The IVC scheme used by the aztec client for private function execution. More...
#include <sumcheck_client_ivc.hpp>
Classes | |
| struct | FirstSumcheckOutput |
| struct | Proof |
| A full proof for the IVC scheme containing a Mega proof showing correctness of the hiding circuit (which recursive verified the last folding and decider proof) and a Goblin proof (translator VM, ECCVM and last merge proof). More... | |
| struct | ProverAccumulator |
| struct | RecursiveFirstSumcheckOutput |
| struct | RecursiveVerifierAccumulator |
| struct | StdlibVerifierInputs |
| struct | VerificationKey |
| struct | VerifierAccumulator |
| struct | VerifierInputs |
Public Member Functions | |
| size_t | get_num_circuits () const |
| Goblin & | get_goblin () override |
| const Goblin & | get_goblin () const override |
| SumcheckClientIVC (size_t num_circuits) | |
| void | instantiate_stdlib_verification_queue (ClientCircuit &circuit, const std::vector< std::shared_ptr< RecursiveVKAndHash > > &input_keys={}) |
| Instantiate a stdlib verification queue for use in the kernel completion logic. | |
| std::tuple< std::optional< RecursiveVerifierAccumulator >, PairingPoints, TableCommitments > | perform_recursive_verification_and_databus_consistency_checks (ClientCircuit &circuit, const StdlibVerifierInputs &verifier_inputs, const std::optional< RecursiveVerifierAccumulator > &input_verifier_accumulator, const TableCommitments &T_prev_commitments, const std::shared_ptr< RecursiveTranscript > &accumulation_recursive_transcript) |
| Populate the provided circuit with constraints for (1) recursive verification of the provided accumulation proof and (2) the associated databus commitment consistency checks. | |
| void | complete_kernel_circuit_logic (ClientCircuit &circuit) |
| Append logic to complete a kernel circuit. | |
| void | accumulate (ClientCircuit &circuit, const std::shared_ptr< MegaVerificationKey > &precomputed_vk) override |
| Perform prover work for accumulation (e.g. PG folding, merge proving) | |
| Proof | prove () |
| Construct a proof for the IVC, which, if verified, fully establishes its correctness. | |
| HonkProof | construct_pcs_proof (const std::shared_ptr< Transcript > &transcript) |
| Internal method for constructing a decider proof. | |
| VerificationKey | get_vk () const |
 Public Member Functions inherited from bb::IVCBase | |
| virtual | ~IVCBase ()=default |
Static Public Member Functions | |
| static void | hide_op_queue_accumulation_result (ClientCircuit &circuit) |
| Add a valid operation with random data to the op queue to prevent information leakage in Translator proof. | |
| static void | hide_op_queue_content_in_tail (ClientCircuit &circuit) |
| Adds three random ops to the tail kernel. | |
| static void | hide_op_queue_content_in_hiding (ClientCircuit &circuit) |
| Adds two random ops to the hiding kernel. | |
| static bool | verify (const Proof &proof, const VerificationKey &vk) |
Private Member Functions | |
| void | update_native_verifier_accumulator (const VerifierInputs &queue_entry, const std::shared_ptr< Transcript > &verifier_transcript) |
| Runs either Oink or PG native verifier to update the native verifier accumulator. | |
| HonkProof | construct_sumcheck_proof (const std::shared_ptr< ProverInstance > &prover_instance, const std::shared_ptr< MegaVerificationKey > &honk_vk, const std::shared_ptr< Transcript > &transcript) |
| HonkProof | construct_folding_proof (const std::shared_ptr< ProverInstance > &prover_instance, const std::shared_ptr< MegaVerificationKey > &honk_vk, const std::shared_ptr< Transcript > &transcript) |
| HonkProof | construct_honk_proof_for_hiding_kernel (ClientCircuit &circuit, const std::shared_ptr< MegaVerificationKey > &verification_key) |
| Construct a zero-knowledge proof for the hiding circuit, which recursively verifies the last folding, merge and decider proof. | |
| QUEUE_TYPE | get_queue_type () const |
| Get queue type for the proof of a circuit about to be accumulated based on num circuits accumulated so far. | |
Private Attributes | |
| std::shared_ptr< Transcript > | transcript = std::make_shared<Transcript>() |
| std::shared_ptr< Transcript > | prover_accumulation_transcript = std::make_shared<Transcript>() |
| size_t | num_circuits |
Additional Inherited Members | |
| Protected Member Functions inherited from bb::IVCBase | |
| IVCBase ()=default | |
Detailed Description
The IVC scheme used by the aztec client for private function execution.
Combines Protogalaxy with Goblin to accumulate one circuit at a time with efficient EC group operations. It is assumed that the circuits being accumulated correspond alternatingly to an app and a kernel, as is the case in Aztec. Two recursive folding verifiers are appended to each kernel (except the first one) to verify the folding of a previous kernel and an app/function circuit. Due to this structure it is enforced that the total number of circuits being accumulated is even.
Definition at line 38 of file sumcheck_client_ivc.hpp.
Member Typedef Documentation
◆ AppIO
Definition at line 80 of file sumcheck_client_ivc.hpp.
◆ ClientCircuit
Definition at line 52 of file sumcheck_client_ivc.hpp.
◆ Commitment
Definition at line 45 of file sumcheck_client_ivc.hpp.
◆ Curve
Definition at line 85 of file sumcheck_client_ivc.hpp.
◆ DataBusDepot
Definition at line 75 of file sumcheck_client_ivc.hpp.
◆ DeciderProver
Definition at line 53 of file sumcheck_client_ivc.hpp.
◆ DeciderRecursiveVerifier
| using bb::SumcheckClientIVC::DeciderRecursiveVerifier = stdlib::recursion::honk::DeciderRecursiveVerifier_<RecursiveFlavor> |
Definition at line 72 of file sumcheck_client_ivc.hpp.
◆ DeciderVerifier
Definition at line 54 of file sumcheck_client_ivc.hpp.
◆ DeciderZKProvingKey
Definition at line 50 of file sumcheck_client_ivc.hpp.
◆ ECCVMVerificationKey
Definition at line 57 of file sumcheck_client_ivc.hpp.
◆ FF
| using bb::SumcheckClientIVC::FF = Flavor::FF |
Definition at line 44 of file sumcheck_client_ivc.hpp.
◆ Flavor
Definition at line 41 of file sumcheck_client_ivc.hpp.
◆ FoldingProver
Definition at line 55 of file sumcheck_client_ivc.hpp.
◆ FoldingRecursiveVerifier
| using bb::SumcheckClientIVC::FoldingRecursiveVerifier = bb::stdlib::recursion::honk::ProtogalaxyRecursiveVerifier_<RecursiveVerifierInstance> |
Definition at line 69 of file sumcheck_client_ivc.hpp.
◆ FoldingVerifier
Definition at line 56 of file sumcheck_client_ivc.hpp.
◆ FoldProof
| using bb::SumcheckClientIVC::FoldProof = std::vector<FF> |
Definition at line 48 of file sumcheck_client_ivc.hpp.
◆ HidingKernelIO
| using bb::SumcheckClientIVC::HidingKernelIO = bb::stdlib::recursion::honk::HidingKernelIO<ClientCircuit> |
Definition at line 79 of file sumcheck_client_ivc.hpp.
◆ KernelIO
Definition at line 78 of file sumcheck_client_ivc.hpp.
◆ MegaProver
Definition at line 59 of file sumcheck_client_ivc.hpp.
◆ MegaVerificationKey
Definition at line 42 of file sumcheck_client_ivc.hpp.
◆ MegaVerifier
Definition at line 60 of file sumcheck_client_ivc.hpp.
◆ MegaZKVerificationKey
Definition at line 43 of file sumcheck_client_ivc.hpp.
◆ OinkRecursiveVerifier
Definition at line 71 of file sumcheck_client_ivc.hpp.
◆ PairingPoints
Definition at line 76 of file sumcheck_client_ivc.hpp.
◆ Point
| using bb::SumcheckClientIVC::Point = Flavor::Curve::AffineElement |
Definition at line 47 of file sumcheck_client_ivc.hpp.
◆ PolynomialBatcher
| using bb::SumcheckClientIVC::PolynomialBatcher = GeminiProver_<Curve>::PolynomialBatcher |
Definition at line 86 of file sumcheck_client_ivc.hpp.
◆ ProverInstance
Definition at line 49 of file sumcheck_client_ivc.hpp.
◆ ProverPolynomials
Definition at line 46 of file sumcheck_client_ivc.hpp.
◆ PublicPairingPoints
Definition at line 77 of file sumcheck_client_ivc.hpp.
◆ RecursiveCommitment
Definition at line 65 of file sumcheck_client_ivc.hpp.
◆ RecursiveFlavor
Definition at line 63 of file sumcheck_client_ivc.hpp.
◆ RecursiveTranscript
Definition at line 73 of file sumcheck_client_ivc.hpp.
◆ RecursiveVerificationKey
Definition at line 67 of file sumcheck_client_ivc.hpp.
◆ RecursiveVerifierInstance
| using bb::SumcheckClientIVC::RecursiveVerifierInstance = stdlib::recursion::honk::RecursiveVerifierInstance_<RecursiveFlavor> |
Definition at line 66 of file sumcheck_client_ivc.hpp.
◆ RecursiveVKAndHash
Definition at line 68 of file sumcheck_client_ivc.hpp.
◆ StdlibFF
Definition at line 64 of file sumcheck_client_ivc.hpp.
◆ StdlibProof
Definition at line 81 of file sumcheck_client_ivc.hpp.
◆ StdlibVerificationQueue
| using bb::SumcheckClientIVC::StdlibVerificationQueue = std::deque<StdlibVerifierInputs> |
Definition at line 595 of file sumcheck_client_ivc.hpp.
◆ TableCommitments
| using bb::SumcheckClientIVC::TableCommitments = std::array<RecursiveFlavor::Commitment, ClientCircuit::NUM_WIRES> |
Definition at line 89 of file sumcheck_client_ivc.hpp.
◆ Transcript
Definition at line 61 of file sumcheck_client_ivc.hpp.
◆ TranslatorVerificationKey
Definition at line 58 of file sumcheck_client_ivc.hpp.
◆ VerificationQueue
| using bb::SumcheckClientIVC::VerificationQueue = std::deque<VerifierInputs> |
Definition at line 586 of file sumcheck_client_ivc.hpp.
◆ VerifierInstance
Definition at line 51 of file sumcheck_client_ivc.hpp.
◆ WitnessCommitments
Definition at line 82 of file sumcheck_client_ivc.hpp.
Member Enumeration Documentation
◆ QUEUE_TYPE
|
strong |
| Enumerator | |
|---|---|
| OINK | |
| PG | |
| PG_FINAL | |
| PG_TAIL | |
| MEGA | |
Definition at line 571 of file sumcheck_client_ivc.hpp.
Constructor & Destructor Documentation
◆ SumcheckClientIVC()
| bb::SumcheckClientIVC::SumcheckClientIVC | ( | size_t | num_circuits | ) |
Definition at line 20 of file sumcheck_client_ivc.cpp.
Member Function Documentation
◆ accumulate()
|
overridevirtual |
Perform prover work for accumulation (e.g. PG folding, merge proving)
Execute prover work for accumulation.
- Parameters
-
circuit The incoming statement precomputed_vk The verification key of the incoming statement OR a mocked key whose metadata needs to be set using the proving key produced from circuitin order to pass some assertions in the Oink prover.mock_vk A boolean to say whether the precomputed vk should have its metadata set.
Construct an prover instance for the provided circuit. If this is the first step in the IVC, simply initialize the folding accumulator. Otherwise, execute the PG prover to fold the prover instance into the accumulator and produce a folding proof. Also execute the merge protocol to produce a merge proof.
- Parameters
-
circuit this case, just produce a Honk proof for that circuit and do no folding. precomputed_vk
Implements bb::IVCBase.
Definition at line 584 of file sumcheck_client_ivc.cpp.
◆ complete_kernel_circuit_logic()
| void bb::SumcheckClientIVC::complete_kernel_circuit_logic | ( | ClientCircuit & | circuit | ) |
Append logic to complete a kernel circuit.
A kernel circuit may contain some combination of PG recursive verification, merge recursive verification, and databus commitment consistency checks. This method appends this logic to a provided kernel circuit.
- Parameters
-
circuit
Definition at line 333 of file sumcheck_client_ivc.cpp.
◆ construct_folding_proof()
|
private |
Definition at line 494 of file sumcheck_client_ivc.cpp.
◆ construct_honk_proof_for_hiding_kernel()
|
private |
Construct a zero-knowledge proof for the hiding circuit, which recursively verifies the last folding, merge and decider proof.
Definition at line 741 of file sumcheck_client_ivc.cpp.
◆ construct_pcs_proof()
| HonkProof bb::SumcheckClientIVC::construct_pcs_proof | ( | const std::shared_ptr< Transcript > & | transcript | ) |
Internal method for constructing a decider proof.
- Returns
- HonkProof
Definition at line 803 of file sumcheck_client_ivc.cpp.
◆ construct_sumcheck_proof()
|
private |
Definition at line 486 of file sumcheck_client_ivc.cpp.
◆ execute_first_sumcheck()
|
staticprivate |
Definition at line 418 of file sumcheck_client_ivc.cpp.
◆ execute_first_sumcheck_native_verification()
|
staticprivate |
Definition at line 452 of file sumcheck_client_ivc.cpp.
◆ execute_first_sumcheck_recursive_verification()
|
staticprivate |
Definition at line 74 of file sumcheck_client_ivc.cpp.
◆ get_goblin() [1/2]
|
inlineoverridevirtual |
Implements bb::IVCBase.
Definition at line 631 of file sumcheck_client_ivc.hpp.
◆ get_goblin() [2/2]
|
inlineoverridevirtual |
Implements bb::IVCBase.
Definition at line 630 of file sumcheck_client_ivc.hpp.
◆ get_num_circuits()
|
inline |
Definition at line 627 of file sumcheck_client_ivc.hpp.
◆ get_queue_type()
|
private |
Get queue type for the proof of a circuit about to be accumulated based on num circuits accumulated so far.
Definition at line 549 of file sumcheck_client_ivc.cpp.
◆ get_vk()
| SumcheckClientIVC::VerificationKey bb::SumcheckClientIVC::get_vk | ( | ) | const |
Definition at line 950 of file sumcheck_client_ivc.cpp.
◆ hide_op_queue_accumulation_result()
|
static |
Add a valid operation with random data to the op queue to prevent information leakage in Translator proof.
The Translator circuit builder evaluates a batched polynomial (representing the four op queue polynomials in UltraOp format) at a random challenge x. This evaluation result (called accumulated_result in translator) is included in the translator proof and verified against the equivalent computation performed by ECCVM (in verify_translation, establishing equivalence between ECCVM and UltraOp format). To ensure the accumulated_result doesn't reveal information about actual ecc operations in the transaction, when the proof is sent to the rollup, we add a random yet valid operation to the op queue. This guarantees the batched polynomial over Grumpkin contains at least one random coefficient.
Definition at line 664 of file sumcheck_client_ivc.cpp.
◆ hide_op_queue_content_in_hiding()
|
static |
Adds two random ops to the hiding kernel.
For the last subtable of ecc ops belonging to the hiding kernel, merged via appended to the full op queue, its data appears as the ecc_op_wires in the MegaZK proof, wires that are not going to be shifted, so the proof containts, for each wire, its commitment and evaluation to the Sumcheck challenge. As at least 3 random coefficients are needed in each op queue polynomial, we add 2 random ops. More details in hide_op_queue_content_in_tail.
Definition at line 731 of file sumcheck_client_ivc.cpp.
◆ hide_op_queue_content_in_tail()
|
static |
Adds three random ops to the tail kernel.
- Note
- The explanation below does not serve as a proof of zero-knowledge but rather as intuition for why the number of random ops and their position in the op queue.
The ClientIVC proof is sent to the rollup and so it has to be zero-knowledge. In turn, this implies that commitments and evaluations to the op queue, when regarded as 4 polynomials in UltraOp format (op, x_lo_y_hi, x_hi_z_1, y_lo_z_2), should not leak information about the actual content of the op queue with provenance from circuit operations that have been accumulated in CIVC. Since the op queue is used across several provers, randomising these polynomials has to be handled in a special way. Normally, to hide a witness we'd add random coefficients at proving time when populating ProverPolynomials. However, due to the consistency checks present throughout CIVC, to ensure all components use the same op queue data (Merge and Translator on the entire op queue table and Merge and Oink on each subtable), randomness has to be added in a common place, this place naturally being ClientIVC. ECCVM is not affected by the concerns above, randomness being added to wires at proving time as per usual, because the consistency of ECCVMOps processing and UltraOps processing between Translator and ECCVM is achieved via the translation evaluation check and avoiding an information leak there is ensured by ClientIVC::hide_op_queue_accumulation_result() and SmallSubgroupIPA in ECCVM.
We need each op queue polynomial to have 9 random coefficients (so the op queue needs to contain 5 random ops, every UltraOp adding two coefficients to each of the 4 polynomials).
For the last subtable of ecc ops belonging to the hiding kernel, merged via appended to the full op queue, its data appears as the ecc_op_wires in the MegaZK proof, wires that are not going to be shifted, so the proof contains, for each wire, its commitment and evaluation to the Sumcheck challenge. As at least 3 random coefficients are needed in each op queue polynomial, we add 2 random ops to the hiding kernel.
The op queue state previous to the append of the last subtable, is the left_table in the merge protocol, so for the degree check, we construct its inverse polynomial left_table_inverse. The MergeProof will contain the commitment to the left_table_inverse plus its evaluation at Merge protocol challenge κ. Also for the degree check, prover needs to send the evaluation of the left_table at κ⁻¹. We need to ensure random coefficients are added to one of the kernels as not to affect Apps verification keys so the best choice is to add them to the beginning of the tail kernel as to not complicate Translator relations. The above advises that another 4 random coefficients are needed in the left_table (so, 2 random ops).
Finally, the 4 polynomials representing the full ecc op queue table are committed to (in fact, in both Merge protocol and Translator but they are commitments to the same data). x_lo_y_hi, x_hi_z_1 and x_lo_z_2 are shifted polynomials in Translator so the Translator proof will contain their evaluation and evaluation of their shifts at the Sumcheck challenge. On top of that, the Shplonk proof sent in the last iteration of Merge also ascertains the opening of partially_evaluated_difference = left_table + κ^{shift -1 } * right_table - merged_table at κ is 0, so a batched quotient commitment is sent in the Merge proof. In total, for each op queue polynomial (or parts of its data), there are 4 commitments and 5 evaluations across the CIVC proof so the sweet spot is 5 random ops.
Definition at line 716 of file sumcheck_client_ivc.cpp.
◆ instantiate_stdlib_verification_queue()
| void bb::SumcheckClientIVC::instantiate_stdlib_verification_queue | ( | ClientCircuit & | circuit, |
| const std::vector< std::shared_ptr< RecursiveVKAndHash > > & | input_keys = {} |
||
| ) |
Instantiate a stdlib verification queue for use in the kernel completion logic.
Construct a stdlib proof/verification_key for each entry in the native verification queue. By default, both are constructed from their counterpart in the native queue. Alternatively, Stdlib verification keys can be provided directly as input to this method. (The later option is used, for example, when constructing recursive verifiers based on the verification key witnesses from an acir recursion constraint. This option is not provided for proofs since valid proof witnesses are in general not known at the time of acir constraint generation).
- Parameters
-
circuit
Definition at line 42 of file sumcheck_client_ivc.cpp.
◆ perform_folding_recursive_verification()
|
staticprivate |
Definition at line 111 of file sumcheck_client_ivc.cpp.
◆ perform_recursive_verification_and_databus_consistency_checks()
| std::tuple< std::optional< SumcheckClientIVC::RecursiveVerifierAccumulator >, SumcheckClientIVC::PairingPoints, SumcheckClientIVC::TableCommitments > bb::SumcheckClientIVC::perform_recursive_verification_and_databus_consistency_checks | ( | ClientCircuit & | circuit, |
| const StdlibVerifierInputs & | verifier_inputs, | ||
| const std::optional< RecursiveVerifierAccumulator > & | input_verifier_accumulator, | ||
| const TableCommitments & | T_prev_commitments, | ||
| const std::shared_ptr< RecursiveTranscript > & | accumulation_recursive_transcript | ||
| ) |
Populate the provided circuit with constraints for (1) recursive verification of the provided accumulation proof and (2) the associated databus commitment consistency checks.
The recursive verifier will be either Oink or Protogalaxy depending on the specified proof type. In either case, the verifier accumulator is updated in place via the verification algorithm. Databus commitment consistency checks are performed on the witness commitments and public inputs extracted from the proof by the verifier. Merge verification is performed with commitments to the subtable t_j extracted from the PG verifier. The computed commitment T is propagated to the next step of recursive verification.
- Parameters
-
circuit verifier_inputs {proof, vkey, type (Oink/PG)} A set of inputs for recursive verification merge_commitments Container for the commitments for the Merge recursive verification to be performed accumulation_recursive_transcript Transcript shared across recursive verification of the folding of K_{i-1} (kernel), A_{i,1} (app), .., A_{i, n} (app)
- Returns
- Triple of output verifier accumulator, PairingPoints for final verification and commitments to the merged tables as read from the proof by the Merge verifier
Definition at line 164 of file sumcheck_client_ivc.cpp.
◆ prove()
| SumcheckClientIVC::Proof bb::SumcheckClientIVC::prove | ( | ) |
Construct a proof for the IVC, which, if verified, fully establishes its correctness.
- Returns
- Proof
Definition at line 759 of file sumcheck_client_ivc.cpp.
◆ update_native_verifier_accumulator()
|
private |
Runs either Oink or PG native verifier to update the native verifier accumulator.
- Parameters
-
queue_entry The verifier inputs from the queue. verifier_transcript Verifier transcript corresponding to the prover transcript.
Definition at line 960 of file sumcheck_client_ivc.cpp.
◆ verify()
|
static |
Definition at line 777 of file sumcheck_client_ivc.cpp.
Member Data Documentation
◆ bn254_commitment_key
| MegaFlavor::CommitmentKey bb::SumcheckClientIVC::bn254_commitment_key |
Definition at line 623 of file sumcheck_client_ivc.hpp.
◆ bus_depot
| DataBusDepot bb::SumcheckClientIVC::bus_depot |
Definition at line 621 of file sumcheck_client_ivc.hpp.
◆ goblin
| Goblin bb::SumcheckClientIVC::goblin |
Definition at line 625 of file sumcheck_client_ivc.hpp.
◆ native_verifier_accum
| VerifierAccumulator bb::SumcheckClientIVC::native_verifier_accum |
Definition at line 613 of file sumcheck_client_ivc.hpp.
◆ num_circuits
|
private |
Definition at line 604 of file sumcheck_client_ivc.hpp.
◆ num_circuits_accumulated
| size_t bb::SumcheckClientIVC::num_circuits_accumulated = 0 |
Definition at line 606 of file sumcheck_client_ivc.hpp.
◆ pcs_proof
| HonkProof bb::SumcheckClientIVC::pcs_proof |
Definition at line 610 of file sumcheck_client_ivc.hpp.
◆ prover_accumulation_transcript
|
private |
Definition at line 602 of file sumcheck_client_ivc.hpp.
◆ prover_accumulator
| ProverAccumulator bb::SumcheckClientIVC::prover_accumulator |
Definition at line 608 of file sumcheck_client_ivc.hpp.
◆ recursive_verifier_native_accum
| VerifierAccumulator bb::SumcheckClientIVC::recursive_verifier_native_accum |
Definition at line 612 of file sumcheck_client_ivc.hpp.
◆ stdlib_verification_queue
| StdlibVerificationQueue bb::SumcheckClientIVC::stdlib_verification_queue |
Definition at line 618 of file sumcheck_client_ivc.hpp.
◆ transcript
|
private |
Definition at line 599 of file sumcheck_client_ivc.hpp.
◆ verification_queue
| VerificationQueue bb::SumcheckClientIVC::verification_queue |
Definition at line 616 of file sumcheck_client_ivc.hpp.
The documentation for this class was generated from the following files:
- src/barretenberg/client_ivc/sumcheck_client_ivc.hpp
- src/barretenberg/client_ivc/sumcheck_client_ivc.cpp
