Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
merge_verifier.test.cpp
Go to the documentation of this file.
1#include "barretenberg/ultra_honk/merge_verifier.hpp"
2#include "barretenberg/circuit_checker/circuit_checker.hpp"
3#include "barretenberg/common/test.hpp"
4#include "barretenberg/ecc/fields/field_conversion.hpp"
5#include "barretenberg/goblin/mock_circuits.hpp"
6#include "barretenberg/stdlib/merge_verifier/merge_recursive_verifier.hpp"
7#include "barretenberg/stdlib/primitives/curves/bn254.hpp"
8#include "barretenberg/ultra_honk/merge_prover.hpp"
9#include "barretenberg/ultra_honk/ultra_prover.hpp"
10#include "barretenberg/ultra_honk/ultra_verifier.hpp"
11
12namespace bb::stdlib::recursion::goblin {
13
21template <class RecursiveBuilder> class RecursiveMergeVerifierTest : public testing::Test {
22
23 // Types for recursive verifier circuit
24 using RecursiveMergeVerifier = MergeRecursiveVerifier_<RecursiveBuilder>;
25 using RecursiveTableCommitments = MergeRecursiveVerifier_<RecursiveBuilder>::TableCommitments;
26 using RecursiveMergeCommitments = MergeRecursiveVerifier_<RecursiveBuilder>::InputCommitments;
27
28 // Define types relevant for inner circuit
29 using InnerFlavor = MegaFlavor;
30 using InnerDeciderProvingKey = DeciderProvingKey_<InnerFlavor>;
31 using InnerBuilder = typename InnerFlavor::CircuitBuilder;
32
33 // Define additional types for testing purposes
34 using Commitment = InnerFlavor::Commitment;
35 using FF = InnerFlavor::FF;
36 using VerifierCommitmentKey = bb::VerifierCommitmentKey<curve::BN254>;
37 using MergeProof = MergeProver::MergeProof;
38 using TableCommitments = MergeVerifier::TableCommitments;
39 using MergeCommitments = MergeVerifier::InputCommitments;
40
41 enum class TamperProofMode { None, Shift, MCommitment, LEval };
42
43 public:
44 static void SetUpTestSuite() { bb::srs::init_file_crs_factory(bb::srs::bb_crs_path()); }
45
46 static void tamper_with_proof(MergeProof& merge_proof, const TamperProofMode tampering_mode)
47 {
48 const size_t shift_idx = 0; // Index of shift_size in the merge proof
49 const size_t m_commitment_idx = 1; // Index of first commitment to merged table in merge proof
50 const size_t l_eval_idx = 34; // Index of first evaluation of l(1/kappa) in merge proof
51
52 switch (tampering_mode) {
53 case TamperProofMode::Shift:
54 // Tamper with the shift size in the proof
55 merge_proof[shift_idx] += 1;
56 break;
57 case TamperProofMode::MCommitment: {
58 // Tamper with the commitment in the proof
59 Commitment m_commitment =
60 bb::field_conversion::convert_from_bn254_frs<Commitment>(std::span{ merge_proof }.subspan(
61 m_commitment_idx, bb::field_conversion::calc_num_bn254_frs<Commitment>()));
62 m_commitment = m_commitment + Commitment::one();
63 auto m_commitment_frs = bb::field_conversion::convert_to_bn254_frs<Commitment>(m_commitment);
64 for (size_t idx = 0; idx < 4; ++idx) {
65 merge_proof[m_commitment_idx + idx] = m_commitment_frs[idx];
66 }
67 break;
68 }
69 case TamperProofMode::LEval:
70 // Tamper with the evaluation in the proof
71 merge_proof[l_eval_idx] -= FF(1);
72 break;
73 default:
74 // Nothing to do
75 break;
76 }
77 }
78
79 static void prove_and_verify_merge(const std::shared_ptr<ECCOpQueue>& op_queue,
80 const MergeSettings settings = MergeSettings::PREPEND,
81 const TamperProofMode tampering_mode = TamperProofMode::None,
82 const bool expected = true)
83 {
84 RecursiveBuilder outer_circuit;
85
86 MergeProver merge_prover{ op_queue, settings };
87 auto merge_proof = merge_prover.construct_proof();
88 tamper_with_proof(merge_proof, tampering_mode);
89
90 // Subtable values and commitments - needed for (Recursive)MergeVerifier
91 MergeCommitments merge_commitments;
92 RecursiveMergeCommitments recursive_merge_commitments;
93 auto t_current = op_queue->construct_current_ultra_ops_subtable_columns();
94 auto T_prev = op_queue->construct_previous_ultra_ops_table_columns();
95 for (size_t idx = 0; idx < InnerFlavor::NUM_WIRES; idx++) {
96 merge_commitments.t_commitments[idx] = merge_prover.pcs_commitment_key.commit(t_current[idx]);
97 merge_commitments.T_prev_commitments[idx] = merge_prover.pcs_commitment_key.commit(T_prev[idx]);
98 recursive_merge_commitments.t_commitments[idx] =
99 RecursiveMergeVerifier::Commitment::from_witness(&outer_circuit, merge_commitments.t_commitments[idx]);
100 recursive_merge_commitments.T_prev_commitments[idx] = RecursiveMergeVerifier::Commitment::from_witness(
101 &outer_circuit, merge_commitments.T_prev_commitments[idx]);
102 }
103
104 // Create a recursive merge verification circuit for the merge proof
105 RecursiveMergeVerifier verifier{ &outer_circuit, settings };
106 verifier.transcript->enable_manifest();
107 const stdlib::Proof<RecursiveBuilder> stdlib_merge_proof(outer_circuit, merge_proof);
108 auto [pairing_points, recursive_merged_table_commitments] =
109 verifier.verify_proof(stdlib_merge_proof, recursive_merge_commitments);
110
111 // Check for a failure flag in the recursive verifier circuit
112 EXPECT_EQ(outer_circuit.failed(), !expected) << outer_circuit.err();
113
114 // Check 1: Perform native merge verification then perform the pairing on the outputs of the recursive merge
115 // verifier and check that the result agrees.
116 MergeVerifier native_verifier{ settings };
117 native_verifier.transcript->enable_manifest();
118 auto [verified_native, merged_table_commitments] = native_verifier.verify_proof(merge_proof, merge_commitments);
119 VerifierCommitmentKey pcs_verification_key;
120 bool verified_recursive =
121 pcs_verification_key.pairing_check(pairing_points.P0.get_value(), pairing_points.P1.get_value());
122 EXPECT_EQ(verified_native, verified_recursive);
123 EXPECT_EQ(verified_recursive, expected);
124
125 // Check 2: Ensure that the underlying native and recursive merge verification algorithms agree by ensuring
126 // the manifests produced by each agree.
127 auto recursive_manifest = verifier.transcript->get_manifest();
128 auto native_manifest = native_verifier.transcript->get_manifest();
129 for (size_t i = 0; i < recursive_manifest.size(); ++i) {
130 EXPECT_EQ(recursive_manifest[i], native_manifest[i]);
131 }
132 }
133
137 static void test_degree_check_failure()
138 {
139 auto op_queue = std::make_shared<ECCOpQueue>();
140
141 InnerBuilder circuit{ op_queue };
142 GoblinMockCircuits::construct_simple_circuit(circuit);
143 prove_and_verify_merge(op_queue, MergeSettings::PREPEND, TamperProofMode::Shift, false);
144 }
145
149 static void test_merge_failure()
150 {
151 auto op_queue = std::make_shared<ECCOpQueue>();
152
153 InnerBuilder circuit{ op_queue };
154 GoblinMockCircuits::construct_simple_circuit(circuit);
155 prove_and_verify_merge(op_queue, MergeSettings::PREPEND, TamperProofMode::MCommitment, false);
156 }
157
161 static void test_eval_failure()
162 {
163 auto op_queue = std::make_shared<ECCOpQueue>();
164
165 InnerBuilder circuit{ op_queue };
166 GoblinMockCircuits::construct_simple_circuit(circuit);
167 prove_and_verify_merge(op_queue, MergeSettings::PREPEND, TamperProofMode::LEval, false);
168 }
169
177 static void test_recursive_merge_verification()
178 {
179 auto op_queue = std::make_shared<ECCOpQueue>();
180
181 InnerBuilder circuit{ op_queue };
182 GoblinMockCircuits::construct_simple_circuit(circuit);
183 prove_and_verify_merge(op_queue);
184
185 InnerBuilder circuit2{ op_queue };
186 GoblinMockCircuits::construct_simple_circuit(circuit2);
187 prove_and_verify_merge(op_queue);
188
189 InnerBuilder circuit3{ op_queue };
190 GoblinMockCircuits::construct_simple_circuit(circuit3);
191 prove_and_verify_merge(op_queue, MergeSettings::APPEND);
192 }
193};
194
195using Builders = testing::Types<MegaCircuitBuilder, UltraCircuitBuilder>;
196
197TYPED_TEST_SUITE(RecursiveMergeVerifierTest, Builders);
198
199TYPED_TEST(RecursiveMergeVerifierTest, SingleRecursiveVerification)
200{
201 TestFixture::test_recursive_merge_verification();
202};
203
204TYPED_TEST(RecursiveMergeVerifierTest, DegreeCheckFailure)
205{
206 TestFixture::test_degree_check_failure();
207};
208
209TYPED_TEST(RecursiveMergeVerifierTest, MergeFailure)
210{
211 TestFixture::test_merge_failure();
212};
213
214TYPED_TEST(RecursiveMergeVerifierTest, EvalFailure)
215{
216 TestFixture::test_eval_failure();
217};
218
219} // namespace bb::stdlib::recursion::goblin
circuit_checker.hpp
bb::DeciderProvingKey_
A DeciderProvingKey is normally constructed from a finalized circuit and it contains all the informat...
Definition decider_proving_key.hpp:36
bb::GoblinMockCircuits::construct_simple_circuit
static void construct_simple_circuit(MegaBuilder &builder, bool last_circuit=false)
Generate a simple test circuit with some ECC op gates and conventional arithmetic gates.
Definition mock_circuits.hpp:139
bb::MegaFlavor::FF
Curve::ScalarField FF
Definition mega_flavor.hpp:37
bb::MegaFlavor::NUM_WIRES
static constexpr size_t NUM_WIRES
Definition mega_flavor.hpp:57
bb::MegaFlavor::CircuitBuilder
MegaCircuitBuilder CircuitBuilder
Definition mega_flavor.hpp:35
bb::MegaFlavor::Commitment
Curve::AffineElement Commitment
Definition mega_flavor.hpp:39
bb::MergeProver
Prover class for the Goblin ECC op queue transcript merge protocol.
Definition merge_prover.hpp:22
bb::MergeProver::construct_proof
BB_PROFILE MergeProof construct_proof()
bb::MergeProver::MergeProof
std::vector< FF > MergeProof
Definition merge_prover.hpp:34
bb::MergeVerifier
Verifier class for the Goblin ECC op queue transcript merge protocol.
Definition merge_verifier.hpp:22
bb::MergeVerifier::TableCommitments
std::array< Commitment, NUM_WIRES > TableCommitments
Definition merge_verifier.hpp:35
bb::MergeVerifier::transcript
std::shared_ptr< Transcript > transcript
Definition merge_verifier.hpp:48
bb::VerifierCommitmentKey< curve::BN254 >::pairing_check
bool pairing_check(const GroupElement &p0, const GroupElement &p1)
verifies a pairing equation over 2 points using the verifier SRS
Definition verification_key.hpp:67
bb::VerifierCommitmentKey
Representation of the Grumpkin Verifier Commitment Key inside a bn254 circuit.
Definition verifier_commitment_key.hpp:16
bb::stdlib::Proof
A simple wrapper around a vector of stdlib field elements representing a proof.
Definition proof.hpp:19
bb::stdlib::recursion::goblin::MergeRecursiveVerifier_
Definition merge_recursive_verifier.hpp:16
bb::stdlib::recursion::goblin::MergeRecursiveVerifier_::transcript
std::shared_ptr< Transcript > transcript
Definition merge_recursive_verifier.hpp:27
bb::stdlib::recursion::goblin::MergeRecursiveVerifier_::TableCommitments
std::array< Commitment, NUM_WIRES > TableCommitments
Definition merge_recursive_verifier.hpp:33
bb::stdlib::recursion::goblin::RecursiveMergeVerifierTest
Test suite for recursive verification of Goblin Merge proofs.
Definition merge_verifier.test.cpp:21
bb::stdlib::recursion::goblin::RecursiveMergeVerifierTest::test_recursive_merge_verification
static void test_recursive_merge_verification()
Test recursive merge verification for the ops generated by several sample circuit,...
Definition merge_verifier.test.cpp:177
bb::stdlib::recursion::goblin::RecursiveMergeVerifierTest::test_eval_failure
static void test_eval_failure()
Test failure g_j(kappa) = kappa^{k-1} * l_j(1/kappa)
Definition merge_verifier.test.cpp:161
bb::stdlib::recursion::goblin::RecursiveMergeVerifierTest::tamper_with_proof
static void tamper_with_proof(MergeProof &merge_proof, const TamperProofMode tampering_mode)
Definition merge_verifier.test.cpp:46
bb::stdlib::recursion::goblin::RecursiveMergeVerifierTest::prove_and_verify_merge
static void prove_and_verify_merge(const std::shared_ptr< ECCOpQueue > &op_queue, const MergeSettings settings=MergeSettings::PREPEND, const TamperProofMode tampering_mode=TamperProofMode::None, const bool expected=true)
Definition merge_verifier.test.cpp:79
bb::stdlib::recursion::goblin::RecursiveMergeVerifierTest::test_merge_failure
static void test_merge_failure()
Test failure when m \neq l + X^k r.
Definition merge_verifier.test.cpp:149
bb::stdlib::recursion::goblin::RecursiveMergeVerifierTest::RecursiveTableCommitments
MergeRecursiveVerifier_< RecursiveBuilder >::TableCommitments RecursiveTableCommitments
Definition merge_verifier.test.cpp:25
bb::stdlib::recursion::goblin::RecursiveMergeVerifierTest::test_degree_check_failure
static void test_degree_check_failure()
Test failure when degree(l) > shift_size (as read from the proof)
Definition merge_verifier.test.cpp:137
field_conversion.hpp
mock_circuits.hpp
merge_prover.hpp
merge_recursive_verifier.hpp
merge_verifier.hpp
bb::srs::bb_crs_path
std::filesystem::path bb_crs_path()
Definition global_crs.cpp:14
bb::srs::init_file_crs_factory
void init_file_crs_factory(const std::filesystem::path &path)
Definition global_crs.hpp:14
bb::stdlib::recursion::goblin::TYPED_TEST
TYPED_TEST(RecursiveMergeVerifierTest, SingleRecursiveVerification)
Definition merge_verifier.test.cpp:199
bb::stdlib::recursion::goblin::TYPED_TEST_SUITE
TYPED_TEST_SUITE(RecursiveMergeVerifierTest, Builders)
bb::stdlib::recursion::goblin::Builders
testing::Types< MegaCircuitBuilder, UltraCircuitBuilder > Builders
Definition merge_verifier.test.cpp:195
bb::MergeSettings
MergeSettings
The MergeSettings define whether an current subtable will be added at the beginning (PREPEND) or at t...
Definition ecc_ops_table.hpp:21
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
bb::stdlib::recursion::goblin::MergeRecursiveVerifier_::InputCommitments
Definition merge_recursive_verifier.hpp:41
bb::stdlib::recursion::goblin::MergeRecursiveVerifier_::InputCommitments::T_prev_commitments
TableCommitments T_prev_commitments
Definition merge_recursive_verifier.hpp:43
bb::stdlib::recursion::goblin::MergeRecursiveVerifier_::InputCommitments::t_commitments
TableCommitments t_commitments
Definition merge_recursive_verifier.hpp:42
ultra_prover.hpp
ultra_verifier.hpp