feat: translation evaluations with zk

barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp

@@ -605,8 +605,8 @@ template <typename Curve> class ShpleminiVerifier_ {
         denominators[2] = denominators[0];
         denominators[3] = denominators[0];
 
-        // compute the scalars to be multiplied against the commitments [libra_concatenated], [big_sum], [big_sum], and
-        // [libra_quotient]
+        // compute the scalars to be multiplied against the commitments [libra_concatenated], [grand_sum], [grand_sum],
+        // and [libra_quotient]
         for (size_t idx = 0; idx < NUM_SMALL_IPA_EVALUATIONS; idx++) {
             Fr scaling_factor = denominators[idx] * shplonk_challenge_power;
             batching_scalars[idx] = -scaling_factor;

barretenberg/cpp/src/barretenberg/commitment_schemes/small_subgroup_ipa/small_subgroup_ipa.cpp

@@ -85,22 +85,26 @@ template <typename Flavor>
 SmallSubgroupIPAProver<Flavor>::SmallSubgroupIPAProver(TranslationData<typename Flavor::Transcript>& translation_data,
                                                        const FF evaluation_challenge_x,
                                                        const FF batching_challenge_v,
-                                                       const FF claimed_inner_product,
                                                        const std::shared_ptr<typename Flavor::Transcript>& transcript,
                                                        std::shared_ptr<typename Flavor::CommitmentKey>& commitment_key)
     : SmallSubgroupIPAProver(transcript, commitment_key)
 
 {
     // TranslationData is Grumpkin-specific
     if constexpr (IsAnyOf<Flavor, ECCVMFlavor, GrumpkinSettings>) {
-        this->claimed_inner_product = claimed_inner_product;
         label_prefix = "Translation:";
         interpolation_domain = translation_data.interpolation_domain;
         concatenated_polynomial = translation_data.masked_concatenated_polynomial;
         concatenated_lagrange_form = translation_data.concatenated_polynomial_lagrange;
 
         // Construct the challenge polynomial in Lagrange basis, compute its monomial coefficients
         compute_eccvm_challenge_polynomial(evaluation_challenge_x, batching_challenge_v);
+
+        // The prover computes the inner product of the challenge polynomial and the concatenation of
+        // the masking terms. This value is used to "denoise" the masked batched evaluation of
+        // `translation_polynomials` contained in `translation_data`.
+        claimed_inner_product = compute_claimed_translation_inner_product(translation_data);
+        transcript->send_to_verifier(label_prefix + "masking_term_eval", claimed_inner_product);
     }
 }
 
@@ -396,17 +400,10 @@ typename Flavor::Curve::ScalarField SmallSubgroupIPAProver<Flavor>::compute_clai
  */
 template <typename Flavor>
 typename Flavor::Curve::ScalarField SmallSubgroupIPAProver<Flavor>::compute_claimed_translation_inner_product(
-    TranslationData<typename Flavor::Transcript>& translation_data,
-    const FF& evaluation_challenge_x,
-    const FF& batching_challenge_v)
+    TranslationData<typename Flavor::Transcript>& translation_data)
 {
     FF claimed_inner_product{ 0 };
     if constexpr (IsAnyOf<Flavor, ECCVMFlavor, GrumpkinSettings>) {
-        const std::vector<FF> coeffs_lagrange_basis =
-            compute_eccvm_challenge_coeffs<typename Flavor::Curve>(evaluation_challenge_x, batching_challenge_v);
-
-        Polynomial<FF> challenge_polynomial_lagrange(coeffs_lagrange_basis);
-
         for (size_t idx = 0; idx < SUBGROUP_SIZE; idx++) {
             claimed_inner_product +=
                 translation_data.concatenated_polynomial_lagrange.at(idx) * challenge_polynomial_lagrange.at(idx);

barretenberg/cpp/src/barretenberg/commitment_schemes/small_subgroup_ipa/small_subgroup_ipa.hpp

@@ -8,6 +8,7 @@
 #include "barretenberg/polynomials/univariate.hpp"
 #include "barretenberg/stdlib/primitives/curves/grumpkin.hpp"
 #include "barretenberg/sumcheck/zk_sumcheck_data.hpp"
+#include "small_subgroup_ipa_utils.hpp"
 
 #include <array>
 #include <vector>
@@ -87,9 +88,6 @@ template <typename Flavor> class SmallSubgroupIPAProver {
     // Fixed generator of H
     static constexpr FF subgroup_generator = Curve::subgroup_generator;
 
-    // The SmallSubgroupIPA claim
-    FF claimed_inner_product;
-
     // Interpolation domain {1, g, \ldots, g^{SUBGROUP_SIZE - 1}} used by ECCVM
     std::array<FF, SUBGROUP_SIZE> interpolation_domain;
     // We use IFFT over BN254 scalar field
@@ -123,6 +121,9 @@ template <typename Flavor> class SmallSubgroupIPAProver {
     std::shared_ptr<typename Flavor::CommitmentKey> commitment_key;
 
   public:
+    // The SmallSubgroupIPA claim
+    FF claimed_inner_product{ 0 };
+
     // Default constructor to initialize all polynomials, transcript, and commitment key.
     SmallSubgroupIPAProver(const std::shared_ptr<typename Flavor::Transcript>& transcript,
                            std::shared_ptr<typename Flavor::CommitmentKey>& commitment_key);
@@ -138,7 +139,6 @@ template <typename Flavor> class SmallSubgroupIPAProver {
     SmallSubgroupIPAProver(TranslationData<typename Flavor::Transcript>& translation_data,
                            const FF evaluation_challenge_x,
                            const FF batching_challenge_v,
-                           const FF claimed_inner_product,
                            const std::shared_ptr<typename Flavor::Transcript>& transcript,
                            std::shared_ptr<typename Flavor::CommitmentKey>& commitment_key);
 
@@ -161,9 +161,7 @@ template <typename Flavor> class SmallSubgroupIPAProver {
                                             const std::vector<FF>& multivariate_challenge,
                                             const size_t& log_circuit_size);
 
-    static FF compute_claimed_translation_inner_product(TranslationData<typename Flavor::Transcript>& translation_data,
-                                                        const FF& evaluation_challenge_x,
-                                                        const FF& batching_challenge_v);
+    FF compute_claimed_translation_inner_product(TranslationData<typename Flavor::Transcript>& translation_data);
 
     Polynomial<FF> static compute_monomial_coefficients(std::span<FF> lagrange_coeffs,
                                                         const std::array<FF, SUBGROUP_SIZE>& interpolation_domain,
@@ -178,6 +176,16 @@ template <typename Flavor> class SmallSubgroupIPAProver {
     // Getters for test purposes
     const Polynomial<FF>& get_batched_polynomial() const { return grand_sum_identity_polynomial; }
     const Polynomial<FF>& get_challenge_polynomial() const { return challenge_polynomial; }
+
+    std::array<FF, NUM_SMALL_IPA_EVALUATIONS> evaluation_points(const FF& small_ipa_evaluation_challenge)
+    {
+        return compute_evaluation_points(small_ipa_evaluation_challenge, Curve::subgroup_generator);
+    }
+
+    std::array<std::string, NUM_SMALL_IPA_EVALUATIONS> evaluation_labels()
+    {
+        return get_evaluation_labels(label_prefix);
+    };
 };
 
 /*!
@@ -390,6 +398,14 @@ template <typename Curve> class SmallSubgroupIPAVerifier {
             result.begin(), result.end(), result.begin(), [&](FF& denominator) { return denominator * numerator; });
         return result;
     }
+    static std::array<FF, NUM_SMALL_IPA_EVALUATIONS> evaluation_points(const FF& small_ipa_evaluation_challenge)
+    {
+        return compute_evaluation_points<FF>(small_ipa_evaluation_challenge, Curve::subgroup_generator);
+    }
+    static std::array<std::string, NUM_SMALL_IPA_EVALUATIONS> evaluation_labels(const std::string& label_prefix)
+    {
+        return get_evaluation_labels(label_prefix);
+    };
 };
 
 /**

barretenberg/cpp/src/barretenberg/commitment_schemes/small_subgroup_ipa/small_subgroup_ipa.test.cpp

@@ -34,7 +34,7 @@ template <typename Flavor> class SmallSubgroupIPATest : public ::testing::Test {
 
     // A helper to evaluate the four IPA witness polynomials at x, x*g, x, x
     std::array<FF, NUM_SMALL_IPA_EVALUATIONS> evaluate_small_ipa_witnesses(
-        const std::array<Polynomial<FF>, 4>& witness_polynomials)
+        const std::array<Polynomial<FF>, NUM_SMALL_IPA_EVALUATIONS>& witness_polynomials)
     {
         // Hard-coded pattern of evaluation: (x, x*g, x, x)
         return { witness_polynomials[0].evaluate(evaluation_challenge),
@@ -289,25 +289,19 @@ TYPED_TEST(SmallSubgroupIPATest, TranslationMaskingTermConsistency)
         const FF evaluation_challenge_x = FF::random_element();
         const FF batching_challenge_v = FF::random_element();
 
-        const FF claimed_inner_product = Prover::compute_claimed_translation_inner_product(
-            translation_data, evaluation_challenge_x, batching_challenge_v);
-
-        Prover small_subgroup_ipa_prover(translation_data,
-                                         evaluation_challenge_x,
-                                         batching_challenge_v,
-                                         claimed_inner_product,
-                                         prover_transcript,
-                                         ck);
+        Prover small_subgroup_ipa_prover(
+            translation_data, evaluation_challenge_x, batching_challenge_v, prover_transcript, ck);
         small_subgroup_ipa_prover.prove();
 
         const std::array<FF, NUM_SMALL_IPA_EVALUATIONS> small_ipa_evaluations =
             this->evaluate_small_ipa_witnesses(small_subgroup_ipa_prover.get_witness_polynomials());
 
-        bool consistency_checked = Verifier::check_eccvm_evaluations_consistency(small_ipa_evaluations,
-                                                                                 this->evaluation_challenge,
-                                                                                 evaluation_challenge_x,
-                                                                                 batching_challenge_v,
-                                                                                 claimed_inner_product);
+        bool consistency_checked =
+            Verifier::check_eccvm_evaluations_consistency(small_ipa_evaluations,
+                                                          this->evaluation_challenge,
+                                                          evaluation_challenge_x,
+                                                          batching_challenge_v,
+                                                          small_subgroup_ipa_prover.claimed_inner_product);
 
         EXPECT_TRUE(consistency_checked);
     }
@@ -348,24 +342,19 @@ TYPED_TEST(SmallSubgroupIPATest, TranslationMaskingTermConsistencyFailure)
         const FF evaluation_challenge_x = FF::random_element();
         const FF batching_challenge_v = FF::random_element();
 
-        const FF claimed_inner_product = FF::random_element();
-
-        Prover small_subgroup_ipa_prover(translation_data,
-                                         evaluation_challenge_x,
-                                         batching_challenge_v,
-                                         claimed_inner_product,
-                                         prover_transcript,
-                                         ck);
+        Prover small_subgroup_ipa_prover(
+            translation_data, evaluation_challenge_x, batching_challenge_v, prover_transcript, ck);
         small_subgroup_ipa_prover.prove();
 
         const std::array<FF, NUM_SMALL_IPA_EVALUATIONS> small_ipa_evaluations =
             this->evaluate_small_ipa_witnesses(small_subgroup_ipa_prover.get_witness_polynomials());
 
-        bool consistency_checked = Verifier::check_eccvm_evaluations_consistency(small_ipa_evaluations,
-                                                                                 this->evaluation_challenge,
-                                                                                 evaluation_challenge_x,
-                                                                                 batching_challenge_v,
-                                                                                 claimed_inner_product);
+        bool consistency_checked =
+            Verifier::check_eccvm_evaluations_consistency(small_ipa_evaluations,
+                                                          this->evaluation_challenge,
+                                                          evaluation_challenge_x,
+                                                          batching_challenge_v,
+                                                          /*tampered claimed inner product = */ FF::random_element());
 
         EXPECT_TRUE(!consistency_checked);
     }

barretenberg/cpp/src/barretenberg/commitment_schemes/small_subgroup_ipa/small_subgroup_ipa_utils.hpp

@@ -0,0 +1,47 @@
+#pragma once
+
+#include "barretenberg/common/ref_array.hpp"
+#include "barretenberg/constants.hpp"
+
+#include <array>
+#include <string>
+
+namespace bb {
+
+/**
+ * @brief Shared by Prover and Verifier. `label_prefix` is either `Libra:` or `Translation:`.
+ */
+inline std::array<std::string, NUM_SMALL_IPA_EVALUATIONS> get_evaluation_labels(const std::string& label_prefix)
+{
+    return { label_prefix + "concatenation_eval",
+             label_prefix + "grand_sum_shift_eval",
+             label_prefix + "grand_sum_eval",
+             label_prefix + "quotient_eval" };
+};
+
+/**
+ * @brief The verification of Grand Sum Identity requires the evaluations G(r), A(g * r), A(r), Q(r). Shared by Prover
+ * and Verifier.
+ */
+template <typename FF>
+inline std::array<FF, NUM_SMALL_IPA_EVALUATIONS> compute_evaluation_points(const FF& small_ipa_evaluation_challenge,
+                                                                           const FF& subgroup_generator)
+{
+    return { small_ipa_evaluation_challenge,
+             small_ipa_evaluation_challenge * subgroup_generator,
+             small_ipa_evaluation_challenge,
+             small_ipa_evaluation_challenge };
+}
+
+/**
+ * @brief Contains commitments to polynomials [G], [A], and [Q]. See \ref SmallSubgroupIPAProver docs.
+ */
+template <typename Commitment> struct SmallSubgroupIPACommitments {
+    Commitment concatenated, grand_sum, quotient;
+    // The grand sum commitment is returned twice since we are opening the corresponding polynomial at 2 points.
+    RefArray<Commitment, NUM_SMALL_IPA_EVALUATIONS> get_all()
+    {
+        return { concatenated, grand_sum, grand_sum, quotient }; // {[G], [A], [A], [Q]}
+    };
+};
+} // namespace bb

barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp

@@ -99,6 +99,10 @@ class ECCVMFlavor {
     // define the containers for storing the contributions from each relation in Sumcheck
     using SumcheckTupleOfTuplesOfUnivariates = decltype(create_sumcheck_tuple_of_tuples_of_univariates<Relations>());
 
+    // The sub-protocol `compute_translation_opening_claims` outputs an opening claim for the batched univariate
+    // evaluation of `op`, `Px`, `Py`, `z1`, and `z2`, and an array of opening claims for the evaluations of the
+    // SmallSubgroupIPA witness polynomials.
+    static constexpr size_t NUM_TRANSLATION_OPENING_CLAIMS = NUM_SMALL_IPA_EVALUATIONS + 1;
     using TupleOfArraysOfValues = decltype(create_tuple_of_arrays_of_values<Relations>());
 
     // TODO(https://github.com/AztecProtocol/barretenberg/issues/989): refine access specifiers in flavors, this is
@@ -1013,11 +1017,19 @@ class ECCVMFlavor {
         std::vector<Commitment> gemini_fold_comms;
         std::vector<FF> gemini_fold_evals;
         Commitment shplonk_q_comm;
+        Commitment translation_concatenated_masking_term_commitment;
+        FF translation_masking_term_eval;
         FF translation_eval_op;
         FF translation_eval_px;
         FF translation_eval_py;
         FF translation_eval_z1;
         FF translation_eval_z2;
+        Commitment translation_grand_sum_commitment;
+        Commitment translation_quotient_commitment;
+        FF translation_concatenation_eval;
+        FF translation_grand_sum_shift_eval;
+        FF translation_grand_sum_eval;
+        FF translation_quotient_eval;
         Commitment shplonk_q2_comm;
 
         Transcript() = default;
@@ -1242,6 +1254,8 @@ class ECCVMFlavor {
             libra_quotient_eval = deserialize_from_buffer<FF>(proof_data, num_frs_read);
             shplonk_q_comm = deserialize_from_buffer<Commitment>(proof_data, num_frs_read);
 
+            translation_concatenated_masking_term_commitment =
+                NativeTranscript::template deserialize_from_buffer<Commitment>(proof_data, num_frs_read);
             translation_eval_op =
                 NativeTranscript::template deserialize_from_buffer<FF>(NativeTranscript::proof_data, num_frs_read);
             translation_eval_px =
@@ -1253,6 +1267,20 @@ class ECCVMFlavor {
             translation_eval_z2 =
                 NativeTranscript::template deserialize_from_buffer<FF>(NativeTranscript::proof_data, num_frs_read);
 
+            translation_masking_term_eval =
+                NativeTranscript::template deserialize_from_buffer<FF>(proof_data, num_frs_read);
+            translation_grand_sum_commitment =
+                NativeTranscript::template deserialize_from_buffer<Commitment>(proof_data, num_frs_read);
+            translation_quotient_commitment =
+                NativeTranscript::template deserialize_from_buffer<Commitment>(proof_data, num_frs_read);
+            translation_concatenation_eval =
+                NativeTranscript::template deserialize_from_buffer<FF>(proof_data, num_frs_read);
+            translation_grand_sum_shift_eval =
+                NativeTranscript::template deserialize_from_buffer<FF>(proof_data, num_frs_read);
+            translation_grand_sum_eval =
+                NativeTranscript::template deserialize_from_buffer<FF>(proof_data, num_frs_read);
+            translation_quotient_eval =
+                NativeTranscript::template deserialize_from_buffer<FF>(proof_data, num_frs_read);
             shplonk_q2_comm = NativeTranscript::template deserialize_from_buffer<Commitment>(proof_data, num_frs_read);
         }
 
@@ -1393,12 +1421,21 @@ class ECCVMFlavor {
             NativeTranscript::template serialize_to_buffer(libra_quotient_eval, proof_data);
             NativeTranscript::template serialize_to_buffer(shplonk_q_comm, proof_data);
 
+            NativeTranscript::template serialize_to_buffer(translation_concatenated_masking_term_commitment,
+                                                           proof_data);
             NativeTranscript::template serialize_to_buffer(translation_eval_op, NativeTranscript::proof_data);
             NativeTranscript::template serialize_to_buffer(translation_eval_px, NativeTranscript::proof_data);
             NativeTranscript::template serialize_to_buffer(translation_eval_py, NativeTranscript::proof_data);
             NativeTranscript::template serialize_to_buffer(translation_eval_z1, NativeTranscript::proof_data);
             NativeTranscript::template serialize_to_buffer(translation_eval_z2, NativeTranscript::proof_data);
 
+            NativeTranscript::template serialize_to_buffer(translation_masking_term_eval, proof_data);
+            NativeTranscript::template serialize_to_buffer(translation_grand_sum_commitment, proof_data);
+            NativeTranscript::template serialize_to_buffer(translation_quotient_commitment, proof_data);
+            NativeTranscript::template serialize_to_buffer(translation_concatenation_eval, proof_data);
+            NativeTranscript::template serialize_to_buffer(translation_grand_sum_shift_eval, proof_data);
+            NativeTranscript::template serialize_to_buffer(translation_grand_sum_eval, proof_data);
+            NativeTranscript::template serialize_to_buffer(translation_quotient_eval, proof_data);
             NativeTranscript::template serialize_to_buffer(shplonk_q2_comm, NativeTranscript::proof_data);
 
             ASSERT(NativeTranscript::proof_data.size() == old_proof_length);