WIP step 7

verifier_circuit/src/poly_commitment/commitment.ts

@@ -1,4 +1,5 @@
 import { Group, Scalar } from "o1js";
+import { Sponge } from "../verifier/sponge";
 
 /**
 * A polynomial commitment
@@ -182,3 +183,44 @@ export function bPolyCoefficients(chals: Scalar[]) {
 
     return s;
 }
+
+/**
+ * Contains the evaluation of a polynomial commitment at a set of points.
+ */
+export class Evaluation
+{
+    /** The commitment of the polynomial being evaluated */
+    commitment: PolyComm<Group>
+    /** Contains an evaluation table */
+    evaluations: Scalar[][]
+    /** optional degree bound */
+    degree_bound?: number
+
+    constructor(
+        commitment: PolyComm<Group>,
+        evaluations: Scalar[][],
+        degree_bound?: number
+    ) {
+        this.commitment = commitment;
+        this.evaluations = evaluations;
+        this.degree_bound = degree_bound;
+    }
+}
+
+/**
+ * Contains the batch evaluation
+ */
+export class AggregatedEvaluationProof
+{
+    sponge: Sponge
+    evaluations: Evaluation[]
+    /** vector of evaluation points */
+    evaluation_points: Scalar[]
+    /** scaling factor for evaluation point powers */
+    polyscale: Scalar
+    /** scaling factor for polynomials */
+    evalscale: Scalar
+    /** batched opening proof */
+    opening: &'a OpeningProof
+    combined_inner_product: Scalar
+}

verifier_circuit/src/prover/prover.ts

@@ -9,6 +9,7 @@ import { GateType } from "../circuits/gate.js";
 import { Alphas } from "../alphas.js";
 import { Column, PolishToken } from "./expr.js";
 import { deserHexScalar } from "../serde/serde_proof.js";
+import { range } from "../util/misc.js";
 
 /** The proof that the prover creates from a ProverIndex `witness`. */
 export class ProverProof {
@@ -329,7 +330,6 @@ export class ProverProof {
                 .getColumn(col)!;
             es.push([[evals.zeta, evals.zetaOmega], undefined]);
         };
-        const range = (n: number) => Array.from({ length: n }, (value, key) => key);
 
         push_column_eval({ kind: "z" })
         push_column_eval({ kind: "index", typ: GateType.Generic })

verifier_circuit/src/util/misc.ts

@@ -0,0 +1 @@
+export const range = (n: number) => Array.from({ length: n }, (value, key) => key);

verifier_circuit/src/verifier/batch.ts

@@ -1,11 +1,12 @@
-import { PolyComm } from "../poly_commitment/commitment.js";
+import { Evaluation, PolyComm } from "../poly_commitment/commitment.js";
 import { ProverProof, PointEvaluations, ProofEvaluations, Constants } from "../prover/prover.js";
 import { Verifier, VerifierIndex } from "./verifier.js";
 import { Group, Scalar } from "o1js";
 import { deserHexScalar } from "../serde/serde_proof.js";
 import { Column, PolishToken } from "../prover/expr.js";
 import { GateType } from "../circuits/gate.js";
 import { powScalar } from "../util/scalar.js";
+import { range } from "../util/misc.js";
 
 export class Context {
     verifier_index: VerifierIndex
@@ -19,7 +20,7 @@ export class Context {
     }
 
     getColumn(col: Column): PolyComm<Group> | undefined {
-        switch(col.kind) {
+        switch (col.kind) {
             case "witness": return this.proof.commitments.wComm[col.index];
             case "coefficient": return this.verifier_index.coefficients_comm[col.index];
             case "permutation": return this.verifier_index.sigma_comm[col.index];
@@ -151,6 +152,45 @@ export class Batch extends Verifier {
                 chunked_t_comm,
                 zeta_to_domain_size.sub(Scalar.from(1))));
 
+        //~ 7. List the polynomial commitments, and their associated evaluations,
+        //~    that are associated to the aggregated evaluation proof in the proof:
+        let evaluations: Evaluation[] = [];
+
+        //recursion
+        evaluations.concat(polys.map(([c, e]) => new Evaluation(c, e)));
+        // public input
+        evaluations.push(new Evaluation(public_comm, public_evals));
+        // ft commitment (chunks)
+        evaluations.push(new Evaluation(ft_comm, [[ft_eval0], [proof.ft_eval1]]));
+
+        for (const col of [
+            { kind: "z" },
+            { kind: "index", typ: GateType.Generic },
+            { kind: "index", typ: GateType.Poseidon },
+            { kind: "index", typ: GateType.CompleteAdd },
+            { kind: "index", typ: GateType.VarBaseMul },
+            { kind: "index", typ: GateType.EndoMul },
+            { kind: "index", typ: GateType.EndoMulScalar },
+        ]
+            .concat(range(Verifier.COLUMNS).map((i) => { return { kind: "witness", index: i } }))
+            .concat(range(Verifier.COLUMNS).map((i) => { return { kind: "coefficient", index: i } }))
+            .concat(range(Verifier.PERMUTS - 1).map((i) => { return { kind: "permutation", index: i } })) as Column[]
+        ) {
+            const eva = proof.evals.getColumn(col)!;
+            evaluations.push(new Evaluation(context.getColumn(col)!, [eva?.zeta, eva?.zetaOmega]));
+        }
+
+        // prepare for the opening proof verification
+        let evaluation_points = vec![oracles.zeta, oracles.zeta * verifier_index.domain.group_gen];
+        Ok(BatchEvaluationProof {
+            sponge: fq_sponge,
+            evaluations,
+            evaluation_points,
+            polyscale: oracles.v,
+            evalscale: oracles.u,
+            opening: &proof.proof,
+            combined_inner_product,
+        })
         /*
           Compute the commitment to the linearized polynomial $f$. To do this, add the constraints of all of the gates, of the permutation, and optionally of the lookup. (See the separate sections in the constraints section.) Any polynomial should be replaced by its associated commitment, contained in the verifier index or in the proof, unless a polynomial has its evaluation provided by the proof in which case the evaluation should be used in place of the commitment.
           Compute the (chuncked) commitment of $ft$ (see Maller’s optimization).