Barretenberg: src/barretenberg/ultra_honk/ultra_prover.cpp Source File

// === AUDIT STATUS ===

// internal:    { status: Completed, auditors: [Sergei], commit: }

// external_1:  { status: not started, auditors: [], commit: }

// external_2:  { status: not started, auditors: [], commit: }

// =====================


#include "ultra_prover.hpp"

#include "barretenberg/commitment_schemes/gemini/gemini.hpp"

#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp"

#include "barretenberg/flavor/mega_avm_flavor.hpp"

#include "barretenberg/sumcheck/sumcheck.hpp"

#include "barretenberg/ultra_honk/oink_prover.hpp"

namespace bb {


template <typename Flavor>


UltraProver_<Flavor>::UltraProver_(std::shared_ptr<ProverInstance> prover_instance,

                                   const std::shared_ptr<HonkVK>& honk_vk,

                                   const std::shared_ptr<Transcript>& transcript)

    : prover_instance(std::move(prover_instance))

    , transcript(transcript)

    , honk_vk(honk_vk)

{}


template <typename Flavor> typename UltraProver_<Flavor>::Proof UltraProver_<Flavor>::export_proof()

{

    auto proof = transcript->export_proof();


    // Append IPA proof if present

    if (!prover_instance->ipa_proof.empty()) {

        BB_ASSERT_EQ(prover_instance->ipa_proof.size(), static_cast<size_t>(IPA_PROOF_LENGTH));

        proof.insert(proof.end(), prover_instance->ipa_proof.begin(), prover_instance->ipa_proof.end());

    }


    return proof;

}


template <typename Flavor> void UltraProver_<Flavor>::generate_gate_challenges()

{

    virtual_log_n =

        Flavor::USE_PADDING ? Flavor::VIRTUAL_LOG_N : static_cast<size_t>(prover_instance->log_dyadic_size());


    prover_instance->gate_challenges =

        transcript->template get_dyadic_powers_of_challenge<FF>("Sumcheck:gate_challenge", virtual_log_n);

}


template <typename Flavor> typename UltraProver_<Flavor>::Proof UltraProver_<Flavor>::construct_proof()

{

    // The CRS only needs to accommodate the actual data extent (max_end_index) rather than the

    // full dyadic_size. All committed polynomials fit within this bound: witness/selector polys

    // have backing ≤ max_end_index, Gemini fold polys have size ≤ dyadic_size/2 < max_end_index,

    // Shplonk quotient Q is sized at max(claim sizes), and KZG opening proof is sized at Q.size().

    // For ZK, the gemini_masking_poly (at dyadic_size) is already reflected in max_end_index.

    size_t key_size = prover_instance->polynomials.max_end_index();

    if constexpr (Flavor::HasZK) {

        // SmallSubgroupIPA commits fixed-size polynomials (up to SUBGROUP_SIZE + 3). Ensure the

        // CRS is large enough for tiny test circuits where max_end_index may be smaller.

        constexpr size_t log_subgroup_size = static_cast<size_t>(numeric::get_msb(Curve::SUBGROUP_SIZE));

        key_size = std::max(key_size, size_t{ 1 } << (log_subgroup_size + 1));

    }

    commitment_key = CommitmentKey(key_size);


    OinkProver<Flavor> oink_prover(prover_instance, honk_vk, transcript);

    oink_prover.prove();

    vinfo("created oink proof");


    generate_gate_challenges();


    // Run sumcheck

    execute_sumcheck_iop();

    vinfo("finished relation check rounds");

    // Execute Shplemini PCS

    execute_pcs();

    vinfo("finished PCS rounds");


    return export_proof();

}


template <typename Flavor> void UltraProver_<Flavor>::execute_sumcheck_iop()

{

    BB_BENCH_NAME("sumcheck.prove");


    using Sumcheck = SumcheckProver<Flavor>;

    size_t polynomial_size = prover_instance->dyadic_size();

    Sumcheck sumcheck(polynomial_size,

                      prover_instance->polynomials,

                      transcript,

                      prover_instance->alpha,

                      prover_instance->gate_challenges,

                      prover_instance->relation_parameters,

                      virtual_log_n);


    if constexpr (Flavor::HasZK) {

        zk_sumcheck_data = ZKData(numeric::get_msb(polynomial_size), transcript, commitment_key);

        sumcheck_output = sumcheck.prove(zk_sumcheck_data);

    } else {

        sumcheck_output = sumcheck.prove();

    }

}


template <typename Flavor> void UltraProver_<Flavor>::execute_pcs()

{

    using OpeningClaim = ProverOpeningClaim<Curve>;

    using PolynomialBatcher = GeminiProver_<Curve>::PolynomialBatcher;


    auto& ck = commitment_key;


    PolynomialBatcher polynomial_batcher(prover_instance->dyadic_size(), prover_instance->polynomials.max_end_index());

    polynomial_batcher.set_unshifted(prover_instance->polynomials.get_unshifted());

    polynomial_batcher.set_to_be_shifted_by_one(prover_instance->polynomials.get_to_be_shifted());


    OpeningClaim prover_opening_claim;

    if constexpr (!Flavor::HasZK) {

        prover_opening_claim = ShpleminiProver_<Curve>::prove(

            prover_instance->dyadic_size(), polynomial_batcher, sumcheck_output.challenge, ck, transcript);

    } else {


        SmallSubgroupIPA small_subgroup_ipa_prover(

            zk_sumcheck_data, sumcheck_output.challenge, sumcheck_output.claimed_libra_evaluation, transcript, ck);

        small_subgroup_ipa_prover.prove();


        prover_opening_claim = ShpleminiProver_<Curve>::prove(prover_instance->dyadic_size(),

                                                              polynomial_batcher,

                                                              sumcheck_output.challenge,

                                                              ck,

                                                              transcript,

                                                              small_subgroup_ipa_prover.get_witness_polynomials());

    }

    vinfo("executed multivariate-to-univariate reduction");

    PCS::compute_opening_proof(ck, prover_opening_claim, transcript);

    vinfo("computed opening proof");

}


template class UltraProver_<UltraFlavor>;

template class UltraProver_<UltraZKFlavor>;

template class UltraProver_<UltraKeccakFlavor>;

#ifdef STARKNET_GARAGA_FLAVORS

template class UltraProver_<UltraStarknetFlavor>;

template class UltraProver_<UltraStarknetZKFlavor>;

#endif

template class UltraProver_<UltraKeccakZKFlavor>;

template class UltraProver_<MegaFlavor>;

template class UltraProver_<MegaZKFlavor>;

template class UltraProver_<MegaAvmFlavor>;


} // namespace bb

BB_ASSERT_EQ
#define BB_ASSERT_EQ(actual, expected,...)
Definition assert.hpp:83

BB_BENCH_NAME
#define BB_BENCH_NAME(name)
Definition bb_bench.hpp:225

bb::ECCVMFlavor::HasZK
static constexpr bool HasZK
Definition eccvm_flavor.hpp:60

bb::ECCVMFlavor::USE_PADDING
static constexpr bool USE_PADDING
Definition eccvm_flavor.hpp:62

bb::GeminiProver_::PolynomialBatcher
Class responsible for computation of the batched multilinear polynomials required by the Gemini proto...
Definition gemini.hpp:125

bb::OinkProver
Executes the "Oink" phase of the Honk proving protocol: the initial rounds that commit to witness dat...
Definition oink_prover.hpp:52

bb::OinkProver::prove
void prove()
Commit to witnesses, compute relation parameters, and prepare for Sumcheck.
Definition oink_prover.cpp:22

bb::OpeningClaim
Unverified claim (C,r,v) for some witness polynomial p(X) such that.
Definition claim.hpp:55

bb::ProverOpeningClaim
Polynomial p and an opening pair (r,v) such that p(r) = v.
Definition claim.hpp:36

bb::ShpleminiProver_::prove
static OpeningClaim prove(size_t circuit_size, PolynomialBatcher &polynomial_batcher, std::span< FF > multilinear_challenge, const CommitmentKey< Curve > &commitment_key, const std::shared_ptr< Transcript > &transcript, const std::array< Polynomial, NUM_SMALL_IPA_EVALUATIONS > &libra_polynomials={}, const std::vector< Polynomial > &sumcheck_round_univariates={}, const std::vector< std::array< FF, 3 > > &sumcheck_round_evaluations={})
Definition shplemini.hpp:36

bb::SmallSubgroupIPAProver
A Curve-agnostic ZK protocol to prove inner products of small vectors.
Definition small_subgroup_ipa.hpp:69

bb::SmallSubgroupIPAProver::get_witness_polynomials
std::array< bb::Polynomial< FF >, NUM_SMALL_IPA_EVALUATIONS > get_witness_polynomials() const
Definition small_subgroup_ipa.hpp:178

bb::SmallSubgroupIPAProver::prove
void prove()
Compute the derived witnesses  and  and commit to them.
Definition small_subgroup_ipa.cpp:150

bb::SumcheckProver
The implementation of the sumcheck Prover for statements of the form  for multilinear polynomials .
Definition sumcheck.hpp:298

bb::UltraProver_
Definition ultra_prover.hpp:18

bb::UltraProver_::UltraProver_
UltraProver_(std::shared_ptr< ProverInstance >, const std::shared_ptr< HonkVK > &, const std::shared_ptr< Transcript > &transcript=std::make_shared< Transcript >())
Definition ultra_prover.cpp:16

bb::UltraProver_::generate_gate_challenges
BB_PROFILE void generate_gate_challenges()
Definition ultra_prover.cpp:52

bb::UltraProver_::execute_pcs
BB_PROFILE void execute_pcs()
Reduce the sumcheck multivariate evaluations to a single univariate opening claim via Shplemini,...
Definition ultra_prover.cpp:123

bb::UltraProver_::Proof
typename Transcript::Proof Proof
Definition ultra_prover.hpp:29

bb::UltraProver_::execute_sumcheck_iop
BB_PROFILE void execute_sumcheck_iop()
Run Sumcheck to establish that ∑_i pow(\vec{β*})f_i(ω) = 0, producing sumcheck round challenges u = (...
Definition ultra_prover.cpp:97

bb::UltraProver_::CommitmentKey
typename Flavor::CommitmentKey CommitmentKey
Definition ultra_prover.hpp:22

bb::UltraProver_::export_proof
Proof export_proof()
Export the complete proof, including IPA proof for rollup circuits.
Definition ultra_prover.cpp:39

bb::UltraProver_::construct_proof
Proof construct_proof()
Definition ultra_prover.cpp:61

bb::curve::Grumpkin::SUBGROUP_SIZE
static constexpr size_t SUBGROUP_SIZE
Definition grumpkin.hpp:74

vinfo
#define vinfo(...)
Definition log.hpp:94

gemini.hpp

mega_avm_flavor.hpp

bb::numeric::get_msb
constexpr T get_msb(const T in)
Definition get_msb.hpp:49

bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5

bb::ck
CommitmentKey< Curve > ck
Definition ipa.fuzzer.cpp:20

std
STL namespace.

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

oink_prover.hpp

shplemini.hpp

bb::ZKSumcheckData
This structure is created to contain various polynomials and constants required by ZK Sumcheck.
Definition zk_sumcheck_data.hpp:22

sumcheck.hpp

ultra_prover.hpp