Everything builds

AztecProtocol · Jun 22, 2023 · 62ff20f · 62ff20f
1 parent 16719c5
commit 62ff20f
Show file tree

Hide file tree

Showing 36 changed files with 574 additions and 361 deletions.
diff --git a/cpp/src/barretenberg/honk/composer/composer_helper/standard_honk_composer_helper.cpp b/cpp/src/barretenberg/honk/composer/composer_helper/standard_honk_composer_helper.cpp
@@ -1,6 +1,6 @@
 #include "standard_honk_composer_helper.hpp"
 #include "barretenberg/polynomials/polynomial.hpp"
-#include "barretenberg/honk/pcs/commitment_key.hpp"
+#include "barretenberg/proof_system/pcs/commitment_key.hpp"
 #include "barretenberg/numeric/bitop/get_msb.hpp"
 #include "barretenberg/srs/factories/crs_factory.hpp"
 

diff --git a/cpp/src/barretenberg/honk/flavor/standard.hpp b/cpp/src/barretenberg/honk/flavor/standard.hpp
@@ -5,14 +5,14 @@
 #include <string>
 #include <type_traits>
 #include <vector>
-#include "barretenberg/honk/pcs/commitment_key.hpp"
+#include "barretenberg/proof_system/pcs/commitment_key.hpp"
 #include "barretenberg/honk/sumcheck/polynomials/barycentric_data.hpp"
-#include "barretenberg/honk/pcs/kzg/kzg.hpp"
+#include "barretenberg/proof_system/pcs/kzg/kzg.hpp"
 #include "barretenberg/honk/sumcheck/polynomials/univariate.hpp"
 #include "barretenberg/ecc/curves/bn254/g1.hpp"
 #include "barretenberg/honk/sumcheck/relations/arithmetic_relation.hpp"
 #include "barretenberg/honk/sumcheck/relations/permutation_relation.hpp"
-#include "barretenberg/honk/transcript/transcript.hpp"
+#include "barretenberg/proof_system/transcript/transcript.hpp"
 #include "barretenberg/polynomials/evaluation_domain.hpp"
 #include "barretenberg/polynomials/polynomial.hpp"
 #include "barretenberg/proof_system/circuit_constructors/standard_circuit_constructor.hpp"

diff --git a/cpp/src/barretenberg/honk/flavor/standard_grumpkin.hpp b/cpp/src/barretenberg/honk/flavor/standard_grumpkin.hpp
@@ -5,14 +5,14 @@
 #include <string>
 #include <type_traits>
 #include <vector>
-#include "barretenberg/honk/pcs/commitment_key.hpp"
+#include "barretenberg/proof_system/pcs/commitment_key.hpp"
 #include "barretenberg/honk/sumcheck/polynomials/barycentric_data.hpp"
-#include "barretenberg/honk/pcs/ipa/ipa.hpp"
+#include "barretenberg/proof_system/pcs/ipa/ipa.hpp"
 #include "barretenberg/honk/sumcheck/polynomials/univariate.hpp"
 #include "barretenberg/ecc/curves/bn254/g1.hpp"
 #include "barretenberg/honk/sumcheck/relations/arithmetic_relation.hpp"
 #include "barretenberg/honk/sumcheck/relations/permutation_relation.hpp"
-#include "barretenberg/honk/transcript/transcript.hpp"
+#include "barretenberg/proof_system/transcript/transcript.hpp"
 #include "barretenberg/polynomials/evaluation_domain.hpp"
 #include "barretenberg/polynomials/polynomial.hpp"
 #include "barretenberg/proof_system/circuit_constructors/standard_circuit_constructor.hpp"

diff --git a/cpp/src/barretenberg/honk/flavor/ultra.hpp b/cpp/src/barretenberg/honk/flavor/ultra.hpp
@@ -5,12 +5,12 @@
 #include <string>
 #include <type_traits>
 #include <vector>
-#include "barretenberg/honk/pcs/commitment_key.hpp"
+#include "barretenberg/proof_system/pcs/commitment_key.hpp"
 #include "barretenberg/honk/sumcheck/polynomials/barycentric_data.hpp"
-#include "barretenberg/honk/pcs/kzg/kzg.hpp"
+#include "barretenberg/proof_system/pcs/kzg/kzg.hpp"
 #include "barretenberg/honk/sumcheck/polynomials/univariate.hpp"
 #include "barretenberg/ecc/curves/bn254/g1.hpp"
-#include "barretenberg/honk/transcript/transcript.hpp"
+#include "barretenberg/proof_system/transcript/transcript.hpp"
 #include "barretenberg/polynomials/evaluation_domain.hpp"
 #include "barretenberg/polynomials/polynomial.hpp"
 #include "barretenberg/proof_system/circuit_constructors/ultra_circuit_constructor.hpp"

diff --git a/cpp/src/barretenberg/honk/flavor/ultra_grumpkin.hpp b/cpp/src/barretenberg/honk/flavor/ultra_grumpkin.hpp
@@ -5,12 +5,12 @@
 #include <string>
 #include <type_traits>
 #include <vector>
-#include "barretenberg/honk/pcs/commitment_key.hpp"
+#include "barretenberg/proof_system/pcs/commitment_key.hpp"
 #include "barretenberg/honk/sumcheck/polynomials/barycentric_data.hpp"
-#include "barretenberg/honk/pcs/ipa/ipa.hpp"
+#include "barretenberg/proof_system/pcs/ipa/ipa.hpp"
 #include "barretenberg/honk/sumcheck/polynomials/univariate.hpp"
 #include "barretenberg/ecc/curves/bn254/g1.hpp"
-#include "barretenberg/honk/transcript/transcript.hpp"
+#include "barretenberg/proof_system/transcript/transcript.hpp"
 #include "barretenberg/polynomials/evaluation_domain.hpp"
 #include "barretenberg/polynomials/polynomial.hpp"
 #include "barretenberg/proof_system/circuit_constructors/ultra_circuit_constructor.hpp"

diff --git a/cpp/src/barretenberg/honk/pcs/gemini/gemini.hpp b/cpp/src/barretenberg/honk/pcs/gemini/gemini.hpp
@@ -1,9 +1,9 @@
 #pragma once
 
-#include "../claim.hpp"
-#include "barretenberg/honk/pcs/commitment_key.hpp"
+#include "barretenberg/proof_system/pcs/claim.hpp"
+#include "barretenberg/proof_system/pcs/commitment_key.hpp"
 #include "barretenberg/polynomials/polynomial.hpp"
-#include "barretenberg/honk/transcript/transcript.hpp"
+#include "barretenberg/proof_system/transcript/transcript.hpp"
 
 #include <vector>
 

diff --git a/cpp/src/barretenberg/honk/pcs/gemini/gemini.test.cpp b/cpp/src/barretenberg/honk/pcs/gemini/gemini.test.cpp
@@ -1,8 +1,10 @@
 #include "gemini.hpp"
 
-#include "../commitment_key.test.hpp"
-#include "barretenberg/honk/transcript/transcript.hpp"
+#include "barretenberg/proof_system/pcs/commitment_key.test.hpp"
+#include "barretenberg/proof_system/transcript/transcript.hpp"
 #include "barretenberg/polynomials/polynomial.hpp"
+#include "barretenberg/proof_system/pcs/shplonk/shplonk_single.hpp"
+#include "barretenberg/proof_system/pcs/kzg/kzg.hpp"
 #include <cstddef>
 #include <gtest/gtest.h>
 #include <span>
@@ -237,4 +239,128 @@ TYPED_TEST(GeminiTest, DoubleWithShift)
                                            multilinear_commitments_to_be_shifted);
 }
 
+/**
+ * @brief Test full PCS protocol: Gemini, Shplonk, KZG and pairing check
+ * @details Demonstrates the full PCS protocol as it is used in the construction and verification
+ * of a single Honk proof. (Expository comments included throughout).
+ *
+ */
+TYPED_TEST(GeminiTest, GeminiShplonkKzgWithShift)
+{
+    using Shplonk = shplonk::SingleBatchOpeningScheme<TypeParam>;
+    using Gemini = gemini::MultilinearReductionScheme<TypeParam>;
+    using KZG = kzg::KZG<TypeParam>;
+    using Fr = typename TypeParam::Fr;
+    using GroupElement = typename TypeParam::GroupElement;
+    using Polynomial = typename barretenberg::Polynomial<Fr>;
+
+    const size_t n = 16;
+    const size_t log_n = 4;
+
+    Fr rho = Fr::random_element();
+
+    // Generate multilinear polynomials, their commitments (genuine and mocked) and evaluations (genuine) at a random
+    // point.
+    const auto mle_opening_point = this->random_evaluation_point(log_n); // sometimes denoted 'u'
+    auto poly1 = this->random_polynomial(n);
+    auto poly2 = this->random_polynomial(n);
+    poly2[0] = Fr::zero(); // this property is required of polynomials whose shift is used
+
+    GroupElement commitment1 = this->commit(poly1);
+    GroupElement commitment2 = this->commit(poly2);
+
+    auto eval1 = poly1.evaluate_mle(mle_opening_point);
+    auto eval2 = poly2.evaluate_mle(mle_opening_point);
+    auto eval2_shift = poly2.evaluate_mle(mle_opening_point, true);
+
+    // Collect multilinear evaluations for input to prover
+    std::vector<Fr> multilinear_evaluations = { eval1, eval2, eval2_shift };
+
+    std::vector<Fr> rhos = Gemini::powers_of_rho(rho, multilinear_evaluations.size());
+
+    // Compute batched multivariate evaluation
+    Fr batched_evaluation = Fr::zero();
+    for (size_t i = 0; i < rhos.size(); ++i) {
+        batched_evaluation += multilinear_evaluations[i] * rhos[i];
+    }
+
+    // Compute batched polynomials
+    Polynomial batched_unshifted(n);
+    Polynomial batched_to_be_shifted(n);
+    batched_unshifted.add_scaled(poly1, rhos[0]);
+    batched_unshifted.add_scaled(poly2, rhos[1]);
+    batched_to_be_shifted.add_scaled(poly2, rhos[2]);
+
+    // Compute batched commitments
+    GroupElement batched_commitment_unshifted = GroupElement::zero();
+    GroupElement batched_commitment_to_be_shifted = GroupElement::zero();
+    batched_commitment_unshifted = commitment1 * rhos[0] + commitment2 * rhos[1];
+    batched_commitment_to_be_shifted = commitment2 * rhos[2];
+
+    auto prover_transcript = ProverTranscript<Fr>::init_empty();
+
+    // Run the full prover PCS protocol:
+
+    // Compute:
+    // - (d+1) opening pairs: {r, \hat{a}_0}, {-r^{2^i}, a_i}, i = 0, ..., d-1
+    // - (d+1) Fold polynomials Fold_{r}^(0), Fold_{-r}^(0), and Fold^(i), i = 0, ..., d-1
+    auto fold_polynomials = Gemini::compute_fold_polynomials(
+        mle_opening_point, std::move(batched_unshifted), std::move(batched_to_be_shifted));
+
+    for (size_t l = 0; l < log_n - 1; ++l) {
+        std::string label = "FOLD_" + std::to_string(l + 1);
+        auto commitment = this->ck()->commit(fold_polynomials[l + 2]);
+        prover_transcript.send_to_verifier(label, commitment);
+    }
+
+    const Fr r_challenge = prover_transcript.get_challenge("Gemini:r");
+
+    const auto [gemini_opening_pairs, gemini_witnesses] =
+        Gemini::compute_fold_polynomial_evaluations(mle_opening_point, std::move(fold_polynomials), r_challenge);
+
+    for (size_t l = 0; l < log_n; ++l) {
+        std::string label = "Gemini:a_" + std::to_string(l);
+        const auto& evaluation = gemini_opening_pairs[l + 1].evaluation;
+        prover_transcript.send_to_verifier(label, evaluation);
+    }
+
+    // Shplonk prover output:
+    // - opening pair: (z_challenge, 0)
+    // - witness: polynomial Q - Q_z
+    const Fr nu_challenge = prover_transcript.get_challenge("Shplonk:nu");
+    auto batched_quotient_Q = Shplonk::compute_batched_quotient(gemini_opening_pairs, gemini_witnesses, nu_challenge);
+    prover_transcript.send_to_verifier("Shplonk:Q", this->ck()->commit(batched_quotient_Q));
+
+    const Fr z_challenge = prover_transcript.get_challenge("Shplonk:z");
+    const auto [shplonk_opening_pair, shplonk_witness] = Shplonk::compute_partially_evaluated_batched_quotient(
+        gemini_opening_pairs, gemini_witnesses, std::move(batched_quotient_Q), nu_challenge, z_challenge);
+
+    // KZG prover:
+    // - Adds commitment [W] to transcript
+    KZG::compute_opening_proof(this->ck(), shplonk_opening_pair, shplonk_witness, prover_transcript);
+
+    // Run the full verifier PCS protocol with genuine opening claims (genuine commitment, genuine evaluation)
+
+    auto verifier_transcript = VerifierTranscript<Fr>::init_empty(prover_transcript);
+
+    // Gemini verifier output:
+    // - claim: d+1 commitments to Fold_{r}^(0), Fold_{-r}^(0), Fold^(l), d+1 evaluations a_0_pos, a_l, l = 0:d-1
+    auto gemini_verifier_claim = Gemini::reduce_verify(mle_opening_point,
+                                                       batched_evaluation,
+                                                       batched_commitment_unshifted,
+                                                       batched_commitment_to_be_shifted,
+                                                       verifier_transcript);
+
+    // Shplonk verifier claim: commitment [Q] - [Q_z], opening point (z_challenge, 0)
+    const auto shplonk_verifier_claim = Shplonk::reduce_verify(gemini_verifier_claim, verifier_transcript);
+
+    // KZG verifier:
+    // aggregates inputs [Q] - [Q_z] and [W] into an 'accumulator' (can perform pairing check on result)
+    bool verified = KZG::verify(this->vk(), shplonk_verifier_claim, verifier_transcript);
+
+    // Final pairing check: e([Q] - [Q_z] + z[W], [1]_2) = e([W], [x]_2)
+
+    EXPECT_EQ(verified, true);
+}
+
 } // namespace proof_system::honk::pcs::gemini