Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
oink_recursive_verifier.cpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: not started, auditors: [], date: YYYY-MM-DD }
3// external_1: { status: not started, auditors: [], date: YYYY-MM-DD }
4// external_2: { status: not started, auditors: [], date: YYYY-MM-DD }
5// =====================
6
7#include "barretenberg/stdlib/honk_verifier/oink_recursive_verifier.hpp"
8
9#include "barretenberg/flavor/mega_recursive_flavor.hpp"
10#include "barretenberg/flavor/mega_zk_recursive_flavor.hpp"
11#include "barretenberg/flavor/ultra_recursive_flavor.hpp"
12#include "barretenberg/flavor/ultra_rollup_recursive_flavor.hpp"
13#include "barretenberg/flavor/ultra_zk_recursive_flavor.hpp"
14#include "barretenberg/honk/library/grand_product_delta.hpp"
15#include "barretenberg/numeric/bitop/get_msb.hpp"
16#include <utility>
17
18namespace bb::stdlib::recursion::honk {
19
20template <typename Flavor>
21OinkRecursiveVerifier_<Flavor>::OinkRecursiveVerifier_(Builder* builder,
22 const std::shared_ptr<RecursiveDeciderVK>& decider_vk,
23 const std::shared_ptr<Transcript>& transcript,
24 std::string domain_separator)
25 : decider_vk(decider_vk)
26 , builder(builder)
27 , transcript(transcript)
28 , domain_separator(std::move(domain_separator))
29{}
30
31template <typename Flavor>
32OinkRecursiveVerifier_<Flavor>::OinkRecursiveVerifier_(Builder* builder,
33 const std::shared_ptr<RecursiveDeciderVK>& decider_vk,
34 std::string domain_separator)
35 : decider_vk(decider_vk)
36 , builder(builder)
37 , domain_separator(std::move(domain_separator))
38{}
39
40template <typename Flavor> void OinkRecursiveVerifier_<Flavor>::verify_proof(const OinkProof& proof)
41{
42 transcript->load_proof(proof);
43 verify();
44}
45
46template <typename Flavor> void OinkRecursiveVerifier_<Flavor>::verify()
47{
48 using CommitmentLabels = typename Flavor::CommitmentLabels;
49
50 WitnessCommitments commitments;
51 CommitmentLabels labels;
52
53 FF vk_hash = decider_vk->vk_and_hash->vk->hash_through_transcript(domain_separator, *transcript);
54 transcript->add_to_hash_buffer(domain_separator + "vk_hash", vk_hash);
55 vinfo("vk hash in Oink recursive verifier: ", vk_hash);
56 vinfo("expected vk hash: ", decider_vk->vk_and_hash->hash);
57 // Check that the vk hash matches the hash of the verification key
58 decider_vk->vk_and_hash->hash.assert_equal(vk_hash);
59
60 size_t num_public_inputs =
61 static_cast<size_t>(static_cast<uint32_t>(decider_vk->vk_and_hash->vk->num_public_inputs.get_value()));
62 std::vector<FF> public_inputs;
63 for (size_t i = 0; i < num_public_inputs; ++i) {
64 public_inputs.emplace_back(
65 transcript->template receive_from_prover<FF>(domain_separator + "public_input_" + std::to_string(i)));
66 }
67
68 // Get commitments to first three wire polynomials
69 commitments.w_l = transcript->template receive_from_prover<Commitment>(domain_separator + labels.w_l);
70 commitments.w_r = transcript->template receive_from_prover<Commitment>(domain_separator + labels.w_r);
71 commitments.w_o = transcript->template receive_from_prover<Commitment>(domain_separator + labels.w_o);
72
73 // If Goblin, get commitments to ECC op wire polynomials and DataBus columns
74 if constexpr (IsMegaFlavor<Flavor>) {
75 // Receive ECC op wire commitments
76 for (auto [commitment, label] : zip_view(commitments.get_ecc_op_wires(), labels.get_ecc_op_wires())) {
77 commitment = transcript->template receive_from_prover<Commitment>(domain_separator + label);
78 }
79
80 // Receive DataBus related polynomial commitments
81 for (auto [commitment, label] : zip_view(commitments.get_databus_entities(), labels.get_databus_entities())) {
82 commitment = transcript->template receive_from_prover<Commitment>(domain_separator + label);
83 }
84 }
85
86 // Get eta challenges; used in RAM/ROM memory records and log derivative lookup argument
87 auto [eta, eta_two, eta_three] = transcript->template get_challenges<FF>(
88 domain_separator + "eta", domain_separator + "eta_two", domain_separator + "eta_three");
89
90 // Get commitments to lookup argument polynomials and fourth wire
91 commitments.lookup_read_counts =
92 transcript->template receive_from_prover<Commitment>(domain_separator + labels.lookup_read_counts);
93 commitments.lookup_read_tags =
94 transcript->template receive_from_prover<Commitment>(domain_separator + labels.lookup_read_tags);
95 commitments.w_4 = transcript->template receive_from_prover<Commitment>(domain_separator + labels.w_4);
96
97 // Get permutation challenges
98 auto [beta, gamma] = transcript->template get_challenges<FF>(domain_separator + "beta", domain_separator + "gamma");
99
100 commitments.lookup_inverses =
101 transcript->template receive_from_prover<Commitment>(domain_separator + labels.lookup_inverses);
102
103 // If Goblin (i.e. using DataBus) receive commitments to log-deriv inverses polynomials
104 if constexpr (IsMegaFlavor<Flavor>) {
105 for (auto [commitment, label] : zip_view(commitments.get_databus_inverses(), labels.get_databus_inverses())) {
106 commitment = transcript->template receive_from_prover<Commitment>(domain_separator + label);
107 }
108 }
109
110 const FF public_input_delta =
111 compute_public_input_delta<Flavor>(public_inputs, beta, gamma, decider_vk->vk_and_hash->vk->pub_inputs_offset);
112
113 // Get commitment to permutation and lookup grand products
114 commitments.z_perm = transcript->template receive_from_prover<Commitment>(domain_separator + labels.z_perm);
115
116 // Get the subrelation separation challenges for sumcheck/combiner computation
117 std::array<std::string, Flavor::NUM_SUBRELATIONS - 1> challenge_labels;
118
119 for (size_t idx = 0; idx < Flavor::NUM_SUBRELATIONS - 1; ++idx) {
120 challenge_labels[idx] = domain_separator + "alpha_" + std::to_string(idx);
121 }
122 // It is more efficient to generate an array of challenges than to generate them individually.
123 SubrelationSeparators alphas = transcript->template get_challenges<FF>(challenge_labels);
124
125 decider_vk->relation_parameters =
126 RelationParameters<FF>{ eta, eta_two, eta_three, beta, gamma, public_input_delta };
127 decider_vk->witness_commitments = std::move(commitments);
128 decider_vk->alphas = std::move(alphas);
129 decider_vk->public_inputs = std::move(public_inputs);
130 decider_vk->is_complete = true; // instance has been completely populated
131}
132
133template class OinkRecursiveVerifier_<bb::UltraRecursiveFlavor_<UltraCircuitBuilder>>;
134template class OinkRecursiveVerifier_<bb::UltraRecursiveFlavor_<MegaCircuitBuilder>>;
135template class OinkRecursiveVerifier_<bb::MegaRecursiveFlavor_<UltraCircuitBuilder>>;
136template class OinkRecursiveVerifier_<bb::MegaRecursiveFlavor_<MegaCircuitBuilder>>;
137template class OinkRecursiveVerifier_<bb::MegaZKRecursiveFlavor_<MegaCircuitBuilder>>;
138template class OinkRecursiveVerifier_<bb::MegaZKRecursiveFlavor_<UltraCircuitBuilder>>;
139template class OinkRecursiveVerifier_<bb::UltraRollupRecursiveFlavor_<UltraCircuitBuilder>>;
140template class OinkRecursiveVerifier_<bb::UltraZKRecursiveFlavor_<UltraCircuitBuilder>>;
141template class OinkRecursiveVerifier_<bb::UltraZKRecursiveFlavor_<MegaCircuitBuilder>>;
142} // namespace bb::stdlib::recursion::honk
bb::MegaFlavor::CommitmentLabels
A container for commitment labels.
Definition mega_flavor.hpp:562
bb::MegaFlavor::NUM_SUBRELATIONS
static constexpr size_t NUM_SUBRELATIONS
Definition mega_flavor.hpp:125
bb::stdlib::recursion::honk::OinkRecursiveVerifier_
Definition oink_recursive_verifier.hpp:13
bb::stdlib::recursion::honk::OinkRecursiveVerifier_::Builder
typename Flavor::CircuitBuilder Builder
Definition oink_recursive_verifier.hpp:20
bb::stdlib::recursion::honk::OinkRecursiveVerifier_::SubrelationSeparators
typename Flavor::SubrelationSeparators SubrelationSeparators
Definition oink_recursive_verifier.hpp:21
bb::stdlib::recursion::honk::OinkRecursiveVerifier_::OinkProof
std::vector< FF > OinkProof
Definition oink_recursive_verifier.hpp:24
bb::stdlib::recursion::honk::OinkRecursiveVerifier_::FF
typename Flavor::FF FF
Definition oink_recursive_verifier.hpp:15
bb::stdlib::recursion::honk::OinkRecursiveVerifier_::WitnessCommitments
typename Flavor::WitnessCommitments WitnessCommitments
Definition oink_recursive_verifier.hpp:23
bb::stdlib::recursion::honk::OinkRecursiveVerifier_::verify_proof
void verify_proof(const OinkProof &proof)
Constructs an oink recursive verifier circuit for a provided oink proof.
Definition oink_recursive_verifier.cpp:40
bb::stdlib::recursion::honk::OinkRecursiveVerifier_::verify
void verify()
Constructs an oink recursive verifier circuit for an oink proof assumed to be contained in the transc...
Definition oink_recursive_verifier.cpp:46
bb::stdlib::recursion::honk::OinkRecursiveVerifier_::OinkRecursiveVerifier_
OinkRecursiveVerifier_(Builder *builder, const std::shared_ptr< RecursiveDeciderVK > &decider_vk, const std::shared_ptr< Transcript > &transcript, std::string domain_separator="")
Constructs an Oink Recursive Verifier with a transcript that has been instantiated externally.
Definition oink_recursive_verifier.cpp:21
zip_view
Definition zip_view.hpp:166
vinfo
void vinfo(Args... args)
Definition log.hpp:76
builder
AluTraceBuilder builder
Definition alu.test.cpp:123
get_msb.hpp
grand_product_delta.hpp
mega_recursive_flavor.hpp
mega_zk_recursive_flavor.hpp
std
STL namespace.
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
std::to_string
std::string to_string(bb::avm2::ValueTag tag)
Definition tagged_value.cpp:399
oink_recursive_verifier.hpp
bb::RelationParameters
Container for parameters used by the grand product (permutation, lookup) Honk relations.
Definition relation_parameters.hpp:19
ultra_recursive_flavor.hpp
ultra_rollup_recursive_flavor.hpp
ultra_zk_recursive_flavor.hpp