Skip to content

Commit

Permalink
feat: Shplonk revival in ECCVM (#7164)
Browse files Browse the repository at this point in the history 
Refactor Shplonk to have better encapsulated functionality on proving
side and integrate it in ECCVM. Until now, we performed two IPA rounds
in ECCVM, the second one necessary to ensure the consistency of
transcript polynomials. We introduce Shplonk to batch the two opening
claims and perform one round of IPA which reduces the number of
constraints by ~5 million constraints in the ClientIVCRecursiveVerifier.
The branch also includes small refactorings in ECCVM prover and
verifier.
```
Before: 17956264
After: 12495384
```
(number of gates produced by running the `prove_tube` flow in branch and
master)
  • Loading branch information
@maramihali
maramihali authored Jun 25, 2024
1 parent bb38246 commit 34eb5a0
Show file tree
Hide file tree
Showing 18 changed files with 286 additions and 328 deletions.
2 changes: 1 addition & 1 deletion barretenberg/cpp/src/barretenberg/benchmark/ipa_bench/ipa.bench.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ void ipa_open(State& state) noexcept
auto prover_transcript = std::make_shared<NativeTranscript>();
state.ResumeTiming();
// Compute proof
IPA<Curve>::compute_opening_proof(ck, opening_pair, poly, prover_transcript);
IPA<Curve>::compute_opening_proof(ck, { poly, opening_pair }, prover_transcript);
// Store info for verifier
prover_transcripts[static_cast<size_t>(state.range(0)) - MIN_POLYNOMIAL_DEGREE_LOG2] = prover_transcript;
opening_claims[static_cast<size_t>(state.range(0)) - MIN_POLYNOMIAL_DEGREE_LOG2] = opening_claim;
Expand Down
7 changes: 3 additions & 4 deletions barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.fuzzer.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,11 +21,10 @@ class ProxyCaller {
public:
template <typename Transcript>
static void compute_opening_proof_internal(const std::shared_ptr<CommitmentKey<Curve>>& ck,
const OpeningPair<Curve>& opening_pair,
const Polynomial<Curve::ScalarField>& polynomial,
const ProverOpeningClaim<Curve>& opening_claim,
const std::shared_ptr<Transcript>& transcript)
{
IPA<Curve>::compute_opening_proof_internal(ck, opening_pair, polynomial, transcript);
IPA<Curve>::compute_opening_proof_internal(ck, opening_claim, transcript);
}
template <typename Transcript>
static bool verify_internal(const std::shared_ptr<VerifierCommitmentKey<Curve>>& vk,
Expand Down Expand Up @@ -145,7 +144,7 @@ extern "C" int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size)
}
auto const opening_pair = OpeningPair<Curve>{ x, poly.evaluate(x) };
auto const opening_claim = OpeningClaim<Curve>{ opening_pair, ck->commit(poly) };
ProxyCaller::compute_opening_proof_internal(ck, opening_pair, poly, transcript);
ProxyCaller::compute_opening_proof_internal(ck, { poly, opening_pair }, transcript);

// Reset challenge indices
transcript->reset_indices();
Expand Down
12 changes: 7 additions & 5 deletions barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.hpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -130,10 +130,12 @@ template <typename Curve_> class IPA {
*/
template <typename Transcript>
static void compute_opening_proof_internal(const std::shared_ptr<CK>& ck,
const OpeningPair<Curve>& opening_pair,
const Polynomial& polynomial,
const ProverOpeningClaim<Curve>& opening_claim,
const std::shared_ptr<Transcript>& transcript)
{

Polynomial polynomial = opening_claim.polynomial;

// clang-format on
auto poly_length = static_cast<size_t>(polynomial.size());

Expand Down Expand Up @@ -184,6 +186,7 @@ template <typename Curve_> class IPA {

// Step 5.
// Compute vector b (vector of the powers of the challenge)
OpeningPair<Curve> opening_pair = opening_claim.opening_pair;
std::vector<Fr> b_vec(poly_length);
run_loop_in_parallel_if_effective(
poly_length,
Expand Down Expand Up @@ -603,11 +606,10 @@ template <typename Curve_> class IPA {
* compute_opening_proof_internal \endlink.
*/
static void compute_opening_proof(const std::shared_ptr<CK>& ck,
const OpeningPair<Curve>& opening_pair,
const Polynomial& polynomial,
const ProverOpeningClaim<Curve>& opening_claim,
const std::shared_ptr<NativeTranscript>& transcript)
{
compute_opening_proof_internal(ck, opening_pair, polynomial, transcript);
compute_opening_proof_internal(ck, opening_claim, transcript);
}

/**
Expand Down
28 changes: 12 additions & 16 deletions barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@ TEST_F(IPATest, OpenZeroPolynomial)

// initialize empty prover transcript
auto prover_transcript = std::make_shared<NativeTranscript>();
IPA::compute_opening_proof(this->ck(), opening_pair, poly, prover_transcript);
IPA::compute_opening_proof(this->ck(), { poly, opening_pair }, prover_transcript);

// initialize verifier transcript from proof data
auto verifier_transcript = std::make_shared<NativeTranscript>(prover_transcript->proof_data);
Expand All @@ -92,7 +92,7 @@ TEST_F(IPATest, OpenAtZero)

// initialize empty prover transcript
auto prover_transcript = std::make_shared<NativeTranscript>();
IPA::compute_opening_proof(this->ck(), opening_pair, poly, prover_transcript);
IPA::compute_opening_proof(this->ck(), { poly, opening_pair }, prover_transcript);

// initialize verifier transcript from proof data
auto verifier_transcript = std::make_shared<NativeTranscript>(prover_transcript->proof_data);
Expand Down Expand Up @@ -131,7 +131,7 @@ TEST_F(IPATest, ChallengesAreZero)
auto new_random_vector = random_vector;
new_random_vector[i] = Fr::zero();
transcript->initialize(new_random_vector);
EXPECT_ANY_THROW(IPA::compute_opening_proof_internal(this->ck(), opening_pair, poly, transcript));
EXPECT_ANY_THROW(IPA::compute_opening_proof_internal(this->ck(), { poly, opening_pair }, transcript));
}
// Fill out a vector of affine elements that the verifier receives from the prover with generators (we don't care
// about them right now)
Expand Down Expand Up @@ -181,7 +181,7 @@ TEST_F(IPATest, AIsZeroAfterOneRound)
transcript->initialize(random_vector);

// Compute opening proof
IPA::compute_opening_proof_internal(this->ck(), opening_pair, poly, transcript);
IPA::compute_opening_proof_internal(this->ck(), { poly, opening_pair }, transcript);

// Reset indices
transcript->reset_indices();
Expand Down Expand Up @@ -221,7 +221,7 @@ TEST_F(IPATest, Open)

// initialize empty prover transcript
auto prover_transcript = std::make_shared<NativeTranscript>();
IPA::compute_opening_proof(this->ck(), opening_pair, poly, prover_transcript);
IPA::compute_opening_proof(this->ck(), { poly, opening_pair }, prover_transcript);

// initialize verifier transcript from proof data
auto verifier_transcript = std::make_shared<NativeTranscript>(prover_transcript->proof_data);
Expand Down Expand Up @@ -295,22 +295,18 @@ TEST_F(IPATest, GeminiShplonkIPAWithShift)
const auto [gemini_opening_pairs, gemini_witnesses] = GeminiProver::compute_fold_polynomial_evaluations(
mle_opening_point, std::move(gemini_polynomials), r_challenge);

std::vector<ProverOpeningClaim<Curve>> opening_claims;

for (size_t l = 0; l < log_n; ++l) {
std::string label = "Gemini:a_" + std::to_string(l);
const auto& evaluation = gemini_opening_pairs[l + 1].evaluation;
prover_transcript->send_to_verifier(label, evaluation);
opening_claims.emplace_back(gemini_witnesses[l], gemini_opening_pairs[l]);
}
opening_claims.emplace_back(gemini_witnesses[log_n], gemini_opening_pairs[log_n]);

const Fr nu_challenge = prover_transcript->template get_challenge<Fr>("Shplonk:nu");
auto batched_quotient_Q =
ShplonkProver::compute_batched_quotient(gemini_opening_pairs, gemini_witnesses, nu_challenge);
prover_transcript->send_to_verifier("Shplonk:Q", this->ck()->commit(batched_quotient_Q));

const Fr z_challenge = prover_transcript->template get_challenge<Fr>("Shplonk:z");
const auto [shplonk_opening_pair, shplonk_witness] = ShplonkProver::compute_partially_evaluated_batched_quotient(
gemini_opening_pairs, gemini_witnesses, std::move(batched_quotient_Q), nu_challenge, z_challenge);

IPA::compute_opening_proof(this->ck(), shplonk_opening_pair, shplonk_witness, prover_transcript);
const auto opening_claim = ShplonkProver::prove(this->ck(), opening_claims, prover_transcript);
IPA::compute_opening_proof(this->ck(), opening_claim, prover_transcript);

auto verifier_transcript = NativeTranscript::verifier_init_empty(prover_transcript);

Expand All @@ -321,7 +317,7 @@ TEST_F(IPATest, GeminiShplonkIPAWithShift)
verifier_transcript);

const auto shplonk_verifier_claim =
ShplonkVerifier::reduce_verification(this->vk(), gemini_verifier_claim, verifier_transcript);
ShplonkVerifier::reduce_verification(this->vk()->get_g1_identity(), gemini_verifier_claim, verifier_transcript);
auto result = IPA::reduce_verify(this->vk(), shplonk_verifier_claim, verifier_transcript);

EXPECT_EQ(result, true);
Expand Down
14 changes: 7 additions & 7 deletions barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.hpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,19 +26,19 @@ template <typename Curve_> class KZG {
* @brief Computes the KZG commitment to an opening proof polynomial at a single evaluation point
*
* @param ck The commitment key which has a commit function, the srs and pippenger_runtime_state
* @param opening_pair OpeningPair = {r, v = p(r)}
* @param polynomial The witness whose opening proof needs to be computed
* @param opening_claim {p, (r, v = p(r))} where p is the witness polynomial whose opening proof needs to be
* computed
* @param prover_transcript Prover transcript
*/
static void compute_opening_proof(std::shared_ptr<CK> ck,
const OpeningPair<Curve>& opening_pair,
const Polynomial& polynomial,
const ProverOpeningClaim<Curve>& opening_claim,
const std::shared_ptr<NativeTranscript>& prover_trancript)
{
Polynomial quotient = polynomial;
quotient[0] -= opening_pair.evaluation;
Polynomial quotient = opening_claim.polynomial;
OpeningPair<Curve> pair = opening_claim.opening_pair;
quotient[0] -= pair.evaluation;
// Computes the coefficients for the quotient polynomial q(X) = (p(X) - v) / (X - r) through an FFT
quotient.factor_roots(opening_pair.challenge);
quotient.factor_roots(pair.challenge);
auto quotient_commitment = ck->commit(quotient);
// TODO(#479): for now we compute the KZG commitment directly to unify the KZG and IPA interfaces but in the
// future we might need to adjust this to use the incoming alternative to work queue (i.e. variation of
Expand Down
18 changes: 7 additions & 11 deletions barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ TYPED_TEST(KZGTest, single)

auto prover_transcript = NativeTranscript::prover_init_empty();

KZG::compute_opening_proof(this->ck(), opening_pair, witness, prover_transcript);
KZG::compute_opening_proof(this->ck(), { witness, opening_pair }, prover_transcript);

auto verifier_transcript = NativeTranscript::verifier_init_empty(prover_transcript);
auto pairing_points = KZG::reduce_verify(opening_claim, verifier_transcript);
Expand Down Expand Up @@ -130,27 +130,23 @@ TYPED_TEST(KZGTest, GeminiShplonkKzgWithShift)
const auto [gemini_opening_pairs, gemini_witnesses] = GeminiProver::compute_fold_polynomial_evaluations(
mle_opening_point, std::move(gemini_polynomials), r_challenge);

std::vector<ProverOpeningClaim<TypeParam>> opening_claims;
for (size_t l = 0; l < log_n; ++l) {
std::string label = "Gemini:a_" + std::to_string(l);
const auto& evaluation = gemini_opening_pairs[l + 1].evaluation;
prover_transcript->send_to_verifier(label, evaluation);
opening_claims.emplace_back(gemini_witnesses[l], gemini_opening_pairs[l]);
}
opening_claims.emplace_back(gemini_witnesses[log_n], gemini_opening_pairs[log_n]);

// Shplonk prover output:
// - opening pair: (z_challenge, 0)
// - witness: polynomial Q - Q_z
const Fr nu_challenge = prover_transcript->template get_challenge<Fr>("Shplonk:nu");
auto batched_quotient_Q =
ShplonkProver::compute_batched_quotient(gemini_opening_pairs, gemini_witnesses, nu_challenge);
prover_transcript->send_to_verifier("Shplonk:Q", this->ck()->commit(batched_quotient_Q));

const Fr z_challenge = prover_transcript->template get_challenge<Fr>("Shplonk:z");
const auto [shplonk_opening_pair, shplonk_witness] = ShplonkProver::compute_partially_evaluated_batched_quotient(
gemini_opening_pairs, gemini_witnesses, std::move(batched_quotient_Q), nu_challenge, z_challenge);
const auto opening_claim = ShplonkProver::prove(this->ck(), opening_claims, prover_transcript);

// KZG prover:
// - Adds commitment [W] to transcript
KZG::compute_opening_proof(this->ck(), shplonk_opening_pair, shplonk_witness, prover_transcript);
KZG::compute_opening_proof(this->ck(), opening_claim, prover_transcript);

// Run the full verifier PCS protocol with genuine opening claims (genuine commitment, genuine evaluation)

Expand All @@ -166,7 +162,7 @@ TYPED_TEST(KZGTest, GeminiShplonkKzgWithShift)

// Shplonk verifier claim: commitment [Q] - [Q_z], opening point (z_challenge, 0)
const auto shplonk_verifier_claim =
ShplonkVerifier::reduce_verification(this->vk(), gemini_verifier_claim, verifier_transcript);
ShplonkVerifier::reduce_verification(this->vk()->get_g1_identity(), gemini_verifier_claim, verifier_transcript);

// KZG verifier:
// aggregates inputs [Q] - [Q_z] and [W] into an 'accumulator' (can perform pairing check on result)
Expand Down
Loading

0 comments on commit 34eb5a0

Please sign in to comment.