Prover: implements the top-level of the limitless prover

prover/protocol/compiler/lookup/compiler.go

@@ -61,14 +61,20 @@ func CompileLogDerivative(comp *wizard.CompiledIOP) {
 		// push to zCatalog
 		tableCtx.pushToZCatalog(zCatalog)
 
-		proverActions[round].pushMAssignment(
-			mAssignmentTask{
-				M:       tableCtx.M,
-				S:       checkTable,
-				T:       lookupTable,
-				SFilter: includedFilters,
-			},
-		)
+		if comp.HasSeed {
+			panic("unimplemented")
+			// we expect the following format
+			// proverActions[round].pushMAssignment(mShare [][]field.Element)
+		} else {
+			proverActions[round].pushMAssignment(
+				mAssignmentTask{
+					M:       tableCtx.M,
+					S:       checkTable,
+					T:       lookupTable,
+					SFilter: includedFilters,
+				},
+			)
+		}
 	}
 
 	// This loops is necessary to build a sorted list of the entries of zCatalog.
@@ -108,6 +114,10 @@ func CompileLogDerivative(comp *wizard.CompiledIOP) {
 		va.Name = zC.Name
 	}
 
+	if comp.HasSeed {
+		va.IsDistributed = true
+	}
+
 	for round := range proverActions {
 		// It would not be a bugged to include a proverAction that does nothing
 		// but this pollutes the performance analysis of the prover and logs.

prover/protocol/compiler/lookup/prover.go

@@ -303,6 +303,7 @@ func (a mAssignmentTask) run(run *wizard.ProverRuntime) {
 type zAssignmentTask zCtx
 
 func (z zAssignmentTask) run(run *wizard.ProverRuntime) {
+	zSum := field.Zero()
 	parallel.Execute(len(z.ZDenominatorBoarded), func(start, stop int) {
 		for frag := start; frag < stop; frag++ {
 
@@ -330,6 +331,11 @@ func (z zAssignmentTask) run(run *wizard.ProverRuntime) {
 
 			run.AssignColumn(z.Zs[frag].GetColID(), sv.NewRegular(packedZ))
 			run.AssignLocalPoint(z.ZOpenings[frag].ID, packedZ[len(packedZ)-1])
+
+			// compute the global sum of all ZOpenings
+			zSum.Add(&zSum, &packedZ[len(packedZ)-1])
 		}
 	})
+	// assign the public input
+	run.AssignColumn(z.PI.GetColID(), sv.NewRegular([]field.Element{zSum}))
 }

prover/protocol/compiler/lookup/verifier.go

@@ -21,6 +21,10 @@ type finalEvaluationCheck struct {
 	Name string
 	// ZOpenings lists all the openings of all the zCtx
 	ZOpenings []query.LocalOpening
+	// public input is expected to be the global sum of ZOpenings, for the distributed compilation.
+	PI field.Element
+	// IsDistributed indicates sif the compilation is distributed
+	IsDistributed bool
 }
 
 // Run implements the [wizard.VerifierAction]
@@ -34,7 +38,11 @@ func (f *finalEvaluationCheck) Run(run *wizard.VerifierRuntime) error {
 		zSum.Add(&zSum, &temp)
 	}
 
-	if zSum != field.Zero() {
+	if f.IsDistributed {
+		if zSum != f.PI {
+			return fmt.Errorf("log-derivate lookup, the final evaluation check failed for %v,", f.Name)
+		}
+	} else if zSum != field.Zero() {
 		return fmt.Errorf("log-derivate lookup, the final evaluation check failed for %v,", f.Name)
 	}
 

prover/protocol/compiler/lookup/z_packing.go

@@ -37,6 +37,8 @@ type zCtx struct {
 	// ZOpenings are the opening queries to the end of each Z.
 	ZOpenings []query.LocalOpening
 	Name      string
+	// Public Input is supposed to be the global sum of ZOpening
+	PI ifaces.Column
 }
 
 // check permutation and see how/where compile is called (see how to constracut z there)
@@ -119,6 +121,13 @@ func (z *zCtx) compile(comp *wizard.CompiledIOP) {
 			column.Shift(z.Zs[i], -1),
 		)
 	}
+
+	z.PI = comp.InsertColumn(
+		z.Round,
+		deriveName[ifaces.ColID]("PI", comp.SelfRecursionCount, z.Round, z.Size),
+		1,
+		column.PublicInput,
+	)
 }
 
 // attempt to take the subslice of a slice, and truncates or returns an empty

prover/protocol/wizard/compiled.go

@@ -120,6 +120,13 @@ type CompiledIOP struct {
 	//
 	// For efficiency reasons, the fiatShamirSetup is derived using SHA2.
 	fiatShamirSetup field.Element
+
+	// seed stores an initial value (instead of transcript of round 0) to update the Fiat-Shamir
+	// for the distributed compiler.
+	Seed field.Element
+
+	// HasSeed indicates if there is a valid seed to use for the distributed compilations
+	HasSeed bool
 }
 
 // NumRounds returns the total number of prover interactions with the verifier

prover/protocol/wizard/prover.go

@@ -480,46 +480,54 @@ func (run *ProverRuntime) goNextRound() {
 
 	if !run.Spec.DummyCompiled {
 
-		/*
-			Make sure that all messages have been written and use them
-			to update the FS state.  Note that we do not need to update
-			FS using the last round of the prover because he is always
-			the last one to "talk" in the protocol.
-		*/
-		start := run.FS.TranscriptSize
-		msgsToFS := run.Spec.Columns.AllKeysProofAt(run.currRound)
-		for _, msgName := range msgsToFS {
-			instance := run.GetMessage(msgName)
-			run.FS.UpdateSV(instance)
+		if run.Spec.HasSeed {
+			run.FS.Update(run.Spec.Seed)
+			logrus.Debugf("Fiat-shamir round %v - 1 seed elements in the transcript", run.currRound)
 		}
-		logrus.Debugf("Fiat-shamir round %v - %v proof elements in the transcript", run.currRound, run.FS.TranscriptSize-start)
-
-		/*
-			Make sure that all messages have been written and use them
-			to update the FS state.  Note that we do not need to update
-			FS using the last round of the prover because he is always
-			the last one to "talk" in the protocol.
-		*/
-		start = run.FS.TranscriptSize
-		msgsToFS = run.Spec.Columns.AllKeysPublicInputAt(run.currRound)
-		for _, msgName := range msgsToFS {
-			instance := run.GetMessage(msgName)
-			run.FS.UpdateSV(instance)
-		}
-		logrus.Debugf("Fiat-shamir round %v - %v public inputs in the transcript", run.currRound, run.FS.TranscriptSize-start)
-
-		/*
-			Also include the prover's allegations for all evaluations
-		*/
-		start = run.FS.TranscriptSize
-		paramsToFS := run.Spec.QueriesParams.AllKeysAt(run.currRound)
-		for _, qName := range paramsToFS {
-			// Implicitly, this will panic whenever we start supporting
-			// a new type of query params
-			params := run.QueriesParams.MustGet(qName)
-			params.UpdateFS(run.FS)
+		// we are using the seed rather than than the transcript of the first round.
+		if !run.Spec.HasSeed || run.currRound != 0 {
+
+			/*
+				Make sure that all messages have been written and use them
+				to update the FS state.  Note that we do not need to update
+				FS using the last round of the prover because he is always
+				the last one to "talk" in the protocol.
+			*/
+			start := run.FS.TranscriptSize
+			msgsToFS := run.Spec.Columns.AllKeysProofAt(run.currRound)
+			for _, msgName := range msgsToFS {
+				instance := run.GetMessage(msgName)
+				run.FS.UpdateSV(instance)
+			}
+			logrus.Debugf("Fiat-shamir round %v - %v proof elements in the transcript", run.currRound, run.FS.TranscriptSize-start)
+
+			/*
+				Make sure that all messages have been written and use them
+				to update the FS state.  Note that we do not need to update
+				FS using the last round of the prover because he is always
+				the last one to "talk" in the protocol.
+			*/
+			start = run.FS.TranscriptSize
+			msgsToFS = run.Spec.Columns.AllKeysPublicInputAt(run.currRound)
+			for _, msgName := range msgsToFS {
+				instance := run.GetMessage(msgName)
+				run.FS.UpdateSV(instance)
+			}
+			logrus.Debugf("Fiat-shamir round %v - %v public inputs in the transcript", run.currRound, run.FS.TranscriptSize-start)
+
+			/*
+				Also include the prover's allegations for all evaluations
+			*/
+			start = run.FS.TranscriptSize
+			paramsToFS := run.Spec.QueriesParams.AllKeysAt(run.currRound)
+			for _, qName := range paramsToFS {
+				// Implicitly, this will panic whenever we start supporting
+				// a new type of query params
+				params := run.QueriesParams.MustGet(qName)
+				params.UpdateFS(run.FS)
+			}
+			logrus.Debugf("Fiat-shamir round %v - %v query params in the transcript", run.currRound, run.FS.TranscriptSize-start)
 		}
-		logrus.Debugf("Fiat-shamir round %v - %v query params in the transcript", run.currRound, run.FS.TranscriptSize-start)
 	}
 
 	// Increment the number of rounds