85 const size_t& log_num_gates = 9,
86 const size_t& log_num_gates_with_public_inputs = 9)
117 for (
auto [native_comm, rec_comm] :
118 zip_view(verifier_instances[0]->witness_commitments.get_all(),
119 recursive_folding_data.
verifier_inst->witness_commitments.get_all())) {
120 rec_comm = RecursiveCommitment::from_witness(&
builder, native_comm);
124 RecursiveFF::from_witness(&
builder, verifier_instances[0]->target_sum);
126 for (
auto [native_relation_parameters, rec_relation_parameters] :
127 zip_view(verifier_instances[0]->relation_parameters.get_to_fold(),
128 recursive_folding_data.
verifier_inst->relation_parameters.get_to_fold())) {
129 rec_relation_parameters = RecursiveFF::from_witness(&
builder, native_relation_parameters);
132 for (
auto [native_alpha, rec_alphas] :
134 rec_alphas = RecursiveFF::from_witness(&
builder, native_alpha);
137 for (
auto [native_gate_challenge, rec_gate_challenge] :
138 zip_view(verifier_instances[0]->gate_challenges, recursive_folding_data.
verifier_inst->gate_challenges)) {
139 rec_gate_challenge = RecursiveFF::from_witness(&
builder, native_gate_challenge);
142 RecursiveFF::from_witness(&
builder, verifier_instances[0]->target_sum);
145 return recursive_folding_data;
166 recursive_transcript->enable_manifest();
170 auto accumulator_hash =
171 recursive_folding_data.verifier_inst->hash_through_transcript(
"-", *recursive_transcript);
172 recursive_transcript->add_to_hash_buffer(
"accumulator_hash", accumulator_hash);
175 &
builder, recursive_folding_data.verifier_inst, recursive_folding_data.vk_and_hash, recursive_transcript);
177 auto folded_verifier_instance = recursive_folding_verifier.
verify_folding_proof(recursive_folding_proof);
180 recursive_transcript };
191 bool is_valid =
true;
192 auto prover_inst = get<0>(accumulator);
193 auto verifier_inst = get<1>(accumulator);
195 prover_inst->commitment_key =
CommitmentKey(prover_inst->get_precomputed().metadata.dyadic_size);
200 is_valid = check_accumulator_target_sum_manual(prover_inst);
203 prover_inst->polynomials.w_l.at(2) +=
NativeFF(1);
204 verifier_inst->witness_commitments.get_wires()[0] =
205 prover_inst->commitment_key.commit(prover_inst->polynomials.w_l);
206 is_valid = check_accumulator_target_sum_manual(prover_inst);
209 prover_inst->alphas[1] +=
211 verifier_inst->alphas[1] = prover_inst->alphas[1];
212 is_valid = check_accumulator_target_sum_manual(prover_inst);
215 prover_inst->gate_challenges[0] +=
NativeFF(42);
216 verifier_inst->gate_challenges[0] = prover_inst->gate_challenges[0];
217 is_valid = check_accumulator_target_sum_manual(prover_inst);
220 prover_inst->relation_parameters.get_to_fold()[0] +=
NativeFF(3009);
221 verifier_inst->relation_parameters.get_to_fold()[0] = prover_inst->relation_parameters.get_to_fold()[0];
222 is_valid = check_accumulator_target_sum_manual(prover_inst);
225 prover_inst->target_sum +=
NativeFF(2025);
226 verifier_inst->target_sum = prover_inst->target_sum;
227 is_valid = check_accumulator_target_sum_manual(prover_inst);
231 EXPECT_EQ(is_valid, expected);
260 auto prover_inst = get<0>(instance);
262 auto run_oink = [&prover_inst]() {
268 bool is_valid =
true;
275 prover_inst->polynomials.w_l.at(1) +=
NativeFF(1);
277 is_valid = check_accumulator_target_sum_manual(prover_inst);
279 prover_inst->is_complete =
false;
284 EXPECT_EQ(is_valid, expected);
328 bool is_no_tampering_mode = !(is_accumulator_tampering_mode || is_instance_tampering_mode ||
329 is_folded_accumulator_tampering_mode || is_proof_tampering_mode);
338 keys, native_builder, 1,
TraceSettings{ SMALL_TEST_STRUCTURE });
346 auto [folded_accumulator, folding_proof] =
354 auto [folded_verifier_accumulator, recursive_transcript] =
361 auto [native_folded_verifier_accumulator, native_transcript] =
363 auto [compare_verifiers, msg_verifiers] =
365 EXPECT_TRUE(compare_verifiers) << msg_verifiers;
368 auto native_manifest = native_transcript->get_manifest();
369 auto recursive_manifest = recursive_transcript->get_manifest();
370 EXPECT_EQ(native_manifest.size(), recursive_manifest.size());
372 for (
size_t idx = 0; idx < native_manifest.size(); idx++) {
373 EXPECT_EQ(recursive_manifest[idx], native_manifest[idx])
374 <<
"Recursive Verifier/Verifier manifest discrepency in round " << idx;
381 auto [compare_prover_verifier, msg_prover_verifier] =
383 EXPECT_EQ(compare_prover_verifier, !(is_accumulator_tampering_mode || is_proof_tampering_mode))
384 << msg_prover_verifier;
393 folded_accumulator_mode,
394 !(is_instance_tampering_mode || is_folded_accumulator_tampering_mode));
398 bool is_folded_accumulator_valid =
400 EXPECT_EQ(is_folded_accumulator_valid, is_no_tampering_mode);
406 protogalaxy_testing(AccumulatorTamperingMode::None,
407 InstanceTamperingMode::None,
408 AccumulatorTamperingMode::None,
409 ProofTamperingMode::None);
415 protogalaxy_testing(AccumulatorTamperingMode::Wires,
416 InstanceTamperingMode::None,
417 AccumulatorTamperingMode::None,
418 ProofTamperingMode::None);
424 protogalaxy_testing(AccumulatorTamperingMode::Alphas,
425 InstanceTamperingMode::None,
426 AccumulatorTamperingMode::None,
427 ProofTamperingMode::None);
433 protogalaxy_testing(AccumulatorTamperingMode::GateChallenges,
434 InstanceTamperingMode::None,
435 AccumulatorTamperingMode::None,
436 ProofTamperingMode::None);
442 protogalaxy_testing(AccumulatorTamperingMode::RelationParameters,
443 InstanceTamperingMode::None,
444 AccumulatorTamperingMode::None,
445 ProofTamperingMode::None);
451 protogalaxy_testing(AccumulatorTamperingMode::TargetSum,
452 InstanceTamperingMode::None,
453 AccumulatorTamperingMode::None,
454 ProofTamperingMode::None);
459 protogalaxy_testing(AccumulatorTamperingMode::None,
460 InstanceTamperingMode::Wires,
461 AccumulatorTamperingMode::None,
462 ProofTamperingMode::None);
467 protogalaxy_testing(AccumulatorTamperingMode::None,
468 InstanceTamperingMode::None,
469 AccumulatorTamperingMode::Wires,
470 ProofTamperingMode::None);
475 protogalaxy_testing(AccumulatorTamperingMode::None,
476 InstanceTamperingMode::None,
477 AccumulatorTamperingMode::Alphas,
478 ProofTamperingMode::None);
483 protogalaxy_testing(AccumulatorTamperingMode::None,
484 InstanceTamperingMode::None,
485 AccumulatorTamperingMode::GateChallenges,
486 ProofTamperingMode::None);
491 protogalaxy_testing(AccumulatorTamperingMode::None,
492 InstanceTamperingMode::None,
493 AccumulatorTamperingMode::RelationParameters,
494 ProofTamperingMode::None);
499 protogalaxy_testing(AccumulatorTamperingMode::None,
500 InstanceTamperingMode::None,
501 AccumulatorTamperingMode::TargetSum,
502 ProofTamperingMode::None);
507 protogalaxy_testing(AccumulatorTamperingMode::None,
508 InstanceTamperingMode::None,
509 AccumulatorTamperingMode::None,
510 ProofTamperingMode::Perturbator);
515 protogalaxy_testing(AccumulatorTamperingMode::None,
516 InstanceTamperingMode::None,
517 AccumulatorTamperingMode::None,
518 ProofTamperingMode::CombinerQuotient);
529 TupleOfKeys keys_to_be_accumulated;
531 NativeBuilder native_builder_1;
532 create_function_circuit(native_builder_1, log_num_gates, log_num_gates);
533 ProtogalaxyTestUtils::construct_instances_and_add_to_tuple(
534 keys_to_be_accumulated, native_builder_1, 0,
TraceSettings{ SMALL_TEST_STRUCTURE });
536 NativeBuilder native_builder_2;
537 create_function_circuit(native_builder_2, log_num_gates, log_num_gates);
538 ProtogalaxyTestUtils::construct_instances_and_add_to_tuple(
539 keys_to_be_accumulated, native_builder_2, 1,
TraceSettings{ SMALL_TEST_STRUCTURE });
541 auto [prover_instance, verifier_instance] =
542 ProtogalaxyTestUtils::fold_and_verify(get<0>(keys_to_be_accumulated), get<1>(keys_to_be_accumulated));
544 get<0>(keys)[0] = prover_instance;
545 get<1>(keys)[0] = verifier_instance;
548 NativeBuilder native_builder_3;
549 create_function_circuit(native_builder_3);
551 ProtogalaxyTestUtils::construct_instances_and_add_to_tuple(
552 keys, native_builder_3, 1,
TraceSettings{ SMALL_TEST_STRUCTURE });
554 auto [folded_accumulator, folding_proof] =
555 ProtogalaxyTestUtils::fold(get<0>(keys), get<1>(keys),
true);
558 [[maybe_unused]]
auto _ = create_folding_circuit(
builder, get<1>(keys), folding_proof);
562 return { folding_proof.size(),
builder };
565 auto [proof_size_1, circuit_1] = compute_circuit_size(11);
566 auto [proof_size_2, circuit_2] = compute_circuit_size(12);
568 EXPECT_EQ(proof_size_1, proof_size_2);
569 EXPECT_EQ(circuit_1.get_estimated_num_finalized_gates(), circuit_2.get_estimated_num_finalized_gates());
570 EXPECT_EQ(circuit_1.blocks, circuit_2.blocks);
#define BB_ASSERT_GT(left, right,...)
#define BB_DISABLE_ASSERTS()
CommitmentKey object over a pairing group 𝔾₁.
bb::CommitmentKey< Curve > CommitmentKey
Curve::AffineElement Commitment
The recursive counterpart to the "native" Mega flavor.
typename Curve::Element Commitment
BuilderType CircuitBuilder
typename Curve::ScalarField FF
Class for all the oink rounds, which are shared between the folding prover and ultra prover.
void prove()
Oink Prover function that runs all the rounds of the verifier.
std::array< std::shared_ptr< VerifierInstance >, NUM_INSTANCES > VerifierInstances
typename Flavor::VerificationKey VerificationKey
static void create_function_circuit(Builder &builder, const size_t &log_num_gates=9, const size_t &log_num_gates_with_public_inputs=9)
Create a circuit with the specified number of arithmetic gates and arithmetic gates with public input...
static FoldingVerificationResult verify_folding_proof(const VerifierInstances &verification_keys, const HonkProof &folding_proof, bool hash_accumulator=false)
Verify a folding proof. Return the folded accumulator and the verifier transcript.
std::tuple< std::shared_ptr< ProverInstance >, std::shared_ptr< VerifierInstance > > FoldingData
static FoldingResult< Flavor > fold(const ProverInstances &prover_instances, const VerifierInstances &verification_keys, bool hash_accumulator=false, ExecutionTraceUsageTracker trace_usage_tracker=ExecutionTraceUsageTracker{})
Fold two prover instances. Return folded accumulator and folding proof.
ProtogalaxyVerifier_< VerifierInstance > FoldingVerifier
ProtogalaxyProver_< Flavor > FoldingProver
std::array< std::shared_ptr< ProverInstance >, NUM_INSTANCES > ProverInstances
std::tuple< ProverInstances, VerifierInstances > TupleOfKeys
static bool run_decider(const std::shared_ptr< ProverInstance > &prover_accumulator, const std::shared_ptr< VerifierInstance > &verifier_accumulator)
Run the decider on the given accumulator.
static void construct_instances_and_add_to_tuple(TupleOfKeys &keys, Builder &builder, size_t idx=0, TraceSettings trace_settings=TraceSettings{})
Construct Prover and Verifier instances for a provided circuit and add to tuple.
static FoldingData get_folding_data(const TupleOfKeys &keys, size_t idx)
Get folding data at index idx in the tuple of keys.
Flavor::CircuitBuilder Builder
VerifierInstance_< Flavor > VerifierInstance
static std::pair< bool, std::string > compare_accumulators(const std::shared_ptr< VerifierInstance > &lhs, const std::shared_ptr< VerifierInstance > &rhs)
Compare two accumulators. Return the result of the comparison and error message.
static void construct_accumulator_and_add_to_tuple(TupleOfKeys &keys, size_t idx=0, TraceSettings trace_settings=TraceSettings{})
Construct Prover and Verifier accumulators and add to tuple.
ProverInstance_< Flavor > ProverInstance
A ProverInstance is normally constructed from a finalized circuit and it contains all the information...
static bool check(const Builder &circuit)
Check the witness satisifies the circuit.
The VerifierInstance encapsulates all the necessary information for a Mega Honk Verifier to verify a ...
static byte_array_ct hash(const byte_array_ct &input)
A simple wrapper around a vector of stdlib field elements representing a proof.
Represents a dynamic array of bytes in-circuit.
static field_ct hash(const std::vector< field_ct > &in, GeneratorContext context={})
Computes a pedersen hash of the provided inputs.
static constexpr size_t INDEX_FIRST_COMBINER_QUOTIENT_COEFF
NativeFlavor::FF NativeFF
ProtogalaxyTestUtils::Builder NativeBuilder
RecursiveFlavor::Commitment RecursiveCommitment
static void SetUpTestSuite()
static void tamper_with_accumulator(const NativeFoldingData &accumulator, const AccumulatorTamperingMode &mode, bool expected)
Tamper with an accumulator by changing one of its values: wires, alphas, gate challenge,...
static RecursiveFoldingData create_recursive_folding_data(RecursiveBuilder &builder, const NativeVerifierInstances &verifier_instances)
Create a recursive verifier instances from native ones.
ProtogalaxyTestUtils::VerificationKey NativeVerificationKey
static void tamper_with_folding_proof(HonkProof &folding_proof, const ProofTamperingMode &mode)
Tamper with folding proof by changing either the first coefficient of the perturbator,...
NativeFlavor::CommitmentKey CommitmentKey
RecursiveVerifierInstance::VerificationKey RecursiveVerificationKey
NativeFlavor::Commitment Commitment
static std::pair< std::shared_ptr< NativeVerifierInstance >, std::shared_ptr< RecursiveFoldingVerifier::Transcript > > create_folding_circuit(RecursiveBuilder &builder, const NativeVerifierInstances &verifier_instances, const HonkProof &folding_proof)
Create the circuit that verifies the folding proof. Return folded verifier accumulator and the verifi...
static constexpr size_t INDEX_FIRST_PERTURBATOR_COEFF
RecursiveFlavor::FF RecursiveFF
ProtogalaxyTestUtils::ProverInstances NativeProverInstances
ProtogalaxyTestUtils::TupleOfKeys TupleOfKeys
static void tamper_with_instance(const NativeFoldingData &instance, const InstanceTamperingMode &mode)
Tamper with an instance by changing its wire values.
static void create_function_circuit(NativeBuilder &builder, const size_t &log_num_gates=9, const size_t &log_num_gates_with_public_inputs=9)
Create a non-trivial arbitrary inner circuit, the proof of which will be recursively verified.
RecursiveFlavor::CircuitBuilder RecursiveBuilder
RecursiveVerifierInstance::VKAndHash RecursiveVKAndHash
ProtogalaxyTestUtils::FoldingData NativeFoldingData
ProtogalaxyTestUtils::VerifierInstances NativeVerifierInstances
std::shared_ptr< VerifierInstance > verify_folding_proof(const stdlib::Proof< Builder > &)
Run the folding protocol on the verifier side to establish whether the public data of the new accumu...
The stdlib counterpart of VerifierInstance, used in recursive folding verification.
typename Flavor::VerificationKey VerificationKey
typename Flavor::VKAndHash VKAndHash
RNG & get_debug_randomness(bool reset, std::uint_fast64_t seed)
std::filesystem::path bb_crs_path()
void init_file_crs_factory(const std::filesystem::path &path)
TEST_F(BoomerangGoblinRecursiveVerifierTests, graph_description_basic)
Construct and check a goblin recursive verification circuit.
std::vector< fr > HonkProof
VerifierCommitmentKey< Curve > vk
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
field_t< CircuitBuilder > ScalarField
byte_array< CircuitBuilder > byte_array_ct
curve::BN254::ScalarField ScalarFieldNative
std::shared_ptr< RecursiveVerifierInstance > verifier_inst
std::shared_ptr< RecursiveVKAndHash > vk_and_hash
1.9.8