- Generated by
1.9.8
|
Barretenberg
The ZK-SNARK library at the core of Aztec
|
The IVC scheme used by the aztec client for private function execution. More...
#include <client_ivc.hpp>
Classes | |
| struct | Proof |
| A full proof for the IVC scheme containing a Mega proof showing correctness of the hiding circuit (which recursive verified the last folding and decider proof) and a Goblin proof (translator VM, ECCVM and last merge proof). More... | |
| struct | StdlibVerifierInputs |
| struct | VerificationKey |
| struct | VerifierInputs |
Public Member Functions | |
| size_t | get_num_circuits () const |
| ClientIVC (size_t num_circuits, TraceSettings trace_settings={}) | |
| void | instantiate_stdlib_verification_queue (ClientCircuit &circuit, const std::vector< std::shared_ptr< RecursiveVKAndHash > > &input_keys={}) |
| Instantiate a stdlib verification queue for use in the kernel completion logic. | |
| std::tuple< std::shared_ptr< RecursiveDeciderVerificationKey >, PairingPoints, TableCommitments > | perform_recursive_verification_and_databus_consistency_checks (ClientCircuit &circuit, const StdlibVerifierInputs &verifier_inputs, const std::shared_ptr< RecursiveDeciderVerificationKey > &input_verifier_accumulator, const TableCommitments &T_prev_commitments, const std::shared_ptr< RecursiveTranscript > &accumulation_recursive_transcript) |
| Populate the provided circuit with constraints for (1) recursive verification of the provided accumulation proof and (2) the associated databus commitment consistency checks. | |
| void | complete_kernel_circuit_logic (ClientCircuit &circuit) |
| Append logic to complete a kernel circuit. | |
| void | accumulate (ClientCircuit &circuit, const std::shared_ptr< MegaVerificationKey > &precomputed_vk) |
| Perform prover work for accumulation (e.g. PG folding, merge proving) | |
| Proof | prove () |
| Construct a proof for the IVC, which, if verified, fully establishes its correctness. | |
| HonkProof | construct_mega_proof_for_hiding_kernel (ClientCircuit &circuit) |
| Construct a zero-knowledge proof for the hiding circuit, which recursively verifies the last folding, merge and decider proof. | |
| bool | verify (const Proof &proof) const |
| Verify a full proof of the IVC. | |
| bool | prove_and_verify () |
| Construct and verify a proof for the IVC. | |
| HonkProof | construct_decider_proof (const std::shared_ptr< Transcript > &transcript) |
| Internal method for constructing a decider proof. | |
| VerificationKey | get_vk () const |
Static Public Member Functions | |
| static void | hide_op_queue_accumulation_result (ClientCircuit &circuit) |
| Add a random operation to the op queue to hide its content in Translator computation. | |
| static bool | verify (const Proof &proof, const VerificationKey &vk) |
Public Attributes | |
| ExecutionTraceUsageTracker | trace_usage_tracker |
| size_t | num_circuits_accumulated = 0 |
| ProverFoldOutput | fold_output |
| HonkProof | decider_proof |
| std::shared_ptr< DeciderVerificationKey > | recursive_verifier_native_accum |
| std::shared_ptr< DeciderVerificationKey > | native_verifier_accum |
| std::shared_ptr< MegaVerificationKey > | honk_vk |
| VerificationQueue | verification_queue |
| StdlibVerificationQueue | stdlib_verification_queue |
| DataBusDepot | bus_depot |
| TraceSettings | trace_settings |
| MegaFlavor::CommitmentKey | bn254_commitment_key |
| Goblin | goblin |
Private Types | |
| using | ProverFoldOutput = FoldingResult< Flavor > |
Private Member Functions | |
| void | update_native_verifier_accumulator (const VerifierInputs &queue_entry, const std::shared_ptr< Transcript > &verifier_transcript) |
| Runs either Oink or PG native verifier to update the native verifier accumulator. | |
| HonkProof | construct_oink_proof (const std::shared_ptr< DeciderProvingKey > &proving_key, const std::shared_ptr< MegaVerificationKey > &honk_vk, const std::shared_ptr< Transcript > &transcript) |
| HonkProof | construct_pg_proof (const std::shared_ptr< DeciderProvingKey > &proving_key, const std::shared_ptr< MegaVerificationKey > &honk_vk, const std::shared_ptr< Transcript > &transcript, bool is_kernel) |
| QUEUE_TYPE | get_queue_type () const |
| Get queue type for the proof of a circuit about to be accumulated based on num circuits accumulated so far. | |
Static Private Member Functions | |
| static std::shared_ptr< RecursiveDeciderVerificationKey > | perform_oink_recursive_verification (ClientCircuit &circuit, const std::shared_ptr< RecursiveDeciderVerificationKey > &verifier_instance, const std::shared_ptr< RecursiveTranscript > &transcript, const StdlibProof &proof) |
| static std::shared_ptr< RecursiveDeciderVerificationKey > | perform_pg_recursive_verification (ClientCircuit &circuit, const std::shared_ptr< RecursiveDeciderVerificationKey > &verifier_accumulator, const std::shared_ptr< RecursiveDeciderVerificationKey > &verifier_instance, const std::shared_ptr< RecursiveTranscript > &transcript, const StdlibProof &proof, std::optional< StdlibFF > &prev_accum_hash, bool is_kernel) |
Private Attributes | |
| std::shared_ptr< Transcript > | transcript = std::make_shared<Transcript>() |
| std::shared_ptr< Transcript > | prover_accumulation_transcript = std::make_shared<Transcript>() |
| size_t | num_circuits |
The IVC scheme used by the aztec client for private function execution.
Combines Protogalaxy with Goblin to accumulate one circuit at a time with efficient EC group operations. It is assumed that the circuits being accumulated correspond alternatingly to an app and a kernel, as is the case in Aztec. Two recursive folding verifiers are appended to each kernel (except the first one) to verify the folding of a previous kernel and an app/function circuit. Due to this structure it is enforced that the total number of circuits being accumulated is even.
Definition at line 39 of file client_ivc.hpp.
Definition at line 81 of file client_ivc.hpp.
Definition at line 51 of file client_ivc.hpp.
Definition at line 76 of file client_ivc.hpp.
Definition at line 52 of file client_ivc.hpp.
Definition at line 48 of file client_ivc.hpp.
Definition at line 54 of file client_ivc.hpp.
| using bb::ClientIVC::DeciderRecursiveVerifier = stdlib::recursion::honk::DeciderRecursiveVerifier_<RecursiveFlavor> |
Definition at line 73 of file client_ivc.hpp.
Definition at line 50 of file client_ivc.hpp.
Definition at line 56 of file client_ivc.hpp.
Definition at line 53 of file client_ivc.hpp.
Definition at line 49 of file client_ivc.hpp.
Definition at line 58 of file client_ivc.hpp.
| using bb::ClientIVC::FF = Flavor::FF |
Definition at line 45 of file client_ivc.hpp.
| using bb::ClientIVC::Flavor = MegaFlavor |
Definition at line 42 of file client_ivc.hpp.
Definition at line 55 of file client_ivc.hpp.
| using bb::ClientIVC::FoldingRecursiveVerifier = bb::stdlib::recursion::honk::ProtogalaxyRecursiveVerifier_<RecursiveDeciderVerificationKeys> |
Definition at line 70 of file client_ivc.hpp.
Definition at line 57 of file client_ivc.hpp.
| using bb::ClientIVC::FoldProof = std::vector<FF> |
Definition at line 47 of file client_ivc.hpp.
Definition at line 80 of file client_ivc.hpp.
Definition at line 79 of file client_ivc.hpp.
| using bb::ClientIVC::MegaProver = UltraProver_<Flavor> |
Definition at line 60 of file client_ivc.hpp.
Definition at line 43 of file client_ivc.hpp.
Definition at line 61 of file client_ivc.hpp.
Definition at line 44 of file client_ivc.hpp.
| using bb::ClientIVC::OinkRecursiveVerifier = stdlib::recursion::honk::OinkRecursiveVerifier_<RecursiveFlavor> |
Definition at line 72 of file client_ivc.hpp.
Definition at line 77 of file client_ivc.hpp.
| using bb::ClientIVC::Point = Flavor::Curve::AffineElement |
Definition at line 46 of file client_ivc.hpp.
|
private |
Definition at line 206 of file client_ivc.hpp.
Definition at line 78 of file client_ivc.hpp.
Definition at line 67 of file client_ivc.hpp.
| using bb::ClientIVC::RecursiveDeciderVerificationKeys = bb::stdlib::recursion::honk::RecursiveDeciderVerificationKeys_<RecursiveFlavor, 2> |
Definition at line 65 of file client_ivc.hpp.
Definition at line 64 of file client_ivc.hpp.
Definition at line 74 of file client_ivc.hpp.
Definition at line 68 of file client_ivc.hpp.
Definition at line 69 of file client_ivc.hpp.
Definition at line 83 of file client_ivc.hpp.
Definition at line 82 of file client_ivc.hpp.
| using bb::ClientIVC::StdlibVerificationQueue = std::deque<StdlibVerifierInputs> |
Definition at line 200 of file client_ivc.hpp.
| using bb::ClientIVC::TableCommitments = std::array<RecursiveFlavor::Commitment, ClientCircuit::NUM_WIRES> |
Definition at line 87 of file client_ivc.hpp.
Definition at line 62 of file client_ivc.hpp.
Definition at line 59 of file client_ivc.hpp.
| using bb::ClientIVC::VerificationQueue = std::deque<VerifierInputs> |
Definition at line 191 of file client_ivc.hpp.
Definition at line 84 of file client_ivc.hpp.
|
strong |
| Enumerator | |
|---|---|
| OINK | |
| PG | |
| PG_FINAL | |
| PG_TAIL | |
| MEGA | |
Definition at line 176 of file client_ivc.hpp.
| bb::ClientIVC::ClientIVC | ( | size_t | num_circuits, |
| TraceSettings | trace_settings = {} |
||
| ) |
Definition at line 19 of file client_ivc.cpp.
| void bb::ClientIVC::accumulate | ( | ClientCircuit & | circuit, |
| const std::shared_ptr< MegaVerificationKey > & | precomputed_vk | ||
| ) |
Perform prover work for accumulation (e.g. PG folding, merge proving)
Execute prover work for accumulation.
| circuit | The incoming statement |
| precomputed_vk | The verification key of the incoming statement OR a mocked key whose metadata needs to be set using the proving key produced from circuit in order to pass some assertions in the Oink prover. |
| mock_vk | A boolean to say whether the precomputed vk should have its metadata set. |
Construct an proving key for the provided circuit. If this is the first step in the IVC, simply initialize the folding accumulator. Otherwise, execute the PG prover to fold the proving key into the accumulator and produce a folding proof. Also execute the merge protocol to produce a merge proof.
| circuit | this case, just produce a Honk proof for that circuit and do no folding. |
| precomputed_vk |
Definition at line 447 of file client_ivc.cpp.
| void bb::ClientIVC::complete_kernel_circuit_logic | ( | ClientCircuit & | circuit | ) |
Append logic to complete a kernel circuit.
A kernel circuit may contain some combination of PG recursive verification, merge recursive verification, and databus commitment consistency checks. This method appends this logic to a provided kernel circuit.
| circuit |
Definition at line 284 of file client_ivc.cpp.
| HonkProof bb::ClientIVC::construct_decider_proof | ( | const std::shared_ptr< Transcript > & | transcript | ) |
Internal method for constructing a decider proof.
Definition at line 615 of file client_ivc.cpp.
| HonkProof bb::ClientIVC::construct_mega_proof_for_hiding_kernel | ( | ClientCircuit & | circuit | ) |
Construct a zero-knowledge proof for the hiding circuit, which recursively verifies the last folding, merge and decider proof.
Definition at line 542 of file client_ivc.cpp.
|
private |
Definition at line 365 of file client_ivc.cpp.
|
private |
Definition at line 385 of file client_ivc.cpp.
|
inline |
Definition at line 242 of file client_ivc.hpp.
|
private |
Get queue type for the proof of a circuit about to be accumulated based on num circuits accumulated so far.
Definition at line 412 of file client_ivc.cpp.
| ClientIVC::VerificationKey bb::ClientIVC::get_vk | ( | ) | const |
Definition at line 734 of file client_ivc.cpp.
|
static |
Add a random operation to the op queue to hide its content in Translator computation.
Translator circuit builder computes the evaluation at some random challenge x of a batched polynomial derived from processing the ultra_op version of op_queue. This result (referred to as accumulated_result in translator) is included in the translator proof and, on the verifier side, checked against the same computation performed by ECCVM (this is done in verify_translation). To prevent leaking information about the actual accumulated_result (and implicitly about the ops) when the proof is sent to the rollup, a random but valid operation is added to the op queue, to ensure the polynomial over Grumpkin, whose evaluation is accumulated_result, has at least one random coefficient.
Definition at line 528 of file client_ivc.cpp.
| void bb::ClientIVC::instantiate_stdlib_verification_queue | ( | ClientCircuit & | circuit, |
| const std::vector< std::shared_ptr< RecursiveVKAndHash > > & | input_keys = {} |
||
| ) |
Instantiate a stdlib verification queue for use in the kernel completion logic.
Construct a stdlib proof/verification_key for each entry in the native verification queue. By default, both are constructed from their counterpart in the native queue. Alternatively, Stdlib verification keys can be provided directly as input to this method. (The later option is used, for example, when constructing recursive verifiers based on the verification key witnesses from an acir recursion constraint. This option is not provided for proofs since valid proof witnesses are in general not known at the time of acir constraint generation).
| circuit |
Definition at line 44 of file client_ivc.cpp.
|
staticprivate |
Definition at line 76 of file client_ivc.cpp.
|
staticprivate |
Definition at line 93 of file client_ivc.cpp.
| std::tuple< std::shared_ptr< ClientIVC::RecursiveDeciderVerificationKey >, ClientIVC::PairingPoints, ClientIVC::TableCommitments > bb::ClientIVC::perform_recursive_verification_and_databus_consistency_checks | ( | ClientCircuit & | circuit, |
| const StdlibVerifierInputs & | verifier_inputs, | ||
| const std::shared_ptr< RecursiveDeciderVerificationKey > & | input_verifier_accumulator, | ||
| const TableCommitments & | T_prev_commitments, | ||
| const std::shared_ptr< RecursiveTranscript > & | accumulation_recursive_transcript | ||
| ) |
Populate the provided circuit with constraints for (1) recursive verification of the provided accumulation proof and (2) the associated databus commitment consistency checks.
The recursive verifier will be either Oink or Protogalaxy depending on the specified proof type. In either case, the verifier accumulator is updated in place via the verification algorithm. Databus commitment consistency checks are performed on the witness commitments and public inputs extracted from the proof by the verifier. Merge verification is performed with commitments to the subtable t_j extracted from the PG verifier. The computed commitment T is propagated to the next step of recursive verification.
| circuit | |
| verifier_inputs | {proof, vkey, type (Oink/PG)} A set of inputs for recursive verification |
| merge_commitments | Container for the commitments for the Merge recursive verification to be performed |
| accumulation_recursive_transcript | Transcript shared across recursive verification of the folding of K_{i-1} (kernel), A_{i,1} (app), .., A_{i, n} (app) |
Definition at line 139 of file client_ivc.cpp.
| ClientIVC::Proof bb::ClientIVC::prove | ( | ) |
Construct a proof for the IVC, which, if verified, fully establishes its correctness.
Definition at line 560 of file client_ivc.cpp.
| bool bb::ClientIVC::prove_and_verify | ( | ) |
Construct and verify a proof for the IVC.
Definition at line 630 of file client_ivc.cpp.
|
private |
Runs either Oink or PG native verifier to update the native verifier accumulator.
| queue_entry | The verifier inputs from the queue. |
| verifier_transcript | Verifier transcript corresponding to the prover transcript. |
Definition at line 739 of file client_ivc.cpp.
| bool bb::ClientIVC::verify | ( | const Proof & | proof | ) | const |
Verify a full proof of the IVC.
| proof |
Definition at line 605 of file client_ivc.cpp.
|
static |
Definition at line 578 of file client_ivc.cpp.
| MegaFlavor::CommitmentKey bb::ClientIVC::bn254_commitment_key |
Definition at line 238 of file client_ivc.hpp.
| DataBusDepot bb::ClientIVC::bus_depot |
Definition at line 233 of file client_ivc.hpp.
| HonkProof bb::ClientIVC::decider_proof |
Definition at line 219 of file client_ivc.hpp.
| ProverFoldOutput bb::ClientIVC::fold_output |
Definition at line 218 of file client_ivc.hpp.
| Goblin bb::ClientIVC::goblin |
Definition at line 240 of file client_ivc.hpp.
| std::shared_ptr<MegaVerificationKey> bb::ClientIVC::honk_vk |
Definition at line 225 of file client_ivc.hpp.
| std::shared_ptr<DeciderVerificationKey> bb::ClientIVC::native_verifier_accum |
Definition at line 224 of file client_ivc.hpp.
|
private |
Definition at line 214 of file client_ivc.hpp.
| size_t bb::ClientIVC::num_circuits_accumulated = 0 |
Definition at line 216 of file client_ivc.hpp.
|
private |
Definition at line 212 of file client_ivc.hpp.
| std::shared_ptr<DeciderVerificationKey> bb::ClientIVC::recursive_verifier_native_accum |
Definition at line 222 of file client_ivc.hpp.
| StdlibVerificationQueue bb::ClientIVC::stdlib_verification_queue |
Definition at line 230 of file client_ivc.hpp.
| TraceSettings bb::ClientIVC::trace_settings |
Definition at line 236 of file client_ivc.hpp.
| ExecutionTraceUsageTracker bb::ClientIVC::trace_usage_tracker |
Definition at line 203 of file client_ivc.hpp.
|
private |
Definition at line 209 of file client_ivc.hpp.
| VerificationQueue bb::ClientIVC::verification_queue |
Definition at line 228 of file client_ivc.hpp.
1.9.8