Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
recursive_verifier.cpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: Planned, auditors: [Federico], commit: }
3// external_1: { status: not started, auditors: [], commit: }
4// external_2: { status: not started, auditors: [], commit: }
5// =====================
6
7#include "recursive_verifier.hpp"
8
9#include <algorithm>
10#include <cstddef>
11#include <memory>
12#include <numeric>
13
14#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp"
15#include "barretenberg/honk/proof_system/types/proof.hpp"
16#include "barretenberg/polynomials/polynomial.hpp"
17#include "barretenberg/polynomials/shared_shifted_virtual_zeroes_array.hpp"
18#include "barretenberg/stdlib/primitives/field/field.hpp"
19#include "barretenberg/stdlib/primitives/padding_indicator_array/padding_indicator_array.hpp"
20#include "barretenberg/transcript/transcript.hpp"
21#include "barretenberg/vm2/common/aztec_constants.hpp"
22#include "barretenberg/vm2/common/constants.hpp"
23#include "barretenberg/vm2/constraining/avm_fixed_vk.hpp"
24
25namespace bb::avm2 {
26
27AvmRecursiveVerifier::AvmRecursiveVerifier(Builder& builder, const std::shared_ptr<Transcript>& transcript)
28 : builder(builder)
29 , transcript(transcript)
30{
31 auto native_vk = std::make_shared<NativeVerificationKey>(constraining::AvmFixedVKCommitments::get_all());
32
33 key = std::make_shared<VerificationKey>(&builder, native_vk);
34 key->fix_witness();
35
36 auto native_vk_hash = native_vk->hash();
37 vk_hash = FF::from_witness(&builder, native_vk_hash);
38 vk_hash.fix_witness();
39}
40
41// Evaluate the given public input column over the multivariate challenge points
42AvmRecursiveVerifier::FF AvmRecursiveVerifier::evaluate_public_input_column(const std::vector<FF>& points,
43 const std::vector<FF>& challenges)
44{
45 auto coefficients = SharedShiftedVirtualZeroesArray<FF>{
46 .start_ = 0,
47 .end_ = points.size(),
48 .virtual_size_ = MAX_AVM_TRACE_SIZE,
49 .backing_memory_ = BackingMemory<FF>::allocate(points.size()),
50 };
51
52 memcpy(
53 static_cast<void*>(coefficients.data()), static_cast<const void*>(points.data()), sizeof(FF) * points.size());
54
55 return generic_evaluate_mle<FF>(challenges, coefficients);
56}
57
58AvmRecursiveVerifier::PairingPoints AvmRecursiveVerifier::verify_proof(
59 const HonkProof& proof, const std::vector<std::vector<fr>>& public_inputs_vec_nt)
60{
61 StdlibProof stdlib_proof(builder, proof);
62
63 std::vector<std::vector<FF>> public_inputs_ct;
64 public_inputs_ct.reserve(public_inputs_vec_nt.size());
65
66 for (const auto& vec : public_inputs_vec_nt) {
67 std::vector<FF> vec_ct;
68 vec_ct.reserve(vec.size());
69 for (const auto& el : vec) {
70 vec_ct.push_back(stdlib::witness_t<Builder>(&builder, el));
71 }
72 public_inputs_ct.push_back(vec_ct);
73 }
74
75 return verify_proof(stdlib_proof, public_inputs_ct);
76}
77
78// TODO(#991): (see https://github.com/AztecProtocol/barretenberg/issues/991)
79AvmRecursiveVerifier::PairingPoints AvmRecursiveVerifier::verify_proof(
80 const stdlib::Proof<Builder>& stdlib_proof, const std::vector<std::vector<FF>>& public_inputs)
81{
82 using Curve = typename Flavor::Curve;
83 using PCS = typename Flavor::PCS;
84 using VerifierCommitments = typename Flavor::VerifierCommitments;
85 using RelationParams = RelationParameters<typename Flavor::FF>;
86 using Shplemini = ShpleminiVerifier_<Curve, Flavor::HasZK>;
87 using ClaimBatcher = ClaimBatcher_<Curve>;
88 using ClaimBatch = ClaimBatcher::Batch;
89
90 if (public_inputs.size() != AVM_NUM_PUBLIC_INPUT_COLUMNS) {
91 throw_or_abort("AvmRecursiveVerifier::verify_proof: public inputs size mismatch");
92 }
93 for (const auto& public_input : public_inputs) {
94 if (public_input.size() != AVM_PUBLIC_INPUTS_COLUMNS_MAX_LENGTH) {
95 throw_or_abort("AvmRecursiveVerifier::verify_proof: public input size mismatch");
96 }
97 }
98
99 transcript->load_proof(stdlib_proof);
100
101 transcript->add_to_hash_buffer("avm_vk_hash", vk_hash);
102
103 info("AVM vk hash in recursive verifier: ", vk_hash.get_value());
104
105 RelationParams relation_parameters;
106 VerifierCommitments commitments{ key };
107
108 // Add public inputs to transcript for Fiat-Shamir
109 for (size_t i = 0; i < AVM_NUM_PUBLIC_INPUT_COLUMNS; i++) {
110 for (size_t j = 0; j < public_inputs[i].size(); j++) {
111 transcript->add_to_hash_buffer("public_input_" + std::to_string(i) + "_" + std::to_string(j),
112 public_inputs[i][j]);
113 }
114 }
115 // Get commitments to VM wires
116 for (auto [comm, label] : zip_view(commitments.get_wires(), commitments.get_wires_labels())) {
117 comm = transcript->template receive_from_prover<Commitment>(label);
118 }
119
120 auto [beta, gamma] = transcript->template get_challenges<FF>(std::array<std::string, 2>{ "beta", "gamma" });
121 relation_parameters.beta = beta;
122 relation_parameters.gamma = gamma;
123
124 // Get commitments to inverses
125 for (auto [label, commitment] : zip_view(commitments.get_derived_labels(), commitments.get_derived())) {
126 commitment = transcript->template receive_from_prover<Commitment>(label);
127 }
128
129 std::vector<FF> padding_indicator_array(MAX_AVM_TRACE_LOG_SIZE, FF(1));
130
131 // Multiply each linearly independent subrelation contribution by `alpha^i` for i = 0, ..., NUM_SUBRELATIONS - 1.
132 const FF alpha = transcript->template get_challenge<FF>("Sumcheck:alpha");
133
134 SumcheckVerifier<Flavor> sumcheck(transcript, alpha, MAX_AVM_TRACE_LOG_SIZE);
135
136 std::vector<FF> gate_challenges =
137 transcript->template get_dyadic_powers_of_challenge<FF>("Sumcheck:gate_challenge", MAX_AVM_TRACE_LOG_SIZE);
138
139 // No need to constrain that sumcheck_verified is true as this is guaranteed by the implementation of
140 // when called over a "circuit field" types.
141 SumcheckOutput<Flavor> output = sumcheck.verify(relation_parameters, gate_challenges, padding_indicator_array);
142 vinfo("verified sumcheck: ", (output.verified));
143
144 using C = ColumnAndShifts;
145 std::array<FF, AVM_NUM_PUBLIC_INPUT_COLUMNS> claimed_evaluations = {
146 output.claimed_evaluations.get(C::public_inputs_cols_0_),
147 output.claimed_evaluations.get(C::public_inputs_cols_1_),
148 output.claimed_evaluations.get(C::public_inputs_cols_2_),
149 output.claimed_evaluations.get(C::public_inputs_cols_3_),
150 };
151
152 // Validate public inputs match the claimed evaluations
153 for (size_t i = 0; i < AVM_NUM_PUBLIC_INPUT_COLUMNS; i++) {
154 FF public_input_evaluation = evaluate_public_input_column(public_inputs[i], output.challenge);
155 public_input_evaluation.assert_equal(claimed_evaluations[i],
156 format("public_input_evaluation failed at column ", i));
157 }
158
159 // Batch commitments and evaluations using short scalars to reduce ECCVM circuit size
160 auto unshifted_comms = commitments.get_unshifted();
161 auto unshifted_evals = output.claimed_evaluations.get_unshifted();
162 auto shifted_comms = commitments.get_to_be_shifted();
163 auto shifted_evals = output.claimed_evaluations.get_shifted();
164
165 // Generate batching challenge labels
166 // Note: We get N-1 challenges for N unshifted commitments (first commitment has implicit coefficient 1)
167 std::vector<std::string> unshifted_batching_challenge_labels;
168 unshifted_batching_challenge_labels.reserve(unshifted_comms.size() - 1);
169 for (size_t idx = 0; idx < unshifted_comms.size() - 1; idx++) {
170 unshifted_batching_challenge_labels.push_back("rho_" + std::to_string(idx));
171 }
172 std::vector<std::string> shifted_batching_challenge_labels;
173 shifted_batching_challenge_labels.reserve(shifted_comms.size());
174 for (size_t idx = 0; idx < shifted_comms.size(); idx++) {
175 shifted_batching_challenge_labels.push_back("rho_" + std::to_string(unshifted_comms.size() - 1 + idx));
176 }
177
178 // Get short (128-bit) batching challenges from transcript
179 auto unshifted_challenges = transcript->template get_challenges<FF>(unshifted_batching_challenge_labels);
180 auto shifted_challenges = transcript->template get_challenges<FF>(shifted_batching_challenge_labels);
181
182 // Batch commitments: first commitment has coefficient 1, rest are batched with challenges
183 Commitment squashed_unshifted =
184 unshifted_comms[0] +
185 Commitment::batch_mul(
186 std::vector<Commitment>(unshifted_comms.begin() + 1, unshifted_comms.end()), unshifted_challenges, 128);
187
188 Commitment squashed_shifted = Commitment::batch_mul(
189 std::vector<Commitment>(shifted_comms.begin(), shifted_comms.end()), shifted_challenges, 128);
190
191 // Batch evaluations: compute inner product with first eval as initial value for unshifted
192 FF squashed_unshifted_eval = std::inner_product(
193 unshifted_challenges.begin(), unshifted_challenges.end(), unshifted_evals.begin() + 1, unshifted_evals[0]);
194
195 FF squashed_shifted_eval =
196 std::inner_product(shifted_challenges.begin(), shifted_challenges.end(), shifted_evals.begin(), FF(0));
197
198 // Execute Shplemini rounds with squashed claims
199 ClaimBatcher squashed_claim_batcher{ .unshifted = ClaimBatch{ .commitments = RefVector(squashed_unshifted),
200 .evaluations = RefVector(squashed_unshifted_eval) },
201 .shifted = ClaimBatch{ .commitments = RefVector(squashed_shifted),
202 .evaluations = RefVector(squashed_shifted_eval) } };
203 auto opening_claim =
204 Shplemini::compute_batch_opening_claim(
205 padding_indicator_array, squashed_claim_batcher, output.challenge, Commitment::one(&builder), transcript)
206 .batch_opening_claim;
207
208 PairingPoints pairing_points(PCS::reduce_verify_batch_opening_claim(std::move(opening_claim), transcript));
209
210 if (builder.failed()) {
211 info("AVM Recursive verifier builder failed with error: ", builder.err());
212 }
213
214 is_verification_complete = true;
215
216 return pairing_points;
217}
218
219AvmRecursiveVerifier::FF AvmRecursiveVerifier::hash_avm_transcript(const stdlib::Proof<Builder>& stdlib_proof)
220{
221 BB_ASSERT(is_verification_complete, "Transcript can only be hashed after verification is complete");
222 return Transcript::hash_avm_transcript(transcript, stdlib_proof);
223};
224
225} // namespace bb::avm2
BB_ASSERT
#define BB_ASSERT(expression,...)
Definition assert.hpp:70
avm_fixed_vk.hpp
aztec_constants.hpp
AVM_NUM_PUBLIC_INPUT_COLUMNS
#define AVM_NUM_PUBLIC_INPUT_COLUMNS
Definition aztec_constants.hpp:176
AVM_PUBLIC_INPUTS_COLUMNS_MAX_LENGTH
#define AVM_PUBLIC_INPUTS_COLUMNS_MAX_LENGTH
Definition aztec_constants.hpp:175
bb::IPA
IPA (inner product argument) commitment scheme class.
Definition ipa.hpp:92
bb::ShpleminiVerifier_
Definition shplemini.hpp:175
bb::avm2::AvmRecursiveFlavor::TemplatedTranscript::hash_avm_transcript
static stdlib::field_t< Builder > hash_avm_transcript(Builder &builder, const stdlib::Proof< Builder > &stdlib_proof, const std::vector< std::vector< stdlib::field_t< Builder > > > &public_inputs)
Construct a transcript replicating the operations performed on the AVM transcript during proof verifi...
Definition recursive_flavor.hpp:266
bb::avm2::AvmRecursiveFlavor::VerifierCommitments
NativeFlavor::VerifierCommitments_< Commitment, VerificationKey > VerifierCommitments
Definition recursive_flavor.hpp:305
bb::avm2::AvmRecursiveFlavor::Curve
AvmRecursiveFlavorSettings::Curve Curve
Definition recursive_flavor.hpp:23
bb::avm2::AvmRecursiveFlavor::PCS
AvmRecursiveFlavorSettings::PCS PCS
Definition recursive_flavor.hpp:24
bb::avm2::AvmRecursiveVerifier::AvmRecursiveVerifier
AvmRecursiveVerifier(Builder &builder, const std::shared_ptr< Transcript > &transcript=std::make_shared< Transcript >())
Definition recursive_verifier.cpp:27
bb::avm2::AvmRecursiveVerifier::transcript
std::shared_ptr< Transcript > transcript
Definition recursive_verifier.hpp:52
bb::avm2::AvmRecursiveVerifier::VerifierCommitments
typename Flavor::VerifierCommitments VerifierCommitments
Definition recursive_verifier.hpp:28
bb::avm2::AvmRecursiveVerifier::hash_avm_transcript
FF hash_avm_transcript(const StdlibProof &stdlib_proof)
Hash the transcript after verification is complete to produce a hash of the public inputs and proofs ...
Definition recursive_verifier.cpp:219
bb::avm2::AvmRecursiveVerifier::key
std::shared_ptr< VerificationKey > key
Definition recursive_verifier.hpp:50
bb::avm2::AvmRecursiveVerifier::PairingPoints
stdlib::recursion::PairingPoints< Curve > PairingPoints
Definition recursive_verifier.hpp:29
bb::avm2::AvmRecursiveVerifier::evaluate_public_input_column
FF evaluate_public_input_column(const std::vector< FF > &points, const std::vector< FF > &challenges)
Definition recursive_verifier.cpp:42
bb::avm2::AvmRecursiveVerifier::verify_proof
PairingPoints verify_proof(const HonkProof &proof, const std::vector< std::vector< fr > > &public_inputs_vec_nt)
Definition recursive_verifier.cpp:58
bb::avm2::AvmRecursiveVerifier::Builder
typename Flavor::CircuitBuilder Builder
Definition recursive_verifier.hpp:25
bb::avm2::AvmRecursiveVerifier::Commitment
typename Flavor::Commitment Commitment
Definition recursive_verifier.hpp:21
bb::avm2::constraining::AvmFixedVKCommitments::get_all
static constexpr std::array< Commitment, VerificationKey::NUM_PRECOMPUTED_COMMITMENTS > get_all()
Definition avm_fixed_vk.hpp:18
bb::stdlib::Proof
A simple wrapper around a vector of stdlib field elements representing a proof.
Definition proof.hpp:19
bb::stdlib::witness_t
Definition witness.hpp:16
zip_view
Definition zip_view.hpp:166
format
std::string format(Args... args)
Definition log.hpp:23
info
#define info(...)
Definition log.hpp:93
vinfo
#define vinfo(...)
Definition log.hpp:94
builder
AluTraceBuilder builder
Definition alu.test.cpp:124
proof.hpp
bb::avm2::MAX_AVM_TRACE_SIZE
constexpr std::size_t MAX_AVM_TRACE_SIZE
Definition constants.hpp:13
bb::avm2::MAX_AVM_TRACE_LOG_SIZE
constexpr std::size_t MAX_AVM_TRACE_LOG_SIZE
Definition constants.hpp:12
bb::avm2::ColumnAndShifts
ColumnAndShifts
Definition columns.hpp:34
bb::HonkProof
std::vector< fr > HonkProof
Definition proof.hpp:15
bb::RefVector
RefVector(T &, Ts &...) -> RefVector< T >
Deduction guide for the RefVector class. Allows for RefVector {a, b, c} without explicit template par...
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
std::to_string
std::string to_string(bb::avm2::ValueTag tag)
Definition tagged_value.cpp:402
padding_indicator_array.hpp
For a small integer N = virtual_log_n and a given witness x = log_n, compute in-circuit an indicator_...
recursive_verifier.hpp
shared_shifted_virtual_zeroes_array.hpp
BackingMemory::allocate
static BackingMemory allocate(size_t size)
Definition backing_memory.hpp:92
SharedShiftedVirtualZeroesArray
A shared pointer array template that represents a virtual array filled with zeros up to virtual_size_...
Definition shared_shifted_virtual_zeroes_array.hpp:29
SharedShiftedVirtualZeroesArray::start_
size_t start_
The starting index of the memory-backed range.
Definition shared_shifted_virtual_zeroes_array.hpp:110
bb::ClaimBatcher_
Logic to support batching opening claims for unshifted, shifted and interleaved polynomials in Shplem...
Definition claim_batcher.hpp:28
bb::RelationParameters
Container for parameters used by the grand product (permutation, lookup) Honk relations.
Definition relation_parameters.hpp:19
bb::stdlib::recursion::PairingPoints
An object storing two EC points that represent the inputs to a pairing check.
Definition pairing_points.hpp:36
throw_or_abort
void throw_or_abort(std::string const &err)
Definition throw_or_abort.hpp:6