Barretenberg: src/barretenberg/ultra_honk/ultra_verifier.cpp Source File

// === AUDIT STATUS ===

// internal:    { status: not started, auditors: [], date: YYYY-MM-DD }

// external_1:  { status: not started, auditors: [], date: YYYY-MM-DD }

// external_2:  { status: not started, auditors: [], date: YYYY-MM-DD }

// =====================


#include "./ultra_verifier.hpp"

#include "barretenberg/commitment_schemes/ipa/ipa.hpp"

#include "barretenberg/commitment_schemes/pairing_points.hpp"

#include "barretenberg/numeric/bitop/get_msb.hpp"

#include "barretenberg/special_public_inputs/special_public_inputs.hpp"

#include "barretenberg/transcript/transcript.hpp"

#include "barretenberg/ultra_honk/oink_verifier.hpp"


namespace bb {


template <typename Flavor>

template <class IO>


UltraVerifier_<Flavor>::UltraVerifierOutput UltraVerifier_<Flavor>::verify_proof(

    const typename UltraVerifier_<Flavor>::Proof& proof, const typename UltraVerifier_<Flavor>::Proof& ipa_proof)

{

    using FF = typename Flavor::FF;


    transcript->load_proof(proof);

    OinkVerifier<Flavor> oink_verifier{ verification_key, transcript };

    oink_verifier.verify();


    // Determine the number of rounds in the sumcheck based on whether or not padding is employed

    const size_t log_n =

        Flavor::USE_PADDING ? Flavor::VIRTUAL_LOG_N : static_cast<size_t>(verification_key->vk->log_circuit_size);

    verification_key->target_sum = 0;

    verification_key->gate_challenges =

        transcript->template get_powers_of_challenge<FF>("Sumcheck:gate_challenge", log_n);


    DeciderVerifier decider_verifier{ verification_key, transcript };

    auto decider_output = decider_verifier.verify();


    // Reconstruct the public inputs

    IO inputs;

    inputs.reconstruct_from_public(verification_key->public_inputs);


    // Aggregate new pairing points with those reconstructed from the public inputs

    decider_output.pairing_points.aggregate(inputs.pairing_inputs);


    // Construrct the output

    UltraVerifierOutput output;

    output.result = decider_output.check();


    // Logging

    if (!decider_output.sumcheck_verified) {

        info("Sumcheck failed!");

    }


    if (!decider_output.libra_evals_verified) {

        info("Libra evals failed!");

    }


    if constexpr (HasIPAAccumulator<Flavor>) {

        // Reconstruct the nested IPA claim from the public inputs and run the native IPA verifier.

        ipa_transcript->load_proof(ipa_proof);

        bool ipa_result = IPA<curve::Grumpkin>::reduce_verify(ipa_verification_key, inputs.ipa_claim, ipa_transcript);


        // Logging

        if (!ipa_result) {

            info("IPA verification failed!");

        }


        // Update output

        output.result &= ipa_result;

    } else if constexpr (std::is_same_v<IO, HidingKernelIO>) {

        // Add ecc op tables if we are verifying a ClientIVC proof

        output.ecc_op_tables = inputs.ecc_op_tables;

    }


    return output;

}


template class UltraVerifier_<UltraFlavor>;

template class UltraVerifier_<UltraZKFlavor>;

template class UltraVerifier_<UltraKeccakFlavor>;

#ifdef STARKNET_GARAGA_FLAVORS

template class UltraVerifier_<UltraStarknetFlavor>;

template class UltraVerifier_<UltraStarknetZKFlavor>;

#endif

template class UltraVerifier_<UltraKeccakZKFlavor>;

template class UltraVerifier_<UltraRollupFlavor>;

template class UltraVerifier_<MegaFlavor>;

template class UltraVerifier_<MegaZKFlavor>;


template UltraVerifier_<UltraFlavor>::UltraVerifierOutput UltraVerifier_<UltraFlavor>::verify_proof<DefaultIO>(

    const Proof& proof, const Proof& ipa_proof);


template UltraVerifier_<UltraZKFlavor>::UltraVerifierOutput UltraVerifier_<UltraZKFlavor>::verify_proof<DefaultIO>(

    const Proof& proof, const Proof& ipa_proof);


template UltraVerifier_<UltraKeccakFlavor>::UltraVerifierOutput UltraVerifier_<UltraKeccakFlavor>::verify_proof<

    DefaultIO>(const Proof& proof, const Proof& ipa_proof);


#ifdef STARKNET_GARAGA_FLAVORS

template UltraVerifier_<UltraStarknetFlavor>::UltraVerifierOutput UltraVerifier_<UltraStarknetFlavor>::verify_proof<

    DefaultIO>(const Proof& proof, const Proof& ipa_proof);


template UltraVerifier_<UltraStarknetZKFlavor>::UltraVerifierOutput UltraVerifier_<UltraStarknetZKFlavor>::verify_proof<

    DefaultIO>(const Proof& proof, const Proof& ipa_proof);

#endif


template UltraVerifier_<UltraKeccakZKFlavor>::UltraVerifierOutput UltraVerifier_<UltraKeccakZKFlavor>::verify_proof<

    DefaultIO>(const Proof& proof, const Proof& ipa_proof);


template UltraVerifier_<UltraRollupFlavor>::UltraVerifierOutput UltraVerifier_<UltraRollupFlavor>::verify_proof<

    RollupIO>(const Proof& proof, const Proof& ipa_proof);


template UltraVerifier_<MegaFlavor>::UltraVerifierOutput UltraVerifier_<MegaFlavor>::verify_proof<DefaultIO>(

    const Proof& proof, const Proof& ipa_proof);


template UltraVerifier_<MegaZKFlavor>::UltraVerifierOutput UltraVerifier_<MegaZKFlavor>::verify_proof<DefaultIO>(

    const Proof& proof, const Proof& ipa_proof);


// ClientIVC specialization

template UltraVerifier_<MegaZKFlavor>::UltraVerifierOutput UltraVerifier_<MegaZKFlavor>::verify_proof<HidingKernelIO>(

    const Proof& proof, const Proof& ipa_proof);


} // namespace bb

bb::DeciderVerifier_
Definition decider_verifier.hpp:17

bb::DeciderVerifier_::verify
Output verify()
Verify a decider proof that is assumed to be contained in the transcript.
Definition decider_verifier.cpp:38

bb::DefaultIO
Manages the data that is propagated on the public inputs of an application/function circuit.
Definition special_public_inputs.hpp:19

bb::IPA
IPA (inner product argument) commitment scheme class.
Definition ipa.hpp:95

bb::MegaFlavor::FF
Curve::ScalarField FF
Definition mega_flavor.hpp:37

bb::MegaFlavor::VIRTUAL_LOG_N
static constexpr size_t VIRTUAL_LOG_N
Definition mega_flavor.hpp:49

bb::MegaFlavor::USE_PADDING
static constexpr bool USE_PADDING
Definition mega_flavor.hpp:56

bb::OinkVerifier
Verifier class for all the presumcheck rounds, which are shared between the folding verifier and ultr...
Definition oink_verifier.hpp:22

bb::OinkVerifier::verify
void verify()
Oink Verifier function that runs all the rounds of the verifier.
Definition oink_verifier.cpp:28

bb::PairingPoints::aggregate
void aggregate(const PairingPoints &other)
Aggregate the current pairing points with another set of pairing points using a random scalar.
Definition pairing_points.hpp:61

bb::RollupIO
The data that is propagated on the public inputs of a rollup circuit.
Definition special_public_inputs.hpp:81

bb::UltraVerifier_
Definition ultra_verifier.hpp:19

bb::UltraVerifier_::Proof
typename Transcript::Proof Proof
Definition ultra_verifier.hpp:27

bb::UltraVerifier_::FF
typename Flavor::FF FF
Definition ultra_verifier.hpp:20

bb::UltraVerifier_::verify_proof
UltraVerifierOutput verify_proof(const Proof &proof, const Proof &ipa_proof={})

pairing_points.hpp

info
void info(Args... args)
Definition log.hpp:70

bb::HasIPAAccumulator
Definition flavor_concepts.hpp:43

get_msb.hpp

ipa.hpp

bb
Entry point for Barretenberg command-line interface.
Definition acir_format_getters.cpp:6

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

oink_verifier.hpp

special_public_inputs.hpp

bb::DeciderVerifier_::Output::pairing_points
PairingPoints pairing_points
Definition decider_verifier.hpp:29

bb::UltraVerifier_::UltraVerifierOutput
Definition ultra_verifier.hpp:30

bb::UltraVerifier_::UltraVerifierOutput::ecc_op_tables
std::array< Commitment, Flavor::NUM_WIRES > ecc_op_tables
Definition ultra_verifier.hpp:33

bb::UltraVerifier_::UltraVerifierOutput::result
bool result
Definition ultra_verifier.hpp:32

transcript.hpp

ultra_verifier.hpp