24 if (!prover_instance->commitment_key.initialized()) {
25 prover_instance->commitment_key =
CommitmentKey(prover_instance->dyadic_size());
28 execute_preamble_round();
30 commit_to_masking_poly();
32 execute_wire_commitments_round();
34 execute_sorted_list_accumulator_round();
36 execute_log_derivative_inverse_round();
38 execute_grand_product_computation_round();
41 prover_instance->alpha = generate_alpha_round();
55 return transcript->export_proof();
65 fr vk_hash = honk_vk->hash_with_origin_tagging(*transcript);
66 transcript->add_to_hash_buffer(domain_separator +
"vk_hash", vk_hash);
67 vinfo(
"vk hash in Oink prover: ", vk_hash);
69 for (
size_t i = 0; i < prover_instance->num_public_inputs(); ++i) {
70 auto public_input_i = prover_instance->public_inputs[i];
71 transcript->send_to_verifier(domain_separator +
"public_input_" +
std::to_string(i), public_input_i);
85 auto batch = prover_instance->commitment_key.start_batch();
89 batch.add_to_batch(prover_instance->polynomials.w_l, commitment_labels.w_l,
Flavor::HasZK);
90 batch.add_to_batch(prover_instance->polynomials.w_r, commitment_labels.w_r,
Flavor::HasZK);
91 batch.add_to_batch(prover_instance->polynomials.w_o, commitment_labels.w_o,
Flavor::HasZK);
99 bool mask_ecc_op_polys =
false;
101 for (
auto [polynomial, label] :
102 zip_view(prover_instance->polynomials.get_ecc_op_wires(), commitment_labels.get_ecc_op_wires())) {
105 batch.add_to_batch(polynomial, domain_separator + label, mask_ecc_op_polys);
110 for (
auto [polynomial, label] :
111 zip_view(prover_instance->polynomials.get_databus_entities(), commitment_labels.get_databus_entities())) {
114 bool is_unmasked_databus_commitment = label ==
"CALLDATA";
115 batch.add_to_batch(polynomial, label,
Flavor::HasZK && !is_unmasked_databus_commitment);
120 auto computed_commitments = batch.commit_and_send_to_verifier(transcript);
121 prover_instance->commitments.w_l = computed_commitments[0];
122 prover_instance->commitments.w_r = computed_commitments[1];
123 prover_instance->commitments.w_o = computed_commitments[2];
126 size_t commitment_idx = 3;
127 for (
auto& commitment : prover_instance->commitments.get_ecc_op_wires()) {
128 commitment = computed_commitments[commitment_idx];
132 for (
auto& commitment : prover_instance->commitments.get_databus_entities()) {
133 commitment = computed_commitments[commitment_idx];
145 BB_BENCH_NAME(
"OinkProver::execute_sorted_list_accumulator_round");
147 prover_instance->relation_parameters.compute_eta_powers(transcript->template get_challenge<FF>(
"eta"));
150 prover_instance->memory_read_records,
151 prover_instance->memory_write_records,
152 prover_instance->relation_parameters.eta,
153 prover_instance->relation_parameters.eta_two,
154 prover_instance->relation_parameters.eta_three);
157 auto batch = prover_instance->commitment_key.start_batch();
158 batch.add_to_batch(prover_instance->polynomials.lookup_read_counts,
159 commitment_labels.lookup_read_counts,
162 prover_instance->polynomials.lookup_read_tags, commitment_labels.lookup_read_tags,
Flavor::HasZK);
164 prover_instance->polynomials.w_4, domain_separator + commitment_labels.w_4,
Flavor::HasZK);
165 auto computed_commitments = batch.commit_and_send_to_verifier(transcript);
167 prover_instance->commitments.lookup_read_counts = computed_commitments[0];
168 prover_instance->commitments.lookup_read_tags = computed_commitments[1];
169 prover_instance->commitments.w_4 = computed_commitments[2];
178 BB_BENCH_NAME(
"OinkProver::execute_log_derivative_inverse_round");
179 auto [beta, gamma] = transcript->template get_challenges<FF>(
181 prover_instance->relation_parameters.compute_beta_powers(beta);
182 prover_instance->relation_parameters.gamma = gamma;
186 prover_instance->polynomials, prover_instance->dyadic_size(), prover_instance->relation_parameters);
188 auto batch = prover_instance->commitment_key.start_batch();
189 batch.add_to_batch(prover_instance->polynomials.lookup_inverses,
190 commitment_labels.lookup_inverses,
195 for (
auto [polynomial, label] :
196 zip_view(prover_instance->polynomials.get_databus_inverses(), commitment_labels.get_databus_inverses())) {
200 auto computed_commitments = batch.commit_and_send_to_verifier(transcript);
202 prover_instance->commitments.lookup_inverses = computed_commitments[0];
204 size_t commitment_idx = 1;
205 for (
auto& commitment : prover_instance->commitments.get_databus_inverses()) {
206 commitment = computed_commitments[commitment_idx];
218 BB_BENCH_NAME(
"OinkProver::execute_grand_product_computation_round");
222 prover_instance->public_inputs,
223 prover_instance->pub_inputs_offset(),
224 prover_instance->relation_parameters,
225 prover_instance->get_final_active_wire_idx() + 1);
229 prover_instance->commitments.z_perm =
230 commit_to_witness_polynomial(prover_instance->polynomials.z_perm, commitment_labels.z_perm);
240 return transcript->template get_challenge<FF>(domain_separator +
"alpha");
250template <IsUltraOrMegaHonk Flavor>
252 const std::string& label)
262 commitment = prover_instance->commitment_key.commit(polynomial);
264 transcript->send_to_verifier(domain_separator + label, commitment);
273 const size_t polynomial_size = prover_instance->dyadic_size();
277 auto masking_commitment =
278 prover_instance->commitment_key.commit(prover_instance->polynomials.gemini_masking_poly);
279 transcript->send_to_verifier(
"Gemini:masking_poly_comm", masking_commitment);
286#ifdef STARKNET_GARAGA_FLAVORS
#define BB_BENCH_NAME(name)
static constexpr bool HasZK
typename G1::affine_element Commitment
Class for all the oink rounds, which are shared between the folding prover and ultra prover.
Proof export_proof()
Export the Oink proof.
Flavor::Commitment commit_to_witness_polynomial(Polynomial< FF > &polynomial, const std::string &label)
A uniform method to mask, commit, and send the corresponding commitment to the verifier.
void execute_log_derivative_inverse_round()
Compute log derivative inverse polynomial and its commitment, if required.
void execute_grand_product_computation_round()
Compute permutation and lookup grand product polynomials and their commitments.
void prove()
Oink Prover function that runs all the rounds of the verifier.
SubrelationSeparator generate_alpha_round()
void execute_preamble_round()
Add circuit size, public input size, and public inputs to transcript.
typename Flavor::CommitmentKey CommitmentKey
void execute_sorted_list_accumulator_round()
Compute sorted witness-table accumulator and commit to the resulting polynomials.
void commit_to_masking_poly()
void execute_wire_commitments_round()
Commit to the wire polynomials (part of the witness), with the exception of the fourth wire,...
typename Transcript::Proof Proof
Structured polynomial class that represents the coefficients 'a' of a_0 + a_1 x .....
static Polynomial random(size_t size, size_t start_index=0)
void mask()
Add random values to the coefficients of a polynomial. In practice, this is used for ensuring the com...
static void compute_logderivative_inverses(Flavor::ProverPolynomials &polynomials, const size_t circuit_size, RelationParameters< FF > &relation_parameters)
Compute the inverse polynomials used in the log derivative lookup relations.
static void compute_grand_product_polynomial(Flavor::ProverPolynomials &polynomials, std::vector< FF > &public_inputs, const size_t pub_inputs_offset, RelationParameters< FF > &relation_parameters, size_t size_override=0)
Computes public_input_delta and the permutation grand product polynomial.
static void add_ram_rom_memory_records_to_wire_4(typename Flavor::ProverPolynomials &polynomials, const std::vector< uint32_t > &memory_read_records, const std::vector< uint32_t > &memory_write_records, const FF &eta, const FF &eta_two, const FF &eta_three)
Add RAM/ROM memory records to the fourth wire polynomial.
Entry point for Barretenberg command-line interface.
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
std::string to_string(bb::avm2::ValueTag tag)
1.9.8