Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Shplonk revival in ECCVM #7164

Merged
merged 23 commits into from
Jun 25, 2024
Merged

feat: Shplonk revival in ECCVM #7164

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
23 commits
Select commit Hold shift + click to select a range
4971ebe
commit
maramihali Jun 18, 2024
e7350db
modify verifiers
maramihali Jun 18, 2024
1e07311
try to share more code paths in zm test files
maramihali Jun 18, 2024
77f6d94
cleanup
maramihali Jun 18, 2024
8b4f411
Merge remote-tracking branch 'origin/master' into mm/zeromorph-pcs-se…
maramihali Jun 18, 2024
437fb3f
more cleaning
maramihali Jun 19, 2024
ae02db0
Merge remote-tracking branch 'origin/master' into mm/zeromorph-pcs-se…
maramihali Jun 19, 2024
07cd6d8
make gcc happy
maramihali Jun 19, 2024
4eea9e6
recomment asserts and pass commitments as const ref
maramihali Jun 20, 2024
8b48161
recomment asserts and pass commitments as const ref
maramihali Jun 20, 2024
2ffa927
resolve review comments
maramihali Jun 21, 2024
4cee7b7
Merge remote-tracking branch 'origin/master' into mm/zeromorph-pcs-se…
maramihali Jun 21, 2024
90460c1
Merge branch 'mm/zeromorph-pcs-separation' into mm/shplonk-refactor
maramihali Jun 21, 2024
88f1e34
Shplonk refactor and ECCVM + Shplonk integration
maramihali Jun 24, 2024
676d3e6
Merge remote-tracking branch 'origin/master' into mm/shplonk-refactor
maramihali Jun 24, 2024
704436e
remove stale files and restore deleted files
maramihali Jun 24, 2024
9d2cbde
some cleanup
maramihali Jun 24, 2024
b9414c2
fix typo
maramihali Jun 24, 2024
586b941
Merge branch 'master' into mm/shplonk-refactor
maramihali Jun 24, 2024
34dcfc5
respond to review comments
maramihali Jun 25, 2024
c4467b1
Merge remote-tracking branch 'origin/master' into mm/shplonk-refactor
maramihali Jun 25, 2024
9db7e0d
fix fuzzer
maramihali Jun 25, 2024
b7044ca
Merge branch 'master' into mm/shplonk-refactor
maramihali Jun 25, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion barretenberg/cpp/src/barretenberg/benchmark/ipa_bench/ipa.bench.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ void ipa_open(State& state) noexcept
auto prover_transcript = std::make_shared<NativeTranscript>();
state.ResumeTiming();
// Compute proof
IPA<Curve>::compute_opening_proof(ck, opening_pair, poly, prover_transcript);
IPA<Curve>::compute_opening_proof(ck, { poly, opening_pair }, prover_transcript);
// Store info for verifier
prover_transcripts[static_cast<size_t>(state.range(0)) - MIN_POLYNOMIAL_DEGREE_LOG2] = prover_transcript;
opening_claims[static_cast<size_t>(state.range(0)) - MIN_POLYNOMIAL_DEGREE_LOG2] = opening_claim;
Expand Down
7 changes: 3 additions & 4 deletions barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.fuzzer.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,11 +21,10 @@ class ProxyCaller {
public:
template <typename Transcript>
static void compute_opening_proof_internal(const std::shared_ptr<CommitmentKey<Curve>>& ck,
const OpeningPair<Curve>& opening_pair,
const Polynomial<Curve::ScalarField>& polynomial,
const ProverOpeningClaim<Curve>& opening_claim,
const std::shared_ptr<Transcript>& transcript)
{
IPA<Curve>::compute_opening_proof_internal(ck, opening_pair, polynomial, transcript);
IPA<Curve>::compute_opening_proof_internal(ck, opening_claim, transcript);
}
template <typename Transcript>
static bool verify_internal(const std::shared_ptr<VerifierCommitmentKey<Curve>>& vk,
Expand Down Expand Up @@ -145,7 +144,7 @@ extern "C" int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size)
}
auto const opening_pair = OpeningPair<Curve>{ x, poly.evaluate(x) };
auto const opening_claim = OpeningClaim<Curve>{ opening_pair, ck->commit(poly) };
ProxyCaller::compute_opening_proof_internal(ck, opening_pair, poly, transcript);
ProxyCaller::compute_opening_proof_internal(ck, { poly, opening_pair }, transcript);

// Reset challenge indices
transcript->reset_indices();
Expand Down
12 changes: 7 additions & 5 deletions barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.hpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -130,10 +130,12 @@ template <typename Curve_> class IPA {
*/
template <typename Transcript>
static void compute_opening_proof_internal(const std::shared_ptr<CK>& ck,
const OpeningPair<Curve>& opening_pair,
const Polynomial& polynomial,
const ProverOpeningClaim<Curve>& opening_claim,
const std::shared_ptr<Transcript>& transcript)
{

Polynomial polynomial = opening_claim.polynomial;

// clang-format on
auto poly_length = static_cast<size_t>(polynomial.size());

Expand Down Expand Up @@ -184,6 +186,7 @@ template <typename Curve_> class IPA {

// Step 5.
// Compute vector b (vector of the powers of the challenge)
OpeningPair<Curve> opening_pair = opening_claim.opening_pair;
std::vector<Fr> b_vec(poly_length);
run_loop_in_parallel_if_effective(
poly_length,
Expand Down Expand Up @@ -603,11 +606,10 @@ template <typename Curve_> class IPA {
* compute_opening_proof_internal \endlink.
*/
static void compute_opening_proof(const std::shared_ptr<CK>& ck,
const OpeningPair<Curve>& opening_pair,
const Polynomial& polynomial,
const ProverOpeningClaim<Curve>& opening_claim,
const std::shared_ptr<NativeTranscript>& transcript)
{
compute_opening_proof_internal(ck, opening_pair, polynomial, transcript);
compute_opening_proof_internal(ck, opening_claim, transcript);
}

/**
Expand Down
28 changes: 12 additions & 16 deletions barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@ TEST_F(IPATest, OpenZeroPolynomial)

// initialize empty prover transcript
auto prover_transcript = std::make_shared<NativeTranscript>();
IPA::compute_opening_proof(this->ck(), opening_pair, poly, prover_transcript);
IPA::compute_opening_proof(this->ck(), { poly, opening_pair }, prover_transcript);

// initialize verifier transcript from proof data
auto verifier_transcript = std::make_shared<NativeTranscript>(prover_transcript->proof_data);
Expand All @@ -92,7 +92,7 @@ TEST_F(IPATest, OpenAtZero)

// initialize empty prover transcript
auto prover_transcript = std::make_shared<NativeTranscript>();
IPA::compute_opening_proof(this->ck(), opening_pair, poly, prover_transcript);
IPA::compute_opening_proof(this->ck(), { poly, opening_pair }, prover_transcript);

// initialize verifier transcript from proof data
auto verifier_transcript = std::make_shared<NativeTranscript>(prover_transcript->proof_data);
Expand Down Expand Up @@ -131,7 +131,7 @@ TEST_F(IPATest, ChallengesAreZero)
auto new_random_vector = random_vector;
new_random_vector[i] = Fr::zero();
transcript->initialize(new_random_vector);
EXPECT_ANY_THROW(IPA::compute_opening_proof_internal(this->ck(), opening_pair, poly, transcript));
EXPECT_ANY_THROW(IPA::compute_opening_proof_internal(this->ck(), { poly, opening_pair }, transcript));
}
// Fill out a vector of affine elements that the verifier receives from the prover with generators (we don't care
// about them right now)
Expand Down Expand Up @@ -181,7 +181,7 @@ TEST_F(IPATest, AIsZeroAfterOneRound)
transcript->initialize(random_vector);

// Compute opening proof
IPA::compute_opening_proof_internal(this->ck(), opening_pair, poly, transcript);
IPA::compute_opening_proof_internal(this->ck(), { poly, opening_pair }, transcript);

// Reset indices
transcript->reset_indices();
Expand Down Expand Up @@ -221,7 +221,7 @@ TEST_F(IPATest, Open)

// initialize empty prover transcript
auto prover_transcript = std::make_shared<NativeTranscript>();
IPA::compute_opening_proof(this->ck(), opening_pair, poly, prover_transcript);
IPA::compute_opening_proof(this->ck(), { poly, opening_pair }, prover_transcript);

// initialize verifier transcript from proof data
auto verifier_transcript = std::make_shared<NativeTranscript>(prover_transcript->proof_data);
Expand Down Expand Up @@ -295,22 +295,18 @@ TEST_F(IPATest, GeminiShplonkIPAWithShift)
const auto [gemini_opening_pairs, gemini_witnesses] = GeminiProver::compute_fold_polynomial_evaluations(
mle_opening_point, std::move(gemini_polynomials), r_challenge);

std::vector<ProverOpeningClaim<Curve>> opening_claims;

for (size_t l = 0; l < log_n; ++l) {
std::string label = "Gemini:a_" + std::to_string(l);
const auto& evaluation = gemini_opening_pairs[l + 1].evaluation;
prover_transcript->send_to_verifier(label, evaluation);
opening_claims.emplace_back(gemini_witnesses[l], gemini_opening_pairs[l]);
}
opening_claims.emplace_back(gemini_witnesses[log_n], gemini_opening_pairs[log_n]);

const Fr nu_challenge = prover_transcript->template get_challenge<Fr>("Shplonk:nu");
auto batched_quotient_Q =
ShplonkProver::compute_batched_quotient(gemini_opening_pairs, gemini_witnesses, nu_challenge);
prover_transcript->send_to_verifier("Shplonk:Q", this->ck()->commit(batched_quotient_Q));

const Fr z_challenge = prover_transcript->template get_challenge<Fr>("Shplonk:z");
const auto [shplonk_opening_pair, shplonk_witness] = ShplonkProver::compute_partially_evaluated_batched_quotient(
gemini_opening_pairs, gemini_witnesses, std::move(batched_quotient_Q), nu_challenge, z_challenge);

IPA::compute_opening_proof(this->ck(), shplonk_opening_pair, shplonk_witness, prover_transcript);
const auto opening_claim = ShplonkProver::prove(this->ck(), opening_claims, prover_transcript);
IPA::compute_opening_proof(this->ck(), opening_claim, prover_transcript);

auto verifier_transcript = NativeTranscript::verifier_init_empty(prover_transcript);

Expand All @@ -321,7 +317,7 @@ TEST_F(IPATest, GeminiShplonkIPAWithShift)
verifier_transcript);

const auto shplonk_verifier_claim =
ShplonkVerifier::reduce_verification(this->vk(), gemini_verifier_claim, verifier_transcript);
ShplonkVerifier::reduce_verification(this->vk()->get_g1_identity(), gemini_verifier_claim, verifier_transcript);
auto result = IPA::reduce_verify(this->vk(), shplonk_verifier_claim, verifier_transcript);

EXPECT_EQ(result, true);
Expand Down
14 changes: 7 additions & 7 deletions barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.hpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,19 +26,19 @@ template <typename Curve_> class KZG {
* @brief Computes the KZG commitment to an opening proof polynomial at a single evaluation point
*
* @param ck The commitment key which has a commit function, the srs and pippenger_runtime_state
* @param opening_pair OpeningPair = {r, v = p(r)}
* @param polynomial The witness whose opening proof needs to be computed
* @param opening_claim {p, (r, v = p(r))} where p is the witness polynomial whose opening proof needs to be
* computed
* @param prover_transcript Prover transcript
*/
static void compute_opening_proof(std::shared_ptr<CK> ck,
const OpeningPair<Curve>& opening_pair,
const Polynomial& polynomial,
const ProverOpeningClaim<Curve>& opening_claim,
const std::shared_ptr<NativeTranscript>& prover_trancript)
{
Polynomial quotient = polynomial;
quotient[0] -= opening_pair.evaluation;
Polynomial quotient = opening_claim.polynomial;
OpeningPair<Curve> pair = opening_claim.opening_pair;
quotient[0] -= pair.evaluation;
// Computes the coefficients for the quotient polynomial q(X) = (p(X) - v) / (X - r) through an FFT
quotient.factor_roots(opening_pair.challenge);
quotient.factor_roots(pair.challenge);
auto quotient_commitment = ck->commit(quotient);
// TODO(#479): for now we compute the KZG commitment directly to unify the KZG and IPA interfaces but in the
// future we might need to adjust this to use the incoming alternative to work queue (i.e. variation of
Expand Down
18 changes: 7 additions & 11 deletions barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ TYPED_TEST(KZGTest, single)

auto prover_transcript = NativeTranscript::prover_init_empty();

KZG::compute_opening_proof(this->ck(), opening_pair, witness, prover_transcript);
KZG::compute_opening_proof(this->ck(), { witness, opening_pair }, prover_transcript);

auto verifier_transcript = NativeTranscript::verifier_init_empty(prover_transcript);
auto pairing_points = KZG::reduce_verify(opening_claim, verifier_transcript);
Expand Down Expand Up @@ -130,27 +130,23 @@ TYPED_TEST(KZGTest, GeminiShplonkKzgWithShift)
const auto [gemini_opening_pairs, gemini_witnesses] = GeminiProver::compute_fold_polynomial_evaluations(
mle_opening_point, std::move(gemini_polynomials), r_challenge);

std::vector<ProverOpeningClaim<TypeParam>> opening_claims;
for (size_t l = 0; l < log_n; ++l) {
std::string label = "Gemini:a_" + std::to_string(l);
const auto& evaluation = gemini_opening_pairs[l + 1].evaluation;
prover_transcript->send_to_verifier(label, evaluation);
opening_claims.emplace_back(gemini_witnesses[l], gemini_opening_pairs[l]);
}
opening_claims.emplace_back(gemini_witnesses[log_n], gemini_opening_pairs[log_n]);

// Shplonk prover output:
// - opening pair: (z_challenge, 0)
// - witness: polynomial Q - Q_z
const Fr nu_challenge = prover_transcript->template get_challenge<Fr>("Shplonk:nu");
auto batched_quotient_Q =
ShplonkProver::compute_batched_quotient(gemini_opening_pairs, gemini_witnesses, nu_challenge);
prover_transcript->send_to_verifier("Shplonk:Q", this->ck()->commit(batched_quotient_Q));

const Fr z_challenge = prover_transcript->template get_challenge<Fr>("Shplonk:z");
const auto [shplonk_opening_pair, shplonk_witness] = ShplonkProver::compute_partially_evaluated_batched_quotient(
gemini_opening_pairs, gemini_witnesses, std::move(batched_quotient_Q), nu_challenge, z_challenge);
const auto opening_claim = ShplonkProver::prove(this->ck(), opening_claims, prover_transcript);

// KZG prover:
// - Adds commitment [W] to transcript
KZG::compute_opening_proof(this->ck(), shplonk_opening_pair, shplonk_witness, prover_transcript);
KZG::compute_opening_proof(this->ck(), opening_claim, prover_transcript);

// Run the full verifier PCS protocol with genuine opening claims (genuine commitment, genuine evaluation)

Expand All @@ -166,7 +162,7 @@ TYPED_TEST(KZGTest, GeminiShplonkKzgWithShift)

// Shplonk verifier claim: commitment [Q] - [Q_z], opening point (z_challenge, 0)
const auto shplonk_verifier_claim =
ShplonkVerifier::reduce_verification(this->vk(), gemini_verifier_claim, verifier_transcript);
ShplonkVerifier::reduce_verification(this->vk()->get_g1_identity(), gemini_verifier_claim, verifier_transcript);

// KZG verifier:
// aggregates inputs [Q] - [Q_z] and [W] into an 'accumulator' (can perform pairing check on result)
Expand Down
Loading
Loading