Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
ultra_recursive_verifier.cpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: not started, auditors: [], date: YYYY-MM-DD }
3// external_1: { status: not started, auditors: [], date: YYYY-MM-DD }
4// external_2: { status: not started, auditors: [], date: YYYY-MM-DD }
5// =====================
6
7#include "barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.hpp"
8#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp"
9#include "barretenberg/flavor/flavor.hpp"
10#include "barretenberg/honk/library/grand_product_delta.hpp"
11#include "barretenberg/numeric/bitop/get_msb.hpp"
12#include "barretenberg/stdlib/primitives/circuit_builders/circuit_builders_fwd.hpp"
13#include "barretenberg/stdlib/primitives/padding_indicator_array/padding_indicator_array.hpp"
14#include "barretenberg/stdlib/primitives/public_input_component/public_input_component.hpp"
15#include "barretenberg/stdlib/special_public_inputs/special_public_inputs.hpp"
16#include "barretenberg/transcript/transcript.hpp"
17
18namespace bb::stdlib::recursion::honk {
19
20template <typename Flavor>
21UltraRecursiveVerifier_<Flavor>::UltraRecursiveVerifier_(Builder* builder,
22 const std::shared_ptr<VKAndHash>& vk_and_hash,
23 const std::shared_ptr<Transcript>& transcript)
24 : key(std::make_shared<RecursiveDeciderVK>(builder, vk_and_hash))
25 , builder(builder)
26 , transcript(transcript)
27{}
28
35template <typename Flavor>
36template <class IO>
37UltraRecursiveVerifier_<Flavor>::Output UltraRecursiveVerifier_<Flavor>::verify_proof(
38 const stdlib::Proof<Builder>& proof)
39{
40 using Sumcheck = ::bb::SumcheckVerifier<Flavor>;
41 using PCS = typename Flavor::PCS;
42 using Curve = typename Flavor::Curve;
43 using Shplemini = ::bb::ShpleminiVerifier_<Curve>;
44 using VerifierCommitments = typename Flavor::VerifierCommitments;
45 using ClaimBatcher = ClaimBatcher_<Curve>;
46 using ClaimBatch = ClaimBatcher::Batch;
47
48 const size_t num_public_inputs = static_cast<uint32_t>(key->vk_and_hash->vk->num_public_inputs.get_value());
49 BB_ASSERT_EQ(proof.size(), Flavor::NativeFlavor::PROOF_LENGTH_WITHOUT_PUB_INPUTS() + num_public_inputs);
50
51 StdlibProof ipa_proof;
52 StdlibProof honk_proof;
53 if constexpr (HasIPAAccumulator<Flavor>) {
54 const size_t HONK_PROOF_LENGTH = Flavor::NativeFlavor::PROOF_LENGTH_WITHOUT_PUB_INPUTS() - IPA_PROOF_LENGTH;
55 // The extra calculation is for the IPA proof length.
56 // TODO(https://github.com/AztecProtocol/barretenberg/issues/1182): Handle in ProofSurgeon.
57 BB_ASSERT_EQ(proof.size(), HONK_PROOF_LENGTH + IPA_PROOF_LENGTH + num_public_inputs);
58 // split out the ipa proof
59 const std::ptrdiff_t honk_proof_with_pub_inputs_length =
60 static_cast<std::ptrdiff_t>(HONK_PROOF_LENGTH + num_public_inputs);
61 ipa_proof = StdlibProof(proof.begin() + honk_proof_with_pub_inputs_length, proof.end());
62 honk_proof = StdlibProof(proof.begin(), proof.begin() + honk_proof_with_pub_inputs_length);
63 } else {
64 honk_proof = proof;
65 }
66 transcript->load_proof(honk_proof);
67 OinkVerifier oink_verifier{ builder, key, transcript };
68 oink_verifier.verify();
69 const std::vector<FF>& public_inputs = key->public_inputs;
70
71 VerifierCommitments commitments{ key->vk_and_hash->vk, key->witness_commitments };
72 static constexpr size_t VIRTUAL_LOG_N = Flavor::NativeFlavor::VIRTUAL_LOG_N;
73 // Get the gate challenges for sumcheck computation
74 key->gate_challenges = transcript->template get_powers_of_challenge<FF>("Sumcheck:gate_challenge", VIRTUAL_LOG_N);
75
76 // Execute Sumcheck Verifier and extract multivariate opening point u = (u_0, ..., u_{d-1}) and purported
77 // multivariate evaluations at u
78
79 std::vector<FF> padding_indicator_array(VIRTUAL_LOG_N, 1);
80 if constexpr (Flavor::HasZK) {
81 // TODO(https://github.com/AztecProtocol/barretenberg/issues/1521): ZK Recursive verifiers need to evaluate
82 // RowDisablingPolynomial, which requires knowing the actual `log_circuit_size`. Can be fixed by reserving the
83 // first rows of the trace for masking.
84 padding_indicator_array =
85 compute_padding_indicator_array<Curve, VIRTUAL_LOG_N>(key->vk_and_hash->vk->log_circuit_size);
86 }
87
88 Sumcheck sumcheck(transcript, key->alphas, VIRTUAL_LOG_N);
89
90 // Receive commitments to Libra masking polynomials
91 std::array<Commitment, NUM_LIBRA_COMMITMENTS> libra_commitments = {};
92 if constexpr (Flavor::HasZK) {
93 libra_commitments[0] = transcript->template receive_from_prover<Commitment>("Libra:concatenation_commitment");
94 }
95 SumcheckOutput<Flavor> sumcheck_output =
96 sumcheck.verify(key->relation_parameters, key->gate_challenges, padding_indicator_array);
97
98 // For MegaZKFlavor: the sumcheck output contains claimed evaluations of the Libra polynomials
99 if constexpr (Flavor::HasZK) {
100 libra_commitments[1] = transcript->template receive_from_prover<Commitment>("Libra:grand_sum_commitment");
101 libra_commitments[2] = transcript->template receive_from_prover<Commitment>("Libra:quotient_commitment");
102 }
103 // Execute Shplemini to produce a batch opening claim subsequently verified by a univariate PCS
104 bool consistency_checked = true;
105 ClaimBatcher claim_batcher{
106 .unshifted = ClaimBatch{ commitments.get_unshifted(), sumcheck_output.claimed_evaluations.get_unshifted() },
107 .shifted = ClaimBatch{ commitments.get_to_be_shifted(), sumcheck_output.claimed_evaluations.get_shifted() }
108 };
109 const BatchOpeningClaim<Curve> opening_claim =
110 Shplemini::compute_batch_opening_claim(padding_indicator_array,
111 claim_batcher,
112 sumcheck_output.challenge,
113 Commitment::one(builder),
114 transcript,
115 Flavor::REPEATED_COMMITMENTS,
116 Flavor::HasZK,
117 &consistency_checked,
118 libra_commitments,
119 sumcheck_output.claimed_libra_evaluation);
120
121 auto pairing_points = PCS::reduce_verify_batch_opening_claim(opening_claim, transcript);
122
123 // Reconstruct the public inputs
124 IO inputs;
125 inputs.reconstruct_from_public(public_inputs);
126
127 // Construct output
128 Output output(inputs);
129 output.ipa_proof = ipa_proof; // Add IPA proof
130
131 // Aggregate new pairing point with the ones reconstructed from the public inputs
132 output.points_accumulator.aggregate(pairing_points);
133
134 return output;
135}
136
137template class UltraRecursiveVerifier_<bb::UltraRecursiveFlavor_<UltraCircuitBuilder>>;
138template class UltraRecursiveVerifier_<bb::UltraRecursiveFlavor_<MegaCircuitBuilder>>;
139template class UltraRecursiveVerifier_<bb::UltraZKRecursiveFlavor_<UltraCircuitBuilder>>;
140template class UltraRecursiveVerifier_<bb::UltraZKRecursiveFlavor_<MegaCircuitBuilder>>;
141template class UltraRecursiveVerifier_<bb::UltraRollupRecursiveFlavor_<UltraCircuitBuilder>>;
142template class UltraRecursiveVerifier_<bb::MegaRecursiveFlavor_<UltraCircuitBuilder>>;
143template class UltraRecursiveVerifier_<bb::MegaRecursiveFlavor_<MegaCircuitBuilder>>;
144template class UltraRecursiveVerifier_<bb::MegaZKRecursiveFlavor_<MegaCircuitBuilder>>;
145template class UltraRecursiveVerifier_<bb::MegaZKRecursiveFlavor_<UltraCircuitBuilder>>;
146
147// UltraRecursiveFlavor_ specializations
148template UltraRecursiveVerifier_<bb::UltraRecursiveFlavor_<UltraCircuitBuilder>>::Output UltraRecursiveVerifier_<
149 bb::UltraRecursiveFlavor_<UltraCircuitBuilder>>::
150 verify_proof<DefaultIO<UltraCircuitBuilder>>(
151 const UltraRecursiveVerifier_<bb::UltraRecursiveFlavor_<UltraCircuitBuilder>>::StdlibProof& proof);
152
153template UltraRecursiveVerifier_<bb::UltraRecursiveFlavor_<MegaCircuitBuilder>>::Output UltraRecursiveVerifier_<
154 bb::UltraRecursiveFlavor_<MegaCircuitBuilder>>::
155 verify_proof<DefaultIO<MegaCircuitBuilder>>(
156 const UltraRecursiveVerifier_<bb::UltraRecursiveFlavor_<MegaCircuitBuilder>>::StdlibProof& proof);
157
158// UltraZKRecursiveFlavor_ specializations
159template UltraRecursiveVerifier_<bb::UltraZKRecursiveFlavor_<UltraCircuitBuilder>>::Output UltraRecursiveVerifier_<
160 bb::UltraZKRecursiveFlavor_<UltraCircuitBuilder>>::
161 verify_proof<DefaultIO<UltraCircuitBuilder>>(
162 const UltraRecursiveVerifier_<bb::UltraZKRecursiveFlavor_<UltraCircuitBuilder>>::StdlibProof& proof);
163
164template UltraRecursiveVerifier_<bb::UltraZKRecursiveFlavor_<MegaCircuitBuilder>>::Output UltraRecursiveVerifier_<
165 bb::UltraZKRecursiveFlavor_<MegaCircuitBuilder>>::
166 verify_proof<DefaultIO<MegaCircuitBuilder>>(
167 const UltraRecursiveVerifier_<bb::UltraZKRecursiveFlavor_<MegaCircuitBuilder>>::StdlibProof& proof);
168
169// UltraRollupRecursiveFlavor_ specialization
170template UltraRecursiveVerifier_<bb::UltraRollupRecursiveFlavor_<UltraCircuitBuilder>>::Output UltraRecursiveVerifier_<
171 bb::UltraRollupRecursiveFlavor_<UltraCircuitBuilder>>::
172 verify_proof<RollupIO>(
173 const UltraRecursiveVerifier_<bb::UltraRollupRecursiveFlavor_<UltraCircuitBuilder>>::StdlibProof& proof);
174
175// MegaRecursiveFlavor_ specialization with DefaultIO
176template UltraRecursiveVerifier_<bb::MegaRecursiveFlavor_<UltraCircuitBuilder>>::Output UltraRecursiveVerifier_<
177 bb::MegaRecursiveFlavor_<UltraCircuitBuilder>>::
178 verify_proof<DefaultIO<UltraCircuitBuilder>>(
179 const UltraRecursiveVerifier_<bb::MegaRecursiveFlavor_<UltraCircuitBuilder>>::StdlibProof& proof);
180
181template UltraRecursiveVerifier_<bb::MegaRecursiveFlavor_<MegaCircuitBuilder>>::Output UltraRecursiveVerifier_<
182 bb::MegaRecursiveFlavor_<MegaCircuitBuilder>>::
183 verify_proof<DefaultIO<MegaCircuitBuilder>>(
184 const UltraRecursiveVerifier_<bb::MegaRecursiveFlavor_<MegaCircuitBuilder>>::StdlibProof& proof);
185
186// MegaZKRecursiveFlavor_ specialization with DefaultIO
187template UltraRecursiveVerifier_<bb::MegaZKRecursiveFlavor_<UltraCircuitBuilder>>::Output UltraRecursiveVerifier_<
188 bb::MegaZKRecursiveFlavor_<UltraCircuitBuilder>>::
189 verify_proof<DefaultIO<UltraCircuitBuilder>>(
190 const UltraRecursiveVerifier_<bb::MegaZKRecursiveFlavor_<UltraCircuitBuilder>>::StdlibProof& proof);
191
192template UltraRecursiveVerifier_<bb::MegaZKRecursiveFlavor_<MegaCircuitBuilder>>::Output UltraRecursiveVerifier_<
193 bb::MegaZKRecursiveFlavor_<MegaCircuitBuilder>>::
194 verify_proof<DefaultIO<MegaCircuitBuilder>>(
195 const UltraRecursiveVerifier_<bb::MegaZKRecursiveFlavor_<MegaCircuitBuilder>>::StdlibProof& proof);
196
197// ClientIVC specialization
198template UltraRecursiveVerifier_<bb::MegaZKRecursiveFlavor_<UltraCircuitBuilder>>::Output UltraRecursiveVerifier_<
199 bb::MegaZKRecursiveFlavor_<UltraCircuitBuilder>>::
200 verify_proof<HidingKernelIO<UltraCircuitBuilder>>(
201 const UltraRecursiveVerifier_<bb::MegaZKRecursiveFlavor_<UltraCircuitBuilder>>::StdlibProof& proof);
202
203// GoblinAvm specialization
204template UltraRecursiveVerifier_<bb::MegaRecursiveFlavor_<UltraCircuitBuilder>>::Output UltraRecursiveVerifier_<
205 bb::MegaRecursiveFlavor_<UltraCircuitBuilder>>::
206 verify_proof<GoblinAvmIO<UltraCircuitBuilder>>(
207 const UltraRecursiveVerifier_<bb::MegaRecursiveFlavor_<UltraCircuitBuilder>>::StdlibProof& proof);
208
209} // namespace bb::stdlib::recursion::honk
BB_ASSERT_EQ
#define BB_ASSERT_EQ(actual, expected,...)
Definition assert.hpp:59
circuit_builders_fwd.hpp
bb::ECCVMFlavor::PROOF_LENGTH_WITHOUT_PUB_INPUTS
static constexpr size_t PROOF_LENGTH_WITHOUT_PUB_INPUTS
Definition eccvm_flavor.hpp:116
bb::MegaFlavor::REPEATED_COMMITMENTS
static constexpr RepeatedCommitmentsData REPEATED_COMMITMENTS
Definition mega_flavor.hpp:71
bb::MegaFlavor::Curve
curve::BN254 Curve
Definition mega_flavor.hpp:36
bb::MegaFlavor::HasZK
static constexpr bool HasZK
Definition mega_flavor.hpp:53
bb::MegaFlavor::VIRTUAL_LOG_N
static constexpr size_t VIRTUAL_LOG_N
Definition mega_flavor.hpp:49
bb::MegaFlavor::PCS
KZG< Curve > PCS
Definition mega_flavor.hpp:40
bb::MegaFlavor::VerifierCommitments
VerifierCommitments_< Commitment, VerificationKey > VerifierCommitments
Definition mega_flavor.hpp:648
bb::MegaRecursiveFlavor_
The recursive counterpart to the "native" Mega flavor.
Definition mega_recursive_flavor.hpp:39
bb::MegaZKRecursiveFlavor_
The recursive counterpart to the "native" MegaZKFlavor.
Definition mega_zk_recursive_flavor.hpp:39
bb::ShpleminiVerifier_
An efficient verifier for the evaluation proofs of multilinear polynomials and their shifts.
Definition shplemini.hpp:189
bb::SumcheckVerifier
Implementation of the sumcheck Verifier for statements of the form for multilinear polynomials .
Definition sumcheck.hpp:645
bb::UltraRecursiveFlavor_
The recursive counterpart to the "native" Ultra flavor.
Definition ultra_recursive_flavor.hpp:51
bb::UltraRollupRecursiveFlavor_
The recursive counterpart to the "native" UltraRollupFlavor.
Definition ultra_rollup_recursive_flavor.hpp:39
bb::UltraZKRecursiveFlavor_
The recursive counterpart to the Ultra flavor with ZK.
Definition ultra_zk_recursive_flavor.hpp:52
bb::stdlib::Proof
A simple wrapper around a vector of stdlib field elements representing a proof.
Definition proof.hpp:19
bb::stdlib::recursion::honk::OinkRecursiveVerifier_
Definition oink_recursive_verifier.hpp:13
bb::stdlib::recursion::honk::RecursiveDeciderVerificationKey_
The stdlib counterpart of DeciderVerificationKey, used in recursive folding verification.
Definition recursive_decider_verification_key.hpp:18
bb::stdlib::recursion::honk::UltraRecursiveVerifier_
Definition ultra_recursive_verifier.hpp:53
bb::stdlib::recursion::honk::UltraRecursiveVerifier_::UltraRecursiveVerifier_
UltraRecursiveVerifier_(Builder *builder, const std::shared_ptr< VKAndHash > &vk_and_hash, const std::shared_ptr< Transcript > &transcript=std::make_shared< Transcript >())
Definition ultra_recursive_verifier.cpp:21
bb::stdlib::recursion::honk::UltraRecursiveVerifier_::Builder
typename Flavor::CircuitBuilder Builder
Definition ultra_recursive_verifier.hpp:62
bb::stdlib::recursion::honk::UltraRecursiveVerifier_::verify_proof
Output verify_proof(const StdlibProof &proof)
builder
AluTraceBuilder builder
Definition alu.test.cpp:123
flavor.hpp
Base class templates for structures that contain data parameterized by the fundamental polynomials of...
get_msb.hpp
grand_product_delta.hpp
key
FF key
Definition indexed_memory_tree.test.cpp:18
bb::stdlib::recursion::honk::StdlibProof
stdlib::Proof< Builder > StdlibProof
Definition transcript.test.cpp:24
std
STL namespace.
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
padding_indicator_array.hpp
For a small integer N = virtual_log_n and a given witness x = log_n, compute in-circuit an indicator_...
public_input_component.hpp
special_public_inputs.hpp
bb::BatchOpeningClaim
An accumulator consisting of the Shplonk evaluation challenge and vectors of commitments and scalars.
Definition claim.hpp:169
bb::ClaimBatcher_
Logic to support batching opening claims for unshifted and shifted polynomials in Shplemini.
Definition claim_batcher.hpp:27
bb::SumcheckOutput
Contains the evaluations of multilinear polynomials at the challenge point . These are computed by S...
Definition sumcheck_output.hpp:22
bb::SumcheckOutput::claimed_evaluations
ClaimedEvaluations claimed_evaluations
Definition sumcheck_output.hpp:30
bb::SumcheckOutput::challenge
std::vector< FF > challenge
Definition sumcheck_output.hpp:28
bb::stdlib::recursion::PairingPoints::aggregate
void aggregate(PairingPoints const &other)
Compute a linear combination of the present pairing points with an input set of pairing points.
Definition pairing_points.hpp:60
ultra_recursive_verifier.hpp