From a83368c8da55fde6ea4a1135fbab47a5b5298e28 Mon Sep 17 00:00:00 2001 From: Lucas Xia Date: Fri, 22 Mar 2024 14:05:15 -0600 Subject: [PATCH] refactor: clean out prover instance and remove instance from oink (#5314) Moves sorted_polynomials, initialize_prover_polynomials, compute_sorted_accumulator_polynomials, compute_sorted_list_accumulator, compute_logderivative_inverse, compute_grand_product_polynomials out of prover instance and into the proving_key. We also modify the OinkProver to return an OinkProverOutput, which is just the relation_parameters. These changes enable us to remove instance from the oink prover, and only take in a proving_key. ``` -------------------------------------------------------------------------------- Benchmark Time CPU Iterations UserCounters... -------------------------------------------------------------------------------- ClientIVCBench/Full/6 23860 ms 18897 ms 1 Decider::construct_proof=1 Decider::construct_proof(t)=751.457M ECCVMComposer::compute_commitment_key=1 ECCVMComposer::compute_commitment_key(t)=3.7316M ECCVMComposer::compute_witness=1 ECCVMComposer::compute_witness(t)=129.141M ECCVMComposer::create_prover=1 ECCVMComposer::create_prover(t)=149.103M ECCVMComposer::create_proving_key=1 ECCVMComposer::create_proving_key(t)=16.0015M ECCVMProver::construct_proof=1 ECCVMProver::construct_proof(t)=1.76309G Goblin::merge=11 Goblin::merge(t)=135.854M GoblinTranslatorCircuitBuilder::constructor=1 GoblinTranslatorCircuitBuilder::constructor(t)=57.9044M GoblinTranslatorProver=1 GoblinTranslatorProver(t)=125.368M GoblinTranslatorProver::construct_proof=1 GoblinTranslatorProver::construct_proof(t)=953.077M ProtoGalaxyProver_::accumulator_update_round=10 ProtoGalaxyProver_::accumulator_update_round(t)=725.626M ProtoGalaxyProver_::combiner_quotient_round=10 ProtoGalaxyProver_::combiner_quotient_round(t)=7.21724G ProtoGalaxyProver_::perturbator_round=10 ProtoGalaxyProver_::perturbator_round(t)=1.3161G ProtoGalaxyProver_::preparation_round=10 ProtoGalaxyProver_::preparation_round(t)=4.14482G ProtogalaxyProver::fold_instances=10 ProtogalaxyProver::fold_instances(t)=13.4038G ProverInstance(Circuit&)=11 ProverInstance(Circuit&)(t)=2.02586G batch_mul_with_endomorphism=30 batch_mul_with_endomorphism(t)=565.397M commit=425 commit(t)=4.00022G compute_combiner=10 compute_combiner(t)=7.21503G compute_perturbator=9 compute_perturbator(t)=1.31577G compute_univariate=48 compute_univariate(t)=1.4239G construct_circuits=6 construct_circuits(t)=4.4678G Benchmarking lock deleted. client_ivc_bench.json 100% 3995 110.5KB/s 00:00 function ms % sum construct_circuits(t) 4468 18.89% ProverInstance(Circuit&)(t) 2026 8.57% ProtogalaxyProver::fold_instances(t) 13404 56.68% Decider::construct_proof(t) 751 3.18% ECCVMComposer::create_prover(t) 149 0.63% ECCVMProver::construct_proof(t) 1763 7.45% GoblinTranslatorProver::construct_proof(t) 953 4.03% Goblin::merge(t) 136 0.57% Total time accounted for: 23650ms/23860ms = 99.12% Major contributors: function ms % sum commit(t) 4000 16.91% compute_combiner(t) 7215 30.51% compute_perturbator(t) 1316 5.56% compute_univariate(t) 1424 6.02% Breakdown of ProtogalaxyProver::fold_instances: ProtoGalaxyProver_::preparation_round(t) 4145 30.92% ProtoGalaxyProver_::perturbator_round(t) 1316 9.82% ProtoGalaxyProver_::combiner_quotient_round(t) 7217 53.84% ProtoGalaxyProver_::accumulator_update_round(t) 726 5.41% ``` --- .../cpp/scripts/analyze_client_ivc_bench.py | 1 - .../ultra_bench/ultra_honk_rounds.bench.cpp | 3 + .../src/barretenberg/flavor/goblin_ultra.hpp | 143 ++++++++++++++++++ .../cpp/src/barretenberg/flavor/ultra.hpp | 128 ++++++++++++++++ .../library/grand_product_library.hpp | 6 +- .../protogalaxy/protogalaxy.test.cpp | 15 +- .../protogalaxy/protogalaxy_prover.cpp | 19 +-- .../sumcheck/instance/prover_instance.cpp | 131 ---------------- .../sumcheck/instance/prover_instance.hpp | 17 +-- .../instance/prover_instance.test.cpp | 4 +- .../goblin_translator_prover.cpp | 2 +- .../barretenberg/ultra_honk/oink_prover.cpp | 82 ++++++---- .../barretenberg/ultra_honk/oink_prover.hpp | 19 ++- .../ultra_honk/relation_correctness.test.cpp | 28 ++-- .../barretenberg/ultra_honk/sumcheck.test.cpp | 14 +- .../barretenberg/ultra_honk/ultra_prover.cpp | 21 +-- 16 files changed, 384 insertions(+), 249 deletions(-) diff --git a/barretenberg/cpp/scripts/analyze_client_ivc_bench.py b/barretenberg/cpp/scripts/analyze_client_ivc_bench.py index af374d05a5d..7f83664a03e 100644 --- a/barretenberg/cpp/scripts/analyze_client_ivc_bench.py +++ b/barretenberg/cpp/scripts/analyze_client_ivc_bench.py @@ -12,7 +12,6 @@ "ProtogalaxyProver::fold_instances(t)", "Decider::construct_proof(t)", "ECCVMComposer::create_prover(t)", - "GoblinTranslatorComposer::create_prover(t)", "ECCVMProver::construct_proof(t)", "GoblinTranslatorProver::construct_proof(t)", "Goblin::merge(t)" diff --git a/barretenberg/cpp/src/barretenberg/benchmark/ultra_bench/ultra_honk_rounds.bench.cpp b/barretenberg/cpp/src/barretenberg/benchmark/ultra_bench/ultra_honk_rounds.bench.cpp index 5f6fdf186de..2ec4edfdbee 100644 --- a/barretenberg/cpp/src/barretenberg/benchmark/ultra_bench/ultra_honk_rounds.bench.cpp +++ b/barretenberg/cpp/src/barretenberg/benchmark/ultra_bench/ultra_honk_rounds.bench.cpp @@ -49,6 +49,9 @@ BB_PROFILE static void test_round_inner(State& state, GoblinUltraProver& prover, time_if_index(SORTED_LIST_ACCUMULATOR, [&] { prover.oink_prover.execute_sorted_list_accumulator_round(); }); time_if_index(LOG_DERIVATIVE_INVERSE, [&] { prover.oink_prover.execute_log_derivative_inverse_round(); }); time_if_index(GRAND_PRODUCT_COMPUTATION, [&] { prover.oink_prover.execute_grand_product_computation_round(); }); + // we need to get the relation_parameters and prover_polynomials from the oink_prover + prover.instance->relation_parameters = prover.oink_prover.relation_parameters; + prover.instance->prover_polynomials = GoblinUltraFlavor::ProverPolynomials(prover.instance->proving_key); time_if_index(RELATION_CHECK, [&] { prover.execute_relation_check_rounds(); }); time_if_index(ZEROMORPH, [&] { prover.execute_zeromorph_rounds(); }); } diff --git a/barretenberg/cpp/src/barretenberg/flavor/goblin_ultra.hpp b/barretenberg/cpp/src/barretenberg/flavor/goblin_ultra.hpp index a8ed0ceb79f..944a6142d1d 100644 --- a/barretenberg/cpp/src/barretenberg/flavor/goblin_ultra.hpp +++ b/barretenberg/cpp/src/barretenberg/flavor/goblin_ultra.hpp @@ -6,6 +6,8 @@ #include "barretenberg/honk/proof_system/types/proof.hpp" #include "barretenberg/polynomials/univariate.hpp" #include "barretenberg/proof_system/circuit_builder/goblin_ultra_circuit_builder.hpp" +#include "barretenberg/proof_system/library/grand_product_delta.hpp" +#include "barretenberg/proof_system/library/grand_product_library.hpp" #include "barretenberg/relations/auxiliary_relation.hpp" #include "barretenberg/relations/databus_lookup_relation.hpp" #include "barretenberg/relations/delta_range_constraint_relation.hpp" @@ -266,6 +268,7 @@ class GoblinUltraFlavor { std::vector memory_read_records; std::vector memory_write_records; + std::array sorted_polynomials; size_t num_ecc_op_gates; // needed to determine public input offset @@ -276,6 +279,124 @@ class GoblinUltraFlavor { }; // The plookup wires that store plookup read data. auto get_table_column_wires() { return RefArray{ w_l, w_r, w_o }; }; + + /** + * @brief Construct sorted list accumulator polynomial 's'. + * + * @details Compute s = s_1 + η*s_2 + η²*s_3 + η³*s_4 (via Horner) where s_i are the + * sorted concatenated witness/table polynomials + * + * @param key proving key + * @param sorted_list_polynomials sorted concatenated witness/table polynomials + * @param eta random challenge + * @return Polynomial + */ + void compute_sorted_list_accumulator(const FF& eta) + { + const size_t circuit_size = this->circuit_size; + + auto sorted_list_accumulator = Polynomial{ circuit_size }; + + // Construct s via Horner, i.e. s = s_1 + η(s_2 + η(s_3 + η*s_4)) + for (size_t i = 0; i < circuit_size; ++i) { + FF T0 = this->sorted_polynomials[3][i]; + T0 *= eta; + T0 += this->sorted_polynomials[2][i]; + T0 *= eta; + T0 += this->sorted_polynomials[1][i]; + T0 *= eta; + T0 += this->sorted_polynomials[0][i]; + sorted_list_accumulator[i] = T0; + } + this->sorted_accum = sorted_list_accumulator.share(); + } + + void compute_sorted_accumulator_polynomials(const FF& eta) + { + // Compute sorted witness-table accumulator + this->compute_sorted_list_accumulator(eta); + + // Finalize fourth wire polynomial by adding lookup memory records + add_plookup_memory_records_to_wire_4(eta); + } + + /** + * @brief Add plookup memory records to the fourth wire polynomial + * + * @details This operation must be performed after the first three wires have been committed to, hence the + * dependence on the `eta` challenge. + * + * @tparam Flavor + * @param eta challenge produced after commitment to first three wire polynomials + */ + void add_plookup_memory_records_to_wire_4(const FF& eta) + { + // The plookup memory record values are computed at the indicated indices as + // w4 = w3 * eta^3 + w2 * eta^2 + w1 * eta + read_write_flag; + // (See plookup_auxiliary_widget.hpp for details) + auto wires = this->get_wires(); + + // Compute read record values + for (const auto& gate_idx : this->memory_read_records) { + wires[3][gate_idx] += wires[2][gate_idx]; + wires[3][gate_idx] *= eta; + wires[3][gate_idx] += wires[1][gate_idx]; + wires[3][gate_idx] *= eta; + wires[3][gate_idx] += wires[0][gate_idx]; + wires[3][gate_idx] *= eta; + } + + // Compute write record values + for (const auto& gate_idx : this->memory_write_records) { + wires[3][gate_idx] += wires[2][gate_idx]; + wires[3][gate_idx] *= eta; + wires[3][gate_idx] += wires[1][gate_idx]; + wires[3][gate_idx] *= eta; + wires[3][gate_idx] += wires[0][gate_idx]; + wires[3][gate_idx] *= eta; + wires[3][gate_idx] += 1; + } + } + + /** + * @brief Compute the inverse polynomial used in the log derivative lookup argument + * + * @tparam Flavor + * @param beta + * @param gamma + */ + void compute_logderivative_inverse(const RelationParameters& relation_parameters) + { + auto prover_polynomials = ProverPolynomials(*this); + // Compute permutation and lookup grand product polynomials + bb::compute_logderivative_inverse( + prover_polynomials, relation_parameters, this->circuit_size); + this->lookup_inverses = prover_polynomials.lookup_inverses; + } + + /** + * @brief Computes public_input_delta, lookup_grand_product_delta, the z_perm and z_lookup polynomials + * + * @param relation_parameters + */ + void compute_grand_product_polynomials(RelationParameters& relation_parameters) + { + auto public_input_delta = compute_public_input_delta(this->public_inputs, + relation_parameters.beta, + relation_parameters.gamma, + this->circuit_size, + this->pub_inputs_offset); + relation_parameters.public_input_delta = public_input_delta; + auto lookup_grand_product_delta = compute_lookup_grand_product_delta( + relation_parameters.beta, relation_parameters.gamma, this->circuit_size); + relation_parameters.lookup_grand_product_delta = lookup_grand_product_delta; + + // Compute permutation and lookup grand product polynomials + auto prover_polynomials = ProverPolynomials(*this); + compute_grand_products(*this, prover_polynomials, relation_parameters); + this->z_perm = prover_polynomials.z_perm; + this->z_lookup = prover_polynomials.z_lookup; + } }; /** @@ -331,6 +452,28 @@ class GoblinUltraFlavor { */ class ProverPolynomials : public AllEntities { public: + ProverPolynomials(ProvingKey& proving_key) + { + for (auto [prover_poly, key_poly] : zip_view(this->get_unshifted(), proving_key.get_all())) { + ASSERT(flavor_get_label(*this, prover_poly) == flavor_get_label(proving_key, key_poly)); + prover_poly = key_poly.share(); + } + for (auto [prover_poly, key_poly] : zip_view(this->get_shifted(), proving_key.get_to_be_shifted())) { + ASSERT(flavor_get_label(*this, prover_poly) == (flavor_get_label(proving_key, key_poly) + "_shift")); + prover_poly = key_poly.shifted(); + } + } + ProverPolynomials(std::shared_ptr& proving_key) + { + for (auto [prover_poly, key_poly] : zip_view(this->get_unshifted(), proving_key->get_all())) { + ASSERT(flavor_get_label(*this, prover_poly) == flavor_get_label(*proving_key, key_poly)); + prover_poly = key_poly.share(); + } + for (auto [prover_poly, key_poly] : zip_view(this->get_shifted(), proving_key->get_to_be_shifted())) { + ASSERT(flavor_get_label(*this, prover_poly) == (flavor_get_label(*proving_key, key_poly) + "_shift")); + prover_poly = key_poly.shifted(); + } + } // Define all operations as default, except move construction/assignment ProverPolynomials() = default; ProverPolynomials& operator=(const ProverPolynomials&) = delete; diff --git a/barretenberg/cpp/src/barretenberg/flavor/ultra.hpp b/barretenberg/cpp/src/barretenberg/flavor/ultra.hpp index d6db5c90909..b2f0d8901c8 100644 --- a/barretenberg/cpp/src/barretenberg/flavor/ultra.hpp +++ b/barretenberg/cpp/src/barretenberg/flavor/ultra.hpp @@ -8,11 +8,14 @@ #include "barretenberg/polynomials/polynomial.hpp" #include "barretenberg/polynomials/univariate.hpp" #include "barretenberg/proof_system/circuit_builder/ultra_circuit_builder.hpp" +#include "barretenberg/proof_system/library/grand_product_delta.hpp" +#include "barretenberg/proof_system/library/grand_product_library.hpp" #include "barretenberg/relations/auxiliary_relation.hpp" #include "barretenberg/relations/delta_range_constraint_relation.hpp" #include "barretenberg/relations/elliptic_relation.hpp" #include "barretenberg/relations/lookup_relation.hpp" #include "barretenberg/relations/permutation_relation.hpp" +#include "barretenberg/relations/relation_parameters.hpp" #include "barretenberg/relations/ultra_arithmetic_relation.hpp" #include "barretenberg/transcript/transcript.hpp" @@ -272,6 +275,7 @@ class UltraFlavor { std::vector memory_read_records; std::vector memory_write_records; + std::array sorted_polynomials; auto get_to_be_shifted() { @@ -280,6 +284,108 @@ class UltraFlavor { }; // The plookup wires that store plookup read data. auto get_table_column_wires() { return RefArray{ w_l, w_r, w_o }; }; + + /** + * @brief Construct sorted list accumulator polynomial 's'. + * + * @details Compute s = s_1 + η*s_2 + η²*s_3 + η³*s_4 (via Horner) where s_i are the + * sorted concatenated witness/table polynomials + * + * @param key proving key + * @param sorted_list_polynomials sorted concatenated witness/table polynomials + * @param eta random challenge + * @return Polynomial + */ + void compute_sorted_list_accumulator(const FF& eta) + { + const size_t circuit_size = this->circuit_size; + + auto sorted_list_accumulator = Polynomial{ circuit_size }; + + // Construct s via Horner, i.e. s = s_1 + η(s_2 + η(s_3 + η*s_4)) + for (size_t i = 0; i < circuit_size; ++i) { + FF T0 = this->sorted_polynomials[3][i]; + T0 *= eta; + T0 += this->sorted_polynomials[2][i]; + T0 *= eta; + T0 += this->sorted_polynomials[1][i]; + T0 *= eta; + T0 += this->sorted_polynomials[0][i]; + sorted_list_accumulator[i] = T0; + } + this->sorted_accum = sorted_list_accumulator.share(); + } + + void compute_sorted_accumulator_polynomials(const FF& eta) + { + // Compute sorted witness-table accumulator + this->compute_sorted_list_accumulator(eta); + + // Finalize fourth wire polynomial by adding lookup memory records + add_plookup_memory_records_to_wire_4(eta); + } + + /** + * @brief Add plookup memory records to the fourth wire polynomial + * + * @details This operation must be performed after the first three wires have been committed to, hence the + * dependence on the `eta` challenge. + * + * @tparam Flavor + * @param eta challenge produced after commitment to first three wire polynomials + */ + void add_plookup_memory_records_to_wire_4(const FF& eta) + { + // The plookup memory record values are computed at the indicated indices as + // w4 = w3 * eta^3 + w2 * eta^2 + w1 * eta + read_write_flag; + // (See plookup_auxiliary_widget.hpp for details) + auto wires = this->get_wires(); + + // Compute read record values + for (const auto& gate_idx : this->memory_read_records) { + wires[3][gate_idx] += wires[2][gate_idx]; + wires[3][gate_idx] *= eta; + wires[3][gate_idx] += wires[1][gate_idx]; + wires[3][gate_idx] *= eta; + wires[3][gate_idx] += wires[0][gate_idx]; + wires[3][gate_idx] *= eta; + } + + // Compute write record values + for (const auto& gate_idx : this->memory_write_records) { + wires[3][gate_idx] += wires[2][gate_idx]; + wires[3][gate_idx] *= eta; + wires[3][gate_idx] += wires[1][gate_idx]; + wires[3][gate_idx] *= eta; + wires[3][gate_idx] += wires[0][gate_idx]; + wires[3][gate_idx] *= eta; + wires[3][gate_idx] += 1; + } + } + + /** + * @brief Computes public_input_delta, lookup_grand_product_delta, the z_perm and z_lookup polynomials + * + * @param relation_parameters + */ + void compute_grand_product_polynomials(RelationParameters& relation_parameters) + { + auto public_input_delta = compute_public_input_delta(this->public_inputs, + relation_parameters.beta, + relation_parameters.gamma, + this->circuit_size, + this->pub_inputs_offset); + relation_parameters.public_input_delta = public_input_delta; + auto lookup_grand_product_delta = compute_lookup_grand_product_delta( + relation_parameters.beta, relation_parameters.gamma, this->circuit_size); + relation_parameters.lookup_grand_product_delta = lookup_grand_product_delta; + + // Compute permutation and lookup grand product polynomials + auto prover_polynomials = ProverPolynomials(*this); + compute_grand_products(*this, prover_polynomials, relation_parameters); + this->z_perm = prover_polynomials.z_perm; + this->z_lookup = prover_polynomials.z_lookup; + } }; /** @@ -307,6 +413,28 @@ class UltraFlavor { */ class ProverPolynomials : public AllEntities { public: + ProverPolynomials(ProvingKey& proving_key) + { + for (auto [prover_poly, key_poly] : zip_view(this->get_unshifted(), proving_key.get_all())) { + ASSERT(flavor_get_label(*this, prover_poly) == flavor_get_label(proving_key, key_poly)); + prover_poly = key_poly.share(); + } + for (auto [prover_poly, key_poly] : zip_view(this->get_shifted(), proving_key.get_to_be_shifted())) { + ASSERT(flavor_get_label(*this, prover_poly) == (flavor_get_label(proving_key, key_poly) + "_shift")); + prover_poly = key_poly.shifted(); + } + } + ProverPolynomials(std::shared_ptr& proving_key) + { + for (auto [prover_poly, key_poly] : zip_view(this->get_unshifted(), proving_key->get_all())) { + ASSERT(flavor_get_label(*this, prover_poly) == flavor_get_label(*proving_key, key_poly)); + prover_poly = key_poly.share(); + } + for (auto [prover_poly, key_poly] : zip_view(this->get_shifted(), proving_key->get_to_be_shifted())) { + ASSERT(flavor_get_label(*this, prover_poly) == (flavor_get_label(*proving_key, key_poly) + "_shift")); + prover_poly = key_poly.shifted(); + } + } // Define all operations as default, except move construction/assignment ProverPolynomials() = default; ProverPolynomials& operator=(const ProverPolynomials&) = delete; diff --git a/barretenberg/cpp/src/barretenberg/proof_system/library/grand_product_library.hpp b/barretenberg/cpp/src/barretenberg/proof_system/library/grand_product_library.hpp index 897d5a63642..5d2675649bf 100644 --- a/barretenberg/cpp/src/barretenberg/proof_system/library/grand_product_library.hpp +++ b/barretenberg/cpp/src/barretenberg/proof_system/library/grand_product_library.hpp @@ -142,7 +142,7 @@ void compute_grand_product(const size_t circuit_size, } template -void compute_grand_products(std::shared_ptr& key, +void compute_grand_products(const typename Flavor::ProvingKey& key, typename Flavor::ProverPolynomials& full_polynomials, bb::RelationParameters& relation_parameters) { @@ -157,10 +157,10 @@ void compute_grand_products(std::shared_ptr& key, // For example, for UltraPermutationRelation, this will be `full_polynomials.z_perm` // For example, for LookupRelation, this will be `full_polynomials.z_lookup` bb::Polynomial& full_polynomial = GrandProdRelation::get_grand_product_polynomial(full_polynomials); - auto& key_polynomial = GrandProdRelation::get_grand_product_polynomial(*key); + auto& key_polynomial = GrandProdRelation::get_grand_product_polynomial(key); full_polynomial = key_polynomial.share(); - compute_grand_product(key->circuit_size, full_polynomials, relation_parameters); + compute_grand_product(key.circuit_size, full_polynomials, relation_parameters); bb::Polynomial& full_polynomial_shift = GrandProdRelation::get_shifted_grand_product_polynomial(full_polynomials); full_polynomial_shift = key_polynomial.shifted(); diff --git a/barretenberg/cpp/src/barretenberg/protogalaxy/protogalaxy.test.cpp b/barretenberg/cpp/src/barretenberg/protogalaxy/protogalaxy.test.cpp index b013f2e17cf..1124bfdec23 100644 --- a/barretenberg/cpp/src/barretenberg/protogalaxy/protogalaxy.test.cpp +++ b/barretenberg/cpp/src/barretenberg/protogalaxy/protogalaxy.test.cpp @@ -117,16 +117,17 @@ template class ProtoGalaxyTests : public testing::Test { construct_circuit(builder); auto instance = std::make_shared(builder); - instance->initialize_prover_polynomials(); - auto eta = FF::random_element(); - auto beta = FF::random_element(); - auto gamma = FF::random_element(); - instance->compute_sorted_accumulator_polynomials(eta); + instance->relation_parameters.eta = FF::random_element(); + instance->relation_parameters.beta = FF::random_element(); + instance->relation_parameters.gamma = FF::random_element(); + + instance->proving_key->compute_sorted_accumulator_polynomials(instance->relation_parameters.eta); if constexpr (IsGoblinFlavor) { - instance->compute_logderivative_inverse(beta, gamma); + instance->proving_key->compute_logderivative_inverse(instance->relation_parameters); } - instance->compute_grand_product_polynomials(beta, gamma); + instance->proving_key->compute_grand_product_polynomials(instance->relation_parameters); + instance->prover_polynomials = ProverPolynomials(instance->proving_key); for (auto& alpha : instance->alphas) { alpha = FF::random_element(); diff --git a/barretenberg/cpp/src/barretenberg/protogalaxy/protogalaxy_prover.cpp b/barretenberg/cpp/src/barretenberg/protogalaxy/protogalaxy_prover.cpp index cb2df2fb6e2..93d35cad10f 100644 --- a/barretenberg/cpp/src/barretenberg/protogalaxy/protogalaxy_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/protogalaxy/protogalaxy_prover.cpp @@ -6,22 +6,11 @@ template void ProtoGalaxyProver_::finalise_and_send_instance(std::shared_ptr instance, const std::string& domain_separator) { - OinkProver oink_prover(instance, commitment_key, transcript, domain_separator + '_'); + OinkProver oink_prover(instance->proving_key, commitment_key, transcript, domain_separator + '_'); - // Add circuit size public input size and public inputs to transcript - oink_prover.execute_preamble_round(); - - // Compute first three wire commitments - oink_prover.execute_wire_commitments_round(); - - // Compute sorted list accumulator and commitment - oink_prover.execute_sorted_list_accumulator_round(); - - // Fiat-Shamir: beta & gamma - oink_prover.execute_log_derivative_inverse_round(); - - // Compute grand product(s) and commitments. - oink_prover.execute_grand_product_computation_round(); + auto [relation_params] = oink_prover.prove(); + instance->relation_parameters = std::move(relation_params); + instance->prover_polynomials = ProverPolynomials(instance->proving_key); // Generate relation separators alphas for sumcheck for (size_t idx = 0; idx < NUM_SUBRELATIONS - 1; idx++) { diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.cpp b/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.cpp index 731619b9e50..7f04ee8401c 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.cpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.cpp @@ -2,8 +2,6 @@ #include "barretenberg/honk/proof_system/logderivative_library.hpp" #include "barretenberg/proof_system/circuit_builder/ultra_circuit_builder.hpp" #include "barretenberg/proof_system/composer/permutation_lib.hpp" -#include "barretenberg/proof_system/library/grand_product_delta.hpp" -#include "barretenberg/proof_system/library/grand_product_library.hpp" namespace bb { /** @@ -74,135 +72,6 @@ void ProverInstance_::construct_table_polynomials(Circuit& circuit, size proving_key->table_4 = table_polynomials[3].share(); } -template void ProverInstance_::initialize_prover_polynomials() -{ - for (auto [prover_poly, key_poly] : zip_view(prover_polynomials.get_unshifted(), proving_key->get_all())) { - ASSERT(flavor_get_label(prover_polynomials, prover_poly) == flavor_get_label(*proving_key, key_poly)); - prover_poly = key_poly.share(); - } - for (auto [prover_poly, key_poly] : zip_view(prover_polynomials.get_shifted(), proving_key->get_to_be_shifted())) { - ASSERT(flavor_get_label(prover_polynomials, prover_poly) == - (flavor_get_label(*proving_key, key_poly) + "_shift")); - prover_poly = key_poly.shifted(); - } -} - -template void ProverInstance_::compute_sorted_accumulator_polynomials(FF eta) -{ - relation_parameters.eta = eta; - // Compute sorted witness-table accumulator - compute_sorted_list_accumulator(eta); - prover_polynomials.sorted_accum = proving_key->sorted_accum.share(); - prover_polynomials.sorted_accum_shift = proving_key->sorted_accum.shifted(); - - // Finalize fourth wire polynomial by adding lookup memory records - add_plookup_memory_records_to_wire_4(eta); - prover_polynomials.w_4 = proving_key->w_4.share(); - prover_polynomials.w_4_shift = proving_key->w_4.shifted(); -} - -/** - * @brief Construct sorted list accumulator polynomial 's'. - * - * @details Compute s = s_1 + η*s_2 + η²*s_3 + η³*s_4 (via Horner) where s_i are the - * sorted concatenated witness/table polynomials - * - * @param key proving key - * @param sorted_list_polynomials sorted concatenated witness/table polynomials - * @param eta random challenge - * @return Polynomial - */ -template void ProverInstance_::compute_sorted_list_accumulator(FF eta) -{ - const size_t circuit_size = proving_key->circuit_size; - - auto sorted_list_accumulator = Polynomial{ circuit_size }; - - // Construct s via Horner, i.e. s = s_1 + η(s_2 + η(s_3 + η*s_4)) - for (size_t i = 0; i < circuit_size; ++i) { - FF T0 = sorted_polynomials[3][i]; - T0 *= eta; - T0 += sorted_polynomials[2][i]; - T0 *= eta; - T0 += sorted_polynomials[1][i]; - T0 *= eta; - T0 += sorted_polynomials[0][i]; - sorted_list_accumulator[i] = T0; - } - proving_key->sorted_accum = sorted_list_accumulator.share(); -} - -/** - * @brief Add plookup memory records to the fourth wire polynomial - * - * @details This operation must be performed after the first three wires have been committed to, hence the dependence on - * the `eta` challenge. - * - * @tparam Flavor - * @param eta challenge produced after commitment to first three wire polynomials - */ -template void ProverInstance_::add_plookup_memory_records_to_wire_4(FF eta) -{ - // The plookup memory record values are computed at the indicated indices as - // w4 = w3 * eta^3 + w2 * eta^2 + w1 * eta + read_write_flag; - // (See plookup_auxiliary_widget.hpp for details) - auto wires = proving_key->get_wires(); - - // Compute read record values - for (const auto& gate_idx : proving_key->memory_read_records) { - wires[3][gate_idx] += wires[2][gate_idx]; - wires[3][gate_idx] *= eta; - wires[3][gate_idx] += wires[1][gate_idx]; - wires[3][gate_idx] *= eta; - wires[3][gate_idx] += wires[0][gate_idx]; - wires[3][gate_idx] *= eta; - } - - // Compute write record values - for (const auto& gate_idx : proving_key->memory_write_records) { - wires[3][gate_idx] += wires[2][gate_idx]; - wires[3][gate_idx] *= eta; - wires[3][gate_idx] += wires[1][gate_idx]; - wires[3][gate_idx] *= eta; - wires[3][gate_idx] += wires[0][gate_idx]; - wires[3][gate_idx] *= eta; - wires[3][gate_idx] += 1; - } -} - -/** - * @brief Compute the inverse polynomial used in the log derivative lookup argument - * - * @tparam Flavor - * @param beta - * @param gamma - */ -template -void ProverInstance_::compute_logderivative_inverse(FF beta, FF gamma) - requires IsGoblinFlavor -{ - relation_parameters.beta = beta; - relation_parameters.gamma = gamma; - - // Compute permutation and lookup grand product polynomials - bb::compute_logderivative_inverse( - prover_polynomials, relation_parameters, proving_key->circuit_size); -} - -template void ProverInstance_::compute_grand_product_polynomials(FF beta, FF gamma) -{ - auto public_input_delta = compute_public_input_delta( - proving_key->public_inputs, beta, gamma, proving_key->circuit_size, proving_key->pub_inputs_offset); - relation_parameters.beta = beta; - relation_parameters.gamma = gamma; - relation_parameters.public_input_delta = public_input_delta; - auto lookup_grand_product_delta = compute_lookup_grand_product_delta(beta, gamma, proving_key->circuit_size); - relation_parameters.lookup_grand_product_delta = lookup_grand_product_delta; - - // Compute permutation and lookup grand product polynomials - compute_grand_products(proving_key, prover_polynomials, relation_parameters); -} - template class ProverInstance_; template class ProverInstance_; diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.hpp b/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.hpp index 29a2b71fc86..b16dd99dbf9 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.hpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.hpp @@ -33,8 +33,6 @@ template class ProverInstance_ { std::shared_ptr proving_key; ProverPolynomials prover_polynomials; - std::array sorted_polynomials; - RelationSeparator alphas; bb::RelationParameters relation_parameters; @@ -73,7 +71,7 @@ template class ProverInstance_ { construct_table_polynomials(circuit, dyadic_circuit_size); - sorted_polynomials = construct_sorted_list_polynomials(circuit, dyadic_circuit_size); + proving_key->sorted_polynomials = construct_sorted_list_polynomials(circuit, dyadic_circuit_size); std::span public_wires_source = proving_key->w_r; @@ -92,20 +90,9 @@ template class ProverInstance_ { ProverInstance_() = default; ~ProverInstance_() = default; - void initialize_prover_polynomials(); - - void compute_sorted_accumulator_polynomials(FF); - - void compute_sorted_list_accumulator(FF); - - void compute_logderivative_inverse(FF, FF) - requires IsGoblinFlavor; - void compute_databus_id() requires IsGoblinFlavor; - void compute_grand_product_polynomials(FF, FF); - private: static constexpr size_t num_zero_rows = Flavor::has_zero_row ? 1 : 0; static constexpr size_t NUM_WIRES = Circuit::NUM_WIRES; @@ -117,8 +104,6 @@ template class ProverInstance_ { requires IsGoblinFlavor; void construct_table_polynomials(Circuit&, size_t); - - void add_plookup_memory_records_to_wire_4(FF); }; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.test.cpp b/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.test.cpp index 2f9d5fa18a4..78f87455419 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.test.cpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.test.cpp @@ -60,10 +60,10 @@ template class InstanceTests : public testing::Test { // Get random challenge eta auto eta = FF::random_element(); - auto sorted_list_polynomials = instance.sorted_polynomials; + auto sorted_list_polynomials = instance.proving_key->sorted_polynomials; // Method 1: computed sorted list accumulator polynomial using prover library method - instance.compute_sorted_list_accumulator(eta); + instance.proving_key->compute_sorted_list_accumulator(eta); auto sorted_list_accumulator = instance.proving_key->sorted_accum; // Method 2: Compute local sorted list accumulator simply and inefficiently diff --git a/barretenberg/cpp/src/barretenberg/translator_vm/goblin_translator_prover.cpp b/barretenberg/cpp/src/barretenberg/translator_vm/goblin_translator_prover.cpp index 2ddff25fa1e..ffeaa978161 100644 --- a/barretenberg/cpp/src/barretenberg/translator_vm/goblin_translator_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/translator_vm/goblin_translator_prover.cpp @@ -290,7 +290,7 @@ void GoblinTranslatorProver::execute_grand_product_computation_round() }; } // Compute constraint permutation grand product - compute_grand_products(key, prover_polynomials, relation_parameters); + compute_grand_products(*key, prover_polynomials, relation_parameters); transcript->send_to_verifier(commitment_labels.z_perm, commitment_key->commit(key->z_perm)); } diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.cpp index 9f140c5815c..1a8a8d123d0 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.cpp @@ -2,23 +2,51 @@ namespace bb { +/** + * @brief Oink Prover function that runs all the rounds of the verifier + * @details Returns the witness commitments and relation_parameters + * @tparam Flavor + * @return OinkProverOutput + */ +template OinkProverOutput OinkProver::prove() +{ + // Add circuit size public input size and public inputs to transcript-> + execute_preamble_round(); + + // Compute first three wire commitments + execute_wire_commitments_round(); + + // Compute sorted list accumulator and commitment + execute_sorted_list_accumulator_round(); + + // Fiat-Shamir: beta & gamma + execute_log_derivative_inverse_round(); + + // Compute grand product(s) and commitments. + execute_grand_product_computation_round(); + + return OinkProverOutput{ + .relation_parameters = std::move(relation_parameters), + }; +} + /** * @brief Add circuit size, public input size, and public inputs to transcript * */ template void OinkProver::execute_preamble_round() { - const auto circuit_size = static_cast(instance->proving_key->circuit_size); - const auto num_public_inputs = static_cast(instance->proving_key->num_public_inputs); + const auto circuit_size = static_cast(proving_key->circuit_size); + const auto num_public_inputs = static_cast(proving_key->num_public_inputs); transcript->send_to_verifier(domain_separator + "circuit_size", circuit_size); transcript->send_to_verifier(domain_separator + "public_input_size", num_public_inputs); transcript->send_to_verifier(domain_separator + "pub_inputs_offset", - static_cast(instance->proving_key->pub_inputs_offset)); + static_cast(proving_key->pub_inputs_offset)); - ASSERT(instance->proving_key->num_public_inputs == instance->proving_key->public_inputs.size()); + ASSERT(proving_key->num_public_inputs == proving_key->public_inputs.size()); - for (size_t i = 0; i < instance->proving_key->num_public_inputs; ++i) { - auto public_input_i = instance->proving_key->public_inputs[i]; + for (size_t i = 0; i < proving_key->num_public_inputs; ++i) { + auto public_input_i = proving_key->public_inputs[i]; transcript->send_to_verifier(domain_separator + "public_input_" + std::to_string(i), public_input_i); } } @@ -32,9 +60,9 @@ template void OinkProver::execute_wire_commitment { // Commit to the first three wire polynomials of the instance // We only commit to the fourth wire polynomial after adding memory recordss - witness_commitments.w_l = commitment_key->commit(instance->proving_key->w_l); - witness_commitments.w_r = commitment_key->commit(instance->proving_key->w_r); - witness_commitments.w_o = commitment_key->commit(instance->proving_key->w_o); + witness_commitments.w_l = commitment_key->commit(proving_key->w_l); + witness_commitments.w_r = commitment_key->commit(proving_key->w_r); + witness_commitments.w_o = commitment_key->commit(proving_key->w_o); auto wire_comms = witness_commitments.get_wires(); auto wire_labels = commitment_labels.get_wires(); @@ -44,10 +72,10 @@ template void OinkProver::execute_wire_commitment if constexpr (IsGoblinFlavor) { // Commit to Goblin ECC op wires - witness_commitments.ecc_op_wire_1 = commitment_key->commit(instance->proving_key->ecc_op_wire_1); - witness_commitments.ecc_op_wire_2 = commitment_key->commit(instance->proving_key->ecc_op_wire_2); - witness_commitments.ecc_op_wire_3 = commitment_key->commit(instance->proving_key->ecc_op_wire_3); - witness_commitments.ecc_op_wire_4 = commitment_key->commit(instance->proving_key->ecc_op_wire_4); + witness_commitments.ecc_op_wire_1 = commitment_key->commit(proving_key->ecc_op_wire_1); + witness_commitments.ecc_op_wire_2 = commitment_key->commit(proving_key->ecc_op_wire_2); + witness_commitments.ecc_op_wire_3 = commitment_key->commit(proving_key->ecc_op_wire_3); + witness_commitments.ecc_op_wire_4 = commitment_key->commit(proving_key->ecc_op_wire_4); auto op_wire_comms = witness_commitments.get_ecc_op_wires(); auto labels = commitment_labels.get_ecc_op_wires(); @@ -55,8 +83,8 @@ template void OinkProver::execute_wire_commitment transcript->send_to_verifier(domain_separator + labels[idx], op_wire_comms[idx]); } // Commit to DataBus columns - witness_commitments.calldata = commitment_key->commit(instance->proving_key->calldata); - witness_commitments.calldata_read_counts = commitment_key->commit(instance->proving_key->calldata_read_counts); + witness_commitments.calldata = commitment_key->commit(proving_key->calldata); + witness_commitments.calldata_read_counts = commitment_key->commit(proving_key->calldata_read_counts); transcript->send_to_verifier(domain_separator + commitment_labels.calldata, witness_commitments.calldata); transcript->send_to_verifier(domain_separator + commitment_labels.calldata_read_counts, witness_commitments.calldata_read_counts); @@ -70,13 +98,12 @@ template void OinkProver::execute_wire_commitment template void OinkProver::execute_sorted_list_accumulator_round() { - auto eta = transcript->template get_challenge(domain_separator + "eta"); - instance->compute_sorted_accumulator_polynomials(eta); - + relation_parameters.eta = transcript->template get_challenge(domain_separator + "eta"); + proving_key->compute_sorted_accumulator_polynomials(relation_parameters.eta); // Commit to the sorted witness-table accumulator and the finalized (i.e. with memory records) fourth wire // polynomial - witness_commitments.sorted_accum = commitment_key->commit(instance->proving_key->sorted_accum); - witness_commitments.w_4 = commitment_key->commit(instance->proving_key->w_4); + witness_commitments.sorted_accum = commitment_key->commit(proving_key->sorted_accum); + witness_commitments.w_4 = commitment_key->commit(proving_key->w_4); transcript->send_to_verifier(domain_separator + commitment_labels.sorted_accum, witness_commitments.sorted_accum); transcript->send_to_verifier(domain_separator + commitment_labels.w_4, witness_commitments.w_4); @@ -89,12 +116,12 @@ template void OinkProver::execute_sorted_list_acc template void OinkProver::execute_log_derivative_inverse_round() { auto [beta, gamma] = transcript->template get_challenges(domain_separator + "beta", domain_separator + "gamma"); - instance->relation_parameters.beta = beta; - instance->relation_parameters.gamma = gamma; + relation_parameters.beta = beta; + relation_parameters.gamma = gamma; if constexpr (IsGoblinFlavor) { // Compute and commit to the logderivative inverse used in DataBus - instance->compute_logderivative_inverse(beta, gamma); - witness_commitments.lookup_inverses = commitment_key->commit(instance->proving_key->lookup_inverses); + proving_key->compute_logderivative_inverse(relation_parameters); + witness_commitments.lookup_inverses = commitment_key->commit(proving_key->lookup_inverses); transcript->send_to_verifier(domain_separator + commitment_labels.lookup_inverses, witness_commitments.lookup_inverses); } @@ -107,11 +134,10 @@ template void OinkProver::execute_log_derivative_ template void OinkProver::execute_grand_product_computation_round() { - instance->compute_grand_product_polynomials(instance->relation_parameters.beta, - instance->relation_parameters.gamma); + proving_key->compute_grand_product_polynomials(relation_parameters); - witness_commitments.z_perm = commitment_key->commit(instance->proving_key->z_perm); - witness_commitments.z_lookup = commitment_key->commit(instance->proving_key->z_lookup); + witness_commitments.z_perm = commitment_key->commit(proving_key->z_perm); + witness_commitments.z_lookup = commitment_key->commit(proving_key->z_lookup); transcript->send_to_verifier(domain_separator + commitment_labels.z_perm, witness_commitments.z_perm); transcript->send_to_verifier(domain_separator + commitment_labels.z_lookup, witness_commitments.z_lookup); diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.hpp b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.hpp index f113589314e..fcf81279651 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.hpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.hpp @@ -21,10 +21,12 @@ #include "barretenberg/flavor/goblin_ultra.hpp" #include "barretenberg/flavor/ultra.hpp" -#include "barretenberg/sumcheck/instance/prover_instance.hpp" #include "barretenberg/transcript/transcript.hpp" namespace bb { +template struct OinkProverOutput { + bb::RelationParameters relation_parameters; +}; /** * @brief Class for all the oink rounds, which are shared between the folding prover and ultra prover. @@ -36,30 +38,31 @@ namespace bb { */ template class OinkProver { using CommitmentKey = typename Flavor::CommitmentKey; - using Instance = ProverInstance_; + using ProvingKey = typename Flavor::ProvingKey; using Transcript = typename Flavor::Transcript; using FF = typename Flavor::FF; public: - std::shared_ptr instance; + std::shared_ptr proving_key; std::shared_ptr transcript; std::shared_ptr commitment_key; std::string domain_separator; typename Flavor::WitnessCommitments witness_commitments; typename Flavor::CommitmentLabels commitment_labels; - OinkProver(const std::shared_ptr>& inst, + bb::RelationParameters relation_parameters; + + OinkProver(const std::shared_ptr& proving_key, const std::shared_ptr& commitment_key, const std::shared_ptr& transcript, std::string domain_separator = "") - : instance(inst) + : proving_key(proving_key) , transcript(transcript) , commitment_key(commitment_key) , domain_separator(std::move(domain_separator)) - { - instance->initialize_prover_polynomials(); - } + {} + OinkProverOutput prove(); void execute_preamble_round(); void execute_wire_commitments_round(); void execute_sorted_list_accumulator_round(); diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/relation_correctness.test.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/relation_correctness.test.cpp index 85a6eba0bc6..4f7e2c1ed41 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/relation_correctness.test.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/relation_correctness.test.cpp @@ -267,13 +267,13 @@ TEST_F(RelationCorrectnessTests, UltraRelationCorrectness) auto circuit_size = proving_key->circuit_size; // Generate eta, beta and gamma - FF eta = FF::random_element(); - FF beta = FF::random_element(); - FF gamma = FF::random_element(); + instance->relation_parameters.eta = FF::random_element(); + instance->relation_parameters.beta = FF::random_element(); + instance->relation_parameters.gamma = FF::random_element(); - instance->initialize_prover_polynomials(); - instance->compute_sorted_accumulator_polynomials(eta); - instance->compute_grand_product_polynomials(beta, gamma); + instance->proving_key->compute_sorted_accumulator_polynomials(instance->relation_parameters.eta); + instance->proving_key->compute_grand_product_polynomials(instance->relation_parameters); + instance->prover_polynomials = Flavor::ProverPolynomials(instance->proving_key); // Check that selectors are nonzero to ensure corresponding relation has nontrivial contribution ensure_non_zero(proving_key->q_arith); @@ -319,14 +319,14 @@ TEST_F(RelationCorrectnessTests, GoblinUltraRelationCorrectness) auto circuit_size = proving_key->circuit_size; // Generate eta, beta and gamma - FF eta = FF::random_element(); - FF beta = FF::random_element(); - FF gamma = FF::random_element(); - - instance->initialize_prover_polynomials(); - instance->compute_sorted_accumulator_polynomials(eta); - instance->compute_logderivative_inverse(beta, gamma); - instance->compute_grand_product_polynomials(beta, gamma); + instance->relation_parameters.eta = FF::random_element(); + instance->relation_parameters.beta = FF::random_element(); + instance->relation_parameters.gamma = FF::random_element(); + + instance->proving_key->compute_sorted_accumulator_polynomials(instance->relation_parameters.eta); + instance->proving_key->compute_logderivative_inverse(instance->relation_parameters); + instance->proving_key->compute_grand_product_polynomials(instance->relation_parameters); + instance->prover_polynomials = Flavor::ProverPolynomials(instance->proving_key); // Check that selectors are nonzero to ensure corresponding relation has nontrivial contribution ensure_non_zero(proving_key->q_arith); diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/sumcheck.test.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/sumcheck.test.cpp index 4f71fd5ea62..0cd4c773619 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/sumcheck.test.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/sumcheck.test.cpp @@ -147,16 +147,16 @@ TEST_F(SumcheckTestsRealCircuit, Ultra) false); // Create a prover (it will compute proving key and witness) - auto instance = std::make_shared>(builder); + auto instance = std::make_shared>(builder); // Generate eta, beta and gamma - FF eta = FF::random_element(); - FF beta = FF::random_element(); - FF gamma = FF::random_element(); + instance->relation_parameters.eta = FF::random_element(); + instance->relation_parameters.beta = FF::random_element(); + instance->relation_parameters.gamma = FF::random_element(); - instance->initialize_prover_polynomials(); - instance->compute_sorted_accumulator_polynomials(eta); - instance->compute_grand_product_polynomials(beta, gamma); + instance->proving_key->compute_sorted_accumulator_polynomials(instance->relation_parameters.eta); + instance->proving_key->compute_grand_product_polynomials(instance->relation_parameters); + instance->prover_polynomials = Flavor::ProverPolynomials(instance->proving_key); auto prover_transcript = Transcript::prover_init_empty(); auto circuit_size = instance->proving_key->circuit_size; diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.cpp index fe78a0d7d88..a8bce2bfc93 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.cpp @@ -15,7 +15,7 @@ UltraProver_::UltraProver_(const std::shared_ptr& inst, const : instance(std::move(inst)) , transcript(transcript) , commitment_key(instance->proving_key->commitment_key) - , oink_prover(inst, commitment_key, transcript, "") + , oink_prover(inst->proving_key, commitment_key, transcript, "") {} /** @@ -30,7 +30,7 @@ UltraProver_::UltraProver_(Builder& circuit) : instance(std::make_shared(circuit)) , transcript(std::make_shared()) , commitment_key(instance->proving_key->commitment_key) - , oink_prover(instance, commitment_key, transcript, "") + , oink_prover(instance->proving_key, commitment_key, transcript, "") {} /** @@ -79,20 +79,9 @@ template HonkProof& UltraProver_::export_proof() template HonkProof& UltraProver_::construct_proof() { - // Add circuit size public input size and public inputs to transcript-> - oink_prover.execute_preamble_round(); - - // Compute first three wire commitments - oink_prover.execute_wire_commitments_round(); - - // Compute sorted list accumulator and commitment - oink_prover.execute_sorted_list_accumulator_round(); - - // Fiat-Shamir: beta & gamma - oink_prover.execute_log_derivative_inverse_round(); - - // Compute grand product(s) and commitments. - oink_prover.execute_grand_product_computation_round(); + auto [relation_params] = oink_prover.prove(); + instance->relation_parameters = std::move(relation_params); + instance->prover_polynomials = ProverPolynomials(instance->proving_key); // Fiat-Shamir: alpha // Run sumcheck subprotocol.