From 3ff32afcd39a8cd7dd13cc70283e1fd9bf383c79 Mon Sep 17 00:00:00 2001 From: codygunton Date: Tue, 11 Apr 2023 21:25:56 +0000 Subject: [PATCH] "Everything builds" in clang! --- .../standard_honk_composer_helper.cpp | 39 ++-- .../standard_honk_composer_helper.hpp | 4 +- .../honk/composer/standard_honk_composer.hpp | 4 + .../composer/standard_honk_composer.test.cpp | 44 ++--- .../barretenberg/honk/proof_system/prover.cpp | 110 ++++++----- .../barretenberg/honk/proof_system/prover.hpp | 48 ++--- .../honk/proof_system/prover_library.cpp | 172 ++++++++++++------ .../honk/proof_system/prover_library.hpp | 35 ++-- .../honk/proof_system/prover_library.test.cpp | 77 ++++---- .../honk/proof_system/verifier.cpp | 6 +- .../honk/proof_system/work_queue.hpp | 11 +- .../proof_system/flavor/flavor.hpp | 39 ++++ 12 files changed, 337 insertions(+), 252 deletions(-) diff --git a/cpp/src/barretenberg/honk/composer/composer_helper/standard_honk_composer_helper.cpp b/cpp/src/barretenberg/honk/composer/composer_helper/standard_honk_composer_helper.cpp index 91e795e366..72a9e55b77 100644 --- a/cpp/src/barretenberg/honk/composer/composer_helper/standard_honk_composer_helper.cpp +++ b/cpp/src/barretenberg/honk/composer/composer_helper/standard_honk_composer_helper.cpp @@ -17,7 +17,7 @@ namespace proof_system::honk { * Compute proving key base. * * 1. Load crs. - * 2. Initialize this.circuit_proving_key. + * 2. Initialize this.proving_key. * 3. Create constraint selector polynomials from each of this composer's `selectors` vectors and add them to the * proving key. * @@ -28,14 +28,14 @@ namespace proof_system::honk { std::shared_ptr StandardHonkComposerHelper::compute_proving_key_base( const CircuitConstructor& constructor, const size_t minimum_circuit_size, const size_t num_randomized_gates) { - // Initialize circuit_proving_key + // Initialize proving_key // TODO(#229)(Kesha): replace composer types. - circuit_proving_key = initialize_proving_key( + proving_key = initialize_proving_key( constructor, crs_factory_.get(), minimum_circuit_size, num_randomized_gates, ComposerType::STANDARD_HONK); // Compute lagrange selectors - construct_selector_polynomials(constructor, circuit_proving_key.get()); + construct_selector_polynomials(constructor, proving_key.get()); - return circuit_proving_key; + return proving_key; } /** @@ -103,20 +103,20 @@ void StandardHonkComposerHelper::compute_witness(const CircuitConstructor& circu std::shared_ptr StandardHonkComposerHelper::compute_proving_key( const CircuitConstructor& circuit_constructor) { - if (circuit_proving_key) { - return circuit_proving_key; + if (proving_key) { + return proving_key; } // Compute q_l, q_r, q_o, etc polynomials // WORKTODO(Cody): meaningless constructor here StandardHonkComposerHelper::compute_proving_key_base(circuit_constructor, ComposerType::STANDARD_HONK); // Compute sigma polynomials (we should update that late) - compute_standard_honk_sigma_permutations(circuit_constructor, circuit_proving_key.get()); - compute_standard_honk_id_polynomials(circuit_proving_key.get()); + compute_standard_honk_sigma_permutations(circuit_constructor, proving_key.get()); + compute_standard_honk_id_polynomials(proving_key.get()); - compute_first_and_last_lagrange_polynomials(circuit_proving_key.get()); + compute_first_and_last_lagrange_polynomials(proving_key.get()); - return circuit_proving_key; + return proving_key; } /** @@ -130,13 +130,13 @@ std::shared_ptr StandardHonkComposerHelper::compute_ver if (circuit_verification_key) { return circuit_verification_key; } - if (!circuit_proving_key) { + if (!proving_key) { compute_proving_key(circuit_constructor); } - circuit_verification_key = StandardHonkComposerHelper::compute_verification_key_base( - circuit_proving_key, crs_factory_->get_verifier_crs()); - circuit_verification_key->composer_type = circuit_proving_key->composer_type; + circuit_verification_key = + StandardHonkComposerHelper::compute_verification_key_base(proving_key, crs_factory_->get_verifier_crs()); + circuit_verification_key->composer_type = proving_key->composer_type; return circuit_verification_key; } @@ -159,14 +159,7 @@ StandardProver StandardHonkComposerHelper::create_prover(const CircuitConstructo compute_proving_key(circuit_constructor); compute_witness(circuit_constructor); - // size_t num_sumcheck_rounds(circuit_proving_key->log_circuit_size); - // StandardProver output_state(std::move(wire_polynomials), circuit_proving_key); - // WORKTODO - auto crs_factory = ReferenceStringFactory(); - auto crs = crs_factory.get_prover_crs(999); - auto pk_ptr = std::make_shared(12, 2, crs, ComposerType::STANDARD); - - StandardProver output_state(std::move(wire_polynomials), pk_ptr); + StandardProver output_state(std::move(wire_polynomials), proving_key); return output_state; } diff --git a/cpp/src/barretenberg/honk/composer/composer_helper/standard_honk_composer_helper.hpp b/cpp/src/barretenberg/honk/composer/composer_helper/standard_honk_composer_helper.hpp index f89847a6e3..59ac5bda68 100644 --- a/cpp/src/barretenberg/honk/composer/composer_helper/standard_honk_composer_helper.hpp +++ b/cpp/src/barretenberg/honk/composer/composer_helper/standard_honk_composer_helper.hpp @@ -24,7 +24,7 @@ class StandardHonkComposerHelper { static constexpr size_t NUM_RANDOMIZED_GATES = 2; // equal to the number of multilinear evaluations leaked static constexpr size_t num_wires = CircuitConstructor::num_wires; - std::shared_ptr circuit_proving_key; + std::shared_ptr proving_key; std::vector wire_polynomials; std::shared_ptr circuit_verification_key; // TODO(#218)(kesha): we need to put this into the commitment key, so that the composer doesn't have to handle srs @@ -44,7 +44,7 @@ class StandardHonkComposerHelper { : crs_factory_(std::move(crs_factory)) {} StandardHonkComposerHelper(std::shared_ptr p_key, std::shared_ptr v_key) - : circuit_proving_key(std::move(p_key)) + : proving_key(std::move(p_key)) , circuit_verification_key(std::move(v_key)) {} StandardHonkComposerHelper(StandardHonkComposerHelper&& other) noexcept = default; diff --git a/cpp/src/barretenberg/honk/composer/standard_honk_composer.hpp b/cpp/src/barretenberg/honk/composer/standard_honk_composer.hpp index b985666f23..735905b359 100644 --- a/cpp/src/barretenberg/honk/composer/standard_honk_composer.hpp +++ b/cpp/src/barretenberg/honk/composer/standard_honk_composer.hpp @@ -17,6 +17,10 @@ namespace proof_system::honk { */ class StandardHonkComposer { public: + // TODO(Cody): This should go in flavor or something. + static constexpr merkle::HashType merkle_hash_type = merkle::HashType::LOOKUP_PEDERSEN; + static constexpr pedersen::CommitmentType commitment_type = pedersen::CommitmentType::FIXED_BASE_PEDERSEN; + using Flavor = flavor::Standard; using CircuitConstructor = StandardCircuitConstructor; using ProvingKey = typename Flavor::ProvingKey; diff --git a/cpp/src/barretenberg/honk/composer/standard_honk_composer.test.cpp b/cpp/src/barretenberg/honk/composer/standard_honk_composer.test.cpp index 186a8b30ba..ccc829a54c 100644 --- a/cpp/src/barretenberg/honk/composer/standard_honk_composer.test.cpp +++ b/cpp/src/barretenberg/honk/composer/standard_honk_composer.test.cpp @@ -9,6 +9,7 @@ #include "barretenberg/honk/sumcheck/relations/grand_product_initialization_relation.hpp" #include "barretenberg/honk/utils/public_inputs.hpp" #include "barretenberg/polynomials/polynomial.hpp" +#include "barretenberg/proof_system/flavor/flavor.hpp" #include @@ -376,7 +377,6 @@ TEST(StandardHonkComposer, SumcheckRelationCorrectness) { // Create a composer and a dummy circuit with a few gates StandardHonkComposer composer = StandardHonkComposer(); - static const size_t num_wires = StandardHonkComposer::num_wires; fr a = fr::one(); // Using the public variable to check that public_input_delta is computed and added to the relation correctly uint32_t a_idx = composer.add_public_variable(a); @@ -410,8 +410,8 @@ TEST(StandardHonkComposer, SumcheckRelationCorrectness) constexpr size_t num_polynomials = proof_system::honk::StandardArithmetization::NUM_POLYNOMIALS; // Compute grand product polynomial - polynomial z_perm_poly = - prover_library::compute_permutation_grand_product(prover.key, prover.wire_polynomials, beta, gamma); + polynomial z_perm_poly = prover_library::compute_permutation_grand_product( + prover.key, prover.wire_polynomials, beta, gamma); // Create an array of spans to the underlying polynomials to more easily // get the transposition. @@ -419,25 +419,25 @@ TEST(StandardHonkComposer, SumcheckRelationCorrectness) // in the list below std::array, num_polynomials> evaluations_array; - using POLYNOMIAL = proof_system::honk::StandardArithmetization::POLYNOMIAL; - evaluations_array[POLYNOMIAL::W_L] = prover.wire_polynomials[0]; - evaluations_array[POLYNOMIAL::W_R] = prover.wire_polynomials[1]; - evaluations_array[POLYNOMIAL::W_O] = prover.wire_polynomials[2]; - evaluations_array[POLYNOMIAL::Z_PERM] = z_perm_poly; - evaluations_array[POLYNOMIAL::Z_PERM_SHIFT] = z_perm_poly.shifted(); - evaluations_array[POLYNOMIAL::Q_M] = prover.key->polynomial_store.get("q_m_lagrange"); - evaluations_array[POLYNOMIAL::Q_L] = prover.key->polynomial_store.get("q_1_lagrange"); - evaluations_array[POLYNOMIAL::Q_R] = prover.key->polynomial_store.get("q_2_lagrange"); - evaluations_array[POLYNOMIAL::Q_O] = prover.key->polynomial_store.get("q_3_lagrange"); - evaluations_array[POLYNOMIAL::Q_C] = prover.key->polynomial_store.get("q_c_lagrange"); - evaluations_array[POLYNOMIAL::SIGMA_1] = prover.key->polynomial_store.get("sigma_1_lagrange"); - evaluations_array[POLYNOMIAL::SIGMA_2] = prover.key->polynomial_store.get("sigma_2_lagrange"); - evaluations_array[POLYNOMIAL::SIGMA_3] = prover.key->polynomial_store.get("sigma_3_lagrange"); - evaluations_array[POLYNOMIAL::ID_1] = prover.key->polynomial_store.get("id_1_lagrange"); - evaluations_array[POLYNOMIAL::ID_2] = prover.key->polynomial_store.get("id_2_lagrange"); - evaluations_array[POLYNOMIAL::ID_3] = prover.key->polynomial_store.get("id_3_lagrange"); - evaluations_array[POLYNOMIAL::LAGRANGE_FIRST] = prover.key->polynomial_store.get("L_first_lagrange"); - evaluations_array[POLYNOMIAL::LAGRANGE_LAST] = prover.key->polynomial_store.get("L_last_lagrange"); + // WORKTODO + // evaluations_array[POLYNOMIAL::W_L] = prover.wire_polynomials[0]; + // evaluations_array[POLYNOMIAL::W_R] = prover.wire_polynomials[1]; + // evaluations_array[POLYNOMIAL::W_O] = prover.wire_polynomials[2]; + // evaluations_array[POLYNOMIAL::Z_PERM] = z_perm_poly; + // evaluations_array[POLYNOMIAL::Z_PERM_SHIFT] = z_perm_poly.shifted(); + // evaluations_array[POLYNOMIAL::Q_M] = prover.key->polynomial_store.get("q_m_lagrange"); + // evaluations_array[POLYNOMIAL::Q_L] = prover.key->polynomial_store.get("q_1_lagrange"); + // evaluations_array[POLYNOMIAL::Q_R] = prover.key->polynomial_store.get("q_2_lagrange"); + // evaluations_array[POLYNOMIAL::Q_O] = prover.key->polynomial_store.get("q_3_lagrange"); + // evaluations_array[POLYNOMIAL::Q_C] = prover.key->polynomial_store.get("q_c_lagrange"); + // evaluations_array[POLYNOMIAL::SIGMA_1] = prover.key->polynomial_store.get("sigma_1_lagrange"); + // evaluations_array[POLYNOMIAL::SIGMA_2] = prover.key->polynomial_store.get("sigma_2_lagrange"); + // evaluations_array[POLYNOMIAL::SIGMA_3] = prover.key->polynomial_store.get("sigma_3_lagrange"); + // evaluations_array[POLYNOMIAL::ID_1] = prover.key->polynomial_store.get("id_1_lagrange"); + // evaluations_array[POLYNOMIAL::ID_2] = prover.key->polynomial_store.get("id_2_lagrange"); + // evaluations_array[POLYNOMIAL::ID_3] = prover.key->polynomial_store.get("id_3_lagrange"); + // evaluations_array[POLYNOMIAL::LAGRANGE_FIRST] = prover.key->polynomial_store.get("L_first_lagrange"); + // evaluations_array[POLYNOMIAL::LAGRANGE_LAST] = prover.key->polynomial_store.get("L_last_lagrange"); // Construct the round for applying sumcheck relations and results for storing computed results auto relations = std::tuple(honk::sumcheck::ArithmeticRelation(), diff --git a/cpp/src/barretenberg/honk/proof_system/prover.cpp b/cpp/src/barretenberg/honk/proof_system/prover.cpp index d473de2c2f..ef4851774b 100644 --- a/cpp/src/barretenberg/honk/proof_system/prover.cpp +++ b/cpp/src/barretenberg/honk/proof_system/prover.cpp @@ -19,32 +19,27 @@ #include "barretenberg/honk/sumcheck/relations/grand_product_initialization_relation.hpp" #include "barretenberg/polynomials/polynomial.hpp" #include "barretenberg/honk/flavor/flavor.hpp" +#include "barretenberg/proof_system/flavor/flavor.hpp" #include "barretenberg/transcript/transcript_wrappers.hpp" #include #include "barretenberg/honk/pcs/claim.hpp" namespace proof_system::honk { -using Fr = barretenberg::fr; -using Commitment = barretenberg::g1::affine_element; -using Polynomial = barretenberg::Polynomial; -using POLYNOMIAL = proof_system::honk::StandardArithmetization::POLYNOMIAL; - /** * Create Prover from proving key, witness and manifest. * * @param input_key Proving key. - * @param input_manifest Input manifest + * @param input_manifest Input manifestxo * * @tparam settings Settings class. * */ // TODO(Cody): both input types are foo& in prototype -template -Prover::Prover(std::vector&& wire_polys, - const std::shared_ptr input_key) +template +Prover::Prover(std::vector&& wire_polys, const std::shared_ptr input_key) : wire_polynomials(wire_polys) , key(input_key) - , queue(key, transcript) + , queue(input_key->circuit_size, transcript) { // Note(luke): This could be done programmatically with some hacks but this isnt too bad and its nice to see the // polys laid out explicitly. @@ -63,26 +58,28 @@ Prover::Prover(std::vector&& wire_polys, // prover_polynomials.lagrange_last = key->polynomial_store.get("L_last_lagrange"); // prover_polynomials.w_l = wire_polynomials[0]; // prover_polynomials.w_r = wire_polynomials[1]; - // prover_polynomials.w_o = wire_polynomials[2];template - prover_polynomials[POLYNOMIAL::Q_C] = key->polynomial_store.get("q_c_lagrange"); - prover_polynomials[POLYNOMIAL::Q_L] = key->polynomial_store.get("q_1_lagrange"); - prover_polynomials[POLYNOMIAL::Q_R] = key->polynomial_store.get("q_2_lagrange"); - prover_polynomials[POLYNOMIAL::Q_O] = key->polynomial_store.get("q_3_lagrange"); - prover_polynomials[POLYNOMIAL::Q_M] = key->polynomial_store.get("q_m_lagrange"); - prover_polynomials[POLYNOMIAL::SIGMA_1] = key->polynomial_store.get("sigma_1_lagrange"); - prover_polynomials[POLYNOMIAL::SIGMA_2] = key->polynomial_store.get("sigma_2_lagrange"); - prover_polynomials[POLYNOMIAL::SIGMA_3] = key->polynomial_store.get("sigma_3_lagrange"); - prover_polynomials[POLYNOMIAL::ID_1] = key->polynomial_store.get("id_1_lagrange"); - prover_polynomials[POLYNOMIAL::ID_2] = key->polynomial_store.get("id_2_lagrange"); - prover_polynomials[POLYNOMIAL::ID_3] = key->polynomial_store.get("id_3_lagrange"); - prover_polynomials[POLYNOMIAL::LAGRANGE_FIRST] = key->polynomial_store.get("L_first_lagrange"); - prover_polynomials[POLYNOMIAL::LAGRANGE_LAST] = key->polynomial_store.get("L_last_lagrange"); - prover_polynomials[POLYNOMIAL::W_L] = wire_polynomials[0]; - prover_polynomials[POLYNOMIAL::W_R] = wire_polynomials[1]; - prover_polynomials[POLYNOMIAL::W_O] = wire_polynomials[2]; + // prover_polynomials.w_o = wire_polynomials[2];template + + // prover_polynomials[honk::StandardHonk::MULTIVARIATE::Q_C] = key->polynomial_store.get("q_c_lagrange"); + // prover_polynomials[honk::StandardHonk::MULTIVARIATE::Q_L] = key->polynomial_store.get("q_1_lagrange"); + // prover_polynomials[honk::StandardHonk::MULTIVARIATE::Q_R] = key->polynomial_store.get("q_2_lagrange"); + // prover_polynomials[honk::StandardHonk::MULTIVARIATE::Q_O] = key->polynomial_store.get("q_3_lagrange"); + // prover_polynomials[honk::StandardHonk::MULTIVARIATE::Q_M] = key->polynomial_store.get("q_m_lagrange"); + // prover_polynomials[honk::StandardHonk::MULTIVARIATE::SIGMA_1] = key->polynomial_store.get("sigma_1_lagrange"); + // prover_polynomials[honk::StandardHonk::MULTIVARIATE::SIGMA_2] = key->polynomial_store.get("sigma_2_lagrange"); + // prover_polynomials[honk::StandardHonk::MULTIVARIATE::SIGMA_3] = key->polynomial_store.get("sigma_3_lagrange"); + // prover_polynomials[honk::StandardHonk::MULTIVARIATE::ID_1] = key->polynomial_store.get("id_1_lagrange"); + // prover_polynomials[honk::StandardHonk::MULTIVARIATE::ID_2] = key->polynomial_store.get("id_2_lagrange"); + // prover_polynomials[honk::StandardHonk::MULTIVARIATE::ID_3] = key->polynomial_store.get("id_3_lagrange"); + // prover_polynomials[honk::StandardHonk::MULTIVARIATE::LAGRANGE_FIRST] = + // key->polynomial_store.get("L_first_lagrange"); + // prover_polynomials[honk::StandardHonk::MULTIVARIATE::LAGRANGE_LAST] = + // key->polynomial_store.get("L_last_lagrange"); prover_polynomials[honk::StandardHonk::MULTIVARIATE::W_L] = + // wire_polynomials[0]; prover_polynomials[honk::StandardHonk::MULTIVARIATE::W_R] = wire_polynomials[1]; + // prover_polynomials[honk::StandardHonk::MULTIVARIATE::W_O] = wire_polynomials[2]; // Add public inputs to transcript from the second wire polynomial - std::span public_wires_source = prover_polynomials[POLYNOMIAL::W_R]; + std::span public_wires_source = prover_polynomials[honk::StandardHonk::MULTIVARIATE::W_R]; for (size_t i = 0; i < key->num_public_inputs; ++i) { public_inputs.emplace_back(public_wires_source[i]); @@ -94,9 +91,10 @@ Prover::Prover(std::vector&& wire_polys, * - Add PI to transcript (I guess PI will stay in w_2 for now?) * * */ -template void Prover::compute_wire_commitments() +template void Prover::compute_wire_commitments() { - for (size_t i = 0; i < settings::Arithmetization::num_wires; ++i) { + for (size_t i = 0; i < Flavor::num_wires; ++i) { + // WORKTODO queue.add_commitment(wire_polynomials[i], "W_" + std::to_string(i + 1)); } } @@ -105,7 +103,7 @@ template void Prover::compute_wire_commitments() * - Add circuit size, public input size, and public inputs to transcript * * */ -template void Prover::execute_preamble_round() +template void Prover::execute_preamble_round() { const auto circuit_size = static_cast(key->circuit_size); const auto num_public_inputs = static_cast(key->num_public_inputs); @@ -122,7 +120,7 @@ template void Prover::execute_preamble_round() /** * - compute wire commitments * */ -template void Prover::execute_wire_commitments_round() +template void Prover::execute_wire_commitments_round() { compute_wire_commitments(); } @@ -130,7 +128,7 @@ template void Prover::execute_wire_commitments_rou /** * For Standard Honk, this is a non-op (just like for Standard/Turbo Plonk). * */ -template void Prover::execute_tables_round() +template void Prover::execute_tables_round() { // No operations are needed here for Standard Honk } @@ -139,26 +137,25 @@ template void Prover::execute_tables_round() * - Do Fiat-Shamir to get "beta" challenge (Note: gamma = beta^2) * - Compute grand product polynomial (permutation only) and commitment * */ -template void Prover::execute_grand_product_computation_round() +template void Prover::execute_grand_product_computation_round() { // Compute and store parameters required by relations in Sumcheck auto [beta, gamma] = transcript.get_challenges("beta", "gamma"); - auto public_input_delta = compute_public_input_delta(public_inputs, beta, gamma, key->circuit_size); + auto public_input_delta = compute_public_input_delta(public_inputs, beta, gamma, key->circuit_size); - relation_parameters = sumcheck::RelationParameters{ + relation_parameters = sumcheck::RelationParameters{ .beta = beta, .gamma = gamma, .public_input_delta = public_input_delta, }; - z_permutation = - prover_library::compute_permutation_grand_product(key, wire_polynomials, beta, gamma); + z_permutation = prover_library::compute_permutation_grand_product(key, wire_polynomials, beta, gamma); queue.add_commitment(z_permutation, "Z_PERM"); - prover_polynomials[POLYNOMIAL::Z_PERM] = z_permutation; - prover_polynomials[POLYNOMIAL::Z_PERM_SHIFT] = z_permutation.shifted(); + prover_polynomials[honk::StandardHonk::MULTIVARIATE::Z_PERM] = z_permutation; + prover_polynomials[honk::StandardHonk::MULTIVARIATE::Z_PERM_SHIFT] = z_permutation.shifted(); } /** @@ -166,10 +163,10 @@ template void Prover::execute_grand_product_comput * - Run Sumcheck resulting in u = (u_1,...,u_d) challenges and all * evaluations at u being calculated. * */ -template void Prover::execute_relation_check_rounds() +template void Prover::execute_relation_check_rounds() { - using Sumcheck = sumcheck::Sumcheck, + using Sumcheck = sumcheck::Sumcheck, sumcheck::ArithmeticRelation, sumcheck::GrandProductComputationRelation, sumcheck::GrandProductInitializationRelation>; @@ -184,14 +181,14 @@ template void Prover::execute_relation_check_round * - Compute d+1 Fold polynomials and their evaluations. * * */ -template void Prover::execute_univariatization_round() +template void Prover::execute_univariatization_round() { const size_t NUM_POLYNOMIALS = proof_system::honk::StandardArithmetization::NUM_POLYNOMIALS; const size_t NUM_UNSHIFTED_POLYS = proof_system::honk::StandardArithmetization::NUM_UNSHIFTED_POLYNOMIALS; // Generate batching challenge ρ and powers 1,ρ,…,ρᵐ⁻¹ - Fr rho = transcript.get_challenge("rho"); - std::vector rhos = Gemini::powers_of_rho(rho, NUM_POLYNOMIALS); + FF rho = transcript.get_challenge("rho"); + std::vector rhos = Gemini::powers_of_rho(rho, NUM_POLYNOMIALS); // Batch the unshifted polynomials and the to-be-shifted polynomials using ρ Polynomial batched_poly_unshifted(key->circuit_size); // batched unshifted polynomials @@ -199,7 +196,8 @@ template void Prover::execute_univariatization_rou batched_poly_unshifted.add_scaled(prover_polynomials[i], rhos[i]); } Polynomial batched_poly_to_be_shifted(key->circuit_size); // batched to-be-shifted polynomials - batched_poly_to_be_shifted.add_scaled(prover_polynomials[POLYNOMIAL::Z_PERM], rhos[NUM_UNSHIFTED_POLYS]); + batched_poly_to_be_shifted.add_scaled(prover_polynomials[honk::StandardHonk::MULTIVARIATE::Z_PERM], + rhos[NUM_UNSHIFTED_POLYS]); // Compute d-1 polynomials Fold^(i), i = 1, ..., d-1. fold_polynomials = Gemini::compute_fold_polynomials( @@ -217,9 +215,9 @@ template void Prover::execute_univariatization_rou * - Compute and aggregate opening pairs (challenge, evaluation) for each of d Fold polynomials. * - Add d-many Fold evaluations a_i, i = 0, ..., d-1 to the transcript, excluding eval of Fold_{r}^(0) * */ -template void Prover::execute_pcs_evaluation_round() +template void Prover::execute_pcs_evaluation_round() { - const Fr r_challenge = transcript.get_challenge("Gemini:r"); + const FF r_challenge = transcript.get_challenge("Gemini:r"); gemini_output = Gemini::compute_fold_polynomial_evaluations( sumcheck_output.challenge_point, std::move(fold_polynomials), r_challenge); @@ -235,7 +233,7 @@ template void Prover::execute_pcs_evaluation_round * - Do Fiat-Shamir to get "nu" challenge. * - Compute commitment [Q]_1 * */ -template void Prover::execute_shplonk_batched_quotient_round() +template void Prover::execute_shplonk_batched_quotient_round() { nu_challenge = transcript.get_challenge("Shplonk:nu"); @@ -250,9 +248,9 @@ template void Prover::execute_shplonk_batched_quot * - Do Fiat-Shamir to get "z" challenge. * - Compute polynomial Q(X) - Q_z(X) * */ -template void Prover::execute_shplonk_partial_evaluation_round() +template void Prover::execute_shplonk_partial_evaluation_round() { - const Fr z_challenge = transcript.get_challenge("Shplonk:z"); + const FF z_challenge = transcript.get_challenge("Shplonk:z"); shplonk_output = Shplonk::compute_partially_evaluated_batched_quotient( gemini_output.opening_pairs, gemini_output.witnesses, std::move(batched_quotient_Q), nu_challenge, z_challenge); } @@ -261,19 +259,19 @@ template void Prover::execute_shplonk_partial_eval * - Compute KZG quotient commitment [W]_1. * * */ -template void Prover::execute_kzg_round() +template void Prover::execute_kzg_round() { quotient_W = KZG::compute_opening_proof_polynomial(shplonk_output.opening_pair, shplonk_output.witness); queue.add_commitment(quotient_W, "KZG:W"); } -template plonk::proof& Prover::export_proof() +template plonk::proof& Prover::export_proof() { proof.proof_data = transcript.proof_data; return proof; } -template plonk::proof& Prover::construct_proof() +template plonk::proof& Prover::construct_proof() { // Add circuit size and public input size to transcript. execute_preamble_round(); @@ -323,6 +321,6 @@ template plonk::proof& Prover::construct_proof() return export_proof(); } -template class Prover; +template class Prover; } // namespace proof_system::honk diff --git a/cpp/src/barretenberg/honk/proof_system/prover.hpp b/cpp/src/barretenberg/honk/proof_system/prover.hpp index 2a0e4de314..97269516bc 100644 --- a/cpp/src/barretenberg/honk/proof_system/prover.hpp +++ b/cpp/src/barretenberg/honk/proof_system/prover.hpp @@ -25,16 +25,19 @@ #include "barretenberg/honk/pcs/claim.hpp" #include "barretenberg/honk/proof_system/prover_library.hpp" #include "barretenberg/honk/proof_system/work_queue.hpp" +#include "barretenberg/proof_system/flavor/flavor.hpp" namespace proof_system::honk { -using Fr = barretenberg::fr; -using Polynomial = Polynomial; +template class Prover { -template class Prover { + using FF = typename Flavor::FF; + using PCSParams = typename Flavor::PCSParams; + using ProvingKey = typename Flavor::ProvingKey; + using Polynomial = typename Flavor::Polynomial; public: - Prover(std::vector&& wire_polys, std::shared_ptr input_key = nullptr); + Prover(std::vector&& wire_polys, std::shared_ptr input_key = nullptr); void execute_preamble_round(); void execute_wire_commitments_round(); @@ -54,47 +57,44 @@ template class Prover { plonk::proof& export_proof(); plonk::proof& construct_proof(); - ProverTranscript transcript; + ProverTranscript transcript; - std::vector public_inputs; + std::vector public_inputs; - sumcheck::RelationParameters relation_parameters; + sumcheck::RelationParameters relation_parameters; - std::vector wire_polynomials; - barretenberg::polynomial z_permutation; + std::vector wire_polynomials; + Polynomial z_permutation; - std::shared_ptr key; + std::shared_ptr key; // Container for spans of all polynomials required by the prover (i.e. all multivariates evaluated by Sumcheck). - std::array, honk::StandardArithmetization::POLYNOMIAL::COUNT> prover_polynomials; + std::array, Flavor::NUM_ALL_ENTITIES> prover_polynomials; // WORKTODO: to be replaced // Container for d + 1 Fold polynomials produced by Gemini std::vector fold_polynomials; Polynomial batched_quotient_Q; // batched quotient poly computed by Shplonk - Fr nu_challenge; // needed in both Shplonk rounds + FF nu_challenge; // needed in both Shplonk rounds Polynomial quotient_W; - work_queue queue; + work_queue queue; - // This makes 'settings' accesible from Prover - using settings_ = settings; + sumcheck::SumcheckOutput sumcheck_output; + pcs::gemini::ProverOutput gemini_output; + pcs::shplonk::ProverOutput shplonk_output; - sumcheck::SumcheckOutput sumcheck_output; - pcs::gemini::ProverOutput gemini_output; - pcs::shplonk::ProverOutput shplonk_output; - - using Gemini = pcs::gemini::MultilinearReductionScheme; - using Shplonk = pcs::shplonk::SingleBatchOpeningScheme; - using KZG = pcs::kzg::UnivariateOpeningScheme; + using Gemini = pcs::gemini::MultilinearReductionScheme; + using Shplonk = pcs::shplonk::SingleBatchOpeningScheme; + using KZG = pcs::kzg::UnivariateOpeningScheme; private: plonk::proof proof; }; -extern template class Prover; +extern template class Prover; -using StandardProver = Prover; +using StandardProver = Prover; } // namespace proof_system::honk diff --git a/cpp/src/barretenberg/honk/proof_system/prover_library.cpp b/cpp/src/barretenberg/honk/proof_system/prover_library.cpp index d99a2947a4..63ace178b7 100644 --- a/cpp/src/barretenberg/honk/proof_system/prover_library.cpp +++ b/cpp/src/barretenberg/honk/proof_system/prover_library.cpp @@ -1,16 +1,17 @@ #include "prover_library.hpp" #include "barretenberg/plonk/proof_system/types/prover_settings.hpp" +#include "barretenberg/proof_system/flavor/flavor.hpp" #include namespace proof_system::honk::prover_library { -using Fr = barretenberg::fr; -using Polynomial = barretenberg::Polynomial; +using FF = barretenberg::fr; +using Polynomial = barretenberg::Polynomial; /** * @brief Compute the permutation grand product polynomial Z_perm(X) * * - * @detail (This description assumes program_width 3). Z_perm may be defined in terms of its values + * @detail (This description assumes Flavor::num_wires 3). Z_perm may be defined in terms of its values * on X_i = 0,1,...,n-1 as Z_perm[0] = 1 and for i = 1:n-1 * * (w_1(j) + β⋅id_1(j) + γ) ⋅ (w_2(j) + β⋅id_2(j) + γ) ⋅ (w_3(j) + β⋅id_3(j) + γ) @@ -24,8 +25,8 @@ using Polynomial = barretenberg::Polynomial; * Z_perm[i] = ∏ -------------------------- * B_1(j) ⋅ B_2(j) ⋅ B_3(j) * - * Step 1) Compute the 2*program_width length-n polynomials A_i and B_i - * Step 2) Compute the 2*program_width length-n polynomials ∏ A_i(j) and ∏ B_i(j) + * Step 1) Compute the 2*Flavor::num_wires length-n polynomials A_i and B_i + * Step 2) Compute the 2*Flavor::num_wires length-n polynomials ∏ A_i(j) and ∏ B_i(j) * Step 3) Compute the two length-n polynomials defined by * numer[i] = ∏ A_1(j)⋅A_2(j)⋅A_3(j), and denom[i] = ∏ B_1(j)⋅B_2(j)⋅B_3(j) * Step 4) Compute Z_perm[i+1] = numer[i]/denom[i] (recall: Z_perm[0] = 1) @@ -34,46 +35,49 @@ using Polynomial = barretenberg::Polynomial; * one batch inversion (at the expense of more multiplications) */ // TODO(#222)(luke): Parallelize -template -Polynomial compute_permutation_grand_product(std::shared_ptr& key, - std::vector& wire_polynomials, - Fr beta, - Fr gamma) +template +typename Flavor::Polynomial compute_permutation_grand_product( + std::shared_ptr& key, + std::vector& wire_polynomials, + typename Flavor::FF beta, + typename Flavor::FF gamma) { using barretenberg::polynomial_arithmetic::copy_polynomial; + using Polynomial = typename Flavor::Polynomial; // TODO(luke): instantiate z_perm here then make the 0th accum a span of it? avoid extra memory. // Allocate accumulator polynomials that will serve as scratch space - std::array numerator_accumulator; - std::array denominator_accumulator; - for (size_t i = 0; i < program_width; ++i) { + std::array numerator_accumulator; + std::array denominator_accumulator; + for (size_t i = 0; i < Flavor::num_wires; ++i) { numerator_accumulator[i] = Polynomial{ key->circuit_size }; denominator_accumulator[i] = Polynomial{ key->circuit_size }; } // Populate wire and permutation polynomials - std::array, program_width> wires; - std::array, program_width> sigmas; - for (size_t i = 0; i < program_width; ++i) { + std::array, Flavor::num_wires> wires; + std::array, Flavor::num_wires> sigmas; + for (size_t i = 0; i < Flavor::num_wires; ++i) { std::string sigma_id = "sigma_" + std::to_string(i + 1) + "_lagrange"; wires[i] = wire_polynomials[i]; - sigmas[i] = key->polynomial_store.get(sigma_id); + // WORKTODO + // sigmas[i] = key->polynomial_store.get(sigma_id); } // Step (1) // TODO(#222)(kesha): Change the order to engage automatic prefetching and get rid of redundant computation for (size_t i = 0; i < key->circuit_size; ++i) { - for (size_t k = 0; k < program_width; ++k) { + for (size_t k = 0; k < Flavor::num_wires; ++k) { // Note(luke): this idx could be replaced by proper ID polys if desired - Fr idx = k * key->circuit_size + i; + FF idx = k * key->circuit_size + i; numerator_accumulator[k][i] = wires[k][i] + (idx * beta) + gamma; // w_k(i) + β.(k*n+i) + γ denominator_accumulator[k][i] = wires[k][i] + (sigmas[k][i] * beta) + gamma; // w_k(i) + β.σ_k(i) + γ } } // Step (2) - for (size_t k = 0; k < program_width; ++k) { + for (size_t k = 0; k < Flavor::num_wires; ++k) { for (size_t i = 0; i < key->circuit_size - 1; ++i) { numerator_accumulator[k][i + 1] *= numerator_accumulator[k][i]; denominator_accumulator[k][i + 1] *= denominator_accumulator[k][i]; @@ -82,7 +86,7 @@ Polynomial compute_permutation_grand_product(std::shared_ptr // Step (3) for (size_t i = 0; i < key->circuit_size; ++i) { - for (size_t k = 1; k < program_width; ++k) { + for (size_t k = 1; k < Flavor::num_wires; ++k) { numerator_accumulator[0][i] *= numerator_accumulator[k][i]; denominator_accumulator[0][i] *= denominator_accumulator[k][i]; } @@ -93,8 +97,8 @@ Polynomial compute_permutation_grand_product(std::shared_ptr // denominator_accumulator[0][i]. At the end of this computation, the quotient numerator_accumulator[0] / // denominator_accumulator[0] is stored in numerator_accumulator[0]. // Note: Since numerator_accumulator[0][i] corresponds to z_lookup[i+1], we only iterate up to i = (n - 2). - Fr* inversion_coefficients = &denominator_accumulator[1][0]; // arbitrary scratch space - Fr inversion_accumulator = Fr::one(); + FF* inversion_coefficients = &denominator_accumulator[1][0]; // arbitrary scratch space + FF inversion_accumulator = FF::one(); for (size_t i = 0; i < key->circuit_size - 1; ++i) { inversion_coefficients[i] = numerator_accumulator[0][i] * inversion_accumulator; inversion_accumulator *= denominator_accumulator[0][i]; @@ -181,15 +185,17 @@ Polynomial compute_permutation_grand_product(std::shared_ptr * @param gamma * @return Polynomial */ -Polynomial compute_lookup_grand_product(std::shared_ptr& key, - std::vector& wire_polynomials, - Polynomial& sorted_list_accumulator, - Fr eta, - Fr beta, - Fr gamma) +template +typename Flavor::Polynomial compute_lookup_grand_product(std::shared_ptr& key, + std::vector& wire_polynomials, + typename Flavor::Polynomial& sorted_list_accumulator, + typename Flavor::FF eta, + typename Flavor::FF beta, + typename Flavor::FF gamma) + { - const Fr eta_sqr = eta.sqr(); - const Fr eta_cube = eta_sqr * eta; + const FF eta_sqr = eta.sqr(); + const FF eta_cube = eta_sqr * eta; const size_t circuit_size = key->circuit_size; @@ -203,37 +209,49 @@ Polynomial compute_lookup_grand_product(std::shared_ptr& key } // Obtain column step size values that have been stored in repurposed selctors - std::span column_1_step_size = key->polynomial_store.get("q_2_lagrange"); - std::span column_2_step_size = key->polynomial_store.get("q_m_lagrange"); - std::span column_3_step_size = key->polynomial_store.get("q_c_lagrange"); + std::span column_1_step_size; + std::span column_2_step_size; + std::span column_3_step_size; + // WORKTODO + // std::span column_1_step_size = key->polynomial_store.get("q_2_lagrange"); + // std::span column_2_step_size = key->polynomial_store.get("q_m_lagrange"); + // std::span column_3_step_size = key->polynomial_store.get("q_c_lagrange"); // Utilize three wires; this is not tied to program width - std::array, 3> wires; + std::array, 3> wires; for (size_t i = 0; i < 3; ++i) { wires[i] = wire_polynomials[i]; } // Note: the number of table polys is related to program width but '4' is the only value supported - std::array, 4> tables{ - key->polynomial_store.get("table_value_1_lagrange"), - key->polynomial_store.get("table_value_2_lagrange"), - key->polynomial_store.get("table_value_3_lagrange"), - key->polynomial_store.get("table_value_4_lagrange"), + std::vector temp_vector; + std::span temp_span{ temp_vector }; + std::array, 4> tables{ + temp_span, temp_span, temp_span, temp_span + // WORKDTODO + // key->polynomial_store.get("table_value_1_lagrange"), + // key->polynomial_store.get("table_value_2_lagrange"), + // key->polynomial_store.get("table_value_3_lagrange"), + // key->polynomial_store.get("table_value_4_lagrange"), }; - std::span lookup_selector = key->polynomial_store.get("table_type_lagrange"); - std::span lookup_index_selector = key->polynomial_store.get("q_3_lagrange"); + std::span lookup_selector{ temp_vector }; + std::span lookup_index_selector{ temp_vector }; + + // WORKTODO + // std::span lookup_selector = key->polynomial_store.get("table_type_lagrange"); + // std::span lookup_index_selector = key->polynomial_store.get("q_3_lagrange"); - const Fr beta_plus_one = beta + Fr(1); // (1 + β) - const Fr gamma_times_beta_plus_one = gamma * beta_plus_one; // γ(1 + β) + const FF beta_plus_one = beta + FF(1); // (1 + β) + const FF gamma_times_beta_plus_one = gamma * beta_plus_one; // γ(1 + β) // Step (1) - Fr T0; // intermediate value for various calculations below + FF T0; // intermediate value for various calculations below // Note: block_mask is used for efficient modulus, i.e. i % N := i & (N-1), for N = 2^k const size_t block_mask = circuit_size - 1; // Initialize 't(X)' to be used in an expression of the form t(X) + β*t(Xω) - Fr next_table = tables[0][0] + tables[1][0] * eta + tables[2][0] * eta_sqr + tables[3][0] * eta_cube; + FF next_table = tables[0][0] + tables[1][0] * eta + tables[2][0] * eta_sqr + tables[3][0] * eta_cube; for (size_t i = 0; i < circuit_size; ++i) { @@ -290,7 +308,7 @@ Polynomial compute_lookup_grand_product(std::shared_ptr& key // Step (3) // Compute * ∏_{j& key Polynomial z_lookup(key->circuit_size); // Initialize 0th coefficient to 0 to ensure z_perm is left-shiftable via division by X in gemini - z_lookup[0] = Fr::zero(); + z_lookup[0] = FF::zero(); barretenberg::polynomial_arithmetic::copy_polynomial( accumulators[0].data(), &z_lookup[1], key->circuit_size - 1, key->circuit_size - 1); @@ -327,20 +345,22 @@ Polynomial compute_lookup_grand_product(std::shared_ptr& key * @param eta random challenge * @return Polynomial */ -Polynomial compute_sorted_list_accumulator(std::shared_ptr& key, - std::vector& sorted_list_polynomials, - Fr eta) +template +typename Flavor::Polynomial compute_sorted_list_accumulator( + std::shared_ptr& key, + std::vector& sorted_list_polynomials, + typename Flavor::FF eta) { const size_t circuit_size = key->circuit_size; barretenberg::polynomial sorted_list_accumulator(sorted_list_polynomials[0]); - std::span s_2 = sorted_list_polynomials[1]; - std::span s_3 = sorted_list_polynomials[2]; - std::span s_4 = sorted_list_polynomials[3]; + std::span s_2 = sorted_list_polynomials[1]; + std::span s_3 = sorted_list_polynomials[2]; + std::span s_4 = sorted_list_polynomials[3]; // Construct s via Horner, i.e. s = s_1 + η(s_2 + η(s_3 + η*s_4)) for (size_t i = 0; i < circuit_size; ++i) { - Fr T0 = s_4[i]; + FF T0 = s_4[i]; T0 *= eta; T0 += s_3[i]; T0 *= eta; @@ -352,9 +372,41 @@ Polynomial compute_sorted_list_accumulator(std::shared_ptr& return sorted_list_accumulator; } -template Polynomial compute_permutation_grand_product( - std::shared_ptr&, std::vector&, Fr, Fr); -template Polynomial compute_permutation_grand_product( - std::shared_ptr&, std::vector&, Fr, Fr); - +template honk::flavor::Standard::Polynomial compute_permutation_grand_product( + std::shared_ptr&, + std::vector&, + honk::flavor::Standard::FF, + honk::flavor::Standard::FF); + +template honk::flavor::Ultra::Polynomial compute_permutation_grand_product( + std::shared_ptr&, + std::vector&, + honk::flavor::Ultra::FF, + honk::flavor::Ultra::FF); + +template typename honk::flavor::Standard::Polynomial compute_lookup_grand_product( + std::shared_ptr& key, + std::vector& wire_polynomials, + typename honk::flavor::Standard::Polynomial& sorted_list_accumulator, + typename honk::flavor::Standard::FF eta, + typename honk::flavor::Standard::FF beta, + typename honk::flavor::Standard::FF gamma); + +template typename honk::flavor::Ultra::Polynomial compute_lookup_grand_product( + std::shared_ptr& key, + std::vector& wire_polynomials, + typename honk::flavor::Ultra::Polynomial& sorted_list_accumulator, + typename honk::flavor::Ultra::FF eta, + typename honk::flavor::Ultra::FF beta, + typename honk::flavor::Ultra::FF gamma); + +template typename honk::flavor::Standard::Polynomial compute_sorted_list_accumulator( + std::shared_ptr& key, + std::vector& sorted_list_polynomials, + typename honk::flavor::Standard::FF eta); + +template typename honk::flavor::Ultra::Polynomial compute_sorted_list_accumulator( + std::shared_ptr& key, + std::vector& sorted_list_polynomials, + typename honk::flavor::Ultra::FF eta); } // namespace proof_system::honk::prover_library diff --git a/cpp/src/barretenberg/honk/proof_system/prover_library.hpp b/cpp/src/barretenberg/honk/proof_system/prover_library.hpp index c88a089f85..57968c6c2a 100644 --- a/cpp/src/barretenberg/honk/proof_system/prover_library.hpp +++ b/cpp/src/barretenberg/honk/proof_system/prover_library.hpp @@ -7,24 +7,25 @@ namespace proof_system::honk::prover_library { -using Fr = barretenberg::fr; -using Polynomial = barretenberg::Polynomial; +template +typename Flavor::Polynomial compute_permutation_grand_product( + std::shared_ptr& key, + std::vector& wire_polynomials, + typename Flavor::FF beta, + typename Flavor::FF gamma); -template -Polynomial compute_permutation_grand_product(std::shared_ptr& key, - std::vector& wire_polynomials, - Fr beta, - Fr gamma); +template +typename Flavor::Polynomial compute_lookup_grand_product(std::shared_ptr& key, + std::vector& wire_polynomials, + typename Flavor::Polynomial& sorted_list_accumulator, + typename Flavor::FF eta, + typename Flavor::FF beta, + typename Flavor::FF gamma); -Polynomial compute_lookup_grand_product(std::shared_ptr& key, - std::vector& wire_polynomials, - Polynomial& sorted_list_accumulator, - Fr eta, - Fr beta, - Fr gamma); - -Polynomial compute_sorted_list_accumulator(std::shared_ptr& key, - std::vector& sorted_list_polynomials, - Fr eta); +template +typename Flavor::Polynomial compute_sorted_list_accumulator( + std::shared_ptr& key, + std::vector& sorted_list_polynomials, + typename Flavor::FF eta); } // namespace proof_system::honk::prover_library diff --git a/cpp/src/barretenberg/honk/proof_system/prover_library.test.cpp b/cpp/src/barretenberg/honk/proof_system/prover_library.test.cpp index 0902129370..fd4776d641 100644 --- a/cpp/src/barretenberg/honk/proof_system/prover_library.test.cpp +++ b/cpp/src/barretenberg/honk/proof_system/prover_library.test.cpp @@ -1,4 +1,5 @@ #include "barretenberg/plonk/proof_system/types/prover_settings.hpp" +#include "barretenberg/proof_system/flavor/flavor.hpp" #include "prover.hpp" #include "prover_library.hpp" #include "barretenberg/polynomials/polynomial.hpp" @@ -13,7 +14,6 @@ using namespace proof_system::honk; namespace prover_library_tests { -// field is named Fscalar here because of clash with the Fr template class ProverLibraryTests : public testing::Test { using Polynomial = barretenberg::Polynomial; @@ -42,7 +42,7 @@ template class ProverLibraryTests : public testing::Test { * @note This test does confirm the correctness of z_permutation, only that the two implementations yield an * identical result. */ - template static void test_permutation_grand_product_construction() + template static void test_permutation_grand_product_construction() { // Define some mock inputs for proving key constructor static const size_t num_gates = 8; @@ -50,7 +50,7 @@ template class ProverLibraryTests : public testing::Test { auto reference_string = std::make_shared(num_gates + 1, "../srs_db/ignition"); // Instatiate a proving_key and make a pointer to it. This will be used to instantiate a Prover. - auto proving_key = std::make_shared( + auto proving_key = std::make_shared( num_gates, num_public_inputs, reference_string, ComposerType::STANDARD_HONK); // static const size_t program_width = StandardProver::settings_::program_width; @@ -60,13 +60,13 @@ template class ProverLibraryTests : public testing::Test { // can simply be random. We're not interested in the particular properties of the result. std::vector wires; std::vector sigmas; - for (size_t i = 0; i < program_width; ++i) { + for (size_t i = 0; i < Flavor::num_wires; ++i) { wires.emplace_back(get_random_polynomial(num_gates)); sigmas.emplace_back(get_random_polynomial(num_gates)); // Add sigma polys to proving_key; to be used by the prover in constructing it's own z_perm std::string sigma_id = "sigma_" + std::to_string(i + 1) + "_lagrange"; - proving_key->polynomial_store.put(sigma_id, Polynomial{ sigmas[i] }); + // proving_key->polynomial_store.put(sigma_id, Polynomial{ sigmas[i] }); // WORKTODO } // Get random challenges @@ -75,13 +75,13 @@ template class ProverLibraryTests : public testing::Test { // Method 1: Compute z_perm using 'compute_grand_product_polynomial' as the prover would in practice Polynomial z_permutation = - prover_library::compute_permutation_grand_product(proving_key, wires, beta, gamma); + prover_library::compute_permutation_grand_product(proving_key, wires, beta, gamma); // Method 2: Compute z_perm locally using the simplest non-optimized syntax possible. The comment below, // which describes the computation in 4 steps, is adapted from a similar comment in // compute_grand_product_polynomial. /* - * Assume program_width 3. Z_perm may be defined in terms of its values + * Assume Flavor::num_wires 3. Z_perm may be defined in terms of its values * on X_i = 0,1,...,n-1 as Z_perm[0] = 0 and for i = 1:n-1 * * (w_1(j) + β⋅id_1(j) + γ) ⋅ (w_2(j) + β⋅id_2(j) + γ) ⋅ (w_3(j) + β⋅id_3(j) + γ) @@ -95,20 +95,20 @@ template class ProverLibraryTests : public testing::Test { * Z_perm[i] = ∏ -------------------------- * B_1(j) ⋅ B_2(j) ⋅ B_3(j) * - * Step 1) Compute the 2*program_width length-n polynomials A_i and B_i - * Step 2) Compute the 2*program_width length-n polynomials ∏ A_i(j) and ∏ B_i(j) + * Step 1) Compute the 2*Flavor::num_wires length-n polynomials A_i and B_i + * Step 2) Compute the 2*Flavor::num_wires length-n polynomials ∏ A_i(j) and ∏ B_i(j) * Step 3) Compute the two length-n polynomials defined by * numer[i] = ∏ A_1(j)⋅A_2(j)⋅A_3(j), and denom[i] = ∏ B_1(j)⋅B_2(j)⋅B_3(j) * Step 4) Compute Z_perm[i+1] = numer[i]/denom[i] (recall: Z_perm[0] = 1) */ // Make scratch space for the numerator and denominator accumulators. - std::array, program_width> numererator_accum; - std::array, program_width> denominator_accum; + std::array, Flavor::num_wires> numererator_accum; + std::array, Flavor::num_wires> denominator_accum; // Step (1) for (size_t i = 0; i < proving_key->circuit_size; ++i) { - for (size_t k = 0; k < program_width; ++k) { + for (size_t k = 0; k < Flavor::num_wires; ++k) { FF idx = k * proving_key->circuit_size + i; // id_k[i] numererator_accum[k][i] = wires[k][i] + (idx * beta) + gamma; // w_k(i) + β.(k*n+i) + γ denominator_accum[k][i] = wires[k][i] + (sigmas[k][i] * beta) + gamma; // w_k(i) + β.σ_k(i) + γ @@ -116,7 +116,7 @@ template class ProverLibraryTests : public testing::Test { } // Step (2) - for (size_t k = 0; k < program_width; ++k) { + for (size_t k = 0; k < Flavor::num_wires; ++k) { for (size_t i = 0; i < proving_key->circuit_size - 1; ++i) { numererator_accum[k][i + 1] *= numererator_accum[k][i]; denominator_accum[k][i + 1] *= denominator_accum[k][i]; @@ -125,7 +125,7 @@ template class ProverLibraryTests : public testing::Test { // Step (3) for (size_t i = 0; i < proving_key->circuit_size; ++i) { - for (size_t k = 1; k < program_width; ++k) { + for (size_t k = 1; k < Flavor::num_wires; ++k) { numererator_accum[0][i] *= numererator_accum[k][i]; denominator_accum[0][i] *= denominator_accum[k][i]; } @@ -159,7 +159,9 @@ template class ProverLibraryTests : public testing::Test { auto reference_string = std::make_shared(circuit_size + 1, "../srs_db/ignition"); // Instatiate a proving_key and make a pointer to it. This will be used to instantiate a Prover. - auto proving_key = std::make_shared( + // WORKTODO + using Flavor = honk::flavor::Standard; + auto proving_key = std::make_shared( circuit_size, num_public_inputs, reference_string, ComposerType::STANDARD_HONK); // Construct mock wire and permutation polynomials. @@ -173,7 +175,7 @@ template class ProverLibraryTests : public testing::Test { for (size_t i = 0; i < 4; ++i) { tables.emplace_back(get_random_polynomial(circuit_size)); std::string label = "table_value_" + std::to_string(i + 1) + "_lagrange"; - proving_key->polynomial_store.put(label, Polynomial{ tables[i] }); + // proving_key->polynomial_store.put(label, Polynomial{ tables[i] }); // WORKTODO } auto s_lagrange = get_random_polynomial(circuit_size); @@ -183,12 +185,12 @@ template class ProverLibraryTests : public testing::Test { auto lookup_index_selector = get_random_polynomial(circuit_size); auto lookup_selector = get_random_polynomial(circuit_size); - proving_key->polynomial_store.put("s_lagrange", Polynomial{ s_lagrange }); - proving_key->polynomial_store.put("q_2_lagrange", Polynomial{ column_1_step_size }); - proving_key->polynomial_store.put("q_m_lagrange", Polynomial{ column_2_step_size }); - proving_key->polynomial_store.put("q_c_lagrange", Polynomial{ column_3_step_size }); - proving_key->polynomial_store.put("q_3_lagrange", Polynomial{ lookup_index_selector }); - proving_key->polynomial_store.put("table_type_lagrange", Polynomial{ lookup_selector }); + // proving_key->polynomial_store.put("s_lagrange", Polynomial{ s_lagrange }); // WORKTODO + // proving_key->polynomial_store.put("q_2_lagrange", Polynomial{ column_1_step_size }); // WORKTODO + // proving_key->polynomial_store.put("q_m_lagrange", Polynomial{ column_2_step_size }); // WORKTODO + // proving_key->polynomial_store.put("q_c_lagrange", Polynomial{ column_3_step_size }); // WORKTODO + // proving_key->polynomial_store.put("q_3_lagrange", Polynomial{ lookup_index_selector }); // WORKTODO + // proving_key->polynomial_store.put("table_type_lagrange", Polynomial{ lookup_selector }); // WORKTODO // Get random challenges auto beta = FF::random_element(); @@ -197,7 +199,7 @@ template class ProverLibraryTests : public testing::Test { // Method 1: Compute z_lookup using the prover library method Polynomial z_lookup = - prover_library::compute_lookup_grand_product(proving_key, wires, s_lagrange, eta, beta, gamma); + prover_library::compute_lookup_grand_product(proving_key, wires, s_lagrange, eta, beta, gamma); // Method 2: Compute the lookup grand product polynomial Z_lookup: // @@ -206,8 +208,8 @@ template class ProverLibraryTests : public testing::Test { // ∏(s_k + βs_{k+1} + γ(1 + β)) // // in a way that is simple to read (but inefficient). See prover library method for more details. - const Fr eta_sqr = eta.sqr(); - const Fr eta_cube = eta_sqr * eta; + const FF eta_sqr = eta.sqr(); + const FF eta_cube = eta_sqr * eta; std::array accumulators; for (size_t i = 0; i < 4; ++i) { @@ -219,12 +221,12 @@ template class ProverLibraryTests : public testing::Test { // Note: block_mask is used for efficient modulus, i.e. i % N := i & (N-1), for N = 2^k const size_t block_mask = circuit_size - 1; // Initialize 't(X)' to be used in an expression of the form t(X) + β*t(Xω) - Fr table_i = tables[0][0] + tables[1][0] * eta + tables[2][0] * eta_sqr + tables[3][0] * eta_cube; + FF table_i = tables[0][0] + tables[1][0] * eta + tables[2][0] * eta_sqr + tables[3][0] * eta_cube; for (size_t i = 0; i < circuit_size; ++i) { size_t shift_idx = (i + 1) & block_mask; // f = (w_1 + q_2*w_1(Xω)) + η(w_2 + q_m*w_2(Xω)) + η²(w_3 + q_c*w_3(Xω)) + η³q_index. - Fr f_i = (wires[0][i] + wires[0][shift_idx] * column_1_step_size[i]) + + FF f_i = (wires[0][i] + wires[0][shift_idx] * column_1_step_size[i]) + (wires[1][i] + wires[1][shift_idx] * column_2_step_size[i]) * eta + (wires[2][i] + wires[2][shift_idx] * column_3_step_size[i]) * eta_sqr + eta_cube * lookup_index_selector[i]; @@ -233,17 +235,17 @@ template class ProverLibraryTests : public testing::Test { accumulators[0][i] = lookup_selector[i] * f_i + gamma; // t = t_1 + ηt_2 + η²t_3 + η³t_4 - Fr table_i_plus_1 = tables[0][shift_idx] + eta * tables[1][shift_idx] + eta_sqr * tables[2][shift_idx] + + FF table_i_plus_1 = tables[0][shift_idx] + eta * tables[1][shift_idx] + eta_sqr * tables[2][shift_idx] + eta_cube * tables[3][shift_idx]; // t + βt(Xω) + γ(1 + β) - accumulators[1][i] = table_i + table_i_plus_1 * beta + gamma * (Fr::one() + beta); + accumulators[1][i] = table_i + table_i_plus_1 * beta + gamma * (FF::one() + beta); // (1 + β) - accumulators[2][i] = Fr::one() + beta; + accumulators[2][i] = FF::one() + beta; // s + βs(Xω) + γ(1 + β) - accumulators[3][i] = s_lagrange[i] + beta * s_lagrange[shift_idx] + gamma * (Fr::one() + beta); + accumulators[3][i] = s_lagrange[i] + beta * s_lagrange[shift_idx] + gamma * (FF::one() + beta); // Set t(X_i) for next iteration table_i = table_i_plus_1; @@ -286,7 +288,8 @@ template class ProverLibraryTests : public testing::Test { static const size_t circuit_size = 8; static const size_t num_public_inputs = 0; auto reference_string = std::make_shared(circuit_size + 1, "../srs_db/ignition"); - auto proving_key = std::make_shared( + using Flavor = honk::flavor::Standard; // WORKTODO + auto proving_key = std::make_shared( circuit_size, num_public_inputs, reference_string, ComposerType::STANDARD_HONK); // Get random challenge eta @@ -300,11 +303,11 @@ template class ProverLibraryTests : public testing::Test { // Method 1: computed sorted list accumulator polynomial using prover library method Polynomial sorted_list_accumulator = - prover_library::compute_sorted_list_accumulator(proving_key, sorted_list_polynomials, eta); + prover_library::compute_sorted_list_accumulator(proving_key, sorted_list_polynomials, eta); // Method 2: Compute local sorted list accumulator simply and inefficiently - const Fr eta_sqr = eta.sqr(); - const Fr eta_cube = eta_sqr * eta; + const FF eta_sqr = eta.sqr(); + const FF eta_cube = eta_sqr * eta; // Compute s = s_1 + η*s_2 + η²*s_3 + η³*s_4 Polynomial sorted_list_accumulator_expected{ sorted_list_polynomials[0] }; @@ -323,8 +326,8 @@ TYPED_TEST_SUITE(ProverLibraryTests, FieldTypes); TYPED_TEST(ProverLibraryTests, PermutationGrandProduct) { - TestFixture::template test_permutation_grand_product_construction(); - TestFixture::template test_permutation_grand_product_construction(); + TestFixture::template test_permutation_grand_product_construction(); + TestFixture::template test_permutation_grand_product_construction(); } TYPED_TEST(ProverLibraryTests, LookupGrandProduct) diff --git a/cpp/src/barretenberg/honk/proof_system/verifier.cpp b/cpp/src/barretenberg/honk/proof_system/verifier.cpp index 26e4b7e033..990d57345c 100644 --- a/cpp/src/barretenberg/honk/proof_system/verifier.cpp +++ b/cpp/src/barretenberg/honk/proof_system/verifier.cpp @@ -154,11 +154,11 @@ template bool Verifier::verify_pro auto batched_commitment_to_be_shifted = Commitment::zero(); // Compute powers of batching challenge rho - Fr rho = transcript.get_challenge("rho"); - std::vector rhos = Gemini::powers_of_rho(rho, NUM_POLYNOMIALS); + FF rho = transcript.get_challenge("rho"); + std::vector rhos = Gemini::powers_of_rho(rho, NUM_POLYNOMIALS); // Compute batched multivariate evaluation - Fr batched_evaluation = Fr::zero(); + FF batched_evaluation = FF::zero(); for (size_t i = 0; i < NUM_POLYNOMIALS; ++i) { batched_evaluation += multivariate_evaluations[i] * rhos[i]; } diff --git a/cpp/src/barretenberg/honk/proof_system/work_queue.hpp b/cpp/src/barretenberg/honk/proof_system/work_queue.hpp index c666053adc..7d175b5067 100644 --- a/cpp/src/barretenberg/honk/proof_system/work_queue.hpp +++ b/cpp/src/barretenberg/honk/proof_system/work_queue.hpp @@ -1,7 +1,6 @@ #pragma once #include "barretenberg/honk/transcript/transcript.hpp" -#include "barretenberg/plonk/proof_system/proving_key/proving_key.hpp" #include #include @@ -30,19 +29,15 @@ template class work_queue { }; private: - std::shared_ptr proving_key; // TODO(luke): Consider handling all transcript interactions in the prover rather than embedding them in the queue. proof_system::honk::ProverTranscript& transcript; CommitmentKey commitment_key; std::vector work_item_queue; public: - explicit work_queue(std::shared_ptr& proving_key, - proof_system::honk::ProverTranscript& prover_transcript) - : proving_key(proving_key) - , transcript(prover_transcript) - , commitment_key(proving_key->circuit_size, - "../srs_db/ignition"){}; // TODO(luke): make this properly parameterized + explicit work_queue(size_t circuit_size, proof_system::honk::ProverTranscript& prover_transcript) + : transcript(prover_transcript) + , commitment_key(circuit_size, "../srs_db/ignition"){}; // TODO(luke): make this properly parameterized work_queue(const work_queue& other) = default; work_queue(work_queue&& other) noexcept = default; diff --git a/cpp/src/barretenberg/proof_system/flavor/flavor.hpp b/cpp/src/barretenberg/proof_system/flavor/flavor.hpp index a1a5de286d..9d9d7b33d1 100644 --- a/cpp/src/barretenberg/proof_system/flavor/flavor.hpp +++ b/cpp/src/barretenberg/proof_system/flavor/flavor.hpp @@ -4,6 +4,7 @@ #include #include #include +#include "barretenberg/honk/pcs/commitment_key.hpp" #include "barretenberg/honk/sumcheck/polynomials/univariate.hpp" #include "barretenberg/ecc/curves/bn254/g1.hpp" #include "barretenberg/plonk/proof_system/proving_key/proving_key.hpp" @@ -31,6 +32,43 @@ template class Data { consteval size_t size() { return _data.size(); }; }; +class Ultra { + public: + using CircuitConstructor = proof_system::UltraCircuitConstructor; + static constexpr size_t num_wires = CircuitConstructor::num_wires; + // static constexpr size_t NUM_ALL_ENTITIES = 18; + // static constexpr size_t NUM_PRECOMPUTED_ENTITIES = 13; + + using FF = barretenberg::fr; + using Polynomial = barretenberg::Polynomial; + using PolynomialView = std::span; + using G1 = barretenberg::g1; + using Commitment = G1; + using CommitmentView = G1; // TODO(Cody): make a pointer? + using PCSParams = pcs::kzg::Params; + + class ProvingKey { + public: + const size_t circuit_size; + const size_t log_circuit_size; // TODO(Cody) + const size_t num_public_inputs; + std::shared_ptr crs; + EvaluationDomain evaluation_domain; + const ComposerType composer_type; // TODO(Cody): Get rid of this + + ProvingKey(const size_t circuit_size, + const size_t num_public_inputs, + std::shared_ptr const& crs, + ComposerType composer_type) + : circuit_size(circuit_size) + , log_circuit_size(numeric::get_msb(circuit_size)) + , num_public_inputs(num_public_inputs) + , crs(crs) + , evaluation_domain(circuit_size, circuit_size) + , composer_type(composer_type){}; + }; +}; + class Standard { public: using CircuitConstructor = proof_system::StandardCircuitConstructor; @@ -44,6 +82,7 @@ class Standard { using G1 = barretenberg::g1; using Commitment = G1; using CommitmentView = G1; // TODO(Cody): make a pointer? + using PCSParams = pcs::kzg::Params; // TODO(Cody): Made this public derivation so that I could populate selector polys from circuit constructor. template class PrecomputedData : public Data {