Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
hypernova_prover.cpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: Complete, auditors: [Sergei], commit: }
3// external_1: { status: not started, auditors: [], commit: }
4// external_2: { status: not started, auditors: [], commit: }
5// =====================
6
7#include "barretenberg/hypernova/hypernova_prover.hpp"
8#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp"
9#include "barretenberg/hypernova/hypernova_batching_challenges.hpp"
10#include "barretenberg/multilinear_batching/multilinear_batching_prover.hpp"
11
12namespace bb {
13
14template <size_t N>
15HypernovaFoldingProver::Commitment HypernovaFoldingProver::batch_mul(const RefArray<Commitment, N>& _points,
16 const std::vector<FF>& scalars)
17{
18 std::vector<Commitment> points(N);
19 for (size_t idx = 0; idx < N; ++idx) {
20 points[idx] = _points[idx];
21 }
22 return Commitment::batch_mul(points, scalars);
23}
24
25HypernovaFoldingProver::Accumulator HypernovaFoldingProver::sumcheck_output_to_accumulator(
26 HypernovaFoldingProver::MegaSumcheckOutput& sumcheck_output,
27 const std::shared_ptr<typename HypernovaFoldingProver::ProverInstance>& instance,
28 const std::shared_ptr<typename HypernovaFoldingProver::VerificationKey>& honk_vk)
29{
30 BB_BENCH_NAME("HypernovaFoldingProver::sumcheck_output_to_accumulator");
31
32 // Generate challenges to batch shifted and unshifted polynomials/commitments/evaluation
33 auto [unshifted_challenges, shifted_challenges] =
34 get_hypernova_batching_challenges<FF>(transcript, NUM_UNSHIFTED_ENTITIES, NUM_SHIFTED_ENTITIES);
35
36 // Batch polynomials
37 Polynomial<FF> batched_unshifted_polynomial = batch_polynomials<Flavor::NUM_UNSHIFTED_ENTITIES>(
38 instance->polynomials.get_unshifted(), instance->dyadic_size(), unshifted_challenges);
39 Polynomial<FF> batched_shifted_polynomial = batch_polynomials<Flavor::NUM_SHIFTED_ENTITIES>(
40 instance->polynomials.get_to_be_shifted(), instance->dyadic_size(), shifted_challenges);
41
42 // Batch evaluations
43 FF batched_unshifted_evaluation(0);
44 FF batched_shifted_evaluation(0);
45
46 for (auto [eval, challenge] : zip_view(sumcheck_output.claimed_evaluations.get_unshifted(), unshifted_challenges)) {
47 batched_unshifted_evaluation += eval * challenge;
48 }
49 for (auto [eval, challenge] : zip_view(sumcheck_output.claimed_evaluations.get_shifted(), shifted_challenges)) {
50 batched_shifted_evaluation += eval * challenge;
51 }
52
53 // Batch commitments
54 VerifierCommitments verifier_commitments(honk_vk, instance->commitments);
55
56 Commitment batched_unshifted_commitment = batch_mul(verifier_commitments.get_unshifted(), unshifted_challenges);
57 Commitment batched_shifted_commitment = batch_mul(verifier_commitments.get_to_be_shifted(), shifted_challenges);
58
59 return Accumulator{
60 .challenge = std::move(sumcheck_output.challenge),
61 .non_shifted_evaluation = batched_unshifted_evaluation,
62 .shifted_evaluation = batched_shifted_evaluation,
63 .non_shifted_polynomial = std::move(batched_unshifted_polynomial),
64 .shifted_polynomial = std::move(batched_shifted_polynomial),
65 .non_shifted_commitment = batched_unshifted_commitment,
66 .shifted_commitment = batched_shifted_commitment,
67 .dyadic_size = instance->dyadic_size(),
68 };
69};
70
71template <size_t N>
72Polynomial<HypernovaFoldingProver::FF> HypernovaFoldingProver::batch_polynomials(
73 RefArray<Polynomial<FF>, N> polynomials_to_batch,
74 const size_t& full_batched_size,
75 const std::vector<FF>& challenges)
76{
77 BB_BENCH_NAME("HypernovaFoldingProver::batch_polynomials");
78 BB_ASSERT_EQ(full_batched_size,
79 polynomials_to_batch[0].virtual_size(),
80 "The virtual size of the first polynomial is different from the full batched size.");
81 BB_ASSERT_EQ(
82 challenges.size(), N, "The number of challenges provided does not match the number of polynomials to batch.");
83
84 // Ensure the first polynomial has enough backing to accumulate all others (they may have different backing sizes
85 // and/or start indices). add_scaled requires destination start_index <= source start_index.
86 size_t min_start = polynomials_to_batch[0].start_index();
87 size_t max_end = polynomials_to_batch[0].end_index();
88 for (size_t idx = 1; idx < N; idx++) {
89 min_start = std::min(min_start, polynomials_to_batch[idx].start_index());
90 max_end = std::max(max_end, polynomials_to_batch[idx].end_index());
91 }
92
93 if (min_start < polynomials_to_batch[0].start_index() || max_end > polynomials_to_batch[0].end_index()) {
94 Polynomial<FF> result(max_end - min_start, full_batched_size, min_start);
95 result += polynomials_to_batch[0];
96 for (size_t idx = 1; idx < N; idx++) {
97 result.add_scaled(polynomials_to_batch[idx], challenges[idx]);
98 }
99 return result;
100 }
101
102 for (size_t idx = 1; idx < N; idx++) {
103 polynomials_to_batch[0].add_scaled(polynomials_to_batch[idx], challenges[idx]);
104 }
105
106 return polynomials_to_batch[0];
107};
108
109HypernovaFoldingProver::Accumulator HypernovaFoldingProver::instance_to_accumulator(
110 const std::shared_ptr<typename HypernovaFoldingProver::ProverInstance>& instance,
111 const std::shared_ptr<VerificationKey>& honk_vk)
112{
113 BB_BENCH_NAME("HypernovaFoldingProver::instance_to_accumulator");
114
115 vinfo("HypernovaFoldingProver: converting instance to accumulator...");
116
117 // Complete the incoming instance
118 auto precomputed_vk = honk_vk ? honk_vk : std::make_shared<VerificationKey>(instance->get_precomputed());
119 MegaOinkProver oink_prover{ instance, precomputed_vk, transcript };
120 oink_prover.prove();
121
122 instance->gate_challenges = transcript->template get_dyadic_powers_of_challenge<FF>(
123 "HypernovaFoldingProver:gate_challenge", Flavor::VIRTUAL_LOG_N);
124
125 // Run Sumcheck with padding
126 MegaSumcheckProver sumcheck(instance->dyadic_size(),
127 instance->polynomials,
128 transcript,
129 instance->alpha,
130 instance->gate_challenges,
131 instance->relation_parameters,
132 Flavor::VIRTUAL_LOG_N);
133 auto sumcheck_output = sumcheck.prove();
134
135 Accumulator accumulator = sumcheck_output_to_accumulator(sumcheck_output, instance, precomputed_vk);
136
137 vinfo("HypernovaFoldingProver: accumulator constructed.");
138
139 return accumulator;
140}
141
142std::pair<HonkProof, HypernovaFoldingProver::Accumulator> HypernovaFoldingProver::fold(
143 Accumulator&& accumulator,
144 const std::shared_ptr<ProverInstance>& instance,
145 const std::shared_ptr<VerificationKey>& honk_vk)
146{
147 Accumulator incoming_accumulator = instance_to_accumulator(instance, honk_vk);
148
149 // Sumcheck
150 MultilinearBatchingProver batching_prover(std::move(accumulator), std::move(incoming_accumulator), transcript);
151
152 HonkProof proof = batching_prover.construct_proof();
153
154 return { proof, batching_prover.compute_new_claim() };
155}
156} // namespace bb
BB_ASSERT_EQ
#define BB_ASSERT_EQ(actual, expected,...)
Definition assert.hpp:83
instance
std::shared_ptr< Napi::ThreadSafeFunction > instance
Definition avm_simulate_napi.cpp:128
BB_BENCH_NAME
#define BB_BENCH_NAME(name)
Definition bb_bench.hpp:225
bb::HypernovaFoldingProver::transcript
std::shared_ptr< Transcript > transcript
Definition hypernova_prover.hpp:88
bb::HypernovaFoldingProver::sumcheck_output_to_accumulator
Accumulator sumcheck_output_to_accumulator(MegaSumcheckOutput &sumcheck_output, const std::shared_ptr< ProverInstance > &instance, const std::shared_ptr< VerificationKey > &honk_vk)
Convert the output of the sumcheck run on the incoming instance into an accumulator.
Definition hypernova_prover.cpp:25
bb::HypernovaFoldingProver::NUM_SHIFTED_ENTITIES
static constexpr size_t NUM_SHIFTED_ENTITIES
Definition hypernova_prover.hpp:53
bb::HypernovaFoldingProver::NUM_UNSHIFTED_ENTITIES
static constexpr size_t NUM_UNSHIFTED_ENTITIES
Definition hypernova_prover.hpp:52
bb::HypernovaFoldingProver::instance_to_accumulator
Accumulator instance_to_accumulator(const std::shared_ptr< ProverInstance > &instance, const std::shared_ptr< VerificationKey > &honk_vk=nullptr)
Turn an instance into an accumulator by running Sumcheck.
Definition hypernova_prover.cpp:109
bb::HypernovaFoldingProver::batch_mul
Commitment batch_mul(const RefArray< Commitment, N > &_points, const std::vector< FF > &scalars)
Utility to perform batch mul of commitments.
Definition hypernova_prover.cpp:15
bb::HypernovaFoldingProver::batch_polynomials
static Polynomial< FF > batch_polynomials(RefArray< Polynomial< FF >, N > polynomials_to_batch, const size_t &full_batched_size, const std::vector< FF > &challenges)
Batch prover polynomials. Batching happens in place into the first polynomial in the RefArray supplie...
Definition hypernova_prover.cpp:72
bb::HypernovaFoldingProver::fold
std::pair< HonkProof, Accumulator > fold(Accumulator &&accumulator, const std::shared_ptr< ProverInstance > &instance, const std::shared_ptr< VerificationKey > &honk_vk=nullptr)
Fold an instance into an accumulator.
Definition hypernova_prover.cpp:142
bb::MegaFlavor::VerifierCommitments_
Definition mega_flavor.hpp:453
bb::MegaFlavor::WitnessEntities_::get_to_be_shifted
auto get_to_be_shifted()
Definition mega_flavor.hpp:252
bb::MegaFlavor::VIRTUAL_LOG_N
static constexpr size_t VIRTUAL_LOG_N
Definition mega_flavor.hpp:49
bb::MultilinearBatchingProver
Prover for multilinear batching - reduces two polynomial evaluation claims to one via sumcheck.
Definition multilinear_batching_prover.hpp:35
bb::MultilinearBatchingProver::construct_proof
HonkProof construct_proof()
Construct a multilinear batching proof.
Definition multilinear_batching_prover.cpp:116
bb::MultilinearBatchingProver::compute_new_claim
BB_PROFILE MultilinearBatchingProverClaim compute_new_claim()
Compute the batched output claim after sumcheck.
Definition multilinear_batching_prover.cpp:59
bb::OinkProver
Executes the "Oink" phase of the Honk proving protocol: the initial rounds that commit to witness dat...
Definition oink_prover.hpp:52
bb::OinkProver::prove
void prove(bool emit_alpha=true)
Commit to witnesses, compute relation parameters, and prepare for Sumcheck.
Definition oink_prover.cpp:22
bb::Polynomial
Structured polynomial class that represents the coefficients 'a' of a_0 + a_1 x .....
Definition polynomial.hpp:75
bb::Polynomial::add_scaled
void add_scaled(PolynomialSpan< const Fr > other, const Fr &scaling_factor)
adds the polynomial q(X) 'other', multiplied by a scaling factor.
Definition polynomial.cpp:250
bb::RefArray
A template class for a reference array. Behaves as if std::array<T&, N> was possible.
Definition ref_array.hpp:22
bb::SumcheckProver
The implementation of the sumcheck Prover for statements of the form for multilinear polynomials .
Definition sumcheck.hpp:298
bb::SumcheckProver::prove
SumcheckOutput< Flavor > prove()
Non-ZK version: Compute round univariate, place it in transcript, compute challenge,...
Definition sumcheck.hpp:396
zip_view
Definition zip_view.hpp:166
vinfo
#define vinfo(...)
Definition log.hpp:94
hypernova_batching_challenges.hpp
hypernova_prover.hpp
multilinear_batching_prover.hpp
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
bb::HonkProof
std::vector< fr > HonkProof
Definition proof.hpp:15
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
bb::MultilinearBatchingFlavor::ProverClaim
Prover's claim for multilinear batching - contains polynomials and their evaluation claims.
Definition multilinear_batching_flavor.hpp:137
bb::SumcheckOutput
Contains the evaluations of multilinear polynomials at the challenge point . These are computed by S...
Definition sumcheck_output.hpp:22
bb::SumcheckOutput::claimed_evaluations
ClaimedEvaluations claimed_evaluations
Definition sumcheck_output.hpp:30
bb::SumcheckOutput::challenge
std::vector< FF > challenge
Definition sumcheck_output.hpp:28