From f172261372dc8de05ddada426d64021c0d7f6ab8 Mon Sep 17 00:00:00 2001 From: ledwards2225 <l.edwards.d@gmail.com> Date: Wed, 29 Mar 2023 21:39:06 +0000 Subject: [PATCH] make gemini method return fold polys per Adrians suggestion --- .../barretenberg/honk/pcs/gemini/gemini.hpp | 27 +++++++++++++------ .../honk/pcs/gemini/gemini.test.cpp | 7 ++--- .../barretenberg/honk/pcs/kzg/kzg.test.cpp | 7 ++--- .../barretenberg/honk/proof_system/prover.cpp | 15 ++++++----- 4 files changed, 31 insertions(+), 25 deletions(-) diff --git a/cpp/src/barretenberg/honk/pcs/gemini/gemini.hpp b/cpp/src/barretenberg/honk/pcs/gemini/gemini.hpp index bfef6ac791..513347e251 100644 --- a/cpp/src/barretenberg/honk/pcs/gemini/gemini.hpp +++ b/cpp/src/barretenberg/honk/pcs/gemini/gemini.hpp @@ -78,18 +78,27 @@ template <typename Params> class MultilinearReductionScheme { /** * @brief Computes d-1 fold polynomials Fold_i, i = 1, ..., d-1 * - * @param mle_opening_point u = (u₀,...,uₘ₋₁) is the MLE opening point - * @param fold_polynomials (m + 1) - many polynomials. The first two are assumed initialized to F(X) = ∑ⱼ ρʲfⱼ(X) - * and G(X) = ∑ⱼ ρᵏ⁺ʲ gⱼ(X), i.e. the batched unshifted polynomials and the batched to-be-shifted polynomials. This - * function populates the next d-1 elements with Fold_i, i = 1, ..., d-1. - * + * @param mle_opening_point multilinear opening point 'u' + * @param batched_unshifted F(X) = ∑ⱼ ρʲ fⱼ(X) + * @param batched_to_be_shifted G(X) = ∑ⱼ ρᵏ⁺ʲ gⱼ(X) + * @return std::vector<Polynomial> */ - static void compute_fold_polynomials(std::span<const Fr> mle_opening_point, auto& fold_polynomials) + static std::vector<Polynomial> compute_fold_polynomials(std::span<const Fr> mle_opening_point, + const Polynomial&& batched_unshifted, + const Polynomial&& batched_to_be_shifted) { const size_t num_variables = mle_opening_point.size(); // m - Polynomial& batched_F = fold_polynomials[0]; // F(X) = ∑ⱼ ρʲ fⱼ(X) - Polynomial& batched_G = fold_polynomials[1]; // G(X) = ∑ⱼ ρᵏ⁺ʲ gⱼ(X) + // Allocate space for m+1 Fold polynomials + // + // The first two are populated here with the batched unshifted and to-be-shifted polynomial respectively. + // They will eventually contain the full batched polynomial A₀ partially evaluated at the challenges r,-r. + // This function populates the other m-1 polynomials with the foldings of A₀. + std::vector<Polynomial> fold_polynomials; + fold_polynomials.reserve(num_variables + 1); + + Polynomial& batched_F = fold_polynomials.emplace_back(batched_unshifted); // F(X) = ∑ⱼ ρʲ fⱼ(X) + Polynomial& batched_G = fold_polynomials.emplace_back(batched_to_be_shifted); // G(X) = ∑ⱼ ρᵏ⁺ʲ gⱼ(X) // A₀(X) = F(X) + G↺(X) = F(X) + G(X)/X. Polynomial A_0(batched_F); @@ -123,6 +132,8 @@ template <typename Params> class MultilinearReductionScheme { // set Aₗ₊₁ = Aₗ for the next iteration A_l = A_l_fold; } + + return fold_polynomials; }; /** diff --git a/cpp/src/barretenberg/honk/pcs/gemini/gemini.test.cpp b/cpp/src/barretenberg/honk/pcs/gemini/gemini.test.cpp index 2e00b8c7b3..17af010e23 100644 --- a/cpp/src/barretenberg/honk/pcs/gemini/gemini.test.cpp +++ b/cpp/src/barretenberg/honk/pcs/gemini/gemini.test.cpp @@ -52,14 +52,11 @@ template <class Params> class GeminiTest : public CommitmentTest<Params> { batched_commitment_to_be_shifted += multilinear_commitments_to_be_shifted[i] * rhos[rho_idx]; } - std::vector<Polynomial> fold_polynomials; - fold_polynomials.emplace_back(batched_unshifted); - fold_polynomials.emplace_back(batched_to_be_shifted); - // Compute: // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1 // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1 - Gemini::compute_fold_polynomials(multilinear_evaluation_point, fold_polynomials); + auto fold_polynomials = Gemini::compute_fold_polynomials( + multilinear_evaluation_point, std::move(batched_unshifted), std::move(batched_to_be_shifted)); for (size_t l = 0; l < log_n - 1; ++l) { std::string label = "FOLD_" + std::to_string(l + 1); diff --git a/cpp/src/barretenberg/honk/pcs/kzg/kzg.test.cpp b/cpp/src/barretenberg/honk/pcs/kzg/kzg.test.cpp index 978a1a2e16..ebbf44af0a 100644 --- a/cpp/src/barretenberg/honk/pcs/kzg/kzg.test.cpp +++ b/cpp/src/barretenberg/honk/pcs/kzg/kzg.test.cpp @@ -102,10 +102,6 @@ TYPED_TEST(BilinearAccumulationTest, GeminiShplonkKzgWithShift) batched_unshifted.add_scaled(poly2, rhos[1]); batched_to_be_shifted.add_scaled(poly2, rhos[2]); - std::vector<Polynomial> fold_polynomials; - fold_polynomials.emplace_back(batched_unshifted); - fold_polynomials.emplace_back(batched_to_be_shifted); - // Compute batched commitments Commitment batched_commitment_unshifted = Commitment::zero(); Commitment batched_commitment_to_be_shifted = Commitment::zero(); @@ -119,7 +115,8 @@ TYPED_TEST(BilinearAccumulationTest, GeminiShplonkKzgWithShift) // Compute: // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1 // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1 - Gemini::compute_fold_polynomials(mle_opening_point, fold_polynomials); + auto fold_polynomials = Gemini::compute_fold_polynomials( + mle_opening_point, std::move(batched_unshifted), std::move(batched_to_be_shifted)); for (size_t l = 0; l < log_n - 1; ++l) { std::string label = "FOLD_" + std::to_string(l + 1); diff --git a/cpp/src/barretenberg/honk/proof_system/prover.cpp b/cpp/src/barretenberg/honk/proof_system/prover.cpp index 10a4a03abb..3a4ae363b8 100644 --- a/cpp/src/barretenberg/honk/proof_system/prover.cpp +++ b/cpp/src/barretenberg/honk/proof_system/prover.cpp @@ -303,15 +303,16 @@ template <typename settings> void Prover<settings>::execute_univariatization_rou Polynomial batched_poly_to_be_shifted(key->circuit_size); // batched to-be-shifted polynomials batched_poly_to_be_shifted.add_scaled(prover_polynomials[POLYNOMIAL::Z_PERM], rhos[NUM_UNSHIFTED_POLYS]); - // Reserve space for d+1 Fold polynomials. At the end of this round, the last d-1 polynomials will - // correspond to Fold^(i). At the end of the full Gemini prover protocol, the first two will - // be the partially evaluated Fold polynomials Fold_{r}^(0) and Fold_{-r}^(0). - fold_polynomials.reserve(key->log_circuit_size + 1); - fold_polynomials.emplace_back(batched_poly_unshifted); - fold_polynomials.emplace_back(batched_poly_to_be_shifted); + // // Reserve space for d+1 Fold polynomials. At the end of this round, the last d-1 polynomials will + // // correspond to Fold^(i). At the end of the full Gemini prover protocol, the first two will + // // be the partially evaluated Fold polynomials Fold_{r}^(0) and Fold_{-r}^(0). + // fold_polynomials.reserve(key->log_circuit_size + 1); + // fold_polynomials.emplace_back(batched_poly_unshifted); + // fold_polynomials.emplace_back(batched_poly_to_be_shifted); // Compute d-1 polynomials Fold^(i), i = 1, ..., d-1. - Gemini::compute_fold_polynomials(sumcheck_output.challenge_point, fold_polynomials); + fold_polynomials = Gemini::compute_fold_polynomials( + sumcheck_output.challenge_point, std::move(batched_poly_unshifted), std::move(batched_poly_to_be_shifted)); // Compute and add to trasnscript the commitments [Fold^(i)], i = 1, ..., d-1 for (size_t l = 0; l < key->log_circuit_size - 1; ++l) {