Barretenberg: src/barretenberg/commitment_schemes/shplonk/shplemini.hpp Source File

// === AUDIT STATUS ===

// internal:    { status: Complete, auditors: [Khashayar], commit: }

// external_1:  { status: not started, auditors: [], commit: }

// external_2:  { status: not started, auditors: [], commit: }

// =====================


#pragma once

#include "barretenberg/commitment_schemes/claim.hpp"

#include "barretenberg/commitment_schemes/claim_batcher.hpp"

#include "barretenberg/commitment_schemes/commitment_key.hpp"

#include "barretenberg/commitment_schemes/gemini/gemini_impl.hpp"

#include "barretenberg/commitment_schemes/shplonk/shplonk.hpp"

#include "barretenberg/commitment_schemes/small_subgroup_ipa/small_subgroup_ipa.hpp"

#include "barretenberg/commitment_schemes/verification_key.hpp"

#include "barretenberg/flavor/repeated_commitments_data.hpp"

#include "barretenberg/sumcheck/zk_sumcheck_data.hpp"

#include "barretenberg/transcript/origin_tag.hpp"

#include "barretenberg/transcript/transcript.hpp"


namespace bb {


template <typename Curve> class ShpleminiProver_ {

  public:

    using FF = typename Curve::ScalarField;

    using GroupElement = typename Curve::Element;

    using Commitment = typename Curve::AffineElement;

    using Polynomial = bb::Polynomial<FF>;

    using OpeningClaim = ProverOpeningClaim<Curve>;


    using VK = CommitmentKey<Curve>;

    using ShplonkProver = ShplonkProver_<Curve>;

    using GeminiProver = GeminiProver_<Curve>;

    using PolynomialBatcher = GeminiProver::PolynomialBatcher;


    template <typename Transcript>


    static OpeningClaim prove(size_t circuit_size,

                              PolynomialBatcher& polynomial_batcher,

                              std::span<FF> multilinear_challenge,

                              const CommitmentKey<Curve>& commitment_key,

                              const std::shared_ptr<Transcript>& transcript,

                              const std::array<Polynomial, NUM_SMALL_IPA_EVALUATIONS>& libra_polynomials = {},

                              const std::vector<Polynomial>& sumcheck_round_univariates = {},

                              const std::vector<std::array<FF, 3>>& sumcheck_round_evaluations = {})

    {

        // While Shplemini is not templated on Flavor, we derive ZK flag this way

        const bool has_zk = (libra_polynomials[0].size() > 0);


        // When padding is enabled, the size of the multilinear challenge may be bigger than the log of `circuit_size`.

        const size_t virtual_log_n = multilinear_challenge.size();


        std::vector<OpeningClaim> opening_claims = GeminiProver::prove(

            circuit_size, polynomial_batcher, multilinear_challenge, commitment_key, transcript, has_zk);

        // Create opening claims for Libra masking univariates and Sumcheck Round Univariates

        std::vector<OpeningClaim> libra_opening_claims;


        if (has_zk) {

            const auto gemini_r = opening_claims[0].opening_pair.challenge;

            libra_opening_claims = compute_libra_opening_claims(gemini_r, libra_polynomials, transcript);

        }


        // Currently, only used in ECCVM.

        std::vector<OpeningClaim> sumcheck_round_claims;


        if (!sumcheck_round_univariates.empty()) {

            sumcheck_round_claims = compute_sumcheck_round_claims(

                circuit_size, multilinear_challenge, sumcheck_round_univariates, sumcheck_round_evaluations);

        }


        return ShplonkProver::prove(

            commitment_key, opening_claims, transcript, libra_opening_claims, sumcheck_round_claims, virtual_log_n);

    };


    template <typename Transcript>


    static std::vector<OpeningClaim> compute_libra_opening_claims(

        const FF gemini_r,

        const std::array<Polynomial, NUM_SMALL_IPA_EVALUATIONS>& libra_polynomials,

        const std::shared_ptr<Transcript>& transcript)

    {

        OpeningClaim new_claim;


        std::vector<OpeningClaim> libra_opening_claims = {};


        static constexpr FF subgroup_generator = Curve::subgroup_generator;


        std::array<std::string, NUM_SMALL_IPA_EVALUATIONS> libra_eval_labels = {

            "Libra:concatenation_eval", "Libra:shifted_grand_sum_eval", "Libra:grand_sum_eval", "Libra:quotient_eval"

        };

        const std::array<FF, NUM_SMALL_IPA_EVALUATIONS> evaluation_points = {

            gemini_r, gemini_r * subgroup_generator, gemini_r, gemini_r

        };

        for (size_t idx = 0; idx < NUM_SMALL_IPA_EVALUATIONS; idx++) {

            new_claim.polynomial = std::move(libra_polynomials[idx]);

            new_claim.opening_pair.challenge = evaluation_points[idx];

            new_claim.opening_pair.evaluation = new_claim.polynomial.evaluate(evaluation_points[idx]);

            transcript->send_to_verifier(libra_eval_labels[idx], new_claim.opening_pair.evaluation);

            libra_opening_claims.push_back(new_claim);

        }


        return libra_opening_claims;

    }


    static std::vector<OpeningClaim> compute_sumcheck_round_claims(

        size_t circuit_size,

        std::span<FF> multilinear_challenge,

        const std::vector<Polynomial>& sumcheck_round_univariates,

        const std::vector<std::array<FF, 3>>& sumcheck_round_evaluations)

    {

        OpeningClaim new_claim;

        std::vector<OpeningClaim> sumcheck_round_claims = {};


        const size_t log_n = numeric::get_msb(circuit_size);

        for (size_t idx = 0; idx < log_n; idx++) {

            const std::vector<FF> evaluation_points = { FF(0), FF(1), multilinear_challenge[idx] };

            size_t eval_idx = 0;

            new_claim.polynomial = std::move(sumcheck_round_univariates[idx]);


            for (auto& eval_point : evaluation_points) {

                new_claim.opening_pair.challenge = eval_point;

                new_claim.opening_pair.evaluation = sumcheck_round_evaluations[idx][eval_idx];

                sumcheck_round_claims.push_back(new_claim);

                eval_idx++;

            }

        }


        return sumcheck_round_claims;

    }


};


template <typename Curve, bool HasZK> struct ShpleminiVerifierOutput_ {

    BatchOpeningClaim<Curve> batch_opening_claim;

};


template <typename Curve> struct ShpleminiVerifierOutput_<Curve, true> {

    BatchOpeningClaim<Curve> batch_opening_claim;

    bool consistency_checked;

};


template <typename Curve, bool HasZK = false> class ShpleminiVerifier_ {

    using Fr = typename Curve::ScalarField;

    using GroupElement = typename Curve::Element;

    using Commitment = typename Curve::AffineElement;

    using VK = VerifierCommitmentKey<Curve>;

    using ShplonkVerifier = ShplonkVerifier_<Curve>;

    using GeminiVerifier = GeminiVerifier_<Curve>;

    using ClaimBatcher = ClaimBatcher_<Curve>;

    using ShpleminiVerifierOutput = ShpleminiVerifierOutput_<Curve, HasZK>;


  public:

    template <typename Transcript>


    static ShpleminiVerifierOutput compute_batch_opening_claim(

        std::span<const Fr> padding_indicator_array,

        ClaimBatcher& claim_batcher,

        const std::vector<Fr>& multivariate_challenge,

        const Commitment& g1_identity,

        const std::shared_ptr<Transcript>& transcript,

        const RepeatedCommitmentsData& repeated_commitments = {},

        const std::array<Commitment, NUM_LIBRA_COMMITMENTS>& libra_commitments = {},

        const Fr& libra_univariate_evaluation = Fr{ 0 },

        const std::vector<Commitment>& sumcheck_round_commitments = {},

        const std::vector<std::array<Fr, 3>>& sumcheck_round_evaluations = {})


    {

        const size_t virtual_log_n = multivariate_challenge.size();


        const bool committed_sumcheck = !sumcheck_round_evaluations.empty();


        Fr batched_evaluation = Fr{ 0 };


        // Get the challenge ρ to batch commitments to multilinear polynomials and their shifts

        const Fr gemini_batching_challenge = transcript->template get_challenge<Fr>("rho");


        // Process Gemini transcript data:

        // - Get Gemini commitments (com(A₁), com(A₂), … , com(Aₙ₋₁))

        const std::vector<Commitment> fold_commitments =

            GeminiVerifier::get_fold_commitments(virtual_log_n, transcript);

        // - Get Gemini evaluation challenge r, that is used to open the Gemini fold polynomials Aᵢ, i = 0, … , d−1 on

        // r^{2^i}

        const Fr gemini_evaluation_challenge = transcript->template get_challenge<Fr>("Gemini:r");


        // - Get negative fold evaluations (A₀(−r), A₁(−r²), ... , Aₙ₋₁(−r²⁽ⁿ⁻¹⁾))

        const std::vector<Fr> gemini_fold_neg_evaluations =

            GeminiVerifier::get_gemini_evaluations(virtual_log_n, transcript);


        // - Compute vector (r, r², ... , r^{2^{d-1}}), where d = log_n

        const std::vector<Fr> gemini_eval_challenge_powers =

            gemini::powers_of_evaluation_challenge(gemini_evaluation_challenge, virtual_log_n);


        std::array<Fr, NUM_SMALL_IPA_EVALUATIONS> libra_evaluations;

        // In case of ZK, get the evaluations of Libra univariates from the transcript

        if constexpr (HasZK) {

            libra_evaluations[0] = transcript->template receive_from_prover<Fr>("Libra:concatenation_eval");

            libra_evaluations[1] = transcript->template receive_from_prover<Fr>("Libra:shifted_grand_sum_eval");

            libra_evaluations[2] = transcript->template receive_from_prover<Fr>("Libra:grand_sum_eval");

            libra_evaluations[3] = transcript->template receive_from_prover<Fr>("Libra:quotient_eval");


            // OriginTag false positive: Libra evaluations need to satisfy an identity where they

            // are mixing without challenge, it is safe because these evaluations are opened in Shplonk.

            if constexpr (Curve::is_stdlib_type) {

                for (auto& eval : libra_evaluations) {

                    eval.clear_round_provenance();

                }

            }

        }


        // Process Shplonk transcript data:

        // - Get Shplonk batching challenge

        const Fr shplonk_batching_challenge = transcript->template get_challenge<Fr>("Shplonk:nu");


        // Compute the powers of ν that are required for batching Gemini, SmallSubgroupIPA, and committed sumcheck

        // univariate opening claims.

        const std::vector<Fr> shplonk_batching_challenge_powers = compute_shplonk_batching_challenge_powers(

            shplonk_batching_challenge, virtual_log_n, HasZK, committed_sumcheck);

        // - Get the quotient commitment for the Shplonk batching of Gemini opening claims

        const auto Q_commitment = transcript->template receive_from_prover<Commitment>("Shplonk:Q");


        // Start populating the vector (Q, f₀, ... , fₖ₋₁, g₀, ... , gₘ₋₁, com(A₁), ... , com(A_{d-1}), [1]₁) where fᵢ

        // are the k commitments to unshifted polynomials and gⱼ are the m commitments to shifted polynomials

        std::vector<Commitment> commitments{ Q_commitment };


        // Get Shplonk opening point z

        const Fr shplonk_evaluation_challenge = transcript->template get_challenge<Fr>("Shplonk:z");


        // OriginTag false positive: All evaluations received above are PCS-bound.

        // The prover cannot choose them freely because they must satisfy the batched opening equation

        // verified by the pairing check. Tag them with the shplonk evaluation challenge.

        if constexpr (Curve::is_stdlib_type) {

            const auto challenge_tag = shplonk_evaluation_challenge.get_origin_tag();

            // Tag the Gemini fold evaluations

            for (auto& eval : const_cast<std::vector<Fr>&>(gemini_fold_neg_evaluations)) {

                eval.set_origin_tag(challenge_tag);

            }

        }


        // Start computing the scalar to be multiplied by [1]₁

        Fr constant_term_accumulator = Fr(0);


        // Initialize the vector of scalars placing the scalar 1 corresponding to Q_commitment

        std::vector<Fr> scalars;


        scalars.emplace_back(Fr(1));


        // Compute 1/(z − r), 1/(z + r), 1/(z - r²),  1/(z + r²), … , 1/(z - r^{2^{d-1}}), 1/(z + r^{2^{d-1}})

        // These represent the denominators of the summand terms in Shplonk partially evaluated polynomial Q_z

        const std::vector<Fr> inverse_vanishing_evals = ShplonkVerifier::compute_inverted_gemini_denominators(

            shplonk_evaluation_challenge, gemini_eval_challenge_powers);


        // Compute the additional factors to be multiplied with unshifted and shifted commitments when lazily

        // reconstructing the commitment of Q_z

        // For unshifted values, the scalar is computed as (1/(z−r) + ν/(z+r))

        // For shifted values, the scalar is computed as r⁻¹ ⋅ (1/(z−r) − ν/(z+r))

        claim_batcher.compute_scalars_for_each_batch(

            inverse_vanishing_evals, shplonk_batching_challenge, gemini_evaluation_challenge);


        // Place the commitments to prover polynomials in the commitments vector. Compute the evaluation of the

        // batched multilinear polynomial. Populate the vector of scalars for the final batch mul

        claim_batcher.update_batch_mul_inputs_and_batched_evaluation(

            commitments, scalars, batched_evaluation, gemini_batching_challenge);


        // Reconstruct Aᵢ(r²ⁱ) for i=0, ..., d - 1 from the batched evaluation of the multilinear polynomials and

        // Aᵢ(−r²ⁱ) for i = 0, ..., d - 1.

        const std::vector<Fr> gemini_fold_pos_evaluations =

            GeminiVerifier_<Curve>::compute_fold_pos_evaluations(padding_indicator_array,

                                                                 batched_evaluation,

                                                                 multivariate_challenge,

                                                                 gemini_eval_challenge_powers,

                                                                 gemini_fold_neg_evaluations);


        // Place the commitments to Gemini fold polynomials Aᵢ in the vector of batch_mul commitments, compute the

        // contributions from Aᵢ(−r²ⁱ) for i=1, … , d − 1 to the constant term accumulator, add corresponding scalars

        // for the batch mul

        batch_gemini_claims_received_from_prover(padding_indicator_array,

                                                 fold_commitments,

                                                 gemini_fold_neg_evaluations,

                                                 gemini_fold_pos_evaluations,

                                                 inverse_vanishing_evals,

                                                 shplonk_batching_challenge_powers,

                                                 commitments,

                                                 scalars,

                                                 constant_term_accumulator);

        const Fr a_0_pos = gemini_fold_pos_evaluations[0];

        // Add contributions from A₀₊(r) and  A₀₋(-r) to constant_term_accumulator:

        // Add  A₀₊(r)/(z−r) to the constant term accumulator

        constant_term_accumulator += a_0_pos * inverse_vanishing_evals[0];

        // Add  A₀₋(-r)/(z+r) to the constant term accumulator

        constant_term_accumulator +=

            gemini_fold_neg_evaluations[0] * shplonk_batching_challenge * inverse_vanishing_evals[1];


        remove_repeated_commitments(commitments, scalars, repeated_commitments, HasZK);

        // An optional boolean flag for SmallSubgroupIPAVerifier to check the consistency of the Libra evaluations

        bool consistency_checked = true;

        // For ZK flavors, the sumcheck output contains the evaluations of Libra univariates that submitted to the

        // ShpleminiVerifier, otherwise this argument is set to be empty

        if constexpr (HasZK) {

            add_zk_data(virtual_log_n,

                        commitments,

                        scalars,

                        constant_term_accumulator,

                        libra_commitments,

                        libra_evaluations,

                        gemini_evaluation_challenge,

                        shplonk_batching_challenge_powers,

                        shplonk_evaluation_challenge);


            consistency_checked = SmallSubgroupIPAVerifier<Curve>::check_libra_evaluations_consistency(

                libra_evaluations, gemini_evaluation_challenge, multivariate_challenge, libra_univariate_evaluation);

        }


        // Currently, only used in ECCVM

        if (committed_sumcheck) {

            batch_sumcheck_round_claims(commitments,

                                        scalars,

                                        constant_term_accumulator,

                                        multivariate_challenge,

                                        shplonk_batching_challenge_powers,

                                        shplonk_evaluation_challenge,

                                        sumcheck_round_commitments,

                                        sumcheck_round_evaluations);

        }


        // Finalize the batch opening claim

        commitments.emplace_back(g1_identity);

        scalars.emplace_back(constant_term_accumulator);


        BatchOpeningClaim<Curve> batch_opening_claim{ commitments, scalars, shplonk_evaluation_challenge };

        ShpleminiVerifierOutput output = [&]() {

            if constexpr (HasZK) {

                return ShpleminiVerifierOutput{ batch_opening_claim, consistency_checked };

            } else {

                return ShpleminiVerifierOutput{ batch_opening_claim };

            }

        }();

        return output;

    };


    static void batch_gemini_claims_received_from_prover(std::span<const Fr> padding_indicator_array,

                                                         const std::vector<Commitment>& fold_commitments,

                                                         std::span<const Fr> gemini_neg_evaluations,

                                                         std::span<const Fr> gemini_pos_evaluations,

                                                         std::span<const Fr> inverse_vanishing_evals,

                                                         std::span<const Fr> shplonk_batching_challenge_powers,

                                                         std::vector<Commitment>& commitments,

                                                         std::vector<Fr>& scalars,

                                                         Fr& constant_term_accumulator)

    {

        const size_t virtual_log_n = gemini_neg_evaluations.size();

        // Start from 1, because the commitment to A_0 is reconstructed from the commitments to the multilinear

        // polynomials. The corresponding evaluations are also handled separately.

        for (size_t j = 1; j < virtual_log_n; ++j) {

            // The index of 1/ (z - r^{2^{j}}) in the vector of inverted Gemini denominators

            const size_t pos_index = 2 * j;

            // The index of 1/ (z + r^{2^{j}}) in the vector of inverted Gemini denominators

            const size_t neg_index = (2 * j) + 1;


            // Compute the "positive" scaling factor  (ν^{2j}) / (z - r^{2^{j}})

            Fr scaling_factor_pos = shplonk_batching_challenge_powers[pos_index] * inverse_vanishing_evals[pos_index];

            // Compute the "negative" scaling factor  (ν^{2j+1}) / (z + r^{2^{j}})

            Fr scaling_factor_neg = shplonk_batching_challenge_powers[neg_index] * inverse_vanishing_evals[neg_index];


            // Accumulate the const term contribution given by

            // v^{2j} * A_j(r^{2^j}) /(z - r^{2^j}) + v^{2j+1} * A_j(-r^{2^j}) /(z+ r^{2^j})

            constant_term_accumulator +=

                scaling_factor_neg * gemini_neg_evaluations[j] + scaling_factor_pos * gemini_pos_evaluations[j];


            // Place the scaling factor to the 'scalars' vector

            scalars.emplace_back(-padding_indicator_array[j] * (scaling_factor_neg + scaling_factor_pos));

            // Move com(Aᵢ) to the 'commitments' vector

            commitments.emplace_back(std::move(fold_commitments[j - 1]));

        }

    }


    static void remove_repeated_commitments(std::vector<Commitment>& commitments,

                                            std::vector<Fr>& scalars,

                                            const RepeatedCommitmentsData& repeated_commitments,

                                            bool has_zk)

    {

        // The commitments/scalars vectors start with Shplonk:Q (and Gemini:masking_poly_comm if ZK)

        // before the prover polynomial commitments, so offset the AllEntities indices accordingly.

        const size_t offset = has_zk ? 2 : 1;


        const auto& r1 = repeated_commitments.first;

        const auto& r2 = repeated_commitments.second;

        const size_t first_original_start = r1.original_start + offset;

        const size_t first_duplicate_start = r1.duplicate_start + offset;

        const size_t second_original_start = r2.original_start + offset;

        const size_t second_duplicate_start = r2.duplicate_start + offset;


        // Fold duplicate scalars into their originals

        for (size_t i = 0; i < r1.count; i++) {

            scalars[i + first_original_start] = scalars[i + first_original_start] + scalars[i + first_duplicate_start];

        }

        for (size_t i = 0; i < r2.count; i++) {

            scalars[i + second_original_start] =

                scalars[i + second_original_start] + scalars[i + second_duplicate_start];

        }


        // Erase the duplicate entries (higher-index range first to preserve lower indices)

        auto erase_range = [&](size_t start, size_t count) {

            for (size_t i = 0; i < count; ++i) {

                scalars.erase(scalars.begin() + static_cast<std::ptrdiff_t>(start));

                commitments.erase(commitments.begin() + static_cast<std::ptrdiff_t>(start));

            }

        };

        if (second_duplicate_start > first_duplicate_start) {

            erase_range(second_duplicate_start, r2.count);

            erase_range(first_duplicate_start, r1.count);

        } else {

            erase_range(first_duplicate_start, r1.count);

            erase_range(second_duplicate_start, r2.count);

        }

    }


    static void add_zk_data(const size_t virtual_log_n,

                            std::vector<Commitment>& commitments,

                            std::vector<Fr>& scalars,

                            Fr& constant_term_accumulator,

                            const std::array<Commitment, NUM_LIBRA_COMMITMENTS>& libra_commitments,

                            const std::array<Fr, NUM_SMALL_IPA_EVALUATIONS>& libra_evaluations,

                            const Fr& gemini_evaluation_challenge,

                            const std::vector<Fr>& shplonk_batching_challenge_powers,

                            const Fr& shplonk_evaluation_challenge)


    {

        // add Libra commitments to the vector of commitments

        for (size_t idx = 0; idx < libra_commitments.size(); idx++) {

            commitments.push_back(libra_commitments[idx]);

        }


        // compute corresponding scalars and the correction to the constant term

        std::array<Fr, NUM_SMALL_IPA_EVALUATIONS> denominators;

        std::array<Fr, NUM_SMALL_IPA_EVALUATIONS> batching_scalars;

        // compute Shplonk denominators and invert them

        denominators[0] = Fr(1) / (shplonk_evaluation_challenge - gemini_evaluation_challenge);

        denominators[1] =

            Fr(1) / (shplonk_evaluation_challenge - Fr(Curve::subgroup_generator) * gemini_evaluation_challenge);

        denominators[2] = denominators[0];

        denominators[3] = denominators[0];


        // compute the scalars to be multiplied against the commitments [libra_concatenated], [grand_sum], [grand_sum],

        // and [libra_quotient]

        for (size_t idx = 0; idx < NUM_SMALL_IPA_EVALUATIONS; idx++) {

            Fr scaling_factor = denominators[idx] * shplonk_batching_challenge_powers[2 * virtual_log_n + idx];

            batching_scalars[idx] = -scaling_factor;

            constant_term_accumulator += scaling_factor * libra_evaluations[idx];

        }


        // to save a scalar mul, add the sum of the batching scalars corresponding to the big sum evaluations

        scalars.push_back(batching_scalars[0]);

        scalars.push_back(batching_scalars[1] + batching_scalars[2]);

        scalars.push_back(batching_scalars[3]);

    }


    static void batch_sumcheck_round_claims(std::vector<Commitment>& commitments,

                                            std::vector<Fr>& scalars,

                                            Fr& constant_term_accumulator,

                                            const std::vector<Fr>& multilinear_challenge,

                                            const std::vector<Fr>& shplonk_batching_challenge_powers,

                                            const Fr& shplonk_evaluation_challenge,

                                            const std::vector<Commitment>& sumcheck_round_commitments,

                                            const std::vector<std::array<Fr, 3>>& sumcheck_round_evaluations)

    {


        std::vector<Fr> denominators = {};


        // The number of Gemini claims is equal to `2 * log_n` and `log_n` is equal to the size of

        // `multilinear_challenge`, as this method is never used with padding.

        const size_t num_gemini_claims = 2 * multilinear_challenge.size();

        // Denominators for the opening claims at 0 and 1. Need to be computed only once as opposed to the claims at the

        // sumcheck round challenges.

        std::array<Fr, 2> const_denominators;


        const_denominators[0] = Fr(1) / (shplonk_evaluation_challenge);

        const_denominators[1] = Fr(1) / (shplonk_evaluation_challenge - Fr{ 1 });


        // Compute the denominators corresponding to the evaluation claims at the round challenges and add the

        // commitments to the sumcheck round univariates to the vector of commitments

        for (const auto& [challenge, comm] : zip_view(multilinear_challenge, sumcheck_round_commitments)) {

            denominators.push_back(shplonk_evaluation_challenge - challenge);

            commitments.push_back(comm);

        }


        // Invert denominators

        if constexpr (!Curve::is_stdlib_type) {

            Fr::batch_invert(denominators);

        } else {

            for (auto& denominator : denominators) {

                denominator = Fr{ 1 } / denominator;

            }

        }


        // Each commitment to a sumcheck round univariate [S_i] is multiplied by the sum of three scalars corresponding

        // to the evaluations at 0, 1, and the round challenge u_i.

        // Compute the power of `shplonk_batching_challenge` to add sumcheck univariate commitments and evaluations to

        // the batch.

        size_t power = num_gemini_claims + NUM_SMALL_IPA_EVALUATIONS;

        for (const auto& [eval_array, denominator] : zip_view(sumcheck_round_evaluations, denominators)) {

            // Initialize batched_scalar corresponding to 3 evaluations claims

            Fr batched_scalar = Fr(0);

            Fr const_term_contribution = Fr(0);

            // Compute the contribution from the evaluations at 0 and 1

            for (size_t idx = 0; idx < 2; idx++) {

                Fr current_scaling_factor = const_denominators[idx] * shplonk_batching_challenge_powers[power++];

                batched_scalar -= current_scaling_factor;

                const_term_contribution += current_scaling_factor * eval_array[idx];

            }


            // Compute the contribution from the evaluation at the challenge u_i

            Fr current_scaling_factor = denominator * shplonk_batching_challenge_powers[power++];

            batched_scalar -= current_scaling_factor;

            const_term_contribution += current_scaling_factor * eval_array[2];


            // Update Shplonk constant term accumulator

            constant_term_accumulator += const_term_contribution;

            scalars.push_back(batched_scalar);

        }

    };


};


} // namespace bb

claim.hpp

claim_batcher.hpp

bb::CommitmentKey
CommitmentKey object over a pairing group 𝔾₁.
Definition commitment_key.hpp:35

bb::GeminiProver_::PolynomialBatcher
Class responsible for computation of the batched multilinear polynomials required by the Gemini proto...
Definition gemini.hpp:125

bb::GeminiProver_
Definition gemini.hpp:104

bb::GeminiProver_::prove
static std::vector< Claim > prove(size_t circuit_size, PolynomialBatcher &polynomial_batcher, std::span< Fr > multilinear_challenge, const CommitmentKey< Curve > &commitment_key, const std::shared_ptr< Transcript > &transcript, bool has_zk=false)

bb::GeminiVerifier_
Gemini Verifier utility methods used by ShpleminiVerifier.
Definition gemini.hpp:241

bb::GeminiVerifier_::compute_fold_pos_evaluations
static std::vector< Fr > compute_fold_pos_evaluations(std::span< const Fr > padding_indicator_array, const Fr &batched_evaluation, std::span< const Fr > evaluation_point, std::span< const Fr > challenge_powers, std::span< const Fr > fold_neg_evals)
Compute .
Definition gemini.hpp:319

bb::GeminiVerifier_::get_fold_commitments
static std::vector< Commitment > get_fold_commitments(const size_t virtual_log_n, auto &transcript)
Receive the fold commitments from the prover. This method is used by Shplemini where padding may be e...
Definition gemini.hpp:254

bb::GeminiVerifier_::get_gemini_evaluations
static std::vector< Fr > get_gemini_evaluations(const size_t virtual_log_n, auto &transcript)
Receive the fold evaluations from the prover. This method is used by Shplemini where padding may be e...
Definition gemini.hpp:275

bb::Polynomial< FF >

bb::Polynomial::evaluate
Fr evaluate(const Fr &z) const
Definition polynomial.cpp:187

bb::ProverOpeningClaim
Polynomial p and an opening pair (r,v) such that p(r) = v.
Definition claim.hpp:36

bb::ProverOpeningClaim::polynomial
Polynomial polynomial
Definition claim.hpp:41

bb::ProverOpeningClaim::opening_pair
OpeningPair< Curve > opening_pair
Definition claim.hpp:42

bb::ShpleminiProver_
Definition shplemini.hpp:22

bb::ShpleminiProver_::prove
static OpeningClaim prove(size_t circuit_size, PolynomialBatcher &polynomial_batcher, std::span< FF > multilinear_challenge, const CommitmentKey< Curve > &commitment_key, const std::shared_ptr< Transcript > &transcript, const std::array< Polynomial, NUM_SMALL_IPA_EVALUATIONS > &libra_polynomials={}, const std::vector< Polynomial > &sumcheck_round_univariates={}, const std::vector< std::array< FF, 3 > > &sumcheck_round_evaluations={})
Definition shplemini.hpp:36

bb::ShpleminiProver_::GroupElement
typename Curve::Element GroupElement
Definition shplemini.hpp:25

bb::ShpleminiProver_::Commitment
typename Curve::AffineElement Commitment
Definition shplemini.hpp:26

bb::ShpleminiProver_::compute_libra_opening_claims
static std::vector< OpeningClaim > compute_libra_opening_claims(const FF gemini_r, const std::array< Polynomial, NUM_SMALL_IPA_EVALUATIONS > &libra_polynomials, const std::shared_ptr< Transcript > &transcript)
For ZK Flavors: Evaluate the polynomials used in SmallSubgroupIPA argument, send the evaluations to t...
Definition shplemini.hpp:79

bb::ShpleminiProver_::FF
typename Curve::ScalarField FF
Definition shplemini.hpp:24

bb::ShpleminiProver_::compute_sumcheck_round_claims
static std::vector< OpeningClaim > compute_sumcheck_round_claims(size_t circuit_size, std::span< FF > multilinear_challenge, const std::vector< Polynomial > &sumcheck_round_univariates, const std::vector< std::array< FF, 3 > > &sumcheck_round_evaluations)
Create a vector of 3*log_n opening claims for the evaluations of Sumcheck Round Univariates at 0,...
Definition shplemini.hpp:112

bb::ShpleminiVerifier_
Definition shplemini.hpp:175

bb::ShpleminiVerifier_::batch_gemini_claims_received_from_prover
static void batch_gemini_claims_received_from_prover(std::span< const Fr > padding_indicator_array, const std::vector< Commitment > &fold_commitments, std::span< const Fr > gemini_neg_evaluations, std::span< const Fr > gemini_pos_evaluations, std::span< const Fr > inverse_vanishing_evals, std::span< const Fr > shplonk_batching_challenge_powers, std::vector< Commitment > &commitments, std::vector< Fr > &scalars, Fr &constant_term_accumulator)
Place fold polynomial commitments to commitments and compute the corresponding scalar multipliers.
Definition shplemini.hpp:443

bb::ShpleminiVerifier_::batch_sumcheck_round_claims
static void batch_sumcheck_round_claims(std::vector< Commitment > &commitments, std::vector< Fr > &scalars, Fr &constant_term_accumulator, const std::vector< Fr > &multilinear_challenge, const std::vector< Fr > &shplonk_batching_challenge_powers, const Fr &shplonk_evaluation_challenge, const std::vector< Commitment > &sumcheck_round_commitments, const std::vector< std::array< Fr, 3 > > &sumcheck_round_evaluations)
Adds the Sumcheck data into the Shplemini BatchOpeningClaim.
Definition shplemini.hpp:630

bb::ShpleminiVerifier_::Commitment
typename Curve::AffineElement Commitment
Definition shplemini.hpp:178

bb::ShpleminiVerifier_::Fr
typename Curve::ScalarField Fr
Definition shplemini.hpp:176

bb::ShpleminiVerifier_::compute_batch_opening_claim
static ShpleminiVerifierOutput compute_batch_opening_claim(std::span< const Fr > padding_indicator_array, ClaimBatcher &claim_batcher, const std::vector< Fr > &multivariate_challenge, const Commitment &g1_identity, const std::shared_ptr< Transcript > &transcript, const RepeatedCommitmentsData &repeated_commitments={}, const std::array< Commitment, NUM_LIBRA_COMMITMENTS > &libra_commitments={}, const Fr &libra_univariate_evaluation=Fr{ 0 }, const std::vector< Commitment > &sumcheck_round_commitments={}, const std::vector< std::array< Fr, 3 > > &sumcheck_round_evaluations={})
This method receives commitments to all prover polynomials, their claimed evaluations,...
Definition shplemini.hpp:214

bb::ShpleminiVerifier_::GroupElement
typename Curve::Element GroupElement
Definition shplemini.hpp:177

bb::ShpleminiVerifier_::remove_repeated_commitments
static void remove_repeated_commitments(std::vector< Commitment > &commitments, std::vector< Fr > &scalars, const RepeatedCommitmentsData &repeated_commitments, bool has_zk)
Combines scalars of repeating commitments to reduce the number of scalar multiplications performed by...
Definition shplemini.hpp:489

bb::ShpleminiVerifier_::ShpleminiVerifierOutput
ShpleminiVerifierOutput_< Curve, HasZK > ShpleminiVerifierOutput
Definition shplemini.hpp:183

bb::ShpleminiVerifier_::add_zk_data
static void add_zk_data(const size_t virtual_log_n, std::vector< Commitment > &commitments, std::vector< Fr > &scalars, Fr &constant_term_accumulator, const std::array< Commitment, NUM_LIBRA_COMMITMENTS > &libra_commitments, const std::array< Fr, NUM_SMALL_IPA_EVALUATIONS > &libra_evaluations, const Fr &gemini_evaluation_challenge, const std::vector< Fr > &shplonk_batching_challenge_powers, const Fr &shplonk_evaluation_challenge)
Add the opening data corresponding to Libra masking univariates to the batched opening claim.
Definition shplemini.hpp:547

bb::ShplonkProver_
Shplonk Prover.
Definition shplonk.hpp:36

bb::ShplonkProver_::prove
static ProverOpeningClaim< Curve > prove(const CommitmentKey< Curve > &commitment_key, std::span< ProverOpeningClaim< Curve > > opening_claims, const std::shared_ptr< Transcript > &transcript, std::span< ProverOpeningClaim< Curve > > libra_opening_claims={}, std::span< ProverOpeningClaim< Curve > > sumcheck_round_claims={}, const size_t virtual_log_n=0)
Returns a batched opening claim equivalent to a set of opening claims consisting of polynomials,...
Definition shplonk.hpp:262

bb::ShplonkVerifier_
Shplonk Verifier.
Definition shplonk.hpp:338

bb::ShplonkVerifier_::compute_inverted_gemini_denominators
static std::vector< Fr > compute_inverted_gemini_denominators(const Fr &shplonk_eval_challenge, const std::vector< Fr > &gemini_eval_challenge_powers)
Computes .
Definition shplonk.hpp:506

bb::SmallSubgroupIPAVerifier::check_libra_evaluations_consistency
static bool check_libra_evaluations_consistency(const std::array< FF, NUM_SMALL_IPA_EVALUATIONS > &libra_evaluations, const FF &gemini_evaluation_challenge, const std::vector< FF > &multilinear_challenge, const FF &inner_product_eval_claim)
A method required by ZKSumcheck. The challenge polynomial is concatenated from the powers of the sumc...
Definition small_subgroup_ipa.hpp:292

bb::VerifierCommitmentKey
Representation of the Grumpkin Verifier Commitment Key inside a bn254 circuit.
Definition verifier_commitment_key.hpp:16

bb::curve::Grumpkin
Definition grumpkin.hpp:59

bb::curve::Grumpkin::Element
typename Group::element Element
Definition grumpkin.hpp:64

bb::curve::Grumpkin::is_stdlib_type
static constexpr bool is_stdlib_type
Definition grumpkin.hpp:68

bb::curve::Grumpkin::AffineElement
typename Group::affine_element AffineElement
Definition grumpkin.hpp:65

bb::curve::Grumpkin::ScalarField
bb::fq ScalarField
Definition grumpkin.hpp:61

bb::curve::Grumpkin::subgroup_generator
static constexpr ScalarField subgroup_generator
Definition grumpkin.hpp:78

zip_view
Definition zip_view.hpp:166

commitment_key.hpp

offset
ssize_t offset
Definition engine.cpp:52

gemini_impl.hpp

bb::gemini::powers_of_evaluation_challenge
std::vector< Fr > powers_of_evaluation_challenge(const Fr &r, const size_t num_squares)
Compute squares of folding challenge r.
Definition gemini.hpp:93

bb::numeric::get_msb
constexpr T get_msb(const T in)
Definition get_msb.hpp:49

bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5

std
STL namespace.

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

origin_tag.hpp
This file contains part of the logic for the Origin Tag mechanism that tracks the use of in-circuit p...

repeated_commitments_data.hpp

shplonk.hpp

small_subgroup_ipa.hpp

bb::BatchOpeningClaim
An accumulator consisting of the Shplonk evaluation challenge and vectors of commitments and scalars.
Definition claim.hpp:155

bb::ClaimBatcher_
Logic to support batching opening claims for unshifted and shifted polynomials in Shplemini.
Definition claim_batcher.hpp:26

bb::ClaimBatcher_::update_batch_mul_inputs_and_batched_evaluation
void update_batch_mul_inputs_and_batched_evaluation(std::vector< Commitment > &commitments, std::vector< Fr > &scalars, Fr &batched_evaluation, const Fr &rho)
Append the commitments and scalars from each batch of claims to the Shplemini vectors which subsequen...
Definition claim_batcher.hpp:95

bb::ClaimBatcher_::compute_scalars_for_each_batch
void compute_scalars_for_each_batch(std::span< const Fr > inverted_vanishing_evals, const Fr &nu_challenge, const Fr &r_challenge)
Compute scalars used to batch each set of claims, excluding contribution from batching challenge \rho...
Definition claim_batcher.hpp:68

bb::DuplicateRange::original_start
size_t original_start
Definition repeated_commitments_data.hpp:24

bb::RepeatedCommitmentsData
Definition repeated_commitments_data.hpp:29

bb::RepeatedCommitmentsData::second
DuplicateRange second
Definition repeated_commitments_data.hpp:31

bb::RepeatedCommitmentsData::first
DuplicateRange first
Definition repeated_commitments_data.hpp:30

bb::ShpleminiVerifierOutput_< Curve, true >::consistency_checked
bool consistency_checked
Definition shplemini.hpp:172

bb::ShpleminiVerifierOutput_< Curve, true >::batch_opening_claim
BatchOpeningClaim< Curve > batch_opening_claim
Definition shplemini.hpp:171

bb::ShpleminiVerifierOutput_
An efficient verifier for the evaluation proofs of multilinear polynomials and their shifts.
Definition shplemini.hpp:167

bb::ShpleminiVerifierOutput_::batch_opening_claim
BatchOpeningClaim< Curve > batch_opening_claim
Definition shplemini.hpp:168

bb::field< Bn254FrParams >

bb::field< Bn254FrParams >::batch_invert
static void batch_invert(C &coeffs) noexcept
Batch invert a collection of field elements using Montgomery's trick.
Definition field_impl.hpp:429

transcript.hpp

verification_key.hpp

zk_sumcheck_data.hpp