Skip to content

Commit

Permalink
split witness out, deprecate poly manifest, unify sumcheck pcs inputs… (
Browse files Browse the repository at this point in the history 
#159)

* split witness out, deprecate poly manifest, unify sumcheck pcs inputs, WiP but all tests passing

* minor updates

* cleanup and rebase fixes

* split up wires and z perm in prover

* making sumcheck related tests use enum for poly ordering

* remove poly manifest from prover tests

* make two more test suites rely on enum for poly ordering

* making verifier properly depend on enum

* fixed one more test, enum can now be permuted arbitrarily up to category

* automating claim construction in verifier

* completely removing Multivariates

* attempt to fix build error in CCI

* remove honk poly manifest altogether

* witness properly moved from composer helper to prover

* fix bad access of wires in pkey in some tests

* adding comments and doing some general cleanup
  • Loading branch information
@ledwards2225
ledwards2225 authored Feb 22, 2023
1 parent 20b3d16 commit 954a37a
Show file tree
Hide file tree
Showing 19 changed files with 626 additions and 681 deletions.
115 changes: 22 additions & 93 deletions cpp/src/aztec/honk/composer/composer_helper/composer_helper.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -80,32 +80,27 @@ template <typename CircuitConstructor>
std::shared_ptr<bonk::verification_key> ComposerHelper<CircuitConstructor>::compute_verification_key_base(
std::shared_ptr<bonk::proving_key> const& proving_key, std::shared_ptr<bonk::VerifierReferenceString> const& vrs)
{
auto circuit_verification_key = std::make_shared<bonk::verification_key>(
auto key = std::make_shared<bonk::verification_key>(
proving_key->circuit_size, proving_key->num_public_inputs, vrs, proving_key->composer_type);
// TODO(kesha): Dirty hack for now. Need to actually make commitment-agnositc
auto commitment_key = pcs::kzg::CommitmentKey(proving_key->circuit_size, "../srs_db/ignition");

for (size_t i = 0; i < proving_key->polynomial_manifest.size(); ++i) {
const auto& poly_info = proving_key->polynomial_manifest[i];

const std::string poly_label(poly_info.polynomial_label);
const std::string selector_commitment_label(poly_info.commitment_label);

if (poly_info.source == bonk::PolynomialSource::SELECTOR ||
poly_info.source == bonk::PolynomialSource::PERMUTATION ||
poly_info.source == bonk::PolynomialSource::OTHER) {

// Commit to the constraint selector polynomial and insert the commitment in the verification key.

auto poly_commitment = commitment_key.commit(proving_key->polynomial_cache.get(poly_label));
circuit_verification_key->commitments.insert({ selector_commitment_label, poly_commitment });
}
}

// Set the polynomial manifest in verification key.
circuit_verification_key->polynomial_manifest = bonk::PolynomialManifest(proving_key->composer_type);

return circuit_verification_key;
// Compute and store commitments to all precomputed polynomials
key->commitments["Q_M"] = commitment_key.commit(proving_key->polynomial_cache.get("q_m_lagrange"));
key->commitments["Q_1"] = commitment_key.commit(proving_key->polynomial_cache.get("q_1_lagrange"));
key->commitments["Q_2"] = commitment_key.commit(proving_key->polynomial_cache.get("q_2_lagrange"));
key->commitments["Q_3"] = commitment_key.commit(proving_key->polynomial_cache.get("q_3_lagrange"));
key->commitments["Q_C"] = commitment_key.commit(proving_key->polynomial_cache.get("q_c_lagrange"));
key->commitments["SIGMA_1"] = commitment_key.commit(proving_key->polynomial_cache.get("sigma_1_lagrange"));
key->commitments["SIGMA_2"] = commitment_key.commit(proving_key->polynomial_cache.get("sigma_2_lagrange"));
key->commitments["SIGMA_3"] = commitment_key.commit(proving_key->polynomial_cache.get("sigma_3_lagrange"));
key->commitments["ID_1"] = commitment_key.commit(proving_key->polynomial_cache.get("id_1_lagrange"));
key->commitments["ID_2"] = commitment_key.commit(proving_key->polynomial_cache.get("id_2_lagrange"));
key->commitments["ID_3"] = commitment_key.commit(proving_key->polynomial_cache.get("id_3_lagrange"));
key->commitments["LAGRANGE_FIRST"] = commitment_key.commit(proving_key->polynomial_cache.get("L_first_lagrange"));
key->commitments["LAGRANGE_LAST"] = commitment_key.commit(proving_key->polynomial_cache.get("L_last_lagrange"));

return key;
}

/**
Expand Down Expand Up @@ -151,23 +146,22 @@ void ComposerHelper<CircuitConstructor>::compute_witness_base(const CircuitConst
for (size_t j = 0; j < program_width; ++j) {
// Initialize the polynomial with all the actual copies variable values
// Expect all values to be set to 0 initially
polynomial w_lagrange(subgroup_size);
// Construct wire polynomials in place
auto& wire_lagrange = wire_polynomials.emplace_back(polynomial(subgroup_size));

// Place all public inputs at the start of w_l and w_r.
// All selectors at these indices are set to 0 so these values are not constrained at all.
if ((j == 0) || (j == 1)) {
for (size_t i = 0; i < num_public_inputs; ++i) {
w_lagrange[i] = circuit_constructor.get_variable(public_inputs[i]);
wire_lagrange[i] = circuit_constructor.get_variable(public_inputs[i]);
}
}

// Assign the variable values (which are pointed-to by the `w_` wires) to the wire witness polynomials
// `poly_w_`, shifted to make room for the public inputs at the beginning.
for (size_t i = 0; i < num_gates; ++i) {
w_lagrange[num_public_inputs + i] = circuit_constructor.get_variable(w[j][i]);
wire_lagrange[num_public_inputs + i] = circuit_constructor.get_variable(w[j][i]);
}
std::string index = std::to_string(j + 1);
circuit_proving_key->polynomial_cache.put("w_" + index + "_lagrange", std::move(w_lagrange));
}

computed_witness = true;
Expand Down Expand Up @@ -223,32 +217,6 @@ std::shared_ptr<bonk::verification_key> ComposerHelper<CircuitConstructor>::comp
return circuit_verification_key;
}

/**
* Create verifier: compute verification key,
* initialize verifier with it and an initial manifest and initialize commitment_scheme.
*
* @return The verifier.
* */
// TODO(Cody): This should go away altogether.
template <typename CircuitConstructor>
StandardVerifier ComposerHelper<CircuitConstructor>::create_verifier(const CircuitConstructor& circuit_constructor)
{
auto verification_key = compute_verification_key(circuit_constructor);
// TODO figure out types, actually
// circuit_verification_key->composer_type = type;

// TODO: initialize verifier according to manifest and key
// Verifier output_state(circuit_verification_key, create_manifest(public_inputs.size()));
StandardVerifier output_state;
// TODO: Do we need a commitment scheme defined here?
// std::unique_ptr<KateCommitmentScheme<standard_settings>> kate_commitment_scheme =
// std::make_unique<KateCommitmentScheme<standard_settings>>();

// output_state.commitment_scheme = std::move(kate_commitment_scheme);

return output_state;
}

template <typename CircuitConstructor>
StandardUnrolledVerifier ComposerHelper<CircuitConstructor>::create_unrolled_verifier(
const CircuitConstructor& circuit_constructor)
Expand Down Expand Up @@ -278,7 +246,7 @@ StandardUnrolledProver ComposerHelper<CircuitConstructor>::create_unrolled_prove

size_t num_sumcheck_rounds(circuit_proving_key->log_circuit_size);
auto manifest = Flavor::create_unrolled_manifest(circuit_constructor.public_inputs.size(), num_sumcheck_rounds);
StandardUnrolledProver output_state(circuit_proving_key, manifest);
StandardUnrolledProver output_state(std::move(wire_polynomials), circuit_proving_key, manifest);

// TODO(Cody): This should be more generic
std::unique_ptr<pcs::kzg::CommitmentKey> kate_commitment_key =
Expand All @@ -288,45 +256,6 @@ StandardUnrolledProver ComposerHelper<CircuitConstructor>::create_unrolled_prove

return output_state;
}
/**
* Create prover.
* 1. Compute the starting polynomials (q_l, etc, sigma, witness polynomials).
* 2. Initialize StandardProver with them.
* 3. Add Permutation and arithmetic widgets to the prover.
* 4. Add KateCommitmentScheme to the prover.
*
* @return Initialized prover.
* */
template <typename CircuitConstructor>
StandardProver ComposerHelper<CircuitConstructor>::create_prover(const CircuitConstructor& circuit_constructor)
{
// Compute q_l, etc. and sigma polynomials.
compute_proving_key(circuit_constructor);

// Compute witness polynomials.
compute_witness(circuit_constructor);
// TODO: Initialize prover properly
// Prover output_state(circuit_proving_key, create_manifest(public_inputs.size()));
StandardProver output_state(circuit_proving_key);
// Initialize constraints

// std::unique_ptr<ProverPermutationWidget<3, false>> permutation_widget =
// std::make_unique<ProverPermutationWidget<3, false>>(circuit_proving_key.get());

// std::unique_ptr<ProverArithmeticWidget<standard_settings>> arithmetic_widget =
// std::make_unique<ProverArithmeticWidget<standard_settings>>(circuit_proving_key.get());

// output_state.random_widgets.emplace_back(std::move(permutation_widget));
// output_state.transition_widgets.emplace_back(std::move(arithmetic_widget));

// Is commitment scheme going to stay a part of the prover? Why is it here?
// std::unique_ptr<KateCommitmentScheme<standard_settings>> kate_commitment_scheme =
// std::make_unique<KateCommitmentScheme<standard_settings>>();

// output_state.commitment_scheme = std::move(kate_commitment_scheme);

return output_state;
}

template class ComposerHelper<StandardCircuitConstructor>;
template StandardUnrolledProver ComposerHelper<StandardCircuitConstructor>::create_unrolled_prover<StandardHonk>(
Expand Down
14 changes: 2 additions & 12 deletions cpp/src/aztec/honk/composer/composer_helper/composer_helper.hpp
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
#pragma once

#include "polynomials/polynomial.hpp"
#include <srs/reference_string/file_reference_string.hpp>
#include <proof_system/proving_key/proving_key.hpp>
#include <honk/proof_system/prover.hpp>
Expand All @@ -20,6 +21,7 @@ template <typename CircuitConstructor> class ComposerHelper {
static constexpr size_t NUM_RANDOMIZED_GATES = 2; // equal to the number of multilinear evaluations leaked
static constexpr size_t program_width = CircuitConstructor::program_width;
std::shared_ptr<bonk::proving_key> circuit_proving_key;
std::vector<barretenberg::polynomial> wire_polynomials;
std::shared_ptr<bonk::verification_key> circuit_verification_key;
// TODO(kesha): we need to put this into the commitment key, so that the composer doesn't have to handle srs at all
std::shared_ptr<bonk::ReferenceStringFactory> crs_factory_;
Expand Down Expand Up @@ -53,18 +55,6 @@ template <typename CircuitConstructor> class ComposerHelper {
compute_witness_base<program_width>(circuit_constructor);
}

StandardVerifier create_verifier(const CircuitConstructor& circuit_constructor);
/**
* Preprocess the circuit. Delegates to create_prover.
*
* @return A new initialized prover.
*/
StandardProver preprocess(const CircuitConstructor& circuit_constructor)
{
return create_prover(circuit_constructor);
};
StandardProver create_prover(const CircuitConstructor& circuit_constructor);

StandardUnrolledVerifier create_unrolled_verifier(const CircuitConstructor& circuit_constructor);

template <typename Flavor>
Expand Down
64 changes: 33 additions & 31 deletions cpp/src/aztec/honk/composer/standard_honk_composer.test.cpp
View file
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
#include "standard_honk_composer.hpp"
#include "common/assert.hpp"
#include "numeric/uint256/uint256.hpp"
#include "proof_system/flavor/flavor.hpp"
#include <cstdint>
#include <honk/proof_system/prover.hpp>
#include <honk/sumcheck/polynomials/multivariates.hpp>
#include <honk/sumcheck/sumcheck_round.hpp>
#include <honk/sumcheck/relations/grand_product_computation_relation.hpp>
#include <honk/sumcheck/relations/grand_product_initialization_relation.hpp>
Expand Down Expand Up @@ -70,7 +70,7 @@ TEST(standard_honk_composer, test_sigma_and_id_correctness)
for (size_t j = 0; j < composer.program_width; ++j) {
std::string index = std::to_string(j + 1);
const auto& permutation_polynomial = proving_key->polynomial_cache.get("sigma_" + index + "_lagrange");
const auto& witness_polynomial = proving_key->polynomial_cache.get("w_" + index + "_lagrange");
const auto& witness_polynomial = composer.composer_helper.wire_polynomials[j];
const auto& id_polynomial = proving_key->polynomial_cache.get("id_" + index + "_lagrange");
// left = ∏ᵢ,ⱼ(ωᵢ,ⱼ + β⋅ind(i,j) + γ)
// right = ∏ᵢ,ⱼ(ωᵢ,ⱼ + β⋅σ(i,j) + γ)
Expand Down Expand Up @@ -338,18 +338,17 @@ TEST(standard_honk_composer, test_check_sumcheck_relations_correctness)
fr gamma = fr::random_element();

// Compute grand product polynomial (now all the necessary polynomials are inside the proving key)
prover.compute_grand_product_polynomial(beta, gamma);
auto z_permutation = prover.compute_grand_product_polynomial(beta, gamma);

// Compute public input delta
const auto public_inputs = composer.circuit_constructor.get_public_inputs();
auto public_input_delta =
honk::compute_public_input_delta<fr>(public_inputs, beta, gamma, prover.key->circuit_size);

// Retrieve polynomials from proving key
polynomial z_perm = prover.key->polynomial_cache.get("z_perm_lagrange");
polynomial w_1 = prover.key->polynomial_cache.get("w_1_lagrange");
polynomial w_2 = prover.key->polynomial_cache.get("w_2_lagrange");
polynomial w_3 = prover.key->polynomial_cache.get("w_3_lagrange");
polynomial w_1 = prover.wire_polynomials[0];
polynomial w_2 = prover.wire_polynomials[1];
polynomial w_3 = prover.wire_polynomials[2];
polynomial q_m = prover.key->polynomial_cache.get("q_m_lagrange");
polynomial q_1 = prover.key->polynomial_cache.get("q_1_lagrange");
polynomial q_2 = prover.key->polynomial_cache.get("q_2_lagrange");
Expand All @@ -367,9 +366,8 @@ TEST(standard_honk_composer, test_check_sumcheck_relations_correctness)
// Specify sumcheck configuration
using honk::sumcheck::Univariate;
using honk::sumcheck::UnivariateView;
using Multivariates = honk::sumcheck::Multivariates<fr, bonk::StandardArithmetization::NUM_POLYNOMIALS>;
using SumCheckRound = honk::sumcheck::SumcheckRound<fr,
Multivariates::num,
bonk::StandardArithmetization::NUM_POLYNOMIALS,
honk::sumcheck::ArithmeticRelation,
honk::sumcheck::GrandProductComputationRelation,
honk::sumcheck::GrandProductInitializationRelation>;
Expand All @@ -394,6 +392,8 @@ TEST(standard_honk_composer, test_check_sumcheck_relations_correctness)

// Transpose the polynomials so that each entry of the vector contains an array of polynomial entries at that
// index
std::array<Univariate<fr, SumCheckRound::MAX_RELATION_LENGTH>, bonk::StandardArithmetization::NUM_POLYNOMIALS>
univariate_array;
for (size_t i = 0; i < prover.key->circuit_size; i++) {
// We only fill in the first element of each univariate with the value of an entry from the original poynomial
StandardUnivariate w_1_univariate(0);
Expand All @@ -403,9 +403,9 @@ TEST(standard_honk_composer, test_check_sumcheck_relations_correctness)
StandardUnivariate w_3_univariate(0);
w_3_univariate.value_at(0) = w_3[i];
StandardUnivariate z_perm_univariate(0);
z_perm_univariate.value_at(0) = z_perm[i];
z_perm_univariate.value_at(0) = z_permutation[i];
StandardUnivariate z_perm_shift_univariate(0);
z_perm_shift_univariate.value_at(0) = (i < (prover.key->circuit_size - 1)) ? z_perm[i + 1] : 0;
z_perm_shift_univariate.value_at(0) = (i < (prover.key->circuit_size - 1)) ? z_permutation[i + 1] : 0;
StandardUnivariate q_m_univariate(0);
q_m_univariate.value_at(0) = q_m[i];
StandardUnivariate q_1_univariate(0);
Expand All @@ -432,26 +432,28 @@ TEST(standard_honk_composer, test_check_sumcheck_relations_correctness)
L_first_univariate.value_at(0) = L_first[i];
StandardUnivariate L_last_univariate(0);
L_last_univariate.value_at(0) = L_last[i];
sumcheck_typed_polynomial_vector.push_back({
w_1_univariate,
w_2_univariate,
w_3_univariate,
z_perm_univariate,
z_perm_shift_univariate,
q_m_univariate,
q_1_univariate,
q_2_univariate,
q_3_univariate,
q_c_univariate,
sigma_1_univariate,
sigma_2_univariate,
sigma_3_univariate,
id_1_univariate,
id_2_univariate,
id_3_univariate,
L_first_univariate,
L_last_univariate,
});

using POLYNOMIAL = bonk::StandardArithmetization::POLYNOMIAL;
univariate_array[POLYNOMIAL::W_L] = w_1_univariate;
univariate_array[POLYNOMIAL::W_R] = w_2_univariate;
univariate_array[POLYNOMIAL::W_O] = w_3_univariate;
univariate_array[POLYNOMIAL::Z_PERM] = z_perm_univariate;
univariate_array[POLYNOMIAL::Z_PERM_SHIFT] = z_perm_shift_univariate;
univariate_array[POLYNOMIAL::Q_M] = q_m_univariate;
univariate_array[POLYNOMIAL::Q_L] = q_1_univariate;
univariate_array[POLYNOMIAL::Q_R] = q_2_univariate;
univariate_array[POLYNOMIAL::Q_O] = q_3_univariate;
univariate_array[POLYNOMIAL::Q_C] = q_c_univariate;
univariate_array[POLYNOMIAL::SIGMA_1] = sigma_1_univariate;
univariate_array[POLYNOMIAL::SIGMA_2] = sigma_2_univariate;
univariate_array[POLYNOMIAL::SIGMA_3] = sigma_3_univariate;
univariate_array[POLYNOMIAL::ID_1] = id_1_univariate;
univariate_array[POLYNOMIAL::ID_2] = id_2_univariate;
univariate_array[POLYNOMIAL::ID_3] = id_3_univariate;
univariate_array[POLYNOMIAL::LAGRANGE_FIRST] = L_first_univariate;
univariate_array[POLYNOMIAL::LAGRANGE_LAST] = L_last_univariate;

sumcheck_typed_polynomial_vector.push_back(univariate_array);
}
// Check all relations at all indices
for (size_t i = 0; i < prover.key->circuit_size; i++) {
Expand Down
Loading

0 comments on commit 954a37a

Please sign in to comment.