Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
ultra_prover.cpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: Completed, auditors: [Sergei], commit: }
3// external_1: { status: not started, auditors: [], commit: }
4// external_2: { status: not started, auditors: [], commit: }
5// =====================
6
7#include "ultra_prover.hpp"
8#include "barretenberg/commitment_schemes/gemini/gemini.hpp"
9#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp"
10#include "barretenberg/flavor/mega_avm_flavor.hpp"
11#include "barretenberg/sumcheck/sumcheck.hpp"
12#include "barretenberg/ultra_honk/oink_prover.hpp"
13namespace bb {
14
15template <typename Flavor>
16UltraProver_<Flavor>::UltraProver_(std::shared_ptr<ProverInstance> prover_instance,
17 const std::shared_ptr<HonkVK>& honk_vk,
18 const std::shared_ptr<Transcript>& transcript)
19 : prover_instance(std::move(prover_instance))
20 , transcript(transcript)
21 , honk_vk(honk_vk)
22{}
23
39template <typename Flavor> typename UltraProver_<Flavor>::Proof UltraProver_<Flavor>::export_proof()
40{
41 auto proof = transcript->export_proof();
42
43 // Append IPA proof if present
44 if (!prover_instance->ipa_proof.empty()) {
45 BB_ASSERT_EQ(prover_instance->ipa_proof.size(), static_cast<size_t>(IPA_PROOF_LENGTH));
46 proof.insert(proof.end(), prover_instance->ipa_proof.begin(), prover_instance->ipa_proof.end());
47 }
48
49 return proof;
50}
51
52template <typename Flavor> void UltraProver_<Flavor>::generate_gate_challenges()
53{
54 virtual_log_n =
55 Flavor::USE_PADDING ? Flavor::VIRTUAL_LOG_N : static_cast<size_t>(prover_instance->log_dyadic_size());
56
57 prover_instance->gate_challenges =
58 transcript->template get_dyadic_powers_of_challenge<FF>("Sumcheck:gate_challenge", virtual_log_n);
59}
60
61template <typename Flavor> typename UltraProver_<Flavor>::Proof UltraProver_<Flavor>::construct_proof()
62{
63 // The CRS only needs to accommodate the actual data extent (max_end_index) rather than the
64 // full dyadic_size. All committed polynomials fit within this bound: witness/selector polys
65 // have backing ≤ max_end_index, Gemini fold polys have size ≤ dyadic_size/2 < max_end_index,
66 // Shplonk quotient Q is sized at max(claim sizes), and KZG opening proof is sized at Q.size().
67 // For ZK, the gemini_masking_poly (at dyadic_size) is already reflected in max_end_index.
68 size_t key_size = prover_instance->polynomials.max_end_index();
69 if constexpr (Flavor::HasZK) {
70 // SmallSubgroupIPA commits fixed-size polynomials (up to SUBGROUP_SIZE + 3). Ensure the
71 // CRS is large enough for tiny test circuits where max_end_index may be smaller.
72 constexpr size_t log_subgroup_size = static_cast<size_t>(numeric::get_msb(Curve::SUBGROUP_SIZE));
73 key_size = std::max(key_size, size_t{ 1 } << (log_subgroup_size + 1));
74 }
75 commitment_key = CommitmentKey(key_size);
76
77 OinkProver<Flavor> oink_prover(prover_instance, honk_vk, transcript);
78 oink_prover.prove();
79 vinfo("created oink proof");
80
81 generate_gate_challenges();
82
83 // Run sumcheck
84 execute_sumcheck_iop();
85 vinfo("finished relation check rounds");
86 // Execute Shplemini PCS
87 execute_pcs();
88 vinfo("finished PCS rounds");
89
90 return export_proof();
91}
92
97template <typename Flavor> void UltraProver_<Flavor>::execute_sumcheck_iop()
98{
99 BB_BENCH_NAME("sumcheck.prove");
100
101 using Sumcheck = SumcheckProver<Flavor>;
102 size_t polynomial_size = prover_instance->dyadic_size();
103 Sumcheck sumcheck(polynomial_size,
104 prover_instance->polynomials,
105 transcript,
106 prover_instance->alpha,
107 prover_instance->gate_challenges,
108 prover_instance->relation_parameters,
109 virtual_log_n);
110
111 if constexpr (Flavor::HasZK) {
112 zk_sumcheck_data = ZKData(numeric::get_msb(polynomial_size), transcript, commitment_key);
113 sumcheck_output = sumcheck.prove(zk_sumcheck_data);
114 } else {
115 sumcheck_output = sumcheck.prove();
116 }
117}
118
123template <typename Flavor> void UltraProver_<Flavor>::execute_pcs()
124{
125 using OpeningClaim = ProverOpeningClaim<Curve>;
126 using PolynomialBatcher = GeminiProver_<Curve>::PolynomialBatcher;
127
128 auto& ck = commitment_key;
129
130 PolynomialBatcher polynomial_batcher(prover_instance->dyadic_size(), prover_instance->polynomials.max_end_index());
131 polynomial_batcher.set_unshifted(prover_instance->polynomials.get_unshifted());
132 polynomial_batcher.set_to_be_shifted_by_one(prover_instance->polynomials.get_to_be_shifted());
133
134 OpeningClaim prover_opening_claim;
135 if constexpr (!Flavor::HasZK) {
136 prover_opening_claim = ShpleminiProver_<Curve>::prove(
137 prover_instance->dyadic_size(), polynomial_batcher, sumcheck_output.challenge, ck, transcript);
138 } else {
139
140 SmallSubgroupIPA small_subgroup_ipa_prover(
141 zk_sumcheck_data, sumcheck_output.challenge, sumcheck_output.claimed_libra_evaluation, transcript, ck);
142 small_subgroup_ipa_prover.prove();
143
144 prover_opening_claim = ShpleminiProver_<Curve>::prove(prover_instance->dyadic_size(),
145 polynomial_batcher,
146 sumcheck_output.challenge,
147 ck,
148 transcript,
149 small_subgroup_ipa_prover.get_witness_polynomials());
150 }
151 vinfo("executed multivariate-to-univariate reduction");
152 PCS::compute_opening_proof(ck, prover_opening_claim, transcript);
153 vinfo("computed opening proof");
154}
155
156template class UltraProver_<UltraFlavor>;
157template class UltraProver_<UltraZKFlavor>;
158template class UltraProver_<UltraKeccakFlavor>;
159#ifdef STARKNET_GARAGA_FLAVORS
160template class UltraProver_<UltraStarknetFlavor>;
161template class UltraProver_<UltraStarknetZKFlavor>;
162#endif
163template class UltraProver_<UltraKeccakZKFlavor>;
164template class UltraProver_<MegaFlavor>;
165template class UltraProver_<MegaZKFlavor>;
166template class UltraProver_<MegaAvmFlavor>;
167
168} // namespace bb
BB_ASSERT_EQ
#define BB_ASSERT_EQ(actual, expected,...)
Definition assert.hpp:83
BB_BENCH_NAME
#define BB_BENCH_NAME(name)
Definition bb_bench.hpp:225
bb::ECCVMFlavor::HasZK
static constexpr bool HasZK
Definition eccvm_flavor.hpp:60
bb::ECCVMFlavor::USE_PADDING
static constexpr bool USE_PADDING
Definition eccvm_flavor.hpp:62
bb::GeminiProver_::PolynomialBatcher
Class responsible for computation of the batched multilinear polynomials required by the Gemini proto...
Definition gemini.hpp:125
bb::OinkProver
Executes the "Oink" phase of the Honk proving protocol: the initial rounds that commit to witness dat...
Definition oink_prover.hpp:52
bb::OinkProver::prove
void prove(bool emit_alpha=true)
Commit to witnesses, compute relation parameters, and prepare for Sumcheck.
Definition oink_prover.cpp:22
bb::OpeningClaim
Unverified claim (C,r,v) for some witness polynomial p(X) such that.
Definition claim.hpp:55
bb::ProverOpeningClaim
Polynomial p and an opening pair (r,v) such that p(r) = v.
Definition claim.hpp:36
bb::ShpleminiProver_::prove
static OpeningClaim prove(size_t circuit_size, PolynomialBatcher &polynomial_batcher, std::span< FF > multilinear_challenge, const CommitmentKey< Curve > &commitment_key, const std::shared_ptr< Transcript > &transcript, const std::array< Polynomial, NUM_SMALL_IPA_EVALUATIONS > &libra_polynomials={}, const std::vector< Polynomial > &sumcheck_round_univariates={}, const std::vector< std::array< FF, 3 > > &sumcheck_round_evaluations={})
Definition shplemini.hpp:36
bb::SmallSubgroupIPAProver
A Curve-agnostic ZK protocol to prove inner products of small vectors.
Definition small_subgroup_ipa.hpp:69
bb::SmallSubgroupIPAProver::get_witness_polynomials
std::array< bb::Polynomial< FF >, NUM_SMALL_IPA_EVALUATIONS > get_witness_polynomials() const
Definition small_subgroup_ipa.hpp:178
bb::SmallSubgroupIPAProver::prove
void prove()
Compute the derived witnesses and and commit to them.
Definition small_subgroup_ipa.cpp:150
bb::SumcheckProver
The implementation of the sumcheck Prover for statements of the form for multilinear polynomials .
Definition sumcheck.hpp:298
bb::UltraProver_
Definition ultra_prover.hpp:18
bb::UltraProver_::UltraProver_
UltraProver_(std::shared_ptr< ProverInstance >, const std::shared_ptr< HonkVK > &, const std::shared_ptr< Transcript > &transcript=std::make_shared< Transcript >())
Definition ultra_prover.cpp:16
bb::UltraProver_::generate_gate_challenges
BB_PROFILE void generate_gate_challenges()
Definition ultra_prover.cpp:52
bb::UltraProver_::execute_pcs
BB_PROFILE void execute_pcs()
Reduce the sumcheck multivariate evaluations to a single univariate opening claim via Shplemini,...
Definition ultra_prover.cpp:123
bb::UltraProver_::Proof
typename Transcript::Proof Proof
Definition ultra_prover.hpp:29
bb::UltraProver_::execute_sumcheck_iop
BB_PROFILE void execute_sumcheck_iop()
Run Sumcheck to establish that ∑_i pow(\vec{β*})f_i(ω) = 0, producing sumcheck round challenges u = (...
Definition ultra_prover.cpp:97
bb::UltraProver_::CommitmentKey
typename Flavor::CommitmentKey CommitmentKey
Definition ultra_prover.hpp:22
bb::UltraProver_::export_proof
Proof export_proof()
Export the complete proof, including IPA proof for rollup circuits.
Definition ultra_prover.cpp:39
bb::UltraProver_::construct_proof
Proof construct_proof()
Definition ultra_prover.cpp:61
bb::curve::Grumpkin::SUBGROUP_SIZE
static constexpr size_t SUBGROUP_SIZE
Definition grumpkin.hpp:73
vinfo
#define vinfo(...)
Definition log.hpp:94
mega_avm_flavor.hpp
bb::numeric::get_msb
constexpr T get_msb(const T in)
Definition get_msb.hpp:49
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
bb::ck
CommitmentKey< Curve > ck
Definition ipa.fuzzer.cpp:20
std
STL namespace.
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
oink_prover.hpp
bb::ZKSumcheckData
This structure is created to contain various polynomials and constants required by ZK Sumcheck.
Definition zk_sumcheck_data.hpp:22
ultra_prover.hpp