Skip to content

Commit

Permalink
feat: Zeromorph with concatenation (Goblin Translator part 10) (#3006)
Browse files Browse the repository at this point in the history
Extends ZeroMorph to be able to handle concatenation (use commitments of
several polynomials to represent a commitment to a polynomial
constructed from their concatenation).

---------

Co-authored-by: ledwards2225 <l.edwards.d@gmail.com>
  • Loading branch information
Rumata888 and ledwards2225 authored Oct 26, 2023
1 parent 997c15c commit 70b0f17
Show file tree
Hide file tree
Showing 2 changed files with 351 additions and 7 deletions.
66 changes: 59 additions & 7 deletions barretenberg/cpp/src/barretenberg/honk/pcs/zeromorph/zeromorph.hpp
Original file line number Diff line number Diff line change
Expand Up @@ -173,21 +173,28 @@ template <typename Curve> class ZeroMorphProver_ {
*
* Z_x = x * f_batched + g_batched - v * x * \Phi_n(x)
* - x * \sum_k (x^{2^k}\Phi_{n-k-1}(x^{2^{k-1}}) - u_k\Phi_{n-k}(x^{2^k})) * q_k
* + concatentation_term
*
* where f_batched = \sum_{i=0}^{m-1}\rho^i*f_i, g_batched = \sum_{i=0}^{l-1}\rho^{m+i}*g_i
*
* and concatenation_term = \sum_{i=0}^{concatenation_index}(x^{i * min_N + 1}concatenation_groups_batched_{i})
*
* @note The concatenation term arises from an implementation detail in the Goblin Translator and is not part of the
* conventional ZM protocol
* @param input_polynomial
* @param quotients
* @param v_evaluation
* @param x_challenge
* @return Polynomial
*/
static Polynomial compute_partially_evaluated_zeromorph_identity_polynomial(Polynomial& f_batched,
Polynomial& g_batched,
std::vector<Polynomial>& quotients,
FF v_evaluation,
std::span<FF> u_challenge,
FF x_challenge)
static Polynomial compute_partially_evaluated_zeromorph_identity_polynomial(
Polynomial& f_batched,
Polynomial& g_batched,
std::vector<Polynomial>& quotients,
FF v_evaluation,
std::span<FF> u_challenge,
FF x_challenge,
std::vector<Polynomial> concatenation_groups_batched = {})
{
size_t N = f_batched.size();
size_t log_N = quotients.size();
Expand Down Expand Up @@ -221,6 +228,21 @@ template <typename Curve> class ZeroMorphProver_ {
result.add_scaled(quotients[k], scalar);
}

// If necessary, add to Z_x the contribution related to concatenated polynomials:
// \sum_{i=0}^{concatenation_index}(x^{i * min_n + 1}concatenation_groups_batched_{i}).
// We are effectively reconstructing concatenated polynomials from their chunks now that we know x
// Note: this is an implementation detail related to Goblin Translator and is not part of the standard protocol.
if (!concatenation_groups_batched.empty()) {
size_t MINICIRCUIT_N = N / concatenation_groups_batched.size();
auto x_to_minicircuit_N =
x_challenge.pow(MINICIRCUIT_N); // power of x used to shift polynomials to the right
auto running_shift = x_challenge;
for (size_t i = 0; i < concatenation_groups_batched.size(); i++) {
result.add_scaled(concatenation_groups_batched[i], running_shift);
running_shift *= x_to_minicircuit_N;
}
}

return result;
}

Expand Down Expand Up @@ -432,14 +454,22 @@ template <typename Curve> class ZeroMorphVerifier_ {
*
* C_{Z_x} = x * \sum_{i=0}^{m-1}\rho^i*[f_i] + \sum_{i=0}^{l-1}\rho^{m+i}*[g_i] - v * x * \Phi_n(x) * [1]_1
* - x * \sum_k (x^{2^k}\Phi_{n-k-1}(x^{2^{k-1}}) - u_k\Phi_{n-k}(x^{2^k})) * [q_k]
* + concatentation_term
* where
*
* concatenation_term = \sum{i=0}^{o-1}\sum_{j=0}^{concatenation_index}(rho^{m+l+i} * x^{j * min_N + 1}
* * concatenation_groups_commitments_{i}_{j})
*
* @note The concatenation term arises from an implementation detail in the Goblin Translator and is not part of the
* conventional ZM protocol
* @param f_commitments Commitments to unshifted polynomials [f_i]
* @param g_commitments Commitments to to-be-shifted polynomials [g_i]
* @param C_q_k Commitments to q_k
* @param rho
* @param batched_evaluation \sum_{i=0}^{m-1} \rho^i*f_i(u) + \sum_{i=0}^{l-1} \rho^{m+i}*h_i(u)
* @param x_challenge
* @param u_challenge multilinear challenge
* @param concatenation_groups_commitments
* @return Commitment
*/
static Commitment compute_C_Z_x(std::vector<Commitment> f_commitments,
Expand All @@ -448,7 +478,8 @@ template <typename Curve> class ZeroMorphVerifier_ {
FF rho,
FF batched_evaluation,
FF x_challenge,
std::vector<FF> u_challenge)
std::vector<FF> u_challenge,
std::vector<std::vector<Commitment>> concatenation_groups_commitments = {})
{
size_t log_N = C_q_k.size();
size_t N = 1 << log_N;
Expand Down Expand Up @@ -485,6 +516,27 @@ template <typename Curve> class ZeroMorphVerifier_ {
rho_pow *= rho;
}

// If applicable, add contribution from concatenated polynomial commitments
// Note: this is an implementation detail related to Goblin Translator and is not part of the standard protocol.
if (!concatenation_groups_commitments.empty()) {
size_t CONCATENATION_INDEX = concatenation_groups_commitments[0].size();
size_t MINICIRCUIT_N = N / CONCATENATION_INDEX;
std::vector<FF> x_shifts;
auto current_x_shift = x_challenge;
auto x_to_minicircuit_n = x_challenge.pow(MINICIRCUIT_N);
for (size_t i = 0; i < CONCATENATION_INDEX; ++i) {
x_shifts.emplace_back(current_x_shift);
current_x_shift *= x_to_minicircuit_n;
}
for (auto& concatenation_group_commitment : concatenation_groups_commitments) {
for (size_t i = 0; i < CONCATENATION_INDEX; ++i) {
scalars.emplace_back(rho_pow * x_shifts[i]);
commitments.emplace_back(concatenation_group_commitment[i]);
}
rho_pow *= rho;
}
}

// Add contributions: scalar * [q_k], k = 0,...,log_N, where
// scalar = -x * (x^{2^k} * \Phi_{n-k-1}(x^{2^{k+1}}) - u_k * \Phi_{n-k}(x^{2^k}))
auto x_pow_2k = x_challenge; // x^{2^k}
Expand Down
Loading

0 comments on commit 70b0f17

Please sign in to comment.