diff --git a/cpp/src/barretenberg/honk/composer/composer_helper/standard_honk_composer_helper.cpp b/cpp/src/barretenberg/honk/composer/composer_helper/standard_honk_composer_helper.cpp index 2bbf1c596d..8c61e02a5d 100644 --- a/cpp/src/barretenberg/honk/composer/composer_helper/standard_honk_composer_helper.cpp +++ b/cpp/src/barretenberg/honk/composer/composer_helper/standard_honk_composer_helper.cpp @@ -168,12 +168,6 @@ StandardProver StandardHonkComposerHelper::create_prover( auto manifest = Flavor::create_manifest(circuit_constructor.public_inputs.size(), num_sumcheck_rounds); StandardProver output_state(std::move(wire_polynomials), circuit_proving_key); - // TODO(Cody): This should be more generic - std::unique_ptr kate_commitment_key = - std::make_unique(circuit_proving_key->circuit_size, "../srs_db/ignition"); - - output_state.commitment_key = std::move(kate_commitment_key); - return output_state; } template class StandardHonkComposerHelper; diff --git a/cpp/src/barretenberg/honk/pcs/kzg/kzg.hpp b/cpp/src/barretenberg/honk/pcs/kzg/kzg.hpp index b6ba93653a..7160339cf2 100644 --- a/cpp/src/barretenberg/honk/pcs/kzg/kzg.hpp +++ b/cpp/src/barretenberg/honk/pcs/kzg/kzg.hpp @@ -60,23 +60,20 @@ template class UnivariateOpeningScheme { using Accumulator = BilinearAccumulator; /** - * @brief Compute KZG opening proof (commitment) and add it to transcript + * @brief Compute KZG opening proof polynomial * - * @param ck CommitmentKey * @param opening_pair OpeningPair = {r, v = polynomial(r)} * @param polynomial the witness polynomial being opened + * @return KZG quotient polynomial of the form (p(X) - v) / (X - r) */ - static void reduce_prove(std::shared_ptr ck, - const OpeningPair& opening_pair, - const Polynomial& polynomial, - ProverTranscript& transcript) + static Polynomial compute_opening_proof_polynomial(const OpeningPair& opening_pair, + const Polynomial& polynomial) { Polynomial quotient(polynomial); quotient[0] -= opening_pair.evaluation; quotient.factor_roots(opening_pair.challenge); - CommitmentAffine quotient_commitment = ck->commit(quotient); - transcript.send_to_verifier("KZG:W", quotient_commitment); + return quotient; }; /** diff --git a/cpp/src/barretenberg/honk/pcs/kzg/kzg.test.cpp b/cpp/src/barretenberg/honk/pcs/kzg/kzg.test.cpp index 54b571021a..e618dc0141 100644 --- a/cpp/src/barretenberg/honk/pcs/kzg/kzg.test.cpp +++ b/cpp/src/barretenberg/honk/pcs/kzg/kzg.test.cpp @@ -40,7 +40,8 @@ TYPED_TEST(BilinearAccumulationTest, single) auto prover_transcript = ProverTranscript::init_empty(); - KZG::reduce_prove(this->ck(), opening_pair, witness, prover_transcript); + auto quotient_W = KZG::compute_opening_proof_polynomial(opening_pair, witness); + prover_transcript.send_to_verifier("KZG:W", this->commit(quotient_W)); auto verifier_transcript = VerifierTranscript::init_empty(prover_transcript); auto kzg_claim = KZG::reduce_verify(opening_claim, verifier_transcript); @@ -148,7 +149,8 @@ TYPED_TEST(BilinearAccumulationTest, GeminiShplonkKzgWithShift) // KZG prover: // - Adds commitment [W] to transcript - KZG::reduce_prove(this->ck(), shplonk_opening_pair, shplonk_witness, prover_transcript); + auto quotient_W = KZG::compute_opening_proof_polynomial(shplonk_opening_pair, shplonk_witness); + prover_transcript.send_to_verifier("KZG:W", this->commit(quotient_W)); // Run the full verifier PCS protocol with genuine opening claims (genuine commitment, genuine evaluation) diff --git a/cpp/src/barretenberg/honk/proof_system/prover.cpp b/cpp/src/barretenberg/honk/proof_system/prover.cpp index 3c93e9964b..e728a40f75 100644 --- a/cpp/src/barretenberg/honk/proof_system/prover.cpp +++ b/cpp/src/barretenberg/honk/proof_system/prover.cpp @@ -5,6 +5,7 @@ #include "barretenberg/honk/sumcheck/sumcheck.hpp" #include #include "barretenberg/honk/sumcheck/polynomials/univariate.hpp" // will go away +#include "barretenberg/honk/transcript/transcript.hpp" #include "barretenberg/honk/utils/power_polynomial.hpp" #include "barretenberg/honk/pcs/commitment_key.hpp" #include @@ -39,13 +40,10 @@ using POLYNOMIAL = proof_system::honk::StandardArithmetization::POLYNOMIAL; * */ template Prover::Prover(std::vector&& wire_polys, - std::shared_ptr input_key) + const std::shared_ptr input_key) : wire_polynomials(wire_polys) , key(input_key) - , commitment_key(std::make_unique( - input_key->circuit_size, - "../srs_db/ignition")) // TODO(Cody): Need better constructors for prover. -// , queue(proving_key.get(), &transcript) + , queue(key, transcript) { // Note(luke): This could be done programmatically with some hacks but this isnt too bad and its nice to see the // polys laid out explicitly. @@ -75,16 +73,14 @@ Prover::Prover(std::vector&& wire_polys, } /** - * - Commit to wires 1,2,3 + * - Add commitment to wires 1,2,3 to work queue * - Add PI to transcript (I guess PI will stay in w_2 for now?) * * */ template void Prover::compute_wire_commitments() { for (size_t i = 0; i < settings::Arithmetization::num_wires; ++i) { - auto commitment = commitment_key->commit(wire_polynomials[i]); - - transcript.send_to_verifier("W_" + std::to_string(i + 1), commitment); + queue.add_commitment(wire_polynomials[i], "W_" + std::to_string(i + 1)); } } @@ -94,8 +90,6 @@ template void Prover::compute_wire_commitments() * */ template void Prover::execute_preamble_round() { - // queue.flush_queue(); // NOTE: Don't remove; we may reinstate the queue - const auto circuit_size = static_cast(key->circuit_size); const auto num_public_inputs = static_cast(key->num_public_inputs); @@ -113,7 +107,6 @@ template void Prover::execute_preamble_round() * */ template void Prover::execute_wire_commitments_round() { - // queue.flush_queue(); // NOTE: Don't remove; we may reinstate the queue compute_wire_commitments(); } @@ -131,8 +124,6 @@ template void Prover::execute_tables_round() * */ template void Prover::execute_grand_product_computation_round() { - // queue.flush_queue(); // NOTE: Don't remove; we may reinstate the queue - // Compute and store parameters required by relations in Sumcheck auto [beta, gamma] = transcript.get_challenges("beta", "gamma"); @@ -147,9 +138,7 @@ template void Prover::execute_grand_product_comput z_permutation = prover_library::compute_permutation_grand_product(key, wire_polynomials, beta, gamma); - auto commitment = commitment_key->commit(z_permutation); - - transcript.send_to_verifier("Z_PERM", commitment); + queue.add_commitment(z_permutation, "Z_PERM"); prover_polynomials[POLYNOMIAL::Z_PERM] = z_permutation; prover_polynomials[POLYNOMIAL::Z_PERM_SHIFT] = z_permutation.shifted(); @@ -162,8 +151,6 @@ template void Prover::execute_grand_product_comput * */ template void Prover::execute_relation_check_rounds() { - // queue.flush_queue(); // NOTE: Don't remove; we may reinstate the queue - using Sumcheck = sumcheck::Sumcheck, sumcheck::ArithmeticRelation, @@ -197,22 +184,13 @@ template void Prover::execute_univariatization_rou Polynomial batched_poly_to_be_shifted(key->circuit_size); // batched to-be-shifted polynomials batched_poly_to_be_shifted.add_scaled(prover_polynomials[POLYNOMIAL::Z_PERM], rhos[NUM_UNSHIFTED_POLYS]); - // // Reserve space for d+1 Fold polynomials. At the end of this round, the last d-1 polynomials will - // // correspond to Fold^(i). At the end of the full Gemini prover protocol, the first two will - // // be the partially evaluated Fold polynomials Fold_{r}^(0) and Fold_{-r}^(0). - // fold_polynomials.reserve(key->log_circuit_size + 1); - // fold_polynomials.emplace_back(batched_poly_unshifted); - // fold_polynomials.emplace_back(batched_poly_to_be_shifted); - // Compute d-1 polynomials Fold^(i), i = 1, ..., d-1. fold_polynomials = Gemini::compute_fold_polynomials( sumcheck_output.challenge_point, std::move(batched_poly_unshifted), std::move(batched_poly_to_be_shifted)); // Compute and add to trasnscript the commitments [Fold^(i)], i = 1, ..., d-1 for (size_t l = 0; l < key->log_circuit_size - 1; ++l) { - std::string label = "Gemini:FOLD_" + std::to_string(l + 1); - auto commitment = commitment_key->commit(fold_polynomials[l + 2]); - transcript.send_to_verifier(label, commitment); + queue.add_commitment(fold_polynomials[l + 2], "Gemini:FOLD_" + std::to_string(l + 1)); } } @@ -248,8 +226,7 @@ template void Prover::execute_shplonk_batched_quot Shplonk::compute_batched_quotient(gemini_output.opening_pairs, gemini_output.witnesses, nu_challenge); // commit to Q(X) and add [Q] to the transcript - auto Q_commitment = commitment_key->commit(batched_quotient_Q); - transcript.send_to_verifier("Shplonk:Q", Q_commitment); + queue.add_commitment(batched_quotient_Q, "Shplonk:Q"); } /** @@ -269,7 +246,8 @@ template void Prover::execute_shplonk_partial_eval * */ template void Prover::execute_kzg_round() { - KZG::reduce_prove(commitment_key, shplonk_output.opening_pair, shplonk_output.witness, transcript); + quotient_W = KZG::compute_opening_proof_polynomial(shplonk_output.opening_pair, shplonk_output.witness); + queue.add_commitment(quotient_W, "KZG:W"); } template plonk::proof& Prover::export_proof() @@ -282,51 +260,48 @@ template plonk::proof& Prover::construct_proof() { // Add circuit size and public input size to transcript. execute_preamble_round(); - // queue.process_queue(); // NOTE: Don't remove; we may reinstate the queue // Compute wire commitments; Add PI to transcript execute_wire_commitments_round(); - // queue.process_queue(); // NOTE: Don't remove; we may reinstate the queue + queue.process_queue(); // Currently a no-op; may execute some "random widgets", commit to W_4, do RAM/ROM stuff // if this prover structure is kept when we bring tables to Honk. // Suggestion: Maybe we shouldn't mix and match proof creation for different systems and // instead instatiate construct_proof differently for each? execute_tables_round(); - // queue.process_queue(); // NOTE: Don't remove; we may reinstate the queue // Fiat-Shamir: beta & gamma // Compute grand product(s) and commitments. execute_grand_product_computation_round(); - // queue.process_queue(); // NOTE: Don't remove; we may reinstate the queue + queue.process_queue(); // Fiat-Shamir: alpha // Run sumcheck subprotocol. execute_relation_check_rounds(); - // // queue currently only handles commitments, not partial multivariate evaluations. - // queue.process_queue(); // NOTE: Don't remove; we may reinstate the queue // Fiat-Shamir: rho // Compute Fold polynomials and their commitments. execute_univariatization_round(); - // queue.process_queue(); // NOTE: Don't remove; we may reinstate the queue + queue.process_queue(); // Fiat-Shamir: r // Compute Fold evaluations execute_pcs_evaluation_round(); // Fiat-Shamir: nu - // Compute Shplonk batched quotient commitment + // Compute Shplonk batched quotient commitment Q execute_shplonk_batched_quotient_round(); + queue.process_queue(); + + // Fiat-Shamir: z + // Compute partial evaluation Q_z execute_shplonk_partial_evaluation_round(); - // queue.process_queue(); // NOTE: Don't remove; we may reinstate the queue // Fiat-Shamir: z // Compute KZG quotient commitment execute_kzg_round(); - // queue.process_queue(); // NOTE: Don't remove; we may reinstate the queue - - // queue.flush_queue(); // NOTE: Don't remove; we may reinstate the queue + queue.process_queue(); return export_proof(); } diff --git a/cpp/src/barretenberg/honk/proof_system/prover.hpp b/cpp/src/barretenberg/honk/proof_system/prover.hpp index cef92763f9..2a0e4de314 100644 --- a/cpp/src/barretenberg/honk/proof_system/prover.hpp +++ b/cpp/src/barretenberg/honk/proof_system/prover.hpp @@ -24,6 +24,7 @@ #include #include "barretenberg/honk/pcs/claim.hpp" #include "barretenberg/honk/proof_system/prover_library.hpp" +#include "barretenberg/honk/proof_system/work_queue.hpp" namespace proof_system::honk { @@ -64,29 +65,18 @@ template class Prover { std::shared_ptr key; - std::shared_ptr commitment_key; - // Container for spans of all polynomials required by the prover (i.e. all multivariates evaluated by Sumcheck). std::array, honk::StandardArithmetization::POLYNOMIAL::COUNT> prover_polynomials; // Container for d + 1 Fold polynomials produced by Gemini std::vector fold_polynomials; - Polynomial batched_quotient_Q; - Fr nu_challenge; - - // Honk only needs a small portion of the functionality but may be fine to use existing work_queue - // NOTE: this is not currently in use, but it may well be used in the future. - // TODO(Adrian): Uncomment when we need this again. - // proof_system::work_queue queue; - // void flush_queued_work_items() { queue.flush_queue(); } - // proof_system::work_queue::work_item_info get_queued_work_item_info() const { - // return queue.get_queued_work_item_info(); - // } - // size_t get_scalar_multiplication_size(const size_t work_item_number) const - // { - // return queue.get_scalar_multiplication_size(work_item_number); - // } + Polynomial batched_quotient_Q; // batched quotient poly computed by Shplonk + Fr nu_challenge; // needed in both Shplonk rounds + + Polynomial quotient_W; + + work_queue queue; // This makes 'settings' accesible from Prover using settings_ = settings; diff --git a/cpp/src/barretenberg/honk/proof_system/verifier.test.cpp b/cpp/src/barretenberg/honk/proof_system/verifier.test.cpp index 42f559aabf..b98d39e893 100644 --- a/cpp/src/barretenberg/honk/proof_system/verifier.test.cpp +++ b/cpp/src/barretenberg/honk/proof_system/verifier.test.cpp @@ -198,8 +198,6 @@ template class VerifierTests : public testing::Test { std::unique_ptr kate_commitment_key = std::make_unique(proving_key->circuit_size, "../srs_db/ignition"); - prover.commitment_key = std::move(kate_commitment_key); - return prover; } }; diff --git a/cpp/src/barretenberg/honk/proof_system/work_queue.hpp b/cpp/src/barretenberg/honk/proof_system/work_queue.hpp new file mode 100644 index 0000000000..c666053adc --- /dev/null +++ b/cpp/src/barretenberg/honk/proof_system/work_queue.hpp @@ -0,0 +1,147 @@ +#pragma once + +#include "barretenberg/honk/transcript/transcript.hpp" +#include "barretenberg/plonk/proof_system/proving_key/proving_key.hpp" +#include +#include + +namespace proof_system::honk { + +// Currently only one type of work queue operation but there will likely be others related to Sumcheck +enum WorkType { SCALAR_MULTIPLICATION }; + +// TODO(luke): This Params template parameter is the same type expected by e.g. components of the PCS. Eventually it +// should be replaced by some sort of Flavor concept that contains info about the Field etc. This should be resolved +// at the same time as the similar patterns in Gemini etc. +template class work_queue { + + using CommitmentKey = typename Params::CK; + using FF = typename Params::Fr; + using Commitment = typename Params::C; + + struct work_item_info { + uint32_t num_scalar_multiplications; + }; + + struct work_item { + WorkType work_type = SCALAR_MULTIPLICATION; + std::span mul_scalars; + std::string label; + }; + + private: + std::shared_ptr proving_key; + // TODO(luke): Consider handling all transcript interactions in the prover rather than embedding them in the queue. + proof_system::honk::ProverTranscript& transcript; + CommitmentKey commitment_key; + std::vector work_item_queue; + + public: + explicit work_queue(std::shared_ptr& proving_key, + proof_system::honk::ProverTranscript& prover_transcript) + : proving_key(proving_key) + , transcript(prover_transcript) + , commitment_key(proving_key->circuit_size, + "../srs_db/ignition"){}; // TODO(luke): make this properly parameterized + + work_queue(const work_queue& other) = default; + work_queue(work_queue&& other) noexcept = default; + work_queue& operator=(const work_queue& other) = delete; + work_queue& operator=(work_queue&& other) = delete; + ~work_queue() = default; + + [[nodiscard]] work_item_info get_queued_work_item_info() const + { + uint32_t scalar_mul_count = 0; + for (const auto& item : work_item_queue) { + if (item.work_type == WorkType::SCALAR_MULTIPLICATION) { + ++scalar_mul_count; + } + } + return work_item_info{ scalar_mul_count }; + }; + + [[nodiscard]] FF* get_scalar_multiplication_data(size_t work_item_number) const + { + size_t count = 0; + for (const auto& item : work_item_queue) { + if (item.work_type == WorkType::SCALAR_MULTIPLICATION) { + if (count == work_item_number) { + return const_cast(item.mul_scalars.data()); + } + ++count; + } + } + return nullptr; + }; + + [[nodiscard]] size_t get_scalar_multiplication_size(size_t work_item_number) const + { + size_t count = 0; + for (const auto& item : work_item_queue) { + if (item.work_type == WorkType::SCALAR_MULTIPLICATION) { + if (count == work_item_number) { + return item.mul_scalars.size(); + } + ++count; + } + } + return 0; + }; + + void put_scalar_multiplication_data(const Commitment& result, size_t work_item_number) + { + size_t count = 0; + for (const auto& item : work_item_queue) { + if (item.work_type == WorkType::SCALAR_MULTIPLICATION) { + if (count == work_item_number) { + transcript.send_to_verifier(item.label, result); + return; + } + ++count; + } + } + }; + + void flush_queue() { work_item_queue = std::vector(); }; + + void add_commitment(std::span polynomial, std::string label) + { + add_to_queue({ SCALAR_MULTIPLICATION, polynomial, label }); + } + + void process_queue() + { + for (const auto& item : work_item_queue) { + switch (item.work_type) { + + case WorkType::SCALAR_MULTIPLICATION: { + + // Run pippenger multi-scalar multiplication. + auto commitment = commitment_key.commit(item.mul_scalars); + + transcript.send_to_verifier(item.label, commitment); + + break; + } + default: { + } + } + } + work_item_queue = std::vector(); + }; + + [[nodiscard]] std::vector get_queue() const { return work_item_queue; }; + + private: + void add_to_queue(const work_item& item) + { + // Note: currently no difference between wasm and native but may be in the future +#if defined(__wasm__) + work_item_queue.push_back(item); +#else + work_item_queue.push_back(item); +#endif + }; +}; +} // namespace proof_system::honk \ No newline at end of file diff --git a/cpp/src/barretenberg/plonk/proof_system/commitment_scheme/commitment_scheme.test.cpp b/cpp/src/barretenberg/plonk/proof_system/commitment_scheme/commitment_scheme.test.cpp index 933de8cd5d..ab02ef5a76 100644 --- a/cpp/src/barretenberg/plonk/proof_system/commitment_scheme/commitment_scheme.test.cpp +++ b/cpp/src/barretenberg/plonk/proof_system/commitment_scheme/commitment_scheme.test.cpp @@ -41,7 +41,7 @@ TEST(commitment_scheme, kate_open) auto circuit_proving_key = std::make_shared(n, 0, crs, ComposerType::STANDARD); work_queue queue(circuit_proving_key.get(), &inp_tx); - newKate.commit(&coeffs[0], "F_COMM", 0, queue); + newKate.commit(&coeffs[0], "F_COMM", n, queue); queue.process_queue(); fr y = fr::random_element(); @@ -49,7 +49,7 @@ TEST(commitment_scheme, kate_open) fr f = polynomial_arithmetic::evaluate(&coeffs[0], z, n); newKate.compute_opening_polynomial(&coeffs[0], &W[0], z, n); - newKate.commit(&W[0], "W_COMM", fr(0), queue); + newKate.commit(&W[0], "W_COMM", n, queue); queue.process_queue(); // check if W(y)(y - z) = F(y) - F(z) @@ -103,7 +103,7 @@ TEST(commitment_scheme, kate_batch_open) for (size_t j = 0; j < m; ++j) { newKate.commit(&coeffs[k * m * n + j * n], "F_{" + std::to_string(k + 1) + ", " + std::to_string(j + 1) + "}", - 0, + n, queue); } } @@ -116,7 +116,7 @@ TEST(commitment_scheme, kate_batch_open) for (size_t k = 0; k < t; ++k) { challenges[k] = fr::random_element(); tags[k] = "W_" + std::to_string(k + 1); - item_constants[k] = fr(0); + item_constants[k] = n; } // compute opening polynomials W_1, W_2, ..., W_t diff --git a/cpp/src/barretenberg/plonk/proof_system/commitment_scheme/kate_commitment_scheme.cpp b/cpp/src/barretenberg/plonk/proof_system/commitment_scheme/kate_commitment_scheme.cpp index 1992b97435..9e1d5a9d02 100644 --- a/cpp/src/barretenberg/plonk/proof_system/commitment_scheme/kate_commitment_scheme.cpp +++ b/cpp/src/barretenberg/plonk/proof_system/commitment_scheme/kate_commitment_scheme.cpp @@ -224,9 +224,11 @@ void KateCommitmentScheme::batch_open(const transcript::StandardTransc // Commit to the opening and shifted opening polynomials KateCommitmentScheme::commit( - input_key->polynomial_store.get("opening_poly").get_coefficients(), "PI_Z", fr(0), queue); - KateCommitmentScheme::commit( - input_key->polynomial_store.get("shifted_opening_poly").get_coefficients(), "PI_Z_OMEGA", fr(0), queue); + input_key->polynomial_store.get("opening_poly").get_coefficients(), "PI_Z", input_key->circuit_size, queue); + KateCommitmentScheme::commit(input_key->polynomial_store.get("shifted_opening_poly").get_coefficients(), + "PI_Z_OMEGA", + input_key->circuit_size, + queue); } template diff --git a/cpp/src/barretenberg/plonk/proof_system/prover/prover.cpp b/cpp/src/barretenberg/plonk/proof_system/prover/prover.cpp index 3c3647e7f0..5e91ef8ae4 100644 --- a/cpp/src/barretenberg/plonk/proof_system/prover/prover.cpp +++ b/cpp/src/barretenberg/plonk/proof_system/prover/prover.cpp @@ -79,7 +79,7 @@ template void ProverBase::compute_wire_commitments barretenberg::fr* coefficients = key->polynomial_store.get(wire_tag).get_coefficients(); // This automatically saves the computed point to the transcript - fr domain_size_flag = i > 2 ? work_queue::MSMType::MONOMIAL_N : work_queue::MSMType::MONOMIAL_N_PLUS_ONE; + fr domain_size_flag = i > 2 ? key->circuit_size : (key->circuit_size + 1); commitment_scheme->commit(coefficients, commit_tag, domain_size_flag, queue); } @@ -137,7 +137,7 @@ template void ProverBase::compute_quotient_commitm std::string quotient_tag = "T_" + std::to_string(i + 1); // Set flag that determines domain size (currently n or n+1) in pippenger (see process_queue()). // Note: After blinding, all t_i have size n+1 representation (degree n) except t_4 in Turbo/Ultra. - fr domain_size_flag = i > 2 ? work_queue::MSMType::MONOMIAL_N : work_queue::MSMType::MONOMIAL_N_PLUS_ONE; + fr domain_size_flag = i > 2 ? key->circuit_size : (key->circuit_size + 1); commitment_scheme->commit(coefficients, quotient_tag, domain_size_flag, queue); } } @@ -311,7 +311,7 @@ template void ProverBase::execute_second_round() .work_type = work_queue::WorkType::SCALAR_MULTIPLICATION, .mul_scalars = key->polynomial_store.get(wire_tag).get_coefficients(), .tag = "W_4", - .constant = work_queue::MSMType::MONOMIAL_N_PLUS_ONE, + .constant = key->circuit_size + 1, .index = 0, }); } diff --git a/cpp/src/barretenberg/plonk/proof_system/widgets/random_widgets/permutation_widget_impl.hpp b/cpp/src/barretenberg/plonk/proof_system/widgets/random_widgets/permutation_widget_impl.hpp index e85c0a616e..f59863bc5e 100644 --- a/cpp/src/barretenberg/plonk/proof_system/widgets/random_widgets/permutation_widget_impl.hpp +++ b/cpp/src/barretenberg/plonk/proof_system/widgets/random_widgets/permutation_widget_impl.hpp @@ -326,7 +326,7 @@ void ProverPermutationWidgetcircuit_size, 0, }); diff --git a/cpp/src/barretenberg/plonk/proof_system/widgets/random_widgets/plookup_widget_impl.hpp b/cpp/src/barretenberg/plonk/proof_system/widgets/random_widgets/plookup_widget_impl.hpp index 3b933a91b5..2a9161c443 100644 --- a/cpp/src/barretenberg/plonk/proof_system/widgets/random_widgets/plookup_widget_impl.hpp +++ b/cpp/src/barretenberg/plonk/proof_system/widgets/random_widgets/plookup_widget_impl.hpp @@ -358,7 +358,7 @@ void ProverPlookupWidget::compute_rou .work_type = work_queue::WorkType::SCALAR_MULTIPLICATION, .mul_scalars = s.get_coefficients(), .tag = "S", - .constant = barretenberg::fr(0), + .constant = key->circuit_size, .index = 0, }); @@ -382,7 +382,7 @@ void ProverPlookupWidget::compute_rou .work_type = work_queue::WorkType::SCALAR_MULTIPLICATION, .mul_scalars = z.get_coefficients(), .tag = "Z_LOOKUP", - .constant = barretenberg::fr(0), + .constant = key->circuit_size, .index = 0, }); diff --git a/cpp/src/barretenberg/proof_system/work_queue/work_queue.cpp b/cpp/src/barretenberg/proof_system/work_queue/work_queue.cpp index 54d29fad31..038716f4f8 100644 --- a/cpp/src/barretenberg/proof_system/work_queue/work_queue.cpp +++ b/cpp/src/barretenberg/proof_system/work_queue/work_queue.cpp @@ -3,9 +3,9 @@ #include "barretenberg/ecc/curves/bn254/scalar_multiplication/scalar_multiplication.hpp" #include "barretenberg/polynomials/polynomial_arithmetic.hpp" -namespace proof_system { +namespace proof_system::plonk { -work_queue::work_queue(plonk::proving_key* prover_key, transcript::StandardTranscript* prover_transcript) +work_queue::work_queue(proving_key* prover_key, transcript::StandardTranscript* prover_transcript) : key(prover_key) , transcript(prover_transcript) , work_item_queue() @@ -50,7 +50,7 @@ size_t work_queue::get_scalar_multiplication_size(const size_t work_item_number) for (const auto& item : work_item_queue) { if (item.work_type == WorkType::SCALAR_MULTIPLICATION) { if (count == work_item_number) { - return (item.constant == MSMType::MONOMIAL_N_PLUS_ONE) ? key->circuit_size + 1 : key->circuit_size; + return static_cast(static_cast(item.constant)); } ++count; } @@ -198,39 +198,12 @@ void work_queue::process_queue() switch (item.work_type) { // most expensive op case WorkType::SCALAR_MULTIPLICATION: { - // We use the variable work_item::constant to set the size of the multi-scalar multiplication. - // Note that a size (n+1) MSM is always needed to commit to the quotient polynomial parts t_1, t_2 - // and t_3 for Standard/Turbo/Ultra due to the addition of blinding factors - size_t msm_size = 0; - barretenberg::g1::affine_element* srs_points; - switch (static_cast(uint256_t(item.constant))) { - case MSMType::MONOMIAL_N: { - if (key->reference_string->get_monomial_size() < key->small_domain.size) { - info("MSM: Monomial reference string size: ", - key->reference_string->get_monomial_size(), - ", required size: ", - key->small_domain.size); - } - msm_size = key->small_domain.size; - srs_points = key->reference_string->get_monomial_points(); - break; - } - case MSMType::MONOMIAL_N_PLUS_ONE: { - if (key->reference_string->get_monomial_size() < key->small_domain.size + 1) { - info("MSM: Monomial reference string size: ", - key->reference_string->get_monomial_size(), - ", required size: ", - key->small_domain.size + 1); - } - msm_size = key->small_domain.size + 1; - srs_points = key->reference_string->get_monomial_points(); - break; - } - default: { - info("Incorrect item constant value: ", static_cast(uint256_t(item.constant))); - srs_points = key->reference_string->get_monomial_points(); - } - } + // Note: work_item.constant is an Fr type (see SMALL_FFT), but here it is interpreted simply as a size_t + auto msm_size = static_cast(static_cast(item.constant)); + + ASSERT(msm_size <= key->reference_string->get_monomial_size()); + + barretenberg::g1::affine_element* srs_points = key->reference_string->get_monomial_points(); // Run pippenger multi-scalar multiplication. auto runtime_state = barretenberg::scalar_multiplication::pippenger_runtime_state(msm_size); @@ -305,4 +278,4 @@ std::vector work_queue::get_queue() const return work_item_queue; } -} // namespace proof_system +} // namespace proof_system::plonk diff --git a/cpp/src/barretenberg/proof_system/work_queue/work_queue.hpp b/cpp/src/barretenberg/proof_system/work_queue/work_queue.hpp index 4cbf548149..b7f01347d9 100644 --- a/cpp/src/barretenberg/proof_system/work_queue/work_queue.hpp +++ b/cpp/src/barretenberg/proof_system/work_queue/work_queue.hpp @@ -3,13 +3,12 @@ #include "../../transcript/transcript_wrappers.hpp" #include "barretenberg/plonk/proof_system/proving_key/proving_key.hpp" -namespace proof_system { +namespace proof_system::plonk { // TODO(Cody): Template by flavor? class work_queue { public: enum WorkType { FFT, SMALL_FFT, IFFT, SCALAR_MULTIPLICATION }; - enum MSMType { MONOMIAL_N, MONOMIAL_N_PLUS_ONE }; struct work_item_info { uint32_t num_scalar_multiplications; @@ -30,7 +29,7 @@ class work_queue { barretenberg::fr shift_factor; }; - work_queue(plonk::proving_key* prover_key = nullptr, transcript::StandardTranscript* prover_transcript = nullptr); + work_queue(proving_key* prover_key = nullptr, transcript::StandardTranscript* prover_transcript = nullptr); work_queue(const work_queue& other) = default; work_queue(work_queue&& other) = default; @@ -62,8 +61,8 @@ class work_queue { std::vector get_queue() const; private: - plonk::proving_key* key; + proving_key* key; transcript::StandardTranscript* transcript; std::vector work_item_queue; }; -} // namespace proof_system \ No newline at end of file +} // namespace proof_system::plonk \ No newline at end of file