chore: cleanup committing and masking utility (#12514)

Transfer the masking function to the polynomial class itself and create a `commit_to_witness` function for translator which will implicitly handle masking when ZK is enabled.
AztecProtocol · Mar 6, 2025 · 9f57048 · 9f57048 · AztecBot · Mar 6, 2025
1 parent 352bb1d
commit 9f57048
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 22 deletions.
diff --git a/barretenberg/cpp/src/barretenberg/polynomials/polynomial.hpp b/barretenberg/cpp/src/barretenberg/polynomials/polynomial.hpp
@@ -2,6 +2,7 @@
 #include "barretenberg/common/mem.hpp"
 #include "barretenberg/common/op_count.hpp"
 #include "barretenberg/common/zip_view.hpp"
+#include "barretenberg/constants.hpp"
 #include "barretenberg/crypto/sha256/sha256.hpp"
 #include "barretenberg/ecc/curves/grumpkin/grumpkin.hpp"
 #include "barretenberg/plonk_honk_shared/types/circuit_type.hpp"
@@ -255,6 +256,21 @@ template <typename Fr> class Polynomial {
      */
     Polynomial& operator*=(Fr scaling_factor);
 
+    /**
+     * @brief Add random values to the coefficients of a polynomial. In practice, this is used for ensuring the
+     * commitment and evaluation of a polynomial don't leak information about the coefficients in the context of zero
+     * knowledge.
+     */
+    void mask()
+    {
+        // Ensure there is sufficient space to add masking and also that we have memory allocated up to the virtual_size
+        ASSERT(virtual_size() >= MASKING_OFFSET);
+        ASSERT(virtual_size() == end_index());
+        for (size_t i = virtual_size() - 1; i <= virtual_size() - MASKING_OFFSET; i--) {
+            at(i) = FF::random_element();
+        }
+    }
+
     std::size_t size() const { return coefficients_.size(); }
     std::size_t virtual_size() const { return coefficients_.virtual_size(); }
     void increase_virtual_size(const size_t size_in) { coefficients_.increase_virtual_size(size_in); };
@@ -400,7 +416,6 @@ template <typename Fr> class Polynomial {
     // Namely, it supports polynomial shifts and 'virtual' zeroes past a size up until a 'virtual' size.
     SharedShiftedVirtualZeroesArray<Fr> coefficients_;
 };
-
 // NOLINTNEXTLINE(cppcoreguidelines-avoid-c-arrays)
 template <typename Fr> std::shared_ptr<Fr[]> _allocate_aligned_memory(size_t n_elements)
 {
@@ -514,4 +529,4 @@ template <typename Poly, typename... Polys> auto zip_polys(Poly&& poly, Polys&&.
     ASSERT((poly.start_index() == polys.start_index() && poly.end_index() == polys.end_index()) && ...);
     return zip_view(poly.indices(), poly.coeffs(), polys.coeffs()...);
 }
-} // namespace bb
+} // namespace bb
diff --git a/barretenberg/cpp/src/barretenberg/translator_vm/translator_prover.cpp b/barretenberg/cpp/src/barretenberg/translator_vm/translator_prover.cpp
@@ -38,6 +38,17 @@ void TranslatorProver::execute_preamble_round()
     transcript->send_to_verifier("accumulated_result", accumulated_result);
 }
 
+/**
+ * @brief Utility to commit to witness polynomial and send the commitment to verifier.
+ *
+ * @param polynomial
+ * @param label
+ */
+void TranslatorProver::commit_to_witness_polynomial(Polynomial& polynomial, const std::string& label)
+{
+    transcript->send_to_verifier(label, key->proving_key->commitment_key->commit(polynomial));
+}
+
 /**
  * @brief Compute commitments to wires and ordered range constraints.
  *
@@ -48,13 +59,13 @@ void TranslatorProver::execute_wire_and_sorted_constraints_commitments_round()
     for (const auto& [wire, label] :
          zip_view(key->proving_key->polynomials.get_wires(), commitment_labels.get_wires())) {
 
-        transcript->send_to_verifier(label, key->proving_key->commitment_key->commit(wire));
+        commit_to_witness_polynomial(wire, label);
     }
 
     // The ordered range constraints are of full circuit size.
     for (const auto& [ordered_range_constraint, label] : zip_view(
              key->proving_key->polynomials.get_ordered_constraints(), commitment_labels.get_ordered_constraints())) {
-        transcript->send_to_verifier(label, key->proving_key->commitment_key->commit(ordered_range_constraint));
+        commit_to_witness_polynomial(ordered_range_constraint, label);
     }
 }
 
@@ -105,8 +116,7 @@ void TranslatorProver::execute_grand_product_computation_round()
     // Compute constraint permutation grand product
     compute_grand_products<Flavor>(key->proving_key->polynomials, relation_parameters);
 
-    transcript->send_to_verifier(commitment_labels.z_perm,
-                                 key->proving_key->commitment_key->commit(key->proving_key->polynomials.z_perm));
+    commit_to_witness_polynomial(key->proving_key->polynomials.z_perm, commitment_labels.z_perm);
 }
 
 /**

diff --git a/barretenberg/cpp/src/barretenberg/translator_vm/translator_prover.hpp b/barretenberg/cpp/src/barretenberg/translator_vm/translator_prover.hpp
@@ -33,6 +33,7 @@ class TranslatorProver {
     BB_PROFILE void execute_grand_product_computation_round();
     BB_PROFILE void execute_relation_check_rounds();
     BB_PROFILE void execute_pcs_rounds();
+    void commit_to_witness_polynomial(Polynomial& polynomial, const std::string& label);
     HonkProof export_proof();
     HonkProof construct_proof();
 

diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.cpp
@@ -235,18 +235,6 @@ template <IsUltraFlavor Flavor> typename Flavor::RelationSeparator OinkProver<Fl
     return alphas;
 }
 
-/**
- * @brief We mask the commitment to a witness, its evaluation at the Sumcheck challenge and, if needed, the
- * evaluation of its shift.
- */
-template <IsUltraFlavor Flavor> void OinkProver<Flavor>::mask_witness_polynomial(Polynomial<FF>& polynomial)
-{
-    const size_t circuit_size = polynomial.virtual_size();
-    for (size_t idx = 1; idx < MASKING_OFFSET; idx++) {
-        polynomial.at(circuit_size - idx) = FF::random_element();
-    }
-}
-
 /**
  * @brief A uniform method to mask, commit, and send the corresponding commitment to the verifier.
  *
@@ -259,9 +247,9 @@ void OinkProver<Flavor>::commit_to_witness_polynomial(Polynomial<FF>& polynomial
                                                       const std::string& label,
                                                       const CommitmentKey::CommitType type)
 {
-    // Mask if needed
+    // Mask the polynomial when proving in zero-knowledge
     if constexpr (Flavor::HasZK) {
-        mask_witness_polynomial(polynomial);
+        polynomial.mask();
     };
 
     typename Flavor::Commitment commitment;

diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.hpp b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.hpp
@@ -63,12 +63,11 @@ template <IsUltraFlavor Flavor> class OinkProver {
     void execute_log_derivative_inverse_round();
     void execute_grand_product_computation_round();
     RelationSeparator generate_alphas_round();
-    void mask_witness_polynomial(Polynomial<FF>& polynomial);
     void commit_to_witness_polynomial(Polynomial<FF>& polynomial,
                                       const std::string& label,
                                       const CommitmentKey::CommitType type = CommitmentKey::CommitType::Default);
 };
 
 using MegaOinkProver = OinkProver<MegaFlavor>;
 
-} // namespace bb
+} // namespace bb