Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
eccvm.test.cpp
Go to the documentation of this file.
1#include <cstddef>
2#include <cstdint>
3#include <gtest/gtest.h>
4#include <vector>
5
6#include "barretenberg/commitment_schemes/verification_key.hpp"
7#include "barretenberg/ecc/curves/grumpkin/grumpkin.hpp"
8#include "barretenberg/eccvm/eccvm_circuit_builder.hpp"
9#include "barretenberg/eccvm/eccvm_prover.hpp"
10#include "barretenberg/eccvm/eccvm_verifier.hpp"
11#include "barretenberg/honk/library/grand_product_delta.hpp"
12#include "barretenberg/numeric/uint256/uint256.hpp"
13#include "barretenberg/relations/permutation_relation.hpp"
14#include "barretenberg/relations/relation_parameters.hpp"
15#include "barretenberg/srs/global_crs.hpp"
16#include "barretenberg/sumcheck/sumcheck.hpp"
17#include "barretenberg/sumcheck/sumcheck_round.hpp"
18
19using namespace bb;
20using FF = ECCVMFlavor::FF;
21using PK = ECCVMFlavor::ProvingKey;
22using Transcript = ECCVMFlavor::Transcript;
23class ECCVMTests : public ::testing::Test {
24 protected:
25 void SetUp() override { srs::init_file_crs_factory(bb::srs::bb_crs_path()); };
26};
27namespace {
28auto& engine = numeric::get_debug_randomness();
29}
30
37ECCVMCircuitBuilder generate_circuit(numeric::RNG* engine = nullptr)
38{
39 using Curve = curve::BN254;
40 using G1 = Curve::Element;
41 using Fr = Curve::ScalarField;
42
43 std::shared_ptr<ECCOpQueue> op_queue = std::make_shared<ECCOpQueue>();
44 G1 a = G1::random_element(engine);
45 G1 b = G1::random_element(engine);
46 G1 c = G1::random_element(engine);
47 Fr x = Fr::random_element(engine);
48 Fr y = Fr::random_element(engine);
49
50 op_queue->add_accumulate(a);
51 op_queue->mul_accumulate(a, x);
52 op_queue->mul_accumulate(b, x);
53 op_queue->mul_accumulate(b, y);
54 op_queue->add_accumulate(a);
55 op_queue->mul_accumulate(b, x);
56 op_queue->eq_and_reset();
57 op_queue->add_accumulate(c);
58 op_queue->mul_accumulate(a, x);
59 op_queue->mul_accumulate(b, x);
60 op_queue->eq_and_reset();
61 op_queue->mul_accumulate(a, x);
62 op_queue->mul_accumulate(b, x);
63 op_queue->mul_accumulate(c, x);
64 op_queue->merge();
65 ECCVMCircuitBuilder builder{ op_queue };
66 return builder;
67}
68
69ECCVMCircuitBuilder generate_zero_circuit([[maybe_unused]] numeric::RNG* engine = nullptr)
70{
71 using Curve = curve::BN254;
72 using G1 = Curve::Element;
73 using Fr = Curve::ScalarField;
74
75 std::shared_ptr<ECCOpQueue> op_queue = std::make_shared<ECCOpQueue>();
76 [[maybe_unused]] G1 a = G1::random_element(engine);
77
78 [[maybe_unused]] Fr x = Fr::random_element(engine);
79 for (auto i = 0; i < 8; i++) {
80 op_queue->mul_accumulate(Curve::Group::affine_point_at_infinity, 0);
81 }
82 op_queue->merge();
83
84 ECCVMCircuitBuilder builder{ op_queue };
85 return builder;
86}
87
88void complete_proving_key_for_test(bb::RelationParameters<FF>& relation_parameters,
89 std::shared_ptr<PK>& pk,
90 std::vector<FF>& gate_challenges)
91{
92 // Prepare the inputs for the sumcheck prover:
93 // Compute and add beta to relation parameters
94 const FF beta = FF::random_element();
95 const FF gamma = FF::random_element();
96 const FF beta_sqr = beta * beta;
97 relation_parameters.gamma = gamma;
98 relation_parameters.beta = beta;
99 relation_parameters.beta_sqr = beta_sqr;
100 relation_parameters.beta_cube = beta_sqr * beta;
101 relation_parameters.eccvm_set_permutation_delta =
102 gamma * (gamma + beta_sqr) * (gamma + beta_sqr + beta_sqr) * (gamma + beta_sqr + beta_sqr + beta_sqr);
103 relation_parameters.eccvm_set_permutation_delta = relation_parameters.eccvm_set_permutation_delta.invert();
104
105 const size_t unmasked_witness_size = pk->circuit_size - NUM_DISABLED_ROWS_IN_SUMCHECK;
106 // Compute z_perm and inverse polynomial for our logarithmic-derivative lookup method
107 compute_logderivative_inverse<FF, ECCVMFlavor::LookupRelation>(
108 pk->polynomials, relation_parameters, unmasked_witness_size);
109 compute_grand_products<ECCVMFlavor>(pk->polynomials, relation_parameters, unmasked_witness_size);
110
111 // Generate gate challenges
112 for (size_t idx = 0; idx < CONST_ECCVM_LOG_N; idx++) {
113 gate_challenges[idx] = FF::random_element();
114 }
115}
116TEST_F(ECCVMTests, Zeroes)
117{
118 ECCVMCircuitBuilder builder = generate_zero_circuit(&engine);
119
120 std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();
121 ECCVMProver prover(builder, prover_transcript);
122 ECCVMProof proof = prover.construct_proof();
123
124 std::shared_ptr<Transcript> verifier_transcript = std::make_shared<Transcript>();
125 ECCVMVerifier verifier(verifier_transcript);
126 bool verified = verifier.verify_proof(proof);
127
128 ASSERT_TRUE(verified);
129}
137TEST_F(ECCVMTests, ProofLengthCheck)
138{
139 ECCVMCircuitBuilder builder = generate_circuit(&engine);
140
141 std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();
142 ECCVMProver prover(builder, prover_transcript);
143 ECCVMProof proof = prover.construct_proof();
144 EXPECT_EQ(proof.size(), ECCVMFlavor::PROOF_LENGTH_WITHOUT_PUB_INPUTS);
145}
146
147TEST_F(ECCVMTests, BaseCaseFixedSize)
148{
149 ECCVMCircuitBuilder builder = generate_circuit(&engine);
150
151 std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();
152 ECCVMProver prover(builder, prover_transcript);
153 ECCVMProof proof = prover.construct_proof();
154
155 std::shared_ptr<Transcript> verifier_transcript = std::make_shared<Transcript>();
156 ECCVMVerifier verifier(verifier_transcript);
157 bool verified = verifier.verify_proof(proof);
158
159 ASSERT_TRUE(verified);
160}
161
162TEST_F(ECCVMTests, EqFailsFixedSize)
163{
164 auto builder = generate_circuit(&engine);
165 // Tamper with the eq op such that the expected value is incorect
166 builder.op_queue->add_erroneous_equality_op_for_testing();
167 builder.op_queue->merge();
168
169 std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();
170 ECCVMProver prover(builder, prover_transcript);
171
172 ECCVMProof proof = prover.construct_proof();
173
174 std::shared_ptr<Transcript> verifier_transcript = std::make_shared<Transcript>();
175 ECCVMVerifier verifier(verifier_transcript);
176 bool verified = verifier.verify_proof(proof);
177 ASSERT_FALSE(verified);
178}
179
180TEST_F(ECCVMTests, CommittedSumcheck)
181{
182 using Flavor = ECCVMFlavor;
183 using ProvingKey = ECCVMFlavor::ProvingKey;
184 using FF = ECCVMFlavor::FF;
185 using Transcript = Flavor::Transcript;
186 using ZKData = ZKSumcheckData<Flavor>;
187
188 bb::RelationParameters<FF> relation_parameters;
189 std::vector<FF> gate_challenges(CONST_ECCVM_LOG_N);
190
191 ECCVMCircuitBuilder builder = generate_circuit(&engine);
192 std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();
193 ECCVMProver prover(builder, prover_transcript);
194 auto pk = std::make_shared<ProvingKey>(builder);
195
196 // Prepare the inputs for the sumcheck prover:
197 // Compute and add beta to relation parameters
198 const FF alpha = FF::random_element();
199 complete_proving_key_for_test(relation_parameters, pk, gate_challenges);
200
201 // Clear the transcript
202 prover_transcript = std::make_shared<Transcript>();
203
204 // Run Sumcheck on the ECCVM Prover polynomials
205 using SumcheckProver = SumcheckProver<ECCVMFlavor>;
206 SumcheckProver sumcheck_prover(pk->circuit_size,
207 pk->polynomials,
208 prover_transcript,
209 alpha,
210 gate_challenges,
211 relation_parameters,
212 CONST_ECCVM_LOG_N);
213
214 ZKData zk_sumcheck_data = ZKData(CONST_ECCVM_LOG_N, prover_transcript);
215
216 auto prover_output = sumcheck_prover.prove(zk_sumcheck_data);
217
218 std::shared_ptr<Transcript> verifier_transcript = std::make_shared<Transcript>();
219 verifier_transcript->load_proof(prover_transcript->export_proof());
220
221 // Execute Sumcheck Verifier
222 SumcheckVerifier<Flavor> sumcheck_verifier(verifier_transcript, alpha, CONST_ECCVM_LOG_N);
223 SumcheckOutput<ECCVMFlavor> verifier_output = sumcheck_verifier.verify(relation_parameters, gate_challenges);
224
225 // Evaluate prover's round univariates at corresponding challenges and compare them with the claimed evaluations
226 // computed by the verifier
227 for (size_t idx = 0; idx < CONST_ECCVM_LOG_N; idx++) {
228 FF true_eval_at_the_challenge = prover_output.round_univariates[idx].evaluate(prover_output.challenge[idx]);
229 FF verifier_eval_at_the_challenge = verifier_output.round_univariate_evaluations[idx][2];
230 EXPECT_TRUE(true_eval_at_the_challenge == verifier_eval_at_the_challenge);
231 }
232
233 // Check that the first sumcheck univariate is consistent with the claimed ZK Sumchek Sum
234 FF prover_target_sum = zk_sumcheck_data.libra_challenge * zk_sumcheck_data.libra_total_sum;
235
236 EXPECT_TRUE(prover_target_sum == verifier_output.round_univariate_evaluations[0][0] +
237 verifier_output.round_univariate_evaluations[0][1]);
238
239 EXPECT_TRUE(verifier_output.verified);
240}
241
248TEST_F(ECCVMTests, FixedVK)
249{
250 // Generate a circuit and its verification key (computed at runtime from the proving key)
251 ECCVMCircuitBuilder builder = generate_circuit(&engine);
252 std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();
253 ECCVMProver prover(builder, prover_transcript);
254
255 std::shared_ptr<Transcript> verifier_transcript = std::make_shared<Transcript>();
256 ECCVMVerifier verifier(verifier_transcript);
257
258 // Generate the default fixed VK
259 ECCVMFlavor::VerificationKey fixed_vk{};
260 // Generate a VK from PK
261 ECCVMFlavor::VerificationKey vk_computed_by_prover(prover.key);
262
263 // Set verifier PCS key to null in both the fixed VK and the generated VK
264 fixed_vk.pcs_verification_key = VerifierCommitmentKey<curve::Grumpkin>();
265 vk_computed_by_prover.pcs_verification_key = VerifierCommitmentKey<curve::Grumpkin>();
266
267 auto labels = verifier.key->get_labels();
268 size_t index = 0;
269 for (auto [vk_commitment, fixed_commitment] : zip_view(vk_computed_by_prover.get_all(), fixed_vk.get_all())) {
270 EXPECT_EQ(vk_commitment, fixed_commitment)
271 << "Mismatch between vk_commitment and fixed_commitment at label: " << labels[index];
272 ++index;
273 }
274
275 // Check that the fixed VK is equal to the generated VK
276 EXPECT_EQ(fixed_vk, vk_computed_by_prover);
277}
ECCVMTests::SetUp
void SetUp() override
Definition eccvm.test.cpp:25
bb::BaseTranscript
Common transcript class for both parties. Stores the data for the current round, as well as the manif...
Definition transcript.hpp:154
bb::ECCVMFlavor::ProvingKey
The proving key is responsible for storing the polynomials used by the prover.
Definition eccvm_flavor.hpp:764
bb::ECCVMFlavor::VerificationKey
The verification key is responsible for storing the commitments to the precomputed (non-witnessk) pol...
Definition eccvm_flavor.hpp:790
bb::ECCVMFlavor::VerificationKey::pcs_verification_key
VerifierCommitmentKey pcs_verification_key
Definition eccvm_flavor.hpp:799
bb::ECCVMFlavor::FF
typename Curve::ScalarField FF
Definition eccvm_flavor.hpp:41
bb::ECCVMFlavor::PROOF_LENGTH_WITHOUT_PUB_INPUTS
static constexpr size_t PROOF_LENGTH_WITHOUT_PUB_INPUTS
Definition eccvm_flavor.hpp:116
bb::ECCVMFlavor::Transcript
NativeTranscript Transcript
Definition eccvm_flavor.hpp:49
bb::ECCVMProver::construct_proof
ECCVMProof construct_proof()
Definition eccvm_prover.cpp:208
bb::ECCVMProver::key
std::shared_ptr< ProvingKey > key
Definition eccvm_prover.hpp:76
bb::ECCVMVerifier::verify_proof
bool verify_proof(const ECCVMProof &proof)
This function verifies an ECCVM Honk proof for given program settings.
Definition eccvm_verifier.cpp:18
bb::ECCVMVerifier::key
std::shared_ptr< VerificationKey > key
Definition eccvm_verifier.hpp:39
bb::MegaFlavor::Transcript
NativeTranscript Transcript
Definition mega_flavor.hpp:45
bb::SumcheckProver
The implementation of the sumcheck Prover for statements of the form for multilinear polynomials .
Definition sumcheck.hpp:123
bb::SumcheckProver::prove
SumcheckOutput< Flavor > prove()
Non-ZK version: Compute round univariate, place it in transcript, compute challenge,...
Definition sumcheck.hpp:231
bb::SumcheckVerifier
Implementation of the sumcheck Verifier for statements of the form for multilinear polynomials .
Definition sumcheck.hpp:645
bb::SumcheckVerifier::verify
SumcheckOutput< Flavor > verify(const bb::RelationParameters< FF > &relation_parameters, std::vector< FF > &gate_challenges, const std::vector< FF > &padding_indicator_array)
Extract round univariate, check sum, generate challenge, compute next target sum.....
Definition sumcheck.hpp:718
bb::VerifierCommitmentKey
Representation of the Grumpkin Verifier Commitment Key inside a bn254 circuit.
Definition verifier_commitment_key.hpp:16
bb::curve::Grumpkin::Element
typename Group::element Element
Definition grumpkin.hpp:55
zip_view
Definition zip_view.hpp:166
builder
AluTraceBuilder builder
Definition alu.test.cpp:123
a
FF a
Definition field_gt.test.cpp:51
b
FF b
Definition field_gt.test.cpp:52
complete_proving_key_for_test
void complete_proving_key_for_test(bb::RelationParameters< FF > &relation_parameters, std::shared_ptr< PK > &pk, std::vector< FF > &gate_challenges)
Definition eccvm.test.cpp:88
generate_zero_circuit
ECCVMCircuitBuilder generate_zero_circuit(numeric::RNG *engine=nullptr)
Definition eccvm.test.cpp:69
generate_circuit
ECCVMCircuitBuilder generate_circuit(numeric::RNG *engine=nullptr)
Adds operations in BN254 to the op_queue and then constructs and ECCVM circuit from the op_queue.
Definition eccvm.test.cpp:37
eccvm_circuit_builder.hpp
eccvm_prover.hpp
engine
numeric::RNG & engine
Definition eccvm_transcript.test.cpp:282
eccvm_verifier.hpp
global_crs.hpp
grand_product_delta.hpp
bb::numeric::get_debug_randomness
RNG & get_debug_randomness(bool reset, std::uint_fast64_t seed)
Definition engine.cpp:190
bb::srs::bb_crs_path
std::filesystem::path bb_crs_path()
Definition global_crs.cpp:14
bb::srs::init_file_crs_factory
void init_file_crs_factory(const std::filesystem::path &path)
Definition global_crs.hpp:14
bb
Entry point for Barretenberg command-line interface.
Definition acir_format_getters.cpp:6
bb::TEST_F
TEST_F(IPATest, ChallengesAreZero)
Definition ipa.test.cpp:123
bb::FF
typename Flavor::FF FF
Definition protogalaxy.bench.cpp:16
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
permutation_relation.hpp
G1
Curve::AffineElement G1
Definition pippenger.bench.cpp:29
relation_parameters.hpp
bb::ECCVMProof::size
size_t size() const
Definition proof.hpp:27
bb::RelationParameters
Container for parameters used by the grand product (permutation, lookup) Honk relations.
Definition relation_parameters.hpp:19
bb::SumcheckOutput
Contains the evaluations of multilinear polynomials at the challenge point . These are computed by S...
Definition sumcheck_output.hpp:22
bb::SumcheckOutput::round_univariate_evaluations
std::vector< std::array< FF, 3 > > round_univariate_evaluations
Definition sumcheck_output.hpp:41
bb::ZKSumcheckData
This structure is created to contain various polynomials and constants required by ZK Sumcheck.
Definition zk_sumcheck_data.hpp:22
bb::field< Bn254FrParams >::random_element
static field random_element(numeric::RNG *engine=nullptr) noexcept
Definition field_impl.hpp:665
sumcheck_round.hpp
verification_key.hpp