feat: Shplonk revival in ECCVM

barretenberg/cpp/src/barretenberg/benchmark/ipa_bench/ipa.bench.cpp

@@ -43,7 +43,7 @@ void ipa_open(State& state) noexcept
         auto prover_transcript = std::make_shared<NativeTranscript>();
         state.ResumeTiming();
         // Compute proof
-        IPA<Curve>::compute_opening_proof(ck, opening_pair, poly, prover_transcript);
+        IPA<Curve>::compute_opening_proof(ck, { poly, opening_pair }, prover_transcript);
         // Store info for verifier
         prover_transcripts[static_cast<size_t>(state.range(0)) - MIN_POLYNOMIAL_DEGREE_LOG2] = prover_transcript;
         opening_claims[static_cast<size_t>(state.range(0)) - MIN_POLYNOMIAL_DEGREE_LOG2] = opening_claim;

barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.fuzzer.cpp

@@ -21,11 +21,10 @@ class ProxyCaller {
   public:
     template <typename Transcript>
     static void compute_opening_proof_internal(const std::shared_ptr<CommitmentKey<Curve>>& ck,
-                                               const OpeningPair<Curve>& opening_pair,
-                                               const Polynomial<Curve::ScalarField>& polynomial,
+                                               const ProverOpeningClaim<Curve>& opening_claim,
                                                const std::shared_ptr<Transcript>& transcript)
     {
-        IPA<Curve>::compute_opening_proof_internal(ck, opening_pair, polynomial, transcript);
+        IPA<Curve>::compute_opening_proof_internal(ck, opening_claim, transcript);
     }
     template <typename Transcript>
     static bool verify_internal(const std::shared_ptr<VerifierCommitmentKey<Curve>>& vk,
@@ -145,7 +144,7 @@ extern "C" int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size)
     }
     auto const opening_pair = OpeningPair<Curve>{ x, poly.evaluate(x) };
     auto const opening_claim = OpeningClaim<Curve>{ opening_pair, ck->commit(poly) };
-    ProxyCaller::compute_opening_proof_internal(ck, opening_pair, poly, transcript);
+    ProxyCaller::compute_opening_proof_internal(ck, { poly, opening_pair }, transcript);
 
     // Reset challenge indices
     transcript->reset_indices();

barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.hpp

@@ -130,10 +130,12 @@ template <typename Curve_> class IPA {
     */ 
    template <typename Transcript>
    static void compute_opening_proof_internal(const std::shared_ptr<CK>& ck,
-                                              const OpeningPair<Curve>& opening_pair,
-                                              const Polynomial& polynomial,
+                                              const ProverOpeningClaim<Curve>& opening_claim,
                                               const std::shared_ptr<Transcript>& transcript)
    {
+
+        Polynomial polynomial = opening_claim.polynomial;
+
         // clang-format on
         auto poly_length = static_cast<size_t>(polynomial.size());
 
@@ -184,6 +186,7 @@ template <typename Curve_> class IPA {
 
         // Step 5.
         // Compute vector b (vector of the powers of the challenge)
+        OpeningPair<Curve> opening_pair = opening_claim.opening_pair;
         std::vector<Fr> b_vec(poly_length);
         run_loop_in_parallel_if_effective(
             poly_length,
@@ -603,11 +606,10 @@ template <typename Curve_> class IPA {
      * compute_opening_proof_internal \endlink.
      */
     static void compute_opening_proof(const std::shared_ptr<CK>& ck,
-                                      const OpeningPair<Curve>& opening_pair,
-                                      const Polynomial& polynomial,
+                                      const ProverOpeningClaim<Curve>& opening_claim,
                                       const std::shared_ptr<NativeTranscript>& transcript)
     {
-        compute_opening_proof_internal(ck, opening_pair, polynomial, transcript);
+        compute_opening_proof_internal(ck, opening_claim, transcript);
     }
 
     /**

barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp

@@ -67,7 +67,7 @@ TEST_F(IPATest, OpenZeroPolynomial)
 
     // initialize empty prover transcript
     auto prover_transcript = std::make_shared<NativeTranscript>();
-    IPA::compute_opening_proof(this->ck(), opening_pair, poly, prover_transcript);
+    IPA::compute_opening_proof(this->ck(), { poly, opening_pair }, prover_transcript);
 
     // initialize verifier transcript from proof data
     auto verifier_transcript = std::make_shared<NativeTranscript>(prover_transcript->proof_data);
@@ -92,7 +92,7 @@ TEST_F(IPATest, OpenAtZero)
 
     // initialize empty prover transcript
     auto prover_transcript = std::make_shared<NativeTranscript>();
-    IPA::compute_opening_proof(this->ck(), opening_pair, poly, prover_transcript);
+    IPA::compute_opening_proof(this->ck(), { poly, opening_pair }, prover_transcript);
 
     // initialize verifier transcript from proof data
     auto verifier_transcript = std::make_shared<NativeTranscript>(prover_transcript->proof_data);
@@ -131,7 +131,7 @@ TEST_F(IPATest, ChallengesAreZero)
         auto new_random_vector = random_vector;
         new_random_vector[i] = Fr::zero();
         transcript->initialize(new_random_vector);
-        EXPECT_ANY_THROW(IPA::compute_opening_proof_internal(this->ck(), opening_pair, poly, transcript));
+        EXPECT_ANY_THROW(IPA::compute_opening_proof_internal(this->ck(), { poly, opening_pair }, transcript));
     }
     // Fill out a vector of affine elements that the verifier receives from the prover with generators (we don't care
     // about them right now)
@@ -181,7 +181,7 @@ TEST_F(IPATest, AIsZeroAfterOneRound)
     transcript->initialize(random_vector);
 
     // Compute opening proof
-    IPA::compute_opening_proof_internal(this->ck(), opening_pair, poly, transcript);
+    IPA::compute_opening_proof_internal(this->ck(), { poly, opening_pair }, transcript);
 
     // Reset indices
     transcript->reset_indices();
@@ -221,7 +221,7 @@ TEST_F(IPATest, Open)
 
     // initialize empty prover transcript
     auto prover_transcript = std::make_shared<NativeTranscript>();
-    IPA::compute_opening_proof(this->ck(), opening_pair, poly, prover_transcript);
+    IPA::compute_opening_proof(this->ck(), { poly, opening_pair }, prover_transcript);
 
     // initialize verifier transcript from proof data
     auto verifier_transcript = std::make_shared<NativeTranscript>(prover_transcript->proof_data);
@@ -295,22 +295,18 @@ TEST_F(IPATest, GeminiShplonkIPAWithShift)
     const auto [gemini_opening_pairs, gemini_witnesses] = GeminiProver::compute_fold_polynomial_evaluations(
         mle_opening_point, std::move(gemini_polynomials), r_challenge);
 
+    std::vector<ProverOpeningClaim<Curve>> opening_claims;
+
     for (size_t l = 0; l < log_n; ++l) {
         std::string label = "Gemini:a_" + std::to_string(l);
         const auto& evaluation = gemini_opening_pairs[l + 1].evaluation;
         prover_transcript->send_to_verifier(label, evaluation);
+        opening_claims.emplace_back(gemini_witnesses[l], gemini_opening_pairs[l]);
     }
+    opening_claims.emplace_back(gemini_witnesses[log_n], gemini_opening_pairs[log_n]);
 
-    const Fr nu_challenge = prover_transcript->template get_challenge<Fr>("Shplonk:nu");
-    auto batched_quotient_Q =
-        ShplonkProver::compute_batched_quotient(gemini_opening_pairs, gemini_witnesses, nu_challenge);
-    prover_transcript->send_to_verifier("Shplonk:Q", this->ck()->commit(batched_quotient_Q));
-
-    const Fr z_challenge = prover_transcript->template get_challenge<Fr>("Shplonk:z");
-    const auto [shplonk_opening_pair, shplonk_witness] = ShplonkProver::compute_partially_evaluated_batched_quotient(
-        gemini_opening_pairs, gemini_witnesses, std::move(batched_quotient_Q), nu_challenge, z_challenge);
-
-    IPA::compute_opening_proof(this->ck(), shplonk_opening_pair, shplonk_witness, prover_transcript);
+    const auto opening_claim = ShplonkProver::prove(this->ck(), opening_claims, prover_transcript);
+    IPA::compute_opening_proof(this->ck(), opening_claim, prover_transcript);
 
     auto verifier_transcript = NativeTranscript::verifier_init_empty(prover_transcript);
 
@@ -321,7 +317,7 @@ TEST_F(IPATest, GeminiShplonkIPAWithShift)
                                                                      verifier_transcript);
 
     const auto shplonk_verifier_claim =
-        ShplonkVerifier::reduce_verification(this->vk(), gemini_verifier_claim, verifier_transcript);
+        ShplonkVerifier::reduce_verification(this->vk()->get_g1_identity(), gemini_verifier_claim, verifier_transcript);
     auto result = IPA::reduce_verify(this->vk(), shplonk_verifier_claim, verifier_transcript);
 
     EXPECT_EQ(result, true);

barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.hpp

@@ -26,19 +26,19 @@ template <typename Curve_> class KZG {
      * @brief Computes the KZG commitment to an opening proof polynomial at a single evaluation point
      *
      * @param ck The commitment key which has a commit function, the srs and pippenger_runtime_state
-     * @param opening_pair OpeningPair = {r, v = p(r)}
-     * @param polynomial The witness whose opening proof needs to be computed
+     * @param opening_claim {p, (r, v = p(r))} where p is the witness polynomial whose opening proof needs to be
+     * computed
      * @param prover_transcript Prover transcript
      */
     static void compute_opening_proof(std::shared_ptr<CK> ck,
-                                      const OpeningPair<Curve>& opening_pair,
-                                      const Polynomial& polynomial,
+                                      const ProverOpeningClaim<Curve>& opening_claim,
                                       const std::shared_ptr<NativeTranscript>& prover_trancript)
     {
-        Polynomial quotient = polynomial;
-        quotient[0] -= opening_pair.evaluation;
+        Polynomial quotient = opening_claim.polynomial;
+        OpeningPair<Curve> pair = opening_claim.opening_pair;
+        quotient[0] -= pair.evaluation;
         // Computes the coefficients for the quotient polynomial q(X) = (p(X) - v) / (X - r) through an FFT
-        quotient.factor_roots(opening_pair.challenge);
+        quotient.factor_roots(pair.challenge);
         auto quotient_commitment = ck->commit(quotient);
         // TODO(#479): for now we compute the KZG commitment directly to unify the KZG and IPA interfaces but in the
         // future we might need to adjust this to use the incoming alternative to work queue (i.e. variation of

barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp

@@ -41,7 +41,7 @@ TYPED_TEST(KZGTest, single)
 
     auto prover_transcript = NativeTranscript::prover_init_empty();
 
-    KZG::compute_opening_proof(this->ck(), opening_pair, witness, prover_transcript);
+    KZG::compute_opening_proof(this->ck(), { witness, opening_pair }, prover_transcript);
 
     auto verifier_transcript = NativeTranscript::verifier_init_empty(prover_transcript);
     auto pairing_points = KZG::reduce_verify(opening_claim, verifier_transcript);
@@ -130,27 +130,23 @@ TYPED_TEST(KZGTest, GeminiShplonkKzgWithShift)
     const auto [gemini_opening_pairs, gemini_witnesses] = GeminiProver::compute_fold_polynomial_evaluations(
         mle_opening_point, std::move(gemini_polynomials), r_challenge);
 
+    std::vector<ProverOpeningClaim<TypeParam>> opening_claims;
     for (size_t l = 0; l < log_n; ++l) {
         std::string label = "Gemini:a_" + std::to_string(l);
         const auto& evaluation = gemini_opening_pairs[l + 1].evaluation;
         prover_transcript->send_to_verifier(label, evaluation);
+        opening_claims.emplace_back(gemini_witnesses[l], gemini_opening_pairs[l]);
     }
+    opening_claims.emplace_back(gemini_witnesses[log_n], gemini_opening_pairs[log_n]);
 
     // Shplonk prover output:
     // - opening pair: (z_challenge, 0)
     // - witness: polynomial Q - Q_z
-    const Fr nu_challenge = prover_transcript->template get_challenge<Fr>("Shplonk:nu");
-    auto batched_quotient_Q =
-        ShplonkProver::compute_batched_quotient(gemini_opening_pairs, gemini_witnesses, nu_challenge);
-    prover_transcript->send_to_verifier("Shplonk:Q", this->ck()->commit(batched_quotient_Q));
-
-    const Fr z_challenge = prover_transcript->template get_challenge<Fr>("Shplonk:z");
-    const auto [shplonk_opening_pair, shplonk_witness] = ShplonkProver::compute_partially_evaluated_batched_quotient(
-        gemini_opening_pairs, gemini_witnesses, std::move(batched_quotient_Q), nu_challenge, z_challenge);
+    const auto opening_claim = ShplonkProver::prove(this->ck(), opening_claims, prover_transcript);
 
     // KZG prover:
     // - Adds commitment [W] to transcript
-    KZG::compute_opening_proof(this->ck(), shplonk_opening_pair, shplonk_witness, prover_transcript);
+    KZG::compute_opening_proof(this->ck(), opening_claim, prover_transcript);
 
     // Run the full verifier PCS protocol with genuine opening claims (genuine commitment, genuine evaluation)
 
@@ -166,7 +162,7 @@ TYPED_TEST(KZGTest, GeminiShplonkKzgWithShift)
 
     // Shplonk verifier claim: commitment [Q] - [Q_z], opening point (z_challenge, 0)
     const auto shplonk_verifier_claim =
-        ShplonkVerifier::reduce_verification(this->vk(), gemini_verifier_claim, verifier_transcript);
+        ShplonkVerifier::reduce_verification(this->vk()->get_g1_identity(), gemini_verifier_claim, verifier_transcript);
 
     // KZG verifier:
     // aggregates inputs [Q] - [Q_z] and [W] into an 'accumulator' (can perform pairing check on result)