Skip to content

Commit

Permalink
simplify computation of CZx
Browse files Browse the repository at this point in the history
  • Loading branch information
@ledwards2225
ledwards2225 committed Oct 24, 2023
1 parent f24f736 commit 5b8ce67
Show file tree
Hide file tree
Showing 2 changed files with 25 additions and 107 deletions.
116 changes: 17 additions & 99 deletions barretenberg/cpp/src/barretenberg/honk/pcs/zeromorph/zeromorph.hpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -473,19 +473,27 @@ template <typename Curve> class ZeroMorphVerifier_ {
}

/**
* @brief Compute commitment to partially evaluated ZeroMorph identity Z
* @brief
* @details Compute commitment C_{Z_x} = [Z_x]_1 using homomorphicity:
*
* C_{Z_x} = x * \sum_{i=0}^{m-1}\rho^i*[f_i] + \sum_{i=0}^{l-1}\rho^{m+i}*[g_i] - v * x * \Phi_n(x) * [1]_1
* - x * \sum_k (x^{2^k}\Phi_{n-k-1}(x^{2^{k-1}}) - u_k\Phi_{n-k}(x^{2^k})) * [q_k]
* + concatentation_term
* where
*
* @param f_commitments Commitments to unshifted polynomials [f_i]
* @param g_commitments Commitments to to-be-shifted polynomials [g_i]
* @param C_q_k Commitments to q_k
* concatenation_term = \sum{i=0}^{o-1}\sum_{j=0}^{concatenation_index}(rho^{m+l+i} * x^{j * min_N + 1}
* * concatenation_groups_commitments_{i}_{j})
*
* @note The concatenation term arises from an implementation detail in the Goblin Translator and is not part of the
* conventional ZM protocol
* @param f_commitments
* @param g_commitments
* @param C_q_k
* @param rho
* @param batched_evaluation \sum_{i=0}^{m-1} \rho^i*f_i(u) + \sum_{i=0}^{l-1} \rho^{m+i}*h_i(u)
* @param batched_evaluation
* @param x_challenge
* @param u_challenge multilinear challenge
* @param u_challenge
* @param concatenation_groups_commitments
* @return Commitment
*/
static Commitment compute_C_Z_x(std::vector<Commitment> f_commitments,
Expand All @@ -494,99 +502,8 @@ template <typename Curve> class ZeroMorphVerifier_ {
FF rho,
FF batched_evaluation,
FF x_challenge,
std::vector<FF> u_challenge)
{
size_t log_N = C_q_k.size();
size_t N = 1 << log_N;

std::vector<FF> scalars;
std::vector<Commitment> commitments;

// Phi_n(x) = (x^N - 1) / (x - 1)
auto phi_numerator = x_challenge.pow(N) - 1; // x^N - 1
auto phi_n_x = phi_numerator / (x_challenge - 1);

// Add contribution: -v * x * \Phi_n(x) * [1]_1
if constexpr (Curve::is_stdlib_type) {
auto builder = x_challenge.get_context();
scalars.emplace_back(FF(builder, -1) * batched_evaluation * x_challenge * phi_n_x);
commitments.emplace_back(Commitment::one(builder));
} else {
scalars.emplace_back(FF(-1) * batched_evaluation * x_challenge * phi_n_x);
commitments.emplace_back(Commitment::one());
}

// Add contribution: x * \sum_{i=0}^{m-1} \rho^i*[f_i]
auto rho_pow = FF(1);
for (auto& commitment : f_commitments) {
scalars.emplace_back(x_challenge * rho_pow);
commitments.emplace_back(commitment);
rho_pow *= rho;
}

// Add contribution: \sum_{i=0}^{l-1} \rho^{m+i}*[g_i]
for (auto& commitment : g_commitments) {
scalars.emplace_back(rho_pow);
commitments.emplace_back(commitment);
rho_pow *= rho;
}

// Add contributions: scalar * [q_k], k = 0,...,log_N, where
// scalar = -x * (x^{2^k} * \Phi_{n-k-1}(x^{2^{k+1}}) - u_k * \Phi_{n-k}(x^{2^k}))
auto x_pow_2k = x_challenge; // x^{2^k}
auto x_pow_2kp1 = x_challenge * x_challenge; // x^{2^{k + 1}}
for (size_t k = 0; k < log_N; ++k) {

auto phi_term_1 = phi_numerator / (x_pow_2kp1 - 1); // \Phi_{n-k-1}(x^{2^{k + 1}})
auto phi_term_2 = phi_numerator / (x_pow_2k - 1); // \Phi_{n-k}(x^{2^k})

auto scalar = x_pow_2k * phi_term_1;
scalar -= u_challenge[k] * phi_term_2;
scalar *= x_challenge;
scalar *= FF(-1);

scalars.emplace_back(scalar);
commitments.emplace_back(C_q_k[k]);

// Update powers of challenge x
x_pow_2k = x_pow_2kp1;
x_pow_2kp1 *= x_pow_2kp1;
}

if constexpr (Curve::is_stdlib_type) {
return Commitment::batch_mul(commitments, scalars);
} else {
return batch_mul_native(commitments, scalars);
}
}

/**
* @brief Compute commitment to partially evaluated ZeroMorph identity Z
* @details Compute commitment C_{Z_x} = [Z_x]_1 using homomorphicity:
*
* C_{Z_x} = x * \sum_{i=0}^{m-1}\rho^i*[f_i] + \sum_{i=0}^{l-1}\rho^{m+i}*[g_i] +
* \sum{i=0}^{o-1}\sum_{j=0}^{concatenation_index}(rho^{m+l+i} * x^{j * min_N + 1}
* *concatenation_groups_commitments_{i}_{j}) - v * x * \Phi_n(x) * [1]_1 - x * \sum_k
* (x^{2^k}\Phi_{n-k-1}(x^{2^{k-1}}) - u_k\Phi_{n-k}(x^{2^k})) * [q_k]
*
* @param f_commitments Commitments to unshifted polynomials [f_i]
* @param g_commitments Commitments to to-be-shifted polynomials [g_i]
* @param C_q_k Commitments to q_k
* @param rho
* @param batched_evaluation \sum_{i=0}^{m-1} \rho^i*f_i(u) + \sum_{i=0}^{l-1} \rho^{m+i}*h_i(u)
* @param x_challenge
* @param u_challenge multilinear challenge
* @return Commitment
*/
static Commitment compute_C_Z_x_with_concatenations(
std::vector<Commitment> f_commitments,
std::vector<Commitment> g_commitments,
std::vector<std::vector<Commitment>> concatenation_groups_commitments,
std::vector<Commitment>& C_q_k,
FF rho,
FF batched_evaluation,
FF x_challenge,
std::vector<FF> u_challenge)
std::vector<FF> u_challenge,
std::vector<std::vector<Commitment>> concatenation_groups_commitments = {})
{
size_t log_N = C_q_k.size();
size_t N = 1 << log_N;
Expand Down Expand Up @@ -641,6 +558,7 @@ template <typename Curve> class ZeroMorphVerifier_ {
rho_pow *= rho;
}
}

// Add contributions: scalar * [q_k], k = 0,...,log_N, where
// scalar = -x * (x^{2^k} * \Phi_{n-k-1}(x^{2^{k+1}}) - u_k * \Phi_{n-k}(x^{2^k}))
auto x_pow_2k = x_challenge; // x^{2^k}
Expand Down
16 changes: 8 additions & 8 deletions barretenberg/cpp/src/barretenberg/honk/pcs/zeromorph/zeromorph.test.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -462,14 +462,14 @@ template <class Curve> class ZeroMorphWithConcatenationTest : public CommitmentT
auto C_zeta_x = ZeroMorphVerifier::compute_C_zeta_x(C_q, C_q_k, y_challenge, x_challenge);

// Compute commitment C_{Z_x}
Commitment C_Z_x = ZeroMorphVerifier::compute_C_Z_x_with_concatenations(f_commitments,
g_commitments,
concatenation_groups_commitments,
C_q_k,
rho,
v_evaluation,
x_challenge,
u_challenge);
Commitment C_Z_x = ZeroMorphVerifier::compute_C_Z_x(f_commitments,
g_commitments,
C_q_k,
rho,
v_evaluation,
x_challenge,
u_challenge,
concatenation_groups_commitments);

// Compute commitment C_{\zeta,Z}
auto C_zeta_Z = C_zeta_x + C_Z_x * z_challenge;
Expand Down

0 comments on commit 5b8ce67

Please sign in to comment.