Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
eccvm_recursive_verifier.test.cpp
Go to the documentation of this file.
1#include "barretenberg/circuit_checker/circuit_checker.hpp"
2#include "barretenberg/commitment_schemes/ipa/ipa.hpp"
3#include "barretenberg/dsl/acir_format/gate_count_constants.hpp"
4#include "barretenberg/eccvm/eccvm_prover.hpp"
5#include "barretenberg/eccvm/eccvm_verifier.hpp"
6#include "barretenberg/stdlib/honk_verifier/ultra_verification_keys_comparator.hpp"
7#include "barretenberg/stdlib/test_utils/tamper_proof.hpp"
8#include "barretenberg/ultra_honk/ultra_prover.hpp"
9#include "barretenberg/ultra_honk/ultra_verifier.hpp"
10
11#include <gtest/gtest.h>
12
13namespace {
14auto& engine = bb::numeric::get_debug_randomness();
15}
16namespace bb {
17class ECCVMRecursiveTests : public ::testing::Test {
18 public:
19 using RecursiveFlavor = ECCVMRecursiveFlavor;
20 using InnerFlavor = RecursiveFlavor::NativeFlavor;
21 using InnerBuilder = InnerFlavor::CircuitBuilder;
22 using InnerProver = ECCVMProver;
23 using InnerVerifier = ECCVMVerifier;
24 using InnerG1 = InnerFlavor::Commitment;
25 using InnerFF = InnerFlavor::FF;
26 using InnerBF = InnerFlavor::BF;
27 using InnerPK = InnerFlavor::ProvingKey;
28 using InnerVK = InnerFlavor::VerificationKey;
29
30 using Transcript = InnerFlavor::Transcript;
31 using StdlibTranscript = RecursiveFlavor::Transcript;
32
33 using RecursiveVerifier = ECCVMRecursiveVerifier;
34
35 using OuterBuilder = RecursiveFlavor::CircuitBuilder;
36 using OuterFlavor = std::conditional_t<IsMegaBuilder<OuterBuilder>, MegaFlavor, UltraFlavor>;
37 using OuterProver = UltraProver_<OuterFlavor>;
38 using OuterVerifier = UltraVerifier_<OuterFlavor, bb::DefaultIO>;
39 using OuterProverInstance = ProverInstance_<OuterFlavor>;
40
41 using PCS = IPA<ECCVMFlavor::Curve, CONST_ECCVM_LOG_N>;
42 static void SetUpTestSuite() { bb::srs::init_file_crs_factory(bb::srs::bb_crs_path()); }
43
50 static InnerBuilder generate_circuit(numeric::RNG* engine = nullptr, const size_t num_iterations = 1)
51 {
52 using Curve = curve::BN254;
53 using G1 = Curve::Element;
54 using Fr = Curve::ScalarField;
55 using Fq = curve::Grumpkin::ScalarField;
56
57 std::shared_ptr<ECCOpQueue> op_queue = std::make_shared<ECCOpQueue>();
58 G1 a = G1::random_element(engine);
59 G1 b = G1::random_element(engine);
60 G1 c = G1::random_element(engine);
61 Fr x = Fr::random_element(engine);
62 Fr y = Fr::random_element(engine);
63 for (size_t idx = 0; idx < num_iterations; idx++) {
64 op_queue->add_accumulate(a);
65 op_queue->mul_accumulate(a, x);
66 op_queue->mul_accumulate(b, x);
67 op_queue->mul_accumulate(b, y);
68 op_queue->add_accumulate(a);
69 op_queue->mul_accumulate(b, x);
70 op_queue->eq_and_reset();
71 op_queue->add_accumulate(c);
72 op_queue->mul_accumulate(a, x);
73 op_queue->mul_accumulate(b, x);
74 op_queue->eq_and_reset();
75 op_queue->mul_accumulate(a, x);
76 op_queue->mul_accumulate(b, x);
77 op_queue->mul_accumulate(c, x);
78 op_queue->merge();
79 }
80 // Set hiding op for ECCVM ZK (required before ECCVMCircuitBuilder construction)
81 op_queue->append_hiding_op(Fq::random_element(engine), Fq::random_element(engine));
82 InnerBuilder builder{ op_queue };
83 return builder;
84 }
85
86 static void test_recursive_verification()
87 {
88 InnerBuilder builder = generate_circuit(&engine);
89 std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();
90 InnerProver prover(builder, prover_transcript);
91 auto [proof, opening_claim] = prover.construct_proof();
92
93 // Compute IPA proof
94 auto ipa_transcript = std::make_shared<Transcript>();
95 PCS::compute_opening_proof(prover.key->commitment_key, opening_claim, ipa_transcript);
96 HonkProof ipa_proof = ipa_transcript->export_proof();
97
98 auto verification_key = std::make_shared<InnerFlavor::VerificationKey>();
99
100 info("ECCVM Recursive Verifier");
101 OuterBuilder outer_circuit;
102 auto stdlib_proof = stdlib::Proof<OuterBuilder>(outer_circuit, proof);
103 std::shared_ptr<StdlibTranscript> stdlib_verifier_transcript = std::make_shared<StdlibTranscript>();
104 RecursiveVerifier verifier{ stdlib_verifier_transcript, stdlib_proof };
105 verifier.get_transcript()->enable_manifest();
106 [[maybe_unused]] auto recursive_result = verifier.reduce_to_ipa_opening();
107 stdlib::recursion::honk::DefaultIO<OuterBuilder>::add_default(outer_circuit);
108
109 info("Recursive Verifier: num gates = ", outer_circuit.get_num_finalized_gates_inefficient());
110
111 // Check for a failure flag in the recursive verifier circuit
112 EXPECT_EQ(outer_circuit.failed(), false) << outer_circuit.err();
113
114 bool result = CircuitChecker::check(outer_circuit);
115 EXPECT_TRUE(result);
116
117 std::shared_ptr<Transcript> verifier_transcript = std::make_shared<Transcript>();
118 InnerVerifier native_verifier(verifier_transcript, proof);
119 verifier_transcript->enable_manifest();
120 auto native_result = native_verifier.reduce_to_ipa_opening();
121
122 // Verify IPA
123 auto ipa_verify_transcript = std::make_shared<Transcript>();
124 ipa_verify_transcript->load_proof(ipa_proof);
125 auto ipa_vk = VerifierCommitmentKey<curve::Grumpkin>{ ECCVMFlavor::ECCVM_FIXED_SIZE };
126 bool ipa_verified = IPA<curve::Grumpkin>::reduce_verify(ipa_vk, native_result.ipa_claim, ipa_verify_transcript);
127 EXPECT_TRUE(ipa_verified && native_result.reduction_succeeded);
128 auto recursive_manifest = verifier.get_transcript()->get_manifest();
129 auto native_manifest = native_verifier.get_transcript()->get_manifest();
130
131 ASSERT_GT(recursive_manifest.size(), 0);
132 for (size_t i = 0; i < recursive_manifest.size(); ++i) {
133 EXPECT_EQ(recursive_manifest[i], native_manifest[i])
134 << "Recursive Verifier/Verifier manifest discrepency in round " << i;
135 }
136
137 // Ensure verification key commitments are the same
138 for (auto [vk_poly, native_vk_poly] :
139 zip_view(verifier.get_verification_key()->get_all(), verification_key->get_all())) {
140 EXPECT_EQ(vk_poly.get_value(), native_vk_poly);
141 }
142
143 // Construct a full proof from the recursive verifier circuit
144 {
145 auto prover_instance = std::make_shared<OuterProverInstance>(outer_circuit);
146 auto verification_key = std::make_shared<OuterFlavor::VerificationKey>(prover_instance->get_precomputed());
147 auto vk_and_hash = std::make_shared<OuterFlavor::VKAndHash>(verification_key);
148 OuterProver prover(prover_instance, verification_key);
149 OuterVerifier verifier(vk_and_hash);
150 auto proof = prover.construct_proof();
151 bool verified = verifier.verify_proof(proof).result;
152
153 ASSERT_TRUE(verified);
154 }
155
156 // Check that the size of the recursive verifier is consistent with historical expectation
157 ASSERT_EQ(outer_circuit.get_num_finalized_gates(), acir_format::ECCVM_RECURSIVE_VERIFIER_GATE_COUNT)
158 << "Ultra-arithmetized ECCVM Recursive verifier gate count changed! Update this value if you are sure this "
159 "is expected.";
160 }
161
162 static void test_recursive_verification_failure()
163 {
164 InnerBuilder builder = generate_circuit(&engine);
165 builder.op_queue->add_erroneous_equality_op_for_testing();
166 builder.op_queue->merge();
167 std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();
168 InnerProver prover(builder, prover_transcript);
169 auto [proof, opening_claim] = prover.construct_proof();
170
171 // Compute IPA proof
172 auto ipa_transcript = std::make_shared<Transcript>();
173 PCS::compute_opening_proof(prover.key->commitment_key, opening_claim, ipa_transcript);
174 HonkProof ipa_proof = ipa_transcript->export_proof();
175
176 auto verification_key = std::make_shared<InnerFlavor::VerificationKey>();
177
178 OuterBuilder outer_circuit;
179 auto stdlib_proof = stdlib::Proof<OuterBuilder>(outer_circuit, proof);
180
181 std::shared_ptr<StdlibTranscript> stdlib_verifier_transcript = std::make_shared<StdlibTranscript>();
182 RecursiveVerifier verifier{ stdlib_verifier_transcript, stdlib_proof };
183 [[maybe_unused]] auto output = verifier.reduce_to_ipa_opening();
184 stdlib::recursion::honk::DefaultIO<OuterBuilder>::add_default(outer_circuit);
185 info("Recursive Verifier: estimated num finalized gates = ",
186 outer_circuit.get_num_finalized_gates_inefficient());
187
188 // Check for a failure flag in the recursive verifier circuit
189 EXPECT_FALSE(CircuitChecker::check(outer_circuit));
190 }
191
192 static void test_recursive_verification_failure_tampered_proof()
193 {
194 for (size_t idx = 0; idx < 2; idx++) {
195 InnerBuilder builder = generate_circuit(&engine);
196 std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();
197 InnerProver prover(builder, prover_transcript);
198 auto [proof, opening_claim] = prover.construct_proof();
199
200 // Compute IPA proof
201 auto ipa_transcript_prover = std::make_shared<Transcript>();
202 PCS::compute_opening_proof(prover.key->commitment_key, opening_claim, ipa_transcript_prover);
203 HonkProof ipa_proof_native = ipa_transcript_prover->export_proof();
204
205 // Tamper with the proof to be verified
206 tamper_with_proof<InnerProver, InnerFlavor>(proof, static_cast<bool>(idx));
207
208 OuterBuilder outer_circuit;
209 auto stdlib_proof = stdlib::Proof<OuterBuilder>(outer_circuit, proof);
210 std::shared_ptr<StdlibTranscript> stdlib_verifier_transcript = std::make_shared<StdlibTranscript>();
211 RecursiveVerifier verifier{ stdlib_verifier_transcript, stdlib_proof };
212 auto recursive_result = verifier.reduce_to_ipa_opening();
213 stdlib::recursion::honk::DefaultIO<OuterBuilder>::add_default(outer_circuit);
214
215 if (idx == 0) {
216 // In this case, we changed the first non-zero value in the proof. It leads to a circuit check failure.
217 EXPECT_FALSE(CircuitChecker::check(outer_circuit));
218 } else {
219 // Changing the last commitment in the `proof_data` would not result in a circuit check failure at
220 // this stage.
221 EXPECT_TRUE(CircuitChecker::check(outer_circuit));
222
223 // However, IPA recursive verifier must fail, as one of the commitments is incorrect.
224 VerifierCommitmentKey<InnerFlavor::Curve> native_pcs_vk(1UL << CONST_ECCVM_LOG_N);
225 VerifierCommitmentKey<stdlib::grumpkin<OuterBuilder>> stdlib_pcs_vkey(
226 &outer_circuit, 1UL << CONST_ECCVM_LOG_N, native_pcs_vk);
227
228 // Construct ipa_transcript from proof
229 auto stdlib_ipa_proof = stdlib::Proof<OuterBuilder>(outer_circuit, ipa_proof_native);
230 std::shared_ptr<StdlibTranscript> ipa_transcript = std::make_shared<StdlibTranscript>(stdlib_ipa_proof);
231 EXPECT_FALSE(IPA<RecursiveFlavor::Curve>::full_verify_recursive(
232 stdlib_pcs_vkey, recursive_result.ipa_claim, ipa_transcript));
233 }
234 }
235 }
236
237 static void test_independent_vk_hash()
238 {
239
240 // Retrieves the trace blocks (each consisting of a specific gate) from the recursive verifier circuit
241 auto get_blocks = [](size_t inner_size)
242 -> std::tuple<OuterBuilder::ExecutionTrace, std::shared_ptr<OuterFlavor::VerificationKey>> {
243 auto inner_circuit = generate_circuit(&engine, inner_size);
244 std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();
245 InnerProver inner_prover(inner_circuit, prover_transcript);
246
247 auto [proof, opening_claim] = inner_prover.construct_proof();
248
249 // Compute IPA proof
250 auto ipa_transcript = std::make_shared<Transcript>();
251 PCS::compute_opening_proof(inner_prover.key->commitment_key, opening_claim, ipa_transcript);
252 HonkProof ipa_proof = ipa_transcript->export_proof();
253
254 // Create a recursive verification circuit for the proof of the inner circuit
255 OuterBuilder outer_circuit;
256 auto stdlib_proof = stdlib::Proof<OuterBuilder>(outer_circuit, proof);
257
258 std::shared_ptr<StdlibTranscript> stdlib_verifier_transcript = std::make_shared<StdlibTranscript>();
259 RecursiveVerifier verifier{ stdlib_verifier_transcript, stdlib_proof };
260
261 [[maybe_unused]] auto recursive_opening_claim = verifier.reduce_to_ipa_opening();
262 stdlib::recursion::honk::DefaultIO<OuterBuilder>::add_default(outer_circuit);
263
264 auto outer_proving_key = std::make_shared<OuterProverInstance>(outer_circuit);
265 auto outer_verification_key =
266 std::make_shared<OuterFlavor::VerificationKey>(outer_proving_key->get_precomputed());
267
268 return { outer_circuit.blocks, outer_verification_key };
269 };
270
271 auto [blocks_20, verification_key_20] = get_blocks(20);
272 auto [blocks_40, verification_key_40] = get_blocks(40);
273
274 compare_ultra_blocks_and_verification_keys<OuterFlavor>({ blocks_20, blocks_40 },
275 { verification_key_20, verification_key_40 });
276 };
277};
278
283
284TEST_F(ECCVMRecursiveTests, SingleRecursiveVerificationFailure)
285{
286 ECCVMRecursiveTests::test_recursive_verification_failure();
287};
288
289TEST_F(ECCVMRecursiveTests, SingleRecursiveVerificationFailureTamperedProof)
290{
291 BB_DISABLE_ASSERTS(); // Avoid on_curve assertion failure in cycle_group constructor
292 ECCVMRecursiveTests::test_recursive_verification_failure_tampered_proof();
293};
294
299} // namespace bb
BB_DISABLE_ASSERTS
#define BB_DISABLE_ASSERTS()
Definition assert.hpp:33
circuit_checker.hpp
bb::BaseTranscript
Common transcript class for both parties. Stores the data for the current round, as well as the manif...
Definition transcript.hpp:41
bb::CircuitBuilderBase::err
const std::string & err() const
Definition circuit_builder_base_impl.hpp:167
bb::ECCVMFlavor::ProvingKey
The proving key is responsible for storing the polynomials used by the prover.
Definition eccvm_flavor.hpp:776
bb::ECCVMFlavor::ECCVM_FIXED_SIZE
static constexpr size_t ECCVM_FIXED_SIZE
Definition eccvm_flavor.hpp:65
bb::ECCVMFlavor::FF
typename Curve::ScalarField FF
Definition eccvm_flavor.hpp:42
bb::ECCVMFlavor::CircuitBuilder
ECCVMCircuitBuilder CircuitBuilder
Definition eccvm_flavor.hpp:38
bb::ECCVMFlavor::Commitment
typename G1::affine_element Commitment
Definition eccvm_flavor.hpp:46
bb::ECCVMFlavor::BF
typename Curve::BaseField BF
Definition eccvm_flavor.hpp:43
bb::ECCVMFlavor::VerificationKey
FixedVKAndHash_< PrecomputedEntities< Commitment >, BF, ECCVMHardcodedVKAndHash > VerificationKey
The verification key stores commitments to the precomputed polynomials used by the verifier.
Definition eccvm_flavor.hpp:798
bb::ECCVMFlavor::Transcript
BaseTranscript< Codec, HashFunction > Transcript
Definition eccvm_flavor.hpp:52
bb::ECCVMProver::construct_proof
std::pair< Proof, OpeningClaim > construct_proof()
Definition eccvm_prover.cpp:202
bb::ECCVMProver::key
std::shared_ptr< ProvingKey > key
Definition eccvm_prover.hpp:73
bb::ECCVMRecursiveFlavor::Transcript
StdlibTranscript< CircuitBuilder > Transcript
Definition eccvm_recursive_flavor.hpp:89
bb::ECCVMRecursiveTests::generate_circuit
static InnerBuilder generate_circuit(numeric::RNG *engine=nullptr, const size_t num_iterations=1)
Adds operations in BN254 to the op_queue and then constructs and ECCVM circuit from the op_queue.
Definition eccvm_recursive_verifier.test.cpp:50
bb::ECCVMRecursiveTests::test_recursive_verification_failure_tampered_proof
static void test_recursive_verification_failure_tampered_proof()
Definition eccvm_recursive_verifier.test.cpp:192
bb::ECCVMRecursiveTests::OuterFlavor
std::conditional_t< IsMegaBuilder< OuterBuilder >, MegaFlavor, UltraFlavor > OuterFlavor
Definition eccvm_recursive_verifier.test.cpp:36
bb::ECCVMVerifier_
Unified ECCVM verifier class for both native and recursive verification.
Definition eccvm_verifier.hpp:19
bb::ECCVMVerifier_::get_transcript
std::shared_ptr< Transcript > get_transcript() const
Definition eccvm_verifier.hpp:92
bb::ECCVMVerifier_::reduce_to_ipa_opening
ReductionResult reduce_to_ipa_opening()
Reduce the ECCVM proof to an IPA opening claim.
Definition eccvm_verifier.cpp:20
bb::FixedVKAndHash_
Simple verification key class for fixed-size circuits (ECCVM, Translator).
Definition flavor.hpp:136
bb::IPA
IPA (inner product argument) commitment scheme class.
Definition ipa.hpp:92
bb::ProverInstance_
A ProverInstance is normally constructed from a finalized circuit and it contains all the information...
Definition prover_instance.hpp:33
bb::TranslatorCircuitChecker::check
static bool check(const Builder &circuit)
Check the witness satisifies the circuit.
Definition translator_circuit_checker.cpp:20
bb::UltraCircuitBuilder_
Definition ultra_circuit_builder.hpp:41
bb::UltraCircuitBuilder_::get_num_finalized_gates
size_t get_num_finalized_gates() const override
Get the number of gates in a finalized circuit.
Definition ultra_circuit_builder.hpp:366
bb::UltraCircuitBuilder_::blocks
ExecutionTrace blocks
Definition ultra_circuit_builder.hpp:199
bb::UltraCircuitBuilder_::ExecutionTrace
ExecutionTrace_ ExecutionTrace
Definition ultra_circuit_builder.hpp:43
bb::UltraCircuitBuilder_::get_num_finalized_gates_inefficient
size_t get_num_finalized_gates_inefficient(bool ensure_nonzero=true) const
Get the number of gates in the finalized version of the circuit.
Definition ultra_circuit_builder.hpp:380
bb::UltraProver_
Definition ultra_prover.hpp:20
bb::UltraProver_::construct_proof
Proof construct_proof()
Definition ultra_prover.cpp:91
bb::UltraVerifier_
Definition ultra_verifier.hpp:82
bb::UltraVerifier_::verify_proof
Output verify_proof(const Proof &proof)
Perform ultra verification.
Definition ultra_verifier.cpp:214
bb::VerifierCommitmentKey
Representation of the Grumpkin Verifier Commitment Key inside a bn254 circuit.
Definition verifier_commitment_key.hpp:16
bb::curve::Grumpkin::Element
typename Group::element Element
Definition grumpkin.hpp:62
bb::stdlib::Proof
A simple wrapper around a vector of stdlib field elements representing a proof.
Definition proof.hpp:19
bb::stdlib::recursion::honk::DefaultIO::add_default
static void add_default(Builder &builder)
Add default public inputs when they are not present.
Definition special_public_inputs.hpp:206
zip_view
Definition zip_view.hpp:166
info
#define info(...)
Definition log.hpp:93
builder
AluTraceBuilder builder
Definition alu.test.cpp:124
a
FF a
Definition field_gt.test.cpp:52
b
FF b
Definition field_gt.test.cpp:53
eccvm_prover.hpp
engine
numeric::RNG & engine
Definition eccvm_transcript.test.cpp:286
eccvm_verifier.hpp
gate_count_constants.hpp
acir_format::ECCVM_RECURSIVE_VERIFIER_GATE_COUNT
constexpr size_t ECCVM_RECURSIVE_VERIFIER_GATE_COUNT
Definition gate_count_constants.hpp:156
bb::numeric::get_debug_randomness
RNG & get_debug_randomness(bool reset, std::uint_fast64_t seed)
Definition engine.cpp:190
bb::srs::bb_crs_path
std::filesystem::path bb_crs_path()
Definition global_crs.cpp:14
bb::srs::init_file_crs_factory
void init_file_crs_factory(const std::filesystem::path &path)
Definition global_crs.hpp:14
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
bb::HonkProof
std::vector< fr > HonkProof
Definition proof.hpp:15
bb::ECCVMRecursiveVerifier
ECCVMVerifier_< ECCVMRecursiveFlavor > ECCVMRecursiveVerifier
Definition eccvm_verifier.hpp:126
bb::TEST_F
TEST_F(IPATest, ChallengesAreZero)
Definition ipa.test.cpp:142
bb::ECCVMVerifier
ECCVMVerifier_< ECCVMFlavor > ECCVMVerifier
Definition eccvm_verifier.hpp:125
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
G1
Curve::AffineElement G1
Definition pippenger.bench.cpp:29
bb::field< Bn254FrParams >::random_element
static field random_element(numeric::RNG *engine=nullptr) noexcept
Definition field_impl.hpp:677
tamper_proof.hpp
ultra_prover.hpp
ultra_verification_keys_comparator.hpp
ultra_verifier.hpp