Barretenberg: src/barretenberg/vm2/constraining/verifier.cpp Source File

#include "barretenberg/vm2/constraining/verifier.hpp"


#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp"

#include "barretenberg/common/log.hpp"

#include "barretenberg/numeric/bitop/get_msb.hpp"

#include "barretenberg/transcript/transcript.hpp"

#include "barretenberg/vm2/common/constants.hpp"


namespace bb::avm2 {


AvmVerifier::AvmVerifier(std::shared_ptr<Flavor::VerificationKey> verifier_key)

    : key(std::move(verifier_key))

{}


AvmVerifier::AvmVerifier(AvmVerifier&& other) noexcept

    : key(std::move(other.key))

    , transcript(std::move(other.transcript))

{}


AvmVerifier& AvmVerifier::operator=(AvmVerifier&& other) noexcept

{

    key = other.key;

    transcript = other.transcript;

    commitments.clear();

    return *this;

}


using FF = AvmFlavor::FF;


// Evaluate the given public input column over the multivariate challenge points


inline FF AvmVerifier::evaluate_public_input_column(const std::vector<FF>& points, std::vector<FF> challenges)

{

    Polynomial<FF> polynomial(points, (1 << key->log_circuit_size));

    return polynomial.evaluate_mle(challenges);

}


bool AvmVerifier::verify_proof(const HonkProof& proof, const std::vector<std::vector<FF>>& public_inputs)

{

    using Flavor = AvmFlavor;

    using FF = Flavor::FF;

    using Commitment = Flavor::Commitment;

    using PCS = Flavor::PCS;

    using Curve = Flavor::Curve;

    using VerifierCommitments = Flavor::VerifierCommitments;

    using Shplemini = ShpleminiVerifier_<Curve>;

    using ClaimBatcher = ClaimBatcher_<Curve>;

    using ClaimBatch = ClaimBatcher::Batch;

    using VerifierCommitmentKey = typename Flavor::VerifierCommitmentKey;


    RelationParameters<FF> relation_parameters;


    transcript->load_proof(proof);


    // TODO(#15892): Fiat-Shamir the vk hash by uncommenting the line below.

    FF vk_hash = key->hash();

    // transcript->add_to_hash_buffer("avm_vk_hash", vk_hash);

    info("AVM vk hash in verifier: ", vk_hash);


    VerifierCommitments commitments{ key };

    // Get commitments to VM wires

    for (auto [comm, label] : zip_view(commitments.get_wires(), commitments.get_wires_labels())) {

        comm = transcript->template receive_from_prover<Commitment>(label);

    }


    auto [beta, gamm] = transcript->template get_challenges<FF>("beta", "gamma");

    relation_parameters.beta = beta;

    relation_parameters.gamma = gamm;


    // Get commitments to inverses

    for (auto [label, commitment] : zip_view(commitments.get_derived_labels(), commitments.get_derived())) {

        commitment = transcript->template receive_from_prover<Commitment>(label);

    }


    // Execute Sumcheck Verifier

    std::vector<FF> padding_indicator_array(key->log_circuit_size, 1);


    // Multiply each linearly independent subrelation contribution by `alpha^i` for i = 0, ..., NUM_SUBRELATIONS - 1.

    const FF alpha = transcript->template get_challenge<FF>("Sumcheck:alpha");


    SumcheckVerifier<Flavor> sumcheck(transcript, alpha, key->log_circuit_size);


    // Get the gate challenges for sumcheck computation

    std::vector<FF> gate_challenges =

        transcript->template get_powers_of_challenge<FF>("Sumcheck:gate_challenge", key->log_circuit_size);


    SumcheckOutput<Flavor> output = sumcheck.verify(relation_parameters, gate_challenges, padding_indicator_array);


    // If Sumcheck did not verify, return false

    if (!output.verified) {

        vinfo("Sumcheck verification failed");

        return false;

    }


    if (public_inputs.size() != AVM_NUM_PUBLIC_INPUT_COLUMNS) {

        vinfo("Public inputs size mismatch");

        return false;

    }


    std::array<FF, AVM_NUM_PUBLIC_INPUT_COLUMNS> claimed_evaluations = {

        output.claimed_evaluations.public_inputs_cols_0_,

        output.claimed_evaluations.public_inputs_cols_1_,

        output.claimed_evaluations.public_inputs_cols_2_,

        output.claimed_evaluations.public_inputs_cols_3_,

    };

    for (size_t i = 0; i < AVM_NUM_PUBLIC_INPUT_COLUMNS; i++) {

        FF public_input_evaluation = evaluate_public_input_column(public_inputs[i], output.challenge);

        if (public_input_evaluation != claimed_evaluations[i]) {

            vinfo("public_input_evaluation failed, public inputs col ", i);

            return false;

        }

    }


    ClaimBatcher claim_batcher{

        .unshifted = ClaimBatch{ commitments.get_unshifted(), output.claimed_evaluations.get_unshifted() },

        .shifted = ClaimBatch{ commitments.get_to_be_shifted(), output.claimed_evaluations.get_shifted() }

    };

    const BatchOpeningClaim<Curve> opening_claim = Shplemini::compute_batch_opening_claim(

        padding_indicator_array, claim_batcher, output.challenge, Commitment::one(), transcript);


    const auto pairing_points = PCS::reduce_verify_batch_opening_claim(opening_claim, transcript);

    VerifierCommitmentKey pcs_vkey{};

    const auto shplemini_verified = pcs_vkey.pairing_check(pairing_points[0], pairing_points[1]);


    if (!shplemini_verified) {

        vinfo("Shplemini verification failed");

        return false;

    }


    return true;

}


} // namespace bb::avm2

AVM_NUM_PUBLIC_INPUT_COLUMNS
#define AVM_NUM_PUBLIC_INPUT_COLUMNS
Definition aztec_constants.hpp:166

bb::Polynomial
Structured polynomial class that represents the coefficients 'a' of a_0 + a_1 x .....
Definition polynomial.hpp:74

bb::Polynomial::evaluate_mle
Fr evaluate_mle(std::span< const Fr > evaluation_points, bool shift=false) const
evaluate multi-linear extension p(X_0,…,X_{n-1}) = \sum_i a_i*L_i(X_0,…,X_{n-1}) at u = (u_0,...
Definition polynomial.cpp:202

bb::ShpleminiVerifier_
An efficient verifier for the evaluation proofs of multilinear polynomials and their shifts.
Definition shplemini.hpp:189

bb::SumcheckVerifier
Implementation of the sumcheck Verifier for statements of the form  for multilinear polynomials .
Definition sumcheck.hpp:645

bb::SumcheckVerifier::verify
SumcheckOutput< Flavor > verify(const bb::RelationParameters< FF > &relation_parameters, std::vector< FF > &gate_challenges, const std::vector< FF > &padding_indicator_array)
Extract round univariate, check sum, generate challenge, compute next target sum.....
Definition sumcheck.hpp:718

bb::VerifierCommitmentKey< Curve >

bb::avm2::AvmFlavor
Definition flavor.hpp:28

bb::avm2::AvmFlavor::FF
AvmFlavorSettings::FF FF
Definition flavor.hpp:34

bb::avm2::AvmFlavor::VerifierCommitmentKey
AvmFlavorSettings::VerifierCommitmentKey VerifierCommitmentKey
Definition flavor.hpp:41

bb::avm2::AvmFlavor::VerifierCommitments
VerifierCommitments_< Commitment, VerificationKey > VerifierCommitments
Definition flavor.hpp:361

bb::avm2::AvmFlavor::PCS
AvmFlavorSettings::PCS PCS
Definition flavor.hpp:32

bb::avm2::AvmFlavor::Commitment
AvmFlavorSettings::Commitment Commitment
Definition flavor.hpp:38

bb::avm2::AvmFlavor::Curve
AvmFlavorSettings::Curve Curve
Definition flavor.hpp:30

bb::avm2::AvmVerifier
Definition verifier.hpp:8

bb::avm2::AvmVerifier::AvmVerifier
AvmVerifier(std::shared_ptr< VerificationKey > verifier_key)
Definition verifier.cpp:11

bb::avm2::AvmVerifier::transcript
std::shared_ptr< Transcript > transcript
Definition verifier.hpp:31

bb::avm2::AvmVerifier::operator=
AvmVerifier & operator=(const AvmVerifier &other)=delete

bb::avm2::AvmVerifier::evaluate_public_input_column
FF evaluate_public_input_column(const std::vector< FF > &points, std::vector< FF > challenges)
Definition verifier.cpp:31

bb::avm2::AvmVerifier::key
std::shared_ptr< VerificationKey > key
Definition verifier.hpp:29

bb::avm2::AvmVerifier::verify_proof
virtual bool verify_proof(const HonkProof &proof, const std::vector< std::vector< FF > > &public_inputs)
This function verifies an Avm Honk proof for given program settings.
Definition verifier.cpp:41

bb::avm2::AvmVerifier::FF
Flavor::FF FF
Definition verifier.hpp:11

bb::avm2::AvmVerifier::commitments
std::map< std::string, Commitment > commitments
Definition verifier.hpp:30

bb::avm2::AvmVerifier::Commitment
Flavor::Commitment Commitment
Definition verifier.hpp:12

bb::curve::Grumpkin
Definition grumpkin.hpp:50

zip_view
Definition zip_view.hpp:166

log.hpp

vinfo
void vinfo(Args... args)
Definition log.hpp:76

info
void info(Args... args)
Definition log.hpp:70

get_msb.hpp

key
FF key
Definition indexed_memory_tree.test.cpp:18

bb::avm2
Definition flavor.hpp:472

bb::avm2::FF
AvmFlavorSettings::FF FF
Definition field.hpp:10

bb::HonkProof
std::vector< fr > HonkProof
Definition proof.hpp:15

std
STL namespace.

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

shplemini.hpp

bb::BatchOpeningClaim
An accumulator consisting of the Shplonk evaluation challenge and vectors of commitments and scalars.
Definition claim.hpp:169

bb::ClaimBatcher_
Logic to support batching opening claims for unshifted and shifted polynomials in Shplemini.
Definition claim_batcher.hpp:27

bb::RelationParameters
Container for parameters used by the grand product (permutation, lookup) Honk relations.
Definition relation_parameters.hpp:19

bb::RelationParameters::beta
T beta
Definition relation_parameters.hpp:29

bb::RelationParameters::gamma
T gamma
Definition relation_parameters.hpp:30

bb::SumcheckOutput
Contains the evaluations of multilinear polynomials  at the challenge point . These are computed by S...
Definition sumcheck_output.hpp:22

bb::SumcheckOutput::verified
bool verified
Definition sumcheck_output.hpp:33

bb::SumcheckOutput::claimed_evaluations
ClaimedEvaluations claimed_evaluations
Definition sumcheck_output.hpp:30

bb::SumcheckOutput::challenge
std::vector< FF > challenge
Definition sumcheck_output.hpp:28

transcript.hpp

verifier.hpp

constants.hpp