Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
shplonk.test.cpp
Go to the documentation of this file.
1#include "barretenberg/commitment_schemes/shplonk/shplonk.hpp"
2#include "barretenberg/circuit_checker/circuit_checker.hpp"
3#include "barretenberg/commitment_schemes/commitment_key.test.hpp"
4#include "barretenberg/stdlib/primitives/curves/bn254.hpp"
5#include "barretenberg/stdlib/primitives/curves/grumpkin.hpp"
6#include "barretenberg/stdlib/proof/proof.hpp"
7#include "barretenberg/stdlib/transcript/transcript.hpp"
8#include <gtest/gtest.h>
9
10using namespace bb;
11
12static constexpr size_t LOG_DEGREE = 4;
13static constexpr size_t MAX_POLY_DEGREE = 1UL << LOG_DEGREE;
14template <class Builder> class ShplonkRecursionTest : public CommitmentTest<typename curve::BN254> {
15 public:
16 using Curve = stdlib::bn254<Builder>;
17 using NativeCurve = Curve::NativeCurve;
18 using Fr = Curve::ScalarField;
19 using Commitment = Curve::AffineElement;
20
21 std::vector<OpeningClaim<Curve>> native_to_stdlib_opening_claims(
22 Builder* builder, std::vector<OpeningClaim<NativeCurve>>& opening_claims, const size_t num_claims)
23 {
24 std::vector<OpeningClaim<stdlib::bn254<Builder>>> stdlib_opening_claims;
25 for (size_t idx = 0; idx < num_claims; idx++) {
26 auto r = Fr::from_witness(builder, opening_claims[idx].opening_pair.challenge);
27 auto eval = Fr::from_witness(builder, opening_claims[idx].opening_pair.evaluation);
28 auto commit = Commitment::from_witness(builder, opening_claims[idx].commitment);
29 stdlib_opening_claims.emplace_back(OpeningClaim<Curve>({ r, eval }, commit));
30 }
31
32 return stdlib_opening_claims;
33 }
34
35 std::pair<std::vector<Commitment>, std::vector<OpeningPair<Curve>>> native_to_stdlib_pairs_and_commitments(
36 Builder* builder, std::vector<OpeningClaim<NativeCurve>>& opening_claims, const size_t num_claims)
37 {
38 std::vector<OpeningPair<Curve>> stdlib_opening_pairs;
39 std::vector<Commitment> stdlib_commitments;
40 for (size_t idx = 0; idx < num_claims; idx++) {
41 auto opening_claim = opening_claims[idx];
42 auto r = Fr::from_witness(builder, opening_claim.opening_pair.challenge);
43 auto eval = Fr::from_witness(builder, opening_claim.opening_pair.evaluation);
44 auto commit = Commitment::from_witness(builder, opening_claim.commitment);
45 stdlib_opening_pairs.emplace_back(OpeningPair<Curve>(r, eval));
46 stdlib_commitments.emplace_back(commit);
47 }
48
49 return std::make_pair(stdlib_commitments, stdlib_opening_pairs);
50 }
51};
52
53using BuilderTypes = ::testing::Types<UltraCircuitBuilder, MegaCircuitBuilder>;
54TYPED_TEST_SUITE(ShplonkRecursionTest, BuilderTypes);
55
56TYPED_TEST(ShplonkRecursionTest, Simple)
57{
58 using Builder = TypeParam;
59 using Curve = stdlib::bn254<TypeParam>;
60 using ClaimData = UnivariateClaimData<typename Curve::NativeCurve>;
61 using ShplonkProver = ShplonkProver_<typename Curve::NativeCurve>;
62 using ShplonkVerifier = ShplonkVerifier_<Curve>;
63 using Fr = typename Curve::ScalarField;
64 using Commitment = typename Curve::AffineElement;
65 using Transcript = bb::BaseTranscript<stdlib::recursion::honk::StdlibTranscriptParams<Builder>>;
66 using StdlibProof = stdlib::Proof<Builder>;
67
68 // Prover transcript
69 auto prover_transcript = NativeTranscript::prover_init_empty();
70
71 // Test data
72 auto setup = this->generate_claim_data({ MAX_POLY_DEGREE, MAX_POLY_DEGREE / 2 });
73
74 // Shplonk prover functionality
75 auto prover_opening_claims = ClaimData::prover_opening_claims(setup);
76 auto batched_prover_claim = ShplonkProver::prove(this->ck(), prover_opening_claims, prover_transcript);
77 this->verify_opening_pair(batched_prover_claim.opening_pair, batched_prover_claim.polynomial);
78
79 // Convert proof to stdlib
80 Builder builder;
81 StdlibProof stdlib_proof(builder, prover_transcript->export_proof());
82
83 // Convert opening claims to witnesses
84 auto native_verifier_claims = ClaimData::verifier_opening_claims(setup);
85 auto stdlib_opening_claims =
86 this->native_to_stdlib_opening_claims(&builder, native_verifier_claims, native_verifier_claims.size());
87
88 // Shplonk verifier functionality
89 auto verifier_transcript = std::make_shared<Transcript>();
90 verifier_transcript->load_proof(stdlib_proof);
91 [[maybe_unused]] auto _ = verifier_transcript->template receive_from_prover<Fr>("Init");
92 [[maybe_unused]] auto batched_verifier_claim =
93 ShplonkVerifier::reduce_verification(Commitment::one(&builder), stdlib_opening_claims, verifier_transcript);
94
95 EXPECT_TRUE(CircuitChecker::check(builder));
96}
97
98TYPED_TEST(ShplonkRecursionTest, LineralyDependent)
99{
100 using Builder = TypeParam;
101 using Curve = stdlib::bn254<TypeParam>;
102 using ClaimData = UnivariateClaimData<typename Curve::NativeCurve>;
103 using ShplonkProver = ShplonkProver_<typename Curve::NativeCurve>;
104 using ShplonkVerifier = ShplonkVerifier_<Curve>;
105 using Fr = typename Curve::ScalarField;
106 using GroupElement = Curve::Element;
107 using Commitment = typename Curve::AffineElement;
108 using OpeningClaim = OpeningClaim<Curve>;
109 using Transcript = bb::BaseTranscript<stdlib::recursion::honk::StdlibTranscriptParams<Builder>>;
110 using StdlibProof = stdlib::Proof<Builder>;
111
112 // Prover transcript
113 auto prover_transcript = NativeTranscript::prover_init_empty();
114
115 // Generate two random (unrelated) polynomials of two different sizes and a random linear combinations
116 auto setup = this->generate_claim_data({ MAX_POLY_DEGREE, MAX_POLY_DEGREE / 2 });
117
118 // Extract the commitments to be used in the Shplonk verifier
119 auto commitments = ClaimData::polynomial_commitments(setup);
120
121 // Linearly combine the polynomials and evalu
122 auto [coefficients, evals] = this->combine_claims(setup);
123
124 // Shplonk prover functionality
125 auto prover_opening_claims = ClaimData::prover_opening_claims(setup);
126 auto batched_prover_claim = ShplonkProver::prove(this->ck(), prover_opening_claims, prover_transcript);
127 this->verify_opening_pair(batched_prover_claim.opening_pair, batched_prover_claim.polynomial);
128 auto proof = prover_transcript->export_proof();
129
130 auto native_opening_claims = ClaimData::verifier_opening_claims(setup);
131 {
132 // Shplonk verifier functionality - expensive way
133 // Convert proof to stdlib
134 Builder builder;
135 StdlibProof stdlib_proof(builder, proof);
136
137 auto coeff1 = Fr::from_witness(&builder, coefficients[0]);
138 auto coeff2 = Fr::from_witness(&builder, coefficients[1]);
139
140 // Convert opening claims to witnesses
141 auto stdlib_opening_claims =
142 this->native_to_stdlib_opening_claims(&builder, native_opening_claims, native_opening_claims.size() - 1);
143
144 // Compute last commitment as it would happen in a circuit
145 Commitment commit = GroupElement::batch_mul(
146 { stdlib_opening_claims[0].commitment, stdlib_opening_claims[1].commitment }, { coeff1, coeff2 });
147
148 // Opening pair for the linear combination as it would be received by the Verifier from the Prover
149 Fr r = Fr::from_witness(&builder, native_opening_claims[2].opening_pair.challenge);
150 Fr eval = Fr::from_witness(&builder, native_opening_claims[2].opening_pair.evaluation);
151
152 // Opening claim for the linear combination
153 stdlib_opening_claims.emplace_back(OpeningClaim({ r, eval }, commit));
154
155 auto verifier_transcript = std::make_shared<Transcript>();
156 verifier_transcript->load_proof(stdlib_proof);
157 [[maybe_unused]] auto _ = verifier_transcript->template receive_from_prover<Fr>("Init");
158 [[maybe_unused]] auto batched_verifier_claim =
159 ShplonkVerifier::reduce_verification(Commitment::one(&builder), stdlib_opening_claims, verifier_transcript);
160
161 EXPECT_TRUE(CircuitChecker::check(builder));
162
163 if constexpr (std::is_same_v<Builder, UltraCircuitBuilder>) {
164 info("Num gates UltraCircuitBuilder (non-efficient way: size-5 MSM + size-2 MSM): ", builder.num_gates);
165 } else if constexpr (std::is_same_v<Builder, MegaCircuitBuilder>) {
166 info("Num MSM rows MegaCircuitBuilder (non-efficient way: size-5 MSM + size-2 MSM): ",
167 builder.op_queue->get_num_rows());
168 }
169 }
170
171 {
172 // Shplonk verifier functionality - efficient way
173 // Convert proof to stdlib
174 Builder builder;
175 StdlibProof stdlib_proof(builder, proof);
176
177 auto coeff1 = Fr::from_witness(&builder, coefficients[0]);
178 auto coeff2 = Fr::from_witness(&builder, coefficients[1]);
179
180 // Convert opening claims to witnesses
181 auto [stdlib_commitments, stdlib_opening_pairs] = this->native_to_stdlib_pairs_and_commitments(
182 &builder, native_opening_claims, native_opening_claims.size() - 1);
183
184 // Opening pair for the linear combination as it would be received by the Verifier from the Prover
185 Fr r = Fr::from_witness(&builder, native_opening_claims[2].opening_pair.challenge);
186 Fr eval = Fr::from_witness(&builder, native_opening_claims[2].opening_pair.evaluation);
187
188 // Update data
189 std::vector<typename ShplonkVerifier::LinearCombinationOfClaims> update_data = {
190 { { 0 }, { Fr(1) }, stdlib_opening_pairs[0] },
191 { { 1 }, { Fr(1) }, stdlib_opening_pairs[1] },
192 { { 0, 1 }, { coeff1, coeff2 }, { r, eval } }
193 };
194
195 // Shplonk verifier functionality - cheap way
196 auto verifier_transcript = std::make_shared<Transcript>();
197 verifier_transcript->load_proof(stdlib_proof);
198 [[maybe_unused]] auto _ = verifier_transcript->template receive_from_prover<Fr>("Init");
199
200 ShplonkVerifier verifier(stdlib_commitments, verifier_transcript, native_opening_claims.size());
201
202 // Execute the shplonk verifier functionality
203 [[maybe_unused]] auto batched_verifier_claim =
204 verifier.reduce_verification_vector_claims(this->vk().get_g1_identity(), update_data);
205
206 EXPECT_TRUE(CircuitChecker::check(builder));
207
208 if constexpr (std::is_same_v<Builder, UltraCircuitBuilder>) {
209 info("Num gates UltraCircuitBuilder (efficient way: size-4 MSM): ", builder.num_gates);
210 } else if constexpr (std::is_same_v<Builder, MegaCircuitBuilder>) {
211 info("Num MSM rows MegaCircuitBuilder (efficient way: size-4 MSM): ", builder.op_queue->get_num_rows());
212 }
213 }
214}
circuit_checker.hpp
ShplonkRecursionTest::Commitment
Curve::AffineElement Commitment
Definition shplonk.test.cpp:19
ShplonkRecursionTest::native_to_stdlib_opening_claims
std::vector< OpeningClaim< Curve > > native_to_stdlib_opening_claims(Builder *builder, std::vector< OpeningClaim< NativeCurve > > &opening_claims, const size_t num_claims)
Definition shplonk.test.cpp:21
ShplonkRecursionTest::native_to_stdlib_pairs_and_commitments
std::pair< std::vector< Commitment >, std::vector< OpeningPair< Curve > > > native_to_stdlib_pairs_and_commitments(Builder *builder, std::vector< OpeningClaim< NativeCurve > > &opening_claims, const size_t num_claims)
Definition shplonk.test.cpp:35
bb::BaseTranscript
Common transcript class for both parties. Stores the data for the current round, as well as the manif...
Definition transcript.hpp:154
bb::BaseTranscript::prover_init_empty
static std::shared_ptr< BaseTranscript > prover_init_empty()
For testing: initializes transcript with some arbitrary data so that a challenge can be generated aft...
Definition transcript.hpp:653
bb::CommitmentTest< curve::BN254 >::commit
Commitment commit(const Polynomial &polynomial)
Definition commitment_key.test.hpp:141
bb::OpeningClaim
Unverified claim (C,r,v) for some witness polynomial p(X) such that.
Definition claim.hpp:53
bb::OpeningPair
Opening pair (r,v) for some witness polynomial p(X) such that p(r) = v.
Definition claim.hpp:19
bb::ShplonkProver_
Shplonk Prover.
Definition shplonk.hpp:36
bb::ShplonkVerifier_
Shplonk Verifier.
Definition shplonk.hpp:343
bb::TranslatorCircuitChecker::check
static bool check(const Builder &circuit)
Check the witness satisifies the circuit.
Definition translator_circuit_checker.cpp:20
bb::curve::Grumpkin::Element
typename Group::element Element
Definition grumpkin.hpp:55
bb::curve::Grumpkin::AffineElement
typename Group::affine_element AffineElement
Definition grumpkin.hpp:56
bb::stdlib::Proof
A simple wrapper around a vector of stdlib field elements representing a proof.
Definition proof.hpp:19
bb::stdlib::field_t
Definition field.hpp:45
bb::stdlib::field_t::from_witness
static field_t from_witness(Builder *ctx, const bb::fr &input)
Definition field.hpp:424
commitment_key.test.hpp
info
void info(Args... args)
Definition log.hpp:70
builder
AluTraceBuilder builder
Definition alu.test.cpp:123
bb
Entry point for Barretenberg command-line interface.
Definition acir_format_getters.cpp:6
bb::TYPED_TEST_SUITE
TYPED_TEST_SUITE(ShpleminiTest, TestSettings)
bb::TYPED_TEST
TYPED_TEST(ShpleminiTest, CorrectnessOfMultivariateClaimBatching)
Definition shplemini.test.cpp:47
bb::ck
CommitmentKey< Curve > ck
Definition ipa.fuzzer.cpp:20
bb::vk
VerifierCommitmentKey< Curve > vk
Definition ipa.fuzzer.cpp:21
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
Fr
Curve::ScalarField Fr
Definition pippenger.bench.cpp:28
BuilderTypes
::testing::Types< UltraCircuitBuilder, MegaCircuitBuilder > BuilderTypes
Definition shplonk.test.cpp:53
bb::stdlib::bn254::ScalarField
field_t< CircuitBuilder > ScalarField
Definition bn254.hpp:33
bb::stdlib::bn254::AffineElement
Group AffineElement
Definition bn254.hpp:37
bb::stdlib::bn254::NativeCurve
curve::BN254 NativeCurve
Definition bn254.hpp:21