barretenberg-doxygen/3f0fad0de81d472cf71c03df11cf01ed6e7e09e0/sumcheck_8hpp_source.html

#pragma once

#include "barretenberg/proof_system/library/grand_product_delta.hpp"

#include "barretenberg/sumcheck/instance/prover_instance.hpp"

#include "barretenberg/sumcheck/sumcheck_output.hpp"

#include "barretenberg/transcript/transcript.hpp"

#include "sumcheck_round.hpp"


namespace proof_system::honk::sumcheck {


template <typename Flavor> class SumcheckProver {


  public:

    using FF = typename Flavor::FF;

    using ProverPolynomials = typename Flavor::ProverPolynomials;

    using PartiallyEvaluatedMultivariates = typename Flavor::PartiallyEvaluatedMultivariates;

    using ClaimedEvaluations = typename Flavor::AllValues;

    using Transcript = typename Flavor::Transcript;

    using Instance = ProverInstance_<Flavor>;


    std::shared_ptr<Transcript> transcript;


    const size_t multivariate_n;

    const size_t multivariate_d;

    SumcheckProverRound<Flavor> round;


    PartiallyEvaluatedMultivariates partially_evaluated_polynomials;


    // prover instantiates sumcheck with circuit size and a prover transcript

    SumcheckProver(size_t multivariate_n, const std::shared_ptr<Transcript>& transcript)

        : transcript(transcript)

        , multivariate_n(multivariate_n)

        , multivariate_d(numeric::get_msb(multivariate_n))

        , round(multivariate_n)

        , partially_evaluated_polynomials(multivariate_n){};


    SumcheckOutput<Flavor> prove(ProverPolynomials& full_polynomials,

                                 const proof_system::RelationParameters<FF>& relation_parameters,

                                 FF alpha) // pass by value, not by reference

    {

        FF zeta = transcript->get_challenge("Sumcheck:zeta");


        barretenberg::PowUnivariate<FF> pow_univariate(zeta);


        std::vector<FF> multivariate_challenge;

        multivariate_challenge.reserve(multivariate_d);


        // First round

        // This populates partially_evaluated_polynomials.

        auto round_univariate = round.compute_univariate(full_polynomials, relation_parameters, pow_univariate, alpha);

        transcript->send_to_verifier("Sumcheck:univariate_0", round_univariate);

        FF round_challenge = transcript->get_challenge("Sumcheck:u_0");

        multivariate_challenge.emplace_back(round_challenge);

        partially_evaluate(full_polynomials, multivariate_n, round_challenge);

        pow_univariate.partially_evaluate(round_challenge);

        round.round_size =

            round.round_size >> 1; // TODO(#224)(Cody): Maybe partially_evaluate should do this and release memory?


        // All but final round

        // We operate on partially_evaluated_polynomials in place.

        for (size_t round_idx = 1; round_idx < multivariate_d; round_idx++) {

            // Write the round univariate to the transcript

            round_univariate =

                round.compute_univariate(partially_evaluated_polynomials, relation_parameters, pow_univariate, alpha);

            transcript->send_to_verifier("Sumcheck:univariate_" + std::to_string(round_idx), round_univariate);

            FF round_challenge = transcript->get_challenge("Sumcheck:u_" + std::to_string(round_idx));

            multivariate_challenge.emplace_back(round_challenge);

            partially_evaluate(partially_evaluated_polynomials, round.round_size, round_challenge);

            pow_univariate.partially_evaluate(round_challenge);

            round.round_size = round.round_size >> 1;

        }


        // Final round: Extract multivariate evaluations from partially_evaluated_polynomials and add to transcript

        ClaimedEvaluations multivariate_evaluations;

        for (auto [eval, poly] :

             zip_view(multivariate_evaluations.get_all(), partially_evaluated_polynomials.get_all())) {

            eval = (poly)[0];

        }

        transcript->send_to_verifier("Sumcheck:evaluations", multivariate_evaluations);


        return { multivariate_challenge, multivariate_evaluations };

    };


    SumcheckOutput<Flavor> prove(std::shared_ptr<Instance> instance)

    {

        return prove(instance->prover_polynomials, instance->relation_parameters, instance->alpha);

    };


    void partially_evaluate(auto& polynomials, size_t round_size, FF round_challenge)

    {

        auto pep_view = partially_evaluated_polynomials.get_all();

        auto poly_view = polynomials.get_all();

        // after the first round, operate in place on partially_evaluated_polynomials

        parallel_for(poly_view.size(), [&](size_t j) {

            for (size_t i = 0; i < round_size; i += 2) {

                pep_view[j][i >> 1] = poly_view[j][i] + round_challenge * (poly_view[j][i + 1] - poly_view[j][i]);

            }

        });

    };

    template <typename PolynomialT, std::size_t N>

    void partially_evaluate(std::array<PolynomialT, N>& polynomials, size_t round_size, FF round_challenge)

    {

        auto pep_view = partially_evaluated_polynomials.get_all();

        // after the first round, operate in place on partially_evaluated_polynomials

        parallel_for(polynomials.size(), [&](size_t j) {

            for (size_t i = 0; i < round_size; i += 2) {

                pep_view[j][i >> 1] = polynomials[j][i] + round_challenge * (polynomials[j][i + 1] - polynomials[j][i]);

            }

        });

    };

};


template <typename Flavor> class SumcheckVerifier {


  public:

    using Utils = barretenberg::RelationUtils<Flavor>;

    using FF = typename Flavor::FF;

    using ClaimedEvaluations = typename Flavor::AllValues;

    using Transcript = typename Flavor::Transcript;


    static constexpr size_t BATCHED_RELATION_PARTIAL_LENGTH = Flavor::BATCHED_RELATION_PARTIAL_LENGTH;

    static constexpr size_t NUM_POLYNOMIALS = Flavor::NUM_ALL_ENTITIES;


    const size_t multivariate_d;

    SumcheckVerifierRound<Flavor> round;


    // verifier instantiates sumcheck with circuit size

    explicit SumcheckVerifier(size_t multivariate_n)

        : multivariate_d(numeric::get_msb(multivariate_n))

        , round(){};


    SumcheckOutput<Flavor> verify(const proof_system::RelationParameters<FF>& relation_parameters,

                                  FF alpha,

                                  const std::shared_ptr<Transcript>& transcript)

    {

        bool verified(true);


        FF zeta = transcript->get_challenge("Sumcheck:zeta");


        barretenberg::PowUnivariate<FF> pow_univariate(zeta);

        // All but final round.

        // target_total_sum is initialized to zero then mutated in place.


        if (multivariate_d == 0) {

            throw_or_abort("Number of variables in multivariate is 0.");

        }


        std::vector<FF> multivariate_challenge;

        multivariate_challenge.reserve(multivariate_d);


        for (size_t round_idx = 0; round_idx < multivariate_d; round_idx++) {

            // Obtain the round univariate from the transcript

            std::string round_univariate_label = "Sumcheck:univariate_" + std::to_string(round_idx);

            auto round_univariate =

                transcript->template receive_from_prover<barretenberg::Univariate<FF, BATCHED_RELATION_PARTIAL_LENGTH>>(

                    round_univariate_label);


            bool checked = round.check_sum(round_univariate);

            verified = verified && checked;

            FF round_challenge = transcript->get_challenge("Sumcheck:u_" + std::to_string(round_idx));

            multivariate_challenge.emplace_back(round_challenge);


            round.compute_next_target_sum(round_univariate, round_challenge);

            pow_univariate.partially_evaluate(round_challenge);

        }


        // Final round

        ClaimedEvaluations purported_evaluations;

        auto transcript_evaluations =

            transcript->template receive_from_prover<std::array<FF, NUM_POLYNOMIALS>>("Sumcheck:evaluations");

        for (auto [eval, transcript_eval] : zip_view(purported_evaluations.get_all(), transcript_evaluations)) {

            eval = transcript_eval;

        }


        FF full_honk_relation_purported_value = round.compute_full_honk_relation_purported_value(

            purported_evaluations, relation_parameters, pow_univariate, alpha);


        bool checked = false;

        if constexpr (IsRecursiveFlavor<Flavor>) {

            checked = (full_honk_relation_purported_value == round.target_total_sum).get_value();

        } else {

            checked = (full_honk_relation_purported_value == round.target_total_sum);

        }

        verified = verified && checked;


        return SumcheckOutput<Flavor>{ multivariate_challenge, purported_evaluations, verified };

    };

};

} // namespace proof_system::honk::sumcheck

barretenberg::RelationUtils
Definition: utils.hpp:7

proof_system::honk::BaseTranscript
Common transcript class for both parties. Stores the data for the current round, as well as the manif...
Definition: transcript.hpp:62

proof_system::honk::ProverInstance_
An Instance is normally constructed from a finalized circuit and it's role is to compute all the poly...
Definition: prover_instance.hpp:20

proof_system::honk::flavor::GoblinTranslator::AllValues
A field element for each entity of the flavor. These entities represent the prover polynomials evalua...
Definition: goblin_translator.hpp:947

proof_system::honk::flavor::GoblinTranslator::PartiallyEvaluatedMultivariates
A container for storing the partially evaluated multivariates produced by sumcheck.
Definition: goblin_translator.hpp:993

proof_system::honk::flavor::GoblinTranslator::ProverPolynomials
A container for the prover polynomials handles.
Definition: goblin_translator.hpp:955

proof_system::honk::sumcheck::SumcheckProverRound
Definition: sumcheck_round.hpp:53

proof_system::honk::sumcheck::SumcheckProverRound::compute_univariate
barretenberg::Univariate< FF, BATCHED_RELATION_PARTIAL_LENGTH > compute_univariate(ProverPolynomialsOrPartiallyEvaluatedMultivariates &polynomials, const proof_system::RelationParameters< FF > &relation_parameters, const barretenberg::PowUnivariate< FF > &pow_univariate, const FF alpha)
Return the evaluations of the univariate restriction (S_l(X_l) in the thesis) at num_multivariates-ma...
Definition: sumcheck_round.hpp:103

proof_system::honk::sumcheck::SumcheckProver
Definition: sumcheck.hpp:10

proof_system::honk::sumcheck::SumcheckProver::partially_evaluated_polynomials
PartiallyEvaluatedMultivariates partially_evaluated_polynomials
(partially_evaluated_polynomials) Suppose the Honk polynomials (multilinear in d variables) are calle...
Definition: sumcheck.hpp:57

proof_system::honk::sumcheck::SumcheckProver::partially_evaluate
void partially_evaluate(auto &polynomials, size_t round_size, FF round_challenge)
Evaluate at the round challenge and prepare class for next round. Illustration of layout in example o...
Definition: sumcheck.hpp:144

proof_system::honk::sumcheck::SumcheckProver::partially_evaluate
void partially_evaluate(std::array< PolynomialT, N > &polynomials, size_t round_size, FF round_challenge)
Evaluate at the round challenge and prepare class for next round. Specialization for array,...
Definition: sumcheck.hpp:160

proof_system::honk::sumcheck::SumcheckProver::prove
SumcheckOutput< Flavor > prove(ProverPolynomials &full_polynomials, const proof_system::RelationParameters< FF > &relation_parameters, FF alpha)
Compute univariate restriction place in transcript, generate challenge, partially evaluate,...
Definition: sumcheck.hpp:73

proof_system::honk::sumcheck::SumcheckProver::prove
SumcheckOutput< Flavor > prove(std::shared_ptr< Instance > instance)
Compute univariate restriction place in transcript, generate challenge, partially evaluate,...
Definition: sumcheck.hpp:124

proof_system::honk::sumcheck::SumcheckVerifierRound
Definition: sumcheck_round.hpp:258

proof_system::honk::sumcheck::SumcheckVerifierRound::compute_full_honk_relation_purported_value
FF compute_full_honk_relation_purported_value(ClaimedEvaluations purported_evaluations, const proof_system::RelationParameters< FF > &relation_parameters, const barretenberg::PowUnivariate< FF > &pow_univariate, const FF alpha)
General purpose method for applying a tuple of arrays (of FFs)
Definition: sumcheck_round.hpp:324

proof_system::honk::sumcheck::SumcheckVerifierRound::compute_next_target_sum
FF compute_next_target_sum(barretenberg::Univariate< FF, BATCHED_RELATION_PARTIAL_LENGTH > &univariate, FF &round_challenge)
After checking that the univariate is good for this round, compute the next target sum.
Definition: sumcheck_round.hpp:307

proof_system::honk::sumcheck::SumcheckVerifier
Definition: sumcheck.hpp:172

proof_system::honk::sumcheck::SumcheckVerifier::verify
SumcheckOutput< Flavor > verify(const proof_system::RelationParameters< FF > &relation_parameters, FF alpha, const std::shared_ptr< Transcript > &transcript)
Extract round univariate, check sum, generate challenge, compute next target sum.....
Definition: sumcheck.hpp:200

zip_view
Definition: zip_view.hpp:159

proof_system::IsRecursiveFlavor
Definition: flavor.hpp:300

numeric
Definition: field2_declarations.hpp:6

barretenberg::PowUnivariate
Definition: pow.hpp:93

barretenberg::PowUnivariate::partially_evaluate
void partially_evaluate(FF challenge)
Parially evaluate the polynomial in the new challenge, by updating the constant c_{l} -> c_{l+1}....
Definition: pow.hpp:121

barretenberg::field< Bn254FrParams >

proof_system::RelationParameters
Container for parameters used by the grand product (permutation, lookup) Honk relations.
Definition: relation_parameters.hpp:12

proof_system::honk::sumcheck::SumcheckOutput
Contains the multi-linear evaluations of the polynomials at the challenge point 'u'....
Definition: sumcheck_output.hpp:13