Skip to content

Commit

Permalink
Merge branch 'master' into tf/cross-block-deduplication
Browse files Browse the repository at this point in the history
  • Loading branch information
TomAFrench authored Nov 21, 2024
2 parents 1265f54 + 570f70a commit 1548c9e
Show file tree
Hide file tree
Showing 197 changed files with 4,577 additions and 2,075 deletions.
2 changes: 1 addition & 1 deletion .noir-sync-commit
Original file line number Diff line number Diff line change
@@ -1 +1 @@
13856a121125b1ccca15919942081a5d157d280e
68c32b4ffd9b069fe4b119327dbf4018c17ab9d4
4 changes: 2 additions & 2 deletions barretenberg/.gitrepo
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
[subrepo]
remote = https://github.com/AztecProtocol/barretenberg
branch = master
commit = 9c8cb12a6deec4e427c013cf719b9f714f57ccab
parent = 85c8a3b29c861e61274cc0e33d47ca4aa89c144d
commit = ab3ba56bb526145969e5a615e1a9c17b566c8310
parent = ec34442fa3e8df0f8f1ef1e4c88df3f1895fc2dd
method = merge
cmdver = 0.4.6
29 changes: 22 additions & 7 deletions barretenberg/cpp/src/barretenberg/bb/main.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -590,7 +590,7 @@ void prove_tube(const std::string& output_path)
}
ClientIVC verifier{ builder, input };

verifier.verify(proof);
ClientIVC::Output client_ivc_rec_verifier_output = verifier.verify(proof);

PairingPointAccumulatorIndices current_aggregation_object =
stdlib::recursion::init_default_agg_obj_indices<Builder>(*builder);
Expand All @@ -599,6 +599,12 @@ void prove_tube(const std::string& output_path)
// This is currently just setting the aggregation object to the default one.
builder->add_pairing_point_accumulator(current_aggregation_object);

// The tube only calls an IPA recursive verifier once, so we can just add this IPA claim and proof
// TODO(https://github.com/AztecProtocol/barretenberg/issues/1154): We shouldn't add these to the public inputs for
// now since we don't handle them correctly. Uncomment when we start using UltraRollupHonk in the rollup.
// builder->add_ipa_claim(client_ivc_rec_verifier_output.opening_claim.get_witness_indices());
// builder->ipa_proof = convert_stdlib_proof_to_native(client_ivc_rec_verifier_output.ipa_transcript->proof_data);

using Prover = UltraProver_<UltraFlavor>;
using Verifier = UltraVerifier_<UltraFlavor>;
Prover tube_prover{ *builder };
Expand All @@ -622,8 +628,9 @@ void prove_tube(const std::string& output_path)
write_file(tubeAsFieldsVkPath, { data.begin(), data.end() });

info("Native verification of the tube_proof");
Verifier tube_verifier(tube_verification_key);
bool verified = tube_verifier.verify_proof(tube_proof);
auto ipa_verification_key = std::make_shared<VerifierCommitmentKey<curve::Grumpkin>>(1 << CONST_ECCVM_LOG_N);
Verifier tube_verifier(tube_verification_key, ipa_verification_key);
bool verified = tube_verifier.verify_proof(tube_proof, builder->ipa_proof);
info("Tube proof verification: ", verified);
}

Expand Down Expand Up @@ -1066,7 +1073,7 @@ UltraProver_<Flavor> compute_valid_prover(const std::string& bytecodePath,
using Prover = UltraProver_<Flavor>;

bool honk_recursion = false;
if constexpr (IsAnyOf<Flavor, UltraFlavor, UltraKeccakFlavor>) {
if constexpr (IsAnyOf<Flavor, UltraFlavor, UltraKeccakFlavor, UltraRollupFlavor>) {
honk_recursion = true;
}
auto constraint_system = get_constraint_system(bytecodePath, honk_recursion);
Expand Down Expand Up @@ -1132,14 +1139,22 @@ template <IsUltraFlavor Flavor> bool verify_honk(const std::string& proof_path,
{
using VerificationKey = Flavor::VerificationKey;
using Verifier = UltraVerifier_<Flavor>;
using VerifierCommitmentKey = bb::VerifierCommitmentKey<curve::BN254>;

auto g2_data = get_bn254_g2_data(CRS_PATH);
srs::init_crs_factory({}, g2_data);
auto proof = from_buffer<std::vector<bb::fr>>(read_file(proof_path));
auto vk = std::make_shared<VerificationKey>(from_buffer<VerificationKey>(read_file(vk_path)));
vk->pcs_verification_key = std::make_shared<VerifierCommitmentKey>();
Verifier verifier{ vk };
vk->pcs_verification_key = std::make_shared<VerifierCommitmentKey<curve::BN254>>();

// TODO(https://github.com/AztecProtocol/barretenberg/issues/1154): Remove this and pass in the IPA proof to the
// verifier.
std::shared_ptr<VerifierCommitmentKey<curve::Grumpkin>> ipa_verification_key = nullptr;
if constexpr (HasIPAAccumulatorFlavor<Flavor>) {
init_grumpkin_crs(1 << 16);
vk->contains_ipa_claim = false;
ipa_verification_key = std::make_shared<VerifierCommitmentKey<curve::Grumpkin>>(1 << CONST_ECCVM_LOG_N);
}
Verifier verifier{ vk, ipa_verification_key };

bool verified = verifier.verify_proof(proof);

Expand Down
24 changes: 17 additions & 7 deletions barretenberg/cpp/src/barretenberg/client_ivc/client_ivc.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ void ClientIVC::instantiate_stdlib_verification_queue(
size_t key_idx = 0;
for (auto& [proof, vkey, type] : verification_queue) {
// Construct stdlib proof directly from the internal native queue data
auto stdlib_proof = bb::convert_proof_to_witness(&circuit, proof);
auto stdlib_proof = bb::convert_native_proof_to_stdlib(&circuit, proof);

// Use the provided stdlib vkey if present, otherwise construct one from the internal native queue
auto stdlib_vkey =
Expand Down Expand Up @@ -176,10 +176,11 @@ void ClientIVC::accumulate(ClientCircuit& circuit, const std::shared_ptr<Verific
proving_key = std::make_shared<DeciderProvingKey>(circuit, trace_settings);
trace_usage_tracker = ExecutionTraceUsageTracker(trace_settings);
} else {
proving_key = std::make_shared<DeciderProvingKey>(
circuit, trace_settings, fold_output.accumulator->proving_key.commitment_key);
proving_key = std::make_shared<DeciderProvingKey>(circuit, trace_settings);
}

proving_key->proving_key.commitment_key = bn254_commitment_key;

vinfo("getting honk vk... precomputed?: ", precomputed_vk);
// Update the accumulator trace usage based on the present circuit
trace_usage_tracker.update(circuit);
Expand Down Expand Up @@ -261,7 +262,7 @@ HonkProof ClientIVC::construct_and_prove_hiding_circuit()
auto stdlib_decider_vk =
std::make_shared<RecursiveVerificationKey>(&builder, verification_queue[0].honk_verification_key);

auto stdlib_proof = bb::convert_proof_to_witness(&builder, fold_proof);
auto stdlib_proof = bb::convert_native_proof_to_stdlib(&builder, fold_proof);

// Perform recursive folding verification of the last folding proof
FoldingRecursiveVerifier folding_verifier{ &builder, stdlib_verifier_accumulator, { stdlib_decider_vk } };
Expand All @@ -278,7 +279,7 @@ HonkProof ClientIVC::construct_and_prove_hiding_circuit()
MergeProof merge_proof = goblin.prove_merge(builder);
merge_verification_queue.emplace_back(merge_proof);

auto decider_pk = std::make_shared<DeciderProvingKey>(builder);
auto decider_pk = std::make_shared<DeciderProvingKey>(builder, TraceSettings(), bn254_commitment_key);
honk_vk = std::make_shared<VerificationKey>(decider_pk->proving_key);
MegaProver prover(decider_pk);

Expand Down Expand Up @@ -338,6 +339,7 @@ bool ClientIVC::verify(const Proof& proof)
HonkProof ClientIVC::decider_prove() const
{
vinfo("prove decider...");
fold_output.accumulator->proving_key.commitment_key = bn254_commitment_key;
MegaDeciderProver decider_prover(fold_output.accumulator);
return decider_prover.construct_proof();
vinfo("finished decider proving.");
Expand All @@ -352,11 +354,19 @@ HonkProof ClientIVC::decider_prove() const
bool ClientIVC::prove_and_verify()
{
auto start = std::chrono::steady_clock::now();
auto proof = prove();
const auto proof = prove();
auto end = std::chrono::steady_clock::now();
auto diff = std::chrono::duration_cast<std::chrono::milliseconds>(end - start);
vinfo("time to call ClientIVC::prove: ", diff.count(), " ms.");
return verify(proof);

start = end;
const bool verified = verify(proof);
end = std::chrono::steady_clock::now();

diff = std::chrono::duration_cast<std::chrono::milliseconds>(end - start);
vinfo("time to verify ClientIVC proof: ", diff.count(), " ms.");

return verified;
}

/**
Expand Down
10 changes: 8 additions & 2 deletions barretenberg/cpp/src/barretenberg/client_ivc/client_ivc.hpp
Original file line number Diff line number Diff line change
Expand Up @@ -98,8 +98,6 @@ class ClientIVC {
using ProverFoldOutput = FoldingResult<Flavor>;

public:
GoblinProver goblin;

ProverFoldOutput fold_output; // prover accumulator and fold proof

std::shared_ptr<DeciderVerificationKey> verifier_accumulator; // verifier accumulator
Expand All @@ -122,11 +120,19 @@ class ClientIVC {
// Setting auto_verify_mode = true will cause kernel completion logic to be added to kernels automatically
bool auto_verify_mode;

std::shared_ptr<typename MegaFlavor::CommitmentKey> bn254_commitment_key;

GoblinProver goblin;

bool initialized = false; // Is the IVC accumulator initialized

ClientIVC(TraceSettings trace_settings = {}, bool auto_verify_mode = false)
: trace_settings(trace_settings)
, auto_verify_mode(auto_verify_mode)
, bn254_commitment_key(trace_settings.structure.has_value()
? std::make_shared<CommitmentKey<curve::BN254>>(trace_settings.dyadic_size())
: nullptr)
, goblin(bn254_commitment_key)
{}

void instantiate_stdlib_verification_queue(
Expand Down
28 changes: 28 additions & 0 deletions barretenberg/cpp/src/barretenberg/commitment_schemes/claim.hpp
Original file line number Diff line number Diff line change
@@ -1,7 +1,9 @@
#pragma once

#include "barretenberg/commitment_schemes/commitment_key.hpp"
#include "barretenberg/plonk_honk_shared/types/aggregation_object_type.hpp"
#include "barretenberg/polynomials/polynomial.hpp"
#include "barretenberg/stdlib/primitives/curves/grumpkin.hpp"

namespace bb {
/**
Expand Down Expand Up @@ -51,6 +53,32 @@ template <typename Curve> class OpeningClaim {
// commitment to univariate polynomial p(X)
Commitment commitment;

IPAClaimIndices get_witness_indices() const
requires(std::is_same_v<Curve, stdlib::grumpkin<UltraCircuitBuilder>>)
{
return { opening_pair.challenge.binary_basis_limbs[0].element.normalize().witness_index,
opening_pair.challenge.binary_basis_limbs[1].element.normalize().witness_index,
opening_pair.challenge.binary_basis_limbs[2].element.normalize().witness_index,
opening_pair.challenge.binary_basis_limbs[3].element.normalize().witness_index,
// TODO(https://github.com/AztecProtocol/barretenberg/issues/1153): Uncomment this when we turn the
// eval into witnesses.
// opening_pair.evaluation.binary_basis_limbs[0].element.normalize().witness_index,
// opening_pair.evaluation.binary_basis_limbs[1].element.normalize().witness_index,
// opening_pair.evaluation.binary_basis_limbs[2].element.normalize().witness_index,
// opening_pair.evaluation.binary_basis_limbs[3].element.normalize().witness_index,
commitment.x.normalize().witness_index, // no idea if we need these normalize() calls...
commitment.y.normalize().witness_index };
}

auto get_native_opening_claim() const
requires(Curve::is_stdlib_type)
{
return OpeningClaim<typename Curve::NativeCurve>{
{ static_cast<typename Curve::NativeCurve::ScalarField>(opening_pair.challenge.get_value()),
static_cast<typename Curve::NativeCurve::ScalarField>(opening_pair.evaluation.get_value()) },
commitment.get_value()
};
}
/**
* @brief inefficiently check that the claim is correct by recomputing the commitment
* and evaluating the polynomial in r.
Expand Down
27 changes: 22 additions & 5 deletions barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.hpp
Original file line number Diff line number Diff line change
Expand Up @@ -749,20 +749,21 @@ template <typename Curve_> class IPA {
}

/**
* @brief Takes two IPA claims and accumulates them into 1 IPA claim.
* @details We create an IPA accumulator by running the IPA recursive verifier on each claim. Then, we generate challenges, and use these challenges to compute the new accumulator. We also create the accumulated polynomial.
* @brief Takes two IPA claims and accumulates them into 1 IPA claim. Also computes IPA proof for the claim.
* @details We create an IPA accumulator by running the IPA recursive verifier on each claim. Then, we generate challenges, and use these challenges to compute the new accumulator. We also create the accumulated polynomial, and generate the IPA proof for the accumulated claim.
* More details are described here: https://hackmd.io/IXoLIPhVT_ej8yhZ_Ehvuw?both.
*
* @param verifier_ck
* @param transcript_1
* @param claim_1
* @param transcript_2
* @param claim_2
* @return std::pair<OpeningClaim<Curve>, Polynomial<bb::fq>>
* @return std::pair<OpeningClaim<Curve>, HonkProof>
*/
static std::pair<OpeningClaim<Curve>, Polynomial<bb::fq>> accumulate(auto& transcript_1, OpeningClaim<Curve> claim_1, auto& transcript_2, OpeningClaim<Curve> claim_2)
static std::pair<OpeningClaim<Curve>, HonkProof> accumulate(const std::shared_ptr<CommitmentKey<curve::Grumpkin>>& ck, auto& transcript_1, OpeningClaim<Curve> claim_1, auto& transcript_2, OpeningClaim<Curve> claim_2)
requires Curve::is_stdlib_type
{
using NativeCurve = curve::Grumpkin;
using Builder = typename Curve::Builder;
// Step 1: Run the verifier for each IPA instance
VerifierAccumulator pair_1 = reduce_verify(claim_1, transcript_1);
Expand Down Expand Up @@ -793,7 +794,23 @@ template <typename Curve_> class IPA {
for (Fr u_inv_i : pair_2.u_challenges_inv) {
native_u_challenges_inv_2.push_back(bb::fq(u_inv_i.get_value()));
}
return {output_claim, create_challenge_poly(uint32_t(pair_1.log_poly_length.get_value()), native_u_challenges_inv_1, uint32_t(pair_2.log_poly_length.get_value()), native_u_challenges_inv_2, fq(alpha.get_value()))};

// Compute proof for the claim
auto prover_transcript = std::make_shared<NativeTranscript>();
const OpeningPair<NativeCurve> opening_pair{ bb::fq(output_claim.opening_pair.challenge.get_value()),
bb::fq(output_claim.opening_pair.evaluation.get_value()) };
Polynomial<fq> challenge_poly = create_challenge_poly(uint32_t(pair_1.log_poly_length.get_value()), native_u_challenges_inv_1, uint32_t(pair_2.log_poly_length.get_value()), native_u_challenges_inv_2, fq(alpha.get_value()));

ASSERT(challenge_poly.evaluate(opening_pair.challenge) == opening_pair.evaluation && "Opening claim does not hold for challenge polynomial.");

IPA<NativeCurve>::compute_opening_proof(ck, { challenge_poly, opening_pair }, prover_transcript);

// Since we know this circuit will not have any more IPA claims to accumulate, add IPA Claim to public inputs of circuit and add the proof to the builder.
Builder* builder = r.get_context();
builder->add_ipa_claim(output_claim.get_witness_indices());
builder->ipa_proof = prover_transcript->proof_data;

return {output_claim, prover_transcript->proof_data};
}
};

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -56,8 +56,8 @@ class IPARecursiveTests : public CommitmentTest<NativeCurve> {
OpeningClaim<Curve> stdlib_opening_claim{ { stdlib_x, stdlib_eval }, stdlib_comm };

// Construct stdlib verifier transcript
auto recursive_verifier_transcript =
std::make_shared<StdlibTranscript>(bb::convert_proof_to_witness(&builder, prover_transcript->proof_data));
auto recursive_verifier_transcript = std::make_shared<StdlibTranscript>(
bb::convert_native_proof_to_stdlib(&builder, prover_transcript->proof_data));
return { recursive_verifier_transcript, stdlib_opening_claim };
}

Expand Down Expand Up @@ -158,25 +158,21 @@ class IPARecursiveTests : public CommitmentTest<NativeCurve> {

// Creates two IPA accumulators and accumulators from the two claims. Also constructs the accumulated h
// polynomial.
auto [output_claim, challenge_poly] = RecursiveIPA::accumulate(transcript_1, claim_1, transcript_2, claim_2);
auto [output_claim, ipa_proof] =
RecursiveIPA::accumulate(this->ck(), transcript_1, claim_1, transcript_2, claim_2);
builder.finalize_circuit(/*ensure_nonzero=*/false);
info("Circuit with 2 IPA Recursive Verifiers and IPA Accumulation num finalized gates = ",
builder.get_num_finalized_gates());

EXPECT_TRUE(CircuitChecker::check(builder));

// Run the IPA prover on this new accumulated claim.
auto prover_transcript = std::make_shared<NativeTranscript>();
const OpeningPair<NativeCurve> opening_pair{ bb::fq(output_claim.opening_pair.challenge.get_value()),
bb::fq(output_claim.opening_pair.evaluation.get_value()) };
Commitment native_comm = output_claim.commitment.get_value();
const OpeningClaim<NativeCurve> opening_claim{ opening_pair, native_comm };

NativeIPA::compute_opening_proof(this->ck(), { challenge_poly, opening_pair }, prover_transcript);

EXPECT_EQ(challenge_poly.evaluate(opening_pair.challenge), opening_pair.evaluation);
// Natively verify this proof to check it.
auto verifier_transcript = std::make_shared<NativeTranscript>(prover_transcript->proof_data);
auto verifier_transcript = std::make_shared<NativeTranscript>(ipa_proof);

auto result = NativeIPA::reduce_verify(this->vk(), opening_claim, verifier_transcript);
EXPECT_TRUE(result);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,7 @@ TEST(ShpleminiRecursionTest, ProveAndVerifySingle)
N, RefVector(f_polynomials), RefVector(g_polynomials), u_challenge, commitment_key, prover_transcript);
KZG<NativeCurve>::compute_opening_proof(commitment_key, prover_opening_claims, prover_transcript);
Builder builder;
StdlibProof<Builder> stdlib_proof = bb::convert_proof_to_witness(&builder, prover_transcript->proof_data);
StdlibProof<Builder> stdlib_proof = bb::convert_native_proof_to_stdlib(&builder, prover_transcript->proof_data);
auto stdlib_verifier_transcript = std::make_shared<Transcript>(stdlib_proof);
stdlib_verifier_transcript->template receive_from_prover<Fr>("Init");

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -95,7 +95,7 @@ TEST(ZeroMorphRecursionTest, ProveAndVerifySingle)
prover_transcript);

Builder builder;
StdlibProof<Builder> stdlib_proof = bb::convert_proof_to_witness(&builder, prover_transcript->proof_data);
StdlibProof<Builder> stdlib_proof = bb::convert_native_proof_to_stdlib(&builder, prover_transcript->proof_data);
auto stdlib_verifier_transcript = std::make_shared<Transcript>(stdlib_proof);
[[maybe_unused]] auto _ = stdlib_verifier_transcript->template receive_from_prover<Fr>("Init");

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -299,7 +299,7 @@ void process_plonk_recursion_constraints(Builder& builder,
// they want these constants set by keeping the nested aggregation object attached to
// the proof as public inputs. As this is the only object that can prepended to the
// proof if the proof is above the expected size (with public inputs stripped)
PairingPointAccumPubInputIndices nested_aggregation_object = {};
PairingPointAccumulatorPubInputIndices nested_aggregation_object = {};
// If the proof has public inputs attached to it, we should handle setting the nested
// aggregation object
if (constraint.proof.size() > proof_size_no_pub_inputs) {
Expand Down Expand Up @@ -343,16 +343,9 @@ void process_plonk_recursion_constraints(Builder& builder,
// inputs.
if (!constraint_system.recursion_constraints.empty()) {

// First add the output aggregation object as public inputs
// Set the indices as public inputs because they are no longer being
// created in ACIR
for (const auto& idx : current_output_aggregation_object) {
builder.set_public_input(idx);
}

// Make sure the verification key records the public input indices of the
// final recursion output.
builder.set_pairing_point_accumulator(current_output_aggregation_object);
builder.add_pairing_point_accumulator(current_output_aggregation_object);
}
}

Expand Down
Loading

0 comments on commit 1548c9e

Please sign in to comment.