Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
small_subgroup_ipa.cpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: Planned, auditors: [Khashayar], commit: }
3// external_1: { status: not started, auditors: [], commit: }
4// external_2: { status: not started, auditors: [], commit: }
5// =====================
6
7#include "barretenberg/commitment_schemes/small_subgroup_ipa/small_subgroup_ipa.hpp"
8#include "barretenberg/commitment_schemes/utils/test_settings.hpp"
9#include "barretenberg/constants.hpp"
10#include "barretenberg/ecc/curves/bn254/bn254.hpp"
11#include "barretenberg/eccvm/eccvm_flavor.hpp"
12#include "barretenberg/eccvm/eccvm_short_monomial_flavor.hpp"
13#include "barretenberg/eccvm/eccvm_translation_data.hpp"
14#include "barretenberg/ext/starknet/flavor/ultra_starknet_zk_flavor.hpp"
15#include "barretenberg/flavor/mega_zk_flavor.hpp"
16#include "barretenberg/flavor/ultra_keccak_zk_flavor.hpp"
17#include "barretenberg/flavor/ultra_zk_flavor.hpp"
18#include "barretenberg/polynomials/polynomial.hpp"
19#include "barretenberg/polynomials/univariate.hpp"
20#include "barretenberg/stdlib/primitives/curves/grumpkin.hpp"
21#include "barretenberg/sumcheck/zk_sumcheck_data.hpp"
22#include "barretenberg/translator_vm/translator_flavor.hpp"
23
24#include <array>
25#include <type_traits>
26#include <vector>
27
28namespace bb {
29
30// Default constructor to initialize all common members.
31template <typename Flavor>
32SmallSubgroupIPAProver<Flavor>::SmallSubgroupIPAProver(const std::shared_ptr<typename Flavor::Transcript>& transcript,
33 typename Flavor::CommitmentKey commitment_key)
34 : interpolation_domain{}
35 , concatenated_polynomial(MASKED_CONCATENATED_WITNESS_LENGTH)
36 , concatenated_lagrange_form(SUBGROUP_SIZE)
37 , challenge_polynomial(SUBGROUP_SIZE)
38 , challenge_polynomial_lagrange(SUBGROUP_SIZE)
39 , grand_sum_polynomial_unmasked(SUBGROUP_SIZE)
40 , grand_sum_polynomial(MASKED_GRAND_SUM_LENGTH)
41 , grand_sum_identity_polynomial(GRAND_SUM_IDENTITY_LENGTH)
42 , grand_sum_identity_quotient(QUOTIENT_LENGTH)
43 , transcript(transcript)
44{
45 // Reallocate the commitment key if necessary. This is an edge case with SmallSubgroupIPA since it has
46 // polynomials that may exceed the circuit size.
47 if (commitment_key.srs_size < MASKED_GRAND_SUM_LENGTH) {
48 commitment_key = typename Flavor::CommitmentKey(MASKED_GRAND_SUM_LENGTH);
49 };
50 this->commitment_key = commitment_key;
51};
52
60template <typename Flavor>
61SmallSubgroupIPAProver<Flavor>::SmallSubgroupIPAProver(ZKSumcheckData<Flavor>& zk_sumcheck_data,
62 const std::vector<FF>& multivariate_challenge,
63 const FF claimed_inner_product,
64 const std::shared_ptr<typename Flavor::Transcript>& transcript,
65 const typename Flavor::CommitmentKey& commitment_key)
66 : SmallSubgroupIPAProver(transcript, commitment_key)
67{
68 this->claimed_inner_product = claimed_inner_product;
69 interpolation_domain = zk_sumcheck_data.interpolation_domain;
70 concatenated_polynomial = zk_sumcheck_data.libra_concatenated_monomial_form;
71 concatenated_lagrange_form = zk_sumcheck_data.libra_concatenated_lagrange_form;
72
73 label_prefix = "Libra:";
74 // Extract the evaluation domain computed by ZKSumcheckData
75 if constexpr (std::is_same_v<Curve, curve::BN254>) {
76 bn_evaluation_domain = std::move(zk_sumcheck_data.bn_evaluation_domain);
77 }
78
79 // Construct the challenge polynomial in Lagrange basis, compute its monomial coefficients
80 compute_challenge_polynomial(multivariate_challenge);
81}
82
94template <typename Flavor>
95SmallSubgroupIPAProver<Flavor>::SmallSubgroupIPAProver(TranslationData<typename Flavor::Transcript>& translation_data,
96 const FF evaluation_challenge_x,
97 const FF batching_challenge_v,
98 const std::shared_ptr<typename Flavor::Transcript>& transcript,
99 const typename Flavor::CommitmentKey& commitment_key)
100 : SmallSubgroupIPAProver(transcript, commitment_key)
101
102{
103 // TranslationData is Grumpkin-specific
104 if constexpr (std::is_base_of_v<ECCVMFlavor, Flavor> || std::is_same_v<Flavor, GrumpkinSettings>) {
105 label_prefix = "Translation:";
106 interpolation_domain = translation_data.interpolation_domain;
107 concatenated_polynomial = translation_data.masked_concatenated_polynomial;
108 concatenated_lagrange_form = translation_data.concatenated_polynomial_lagrange;
109
110 // Construct the challenge polynomial in Lagrange basis, compute its monomial coefficients
111 compute_eccvm_challenge_polynomial(evaluation_challenge_x, batching_challenge_v);
112
113 // The prover computes the inner product of the challenge polynomial and the concatenation of
114 // the masking terms. This value is used to "denoise" the masked batched evaluation of
115 // `translation_polynomials` contained in `translation_data`.
116 claimed_inner_product = compute_claimed_translation_inner_product(translation_data);
117 transcript->send_to_verifier(label_prefix + "masking_term_eval", claimed_inner_product);
118 }
119}
120
152template <typename Flavor> void SmallSubgroupIPAProver<Flavor>::prove()
153{
154
155 // Construct unmasked grand sum polynomial in Lagrange basis, compute its monomial coefficients and mask it
156 compute_grand_sum_polynomial();
157
158 // Send masked commitment [A + Z_H * R] to the verifier, where R is of degree 2
159 transcript->send_to_verifier(label_prefix + "grand_sum_commitment", commitment_key.commit(grand_sum_polynomial));
160
161 // Compute C(X)
162 compute_grand_sum_identity_polynomial();
163
164 // Compute Q(X)
165 compute_grand_sum_identity_quotient();
166
167 // Send commitment [Q] to the verifier
168 transcript->send_to_verifier(label_prefix + "quotient_commitment",
169 commitment_key.commit(grand_sum_identity_quotient));
170}
171
196template <typename Flavor>
197void SmallSubgroupIPAProver<Flavor>::compute_challenge_polynomial(const std::vector<FF>& multivariate_challenge)
198{
199 std::vector<FF> coeffs_lagrange_basis =
200 compute_challenge_polynomial_coeffs<typename Flavor::Curve>(multivariate_challenge);
201
202 challenge_polynomial_lagrange = Polynomial<FF>(coeffs_lagrange_basis);
203
204 // Compute monomial coefficients
205 challenge_polynomial =
206 compute_monomial_coefficients(coeffs_lagrange_basis, interpolation_domain, bn_evaluation_domain);
207}
217template <typename Flavor>
218void SmallSubgroupIPAProver<Flavor>::compute_eccvm_challenge_polynomial(const FF evaluation_challenge_x,
219 const FF batching_challenge_v)
220{
221
222 std::vector<FF> coeffs_lagrange_basis = compute_eccvm_challenge_coeffs<typename Flavor::Curve>(
223 evaluation_challenge_x, batching_challenge_v, NUM_TRANSLATION_EVALUATIONS, NUM_DISABLED_ROWS_IN_SUMCHECK);
224
225 challenge_polynomial_lagrange = Polynomial<FF>(coeffs_lagrange_basis);
226
227 // Compute monomial coefficients
228 challenge_polynomial = Polynomial<FF>(interpolation_domain, coeffs_lagrange_basis, SUBGROUP_SIZE);
229}
247template <typename Flavor> void SmallSubgroupIPAProver<Flavor>::compute_grand_sum_polynomial()
248{
249 grand_sum_lagrange_coeffs[0] = 0;
250
251 // Compute the grand sum coefficients recursively
252 for (size_t idx = 1; idx < SUBGROUP_SIZE; idx++) {
253 size_t prev_idx = idx - 1;
254 grand_sum_lagrange_coeffs[idx] =
255 grand_sum_lagrange_coeffs[prev_idx] +
256 challenge_polynomial_lagrange.at(prev_idx) * concatenated_lagrange_form.at(prev_idx);
257 };
258
259 // Get the coefficients in the monomial basis
260 grand_sum_polynomial_unmasked =
261 compute_monomial_coefficients(grand_sum_lagrange_coeffs, interpolation_domain, bn_evaluation_domain);
262
263 // Generate random masking_term of degree 2
264 auto masking_term = bb::Univariate<FF, GRAND_SUM_MASKING_TERM_LENGTH>::get_random();
265
266 grand_sum_polynomial += grand_sum_polynomial_unmasked;
267 // Since Z_H(X) = X^|H| - 1, its product with the masking term R(X) is given by X^{H}*R(X) - R(X). Therefore
268 // to mask A, we subtract the coefficients of R from the first GRAND_SUM_MASKING_TERM_LENGTH coefficients
269 // of A and by set the coefficients A_{i+SUBGROUP_SIZE} to be equal to R_i
270 for (size_t idx = 0; idx < GRAND_SUM_MASKING_TERM_LENGTH; idx++) {
271 grand_sum_polynomial.at(idx) -= masking_term.value_at(idx);
272 grand_sum_polynomial.at(idx + SUBGROUP_SIZE) += masking_term.value_at(idx);
273 }
274};
275
281template <typename Flavor> void SmallSubgroupIPAProver<Flavor>::compute_grand_sum_identity_polynomial()
282{
283 // Compute shifted grand sum polynomial A(gX)
284 Polynomial<FF> shifted_grand_sum(MASKED_GRAND_SUM_LENGTH);
285
286 for (size_t idx = 0; idx < MASKED_GRAND_SUM_LENGTH; idx++) {
287 shifted_grand_sum.at(idx) = grand_sum_polynomial.at(idx) * interpolation_domain[idx % SUBGROUP_SIZE];
288 }
289
290 const auto& [lagrange_first, lagrange_last] =
291 compute_lagrange_first_and_last(interpolation_domain, bn_evaluation_domain);
292
293 // Compute -F(X)*G(X), the negated product of challenge_polynomial and concatenated_polynomial
294 for (size_t i = 0; i < MASKED_CONCATENATED_WITNESS_LENGTH; ++i) {
295 for (size_t j = 0; j < SUBGROUP_SIZE; ++j) {
296 grand_sum_identity_polynomial.at(i + j) -= concatenated_polynomial.at(i) * challenge_polynomial.at(j);
297 }
298 }
299
300 // Compute - F(X) * G(X) + A(gX) - A(X)
301 for (size_t idx = 0; idx < MASKED_GRAND_SUM_LENGTH; idx++) {
302 grand_sum_identity_polynomial.at(idx) += shifted_grand_sum.at(idx) - grand_sum_polynomial.at(idx);
303 }
304
305 // Mutiply - F(X) * G(X) + A(gX) - A(X) by X-g:
306 // 1. Multiply by X
307 for (size_t idx = GRAND_SUM_IDENTITY_LENGTH - 1; idx > 0; idx--) {
308 grand_sum_identity_polynomial.at(idx) = grand_sum_identity_polynomial.at(idx - 1);
309 }
310 grand_sum_identity_polynomial.at(0) = FF(0);
311 // 2. Subtract 1/g(A(gX) - A(X) - F(X) * G(X))
312 for (size_t idx = 0; idx < GRAND_SUM_IDENTITY_LENGTH - 1; idx++) {
313 grand_sum_identity_polynomial.at(idx) -=
314 grand_sum_identity_polynomial.at(idx + 1) * interpolation_domain[SUBGROUP_SIZE - 1];
315 }
316
317 // Add (L_1 + L_{|H|}) * A(X) to the result
318 for (size_t i = 0; i < MASKED_GRAND_SUM_LENGTH; ++i) {
319 for (size_t j = 0; j < SUBGROUP_SIZE; ++j) {
320 grand_sum_identity_polynomial.at(i + j) +=
321 grand_sum_polynomial.at(i) * (lagrange_first.at(j) + lagrange_last.at(j));
322 }
323 }
324 // Subtract L_{|H|} * s
325 for (size_t idx = 0; idx < SUBGROUP_SIZE; idx++) {
326 grand_sum_identity_polynomial.at(idx) -= lagrange_last.at(idx) * claimed_inner_product;
327 }
328}
336template <typename Flavor>
337std::array<Polynomial<typename Flavor::Curve::ScalarField>, 2> SmallSubgroupIPAProver<
338 Flavor>::compute_lagrange_first_and_last(const std::array<FF, SUBGROUP_SIZE>& interpolation_domain,
339 const EvaluationDomain<FF>& bn_evaluation_domain)
340{
341 // Compute the monomial coefficients of L_1
342 std::array<FF, SUBGROUP_SIZE> lagrange_coeffs;
343 lagrange_coeffs[0] = FF(1);
344 for (size_t idx = 1; idx < SUBGROUP_SIZE; idx++) {
345 lagrange_coeffs[idx] = FF(0);
346 }
347
348 Polynomial<FF> lagrange_first_monomial =
349 compute_monomial_coefficients(lagrange_coeffs, interpolation_domain, bn_evaluation_domain);
350
351 // Compute the monomial coefficients of L_{|H|}, the last Lagrange polynomial
352 lagrange_coeffs[0] = FF(0);
353 lagrange_coeffs[SUBGROUP_SIZE - 1] = FF(1);
354
355 Polynomial<FF> lagrange_last_monomial =
356 compute_monomial_coefficients(lagrange_coeffs, interpolation_domain, bn_evaluation_domain);
357
358 return { lagrange_first_monomial, lagrange_last_monomial };
359}
360
364template <typename Flavor> void SmallSubgroupIPAProver<Flavor>::compute_grand_sum_identity_quotient()
365{
366
367 auto remainder = grand_sum_identity_polynomial;
368 for (size_t idx = GRAND_SUM_IDENTITY_LENGTH - 1; idx >= SUBGROUP_SIZE; idx--) {
369 grand_sum_identity_quotient.at(idx - SUBGROUP_SIZE) = remainder.at(idx);
370 remainder.at(idx - SUBGROUP_SIZE) += remainder.at(idx);
371 }
372}
373
382template <typename Flavor>
383typename Flavor::Curve::ScalarField SmallSubgroupIPAProver<Flavor>::compute_claimed_inner_product(
384 ZKSumcheckData<Flavor>& zk_sumcheck_data,
385 const std::vector<FF>& multivariate_challenge,
386 const size_t& log_circuit_size)
387{
388 const FF libra_challenge_inv = zk_sumcheck_data.libra_challenge.invert();
389 // Compute claimed inner product similarly to the SumcheckProver
390 FF claimed_inner_product = FF{ 0 };
391 size_t idx = 0;
392 for (const auto& univariate : zk_sumcheck_data.libra_univariates) {
393 claimed_inner_product += univariate.evaluate(multivariate_challenge[idx]);
394 idx++;
395 }
396 // Libra Univariates are mutiplied by the Libra challenge in setup_auxiliary_data(), needs to be undone
397 claimed_inner_product *= libra_challenge_inv / FF(1 << (log_circuit_size - 1));
398 claimed_inner_product += zk_sumcheck_data.constant_term;
399 return claimed_inner_product;
400}
401
410template <typename Flavor>
411typename Flavor::Curve::ScalarField SmallSubgroupIPAProver<Flavor>::compute_claimed_translation_inner_product(
412 TranslationData<typename Flavor::Transcript>& translation_data)
413{
414 FF claimed_inner_product{ 0 };
415 if constexpr (std::is_base_of_v<ECCVMFlavor, Flavor> || std::is_same_v<Flavor, GrumpkinSettings>) {
416 for (size_t idx = 0; idx < SUBGROUP_SIZE; idx++) {
417 claimed_inner_product +=
418 translation_data.concatenated_polynomial_lagrange.at(idx) * challenge_polynomial_lagrange.at(idx);
419 }
420 }
421 return claimed_inner_product;
422}
423
430template <typename Flavor>
431Polynomial<typename Flavor::Curve::ScalarField> SmallSubgroupIPAProver<Flavor>::compute_monomial_coefficients(
432 std::span<FF> lagrange_coeffs,
433 const std::array<FF, SUBGROUP_SIZE>& interpolation_domain,
434 const EvaluationDomain<FF>& bn_evaluation_domain)
435{
436 using FF = typename Flavor::Curve::ScalarField;
437 if constexpr (!std::is_same_v<typename Flavor::Curve, curve::BN254>) {
438 return Polynomial<FF>(interpolation_domain, lagrange_coeffs, SUBGROUP_SIZE);
439 } else {
440 std::vector<FF> lagrange_last_ifft(SUBGROUP_SIZE);
441 polynomial_arithmetic::ifft<FF>(lagrange_coeffs.data(), lagrange_last_ifft.data(), bn_evaluation_domain);
442 return Polynomial<FF>(lagrange_last_ifft);
443 }
444}
445
446// Instantiate with ZK Flavors
447template class SmallSubgroupIPAProver<ECCVMFlavor>;
448template class SmallSubgroupIPAProver<ECCVMShortMonomialFlavor>;
449template class SmallSubgroupIPAProver<TranslatorFlavor>;
450template class SmallSubgroupIPAProver<TranslatorShortMonomialFlavor>;
451template class SmallSubgroupIPAProver<MegaZKFlavor>;
452template class SmallSubgroupIPAProver<UltraZKFlavor>;
453template class SmallSubgroupIPAProver<UltraKeccakZKFlavor>;
454#ifdef STARKNET_GARAGA_FLAVORS
455template class SmallSubgroupIPAProver<UltraStarknetZKFlavor>;
456#endif
457
458// Instantiations used in tests
459template class SmallSubgroupIPAProver<BN254Settings>;
460template class SmallSubgroupIPAProver<GrumpkinSettings>;
461
462} // namespace bb
FF
bb::field< bb::Bn254FrParams > FF
Definition field.cpp:24
bb::CommitmentKey
CommitmentKey object over a pairing group 𝔾₁.
Definition commitment_key.hpp:39
bb::ECCVMFlavor::CommitmentKey
bb::CommitmentKey< Curve > CommitmentKey
Definition eccvm_flavor.hpp:48
bb::Polynomial
Structured polynomial class that represents the coefficients 'a' of a_0 + a_1 x .....
Definition polynomial.hpp:75
bb::Polynomial::at
Fr & at(size_t index)
Our mutable accessor, unlike operator[]. We abuse precedent a bit to differentiate at() and operator[...
Definition polynomial.hpp:305
bb::SmallSubgroupIPAProver
A Curve-agnostic ZK protocol to prove inner products of small vectors.
Definition small_subgroup_ipa.hpp:69
bb::SmallSubgroupIPAProver::transcript
std::shared_ptr< typename Flavor::Transcript > transcript
Definition small_subgroup_ipa.hpp:126
bb::SmallSubgroupIPAProver::compute_eccvm_challenge_polynomial
void compute_eccvm_challenge_polynomial(const FF evaluation_challenge_x, const FF batching_challenge_v)
Compute a (public) challenge polynomial from the evaluation and batching challenges.
Definition small_subgroup_ipa.cpp:218
bb::SmallSubgroupIPAProver::FF
typename Curve::ScalarField FF
Definition small_subgroup_ipa.hpp:71
bb::SmallSubgroupIPAProver::compute_challenge_polynomial
void compute_challenge_polynomial(const std::vector< FF > &multivariate_challenge)
Computes the challenge polynomial F(X) based on the provided multivariate challenges.
Definition small_subgroup_ipa.cpp:197
bb::SmallSubgroupIPAProver::compute_monomial_coefficients
static Polynomial< FF > compute_monomial_coefficients(std::span< FF > lagrange_coeffs, const std::array< FF, SUBGROUP_SIZE > &interpolation_domain, const EvaluationDomain< FF > &bn_evaluation_domain)
Given a vector of coefficients of a polynomial in the Lagrange basis over , compute its coefficients ...
Definition small_subgroup_ipa.cpp:431
bb::SmallSubgroupIPAProver::interpolation_domain
std::array< FF, SUBGROUP_SIZE > interpolation_domain
Definition small_subgroup_ipa.hpp:98
bb::SmallSubgroupIPAProver::compute_grand_sum_polynomial
void compute_grand_sum_polynomial()
Computes the grand sum polynomial .
Definition small_subgroup_ipa.cpp:247
bb::SmallSubgroupIPAProver::MASKED_GRAND_SUM_LENGTH
static constexpr size_t MASKED_GRAND_SUM_LENGTH
Definition small_subgroup_ipa.hpp:81
bb::SmallSubgroupIPAProver::compute_grand_sum_identity_quotient
void compute_grand_sum_identity_quotient()
Efficiently compute the quotient of the grand sum identity polynomial by .
Definition small_subgroup_ipa.cpp:364
bb::SmallSubgroupIPAProver::compute_claimed_inner_product
static FF compute_claimed_inner_product(ZKSumcheckData< Flavor > &zk_sumcheck_data, const std::vector< FF > &multivariate_challenge, const size_t &log_circuit_size)
For test purposes: Compute the sum of the Libra constant term and Libra univariates evaluated at Sumc...
Definition small_subgroup_ipa.cpp:383
bb::SmallSubgroupIPAProver::compute_grand_sum_identity_polynomial
void compute_grand_sum_identity_polynomial()
Compute , where is the fixed generator of .
Definition small_subgroup_ipa.cpp:281
bb::SmallSubgroupIPAProver::concatenated_lagrange_form
Polynomial< FF > concatenated_lagrange_form
Definition small_subgroup_ipa.hpp:105
bb::SmallSubgroupIPAProver::SmallSubgroupIPAProver
SmallSubgroupIPAProver(const std::shared_ptr< typename Flavor::Transcript > &transcript, typename Flavor::CommitmentKey commitment_key)
Definition small_subgroup_ipa.cpp:32
bb::SmallSubgroupIPAProver::commitment_key
Flavor::CommitmentKey commitment_key
Definition small_subgroup_ipa.hpp:127
bb::SmallSubgroupIPAProver::bn_evaluation_domain
EvaluationDomain< FF > bn_evaluation_domain
Definition small_subgroup_ipa.hpp:100
bb::SmallSubgroupIPAProver::prove
void prove()
Compute the derived witnesses and and commit to them.
Definition small_subgroup_ipa.cpp:152
bb::SmallSubgroupIPAProver::compute_claimed_translation_inner_product
FF compute_claimed_translation_inner_product(TranslationData< typename Flavor::Transcript > &translation_data)
For test purposes: compute the batched evaluation of the last NUM_DISABLED_ROWS_IN_SUMCHECK rows of t...
Definition small_subgroup_ipa.cpp:411
bb::TranslationData
A class designed to accept the ECCVM Transcript Polynomials, concatenate their masking terms in Lagra...
Definition eccvm_translation_data.hpp:20
bb::TranslationData::interpolation_domain
std::array< FF, SUBGROUP_SIZE > interpolation_domain
Definition eccvm_translation_data.hpp:41
bb::Univariate::get_random
static Univariate get_random()
Definition univariate.hpp:142
eccvm_flavor.hpp
eccvm_short_monomial_flavor.hpp
eccvm_translation_data.hpp
mega_zk_flavor.hpp
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
small_subgroup_ipa.hpp
bb::ZKSumcheckData
This structure is created to contain various polynomials and constants required by ZK Sumcheck.
Definition zk_sumcheck_data.hpp:23
bb::ZKSumcheckData::libra_concatenated_monomial_form
Polynomial< FF > libra_concatenated_monomial_form
Definition zk_sumcheck_data.hpp:45
bb::ZKSumcheckData::libra_univariates
std::vector< Polynomial< FF > > libra_univariates
Definition zk_sumcheck_data.hpp:47
bb::ZKSumcheckData::libra_concatenated_lagrange_form
Polynomial< FF > libra_concatenated_lagrange_form
Definition zk_sumcheck_data.hpp:44
bb::ZKSumcheckData::bn_evaluation_domain
EvaluationDomain< FF > bn_evaluation_domain
Definition zk_sumcheck_data.hpp:41
bb::ZKSumcheckData::interpolation_domain
std::array< FF, SUBGROUP_SIZE > interpolation_domain
Definition zk_sumcheck_data.hpp:42
test_settings.hpp
translator_flavor.hpp
ultra_keccak_zk_flavor.hpp
ultra_starknet_zk_flavor.hpp
ultra_zk_flavor.hpp
zk_sumcheck_data.hpp