barretenberg-doxygen/3f0fad0de81d472cf71c03df11cf01ed6e7e09e0/kzg_8hpp_source.html

#pragma once


#include "../claim.hpp"

#include "barretenberg/commitment_schemes/commitment_key.hpp"

#include "barretenberg/commitment_schemes/verification_key.hpp"

#include "barretenberg/polynomials/polynomial.hpp"

#include "barretenberg/transcript/transcript.hpp"


#include <memory>

#include <utility>


namespace proof_system::honk::pcs::kzg {


template <typename Curve> class KZG {

    using CK = CommitmentKey<Curve>;

    using VK = VerifierCommitmentKey<Curve>;

    using Fr = typename Curve::ScalarField;

    using Commitment = typename Curve::AffineElement;

    using GroupElement = typename Curve::Element;

    using Polynomial = barretenberg::Polynomial<Fr>;


  public:

    static void compute_opening_proof(std::shared_ptr<CK> ck,

                                      const OpeningPair<Curve>& opening_pair,

                                      const Polynomial& polynomial,

                                      const std::shared_ptr<BaseTranscript>& prover_trancript)

    {

        Polynomial quotient = polynomial;

        quotient[0] -= opening_pair.evaluation;

        // Computes the coefficients for the quotient polynomial q(X) = (p(X) - v) / (X - r) through an FFT

        quotient.factor_roots(opening_pair.challenge);

        auto quotient_commitment = ck->commit(quotient);

        // TODO(#479): for now we compute the KZG commitment directly to unify the KZG and IPA interfaces but in the

        // future we might need to adjust this to use the incoming alternative to work queue (i.e. variation of

        // pthreads) or even the work queue itself

        prover_trancript->send_to_verifier("KZG:W", quotient_commitment);

    };


    static bool verify(const std::shared_ptr<VK>& vk,

                       const OpeningClaim<Curve>& claim,

                       const std::shared_ptr<BaseTranscript>& verifier_transcript)

    {

        auto quotient_commitment = verifier_transcript->template receive_from_prover<Commitment>("KZG:W");

        auto lhs = claim.commitment - (GroupElement::one() * claim.opening_pair.evaluation) +

                   (quotient_commitment * claim.opening_pair.challenge);

        auto rhs = -quotient_commitment;


        return vk->pairing_check(lhs, rhs);

    };


    static std::array<GroupElement, 2> compute_pairing_points(const OpeningClaim<Curve>& claim,

                                                              const auto& verifier_transcript)

    {

        auto quotient_commitment = verifier_transcript->template receive_from_prover<Commitment>("KZG:W");


        GroupElement P_0;

        if constexpr (Curve::is_stdlib_type) {

            auto builder = verifier_transcript->builder;

            auto one = Fr(builder, 1);

            std::vector<GroupElement> commitments = { claim.commitment,

                                                      quotient_commitment,

                                                      GroupElement::one(builder) };

            std::vector<Fr> scalars = { one, claim.opening_pair.challenge, -claim.opening_pair.evaluation };

            P_0 = GroupElement::batch_mul(commitments, scalars);


        } else {

            P_0 = claim.commitment;

            P_0 += quotient_commitment * claim.opening_pair.challenge;

            P_0 -= GroupElement::one() * claim.opening_pair.evaluation;

        }


        auto P_1 = -quotient_commitment;


        return { P_0, P_1 };

    };

};

} // namespace proof_system::honk::pcs::kzg

barretenberg::Polynomial
Definition: polynomial.hpp:12

barretenberg::Polynomial::factor_roots
void factor_roots(std::span< const Fr > roots)
Divides p(X) by (X-r₁)⋯(X−rₘ) in-place. Assumes that p(rⱼ)=0 for all j.
Definition: polynomial.hpp:214

proof_system::honk::pcs::CommitmentKey
CommitmentKey object over a pairing group 𝔾₁.
Definition: commitment_key.hpp:35

proof_system::honk::pcs::OpeningClaim
Unverified claim (C,r,v) for some witness polynomial p(X) such that.
Definition: claim.hpp:43

proof_system::honk::pcs::OpeningPair
Opening pair (r,v) for some witness polynomial p(X) such that p(r) = v.
Definition: claim.hpp:12

proof_system::honk::pcs::VerifierCommitmentKey
Definition: verification_key.hpp:25

proof_system::honk::pcs::kzg::KZG
Definition: kzg.hpp:14

proof_system::honk::pcs::kzg::KZG::verify
static bool verify(const std::shared_ptr< VK > &vk, const OpeningClaim< Curve > &claim, const std::shared_ptr< BaseTranscript > &verifier_transcript)
Computes the KZG verification for an opening claim of a single polynomial commitment.
Definition: kzg.hpp:56

proof_system::honk::pcs::kzg::KZG::compute_pairing_points
static std::array< GroupElement, 2 > compute_pairing_points(const OpeningClaim< Curve > &claim, const auto &verifier_transcript)
Computes the input points for the pairing check needed to verify a KZG opening claim of a single poly...
Definition: kzg.hpp:78

proof_system::honk::pcs::kzg::KZG::compute_opening_proof
static void compute_opening_proof(std::shared_ptr< CK > ck, const OpeningPair< Curve > &opening_pair, const Polynomial &polynomial, const std::shared_ptr< BaseTranscript > &prover_trancript)
Computes the KZG commitment to an opening proof polynomial at a single evaluation point.
Definition: kzg.hpp:31