From 7f016d8b3ce17daa0cdee397e4706453d2ee15d0 Mon Sep 17 00:00:00 2001 From: iakovenkos Date: Thu, 26 Sep 2024 14:20:54 +0000 Subject: [PATCH 1/2] hack commitment gone + 1 mock step in goblin --- .../src/barretenberg/eccvm/eccvm_flavor.hpp | 8 ----- .../src/barretenberg/eccvm/eccvm_prover.cpp | 30 +++++++------------ .../eccvm/eccvm_transcript.test.cpp | 2 -- .../src/barretenberg/eccvm/eccvm_verifier.cpp | 28 ++++++++--------- .../cpp/src/barretenberg/goblin/goblin.hpp | 8 ----- .../eccvm_recursive_verifier.cpp | 23 +++++++------- 6 files changed, 34 insertions(+), 65 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp index b307ec7a4c9..f2af55e8d13 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp @@ -937,13 +937,11 @@ class ECCVMFlavor { std::array sumcheck_evaluations; std::vector zm_cq_comms; Commitment zm_cq_comm; - Commitment translation_hack_comm; FF translation_eval_op; FF translation_eval_px; FF translation_eval_py; FF translation_eval_z1; FF translation_eval_z2; - FF hack_eval; Commitment shplonk_q_comm; uint32_t ipa_poly_degree; std::vector ipa_l_comms; @@ -1151,8 +1149,6 @@ class ECCVMFlavor { } zm_cq_comm = NativeTranscript::template deserialize_from_buffer(proof_data, num_frs_read); - translation_hack_comm = NativeTranscript::template deserialize_from_buffer( - NativeTranscript::proof_data, num_frs_read); translation_eval_op = NativeTranscript::template deserialize_from_buffer(NativeTranscript::proof_data, num_frs_read); translation_eval_px = @@ -1163,8 +1159,6 @@ class ECCVMFlavor { NativeTranscript::template deserialize_from_buffer(NativeTranscript::proof_data, num_frs_read); translation_eval_z2 = NativeTranscript::template deserialize_from_buffer(NativeTranscript::proof_data, num_frs_read); - hack_eval = - NativeTranscript::template deserialize_from_buffer(NativeTranscript::proof_data, num_frs_read); shplonk_q_comm = NativeTranscript::template deserialize_from_buffer(proof_data, num_frs_read); @@ -1297,13 +1291,11 @@ class ECCVMFlavor { } NativeTranscript::template serialize_to_buffer(zm_cq_comm, NativeTranscript::proof_data); - NativeTranscript::template serialize_to_buffer(translation_hack_comm, NativeTranscript::proof_data); NativeTranscript::template serialize_to_buffer(translation_eval_op, NativeTranscript::proof_data); NativeTranscript::template serialize_to_buffer(translation_eval_px, NativeTranscript::proof_data); NativeTranscript::template serialize_to_buffer(translation_eval_py, NativeTranscript::proof_data); NativeTranscript::template serialize_to_buffer(translation_eval_z1, NativeTranscript::proof_data); NativeTranscript::template serialize_to_buffer(translation_eval_z2, NativeTranscript::proof_data); - NativeTranscript::template serialize_to_buffer(hack_eval, NativeTranscript::proof_data); NativeTranscript::template serialize_to_buffer(shplonk_q_comm, NativeTranscript::proof_data); diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp index 76a64e54fd6..cdef38ee63f 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp @@ -129,16 +129,6 @@ void ECCVMProver::execute_pcs_rounds() commitment_key, transcript); - // Batch open the transcript polynomials as univariates for Translator consistency check. Since IPA cannot - // currently handle polynomials for which the latter half of the coefficients are 0, we hackily - // batch the constant polynomial 1 in with the 5 transcript polynomials. - // TODO(https://github.com/AztecProtocol/barretenberg/issues/768): fix IPA to avoid the need for the hack polynomial - Polynomial hack(key->circuit_size); - for (size_t idx = 0; idx < key->circuit_size; idx++) { - hack.at(idx) = 1; - } - transcript->send_to_verifier("Translation:hack_commitment", commitment_key->commit(hack)); - // Get the challenge at which we evaluate all transcript polynomials as univariates evaluation_challenge_x = transcript->template get_challenge("Translation:evaluation_challenge_x"); @@ -156,20 +146,20 @@ void ECCVMProver::execute_pcs_rounds() transcript->send_to_verifier("Translation:z1", translation_evaluations.z1); transcript->send_to_verifier("Translation:z2", translation_evaluations.z2); - FF hack_evaluation = hack.evaluate(evaluation_challenge_x); - transcript->send_to_verifier("Translation:hack_evaluation", hack_evaluation); - // Get another challenge for batching the univariates and evaluations FF ipa_batching_challenge = transcript->template get_challenge("Translation:ipa_batching_challenge"); // Collect the polynomials and evaluations to be batched - RefArray univariate_polynomials{ key->polynomials.transcript_op, key->polynomials.transcript_Px, - key->polynomials.transcript_Py, key->polynomials.transcript_z1, - key->polynomials.transcript_z2, hack }; - std::array univariate_evaluations{ - translation_evaluations.op, translation_evaluations.Px, translation_evaluations.Py, - translation_evaluations.z1, translation_evaluations.z2, hack_evaluation - }; + RefArray univariate_polynomials{ key->polynomials.transcript_op, + key->polynomials.transcript_Px, + key->polynomials.transcript_Py, + key->polynomials.transcript_z1, + key->polynomials.transcript_z2 }; + std::array univariate_evaluations{ translation_evaluations.op, + translation_evaluations.Px, + translation_evaluations.Py, + translation_evaluations.z1, + translation_evaluations.z2 }; // Construct the batched polynomial and batched evaluation to produce the batched opening claim Polynomial batched_univariate{ key->circuit_size }; diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_transcript.test.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_transcript.test.cpp index 3f06d27aed1..9fb878c044c 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_transcript.test.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_transcript.test.cpp @@ -162,7 +162,6 @@ class ECCVMTranscriptTests : public ::testing::Test { manifest_expected.add_challenge(round, "ZM:x", "ZM:z"); round++; - manifest_expected.add_entry(round, "Translation:hack_commitment", frs_per_G); manifest_expected.add_challenge(round, "Translation:evaluation_challenge_x"); round++; @@ -171,7 +170,6 @@ class ECCVMTranscriptTests : public ::testing::Test { manifest_expected.add_entry(round, "Translation:Py", frs_per_Fr); manifest_expected.add_entry(round, "Translation:z1", frs_per_Fr); manifest_expected.add_entry(round, "Translation:z2", frs_per_Fr); - manifest_expected.add_entry(round, "Translation:hack_evaluation", frs_per_Fr); manifest_expected.add_challenge(round, "Translation:ipa_batching_challenge"); round++; diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp index 26bd5ac6ce6..c7bbd7ec456 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp @@ -69,35 +69,33 @@ bool ECCVMVerifier::verify_proof(const HonkProof& proof) multivariate_challenge, key->pcs_verification_key->get_g1_identity(), transcript); - // Execute transcript consistency univariate opening round - auto hack_commitment = transcript->template receive_from_prover("Translation:hack_commitment"); - FF evaluation_challenge_x = transcript->template get_challenge("Translation:evaluation_challenge_x"); + const FF evaluation_challenge_x = transcript->template get_challenge("Translation:evaluation_challenge_x"); // Construct arrays of commitments and evaluations to be batched, the evaluations being received from the prover - const size_t NUM_UNIVARIATES = 6; - std::array transcript_commitments = { - commitments.transcript_op, commitments.transcript_Px, commitments.transcript_Py, - commitments.transcript_z1, commitments.transcript_z2, hack_commitment - }; + const size_t NUM_UNIVARIATES = 5; + std::array transcript_commitments = { commitments.transcript_op, + commitments.transcript_Px, + commitments.transcript_Py, + commitments.transcript_z1, + commitments.transcript_z2 }; std::array transcript_evaluations = { transcript->template receive_from_prover("Translation:op"), transcript->template receive_from_prover("Translation:Px"), transcript->template receive_from_prover("Translation:Py"), transcript->template receive_from_prover("Translation:z1"), - transcript->template receive_from_prover("Translation:z2"), - transcript->template receive_from_prover("Translation:hack_evaluation") + transcript->template receive_from_prover("Translation:z2") }; // Get the batching challenge for commitments and evaluations - FF ipa_batching_challenge = transcript->template get_challenge("Translation:ipa_batching_challenge"); + const FF ipa_batching_challenge = transcript->template get_challenge("Translation:ipa_batching_challenge"); // Compute the batched commitment and batched evaluation for the univariate opening claim - auto batched_commitment = transcript_commitments[0]; - auto batched_transcript_eval = transcript_evaluations[0]; - auto batching_scalar = ipa_batching_challenge; - for (size_t idx = 1; idx < transcript_commitments.size(); ++idx) { + Commitment batched_commitment = transcript_commitments[0]; + FF batched_transcript_eval = transcript_evaluations[0]; + FF batching_scalar = ipa_batching_challenge; + for (size_t idx = 1; idx < NUM_UNIVARIATES; ++idx) { batched_commitment = batched_commitment + transcript_commitments[idx] * batching_scalar; batched_transcript_eval += batching_scalar * transcript_evaluations[idx]; batching_scalar *= ipa_batching_challenge; diff --git a/barretenberg/cpp/src/barretenberg/goblin/goblin.hpp b/barretenberg/cpp/src/barretenberg/goblin/goblin.hpp index 134db00a929..36d28114df5 100644 --- a/barretenberg/cpp/src/barretenberg/goblin/goblin.hpp +++ b/barretenberg/cpp/src/barretenberg/goblin/goblin.hpp @@ -147,14 +147,6 @@ class GoblinProver { MergeProof prove_merge(MegaCircuitBuilder& circuit_builder) { BB_OP_COUNT_TIME_NAME("Goblin::merge"); - // TODO(https://github.com/AztecProtocol/barretenberg/issues/993): Some circuits (particularly on the first call - // to accumulate) may not have any goblin ecc ops prior to the call to merge(), so the commitment to the new - // contribution (C_t_shift) in the merge prover will be the point at infinity. (Note: Some dummy ops are added - // in 'add_gates_to_ensure...' but not until proving_key construction which comes later). See issue for ideas - // about how to resolve. - if (circuit_builder.blocks.ecc_op.size() == 0) { - MockCircuits::construct_goblin_ecc_op_circuit(circuit_builder); // Add some arbitrary goblin ECC ops - } if (!merge_proof_exists) { merge_proof_exists = true; diff --git a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp index eeb04cddc99..b190110ef8f 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp @@ -40,7 +40,7 @@ template void ECCVMRecursiveVerifier_::verify_proof(co } // Get challenge for sorted list batching and wire four memory records - auto [beta, gamma] = transcript->template get_challenges("beta", "gamma"); + const auto [beta, gamma] = transcript->template get_challenges("beta", "gamma"); auto beta_sqr = beta * beta; @@ -63,7 +63,7 @@ template void ECCVMRecursiveVerifier_::verify_proof(co // sumcheck is dependent on circuit size. const size_t log_circuit_size = numeric::get_msb(static_cast(circuit_size.get_value())); auto sumcheck = SumcheckVerifier(log_circuit_size, transcript, FF(0)); - FF alpha = transcript->template get_challenge("Sumcheck:alpha"); + const FF alpha = transcript->template get_challenge("Sumcheck:alpha"); std::vector gate_challenges(static_cast(numeric::get_msb(key->circuit_size))); for (size_t idx = 0; idx < gate_challenges.size(); idx++) { gate_challenges[idx] = transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); @@ -80,25 +80,24 @@ template void ECCVMRecursiveVerifier_::verify_proof(co multivariate_challenge, key->pcs_verification_key->get_g1_identity(), transcript); - auto hack_commitment = transcript->template receive_from_prover("Translation:hack_commitment"); - FF evaluation_challenge_x = transcript->template get_challenge("Translation:evaluation_challenge_x"); + const FF evaluation_challenge_x = transcript->template get_challenge("Translation:evaluation_challenge_x"); // Construct the vector of commitments (needs to be vector for the batch_mul) and array of evaluations to be batched - std::vector transcript_commitments = { commitments.transcript_op, commitments.transcript_Px, - commitments.transcript_Py, commitments.transcript_z1, - commitments.transcript_z2, hack_commitment }; + std::vector transcript_commitments = { commitments.transcript_op, + commitments.transcript_Px, + commitments.transcript_Py, + commitments.transcript_z1, + commitments.transcript_z2 }; std::vector transcript_evaluations = { transcript->template receive_from_prover("Translation:op"), transcript->template receive_from_prover("Translation:Px"), transcript->template receive_from_prover("Translation:Py"), transcript->template receive_from_prover("Translation:z1"), - transcript->template receive_from_prover("Translation:z2"), - transcript->template receive_from_prover( - "Translation:hack_evaluation") }; + transcript->template receive_from_prover("Translation:z2") }; // Get the batching challenge for commitments and evaluations - FF ipa_batching_challenge = transcript->template get_challenge("Translation:ipa_batching_challenge"); + const FF ipa_batching_challenge = transcript->template get_challenge("Translation:ipa_batching_challenge"); // Compute the batched commitment and batched evaluation for the univariate opening claim auto batched_transcript_eval = transcript_evaluations[0]; @@ -110,7 +109,7 @@ template void ECCVMRecursiveVerifier_::verify_proof(co batching_challenges.emplace_back(batching_scalar); batching_scalar *= ipa_batching_challenge; } - auto batched_commitment = Commitment::batch_mul(transcript_commitments, batching_challenges); + const Commitment batched_commitment = Commitment::batch_mul(transcript_commitments, batching_challenges); // Construct and verify the combined opening claim OpeningClaim batched_univariate_claim = { { evaluation_challenge_x, batched_transcript_eval }, From 8755b6f1762d701bed0e5ba30fc83ce814a1773a Mon Sep 17 00:00:00 2001 From: iakovenkos Date: Thu, 26 Sep 2024 15:02:41 +0000 Subject: [PATCH 2/2] goblin changes undone --- barretenberg/cpp/src/barretenberg/goblin/goblin.hpp | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/barretenberg/cpp/src/barretenberg/goblin/goblin.hpp b/barretenberg/cpp/src/barretenberg/goblin/goblin.hpp index 36d28114df5..134db00a929 100644 --- a/barretenberg/cpp/src/barretenberg/goblin/goblin.hpp +++ b/barretenberg/cpp/src/barretenberg/goblin/goblin.hpp @@ -147,6 +147,14 @@ class GoblinProver { MergeProof prove_merge(MegaCircuitBuilder& circuit_builder) { BB_OP_COUNT_TIME_NAME("Goblin::merge"); + // TODO(https://github.com/AztecProtocol/barretenberg/issues/993): Some circuits (particularly on the first call + // to accumulate) may not have any goblin ecc ops prior to the call to merge(), so the commitment to the new + // contribution (C_t_shift) in the merge prover will be the point at infinity. (Note: Some dummy ops are added + // in 'add_gates_to_ensure...' but not until proving_key construction which comes later). See issue for ideas + // about how to resolve. + if (circuit_builder.blocks.ecc_op.size() == 0) { + MockCircuits::construct_goblin_ecc_op_circuit(circuit_builder); // Add some arbitrary goblin ECC ops + } if (!merge_proof_exists) { merge_proof_exists = true;