diff --git a/barretenberg/cpp/src/barretenberg/benchmark/goblin_bench/eccvm.bench.cpp b/barretenberg/cpp/src/barretenberg/benchmark/goblin_bench/eccvm.bench.cpp index 44f7ee24fe38..f796d8930686 100644 --- a/barretenberg/cpp/src/barretenberg/benchmark/goblin_bench/eccvm.bench.cpp +++ b/barretenberg/cpp/src/barretenberg/benchmark/goblin_bench/eccvm.bench.cpp @@ -65,8 +65,8 @@ void eccvm_prove(State& state) noexcept }; } -BENCHMARK(eccvm_generate_prover)->Unit(kMillisecond)->DenseRange(10, 20); -BENCHMARK(eccvm_prove)->Unit(kMillisecond)->DenseRange(10, 20); +BENCHMARK(eccvm_generate_prover)->Unit(kMillisecond)->DenseRange(12, 18); +BENCHMARK(eccvm_prove)->Unit(kMillisecond)->DenseRange(12, 18); } // namespace BENCHMARK_MAIN(); diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp index 991c01f12578..ce15706cc6ac 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp @@ -39,8 +39,8 @@ class ECCVMFlavor { using RelationSeparator = FF; using MSM = bb::eccvm::MSM; - // Indicates that this flavor runs with non-ZK Sumcheck. - static constexpr bool HasZK = false; + // Indicates that this flavor runs with ZK Sumcheck. + static constexpr bool HasZK = true; static constexpr size_t NUM_WIRES = 85; // The number of multivariate polynomials on which a sumcheck prover sumcheck operates (including shifts). We often @@ -67,7 +67,8 @@ class ECCVMFlavor { ECCVMBoolsRelation>; using Relations = Relations_; using LookupRelation = ECCVMLookupRelation; - static constexpr size_t MAX_PARTIAL_RELATION_LENGTH = compute_max_partial_relation_length(); + + static constexpr size_t MAX_PARTIAL_RELATION_LENGTH = compute_max_partial_relation_length(); // BATCHED_RELATION_PARTIAL_LENGTH = algebraic degree of sumcheck relation *after* multiplying by the `pow_zeta` // random polynomial e.g. For \sum(x) [A(x) * B(x) + C(x)] * PowZeta(X), relation length = 2 and random relation @@ -78,7 +79,9 @@ class ECCVMFlavor { // Instantiate the BarycentricData needed to extend each Relation Univariate // define the containers for storing the contributions from each relation in Sumcheck - using SumcheckTupleOfTuplesOfUnivariates = decltype(create_sumcheck_tuple_of_tuples_of_univariates()); + using SumcheckTupleOfTuplesOfUnivariates = + decltype(create_sumcheck_tuple_of_tuples_of_univariates()); + using TupleOfArraysOfValues = decltype(create_tuple_of_arrays_of_values()); // TODO(https://github.com/AztecProtocol/barretenberg/issues/989): refine access specifiers in flavors, this is @@ -933,7 +936,9 @@ class ECCVMFlavor { Commitment transcript_msm_count_at_transition_inverse_comm; Commitment z_perm_comm; Commitment lookup_inverses_comm; + FF libra_sum; std::vector> sumcheck_univariates; + std::vector libra_evaluations; std::array sumcheck_evaluations; std::vector gemini_fold_comms; std::vector gemini_fold_evals; @@ -1137,11 +1142,20 @@ class ECCVMFlavor { NativeTranscript::proof_data, num_frs_read); z_perm_comm = NativeTranscript::template deserialize_from_buffer(NativeTranscript::proof_data, num_frs_read); + + libra_sum = + NativeTranscript::template deserialize_from_buffer(NativeTranscript::proof_data, num_frs_read); for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N; ++i) { sumcheck_univariates.emplace_back(NativeTranscript::template deserialize_from_buffer< bb::Univariate>( NativeTranscript::proof_data, num_frs_read)); } + + size_t log_circuit_size = static_cast(numeric::get_msb(circuit_size)); + for (size_t i = 0; i < log_circuit_size; i++) { + libra_evaluations.emplace_back( + NativeTranscript::template deserialize_from_buffer(NativeTranscript::proof_data, num_frs_read)); + } sumcheck_evaluations = NativeTranscript::template deserialize_from_buffer>( NativeTranscript::proof_data, num_frs_read); for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N - 1; ++i) { @@ -1183,6 +1197,8 @@ class ECCVMFlavor { void serialize_full_transcript() { size_t old_proof_length = NativeTranscript::proof_data.size(); + size_t log_circuit_size = static_cast(numeric::get_msb(circuit_size)); + NativeTranscript::proof_data.clear(); NativeTranscript::template serialize_to_buffer(circuit_size, NativeTranscript::proof_data); @@ -1285,9 +1301,16 @@ class ECCVMFlavor { NativeTranscript::proof_data); NativeTranscript::template serialize_to_buffer(lookup_inverses_comm, NativeTranscript::proof_data); NativeTranscript::template serialize_to_buffer(z_perm_comm, NativeTranscript::proof_data); + + NativeTranscript::template serialize_to_buffer(libra_sum, NativeTranscript::proof_data); + for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N; ++i) { NativeTranscript::template serialize_to_buffer(sumcheck_univariates[i], NativeTranscript::proof_data); } + + for (size_t i = 0; i < log_circuit_size; ++i) { + NativeTranscript::template serialize_to_buffer(libra_evaluations[i], NativeTranscript::proof_data); + } NativeTranscript::template serialize_to_buffer(sumcheck_evaluations, NativeTranscript::proof_data); for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N - 1; ++i) { NativeTranscript::template serialize_to_buffer(gemini_fold_comms[i], proof_data); diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_transcript.test.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_transcript.test.cpp index fde6b109669e..de882d3954ad 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_transcript.test.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_transcript.test.cpp @@ -137,6 +137,11 @@ class ECCVMTranscriptTests : public ::testing::Test { std::string label = "Sumcheck:gate_challenge_" + std::to_string(i); manifest_expected.add_challenge(round, label); } + round++; + + manifest_expected.add_entry(round, "Libra:Sum", frs_per_Fr); + // get the challenge for the ZK Sumcheck claim + manifest_expected.add_challenge(round, "Libra:Challenge"); for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N; ++i) { round++; @@ -147,7 +152,15 @@ class ECCVMTranscriptTests : public ::testing::Test { } round++; + + for (size_t i = 0; i < log_n; i++) { + std::string idx = std::to_string(i); + manifest_expected.add_entry(round, "Libra:evaluation_" + idx, frs_per_Fr); + } + // manifest_expected.add_entry(round, "Libra:evaluation", log_n * frs_per_Fr); + manifest_expected.add_entry(round, "Sumcheck:evaluations", frs_per_evals); + manifest_expected.add_challenge(round, "rho"); round++; @@ -256,6 +269,7 @@ TEST_F(ECCVMTranscriptTests, ProverManifestConsistency) // Check that the prover generated manifest agrees with the manifest hard coded in this suite auto manifest_expected = this->construct_eccvm_honk_manifest(prover.key->circuit_size); auto prover_manifest = prover.transcript->get_manifest(); + // Note: a manifest can be printed using manifest.print() for (size_t round = 0; round < manifest_expected.size(); ++round) { ASSERT_EQ(prover_manifest[round], manifest_expected[round]) << "Prover manifest discrepency in round " << round; diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp index 46f6fe064599..90761596a5eb 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp @@ -53,7 +53,7 @@ bool ECCVMVerifier::verify_proof(const HonkProof& proof) gate_challenges[idx] = transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); } - auto [multivariate_challenge, claimed_evaluations, sumcheck_verified] = + auto [multivariate_challenge, claimed_evaluations, libra_evaluations, sumcheck_verified] = sumcheck.verify(relation_parameters, alpha, gate_challenges); // If Sumcheck did not verify, return false diff --git a/barretenberg/cpp/src/barretenberg/flavor/relation_definitions.hpp b/barretenberg/cpp/src/barretenberg/flavor/relation_definitions.hpp index b94abec60138..daa85c353c9f 100644 --- a/barretenberg/cpp/src/barretenberg/flavor/relation_definitions.hpp +++ b/barretenberg/cpp/src/barretenberg/flavor/relation_definitions.hpp @@ -28,6 +28,11 @@ ACCUMULATE(RelationImpl, Flavor, SumcheckArrayOfValuesOverSubrelations, EvaluationEdge) \ ACCUMULATE(RelationImpl, Flavor, SumcheckArrayOfValuesOverSubrelations, EntityEdge) +#define DEFINE_ZK_SUMCHECK_RELATION_CLASS(RelationImpl, Flavor) \ + ACCUMULATE(RelationImpl, Flavor, ZKSumcheckTupleOfUnivariatesOverSubrelations, ExtendedEdge) \ + ACCUMULATE(RelationImpl, Flavor, SumcheckArrayOfValuesOverSubrelations, EvaluationEdge) \ + ACCUMULATE(RelationImpl, Flavor, SumcheckArrayOfValuesOverSubrelations, EntityEdge) + #define DEFINE_SUMCHECK_VERIFIER_RELATION_CLASS(RelationImpl, Flavor) \ ACCUMULATE(RelationImpl, Flavor, SumcheckArrayOfValuesOverSubrelations, EvaluationEdge) diff --git a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_bools_relation.cpp b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_bools_relation.cpp index 539b6e6cd6d3..6416f9c5de53 100644 --- a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_bools_relation.cpp +++ b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_bools_relation.cpp @@ -5,5 +5,5 @@ namespace bb { template class ECCVMBoolsRelationImpl; -DEFINE_SUMCHECK_RELATION_CLASS(ECCVMBoolsRelationImpl, ECCVMFlavor); +DEFINE_ZK_SUMCHECK_RELATION_CLASS(ECCVMBoolsRelationImpl, ECCVMFlavor); } // namespace bb \ No newline at end of file diff --git a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_bools_relation.hpp b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_bools_relation.hpp index 95afbf3aca93..211aeb9a786c 100644 --- a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_bools_relation.hpp +++ b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_bools_relation.hpp @@ -30,6 +30,9 @@ polynomials, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, }; + // Max among {SUBRELATION_PARTIAL_LENGTH + SUBRELATION_WITNESS_DEGREE} + static constexpr size_t ZK_RELATION_LENGTH = 5; + template static void accumulate(ContainerOverSubrelations& accumulator, const AllEntities& in, diff --git a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_lookup_relation.cpp b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_lookup_relation.cpp index 4afdd9c0898a..69dcc7122e18 100644 --- a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_lookup_relation.cpp +++ b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_lookup_relation.cpp @@ -4,5 +4,5 @@ namespace bb { template class ECCVMLookupRelationImpl; -DEFINE_SUMCHECK_RELATION_CLASS(ECCVMLookupRelationImpl, ECCVMFlavor); +DEFINE_ZK_SUMCHECK_RELATION_CLASS(ECCVMLookupRelationImpl, ECCVMFlavor); } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_lookup_relation.hpp b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_lookup_relation.hpp index 2ef8c62257f5..044863745507 100644 --- a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_lookup_relation.hpp +++ b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_lookup_relation.hpp @@ -31,6 +31,9 @@ polynomials, LENGTH - 1 // left-shiftable polynomial sub-relation }; + // Max among {SUBRELATION_PARTIAL_LENGTH + SUBRELATION_WITNESS_DEGREE} + static constexpr size_t ZK_RELATION_LENGTH = 17; + static constexpr std::array SUBRELATION_LINEARLY_INDEPENDENT = { true, false }; template static bool operation_exists_at_row(const AllValues& row) diff --git a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_msm_relation.cpp b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_msm_relation.cpp index bb7c3738b6f1..41af3083e12a 100644 --- a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_msm_relation.cpp +++ b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_msm_relation.cpp @@ -5,6 +5,6 @@ namespace bb { template class ECCVMMSMRelationImpl; -DEFINE_SUMCHECK_RELATION_CLASS(ECCVMMSMRelationImpl, ECCVMFlavor); +DEFINE_ZK_SUMCHECK_RELATION_CLASS(ECCVMMSMRelationImpl, ECCVMFlavor); } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_msm_relation.hpp b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_msm_relation.hpp index e7572f4e5858..22926ca59ecd 100644 --- a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_msm_relation.hpp +++ b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_msm_relation.hpp @@ -37,19 +37,19 @@ namespace bb { template class ECCVMMSMRelationImpl { public: using FF = FF_; - static constexpr std::array SUBRELATION_PARTIAL_LENGTHS{ 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8 }; /** - * @brief For ZK-Flavors: Upper bound on the degrees of subrelations considered as polynomials only in witness -polynomials, + * @brief Upper bound on the degrees of subrelations considered as polynomials only in witness polynomials, * i.e. all selectors and public polynomials are treated as constants. The subrelation witness degree does not * exceed the subrelation partial degree given by SUBRELATION_PARTIAL_LENGTH - 1. */ static constexpr std::array SUBRELATION_WITNESS_DEGREES{ 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7 }; + // Max among {SUBRELATION_PARTIAL_LENGTH + SUBRELATION_WITNESS_DEGREE} + static constexpr size_t ZK_RELATION_LENGTH = 15; template static void accumulate(ContainerOverSubrelations& accumulator, diff --git a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_point_table_relation.cpp b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_point_table_relation.cpp index ce12ce062ac6..2abf1ac3a22d 100644 --- a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_point_table_relation.cpp +++ b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_point_table_relation.cpp @@ -4,6 +4,6 @@ namespace bb { template class ECCVMPointTableRelationImpl; -DEFINE_SUMCHECK_RELATION_CLASS(ECCVMPointTableRelationImpl, ECCVMFlavor); +DEFINE_ZK_SUMCHECK_RELATION_CLASS(ECCVMPointTableRelationImpl, ECCVMFlavor); } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_point_table_relation.hpp b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_point_table_relation.hpp index 30b4eb77c84e..213a29a0f277 100644 --- a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_point_table_relation.hpp +++ b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_point_table_relation.hpp @@ -19,6 +19,7 @@ namespace bb { template class ECCVMPointTableRelationImpl { public: using FF = FF_; + static constexpr size_t ZK_RELATION_LENGTH = 11; static constexpr std::array SUBRELATION_PARTIAL_LENGTHS{ 6, 6, 6, 6, 6, 6 }; /** diff --git a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_set_relation.cpp b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_set_relation.cpp index 03e8565fcb4e..495c60c59bef 100644 --- a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_set_relation.cpp +++ b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_set_relation.cpp @@ -4,7 +4,7 @@ namespace bb { template class ECCVMSetRelationImpl; -DEFINE_SUMCHECK_RELATION_CLASS(ECCVMSetRelationImpl, ECCVMFlavor); +DEFINE_ZK_SUMCHECK_RELATION_CLASS(ECCVMSetRelationImpl, ECCVMFlavor); DEFINE_SUMCHECK_PERMUTATION_CLASS(ECCVMSetRelationImpl, ECCVMFlavor); } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_set_relation.hpp b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_set_relation.hpp index f0c742e24b80..d0e0ab35a23a 100644 --- a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_set_relation.hpp +++ b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_set_relation.hpp @@ -13,8 +13,8 @@ template class ECCVMSetRelationImpl { using FF = FF_; static constexpr std::array SUBRELATION_PARTIAL_LENGTHS{ - 21, // grand product construction sub-relation - 21 // left-shiftable polynomial sub-relation + 22, // grand product construction sub-relation + 3 // left-shiftable polynomial sub-relation }; /** * @brief For ZK-Flavors: Upper bound on the degrees of subrelations considered as polynomials only in witness @@ -23,10 +23,13 @@ polynomials, * exceed the subrelation partial degree given by SUBRELATION_PARTIAL_LENGTH - 1. */ static constexpr std::array SUBRELATION_WITNESS_DEGREES{ - 20, // grand product construction sub-relation - 20 // left-shiftable polynomial sub-relation + 21, // grand product construction sub-relation + 1 // left-shiftable polynomial sub-relation }; + // Max among {SUBRELATION_PARTIAL_LENGTH + SUBRELATION_WITNESS_DEGREE} + static constexpr size_t ZK_RELATION_LENGTH = 43; + template static Accumulator convert_to_wnaf(const auto& s0, const auto& s1) { auto t = s0 + s0; diff --git a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_set_relation_impl.hpp b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_set_relation_impl.hpp index 354ec4286b29..8f77a85a2937 100644 --- a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_set_relation_impl.hpp +++ b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_set_relation_impl.hpp @@ -311,9 +311,10 @@ Accumulator ECCVMSetRelationImpl::compute_grand_product_denominator(const Al // FF endomorphism_base_field_shift = FF::cube_root_of_unity(); FF endomorphism_base_field_shift = FF(bb::fq::cube_root_of_unity()); - auto transcript_input1 = transcript_pc + transcript_Px * beta + transcript_Py * beta_sqr + z1 * beta_cube; + auto transcript_input1 = + transcript_pc + transcript_Px * beta + transcript_Py * beta_sqr + z1 * beta_cube; // degree = 1 auto transcript_input2 = (transcript_pc - 1) + transcript_Px * endomorphism_base_field_shift * beta - - transcript_Py * beta_sqr + z2 * beta_cube; + transcript_Py * beta_sqr + z2 * beta_cube; // degree = 2 // | q_mul | z2_zero | z1_zero | base_infinity | lookup | // | ----- | ------- | ------- | ------------- |----------------------- | @@ -326,15 +327,15 @@ Accumulator ECCVMSetRelationImpl::compute_grand_product_denominator(const Al // | 1 | 0 | 1 | 1 | 1 | // | 1 | 1 | 0 | 1 | 1 | // | 1 | 1 | 1 | 1 | 1 | - transcript_input1 = (transcript_input1 + gamma) * lookup_first + (-lookup_first + 1); - transcript_input2 = (transcript_input2 + gamma) * lookup_second + (-lookup_second + 1); + transcript_input1 = (transcript_input1 + gamma) * lookup_first + (-lookup_first + 1); // degree 2 + transcript_input2 = (transcript_input2 + gamma) * lookup_second + (-lookup_second + 1); // degree 3 - // transcript_product = degree 3 + // transcript_product = degree 6 auto transcript_product = (transcript_input1 * transcript_input2) * (-base_infinity + 1) + base_infinity; - // point_table_init_write = degree 4 + // point_table_init_write = degree 7 auto point_table_init_write = transcript_mul * transcript_product + (-transcript_mul + 1); - denominator *= point_table_init_write; // degree-14 + denominator *= point_table_init_write; // degree 17 // auto point_table_init_write_1 = transcript_mul * transcript_input1 + (-transcript_mul + 1); // denominator *= point_table_init_write_1; // degree-11 @@ -391,25 +392,28 @@ void ECCVMSetRelationImpl::accumulate(ContainerOverSubrelations& accumulator { using Accumulator = typename std::tuple_element_t<0, ContainerOverSubrelations>; using View = typename Accumulator::View; + using ShortView = typename std::tuple_element_t<1, ContainerOverSubrelations>::View; // degree-11 Accumulator numerator_evaluation = compute_grand_product_numerator(in, params); - // degree-17 + // degree-20 Accumulator denominator_evaluation = compute_grand_product_denominator(in, params); const auto& lagrange_first = View(in.lagrange_first); const auto& lagrange_last = View(in.lagrange_last); + const auto& lagrange_last_short = ShortView(in.lagrange_last); const auto& z_perm = View(in.z_perm); const auto& z_perm_shift = View(in.z_perm_shift); + const auto& z_perm_shift_short = ShortView(in.z_perm_shift); - // degree-18 + // degree-21 std::get<0>(accumulator) += ((z_perm + lagrange_first) * numerator_evaluation - (z_perm_shift + lagrange_last) * denominator_evaluation) * scaling_factor; // Contribution (2) - std::get<1>(accumulator) += (lagrange_last * z_perm_shift) * scaling_factor; + std::get<1>(accumulator) += lagrange_last_short * z_perm_shift_short * scaling_factor; } } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_transcript_relation.cpp b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_transcript_relation.cpp index 79834907a990..498133147a8a 100644 --- a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_transcript_relation.cpp +++ b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_transcript_relation.cpp @@ -7,5 +7,5 @@ namespace bb { template class ECCVMTranscriptRelationImpl; -DEFINE_SUMCHECK_RELATION_CLASS(ECCVMTranscriptRelationImpl, ECCVMFlavor); +DEFINE_ZK_SUMCHECK_RELATION_CLASS(ECCVMTranscriptRelationImpl, ECCVMFlavor); } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_transcript_relation.hpp b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_transcript_relation.hpp index f5500649a4f4..fcb9f73e48bb 100644 --- a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_transcript_relation.hpp +++ b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_transcript_relation.hpp @@ -34,15 +34,17 @@ template class ECCVMTranscriptRelationImpl { 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, }; /** - * @brief For ZK-Flavors: Upper bound on the degrees of subrelations considered as polynomials only in witness -polynomials, - * i.e. all selectors and public polynomials are treated as constants. The subrelation witness degree does not + * @brief Upper bound on the degrees of subrelations considered as polynomials only in +witness polynomials, + * i.e. all selectors and public polynomials are treated as constants. The subrelation witness degree does +not * exceed the subrelation partial degree given by SUBRELATION_PARTIAL_LENGTH - 1. */ static constexpr std::array SUBRELATION_WITNESS_DEGREES{ 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, }; - + // Max among {SUBRELATION_PARTIAL_LENGTH + SUBRELATION_WITNESS_DEGREE} + static constexpr size_t ZK_RELATION_LENGTH = 15; template static void accumulate(ContainerOverSubrelations& accumulator, const AllEntities& in, diff --git a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_wnaf_relation.cpp b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_wnaf_relation.cpp index 2ab7a00a3818..06cc795e012a 100644 --- a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_wnaf_relation.cpp +++ b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_wnaf_relation.cpp @@ -5,6 +5,6 @@ namespace bb { template class ECCVMWnafRelationImpl; -DEFINE_SUMCHECK_RELATION_CLASS(ECCVMWnafRelationImpl, ECCVMFlavor); +DEFINE_ZK_SUMCHECK_RELATION_CLASS(ECCVMWnafRelationImpl, ECCVMFlavor); } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_wnaf_relation.hpp b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_wnaf_relation.hpp index b8a1e3255d58..f6e6c07b5bfe 100644 --- a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_wnaf_relation.hpp +++ b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_wnaf_relation.hpp @@ -48,6 +48,9 @@ polynomials, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, }; + // Max among {SUBRELATION_PARTIAL_LENGTH + SUBRELATION_WITNESS_DEGREE} + static constexpr size_t ZK_RELATION_LENGTH = 9; + template static void accumulate(ContainerOverSubrelations& accumulator, const AllEntities& in, diff --git a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_decomposition_relation.hpp b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_decomposition_relation.hpp index e97869a8185d..d71ef18f80f0 100644 --- a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_decomposition_relation.hpp +++ b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_decomposition_relation.hpp @@ -62,7 +62,7 @@ template class TranslatorDecompositionRelationImpl { 3 // decomposition of z2 into 2 limbs subrelation }; /** - * @brief For ZK-Flavors: Upper bound on the degrees of subrelations considered as polynomials only in witness + * @brief Upper bound on the degrees of subrelations considered as polynomials only in witness polynomials, * i.e. all selectors and public polynomials are treated as constants. The subrelation witness degree does not * exceed the subrelation partial degree given by SUBRELATION_PARTIAL_LENGTH - 1. @@ -118,6 +118,8 @@ polynomials, 2 // decomposition of z2 into 2 limbs subrelation }; + // Max among {SUBRELATION_PARTIAL_LENGTH + SUBRELATION_WITNESS_DEGREE} + static constexpr size_t ZK_RELATION_LENGTH = 5; /** * @brief Returns true if the contribution from all subrelations for the provided inputs is identically zero * diff --git a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_decomposition_relation_2.cpp b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_decomposition_relation_2.cpp index 095bdc164d24..93220028f21b 100644 --- a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_decomposition_relation_2.cpp +++ b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_decomposition_relation_2.cpp @@ -10,9 +10,10 @@ template void TranslatorDecompositionRelationImpl::accumul RelationParameters const&, TranslatorFlavor::FF const&); template void TranslatorDecompositionRelationImpl::accumulate< - bb::Relation>::SumcheckTupleOfUnivariatesOverSubrelations, + bb::Relation< + TranslatorDecompositionRelationImpl>::ZKSumcheckTupleOfUnivariatesOverSubrelations, TranslatorFlavor::ExtendedEdges>(bb::Relation>:: - SumcheckTupleOfUnivariatesOverSubrelations&, + ZKSumcheckTupleOfUnivariatesOverSubrelations&, TranslatorFlavor::ExtendedEdges const&, RelationParameters const&, TranslatorFlavor::FF const&); diff --git a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_delta_range_constraint_relation.cpp b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_delta_range_constraint_relation.cpp index fd651d31f2e3..2aef52a29bb1 100644 --- a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_delta_range_constraint_relation.cpp +++ b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_delta_range_constraint_relation.cpp @@ -2,5 +2,5 @@ #include "barretenberg/translator_vm/translator_flavor.hpp" namespace bb { template class TranslatorDeltaRangeConstraintRelationImpl; -DEFINE_SUMCHECK_RELATION_CLASS(TranslatorDeltaRangeConstraintRelationImpl, TranslatorFlavor); +DEFINE_ZK_SUMCHECK_RELATION_CLASS(TranslatorDeltaRangeConstraintRelationImpl, TranslatorFlavor); } // namespace bb \ No newline at end of file diff --git a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_delta_range_constraint_relation.hpp b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_delta_range_constraint_relation.hpp index 498bd835e806..448e95ca085d 100644 --- a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_delta_range_constraint_relation.hpp +++ b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_delta_range_constraint_relation.hpp @@ -24,7 +24,7 @@ template class TranslatorDeltaRangeConstraintRelationImpl { }; /** - * @brief For ZK-Flavors: Upper bound on the degrees of subrelations considered as polynomials only in witness + * @brief Upper bound on the degrees of subrelations considered as polynomials only in witness polynomials, * i.e. all selectors and public polynomials are treated as constants. The subrelation witness degree does not * exceed the subrelation partial degree given by SUBRELATION_PARTIAL_LENGTH - 1. @@ -42,6 +42,10 @@ polynomials, 2 // ordered_range_constraints_4 ends with defined maximum value subrelation }; + + // Max among {SUBRELATION_PARTIAL_LENGTH + SUBRELATION_WITNESS_DEGREE} + static constexpr size_t ZK_RELATION_LENGTH = 11; + /** * @brief Expression for the generalized permutation sort relation * diff --git a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_extra_relations.cpp b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_extra_relations.cpp index bf4bd53ac574..471fa8b77652 100644 --- a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_extra_relations.cpp +++ b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_extra_relations.cpp @@ -4,6 +4,6 @@ namespace bb { template class TranslatorOpcodeConstraintRelationImpl; template class TranslatorAccumulatorTransferRelationImpl; -DEFINE_SUMCHECK_RELATION_CLASS(TranslatorOpcodeConstraintRelationImpl, TranslatorFlavor); -DEFINE_SUMCHECK_RELATION_CLASS(TranslatorAccumulatorTransferRelationImpl, TranslatorFlavor); +DEFINE_ZK_SUMCHECK_RELATION_CLASS(TranslatorOpcodeConstraintRelationImpl, TranslatorFlavor); +DEFINE_ZK_SUMCHECK_RELATION_CLASS(TranslatorAccumulatorTransferRelationImpl, TranslatorFlavor); } // namespace bb \ No newline at end of file diff --git a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_extra_relations.hpp b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_extra_relations.hpp index dbc80857edd6..c30ed383a4c2 100644 --- a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_extra_relations.hpp +++ b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_extra_relations.hpp @@ -13,7 +13,7 @@ template class TranslatorOpcodeConstraintRelationImpl { 7 // opcode constraint relation }; /** - * @brief For ZK-Flavors: Upper bound on the degrees of subrelations considered as polynomials only in witness + * @brief Upper bound on the degrees of subrelations considered as polynomials only in witness polynomials, * i.e. all selectors and public polynomials are treated as constants. The subrelation witness degree does not * exceed the subrelation partial degree given by SUBRELATION_PARTIAL_LENGTH - 1. @@ -21,6 +21,8 @@ polynomials, static constexpr std::array SUBRELATION_WITNESS_DEGREES{ 6 // opcode constraint relation }; + // Max among {SUBRELATION_PARTIAL_LENGTH + SUBRELATION_WITNESS_DEGREE} + static constexpr size_t ZK_RELATION_LENGTH = 13; /** * @brief Returns true if the contribution from all subrelations for the provided inputs is identically zero * @@ -47,6 +49,7 @@ polynomials, template class TranslatorAccumulatorTransferRelationImpl { public: using FF = FF_; + static constexpr size_t ZK_RELATION_LENGTH = 5; // 1 + polynomial degree of this relation static constexpr size_t RELATION_LENGTH = 3; // degree((SOME_LAGRANGE)(A-B)) = 2 diff --git a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_non_native_field_relation.cpp b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_non_native_field_relation.cpp index f80ddfe235c6..480c3debd442 100644 --- a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_non_native_field_relation.cpp +++ b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_non_native_field_relation.cpp @@ -2,5 +2,5 @@ #include "barretenberg/translator_vm/translator_flavor.hpp" namespace bb { template class TranslatorNonNativeFieldRelationImpl; -DEFINE_SUMCHECK_RELATION_CLASS(TranslatorNonNativeFieldRelationImpl, TranslatorFlavor); +DEFINE_ZK_SUMCHECK_RELATION_CLASS(TranslatorNonNativeFieldRelationImpl, TranslatorFlavor); } // namespace bb \ No newline at end of file diff --git a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_non_native_field_relation.hpp b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_non_native_field_relation.hpp index 4218c4d4c5e4..468a5c3ae08d 100644 --- a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_non_native_field_relation.hpp +++ b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_non_native_field_relation.hpp @@ -15,7 +15,7 @@ template class TranslatorNonNativeFieldRelationImpl { 3 // Prime subrelation (checks result in native field) }; /** - * @brief For ZK-Flavors: Upper bound on the degrees of subrelations considered as polynomials only in witness + * @brief Upper bound on the degrees of subrelations considered as polynomials only in witness polynomials, * i.e. all selectors and public polynomials are treated as constants. The subrelation witness degree does not * exceed the subrelation partial degree given by SUBRELATION_PARTIAL_LENGTH - 1. @@ -25,6 +25,8 @@ polynomials, 2, // Higher wide limb subrelation (checks result is 0 in higher mod 2¹³⁶), 2 // Prime subrelation (checks result in native field) }; + // Max among {SUBRELATION_PARTIAL_LENGTH + SUBRELATION_WITNESS_DEGREE} + static constexpr size_t ZK_RELATION_LENGTH = 5; /** * @brief Returns true if the contribution from all subrelations for the provided inputs is identically zero * diff --git a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_permutation_relation.cpp b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_permutation_relation.cpp index 81f96d8f8ff0..da62ffb604d5 100644 --- a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_permutation_relation.cpp +++ b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_permutation_relation.cpp @@ -2,5 +2,5 @@ #include "barretenberg/translator_vm/translator_flavor.hpp" namespace bb { template class TranslatorPermutationRelationImpl; -DEFINE_SUMCHECK_RELATION_CLASS(TranslatorPermutationRelationImpl, TranslatorFlavor); +DEFINE_ZK_SUMCHECK_RELATION_CLASS(TranslatorPermutationRelationImpl, TranslatorFlavor); } // namespace bb \ No newline at end of file diff --git a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_permutation_relation.hpp b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_permutation_relation.hpp index 439c17d247d6..5279ca98d129 100644 --- a/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_permutation_relation.hpp +++ b/barretenberg/cpp/src/barretenberg/relations/translator_vm/translator_permutation_relation.hpp @@ -14,7 +14,7 @@ template class TranslatorPermutationRelationImpl { 3 // left-shiftable polynomial sub-relation }; /** - * @brief For ZK-Flavors: The degrees of subrelations considered as polynomials only in witness polynomials, + * @brief The degrees of subrelations considered as polynomials only in witness polynomials, * i.e. all selectors and public polynomials are treated as constants. * */ @@ -22,6 +22,8 @@ template class TranslatorPermutationRelationImpl { 6, // grand product construction sub-relation 1 // left-shiftable polynomial sub-relation }; + // Max among {SUBRELATION_PARTIAL_LENGTH + SUBRELATION_WITNESS_DEGREE} + static constexpr size_t ZK_RELATION_LENGTH = 13; inline static auto& get_grand_product_polynomial(auto& in) { return in.z_perm; } inline static auto& get_shifted_grand_product_polynomial(auto& in) { return in.z_perm_shift; } diff --git a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_flavor.hpp b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_flavor.hpp index eaddea77f9da..088ff2979f7e 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_flavor.hpp @@ -34,7 +34,7 @@ template class ECCVMRecursiveFlavor_ { using PCS = IPA; // Indicates that this flavor runs with non-ZK Sumcheck. - static constexpr bool HasZK = false; + static constexpr bool HasZK = true; static constexpr size_t NUM_WIRES = ECCVMFlavor::NUM_WIRES; // The number of multivariate polynomials on which a sumcheck prover sumcheck operates (including shifts). We often // need containers of this size to hold related data, so we choose a name more agnostic than `NUM_POLYNOMIALS`. @@ -45,6 +45,7 @@ template class ECCVMRecursiveFlavor_ { static constexpr size_t NUM_PRECOMPUTED_ENTITIES = ECCVMFlavor::NUM_PRECOMPUTED_ENTITIES; // The total number of witness entities not including shifts. static constexpr size_t NUM_WITNESS_ENTITIES = ECCVMFlavor::NUM_WITNESS_ENTITIES; + static constexpr size_t NUM_ALL_WITNESS_ENTITIES = ECCVMFlavor::NUM_ALL_WITNESS_ENTITIES; // define the tuple of Relations that comprise the Sumcheck relation // Reuse the Relations from ECCVM @@ -53,7 +54,7 @@ template class ECCVMRecursiveFlavor_ { // think these two are not needed for recursive verifier land // using GrandProductRelations = std::tuple>; // using LookupRelation = ECCVMLookupRelation; - static constexpr size_t MAX_PARTIAL_RELATION_LENGTH = compute_max_partial_relation_length(); + static constexpr size_t MAX_PARTIAL_RELATION_LENGTH = compute_max_partial_relation_length(); // BATCHED_RELATION_PARTIAL_LENGTH = algebraic degree of sumcheck relation *after* multiplying by the `pow_zeta` // random polynomial e.g. For \sum(x) [A(x) * B(x) + C(x)] * PowZeta(X), relation length = 2 and random relation diff --git a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp index 7699e4d4bcbe..2e58d33bc038 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp @@ -70,7 +70,7 @@ template void ECCVMRecursiveVerifier_::verify_proof(co gate_challenges[idx] = transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); } - auto [multivariate_challenge, claimed_evaluations, sumcheck_verified] = + auto [multivariate_challenge, claimed_evaluations, libra_evaluations, sumcheck_verified] = sumcheck.verify(relation_parameters, alpha, gate_challenges); // Compute the Shplemini accumulator consisting of the Shplonk evaluation and the commitments and scalars vector diff --git a/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_flavor.hpp b/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_flavor.hpp index 36f8159dad43..a40cae2ad3b4 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_flavor.hpp @@ -42,7 +42,7 @@ template class TranslatorRecursiveFlavor_ { using VerifierCommitmentKey = bb::VerifierCommitmentKey; // Indicates that this flavor runs with non-ZK Sumcheck. - static constexpr bool HasZK = false; + static constexpr bool HasZK = true; static constexpr size_t MINIMUM_MINI_CIRCUIT_SIZE = 2048; // The size of the circuit which is filled with non-zero values for most polynomials. Most relations (everything @@ -89,7 +89,7 @@ template class TranslatorRecursiveFlavor_ { using Relations = TranslatorFlavor::Relations_; - static constexpr size_t MAX_PARTIAL_RELATION_LENGTH = compute_max_partial_relation_length(); + static constexpr size_t MAX_PARTIAL_RELATION_LENGTH = compute_max_partial_relation_length(); static constexpr size_t MAX_TOTAL_RELATION_LENGTH = compute_max_total_relation_length(); // BATCHED_RELATION_PARTIAL_LENGTH = algebraic degree of sumcheck relation *after* multiplying by the `pow_zeta` diff --git a/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp index fb5a030844fe..7872a5f1f090 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp @@ -111,7 +111,7 @@ std::array TranslatorRecursiveVerifier_template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); } - auto [multivariate_challenge, claimed_evaluations, sumcheck_verified] = + auto [multivariate_challenge, claimed_evaluations, libra_evaluations, sumcheck_verified] = sumcheck.verify(relation_parameters, alpha, gate_challenges); // Execute ZeroMorph rounds followed by the univariate PCS. See https://hackmd.io/dlf9xEwhTQyE3hiGbq4FsA?view for a diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp index 083236863f07..abe5443bea4a 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp @@ -270,7 +270,11 @@ template class SumcheckProver { // The evaluations of Libra uninvariates at \f$ g_0(u_0), \ldots, g_{d-1} (u_{d-1}) \f$ are added to the // transcript. if constexpr (Flavor::HasZK) { - transcript->send_to_verifier("Libra:evaluations", zk_sumcheck_data.libra_evaluations); + for (size_t idx = 0; idx < multivariate_d; idx++) { + const FF& libra_evaluation = zk_sumcheck_data.libra_evaluations[idx]; + std::string libra_evaluation_label = "Libra:evaluation_" + std::to_string(idx); + transcript->send_to_verifier(libra_evaluation_label, libra_evaluation); + } }; // Claimed evaluations of Prover polynomials are extracted and added to the transcript. When Flavor has ZK, the @@ -403,7 +407,9 @@ polynomials that are sent in clear. EvalMaskingScalars eval_masking_scalars; for (size_t k = 0; k < NUM_ALL_WITNESS_ENTITIES; ++k) { - eval_masking_scalars[k] = FF::random_element(); + // TODO(https://github.com/AztecProtocol/barretenberg/issues/1136): Once Shplemini supports ZK, these + // constants must be generated in Oink + eval_masking_scalars[k] = FF(0); }; // Generate random scalars \f$ \rho_1,\ldots, \rho_{N_w}\f$ to mask the evaluations of witness polynomials and // populate the table masking_terms_evaluations with the terms \f$ \rho_j \cdot (1-k) \cdot k \f$ @@ -772,7 +778,7 @@ template class SumcheckVerifier { if constexpr (Flavor::HasZK) { for (size_t idx = 0; idx < multivariate_d; idx++) { libra_evaluations[idx] = - transcript->template receive_from_prover("libra_evaluation" + std::to_string(idx)); + transcript->template receive_from_prover("Libra:evaluation_" + std::to_string(idx)); full_libra_purported_value += libra_evaluations[idx]; }; full_libra_purported_value *= libra_challenge; diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck_round.hpp b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck_round.hpp index f36a0b4627ea..7aaf9e8d793d 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck_round.hpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck_round.hpp @@ -103,34 +103,37 @@ template class SumcheckProverRound { */ template void extend_edges(ExtendedEdges& extended_edges, - ProverPolynomialsOrPartiallyEvaluatedMultivariates& multivariates, - size_t edge_idx, - std::optional> zk_sumcheck_data = std::nullopt) + const ProverPolynomialsOrPartiallyEvaluatedMultivariates& multivariates, + const size_t edge_idx) { + for (auto [extended_edge, multivariate] : zip_view(extended_edges.get_all(), multivariates.get_all())) { + bb::Univariate edge({ multivariate[edge_idx], multivariate[edge_idx + 1] }); + extended_edge = edge.template extend_to(); + } + } - if constexpr (!Flavor::HasZK) { - for (auto [extended_edge, multivariate] : zip_view(extended_edges.get_all(), multivariates.get_all())) { - bb::Univariate edge({ multivariate[edge_idx], multivariate[edge_idx + 1] }); - extended_edge = edge.template extend_to(); - } - } else { - // extend edges of witness polynomials and add correcting terms - for (auto [extended_edge, multivariate, masking_univariate] : - zip_view(extended_edges.get_all_witnesses(), - multivariates.get_all_witnesses(), - zk_sumcheck_data.value().masking_terms_evaluations)) { - bb::Univariate edge({ multivariate[edge_idx], multivariate[edge_idx + 1] }); - extended_edge = edge.template extend_to(); - extended_edge += masking_univariate; - }; - // extend edges of public polynomials - for (auto [extended_edge, multivariate] : - zip_view(extended_edges.get_non_witnesses(), multivariates.get_non_witnesses())) { - bb::Univariate edge({ multivariate[edge_idx], multivariate[edge_idx + 1] }); - extended_edge = edge.template extend_to(); - }; + template + void extend_edges_with_masking(ExtendedEdges& extended_edges, + ProverPolynomialsOrPartiallyEvaluatedMultivariates& multivariates, + const size_t edge_idx, + const ZKSumcheckData& zk_sumcheck_data) + { + // extend edges of witness polynomials and add correcting terms + for (auto [extended_edge, multivariate, masking_univariate] : + zip_view(extended_edges.get_all_witnesses(), + multivariates.get_all_witnesses(), + zk_sumcheck_data.masking_terms_evaluations)) { + bb::Univariate edge({ multivariate[edge_idx], multivariate[edge_idx + 1] }); + extended_edge = edge.template extend_to(); + extended_edge += masking_univariate; }; - } + // extend edges of public polynomials + for (auto [extended_edge, multivariate] : + zip_view(extended_edges.get_non_witnesses(), multivariates.get_non_witnesses())) { + bb::Univariate edge({ multivariate[edge_idx], multivariate[edge_idx + 1] }); + extended_edge = edge.template extend_to(); + }; + }; /** * @brief Return the evaluations of the univariate round polynomials \f$ \tilde{S}_{i} (X_{i}) \f$ at \f$ X_{i } = @@ -161,7 +164,7 @@ template class SumcheckProverRound { const bb::RelationParameters& relation_parameters, const bb::GateSeparatorPolynomial& gate_sparators, const RelationSeparator alpha, - std::optional> zk_sumcheck_data = std::nullopt) // only submitted when Flavor HasZK + ZKSumcheckData zk_sumcheck_data) // only populated when Flavor HasZK { PROFILE_THIS_NAME("compute_univariate"); @@ -192,7 +195,7 @@ template class SumcheckProverRound { if constexpr (!Flavor::HasZK) { extend_edges(extended_edges[thread_idx], polynomials, edge_idx); } else { - extend_edges(extended_edges[thread_idx], polynomials, edge_idx, zk_sumcheck_data); + extend_edges_with_masking(extended_edges[thread_idx], polynomials, edge_idx, zk_sumcheck_data); } // Compute the \f$ \ell \f$-th edge's univariate contribution, // scale it by the corresponding \f$ pow_{\beta} \f$ contribution and add it to the accumulators for \f$ @@ -212,9 +215,9 @@ template class SumcheckProverRound { } // For ZK Flavors: The evaluations of the round univariates are masked by the evaluations of Libra univariates if constexpr (Flavor::HasZK) { - auto libra_round_univariate = compute_libra_round_univariate(zk_sumcheck_data.value(), round_idx); + const auto libra_round_univariate = compute_libra_round_univariate(zk_sumcheck_data, round_idx); // Batch the univariate contributions from each sub-relation to obtain the round univariate - auto round_univariate = + const auto round_univariate = batch_over_relations(univariate_accumulators, alpha, gate_sparators); // Mask the round univariate return round_univariate + libra_round_univariate; diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp b/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp index f438ab379162..57f2db7f4f7a 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp @@ -1,5 +1,6 @@ #pragma once +#include "barretenberg/polynomials/univariate.hpp" #include #include #include diff --git a/barretenberg/cpp/src/barretenberg/translator_vm/translator_flavor.hpp b/barretenberg/cpp/src/barretenberg/translator_vm/translator_flavor.hpp index 1be1825aed2d..828e4deccbe3 100644 --- a/barretenberg/cpp/src/barretenberg/translator_vm/translator_flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/translator_vm/translator_flavor.hpp @@ -34,8 +34,8 @@ class TranslatorFlavor { using BF = Curve::BaseField; using Polynomial = bb::Polynomial; using RelationSeparator = FF; - // Indicates that this flavor runs with non-ZK Sumcheck. - static constexpr bool HasZK = false; + // Indicates that this flavor runs with ZK Sumcheck. + static constexpr bool HasZK = true; static constexpr size_t MINIMUM_MINI_CIRCUIT_SIZE = 2048; // The size of the circuit which is filled with non-zero values for most polynomials. Most relations (everything @@ -93,7 +93,7 @@ class TranslatorFlavor { TranslatorNonNativeFieldRelation>; using Relations = Relations_; - static constexpr size_t MAX_PARTIAL_RELATION_LENGTH = compute_max_partial_relation_length(); + static constexpr size_t MAX_PARTIAL_RELATION_LENGTH = compute_max_partial_relation_length(); static constexpr size_t MAX_TOTAL_RELATION_LENGTH = compute_max_total_relation_length(); // BATCHED_RELATION_PARTIAL_LENGTH = algebraic degree of sumcheck relation *after* multiplying by the `pow_zeta` @@ -104,12 +104,12 @@ class TranslatorFlavor { // define the containers for storing the contributions from each relation in Sumcheck using SumcheckTupleOfTuplesOfUnivariates = - std::tuple::SumcheckTupleOfUnivariatesOverSubrelations, - typename TranslatorDeltaRangeConstraintRelation::SumcheckTupleOfUnivariatesOverSubrelations, - typename TranslatorOpcodeConstraintRelation::SumcheckTupleOfUnivariatesOverSubrelations, - typename TranslatorAccumulatorTransferRelation::SumcheckTupleOfUnivariatesOverSubrelations, - typename TranslatorDecompositionRelation::SumcheckTupleOfUnivariatesOverSubrelations, - typename TranslatorNonNativeFieldRelation::SumcheckTupleOfUnivariatesOverSubrelations>; + std::tuple::ZKSumcheckTupleOfUnivariatesOverSubrelations, + typename TranslatorDeltaRangeConstraintRelation::ZKSumcheckTupleOfUnivariatesOverSubrelations, + typename TranslatorOpcodeConstraintRelation::ZKSumcheckTupleOfUnivariatesOverSubrelations, + typename TranslatorAccumulatorTransferRelation::ZKSumcheckTupleOfUnivariatesOverSubrelations, + typename TranslatorDecompositionRelation::ZKSumcheckTupleOfUnivariatesOverSubrelations, + typename TranslatorNonNativeFieldRelation::ZKSumcheckTupleOfUnivariatesOverSubrelations>; using TupleOfArraysOfValues = decltype(create_tuple_of_arrays_of_values()); /** diff --git a/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp b/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp index 715d799b5c2f..7faad377b6ee 100644 --- a/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp @@ -102,7 +102,7 @@ bool TranslatorVerifier::verify_proof(const HonkProof& proof) gate_challenges[idx] = transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); } - auto [multivariate_challenge, claimed_evaluations, sumcheck_verified] = + auto [multivariate_challenge, claimed_evaluations, libra_evaluations, sumcheck_verified] = sumcheck.verify(relation_parameters, alpha, gate_challenges); // If Sumcheck did not verify, return false diff --git a/barretenberg/ts/src/barretenberg_wasm/barretenberg_wasm_main/index.ts b/barretenberg/ts/src/barretenberg_wasm/barretenberg_wasm_main/index.ts index e8022343df82..1be981669ae9 100644 --- a/barretenberg/ts/src/barretenberg_wasm/barretenberg_wasm_main/index.ts +++ b/barretenberg/ts/src/barretenberg_wasm/barretenberg_wasm_main/index.ts @@ -32,7 +32,7 @@ export class BarretenbergWasmMain extends BarretenbergWasmBase { module: WebAssembly.Module, threads = Math.min(getNumCpu(), BarretenbergWasmMain.MAX_THREADS), logger: (msg: string) => void = debug, - initial = 28, + initial = 30, maximum = 2 ** 16, ) { this.logger = logger;