Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
decider_verifier.cpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: not started, auditors: [], date: YYYY-MM-DD }
3// external_1: { status: not started, auditors: [], date: YYYY-MM-DD }
4// external_2: { status: not started, auditors: [], date: YYYY-MM-DD }
5// =====================
6
7#include "decider_verifier.hpp"
8#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp"
9#include "barretenberg/numeric/bitop/get_msb.hpp"
10#include "barretenberg/stdlib/primitives/padding_indicator_array/padding_indicator_array.hpp"
11#include "barretenberg/sumcheck/sumcheck.hpp"
12#include "barretenberg/transcript/transcript.hpp"
13#include "barretenberg/ultra_honk/decider_verification_key.hpp"
14
15namespace bb {
16
17template <typename Flavor>
18DeciderVerifier_<Flavor>::DeciderVerifier_(const std::shared_ptr<DeciderVerificationKey>& accumulator,
19 const std::shared_ptr<Transcript>& transcript)
20 : accumulator(accumulator)
21 , transcript(transcript)
22{}
23
27template <typename Flavor>
28typename DeciderVerifier_<Flavor>::Output DeciderVerifier_<Flavor>::verify_proof(const DeciderProof& proof)
29{
30 transcript->load_proof(proof);
31 return verify();
32}
33
38template <typename Flavor> typename DeciderVerifier_<Flavor>::Output DeciderVerifier_<Flavor>::verify()
39{
40 using PCS = typename Flavor::PCS;
41 using Curve = typename Flavor::Curve;
42 using Shplemini = ShpleminiVerifier_<Curve>;
43 using VerifierCommitments = typename Flavor::VerifierCommitments;
44 using ClaimBatcher = ClaimBatcher_<Curve>;
45 using ClaimBatch = ClaimBatcher::Batch;
46
47 VerifierCommitments commitments{ accumulator->vk, accumulator->witness_commitments };
48
49 const size_t log_circuit_size = static_cast<size_t>(accumulator->vk->log_circuit_size);
50
51 const size_t virtual_log_n = Flavor::USE_PADDING ? Flavor::VIRTUAL_LOG_N : log_circuit_size;
52
53 std::vector<FF> padding_indicator_array(virtual_log_n, 1);
54 if constexpr (Flavor::HasZK) {
55 for (size_t idx = 0; idx < virtual_log_n; idx++) {
56 padding_indicator_array[idx] = (idx < log_circuit_size) ? FF{ 1 } : FF{ 0 };
57 }
58 }
59
60 SumcheckVerifier<Flavor> sumcheck(transcript, accumulator->alphas, virtual_log_n, accumulator->target_sum);
61 // For MegaZKFlavor: receive commitments to Libra masking polynomials
62 std::array<Commitment, NUM_LIBRA_COMMITMENTS> libra_commitments = {};
63 if constexpr (Flavor::HasZK) {
64 libra_commitments[0] = transcript->template receive_from_prover<Commitment>("Libra:concatenation_commitment");
65 }
66 SumcheckOutput<Flavor> sumcheck_output =
67 sumcheck.verify(accumulator->relation_parameters, accumulator->gate_challenges, padding_indicator_array);
68
69 // For MegaZKFlavor: the sumcheck output contains claimed evaluations of the Libra polynomials
70 if constexpr (Flavor::HasZK) {
71 libra_commitments[1] = transcript->template receive_from_prover<Commitment>("Libra:grand_sum_commitment");
72 libra_commitments[2] = transcript->template receive_from_prover<Commitment>("Libra:quotient_commitment");
73 }
74
75 bool consistency_checked = true;
76 ClaimBatcher claim_batcher{
77 .unshifted = ClaimBatch{ commitments.get_unshifted(), sumcheck_output.claimed_evaluations.get_unshifted() },
78 .shifted = ClaimBatch{ commitments.get_to_be_shifted(), sumcheck_output.claimed_evaluations.get_shifted() }
79 };
80 const BatchOpeningClaim<Curve> opening_claim =
81 Shplemini::compute_batch_opening_claim(padding_indicator_array,
82 claim_batcher,
83 sumcheck_output.challenge,
84 Commitment::one(),
85 transcript,
86 Flavor::REPEATED_COMMITMENTS,
87 Flavor::HasZK,
88 &consistency_checked,
89 libra_commitments,
90 sumcheck_output.claimed_libra_evaluation);
91
92 const auto pairing_points = PCS::reduce_verify_batch_opening_claim(opening_claim, transcript);
93
94 return Output{ sumcheck_output.verified, consistency_checked, { pairing_points[0], pairing_points[1] } };
95}
96
97template class DeciderVerifier_<UltraFlavor>;
98template class DeciderVerifier_<UltraZKFlavor>;
99template class DeciderVerifier_<UltraKeccakFlavor>;
100#ifdef STARKNET_GARAGA_FLAVORS
101template class DeciderVerifier_<UltraStarknetFlavor>;
102template class DeciderVerifier_<UltraStarknetZKFlavor>;
103#endif
104template class DeciderVerifier_<UltraKeccakZKFlavor>;
105template class DeciderVerifier_<UltraRollupFlavor>;
106template class DeciderVerifier_<MegaFlavor>;
107template class DeciderVerifier_<MegaZKFlavor>;
108
109} // namespace bb
bb::DeciderVerifier_
Definition decider_verifier.hpp:17
bb::DeciderVerifier_::verify
Output verify()
Verify a decider proof that is assumed to be contained in the transcript.
Definition decider_verifier.cpp:38
bb::DeciderVerifier_::FF
typename Flavor::FF FF
Definition decider_verifier.hpp:18
bb::DeciderVerifier_::DeciderProof
typename Transcript::Proof DeciderProof
Definition decider_verifier.hpp:23
bb::DeciderVerifier_::verify_proof
Output verify_proof(const DeciderProof &)
Verify a decider proof relative to a decider verification key (ϕ, \vec{β*}, e*).
Definition decider_verifier.cpp:28
bb::DeciderVerifier_::DeciderVerifier_
DeciderVerifier_()
bb::MegaFlavor::REPEATED_COMMITMENTS
static constexpr RepeatedCommitmentsData REPEATED_COMMITMENTS
Definition mega_flavor.hpp:71
bb::MegaFlavor::Curve
curve::BN254 Curve
Definition mega_flavor.hpp:36
bb::MegaFlavor::HasZK
static constexpr bool HasZK
Definition mega_flavor.hpp:53
bb::MegaFlavor::VIRTUAL_LOG_N
static constexpr size_t VIRTUAL_LOG_N
Definition mega_flavor.hpp:49
bb::MegaFlavor::USE_PADDING
static constexpr bool USE_PADDING
Definition mega_flavor.hpp:56
bb::MegaFlavor::PCS
KZG< Curve > PCS
Definition mega_flavor.hpp:40
bb::MegaFlavor::VerifierCommitments
VerifierCommitments_< Commitment, VerificationKey > VerifierCommitments
Definition mega_flavor.hpp:648
bb::ShpleminiVerifier_
An efficient verifier for the evaluation proofs of multilinear polynomials and their shifts.
Definition shplemini.hpp:189
bb::SumcheckVerifier
Implementation of the sumcheck Verifier for statements of the form for multilinear polynomials .
Definition sumcheck.hpp:645
bb::SumcheckVerifier::verify
SumcheckOutput< Flavor > verify(const bb::RelationParameters< FF > &relation_parameters, std::vector< FF > &gate_challenges, const std::vector< FF > &padding_indicator_array)
Extract round univariate, check sum, generate challenge, compute next target sum.....
Definition sumcheck.hpp:718
decider_verification_key.hpp
decider_verifier.hpp
get_msb.hpp
bb
Entry point for Barretenberg command-line interface.
Definition acir_format_getters.cpp:6
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
padding_indicator_array.hpp
For a small integer N = virtual_log_n and a given witness x = log_n, compute in-circuit an indicator_...
bb::BatchOpeningClaim
An accumulator consisting of the Shplonk evaluation challenge and vectors of commitments and scalars.
Definition claim.hpp:169
bb::ClaimBatcher_
Logic to support batching opening claims for unshifted and shifted polynomials in Shplemini.
Definition claim_batcher.hpp:27
bb::DeciderVerifier_::Output
Definition decider_verifier.hpp:26
bb::SumcheckOutput
Contains the evaluations of multilinear polynomials at the challenge point . These are computed by S...
Definition sumcheck_output.hpp:22
bb::SumcheckOutput::claimed_evaluations
ClaimedEvaluations claimed_evaluations
Definition sumcheck_output.hpp:30
bb::SumcheckOutput::challenge
std::vector< FF > challenge
Definition sumcheck_output.hpp:28