21 : num_circuits(num_circuits)
22 , goblin(bn254_commitment_key)
28 info(
"BN254 commitment key size: ", commitment_key_size);
43 ClientCircuit& circuit,
const std::vector<std::shared_ptr<RecursiveVKAndHash>>& input_keys)
45 bool vkeys_provided = !input_keys.empty();
49 "Incorrect number of verification keys provided in "
50 "stdlib verification queue instantiation.");
61 std::shared_ptr<RecursiveVKAndHash> stdlib_vk_and_hash;
63 stdlib_vk_and_hash = input_keys[key_idx++];
87 verifier_instance->target_sum = StdlibFF::from_witness_index(&circuit, circuit.
zero_idx());
89 verifier_instance->gate_challenges =
92 VerifierCommitments commitments{ verifier_instance->vk_and_hash->vk, verifier_instance->witness_commitments };
98 verifier_instance->relation_parameters, verifier_instance->gate_challenges, padding_indicator_array);
102 "Sumcheck: Failed to recursively verify first sumcheck.");
106 auto recursive_accumulator = output.batch(verifier_instance,
transcript);
108 return recursive_accumulator;
122 "verifier_accumulator cannot be null in folding recursive verification");
124 auto incoming_verifier_accumulator =
129 prev_accum_hash = verifier_accumulator->hash_through_transcript(
"", *
transcript);
133 auto [verified, new_accumulator] = batching_verifier.
verify_proof();
136 "Batching Sumcheck: Failed to recursively verify sumcheck batching.");
139 { new_accumulator.non_shifted_evaluation, new_accumulator.shifted_evaluation },
140 { new_accumulator.non_shifted_commitment, new_accumulator.shifted_commitment });
171 auto num_rows = circuit.
op_queue->get_num_rows();
172 auto num_ops = circuit.
op_queue->get_current_subtable_size();
173 info(
"NUM ROWS WHEN ENTERING: ", num_rows);
174 info(
"NUM OPS WHEN ENTERING: ", num_ops);
182 MergeCommitments merge_commitments{ .T_prev_commitments = T_prev_commitments };
189 bool is_hiding_kernel = !
pcs_proof.empty();
191 switch (verifier_inputs.
type) {
193 BB_ASSERT_EQ(input_verifier_accumulator.has_value(),
false);
196 circuit, verifier_instance, accumulation_recursive_transcript, verifier_inputs.
proof);
205 input_verifier_accumulator,
207 accumulation_recursive_transcript,
208 verifier_inputs.
proof,
215 using ClaimBatch = ClaimBatcher::Batch;
224 input_verifier_accumulator,
226 accumulation_recursive_transcript,
227 verifier_inputs.
proof,
232 accumulation_recursive_transcript->load_proof(stdlib_pcs_proof);
238 ClaimBatcher claim_batcher{ .unshifted = ClaimBatch{ final_verifier_accumulator.batched_commitments[0],
239 final_verifier_accumulator.batched_evaluations[0] },
240 .shifted = ClaimBatch{ final_verifier_accumulator.batched_commitments[1],
241 final_verifier_accumulator.batched_evaluations[1] } };
242 const auto opening_claim = Shplemini::compute_batch_opening_claim(padding_indicator_array,
244 final_verifier_accumulator.challenge,
245 RecursiveCommitment::one(&circuit),
246 accumulation_recursive_transcript);
247 decider_pairing_points =
248 PCS::reduce_verify_batch_opening_claim(opening_claim, accumulation_recursive_transcript);
250 BB_ASSERT_EQ(output_verifier_accumulator.has_value(),
false);
254 throw_or_abort(
"Invalid queue type! Only OINK, PG, PG_TAIL and PG_FINAL are supported");
260 std::vector<StdlibFF> public_inputs =
std::move(verifier_instance->public_inputs);
270 kernel_input.
kernel_return_data.incomplete_assert_equal(witness_commitments.calldata);
271 kernel_input.
app_return_data.incomplete_assert_equal(witness_commitments.secondary_calldata);
281 "Kernel circuits should be folded.");
284 ASSERT(prev_accum_hash.has_value());
287 if (!is_hiding_kernel) {
301 info(
"NUM ROWS DIFF: ", circuit.
op_queue->get_num_rows() - num_rows);
302 info(
"NUM OPS DIFF: ", circuit.
op_queue->get_current_subtable_size() - num_ops);
305 merge_commitments.t_commitments = witness_commitments.
get_ecc_op_wires().get_copy();
308 auto [pairing_points, merged_table_commitments] =
311 pairing_points.aggregate(nested_pairing_points);
312 if (is_hiding_kernel) {
313 pairing_points.aggregate(decider_pairing_points);
319 info(
"NUM ROWS DIFF AT THE END: ", circuit.
op_queue->get_num_rows() - num_rows);
320 info(
"NUM OPS DIFF AT THE END: ", circuit.
op_queue->get_current_subtable_size() - num_ops);
322 return { output_verifier_accumulator, pairing_points, merged_table_commitments };
348 bool is_init_kernel =
351 bool is_tail_kernel =
354 bool is_hiding_kernel =
361 if (is_tail_kernel) {
364 "tail kernel ecc ops table should be empty at this point");
375 if (!is_init_kernel) {
381 auto [output_stdlib_verifier_accumulator, pairing_points, merged_table_commitments] =
384 current_stdlib_verifier_accumulator,
386 accumulation_recursive_transcript);
387 points_accumulator.
aggregate(pairing_points);
389 T_prev_commitments = merged_table_commitments;
391 current_stdlib_verifier_accumulator = output_stdlib_verifier_accumulator;
396 if (is_hiding_kernel) {
397 BB_ASSERT_EQ(current_stdlib_verifier_accumulator.has_value(),
false);
398 HidingKernelIO hiding_output{ points_accumulator, T_prev_commitments };
401 BB_ASSERT_NEQ(current_stdlib_verifier_accumulator.has_value(),
false);
412 current_stdlib_verifier_accumulator->hash_through_transcript(
"", hash_transcript);
419 const std::shared_ptr<ProverInstance>& prover_instance,
421 const std::shared_ptr<Transcript>& transcript)
423 vinfo(
"computing sumcheck proof...");
430 prover_instance->gate_challenges =
431 transcript->template get_powers_of_challenge<FF>(
"Sumcheck:gate_challenge", virtual_log_n);
438 info(
"Dyadic size: ", prover_instance->dyadic_size());
440 .claimed_evaluations = decider_prover.
sumcheck_output.claimed_evaluations,
441 .full_batched_size = prover_instance->dyadic_size() };
453 const std::shared_ptr<VerifierInstance>& verifier_instance,
454 const std::shared_ptr<Transcript>& transcript,
464 verifier_instance->target_sum = 0;
466 verifier_instance->gate_challenges =
469 VerifierCommitments commitments{ verifier_instance->vk, verifier_instance->witness_commitments };
475 verifier_instance->relation_parameters, verifier_instance->gate_challenges, padding_indicator_array);
477 BB_ASSERT_EQ(sumcheck_output.
verified,
true,
"Sumcheck: Failed native first sumcheck verification.");
481 auto accumulator = output.batch(verifier_instance,
transcript);
488 const std::shared_ptr<Transcript>& transcript)
496 const std::shared_ptr<Transcript>& transcript)
498 vinfo(
"computing folding proof...");
517 .
challenge = incoming_accumulator.challenge,
518 .shifted_evaluation = incoming_accumulator.batched_evaluations[1],
519 .non_shifted_evaluation = incoming_accumulator.batched_evaluations[0],
520 .non_shifted_polynomial = incoming_accumulator.batched_polynomials[0],
521 .shifted_polynomial = incoming_accumulator.batched_polynomials[1],
522 .non_shifted_commitment = incoming_accumulator.batched_commitments[0],
523 .shifted_commitment = incoming_accumulator.batched_commitments[1],
524 .dyadic_size = incoming_accumulator.dyadic_size
537 .batched_evaluations = { new_accumulator.non_shifted_evaluation, new_accumulator.shifted_evaluation },
538 .batched_polynomials = { new_accumulator.non_shifted_polynomial, new_accumulator.shifted_polynomial },
539 .batched_commitments = { new_accumulator.non_shifted_commitment, new_accumulator.shifted_commitment },
540 .dyadic_size = new_accumulator.dyadic_size,
588 "SumcheckClientIVC: Attempting to accumulate more circuits than expected.");
590 ASSERT(precomputed_vk !=
nullptr,
"SumcheckClientIVC::accumulate - VK expected for the provided circuit");
615 auto verifier_transcript =
620 switch (queue_type) {
622 vinfo(
"Accumulating first app circuit with OINK");
623 BB_ASSERT_EQ(is_kernel,
false,
"First circuit accumulated must always be an app");
666 Point random_point = Point::random_element();
784 auto [mega_verified, T_prev_commitments] = verifier.template verify_proof<bb::HidingKernelIO>(proof.
mega_proof);
785 vinfo(
"Mega verified: ", mega_verified);
787 TableCommitments t_commitments = verifier.verifier_instance->witness_commitments.get_ecc_op_wires().get_copy();
792 vinfo(
"Goblin verified: ", goblin_verified);
795 return goblin_verified && mega_verified;
805 vinfo(
"prove PCS...");
818 prover_opening_claim =
821 vinfo(
"executed multivariate-to-univariate reduction");
822 Flavor::PCS::compute_opening_proof(
ck, prover_opening_claim,
transcript);
823 vinfo(
"computed opening proof");
838 proof.insert(proof.end(), mega_proof.begin(), mega_proof.end());
839 proof.insert(proof.end(), goblin_proof.merge_proof.begin(), goblin_proof.merge_proof.end());
841 proof.end(), goblin_proof.eccvm_proof.pre_ipa_proof.begin(), goblin_proof.eccvm_proof.pre_ipa_proof.end());
842 proof.insert(proof.end(), goblin_proof.eccvm_proof.ipa_proof.begin(), goblin_proof.eccvm_proof.ipa_proof.end());
843 proof.insert(proof.end(), goblin_proof.translator_proof.begin(), goblin_proof.translator_proof.end());
855 auto start_idx = fields.begin();
859 mega_proof.insert(mega_proof.end(), start_idx, end_idx);
881 return { mega_proof, goblin_proof };
887 msgpack::pack(
buffer, *
this);
893 msgpack::sbuffer
buffer = to_msgpack_buffer();
901 auto uint8_buffer = from_buffer<std::vector<uint8_t>>(
buffer);
903 msgpack::sbuffer sbuf;
904 sbuf.write(
reinterpret_cast<char*
>(uint8_buffer.data()), uint8_buffer.size());
906 return from_msgpack_buffer(sbuf);
911 msgpack::object_handle oh = msgpack::unpack(
buffer.data(),
buffer.size());
912 msgpack::object obj = oh.get();
920 msgpack::sbuffer
buffer = to_msgpack_buffer();
921 std::ofstream ofs(filename, std::ios::binary);
922 if (!ofs.is_open()) {
931 std::ifstream ifs(filename, std::ios::binary);
932 if (!ifs.is_open()) {
936 ifs.seekg(0, std::ios::end);
937 size_t file_size =
static_cast<size_t>(ifs.tellg());
938 ifs.seekg(0, std::ios::beg);
943 msgpack::sbuffer msgpack_buffer;
944 msgpack_buffer.write(
buffer.data(), file_size);
955 return { verification_key,
961 const std::shared_ptr<Transcript>& verifier_transcript)
965 auto incoming_accumulator =
970 auto [verified, new_accumulator] = batching_verifier.
verify_proof();
971 BB_ASSERT_EQ(verified,
true,
"Batching Sumcheck: Failed native sumcheck batching verification");
975 .batched_evaluations = { new_accumulator.non_shifted_evaluation, new_accumulator.shifted_evaluation },
976 .batched_commitments = { new_accumulator.non_shifted_commitment, new_accumulator.shifted_commitment },
#define BB_ASSERT_GT(left, right,...)
#define BB_ASSERT_NEQ(actual, expected,...)
#define BB_ASSERT_EQ(actual, expected,...)
#define BB_ASSERT_LT(left, right,...)
#define ASSERT(expression,...)
Common transcript class for both parties. Stores the data for the current round, as well as the manif...
static std::shared_ptr< BaseTranscript > convert_prover_transcript_to_verifier_transcript(const std::shared_ptr< BaseTranscript > &prover_transcript)
Convert a prover transcript to a verifier transcript.
bool has_dummy_witnesses() const
uint32_t zero_idx() const
CommitmentKey object over a pairing group 𝔾₁.
SumcheckOutput< Flavor > sumcheck_output
BB_PROFILE void execute_relation_check_rounds()
Run Sumcheck to establish that ∑_i pow(\vec{β*})f_i(ω) = e*. This results in u = (u_1,...
static constexpr size_t PROOF_LENGTH_WITHOUT_PUB_INPUTS
Class responsible for computation of the batched multilinear polynomials required by the Gemini proto...
void set_to_be_shifted_by_one(RefVector< Polynomial > polynomials)
void set_unshifted(RefVector< Polynomial > polynomials)
static bool verify(const GoblinProof &proof, const MergeCommitments &merge_commitments, const std::shared_ptr< Transcript > &transcript, const MergeSettings merge_settings=MergeSettings::PREPEND)
Verify a full Goblin proof (ECCVM, Translator, merge)
std::pair< PairingPoints, RecursiveTableCommitments > recursively_verify_merge(MegaBuilder &builder, const RecursiveMergeCommitments &merge_commitments, const std::shared_ptr< RecursiveTranscript > &transcript, const MergeSettings merge_settings=MergeSettings::PREPEND)
Recursively verify the next merge proof in the merge verification queue.
MergeVerifier::TableCommitments TableCommitments
void prove_merge(const std::shared_ptr< Transcript > &transcript=std::make_shared< Transcript >(), const MergeSettings merge_settings=MergeSettings::PREPEND)
Construct a merge proof for the goblin ECC ops in the provided circuit; append the proof to the merge...
GoblinProof prove(const MergeSettings merge_settings=MergeSettings::PREPEND)
Constuct a full Goblin proof (ECCVM, Translator, merge)
CommitmentKey< curve::BN254 > commitment_key
std::shared_ptr< Transcript > transcript
static constexpr size_t PUBLIC_INPUTS_SIZE
void queue_ecc_random_op()
Mechanism for populating two rows with randomness. This "operation" doesn't return a tuple representi...
ecc_op_tuple queue_ecc_mul_accum(const g1::affine_element &point, const FF &scalar, bool in_finalize=false)
Add point mul-then-accumulate operation to the op queue and add corresponding gates.
std::shared_ptr< ECCOpQueue > op_queue
ecc_op_tuple queue_ecc_eq(bool in_finalize=true)
Add point equality operation to the op queue based on the value of the internal accumulator and add c...
ecc_op_tuple queue_ecc_no_op()
Logic for a no-op operation.
Container for all witness polynomials used/constructed by the prover.
static constexpr size_t VIRTUAL_LOG_N
VerifierCommitments_< Commitment, VerificationKey > VerifierCommitments
static constexpr size_t VIRTUAL_LOG_N
MegaFlavor::VerifierCommitments_< Commitment, VerificationKey > VerifierCommitments
static constexpr size_t PROOF_LENGTH_WITHOUT_PUB_INPUTS(size_t virtual_log_n=MegaFlavor::VIRTUAL_LOG_N)
BB_PROFILE void compute_new_claim()
HonkProof construct_proof()
MultilinearBatchingProverClaim get_new_claim()
std::pair< bool, VerifierClaim > verify_proof()
Class for all the oink rounds, which are shared between the folding prover and ultra prover.
void prove()
Oink Prover function that runs all the rounds of the verifier.
Verifier class for all the presumcheck rounds, which are shared between the folding verifier and ultr...
void verify()
Oink Verifier function that runs all the rounds of the verifier.
Unverified claim (C,r,v) for some witness polynomial p(X) such that.
Polynomial p and an opening pair (r,v) such that p(r) = v.
static OpeningClaim prove(const FF circuit_size, PolynomialBatcher &polynomial_batcher, std::span< FF > multilinear_challenge, const CommitmentKey< Curve > &commitment_key, const std::shared_ptr< Transcript > &transcript, const std::array< Polynomial, NUM_SMALL_IPA_EVALUATIONS > &libra_polynomials={}, const std::vector< Polynomial > &sumcheck_round_univariates={}, const std::vector< std::array< FF, 3 > > &sumcheck_round_evaluations={})
An efficient verifier for the evaluation proofs of multilinear polynomials and their shifts.
VerificationKey get_vk() const
static VerifierAccumulator execute_first_sumcheck_native_verification(const std::shared_ptr< VerifierInstance > &verifier_instance, const std::shared_ptr< Transcript > &transcript, const HonkProof &proof)
MegaFlavor::CommitmentKey bn254_commitment_key
std::shared_ptr< Transcript > prover_accumulation_transcript
Proof prove()
Construct a proof for the IVC, which, if verified, fully establishes its correctness.
static void hide_op_queue_accumulation_result(ClientCircuit &circuit)
Add a valid operation with random data to the op queue to prevent information leakage in Translator p...
stdlib::recursion::PairingPoints< ClientCircuit > PairingPoints
void instantiate_stdlib_verification_queue(ClientCircuit &circuit, const std::vector< std::shared_ptr< RecursiveVKAndHash > > &input_keys={})
Instantiate a stdlib verification queue for use in the kernel completion logic.
std::shared_ptr< Transcript > transcript
QUEUE_TYPE get_queue_type() const
Get queue type for the proof of a circuit about to be accumulated based on num circuits accumulated s...
VerifierAccumulator recursive_verifier_native_accum
static RecursiveVerifierAccumulator perform_folding_recursive_verification(ClientCircuit &circuit, const std::optional< RecursiveVerifierAccumulator > &verifier_accumulator, const std::shared_ptr< RecursiveVerifierInstance > &verifier_instance, const std::shared_ptr< RecursiveTranscript > &transcript, const StdlibProof &proof, std::optional< StdlibFF > &prev_accum_hash, bool is_kernel)
static bool verify(const Proof &proof, const VerificationKey &vk)
std::array< RecursiveFlavor::Commitment, ClientCircuit::NUM_WIRES > TableCommitments
VerifierAccumulator native_verifier_accum
size_t num_circuits_accumulated
VerificationQueue verification_queue
void update_native_verifier_accumulator(const VerifierInputs &queue_entry, const std::shared_ptr< Transcript > &verifier_transcript)
Runs either Oink or PG native verifier to update the native verifier accumulator.
Flavor::Curve::AffineElement Point
ProverAccumulator prover_accumulator
HonkProof construct_sumcheck_proof(const std::shared_ptr< ProverInstance > &prover_instance, const std::shared_ptr< MegaVerificationKey > &honk_vk, const std::shared_ptr< Transcript > &transcript)
HonkProof construct_honk_proof_for_hiding_kernel(ClientCircuit &circuit, const std::shared_ptr< MegaVerificationKey > &verification_key)
Construct a zero-knowledge proof for the hiding circuit, which recursively verifies the last folding,...
static ProverAccumulator execute_first_sumcheck(const std::shared_ptr< ProverInstance > &prover_instance, const std::shared_ptr< MegaVerificationKey > &honk_vk, const std::shared_ptr< Transcript > &transcript)
std::tuple< std::optional< RecursiveVerifierAccumulator >, PairingPoints, TableCommitments > perform_recursive_verification_and_databus_consistency_checks(ClientCircuit &circuit, const StdlibVerifierInputs &verifier_inputs, const std::optional< RecursiveVerifierAccumulator > &input_verifier_accumulator, const TableCommitments &T_prev_commitments, const std::shared_ptr< RecursiveTranscript > &accumulation_recursive_transcript)
Populate the provided circuit with constraints for (1) recursive verification of the provided accumul...
HonkProof construct_folding_proof(const std::shared_ptr< ProverInstance > &prover_instance, const std::shared_ptr< MegaVerificationKey > &honk_vk, const std::shared_ptr< Transcript > &transcript)
HonkProof construct_pcs_proof(const std::shared_ptr< Transcript > &transcript)
Internal method for constructing a decider proof.
StdlibVerificationQueue stdlib_verification_queue
void accumulate(ClientCircuit &circuit, const std::shared_ptr< MegaVerificationKey > &precomputed_vk) override
Perform prover work for accumulation (e.g. PG folding, merge proving)
static void hide_op_queue_content_in_tail(ClientCircuit &circuit)
Adds three random ops to the tail kernel.
SumcheckClientIVC(size_t num_circuits)
void complete_kernel_circuit_logic(ClientCircuit &circuit)
Append logic to complete a kernel circuit.
static RecursiveVerifierAccumulator execute_first_sumcheck_recursive_verification(ClientCircuit &circuit, const std::shared_ptr< RecursiveVerifierInstance > &verifier_instance, const std::shared_ptr< RecursiveTranscript > &transcript, const StdlibProof &proof)
static void hide_op_queue_content_in_hiding(ClientCircuit &circuit)
Adds two random ops to the hiding kernel.
Implementation of the sumcheck Verifier for statements of the form for multilinear polynomials .
static constexpr size_t CONST_TRANSLATOR_LOG_N
static constexpr size_t PROOF_LENGTH_WITHOUT_PUB_INPUTS
Commitment get_kernel_return_data_commitment(Builder &builder)
Get the previously set kernel return data commitment if it exists, else a default one.
Commitment get_app_return_data_commitment(Builder &builder)
Get the previously set app return data commitment if it exists, else a default one.
void set_app_return_data_commitment(const Commitment &commitment)
void set_kernel_return_data_commitment(const Commitment &commitment)
Manages the data that is propagated on the public inputs of an application/function circuit.
void reconstruct_from_public(const std::vector< FF > &public_inputs)
Reconstructs the IO components from a public inputs array.
PairingInputs pairing_inputs
Manages the data that is propagated on the public inputs of a hiding kernel circuit.
Manages the data that is propagated on the public inputs of a kernel circuit.
void reconstruct_from_public(const std::vector< FF > &public_inputs)
Reconstructs the IO components from a public inputs array.
PairingInputs pairing_inputs
void set_public()
Set each IO component to be a public input of the underlying circuit.
TableCommitments ecc_op_tables
uint8_t buffer[RANDOM_BUFFER_SIZE]
std::array< typename bn254< Builder >::Group, Builder::NUM_WIRES > empty_ecc_op_tables(Builder &builder)
Construct commitments to empty subtables.
Entry point for Barretenberg command-line interface.
std::vector< fr > HonkProof
CommitmentKey< Curve > ck
VerifierCommitmentKey< Curve > vk
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
uint8_t * to_heap_buffer(T const &value)
Logic to support batching opening claims for unshifted and shifted polynomials in Shplemini.
HonkProof translator_proof
std::vector< FF > challenge
std::vector< FF > challenge
A full proof for the IVC scheme containing a Mega proof showing correctness of the hiding circuit (wh...
static constexpr size_t PROOF_LENGTH(size_t virtual_log_n=MegaZKFlavor::VIRTUAL_LOG_N)
The size of a ClientIVC proof with backend-added public inputs: HidingKernelIO.
static Proof from_msgpack_buffer(uint8_t const *&buffer)
static Proof from_file_msgpack(const std::string &filename)
static Proof from_field_elements(const std::vector< SumcheckClientIVC::FF > &fields)
msgpack::sbuffer to_msgpack_buffer() const
std::vector< FF > to_field_elements() const
Serialize proof to field elements.
void to_file_msgpack(const std::string &filename) const
uint8_t * to_msgpack_heap_buffer() const
Very quirky method to convert a msgpack buffer to a "heap" buffer.
std::array< FF, 2 > batched_evaluations
std::array< Commitment, 2 > batched_commitments
std::vector< FF > challenge
std::array< Polynomial< FF >, 2 > batched_polynomials
std::vector< StdlibFF > challenge
std::vector< FF > challenge
Contains the evaluations of multilinear polynomials at the challenge point . These are computed by S...
ClaimedEvaluations claimed_evaluations
std::vector< FF > challenge
static field random_element(numeric::RNG *engine=nullptr) noexcept
An object storing two EC points that represent the inputs to a pairing check.
void aggregate(PairingPoints const &other)
Compute a linear combination of the present pairing points with an input set of pairing points.
uint32_t set_public()
Set the witness indices for the limbs of the pairing points to public.
void throw_or_abort(std::string const &err)
1.9.8