.test.hpp"
+#include "barretenberg/proof_system/transcript/transcript.hpp"
 #include "barretenberg/polynomials/polynomial.hpp"
+#include "barretenberg/proof_system/pcs/shplonk/shplonk_single.hpp"
+#include "barretenberg/proof_system/pcs/kzg/kzg.hpp"
 #include <cstddef>
 #include <gtest/gtest.h>
 #include <span>
@@ -237,4 +239,128 @@ TYPED_TEST(GeminiTest, DoubleWithShift)
                                            multilinear_commitments_to_be_shifted);
 }
 
+/**
+ * @brief Test full PCS protocol: Gemini, Shplonk, KZG and pairing check
+ * @details Demonstrates the full PCS protocol as it is used in the construction and verification
+ * of a single Honk proof. (Expository comments included throughout).
+ *
+ */
+TYPED_TEST(GeminiTest, GeminiShplonkKzgWithShift)
+{
+    using Shplonk = shplonk::SingleBatchOpeningScheme<TypeParam>;
+    using Gemini = gemini::MultilinearReductionScheme<TypeParam>;
+    using KZG = kzg::KZG<TypeParam>;
+    using Fr = typename TypeParam::Fr;
+    using GroupElement = typename TypeParam::GroupElement;
+    using Polynomial = typename barretenberg::Polynomial<Fr>;
+
+    const size_t n = 16;
+    const size_t log_n = 4;
+
+    Fr rho = Fr::random_element();
+
+    // Generate multilinear polynomials, their commitments (genuine and mocked) and evaluations (genuine) at a random
+    // point.
+    const auto mle_opening_point = this->random_evaluation_point(log_n); // sometimes denoted 'u'
+    auto poly1 = this->random_polynomial(n);
+    auto poly2 = this->random_polynomial(n);
+    poly2[0] = Fr::zero(); // this property is required of polynomials whose shift is used
+
+    GroupElement commitment1 = this->commit(poly1);
+    GroupElement commitment2 = this->commit(poly2);
+
+    auto eval1 = poly1.evaluate_mle(mle_opening_point);
+    auto eval2 = poly2.evaluate_mle(mle_opening_point);
+    auto eval2_shift = poly2.evaluate_mle(mle_opening_point, true);
+
+    // Collect multilinear evaluations for input to prover
+    std::vector<Fr> multilinear_evaluations = { eval1, eval2, eval2_shift };
+
+    std::vector<Fr> rhos = Gemini::powers_of_rho(rho, multilinear_evaluations.size());
+
+    // Compute batched multivariate evaluation
+    Fr batched_evaluation = Fr::zero();
+    for (size_t i = 0; i < rhos.size(); ++i) {
+        batched_evaluation += multilinear_evaluations[i] * rhos[i];
+    }
+
+    // Compute batched polynomials
+    Polynomial batched_unshifted(n);
+    Polynomial batched_to_be_shifted(n);
+    batched_unshifted.add_scaled(poly1, rhos[0]);
+    batched_unshifted.add_scaled(poly2, rhos[1]);
+    batched_to_be_shifted.add_scaled(poly2, rhos[2]);
+
+    // Compute batched commitments
+    GroupElement batched_commitment_unshifted = GroupElement::zero();
+    GroupElement batched_commitment_to_be_shifted = GroupElement::zero();
+    batched_commitment_unshifted = commitment1 * rhos[0] + commitment2 * rhos[1];
+    batched_commitment_to_be_shifted = commitment2 * rhos[2];
+
+    auto prover_transcript = ProverTranscript<Fr>::init_empty();
+
+    // Run the full prover PCS protocol:
+
+    // Compute:
+    // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1
+    // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1
+    auto fold_polynomials = Gemini::compute_fold_polynomials(
+        mle_opening_point, std::move(batched_unshifted), std::move(batched_to_be_shifted));
+
+    for (size_t l = 0; l < log_n - 1; ++l) {
+        std::string label = "FOLD_" + std::to_string(l + 1);
+        auto commitment = this->ck()->commit(fold_polynomials[l + 2]);
+        prover_transcript.send_to_verifier(label, commitment);
+    }
+
+    const Fr r_challenge = prover_transcript.get_challenge("Gemini:r");
+
+    const auto [gemini_opening_pairs, gemini_witnesses] =
+        Gemini::compute_fold_polynomial_evaluations(mle_opening_point, std::move(fold_polynomials), r_challenge);
+
+    for (size_t l = 0; l < log_n; ++l) {
+        std::string label = "Gemini:a_" + std::to_string(l);
+        const auto& evaluation = gemini_opening_pairs[l + 1].evaluation;
+        prover_transcript.send_to_verifier(label, evaluation);
+    }
+
+    // Shplonk prover output:
+    // - opening pair: (z_challenge, 0)
+    // - witness: polynomial Q - Q_z
+    const Fr nu_challenge = prover_transcript.get_challenge("Shplonk:nu");
+    auto batched_quotient_Q = Shplonk::compute_batched_quotient(gemini_opening_pairs, gemini_witnesses, nu_challenge);
+    prover_transcript.send_to_verifier("Shplonk:Q", this->ck()->commit(batched_quotient_Q));
+
+    const Fr z_challenge = prover_transcript.get_challenge("Shplonk:z");
+    const auto [shplonk_opening_pair, shplonk_witness] = Shplonk::compute_partially_evaluated_batched_quotient(
+        gemini_opening_pairs, gemini_witnesses, std::move(batched_quotient_Q), nu_challenge, z_challenge);
+
+    // KZG prover:
+    // - Adds commitment [W] to transcript
+    KZG::compute_opening_proof(this->ck(), shplonk_opening_pair, shplonk_witness, prover_transcript);
+
+    // Run the full verifier PCS protocol with genuine opening claims (genuine commitment, genuine evaluation)
+
+    auto verifier_transcript = VerifierTranscript<Fr>::init_empty(prover_transcript);
+
+    // Gemini verifier output:
+    // - claim: d+1 commitments to Fold_{r}^(0), Fold_{-r}^(0), Fold^(l), d+1 evaluations a_0_pos, a_l, l = 0:d-1
+    auto gemini_verifier_claim = Gemini::reduce_verify(mle_opening_point,
+                                                       batched_evaluation,
+                                                       batched_commitment_unshifted,
+                                                       batched_commitment_to_be_shifted,
+                                                       verifier_transcript);
+
+    // Shplonk verifier claim: commitment [Q] - [Q_z], opening point (z_challenge, 0)
+    const auto shplonk_verifier_claim = Shplonk::reduce_verify(gemini_verifier_claim, verifier_transcript);
+
+    // KZG verifier:
+    // aggregates inputs [Q] - [Q_z] and [W] into an 'accumulator' (can perform pairing check on result)
+    bool verified = KZG::verify(this->vk(), shplonk_verifier_claim, verifier_transcript);
+
+    // Final pairing check: e([Q] - [Q_z] + z[W], [1]_2) = e([W], [x]_2)
+
+    EXPECT_EQ(verified, true);
+}
+
 } // namespace proof_system::honk::pcs::gemini