Barretenberg: src/barretenberg/commitment_schemes/gemini/gemini.hpp Source File

// === AUDIT STATUS ===

// internal:    { status: Complete, auditors: [Khashayar], commit: }

// external_1:  { status: not started, auditors: [], commit: }

// external_2:  { status: not started, auditors: [], commit: }

// =====================


#pragma once


#include "barretenberg/commitment_schemes/claim.hpp"

#include "barretenberg/commitment_schemes/claim_batcher.hpp"

#include "barretenberg/common/bb_bench.hpp"

#include "barretenberg/polynomials/polynomial.hpp"

#include "barretenberg/transcript/transcript.hpp"


namespace bb {


namespace gemini {


template <class Fr> inline std::vector<Fr> powers_of_rho(const Fr& rho, const size_t num_powers)

{

    std::vector<Fr> rhos = { Fr(1), rho };

    rhos.reserve(num_powers);

    for (size_t j = 2; j < num_powers; j++) {

        rhos.emplace_back(rhos[j - 1] * rho);

    }

    return rhos;

};


template <class Fr> inline std::vector<Fr> powers_of_evaluation_challenge(const Fr& r, const size_t num_squares)

{

    std::vector<Fr> squares = { r };

    squares.reserve(num_squares);

    for (size_t j = 1; j < num_squares; j++) {

        squares.emplace_back(squares[j - 1].sqr());

    }

    return squares;

};


} // namespace gemini


template <typename Curve> class GeminiProver_ {

    using Fr = typename Curve::ScalarField;

    using Commitment = typename Curve::AffineElement;

    using Polynomial = bb::Polynomial<Fr>;

    using Claim = ProverOpeningClaim<Curve>;


  public:


    class PolynomialBatcher {


        size_t full_batched_size = 0; // size of the full batched polynomial (generally the circuit size)

        size_t actual_data_size_ = 0; // max end_index across all polynomials (actual data extent)


        Polynomial batched_unshifted;            // linear combination of unshifted polynomials

        Polynomial batched_to_be_shifted_by_one; // linear combination of to-be-shifted polynomials


      public:

        RefVector<Polynomial> unshifted;            // set of unshifted polynomials

        RefVector<Polynomial> to_be_shifted_by_one; // set of polynomials to be left shifted by 1


        PolynomialBatcher(const size_t full_batched_size, const size_t actual_data_size = 0)

            : full_batched_size(full_batched_size)

            , actual_data_size_(actual_data_size == 0 ? full_batched_size : actual_data_size)

            , batched_unshifted(actual_data_size_, full_batched_size)

            , batched_to_be_shifted_by_one(Polynomial::shiftable(actual_data_size_, full_batched_size))

        {}


        bool has_unshifted() const { return unshifted.size() > 0; }

        bool has_to_be_shifted_by_one() const { return to_be_shifted_by_one.size() > 0; }


        // Set references to the polynomials to be batched

        void set_unshifted(RefVector<Polynomial> polynomials) { unshifted = polynomials; }

        void set_to_be_shifted_by_one(RefVector<Polynomial> polynomials) { to_be_shifted_by_one = polynomials; }


        Polynomial compute_batched(const Fr& challenge)

        {

            Fr running_scalar(1);

            BB_BENCH_NAME("compute_batched");

            // lambda for batching polynomials; updates the running scalar in place

            auto batch = [&](Polynomial& batched, const RefVector<Polynomial>& polynomials_to_batch) {

                for (auto& poly : polynomials_to_batch) {

                    batched.add_scaled(poly, running_scalar);

                    running_scalar *= challenge;

                }

            };


            Polynomial full_batched(full_batched_size);


            // compute the linear combination F of the unshifted polynomials

            if (has_unshifted()) {

                batch(batched_unshifted, unshifted);

                full_batched += batched_unshifted; // A₀ += F

            }


            // compute the linear combination G of the to-be-shifted polynomials

            if (has_to_be_shifted_by_one()) {

                batch(batched_to_be_shifted_by_one, to_be_shifted_by_one);

                full_batched += batched_to_be_shifted_by_one.shifted(); // A₀ += G/X

            }


            return full_batched;

        }


        std::pair<Polynomial, Polynomial> compute_partially_evaluated_batch_polynomials(const Fr& r_challenge)

        {

            // Initialize A₀₊ with only the actual data extent; virtual zeroes cover the rest

            Polynomial A_0_pos(actual_data_size_, full_batched_size); // A₀₊


            if (has_unshifted()) {

                A_0_pos += batched_unshifted; // A₀₊ += F

            }


            Polynomial A_0_neg = A_0_pos;


            if (has_to_be_shifted_by_one()) {

                Fr r_inv = r_challenge.invert();       // r⁻¹

                batched_to_be_shifted_by_one *= r_inv; // G = G/r


                A_0_pos += batched_to_be_shifted_by_one; // A₀₊ += G/r

                A_0_neg -= batched_to_be_shifted_by_one; // A₀₋ -= G/r

            }


            return { A_0_pos, A_0_neg };

        };


    };


    static std::vector<Polynomial> compute_fold_polynomials(const size_t log_n,

                                                            std::span<const Fr> multilinear_challenge,

                                                            const Polynomial& A_0,

                                                            const bool& has_zk = false);


    static std::vector<Claim> construct_univariate_opening_claims(const size_t log_n,

                                                                  Polynomial&& A_0_pos,

                                                                  Polynomial&& A_0_neg,

                                                                  std::vector<Polynomial>&& fold_polynomials,

                                                                  const Fr& r_challenge);


    template <typename Transcript>

    static std::vector<Claim> prove(size_t circuit_size,

                                    PolynomialBatcher& polynomial_batcher,

                                    std::span<Fr> multilinear_challenge,

                                    const CommitmentKey<Curve>& commitment_key,

                                    const std::shared_ptr<Transcript>& transcript,

                                    bool has_zk = false);


}; // namespace bb


template <typename Curve> class GeminiVerifier_ {

    using Fr = typename Curve::ScalarField;

    using Commitment = typename Curve::AffineElement;


  public:


    static std::vector<Commitment> get_fold_commitments(const size_t virtual_log_n, auto& transcript)

    {

        std::vector<Commitment> fold_commitments;

        fold_commitments.reserve(virtual_log_n - 1);

        for (size_t i = 1; i < virtual_log_n; ++i) {

            const Commitment commitment =

                transcript->template receive_from_prover<Commitment>("Gemini:FOLD_" + std::to_string(i));

            fold_commitments.emplace_back(commitment);

        }

        return fold_commitments;

    }


    static std::vector<Fr> get_gemini_evaluations(const size_t virtual_log_n, auto& transcript)

    {

        std::vector<Fr> gemini_evaluations;

        gemini_evaluations.reserve(virtual_log_n);


        for (size_t i = 1; i <= virtual_log_n; ++i) {

            const Fr evaluation = transcript->template receive_from_prover<Fr>("Gemini:a_" + std::to_string(i));

            gemini_evaluations.emplace_back(evaluation);

        }

        return gemini_evaluations;

    }


    static std::vector<Fr> compute_fold_pos_evaluations(std::span<const Fr> padding_indicator_array,

                                                        const Fr& batched_evaluation,

                                                        std::span<const Fr> evaluation_point, // size = virtual_log_n

                                                        std::span<const Fr> challenge_powers, // size = virtual_log_n

                                                        std::span<const Fr> fold_neg_evals)   // size = virtual_log_n

    {

        const size_t virtual_log_n = evaluation_point.size();


        std::vector<Fr> evals(fold_neg_evals.begin(), fold_neg_evals.end());


        Fr eval_pos_prev = batched_evaluation;


        std::vector<Fr> fold_pos_evaluations;

        fold_pos_evaluations.reserve(virtual_log_n);


        // Solve the sequence of linear equations

        for (size_t l = virtual_log_n; l != 0; --l) {

            // Get r²⁽ˡ⁻¹⁾

            const Fr& challenge_power = challenge_powers[l - 1];

            // Get uₗ₋₁

            const Fr& u = evaluation_point[l - 1];

            // Get A₍ₗ₋₁₎(−r²⁽ˡ⁻¹⁾)

            const Fr& eval_neg = evals[l - 1];

            // Compute the numerator

            Fr eval_pos = ((challenge_power * eval_pos_prev * 2) - eval_neg * (challenge_power * (Fr(1) - u) - u));

            // Divide by the denominator

            eval_pos *= (challenge_power * (Fr(1) - u) + u).invert();


            // If current index is bigger than log_n, we propagate `batched_evaluation` to the next

            // round.  Otherwise, current `eval_pos` A₍ₗ₋₁₎(r²⁽ˡ⁻¹⁾) becomes `eval_pos_prev` in the round l-2.

            eval_pos_prev =

                padding_indicator_array[l - 1] * eval_pos + (Fr{ 1 } - padding_indicator_array[l - 1]) * eval_pos_prev;

            // If current index is bigger than log_n, we emplace 0, which is later multiplied against

            // Commitment::one().

            fold_pos_evaluations.emplace_back(padding_indicator_array[l - 1] * eval_pos_prev);

        }


        std::reverse(fold_pos_evaluations.begin(), fold_pos_evaluations.end());


        return fold_pos_evaluations;

    }


};


} // namespace bb

bb_bench.hpp

BB_BENCH_NAME
#define BB_BENCH_NAME(name)
Definition bb_bench.hpp:225

claim.hpp

claim_batcher.hpp

bb::CommitmentKey
CommitmentKey object over a pairing group 𝔾₁.
Definition commitment_key.hpp:35

bb::GeminiProver_::PolynomialBatcher
Class responsible for computation of the batched multilinear polynomials required by the Gemini proto...
Definition gemini.hpp:125

bb::GeminiProver_::PolynomialBatcher::set_to_be_shifted_by_one
void set_to_be_shifted_by_one(RefVector< Polynomial > polynomials)
Definition gemini.hpp:149

bb::GeminiProver_::PolynomialBatcher::has_to_be_shifted_by_one
bool has_to_be_shifted_by_one() const
Definition gemini.hpp:145

bb::GeminiProver_::PolynomialBatcher::actual_data_size_
size_t actual_data_size_
Definition gemini.hpp:128

bb::GeminiProver_::PolynomialBatcher::PolynomialBatcher
PolynomialBatcher(const size_t full_batched_size, const size_t actual_data_size=0)
Definition gemini.hpp:137

bb::GeminiProver_::PolynomialBatcher::set_unshifted
void set_unshifted(RefVector< Polynomial > polynomials)
Definition gemini.hpp:148

bb::GeminiProver_::PolynomialBatcher::batched_unshifted
Polynomial batched_unshifted
Definition gemini.hpp:130

bb::GeminiProver_::PolynomialBatcher::full_batched_size
size_t full_batched_size
Definition gemini.hpp:127

bb::GeminiProver_::PolynomialBatcher::compute_batched
Polynomial compute_batched(const Fr &challenge)
Compute batched polynomial A₀ = F + G/X as the linear combination of all polynomials to be opened,...
Definition gemini.hpp:159

bb::GeminiProver_::PolynomialBatcher::to_be_shifted_by_one
RefVector< Polynomial > to_be_shifted_by_one
Definition gemini.hpp:135

bb::GeminiProver_::PolynomialBatcher::compute_partially_evaluated_batch_polynomials
std::pair< Polynomial, Polynomial > compute_partially_evaluated_batch_polynomials(const Fr &r_challenge)
Compute partially evaluated batched polynomials A₀(X, r) = A₀₊ = F + G/r, A₀(X, -r) = A₀₋ = F - G/r.
Definition gemini.hpp:194

bb::GeminiProver_::PolynomialBatcher::unshifted
RefVector< Polynomial > unshifted
Definition gemini.hpp:134

bb::GeminiProver_::PolynomialBatcher::has_unshifted
bool has_unshifted() const
Definition gemini.hpp:144

bb::GeminiProver_::PolynomialBatcher::batched_to_be_shifted_by_one
Polynomial batched_to_be_shifted_by_one
Definition gemini.hpp:131

bb::GeminiProver_
Definition gemini.hpp:104

bb::GeminiProver_::prove
static std::vector< Claim > prove(size_t circuit_size, PolynomialBatcher &polynomial_batcher, std::span< Fr > multilinear_challenge, const CommitmentKey< Curve > &commitment_key, const std::shared_ptr< Transcript > &transcript, bool has_zk=false)

bb::GeminiProver_::construct_univariate_opening_claims
static std::vector< Claim > construct_univariate_opening_claims(const size_t log_n, Polynomial &&A_0_pos, Polynomial &&A_0_neg, std::vector< Polynomial > &&fold_polynomials, const Fr &r_challenge)
Computes/aggragates d+1 univariate polynomial opening claims of the form {polynomial,...
Definition gemini_impl.hpp:205

bb::GeminiProver_::Fr
typename Curve::ScalarField Fr
Definition gemini.hpp:105

bb::GeminiProver_::Commitment
typename Curve::AffineElement Commitment
Definition gemini.hpp:106

bb::GeminiProver_::compute_fold_polynomials
static std::vector< Polynomial > compute_fold_polynomials(const size_t log_n, std::span< const Fr > multilinear_challenge, const Polynomial &A_0, const bool &has_zk=false)
Computes d-1 fold polynomials Fold_i, i = 1, ..., d-1.
Definition gemini_impl.hpp:110

bb::GeminiVerifier_
Gemini Verifier utility methods used by ShpleminiVerifier.
Definition gemini.hpp:241

bb::GeminiVerifier_::Fr
typename Curve::ScalarField Fr
Definition gemini.hpp:242

bb::GeminiVerifier_::compute_fold_pos_evaluations
static std::vector< Fr > compute_fold_pos_evaluations(std::span< const Fr > padding_indicator_array, const Fr &batched_evaluation, std::span< const Fr > evaluation_point, std::span< const Fr > challenge_powers, std::span< const Fr > fold_neg_evals)
Compute .
Definition gemini.hpp:319

bb::GeminiVerifier_::get_fold_commitments
static std::vector< Commitment > get_fold_commitments(const size_t virtual_log_n, auto &transcript)
Receive the fold commitments from the prover. This method is used by Shplemini where padding may be e...
Definition gemini.hpp:254

bb::GeminiVerifier_::get_gemini_evaluations
static std::vector< Fr > get_gemini_evaluations(const size_t virtual_log_n, auto &transcript)
Receive the fold evaluations from the prover. This method is used by Shplemini where padding may be e...
Definition gemini.hpp:275

bb::GeminiVerifier_::Commitment
typename Curve::AffineElement Commitment
Definition gemini.hpp:243

bb::Polynomial
Structured polynomial class that represents the coefficients 'a' of a_0 + a_1 x .....
Definition polynomial.hpp:75

bb::Polynomial::shifted
Polynomial shifted() const
Returns a Polynomial the left-shift of self.
Definition polynomial.cpp:270

bb::Polynomial::add_scaled
void add_scaled(PolynomialSpan< const Fr > other, const Fr &scaling_factor)
adds the polynomial q(X) 'other', multiplied by a scaling factor.
Definition polynomial.cpp:250

bb::ProverOpeningClaim
Polynomial p and an opening pair (r,v) such that p(r) = v.
Definition claim.hpp:36

bb::RefVector
A template class for a reference vector. Behaves as if std::vector<T&> was possible.
Definition ref_vector.hpp:24

bb::curve::Grumpkin::AffineElement
typename Group::affine_element AffineElement
Definition grumpkin.hpp:65

bb::curve::Grumpkin::ScalarField
bb::fq ScalarField
Definition grumpkin.hpp:61

bb::gemini::powers_of_evaluation_challenge
std::vector< Fr > powers_of_evaluation_challenge(const Fr &r, const size_t num_squares)
Compute squares of folding challenge r.
Definition gemini.hpp:93

bb::gemini::powers_of_rho
std::vector< Fr > powers_of_rho(const Fr &rho, const size_t num_powers)
Compute powers of challenge ρ
Definition gemini.hpp:76

bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

std::to_string
std::string to_string(bb::avm2::ValueTag tag)
Definition tagged_value.cpp:402

Fr
Curve::ScalarField Fr
Definition pippenger.bench.cpp:20

polynomial.hpp

bb::field< Bn254FrParams >

transcript.hpp