Merge ea25f68 into 72a2cd9

barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp

@@ -267,17 +267,15 @@ template <typename Curve> class GeminiVerifier_ {
             // Divide by the denominator
             batched_eval_round_acc *= (challenge_power * (Fr(1) - u) + u).invert();
 
-            bool is_dummy_round = (l > num_variables);
-
             if constexpr (Curve::is_stdlib_type) {
                 auto builder = evaluation_point[0].get_context();
                 // TODO(https://github.com/AztecProtocol/barretenberg/issues/1114): insecure!
-                stdlib::bool_t dummy_round = stdlib::bool_t(builder, is_dummy_round);
+                stdlib::bool_t dummy_round = stdlib::witness_t(builder, l > num_variables);
                 batched_eval_accumulator =
                     Fr::conditional_assign(dummy_round, batched_eval_accumulator, batched_eval_round_acc);
 
             } else {
-                if (!is_dummy_round) {
+                if (l <= num_variables) {
                     batched_eval_accumulator = batched_eval_round_acc;
                 }
             }

barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp

@@ -338,28 +338,26 @@ template <typename Curve> class ShpleminiVerifier_ {
         // Initialize batching challenge as ν²
         Fr current_batching_challenge = shplonk_batching_challenge.sqr();
         for (size_t j = 0; j < CONST_PROOF_SIZE_LOG_N - 1; ++j) {
-            bool is_dummy_round = j >= (log_circuit_size - 1);
             // Compute the scaling factor  (ν²⁺ⁱ) / (z + r²⁽ⁱ⁺²⁾) for i = 0, … , d-2
             Fr scaling_factor = current_batching_challenge * inverse_vanishing_evals[j + 2];
 
+            // Add Aᵢ(−r²ⁱ) for i = 1, … , n-1 to the constant term accumulator
+            constant_term_accumulator += scaling_factor * gemini_evaluations[j + 1];
+
+            // Update the batching challenge
+            current_batching_challenge *= shplonk_batching_challenge;
+
             if constexpr (Curve::is_stdlib_type) {
                 auto builder = shplonk_batching_challenge.get_context();
                 // TODO(https://github.com/AztecProtocol/barretenberg/issues/1114): insecure!
-                stdlib::bool_t dummy_round = stdlib::bool_t(builder, is_dummy_round);
+                stdlib::bool_t dummy_round = stdlib::witness_t(builder, j >= (log_circuit_size - 1));
                 Fr zero = Fr(0);
-                zero.convert_constant_to_fixed_witness(builder);
                 scaling_factor = Fr::conditional_assign(dummy_round, zero, scaling_factor);
             } else {
-                if (is_dummy_round) {
+                if (j >= (log_circuit_size - 1)) {
                     scaling_factor = 0;
                 }
             }
-
-            // Add Aᵢ(−r²ⁱ) for i = 1, … , n-1 to the constant term accumulator
-            constant_term_accumulator += scaling_factor * gemini_evaluations[j + 1];
-            // Update the batching challenge
-            current_batching_challenge *= shplonk_batching_challenge;
-
             // Place the scaling factor to the 'scalars' vector
             scalars.emplace_back(-scaling_factor);
             // Move com(Aᵢ) to the 'commitments' vector

barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp

@@ -285,24 +285,9 @@ template <typename Curve> class ShplonkVerifier_ {
         std::vector<Fr> inverted_denominators;
         inverted_denominators.reserve(num_gemini_claims);
         inverted_denominators.emplace_back((shplonk_eval_challenge - gemini_eval_challenge_powers[0]).invert());
-        size_t i = 0;
         for (const auto& gemini_eval_challenge_power : gemini_eval_challenge_powers) {
-            bool is_dummy_round = i > num_gemini_claims;
             Fr round_inverted_denominator = (shplonk_eval_challenge + gemini_eval_challenge_power).invert();
-            if constexpr (Curve::is_stdlib_type) {
-                auto builder = shplonk_eval_challenge.get_context();
-                // TODO(https://github.com/AztecProtocol/barretenberg/issues/1114): insecure!
-                stdlib::bool_t dummy_round = stdlib::bool_t(builder, is_dummy_round);
-                Fr zero = Fr(0);
-                zero.convert_constant_to_fixed_witness(builder);
-                round_inverted_denominator = Fr::conditional_assign(dummy_round, zero, round_inverted_denominator);
-            } else {
-                if (is_dummy_round) {
-                    round_inverted_denominator = 0;
-                }
-            }
             inverted_denominators.emplace_back(round_inverted_denominator);
-            i++;
         }
         return inverted_denominators;
     }

barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp

@@ -527,7 +527,6 @@ template <typename Curve> class ZeroMorphVerifier_ {
             if constexpr (Curve::is_stdlib_type) {
                 auto builder = x_challenge.get_context();
                 FF zero = FF(0);
-                zero.convert_constant_to_fixed_witness(builder);
                 stdlib::bool_t dummy_round = stdlib::witness_t(builder, is_dummy_round);
                 // TODO(https://github.com/AztecProtocol/barretenberg/issues/1039): is it kosher to reassign like this?
                 scalar = FF::conditional_assign(dummy_round, zero, scalar);

barretenberg/cpp/src/barretenberg/dsl/acir_format/honk_recursion_constraint.cpp

@@ -94,7 +94,7 @@ void create_dummy_vkey_and_proof(Builder& builder,
         offset++;
     }
 
-    // first 7 commitments
+    // first 8 witness commitments
     for (size_t i = 0; i < Flavor::NUM_WITNESS_ENTITIES; i++) {
         auto comm = curve::BN254::AffineElement::one() * fr::random_element();
         auto frs = field_conversion::convert_to_bn254_frs(comm);
@@ -105,20 +105,20 @@ void create_dummy_vkey_and_proof(Builder& builder,
         offset += 4;
     }
 
-    // now the univariates, which can just be 0s (7*CONST_PROOF_SIZE_LOG_N Frs)
+    // now the univariates, which can just be 0s (8*CONST_PROOF_SIZE_LOG_N Frs, where 8 is the maximum relation degree)
     for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N * Flavor::BATCHED_RELATION_PARTIAL_LENGTH; i++) {
         builder.assert_equal(builder.add_variable(fr::random_element()), proof_fields[offset].witness_index);
         offset++;
     }
 
-    // now the sumcheck evaluations, which is just 43 0s
+    // now the sumcheck evaluations, which is just 44 0s
     for (size_t i = 0; i < Flavor::NUM_ALL_ENTITIES; i++) {
         builder.assert_equal(builder.add_variable(fr::random_element()), proof_fields[offset].witness_index);
         offset++;
     }
 
-    // now the zeromorph commitments, which are CONST_PROOF_SIZE_LOG_N comms
-    for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N; i++) {
+    // now the gemini fold commitments which are CONST_PROOF_SIZE_LOG_N - 1
+    for (size_t i = 1; i < CONST_PROOF_SIZE_LOG_N; i++) {
         auto comm = curve::BN254::AffineElement::one() * fr::random_element();
         auto frs = field_conversion::convert_to_bn254_frs(comm);
         builder.assert_equal(builder.add_variable(frs[0]), proof_fields[offset].witness_index);
@@ -128,7 +128,13 @@ void create_dummy_vkey_and_proof(Builder& builder,
         offset += 4;
     }
 
-    // lastly the 2 commitments
+    // the gemini fold evaluations which are also CONST_PROOF_SIZE_LOG_N
+    for (size_t i = 1; i <= CONST_PROOF_SIZE_LOG_N; i++) {
+        builder.assert_equal(builder.add_variable(fr::random_element()), proof_fields[offset].witness_index);
+        offset++;
+    }
+
+    // lastly the shplonk batched quotient commitment and kzg quotient commitment
     for (size_t i = 0; i < 2; i++) {
         auto comm = curve::BN254::AffineElement::one() * fr::random_element();
         auto frs = field_conversion::convert_to_bn254_frs(comm);

barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/decider_recursive_verifier.cpp

@@ -1,5 +1,5 @@
 #include "barretenberg/stdlib/honk_verifier/decider_recursive_verifier.hpp"
-#include "barretenberg/commitment_schemes/zeromorph/zeromorph.hpp"
+#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp"
 #include "barretenberg/numeric/bitop/get_msb.hpp"
 #include "barretenberg/transcript/transcript.hpp"
 
@@ -15,7 +15,7 @@ std::array<typename Flavor::GroupElement, 2> DeciderRecursiveVerifier_<Flavor>::
     using Sumcheck = ::bb::SumcheckVerifier<Flavor>;
     using PCS = typename Flavor::PCS;
     using Curve = typename Flavor::Curve;
-    using ZeroMorph = ::bb::ZeroMorphVerifier_<Curve>;
+    using Shplemini = ::bb::ShpleminiVerifier_<Curve>;
     using VerifierCommitments = typename Flavor::VerifierCommitments;
     using Transcript = typename Flavor::Transcript;
 
@@ -30,17 +30,16 @@ std::array<typename Flavor::GroupElement, 2> DeciderRecursiveVerifier_<Flavor>::
     auto [multivariate_challenge, claimed_evaluations, sumcheck_verified] =
         sumcheck.verify(accumulator->relation_parameters, accumulator->alphas, accumulator->gate_challenges);
 
-    // Execute ZeroMorph rounds. See https://hackmd.io/dlf9xEwhTQyE3hiGbq4FsA?view for a complete description of the
-    // unrolled protocol.
-    auto opening_claim = ZeroMorph::verify(accumulator->verification_key->circuit_size,
-                                           commitments.get_unshifted(),
-                                           commitments.get_to_be_shifted(),
-                                           claimed_evaluations.get_unshifted(),
-                                           claimed_evaluations.get_shifted(),
-                                           multivariate_challenge,
-                                           Commitment::one(builder),
-                                           transcript);
-    auto pairing_points = PCS::reduce_verify(opening_claim, transcript);
+    // Execute Shplemini rounds.
+    auto opening_claim = Shplemini::compute_batch_opening_claim(accumulator->verification_key->circuit_size,
+                                                                commitments.get_unshifted(),
+                                                                commitments.get_to_be_shifted(),
+                                                                claimed_evaluations.get_unshifted(),
+                                                                claimed_evaluations.get_shifted(),
+                                                                multivariate_challenge,
+                                                                Commitment::one(builder),
+                                                                transcript);
+    auto pairing_points = PCS::reduce_verify_batch_opening_claim(opening_claim, transcript);
 
     return pairing_points;
 }

barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.cpp

@@ -1,5 +1,5 @@
 #include "barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.hpp"
-#include "barretenberg/commitment_schemes/zeromorph/zeromorph.hpp"
+#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp"
 #include "barretenberg/numeric/bitop/get_msb.hpp"
 #include "barretenberg/plonk_honk_shared/library/grand_product_delta.hpp"
 #include "barretenberg/transcript/transcript.hpp"
@@ -42,7 +42,7 @@ UltraRecursiveVerifier_<Flavor>::AggregationObject UltraRecursiveVerifier_<Flavo
     using Sumcheck = ::bb::SumcheckVerifier<Flavor>;
     using PCS = typename Flavor::PCS;
     using Curve = typename Flavor::Curve;
-    using ZeroMorph = ::bb::ZeroMorphVerifier_<Curve>;
+    using Shplemini = ::bb::ShpleminiVerifier_<Curve>;
     using VerifierCommitments = typename Flavor::VerifierCommitments;
     using Transcript = typename Flavor::Transcript;
 
@@ -91,16 +91,16 @@ UltraRecursiveVerifier_<Flavor>::AggregationObject UltraRecursiveVerifier_<Flavo
     auto [multivariate_challenge, claimed_evaluations, sumcheck_verified] =
         sumcheck.verify(verification_key->relation_parameters, verification_key->alphas, gate_challenges);
 
-    // Execute ZeroMorph to produce an opening claim subsequently verified by a univariate PCS
-    auto opening_claim = ZeroMorph::verify(key->circuit_size,
-                                           commitments.get_unshifted(),
-                                           commitments.get_to_be_shifted(),
-                                           claimed_evaluations.get_unshifted(),
-                                           claimed_evaluations.get_shifted(),
-                                           multivariate_challenge,
-                                           Commitment::one(builder),
-                                           transcript);
-    auto pairing_points = PCS::reduce_verify(opening_claim, transcript);
+    // Execute Shplemini to produce a batch opening claim subsequently verified by a univariate PCS
+    auto opening_claim = Shplemini::compute_batch_opening_claim(key->circuit_size,
+                                                                commitments.get_unshifted(),
+                                                                commitments.get_to_be_shifted(),
+                                                                claimed_evaluations.get_unshifted(),
+                                                                claimed_evaluations.get_shifted(),
+                                                                multivariate_challenge,
+                                                                Commitment::one(builder),
+                                                                transcript);
+    auto pairing_points = PCS::reduce_verify_batch_opening_claim(opening_claim, transcript);
 
     pairing_points[0] = pairing_points[0].normalize();
     pairing_points[1] = pairing_points[1].normalize();

barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.test.cpp

@@ -170,14 +170,10 @@ template <typename RecursiveFlavor> class RecursiveVerifierTest : public testing
         size_t block_idx = 0;
         for (auto [b_10, b_11] : zip_view(blocks_10.get(), blocks_11.get())) {
             info("block index: ", block_idx);
-            size_t sel_idx = 0;
             EXPECT_TRUE(b_10.selectors.size() == 13);
             EXPECT_TRUE(b_11.selectors.size() == 13);
             for (auto [p_10, p_11] : zip_view(b_10.selectors, b_11.selectors)) {
-
-                info("sel index: ", sel_idx);
                 check_eq(p_10, p_11);
-                sel_idx++;
             }
             block_idx++;
         }
@@ -215,10 +211,7 @@ template <typename RecursiveFlavor> class RecursiveVerifierTest : public testing
         // Create a recursive verification circuit for the proof of the inner circuit
         OuterBuilder outer_circuit;
         RecursiveVerifier verifier{ &outer_circuit, verification_key };
-        typename RecursiveFlavor::CommitmentLabels commitment_labels;
-        for (auto [label, key] : zip_view(commitment_labels.get_precomputed(), verifier.key->get_all())) {
-            info("label: ", label, " value: ", key.get_value());
-        }
+
         aggregation_state<typename RecursiveFlavor::Curve> agg_obj =
             init_default_aggregation_state<OuterBuilder, typename RecursiveFlavor::Curve>(outer_circuit);
         auto pairing_points = verifier.verify_proof(inner_proof, agg_obj);

barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/mega_flavor.hpp

@@ -872,8 +872,9 @@ class MegaFlavor {
         Commitment lookup_read_tags_comm;
         std::vector<bb::Univariate<FF, BATCHED_RELATION_PARTIAL_LENGTH>> sumcheck_univariates;
         std::array<FF, NUM_ALL_ENTITIES> sumcheck_evaluations;
-        std::vector<Commitment> zm_cq_comms;
-        Commitment zm_cq_comm;
+        std::vector<Commitment> gemini_fold_comms;
+        std::vector<FF> gemini_fold_evals;
+        Commitment shplonk_q_comm;
         Commitment kzg_w_comm;
 
         Transcript_() = default;
@@ -938,10 +939,14 @@ class MegaFlavor {
                                                                                                  num_frs_read));
             }
             sumcheck_evaluations = deserialize_from_buffer<std::array<FF, NUM_ALL_ENTITIES>>(proof_data, num_frs_read);
+            for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N - 1; ++i) {
+                gemini_fold_comms.push_back(deserialize_from_buffer<Commitment>(proof_data, num_frs_read));
+            }
             for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N; ++i) {
-                zm_cq_comms.push_back(deserialize_from_buffer<Commitment>(proof_data, num_frs_read));
+                gemini_fold_evals.push_back(deserialize_from_buffer<FF>(proof_data, num_frs_read));
             }
-            zm_cq_comm = deserialize_from_buffer<Commitment>(proof_data, num_frs_read);
+            shplonk_q_comm = deserialize_from_buffer<Commitment>(proof_data, num_frs_read);
+
             kzg_w_comm = deserialize_from_buffer<Commitment>(proof_data, num_frs_read);
         }
 
@@ -983,10 +988,13 @@ class MegaFlavor {
                 serialize_to_buffer(sumcheck_univariates[i], proof_data);
             }
             serialize_to_buffer(sumcheck_evaluations, proof_data);
+            for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N - 1; ++i) {
+                serialize_to_buffer(gemini_fold_comms[i], proof_data);
+            }
             for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N; ++i) {
-                serialize_to_buffer(zm_cq_comms[i], proof_data);
+                serialize_to_buffer(gemini_fold_evals[i], proof_data);
             }
-            serialize_to_buffer(zm_cq_comm, proof_data);
+            serialize_to_buffer(shplonk_q_comm, proof_data);
             serialize_to_buffer(kzg_w_comm, proof_data);
 
             ASSERT(proof_data.size() == old_proof_length);

barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_flavor.hpp

@@ -720,10 +720,10 @@ class UltraFlavor {
         Commitment lookup_inverses_comm;
         std::vector<bb::Univariate<FF, BATCHED_RELATION_PARTIAL_LENGTH>> sumcheck_univariates;
         std::array<FF, NUM_ALL_ENTITIES> sumcheck_evaluations;
-        std::vector<Commitment> zm_cq_comms;
-        Commitment zm_cq_comm;
+        std::vector<Commitment> gemini_fold_comms;
+        std::vector<FF> gemini_fold_evals;
+        Commitment shplonk_q_comm;
         Commitment kzg_w_comm;
-
         Transcript() = default;
 
         // Used by verifier to initialize the transcript
@@ -777,10 +777,14 @@ class UltraFlavor {
                                                                                                  num_frs_read));
             }
             sumcheck_evaluations = deserialize_from_buffer<std::array<FF, NUM_ALL_ENTITIES>>(proof_data, num_frs_read);
+            for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N - 1; ++i) {
+                gemini_fold_comms.push_back(deserialize_from_buffer<Commitment>(proof_data, num_frs_read));
+            }
             for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N; ++i) {
-                zm_cq_comms.push_back(deserialize_from_buffer<Commitment>(proof_data, num_frs_read));
+                gemini_fold_evals.push_back(deserialize_from_buffer<FF>(proof_data, num_frs_read));
             }
-            zm_cq_comm = deserialize_from_buffer<Commitment>(proof_data, num_frs_read);
+            shplonk_q_comm = deserialize_from_buffer<Commitment>(proof_data, num_frs_read);
+
             kzg_w_comm = deserialize_from_buffer<Commitment>(proof_data, num_frs_read);
         }
 
@@ -812,10 +816,13 @@ class UltraFlavor {
                 serialize_to_buffer(sumcheck_univariates[i], proof_data);
             }
             serialize_to_buffer(sumcheck_evaluations, proof_data);
+            for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N - 1; ++i) {
+                serialize_to_buffer(gemini_fold_comms[i], proof_data);
+            }
             for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N; ++i) {
-                serialize_to_buffer(zm_cq_comms[i], proof_data);
+                serialize_to_buffer(gemini_fold_evals[i], proof_data);
             }
-            serialize_to_buffer(zm_cq_comm, proof_data);
+            serialize_to_buffer(shplonk_q_comm, proof_data);
             serialize_to_buffer(kzg_w_comm, proof_data);
 
             // sanity check to make sure we generate the same length of proof as before.