Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
protogalaxy_recursive_verifier.test.cpp
Go to the documentation of this file.
1#include "barretenberg/stdlib/protogalaxy_verifier/protogalaxy_recursive_verifier.hpp"
2#include "barretenberg/circuit_checker/circuit_checker.hpp"
3#include "barretenberg/common/test.hpp"
4#include "barretenberg/protogalaxy/protogalaxy_prover.hpp"
5#include "barretenberg/protogalaxy/protogalaxy_verifier.hpp"
6#include "barretenberg/stdlib/hash/blake3s/blake3s.hpp"
7#include "barretenberg/stdlib/hash/pedersen/pedersen.hpp"
8#include "barretenberg/stdlib/honk_verifier/decider_recursive_verifier.hpp"
9#include "barretenberg/stdlib/special_public_inputs/special_public_inputs.hpp"
10#include "barretenberg/ultra_honk/decider_prover.hpp"
11#include "barretenberg/ultra_honk/ultra_prover.hpp"
12#include "barretenberg/ultra_honk/ultra_verifier.hpp"
13
14auto& engine = bb::numeric::get_debug_randomness();
15
16namespace bb::stdlib::recursion::honk {
17class ProtogalaxyRecursiveTests : public testing::Test {
18 public:
19 // Define types for the inner circuit, i.e. the circuit whose proof will be recursively verified
20 using RecursiveFlavor = MegaRecursiveFlavor_<MegaCircuitBuilder>;
21 using InnerFlavor = RecursiveFlavor::NativeFlavor;
22 using InnerProver = UltraProver_<InnerFlavor>;
23 using InnerVerifier = UltraVerifier_<InnerFlavor>;
24 using InnerBuilder = InnerFlavor::CircuitBuilder;
25 using InnerDeciderProvingKey = DeciderProvingKey_<InnerFlavor>;
26 using InnerDeciderVerificationKey = ::bb::DeciderVerificationKey_<InnerFlavor>;
27 using InnerVerificationKey = InnerFlavor::VerificationKey;
28 using InnerCurve = bn254<InnerBuilder>;
29 using Commitment = InnerFlavor::Commitment;
30 using FF = InnerFlavor::FF;
31
32 // Defines types for the outer circuit, i.e. the circuit of the recursive verifier
33 using OuterBuilder = RecursiveFlavor::CircuitBuilder;
34 using OuterFlavor = MegaFlavor;
35 using OuterProver = UltraProver_<OuterFlavor>;
36 using OuterVerifier = UltraVerifier_<OuterFlavor>;
37 using OuterDeciderProvingKey = DeciderProvingKey_<OuterFlavor>;
38
39 using RecursiveDeciderVerificationKeys =
40 ::bb::stdlib::recursion::honk::RecursiveDeciderVerificationKeys_<RecursiveFlavor, 2>;
41 using RecursiveDeciderVerificationKey = RecursiveDeciderVerificationKeys::DeciderVK;
42 using RecursiveVerificationKey = RecursiveDeciderVerificationKeys::VerificationKey;
43 using RecursiveVKAndHash = RecursiveDeciderVerificationKeys::VKAndHash;
44 using FoldingRecursiveVerifier = ProtogalaxyRecursiveVerifier_<RecursiveDeciderVerificationKeys>;
45 using DeciderRecursiveVerifier = DeciderRecursiveVerifier_<RecursiveFlavor>;
46 using InnerDeciderProver = DeciderProver_<InnerFlavor>;
47 using InnerDeciderVerifier = DeciderVerifier_<InnerFlavor>;
48 using InnerDeciderVerificationKeys = DeciderVerificationKeys_<InnerFlavor, 2>;
49 using InnerFoldingVerifier = ProtogalaxyVerifier_<InnerDeciderVerificationKeys>;
50 using InnerFoldingProver = ProtogalaxyProver_<InnerFlavor>;
51
52 static void SetUpTestSuite() { bb::srs::init_file_crs_factory(bb::srs::bb_crs_path()); }
63 static void create_function_circuit(InnerBuilder& builder, size_t log_num_gates = 10)
64 {
65 using fr_ct = typename InnerCurve::ScalarField;
66 using fq_ct = stdlib::bigfield<InnerBuilder, typename InnerCurve::BaseFieldNative::Params>;
67 using public_witness_ct = typename InnerCurve::public_witness_ct;
68 using witness_ct = typename InnerCurve::witness_ct;
69 using byte_array_ct = typename InnerCurve::byte_array_ct;
70 using fr = typename InnerCurve::ScalarFieldNative;
71
72 // Create 2^log_n many add gates based on input log num gates
73 const size_t num_gates = 1 << log_num_gates;
74 for (size_t i = 0; i < num_gates; ++i) {
75 fr a = fr::random_element(&engine);
76 uint32_t a_idx = builder.add_variable(a);
77
78 fr b = fr::random_element(&engine);
79 fr c = fr::random_element(&engine);
80 fr d = a + b + c;
81 uint32_t b_idx = builder.add_variable(b);
82 uint32_t c_idx = builder.add_variable(c);
83 uint32_t d_idx = builder.add_variable(d);
84
85 builder.create_big_add_gate({ a_idx, b_idx, c_idx, d_idx, fr(1), fr(1), fr(1), fr(-1), fr(0) });
86 }
87
88 // Define some additional non-trivial but arbitrary circuit logic
89 fr_ct a(public_witness_ct(&builder, fr::random_element(&engine)));
90 fr_ct b(public_witness_ct(&builder, fr::random_element(&engine)));
91 fr_ct c(public_witness_ct(&builder, fr::random_element(&engine)));
92
93 for (size_t i = 0; i < 32; ++i) {
94 a = (a * b) + b + a;
95 a = a.madd(b, c);
96 }
97 pedersen_hash<InnerBuilder>::hash({ a, b });
98 byte_array_ct to_hash(&builder, "nonsense test data");
99 stdlib::Blake3s<InnerBuilder>::hash(to_hash);
100
101 fr bigfield_data = fr::random_element(&engine);
102 fr bigfield_data_a{ bigfield_data.data[0], bigfield_data.data[1], 0, 0 };
103 fr bigfield_data_b{ bigfield_data.data[2], bigfield_data.data[3], 0, 0 };
104
105 fq_ct big_a(fr_ct(witness_ct(&builder, bigfield_data_a.to_montgomery_form())), fr_ct(witness_ct(&builder, 0)));
106 fq_ct big_b(fr_ct(witness_ct(&builder, bigfield_data_b.to_montgomery_form())), fr_ct(witness_ct(&builder, 0)));
107
108 big_a* big_b;
109
110 stdlib::recursion::honk::DefaultIO<OuterBuilder>::add_default(builder);
111 };
112
113 static std::tuple<std::shared_ptr<InnerDeciderProvingKey>, std::shared_ptr<InnerDeciderVerificationKey>>
114 fold_and_verify_native()
115 {
116 InnerBuilder builder1;
117 create_function_circuit(builder1);
118 InnerBuilder builder2;
119 builder2.add_public_variable(FF(1));
120 create_function_circuit(builder2);
121
122 auto decider_pk_1 = std::make_shared<InnerDeciderProvingKey>(builder1);
123 auto honk_vk_1 = std::make_shared<InnerVerificationKey>(decider_pk_1->get_precomputed());
124 auto decider_vk_1 = std::make_shared<InnerDeciderVerificationKey>(honk_vk_1);
125 auto decider_pk_2 = std::make_shared<InnerDeciderProvingKey>(builder2);
126 auto honk_vk_2 = std::make_shared<InnerVerificationKey>(decider_pk_2->get_precomputed());
127 auto decider_vk_2 = std::make_shared<InnerDeciderVerificationKey>(honk_vk_2);
128 InnerFoldingProver folding_prover({ decider_pk_1, decider_pk_2 },
129 { decider_vk_1, decider_vk_2 },
130 std::make_shared<typename InnerFoldingProver::Transcript>());
131 InnerFoldingVerifier folding_verifier({ decider_vk_1, decider_vk_2 },
132 std::make_shared<typename InnerFoldingVerifier::Transcript>());
133
134 auto [prover_accumulator, folding_proof] = folding_prover.prove();
135 auto verifier_accumulator = folding_verifier.verify_folding_proof(folding_proof);
136 return { prover_accumulator, verifier_accumulator };
137 }
138
142 static void test_circuit()
143 {
144 InnerBuilder builder;
145
146 create_function_circuit(builder);
147
148 bool result = CircuitChecker::check(builder);
149 EXPECT_EQ(result, true);
150 };
151
157 static void test_new_evaluate()
158 {
159 OuterBuilder builder;
160 using fr_ct = typename bn254<OuterBuilder>::ScalarField;
161 using fr = typename bn254<OuterBuilder>::ScalarFieldNative;
162
163 std::vector<fr> coeffs;
164 std::vector<fr_ct> coeffs_ct;
165 for (size_t idx = 0; idx < 8; idx++) {
166 auto el = fr::random_element(&engine);
167 coeffs.emplace_back(el);
168 coeffs_ct.emplace_back(fr_ct(&builder, el));
169 }
170 Polynomial<fr> poly(coeffs);
171 fr point = fr::random_element(&engine);
172 fr_ct point_ct(fr_ct(&builder, point));
173 auto res1 = poly.evaluate(point);
174
175 auto res2 = evaluate_perturbator(coeffs_ct, point_ct);
176 EXPECT_EQ(res1, res2.get_value());
177 };
178
183 static void test_recursive_folding(const size_t num_verifiers = 1)
184 {
185 // Create two arbitrary circuits for the first round of folding
186 InnerBuilder builder1;
187 create_function_circuit(builder1);
188 InnerBuilder builder2;
189 builder2.add_public_variable(FF(1));
190 create_function_circuit(builder2);
191
192 auto decider_pk_1 = std::make_shared<InnerDeciderProvingKey>(builder1);
193 auto honk_vk_1 = std::make_shared<InnerVerificationKey>(decider_pk_1->get_precomputed());
194 auto decider_vk_1 = std::make_shared<InnerDeciderVerificationKey>(honk_vk_1);
195 auto decider_pk_2 = std::make_shared<InnerDeciderProvingKey>(builder2);
196 auto honk_vk_2 = std::make_shared<InnerVerificationKey>(decider_pk_2->get_precomputed());
197 auto decider_vk_2 = std::make_shared<InnerDeciderVerificationKey>(honk_vk_2);
198 // Generate a folding proof
199 InnerFoldingProver folding_prover({ decider_pk_1, decider_pk_2 },
200 { decider_vk_1, decider_vk_2 },
201 std::make_shared<typename InnerFoldingProver::Transcript>());
202 auto folding_proof = folding_prover.prove();
203
204 // Create a folding verifier circuit
205 OuterBuilder folding_circuit;
206
207 auto recursive_decider_vk_1 = std::make_shared<RecursiveDeciderVerificationKey>(&folding_circuit, decider_vk_1);
208 auto recursive_vk_and_hash_2 = std::make_shared<RecursiveVKAndHash>(folding_circuit, decider_vk_2->vk);
209 stdlib::Proof<OuterBuilder> stdlib_proof(folding_circuit, folding_proof.proof);
210
211 auto verifier = FoldingRecursiveVerifier{ &folding_circuit,
212 recursive_decider_vk_1,
213 { recursive_vk_and_hash_2 },
214 std::make_shared<typename FoldingRecursiveVerifier::Transcript>() };
215 std::shared_ptr<RecursiveDeciderVerificationKey> accumulator;
216 for (size_t idx = 0; idx < num_verifiers; idx++) {
217 verifier.transcript->enable_manifest();
218 accumulator = verifier.verify_folding_proof(stdlib_proof);
219 if (idx < num_verifiers - 1) { // else the transcript is null in the test below
220 auto recursive_vk_and_hash = std::make_shared<RecursiveVKAndHash>(folding_circuit, decider_vk_1->vk);
221 verifier =
222 FoldingRecursiveVerifier{ &folding_circuit,
223 accumulator,
224 { recursive_vk_and_hash },
225 std::make_shared<typename FoldingRecursiveVerifier::Transcript>() };
226 }
227 }
228 info("Folding Recursive Verifier: num gates unfinalized = ", folding_circuit.num_gates);
229 EXPECT_EQ(folding_circuit.failed(), false) << folding_circuit.err();
230
231 // Perform native folding verification and ensure it returns the same result (either true or false) as
232 // calling check_circuit on the recursive folding verifier
233 InnerFoldingVerifier native_folding_verifier({ decider_vk_1, decider_vk_2 },
234 std::make_shared<typename InnerFoldingVerifier::Transcript>());
235 native_folding_verifier.transcript->enable_manifest();
236 std::shared_ptr<InnerDeciderVerificationKey> native_accumulator;
237 for (size_t idx = 0; idx < num_verifiers; idx++) {
238 native_accumulator = native_folding_verifier.verify_folding_proof(folding_proof.proof);
239 if (idx < num_verifiers - 1) { // else the transcript is null in the test below
240 native_folding_verifier =
241 InnerFoldingVerifier{ { native_accumulator, decider_vk_1 },
242 std::make_shared<typename InnerFoldingVerifier::Transcript>() };
243 native_folding_verifier.transcript->enable_manifest();
244 }
245 }
246
247 // Ensure that the underlying native and recursive folding verification algorithms agree by ensuring the
248 // manifests produced by each agree.
249 auto recursive_folding_manifest = verifier.transcript->get_manifest();
250 auto native_folding_manifest = native_folding_verifier.transcript->get_manifest();
251
252 ASSERT_GT(recursive_folding_manifest.size(), 0);
253 for (size_t i = 0; i < recursive_folding_manifest.size(); ++i) {
254 EXPECT_EQ(recursive_folding_manifest[i], native_folding_manifest[i])
255 << "Recursive Verifier/Verifier manifest discrepency in round " << i;
256 }
257
258 // Check for a failure flag in the recursive verifier circuit
259 {
260 stdlib::recursion::honk::DefaultIO<OuterBuilder>::add_default(folding_circuit);
261 // inefficiently check finalized size
262 folding_circuit.finalize_circuit(/* ensure_nonzero= */ true);
263 info("Folding Recursive Verifier: num gates finalized = ", folding_circuit.num_gates);
264 auto decider_pk = std::make_shared<OuterDeciderProvingKey>(folding_circuit);
265 info("Dyadic size of verifier circuit: ", decider_pk->dyadic_size());
266 auto honk_vk = std::make_shared<typename OuterFlavor::VerificationKey>(decider_pk->get_precomputed());
267 OuterProver prover(decider_pk, honk_vk);
268 OuterVerifier verifier(honk_vk);
269 auto proof = prover.construct_proof();
270 bool verified = verifier.template verify_proof<bb::DefaultIO>(proof).result;
271
272 ASSERT_TRUE(verified);
273 }
274 };
275
281 static void test_full_protogalaxy_recursive()
282 {
283 using NativeVerifierCommitmentKey = typename InnerFlavor::VerifierCommitmentKey;
284 // Create two arbitrary circuits for the first round of folding
285 InnerBuilder builder1;
286 create_function_circuit(builder1);
287 InnerBuilder builder2;
288 builder2.add_public_variable(FF(1));
289
290 create_function_circuit(builder2);
291
292 auto decider_pk_1 = std::make_shared<InnerDeciderProvingKey>(builder1);
293 auto honk_vk_1 = std::make_shared<InnerVerificationKey>(decider_pk_1->get_precomputed());
294 auto decider_vk_1 = std::make_shared<InnerDeciderVerificationKey>(honk_vk_1);
295 auto decider_pk_2 = std::make_shared<InnerDeciderProvingKey>(builder2);
296 auto honk_vk_2 = std::make_shared<InnerVerificationKey>(decider_pk_2->get_precomputed());
297 auto decider_vk_2 = std::make_shared<InnerDeciderVerificationKey>(honk_vk_2);
298 // Generate a folding proof
299 InnerFoldingProver folding_prover({ decider_pk_1, decider_pk_2 },
300 { decider_vk_1, decider_vk_2 },
301 std::make_shared<typename InnerFoldingProver::Transcript>());
302 auto folding_proof = folding_prover.prove();
303
304 // Create a folding verifier circuit
305 OuterBuilder folding_circuit;
306 auto recursive_decider_vk_1 = std::make_shared<RecursiveDeciderVerificationKey>(&folding_circuit, decider_vk_1);
307 auto recursive_vk_and_hash_2 = std::make_shared<RecursiveVKAndHash>(folding_circuit, decider_vk_2->vk);
308 stdlib::Proof<OuterBuilder> stdlib_proof(folding_circuit, folding_proof.proof);
309
310 auto verifier = FoldingRecursiveVerifier{ &folding_circuit,
311 recursive_decider_vk_1,
312 { recursive_vk_and_hash_2 },
313 std::make_shared<typename FoldingRecursiveVerifier::Transcript>() };
314 verifier.transcript->enable_manifest();
315 auto recursive_verifier_native_accum = verifier.verify_folding_proof(stdlib_proof);
316 auto native_verifier_acc =
317 std::make_shared<InnerDeciderVerificationKey>(recursive_verifier_native_accum->get_value());
318 info("Folding Recursive Verifier: num gates = ", folding_circuit.get_estimated_num_finalized_gates());
319
320 // Check for a failure flag in the recursive verifier circuit
321 EXPECT_EQ(folding_circuit.failed(), false) << folding_circuit.err();
322
323 // Perform native folding verification and ensure it returns the same result (either true or false) as
324 // calling check_circuit on the recursive folding verifier
325 InnerFoldingVerifier native_folding_verifier({ decider_vk_1, decider_vk_2 },
326 std::make_shared<typename InnerFoldingVerifier::Transcript>());
327 native_folding_verifier.transcript->enable_manifest();
328 auto verifier_accumulator = native_folding_verifier.verify_folding_proof(folding_proof.proof);
329
330 // Ensure that the underlying native and recursive folding verification algorithms agree by ensuring the
331 // manifests produced by each agree.
332 auto recursive_folding_manifest = verifier.transcript->get_manifest();
333 auto native_folding_manifest = native_folding_verifier.transcript->get_manifest();
334
335 ASSERT_GT(recursive_folding_manifest.size(), 0);
336 for (size_t i = 0; i < recursive_folding_manifest.size(); ++i) {
337 EXPECT_EQ(recursive_folding_manifest[i], native_folding_manifest[i])
338 << "Recursive Verifier/Verifier manifest discrepency in round " << i;
339 }
340
341 InnerDeciderProver decider_prover(folding_proof.accumulator);
342 decider_prover.construct_proof();
343 auto decider_proof = decider_prover.export_proof();
344
345 OuterBuilder decider_circuit;
346 DeciderRecursiveVerifier decider_verifier{ &decider_circuit, native_verifier_acc };
347 auto pairing_points = decider_verifier.verify_proof(decider_proof);
348
349 // IO
350 DefaultIO<OuterBuilder> inputs;
351 inputs.pairing_inputs = pairing_points;
352 inputs.set_public();
353
354 info("Decider Recursive Verifier: num gates = ", decider_circuit.num_gates);
355 // Check for a failure flag in the recursive verifier circuit
356 EXPECT_EQ(decider_circuit.failed(), false) << decider_circuit.err();
357
358 // Perform native verification then perform the pairing on the outputs of the recursive decider verifier and
359 // check that the result agrees.
360 InnerDeciderVerifier native_decider_verifier(verifier_accumulator);
361 auto native_decider_output = native_decider_verifier.verify_proof(decider_proof);
362 auto native_result = native_decider_output.check();
363 NativeVerifierCommitmentKey pcs_vkey{};
364 auto recursive_result = pcs_vkey.pairing_check(pairing_points.P0.get_value(), pairing_points.P1.get_value());
365 EXPECT_EQ(native_result, recursive_result);
366
367 {
368 auto decider_pk = std::make_shared<OuterDeciderProvingKey>(decider_circuit);
369 auto honk_vk = std::make_shared<typename OuterFlavor::VerificationKey>(decider_pk->get_precomputed());
370 OuterProver prover(decider_pk, honk_vk);
371 OuterVerifier verifier(honk_vk);
372 auto proof = prover.construct_proof();
373 bool verified = verifier.template verify_proof<bb::DefaultIO>(proof).result;
374
375 ASSERT_TRUE(verified);
376 }
377 };
378
379 static void test_tampered_decider_proof()
380 {
381 // Natively fold two circuits
382 auto [prover_accumulator, verifier_accumulator] = fold_and_verify_native();
383
384 // Tamper with the accumulator by changing the target sum
385 verifier_accumulator->target_sum = FF::random_element(&engine);
386
387 // Create a decider proof for accumulator obtained through folding
388 InnerDeciderProver decider_prover(prover_accumulator);
389 decider_prover.construct_proof();
390 auto decider_proof = decider_prover.export_proof();
391
392 // Create a decider verifier circuit for recursively verifying the decider proof
393 OuterBuilder decider_circuit;
394 DeciderRecursiveVerifier decider_verifier{ &decider_circuit, verifier_accumulator };
395 [[maybe_unused]] auto output = decider_verifier.verify_proof(decider_proof);
396 info("Decider Recursive Verifier: num gates = ", decider_circuit.num_gates);
397
398 // We expect the decider circuit check to fail due to the bad proof
399 EXPECT_FALSE(CircuitChecker::check(decider_circuit));
400 };
401
402 static void test_tampered_accumulator()
403 {
404 // Fold two circuits natively
405 auto [prover_accumulator, verifier_accumulator] = fold_and_verify_native();
406
407 // Create another circuit to do a second round of folding
408 InnerBuilder builder;
409 create_function_circuit(builder);
410 auto prover_inst = std::make_shared<InnerDeciderProvingKey>(builder);
411 auto verification_key = std::make_shared<InnerVerificationKey>(prover_inst->get_precomputed());
412 auto verifier_inst = std::make_shared<InnerDeciderVerificationKey>(verification_key);
413
414 // Corrupt a wire value in the accumulator
415 prover_accumulator->polynomials.w_l.at(1) = FF::random_element(&engine);
416
417 // Generate a folding proof with the incorrect polynomials which would result in the prover having the wrong
418 // target sum
419 InnerFoldingProver folding_prover({ prover_accumulator, prover_inst },
420 { verifier_accumulator, verifier_inst },
421 std::make_shared<typename InnerFoldingProver::Transcript>());
422 auto folding_proof = folding_prover.prove();
423
424 // Create a folding verifier circuit
425 // commitments
426 OuterBuilder folding_circuit;
427 auto recursive_decider_vk_1 =
428 std::make_shared<RecursiveDeciderVerificationKey>(&folding_circuit, verifier_accumulator);
429 auto recursive_vk_and_hash_2 = std::make_shared<RecursiveVKAndHash>(folding_circuit, verifier_inst->vk);
430 stdlib::Proof<OuterBuilder> stdlib_proof(folding_circuit, folding_proof.proof);
431
432 auto verifier = FoldingRecursiveVerifier{ &folding_circuit,
433 recursive_decider_vk_1,
434 { recursive_vk_and_hash_2 },
435 std::make_shared<typename FoldingRecursiveVerifier::Transcript>() };
436 auto recursive_verifier_acc = verifier.verify_folding_proof(stdlib_proof);
437
438 // Validate that the target sum between prover and verifier is now different
439 EXPECT_FALSE(folding_proof.accumulator->target_sum == recursive_verifier_acc->target_sum.get_value());
440 };
441
442 // Ensure that the PG recursive verifier circuit is independent of the size of the circuits being folded
443 static void test_constant_pg_verifier_circuit()
444 {
445 struct ProofAndVerifier {
446 HonkProof fold_proof;
447 OuterBuilder verifier_circuit;
448 };
449
450 // Fold two circuits of a given size then construct a recursive PG verifier circuit
451 auto produce_proof_and_verifier_circuit = [](size_t log_num_gates) -> ProofAndVerifier {
452 InnerBuilder builder1;
453 create_function_circuit(builder1, log_num_gates);
454 InnerBuilder builder2;
455 create_function_circuit(builder2, log_num_gates);
456
457 // Generate a folding proof
458 auto decider_pk_1 = std::make_shared<InnerDeciderProvingKey>(builder1);
459 auto decider_pk_2 = std::make_shared<InnerDeciderProvingKey>(builder2);
460 auto honk_vk_1 = std::make_shared<InnerVerificationKey>(decider_pk_1->get_precomputed());
461 auto decider_vk_1 = std::make_shared<InnerDeciderVerificationKey>(honk_vk_1);
462 auto honk_vk_2 = std::make_shared<InnerVerificationKey>(decider_pk_2->get_precomputed());
463 auto decider_vk_2 = std::make_shared<InnerDeciderVerificationKey>(honk_vk_2);
464 InnerFoldingProver folding_prover({ decider_pk_1, decider_pk_2 },
465 { decider_vk_1, decider_vk_2 },
466 std::make_shared<typename InnerFoldingProver::Transcript>());
467 auto fold_result = folding_prover.prove();
468
469 // Create a folding verifier circuit
470 OuterBuilder verifier_circuit;
471 auto recursive_decider_vk_1 =
472 std::make_shared<RecursiveDeciderVerificationKey>(&verifier_circuit, decider_vk_1);
473 auto recursive_vk_and_hash_2 = std::make_shared<RecursiveVKAndHash>(verifier_circuit, decider_vk_2->vk);
474 stdlib::Proof<OuterBuilder> stdlib_proof(verifier_circuit, fold_result.proof);
475
476 auto verifier =
477 FoldingRecursiveVerifier{ &verifier_circuit,
478 recursive_decider_vk_1,
479 { recursive_vk_and_hash_2 },
480 std::make_shared<typename FoldingRecursiveVerifier::Transcript>() };
481 auto recursive_verifier_native_accum = verifier.verify_folding_proof(stdlib_proof);
482
483 return { fold_result.proof, verifier_circuit };
484 };
485
486 // Create fold proofs and verifier circuits from folding circuits of different sizes
487 auto [proof_1, verifier_circuit_1] = produce_proof_and_verifier_circuit(10);
488 auto [proof_2, verifier_circuit_2] = produce_proof_and_verifier_circuit(11);
489
490 EXPECT_TRUE(CircuitChecker::check(verifier_circuit_1));
491 EXPECT_TRUE(CircuitChecker::check(verifier_circuit_2));
492
493 // Check that the proofs are the same size and that the verifier circuits have the same number of gates
494 EXPECT_EQ(proof_1.size(), proof_2.size());
495 EXPECT_EQ(verifier_circuit_1.get_estimated_num_finalized_gates(),
496 verifier_circuit_2.get_estimated_num_finalized_gates());
497
498 // The circuit blocks (selectors + wires) fully determine the circuit - check that they are identical
499 EXPECT_EQ(verifier_circuit_1.blocks, verifier_circuit_2.blocks);
500 }
501};
502
507
512
517
518TEST_F(ProtogalaxyRecursiveTests, RecursiveFoldingTwiceTest)
519{
520 ProtogalaxyRecursiveTests::test_recursive_folding(/* num_verifiers= */ 2);
521}
522
528
533
538
543
544} // namespace bb::stdlib::recursion::honk
circuit_checker.hpp
bb::CircuitBuilderBase::add_public_variable
virtual uint32_t add_public_variable(const FF &in)
Definition circuit_builder_base_impl.hpp:146
bb::DeciderProver_
Definition decider_prover.hpp:22
bb::DeciderProver_::construct_proof
void construct_proof()
Definition decider_prover.cpp:109
bb::DeciderProver_::export_proof
Proof export_proof()
Definition decider_prover.cpp:104
bb::DeciderProvingKey_
A DeciderProvingKey is normally constructed from a finalized circuit and it contains all the informat...
Definition decider_proving_key.hpp:36
bb::DeciderVerificationKey_
The DeciderVerificationKey encapsulates all the necessary information for a Mega Honk Verifier to ver...
Definition decider_verification_key.hpp:20
bb::DeciderVerifier_
Definition decider_verifier.hpp:17
bb::DeciderVerifier_::verify_proof
Output verify_proof(const DeciderProof &)
Verify a decider proof relative to a decider verification key (ϕ, \vec{β*}, e*).
Definition decider_verifier.cpp:28
bb::MegaCircuitBuilder_
Definition mega_circuit_builder.hpp:17
bb::MegaFlavor::VerificationKey
The verification key is responsible for storing the commitments to the precomputed (non-witness) poly...
Definition mega_flavor.hpp:440
bb::MegaFlavor::FF
Curve::ScalarField FF
Definition mega_flavor.hpp:37
bb::MegaFlavor::VerifierCommitmentKey
bb::VerifierCommitmentKey< Curve > VerifierCommitmentKey
Definition mega_flavor.hpp:43
bb::MegaFlavor::CircuitBuilder
MegaCircuitBuilder CircuitBuilder
Definition mega_flavor.hpp:35
bb::MegaFlavor::Commitment
Curve::AffineElement Commitment
Definition mega_flavor.hpp:39
bb::MegaRecursiveFlavor_
The recursive counterpart to the "native" Mega flavor.
Definition mega_recursive_flavor.hpp:39
bb::MegaRecursiveFlavor_::NativeFlavor
MegaFlavor NativeFlavor
Definition mega_recursive_flavor.hpp:47
bb::MegaRecursiveFlavor_::CircuitBuilder
BuilderType CircuitBuilder
Definition mega_recursive_flavor.hpp:41
bb::Polynomial
Structured polynomial class that represents the coefficients 'a' of a_0 + a_1 x .....
Definition polynomial.hpp:74
bb::Polynomial::evaluate
Fr evaluate(const Fr &z, size_t target_size) const
Definition polynomial.cpp:190
bb::ProtogalaxyProver_
Definition protogalaxy_prover.hpp:17
bb::ProtogalaxyProver_::prove
BB_PROFILE FoldingResult< Flavor > prove()
Execute the folding prover.
Definition protogalaxy_prover_impl.hpp:174
bb::ProtogalaxyVerifier_
Definition protogalaxy_verifier.hpp:15
bb::ProtogalaxyVerifier_::transcript
std::shared_ptr< Transcript > transcript
Definition protogalaxy_verifier.hpp:31
bb::ProtogalaxyVerifier_::verify_folding_proof
std::shared_ptr< DeciderVK > verify_folding_proof(const std::vector< FF > &)
Run the folding protocol on the verifier side to establish whether the public data ϕ of the new accum...
Definition protogalaxy_verifier.cpp:69
bb::TranslatorCircuitChecker::check
static bool check(const Builder &circuit)
Check the witness satisifies the circuit.
Definition translator_circuit_checker.cpp:20
bb::UltraProver_
Definition ultra_prover.hpp:19
bb::UltraProver_::construct_proof
Proof construct_proof()
Definition ultra_prover.cpp:89
bb::UltraVerifier_
Definition ultra_verifier.hpp:19
bb::stdlib::Blake3s::hash
static byte_array_ct hash(const byte_array_ct &input)
Definition blake3s.cpp:183
bb::stdlib::Proof
A simple wrapper around a vector of stdlib field elements representing a proof.
Definition proof.hpp:19
bb::stdlib::byte_array
Represents a dynamic array of bytes in-circuit.
Definition byte_array.hpp:28
bb::stdlib::field_t
Definition field.hpp:45
bb::stdlib::pedersen_hash::hash
static field_ct hash(const std::vector< field_ct > &in, GeneratorContext context={})
Definition pedersen.cpp:15
bb::stdlib::public_witness_t
Definition witness.hpp:59
bb::stdlib::recursion::honk::DeciderRecursiveVerifier_
Definition decider_recursive_verifier.hpp:17
bb::stdlib::recursion::honk::DeciderRecursiveVerifier_::verify_proof
PairingPoints verify_proof(const HonkProof &proof)
Creates a circuit that executes the decider verifier algorithm up to the final pairing check.
Definition decider_recursive_verifier.cpp:21
bb::stdlib::recursion::honk::DefaultIO
Manages the data that is propagated on the public inputs of an application/function circuit.
Definition special_public_inputs.hpp:142
bb::stdlib::recursion::honk::DefaultIO::set_public
void set_public()
Set each IO component to be a public input of the underlying circuit.
Definition special_public_inputs.hpp:172
bb::stdlib::recursion::honk::DefaultIO::add_default
static void add_default(Builder &builder)
Add default public inputs when they are not present.
Definition special_public_inputs.hpp:185
bb::stdlib::recursion::honk::ProtogalaxyRecursiveTests::fold_and_verify_native
static std::tuple< std::shared_ptr< InnerDeciderProvingKey >, std::shared_ptr< InnerDeciderVerificationKey > > fold_and_verify_native()
Definition protogalaxy_recursive_verifier.test.cpp:114
bb::stdlib::recursion::honk::ProtogalaxyRecursiveTests::test_full_protogalaxy_recursive
static void test_full_protogalaxy_recursive()
Perform two rounds of folding valid circuits and then recursive verify the final decider proof,...
Definition protogalaxy_recursive_verifier.test.cpp:281
bb::stdlib::recursion::honk::ProtogalaxyRecursiveTests::RecursiveVerificationKey
RecursiveDeciderVerificationKeys::VerificationKey RecursiveVerificationKey
Definition protogalaxy_recursive_verifier.test.cpp:42
bb::stdlib::recursion::honk::ProtogalaxyRecursiveTests::create_function_circuit
static void create_function_circuit(InnerBuilder &builder, size_t log_num_gates=10)
Create a non-trivial arbitrary inner circuit, the proof of which will be recursively verified.
Definition protogalaxy_recursive_verifier.test.cpp:63
bb::stdlib::recursion::honk::ProtogalaxyRecursiveTests::test_new_evaluate
static void test_new_evaluate()
Ensure that evaluating the perturbator in the recursive folding verifier returns the same result as e...
Definition protogalaxy_recursive_verifier.test.cpp:157
bb::stdlib::recursion::honk::ProtogalaxyRecursiveTests::test_recursive_folding
static void test_recursive_folding(const size_t num_verifiers=1)
Tests that a valid recursive fold works as expected.
Definition protogalaxy_recursive_verifier.test.cpp:183
bb::stdlib::recursion::honk::ProtogalaxyRecursiveTests::test_circuit
static void test_circuit()
Create inner circuit and call check_circuit on it.
Definition protogalaxy_recursive_verifier.test.cpp:142
bb::stdlib::recursion::honk::ProtogalaxyRecursiveVerifier_
Definition protogalaxy_recursive_verifier.hpp:18
bb::stdlib::recursion::honk::ProtogalaxyRecursiveVerifier_::transcript
std::shared_ptr< Transcript > transcript
Definition protogalaxy_recursive_verifier.hpp:35
bb::stdlib::recursion::honk::ProtogalaxyRecursiveVerifier_::verify_folding_proof
std::shared_ptr< DeciderVK > verify_folding_proof(const stdlib::Proof< Builder > &)
Run the folding protocol on the verifier side to establish whether the public data ϕ of the new accum...
Definition protogalaxy_recursive_verifier.cpp:41
bb::stdlib::recursion::honk::RecursiveDeciderVerificationKey_
The stdlib counterpart of DeciderVerificationKey, used in recursive folding verification.
Definition recursive_decider_verification_key.hpp:18
bb::stdlib::witness_t
Definition witness.hpp:16
info
void info(Args... args)
Definition log.hpp:70
builder
AluTraceBuilder builder
Definition alu.test.cpp:123
a
FF a
Definition field_gt.test.cpp:51
b
FF b
Definition field_gt.test.cpp:52
decider_prover.hpp
decider_recursive_verifier.hpp
engine
numeric::RNG & engine
Definition eccvm_transcript.test.cpp:282
fr_ct
bn254::ScalarField fr_ct
Definition graph_description_bigfield.test.cpp:28
fq_ct
bn254::BaseField fq_ct
Definition graph_description_bigfield.test.cpp:29
public_witness_ct
bn254::public_witness_ct public_witness_ct
Definition graph_description_bigfield.test.cpp:30
witness_ct
bn254::witness_ct witness_ct
Definition graph_description_bigfield.test.cpp:31
bb::numeric::get_debug_randomness
RNG & get_debug_randomness(bool reset, std::uint_fast64_t seed)
Definition engine.cpp:190
bb::srs::bb_crs_path
std::filesystem::path bb_crs_path()
Definition global_crs.cpp:14
bb::srs::init_file_crs_factory
void init_file_crs_factory(const std::filesystem::path &path)
Definition global_crs.hpp:14
bb::stdlib::recursion::honk::TEST_F
TEST_F(BoomerangGoblinRecursiveVerifierTests, graph_description_basic)
Construct and check a goblin recursive verification circuit.
Definition graph_description_goblin.test.cpp:81
bb::HonkProof
std::vector< fr > HonkProof
Definition proof.hpp:15
bb::fr
field< Bn254FrParams > fr
Definition fr.hpp:174
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
protogalaxy_prover.hpp
protogalaxy_recursive_verifier.hpp
engine
auto & engine
Definition protogalaxy_recursive_verifier.test.cpp:14
protogalaxy_verifier.hpp
special_public_inputs.hpp
bb::DeciderVerificationKeys_
Definition decider_keys.hpp:108
bb::DeciderVerifier_::Output::check
bool check()
Definition decider_verifier.hpp:31
bb::field< Bn254FrParams >::random_element
static field random_element(numeric::RNG *engine=nullptr) noexcept
Definition field_impl.hpp:665
bb::stdlib::bn254::ScalarField
field_t< CircuitBuilder > ScalarField
Definition bn254.hpp:33
bb::stdlib::bn254::byte_array_ct
byte_array< CircuitBuilder > byte_array_ct
Definition bn254.hpp:43
bb::stdlib::bn254::ScalarFieldNative
curve::BN254::ScalarField ScalarFieldNative
Definition bn254.hpp:24
bb::stdlib::bn254::public_witness_ct
public_witness_t< CircuitBuilder > public_witness_ct
Definition bn254.hpp:42
bb::stdlib::bn254::witness_ct
witness_t< CircuitBuilder > witness_ct
Definition bn254.hpp:41
bb::stdlib::recursion::honk::RecursiveDeciderVerificationKeys_
Definition recursive_decider_verification_keys.hpp:14
bb::stdlib::recursion::honk::RecursiveDeciderVerificationKeys_::VerificationKey
typename Flavor::VerificationKey VerificationKey
Definition recursive_decider_verification_keys.hpp:17
bb::stdlib::recursion::honk::RecursiveDeciderVerificationKeys_::VKAndHash
typename Flavor::VKAndHash VKAndHash
Definition recursive_decider_verification_keys.hpp:18
bb::stdlib::recursion::honk::RecursiveDeciderVerificationKeys_::DeciderVK
RecursiveDeciderVerificationKey_< Flavor > DeciderVK
Definition recursive_decider_verification_keys.hpp:19
ultra_prover.hpp
ultra_verifier.hpp