From 859f33d4c25f4926fb499622912853c998b209cf Mon Sep 17 00:00:00 2001 From: maramihali Date: Wed, 18 Sep 2024 10:48:41 +0000 Subject: [PATCH 01/31] create a gemini prover and cleanup --- barretenberg/cpp/CMakePresets.json | 2 +- .../commitment_key.test.hpp | 12 +- .../commitment_schemes/gemini/gemini.cpp | 93 +++- .../commitment_schemes/gemini/gemini.hpp | 94 ++-- .../commitment_schemes/gemini/gemini.test.cpp | 85 +--- .../commitment_schemes/ipa/ipa.test.cpp | 111 ++--- .../commitment_schemes/kzg/kzg.test.cpp | 116 +---- .../shplonk/shplemini_verifier.test.cpp | 454 +++++++++--------- .../commitment_schemes/wrapper.hpp | 14 - .../shplemini.test.cpp | 6 +- .../barretenberg/polynomials/polynomial.hpp | 7 + .../stdlib_circuit_builders/ultra_flavor.hpp | 5 +- 12 files changed, 447 insertions(+), 552 deletions(-) delete mode 100644 barretenberg/cpp/src/barretenberg/commitment_schemes/wrapper.hpp diff --git a/barretenberg/cpp/CMakePresets.json b/barretenberg/cpp/CMakePresets.json index 140b5780ed01..b45ca9cea38f 100644 --- a/barretenberg/cpp/CMakePresets.json +++ b/barretenberg/cpp/CMakePresets.json @@ -98,7 +98,7 @@ "displayName": "Debugging build with Clang-16", "description": "Build with globally installed Clang-16 in debug mode", "inherits": "clang16", - "binaryDir": "build-debug", + "binaryDir": "build", "environment": { "CMAKE_BUILD_TYPE": "Debug", "CFLAGS": "-gdwarf-4", diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/commitment_key.test.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/commitment_key.test.hpp index 76956dd7ae92..d40cf153d54d 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/commitment_key.test.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/commitment_key.test.hpp @@ -139,14 +139,12 @@ template class CommitmentTest : public ::testing::Test { * @brief Ensures that a set of opening pairs is correct by checking that evaluations are * correct by recomputing them from each witness polynomial. */ - void verify_batch_opening_pair(std::span> opening_pairs, - std::span witnesses) + void verify_batch_opening_pair(std::vector> opening_claims) { - const size_t num_pairs = opening_pairs.size(); - ASSERT_EQ(witnesses.size(), num_pairs); - - for (size_t j = 0; j < num_pairs; ++j) { - this->verify_opening_pair(opening_pairs[j], witnesses[j]); + for (auto claim : opening_claims) { + auto& [x, y] = claim.opening_pair; + Fr y_expected = claim.polynomial.evaluate(x); + EXPECT_EQ(y, y_expected) << "OpeningPair: evaluations mismatch"; } } diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.cpp index 679857e1d66e..1518dcf4e15c 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.cpp @@ -1,10 +1,8 @@ - #include "gemini.hpp" #include "barretenberg/common/thread.hpp" #include #include -#include /** * @brief Protocol for opening several multi-linear polynomials at the same point. @@ -16,7 +14,7 @@ * f₀, …, fₖ₋₁ = multilinear polynomials, * g₀, …, gₕ₋₁ = shifted multilinear polynomial, * Each gⱼ is the left-shift of some f↺ᵢ, and gⱼ points to the same memory location as fᵢ. - * v₀, …, vₖ₋₁, v↺₀, …, v↺ₕ₋₁ = multilinear evalutions s.t. fⱼ(u) = vⱼ, and gⱼ(u) = f↺ⱼ(u) = v↺ⱼ + * v₀, …, vₖ₋₁, v↺₀, …, v↺ₕ₋₁ = multilinear evalutions s.t. fⱼ(u) = vⱼ, and gⱼ(u) = f↺ⱼ(u) = v↺ⱼ * * We use a challenge ρ to create a random linear combination of all fⱼ, * and actually define A₀ = F + G↺, where @@ -43,6 +41,55 @@ * since they are linear-combinations of the commitments [fⱼ] and [gⱼ]. */ namespace bb { +template +std::vector::Claim> GeminiProver_::prove( + const std::shared_ptr>& commitment_key, + std::span multilinear_challenge, + std::span multilinear_evaluations, /* u */ + RefSpan f_polynomials, // unshifted + RefSpan g_polynomials, // to-be-shifted + std::shared_ptr& transcript) +{ + ASSERT(multilinear_evaluations.size() == f_polynomials.size() + g_polynomials.size()); + Fr rho = transcript->template get_challenge("rho"); + std::vector rhos = gemini::powers_of_rho(rho, multilinear_evaluations.size()); + + // Compute batched multivariate evaluation + Fr batched_evaluation = Fr::zero(); + for (size_t i = 0; i < rhos.size(); ++i) { + batched_evaluation += multilinear_evaluations[i] * rhos[i]; + } + + size_t log_n = multilinear_challenge.size(); + size_t n = 1 << log_n; + // Compute batched polynomials + Polynomial batched_unshifted(n); + // TODO(mara): use shiftable, after you understand how it works + Polynomial batched_to_be_shifted = Polynomial::shiftable(1 << log_n); + + const size_t num_unshifted = f_polynomials.size(); + const size_t num_to_be_shifted = g_polynomials.size(); + for (size_t i = 0; i < num_unshifted; i++) { + batched_unshifted.add_scaled(f_polynomials[i], rhos[i]); + } + for (size_t i = 0; i < num_to_be_shifted; i++) { + batched_to_be_shifted.add_scaled(g_polynomials[i], rhos[num_unshifted + i]); + } + + // log_n + 2 + auto fold_polynomials = + compute_fold_polynomials(multilinear_challenge, std::move(batched_unshifted), std::move(batched_to_be_shifted)); + + // Commit to the folded polynomials (except the first two, explain why the first two are left out) and send the + // commitment to the verifier + for (size_t l = 0; l < log_n - 1; l++) { + transcript->send_to_verifier("Gemini:FOLD_" + std::to_string(l + 1), + commitment_key->commit(fold_polynomials[l + 2])); + } + const Fr r_challenge = transcript->template get_challenge("Gemini:r"); + return compute_fold_polynomial_evaluations( + multilinear_challenge, std::move(fold_polynomials), r_challenge, transcript); +}; /** * @brief Computes d-1 fold polynomials Fold_i, i = 1, ..., d-1 @@ -53,9 +100,10 @@ namespace bb { * @return std::vector */ template -std::vector::Polynomial> GeminiProver_::compute_gemini_polynomials( +std::vector::Polynomial> GeminiProver_::compute_fold_polynomials( std::span mle_opening_point, Polynomial&& batched_unshifted, Polynomial&& batched_to_be_shifted) { + const size_t num_variables = mle_opening_point.size(); // m const size_t num_threads = get_num_cpus_pow2(); @@ -141,13 +189,16 @@ std::vector::Polynomial> GeminiProver_::com * @param r_challenge univariate opening challenge */ template -GeminiProverOutput GeminiProver_::compute_fold_polynomial_evaluations( - std::span mle_opening_point, std::vector&& gemini_polynomials, const Fr& r_challenge) +std::vector::Claim> GeminiProver_::compute_fold_polynomial_evaluations( + std::span mle_opening_point, + std::vector&& fold_polynomials, + const Fr& r_challenge, + std::shared_ptr& transcript) { const size_t num_variables = mle_opening_point.size(); // m - Polynomial& batched_F = gemini_polynomials[0]; // F(X) = ∑ⱼ ρʲ fⱼ(X) - Polynomial& batched_G = gemini_polynomials[1]; // G(X) = ∑ⱼ ρᵏ⁺ʲ gⱼ(X) + Polynomial& batched_F = fold_polynomials[0]; // F(X) = ∑ⱼ ρʲ fⱼ(X) + Polynomial& batched_G = fold_polynomials[1]; // G(X) = ∑ⱼ ρᵏ⁺ʲ gⱼ(X) // Compute univariate opening queries rₗ = r^{2ˡ} for l = 0, 1, ..., m-1 std::vector r_squares = gemini::powers_of_evaluation_challenge(r_challenge, num_variables); @@ -156,36 +207,36 @@ GeminiProverOutput GeminiProver_::compute_fold_polynomial_evaluati Fr r_inv = r_challenge.invert(); batched_G *= r_inv; - // Construct A₀₊ = F + G/r and A₀₋ = F - G/r in place in gemini_polynomials + // Construct A₀₊ = F + G/r and A₀₋ = F - G/r in place in fold_polynomials Polynomial tmp = batched_F; - Polynomial& A_0_pos = gemini_polynomials[0]; + Polynomial& A_0_pos = fold_polynomials[0]; // A₀₊(X) = F(X) + G(X)/r, s.t. A₀₊(r) = A₀(r) A_0_pos += batched_G; // Perform a swap so that tmp = G(X)/r and A_0_neg = F(X) std::swap(tmp, batched_G); - Polynomial& A_0_neg = gemini_polynomials[1]; + Polynomial& A_0_neg = fold_polynomials[1]; // A₀₋(X) = F(X) - G(X)/r, s.t. A₀₋(-r) = A₀(-r) A_0_neg -= tmp; - std::vector> fold_poly_opening_pairs; - fold_poly_opening_pairs.reserve(num_variables + 1); + std::vector opening_claims; + opening_claims.reserve(num_variables + 1); // Compute first opening pair {r, A₀(r)} - fold_poly_opening_pairs.emplace_back( - OpeningPair{ r_challenge, gemini_polynomials[0].evaluate(r_challenge) }); - + Fr evaluation = fold_polynomials[0].evaluate(r_challenge); + opening_claims.emplace_back( + Claim{ fold_polynomials[0], { r_challenge, fold_polynomials[0].evaluate(r_challenge) } }); // Compute the remaining m opening pairs {−r^{2ˡ}, Aₗ(−r^{2ˡ})}, l = 0, ..., m-1. for (size_t l = 0; l < num_variables; ++l) { - fold_poly_opening_pairs.emplace_back( - OpeningPair{ -r_squares[l], gemini_polynomials[l + 1].evaluate(-r_squares[l]) }); + evaluation = fold_polynomials[l + 1].evaluate(-r_squares[l]); + transcript->send_to_verifier("Gemini:a_" + std::to_string(l + 1), evaluation); + opening_claims.emplace_back(Claim{ fold_polynomials[l + 1], { -r_squares[l], evaluation } }); } - return { fold_poly_opening_pairs, std::move(gemini_polynomials) }; + return opening_claims; }; - template class GeminiProver_; template class GeminiProver_; -}; // namespace bb +} // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp index bc3034bc7533..89c1dc8acf99 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp @@ -1,6 +1,6 @@ #pragma once -#include "../claim.hpp" +#include "barretenberg/commitment_schemes/claim.hpp" #include "barretenberg/polynomials/polynomial.hpp" #include "barretenberg/transcript/transcript.hpp" @@ -57,10 +57,6 @@ namespace bb { * ] * @tparam Curve CommitmentScheme parameters */ -template struct GeminiProverOutput { - std::vector> opening_pairs; - std::vector> witnesses; -}; namespace gemini { /** @@ -102,15 +98,25 @@ template inline std::vector powers_of_evaluation_challenge(const template class GeminiProver_ { using Fr = typename Curve::ScalarField; using Polynomial = bb::Polynomial; + using Claim = ProverOpeningClaim; public: - static std::vector compute_gemini_polynomials(std::span mle_opening_point, - Polynomial&& batched_unshifted, - Polynomial&& batched_to_be_shifted); + static std::vector compute_fold_polynomials(std::span multilinear_evaluations, + Polynomial&& batched_unshifted, + Polynomial&& batched_to_be_shifted); + + static std::vector compute_fold_polynomial_evaluations(std::span multilinear_evaluations, + std::vector&& gemini_polynomials, + const Fr& r_challenge, + std::shared_ptr& transcript); - static GeminiProverOutput compute_fold_polynomial_evaluations(std::span mle_opening_point, - std::vector&& gemini_polynomials, - const Fr& r_challenge); + // TODO(Mara): consider if we should template this by transcript to use with a test transcript + static std::vector prove(const std::shared_ptr>& commitment_key, + std::span multilinear_challenge, + std::span multilinear_evaluations, + RefSpan f_polynomials, + RefSpan g_polynomials, + std::shared_ptr& transcript); }; // namespace bb template class GeminiVerifier_ { @@ -122,22 +128,42 @@ template class GeminiVerifier_ { /** * @brief Returns univariate opening claims for the Fold polynomials to be checked later * - * @param mle_opening_point the MLE evaluation point u + * @param multilinear_evaluations the MLE evaluation point u * @param batched_evaluation batched evaluation from multivariate evals at the point u - * @param batched_f batched commitment to unshifted polynomials - * @param batched_g batched commitment to to-be-shifted polynomials + * @param batched_commitment_unshifted batched commitment to unshifted polynomials + * @param batched_commitment_to_be_shifted batched commitment to to-be-shifted polynomials * @param proof commitments to the m-1 folded polynomials, and alleged evaluations. * @param transcript * @return Fold polynomial opening claims: (r, A₀(r), C₀₊), (-r, A₀(-r), C₀₋), and * (Cⱼ, Aⱼ(-r^{2ʲ}), -r^{2}), j = [1, ..., m-1] */ - static std::vector> reduce_verification(std::span mle_opening_point, /* u */ - Fr& batched_evaluation, /* all */ - GroupElement& batched_f, /* unshifted */ - GroupElement& batched_g, /* to-be-shifted */ + static std::vector> reduce_verification(std::span multilinear_challenge, + std::span multilinear_evaluations, /* u */ + RefSpan unshifted_commitments, + RefSpan to_be_shifted_commitments, auto& transcript) { - const size_t num_variables = mle_opening_point.size(); + const size_t num_variables = multilinear_challenge.size(); + + Fr rho = transcript->template get_challenge("rho"); + std::vector rhos = gemini::powers_of_rho(rho, multilinear_evaluations.size()); + + GroupElement batched_commitment_unshifted = GroupElement::zero(); + GroupElement batched_commitment_to_be_shifted = GroupElement::zero(); + + Fr batched_evaluation = Fr::zero(); + for (size_t i = 0; i < multilinear_evaluations.size(); ++i) { + batched_evaluation += multilinear_evaluations[i] * rhos[i]; + } + + const size_t num_unshifted = unshifted_commitments.size(); + const size_t num_to_be_shifted = to_be_shifted_commitments.size(); + for (size_t i = 0; i < num_unshifted; i++) { + batched_commitment_unshifted += unshifted_commitments[i] * rhos[i]; + } + for (size_t i = 0; i < num_to_be_shifted; i++) { + batched_commitment_to_be_shifted += to_be_shifted_commitments[i] * rhos[num_unshifted + i]; + } // Get polynomials Fold_i, i = 1,...,m-1 from transcript const std::vector commitments = get_gemini_commitments(num_variables, transcript); @@ -149,12 +175,13 @@ template class GeminiVerifier_ { // Get evaluations a_i, i = 0,...,m-1 from transcript const std::vector evaluations = get_gemini_evaluations(num_variables, transcript); // Compute evaluation A₀(r) - auto a_0_pos = - compute_gemini_batched_univariate_evaluation(batched_evaluation, mle_opening_point, r_squares, evaluations); + auto a_0_pos = compute_gemini_batched_univariate_evaluation( + batched_evaluation, multilinear_challenge, r_squares, evaluations); // C₀_r_pos = ∑ⱼ ρʲ⋅[fⱼ] + r⁻¹⋅∑ⱼ ρᵏ⁺ʲ [gⱼ] // C₀_r_pos = ∑ⱼ ρʲ⋅[fⱼ] - r⁻¹⋅∑ⱼ ρᵏ⁺ʲ [gⱼ] - auto [c0_r_pos, c0_r_neg] = compute_simulated_commitments(batched_f, batched_g, r); + auto [c0_r_pos, c0_r_neg] = + compute_simulated_commitments(batched_commitment_unshifted, batched_commitment_to_be_shifted, r); std::vector> fold_polynomial_opening_claims; fold_polynomial_opening_claims.reserve(num_variables + 1); @@ -246,14 +273,13 @@ template class GeminiVerifier_ { /** * @brief Computes two commitments to A₀ partially evaluated in r and -r. * - * @param batched_f batched commitment to non-shifted polynomials - * @param batched_g batched commitment to to-be-shifted polynomials + * @param batched_commitment_unshifted batched commitment to non-shifted polynomials + * @param batched_commitment_to_be_shifted batched commitment to to-be-shifted polynomials * @param r evaluation point at which we have partially evaluated A₀ at r and -r. * @return std::pair c0_r_pos, c0_r_neg */ - static std::pair compute_simulated_commitments(GroupElement& batched_f, - GroupElement& batched_g, - Fr r) + static std::pair compute_simulated_commitments( + GroupElement& batched_commitment_unshifted, GroupElement& batched_commitment_to_be_shifted, Fr r) { // C₀ᵣ₊ = [F] + r⁻¹⋅[G] GroupElement C0_r_pos; @@ -265,7 +291,7 @@ template class GeminiVerifier_ { // TODO(#673): The following if-else represents the stldib/native code paths. Once the "native" verifier is // achieved through a builder Simulator, the stdlib codepath should become the only codepath. if constexpr (Curve::is_stdlib_type) { - std::vector commitments = { batched_f, batched_g }; + std::vector commitments = { batched_commitment_unshifted, batched_commitment_to_be_shifted }; auto builder = r.get_context(); auto one = Fr(builder, 1); // TODO(#707): these batch muls include the use of 1 as a scalar. This is handled appropriately as a non-mul @@ -274,12 +300,12 @@ template class GeminiVerifier_ { C0_r_pos = GroupElement::batch_mul(commitments, { one, r_inv }); C0_r_neg = GroupElement::batch_mul(commitments, { one, -r_inv }); } else { - C0_r_pos = batched_f; - C0_r_neg = batched_f; - if (!batched_g.is_point_at_infinity()) { - batched_g = batched_g * r_inv; - C0_r_pos += batched_g; - C0_r_neg -= batched_g; + C0_r_pos = batched_commitment_unshifted; + C0_r_neg = batched_commitment_unshifted; + if (!batched_commitment_to_be_shifted.is_point_at_infinity()) { + batched_commitment_to_be_shifted = batched_commitment_to_be_shifted * r_inv; + C0_r_pos += batched_commitment_to_be_shifted; + C0_r_neg -= batched_commitment_to_be_shifted; } } diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.test.cpp index 1da66356c642..a7a7a86b4837 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.test.cpp @@ -16,67 +16,28 @@ template class GeminiTest : public CommitmentTest { using GroupElement = typename Curve::Element; public: - void execute_gemini_and_verify_claims(size_t log_n, - std::vector multilinear_evaluation_point, - std::vector multilinear_evaluations, - std::vector> multilinear_polynomials, - std::vector> multilinear_polynomials_to_be_shifted, - std::vector multilinear_commitments, - std::vector multilinear_commitments_to_be_shifted) + void execute_gemini_and_verify_claims([[maybe_unused]] size_t log_n, + std::vector& multilinear_evaluation_point, + std::vector& multilinear_evaluations, + std::vector>& multilinear_polynomials, + std::vector>& multilinear_polynomials_to_be_shifted, + std::vector& multilinear_commitments, + std::vector& multilinear_commitments_to_be_shifted) { auto prover_transcript = NativeTranscript::prover_init_empty(); - const Fr rho = Fr::random_element(); - - std::vector rhos = gemini::powers_of_rho(rho, multilinear_evaluations.size()); - - // Compute batched multivariate evaluation - Fr batched_evaluation = Fr::zero(); - for (size_t i = 0; i < multilinear_evaluations.size(); ++i) { - batched_evaluation += multilinear_evaluations[i] * rhos[i]; - } - - Polynomial batched_unshifted(1 << log_n); - Polynomial batched_to_be_shifted = Polynomial::shiftable(1 << log_n); - GroupElement batched_commitment_unshifted = GroupElement::zero(); - GroupElement batched_commitment_to_be_shifted = GroupElement::zero(); - const size_t num_unshifted = multilinear_polynomials.size(); - const size_t num_shifted = multilinear_polynomials_to_be_shifted.size(); - for (size_t i = 0; i < num_unshifted; ++i) { - batched_unshifted.add_scaled(multilinear_polynomials[i], rhos[i]); - batched_commitment_unshifted += multilinear_commitments[i] * rhos[i]; - } - for (size_t i = 0; i < num_shifted; ++i) { - size_t rho_idx = num_unshifted + i; - batched_to_be_shifted.add_scaled(multilinear_polynomials_to_be_shifted[i], rhos[rho_idx]); - batched_commitment_to_be_shifted += multilinear_commitments_to_be_shifted[i] * rhos[rho_idx]; - } - // Compute: // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1 // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1 - auto gemini_polynomials = GeminiProver::compute_gemini_polynomials( - multilinear_evaluation_point, std::move(batched_unshifted), std::move(batched_to_be_shifted)); - - for (size_t l = 0; l < log_n - 1; ++l) { - std::string label = "FOLD_" + std::to_string(l + 1); - auto commitment = this->ck()->commit(gemini_polynomials[l + 2]); - prover_transcript->send_to_verifier(label, commitment); - } - - const Fr r_challenge = prover_transcript->get_challenge("Gemini:r"); - - auto prover_output = GeminiProver::compute_fold_polynomial_evaluations( - multilinear_evaluation_point, std::move(gemini_polynomials), r_challenge); - - for (size_t l = 0; l < log_n; ++l) { - std::string label = "Gemini:a_" + std::to_string(l); - const auto& evaluation = prover_output.opening_pairs[l + 1].evaluation; - prover_transcript->send_to_verifier(label, evaluation); - } + auto prover_output = GeminiProver::prove(this->commitment_key, + multilinear_evaluation_point, + multilinear_evaluations, + RefVector(multilinear_polynomials), + RefVector(multilinear_polynomials_to_be_shifted), + prover_transcript); // Check that the Fold polynomials have been evaluated correctly in the prover - this->verify_batch_opening_pair(prover_output.opening_pairs, prover_output.witnesses); + this->verify_batch_opening_pair(prover_output); auto verifier_transcript = NativeTranscript::verifier_init_empty(prover_transcript); @@ -84,19 +45,17 @@ template class GeminiTest : public CommitmentTest { // - Single opening pair: {r, \hat{a}_0} // - 2 partially evaluated Fold polynomial commitments [Fold_{r}^(0)] and [Fold_{-r}^(0)] // Aggregate: d+1 opening pairs and d+1 Fold poly commitments into verifier claim - auto verifier_claim = GeminiVerifier::reduce_verification(multilinear_evaluation_point, - batched_evaluation, - batched_commitment_unshifted, - batched_commitment_to_be_shifted, - verifier_transcript); + auto verifier_claims = GeminiVerifier::reduce_verification(multilinear_evaluation_point, + multilinear_evaluations, + RefVector(multilinear_commitments), + RefVector(multilinear_commitments_to_be_shifted), + verifier_transcript); // Check equality of the opening pairs computed by prover and verifier - for (size_t i = 0; i < (log_n + 1); ++i) { - ASSERT_EQ(prover_output.opening_pairs[i], verifier_claim[i].opening_pair); + for (auto [prover_claim, verifier_claim] : zip_view(prover_output, verifier_claims)) { + ASSERT_EQ(prover_claim.opening_pair, verifier_claim.opening_pair); + this->verify_opening_claim(verifier_claim, prover_claim.polynomial); } - - // Explicitly verify the claims computed by the verfier - this->verify_batch_opening_claim(verifier_claim, prover_output.witnesses); } }; diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp index c8ad9c652db3..5905b5a7288d 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp @@ -77,8 +77,8 @@ TEST_F(IPATest, OpenZeroPolynomial) EXPECT_TRUE(result); } -// This test makes sure that even if the whole vector \vec{b} generated from the x, at which we open the polynomial, is -// zero, IPA behaves +// This test makes sure that even if the whole vector \vec{b} generated from the x, at which we open the polynomial, +// is zero, IPA behaves TEST_F(IPATest, OpenAtZero) { using IPA = IPA; @@ -244,8 +244,6 @@ TEST_F(IPATest, GeminiShplonkIPAWithShift) const size_t n = 8; const size_t log_n = 3; - Fr rho = Fr::random_element(); - // Generate multilinear polynomials, their commitments (genuine and mocked) and evaluations (genuine) at a random // point. auto mle_opening_point = this->random_evaluation_point(log_n); // sometimes denoted 'u' @@ -261,59 +259,29 @@ TEST_F(IPATest, GeminiShplonkIPAWithShift) std::vector multilinear_evaluations = { eval1, eval2, eval2_shift }; - std::vector rhos = gemini::powers_of_rho(rho, multilinear_evaluations.size()); - - Fr batched_evaluation = Fr::zero(); - for (size_t i = 0; i < rhos.size(); ++i) { - batched_evaluation += multilinear_evaluations[i] * rhos[i]; - } - - Polynomial batched_unshifted(n); - Polynomial batched_to_be_shifted = Polynomial::shiftable(n); - batched_unshifted.add_scaled(poly1, rhos[0]); - batched_unshifted.add_scaled(poly2, rhos[1]); - batched_to_be_shifted.add_scaled(poly2, rhos[2]); - - GroupElement batched_commitment_unshifted = GroupElement::zero(); - GroupElement batched_commitment_to_be_shifted = GroupElement::zero(); - batched_commitment_unshifted = commitment1 * rhos[0] + commitment2 * rhos[1]; - batched_commitment_to_be_shifted = commitment2 * rhos[2]; - auto prover_transcript = NativeTranscript::prover_init_empty(); - auto gemini_polynomials = GeminiProver::compute_gemini_polynomials( - mle_opening_point, std::move(batched_unshifted), std::move(batched_to_be_shifted)); + // Run the full prover PCS protocol: - for (size_t l = 0; l < log_n - 1; ++l) { - std::string label = "FOLD_" + std::to_string(l + 1); - auto commitment = this->ck()->commit(gemini_polynomials[l + 2]); - prover_transcript->send_to_verifier(label, commitment); - } - - const Fr r_challenge = prover_transcript->template get_challenge("Gemini:r"); - - const auto [gemini_opening_pairs, gemini_witnesses] = GeminiProver::compute_fold_polynomial_evaluations( - mle_opening_point, std::move(gemini_polynomials), r_challenge); + // Compute: + // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1 + // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1 + auto prover_opening_claims = GeminiProver::prove(this->ck(), + mle_opening_point, + multilinear_evaluations, + RefArray{ poly1, poly2 }, + RefArray{ poly2 }, + prover_transcript); - std::vector> opening_claims; - - for (size_t l = 0; l < log_n; ++l) { - std::string label = "Gemini:a_" + std::to_string(l); - const auto& evaluation = gemini_opening_pairs[l + 1].evaluation; - prover_transcript->send_to_verifier(label, evaluation); - opening_claims.push_back({ gemini_witnesses[l], gemini_opening_pairs[l] }); - } - opening_claims.push_back({ gemini_witnesses[log_n], gemini_opening_pairs[log_n] }); - - const auto opening_claim = ShplonkProver::prove(this->ck(), opening_claims, prover_transcript); + const auto opening_claim = ShplonkProver::prove(this->ck(), prover_opening_claims, prover_transcript); IPA::compute_opening_proof(this->ck(), opening_claim, prover_transcript); auto verifier_transcript = NativeTranscript::verifier_init_empty(prover_transcript); auto gemini_verifier_claim = GeminiVerifier::reduce_verification(mle_opening_point, - batched_evaluation, - batched_commitment_unshifted, - batched_commitment_to_be_shifted, + multilinear_evaluations, + RefArray{ commitment1, commitment2 }, + RefArray{ commitment2 }, verifier_transcript); const auto shplonk_verifier_claim = @@ -348,45 +316,20 @@ TEST_F(IPATest, ShpleminiIPAWithShift) std::vector multilinear_evaluations = { eval1, eval2, eval2_shift }; auto prover_transcript = NativeTranscript::prover_init_empty(); - Fr rho = prover_transcript->template get_challenge("rho"); - std::vector rhos = gemini::powers_of_rho(rho, multilinear_evaluations.size()); - - Fr batched_evaluation = Fr::zero(); - for (size_t i = 0; i < rhos.size(); ++i) { - batched_evaluation += multilinear_evaluations[i] * rhos[i]; - } - - Polynomial batched_unshifted(n); - Polynomial batched_to_be_shifted = Polynomial::shiftable(n); - batched_unshifted.add_scaled(poly1, rhos[0]); - batched_unshifted.add_scaled(poly2, rhos[1]); - batched_to_be_shifted.add_scaled(poly2, rhos[2]); - - auto gemini_polynomials = GeminiProver::compute_gemini_polynomials( - mle_opening_point, std::move(batched_unshifted), std::move(batched_to_be_shifted)); - for (size_t l = 0; l < log_n - 1; ++l) { - std::string label = "FOLD_" + std::to_string(l + 1); - auto commitment = this->ck()->commit(gemini_polynomials[l + 2]); - prover_transcript->send_to_verifier(label, commitment); - } - - const Fr r_challenge = prover_transcript->template get_challenge("Gemini:r"); - - const auto [gemini_opening_pairs, gemini_witnesses] = GeminiProver::compute_fold_polynomial_evaluations( - mle_opening_point, std::move(gemini_polynomials), r_challenge); + // Run the full prover PCS protocol: - std::vector> opening_claims; - - for (size_t l = 0; l < log_n; ++l) { - std::string label = "Gemini:a_" + std::to_string(l); - const auto& evaluation = gemini_opening_pairs[l + 1].evaluation; - prover_transcript->send_to_verifier(label, evaluation); - opening_claims.push_back({ gemini_witnesses[l], gemini_opening_pairs[l] }); - } - opening_claims.push_back({ gemini_witnesses[log_n], gemini_opening_pairs[log_n] }); + // Compute: + // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1 + // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1 + auto prover_opening_claims = GeminiProver::prove(this->ck(), + mle_opening_point, + multilinear_evaluations, + RefArray{ poly1, poly2 }, + RefArray{ poly2 }, + prover_transcript); - const auto opening_claim = ShplonkProver::prove(this->ck(), opening_claims, prover_transcript); + const auto opening_claim = ShplonkProver::prove(this->ck(), prover_opening_claims, prover_transcript); IPA::compute_opening_proof(this->ck(), opening_claim, prover_transcript); auto verifier_transcript = NativeTranscript::verifier_init_empty(prover_transcript); diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp index ded35bb6a425..92e7f2614e6b 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp @@ -69,8 +69,6 @@ TYPED_TEST(KZGTest, GeminiShplonkKzgWithShift) const size_t n = 16; const size_t log_n = 4; - Fr rho = Fr::random_element(); - // Generate multilinear polynomials, their commitments (genuine and mocked) and evaluations (genuine) at a random // point. auto mle_opening_point = this->random_evaluation_point(log_n); // sometimes denoted 'u' @@ -87,27 +85,6 @@ TYPED_TEST(KZGTest, GeminiShplonkKzgWithShift) // Collect multilinear evaluations for input to prover std::vector multilinear_evaluations = { eval1, eval2, eval2_shift }; - std::vector rhos = gemini::powers_of_rho(rho, multilinear_evaluations.size()); - - // Compute batched multivariate evaluation - Fr batched_evaluation = Fr::zero(); - for (size_t i = 0; i < rhos.size(); ++i) { - batched_evaluation += multilinear_evaluations[i] * rhos[i]; - } - - // Compute batched polynomials - Polynomial batched_unshifted(n); - Polynomial batched_to_be_shifted = Polynomial::shiftable(n); - batched_unshifted.add_scaled(poly1, rhos[0]); - batched_unshifted.add_scaled(poly2, rhos[1]); - batched_to_be_shifted.add_scaled(poly2, rhos[2]); - - // Compute batched commitments - GroupElement batched_commitment_unshifted = GroupElement::zero(); - GroupElement batched_commitment_to_be_shifted = GroupElement::zero(); - batched_commitment_unshifted = commitment1 * rhos[0] + commitment2 * rhos[1]; - batched_commitment_to_be_shifted = commitment2 * rhos[2]; - auto prover_transcript = NativeTranscript::prover_init_empty(); // Run the full prover PCS protocol: @@ -115,33 +92,17 @@ TYPED_TEST(KZGTest, GeminiShplonkKzgWithShift) // Compute: // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1 // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1 - auto gemini_polynomials = GeminiProver::compute_gemini_polynomials( - mle_opening_point, std::move(batched_unshifted), std::move(batched_to_be_shifted)); - - for (size_t l = 0; l < log_n - 1; ++l) { - std::string label = "FOLD_" + std::to_string(l + 1); - auto commitment = this->ck()->commit(gemini_polynomials[l + 2]); - prover_transcript->send_to_verifier(label, commitment); - } - - const Fr r_challenge = prover_transcript->template get_challenge("Gemini:r"); - - const auto [gemini_opening_pairs, gemini_witnesses] = GeminiProver::compute_fold_polynomial_evaluations( - mle_opening_point, std::move(gemini_polynomials), r_challenge); - - std::vector> opening_claims; - for (size_t l = 0; l < log_n; ++l) { - std::string label = "Gemini:a_" + std::to_string(l); - const auto& evaluation = gemini_opening_pairs[l + 1].evaluation; - prover_transcript->send_to_verifier(label, evaluation); - opening_claims.push_back({ gemini_witnesses[l], gemini_opening_pairs[l] }); - } - opening_claims.push_back({ gemini_witnesses[log_n], gemini_opening_pairs[log_n] }); + auto prover_opening_claims = GeminiProver::prove(this->ck(), + mle_opening_point, + multilinear_evaluations, + RefArray{ poly1, poly2 }, + RefArray{ poly2 }, + prover_transcript); // Shplonk prover output: // - opening pair: (z_challenge, 0) // - witness: polynomial Q - Q_z - const auto opening_claim = ShplonkProver::prove(this->ck(), opening_claims, prover_transcript); + const auto opening_claim = ShplonkProver::prove(this->ck(), prover_opening_claims, prover_transcript); // KZG prover: // - Adds commitment [W] to transcript @@ -154,9 +115,9 @@ TYPED_TEST(KZGTest, GeminiShplonkKzgWithShift) // Gemini verifier output: // - claim: d+1 commitments to Fold_{r}^(0), Fold_{-r}^(0), Fold^(l), d+1 evaluations a_0_pos, a_l, l = 0:d-1 auto gemini_verifier_claim = GeminiVerifier::reduce_verification(mle_opening_point, - batched_evaluation, - batched_commitment_unshifted, - batched_commitment_to_be_shifted, + multilinear_evaluations, + RefArray{ commitment1, commitment2 }, + RefArray{ commitment2 }, verifier_transcript); // Shplonk verifier claim: commitment [Q] - [Q_z], opening point (z_challenge, 0) @@ -179,15 +140,13 @@ TYPED_TEST(KZGTest, ShpleminiKzgWithShift) using ShpleminiVerifier = ShpleminiVerifier_; using KZG = KZG; using Fr = typename TypeParam::ScalarField; - using GroupElement = typename TypeParam::Element; + // using GroupElement = typename TypeParam::Element; using Commitment = typename TypeParam::AffineElement; using Polynomial = typename bb::Polynomial; const size_t n = 16; const size_t log_n = 4; - auto prover_transcript = NativeTranscript::prover_init_empty(); - // Get batching challenge - Fr rho = prover_transcript->template get_challenge("rho"); + // Generate multilinear polynomials, their commitments (genuine and mocked) and evaluations (genuine) at a random // point. auto mle_opening_point = this->random_evaluation_point(log_n); // sometimes denoted 'u' @@ -205,59 +164,24 @@ TYPED_TEST(KZGTest, ShpleminiKzgWithShift) // Collect multilinear evaluations for input to prover std::vector multilinear_evaluations = { eval1, eval2, eval2_shift }; - std::vector rhos = gemini::powers_of_rho(rho, multilinear_evaluations.size()); - - // Compute batched multivariate evaluation - Fr batched_evaluation = Fr::zero(); - for (size_t i = 0; i < rhos.size(); ++i) { - batched_evaluation += multilinear_evaluations[i] * rhos[i]; - } - - // Compute batched polynomials - Polynomial batched_unshifted(n); - Polynomial batched_to_be_shifted = Polynomial::shiftable(n); - batched_unshifted.add_scaled(poly1, rhos[0]); - batched_unshifted.add_scaled(poly2, rhos[1]); - batched_to_be_shifted.add_scaled(poly2, rhos[2]); - - // Compute batched commitments - GroupElement batched_commitment_unshifted = GroupElement::zero(); - GroupElement batched_commitment_to_be_shifted = GroupElement::zero(); - batched_commitment_unshifted = commitment1 * rhos[0] + commitment2 * rhos[1]; - batched_commitment_to_be_shifted = commitment2 * rhos[2]; + auto prover_transcript = NativeTranscript::prover_init_empty(); // Run the full prover PCS protocol: // Compute: // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1 // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1 - auto gemini_polynomials = GeminiProver::compute_gemini_polynomials( - mle_opening_point, std::move(batched_unshifted), std::move(batched_to_be_shifted)); - - for (size_t l = 0; l < log_n - 1; ++l) { - std::string label = "FOLD_" + std::to_string(l + 1); - auto commitment = this->ck()->commit(gemini_polynomials[l + 2]); - prover_transcript->send_to_verifier(label, commitment); - } - - const Fr r_challenge = prover_transcript->template get_challenge("Gemini:r"); - - const auto [gemini_opening_pairs, gemini_witnesses] = GeminiProver::compute_fold_polynomial_evaluations( - mle_opening_point, std::move(gemini_polynomials), r_challenge); - - std::vector> opening_claims; - for (size_t l = 0; l < log_n; ++l) { - std::string label = "Gemini:a_" + std::to_string(l); - const auto& evaluation = gemini_opening_pairs[l + 1].evaluation; - prover_transcript->send_to_verifier(label, evaluation); - opening_claims.push_back({ gemini_witnesses[l], gemini_opening_pairs[l] }); - } - opening_claims.push_back({ gemini_witnesses[log_n], gemini_opening_pairs[log_n] }); + auto prover_opening_claims = GeminiProver::prove(this->ck(), + mle_opening_point, + multilinear_evaluations, + RefArray{ poly1, poly2 }, + RefArray{ poly2 }, + prover_transcript); // Shplonk prover output: // - opening pair: (z_challenge, 0) // - witness: polynomial Q - Q_z - const auto opening_claim = ShplonkProver::prove(this->ck(), opening_claims, prover_transcript); + const auto opening_claim = ShplonkProver::prove(this->ck(), prover_opening_claims, prover_transcript); // KZG prover: // - Adds commitment [W] to transcript diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini_verifier.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini_verifier.test.cpp index 45292861fae7..c04359b5a2a9 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini_verifier.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini_verifier.test.cpp @@ -1,228 +1,228 @@ -#include "shplemini_verifier.hpp" -#include "../commitment_key.test.hpp" -#include "../gemini/gemini.hpp" -#include "../kzg/kzg.hpp" -#include "../shplonk/shplonk.hpp" -#include "../utils/batch_mul_native.hpp" -#include "barretenberg/commitment_schemes/claim.hpp" -#include "barretenberg/ecc/curves/bn254/g1.hpp" - -#include -#include - -namespace bb { - -template class ShpleminiTest : public CommitmentTest { - public: - using Fr = typename Curve::ScalarField; - using Commitment = typename Curve::AffineElement; - using GroupElement = typename Curve::Element; - using Polynomial = bb::Polynomial; -}; - -using CurveTypes = ::testing::Types; - -TYPED_TEST_SUITE(ShpleminiTest, CurveTypes); - -// This test checks that batch_multivariate_opening_claims method operates correctly -TYPED_TEST(ShpleminiTest, CorrectnessOfMultivariateClaimBatching) -{ - using ShpleminiVerifier = ShpleminiVerifier_; - using Fr = typename TypeParam::ScalarField; - using GroupElement = typename TypeParam::Element; - using Commitment = typename TypeParam::AffineElement; - using Polynomial = typename bb::Polynomial; - using Utils = CommitmentSchemesUtils; - - const size_t n = 16; - const size_t log_n = 4; - - // Generate mock challenges - Fr rho = Fr::random_element(); - Fr gemini_eval_challenge = Fr::random_element(); - Fr shplonk_batching_challenge = Fr::random_element(); - Fr shplonk_eval_challenge = Fr::random_element(); - - // Generate multilinear polynomials and compute their commitments - auto mle_opening_point = this->random_evaluation_point(log_n); - auto poly1 = Polynomial::random(n); - auto poly2 = Polynomial::random(n, /*shiftable*/ 1); - Polynomial poly3(n); - - Commitment commitment1 = this->commit(poly1); - Commitment commitment2 = this->commit(poly2); - Commitment commitment3 = this->commit(poly3); - EXPECT_TRUE(commitment3.is_point_at_infinity()); - - std::vector unshifted_commitments = { commitment1, commitment2, commitment3 }; - std::vector shifted_commitments = { commitment2, commitment3 }; - - // Evaluate the polynomials at the multivariate challenge, poly3 is not evaluated, because it is 0. - auto eval1 = poly1.evaluate_mle(mle_opening_point); - auto eval2 = poly2.evaluate_mle(mle_opening_point); - Fr eval3{ 0 }; - Fr eval3_shift{ 0 }; - auto eval2_shift = poly2.evaluate_mle(mle_opening_point, true); - - // Collect multilinear evaluations - std::vector multilinear_evaluations = { eval1, eval2, eval3, eval2_shift, eval3_shift }; - std::vector rhos = gemini::powers_of_rho(rho, multilinear_evaluations.size()); - - // Compute batched multivariate evaluation - Fr batched_evaluation = - std::inner_product(multilinear_evaluations.begin(), multilinear_evaluations.end(), rhos.begin(), Fr::zero()); - - // Compute batched commitments manually - GroupElement batched_commitment_unshifted = commitment1 * rhos[0] + commitment2 * rhos[1] + commitment3 * rhos[2]; - GroupElement batched_commitment_to_be_shifted = commitment2 * rhos[3] + commitment3 * rhos[4]; - - // Compute expected result manually - GroupElement commitment_to_univariate = - batched_commitment_unshifted + batched_commitment_to_be_shifted * gemini_eval_challenge.invert(); - GroupElement commitment_to_univariate_neg = - batched_commitment_unshifted - batched_commitment_to_be_shifted * gemini_eval_challenge.invert(); - - GroupElement expected_result = - commitment_to_univariate * (shplonk_eval_challenge - gemini_eval_challenge).invert() + - commitment_to_univariate_neg * - (shplonk_batching_challenge * (shplonk_eval_challenge + gemini_eval_challenge).invert()); - - // Run the ShepliminiVerifier batching method - std::vector commitments; - std::vector scalars; - Fr verifier_batched_evaluation{ 0 }; - - Fr unshifted_scalar = (shplonk_eval_challenge - gemini_eval_challenge).invert() + - shplonk_batching_challenge * (shplonk_eval_challenge + gemini_eval_challenge).invert(); - - Fr shifted_scalar = gemini_eval_challenge.invert() * - ((shplonk_eval_challenge - gemini_eval_challenge).invert() - - shplonk_batching_challenge * (shplonk_eval_challenge + gemini_eval_challenge).invert()); - - ShpleminiVerifier::batch_multivariate_opening_claims(RefVector(unshifted_commitments), - RefVector(shifted_commitments), - RefVector(multilinear_evaluations), - rho, - unshifted_scalar, - shifted_scalar, - commitments, - scalars, - verifier_batched_evaluation); - - // Final pairing check - GroupElement shplemini_result = Utils::batch_mul_native(commitments, scalars); - - EXPECT_EQ(commitments.size(), unshifted_commitments.size() + shifted_commitments.size()); - EXPECT_EQ(batched_evaluation, verifier_batched_evaluation); - EXPECT_EQ(-expected_result, shplemini_result); -} - -TYPED_TEST(ShpleminiTest, CorrectnessOfGeminiClaimBatching) -{ - using GeminiProver = GeminiProver_; - using ShpleminiVerifier = ShpleminiVerifier_; - using ShplonkVerifier = ShplonkVerifier_; - using Fr = typename TypeParam::ScalarField; - using GroupElement = typename TypeParam::Element; - using Commitment = typename TypeParam::AffineElement; - using Polynomial = typename bb::Polynomial; - using Utils = CommitmentSchemesUtils; - - const size_t n = 16; - const size_t log_n = 4; - - // Generate mock challenges - Fr rho = Fr::random_element(); - Fr gemini_eval_challenge = Fr::random_element(); - Fr shplonk_batching_challenge = Fr::random_element(); - Fr shplonk_eval_challenge = Fr::random_element(); - - // Generate multilinear polynomials and compute their commitments - auto mle_opening_point = this->random_evaluation_point(log_n); - auto poly1 = Polynomial::random(n); - auto poly2 = Polynomial::random(n, /*shiftable*/ 1); - Polynomial poly3 = Polynomial::shiftable(n); - - // Evaluate the polynomials at the multivariate challenge, poly3 is not evaluated, because it is 0. - auto eval1 = poly1.evaluate_mle(mle_opening_point); - auto eval2 = poly2.evaluate_mle(mle_opening_point); - Fr eval3{ 0 }; - Fr eval3_shift{ 0 }; - auto eval2_shift = poly2.evaluate_mle(mle_opening_point, true); - - // Collect multilinear evaluations - std::vector multilinear_evaluations = { eval1, eval2, eval3, eval2_shift, eval3_shift }; - std::vector rhos = gemini::powers_of_rho(rho, multilinear_evaluations.size()); - - Polynomial batched_unshifted(n); - Polynomial batched_to_be_shifted = Polynomial::shiftable(n); - batched_unshifted.add_scaled(poly1, rhos[0]); - batched_unshifted.add_scaled(poly2, rhos[1]); - batched_unshifted.add_scaled(poly3, rhos[2]); - batched_to_be_shifted.add_scaled(poly2, rhos[3]); - batched_to_be_shifted.add_scaled(poly3, rhos[4]); - - // Compute: - // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1 - // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1 - auto gemini_polynomials = GeminiProver::compute_gemini_polynomials( - mle_opening_point, std::move(batched_unshifted), std::move(batched_to_be_shifted)); - - std::vector prover_commitments; - for (size_t l = 0; l < log_n - 1; ++l) { - auto commitment = this->ck()->commit(gemini_polynomials[l + 2]); - prover_commitments.emplace_back(commitment); - } - - const auto [gemini_opening_pairs, gemini_witnesses] = GeminiProver::compute_fold_polynomial_evaluations( - mle_opening_point, std::move(gemini_polynomials), gemini_eval_challenge); - - std::vector prover_evaluations; - std::vector> opening_claims; - for (size_t l = 0; l < log_n; ++l) { - const auto& evaluation = gemini_opening_pairs[l + 1].evaluation; - prover_evaluations.emplace_back(evaluation); - } - - std::vector r_squares = gemini::powers_of_evaluation_challenge(gemini_eval_challenge, log_n); - - GroupElement expected_result = GroupElement::zero(); - std::vector expected_inverse_vanishing_evals(log_n + 1); - // Compute expected inverses - expected_inverse_vanishing_evals[0] = (shplonk_eval_challenge - r_squares[0]).invert(); - expected_inverse_vanishing_evals[1] = (shplonk_eval_challenge + r_squares[0]).invert(); - expected_inverse_vanishing_evals[2] = (shplonk_eval_challenge + r_squares[1]).invert(); - expected_inverse_vanishing_evals[3] = (shplonk_eval_challenge + r_squares[2]).invert(); - expected_inverse_vanishing_evals[4] = (shplonk_eval_challenge + r_squares[3]).invert(); - - Fr current_challenge{ shplonk_batching_challenge * shplonk_batching_challenge }; - for (size_t idx = 0; idx < prover_commitments.size(); ++idx) { - expected_result -= prover_commitments[idx] * current_challenge * expected_inverse_vanishing_evals[idx + 2]; - current_challenge *= shplonk_batching_challenge; - } - - // Run the ShepliminiVerifier batching method - std::vector inverse_vanishing_evals = - ShplonkVerifier::compute_inverted_gemini_denominators(log_n + 1, shplonk_eval_challenge, r_squares); - - std::vector commitments; - std::vector scalars; - Fr expected_constant_term_accumulator{ 0 }; - - ShpleminiVerifier::batch_gemini_claims_received_from_prover(log_n, - prover_commitments, - prover_evaluations, - inverse_vanishing_evals, - shplonk_batching_challenge, - commitments, - scalars, - expected_constant_term_accumulator); - - EXPECT_EQ(commitments.size(), prover_commitments.size()); - // Compute the group element using the output of Shplemini method - GroupElement shplemini_result = Utils::batch_mul_native(commitments, scalars); - - EXPECT_EQ(shplemini_result, expected_result); -} -} // namespace bb +// #include "shplemini_verifier.hpp" +// #include "../commitment_key.test.hpp" +// #include "../gemini/gemini.hpp" +// #include "../kzg/kzg.hpp" +// #include "../shplonk/shplonk.hpp" +// #include "../utils/batch_mul_native.hpp" +// #include "barretenberg/commitment_schemes/claim.hpp" +// #include "barretenberg/ecc/curves/bn254/g1.hpp" + +// #include +// #include + +// namespace bb { + +// template class ShpleminiTest : public CommitmentTest { +// public: +// using Fr = typename Curve::ScalarField; +// using Commitment = typename Curve::AffineElement; +// using GroupElement = typename Curve::Element; +// using Polynomial = bb::Polynomial; +// }; + +// using CurveTypes = ::testing::Types; + +// TYPED_TEST_SUITE(ShpleminiTest, CurveTypes); + +// // This test checks that batch_multivariate_opening_claims method operates correctly +// TYPED_TEST(ShpleminiTest, CorrectnessOfMultivariateClaimBatching) +// { +// using ShpleminiVerifier = ShpleminiVerifier_; +// using Fr = typename TypeParam::ScalarField; +// using GroupElement = typename TypeParam::Element; +// using Commitment = typename TypeParam::AffineElement; +// using Polynomial = typename bb::Polynomial; +// using Utils = CommitmentSchemesUtils; + +// const size_t n = 16; +// const size_t log_n = 4; + +// // Generate mock challenges +// Fr rho = Fr::random_element(); +// Fr gemini_eval_challenge = Fr::random_element(); +// Fr shplonk_batching_challenge = Fr::random_element(); +// Fr shplonk_eval_challenge = Fr::random_element(); + +// // Generate multilinear polynomials and compute their commitments +// auto mle_opening_point = this->random_evaluation_point(log_n); +// auto poly1 = Polynomial::random(n); +// auto poly2 = Polynomial::random(n, /*shiftable*/ 1); +// Polynomial poly3(n); + +// Commitment commitment1 = this->commit(poly1); +// Commitment commitment2 = this->commit(poly2); +// Commitment commitment3 = this->commit(poly3); +// EXPECT_TRUE(commitment3.is_point_at_infinity()); + +// std::vector unshifted_commitments = { commitment1, commitment2, commitment3 }; +// std::vector shifted_commitments = { commitment2, commitment3 }; + +// // Evaluate the polynomials at the multivariate challenge, poly3 is not evaluated, because it is 0. +// auto eval1 = poly1.evaluate_mle(mle_opening_point); +// auto eval2 = poly2.evaluate_mle(mle_opening_point); +// Fr eval3{ 0 }; +// Fr eval3_shift{ 0 }; +// auto eval2_shift = poly2.evaluate_mle(mle_opening_point, true); + +// // Collect multilinear evaluations +// std::vector multilinear_evaluations = { eval1, eval2, eval3, eval2_shift, eval3_shift }; +// std::vector rhos = gemini::powers_of_rho(rho, multilinear_evaluations.size()); + +// // Compute batched multivariate evaluation +// Fr batched_evaluation = +// std::inner_product(multilinear_evaluations.begin(), multilinear_evaluations.end(), rhos.begin(), Fr::zero()); + +// // Compute batched commitments manually +// GroupElement batched_commitment_unshifted = commitment1 * rhos[0] + commitment2 * rhos[1] + commitment3 * +// rhos[2]; GroupElement batched_commitment_to_be_shifted = commitment2 * rhos[3] + commitment3 * rhos[4]; + +// // Compute expected result manually +// GroupElement commitment_to_univariate = +// batched_commitment_unshifted + batched_commitment_to_be_shifted * gemini_eval_challenge.invert(); +// GroupElement commitment_to_univariate_neg = +// batched_commitment_unshifted - batched_commitment_to_be_shifted * gemini_eval_challenge.invert(); + +// GroupElement expected_result = +// commitment_to_univariate * (shplonk_eval_challenge - gemini_eval_challenge).invert() + +// commitment_to_univariate_neg * +// (shplonk_batching_challenge * (shplonk_eval_challenge + gemini_eval_challenge).invert()); + +// // Run the ShepliminiVerifier batching method +// std::vector commitments; +// std::vector scalars; +// Fr verifier_batched_evaluation{ 0 }; + +// Fr unshifted_scalar = (shplonk_eval_challenge - gemini_eval_challenge).invert() + +// shplonk_batching_challenge * (shplonk_eval_challenge + gemini_eval_challenge).invert(); + +// Fr shifted_scalar = gemini_eval_challenge.invert() * +// ((shplonk_eval_challenge - gemini_eval_challenge).invert() - +// shplonk_batching_challenge * (shplonk_eval_challenge + gemini_eval_challenge).invert()); + +// ShpleminiVerifier::batch_multivariate_opening_claims(RefVector(unshifted_commitments), +// RefVector(shifted_commitments), +// RefVector(multilinear_evaluations), +// rho, +// unshifted_scalar, +// shifted_scalar, +// commitments, +// scalars, +// verifier_batched_evaluation); + +// // Final pairing check +// GroupElement shplemini_result = Utils::batch_mul_native(commitments, scalars); + +// EXPECT_EQ(commitments.size(), unshifted_commitments.size() + shifted_commitments.size()); +// EXPECT_EQ(batched_evaluation, verifier_batched_evaluation); +// EXPECT_EQ(-expected_result, shplemini_result); +// } + +// TYPED_TEST(ShpleminiTest, CorrectnessOfGeminiClaimBatching) +// { +// using GeminiProver = GeminiProver_; +// using ShpleminiVerifier = ShpleminiVerifier_; +// using ShplonkVerifier = ShplonkVerifier_; +// using Fr = typename TypeParam::ScalarField; +// using GroupElement = typename TypeParam::Element; +// using Commitment = typename TypeParam::AffineElement; +// using Polynomial = typename bb::Polynomial; +// using Utils = CommitmentSchemesUtils; + +// const size_t n = 16; +// const size_t log_n = 4; + +// // Generate mock challenges +// Fr rho = Fr::random_element(); +// Fr gemini_eval_challenge = Fr::random_element(); +// Fr shplonk_batching_challenge = Fr::random_element(); +// Fr shplonk_eval_challenge = Fr::random_element(); + +// // Generate multilinear polynomials and compute their commitments +// auto mle_opening_point = this->random_evaluation_point(log_n); +// auto poly1 = Polynomial::random(n); +// auto poly2 = Polynomial::random(n, /*shiftable*/ 1); +// Polynomial poly3 = Polynomial::shiftable(n); + +// // Evaluate the polynomials at the multivariate challenge, poly3 is not evaluated, because it is 0. +// auto eval1 = poly1.evaluate_mle(mle_opening_point); +// auto eval2 = poly2.evaluate_mle(mle_opening_point); +// Fr eval3{ 0 }; +// Fr eval3_shift{ 0 }; +// auto eval2_shift = poly2.evaluate_mle(mle_opening_point, true); + +// // Collect multilinear evaluations +// std::vector multilinear_evaluations = { eval1, eval2, eval3, eval2_shift, eval3_shift }; +// std::vector rhos = gemini::powers_of_rho(rho, multilinear_evaluations.size()); + +// Polynomial batched_unshifted(n); +// Polynomial batched_to_be_shifted = Polynomial::shiftable(n); +// batched_unshifted.add_scaled(poly1, rhos[0]); +// batched_unshifted.add_scaled(poly2, rhos[1]); +// batched_unshifted.add_scaled(poly3, rhos[2]); +// batched_to_be_shifted.add_scaled(poly2, rhos[3]); +// batched_to_be_shifted.add_scaled(poly3, rhos[4]); + +// // Compute: +// // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1 +// // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1 +// auto gemini_polynomials = GeminiProver::compute_fold_polynomials( +// mle_opening_point, std::move(batched_unshifted), std::move(batched_to_be_shifted)); + +// std::vector prover_commitments; +// for (size_t l = 0; l < log_n - 1; ++l) { +// auto commitment = this->ck()->commit(gemini_polynomials[l + 2]); +// prover_commitments.emplace_back(commitment); +// } + +// const auto [gemini_opening_pairs, gemini_witnesses] = GeminiProver::compute_fold_polynomial_evaluations( +// mle_opening_point, std::move(gemini_polynomials), gemini_eval_challenge); + +// std::vector prover_evaluations; +// std::vector> opening_claims; +// for (size_t l = 0; l < log_n; ++l) { +// const auto& evaluation = gemini_opening_pairs[l + 1].evaluation; +// prover_evaluations.emplace_back(evaluation); +// } + +// std::vector r_squares = gemini::powers_of_evaluation_challenge(gemini_eval_challenge, log_n); + +// GroupElement expected_result = GroupElement::zero(); +// std::vector expected_inverse_vanishing_evals(log_n + 1); +// // Compute expected inverses +// expected_inverse_vanishing_evals[0] = (shplonk_eval_challenge - r_squares[0]).invert(); +// expected_inverse_vanishing_evals[1] = (shplonk_eval_challenge + r_squares[0]).invert(); +// expected_inverse_vanishing_evals[2] = (shplonk_eval_challenge + r_squares[1]).invert(); +// expected_inverse_vanishing_evals[3] = (shplonk_eval_challenge + r_squares[2]).invert(); +// expected_inverse_vanishing_evals[4] = (shplonk_eval_challenge + r_squares[3]).invert(); + +// Fr current_challenge{ shplonk_batching_challenge * shplonk_batching_challenge }; +// for (size_t idx = 0; idx < prover_commitments.size(); ++idx) { +// expected_result -= prover_commitments[idx] * current_challenge * expected_inverse_vanishing_evals[idx + 2]; +// current_challenge *= shplonk_batching_challenge; +// } + +// // Run the ShepliminiVerifier batching method +// std::vector inverse_vanishing_evals = +// ShplonkVerifier::compute_inverted_gemini_denominators(log_n + 1, shplonk_eval_challenge, r_squares); + +// std::vector commitments; +// std::vector scalars; +// Fr expected_constant_term_accumulator{ 0 }; + +// ShpleminiVerifier::batch_gemini_claims_received_from_prover(log_n, +// prover_commitments, +// prover_evaluations, +// inverse_vanishing_evals, +// shplonk_batching_challenge, +// commitments, +// scalars, +// expected_constant_term_accumulator); + +// EXPECT_EQ(commitments.size(), prover_commitments.size()); +// // Compute the group element using the output of Shplemini method +// GroupElement shplemini_result = Utils::batch_mul_native(commitments, scalars); + +// EXPECT_EQ(shplemini_result, expected_result); +// } +// } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/wrapper.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/wrapper.hpp deleted file mode 100644 index ded625f8e399..000000000000 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/wrapper.hpp +++ /dev/null @@ -1,14 +0,0 @@ -#pragma once - -#include "barretenberg/ecc/curves/bn254/g1.hpp" -#include "gemini/gemini.hpp" - -namespace bb { - -struct OpeningProof { - std::vector gemini; - bb::g1::affine_element shplonk; - bb::g1::affine_element kzg; -}; - -} // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp index 050a2603972f..e1ef297a3880 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp @@ -108,7 +108,7 @@ TEST(ShpleminiRecursionTest, ProveAndVerifySingle) }; // Compute d-1 polynomials Fold^(i), i = 1, ..., d-1. - auto fold_polynomials = GeminiProver::compute_gemini_polynomials( + auto fold_polynomials = GeminiProver::compute_fold_polynomials( u_challenge, std::move(batched_poly_unshifted), std::move(batched_poly_to_be_shifted)); // Comute and add to trasnscript the commitments [Fold^(i)], i = 1, ..., d-1 for (size_t l = 0; l < log_circuit_size - 1; ++l) { @@ -117,8 +117,8 @@ TEST(ShpleminiRecursionTest, ProveAndVerifySingle) } const NativeFr r_challenge = prover_transcript->template get_challenge("Gemini:r"); - const auto [gemini_opening_pairs, gemini_witnesses] = - GeminiProver::compute_fold_polynomial_evaluations(u_challenge, std::move(fold_polynomials), r_challenge); + const auto [gemini_opening_pairs, gemini_witnesses] = GeminiProver::compute_fold_polynomial_evaluations( + u_challenge, std::move(fold_polynomials), r_challenge, prover_transcript); std::vector> opening_claims; for (size_t l = 0; l < log_circuit_size; ++l) { diff --git a/barretenberg/cpp/src/barretenberg/polynomials/polynomial.hpp b/barretenberg/cpp/src/barretenberg/polynomials/polynomial.hpp index fa6608456c5f..894be20c83ed 100644 --- a/barretenberg/cpp/src/barretenberg/polynomials/polynomial.hpp +++ b/barretenberg/cpp/src/barretenberg/polynomials/polynomial.hpp @@ -69,6 +69,13 @@ template class Polynomial { : Polynomial(coefficients, coefficients.size()) {} + /** + * @brief Utility to efficiently construct a shift from the original polynomial. + * + * @details We define the shift of a polynomial F(X) as G(X) = F(X) / X. + * @param virtual_size the size of the polynomial to be shifted + * @return Polynomial + */ static Polynomial shiftable(size_t virtual_size) { return Polynomial(/*actual size*/ virtual_size - 1, virtual_size, /*shiftable offset*/ 1); diff --git a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_flavor.hpp b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_flavor.hpp index 2bb9cb89721d..fe5dbe526c99 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_flavor.hpp @@ -38,8 +38,9 @@ class UltraFlavor { // Indicates that this flavor runs with non-ZK Sumcheck. static constexpr bool HasZK = false; static constexpr size_t NUM_WIRES = CircuitBuilder::NUM_WIRES; - // The number of multivariate polynomials on which a sumcheck prover sumcheck operates (including shifts). We often - // need containers of this size to hold related data, so we choose a name more agnostic than `NUM_POLYNOMIALS`. + // The number of multivariate polynomials on which a sumcheck prover sumcheck operates (witness polynomials, + // precomputed polynomials and shifts). We often need containers of this size to hold related data, so we choose a + // name more agnostic than `NUM_POLYNOMIALS`. static constexpr size_t NUM_ALL_ENTITIES = 44; // The number of polynomials precomputed to describe a circuit and to aid a prover in constructing a satisfying // assignment of witnesses. We again choose a neutral name. From 7dd17f0c2c40e289c3576213e53854bc1bf4f376 Mon Sep 17 00:00:00 2001 From: maramihali Date: Wed, 18 Sep 2024 13:06:12 +0000 Subject: [PATCH 02/31] fix shplemini --- .../commitment_schemes/gemini/gemini.cpp | 14 +- .../commitment_schemes/gemini/gemini.hpp | 3 +- .../shplonk/shplemini_verifier.test.cpp | 453 +++++++++--------- .../shplemini.test.cpp | 46 +- .../barretenberg/polynomials/polynomial.hpp | 1 - 5 files changed, 241 insertions(+), 276 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.cpp index 1518dcf4e15c..3fe4d8425efd 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.cpp @@ -87,8 +87,12 @@ std::vector::Claim> GeminiProver_::prove( commitment_key->commit(fold_polynomials[l + 2])); } const Fr r_challenge = transcript->template get_challenge("Gemini:r"); - return compute_fold_polynomial_evaluations( - multilinear_challenge, std::move(fold_polynomials), r_challenge, transcript); + std::vector claims = + compute_fold_polynomial_evaluations(multilinear_challenge, std::move(fold_polynomials), r_challenge); + for (size_t l = 1; l <= log_n; l++) { + transcript->send_to_verifier("Gemini:a_" + std::to_string(l), claims[l].opening_pair.evaluation); + } + return claims; }; /** @@ -190,10 +194,7 @@ std::vector::Polynomial> GeminiProver_::com */ template std::vector::Claim> GeminiProver_::compute_fold_polynomial_evaluations( - std::span mle_opening_point, - std::vector&& fold_polynomials, - const Fr& r_challenge, - std::shared_ptr& transcript) + std::span mle_opening_point, std::vector&& fold_polynomials, const Fr& r_challenge) { const size_t num_variables = mle_opening_point.size(); // m @@ -231,7 +232,6 @@ std::vector::Claim> GeminiProver_::compute_ // Compute the remaining m opening pairs {−r^{2ˡ}, Aₗ(−r^{2ˡ})}, l = 0, ..., m-1. for (size_t l = 0; l < num_variables; ++l) { evaluation = fold_polynomials[l + 1].evaluate(-r_squares[l]); - transcript->send_to_verifier("Gemini:a_" + std::to_string(l + 1), evaluation); opening_claims.emplace_back(Claim{ fold_polynomials[l + 1], { -r_squares[l], evaluation } }); } diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp index 89c1dc8acf99..e6d19e0dddb5 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp @@ -107,8 +107,7 @@ template class GeminiProver_ { static std::vector compute_fold_polynomial_evaluations(std::span multilinear_evaluations, std::vector&& gemini_polynomials, - const Fr& r_challenge, - std::shared_ptr& transcript); + const Fr& r_challenge); // TODO(Mara): consider if we should template this by transcript to use with a test transcript static std::vector prove(const std::shared_ptr>& commitment_key, diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini_verifier.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini_verifier.test.cpp index c04359b5a2a9..194c9f7d3610 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini_verifier.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini_verifier.test.cpp @@ -1,228 +1,227 @@ -// #include "shplemini_verifier.hpp" -// #include "../commitment_key.test.hpp" -// #include "../gemini/gemini.hpp" -// #include "../kzg/kzg.hpp" -// #include "../shplonk/shplonk.hpp" -// #include "../utils/batch_mul_native.hpp" -// #include "barretenberg/commitment_schemes/claim.hpp" -// #include "barretenberg/ecc/curves/bn254/g1.hpp" - -// #include -// #include - -// namespace bb { - -// template class ShpleminiTest : public CommitmentTest { -// public: -// using Fr = typename Curve::ScalarField; -// using Commitment = typename Curve::AffineElement; -// using GroupElement = typename Curve::Element; -// using Polynomial = bb::Polynomial; -// }; - -// using CurveTypes = ::testing::Types; - -// TYPED_TEST_SUITE(ShpleminiTest, CurveTypes); - -// // This test checks that batch_multivariate_opening_claims method operates correctly -// TYPED_TEST(ShpleminiTest, CorrectnessOfMultivariateClaimBatching) -// { -// using ShpleminiVerifier = ShpleminiVerifier_; -// using Fr = typename TypeParam::ScalarField; -// using GroupElement = typename TypeParam::Element; -// using Commitment = typename TypeParam::AffineElement; -// using Polynomial = typename bb::Polynomial; -// using Utils = CommitmentSchemesUtils; - -// const size_t n = 16; -// const size_t log_n = 4; - -// // Generate mock challenges -// Fr rho = Fr::random_element(); -// Fr gemini_eval_challenge = Fr::random_element(); -// Fr shplonk_batching_challenge = Fr::random_element(); -// Fr shplonk_eval_challenge = Fr::random_element(); - -// // Generate multilinear polynomials and compute their commitments -// auto mle_opening_point = this->random_evaluation_point(log_n); -// auto poly1 = Polynomial::random(n); -// auto poly2 = Polynomial::random(n, /*shiftable*/ 1); -// Polynomial poly3(n); - -// Commitment commitment1 = this->commit(poly1); -// Commitment commitment2 = this->commit(poly2); -// Commitment commitment3 = this->commit(poly3); -// EXPECT_TRUE(commitment3.is_point_at_infinity()); - -// std::vector unshifted_commitments = { commitment1, commitment2, commitment3 }; -// std::vector shifted_commitments = { commitment2, commitment3 }; - -// // Evaluate the polynomials at the multivariate challenge, poly3 is not evaluated, because it is 0. -// auto eval1 = poly1.evaluate_mle(mle_opening_point); -// auto eval2 = poly2.evaluate_mle(mle_opening_point); -// Fr eval3{ 0 }; -// Fr eval3_shift{ 0 }; -// auto eval2_shift = poly2.evaluate_mle(mle_opening_point, true); - -// // Collect multilinear evaluations -// std::vector multilinear_evaluations = { eval1, eval2, eval3, eval2_shift, eval3_shift }; -// std::vector rhos = gemini::powers_of_rho(rho, multilinear_evaluations.size()); - -// // Compute batched multivariate evaluation -// Fr batched_evaluation = -// std::inner_product(multilinear_evaluations.begin(), multilinear_evaluations.end(), rhos.begin(), Fr::zero()); - -// // Compute batched commitments manually -// GroupElement batched_commitment_unshifted = commitment1 * rhos[0] + commitment2 * rhos[1] + commitment3 * -// rhos[2]; GroupElement batched_commitment_to_be_shifted = commitment2 * rhos[3] + commitment3 * rhos[4]; - -// // Compute expected result manually -// GroupElement commitment_to_univariate = -// batched_commitment_unshifted + batched_commitment_to_be_shifted * gemini_eval_challenge.invert(); -// GroupElement commitment_to_univariate_neg = -// batched_commitment_unshifted - batched_commitment_to_be_shifted * gemini_eval_challenge.invert(); - -// GroupElement expected_result = -// commitment_to_univariate * (shplonk_eval_challenge - gemini_eval_challenge).invert() + -// commitment_to_univariate_neg * -// (shplonk_batching_challenge * (shplonk_eval_challenge + gemini_eval_challenge).invert()); - -// // Run the ShepliminiVerifier batching method -// std::vector commitments; -// std::vector scalars; -// Fr verifier_batched_evaluation{ 0 }; - -// Fr unshifted_scalar = (shplonk_eval_challenge - gemini_eval_challenge).invert() + -// shplonk_batching_challenge * (shplonk_eval_challenge + gemini_eval_challenge).invert(); - -// Fr shifted_scalar = gemini_eval_challenge.invert() * -// ((shplonk_eval_challenge - gemini_eval_challenge).invert() - -// shplonk_batching_challenge * (shplonk_eval_challenge + gemini_eval_challenge).invert()); - -// ShpleminiVerifier::batch_multivariate_opening_claims(RefVector(unshifted_commitments), -// RefVector(shifted_commitments), -// RefVector(multilinear_evaluations), -// rho, -// unshifted_scalar, -// shifted_scalar, -// commitments, -// scalars, -// verifier_batched_evaluation); - -// // Final pairing check -// GroupElement shplemini_result = Utils::batch_mul_native(commitments, scalars); - -// EXPECT_EQ(commitments.size(), unshifted_commitments.size() + shifted_commitments.size()); -// EXPECT_EQ(batched_evaluation, verifier_batched_evaluation); -// EXPECT_EQ(-expected_result, shplemini_result); -// } - -// TYPED_TEST(ShpleminiTest, CorrectnessOfGeminiClaimBatching) -// { -// using GeminiProver = GeminiProver_; -// using ShpleminiVerifier = ShpleminiVerifier_; -// using ShplonkVerifier = ShplonkVerifier_; -// using Fr = typename TypeParam::ScalarField; -// using GroupElement = typename TypeParam::Element; -// using Commitment = typename TypeParam::AffineElement; -// using Polynomial = typename bb::Polynomial; -// using Utils = CommitmentSchemesUtils; - -// const size_t n = 16; -// const size_t log_n = 4; - -// // Generate mock challenges -// Fr rho = Fr::random_element(); -// Fr gemini_eval_challenge = Fr::random_element(); -// Fr shplonk_batching_challenge = Fr::random_element(); -// Fr shplonk_eval_challenge = Fr::random_element(); - -// // Generate multilinear polynomials and compute their commitments -// auto mle_opening_point = this->random_evaluation_point(log_n); -// auto poly1 = Polynomial::random(n); -// auto poly2 = Polynomial::random(n, /*shiftable*/ 1); -// Polynomial poly3 = Polynomial::shiftable(n); - -// // Evaluate the polynomials at the multivariate challenge, poly3 is not evaluated, because it is 0. -// auto eval1 = poly1.evaluate_mle(mle_opening_point); -// auto eval2 = poly2.evaluate_mle(mle_opening_point); -// Fr eval3{ 0 }; -// Fr eval3_shift{ 0 }; -// auto eval2_shift = poly2.evaluate_mle(mle_opening_point, true); - -// // Collect multilinear evaluations -// std::vector multilinear_evaluations = { eval1, eval2, eval3, eval2_shift, eval3_shift }; -// std::vector rhos = gemini::powers_of_rho(rho, multilinear_evaluations.size()); - -// Polynomial batched_unshifted(n); -// Polynomial batched_to_be_shifted = Polynomial::shiftable(n); -// batched_unshifted.add_scaled(poly1, rhos[0]); -// batched_unshifted.add_scaled(poly2, rhos[1]); -// batched_unshifted.add_scaled(poly3, rhos[2]); -// batched_to_be_shifted.add_scaled(poly2, rhos[3]); -// batched_to_be_shifted.add_scaled(poly3, rhos[4]); - -// // Compute: -// // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1 -// // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1 -// auto gemini_polynomials = GeminiProver::compute_fold_polynomials( -// mle_opening_point, std::move(batched_unshifted), std::move(batched_to_be_shifted)); - -// std::vector prover_commitments; -// for (size_t l = 0; l < log_n - 1; ++l) { -// auto commitment = this->ck()->commit(gemini_polynomials[l + 2]); -// prover_commitments.emplace_back(commitment); -// } - -// const auto [gemini_opening_pairs, gemini_witnesses] = GeminiProver::compute_fold_polynomial_evaluations( -// mle_opening_point, std::move(gemini_polynomials), gemini_eval_challenge); - -// std::vector prover_evaluations; -// std::vector> opening_claims; -// for (size_t l = 0; l < log_n; ++l) { -// const auto& evaluation = gemini_opening_pairs[l + 1].evaluation; -// prover_evaluations.emplace_back(evaluation); -// } - -// std::vector r_squares = gemini::powers_of_evaluation_challenge(gemini_eval_challenge, log_n); - -// GroupElement expected_result = GroupElement::zero(); -// std::vector expected_inverse_vanishing_evals(log_n + 1); -// // Compute expected inverses -// expected_inverse_vanishing_evals[0] = (shplonk_eval_challenge - r_squares[0]).invert(); -// expected_inverse_vanishing_evals[1] = (shplonk_eval_challenge + r_squares[0]).invert(); -// expected_inverse_vanishing_evals[2] = (shplonk_eval_challenge + r_squares[1]).invert(); -// expected_inverse_vanishing_evals[3] = (shplonk_eval_challenge + r_squares[2]).invert(); -// expected_inverse_vanishing_evals[4] = (shplonk_eval_challenge + r_squares[3]).invert(); - -// Fr current_challenge{ shplonk_batching_challenge * shplonk_batching_challenge }; -// for (size_t idx = 0; idx < prover_commitments.size(); ++idx) { -// expected_result -= prover_commitments[idx] * current_challenge * expected_inverse_vanishing_evals[idx + 2]; -// current_challenge *= shplonk_batching_challenge; -// } - -// // Run the ShepliminiVerifier batching method -// std::vector inverse_vanishing_evals = -// ShplonkVerifier::compute_inverted_gemini_denominators(log_n + 1, shplonk_eval_challenge, r_squares); - -// std::vector commitments; -// std::vector scalars; -// Fr expected_constant_term_accumulator{ 0 }; - -// ShpleminiVerifier::batch_gemini_claims_received_from_prover(log_n, -// prover_commitments, -// prover_evaluations, -// inverse_vanishing_evals, -// shplonk_batching_challenge, -// commitments, -// scalars, -// expected_constant_term_accumulator); - -// EXPECT_EQ(commitments.size(), prover_commitments.size()); -// // Compute the group element using the output of Shplemini method -// GroupElement shplemini_result = Utils::batch_mul_native(commitments, scalars); - -// EXPECT_EQ(shplemini_result, expected_result); -// } -// } // namespace bb +#include "shplemini_verifier.hpp" +#include "../commitment_key.test.hpp" +#include "../gemini/gemini.hpp" +#include "../kzg/kzg.hpp" +#include "../shplonk/shplonk.hpp" +#include "../utils/batch_mul_native.hpp" +#include "barretenberg/commitment_schemes/claim.hpp" +#include "barretenberg/ecc/curves/bn254/g1.hpp" + +#include +#include + +namespace bb { + +template class ShpleminiTest : public CommitmentTest { + public: + using Fr = typename Curve::ScalarField; + using Commitment = typename Curve::AffineElement; + using GroupElement = typename Curve::Element; + using Polynomial = bb::Polynomial; +}; + +using CurveTypes = ::testing::Types; + +TYPED_TEST_SUITE(ShpleminiTest, CurveTypes); + +// This test checks that batch_multivariate_opening_claims method operates correctly +TYPED_TEST(ShpleminiTest, CorrectnessOfMultivariateClaimBatching) +{ + using ShpleminiVerifier = ShpleminiVerifier_; + using Fr = typename TypeParam::ScalarField; + using GroupElement = typename TypeParam::Element; + using Commitment = typename TypeParam::AffineElement; + using Polynomial = typename bb::Polynomial; + using Utils = CommitmentSchemesUtils; + + const size_t n = 16; + const size_t log_n = 4; + + // Generate mock challenges + Fr rho = Fr::random_element(); + Fr gemini_eval_challenge = Fr::random_element(); + Fr shplonk_batching_challenge = Fr::random_element(); + Fr shplonk_eval_challenge = Fr::random_element(); + + // Generate multilinear polynomials and compute their commitments + auto mle_opening_point = this->random_evaluation_point(log_n); + auto poly1 = Polynomial::random(n); + auto poly2 = Polynomial::random(n, /*shiftable*/ 1); + Polynomial poly3(n); + + Commitment commitment1 = this->commit(poly1); + Commitment commitment2 = this->commit(poly2); + Commitment commitment3 = this->commit(poly3); + EXPECT_TRUE(commitment3.is_point_at_infinity()); + + std::vector unshifted_commitments = { commitment1, commitment2, commitment3 }; + std::vector shifted_commitments = { commitment2, commitment3 }; + + // Evaluate the polynomials at the multivariate challenge, poly3 is not evaluated, because it is 0. + auto eval1 = poly1.evaluate_mle(mle_opening_point); + auto eval2 = poly2.evaluate_mle(mle_opening_point); + Fr eval3{ 0 }; + Fr eval3_shift{ 0 }; + auto eval2_shift = poly2.evaluate_mle(mle_opening_point, true); + + // Collect multilinear evaluations + std::vector multilinear_evaluations = { eval1, eval2, eval3, eval2_shift, eval3_shift }; + std::vector rhos = gemini::powers_of_rho(rho, multilinear_evaluations.size()); + + // Compute batched multivariate evaluation + Fr batched_evaluation = + std::inner_product(multilinear_evaluations.begin(), multilinear_evaluations.end(), rhos.begin(), Fr::zero()); + + // Compute batched commitments manually + GroupElement batched_commitment_unshifted = commitment1 * rhos[0] + commitment2 * rhos[1] + commitment3 * rhos[2]; + GroupElement batched_commitment_to_be_shifted = commitment2 * rhos[3] + commitment3 * rhos[4]; + + // Compute expected result manually + GroupElement commitment_to_univariate = + batched_commitment_unshifted + batched_commitment_to_be_shifted * gemini_eval_challenge.invert(); + GroupElement commitment_to_univariate_neg = + batched_commitment_unshifted - batched_commitment_to_be_shifted * gemini_eval_challenge.invert(); + + GroupElement expected_result = + commitment_to_univariate * (shplonk_eval_challenge - gemini_eval_challenge).invert() + + commitment_to_univariate_neg * + (shplonk_batching_challenge * (shplonk_eval_challenge + gemini_eval_challenge).invert()); + + // Run the ShepliminiVerifier batching method + std::vector commitments; + std::vector scalars; + Fr verifier_batched_evaluation{ 0 }; + + Fr unshifted_scalar = (shplonk_eval_challenge - gemini_eval_challenge).invert() + + shplonk_batching_challenge * (shplonk_eval_challenge + gemini_eval_challenge).invert(); + + Fr shifted_scalar = gemini_eval_challenge.invert() * + ((shplonk_eval_challenge - gemini_eval_challenge).invert() - + shplonk_batching_challenge * (shplonk_eval_challenge + gemini_eval_challenge).invert()); + + ShpleminiVerifier::batch_multivariate_opening_claims(RefVector(unshifted_commitments), + RefVector(shifted_commitments), + RefVector(multilinear_evaluations), + rho, + unshifted_scalar, + shifted_scalar, + commitments, + scalars, + verifier_batched_evaluation); + + // Final pairing check + GroupElement shplemini_result = Utils::batch_mul_native(commitments, scalars); + + EXPECT_EQ(commitments.size(), unshifted_commitments.size() + shifted_commitments.size()); + EXPECT_EQ(batched_evaluation, verifier_batched_evaluation); + EXPECT_EQ(-expected_result, shplemini_result); +} + +TYPED_TEST(ShpleminiTest, CorrectnessOfGeminiClaimBatching) +{ + using GeminiProver = GeminiProver_; + using ShpleminiVerifier = ShpleminiVerifier_; + using ShplonkVerifier = ShplonkVerifier_; + using Fr = typename TypeParam::ScalarField; + using GroupElement = typename TypeParam::Element; + using Commitment = typename TypeParam::AffineElement; + using Polynomial = typename bb::Polynomial; + using Utils = CommitmentSchemesUtils; + + const size_t n = 16; + const size_t log_n = 4; + + // Generate mock challenges + Fr rho = Fr::random_element(); + Fr gemini_eval_challenge = Fr::random_element(); + Fr shplonk_batching_challenge = Fr::random_element(); + Fr shplonk_eval_challenge = Fr::random_element(); + + // Generate multilinear polynomials and compute their commitments + auto mle_opening_point = this->random_evaluation_point(log_n); + auto poly1 = Polynomial::random(n); + auto poly2 = Polynomial::random(n, /*shiftable*/ 1); + Polynomial poly3 = Polynomial::shiftable(n); + + // Evaluate the polynomials at the multivariate challenge, poly3 is not evaluated, because it is 0. + auto eval1 = poly1.evaluate_mle(mle_opening_point); + auto eval2 = poly2.evaluate_mle(mle_opening_point); + Fr eval3{ 0 }; + Fr eval3_shift{ 0 }; + auto eval2_shift = poly2.evaluate_mle(mle_opening_point, true); + + // Collect multilinear evaluations + std::vector multilinear_evaluations = { eval1, eval2, eval3, eval2_shift, eval3_shift }; + std::vector rhos = gemini::powers_of_rho(rho, multilinear_evaluations.size()); + + Polynomial batched_unshifted(n); + Polynomial batched_to_be_shifted = Polynomial::shiftable(n); + batched_unshifted.add_scaled(poly1, rhos[0]); + batched_unshifted.add_scaled(poly2, rhos[1]); + batched_unshifted.add_scaled(poly3, rhos[2]); + batched_to_be_shifted.add_scaled(poly2, rhos[3]); + batched_to_be_shifted.add_scaled(poly3, rhos[4]); + + // Compute: + // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1 + // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1 + auto gemini_polynomials = GeminiProver::compute_fold_polynomials( + mle_opening_point, std::move(batched_unshifted), std::move(batched_to_be_shifted)); + + std::vector prover_commitments; + for (size_t l = 0; l < log_n - 1; ++l) { + auto commitment = this->ck()->commit(gemini_polynomials[l + 2]); + prover_commitments.emplace_back(commitment); + } + + const auto opening_claims = GeminiProver::compute_fold_polynomial_evaluations( + mle_opening_point, std::move(gemini_polynomials), gemini_eval_challenge); + + std::vector prover_evaluations; + for (size_t l = 0; l < log_n; ++l) { + const auto& evaluation = opening_claims[l + 1].opening_pair.evaluation; + prover_evaluations.emplace_back(evaluation); + } + + std::vector r_squares = gemini::powers_of_evaluation_challenge(gemini_eval_challenge, log_n); + + GroupElement expected_result = GroupElement::zero(); + std::vector expected_inverse_vanishing_evals(log_n + 1); + // Compute expected inverses + expected_inverse_vanishing_evals[0] = (shplonk_eval_challenge - r_squares[0]).invert(); + expected_inverse_vanishing_evals[1] = (shplonk_eval_challenge + r_squares[0]).invert(); + expected_inverse_vanishing_evals[2] = (shplonk_eval_challenge + r_squares[1]).invert(); + expected_inverse_vanishing_evals[3] = (shplonk_eval_challenge + r_squares[2]).invert(); + expected_inverse_vanishing_evals[4] = (shplonk_eval_challenge + r_squares[3]).invert(); + + Fr current_challenge{ shplonk_batching_challenge * shplonk_batching_challenge }; + for (size_t idx = 0; idx < prover_commitments.size(); ++idx) { + expected_result -= prover_commitments[idx] * current_challenge * expected_inverse_vanishing_evals[idx + 2]; + current_challenge *= shplonk_batching_challenge; + } + + // Run the ShepliminiVerifier batching method + std::vector inverse_vanishing_evals = + ShplonkVerifier::compute_inverted_gemini_denominators(log_n + 1, shplonk_eval_challenge, r_squares); + + std::vector commitments; + std::vector scalars; + Fr expected_constant_term_accumulator{ 0 }; + + ShpleminiVerifier::batch_gemini_claims_received_from_prover(log_n, + prover_commitments, + prover_evaluations, + inverse_vanishing_evals, + shplonk_batching_challenge, + commitments, + scalars, + expected_constant_term_accumulator); + + EXPECT_EQ(commitments.size(), prover_commitments.size()); + // Compute the group element using the output of Shplemini method + GroupElement shplemini_result = Utils::batch_mul_native(commitments, scalars); + + EXPECT_EQ(shplemini_result, expected_result); +} +} // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp index e1ef297a3880..bbc04a799b79 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp @@ -90,49 +90,17 @@ TEST(ShpleminiRecursionTest, ProveAndVerifySingle) // Initialize an empty NativeTranscript auto prover_transcript = NativeTranscript::prover_init_empty(); - - NativeFr rho = prover_transcript->template get_challenge("rho"); - std::vector rhos = gemini::powers_of_rho(rho, NUM_SHIFTED + NUM_UNSHIFTED); - // Batch the unshifted polynomials and the to-be-shifted polynomials using ρ - Polynomial batched_poly_unshifted(N); - size_t poly_idx = 0; - for (auto& unshifted_poly : f_polynomials) { - batched_poly_unshifted.add_scaled(unshifted_poly, rhos[poly_idx]); - ++poly_idx; - } - - Polynomial batched_poly_to_be_shifted = Polynomial::shiftable(N); // batched to-be-shifted polynomials - for (auto& to_be_shifted_poly : g_polynomials) { - batched_poly_to_be_shifted.add_scaled(to_be_shifted_poly, rhos[poly_idx]); - ++poly_idx; - }; - - // Compute d-1 polynomials Fold^(i), i = 1, ..., d-1. - auto fold_polynomials = GeminiProver::compute_fold_polynomials( - u_challenge, std::move(batched_poly_unshifted), std::move(batched_poly_to_be_shifted)); - // Comute and add to trasnscript the commitments [Fold^(i)], i = 1, ..., d-1 - for (size_t l = 0; l < log_circuit_size - 1; ++l) { - NativeCommitment current_commitment = commitment_key->commit(fold_polynomials[l + 2]); - prover_transcript->send_to_verifier("Gemini:FOLD_" + std::to_string(l + 1), current_commitment); - } - const NativeFr r_challenge = prover_transcript->template get_challenge("Gemini:r"); - - const auto [gemini_opening_pairs, gemini_witnesses] = GeminiProver::compute_fold_polynomial_evaluations( - u_challenge, std::move(fold_polynomials), r_challenge, prover_transcript); - - std::vector> opening_claims; - for (size_t l = 0; l < log_circuit_size; ++l) { - std::string label = "Gemini:a_" + std::to_string(l); - const auto& evaluation = gemini_opening_pairs[l + 1].evaluation; - prover_transcript->send_to_verifier(label, evaluation); - opening_claims.push_back({ gemini_witnesses[l], gemini_opening_pairs[l] }); - } - opening_claims.push_back({ gemini_witnesses[log_circuit_size], gemini_opening_pairs[log_circuit_size] }); + auto prover_opening_claims = GeminiProver::prove(commitment_key, + u_challenge, + claimed_evaluations, + RefVector(f_polynomials), + RefVector(g_polynomials), + prover_transcript); // Shplonk prover output: // - opening pair: (z_challenge, 0) // - witness: polynomial Q - Q_z - ShplonkProver::prove(commitment_key, opening_claims, prover_transcript); + ShplonkProver::prove(commitment_key, prover_opening_claims, prover_transcript); Builder builder; StdlibProof stdlib_proof = bb::convert_proof_to_witness(&builder, prover_transcript->proof_data); diff --git a/barretenberg/cpp/src/barretenberg/polynomials/polynomial.hpp b/barretenberg/cpp/src/barretenberg/polynomials/polynomial.hpp index 894be20c83ed..9ed1c255b2cc 100644 --- a/barretenberg/cpp/src/barretenberg/polynomials/polynomial.hpp +++ b/barretenberg/cpp/src/barretenberg/polynomials/polynomial.hpp @@ -72,7 +72,6 @@ template class Polynomial { /** * @brief Utility to efficiently construct a shift from the original polynomial. * - * @details We define the shift of a polynomial F(X) as G(X) = F(X) / X. * @param virtual_size the size of the polynomial to be shifted * @return Polynomial */ From 1f5c083051da4b5f470757f03e2185451bde1109 Mon Sep 17 00:00:00 2001 From: maramihali Date: Wed, 18 Sep 2024 13:26:53 +0000 Subject: [PATCH 03/31] cleanup --- .../commitment_schemes/gemini/gemini.cpp | 33 ++++++++----------- .../commitment_schemes/gemini/gemini.hpp | 16 ++++----- .../commitment_schemes/gemini/gemini.test.cpp | 18 +++------- .../shplonk/shplemini_verifier.hpp | 12 +++---- .../shplonk/shplemini_verifier.test.cpp | 6 ++-- .../src/barretenberg/eccvm/eccvm_prover.hpp | 3 -- 6 files changed, 35 insertions(+), 53 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.cpp index 3fe4d8425efd..2a9abea0c523 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.cpp @@ -1,9 +1,6 @@ #include "gemini.hpp" #include "barretenberg/common/thread.hpp" -#include -#include - /** * @brief Protocol for opening several multi-linear polynomials at the same point. * @@ -51,6 +48,9 @@ std::vector::Claim> GeminiProver_::prove( std::shared_ptr& transcript) { ASSERT(multilinear_evaluations.size() == f_polynomials.size() + g_polynomials.size()); + const size_t log_n = multilinear_challenge.size(); + const size_t n = 1 << log_n; + Fr rho = transcript->template get_challenge("rho"); std::vector rhos = gemini::powers_of_rho(rho, multilinear_evaluations.size()); @@ -60,11 +60,8 @@ std::vector::Claim> GeminiProver_::prove( batched_evaluation += multilinear_evaluations[i] * rhos[i]; } - size_t log_n = multilinear_challenge.size(); - size_t n = 1 << log_n; // Compute batched polynomials Polynomial batched_unshifted(n); - // TODO(mara): use shiftable, after you understand how it works Polynomial batched_to_be_shifted = Polynomial::shiftable(1 << log_n); const size_t num_unshifted = f_polynomials.size(); @@ -76,12 +73,9 @@ std::vector::Claim> GeminiProver_::prove( batched_to_be_shifted.add_scaled(g_polynomials[i], rhos[num_unshifted + i]); } - // log_n + 2 auto fold_polynomials = compute_fold_polynomials(multilinear_challenge, std::move(batched_unshifted), std::move(batched_to_be_shifted)); - // Commit to the folded polynomials (except the first two, explain why the first two are left out) and send the - // commitment to the verifier for (size_t l = 0; l < log_n - 1; l++) { transcript->send_to_verifier("Gemini:FOLD_" + std::to_string(l + 1), commitment_key->commit(fold_polynomials[l + 2])); @@ -89,9 +83,11 @@ std::vector::Claim> GeminiProver_::prove( const Fr r_challenge = transcript->template get_challenge("Gemini:r"); std::vector claims = compute_fold_polynomial_evaluations(multilinear_challenge, std::move(fold_polynomials), r_challenge); + for (size_t l = 1; l <= log_n; l++) { transcript->send_to_verifier("Gemini:a_" + std::to_string(l), claims[l].opening_pair.evaluation); } + return claims; }; @@ -107,7 +103,6 @@ template std::vector::Polynomial> GeminiProver_::compute_fold_polynomials( std::span mle_opening_point, Polynomial&& batched_unshifted, Polynomial&& batched_to_be_shifted) { - const size_t num_variables = mle_opening_point.size(); // m const size_t num_threads = get_num_cpus_pow2(); @@ -119,12 +114,12 @@ std::vector::Polynomial> GeminiProver_::com // The first two are populated here with the batched unshifted and to-be-shifted polynomial respectively. // They will eventually contain the full batched polynomial A₀ partially evaluated at the challenges r,-r. // This function populates the other m-1 polynomials with the foldings of A₀. - std::vector gemini_polynomials; - gemini_polynomials.reserve(num_variables + 1); + std::vector fold_polynomials; + fold_polynomials.reserve(num_variables + 1); // F(X) = ∑ⱼ ρʲ fⱼ(X) and G(X) = ∑ⱼ ρᵏ⁺ʲ gⱼ(X) - Polynomial& batched_F = gemini_polynomials.emplace_back(std::move(batched_unshifted)); - Polynomial& batched_G = gemini_polynomials.emplace_back(std::move(batched_to_be_shifted)); + Polynomial& batched_F = fold_polynomials.emplace_back(std::move(batched_unshifted)); + Polynomial& batched_G = fold_polynomials.emplace_back(std::move(batched_to_be_shifted)); constexpr size_t offset_to_folded = 2; // Offset because of F an G // A₀(X) = F(X) + G↺(X) = F(X) + G(X)/X. Polynomial A_0 = batched_F; @@ -136,7 +131,7 @@ std::vector::Polynomial> GeminiProver_::com const size_t n_l = 1 << (num_variables - l - 1); // A_l_fold = Aₗ₊₁(X) = (1-uₗ)⋅even(Aₗ)(X) + uₗ⋅odd(Aₗ)(X) - gemini_polynomials.emplace_back(Polynomial(n_l)); + fold_polynomials.emplace_back(Polynomial(n_l)); } // A_l = Aₗ(X) is the polynomial being folded @@ -158,7 +153,7 @@ std::vector::Polynomial> GeminiProver_::com const Fr u_l = mle_opening_point[l]; // A_l_fold = Aₗ₊₁(X) = (1-uₗ)⋅even(Aₗ)(X) + uₗ⋅odd(Aₗ)(X) - auto A_l_fold = gemini_polynomials[l + offset_to_folded].data(); + auto A_l_fold = fold_polynomials[l + offset_to_folded].data(); parallel_for(num_used_threads, [&](size_t i) { size_t current_chunk_size = (i == (num_used_threads - 1)) ? last_chunk_size : chunk_size; @@ -175,20 +170,20 @@ std::vector::Polynomial> GeminiProver_::com A_l = A_l_fold; } - return gemini_polynomials; + return fold_polynomials; }; /** * @brief Computes/aggragates d+1 Fold polynomials and their opening pairs (challenge, evaluation) * - * @details This function assumes that, upon input, last d-1 entries in gemini_polynomials are Fold_i. + * @details This function assumes that, upon input, last d-1 entries in fold_polynomials are Fold_i. * The first two entries are assumed to be, respectively, the batched unshifted and batched to-be-shifted * polynomials F(X) = ∑ⱼ ρʲfⱼ(X) and G(X) = ∑ⱼ ρᵏ⁺ʲ gⱼ(X). This function completes the computation * of the first two Fold polynomials as F + G/r and F - G/r. It then evaluates each of the d+1 * fold polynomials at, respectively, the points r, rₗ = r^{2ˡ} for l = 0, 1, ..., d-1. * * @param mle_opening_point u = (u₀,...,uₘ₋₁) is the MLE opening point - * @param gemini_polynomials vector of polynomials whose first two elements are F(X) = ∑ⱼ ρʲfⱼ(X) + * @param fold_polynomials vector of polynomials whose first two elements are F(X) = ∑ⱼ ρʲfⱼ(X) * and G(X) = ∑ⱼ ρᵏ⁺ʲ gⱼ(X), and the next d-1 elements are Fold_i, i = 1, ..., d-1. * @param r_challenge univariate opening challenge */ diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp index e6d19e0dddb5..9e208baf4a1a 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp @@ -4,8 +4,6 @@ #include "barretenberg/polynomials/polynomial.hpp" #include "barretenberg/transcript/transcript.hpp" -#include - /** * @brief Protocol for opening several multi-linear polynomials at the same point. * @@ -106,7 +104,7 @@ template class GeminiProver_ { Polynomial&& batched_to_be_shifted); static std::vector compute_fold_polynomial_evaluations(std::span multilinear_evaluations, - std::vector&& gemini_polynomials, + std::vector&& fold_polynomials, const Fr& r_challenge); // TODO(Mara): consider if we should template this by transcript to use with a test transcript @@ -165,7 +163,7 @@ template class GeminiVerifier_ { } // Get polynomials Fold_i, i = 1,...,m-1 from transcript - const std::vector commitments = get_gemini_commitments(num_variables, transcript); + const std::vector commitments = get_fold_commitments(num_variables, transcript); // compute vector of powers of random evaluation point r const Fr r = transcript->template get_challenge("Gemini:r"); @@ -198,16 +196,16 @@ template class GeminiVerifier_ { return fold_polynomial_opening_claims; } - static std::vector get_gemini_commitments(const size_t log_circuit_size, auto& transcript) + static std::vector get_fold_commitments(const size_t log_circuit_size, auto& transcript) { - std::vector gemini_commitments; - gemini_commitments.reserve(log_circuit_size - 1); + std::vector fold_commitments; + fold_commitments.reserve(log_circuit_size - 1); for (size_t i = 0; i < log_circuit_size - 1; ++i) { const Commitment commitment = transcript->template receive_from_prover("Gemini:FOLD_" + std::to_string(i + 1)); - gemini_commitments.emplace_back(commitment); + fold_commitments.emplace_back(commitment); } - return gemini_commitments; + return fold_commitments; } static std::vector get_gemini_evaluations(const size_t log_circuit_size, auto& transcript) { diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.test.cpp index a7a7a86b4837..881e70769cfb 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.test.cpp @@ -3,9 +3,6 @@ #include "../commitment_key.test.hpp" #include "barretenberg/polynomials/polynomial.hpp" #include "barretenberg/transcript/transcript.hpp" -#include -#include -#include using namespace bb; @@ -16,8 +13,7 @@ template class GeminiTest : public CommitmentTest { using GroupElement = typename Curve::Element; public: - void execute_gemini_and_verify_claims([[maybe_unused]] size_t log_n, - std::vector& multilinear_evaluation_point, + void execute_gemini_and_verify_claims(std::vector& multilinear_evaluation_point, std::vector& multilinear_evaluations, std::vector>& multilinear_polynomials, std::vector>& multilinear_polynomials_to_be_shifted, @@ -82,8 +78,7 @@ TYPED_TEST(GeminiTest, Single) std::vector multilinear_commitments = { commitment }; std::vector multilinear_commitments_to_be_shifted = {}; - this->execute_gemini_and_verify_claims(log_n, - u, + this->execute_gemini_and_verify_claims(u, multilinear_evaluations, multilinear_polynomials, multilinear_polynomials_to_be_shifted, @@ -114,8 +109,7 @@ TYPED_TEST(GeminiTest, SingleShift) std::vector multilinear_commitments = {}; std::vector multilinear_commitments_to_be_shifted = { commitment }; - this->execute_gemini_and_verify_claims(log_n, - u, + this->execute_gemini_and_verify_claims(u, multilinear_evaluations, multilinear_polynomials, multilinear_polynomials_to_be_shifted, @@ -149,8 +143,7 @@ TYPED_TEST(GeminiTest, Double) std::vector multilinear_commitments = { commitment1, commitment2 }; std::vector multilinear_commitments_to_be_shifted = {}; - this->execute_gemini_and_verify_claims(log_n, - u, + this->execute_gemini_and_verify_claims(u, multilinear_evaluations, multilinear_polynomials, multilinear_polynomials_to_be_shifted, @@ -185,8 +178,7 @@ TYPED_TEST(GeminiTest, DoubleWithShift) std::vector multilinear_commitments = { commitment1, commitment2 }; std::vector multilinear_commitments_to_be_shifted = { commitment2 }; - this->execute_gemini_and_verify_claims(log_n, - u, + this->execute_gemini_and_verify_claims(u, multilinear_evaluations, multilinear_polynomials, multilinear_polynomials_to_be_shifted, diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini_verifier.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini_verifier.hpp index 53893f7b0cb7..842e91f8b53c 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini_verifier.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini_verifier.hpp @@ -93,8 +93,8 @@ template class ShpleminiVerifier_ { // Process Gemini transcript data: // - Get Gemini commitments (com(A₁), com(A₂), … , com(Aₙ₋₁)) - const std::vector gemini_commitments = - GeminiVerifier::get_gemini_commitments(log_circuit_size, transcript); + const std::vector fold_commitments = + GeminiVerifier::get_fold_commitments(log_circuit_size, transcript); // - Get Gemini evaluation challenge for Aᵢ, i = 0, … , d−1 const Fr gemini_evaluation_challenge = transcript->template get_challenge("Gemini:r"); // - Get evaluations (A₀(−r), A₁(−r²), ... , Aₙ₋₁(−r²⁽ⁿ⁻¹⁾)) @@ -152,7 +152,7 @@ template class ShpleminiVerifier_ { // Place the commitments to Gemini Aᵢ to the vector of commitments, compute the contributions from // Aᵢ(−r²ⁱ) for i=1, … , n−1 to the constant term accumulator, add corresponding scalars batch_gemini_claims_received_from_prover(log_circuit_size, - gemini_commitments, + fold_commitments, gemini_evaluations, inverse_vanishing_evals, shplonk_batching_challenge, @@ -283,7 +283,7 @@ template class ShpleminiVerifier_ { * and adds them to the 'constant_term_accumulator'. * * @param log_circuit_size The logarithm of the circuit size, determining the depth of the Gemini protocol. - * @param gemini_commitments A vector containing the commitments to the Gemini fold polynomials \f$ A_i \f$. + * @param fold_commitments A vector containing the commitments to the Gemini fold polynomials \f$ A_i \f$. * @param gemini_evaluations A vector containing the evaluations of the Gemini fold polynomials \f$ A_i \f$ at * points \f$ -r^{2^i} \f$. * @param inverse_vanishing_evals A vector containing the inverse evaluations of the vanishing polynomial. @@ -293,7 +293,7 @@ template class ShpleminiVerifier_ { * @param constant_term_accumulator The accumulator for the summands of the constant term. */ static void batch_gemini_claims_received_from_prover(const size_t log_circuit_size, - const std::vector& gemini_commitments, + const std::vector& fold_commitments, const std::vector& gemini_evaluations, const std::vector& inverse_vanishing_evals, const Fr& shplonk_batching_challenge, @@ -313,7 +313,7 @@ template class ShpleminiVerifier_ { // Update the batching challenge current_batching_challenge *= shplonk_batching_challenge; // Move com(Aᵢ) to the 'commitments' vector - commitments.emplace_back(std::move(gemini_commitments[j])); + commitments.emplace_back(std::move(fold_commitments[j])); } } }; diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini_verifier.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini_verifier.test.cpp index 194c9f7d3610..01f9961127ae 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini_verifier.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini_verifier.test.cpp @@ -166,17 +166,17 @@ TYPED_TEST(ShpleminiTest, CorrectnessOfGeminiClaimBatching) // Compute: // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1 // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1 - auto gemini_polynomials = GeminiProver::compute_fold_polynomials( + auto fold_polynomials = GeminiProver::compute_fold_polynomials( mle_opening_point, std::move(batched_unshifted), std::move(batched_to_be_shifted)); std::vector prover_commitments; for (size_t l = 0; l < log_n - 1; ++l) { - auto commitment = this->ck()->commit(gemini_polynomials[l + 2]); + auto commitment = this->ck()->commit(fold_polynomials[l + 2]); prover_commitments.emplace_back(commitment); } const auto opening_claims = GeminiProver::compute_fold_polynomial_evaluations( - mle_opening_point, std::move(gemini_polynomials), gemini_eval_challenge); + mle_opening_point, std::move(fold_polynomials), gemini_eval_challenge); std::vector prover_evaluations; for (size_t l = 0; l < log_n; ++l) { diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.hpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.hpp index 52d243ca06c6..6a01c6af112e 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.hpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.hpp @@ -53,9 +53,6 @@ class ECCVMProver { CommitmentLabels commitment_labels; - // Container for d + 1 Fold polynomials produced by Gemini - std::vector gemini_polynomials; - Polynomial batched_quotient_Q; // batched quotient poly computed by Shplonk FF nu_challenge; // needed in both Shplonk rounds From 318f98b1132cc477ce28bd709686604f8ab74e1d Mon Sep 17 00:00:00 2001 From: maramihali Date: Wed, 18 Sep 2024 13:33:16 +0000 Subject: [PATCH 04/31] more cleanup --- barretenberg/cpp/CMakePresets.json | 2 +- .../commitment_schemes/commitment_key.test.hpp | 17 ----------------- .../commitment_schemes/ipa/ipa.test.cpp | 4 ++-- .../commitment_schemes/kzg/kzg.test.cpp | 2 -- 4 files changed, 3 insertions(+), 22 deletions(-) diff --git a/barretenberg/cpp/CMakePresets.json b/barretenberg/cpp/CMakePresets.json index f841f6954b95..643e4590ae2c 100644 --- a/barretenberg/cpp/CMakePresets.json +++ b/barretenberg/cpp/CMakePresets.json @@ -98,7 +98,7 @@ "displayName": "Debugging build with Clang-16", "description": "Build with globally installed Clang-16 in debug mode", "inherits": "clang16", - "binaryDir": "build", + "binaryDir": "build-debug", "environment": { "CMAKE_BUILD_TYPE": "Debug", "CFLAGS": "-gdwarf-4", diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/commitment_key.test.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/commitment_key.test.hpp index d40cf153d54d..27ec8408c12d 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/commitment_key.test.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/commitment_key.test.hpp @@ -81,15 +81,6 @@ template class CommitmentTest : public ::testing::Test { return { x, y }; } - std::pair, Polynomial> random_claim(const size_t n) - { - auto polynomial = Polynomial::random(n); - auto opening_pair = random_eval(polynomial); - auto commitment = commit(polynomial); - auto opening_claim = OpeningClaim{ opening_pair, commitment }; - return { opening_claim, polynomial }; - }; - std::vector random_evaluation_point(const size_t num_variables) { std::vector u(num_variables); @@ -106,17 +97,9 @@ template class CommitmentTest : public ::testing::Test { Fr y_expected = witness.evaluate(x); EXPECT_EQ(y, y_expected) << "OpeningClaim: evaluations mismatch"; Commitment commitment_expected = commit(witness); - // found it EXPECT_EQ(commitment, commitment_expected) << "OpeningClaim: commitment mismatch"; } - void verify_opening_pair(const OpeningPair& opening_pair, const Polynomial& witness) - { - auto& [x, y] = opening_pair; - Fr y_expected = witness.evaluate(x); - EXPECT_EQ(y, y_expected) << "OpeningPair: evaluations mismatch"; - } - /** * @brief Ensures that a 'BatchOpeningClaim' is correct by checking that * - all evaluations are correct by recomputing them from each witness polynomial. diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp index 5905b5a7288d..eb448f4e7091 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp @@ -77,8 +77,8 @@ TEST_F(IPATest, OpenZeroPolynomial) EXPECT_TRUE(result); } -// This test makes sure that even if the whole vector \vec{b} generated from the x, at which we open the polynomial, -// is zero, IPA behaves +// This test makes sure that even if the whole vector \vec{b} generated from the x, at which we open the polynomial, is +// zero, IPA behaves TEST_F(IPATest, OpenAtZero) { using IPA = IPA; diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp index 92e7f2614e6b..60f41bdb7f59 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp @@ -140,13 +140,11 @@ TYPED_TEST(KZGTest, ShpleminiKzgWithShift) using ShpleminiVerifier = ShpleminiVerifier_; using KZG = KZG; using Fr = typename TypeParam::ScalarField; - // using GroupElement = typename TypeParam::Element; using Commitment = typename TypeParam::AffineElement; using Polynomial = typename bb::Polynomial; const size_t n = 16; const size_t log_n = 4; - // Generate multilinear polynomials, their commitments (genuine and mocked) and evaluations (genuine) at a random // point. auto mle_opening_point = this->random_evaluation_point(log_n); // sometimes denoted 'u' From d3bd8a8617dfcf0b2e4684e6c07657b88dacbf19 Mon Sep 17 00:00:00 2001 From: maramihali Date: Wed, 18 Sep 2024 13:48:37 +0000 Subject: [PATCH 05/31] wops, I forgot to commit an undo for a function removal --- .../commitment_schemes/commitment_key.test.hpp | 7 +++++++ .../src/barretenberg/commitment_schemes/gemini/gemini.hpp | 1 - 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/commitment_key.test.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/commitment_key.test.hpp index 27ec8408c12d..16464cda07fe 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/commitment_key.test.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/commitment_key.test.hpp @@ -100,6 +100,13 @@ template class CommitmentTest : public ::testing::Test { EXPECT_EQ(commitment, commitment_expected) << "OpeningClaim: commitment mismatch"; } + void verify_opening_pair(const OpeningPair& opening_pair, const Polynomial& witness) + { + auto& [x, y] = opening_pair; + Fr y_expected = witness.evaluate(x); + EXPECT_EQ(y, y_expected) << "OpeningPair: evaluations mismatch"; + } + /** * @brief Ensures that a 'BatchOpeningClaim' is correct by checking that * - all evaluations are correct by recomputing them from each witness polynomial. diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp index 9e208baf4a1a..e38f6891bd65 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp @@ -107,7 +107,6 @@ template class GeminiProver_ { std::vector&& fold_polynomials, const Fr& r_challenge); - // TODO(Mara): consider if we should template this by transcript to use with a test transcript static std::vector prove(const std::shared_ptr>& commitment_key, std::span multilinear_challenge, std::span multilinear_evaluations, From 171aaac0995dc1d0fa92771f54ae9f64e1631065 Mon Sep 17 00:00:00 2001 From: maramihali Date: Wed, 18 Sep 2024 14:17:49 +0000 Subject: [PATCH 06/31] make ultra keccak depend on ultra flavor --- .../ultra_keccak_flavor.hpp | 501 +----------------- 1 file changed, 2 insertions(+), 499 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_keccak_flavor.hpp b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_keccak_flavor.hpp index 0b9485e41227..744bc57140da 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_keccak_flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_keccak_flavor.hpp @@ -19,370 +19,13 @@ #include "barretenberg/relations/relation_parameters.hpp" #include "barretenberg/relations/ultra_arithmetic_relation.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_circuit_builder.hpp" +#include "barretenberg/stdlib_circuit_builders/ultra_flavor.hpp" #include "barretenberg/transcript/transcript.hpp" namespace bb { -class UltraKeccakFlavor { +class UltraKeccakFlavor : public bb::UltraFlavor { public: - using CircuitBuilder = UltraCircuitBuilder; - using Curve = curve::BN254; - using FF = Curve::ScalarField; - using GroupElement = Curve::Element; - using Commitment = Curve::AffineElement; - using PCS = KZG; - using Polynomial = bb::Polynomial; - using CommitmentKey = bb::CommitmentKey; - using VerifierCommitmentKey = bb::VerifierCommitmentKey; - - // Indicates that this flavor runs with non-ZK Sumcheck. - static constexpr bool HasZK = false; - static constexpr size_t NUM_WIRES = CircuitBuilder::NUM_WIRES; - // The number of multivariate polynomials on which a sumcheck prover sumcheck operates (including shifts). We often - // need containers of this size to hold related data, so we choose a name more agnostic than `NUM_POLYNOMIALS`. - static constexpr size_t NUM_ALL_ENTITIES = 44; - // The number of polynomials precomputed to describe a circuit and to aid a prover in constructing a satisfying - // assignment of witnesses. We again choose a neutral name. - static constexpr size_t NUM_PRECOMPUTED_ENTITIES = 27; - // The total number of witness entities not including shifts. - static constexpr size_t NUM_WITNESS_ENTITIES = 8; - // The total number of witnesses including shifts and derived entities. - static constexpr size_t NUM_ALL_WITNESS_ENTITIES = 13; - // Total number of folded polynomials, which is just all polynomials except the shifts - static constexpr size_t NUM_FOLDED_ENTITIES = NUM_PRECOMPUTED_ENTITIES + NUM_WITNESS_ENTITIES; - - using GrandProductRelations = std::tuple>; - // define the tuple of Relations that comprise the Sumcheck relation - // Note: made generic for use in MegaRecursive. - template - using Relations_ = std::tuple, - bb::UltraPermutationRelation, - bb::LogDerivLookupRelation, - bb::DeltaRangeConstraintRelation, - bb::EllipticRelation, - bb::AuxiliaryRelation, - bb::Poseidon2ExternalRelation, - bb::Poseidon2InternalRelation>; - - using Relations = Relations_; - - static constexpr size_t MAX_PARTIAL_RELATION_LENGTH = compute_max_partial_relation_length(); - static_assert(MAX_PARTIAL_RELATION_LENGTH == 7); - static constexpr size_t MAX_TOTAL_RELATION_LENGTH = compute_max_total_relation_length(); - static_assert(MAX_TOTAL_RELATION_LENGTH == 11); - static constexpr size_t NUM_SUBRELATIONS = compute_number_of_subrelations(); - // For instances of this flavour, used in folding, we need a unique sumcheck batching challenge for each - // subrelation. This is because using powers of alpha would increase the degree of Protogalaxy polynomial $G$ (the - // combiner) too much. - using RelationSeparator = std::array; - - // BATCHED_RELATION_PARTIAL_LENGTH = algebraic degree of sumcheck relation *after* multiplying by the `pow_zeta` - // random polynomial e.g. For \sum(x) [A(x) * B(x) + C(x)] * PowZeta(X), relation length = 2 and random relation - // length = 3 - static constexpr size_t BATCHED_RELATION_PARTIAL_LENGTH = MAX_PARTIAL_RELATION_LENGTH + 1; - static constexpr size_t NUM_RELATIONS = std::tuple_size_v; - - template - using ProtogalaxyTupleOfTuplesOfUnivariatesNoOptimisticSkipping = - decltype(create_protogalaxy_tuple_of_tuples_of_univariates()); - template - using ProtogalaxyTupleOfTuplesOfUnivariates = - decltype(create_protogalaxy_tuple_of_tuples_of_univariates()); - using SumcheckTupleOfTuplesOfUnivariates = decltype(create_sumcheck_tuple_of_tuples_of_univariates()); - using TupleOfArraysOfValues = decltype(create_tuple_of_arrays_of_values()); - - // Whether or not the first row of the execution trace is reserved for 0s to enable shifts - static constexpr bool has_zero_row = true; - - static constexpr bool is_decider = true; - - /** - * @brief A base class labelling precomputed entities and (ordered) subsets of interest. - * @details Used to build the proving key and verification key. - */ - template class PrecomputedEntities : public PrecomputedEntitiesBase { - public: - using DataType = DataType_; - DEFINE_FLAVOR_MEMBERS(DataType, - q_m, // column 0 - q_c, // column 1 - q_l, // column 2 - q_r, // column 3 - q_o, // column 4 - q_4, // column 5 - q_arith, // column 6 - q_delta_range, // column 7 - q_elliptic, // column 8 - q_aux, // column 9 - q_lookup, // column 10 - q_poseidon2_external, // column 11 - q_poseidon2_internal, // column 12 - sigma_1, // column 13 - sigma_2, // column 14 - sigma_3, // column 15 - sigma_4, // column 16 - id_1, // column 17 - id_2, // column 18 - id_3, // column 19 - id_4, // column 20 - table_1, // column 21 - table_2, // column 22 - table_3, // column 23 - table_4, // column 24 - lagrange_first, // column 25 - lagrange_last) // column 26 - - static constexpr CircuitType CIRCUIT_TYPE = CircuitBuilder::CIRCUIT_TYPE; - - auto get_selectors() - { - return RefArray{ q_m, - q_c, - q_l, - q_r, - q_o, - q_4, - q_arith, - q_delta_range, - q_elliptic, - q_aux, - q_lookup, - q_poseidon2_external, - q_poseidon2_internal }; - }; - auto get_sigma_polynomials() { return RefArray{ sigma_1, sigma_2, sigma_3, sigma_4 }; }; - auto get_id_polynomials() { return RefArray{ id_1, id_2, id_3, id_4 }; }; - - auto get_table_polynomials() { return RefArray{ table_1, table_2, table_3, table_4 }; }; - }; - - /** - * @brief Container for all witness polynomials used/constructed by the prover. - * @details Shifts are not included here since they do not occupy their own memory. - */ - template class WitnessEntities { - public: - DEFINE_FLAVOR_MEMBERS(DataType, - w_l, // column 0 - w_r, // column 1 - w_o, // column 2 - w_4, // column 3 - z_perm, // column 4 - lookup_inverses, // column 5 - lookup_read_counts, // column 6 - lookup_read_tags) // column 7 - - auto get_wires() { return RefArray{ w_l, w_r, w_o, w_4 }; }; - - MSGPACK_FIELDS(w_l, w_r, w_o, w_4, z_perm, lookup_inverses, lookup_read_counts, lookup_read_tags); - }; - - /** - * @brief Class for ShiftedEntities, containing shifted witness and table polynomials. - */ - template class ShiftedEntities { - public: - DEFINE_FLAVOR_MEMBERS(DataType, - table_1_shift, // column 0 - table_2_shift, // column 1 - table_3_shift, // column 2 - table_4_shift, // column 3 - w_l_shift, // column 4 - w_r_shift, // column 5 - w_o_shift, // column 6 - w_4_shift, // column 7 - z_perm_shift) // column 10 - - auto get_shifted() - { - return RefArray{ table_1_shift, table_2_shift, table_3_shift, table_4_shift, w_l_shift, - w_r_shift, w_o_shift, w_4_shift, z_perm_shift }; - }; - }; - - /** - * @brief A base class labelling all entities (for instance, all of the polynomials used by the prover during - * sumcheck) in this Honk variant along with particular subsets of interest - * @details Used to build containers for: the prover's polynomial during sumcheck; the sumcheck's folded - * polynomials; the univariates consturcted during during sumcheck; the evaluations produced by sumcheck. - * - * Symbolically we have: AllEntities = PrecomputedEntities + WitnessEntities + "ShiftedEntities". It could be - * implemented as such, but we have this now. - */ - template - class AllEntities : public PrecomputedEntities, - public WitnessEntities, - public ShiftedEntities { - public: - DEFINE_COMPOUND_GET_ALL(PrecomputedEntities, WitnessEntities, ShiftedEntities) - - auto get_wires() { return RefArray{ this->w_l, this->w_r, this->w_o, this->w_4 }; }; - auto get_selectors() { return PrecomputedEntities::get_selectors(); } - auto get_sigmas() { return RefArray{ this->sigma_1, this->sigma_2, this->sigma_3, this->sigma_4 }; }; - auto get_ids() { return RefArray{ this->id_1, this->id_2, this->id_3, this->id_4 }; }; - auto get_tables() { return RefArray{ this->table_1, this->table_2, this->table_3, this->table_4 }; }; - auto get_unshifted() - { - return concatenate(PrecomputedEntities::get_all(), WitnessEntities::get_all()); - }; - - auto get_precomputed() { return PrecomputedEntities::get_all(); } - - auto get_witness() { return WitnessEntities::get_all(); }; - auto get_to_be_shifted() - { - return RefArray{ this->table_1, this->table_2, this->table_3, this->table_4, this->w_l, - this->w_r, this->w_o, this->w_4, this->z_perm }; - }; - auto get_shifted() { return ShiftedEntities::get_all(); }; - }; - - public: - /** - * @brief A field element for each entity of the flavor. These entities represent the prover polynomials - * evaluated at one point. - */ - class AllValues : public AllEntities { - public: - using Base = AllEntities; - using Base::Base; - }; - - /** - * @brief A container for polynomials handles. - */ - // TODO(https://github.com/AztecProtocol/barretenberg/issues/966): use inheritance - class ProverPolynomials : public AllEntities { - public: - // Define all operations as default, except copy construction/assignment - ProverPolynomials() = default; - ProverPolynomials(size_t circuit_size) - { // Initialize all unshifted polynomials to the zero polynomial and initialize the - // shifted polys - - for (auto& poly : get_to_be_shifted()) { - poly = Polynomial{ /*memory size*/ circuit_size - 1, - /*largest possible index*/ circuit_size, - /* offset */ 1 }; - } - for (auto& poly : get_unshifted()) { - if (poly.is_empty()) { - // Not set above - poly = Polynomial{ /*memory size*/ circuit_size, /*largest possible index*/ circuit_size }; - } - } - set_shifted(); - } - ProverPolynomials& operator=(const ProverPolynomials&) = delete; - ProverPolynomials(const ProverPolynomials& o) = delete; - ProverPolynomials(ProverPolynomials&& o) noexcept = default; - ProverPolynomials& operator=(ProverPolynomials&& o) noexcept = default; - ~ProverPolynomials() = default; - [[nodiscard]] size_t get_polynomial_size() const { return q_c.size(); } - [[nodiscard]] AllValues get_row(const size_t row_idx) const - { - BB_OP_COUNT_TIME(); - AllValues result; - for (auto [result_field, polynomial] : zip_view(result.get_all(), get_all())) { - result_field = polynomial[row_idx]; - } - return result; - } - - // Set all shifted polynomials based on their to-be-shifted counterpart - void set_shifted() - { - for (auto [shifted, to_be_shifted] : zip_view(get_shifted(), get_to_be_shifted())) { - shifted = to_be_shifted.shifted(); - } - } - }; - /** - * @brief The proving key is responsible for storing the polynomials used by the prover. - * - */ - class ProvingKey : public ProvingKey_ { - public: - using Base = ProvingKey_; - - ProvingKey() = default; - ProvingKey(const size_t circuit_size, - const size_t num_public_inputs, - std::shared_ptr commitment_key = nullptr) - : Base(circuit_size, num_public_inputs, commitment_key) - , polynomials(circuit_size){}; - - std::vector memory_read_records; - std::vector memory_write_records; - ProverPolynomials polynomials; // storage for all polynomials evaluated by the prover - - /** - * @brief Add RAM/ROM memory records to the fourth wire polynomial - * - * @details This operation must be performed after the first three wires have been - * committed to, hence the dependence on the `eta` challenge. - * - * @tparam Flavor - * @param eta challenge produced after commitment to first three wire polynomials - */ - void add_ram_rom_memory_records_to_wire_4(const FF& eta, const FF& eta_two, const FF& eta_three) - { - // The memory record values are computed at the indicated indices as - // w4 = w3 * eta^3 + w2 * eta^2 + w1 * eta + read_write_flag; - // (See the Auxiliary relation for details) - auto wires = polynomials.get_wires(); - - // Compute read record values - for (const auto& gate_idx : memory_read_records) { - wires[3].at(gate_idx) += wires[2][gate_idx] * eta_three; - wires[3].at(gate_idx) += wires[1][gate_idx] * eta_two; - wires[3].at(gate_idx) += wires[0][gate_idx] * eta; - } - - // Compute write record values - for (const auto& gate_idx : memory_write_records) { - wires[3].at(gate_idx) += wires[2][gate_idx] * eta_three; - wires[3].at(gate_idx) += wires[1][gate_idx] * eta_two; - wires[3].at(gate_idx) += wires[0][gate_idx] * eta; - wires[3].at(gate_idx) += 1; - } - } - - /** - * @brief Compute the inverse polynomial used in the log derivative lookup argument - * - * @tparam Flavor - * @param beta - * @param gamma - */ - void compute_logderivative_inverses(const RelationParameters& relation_parameters) - { - // Compute inverses for conventional lookups - compute_logderivative_inverse>( - this->polynomials, relation_parameters, this->circuit_size); - } - - /** - * @brief Computes public_input_delta and the permutation grand product polynomial - * - * @param relation_parameters - */ - void compute_grand_product_polynomials(RelationParameters& relation_parameters) - { - auto public_input_delta = compute_public_input_delta(this->public_inputs, - relation_parameters.beta, - relation_parameters.gamma, - this->circuit_size, - this->pub_inputs_offset); - relation_parameters.public_input_delta = public_input_delta; - - // Compute permutation and lookup grand product polynomials - compute_grand_products(this->polynomials, relation_parameters); - } - }; - /** * @brief The verification key is responsible for storing the commitments to the precomputed (non-witnessk) * polynomials used by the verifier. @@ -509,146 +152,6 @@ class UltraKeccakFlavor { lagrange_last); }; - /** - * @brief A container for storing the partially evaluated multivariates produced by sumcheck. - */ - class PartiallyEvaluatedMultivariates : public AllEntities { - - public: - PartiallyEvaluatedMultivariates() = default; - PartiallyEvaluatedMultivariates(const size_t circuit_size) - { - // Storage is only needed after the first partial evaluation, hence polynomials of - // size (n / 2) - for (auto& poly : this->get_all()) { - poly = Polynomial(circuit_size / 2); - } - } - }; - - /** - * @brief A container for univariates used during Protogalaxy folding and sumcheck. - * @details During folding and sumcheck, the prover evaluates the relations on these univariates. - */ - template using ProverUnivariates = AllEntities>; - /** - * @brief A container for univariates used during Protogalaxy folding and sumcheck. - * @details During folding and sumcheck, the prover evaluates the relations on these univariates. - */ - template - using ProverUnivariatesWithOptimisticSkipping = AllEntities>; - - /** - * @brief A container for univariates produced during the hot loop in sumcheck. - */ - using ExtendedEdges = ProverUnivariates; - - /** - * @brief A container for the witness commitments. - */ - using WitnessCommitments = WitnessEntities; - - /** - * @brief A container for commitment labels. - * @note It's debatable whether this should inherit from AllEntities. since most entries are not strictly needed. It - * has, however, been useful during debugging to have these labels available. - * - */ - class CommitmentLabels : public AllEntities { - public: - CommitmentLabels() - { - w_l = "W_L"; - w_r = "W_R"; - w_o = "W_O"; - w_4 = "W_4"; - z_perm = "Z_PERM"; - lookup_inverses = "LOOKUP_INVERSES"; - lookup_read_counts = "LOOKUP_READ_COUNTS"; - lookup_read_tags = "LOOKUP_READ_TAGS"; - - q_c = "Q_C"; - q_l = "Q_L"; - q_r = "Q_R"; - q_o = "Q_O"; - q_4 = "Q_4"; - q_m = "Q_M"; - q_arith = "Q_ARITH"; - q_delta_range = "Q_SORT"; - q_elliptic = "Q_ELLIPTIC"; - q_aux = "Q_AUX"; - q_lookup = "Q_LOOKUP"; - q_poseidon2_external = "Q_POSEIDON2_EXTERNAL"; - q_poseidon2_internal = "Q_POSEIDON2_INTERNAL"; - sigma_1 = "SIGMA_1"; - sigma_2 = "SIGMA_2"; - sigma_3 = "SIGMA_3"; - sigma_4 = "SIGMA_4"; - id_1 = "ID_1"; - id_2 = "ID_2"; - id_3 = "ID_3"; - id_4 = "ID_4"; - table_1 = "TABLE_1"; - table_2 = "TABLE_2"; - table_3 = "TABLE_3"; - table_4 = "TABLE_4"; - lagrange_first = "LAGRANGE_FIRST"; - lagrange_last = "LAGRANGE_LAST"; - }; - }; - - /** - * @brief A container encapsulating all the commitments that the verifier receives (to precomputed polynomials and - * witness polynomials). - * - */ - template - class VerifierCommitments_ : public AllEntities { - public: - VerifierCommitments_(const std::shared_ptr& verification_key, - const std::optional& witness_commitments = std::nullopt) - { - this->q_m = verification_key->q_m; - this->q_c = verification_key->q_c; - this->q_l = verification_key->q_l; - this->q_r = verification_key->q_r; - this->q_o = verification_key->q_o; - this->q_4 = verification_key->q_4; - this->q_arith = verification_key->q_arith; - this->q_delta_range = verification_key->q_delta_range; - this->q_elliptic = verification_key->q_elliptic; - this->q_aux = verification_key->q_aux; - this->q_lookup = verification_key->q_lookup; - this->q_poseidon2_external = verification_key->q_poseidon2_external; - this->q_poseidon2_internal = verification_key->q_poseidon2_internal; - this->sigma_1 = verification_key->sigma_1; - this->sigma_2 = verification_key->sigma_2; - this->sigma_3 = verification_key->sigma_3; - this->sigma_4 = verification_key->sigma_4; - this->id_1 = verification_key->id_1; - this->id_2 = verification_key->id_2; - this->id_3 = verification_key->id_3; - this->id_4 = verification_key->id_4; - this->table_1 = verification_key->table_1; - this->table_2 = verification_key->table_2; - this->table_3 = verification_key->table_3; - this->table_4 = verification_key->table_4; - this->lagrange_first = verification_key->lagrange_first; - this->lagrange_last = verification_key->lagrange_last; - - if (witness_commitments.has_value()) { - auto commitments = witness_commitments.value(); - this->w_l = commitments.w_l; - this->w_r = commitments.w_r; - this->w_o = commitments.w_o; - this->lookup_inverses = commitments.lookup_inverses; - this->lookup_read_counts = commitments.lookup_read_counts; - this->lookup_read_tags = commitments.lookup_read_tags; - this->w_4 = commitments.w_4; - this->z_perm = commitments.z_perm; - } - } - }; // Specialize for Ultra (general case used in UltraRecursive). using VerifierCommitments = VerifierCommitments_; From 8024311d55a56395bfaca59db29a0e5e89242133 Mon Sep 17 00:00:00 2001 From: maramihali Date: Thu, 19 Sep 2024 14:27:45 +0000 Subject: [PATCH 07/31] ultra keccak with gemini, not working yet --- .../commitment_schemes/gemini/gemini.cpp | 235 +---------------- .../commitment_schemes/gemini/gemini.hpp | 15 +- .../commitment_schemes/gemini/gemini.test.cpp | 9 +- .../commitment_schemes/gemini/gemini_impl.hpp | 240 ++++++++++++++++++ .../commitment_schemes/ipa/ipa.test.cpp | 16 +- .../commitment_schemes/kzg/kzg.test.cpp | 32 +-- .../{shplemini_verifier.hpp => shplemini.hpp} | 134 +++++++--- ...i_verifier.test.cpp => shplemini.test.cpp} | 2 +- .../commitment_schemes/shplonk/shplonk.hpp | 6 +- .../zeromorph/zeromorph.hpp | 30 ++- .../zeromorph/zeromorph.test.cpp | 19 +- .../shplemini.test.cpp | 23 +- .../zeromorph.test.cpp | 19 +- .../src/barretenberg/eccvm/eccvm_prover.cpp | 16 +- .../src/barretenberg/eccvm/eccvm_verifier.cpp | 3 +- .../execution_trace/execution_trace.cpp | 2 + .../cpp/src/barretenberg/flavor/flavor.hpp | 10 +- .../eccvm_recursive_verifier.cpp | 3 +- .../decider_recursive_verifier.cpp | 3 +- .../ultra_recursive_verifier.cpp | 3 +- .../circuit_builders/circuit_builders_fwd.hpp | 1 + .../translator_recursive_verifier.cpp | 4 +- .../stdlib_circuit_builders/mega_flavor.hpp | 2 + .../stdlib_circuit_builders/ultra_flavor.hpp | 2 + .../ultra_keccak_with_gemini_flavor.hpp | 11 + .../translator_vm/translator_flavor.hpp | 2 + .../translator_vm/translator_prover.cpp | 22 +- .../translator_vm/translator_verifier.cpp | 3 +- .../ultra_honk/decider_prover.cpp | 18 +- .../ultra_honk/decider_prover.hpp | 1 + .../ultra_honk/decider_proving_key.cpp | 1 + .../ultra_honk/decider_proving_key.hpp | 1 + .../ultra_honk/decider_verifier.cpp | 20 +- .../barretenberg/ultra_honk/oink_prover.cpp | 1 + .../barretenberg/ultra_honk/oink_prover.hpp | 1 + .../barretenberg/ultra_honk/oink_verifier.cpp | 1 + .../barretenberg/ultra_honk/oink_verifier.hpp | 1 + .../ultra_honk/ultra_honk.test.cpp | 2 +- .../barretenberg/ultra_honk/ultra_prover.cpp | 1 + .../barretenberg/ultra_honk/ultra_prover.hpp | 1 + .../ultra_honk/ultra_verifier.cpp | 1 + .../barretenberg/vm/avm/generated/prover.cpp | 3 +- .../vm/avm/generated/verifier.cpp | 3 +- .../avm/recursion/avm_recursive_verifier.cpp | 3 +- .../bb-pil-backend/templates/prover.cpp.hbs | 3 +- .../bb-pil-backend/templates/verifier.cpp.hbs | 3 +- 46 files changed, 518 insertions(+), 414 deletions(-) create mode 100644 barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini_impl.hpp rename barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/{shplemini_verifier.hpp => shplemini.hpp} (74%) rename barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/{shplemini_verifier.test.cpp => shplemini.test.cpp} (99%) create mode 100644 barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_keccak_with_gemini_flavor.hpp diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.cpp index 2a9abea0c523..982c37c56821 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.cpp @@ -1,237 +1,6 @@ -#include "gemini.hpp" #include "barretenberg/common/thread.hpp" - -/** - * @brief Protocol for opening several multi-linear polynomials at the same point. - * - * - * m = number of variables - * n = 2ᵐ - * u = (u₀,...,uₘ₋₁) - * f₀, …, fₖ₋₁ = multilinear polynomials, - * g₀, …, gₕ₋₁ = shifted multilinear polynomial, - * Each gⱼ is the left-shift of some f↺ᵢ, and gⱼ points to the same memory location as fᵢ. - * v₀, …, vₖ₋₁, v↺₀, …, v↺ₕ₋₁ = multilinear evalutions s.t. fⱼ(u) = vⱼ, and gⱼ(u) = f↺ⱼ(u) = v↺ⱼ - * - * We use a challenge ρ to create a random linear combination of all fⱼ, - * and actually define A₀ = F + G↺, where - * F = ∑ⱼ ρʲ fⱼ - * G = ∑ⱼ ρᵏ⁺ʲ gⱼ, - * G↺ = is the shift of G - * where fⱼ is normal, and gⱼ is shifted. - * The evaluations are also batched, and - * v = ∑ ρʲ⋅vⱼ + ∑ ρᵏ⁺ʲ⋅v↺ⱼ = F(u) + G↺(u) - * - * The prover then creates the folded polynomials A₀, ..., Aₘ₋₁, - * and opens them at different points, as univariates. - * - * We open A₀ as univariate at r and -r. - * Since A₀ = F + G↺, but the verifier only has commitments to the gⱼs, - * we need to partially evaluate A₀ at both evaluation points. - * As univariate, we have - * A₀(X) = F(X) + G↺(X) = F(X) + G(X)/X - * So we define - * - A₀₊(X) = F(X) + G(X)/r - * - A₀₋(X) = F(X) − G(X)/r - * So that A₀₊(r) = A₀(r) and A₀₋(-r) = A₀(-r). - * The verifier is able to computed the simulated commitments to A₀₊(X) and A₀₋(X) - * since they are linear-combinations of the commitments [fⱼ] and [gⱼ]. - */ +#include "gemini_impl.hpp" namespace bb { -template -std::vector::Claim> GeminiProver_::prove( - const std::shared_ptr>& commitment_key, - std::span multilinear_challenge, - std::span multilinear_evaluations, /* u */ - RefSpan f_polynomials, // unshifted - RefSpan g_polynomials, // to-be-shifted - std::shared_ptr& transcript) -{ - ASSERT(multilinear_evaluations.size() == f_polynomials.size() + g_polynomials.size()); - const size_t log_n = multilinear_challenge.size(); - const size_t n = 1 << log_n; - - Fr rho = transcript->template get_challenge("rho"); - std::vector rhos = gemini::powers_of_rho(rho, multilinear_evaluations.size()); - - // Compute batched multivariate evaluation - Fr batched_evaluation = Fr::zero(); - for (size_t i = 0; i < rhos.size(); ++i) { - batched_evaluation += multilinear_evaluations[i] * rhos[i]; - } - - // Compute batched polynomials - Polynomial batched_unshifted(n); - Polynomial batched_to_be_shifted = Polynomial::shiftable(1 << log_n); - - const size_t num_unshifted = f_polynomials.size(); - const size_t num_to_be_shifted = g_polynomials.size(); - for (size_t i = 0; i < num_unshifted; i++) { - batched_unshifted.add_scaled(f_polynomials[i], rhos[i]); - } - for (size_t i = 0; i < num_to_be_shifted; i++) { - batched_to_be_shifted.add_scaled(g_polynomials[i], rhos[num_unshifted + i]); - } - - auto fold_polynomials = - compute_fold_polynomials(multilinear_challenge, std::move(batched_unshifted), std::move(batched_to_be_shifted)); - - for (size_t l = 0; l < log_n - 1; l++) { - transcript->send_to_verifier("Gemini:FOLD_" + std::to_string(l + 1), - commitment_key->commit(fold_polynomials[l + 2])); - } - const Fr r_challenge = transcript->template get_challenge("Gemini:r"); - std::vector claims = - compute_fold_polynomial_evaluations(multilinear_challenge, std::move(fold_polynomials), r_challenge); - - for (size_t l = 1; l <= log_n; l++) { - transcript->send_to_verifier("Gemini:a_" + std::to_string(l), claims[l].opening_pair.evaluation); - } - - return claims; -}; - -/** - * @brief Computes d-1 fold polynomials Fold_i, i = 1, ..., d-1 - * - * @param mle_opening_point multilinear opening point 'u' - * @param batched_unshifted F(X) = ∑ⱼ ρʲ fⱼ(X) - * @param batched_to_be_shifted G(X) = ∑ⱼ ρᵏ⁺ʲ gⱼ(X) - * @return std::vector - */ -template -std::vector::Polynomial> GeminiProver_::compute_fold_polynomials( - std::span mle_opening_point, Polynomial&& batched_unshifted, Polynomial&& batched_to_be_shifted) -{ - const size_t num_variables = mle_opening_point.size(); // m - - const size_t num_threads = get_num_cpus_pow2(); - constexpr size_t efficient_operations_per_thread = 64; // A guess of the number of operation for which there - // would be a point in sending them to a separate thread - - // Allocate space for m+1 Fold polynomials - // - // The first two are populated here with the batched unshifted and to-be-shifted polynomial respectively. - // They will eventually contain the full batched polynomial A₀ partially evaluated at the challenges r,-r. - // This function populates the other m-1 polynomials with the foldings of A₀. - std::vector fold_polynomials; - fold_polynomials.reserve(num_variables + 1); - - // F(X) = ∑ⱼ ρʲ fⱼ(X) and G(X) = ∑ⱼ ρᵏ⁺ʲ gⱼ(X) - Polynomial& batched_F = fold_polynomials.emplace_back(std::move(batched_unshifted)); - Polynomial& batched_G = fold_polynomials.emplace_back(std::move(batched_to_be_shifted)); - constexpr size_t offset_to_folded = 2; // Offset because of F an G - // A₀(X) = F(X) + G↺(X) = F(X) + G(X)/X. - Polynomial A_0 = batched_F; - A_0 += batched_G.shifted(); - - // Allocate everything before parallel computation - for (size_t l = 0; l < num_variables - 1; ++l) { - // size of the previous polynomial/2 - const size_t n_l = 1 << (num_variables - l - 1); - - // A_l_fold = Aₗ₊₁(X) = (1-uₗ)⋅even(Aₗ)(X) + uₗ⋅odd(Aₗ)(X) - fold_polynomials.emplace_back(Polynomial(n_l)); - } - - // A_l = Aₗ(X) is the polynomial being folded - // in the first iteration, we take the batched polynomial - // in the next iteration, it is the previously folded one - auto A_l = A_0.data(); - for (size_t l = 0; l < num_variables - 1; ++l) { - // size of the previous polynomial/2 - const size_t n_l = 1 << (num_variables - l - 1); - - // Use as many threads as it is useful so that 1 thread doesn't process 1 element, but make sure that there is - // at least 1 - size_t num_used_threads = std::min(n_l / efficient_operations_per_thread, num_threads); - num_used_threads = num_used_threads ? num_used_threads : 1; - size_t chunk_size = n_l / num_used_threads; - size_t last_chunk_size = (n_l % chunk_size) ? (n_l % num_used_threads) : chunk_size; - - // Openning point is the same for all - const Fr u_l = mle_opening_point[l]; - - // A_l_fold = Aₗ₊₁(X) = (1-uₗ)⋅even(Aₗ)(X) + uₗ⋅odd(Aₗ)(X) - auto A_l_fold = fold_polynomials[l + offset_to_folded].data(); - - parallel_for(num_used_threads, [&](size_t i) { - size_t current_chunk_size = (i == (num_used_threads - 1)) ? last_chunk_size : chunk_size; - for (std::ptrdiff_t j = (std::ptrdiff_t)(i * chunk_size); - j < (std::ptrdiff_t)((i * chunk_size) + current_chunk_size); - j++) { - // fold(Aₗ)[j] = (1-uₗ)⋅even(Aₗ)[j] + uₗ⋅odd(Aₗ)[j] - // = (1-uₗ)⋅Aₗ[2j] + uₗ⋅Aₗ[2j+1] - // = Aₗ₊₁[j] - A_l_fold[j] = A_l[j << 1] + u_l * (A_l[(j << 1) + 1] - A_l[j << 1]); - } - }); - // set Aₗ₊₁ = Aₗ for the next iteration - A_l = A_l_fold; - } - - return fold_polynomials; -}; - -/** - * @brief Computes/aggragates d+1 Fold polynomials and their opening pairs (challenge, evaluation) - * - * @details This function assumes that, upon input, last d-1 entries in fold_polynomials are Fold_i. - * The first two entries are assumed to be, respectively, the batched unshifted and batched to-be-shifted - * polynomials F(X) = ∑ⱼ ρʲfⱼ(X) and G(X) = ∑ⱼ ρᵏ⁺ʲ gⱼ(X). This function completes the computation - * of the first two Fold polynomials as F + G/r and F - G/r. It then evaluates each of the d+1 - * fold polynomials at, respectively, the points r, rₗ = r^{2ˡ} for l = 0, 1, ..., d-1. - * - * @param mle_opening_point u = (u₀,...,uₘ₋₁) is the MLE opening point - * @param fold_polynomials vector of polynomials whose first two elements are F(X) = ∑ⱼ ρʲfⱼ(X) - * and G(X) = ∑ⱼ ρᵏ⁺ʲ gⱼ(X), and the next d-1 elements are Fold_i, i = 1, ..., d-1. - * @param r_challenge univariate opening challenge - */ -template -std::vector::Claim> GeminiProver_::compute_fold_polynomial_evaluations( - std::span mle_opening_point, std::vector&& fold_polynomials, const Fr& r_challenge) -{ - const size_t num_variables = mle_opening_point.size(); // m - - Polynomial& batched_F = fold_polynomials[0]; // F(X) = ∑ⱼ ρʲ fⱼ(X) - Polynomial& batched_G = fold_polynomials[1]; // G(X) = ∑ⱼ ρᵏ⁺ʲ gⱼ(X) - - // Compute univariate opening queries rₗ = r^{2ˡ} for l = 0, 1, ..., m-1 - std::vector r_squares = gemini::powers_of_evaluation_challenge(r_challenge, num_variables); - - // Compute G/r - Fr r_inv = r_challenge.invert(); - batched_G *= r_inv; - - // Construct A₀₊ = F + G/r and A₀₋ = F - G/r in place in fold_polynomials - Polynomial tmp = batched_F; - Polynomial& A_0_pos = fold_polynomials[0]; - - // A₀₊(X) = F(X) + G(X)/r, s.t. A₀₊(r) = A₀(r) - A_0_pos += batched_G; - - // Perform a swap so that tmp = G(X)/r and A_0_neg = F(X) - std::swap(tmp, batched_G); - Polynomial& A_0_neg = fold_polynomials[1]; - - // A₀₋(X) = F(X) - G(X)/r, s.t. A₀₋(-r) = A₀(-r) - A_0_neg -= tmp; - - std::vector opening_claims; - opening_claims.reserve(num_variables + 1); - - // Compute first opening pair {r, A₀(r)} - Fr evaluation = fold_polynomials[0].evaluate(r_challenge); - opening_claims.emplace_back( - Claim{ fold_polynomials[0], { r_challenge, fold_polynomials[0].evaluate(r_challenge) } }); - // Compute the remaining m opening pairs {−r^{2ˡ}, Aₗ(−r^{2ˡ})}, l = 0, ..., m-1. - for (size_t l = 0; l < num_variables; ++l) { - evaluation = fold_polynomials[l + 1].evaluate(-r_squares[l]); - opening_claims.emplace_back(Claim{ fold_polynomials[l + 1], { -r_squares[l], evaluation } }); - } - - return opening_claims; -}; template class GeminiProver_; template class GeminiProver_; -} // namespace bb +}; // namespace bb \ No newline at end of file diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp index e38f6891bd65..ce0fa0e2e91f 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp @@ -99,20 +99,23 @@ template class GeminiProver_ { using Claim = ProverOpeningClaim; public: - static std::vector compute_fold_polynomials(std::span multilinear_evaluations, + static std::vector compute_fold_polynomials(const size_t log_N, + std::span multilinear_challenge, Polynomial&& batched_unshifted, Polynomial&& batched_to_be_shifted); - static std::vector compute_fold_polynomial_evaluations(std::span multilinear_evaluations, + static std::vector compute_fold_polynomial_evaluations(const size_t log_N, std::vector&& fold_polynomials, const Fr& r_challenge); - static std::vector prove(const std::shared_ptr>& commitment_key, - std::span multilinear_challenge, - std::span multilinear_evaluations, + template + static std::vector prove(const Fr circuit_size, RefSpan f_polynomials, RefSpan g_polynomials, - std::shared_ptr& transcript); + RefSpan multilinear_evaluations, + std::span multilinear_challenge, + const std::shared_ptr>& commitment_key, + const std::shared_ptr& transcript); }; // namespace bb template class GeminiVerifier_ { diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.test.cpp index 881e70769cfb..7d0b29a26a9f 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.test.cpp @@ -1,4 +1,4 @@ -#include "gemini.hpp" +#include "gemini_impl.hpp" #include "../commitment_key.test.hpp" #include "barretenberg/polynomials/polynomial.hpp" @@ -25,11 +25,12 @@ template class GeminiTest : public CommitmentTest { // Compute: // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1 // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1 - auto prover_output = GeminiProver::prove(this->commitment_key, - multilinear_evaluation_point, - multilinear_evaluations, + auto prover_output = GeminiProver::prove(1 << multilinear_evaluation_point.size(), RefVector(multilinear_polynomials), RefVector(multilinear_polynomials_to_be_shifted), + RefVector(multilinear_evaluations), + multilinear_evaluation_point, + this->commitment_key, prover_transcript); // Check that the Fold polynomials have been evaluated correctly in the prover diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini_impl.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini_impl.hpp new file mode 100644 index 000000000000..5876f5ac51b2 --- /dev/null +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini_impl.hpp @@ -0,0 +1,240 @@ +#pragma once +#include "barretenberg/common/thread.hpp" +#include "gemini.hpp" + +/** + * @brief Protocol for opening several multi-linear polynomials at the same point. + * + * + * m = number of variables + * n = 2ᵐ + * u = (u₀,...,uₘ₋₁) + * f₀, …, fₖ₋₁ = multilinear polynomials, + * g₀, …, gₕ₋₁ = shifted multilinear polynomial, + * Each gⱼ is the left-shift of some f↺ᵢ, and gⱼ points to the same memory location as fᵢ. + * v₀, …, vₖ₋₁, v↺₀, …, v↺ₕ₋₁ = multilinear evalutions s.t. fⱼ(u) = vⱼ, and gⱼ(u) = f↺ⱼ(u) = v↺ⱼ + * + * We use a challenge ρ to create a random linear combination of all fⱼ, + * and actually define A₀ = F + G↺, where + * F = ∑ⱼ ρʲ fⱼ + * G = ∑ⱼ ρᵏ⁺ʲ gⱼ, + * G↺ = is the shift of G + * where fⱼ is normal, and gⱼ is shifted. + * The evaluations are also batched, and + * v = ∑ ρʲ⋅vⱼ + ∑ ρᵏ⁺ʲ⋅v↺ⱼ = F(u) + G↺(u) + * + * The prover then creates the folded polynomials A₀, ..., Aₘ₋₁, + * and opens them at different points, as univariates. + * + * We open A₀ as univariate at r and -r. + * Since A₀ = F + G↺, but the verifier only has commitments to the gⱼs, + * we need to partially evaluate A₀ at both evaluation points. + * As univariate, we have + * A₀(X) = F(X) + G↺(X) = F(X) + G(X)/X + * So we define + * - A₀₊(X) = F(X) + G(X)/r + * - A₀₋(X) = F(X) − G(X)/r + * So that A₀₊(r) = A₀(r) and A₀₋(-r) = A₀(-r). + * The verifier is able to computed the simulated commitments to A₀₊(X) and A₀₋(X) + * since they are linear-combinations of the commitments [fⱼ] and [gⱼ]. + */ +namespace bb { +template +template +std::vector::Claim> GeminiProver_::prove( + [[maybe_unused]] Fr circuit_size, // Will be used when constant proof sizes are in + RefSpan f_polynomials, // unshifted + RefSpan g_polynomials, // to-be-shifted + RefSpan multilinear_evaluations, /* u */ + std::span multilinear_challenge, + const std::shared_ptr>& commitment_key, + const std::shared_ptr& transcript) +{ + ASSERT(multilinear_evaluations.size() == f_polynomials.size() + g_polynomials.size()); + size_t log_n = numeric::get_msb(static_cast(circuit_size)); + size_t n = 1 << log_n; + + Fr rho = transcript->template get_challenge("rho"); + std::vector rhos = gemini::powers_of_rho(rho, multilinear_evaluations.size()); + + // Compute batched multivariate evaluation + Fr batched_evaluation = Fr::zero(); + for (size_t i = 0; i < rhos.size(); ++i) { + batched_evaluation += multilinear_evaluations[i] * rhos[i]; + } + + // Compute batched polynomials + Polynomial batched_unshifted(n); + Polynomial batched_to_be_shifted = Polynomial::shiftable(1 << log_n); + + const size_t num_unshifted = f_polynomials.size(); + const size_t num_to_be_shifted = g_polynomials.size(); + for (size_t i = 0; i < num_unshifted; i++) { + batched_unshifted.add_scaled(f_polynomials[i], rhos[i]); + } + for (size_t i = 0; i < num_to_be_shifted; i++) { + batched_to_be_shifted.add_scaled(g_polynomials[i], rhos[num_unshifted + i]); + } + + auto fold_polynomials = compute_fold_polynomials( + log_n, multilinear_challenge, std::move(batched_unshifted), std::move(batched_to_be_shifted)); + + for (size_t l = 0; l < log_n - 1; l++) { + transcript->send_to_verifier("Gemini:FOLD_" + std::to_string(l + 1), + commitment_key->commit(fold_polynomials[l + 2])); + } + const Fr r_challenge = transcript->template get_challenge("Gemini:r"); + std::vector claims = compute_fold_polynomial_evaluations(log_n, std::move(fold_polynomials), r_challenge); + + for (size_t l = 1; l <= log_n; l++) { + transcript->send_to_verifier("Gemini:a_" + std::to_string(l), claims[l].opening_pair.evaluation); + } + + return claims; +}; + +/** + * @brief Computes d-1 fold polynomials Fold_i, i = 1, ..., d-1 + * + * @param mle_opening_point multilinear opening point 'u' + * @param batched_unshifted F(X) = ∑ⱼ ρʲ fⱼ(X) + * @param batched_to_be_shifted G(X) = ∑ⱼ ρᵏ⁺ʲ gⱼ(X) + * @return std::vector + */ +template +std::vector::Polynomial> GeminiProver_::compute_fold_polynomials( + const size_t log_N, + std::span mle_opening_point, + Polynomial&& batched_unshifted, + Polynomial&& batched_to_be_shifted) +{ + const size_t num_variables = log_N; + + const size_t num_threads = get_num_cpus_pow2(); + constexpr size_t efficient_operations_per_thread = 64; // A guess of the number of operation for which there + // would be a point in sending them to a separate thread + + // Allocate space for m+1 Fold polynomials + // + // The first two are populated here with the batched unshifted and to-be-shifted polynomial respectively. + // They will eventually contain the full batched polynomial A₀ partially evaluated at the challenges r,-r. + // This function populates the other m-1 polynomials with the foldings of A₀. + std::vector fold_polynomials; + fold_polynomials.reserve(num_variables + 1); + + // F(X) = ∑ⱼ ρʲ fⱼ(X) and G(X) = ∑ⱼ ρᵏ⁺ʲ gⱼ(X) + Polynomial& batched_F = fold_polynomials.emplace_back(std::move(batched_unshifted)); + Polynomial& batched_G = fold_polynomials.emplace_back(std::move(batched_to_be_shifted)); + constexpr size_t offset_to_folded = 2; // Offset because of F an G + // A₀(X) = F(X) + G↺(X) = F(X) + G(X)/X. + Polynomial A_0 = batched_F; + A_0 += batched_G.shifted(); + + // Allocate everything before parallel computation + for (size_t l = 0; l < num_variables - 1; ++l) { + // size of the previous polynomial/2 + const size_t n_l = 1 << (num_variables - l - 1); + + // A_l_fold = Aₗ₊₁(X) = (1-uₗ)⋅even(Aₗ)(X) + uₗ⋅odd(Aₗ)(X) + fold_polynomials.emplace_back(Polynomial(n_l)); + } + + // A_l = Aₗ(X) is the polynomial being folded + // in the first iteration, we take the batched polynomial + // in the next iteration, it is the previously folded one + auto A_l = A_0.data(); + for (size_t l = 0; l < num_variables - 1; ++l) { + // size of the previous polynomial/2 + const size_t n_l = 1 << (num_variables - l - 1); + + // Use as many threads as it is useful so that 1 thread doesn't process 1 element, but make sure that there is + // at least 1 + size_t num_used_threads = std::min(n_l / efficient_operations_per_thread, num_threads); + num_used_threads = num_used_threads ? num_used_threads : 1; + size_t chunk_size = n_l / num_used_threads; + size_t last_chunk_size = (n_l % chunk_size) ? (n_l % num_used_threads) : chunk_size; + + // Openning point is the same for all + const Fr u_l = mle_opening_point[l]; + + // A_l_fold = Aₗ₊₁(X) = (1-uₗ)⋅even(Aₗ)(X) + uₗ⋅odd(Aₗ)(X) + auto A_l_fold = fold_polynomials[l + offset_to_folded].data(); + + parallel_for(num_used_threads, [&](size_t i) { + size_t current_chunk_size = (i == (num_used_threads - 1)) ? last_chunk_size : chunk_size; + for (std::ptrdiff_t j = (std::ptrdiff_t)(i * chunk_size); + j < (std::ptrdiff_t)((i * chunk_size) + current_chunk_size); + j++) { + // fold(Aₗ)[j] = (1-uₗ)⋅even(Aₗ)[j] + uₗ⋅odd(Aₗ)[j] + // = (1-uₗ)⋅Aₗ[2j] + uₗ⋅Aₗ[2j+1] + // = Aₗ₊₁[j] + A_l_fold[j] = A_l[j << 1] + u_l * (A_l[(j << 1) + 1] - A_l[j << 1]); + } + }); + // set Aₗ₊₁ = Aₗ for the next iteration + A_l = A_l_fold; + } + + return fold_polynomials; +}; + +/** + * @brief Computes/aggragates d+1 Fold polynomials and their opening pairs (challenge, evaluation) + * + * @details This function assumes that, upon input, last d-1 entries in fold_polynomials are Fold_i. + * The first two entries are assumed to be, respectively, the batched unshifted and batched to-be-shifted + * polynomials F(X) = ∑ⱼ ρʲfⱼ(X) and G(X) = ∑ⱼ ρᵏ⁺ʲ gⱼ(X). This function completes the computation + * of the first two Fold polynomials as F + G/r and F - G/r. It then evaluates each of the d+1 + * fold polynomials at, respectively, the points r, rₗ = r^{2ˡ} for l = 0, 1, ..., d-1. + * + * @param mle_opening_point u = (u₀,...,uₘ₋₁) is the MLE opening point + * @param fold_polynomials vector of polynomials whose first two elements are F(X) = ∑ⱼ ρʲfⱼ(X) + * and G(X) = ∑ⱼ ρᵏ⁺ʲ gⱼ(X), and the next d-1 elements are Fold_i, i = 1, ..., d-1. + * @param r_challenge univariate opening challenge + */ +template +std::vector::Claim> GeminiProver_::compute_fold_polynomial_evaluations( + const size_t log_N, std::vector&& fold_polynomials, const Fr& r_challenge) +{ + const size_t num_variables = log_N; + + Polynomial& batched_F = fold_polynomials[0]; // F(X) = ∑ⱼ ρʲ fⱼ(X) + Polynomial& batched_G = fold_polynomials[1]; // G(X) = ∑ⱼ ρᵏ⁺ʲ gⱼ(X) + + // Compute univariate opening queries rₗ = r^{2ˡ} for l = 0, 1, ..., m-1 + std::vector r_squares = gemini::powers_of_evaluation_challenge(r_challenge, num_variables); + + // Compute G/r + Fr r_inv = r_challenge.invert(); + batched_G *= r_inv; + + // Construct A₀₊ = F + G/r and A₀₋ = F - G/r in place in fold_polynomials + Polynomial tmp = batched_F; + Polynomial& A_0_pos = fold_polynomials[0]; + + // A₀₊(X) = F(X) + G(X)/r, s.t. A₀₊(r) = A₀(r) + A_0_pos += batched_G; + + // Perform a swap so that tmp = G(X)/r and A_0_neg = F(X) + std::swap(tmp, batched_G); + Polynomial& A_0_neg = fold_polynomials[1]; + + // A₀₋(X) = F(X) - G(X)/r, s.t. A₀₋(-r) = A₀(-r) + A_0_neg -= tmp; + + std::vector opening_claims; + opening_claims.reserve(num_variables + 1); + + // Compute first opening pair {r, A₀(r)} + Fr evaluation = fold_polynomials[0].evaluate(r_challenge); + opening_claims.emplace_back( + Claim{ fold_polynomials[0], { r_challenge, fold_polynomials[0].evaluate(r_challenge) } }); + // Compute the remaining m opening pairs {−r^{2ˡ}, Aₗ(−r^{2ˡ})}, l = 0, ..., m-1. + for (size_t l = 0; l < num_variables; ++l) { + evaluation = fold_polynomials[l + 1].evaluate(-r_squares[l]); + opening_claims.emplace_back(Claim{ fold_polynomials[l + 1], { -r_squares[l], evaluation } }); + } + + return opening_claims; +}; +} // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp index eb448f4e7091..d41af0eefb3c 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp @@ -1,6 +1,6 @@ #include "../gemini/gemini.hpp" -#include "../shplonk/shplemini_verifier.hpp" +#include "../shplonk/shplemini.hpp" #include "../shplonk/shplonk.hpp" #include "./mock_transcript.hpp" #include "barretenberg/commitment_schemes/commitment_key.test.hpp" @@ -266,11 +266,12 @@ TEST_F(IPATest, GeminiShplonkIPAWithShift) // Compute: // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1 // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1 - auto prover_opening_claims = GeminiProver::prove(this->ck(), - mle_opening_point, - multilinear_evaluations, + auto prover_opening_claims = GeminiProver::prove(n, RefArray{ poly1, poly2 }, RefArray{ poly2 }, + RefVector(multilinear_evaluations), + mle_opening_point, + this->ck(), prover_transcript); const auto opening_claim = ShplonkProver::prove(this->ck(), prover_opening_claims, prover_transcript); @@ -322,11 +323,12 @@ TEST_F(IPATest, ShpleminiIPAWithShift) // Compute: // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1 // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1 - auto prover_opening_claims = GeminiProver::prove(this->ck(), - mle_opening_point, - multilinear_evaluations, + auto prover_opening_claims = GeminiProver::prove(n, RefArray{ poly1, poly2 }, RefArray{ poly2 }, + RefVector(multilinear_evaluations), + mle_opening_point, + this->ck(), prover_transcript); const auto opening_claim = ShplonkProver::prove(this->ck(), prover_opening_claims, prover_transcript); diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp index 60f41bdb7f59..87278deef5d3 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp @@ -1,7 +1,7 @@ #include "kzg.hpp" #include "../gemini/gemini.hpp" -#include "../shplonk/shplemini_verifier.hpp" +#include "../shplonk/shplemini.hpp" #include "../shplonk/shplonk.hpp" #include "../commitment_key.test.hpp" @@ -92,11 +92,12 @@ TYPED_TEST(KZGTest, GeminiShplonkKzgWithShift) // Compute: // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1 // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1 - auto prover_opening_claims = GeminiProver::prove(this->ck(), - mle_opening_point, - multilinear_evaluations, + auto prover_opening_claims = GeminiProver::prove(n, RefArray{ poly1, poly2 }, RefArray{ poly2 }, + RefVector(multilinear_evaluations), + mle_opening_point, + this->ck(), prover_transcript); // Shplonk prover output: @@ -169,11 +170,12 @@ TYPED_TEST(KZGTest, ShpleminiKzgWithShift) // Compute: // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1 // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1 - auto prover_opening_claims = GeminiProver::prove(this->ck(), - mle_opening_point, - multilinear_evaluations, + auto prover_opening_claims = GeminiProver::prove(n, RefArray{ poly1, poly2 }, RefArray{ poly2 }, + RefVector(multilinear_evaluations), + mle_opening_point, + this->ck(), prover_transcript); // Shplonk prover output: @@ -191,14 +193,14 @@ TYPED_TEST(KZGTest, ShpleminiKzgWithShift) // Gemini verifier output: // - claim: d+1 commitments to Fold_{r}^(0), Fold_{-r}^(0), Fold^(l), d+1 evaluations a_0_pos, a_l, l = 0:d-1 - const auto batch_opening_claim = ShpleminiVerifier::compute_batch_opening_claim(log_n, - RefVector(unshifted_commitments), - RefVector(shifted_commitments), - RefVector(multilinear_evaluations), - mle_opening_point, - this->vk()->get_g1_identity(), - verifier_transcript); - const auto pairing_points = KZG::reduce_verify_batch_opening_claim(batch_opening_claim, verifier_transcript); + const auto batch_opening_claim = ShpleminiVerifier::verify(log_n, + RefVector(unshifted_commitments), + RefVector(shifted_commitments), + RefVector(multilinear_evaluations), + mle_opening_point, + this->vk()->get_g1_identity(), + verifier_transcript); + const auto pairing_points = KZG::reduce_verify(batch_opening_claim, verifier_transcript); // Final pairing check: e([Q] - [Q_z] + z[W], [1]_2) = e([W], [x]_2) EXPECT_EQ(this->vk()->pairing_check(pairing_points[0], pairing_points[1]), true); diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini_verifier.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp similarity index 74% rename from barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini_verifier.hpp rename to barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp index 721d65a2cc0d..071ec824f1d8 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini_verifier.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp @@ -1,12 +1,45 @@ #pragma once #include "barretenberg/commitment_schemes/claim.hpp" #include "barretenberg/commitment_schemes/commitment_key.hpp" -#include "barretenberg/commitment_schemes/gemini/gemini.hpp" +#include "barretenberg/commitment_schemes/gemini/gemini_impl.hpp" #include "barretenberg/commitment_schemes/shplonk/shplonk.hpp" #include "barretenberg/commitment_schemes/verification_key.hpp" #include "barretenberg/transcript/transcript.hpp" namespace bb { + +template class ShpleminiProver_ { + public: + using FF = typename Curve::ScalarField; + using GroupElement = typename Curve::Element; + using Commitment = typename Curve::AffineElement; + using Polynomial = bb::Polynomial; + using OpeningClaim = ProverOpeningClaim; + + using VK = CommitmentKey; + using ShplonkProver = ShplonkProver_; + using GeminiProver = GeminiProver_; + + template + static OpeningClaim prove(FF circuit_size, + RefSpan f_polynomials, + RefSpan g_polynomials, + RefSpan multilinear_evaluations, + std::span multilinear_challenge, + const std::shared_ptr>& commitment_key, + const std::shared_ptr& transcript) + { + std::vector opening_claims = GeminiProver::prove(circuit_size, + f_polynomials, + g_polynomials, + multilinear_evaluations, + multilinear_challenge, + commitment_key, + transcript); + OpeningClaim batched_claim = ShplonkProver::prove(commitment_key, opening_claims, transcript); + return batched_claim; + }; +}; /** * \brief An efficient verifier for the evaluation proofs of multilinear polynomials and their shifts. * @@ -14,24 +47,24 @@ namespace bb { * \subsection Context * * This Verifier combines verifiers from four protocols: - * 1. **Batch opening protocol**: Reduces various evaluation claims of multilinear polynomials and their shifts to the - * opening claim of a single batched polynomial. - * 2. **Gemini protocol**: Reduces the batched polynomial opening claim to a claim about openings of Gemini univariate - * polynomials. - * 3. **Shplonk protocol**: Reduces the opening of Gemini univariate polynomials at different points to a single opening - * of a batched univariate polynomial. Outputs \f$ \text{shplonk_opening_claim} \f$. + * 1. **Batch opening protocol**: Reduces various evaluation claims of multilinear polynomials and their shifts to + * the opening claim of a single batched polynomial. + * 2. **Gemini protocol**: Reduces the batched polynomial opening claim to a claim about openings of Gemini + * univariate polynomials. + * 3. **Shplonk protocol**: Reduces the opening of Gemini univariate polynomials at different points to a single + * opening of a batched univariate polynomial. Outputs \f$ \text{shplonk_opening_claim} \f$. * 4. **KZG or IPA protocol**: Verifies the evaluation of the univariate batched by Shplonk. * * **Important Observation**: From step 1 to step 4, the Verifier is not required to hash any results of its group - * operations. Therefore, they could be performed at the very end, i.e. by the opening protocol of a chosen univariate - * PCS. Because of this and the shape of the pairing check in Shplonk, various batch_mul calls could be reduced to a - * single batch_mul call. This way we minimize the number of gates in the resulting recursive verifier circuits and save - * some group operations in the native setting. + * operations. Therefore, they could be performed at the very end, i.e. by the opening protocol of a chosen + * univariate PCS. Because of this and the shape of the pairing check in Shplonk, various batch_mul calls could be + * reduced to a single batch_mul call. This way we minimize the number of gates in the resulting recursive verifier + * circuits and save some group operations in the native setting. * - * \remark The sequence of steps could be performed by performing batching of unshifted and shifted polynomials, feeding - * it to the existing GeminiVerifier, whose output would be passed to the ShplonkVerifier and then to the reduce_verify - * method of a chosen PCS. However, it would be less efficient than ShpleminiVerifier in terms of group and field - * operations. + * \remark The sequence of steps could be performed by performing batching of unshifted and shifted polynomials, + * feeding it to the existing GeminiVerifier, whose output would be passed to the ShplonkVerifier and then to the + * reduce_verify method of a chosen PCS. However, it would be less efficient than ShpleminiVerifier in terms of + * group and field operations. * * \subsection Implementation * @@ -46,19 +79,19 @@ namespace bb { * - Compute the evaluation of the Gemini batched univariate. * 4. Output a \ref bb::BatchOpeningClaim "batch opening claim", which is a atriple \f$ (\text{commitments}, * \text{scalars}, \text{shplonk_evaluation_point}) \f$ that satisfies the following: \f[ \text{batch_mul} - * (\text{commitments},\ \text{scalars}) = \text{shplonk_opening_claim}.\text{point} \f] and the sizes of 'commitments' - * and 'scalars' are equal to: \f[ + * (\text{commitments},\ \text{scalars}) = \text{shplonk_opening_claim}.\text{point} \f] and the sizes of + * 'commitments' and 'scalars' are equal to: \f[ * \#\text{claimed_evaluations} + \text{log_circuit_size} + 2 * \f] * * The output triple is either fed to the corresponding \ref bb::KZG< Curve_ >::reduce_verify_batch_opening_claim - * "KZG method" or \ref bb::IPA< Curve_ >::reduce_verify_batch_opening_claim "IPA method". In the case of KZG, we reduce - * \f$ 6 \f$ batch_mul calls needed for the verification of the multivariate evaluation claims to the single batch_mul - * described above. In the case of IPA, the total number of batch_mul calls needed to verify the multivariate evaluation - * claims is reduced by \f$ 5 \f$. + * "KZG method" or \ref bb::IPA< Curve_ >::reduce_verify_batch_opening_claim "IPA method". In the case of KZG, we + * reduce \f$ 6 \f$ batch_mul calls needed for the verification of the multivariate evaluation claims to the single + * batch_mul described above. In the case of IPA, the total number of batch_mul calls needed to verify the + * multivariate evaluation claims is reduced by \f$ 5 \f$. * - * TODO (https://github.com/AztecProtocol/barretenberg/issues/1084) Reduce the size of batch_mul further by eliminating - * shifted commitments. + * TODO (https://github.com/AztecProtocol/barretenberg/issues/1084) Reduce the size of batch_mul further by + * eliminating shifted commitments. */ template class ShpleminiVerifier_ { @@ -70,6 +103,37 @@ template class ShpleminiVerifier_ { using GeminiVerifier = GeminiVerifier_; public: + template + static OpeningClaim verify(const Fr circuit_size, + RefSpan unshifted_commitments, + RefSpan shifted_commitments, + RefSpan claimed_evaluations, + const std::vector& multivariate_challenge, + const Commitment& g1_identity, + std::shared_ptr& transcript) + { + Fr log_N = numeric::get_msb(static_cast(circuit_size)); + + BatchOpeningClaim batch_opening_claim = compute_batch_opening_claim(log_N, + unshifted_commitments, + shifted_commitments, + claimed_evaluations, + multivariate_challenge, + g1_identity, + transcript); + + GroupElement commitment; + if constexpr (Curve::is_stdlib_type) { + commitment = GroupElement::batch_mul(batch_opening_claim.commitments, + batch_opening_claim.scalars, + /*max_num_bits=*/0, + /*with_edgecases=*/true); + } else { + commitment = batch_mul_native(batch_opening_claim.commitments, batch_opening_claim.scalars); + } + + return { { batch_opening_claim.evaluation_point, Fr(0) }, commitment }; + } template static BatchOpeningClaim compute_batch_opening_claim(const Fr log_N, RefSpan unshifted_commitments, @@ -135,8 +199,8 @@ template class ShpleminiVerifier_ { gemini_evaluation_challenge.invert() * (inverse_vanishing_evals[0] - shplonk_batching_challenge * inverse_vanishing_evals[1]); - // Place the commitments to prover polynomials in the commitments vector. Compute the evaluation of the batched - // multilinear polynomial. Populate the vector of scalars for the final batch mul + // Place the commitments to prover polynomials in the commitments vector. Compute the evaluation of the + // batched multilinear polynomial. Populate the vector of scalars for the final batch mul Fr batched_evaluation{ 0 }; batch_multivariate_opening_claims(unshifted_commitments, shifted_commitments, @@ -175,8 +239,8 @@ template class ShpleminiVerifier_ { return { commitments, scalars, shplonk_evaluation_challenge }; }; /** - * @brief Populates the vectors of commitments and scalars, and computes the evaluation of the batched multilinear - * polynomial at the sumcheck challenge. + * @brief Populates the vectors of commitments and scalars, and computes the evaluation of the batched + * multilinear polynomial at the sumcheck challenge. * * @details This function iterates over all commitments and the claimed evaluations of the corresponding * polynomials. The following notations are used: @@ -257,11 +321,11 @@ template class ShpleminiVerifier_ { } } /** - * @brief Populates the 'commitments' and 'scalars' vectors with the commitments to Gemini fold polynomials \f$ A_i - * \f$. + * @brief Populates the 'commitments' and 'scalars' vectors with the commitments to Gemini fold polynomials \f$ + * A_i \f$. * - * @details Once the commitments to Gemini "fold" polynomials \f$ A_i \f$ and their evaluations at \f$ -r^{2^i} \f$, - * where \f$ i = 1, \ldots, n-1 \f$, are received by the verifier, it performs the following operations: + * @details Once the commitments to Gemini "fold" polynomials \f$ A_i \f$ and their evaluations at \f$ -r^{2^i} + * \f$, where \f$ i = 1, \ldots, n-1 \f$, are received by the verifier, it performs the following operations: * * 1. Moves the vector * \f[ @@ -316,4 +380,12 @@ template class ShpleminiVerifier_ { } } }; + +// TODO: temporary hack +template class Shplemini_ { + public: + using Prover = ShpleminiProver_; + using Verifier = ShpleminiVerifier_; +}; + } // namespace bb \ No newline at end of file diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini_verifier.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp similarity index 99% rename from barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini_verifier.test.cpp rename to barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp index c19a9bbcb7de..f71245ed4072 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini_verifier.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp @@ -1,5 +1,5 @@ -#include "shplemini_verifier.hpp" +#include "shplemini.hpp" #include "../commitment_key.test.hpp" #include "../gemini/gemini.hpp" #include "../kzg/kzg.hpp" diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp index 5526feca2c3f..f8db79c9a2a2 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp @@ -126,9 +126,10 @@ template class ShplonkProver_ { * @param transcript * @return ProverOpeningClaim */ + template static ProverOpeningClaim prove(const std::shared_ptr>& commitment_key, std::span> opening_claims, - auto& transcript) + const std::shared_ptr& transcript) { const Fr nu = transcript->template get_challenge("Shplonk:nu"); auto batched_quotient = compute_batched_quotient(opening_claims, nu); @@ -159,9 +160,10 @@ template class ShplonkVerifier_ { * @param transcript * @return OpeningClaim */ + template static OpeningClaim reduce_verification(Commitment g1_identity, std::span> claims, - auto& transcript) + std::shared_ptr& transcript) { const size_t num_claims = claims.size(); diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp index e1ee3b92fcdf..9ef6903db264 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp @@ -336,8 +336,7 @@ template class ZeroMorphProver_ { static OpeningClaim prove(FF circuit_size, RefSpan f_polynomials, RefSpan g_polynomials, - RefSpan f_evaluations, - RefSpan g_shift_evaluations, + RefSpan multilinear_evaluations, std::span multilinear_challenge, const std::shared_ptr>& commitment_key, const std::shared_ptr& transcript, @@ -371,17 +370,20 @@ template class ZeroMorphProver_ { FF batched_evaluation{ 0 }; Polynomial f_batched(N); // batched unshifted polynomials FF batching_scalar{ 1 }; - for (auto [f_poly, f_eval] : zip_view(f_polynomials, f_evaluations)) { + size_t evaluation_idx = 0; + for (auto f_poly : f_polynomials) { f_batched.add_scaled(f_poly, batching_scalar); - batched_evaluation += batching_scalar * f_eval; + batched_evaluation += batching_scalar * multilinear_evaluations[evaluation_idx]; batching_scalar *= rho; + evaluation_idx++; } Polynomial g_batched{ N - 1, N, 1 }; // batched to-be-shifted polynomials - for (auto [g_poly, g_shift_eval] : zip_view(g_polynomials, g_shift_evaluations)) { + for (auto g_poly : g_polynomials) { g_batched.add_scaled(g_poly, batching_scalar); - batched_evaluation += batching_scalar * g_shift_eval; + batched_evaluation += batching_scalar * multilinear_evaluations[evaluation_idx]; batching_scalar *= rho; + evaluation_idx++; }; size_t num_groups = concatenation_groups.size(); @@ -722,8 +724,7 @@ template class ZeroMorphVerifier_ { static OpeningClaim verify(FF circuit_size, RefSpan unshifted_commitments, RefSpan to_be_shifted_commitments, - RefSpan unshifted_evaluations, - RefSpan shifted_evaluations, + RefSpan multilinear_evaluations, std::span multivariate_challenge, const Commitment& g1_identity, const std::shared_ptr& transcript, @@ -742,11 +743,7 @@ template class ZeroMorphVerifier_ { // Construct batched evaluation v = sum_{i=0}^{m-1}\rho^i*f_i(u) + sum_{i=0}^{l-1}\rho^{m+i}*h_i(u) FF batched_evaluation = FF(0); FF batching_scalar = FF(1); - for (auto& value : unshifted_evaluations) { - batched_evaluation += value * batching_scalar; - batching_scalar *= rho; - } - for (auto& value : shifted_evaluations) { + for (auto& value : multilinear_evaluations) { batched_evaluation += value * batching_scalar; batching_scalar *= rho; } @@ -808,4 +805,11 @@ template class ZeroMorphVerifier_ { } }; +// This is temporary +template class ZeroMorph_ { + public: + using Prover = ZeroMorphProver_; + using Verifier = ZeroMorphVerifier_; +}; + } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.test.cpp index 1f060410679b..ab793cde8be5 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.test.cpp @@ -208,13 +208,15 @@ template class ZeroMorphTest : public CommitmentTest u_challenge) { auto prover_transcript = NativeTranscript::prover_init_empty(); + std::vector multilinear_evaluations(unshifted.evaluations); + multilinear_evaluations.insert( + multilinear_evaluations.end(), shifted.evaluations.begin(), shifted.evaluations.end()); // Execute Prover protocol auto prover_opening_claim = ZeroMorphProver::prove(N, RefVector(unshifted.polynomials), // unshifted RefVector(shifted.polynomials), // to-be shifted - RefVector(unshifted.evaluations), // unshifted - RefVector(shifted.evaluations), // shifted + RefVector(multilinear_evaluations), u_challenge, this->commitment_key, prover_transcript); @@ -226,8 +228,7 @@ template class ZeroMorphTest : public CommitmentTestvk()->get_g1_identity(), verifier_transcript); @@ -235,7 +236,6 @@ template class ZeroMorphTest : public CommitmentTest>) { - result = PCS::reduce_verify(verifier_opening_claim, verifier_transcript); verified = this->vk()->pairing_check(result[0], result[1]); } else { @@ -257,6 +257,9 @@ template class ZeroMorphTest : public CommitmentTest multilinear_evaluations(unshifted.evaluations); + multilinear_evaluations.insert( + multilinear_evaluations.end(), shifted.evaluations.begin(), shifted.evaluations.end()); auto prover_transcript = NativeTranscript::prover_init_empty(); @@ -265,8 +268,7 @@ template class ZeroMorphTest : public CommitmentTestcommitment_key, prover_transcript, @@ -281,8 +283,7 @@ template class ZeroMorphTest : public CommitmentTestvk()->get_g1_identity(), verifier_transcript, diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp index bbc04a799b79..282963fb5ff5 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp @@ -1,9 +1,9 @@ +#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp" #include "barretenberg/circuit_checker/circuit_checker.hpp" #include "barretenberg/commitment_schemes/commitment_key.test.hpp" #include "barretenberg/commitment_schemes/gemini/gemini.hpp" #include "barretenberg/commitment_schemes/ipa/ipa.hpp" #include "barretenberg/commitment_schemes/kzg/kzg.hpp" -#include "barretenberg/commitment_schemes/shplonk/shplemini_verifier.hpp" #include "barretenberg/commitment_schemes/shplonk/shplonk.hpp" #include "barretenberg/srs/global_crs.hpp" #include "barretenberg/stdlib/primitives/curves/bn254.hpp" @@ -33,8 +33,7 @@ TEST(ShpleminiRecursionTest, ProveAndVerifySingle) using NativeCurve = typename Curve::NativeCurve; using NativePCS = std::conditional_t, KZG, IPA>; using CommitmentKey = typename NativePCS::CK; - using GeminiProver = GeminiProver_; - using ShplonkProver = ShplonkProver_; + using ShpleminiProver = ShpleminiProver_; using ShpleminiVerifier = ShpleminiVerifier_; using Fr = typename Curve::ScalarField; using NativeFr = typename Curve::NativeCurve::ScalarField; @@ -90,17 +89,13 @@ TEST(ShpleminiRecursionTest, ProveAndVerifySingle) // Initialize an empty NativeTranscript auto prover_transcript = NativeTranscript::prover_init_empty(); - auto prover_opening_claims = GeminiProver::prove(commitment_key, - u_challenge, - claimed_evaluations, - RefVector(f_polynomials), - RefVector(g_polynomials), - prover_transcript); - - // Shplonk prover output: - // - opening pair: (z_challenge, 0) - // - witness: polynomial Q - Q_z - ShplonkProver::prove(commitment_key, prover_opening_claims, prover_transcript); + auto prover_opening_claims = ShpleminiProver::prove(N, + RefVector(f_polynomials), + RefVector(g_polynomials), + RefVector(claimed_evaluations), + u_challenge, + commitment_key, + prover_transcript); Builder builder; StdlibProof stdlib_proof = bb::convert_proof_to_witness(&builder, prover_transcript->proof_data); diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/zeromorph.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/zeromorph.test.cpp index a31be135de53..25ed21a16717 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/zeromorph.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/zeromorph.test.cpp @@ -51,10 +51,10 @@ TEST(ZeroMorphRecursionTest, ProveAndVerifySingle) // Construct some random multilinear polynomials f_i and their evaluations v_i = f_i(u) std::vector f_polynomials; // unshifted polynomials - std::vector v_evaluations; + std::vector multilinear_evaluations; for (size_t i = 0; i < NUM_UNSHIFTED; ++i) { f_polynomials.emplace_back(Polynomial::random(N, /* starting index for shift */ 1)); - v_evaluations.emplace_back(f_polynomials[i].evaluate_mle(u_challenge)); + multilinear_evaluations.emplace_back(f_polynomials[i].evaluate_mle(u_challenge)); } // Construct some "shifted" multilinear polynomials h_i as the left-shift-by-1 of f_i std::vector g_polynomials; // to-be-shifted polynomials @@ -64,7 +64,7 @@ TEST(ZeroMorphRecursionTest, ProveAndVerifySingle) for (size_t i = 0; i < NUM_SHIFTED; ++i) { g_polynomials.emplace_back(f_polynomials[i]); h_polynomials.emplace_back(g_polynomials[i].shifted()); - w_evaluations.emplace_back(h_polynomials[i].evaluate_mle(u_challenge)); + multilinear_evaluations.emplace_back(h_polynomials[i].evaluate_mle(u_challenge)); } } @@ -88,8 +88,7 @@ TEST(ZeroMorphRecursionTest, ProveAndVerifySingle) ZeroMorphProver::prove(N, RefVector(f_polynomials), RefVector(g_polynomials), - RefVector(v_evaluations), - RefVector(w_evaluations), + RefVector(multilinear_evaluations), u_challenge, commitment_key, prover_transcript); @@ -120,8 +119,7 @@ TEST(ZeroMorphRecursionTest, ProveAndVerifySingle) }; auto stdlib_f_commitments = commitments_to_witnesses(f_commitments); auto stdlib_g_commitments = commitments_to_witnesses(g_commitments); - auto stdlib_v_evaluations = elements_to_witness(v_evaluations); - auto stdlib_w_evaluations = elements_to_witness(w_evaluations); + auto stdlib_multilinear_evaluations = elements_to_witness(multilinear_evaluations); std::vector u_challenge_in_circuit(CONST_PROOF_SIZE_LOG_N); std::fill_n(u_challenge_in_circuit.begin(), CONST_PROOF_SIZE_LOG_N, Fr::from_witness(&builder, 0)); @@ -130,12 +128,9 @@ TEST(ZeroMorphRecursionTest, ProveAndVerifySingle) [[maybe_unused]] auto opening_claim = ZeroMorphVerifier::verify(Fr::from_witness(&builder, N), RefVector(stdlib_f_commitments), // unshifted RefVector(stdlib_g_commitments), // to-be-shifted - RefVector(stdlib_v_evaluations), // unshifted - RefVector(stdlib_w_evaluations), // shifted + RefVector(stdlib_multilinear_evaluations), u_challenge_in_circuit, Commitment::one(&builder), - stdlib_verifier_transcript, - {}, - {}); + stdlib_verifier_transcript); EXPECT_TRUE(CircuitChecker::check(builder)); } diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp index 76a64e54fd64..92cc3e005c7f 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp @@ -119,15 +119,13 @@ void ECCVMProver::execute_pcs_rounds() // Execute the ZeroMorph protocol to produce a univariate opening claim for the multilinear evaluations produced by // Sumcheck - auto multivariate_to_univariate_opening_claim = - ZeroMorph::prove(key->circuit_size, - key->polynomials.get_unshifted(), - key->polynomials.get_to_be_shifted(), - sumcheck_output.claimed_evaluations.get_unshifted(), - sumcheck_output.claimed_evaluations.get_shifted(), - sumcheck_output.challenge, - commitment_key, - transcript); + auto multivariate_to_univariate_opening_claim = ZeroMorph::prove(key->circuit_size, + key->polynomials.get_unshifted(), + key->polynomials.get_to_be_shifted(), + sumcheck_output.claimed_evaluations.get_all(), + sumcheck_output.challenge, + commitment_key, + transcript); // Batch open the transcript polynomials as univariates for Translator consistency check. Since IPA cannot // currently handle polynomials for which the latter half of the coefficients are 0, we hackily diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp index 26bd5ac6ce61..ffaf81848d46 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp @@ -64,8 +64,7 @@ bool ECCVMVerifier::verify_proof(const HonkProof& proof) auto multivariate_to_univariate_opening_claim = ZeroMorph::verify(circuit_size, commitments.get_unshifted(), commitments.get_to_be_shifted(), - claimed_evaluations.get_unshifted(), - claimed_evaluations.get_shifted(), + claimed_evaluations.get_all(), multivariate_challenge, key->pcs_verification_key->get_g1_identity(), transcript); diff --git a/barretenberg/cpp/src/barretenberg/execution_trace/execution_trace.cpp b/barretenberg/cpp/src/barretenberg/execution_trace/execution_trace.cpp index 70146181fccb..f3f54b8eaecf 100644 --- a/barretenberg/cpp/src/barretenberg/execution_trace/execution_trace.cpp +++ b/barretenberg/cpp/src/barretenberg/execution_trace/execution_trace.cpp @@ -4,6 +4,7 @@ #include "barretenberg/stdlib_circuit_builders/mega_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_keccak_flavor.hpp" +#include "barretenberg/stdlib_circuit_builders/ultra_keccak_with_gemini_flavor.hpp" namespace bb { template @@ -149,6 +150,7 @@ void ExecutionTrace_::add_ecc_op_wires_to_proving_key(Builder& builder, template class ExecutionTrace_; template class ExecutionTrace_; +template class ExecutionTrace_; template class ExecutionTrace_; template class ExecutionTrace_; template class ExecutionTrace_; diff --git a/barretenberg/cpp/src/barretenberg/flavor/flavor.hpp b/barretenberg/cpp/src/barretenberg/flavor/flavor.hpp index cc443d58fa6d..cbcffa46d04e 100644 --- a/barretenberg/cpp/src/barretenberg/flavor/flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/flavor/flavor.hpp @@ -328,6 +328,7 @@ class UltraFlavor; class UltraFlavorWithZK; class ECCVMFlavor; class UltraKeccakFlavor; +class UltraKeccakWithGeminiFlavor; class MegaFlavor; class TranslatorFlavor; class AvmFlavor; @@ -358,16 +359,16 @@ template concept IsPlonkFlavor = IsAnyOf; template -concept IsUltraPlonkFlavor = IsAnyOf; +concept IsUltraPlonkFlavor = IsAnyOf; template -concept IsUltraPlonkOrHonk = IsAnyOf; +concept IsUltraPlonkOrHonk = IsAnyOf; template -concept IsHonkFlavor = IsAnyOf; +concept IsHonkFlavor = IsAnyOf; template -concept IsUltraFlavor = IsAnyOf; +concept IsUltraFlavor = IsAnyOf; template concept IsGoblinFlavor = IsAnyOf concept IsGrumpkinFlavor = IsAnyOf; template concept IsFoldingFlavor = IsAnyOf, diff --git a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp index eeb04cddc997..5b0ceba14acf 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp @@ -75,8 +75,7 @@ template void ECCVMRecursiveVerifier_::verify_proof(co auto multivariate_to_univariate_opening_claim = ZeroMorph::verify(circuit_size, commitments.get_unshifted(), commitments.get_to_be_shifted(), - claimed_evaluations.get_unshifted(), - claimed_evaluations.get_shifted(), + claimed_evaluations.get_all(), multivariate_challenge, key->pcs_verification_key->get_g1_identity(), transcript); diff --git a/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/decider_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/decider_recursive_verifier.cpp index 96cc81cd8599..871d4a569d67 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/decider_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/decider_recursive_verifier.cpp @@ -35,8 +35,7 @@ std::array DeciderRecursiveVerifier_:: auto opening_claim = ZeroMorph::verify(accumulator->verification_key->circuit_size, commitments.get_unshifted(), commitments.get_to_be_shifted(), - claimed_evaluations.get_unshifted(), - claimed_evaluations.get_shifted(), + claimed_evaluations.get_all(), multivariate_challenge, Commitment::one(builder), transcript); diff --git a/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.cpp index a728f3e3f7ed..302c81c8dc9d 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.cpp @@ -95,8 +95,7 @@ UltraRecursiveVerifier_::AggregationObject UltraRecursiveVerifier_circuit_size, commitments.get_unshifted(), commitments.get_to_be_shifted(), - claimed_evaluations.get_unshifted(), - claimed_evaluations.get_shifted(), + claimed_evaluations.get_all(), multivariate_challenge, Commitment::one(builder), transcript); diff --git a/barretenberg/cpp/src/barretenberg/stdlib/primitives/circuit_builders/circuit_builders_fwd.hpp b/barretenberg/cpp/src/barretenberg/stdlib/primitives/circuit_builders/circuit_builders_fwd.hpp index c3ea08590fdb..45f4c61d0bed 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/primitives/circuit_builders/circuit_builders_fwd.hpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/primitives/circuit_builders/circuit_builders_fwd.hpp @@ -13,6 +13,7 @@ namespace bb { class StandardFlavor; class UltraFlavor; class UltraKeccakFlavor; +class UltraKeccakWithGeminiFlavor; class Bn254FrParams; class Bn254FqParams; diff --git a/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp index 234122e1ec32..8ecfb904450a 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp @@ -1,3 +1,4 @@ + #include "./translator_recursive_verifier.hpp" #include "barretenberg/commitment_schemes/zeromorph/zeromorph.hpp" #include "barretenberg/common/throw_or_abort.hpp" @@ -120,8 +121,7 @@ std::array TranslatorRecursiveVerifier_; using PCS = KZG; using Polynomial = bb::Polynomial; using CommitmentKey = bb::CommitmentKey; diff --git a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_flavor.hpp b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_flavor.hpp index fe5dbe526c99..114bd2c7eb43 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_flavor.hpp @@ -1,5 +1,6 @@ #pragma once #include "barretenberg/commitment_schemes/kzg/kzg.hpp" +#include "barretenberg/commitment_schemes/zeromorph/zeromorph.hpp" #include "barretenberg/ecc/curves/bn254/g1.hpp" #include "barretenberg/flavor/flavor.hpp" #include "barretenberg/flavor/flavor_macros.hpp" @@ -30,6 +31,7 @@ class UltraFlavor { using FF = Curve::ScalarField; using GroupElement = Curve::Element; using Commitment = Curve::AffineElement; + using BatchedMultilinearEvaluationScheme = ZeroMorph_; using PCS = KZG; using Polynomial = bb::Polynomial; using CommitmentKey = bb::CommitmentKey; diff --git a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_keccak_with_gemini_flavor.hpp b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_keccak_with_gemini_flavor.hpp new file mode 100644 index 000000000000..db8c5c47f0c7 --- /dev/null +++ b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_keccak_with_gemini_flavor.hpp @@ -0,0 +1,11 @@ +#pragma once +#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp" +#include "barretenberg/stdlib_circuit_builders/ultra_keccak_flavor.hpp" +namespace bb { + +class UltraKeccakWithGeminiFlavor : public bb::UltraKeccakFlavor { + public: + using Curve = bb::UltraKeccakFlavor::Curve; + using BatchedMultilinearEvaluationScheme = Shplemini_; +}; +} // namespace bb \ No newline at end of file diff --git a/barretenberg/cpp/src/barretenberg/translator_vm/translator_flavor.hpp b/barretenberg/cpp/src/barretenberg/translator_vm/translator_flavor.hpp index 205d0dd98536..1086d4b20bf2 100644 --- a/barretenberg/cpp/src/barretenberg/translator_vm/translator_flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/translator_vm/translator_flavor.hpp @@ -683,6 +683,8 @@ class TranslatorFlavor { this->ordered_range_constraints_4 }; }; + auto get_all_without_concatenated() { return concatenate(get_unshifted_without_concatenated(), get_shifted()); } + // Gemini-specific getters. auto get_unshifted() { diff --git a/barretenberg/cpp/src/barretenberg/translator_vm/translator_prover.cpp b/barretenberg/cpp/src/barretenberg/translator_vm/translator_prover.cpp index b172d003f774..42b6e6f1cce0 100644 --- a/barretenberg/cpp/src/barretenberg/translator_vm/translator_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/translator_vm/translator_prover.cpp @@ -176,18 +176,16 @@ void TranslatorProver::execute_pcs_rounds() { using Curve = typename Flavor::Curve; using ZeroMorph = ZeroMorphProver_; - auto prover_opening_claim = - ZeroMorph::prove(key->circuit_size, - key->polynomials.get_unshifted_without_concatenated(), - key->polynomials.get_to_be_shifted(), - sumcheck_output.claimed_evaluations.get_unshifted_without_concatenated(), - sumcheck_output.claimed_evaluations.get_shifted(), - sumcheck_output.challenge, - commitment_key, - transcript, - key->polynomials.get_concatenated_constraints(), - sumcheck_output.claimed_evaluations.get_concatenated_constraints(), - key->polynomials.get_concatenation_groups()); + auto prover_opening_claim = ZeroMorph::prove(key->circuit_size, + key->polynomials.get_unshifted_without_concatenated(), + key->polynomials.get_to_be_shifted(), + sumcheck_output.claimed_evaluations.get_all(), + sumcheck_output.challenge, + commitment_key, + transcript, + key->polynomials.get_concatenated_constraints(), + sumcheck_output.claimed_evaluations.get_concatenated_constraints(), + key->polynomials.get_concatenation_groups()); PCS::compute_opening_proof(commitment_key, prover_opening_claim, transcript); } diff --git a/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp b/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp index 59429a359275..894db1bd9f94 100644 --- a/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp @@ -116,8 +116,7 @@ bool TranslatorVerifier::verify_proof(const HonkProof& proof) auto opening_claim = ZeroMorph::verify(circuit_size, commitments.get_unshifted_without_concatenated(), commitments.get_to_be_shifted(), - claimed_evaluations.get_unshifted_without_concatenated(), - claimed_evaluations.get_shifted(), + claimed_evaluations.get_all_without_concatenated(), multivariate_challenge, Commitment::one(), transcript, diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp index 5d8defd5036e..6eb5004ac84b 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp @@ -47,15 +47,14 @@ template void DeciderProver_::execute_relation_ch * */ template void DeciderProver_::execute_pcs_rounds() { - using ZeroMorph = ZeroMorphProver_; - auto prover_opening_claim = ZeroMorph::prove(proving_key->proving_key.circuit_size, - proving_key->proving_key.polynomials.get_unshifted(), - proving_key->proving_key.polynomials.get_to_be_shifted(), - sumcheck_output.claimed_evaluations.get_unshifted(), - sumcheck_output.claimed_evaluations.get_shifted(), - sumcheck_output.challenge, - commitment_key, - transcript); + using Prover = Flavor::BatchedMultilinearEvaluationScheme::Prover; + auto prover_opening_claim = Prover::prove(proving_key->proving_key.circuit_size, + proving_key->proving_key.polynomials.get_unshifted(), + proving_key->proving_key.polynomials.get_to_be_shifted(), + sumcheck_output.claimed_evaluations.get_all(), + sumcheck_output.challenge, + commitment_key, + transcript); PCS::compute_opening_proof(commitment_key, prover_opening_claim, transcript); } @@ -81,6 +80,7 @@ template HonkProof DeciderProver_::construct_proo template class DeciderProver_; template class DeciderProver_; +template class DeciderProver_; template class DeciderProver_; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.hpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.hpp index c85a9520d47c..854b64ab3f7b 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.hpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.hpp @@ -4,6 +4,7 @@ #include "barretenberg/relations/relation_parameters.hpp" #include "barretenberg/stdlib_circuit_builders/mega_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_flavor.hpp" +#include "barretenberg/stdlib_circuit_builders/ultra_keccak_with_gemini_flavor.hpp" #include "barretenberg/sumcheck/sumcheck_output.hpp" #include "barretenberg/transcript/transcript.hpp" #include "barretenberg/ultra_honk/decider_proving_key.hpp" diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_proving_key.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_proving_key.cpp index 1dcdaad737b2..2f0519bfa14c 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_proving_key.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_proving_key.cpp @@ -82,6 +82,7 @@ void DeciderProvingKey_::construct_databus_polynomials(Circuit& circuit) template class DeciderProvingKey_; template class DeciderProvingKey_; +template class DeciderProvingKey_; template class DeciderProvingKey_; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_proving_key.hpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_proving_key.hpp index fa2e344b5a3f..ad94c467a988 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_proving_key.hpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_proving_key.hpp @@ -9,6 +9,7 @@ #include "barretenberg/stdlib_circuit_builders/mega_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_keccak_flavor.hpp" +#include "barretenberg/stdlib_circuit_builders/ultra_keccak_with_gemini_flavor.hpp" namespace bb { /** diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.cpp index 8fb81f8749c6..b9e2687bf095 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.cpp @@ -36,8 +36,8 @@ template bool DeciderVerifier_::verify_proof(const Dec template bool DeciderVerifier_::verify() { using PCS = typename Flavor::PCS; - using Curve = typename Flavor::Curve; - using ZeroMorph = ZeroMorphVerifier_; + // using Curve = typename Flavor::Curve; + using Verifier = Flavor::BatchedMultilinearEvaluationScheme::Verifier; using VerifierCommitments = typename Flavor::VerifierCommitments; VerifierCommitments commitments{ accumulator->verification_key, accumulator->witness_commitments }; @@ -56,14 +56,13 @@ template bool DeciderVerifier_::verify() // Execute ZeroMorph rounds. See https://hackmd.io/dlf9xEwhTQyE3hiGbq4FsA?view for a complete description of the // unrolled protocol. - auto opening_claim = ZeroMorph::verify(accumulator->verification_key->circuit_size, - commitments.get_unshifted(), - commitments.get_to_be_shifted(), - claimed_evaluations.get_unshifted(), - claimed_evaluations.get_shifted(), - multivariate_challenge, - Commitment::one(), - transcript); + auto opening_claim = Verifier::verify(accumulator->verification_key->circuit_size, + commitments.get_unshifted(), + commitments.get_to_be_shifted(), + claimed_evaluations.get_all(), + multivariate_challenge, + Commitment::one(), + transcript); auto pairing_points = PCS::reduce_verify(opening_claim, transcript); auto verified = pcs_verification_key->pairing_check(pairing_points[0], pairing_points[1]); @@ -73,6 +72,7 @@ template bool DeciderVerifier_::verify() template class DeciderVerifier_; template class DeciderVerifier_; +template class DeciderVerifier_; template class DeciderVerifier_; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.cpp index 26e0f1cca5af..d2aa66e2b692 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.cpp @@ -220,6 +220,7 @@ template typename Flavor::RelationSeparator OinkProver; template class OinkProver; +template class OinkProver; template class OinkProver; } // namespace bb \ No newline at end of file diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.hpp b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.hpp index e252f7d904df..67834691ca74 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.hpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.hpp @@ -22,6 +22,7 @@ #include "barretenberg/stdlib_circuit_builders/mega_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_keccak_flavor.hpp" +#include "barretenberg/stdlib_circuit_builders/ultra_keccak_with_gemini_flavor.hpp" #include "barretenberg/transcript/transcript.hpp" #include "barretenberg/ultra_honk/decider_proving_key.hpp" diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.cpp index 227fa145a44c..6d18e3e74bcb 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.cpp @@ -157,6 +157,7 @@ template typename Flavor::RelationSeparator OinkVerifier< template class OinkVerifier; template class OinkVerifier; +template class OinkVerifier; template class OinkVerifier; } // namespace bb \ No newline at end of file diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.hpp b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.hpp index fab7bcdff19d..4a3a48053026 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.hpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.hpp @@ -6,6 +6,7 @@ #include "barretenberg/stdlib_circuit_builders/mega_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_keccak_flavor.hpp" +#include "barretenberg/stdlib_circuit_builders/ultra_keccak_with_gemini_flavor.hpp" #include "barretenberg/ultra_honk/decider_verification_key.hpp" namespace bb { diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_honk.test.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_honk.test.cpp index 62dfe74c9c1e..3381db58fb29 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_honk.test.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_honk.test.cpp @@ -47,7 +47,7 @@ template class UltraHonkTests : public ::testing::Test { static void SetUpTestSuite() { bb::srs::init_crs_factory("../srs_db/ignition"); } }; -using FlavorTypes = testing::Types; +using FlavorTypes = testing::Types; TYPED_TEST_SUITE(UltraHonkTests, FlavorTypes); /** diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.cpp index 2470b6a1c15d..7f7cb2f078bd 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.cpp @@ -61,5 +61,6 @@ template HonkProof UltraProver_::construct_proof( template class UltraProver_; template class UltraProver_; template class UltraProver_; +template class UltraProver_; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.hpp b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.hpp index 6ab19509eb65..31f92818d352 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.hpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.hpp @@ -4,6 +4,7 @@ #include "barretenberg/relations/relation_parameters.hpp" #include "barretenberg/stdlib_circuit_builders/mega_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_flavor.hpp" +#include "barretenberg/stdlib_circuit_builders/ultra_keccak_with_gemini_flavor.hpp" #include "barretenberg/sumcheck/sumcheck_output.hpp" #include "barretenberg/transcript/transcript.hpp" #include "barretenberg/ultra_honk/decider_proving_key.hpp" diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_verifier.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_verifier.cpp index 6bd5b3fc3f19..e6689259a3e8 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_verifier.cpp @@ -30,6 +30,7 @@ template bool UltraVerifier_::verify_proof(const HonkP template class UltraVerifier_; template class UltraVerifier_; +template class UltraVerifier_; template class UltraVerifier_; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/vm/avm/generated/prover.cpp b/barretenberg/cpp/src/barretenberg/vm/avm/generated/prover.cpp index 488bf1fc4b31..42fcce31b73d 100644 --- a/barretenberg/cpp/src/barretenberg/vm/avm/generated/prover.cpp +++ b/barretenberg/cpp/src/barretenberg/vm/avm/generated/prover.cpp @@ -130,8 +130,7 @@ void AvmProver::execute_pcs_rounds() auto prover_opening_claim = ZeroMorph::prove(key->circuit_size, prover_polynomials.get_unshifted(), prover_polynomials.get_to_be_shifted(), - sumcheck_output.claimed_evaluations.get_unshifted(), - sumcheck_output.claimed_evaluations.get_shifted(), + sumcheck_output.claimed_evaluations.get_all(), sumcheck_output.challenge, commitment_key, transcript); diff --git a/barretenberg/cpp/src/barretenberg/vm/avm/generated/verifier.cpp b/barretenberg/cpp/src/barretenberg/vm/avm/generated/verifier.cpp index bd132af86f62..c9295321a278 100644 --- a/barretenberg/cpp/src/barretenberg/vm/avm/generated/verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/vm/avm/generated/verifier.cpp @@ -140,8 +140,7 @@ bool AvmVerifier::verify_proof(const HonkProof& proof, auto opening_claim = ZeroMorph::verify(circuit_size, commitments.get_unshifted(), commitments.get_to_be_shifted(), - claimed_evaluations.get_unshifted(), - claimed_evaluations.get_shifted(), + claimed_evaluations.get_all(), multivariate_challenge, key->pcs_verification_key->get_g1_identity(), transcript); diff --git a/barretenberg/cpp/src/barretenberg/vm/avm/recursion/avm_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/vm/avm/recursion/avm_recursive_verifier.cpp index 9148e568668c..a8fd0916fa1c 100644 --- a/barretenberg/cpp/src/barretenberg/vm/avm/recursion/avm_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/vm/avm/recursion/avm_recursive_verifier.cpp @@ -85,8 +85,7 @@ AvmRecursiveVerifier_::AggregationObject AvmRecursiveVerifier_:: auto opening_claim = Zeromorph::verify(circuit_size, commitments.get_unshifted(), commitments.get_to_be_shifted(), - claimed_evaluations.get_unshifted(), - claimed_evaluations.get_shifted(), + claimed_evaluations.get_all(), multivariate_challenge, Commitment::one(builder), transcript); diff --git a/bb-pilcom/bb-pil-backend/templates/prover.cpp.hbs b/bb-pilcom/bb-pil-backend/templates/prover.cpp.hbs index c8eada2e5062..8cf91ca2c2f4 100644 --- a/bb-pilcom/bb-pil-backend/templates/prover.cpp.hbs +++ b/bb-pilcom/bb-pil-backend/templates/prover.cpp.hbs @@ -131,8 +131,7 @@ void {{name}}Prover::execute_pcs_rounds() auto prover_opening_claim = ZeroMorph::prove(key->circuit_size, prover_polynomials.get_unshifted(), prover_polynomials.get_to_be_shifted(), - sumcheck_output.claimed_evaluations.get_unshifted(), - sumcheck_output.claimed_evaluations.get_shifted(), + sumcheck_output.claimed_evaluations.get_all(), sumcheck_output.challenge, commitment_key, transcript); diff --git a/bb-pilcom/bb-pil-backend/templates/verifier.cpp.hbs b/bb-pilcom/bb-pil-backend/templates/verifier.cpp.hbs index dbb2ad78685e..fb977f1b586c 100644 --- a/bb-pilcom/bb-pil-backend/templates/verifier.cpp.hbs +++ b/bb-pilcom/bb-pil-backend/templates/verifier.cpp.hbs @@ -119,8 +119,7 @@ bool {{name}}Verifier::verify_proof(const HonkProof& proof, [[maybe_unused]] con auto opening_claim = ZeroMorph::verify(circuit_size, commitments.get_unshifted(), commitments.get_to_be_shifted(), - claimed_evaluations.get_unshifted(), - claimed_evaluations.get_shifted(), + claimed_evaluations.get_all(), multivariate_challenge, key->pcs_verification_key->get_g1_identity(), transcript); From a40cba3b061c94ea28f36e11c13a19d3dbc391c4 Mon Sep 17 00:00:00 2001 From: maramihali Date: Fri, 20 Sep 2024 11:41:06 +0000 Subject: [PATCH 08/31] get rid of a separate flavor, will just delete zm from the contract, something still makes proof not verify --- .../commitment_schemes/gemini/gemini.hpp | 2 +- .../commitment_schemes/ipa/ipa.test.cpp | 2 +- .../commitment_schemes/kzg/kzg.test.cpp | 16 +++---- .../commitment_schemes/shplonk/shplemini.hpp | 47 +++---------------- .../shplonk/shplemini.test.cpp | 6 +-- .../zeromorph/zeromorph.hpp | 7 --- .../shplemini.test.cpp | 2 +- .../execution_trace/execution_trace.cpp | 2 - .../cpp/src/barretenberg/flavor/flavor.hpp | 10 ++-- .../circuit_builders/circuit_builders_fwd.hpp | 1 - .../stdlib_circuit_builders/mega_flavor.hpp | 1 - .../stdlib_circuit_builders/ultra_flavor.hpp | 1 - .../ultra_keccak_with_gemini_flavor.hpp | 11 ----- .../barretenberg/transcript/transcript.hpp | 2 +- .../ultra_honk/decider_prover.cpp | 19 ++++---- .../ultra_honk/decider_prover.hpp | 2 +- .../ultra_honk/decider_proving_key.cpp | 1 - .../ultra_honk/decider_proving_key.hpp | 1 - .../ultra_honk/decider_verifier.cpp | 36 +++++++++----- .../ultra_honk/decider_verifier.hpp | 1 + .../barretenberg/ultra_honk/oink_prover.cpp | 1 - .../barretenberg/ultra_honk/oink_prover.hpp | 1 - .../barretenberg/ultra_honk/oink_verifier.cpp | 1 - .../barretenberg/ultra_honk/oink_verifier.hpp | 1 - .../ultra_honk/ultra_honk.test.cpp | 2 +- .../barretenberg/ultra_honk/ultra_prover.cpp | 1 - .../barretenberg/ultra_honk/ultra_prover.hpp | 1 - .../ultra_honk/ultra_verifier.cpp | 1 - 28 files changed, 63 insertions(+), 116 deletions(-) delete mode 100644 barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_keccak_with_gemini_flavor.hpp diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp index ce0fa0e2e91f..ea90f07cb82b 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp @@ -213,7 +213,7 @@ template class GeminiVerifier_ { { std::vector gemini_evaluations; gemini_evaluations.reserve(log_circuit_size); - for (size_t i = 0; i < log_circuit_size; ++i) { + for (size_t i = 1; i <= log_circuit_size; ++i) { const Fr evaluation = transcript->template receive_from_prover("Gemini:a_" + std::to_string(i)); gemini_evaluations.emplace_back(evaluation); } diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp index d41af0eefb3c..0b1fec24c903 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp @@ -336,7 +336,7 @@ TEST_F(IPATest, ShpleminiIPAWithShift) auto verifier_transcript = NativeTranscript::verifier_init_empty(prover_transcript); - const auto batch_opening_claim = ShpleminiVerifier::compute_batch_opening_claim(log_n, + const auto batch_opening_claim = ShpleminiVerifier::compute_batch_opening_claim(n, RefVector(unshifted_commitments), RefVector(shifted_commitments), RefVector(multilinear_evaluations), diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp index 87278deef5d3..10230931c1a9 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp @@ -193,14 +193,14 @@ TYPED_TEST(KZGTest, ShpleminiKzgWithShift) // Gemini verifier output: // - claim: d+1 commitments to Fold_{r}^(0), Fold_{-r}^(0), Fold^(l), d+1 evaluations a_0_pos, a_l, l = 0:d-1 - const auto batch_opening_claim = ShpleminiVerifier::verify(log_n, - RefVector(unshifted_commitments), - RefVector(shifted_commitments), - RefVector(multilinear_evaluations), - mle_opening_point, - this->vk()->get_g1_identity(), - verifier_transcript); - const auto pairing_points = KZG::reduce_verify(batch_opening_claim, verifier_transcript); + const auto batch_opening_claim = ShpleminiVerifier::compute_batch_opening_claim(n, + RefVector(unshifted_commitments), + RefVector(shifted_commitments), + RefVector(multilinear_evaluations), + mle_opening_point, + this->vk()->get_g1_identity(), + verifier_transcript); + const auto pairing_points = KZG::reduce_verify_batch_opening_claim(batch_opening_claim, verifier_transcript); // Final pairing check: e([Q] - [Q_z] + z[W], [1]_2) = e([W], [x]_2) EXPECT_EQ(this->vk()->pairing_check(pairing_points[0], pairing_points[1]), true); diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp index 071ec824f1d8..8d4edab4ce82 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp @@ -104,38 +104,7 @@ template class ShpleminiVerifier_ { public: template - static OpeningClaim verify(const Fr circuit_size, - RefSpan unshifted_commitments, - RefSpan shifted_commitments, - RefSpan claimed_evaluations, - const std::vector& multivariate_challenge, - const Commitment& g1_identity, - std::shared_ptr& transcript) - { - Fr log_N = numeric::get_msb(static_cast(circuit_size)); - - BatchOpeningClaim batch_opening_claim = compute_batch_opening_claim(log_N, - unshifted_commitments, - shifted_commitments, - claimed_evaluations, - multivariate_challenge, - g1_identity, - transcript); - - GroupElement commitment; - if constexpr (Curve::is_stdlib_type) { - commitment = GroupElement::batch_mul(batch_opening_claim.commitments, - batch_opening_claim.scalars, - /*max_num_bits=*/0, - /*with_edgecases=*/true); - } else { - commitment = batch_mul_native(batch_opening_claim.commitments, batch_opening_claim.scalars); - } - - return { { batch_opening_claim.evaluation_point, Fr(0) }, commitment }; - } - template - static BatchOpeningClaim compute_batch_opening_claim(const Fr log_N, + static BatchOpeningClaim compute_batch_opening_claim(const Fr N, RefSpan unshifted_commitments, RefSpan shifted_commitments, RefSpan claimed_evaluations, @@ -143,13 +112,16 @@ template class ShpleminiVerifier_ { const Commitment& g1_identity, std::shared_ptr& transcript) { + // Extract log_circuit_size size_t log_circuit_size{ 0 }; + info(N); if constexpr (Curve::is_stdlib_type) { - log_circuit_size = static_cast(log_N.get_value()); + log_circuit_size = numeric::get_msb(static_cast(N.get_value())); } else { - log_circuit_size = static_cast(log_N); + log_circuit_size = numeric::get_msb(static_cast(N)); } + info(log_circuit_size); // Get the challenge ρ to batch commitments to multilinear polynomials and their shifts const Fr multivariate_batching_challenge = transcript->template get_challenge("rho"); @@ -381,11 +353,4 @@ template class ShpleminiVerifier_ { } }; -// TODO: temporary hack -template class Shplemini_ { - public: - using Prover = ShpleminiProver_; - using Verifier = ShpleminiVerifier_; -}; - } // namespace bb \ No newline at end of file diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp index f71245ed4072..9edded91b10c 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp @@ -165,7 +165,7 @@ TYPED_TEST(ShpleminiTest, CorrectnessOfGeminiClaimBatching) // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1 // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1 auto fold_polynomials = GeminiProver::compute_fold_polynomials( - mle_opening_point, std::move(batched_unshifted), std::move(batched_to_be_shifted)); + log_n, mle_opening_point, std::move(batched_unshifted), std::move(batched_to_be_shifted)); std::vector prover_commitments; for (size_t l = 0; l < log_n - 1; ++l) { @@ -173,8 +173,8 @@ TYPED_TEST(ShpleminiTest, CorrectnessOfGeminiClaimBatching) prover_commitments.emplace_back(commitment); } - const auto opening_claims = GeminiProver::compute_fold_polynomial_evaluations( - mle_opening_point, std::move(fold_polynomials), gemini_eval_challenge); + const auto opening_claims = + GeminiProver::compute_fold_polynomial_evaluations(log_n, std::move(fold_polynomials), gemini_eval_challenge); std::vector prover_evaluations; for (size_t l = 0; l < log_n; ++l) { diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp index 9ef6903db264..2511f2cd5229 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp @@ -805,11 +805,4 @@ template class ZeroMorphVerifier_ { } }; -// This is temporary -template class ZeroMorph_ { - public: - using Prover = ZeroMorphProver_; - using Verifier = ZeroMorphVerifier_; -}; - } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp index 282963fb5ff5..ae75f6c71f99 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp @@ -128,7 +128,7 @@ TEST(ShpleminiRecursionTest, ProveAndVerifySingle) std::vector u_challenge_in_circuit = elements_to_witness(u_challenge); [[maybe_unused]] auto opening_claim = - ShpleminiVerifier::compute_batch_opening_claim(Fr::from_witness(&builder, log_circuit_size), + ShpleminiVerifier::compute_batch_opening_claim(Fr::from_witness(&builder, circuit_size), RefVector(stdlib_f_commitments), RefVector(stdlib_g_commitments), RefVector(stdlib_claimed_evaluations), diff --git a/barretenberg/cpp/src/barretenberg/execution_trace/execution_trace.cpp b/barretenberg/cpp/src/barretenberg/execution_trace/execution_trace.cpp index f3f54b8eaecf..70146181fccb 100644 --- a/barretenberg/cpp/src/barretenberg/execution_trace/execution_trace.cpp +++ b/barretenberg/cpp/src/barretenberg/execution_trace/execution_trace.cpp @@ -4,7 +4,6 @@ #include "barretenberg/stdlib_circuit_builders/mega_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_keccak_flavor.hpp" -#include "barretenberg/stdlib_circuit_builders/ultra_keccak_with_gemini_flavor.hpp" namespace bb { template @@ -150,7 +149,6 @@ void ExecutionTrace_::add_ecc_op_wires_to_proving_key(Builder& builder, template class ExecutionTrace_; template class ExecutionTrace_; -template class ExecutionTrace_; template class ExecutionTrace_; template class ExecutionTrace_; template class ExecutionTrace_; diff --git a/barretenberg/cpp/src/barretenberg/flavor/flavor.hpp b/barretenberg/cpp/src/barretenberg/flavor/flavor.hpp index cbcffa46d04e..e150eff27721 100644 --- a/barretenberg/cpp/src/barretenberg/flavor/flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/flavor/flavor.hpp @@ -328,7 +328,6 @@ class UltraFlavor; class UltraFlavorWithZK; class ECCVMFlavor; class UltraKeccakFlavor; -class UltraKeccakWithGeminiFlavor; class MegaFlavor; class TranslatorFlavor; class AvmFlavor; @@ -359,16 +358,16 @@ template concept IsPlonkFlavor = IsAnyOf; template -concept IsUltraPlonkFlavor = IsAnyOf; +concept IsUltraPlonkFlavor = IsAnyOf; template -concept IsUltraPlonkOrHonk = IsAnyOf; +concept IsUltraPlonkOrHonk = IsAnyOf; template -concept IsHonkFlavor = IsAnyOf; +concept IsHonkFlavor = IsAnyOf; template -concept IsUltraFlavor = IsAnyOf; +concept IsUltraFlavor = IsAnyOf; template concept IsGoblinFlavor = IsAnyOf concept IsGrumpkinFlavor = IsAnyOf; template concept IsFoldingFlavor = IsAnyOf, diff --git a/barretenberg/cpp/src/barretenberg/stdlib/primitives/circuit_builders/circuit_builders_fwd.hpp b/barretenberg/cpp/src/barretenberg/stdlib/primitives/circuit_builders/circuit_builders_fwd.hpp index 45f4c61d0bed..c3ea08590fdb 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/primitives/circuit_builders/circuit_builders_fwd.hpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/primitives/circuit_builders/circuit_builders_fwd.hpp @@ -13,7 +13,6 @@ namespace bb { class StandardFlavor; class UltraFlavor; class UltraKeccakFlavor; -class UltraKeccakWithGeminiFlavor; class Bn254FrParams; class Bn254FqParams; diff --git a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/mega_flavor.hpp b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/mega_flavor.hpp index 1b315f2b2b6a..0863d32932b0 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/mega_flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/mega_flavor.hpp @@ -32,7 +32,6 @@ class MegaFlavor { using FF = Curve::ScalarField; using GroupElement = Curve::Element; using Commitment = Curve::AffineElement; - using BatchedMultilinearEvaluationScheme = ZeroMorph_; using PCS = KZG; using Polynomial = bb::Polynomial; using CommitmentKey = bb::CommitmentKey; diff --git a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_flavor.hpp b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_flavor.hpp index 114bd2c7eb43..de5c6cf50756 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_flavor.hpp @@ -31,7 +31,6 @@ class UltraFlavor { using FF = Curve::ScalarField; using GroupElement = Curve::Element; using Commitment = Curve::AffineElement; - using BatchedMultilinearEvaluationScheme = ZeroMorph_; using PCS = KZG; using Polynomial = bb::Polynomial; using CommitmentKey = bb::CommitmentKey; diff --git a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_keccak_with_gemini_flavor.hpp b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_keccak_with_gemini_flavor.hpp deleted file mode 100644 index db8c5c47f0c7..000000000000 --- a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_keccak_with_gemini_flavor.hpp +++ /dev/null @@ -1,11 +0,0 @@ -#pragma once -#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp" -#include "barretenberg/stdlib_circuit_builders/ultra_keccak_flavor.hpp" -namespace bb { - -class UltraKeccakWithGeminiFlavor : public bb::UltraKeccakFlavor { - public: - using Curve = bb::UltraKeccakFlavor::Curve; - using BatchedMultilinearEvaluationScheme = Shplemini_; -}; -} // namespace bb \ No newline at end of file diff --git a/barretenberg/cpp/src/barretenberg/transcript/transcript.hpp b/barretenberg/cpp/src/barretenberg/transcript/transcript.hpp index 06f69bdcb131..6eb811942374 100644 --- a/barretenberg/cpp/src/barretenberg/transcript/transcript.hpp +++ b/barretenberg/cpp/src/barretenberg/transcript/transcript.hpp @@ -1,6 +1,6 @@ #pragma once // #define LOG_CHALLENGES -// #define LOG_INTERACTIONS +#define LOG_INTERACTIONS #include "barretenberg/common/debug_log.hpp" #include "barretenberg/ecc/curves/bn254/fr.hpp" diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp index 6eb5004ac84b..71c094cfb554 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp @@ -47,14 +47,16 @@ template void DeciderProver_::execute_relation_ch * */ template void DeciderProver_::execute_pcs_rounds() { - using Prover = Flavor::BatchedMultilinearEvaluationScheme::Prover; - auto prover_opening_claim = Prover::prove(proving_key->proving_key.circuit_size, - proving_key->proving_key.polynomials.get_unshifted(), - proving_key->proving_key.polynomials.get_to_be_shifted(), - sumcheck_output.claimed_evaluations.get_all(), - sumcheck_output.challenge, - commitment_key, - transcript); + using BatchedMultivariateOpeningScheme = + std::conditional_t, ShpleminiProver_, ZeroMorphProver_>; + auto prover_opening_claim = + BatchedMultivariateOpeningScheme::prove(proving_key->proving_key.circuit_size, + proving_key->proving_key.polynomials.get_unshifted(), + proving_key->proving_key.polynomials.get_to_be_shifted(), + sumcheck_output.claimed_evaluations.get_all(), + sumcheck_output.challenge, + commitment_key, + transcript); PCS::compute_opening_proof(commitment_key, prover_opening_claim, transcript); } @@ -80,7 +82,6 @@ template HonkProof DeciderProver_::construct_proo template class DeciderProver_; template class DeciderProver_; -template class DeciderProver_; template class DeciderProver_; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.hpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.hpp index 854b64ab3f7b..05edb01d22ab 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.hpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.hpp @@ -1,10 +1,10 @@ #pragma once +#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp" #include "barretenberg/commitment_schemes/zeromorph/zeromorph.hpp" #include "barretenberg/honk/proof_system/types/proof.hpp" #include "barretenberg/relations/relation_parameters.hpp" #include "barretenberg/stdlib_circuit_builders/mega_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_flavor.hpp" -#include "barretenberg/stdlib_circuit_builders/ultra_keccak_with_gemini_flavor.hpp" #include "barretenberg/sumcheck/sumcheck_output.hpp" #include "barretenberg/transcript/transcript.hpp" #include "barretenberg/ultra_honk/decider_proving_key.hpp" diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_proving_key.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_proving_key.cpp index 2f0519bfa14c..1dcdaad737b2 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_proving_key.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_proving_key.cpp @@ -82,7 +82,6 @@ void DeciderProvingKey_::construct_databus_polynomials(Circuit& circuit) template class DeciderProvingKey_; template class DeciderProvingKey_; -template class DeciderProvingKey_; template class DeciderProvingKey_; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_proving_key.hpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_proving_key.hpp index ad94c467a988..fa2e344b5a3f 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_proving_key.hpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_proving_key.hpp @@ -9,7 +9,6 @@ #include "barretenberg/stdlib_circuit_builders/mega_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_keccak_flavor.hpp" -#include "barretenberg/stdlib_circuit_builders/ultra_keccak_with_gemini_flavor.hpp" namespace bb { /** diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.cpp index b9e2687bf095..3b9dd07dc1b5 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.cpp @@ -36,8 +36,10 @@ template bool DeciderVerifier_::verify_proof(const Dec template bool DeciderVerifier_::verify() { using PCS = typename Flavor::PCS; - // using Curve = typename Flavor::Curve; - using Verifier = Flavor::BatchedMultilinearEvaluationScheme::Verifier; + using Curve = typename Flavor::Curve; + using GroupElement = typename Curve::Element; + using ZeroMorph = ZeroMorphVerifier_; + using Shplemini = ShpleminiVerifier_; using VerifierCommitments = typename Flavor::VerifierCommitments; VerifierCommitments commitments{ accumulator->verification_key, accumulator->witness_commitments }; @@ -54,16 +56,29 @@ template bool DeciderVerifier_::verify() return false; } + std::array pairing_points; + if constexpr (bb::IsAnyOf) { + auto opening_claim = Shplemini::compute_batch_opening_claim(accumulator->verification_key->circuit_size, + commitments.get_unshifted(), + commitments.get_shifted(), + claimed_evaluations.get_all(), + multivariate_challenge, + Commitment::one(), + transcript); + pairing_points = PCS::reduce_verify_batch_opening_claim(opening_claim, transcript); + + } else { + auto opening_claim = ZeroMorph::verify(accumulator->verification_key->circuit_size, + commitments.get_unshifted(), + commitments.get_to_be_shifted(), + claimed_evaluations.get_all(), + multivariate_challenge, + Commitment::one(), + transcript); + pairing_points = PCS::reduce_verify(opening_claim, transcript); + } // Execute ZeroMorph rounds. See https://hackmd.io/dlf9xEwhTQyE3hiGbq4FsA?view for a complete description of the // unrolled protocol. - auto opening_claim = Verifier::verify(accumulator->verification_key->circuit_size, - commitments.get_unshifted(), - commitments.get_to_be_shifted(), - claimed_evaluations.get_all(), - multivariate_challenge, - Commitment::one(), - transcript); - auto pairing_points = PCS::reduce_verify(opening_claim, transcript); auto verified = pcs_verification_key->pairing_check(pairing_points[0], pairing_points[1]); @@ -72,7 +87,6 @@ template bool DeciderVerifier_::verify() template class DeciderVerifier_; template class DeciderVerifier_; -template class DeciderVerifier_; template class DeciderVerifier_; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.hpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.hpp index 904b0a8b9685..f69cea8cf378 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.hpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.hpp @@ -1,4 +1,5 @@ #pragma once +#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp" #include "barretenberg/honk/proof_system/types/proof.hpp" #include "barretenberg/srs/global_crs.hpp" #include "barretenberg/stdlib_circuit_builders/mega_flavor.hpp" diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.cpp index d2aa66e2b692..26e0f1cca5af 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.cpp @@ -220,7 +220,6 @@ template typename Flavor::RelationSeparator OinkProver; template class OinkProver; -template class OinkProver; template class OinkProver; } // namespace bb \ No newline at end of file diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.hpp b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.hpp index 67834691ca74..e252f7d904df 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.hpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.hpp @@ -22,7 +22,6 @@ #include "barretenberg/stdlib_circuit_builders/mega_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_keccak_flavor.hpp" -#include "barretenberg/stdlib_circuit_builders/ultra_keccak_with_gemini_flavor.hpp" #include "barretenberg/transcript/transcript.hpp" #include "barretenberg/ultra_honk/decider_proving_key.hpp" diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.cpp index 6d18e3e74bcb..227fa145a44c 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.cpp @@ -157,7 +157,6 @@ template typename Flavor::RelationSeparator OinkVerifier< template class OinkVerifier; template class OinkVerifier; -template class OinkVerifier; template class OinkVerifier; } // namespace bb \ No newline at end of file diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.hpp b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.hpp index 4a3a48053026..fab7bcdff19d 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.hpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.hpp @@ -6,7 +6,6 @@ #include "barretenberg/stdlib_circuit_builders/mega_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_keccak_flavor.hpp" -#include "barretenberg/stdlib_circuit_builders/ultra_keccak_with_gemini_flavor.hpp" #include "barretenberg/ultra_honk/decider_verification_key.hpp" namespace bb { diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_honk.test.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_honk.test.cpp index 3381db58fb29..62dfe74c9c1e 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_honk.test.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_honk.test.cpp @@ -47,7 +47,7 @@ template class UltraHonkTests : public ::testing::Test { static void SetUpTestSuite() { bb::srs::init_crs_factory("../srs_db/ignition"); } }; -using FlavorTypes = testing::Types; +using FlavorTypes = testing::Types; TYPED_TEST_SUITE(UltraHonkTests, FlavorTypes); /** diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.cpp index 7f7cb2f078bd..2470b6a1c15d 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.cpp @@ -61,6 +61,5 @@ template HonkProof UltraProver_::construct_proof( template class UltraProver_; template class UltraProver_; template class UltraProver_; -template class UltraProver_; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.hpp b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.hpp index 31f92818d352..6ab19509eb65 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.hpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.hpp @@ -4,7 +4,6 @@ #include "barretenberg/relations/relation_parameters.hpp" #include "barretenberg/stdlib_circuit_builders/mega_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_flavor.hpp" -#include "barretenberg/stdlib_circuit_builders/ultra_keccak_with_gemini_flavor.hpp" #include "barretenberg/sumcheck/sumcheck_output.hpp" #include "barretenberg/transcript/transcript.hpp" #include "barretenberg/ultra_honk/decider_proving_key.hpp" diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_verifier.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_verifier.cpp index e6689259a3e8..6bd5b3fc3f19 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_verifier.cpp @@ -30,7 +30,6 @@ template bool UltraVerifier_::verify_proof(const HonkP template class UltraVerifier_; template class UltraVerifier_; -template class UltraVerifier_; template class UltraVerifier_; } // namespace bb From 81363df734a1725543470510e51524ed2dd3a6a2 Mon Sep 17 00:00:00 2001 From: maramihali Date: Sat, 21 Sep 2024 11:17:31 +0000 Subject: [PATCH 09/31] stuff --- .../cpp/src/barretenberg/ultra_honk/decider_verifier.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.cpp index 3b9dd07dc1b5..9adfcf9dfa85 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.cpp @@ -60,7 +60,7 @@ template bool DeciderVerifier_::verify() if constexpr (bb::IsAnyOf) { auto opening_claim = Shplemini::compute_batch_opening_claim(accumulator->verification_key->circuit_size, commitments.get_unshifted(), - commitments.get_shifted(), + commitments.get_to_be_shifted(), claimed_evaluations.get_all(), multivariate_challenge, Commitment::one(), From 09a14cf6bb6390ccbc053272eb588ae946032ab3 Mon Sep 17 00:00:00 2001 From: maramihali Date: Sat, 21 Sep 2024 11:59:09 +0000 Subject: [PATCH 10/31] remove Zeromorph --- .../dsl/acir_proofs/honk_contract.hpp | 405 +----------------- barretenberg/sol/src/honk/HonkTypes.sol | 4 - barretenberg/sol/src/honk/HonkVerifier.sol | 215 +--------- barretenberg/sol/src/honk/Transcript.sol | 95 +--- .../sol/src/honk/instance/Add2Honk.sol | 214 +-------- .../sol/src/honk/instance/BlakeHonk.sol | 215 +--------- .../sol/src/honk/instance/EcdsaHonk.sol | 215 +--------- .../honk/keys/EcdsaHonkVerificationKey.sol | 84 ++-- .../ultra/keys/Add2UltraVerificationKey.sol | 4 +- .../ultra/keys/BlakeUltraVerificationKey.sol | 4 +- .../ultra/keys/EcdsaUltraVerificationKey.sol | 76 ++-- .../keys/RecursiveUltraVerificationKey.sol | 104 ++--- 12 files changed, 215 insertions(+), 1420 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/dsl/acir_proofs/honk_contract.hpp b/barretenberg/cpp/src/barretenberg/dsl/acir_proofs/honk_contract.hpp index 3a62a688bac1..7a451cd81f23 100644 --- a/barretenberg/cpp/src/barretenberg/dsl/acir_proofs/honk_contract.hpp +++ b/barretenberg/cpp/src/barretenberg/dsl/acir_proofs/honk_contract.hpp @@ -263,10 +263,6 @@ library Honk { // Sumcheck Fr[BATCHED_RELATION_PARTIAL_LENGTH][CONST_PROOF_SIZE_LOG_N] sumcheckUnivariates; Fr[NUMBER_OF_ENTITIES] sumcheckEvaluations; - // Zero morph - Honk.G1ProofPoint[CONST_PROOF_SIZE_LOG_N] zmCqs; - Honk.G1ProofPoint zmCq; - Honk.G1ProofPoint zmPi; } } @@ -281,12 +277,6 @@ struct Transcript { Fr[NUMBER_OF_ALPHAS] alphas; Fr[CONST_PROOF_SIZE_LOG_N] gateChallenges; Fr[CONST_PROOF_SIZE_LOG_N] sumCheckUChallenges; - Fr rho; - // Zero morph - Fr zmX; - Fr zmY; - Fr zmZ; - Fr zmQuotient; // Derived Fr publicInputsDelta; Fr lookupGrandProductDelta; @@ -308,11 +298,6 @@ library TranscriptLib { (t.gateChallenges, previousChallenge) = generateGateChallenges(previousChallenge); (t.sumCheckUChallenges, previousChallenge) = generateSumcheckChallenges(proof, previousChallenge); - (t.rho, previousChallenge) = generateRhoChallenge(proof, previousChallenge); - - (t.zmY, previousChallenge) = generateZMYChallenge(previousChallenge, proof); - - (t.zmX, t.zmZ, previousChallenge) = generateZMXZChallenges(previousChallenge, proof); return t; } @@ -436,52 +421,6 @@ library TranscriptLib { } nextPreviousChallenge = prevChallenge; } - - function generateRhoChallenge(Honk.Proof memory proof, Fr prevChallenge) internal view returns (Fr rho, Fr nextPreviousChallenge) - { - Fr[NUMBER_OF_ENTITIES + 1] memory rhoChallengeElements; - rhoChallengeElements[0] = prevChallenge; - - // TODO(https://github.com/AztecProtocol/barretenberg/issues/1098): memcpy - for (uint256 i = 0; i < NUMBER_OF_ENTITIES; i++) { - rhoChallengeElements[i + 1] = proof.sumcheckEvaluations[i]; - } - - nextPreviousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(rhoChallengeElements))); - Fr unused; - (rho, unused) = splitChallenge(nextPreviousChallenge); - } - - function generateZMYChallenge(Fr previousChallenge, Honk.Proof memory proof) internal view returns (Fr zeromorphY, Fr nextPreviousChallenge) - { - uint256[CONST_PROOF_SIZE_LOG_N * 4 + 1] memory zmY; - zmY[0] = Fr.unwrap(previousChallenge); - - for (uint256 i; i < CONST_PROOF_SIZE_LOG_N; ++i) { - zmY[1 + i * 4] = proof.zmCqs[i].x_0; - zmY[2 + i * 4] = proof.zmCqs[i].x_1; - zmY[3 + i * 4] = proof.zmCqs[i].y_0; - zmY[4 + i * 4] = proof.zmCqs[i].y_1; - } - - nextPreviousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(zmY))); - Fr unused; - (zeromorphY, unused) = splitChallenge(nextPreviousChallenge); - } - - function generateZMXZChallenges(Fr previousChallenge, Honk.Proof memory proof) internal pure returns (Fr zeromorphX, Fr zeromorphZ, Fr nextPreviousChallenge) - { - uint256[4 + 1] memory buf; - buf[0] = Fr.unwrap(previousChallenge); - - buf[1] = proof.zmCq.x_0; - buf[2] = proof.zmCq.x_1; - buf[3] = proof.zmCq.y_0; - buf[4] = proof.zmCq.y_1; - - nextPreviousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(buf))); - (zeromorphX, zeromorphZ) = splitChallenge(nextPreviousChallenge); - } } // EC Point utilities @@ -1219,7 +1158,6 @@ library RelationsLib { // Errors error PublicInputsLengthWrong(); error SumcheckFailed(); -error ZeromorphFailed(); interface IVerifier { function verify(bytes calldata _proof, bytes32[] calldata _publicInputs) external view returns (bool); @@ -1246,11 +1184,8 @@ contract HonkVerifier is IVerifier // Sumcheck bool sumcheckVerified = verifySumcheck(p, t); if (!sumcheckVerified) revert SumcheckFailed(); - // Zeromorph - bool zeromorphVerified = verifyZeroMorph(p, vk, t); - if (!zeromorphVerified) revert ZeromorphFailed(); - return sumcheckVerified && zeromorphVerified; // Boolean condition not required - nice for vanity :) + return sumcheckVerified; // Boolean condition not required - nice for vanity :) } function loadVerificationKey() internal view returns (Honk.VerificationKey memory) { @@ -1347,45 +1282,6 @@ contract HonkVerifier is IVerifier } boundary = boundary + (NUMBER_OF_ENTITIES * 0x20); - // Zero morph Commitments - for (uint256 i = 0; i < CONST_PROOF_SIZE_LOG_N; i++) { - // Explicitly stating the x0, x1, y0, y1 start and end boundaries to make the calldata slicing bearable - uint256 xStart = boundary + (i * 0x80); - uint256 xEnd = xStart + 0x20; - - uint256 x1Start = xEnd; - uint256 x1End = x1Start + 0x20; - - uint256 yStart = x1End; - uint256 yEnd = yStart + 0x20; - - uint256 y1Start = yEnd; - uint256 y1End = y1Start + 0x20; - - p.zmCqs[i] = Honk.G1ProofPoint({ - x_0: uint256(bytes32(proof[xStart:xEnd])), - x_1: uint256(bytes32(proof[x1Start:x1End])), - y_0: uint256(bytes32(proof[yStart:yEnd])), - y_1: uint256(bytes32(proof[y1Start:y1End])) - }); - } - - boundary = boundary + (CONST_PROOF_SIZE_LOG_N * 0x80); - - p.zmCq = Honk.G1ProofPoint({ - x_0: uint256(bytes32(proof[boundary:boundary + 0x20])), - x_1: uint256(bytes32(proof[boundary + 0x20:boundary + 0x40])), - y_0: uint256(bytes32(proof[boundary + 0x40:boundary + 0x60])), - y_1: uint256(bytes32(proof[boundary + 0x60:boundary + 0x80])) - }); - - p.zmPi = Honk.G1ProofPoint({ - x_0: uint256(bytes32(proof[boundary + 0x80:boundary + 0xa0])), - x_1: uint256(bytes32(proof[boundary + 0xa0:boundary + 0xc0])), - y_0: uint256(bytes32(proof[boundary + 0xc0:boundary + 0xe0])), - y_1: uint256(bytes32(proof[boundary + 0xe0:boundary + 0x100])) - }); - return p; } @@ -1515,305 +1411,6 @@ contract HonkVerifier is IVerifier Fr univariateEval = Fr.wrap(1) + (roundChallenge * (tp.gateChallenges[round] - Fr.wrap(1))); newEvaluation = currentEvaluation * univariateEval; } - - function verifyZeroMorph(Honk.Proof memory proof, Honk.VerificationKey memory vk, Transcript memory tp) - internal - view - returns (bool verified) - { - // Construct batched evaluation v = sum_{i=0}^{m-1}\rho^i*f_i(u) + sum_{i=0}^{l-1}\rho^{m+i}*h_i(u) - Fr batchedEval = Fr.wrap(0); - Fr batchedScalar = Fr.wrap(1); - - // We linearly combine all evaluations (unshifted first, then shifted) - for (uint256 i = 0; i < NUMBER_OF_ENTITIES; ++i) { - batchedEval = batchedEval + proof.sumcheckEvaluations[i] * batchedScalar; - batchedScalar = batchedScalar * tp.rho; - } - - // Get k commitments - Honk.G1Point memory c_zeta = computeCZeta(proof, tp); - Honk.G1Point memory c_zeta_x = computeCZetaX(proof, vk, tp, batchedEval); - Honk.G1Point memory c_zeta_Z = ecAdd(c_zeta, ecMul(c_zeta_x, tp.zmZ)); - - // KZG pairing accumulator - Fr evaluation = Fr.wrap(0); - verified = zkgReduceVerify(proof, tp, evaluation, c_zeta_Z); - } - - // Compute commitment to lifted degree quotient identity - function computeCZeta(Honk.Proof memory proof, Transcript memory tp) internal view returns (Honk.G1Point memory) { - Fr[LOG_N + 1] memory scalars; - Honk.G1ProofPoint[LOG_N + 1] memory commitments; - - // Initial contribution - commitments[0] = proof.zmCq; - scalars[0] = Fr.wrap(1); - - // TODO: optimize pow operations here ? batch mulable - for (uint256 k = 0; k < LOG_N; ++k) { - Fr degree = Fr.wrap((1 << k) - 1); - Fr scalar = FrLib.pow(tp.zmY, k); - scalar = scalar * FrLib.pow(tp.zmX, (1 << LOG_N) - Fr.unwrap(degree) - 1); - scalar = scalar * MINUS_ONE; - - scalars[k + 1] = scalar; - commitments[k + 1] = proof.zmCqs[k]; - } - - // Convert all commitments for batch mul - Honk.G1Point[LOG_N + 1] memory comms = convertPoints(commitments); - - return batchMul(comms, scalars); - } - - struct CZetaXParams { - Fr phi_numerator; - Fr phi_n_x; - Fr rho_pow; - Fr phi_1; - Fr phi_2; - Fr x_pow_2k; - Fr x_pow_2kp1; - } - - function computeCZetaX( - Honk.Proof memory proof, - Honk.VerificationKey memory vk, - Transcript memory tp, - Fr batchedEval - ) internal view returns (Honk.G1Point memory) { - Fr[NUMBER_OF_ENTITIES + CONST_PROOF_SIZE_LOG_N + 1] memory scalars; - Honk.G1Point[NUMBER_OF_ENTITIES + CONST_PROOF_SIZE_LOG_N + 1] memory commitments; - CZetaXParams memory cp; - - // Phi_n(x) = (x^N - 1) / (x - 1) - cp.phi_numerator = FrLib.pow(tp.zmX, (1 << LOG_N)) - Fr.wrap(1); - cp.phi_n_x = FrLib.div(cp.phi_numerator, tp.zmX - Fr.wrap(1)); - - // Add contribution: -v * x * \Phi_n(x) * [1]_1 - // Add base - scalars[0] = MINUS_ONE * batchedEval * tp.zmX * cp.phi_n_x; - commitments[0] = Honk.G1Point({x: 1, y: 2}); // One - - // f - Add all unshifted commitments - // g - Add add to be shifted commitments - - // f commitments are accumulated at (zm_x * r) - cp.rho_pow = Fr.wrap(1); - for (uint256 i = 1; i <= NUMBER_UNSHIFTED; ++i) { - scalars[i] = tp.zmX * cp.rho_pow; - cp.rho_pow = cp.rho_pow * tp.rho; - } - // g commitments are accumulated at r - for (uint256 i = NUMBER_UNSHIFTED + 1; i <= NUMBER_OF_ENTITIES; ++i) { - scalars[i] = cp.rho_pow; - cp.rho_pow = cp.rho_pow * tp.rho; - } - - commitments[1] = vk.qm; - commitments[2] = vk.qc; - commitments[3] = vk.ql; - commitments[4] = vk.qr; - commitments[5] = vk.qo; - commitments[6] = vk.q4; - commitments[7] = vk.qArith; - commitments[8] = vk.qDeltaRange; - commitments[9] = vk.qElliptic; - commitments[10] = vk.qAux; - commitments[11] = vk.qLookup; - commitments[12] = vk.qPoseidon2External; - commitments[13] = vk.qPoseidon2Internal; - commitments[14] = vk.s1; - commitments[15] = vk.s2; - commitments[16] = vk.s3; - commitments[17] = vk.s4; - commitments[18] = vk.id1; - commitments[19] = vk.id2; - commitments[20] = vk.id3; - commitments[21] = vk.id4; - commitments[22] = vk.t1; - commitments[23] = vk.t2; - commitments[24] = vk.t3; - commitments[25] = vk.t4; - commitments[26] = vk.lagrangeFirst; - commitments[27] = vk.lagrangeLast; - - // Accumulate proof points - commitments[28] = convertProofPoint(proof.w1); - commitments[29] = convertProofPoint(proof.w2); - commitments[30] = convertProofPoint(proof.w3); - commitments[31] = convertProofPoint(proof.w4); - commitments[32] = convertProofPoint(proof.zPerm); - commitments[33] = convertProofPoint(proof.lookupInverses); - commitments[34] = convertProofPoint(proof.lookupReadCounts); - commitments[35] = convertProofPoint(proof.lookupReadTags); - - // to be Shifted - commitments[36] = vk.t1; - commitments[37] = vk.t2; - commitments[38] = vk.t3; - commitments[39] = vk.t4; - commitments[40] = convertProofPoint(proof.w1); - commitments[41] = convertProofPoint(proof.w2); - commitments[42] = convertProofPoint(proof.w3); - commitments[43] = convertProofPoint(proof.w4); - commitments[44] = convertProofPoint(proof.zPerm); - - // Add scalar contributions - // Add contributions: scalar * [q_k], k = 0,...,log_N, where - // scalar = -x * (x^{2^k} * \Phi_{n-k-1}(x^{2^{k+1}}) - u_k * \Phi_{n-k}(x^{2^k})) - cp.x_pow_2k = tp.zmX; - cp.x_pow_2kp1 = tp.zmX * tp.zmX; - for (uint256 k; k < CONST_PROOF_SIZE_LOG_N; ++k) { - bool dummy_round = k >= LOG_N; - - // note: defaults to 0 - Fr scalar; - if (!dummy_round) { - cp.phi_1 = FrLib.div(cp.phi_numerator, cp.x_pow_2kp1 - Fr.wrap(1)); - cp.phi_2 = FrLib.div(cp.phi_numerator, cp.x_pow_2k - Fr.wrap(1)); - - scalar = cp.x_pow_2k * cp.phi_1; - scalar = scalar - (tp.sumCheckUChallenges[k] * cp.phi_2); - scalar = scalar * tp.zmX; - scalar = scalar * MINUS_ONE; - - cp.x_pow_2k = cp.x_pow_2kp1; - cp.x_pow_2kp1 = cp.x_pow_2kp1 * cp.x_pow_2kp1; - } - - scalars[NUMBER_OF_ENTITIES + 1 + k] = scalar; - commitments[NUMBER_OF_ENTITIES + 1 + k] = convertProofPoint(proof.zmCqs[k]); - } - - return batchMul2(commitments, scalars); - } - - // Scalar Mul and acumulate into total - function batchMul(Honk.G1Point[LOG_N + 1] memory base, Fr[LOG_N + 1] memory scalars) - internal - view - returns (Honk.G1Point memory result) - { - uint256 limit = LOG_N + 1; - assembly { - let success := 0x01 - let free := mload(0x40) - - // Write the original into the accumulator - // Load into memory for ecMUL, leave offset for eccAdd result - // base is an array of pointers, so we have to dereference them - mstore(add(free, 0x40), mload(mload(base))) - mstore(add(free, 0x60), mload(add(0x20, mload(base)))) - // Add scalar - mstore(add(free, 0x80), mload(scalars)) - success := and(success, staticcall(gas(), 7, add(free, 0x40), 0x60, free, 0x40)) - - let count := 0x01 - - for {} lt(count, limit) { count := add(count, 1) } { - // Get loop offsets - let base_base := add(base, mul(count, 0x20)) - let scalar_base := add(scalars, mul(count, 0x20)) - - mstore(add(free, 0x40), mload(mload(base_base))) - mstore(add(free, 0x60), mload(add(0x20, mload(base_base)))) - // Add scalar - mstore(add(free, 0x80), mload(scalar_base)) - - success := and(success, staticcall(gas(), 7, add(free, 0x40), 0x60, add(free, 0x40), 0x40)) - success := and(success, staticcall(gas(), 6, free, 0x80, free, 0x40)) - } - - mstore(result, mload(free)) - mstore(add(result, 0x20), mload(add(free, 0x20))) - } - } - - // This implementation is the same as above with different constants - function batchMul2( - Honk.G1Point[NUMBER_OF_ENTITIES + CONST_PROOF_SIZE_LOG_N + 1] memory base, - Fr[NUMBER_OF_ENTITIES + CONST_PROOF_SIZE_LOG_N + 1] memory scalars - ) internal view returns (Honk.G1Point memory result) { - uint256 limit = NUMBER_OF_ENTITIES + LOG_N + 1; - assembly { - let success := 0x01 - let free := mload(0x40) - - // Write the original into the accumulator - // Load into memory for ecMUL, leave offset for eccAdd result - // base is an array of pointers, so we have to dereference them - mstore(add(free, 0x40), mload(mload(base))) - mstore(add(free, 0x60), mload(add(0x20, mload(base)))) - // Add scalar - mstore(add(free, 0x80), mload(scalars)) - success := and(success, staticcall(gas(), 7, add(free, 0x40), 0x60, free, 0x40)) - - let count := 0x01 - for {} lt(count, limit) { count := add(count, 1) } { - // Get loop offsets - let base_base := add(base, mul(count, 0x20)) - let scalar_base := add(scalars, mul(count, 0x20)) - - mstore(add(free, 0x40), mload(mload(base_base))) - mstore(add(free, 0x60), mload(add(0x20, mload(base_base)))) - // Add scalar - mstore(add(free, 0x80), mload(scalar_base)) - - success := and(success, staticcall(gas(), 7, add(free, 0x40), 0x60, add(free, 0x40), 0x40)) - // accumulator = accumulator + accumulator_2 - success := and(success, staticcall(gas(), 6, free, 0x80, free, 0x40)) - } - - // Return the result - i hate this - mstore(result, mload(free)) - mstore(add(result, 0x20), mload(add(free, 0x20))) - } - } - - function zkgReduceVerify( - Honk.Proof memory proof, - Transcript memory tp, - Fr evaluation, - Honk.G1Point memory commitment - ) internal view returns (bool) { - Honk.G1Point memory quotient_commitment = convertProofPoint(proof.zmPi); - Honk.G1Point memory ONE = Honk.G1Point({x: 1, y: 2}); - - Honk.G1Point memory P0 = commitment; - P0 = ecAdd(P0, ecMul(quotient_commitment, tp.zmX)); - - Honk.G1Point memory evalAsPoint = ecMul(ONE, evaluation); - P0 = ecSub(P0, evalAsPoint); - - Honk.G1Point memory P1 = negateInplace(quotient_commitment); - - // Perform pairing check - return pairing(P0, P1); - } - - function pairing(Honk.G1Point memory rhs, Honk.G1Point memory lhs) internal view returns(bool) - { - bytes memory input = - abi.encodePacked(rhs.x, - rhs.y, - // Fixed G1 point - uint256(0x198e9393920d483a7260bfb731fb5d25f1aa493335a9e71297e485b7aef312c2), - uint256(0x1800deef121f1e76426a00665e5c4479674322d4f75edadd46debd5cd992f6ed), - uint256(0x090689d0585ff075ec9e99ad690c3395bc4b313370b38ef355acdadcd122975b), - uint256(0x12c85ea5db8c6deb4aab71808dcb408fe3d1e7690c43d37b4ce6cc0166fa7daa), - lhs.x, - lhs.y, - // G1 point from VK - uint256(0x260e01b251f6f1c7e7ff4e580791dee8ea51d87a358e038b4efe30fac09383c1), - uint256(0x0118c4d5b837bcc2bc89b5b398b5974e9f5944073b32078b7e231fec938883b0), - uint256(0x04fc6369f7110fe3d25156c1bb9a72859cf2a04641f99ba4ee413c80da6a5fe4), - uint256(0x22febda3c0c0632a56475b4214e5615e11e6dd3f96e6cea2854a87d4dacc5e55)); - - (bool success, bytes memory result) = address(0x08).staticcall(input); - return abi.decode(result, (bool)); - } } // Conversion util - Duplicated as we cannot template LOG_N diff --git a/barretenberg/sol/src/honk/HonkTypes.sol b/barretenberg/sol/src/honk/HonkTypes.sol index 593d4bf2c2a7..180b163271f2 100644 --- a/barretenberg/sol/src/honk/HonkTypes.sol +++ b/barretenberg/sol/src/honk/HonkTypes.sol @@ -136,9 +136,5 @@ library Honk { // Sumcheck Fr[BATCHED_RELATION_PARTIAL_LENGTH][CONST_PROOF_SIZE_LOG_N] sumcheckUnivariates; Fr[NUMBER_OF_ENTITIES] sumcheckEvaluations; - // Zero morph - Honk.G1ProofPoint[CONST_PROOF_SIZE_LOG_N] zmCqs; - Honk.G1ProofPoint zmCq; - Honk.G1ProofPoint zmPi; } } diff --git a/barretenberg/sol/src/honk/HonkVerifier.sol b/barretenberg/sol/src/honk/HonkVerifier.sol index 540398bc0c6d..635d4188e711 100644 --- a/barretenberg/sol/src/honk/HonkVerifier.sol +++ b/barretenberg/sol/src/honk/HonkVerifier.sol @@ -27,7 +27,6 @@ import {RelationsLib} from "./Relations.sol"; error PublicInputsLengthWrong(); error SumcheckFailed(); -error ZeromorphFailed(); /// Smart contract verifier of honk proofs abstract contract BaseHonkVerifier is IVerifier { @@ -52,11 +51,7 @@ abstract contract BaseHonkVerifier is IVerifier { bool sumcheckVerified = verifySumcheck(p, t); if (!sumcheckVerified) revert SumcheckFailed(); - // Zeromorph - bool zeromorphVerified = verifyZeroMorph(p, vk, t); - if (!zeromorphVerified) revert ZeromorphFailed(); - - return sumcheckVerified && zeromorphVerified; // Boolean condition not required - nice for vanity :) + return sumcheckVerified; // Boolean condition not required - nice for vanity :) } function loadVerificationKey() internal view returns (Honk.VerificationKey memory) { @@ -192,181 +187,7 @@ abstract contract BaseHonkVerifier is IVerifier { newEvaluation = currentEvaluation * univariateEval; } - function verifyZeroMorph(Honk.Proof memory proof, Honk.VerificationKey memory vk, Transcript memory tp) - internal - view - returns (bool verified) - { - // Construct batched evaluation v = sum_{i=0}^{m-1}\rho^i*f_i(u) + sum_{i=0}^{l-1}\rho^{m+i}*h_i(u) - Fr batchedEval = Fr.wrap(0); - Fr batchedScalar = Fr.wrap(1); - - // We linearly combine all evaluations (unshifted first, then shifted) - for (uint256 i = 0; i < NUMBER_OF_ENTITIES; ++i) { - batchedEval = batchedEval + proof.sumcheckEvaluations[i] * batchedScalar; - batchedScalar = batchedScalar * tp.rho; - } - - // Get k commitments - Honk.G1Point memory c_zeta = computeCZeta(proof, tp); - Honk.G1Point memory c_zeta_x = computeCZetaX(proof, vk, tp, batchedEval); - Honk.G1Point memory c_zeta_Z = ecAdd(c_zeta, ecMul(c_zeta_x, tp.zmZ)); - - // KZG pairing accumulator - // WORKTODO: concerned that this is zero - it is multiplied by a point later on - Fr evaluation = Fr.wrap(0); - verified = zkgReduceVerify(proof, tp, evaluation, c_zeta_Z); - } - - // Compute commitment to lifted degree quotient identity - function computeCZeta(Honk.Proof memory proof, Transcript memory tp) internal view returns (Honk.G1Point memory) { - Fr[LOG_N + 1] memory scalars; - Honk.G1ProofPoint[LOG_N + 1] memory commitments; - - // Initial contribution - commitments[0] = proof.zmCq; - scalars[0] = Fr.wrap(1); - - // TODO: optimize pow operations here ? batch mulable - for (uint256 k = 0; k < LOG_N; ++k) { - Fr degree = Fr.wrap((1 << k) - 1); - Fr scalar = FrLib.pow(tp.zmY, k); - scalar = scalar * FrLib.pow(tp.zmX, (1 << LOG_N) - Fr.unwrap(degree) - 1); - scalar = scalar * MINUS_ONE; - - scalars[k + 1] = scalar; - commitments[k + 1] = proof.zmCqs[k]; - } - - // Convert all commitments for batch mul - Honk.G1Point[LOG_N + 1] memory comms = convertPoints(commitments); - - return batchMul(comms, scalars); - } - - struct CZetaXParams { - Fr phi_numerator; - Fr phi_n_x; - Fr rho_pow; - Fr phi_1; - Fr phi_2; - Fr x_pow_2k; - Fr x_pow_2kp1; - } - - function computeCZetaX( - Honk.Proof memory proof, - Honk.VerificationKey memory vk, - Transcript memory tp, - Fr batchedEval - ) internal view returns (Honk.G1Point memory) { - Fr[NUMBER_OF_ENTITIES + CONST_PROOF_SIZE_LOG_N + 1] memory scalars; - Honk.G1Point[NUMBER_OF_ENTITIES + CONST_PROOF_SIZE_LOG_N + 1] memory commitments; - CZetaXParams memory cp; - - // Phi_n(x) = (x^N - 1) / (x - 1) - cp.phi_numerator = FrLib.pow(tp.zmX, (1 << LOG_N)) - Fr.wrap(1); - cp.phi_n_x = FrLib.div(cp.phi_numerator, tp.zmX - Fr.wrap(1)); - - // Add contribution: -v * x * \Phi_n(x) * [1]_1 - // Add base - scalars[0] = MINUS_ONE * batchedEval * tp.zmX * cp.phi_n_x; - commitments[0] = Honk.G1Point({x: 1, y: 2}); // One - - // f - Add all unshifted commitments - // g - Add add to be shifted commitments - - // f commitments are accumulated at (zm_x * r) - cp.rho_pow = Fr.wrap(1); - for (uint256 i = 1; i <= NUMBER_UNSHIFTED; ++i) { - scalars[i] = tp.zmX * cp.rho_pow; - cp.rho_pow = cp.rho_pow * tp.rho; - } - // g commitments are accumulated at r - for (uint256 i = NUMBER_UNSHIFTED + 1; i <= NUMBER_OF_ENTITIES; ++i) { - scalars[i] = cp.rho_pow; - cp.rho_pow = cp.rho_pow * tp.rho; - } - - // TODO: dont accumulate these into the comms array, just accumulate directly - commitments[1] = vk.qm; - commitments[2] = vk.qc; - commitments[3] = vk.ql; - commitments[4] = vk.qr; - commitments[5] = vk.qo; - commitments[6] = vk.q4; - commitments[7] = vk.qArith; - commitments[8] = vk.qDeltaRange; - commitments[9] = vk.qElliptic; - commitments[10] = vk.qAux; - commitments[11] = vk.qLookup; - commitments[12] = vk.qPoseidon2External; - commitments[13] = vk.qPoseidon2Internal; - commitments[14] = vk.s1; - commitments[15] = vk.s2; - commitments[16] = vk.s3; - commitments[17] = vk.s4; - commitments[18] = vk.id1; - commitments[19] = vk.id2; - commitments[20] = vk.id3; - commitments[21] = vk.id4; - commitments[22] = vk.t1; - commitments[23] = vk.t2; - commitments[24] = vk.t3; - commitments[25] = vk.t4; - commitments[26] = vk.lagrangeFirst; - commitments[27] = vk.lagrangeLast; - - // Accumulate proof points - commitments[28] = convertProofPoint(proof.w1); - commitments[29] = convertProofPoint(proof.w2); - commitments[30] = convertProofPoint(proof.w3); - commitments[31] = convertProofPoint(proof.w4); - commitments[32] = convertProofPoint(proof.zPerm); - commitments[33] = convertProofPoint(proof.lookupInverses); - commitments[34] = convertProofPoint(proof.lookupReadCounts); - commitments[35] = convertProofPoint(proof.lookupReadTags); - - // to be Shifted - commitments[36] = vk.t1; - commitments[37] = vk.t2; - commitments[38] = vk.t3; - commitments[39] = vk.t4; - commitments[40] = convertProofPoint(proof.w1); - commitments[41] = convertProofPoint(proof.w2); - commitments[42] = convertProofPoint(proof.w3); - commitments[43] = convertProofPoint(proof.w4); - commitments[44] = convertProofPoint(proof.zPerm); - - // Add scalar contributions - // Add contributions: scalar * [q_k], k = 0,...,log_N, where - // scalar = -x * (x^{2^k} * \Phi_{n-k-1}(x^{2^{k+1}}) - u_k * \Phi_{n-k}(x^{2^k})) - cp.x_pow_2k = tp.zmX; - cp.x_pow_2kp1 = tp.zmX * tp.zmX; - for (uint256 k; k < CONST_PROOF_SIZE_LOG_N; ++k) { - bool dummy_round = k >= LOG_N; - - // note: defaults to 0 - Fr scalar; - if (!dummy_round) { - cp.phi_1 = FrLib.div(cp.phi_numerator, cp.x_pow_2kp1 - Fr.wrap(1)); - cp.phi_2 = FrLib.div(cp.phi_numerator, cp.x_pow_2k - Fr.wrap(1)); - - scalar = cp.x_pow_2k * cp.phi_1; - scalar = scalar - (tp.sumCheckUChallenges[k] * cp.phi_2); - scalar = scalar * tp.zmX; - scalar = scalar * MINUS_ONE; - - cp.x_pow_2k = cp.x_pow_2kp1; - cp.x_pow_2kp1 = cp.x_pow_2kp1 * cp.x_pow_2kp1; - } - - scalars[NUMBER_OF_ENTITIES + 1 + k] = scalar; - commitments[NUMBER_OF_ENTITIES + 1 + k] = convertProofPoint(proof.zmCqs[k]); - } - - return batchMul2(commitments, scalars); - } + // TODO: Implement Shplemini, functions above are left here in case they are useful // TODO: TODO: TODO: optimize // Scalar Mul and acumulate into total @@ -451,26 +272,26 @@ abstract contract BaseHonkVerifier is IVerifier { } } - function zkgReduceVerify( - Honk.Proof memory proof, - Transcript memory tp, - Fr evaluation, - Honk.G1Point memory commitment - ) internal view returns (bool) { - Honk.G1Point memory quotient_commitment = convertProofPoint(proof.zmPi); - Honk.G1Point memory ONE = Honk.G1Point({x: 1, y: 2}); + // function kzgReduceVerify( + // Honk.Proof memory proof, + // Transcript memory tp, + // Fr evaluation, + // Honk.G1Point memory commitment + // ) internal view returns (bool) { + // Honk.G1Point memory quotient_commitment = convertProofPoint(proof.zmPi); + // Honk.G1Point memory ONE = Honk.G1Point({x: 1, y: 2}); - Honk.G1Point memory P0 = commitment; - P0 = ecAdd(P0, ecMul(quotient_commitment, tp.zmX)); + // Honk.G1Point memory P0 = commitment; + // P0 = ecAdd(P0, ecMul(quotient_commitment, tp.zmX)); - Honk.G1Point memory evalAsPoint = ecMul(ONE, evaluation); - P0 = ecSub(P0, evalAsPoint); + // Honk.G1Point memory evalAsPoint = ecMul(ONE, evaluation); + // P0 = ecSub(P0, evalAsPoint); - Honk.G1Point memory P1 = negateInplace(quotient_commitment); + // Honk.G1Point memory P1 = negateInplace(quotient_commitment); - // Perform pairing check - return pairing(P0, P1); - } + // // Perform pairing check + // return pairing(P0, P1); + // } function pairing(Honk.G1Point memory rhs, Honk.G1Point memory lhs) internal view returns (bool) { bytes memory input = abi.encodePacked( diff --git a/barretenberg/sol/src/honk/Transcript.sol b/barretenberg/sol/src/honk/Transcript.sol index 1f450263a442..70ac62341581 100644 --- a/barretenberg/sol/src/honk/Transcript.sol +++ b/barretenberg/sol/src/honk/Transcript.sol @@ -19,12 +19,7 @@ struct Transcript { Fr[NUMBER_OF_ALPHAS] alphas; Fr[CONST_PROOF_SIZE_LOG_N] gateChallenges; Fr[CONST_PROOF_SIZE_LOG_N] sumCheckUChallenges; - Fr rho; - // Zero morph - Fr zmX; - Fr zmY; - Fr zmZ; - Fr zmQuotient; + // Fr rho; // Derived Fr publicInputsDelta; } @@ -45,11 +40,7 @@ library TranscriptLib { (t.gateChallenges, previousChallenge) = generateGateChallenges(previousChallenge); (t.sumCheckUChallenges, previousChallenge) = generateSumcheckChallenges(proof, previousChallenge); - (t.rho, previousChallenge) = generateRhoChallenge(proof, previousChallenge); - - (t.zmY, previousChallenge) = generateZMYChallenge(previousChallenge, proof); - - (t.zmX, t.zmZ, previousChallenge) = generateZMXZChallenges(previousChallenge, proof); + // (t.rho, previousChallenge) = generateRhoChallenge(proof, previousChallenge); return t; } @@ -186,6 +177,7 @@ library TranscriptLib { nextPreviousChallenge = prevChallenge; } + // TODO: reuse this for Shplemini function generateRhoChallenge(Honk.Proof memory proof, Fr prevChallenge) internal view @@ -204,43 +196,6 @@ library TranscriptLib { (rho, unused) = splitChallenge(nextPreviousChallenge); } - function generateZMYChallenge(Fr previousChallenge, Honk.Proof memory proof) - internal - view - returns (Fr zeromorphY, Fr nextPreviousChallenge) - { - uint256[CONST_PROOF_SIZE_LOG_N * 4 + 1] memory zmY; - zmY[0] = Fr.unwrap(previousChallenge); - - for (uint256 i; i < CONST_PROOF_SIZE_LOG_N; ++i) { - zmY[1 + i * 4] = proof.zmCqs[i].x_0; - zmY[2 + i * 4] = proof.zmCqs[i].x_1; - zmY[3 + i * 4] = proof.zmCqs[i].y_0; - zmY[4 + i * 4] = proof.zmCqs[i].y_1; - } - - nextPreviousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(zmY))); - Fr unused; - (zeromorphY, unused) = splitChallenge(nextPreviousChallenge); - } - - function generateZMXZChallenges(Fr previousChallenge, Honk.Proof memory proof) - internal - pure - returns (Fr zeromorphX, Fr zeromorphZ, Fr nextPreviousChallenge) - { - uint256[4 + 1] memory buf; - buf[0] = Fr.unwrap(previousChallenge); - - buf[1] = proof.zmCq.x_0; - buf[2] = proof.zmCq.x_1; - buf[3] = proof.zmCq.y_0; - buf[4] = proof.zmCq.y_1; - - nextPreviousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(buf))); - (zeromorphX, zeromorphZ) = splitChallenge(nextPreviousChallenge); - } - // TODO: mod q proof points // TODO: Preprocess all of the memory locations // TODO: Adjust proof point serde away from poseidon forced field elements @@ -332,44 +287,12 @@ library TranscriptLib { } boundary = boundary + (NUMBER_OF_ENTITIES * 0x20); - // Zero morph Commitments - for (uint256 i = 0; i < CONST_PROOF_SIZE_LOG_N; i++) { - // Explicitly stating the x0, x1, y0, y1 start and end boundaries to make the calldata slicing bearable - uint256 xStart = boundary + (i * 0x80); - uint256 xEnd = xStart + 0x20; - - uint256 x1Start = xEnd; - uint256 x1End = x1Start + 0x20; - - uint256 yStart = x1End; - uint256 yEnd = yStart + 0x20; - - uint256 y1Start = yEnd; - uint256 y1End = y1Start + 0x20; - - p.zmCqs[i] = Honk.G1ProofPoint({ - x_0: uint256(bytes32(proof[xStart:xEnd])), - x_1: uint256(bytes32(proof[x1Start:x1End])), - y_0: uint256(bytes32(proof[yStart:yEnd])), - y_1: uint256(bytes32(proof[y1Start:y1End])) - }); - } - - boundary = boundary + (CONST_PROOF_SIZE_LOG_N * 0x80); - - p.zmCq = Honk.G1ProofPoint({ - x_0: uint256(bytes32(proof[boundary:boundary + 0x20])), - x_1: uint256(bytes32(proof[boundary + 0x20:boundary + 0x40])), - y_0: uint256(bytes32(proof[boundary + 0x40:boundary + 0x60])), - y_1: uint256(bytes32(proof[boundary + 0x60:boundary + 0x80])) - }); - - p.zmPi = Honk.G1ProofPoint({ - x_0: uint256(bytes32(proof[boundary + 0x80:boundary + 0xa0])), - x_1: uint256(bytes32(proof[boundary + 0xa0:boundary + 0xc0])), - y_0: uint256(bytes32(proof[boundary + 0xc0:boundary + 0xe0])), - y_1: uint256(bytes32(proof[boundary + 0xe0:boundary + 0x100])) - }); + // p.zmPi = Honk.G1ProofPoint({ + // x_0: uint256(bytes32(proof[boundary + 0x80:boundary + 0xa0])), + // x_1: uint256(bytes32(proof[boundary + 0xa0:boundary + 0xc0])), + // y_0: uint256(bytes32(proof[boundary + 0xc0:boundary + 0xe0])), + // y_1: uint256(bytes32(proof[boundary + 0xe0:boundary + 0x100])) + // }); return p; } diff --git a/barretenberg/sol/src/honk/instance/Add2Honk.sol b/barretenberg/sol/src/honk/instance/Add2Honk.sol index 9f554d10b547..a6eaec5afa81 100644 --- a/barretenberg/sol/src/honk/instance/Add2Honk.sol +++ b/barretenberg/sol/src/honk/instance/Add2Honk.sol @@ -28,7 +28,6 @@ import {RelationsLib} from "../Relations.sol"; // Errors error PublicInputsLengthWrong(); error SumcheckFailed(); -error ZeromorphFailed(); /// Smart contract verifier of honk proofs contract Add2HonkVerifier is IVerifier { @@ -51,11 +50,7 @@ contract Add2HonkVerifier is IVerifier { bool sumcheckVerified = verifySumcheck(p, t); if (!sumcheckVerified) revert SumcheckFailed(); - // Zeromorph - bool zeromorphVerified = verifyZeroMorph(p, vk, t); - if (!zeromorphVerified) revert ZeromorphFailed(); - - return sumcheckVerified && zeromorphVerified; // Boolean condition not required - nice for vanity :) + return sumcheckVerified; // Boolean condition not required - nice for vanity :) } function loadVerificationKey() internal view returns (Honk.VerificationKey memory) { @@ -191,181 +186,6 @@ contract Add2HonkVerifier is IVerifier { newEvaluation = currentEvaluation * univariateEval; } - function verifyZeroMorph(Honk.Proof memory proof, Honk.VerificationKey memory vk, Transcript memory tp) - internal - view - returns (bool verified) - { - // Construct batched evaluation v = sum_{i=0}^{m-1}\rho^i*f_i(u) + sum_{i=0}^{l-1}\rho^{m+i}*h_i(u) - Fr batchedEval = Fr.wrap(0); - Fr batchedScalar = Fr.wrap(1); - - // We linearly combine all evaluations (unshifted first, then shifted) - for (uint256 i = 0; i < NUMBER_OF_ENTITIES; ++i) { - batchedEval = batchedEval + proof.sumcheckEvaluations[i] * batchedScalar; - batchedScalar = batchedScalar * tp.rho; - } - - // Get k commitments - Honk.G1Point memory c_zeta = computeCZeta(proof, tp); - Honk.G1Point memory c_zeta_x = computeCZetaX(proof, vk, tp, batchedEval); - Honk.G1Point memory c_zeta_Z = ecAdd(c_zeta, ecMul(c_zeta_x, tp.zmZ)); - - // KZG pairing accumulator - Fr evaluation = Fr.wrap(0); - verified = zkgReduceVerify(proof, tp, evaluation, c_zeta_Z); - } - - // Compute commitment to lifted degree quotient identity - function computeCZeta(Honk.Proof memory proof, Transcript memory tp) internal view returns (Honk.G1Point memory) { - Fr[LOG_N + 1] memory scalars; - Honk.G1ProofPoint[LOG_N + 1] memory commitments; - - // Initial contribution - commitments[0] = proof.zmCq; - scalars[0] = Fr.wrap(1); - - // TODO: optimize pow operations here ? batch mulable - for (uint256 k = 0; k < LOG_N; ++k) { - Fr degree = Fr.wrap((1 << k) - 1); - Fr scalar = FrLib.pow(tp.zmY, k); - scalar = scalar * FrLib.pow(tp.zmX, (1 << LOG_N) - Fr.unwrap(degree) - 1); - scalar = scalar * MINUS_ONE; - - scalars[k + 1] = scalar; - commitments[k + 1] = proof.zmCqs[k]; - } - - // Convert all commitments for batch mul - Honk.G1Point[LOG_N + 1] memory comms = convertPoints(commitments); - - return batchMul(comms, scalars); - } - - struct CZetaXParams { - Fr phi_numerator; - Fr phi_n_x; - Fr rho_pow; - Fr phi_1; - Fr phi_2; - Fr x_pow_2k; - Fr x_pow_2kp1; - } - - function computeCZetaX( - Honk.Proof memory proof, - Honk.VerificationKey memory vk, - Transcript memory tp, - Fr batchedEval - ) internal view returns (Honk.G1Point memory) { - Fr[NUMBER_OF_ENTITIES + CONST_PROOF_SIZE_LOG_N + 1] memory scalars; - Honk.G1Point[NUMBER_OF_ENTITIES + CONST_PROOF_SIZE_LOG_N + 1] memory commitments; - CZetaXParams memory cp; - - // Phi_n(x) = (x^N - 1) / (x - 1) - cp.phi_numerator = FrLib.pow(tp.zmX, (1 << LOG_N)) - Fr.wrap(1); - cp.phi_n_x = FrLib.div(cp.phi_numerator, tp.zmX - Fr.wrap(1)); - - // Add contribution: -v * x * \Phi_n(x) * [1]_1 - // Add base - scalars[0] = MINUS_ONE * batchedEval * tp.zmX * cp.phi_n_x; - commitments[0] = Honk.G1Point({x: 1, y: 2}); // One - - // f - Add all unshifted commitments - // g - Add add to be shifted commitments - - // f commitments are accumulated at (zm_x * r) - cp.rho_pow = Fr.wrap(1); - for (uint256 i = 1; i <= NUMBER_UNSHIFTED; ++i) { - scalars[i] = tp.zmX * cp.rho_pow; - cp.rho_pow = cp.rho_pow * tp.rho; - } - // g commitments are accumulated at r - for (uint256 i = NUMBER_UNSHIFTED + 1; i <= NUMBER_OF_ENTITIES; ++i) { - scalars[i] = cp.rho_pow; - cp.rho_pow = cp.rho_pow * tp.rho; - } - - // TODO: dont accumulate these into the comms array, just accumulate directly - commitments[1] = vk.qm; - commitments[2] = vk.qc; - commitments[3] = vk.ql; - commitments[4] = vk.qr; - commitments[5] = vk.qo; - commitments[6] = vk.q4; - commitments[7] = vk.qArith; - commitments[8] = vk.qDeltaRange; - commitments[9] = vk.qElliptic; - commitments[10] = vk.qAux; - commitments[11] = vk.qLookup; - commitments[12] = vk.qPoseidon2External; - commitments[13] = vk.qPoseidon2Internal; - commitments[14] = vk.s1; - commitments[15] = vk.s2; - commitments[16] = vk.s3; - commitments[17] = vk.s4; - commitments[18] = vk.id1; - commitments[19] = vk.id2; - commitments[20] = vk.id3; - commitments[21] = vk.id4; - commitments[22] = vk.t1; - commitments[23] = vk.t2; - commitments[24] = vk.t3; - commitments[25] = vk.t4; - commitments[26] = vk.lagrangeFirst; - commitments[27] = vk.lagrangeLast; - - // Accumulate proof points - commitments[28] = convertProofPoint(proof.w1); - commitments[29] = convertProofPoint(proof.w2); - commitments[30] = convertProofPoint(proof.w3); - commitments[31] = convertProofPoint(proof.w4); - commitments[32] = convertProofPoint(proof.zPerm); - commitments[33] = convertProofPoint(proof.lookupInverses); - commitments[34] = convertProofPoint(proof.lookupReadCounts); - commitments[35] = convertProofPoint(proof.lookupReadTags); - - // to be Shifted - commitments[36] = vk.t1; - commitments[37] = vk.t2; - commitments[38] = vk.t3; - commitments[39] = vk.t4; - commitments[40] = convertProofPoint(proof.w1); - commitments[41] = convertProofPoint(proof.w2); - commitments[42] = convertProofPoint(proof.w3); - commitments[43] = convertProofPoint(proof.w4); - commitments[44] = convertProofPoint(proof.zPerm); - - // Add scalar contributions - // Add contributions: scalar * [q_k], k = 0,...,log_N, where - // scalar = -x * (x^{2^k} * \Phi_{n-k-1}(x^{2^{k+1}}) - u_k * \Phi_{n-k}(x^{2^k})) - cp.x_pow_2k = tp.zmX; - cp.x_pow_2kp1 = tp.zmX * tp.zmX; - for (uint256 k; k < CONST_PROOF_SIZE_LOG_N; ++k) { - bool dummy_round = k >= LOG_N; - - // note: defaults to 0 - Fr scalar; - if (!dummy_round) { - cp.phi_1 = FrLib.div(cp.phi_numerator, cp.x_pow_2kp1 - Fr.wrap(1)); - cp.phi_2 = FrLib.div(cp.phi_numerator, cp.x_pow_2k - Fr.wrap(1)); - - scalar = cp.x_pow_2k * cp.phi_1; - scalar = scalar - (tp.sumCheckUChallenges[k] * cp.phi_2); - scalar = scalar * tp.zmX; - scalar = scalar * MINUS_ONE; - - cp.x_pow_2k = cp.x_pow_2kp1; - cp.x_pow_2kp1 = cp.x_pow_2kp1 * cp.x_pow_2kp1; - } - - scalars[NUMBER_OF_ENTITIES + 1 + k] = scalar; - commitments[NUMBER_OF_ENTITIES + 1 + k] = convertProofPoint(proof.zmCqs[k]); - } - - return batchMul2(commitments, scalars); - } - // TODO: TODO: TODO: optimize // Scalar Mul and acumulate into total function batchMul(Honk.G1Point[LOG_N + 1] memory base, Fr[LOG_N + 1] memory scalars) @@ -449,26 +269,26 @@ contract Add2HonkVerifier is IVerifier { } } - function zkgReduceVerify( - Honk.Proof memory proof, - Transcript memory tp, - Fr evaluation, - Honk.G1Point memory commitment - ) internal view returns (bool) { - Honk.G1Point memory quotient_commitment = convertProofPoint(proof.zmPi); - Honk.G1Point memory ONE = Honk.G1Point({x: 1, y: 2}); + // function kzgReduceVerify( + // Honk.Proof memory proof, + // Transcript memory tp, + // Fr evaluation, + // Honk.G1Point memory commitment + // ) internal view returns (bool) { + // Honk.G1Point memory quotient_commitment = convertProofPoint(proof.zmPi); + // Honk.G1Point memory ONE = Honk.G1Point({x: 1, y: 2}); - Honk.G1Point memory P0 = commitment; - P0 = ecAdd(P0, ecMul(quotient_commitment, tp.zmX)); + // Honk.G1Point memory P0 = commitment; + // P0 = ecAdd(P0, ecMul(quotient_commitment, tp.zmX)); - Honk.G1Point memory evalAsPoint = ecMul(ONE, evaluation); - P0 = ecSub(P0, evalAsPoint); + // Honk.G1Point memory evalAsPoint = ecMul(ONE, evaluation); + // P0 = ecSub(P0, evalAsPoint); - Honk.G1Point memory P1 = negateInplace(quotient_commitment); + // Honk.G1Point memory P1 = negateInplace(quotient_commitment); - // Perform pairing check - return pairing(P0, P1); - } + // // Perform pairing check + // return pairing(P0, P1); + // } function pairing(Honk.G1Point memory rhs, Honk.G1Point memory lhs) internal view returns (bool) { bytes memory input = abi.encodePacked( diff --git a/barretenberg/sol/src/honk/instance/BlakeHonk.sol b/barretenberg/sol/src/honk/instance/BlakeHonk.sol index f3b36f359b21..4c40fc2337b5 100644 --- a/barretenberg/sol/src/honk/instance/BlakeHonk.sol +++ b/barretenberg/sol/src/honk/instance/BlakeHonk.sol @@ -28,7 +28,6 @@ import {RelationsLib} from "../Relations.sol"; // Errors error PublicInputsLengthWrong(); error SumcheckFailed(); -error ZeromorphFailed(); /// Smart contract verifier of honk proofs contract BlakeHonkVerifier is IVerifier { @@ -51,11 +50,7 @@ contract BlakeHonkVerifier is IVerifier { bool sumcheckVerified = verifySumcheck(p, t); if (!sumcheckVerified) revert SumcheckFailed(); - // Zeromorph - bool zeromorphVerified = verifyZeroMorph(p, vk, t); - if (!zeromorphVerified) revert ZeromorphFailed(); - - return sumcheckVerified && zeromorphVerified; // Boolean condition not required - nice for vanity :) + return sumcheckVerified; // Boolean condition not required - nice for vanity :) } function loadVerificationKey() internal view returns (Honk.VerificationKey memory) { @@ -191,182 +186,6 @@ contract BlakeHonkVerifier is IVerifier { newEvaluation = currentEvaluation * univariateEval; } - function verifyZeroMorph(Honk.Proof memory proof, Honk.VerificationKey memory vk, Transcript memory tp) - internal - view - returns (bool verified) - { - // Construct batched evaluation v = sum_{i=0}^{m-1}\rho^i*f_i(u) + sum_{i=0}^{l-1}\rho^{m+i}*h_i(u) - Fr batchedEval = Fr.wrap(0); - Fr batchedScalar = Fr.wrap(1); - - // We linearly combine all evaluations (unshifted first, then shifted) - for (uint256 i = 0; i < NUMBER_OF_ENTITIES; ++i) { - batchedEval = batchedEval + proof.sumcheckEvaluations[i] * batchedScalar; - batchedScalar = batchedScalar * tp.rho; - } - - // Get k commitments - Honk.G1Point memory c_zeta = computeCZeta(proof, tp); - Honk.G1Point memory c_zeta_x = computeCZetaX(proof, vk, tp, batchedEval); - Honk.G1Point memory c_zeta_Z = ecAdd(c_zeta, ecMul(c_zeta_x, tp.zmZ)); - - // KZG pairing accumulator - // WORKTODO: concerned that this is zero - it is multiplied by a point later on - Fr evaluation = Fr.wrap(0); - verified = zkgReduceVerify(proof, tp, evaluation, c_zeta_Z); - } - - // Compute commitment to lifted degree quotient identity - function computeCZeta(Honk.Proof memory proof, Transcript memory tp) internal view returns (Honk.G1Point memory) { - Fr[LOG_N + 1] memory scalars; - Honk.G1ProofPoint[LOG_N + 1] memory commitments; - - // Initial contribution - commitments[0] = proof.zmCq; - scalars[0] = Fr.wrap(1); - - // TODO: optimize pow operations here ? batch mulable - for (uint256 k = 0; k < LOG_N; ++k) { - Fr degree = Fr.wrap((1 << k) - 1); - Fr scalar = FrLib.pow(tp.zmY, k); - scalar = scalar * FrLib.pow(tp.zmX, (1 << LOG_N) - Fr.unwrap(degree) - 1); - scalar = scalar * MINUS_ONE; - - scalars[k + 1] = scalar; - commitments[k + 1] = proof.zmCqs[k]; - } - - // Convert all commitments for batch mul - Honk.G1Point[LOG_N + 1] memory comms = convertPoints(commitments); - - return batchMul(comms, scalars); - } - - struct CZetaXParams { - Fr phi_numerator; - Fr phi_n_x; - Fr rho_pow; - Fr phi_1; - Fr phi_2; - Fr x_pow_2k; - Fr x_pow_2kp1; - } - - function computeCZetaX( - Honk.Proof memory proof, - Honk.VerificationKey memory vk, - Transcript memory tp, - Fr batchedEval - ) internal view returns (Honk.G1Point memory) { - Fr[NUMBER_OF_ENTITIES + CONST_PROOF_SIZE_LOG_N + 1] memory scalars; - Honk.G1Point[NUMBER_OF_ENTITIES + CONST_PROOF_SIZE_LOG_N + 1] memory commitments; - CZetaXParams memory cp; - - // Phi_n(x) = (x^N - 1) / (x - 1) - cp.phi_numerator = FrLib.pow(tp.zmX, (1 << LOG_N)) - Fr.wrap(1); - cp.phi_n_x = FrLib.div(cp.phi_numerator, tp.zmX - Fr.wrap(1)); - - // Add contribution: -v * x * \Phi_n(x) * [1]_1 - // Add base - scalars[0] = MINUS_ONE * batchedEval * tp.zmX * cp.phi_n_x; - commitments[0] = Honk.G1Point({x: 1, y: 2}); // One - - // f - Add all unshifted commitments - // g - Add add to be shifted commitments - - // f commitments are accumulated at (zm_x * r) - cp.rho_pow = Fr.wrap(1); - for (uint256 i = 1; i <= NUMBER_UNSHIFTED; ++i) { - scalars[i] = tp.zmX * cp.rho_pow; - cp.rho_pow = cp.rho_pow * tp.rho; - } - // g commitments are accumulated at r - for (uint256 i = NUMBER_UNSHIFTED + 1; i <= NUMBER_OF_ENTITIES; ++i) { - scalars[i] = cp.rho_pow; - cp.rho_pow = cp.rho_pow * tp.rho; - } - - // TODO: dont accumulate these into the comms array, just accumulate directly - commitments[1] = vk.qm; - commitments[2] = vk.qc; - commitments[3] = vk.ql; - commitments[4] = vk.qr; - commitments[5] = vk.qo; - commitments[6] = vk.q4; - commitments[7] = vk.qArith; - commitments[8] = vk.qDeltaRange; - commitments[9] = vk.qElliptic; - commitments[10] = vk.qAux; - commitments[11] = vk.qLookup; - commitments[12] = vk.qPoseidon2External; - commitments[13] = vk.qPoseidon2Internal; - commitments[14] = vk.s1; - commitments[15] = vk.s2; - commitments[16] = vk.s3; - commitments[17] = vk.s4; - commitments[18] = vk.id1; - commitments[19] = vk.id2; - commitments[20] = vk.id3; - commitments[21] = vk.id4; - commitments[22] = vk.t1; - commitments[23] = vk.t2; - commitments[24] = vk.t3; - commitments[25] = vk.t4; - commitments[26] = vk.lagrangeFirst; - commitments[27] = vk.lagrangeLast; - - // Accumulate proof points - commitments[28] = convertProofPoint(proof.w1); - commitments[29] = convertProofPoint(proof.w2); - commitments[30] = convertProofPoint(proof.w3); - commitments[31] = convertProofPoint(proof.w4); - commitments[32] = convertProofPoint(proof.zPerm); - commitments[33] = convertProofPoint(proof.lookupInverses); - commitments[34] = convertProofPoint(proof.lookupReadCounts); - commitments[35] = convertProofPoint(proof.lookupReadTags); - - // to be Shifted - commitments[36] = vk.t1; - commitments[37] = vk.t2; - commitments[38] = vk.t3; - commitments[39] = vk.t4; - commitments[40] = convertProofPoint(proof.w1); - commitments[41] = convertProofPoint(proof.w2); - commitments[42] = convertProofPoint(proof.w3); - commitments[43] = convertProofPoint(proof.w4); - commitments[44] = convertProofPoint(proof.zPerm); - - // Add scalar contributions - // Add contributions: scalar * [q_k], k = 0,...,log_N, where - // scalar = -x * (x^{2^k} * \Phi_{n-k-1}(x^{2^{k+1}}) - u_k * \Phi_{n-k}(x^{2^k})) - cp.x_pow_2k = tp.zmX; - cp.x_pow_2kp1 = tp.zmX * tp.zmX; - for (uint256 k; k < CONST_PROOF_SIZE_LOG_N; ++k) { - bool dummy_round = k >= LOG_N; - - // note: defaults to 0 - Fr scalar; - if (!dummy_round) { - cp.phi_1 = FrLib.div(cp.phi_numerator, cp.x_pow_2kp1 - Fr.wrap(1)); - cp.phi_2 = FrLib.div(cp.phi_numerator, cp.x_pow_2k - Fr.wrap(1)); - - scalar = cp.x_pow_2k * cp.phi_1; - scalar = scalar - (tp.sumCheckUChallenges[k] * cp.phi_2); - scalar = scalar * tp.zmX; - scalar = scalar * MINUS_ONE; - - cp.x_pow_2k = cp.x_pow_2kp1; - cp.x_pow_2kp1 = cp.x_pow_2kp1 * cp.x_pow_2kp1; - } - - scalars[NUMBER_OF_ENTITIES + 1 + k] = scalar; - commitments[NUMBER_OF_ENTITIES + 1 + k] = convertProofPoint(proof.zmCqs[k]); - } - - return batchMul2(commitments, scalars); - } - // TODO: TODO: TODO: optimize // Scalar Mul and acumulate into total function batchMul(Honk.G1Point[LOG_N + 1] memory base, Fr[LOG_N + 1] memory scalars) @@ -450,26 +269,26 @@ contract BlakeHonkVerifier is IVerifier { } } - function zkgReduceVerify( - Honk.Proof memory proof, - Transcript memory tp, - Fr evaluation, - Honk.G1Point memory commitment - ) internal view returns (bool) { - Honk.G1Point memory quotient_commitment = convertProofPoint(proof.zmPi); - Honk.G1Point memory ONE = Honk.G1Point({x: 1, y: 2}); + // function kzgReduceVerify( + // Honk.Proof memory proof, + // Transcript memory tp, + // Fr evaluation, + // Honk.G1Point memory commitment + // ) internal view returns (bool) { + // Honk.G1Point memory quotient_commitment = convertProofPoint(proof.zmPi); + // Honk.G1Point memory ONE = Honk.G1Point({x: 1, y: 2}); - Honk.G1Point memory P0 = commitment; - P0 = ecAdd(P0, ecMul(quotient_commitment, tp.zmX)); + // Honk.G1Point memory P0 = commitment; + // P0 = ecAdd(P0, ecMul(quotient_commitment, tp.zmX)); - Honk.G1Point memory evalAsPoint = ecMul(ONE, evaluation); - P0 = ecSub(P0, evalAsPoint); + // Honk.G1Point memory evalAsPoint = ecMul(ONE, evaluation); + // P0 = ecSub(P0, evalAsPoint); - Honk.G1Point memory P1 = negateInplace(quotient_commitment); + // Honk.G1Point memory P1 = negateInplace(quotient_commitment); - // Perform pairing check - return pairing(P0, P1); - } + // // Perform pairing check + // return pairing(P0, P1); + // } function pairing(Honk.G1Point memory rhs, Honk.G1Point memory lhs) internal view returns (bool) { bytes memory input = abi.encodePacked( diff --git a/barretenberg/sol/src/honk/instance/EcdsaHonk.sol b/barretenberg/sol/src/honk/instance/EcdsaHonk.sol index 1dc716151cd4..2a683c27dcc1 100644 --- a/barretenberg/sol/src/honk/instance/EcdsaHonk.sol +++ b/barretenberg/sol/src/honk/instance/EcdsaHonk.sol @@ -28,7 +28,6 @@ import {RelationsLib} from "../Relations.sol"; // Errors error PublicInputsLengthWrong(); error SumcheckFailed(); -error ZeromorphFailed(); /// Smart contract verifier of honk proofs contract EcdsaHonkVerifier is IVerifier { @@ -51,11 +50,7 @@ contract EcdsaHonkVerifier is IVerifier { bool sumcheckVerified = verifySumcheck(p, t); if (!sumcheckVerified) revert SumcheckFailed(); - // Zeromorph - bool zeromorphVerified = verifyZeroMorph(p, vk, t); - if (!zeromorphVerified) revert ZeromorphFailed(); - - return sumcheckVerified && zeromorphVerified; // Boolean condition not required - nice for vanity :) + return sumcheckVerified; // Boolean condition not required - nice for vanity :) } function loadVerificationKey() internal view returns (Honk.VerificationKey memory) { @@ -191,182 +186,6 @@ contract EcdsaHonkVerifier is IVerifier { newEvaluation = currentEvaluation * univariateEval; } - function verifyZeroMorph(Honk.Proof memory proof, Honk.VerificationKey memory vk, Transcript memory tp) - internal - view - returns (bool verified) - { - // Construct batched evaluation v = sum_{i=0}^{m-1}\rho^i*f_i(u) + sum_{i=0}^{l-1}\rho^{m+i}*h_i(u) - Fr batchedEval = Fr.wrap(0); - Fr batchedScalar = Fr.wrap(1); - - // We linearly combine all evaluations (unshifted first, then shifted) - for (uint256 i = 0; i < NUMBER_OF_ENTITIES; ++i) { - batchedEval = batchedEval + proof.sumcheckEvaluations[i] * batchedScalar; - batchedScalar = batchedScalar * tp.rho; - } - - // Get k commitments - Honk.G1Point memory c_zeta = computeCZeta(proof, tp); - Honk.G1Point memory c_zeta_x = computeCZetaX(proof, vk, tp, batchedEval); - Honk.G1Point memory c_zeta_Z = ecAdd(c_zeta, ecMul(c_zeta_x, tp.zmZ)); - - // KZG pairing accumulator - // WORKTODO: concerned that this is zero - it is multiplied by a point later on - Fr evaluation = Fr.wrap(0); - verified = zkgReduceVerify(proof, tp, evaluation, c_zeta_Z); - } - - // Compute commitment to lifted degree quotient identity - function computeCZeta(Honk.Proof memory proof, Transcript memory tp) internal view returns (Honk.G1Point memory) { - Fr[LOG_N + 1] memory scalars; - Honk.G1ProofPoint[LOG_N + 1] memory commitments; - - // Initial contribution - commitments[0] = proof.zmCq; - scalars[0] = Fr.wrap(1); - - // TODO: optimize pow operations here ? batch mulable - for (uint256 k = 0; k < LOG_N; ++k) { - Fr degree = Fr.wrap((1 << k) - 1); - Fr scalar = FrLib.pow(tp.zmY, k); - scalar = scalar * FrLib.pow(tp.zmX, (1 << LOG_N) - Fr.unwrap(degree) - 1); - scalar = scalar * MINUS_ONE; - - scalars[k + 1] = scalar; - commitments[k + 1] = proof.zmCqs[k]; - } - - // Convert all commitments for batch mul - Honk.G1Point[LOG_N + 1] memory comms = convertPoints(commitments); - - return batchMul(comms, scalars); - } - - struct CZetaXParams { - Fr phi_numerator; - Fr phi_n_x; - Fr rho_pow; - Fr phi_1; - Fr phi_2; - Fr x_pow_2k; - Fr x_pow_2kp1; - } - - function computeCZetaX( - Honk.Proof memory proof, - Honk.VerificationKey memory vk, - Transcript memory tp, - Fr batchedEval - ) internal view returns (Honk.G1Point memory) { - Fr[NUMBER_OF_ENTITIES + CONST_PROOF_SIZE_LOG_N + 1] memory scalars; - Honk.G1Point[NUMBER_OF_ENTITIES + CONST_PROOF_SIZE_LOG_N + 1] memory commitments; - CZetaXParams memory cp; - - // Phi_n(x) = (x^N - 1) / (x - 1) - cp.phi_numerator = FrLib.pow(tp.zmX, (1 << LOG_N)) - Fr.wrap(1); - cp.phi_n_x = FrLib.div(cp.phi_numerator, tp.zmX - Fr.wrap(1)); - - // Add contribution: -v * x * \Phi_n(x) * [1]_1 - // Add base - scalars[0] = MINUS_ONE * batchedEval * tp.zmX * cp.phi_n_x; - commitments[0] = Honk.G1Point({x: 1, y: 2}); // One - - // f - Add all unshifted commitments - // g - Add add to be shifted commitments - - // f commitments are accumulated at (zm_x * r) - cp.rho_pow = Fr.wrap(1); - for (uint256 i = 1; i <= NUMBER_UNSHIFTED; ++i) { - scalars[i] = tp.zmX * cp.rho_pow; - cp.rho_pow = cp.rho_pow * tp.rho; - } - // g commitments are accumulated at r - for (uint256 i = NUMBER_UNSHIFTED + 1; i <= NUMBER_OF_ENTITIES; ++i) { - scalars[i] = cp.rho_pow; - cp.rho_pow = cp.rho_pow * tp.rho; - } - - // TODO: dont accumulate these into the comms array, just accumulate directly - commitments[1] = vk.qm; - commitments[2] = vk.qc; - commitments[3] = vk.ql; - commitments[4] = vk.qr; - commitments[5] = vk.qo; - commitments[6] = vk.q4; - commitments[7] = vk.qArith; - commitments[8] = vk.qDeltaRange; - commitments[9] = vk.qElliptic; - commitments[10] = vk.qAux; - commitments[11] = vk.qLookup; - commitments[12] = vk.qPoseidon2External; - commitments[13] = vk.qPoseidon2Internal; - commitments[14] = vk.s1; - commitments[15] = vk.s2; - commitments[16] = vk.s3; - commitments[17] = vk.s4; - commitments[18] = vk.id1; - commitments[19] = vk.id2; - commitments[20] = vk.id3; - commitments[21] = vk.id4; - commitments[22] = vk.t1; - commitments[23] = vk.t2; - commitments[24] = vk.t3; - commitments[25] = vk.t4; - commitments[26] = vk.lagrangeFirst; - commitments[27] = vk.lagrangeLast; - - // Accumulate proof points - commitments[28] = convertProofPoint(proof.w1); - commitments[29] = convertProofPoint(proof.w2); - commitments[30] = convertProofPoint(proof.w3); - commitments[31] = convertProofPoint(proof.w4); - commitments[32] = convertProofPoint(proof.zPerm); - commitments[33] = convertProofPoint(proof.lookupInverses); - commitments[34] = convertProofPoint(proof.lookupReadCounts); - commitments[35] = convertProofPoint(proof.lookupReadTags); - - // to be Shifted - commitments[36] = vk.t1; - commitments[37] = vk.t2; - commitments[38] = vk.t3; - commitments[39] = vk.t4; - commitments[40] = convertProofPoint(proof.w1); - commitments[41] = convertProofPoint(proof.w2); - commitments[42] = convertProofPoint(proof.w3); - commitments[43] = convertProofPoint(proof.w4); - commitments[44] = convertProofPoint(proof.zPerm); - - // Add scalar contributions - // Add contributions: scalar * [q_k], k = 0,...,log_N, where - // scalar = -x * (x^{2^k} * \Phi_{n-k-1}(x^{2^{k+1}}) - u_k * \Phi_{n-k}(x^{2^k})) - cp.x_pow_2k = tp.zmX; - cp.x_pow_2kp1 = tp.zmX * tp.zmX; - for (uint256 k; k < CONST_PROOF_SIZE_LOG_N; ++k) { - bool dummy_round = k >= LOG_N; - - // note: defaults to 0 - Fr scalar; - if (!dummy_round) { - cp.phi_1 = FrLib.div(cp.phi_numerator, cp.x_pow_2kp1 - Fr.wrap(1)); - cp.phi_2 = FrLib.div(cp.phi_numerator, cp.x_pow_2k - Fr.wrap(1)); - - scalar = cp.x_pow_2k * cp.phi_1; - scalar = scalar - (tp.sumCheckUChallenges[k] * cp.phi_2); - scalar = scalar * tp.zmX; - scalar = scalar * MINUS_ONE; - - cp.x_pow_2k = cp.x_pow_2kp1; - cp.x_pow_2kp1 = cp.x_pow_2kp1 * cp.x_pow_2kp1; - } - - scalars[NUMBER_OF_ENTITIES + 1 + k] = scalar; - commitments[NUMBER_OF_ENTITIES + 1 + k] = convertProofPoint(proof.zmCqs[k]); - } - - return batchMul2(commitments, scalars); - } - // TODO: TODO: TODO: optimize // Scalar Mul and acumulate into total function batchMul(Honk.G1Point[LOG_N + 1] memory base, Fr[LOG_N + 1] memory scalars) @@ -450,26 +269,26 @@ contract EcdsaHonkVerifier is IVerifier { } } - function zkgReduceVerify( - Honk.Proof memory proof, - Transcript memory tp, - Fr evaluation, - Honk.G1Point memory commitment - ) internal view returns (bool) { - Honk.G1Point memory quotient_commitment = convertProofPoint(proof.zmPi); - Honk.G1Point memory ONE = Honk.G1Point({x: 1, y: 2}); + // function kzgReduceVerify( + // Honk.Proof memory proof, + // Transcript memory tp, + // Fr evaluation, + // Honk.G1Point memory commitment + // ) internal view returns (bool) { + // Honk.G1Point memory quotient_commitment = convertProofPoint(proof.zmPi); + // Honk.G1Point memory ONE = Honk.G1Point({x: 1, y: 2}); - Honk.G1Point memory P0 = commitment; - P0 = ecAdd(P0, ecMul(quotient_commitment, tp.zmX)); + // Honk.G1Point memory P0 = commitment; + // P0 = ecAdd(P0, ecMul(quotient_commitment, tp.zmX)); - Honk.G1Point memory evalAsPoint = ecMul(ONE, evaluation); - P0 = ecSub(P0, evalAsPoint); + // Honk.G1Point memory evalAsPoint = ecMul(ONE, evaluation); + // P0 = ecSub(P0, evalAsPoint); - Honk.G1Point memory P1 = negateInplace(quotient_commitment); + // Honk.G1Point memory P1 = negateInplace(quotient_commitment); - // Perform pairing check - return pairing(P0, P1); - } + // // Perform pairing check + // return pairing(P0, P1); + // } function pairing(Honk.G1Point memory rhs, Honk.G1Point memory lhs) internal view returns (bool) { bytes memory input = abi.encodePacked( diff --git a/barretenberg/sol/src/honk/keys/EcdsaHonkVerificationKey.sol b/barretenberg/sol/src/honk/keys/EcdsaHonkVerificationKey.sol index b2d9abdf2a20..26207d04184b 100644 --- a/barretenberg/sol/src/honk/keys/EcdsaHonkVerificationKey.sol +++ b/barretenberg/sol/src/honk/keys/EcdsaHonkVerificationKey.sol @@ -15,72 +15,72 @@ library EcdsaHonkVerificationKey { logCircuitSize: uint256(16), publicInputsSize: uint256(6), ql: Honk.G1Point({ - x: uint256(0x0b1acdcf739e1e6c27df046577122a292a77f4fcdf8056d8b8ae12f105d3a888), - y: uint256(0x145dad3bdd9a262411aaa657129df49dbf44a63f510e9ab8191622c643ebd9bd) + x: uint256(0x051ccdb8069f35f4ef85ad098e95681736a7bed10a7bee1b76a506235dc0b579), + y: uint256(0x05e168c2e4f90231545f5b24c1a84c1419b8798e4235cc2036c9e101e462b71d) }), qr: Honk.G1Point({ - x: uint256(0x1940872f30b32522e26efd0fd4a642289bce2c56083e7a03af564c30969066d8), - y: uint256(0x181fd173051ca19e37f09c42298c36d2e9834df50535d85d429f562352c0d924) + x: uint256(0x2c99eed1f855cd5152942cc090aabf15308eb00ac549e965eb3e1950479cce58), + y: uint256(0x170bf8541390153bf5807bc022c9369f99d8bc1fd87922a0627b144fec0414e2) }), qo: Honk.G1Point({ - x: uint256(0x2a1afa631e8b6ab8fb1444fb0154686a5a34c7a4ddae66bdc344e782a81382b3), - y: uint256(0x0cfa0936a5e63e723a5c318c7461ddc22824ad0ee62fa00e2e8b92f9b3f1cdf6) + x: uint256(0x1594abb7debcf41e3296178eeec941dbb6242ba13f50f4549734657ee5ebb8b1), + y: uint256(0x262e1469c56c719bdc4eaab93cc95868eed9fea1fa9ded03b46f2c061a341d4f) }), q4: Honk.G1Point({ - x: uint256(0x1a01666b2e915221eb0c1ae6bf91394d18c73e6882dd1241d244f932678982ec), - y: uint256(0x212b0436d2da1b4a6507142b794024ded58e3d41fdde2f95249405ffdd02b324) + x: uint256(0x16b49bbcd37e15ed89b2f6f5b97d021abe440ba7cbc69904484991fa7e6058a9), + y: uint256(0x197b14cb5d037642b27ed7cd79b9568e5853ad1e3508453c0ed1f30c1962fd52) }), qm: Honk.G1Point({ - x: uint256(0x0dd29943b961b1c615ab22df0e5b567489a7c9a9ad3ac92ae281d68ca603326c), - y: uint256(0x2a552165dc59dc5c5398e6b8c2227dc3f36ccdcc1250e7c9a8c1631c963aff2f) + x: uint256(0x175280d74e116a82ad6ccc34f640a5b3dda74b17372c9a0941d57749e37068a6), + y: uint256(0x0827b11a78b8a625ba940983effbcf7354aa0388bd472481c0a8a088653b9769) }), qc: Honk.G1Point({ - x: uint256(0x203785f30cf75ed2e8559faa797897174bca19ebcb44266c6bc87aee8dc86964), - y: uint256(0x11ae3fbccf0c302ab29a8123b2ef631a659a3750d27df3eb7c492ae978ac3f07) + x: uint256(0x2a262a7189292da31f3f4a7926c4d9fcae883188aafe9cf3ba2a623f0004a67a), + y: uint256(0x0d90b8808180521422b90889592111434dd5bbc0e5deb27419c1f5e6d0bf9883) }), qArith: Honk.G1Point({ - x: uint256(0x059453a86c23185b89783698e7da32ce59270611c312c82a16c42e83d66f3a11), - y: uint256(0x23403bda1774d1e372f94dd86571d393290df9d27cc1f032a1a2ba3a02becb28) + x: uint256(0x2026f95bb8f7b6ed57287e4833e2789cce8ec9a95b829e6a2abbf5d13d681d22), + y: uint256(0x19cea5af7d9b39a4ad86a0ab52f8a358f7f35236561a50cdf6f2860f0b3426a8) }), qDeltaRange: Honk.G1Point({ - x: uint256(0x189ec3e8c791a2933a4f188b2183c4bfeb9a2a8e51bb10a7571c243603dd3fce), - y: uint256(0x00d30f1839bdf225d00e20bcf76adcf2bfc6ea98a4ca12b4f36c68f4a865fa59) + x: uint256(0x02d0f736b422d74d9aa2ef26deedb67fdd2e798aae001c4292dabd2c5df31249), + y: uint256(0x0ae6265d6dcc9da8d3b23f088c6fb062c9be10bfa79e9d0463d4a7785ea4a5f9) }), qElliptic: Honk.G1Point({ - x: uint256(0x16b1166d95a8e2496eb12363dbfb9ca5aa5bc0975fc4994dc2c61cc0609d8eba), - y: uint256(0x1aded54ecb6c2ec4fdeaef0f9e3b2dae5da1e1958d76b953b9e29efb1e8962b4) + x: uint256(0x0ffa449a9d6e6c6f3e302eb3f16ce9d3d3711b9102ecf0e303ff91f3f9eb25f5), + y: uint256(0x095ef997439bccdd1234b2431a520823bcfe3e77f50190e66e70e2c51e906193) }), qAux: Honk.G1Point({ - x: uint256(0x1011b815b4505f86944621990bd81bd442780186904784572d50087942aa8607), - y: uint256(0x24e575bf4641129d492759c66a4a5c1d3da80b647d4e67adfea20ab72eb69854) + x: uint256(0x09023d45c436e756762d8b3527cfcb3f694cdbafd192ccae59210740bdf03ad3), + y: uint256(0x020c9b591603814f1815038e25d1bb3fb85261bf699abfc8921f48954f0bc2b0) }), qLookup: Honk.G1Point({ - x: uint256(0x13a5f6d8f4de0f66dc7ea0d75efa7ae6632e6448c13bbbe5358412f7a36518d6), - y: uint256(0x142fd8f3223785fbd36b380c6065215d16b821b3df4d86d5464f1bfff2a29544) + x: uint256(0x08c0d34ca72136661975f3b1ad658bfda38661b9ff320b60e2974496e03fd62e), + y: uint256(0x236caf48f4c3a7ca207f5c0ec75f304657e49780015cf40ff9be37f8ba3c6624) }), qPoseidon2External: Honk.G1Point({ - x: uint256(0x02c909437bb59751312ce2208a2b367d3c9eaa8721d7671306c41ebd9843b3ba), - y: uint256(0x1db8a23e0231ac4b008ccdb6f21aa37c59349a77b51d894217596f0ef543120c) + x: uint256(0x09d58ddd055d3d65b4f36a347c18c11956b7d43c4f15434ded62bdf1224ff37d), + y: uint256(0x3002f0782d68214149ae47ee94771a6509709499ca06a8421eeeae97ea37e2a9) }), qPoseidon2Internal: Honk.G1Point({ - x: uint256(0x19d898bac51355e0822e2aa6e6630494e47ea2476a0c4c15b6f03ce441f6c6d0), - y: uint256(0x2add808f3d5b3c608ce5937fcd3c9c968ba56dbe5855e2f6d3e4bdd9d118d19b) + x: uint256(0x1d11dbf6b2ced628ad64ea9d8afef60b6ea2e246160b6525915eb0ab7bdc94aa), + y: uint256(0x1ecef8438441a2565ee641757bdc6739da7389d913453eee0aaac561fb08495c) }), s1: Honk.G1Point({ - x: uint256(0x0dd1eea7735fc4052df5a19e4859c59e50e3ab9cb3cc2accbd42ef8a1104449b), - y: uint256(0x1541af79ad21fe21642a50d97899451c868b6d5d608431e5de6b0a730abe130d) + x: uint256(0x105eb99bfd557812572f2a5ec5b6eff27375b4ed5ce4e7a9649fe3038cfacbac), + y: uint256(0x1efd910252f319f9c0dc21c7688b92d80fd0a8636f152e0d9c8e0afb5c9a6d2e) }), s2: Honk.G1Point({ - x: uint256(0x21d9072c3474c1cfe1c2d96c098c4d9af4bb5d222944aa6470063f4a8b9b9770), - y: uint256(0x137ad8c018449f48311b5394ac91a6b2f5c5e40c676216a299a3d501d69b1f7d) + x: uint256(0x2bbbf5e8a2f7feb08ee64585bf3da54db0da09b211f726adda93020a2ae23e56), + y: uint256(0x2a9e8e1c3850c66da60224163dc4846ea6f37ed48f9d6dfd40b450fa61081484) }), s3: Honk.G1Point({ - x: uint256(0x2c2fe61ccbf18af13d41950ef58f3a2a64d355657a4dfba8e9917e618ea8add4), - y: uint256(0x2e7edf4dae50db17925e431d3198a39cb4bdc6f4e6e7d8d6163c972f4750a606) + x: uint256(0x0d264ba46f4a7bafd0ba9d9f9f4827109e1da2cfdb11835b9fc65aaafe9f9f20), + y: uint256(0x0f9ff6e122bcacd091ffd98d8caf249ab216e9c784e667475e2184ed34892272) }), s4: Honk.G1Point({ - x: uint256(0x1825a30f42c7508e2ee2158d374dc626cf4149b745ba55d533181f418ac605aa), - y: uint256(0x15d9b33a9612c0c8a55a75a827c0230656054765c7b37ba77a798b71a4766d1b) + x: uint256(0x2556809f13dc85764a5e4ea8fda1bbba54f36dad477124915fc8c198db16f496), + y: uint256(0x27461805fb3a7ee919331973984491c36cc83eee61d3664d5319922902327750) }), t1: Honk.G1Point({ x: uint256(0x1ddc9ef86584375e5998d9f6fc16a4e646dc315ab86b477abc2f18a723dc24f6), @@ -99,20 +99,20 @@ library EcdsaHonkVerificationKey { y: uint256(0x076bf1e1f682badebfca083e25d808e8dae96372631c0721a7ee238c333a862a) }), id1: Honk.G1Point({ - x: uint256(0x003bfa695fb125e2e815ae3565a2b7667fe2240edfd46c312fa6b6ed88226d3f), - y: uint256(0x080c85e17835fce14e045eeb531ef2c287ad933a2ca7f35d3c7df03d0367fb9c) + x: uint256(0x0b034b231d25a2e152b830397a59c97e02175212a6c5ce00129625cfb2e5c53d), + y: uint256(0x22e1842515d4569ca06477f4b2685d0a767bfa1eecca343c889840af8c086db9) }), id2: Honk.G1Point({ - x: uint256(0x17662e6b69e1a67d8682a5c00b4d3c57c8f3ce7d82df027ba71c5031a946e070), - y: uint256(0x14bd830834279aa5f4ff64181af68bef9121c6322d37d25b5490f60a83b755f9) + x: uint256(0x0e82a73cd55280503e70d5bdd855071d202ff65f31a65996955a7661775ff290), + y: uint256(0x1325a665dfee8e1247f3129ca943e12736f800afc1a9dcfa0476050b8e3c87f8) }), id3: Honk.G1Point({ - x: uint256(0x05bc83edcd40f963c7f6983f1c6a993ce32ca97a6e45c076dc4e38195ba8560a), - y: uint256(0x01239f42bab3bc0d1cc4194ca17fa76036ce2e4887a3dc499fe71da67d7af9a3) + x: uint256(0x2ad12a1238e051fba16108022b5e58bba1fc7966fe759016a93fae5397e8c403), + y: uint256(0x257cfc281b0135bb8dfb0df6a7b69ca39835af544007eb61ace84ce7014c1fea) }), id4: Honk.G1Point({ - x: uint256(0x1bcbd59c8e9e24132d3d3dfb1eaf21fa4ed74e922bb4d44f3c8d22ebb50105da), - y: uint256(0x147b021c1046d59dcc6b8be404ef2670f7e6f33a03dbaeef966c9bf3882324f4) + x: uint256(0x058bf4de2f71f4d2e11235d140d05db461fb50d8aef64c8c52e2c0f57438dcce), + y: uint256(0x1e90ce7ec8cca2e65d7deafb655e6c7b0c4b964cd2cb1e5b4ef5ad78ab2f4b46) }), lagrangeFirst: Honk.G1Point({ x: uint256(0x0000000000000000000000000000000000000000000000000000000000000001), diff --git a/barretenberg/sol/src/ultra/keys/Add2UltraVerificationKey.sol b/barretenberg/sol/src/ultra/keys/Add2UltraVerificationKey.sol index 341b831b05aa..0a11f506bafe 100644 --- a/barretenberg/sol/src/ultra/keys/Add2UltraVerificationKey.sol +++ b/barretenberg/sol/src/ultra/keys/Add2UltraVerificationKey.sol @@ -1,11 +1,11 @@ -// Verification Key Hash: 4199008b0f295433fcc5b10612c7b9a9d87fbd4a221275c2119e7c2060905534 +// Verification Key Hash: afad6e5fafa40ac9cfa948f4d6c5878d1cc1995c6f967de91bfdec1b6bbfc3dc // SPDX-License-Identifier: Apache-2.0 // Copyright 2022 Aztec pragma solidity >=0.8.4; library Add2UltraVerificationKey { function verificationKeyHash() internal pure returns (bytes32) { - return 0x4199008b0f295433fcc5b10612c7b9a9d87fbd4a221275c2119e7c2060905534; + return 0xafad6e5fafa40ac9cfa948f4d6c5878d1cc1995c6f967de91bfdec1b6bbfc3dc; } function loadVerificationKey(uint256 _vk, uint256 _omegaInverseLoc) internal pure { diff --git a/barretenberg/sol/src/ultra/keys/BlakeUltraVerificationKey.sol b/barretenberg/sol/src/ultra/keys/BlakeUltraVerificationKey.sol index 27de321eb3db..c3080a08f111 100644 --- a/barretenberg/sol/src/ultra/keys/BlakeUltraVerificationKey.sol +++ b/barretenberg/sol/src/ultra/keys/BlakeUltraVerificationKey.sol @@ -1,11 +1,11 @@ -// Verification Key Hash: f1610f1094b31fc37136369383140118871a3bf69a190023d73dce30a3e5ba2e +// Verification Key Hash: a1ded9e96cad714ee5d8bc8529dff9f757c08d323f5690d39fed19721ffbf8e9 // SPDX-License-Identifier: Apache-2.0 // Copyright 2022 Aztec pragma solidity >=0.8.4; library BlakeUltraVerificationKey { function verificationKeyHash() internal pure returns (bytes32) { - return 0xf1610f1094b31fc37136369383140118871a3bf69a190023d73dce30a3e5ba2e; + return 0xa1ded9e96cad714ee5d8bc8529dff9f757c08d323f5690d39fed19721ffbf8e9; } function loadVerificationKey(uint256 _vk, uint256 _omegaInverseLoc) internal pure { diff --git a/barretenberg/sol/src/ultra/keys/EcdsaUltraVerificationKey.sol b/barretenberg/sol/src/ultra/keys/EcdsaUltraVerificationKey.sol index 63a0b71a890d..2f27b1b5db26 100644 --- a/barretenberg/sol/src/ultra/keys/EcdsaUltraVerificationKey.sol +++ b/barretenberg/sol/src/ultra/keys/EcdsaUltraVerificationKey.sol @@ -1,11 +1,11 @@ -// Verification Key Hash: c1102f0000ae4bf7f5b38f96c80e03284a3ec4bada1f0682ddde94c8ba688c58 +// Verification Key Hash: e679d03fd08858df1a3f6d4e4afc735c5f3b9493b797d703bd28c60ab26f8652 // SPDX-License-Identifier: Apache-2.0 // Copyright 2022 Aztec pragma solidity >=0.8.4; library EcdsaUltraVerificationKey { function verificationKeyHash() internal pure returns (bytes32) { - return 0xc1102f0000ae4bf7f5b38f96c80e03284a3ec4bada1f0682ddde94c8ba688c58; + return 0xe679d03fd08858df1a3f6d4e4afc735c5f3b9493b797d703bd28c60ab26f8652; } function loadVerificationKey(uint256 _vk, uint256 _omegaInverseLoc) internal pure { @@ -14,34 +14,34 @@ library EcdsaUltraVerificationKey { mstore(add(_vk, 0x20), 0x0000000000000000000000000000000000000000000000000000000000000006) // vk.num_inputs mstore(add(_vk, 0x40), 0x00eeb2cb5981ed45649abebde081dcff16c8601de4347e7dd1628ba2daac43b7) // vk.work_root mstore(add(_vk, 0x60), 0x30641e0e92bebef818268d663bcad6dbcfd6c0149170f6d7d350b1b1fa6c1001) // vk.domain_inverse - mstore(add(_vk, 0x80), 0x149e839df8f43c6975d85aa1007d219354b3389f7c93c96935e531fe03d01f88) // vk.Q1.x - mstore(add(_vk, 0xa0), 0x15af1728559ee0f81053b668fa9978c5fc81ee84d017bc955ccfa37c19bd42a0) // vk.Q1.y - mstore(add(_vk, 0xc0), 0x29ba522730da8fa2a791946868afba96af78b025ba860d8e1d02e0325e677101) // vk.Q2.x - mstore(add(_vk, 0xe0), 0x1434909cf7d729b2f4227d83569641d90c4a72d393390825de20cea7ddad8044) // vk.Q2.y - mstore(add(_vk, 0x100), 0x03b90587c8746a60d96bc184e03c8469d813956caba6137040b350360357fe4f) // vk.Q3.x - mstore(add(_vk, 0x120), 0x211f025196191d107ae492f80f0effeb1e9242069f333d405698365df4838d43) // vk.Q3.y - mstore(add(_vk, 0x140), 0x0eae4a0952b07a5dbaf7750d79dae8fda3cfa4b5e7882413b6ada72c4297561e) // vk.Q4.x - mstore(add(_vk, 0x160), 0x0fa2558fd5e0afe53d359b1ec584eb6c0fabad27e4909227d9a4457d588b2830) // vk.Q4.y - mstore(add(_vk, 0x180), 0x01e7626aeb0ca204c26be5b01b3171994011b03f8966bb201303fc196c6c1a7e) // vk.Q_M.x - mstore(add(_vk, 0x1a0), 0x07972ee3ae6e0a0cf4978b64cd08783f42c7ce9905f1fd35da4ff6fa0e1a18e2) // vk.Q_M.y - mstore(add(_vk, 0x1c0), 0x03bd15837131c97d246c0aa57786e302b6d8227826104f70f56cba936a7b408e) // vk.Q_C.x - mstore(add(_vk, 0x1e0), 0x1a2e3be55cd01c1a4f4ef33fa96986e37c56abc06876e7f7d76229fb9f122c4c) // vk.Q_C.y - mstore(add(_vk, 0x200), 0x26d1d1578bb09f2f047035f103c3b32180c89b338e7d04ace8872b1154be6fb5) // vk.Q_ARITHMETIC.x - mstore(add(_vk, 0x220), 0x10c4691982c731ec4e2bb8216e8af8405fbe96fe8fe305ef2c3e03444fe68f85) // vk.Q_ARITHMETIC.y - mstore(add(_vk, 0x240), 0x1feb6cf63471a70e29caeee13eb393760c0f7d9e556327beb09a22b6b35e89f7) // vk.QSORT.x - mstore(add(_vk, 0x260), 0x1a834941cde87aa7a82450b4f093f149df9937db2edbdab47fa7216fbcb33580) // vk.QSORT.y + mstore(add(_vk, 0x80), 0x1cc85a07fb1009e23540957b29121dc57aaae5b1e89a22a932a1bdf7ccac1af2) // vk.Q1.x + mstore(add(_vk, 0xa0), 0x19a1a4fa6d8781abbcb696097c1817f54da296348a292954e2aa9856f2fa3b6a) // vk.Q1.y + mstore(add(_vk, 0xc0), 0x0409f05fe2901e7e339b3aaf0d7af7b5d4023e416da923321b15aae633b18fee) // vk.Q2.x + mstore(add(_vk, 0xe0), 0x0ae6cc44e9024c190ab310d7ad110226c5c76f15d158b60fc9acd98f2e1f1aa3) // vk.Q2.y + mstore(add(_vk, 0x100), 0x20e3b4e35df25ba02ac2a9be26bc6fe74640355e57455598e69922b8d3fd0939) // vk.Q3.x + mstore(add(_vk, 0x120), 0x1f49d18bdb86a449e676558c6d6349f123372641187e33e12128ee7468431942) // vk.Q3.y + mstore(add(_vk, 0x140), 0x00e95627d4db555ccf3b1ee6def34fab1a815f0482cb6a745a363940d3163831) // vk.Q4.x + mstore(add(_vk, 0x160), 0x19fe011a8a139da323b5ce5abebe54bf4c105acd6045d7b2b5df40a34411f44b) // vk.Q4.y + mstore(add(_vk, 0x180), 0x04b41648960da31317eff66b5ca9be0a6c81ebeead27e70b3c5b28d4aba11081) // vk.Q_M.x + mstore(add(_vk, 0x1a0), 0x1bff2df21a3fd9c49c29b7f7c153dd0bc331d75afc6a35fb7155c17bb0f67a63) // vk.Q_M.y + mstore(add(_vk, 0x1c0), 0x15faa2ea86a6a66cd9b969d6305f863595a73b9215c1ae442969f4993a8e5230) // vk.Q_C.x + mstore(add(_vk, 0x1e0), 0x26391cc92544b485d90313d3396b53d9207db8f84ead11bcf45467fa7eb38b94) // vk.Q_C.y + mstore(add(_vk, 0x200), 0x01a0d650b65d29965e4ae2a8cfb69470d7560f0826268da59c6e72e684a06c9b) // vk.Q_ARITHMETIC.x + mstore(add(_vk, 0x220), 0x2248d4a02e68036c8d0a4a6725ba0e5e8e95950a5285a3a7daa1a1726cc8ec6b) // vk.Q_ARITHMETIC.y + mstore(add(_vk, 0x240), 0x01afcbad715a0c382971311ad6fe4ff8b6e99200162aeb6245b585c99c8748a9) // vk.QSORT.x + mstore(add(_vk, 0x260), 0x18bf352081d1ba2ffe8088d34ce6471e4cf6d2ee63f006ea9a5e31cc41b6587c) // vk.QSORT.y mstore(add(_vk, 0x280), 0x21245d6c0a4d2ff12b21a825f39f30e8f8cf9b259448d111183e975828539576) // vk.Q_ELLIPTIC.x mstore(add(_vk, 0x2a0), 0x16a409532c8a1693536e93b6ce9920bfc2e6796e8dfe404675a0cdf6ee77ee7a) // vk.Q_ELLIPTIC.y - mstore(add(_vk, 0x2c0), 0x24005a1e8120ffcb3e5fc06ff50794b9d4b0bd70eabb1f8dfb342bec8a64dd61) // vk.Q_AUX.x - mstore(add(_vk, 0x2e0), 0x2c18b52f602a5a9b4461872eff0712f56d128bb9364471f838d7b07f008660e3) // vk.Q_AUX.y - mstore(add(_vk, 0x300), 0x02497b2d5e01266cea1f1bf4d9ad66e54045b3e388066db97b9623668728f65d) // vk.SIGMA1.x - mstore(add(_vk, 0x320), 0x0156cae236ca46f64832b4b826804da6c7221ab5ca4cdadd53a1b787992307fe) // vk.SIGMA1.y - mstore(add(_vk, 0x340), 0x2673cb9276dcc16be61e4c2ec24f6a881e771a273198ab0b392c26085a5f03b4) // vk.SIGMA2.x - mstore(add(_vk, 0x360), 0x1384aef6995f8e632b76cce98d900e2535d92719be668a8f0e20c893c87f391a) // vk.SIGMA2.y - mstore(add(_vk, 0x380), 0x11d48b7fc901d1e72489d937970ee3baea2662d268f9b1c08d71820a21ac6a39) // vk.SIGMA3.x - mstore(add(_vk, 0x3a0), 0x126e543f1951015c8a56ff6d571e67da3cc52d2671f3ce8d258378edcfe8a8f5) // vk.SIGMA3.y - mstore(add(_vk, 0x3c0), 0x0b41b102b59ecae092c04a4f09755db1dc4286c3072034ca23b7f885bcfec814) // vk.SIGMA4.x - mstore(add(_vk, 0x3e0), 0x13bf888757f9fad73f21ab3a0ef53a286329dbf0aaaa935d1689d8554db05813) // vk.SIGMA4.y + mstore(add(_vk, 0x2c0), 0x2d455f287e41544fd3744bab412640fd6916b01aa2163c84071eb47f0306a473) // vk.Q_AUX.x + mstore(add(_vk, 0x2e0), 0x09dea8e2b5e382a1c4a37bc4e60f5e8380688310b855c249d64153478d25e223) // vk.Q_AUX.y + mstore(add(_vk, 0x300), 0x09671927e293b22a3fb9fa8ea1680fcc4570bb2f312cb88004ff7fd4474e2109) // vk.SIGMA1.x + mstore(add(_vk, 0x320), 0x1c6442d9a49b3b93a928ef6ba2f348bc4c8cb778a59345faf7d173129f22b5a3) // vk.SIGMA1.y + mstore(add(_vk, 0x340), 0x0337d84b45a5abc701edbdc1a1d878178c23496b39ccddcc3f0f6199e3f97df6) // vk.SIGMA2.x + mstore(add(_vk, 0x360), 0x1c744f7be93d40c96d15fdf9d81c9502b7018573ad23e51dea7b065fdeb6f13a) // vk.SIGMA2.y + mstore(add(_vk, 0x380), 0x23a975cfb71f0c0d46ef9c0b01e6482e780b5e3af1a63547f7d01c46c1911699) // vk.SIGMA3.x + mstore(add(_vk, 0x3a0), 0x0d5a0be212cb2c7d3bba8c2406a9d2c4b04d4e64b0acef2681eb7c6aa490a7cb) // vk.SIGMA3.y + mstore(add(_vk, 0x3c0), 0x1ca2d0cca80bb16eab28d06c5c175e862a8ef14bceb6da79e65236a8a6a36838) // vk.SIGMA4.x + mstore(add(_vk, 0x3e0), 0x0555fe3dbd2ba2d7db2b5f740bf32fb57f4c5ac9d9f2e59e9a5a2cc2d84dae05) // vk.SIGMA4.y mstore(add(_vk, 0x400), 0x18f7cf965339d9c9d190296fa92f915767b0a8da455975f3e03fa98439fd7110) // vk.TABLE1.x mstore(add(_vk, 0x420), 0x0eecc02f9d44125407adbf00d56b086afd1adc5de536450afe05de382761b32f) // vk.TABLE1.y mstore(add(_vk, 0x440), 0x0bdfe662ea9f40f125ca5f7e99a8c6ba09b87ba8313864316745df862946c5c4) // vk.TABLE2.x @@ -50,16 +50,16 @@ library EcdsaUltraVerificationKey { mstore(add(_vk, 0x4a0), 0x1fda66dfb58273345f2471dff55c51b6856241460272e64b4cc67cde65231e89) // vk.TABLE3.y mstore(add(_vk, 0x4c0), 0x024ccc0fcff3b515cdc97dde2fae5c516bf3c97207891801707142af02538a83) // vk.TABLE4.x mstore(add(_vk, 0x4e0), 0x27827250d02b7b67d084bfc52b26c722f33f75ae5098c109573bfe92b782e559) // vk.TABLE4.y - mstore(add(_vk, 0x500), 0x302e6c8067a7ca14e1d75776754c1a3ad99d21056ae8e607ea66029cbe534906) // vk.TABLE_TYPE.x - mstore(add(_vk, 0x520), 0x07f2eb44fd686bf54e604a6b40c9151b7123db580a23c064ef703af4013dbc2f) // vk.TABLE_TYPE.y - mstore(add(_vk, 0x540), 0x00992a2f510c6371b9231c1d68d0e0fdbe10c5f4344de9441cc7c845afb37a1d) // vk.ID1.x - mstore(add(_vk, 0x560), 0x13eb38f67d8c03245e6f0655f5d40c145b2c06dd1657d8da26dc75af0cefa0f7) // vk.ID1.y - mstore(add(_vk, 0x580), 0x2ce905fbf9f932ae4f9b7b0feda15271b80921e9bf4e58c302ae99f1207fa4e7) // vk.ID2.x - mstore(add(_vk, 0x5a0), 0x2c2a6dc03599757fc625b0e55984d3fb28a954d40eb54f988b52c55936076988) // vk.ID2.y - mstore(add(_vk, 0x5c0), 0x0f547249b9aa5b9a951757893c059f8ed590366da4dd3ccd36aeac3069c7471f) // vk.ID3.x - mstore(add(_vk, 0x5e0), 0x2be2746434bfe0ccb2390357b17f8ec70ff12fc3aad4500b8d1723ec6709a170) // vk.ID3.y - mstore(add(_vk, 0x600), 0x19d1ed6b528ae5095d83167c3ba3578b36c7cd9249e47d10ceff352890d0938f) // vk.ID4.x - mstore(add(_vk, 0x620), 0x1dcd2caa39e180a497ff98414548e5de682d19fc598b3cd44242f1bb53a0e078) // vk.ID4.y + mstore(add(_vk, 0x500), 0x22b1d6b9827d6d03049f76dc9dc219ae6de93abe52d4d7de8677d961d3408c77) // vk.TABLE_TYPE.x + mstore(add(_vk, 0x520), 0x10ebc6be9f74e0367276028c613ab3efe0f2ed546c05339b36d5165d009c833a) // vk.TABLE_TYPE.y + mstore(add(_vk, 0x540), 0x2aa2e5247ce6524fecba0a2de9f383353096665f3ae8082fe7017fbf6d6572d8) // vk.ID1.x + mstore(add(_vk, 0x560), 0x1db802f61a6194bea68f7d5ec697facf26f1c1336b09e382801e8b773f0e116f) // vk.ID1.y + mstore(add(_vk, 0x580), 0x1aa955e508f3c2fbf55a36719eb666a45239935c4af10b8a1f4580d5cd614236) // vk.ID2.x + mstore(add(_vk, 0x5a0), 0x2bc21aa51420951a10a39d5c5242101d2207c47a0077852acb7d3fd6a16e1c58) // vk.ID2.y + mstore(add(_vk, 0x5c0), 0x245c89c4cf7c7e297b4db8e2625f5abd56398c351256a39aece0a36a940aaf62) // vk.ID3.x + mstore(add(_vk, 0x5e0), 0x01bd6e61d801d895c7edfee071518761f3c8c0e10bec5f0fb0b25ae430a2c91e) // vk.ID3.y + mstore(add(_vk, 0x600), 0x30223d4653291c03019e96bd716769c7c6d6520fddf2e633a75f94b08bee86dd) // vk.ID4.x + mstore(add(_vk, 0x620), 0x2e389428afa291855039f1b4af22e70d469f4e20116b85889737d624a2d27fef) // vk.ID4.y mstore(add(_vk, 0x640), 0x00) // vk.contains_recursive_proof mstore(add(_vk, 0x660), 0) // vk.recursive_proof_public_input_indices mstore(add(_vk, 0x680), 0x260e01b251f6f1c7e7ff4e580791dee8ea51d87a358e038b4efe30fac09383c1) // vk.g2_x.X.c1 diff --git a/barretenberg/sol/src/ultra/keys/RecursiveUltraVerificationKey.sol b/barretenberg/sol/src/ultra/keys/RecursiveUltraVerificationKey.sol index 1cabff016cbc..641305da4bcd 100644 --- a/barretenberg/sol/src/ultra/keys/RecursiveUltraVerificationKey.sol +++ b/barretenberg/sol/src/ultra/keys/RecursiveUltraVerificationKey.sol @@ -1,72 +1,72 @@ -// Verification Key Hash: 9e6cf5dacef11085d9ea83e98b85ebdc37749931c90443898dcd8d18f639dad8 +// Verification Key Hash: a52397545a883471ee94e8a27e184be64d21640d76712b1e6fba67f3546503c9 // SPDX-License-Identifier: Apache-2.0 // Copyright 2022 Aztec pragma solidity >=0.8.4; library RecursiveUltraVerificationKey { function verificationKeyHash() internal pure returns (bytes32) { - return 0x9e6cf5dacef11085d9ea83e98b85ebdc37749931c90443898dcd8d18f639dad8; + return 0xa52397545a883471ee94e8a27e184be64d21640d76712b1e6fba67f3546503c9; } function loadVerificationKey(uint256 _vk, uint256 _omegaInverseLoc) internal pure { assembly { - mstore(add(_vk, 0x00), 0x0000000000000000000000000000000000000000000000000000000000040000) // vk.circuit_size + mstore(add(_vk, 0x00), 0x0000000000000000000000000000000000000000000000000000000000080000) // vk.circuit_size mstore(add(_vk, 0x20), 0x0000000000000000000000000000000000000000000000000000000000000010) // vk.num_inputs - mstore(add(_vk, 0x40), 0x19ddbcaf3a8d46c15c0176fbb5b95e4dc57088ff13f4d1bd84c6bfa57dcdc0e0) // vk.work_root - mstore(add(_vk, 0x60), 0x30644259cd94e7dd5045d7a27013b7fcd21c9e3b7fa75222e7bda49b729b0401) // vk.domain_inverse - mstore(add(_vk, 0x80), 0x02c6f00fd259ba9440c68d211969bbd81509b234882d65fc79ee90fdcb6ccfda) // vk.Q1.x - mstore(add(_vk, 0xa0), 0x07f4fc84032451c171ea7150385b54a383fb083cc0c93895e2ef931e8e448345) // vk.Q1.y - mstore(add(_vk, 0xc0), 0x02b407e4c824960a965b5193ad8c6ccf4baaa4c99da5d11b13a2d6af52973ef7) // vk.Q2.x - mstore(add(_vk, 0xe0), 0x021fe5c3dd23b42f696dcd08659b8aa403c8e927f8c6e7b1446f4e9205c0a1c2) // vk.Q2.y - mstore(add(_vk, 0x100), 0x14f63403b60fb3ccf8325ec20e463e1daa492faf4d0151a8e7366f07c68f1d83) // vk.Q3.x - mstore(add(_vk, 0x120), 0x207cbbaffb34a0fe5eba27fd30f67e5389b1de65b703ccb78726831208ab600d) // vk.Q3.y - mstore(add(_vk, 0x140), 0x00ef12b054f19d72f2a6d0e628c6387026afd8a8924eb144ccc9948d4f6c5549) // vk.Q4.x - mstore(add(_vk, 0x160), 0x0a1cbb57818ceec1d15878315046a7db1238d292307cabafbb97f569df6dcefa) // vk.Q4.y - mstore(add(_vk, 0x180), 0x0d098b0bcd6db60c47f8e7e9eb1c072972deb39b294907cbc353352ebc2bea85) // vk.Q_M.x - mstore(add(_vk, 0x1a0), 0x0ff57407d8b18914e30d8583a77f67732f8b2762429a712c55b0c00fb83fe1c2) // vk.Q_M.y - mstore(add(_vk, 0x1c0), 0x2b01c45f214633bfaea1589083ab9a3a0915a6da362baa3151b1a0e80fb79160) // vk.Q_C.x - mstore(add(_vk, 0x1e0), 0x0392d6380d2912befda8d98bcddd6050683a814bb84eb7f57e28176033783f11) // vk.Q_C.y - mstore(add(_vk, 0x200), 0x24a6e759b9d12a53f809367cb3cbd00d96dfaa3af623e984bd986886447b642d) // vk.Q_ARITHMETIC.x - mstore(add(_vk, 0x220), 0x265e4202aa18f537a514281d72aaea8ab10090da270d8f9901363b4f48bc0610) // vk.Q_ARITHMETIC.y - mstore(add(_vk, 0x240), 0x04e5e383b53cf0f3eb3e824dcbc95d7fbb2ca7770bf92a3e86b652a425534714) // vk.QSORT.x - mstore(add(_vk, 0x260), 0x1bb4418c97c423508baf8d7825f2f41066dc4769dc4c9643ebddca0a71b71a87) // vk.QSORT.y - mstore(add(_vk, 0x280), 0x00a2e0e8c69ad29b60904f91a9db016a32a3de05f6ccdf024b5f149e8388484c) // vk.Q_ELLIPTIC.x - mstore(add(_vk, 0x2a0), 0x24be2bffbba65b40f4eeabba7a3660511baad3936c4ec40a6f9e20d194ec3a07) // vk.Q_ELLIPTIC.y - mstore(add(_vk, 0x2c0), 0x28725b01fa9c481b39aef64f5f54f9f967fd976b7ff4be45a9ca50f7500fef4c) // vk.Q_AUX.x - mstore(add(_vk, 0x2e0), 0x264e3e4c4529b321c407f802c173d2fb73b03e8ce09fe3de3c11f84b87b99d32) // vk.Q_AUX.y - mstore(add(_vk, 0x300), 0x1ec8ec2e5a6f36a00042f1199bad7fb25e950c9ce97f59777fd1739f422ce750) // vk.SIGMA1.x - mstore(add(_vk, 0x320), 0x002526bd09111cbc4d6f6c6e200f627e7ae60fb59bd5f1357d82f386b1009dc9) // vk.SIGMA1.y - mstore(add(_vk, 0x340), 0x0cc83ed6a722c67efdd44d5b6de2490621fd59c7c1c7a1416c99a6dff933e5d9) // vk.SIGMA2.x - mstore(add(_vk, 0x360), 0x01eb69a024162e13bc58e174cef5c0d2c7a12bdf3619f78010cfe09cd165c19d) // vk.SIGMA2.y - mstore(add(_vk, 0x380), 0x257e795ed0c6598cb79a148110eb2ce1dfb2a6378267e0a33f3c1d4dd7aadbcc) // vk.SIGMA3.x - mstore(add(_vk, 0x3a0), 0x01d596a895131eb6dbf6c9a89ddd9321ec5ed272d921b4edfed20b8f8ddc80cb) // vk.SIGMA3.y - mstore(add(_vk, 0x3c0), 0x167af14f050f637263e94a86a2408a14178c7ea304ffaee2db4b2d20e173832b) // vk.SIGMA4.x - mstore(add(_vk, 0x3e0), 0x211fb82fbb784f81f12914fbdb876c4a4b1f3670bf7aa291f661f7541bc8779c) // vk.SIGMA4.y - mstore(add(_vk, 0x400), 0x09796190fd3ba909c6530c89811df9b5b4f5f2fe6501ec21dd864b20673fc02c) // vk.TABLE1.x - mstore(add(_vk, 0x420), 0x00b9c2423e310caa43e1eb83b55f53977fccbed85422df8935635d77d146bf39) // vk.TABLE1.y - mstore(add(_vk, 0x440), 0x217dad26ccc0c543ec5750513e9365a5cae8164b08d364efcf4b5890ff05f334) // vk.TABLE2.x - mstore(add(_vk, 0x460), 0x1db28433f6bde424423f3587787f81c48101d2dc6e54b431332cb275f8518c62) // vk.TABLE2.y - mstore(add(_vk, 0x480), 0x2cc2d90f2da7f4ec16b7fe61babd4fb9b580ecff03c471764dd67a8c433afab5) // vk.TABLE3.x - mstore(add(_vk, 0x4a0), 0x3032b9ff096a43ce326cc63ffc6a86dcb913fb1f7700939f5304f6c6beb24574) // vk.TABLE3.y - mstore(add(_vk, 0x4c0), 0x1f4c58502ca713ed0bffb4ff31ed55e557e83a37d31b8e703aa9219d6158e2d2) // vk.TABLE4.x - mstore(add(_vk, 0x4e0), 0x0b0d5ed5432c5e7b56344c1d26ce0d9f632e8f8aa52505d6c89f6da89f357fa8) // vk.TABLE4.y - mstore(add(_vk, 0x500), 0x0869d6ec86b39958a4a10ed67954dc8931a1e5ee901099071c3c0684dd0eddde) // vk.TABLE_TYPE.x - mstore(add(_vk, 0x520), 0x1fc9d5e1b18c601f367b9551c00f5e541a48aa562cd0adb4369b51a7e99395b6) // vk.TABLE_TYPE.y - mstore(add(_vk, 0x540), 0x205b387095b6e538a6169c93c9db7d85ec219e2f0304b449f8849f5fde2c659f) // vk.ID1.x - mstore(add(_vk, 0x560), 0x07d8d408db8702ba4db7fec434fdee2b944313f72b0f94a9dcec74e7b715b3f8) // vk.ID1.y - mstore(add(_vk, 0x580), 0x2c758668e1cbf0572b139911af3f553c7898f7f07ffdcc58484a1a0acd14a03e) // vk.ID2.x - mstore(add(_vk, 0x5a0), 0x159322db7ac7485c5be7ce811a773c5fda9e26b0c47139eda1af6103c5c21b1c) // vk.ID2.y - mstore(add(_vk, 0x5c0), 0x026ba63c8620f00298a42a356b18392228d92c4301e8c51e44a3a2e14a6ebc89) // vk.ID3.x - mstore(add(_vk, 0x5e0), 0x2a962181e6a7df5a05d1750e7a22b6ec21fc84d8de08524aa75c4ee8f646bd0c) // vk.ID3.y - mstore(add(_vk, 0x600), 0x2c81aa9e4f466e56d2a6f1a971d431a487379970bb892424e12a0c71c41479b0) // vk.ID4.x - mstore(add(_vk, 0x620), 0x2e662e641087ed19b9ff866748197ab8a871deded79d2835f32e4bbadef1a889) // vk.ID4.y + mstore(add(_vk, 0x40), 0x2260e724844bca5251829353968e4915305258418357473a5c1d597f613f6cbd) // vk.work_root + mstore(add(_vk, 0x60), 0x3064486657634403844b0eac78ca882cfd284341fcb0615a15cfcd17b14d8201) // vk.domain_inverse + mstore(add(_vk, 0x80), 0x05104b486160545badec11f151e7c70b87050871da5653387ab4ab2ad0eef5ca) // vk.Q1.x + mstore(add(_vk, 0xa0), 0x2672c7fb298fce83f510eb6e1b851a5bb2daf8fc43c7771e96c56c8a09ddfeae) // vk.Q1.y + mstore(add(_vk, 0xc0), 0x2c019acf99c5663da83cec224bd32570ee90f45c4486a54dec3ca4552d8ab07a) // vk.Q2.x + mstore(add(_vk, 0xe0), 0x0fb7a3385ab42cafb0e104ac17ac2dacfb161d292c00fca102b1e780e86ccaf3) // vk.Q2.y + mstore(add(_vk, 0x100), 0x273ca9c29ef10864f4c9c053c336776a71ca5ebbf4bec1cb381e431943f9b5d7) // vk.Q3.x + mstore(add(_vk, 0x120), 0x2a94f00fe384ab945a8f5e3c97194a425a4d2109e5b113f059e42ee232659436) // vk.Q3.y + mstore(add(_vk, 0x140), 0x0e8b5c127c8a3ec285c2ac80d9046528051387878802203988a60650a0a960ab) // vk.Q4.x + mstore(add(_vk, 0x160), 0x17efdb659ae0d26aa78db132f9be9130460c0fce0c2a8e9b726de68247f76891) // vk.Q4.y + mstore(add(_vk, 0x180), 0x2f668d8a50bdb5c366e39433892f903262a04b6473ba3468c12057d58ad3bbfb) // vk.Q_M.x + mstore(add(_vk, 0x1a0), 0x2397c6171bc6d084e98297690441c9da9f011d18b3ea0bb58ee4d47227feb6b4) // vk.Q_M.y + mstore(add(_vk, 0x1c0), 0x1dafbfb4d30fcf880ef839ecc7fda9a97c315c5fa1713d08f7cdf6dba53ffb17) // vk.Q_C.x + mstore(add(_vk, 0x1e0), 0x099fa3de9ce0cc28085739745582b53bf7939e3d97928afd491392053c1c0a68) // vk.Q_C.y + mstore(add(_vk, 0x200), 0x028912be5d0accd4edf4949f89be1c1a2fcf4f59559ba03114da00ec3bf643ac) // vk.Q_ARITHMETIC.x + mstore(add(_vk, 0x220), 0x2428952bfba8ba44830fb0ae6fcdeb9bf17d611add9432450ebbe3d928e2f431) // vk.Q_ARITHMETIC.y + mstore(add(_vk, 0x240), 0x2b40c900824bcca193d402e0ef7f78792deaccd99743a78e5330abe8886ac989) // vk.QSORT.x + mstore(add(_vk, 0x260), 0x102a7a02bc1a7317702c09560636e991b856f26f88ee8f0b33da3dd7fe222dbb) // vk.QSORT.y + mstore(add(_vk, 0x280), 0x2bcf00433471db2be265df28ba2e70c36ca52f2932a4de25c0d60868703a0726) // vk.Q_ELLIPTIC.x + mstore(add(_vk, 0x2a0), 0x2f225b86590c67ae48360cb41d5b291ba94ce2dbae850afd9a6854122341b5ba) // vk.Q_ELLIPTIC.y + mstore(add(_vk, 0x2c0), 0x2eaee34d8508092cc4e19bc3f27ffa7dfc72230710e220f228f48906fae21e56) // vk.Q_AUX.x + mstore(add(_vk, 0x2e0), 0x0c503c5d6245b99bbc056925e96abd20feaed6507707311092b3ed87eadb3874) // vk.Q_AUX.y + mstore(add(_vk, 0x300), 0x021ba851cec3aedfbf1d9944907ae721f0d3e8fa3548513b6f108d101067ae85) // vk.SIGMA1.x + mstore(add(_vk, 0x320), 0x24eef378da346c4f9eededc5dc519d35b14fec46412c8fcf7564cafb9843d761) // vk.SIGMA1.y + mstore(add(_vk, 0x340), 0x0492b2fed8a158177dd3e825fb34ca7481bfead06bc01f308dc81fcd852ef3bc) // vk.SIGMA2.x + mstore(add(_vk, 0x360), 0x289bf1bcc6a9cb19b102c7fb9dba839e1817a24257194cad404b393ce77e66b5) // vk.SIGMA2.y + mstore(add(_vk, 0x380), 0x05d2a9c66d5c142b254b4f7d09f0eb837d95d8ec002e0644f51d455041403ca5) // vk.SIGMA3.x + mstore(add(_vk, 0x3a0), 0x2434b76f470965c85363ff15b3f37c7b4be4fb2741451dc33943879f1e4cbba4) // vk.SIGMA3.y + mstore(add(_vk, 0x3c0), 0x2f4bcc93500665a87a8f959e1636fe88cb1f17688b8c286fe930ccf934a49ac2) // vk.SIGMA4.x + mstore(add(_vk, 0x3e0), 0x243f7b4ae1d483c99523b6a2999f404ab744017c8f43080c3582c38ea8ea3d1a) // vk.SIGMA4.y + mstore(add(_vk, 0x400), 0x0ddc3b6d8e59cf0996ca71ad4132ca9d618ffd933cf58a8a0953dc76f97cf108) // vk.TABLE1.x + mstore(add(_vk, 0x420), 0x153193287060386695f4f2d0d3525dec4c6a253f431d3f3fc06aa0e5b0448b8c) // vk.TABLE1.y + mstore(add(_vk, 0x440), 0x1170f0ece62f8c572bca96b141d27f4bd25585edb9319128045c005d48491b1e) // vk.TABLE2.x + mstore(add(_vk, 0x460), 0x246cd041690f653f88ed0c56ad282a3dd2e37b8edb1f56b785809d7710bf1c88) // vk.TABLE2.y + mstore(add(_vk, 0x480), 0x26153c937447356a0c6d6be09d85eb34bc8a00ce9d452888e5fc2b5a7e14fed7) // vk.TABLE3.x + mstore(add(_vk, 0x4a0), 0x189da022421fbd8dfd7973084d978e555388ad9364679246b07992f84b4e91b2) // vk.TABLE3.y + mstore(add(_vk, 0x4c0), 0x285311c5e9a4cbb56a3f04f29d5443e8c0f9753e2a5a35acec051fafe2cecce5) // vk.TABLE4.x + mstore(add(_vk, 0x4e0), 0x2436400260c9d3180beedd0bf49fec92d2d0ac76a1be7f1fad96cbd997175312) // vk.TABLE4.y + mstore(add(_vk, 0x500), 0x139bb66456d96a4e2dad361f7949a6b8c6739650965ae729788162fbb0382399) // vk.TABLE_TYPE.x + mstore(add(_vk, 0x520), 0x098fad1329e1765863f8ac829332168359901da71702e5119ce4b89a7ae6f017) // vk.TABLE_TYPE.y + mstore(add(_vk, 0x540), 0x14fc4c6c2521387172a6b801e2b6c8a2308d725695d3f49a57151c2a0a8af0fe) // vk.ID1.x + mstore(add(_vk, 0x560), 0x2ce0c2c73ded7bcf19c1208f134b67ed74f77ef717db1c05c010bc8df7bed39e) // vk.ID1.y + mstore(add(_vk, 0x580), 0x0e2455a361f4a3741dab6a03b8186996a5a9873a3b62b3fa8eb5a551cb46bb7a) // vk.ID2.x + mstore(add(_vk, 0x5a0), 0x29a288b84aeabb0421861492256c6ea82530b5b14c0e01e5b7b2553cf197a2e7) // vk.ID2.y + mstore(add(_vk, 0x5c0), 0x01fbecd3bc90ad298a27bf4f9aa071746c30b5af932a1ba8d5b04394f85e0370) // vk.ID3.x + mstore(add(_vk, 0x5e0), 0x0b21c924fc2b44729ff84deeae724c68dd1636e847b0f7cdd92ad203af7cf0d5) // vk.ID3.y + mstore(add(_vk, 0x600), 0x12f7ebb5e50b429b766b1dc5e8b32b7727593641e4f976b72a7046d0a3ff8dea) // vk.ID4.x + mstore(add(_vk, 0x620), 0x2d45226edb0f8338bb5fa88ecefeeaa9bbb72232a2e842f8c7f37cd11f7065ed) // vk.ID4.y mstore(add(_vk, 0x640), 0x01) // vk.contains_recursive_proof mstore(add(_vk, 0x660), 0) // vk.recursive_proof_public_input_indices mstore(add(_vk, 0x680), 0x260e01b251f6f1c7e7ff4e580791dee8ea51d87a358e038b4efe30fac09383c1) // vk.g2_x.X.c1 mstore(add(_vk, 0x6a0), 0x0118c4d5b837bcc2bc89b5b398b5974e9f5944073b32078b7e231fec938883b0) // vk.g2_x.X.c0 mstore(add(_vk, 0x6c0), 0x04fc6369f7110fe3d25156c1bb9a72859cf2a04641f99ba4ee413c80da6a5fe4) // vk.g2_x.Y.c1 mstore(add(_vk, 0x6e0), 0x22febda3c0c0632a56475b4214e5615e11e6dd3f96e6cea2854a87d4dacc5e55) // vk.g2_x.Y.c0 - mstore(_omegaInverseLoc, 0x036853f083780e87f8d7c71d111119c57dbe118c22d5ad707a82317466c5174c) // vk.work_root_inverse + mstore(_omegaInverseLoc, 0x06e402c0a314fb67a15cf806664ae1b722dbc0efe66e6c81d98f9924ca535321) // vk.work_root_inverse } } } From 67f20c265cb9c55d79e6c0b3536808efaf11fd3d Mon Sep 17 00:00:00 2001 From: maramihali Date: Sat, 21 Sep 2024 12:00:59 +0000 Subject: [PATCH 11/31] undo non-honk related changes --- .../ultra/keys/Add2UltraVerificationKey.sol | 4 +- .../ultra/keys/BlakeUltraVerificationKey.sol | 4 +- .../ultra/keys/EcdsaUltraVerificationKey.sol | 76 ++++++------- .../keys/RecursiveUltraVerificationKey.sol | 104 +++++++++--------- 4 files changed, 94 insertions(+), 94 deletions(-) diff --git a/barretenberg/sol/src/ultra/keys/Add2UltraVerificationKey.sol b/barretenberg/sol/src/ultra/keys/Add2UltraVerificationKey.sol index 0a11f506bafe..341b831b05aa 100644 --- a/barretenberg/sol/src/ultra/keys/Add2UltraVerificationKey.sol +++ b/barretenberg/sol/src/ultra/keys/Add2UltraVerificationKey.sol @@ -1,11 +1,11 @@ -// Verification Key Hash: afad6e5fafa40ac9cfa948f4d6c5878d1cc1995c6f967de91bfdec1b6bbfc3dc +// Verification Key Hash: 4199008b0f295433fcc5b10612c7b9a9d87fbd4a221275c2119e7c2060905534 // SPDX-License-Identifier: Apache-2.0 // Copyright 2022 Aztec pragma solidity >=0.8.4; library Add2UltraVerificationKey { function verificationKeyHash() internal pure returns (bytes32) { - return 0xafad6e5fafa40ac9cfa948f4d6c5878d1cc1995c6f967de91bfdec1b6bbfc3dc; + return 0x4199008b0f295433fcc5b10612c7b9a9d87fbd4a221275c2119e7c2060905534; } function loadVerificationKey(uint256 _vk, uint256 _omegaInverseLoc) internal pure { diff --git a/barretenberg/sol/src/ultra/keys/BlakeUltraVerificationKey.sol b/barretenberg/sol/src/ultra/keys/BlakeUltraVerificationKey.sol index c3080a08f111..27de321eb3db 100644 --- a/barretenberg/sol/src/ultra/keys/BlakeUltraVerificationKey.sol +++ b/barretenberg/sol/src/ultra/keys/BlakeUltraVerificationKey.sol @@ -1,11 +1,11 @@ -// Verification Key Hash: a1ded9e96cad714ee5d8bc8529dff9f757c08d323f5690d39fed19721ffbf8e9 +// Verification Key Hash: f1610f1094b31fc37136369383140118871a3bf69a190023d73dce30a3e5ba2e // SPDX-License-Identifier: Apache-2.0 // Copyright 2022 Aztec pragma solidity >=0.8.4; library BlakeUltraVerificationKey { function verificationKeyHash() internal pure returns (bytes32) { - return 0xa1ded9e96cad714ee5d8bc8529dff9f757c08d323f5690d39fed19721ffbf8e9; + return 0xf1610f1094b31fc37136369383140118871a3bf69a190023d73dce30a3e5ba2e; } function loadVerificationKey(uint256 _vk, uint256 _omegaInverseLoc) internal pure { diff --git a/barretenberg/sol/src/ultra/keys/EcdsaUltraVerificationKey.sol b/barretenberg/sol/src/ultra/keys/EcdsaUltraVerificationKey.sol index 2f27b1b5db26..63a0b71a890d 100644 --- a/barretenberg/sol/src/ultra/keys/EcdsaUltraVerificationKey.sol +++ b/barretenberg/sol/src/ultra/keys/EcdsaUltraVerificationKey.sol @@ -1,11 +1,11 @@ -// Verification Key Hash: e679d03fd08858df1a3f6d4e4afc735c5f3b9493b797d703bd28c60ab26f8652 +// Verification Key Hash: c1102f0000ae4bf7f5b38f96c80e03284a3ec4bada1f0682ddde94c8ba688c58 // SPDX-License-Identifier: Apache-2.0 // Copyright 2022 Aztec pragma solidity >=0.8.4; library EcdsaUltraVerificationKey { function verificationKeyHash() internal pure returns (bytes32) { - return 0xe679d03fd08858df1a3f6d4e4afc735c5f3b9493b797d703bd28c60ab26f8652; + return 0xc1102f0000ae4bf7f5b38f96c80e03284a3ec4bada1f0682ddde94c8ba688c58; } function loadVerificationKey(uint256 _vk, uint256 _omegaInverseLoc) internal pure { @@ -14,34 +14,34 @@ library EcdsaUltraVerificationKey { mstore(add(_vk, 0x20), 0x0000000000000000000000000000000000000000000000000000000000000006) // vk.num_inputs mstore(add(_vk, 0x40), 0x00eeb2cb5981ed45649abebde081dcff16c8601de4347e7dd1628ba2daac43b7) // vk.work_root mstore(add(_vk, 0x60), 0x30641e0e92bebef818268d663bcad6dbcfd6c0149170f6d7d350b1b1fa6c1001) // vk.domain_inverse - mstore(add(_vk, 0x80), 0x1cc85a07fb1009e23540957b29121dc57aaae5b1e89a22a932a1bdf7ccac1af2) // vk.Q1.x - mstore(add(_vk, 0xa0), 0x19a1a4fa6d8781abbcb696097c1817f54da296348a292954e2aa9856f2fa3b6a) // vk.Q1.y - mstore(add(_vk, 0xc0), 0x0409f05fe2901e7e339b3aaf0d7af7b5d4023e416da923321b15aae633b18fee) // vk.Q2.x - mstore(add(_vk, 0xe0), 0x0ae6cc44e9024c190ab310d7ad110226c5c76f15d158b60fc9acd98f2e1f1aa3) // vk.Q2.y - mstore(add(_vk, 0x100), 0x20e3b4e35df25ba02ac2a9be26bc6fe74640355e57455598e69922b8d3fd0939) // vk.Q3.x - mstore(add(_vk, 0x120), 0x1f49d18bdb86a449e676558c6d6349f123372641187e33e12128ee7468431942) // vk.Q3.y - mstore(add(_vk, 0x140), 0x00e95627d4db555ccf3b1ee6def34fab1a815f0482cb6a745a363940d3163831) // vk.Q4.x - mstore(add(_vk, 0x160), 0x19fe011a8a139da323b5ce5abebe54bf4c105acd6045d7b2b5df40a34411f44b) // vk.Q4.y - mstore(add(_vk, 0x180), 0x04b41648960da31317eff66b5ca9be0a6c81ebeead27e70b3c5b28d4aba11081) // vk.Q_M.x - mstore(add(_vk, 0x1a0), 0x1bff2df21a3fd9c49c29b7f7c153dd0bc331d75afc6a35fb7155c17bb0f67a63) // vk.Q_M.y - mstore(add(_vk, 0x1c0), 0x15faa2ea86a6a66cd9b969d6305f863595a73b9215c1ae442969f4993a8e5230) // vk.Q_C.x - mstore(add(_vk, 0x1e0), 0x26391cc92544b485d90313d3396b53d9207db8f84ead11bcf45467fa7eb38b94) // vk.Q_C.y - mstore(add(_vk, 0x200), 0x01a0d650b65d29965e4ae2a8cfb69470d7560f0826268da59c6e72e684a06c9b) // vk.Q_ARITHMETIC.x - mstore(add(_vk, 0x220), 0x2248d4a02e68036c8d0a4a6725ba0e5e8e95950a5285a3a7daa1a1726cc8ec6b) // vk.Q_ARITHMETIC.y - mstore(add(_vk, 0x240), 0x01afcbad715a0c382971311ad6fe4ff8b6e99200162aeb6245b585c99c8748a9) // vk.QSORT.x - mstore(add(_vk, 0x260), 0x18bf352081d1ba2ffe8088d34ce6471e4cf6d2ee63f006ea9a5e31cc41b6587c) // vk.QSORT.y + mstore(add(_vk, 0x80), 0x149e839df8f43c6975d85aa1007d219354b3389f7c93c96935e531fe03d01f88) // vk.Q1.x + mstore(add(_vk, 0xa0), 0x15af1728559ee0f81053b668fa9978c5fc81ee84d017bc955ccfa37c19bd42a0) // vk.Q1.y + mstore(add(_vk, 0xc0), 0x29ba522730da8fa2a791946868afba96af78b025ba860d8e1d02e0325e677101) // vk.Q2.x + mstore(add(_vk, 0xe0), 0x1434909cf7d729b2f4227d83569641d90c4a72d393390825de20cea7ddad8044) // vk.Q2.y + mstore(add(_vk, 0x100), 0x03b90587c8746a60d96bc184e03c8469d813956caba6137040b350360357fe4f) // vk.Q3.x + mstore(add(_vk, 0x120), 0x211f025196191d107ae492f80f0effeb1e9242069f333d405698365df4838d43) // vk.Q3.y + mstore(add(_vk, 0x140), 0x0eae4a0952b07a5dbaf7750d79dae8fda3cfa4b5e7882413b6ada72c4297561e) // vk.Q4.x + mstore(add(_vk, 0x160), 0x0fa2558fd5e0afe53d359b1ec584eb6c0fabad27e4909227d9a4457d588b2830) // vk.Q4.y + mstore(add(_vk, 0x180), 0x01e7626aeb0ca204c26be5b01b3171994011b03f8966bb201303fc196c6c1a7e) // vk.Q_M.x + mstore(add(_vk, 0x1a0), 0x07972ee3ae6e0a0cf4978b64cd08783f42c7ce9905f1fd35da4ff6fa0e1a18e2) // vk.Q_M.y + mstore(add(_vk, 0x1c0), 0x03bd15837131c97d246c0aa57786e302b6d8227826104f70f56cba936a7b408e) // vk.Q_C.x + mstore(add(_vk, 0x1e0), 0x1a2e3be55cd01c1a4f4ef33fa96986e37c56abc06876e7f7d76229fb9f122c4c) // vk.Q_C.y + mstore(add(_vk, 0x200), 0x26d1d1578bb09f2f047035f103c3b32180c89b338e7d04ace8872b1154be6fb5) // vk.Q_ARITHMETIC.x + mstore(add(_vk, 0x220), 0x10c4691982c731ec4e2bb8216e8af8405fbe96fe8fe305ef2c3e03444fe68f85) // vk.Q_ARITHMETIC.y + mstore(add(_vk, 0x240), 0x1feb6cf63471a70e29caeee13eb393760c0f7d9e556327beb09a22b6b35e89f7) // vk.QSORT.x + mstore(add(_vk, 0x260), 0x1a834941cde87aa7a82450b4f093f149df9937db2edbdab47fa7216fbcb33580) // vk.QSORT.y mstore(add(_vk, 0x280), 0x21245d6c0a4d2ff12b21a825f39f30e8f8cf9b259448d111183e975828539576) // vk.Q_ELLIPTIC.x mstore(add(_vk, 0x2a0), 0x16a409532c8a1693536e93b6ce9920bfc2e6796e8dfe404675a0cdf6ee77ee7a) // vk.Q_ELLIPTIC.y - mstore(add(_vk, 0x2c0), 0x2d455f287e41544fd3744bab412640fd6916b01aa2163c84071eb47f0306a473) // vk.Q_AUX.x - mstore(add(_vk, 0x2e0), 0x09dea8e2b5e382a1c4a37bc4e60f5e8380688310b855c249d64153478d25e223) // vk.Q_AUX.y - mstore(add(_vk, 0x300), 0x09671927e293b22a3fb9fa8ea1680fcc4570bb2f312cb88004ff7fd4474e2109) // vk.SIGMA1.x - mstore(add(_vk, 0x320), 0x1c6442d9a49b3b93a928ef6ba2f348bc4c8cb778a59345faf7d173129f22b5a3) // vk.SIGMA1.y - mstore(add(_vk, 0x340), 0x0337d84b45a5abc701edbdc1a1d878178c23496b39ccddcc3f0f6199e3f97df6) // vk.SIGMA2.x - mstore(add(_vk, 0x360), 0x1c744f7be93d40c96d15fdf9d81c9502b7018573ad23e51dea7b065fdeb6f13a) // vk.SIGMA2.y - mstore(add(_vk, 0x380), 0x23a975cfb71f0c0d46ef9c0b01e6482e780b5e3af1a63547f7d01c46c1911699) // vk.SIGMA3.x - mstore(add(_vk, 0x3a0), 0x0d5a0be212cb2c7d3bba8c2406a9d2c4b04d4e64b0acef2681eb7c6aa490a7cb) // vk.SIGMA3.y - mstore(add(_vk, 0x3c0), 0x1ca2d0cca80bb16eab28d06c5c175e862a8ef14bceb6da79e65236a8a6a36838) // vk.SIGMA4.x - mstore(add(_vk, 0x3e0), 0x0555fe3dbd2ba2d7db2b5f740bf32fb57f4c5ac9d9f2e59e9a5a2cc2d84dae05) // vk.SIGMA4.y + mstore(add(_vk, 0x2c0), 0x24005a1e8120ffcb3e5fc06ff50794b9d4b0bd70eabb1f8dfb342bec8a64dd61) // vk.Q_AUX.x + mstore(add(_vk, 0x2e0), 0x2c18b52f602a5a9b4461872eff0712f56d128bb9364471f838d7b07f008660e3) // vk.Q_AUX.y + mstore(add(_vk, 0x300), 0x02497b2d5e01266cea1f1bf4d9ad66e54045b3e388066db97b9623668728f65d) // vk.SIGMA1.x + mstore(add(_vk, 0x320), 0x0156cae236ca46f64832b4b826804da6c7221ab5ca4cdadd53a1b787992307fe) // vk.SIGMA1.y + mstore(add(_vk, 0x340), 0x2673cb9276dcc16be61e4c2ec24f6a881e771a273198ab0b392c26085a5f03b4) // vk.SIGMA2.x + mstore(add(_vk, 0x360), 0x1384aef6995f8e632b76cce98d900e2535d92719be668a8f0e20c893c87f391a) // vk.SIGMA2.y + mstore(add(_vk, 0x380), 0x11d48b7fc901d1e72489d937970ee3baea2662d268f9b1c08d71820a21ac6a39) // vk.SIGMA3.x + mstore(add(_vk, 0x3a0), 0x126e543f1951015c8a56ff6d571e67da3cc52d2671f3ce8d258378edcfe8a8f5) // vk.SIGMA3.y + mstore(add(_vk, 0x3c0), 0x0b41b102b59ecae092c04a4f09755db1dc4286c3072034ca23b7f885bcfec814) // vk.SIGMA4.x + mstore(add(_vk, 0x3e0), 0x13bf888757f9fad73f21ab3a0ef53a286329dbf0aaaa935d1689d8554db05813) // vk.SIGMA4.y mstore(add(_vk, 0x400), 0x18f7cf965339d9c9d190296fa92f915767b0a8da455975f3e03fa98439fd7110) // vk.TABLE1.x mstore(add(_vk, 0x420), 0x0eecc02f9d44125407adbf00d56b086afd1adc5de536450afe05de382761b32f) // vk.TABLE1.y mstore(add(_vk, 0x440), 0x0bdfe662ea9f40f125ca5f7e99a8c6ba09b87ba8313864316745df862946c5c4) // vk.TABLE2.x @@ -50,16 +50,16 @@ library EcdsaUltraVerificationKey { mstore(add(_vk, 0x4a0), 0x1fda66dfb58273345f2471dff55c51b6856241460272e64b4cc67cde65231e89) // vk.TABLE3.y mstore(add(_vk, 0x4c0), 0x024ccc0fcff3b515cdc97dde2fae5c516bf3c97207891801707142af02538a83) // vk.TABLE4.x mstore(add(_vk, 0x4e0), 0x27827250d02b7b67d084bfc52b26c722f33f75ae5098c109573bfe92b782e559) // vk.TABLE4.y - mstore(add(_vk, 0x500), 0x22b1d6b9827d6d03049f76dc9dc219ae6de93abe52d4d7de8677d961d3408c77) // vk.TABLE_TYPE.x - mstore(add(_vk, 0x520), 0x10ebc6be9f74e0367276028c613ab3efe0f2ed546c05339b36d5165d009c833a) // vk.TABLE_TYPE.y - mstore(add(_vk, 0x540), 0x2aa2e5247ce6524fecba0a2de9f383353096665f3ae8082fe7017fbf6d6572d8) // vk.ID1.x - mstore(add(_vk, 0x560), 0x1db802f61a6194bea68f7d5ec697facf26f1c1336b09e382801e8b773f0e116f) // vk.ID1.y - mstore(add(_vk, 0x580), 0x1aa955e508f3c2fbf55a36719eb666a45239935c4af10b8a1f4580d5cd614236) // vk.ID2.x - mstore(add(_vk, 0x5a0), 0x2bc21aa51420951a10a39d5c5242101d2207c47a0077852acb7d3fd6a16e1c58) // vk.ID2.y - mstore(add(_vk, 0x5c0), 0x245c89c4cf7c7e297b4db8e2625f5abd56398c351256a39aece0a36a940aaf62) // vk.ID3.x - mstore(add(_vk, 0x5e0), 0x01bd6e61d801d895c7edfee071518761f3c8c0e10bec5f0fb0b25ae430a2c91e) // vk.ID3.y - mstore(add(_vk, 0x600), 0x30223d4653291c03019e96bd716769c7c6d6520fddf2e633a75f94b08bee86dd) // vk.ID4.x - mstore(add(_vk, 0x620), 0x2e389428afa291855039f1b4af22e70d469f4e20116b85889737d624a2d27fef) // vk.ID4.y + mstore(add(_vk, 0x500), 0x302e6c8067a7ca14e1d75776754c1a3ad99d21056ae8e607ea66029cbe534906) // vk.TABLE_TYPE.x + mstore(add(_vk, 0x520), 0x07f2eb44fd686bf54e604a6b40c9151b7123db580a23c064ef703af4013dbc2f) // vk.TABLE_TYPE.y + mstore(add(_vk, 0x540), 0x00992a2f510c6371b9231c1d68d0e0fdbe10c5f4344de9441cc7c845afb37a1d) // vk.ID1.x + mstore(add(_vk, 0x560), 0x13eb38f67d8c03245e6f0655f5d40c145b2c06dd1657d8da26dc75af0cefa0f7) // vk.ID1.y + mstore(add(_vk, 0x580), 0x2ce905fbf9f932ae4f9b7b0feda15271b80921e9bf4e58c302ae99f1207fa4e7) // vk.ID2.x + mstore(add(_vk, 0x5a0), 0x2c2a6dc03599757fc625b0e55984d3fb28a954d40eb54f988b52c55936076988) // vk.ID2.y + mstore(add(_vk, 0x5c0), 0x0f547249b9aa5b9a951757893c059f8ed590366da4dd3ccd36aeac3069c7471f) // vk.ID3.x + mstore(add(_vk, 0x5e0), 0x2be2746434bfe0ccb2390357b17f8ec70ff12fc3aad4500b8d1723ec6709a170) // vk.ID3.y + mstore(add(_vk, 0x600), 0x19d1ed6b528ae5095d83167c3ba3578b36c7cd9249e47d10ceff352890d0938f) // vk.ID4.x + mstore(add(_vk, 0x620), 0x1dcd2caa39e180a497ff98414548e5de682d19fc598b3cd44242f1bb53a0e078) // vk.ID4.y mstore(add(_vk, 0x640), 0x00) // vk.contains_recursive_proof mstore(add(_vk, 0x660), 0) // vk.recursive_proof_public_input_indices mstore(add(_vk, 0x680), 0x260e01b251f6f1c7e7ff4e580791dee8ea51d87a358e038b4efe30fac09383c1) // vk.g2_x.X.c1 diff --git a/barretenberg/sol/src/ultra/keys/RecursiveUltraVerificationKey.sol b/barretenberg/sol/src/ultra/keys/RecursiveUltraVerificationKey.sol index 641305da4bcd..1cabff016cbc 100644 --- a/barretenberg/sol/src/ultra/keys/RecursiveUltraVerificationKey.sol +++ b/barretenberg/sol/src/ultra/keys/RecursiveUltraVerificationKey.sol @@ -1,72 +1,72 @@ -// Verification Key Hash: a52397545a883471ee94e8a27e184be64d21640d76712b1e6fba67f3546503c9 +// Verification Key Hash: 9e6cf5dacef11085d9ea83e98b85ebdc37749931c90443898dcd8d18f639dad8 // SPDX-License-Identifier: Apache-2.0 // Copyright 2022 Aztec pragma solidity >=0.8.4; library RecursiveUltraVerificationKey { function verificationKeyHash() internal pure returns (bytes32) { - return 0xa52397545a883471ee94e8a27e184be64d21640d76712b1e6fba67f3546503c9; + return 0x9e6cf5dacef11085d9ea83e98b85ebdc37749931c90443898dcd8d18f639dad8; } function loadVerificationKey(uint256 _vk, uint256 _omegaInverseLoc) internal pure { assembly { - mstore(add(_vk, 0x00), 0x0000000000000000000000000000000000000000000000000000000000080000) // vk.circuit_size + mstore(add(_vk, 0x00), 0x0000000000000000000000000000000000000000000000000000000000040000) // vk.circuit_size mstore(add(_vk, 0x20), 0x0000000000000000000000000000000000000000000000000000000000000010) // vk.num_inputs - mstore(add(_vk, 0x40), 0x2260e724844bca5251829353968e4915305258418357473a5c1d597f613f6cbd) // vk.work_root - mstore(add(_vk, 0x60), 0x3064486657634403844b0eac78ca882cfd284341fcb0615a15cfcd17b14d8201) // vk.domain_inverse - mstore(add(_vk, 0x80), 0x05104b486160545badec11f151e7c70b87050871da5653387ab4ab2ad0eef5ca) // vk.Q1.x - mstore(add(_vk, 0xa0), 0x2672c7fb298fce83f510eb6e1b851a5bb2daf8fc43c7771e96c56c8a09ddfeae) // vk.Q1.y - mstore(add(_vk, 0xc0), 0x2c019acf99c5663da83cec224bd32570ee90f45c4486a54dec3ca4552d8ab07a) // vk.Q2.x - mstore(add(_vk, 0xe0), 0x0fb7a3385ab42cafb0e104ac17ac2dacfb161d292c00fca102b1e780e86ccaf3) // vk.Q2.y - mstore(add(_vk, 0x100), 0x273ca9c29ef10864f4c9c053c336776a71ca5ebbf4bec1cb381e431943f9b5d7) // vk.Q3.x - mstore(add(_vk, 0x120), 0x2a94f00fe384ab945a8f5e3c97194a425a4d2109e5b113f059e42ee232659436) // vk.Q3.y - mstore(add(_vk, 0x140), 0x0e8b5c127c8a3ec285c2ac80d9046528051387878802203988a60650a0a960ab) // vk.Q4.x - mstore(add(_vk, 0x160), 0x17efdb659ae0d26aa78db132f9be9130460c0fce0c2a8e9b726de68247f76891) // vk.Q4.y - mstore(add(_vk, 0x180), 0x2f668d8a50bdb5c366e39433892f903262a04b6473ba3468c12057d58ad3bbfb) // vk.Q_M.x - mstore(add(_vk, 0x1a0), 0x2397c6171bc6d084e98297690441c9da9f011d18b3ea0bb58ee4d47227feb6b4) // vk.Q_M.y - mstore(add(_vk, 0x1c0), 0x1dafbfb4d30fcf880ef839ecc7fda9a97c315c5fa1713d08f7cdf6dba53ffb17) // vk.Q_C.x - mstore(add(_vk, 0x1e0), 0x099fa3de9ce0cc28085739745582b53bf7939e3d97928afd491392053c1c0a68) // vk.Q_C.y - mstore(add(_vk, 0x200), 0x028912be5d0accd4edf4949f89be1c1a2fcf4f59559ba03114da00ec3bf643ac) // vk.Q_ARITHMETIC.x - mstore(add(_vk, 0x220), 0x2428952bfba8ba44830fb0ae6fcdeb9bf17d611add9432450ebbe3d928e2f431) // vk.Q_ARITHMETIC.y - mstore(add(_vk, 0x240), 0x2b40c900824bcca193d402e0ef7f78792deaccd99743a78e5330abe8886ac989) // vk.QSORT.x - mstore(add(_vk, 0x260), 0x102a7a02bc1a7317702c09560636e991b856f26f88ee8f0b33da3dd7fe222dbb) // vk.QSORT.y - mstore(add(_vk, 0x280), 0x2bcf00433471db2be265df28ba2e70c36ca52f2932a4de25c0d60868703a0726) // vk.Q_ELLIPTIC.x - mstore(add(_vk, 0x2a0), 0x2f225b86590c67ae48360cb41d5b291ba94ce2dbae850afd9a6854122341b5ba) // vk.Q_ELLIPTIC.y - mstore(add(_vk, 0x2c0), 0x2eaee34d8508092cc4e19bc3f27ffa7dfc72230710e220f228f48906fae21e56) // vk.Q_AUX.x - mstore(add(_vk, 0x2e0), 0x0c503c5d6245b99bbc056925e96abd20feaed6507707311092b3ed87eadb3874) // vk.Q_AUX.y - mstore(add(_vk, 0x300), 0x021ba851cec3aedfbf1d9944907ae721f0d3e8fa3548513b6f108d101067ae85) // vk.SIGMA1.x - mstore(add(_vk, 0x320), 0x24eef378da346c4f9eededc5dc519d35b14fec46412c8fcf7564cafb9843d761) // vk.SIGMA1.y - mstore(add(_vk, 0x340), 0x0492b2fed8a158177dd3e825fb34ca7481bfead06bc01f308dc81fcd852ef3bc) // vk.SIGMA2.x - mstore(add(_vk, 0x360), 0x289bf1bcc6a9cb19b102c7fb9dba839e1817a24257194cad404b393ce77e66b5) // vk.SIGMA2.y - mstore(add(_vk, 0x380), 0x05d2a9c66d5c142b254b4f7d09f0eb837d95d8ec002e0644f51d455041403ca5) // vk.SIGMA3.x - mstore(add(_vk, 0x3a0), 0x2434b76f470965c85363ff15b3f37c7b4be4fb2741451dc33943879f1e4cbba4) // vk.SIGMA3.y - mstore(add(_vk, 0x3c0), 0x2f4bcc93500665a87a8f959e1636fe88cb1f17688b8c286fe930ccf934a49ac2) // vk.SIGMA4.x - mstore(add(_vk, 0x3e0), 0x243f7b4ae1d483c99523b6a2999f404ab744017c8f43080c3582c38ea8ea3d1a) // vk.SIGMA4.y - mstore(add(_vk, 0x400), 0x0ddc3b6d8e59cf0996ca71ad4132ca9d618ffd933cf58a8a0953dc76f97cf108) // vk.TABLE1.x - mstore(add(_vk, 0x420), 0x153193287060386695f4f2d0d3525dec4c6a253f431d3f3fc06aa0e5b0448b8c) // vk.TABLE1.y - mstore(add(_vk, 0x440), 0x1170f0ece62f8c572bca96b141d27f4bd25585edb9319128045c005d48491b1e) // vk.TABLE2.x - mstore(add(_vk, 0x460), 0x246cd041690f653f88ed0c56ad282a3dd2e37b8edb1f56b785809d7710bf1c88) // vk.TABLE2.y - mstore(add(_vk, 0x480), 0x26153c937447356a0c6d6be09d85eb34bc8a00ce9d452888e5fc2b5a7e14fed7) // vk.TABLE3.x - mstore(add(_vk, 0x4a0), 0x189da022421fbd8dfd7973084d978e555388ad9364679246b07992f84b4e91b2) // vk.TABLE3.y - mstore(add(_vk, 0x4c0), 0x285311c5e9a4cbb56a3f04f29d5443e8c0f9753e2a5a35acec051fafe2cecce5) // vk.TABLE4.x - mstore(add(_vk, 0x4e0), 0x2436400260c9d3180beedd0bf49fec92d2d0ac76a1be7f1fad96cbd997175312) // vk.TABLE4.y - mstore(add(_vk, 0x500), 0x139bb66456d96a4e2dad361f7949a6b8c6739650965ae729788162fbb0382399) // vk.TABLE_TYPE.x - mstore(add(_vk, 0x520), 0x098fad1329e1765863f8ac829332168359901da71702e5119ce4b89a7ae6f017) // vk.TABLE_TYPE.y - mstore(add(_vk, 0x540), 0x14fc4c6c2521387172a6b801e2b6c8a2308d725695d3f49a57151c2a0a8af0fe) // vk.ID1.x - mstore(add(_vk, 0x560), 0x2ce0c2c73ded7bcf19c1208f134b67ed74f77ef717db1c05c010bc8df7bed39e) // vk.ID1.y - mstore(add(_vk, 0x580), 0x0e2455a361f4a3741dab6a03b8186996a5a9873a3b62b3fa8eb5a551cb46bb7a) // vk.ID2.x - mstore(add(_vk, 0x5a0), 0x29a288b84aeabb0421861492256c6ea82530b5b14c0e01e5b7b2553cf197a2e7) // vk.ID2.y - mstore(add(_vk, 0x5c0), 0x01fbecd3bc90ad298a27bf4f9aa071746c30b5af932a1ba8d5b04394f85e0370) // vk.ID3.x - mstore(add(_vk, 0x5e0), 0x0b21c924fc2b44729ff84deeae724c68dd1636e847b0f7cdd92ad203af7cf0d5) // vk.ID3.y - mstore(add(_vk, 0x600), 0x12f7ebb5e50b429b766b1dc5e8b32b7727593641e4f976b72a7046d0a3ff8dea) // vk.ID4.x - mstore(add(_vk, 0x620), 0x2d45226edb0f8338bb5fa88ecefeeaa9bbb72232a2e842f8c7f37cd11f7065ed) // vk.ID4.y + mstore(add(_vk, 0x40), 0x19ddbcaf3a8d46c15c0176fbb5b95e4dc57088ff13f4d1bd84c6bfa57dcdc0e0) // vk.work_root + mstore(add(_vk, 0x60), 0x30644259cd94e7dd5045d7a27013b7fcd21c9e3b7fa75222e7bda49b729b0401) // vk.domain_inverse + mstore(add(_vk, 0x80), 0x02c6f00fd259ba9440c68d211969bbd81509b234882d65fc79ee90fdcb6ccfda) // vk.Q1.x + mstore(add(_vk, 0xa0), 0x07f4fc84032451c171ea7150385b54a383fb083cc0c93895e2ef931e8e448345) // vk.Q1.y + mstore(add(_vk, 0xc0), 0x02b407e4c824960a965b5193ad8c6ccf4baaa4c99da5d11b13a2d6af52973ef7) // vk.Q2.x + mstore(add(_vk, 0xe0), 0x021fe5c3dd23b42f696dcd08659b8aa403c8e927f8c6e7b1446f4e9205c0a1c2) // vk.Q2.y + mstore(add(_vk, 0x100), 0x14f63403b60fb3ccf8325ec20e463e1daa492faf4d0151a8e7366f07c68f1d83) // vk.Q3.x + mstore(add(_vk, 0x120), 0x207cbbaffb34a0fe5eba27fd30f67e5389b1de65b703ccb78726831208ab600d) // vk.Q3.y + mstore(add(_vk, 0x140), 0x00ef12b054f19d72f2a6d0e628c6387026afd8a8924eb144ccc9948d4f6c5549) // vk.Q4.x + mstore(add(_vk, 0x160), 0x0a1cbb57818ceec1d15878315046a7db1238d292307cabafbb97f569df6dcefa) // vk.Q4.y + mstore(add(_vk, 0x180), 0x0d098b0bcd6db60c47f8e7e9eb1c072972deb39b294907cbc353352ebc2bea85) // vk.Q_M.x + mstore(add(_vk, 0x1a0), 0x0ff57407d8b18914e30d8583a77f67732f8b2762429a712c55b0c00fb83fe1c2) // vk.Q_M.y + mstore(add(_vk, 0x1c0), 0x2b01c45f214633bfaea1589083ab9a3a0915a6da362baa3151b1a0e80fb79160) // vk.Q_C.x + mstore(add(_vk, 0x1e0), 0x0392d6380d2912befda8d98bcddd6050683a814bb84eb7f57e28176033783f11) // vk.Q_C.y + mstore(add(_vk, 0x200), 0x24a6e759b9d12a53f809367cb3cbd00d96dfaa3af623e984bd986886447b642d) // vk.Q_ARITHMETIC.x + mstore(add(_vk, 0x220), 0x265e4202aa18f537a514281d72aaea8ab10090da270d8f9901363b4f48bc0610) // vk.Q_ARITHMETIC.y + mstore(add(_vk, 0x240), 0x04e5e383b53cf0f3eb3e824dcbc95d7fbb2ca7770bf92a3e86b652a425534714) // vk.QSORT.x + mstore(add(_vk, 0x260), 0x1bb4418c97c423508baf8d7825f2f41066dc4769dc4c9643ebddca0a71b71a87) // vk.QSORT.y + mstore(add(_vk, 0x280), 0x00a2e0e8c69ad29b60904f91a9db016a32a3de05f6ccdf024b5f149e8388484c) // vk.Q_ELLIPTIC.x + mstore(add(_vk, 0x2a0), 0x24be2bffbba65b40f4eeabba7a3660511baad3936c4ec40a6f9e20d194ec3a07) // vk.Q_ELLIPTIC.y + mstore(add(_vk, 0x2c0), 0x28725b01fa9c481b39aef64f5f54f9f967fd976b7ff4be45a9ca50f7500fef4c) // vk.Q_AUX.x + mstore(add(_vk, 0x2e0), 0x264e3e4c4529b321c407f802c173d2fb73b03e8ce09fe3de3c11f84b87b99d32) // vk.Q_AUX.y + mstore(add(_vk, 0x300), 0x1ec8ec2e5a6f36a00042f1199bad7fb25e950c9ce97f59777fd1739f422ce750) // vk.SIGMA1.x + mstore(add(_vk, 0x320), 0x002526bd09111cbc4d6f6c6e200f627e7ae60fb59bd5f1357d82f386b1009dc9) // vk.SIGMA1.y + mstore(add(_vk, 0x340), 0x0cc83ed6a722c67efdd44d5b6de2490621fd59c7c1c7a1416c99a6dff933e5d9) // vk.SIGMA2.x + mstore(add(_vk, 0x360), 0x01eb69a024162e13bc58e174cef5c0d2c7a12bdf3619f78010cfe09cd165c19d) // vk.SIGMA2.y + mstore(add(_vk, 0x380), 0x257e795ed0c6598cb79a148110eb2ce1dfb2a6378267e0a33f3c1d4dd7aadbcc) // vk.SIGMA3.x + mstore(add(_vk, 0x3a0), 0x01d596a895131eb6dbf6c9a89ddd9321ec5ed272d921b4edfed20b8f8ddc80cb) // vk.SIGMA3.y + mstore(add(_vk, 0x3c0), 0x167af14f050f637263e94a86a2408a14178c7ea304ffaee2db4b2d20e173832b) // vk.SIGMA4.x + mstore(add(_vk, 0x3e0), 0x211fb82fbb784f81f12914fbdb876c4a4b1f3670bf7aa291f661f7541bc8779c) // vk.SIGMA4.y + mstore(add(_vk, 0x400), 0x09796190fd3ba909c6530c89811df9b5b4f5f2fe6501ec21dd864b20673fc02c) // vk.TABLE1.x + mstore(add(_vk, 0x420), 0x00b9c2423e310caa43e1eb83b55f53977fccbed85422df8935635d77d146bf39) // vk.TABLE1.y + mstore(add(_vk, 0x440), 0x217dad26ccc0c543ec5750513e9365a5cae8164b08d364efcf4b5890ff05f334) // vk.TABLE2.x + mstore(add(_vk, 0x460), 0x1db28433f6bde424423f3587787f81c48101d2dc6e54b431332cb275f8518c62) // vk.TABLE2.y + mstore(add(_vk, 0x480), 0x2cc2d90f2da7f4ec16b7fe61babd4fb9b580ecff03c471764dd67a8c433afab5) // vk.TABLE3.x + mstore(add(_vk, 0x4a0), 0x3032b9ff096a43ce326cc63ffc6a86dcb913fb1f7700939f5304f6c6beb24574) // vk.TABLE3.y + mstore(add(_vk, 0x4c0), 0x1f4c58502ca713ed0bffb4ff31ed55e557e83a37d31b8e703aa9219d6158e2d2) // vk.TABLE4.x + mstore(add(_vk, 0x4e0), 0x0b0d5ed5432c5e7b56344c1d26ce0d9f632e8f8aa52505d6c89f6da89f357fa8) // vk.TABLE4.y + mstore(add(_vk, 0x500), 0x0869d6ec86b39958a4a10ed67954dc8931a1e5ee901099071c3c0684dd0eddde) // vk.TABLE_TYPE.x + mstore(add(_vk, 0x520), 0x1fc9d5e1b18c601f367b9551c00f5e541a48aa562cd0adb4369b51a7e99395b6) // vk.TABLE_TYPE.y + mstore(add(_vk, 0x540), 0x205b387095b6e538a6169c93c9db7d85ec219e2f0304b449f8849f5fde2c659f) // vk.ID1.x + mstore(add(_vk, 0x560), 0x07d8d408db8702ba4db7fec434fdee2b944313f72b0f94a9dcec74e7b715b3f8) // vk.ID1.y + mstore(add(_vk, 0x580), 0x2c758668e1cbf0572b139911af3f553c7898f7f07ffdcc58484a1a0acd14a03e) // vk.ID2.x + mstore(add(_vk, 0x5a0), 0x159322db7ac7485c5be7ce811a773c5fda9e26b0c47139eda1af6103c5c21b1c) // vk.ID2.y + mstore(add(_vk, 0x5c0), 0x026ba63c8620f00298a42a356b18392228d92c4301e8c51e44a3a2e14a6ebc89) // vk.ID3.x + mstore(add(_vk, 0x5e0), 0x2a962181e6a7df5a05d1750e7a22b6ec21fc84d8de08524aa75c4ee8f646bd0c) // vk.ID3.y + mstore(add(_vk, 0x600), 0x2c81aa9e4f466e56d2a6f1a971d431a487379970bb892424e12a0c71c41479b0) // vk.ID4.x + mstore(add(_vk, 0x620), 0x2e662e641087ed19b9ff866748197ab8a871deded79d2835f32e4bbadef1a889) // vk.ID4.y mstore(add(_vk, 0x640), 0x01) // vk.contains_recursive_proof mstore(add(_vk, 0x660), 0) // vk.recursive_proof_public_input_indices mstore(add(_vk, 0x680), 0x260e01b251f6f1c7e7ff4e580791dee8ea51d87a358e038b4efe30fac09383c1) // vk.g2_x.X.c1 mstore(add(_vk, 0x6a0), 0x0118c4d5b837bcc2bc89b5b398b5974e9f5944073b32078b7e231fec938883b0) // vk.g2_x.X.c0 mstore(add(_vk, 0x6c0), 0x04fc6369f7110fe3d25156c1bb9a72859cf2a04641f99ba4ee413c80da6a5fe4) // vk.g2_x.Y.c1 mstore(add(_vk, 0x6e0), 0x22febda3c0c0632a56475b4214e5615e11e6dd3f96e6cea2854a87d4dacc5e55) // vk.g2_x.Y.c0 - mstore(_omegaInverseLoc, 0x06e402c0a314fb67a15cf806664ae1b722dbc0efe66e6c81d98f9924ca535321) // vk.work_root_inverse + mstore(_omegaInverseLoc, 0x036853f083780e87f8d7c71d111119c57dbe118c22d5ad707a82317466c5174c) // vk.work_root_inverse } } } From 27766446cc8d442a12edcb1484b2b23de74be428 Mon Sep 17 00:00:00 2001 From: maramihali Date: Sat, 21 Sep 2024 12:27:31 +0000 Subject: [PATCH 12/31] rm changes to vks --- .../honk/keys/EcdsaHonkVerificationKey.sol | 84 +++++++++---------- 1 file changed, 42 insertions(+), 42 deletions(-) diff --git a/barretenberg/sol/src/honk/keys/EcdsaHonkVerificationKey.sol b/barretenberg/sol/src/honk/keys/EcdsaHonkVerificationKey.sol index 26207d04184b..b2d9abdf2a20 100644 --- a/barretenberg/sol/src/honk/keys/EcdsaHonkVerificationKey.sol +++ b/barretenberg/sol/src/honk/keys/EcdsaHonkVerificationKey.sol @@ -15,72 +15,72 @@ library EcdsaHonkVerificationKey { logCircuitSize: uint256(16), publicInputsSize: uint256(6), ql: Honk.G1Point({ - x: uint256(0x051ccdb8069f35f4ef85ad098e95681736a7bed10a7bee1b76a506235dc0b579), - y: uint256(0x05e168c2e4f90231545f5b24c1a84c1419b8798e4235cc2036c9e101e462b71d) + x: uint256(0x0b1acdcf739e1e6c27df046577122a292a77f4fcdf8056d8b8ae12f105d3a888), + y: uint256(0x145dad3bdd9a262411aaa657129df49dbf44a63f510e9ab8191622c643ebd9bd) }), qr: Honk.G1Point({ - x: uint256(0x2c99eed1f855cd5152942cc090aabf15308eb00ac549e965eb3e1950479cce58), - y: uint256(0x170bf8541390153bf5807bc022c9369f99d8bc1fd87922a0627b144fec0414e2) + x: uint256(0x1940872f30b32522e26efd0fd4a642289bce2c56083e7a03af564c30969066d8), + y: uint256(0x181fd173051ca19e37f09c42298c36d2e9834df50535d85d429f562352c0d924) }), qo: Honk.G1Point({ - x: uint256(0x1594abb7debcf41e3296178eeec941dbb6242ba13f50f4549734657ee5ebb8b1), - y: uint256(0x262e1469c56c719bdc4eaab93cc95868eed9fea1fa9ded03b46f2c061a341d4f) + x: uint256(0x2a1afa631e8b6ab8fb1444fb0154686a5a34c7a4ddae66bdc344e782a81382b3), + y: uint256(0x0cfa0936a5e63e723a5c318c7461ddc22824ad0ee62fa00e2e8b92f9b3f1cdf6) }), q4: Honk.G1Point({ - x: uint256(0x16b49bbcd37e15ed89b2f6f5b97d021abe440ba7cbc69904484991fa7e6058a9), - y: uint256(0x197b14cb5d037642b27ed7cd79b9568e5853ad1e3508453c0ed1f30c1962fd52) + x: uint256(0x1a01666b2e915221eb0c1ae6bf91394d18c73e6882dd1241d244f932678982ec), + y: uint256(0x212b0436d2da1b4a6507142b794024ded58e3d41fdde2f95249405ffdd02b324) }), qm: Honk.G1Point({ - x: uint256(0x175280d74e116a82ad6ccc34f640a5b3dda74b17372c9a0941d57749e37068a6), - y: uint256(0x0827b11a78b8a625ba940983effbcf7354aa0388bd472481c0a8a088653b9769) + x: uint256(0x0dd29943b961b1c615ab22df0e5b567489a7c9a9ad3ac92ae281d68ca603326c), + y: uint256(0x2a552165dc59dc5c5398e6b8c2227dc3f36ccdcc1250e7c9a8c1631c963aff2f) }), qc: Honk.G1Point({ - x: uint256(0x2a262a7189292da31f3f4a7926c4d9fcae883188aafe9cf3ba2a623f0004a67a), - y: uint256(0x0d90b8808180521422b90889592111434dd5bbc0e5deb27419c1f5e6d0bf9883) + x: uint256(0x203785f30cf75ed2e8559faa797897174bca19ebcb44266c6bc87aee8dc86964), + y: uint256(0x11ae3fbccf0c302ab29a8123b2ef631a659a3750d27df3eb7c492ae978ac3f07) }), qArith: Honk.G1Point({ - x: uint256(0x2026f95bb8f7b6ed57287e4833e2789cce8ec9a95b829e6a2abbf5d13d681d22), - y: uint256(0x19cea5af7d9b39a4ad86a0ab52f8a358f7f35236561a50cdf6f2860f0b3426a8) + x: uint256(0x059453a86c23185b89783698e7da32ce59270611c312c82a16c42e83d66f3a11), + y: uint256(0x23403bda1774d1e372f94dd86571d393290df9d27cc1f032a1a2ba3a02becb28) }), qDeltaRange: Honk.G1Point({ - x: uint256(0x02d0f736b422d74d9aa2ef26deedb67fdd2e798aae001c4292dabd2c5df31249), - y: uint256(0x0ae6265d6dcc9da8d3b23f088c6fb062c9be10bfa79e9d0463d4a7785ea4a5f9) + x: uint256(0x189ec3e8c791a2933a4f188b2183c4bfeb9a2a8e51bb10a7571c243603dd3fce), + y: uint256(0x00d30f1839bdf225d00e20bcf76adcf2bfc6ea98a4ca12b4f36c68f4a865fa59) }), qElliptic: Honk.G1Point({ - x: uint256(0x0ffa449a9d6e6c6f3e302eb3f16ce9d3d3711b9102ecf0e303ff91f3f9eb25f5), - y: uint256(0x095ef997439bccdd1234b2431a520823bcfe3e77f50190e66e70e2c51e906193) + x: uint256(0x16b1166d95a8e2496eb12363dbfb9ca5aa5bc0975fc4994dc2c61cc0609d8eba), + y: uint256(0x1aded54ecb6c2ec4fdeaef0f9e3b2dae5da1e1958d76b953b9e29efb1e8962b4) }), qAux: Honk.G1Point({ - x: uint256(0x09023d45c436e756762d8b3527cfcb3f694cdbafd192ccae59210740bdf03ad3), - y: uint256(0x020c9b591603814f1815038e25d1bb3fb85261bf699abfc8921f48954f0bc2b0) + x: uint256(0x1011b815b4505f86944621990bd81bd442780186904784572d50087942aa8607), + y: uint256(0x24e575bf4641129d492759c66a4a5c1d3da80b647d4e67adfea20ab72eb69854) }), qLookup: Honk.G1Point({ - x: uint256(0x08c0d34ca72136661975f3b1ad658bfda38661b9ff320b60e2974496e03fd62e), - y: uint256(0x236caf48f4c3a7ca207f5c0ec75f304657e49780015cf40ff9be37f8ba3c6624) + x: uint256(0x13a5f6d8f4de0f66dc7ea0d75efa7ae6632e6448c13bbbe5358412f7a36518d6), + y: uint256(0x142fd8f3223785fbd36b380c6065215d16b821b3df4d86d5464f1bfff2a29544) }), qPoseidon2External: Honk.G1Point({ - x: uint256(0x09d58ddd055d3d65b4f36a347c18c11956b7d43c4f15434ded62bdf1224ff37d), - y: uint256(0x3002f0782d68214149ae47ee94771a6509709499ca06a8421eeeae97ea37e2a9) + x: uint256(0x02c909437bb59751312ce2208a2b367d3c9eaa8721d7671306c41ebd9843b3ba), + y: uint256(0x1db8a23e0231ac4b008ccdb6f21aa37c59349a77b51d894217596f0ef543120c) }), qPoseidon2Internal: Honk.G1Point({ - x: uint256(0x1d11dbf6b2ced628ad64ea9d8afef60b6ea2e246160b6525915eb0ab7bdc94aa), - y: uint256(0x1ecef8438441a2565ee641757bdc6739da7389d913453eee0aaac561fb08495c) + x: uint256(0x19d898bac51355e0822e2aa6e6630494e47ea2476a0c4c15b6f03ce441f6c6d0), + y: uint256(0x2add808f3d5b3c608ce5937fcd3c9c968ba56dbe5855e2f6d3e4bdd9d118d19b) }), s1: Honk.G1Point({ - x: uint256(0x105eb99bfd557812572f2a5ec5b6eff27375b4ed5ce4e7a9649fe3038cfacbac), - y: uint256(0x1efd910252f319f9c0dc21c7688b92d80fd0a8636f152e0d9c8e0afb5c9a6d2e) + x: uint256(0x0dd1eea7735fc4052df5a19e4859c59e50e3ab9cb3cc2accbd42ef8a1104449b), + y: uint256(0x1541af79ad21fe21642a50d97899451c868b6d5d608431e5de6b0a730abe130d) }), s2: Honk.G1Point({ - x: uint256(0x2bbbf5e8a2f7feb08ee64585bf3da54db0da09b211f726adda93020a2ae23e56), - y: uint256(0x2a9e8e1c3850c66da60224163dc4846ea6f37ed48f9d6dfd40b450fa61081484) + x: uint256(0x21d9072c3474c1cfe1c2d96c098c4d9af4bb5d222944aa6470063f4a8b9b9770), + y: uint256(0x137ad8c018449f48311b5394ac91a6b2f5c5e40c676216a299a3d501d69b1f7d) }), s3: Honk.G1Point({ - x: uint256(0x0d264ba46f4a7bafd0ba9d9f9f4827109e1da2cfdb11835b9fc65aaafe9f9f20), - y: uint256(0x0f9ff6e122bcacd091ffd98d8caf249ab216e9c784e667475e2184ed34892272) + x: uint256(0x2c2fe61ccbf18af13d41950ef58f3a2a64d355657a4dfba8e9917e618ea8add4), + y: uint256(0x2e7edf4dae50db17925e431d3198a39cb4bdc6f4e6e7d8d6163c972f4750a606) }), s4: Honk.G1Point({ - x: uint256(0x2556809f13dc85764a5e4ea8fda1bbba54f36dad477124915fc8c198db16f496), - y: uint256(0x27461805fb3a7ee919331973984491c36cc83eee61d3664d5319922902327750) + x: uint256(0x1825a30f42c7508e2ee2158d374dc626cf4149b745ba55d533181f418ac605aa), + y: uint256(0x15d9b33a9612c0c8a55a75a827c0230656054765c7b37ba77a798b71a4766d1b) }), t1: Honk.G1Point({ x: uint256(0x1ddc9ef86584375e5998d9f6fc16a4e646dc315ab86b477abc2f18a723dc24f6), @@ -99,20 +99,20 @@ library EcdsaHonkVerificationKey { y: uint256(0x076bf1e1f682badebfca083e25d808e8dae96372631c0721a7ee238c333a862a) }), id1: Honk.G1Point({ - x: uint256(0x0b034b231d25a2e152b830397a59c97e02175212a6c5ce00129625cfb2e5c53d), - y: uint256(0x22e1842515d4569ca06477f4b2685d0a767bfa1eecca343c889840af8c086db9) + x: uint256(0x003bfa695fb125e2e815ae3565a2b7667fe2240edfd46c312fa6b6ed88226d3f), + y: uint256(0x080c85e17835fce14e045eeb531ef2c287ad933a2ca7f35d3c7df03d0367fb9c) }), id2: Honk.G1Point({ - x: uint256(0x0e82a73cd55280503e70d5bdd855071d202ff65f31a65996955a7661775ff290), - y: uint256(0x1325a665dfee8e1247f3129ca943e12736f800afc1a9dcfa0476050b8e3c87f8) + x: uint256(0x17662e6b69e1a67d8682a5c00b4d3c57c8f3ce7d82df027ba71c5031a946e070), + y: uint256(0x14bd830834279aa5f4ff64181af68bef9121c6322d37d25b5490f60a83b755f9) }), id3: Honk.G1Point({ - x: uint256(0x2ad12a1238e051fba16108022b5e58bba1fc7966fe759016a93fae5397e8c403), - y: uint256(0x257cfc281b0135bb8dfb0df6a7b69ca39835af544007eb61ace84ce7014c1fea) + x: uint256(0x05bc83edcd40f963c7f6983f1c6a993ce32ca97a6e45c076dc4e38195ba8560a), + y: uint256(0x01239f42bab3bc0d1cc4194ca17fa76036ce2e4887a3dc499fe71da67d7af9a3) }), id4: Honk.G1Point({ - x: uint256(0x058bf4de2f71f4d2e11235d140d05db461fb50d8aef64c8c52e2c0f57438dcce), - y: uint256(0x1e90ce7ec8cca2e65d7deafb655e6c7b0c4b964cd2cb1e5b4ef5ad78ab2f4b46) + x: uint256(0x1bcbd59c8e9e24132d3d3dfb1eaf21fa4ed74e922bb4d44f3c8d22ebb50105da), + y: uint256(0x147b021c1046d59dcc6b8be404ef2670f7e6f33a03dbaeef966c9bf3882324f4) }), lagrangeFirst: Honk.G1Point({ x: uint256(0x0000000000000000000000000000000000000000000000000000000000000001), From 49a0582e2cc5bf6f025fe06a4646dbae37307278 Mon Sep 17 00:00:00 2001 From: maramihali Date: Sat, 21 Sep 2024 14:16:30 +0000 Subject: [PATCH 13/31] ensure ordering of evaluation is right, still doesn't fix the problem --- barretenberg/acir_tests/sol-test/yarn.lock | 2 +- .../commitment_schemes/gemini/gemini.hpp | 3 +- .../commitment_schemes/gemini/gemini.test.cpp | 382 +++++++++--------- .../commitment_schemes/gemini/gemini_impl.hpp | 28 +- .../commitment_schemes/ipa/ipa.test.cpp | 11 +- .../commitment_schemes/kzg/kzg.test.cpp | 17 +- .../commitment_schemes/shplonk/shplemini.hpp | 28 +- .../shplonk/shplemini.test.cpp | 8 +- .../zeromorph/zeromorph.hpp | 23 +- .../zeromorph/zeromorph.test.cpp | 19 +- .../shplemini.test.cpp | 17 +- .../zeromorph.test.cpp | 15 +- .../eccvm_recursive_verifier.cpp | 3 +- .../decider_recursive_verifier.cpp | 3 +- .../ultra_recursive_verifier.cpp | 3 +- .../translator_recursive_verifier.cpp | 3 +- .../barretenberg/transcript/transcript.hpp | 2 +- .../translator_vm/translator_prover.cpp | 22 +- .../translator_vm/translator_verifier.cpp | 3 +- .../ultra_honk/decider_prover.cpp | 3 +- .../ultra_honk/decider_verifier.cpp | 6 +- .../barretenberg/vm/avm/generated/prover.cpp | 3 +- .../vm/avm/generated/verifier.cpp | 3 +- .../avm/recursion/avm_recursive_verifier.cpp | 3 +- .../bb-pil-backend/templates/prover.cpp.hbs | 3 +- .../bb-pil-backend/templates/verifier.cpp.hbs | 3 +- 26 files changed, 326 insertions(+), 290 deletions(-) diff --git a/barretenberg/acir_tests/sol-test/yarn.lock b/barretenberg/acir_tests/sol-test/yarn.lock index af80282ea956..5cfac7679f6e 100644 --- a/barretenberg/acir_tests/sol-test/yarn.lock +++ b/barretenberg/acir_tests/sol-test/yarn.lock @@ -1,4 +1,4 @@ -# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY. +d# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY. # yarn lockfile v1 diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp index ea90f07cb82b..a303a13b53e6 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp @@ -112,7 +112,8 @@ template class GeminiProver_ { static std::vector prove(const Fr circuit_size, RefSpan f_polynomials, RefSpan g_polynomials, - RefSpan multilinear_evaluations, + RefSpan unshifted_evaluations, + RefSpan shifted_evaluations, std::span multilinear_challenge, const std::shared_ptr>& commitment_key, const std::shared_ptr& transcript); diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.test.cpp index 7d0b29a26a9f..08a2e8dd7de1 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.test.cpp @@ -1,188 +1,194 @@ -#include "gemini_impl.hpp" - -#include "../commitment_key.test.hpp" -#include "barretenberg/polynomials/polynomial.hpp" -#include "barretenberg/transcript/transcript.hpp" - -using namespace bb; - -template class GeminiTest : public CommitmentTest { - using GeminiProver = GeminiProver_; - using GeminiVerifier = GeminiVerifier_; - using Fr = typename Curve::ScalarField; - using GroupElement = typename Curve::Element; - - public: - void execute_gemini_and_verify_claims(std::vector& multilinear_evaluation_point, - std::vector& multilinear_evaluations, - std::vector>& multilinear_polynomials, - std::vector>& multilinear_polynomials_to_be_shifted, - std::vector& multilinear_commitments, - std::vector& multilinear_commitments_to_be_shifted) - { - auto prover_transcript = NativeTranscript::prover_init_empty(); - - // Compute: - // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1 - // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1 - auto prover_output = GeminiProver::prove(1 << multilinear_evaluation_point.size(), - RefVector(multilinear_polynomials), - RefVector(multilinear_polynomials_to_be_shifted), - RefVector(multilinear_evaluations), - multilinear_evaluation_point, - this->commitment_key, - prover_transcript); - - // Check that the Fold polynomials have been evaluated correctly in the prover - this->verify_batch_opening_pair(prover_output); - - auto verifier_transcript = NativeTranscript::verifier_init_empty(prover_transcript); - - // Compute: - // - Single opening pair: {r, \hat{a}_0} - // - 2 partially evaluated Fold polynomial commitments [Fold_{r}^(0)] and [Fold_{-r}^(0)] - // Aggregate: d+1 opening pairs and d+1 Fold poly commitments into verifier claim - auto verifier_claims = GeminiVerifier::reduce_verification(multilinear_evaluation_point, - multilinear_evaluations, - RefVector(multilinear_commitments), - RefVector(multilinear_commitments_to_be_shifted), - verifier_transcript); - - // Check equality of the opening pairs computed by prover and verifier - for (auto [prover_claim, verifier_claim] : zip_view(prover_output, verifier_claims)) { - ASSERT_EQ(prover_claim.opening_pair, verifier_claim.opening_pair); - this->verify_opening_claim(verifier_claim, prover_claim.polynomial); - } - } -}; - -using ParamsTypes = ::testing::Types; -TYPED_TEST_SUITE(GeminiTest, ParamsTypes); - -TYPED_TEST(GeminiTest, Single) -{ - using Fr = typename TypeParam::ScalarField; - using GroupElement = typename TypeParam::Element; - - const size_t n = 16; - const size_t log_n = 4; - - auto u = this->random_evaluation_point(log_n); - auto poly = Polynomial::random(n); - auto commitment = this->commit(poly); - auto eval = poly.evaluate_mle(u); - - // Collect multilinear polynomials evaluations, and commitments for input to prover/verifier - std::vector multilinear_evaluations = { eval }; - std::vector> multilinear_polynomials = { poly.share() }; - std::vector> multilinear_polynomials_to_be_shifted = {}; - std::vector multilinear_commitments = { commitment }; - std::vector multilinear_commitments_to_be_shifted = {}; - - this->execute_gemini_and_verify_claims(u, - multilinear_evaluations, - multilinear_polynomials, - multilinear_polynomials_to_be_shifted, - multilinear_commitments, - multilinear_commitments_to_be_shifted); -} - -TYPED_TEST(GeminiTest, SingleShift) -{ - using Fr = typename TypeParam::ScalarField; - using GroupElement = typename TypeParam::Element; - - const size_t n = 16; - const size_t log_n = 4; - - auto u = this->random_evaluation_point(log_n); - - // shiftable polynomial must have 0 as last coefficient - auto poly = Polynomial::random(n, /*shiftable*/ 1); - - auto commitment = this->commit(poly); - auto eval_shift = poly.evaluate_mle(u, true); - - // Collect multilinear polynomials evaluations, and commitments for input to prover/verifier - std::vector multilinear_evaluations = { eval_shift }; - std::vector> multilinear_polynomials = {}; - std::vector> multilinear_polynomials_to_be_shifted = { poly.share() }; - std::vector multilinear_commitments = {}; - std::vector multilinear_commitments_to_be_shifted = { commitment }; - - this->execute_gemini_and_verify_claims(u, - multilinear_evaluations, - multilinear_polynomials, - multilinear_polynomials_to_be_shifted, - multilinear_commitments, - multilinear_commitments_to_be_shifted); -} - -TYPED_TEST(GeminiTest, Double) -{ - using Fr = typename TypeParam::ScalarField; - using GroupElement = typename TypeParam::Element; - - const size_t n = 16; - const size_t log_n = 4; - - auto u = this->random_evaluation_point(log_n); - - auto poly1 = Polynomial::random(n); - auto poly2 = Polynomial::random(n); - - auto commitment1 = this->commit(poly1); - auto commitment2 = this->commit(poly2); - - auto eval1 = poly1.evaluate_mle(u); - auto eval2 = poly2.evaluate_mle(u); - - // Collect multilinear polynomials evaluations, and commitments for input to prover/verifier - std::vector multilinear_evaluations = { eval1, eval2 }; - std::vector> multilinear_polynomials = { poly1.share(), poly2.share() }; - std::vector> multilinear_polynomials_to_be_shifted = {}; - std::vector multilinear_commitments = { commitment1, commitment2 }; - std::vector multilinear_commitments_to_be_shifted = {}; - - this->execute_gemini_and_verify_claims(u, - multilinear_evaluations, - multilinear_polynomials, - multilinear_polynomials_to_be_shifted, - multilinear_commitments, - multilinear_commitments_to_be_shifted); -} - -TYPED_TEST(GeminiTest, DoubleWithShift) -{ - using Fr = typename TypeParam::ScalarField; - using GroupElement = typename TypeParam::Element; - - const size_t n = 16; - const size_t log_n = 4; - - auto u = this->random_evaluation_point(log_n); - - auto poly1 = Polynomial::random(n); - auto poly2 = Polynomial::random(n, 1); // make 'shiftable' - - auto commitment1 = this->commit(poly1); - auto commitment2 = this->commit(poly2); - - auto eval1 = poly1.evaluate_mle(u); - auto eval2 = poly2.evaluate_mle(u); - auto eval2_shift = poly2.evaluate_mle(u, true); - - // Collect multilinear polynomials evaluations, and commitments for input to prover/verifier - std::vector multilinear_evaluations = { eval1, eval2, eval2_shift }; - std::vector> multilinear_polynomials = { poly1.share(), poly2.share() }; - std::vector> multilinear_polynomials_to_be_shifted = { poly2.share() }; - std::vector multilinear_commitments = { commitment1, commitment2 }; - std::vector multilinear_commitments_to_be_shifted = { commitment2 }; - - this->execute_gemini_and_verify_claims(u, - multilinear_evaluations, - multilinear_polynomials, - multilinear_polynomials_to_be_shifted, - multilinear_commitments, - multilinear_commitments_to_be_shifted); -} +// #include "gemini_impl.hpp" + +// #include "../commitment_key.test.hpp" +// #include "barretenberg/polynomials/polynomial.hpp" +// #include "barretenberg/transcript/transcript.hpp" + +// using namespace bb; + +// template class GeminiTest : public CommitmentTest { +// using GeminiProver = GeminiProver_; +// using GeminiVerifier = GeminiVerifier_; +// using Fr = typename Curve::ScalarField; +// using GroupElement = typename Curve::Element; + +// public: +// void execute_gemini_and_verify_claims(std::vector& multilinear_evaluation_point, +// std::vector& unshifted_evaluations, +// std::vector& shifted_evaluations, +// std::vector>& multilinear_polynomials, +// std::vector>& multilinear_polynomials_to_be_shifted, +// std::vector& multilinear_commitments, +// std::vector& multilinear_commitments_to_be_shifted) +// { +// auto prover_transcript = NativeTranscript::prover_init_empty(); + +// // Compute: +// // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1 +// // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1 +// auto prover_output = GeminiProver::prove(1 << multilinear_evaluation_point.size(), +// RefVector(multilinear_polynomials), +// RefVector(multilinear_polynomials_to_be_shifted), +// RefVector(unshifted_evaluations), +// RefVector(shifted_evaluations), +// multilinear_evaluation_point, +// this->commitment_key, +// prover_transcript); + +// // Check that the Fold polynomials have been evaluated correctly in the prover +// this->verify_batch_opening_pair(prover_output); + +// auto verifier_transcript = NativeTranscript::verifier_init_empty(prover_transcript); + +// // Compute: +// // - Single opening pair: {r, \hat{a}_0} +// // - 2 partially evaluated Fold polynomial commitments [Fold_{r}^(0)] and [Fold_{-r}^(0)] +// // Aggregate: d+1 opening pairs and d+1 Fold poly commitments into verifier claim +// auto verifier_claims = GeminiVerifier::reduce_verification(multilinear_evaluation_point, +// multilinear_evaluations, +// RefVector(multilinear_commitments), +// RefVector(multilinear_commitments_to_be_shifted), +// verifier_transcript); + +// // Check equality of the opening pairs computed by prover and verifier +// for (auto [prover_claim, verifier_claim] : zip_view(prover_output, verifier_claims)) { +// ASSERT_EQ(prover_claim.opening_pair, verifier_claim.opening_pair); +// this->verify_opening_claim(verifier_claim, prover_claim.polynomial); +// } +// } +// }; + +// using ParamsTypes = ::testing::Types; +// TYPED_TEST_SUITE(GeminiTest, ParamsTypes); + +// TYPED_TEST(GeminiTest, Single) +// { +// using Fr = typename TypeParam::ScalarField; +// using GroupElement = typename TypeParam::Element; + +// const size_t n = 16; +// const size_t log_n = 4; + +// auto u = this->random_evaluation_point(log_n); +// auto poly = Polynomial::random(n); +// auto commitment = this->commit(poly); +// auto eval = poly.evaluate_mle(u); + +// // Collect multilinear polynomials evaluations, and commitments for input to prover/verifier +// std::vector multilinear_evaluations = { eval }; +// std::vector> multilinear_polynomials = { poly.share() }; +// std::vector> multilinear_polynomials_to_be_shifted = {}; +// std::vector multilinear_commitments = { commitment }; +// std::vector multilinear_commitments_to_be_shifted = {}; + +// this->execute_gemini_and_verify_claims(u, +// { eval }, +// {}, +// multilinear_polynomials, +// multilinear_polynomials_to_be_shifted, +// multilinear_commitments, +// multilinear_commitments_to_be_shifted); +// } + +// TYPED_TEST(GeminiTest, SingleShift) +// { +// using Fr = typename TypeParam::ScalarField; +// using GroupElement = typename TypeParam::Element; + +// const size_t n = 16; +// const size_t log_n = 4; + +// auto u = this->random_evaluation_point(log_n); + +// // shiftable polynomial must have 0 as last coefficient +// auto poly = Polynomial::random(n, /*shiftable*/ 1); + +// auto commitment = this->commit(poly); +// auto eval_shift = poly.evaluate_mle(u, true); + +// // Collect multilinear polynomials evaluations, and commitments for input to prover/verifier +// std::vector multilinear_evaluations = { eval_shift }; +// std::vector> multilinear_polynomials = {}; +// std::vector> multilinear_polynomials_to_be_shifted = { poly.share() }; +// std::vector multilinear_commitments = {}; +// std::vector multilinear_commitments_to_be_shifted = { commitment }; + +// this->execute_gemini_and_verify_claims(u, +// {}, +// { eval_shift }, +// multilinear_polynomials, +// multilinear_polynomials_to_be_shifted, +// multilinear_commitments, +// multilinear_commitments_to_be_shifted); +// } + +// TYPED_TEST(GeminiTest, Double) +// { +// using Fr = typename TypeParam::ScalarField; +// using GroupElement = typename TypeParam::Element; + +// const size_t n = 16; +// const size_t log_n = 4; + +// auto u = this->random_evaluation_point(log_n); + +// auto poly1 = Polynomial::random(n); +// auto poly2 = Polynomial::random(n); + +// auto commitment1 = this->commit(poly1); +// auto commitment2 = this->commit(poly2); + +// auto eval1 = poly1.evaluate_mle(u); +// auto eval2 = poly2.evaluate_mle(u); + +// // Collect multilinear polynomials evaluations, and commitments for input to prover/verifier +// std::vector multilinear_evaluations = { eval1, eval2 }; +// std::vector> multilinear_polynomials = { poly1.share(), poly2.share() }; +// std::vector> multilinear_polynomials_to_be_shifted = {}; +// std::vector multilinear_commitments = { commitment1, commitment2 }; +// std::vector multilinear_commitments_to_be_shifted = {}; + +// this->execute_gemini_and_verify_claims(u, +// { eval1, eval2 }, +// {}, +// multilinear_polynomials, +// multilinear_polynomials_to_be_shifted, +// multilinear_commitments, +// multilinear_commitments_to_be_shifted); +// } + +// TYPED_TEST(GeminiTest, DoubleWithShift) +// { +// using Fr = typename TypeParam::ScalarField; +// using GroupElement = typename TypeParam::Element; + +// const size_t n = 16; +// const size_t log_n = 4; + +// auto u = this->random_evaluation_point(log_n); + +// auto poly1 = Polynomial::random(n); +// auto poly2 = Polynomial::random(n, 1); // make 'shiftable' + +// auto commitment1 = this->commit(poly1); +// auto commitment2 = this->commit(poly2); + +// auto eval1 = poly1.evaluate_mle(u); +// auto eval2 = poly2.evaluate_mle(u); +// auto eval2_shift = poly2.evaluate_mle(u, true); + +// // Collect multilinear polynomials evaluations, and commitments for input to prover/verifier +// std::vector multilinear_evaluations = { eval1, eval2, eval2_shift }; +// std::vector> multilinear_polynomials = { poly1.share(), poly2.share() }; +// std::vector> multilinear_polynomials_to_be_shifted = { poly2.share() }; +// std::vector multilinear_commitments = { commitment1, commitment2 }; +// std::vector multilinear_commitments_to_be_shifted = { commitment2 }; + +// this->execute_gemini_and_verify_claims(u, +// { eval1, eval2 }, +// { eval2_shift }, +// multilinear_polynomials, +// multilinear_polynomials_to_be_shifted, +// multilinear_commitments, +// multilinear_commitments_to_be_shifted); +// } diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini_impl.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini_impl.hpp index 5876f5ac51b2..68bd204c3d85 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini_impl.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini_impl.hpp @@ -42,38 +42,38 @@ namespace bb { template template std::vector::Claim> GeminiProver_::prove( - [[maybe_unused]] Fr circuit_size, // Will be used when constant proof sizes are in - RefSpan f_polynomials, // unshifted - RefSpan g_polynomials, // to-be-shifted - RefSpan multilinear_evaluations, /* u */ + [[maybe_unused]] Fr circuit_size, // Will be used when constant proof sizes are in + RefSpan f_polynomials, // unshifted + RefSpan g_polynomials, // to-be-shifted + RefSpan unshifted_evaluations, + RefSpan shifted_evaluations, std::span multilinear_challenge, const std::shared_ptr>& commitment_key, const std::shared_ptr& transcript) { - ASSERT(multilinear_evaluations.size() == f_polynomials.size() + g_polynomials.size()); + ASSERT(unshifted_evaluations.size() + shifted_evaluations.size() == f_polynomials.size() + g_polynomials.size()); size_t log_n = numeric::get_msb(static_cast(circuit_size)); size_t n = 1 << log_n; Fr rho = transcript->template get_challenge("rho"); - std::vector rhos = gemini::powers_of_rho(rho, multilinear_evaluations.size()); - - // Compute batched multivariate evaluation - Fr batched_evaluation = Fr::zero(); - for (size_t i = 0; i < rhos.size(); ++i) { - batched_evaluation += multilinear_evaluations[i] * rhos[i]; - } + std::vector rhos = gemini::powers_of_rho(rho, unshifted_evaluations.size() + shifted_evaluations.size()); // Compute batched polynomials Polynomial batched_unshifted(n); Polynomial batched_to_be_shifted = Polynomial::shiftable(1 << log_n); + // Fr batched_evaluation = Fr::zero(); const size_t num_unshifted = f_polynomials.size(); const size_t num_to_be_shifted = g_polynomials.size(); for (size_t i = 0; i < num_unshifted; i++) { - batched_unshifted.add_scaled(f_polynomials[i], rhos[i]); + Fr rho_challenge = rhos[i]; + batched_unshifted.add_scaled(f_polynomials[i], rho_challenge); + // batched_evaluation += unshifted_evaluations[i] * rho_challenge; } for (size_t i = 0; i < num_to_be_shifted; i++) { - batched_to_be_shifted.add_scaled(g_polynomials[i], rhos[num_unshifted + i]); + Fr rho_challenge = rhos[num_unshifted + i]; + batched_to_be_shifted.add_scaled(g_polynomials[i], rho_challenge); + // batched_evaluation += shifted_evaluations[i] * rho_challenge; } auto fold_polynomials = compute_fold_polynomials( diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp index 0b1fec24c903..187fcdce629f 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp @@ -269,7 +269,8 @@ TEST_F(IPATest, GeminiShplonkIPAWithShift) auto prover_opening_claims = GeminiProver::prove(n, RefArray{ poly1, poly2 }, RefArray{ poly2 }, - RefVector(multilinear_evaluations), + RefArray{ eval1, eval2 }, + RefArray{ eval2 }, mle_opening_point, this->ck(), prover_transcript); @@ -314,8 +315,6 @@ TEST_F(IPATest, ShpleminiIPAWithShift) auto eval2 = poly2.evaluate_mle(mle_opening_point); auto eval2_shift = poly2.evaluate_mle(mle_opening_point, true); - std::vector multilinear_evaluations = { eval1, eval2, eval2_shift }; - auto prover_transcript = NativeTranscript::prover_init_empty(); // Run the full prover PCS protocol: @@ -326,7 +325,8 @@ TEST_F(IPATest, ShpleminiIPAWithShift) auto prover_opening_claims = GeminiProver::prove(n, RefArray{ poly1, poly2 }, RefArray{ poly2 }, - RefVector(multilinear_evaluations), + RefArray{ eval1, eval2 }, + RefArray{ eval2_shift }, mle_opening_point, this->ck(), prover_transcript); @@ -339,7 +339,8 @@ TEST_F(IPATest, ShpleminiIPAWithShift) const auto batch_opening_claim = ShpleminiVerifier::compute_batch_opening_claim(n, RefVector(unshifted_commitments), RefVector(shifted_commitments), - RefVector(multilinear_evaluations), + RefArray{ eval1, eval2 }, + RefArray{ eval2_shift }, mle_opening_point, this->vk()->get_g1_identity(), verifier_transcript); diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp index 10230931c1a9..339f58d58b96 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp @@ -95,7 +95,8 @@ TYPED_TEST(KZGTest, GeminiShplonkKzgWithShift) auto prover_opening_claims = GeminiProver::prove(n, RefArray{ poly1, poly2 }, RefArray{ poly2 }, - RefVector(multilinear_evaluations), + RefArray{ eval1, eval2 }, + RefArray{ eval2_shift }, mle_opening_point, this->ck(), prover_transcript); @@ -155,13 +156,13 @@ TYPED_TEST(KZGTest, ShpleminiKzgWithShift) Commitment commitment1 = this->commit(poly1); Commitment commitment2 = this->commit(poly2); std::vector unshifted_commitments = { commitment1, commitment2 }; - std::vector shifted_commitments = { commitment2 }; + std::vector shifted_commitments = { commitment1 }; auto eval1 = poly1.evaluate_mle(mle_opening_point); auto eval2 = poly2.evaluate_mle(mle_opening_point); - auto eval2_shift = poly2.evaluate_mle(mle_opening_point, true); + auto eval1_shift = poly1.evaluate_mle(mle_opening_point, true); // Collect multilinear evaluations for input to prover - std::vector multilinear_evaluations = { eval1, eval2, eval2_shift }; + std::vector multilinear_evaluations = { eval1, eval2, eval1_shift }; auto prover_transcript = NativeTranscript::prover_init_empty(); @@ -172,8 +173,9 @@ TYPED_TEST(KZGTest, ShpleminiKzgWithShift) // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1 auto prover_opening_claims = GeminiProver::prove(n, RefArray{ poly1, poly2 }, - RefArray{ poly2 }, - RefVector(multilinear_evaluations), + RefArray{ poly1 }, + RefArray{ eval1, eval2 }, + RefArray{ eval1_shift }, mle_opening_point, this->ck(), prover_transcript); @@ -196,7 +198,8 @@ TYPED_TEST(KZGTest, ShpleminiKzgWithShift) const auto batch_opening_claim = ShpleminiVerifier::compute_batch_opening_claim(n, RefVector(unshifted_commitments), RefVector(shifted_commitments), - RefVector(multilinear_evaluations), + RefArray{ eval1, eval2 }, + RefArray{ eval1_shift }, mle_opening_point, this->vk()->get_g1_identity(), verifier_transcript); diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp index 8d4edab4ce82..32cef2fdde89 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp @@ -24,7 +24,8 @@ template class ShpleminiProver_ { static OpeningClaim prove(FF circuit_size, RefSpan f_polynomials, RefSpan g_polynomials, - RefSpan multilinear_evaluations, + RefSpan unshifted_evaluations, + RefSpan shifted_evaluations, std::span multilinear_challenge, const std::shared_ptr>& commitment_key, const std::shared_ptr& transcript) @@ -32,7 +33,8 @@ template class ShpleminiProver_ { std::vector opening_claims = GeminiProver::prove(circuit_size, f_polynomials, g_polynomials, - multilinear_evaluations, + unshifted_evaluations, + shifted_evaluations, multilinear_challenge, commitment_key, transcript); @@ -107,7 +109,8 @@ template class ShpleminiVerifier_ { static BatchOpeningClaim compute_batch_opening_claim(const Fr N, RefSpan unshifted_commitments, RefSpan shifted_commitments, - RefSpan claimed_evaluations, + RefSpan unshifted_evaluations, + RefSpan shifted_evaluations, const std::vector& multivariate_challenge, const Commitment& g1_identity, std::shared_ptr& transcript) @@ -176,13 +179,15 @@ template class ShpleminiVerifier_ { Fr batched_evaluation{ 0 }; batch_multivariate_opening_claims(unshifted_commitments, shifted_commitments, - claimed_evaluations, + unshifted_evaluations, + shifted_evaluations, multivariate_batching_challenge, unshifted_scalar, shifted_scalar, commitments, scalars, batched_evaluation); + info("Verifier: ", batched_evaluation); // Place the commitments to Gemini Aᵢ to the vector of commitments, compute the contributions from // Aᵢ(−r²ⁱ) for i=1, … , n−1 to the constant term accumulator, add corresponding scalars @@ -259,7 +264,8 @@ template class ShpleminiVerifier_ { */ static void batch_multivariate_opening_claims(RefSpan unshifted_commitments, RefSpan shifted_commitments, - RefSpan claimed_evaluations, + RefSpan unshifted_evaluations, + RefSpan shifted_evaluations, const Fr& multivariate_batching_challenge, const Fr& unshifted_scalar, const Fr& shifted_scalar, @@ -267,27 +273,25 @@ template class ShpleminiVerifier_ { std::vector& scalars, Fr& batched_evaluation) { - size_t evaluation_idx = 0; Fr current_batching_challenge = Fr(1); - for (auto& unshifted_commitment : unshifted_commitments) { + for (auto [unshifted_commitment, unshifted_evaluation] : + zip_view(unshifted_commitments, unshifted_evaluations)) { // Move unshifted commitments to the 'commitments' vector commitments.emplace_back(std::move(unshifted_commitment)); // Compute −ρⁱ ⋅ (1/(z−r) + ν/(z+r)) and place into 'scalars' scalars.emplace_back(-unshifted_scalar * current_batching_challenge); // Accumulate the evaluation of ∑ ρⁱ ⋅ fᵢ at the sumcheck challenge - batched_evaluation += claimed_evaluations[evaluation_idx] * current_batching_challenge; - evaluation_idx += 1; + batched_evaluation += unshifted_evaluation * current_batching_challenge; // Update the batching challenge current_batching_challenge *= multivariate_batching_challenge; } - for (auto& shifted_commitment : shifted_commitments) { + for (auto [shifted_commitment, shifted_evaluation] : zip_view(shifted_commitments, shifted_evaluations)) { // Move shifted commitments to the 'commitments' vector commitments.emplace_back(std::move(shifted_commitment)); // Compute −ρ⁽ⁱ⁺ᵏ⁾ ⋅ r⁻¹ ⋅ (1/(z−r) − ν/(z+r)) and place into 'scalars' scalars.emplace_back(-shifted_scalar * current_batching_challenge); // Accumulate the evaluation of ∑ ρ⁽ⁱ⁺ᵏ⁾ ⋅ f_shift, i at the sumcheck challenge - batched_evaluation += claimed_evaluations[evaluation_idx] * current_batching_challenge; - evaluation_idx += 1; + batched_evaluation += shifted_evaluation * current_batching_challenge; // Update the batching challenge current_batching_challenge *= multivariate_batching_challenge; } diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp index 9edded91b10c..57c542b1b490 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp @@ -101,7 +101,8 @@ TYPED_TEST(ShpleminiTest, CorrectnessOfMultivariateClaimBatching) ShpleminiVerifier::batch_multivariate_opening_claims(RefVector(unshifted_commitments), RefVector(shifted_commitments), - RefVector(multilinear_evaluations), + RefArray{ eval1, eval2, eval3 }, + RefArray{ eval2_shift, eval3_shift }, rho, unshifted_scalar, shifted_scalar, @@ -116,8 +117,9 @@ TYPED_TEST(ShpleminiTest, CorrectnessOfMultivariateClaimBatching) EXPECT_EQ(batched_evaluation, verifier_batched_evaluation); EXPECT_EQ(-expected_result, shplemini_result); } - -TYPED_TEST(ShpleminiTest, CorrectnessOfGeminiClaimBatching) +0x0a77620a91f94ac0e8a3823a0d30688bbae0064fee682d386addae7400feb51e, + 0x13cc6c8e5f61f0c514dcab6c00b9b7fcd13f1cee5e7027383601c3726e036f3f TYPED_TEST(ShpleminiTest, + CorrectnessOfGeminiClaimBatching) { using GeminiProver = GeminiProver_; using ShpleminiVerifier = ShpleminiVerifier_; diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp index 2511f2cd5229..e1ee3b92fcdf 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp @@ -336,7 +336,8 @@ template class ZeroMorphProver_ { static OpeningClaim prove(FF circuit_size, RefSpan f_polynomials, RefSpan g_polynomials, - RefSpan multilinear_evaluations, + RefSpan f_evaluations, + RefSpan g_shift_evaluations, std::span multilinear_challenge, const std::shared_ptr>& commitment_key, const std::shared_ptr& transcript, @@ -370,20 +371,17 @@ template class ZeroMorphProver_ { FF batched_evaluation{ 0 }; Polynomial f_batched(N); // batched unshifted polynomials FF batching_scalar{ 1 }; - size_t evaluation_idx = 0; - for (auto f_poly : f_polynomials) { + for (auto [f_poly, f_eval] : zip_view(f_polynomials, f_evaluations)) { f_batched.add_scaled(f_poly, batching_scalar); - batched_evaluation += batching_scalar * multilinear_evaluations[evaluation_idx]; + batched_evaluation += batching_scalar * f_eval; batching_scalar *= rho; - evaluation_idx++; } Polynomial g_batched{ N - 1, N, 1 }; // batched to-be-shifted polynomials - for (auto g_poly : g_polynomials) { + for (auto [g_poly, g_shift_eval] : zip_view(g_polynomials, g_shift_evaluations)) { g_batched.add_scaled(g_poly, batching_scalar); - batched_evaluation += batching_scalar * multilinear_evaluations[evaluation_idx]; + batched_evaluation += batching_scalar * g_shift_eval; batching_scalar *= rho; - evaluation_idx++; }; size_t num_groups = concatenation_groups.size(); @@ -724,7 +722,8 @@ template class ZeroMorphVerifier_ { static OpeningClaim verify(FF circuit_size, RefSpan unshifted_commitments, RefSpan to_be_shifted_commitments, - RefSpan multilinear_evaluations, + RefSpan unshifted_evaluations, + RefSpan shifted_evaluations, std::span multivariate_challenge, const Commitment& g1_identity, const std::shared_ptr& transcript, @@ -743,7 +742,11 @@ template class ZeroMorphVerifier_ { // Construct batched evaluation v = sum_{i=0}^{m-1}\rho^i*f_i(u) + sum_{i=0}^{l-1}\rho^{m+i}*h_i(u) FF batched_evaluation = FF(0); FF batching_scalar = FF(1); - for (auto& value : multilinear_evaluations) { + for (auto& value : unshifted_evaluations) { + batched_evaluation += value * batching_scalar; + batching_scalar *= rho; + } + for (auto& value : shifted_evaluations) { batched_evaluation += value * batching_scalar; batching_scalar *= rho; } diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.test.cpp index ab793cde8be5..1f060410679b 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.test.cpp @@ -208,15 +208,13 @@ template class ZeroMorphTest : public CommitmentTest u_challenge) { auto prover_transcript = NativeTranscript::prover_init_empty(); - std::vector multilinear_evaluations(unshifted.evaluations); - multilinear_evaluations.insert( - multilinear_evaluations.end(), shifted.evaluations.begin(), shifted.evaluations.end()); // Execute Prover protocol auto prover_opening_claim = ZeroMorphProver::prove(N, RefVector(unshifted.polynomials), // unshifted RefVector(shifted.polynomials), // to-be shifted - RefVector(multilinear_evaluations), + RefVector(unshifted.evaluations), // unshifted + RefVector(shifted.evaluations), // shifted u_challenge, this->commitment_key, prover_transcript); @@ -228,7 +226,8 @@ template class ZeroMorphTest : public CommitmentTestvk()->get_g1_identity(), verifier_transcript); @@ -236,6 +235,7 @@ template class ZeroMorphTest : public CommitmentTest>) { + result = PCS::reduce_verify(verifier_opening_claim, verifier_transcript); verified = this->vk()->pairing_check(result[0], result[1]); } else { @@ -257,9 +257,6 @@ template class ZeroMorphTest : public CommitmentTest multilinear_evaluations(unshifted.evaluations); - multilinear_evaluations.insert( - multilinear_evaluations.end(), shifted.evaluations.begin(), shifted.evaluations.end()); auto prover_transcript = NativeTranscript::prover_init_empty(); @@ -268,7 +265,8 @@ template class ZeroMorphTest : public CommitmentTestcommitment_key, prover_transcript, @@ -283,7 +281,8 @@ template class ZeroMorphTest : public CommitmentTestvk()->get_g1_identity(), verifier_transcript, diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp index ae75f6c71f99..eec1bbe2ec87 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp @@ -67,14 +67,10 @@ TEST(ShpleminiRecursionTest, ProveAndVerifySingle) for (size_t i = 0; i < NUM_SHIFTED; ++i) { g_polynomials.emplace_back(f_polynomials[i]); h_polynomials.emplace_back(g_polynomials[i].shifted()); - w_evaluations.emplace_back(h_polynomials[i].evaluate_mle(u_challenge)); + w_evaluations.emplace_back(f_polynomials[i].evaluate_mle(u_challenge, true)); } } - std::vector claimed_evaluations; - claimed_evaluations.reserve(v_evaluations.size() + w_evaluations.size()); - claimed_evaluations.insert(claimed_evaluations.end(), v_evaluations.begin(), v_evaluations.end()); - claimed_evaluations.insert(claimed_evaluations.end(), w_evaluations.begin(), w_evaluations.end()); // Compute commitments [f_i] std::vector f_commitments; auto commitment_key = std::make_shared(4096); @@ -92,7 +88,8 @@ TEST(ShpleminiRecursionTest, ProveAndVerifySingle) auto prover_opening_claims = ShpleminiProver::prove(N, RefVector(f_polynomials), RefVector(g_polynomials), - RefVector(claimed_evaluations), + RefVector(v_evaluations), + RefVector(w_evaluations), u_challenge, commitment_key, prover_transcript); @@ -123,15 +120,17 @@ TEST(ShpleminiRecursionTest, ProveAndVerifySingle) }; auto stdlib_f_commitments = commitments_to_witnesses(f_commitments); auto stdlib_g_commitments = commitments_to_witnesses(g_commitments); - auto stdlib_claimed_evaluations = elements_to_witness(claimed_evaluations); + auto stdlib_v_evaluations = elements_to_witness(v_evaluations); + auto stdlib_w_evaluations = elements_to_witness(w_evaluations); std::vector u_challenge_in_circuit = elements_to_witness(u_challenge); [[maybe_unused]] auto opening_claim = - ShpleminiVerifier::compute_batch_opening_claim(Fr::from_witness(&builder, circuit_size), + ShpleminiVerifier::compute_batch_opening_claim(Fr::from_witness(&builder, N), RefVector(stdlib_f_commitments), RefVector(stdlib_g_commitments), - RefVector(stdlib_claimed_evaluations), + RefVector(stdlib_v_evaluations), + RefVector(stdlib_w_evaluations), u_challenge_in_circuit, Commitment::one(&builder), stdlib_verifier_transcript); diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/zeromorph.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/zeromorph.test.cpp index 25ed21a16717..5c6f22d6af4e 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/zeromorph.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/zeromorph.test.cpp @@ -51,10 +51,10 @@ TEST(ZeroMorphRecursionTest, ProveAndVerifySingle) // Construct some random multilinear polynomials f_i and their evaluations v_i = f_i(u) std::vector f_polynomials; // unshifted polynomials - std::vector multilinear_evaluations; + std::vector v_evaluations; for (size_t i = 0; i < NUM_UNSHIFTED; ++i) { f_polynomials.emplace_back(Polynomial::random(N, /* starting index for shift */ 1)); - multilinear_evaluations.emplace_back(f_polynomials[i].evaluate_mle(u_challenge)); + v_evaluations.emplace_back(f_polynomials[i].evaluate_mle(u_challenge)); } // Construct some "shifted" multilinear polynomials h_i as the left-shift-by-1 of f_i std::vector g_polynomials; // to-be-shifted polynomials @@ -64,7 +64,7 @@ TEST(ZeroMorphRecursionTest, ProveAndVerifySingle) for (size_t i = 0; i < NUM_SHIFTED; ++i) { g_polynomials.emplace_back(f_polynomials[i]); h_polynomials.emplace_back(g_polynomials[i].shifted()); - multilinear_evaluations.emplace_back(h_polynomials[i].evaluate_mle(u_challenge)); + w_evaluations.emplace_back(h_polynomials[i].evaluate_mle(u_challenge)); } } @@ -88,7 +88,8 @@ TEST(ZeroMorphRecursionTest, ProveAndVerifySingle) ZeroMorphProver::prove(N, RefVector(f_polynomials), RefVector(g_polynomials), - RefVector(multilinear_evaluations), + RefVector(v_evaluations), + RefVector(w_evaluations), u_challenge, commitment_key, prover_transcript); @@ -119,7 +120,8 @@ TEST(ZeroMorphRecursionTest, ProveAndVerifySingle) }; auto stdlib_f_commitments = commitments_to_witnesses(f_commitments); auto stdlib_g_commitments = commitments_to_witnesses(g_commitments); - auto stdlib_multilinear_evaluations = elements_to_witness(multilinear_evaluations); + auto stdlib_v_evaluations = elements_to_witness(v_evaluations); + auto stdlib_w_evaluations = elements_to_witness(w_evaluations); std::vector u_challenge_in_circuit(CONST_PROOF_SIZE_LOG_N); std::fill_n(u_challenge_in_circuit.begin(), CONST_PROOF_SIZE_LOG_N, Fr::from_witness(&builder, 0)); @@ -128,7 +130,8 @@ TEST(ZeroMorphRecursionTest, ProveAndVerifySingle) [[maybe_unused]] auto opening_claim = ZeroMorphVerifier::verify(Fr::from_witness(&builder, N), RefVector(stdlib_f_commitments), // unshifted RefVector(stdlib_g_commitments), // to-be-shifted - RefVector(stdlib_multilinear_evaluations), + RefVector(stdlib_v_evaluations), // unshifted + RefVector(stdlib_w_evaluations), // shifted u_challenge_in_circuit, Commitment::one(&builder), stdlib_verifier_transcript); diff --git a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp index 5b0ceba14acf..eeb04cddc997 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp @@ -75,7 +75,8 @@ template void ECCVMRecursiveVerifier_::verify_proof(co auto multivariate_to_univariate_opening_claim = ZeroMorph::verify(circuit_size, commitments.get_unshifted(), commitments.get_to_be_shifted(), - claimed_evaluations.get_all(), + claimed_evaluations.get_unshifted(), + claimed_evaluations.get_shifted(), multivariate_challenge, key->pcs_verification_key->get_g1_identity(), transcript); diff --git a/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/decider_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/decider_recursive_verifier.cpp index 871d4a569d67..96cc81cd8599 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/decider_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/decider_recursive_verifier.cpp @@ -35,7 +35,8 @@ std::array DeciderRecursiveVerifier_:: auto opening_claim = ZeroMorph::verify(accumulator->verification_key->circuit_size, commitments.get_unshifted(), commitments.get_to_be_shifted(), - claimed_evaluations.get_all(), + claimed_evaluations.get_unshifted(), + claimed_evaluations.get_shifted(), multivariate_challenge, Commitment::one(builder), transcript); diff --git a/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.cpp index 302c81c8dc9d..a728f3e3f7ed 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.cpp @@ -95,7 +95,8 @@ UltraRecursiveVerifier_::AggregationObject UltraRecursiveVerifier_circuit_size, commitments.get_unshifted(), commitments.get_to_be_shifted(), - claimed_evaluations.get_all(), + claimed_evaluations.get_unshifted(), + claimed_evaluations.get_shifted(), multivariate_challenge, Commitment::one(builder), transcript); diff --git a/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp index 8ecfb904450a..7f5c5096b521 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp @@ -121,7 +121,8 @@ std::array TranslatorRecursiveVerifier_; - auto prover_opening_claim = ZeroMorph::prove(key->circuit_size, - key->polynomials.get_unshifted_without_concatenated(), - key->polynomials.get_to_be_shifted(), - sumcheck_output.claimed_evaluations.get_all(), - sumcheck_output.challenge, - commitment_key, - transcript, - key->polynomials.get_concatenated_constraints(), - sumcheck_output.claimed_evaluations.get_concatenated_constraints(), - key->polynomials.get_concatenation_groups()); + auto prover_opening_claim = + ZeroMorph::prove(key->circuit_size, + key->polynomials.get_unshifted_without_concatenated(), + key->polynomials.get_to_be_shifted(), + sumcheck_output.claimed_evaluations.get_unshifted_without_concatenated(), + sumcheck_output.claimed_evaluations.get_shifted(), + sumcheck_output.challenge, + commitment_key, + transcript, + key->polynomials.get_concatenated_constraints(), + sumcheck_output.claimed_evaluations.get_concatenated_constraints(), + key->polynomials.get_concatenation_groups()); PCS::compute_opening_proof(commitment_key, prover_opening_claim, transcript); } diff --git a/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp b/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp index 894db1bd9f94..59429a359275 100644 --- a/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp @@ -116,7 +116,8 @@ bool TranslatorVerifier::verify_proof(const HonkProof& proof) auto opening_claim = ZeroMorph::verify(circuit_size, commitments.get_unshifted_without_concatenated(), commitments.get_to_be_shifted(), - claimed_evaluations.get_all_without_concatenated(), + claimed_evaluations.get_unshifted_without_concatenated(), + claimed_evaluations.get_shifted(), multivariate_challenge, Commitment::one(), transcript, diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp index 71c094cfb554..0a589dac56ad 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp @@ -53,7 +53,8 @@ template void DeciderProver_::execute_pcs_rounds( BatchedMultivariateOpeningScheme::prove(proving_key->proving_key.circuit_size, proving_key->proving_key.polynomials.get_unshifted(), proving_key->proving_key.polynomials.get_to_be_shifted(), - sumcheck_output.claimed_evaluations.get_all(), + sumcheck_output.claimed_evaluations.get_unshifted(), + sumcheck_output.claimed_evaluations.get_shifted(), sumcheck_output.challenge, commitment_key, transcript); diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.cpp index 9adfcf9dfa85..18ce637edc05 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.cpp @@ -61,7 +61,8 @@ template bool DeciderVerifier_::verify() auto opening_claim = Shplemini::compute_batch_opening_claim(accumulator->verification_key->circuit_size, commitments.get_unshifted(), commitments.get_to_be_shifted(), - claimed_evaluations.get_all(), + claimed_evaluations.get_unshifted(), + claimed_evaluations.get_shifted(), multivariate_challenge, Commitment::one(), transcript); @@ -71,7 +72,8 @@ template bool DeciderVerifier_::verify() auto opening_claim = ZeroMorph::verify(accumulator->verification_key->circuit_size, commitments.get_unshifted(), commitments.get_to_be_shifted(), - claimed_evaluations.get_all(), + claimed_evaluations.get_unshifted(), + claimed_evaluations.get_shifted(), multivariate_challenge, Commitment::one(), transcript); diff --git a/barretenberg/cpp/src/barretenberg/vm/avm/generated/prover.cpp b/barretenberg/cpp/src/barretenberg/vm/avm/generated/prover.cpp index 42fcce31b73d..488bf1fc4b31 100644 --- a/barretenberg/cpp/src/barretenberg/vm/avm/generated/prover.cpp +++ b/barretenberg/cpp/src/barretenberg/vm/avm/generated/prover.cpp @@ -130,7 +130,8 @@ void AvmProver::execute_pcs_rounds() auto prover_opening_claim = ZeroMorph::prove(key->circuit_size, prover_polynomials.get_unshifted(), prover_polynomials.get_to_be_shifted(), - sumcheck_output.claimed_evaluations.get_all(), + sumcheck_output.claimed_evaluations.get_unshifted(), + sumcheck_output.claimed_evaluations.get_shifted(), sumcheck_output.challenge, commitment_key, transcript); diff --git a/barretenberg/cpp/src/barretenberg/vm/avm/generated/verifier.cpp b/barretenberg/cpp/src/barretenberg/vm/avm/generated/verifier.cpp index c9295321a278..bd132af86f62 100644 --- a/barretenberg/cpp/src/barretenberg/vm/avm/generated/verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/vm/avm/generated/verifier.cpp @@ -140,7 +140,8 @@ bool AvmVerifier::verify_proof(const HonkProof& proof, auto opening_claim = ZeroMorph::verify(circuit_size, commitments.get_unshifted(), commitments.get_to_be_shifted(), - claimed_evaluations.get_all(), + claimed_evaluations.get_unshifted(), + claimed_evaluations.get_shifted(), multivariate_challenge, key->pcs_verification_key->get_g1_identity(), transcript); diff --git a/barretenberg/cpp/src/barretenberg/vm/avm/recursion/avm_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/vm/avm/recursion/avm_recursive_verifier.cpp index a8fd0916fa1c..9148e568668c 100644 --- a/barretenberg/cpp/src/barretenberg/vm/avm/recursion/avm_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/vm/avm/recursion/avm_recursive_verifier.cpp @@ -85,7 +85,8 @@ AvmRecursiveVerifier_::AggregationObject AvmRecursiveVerifier_:: auto opening_claim = Zeromorph::verify(circuit_size, commitments.get_unshifted(), commitments.get_to_be_shifted(), - claimed_evaluations.get_all(), + claimed_evaluations.get_unshifted(), + claimed_evaluations.get_shifted(), multivariate_challenge, Commitment::one(builder), transcript); diff --git a/bb-pilcom/bb-pil-backend/templates/prover.cpp.hbs b/bb-pilcom/bb-pil-backend/templates/prover.cpp.hbs index 8cf91ca2c2f4..c8eada2e5062 100644 --- a/bb-pilcom/bb-pil-backend/templates/prover.cpp.hbs +++ b/bb-pilcom/bb-pil-backend/templates/prover.cpp.hbs @@ -131,7 +131,8 @@ void {{name}}Prover::execute_pcs_rounds() auto prover_opening_claim = ZeroMorph::prove(key->circuit_size, prover_polynomials.get_unshifted(), prover_polynomials.get_to_be_shifted(), - sumcheck_output.claimed_evaluations.get_all(), + sumcheck_output.claimed_evaluations.get_unshifted(), + sumcheck_output.claimed_evaluations.get_shifted(), sumcheck_output.challenge, commitment_key, transcript); diff --git a/bb-pilcom/bb-pil-backend/templates/verifier.cpp.hbs b/bb-pilcom/bb-pil-backend/templates/verifier.cpp.hbs index fb977f1b586c..dbb2ad78685e 100644 --- a/bb-pilcom/bb-pil-backend/templates/verifier.cpp.hbs +++ b/bb-pilcom/bb-pil-backend/templates/verifier.cpp.hbs @@ -119,7 +119,8 @@ bool {{name}}Verifier::verify_proof(const HonkProof& proof, [[maybe_unused]] con auto opening_claim = ZeroMorph::verify(circuit_size, commitments.get_unshifted(), commitments.get_to_be_shifted(), - claimed_evaluations.get_all(), + claimed_evaluations.get_unshifted(), + claimed_evaluations.get_shifted(), multivariate_challenge, key->pcs_verification_key->get_g1_identity(), transcript); From 17323fcd695befa2c756240e4cfed3005cee5208 Mon Sep 17 00:00:00 2001 From: maramihali Date: Mon, 23 Sep 2024 10:26:35 +0000 Subject: [PATCH 14/31] made things work --- barretenberg/acir_tests/sol-test/yarn.lock | 2 +- .../commitment_schemes/gemini/gemini.hpp | 11 +- .../commitment_schemes/gemini/gemini.test.cpp | 381 +++++++++--------- .../commitment_schemes/gemini/gemini_impl.hpp | 10 +- .../commitment_schemes/ipa/ipa.test.cpp | 24 +- .../commitment_schemes/kzg/kzg.test.cpp | 55 ++- .../commitment_schemes/shplonk/shplemini.hpp | 67 ++- .../shplonk/shplemini.test.cpp | 4 +- .../src/barretenberg/eccvm/eccvm_prover.cpp | 16 +- .../src/barretenberg/eccvm/eccvm_verifier.cpp | 3 +- .../cpp/src/barretenberg/flavor/flavor.hpp | 2 +- .../translator_recursive_verifier.cpp | 1 - .../stdlib_circuit_builders/mega_flavor.hpp | 1 - .../stdlib_circuit_builders/ultra_flavor.hpp | 1 - .../ultra_keccak_flavor.hpp | 1 + .../translator_vm/translator_flavor.hpp | 2 - .../ultra_honk/decider_prover.cpp | 35 +- .../ultra_honk/decider_verifier.cpp | 10 +- 18 files changed, 300 insertions(+), 326 deletions(-) diff --git a/barretenberg/acir_tests/sol-test/yarn.lock b/barretenberg/acir_tests/sol-test/yarn.lock index 5cfac7679f6e..af80282ea956 100644 --- a/barretenberg/acir_tests/sol-test/yarn.lock +++ b/barretenberg/acir_tests/sol-test/yarn.lock @@ -1,4 +1,4 @@ -d# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY. +# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY. # yarn lockfile v1 diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp index a303a13b53e6..0766722893ed 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp @@ -112,8 +112,6 @@ template class GeminiProver_ { static std::vector prove(const Fr circuit_size, RefSpan f_polynomials, RefSpan g_polynomials, - RefSpan unshifted_evaluations, - RefSpan shifted_evaluations, std::span multilinear_challenge, const std::shared_ptr>& commitment_key, const std::shared_ptr& transcript); @@ -138,7 +136,7 @@ template class GeminiVerifier_ { * (Cⱼ, Aⱼ(-r^{2ʲ}), -r^{2}), j = [1, ..., m-1] */ static std::vector> reduce_verification(std::span multilinear_challenge, - std::span multilinear_evaluations, /* u */ + std::span multilinear_evaluations, RefSpan unshifted_commitments, RefSpan to_be_shifted_commitments, auto& transcript) @@ -176,7 +174,7 @@ template class GeminiVerifier_ { const std::vector evaluations = get_gemini_evaluations(num_variables, transcript); // Compute evaluation A₀(r) auto a_0_pos = compute_gemini_batched_univariate_evaluation( - batched_evaluation, multilinear_challenge, r_squares, evaluations); + num_variables, batched_evaluation, multilinear_challenge, r_squares, evaluations); // C₀_r_pos = ∑ⱼ ρʲ⋅[fⱼ] + r⁻¹⋅∑ⱼ ρᵏ⁺ʲ [gⱼ] // C₀_r_pos = ∑ⱼ ρʲ⋅[fⱼ] - r⁻¹⋅∑ⱼ ρᵏ⁺ʲ [gⱼ] @@ -243,12 +241,13 @@ template class GeminiVerifier_ { * @param fold_polynomial_evals Evaluations \f$ A_{i-1}(-r^{2^{i-1}}) \f$. * @return Evaluation \f$ A_0(r) \f$. */ - static Fr compute_gemini_batched_univariate_evaluation(Fr& batched_eval_accumulator, + static Fr compute_gemini_batched_univariate_evaluation(size_t evaluation_point_size, + Fr& batched_eval_accumulator, std::span evaluation_point, std::span challenge_powers, std::span fold_polynomial_evals) { - const size_t num_variables = evaluation_point.size(); + const size_t num_variables = evaluation_point_size; const auto& evals = fold_polynomial_evals; diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.test.cpp index 08a2e8dd7de1..ebb8e2ccb2e2 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.test.cpp @@ -1,194 +1,187 @@ -// #include "gemini_impl.hpp" - -// #include "../commitment_key.test.hpp" -// #include "barretenberg/polynomials/polynomial.hpp" -// #include "barretenberg/transcript/transcript.hpp" - -// using namespace bb; - -// template class GeminiTest : public CommitmentTest { -// using GeminiProver = GeminiProver_; -// using GeminiVerifier = GeminiVerifier_; -// using Fr = typename Curve::ScalarField; -// using GroupElement = typename Curve::Element; - -// public: -// void execute_gemini_and_verify_claims(std::vector& multilinear_evaluation_point, -// std::vector& unshifted_evaluations, -// std::vector& shifted_evaluations, -// std::vector>& multilinear_polynomials, -// std::vector>& multilinear_polynomials_to_be_shifted, -// std::vector& multilinear_commitments, -// std::vector& multilinear_commitments_to_be_shifted) -// { -// auto prover_transcript = NativeTranscript::prover_init_empty(); - -// // Compute: -// // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1 -// // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1 -// auto prover_output = GeminiProver::prove(1 << multilinear_evaluation_point.size(), -// RefVector(multilinear_polynomials), -// RefVector(multilinear_polynomials_to_be_shifted), -// RefVector(unshifted_evaluations), -// RefVector(shifted_evaluations), -// multilinear_evaluation_point, -// this->commitment_key, -// prover_transcript); - -// // Check that the Fold polynomials have been evaluated correctly in the prover -// this->verify_batch_opening_pair(prover_output); - -// auto verifier_transcript = NativeTranscript::verifier_init_empty(prover_transcript); - -// // Compute: -// // - Single opening pair: {r, \hat{a}_0} -// // - 2 partially evaluated Fold polynomial commitments [Fold_{r}^(0)] and [Fold_{-r}^(0)] -// // Aggregate: d+1 opening pairs and d+1 Fold poly commitments into verifier claim -// auto verifier_claims = GeminiVerifier::reduce_verification(multilinear_evaluation_point, -// multilinear_evaluations, -// RefVector(multilinear_commitments), -// RefVector(multilinear_commitments_to_be_shifted), -// verifier_transcript); - -// // Check equality of the opening pairs computed by prover and verifier -// for (auto [prover_claim, verifier_claim] : zip_view(prover_output, verifier_claims)) { -// ASSERT_EQ(prover_claim.opening_pair, verifier_claim.opening_pair); -// this->verify_opening_claim(verifier_claim, prover_claim.polynomial); -// } -// } -// }; - -// using ParamsTypes = ::testing::Types; -// TYPED_TEST_SUITE(GeminiTest, ParamsTypes); - -// TYPED_TEST(GeminiTest, Single) -// { -// using Fr = typename TypeParam::ScalarField; -// using GroupElement = typename TypeParam::Element; - -// const size_t n = 16; -// const size_t log_n = 4; - -// auto u = this->random_evaluation_point(log_n); -// auto poly = Polynomial::random(n); -// auto commitment = this->commit(poly); -// auto eval = poly.evaluate_mle(u); - -// // Collect multilinear polynomials evaluations, and commitments for input to prover/verifier -// std::vector multilinear_evaluations = { eval }; -// std::vector> multilinear_polynomials = { poly.share() }; -// std::vector> multilinear_polynomials_to_be_shifted = {}; -// std::vector multilinear_commitments = { commitment }; -// std::vector multilinear_commitments_to_be_shifted = {}; - -// this->execute_gemini_and_verify_claims(u, -// { eval }, -// {}, -// multilinear_polynomials, -// multilinear_polynomials_to_be_shifted, -// multilinear_commitments, -// multilinear_commitments_to_be_shifted); -// } - -// TYPED_TEST(GeminiTest, SingleShift) -// { -// using Fr = typename TypeParam::ScalarField; -// using GroupElement = typename TypeParam::Element; - -// const size_t n = 16; -// const size_t log_n = 4; - -// auto u = this->random_evaluation_point(log_n); - -// // shiftable polynomial must have 0 as last coefficient -// auto poly = Polynomial::random(n, /*shiftable*/ 1); - -// auto commitment = this->commit(poly); -// auto eval_shift = poly.evaluate_mle(u, true); - -// // Collect multilinear polynomials evaluations, and commitments for input to prover/verifier -// std::vector multilinear_evaluations = { eval_shift }; -// std::vector> multilinear_polynomials = {}; -// std::vector> multilinear_polynomials_to_be_shifted = { poly.share() }; -// std::vector multilinear_commitments = {}; -// std::vector multilinear_commitments_to_be_shifted = { commitment }; - -// this->execute_gemini_and_verify_claims(u, -// {}, -// { eval_shift }, -// multilinear_polynomials, -// multilinear_polynomials_to_be_shifted, -// multilinear_commitments, -// multilinear_commitments_to_be_shifted); -// } - -// TYPED_TEST(GeminiTest, Double) -// { -// using Fr = typename TypeParam::ScalarField; -// using GroupElement = typename TypeParam::Element; - -// const size_t n = 16; -// const size_t log_n = 4; - -// auto u = this->random_evaluation_point(log_n); - -// auto poly1 = Polynomial::random(n); -// auto poly2 = Polynomial::random(n); - -// auto commitment1 = this->commit(poly1); -// auto commitment2 = this->commit(poly2); - -// auto eval1 = poly1.evaluate_mle(u); -// auto eval2 = poly2.evaluate_mle(u); - -// // Collect multilinear polynomials evaluations, and commitments for input to prover/verifier -// std::vector multilinear_evaluations = { eval1, eval2 }; -// std::vector> multilinear_polynomials = { poly1.share(), poly2.share() }; -// std::vector> multilinear_polynomials_to_be_shifted = {}; -// std::vector multilinear_commitments = { commitment1, commitment2 }; -// std::vector multilinear_commitments_to_be_shifted = {}; - -// this->execute_gemini_and_verify_claims(u, -// { eval1, eval2 }, -// {}, -// multilinear_polynomials, -// multilinear_polynomials_to_be_shifted, -// multilinear_commitments, -// multilinear_commitments_to_be_shifted); -// } - -// TYPED_TEST(GeminiTest, DoubleWithShift) -// { -// using Fr = typename TypeParam::ScalarField; -// using GroupElement = typename TypeParam::Element; - -// const size_t n = 16; -// const size_t log_n = 4; - -// auto u = this->random_evaluation_point(log_n); - -// auto poly1 = Polynomial::random(n); -// auto poly2 = Polynomial::random(n, 1); // make 'shiftable' - -// auto commitment1 = this->commit(poly1); -// auto commitment2 = this->commit(poly2); - -// auto eval1 = poly1.evaluate_mle(u); -// auto eval2 = poly2.evaluate_mle(u); -// auto eval2_shift = poly2.evaluate_mle(u, true); - -// // Collect multilinear polynomials evaluations, and commitments for input to prover/verifier -// std::vector multilinear_evaluations = { eval1, eval2, eval2_shift }; -// std::vector> multilinear_polynomials = { poly1.share(), poly2.share() }; -// std::vector> multilinear_polynomials_to_be_shifted = { poly2.share() }; -// std::vector multilinear_commitments = { commitment1, commitment2 }; -// std::vector multilinear_commitments_to_be_shifted = { commitment2 }; - -// this->execute_gemini_and_verify_claims(u, -// { eval1, eval2 }, -// { eval2_shift }, -// multilinear_polynomials, -// multilinear_polynomials_to_be_shifted, -// multilinear_commitments, -// multilinear_commitments_to_be_shifted); -// } +#include "gemini_impl.hpp" + +#include "../commitment_key.test.hpp" +#include "barretenberg/polynomials/polynomial.hpp" +#include "barretenberg/transcript/transcript.hpp" + +using namespace bb; + +template class GeminiTest : public CommitmentTest { + using GeminiProver = GeminiProver_; + using GeminiVerifier = GeminiVerifier_; + using Fr = typename Curve::ScalarField; + using GroupElement = typename Curve::Element; + + public: + void execute_gemini_and_verify_claims(std::vector& multilinear_evaluation_point, + std::vector& multilinear_evaluations, + RefSpan> multilinear_polynomials, + RefSpan> multilinear_polynomials_to_be_shifted, + RefVector multilinear_commitments, + RefVector multilinear_commitments_to_be_shifted) + { + auto prover_transcript = NativeTranscript::prover_init_empty(); + + // Compute: + // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1 + // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1 + auto prover_output = GeminiProver::prove(1 << multilinear_evaluation_point.size(), + multilinear_polynomials, + multilinear_polynomials_to_be_shifted, + multilinear_evaluation_point, + this->commitment_key, + prover_transcript); + + // Check that the Fold polynomials have been evaluated correctly in the prover + this->verify_batch_opening_pair(prover_output); + + auto verifier_transcript = NativeTranscript::verifier_init_empty(prover_transcript); + + // Compute: + // - Single opening pair: {r, \hat{a}_0} + // - 2 partially evaluated Fold polynomial commitments [Fold_{r}^(0)] and [Fold_{-r}^(0)] + // Aggregate: d+1 opening pairs and d+1 Fold poly commitments into verifier claim + auto verifier_claims = GeminiVerifier::reduce_verification(multilinear_evaluation_point, + multilinear_evaluations, + RefVector(multilinear_commitments), + RefVector(multilinear_commitments_to_be_shifted), + verifier_transcript); + + // Check equality of the opening pairs computed by prover and verifier + for (auto [prover_claim, verifier_claim] : zip_view(prover_output, verifier_claims)) { + ASSERT_EQ(prover_claim.opening_pair, verifier_claim.opening_pair); + this->verify_opening_claim(verifier_claim, prover_claim.polynomial); + } + } +}; + +using ParamsTypes = ::testing::Types; +TYPED_TEST_SUITE(GeminiTest, ParamsTypes); + +TYPED_TEST(GeminiTest, Single) +{ + using Fr = typename TypeParam::ScalarField; + using GroupElement = typename TypeParam::Element; + + const size_t n = 16; + const size_t log_n = 4; + + auto u = this->random_evaluation_point(log_n); + auto poly = Polynomial::random(n); + auto commitment = this->commit(poly); + auto eval = poly.evaluate_mle(u); + + // Collect multilinear polynomials evaluations, and commitments for input to prover/verifier + std::vector multilinear_evaluations = { eval }; + std::vector> multilinear_polynomials = { poly.share() }; + std::vector> multilinear_polynomials_to_be_shifted = {}; + std::vector multilinear_commitments = { commitment }; + std::vector multilinear_commitments_to_be_shifted = {}; + + this->execute_gemini_and_verify_claims(u, + multilinear_evaluations, + RefVector(multilinear_polynomials), + RefVector(multilinear_polynomials_to_be_shifted), + RefVector(multilinear_commitments), + RefVector(multilinear_commitments_to_be_shifted)); +} + +TYPED_TEST(GeminiTest, SingleShift) +{ + using Fr = typename TypeParam::ScalarField; + using GroupElement = typename TypeParam::Element; + + const size_t n = 16; + const size_t log_n = 4; + + auto u = this->random_evaluation_point(log_n); + + // shiftable polynomial must have 0 as last coefficient + auto poly = Polynomial::random(n, /*shiftable*/ 1); + + auto commitment = this->commit(poly); + auto eval_shift = poly.evaluate_mle(u, true); + + // Collect multilinear polynomials evaluations, and commitments for input to prover/verifier + std::vector multilinear_evaluations = { eval_shift }; + std::vector> multilinear_polynomials = {}; + std::vector> multilinear_polynomials_to_be_shifted = { poly.share() }; + std::vector multilinear_commitments = {}; + std::vector multilinear_commitments_to_be_shifted = { commitment }; + + this->execute_gemini_and_verify_claims(u, + multilinear_evaluations, + RefVector(multilinear_polynomials), + RefVector(multilinear_polynomials_to_be_shifted), + RefVector(multilinear_commitments), + RefVector(multilinear_commitments_to_be_shifted)); +} + +TYPED_TEST(GeminiTest, Double) +{ + using Fr = typename TypeParam::ScalarField; + using GroupElement = typename TypeParam::Element; + + const size_t n = 16; + const size_t log_n = 4; + + auto u = this->random_evaluation_point(log_n); + + auto poly1 = Polynomial::random(n); + auto poly2 = Polynomial::random(n); + + auto commitment1 = this->commit(poly1); + auto commitment2 = this->commit(poly2); + + auto eval1 = poly1.evaluate_mle(u); + auto eval2 = poly2.evaluate_mle(u); + + // Collect multilinear polynomials evaluations, and commitments for input to prover/verifier + std::vector multilinear_evaluations = { eval1, eval2 }; + std::vector> multilinear_polynomials = { poly1.share(), poly2.share() }; + std::vector> multilinear_polynomials_to_be_shifted = {}; + std::vector multilinear_commitments = { commitment1, commitment2 }; + std::vector multilinear_commitments_to_be_shifted = {}; + + this->execute_gemini_and_verify_claims(u, + multilinear_evaluations, + RefVector(multilinear_polynomials), + RefVector(multilinear_polynomials_to_be_shifted), + RefVector(multilinear_commitments), + RefVector(multilinear_commitments_to_be_shifted)); +} + +TYPED_TEST(GeminiTest, DoubleWithShift) +{ + using Fr = typename TypeParam::ScalarField; + using GroupElement = typename TypeParam::Element; + + const size_t n = 16; + const size_t log_n = 4; + + auto u = this->random_evaluation_point(log_n); + + auto poly1 = Polynomial::random(n); + auto poly2 = Polynomial::random(n, 1); // make 'shiftable' + + auto commitment1 = this->commit(poly1); + auto commitment2 = this->commit(poly2); + + auto eval1 = poly1.evaluate_mle(u); + auto eval2 = poly2.evaluate_mle(u); + auto eval2_shift = poly2.evaluate_mle(u, true); + + // Collect multilinear polynomials evaluations, and commitments for input to prover/verifier + std::vector multilinear_evaluations = { eval1, eval2, eval2_shift }; + std::vector> multilinear_polynomials = { poly1.share(), poly2.share() }; + std::vector> multilinear_polynomials_to_be_shifted = { poly2.share() }; + std::vector multilinear_commitments = { commitment1, commitment2 }; + std::vector multilinear_commitments_to_be_shifted = { commitment2 }; + + this->execute_gemini_and_verify_claims(u, + multilinear_evaluations, + RefVector(multilinear_polynomials), + RefVector(multilinear_polynomials_to_be_shifted), + RefVector(multilinear_commitments), + RefVector(multilinear_commitments_to_be_shifted)); +} diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini_impl.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini_impl.hpp index 68bd204c3d85..05a1cd994477 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini_impl.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini_impl.hpp @@ -42,38 +42,32 @@ namespace bb { template template std::vector::Claim> GeminiProver_::prove( - [[maybe_unused]] Fr circuit_size, // Will be used when constant proof sizes are in + Fr circuit_size, RefSpan f_polynomials, // unshifted RefSpan g_polynomials, // to-be-shifted - RefSpan unshifted_evaluations, - RefSpan shifted_evaluations, std::span multilinear_challenge, const std::shared_ptr>& commitment_key, const std::shared_ptr& transcript) { - ASSERT(unshifted_evaluations.size() + shifted_evaluations.size() == f_polynomials.size() + g_polynomials.size()); size_t log_n = numeric::get_msb(static_cast(circuit_size)); size_t n = 1 << log_n; Fr rho = transcript->template get_challenge("rho"); - std::vector rhos = gemini::powers_of_rho(rho, unshifted_evaluations.size() + shifted_evaluations.size()); + std::vector rhos = gemini::powers_of_rho(rho, f_polynomials.size() + g_polynomials.size()); // Compute batched polynomials Polynomial batched_unshifted(n); Polynomial batched_to_be_shifted = Polynomial::shiftable(1 << log_n); - // Fr batched_evaluation = Fr::zero(); const size_t num_unshifted = f_polynomials.size(); const size_t num_to_be_shifted = g_polynomials.size(); for (size_t i = 0; i < num_unshifted; i++) { Fr rho_challenge = rhos[i]; batched_unshifted.add_scaled(f_polynomials[i], rho_challenge); - // batched_evaluation += unshifted_evaluations[i] * rho_challenge; } for (size_t i = 0; i < num_to_be_shifted; i++) { Fr rho_challenge = rhos[num_unshifted + i]; batched_to_be_shifted.add_scaled(g_polynomials[i], rho_challenge); - // batched_evaluation += shifted_evaluations[i] * rho_challenge; } auto fold_polynomials = compute_fold_polynomials( diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp index 187fcdce629f..9b3661a2ffda 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp @@ -77,8 +77,8 @@ TEST_F(IPATest, OpenZeroPolynomial) EXPECT_TRUE(result); } -// This test makes sure that even if the whole vector \vec{b} generated from the x, at which we open the polynomial, is -// zero, IPA behaves +// This test makes sure that even if the whole vector \vec{b} generated from the x, at which we open the polynomial, +// is zero, IPA behaves TEST_F(IPATest, OpenAtZero) { using IPA = IPA; @@ -266,14 +266,8 @@ TEST_F(IPATest, GeminiShplonkIPAWithShift) // Compute: // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1 // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1 - auto prover_opening_claims = GeminiProver::prove(n, - RefArray{ poly1, poly2 }, - RefArray{ poly2 }, - RefArray{ eval1, eval2 }, - RefArray{ eval2 }, - mle_opening_point, - this->ck(), - prover_transcript); + auto prover_opening_claims = GeminiProver::prove( + n, RefArray{ poly1, poly2 }, RefArray{ poly2 }, mle_opening_point, this->ck(), prover_transcript); const auto opening_claim = ShplonkProver::prove(this->ck(), prover_opening_claims, prover_transcript); IPA::compute_opening_proof(this->ck(), opening_claim, prover_transcript); @@ -322,14 +316,8 @@ TEST_F(IPATest, ShpleminiIPAWithShift) // Compute: // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1 // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1 - auto prover_opening_claims = GeminiProver::prove(n, - RefArray{ poly1, poly2 }, - RefArray{ poly2 }, - RefArray{ eval1, eval2 }, - RefArray{ eval2_shift }, - mle_opening_point, - this->ck(), - prover_transcript); + auto prover_opening_claims = GeminiProver::prove( + n, RefArray{ poly1, poly2 }, RefArray{ poly2 }, mle_opening_point, this->ck(), prover_transcript); const auto opening_claim = ShplonkProver::prove(this->ck(), prover_opening_claims, prover_transcript); IPA::compute_opening_proof(this->ck(), opening_claim, prover_transcript); diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp index 339f58d58b96..e23a6d90c774 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp @@ -7,11 +7,6 @@ #include "../commitment_key.test.hpp" #include "barretenberg/commitment_schemes/claim.hpp" -#include "barretenberg/ecc/curves/bn254/g1.hpp" - -#include -#include - namespace bb { template class KZGTest : public CommitmentTest { @@ -92,14 +87,8 @@ TYPED_TEST(KZGTest, GeminiShplonkKzgWithShift) // Compute: // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1 // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1 - auto prover_opening_claims = GeminiProver::prove(n, - RefArray{ poly1, poly2 }, - RefArray{ poly2 }, - RefArray{ eval1, eval2 }, - RefArray{ eval2_shift }, - mle_opening_point, - this->ck(), - prover_transcript); + auto prover_opening_claims = GeminiProver::prove( + n, RefArray{ poly1, poly2 }, RefArray{ poly2 }, mle_opening_point, this->ck(), prover_transcript); // Shplonk prover output: // - opening pair: (z_challenge, 0) @@ -150,19 +139,26 @@ TYPED_TEST(KZGTest, ShpleminiKzgWithShift) // Generate multilinear polynomials, their commitments (genuine and mocked) and evaluations (genuine) at a random // point. auto mle_opening_point = this->random_evaluation_point(log_n); // sometimes denoted 'u' - auto poly1 = Polynomial::random(n); - auto poly2 = Polynomial::random(n, /*shiftable*/ 1); + auto poly1 = Polynomial::random(n, 1); + auto poly2 = Polynomial::random(n); + auto poly3 = Polynomial::random(n, 1); + auto poly4 = Polynomial::random(n); Commitment commitment1 = this->commit(poly1); Commitment commitment2 = this->commit(poly2); - std::vector unshifted_commitments = { commitment1, commitment2 }; - std::vector shifted_commitments = { commitment1 }; + Commitment commitment3 = this->commit(poly3); + Commitment commitment4 = this->commit(poly4); + std::vector unshifted_commitments = { commitment1, commitment2, commitment3, commitment4 }; + std::vector shifted_commitments = { commitment1, commitment3 }; auto eval1 = poly1.evaluate_mle(mle_opening_point); auto eval2 = poly2.evaluate_mle(mle_opening_point); + auto eval3 = poly3.evaluate_mle(mle_opening_point); + auto eval4 = poly4.evaluate_mle(mle_opening_point); auto eval1_shift = poly1.evaluate_mle(mle_opening_point, true); + auto eval3_shift = poly3.evaluate_mle(mle_opening_point, true); // Collect multilinear evaluations for input to prover - std::vector multilinear_evaluations = { eval1, eval2, eval1_shift }; + std::vector multilinear_evaluations = { eval1, eval2, eval3, eval1_shift, eval3_shift }; auto prover_transcript = NativeTranscript::prover_init_empty(); @@ -172,10 +168,8 @@ TYPED_TEST(KZGTest, ShpleminiKzgWithShift) // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1 // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1 auto prover_opening_claims = GeminiProver::prove(n, - RefArray{ poly1, poly2 }, - RefArray{ poly1 }, - RefArray{ eval1, eval2 }, - RefArray{ eval1_shift }, + RefArray{ poly1, poly2, poly3, poly4 }, + RefArray{ poly1, poly3 }, mle_opening_point, this->ck(), prover_transcript); @@ -195,14 +189,15 @@ TYPED_TEST(KZGTest, ShpleminiKzgWithShift) // Gemini verifier output: // - claim: d+1 commitments to Fold_{r}^(0), Fold_{-r}^(0), Fold^(l), d+1 evaluations a_0_pos, a_l, l = 0:d-1 - const auto batch_opening_claim = ShpleminiVerifier::compute_batch_opening_claim(n, - RefVector(unshifted_commitments), - RefVector(shifted_commitments), - RefArray{ eval1, eval2 }, - RefArray{ eval1_shift }, - mle_opening_point, - this->vk()->get_g1_identity(), - verifier_transcript); + const auto batch_opening_claim = + ShpleminiVerifier::compute_batch_opening_claim(n, + RefVector(unshifted_commitments), + RefVector(shifted_commitments), + RefArray{ eval1, eval2, eval3, eval4 }, + RefArray{ eval1_shift, eval3_shift }, + mle_opening_point, + this->vk()->get_g1_identity(), + verifier_transcript); const auto pairing_points = KZG::reduce_verify_batch_opening_claim(batch_opening_claim, verifier_transcript); // Final pairing check: e([Q] - [Q_z] + z[W], [1]_2) = e([W], [x]_2) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp index 32cef2fdde89..c60d22d2b29c 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp @@ -24,20 +24,13 @@ template class ShpleminiProver_ { static OpeningClaim prove(FF circuit_size, RefSpan f_polynomials, RefSpan g_polynomials, - RefSpan unshifted_evaluations, - RefSpan shifted_evaluations, std::span multilinear_challenge, const std::shared_ptr>& commitment_key, const std::shared_ptr& transcript) { - std::vector opening_claims = GeminiProver::prove(circuit_size, - f_polynomials, - g_polynomials, - unshifted_evaluations, - shifted_evaluations, - multilinear_challenge, - commitment_key, - transcript); + std::vector opening_claims = GeminiProver::prove( + circuit_size, f_polynomials, g_polynomials, multilinear_challenge, commitment_key, transcript); + OpeningClaim batched_claim = ShplonkProver::prove(commitment_key, opening_claims, transcript); return batched_claim; }; @@ -49,24 +42,24 @@ template class ShpleminiProver_ { * \subsection Context * * This Verifier combines verifiers from four protocols: - * 1. **Batch opening protocol**: Reduces various evaluation claims of multilinear polynomials and their shifts to - * the opening claim of a single batched polynomial. - * 2. **Gemini protocol**: Reduces the batched polynomial opening claim to a claim about openings of Gemini - * univariate polynomials. - * 3. **Shplonk protocol**: Reduces the opening of Gemini univariate polynomials at different points to a single - * opening of a batched univariate polynomial. Outputs \f$ \text{shplonk_opening_claim} \f$. + * 1. **Batch opening protocol**: Reduces various evaluation claims of multilinear polynomials and their shifts to the + * opening claim of a single batched polynomial. + * 2. **Gemini protocol**: Reduces the batched polynomial opening claim to a claim about openings of Gemini univariate + * polynomials. + * 3. **Shplonk protocol**: Reduces the opening of Gemini univariate polynomials at different points to a single opening + * of a batched univariate polynomial. Outputs \f$ \text{shplonk_opening_claim} \f$. * 4. **KZG or IPA protocol**: Verifies the evaluation of the univariate batched by Shplonk. * * **Important Observation**: From step 1 to step 4, the Verifier is not required to hash any results of its group - * operations. Therefore, they could be performed at the very end, i.e. by the opening protocol of a chosen - * univariate PCS. Because of this and the shape of the pairing check in Shplonk, various batch_mul calls could be - * reduced to a single batch_mul call. This way we minimize the number of gates in the resulting recursive verifier - * circuits and save some group operations in the native setting. + * operations. Therefore, they could be performed at the very end, i.e. by the opening protocol of a chosen univariate + * PCS. Because of this and the shape of the pairing check in Shplonk, various batch_mul calls could be reduced to a + * single batch_mul call. This way we minimize the number of gates in the resulting recursive verifier circuits and save + * some group operations in the native setting. * - * \remark The sequence of steps could be performed by performing batching of unshifted and shifted polynomials, - * feeding it to the existing GeminiVerifier, whose output would be passed to the ShplonkVerifier and then to the - * reduce_verify method of a chosen PCS. However, it would be less efficient than ShpleminiVerifier in terms of - * group and field operations. + * \remark The sequence of steps could be performed by performing batching of unshifted and shifted polynomials, feeding + * it to the existing GeminiVerifier, whose output would be passed to the ShplonkVerifier and then to the reduce_verify + * method of a chosen PCS. However, it would be less efficient than ShpleminiVerifier in terms of group and field + * operations. * * \subsection Implementation * @@ -81,19 +74,19 @@ template class ShpleminiProver_ { * - Compute the evaluation of the Gemini batched univariate. * 4. Output a \ref bb::BatchOpeningClaim "batch opening claim", which is a atriple \f$ (\text{commitments}, * \text{scalars}, \text{shplonk_evaluation_point}) \f$ that satisfies the following: \f[ \text{batch_mul} - * (\text{commitments},\ \text{scalars}) = \text{shplonk_opening_claim}.\text{point} \f] and the sizes of - * 'commitments' and 'scalars' are equal to: \f[ + * (\text{commitments},\ \text{scalars}) = \text{shplonk_opening_claim}.\text{point} \f] and the sizes of 'commitments' + * and 'scalars' are equal to: \f[ * \#\text{claimed_evaluations} + \text{log_circuit_size} + 2 * \f] * * The output triple is either fed to the corresponding \ref bb::KZG< Curve_ >::reduce_verify_batch_opening_claim - * "KZG method" or \ref bb::IPA< Curve_ >::reduce_verify_batch_opening_claim "IPA method". In the case of KZG, we - * reduce \f$ 6 \f$ batch_mul calls needed for the verification of the multivariate evaluation claims to the single - * batch_mul described above. In the case of IPA, the total number of batch_mul calls needed to verify the - * multivariate evaluation claims is reduced by \f$ 5 \f$. + * "KZG method" or \ref bb::IPA< Curve_ >::reduce_verify_batch_opening_claim "IPA method". In the case of KZG, we reduce + * \f$ 6 \f$ batch_mul calls needed for the verification of the multivariate evaluation claims to the single batch_mul + * described above. In the case of IPA, the total number of batch_mul calls needed to verify the multivariate evaluation + * claims is reduced by \f$ 5 \f$. * - * TODO (https://github.com/AztecProtocol/barretenberg/issues/1084) Reduce the size of batch_mul further by - * eliminating shifted commitments. + * TODO (https://github.com/AztecProtocol/barretenberg/issues/1084) Reduce the size of batch_mul further by eliminating + * shifted commitments. */ template class ShpleminiVerifier_ { @@ -118,13 +111,11 @@ template class ShpleminiVerifier_ { // Extract log_circuit_size size_t log_circuit_size{ 0 }; - info(N); if constexpr (Curve::is_stdlib_type) { log_circuit_size = numeric::get_msb(static_cast(N.get_value())); } else { log_circuit_size = numeric::get_msb(static_cast(N)); } - info(log_circuit_size); // Get the challenge ρ to batch commitments to multilinear polynomials and their shifts const Fr multivariate_batching_challenge = transcript->template get_challenge("rho"); @@ -202,8 +193,12 @@ template class ShpleminiVerifier_ { // Add contributions from A₀(r) and A₀(-r) to constant_term_accumulator: // - Compute A₀(r) - const Fr a_0_pos = GeminiVerifier_::compute_gemini_batched_univariate_evaluation( - batched_evaluation, multivariate_challenge, gemini_eval_challenge_powers, gemini_evaluations); + const Fr a_0_pos = + GeminiVerifier_::compute_gemini_batched_univariate_evaluation(log_circuit_size, + batched_evaluation, + multivariate_challenge, + gemini_eval_challenge_powers, + gemini_evaluations); // - Add A₀(r)/(z−r) to the constant term accumulator constant_term_accumulator += a_0_pos * inverse_vanishing_evals[0]; // Add A₀(−r)/(z+r) to the constant term accumulator diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp index 57c542b1b490..b1aad152f59b 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp @@ -117,9 +117,7 @@ TYPED_TEST(ShpleminiTest, CorrectnessOfMultivariateClaimBatching) EXPECT_EQ(batched_evaluation, verifier_batched_evaluation); EXPECT_EQ(-expected_result, shplemini_result); } -0x0a77620a91f94ac0e8a3823a0d30688bbae0064fee682d386addae7400feb51e, - 0x13cc6c8e5f61f0c514dcab6c00b9b7fcd13f1cee5e7027383601c3726e036f3f TYPED_TEST(ShpleminiTest, - CorrectnessOfGeminiClaimBatching) +TYPED_TEST(ShpleminiTest, CorrectnessOfGeminiClaimBatching) { using GeminiProver = GeminiProver_; using ShpleminiVerifier = ShpleminiVerifier_; diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp index 92cc3e005c7f..76a64e54fd64 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp @@ -119,13 +119,15 @@ void ECCVMProver::execute_pcs_rounds() // Execute the ZeroMorph protocol to produce a univariate opening claim for the multilinear evaluations produced by // Sumcheck - auto multivariate_to_univariate_opening_claim = ZeroMorph::prove(key->circuit_size, - key->polynomials.get_unshifted(), - key->polynomials.get_to_be_shifted(), - sumcheck_output.claimed_evaluations.get_all(), - sumcheck_output.challenge, - commitment_key, - transcript); + auto multivariate_to_univariate_opening_claim = + ZeroMorph::prove(key->circuit_size, + key->polynomials.get_unshifted(), + key->polynomials.get_to_be_shifted(), + sumcheck_output.claimed_evaluations.get_unshifted(), + sumcheck_output.claimed_evaluations.get_shifted(), + sumcheck_output.challenge, + commitment_key, + transcript); // Batch open the transcript polynomials as univariates for Translator consistency check. Since IPA cannot // currently handle polynomials for which the latter half of the coefficients are 0, we hackily diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp index ffaf81848d46..26bd5ac6ce61 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp @@ -64,7 +64,8 @@ bool ECCVMVerifier::verify_proof(const HonkProof& proof) auto multivariate_to_univariate_opening_claim = ZeroMorph::verify(circuit_size, commitments.get_unshifted(), commitments.get_to_be_shifted(), - claimed_evaluations.get_all(), + claimed_evaluations.get_unshifted(), + claimed_evaluations.get_shifted(), multivariate_challenge, key->pcs_verification_key->get_g1_identity(), transcript); diff --git a/barretenberg/cpp/src/barretenberg/flavor/flavor.hpp b/barretenberg/cpp/src/barretenberg/flavor/flavor.hpp index e150eff27721..cc443d58fa6d 100644 --- a/barretenberg/cpp/src/barretenberg/flavor/flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/flavor/flavor.hpp @@ -367,7 +367,7 @@ template concept IsHonkFlavor = IsAnyOf; template -concept IsUltraFlavor = IsAnyOf; +concept IsUltraFlavor = IsAnyOf; template concept IsGoblinFlavor = IsAnyOf, VerifierCommitmentKey> { public: VerificationKey() = default; diff --git a/barretenberg/cpp/src/barretenberg/translator_vm/translator_flavor.hpp b/barretenberg/cpp/src/barretenberg/translator_vm/translator_flavor.hpp index 1086d4b20bf2..205d0dd98536 100644 --- a/barretenberg/cpp/src/barretenberg/translator_vm/translator_flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/translator_vm/translator_flavor.hpp @@ -683,8 +683,6 @@ class TranslatorFlavor { this->ordered_range_constraints_4 }; }; - auto get_all_without_concatenated() { return concatenate(get_unshifted_without_concatenated(), get_shifted()); } - // Gemini-specific getters. auto get_unshifted() { diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp index 0a589dac56ad..e8063431f7db 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp @@ -47,17 +47,30 @@ template void DeciderProver_::execute_relation_ch * */ template void DeciderProver_::execute_pcs_rounds() { - using BatchedMultivariateOpeningScheme = - std::conditional_t, ShpleminiProver_, ZeroMorphProver_>; - auto prover_opening_claim = - BatchedMultivariateOpeningScheme::prove(proving_key->proving_key.circuit_size, - proving_key->proving_key.polynomials.get_unshifted(), - proving_key->proving_key.polynomials.get_to_be_shifted(), - sumcheck_output.claimed_evaluations.get_unshifted(), - sumcheck_output.claimed_evaluations.get_shifted(), - sumcheck_output.challenge, - commitment_key, - transcript); + using OpeningClaim = ProverOpeningClaim; + + // TODO(https://github.com/AztecProtocol/barretenberg/issues/1109): Remove this hack once the verifier runs on + // Shplemini for all Ultra flavors + OpeningClaim prover_opening_claim; + if constexpr (bb::IsAnyOf) { + + prover_opening_claim = ShpleminiProver_::prove(proving_key->proving_key.circuit_size, + proving_key->proving_key.polynomials.get_unshifted(), + proving_key->proving_key.polynomials.get_to_be_shifted(), + sumcheck_output.challenge, + commitment_key, + transcript); + } else { + + prover_opening_claim = ZeroMorphProver_::prove(proving_key->proving_key.circuit_size, + proving_key->proving_key.polynomials.get_unshifted(), + proving_key->proving_key.polynomials.get_to_be_shifted(), + sumcheck_output.claimed_evaluations.get_unshifted(), + sumcheck_output.claimed_evaluations.get_shifted(), + sumcheck_output.challenge, + commitment_key, + transcript); + } PCS::compute_opening_proof(commitment_key, prover_opening_claim, transcript); } diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.cpp index 18ce637edc05..c01393704006 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.cpp @@ -57,6 +57,8 @@ template bool DeciderVerifier_::verify() } std::array pairing_points; + // TODO(https://github.com/AztecProtocol/barretenberg/issues/1109): Remove this hack once the verifier runs on + // Shplemini for all Ultra flavors if constexpr (bb::IsAnyOf) { auto opening_claim = Shplemini::compute_batch_opening_claim(accumulator->verification_key->circuit_size, commitments.get_unshifted(), @@ -67,8 +69,9 @@ template bool DeciderVerifier_::verify() Commitment::one(), transcript); pairing_points = PCS::reduce_verify_batch_opening_claim(opening_claim, transcript); - } else { + // Execute ZeroMorph rounds. See https://hackmd.io/dlf9xEwhTQyE3hiGbq4FsA?view for a complete description of the + // unrolled protocol. auto opening_claim = ZeroMorph::verify(accumulator->verification_key->circuit_size, commitments.get_unshifted(), commitments.get_to_be_shifted(), @@ -79,10 +82,7 @@ template bool DeciderVerifier_::verify() transcript); pairing_points = PCS::reduce_verify(opening_claim, transcript); } - // Execute ZeroMorph rounds. See https://hackmd.io/dlf9xEwhTQyE3hiGbq4FsA?view for a complete description of the - // unrolled protocol. - - auto verified = pcs_verification_key->pairing_check(pairing_points[0], pairing_points[1]); + bool verified = pcs_verification_key->pairing_check(pairing_points[0], pairing_points[1]); return sumcheck_verified.value() && verified; } From 811cdfb0e98e89a41e9bd395506fc34efd7efa69 Mon Sep 17 00:00:00 2001 From: maramihali Date: Mon, 23 Sep 2024 15:27:47 +0000 Subject: [PATCH 15/31] remove infos --- .../src/barretenberg/commitment_schemes/shplonk/shplemini.hpp | 1 - 1 file changed, 1 deletion(-) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp index c60d22d2b29c..9e5067bcbcef 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp @@ -178,7 +178,6 @@ template class ShpleminiVerifier_ { commitments, scalars, batched_evaluation); - info("Verifier: ", batched_evaluation); // Place the commitments to Gemini Aᵢ to the vector of commitments, compute the contributions from // Aᵢ(−r²ⁱ) for i=1, … , n−1 to the constant term accumulator, add corresponding scalars From e059c3c5ada5e3b923a8a8348dc90631b36447e4 Mon Sep 17 00:00:00 2001 From: maramihali Date: Tue, 24 Sep 2024 07:24:29 +0000 Subject: [PATCH 16/31] fix build and some cleanup --- .../commitment_schemes/shplonk/shplemini.hpp | 9 ++++----- .../commitment_schemes_recursion/shplemini.test.cpp | 10 ++-------- 2 files changed, 6 insertions(+), 13 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp index 9e5067bcbcef..f3b2db272f60 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp @@ -291,11 +291,11 @@ template class ShpleminiVerifier_ { } } /** - * @brief Populates the 'commitments' and 'scalars' vectors with the commitments to Gemini fold polynomials \f$ - * A_i \f$. + * @brief Populates the 'commitments' and 'scalars' vectors with the commitments to Gemini fold polynomials \f$ A_i + * \f$. * - * @details Once the commitments to Gemini "fold" polynomials \f$ A_i \f$ and their evaluations at \f$ -r^{2^i} - * \f$, where \f$ i = 1, \ldots, n-1 \f$, are received by the verifier, it performs the following operations: + * @details Once the commitments to Gemini "fold" polynomials \f$ A_i \f$ and their evaluations at \f$ -r^{2^i} \f$, + * where \f$ i = 1, \ldots, n-1 \f$, are received by the verifier, it performs the following operations: * * 1. Moves the vector * \f[ @@ -350,5 +350,4 @@ template class ShpleminiVerifier_ { } } }; - } // namespace bb \ No newline at end of file diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp index eec1bbe2ec87..1398cefe7e84 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp @@ -85,14 +85,8 @@ TEST(ShpleminiRecursionTest, ProveAndVerifySingle) // Initialize an empty NativeTranscript auto prover_transcript = NativeTranscript::prover_init_empty(); - auto prover_opening_claims = ShpleminiProver::prove(N, - RefVector(f_polynomials), - RefVector(g_polynomials), - RefVector(v_evaluations), - RefVector(w_evaluations), - u_challenge, - commitment_key, - prover_transcript); + auto prover_opening_claims = ShpleminiProver::prove( + N, RefVector(f_polynomials), RefVector(g_polynomials), u_challenge, commitment_key, prover_transcript); Builder builder; StdlibProof stdlib_proof = bb::convert_proof_to_witness(&builder, prover_transcript->proof_data); From a2c2c99e0cd3057449f36a0f1a6732cc2aeaf6d5 Mon Sep 17 00:00:00 2001 From: maramihali Date: Tue, 24 Sep 2024 07:30:09 +0000 Subject: [PATCH 17/31] some more cleanup --- .../cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp | 3 --- .../src/barretenberg/commitment_schemes/shplonk/shplemini.hpp | 4 ++-- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp index 9b3661a2ffda..7db3ea01e3b0 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp @@ -8,9 +8,6 @@ #include "barretenberg/ecc/curves/bn254/fq12.hpp" #include "barretenberg/ecc/curves/types.hpp" #include "barretenberg/polynomials/polynomial_arithmetic.hpp" -#include -#include - using namespace bb; namespace { diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp index f3b2db272f60..98f4aa221477 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp @@ -21,7 +21,7 @@ template class ShpleminiProver_ { using GeminiProver = GeminiProver_; template - static OpeningClaim prove(FF circuit_size, + static OpeningClaim prove(const FF circuit_size, RefSpan f_polynomials, RefSpan g_polynomials, std::span multilinear_challenge, @@ -106,7 +106,7 @@ template class ShpleminiVerifier_ { RefSpan shifted_evaluations, const std::vector& multivariate_challenge, const Commitment& g1_identity, - std::shared_ptr& transcript) + const std::shared_ptr& transcript) { // Extract log_circuit_size From 48b0bcdd31ce854a96542cf7b388d7e88988a500 Mon Sep 17 00:00:00 2001 From: maramihali Date: Tue, 24 Sep 2024 09:56:29 +0000 Subject: [PATCH 18/31] draft --- barretenberg/acir_tests/sol-test/src/index.js | 4 +++- barretenberg/cpp/src/barretenberg/bb/main.cpp | 7 ++++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/barretenberg/acir_tests/sol-test/src/index.js b/barretenberg/acir_tests/sol-test/src/index.js index bcfed9528922..c6b983b53f57 100644 --- a/barretenberg/acir_tests/sol-test/src/index.js +++ b/barretenberg/acir_tests/sol-test/src/index.js @@ -4,10 +4,11 @@ import { spawn } from "child_process"; import { ethers } from "ethers"; import solc from "solc"; import linker from "solc/linker.js"; +import { info } from "console"; const NUMBER_OF_FIELDS_IN_PLONK_PROOF = 93; // This excludes the public inputs which are sent separately to the Solidity verifier -const NUMBER_OF_FIELDS_IN_HONK_PROOF = 423; +const NUMBER_OF_FIELDS_IN_HONK_PROOF = 303; // We use the solcjs compiler version in this test, although it is slower than foundry, to run the test end to end // it simplifies of parallelising the test suite @@ -149,6 +150,7 @@ const readPublicInputs = (proofAsFields) => { const publicInputs = []; // Compute the number of public inputs, not accounted for in the constant NUMBER_OF_FIELDS_IN_PROOF const numPublicInputs = proofAsFields.length - NUMBER_OF_FIELDS_IN_PROOF; + info(numPublicInputs); let publicInputsOffset = 0; // Honk proofs contain 3 pieces of metadata before the public inputs, while plonk does not diff --git a/barretenberg/cpp/src/barretenberg/bb/main.cpp b/barretenberg/cpp/src/barretenberg/bb/main.cpp index e2451319fc19..30adc8643f72 100644 --- a/barretenberg/cpp/src/barretenberg/bb/main.cpp +++ b/barretenberg/cpp/src/barretenberg/bb/main.cpp @@ -1099,6 +1099,12 @@ void prove_honk(const std::string& bytecodePath, const std::string& witnessPath, // Construct Honk proof Prover prover = compute_valid_prover(bytecodePath, witnessPath); auto proof = prover.construct_proof(); + // TODO(): remove this hack, put in place to only send the proof up to sumcheck to the contract + if constexpr (std::same_as) { + auto num_public_inputs = static_cast(prover.proving_key->proving_key.num_public_inputs); + proof.erase(proof.begin() + num_public_inputs + 303, proof.end()); + } + info(proof.size()); if (outputPath == "-") { writeRawBytesToStdout(to_buffer(proof)); vinfo("proof written to stdout"); @@ -1494,7 +1500,6 @@ int main(int argc, char* argv[]) std::string output_path = get_option(args, "-o", "./target/contract.sol"); contract(output_path, vk_path); } else if (command == "contract_ultra_honk") { - vinfo("Warning: Contract incomplete. Do not use in production!"); std::string output_path = get_option(args, "-o", "./target/contract.sol"); contract_honk(output_path, vk_path); } else if (command == "write_vk") { From ae129dbbcdd8f6e06a23c01c7142cd91315f8c59 Mon Sep 17 00:00:00 2001 From: maramihali Date: Tue, 24 Sep 2024 10:55:55 +0000 Subject: [PATCH 19/31] fix sol honk flow --- barretenberg/acir_tests/sol-test/src/index.js | 3 ++- barretenberg/cpp/src/barretenberg/bb/main.cpp | 5 +++-- .../barretenberg/stdlib_circuit_builders/ultra_flavor.hpp | 5 ++++- barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp | 1 + .../cpp/src/barretenberg/ultra_honk/ultra_honk.test.cpp | 1 + barretenberg/sol/src/honk/instance/Add2Honk.sol | 3 ++- 6 files changed, 13 insertions(+), 5 deletions(-) diff --git a/barretenberg/acir_tests/sol-test/src/index.js b/barretenberg/acir_tests/sol-test/src/index.js index c6b983b53f57..8115148bf2d3 100644 --- a/barretenberg/acir_tests/sol-test/src/index.js +++ b/barretenberg/acir_tests/sol-test/src/index.js @@ -7,7 +7,8 @@ import linker from "solc/linker.js"; import { info } from "console"; const NUMBER_OF_FIELDS_IN_PLONK_PROOF = 93; -// This excludes the public inputs which are sent separately to the Solidity verifier +// TODO(https://github.com/AztecProtocol/barretenberg/issues/1093): This is the size of the proof up to Sumcheck, without public inputs, as the Honk contract does not currently have a PCS. +// This needs to be changed once Shplemini is implemented in the smart contract. const NUMBER_OF_FIELDS_IN_HONK_PROOF = 303; // We use the solcjs compiler version in this test, although it is slower than foundry, to run the test end to end diff --git a/barretenberg/cpp/src/barretenberg/bb/main.cpp b/barretenberg/cpp/src/barretenberg/bb/main.cpp index 30adc8643f72..cadf836cc536 100644 --- a/barretenberg/cpp/src/barretenberg/bb/main.cpp +++ b/barretenberg/cpp/src/barretenberg/bb/main.cpp @@ -1099,12 +1099,13 @@ void prove_honk(const std::string& bytecodePath, const std::string& witnessPath, // Construct Honk proof Prover prover = compute_valid_prover(bytecodePath, witnessPath); auto proof = prover.construct_proof(); - // TODO(): remove this hack, put in place to only send the proof up to sumcheck to the contract + // TODO(https://github.com/AztecProtocol/barretenberg/issues/1093): As the Smart contract doesn't verify the PCS and + // Shplemini is not constant size, we slice the proof up to sumcheck so calculation of public inputs is correct. + // This hack will be subsequently removed. if constexpr (std::same_as) { auto num_public_inputs = static_cast(prover.proving_key->proving_key.num_public_inputs); proof.erase(proof.begin() + num_public_inputs + 303, proof.end()); } - info(proof.size()); if (outputPath == "-") { writeRawBytesToStdout(to_buffer(proof)); vinfo("proof written to stdout"); diff --git a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_flavor.hpp b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_flavor.hpp index fe5dbe526c99..b40174ce1646 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_flavor.hpp @@ -57,12 +57,15 @@ class UltraFlavor { // Note: made generic for use in MegaRecursive. template + // List of relations reflecting the Ultra arithmetisation. WARNING: As UltraKeccak flavor inherits from Ultra flavor + // any change of ordering in this tuple needs to be reflected in the smart contract, otherwise relation accumulation + // will not match. using Relations_ = std::tuple, bb::UltraPermutationRelation, + bb::LogDerivLookupRelation, bb::DeltaRangeConstraintRelation, bb::EllipticRelation, bb::AuxiliaryRelation, - bb::LogDerivLookupRelation, bb::Poseidon2ExternalRelation, bb::Poseidon2InternalRelation>; diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp index fccab56b551c..d42eb4a4fc5a 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp @@ -261,6 +261,7 @@ template class SumcheckProver { transcript->send_to_verifier("Sumcheck:univariate_" + std::to_string(idx), zero_univariate); FF round_challenge = transcript->template get_challenge("Sumcheck:u_" + std::to_string(idx)); multivariate_challenge.emplace_back(round_challenge); + info(round_challenge); } // The evaluations of Libra uninvariates at \f$ g_0(u_0), \ldots, g_{d-1} (u_{d-1}) \f$ are added to the // transcript. diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_honk.test.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_honk.test.cpp index 62dfe74c9c1e..6ddd7d511fd8 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_honk.test.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_honk.test.cpp @@ -62,6 +62,7 @@ TYPED_TEST(UltraHonkTests, ANonZeroPolynomialIsAGoodPolynomial) auto circuit_builder = UltraCircuitBuilder(); auto proving_key = std::make_shared(circuit_builder); + info(proving_key->proving_key.num_public_inputs); typename TestFixture::Prover prover(proving_key); auto proof = prover.construct_proof(); auto& polynomials = proving_key->proving_key.polynomials; diff --git a/barretenberg/sol/src/honk/instance/Add2Honk.sol b/barretenberg/sol/src/honk/instance/Add2Honk.sol index a6eaec5afa81..a4afcb3626f1 100644 --- a/barretenberg/sol/src/honk/instance/Add2Honk.sol +++ b/barretenberg/sol/src/honk/instance/Add2Honk.sol @@ -16,7 +16,7 @@ import { CONST_PROOF_SIZE_LOG_N } from "../HonkTypes.sol"; -import {ecMul, ecAdd, ecSub, negateInplace, convertProofPoint} from "../utils.sol"; +import {ecMul, logFr, ecAdd, ecSub, negateInplace, convertProofPoint} from "../utils.sol"; // Field arithmetic libraries - prevent littering the code with modmul / addmul import {MODULUS as P, MINUS_ONE, Fr, FrLib} from "../Fr.sol"; @@ -99,6 +99,7 @@ contract Add2HonkVerifier is IVerifier { if (!valid) revert SumcheckFailed(); Fr roundChallenge = tp.sumCheckUChallenges[round]; + logFr("round challenge: ", roundChallenge); // Update the round target for the next rounf roundTarget = computeNextTargetSum(roundUnivariate, roundChallenge); From 6b45f0e4b49b9dadf4e32ca21bcf805f329b3c16 Mon Sep 17 00:00:00 2001 From: maramihali Date: Tue, 24 Sep 2024 13:53:55 +0000 Subject: [PATCH 20/31] make fold polys and fold comms constant --- .../commitment_schemes/gemini/gemini.hpp | 56 +++++++++++-------- .../commitment_schemes/gemini/gemini_impl.hpp | 18 ++++-- 2 files changed, 46 insertions(+), 28 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp index 0766722893ed..9823b0a8ad1e 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp @@ -95,6 +95,7 @@ template inline std::vector powers_of_evaluation_challenge(const template class GeminiProver_ { using Fr = typename Curve::ScalarField; + using Commitment = typename Curve::AffineElement; using Polynomial = bb::Polynomial; using Claim = ProverOpeningClaim; @@ -168,11 +169,11 @@ template class GeminiVerifier_ { // compute vector of powers of random evaluation point r const Fr r = transcript->template get_challenge("Gemini:r"); - const std::vector r_squares = gemini::powers_of_evaluation_challenge(r, num_variables); + const std::vector r_squares = gemini::powers_of_evaluation_challenge(r, CONST_PROOF_SIZE_LOG_N); // Get evaluations a_i, i = 0,...,m-1 from transcript const std::vector evaluations = get_gemini_evaluations(num_variables, transcript); - // Compute evaluation A₀(r) + // Compute evaluation of A₀(r) auto a_0_pos = compute_gemini_batched_univariate_evaluation( num_variables, batched_evaluation, multilinear_challenge, r_squares, evaluations); @@ -197,22 +198,24 @@ template class GeminiVerifier_ { return fold_polynomial_opening_claims; } - static std::vector get_fold_commitments(const size_t log_circuit_size, auto& transcript) + static std::vector get_fold_commitments([[maybe_unused]] const size_t log_circuit_size, + auto& transcript) { std::vector fold_commitments; - fold_commitments.reserve(log_circuit_size - 1); - for (size_t i = 0; i < log_circuit_size - 1; ++i) { + fold_commitments.reserve(CONST_PROOF_SIZE_LOG_N - 1); + for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N - 1; ++i) { const Commitment commitment = transcript->template receive_from_prover("Gemini:FOLD_" + std::to_string(i + 1)); fold_commitments.emplace_back(commitment); } return fold_commitments; } - static std::vector get_gemini_evaluations(const size_t log_circuit_size, auto& transcript) + static std::vector get_gemini_evaluations([[maybe_unused]] const size_t log_circuit_size, auto& transcript) { std::vector gemini_evaluations; - gemini_evaluations.reserve(log_circuit_size); - for (size_t i = 1; i <= log_circuit_size; ++i) { + gemini_evaluations.reserve(CONST_PROOF_SIZE_LOG_N); + + for (size_t i = 1; i <= CONST_PROOF_SIZE_LOG_N; ++i) { const Fr evaluation = transcript->template receive_from_prover("Gemini:a_" + std::to_string(i)); gemini_evaluations.emplace_back(evaluation); } @@ -241,29 +244,36 @@ template class GeminiVerifier_ { * @param fold_polynomial_evals Evaluations \f$ A_{i-1}(-r^{2^{i-1}}) \f$. * @return Evaluation \f$ A_0(r) \f$. */ - static Fr compute_gemini_batched_univariate_evaluation(size_t evaluation_point_size, - Fr& batched_eval_accumulator, - std::span evaluation_point, - std::span challenge_powers, - std::span fold_polynomial_evals) + static Fr compute_gemini_batched_univariate_evaluation( + const size_t num_variables, + Fr& batched_eval_accumulator, + std::span evaluation_point, // CONST_PROOF_SIZE + std::span challenge_powers, // r_squares CONST_PROOF_SIZE_LOG_N + std::span fold_polynomial_evals) { - const size_t num_variables = evaluation_point_size; - const auto& evals = fold_polynomial_evals; // Solve the sequence of linear equations - for (size_t l = num_variables; l != 0; --l) { + for (size_t l = CONST_PROOF_SIZE_LOG_N; l != 0; --l) { // Get r²⁽ˡ⁻¹⁾ const Fr& challenge_power = challenge_powers[l - 1]; - // Get A₍ₗ₋₁₎(−r²⁽ˡ⁻¹⁾) - const Fr& eval_neg = evals[l - 1]; // Get uₗ₋₁ const Fr& u = evaluation_point[l - 1]; - // Compute the numerator - batched_eval_accumulator = - ((challenge_power * batched_eval_accumulator * 2) - eval_neg * (challenge_power * (Fr(1) - u) - u)); - // Divide by the denominator - batched_eval_accumulator *= (challenge_power * (Fr(1) - u) + u).invert(); + const Fr& eval_neg = evals[l - 1]; + bool is_dummy_round = (l > num_variables); + if (is_dummy_round) { + if (Curve::is_stdlib_type) { + // do dummy operations + } + + } else { + // Get A₍ₗ₋₁₎(−r²⁽ˡ⁻¹⁾) + // Compute the numerator + batched_eval_accumulator = + ((challenge_power * batched_eval_accumulator * 2) - eval_neg * (challenge_power * (Fr(1) - u) - u)); + // Divide by the denominator + batched_eval_accumulator *= (challenge_power * (Fr(1) - u) + u).invert(); + } } return batched_eval_accumulator; diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini_impl.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini_impl.hpp index 05a1cd994477..fde94fdcdb13 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini_impl.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini_impl.hpp @@ -73,15 +73,23 @@ std::vector::Claim> GeminiProver_::prove( auto fold_polynomials = compute_fold_polynomials( log_n, multilinear_challenge, std::move(batched_unshifted), std::move(batched_to_be_shifted)); - for (size_t l = 0; l < log_n - 1; l++) { - transcript->send_to_verifier("Gemini:FOLD_" + std::to_string(l + 1), - commitment_key->commit(fold_polynomials[l + 2])); + for (size_t l = 0; l < CONST_PROOF_SIZE_LOG_N - 1; l++) { + if (l < log_n - 1) { + transcript->send_to_verifier("Gemini:FOLD_" + std::to_string(l + 1), + commitment_key->commit(fold_polynomials[l + 2])); + } else { + transcript->send_to_verifier("Gemini:FOLD_" + std::to_string(l + 1), Commitment::one()); + } } const Fr r_challenge = transcript->template get_challenge("Gemini:r"); std::vector claims = compute_fold_polynomial_evaluations(log_n, std::move(fold_polynomials), r_challenge); - for (size_t l = 1; l <= log_n; l++) { - transcript->send_to_verifier("Gemini:a_" + std::to_string(l), claims[l].opening_pair.evaluation); + for (size_t l = 1; l <= CONST_PROOF_SIZE_LOG_N; l++) { + if (l <= log_n) { + transcript->send_to_verifier("Gemini:a_" + std::to_string(l), claims[l].opening_pair.evaluation); + } else { + transcript->send_to_verifier("Gemini:a_" + std::to_string(l), Fr::zero()); + } } return claims; From 85a44e8512a4cba9940ef5aa716edf3ad2ded217 Mon Sep 17 00:00:00 2001 From: maramihali Date: Thu, 26 Sep 2024 12:25:36 +0000 Subject: [PATCH 21/31] constant size shplemini --- .../circuit_checker/ultra_circuit_checker.cpp | 1 + .../commitment_schemes/gemini/gemini.hpp | 28 +++++---- .../commitment_schemes/shplonk/shplemini.hpp | 53 ++++++++++++----- .../shplonk/shplemini.test.cpp | 3 +- .../commitment_schemes/shplonk/shplonk.hpp | 59 ++++++++++++------- .../zeromorph/zeromorph.hpp | 2 +- .../shplemini.test.cpp | 46 ++++++++++----- .../zeromorph.test.cpp | 6 +- .../src/barretenberg/sumcheck/sumcheck.hpp | 1 + 9 files changed, 131 insertions(+), 68 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/circuit_checker/ultra_circuit_checker.cpp b/barretenberg/cpp/src/barretenberg/circuit_checker/ultra_circuit_checker.cpp index ad032fd2840f..64bf61da9e33 100644 --- a/barretenberg/cpp/src/barretenberg/circuit_checker/ultra_circuit_checker.cpp +++ b/barretenberg/cpp/src/barretenberg/circuit_checker/ultra_circuit_checker.cpp @@ -20,6 +20,7 @@ template bool UltraCircuitChecker::check(const Builder& build // Create a copy of the input circuit and finalize it Builder builder{ builder_in }; builder.finalize_circuit(); + info(builder.num_gates); // Construct a hash table for lookup table entries to efficiently determine if a lookup gate is valid LookupHashTable lookup_hash_table; diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp index 9823b0a8ad1e..f6b8692e167d 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp @@ -260,19 +260,27 @@ template class GeminiVerifier_ { // Get uₗ₋₁ const Fr& u = evaluation_point[l - 1]; const Fr& eval_neg = evals[l - 1]; + // Fr batched_eval_round_acc = batched_eval_accumulator; + // Get A₍ₗ₋₁₎(−r²⁽ˡ⁻¹⁾) + // Compute the numerator + Fr batched_eval_round_acc = + ((challenge_power * batched_eval_accumulator * 2) - eval_neg * (challenge_power * (Fr(1) - u) - u)); + // Divide by the denominator + batched_eval_round_acc *= (challenge_power * (Fr(1) - u) + u).invert(); + bool is_dummy_round = (l > num_variables); - if (is_dummy_round) { - if (Curve::is_stdlib_type) { - // do dummy operations - } - } else { - // Get A₍ₗ₋₁₎(−r²⁽ˡ⁻¹⁾) - // Compute the numerator + if constexpr (Curve::is_stdlib_type) { + auto builder = evaluation_point[0].get_context(); + // TODO(https://github.com/AztecProtocol/barretenberg/issues/1114): insecure! + stdlib::bool_t dummy_round = stdlib::bool_t(builder, is_dummy_round); batched_eval_accumulator = - ((challenge_power * batched_eval_accumulator * 2) - eval_neg * (challenge_power * (Fr(1) - u) - u)); - // Divide by the denominator - batched_eval_accumulator *= (challenge_power * (Fr(1) - u) + u).invert(); + Fr::conditional_assign(dummy_round, batched_eval_accumulator, batched_eval_round_acc); + + } else { + if (!is_dummy_round) { + batched_eval_accumulator = batched_eval_round_acc; + } } } diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp index 98f4aa221477..15db11d90a30 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp @@ -128,9 +128,9 @@ template class ShpleminiVerifier_ { const Fr gemini_evaluation_challenge = transcript->template get_challenge("Gemini:r"); // - Get evaluations (A₀(−r), A₁(−r²), ... , Aₙ₋₁(−r²⁽ⁿ⁻¹⁾)) const std::vector gemini_evaluations = GeminiVerifier::get_gemini_evaluations(log_circuit_size, transcript); - // - Compute vector (r, r², ... , r²⁽ⁿ⁻¹⁾), where n = log_circuit_size + // - Compute vector (r, r², ... , r²⁽ⁿ⁻¹⁾), where n = log_circuit_size, I think this should be CONST_PROOF_SIZE const std::vector gemini_eval_challenge_powers = - gemini::powers_of_evaluation_challenge(gemini_evaluation_challenge, log_circuit_size); + gemini::powers_of_evaluation_challenge(gemini_evaluation_challenge, CONST_PROOF_SIZE_LOG_N); // Process Shplonk transcript data: // - Get Shplonk batching challenge @@ -143,7 +143,7 @@ template class ShpleminiVerifier_ { // Get Shplonk opening point z const Fr shplonk_evaluation_challenge = transcript->template get_challenge("Shplonk:z"); // Start computing the scalar to be multiplied by [1]₁ - Fr constant_term_accumulator{ 0 }; + Fr constant_term_accumulator = Fr(0); // Initialize the vector of scalars placing the scalar 1 correposnding to Q_commitment std::vector scalars; @@ -154,6 +154,7 @@ template class ShpleminiVerifier_ { scalars.emplace_back(Fr(1)); } // Compute 1/(z − r), 1/(z + r), 1/(z + r²), … , 1/(z + r²⁽ⁿ⁻¹⁾) needed for Shplonk batching + // THIS NEEDS WORK, we need CONST_PROOF_SI~Z const std::vector inverse_vanishing_evals = ShplonkVerifier::compute_inverted_gemini_denominators( log_circuit_size + 1, shplonk_evaluation_challenge, gemini_eval_challenge_powers); @@ -167,7 +168,8 @@ template class ShpleminiVerifier_ { // Place the commitments to prover polynomials in the commitments vector. Compute the evaluation of the // batched multilinear polynomial. Populate the vector of scalars for the final batch mul - Fr batched_evaluation{ 0 }; + Fr batched_evaluation = Fr(0); + // THIS IS FINE batch_multivariate_opening_claims(unshifted_commitments, shifted_commitments, unshifted_evaluations, @@ -325,26 +327,45 @@ template class ShpleminiVerifier_ { * @param scalars Output vector where the computed scalars will be stored. * @param constant_term_accumulator The accumulator for the summands of the constant term. */ - static void batch_gemini_claims_received_from_prover(const size_t log_circuit_size, - const std::vector& fold_commitments, - const std::vector& gemini_evaluations, - const std::vector& inverse_vanishing_evals, - const Fr& shplonk_batching_challenge, - std::vector& commitments, - std::vector& scalars, - Fr& constant_term_accumulator) + static void batch_gemini_claims_received_from_prover( + [[maybe_unused]] const size_t log_circuit_size, + const std::vector& fold_commitments, + const std::vector& gemini_evaluations, + const std::vector& inverse_vanishing_evals, // from compute inverted gemini denominators + const Fr& shplonk_batching_challenge, + std::vector& commitments, + std::vector& scalars, + Fr& constant_term_accumulator) // this gets modified only here so should be returned by this { + // Initialize batching challenge as ν² - Fr current_batching_challenge = shplonk_batching_challenge * shplonk_batching_challenge; - for (size_t j = 0; j < log_circuit_size - 1; ++j) { + Fr current_batching_challenge = shplonk_batching_challenge.sqr(); + for (size_t j = 0; j < CONST_PROOF_SIZE_LOG_N - 1; ++j) { + bool is_dummy_round = j >= (log_circuit_size - 1); // Compute the scaling factor (ν²⁺ⁱ) / (z + r²⁽ⁱ⁺²⁾) for i = 0, … , d-2 Fr scaling_factor = current_batching_challenge * inverse_vanishing_evals[j + 2]; - // Place the scaling factor to the 'scalars' vector - scalars.emplace_back(-scaling_factor); + + if constexpr (Curve::is_stdlib_type) { + auto builder = shplonk_batching_challenge.get_context(); + // TODO(https://github.com/AztecProtocol/barretenberg/issues/1114): insecure! + stdlib::bool_t dummy_round = stdlib::bool_t(builder, is_dummy_round); + // Call fix witness + Fr zero = Fr(0); + zero.convert_constant_to_fixed_witness(builder); + scaling_factor = Fr::conditional_assign(dummy_round, zero, scaling_factor); + } else { + if (is_dummy_round) { + scaling_factor = 0; + } + } + // Add Aᵢ(−r²ⁱ) for i = 1, … , n-1 to the constant term accumulator constant_term_accumulator += scaling_factor * gemini_evaluations[j + 1]; // Update the batching challenge current_batching_challenge *= shplonk_batching_challenge; + + // Place the scaling factor to the 'scalars' vector + scalars.emplace_back(-scaling_factor); // Move com(Aᵢ) to the 'commitments' vector commitments.emplace_back(std::move(fold_commitments[j])); } diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp index b1aad152f59b..3ced4164e877 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp @@ -216,7 +216,8 @@ TYPED_TEST(ShpleminiTest, CorrectnessOfGeminiClaimBatching) scalars, expected_constant_term_accumulator); - EXPECT_EQ(commitments.size(), prover_commitments.size()); + // + // EXPECT_EQ(commitments.size(), prover_commitments.size()); // Compute the group element using the output of Shplemini method GroupElement shplemini_result = batch_mul_native(commitments, scalars); diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp index f8db79c9a2a2..576a20499905 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp @@ -31,7 +31,7 @@ template class ShplonkProver_ { public: /** - * @brief Compute batched quotient polynomial Q(X) = ∑ⱼ ρʲ ⋅ ( fⱼ(X) − vⱼ) / ( X − xⱼ ) + * @brief Compute batched quotient polynomial Q(X) = ∑ⱼ νʲ ⋅ ( fⱼ(X) − vⱼ) / ( X − xⱼ ) * * @param opening_claims list of prover opening claims {fⱼ(X), (xⱼ, vⱼ)} for a witness polynomial fⱼ(X), s.t. fⱼ(xⱼ) * = vⱼ. @@ -45,7 +45,7 @@ template class ShplonkProver_ { for (const auto& claim : opening_claims) { max_poly_size = std::max(max_poly_size, claim.polynomial.size()); } - // Q(X) = ∑ⱼ ρʲ ⋅ ( fⱼ(X) − vⱼ) / ( X − xⱼ ) + // Q(X) = ∑ⱼ νʲ ⋅ ( fⱼ(X) − vⱼ) / ( X − xⱼ ) Polynomial Q(max_poly_size); Polynomial tmp(max_poly_size); @@ -71,7 +71,7 @@ template class ShplonkProver_ { * * @param opening_pairs list of opening pairs (xⱼ, vⱼ) for a witness polynomial fⱼ(X), s.t. fⱼ(xⱼ) = vⱼ. * @param witness_polynomials list of polynomials fⱼ(X). - * @param batched_quotient_Q Q(X) = ∑ⱼ ρʲ ⋅ ( fⱼ(X) − vⱼ) / ( X − xⱼ ) + * @param batched_quotient_Q Q(X) = ∑ⱼ νʲ ⋅ ( fⱼ(X) − vⱼ) / ( X − xⱼ ) * @param nu_challenge * @param z_challenge * @return Output{OpeningPair, Polynomial} @@ -92,21 +92,21 @@ template class ShplonkProver_ { } Fr::batch_invert(inverse_vanishing_evals); - // G(X) = Q(X) - Q_z(X) = Q(X) - ∑ⱼ ρʲ ⋅ ( fⱼ(X) − vⱼ) / ( r − xⱼ ), + // G(X) = Q(X) - Q_z(X) = Q(X) - ∑ⱼ νʲ ⋅ ( fⱼ(X) − vⱼ) / ( r − xⱼ ), // s.t. G(r) = 0 Polynomial G(std::move(batched_quotient_Q)); // G(X) = Q(X) - // G₀ = ∑ⱼ ρʲ ⋅ vⱼ / ( r − xⱼ ) + // G₀ = ∑ⱼ νʲ ⋅ vⱼ / ( r − xⱼ ) Fr current_nu = Fr::one(); Polynomial tmp(G.size()); size_t idx = 0; for (const auto& claim : opening_claims) { - // tmp = ρʲ ⋅ ( fⱼ(X) − vⱼ) / ( r − xⱼ ) + // tmp = νʲ ⋅ ( fⱼ(X) − vⱼ) / ( r − xⱼ ) tmp = claim.polynomial; tmp.at(0) = tmp[0] - claim.opening_pair.evaluation; - Fr scaling_factor = current_nu * inverse_vanishing_evals[idx]; // = ρʲ / ( r − xⱼ ) + Fr scaling_factor = current_nu * inverse_vanishing_evals[idx]; // = νʲ / ( r − xⱼ ) - // G -= ρʲ ⋅ ( fⱼ(X) − vⱼ) / ( r − xⱼ ) + // G -= νʲ ⋅ ( fⱼ(X) − vⱼ) / ( r − xⱼ ) G.add_scaled(tmp, -scaling_factor); current_nu *= nu_challenge; @@ -196,8 +196,8 @@ template class ShplonkVerifier_ { std::vector commitments; std::vector scalars; - // [G] = [Q] - ∑ⱼ ρʲ / ( r − xⱼ )⋅[fⱼ] + G₀⋅[1] - // = [Q] - [∑ⱼ ρʲ ⋅ ( fⱼ(X) − vⱼ) / ( r − xⱼ )] + // [G] = [Q] - ∑ⱼ νʲ / ( r − xⱼ )⋅[fⱼ] + G₀⋅[1] + // = [Q] - [∑ⱼ νʲ ⋅ ( fⱼ(X) − vⱼ) / ( r − xⱼ )] commitments.emplace_back(Q_commitment); scalars.emplace_back(Fr(builder, 1)); // Fr(1) @@ -215,9 +215,9 @@ template class ShplonkVerifier_ { // (Cⱼ, xⱼ, vⱼ) const auto& [opening_pair, commitment] = claims[j]; - Fr scaling_factor = current_nu * inverse_vanishing_evals[j]; // = ρʲ / ( r − xⱼ ) + Fr scaling_factor = current_nu * inverse_vanishing_evals[j]; // = νʲ / ( r − xⱼ ) - // G₀ += ρʲ / ( r − xⱼ ) ⋅ vⱼ + // G₀ += νʲ / ( r − xⱼ ) ⋅ vⱼ G_commitment_constant += scaling_factor * opening_pair.evaluation; current_nu *= nu; @@ -230,12 +230,12 @@ template class ShplonkVerifier_ { commitments.emplace_back(g1_identity); scalars.emplace_back(G_commitment_constant); - // [G] += G₀⋅[1] = [G] + (∑ⱼ ρʲ ⋅ vⱼ / ( r − xⱼ ))⋅[1] + // [G] += G₀⋅[1] = [G] + (∑ⱼ νʲ ⋅ vⱼ / ( r − xⱼ ))⋅[1] G_commitment = GroupElement::batch_mul(commitments, scalars); } else { - // [G] = [Q] - ∑ⱼ ρʲ / ( r − xⱼ )⋅[fⱼ] + G₀⋅[1] - // = [Q] - [∑ⱼ ρʲ ⋅ ( fⱼ(X) − vⱼ) / ( r − xⱼ )] + // [G] = [Q] - ∑ⱼ νʲ / ( r − xⱼ )⋅[fⱼ] + G₀⋅[1] + // = [Q] - [∑ⱼ νʲ ⋅ ( fⱼ(X) − vⱼ) / ( r − xⱼ )] G_commitment = Q_commitment; // Compute {ẑⱼ(r)}ⱼ , where ẑⱼ(r) = 1/zⱼ(r) = 1/(r - xⱼ) @@ -252,18 +252,18 @@ template class ShplonkVerifier_ { // (Cⱼ, xⱼ, vⱼ) const auto& [opening_pair, commitment] = claims[j]; - Fr scaling_factor = current_nu * inverse_vanishing_evals[j]; // = ρʲ / ( r − xⱼ ) + Fr scaling_factor = current_nu * inverse_vanishing_evals[j]; // = νʲ / ( r − xⱼ ) - // G₀ += ρʲ / ( r − xⱼ ) ⋅ vⱼ + // G₀ += νʲ / ( r − xⱼ ) ⋅ vⱼ G_commitment_constant += scaling_factor * opening_pair.evaluation; - // [G] -= ρʲ / ( r − xⱼ )⋅[fⱼ] + // [G] -= νʲ / ( r − xⱼ )⋅[fⱼ] G_commitment -= commitment * scaling_factor; current_nu *= nu; } - // [G] += G₀⋅[1] = [G] + (∑ⱼ ρʲ ⋅ vⱼ / ( r − xⱼ ))⋅[1] + // [G] += G₀⋅[1] = [G] + (∑ⱼ νʲ ⋅ vⱼ / ( r − xⱼ ))⋅[1] G_commitment += g1_identity * G_commitment_constant; } @@ -273,7 +273,7 @@ template class ShplonkVerifier_ { /** * @brief Computes \f$ \frac{1}{z - r}, \frac{1}{z+r}, \ldots, \frac{1}{z+r^{2^{d-1}}} \f$. * - * @param log_circuit_size \f$ d \f$ + * @param num_gemini_claims \f$ d + 1 \f$ where d = log_circuit_size * @param shplonk_eval_challenge \f$ z \f$ * @param gemini_eval_challenge_powers \f$ (r , r^2, \ldots, r^{2^{d-1}}) \f$ * @return \f[ \left( \frac{1}{z - r}, \frac{1}{z+r}, \ldots, \frac{1}{z+r^{2^{d-1}}} \right) \f] @@ -284,9 +284,26 @@ template class ShplonkVerifier_ { { std::vector inverted_denominators; inverted_denominators.reserve(num_gemini_claims); + info(num_gemini_claims); inverted_denominators.emplace_back((shplonk_eval_challenge - gemini_eval_challenge_powers[0]).invert()); + size_t i = 0; for (const auto& gemini_eval_challenge_power : gemini_eval_challenge_powers) { - inverted_denominators.emplace_back((shplonk_eval_challenge + gemini_eval_challenge_power).invert()); + bool is_dummy_round = i > num_gemini_claims; + Fr round_inverted_denominator = (shplonk_eval_challenge + gemini_eval_challenge_power).invert(); + if constexpr (Curve::is_stdlib_type) { + auto builder = shplonk_eval_challenge.get_context(); + // TODO(https://github.com/AztecProtocol/barretenberg/issues/1114): insecure! + stdlib::bool_t dummy_round = stdlib::bool_t(builder, is_dummy_round); + Fr zero = Fr(0); + zero.convert_constant_to_fixed_witness(builder); + round_inverted_denominator = Fr::conditional_assign(dummy_round, zero, round_inverted_denominator); + } else { + if (is_dummy_round) { + round_inverted_denominator = 0; + } + } + inverted_denominators.emplace_back(round_inverted_denominator); + i++; } return inverted_denominators; } diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp index e1ee3b92fcdf..33bfade2b354 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp @@ -526,7 +526,7 @@ template class ZeroMorphVerifier_ { scalar *= FF(-1); if constexpr (Curve::is_stdlib_type) { auto builder = x_challenge.get_context(); - FF zero = FF::from_witness(builder, 0); + FF zero = FF(0); stdlib::bool_t dummy_round = stdlib::witness_t(builder, is_dummy_round); // TODO(https://github.com/AztecProtocol/barretenberg/issues/1039): is it kosher to reassign like this? scalar = FF::conditional_assign(dummy_round, zero, scalar); diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp index 1398cefe7e84..e744f656abcc 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp @@ -1,4 +1,5 @@ #include "barretenberg/commitment_schemes/shplonk/shplemini.hpp" +#include "../commitment_schemes/commitment_key.test.hpp" #include "barretenberg/circuit_checker/circuit_checker.hpp" #include "barretenberg/commitment_schemes/commitment_key.test.hpp" #include "barretenberg/commitment_schemes/gemini/gemini.hpp" @@ -10,6 +11,7 @@ #include "barretenberg/stdlib/primitives/curves/grumpkin.hpp" #include "barretenberg/stdlib/transcript/transcript.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_circuit_builder.hpp" + #include using namespace bb; @@ -40,8 +42,8 @@ TEST(ShpleminiRecursionTest, ProveAndVerifySingle) using Polynomial = bb::Polynomial; using Transcript = bb::BaseTranscript>; - constexpr size_t N = 16; - constexpr size_t log_circuit_size = 4; + constexpr size_t N = 8192; + constexpr size_t log_circuit_size = 13; constexpr size_t NUM_UNSHIFTED = 2; constexpr size_t NUM_SHIFTED = 1; @@ -73,7 +75,7 @@ TEST(ShpleminiRecursionTest, ProveAndVerifySingle) // Compute commitments [f_i] std::vector f_commitments; - auto commitment_key = std::make_shared(4096); + auto commitment_key = std::make_shared(16384); for (size_t i = 0; i < NUM_UNSHIFTED; ++i) { f_commitments.emplace_back(commitment_key->commit(f_polynomials[i])); } @@ -87,11 +89,11 @@ TEST(ShpleminiRecursionTest, ProveAndVerifySingle) auto prover_transcript = NativeTranscript::prover_init_empty(); auto prover_opening_claims = ShpleminiProver::prove( N, RefVector(f_polynomials), RefVector(g_polynomials), u_challenge, commitment_key, prover_transcript); - + KZG::compute_opening_proof(commitment_key, prover_opening_claims, prover_transcript); Builder builder; StdlibProof stdlib_proof = bb::convert_proof_to_witness(&builder, prover_transcript->proof_data); auto stdlib_verifier_transcript = std::make_shared(stdlib_proof); - [[maybe_unused]] auto _ = stdlib_verifier_transcript->template receive_from_prover("Init"); + stdlib_verifier_transcript->template receive_from_prover("Init"); // Execute Verifier protocol without the need for vk prior the final check const auto commitments_to_witnesses = [&builder](const auto& commitments) { @@ -117,17 +119,29 @@ TEST(ShpleminiRecursionTest, ProveAndVerifySingle) auto stdlib_v_evaluations = elements_to_witness(v_evaluations); auto stdlib_w_evaluations = elements_to_witness(w_evaluations); - std::vector u_challenge_in_circuit = elements_to_witness(u_challenge); - - [[maybe_unused]] auto opening_claim = - ShpleminiVerifier::compute_batch_opening_claim(Fr::from_witness(&builder, N), - RefVector(stdlib_f_commitments), - RefVector(stdlib_g_commitments), - RefVector(stdlib_v_evaluations), - RefVector(stdlib_w_evaluations), - u_challenge_in_circuit, - Commitment::one(&builder), - stdlib_verifier_transcript); + std::vector u_challenge_in_circuit; + u_challenge_in_circuit.reserve(CONST_PROOF_SIZE_LOG_N); + std::transform(u_challenge.begin(), + u_challenge.end(), + std::back_inserter(u_challenge_in_circuit), + [&builder](const NativeFr u) { return Fr::from_witness(&builder, u); }); + std::generate_n(std::back_inserter(u_challenge_in_circuit), CONST_PROOF_SIZE_LOG_N - log_circuit_size, [&builder] { + Fr zero = Fr(0); + zero.convert_constant_to_fixed_witness(&builder); + return zero; + }); + auto opening_claim = ShpleminiVerifier::compute_batch_opening_claim(Fr::from_witness(&builder, N), + RefVector(stdlib_f_commitments), + RefVector(stdlib_g_commitments), + RefVector(stdlib_v_evaluations), + RefVector(stdlib_w_evaluations), + u_challenge_in_circuit, + Commitment::one(&builder), + stdlib_verifier_transcript); + auto pairing_points = KZG::reduce_verify_batch_opening_claim(opening_claim, stdlib_verifier_transcript); EXPECT_TRUE(CircuitChecker::check(builder)); + + auto vk = std::make_shared>(); + EXPECT_EQ(vk->pairing_check(pairing_points[0].get_value(), pairing_points[1].get_value()), true); } diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/zeromorph.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/zeromorph.test.cpp index 5c6f22d6af4e..ffcbfb05ec77 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/zeromorph.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/zeromorph.test.cpp @@ -17,7 +17,7 @@ template class ZeroMorphRecursionTest : public CommitmentTest; using Transcript = bb::BaseTranscript>; - constexpr size_t N = 8; - constexpr size_t LOG_N = 3; + constexpr size_t N = 16; + constexpr size_t LOG_N = 4; constexpr size_t NUM_UNSHIFTED = 2; constexpr size_t NUM_SHIFTED = 1; diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp index d42eb4a4fc5a..b249ac34fbeb 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp @@ -738,6 +738,7 @@ template class SumcheckVerifier { if constexpr (IsRecursiveFlavor) { typename Flavor::CircuitBuilder* builder = round_challenge.get_context(); + // TODO(https://github.com/AztecProtocol/barretenberg/issues/1114): insecure! stdlib::bool_t dummy_round = stdlib::witness_t(builder, round_idx >= multivariate_d); bool checked = round.check_sum(round_univariate, dummy_round); // Only utilize the checked value if this is not a constant proof size padding round From 17875431e1fa59d9cf007e57805a6997caa0dfaf Mon Sep 17 00:00:00 2001 From: maramihali Date: Thu, 26 Sep 2024 14:46:10 +0000 Subject: [PATCH 22/31] cleanup --- barretenberg/acir_tests/sol-test/src/index.js | 5 --- .../circuit_checker/ultra_circuit_checker.cpp | 1 - .../commitment_schemes/gemini/gemini.hpp | 2 +- .../commitment_schemes/shplonk/shplemini.hpp | 19 +++++----- .../shplonk/shplemini.test.cpp | 2 -- .../commitment_schemes/shplonk/shplonk.hpp | 36 +++++++++---------- .../zeromorph/zeromorph.hpp | 1 + .../shplemini.test.cpp | 9 +---- .../zeromorph.test.cpp | 2 +- .../src/barretenberg/sumcheck/sumcheck.hpp | 1 - .../ultra_honk/decider_verifier.hpp | 1 - .../ultra_honk/ultra_honk.test.cpp | 1 - .../sol/src/honk/instance/Add2Honk.sol | 3 +- 13 files changed, 31 insertions(+), 52 deletions(-) diff --git a/barretenberg/acir_tests/sol-test/src/index.js b/barretenberg/acir_tests/sol-test/src/index.js index d9211ffce3b3..dc510d440acf 100644 --- a/barretenberg/acir_tests/sol-test/src/index.js +++ b/barretenberg/acir_tests/sol-test/src/index.js @@ -3,11 +3,6 @@ const { readFileSync, promises: fsPromises } = fs; import { spawn } from "child_process"; import { ethers } from "ethers"; import solc from "solc"; -<<<<<<< HEAD -import linker from "solc/linker.js"; -import { info } from "console"; -======= ->>>>>>> origin/master const NUMBER_OF_FIELDS_IN_PLONK_PROOF = 93; // TODO(https://github.com/AztecProtocol/barretenberg/issues/1093): This is the size of the proof up to Sumcheck, without public inputs, as the Honk contract does not currently have a PCS. diff --git a/barretenberg/cpp/src/barretenberg/circuit_checker/ultra_circuit_checker.cpp b/barretenberg/cpp/src/barretenberg/circuit_checker/ultra_circuit_checker.cpp index 64bf61da9e33..ad032fd2840f 100644 --- a/barretenberg/cpp/src/barretenberg/circuit_checker/ultra_circuit_checker.cpp +++ b/barretenberg/cpp/src/barretenberg/circuit_checker/ultra_circuit_checker.cpp @@ -20,7 +20,6 @@ template bool UltraCircuitChecker::check(const Builder& build // Create a copy of the input circuit and finalize it Builder builder{ builder_in }; builder.finalize_circuit(); - info(builder.num_gates); // Construct a hash table for lookup table entries to efficiently determine if a lookup gate is valid LookupHashTable lookup_hash_table; diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp index f6ec5b49eadc..f6b8692e167d 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp @@ -328,6 +328,6 @@ template class GeminiVerifier_ { return { C0_r_pos, C0_r_neg }; } -}; // namespace bb +}; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp index 50e5ec370eef..e39b61292a3d 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp @@ -154,7 +154,6 @@ template class ShpleminiVerifier_ { scalars.emplace_back(Fr(1)); } // Compute 1/(z − r), 1/(z + r), 1/(z + r²), … , 1/(z + r²⁽ⁿ⁻¹⁾) needed for Shplonk batching - // THIS NEEDS WORK, we need CONST_PROOF_SI~Z const std::vector inverse_vanishing_evals = ShplonkVerifier::compute_inverted_gemini_denominators( log_circuit_size + 1, shplonk_evaluation_challenge, gemini_eval_challenge_powers); @@ -326,15 +325,14 @@ template class ShpleminiVerifier_ { * @param scalars Output vector where the computed scalars will be stored. * @param constant_term_accumulator The accumulator for the summands of the constant term. */ - static void batch_gemini_claims_received_from_prover( - [[maybe_unused]] const size_t log_circuit_size, - const std::vector& fold_commitments, - const std::vector& gemini_evaluations, - const std::vector& inverse_vanishing_evals, // from compute inverted gemini denominators - const Fr& shplonk_batching_challenge, - std::vector& commitments, - std::vector& scalars, - Fr& constant_term_accumulator) // this gets modified only here so should be returned by this + static void batch_gemini_claims_received_from_prover(const size_t log_circuit_size, + const std::vector& fold_commitments, + const std::vector& gemini_evaluations, + const std::vector& inverse_vanishing_evals, + const Fr& shplonk_batching_challenge, + std::vector& commitments, + std::vector& scalars, + Fr& constant_term_accumulator) { // Initialize batching challenge as ν² @@ -348,7 +346,6 @@ template class ShpleminiVerifier_ { auto builder = shplonk_batching_challenge.get_context(); // TODO(https://github.com/AztecProtocol/barretenberg/issues/1114): insecure! stdlib::bool_t dummy_round = stdlib::bool_t(builder, is_dummy_round); - // Call fix witness Fr zero = Fr(0); zero.convert_constant_to_fixed_witness(builder); scaling_factor = Fr::conditional_assign(dummy_round, zero, scaling_factor); diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp index 3ced4164e877..557393601796 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp @@ -216,8 +216,6 @@ TYPED_TEST(ShpleminiTest, CorrectnessOfGeminiClaimBatching) scalars, expected_constant_term_accumulator); - // - // EXPECT_EQ(commitments.size(), prover_commitments.size()); // Compute the group element using the output of Shplemini method GroupElement shplemini_result = batch_mul_native(commitments, scalars); diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp index 3b46eae6b10b..46cc2c51d07a 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp @@ -96,17 +96,17 @@ template class ShplonkProver_ { // s.t. G(r) = 0 Polynomial G(std::move(batched_quotient_Q)); // G(X) = Q(X) - // G₀ = ∑ⱼ νʲ ⋅ vⱼ / ( r − xⱼ ) + // G₀ = ∑ⱼ νʲ ⋅ vⱼ / ( z − xⱼ ) Fr current_nu = Fr::one(); Polynomial tmp(G.size()); size_t idx = 0; for (const auto& claim : opening_claims) { - // tmp = νʲ ⋅ ( fⱼ(X) − vⱼ) / ( r − xⱼ ) + // tmp = νʲ ⋅ ( fⱼ(X) − vⱼ) / ( z − xⱼ ) tmp = claim.polynomial; tmp.at(0) = tmp[0] - claim.opening_pair.evaluation; - Fr scaling_factor = current_nu * inverse_vanishing_evals[idx]; // = νʲ / ( r − xⱼ ) + Fr scaling_factor = current_nu * inverse_vanishing_evals[idx]; // = νʲ / (z − xⱼ ) - // G -= νʲ ⋅ ( fⱼ(X) − vⱼ) / ( r − xⱼ ) + // G -= νʲ ⋅ ( fⱼ(X) − vⱼ) / ( z − xⱼ ) G.add_scaled(tmp, -scaling_factor); current_nu *= nu_challenge; @@ -174,15 +174,15 @@ template class ShplonkVerifier_ { const Fr z_challenge = transcript->template get_challenge("Shplonk:z"); - // [G] = [Q] - ∑ⱼ ρʲ / ( r − xⱼ )⋅[fⱼ] + G₀⋅[1] - // = [Q] - [∑ⱼ ρʲ ⋅ ( fⱼ(X) − vⱼ) / ( r − xⱼ )] + // [G] = [Q] - ∑ⱼ ρʲ / (z − xⱼ )⋅[fⱼ] + G₀⋅[1] + // = [Q] - [∑ⱼ ρʲ ⋅ ( fⱼ(X) − vⱼ) / (z − xⱼ )] GroupElement G_commitment; // compute simulated commitment to [G] as a linear combination of // [Q], { [fⱼ] }, [1]: // [G] = [Q] - ∑ⱼ (1/zⱼ(r))[Bⱼ] + ( ∑ⱼ (1/zⱼ(r)) Tⱼ(r) )[1] // = [Q] - ∑ⱼ (1/zⱼ(r))[Bⱼ] + G₀ [1] - // G₀ = ∑ⱼ ρʲ ⋅ vⱼ / ( r − xⱼ ) + // G₀ = ∑ⱼ ρʲ ⋅ vⱼ / (z − xⱼ ) auto G_commitment_constant = Fr(0); // TODO(#673): The recursive and non-recursive (native) logic is completely separated via the following @@ -196,8 +196,8 @@ template class ShplonkVerifier_ { std::vector commitments; std::vector scalars; - // [G] = [Q] - ∑ⱼ νʲ / ( r − xⱼ )⋅[fⱼ] + G₀⋅[1] - // = [Q] - [∑ⱼ νʲ ⋅ ( fⱼ(X) − vⱼ) / ( r − xⱼ )] + // [G] = [Q] - ∑ⱼ νʲ / (z − xⱼ )⋅[fⱼ] + G₀⋅[1] + // = [Q] - [∑ⱼ νʲ ⋅ ( fⱼ(X) − vⱼ) / (z − xⱼ )] commitments.emplace_back(Q_commitment); scalars.emplace_back(Fr(builder, 1)); // Fr(1) @@ -215,9 +215,9 @@ template class ShplonkVerifier_ { // (Cⱼ, xⱼ, vⱼ) const auto& [opening_pair, commitment] = claims[j]; - Fr scaling_factor = current_nu * inverse_vanishing_evals[j]; // = νʲ / ( r − xⱼ ) + Fr scaling_factor = current_nu * inverse_vanishing_evals[j]; // = νʲ / (z − xⱼ ) - // G₀ += νʲ / ( r − xⱼ ) ⋅ vⱼ + // G₀ += νʲ / (z − xⱼ ) ⋅ vⱼ G_commitment_constant += scaling_factor * opening_pair.evaluation; current_nu *= nu; @@ -230,12 +230,12 @@ template class ShplonkVerifier_ { commitments.emplace_back(g1_identity); scalars.emplace_back(G_commitment_constant); - // [G] += G₀⋅[1] = [G] + (∑ⱼ νʲ ⋅ vⱼ / ( r − xⱼ ))⋅[1] + // [G] += G₀⋅[1] = [G] + (∑ⱼ νʲ ⋅ vⱼ / (z − xⱼ ))⋅[1] G_commitment = GroupElement::batch_mul(commitments, scalars); } else { - // [G] = [Q] - ∑ⱼ νʲ / ( r − xⱼ )⋅[fⱼ] + G₀⋅[1] - // = [Q] - [∑ⱼ νʲ ⋅ ( fⱼ(X) − vⱼ) / ( r − xⱼ )] + // [G] = [Q] - ∑ⱼ νʲ / (z − xⱼ )⋅[fⱼ] + G₀⋅[1] + // = [Q] - [∑ⱼ νʲ ⋅ ( fⱼ(X) − vⱼ) / (z − xⱼ )] G_commitment = Q_commitment; // Compute {ẑⱼ(r)}ⱼ , where ẑⱼ(r) = 1/zⱼ(r) = 1/(r - xⱼ) @@ -252,18 +252,18 @@ template class ShplonkVerifier_ { // (Cⱼ, xⱼ, vⱼ) const auto& [opening_pair, commitment] = claims[j]; - Fr scaling_factor = current_nu * inverse_vanishing_evals[j]; // = νʲ / ( r − xⱼ ) + Fr scaling_factor = current_nu * inverse_vanishing_evals[j]; // = νʲ / (z − xⱼ ) - // G₀ += νʲ / ( r − xⱼ ) ⋅ vⱼ + // G₀ += νʲ / (z − xⱼ ) ⋅ vⱼ G_commitment_constant += scaling_factor * opening_pair.evaluation; - // [G] -= νʲ / ( r − xⱼ )⋅[fⱼ] + // [G] -= νʲ / (z − xⱼ )⋅[fⱼ] G_commitment -= commitment * scaling_factor; current_nu *= nu; } - // [G] += G₀⋅[1] = [G] + (∑ⱼ νʲ ⋅ vⱼ / ( r − xⱼ ))⋅[1] + // [G] += G₀⋅[1] = [G] + (∑ⱼ νʲ ⋅ vⱼ / (z − xⱼ ))⋅[1] G_commitment += g1_identity * G_commitment_constant; } diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp index 33bfade2b354..e7a59d8b3a01 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp @@ -527,6 +527,7 @@ template class ZeroMorphVerifier_ { if constexpr (Curve::is_stdlib_type) { auto builder = x_challenge.get_context(); FF zero = FF(0); + zero.convert_constant_to_fixed_witness(builder); stdlib::bool_t dummy_round = stdlib::witness_t(builder, is_dummy_round); // TODO(https://github.com/AztecProtocol/barretenberg/issues/1039): is it kosher to reassign like this? scalar = FF::conditional_assign(dummy_round, zero, scalar); diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp index 9e9ef6ff4816..51a9895c582e 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp @@ -1,9 +1,4 @@ #include "barretenberg/commitment_schemes/shplonk/shplemini.hpp" -<<<<<<< HEAD -#include "../commitment_schemes/commitment_key.test.hpp" - == == == - = ->>>>>>> origin/master #include "barretenberg/circuit_checker/circuit_checker.hpp" #include "barretenberg/commitment_schemes/commitment_key.test.hpp" #include "barretenberg/commitment_schemes/gemini/gemini.hpp" @@ -16,9 +11,7 @@ #include "barretenberg/stdlib/transcript/transcript.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_circuit_builder.hpp" -#include - - using namespace bb; +using namespace bb; template class ShpleminiRecursionTest : public CommitmentTest {}; diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/zeromorph.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/zeromorph.test.cpp index ffcbfb05ec77..60b26699ea99 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/zeromorph.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/zeromorph.test.cpp @@ -17,7 +17,7 @@ template class ZeroMorphRecursionTest : public CommitmentTest class SumcheckProver { transcript->send_to_verifier("Sumcheck:univariate_" + std::to_string(idx), zero_univariate); FF round_challenge = transcript->template get_challenge("Sumcheck:u_" + std::to_string(idx)); multivariate_challenge.emplace_back(round_challenge); - info(round_challenge); } // The evaluations of Libra uninvariates at \f$ g_0(u_0), \ldots, g_{d-1} (u_{d-1}) \f$ are added to the // transcript. diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.hpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.hpp index a13bb168d6ed..b4d013a9fe4d 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.hpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.hpp @@ -1,5 +1,4 @@ #pragma once -#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp" #include "barretenberg/honk/proof_system/types/proof.hpp" #include "barretenberg/srs/global_crs.hpp" #include "barretenberg/stdlib_circuit_builders/mega_flavor.hpp" diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_honk.test.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_honk.test.cpp index 6ddd7d511fd8..62dfe74c9c1e 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_honk.test.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_honk.test.cpp @@ -62,7 +62,6 @@ TYPED_TEST(UltraHonkTests, ANonZeroPolynomialIsAGoodPolynomial) auto circuit_builder = UltraCircuitBuilder(); auto proving_key = std::make_shared(circuit_builder); - info(proving_key->proving_key.num_public_inputs); typename TestFixture::Prover prover(proving_key); auto proof = prover.construct_proof(); auto& polynomials = proving_key->proving_key.polynomials; diff --git a/barretenberg/sol/src/honk/instance/Add2Honk.sol b/barretenberg/sol/src/honk/instance/Add2Honk.sol index a4afcb3626f1..a6eaec5afa81 100644 --- a/barretenberg/sol/src/honk/instance/Add2Honk.sol +++ b/barretenberg/sol/src/honk/instance/Add2Honk.sol @@ -16,7 +16,7 @@ import { CONST_PROOF_SIZE_LOG_N } from "../HonkTypes.sol"; -import {ecMul, logFr, ecAdd, ecSub, negateInplace, convertProofPoint} from "../utils.sol"; +import {ecMul, ecAdd, ecSub, negateInplace, convertProofPoint} from "../utils.sol"; // Field arithmetic libraries - prevent littering the code with modmul / addmul import {MODULUS as P, MINUS_ONE, Fr, FrLib} from "../Fr.sol"; @@ -99,7 +99,6 @@ contract Add2HonkVerifier is IVerifier { if (!valid) revert SumcheckFailed(); Fr roundChallenge = tp.sumCheckUChallenges[round]; - logFr("round challenge: ", roundChallenge); // Update the round target for the next rounf roundTarget = computeNextTargetSum(roundUnivariate, roundChallenge); From 07f358df10c7fb1c4ab5f5ee40fe1caa82615051 Mon Sep 17 00:00:00 2001 From: maramihali Date: Thu, 26 Sep 2024 15:17:46 +0000 Subject: [PATCH 23/31] better tests --- .../commitment_schemes/shplonk/shplonk.hpp | 1 - .../shplemini.test.cpp | 194 +++++++++--------- .../zeromorph.test.cpp | 4 +- 3 files changed, 104 insertions(+), 95 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp index 46cc2c51d07a..c5b4d8334b02 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp @@ -284,7 +284,6 @@ template class ShplonkVerifier_ { { std::vector inverted_denominators; inverted_denominators.reserve(num_gemini_claims); - info(num_gemini_claims); inverted_denominators.emplace_back((shplonk_eval_challenge - gemini_eval_challenge_powers[0]).invert()); size_t i = 0; for (const auto& gemini_eval_challenge_power : gemini_eval_challenge_powers) { diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp index 51a9895c582e..02e2de4e920d 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp @@ -10,6 +10,7 @@ #include "barretenberg/stdlib/primitives/curves/grumpkin.hpp" #include "barretenberg/stdlib/transcript/transcript.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_circuit_builder.hpp" +#include using namespace bb; @@ -18,7 +19,8 @@ template class ShpleminiRecursionTest : public CommitmentTest; using Transcript = bb::BaseTranscript>; - constexpr size_t N = 8192; - constexpr size_t log_circuit_size = 13; - constexpr size_t NUM_UNSHIFTED = 2; - constexpr size_t NUM_SHIFTED = 1; - srs::init_crs_factory("../srs_db/ignition"); + auto run_shplemini = [](size_t log_circuit_size) { + size_t N = 1 << log_circuit_size; + constexpr size_t NUM_UNSHIFTED = 2; + constexpr size_t NUM_SHIFTED = 1; + std::vector u_challenge(log_circuit_size); + for (size_t idx = 0; idx < log_circuit_size; ++idx) { + u_challenge[idx] = NativeFr::random_element(&shplemini_engine); + }; + // Construct some random multilinear polynomials f_i and their evaluations v_i = f_i(u) + std::vector f_polynomials; // unshifted polynomials + std::vector v_evaluations; + for (size_t i = 0; i < NUM_UNSHIFTED; ++i) { + f_polynomials.emplace_back(Polynomial::random(N, /*shiftable*/ 1)); + v_evaluations.emplace_back(f_polynomials[i].evaluate_mle(u_challenge)); + } - std::vector u_challenge(log_circuit_size); - for (size_t idx = 0; idx < log_circuit_size; ++idx) { - u_challenge[idx] = NativeFr::random_element(&shplemini_engine); - }; - // Construct some random multilinear polynomials f_i and their evaluations v_i = f_i(u) - std::vector f_polynomials; // unshifted polynomials - std::vector v_evaluations; - for (size_t i = 0; i < NUM_UNSHIFTED; ++i) { - f_polynomials.emplace_back(Polynomial::random(N, /*shiftable*/ 1)); - v_evaluations.emplace_back(f_polynomials[i].evaluate_mle(u_challenge)); - } + // Construct some "shifted" multilinear polynomials h_i as the left-shift-by-1 of f_i + std::vector g_polynomials; // to-be-shifted polynomials + std::vector h_polynomials; // shifts of the to-be-shifted polynomials + std::vector w_evaluations; + if constexpr (NUM_SHIFTED > 0) { + for (size_t i = 0; i < NUM_SHIFTED; ++i) { + g_polynomials.emplace_back(f_polynomials[i]); + h_polynomials.emplace_back(g_polynomials[i].shifted()); + w_evaluations.emplace_back(f_polynomials[i].evaluate_mle(u_challenge, true)); + } + } - // Construct some "shifted" multilinear polynomials h_i as the left-shift-by-1 of f_i - std::vector g_polynomials; // to-be-shifted polynomials - std::vector h_polynomials; // shifts of the to-be-shifted polynomials - std::vector w_evaluations; - if constexpr (NUM_SHIFTED > 0) { + // Compute commitments [f_i] + std::vector f_commitments; + auto commitment_key = std::make_shared(16384); + for (size_t i = 0; i < NUM_UNSHIFTED; ++i) { + f_commitments.emplace_back(commitment_key->commit(f_polynomials[i])); + } + // Construct container of commitments of the "to-be-shifted" polynomials [g_i] (= [f_i]) + std::vector g_commitments; for (size_t i = 0; i < NUM_SHIFTED; ++i) { - g_polynomials.emplace_back(f_polynomials[i]); - h_polynomials.emplace_back(g_polynomials[i].shifted()); - w_evaluations.emplace_back(f_polynomials[i].evaluate_mle(u_challenge, true)); + g_commitments.emplace_back(f_commitments[i]); } - } - // Compute commitments [f_i] - std::vector f_commitments; - auto commitment_key = std::make_shared(16384); - for (size_t i = 0; i < NUM_UNSHIFTED; ++i) { - f_commitments.emplace_back(commitment_key->commit(f_polynomials[i])); - } - // Construct container of commitments of the "to-be-shifted" polynomials [g_i] (= [f_i]) - std::vector g_commitments; - for (size_t i = 0; i < NUM_SHIFTED; ++i) { - g_commitments.emplace_back(f_commitments[i]); - } + // Initialize an empty NativeTranscript + auto prover_transcript = NativeTranscript::prover_init_empty(); + auto prover_opening_claims = ShpleminiProver::prove( + N, RefVector(f_polynomials), RefVector(g_polynomials), u_challenge, commitment_key, prover_transcript); + KZG::compute_opening_proof(commitment_key, prover_opening_claims, prover_transcript); + Builder builder; + StdlibProof stdlib_proof = bb::convert_proof_to_witness(&builder, prover_transcript->proof_data); + auto stdlib_verifier_transcript = std::make_shared(stdlib_proof); + stdlib_verifier_transcript->template receive_from_prover("Init"); - // Initialize an empty NativeTranscript - auto prover_transcript = NativeTranscript::prover_init_empty(); - auto prover_opening_claims = ShpleminiProver::prove( - N, RefVector(f_polynomials), RefVector(g_polynomials), u_challenge, commitment_key, prover_transcript); - KZG::compute_opening_proof(commitment_key, prover_opening_claims, prover_transcript); - Builder builder; - StdlibProof stdlib_proof = bb::convert_proof_to_witness(&builder, prover_transcript->proof_data); - auto stdlib_verifier_transcript = std::make_shared(stdlib_proof); - stdlib_verifier_transcript->template receive_from_prover("Init"); + // Execute Verifier protocol without the need for vk prior the final check + const auto commitments_to_witnesses = [&builder](const auto& commitments) { + std::vector commitments_in_biggroup(commitments.size()); + std::transform(commitments.begin(), + commitments.end(), + commitments_in_biggroup.begin(), + [&builder](const auto& native_commitment) { + return Commitment::from_witness(&builder, native_commitment); + }); + return commitments_in_biggroup; + }; + const auto elements_to_witness = [&](const auto& elements) { + std::vector elements_in_circuit(elements.size()); + std::transform( + elements.begin(), elements.end(), elements_in_circuit.begin(), [&builder](const auto& native_element) { + return Fr::from_witness(&builder, native_element); + }); + return elements_in_circuit; + }; + auto stdlib_f_commitments = commitments_to_witnesses(f_commitments); + auto stdlib_g_commitments = commitments_to_witnesses(g_commitments); + auto stdlib_v_evaluations = elements_to_witness(v_evaluations); + auto stdlib_w_evaluations = elements_to_witness(w_evaluations); - // Execute Verifier protocol without the need for vk prior the final check - const auto commitments_to_witnesses = [&builder](const auto& commitments) { - std::vector commitments_in_biggroup(commitments.size()); - std::transform(commitments.begin(), - commitments.end(), - commitments_in_biggroup.begin(), - [&builder](const auto& native_commitment) { - return Commitment::from_witness(&builder, native_commitment); - }); - return commitments_in_biggroup; - }; - const auto elements_to_witness = [&](const auto& elements) { - std::vector elements_in_circuit(elements.size()); - std::transform(elements.begin(), - elements.end(), - elements_in_circuit.begin(), - [&builder](const auto& native_element) { return Fr::from_witness(&builder, native_element); }); - return elements_in_circuit; - }; - auto stdlib_f_commitments = commitments_to_witnesses(f_commitments); - auto stdlib_g_commitments = commitments_to_witnesses(g_commitments); - auto stdlib_v_evaluations = elements_to_witness(v_evaluations); - auto stdlib_w_evaluations = elements_to_witness(w_evaluations); + std::vector u_challenge_in_circuit; + u_challenge_in_circuit.reserve(CONST_PROOF_SIZE_LOG_N); + auto u_iter = u_challenge.begin(); + + std::generate_n(std::back_inserter(u_challenge_in_circuit), CONST_PROOF_SIZE_LOG_N, [&] { + // We still need to do the same + Fr zero = Fr(0); + zero.convert_constant_to_fixed_witness(&builder); + if (u_iter < u_challenge.end()) { + return Fr::from_witness(&builder, *u_iter++); + } + return zero; + }); - std::vector u_challenge_in_circuit; - u_challenge_in_circuit.reserve(CONST_PROOF_SIZE_LOG_N); - std::transform(u_challenge.begin(), - u_challenge.end(), - std::back_inserter(u_challenge_in_circuit), - [&builder](const NativeFr u) { return Fr::from_witness(&builder, u); }); - std::generate_n(std::back_inserter(u_challenge_in_circuit), CONST_PROOF_SIZE_LOG_N - log_circuit_size, [&builder] { - Fr zero = Fr(0); - zero.convert_constant_to_fixed_witness(&builder); - return zero; - }); + auto opening_claim = ShpleminiVerifier::compute_batch_opening_claim(Fr::from_witness(&builder, N), + RefVector(stdlib_f_commitments), + RefVector(stdlib_g_commitments), + RefVector(stdlib_v_evaluations), + RefVector(stdlib_w_evaluations), + u_challenge_in_circuit, + Commitment::one(&builder), + stdlib_verifier_transcript); + auto pairing_points = KZG::reduce_verify_batch_opening_claim(opening_claim, stdlib_verifier_transcript); + EXPECT_TRUE(CircuitChecker::check(builder)); - auto opening_claim = ShpleminiVerifier::compute_batch_opening_claim(Fr::from_witness(&builder, N), - RefVector(stdlib_f_commitments), - RefVector(stdlib_g_commitments), - RefVector(stdlib_v_evaluations), - RefVector(stdlib_w_evaluations), - u_challenge_in_circuit, - Commitment::one(&builder), - stdlib_verifier_transcript); - auto pairing_points = KZG::reduce_verify_batch_opening_claim(opening_claim, stdlib_verifier_transcript); - EXPECT_TRUE(CircuitChecker::check(builder)); + auto vk = std::make_shared>(); + EXPECT_EQ(vk->pairing_check(pairing_points[0].get_value(), pairing_points[1].get_value()), true); + + // Return finalised number of gates; + return builder.num_gates; + }; - auto vk = std::make_shared>(); - EXPECT_EQ(vk->pairing_check(pairing_points[0].get_value(), pairing_points[1].get_value()), true); + size_t num_gates_6 = run_shplemini(6); + size_t num_gates_13 = run_shplemini(13); + EXPECT_EQ(num_gates_6, num_gates_13); } diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/zeromorph.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/zeromorph.test.cpp index 60b26699ea99..5c6f22d6af4e 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/zeromorph.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/zeromorph.test.cpp @@ -38,8 +38,8 @@ TEST(ZeroMorphRecursionTest, ProveAndVerifySingle) using ZeroMorphVerifier = ZeroMorphVerifier_; using Transcript = bb::BaseTranscript>; - constexpr size_t N = 16; - constexpr size_t LOG_N = 4; + constexpr size_t N = 8; + constexpr size_t LOG_N = 3; constexpr size_t NUM_UNSHIFTED = 2; constexpr size_t NUM_SHIFTED = 1; From 56c7c4045233fd4a0011e4a6f3b3545aedff3202 Mon Sep 17 00:00:00 2001 From: maramihali Date: Thu, 26 Sep 2024 15:22:52 +0000 Subject: [PATCH 24/31] fix typo --- barretenberg/acir_tests/sol-test/src/index.js | 1 - 1 file changed, 1 deletion(-) diff --git a/barretenberg/acir_tests/sol-test/src/index.js b/barretenberg/acir_tests/sol-test/src/index.js index dc510d440acf..25a25484ba6f 100644 --- a/barretenberg/acir_tests/sol-test/src/index.js +++ b/barretenberg/acir_tests/sol-test/src/index.js @@ -149,7 +149,6 @@ const readPublicInputs = (proofAsFields) => { const publicInputs = []; // Compute the number of public inputs, not accounted for in the constant NUMBER_OF_FIELDS_IN_PROOF const numPublicInputs = proofAsFields.length - NUMBER_OF_FIELDS_IN_PROOF; - info(numPublicInputs); let publicInputsOffset = 0; // Honk proofs contain 3 pieces of metadata before the public inputs, while plonk does not From 4ae0d4ec0afaccee2ea0867e8ffc43e39bcceb60 Mon Sep 17 00:00:00 2001 From: maramihali Date: Thu, 26 Sep 2024 16:32:54 +0000 Subject: [PATCH 25/31] cleanup from PR review --- .../cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp index f6b8692e167d..61b0d36b5d39 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp @@ -173,7 +173,7 @@ template class GeminiVerifier_ { // Get evaluations a_i, i = 0,...,m-1 from transcript const std::vector evaluations = get_gemini_evaluations(num_variables, transcript); - // Compute evaluation of A₀(r) + // Compute evaluation A₀(r) auto a_0_pos = compute_gemini_batched_univariate_evaluation( num_variables, batched_evaluation, multilinear_challenge, r_squares, evaluations); @@ -260,7 +260,6 @@ template class GeminiVerifier_ { // Get uₗ₋₁ const Fr& u = evaluation_point[l - 1]; const Fr& eval_neg = evals[l - 1]; - // Fr batched_eval_round_acc = batched_eval_accumulator; // Get A₍ₗ₋₁₎(−r²⁽ˡ⁻¹⁾) // Compute the numerator Fr batched_eval_round_acc = From 5935883160fc50d73c35a563c84ce133eb6f69c6 Mon Sep 17 00:00:00 2001 From: maramihali Date: Thu, 26 Sep 2024 17:31:22 +0000 Subject: [PATCH 26/31] stuff --- .../ultra_recursive_verifier.cpp | 22 +++++------ .../stdlib_circuit_builders/mega_flavor.hpp | 24 ++++++++---- .../stdlib_circuit_builders/ultra_flavor.hpp | 25 ++++++++----- .../ultra_honk/decider_prover.cpp | 28 ++++---------- .../ultra_honk/decider_verifier.cpp | 37 +++++-------------- .../ultra_honk/mega_transcript.test.cpp | 16 +++++--- .../ultra_honk/ultra_transcript.test.cpp | 16 +++++--- 7 files changed, 81 insertions(+), 87 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.cpp index a728f3e3f7ed..9e48901af45c 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.cpp @@ -1,5 +1,5 @@ #include "barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.hpp" -#include "barretenberg/commitment_schemes/zeromorph/zeromorph.hpp" +#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp" #include "barretenberg/numeric/bitop/get_msb.hpp" #include "barretenberg/plonk_honk_shared/library/grand_product_delta.hpp" #include "barretenberg/transcript/transcript.hpp" @@ -42,7 +42,7 @@ UltraRecursiveVerifier_::AggregationObject UltraRecursiveVerifier_; using PCS = typename Flavor::PCS; using Curve = typename Flavor::Curve; - using ZeroMorph = ::bb::ZeroMorphVerifier_; + using Shplemini = ::bb::ShpleminiVerifier_; using VerifierCommitments = typename Flavor::VerifierCommitments; using Transcript = typename Flavor::Transcript; @@ -92,15 +92,15 @@ UltraRecursiveVerifier_::AggregationObject UltraRecursiveVerifier_relation_parameters, verification_key->alphas, gate_challenges); // Execute ZeroMorph to produce an opening claim subsequently verified by a univariate PCS - auto opening_claim = ZeroMorph::verify(key->circuit_size, - commitments.get_unshifted(), - commitments.get_to_be_shifted(), - claimed_evaluations.get_unshifted(), - claimed_evaluations.get_shifted(), - multivariate_challenge, - Commitment::one(builder), - transcript); - auto pairing_points = PCS::reduce_verify(opening_claim, transcript); + auto opening_claim = Shplemini::compute_batch_opening_claim(key->circuit_size, + commitments.get_unshifted(), + commitments.get_to_be_shifted(), + claimed_evaluations.get_unshifted(), + claimed_evaluations.get_shifted(), + multivariate_challenge, + Commitment::one(builder), + transcript); + auto pairing_points = PCS::reduce_verify_batch_opening_claim(opening_claim, transcript); pairing_points[0] = pairing_points[0].normalize(); pairing_points[1] = pairing_points[1].normalize(); diff --git a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/mega_flavor.hpp b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/mega_flavor.hpp index 2c1f44c617e3..c2e91f65c66b 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/mega_flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/mega_flavor.hpp @@ -876,8 +876,9 @@ class MegaFlavor { Commitment lookup_read_tags_comm; std::vector> sumcheck_univariates; std::array sumcheck_evaluations; - std::vector zm_cq_comms; - Commitment zm_cq_comm; + std::vector gemini_fold_comms; + std::vector gemini_fold_evals; + Commitment shplonk_q_comm; Commitment kzg_w_comm; Transcript_() = default; @@ -942,10 +943,14 @@ class MegaFlavor { num_frs_read)); } sumcheck_evaluations = deserialize_from_buffer>(proof_data, num_frs_read); - for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N; ++i) { - zm_cq_comms.push_back(deserialize_from_buffer(proof_data, num_frs_read)); + for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N - 1; ++i) { + gemini_fold_comms.push_back(deserialize_from_buffer(proof_data, num_frs_read)); + } + for (size_t i = 1; i <= CONST_PROOF_SIZE_LOG_N; ++i) { + gemini_fold_evals.push_back(deserialize_from_buffer(proof_data, num_frs_read)); } - zm_cq_comm = deserialize_from_buffer(proof_data, num_frs_read); + shplonk_q_comm = deserialize_from_buffer(proof_data, num_frs_read); + kzg_w_comm = deserialize_from_buffer(proof_data, num_frs_read); } @@ -987,10 +992,13 @@ class MegaFlavor { serialize_to_buffer(sumcheck_univariates[i], proof_data); } serialize_to_buffer(sumcheck_evaluations, proof_data); - for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N; ++i) { - serialize_to_buffer(zm_cq_comms[i], proof_data); + for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N - 1; ++i) { + serialize_to_buffer(gemini_fold_comms[i], proof_data); + } + for (size_t i = 1; i <= CONST_PROOF_SIZE_LOG_N; ++i) { + serialize_to_buffer(gemini_fold_evals[i], proof_data); } - serialize_to_buffer(zm_cq_comm, proof_data); + serialize_to_buffer(shplonk_q_comm, proof_data); serialize_to_buffer(kzg_w_comm, proof_data); ASSERT(proof_data.size() == old_proof_length); diff --git a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_flavor.hpp b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_flavor.hpp index b40174ce1646..d8e278476000 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_flavor.hpp @@ -721,10 +721,10 @@ class UltraFlavor { Commitment lookup_inverses_comm; std::vector> sumcheck_univariates; std::array sumcheck_evaluations; - std::vector zm_cq_comms; - Commitment zm_cq_comm; + std::vector gemini_fold_comms; + std::vector gemini_fold_evals; + Commitment shplonk_q_comm; Commitment kzg_w_comm; - Transcript() = default; // Used by verifier to initialize the transcript @@ -778,10 +778,14 @@ class UltraFlavor { num_frs_read)); } sumcheck_evaluations = deserialize_from_buffer>(proof_data, num_frs_read); - for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N; ++i) { - zm_cq_comms.push_back(deserialize_from_buffer(proof_data, num_frs_read)); + for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N - 1; ++i) { + gemini_fold_comms.push_back(deserialize_from_buffer(proof_data, num_frs_read)); + } + for (size_t i = 1; i <= CONST_PROOF_SIZE_LOG_N; ++i) { + gemini_fold_evals.push_back(deserialize_from_buffer(proof_data, num_frs_read)); } - zm_cq_comm = deserialize_from_buffer(proof_data, num_frs_read); + shplonk_q_comm = deserialize_from_buffer(proof_data, num_frs_read); + kzg_w_comm = deserialize_from_buffer(proof_data, num_frs_read); } @@ -813,10 +817,13 @@ class UltraFlavor { serialize_to_buffer(sumcheck_univariates[i], proof_data); } serialize_to_buffer(sumcheck_evaluations, proof_data); - for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N; ++i) { - serialize_to_buffer(zm_cq_comms[i], proof_data); + for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N - 1; ++i) { + serialize_to_buffer(gemini_fold_comms[i], proof_data); + } + for (size_t i = 1; i <= CONST_PROOF_SIZE_LOG_N; ++i) { + serialize_to_buffer(gemini_fold_evals[i], proof_data); } - serialize_to_buffer(zm_cq_comm, proof_data); + serialize_to_buffer(shplonk_q_comm, proof_data); serialize_to_buffer(kzg_w_comm, proof_data); // sanity check to make sure we generate the same length of proof as before. diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp index e8063431f7db..7a5f590df02f 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp @@ -49,28 +49,14 @@ template void DeciderProver_::execute_pcs_rounds( { using OpeningClaim = ProverOpeningClaim; - // TODO(https://github.com/AztecProtocol/barretenberg/issues/1109): Remove this hack once the verifier runs on - // Shplemini for all Ultra flavors - OpeningClaim prover_opening_claim; - if constexpr (bb::IsAnyOf) { + const OpeningClaim prover_opening_claim = + ShpleminiProver_::prove(proving_key->proving_key.circuit_size, + proving_key->proving_key.polynomials.get_unshifted(), + proving_key->proving_key.polynomials.get_to_be_shifted(), + sumcheck_output.challenge, + commitment_key, + transcript); - prover_opening_claim = ShpleminiProver_::prove(proving_key->proving_key.circuit_size, - proving_key->proving_key.polynomials.get_unshifted(), - proving_key->proving_key.polynomials.get_to_be_shifted(), - sumcheck_output.challenge, - commitment_key, - transcript); - } else { - - prover_opening_claim = ZeroMorphProver_::prove(proving_key->proving_key.circuit_size, - proving_key->proving_key.polynomials.get_unshifted(), - proving_key->proving_key.polynomials.get_to_be_shifted(), - sumcheck_output.claimed_evaluations.get_unshifted(), - sumcheck_output.claimed_evaluations.get_shifted(), - sumcheck_output.challenge, - commitment_key, - transcript); - } PCS::compute_opening_proof(commitment_key, prover_opening_claim, transcript); } diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.cpp index 477ac93c297c..763c74c6a628 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.cpp @@ -39,8 +39,6 @@ template bool DeciderVerifier_::verify() { using PCS = typename Flavor::PCS; using Curve = typename Flavor::Curve; - using GroupElement = typename Curve::Element; - using ZeroMorph = ZeroMorphVerifier_; using Shplemini = ShpleminiVerifier_; using VerifierCommitments = typename Flavor::VerifierCommitments; @@ -58,32 +56,15 @@ template bool DeciderVerifier_::verify() return false; } - std::array pairing_points; - // TODO(https://github.com/AztecProtocol/barretenberg/issues/1109): Remove this hack once the verifier runs on - // Shplemini for all Ultra flavors - if constexpr (bb::IsAnyOf) { - const auto opening_claim = Shplemini::compute_batch_opening_claim(accumulator->verification_key->circuit_size, - commitments.get_unshifted(), - commitments.get_to_be_shifted(), - claimed_evaluations.get_unshifted(), - claimed_evaluations.get_shifted(), - multivariate_challenge, - Commitment::one(), - transcript); - pairing_points = PCS::reduce_verify_batch_opening_claim(opening_claim, transcript); - } else { - // Execute ZeroMorph rounds. See https://hackmd.io/dlf9xEwhTQyE3hiGbq4FsA?view for a complete description of the - // unrolled protocol. - const auto opening_claim = ZeroMorph::verify(accumulator->verification_key->circuit_size, - commitments.get_unshifted(), - commitments.get_to_be_shifted(), - claimed_evaluations.get_unshifted(), - claimed_evaluations.get_shifted(), - multivariate_challenge, - Commitment::one(), - transcript); - pairing_points = PCS::reduce_verify(opening_claim, transcript); - } + const auto opening_claim = Shplemini::compute_batch_opening_claim(accumulator->verification_key->circuit_size, + commitments.get_unshifted(), + commitments.get_to_be_shifted(), + claimed_evaluations.get_unshifted(), + claimed_evaluations.get_shifted(), + multivariate_challenge, + Commitment::one(), + transcript); + const auto pairing_points = PCS::reduce_verify_batch_opening_claim(opening_claim, transcript); bool verified = pcs_verification_key->pairing_check(pairing_points[0], pairing_points[1]); return sumcheck_verified.value() && verified; diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/mega_transcript.test.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/mega_transcript.test.cpp index 94754892919d..461ef54a4038 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/mega_transcript.test.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/mega_transcript.test.cpp @@ -107,15 +107,21 @@ class MegaTranscriptTests : public ::testing::Test { manifest_expected.add_challenge(round, "rho"); round++; - for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N; ++i) { + for (size_t i = 1; i < CONST_PROOF_SIZE_LOG_N; ++i) { + std::string idx = std::to_string(i); + manifest_expected.add_entry(round, "Gemini:FOLD_" + idx, frs_per_G); + } + manifest_expected.add_challenge(round, "Gemini:r"); + round++; + for (size_t i = 1; i <= CONST_PROOF_SIZE_LOG_N; ++i) { std::string idx = std::to_string(i); - manifest_expected.add_entry(round, "ZM:C_q_" + idx, frs_per_G); + manifest_expected.add_entry(round, "Gemini:a_" + idx, frs_per_Fr); } - manifest_expected.add_challenge(round, "ZM:y"); + manifest_expected.add_challenge(round, "Shplonk:nu"); round++; - manifest_expected.add_entry(round, "ZM:C_q", frs_per_G); - manifest_expected.add_challenge(round, "ZM:x", "ZM:z"); + manifest_expected.add_entry(round, "Shplonk:Q", frs_per_G); + manifest_expected.add_challenge(round, "Shplonk:z"); round++; manifest_expected.add_entry(round, "KZG:W", frs_per_G); diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_transcript.test.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_transcript.test.cpp index 29b4c87172ee..147db031eadd 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_transcript.test.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_transcript.test.cpp @@ -92,15 +92,21 @@ class UltraTranscriptTests : public ::testing::Test { manifest_expected.add_challenge(round, "rho"); round++; - for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N; ++i) { + for (size_t i = 1; i < CONST_PROOF_SIZE_LOG_N; ++i) { + std::string idx = std::to_string(i); + manifest_expected.add_entry(round, "Gemini:FOLD_" + idx, frs_per_G); + } + manifest_expected.add_challenge(round, "Gemini:r"); + round++; + for (size_t i = 1; i <= CONST_PROOF_SIZE_LOG_N; ++i) { std::string idx = std::to_string(i); - manifest_expected.add_entry(round, "ZM:C_q_" + idx, frs_per_G); + manifest_expected.add_entry(round, "Gemini:a_" + idx, frs_per_Fr); } - manifest_expected.add_challenge(round, "ZM:y"); + manifest_expected.add_challenge(round, "Shplonk:nu"); round++; - manifest_expected.add_entry(round, "ZM:C_q", frs_per_G); - manifest_expected.add_challenge(round, "ZM:x", "ZM:z"); + manifest_expected.add_entry(round, "Shplonk:Q", frs_per_G); + manifest_expected.add_challenge(round, "Shplonk:z"); round++; manifest_expected.add_entry(round, "KZG:W", frs_per_G); From 1b780043d97b8094976753ee7c9b224f895b8f30 Mon Sep 17 00:00:00 2001 From: maramihali Date: Mon, 30 Sep 2024 10:57:46 +0000 Subject: [PATCH 27/31] fix stuff that was making circuit not be constant size --- .../commitment_schemes/gemini/gemini.hpp | 6 +-- .../commitment_schemes/shplonk/shplemini.hpp | 54 +++++++++---------- .../commitment_schemes/shplonk/shplonk.hpp | 15 ------ 3 files changed, 29 insertions(+), 46 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp index 61b0d36b5d39..53173de9ea98 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp @@ -267,17 +267,15 @@ template class GeminiVerifier_ { // Divide by the denominator batched_eval_round_acc *= (challenge_power * (Fr(1) - u) + u).invert(); - bool is_dummy_round = (l > num_variables); - if constexpr (Curve::is_stdlib_type) { auto builder = evaluation_point[0].get_context(); // TODO(https://github.com/AztecProtocol/barretenberg/issues/1114): insecure! - stdlib::bool_t dummy_round = stdlib::bool_t(builder, is_dummy_round); + stdlib::bool_t dummy_round = stdlib::witness_t(builder, l > num_variables); batched_eval_accumulator = Fr::conditional_assign(dummy_round, batched_eval_accumulator, batched_eval_round_acc); } else { - if (!is_dummy_round) { + if (l < num_variables) { batched_eval_accumulator = batched_eval_round_acc; } } diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp index e39b61292a3d..746b804a18ea 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp @@ -99,14 +99,15 @@ template class ShpleminiVerifier_ { public: template - static BatchOpeningClaim compute_batch_opening_claim(const Fr N, - RefSpan unshifted_commitments, - RefSpan shifted_commitments, - RefSpan unshifted_evaluations, - RefSpan shifted_evaluations, - const std::vector& multivariate_challenge, - const Commitment& g1_identity, - const std::shared_ptr& transcript) + static BatchOpeningClaim compute_batch_opening_claim( + const Fr N, + RefSpan unshifted_commitments, + RefSpan shifted_commitments, + RefSpan unshifted_evaluations, + RefSpan shifted_evaluations, + [[maybe_unused]] const std::vector& multivariate_challenge, + const Commitment& g1_identity, + const std::shared_ptr& transcript) { // Extract log_circuit_size @@ -198,7 +199,7 @@ template class ShpleminiVerifier_ { multivariate_challenge, gemini_eval_challenge_powers, gemini_evaluations); - // - Add A₀(r)/(z−r) to the constant term accumulator + // // - Add A₀(r)/(z−r) to the constant term accumulator constant_term_accumulator += a_0_pos * inverse_vanishing_evals[0]; // Add A₀(−r)/(z+r) to the constant term accumulator constant_term_accumulator += gemini_evaluations[0] * shplonk_batching_challenge * inverse_vanishing_evals[1]; @@ -325,41 +326,40 @@ template class ShpleminiVerifier_ { * @param scalars Output vector where the computed scalars will be stored. * @param constant_term_accumulator The accumulator for the summands of the constant term. */ - static void batch_gemini_claims_received_from_prover(const size_t log_circuit_size, - const std::vector& fold_commitments, - const std::vector& gemini_evaluations, - const std::vector& inverse_vanishing_evals, - const Fr& shplonk_batching_challenge, - std::vector& commitments, - std::vector& scalars, - Fr& constant_term_accumulator) + static void batch_gemini_claims_received_from_prover( + const size_t log_circuit_size, + const std::vector& fold_commitments, + const std::vector& gemini_evaluations, + [[maybe_unused]] const std::vector& inverse_vanishing_evals, + const Fr& shplonk_batching_challenge, + std::vector& commitments, + std::vector& scalars, + Fr& constant_term_accumulator) { // Initialize batching challenge as ν² Fr current_batching_challenge = shplonk_batching_challenge.sqr(); for (size_t j = 0; j < CONST_PROOF_SIZE_LOG_N - 1; ++j) { - bool is_dummy_round = j >= (log_circuit_size - 1); // Compute the scaling factor (ν²⁺ⁱ) / (z + r²⁽ⁱ⁺²⁾) for i = 0, … , d-2 Fr scaling_factor = current_batching_challenge * inverse_vanishing_evals[j + 2]; + // Add Aᵢ(−r²ⁱ) for i = 1, … , n-1 to the constant term accumulator + constant_term_accumulator += scaling_factor * gemini_evaluations[j + 1]; + + // Update the batching challenge + current_batching_challenge *= shplonk_batching_challenge; + if constexpr (Curve::is_stdlib_type) { auto builder = shplonk_batching_challenge.get_context(); // TODO(https://github.com/AztecProtocol/barretenberg/issues/1114): insecure! - stdlib::bool_t dummy_round = stdlib::bool_t(builder, is_dummy_round); + stdlib::bool_t dummy_round = stdlib::witness_t(builder, j >= (log_circuit_size - 1)); Fr zero = Fr(0); - zero.convert_constant_to_fixed_witness(builder); scaling_factor = Fr::conditional_assign(dummy_round, zero, scaling_factor); } else { - if (is_dummy_round) { + if (j >= (log_circuit_size - 1)) { scaling_factor = 0; } } - - // Add Aᵢ(−r²ⁱ) for i = 1, … , n-1 to the constant term accumulator - constant_term_accumulator += scaling_factor * gemini_evaluations[j + 1]; - // Update the batching challenge - current_batching_challenge *= shplonk_batching_challenge; - // Place the scaling factor to the 'scalars' vector scalars.emplace_back(-scaling_factor); // Move com(Aᵢ) to the 'commitments' vector diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp index c5b4d8334b02..fa8deca2a6a9 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp @@ -285,24 +285,9 @@ template class ShplonkVerifier_ { std::vector inverted_denominators; inverted_denominators.reserve(num_gemini_claims); inverted_denominators.emplace_back((shplonk_eval_challenge - gemini_eval_challenge_powers[0]).invert()); - size_t i = 0; for (const auto& gemini_eval_challenge_power : gemini_eval_challenge_powers) { - bool is_dummy_round = i > num_gemini_claims; Fr round_inverted_denominator = (shplonk_eval_challenge + gemini_eval_challenge_power).invert(); - if constexpr (Curve::is_stdlib_type) { - auto builder = shplonk_eval_challenge.get_context(); - // TODO(https://github.com/AztecProtocol/barretenberg/issues/1114): insecure! - stdlib::bool_t dummy_round = stdlib::bool_t(builder, is_dummy_round); - Fr zero = Fr(0); - zero.convert_constant_to_fixed_witness(builder); - round_inverted_denominator = Fr::conditional_assign(dummy_round, zero, round_inverted_denominator); - } else { - if (is_dummy_round) { - round_inverted_denominator = 0; - } - } inverted_denominators.emplace_back(round_inverted_denominator); - i++; } return inverted_denominators; } From 2f86a498e67b81046fbe133922715d17bf0e80ee Mon Sep 17 00:00:00 2001 From: maramihali Date: Mon, 30 Sep 2024 14:57:13 +0000 Subject: [PATCH 28/31] figure out proof sizes --- barretenberg/cpp/src/barretenberg/bb/main.cpp | 1 + .../commitment_schemes/gemini/gemini.hpp | 2 +- .../zeromorph/zeromorph.hpp | 1 - .../ultra_honk/ultra_transcript.test.cpp | 1 + .../verify_honk_proof/Prover.toml | 577 +----------------- .../verify_honk_proof/src/main.nr | 2 +- 6 files changed, 7 insertions(+), 577 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/bb/main.cpp b/barretenberg/cpp/src/barretenberg/bb/main.cpp index cadf836cc536..1d902ca51b7d 100644 --- a/barretenberg/cpp/src/barretenberg/bb/main.cpp +++ b/barretenberg/cpp/src/barretenberg/bb/main.cpp @@ -1099,6 +1099,7 @@ void prove_honk(const std::string& bytecodePath, const std::string& witnessPath, // Construct Honk proof Prover prover = compute_valid_prover(bytecodePath, witnessPath); auto proof = prover.construct_proof(); + info(proof.size()); // TODO(https://github.com/AztecProtocol/barretenberg/issues/1093): As the Smart contract doesn't verify the PCS and // Shplemini is not constant size, we slice the proof up to sumcheck so calculation of public inputs is correct. // This hack will be subsequently removed. diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp index 53173de9ea98..d8fa2ab6e54c 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp @@ -275,7 +275,7 @@ template class GeminiVerifier_ { Fr::conditional_assign(dummy_round, batched_eval_accumulator, batched_eval_round_acc); } else { - if (l < num_variables) { + if (l <= num_variables) { batched_eval_accumulator = batched_eval_round_acc; } } diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp index e7a59d8b3a01..33bfade2b354 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp @@ -527,7 +527,6 @@ template class ZeroMorphVerifier_ { if constexpr (Curve::is_stdlib_type) { auto builder = x_challenge.get_context(); FF zero = FF(0); - zero.convert_constant_to_fixed_witness(builder); stdlib::bool_t dummy_round = stdlib::witness_t(builder, is_dummy_round); // TODO(https://github.com/AztecProtocol/barretenberg/issues/1039): is it kosher to reassign like this? scalar = FF::conditional_assign(dummy_round, zero, scalar); diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_transcript.test.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_transcript.test.cpp index 147db031eadd..5f6cee1b5ec5 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_transcript.test.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_transcript.test.cpp @@ -146,6 +146,7 @@ TEST_F(UltraTranscriptTests, ProverManifestConsistency) auto proving_key = std::make_shared(builder); UltraProver prover(proving_key); auto proof = prover.construct_proof(); + info(proof.size()); // Check that the prover generated manifest agrees with the manifest hard coded in this suite auto manifest_expected = construct_ultra_honk_manifest(); diff --git a/noir/noir-repo/test_programs/execution_success/verify_honk_proof/Prover.toml b/noir/noir-repo/test_programs/execution_success/verify_honk_proof/Prover.toml index debcf3abf867..45a84c26eb84 100644 --- a/noir/noir-repo/test_programs/execution_success/verify_honk_proof/Prover.toml +++ b/noir/noir-repo/test_programs/execution_success/verify_honk_proof/Prover.toml @@ -1,575 +1,4 @@ key_hash = "0x0000000000000000000000000000000000000000000000000000000000000000" -proof = [ - "0x0000000000000000000000000000000000000000000000000000000000000040", - "0x0000000000000000000000000000000000000000000000000000000000000011", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x0000000000000000000000000000000000000000000000042ab5d6d1986846cf", - "0x00000000000000000000000000000000000000000000000b75c020998797da78", - "0x0000000000000000000000000000000000000000000000005a107acb64952eca", - "0x000000000000000000000000000000000000000000000000000031e97a575e9d", - "0x00000000000000000000000000000000000000000000000b5666547acf8bd5a4", - "0x00000000000000000000000000000000000000000000000c410db10a01750aeb", - "0x00000000000000000000000000000000000000000000000d722669117f9758a4", - "0x000000000000000000000000000000000000000000000000000178cbf4206471", - "0x000000000000000000000000000000000000000000000000e91b8a11e7842c38", - "0x000000000000000000000000000000000000000000000007fd51009034b3357f", - "0x000000000000000000000000000000000000000000000009889939f81e9c7402", - "0x0000000000000000000000000000000000000000000000000000f94656a2ca48", - "0x000000000000000000000000000000000000000000000006fb128b46c1ddb67f", - "0x0000000000000000000000000000000000000000000000093fe27776f50224bd", - "0x000000000000000000000000000000000000000000000004a0c80c0da527a081", - "0x0000000000000000000000000000000000000000000000000001b52c2020d746", - "0x0000000000000000000000000000005a9bae947e1e91af9e4033d8d6aa6ed632", - "0x000000000000000000000000000000000025e485e013446d4ac7981c88ba6ecc", - "0x000000000000000000000000000000ff1e0496e30ab24a63b32b2d1120b76e62", - "0x00000000000000000000000000000000001afe0a8a685d7cd85d1010e55d9d7c", - "0x000000000000000000000000000000b0804efd6573805f991458295f510a2004", - "0x00000000000000000000000000000000000c81a178016e2fe18605022d5a8b0e", - "0x000000000000000000000000000000eba51e76eb1cfff60a53a0092a3c3dea47", - "0x000000000000000000000000000000000022e7466247b533282f5936ac4e6c15", - "0x00000000000000000000000000000071b1d76edf770edff98f00ff4deec264cd", - "0x00000000000000000000000000000000001e48128e68794d8861fcbb2986a383", - "0x000000000000000000000000000000d3a2af4915ae6d86b097adc377fafda2d4", - "0x000000000000000000000000000000000006359de9ca452dab3a4f1f8d9c9d98", - "0x0000000000000000000000000000006cf7dd96d7636fda5953191b1ad776d491", - "0x00000000000000000000000000000000001633d881a08d136e834cb13a28fcc6", - "0x00000000000000000000000000000001254956cff6908b069fca0e6cf1c47eb1", - "0x000000000000000000000000000000000006f4d4dd3890e997e75e75886bf8f7", - "0x0000000000000000000000000000006cf7dd96d7636fda5953191b1ad776d491", - "0x00000000000000000000000000000000001633d881a08d136e834cb13a28fcc6", - "0x00000000000000000000000000000001254956cff6908b069fca0e6cf1c47eb1", - "0x000000000000000000000000000000000006f4d4dd3890e997e75e75886bf8f7", - "0x000000000000000000000000000000f968b227a358a305607f3efc933823d288", - "0x00000000000000000000000000000000000eaf8adb390375a76d95e918b65e08", - "0x000000000000000000000000000000bb34b4b447aae56f5e24f81c3acd6d547f", - "0x00000000000000000000000000000000002175d012746260ebcfe339a91a81e1", - "0x00000000000000000000000000000052eebbd1f6f7554e837f60c44000ed14b6", - "0x00000000000000000000000000000000001c1c045a3ec94b8801f2272cc0b3f4", - "0x0000000000000000000000000000004d2ef74134578f6b431a9df071ffca4292", - "0x0000000000000000000000000000000000291326ade7aa6f0dfc8900eab5580b", - "0x0000000000000000000000000000002433eec6418a6dba820c9527e2581fc8bc", - "0x00000000000000000000000000000000000e88b7daad19af2ac2f9bdf9e50ee2", - "0x000000000000000000000000000000dcfce2c427155cc3e4d035735d3dd5ece8", - "0x00000000000000000000000000000000002d7d473cac1a15d0fee8b22c1a7b3e", - "0x23fb9503f571d567261006e2ca8b4326d325820140b488bb71617583602f4e3e", - "0x0c68b96eebbfcac292403ed3b6f61536550e66473904e7d5d28080108fd0b1c3", - "0x08d3bdbefd6d437c50fb9e3e3861913433e76577a18d81aa0ea4b8843e55f9ae", - "0x08f6173fe87b72da6d821a496eb99b0cfe0ccadcffd25e5a3b718d83ff9adb1a", - "0x1e6bd0a24c2cc58c93cf255cc68dd0c57299c99fd934267906b34facb0145cf4", - "0x1175996557630bc376d38636f72b277cb8d54a969a39988a7e78f464c03eaeda", - "0x03c3bd1f43baf44de0d9bf0f474c5df04b182214d57a196a717aef8868f9948c", - "0x27306ffc7a96c8c27c9812d9dfa649ab6897b69125939aabe814e07d105daa32", - "0x0c7f0b70aa08158e55bb39471609782656793ac76a03f2b64dcd135e6542592c", - "0x03885b9eff8dac38a64779e3aba31f18c74166892cef9c5081ab57f6daf59865", - "0x18dd8385333838c514fd11f36469c88e7ea5f6440aee17fa93c0f03c765d4ced", - "0x08ad5bc6c05ecc9ae0d8f0b3196f229a53dbe753f41c12c52045c40e7d8220cc", - "0x2f308380f90378084075f2bafa73228b17cbdfc2d693f9aaa1e5089557d0f32e", - "0x2d3407e6de05e5935a31037c3db88069d0c41ec86cc8dda815048d6ce76f7a5f", - "0x108c231f660e75f209201507a2dba6fccf99734ad91db8ecea675275afdf3ce1", - "0x0e68df40e8c467a617229ab0f1dc0d4a04254492e709333d623c0963518dd6b4", - "0x290650614292eec7c4f26fd402a047298f1a618dc8ff7de615752f737df7d515", - "0x0de290891aaf146fd890a3cd5c25025113df2ec4d0a134513a2f397eaf4e3ea9", - "0x25521f6f658bd20d9aaa8041164509b7b8d96fc5ef385f6eb6582375d1a86168", - "0x0e9ab2f2f06220644c41fb09456d91751c522b015622f30568e66457f647a2bc", - "0x28364f88f1e9c7d8e7767a3b954c5daa29223d646279930b34da51351dc01992", - "0x0560c214728aacc262eeee0037be142d81aec26a1f5a9cf0606c4236ed344aa8", - "0x1faea1662601fa01ad93d160277a1c81f2c60a761b74660f24a596ec8cb783e7", - "0x0e703bb7bbf3a8bb8211715d86a1becb7aa3271f51d6001d5d3042faa7465df9", - "0x0cc5b499ea9d9cbae4a0e33a5b601a7f7b686d6980dc0dd5bae4382a8ab1c7c7", - "0x27fae143a80a37af95a47d5953096eef9b1127b5475480b8a6ecebdb00a65e23", - "0x02cdf7c51d9182fbe07e7768ed0fcfe452ef70fc2ac87dc38fc0d4137bdf4aec", - "0x14838df5a54d57d0a28b0375107bb7e7e7259c576a08ea39db6af8b0341d2911", - "0x1b1fb0b1242e17beebb218c4ec88c830accea9bc93deec6d087d36d4d8de31fd", - "0x1a8c0bdf35e674aa37118f5ad7fe6b62c65d8502e9697b3a92dfda8a1923d110", - "0x2819aaa537cf012ceb48a8c8036b6fee492eeeef6698dcf8e3bc825d71efa3f8", - "0x1ceedf534535a0d2a427b2ceeb3c8878a658b80eaf5210dbc0d32888fe3d05a7", - "0x25c96dba803387eb5f3562785bc3bccddb7c9eb019bd4b07dd4563f77965c00c", - "0x0353f3ff0f4f3da362b11eac12167dcbc9b3c76fb555f7e5534c14bb4c3f8037", - "0x2904e33424ad29d38bda66a50b54a67acdf09be06a068ddc09d5eabdf9c2a9e5", - "0x0b28534bf4b58e7f46c4a7514f3b521dd47bbac2a3adf09387baf19ec8df39c5", - "0x1628b67c5d7b8c4cb5d8cdd2d0fd1d92bea3bfcf490fba7f16447cb686d7a388", - "0x151bde642447aaf993e737329a3b81c6e243eecbe6a7bb43cdb8ffe74b2c0484", - "0x07b319f585e9a9a3883deaddd9b0f43c844cbc7477636034f1543ce9f98821bf", - "0x2c8738d76925012cc029f5b888be3cae165daa6beb22b5d73f017c918d891c34", - "0x118fff7a26b04a6476c21267a3a4e96247640f6eabd05a05f1a94f881c6ee32b", - "0x081d82e0808b6d444b03e1d722375adef2659d5914faa3d9ca4cb12c912be257", - "0x18426c5ff5a3140f19bdc05e247cc05e1f70e1ea482b2a2b21f4930a494d7a61", - "0x296babb7c6a72783d92bc3dee7f90a97302d64a518faeec0f42af4f599ccc0d1", - "0x03337dd83835a2e9fe02c97056360eec725d55b01f039663108939f0333dba11", - "0x11a796e7e6f1081be5aad42b475dc224f9547769bc6b358af63207fe0d324a4a", - "0x2419618a28070cb7af904460207371f5ff9fa0939f6a0148add60ede530b0f14", - "0x004d323457b070f3f41a4ce1ad5a867b3dea1a592bccb40c4d69c8521d9682b6", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x2d6ba30a2a23364900cf52019e2d19574813fe4922763a4e281c58c400ffce14", - "0x06a0c085375f88283bedf3a1fc76ef35490655f372e2a985842a9375383b69d7", - "0x219b78e5cf2ab2e35edfc8e40362062081a24ff4e9c9d15afa254c2a02d6d4e2", - "0x182f29b047e6167c338c36d31685a825c66f327336545c623e7a6bd18e4fa97f", - "0x1686460e2586e702724b9daf02315a33ddf5cbd275cfadbc3858f9ef3fe97133", - "0x2183aaf585ac708b4000a5b88cf5a767356677087133bd90fff1c3e030b91f1e", - "0x27dfa9c69d03c7776fecac8e0f56162caa95f44692cdae91f5b52dfc97eb9006", - "0x10a9959de8c6d238c6c6dd68274cc9fc5b6d66759938638072d71659a2fe210d", - "0x0e179d6215630fdd7d50362ade21893456d4b9a693e96152d9a6bac6518d4605", - "0x0175b579d4e3b24eb0a319a6c79756c8a68ce2c1e0d0d8d1593d685125fbfb66", - "0x1132bd3d531944f5024f2705d39b13e00ae90c246f6550c745234fd3d080712b", - "0x1f2326f3955b431f2a17e937128b890aa366b107b69c61b8b45832fd06ce9e4e", - "0x13576e6c03c3f2042c56113991821ec1f9dec46b6b0ff2748e037c94e6656c40", - "0x00bb713034ce9d247110149e2a1754dc76f3ad700d420508148060091037477a", - "0x25fb93286a48dc64c67ffac9e3f4a96b6c70bb87744e10e44a782117f8f537a0", - "0x191227cd5e49d8a6b5aca93888b3286b41069df547e4bd91ffe65e48ab45b2a8", - "0x120d4ac764ca4db67357140c8a8dd1523c013f747250a03a6130416669b087e1", - "0x131cc1285b242d73eee36b79ccb3024525ae3caf0f91981cb89ec8d81b16a198", - "0x0cacfa5aa1bc4624d5d476aced4d4c8026fb881679172dbc482d18772bc28c9f", - "0x0e138279e8a4fe06018e9b9e649921500766e7a7afcc971f41732aa51ec31a43", - "0x000000000000000000000000000000332f935a88cd2cc8a138d5ff2efe4cdec8", - "0x0e1c2af7515e65c7ebced1a37faf4dbeef5c414f5601219d00d3844658b05a61", - "0x12aff8e8eed2d2946c91652d448240590690672893b4759cdd31e1ec9ea45138", - "0x1e89f396af25e81f9c4b3af2b0a15fd961789f3a8aa60edbdc4e8f2dfb610375", - "0x29c05199f808bf38009ee7fa3c82b6aa5e3d65f180f49d4564c4bf6918399461", - "0x019ce7ac46f4e5f1d4ce2d3866321506cea78ff5e5fe400d83b0395341cfe5d5", - "0x20b40d1a69e62e7eecbf490915e2791975d3bca30859f237c56c4486e1fbb441", - "0x243f7e62233a1f80ee17978814d7ab095bcc416d6bcee4583ce1167c7206b7b4", - "0x0b6067a921e8d87bc8fd1af67382fbe2a27bcc833effa13fd7d85b5458d71e28", - "0x30307a6766be04f3c50378d1b83f2e147e2ceef344d0c60e1abf939d29c26e27", - "0x004c0ec19588b920084d00c6bfe0af4dbf83ca101eac5d833cb8191fe1c298b4", - "0x00da79a40286bd8d3993b331a72f8195c7ba04bd863d1afd469bb094e29cc7d9", - "0x115b70a2c50ee9abc28472ba8e820cfba158113a5a39c8e31817c84182d0503a", - "0x09341d5c4b6d85bde38834a418a8ca375592c320c669bdd540c7ccee760f2ea1", - "0x09341d5c4b6d85bde38834a418a8ca375592c320c669bdd540c7ccee760f2ea1", - "0x0e63e927a9562ce0914fcd8892dff9a94ac722365ce21b8f5c75cc560b364e57", - "0x05cf84989894e741a3e1cd815a8f84febfb08e61ee7b424c902fb02ca7d12e95", - "0x1f958ad88d5e4a270f35e534154e7a519c5bbfab36d5084202d5b78baf63e09e", - "0x21f0a33450db8821c2f8d042aae7e70bf05c9814b063e73c5e95f8ddba515a81", - "0x2767a30fa0351c7deb2c8f542ecace4c41c1d136dd460dfad50b372f2a5f4b71", - "0x137ee4ebfbc7227bf57ffc35d3368dd4f96c62911db9380aafa220d061c3b59d", - "0x111515d3566611192f64e1e0848635ca6d7f73d8039d8b3522da1e2359e6d1b2", - "0x2f6284e905c491b8defe4c467b2e664e2fbf144b5ca45e05c4a9d1aa8d41e149", - "0x1e688ca09721459cd96d6af042716567a8f5fdb479f08ff9eff248c6013315a4", - "0x00000000000000000000000000000015207c89ecabf752a46c0d5b8dbd296d86", - "0x0000000000000000000000000000000000286c2b4d49249737816da8fd9f2753", - "0x0000000000000000000000000000002492e649af820ca5d83e59823126c03bfb", - "0x00000000000000000000000000000000001cdf1b636e33bf02a813687147476e", - "0x000000000000000000000000000000b49023689f96212b8166d0c9b105e6df9a", - "0x00000000000000000000000000000000000d9d27730e57d86079464ecd8d9edd", - "0x0000000000000000000000000000005292b5583bd716a723bae47d344d655528", - "0x000000000000000000000000000000000026651dba1a1074382c734163ab3614", - "0x0000000000000000000000000000008984f01bc1f237c72fd6d2bb10cc21eb85", - "0x00000000000000000000000000000000001029818de60ae9bb21ac2b5d5a4c97", - "0x0000000000000000000000000000003aca28da52679f34e33756dfe00f1d8072", - "0x0000000000000000000000000000000000124ecac53af720c02d18f54fd29100", - "0x000000000000000000000000000000d09ed1c104d0397f046d89b8476f47e641", - "0x00000000000000000000000000000000002c5094b27ad41c8a203b16dc74ee54", - "0x000000000000000000000000000000bf8609068d29793771eb3f64e7dc3db96d", - "0x0000000000000000000000000000000000225e220e16aedaecf2c10de6e41042", - "0x0000000000000000000000000000006ae4f0d8baca7866ad4632141f90770cd7", - "0x0000000000000000000000000000000000256cb979ab5bbe98be3a413ae8f246", - "0x000000000000000000000000000000891f30bd3ac8e7e63e00db4951d518822f", - "0x000000000000000000000000000000000014dffca5d842acfcd23fa491a7dae2", - "0x000000000000000000000000000000af99905ea5b7a25f2172f044a59b90e67d", - "0x00000000000000000000000000000000001e35bb78e382a5b98ad04b846df528", - "0x0000000000000000000000000000003cfb75469b791ea188b8dfdff0f269e7b5", - "0x00000000000000000000000000000000000e4fb9eb44a3d44d808794066f8811", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000002", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000002", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000002", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000002", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000002", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000002", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000002", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000002", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000002", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000002", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000002", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000002", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000002", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000002", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000002", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000002", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000002", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000002", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000002", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000002", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000002", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000002", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x000000000000000000000000000000c42f38f2993af03e18e76996c49f945c6a", - "0x00000000000000000000000000000000002aefe820f0e4700abedd9fb6f046c1", - "0x0000000000000000000000000000007a878e53414bf22854877c5066eaf916b8", - "0x00000000000000000000000000000000001410a75247434da28c1ba6b64703bb", - "0x000000000000000000000000000000bca902c1e2af8b47771e7eb42c3870f46b", - "0x0000000000000000000000000000000000276eb602c3c232b51668d229d602b8", - "0x000000000000000000000000000000dac1254c0753ee39d49d795bc6b3550ba7", - "0x000000000000000000000000000000000007d60be9174146bd83f202aa062b92", -] -public_inputs = [ - "0x0000000000000000000000000000000000000000000000000000000000000003", -] -verification_key = [ - "0x0000000000000000000000000000000000000000000000000000000000000040", - "0x0000000000000000000000000000000000000000000000000000000000000011", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x0000000000000000000000000000000000000000000000000000000000000002", - "0x0000000000000000000000000000000000000000000000000000000000000003", - "0x0000000000000000000000000000000000000000000000000000000000000004", - "0x0000000000000000000000000000000000000000000000000000000000000005", - "0x0000000000000000000000000000000000000000000000000000000000000006", - "0x0000000000000000000000000000000000000000000000000000000000000007", - "0x0000000000000000000000000000000000000000000000000000000000000008", - "0x0000000000000000000000000000000000000000000000000000000000000009", - "0x000000000000000000000000000000000000000000000000000000000000000a", - "0x000000000000000000000000000000000000000000000000000000000000000b", - "0x000000000000000000000000000000000000000000000000000000000000000c", - "0x000000000000000000000000000000000000000000000000000000000000000d", - "0x000000000000000000000000000000000000000000000000000000000000000e", - "0x000000000000000000000000000000000000000000000000000000000000000f", - "0x0000000000000000000000000000000000000000000000000000000000000010", - "0x00000000000000000000000000000060e430ad1c23bfcf3514323aae3f206e84", - "0x00000000000000000000000000000000001b5c3ff4c2458d8f481b1c068f27ae", - "0x000000000000000000000000000000bb510ab2112def34980e4fc6998ad9dd16", - "0x00000000000000000000000000000000000576e7c105b43e061e13cb877fefe1", - "0x000000000000000000000000000000ced074785d11857b065d8199e6669a601c", - "0x00000000000000000000000000000000000053b48a4098c1c0ae268f273952f7", - "0x000000000000000000000000000000d1d4b26e941db8168cee8f6de548ae0fd8", - "0x00000000000000000000000000000000001a9adf5a6dadc3d948bb61dfd63f4c", - "0x0000000000000000000000000000009ce1faac6f8de6ebb18f1db17372c82ad5", - "0x00000000000000000000000000000000002002681bb417184b2df070a16a3858", - "0x000000000000000000000000000000161baa651a8092e0e84725594de5aba511", - "0x00000000000000000000000000000000000be0064399c2a1efff9eb0cdcb2223", - "0x0000000000000000000000000000008673be6fd1bdbe980a29d8c1ded54381e7", - "0x000000000000000000000000000000000008a5158a7d9648cf1d234524c9fa0c", - "0x0000000000000000000000000000002b4fce6e4b1c72062b296d49bca2aa4130", - "0x00000000000000000000000000000000002e45a9eff4b6769e55fb710cded44f", - "0x00000000000000000000000000000072b85bf733758b76bcf97333efb85a23e3", - "0x000000000000000000000000000000000017da0ea508994fc82862715e4b5592", - "0x00000000000000000000000000000094fa74695cf058dba8ff35aec95456c6c3", - "0x0000000000000000000000000000000000211acddb851061c24b8f159e832bd1", - "0x000000000000000000000000000000303b5e5c531384b9a792e11702ad3bcab0", - "0x00000000000000000000000000000000000d336dff51a60b8833d5d7f6d4314c", - "0x0000000000000000000000000000009f825dde88092070747180d581c342444a", - "0x0000000000000000000000000000000000237fbd6511a03cca8cac01b555fe01", - "0x0000000000000000000000000000007c313205159495df6d8de292079a4844ff", - "0x000000000000000000000000000000000018facdfc468530dd45e8f7a1d38ce9", - "0x0000000000000000000000000000000d1ce33446fc3dc4ab40ca38d92dac74e1", - "0x00000000000000000000000000000000000852d8e3e0e8f4435af3e94222688b", - "0x0000000000000000000000000000006c04ee19ec1dfec87ed47d6d04aa158de2", - "0x000000000000000000000000000000000013240f97a584b45184c8ec31319b5f", - "0x000000000000000000000000000000cefb5d240b07ceb4be26ea429b6dc9d9e0", - "0x00000000000000000000000000000000002dad22022121d689f57fb38ca21349", - "0x000000000000000000000000000000c9f189f2a91aeb664ce376d8b157ba98f8", - "0x00000000000000000000000000000000002531a51ad54f124d58094b219818d2", - "0x000000000000000000000000000000ef1e6db71809307f677677e62b4163f556", - "0x0000000000000000000000000000000000272da4396fb2a7ee0638b9140e523d", - "0x0000000000000000000000000000002e54c0244a7732c87bc4712a76dd8c83fb", - "0x000000000000000000000000000000000007db77b3e04b7eba9643da57cbbe4d", - "0x000000000000000000000000000000e0dfe1ddd7f74ae0d636c910c3e85830d8", - "0x00000000000000000000000000000000000466fa9b57ec4664abd1505b490862", - "0x0000000000000000000000000000009ee55ae8a32fe5384c79907067cc27192e", - "0x00000000000000000000000000000000000799d0e465cec07ecb5238c854e830", - "0x0000000000000000000000000000001d5910ad361e76e1c241247a823733c39f", - "0x00000000000000000000000000000000002b03f2ccf7507564da2e6678bef8fe", - "0x000000000000000000000000000000ee40d90bea71fba7a412dd61fcf34e8ceb", - "0x0000000000000000000000000000000000140b0936c323fd2471155617b6af56", - "0x0000000000000000000000000000002b90071823185c5ff8e440fd3d73b6fefc", - "0x00000000000000000000000000000000002b6c10790a5f6631c87d652e059df4", - "0x00000000000000000000000000000029a17181c7934fc3fdbd352eac5cb521b9", - "0x00000000000000000000000000000000001f497cbf5284ff29a2d336e5991999", - "0x000000000000000000000000000000072bd9c0c6beda1fdee6d4ff0432ba9e1b", - "0x000000000000000000000000000000000013ea38a0bd2aa751a490a724fac818", - "0x000000000000000000000000000000c599f63dcd3edd49f08ae5c3141c1e3493", - "0x00000000000000000000000000000000002bdb36be0bea09950dd32a8ccf6fbc", - "0x00000000000000000000000000000047f27f29724e7f19eba0340256a0bd4b7d", - "0x00000000000000000000000000000000001c1c5ccf87a962129ca785f8f35120", - "0x000000000000000000000000000000c5c71efdae00679bbe4a95096e012b1817", - "0x000000000000000000000000000000000017a365de041e317817d0135f2b48e0", - "0x0000000000000000000000000000008ae711ac402f7848d719c93a89ba8d39f1", - "0x00000000000000000000000000000000002b6fb40ed8a1935226f4f9786a0499", - "0x0000000000000000000000000000002f03a71501d83de1da5715a4e9462d6198", - "0x00000000000000000000000000000000001644064443b8546f48eae693af47b8", - "0x00000000000000000000000000000083763ab1b6e8fe269b2fe4c7b9c448c08d", - "0x000000000000000000000000000000000021d7cc18c59676a8eeb47c0111c251", - "0x000000000000000000000000000000b5f937153073e03ea7d51a996e0ebc2e6b", - "0x000000000000000000000000000000000011ddd0e26457373eb06e0493177672", - "0x000000000000000000000000000000c5f6eb9f6fc8fa99811a4a88c74a6d018b", - "0x000000000000000000000000000000000025bcd07a0732c123567834f5109558", - "0x000000000000000000000000000000aeb08a0b1a4442189448b4e97490568146", - "0x000000000000000000000000000000000002a1744e4771705536a88f07e0f90f", - "0x000000000000000000000000000000b938568293bd0724b0ea76c2ec34c4a829", - "0x0000000000000000000000000000000000053296e8f3b9ad3af877dfa9c7c2a7", - "0x000000000000000000000000000000f0ca1db6323996eba26bdc86dafef9d10b", - "0x00000000000000000000000000000000001441a46c58af03d5645d52721d956a", - "0x0000000000000000000000000000008bbf8f884013c66c28ba09c2fbd573b656", - "0x0000000000000000000000000000000000206c391ca06fac27d1908e94570243", - "0x0000000000000000000000000000002d4f5aaed88ba4f79612d53b804ca8f194", - "0x00000000000000000000000000000000001674011c96392df08970fa6b7b4cb8", - "0x0000000000000000000000000000009f88297c1729d76c4d9306853598c91325", - "0x0000000000000000000000000000000000256f51adfcacc3c1e340be4d32d3e9", - "0x0000000000000000000000000000000ab9955eec0d74eb799afed2a802b24d75", - "0x00000000000000000000000000000000001fcbe43ea105b30d36ed0b21b03411", - "0x000000000000000000000000000000d66b1d5433f1aa5305cd1edce7c22de466", - "0x00000000000000000000000000000000002331546a256b8a3b751956806680d4", - "0x000000000000000000000000000000e97954ad6cd6f45fb15c91434121db4304", - "0x00000000000000000000000000000000002e20a97e09d50f227ced47e7a98250", - "0x0000000000000000000000000000001ebbc27eb9ebededefba79522eb58ae89b", - "0x0000000000000000000000000000000000090efa4974e566e81d1177b85a30be", - "0x0000000000000000000000000000005eafa070b9c9632404052642e3bc14f9fd", - "0x00000000000000000000000000000000001489068864102daca6a6b8bc4d448b", - "0x0000000000000000000000000000009ebc91aaaac036a6477cadbe54e8556dfd", - "0x00000000000000000000000000000000000ef6d835e2ed3343b95c82c8c54037", - "0x00000000000000000000000000000033b28b529dff46e93af4e7422530478e4a", - "0x000000000000000000000000000000000020a86c2f8591bf190bcddcc03c42fb", - "0x000000000000000000000000000000a9679d0acc088f7dc27bf6d866bcd2dda2", - "0x00000000000000000000000000000000002fb9d0d2d4099402bed74f738f64cc", - "0x00000000000000000000000000000023b09f876a29a061582848a8b9a5870c12", - "0x00000000000000000000000000000000001d5bb906f03f0d49e9c4791bc43af9", - "0x00000000000000000000000000000017aac9854ea240d8ec97bf760c4d4ba870", - "0x00000000000000000000000000000000000b227a556c414ada0dc75bb303e30e", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000002", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000009b624fa65d1a24b7f14a8f25f3789622af", - "0x000000000000000000000000000000000013d47bff8c630e847b70e2732fd3f0", - "0x00000000000000000000000000000061d21663e93132f32921075f4c936a84df", - "0x00000000000000000000000000000000001a74ca4e118fb480b9b999902989a3", -] +proof = ["0x0000000000000000000000000000000000000000000000000000000000000040", "0x0000000000000000000000000000000000000000000000000000000000000011", "0x0000000000000000000000000000000000000000000000000000000000000001", "0x0000000000000000000000000000000000000000000000042ab5d6d1986846cf", "0x00000000000000000000000000000000000000000000000b75c020998797da78", "0x0000000000000000000000000000000000000000000000005a107acb64952eca", "0x000000000000000000000000000000000000000000000000000031e97a575e9d", "0x00000000000000000000000000000000000000000000000b5666547acf8bd5a4", "0x00000000000000000000000000000000000000000000000c410db10a01750aeb", "0x00000000000000000000000000000000000000000000000d722669117f9758a4", "0x000000000000000000000000000000000000000000000000000178cbf4206471", "0x000000000000000000000000000000000000000000000000e91b8a11e7842c38", "0x000000000000000000000000000000000000000000000007fd51009034b3357f", "0x000000000000000000000000000000000000000000000009889939f81e9c7402", "0x0000000000000000000000000000000000000000000000000000f94656a2ca48", "0x000000000000000000000000000000000000000000000006fb128b46c1ddb67f", "0x0000000000000000000000000000000000000000000000093fe27776f50224bd", "0x000000000000000000000000000000000000000000000004a0c80c0da527a081", "0x0000000000000000000000000000000000000000000000000001b52c2020d746", "0x0000000000000000000000000000005a9bae947e1e91af9e4033d8d6aa6ed632", "0x000000000000000000000000000000000025e485e013446d4ac7981c88ba6ecc", "0x000000000000000000000000000000ff1e0496e30ab24a63b32b2d1120b76e62", "0x00000000000000000000000000000000001afe0a8a685d7cd85d1010e55d9d7c", "0x000000000000000000000000000000b0804efd6573805f991458295f510a2004", "0x00000000000000000000000000000000000c81a178016e2fe18605022d5a8b0e", "0x000000000000000000000000000000eba51e76eb1cfff60a53a0092a3c3dea47", "0x000000000000000000000000000000000022e7466247b533282f5936ac4e6c15", "0x00000000000000000000000000000071b1d76edf770edff98f00ff4deec264cd", "0x00000000000000000000000000000000001e48128e68794d8861fcbb2986a383", "0x000000000000000000000000000000d3a2af4915ae6d86b097adc377fafda2d4", "0x000000000000000000000000000000000006359de9ca452dab3a4f1f8d9c9d98", "0x0000000000000000000000000000006cf7dd96d7636fda5953191b1ad776d491", "0x00000000000000000000000000000000001633d881a08d136e834cb13a28fcc6", "0x00000000000000000000000000000001254956cff6908b069fca0e6cf1c47eb1", "0x000000000000000000000000000000000006f4d4dd3890e997e75e75886bf8f7", "0x0000000000000000000000000000006cf7dd96d7636fda5953191b1ad776d491", "0x00000000000000000000000000000000001633d881a08d136e834cb13a28fcc6", "0x00000000000000000000000000000001254956cff6908b069fca0e6cf1c47eb1", "0x000000000000000000000000000000000006f4d4dd3890e997e75e75886bf8f7", "0x000000000000000000000000000000f968b227a358a305607f3efc933823d288", "0x00000000000000000000000000000000000eaf8adb390375a76d95e918b65e08", "0x000000000000000000000000000000bb34b4b447aae56f5e24f81c3acd6d547f", "0x00000000000000000000000000000000002175d012746260ebcfe339a91a81e1", "0x00000000000000000000000000000052eebbd1f6f7554e837f60c44000ed14b6", "0x00000000000000000000000000000000001c1c045a3ec94b8801f2272cc0b3f4", "0x0000000000000000000000000000004d2ef74134578f6b431a9df071ffca4292", "0x0000000000000000000000000000000000291326ade7aa6f0dfc8900eab5580b", "0x0000000000000000000000000000002433eec6418a6dba820c9527e2581fc8bc", "0x00000000000000000000000000000000000e88b7daad19af2ac2f9bdf9e50ee2", "0x000000000000000000000000000000dcfce2c427155cc3e4d035735d3dd5ece8", "0x00000000000000000000000000000000002d7d473cac1a15d0fee8b22c1a7b3e", "0x1a4249b90be4602c8ff40c7c276160ee41b2a0f8a238ce7706e9face2db03d48", "0x162204b9d54d3ffd285c393a5a1ff76ee681474fd780a21a3cf7fac5c24fc2b9", "0x30279eb953d8ee79b2155c69c04e6443c5de6bf7e02886256dd7b3cd3c9502a4", "0x0d32c1bd21baf43e72d5d82d461ef54833807ff81a877adc822f27a6db88d754", "0x0fe15e055c0803d5ebe6dd77689b70cfd82138f008810ce24535c992daaff27d", "0x1fba82c012671212ce2fc13fd09bf8fba4f7d5875ab8d37495d1ccfcff287331", "0x090738a5842fa4d2699b3726aa0dd97cb59569b4be2c6825335ec4969f859dc2", "0x0c6cb72dabbc28abcf4a50c203534e066c29f48c24ca64d672092f263df3f9d7", "0x0f27fbea0d9145f815c288b50fe7e8c10b8185d325b5264624fd57102855d05d", "0x2a815cd3fd1c43c72ee0130465250ff771d1e7be2347e4ada331b83265a03450", "0x148b4ecf2ad7ed17409417086867ee27bc1b0906dbc9cbb3714c285071e2db70", "0x08e700a42b1d6d36ee65f8ebedf47d3a44463ff9fa579dce13b7492e20142c3a", "0x2e23c69521d572ff2152c50f8c9a9191535f4cf37f95f1e0428692e78842b642", "0x14519e0354365923fb41400c19866135b45e975d56a0980260bc99f0390b1d5f", "0x04caded1f05738f736cb5bcf08d785e395e58eb7738523a20638aa16bc51593e", "0x28787eaccd38383215ea21ec02895c32d979f68ca155f534a2e2d377bff6698b", "0x20a1b81fa96c58cf11c5762c5ceb731efdcb081fca2d34d5c463d2cf40e6da18", "0x11789a06fe3bf53833741d180f068d29534d5bb58a5c64b8119542e62b189fb4", "0x23d00fcd032ace719ffcbc513bfa177a55b04377d76455c2788d999d05d011e2", "0x01f0e81b57b4a73cc118e51ede18f8724debf25c2d109db6ef45280f99f1a3fa", "0x156d1c9b61749810de728f259c2c1c1fd4dbff97101426e26087ca461c93307c", "0x1c5d619ac3a478cfd06d5eebfd879960bb321236be173813f5e78d1366d32c69", "0x250cfae4e1dfc551406f1f3d10b649a637dcb7bcb0f6f697994cf96afd35d0c1", "0x242b999f58cf5f53c874d1092bd38725aa9ea076f5bc8f176efa9ea23393874b", "0x2e15748255c4a5e0e9fe38047341b692a967257de27a85a3a38681bc9f1602ea", "0x01ef83886ea7017253699cb6371988eb8e21b4f7023d7479ece4907fe6d4a6fd", "0x08db2dbc271e375b9312f695c59c48f313235b3432cad50921c8d9ad6dd7ad7a", "0x199309f2c2cd45c15a4abb0e6554a1615ff5a6e9488a8d900bbf835fc8f664ef", "0x074be7a3d88e31ab1b59c9208c012bcfb1f85f351c709e68134996891db52b57", "0x301b1011354d2ebf46134fc4d6d734bb6ed8542d719f38f5e09a376a580cad7f", "0x12968f3eccaa27e44f14d5aaac6ecb70c00d040e07536292e685d7cab03fc563", "0x2110a023c8c22fd2ed70270a2d0a265b92a32ce2217ffe1be9a5d7d5c25f512f", "0x1e8cf4c60c53900f0430d5b44de5804fe8b38299bc803beeb4216e1a289cf624", "0x12301cb908ccb28a2616e29b831ec7105b5d3ebf45ff5fe91d50a9dd53a50b52", "0x0f1029ed107d84ff2d6d4a416cbd01da3f3d7bf5b2209ce93ba424f4b85616fc", "0x1b431d016611b8abd684afd9e92331c3325967b1116bfa91d4f44e2f8e2c9fc2", "0x281e335a0fd117064c8ace3f01e02b134a19e9b9220571ebfaaaa0e3a12d34db", "0x22559c106f77e2ae95677d5e38e288343e3b7168371aec7d3aaab9ef8150af70", "0x13f113b1d9b590149cf08c3f6e90589cda5c7b98528866b891256cb9d5d814e7", "0x10252ef388e4c80246962e98b9e976fab2cd25e1e6f1e3fd2a7d4786c5218a97", "0x16b890723dfdebd9912a9207255f95cb800222165b6fae97ec46e461f23e83f3", "0x25caf77c7d2e8e069341ec90f3c8f6d64319cfd2d77cab0625cf0377285ba11c", "0x016c84288b0bc3c50eebbe250cdd5a4ee50b2c65a24ac64d0c930cbdecb95141", "0x20a537c045b069d47dc6315f45b391f60681222381e5059ec7c8b17bf677d911", "0x2594c0edfcd4064d215a3d797bc8e3b2f401c61f3961ae96ccbec8f8fd29e81f", "0x1c831d7047483ca00ed59bdb84c47ffb8bbebbae92aa164c7b35fcffbb8a35d3", "0x2ea7f60de52b8cd6b0bd06f861fc1f2c5ed1d1fbfa53caccdb836400a03df434", "0x275c6c8bd115f7d2ce196439e2330fad305c6745bab0bf1ce3f2fa32dadc3c43", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x2b3f4e210619347288731e7f0eea1ae60dd8696fe87319044864d099a03a9536", "0x0fecd3d2aebedeb8be2b0b7e3a74de9ec8bd2cb72851541463729e0715aef48b", "0x10bee385ad0c2cd3ff88ef4d630840749e4367f9add4a300fc4f545a7778e92c", "0x1fe792730eeafbd22c4eb80e86e2b40108b1e55b2a08db786289eea5745b9e3b", "0x04d411679da432816b213cd5580dda1fd6c2f258684c036be19b5b26baca583c", "0x159f17b655d2b8a803e0cfb564918628be52d3baa950ca1b127854491624f8f4", "0x225340463867d9252a1269013536e2e1dd219aa18eadef13c324b63d44679334", "0x1885e231554e02abb40ed54b72ebf09b883d0298a6bc06fc645a30365f370ef2", "0x233344517f25170972b8ba35d01f2df2e073d322993abce7df26796126e93498", "0x08990e8faa13b18b4433ec417c5cc596885e11ffd372d5f612c08cc79a5d5c80", "0x1e960a0c892b755c28e21dcbed816c1b182d7da43bae07f8ee622bd4485f79e7", "0x27b58e2ee290a179d349ace82752528b2ff946d60c092b99ef42f53c25d0c99f", "0x2a5cf8a3193107d982edd253002c7a52ab876b445dde8307ab78fbdca022d93c", "0x2b1ab4d5277f8c82750c1c7bd043889b71465ec64a9afc1bfa37d06b1ebd0725", "0x2a0dbf5c4373a58a83d5f2a031ea0615bf12800e33b70c3191a7cbb15966ced8", "0x1f272bb4a19d14a0abdfebc9fc83125e10623b9aef730f8d25f2bf5bead38ea9", "0x2c2339cf0ae7aff56091a568c1e2c3f01f52d8ed13400737fd31eaabcaffb9bd", "0x21f5fefe6b5fa0b5da71089befb74a1a39e52b4f830cb330c3c284e154614dfd", "0x1e6f6ba4b2444586b380dc4e2b3fad111ff1f4754420a846f53ea0789ebfb0ad", "0x1193d170b0b2dd0c4a04331a4b4aa3f12920f182ec3ab547837e30f1116ca584", "0x00000000000000000000000000000025704a15c9e2ce8a69558e7bbcdcbc7784", "0x2e5d36112770fb6c985681cafe40a8c99ad13f702309e7969801dd0ed080e727", "0x0eefc2585f591bb457183134e19ad643966272234d645514bf7868d6dd8ae2cb", "0x300803e4e2339ad39b9c31f228949bbeaf9c74b7101e7be1930b088126247eaa", "0x2bb562a50ed944b438b83b01f200101a34faef7f296a75c84c731755ebddbc1a", "0x1288e0b9c742af39cbcac21357c1b29511b0bbdd3d0e3cf5e14b2eef68a28ab3", "0x20f089131cc96d86ff1cfb67fa3f51670f4bad30158751b2587354bbec76cdf9", "0x1a26c6d3e633f9bf8434cf755b5f1217dad0d455071a97a7bcf85b824f5cf07a", "0x0d7e9b8a51fccf910ec25bdbd13e70b34bd6ea6f4d629fa744f9cdf5f2beb1cf", "0x0b40f28ce428e64df9cf5a024133fc420f39decf5f6af020cc3211ab298d4631", "0x0ca4f189dde7a55fe829f46681232904f6670249a22e0deb47222bd309523a8a", "0x2c544f2e31143783977645edb2a6bdb39b875053963bfa1a5b3ae9de204a7ebe", "0x00aae4454eb48fb18ff60db6b9d015abea2e770a2f7d86d121522b834c791ba5", "0x07d74e351fd4cccf4e18475d25211efa8a359066fc693a5c8505ddb507e4b74b", "0x07d74e351fd4cccf4e18475d25211efa8a359066fc693a5c8505ddb507e4b74b", "0x2d9e5bff47207d82533e2445959941181cc890c5779bc7f24d6e8a7b9e425b5c", "0x0aea3c0c317c441a5775a9849108d7a6889b39128235f717b09b184aa08e4eb7", "0x1ca5bc6fb37c55a562f4991901c39902f42d14db71284116df74cb4e7d55e493", "0x220fed26d64cd69f40e6d145a423e4a3c8cd0dce747e7d51647441270ad4d774", "0x15be574c9358889257aa2a30ff7b5fcc31a57da7032296e2c1201c49a44bbdb6", "0x2de539925525bedd3b7f43a9c6bf0f713151a17f79ac7ff4a9cd27b15ffe892a", "0x083086693dbf465211741e2cbff70ff38eb08383faf22d397eb2742c8ad7396a", "0x1fdfa258a890598816e807c50058d7a1462edd5ff196a2eae0f862e454b49aa1", "0x10c434c6daaa8226fa8e3e302123dfdc4455cf68063df518949df5a65a945213", "0x0000000000000000000000000000006472a7874de2c454a4591ed7784df1c104", "0x000000000000000000000000000000000008c46ac53d2c4ad0c26a5d6c790082", "0x0000000000000000000000000000005e422f9cfb8725800de60dfe0a8d4104c0", "0x000000000000000000000000000000000000f10fd4e4de81a0c00073ec91c274", "0x000000000000000000000000000000b20813090eca76bc6aa4a699b1ec8d5d6d", "0x0000000000000000000000000000000000292cc9f8a744eb00e0903c29ce87a7", "0x000000000000000000000000000000350a368b415fbb99fa90a26a42b1a3affd", "0x0000000000000000000000000000000000280eb9275cb05a3435f464d1dc369d", "0x000000000000000000000000000000280df6505e20c7725fe6d29439f96ee05d", "0x000000000000000000000000000000000017ef5033a08535451e2747827aa94b", "0x0000000000000000000000000000002f9ba89ae91b4e4a4ff8ccbd0526faad2f", "0x00000000000000000000000000000000001c2013561dafcc02cb03220bdf23c4", "0x000000000000000000000000000000aac102c400f9e5da0321ded4510994434b", "0x00000000000000000000000000000000001ec8ab9cc834b492fde124962f04a1", "0x0000000000000000000000000000000673dbd698da8b8cce450d2a083aba9987", "0x00000000000000000000000000000000000a49e55bb040249cb41c63cea901cd", "0x000000000000000000000000000000133d92af8d76ee0c74a12081ee7b2ef8c4", "0x0000000000000000000000000000000000240f552d1c6cbb007650e4b142e0a5", "0x000000000000000000000000000000e29c6e7d982ec08d51c79d6261c28d742d", "0x000000000000000000000000000000000021baeec04d9be419c923626034e7b3", "0x0000000000000000000000000000000000000000000000000000000000000001", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000002", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000001", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000002", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000001", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000002", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000001", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000002", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000001", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000002", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000001", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000002", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000001", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000002", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000001", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000002", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000001", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000002", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000001", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000002", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000001", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000002", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000001", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000002", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000001", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000002", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000001", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000002", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000001", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000002", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000001", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000002", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000001", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000002", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000001", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000002", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000001", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000002", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000001", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000002", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000001", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000002", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000001", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000002", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x1e940a528b42d8230e7d4dff76262a80986c0d00b2c02a9bc0559e36212d1547", "0x1ceccf21ac39f70d76ad6f7fe0dcb33b6af04555a0b1959e4714d65925e4e253", "0x096139d757046cdbdb7ee89a95f112f70882a43a46c2f739d9be115dda013420", "0x2f9c8ac67c7825b08eff0e7f7656a671f4c64e5601f2efab35b1b795801eec04", "0x2077e648e1704851cdffd7e6e56311634a7b741bab77ca34d9dff12a6a2bfe99", "0x115d48c4a97aeb3c447a060f9e0d675b0dc7f4a05a3f5776e2f279f3a165d7dc", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x000000000000000000000000000000fd38c45c3ec5b841482a80e3a56ce82555", "0x00000000000000000000000000000000000ad70b03f092f60af3e0ce1bb29d2c", "0x0000000000000000000000000000007a184d5342c90c634c0b1a050f0b97c9fb", "0x0000000000000000000000000000000000271f42abcb3bc1f0332e4b3ca85e1d", "0x0000000000000000000000000000008256322bbe2c1b8cd9d84e5ff6123477f2", "0x000000000000000000000000000000000025cab962761681dd9547f4c78814df", "0x0000000000000000000000000000008c4234510e5825c02b9ac427bcbf8e279a", "0x000000000000000000000000000000000013a14e0d7fc073c44643af38cc5396"] +public_inputs = ["0x0000000000000000000000000000000000000000000000000000000000000003"] +verification_key = ["0x0000000000000000000000000000000000000000000000000000000000000040", "0x0000000000000000000000000000000000000000000000000000000000000011", "0x0000000000000000000000000000000000000000000000000000000000000001", "0x0000000000000000000000000000000000000000000000000000000000000001", "0x0000000000000000000000000000000000000000000000000000000000000001", "0x0000000000000000000000000000000000000000000000000000000000000002", "0x0000000000000000000000000000000000000000000000000000000000000003", "0x0000000000000000000000000000000000000000000000000000000000000004", "0x0000000000000000000000000000000000000000000000000000000000000005", "0x0000000000000000000000000000000000000000000000000000000000000006", "0x0000000000000000000000000000000000000000000000000000000000000007", "0x0000000000000000000000000000000000000000000000000000000000000008", "0x0000000000000000000000000000000000000000000000000000000000000009", "0x000000000000000000000000000000000000000000000000000000000000000a", "0x000000000000000000000000000000000000000000000000000000000000000b", "0x000000000000000000000000000000000000000000000000000000000000000c", "0x000000000000000000000000000000000000000000000000000000000000000d", "0x000000000000000000000000000000000000000000000000000000000000000e", "0x000000000000000000000000000000000000000000000000000000000000000f", "0x0000000000000000000000000000000000000000000000000000000000000010", "0x00000000000000000000000000000060e430ad1c23bfcf3514323aae3f206e84", "0x00000000000000000000000000000000001b5c3ff4c2458d8f481b1c068f27ae", "0x000000000000000000000000000000bb510ab2112def34980e4fc6998ad9dd16", "0x00000000000000000000000000000000000576e7c105b43e061e13cb877fefe1", "0x000000000000000000000000000000ced074785d11857b065d8199e6669a601c", "0x00000000000000000000000000000000000053b48a4098c1c0ae268f273952f7", "0x000000000000000000000000000000d1d4b26e941db8168cee8f6de548ae0fd8", "0x00000000000000000000000000000000001a9adf5a6dadc3d948bb61dfd63f4c", "0x0000000000000000000000000000009ce1faac6f8de6ebb18f1db17372c82ad5", "0x00000000000000000000000000000000002002681bb417184b2df070a16a3858", "0x000000000000000000000000000000161baa651a8092e0e84725594de5aba511", "0x00000000000000000000000000000000000be0064399c2a1efff9eb0cdcb2223", "0x0000000000000000000000000000008673be6fd1bdbe980a29d8c1ded54381e7", "0x000000000000000000000000000000000008a5158a7d9648cf1d234524c9fa0c", "0x0000000000000000000000000000002b4fce6e4b1c72062b296d49bca2aa4130", "0x00000000000000000000000000000000002e45a9eff4b6769e55fb710cded44f", "0x00000000000000000000000000000072b85bf733758b76bcf97333efb85a23e3", "0x000000000000000000000000000000000017da0ea508994fc82862715e4b5592", "0x00000000000000000000000000000094fa74695cf058dba8ff35aec95456c6c3", "0x0000000000000000000000000000000000211acddb851061c24b8f159e832bd1", "0x000000000000000000000000000000303b5e5c531384b9a792e11702ad3bcab0", "0x00000000000000000000000000000000000d336dff51a60b8833d5d7f6d4314c", "0x0000000000000000000000000000009f825dde88092070747180d581c342444a", "0x0000000000000000000000000000000000237fbd6511a03cca8cac01b555fe01", "0x0000000000000000000000000000007c313205159495df6d8de292079a4844ff", "0x000000000000000000000000000000000018facdfc468530dd45e8f7a1d38ce9", "0x0000000000000000000000000000000d1ce33446fc3dc4ab40ca38d92dac74e1", "0x00000000000000000000000000000000000852d8e3e0e8f4435af3e94222688b", "0x0000000000000000000000000000006c04ee19ec1dfec87ed47d6d04aa158de2", "0x000000000000000000000000000000000013240f97a584b45184c8ec31319b5f", "0x000000000000000000000000000000cefb5d240b07ceb4be26ea429b6dc9d9e0", "0x00000000000000000000000000000000002dad22022121d689f57fb38ca21349", "0x000000000000000000000000000000c9f189f2a91aeb664ce376d8b157ba98f8", "0x00000000000000000000000000000000002531a51ad54f124d58094b219818d2", "0x000000000000000000000000000000ef1e6db71809307f677677e62b4163f556", "0x0000000000000000000000000000000000272da4396fb2a7ee0638b9140e523d", "0x0000000000000000000000000000002e54c0244a7732c87bc4712a76dd8c83fb", "0x000000000000000000000000000000000007db77b3e04b7eba9643da57cbbe4d", "0x000000000000000000000000000000e0dfe1ddd7f74ae0d636c910c3e85830d8", "0x00000000000000000000000000000000000466fa9b57ec4664abd1505b490862", "0x0000000000000000000000000000009ee55ae8a32fe5384c79907067cc27192e", "0x00000000000000000000000000000000000799d0e465cec07ecb5238c854e830", "0x0000000000000000000000000000001d5910ad361e76e1c241247a823733c39f", "0x00000000000000000000000000000000002b03f2ccf7507564da2e6678bef8fe", "0x000000000000000000000000000000ee40d90bea71fba7a412dd61fcf34e8ceb", "0x0000000000000000000000000000000000140b0936c323fd2471155617b6af56", "0x0000000000000000000000000000002b90071823185c5ff8e440fd3d73b6fefc", "0x00000000000000000000000000000000002b6c10790a5f6631c87d652e059df4", "0x00000000000000000000000000000029a17181c7934fc3fdbd352eac5cb521b9", "0x00000000000000000000000000000000001f497cbf5284ff29a2d336e5991999", "0x000000000000000000000000000000072bd9c0c6beda1fdee6d4ff0432ba9e1b", "0x000000000000000000000000000000000013ea38a0bd2aa751a490a724fac818", "0x000000000000000000000000000000c599f63dcd3edd49f08ae5c3141c1e3493", "0x00000000000000000000000000000000002bdb36be0bea09950dd32a8ccf6fbc", "0x00000000000000000000000000000047f27f29724e7f19eba0340256a0bd4b7d", "0x00000000000000000000000000000000001c1c5ccf87a962129ca785f8f35120", "0x000000000000000000000000000000c5c71efdae00679bbe4a95096e012b1817", "0x000000000000000000000000000000000017a365de041e317817d0135f2b48e0", "0x0000000000000000000000000000008ae711ac402f7848d719c93a89ba8d39f1", "0x00000000000000000000000000000000002b6fb40ed8a1935226f4f9786a0499", "0x0000000000000000000000000000002f03a71501d83de1da5715a4e9462d6198", "0x00000000000000000000000000000000001644064443b8546f48eae693af47b8", "0x00000000000000000000000000000083763ab1b6e8fe269b2fe4c7b9c448c08d", "0x000000000000000000000000000000000021d7cc18c59676a8eeb47c0111c251", "0x000000000000000000000000000000b5f937153073e03ea7d51a996e0ebc2e6b", "0x000000000000000000000000000000000011ddd0e26457373eb06e0493177672", "0x000000000000000000000000000000c5f6eb9f6fc8fa99811a4a88c74a6d018b", "0x000000000000000000000000000000000025bcd07a0732c123567834f5109558", "0x000000000000000000000000000000aeb08a0b1a4442189448b4e97490568146", "0x000000000000000000000000000000000002a1744e4771705536a88f07e0f90f", "0x000000000000000000000000000000b938568293bd0724b0ea76c2ec34c4a829", "0x0000000000000000000000000000000000053296e8f3b9ad3af877dfa9c7c2a7", "0x000000000000000000000000000000f0ca1db6323996eba26bdc86dafef9d10b", "0x00000000000000000000000000000000001441a46c58af03d5645d52721d956a", "0x0000000000000000000000000000008bbf8f884013c66c28ba09c2fbd573b656", "0x0000000000000000000000000000000000206c391ca06fac27d1908e94570243", "0x0000000000000000000000000000002d4f5aaed88ba4f79612d53b804ca8f194", "0x00000000000000000000000000000000001674011c96392df08970fa6b7b4cb8", "0x0000000000000000000000000000009f88297c1729d76c4d9306853598c91325", "0x0000000000000000000000000000000000256f51adfcacc3c1e340be4d32d3e9", "0x0000000000000000000000000000000ab9955eec0d74eb799afed2a802b24d75", "0x00000000000000000000000000000000001fcbe43ea105b30d36ed0b21b03411", "0x000000000000000000000000000000d66b1d5433f1aa5305cd1edce7c22de466", "0x00000000000000000000000000000000002331546a256b8a3b751956806680d4", "0x000000000000000000000000000000e97954ad6cd6f45fb15c91434121db4304", "0x00000000000000000000000000000000002e20a97e09d50f227ced47e7a98250", "0x0000000000000000000000000000001ebbc27eb9ebededefba79522eb58ae89b", "0x0000000000000000000000000000000000090efa4974e566e81d1177b85a30be", "0x0000000000000000000000000000005eafa070b9c9632404052642e3bc14f9fd", "0x00000000000000000000000000000000001489068864102daca6a6b8bc4d448b", "0x0000000000000000000000000000009ebc91aaaac036a6477cadbe54e8556dfd", "0x00000000000000000000000000000000000ef6d835e2ed3343b95c82c8c54037", "0x00000000000000000000000000000033b28b529dff46e93af4e7422530478e4a", "0x000000000000000000000000000000000020a86c2f8591bf190bcddcc03c42fb", "0x000000000000000000000000000000a9679d0acc088f7dc27bf6d866bcd2dda2", "0x00000000000000000000000000000000002fb9d0d2d4099402bed74f738f64cc", "0x00000000000000000000000000000023b09f876a29a061582848a8b9a5870c12", "0x00000000000000000000000000000000001d5bb906f03f0d49e9c4791bc43af9", "0x00000000000000000000000000000017aac9854ea240d8ec97bf760c4d4ba870", "0x00000000000000000000000000000000000b227a556c414ada0dc75bb303e30e", "0x0000000000000000000000000000000000000000000000000000000000000001", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000000000000000000000000000000000000002", "0x0000000000000000000000000000000000000000000000000000000000000000", "0x0000000000000000000000000000009b624fa65d1a24b7f14a8f25f3789622af", "0x000000000000000000000000000000000013d47bff8c630e847b70e2732fd3f0", "0x00000000000000000000000000000061d21663e93132f32921075f4c936a84df", "0x00000000000000000000000000000000001a74ca4e118fb480b9b999902989a3"] diff --git a/noir/noir-repo/test_programs/execution_success/verify_honk_proof/src/main.nr b/noir/noir-repo/test_programs/execution_success/verify_honk_proof/src/main.nr index 1a07081c4ec5..40559b64c7c7 100644 --- a/noir/noir-repo/test_programs/execution_success/verify_honk_proof/src/main.nr +++ b/noir/noir-repo/test_programs/execution_success/verify_honk_proof/src/main.nr @@ -1,6 +1,6 @@ // This circuit aggregates a single Honk proof from `assert_statement_recursive`. -global SIZE_OF_PROOF_IF_LOGN_IS_28 : u32 = 439; +global SIZE_OF_PROOF_IF_LOGN_IS_28 : u32 = 463; global HONK_IDENTIFIER : u32 = 1; fn main( verification_key: [Field; 128], From ac7a09be26fd520e1deb48fdc1f6e5ecb38ad250 Mon Sep 17 00:00:00 2001 From: maramihali Date: Mon, 30 Sep 2024 16:05:44 +0000 Subject: [PATCH 29/31] change relevant constants --- l1-contracts/src/core/libraries/ConstantsGen.sol | 6 +++--- .../noir-protocol-circuits/crates/types/src/constants.nr | 4 ++-- yarn-project/circuits.js/src/constants.gen.ts | 6 +++--- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/l1-contracts/src/core/libraries/ConstantsGen.sol b/l1-contracts/src/core/libraries/ConstantsGen.sol index 12516f2ff60d..34c98c741112 100644 --- a/l1-contracts/src/core/libraries/ConstantsGen.sol +++ b/l1-contracts/src/core/libraries/ConstantsGen.sol @@ -229,9 +229,9 @@ library Constants { uint256 internal constant LOGS_HASHES_NUM_BYTES_PER_BASE_ROLLUP = 64; uint256 internal constant NUM_MSGS_PER_BASE_PARITY = 4; uint256 internal constant NUM_BASE_PARITY_PER_ROOT_PARITY = 4; - uint256 internal constant RECURSIVE_PROOF_LENGTH = 439; - uint256 internal constant NESTED_RECURSIVE_PROOF_LENGTH = 439; - uint256 internal constant TUBE_PROOF_LENGTH = 439; + uint256 internal constant RECURSIVE_PROOF_LENGTH = 463; + uint256 internal constant NESTED_RECURSIVE_PROOF_LENGTH = 463; + uint256 internal constant TUBE_PROOF_LENGTH = 463; uint256 internal constant VERIFICATION_KEY_LENGTH_IN_FIELDS = 128; uint256 internal constant MEM_TAG_U1 = 1; uint256 internal constant MEM_TAG_U8 = 2; diff --git a/noir-projects/noir-protocol-circuits/crates/types/src/constants.nr b/noir-projects/noir-protocol-circuits/crates/types/src/constants.nr index cbe5021a9a4d..783ba03b953b 100644 --- a/noir-projects/noir-protocol-circuits/crates/types/src/constants.nr +++ b/noir-projects/noir-protocol-circuits/crates/types/src/constants.nr @@ -313,8 +313,8 @@ global NUM_MSGS_PER_BASE_PARITY: u32 = 4; global NUM_BASE_PARITY_PER_ROOT_PARITY: u32 = 4; // Lengths of the different types of proofs in fields -global RECURSIVE_PROOF_LENGTH: u32 = 439; -global NESTED_RECURSIVE_PROOF_LENGTH: u32 = 439; +global RECURSIVE_PROOF_LENGTH: u32= 463; +global NESTED_RECURSIVE_PROOF_LENGTH: u32= 463; global TUBE_PROOF_LENGTH: u32 = RECURSIVE_PROOF_LENGTH; // in the future these can differ global VERIFICATION_KEY_LENGTH_IN_FIELDS: u32 = 128; diff --git a/yarn-project/circuits.js/src/constants.gen.ts b/yarn-project/circuits.js/src/constants.gen.ts index 8888fa967751..23e759d5c3e1 100644 --- a/yarn-project/circuits.js/src/constants.gen.ts +++ b/yarn-project/circuits.js/src/constants.gen.ts @@ -211,9 +211,9 @@ export const L2_TO_L1_MSGS_NUM_BYTES_PER_BASE_ROLLUP = 256; export const LOGS_HASHES_NUM_BYTES_PER_BASE_ROLLUP = 64; export const NUM_MSGS_PER_BASE_PARITY = 4; export const NUM_BASE_PARITY_PER_ROOT_PARITY = 4; -export const RECURSIVE_PROOF_LENGTH = 439; -export const NESTED_RECURSIVE_PROOF_LENGTH = 439; -export const TUBE_PROOF_LENGTH = 439; +export const RECURSIVE_PROOF_LENGTH = 463; +export const NESTED_RECURSIVE_PROOF_LENGTH = 463; +export const TUBE_PROOF_LENGTH = 463; export const VERIFICATION_KEY_LENGTH_IN_FIELDS = 128; export const AVM_VERIFICATION_KEY_LENGTH_IN_FIELDS = 66; export const AVM_PROOF_LENGTH_IN_FIELDS = 3822; From e363839fd26cf5cbfba7fe5aaa772c86f81c8c41 Mon Sep 17 00:00:00 2001 From: maramihali Date: Tue, 1 Oct 2024 10:37:25 +0000 Subject: [PATCH 30/31] fix honk recursion constraint dummy proof --- .../acir_format/honk_recursion_constraint.cpp | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/dsl/acir_format/honk_recursion_constraint.cpp b/barretenberg/cpp/src/barretenberg/dsl/acir_format/honk_recursion_constraint.cpp index 28611d076228..bcf7df01f069 100644 --- a/barretenberg/cpp/src/barretenberg/dsl/acir_format/honk_recursion_constraint.cpp +++ b/barretenberg/cpp/src/barretenberg/dsl/acir_format/honk_recursion_constraint.cpp @@ -94,7 +94,7 @@ void create_dummy_vkey_and_proof(Builder& builder, offset++; } - // first 7 commitments + // first 8 witness commitments for (size_t i = 0; i < Flavor::NUM_WITNESS_ENTITIES; i++) { auto comm = curve::BN254::AffineElement::one() * fr::random_element(); auto frs = field_conversion::convert_to_bn254_frs(comm); @@ -105,20 +105,20 @@ void create_dummy_vkey_and_proof(Builder& builder, offset += 4; } - // now the univariates, which can just be 0s (7*CONST_PROOF_SIZE_LOG_N Frs) + // now the univariates, which can just be 0s (8*CONST_PROOF_SIZE_LOG_N Frs) for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N * Flavor::BATCHED_RELATION_PARTIAL_LENGTH; i++) { builder.assert_equal(builder.add_variable(fr::random_element()), proof_fields[offset].witness_index); offset++; } - // now the sumcheck evaluations, which is just 43 0s + // now the sumcheck evaluations, which is just 44 0s for (size_t i = 0; i < Flavor::NUM_ALL_ENTITIES; i++) { builder.assert_equal(builder.add_variable(fr::random_element()), proof_fields[offset].witness_index); offset++; } - // now the zeromorph commitments, which are CONST_PROOF_SIZE_LOG_N comms - for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N; i++) { + // now the gemini fold commitments which are CONST_PROOF_SIZE_LOG_N - 1 comms + for (size_t i = 1; i < CONST_PROOF_SIZE_LOG_N; i++) { auto comm = curve::BN254::AffineElement::one() * fr::random_element(); auto frs = field_conversion::convert_to_bn254_frs(comm); builder.assert_equal(builder.add_variable(frs[0]), proof_fields[offset].witness_index); @@ -128,7 +128,13 @@ void create_dummy_vkey_and_proof(Builder& builder, offset += 4; } - // lastly the 2 commitments + // the gemini fold evaluations which are also CONST_PROOF_SIZE_LOG_N + for (size_t i = 1; i <= CONST_PROOF_SIZE_LOG_N; i++) { + builder.assert_equal(builder.add_variable(fr::random_element()), proof_fields[offset].witness_index); + offset++; + } + + // lastly the shplonk batched quotient commitment and kzg quotient commitment for (size_t i = 0; i < 2; i++) { auto comm = curve::BN254::AffineElement::one() * fr::random_element(); auto frs = field_conversion::convert_to_bn254_frs(comm); From 6824546bb72615534ace33863e7e711d9eba9e47 Mon Sep 17 00:00:00 2001 From: maramihali Date: Tue, 1 Oct 2024 11:21:40 +0000 Subject: [PATCH 31/31] cleanup --- barretenberg/cpp/src/barretenberg/bb/main.cpp | 1 - .../commitment_schemes/shplonk/shplemini.hpp | 36 +++++++++---------- .../acir_format/honk_recursion_constraint.cpp | 4 +-- .../decider_recursive_verifier.cpp | 3 +- .../ultra_recursive_verifier.cpp | 2 +- .../ultra_recursive_verifier.test.cpp | 9 +---- .../ultra_honk/decider_prover.cpp | 1 - .../ultra_honk/mega_transcript.test.cpp | 5 --- .../ultra_honk/ultra_transcript.test.cpp | 1 - 9 files changed, 22 insertions(+), 40 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/bb/main.cpp b/barretenberg/cpp/src/barretenberg/bb/main.cpp index 1d902ca51b7d..cadf836cc536 100644 --- a/barretenberg/cpp/src/barretenberg/bb/main.cpp +++ b/barretenberg/cpp/src/barretenberg/bb/main.cpp @@ -1099,7 +1099,6 @@ void prove_honk(const std::string& bytecodePath, const std::string& witnessPath, // Construct Honk proof Prover prover = compute_valid_prover(bytecodePath, witnessPath); auto proof = prover.construct_proof(); - info(proof.size()); // TODO(https://github.com/AztecProtocol/barretenberg/issues/1093): As the Smart contract doesn't verify the PCS and // Shplemini is not constant size, we slice the proof up to sumcheck so calculation of public inputs is correct. // This hack will be subsequently removed. diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp index 746b804a18ea..1d5aae300ce3 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp @@ -99,15 +99,14 @@ template class ShpleminiVerifier_ { public: template - static BatchOpeningClaim compute_batch_opening_claim( - const Fr N, - RefSpan unshifted_commitments, - RefSpan shifted_commitments, - RefSpan unshifted_evaluations, - RefSpan shifted_evaluations, - [[maybe_unused]] const std::vector& multivariate_challenge, - const Commitment& g1_identity, - const std::shared_ptr& transcript) + static BatchOpeningClaim compute_batch_opening_claim(const Fr N, + RefSpan unshifted_commitments, + RefSpan shifted_commitments, + RefSpan unshifted_evaluations, + RefSpan shifted_evaluations, + const std::vector& multivariate_challenge, + const Commitment& g1_identity, + const std::shared_ptr& transcript) { // Extract log_circuit_size @@ -199,7 +198,7 @@ template class ShpleminiVerifier_ { multivariate_challenge, gemini_eval_challenge_powers, gemini_evaluations); - // // - Add A₀(r)/(z−r) to the constant term accumulator + // - Add A₀(r)/(z−r) to the constant term accumulator constant_term_accumulator += a_0_pos * inverse_vanishing_evals[0]; // Add A₀(−r)/(z+r) to the constant term accumulator constant_term_accumulator += gemini_evaluations[0] * shplonk_batching_challenge * inverse_vanishing_evals[1]; @@ -326,15 +325,14 @@ template class ShpleminiVerifier_ { * @param scalars Output vector where the computed scalars will be stored. * @param constant_term_accumulator The accumulator for the summands of the constant term. */ - static void batch_gemini_claims_received_from_prover( - const size_t log_circuit_size, - const std::vector& fold_commitments, - const std::vector& gemini_evaluations, - [[maybe_unused]] const std::vector& inverse_vanishing_evals, - const Fr& shplonk_batching_challenge, - std::vector& commitments, - std::vector& scalars, - Fr& constant_term_accumulator) + static void batch_gemini_claims_received_from_prover(const size_t log_circuit_size, + const std::vector& fold_commitments, + const std::vector& gemini_evaluations, + const std::vector& inverse_vanishing_evals, + const Fr& shplonk_batching_challenge, + std::vector& commitments, + std::vector& scalars, + Fr& constant_term_accumulator) { // Initialize batching challenge as ν² diff --git a/barretenberg/cpp/src/barretenberg/dsl/acir_format/honk_recursion_constraint.cpp b/barretenberg/cpp/src/barretenberg/dsl/acir_format/honk_recursion_constraint.cpp index bcf7df01f069..0f6ca3d7b39e 100644 --- a/barretenberg/cpp/src/barretenberg/dsl/acir_format/honk_recursion_constraint.cpp +++ b/barretenberg/cpp/src/barretenberg/dsl/acir_format/honk_recursion_constraint.cpp @@ -105,7 +105,7 @@ void create_dummy_vkey_and_proof(Builder& builder, offset += 4; } - // now the univariates, which can just be 0s (8*CONST_PROOF_SIZE_LOG_N Frs) + // now the univariates, which can just be 0s (8*CONST_PROOF_SIZE_LOG_N Frs, where 8 is the maximum relation degree) for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N * Flavor::BATCHED_RELATION_PARTIAL_LENGTH; i++) { builder.assert_equal(builder.add_variable(fr::random_element()), proof_fields[offset].witness_index); offset++; @@ -117,7 +117,7 @@ void create_dummy_vkey_and_proof(Builder& builder, offset++; } - // now the gemini fold commitments which are CONST_PROOF_SIZE_LOG_N - 1 comms + // now the gemini fold commitments which are CONST_PROOF_SIZE_LOG_N - 1 for (size_t i = 1; i < CONST_PROOF_SIZE_LOG_N; i++) { auto comm = curve::BN254::AffineElement::one() * fr::random_element(); auto frs = field_conversion::convert_to_bn254_frs(comm); diff --git a/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/decider_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/decider_recursive_verifier.cpp index fcc7af811e39..a47470cf5778 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/decider_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/decider_recursive_verifier.cpp @@ -30,8 +30,7 @@ std::array DeciderRecursiveVerifier_:: auto [multivariate_challenge, claimed_evaluations, sumcheck_verified] = sumcheck.verify(accumulator->relation_parameters, accumulator->alphas, accumulator->gate_challenges); - // Execute Shplemini rounds. See https://hackmd.io/dlf9xEwhTQyE3hiGbq4FsA?view for a complete description of the - // unrolled protocol. + // Execute Shplemini rounds. auto opening_claim = Shplemini::compute_batch_opening_claim(accumulator->verification_key->circuit_size, commitments.get_unshifted(), commitments.get_to_be_shifted(), diff --git a/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.cpp index 9e48901af45c..bf1ac000ac91 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.cpp @@ -91,7 +91,7 @@ UltraRecursiveVerifier_::AggregationObject UltraRecursiveVerifier_relation_parameters, verification_key->alphas, gate_challenges); - // Execute ZeroMorph to produce an opening claim subsequently verified by a univariate PCS + // Execute Shplemini to produce a batch opening claim subsequently verified by a univariate PCS auto opening_claim = Shplemini::compute_batch_opening_claim(key->circuit_size, commitments.get_unshifted(), commitments.get_to_be_shifted(), diff --git a/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.test.cpp b/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.test.cpp index fadb5460be2e..fe7c55710937 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.test.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.test.cpp @@ -170,14 +170,10 @@ template class RecursiveVerifierTest : public testing size_t block_idx = 0; for (auto [b_10, b_11] : zip_view(blocks_10.get(), blocks_11.get())) { info("block index: ", block_idx); - size_t sel_idx = 0; EXPECT_TRUE(b_10.selectors.size() == 13); EXPECT_TRUE(b_11.selectors.size() == 13); for (auto [p_10, p_11] : zip_view(b_10.selectors, b_11.selectors)) { - - info("sel index: ", sel_idx); check_eq(p_10, p_11); - sel_idx++; } block_idx++; } @@ -215,10 +211,7 @@ template class RecursiveVerifierTest : public testing // Create a recursive verification circuit for the proof of the inner circuit OuterBuilder outer_circuit; RecursiveVerifier verifier{ &outer_circuit, verification_key }; - typename RecursiveFlavor::CommitmentLabels commitment_labels; - for (auto [label, key] : zip_view(commitment_labels.get_precomputed(), verifier.key->get_all())) { - info("label: ", label, " value: ", key.get_value()); - } + aggregation_state agg_obj = init_default_aggregation_state(outer_circuit); auto pairing_points = verifier.verify_proof(inner_proof, agg_obj); diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp index 1e6d398f9c57..0e1bfae71a81 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp @@ -59,7 +59,6 @@ template void DeciderProver_::execute_pcs_rounds( sumcheck_output.challenge, commitment_key, transcript); - PCS::compute_opening_proof(commitment_key, prover_opening_claim, transcript); } diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/mega_transcript.test.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/mega_transcript.test.cpp index 102a394a2464..461ef54a4038 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/mega_transcript.test.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/mega_transcript.test.cpp @@ -259,14 +259,9 @@ TEST_F(MegaTranscriptTests, StructureTest) EXPECT_TRUE(verifier.verify_proof(proof)); // try deserializing and serializing with no changes and check proof is still valid - auto prover_manifest = prover.transcript->get_manifest(); - prover_manifest.print(); - prover.transcript->deserialize_full_transcript(); prover.transcript->serialize_full_transcript(); EXPECT_TRUE(verifier.verify_proof(prover.export_proof())); // we have changed nothing so proof is still valid - auto prover_manifest1 = prover.transcript->get_manifest(); - prover_manifest1.print(); Flavor::Commitment one_group_val = Flavor::Commitment::one(); FF rand_val = FF::random_element(); diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_transcript.test.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_transcript.test.cpp index 5f6cee1b5ec5..147db031eadd 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_transcript.test.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_transcript.test.cpp @@ -146,7 +146,6 @@ TEST_F(UltraTranscriptTests, ProverManifestConsistency) auto proving_key = std::make_shared(builder); UltraProver prover(proving_key); auto proof = prover.construct_proof(); - info(proof.size()); // Check that the prover generated manifest agrees with the manifest hard coded in this suite auto manifest_expected = construct_ultra_honk_manifest();