diff --git a/barretenberg/cpp/src/barretenberg/benchmark/ultra_bench/ultra_honk_rounds.bench.cpp b/barretenberg/cpp/src/barretenberg/benchmark/ultra_bench/ultra_honk_rounds.bench.cpp index 7c35497b1f52..79b53abb683c 100644 --- a/barretenberg/cpp/src/barretenberg/benchmark/ultra_bench/ultra_honk_rounds.bench.cpp +++ b/barretenberg/cpp/src/barretenberg/benchmark/ultra_bench/ultra_honk_rounds.bench.cpp @@ -55,7 +55,6 @@ BB_PROFILE static void test_round_inner(State& state, GoblinUltraProver& prover, // we need to get the relation_parameters and prover_polynomials from the oink_prover prover.instance->proving_key = std::move(oink_prover.proving_key); prover.instance->relation_parameters = oink_prover.relation_parameters; - prover.instance->prover_polynomials = GoblinUltraFlavor::ProverPolynomials(prover.instance->proving_key); time_if_index(RELATION_CHECK, [&] { prover.execute_relation_check_rounds(); }); time_if_index(ZEROMORPH, [&] { prover.execute_zeromorph_rounds(); }); } diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp index c3c26a6ef701..e1828ca8fe4d 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp @@ -234,32 +234,32 @@ class ECCVMFlavor { static auto get_to_be_shifted(PrecomputedAndWitnessEntitiesSuperset& entities) { // NOTE: must match order of ShiftedEntities above! - return RefArray{ entities.transcript_mul, - entities.transcript_msm_count, - entities.transcript_accumulator_x, - entities.transcript_accumulator_y, - entities.precompute_scalar_sum, - entities.precompute_s1hi, - entities.precompute_dx, - entities.precompute_dy, - entities.precompute_tx, - entities.precompute_ty, - entities.msm_transition, - entities.msm_add, - entities.msm_double, - entities.msm_skew, - entities.msm_accumulator_x, - entities.msm_accumulator_y, - entities.msm_count, - entities.msm_round, - entities.msm_add1, - entities.msm_pc, - entities.precompute_pc, - entities.transcript_pc, - entities.precompute_round, - entities.transcript_accumulator_empty, - entities.precompute_select, - entities.z_perm }; + return RefArray{ entities.transcript_mul, // column 0 + entities.transcript_msm_count, // column 1 + entities.transcript_accumulator_x, // column 2 + entities.transcript_accumulator_y, // column 3 + entities.precompute_scalar_sum, // column 4 + entities.precompute_s1hi, // column 5 + entities.precompute_dx, // column 6 + entities.precompute_dy, // column 7 + entities.precompute_tx, // column 8 + entities.precompute_ty, // column 9 + entities.msm_transition, // column 10 + entities.msm_add, // column 11 + entities.msm_double, // column 12 + entities.msm_skew, // column 13 + entities.msm_accumulator_x, // column 14 + entities.msm_accumulator_y, // column 15 + entities.msm_count, // column 16 + entities.msm_round, // column 17 + entities.msm_add1, // column 18 + entities.msm_pc, // column 19 + entities.precompute_pc, // column 20 + entities.transcript_pc, // column 21 + entities.precompute_round, // column 22 + entities.transcript_accumulator_empty, // column 23 + entities.precompute_select, // column 24 + entities.z_perm }; // column 25 } /** * @brief A base class labelling all entities (for instance, all of the polynomials used by the prover during @@ -293,72 +293,10 @@ class ECCVMFlavor { auto get_to_be_shifted() { return ECCVMFlavor::get_to_be_shifted(*this); } auto get_shifted() { return ShiftedEntities::get_all(); }; + auto get_precomputed() { return PrecomputedEntities::get_all(); }; }; public: - /** - * @brief The proving key is responsible for storing the polynomials used by the prover. - * @note TODO(Cody): Maybe multiple inheritance is the right thing here. In that case, nothing should eve - * inherit from ProvingKey. - */ - class ProvingKey : public ProvingKey_, WitnessEntities, CommitmentKey> { - public: - // Expose constructors on the base class - using Base = ProvingKey_, WitnessEntities, CommitmentKey>; - using Base::Base; - - ProvingKey(const CircuitBuilder& builder) - : ProvingKey_, WitnessEntities, CommitmentKey>( - builder.get_circuit_subgroup_size(builder.get_num_gates()), 0) - { - const auto [_lagrange_first, _lagrange_last] = - compute_first_and_last_lagrange_polynomials(circuit_size); - lagrange_first = _lagrange_first; - lagrange_last = _lagrange_last; - { - Polynomial _lagrange_second(circuit_size); - _lagrange_second[1] = 1; - lagrange_second = _lagrange_second.share(); - } - } - - auto get_to_be_shifted() { return ECCVMFlavor::get_to_be_shifted(*this); } - // The plookup wires that store plookup read data. - RefArray get_table_column_wires() { return {}; }; - }; - - /** - * @brief The verification key is responsible for storing the the commitments to the precomputed (non-witnessk) - * polynomials used by the verifier. - * - * @note Note the discrepancy with what sort of data is stored here vs in the proving key. We may want to - * resolve that, and split out separate PrecomputedPolynomials/Commitments data for clarity but also for - * portability of our circuits. - */ - class VerificationKey : public VerificationKey_, VerifierCommitmentKey> { - public: - std::vector public_inputs; - - VerificationKey(const size_t circuit_size, const size_t num_public_inputs) - : VerificationKey_(circuit_size, num_public_inputs) - {} - - VerificationKey(const std::shared_ptr& proving_key) - : public_inputs(proving_key->public_inputs) - { - this->pcs_verification_key = std::make_shared(proving_key->circuit_size); - this->circuit_size = proving_key->circuit_size; - this->log_circuit_size = numeric::get_msb(this->circuit_size); - this->num_public_inputs = proving_key->num_public_inputs; - this->pub_inputs_offset = proving_key->pub_inputs_offset; - - for (auto [polynomial, commitment] : - zip_view(proving_key->get_precomputed_polynomials(), this->get_all())) { - commitment = proving_key->commitment_key->commit(polynomial); - } - } - }; - /** * @brief A container for polynomials produced after the first round of sumcheck. * @todo TODO(#394) Use polynomial classes for guaranteed memory alignment. @@ -432,6 +370,13 @@ class ECCVMFlavor { } return result; } + // Set all shifted polynomials based on their to-be-shifted counterpart + void set_shifted() + { + for (auto [shifted, to_be_shifted] : zip_view(get_shifted(), get_to_be_shifted())) { + shifted = to_be_shifted.shifted(); + } + } /** * @brief Compute the ECCVM flavor polynomial data required to generate an ECCVM Proof @@ -513,7 +458,7 @@ class ECCVMFlavor { table (reads come from msm_x/y3, msm_x/y4) * @return ProverPolynomials */ - ProverPolynomials(CircuitBuilder& builder) + ProverPolynomials(const CircuitBuilder& builder) { const auto msms = builder.get_msms(); const auto flattened_muls = builder.get_flattened_scalar_muls(msms); @@ -652,31 +597,57 @@ class ECCVMFlavor { msm_slice4[i] = msm_state[i].add_state[3].slice; } }); - transcript_mul_shift = transcript_mul.shifted(); - transcript_msm_count_shift = transcript_msm_count.shifted(); - transcript_accumulator_x_shift = transcript_accumulator_x.shifted(); - transcript_accumulator_y_shift = transcript_accumulator_y.shifted(); - precompute_scalar_sum_shift = precompute_scalar_sum.shifted(); - precompute_s1hi_shift = precompute_s1hi.shifted(); - precompute_dx_shift = precompute_dx.shifted(); - precompute_dy_shift = precompute_dy.shifted(); - precompute_tx_shift = precompute_tx.shifted(); - precompute_ty_shift = precompute_ty.shifted(); - msm_transition_shift = msm_transition.shifted(); - msm_add_shift = msm_add.shifted(); - msm_double_shift = msm_double.shifted(); - msm_skew_shift = msm_skew.shifted(); - msm_accumulator_x_shift = msm_accumulator_x.shifted(); - msm_accumulator_y_shift = msm_accumulator_y.shifted(); - msm_count_shift = msm_count.shifted(); - msm_round_shift = msm_round.shifted(); - msm_add1_shift = msm_add1.shifted(); - msm_pc_shift = msm_pc.shifted(); - precompute_pc_shift = precompute_pc.shifted(); - transcript_pc_shift = transcript_pc.shifted(); - precompute_round_shift = precompute_round.shifted(); - transcript_accumulator_empty_shift = transcript_accumulator_empty.shifted(); - precompute_select_shift = precompute_select.shifted(); + this->set_shifted(); + } + }; + + /** + * @brief The proving key is responsible for storing the polynomials used by the prover. + * + */ + class ProvingKey : public ProvingKey_ { + public: + // Expose constructors on the base class + using Base = ProvingKey_; + using Base::Base; + + ProverPolynomials polynomials; // storage for all polynomials evaluated by the prover + + ProvingKey(const CircuitBuilder& builder) + : Base(builder.get_circuit_subgroup_size(builder.get_num_gates()), 0) + , polynomials(builder) + {} + }; + + /** + * @brief The verification key is responsible for storing the the commitments to the precomputed (non-witnessk) + * polynomials used by the verifier. + * + * @note Note the discrepancy with what sort of data is stored here vs in the proving key. We may want to + * resolve that, and split out separate PrecomputedPolynomials/Commitments data for clarity but also for + * portability of our circuits. + */ + class VerificationKey : public VerificationKey_, VerifierCommitmentKey> { + public: + std::vector public_inputs; + + VerificationKey(const size_t circuit_size, const size_t num_public_inputs) + : VerificationKey_(circuit_size, num_public_inputs) + {} + + VerificationKey(const std::shared_ptr& proving_key) + : public_inputs(proving_key->public_inputs) + { + this->pcs_verification_key = std::make_shared(proving_key->circuit_size); + this->circuit_size = proving_key->circuit_size; + this->log_circuit_size = numeric::get_msb(this->circuit_size); + this->num_public_inputs = proving_key->num_public_inputs; + this->pub_inputs_offset = proving_key->pub_inputs_offset; + + for (auto [polynomial, commitment] : + zip_view(proving_key->polynomials.get_precomputed(), this->get_all())) { + commitment = proving_key->commitment_key->commit(polynomial); + } } }; diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp index 0f5066d8e2be..ea860e1e4c71 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp @@ -14,7 +14,6 @@ namespace bb { ECCVMProver::ECCVMProver(CircuitBuilder& builder, const std::shared_ptr& transcript) : transcript(transcript) - , prover_polynomials(builder) { BB_OP_COUNT_TIME_NAME("ECCVMProver(CircuitBuilder&)"); @@ -24,13 +23,6 @@ ECCVMProver::ECCVMProver(CircuitBuilder& builder, const std::shared_ptr(builder); - // Share all unshifted polys from the prover polynomials to the proving key. Note: this means that updating a - // polynomial in one container automatically updates it in the other via the shared memory. - for (auto [prover_poly, key_poly] : zip_view(prover_polynomials.get_unshifted(), key->get_all())) { - ASSERT(flavor_get_label(prover_polynomials, prover_poly) == flavor_get_label(*key, key_poly)); - key_poly = prover_poly.share(); - } - commitment_key = std::make_shared(key->circuit_size); } @@ -51,7 +43,7 @@ void ECCVMProver::execute_preamble_round() */ void ECCVMProver::execute_wire_commitments_round() { - auto wire_polys = key->get_wires(); + auto wire_polys = key->polynomials.get_wires(); auto labels = commitment_labels.get_wires(); for (size_t idx = 0; idx < wire_polys.size(); ++idx) { transcript->send_to_verifier(labels[idx], commitment_key->commit(wire_polys[idx])); @@ -78,8 +70,9 @@ void ECCVMProver::execute_log_derivative_commitments_round() relation_parameters.eccvm_set_permutation_delta = relation_parameters.eccvm_set_permutation_delta.invert(); // Compute inverse polynomial for our logarithmic-derivative lookup method compute_logderivative_inverse( - prover_polynomials, relation_parameters, key->circuit_size); - transcript->send_to_verifier(commitment_labels.lookup_inverses, commitment_key->commit(key->lookup_inverses)); + key->polynomials, relation_parameters, key->circuit_size); + transcript->send_to_verifier(commitment_labels.lookup_inverses, + commitment_key->commit(key->polynomials.lookup_inverses)); } /** @@ -89,9 +82,9 @@ void ECCVMProver::execute_log_derivative_commitments_round() void ECCVMProver::execute_grand_product_computation_round() { // Compute permutation grand product and their commitments - compute_permutation_grand_products(key, prover_polynomials, relation_parameters); + compute_grand_products(key->polynomials, relation_parameters); - transcript->send_to_verifier(commitment_labels.z_perm, commitment_key->commit(key->z_perm)); + transcript->send_to_verifier(commitment_labels.z_perm, commitment_key->commit(key->polynomials.z_perm)); } /** @@ -108,7 +101,7 @@ void ECCVMProver::execute_relation_check_rounds() for (size_t idx = 0; idx < gate_challenges.size(); idx++) { gate_challenges[idx] = transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); } - sumcheck_output = sumcheck.prove(prover_polynomials, relation_parameters, alpha, gate_challenges); + sumcheck_output = sumcheck.prove(key->polynomials, relation_parameters, alpha, gate_challenges); } /** @@ -118,8 +111,8 @@ void ECCVMProver::execute_relation_check_rounds() * */ void ECCVMProver::execute_zeromorph_rounds() { - ZeroMorph::prove(prover_polynomials.get_unshifted(), - prover_polynomials.get_to_be_shifted(), + ZeroMorph::prove(key->polynomials.get_unshifted(), + key->polynomials.get_to_be_shifted(), sumcheck_output.claimed_evaluations.get_unshifted(), sumcheck_output.claimed_evaluations.get_shifted(), sumcheck_output.challenge, @@ -146,11 +139,11 @@ void ECCVMProver::execute_transcript_consistency_univariate_opening_round() // Get the challenge at which we evaluate the polynomials as univariates evaluation_challenge_x = transcript->template get_challenge("Translation:evaluation_challenge_x"); - translation_evaluations.op = key->transcript_op.evaluate(evaluation_challenge_x); - translation_evaluations.Px = key->transcript_Px.evaluate(evaluation_challenge_x); - translation_evaluations.Py = key->transcript_Py.evaluate(evaluation_challenge_x); - translation_evaluations.z1 = key->transcript_z1.evaluate(evaluation_challenge_x); - translation_evaluations.z2 = key->transcript_z2.evaluate(evaluation_challenge_x); + translation_evaluations.op = key->polynomials.transcript_op.evaluate(evaluation_challenge_x); + translation_evaluations.Px = key->polynomials.transcript_Px.evaluate(evaluation_challenge_x); + translation_evaluations.Py = key->polynomials.transcript_Py.evaluate(evaluation_challenge_x); + translation_evaluations.z1 = key->polynomials.transcript_z1.evaluate(evaluation_challenge_x); + translation_evaluations.z2 = key->polynomials.transcript_z2.evaluate(evaluation_challenge_x); // Add the univariate evaluations to the transcript transcript->send_to_verifier("Translation:op", translation_evaluations.op); @@ -164,8 +157,9 @@ void ECCVMProver::execute_transcript_consistency_univariate_opening_round() FF ipa_batching_challenge = transcript->template get_challenge("Translation:ipa_batching_challenge"); // Collect the polynomials and evaluations to be batched - RefArray univariate_polynomials{ key->transcript_op, key->transcript_Px, key->transcript_Py, - key->transcript_z1, key->transcript_z2, hack }; + RefArray univariate_polynomials{ key->polynomials.transcript_op, key->polynomials.transcript_Px, + key->polynomials.transcript_Py, key->polynomials.transcript_z1, + key->polynomials.transcript_z2, hack }; std::array univariate_evaluations; for (auto [eval, polynomial] : zip_view(univariate_evaluations, univariate_polynomials)) { eval = polynomial.evaluate(evaluation_challenge_x); diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.hpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.hpp index b91b6d851e20..a4f99d8cde0e 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.hpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.hpp @@ -3,6 +3,7 @@ #include "barretenberg/eccvm/eccvm_flavor.hpp" #include "barretenberg/goblin/translation_evaluations.hpp" #include "barretenberg/honk/proof_system/types/proof.hpp" +#include "barretenberg/plonk_honk_shared/library/grand_product_library.hpp" #include "barretenberg/relations/relation_parameters.hpp" #include "barretenberg/sumcheck/sumcheck_output.hpp" #include "barretenberg/transcript/transcript.hpp" @@ -18,7 +19,6 @@ class ECCVMProver { using CommitmentKey = typename Flavor::CommitmentKey; using ProvingKey = typename Flavor::ProvingKey; using Polynomial = typename Flavor::Polynomial; - using ProverPolynomials = typename Flavor::ProverPolynomials; using CommitmentLabels = typename Flavor::CommitmentLabels; using Transcript = typename Flavor::Transcript; using TranslationEvaluations = bb::TranslationEvaluations; @@ -50,9 +50,6 @@ class ECCVMProver { std::shared_ptr key; - // Container for spans of all polynomials required by the prover (i.e. all multivariates evaluated by Sumcheck). - ProverPolynomials prover_polynomials; - CommitmentLabels commitment_labels; // Container for d + 1 Fold polynomials produced by Gemini diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_trace_checker.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_trace_checker.cpp index 349ec65c675c..c8acc2400bea 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_trace_checker.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_trace_checker.cpp @@ -1,5 +1,6 @@ #include "eccvm_trace_checker.hpp" #include "barretenberg/eccvm/eccvm_flavor.hpp" +#include "barretenberg/plonk_honk_shared/library/grand_product_library.hpp" using namespace bb; @@ -31,7 +32,7 @@ bool ECCVMTraceChecker::check(Builder& builder) ProverPolynomials polynomials(builder); const size_t num_rows = polynomials.get_polynomial_size(); compute_logderivative_inverse>(polynomials, params, num_rows); - compute_permutation_grand_product>(num_rows, polynomials, params); + compute_grand_product>(polynomials, params); polynomials.z_perm_shift = Polynomial(polynomials.z_perm.shifted()); diff --git a/barretenberg/cpp/src/barretenberg/execution_trace/execution_trace.cpp b/barretenberg/cpp/src/barretenberg/execution_trace/execution_trace.cpp index 79442b91bea9..d582089921ec 100644 --- a/barretenberg/cpp/src/barretenberg/execution_trace/execution_trace.cpp +++ b/barretenberg/cpp/src/barretenberg/execution_trace/execution_trace.cpp @@ -31,10 +31,12 @@ void ExecutionTrace_::add_wires_and_selectors_to_proving_key(TraceData& typename Flavor::ProvingKey& proving_key) { if constexpr (IsHonkFlavor) { - for (auto [pkey_wire, trace_wire] : zip_view(proving_key.get_wires(), trace_data.wires)) { + for (auto [pkey_wire, trace_wire] : zip_view(proving_key.polynomials.get_wires(), trace_data.wires)) { pkey_wire = trace_wire.share(); } - for (auto [pkey_selector, trace_selector] : zip_view(proving_key.get_selectors(), trace_data.selectors)) { + proving_key.polynomials.set_shifted(); // Ensure shifted wires are set correctly + for (auto [pkey_selector, trace_selector] : + zip_view(proving_key.polynomials.get_selectors(), trace_data.selectors)) { pkey_selector = trace_selector.share(); } proving_key.pub_inputs_offset = trace_data.pub_inputs_offset; @@ -146,28 +148,17 @@ void ExecutionTrace_::add_ecc_op_wires_to_proving_key(Builder& builder, typename Flavor::ProvingKey& proving_key) requires IsGoblinFlavor { - // Initialize the ecc op wire polynomials to zero on the whole domain - std::array op_wire_polynomials; - for (auto& poly : op_wire_polynomials) { - poly = Polynomial{ proving_key.circuit_size }; - } - Polynomial ecc_op_selector{ proving_key.circuit_size }; - // Copy the ecc op data from the conventional wires into the op wires over the range of ecc op gates + auto& ecc_op_selector = proving_key.polynomials.lagrange_ecc_op; const size_t op_wire_offset = Flavor::has_zero_row ? 1 : 0; - for (auto [ecc_op_wire, wire] : zip_view(op_wire_polynomials, proving_key.get_wires())) { + for (auto [ecc_op_wire, wire] : + zip_view(proving_key.polynomials.get_ecc_op_wires(), proving_key.polynomials.get_wires())) { for (size_t i = 0; i < builder.blocks.ecc_op.size(); ++i) { size_t idx = i + op_wire_offset; ecc_op_wire[idx] = wire[idx]; - ecc_op_selector[idx] = 1; // construct the selector as the indicator on the ecc op block + ecc_op_selector[idx] = 1; // construct selector as the indicator on the ecc op block } } - - proving_key.ecc_op_wire_1 = op_wire_polynomials[0].share(); - proving_key.ecc_op_wire_2 = op_wire_polynomials[1].share(); - proving_key.ecc_op_wire_3 = op_wire_polynomials[2].share(); - proving_key.ecc_op_wire_4 = op_wire_polynomials[3].share(); - proving_key.lagrange_ecc_op = ecc_op_selector.share(); } template class ExecutionTrace_; diff --git a/barretenberg/cpp/src/barretenberg/flavor/flavor.hpp b/barretenberg/cpp/src/barretenberg/flavor/flavor.hpp index d2a847a0dbcc..18eda8ecd0cf 100644 --- a/barretenberg/cpp/src/barretenberg/flavor/flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/flavor/flavor.hpp @@ -98,8 +98,35 @@ class PrecomputedEntitiesBase { * @tparam FF The scalar field on which we will encode our polynomial data. When instantiating, this may be extractable * from the other template paramter. */ +template class ProvingKey_ { + public: + size_t circuit_size; + bool contains_recursive_proof; + std::vector recursive_proof_public_input_indices; + bb::EvaluationDomain evaluation_domain; + std::shared_ptr commitment_key; + size_t num_public_inputs; + size_t log_circuit_size; + + // Offset off the public inputs from the start of the execution trace + size_t pub_inputs_offset = 0; + + // The number of public inputs has to be the same for all instances because they are + // folded element by element. + std::vector public_inputs; + + ProvingKey_() = default; + ProvingKey_(const size_t circuit_size, const size_t num_public_inputs) + { + this->commitment_key = std::make_shared(circuit_size + 1); + this->evaluation_domain = bb::EvaluationDomain(circuit_size, circuit_size); + this->circuit_size = circuit_size; + this->log_circuit_size = numeric::get_msb(circuit_size); + this->num_public_inputs = num_public_inputs; + }; +}; template -class ProvingKey_ : public PrecomputedPolynomials, public WitnessPolynomials { +class ProvingKeyAvm_ : public PrecomputedPolynomials, public WitnessPolynomials { public: using Polynomial = typename PrecomputedPolynomials::DataType; using FF = typename Polynomial::FF; @@ -110,9 +137,7 @@ class ProvingKey_ : public PrecomputedPolynomials, public WitnessPolynomials { bb::EvaluationDomain evaluation_domain; std::shared_ptr commitment_key; - // offset due to placing zero wires at the start of execution trace - // non-zero for Instances constructed from circuits, this concept doesn't exist for accumulated - // instances + // Offset off the public inputs from the start of the execution trace size_t pub_inputs_offset = 0; // The number of public inputs has to be the same for all instances because they are @@ -128,8 +153,8 @@ class ProvingKey_ : public PrecomputedPolynomials, public WitnessPolynomials { auto get_witness_polynomials() { return WitnessPolynomials::get_all(); } auto get_precomputed_polynomials() { return PrecomputedPolynomials::get_all(); } auto get_selectors() { return PrecomputedPolynomials::get_selectors(); } - ProvingKey_() = default; - ProvingKey_(const size_t circuit_size, const size_t num_public_inputs) + ProvingKeyAvm_() = default; + ProvingKeyAvm_(const size_t circuit_size, const size_t num_public_inputs) { this->commitment_key = std::make_shared(circuit_size + 1); this->evaluation_domain = bb::EvaluationDomain(circuit_size, circuit_size); diff --git a/barretenberg/cpp/src/barretenberg/flavor/flavor.test.cpp b/barretenberg/cpp/src/barretenberg/flavor/flavor.test.cpp index 889f4f9504cf..06d24472a9a3 100644 --- a/barretenberg/cpp/src/barretenberg/flavor/flavor.test.cpp +++ b/barretenberg/cpp/src/barretenberg/flavor/flavor.test.cpp @@ -17,7 +17,7 @@ TEST(Flavor, Getters) // set size_t coset_idx = 0; - for (auto& id_poly : proving_key.get_id_polynomials()) { + for (auto& id_poly : proving_key.polynomials.get_ids()) { typename Flavor::Polynomial new_poly(proving_key.circuit_size); for (size_t i = 0; i < proving_key.circuit_size; ++i) { id_poly[i] = coset_idx * proving_key.circuit_size + i; @@ -26,9 +26,9 @@ TEST(Flavor, Getters) } // Polynomials in the proving key can be set through loops over subsets produced by the getters - EXPECT_EQ(proving_key.id_1[0], FF(0)); - EXPECT_EQ(proving_key.id_2[0], FF(4)); - EXPECT_EQ(proving_key.id_3[0], FF(8)); + EXPECT_EQ(proving_key.polynomials.id_1[0], FF(0)); + EXPECT_EQ(proving_key.polynomials.id_2[0], FF(4)); + EXPECT_EQ(proving_key.polynomials.id_3[0], FF(8)); Flavor::ProverPolynomials prover_polynomials; Flavor::CommitmentLabels commitment_labels; diff --git a/barretenberg/cpp/src/barretenberg/flavor/relation_definitions.hpp b/barretenberg/cpp/src/barretenberg/flavor/relation_definitions.hpp index 203542d91275..0b1fed6342ee 100644 --- a/barretenberg/cpp/src/barretenberg/flavor/relation_definitions.hpp +++ b/barretenberg/cpp/src/barretenberg/flavor/relation_definitions.hpp @@ -31,9 +31,9 @@ #define SUMCHECK_PERMUTATION_CLASS(...) _SUMCHECK_PERMUTATION_CLASS(__VA_ARGS__) #define DEFINE_SUMCHECK_PERMUTATION_CLASS(RelationImpl, Flavor) \ - PERMUTATION_METHOD(compute_permutation_numerator, RelationImpl, Flavor, UnivariateAccumulator0, ExtendedEdge) \ - PERMUTATION_METHOD(compute_permutation_numerator, RelationImpl, Flavor, ValueAccumulator0, EvaluationEdge) \ - PERMUTATION_METHOD(compute_permutation_numerator, RelationImpl, Flavor, ValueAccumulator0, EntityEdge) \ - PERMUTATION_METHOD(compute_permutation_denominator, RelationImpl, Flavor, UnivariateAccumulator0, ExtendedEdge) \ - PERMUTATION_METHOD(compute_permutation_denominator, RelationImpl, Flavor, ValueAccumulator0, EvaluationEdge) \ - PERMUTATION_METHOD(compute_permutation_denominator, RelationImpl, Flavor, ValueAccumulator0, EntityEdge) + PERMUTATION_METHOD(compute_grand_product_numerator, RelationImpl, Flavor, UnivariateAccumulator0, ExtendedEdge) \ + PERMUTATION_METHOD(compute_grand_product_numerator, RelationImpl, Flavor, ValueAccumulator0, EvaluationEdge) \ + PERMUTATION_METHOD(compute_grand_product_numerator, RelationImpl, Flavor, ValueAccumulator0, EntityEdge) \ + PERMUTATION_METHOD(compute_grand_product_denominator, RelationImpl, Flavor, UnivariateAccumulator0, ExtendedEdge) \ + PERMUTATION_METHOD(compute_grand_product_denominator, RelationImpl, Flavor, ValueAccumulator0, EvaluationEdge) \ + PERMUTATION_METHOD(compute_grand_product_denominator, RelationImpl, Flavor, ValueAccumulator0, EntityEdge) diff --git a/barretenberg/cpp/src/barretenberg/honk/proof_system/permutation_library.hpp b/barretenberg/cpp/src/barretenberg/honk/proof_system/permutation_library.hpp index a061412d85d4..8ecb9e376ce4 100644 --- a/barretenberg/cpp/src/barretenberg/honk/proof_system/permutation_library.hpp +++ b/barretenberg/cpp/src/barretenberg/honk/proof_system/permutation_library.hpp @@ -7,166 +7,6 @@ namespace bb { -/** - * @brief Compute a permutation grand product polynomial Z_perm(X) - * * - * @details - * Z_perm may be defined in terms of its values on X_i = 0,1,...,n-1 as Z_perm[0] = 1 and for i = 1:n-1 - * relation::numerator(j) - * Z_perm[i] = ∏ -------------------------------------------------------------------------------- - * relation::denominator(j) - * - * where ∏ := ∏_{j=0:i-1} - * - * The specific algebraic relation used by Z_perm is defined by Flavor::GrandProductRelations - * - * For example, in Flavor::Standard the relation describes: - * - * (w_1(j) + β⋅id_1(j) + γ) ⋅ (w_2(j) + β⋅id_2(j) + γ) ⋅ (w_3(j) + β⋅id_3(j) + γ) - * Z_perm[i] = ∏ -------------------------------------------------------------------------------- - * (w_1(j) + β⋅σ_1(j) + γ) ⋅ (w_2(j) + β⋅σ_2(j) + γ) ⋅ (w_3(j) + β⋅σ_3(j) + γ) - * where ∏ := ∏_{j=0:i-1} and id_i(X) = id(X) + n*(i-1) - * - * For Flavor::Ultra both the UltraPermutation and Lookup grand products are computed by this method. - * - * The grand product is constructed over the course of three steps. - * - * For expositional simplicity, write Z_perm[i] as - * - * A(j) - * Z_perm[i] = ∏ -------------------------- - * B(h) - * - * Step 1) Compute 2 length-n polynomials A, B - * Step 2) Compute 2 length-n polynomials numerator = ∏ A(j), nenominator = ∏ B(j) - * Step 3) Compute Z_perm[i + 1] = numerator[i] / denominator[i] (recall: Z_perm[0] = 1) - * - * Note: Step (3) utilizes Montgomery batch inversion to replace n-many inversions with - */ -template -void compute_permutation_grand_product(const size_t circuit_size, - auto& full_polynomials, - bb::RelationParameters& relation_parameters) -{ - using FF = typename Flavor::FF; - using Polynomial = typename Flavor::Polynomial; - using Accumulator = std::tuple_element_t<0, typename GrandProdRelation::SumcheckArrayOfValuesOverSubrelations>; - - // Allocate numerator/denominator polynomials that will serve as scratch space - // TODO(zac) we can re-use the permutation polynomial as the numerator polynomial. - // Reduces readability (issue #2215) - Polynomial numerator = Polynomial{ circuit_size }; - Polynomial denominator = Polynomial{ circuit_size }; - - // Step (1) - // Populate `numerator` and `denominator` with the algebra described by GrandProdRelation - static constexpr size_t MIN_CIRCUIT_SIZE_TO_MULTITHREAD = 64; - const size_t num_threads = circuit_size >= MIN_CIRCUIT_SIZE_TO_MULTITHREAD - ? (circuit_size >= get_num_cpus_pow2() ? get_num_cpus_pow2() : 1) - : 1; - const size_t block_size = circuit_size / num_threads; - parallel_for(num_threads, [&](size_t thread_idx) { - const size_t start = thread_idx * block_size; - const size_t end = (thread_idx + 1) * block_size; - for (size_t i = start; i < end; ++i) { - - typename Flavor::AllValues evaluations; - for (auto [eval, poly] : zip_view(evaluations.get_all(), full_polynomials.get_all())) { - eval = poly.size() > i ? poly[i] : 0; - } - numerator[i] = GrandProdRelation::template compute_permutation_numerator(evaluations, - relation_parameters); - denominator[i] = GrandProdRelation::template compute_permutation_denominator( - evaluations, relation_parameters); - } - }); - - // Step (2) - // Compute the accumulating product of the numerator and denominator terms. - // This step is split into three parts for efficient multithreading: - // (i) compute ∏ A(j), ∏ B(j) subproducts for each thread - // (ii) compute scaling factor required to convert each subproduct into a single running product - // (ii) combine subproducts into a single running product - // - // For example, consider 4 threads and a size-8 numerator { a0, a1, a2, a3, a4, a5, a6, a7 } - // (i) Each thread computes 1 element of N = {{ a0, a0a1 }, { a2, a2a3 }, { a4, a4a5 }, { a6, a6a7 }} - // (ii) Take partial products P = { 1, a0a1, a2a3, a4a5 } - // (iii) Each thread j computes N[i][j]*P[j]= - // {{a0,a0a1},{a0a1a2,a0a1a2a3},{a0a1a2a3a4,a0a1a2a3a4a5},{a0a1a2a3a4a5a6,a0a1a2a3a4a5a6a7}} - std::vector partial_numerators(num_threads); - std::vector partial_denominators(num_threads); - - parallel_for(num_threads, [&](size_t thread_idx) { - const size_t start = thread_idx * block_size; - const size_t end = (thread_idx + 1) * block_size; - for (size_t i = start; i < end - 1; ++i) { - numerator[i + 1] *= numerator[i]; - denominator[i + 1] *= denominator[i]; - } - partial_numerators[thread_idx] = numerator[end - 1]; - partial_denominators[thread_idx] = denominator[end - 1]; - }); - - parallel_for(num_threads, [&](size_t thread_idx) { - const size_t start = thread_idx * block_size; - const size_t end = (thread_idx + 1) * block_size; - if (thread_idx > 0) { - FF numerator_scaling = 1; - FF denominator_scaling = 1; - - for (size_t j = 0; j < thread_idx; ++j) { - numerator_scaling *= partial_numerators[j]; - denominator_scaling *= partial_denominators[j]; - } - for (size_t i = start; i < end; ++i) { - numerator[i] *= numerator_scaling; - denominator[i] *= denominator_scaling; - } - } - - // Final step: invert denominator - FF::batch_invert(std::span{ &denominator[start], block_size }); - }); - - // Step (3) Compute z_perm[i] = numerator[i] / denominator[i] - auto& grand_product_polynomial = GrandProdRelation::get_grand_product_polynomial(full_polynomials); - grand_product_polynomial[0] = 0; - parallel_for(num_threads, [&](size_t thread_idx) { - const size_t start = thread_idx * block_size; - const size_t end = (thread_idx == num_threads - 1) ? circuit_size - 1 : (thread_idx + 1) * block_size; - for (size_t i = start; i < end; ++i) { - grand_product_polynomial[i + 1] = numerator[i] * denominator[i]; - } - }); -} - -template -void compute_permutation_grand_products(std::shared_ptr& key, - typename Flavor::ProverPolynomials& full_polynomials, - bb::RelationParameters& relation_parameters) -{ - using GrandProductRelations = typename Flavor::GrandProductRelations; - using FF = typename Flavor::FF; - - constexpr size_t NUM_RELATIONS = std::tuple_size{}; - bb::constexpr_for<0, NUM_RELATIONS, 1>([&]() { - using PermutationRelation = typename std::tuple_element::type; - - // Assign the grand product polynomial to the relevant std::span member of `full_polynomials` (and its shift) - // For example, for UltraPermutationRelation, this will be `full_polynomials.z_perm` - // For example, for LookupRelation, this will be `full_polynomials.z_lookup` - bb::Polynomial& full_polynomial = PermutationRelation::get_grand_product_polynomial(full_polynomials); - bb::Polynomial& key_polynomial = PermutationRelation::get_grand_product_polynomial(*key); - full_polynomial = key_polynomial.share(); - - compute_permutation_grand_product( - key->circuit_size, full_polynomials, relation_parameters); - bb::Polynomial& full_polynomial_shift = - PermutationRelation::get_shifted_grand_product_polynomial(full_polynomials); - full_polynomial_shift = key_polynomial.shifted(); - }); -} - /** * @brief Compute new polynomials which are the concatenated versions of other polynomials * @@ -181,16 +21,15 @@ void compute_permutation_grand_products(std::shared_ptr void compute_concatenated_polynomials(StorageHandle* proving_key) +template void compute_concatenated_polynomials(typename Flavor::ProverPolynomials& polynomials) { // Concatenation groups are vectors of polynomials that are concatenated together - auto concatenation_groups = proving_key->get_concatenation_groups(); + auto concatenation_groups = polynomials.get_concatenation_groups(); // Resulting concatenated polynomials - auto targets = proving_key->get_concatenated_constraints(); + auto targets = polynomials.get_concatenated_constraints(); // Targets have to be full-sized polynomials. We can compute the mini circuit size from them by dividing by // concatenation index @@ -236,11 +75,10 @@ template void compute_concatenated_pol * can construct a proof when ( k + 1 ) ⋅ ( max_range/ 3 + 1 ) < concatenated size * * @tparam Flavor - * @tparam StorageHandle * @param proving_key */ -template -void compute_goblin_translator_range_constraint_ordered_polynomials(StorageHandle* proving_key, +template +void compute_goblin_translator_range_constraint_ordered_polynomials(typename Flavor::ProverPolynomials& polynomials, size_t mini_circuit_dyadic_size) { @@ -271,14 +109,14 @@ void compute_goblin_translator_range_constraint_ordered_polynomials(StorageHandl } std::vector> ordered_vectors_uint(num_concatenated_wires); - auto ordered_constraint_polynomials = std::vector{ &proving_key->ordered_range_constraints_0, - &proving_key->ordered_range_constraints_1, - &proving_key->ordered_range_constraints_2, - &proving_key->ordered_range_constraints_3 }; + auto ordered_constraint_polynomials = std::vector{ &polynomials.ordered_range_constraints_0, + &polynomials.ordered_range_constraints_1, + &polynomials.ordered_range_constraints_2, + &polynomials.ordered_range_constraints_3 }; std::vector extra_denominator_uint(full_circuit_size); // Get information which polynomials need to be concatenated - auto concatenation_groups = proving_key->get_concatenation_groups(); + auto concatenation_groups = polynomials.get_concatenation_groups(); // A function that transfers elements from each of the polynomials in the chosen concatenation group in the uint // ordered polynomials @@ -352,7 +190,7 @@ void compute_goblin_translator_range_constraint_ordered_polynomials(StorageHandl // And copy it to the actual polynomial std::transform(extra_denominator_uint.cbegin(), extra_denominator_uint.cend(), - proving_key->ordered_range_constraints_4.begin(), + polynomials.ordered_range_constraints_4.begin(), [](uint32_t in) { return FF(in); }); } diff --git a/barretenberg/cpp/src/barretenberg/plonk/composer/ultra_composer.cpp b/barretenberg/cpp/src/barretenberg/plonk/composer/ultra_composer.cpp index bc856916cb83..d72ec79e4ee3 100644 --- a/barretenberg/cpp/src/barretenberg/plonk/composer/ultra_composer.cpp +++ b/barretenberg/cpp/src/barretenberg/plonk/composer/ultra_composer.cpp @@ -242,7 +242,18 @@ void UltraComposer::add_table_column_selector_poly_to_proving_key(polynomial& se void UltraComposer::construct_table_polynomials(CircuitBuilder& circuit, size_t subgroup_size) { size_t additional_offset = s_randomness + 1; - auto table_polynomials = construct_lookup_table_polynomials(circuit, subgroup_size, additional_offset); + + using Polynomial = typename Flavor::Polynomial; + std::array table_polynomials; + for (auto& poly : table_polynomials) { + poly = Polynomial(subgroup_size); + } + + construct_lookup_table_polynomials( + { table_polynomials[0], table_polynomials[1], table_polynomials[2], table_polynomials[3] }, + circuit, + subgroup_size, + additional_offset); // // In the case of using UltraPlonkComposer for a circuit which does _not_ make use of any lookup tables, all four // // table columns would be all zeros. This would result in these polys' commitments all being the point at diff --git a/barretenberg/cpp/src/barretenberg/plonk_honk_shared/composer/composer_lib.hpp b/barretenberg/cpp/src/barretenberg/plonk_honk_shared/composer/composer_lib.hpp index b4ab7818f40e..06a901d7425f 100644 --- a/barretenberg/cpp/src/barretenberg/plonk_honk_shared/composer/composer_lib.hpp +++ b/barretenberg/cpp/src/barretenberg/plonk_honk_shared/composer/composer_lib.hpp @@ -1,4 +1,5 @@ #pragma once +#include "barretenberg/common/ref_array.hpp" #include "barretenberg/flavor/flavor.hpp" #include "barretenberg/polynomials/polynomial_store.hpp" @@ -7,15 +8,11 @@ namespace bb { template -std::array construct_lookup_table_polynomials( - const typename Flavor::CircuitBuilder& circuit, size_t dyadic_circuit_size, size_t additional_offset = 0) +void construct_lookup_table_polynomials(RefArray table_polynomials, + const typename Flavor::CircuitBuilder& circuit, + size_t dyadic_circuit_size, + size_t additional_offset = 0) { - using Polynomial = typename Flavor::Polynomial; - std::array table_polynomials; - for (auto& poly : table_polynomials) { - poly = Polynomial(dyadic_circuit_size); - } - // Create lookup selector polynomials which interpolate each table column. // Our selector polys always need to interpolate the full subgroup size, so here we offset so as to // put the table column's values at the end. (The first gates are for non-lookup constraints). @@ -23,6 +20,7 @@ std::array construct_lookup_table_polynomials( // ^^^^^^^^^ ^^^^^^^^ ^^^^^^^ ^nonzero to ensure uniqueness and to avoid infinity commitments // | table randomness // ignored, as used for regular constraints and padding to the next power of 2. + ASSERT(dyadic_circuit_size > circuit.get_tables_size() + additional_offset); size_t offset = dyadic_circuit_size - circuit.get_tables_size() - additional_offset; for (const auto& table : circuit.lookup_tables) { @@ -36,7 +34,6 @@ std::array construct_lookup_table_polynomials( ++offset; } } - return table_polynomials; } /** diff --git a/barretenberg/cpp/src/barretenberg/plonk_honk_shared/composer/permutation_lib.hpp b/barretenberg/cpp/src/barretenberg/plonk_honk_shared/composer/permutation_lib.hpp index 04629363042a..52bd04ec97df 100644 --- a/barretenberg/cpp/src/barretenberg/plonk_honk_shared/composer/permutation_lib.hpp +++ b/barretenberg/cpp/src/barretenberg/plonk_honk_shared/composer/permutation_lib.hpp @@ -180,7 +180,7 @@ PermutationMapping compute_permutation_mapping( template void compute_honk_style_permutation_lagrange_polynomials_from_mapping( const RefSpan& permutation_polynomials, // sigma or ID poly - std::array, Flavor::NUM_WIRES>& permutation_mappings, + const std::array, Flavor::NUM_WIRES>& permutation_mappings, typename Flavor::ProvingKey* proving_key) { using FF = typename Flavor::FF; @@ -384,9 +384,9 @@ void compute_permutation_argument_polynomials(const typename Flavor::CircuitBuil } else if constexpr (IsUltraFlavor) { // any UltraHonk flavor // Compute Honk-style sigma and ID polynomials from the corresponding mappings compute_honk_style_permutation_lagrange_polynomials_from_mapping( - key->get_sigma_polynomials(), mapping.sigmas, key); + key->polynomials.get_sigmas(), mapping.sigmas, key); compute_honk_style_permutation_lagrange_polynomials_from_mapping( - key->get_id_polynomials(), mapping.ids, key); + key->polynomials.get_ids(), mapping.ids, key); } } diff --git a/barretenberg/cpp/src/barretenberg/plonk_honk_shared/library/grand_product_library.hpp b/barretenberg/cpp/src/barretenberg/plonk_honk_shared/library/grand_product_library.hpp index 78899bc1a226..43d01587541d 100644 --- a/barretenberg/cpp/src/barretenberg/plonk_honk_shared/library/grand_product_library.hpp +++ b/barretenberg/cpp/src/barretenberg/plonk_honk_shared/library/grand_product_library.hpp @@ -48,8 +48,7 @@ namespace bb { * Note: Step (3) utilizes Montgomery batch inversion to replace n-many inversions with */ template -void compute_grand_product(const size_t circuit_size, - typename Flavor::ProverPolynomials& full_polynomials, +void compute_grand_product(typename Flavor::ProverPolynomials& full_polynomials, bb::RelationParameters& relation_parameters) { using FF = typename Flavor::FF; @@ -58,6 +57,7 @@ void compute_grand_product(const size_t circuit_size, // Allocate numerator/denominator polynomials that will serve as scratch space // TODO(zac) we can re-use the permutation polynomial as the numerator polynomial. Reduces readability + size_t circuit_size = full_polynomials.get_polynomial_size(); Polynomial numerator{ circuit_size }; Polynomial denominator{ circuit_size }; @@ -65,16 +65,14 @@ void compute_grand_product(const size_t circuit_size, // Populate `numerator` and `denominator` with the algebra described by Relation const size_t num_threads = circuit_size >= get_num_cpus_pow2() ? get_num_cpus_pow2() : 1; const size_t block_size = circuit_size / num_threads; - auto full_polynomials_view = full_polynomials.get_all(); parallel_for(num_threads, [&](size_t thread_idx) { const size_t start = thread_idx * block_size; const size_t end = (thread_idx + 1) * block_size; typename Flavor::AllValues evaluations; - auto evaluations_view = evaluations.get_all(); // TODO(https://github.com/AztecProtocol/barretenberg/issues/940): construction of evaluations is equivalent to // calling get_row which creates full copies. avoid? for (size_t i = start; i < end; ++i) { - for (auto [eval, full_poly] : zip_view(evaluations_view, full_polynomials_view)) { + for (auto [eval, full_poly] : zip_view(evaluations.get_all(), full_polynomials.get_all())) { eval = full_poly.size() > i ? full_poly[i] : 0; } numerator[i] = GrandProdRelation::template compute_grand_product_numerator( @@ -143,29 +141,21 @@ void compute_grand_product(const size_t circuit_size, }); } +/** + * @brief Compute the grand product corresponding to each grand-product relation defined in the Flavor + * + */ template -void compute_grand_products(const typename Flavor::ProvingKey& key, - typename Flavor::ProverPolynomials& full_polynomials, +void compute_grand_products(typename Flavor::ProverPolynomials& full_polynomials, bb::RelationParameters& relation_parameters) { using GrandProductRelations = typename Flavor::GrandProductRelations; - using FF = typename Flavor::FF; constexpr size_t NUM_RELATIONS = std::tuple_size{}; bb::constexpr_for<0, NUM_RELATIONS, 1>([&]() { using GrandProdRelation = typename std::tuple_element::type; - // Assign the grand product polynomial to the relevant std::span member of `full_polynomials` (and its shift) - // For example, for UltraPermutationRelation, this will be `full_polynomials.z_perm` - // For example, for LookupRelation, this will be `full_polynomials.z_lookup` - bb::Polynomial& full_polynomial = GrandProdRelation::get_grand_product_polynomial(full_polynomials); - auto& key_polynomial = GrandProdRelation::get_grand_product_polynomial(key); - full_polynomial = key_polynomial.share(); - - compute_grand_product(key.circuit_size, full_polynomials, relation_parameters); - bb::Polynomial& full_polynomial_shift = - GrandProdRelation::get_shifted_grand_product_polynomial(full_polynomials); - full_polynomial_shift = key_polynomial.shifted(); + compute_grand_product(full_polynomials, relation_parameters); }); } diff --git a/barretenberg/cpp/src/barretenberg/polynomials/polynomial.test.cpp b/barretenberg/cpp/src/barretenberg/polynomials/polynomial.test.cpp new file mode 100644 index 000000000000..59e4d5fa7474 --- /dev/null +++ b/barretenberg/cpp/src/barretenberg/polynomials/polynomial.test.cpp @@ -0,0 +1,61 @@ +#include +#include + +#include "barretenberg/polynomials/polynomial.hpp" + +using namespace bb; + +// Simple test/demonstration of shifted functionality +TEST(Polynomial, Shifted) +{ + using FF = bb::fr; + using Polynomial = Polynomial; + const size_t SIZE = 10; + auto poly = Polynomial::random(SIZE); + poly[0] = 0; // make it shiftable + + // Instantiate the shift via the shited method + auto poly_shifted = poly.shifted(); + + EXPECT_EQ(poly_shifted.size(), poly.size()); + + // The shift is indeed the shift + for (size_t i = 0; i < poly_shifted.size(); ++i) { + EXPECT_EQ(poly_shifted.at(i), poly.at(i + 1)); + } + + // If I change the original polynomial, the shift is updated accordingly + poly[3] = 25; + for (size_t i = 0; i < poly_shifted.size(); ++i) { + EXPECT_EQ(poly_shifted.at(i), poly.at(i + 1)); + } +} + +// Simple test/demonstration of share functionality +TEST(Polynomial, Share) +{ + using FF = bb::fr; + using Polynomial = Polynomial; + const size_t SIZE = 10; + auto poly = Polynomial::random(SIZE); + + // "clone" the poly via the share method + auto poly_clone = poly.share(); + + // The two are indeed equal + EXPECT_EQ(poly_clone, poly); + + // Changing one changes the other + poly[3] = 25; + EXPECT_EQ(poly_clone, poly); + + poly_clone[2] = 13; + EXPECT_EQ(poly_clone, poly); + + // If reset the original poly, it will no longer be equal to the clone made earlier + // Note: if we had not made a clone, the memory from the original poly would be leaked + auto poly2 = Polynomial::random(SIZE); + poly = poly2.share(); + + EXPECT_NE(poly_clone, poly); +} diff --git a/barretenberg/cpp/src/barretenberg/protogalaxy/combiner.test.cpp b/barretenberg/cpp/src/barretenberg/protogalaxy/combiner.test.cpp index 2e6f87f73f99..72a6fa53233c 100644 --- a/barretenberg/cpp/src/barretenberg/protogalaxy/combiner.test.cpp +++ b/barretenberg/cpp/src/barretenberg/protogalaxy/combiner.test.cpp @@ -44,8 +44,7 @@ TEST(Protogalaxy, CombinerOn2Instances) auto prover_polynomials = get_sequential_prover_polynomials( /*log_circuit_size=*/1, idx * 128); restrict_to_standard_arithmetic_relation(prover_polynomials); - instance->prover_polynomials = std::move(prover_polynomials); - instance->proving_key = Flavor::ProvingKey(); + instance->proving_key.polynomials = std::move(prover_polynomials); instance->proving_key.circuit_size = 2; instance_data[idx] = instance; } @@ -78,8 +77,7 @@ TEST(Protogalaxy, CombinerOn2Instances) auto prover_polynomials = get_zero_prover_polynomials( /*log_circuit_size=*/1); restrict_to_standard_arithmetic_relation(prover_polynomials); - instance->prover_polynomials = std::move(prover_polynomials); - instance->proving_key = Flavor::ProvingKey(); + instance->proving_key.polynomials = std::move(prover_polynomials); instance->proving_key.circuit_size = 2; instance_data[idx] = instance; } @@ -104,13 +102,13 @@ TEST(Protogalaxy, CombinerOn2Instances) polys.q_o[idx] = -1; }; - create_add_gate(instances[0]->prover_polynomials, 0, 1, 2); - create_add_gate(instances[0]->prover_polynomials, 1, 0, 4); - create_add_gate(instances[1]->prover_polynomials, 0, 3, 4); - create_mul_gate(instances[1]->prover_polynomials, 1, 1, 4); + create_add_gate(instances[0]->proving_key.polynomials, 0, 1, 2); + create_add_gate(instances[0]->proving_key.polynomials, 1, 0, 4); + create_add_gate(instances[1]->proving_key.polynomials, 0, 3, 4); + create_mul_gate(instances[1]->proving_key.polynomials, 1, 1, 4); - restrict_to_standard_arithmetic_relation(instances[0]->prover_polynomials); - restrict_to_standard_arithmetic_relation(instances[1]->prover_polynomials); + restrict_to_standard_arithmetic_relation(instances[0]->proving_key.polynomials); + restrict_to_standard_arithmetic_relation(instances[1]->proving_key.polynomials); /* Instance 0 Instance 1 w_l w_r w_o q_m q_l q_r q_o q_c w_l w_r w_o q_m q_l q_r q_o q_c @@ -169,8 +167,7 @@ TEST(Protogalaxy, CombinerOn4Instances) auto instance = std::make_shared(); auto prover_polynomials = get_zero_prover_polynomials( /*log_circuit_size=*/1); - instance->prover_polynomials = std::move(prover_polynomials); - instance->proving_key = Flavor::ProvingKey(); + instance->proving_key.polynomials = std::move(prover_polynomials); instance->proving_key.circuit_size = 2; instance_data[idx] = instance; } @@ -178,10 +175,10 @@ TEST(Protogalaxy, CombinerOn4Instances) ProverInstances instances{ instance_data }; instances.alphas.fill(bb::Univariate(FF(0))); // focus on the arithmetic relation only - zero_all_selectors(instances[0]->prover_polynomials); - zero_all_selectors(instances[1]->prover_polynomials); - zero_all_selectors(instances[2]->prover_polynomials); - zero_all_selectors(instances[3]->prover_polynomials); + zero_all_selectors(instances[0]->proving_key.polynomials); + zero_all_selectors(instances[1]->proving_key.polynomials); + zero_all_selectors(instances[2]->proving_key.polynomials); + zero_all_selectors(instances[3]->proving_key.polynomials); auto pow_polynomial = PowPolynomial(std::vector{ 2 }); auto result = prover.compute_combiner(instances, pow_polynomial); diff --git a/barretenberg/cpp/src/barretenberg/protogalaxy/decider_prover.cpp b/barretenberg/cpp/src/barretenberg/protogalaxy/decider_prover.cpp index 1175e6d7f8f7..7c17c906600e 100644 --- a/barretenberg/cpp/src/barretenberg/protogalaxy/decider_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/protogalaxy/decider_prover.cpp @@ -40,8 +40,8 @@ template void DeciderProver_::execute_relation_ch * */ template void DeciderProver_::execute_zeromorph_rounds() { - ZeroMorph::prove(accumulator->prover_polynomials.get_unshifted(), - accumulator->prover_polynomials.get_to_be_shifted(), + ZeroMorph::prove(accumulator->proving_key.polynomials.get_unshifted(), + accumulator->proving_key.polynomials.get_to_be_shifted(), sumcheck_output.claimed_evaluations.get_unshifted(), sumcheck_output.claimed_evaluations.get_shifted(), sumcheck_output.challenge, diff --git a/barretenberg/cpp/src/barretenberg/protogalaxy/protogalaxy.test.cpp b/barretenberg/cpp/src/barretenberg/protogalaxy/protogalaxy.test.cpp index 2443df216155..0b51c91f57b4 100644 --- a/barretenberg/cpp/src/barretenberg/protogalaxy/protogalaxy.test.cpp +++ b/barretenberg/cpp/src/barretenberg/protogalaxy/protogalaxy.test.cpp @@ -77,15 +77,6 @@ template class ProtoGalaxyTests : public testing::Test { return instances; } - static ProverPolynomials construct_full_prover_polynomials(auto& input_polynomials) - { - ProverPolynomials full_polynomials; - for (auto [prover_poly, input_poly] : zip_view(full_polynomials.get_all(), input_polynomials)) { - prover_poly = input_poly.share(); - } - return full_polynomials; - } - static std::tuple, std::shared_ptr> fold_and_verify( const std::vector>& prover_instances, const std::vector>& verifier_instances) @@ -102,7 +93,7 @@ template class ProtoGalaxyTests : public testing::Test { { auto instance_size = accumulator->proving_key.circuit_size; auto expected_honk_evals = ProtoGalaxyProver::compute_full_honk_evaluations( - accumulator->prover_polynomials, accumulator->alphas, accumulator->relation_parameters); + accumulator->proving_key.polynomials, accumulator->alphas, accumulator->relation_parameters); // Construct pow(\vec{betas*}) as in the paper auto expected_pows = PowPolynomial(accumulator->gate_challenges); expected_pows.compute_values(); @@ -152,13 +143,12 @@ template class ProtoGalaxyTests : public testing::Test { instance->proving_key.compute_logderivative_inverse(instance->relation_parameters); } instance->proving_key.compute_grand_product_polynomials(instance->relation_parameters); - instance->prover_polynomials = ProverPolynomials(instance->proving_key); for (auto& alpha : instance->alphas) { alpha = FF::random_element(); } auto full_honk_evals = ProtoGalaxyProver::compute_full_honk_evaluations( - instance->prover_polynomials, instance->alphas, instance->relation_parameters); + instance->proving_key.polynomials, instance->alphas, instance->relation_parameters); // Evaluations should be 0 for valid circuit for (const auto& eval : full_honk_evals) { @@ -194,11 +184,12 @@ template class ProtoGalaxyTests : public testing::Test { using RelationSeparator = typename Flavor::RelationSeparator; const size_t log_instance_size(3); const size_t instance_size(1 << log_instance_size); - std::array, Flavor::NUM_ALL_ENTITIES> random_polynomials; - for (auto& poly : random_polynomials) { + // Construct fully random prover polynomials + ProverPolynomials full_polynomials; + for (auto& poly : full_polynomials.get_all()) { poly = bb::Polynomial::random(instance_size); } - auto full_polynomials = construct_full_prover_polynomials(random_polynomials); + auto relation_parameters = bb::RelationParameters::get_random(); RelationSeparator alphas; for (auto& alpha : alphas) { @@ -223,7 +214,7 @@ template class ProtoGalaxyTests : public testing::Test { } auto accumulator = std::make_shared(); - accumulator->prover_polynomials = std::move(full_polynomials); + accumulator->proving_key.polynomials = std::move(full_polynomials); accumulator->gate_challenges = betas; accumulator->target_sum = target_sum; accumulator->relation_parameters = relation_parameters; @@ -432,7 +423,7 @@ template class ProtoGalaxyTests : public testing::Test { check_accumulator_target_sum_manual(prover_accumulator, true); // Tamper with an accumulator polynomial - prover_accumulator->prover_polynomials.w_l[1] = FF::random_element(); + prover_accumulator->proving_key.polynomials.w_l[1] = FF::random_element(); check_accumulator_target_sum_manual(prover_accumulator, false); TupleOfInstances insts_2 = construct_instances(1); // just one set of prover/verifier instances diff --git a/barretenberg/cpp/src/barretenberg/protogalaxy/protogalaxy_prover.cpp b/barretenberg/cpp/src/barretenberg/protogalaxy/protogalaxy_prover.cpp index ccafde8cc61e..6d67ab105764 100644 --- a/barretenberg/cpp/src/barretenberg/protogalaxy/protogalaxy_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/protogalaxy/protogalaxy_prover.cpp @@ -11,7 +11,6 @@ void ProtoGalaxyProver_::finalise_and_send_instance(std::shared auto [proving_key, relation_params, alphas] = oink_prover.prove(); instance->proving_key = std::move(proving_key); instance->relation_parameters = std::move(relation_params); - instance->prover_polynomials = ProverPolynomials(instance->proving_key); instance->alphas = std::move(alphas); } @@ -80,7 +79,7 @@ std::shared_ptr ProtoGalaxyProver_gate_challenges = instances.next_gate_challenges; // Initialize accumulator proving key polynomials - auto accumulator_polys = next_accumulator->proving_key.get_all(); + auto accumulator_polys = next_accumulator->proving_key.polynomials.get_all(); run_loop_in_parallel(Flavor::NUM_FOLDED_ENTITIES, [&](size_t start_idx, size_t end_idx) { for (size_t poly_idx = start_idx; poly_idx < end_idx; poly_idx++) { auto& acc_poly = accumulator_polys[poly_idx]; @@ -92,7 +91,7 @@ std::shared_ptr ProtoGalaxyProver_proving_key.get_all(); + auto input_polys = instances[inst_idx]->proving_key.polynomials.get_all(); run_loop_in_parallel(Flavor::NUM_FOLDED_ENTITIES, [&](size_t start_idx, size_t end_idx) { for (size_t poly_idx = start_idx; poly_idx < end_idx; poly_idx++) { auto& acc_poly = accumulator_polys[poly_idx]; @@ -141,10 +140,6 @@ std::shared_ptr ProtoGalaxyProver_relation_parameters = folded_relation_parameters; next_accumulator->proving_key = std::move(instances[0]->proving_key); - // Derive the prover polynomials from the proving key polynomials since we only fold the unshifted polynomials. This - // is extremely cheap since we only call .share() and .shifted() polynomial functions. We need the folded prover - // polynomials for the decider. - next_accumulator->prover_polynomials = ProverPolynomials(next_accumulator->proving_key); return next_accumulator; } diff --git a/barretenberg/cpp/src/barretenberg/protogalaxy/protogalaxy_prover.hpp b/barretenberg/cpp/src/barretenberg/protogalaxy/protogalaxy_prover.hpp index 470d8f110b5f..d9cffcca9c70 100644 --- a/barretenberg/cpp/src/barretenberg/protogalaxy/protogalaxy_prover.hpp +++ b/barretenberg/cpp/src/barretenberg/protogalaxy/protogalaxy_prover.hpp @@ -255,7 +255,7 @@ template class ProtoGalaxyProver_ { { BB_OP_COUNT_TIME(); auto full_honk_evaluations = compute_full_honk_evaluations( - accumulator->prover_polynomials, accumulator->alphas, accumulator->relation_parameters); + accumulator->proving_key.polynomials, accumulator->alphas, accumulator->relation_parameters); const auto betas = accumulator->gate_challenges; assert(betas.size() == deltas.size()); auto coeffs = construct_perturbator_coefficients(betas, deltas, full_honk_evaluations); diff --git a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_set_relation.cpp b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_set_relation.cpp index 852ceded6990..3fa0e512058e 100644 --- a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_set_relation.cpp +++ b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_set_relation.cpp @@ -34,7 +34,7 @@ namespace bb { */ template template -Accumulator ECCVMSetRelationImpl::compute_permutation_numerator(const AllEntities& in, const Parameters& params) +Accumulator ECCVMSetRelationImpl::compute_grand_product_numerator(const AllEntities& in, const Parameters& params) { using View = typename Accumulator::View; @@ -227,7 +227,7 @@ Accumulator ECCVMSetRelationImpl::compute_permutation_numerator(const AllEnt template template -Accumulator ECCVMSetRelationImpl::compute_permutation_denominator(const AllEntities& in, const Parameters& params) +Accumulator ECCVMSetRelationImpl::compute_grand_product_denominator(const AllEntities& in, const Parameters& params) { using View = typename Accumulator::View; @@ -244,7 +244,7 @@ Accumulator ECCVMSetRelationImpl::compute_permutation_denominator(const AllE /** * @brief First term: tuple of (pc, round, wnaf_slice), used to determine which points we extract from lookup tables * when evaluaing MSMs in ECCVMMsmRelation. - * These values must be equivalent to the values computed in the 1st term of `compute_permutation_numerator` + * These values must be equivalent to the values computed in the 1st term of `compute_grand_product_numerator` */ Accumulator denominator(1); // degree-0 { @@ -283,7 +283,7 @@ Accumulator ECCVMSetRelationImpl::compute_permutation_denominator(const AllE * @brief Second term: tuple of (transcript_pc, transcript_Px, transcript_Py, z1) OR (transcript_pc, \lambda * * transcript_Px, -transcript_Py, z2) for each scalar multiplication in ECCVMTranscriptRelation columns. (the latter * term uses the curve endomorphism: \lambda = cube root of unity). These values must be equivalent to the second - * term values in `compute_permutation_numerator` + * term values in `compute_grand_product_numerator` */ { const auto& transcript_pc = View(in.transcript_pc); @@ -373,10 +373,10 @@ void ECCVMSetRelationImpl::accumulate(ContainerOverSubrelations& accumulator using View = typename Accumulator::View; // degree-11 - Accumulator numerator_evaluation = compute_permutation_numerator(in, params); + Accumulator numerator_evaluation = compute_grand_product_numerator(in, params); // degree-17 - Accumulator denominator_evaluation = compute_permutation_denominator(in, params); + Accumulator denominator_evaluation = compute_grand_product_denominator(in, params); const auto& lagrange_first = View(in.lagrange_first); const auto& lagrange_last = View(in.lagrange_last); diff --git a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_set_relation.hpp b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_set_relation.hpp index 41043a881342..44fd632dee9a 100644 --- a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_set_relation.hpp +++ b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_set_relation.hpp @@ -32,10 +32,10 @@ template class ECCVMSetRelationImpl { inline static auto& get_shifted_grand_product_polynomial(auto& input) { return input.z_perm_shift; } template - static Accumulator compute_permutation_numerator(const AllEntities& in, const Parameters& params); + static Accumulator compute_grand_product_numerator(const AllEntities& in, const Parameters& params); template - static Accumulator compute_permutation_denominator(const AllEntities& in, const Parameters& params); + static Accumulator compute_grand_product_denominator(const AllEntities& in, const Parameters& params); template static void accumulate(ContainerOverSubrelations& accumulator, diff --git a/barretenberg/cpp/src/barretenberg/stdlib/honk_recursion/verifier/protogalaxy_recursive_verifier.test.cpp b/barretenberg/cpp/src/barretenberg/stdlib/honk_recursion/verifier/protogalaxy_recursive_verifier.test.cpp index 22c9b7f29f4a..ebe037413566 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/honk_recursion/verifier/protogalaxy_recursive_verifier.test.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/honk_recursion/verifier/protogalaxy_recursive_verifier.test.cpp @@ -346,7 +346,7 @@ template class ProtoGalaxyRecursiveTests : public tes auto verification_key = std::make_shared(prover_inst->proving_key); auto verifier_inst = std::make_shared(verification_key); - prover_accumulator->prover_polynomials.w_l[1] = FF::random_element(); + prover_accumulator->proving_key.polynomials.w_l[1] = FF::random_element(); // Generate a folding proof with the incorrect polynomials which would result in the prover having the wrong // target sum diff --git a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/goblin_ultra_flavor.hpp b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/goblin_ultra_flavor.hpp index 993160fb26b1..49b0e6791699 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/goblin_ultra_flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/goblin_ultra_flavor.hpp @@ -240,6 +240,10 @@ class GoblinUltraFlavor { DEFINE_COMPOUND_GET_ALL(PrecomputedEntities, WitnessEntities, ShiftedEntities) auto get_wires() { return RefArray{ this->w_l, this->w_r, this->w_o, this->w_4 }; }; + auto get_selectors() { return PrecomputedEntities::get_selectors(); } + auto get_sigmas() { return RefArray{ this->sigma_1, this->sigma_2, this->sigma_3, this->sigma_4 }; }; + auto get_ids() { return RefArray{ this->id_1, this->id_2, this->id_3, this->id_4 }; }; + auto get_tables() { return RefArray{ this->table_1, this->table_2, this->table_3, this->table_4 }; }; auto get_ecc_op_wires() { return RefArray{ this->ecc_op_wire_1, this->ecc_op_wire_2, this->ecc_op_wire_3, this->ecc_op_wire_4 }; @@ -260,28 +264,71 @@ class GoblinUltraFlavor { auto get_shifted() { return ShiftedEntities::get_all(); }; }; + /** + * @brief A field element for each entity of the flavor. These entities represent the prover polynomials evaluated + * at one point. + */ + class AllValues : public AllEntities { + public: + using Base = AllEntities; + using Base::Base; + }; + + /** + * @brief A container for the prover polynomials handles. + */ + class ProverPolynomials : public AllEntities { + public: + // Define all operations as default, except copy construction/assignment + ProverPolynomials() = default; + ProverPolynomials(size_t circuit_size) + { // Initialize all unshifted polynomials to the zero polynomial and initialize the shifted polys + for (auto& poly : get_unshifted()) { + poly = Polynomial{ circuit_size }; + } + set_shifted(); + } + ProverPolynomials& operator=(const ProverPolynomials&) = delete; + ProverPolynomials(const ProverPolynomials& o) = delete; + ProverPolynomials(ProverPolynomials&& o) noexcept = default; + ProverPolynomials& operator=(ProverPolynomials&& o) noexcept = default; + ~ProverPolynomials() = default; + [[nodiscard]] size_t get_polynomial_size() const { return q_c.size(); } + [[nodiscard]] AllValues get_row(size_t row_idx) const + { + AllValues result; + for (auto [result_field, polynomial] : zip_view(result.get_all(), this->get_all())) { + result_field = polynomial[row_idx]; + } + return result; + } + + void set_shifted() + { + for (auto [shifted, to_be_shifted] : zip_view(get_shifted(), get_to_be_shifted())) { + shifted = to_be_shifted.shifted(); + } + } + }; + /** * @brief The proving key is responsible for storing the polynomials used by the prover. - * @note TODO(Cody): Maybe multiple inheritance is the right thing here. In that case, nothing should eve inherit - * from ProvingKey. + * */ - class ProvingKey : public ProvingKey_, WitnessEntities, CommitmentKey> { + class ProvingKey : public ProvingKey_ { public: // Expose constructors on the base class - using Base = ProvingKey_, WitnessEntities, CommitmentKey>; + using Base = ProvingKey_; using Base::Base; + ProvingKey(const size_t circuit_size, const size_t num_public_inputs) + : Base(circuit_size, num_public_inputs) + , polynomials(circuit_size){}; + std::vector memory_read_records; std::vector memory_write_records; std::array sorted_polynomials; - - auto get_to_be_shifted() - { - return RefArray{ this->table_1, this->table_2, this->table_3, this->table_4, this->w_l, this->w_r, - this->w_o, this->w_4, this->sorted_accum, this->z_perm, this->z_lookup }; - }; - // The plookup wires that store plookup read data. - auto get_table_column_wires() { return RefArray{ w_l, w_r, w_o }; }; + ProverPolynomials polynomials; // storage for all polynomials evaluated by the prover void compute_sorted_accumulator_polynomials(const FF& eta, const FF& eta_two, const FF& eta_three) { @@ -306,7 +353,7 @@ class GoblinUltraFlavor { void compute_sorted_list_accumulator(const FF& eta, const FF& eta_two, const FF& eta_three) { - auto sorted_list_accumulator = Polynomial{ this->circuit_size }; + auto& sorted_list_accumulator = polynomials.sorted_accum; // Construct s via Horner, i.e. s = s_1 + η(s_2 + η(s_3 + η*s_4)) for (size_t i = 0; i < this->circuit_size; ++i) { @@ -316,7 +363,6 @@ class GoblinUltraFlavor { T0 += sorted_polynomials[0][i]; sorted_list_accumulator[i] = T0; } - sorted_accum = sorted_list_accumulator.share(); } /** @@ -333,7 +379,7 @@ class GoblinUltraFlavor { // The plookup memory record values are computed at the indicated indices as // w4 = w3 * eta^3 + w2 * eta^2 + w1 * eta + read_write_flag; // (See plookup_auxiliary_widget.hpp for details) - auto wires = get_wires(); + auto wires = polynomials.get_wires(); // Compute read record values for (const auto& gate_idx : memory_read_records) { @@ -360,17 +406,13 @@ class GoblinUltraFlavor { */ void compute_logderivative_inverse(const RelationParameters& relation_parameters) { - auto prover_polynomials = ProverPolynomials(*this); - // Compute inverses for calldata reads DatabusLookupRelation::compute_logderivative_inverse( - prover_polynomials, relation_parameters, this->circuit_size); - this->calldata_inverses = prover_polynomials.calldata_inverses; + this->polynomials, relation_parameters, this->circuit_size); // Compute inverses for return data reads DatabusLookupRelation::compute_logderivative_inverse( - prover_polynomials, relation_parameters, this->circuit_size); - this->return_data_inverses = prover_polynomials.return_data_inverses; + this->polynomials, relation_parameters, this->circuit_size); } /** @@ -391,10 +433,7 @@ class GoblinUltraFlavor { relation_parameters.lookup_grand_product_delta = lookup_grand_product_delta; // Compute permutation and lookup grand product polynomials - auto prover_polynomials = ProverPolynomials(*this); - compute_grand_products(*this, prover_polynomials, relation_parameters); - this->z_perm = prover_polynomials.z_perm; - this->z_lookup = prover_polynomials.z_lookup; + compute_grand_products(this->polynomials, relation_parameters); } }; @@ -423,7 +462,7 @@ class GoblinUltraFlavor { this->num_public_inputs = proving_key.num_public_inputs; this->pub_inputs_offset = proving_key.pub_inputs_offset; - for (auto [polynomial, commitment] : zip_view(proving_key.get_precomputed_polynomials(), this->get_all())) { + for (auto [polynomial, commitment] : zip_view(proving_key.polynomials.get_precomputed(), this->get_all())) { commitment = proving_key.commitment_key->commit(polynomial); } } @@ -558,51 +597,6 @@ class GoblinUltraFlavor { */ using ExtendedEdges = ProverUnivariates; - /** - * @brief A field element for each entity of the flavor. These entities represent the prover polynomials evaluated - * at one point. - */ - class AllValues : public AllEntities { - public: - using Base = AllEntities; - using Base::Base; - }; - - /** - * @brief A container for the prover polynomials handles. - */ - class ProverPolynomials : public AllEntities { - public: - // TODO(https://github.com/AztecProtocol/barretenberg/issues/925), proving_key could be const ref - ProverPolynomials(ProvingKey& proving_key) - { - for (auto [prover_poly, key_poly] : zip_view(this->get_unshifted(), proving_key.get_all())) { - ASSERT(flavor_get_label(*this, prover_poly) == flavor_get_label(proving_key, key_poly)); - prover_poly = key_poly.share(); - } - for (auto [prover_poly, key_poly] : zip_view(this->get_shifted(), proving_key.get_to_be_shifted())) { - ASSERT(flavor_get_label(*this, prover_poly) == (flavor_get_label(proving_key, key_poly) + "_shift")); - prover_poly = key_poly.shifted(); - } - } - // Define all operations as default, except copy construction/assignment - ProverPolynomials() = default; - ProverPolynomials& operator=(const ProverPolynomials&) = delete; - ProverPolynomials(const ProverPolynomials& o) = delete; - ProverPolynomials(ProverPolynomials&& o) noexcept = default; - ProverPolynomials& operator=(ProverPolynomials&& o) noexcept = default; - ~ProverPolynomials() = default; - [[nodiscard]] size_t get_polynomial_size() const { return q_c.size(); } - [[nodiscard]] AllValues get_row(size_t row_idx) const - { - AllValues result; - for (auto [result_field, polynomial] : zip_view(result.get_all(), this->get_all())) { - result_field = polynomial[row_idx]; - } - return result; - } - }; - /** * @brief A container for the witness commitments. */ diff --git a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/grand_product_library.test.cpp b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/grand_product_library.test.cpp index 7a2ef577349b..9ab7c789f67b 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/grand_product_library.test.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/grand_product_library.test.cpp @@ -47,33 +47,15 @@ template class GrandProductTests : public testing::Test { */ template static void test_permutation_grand_product_construction() { - // Define some mock inputs for proving key constructor - static const size_t num_gates = 8; - static const size_t num_public_inputs = 0; - - // Instatiate a proving_key and make a pointer to it. This will be used to instantiate a Prover. - auto proving_key = std::make_shared(num_gates, num_public_inputs); - - // static const size_t program_width = StandardProver::settings_::program_width; - - // Construct mock wire and permutation polynomials. - // Note: for the purpose of checking the consistency between two methods of computing z_perm, these polynomials - // can simply be random. We're not interested in the particular properties of the result. - std::vector wires; - std::vector sigmas; - std::vector ids; - - auto wire_polynomials = proving_key->get_wires(); - auto sigma_polynomials = proving_key->get_sigma_polynomials(); - auto id_polynomials = proving_key->get_id_polynomials(); - for (size_t i = 0; i < Flavor::NUM_WIRES; ++i) { - wires.emplace_back(get_random_polynomial(num_gates)); - sigmas.emplace_back(get_random_polynomial(num_gates)); - ids.emplace_back(get_random_polynomial(num_gates)); - - populate_span(wire_polynomials[i], wires[i]); - populate_span(sigma_polynomials[i], sigmas[i]); - populate_span(id_polynomials[i], ids[i]); + using ProverPolynomials = typename Flavor::ProverPolynomials; + + // Set a mock circuit size + static const size_t circuit_size = 8; + + // Construct a ProverPolynomials object with completely random polynomials + ProverPolynomials prover_polynomials; + for (auto& poly : prover_polynomials.get_all()) { + poly = get_random_polynomial(circuit_size); } // Get random challenges @@ -88,12 +70,6 @@ template class GrandProductTests : public testing::Test { .lookup_grand_product_delta = 1, }; - typename Flavor::ProverPolynomials prover_polynomials; - for (auto [prover_poly, key_poly] : zip_view(prover_polynomials.get_unshifted(), proving_key->get_all())) { - ASSERT(flavor_get_label(prover_polynomials, prover_poly) == flavor_get_label(*proving_key, key_poly)); - prover_poly = key_poly.share(); - } - // Method 1: Compute z_perm using 'compute_grand_product_polynomial' as the prover would in practice constexpr size_t PERMUTATION_RELATION_INDEX = 0; using LHS = @@ -101,7 +77,7 @@ template class GrandProductTests : public testing::Test { ASSERT(Flavor::NUM_WIRES == 4); using RHS = typename bb::UltraPermutationRelation; static_assert(std::same_as); - compute_grand_product(proving_key->circuit_size, prover_polynomials, params); + compute_grand_product(prover_polynomials, params); // Method 2: Compute z_perm locally using the simplest non-optimized syntax possible. The comment below, // which describes the computation in 4 steps, is adapted from a similar comment in @@ -129,11 +105,14 @@ template class GrandProductTests : public testing::Test { */ // Make scratch space for the numerator and denominator accumulators. - std::array, Flavor::NUM_WIRES> numerator_accum; - std::array, Flavor::NUM_WIRES> denominator_accum; + std::array, Flavor::NUM_WIRES> numerator_accum; + std::array, Flavor::NUM_WIRES> denominator_accum; + auto wires = prover_polynomials.get_wires(); + auto sigmas = prover_polynomials.get_sigmas(); + auto ids = prover_polynomials.get_ids(); // Step (1) - for (size_t i = 0; i < proving_key->circuit_size; ++i) { + for (size_t i = 0; i < circuit_size; ++i) { for (size_t k = 0; k < Flavor::NUM_WIRES; ++k) { numerator_accum[k][i] = wires[k][i] + (ids[k][i] * beta) + gamma; // w_k(i) + β.id_k(i) + γ denominator_accum[k][i] = wires[k][i] + (sigmas[k][i] * beta) + gamma; // w_k(i) + β.σ_k(i) + γ @@ -142,14 +121,14 @@ template class GrandProductTests : public testing::Test { // Step (2) for (size_t k = 0; k < Flavor::NUM_WIRES; ++k) { - for (size_t i = 0; i < proving_key->circuit_size - 1; ++i) { + for (size_t i = 0; i < circuit_size - 1; ++i) { numerator_accum[k][i + 1] *= numerator_accum[k][i]; denominator_accum[k][i + 1] *= denominator_accum[k][i]; } } // Step (3) - for (size_t i = 0; i < proving_key->circuit_size; ++i) { + for (size_t i = 0; i < circuit_size; ++i) { for (size_t k = 1; k < Flavor::NUM_WIRES; ++k) { numerator_accum[0][i] *= numerator_accum[k][i]; denominator_accum[0][i] *= denominator_accum[k][i]; @@ -157,15 +136,15 @@ template class GrandProductTests : public testing::Test { } // Step (4) - Polynomial z_permutation_expected(proving_key->circuit_size); + Polynomial z_permutation_expected(circuit_size); z_permutation_expected[0] = FF::zero(); // Z_0 = 1 // Note: in practice, we replace this expensive element-wise division with Montgomery batch inversion - for (size_t i = 0; i < proving_key->circuit_size - 1; ++i) { + for (size_t i = 0; i < circuit_size - 1; ++i) { z_permutation_expected[i + 1] = numerator_accum[0][i] / denominator_accum[0][i]; } // Check consistency between locally computed z_perm and the one computed by the prover library - EXPECT_EQ(proving_key->z_perm, z_permutation_expected); + EXPECT_EQ(prover_polynomials.z_perm, z_permutation_expected); }; /** @@ -178,51 +157,19 @@ template class GrandProductTests : public testing::Test { */ static void test_lookup_grand_product_construction() { - // Define some mock inputs for proving key constructor - static const size_t circuit_size = 8; - static const size_t num_public_inputs = 0; - - // Instatiate a proving_key and make a pointer to it. This will be used to instantiate a Prover. using Flavor = UltraFlavor; - auto proving_key = std::make_shared(circuit_size, num_public_inputs); - - // Construct mock wire and permutation polynomials. - // Note: for the purpose of checking the consistency between two methods of computing z_lookup, these - // polynomials can simply be random. We're not interested in the particular properties of the result. - std::vector wires; - auto wire_polynomials = proving_key->get_wires(); - // Note(luke): Use of 3 wires is fundamental to the structure of the tables and should not be tied to NUM_WIRES - // for now - for (size_t i = 0; i < 3; ++i) { // TODO(Cody): will this test ever generalize? - Polynomial random_polynomial = get_random_polynomial(circuit_size); - random_polynomial[0] = 0; // when computing shifts, 1st element needs to be 0 - wires.emplace_back(random_polynomial); - populate_span(wire_polynomials[i], random_polynomial); - } + using ProverPolynomials = typename Flavor::ProverPolynomials; - std::vector tables; - auto table_polynomials = proving_key->get_table_polynomials(); - for (auto& table_polynomial : table_polynomials) { - Polynomial random_polynomial = get_random_polynomial(circuit_size); - random_polynomial[0] = 0; // when computing shifts, 1st element needs to be 0 - tables.emplace_back(random_polynomial); - populate_span(table_polynomial, random_polynomial); - } + // Set a mock circuit size + static const size_t circuit_size = 8; - auto sorted_batched = get_random_polynomial(circuit_size); - sorted_batched[0] = 0; // when computing shifts, 1st element needs to be 0 - auto column_1_step_size = get_random_polynomial(circuit_size); - auto column_2_step_size = get_random_polynomial(circuit_size); - auto column_3_step_size = get_random_polynomial(circuit_size); - auto lookup_index_selector = get_random_polynomial(circuit_size); - auto lookup_selector = get_random_polynomial(circuit_size); - - proving_key->sorted_accum = sorted_batched.share(); - populate_span(proving_key->q_r, column_1_step_size); - populate_span(proving_key->q_m, column_2_step_size); - populate_span(proving_key->q_c, column_3_step_size); - populate_span(proving_key->q_o, lookup_index_selector); - populate_span(proving_key->q_lookup, lookup_selector); + // Construct a ProverPolynomials object with completely random polynomials + ProverPolynomials prover_polynomials; + for (auto& poly : prover_polynomials.get_unshifted()) { + poly = get_random_polynomial(circuit_size); + poly[0] = 0; // for shiftability + } + prover_polynomials.set_shifted(); // Get random challenges auto beta = FF::random_element(); @@ -241,28 +188,12 @@ template class GrandProductTests : public testing::Test { .lookup_grand_product_delta = 1, }; - typename Flavor::ProverPolynomials prover_polynomials; - for (auto [prover_poly, key_poly] : zip_view(prover_polynomials.get_unshifted(), proving_key->get_all())) { - ASSERT(flavor_get_label(prover_polynomials, prover_poly) == flavor_get_label(*proving_key, key_poly)); - prover_poly = key_poly.share(); - } - for (auto [prover_poly, key_poly] : - zip_view(prover_polynomials.get_shifted(), proving_key->get_to_be_shifted())) { - ASSERT(flavor_get_label(prover_polynomials, prover_poly) == - flavor_get_label(*proving_key, key_poly) + "_shift"); - prover_poly = key_poly.shifted(); - } - // Test a few assignments - EXPECT_EQ(&proving_key->z_lookup[0], &prover_polynomials.z_lookup[0]); - EXPECT_EQ(&proving_key->sigma_1[0], &prover_polynomials.sigma_1[0]); - EXPECT_EQ(&proving_key->lagrange_last[0], &prover_polynomials.lagrange_last[0]); - // Method 1: Compute z_lookup using the prover library method constexpr size_t LOOKUP_RELATION_INDEX = 1; using LHS = typename std::tuple_element::type; using RHS = LookupRelation; static_assert(std::same_as); - compute_grand_product(proving_key->circuit_size, prover_polynomials, params); + compute_grand_product(prover_polynomials, params); // Method 2: Compute the lookup grand product polynomial Z_lookup: // @@ -279,6 +210,15 @@ template class GrandProductTests : public testing::Test { // Step (1) + auto wires = prover_polynomials.get_wires(); + auto tables = prover_polynomials.get_tables(); + auto sorted_batched = prover_polynomials.sorted_accum; + auto column_1_step_size = prover_polynomials.q_r; + auto column_2_step_size = prover_polynomials.q_m; + auto column_3_step_size = prover_polynomials.q_c; + auto lookup_index_selector = prover_polynomials.q_o; + auto lookup_selector = prover_polynomials.q_lookup; + // Note: block_mask is used for efficient modulus, i.e. i % N := i & (N-1), for N = 2^k const size_t block_mask = circuit_size - 1; // Initialize 't(X)' to be used in an expression of the form t(X) + β*t(Xω) @@ -332,7 +272,7 @@ template class GrandProductTests : public testing::Test { z_lookup_expected[i + 1] = accumulators[0][i] / accumulators[3][i]; } - EXPECT_EQ(proving_key->z_lookup, z_lookup_expected); + EXPECT_EQ(prover_polynomials.z_lookup, z_lookup_expected); }; }; diff --git a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/permutation_lib.test.cpp b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/permutation_lib.test.cpp index a47fdc8cbc71..18eddd125e2f 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/permutation_lib.test.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/permutation_lib.test.cpp @@ -76,7 +76,7 @@ TEST_F(PermutationHelperTests, ComputeHonkStyleSigmaLagrangePolynomialsFromMappi auto mapping = compute_permutation_mapping(circuit_constructor, proving_key.get(), {}); compute_honk_style_permutation_lagrange_polynomials_from_mapping( - proving_key->get_sigma_polynomials(), mapping.sigmas, proving_key.get()); + proving_key->polynomials.get_sigmas(), mapping.sigmas, proving_key.get()); } TEST_F(PermutationHelperTests, ComputeStandardAuxPolynomials) diff --git a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_flavor.hpp b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_flavor.hpp index 8c8624b5ae23..1ceed0af6fbc 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_flavor.hpp @@ -230,6 +230,13 @@ class UltraFlavor { z_lookup_shift) // column 42 auto get_wires() { return RefArray{ w_l, w_r, w_o, w_4 }; }; + auto get_selectors() + { + return RefArray{ q_m, q_c, q_l, q_r, q_o, q_4, q_arith, q_delta_range, q_elliptic, q_aux, q_lookup }; + } + auto get_sigmas() { return RefArray{ sigma_1, sigma_2, sigma_3, sigma_4 }; }; + auto get_ids() { return RefArray{ id_1, id_2, id_3, id_4 }; }; + auto get_tables() { return RefArray{ table_1, table_2, table_3, table_4 }; }; // Gemini-specific getters. auto get_unshifted() { @@ -264,28 +271,72 @@ class UltraFlavor { }; public: + /** + * @brief A field element for each entity of the flavor. These entities represent the prover polynomials + * evaluated at one point. + */ + class AllValues : public AllEntities { + public: + using Base = AllEntities; + using Base::Base; + }; + + /** + * @brief A container for polynomials handles. + */ + // TODO(https://github.com/AztecProtocol/barretenberg/issues/966): use inheritance + class ProverPolynomials : public AllEntities { + public: + // Define all operations as default, except copy construction/assignment + ProverPolynomials() = default; + ProverPolynomials(size_t circuit_size) + { // Initialize all unshifted polynomials to the zero polynomial and initialize the shifted polys + for (auto& poly : get_unshifted()) { + poly = Polynomial{ circuit_size }; + } + set_shifted(); + } + ProverPolynomials& operator=(const ProverPolynomials&) = delete; + ProverPolynomials(const ProverPolynomials& o) = delete; + ProverPolynomials(ProverPolynomials&& o) noexcept = default; + ProverPolynomials& operator=(ProverPolynomials&& o) noexcept = default; + ~ProverPolynomials() = default; + [[nodiscard]] size_t get_polynomial_size() const { return q_c.size(); } + [[nodiscard]] AllValues get_row(const size_t row_idx) const + { + AllValues result; + for (auto [result_field, polynomial] : zip_view(result.get_all(), get_all())) { + result_field = polynomial[row_idx]; + } + return result; + } + + // Set all shifted polynomials based on their to-be-shifted counterpart + void set_shifted() + { + for (auto [shifted, to_be_shifted] : zip_view(get_shifted(), get_to_be_shifted())) { + shifted = to_be_shifted.shifted(); + } + } + }; /** * @brief The proving key is responsible for storing the polynomials used by the prover. - * @note TODO(Cody): Maybe multiple inheritance is the right thing here. In that case, nothing should eve inherit - * from ProvingKey. + * */ - class ProvingKey : public ProvingKey_, WitnessEntities, CommitmentKey> { + class ProvingKey : public ProvingKey_ { public: // Expose constructors on the base class - using Base = ProvingKey_, WitnessEntities, CommitmentKey>; + using Base = ProvingKey_; using Base::Base; + ProvingKey(const size_t circuit_size, const size_t num_public_inputs) + : Base(circuit_size, num_public_inputs) + , polynomials(circuit_size){}; + std::vector memory_read_records; std::vector memory_write_records; std::array sorted_polynomials; - - auto get_to_be_shifted() - { - return RefArray{ this->table_1, this->table_2, this->table_3, this->table_4, this->w_l, this->w_r, - this->w_o, this->w_4, this->sorted_accum, this->z_perm, this->z_lookup }; - }; - // The plookup wires that store plookup read data. - auto get_table_column_wires() { return RefArray{ w_l, w_r, w_o }; }; + ProverPolynomials polynomials; // storage for all polynomials evaluated by the prover void compute_sorted_accumulator_polynomials(const FF& eta, const FF& eta_two, const FF& eta_three) { @@ -309,7 +360,7 @@ class UltraFlavor { */ void compute_sorted_list_accumulator(const FF& eta, const FF& eta_two, const FF& eta_three) { - auto sorted_list_accumulator = Polynomial{ this->circuit_size }; + auto& sorted_list_accumulator = polynomials.sorted_accum; // Construct s via Horner, i.e. s = s_1 + η(s_2 + η(s_3 + η*s_4)) for (size_t i = 0; i < this->circuit_size; ++i) { @@ -319,7 +370,6 @@ class UltraFlavor { T0 += sorted_polynomials[0][i]; sorted_list_accumulator[i] = T0; } - sorted_accum = sorted_list_accumulator.share(); } /** @@ -336,7 +386,7 @@ class UltraFlavor { // The plookup memory record values are computed at the indicated indices as // w4 = w3 * eta^3 + w2 * eta^2 + w1 * eta + read_write_flag; // (See plookup_auxiliary_widget.hpp for details) - auto wires = get_wires(); + auto wires = polynomials.get_wires(); // Compute read record values for (const auto& gate_idx : memory_read_records) { @@ -372,10 +422,7 @@ class UltraFlavor { relation_parameters.lookup_grand_product_delta = lookup_grand_product_delta; // Compute permutation and lookup grand product polynomials - auto prover_polynomials = ProverPolynomials(*this); - compute_grand_products(*this, prover_polynomials, relation_parameters); - this->z_perm = prover_polynomials.z_perm; - this->z_lookup = prover_polynomials.z_lookup; + compute_grand_products(this->polynomials, relation_parameters); } }; @@ -402,7 +449,7 @@ class UltraFlavor { this->num_public_inputs = proving_key.num_public_inputs; this->pub_inputs_offset = proving_key.pub_inputs_offset; - for (auto [polynomial, commitment] : zip_view(proving_key.get_precomputed_polynomials(), this->get_all())) { + for (auto [polynomial, commitment] : zip_view(proving_key.polynomials.get_precomputed(), this->get_all())) { commitment = proving_key.commitment_key->commit(polynomial); } } @@ -495,49 +542,6 @@ class UltraFlavor { lagrange_first, lagrange_last); }; - /** - * @brief A field element for each entity of the flavor. These entities represent the prover polynomials - * evaluated at one point. - */ - class AllValues : public AllEntities { - public: - using Base = AllEntities; - using Base::Base; - }; - - /** - * @brief A container for polynomials handles. - */ - class ProverPolynomials : public AllEntities { - public: - ProverPolynomials(ProvingKey& proving_key) - { - for (auto [prover_poly, key_poly] : zip_view(this->get_unshifted(), proving_key.get_all())) { - ASSERT(flavor_get_label(*this, prover_poly) == flavor_get_label(proving_key, key_poly)); - prover_poly = key_poly.share(); - } - for (auto [prover_poly, key_poly] : zip_view(this->get_shifted(), proving_key.get_to_be_shifted())) { - ASSERT(flavor_get_label(*this, prover_poly) == (flavor_get_label(proving_key, key_poly) + "_shift")); - prover_poly = key_poly.shifted(); - } - } - // Define all operations as default, except copy construction/assignment - ProverPolynomials() = default; - ProverPolynomials& operator=(const ProverPolynomials&) = delete; - ProverPolynomials(const ProverPolynomials& o) = delete; - ProverPolynomials(ProverPolynomials&& o) noexcept = default; - ProverPolynomials& operator=(ProverPolynomials&& o) noexcept = default; - ~ProverPolynomials() = default; - [[nodiscard]] size_t get_polynomial_size() const { return q_c.size(); } - [[nodiscard]] AllValues get_row(const size_t row_idx) const - { - AllValues result; - for (auto [result_field, polynomial] : zip_view(result.get_all(), get_all())) { - result_field = polynomial[row_idx]; - } - return result; - } - }; /** * @brief A container for storing the partially evaluated multivariates produced by sumcheck. diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/instance/instances.hpp b/barretenberg/cpp/src/barretenberg/sumcheck/instance/instances.hpp index dcfc88830983..50e1848a0a4d 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/instance/instances.hpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/instance/instances.hpp @@ -76,9 +76,9 @@ template struct ProverInstances_ { auto get_polynomials_views() const { // As a practical measure, get the first instance's view to deduce the array type - std::arrayprover_polynomials.get_all()), NUM> views; + std::arrayproving_key.polynomials.get_all()), NUM> views; for (size_t i = 0; i < NUM; i++) { - views[i] = _data[i]->prover_polynomials.get_all(); + views[i] = _data[i]->proving_key.polynomials.get_all(); } return views; } diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.cpp b/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.cpp index 6be3a9f42d47..3b42eab9d0fb 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.cpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.cpp @@ -41,10 +41,10 @@ template void ProverInstance_::construct_databus_polynomials(Circuit& circuit) requires IsGoblinFlavor { - Polynomial public_calldata{ dyadic_circuit_size }; - Polynomial calldata_read_counts{ dyadic_circuit_size }; - Polynomial public_return_data{ dyadic_circuit_size }; - Polynomial return_data_read_counts{ dyadic_circuit_size }; + auto& public_calldata = proving_key.polynomials.calldata; + auto& calldata_read_counts = proving_key.polynomials.calldata_read_counts; + auto& public_return_data = proving_key.polynomials.return_data; + auto& return_data_read_counts = proving_key.polynomials.return_data_read_counts; auto calldata = circuit.get_calldata(); auto return_data = circuit.get_return_data(); @@ -59,27 +59,11 @@ void ProverInstance_::construct_databus_polynomials(Circuit& circuit) return_data_read_counts[idx] = return_data.get_read_count(idx); } - Polynomial databus_id{ dyadic_circuit_size }; + auto& databus_id = proving_key.polynomials.databus_id; // Compute a simple identity polynomial for use in the databus lookup argument for (size_t i = 0; i < databus_id.size(); ++i) { databus_id[i] = i; } - - proving_key.calldata = public_calldata.share(); - proving_key.calldata_read_counts = calldata_read_counts.share(); - proving_key.return_data = public_return_data.share(); - proving_key.return_data_read_counts = return_data_read_counts.share(); - proving_key.databus_id = databus_id.share(); -} - -template -void ProverInstance_::construct_table_polynomials(Circuit& circuit, size_t dyadic_circuit_size) -{ - auto table_polynomials = construct_lookup_table_polynomials(circuit, dyadic_circuit_size); - proving_key.table_1 = table_polynomials[0].share(); - proving_key.table_2 = table_polynomials[1].share(); - proving_key.table_3 = table_polynomials[2].share(); - proving_key.table_4 = table_polynomials[3].share(); } template class ProverInstance_; diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.hpp b/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.hpp index 60c055f6125a..48b5c8e4ff3d 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.hpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.hpp @@ -31,7 +31,6 @@ template class ProverInstance_ { public: ProvingKey proving_key; - ProverPolynomials prover_polynomials; RelationSeparator alphas; bb::RelationParameters relation_parameters; @@ -67,7 +66,7 @@ template class ProverInstance_ { dyadic_circuit_size = compute_dyadic_size(circuit); } - proving_key = std::move(ProvingKey(dyadic_circuit_size, circuit.public_inputs.size())); + proving_key = ProvingKey(dyadic_circuit_size, circuit.public_inputs.size()); // Construct and add to proving key the wire, selector and copy constraint polynomials Trace::populate(circuit, proving_key, is_structured); @@ -78,16 +77,14 @@ template class ProverInstance_ { } // First and last lagrange polynomials (in the full circuit size) - const auto [lagrange_first, lagrange_last] = - compute_first_and_last_lagrange_polynomials(dyadic_circuit_size); - proving_key.lagrange_first = lagrange_first; - proving_key.lagrange_last = lagrange_last; + proving_key.polynomials.lagrange_first[0] = 1; + proving_key.polynomials.lagrange_last[dyadic_circuit_size - 1] = 1; - construct_table_polynomials(circuit, dyadic_circuit_size); + construct_lookup_table_polynomials(proving_key.polynomials.get_tables(), circuit, dyadic_circuit_size); proving_key.sorted_polynomials = construct_sorted_list_polynomials(circuit, dyadic_circuit_size); - std::span public_wires_source = proving_key.w_r; + std::span public_wires_source = proving_key.polynomials.w_r; // Construct the public inputs array for (size_t i = 0; i < proving_key.num_public_inputs; ++i) { @@ -99,9 +96,6 @@ template class ProverInstance_ { ProverInstance_() = default; ~ProverInstance_() = default; - void compute_databus_id() - requires IsGoblinFlavor; - private: static constexpr size_t num_zero_rows = Flavor::has_zero_row ? 1 : 0; static constexpr size_t NUM_WIRES = Circuit::NUM_WIRES; @@ -122,8 +116,6 @@ template class ProverInstance_ { void construct_databus_polynomials(Circuit&) requires IsGoblinFlavor; - - void construct_table_polynomials(Circuit&, size_t); }; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.test.cpp b/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.test.cpp index 55834fac7b33..98a1f836f2ba 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.test.cpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.test.cpp @@ -66,7 +66,7 @@ template class InstanceTests : public testing::Test { // Method 1: computed sorted list accumulator polynomial using prover library method instance.proving_key.compute_sorted_list_accumulator(eta, eta_two, eta_three); - auto sorted_list_accumulator = instance.proving_key.sorted_accum; + auto sorted_list_accumulator = instance.proving_key.polynomials.sorted_accum; // Compute s = s_1 + η*s_2 + η²*s_3 + η³*s_4 Polynomial sorted_list_accumulator_expected{ sorted_list_polynomials[0] }; diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp index bbf104425d6b..56a4fc3e9b16 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp @@ -71,8 +71,10 @@ template class SumcheckProver { */ SumcheckOutput prove(std::shared_ptr instance) { - return prove( - instance->prover_polynomials, instance->relation_parameters, instance->alphas, instance->gate_challenges); + return prove(instance->proving_key.polynomials, + instance->relation_parameters, + instance->alphas, + instance->gate_challenges); }; /** diff --git a/barretenberg/cpp/src/barretenberg/translator_vm/goblin_translator_flavor.hpp b/barretenberg/cpp/src/barretenberg/translator_vm/goblin_translator_flavor.hpp index 46eac85ce3ad..ff7cc5fffa8c 100644 --- a/barretenberg/cpp/src/barretenberg/translator_vm/goblin_translator_flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/translator_vm/goblin_translator_flavor.hpp @@ -131,24 +131,14 @@ class GoblinTranslatorFlavor { inline void compute_lagrange_polynomials(const CircuitBuilder& builder) { - const size_t circuit_size = compute_dyadic_circuit_size(builder); const size_t mini_circuit_dyadic_size = compute_mini_circuit_dyadic_size(builder); - Polynomial lagrange_polynomial_odd_in_minicircuit(circuit_size); - Polynomial lagrange_polynomial_even_in_minicircut(circuit_size); - Polynomial lagrange_polynomial_second(circuit_size); - Polynomial lagrange_polynomial_second_to_last_in_minicircuit(circuit_size); - for (size_t i = 1; i < mini_circuit_dyadic_size - 1; i += 2) { - lagrange_polynomial_odd_in_minicircuit[i] = 1; - lagrange_polynomial_even_in_minicircut[i + 1] = 1; + this->lagrange_odd_in_minicircuit[i] = 1; + this->lagrange_even_in_minicircuit[i + 1] = 1; } - this->lagrange_odd_in_minicircuit = lagrange_polynomial_odd_in_minicircuit.share(); - this->lagrange_even_in_minicircuit = lagrange_polynomial_even_in_minicircut.share(); - lagrange_polynomial_second[1] = 1; - lagrange_polynomial_second_to_last_in_minicircuit[mini_circuit_dyadic_size - 2] = 1; - this->lagrange_second_to_last_in_minicircuit = lagrange_polynomial_second_to_last_in_minicircuit.share(); - this->lagrange_second = lagrange_polynomial_second.share(); + this->lagrange_second[1] = 1; + this->lagrange_second_to_last_in_minicircuit[mini_circuit_dyadic_size - 2] = 1; } /** @@ -287,13 +277,22 @@ class GoblinTranslatorFlavor { relation_wide_limbs_range_constraint_0, // column 76 relation_wide_limbs_range_constraint_1, // column 77 relation_wide_limbs_range_constraint_2, // column 78 - relation_wide_limbs_range_constraint_3, // column 79 - ordered_range_constraints_0, // column 80 - ordered_range_constraints_1, // column 81 - ordered_range_constraints_2, // column 82 - ordered_range_constraints_3, // column 83 - ordered_range_constraints_4); // column 84 + relation_wide_limbs_range_constraint_3); // column 79 + }; + + // TODO(https://github.com/AztecProtocol/barretenberg/issues/907) + // Note: These are technically derived from wires but do not depend on challenges (like z_perm). They are committed + // to in the wires commitment round. + template class OrderedRangeConstraints { + public: + DEFINE_FLAVOR_MEMBERS(DataType, + ordered_range_constraints_0, // column 0 + ordered_range_constraints_1, // column 1 + ordered_range_constraints_2, // column 2 + ordered_range_constraints_3, // column 3 + ordered_range_constraints_4); // column 4 }; + template class WireNonshiftedEntities { public: DEFINE_FLAVOR_MEMBERS(DataType, @@ -311,26 +310,38 @@ class GoblinTranslatorFlavor { template class WitnessEntities : public WireNonshiftedEntities, public WireToBeShiftedEntities, + public OrderedRangeConstraints, public DerivedWitnessEntities, public ConcatenatedRangeConstraints { public: DEFINE_COMPOUND_GET_ALL(WireNonshiftedEntities, WireToBeShiftedEntities, + OrderedRangeConstraints, DerivedWitnessEntities, ConcatenatedRangeConstraints) + // Used when populating wire polynomials directly from circuit data auto get_wires() { return concatenate(WireNonshiftedEntities::get_all(), WireToBeShiftedEntities::get_all()); }; + // Used when computing commitments to wires + ordered range constraints during proof consrtuction + auto get_wires_and_ordered_range_constraints() + { + return concatenate(WireNonshiftedEntities::get_all(), + WireToBeShiftedEntities::get_all(), + OrderedRangeConstraints::get_all()); + }; + // everything but ConcatenatedRangeConstraints (used for ZeroMorph input since concatenated handled separately) // TODO(https://github.com/AztecProtocol/barretenberg/issues/810) auto get_unshifted_without_concatenated() { return concatenate(WireNonshiftedEntities::get_all(), WireToBeShiftedEntities::get_all(), + OrderedRangeConstraints::get_all(), DerivedWitnessEntities::get_all()); } @@ -338,6 +349,7 @@ class GoblinTranslatorFlavor { { return concatenate(WireNonshiftedEntities::get_all(), WireToBeShiftedEntities::get_all(), + OrderedRangeConstraints::get_all(), DerivedWitnessEntities::get_all(), ConcatenatedRangeConstraints::get_all()); } @@ -345,12 +357,14 @@ class GoblinTranslatorFlavor { { return concatenate(WireNonshiftedEntities::get_labels(), WireToBeShiftedEntities::get_labels(), + OrderedRangeConstraints::get_labels(), DerivedWitnessEntities::get_labels(), ConcatenatedRangeConstraints::get_labels()); } auto get_to_be_shifted() { return concatenate(WireToBeShiftedEntities::get_all(), + OrderedRangeConstraints::get_all(), DerivedWitnessEntities::get_all()); }; @@ -559,6 +573,9 @@ class GoblinTranslatorFlavor { {} DEFINE_COMPOUND_GET_ALL(PrecomputedEntities, WitnessEntities, ShiftedEntities) + + auto get_precomputed() { return PrecomputedEntities::get_all(); }; + /** * @brief Get the polynomials that are concatenated for the permutation relation * @@ -722,8 +739,8 @@ class GoblinTranslatorFlavor { // Next power of 2 const size_t mini_circuit_dyadic_size = builder.get_circuit_subgroup_size(total_num_gates); - // The actual circuit size is several times bigger than the trace in the builder, because we use - // concatenation to bring the degree of relations down, while extending the length. + // The actual circuit size is several times bigger than the trace in the builder, because we use concatenation + // to bring the degree of relations down, while extending the length. return mini_circuit_dyadic_size * CONCATENATION_GROUP_SIZE; } @@ -732,53 +749,89 @@ class GoblinTranslatorFlavor { return builder.get_circuit_subgroup_size(compute_total_num_gates(builder)); } + /** + * @brief A field element for each entity of the flavor. These entities represent the prover polynomials + * evaluated at one point. + */ + class AllValues : public AllEntities { + public: + using Base = AllEntities; + using Base::Base; + }; + /** + * @brief A container for the prover polynomials handles. + */ + class ProverPolynomials : public AllEntities { + public: + // Define all operations as default, except copy construction/assignment + ProverPolynomials() = default; + // Constructor to init all unshifted polys to the zero polynomial and set the shifted poly data + ProverPolynomials(size_t circuit_size) + { + for (auto& poly : get_unshifted()) { + poly = Polynomial{ circuit_size }; + } + set_shifted(); + } + ProverPolynomials& operator=(const ProverPolynomials&) = delete; + ProverPolynomials(const ProverPolynomials& o) = delete; + ProverPolynomials(ProverPolynomials&& o) noexcept = default; + ProverPolynomials& operator=(ProverPolynomials&& o) noexcept = default; + ~ProverPolynomials() = default; + [[nodiscard]] size_t get_polynomial_size() const { return this->op.size(); } + /** + * @brief Returns the evaluations of all prover polynomials at one point on the boolean + * hypercube, which represents one row in the execution trace. + */ + [[nodiscard]] AllValues get_row(size_t row_idx) const + { + AllValues result; + for (auto [result_field, polynomial] : zip_view(result.get_all(), this->get_all())) { + result_field = polynomial[row_idx]; + } + return result; + } + // Set all shifted polynomials based on their to-be-shifted counterpart + void set_shifted() + { + for (auto [shifted, to_be_shifted] : zip_view(get_shifted(), get_to_be_shifted())) { + shifted = to_be_shifted.shifted(); + } + } + }; + /** * @brief The proving key is responsible for storing the polynomials used by the prover. - * @note TODO(Cody): Maybe multiple inheritance is the right thing here. In that case, nothing should eve - * inherit from ProvingKey. + * */ - class ProvingKey : public ProvingKey_, WitnessEntities, CommitmentKey> { + class ProvingKey : public ProvingKey_ { public: BF batching_challenge_v = { 0 }; BF evaluation_input_x = { 0 }; + ProverPolynomials polynomials; // storage for all polynomials evaluated by the prover // Expose constructors on the base class - using Base = ProvingKey_, WitnessEntities, CommitmentKey>; + using Base = ProvingKey_; using Base::Base; ProvingKey() = default; ProvingKey(const CircuitBuilder& builder) - : ProvingKey_, WitnessEntities, CommitmentKey>( - compute_dyadic_circuit_size(builder), 0) + : Base(compute_dyadic_circuit_size(builder), 0) , batching_challenge_v(builder.batching_challenge_v) , evaluation_input_x(builder.evaluation_input_x) + , polynomials(this->circuit_size) { // First and last lagrange polynomials (in the full circuit size) - const auto [lagrange_first, lagrange_last] = - compute_first_and_last_lagrange_polynomials(compute_dyadic_circuit_size(builder)); - this->lagrange_first = lagrange_first; - this->lagrange_last = lagrange_last; + polynomials.lagrange_first[0] = 1; + polynomials.lagrange_last[circuit_size - 1] = 1; // Compute polynomials with odd and even indices set to 1 up to the minicircuit margin + lagrange // polynomials at second and second to last indices in the minicircuit - compute_lagrange_polynomials(builder); + polynomials.compute_lagrange_polynomials(builder); // Compute the numerator for the permutation argument with several repetitions of steps bridging 0 and - // maximum range constraint - compute_extra_range_constraint_numerator(); - } - - // TODO(https://github.com/AztecProtocol/barretenberg/issues/810): get around this by properly having - // concatenated range be a concept outside of witnessentities - std::vector get_labels() - { - return concatenate(PrecomputedEntities::get_labels(), - WitnessEntities::get_unshifted_labels()); - } - auto get_all() - { - return concatenate(PrecomputedEntities::get_all(), - WitnessEntities::get_unshifted()); + // maximum range constraint compute_extra_range_constraint_numerator(); + polynomials.compute_extra_range_constraint_numerator(); } }; @@ -807,46 +860,11 @@ class GoblinTranslatorFlavor { this->pub_inputs_offset = proving_key->pub_inputs_offset; for (auto [polynomial, commitment] : - zip_view(proving_key->get_precomputed_polynomials(), this->get_all())) { + zip_view(proving_key->polynomials.get_precomputed(), this->get_all())) { commitment = proving_key->commitment_key->commit(polynomial); } } }; - /** - * @brief A field element for each entity of the flavor. These entities represent the prover polynomials - * evaluated at one point. - */ - class AllValues : public AllEntities { - public: - using Base = AllEntities; - using Base::Base; - }; - /** - * @brief A container for the prover polynomials handles. - */ - class ProverPolynomials : public AllEntities { - public: - // Define all operations as default, except copy construction/assignment - ProverPolynomials() = default; - ProverPolynomials& operator=(const ProverPolynomials&) = delete; - ProverPolynomials(const ProverPolynomials& o) = delete; - ProverPolynomials(ProverPolynomials&& o) noexcept = default; - ProverPolynomials& operator=(ProverPolynomials&& o) noexcept = default; - ~ProverPolynomials() = default; - [[nodiscard]] size_t get_polynomial_size() const { return this->op.size(); } - /** - * @brief Returns the evaluations of all prover polynomials at one point on the boolean hypercube, which - * represents one row in the execution trace. - */ - [[nodiscard]] AllValues get_row(size_t row_idx) const - { - AllValues result; - for (auto [result_field, polynomial] : zip_view(result.get_all(), this->get_all())) { - result_field = polynomial[row_idx]; - } - return result; - } - }; /** * @brief A container for easier mapping of polynomials diff --git a/barretenberg/cpp/src/barretenberg/translator_vm/goblin_translator_prover.cpp b/barretenberg/cpp/src/barretenberg/translator_vm/goblin_translator_prover.cpp index ae7f49569481..52776acbe42d 100644 --- a/barretenberg/cpp/src/barretenberg/translator_vm/goblin_translator_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/translator_vm/goblin_translator_prover.cpp @@ -18,52 +18,8 @@ GoblinTranslatorProver::GoblinTranslatorProver(CircuitBuilder& circuit_builder, // Compute total number of gates, dyadic circuit size, etc. key = std::make_shared(circuit_builder); - dyadic_circuit_size = key->circuit_size; compute_witness(circuit_builder); compute_commitment_key(key->circuit_size); - - for (auto [prover_poly, key_poly] : zip_view(prover_polynomials.get_unshifted(), key->get_all())) { - ASSERT(flavor_get_label(prover_polynomials, prover_poly) == flavor_get_label(*key, key_poly)); - prover_poly = key_poly.share(); - } - for (auto [prover_poly, key_poly] : zip_view(prover_polynomials.get_shifted(), key->get_to_be_shifted())) { - ASSERT(flavor_get_label(prover_polynomials, prover_poly) == flavor_get_label(*key, key_poly) + "_shift"); - prover_poly = key_poly.shifted(); - } -} - -/** - * @brief Construct the witness polynomials from the witness vectors in the circuit constructor. - * - * @details In goblin translator wires come as is, since they have to reflect the structure of polynomials in the first - * 4 wires, which we've commited to - * - * @tparam Flavor provides the circuit constructor type and the number of wires. - * @param circuit_builder - * @param dyadic_circuit_size Power of 2 circuit size - * @todo TODO(https://github.com/AztecProtocol/barretenberg/issues/783) Optimize memory operations. - * @return std::vector - * */ -std::vector construct_wire_polynomials( - const GoblinTranslatorProver::CircuitBuilder& circuit_builder, const size_t dyadic_circuit_size) -{ - const size_t num_gates = circuit_builder.num_gates; - - std::vector wire_polynomials; - // Populate the wire polynomials with values from conventional wires - for (size_t wire_idx = 0; wire_idx < GoblinTranslatorFlavor::NUM_WIRES; ++wire_idx) { - // Expect all values to be set to 0 initially - GoblinTranslatorProver::Polynomial w_lagrange(dyadic_circuit_size); - - // Insert conventional gate wire values into the wire polynomial - for (size_t i = 0; i < num_gates; ++i) { - auto& wire = circuit_builder.wires[wire_idx]; - w_lagrange[i] = circuit_builder.get_variable(wire[i]); - } - - wire_polynomials.push_back(std::move(w_lagrange)); - } - return wire_polynomials; } /** @@ -76,103 +32,22 @@ void GoblinTranslatorProver::compute_witness(CircuitBuilder& circuit_builder) return; } - // Construct the conventional wire polynomials - auto wire_polynomials = construct_wire_polynomials(circuit_builder, dyadic_circuit_size); - - // TODO(https://github.com/AztecProtocol/barretenberg/issues/907) - // In order: - // wire_polynomials - // = WireEntities::get_wires - concatenated - // = WireNonShiftedEntities + WireToBeShiftedEntities - concatenated - key->op = wire_polynomials[0]; - key->x_lo_y_hi = wire_polynomials[1]; - key->x_hi_z_1 = wire_polynomials[2]; - key->y_lo_z_2 = wire_polynomials[3]; - key->p_x_low_limbs = wire_polynomials[4]; - key->p_x_low_limbs_range_constraint_0 = wire_polynomials[5]; - key->p_x_low_limbs_range_constraint_1 = wire_polynomials[6]; - key->p_x_low_limbs_range_constraint_2 = wire_polynomials[7]; - key->p_x_low_limbs_range_constraint_3 = wire_polynomials[8]; - key->p_x_low_limbs_range_constraint_4 = wire_polynomials[9]; - key->p_x_low_limbs_range_constraint_tail = wire_polynomials[10]; - key->p_x_high_limbs = wire_polynomials[11]; - key->p_x_high_limbs_range_constraint_0 = wire_polynomials[12]; - key->p_x_high_limbs_range_constraint_1 = wire_polynomials[13]; - key->p_x_high_limbs_range_constraint_2 = wire_polynomials[14]; - key->p_x_high_limbs_range_constraint_3 = wire_polynomials[15]; - key->p_x_high_limbs_range_constraint_4 = wire_polynomials[16]; - key->p_x_high_limbs_range_constraint_tail = wire_polynomials[17]; - key->p_y_low_limbs = wire_polynomials[18]; - key->p_y_low_limbs_range_constraint_0 = wire_polynomials[19]; - key->p_y_low_limbs_range_constraint_1 = wire_polynomials[20]; - key->p_y_low_limbs_range_constraint_2 = wire_polynomials[21]; - key->p_y_low_limbs_range_constraint_3 = wire_polynomials[22]; - key->p_y_low_limbs_range_constraint_4 = wire_polynomials[23]; - key->p_y_low_limbs_range_constraint_tail = wire_polynomials[24]; - key->p_y_high_limbs = wire_polynomials[25]; - key->p_y_high_limbs_range_constraint_0 = wire_polynomials[26]; - key->p_y_high_limbs_range_constraint_1 = wire_polynomials[27]; - key->p_y_high_limbs_range_constraint_2 = wire_polynomials[28]; - key->p_y_high_limbs_range_constraint_3 = wire_polynomials[29]; - key->p_y_high_limbs_range_constraint_4 = wire_polynomials[30]; - key->p_y_high_limbs_range_constraint_tail = wire_polynomials[31]; - key->z_low_limbs = wire_polynomials[32]; - key->z_low_limbs_range_constraint_0 = wire_polynomials[33]; - key->z_low_limbs_range_constraint_1 = wire_polynomials[34]; - key->z_low_limbs_range_constraint_2 = wire_polynomials[35]; - key->z_low_limbs_range_constraint_3 = wire_polynomials[36]; - key->z_low_limbs_range_constraint_4 = wire_polynomials[37]; - key->z_low_limbs_range_constraint_tail = wire_polynomials[38]; - key->z_high_limbs = wire_polynomials[39]; - key->z_high_limbs_range_constraint_0 = wire_polynomials[40]; - key->z_high_limbs_range_constraint_1 = wire_polynomials[41]; - key->z_high_limbs_range_constraint_2 = wire_polynomials[42]; - key->z_high_limbs_range_constraint_3 = wire_polynomials[43]; - key->z_high_limbs_range_constraint_4 = wire_polynomials[44]; - key->z_high_limbs_range_constraint_tail = wire_polynomials[45]; - key->accumulators_binary_limbs_0 = wire_polynomials[46]; - key->accumulators_binary_limbs_1 = wire_polynomials[47]; - key->accumulators_binary_limbs_2 = wire_polynomials[48]; - key->accumulators_binary_limbs_3 = wire_polynomials[49]; - key->accumulator_low_limbs_range_constraint_0 = wire_polynomials[50]; - key->accumulator_low_limbs_range_constraint_1 = wire_polynomials[51]; - key->accumulator_low_limbs_range_constraint_2 = wire_polynomials[52]; - key->accumulator_low_limbs_range_constraint_3 = wire_polynomials[53]; - key->accumulator_low_limbs_range_constraint_4 = wire_polynomials[54]; - key->accumulator_low_limbs_range_constraint_tail = wire_polynomials[55]; - key->accumulator_high_limbs_range_constraint_0 = wire_polynomials[56]; - key->accumulator_high_limbs_range_constraint_1 = wire_polynomials[57]; - key->accumulator_high_limbs_range_constraint_2 = wire_polynomials[58]; - key->accumulator_high_limbs_range_constraint_3 = wire_polynomials[59]; - key->accumulator_high_limbs_range_constraint_4 = wire_polynomials[60]; - key->accumulator_high_limbs_range_constraint_tail = wire_polynomials[61]; - key->quotient_low_binary_limbs = wire_polynomials[62]; - key->quotient_high_binary_limbs = wire_polynomials[63]; - key->quotient_low_limbs_range_constraint_0 = wire_polynomials[64]; - key->quotient_low_limbs_range_constraint_1 = wire_polynomials[65]; - key->quotient_low_limbs_range_constraint_2 = wire_polynomials[66]; - key->quotient_low_limbs_range_constraint_3 = wire_polynomials[67]; - key->quotient_low_limbs_range_constraint_4 = wire_polynomials[68]; - key->quotient_low_limbs_range_constraint_tail = wire_polynomials[69]; - key->quotient_high_limbs_range_constraint_0 = wire_polynomials[70]; - key->quotient_high_limbs_range_constraint_1 = wire_polynomials[71]; - key->quotient_high_limbs_range_constraint_2 = wire_polynomials[72]; - key->quotient_high_limbs_range_constraint_3 = wire_polynomials[73]; - key->quotient_high_limbs_range_constraint_4 = wire_polynomials[74]; - key->quotient_high_limbs_range_constraint_tail = wire_polynomials[75]; - key->relation_wide_limbs = wire_polynomials[76]; - key->relation_wide_limbs_range_constraint_0 = wire_polynomials[77]; - key->relation_wide_limbs_range_constraint_1 = wire_polynomials[78]; - key->relation_wide_limbs_range_constraint_2 = wire_polynomials[79]; - key->relation_wide_limbs_range_constraint_3 = wire_polynomials[80]; + // Populate the wire polynomials from the wire vectors in the circuit constructor. Note: In goblin translator wires + // come as is, since they have to reflect the structure of polynomials in the first 4 wires, which we've commited to + for (auto [wire_poly, wire] : zip_view(key->polynomials.get_wires(), circuit_builder.wires)) { + for (size_t i = 0; i < circuit_builder.num_gates; ++i) { + wire_poly[i] = circuit_builder.get_variable(wire[i]); + } + } // We construct concatenated versions of range constraint polynomials, where several polynomials are concatenated // into one. These polynomials are not commited to. - bb::compute_concatenated_polynomials(key.get()); + bb::compute_concatenated_polynomials(key->polynomials); // We also contruct ordered polynomials, which have the same values as concatenated ones + enough values to bridge // the range from 0 to maximum range defined by the range constraint. - bb::compute_goblin_translator_range_constraint_ordered_polynomials(key.get(), mini_circuit_dyadic_size); + bb::compute_goblin_translator_range_constraint_ordered_polynomials(key->polynomials, + mini_circuit_dyadic_size); computed_witness = true; } @@ -198,10 +73,10 @@ void GoblinTranslatorProver::execute_preamble_round() const auto SHIFT = uint256_t(1) << Flavor::NUM_LIMB_BITS; const auto SHIFTx2 = uint256_t(1) << (Flavor::NUM_LIMB_BITS * 2); const auto SHIFTx3 = uint256_t(1) << (Flavor::NUM_LIMB_BITS * 3); - const auto accumulated_result = - BF(uint256_t(key->accumulators_binary_limbs_0[1]) + uint256_t(key->accumulators_binary_limbs_1[1]) * SHIFT + - uint256_t(key->accumulators_binary_limbs_2[1]) * SHIFTx2 + - uint256_t(key->accumulators_binary_limbs_3[1]) * SHIFTx3); + const auto accumulated_result = BF(uint256_t(key->polynomials.accumulators_binary_limbs_0[1]) + + uint256_t(key->polynomials.accumulators_binary_limbs_1[1]) * SHIFT + + uint256_t(key->polynomials.accumulators_binary_limbs_2[1]) * SHIFTx2 + + uint256_t(key->polynomials.accumulators_binary_limbs_3[1]) * SHIFTx3); transcript->send_to_verifier("circuit_size", circuit_size); transcript->send_to_verifier("evaluation_input_x", key->evaluation_input_x); transcript->send_to_verifier("accumulated_result", accumulated_result); @@ -213,9 +88,9 @@ void GoblinTranslatorProver::execute_preamble_round() */ void GoblinTranslatorProver::execute_wire_and_sorted_constraints_commitments_round() { - // Commit to all wire polynomials - auto wire_polys = key->get_wires(); - auto labels = commitment_labels.get_wires(); + // Commit to all wire polynomials and ordered range constraint polynomials + auto wire_polys = key->polynomials.get_wires_and_ordered_range_constraints(); + auto labels = commitment_labels.get_wires_and_ordered_range_constraints(); for (size_t idx = 0; idx < wire_polys.size(); ++idx) { transcript->send_to_verifier(labels[idx], commitment_key->commit(wire_polys[idx])); } @@ -241,10 +116,10 @@ void GoblinTranslatorProver::execute_grand_product_computation_round() uint_evaluation_input.slice(NUM_LIMB_BITS * 3, NUM_LIMB_BITS * 4), uint_evaluation_input }; - relation_parameters.accumulated_result = { key->accumulators_binary_limbs_0[1], - key->accumulators_binary_limbs_1[1], - key->accumulators_binary_limbs_2[1], - key->accumulators_binary_limbs_3[1] }; + relation_parameters.accumulated_result = { key->polynomials.accumulators_binary_limbs_0[1], + key->polynomials.accumulators_binary_limbs_1[1], + key->polynomials.accumulators_binary_limbs_2[1], + key->polynomials.accumulators_binary_limbs_3[1] }; std::vector uint_batching_challenge_powers; auto batching_challenge_v = key->batching_challenge_v; @@ -266,9 +141,9 @@ void GoblinTranslatorProver::execute_grand_product_computation_round() }; } // Compute constraint permutation grand product - compute_grand_products(*key, prover_polynomials, relation_parameters); + compute_grand_products(key->polynomials, relation_parameters); - transcript->send_to_verifier(commitment_labels.z_perm, commitment_key->commit(key->z_perm)); + transcript->send_to_verifier(commitment_labels.z_perm, commitment_key->commit(key->polynomials.z_perm)); } /** @@ -285,7 +160,7 @@ void GoblinTranslatorProver::execute_relation_check_rounds() for (size_t idx = 0; idx < gate_challenges.size(); idx++) { gate_challenges[idx] = transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); } - sumcheck_output = sumcheck.prove(prover_polynomials, relation_parameters, alpha, gate_challenges); + sumcheck_output = sumcheck.prove(key->polynomials, relation_parameters, alpha, gate_challenges); } /** @@ -296,16 +171,16 @@ void GoblinTranslatorProver::execute_relation_check_rounds() void GoblinTranslatorProver::execute_zeromorph_rounds() { using ZeroMorph = ZeroMorphProver_; - ZeroMorph::prove(prover_polynomials.get_unshifted_without_concatenated(), - prover_polynomials.get_to_be_shifted(), + ZeroMorph::prove(key->polynomials.get_unshifted_without_concatenated(), + key->polynomials.get_to_be_shifted(), sumcheck_output.claimed_evaluations.get_unshifted_without_concatenated(), sumcheck_output.claimed_evaluations.get_shifted(), sumcheck_output.challenge, commitment_key, transcript, - prover_polynomials.get_concatenated_constraints(), + key->polynomials.get_concatenated_constraints(), sumcheck_output.claimed_evaluations.get_concatenated_constraints(), - prover_polynomials.get_concatenation_groups()); + key->polynomials.get_concatenation_groups()); } HonkProof& GoblinTranslatorProver::export_proof() diff --git a/barretenberg/cpp/src/barretenberg/translator_vm/goblin_translator_prover.hpp b/barretenberg/cpp/src/barretenberg/translator_vm/goblin_translator_prover.hpp index 7fdc6228baab..077632dfc044 100644 --- a/barretenberg/cpp/src/barretenberg/translator_vm/goblin_translator_prover.hpp +++ b/barretenberg/cpp/src/barretenberg/translator_vm/goblin_translator_prover.hpp @@ -18,7 +18,6 @@ class GoblinTranslatorProver { using CommitmentKey = typename Flavor::CommitmentKey; using ProvingKey = typename Flavor::ProvingKey; using Polynomial = typename Flavor::Polynomial; - using ProverPolynomials = typename Flavor::ProverPolynomials; using CommitmentLabels = typename Flavor::CommitmentLabels; using PCS = typename Flavor::PCS; using Transcript = typename Flavor::Transcript; @@ -47,9 +46,6 @@ class GoblinTranslatorProver { std::shared_ptr key; - // Container for spans of all polynomials required by the prover (i.e. all multivariates evaluated by Sumcheck). - ProverPolynomials prover_polynomials; - CommitmentLabels commitment_labels; std::shared_ptr commitment_key; diff --git a/barretenberg/cpp/src/barretenberg/translator_vm/relation_correctness.test.cpp b/barretenberg/cpp/src/barretenberg/translator_vm/relation_correctness.test.cpp index 1d15be935fbb..c1b1cca37788 100644 --- a/barretenberg/cpp/src/barretenberg/translator_vm/relation_correctness.test.cpp +++ b/barretenberg/cpp/src/barretenberg/translator_vm/relation_correctness.test.cpp @@ -137,17 +137,16 @@ TEST_F(GoblinTranslatorRelationCorrectnessTests, Permutation) fill_polynomial_with_random_14_bit_values(prover_polynomials.relation_wide_limbs_range_constraint_3); // Compute ordered range constraint polynomials that go in the denominator of the grand product polynomial - compute_goblin_translator_range_constraint_ordered_polynomials(&prover_polynomials, mini_circuit_size); + compute_goblin_translator_range_constraint_ordered_polynomials(prover_polynomials, mini_circuit_size); // Compute the fixed numerator (part of verification key) prover_polynomials.compute_extra_range_constraint_numerator(); // Compute concatenated polynomials (4 polynomials produced from other constraint polynomials by concatenation) - compute_concatenated_polynomials(&prover_polynomials); + compute_concatenated_polynomials(prover_polynomials); // Compute the grand product polynomial - compute_grand_product>( - full_circuit_size, prover_polynomials, params); + compute_grand_product>(prover_polynomials, params); prover_polynomials.z_perm_shift = prover_polynomials.z_perm.shifted(); using Relations = typename Flavor::Relations; diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.cpp index 700ece5181f2..b34fd9588d45 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.cpp @@ -65,9 +65,9 @@ template void OinkProver::execute_wire_commitment { // Commit to the first three wire polynomials of the instance // We only commit to the fourth wire polynomial after adding memory recordss - witness_commitments.w_l = commitment_key->commit(proving_key.w_l); - witness_commitments.w_r = commitment_key->commit(proving_key.w_r); - witness_commitments.w_o = commitment_key->commit(proving_key.w_o); + witness_commitments.w_l = commitment_key->commit(proving_key.polynomials.w_l); + witness_commitments.w_r = commitment_key->commit(proving_key.polynomials.w_r); + witness_commitments.w_o = commitment_key->commit(proving_key.polynomials.w_o); auto wire_comms = witness_commitments.get_wires(); auto wire_labels = commitment_labels.get_wires(); @@ -77,10 +77,10 @@ template void OinkProver::execute_wire_commitment if constexpr (IsGoblinFlavor) { // Commit to Goblin ECC op wires - witness_commitments.ecc_op_wire_1 = commitment_key->commit(proving_key.ecc_op_wire_1); - witness_commitments.ecc_op_wire_2 = commitment_key->commit(proving_key.ecc_op_wire_2); - witness_commitments.ecc_op_wire_3 = commitment_key->commit(proving_key.ecc_op_wire_3); - witness_commitments.ecc_op_wire_4 = commitment_key->commit(proving_key.ecc_op_wire_4); + witness_commitments.ecc_op_wire_1 = commitment_key->commit(proving_key.polynomials.ecc_op_wire_1); + witness_commitments.ecc_op_wire_2 = commitment_key->commit(proving_key.polynomials.ecc_op_wire_2); + witness_commitments.ecc_op_wire_3 = commitment_key->commit(proving_key.polynomials.ecc_op_wire_3); + witness_commitments.ecc_op_wire_4 = commitment_key->commit(proving_key.polynomials.ecc_op_wire_4); auto op_wire_comms = witness_commitments.get_ecc_op_wires(); auto labels = commitment_labels.get_ecc_op_wires(); @@ -89,13 +89,14 @@ template void OinkProver::execute_wire_commitment } // Commit to DataBus columns and corresponding read counts - witness_commitments.calldata = commitment_key->commit(proving_key.calldata); - witness_commitments.calldata_read_counts = commitment_key->commit(proving_key.calldata_read_counts); + witness_commitments.calldata = commitment_key->commit(proving_key.polynomials.calldata); + witness_commitments.calldata_read_counts = commitment_key->commit(proving_key.polynomials.calldata_read_counts); transcript->send_to_verifier(domain_separator + commitment_labels.calldata, witness_commitments.calldata); transcript->send_to_verifier(domain_separator + commitment_labels.calldata_read_counts, witness_commitments.calldata_read_counts); - witness_commitments.return_data = commitment_key->commit(proving_key.return_data); - witness_commitments.return_data_read_counts = commitment_key->commit(proving_key.return_data_read_counts); + witness_commitments.return_data = commitment_key->commit(proving_key.polynomials.return_data); + witness_commitments.return_data_read_counts = + commitment_key->commit(proving_key.polynomials.return_data_read_counts); transcript->send_to_verifier(domain_separator + commitment_labels.return_data, witness_commitments.return_data); transcript->send_to_verifier(domain_separator + commitment_labels.return_data_read_counts, witness_commitments.return_data_read_counts); @@ -119,8 +120,8 @@ template void OinkProver::execute_sorted_list_acc relation_parameters.eta, relation_parameters.eta_two, relation_parameters.eta_three); // Commit to the sorted witness-table accumulator and the finalized (i.e. with memory records) fourth wire // polynomial - witness_commitments.sorted_accum = commitment_key->commit(proving_key.sorted_accum); - witness_commitments.w_4 = commitment_key->commit(proving_key.w_4); + witness_commitments.sorted_accum = commitment_key->commit(proving_key.polynomials.sorted_accum); + witness_commitments.w_4 = commitment_key->commit(proving_key.polynomials.w_4); transcript->send_to_verifier(domain_separator + commitment_labels.sorted_accum, witness_commitments.sorted_accum); transcript->send_to_verifier(domain_separator + commitment_labels.w_4, witness_commitments.w_4); @@ -138,8 +139,9 @@ template void OinkProver::execute_log_derivative_ if constexpr (IsGoblinFlavor) { // Compute and commit to the logderivative inverse used in DataBus proving_key.compute_logderivative_inverse(relation_parameters); - witness_commitments.calldata_inverses = commitment_key->commit(proving_key.calldata_inverses); - witness_commitments.return_data_inverses = commitment_key->commit(proving_key.return_data_inverses); + + witness_commitments.calldata_inverses = commitment_key->commit(proving_key.polynomials.calldata_inverses); + witness_commitments.return_data_inverses = commitment_key->commit(proving_key.polynomials.return_data_inverses); transcript->send_to_verifier(domain_separator + commitment_labels.calldata_inverses, witness_commitments.calldata_inverses); transcript->send_to_verifier(domain_separator + commitment_labels.return_data_inverses, @@ -153,11 +155,10 @@ template void OinkProver::execute_log_derivative_ */ template void OinkProver::execute_grand_product_computation_round() { - proving_key.compute_grand_product_polynomials(relation_parameters); - witness_commitments.z_perm = commitment_key->commit(proving_key.z_perm); - witness_commitments.z_lookup = commitment_key->commit(proving_key.z_lookup); + witness_commitments.z_perm = commitment_key->commit(proving_key.polynomials.z_perm); + witness_commitments.z_lookup = commitment_key->commit(proving_key.polynomials.z_lookup); transcript->send_to_verifier(domain_separator + commitment_labels.z_perm, witness_commitments.z_perm); transcript->send_to_verifier(domain_separator + commitment_labels.z_lookup, witness_commitments.z_lookup); diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/relation_correctness.test.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/relation_correctness.test.cpp index ac3ca627ce51..12ac51adf353 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/relation_correctness.test.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/relation_correctness.test.cpp @@ -276,19 +276,18 @@ TEST_F(UltraRelationCorrectnessTests, Ultra) instance->relation_parameters.eta_two, instance->relation_parameters.eta_three); instance->proving_key.compute_grand_product_polynomials(instance->relation_parameters); - instance->prover_polynomials = Flavor::ProverPolynomials(instance->proving_key); // Check that selectors are nonzero to ensure corresponding relation has nontrivial contribution - ensure_non_zero(proving_key.q_arith); - ensure_non_zero(proving_key.q_delta_range); - ensure_non_zero(proving_key.q_lookup); - ensure_non_zero(proving_key.q_elliptic); - ensure_non_zero(proving_key.q_aux); + ensure_non_zero(proving_key.polynomials.q_arith); + ensure_non_zero(proving_key.polynomials.q_delta_range); + ensure_non_zero(proving_key.polynomials.q_lookup); + ensure_non_zero(proving_key.polynomials.q_elliptic); + ensure_non_zero(proving_key.polynomials.q_aux); // Construct the round for applying sumcheck relations and results for storing computed results using Relations = typename Flavor::Relations; - auto& prover_polynomials = instance->prover_polynomials; + auto& prover_polynomials = instance->proving_key.polynomials; auto params = instance->relation_parameters; // Check that each relation is satisfied across each row of the prover polynomials check_relation>(circuit_size, prover_polynomials, params); @@ -333,28 +332,27 @@ TEST_F(UltraRelationCorrectnessTests, GoblinUltra) instance->relation_parameters.eta_three); instance->proving_key.compute_logderivative_inverse(instance->relation_parameters); instance->proving_key.compute_grand_product_polynomials(instance->relation_parameters); - instance->prover_polynomials = Flavor::ProverPolynomials(instance->proving_key); // Check that selectors are nonzero to ensure corresponding relation has nontrivial contribution - ensure_non_zero(proving_key.q_arith); - ensure_non_zero(proving_key.q_delta_range); - ensure_non_zero(proving_key.q_lookup); - ensure_non_zero(proving_key.q_elliptic); - ensure_non_zero(proving_key.q_aux); - ensure_non_zero(proving_key.q_busread); - ensure_non_zero(proving_key.q_poseidon2_external); - ensure_non_zero(proving_key.q_poseidon2_internal); - - ensure_non_zero(proving_key.calldata); - ensure_non_zero(proving_key.calldata_read_counts); - ensure_non_zero(proving_key.calldata_inverses); - ensure_non_zero(proving_key.return_data); - ensure_non_zero(proving_key.return_data_read_counts); - ensure_non_zero(proving_key.return_data_inverses); + ensure_non_zero(proving_key.polynomials.q_arith); + ensure_non_zero(proving_key.polynomials.q_delta_range); + ensure_non_zero(proving_key.polynomials.q_lookup); + ensure_non_zero(proving_key.polynomials.q_elliptic); + ensure_non_zero(proving_key.polynomials.q_aux); + ensure_non_zero(proving_key.polynomials.q_busread); + ensure_non_zero(proving_key.polynomials.q_poseidon2_external); + ensure_non_zero(proving_key.polynomials.q_poseidon2_internal); + + ensure_non_zero(proving_key.polynomials.calldata); + ensure_non_zero(proving_key.polynomials.calldata_read_counts); + ensure_non_zero(proving_key.polynomials.calldata_inverses); + ensure_non_zero(proving_key.polynomials.return_data); + ensure_non_zero(proving_key.polynomials.return_data_read_counts); + ensure_non_zero(proving_key.polynomials.return_data_inverses); // Construct the round for applying sumcheck relations and results for storing computed results using Relations = typename Flavor::Relations; - auto& prover_polynomials = instance->prover_polynomials; + auto& prover_polynomials = instance->proving_key.polynomials; auto params = instance->relation_parameters; // Check that each relation is satisfied across each row of the prover polynomials diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/sumcheck.test.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/sumcheck.test.cpp index 9c267bb72b5a..5962b8ba212f 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/sumcheck.test.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/sumcheck.test.cpp @@ -161,7 +161,6 @@ TEST_F(SumcheckTestsRealCircuit, Ultra) instance->relation_parameters.eta_two, instance->relation_parameters.eta_three); instance->proving_key.compute_grand_product_polynomials(instance->relation_parameters); - instance->prover_polynomials = Flavor::ProverPolynomials(instance->proving_key); auto prover_transcript = Transcript::prover_init_empty(); auto circuit_size = instance->proving_key.circuit_size; diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_composer.test.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_composer.test.cpp index a4d5cf5e5d80..564afd23c4a7 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_composer.test.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_composer.test.cpp @@ -71,17 +71,17 @@ TEST_F(UltraHonkComposerTests, ANonZeroPolynomialIsAGoodPolynomial) auto instance = std::make_shared(circuit_builder); UltraProver prover(instance); auto proof = prover.construct_proof(); - auto& proving_key = instance->proving_key; + auto& polynomials = instance->proving_key.polynomials; - for (auto& poly : proving_key.get_selectors()) { + for (auto& poly : polynomials.get_selectors()) { ensure_non_zero(poly); } - for (auto& poly : proving_key.get_table_polynomials()) { + for (auto& poly : polynomials.get_tables()) { ensure_non_zero(poly); } - for (auto& poly : proving_key.get_wires()) { + for (auto& poly : polynomials.get_wires()) { ensure_non_zero(poly); } } @@ -207,15 +207,8 @@ TEST_F(UltraHonkComposerTests, create_gates_from_plookup_accumulators) expected_scalar >>= table_bits; } } - auto instance = std::make_shared(circuit_builder); - UltraProver prover(instance); - auto verification_key = std::make_shared(instance->proving_key); - UltraVerifier verifier(verification_key); - auto proof = prover.construct_proof(); - - bool result = verifier.verify_proof(proof); - EXPECT_EQ(result, true); + prove_and_verify(circuit_builder, /*expected_result=*/true); } TEST_F(UltraHonkComposerTests, test_no_lookup_proof) diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.cpp index f3fc6b0e5be8..92166a00142e 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.cpp @@ -57,8 +57,8 @@ template void UltraProver_::execute_relation_chec * */ template void UltraProver_::execute_zeromorph_rounds() { - ZeroMorph::prove(instance->prover_polynomials.get_unshifted(), - instance->prover_polynomials.get_to_be_shifted(), + ZeroMorph::prove(instance->proving_key.polynomials.get_unshifted(), + instance->proving_key.polynomials.get_to_be_shifted(), sumcheck_output.claimed_evaluations.get_unshifted(), sumcheck_output.claimed_evaluations.get_shifted(), sumcheck_output.challenge, @@ -79,7 +79,6 @@ template HonkProof& UltraProver_::construct_proof instance->proving_key = std::move(proving_key); instance->relation_parameters = std::move(relation_params); instance->alphas = alphas; - instance->prover_polynomials = ProverPolynomials(instance->proving_key); // Fiat-Shamir: alpha // Run sumcheck subprotocol. diff --git a/barretenberg/cpp/src/barretenberg/vm/generated/avm_flavor.hpp b/barretenberg/cpp/src/barretenberg/vm/generated/avm_flavor.hpp index e55fbc4dc80f..fdafe0ffaac9 100644 --- a/barretenberg/cpp/src/barretenberg/vm/generated/avm_flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/vm/generated/avm_flavor.hpp @@ -1566,10 +1566,11 @@ class AvmFlavor { }; public: - class ProvingKey : public ProvingKey_, WitnessEntities, CommitmentKey> { + class ProvingKey + : public ProvingKeyAvm_, WitnessEntities, CommitmentKey> { public: // Expose constructors on the base class - using Base = ProvingKey_, WitnessEntities, CommitmentKey>; + using Base = ProvingKeyAvm_, WitnessEntities, CommitmentKey>; using Base::Base; RefVector get_to_be_shifted()