Lde/transcript (#248)

* adding adrians new transcript classes
* tests added for transcript and new manifest concept

---------

Co-authored-by: codygunton <[email protected]>

cpp/src/barretenberg/crypto/blake3s/blake3s.hpp

@@ -27,7 +27,7 @@
     Also, the length of the output in this specific implementation is fixed at 32 bytes which is the only
     version relevant to Barretenberg.
 */
-
+#pragma once
 #include <stddef.h>
 #include <stdint.h>
 #include <vector>

cpp/src/barretenberg/honk/composer/composer_helper/standard_honk_composer_helper.cpp

@@ -148,10 +148,7 @@ StandardVerifier StandardHonkComposerHelper<CircuitConstructor>::create_verifier
     const CircuitConstructor& circuit_constructor)
 {
     compute_verification_key(circuit_constructor);
-    StandardVerifier output_state(
-        circuit_verification_key,
-        honk::StandardHonk::create_manifest(circuit_constructor.public_inputs.size(),
-                                            numeric::get_msb(circuit_verification_key->circuit_size)));
+    StandardVerifier output_state(circuit_verification_key);
 
     // TODO(Cody): This should be more generic
     auto kate_verification_key = std::make_unique<pcs::kzg::VerificationKey>("../srs_db/ignition");
@@ -172,7 +169,7 @@ StandardProver StandardHonkComposerHelper<CircuitConstructor>::create_prover(
 
     size_t num_sumcheck_rounds(circuit_proving_key->log_circuit_size);
     auto manifest = Flavor::create_manifest(circuit_constructor.public_inputs.size(), num_sumcheck_rounds);
-    StandardProver output_state(std::move(wire_polynomials), circuit_proving_key, manifest);
+    StandardProver output_state(std::move(wire_polynomials), circuit_proving_key);
 
     // TODO(Cody): This should be more generic
     std::unique_ptr<pcs::kzg::CommitmentKey> kate_commitment_key =

cpp/src/barretenberg/honk/composer/standard_honk_composer.test.cpp

@@ -335,16 +335,13 @@ TEST(StandardHonkComposer, SumcheckRelationCorrectness)
     // Generate beta and gamma
     fr beta = fr::random_element();
     fr gamma = fr::random_element();
-    fr zeta = fr::random_element();
 
     // Compute public input delta
     const auto public_inputs = composer.circuit_constructor.get_public_inputs();
     auto public_input_delta =
         honk::compute_public_input_delta<fr>(public_inputs, beta, gamma, prover.key->circuit_size);
 
     sumcheck::RelationParameters<fr> params{
-        .zeta = zeta,
-        .alpha = fr::one(),
         .beta = beta,
         .gamma = gamma,
         .public_input_delta = public_input_delta,

cpp/src/barretenberg/honk/pcs/claim.hpp

@@ -27,14 +27,14 @@ template <typename Params> class OpeningPair {
  */
 template <typename Params> class OpeningClaim {
     using CK = typename Params::CK;
-    using Commitment = typename Params::Commitment;
+    using CommitmentAffine = typename Params::C;
     using Fr = typename Params::Fr;
 
   public:
     // (query r, evaluation v = p(r))
     OpeningPair<Params> opening_pair;
     // commitment to univariate polynomial p(X)
-    Commitment commitment;
+    CommitmentAffine commitment;
 
     /**
      * @brief inefficiently check that the claim is correct by recomputing the commitment
@@ -52,11 +52,7 @@ template <typename Params> class OpeningClaim {
         }
         // Note: real_commitment is a raw type, while commitment may be a linear combination.
         auto real_commitment = ck->commit(polynomial);
-        if (real_commitment != commitment) {
-            // if (commitment != real_commitment) {
-            return false;
-        }
-        return true;
+        return (real_commitment == commitment);
     };
 
     bool operator==(const OpeningClaim& other) const = default;
@@ -81,19 +77,15 @@ template <typename Params> class OpeningClaim {
  *
  * @tparam CommitmentKey
  */
-template <typename Params> struct MLEOpeningClaim {
-    using Commitment = typename Params::Commitment;
+template <typename Params> class MLEOpeningClaim {
+    using CommitmentAffine = typename Params::C;
     using Fr = typename Params::Fr;
 
-    MLEOpeningClaim(auto commitment, auto evaluation)
-        : commitment(commitment)
-        , evaluation(evaluation)
-    {}
-
+  public:
     // commitment to a univariate polynomial
     // whose coefficients are the multi-linear evaluations
     // of C = [f]
-    Commitment commitment;
+    CommitmentAffine commitment;
     // v  = f(u) = ∑ᵢ aᵢ⋅Lᵢ(u)
     // v↺ = g(u) = a₁⋅L₀(u) + … + aₙ₋₁⋅Lₙ₋₂(u)
     Fr evaluation;

cpp/src/barretenberg/honk/pcs/commitment_key.test.hpp

@@ -66,7 +66,7 @@ template <typename Params> class CommitmentTest : public ::testing::Test {
     using VK = typename Params::VK;
 
     using Fr = typename Params::Fr;
-    using Commitment = typename Params::Commitment;
+    using CommitmentAffine = typename Params::C;
     using Polynomial = typename Params::Polynomial;
     using Transcript = transcript::StandardTranscript;
 
@@ -78,7 +78,7 @@ template <typename Params> class CommitmentTest : public ::testing::Test {
     std::shared_ptr<CK> ck() { return commitment_key; }
     std::shared_ptr<VK> vk() { return verification_key; }
 
-    Commitment commit(const Polynomial& polynomial) { return commitment_key->commit(polynomial); }
+    CommitmentAffine commit(const Polynomial& polynomial) { return commitment_key->commit(polynomial); }
 
     Polynomial random_polynomial(const size_t n)
     {
@@ -122,7 +122,7 @@ template <typename Params> class CommitmentTest : public ::testing::Test {
         auto& [x, y] = claim.opening_pair;
         Fr y_expected = witness.evaluate(x);
         EXPECT_EQ(y, y_expected) << "OpeningClaim: evaluations mismatch";
-        Commitment commitment_expected = commit(witness);
+        CommitmentAffine commitment_expected = commit(witness);
         EXPECT_EQ(commitment, commitment_expected) << "OpeningClaim: commitment mismatch";
     }
 

cpp/src/barretenberg/honk/pcs/gemini/gemini.hpp

@@ -4,6 +4,7 @@
 #include "barretenberg/common/log.hpp"
 #include "barretenberg/honk/pcs/commitment_key.hpp"
 #include "barretenberg/polynomials/polynomial.hpp"
+#include "barretenberg/honk/transcript/transcript.hpp"
 
 #include "barretenberg/common/assert.hpp"
 #include <memory>
@@ -113,7 +114,7 @@ template <typename Params> class MultilinearReductionScheme {
                                              std::span<const Fr> mle_opening_point,
                                              const Polynomial&& batched_shifted,       /* unshifted */
                                              const Polynomial&& batched_to_be_shifted, /* to-be-shifted */
-                                             const auto& transcript)
+                                             ProverTranscript<Fr>& transcript)
     {
         const size_t num_variables = mle_opening_point.size(); // m
 
@@ -165,19 +166,17 @@ template <typename Params> class MultilinearReductionScheme {
         /*
          * Create commitments C₁,…,Cₘ₋₁ to polynomials FOLD_i, i = 1,...,d-1 and add to transcript
          */
-        std::vector<Commitment> commitments;
+        std::vector<CommitmentAffine> commitments;
         commitments.reserve(num_variables - 1);
         for (size_t l = 0; l < num_variables - 1; ++l) {
             commitments.emplace_back(ck->commit(fold_polynomials[l + 2]));
-            transcript->add_element("FOLD_" + std::to_string(l + 1),
-                                    static_cast<CommitmentAffine>(commitments[l]).to_buffer());
+            transcript.send_to_verifier("Gemini:FOLD_" + std::to_string(l + 1), commitments[l]);
         }
 
         /*
          * Generate evaluation challenge r, and compute rₗ = r^{2ˡ} for l = 0, 1, ..., m-1
          */
-        transcript->apply_fiat_shamir("r");
-        const Fr r_challenge = Fr::serialize_from_buffer(transcript->get_challenge("r").begin());
+        const Fr r_challenge = transcript.get_challenge("Gemini:r");
         std::vector<Fr> r_squares = squares_of_r(r_challenge, num_variables);
 
         /*
@@ -223,7 +222,7 @@ template <typename Params> class MultilinearReductionScheme {
             const Polynomial& A_l = fold_polynomials[l + 1];
 
             fold_polynomial_evals.emplace_back(A_l.evaluate(-r_squares[l]));
-            transcript->add_element("a_" + std::to_string(l), fold_polynomial_evals[l].to_buffer());
+            transcript.send_to_verifier("Gemini:a_" + std::to_string(l), fold_polynomial_evals[l]);
         }
 
         // Compute evaluation A₀(r)
@@ -259,17 +258,33 @@ template <typename Params> class MultilinearReductionScheme {
                                                            const Fr batched_evaluation,           /* all */
                                                            Commitment& batched_f,                 /* unshifted */
                                                            Commitment& batched_g,                 /* to-be-shifted */
-                                                           const Proof<Params>& proof,
-                                                           const auto& transcript)
+                                                           VerifierTranscript<Fr>& transcript)
     {
         const size_t num_variables = mle_opening_point.size();
 
+        // Get polynomials Fold_i, i = 1,...,m-1 from transcript
+        std::vector<CommitmentAffine> commitments;
+        commitments.reserve(num_variables - 1);
+        for (size_t i = 0; i < num_variables - 1; ++i) {
+            auto commitment =
+                transcript.template receive_from_prover<CommitmentAffine>("Gemini:FOLD_" + std::to_string(i + 1));
+            commitments.emplace_back(commitment);
+        }
+
         // compute vector of powers of random evaluation point r
-        const Fr r = Fr::serialize_from_buffer(transcript->get_challenge("r").begin());
+        const Fr r = transcript.get_challenge("Gemini:r");
         std::vector<Fr> r_squares = squares_of_r(r, num_variables);
 
+        // Get evaluations a_i, i = 0,...,m-1 from transcript
+        std::vector<Fr> evaluations;
+        evaluations.reserve(num_variables);
+        for (size_t i = 0; i < num_variables; ++i) {
+            auto eval = transcript.template receive_from_prover<Fr>("Gemini:a_" + std::to_string(i));
+            evaluations.emplace_back(eval);
+        }
+
         // Compute evaluation A₀(r)
-        auto a_0_pos = compute_eval_pos(batched_evaluation, mle_opening_point, r_squares, proof.evaluations);
+        auto a_0_pos = compute_eval_pos(batched_evaluation, mle_opening_point, r_squares, evaluations);
 
         // C₀_r_pos = ∑ⱼ ρʲ⋅[fⱼ] + r⁻¹⋅∑ⱼ ρᵏ⁺ʲ [gⱼ]
         // C₀_r_pos = ∑ⱼ ρʲ⋅[fⱼ] - r⁻¹⋅∑ⱼ ρᵏ⁺ʲ [gⱼ]
@@ -281,40 +296,16 @@ template <typename Params> class MultilinearReductionScheme {
         // ( [A₀₊], r, A₀(r) )
         fold_polynomial_opening_claims.emplace_back(OpeningClaim<Params>{ { r, a_0_pos }, c0_r_pos });
         // ( [A₀₋], -r, A₀(-r) )
-        fold_polynomial_opening_claims.emplace_back(OpeningClaim<Params>{ { -r, proof.evaluations[0] }, c0_r_neg });
+        fold_polynomial_opening_claims.emplace_back(OpeningClaim<Params>{ { -r, evaluations[0] }, c0_r_neg });
         for (size_t l = 0; l < num_variables - 1; ++l) {
             // ([A₀₋], −r^{2ˡ}, Aₗ(−r^{2ˡ}) )
             fold_polynomial_opening_claims.emplace_back(
-                OpeningClaim<Params>{ { -r_squares[l + 1], proof.evaluations[l + 1] }, proof.commitments[l] });
+                OpeningClaim<Params>{ { -r_squares[l + 1], evaluations[l + 1] }, commitments[l] });
         }
 
         return fold_polynomial_opening_claims;
     };
 
-    /**
-     * @brief Reconstruct Gemini proof from transcript
-     *
-     * @param transcript
-     * @return Proof
-     * @details Proof consists of:
-     * - d Fold poly evaluations a_0, ..., a_{d-1}
-     * - (d-1) Fold polynomial commitments [Fold^(1)], ..., [Fold^(d-1)]
-     */
-    static Proof<Params> reconstruct_proof_from_transcript(const auto& transcript, const size_t log_n)
-    {
-        Proof<Params> proof;
-        for (size_t i = 0; i < log_n; i++) {
-            std::string label = "a_" + std::to_string(i);
-            proof.evaluations.emplace_back(transcript->get_field_element(label));
-        };
-        for (size_t i = 1; i < log_n; i++) {
-            std::string label = "FOLD_" + std::to_string(i);
-            proof.commitments.emplace_back(transcript->get_group_element(label));
-        };
-
-        return proof;
-    }
-
     static std::vector<Fr> powers_of_rho(const Fr rho, const size_t num_powers)
     {
         std::vector<Fr> rhos = { Fr(1), rho };

cpp/src/barretenberg/honk/pcs/gemini/gemini.test.cpp

@@ -1,6 +1,7 @@
 #include "gemini.hpp"
 
 #include "../commitment_key.test.hpp"
+#include "barretenberg/honk/transcript/transcript.hpp"
 #include "barretenberg/polynomials/polynomial.hpp"
 #include <cstddef>
 #include <gtest/gtest.h>
@@ -23,11 +24,9 @@ template <class Params> class GeminiTest : public CommitmentTest<Params> {
                                           std::vector<Commitment> multilinear_commitments,
                                           std::vector<Commitment> multilinear_commitments_to_be_shifted)
     {
-        using Transcript = transcript::StandardTranscript;
-        auto transcript = std::make_shared<Transcript>(StandardHonk::create_manifest(0, log_n));
-        transcript->mock_inputs_prior_to_challenge("rho");
-        transcript->apply_fiat_shamir("rho");
-        const Fr rho = Fr::serialize_from_buffer(transcript->get_challenge("rho").begin());
+        auto prover_transcript = ProverTranscript<Fr>::init_empty();
+
+        const Fr rho = Fr::random_element();
 
         std::vector<Fr> rhos = Gemini::powers_of_rho(rho, multilinear_evaluations.size());
 
@@ -60,15 +59,12 @@ template <class Params> class GeminiTest : public CommitmentTest<Params> {
                                                   multilinear_evaluation_point,
                                                   std::move(batched_unshifted),
                                                   std::move(batched_to_be_shifted),
-                                                  transcript);
+                                                  prover_transcript);
 
         // Check that the Fold polynomials have been evaluated correctly in the prover
         this->verify_batch_opening_pair(prover_output.opening_pairs, prover_output.witnesses);
 
-        // Construct a Gemini proof object consisting of
-        // - d Fold poly evaluations a_0, ..., a_{d-1}
-        // - (d-1) Fold polynomial commitments [Fold^(1)], ..., [Fold^(d-1)]
-        auto gemini_proof = Gemini::reconstruct_proof_from_transcript(transcript, log_n);
+        auto verifier_transcript = VerifierTranscript<Fr>::init_empty(prover_transcript);
 
         // Compute:
         // - Single opening pair: {r, \hat{a}_0}
@@ -78,8 +74,7 @@ template <class Params> class GeminiTest : public CommitmentTest<Params> {
                                                     batched_evaluation,
                                                     batched_commitment_unshifted,
                                                     batched_commitment_to_be_shifted,
-                                                    gemini_proof,
-                                                    transcript);
+                                                    verifier_transcript);
 
         // Check equality of the opening pairs computed by prover and verifier
         for (size_t i = 0; i < (log_n + 1); ++i) {

cpp/src/barretenberg/honk/pcs/kzg/kzg.hpp

@@ -2,6 +2,7 @@
 
 #include "../claim.hpp"
 #include "barretenberg/polynomials/polynomial.hpp"
+#include "barretenberg/honk/transcript/transcript.hpp"
 
 #include <memory>
 #include <utility>
@@ -17,6 +18,7 @@ namespace honk::pcs::kzg {
 template <typename Params> class BilinearAccumulator {
     using VK = typename Params::VK;
     using Fr = typename Params::Fr;
+    using CommitmentAffine = typename Params::C;
     using Commitment = typename Params::Commitment;
 
   public:
@@ -43,7 +45,7 @@ template <typename Params> class BilinearAccumulator {
 
     bool operator==(const BilinearAccumulator& other) const = default;
 
-    Commitment lhs, rhs;
+    CommitmentAffine lhs, rhs;
 };
 
 template <typename Params> class UnivariateOpeningScheme {
@@ -67,14 +69,14 @@ template <typename Params> class UnivariateOpeningScheme {
     static void reduce_prove(std::shared_ptr<CK> ck,
                              const OpeningPair<Params>& opening_pair,
                              const Polynomial& polynomial,
-                             const auto& transcript)
+                             ProverTranscript<Fr>& transcript)
     {
         Polynomial quotient(polynomial);
         quotient[0] -= opening_pair.evaluation;
         quotient.factor_roots(opening_pair.query);
-        Commitment proof = ck->commit(quotient);
+        CommitmentAffine quotient_commitment = ck->commit(quotient);
 
-        transcript->add_element("W", static_cast<CommitmentAffine>(proof).to_buffer());
+        transcript.send_to_verifier("KZG:W", quotient_commitment);
     };
 
     /**
@@ -85,9 +87,10 @@ template <typename Params> class UnivariateOpeningScheme {
      * @param proof π, a commitment to Q(X) = ( P(X) - v )/( X - r)
      * @return Accumulator {C − v⋅[1]₁ + r⋅π, −π}
      */
-    static Accumulator reduce_verify(const OpeningClaim<Params>& claim, const Commitment& proof)
+    static Accumulator reduce_verify(const OpeningClaim<Params>& claim, VerifierTranscript<Fr>& verifier_transcript)
     {
-        return Accumulator(claim, proof);
+        auto quotient_commitment = verifier_transcript.template receive_from_prover<CommitmentAffine>("KZG:W");
+        return Accumulator(claim, quotient_commitment);
     };
 };
 } // namespace honk::pcs::kzg