Merge remote-tracking branch 'origin/master' into cg/browser-civc

.github/workflows/ci.yml

@@ -120,7 +120,7 @@ jobs:
     if: github.event.pull_request.draft == false
     uses: ./.github/workflows/setup-runner.yml
     with:
-      username: ${{ needs.configure.outputs.username }}-x86
+      username: ${{ needs.configure.outputs.username }}
       runner_type: builder-x86
     secrets: inherit
 

barretenberg/.gitrepo

@@ -6,7 +6,7 @@
 [subrepo]
 remote = https://github.com/AztecProtocol/barretenberg
 	branch = master
-	commit = e049abf9a38687c894e99e170baa0c7dd79150df
-	parent = c95e5fd5606b7f14b1e2e43ecc770d5f22d294a0
+	commit = 0276e5b93d1226d5e71bd39683ae74c966f395c3
+	parent = ddba505bf4f875d2370a4555064aec6b09783818
 	method = merge
 	cmdver = 0.4.6

barretenberg/cpp/pil/avm/constants_gen.pil

@@ -2,7 +2,7 @@
 namespace constants(256);
     pol MAX_NOTE_HASHES_PER_CALL = 16;
     pol MAX_NULLIFIERS_PER_CALL = 16;
-    pol MAX_PUBLIC_CALL_STACK_LENGTH_PER_CALL = 16;
+    pol MAX_ENQUEUED_CALLS_PER_CALL = 16;
     pol MAX_L2_TO_L1_MSGS_PER_CALL = 2;
     pol MAX_PUBLIC_DATA_UPDATE_REQUESTS_PER_CALL = 64;
     pol MAX_PUBLIC_DATA_READS_PER_CALL = 64;

barretenberg/cpp/src/barretenberg/bb/main.cpp

@@ -588,7 +588,7 @@ void prove_tube(const std::string& output_path)
     // TODO(https://github.com/AztecProtocol/barretenberg/issues/1048): INSECURE - make this tube proof actually use
     // these public inputs by turning proof into witnesses and calling set_public on each witness
     auto num_public_inputs = static_cast<uint32_t>(static_cast<uint256_t>(proof.mega_proof[1]));
-    num_public_inputs -= bb::AGGREGATION_OBJECT_SIZE; // don't add the agg object
+    num_public_inputs -= bb::PAIRING_POINT_ACCUMULATOR_SIZE; // don't add the agg object
 
     for (size_t i = 0; i < num_public_inputs; i++) {
         auto offset = bb::HONK_PROOF_PUBLIC_INPUT_OFFSET;
@@ -598,12 +598,12 @@ void prove_tube(const std::string& output_path)
 
     verifier.verify(proof);
 
-    AggregationObjectIndices current_aggregation_object =
+    PairingPointAccumulatorIndices current_aggregation_object =
         stdlib::recursion::init_default_agg_obj_indices<Builder>(*builder);
 
     // TODO(https://github.com/AztecProtocol/barretenberg/issues/1069): Add aggregation to goblin recursive verifiers.
     // This is currently just setting the aggregation object to the default one.
-    builder->add_recursive_proof(current_aggregation_object);
+    builder->add_pairing_point_accumulator(current_aggregation_object);
 
     using Prover = UltraProver_<UltraFlavor>;
     using Verifier = UltraVerifier_<UltraFlavor>;

barretenberg/cpp/src/barretenberg/benchmark/ultra_bench/mega_zk_honk.bench.cpp

@@ -0,0 +1,51 @@
+#include <benchmark/benchmark.h>
+
+#include "barretenberg/benchmark/ultra_bench/mock_circuits.hpp"
+#include "barretenberg/stdlib_circuit_builders/mega_circuit_builder.hpp"
+
+using namespace benchmark;
+using namespace bb;
+
+/**
+ * @brief Benchmark: Construction of a Ultra Honk proof for a circuit determined by the provided circuit function
+ */
+static void construct_proof_megahonk_zk(State& state,
+                                        void (*test_circuit_function)(MegaCircuitBuilder&, size_t)) noexcept
+{
+    size_t num_iterations = 10; // 10x the circuit
+    bb::mock_circuits::construct_proof_with_specified_num_iterations<MegaZKProver>(
+        state, test_circuit_function, num_iterations);
+}
+
+/**
+ * @brief Benchmark: Construction of a Ultra Plonk proof with 2**n gates
+ */
+static void construct_proof_megahonk_power_of_2_zk(State& state) noexcept
+{
+    auto log2_of_gates = static_cast<size_t>(state.range(0));
+    bb::mock_circuits::construct_proof_with_specified_num_iterations<MegaZKProver>(
+        state, &bb::mock_circuits::generate_basic_arithmetic_circuit<MegaCircuitBuilder>, log2_of_gates);
+}
+
+// Define benchmarks
+
+// This exists due to an issue where get_row was blowing up in time
+BENCHMARK_CAPTURE(construct_proof_megahonk_zk, sha256, &stdlib::generate_sha256_test_circuit<MegaCircuitBuilder>)
+    ->Unit(kMillisecond);
+BENCHMARK_CAPTURE(construct_proof_megahonk_zk, keccak, &stdlib::generate_keccak_test_circuit<MegaCircuitBuilder>)
+    ->Unit(kMillisecond);
+BENCHMARK_CAPTURE(construct_proof_megahonk_zk,
+                  ecdsa_verification,
+                  &stdlib::generate_ecdsa_verification_test_circuit<MegaCircuitBuilder>)
+    ->Unit(kMillisecond);
+BENCHMARK_CAPTURE(construct_proof_megahonk_zk,
+                  merkle_membership,
+                  &stdlib::generate_merkle_membership_test_circuit<MegaCircuitBuilder>)
+    ->Unit(kMillisecond);
+
+BENCHMARK(construct_proof_megahonk_power_of_2_zk)
+    // 2**15 gates to 2**20 gates
+    ->DenseRange(15, 20)
+    ->Unit(kMillisecond);
+
+BENCHMARK_MAIN();

barretenberg/cpp/src/barretenberg/client_ivc/client_ivc.cpp

@@ -168,7 +168,7 @@ void ClientIVC::accumulate(ClientCircuit& circuit, const std::shared_ptr<Verific
 
     // TODO(https://github.com/AztecProtocol/barretenberg/issues/1069): Do proper aggregation with merge recursive
     // verifier.
-    circuit.add_recursive_proof(stdlib::recursion::init_default_agg_obj_indices<ClientCircuit>(circuit));
+    circuit.add_pairing_point_accumulator(stdlib::recursion::init_default_agg_obj_indices<ClientCircuit>(circuit));
 
     // Construct the proving key for circuit
     std::shared_ptr<DeciderProvingKey> proving_key;
@@ -244,7 +244,7 @@ HonkProof ClientIVC::construct_and_prove_hiding_circuit()
     // TODO(https://github.com/AztecProtocol/barretenberg/issues/1048): link these properly, likely insecure
     auto num_public_inputs = static_cast<uint32_t>(static_cast<uint256_t>(fold_proof[PUBLIC_INPUTS_SIZE_INDEX]));
     vinfo("num_public_inputs of the last folding proof BEFORE SUBTRACTION", num_public_inputs);
-    num_public_inputs -= bb::AGGREGATION_OBJECT_SIZE;             // exclude aggregation object
+    num_public_inputs -= bb::PAIRING_POINT_ACCUMULATOR_SIZE;      // exclude aggregation object
     num_public_inputs -= bb::PROPAGATED_DATABUS_COMMITMENTS_SIZE; // exclude propagated databus commitments
     vinfo("num_public_inputs of the last folding proof ", num_public_inputs);
     for (size_t i = 0; i < num_public_inputs; i++) {
@@ -272,7 +272,7 @@ HonkProof ClientIVC::construct_and_prove_hiding_circuit()
     DeciderRecursiveVerifier decider{ &builder, recursive_verifier_accumulator };
     decider.verify_proof(decider_proof);
 
-    builder.add_recursive_proof(stdlib::recursion::init_default_agg_obj_indices<ClientCircuit>(builder));
+    builder.add_pairing_point_accumulator(stdlib::recursion::init_default_agg_obj_indices<ClientCircuit>(builder));
 
     // Construct the last merge proof for the present circuit and add to merge verification queue
     MergeProof merge_proof = goblin.prove_merge(builder);

barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp

@@ -318,6 +318,8 @@ TYPED_TEST(KZGTest, ShpleminiKzgWithShiftAndConcatenation)
                                                        mle_opening_point,
                                                        this->vk()->get_g1_identity(),
                                                        verifier_transcript,
+                                                       /* libra commitments = */ {},
+                                                       /* libra evaluations = */ {},
                                                        to_vector_of_ref_vectors(concatenation_groups_commitments),
                                                        RefVector(c_evaluations));
     const auto pairing_points = KZG::reduce_verify_batch_opening_claim(batch_opening_claim, verifier_transcript);

barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp

@@ -27,10 +27,10 @@ template <typename Curve> class ShpleminiProver_ {
                               std::span<FF> multilinear_challenge,
                               const std::shared_ptr<CommitmentKey<Curve>>& commitment_key,
                               const std::shared_ptr<Transcript>& transcript,
-                              RefSpan<Polynomial> concatenated_polynomials = {},
-                              const std::vector<RefVector<Polynomial>>& groups_to_be_concatenated = {},
                               const std::vector<bb::Univariate<FF, LENGTH>>& libra_univariates = {},
-                              const std::vector<FF>& libra_evaluations = {})
+                              const std::vector<FF>& libra_evaluations = {},
+                              RefSpan<Polynomial> concatenated_polynomials = {},
+                              const std::vector<RefVector<Polynomial>>& groups_to_be_concatenated = {})
     {
         std::vector<OpeningClaim> opening_claims = GeminiProver::prove(circuit_size,
                                                                        f_polynomials,
@@ -129,10 +129,10 @@ template <typename Curve> class ShpleminiVerifier_ {
         const std::vector<Fr>& multivariate_challenge,
         const Commitment& g1_identity,
         const std::shared_ptr<Transcript>& transcript,
-        const std::vector<RefVector<Commitment>>& concatenation_group_commitments = {},
-        RefSpan<Fr> concatenated_evaluations = {},
         RefSpan<Commitment> libra_univariate_commitments = {},
-        const std::vector<Fr>& libra_univariate_evaluations = {})
+        const std::vector<Fr>& libra_univariate_evaluations = {},
+        const std::vector<RefVector<Commitment>>& concatenation_group_commitments = {},
+        RefSpan<Fr> concatenated_evaluations = {})
 
     {
 

barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp

@@ -302,8 +302,6 @@ TYPED_TEST(ShpleminiTest, ShpleminiWithMaskingLibraUnivariates)
                                                 mle_opening_point,
                                                 this->ck(),
                                                 prover_transcript,
-                                                /* concatenated_polynomials = */ {},
-                                                /* groups_to_be_concatenated = */ {},
                                                 libra_univariates,
                                                 libra_evaluations);
     if constexpr (std::is_same_v<TypeParam, curve::Grumpkin>) {
@@ -318,19 +316,16 @@ TYPED_TEST(ShpleminiTest, ShpleminiWithMaskingLibraUnivariates)
 
     // Gemini verifier output:
     // - claim: d+1 commitments to Fold_{r}^(0), Fold_{-r}^(0), Fold^(l), d+1 evaluations a_0_pos, a_l, l = 0:d-1
-    auto batch_opening_claim =
-        ShpleminiVerifier::compute_batch_opening_claim(n,
-                                                       RefVector(unshifted_commitments),
-                                                       RefVector(shifted_commitments),
-                                                       RefArray{ eval1, eval2, eval3, eval4 },
-                                                       RefArray{ eval2_shift, eval3_shift },
-                                                       mle_opening_point,
-                                                       this->vk()->get_g1_identity(),
-                                                       verifier_transcript,
-                                                       /* concatenation_group_commitments = */ {},
-                                                       /* concatenated_evaluations = */ {},
-                                                       RefVector(libra_commitments),
-                                                       libra_evaluations);
+    auto batch_opening_claim = ShpleminiVerifier::compute_batch_opening_claim(n,
+                                                                              RefVector(unshifted_commitments),
+                                                                              RefVector(shifted_commitments),
+                                                                              RefArray{ eval1, eval2, eval3, eval4 },
+                                                                              RefArray{ eval2_shift, eval3_shift },
+                                                                              mle_opening_point,
+                                                                              this->vk()->get_g1_identity(),
+                                                                              verifier_transcript,
+                                                                              RefVector(libra_commitments),
+                                                                              libra_evaluations);
 
     if constexpr (std::is_same_v<TypeParam, curve::Grumpkin>) {
         auto result = IPA::reduce_verify_batch_opening_claim(batch_opening_claim, this->vk(), verifier_transcript);

barretenberg/cpp/src/barretenberg/dsl/acir_format/acir_format.cpp

@@ -239,7 +239,7 @@ void build_constraints(Builder& builder,
         }
     } else {
         process_plonk_recursion_constraints(builder, constraint_system, has_valid_witness_assignments, gate_counter);
-        AggregationObjectIndices current_aggregation_object =
+        PairingPointAccumulatorIndices current_aggregation_object =
             stdlib::recursion::init_default_agg_obj_indices<Builder>(builder);
         current_aggregation_object = process_honk_recursion_constraints(
             builder, constraint_system, has_valid_witness_assignments, gate_counter, current_aggregation_object);
@@ -253,11 +253,11 @@ void build_constraints(Builder& builder,
         if (!constraint_system.honk_recursion_constraints.empty() ||
             !constraint_system.avm_recursion_constraints.empty()) {
             ASSERT(honk_recursion);
-            builder.add_recursive_proof(current_aggregation_object);
+            builder.add_pairing_point_accumulator(current_aggregation_object);
         } else if (honk_recursion && builder.is_recursive_circuit) {
             // Make sure the verification key records the public input indices of the
             // final recursion output.
-            builder.add_recursive_proof(current_aggregation_object);
+            builder.add_pairing_point_accumulator(current_aggregation_object);
         }
     }
 }
@@ -275,8 +275,12 @@ void process_plonk_recursion_constraints(Builder& builder,
     // TODO(maxim): input_aggregation_object to be non-zero.
     // TODO(maxim): if not, we can add input_aggregation_object to the proof too for all recursive proofs
     // TODO(maxim): This might be the case for proof trees where the proofs are created on different machines
-    AggregationObjectIndices current_input_aggregation_object = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
-    AggregationObjectIndices current_output_aggregation_object = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
+    PairingPointAccumulatorIndices current_input_aggregation_object = {
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+    };
+    PairingPointAccumulatorIndices current_output_aggregation_object = {
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+    };
 
     // Get the size of proof with no public inputs prepended to it
     // This is used while processing recursion constraints to determine whether
@@ -294,21 +298,21 @@ void process_plonk_recursion_constraints(Builder& builder,
         // they want these constants set by keeping the nested aggregation object attached to
         // the proof as public inputs. As this is the only object that can prepended to the
         // proof if the proof is above the expected size (with public inputs stripped)
-        AggregationObjectPubInputIndices nested_aggregation_object = {};
+        PairingPointAccumPubInputIndices nested_aggregation_object = {};
         // If the proof has public inputs attached to it, we should handle setting the nested
         // aggregation object
         if (constraint.proof.size() > proof_size_no_pub_inputs) {
             // The public inputs attached to a proof should match the aggregation object in size
-            if (constraint.proof.size() - proof_size_no_pub_inputs != bb::AGGREGATION_OBJECT_SIZE) {
+            if (constraint.proof.size() - proof_size_no_pub_inputs != bb::PAIRING_POINT_ACCUMULATOR_SIZE) {
                 auto error_string = format("Public inputs are always stripped from proofs "
                                            "unless we have a recursive proof.\n"
                                            "Thus, public inputs attached to a proof must match "
                                            "the recursive aggregation object in size "
                                            "which is ",
-                                           bb::AGGREGATION_OBJECT_SIZE);
+                                           bb::PAIRING_POINT_ACCUMULATOR_SIZE);
                 throw_or_abort(error_string);
             }
-            for (size_t i = 0; i < bb::AGGREGATION_OBJECT_SIZE; ++i) {
+            for (size_t i = 0; i < bb::PAIRING_POINT_ACCUMULATOR_SIZE; ++i) {
                 // Set the nested aggregation object indices to the current size of the public
                 // inputs This way we know that the nested aggregation object indices will
                 // always be the last indices of the public inputs
@@ -320,7 +324,8 @@ void process_plonk_recursion_constraints(Builder& builder,
             // Remove the aggregation object so that they can be handled as normal public inputs
             // in the way that the recursion constraint expects
             constraint.proof.erase(constraint.proof.begin(),
-                                   constraint.proof.begin() + static_cast<std::ptrdiff_t>(bb::AGGREGATION_OBJECT_SIZE));
+                                   constraint.proof.begin() +
+                                       static_cast<std::ptrdiff_t>(bb::PAIRING_POINT_ACCUMULATOR_SIZE));
         }
 
         current_output_aggregation_object = create_recursion_constraints(builder,
@@ -346,15 +351,16 @@ void process_plonk_recursion_constraints(Builder& builder,
 
         // Make sure the verification key records the public input indices of the
         // final recursion output.
-        builder.set_recursive_proof(current_output_aggregation_object);
+        builder.set_pairing_point_accumulator(current_output_aggregation_object);
     }
 }
 
-AggregationObjectIndices process_honk_recursion_constraints(Builder& builder,
-                                                            AcirFormat& constraint_system,
-                                                            bool has_valid_witness_assignments,
-                                                            GateCounter<Builder>& gate_counter,
-                                                            AggregationObjectIndices current_aggregation_object)
+PairingPointAccumulatorIndices process_honk_recursion_constraints(
+    Builder& builder,
+    AcirFormat& constraint_system,
+    bool has_valid_witness_assignments,
+    GateCounter<Builder>& gate_counter,
+    PairingPointAccumulatorIndices current_aggregation_object)
 {
     // Add recursion constraints
     size_t idx = 0;
@@ -369,11 +375,12 @@ AggregationObjectIndices process_honk_recursion_constraints(Builder& builder,
 }
 
 #ifndef DISABLE_AZTEC_VM
-AggregationObjectIndices process_avm_recursion_constraints(Builder& builder,
-                                                           AcirFormat& constraint_system,
-                                                           bool has_valid_witness_assignments,
-                                                           GateCounter<Builder>& gate_counter,
-                                                           AggregationObjectIndices current_aggregation_object)
+PairingPointAccumulatorIndices process_avm_recursion_constraints(
+    Builder& builder,
+    AcirFormat& constraint_system,
+    bool has_valid_witness_assignments,
+    GateCounter<Builder>& gate_counter,
+    PairingPointAccumulatorIndices current_aggregation_object)
 {
     // Add recursion constraints
     size_t idx = 0;