Barretenberg: src/barretenberg/flavor/multilinear_batching_flavor.hpp Source File

// === AUDIT STATUS ===

// internal:    { status: Complete, auditors: [Sergei], commit: }

// external_1:  { status: not started, auditors: [], commit: }

// external_2:  { status: not started, auditors: [], commit: }

// =====================


#pragma once


#include "barretenberg/commitment_schemes/kzg/kzg.hpp"

#include "barretenberg/common/ref_vector.hpp"

#include "barretenberg/flavor/flavor.hpp"

#include "barretenberg/flavor/flavor_macros.hpp"

#include "barretenberg/flavor/partially_evaluated_multivariates.hpp"

#include "barretenberg/flavor/relation_definitions.hpp"

#include "barretenberg/relations/multilinear_batching/multilinear_batching_relation.hpp"

#include "barretenberg/transcript/transcript.hpp"


namespace bb {


// Forward declaration for debug comparison method

template <typename Curve> struct MultilinearBatchingVerifierClaim;


class MultilinearBatchingFlavor {

  public:

    using Curve = curve::BN254;

    using FF = Curve::ScalarField;

    using GroupElement = Curve::Element;

    using Commitment = Curve::AffineElement;

    using PCS = KZG<Curve>;

    using Polynomial = bb::Polynomial<FF>;

    using CommitmentKey = bb::CommitmentKey<Curve>;

    using VerifierCommitmentKey = bb::VerifierCommitmentKey<Curve>;

    using Transcript = NativeTranscript;

    using Codec = FrCodec;


    // An upper bound on the size of the MultilinearBatching-circuits. `CONST_FOLDING_LOG_N` bounds the log circuit

    // sizes in the Chonk context.

    static constexpr size_t VIRTUAL_LOG_N = CONST_FOLDING_LOG_N;

    static constexpr bool USE_SHORT_MONOMIALS = false;

    // Indicates that this flavor runs with non-ZK Sumcheck.

    static constexpr bool HasZK = false;

    // Indicates that this flavor runs with Multilinear Batching.

    static constexpr bool IS_MULTILINEAR_BATCHING = true;

    // To achieve fixed proof size and that the recursive verifier circuit is constant, we are using padding in Sumcheck

    // and Shplemini

    static constexpr bool USE_PADDING = true;


    // ============ PROOF STRUCTURE CONSTANTS ============

    // Number of accumulator commitments sent in proof (non_shifted + shifted).

    // Note: instance commitments are computed by verifier from Oink witness commitments.

    // Note: eq polynomials are computed from challenges, not committed.

    static constexpr size_t NUM_ACCUMULATOR_COMMITMENTS = 2;

    // Number of accumulator evaluations sent in proof (non_shifted + shifted).

    static constexpr size_t NUM_ACCUMULATOR_EVALUATIONS = 2;


    // ============ SUMCHECK CONSTANTS ============

    // Total polynomials in sumcheck: 4 unshifted + 2 shifted views.

    static constexpr size_t NUM_ALL_ENTITIES = 6;

    static constexpr size_t NUM_SHIFTED_ENTITIES = 2;


    // define the tuple of Relations that comprise the Sumcheck relation

    // Note: made generic for use in MegaRecursive.

    template <typename FF>

    using Relations_ =

        std::tuple<bb::MultilinearBatchingAccumulatorRelation<FF>, bb::MultilinearBatchingInstanceRelation<FF>>;

    using Relations = Relations_<FF>;


    static constexpr size_t MAX_PARTIAL_RELATION_LENGTH = compute_max_partial_relation_length<Relations>();

    // BATCHED_RELATION_PARTIAL_LENGTH = algebraic degree of sumcheck relation *after* multiplying by the `pow_zeta`

    // random polynomial e.g. For \sum(x) [A(x) * B(x) + C(x)] * PowZeta(X), relation length = 2 and random relation

    // length = 3

    static constexpr size_t BATCHED_RELATION_PARTIAL_LENGTH = MAX_PARTIAL_RELATION_LENGTH + 1;

    static constexpr size_t NUM_RELATIONS = std::tuple_size_v<Relations>;


    // A challenge whose powers are used to batch subrelation contributions during Sumcheck

    static constexpr size_t NUM_SUBRELATIONS = compute_number_of_subrelations<Relations>();

    using SubrelationSeparator = FF;


    template <typename DataType> class AllEntities {

      public:

        DEFINE_FLAVOR_MEMBERS(DataType,

                              batched_unshifted_accumulator, // Accumulator's batched unshifted poly (committed)

                              batched_unshifted_instance,    // Instance's batched unshifted poly (verifier computes)

                              eq_accumulator,                // eq(u, r_acc) selector (derived from challenges)

                              eq_instance,                   // eq(u, r_inst) selector (derived from challenges)

                              batched_shifted_accumulator,   // Accumulator's batched shifted poly

                              batched_shifted_instance);     // Instance's batched shifted poly


        auto get_unshifted()

        {

            return RefArray{ batched_unshifted_accumulator, batched_unshifted_instance, eq_accumulator, eq_instance };

        };


        auto get_shifted() { return RefArray{ batched_shifted_accumulator, batched_shifted_instance }; };

    };


    class AllValues : public AllEntities<FF> {

      public:

        using Base = AllEntities<FF>;

        using Base::Base;

    };


    class ProverPolynomials : public AllEntities<Polynomial> {

      public:

        [[nodiscard]] size_t get_polynomial_size() const { return batched_unshifted_accumulator.size(); }


        void increase_polynomials_virtual_size(const size_t size_in)

        {

            for (auto& polynomial : this->get_all()) {

                polynomial.increase_virtual_size(size_in);

            }

        }


    };


    struct ProverClaim {

        std::vector<FF> challenge;         // Evaluation point r

        FF non_shifted_evaluation;         // Claimed value P(r)

        FF shifted_evaluation;             // Claimed value P_shifted(r)

        Polynomial non_shifted_polynomial; // The polynomial P

        Polynomial shifted_polynomial;     // The shiftable polynomial (pre-shift form)

        Commitment non_shifted_commitment; // Commitment [P]

        Commitment shifted_commitment;     // Commitment [P_shifted]

        size_t dyadic_size;                // Size of the polynomial domain


#ifndef NDEBUG

        bool compare_with_verifier_claim(const MultilinearBatchingVerifierClaim<curve::BN254>& verifier_claim);

#endif

    };


    class ProvingKey {

      public:

        // Polynomials for sumcheck: batched witnesses + eq selectors

        ProverPolynomials polynomials;


        // Evaluation points r_acc and r_inst (sent to verifier for eq polynomial construction)

        std::vector<FF> accumulator_challenge;

        std::vector<FF> instance_challenge;


        // Claimed evaluations v_acc = P_acc(r_acc) and v_inst = P_inst(r_inst)

        std::vector<FF> accumulator_evaluations;

        std::vector<FF> instance_evaluations;


        size_t circuit_size;


        // Commitments [P_acc] and [P_inst] - combined into output claim's commitment

        Commitment non_shifted_accumulator_commitment;

        Commitment shifted_accumulator_commitment;

        Commitment non_shifted_instance_commitment;

        Commitment shifted_instance_commitment;


        // Pre-shifted polynomials for computing new claim's shifted polynomial

        Polynomial preshifted_accumulator;

        Polynomial preshifted_instance;


        ProvingKey() = default;


        ProvingKey(ProverClaim&& accumulator_claim, ProverClaim&& instance_claim);

    };


    using PartiallyEvaluatedMultivariates =

        PartiallyEvaluatedMultivariatesBase<AllEntities<Polynomial>, ProverPolynomials, Polynomial>;


    template <size_t LENGTH> using ProverUnivariates = AllEntities<bb::Univariate<FF, LENGTH>>;


    using ExtendedEdges = ProverUnivariates<MAX_PARTIAL_RELATION_LENGTH>;

};


// Type alias for external usage

using MultilinearBatchingProverClaim = MultilinearBatchingFlavor::ProverClaim;


} // namespace bb

bb::BaseTranscript
Common transcript class for both parties. Stores the data for the current round, as well as the manif...
Definition transcript.hpp:41

bb::CommitmentKey
CommitmentKey object over a pairing group 𝔾₁.
Definition commitment_key.hpp:35

bb::FrCodec
Definition field_conversion.hpp:19

bb::KZG
Definition kzg.hpp:21

bb::MultilinearBatchingFlavor::AllEntities
All polynomials used in multilinear batching sumcheck.
Definition multilinear_batching_flavor.hpp:90

bb::MultilinearBatchingFlavor::AllEntities::DEFINE_FLAVOR_MEMBERS
DEFINE_FLAVOR_MEMBERS(DataType, batched_unshifted_accumulator, batched_unshifted_instance, eq_accumulator, eq_instance, batched_shifted_accumulator, batched_shifted_instance)

bb::MultilinearBatchingFlavor::AllEntities::get_unshifted
auto get_unshifted()
Definition multilinear_batching_flavor.hpp:100

bb::MultilinearBatchingFlavor::AllEntities::get_shifted
auto get_shifted()
Definition multilinear_batching_flavor.hpp:104

bb::MultilinearBatchingFlavor::AllValues
A field element for each entity of the flavor. These entities represent the prover polynomials evalua...
Definition multilinear_batching_flavor.hpp:111

bb::MultilinearBatchingFlavor::ProverPolynomials
A container for the prover polynomials handles.
Definition multilinear_batching_flavor.hpp:120

bb::MultilinearBatchingFlavor::ProverPolynomials::increase_polynomials_virtual_size
void increase_polynomials_virtual_size(const size_t size_in)
Definition multilinear_batching_flavor.hpp:123

bb::MultilinearBatchingFlavor::ProverPolynomials::get_polynomial_size
size_t get_polynomial_size() const
Definition multilinear_batching_flavor.hpp:122

bb::MultilinearBatchingFlavor::ProvingKey
The proving key for multilinear batching sumcheck.
Definition multilinear_batching_flavor.hpp:181

bb::MultilinearBatchingFlavor::ProvingKey::instance_evaluations
std::vector< FF > instance_evaluations
Definition multilinear_batching_flavor.hpp:192

bb::MultilinearBatchingFlavor::ProvingKey::accumulator_challenge
std::vector< FF > accumulator_challenge
Definition multilinear_batching_flavor.hpp:187

bb::MultilinearBatchingFlavor::ProvingKey::shifted_instance_commitment
Commitment shifted_instance_commitment
Definition multilinear_batching_flavor.hpp:200

bb::MultilinearBatchingFlavor::ProvingKey::preshifted_instance
Polynomial preshifted_instance
Definition multilinear_batching_flavor.hpp:204

bb::MultilinearBatchingFlavor::ProvingKey::polynomials
ProverPolynomials polynomials
Definition multilinear_batching_flavor.hpp:184

bb::MultilinearBatchingFlavor::ProvingKey::ProvingKey
ProvingKey()=default

bb::MultilinearBatchingFlavor::ProvingKey::preshifted_accumulator
Polynomial preshifted_accumulator
Definition multilinear_batching_flavor.hpp:203

bb::MultilinearBatchingFlavor::ProvingKey::accumulator_evaluations
std::vector< FF > accumulator_evaluations
Definition multilinear_batching_flavor.hpp:191

bb::MultilinearBatchingFlavor::ProvingKey::non_shifted_accumulator_commitment
Commitment non_shifted_accumulator_commitment
Definition multilinear_batching_flavor.hpp:197

bb::MultilinearBatchingFlavor::ProvingKey::circuit_size
size_t circuit_size
Definition multilinear_batching_flavor.hpp:194

bb::MultilinearBatchingFlavor::ProvingKey::non_shifted_instance_commitment
Commitment non_shifted_instance_commitment
Definition multilinear_batching_flavor.hpp:199

bb::MultilinearBatchingFlavor::ProvingKey::instance_challenge
std::vector< FF > instance_challenge
Definition multilinear_batching_flavor.hpp:188

bb::MultilinearBatchingFlavor::ProvingKey::shifted_accumulator_commitment
Commitment shifted_accumulator_commitment
Definition multilinear_batching_flavor.hpp:198

bb::MultilinearBatchingFlavor
Definition multilinear_batching_flavor.hpp:23

bb::MultilinearBatchingFlavor::NUM_ACCUMULATOR_EVALUATIONS
static constexpr size_t NUM_ACCUMULATOR_EVALUATIONS
Definition multilinear_batching_flavor.hpp:54

bb::MultilinearBatchingFlavor::Commitment
Curve::AffineElement Commitment
Definition multilinear_batching_flavor.hpp:28

bb::MultilinearBatchingFlavor::NUM_SUBRELATIONS
static constexpr size_t NUM_SUBRELATIONS
Definition multilinear_batching_flavor.hpp:76

bb::MultilinearBatchingFlavor::BATCHED_RELATION_PARTIAL_LENGTH
static constexpr size_t BATCHED_RELATION_PARTIAL_LENGTH
Definition multilinear_batching_flavor.hpp:72

bb::MultilinearBatchingFlavor::MAX_PARTIAL_RELATION_LENGTH
static constexpr size_t MAX_PARTIAL_RELATION_LENGTH
Definition multilinear_batching_flavor.hpp:68

bb::MultilinearBatchingFlavor::NUM_SHIFTED_ENTITIES
static constexpr size_t NUM_SHIFTED_ENTITIES
Definition multilinear_batching_flavor.hpp:59

bb::MultilinearBatchingFlavor::IS_MULTILINEAR_BATCHING
static constexpr bool IS_MULTILINEAR_BATCHING
Definition multilinear_batching_flavor.hpp:43

bb::MultilinearBatchingFlavor::Relations
Relations_< FF > Relations
Definition multilinear_batching_flavor.hpp:66

bb::MultilinearBatchingFlavor::USE_PADDING
static constexpr bool USE_PADDING
Definition multilinear_batching_flavor.hpp:46

bb::MultilinearBatchingFlavor::FF
Curve::ScalarField FF
Definition multilinear_batching_flavor.hpp:26

bb::MultilinearBatchingFlavor::HasZK
static constexpr bool HasZK
Definition multilinear_batching_flavor.hpp:41

bb::MultilinearBatchingFlavor::GroupElement
Curve::Element GroupElement
Definition multilinear_batching_flavor.hpp:27

bb::MultilinearBatchingFlavor::USE_SHORT_MONOMIALS
static constexpr bool USE_SHORT_MONOMIALS
Definition multilinear_batching_flavor.hpp:39

bb::MultilinearBatchingFlavor::NUM_ALL_ENTITIES
static constexpr size_t NUM_ALL_ENTITIES
Definition multilinear_batching_flavor.hpp:58

bb::MultilinearBatchingFlavor::NUM_RELATIONS
static constexpr size_t NUM_RELATIONS
Definition multilinear_batching_flavor.hpp:73

bb::MultilinearBatchingFlavor::NUM_ACCUMULATOR_COMMITMENTS
static constexpr size_t NUM_ACCUMULATOR_COMMITMENTS
Definition multilinear_batching_flavor.hpp:52

bb::MultilinearBatchingFlavor::Relations_
std::tuple< bb::MultilinearBatchingAccumulatorRelation< FF >, bb::MultilinearBatchingInstanceRelation< FF > > Relations_
Definition multilinear_batching_flavor.hpp:65

bb::MultilinearBatchingFlavor::VIRTUAL_LOG_N
static constexpr size_t VIRTUAL_LOG_N
Definition multilinear_batching_flavor.hpp:38

bb::PartiallyEvaluatedMultivariatesBase
A container for storing the partially evaluated multivariates produced by sumcheck.
Definition partially_evaluated_multivariates.hpp:25

bb::Polynomial< FF >

bb::RefArray
A template class for a reference array. Behaves as if std::array<T&, N> was possible.
Definition ref_array.hpp:22

bb::Relation
A wrapper for Relations to expose methods used by the Sumcheck prover or verifier to add the contribu...
Definition relation_types.hpp:96

bb::VerifierCommitmentKey
Representation of the Grumpkin Verifier Commitment Key inside a bn254 circuit.
Definition verifier_commitment_key.hpp:16

bb::curve::BN254
Definition bn254.hpp:16

bb::curve::BN254::Element
typename Group::element Element
Definition bn254.hpp:21

bb::curve::BN254::AffineElement
typename Group::affine_element AffineElement
Definition bn254.hpp:22

bb::curve::BN254::ScalarField
bb::fr ScalarField
Definition bn254.hpp:18

flavor.hpp
Base class templates for structures that contain data parameterized by the fundamental polynomials of...

flavor_macros.hpp

kzg.hpp

multilinear_batching_relation.hpp

bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5

bb::NativeTranscript
BaseTranscript< FrCodec, bb::crypto::Poseidon2< bb::crypto::Poseidon2Bn254ScalarFieldParams > > NativeTranscript
Definition transcript.hpp:497

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

partially_evaluated_multivariates.hpp

ref_vector.hpp

relation_definitions.hpp

bb::MultilinearBatchingFlavor::ProverClaim
Prover's claim for multilinear batching - contains polynomials and their evaluation claims.
Definition multilinear_batching_flavor.hpp:136

bb::MultilinearBatchingFlavor::ProverClaim::non_shifted_commitment
Commitment non_shifted_commitment
Definition multilinear_batching_flavor.hpp:142

bb::MultilinearBatchingFlavor::ProverClaim::shifted_polynomial
Polynomial shifted_polynomial
Definition multilinear_batching_flavor.hpp:141

bb::MultilinearBatchingFlavor::ProverClaim::shifted_evaluation
FF shifted_evaluation
Definition multilinear_batching_flavor.hpp:139

bb::MultilinearBatchingFlavor::ProverClaim::non_shifted_polynomial
Polynomial non_shifted_polynomial
Definition multilinear_batching_flavor.hpp:140

bb::MultilinearBatchingFlavor::ProverClaim::dyadic_size
size_t dyadic_size
Definition multilinear_batching_flavor.hpp:144

bb::MultilinearBatchingFlavor::ProverClaim::compare_with_verifier_claim
bool compare_with_verifier_claim(const MultilinearBatchingVerifierClaim< curve::BN254 > &verifier_claim)
Debug helper to compare prover claim against verifier claim.
Definition multilinear_batching_flavor.cpp:54

bb::MultilinearBatchingFlavor::ProverClaim::challenge
std::vector< FF > challenge
Definition multilinear_batching_flavor.hpp:137

bb::MultilinearBatchingFlavor::ProverClaim::non_shifted_evaluation
FF non_shifted_evaluation
Definition multilinear_batching_flavor.hpp:138

bb::MultilinearBatchingFlavor::ProverClaim::shifted_commitment
Commitment shifted_commitment
Definition multilinear_batching_flavor.hpp:143

bb::MultilinearBatchingVerifierClaim
Verifier's claim for multilinear batching - contains commitments and evaluation claims.
Definition multilinear_batching_claims.hpp:18

bb::field< Bn254FrParams >

transcript.hpp