feat: extend functionality of SmallSubgroupIPA #12244
Conversation
| barretenberg_module(eccvm sumcheck commitment_schemes) |
There was a problem hiding this comment.
needed to add this after moving SmallSubgroupIPA stuff to .cpp + in two other CMake files below
…om:AztecProtocol/aztec-packages into si/small-subgroup-ipa-supports-translation
| @@ -31,7 +31,7 @@ template <typename Curve> class ShpleminiProver_ { | |||
| std::span<FF> multilinear_challenge, | |||
| const std::shared_ptr<CommitmentKey<Curve>>& commitment_key, | |||
| const std::shared_ptr<Transcript>& transcript, | |||
| const std::array<Polynomial, NUM_LIBRA_EVALUATIONS>& libra_polynomials = {}, | |||
| const std::array<Polynomial, NUM_SMALL_IPA_EVALUATIONS>& libra_polynomials = {}, | |||
There was a problem hiding this comment.
this global const is rather a SmallSubgroupIPA constant. I haven't thought the argument would be used elsewehere, so initially called it NUM_LIBRA_EVALUATIONS
| @@ -1,7 +1,9 @@ | |||
| #pragma once | |||
|
|
|||
There was a problem hiding this comment.
moved impls and some docs to cpp
| // Simulate the interaction between the prover and the verifier leading to the consistency check performed by the | ||
| // verifier. | ||
| TYPED_TEST(SmallSubgroupIPATest, TranslationMaskingTermConsistency) |
There was a problem hiding this comment.
don't know how to name it better
| } | ||
| /** | ||
| * @brief Let m_0, ..., m_4 be the vectors of last 4 coeffs in each transcript poly, we compute the concatenation | ||
| * \f$ (0 || m_0 || ... || m_4)\f$ in Lagrange and monomial basis and mask the latter. |
There was a problem hiding this comment.
here constant term is 0 because we don't need extra masking as opposed to the ZKSumcheckData-usecase (there is redundant randomness in the masking entries of the ECCVM transcript wires)
There was a problem hiding this comment.
Can you codify your PR comment here into a comment in the code?
There was a problem hiding this comment.
Over this looks good to me. As I mentioned, it would have been a lot easier to review if the hpp/cpp separation had happened in a separate PR - something to keep in mind for next time. I wound up just skimming through everything rather than trying to figure out what was new so my review may not have the depth it otherwise would have. I left some comments around things that I think could be clarified a bit either in code or comments. I think there is sufficient code sharing here so as not to warrant something like separate classes for the different use cases here but we should monitor things to ensure that the single class remains readable if any more complexity is introduced.
| template <typename Flavor> | ||
| SmallSubgroupIPAProver<Flavor>::SmallSubgroupIPAProver(std::shared_ptr<typename Flavor::Transcript>& transcript) | ||
| : interpolation_domain{} | ||
| , concatenated_polynomial(Polynomial<FF>(SUBGROUP_SIZE + 2)) |
There was a problem hiding this comment.
Not terribly important but it seems a little funny to me to initialize some of these members in the constructor given that SUBGROUP_SIZE is static. Maybe this is just a matter of preference? Curious if @ludamad has an opinion.
There was a problem hiding this comment.
I remember trying to not initialize them in the constructor and hitting memory errors
barretenberg/cpp/src/barretenberg/commitment_schemes/small_subgroup_ipa/small_subgroup_ipa.cpp
Outdated
Show resolved
Hide resolved
barretenberg/cpp/src/barretenberg/commitment_schemes/small_subgroup_ipa/small_subgroup_ipa.cpp
Outdated
Show resolved
Hide resolved
barretenberg/cpp/src/barretenberg/commitment_schemes/small_subgroup_ipa/small_subgroup_ipa.cpp
Outdated
Show resolved
Hide resolved
barretenberg/cpp/src/barretenberg/commitment_schemes/small_subgroup_ipa/small_subgroup_ipa.hpp
Outdated
Show resolved
Hide resolved
barretenberg/cpp/src/barretenberg/commitment_schemes/small_subgroup_ipa/small_subgroup_ipa.cpp
Outdated
Show resolved
Hide resolved
barretenberg/cpp/src/barretenberg/commitment_schemes/small_subgroup_ipa/small_subgroup_ipa.cpp
Outdated
Show resolved
Hide resolved
barretenberg/cpp/src/barretenberg/commitment_schemes/small_subgroup_ipa/small_subgroup_ipa.cpp
Outdated
Show resolved
Hide resolved
barretenberg/cpp/src/barretenberg/commitment_schemes/small_subgroup_ipa/small_subgroup_ipa.cpp
Outdated
Show resolved
Hide resolved
barretenberg/cpp/src/barretenberg/commitment_schemes/small_subgroup_ipa/small_subgroup_ipa.hpp
Outdated
Show resolved
Hide resolved
| commitment_key->commit(batched_quotient)); | ||
| } | ||
| } | ||
| std::array<Polynomial<FF>, 2> static compute_lagrange_polynomials( |
There was a problem hiding this comment.
I guess, this constant is fine, cause it's clear that we're computing 2 Lagranges
…om:AztecProtocol/aztec-packages into si/small-subgroup-ipa-supports-translation
…om:AztecProtocol/aztec-packages into si/small-subgroup-ipa-supports-translation
…om:AztecProtocol/aztec-packages into si/small-subgroup-ipa-supports-translation
|
| { | ||
| // Reallocate the commitment key if necessary. This is an edge case with SmallSubgroupIPA since it has | ||
| // polynomials that may exceed the circuit size. | ||
| if (commitment_key->dyadic_size < MASKED_GRAND_SUM_LENGTH) { |
There was a problem hiding this comment.
this is fine but just thinking out loud, maybe the right thing to do is to have each flavor define how to compute the required srs size..
There was a problem hiding this comment.
good point, I'll do a small separate PR to move it to the ck allocation step in oink and Translator/ECCVM provers
After [extending SmallSubgroupIPA functionality](#12244), we integrated the changes into the ECCVM logic. Specifically, the Prover and Verifier methods `compute_translation_opening_claim` were modified to establish the correctness of the value `translation_masking_term_eval`= $\sum_i m_i(x) v^i $, where $m_i$ are univariate polynomials of degree `MASKING_OFFSET` used to mask the wires `op`, `Px`, `Py`, `z1`, and `z2`. Detailed documentation has been included in the `ECCVMProver`'s method `compute_translation_opening_claims`. The integration into Goblin/ClientIVC required minimal changes - namely, the TranslatorVerifier accepts `translation_masking_term_eval` and subtracts it from the `eccvm_opening`. Note that currently the masking is not turned on in ECCVM, so `translation_masking_term_eval`= 0.
To fix the issue with translation evaluations when the masking is enabled in
ECCVM, we need to prove the batched evaluation of the masking term, where by masking term we mean a small table (5 columns, 4 rows) added at the end of the Transcript polynomials.Fortunately, we could use the SmallSubgroupIPA protocol to do this efficiently and faciliatate the integration of this fix into Goblin.
This is the first batch of changes:
TranslationDatadesigned to process the masked wires and commit to the masking termSmallSubgroupIPAfunctionality - now it could accept Translation data and produce a proof of the batch opening of the masking termSmallSubgroupIPATests