diff --git a/barretenberg/cpp/src/barretenberg/benchmark/ultra_bench/mega_zk_honk.bench.cpp b/barretenberg/cpp/src/barretenberg/benchmark/ultra_bench/mega_zk_honk.bench.cpp new file mode 100644 index 00000000000..fa794cd723c --- /dev/null +++ b/barretenberg/cpp/src/barretenberg/benchmark/ultra_bench/mega_zk_honk.bench.cpp @@ -0,0 +1,51 @@ +#include + +#include "barretenberg/benchmark/ultra_bench/mock_circuits.hpp" +#include "barretenberg/stdlib_circuit_builders/mega_circuit_builder.hpp" + +using namespace benchmark; +using namespace bb; + +/** + * @brief Benchmark: Construction of a Ultra Honk proof for a circuit determined by the provided circuit function + */ +static void construct_proof_megahonk_zk(State& state, + void (*test_circuit_function)(MegaCircuitBuilder&, size_t)) noexcept +{ + size_t num_iterations = 10; // 10x the circuit + bb::mock_circuits::construct_proof_with_specified_num_iterations( + state, test_circuit_function, num_iterations); +} + +/** + * @brief Benchmark: Construction of a Ultra Plonk proof with 2**n gates + */ +static void construct_proof_megahonk_power_of_2_zk(State& state) noexcept +{ + auto log2_of_gates = static_cast(state.range(0)); + bb::mock_circuits::construct_proof_with_specified_num_iterations( + state, &bb::mock_circuits::generate_basic_arithmetic_circuit, log2_of_gates); +} + +// Define benchmarks + +// This exists due to an issue where get_row was blowing up in time +BENCHMARK_CAPTURE(construct_proof_megahonk_zk, sha256, &stdlib::generate_sha256_test_circuit) + ->Unit(kMillisecond); +BENCHMARK_CAPTURE(construct_proof_megahonk_zk, keccak, &stdlib::generate_keccak_test_circuit) + ->Unit(kMillisecond); +BENCHMARK_CAPTURE(construct_proof_megahonk_zk, + ecdsa_verification, + &stdlib::generate_ecdsa_verification_test_circuit) + ->Unit(kMillisecond); +BENCHMARK_CAPTURE(construct_proof_megahonk_zk, + merkle_membership, + &stdlib::generate_merkle_membership_test_circuit) + ->Unit(kMillisecond); + +BENCHMARK(construct_proof_megahonk_power_of_2_zk) + // 2**15 gates to 2**20 gates + ->DenseRange(15, 20) + ->Unit(kMillisecond); + +BENCHMARK_MAIN(); diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp index 813f612ff60..38d685c3a4a 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp @@ -318,6 +318,8 @@ TYPED_TEST(KZGTest, ShpleminiKzgWithShiftAndConcatenation) mle_opening_point, this->vk()->get_g1_identity(), verifier_transcript, + /* libra commitments = */ {}, + /* libra evaluations = */ {}, to_vector_of_ref_vectors(concatenation_groups_commitments), RefVector(c_evaluations)); const auto pairing_points = KZG::reduce_verify_batch_opening_claim(batch_opening_claim, verifier_transcript); diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp index 59688cdf2e1..e6f398f2302 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp @@ -27,10 +27,10 @@ template class ShpleminiProver_ { std::span multilinear_challenge, const std::shared_ptr>& commitment_key, const std::shared_ptr& transcript, - RefSpan concatenated_polynomials = {}, - const std::vector>& groups_to_be_concatenated = {}, const std::vector>& libra_univariates = {}, - const std::vector& libra_evaluations = {}) + const std::vector& libra_evaluations = {}, + RefSpan concatenated_polynomials = {}, + const std::vector>& groups_to_be_concatenated = {}) { std::vector opening_claims = GeminiProver::prove(circuit_size, f_polynomials, @@ -129,10 +129,10 @@ template class ShpleminiVerifier_ { const std::vector& multivariate_challenge, const Commitment& g1_identity, const std::shared_ptr& transcript, - const std::vector>& concatenation_group_commitments = {}, - RefSpan concatenated_evaluations = {}, RefSpan libra_univariate_commitments = {}, - const std::vector& libra_univariate_evaluations = {}) + const std::vector& libra_univariate_evaluations = {}, + const std::vector>& concatenation_group_commitments = {}, + RefSpan concatenated_evaluations = {}) { diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp index 9914b2e092c..3fab01e75c5 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp @@ -302,8 +302,6 @@ TYPED_TEST(ShpleminiTest, ShpleminiWithMaskingLibraUnivariates) mle_opening_point, this->ck(), prover_transcript, - /* concatenated_polynomials = */ {}, - /* groups_to_be_concatenated = */ {}, libra_univariates, libra_evaluations); if constexpr (std::is_same_v) { @@ -318,19 +316,16 @@ TYPED_TEST(ShpleminiTest, ShpleminiWithMaskingLibraUnivariates) // Gemini verifier output: // - claim: d+1 commitments to Fold_{r}^(0), Fold_{-r}^(0), Fold^(l), d+1 evaluations a_0_pos, a_l, l = 0:d-1 - auto batch_opening_claim = - ShpleminiVerifier::compute_batch_opening_claim(n, - RefVector(unshifted_commitments), - RefVector(shifted_commitments), - RefArray{ eval1, eval2, eval3, eval4 }, - RefArray{ eval2_shift, eval3_shift }, - mle_opening_point, - this->vk()->get_g1_identity(), - verifier_transcript, - /* concatenation_group_commitments = */ {}, - /* concatenated_evaluations = */ {}, - RefVector(libra_commitments), - libra_evaluations); + auto batch_opening_claim = ShpleminiVerifier::compute_batch_opening_claim(n, + RefVector(unshifted_commitments), + RefVector(shifted_commitments), + RefArray{ eval1, eval2, eval3, eval4 }, + RefArray{ eval2_shift, eval3_shift }, + mle_opening_point, + this->vk()->get_g1_identity(), + verifier_transcript, + RefVector(libra_commitments), + libra_evaluations); if constexpr (std::is_same_v) { auto result = IPA::reduce_verify_batch_opening_claim(batch_opening_claim, this->vk(), verifier_transcript); diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp index 174e2f917e9..bf10760c8ff 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp @@ -100,7 +100,9 @@ void ECCVMProver::execute_relation_check_rounds() for (size_t idx = 0; idx < CONST_PROOF_SIZE_LOG_N; idx++) { gate_challenges[idx] = transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); } - zk_sumcheck_data = ZKSumcheckData(key->log_circuit_size, transcript, key); + + auto commitment_key = std::make_shared(Flavor::BATCHED_RELATION_PARTIAL_LENGTH); + zk_sumcheck_data = ZKSumcheckData(key->log_circuit_size, transcript, commitment_key); sumcheck_output = sumcheck.prove(key->polynomials, relation_parameters, alpha, gate_challenges, zk_sumcheck_data); } @@ -127,8 +129,6 @@ void ECCVMProver::execute_pcs_rounds() sumcheck_output.challenge, key->commitment_key, transcript, - /* concatenated_polynomials = */ {}, - /* groups_to_be_concatenated = */ {}, zk_sumcheck_data.libra_univariates_monomial, sumcheck_output.claimed_libra_evaluations); diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp index 707d6a60142..db1c11170d1 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp @@ -78,8 +78,6 @@ bool ECCVMVerifier::verify_proof(const HonkProof& proof) multivariate_challenge, key->pcs_verification_key->get_g1_identity(), transcript, - /* concatenation_group_commitments = */ {}, - /* concatenated_evaluations = */ {}, RefVector(libra_commitments), libra_evaluations); diff --git a/barretenberg/cpp/src/barretenberg/execution_trace/execution_trace.cpp b/barretenberg/cpp/src/barretenberg/execution_trace/execution_trace.cpp index 93945d1907e..38b20b9891b 100644 --- a/barretenberg/cpp/src/barretenberg/execution_trace/execution_trace.cpp +++ b/barretenberg/cpp/src/barretenberg/execution_trace/execution_trace.cpp @@ -1,7 +1,7 @@ #include "execution_trace.hpp" #include "barretenberg/flavor/plonk_flavors.hpp" #include "barretenberg/plonk/proof_system/proving_key/proving_key.hpp" -#include "barretenberg/stdlib_circuit_builders/mega_flavor.hpp" +#include "barretenberg/stdlib_circuit_builders/mega_zk_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_keccak_flavor.hpp" namespace bb { @@ -171,6 +171,7 @@ void ExecutionTrace_::add_ecc_op_wires_to_proving_key(Builder& builder, template class ExecutionTrace_; template class ExecutionTrace_; template class ExecutionTrace_; +template class ExecutionTrace_; template class ExecutionTrace_; template class ExecutionTrace_; diff --git a/barretenberg/cpp/src/barretenberg/flavor/flavor.hpp b/barretenberg/cpp/src/barretenberg/flavor/flavor.hpp index 589fdb778b9..3b7fa66b826 100644 --- a/barretenberg/cpp/src/barretenberg/flavor/flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/flavor/flavor.hpp @@ -326,10 +326,12 @@ class UltraFlavorWithZK; class ECCVMFlavor; class UltraKeccakFlavor; class MegaFlavor; +class MegaZKFlavor; class TranslatorFlavor; class AvmFlavor; template class UltraRecursiveFlavor_; template class MegaRecursiveFlavor_; +template class MegaZKRecursiveFlavor_; template class TranslatorRecursiveFlavor_; template class ECCVMRecursiveFlavor_; template class AvmRecursiveFlavor_; @@ -361,15 +363,18 @@ template concept IsUltraPlonkOrHonk = IsAnyOf; template -concept IsHonkFlavor = IsAnyOf; +concept IsHonkFlavor = IsAnyOf; template -concept IsUltraFlavor = IsAnyOf; +concept IsUltraFlavor = IsAnyOf; template -concept IsGoblinFlavor = IsAnyOf, - MegaRecursiveFlavor_, MegaRecursiveFlavor_>; + MegaRecursiveFlavor_, +MegaRecursiveFlavor_, +MegaZKRecursiveFlavor_, +MegaZKRecursiveFlavor_>; template concept HasDataBus = IsGoblinFlavor; @@ -381,6 +386,8 @@ concept IsRecursiveFlavor = IsAnyOf, MegaRecursiveFlavor_, MegaRecursiveFlavor_, +MegaZKRecursiveFlavor_, +MegaZKRecursiveFlavor_, TranslatorRecursiveFlavor_, TranslatorRecursiveFlavor_, TranslatorRecursiveFlavor_, @@ -397,11 +404,15 @@ template concept IsFoldingFlavor = IsAnyOf, UltraRecursiveFlavor_, UltraRecursiveFlavor_, MegaRecursiveFlavor_, - MegaRecursiveFlavor_, MegaRecursiveFlavor_>; + MegaRecursiveFlavor_, +MegaRecursiveFlavor_, +MegaZKRecursiveFlavor_, +MegaZKRecursiveFlavor_>; template concept FlavorHasZK = T::HasZK; diff --git a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp index 844f45d840f..f2150c54e75 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp @@ -92,8 +92,6 @@ template void ECCVMRecursiveVerifier_::verify_proof(co multivariate_challenge, key->pcs_verification_key->get_g1_identity(), transcript, - /* concatenation_group_commitments = */ {}, - /* concatenated_evaluations = */ {}, RefVector(libra_commitments), libra_evaluations); // Reduce the accumulator to a single opening claim diff --git a/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/oink_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/oink_recursive_verifier.cpp index 4292b2b8c95..8c79fa753f0 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/oink_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/oink_recursive_verifier.cpp @@ -2,7 +2,9 @@ #include "barretenberg/numeric/bitop/get_msb.hpp" #include "barretenberg/plonk_honk_shared/library/grand_product_delta.hpp" -#include "barretenberg/transcript/transcript.hpp" +#include "barretenberg/stdlib_circuit_builders/mega_recursive_flavor.hpp" +#include "barretenberg/stdlib_circuit_builders/mega_zk_recursive_flavor.hpp" +#include "barretenberg/stdlib_circuit_builders/ultra_recursive_flavor.hpp" #include namespace bb::stdlib::recursion::honk { @@ -130,6 +132,8 @@ template class OinkRecursiveVerifier_>; template class OinkRecursiveVerifier_>; template class OinkRecursiveVerifier_>; +template class OinkRecursiveVerifier_>; +template class OinkRecursiveVerifier_>; template class OinkRecursiveVerifier_>; template class OinkRecursiveVerifier_>; } // namespace bb::stdlib::recursion::honk diff --git a/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/oink_recursive_verifier.hpp b/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/oink_recursive_verifier.hpp index 5b021062313..1e60e004aef 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/oink_recursive_verifier.hpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/oink_recursive_verifier.hpp @@ -1,8 +1,6 @@ #pragma once #include "barretenberg/stdlib/protogalaxy_verifier/recursive_decider_verification_key.hpp" #include "barretenberg/stdlib/transcript/transcript.hpp" -#include "barretenberg/stdlib_circuit_builders/mega_recursive_flavor.hpp" -#include "barretenberg/stdlib_circuit_builders/ultra_recursive_flavor.hpp" namespace bb::stdlib::recursion::honk { diff --git a/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.cpp index 6f585f60013..5928b8a0bff 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.cpp @@ -89,18 +89,36 @@ UltraRecursiveVerifier_::AggregationObject UltraRecursiveVerifier_(key->circuit_size)); auto sumcheck = Sumcheck(log_circuit_size, transcript); - auto [multivariate_challenge, claimed_evaluations, sumcheck_verified] = + // Receive commitments to Libra masking polynomials + std::vector libra_commitments = {}; + if constexpr (Flavor::HasZK) { + for (size_t idx = 0; idx < log_circuit_size; idx++) { + Commitment libra_commitment = + transcript->template receive_from_prover("Libra:commitment_" + std::to_string(idx)); + libra_commitments.push_back(libra_commitment); + }; + } + SumcheckOutput sumcheck_output = sumcheck.verify(verification_key->relation_parameters, verification_key->alphas, gate_challenges); + // For MegaZKFlavor: the sumcheck output contains claimed evaluations of the Libra polynomials + std::vector libra_evaluations = {}; + if constexpr (Flavor::HasZK) { + libra_evaluations = std::move(sumcheck_output.claimed_libra_evaluations); + } + // Execute Shplemini to produce a batch opening claim subsequently verified by a univariate PCS - auto opening_claim = Shplemini::compute_batch_opening_claim(key->circuit_size, - commitments.get_unshifted(), - commitments.get_to_be_shifted(), - claimed_evaluations.get_unshifted(), - claimed_evaluations.get_shifted(), - multivariate_challenge, - Commitment::one(builder), - transcript); + const BatchOpeningClaim opening_claim = + Shplemini::compute_batch_opening_claim(key->circuit_size, + commitments.get_unshifted(), + commitments.get_to_be_shifted(), + sumcheck_output.claimed_evaluations.get_unshifted(), + sumcheck_output.claimed_evaluations.get_shifted(), + sumcheck_output.challenge, + Commitment::one(builder), + transcript, + RefVector(libra_commitments), + libra_evaluations); auto pairing_points = PCS::reduce_verify_batch_opening_claim(opening_claim, transcript); pairing_points[0] = pairing_points[0].normalize(); @@ -114,6 +132,8 @@ template class UltraRecursiveVerifier_>; template class UltraRecursiveVerifier_>; template class UltraRecursiveVerifier_>; +template class UltraRecursiveVerifier_>; +template class UltraRecursiveVerifier_>; template class UltraRecursiveVerifier_>; template class UltraRecursiveVerifier_>; } // namespace bb::stdlib::recursion::honk diff --git a/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.hpp b/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.hpp index 40a2dbe7e91..a72692241f8 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.hpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.hpp @@ -4,6 +4,7 @@ #include "barretenberg/stdlib/plonk_recursion/aggregation_state/aggregation_state.hpp" #include "barretenberg/stdlib/transcript/transcript.hpp" #include "barretenberg/stdlib_circuit_builders/mega_recursive_flavor.hpp" +#include "barretenberg/stdlib_circuit_builders/mega_zk_recursive_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_recursive_flavor.hpp" #include "barretenberg/sumcheck/sumcheck.hpp" diff --git a/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.test.cpp b/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.test.cpp index 8e16c7b419e..2059b617358 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.test.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.test.cpp @@ -1,10 +1,7 @@ #include "barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.hpp" #include "barretenberg/circuit_checker/circuit_checker.hpp" #include "barretenberg/common/test.hpp" -#include "barretenberg/stdlib/hash/blake3s/blake3s.hpp" -#include "barretenberg/stdlib/hash/pedersen/pedersen.hpp" #include "barretenberg/stdlib/primitives/curves/bn254.hpp" -#include "barretenberg/stdlib_circuit_builders/ultra_recursive_flavor.hpp" #include "barretenberg/ultra_honk/ultra_prover.hpp" #include "barretenberg/ultra_honk/ultra_verifier.hpp" @@ -295,7 +292,9 @@ using Flavors = testing::Types, UltraRecursiveFlavor_, UltraRecursiveFlavor_, UltraRecursiveFlavor_, - MegaRecursiveFlavor_>; + MegaRecursiveFlavor_, + MegaZKRecursiveFlavor_, + MegaZKRecursiveFlavor_>; TYPED_TEST_SUITE(RecursiveVerifierTest, Flavors); diff --git a/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp index 52180676b95..1dbae562d7d 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp @@ -129,10 +129,10 @@ std::array TranslatorRecursiveVerifier_(); using RelationSeparator = std::array; diff --git a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/mega_zk_flavor.hpp b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/mega_zk_flavor.hpp new file mode 100644 index 00000000000..fd48e263b76 --- /dev/null +++ b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/mega_zk_flavor.hpp @@ -0,0 +1,210 @@ +#pragma once + +#include "barretenberg/stdlib_circuit_builders/mega_flavor.hpp" + +namespace bb { + +/*! +\brief Child class of MegaFlavor that runs with ZK Sumcheck. + See more in \ref docs/src/sumcheck-outline.md "Sumcheck Outline". +*/ +class MegaZKFlavor : public bb::MegaFlavor { + public: + // Indicates that this flavor runs with non-ZK Sumcheck. + static constexpr bool HasZK = true; + /** + * @brief Derived class that defines proof structure for Mega proofs, as well as supporting functions. + * Note: Made generic for use in MegaRecursive. + * TODO(https://github.com/AztecProtocol/barretenberg/issues/877): Remove this Commitment template parameter + */ + template class Transcript_ : public NativeTranscript { + public: + uint32_t circuit_size; + uint32_t public_input_size; + uint32_t pub_inputs_offset; + std::vector public_inputs; + Commitment w_l_comm; + Commitment w_r_comm; + Commitment w_o_comm; + Commitment ecc_op_wire_1_comm; + Commitment ecc_op_wire_2_comm; + Commitment ecc_op_wire_3_comm; + Commitment ecc_op_wire_4_comm; + Commitment calldata_comm; + Commitment calldata_read_counts_comm; + Commitment calldata_read_tags_comm; + Commitment calldata_inverses_comm; + Commitment secondary_calldata_comm; + Commitment secondary_calldata_read_counts_comm; + Commitment secondary_calldata_read_tags_comm; + Commitment secondary_calldata_inverses_comm; + Commitment return_data_comm; + Commitment return_data_read_counts_comm; + Commitment return_data_read_tags_comm; + Commitment return_data_inverses_comm; + Commitment w_4_comm; + Commitment z_perm_comm; + Commitment lookup_inverses_comm; + Commitment lookup_read_counts_comm; + Commitment lookup_read_tags_comm; + std::vector libra_commitments; + FF libra_sum; + std::vector> sumcheck_univariates; + std::vector libra_evaluations; + std::array sumcheck_evaluations; + std::vector gemini_fold_comms; + std::vector gemini_fold_evals; + Commitment shplonk_q_comm; + Commitment kzg_w_comm; + + Transcript_() = default; + + Transcript_(const HonkProof& proof) + : NativeTranscript(proof) + {} + + static std::shared_ptr prover_init_empty() + { + auto transcript = std::make_shared(); + constexpr uint32_t init{ 42 }; // arbitrary + transcript->send_to_verifier("Init", init); + return transcript; + }; + + static std::shared_ptr verifier_init_empty(const std::shared_ptr& transcript) + { + auto verifier_transcript = std::make_shared(transcript->proof_data); + [[maybe_unused]] auto _ = verifier_transcript->template receive_from_prover("Init"); + return verifier_transcript; + }; + + void deserialize_full_transcript() + { + // take current proof and put them into the struct + size_t num_frs_read = 0; + circuit_size = deserialize_from_buffer(proof_data, num_frs_read); + size_t log_circuit_size = static_cast(numeric::get_msb(circuit_size)); + + public_input_size = deserialize_from_buffer(proof_data, num_frs_read); + pub_inputs_offset = deserialize_from_buffer(proof_data, num_frs_read); + for (size_t i = 0; i < public_input_size; ++i) { + public_inputs.push_back(deserialize_from_buffer(proof_data, num_frs_read)); + } + w_l_comm = deserialize_from_buffer(proof_data, num_frs_read); + w_r_comm = deserialize_from_buffer(proof_data, num_frs_read); + w_o_comm = deserialize_from_buffer(proof_data, num_frs_read); + ecc_op_wire_1_comm = deserialize_from_buffer(proof_data, num_frs_read); + ecc_op_wire_2_comm = deserialize_from_buffer(proof_data, num_frs_read); + ecc_op_wire_3_comm = deserialize_from_buffer(proof_data, num_frs_read); + ecc_op_wire_4_comm = deserialize_from_buffer(proof_data, num_frs_read); + calldata_comm = deserialize_from_buffer(proof_data, num_frs_read); + calldata_read_counts_comm = deserialize_from_buffer(proof_data, num_frs_read); + calldata_read_tags_comm = deserialize_from_buffer(proof_data, num_frs_read); + calldata_inverses_comm = deserialize_from_buffer(proof_data, num_frs_read); + secondary_calldata_comm = deserialize_from_buffer(proof_data, num_frs_read); + secondary_calldata_read_counts_comm = deserialize_from_buffer(proof_data, num_frs_read); + secondary_calldata_read_tags_comm = deserialize_from_buffer(proof_data, num_frs_read); + secondary_calldata_inverses_comm = deserialize_from_buffer(proof_data, num_frs_read); + return_data_comm = deserialize_from_buffer(proof_data, num_frs_read); + return_data_read_counts_comm = deserialize_from_buffer(proof_data, num_frs_read); + return_data_read_tags_comm = deserialize_from_buffer(proof_data, num_frs_read); + return_data_inverses_comm = deserialize_from_buffer(proof_data, num_frs_read); + lookup_read_counts_comm = deserialize_from_buffer(proof_data, num_frs_read); + lookup_read_tags_comm = deserialize_from_buffer(proof_data, num_frs_read); + w_4_comm = deserialize_from_buffer(proof_data, num_frs_read); + lookup_inverses_comm = deserialize_from_buffer(proof_data, num_frs_read); + z_perm_comm = deserialize_from_buffer(proof_data, num_frs_read); + for (size_t i = 0; i < log_circuit_size; i++) { + libra_commitments.emplace_back(NativeTranscript::template deserialize_from_buffer( + NativeTranscript::proof_data, num_frs_read)); + }; + libra_sum = + NativeTranscript::template deserialize_from_buffer(NativeTranscript::proof_data, num_frs_read); + + for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N; ++i) { + sumcheck_univariates.push_back( + deserialize_from_buffer>(proof_data, + num_frs_read)); + } + for (size_t i = 0; i < log_circuit_size; i++) { + libra_evaluations.emplace_back( + NativeTranscript::template deserialize_from_buffer(NativeTranscript::proof_data, num_frs_read)); + } + sumcheck_evaluations = deserialize_from_buffer>(proof_data, num_frs_read); + for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N - 1; ++i) { + gemini_fold_comms.push_back(deserialize_from_buffer(proof_data, num_frs_read)); + } + for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N; ++i) { + gemini_fold_evals.push_back(deserialize_from_buffer(proof_data, num_frs_read)); + } + shplonk_q_comm = deserialize_from_buffer(proof_data, num_frs_read); + + kzg_w_comm = deserialize_from_buffer(proof_data, num_frs_read); + } + + void serialize_full_transcript() + { + size_t old_proof_length = proof_data.size(); + size_t log_circuit_size = static_cast(numeric::get_msb(circuit_size)); + proof_data.clear(); + serialize_to_buffer(circuit_size, proof_data); + serialize_to_buffer(public_input_size, proof_data); + serialize_to_buffer(pub_inputs_offset, proof_data); + for (size_t i = 0; i < public_input_size; ++i) { + serialize_to_buffer(public_inputs[i], proof_data); + } + serialize_to_buffer(w_l_comm, proof_data); + serialize_to_buffer(w_r_comm, proof_data); + serialize_to_buffer(w_o_comm, proof_data); + serialize_to_buffer(ecc_op_wire_1_comm, proof_data); + serialize_to_buffer(ecc_op_wire_2_comm, proof_data); + serialize_to_buffer(ecc_op_wire_3_comm, proof_data); + serialize_to_buffer(ecc_op_wire_4_comm, proof_data); + serialize_to_buffer(calldata_comm, proof_data); + serialize_to_buffer(calldata_read_counts_comm, proof_data); + serialize_to_buffer(calldata_read_tags_comm, proof_data); + serialize_to_buffer(calldata_inverses_comm, proof_data); + serialize_to_buffer(secondary_calldata_comm, proof_data); + serialize_to_buffer(secondary_calldata_read_counts_comm, proof_data); + serialize_to_buffer(secondary_calldata_read_tags_comm, proof_data); + serialize_to_buffer(secondary_calldata_inverses_comm, proof_data); + serialize_to_buffer(return_data_comm, proof_data); + serialize_to_buffer(return_data_read_counts_comm, proof_data); + serialize_to_buffer(return_data_read_tags_comm, proof_data); + serialize_to_buffer(return_data_inverses_comm, proof_data); + serialize_to_buffer(lookup_read_counts_comm, proof_data); + serialize_to_buffer(lookup_read_tags_comm, proof_data); + serialize_to_buffer(w_4_comm, proof_data); + serialize_to_buffer(lookup_inverses_comm, proof_data); + serialize_to_buffer(z_perm_comm, proof_data); + + for (size_t i = 0; i < log_circuit_size; ++i) { + NativeTranscript::template serialize_to_buffer(libra_commitments[i], NativeTranscript::proof_data); + } + NativeTranscript::template serialize_to_buffer(libra_sum, NativeTranscript::proof_data); + + for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N; ++i) { + serialize_to_buffer(sumcheck_univariates[i], proof_data); + } + for (size_t i = 0; i < log_circuit_size; ++i) { + NativeTranscript::template serialize_to_buffer(libra_evaluations[i], NativeTranscript::proof_data); + } + + serialize_to_buffer(sumcheck_evaluations, proof_data); + for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N - 1; ++i) { + serialize_to_buffer(gemini_fold_comms[i], proof_data); + } + for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N; ++i) { + serialize_to_buffer(gemini_fold_evals[i], proof_data); + } + serialize_to_buffer(shplonk_q_comm, proof_data); + serialize_to_buffer(kzg_w_comm, proof_data); + + ASSERT(proof_data.size() == old_proof_length); + } + }; + // Specialize for Mega (general case used in MegaRecursive). + using Transcript = Transcript_; +}; + +} // namespace bb \ No newline at end of file diff --git a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/mega_zk_recursive_flavor.hpp b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/mega_zk_recursive_flavor.hpp new file mode 100644 index 00000000000..83bdabd23f3 --- /dev/null +++ b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/mega_zk_recursive_flavor.hpp @@ -0,0 +1,46 @@ +#pragma once +#include "barretenberg/commitment_schemes/commitment_key.hpp" +#include "barretenberg/commitment_schemes/kzg/kzg.hpp" +#include "barretenberg/ecc/curves/bn254/g1.hpp" +#include "barretenberg/flavor/flavor.hpp" +#include "barretenberg/flavor/flavor_macros.hpp" +#include "barretenberg/polynomials/barycentric.hpp" +#include "barretenberg/polynomials/evaluation_domain.hpp" +#include "barretenberg/polynomials/univariate.hpp" +#include "barretenberg/stdlib/primitives/curves/bn254.hpp" +#include "barretenberg/stdlib/primitives/field/field.hpp" +#include "barretenberg/stdlib/transcript/transcript.hpp" +#include "barretenberg/stdlib_circuit_builders/mega_circuit_builder.hpp" +#include "barretenberg/stdlib_circuit_builders/mega_recursive_flavor.hpp" +#include "barretenberg/stdlib_circuit_builders/mega_zk_flavor.hpp" + +namespace bb { + +/** + * @brief The recursive counterpart to the "native" MegaZKFlavor. + * @details This flavor can be used to instantiate a recursive Mega Honk verifier for a proof created using the + * MegaZKFlavor. It is similar in structure to its native counterpart with two main differences: 1) the + * curve types are stdlib types (e.g. field_t instead of field) and 2) it does not specify any Prover related types + * (e.g. Polynomial, ExtendedEdges, etc.) since we do not emulate prover computation in circuits, i.e. it only makes + * sense to instantiate a Verifier with this flavor. + * + * @note Unlike conventional flavors, "recursive" flavors are templated by a builder (much like native vs stdlib types). + * This is because the flavor itself determines the details of the underlying verifier algorithm (i.e. the set of + * relations), while the Builder determines the arithmetization of that algorithm into a circuit. + * + * @tparam BuilderType Determines the arithmetization of the verifier circuit defined based on this flavor. + */ +template class MegaZKRecursiveFlavor_ : public MegaRecursiveFlavor_ { + public: + using NativeFlavor = MegaZKFlavor; + + // Indicates that this flavor runs with non-ZK Sumcheck. + static constexpr bool HasZK = true; + + // BATCHED_RELATION_PARTIAL_LENGTH = algebraic degree of sumcheck relation *after* multiplying by the `pow_zeta` + // random polynomial e.g. For \sum(x) [A(x) * B(x) + C(x)] * PowZeta(X), relation length = 2 and random relation + // length = 3 + static constexpr size_t BATCHED_RELATION_PARTIAL_LENGTH = NativeFlavor::BATCHED_RELATION_PARTIAL_LENGTH; +}; + +} // namespace bb \ No newline at end of file diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp index 3ea3fad4288..f45a5ba402d 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp @@ -191,8 +191,6 @@ template class SumcheckProver { const std::vector& gate_challenges, ZKSumcheckData zk_sumcheck_data = ZKSumcheckData()) { - // In case the Flavor has ZK, we populate sumcheck data structure with randomness, compute correcting term for - // the total sum, etc. bb::GateSeparatorPolynomial gate_separators(gate_challenges, multivariate_d); @@ -250,12 +248,7 @@ template class SumcheckProver { round.round_size = round.round_size >> 1; vinfo("completed sumcheck round ", round_idx); } - // Check that the challenges \f$ u_0,\ldots, u_{d-1} \f$ do not satisfy the equation \f$ u_0(1-u_0) + \ldots + - // u_{d-1} (1 - u_{d-1}) = 0 \f$. This equation is satisfied with probability ~ 1/|FF|, in such cases the prover - // has to abort and start ZK Sumcheck anew. - if constexpr (Flavor::HasZK) { - check_that_evals_do_not_leak_witness_data(multivariate_challenge); - }; + // Zero univariates are used to pad the proof to the fixed size CONST_PROOF_SIZE_LOG_N. auto zero_univariate = bb::Univariate::zero(); for (size_t idx = multivariate_d; idx < CONST_PROOF_SIZE_LOG_N; idx++) { @@ -426,26 +419,6 @@ polynomials that are sent in clear. } }; } - - /** - * @brief By the design of ZK Sumcheck, instead of claimed evaluations of witness polynomials \f$ P_1, \ldots, - P_{N_w} \f$, the prover sends the evaluations of the witness polynomials masked by the terms \f$ \rho_j - \sum_{i=0}^{d-1} u_i(1-u_i) \f$ for \f$ j= 1, \ldots N_w\f$. If the challenges satisfy the equation - \f$\sum_{i=0}^{d-1} u_i(1-u_i) = 0\f$, each masking term is \f$0 \f$, which could lead to the leakage of witness - * - * @param multivariate_challenge - */ - void check_that_evals_do_not_leak_witness_data(std::vector multivariate_challenge) - { - auto masking_term = FF(0); - for (auto challenge : multivariate_challenge) { - masking_term += challenge * (FF(1) - challenge); - } - if (masking_term == FF(0)) { - throw_or_abort("The evaluations of witness polynomials are not masked, because u_0(1-u_0)+...+u_{d-1} " - "(1-u_{d-1}) = 0 "); - }; - } }; /*! \brief Implementation of the sumcheck Verifier for statements of the form \f$\sum_{\vec \ell \in \{0,1\}^d} pow_{\beta}(\vec \ell) \cdot F \left(P_1(\vec \ell),\ldots, P_N(\vec \ell) \right) = 0 \f$ for multilinear diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.test.cpp b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.test.cpp index 174f62fa598..88cdfd405e6 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.test.cpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.test.cpp @@ -6,6 +6,7 @@ #include "barretenberg/relations/elliptic_relation.hpp" #include "barretenberg/relations/permutation_relation.hpp" #include "barretenberg/relations/ultra_arithmetic_relation.hpp" +#include "barretenberg/stdlib_circuit_builders/mega_zk_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/plookup_tables/fixed_base/fixed_base.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_zk_flavor.hpp" @@ -346,13 +347,13 @@ template class SumcheckTests : public ::testing::Test { }; // Define the FlavorTypes -using FlavorTypes = testing::Types; +using FlavorTypes = testing::Types; TYPED_TEST_SUITE(SumcheckTests, FlavorTypes); #define SKIP_IF_ZK() \ - if (std::is_same::value) { \ - GTEST_SKIP() << "Skipping test for UltraFlavorWithZK"; \ + if (std::is_same::value || std::is_same::value) { \ + GTEST_SKIP() << "Skipping test for ZK-enabled flavors"; \ } TYPED_TEST(SumcheckTests, PolynomialNormalization) diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp b/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp index 41d4e245a3c..efe7f8d84be 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/zk_sumcheck_data.hpp @@ -27,6 +27,7 @@ template struct ZKSumcheckData { */ static constexpr size_t BATCHED_RELATION_PARTIAL_LENGTH = Flavor::BATCHED_RELATION_PARTIAL_LENGTH; // The size of the LibraUnivariates. We ensure that they do not take extra space when Flavor runs non-ZK Sumcheck. + // The size of the LibraUnivariates. We ensure that they do not take extra space when Flavor runs non-ZK Sumcheck. static constexpr size_t LIBRA_UNIVARIATES_LENGTH = Flavor::HasZK ? Flavor::BATCHED_RELATION_PARTIAL_LENGTH : 0; // Container for the Libra Univariates. Their number depends on the size of the circuit. using LibraUnivariates = std::vector>; @@ -43,43 +44,21 @@ template struct ZKSumcheckData { // Default constructor ZKSumcheckData() = default; - // Constructor + // Main constructor ZKSumcheckData(const size_t multivariate_d, std::shared_ptr transcript, - std::shared_ptr proving_key = nullptr) - { - setup_zk_sumcheck_data(multivariate_d, transcript, proving_key); - } + std::shared_ptr commitment_key = nullptr) + : libra_univariates(generate_libra_univariates(multivariate_d)) // Created in Lagrange basis for Sumcheck + , libra_univariates_monomial(transform_to_monomial(libra_univariates)) // Required for commiting and by Shplonk - public: - /** - * @brief Create and populate the structure required for the ZK Sumcheck. - * - * @details This method creates an array of random field elements \f$ \rho_1,\ldots, \rho_{N_w}\f$ aimed to mask - * the evaluations of witness polynomials, these are contained in \f$ \texttt{eval_masking_scalars} \f$. In order to - * optimize the computation of Sumcheck Round Univariates, it populates a table of univariates \f$ - * \texttt{masking_terms_evaluations} \f$ which contains at the beginning the evaluations of polynomials \f$ \rho_j - * \cdot (1-X)\cdot X \f$ at \f$ 0,\ldots, \text{MAX_PARTIAL_RELATION_LENGTH} - 1\f$. This method also creates Libra - * univariates, computes the Libra total sum and adds it to the transcript, and sets up all auxiliary objects. - * - * @param zk_sumcheck_data - */ - void setup_zk_sumcheck_data(const size_t multivariate_d, - std::shared_ptr transcript, - std::shared_ptr proving_key = nullptr) { - // Generate random Libra polynomials in the Lagrange basis - libra_univariates = generate_libra_univariates(multivariate_d); - // To commit to libra_univariates and open them later, need to get their coefficients in the monomial basis - libra_univariates_monomial = transform_to_monomial(libra_univariates); - // If proving_key is provided, commit to libra_univariates - if (proving_key != nullptr) { + if (commitment_key != nullptr) { size_t idx = 0; for (auto& libra_univariate_monomial : libra_univariates_monomial) { - auto libra_commitment = proving_key->commitment_key->commit(Polynomial(libra_univariate_monomial)); - transcript->send_to_verifier("Libra:commitment_" + std::to_string(idx), libra_commitment); + auto libra_commitment = commitment_key->commit(Polynomial(libra_univariate_monomial)); + transcript->template send_to_verifier("Libra:commitment_" + std::to_string(idx), libra_commitment); idx++; } } @@ -102,7 +81,7 @@ template struct ZKSumcheckData { /** * @brief Given number of univariate polynomials and the number of their evaluations meant to be hidden, this method - * produces a vector of univariate polynomials of degree \ref ZK_BATCHED_LENGTH "ZK_BATCHED_LENGTH - 1" with + * produces a vector of univariate polynomials of length Flavor::BATCHED_RELATION_PARTIAL_LENGTH with * independent uniformly random coefficients. * */ diff --git a/barretenberg/cpp/src/barretenberg/translator_vm/translator_prover.cpp b/barretenberg/cpp/src/barretenberg/translator_vm/translator_prover.cpp index 79f3c7220b1..1c3788e09be 100644 --- a/barretenberg/cpp/src/barretenberg/translator_vm/translator_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/translator_vm/translator_prover.cpp @@ -158,8 +158,10 @@ void TranslatorProver::execute_relation_check_rounds() for (size_t idx = 0; idx < gate_challenges.size(); idx++) { gate_challenges[idx] = transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); } + // create masking polynomials for sumcheck round univariates and auxiliary data - zk_sumcheck_data = ZKSumcheckData(key->log_circuit_size, transcript, key); + auto commitment_key = std::make_shared(Flavor::BATCHED_RELATION_PARTIAL_LENGTH); + zk_sumcheck_data = ZKSumcheckData(key->log_circuit_size, transcript, commitment_key); sumcheck_output = sumcheck.prove(key->polynomials, relation_parameters, alpha, gate_challenges, zk_sumcheck_data); } @@ -183,10 +185,11 @@ void TranslatorProver::execute_pcs_rounds() sumcheck_output.challenge, key->commitment_key, transcript, - key->polynomials.get_concatenated(), - key->polynomials.get_groups_to_be_concatenated(), zk_sumcheck_data.libra_univariates_monomial, - sumcheck_output.claimed_libra_evaluations); + sumcheck_output.claimed_libra_evaluations, + key->polynomials.get_concatenated(), + key->polynomials.get_groups_to_be_concatenated()); + PCS::compute_opening_proof(key->commitment_key, prover_opening_claim, transcript); } diff --git a/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp b/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp index 363346ee2ab..1aabba2e607 100644 --- a/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp @@ -127,10 +127,10 @@ bool TranslatorVerifier::verify_proof(const HonkProof& proof) multivariate_challenge, Commitment::one(), transcript, - commitments.get_groups_to_be_concatenated(), - claimed_evaluations.get_concatenated(), RefVector(libra_commitments), - libra_evaluations); + libra_evaluations, + commitments.get_groups_to_be_concatenated(), + claimed_evaluations.get_concatenated()); const auto pairing_points = PCS::reduce_verify_batch_opening_claim(opening_claim, transcript); auto verified = key->pcs_verification_key->pairing_check(pairing_points[0], pairing_points[1]); diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp index 5c38536fd55..bdee7b3d8cd 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp @@ -32,11 +32,20 @@ template void DeciderProver_::execute_relation_ch { PROFILE_THIS_NAME("sumcheck.prove"); - - sumcheck_output = sumcheck.prove(proving_key->proving_key.polynomials, - proving_key->relation_parameters, - proving_key->alphas, - proving_key->gate_challenges); + if constexpr (Flavor::HasZK) { + auto commitment_key = std::make_shared(Flavor::BATCHED_RELATION_PARTIAL_LENGTH); + zk_sumcheck_data = ZKSumcheckData(numeric::get_msb(polynomial_size), transcript, commitment_key); + sumcheck_output = sumcheck.prove(proving_key->proving_key.polynomials, + proving_key->relation_parameters, + proving_key->alphas, + proving_key->gate_challenges, + zk_sumcheck_data); + } else { + sumcheck_output = sumcheck.prove(proving_key->proving_key.polynomials, + proving_key->relation_parameters, + proving_key->alphas, + proving_key->gate_challenges); + } } } @@ -55,13 +64,24 @@ template void DeciderProver_::execute_pcs_rounds( vinfo("made commitment key"); using OpeningClaim = ProverOpeningClaim; - const OpeningClaim prover_opening_claim = - ShpleminiProver_::prove(proving_key->proving_key.circuit_size, - proving_key->proving_key.polynomials.get_unshifted(), - proving_key->proving_key.polynomials.get_to_be_shifted(), - sumcheck_output.challenge, - proving_key->proving_key.commitment_key, - transcript); + OpeningClaim prover_opening_claim; + if constexpr (!Flavor::HasZK) { + prover_opening_claim = ShpleminiProver_::prove(proving_key->proving_key.circuit_size, + proving_key->proving_key.polynomials.get_unshifted(), + proving_key->proving_key.polynomials.get_to_be_shifted(), + sumcheck_output.challenge, + proving_key->proving_key.commitment_key, + transcript); + } else { + prover_opening_claim = ShpleminiProver_::prove(proving_key->proving_key.circuit_size, + proving_key->proving_key.polynomials.get_unshifted(), + proving_key->proving_key.polynomials.get_to_be_shifted(), + sumcheck_output.challenge, + proving_key->proving_key.commitment_key, + transcript, + zk_sumcheck_data.libra_univariates_monomial, + sumcheck_output.claimed_libra_evaluations); + } vinfo("executed multivariate-to-univarite reduction"); PCS::compute_opening_proof(proving_key->proving_key.commitment_key, prover_opening_claim, transcript); vinfo("computed opening proof"); @@ -92,5 +112,6 @@ template HonkProof DeciderProver_::construct_proo template class DeciderProver_; template class DeciderProver_; template class DeciderProver_; +template class DeciderProver_; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.hpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.hpp index d82555bceea..b4f54e9cf96 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.hpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.hpp @@ -3,8 +3,10 @@ #include "barretenberg/honk/proof_system/types/proof.hpp" #include "barretenberg/relations/relation_parameters.hpp" #include "barretenberg/stdlib_circuit_builders/mega_flavor.hpp" +#include "barretenberg/stdlib_circuit_builders/mega_zk_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_flavor.hpp" #include "barretenberg/sumcheck/sumcheck_output.hpp" +#include "barretenberg/sumcheck/zk_sumcheck_data.hpp" #include "barretenberg/transcript/transcript.hpp" #include "barretenberg/ultra_honk/decider_proving_key.hpp" @@ -43,6 +45,8 @@ template class DeciderProver_ { Polynomial quotient_W; + ZKSumcheckData zk_sumcheck_data; + SumcheckOutput sumcheck_output; private: @@ -51,5 +55,6 @@ template class DeciderProver_ { using UltraDeciderProver = DeciderProver_; using MegaDeciderProver = DeciderProver_; +using MegaZKDeciderProver = DeciderProver_; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_proving_key.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_proving_key.cpp index cac01ed0c47..baa129c691c 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_proving_key.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_proving_key.cpp @@ -83,5 +83,6 @@ void DeciderProvingKey_::construct_databus_polynomials(Circuit& circuit) template class DeciderProvingKey_; template class DeciderProvingKey_; template class DeciderProvingKey_; +template class DeciderProvingKey_; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_proving_key.hpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_proving_key.hpp index c4cc707ab62..010784df2ea 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_proving_key.hpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_proving_key.hpp @@ -6,7 +6,7 @@ #include "barretenberg/plonk_honk_shared/composer/composer_lib.hpp" #include "barretenberg/plonk_honk_shared/composer/permutation_lib.hpp" #include "barretenberg/relations/relation_parameters.hpp" -#include "barretenberg/stdlib_circuit_builders/mega_flavor.hpp" +#include "barretenberg/stdlib_circuit_builders/mega_zk_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_keccak_flavor.hpp" diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.cpp index 72c4ed0b4f7..6f7b1d8e919 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.cpp @@ -45,32 +45,51 @@ template bool DeciderVerifier_::verify() auto sumcheck = SumcheckVerifier( static_cast(accumulator->verification_key->log_circuit_size), transcript, accumulator->target_sum); + // For MegaZKFlavor: receive commitments to Libra masking polynomials + std::vector libra_commitments = {}; + if constexpr (Flavor::HasZK) { + for (size_t idx = 0; idx < static_cast(accumulator->verification_key->log_circuit_size); idx++) { + Commitment libra_commitment = + transcript->template receive_from_prover("Libra:commitment_" + std::to_string(idx)); + libra_commitments.push_back(libra_commitment); + }; + } - auto [multivariate_challenge, claimed_evaluations, sumcheck_verified] = + SumcheckOutput sumcheck_output = sumcheck.verify(accumulator->relation_parameters, accumulator->alphas, accumulator->gate_challenges); + // For MegaZKFlavor: the sumcheck output contains claimed evaluations of the Libra polynomials + std::vector libra_evaluations = {}; + if constexpr (Flavor::HasZK) { + libra_evaluations = std::move(sumcheck_output.claimed_libra_evaluations); + } + // If Sumcheck did not verify, return false - if (sumcheck_verified.has_value() && !sumcheck_verified.value()) { + if (sumcheck_output.verified.has_value() && !sumcheck_output.verified.value()) { info("Sumcheck verification failed."); return false; } - const auto opening_claim = Shplemini::compute_batch_opening_claim(accumulator->verification_key->circuit_size, - commitments.get_unshifted(), - commitments.get_to_be_shifted(), - claimed_evaluations.get_unshifted(), - claimed_evaluations.get_shifted(), - multivariate_challenge, - Commitment::one(), - transcript); + const BatchOpeningClaim opening_claim = + Shplemini::compute_batch_opening_claim(accumulator->verification_key->circuit_size, + commitments.get_unshifted(), + commitments.get_to_be_shifted(), + sumcheck_output.claimed_evaluations.get_unshifted(), + sumcheck_output.claimed_evaluations.get_shifted(), + sumcheck_output.challenge, + Commitment::one(), + transcript, + RefVector(libra_commitments), + libra_evaluations); const auto pairing_points = PCS::reduce_verify_batch_opening_claim(opening_claim, transcript); bool verified = pcs_verification_key->pairing_check(pairing_points[0], pairing_points[1]); - return sumcheck_verified.value() && verified; + return sumcheck_output.verified.value() && verified; } template class DeciderVerifier_; template class DeciderVerifier_; template class DeciderVerifier_; +template class DeciderVerifier_; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.hpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.hpp index b4d013a9fe4..486eba2ed0c 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.hpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_verifier.hpp @@ -1,8 +1,9 @@ #pragma once #include "barretenberg/honk/proof_system/types/proof.hpp" #include "barretenberg/srs/global_crs.hpp" -#include "barretenberg/stdlib_circuit_builders/mega_flavor.hpp" +#include "barretenberg/stdlib_circuit_builders/mega_zk_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_flavor.hpp" +#include "barretenberg/sumcheck/sumcheck_output.hpp" #include "barretenberg/ultra_honk/decider_verification_key.hpp" namespace bb { @@ -39,5 +40,6 @@ template class DeciderVerifier_ { using UltraDeciderVerifier = DeciderVerifier_; using MegaDeciderVerifier = DeciderVerifier_; +using MegaZKDeciderVerifier = DeciderVerifier_; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/mega_composer.test.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/mega_honk.test.cpp similarity index 69% rename from barretenberg/cpp/src/barretenberg/ultra_honk/mega_composer.test.cpp rename to barretenberg/cpp/src/barretenberg/ultra_honk/mega_honk.test.cpp index 2bbac0e9a54..ae7ffca7466 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/mega_composer.test.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/mega_honk.test.cpp @@ -13,19 +13,24 @@ using namespace bb; -namespace { auto& engine = numeric::get_debug_randomness(); -class MegaHonkTests : public ::testing::Test { - protected: +using FlavorTypes = ::testing::Types; + +template class MegaHonkTests : public ::testing::Test { + public: static void SetUpTestSuite() { bb::srs::init_crs_factory("../srs_db/ignition"); } using Curve = curve::BN254; using FF = Curve::ScalarField; using Point = Curve::AffineElement; using CommitmentKey = bb::CommitmentKey; - using MergeProver = MergeProver_; - using MergeVerifier = MergeVerifier_; + using MergeProver = MergeProver_; + using MergeVerifier = MergeVerifier_; + using Prover = UltraProver_; + using Verifier = UltraVerifier_; + using VerificationKey = typename Flavor::VerificationKey; + using DeciderProvingKey = DeciderProvingKey_; /** * @brief Construct and a verify a Honk proof @@ -33,10 +38,10 @@ class MegaHonkTests : public ::testing::Test { */ bool construct_and_verify_honk_proof(auto& builder) { - auto proving_key = std::make_shared>(builder); - MegaProver prover(proving_key); - auto verification_key = std::make_shared(proving_key->proving_key); - MegaVerifier verifier(verification_key); + auto proving_key = std::make_shared(builder); + Prover prover(proving_key); + auto verification_key = std::make_shared(proving_key->proving_key); + Verifier verifier(verification_key); auto proof = prover.construct_proof(); bool verified = verifier.verify_proof(proof); @@ -57,21 +62,23 @@ class MegaHonkTests : public ::testing::Test { return verified; } }; -} // namespace + +TYPED_TEST_SUITE(MegaHonkTests, FlavorTypes); /** * @brief Test proof construction/verification for a circuit with ECC op gates, public inputs, and basic arithmetic * gates * */ -TEST_F(MegaHonkTests, Basic) +TYPED_TEST(MegaHonkTests, Basic) { - MegaCircuitBuilder builder; + using Flavor = TypeParam; + typename Flavor::CircuitBuilder builder; GoblinMockCircuits::construct_simple_circuit(builder); // Construct and verify Honk proof - bool honk_verified = construct_and_verify_honk_proof(builder); + bool honk_verified = this->construct_and_verify_honk_proof(builder); EXPECT_TRUE(honk_verified); } @@ -79,18 +86,21 @@ TEST_F(MegaHonkTests, Basic) * @brief Test proof construction/verification for a structured execution trace * */ -TEST_F(MegaHonkTests, BasicStructured) +TYPED_TEST(MegaHonkTests, BasicStructured) { - MegaCircuitBuilder builder; + using Flavor = TypeParam; + typename Flavor::CircuitBuilder builder; + using Prover = UltraProver_; + using Verifier = UltraVerifier_; GoblinMockCircuits::construct_simple_circuit(builder); // Construct and verify Honk proof using a structured trace TraceStructure trace_structure = TraceStructure::SMALL_TEST; - auto proving_key = std::make_shared>(builder, trace_structure); - MegaProver prover(proving_key); - auto verification_key = std::make_shared(proving_key->proving_key); - MegaVerifier verifier(verification_key); + auto proving_key = std::make_shared>(builder, trace_structure); + Prover prover(proving_key); + auto verification_key = std::make_shared(proving_key->proving_key); + Verifier verifier(verification_key); auto proof = prover.construct_proof(); EXPECT_TRUE(verifier.verify_proof(proof)); } @@ -102,21 +112,22 @@ TEST_F(MegaHonkTests, BasicStructured) * with non-empty 'previous' data. This avoid complications with zero-commitments etc. * */ -TEST_F(MegaHonkTests, SingleCircuit) +TYPED_TEST(MegaHonkTests, SingleCircuit) { + using Flavor = TypeParam; auto op_queue = std::make_shared(); GoblinMockCircuits::perform_op_queue_interactions_for_mock_first_circuit(op_queue); - auto builder = MegaCircuitBuilder{ op_queue }; + auto builder = typename Flavor::CircuitBuilder{ op_queue }; GoblinMockCircuits::construct_simple_circuit(builder); // Construct and verify Honk proof - bool honk_verified = construct_and_verify_honk_proof(builder); + bool honk_verified = this->construct_and_verify_honk_proof(builder); EXPECT_TRUE(honk_verified); // Construct and verify Goblin ECC op queue Merge proof - auto merge_verified = construct_and_verify_merge_proof(op_queue); + auto merge_verified = this->construct_and_verify_merge_proof(op_queue); EXPECT_TRUE(merge_verified); } @@ -125,8 +136,9 @@ TEST_F(MegaHonkTests, SingleCircuit) * basic arithmetic gates * */ -TEST_F(MegaHonkTests, MultipleCircuitsMergeOnly) +TYPED_TEST(MegaHonkTests, MultipleCircuitsMergeOnly) { + using Flavor = TypeParam; // Instantiate EccOpQueue. This will be shared across all circuits in the series auto op_queue = std::make_shared(); @@ -135,12 +147,12 @@ TEST_F(MegaHonkTests, MultipleCircuitsMergeOnly) // Construct multiple test circuits that share an ECC op queue. Generate and verify a proof for each. size_t NUM_CIRCUITS = 3; for (size_t i = 0; i < NUM_CIRCUITS; ++i) { - auto builder = MegaCircuitBuilder{ op_queue }; + auto builder = typename Flavor::CircuitBuilder{ op_queue }; GoblinMockCircuits::construct_simple_circuit(builder); // Construct and verify Goblin ECC op queue Merge proof - auto merge_verified = construct_and_verify_merge_proof(op_queue); + auto merge_verified = this->construct_and_verify_merge_proof(op_queue); EXPECT_TRUE(merge_verified); } } @@ -150,8 +162,10 @@ TEST_F(MegaHonkTests, MultipleCircuitsMergeOnly) * basic arithmetic gates * */ -TEST_F(MegaHonkTests, MultipleCircuitsHonkOnly) +TYPED_TEST(MegaHonkTests, MultipleCircuitsHonkOnly) { + using Flavor = TypeParam; + // Instantiate EccOpQueue. This will be shared across all circuits in the series auto op_queue = std::make_shared(); @@ -160,12 +174,12 @@ TEST_F(MegaHonkTests, MultipleCircuitsHonkOnly) // Construct multiple test circuits that share an ECC op queue. Generate and verify a proof for each. size_t NUM_CIRCUITS = 3; for (size_t i = 0; i < NUM_CIRCUITS; ++i) { - auto builder = MegaCircuitBuilder{ op_queue }; + auto builder = typename Flavor::CircuitBuilder{ op_queue }; GoblinMockCircuits::construct_simple_circuit(builder); // Construct and verify Honk proof - bool honk_verified = construct_and_verify_honk_proof(builder); + bool honk_verified = this->construct_and_verify_honk_proof(builder); EXPECT_TRUE(honk_verified); } } @@ -175,8 +189,10 @@ TEST_F(MegaHonkTests, MultipleCircuitsHonkOnly) * and basic arithmetic gates * */ -TEST_F(MegaHonkTests, MultipleCircuitsHonkAndMerge) +TYPED_TEST(MegaHonkTests, MultipleCircuitsHonkAndMerge) { + using Flavor = TypeParam; + // Instantiate EccOpQueue. This will be shared across all circuits in the series auto op_queue = std::make_shared(); @@ -185,16 +201,16 @@ TEST_F(MegaHonkTests, MultipleCircuitsHonkAndMerge) // Construct multiple test circuits that share an ECC op queue. Generate and verify a proof for each. size_t NUM_CIRCUITS = 3; for (size_t i = 0; i < NUM_CIRCUITS; ++i) { - auto builder = MegaCircuitBuilder{ op_queue }; + auto builder = typename Flavor::CircuitBuilder{ op_queue }; GoblinMockCircuits::construct_simple_circuit(builder); // Construct and verify Honk proof - bool honk_verified = construct_and_verify_honk_proof(builder); + bool honk_verified = this->construct_and_verify_honk_proof(builder); EXPECT_TRUE(honk_verified); // Construct and verify Goblin ECC op queue Merge proof - auto merge_verified = construct_and_verify_merge_proof(op_queue); + auto merge_verified = this->construct_and_verify_merge_proof(op_queue); EXPECT_TRUE(merge_verified); } @@ -202,7 +218,7 @@ TEST_F(MegaHonkTests, MultipleCircuitsHonkAndMerge) // iteratively during transcript aggregation by the provers and stored in the op queue. size_t aggregate_op_queue_size = op_queue->get_current_size(); auto ultra_ops = op_queue->get_aggregate_transcript(); - auto commitment_key = std::make_shared(aggregate_op_queue_size); + auto commitment_key = std::make_shared(aggregate_op_queue_size); size_t idx = 0; for (const auto& result : op_queue->get_ultra_ops_commitments()) { auto expected = commitment_key->commit({ /* start index */ 0, ultra_ops[idx++] }); diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/mega_transcript.test.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/mega_transcript.test.cpp index 461ef54a403..d6308b0a37f 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/mega_transcript.test.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/mega_transcript.test.cpp @@ -11,15 +11,14 @@ using namespace bb; -class MegaTranscriptTests : public ::testing::Test { +using FlavorTypes = ::testing::Types; + +template class MegaTranscriptTests : public ::testing::Test { public: static void SetUpTestSuite() { bb::srs::init_crs_factory("../srs_db/ignition"); } - using Flavor = MegaFlavor; using DeciderProvingKey = DeciderProvingKey_; using FF = Flavor::FF; - using VerificationKey = Flavor::VerificationKey; - /** * @brief Construct a manifest for a Mega Honk proof * @@ -31,15 +30,17 @@ class MegaTranscriptTests : public ::testing::Test { * * @return TranscriptManifest */ - static TranscriptManifest construct_mega_honk_manifest() + static TranscriptManifest construct_mega_honk_manifest(size_t circuit_size = 0) { + using Commitment = typename Flavor::Commitment; TranscriptManifest manifest_expected; + auto log_n = numeric::get_msb(circuit_size); size_t MAX_PARTIAL_RELATION_LENGTH = Flavor::BATCHED_RELATION_PARTIAL_LENGTH; size_t NUM_SUBRELATIONS = Flavor::NUM_SUBRELATIONS; size_t frs_per_Fr = bb::field_conversion::calc_num_bn254_frs(); - size_t frs_per_G = bb::field_conversion::calc_num_bn254_frs(); + size_t frs_per_G = bb::field_conversion::calc_num_bn254_frs(); size_t frs_per_uni = MAX_PARTIAL_RELATION_LENGTH * frs_per_Fr; size_t frs_per_evals = (Flavor::NUM_ALL_ENTITIES)*frs_per_Fr; size_t frs_per_uint32 = bb::field_conversion::calc_num_bn254_frs(); @@ -95,6 +96,16 @@ class MegaTranscriptTests : public ::testing::Test { round++; } + if constexpr (Flavor::HasZK) { + for (size_t i = 0; i < log_n; i++) { + std::string label = "Libra:commitment_" + std::to_string(i); + manifest_expected.add_entry(round, label, frs_per_G); + } + manifest_expected.add_entry(round, "Libra:Sum", frs_per_Fr); + manifest_expected.add_challenge(round, "Libra:Challenge"); + round++; + } + for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N; ++i) { std::string idx = std::to_string(i); manifest_expected.add_entry(round, "Sumcheck:univariate_" + idx, frs_per_uni); @@ -103,6 +114,13 @@ class MegaTranscriptTests : public ::testing::Test { round++; } + if constexpr (Flavor::HasZK) { + for (size_t i = 0; i < log_n; i++) { + std::string idx = std::to_string(i); + manifest_expected.add_entry(round, "Libra:evaluation_" + idx, frs_per_Fr); + } + } + manifest_expected.add_entry(round, "Sumcheck:evaluations", frs_per_evals); manifest_expected.add_challenge(round, "rho"); @@ -153,24 +171,28 @@ class MegaTranscriptTests : public ::testing::Test { builder.create_big_add_gate({ a_idx, b_idx, c_idx, d_idx, FF(1), FF(1), FF(1), FF(-1), FF(0) }); } }; - +TYPED_TEST_SUITE(MegaTranscriptTests, FlavorTypes); /** * @brief Ensure consistency between the manifest hard coded in this testing suite and the one generated by the * standard honk prover over the course of proof construction. */ -TEST_F(MegaTranscriptTests, ProverManifestConsistency) +TYPED_TEST(MegaTranscriptTests, ProverManifestConsistency) { + using Flavor = TypeParam; + using DeciderProvingKey = DeciderProvingKey_; + + using Prover = UltraProver_; // Construct a simple circuit of size n = 8 (i.e. the minimum circuit size) auto builder = typename Flavor::CircuitBuilder(); - generate_test_circuit(builder); + TestFixture::generate_test_circuit(builder); // Automatically generate a transcript manifest by constructing a proof auto proving_key = std::make_shared(builder); - MegaProver prover(proving_key); + Prover prover(proving_key); auto proof = prover.construct_proof(); // Check that the prover generated manifest agrees with the manifest hard coded in this suite - auto manifest_expected = construct_mega_honk_manifest(); + auto manifest_expected = TestFixture::construct_mega_honk_manifest(proving_key->proving_key.circuit_size); auto prover_manifest = prover.transcript->get_manifest(); // Note: a manifest can be printed using manifest.print() for (size_t round = 0; round < manifest_expected.size(); ++round) { @@ -188,25 +210,32 @@ TEST_F(MegaTranscriptTests, ProverManifestConsistency) * construction and the one generated by the verifier over the course of proof verification. * */ -TEST_F(MegaTranscriptTests, VerifierManifestConsistency) +TYPED_TEST(MegaTranscriptTests, VerifierManifestConsistency) { + using Flavor = TypeParam; + using DeciderProvingKey = DeciderProvingKey_; + using VerificationKey = Flavor::VerificationKey; + using Prover = UltraProver_; + using Verifier = UltraVerifier_; // Construct a simple circuit of size n = 8 (i.e. the minimum circuit size) - auto builder = Flavor::CircuitBuilder(); - generate_test_circuit(builder); + auto builder = typename Flavor::CircuitBuilder(); + TestFixture::generate_test_circuit(builder); // Automatically generate a transcript manifest in the prover by constructing a proof auto proving_key = std::make_shared(builder); - MegaProver prover(proving_key); + Prover prover(proving_key); auto proof = prover.construct_proof(); // Automatically generate a transcript manifest in the verifier by verifying a proof auto verification_key = std::make_shared(proving_key->proving_key); - MegaVerifier verifier(verification_key); + Verifier verifier(verification_key); verifier.verify_proof(proof); // Check consistency between the manifests generated by the prover and verifier auto prover_manifest = prover.transcript->get_manifest(); + prover_manifest.print(); + auto verifier_manifest = verifier.transcript->get_manifest(); // Note: a manifest can be printed using manifest.print() @@ -225,8 +254,10 @@ TEST_F(MegaTranscriptTests, VerifierManifestConsistency) * @details We generate 6 challenges that are each 128 bits, and check that they are not 0. * */ -TEST_F(MegaTranscriptTests, ChallengeGenerationTest) +TYPED_TEST(MegaTranscriptTests, ChallengeGenerationTest) { + using Flavor = TypeParam; + using FF = Flavor::FF; // initialized with random value sent to verifier auto transcript = Flavor::Transcript::prover_init_empty(); // test a bunch of challenges @@ -244,18 +275,26 @@ TEST_F(MegaTranscriptTests, ChallengeGenerationTest) ASSERT_NE(c, 0) << "Challenge c is 0"; } -TEST_F(MegaTranscriptTests, StructureTest) +TYPED_TEST(MegaTranscriptTests, StructureTest) { + using Flavor = TypeParam; + using DeciderProvingKey = DeciderProvingKey_; + using VerificationKey = Flavor::VerificationKey; + using FF = Flavor::FF; + using Commitment = typename Flavor::Commitment; + using Prover = UltraProver_; + using Verifier = UltraVerifier_; + // Construct a simple circuit of size n = 8 (i.e. the minimum circuit size) - Flavor::CircuitBuilder builder; - generate_test_circuit(builder); + typename Flavor::CircuitBuilder builder; + this->generate_test_circuit(builder); // Automatically generate a transcript manifest by constructing a proof auto proving_key = std::make_shared(builder); - MegaProver prover(proving_key); + Prover prover(proving_key); auto proof = prover.construct_proof(); auto verification_key = std::make_shared(proving_key->proving_key); - MegaVerifier verifier(verification_key); + Verifier verifier(verification_key); EXPECT_TRUE(verifier.verify_proof(proof)); // try deserializing and serializing with no changes and check proof is still valid @@ -263,7 +302,7 @@ TEST_F(MegaTranscriptTests, StructureTest) prover.transcript->serialize_full_transcript(); EXPECT_TRUE(verifier.verify_proof(prover.export_proof())); // we have changed nothing so proof is still valid - Flavor::Commitment one_group_val = Flavor::Commitment::one(); + Commitment one_group_val = Commitment::one(); FF rand_val = FF::random_element(); prover.transcript->z_perm_comm = one_group_val * rand_val; // choose random object to modify EXPECT_TRUE(verifier.verify_proof( @@ -273,5 +312,5 @@ TEST_F(MegaTranscriptTests, StructureTest) EXPECT_FALSE(verifier.verify_proof(prover.export_proof())); // the proof is now wrong after serializing it prover.transcript->deserialize_full_transcript(); - EXPECT_EQ(static_cast(prover.transcript->z_perm_comm), one_group_val * rand_val); + EXPECT_EQ(static_cast(prover.transcript->z_perm_comm), one_group_val * rand_val); } diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/merge_prover.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/merge_prover.cpp index 283375f3340..d4bb3526c87 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/merge_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/merge_prover.cpp @@ -1,4 +1,5 @@ #include "merge_prover.hpp" +#include "barretenberg/stdlib_circuit_builders/mega_zk_flavor.hpp" namespace bb { @@ -123,5 +124,6 @@ template HonkProof MergeProver_::construct_proof() template class MergeProver_; template class MergeProver_; +template class MergeProver_; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/merge_verifier.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/merge_verifier.cpp index 19d525aeecc..13f2bf21ba0 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/merge_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/merge_verifier.cpp @@ -1,4 +1,6 @@ #include "merge_verifier.hpp" +#include "barretenberg/stdlib_circuit_builders/mega_zk_flavor.hpp" +#include "barretenberg/stdlib_circuit_builders/ultra_flavor.hpp" namespace bb { @@ -82,5 +84,6 @@ template bool MergeVerifier_::verify_proof(const HonkP template class MergeVerifier_; template class MergeVerifier_; +template class MergeVerifier_; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/merge_verifier.hpp b/barretenberg/cpp/src/barretenberg/ultra_honk/merge_verifier.hpp index 2fef3767656..80e0ccc158a 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/merge_verifier.hpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/merge_verifier.hpp @@ -3,7 +3,6 @@ #include "barretenberg/commitment_schemes/claim.hpp" #include "barretenberg/honk/proof_system/types/proof.hpp" #include "barretenberg/srs/global_crs.hpp" -#include "barretenberg/stdlib_circuit_builders/mega_flavor.hpp" #include "barretenberg/stdlib_circuit_builders/op_queue/ecc_op_queue.hpp" #include "barretenberg/stdlib_circuit_builders/ultra_flavor.hpp" #include "barretenberg/transcript/transcript.hpp" @@ -31,7 +30,7 @@ template class MergeVerifier_ { private: std::shared_ptr pcs_verification_key; - static constexpr size_t NUM_WIRES = MegaFlavor::NUM_WIRES; + static constexpr size_t NUM_WIRES = Flavor::NUM_WIRES; }; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.cpp index b9279d2a5ae..594ba28d05c 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.cpp @@ -264,5 +264,6 @@ template typename Flavor::RelationSeparator OinkProver; template class OinkProver; template class OinkProver; +template class OinkProver; } // namespace bb \ No newline at end of file diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.hpp b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.hpp index e21fe79c829..06e2d884f44 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.hpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.hpp @@ -19,10 +19,6 @@ // clang-format on #include -#include "barretenberg/stdlib_circuit_builders/mega_flavor.hpp" -#include "barretenberg/stdlib_circuit_builders/ultra_flavor.hpp" -#include "barretenberg/stdlib_circuit_builders/ultra_keccak_flavor.hpp" -#include "barretenberg/transcript/transcript.hpp" #include "barretenberg/ultra_honk/decider_proving_key.hpp" namespace bb { diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.cpp index 227fa145a44..96ca8161f1d 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.cpp @@ -1,5 +1,8 @@ #include "barretenberg/ultra_honk/oink_verifier.hpp" #include "barretenberg/common/throw_or_abort.hpp" +#include "barretenberg/stdlib_circuit_builders/mega_zk_flavor.hpp" +#include "barretenberg/stdlib_circuit_builders/ultra_flavor.hpp" +#include "barretenberg/stdlib_circuit_builders/ultra_keccak_flavor.hpp" namespace bb { @@ -158,5 +161,6 @@ template typename Flavor::RelationSeparator OinkVerifier< template class OinkVerifier; template class OinkVerifier; template class OinkVerifier; +template class OinkVerifier; } // namespace bb \ No newline at end of file diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.hpp b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.hpp index fab7bcdff19..a3d9e48141c 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.hpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.hpp @@ -1,11 +1,5 @@ #pragma once -#include "barretenberg/flavor/flavor.hpp" -#include "barretenberg/plonk_honk_shared/library/grand_product_delta.hpp" -#include "barretenberg/relations/relation_parameters.hpp" -#include "barretenberg/stdlib_circuit_builders/mega_flavor.hpp" -#include "barretenberg/stdlib_circuit_builders/ultra_flavor.hpp" -#include "barretenberg/stdlib_circuit_builders/ultra_keccak_flavor.hpp" #include "barretenberg/ultra_honk/decider_verification_key.hpp" namespace bb { diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.cpp index b7554a90f96..b96d3d80748 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.cpp @@ -64,5 +64,6 @@ template HonkProof UltraProver_::construct_proof( template class UltraProver_; template class UltraProver_; template class UltraProver_; +template class UltraProver_; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.hpp b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.hpp index 2382e6f934e..1ad13e57374 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.hpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.hpp @@ -53,5 +53,6 @@ template class UltraProver_ { using UltraProver = UltraProver_; using UltraKeccakProver = UltraProver_; using MegaProver = UltraProver_; +using MegaZKProver = UltraProver_; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_verifier.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_verifier.cpp index f8807a67c68..d43f4cadb1c 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_verifier.cpp @@ -30,5 +30,6 @@ template bool UltraVerifier_::verify_proof(const HonkP template class UltraVerifier_; template class UltraVerifier_; template class UltraVerifier_; +template class UltraVerifier_; } // namespace bb diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_verifier.hpp b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_verifier.hpp index 71bebc42cf4..7365303b655 100644 --- a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_verifier.hpp +++ b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_verifier.hpp @@ -31,5 +31,6 @@ template class UltraVerifier_ { using UltraVerifier = UltraVerifier_; using UltraKeccakVerifier = UltraVerifier_; using MegaVerifier = UltraVerifier_; +using MegaZKVerifier = UltraVerifier_; } // namespace bb