Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
translator_prover.cpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: Planned, auditors: [], commit: }
3// external_1: { status: not started, auditors: [], commit: }
4// external_2: { status: not started, auditors: [], commit: }
5// =====================
6
7#include "translator_prover.hpp"
8#include "barretenberg/commitment_schemes/claim.hpp"
9#include "barretenberg/commitment_schemes/commitment_key.hpp"
10#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp"
11#include "barretenberg/commitment_schemes/small_subgroup_ipa/small_subgroup_ipa.hpp"
12#include "barretenberg/honk/library/grand_product_library.hpp"
13#include "barretenberg/relations/translator_vm/translator_decomposition_short_relation_impl.hpp"
14#include "barretenberg/relations/translator_vm/translator_delta_range_constraint_short_relation_impl.hpp"
15#include "barretenberg/relations/translator_vm/translator_extra_short_relations_impl.hpp"
16#include "barretenberg/relations/translator_vm/translator_non_native_field_short_relation_impl.hpp"
17#include "barretenberg/relations/translator_vm/translator_permutation_short_relation_impl.hpp"
18#include "barretenberg/sumcheck/sumcheck.hpp"
19
20namespace bb {
21
22TranslatorProver::TranslatorProver(const std::shared_ptr<TranslatorProvingKey>& key,
23 const std::shared_ptr<Transcript>& transcript)
24 : transcript(transcript)
25 , key(key)
26{
27 BB_BENCH();
28 key->proving_key->commitment_key = CommitmentKey(key->proving_key->circuit_size);
29}
30
35void TranslatorProver::execute_preamble_round()
36{
37 // Fiat-Shamir the vk hash
38 typename Flavor::VerificationKey vk;
39 typename Flavor::FF vk_hash = vk.get_hash();
40 transcript->add_to_hash_buffer("vk_hash", vk_hash);
41 vinfo("Translator vk hash in prover: ", vk_hash);
42
43 const size_t RESULT_ROW = Flavor::RESULT_ROW;
44
45 // Set accumulated_result in relation parameters from the witness polynomials
46 // The verifier will receive this value from the ECCVM verifier instead of the transcript
47 relation_parameters.accumulated_result = { key->proving_key->polynomials.accumulators_binary_limbs_0[RESULT_ROW],
48 key->proving_key->polynomials.accumulators_binary_limbs_1[RESULT_ROW],
49 key->proving_key->polynomials.accumulators_binary_limbs_2[RESULT_ROW],
50 key->proving_key->polynomials.accumulators_binary_limbs_3[RESULT_ROW] };
51}
52
59void TranslatorProver::commit_to_witness_polynomial(Polynomial& polynomial,
60 const std::string& label,
61 bool has_duplicates_hint)
62{
63 transcript->send_to_verifier(label, key->proving_key->commitment_key.commit(polynomial, has_duplicates_hint));
64}
65
70void TranslatorProver::execute_wire_and_sorted_constraints_commitments_round()
71{
72 BB_BENCH_NAME("TranslatorProver::execute_wire_and_sorted_constraints_commitments_round");
73
74 // Create and commit to Gemini masking polynomial (for ZK-PCS)
75 const size_t circuit_size = key->proving_key->circuit_size;
76 key->proving_key->polynomials.gemini_masking_poly = Polynomial::random(circuit_size);
77 auto masking_commitment =
78 key->proving_key->commitment_key.commit(key->proving_key->polynomials.gemini_masking_poly);
79 transcript->send_to_verifier("Gemini:masking_poly_comm", masking_commitment);
80
81 // Commit to non-op-queue wires and ordered range constraints
82 // Note: Op queue wires (op, x_lo_y_hi, x_hi_z_1, y_lo_z_2) are NOT committed to here
83 // They are provided by the merge protocol and passed to the verifier
84 auto batch = key->proving_key->commitment_key.start_batch();
85 for (const auto& [wire, label] :
86 zip_view(key->proving_key->polynomials.get_non_opqueue_wires_and_ordered_range_constraints(),
87 commitment_labels.get_non_opqueue_wires_and_ordered_range_constraints())) {
88 batch.add_to_batch(wire, label);
89 }
90 batch.commit_and_send_to_verifier(transcript);
91}
92
97void TranslatorProver::execute_grand_product_computation_round()
98{
99 // Compute and store parameters required by relations in Sumcheck
100 FF beta = transcript->template get_challenge<FF>("beta");
101 FF gamma = transcript->template get_challenge<FF>("gamma");
102 const size_t NUM_LIMB_BITS = Flavor::NUM_LIMB_BITS;
103 relation_parameters.beta = beta;
104 relation_parameters.gamma = gamma;
105 auto uint_evaluation_input = uint256_t(key->evaluation_input_x);
106 relation_parameters.evaluation_input_x = { uint_evaluation_input.slice(0, NUM_LIMB_BITS),
107 uint_evaluation_input.slice(NUM_LIMB_BITS, NUM_LIMB_BITS * 2),
108 uint_evaluation_input.slice(NUM_LIMB_BITS * 2, NUM_LIMB_BITS * 3),
109 uint_evaluation_input.slice(NUM_LIMB_BITS * 3, NUM_LIMB_BITS * 4),
110 uint_evaluation_input };
111
112 std::vector<uint256_t> uint_batching_challenge_powers;
113 auto batching_challenge_v = key->batching_challenge_v;
114 uint_batching_challenge_powers.emplace_back(batching_challenge_v);
115 auto running_power = batching_challenge_v * batching_challenge_v;
116 uint_batching_challenge_powers.emplace_back(running_power);
117 running_power *= batching_challenge_v;
118 uint_batching_challenge_powers.emplace_back(running_power);
119 running_power *= batching_challenge_v;
120 uint_batching_challenge_powers.emplace_back(running_power);
121
122 for (size_t i = 0; i < 4; i++) {
123 relation_parameters.batching_challenge_v[i] = {
124 uint_batching_challenge_powers[i].slice(0, NUM_LIMB_BITS),
125 uint_batching_challenge_powers[i].slice(NUM_LIMB_BITS, NUM_LIMB_BITS * 2),
126 uint_batching_challenge_powers[i].slice(NUM_LIMB_BITS * 2, NUM_LIMB_BITS * 3),
127 uint_batching_challenge_powers[i].slice(NUM_LIMB_BITS * 3, NUM_LIMB_BITS * 4),
128 uint_batching_challenge_powers[i]
129 };
130 }
131 // Compute constraint permutation grand product
132 compute_grand_products<Flavor>(key->proving_key->polynomials, relation_parameters);
133
134 // set has_duplicates_hint for Z_PERM (empty row = duplicate Z value)
135 commit_to_witness_polynomial(key->proving_key->polynomials.z_perm, commitment_labels.z_perm, true);
136}
137
142void TranslatorProver::execute_relation_check_rounds()
143{
144 using Sumcheck = SumcheckProver<Flavor>;
145
146 // Each linearly independent subrelation contribution is multiplied by `alpha^i`, where
147 // i = 0, ..., NUM_SUBRELATIONS- 1.
148 const FF alpha = transcript->template get_challenge<FF>("Sumcheck:alpha");
149
150 std::vector<FF> gate_challenges = transcript->template get_dyadic_powers_of_challenge<FF>(
151 "Sumcheck:gate_challenge", Flavor::CONST_TRANSLATOR_LOG_N);
152
153 const size_t circuit_size = key->proving_key->circuit_size;
154
155 Sumcheck sumcheck(circuit_size,
156 key->proving_key->polynomials,
157 transcript,
158 alpha,
159 gate_challenges,
160 relation_parameters,
161 Flavor::CONST_TRANSLATOR_LOG_N);
162
163 const size_t log_subgroup_size = static_cast<size_t>(numeric::get_msb(Flavor::Curve::SUBGROUP_SIZE));
164 // Create a temporary commitment key that is only used to initialize the ZKSumcheckData
165 // If proving in WASM, the commitment key that is part of the Translator proving key remains deallocated
166 // until we enter the PCS round
167 CommitmentKey ck(1 << (log_subgroup_size + 1));
168
169 zk_sumcheck_data = ZKData(key->proving_key->log_circuit_size, transcript, ck);
170
171 sumcheck_output = sumcheck.prove(zk_sumcheck_data);
172}
173
180void TranslatorProver::execute_pcs_rounds()
181{
182 using Curve = typename Flavor::Curve;
183 using OpeningClaim = ProverOpeningClaim<Curve>;
184 using SmallSubgroupIPA = SmallSubgroupIPAProver<Flavor>;
185 using PolynomialBatcher = GeminiProver_<Curve>::PolynomialBatcher;
186
187 auto& ck = key->proving_key->commitment_key;
188
189 SmallSubgroupIPA small_subgroup_ipa_prover(
190 zk_sumcheck_data, sumcheck_output.challenge, sumcheck_output.claimed_libra_evaluation, transcript, ck);
191 small_subgroup_ipa_prover.prove();
192
193 PolynomialBatcher polynomial_batcher(key->proving_key->circuit_size);
194
195 // Unshifted for PCS (excludes computable precomputed — verifier computes them locally)
196 polynomial_batcher.set_unshifted(key->proving_key->polynomials.get_pcs_unshifted());
197 // Shifted for PCS (base to-be-shifted + concatenated)
198 polynomial_batcher.set_to_be_shifted_by_one(key->proving_key->polynomials.get_pcs_to_be_shifted());
199
200 const OpeningClaim prover_opening_claim =
201 ShpleminiProver_<Curve>::prove(key->proving_key->circuit_size,
202 polynomial_batcher,
203 sumcheck_output.challenge,
204 ck,
205 transcript,
206 small_subgroup_ipa_prover.get_witness_polynomials());
207
208 PCS::compute_opening_proof(ck, prover_opening_claim, transcript);
209}
210
211HonkProof TranslatorProver::export_proof()
212{
213 return transcript->export_proof();
214}
215
216HonkProof TranslatorProver::construct_proof()
217{
218 BB_BENCH_NAME("TranslatorProver::construct_proof");
219
220 // Add circuit size public input size and public inputs to transcript.
221 execute_preamble_round();
222
223 // Compute first three wire commitments
224 execute_wire_and_sorted_constraints_commitments_round();
225
226 // Fiat-Shamir: gamma
227 // Compute grand product(s) and commitments.
228 execute_grand_product_computation_round();
229
230 // Fiat-Shamir: alpha
231 // Run sumcheck subprotocol.
232 execute_relation_check_rounds();
233
234 // Fiat-Shamir: rho, y, x, z
235 // Execute Shplemini PCS
236 execute_pcs_rounds();
237 vinfo("computed opening proof");
238 return export_proof();
239}
240
246uint256_t TranslatorProver::get_accumulated_result() const
247{
248 const size_t RESULT_ROW = Flavor::RESULT_ROW;
249 return uint256_t(key->proving_key->polynomials.accumulators_binary_limbs_0[RESULT_ROW]) +
250 (uint256_t(key->proving_key->polynomials.accumulators_binary_limbs_1[RESULT_ROW]) << 68) +
251 (uint256_t(key->proving_key->polynomials.accumulators_binary_limbs_2[RESULT_ROW]) << 136) +
252 (uint256_t(key->proving_key->polynomials.accumulators_binary_limbs_3[RESULT_ROW]) << 204);
253}
254
255} // namespace bb
BB_BENCH_NAME
#define BB_BENCH_NAME(name)
Definition bb_bench.hpp:264
BB_BENCH
#define BB_BENCH()
Definition bb_bench.hpp:268
bb::FixedVKAndHash_
Simple verification key class for fixed-size circuits (ECCVM, Translator, AVM).
Definition flavor.hpp:103
bb::GeminiProver_::PolynomialBatcher
Class responsible for computation of the batched multilinear polynomials required by the Gemini proto...
Definition gemini.hpp:128
bb::OpeningClaim
Unverified claim (C,r,v) for some witness polynomial p(X) such that.
Definition claim.hpp:55
bb::Polynomial::random
static Polynomial random(size_t size, size_t start_index=0)
Definition polynomial.hpp:311
bb::ProverOpeningClaim
Polynomial p and an opening pair (r,v) such that p(r) = v.
Definition claim.hpp:36
bb::ShpleminiProver_::prove
static OpeningClaim prove(size_t circuit_size, PolynomialBatcher &polynomial_batcher, std::span< FF > multilinear_challenge, const CommitmentKey< Curve > &commitment_key, const std::shared_ptr< Transcript > &transcript, const std::array< Polynomial, NUM_SMALL_IPA_EVALUATIONS > &libra_polynomials={}, const std::vector< Polynomial > &sumcheck_round_univariates={}, const std::vector< std::array< FF, 3 > > &sumcheck_round_evaluations={})
Definition shplemini.hpp:37
bb::SmallSubgroupIPAProver
A Curve-agnostic ZK protocol to prove inner products of small vectors.
Definition small_subgroup_ipa.hpp:69
bb::SumcheckProver
The implementation of the sumcheck Prover for statements of the form for multilinear polynomials .
Definition sumcheck.hpp:294
bb::TranslatorFlavor::CONST_TRANSLATOR_LOG_N
static constexpr size_t CONST_TRANSLATOR_LOG_N
Definition translator_flavor.hpp:89
bb::TranslatorFlavor::NUM_LIMB_BITS
static constexpr size_t NUM_LIMB_BITS
Definition translator_flavor.hpp:128
bb::TranslatorFlavor::RESULT_ROW
static constexpr size_t RESULT_ROW
Definition translator_flavor.hpp:108
bb::TranslatorProver::commitment_labels
CommitmentLabels commitment_labels
Definition translator_prover.hpp:56
bb::TranslatorProver::CommitmentKey
typename Flavor::CommitmentKey CommitmentKey
Definition translator_prover.hpp:25
bb::TranslatorProver::execute_relation_check_rounds
BB_PROFILE void execute_relation_check_rounds()
Run Sumcheck resulting in u = (u_1,...,u_d) challenges and all evaluations at u being calculated.
Definition translator_prover.cpp:142
bb::TranslatorProver::execute_preamble_round
BB_PROFILE void execute_preamble_round()
Add circuit size and values used in the relations to the transcript.
Definition translator_prover.cpp:35
bb::TranslatorProver::get_accumulated_result
uint256_t get_accumulated_result() const
Extract the accumulated result from the circuit.
Definition translator_prover.cpp:246
bb::TranslatorProver::TranslatorProver
TranslatorProver(const std::shared_ptr< TranslatorProvingKey > &key, const std::shared_ptr< Transcript > &transcript)
Definition translator_prover.cpp:22
bb::TranslatorProver::execute_grand_product_computation_round
BB_PROFILE void execute_grand_product_computation_round()
Compute permutation product polynomial and commitments.
Definition translator_prover.cpp:97
bb::TranslatorProver::key
std::shared_ptr< TranslatorProvingKey > key
Definition translator_prover.hpp:54
bb::TranslatorProver::relation_parameters
bb::RelationParameters< FF > relation_parameters
Definition translator_prover.hpp:52
bb::TranslatorProver::transcript
std::shared_ptr< Transcript > transcript
Definition translator_prover.hpp:50
bb::TranslatorProver::ZKData
ZKSumcheckData< Flavor > ZKData
Definition translator_prover.hpp:31
bb::TranslatorProver::execute_wire_and_sorted_constraints_commitments_round
BB_PROFILE void execute_wire_and_sorted_constraints_commitments_round()
Compute commitments to wires and ordered range constraints.
Definition translator_prover.cpp:70
bb::TranslatorProver::sumcheck_output
SumcheckOutput< Flavor > sumcheck_output
Definition translator_prover.hpp:60
bb::TranslatorProver::Polynomial
typename Flavor::Polynomial Polynomial
Definition translator_prover.hpp:27
bb::TranslatorProver::execute_pcs_rounds
BB_PROFILE void execute_pcs_rounds()
Produce a univariate opening claim for the sumcheck multivariate evalutions and a batched univariate ...
Definition translator_prover.cpp:180
bb::TranslatorProver::commit_to_witness_polynomial
void commit_to_witness_polynomial(Polynomial &polynomial, const std::string &label, bool has_duplicates_hint=false)
Utility to commit to witness polynomial and send the commitment to verifier.
Definition translator_prover.cpp:59
bb::TranslatorProver::FF
typename Flavor::FF FF
Definition translator_prover.hpp:22
bb::numeric::uint256_t
Definition uint256.hpp:32
zip_view
Definition zip_view.hpp:166
commitment_key.hpp
vinfo
#define vinfo(...)
Definition log.hpp:94
grand_product_library.hpp
key
FF key
Definition indexed_memory_tree.test.cpp:19
bb::numeric::get_msb
constexpr T get_msb(const T in)
Definition get_msb.hpp:50
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
bb::HonkProof
std::vector< fr > HonkProof
Definition proof.hpp:15
bb::ck
CommitmentKey< Curve > ck
Definition ipa.fuzzer.cpp:20
bb::vk
VerifierCommitmentKey< Curve > vk
Definition ipa.fuzzer.cpp:21
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
small_subgroup_ipa.hpp
bb::RelationParameters::batching_challenge_v
std::array< std::array< T, NUM_BINARY_LIMBS_IN_GOBLIN_TRANSLATOR+NUM_NATIVE_LIMBS_IN_GOBLIN_TRANSLATOR >, NUM_CHALLENGE_POWERS_IN_GOBLIN_TRANSLATOR > batching_challenge_v
Definition relation_parameters.hpp:64
bb::RelationParameters::accumulated_result
std::array< T, NUM_BINARY_LIMBS_IN_GOBLIN_TRANSLATOR > accumulated_result
Definition relation_parameters.hpp:58
bb::RelationParameters::evaluation_input_x
std::array< T, NUM_BINARY_LIMBS_IN_GOBLIN_TRANSLATOR+NUM_NATIVE_LIMBS_IN_GOBLIN_TRANSLATOR > evaluation_input_x
Definition relation_parameters.hpp:59
translator_decomposition_short_relation_impl.hpp
translator_delta_range_constraint_short_relation_impl.hpp
translator_extra_short_relations_impl.hpp
translator_non_native_field_short_relation_impl.hpp
translator_permutation_short_relation_impl.hpp
translator_prover.hpp