Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
verifier.cpp
Go to the documentation of this file.
1#include "barretenberg/vm2/constraining/verifier.hpp"
2
3#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp"
4#include "barretenberg/common/log.hpp"
5#include "barretenberg/numeric/bitop/get_msb.hpp"
6#include "barretenberg/transcript/transcript.hpp"
7#include "barretenberg/vm2/common/constants.hpp"
8
9namespace bb::avm2 {
10
11AvmVerifier::AvmVerifier(std::shared_ptr<Flavor::VerificationKey> verifier_key)
12 : key(std::move(verifier_key))
13{}
14
15AvmVerifier::AvmVerifier(AvmVerifier&& other) noexcept
16 : key(std::move(other.key))
17 , transcript(std::move(other.transcript))
18{}
19
20AvmVerifier& AvmVerifier::operator=(AvmVerifier&& other) noexcept
21{
22 key = other.key;
23 transcript = other.transcript;
24 commitments.clear();
25 return *this;
26}
27
28using FF = AvmFlavor::FF;
29
30// Evaluate the given public input column over the multivariate challenge points
31inline FF AvmVerifier::evaluate_public_input_column(const std::vector<FF>& points, std::vector<FF> challenges)
32{
33 Polynomial<FF> polynomial(points, (1 << key->log_circuit_size));
34 return polynomial.evaluate_mle(challenges);
35}
36
41bool AvmVerifier::verify_proof(const HonkProof& proof, const std::vector<std::vector<FF>>& public_inputs)
42{
43 using Flavor = AvmFlavor;
44 using FF = Flavor::FF;
45 using Commitment = Flavor::Commitment;
46 using PCS = Flavor::PCS;
47 using Curve = Flavor::Curve;
48 using VerifierCommitments = Flavor::VerifierCommitments;
49 using Shplemini = ShpleminiVerifier_<Curve>;
50 using ClaimBatcher = ClaimBatcher_<Curve>;
51 using ClaimBatch = ClaimBatcher::Batch;
52 using VerifierCommitmentKey = typename Flavor::VerifierCommitmentKey;
53
54 RelationParameters<FF> relation_parameters;
55
56 transcript->load_proof(proof);
57
58 // TODO(#15892): Fiat-Shamir the vk hash by uncommenting the line below.
59 FF vk_hash = key->hash();
60 // transcript->add_to_hash_buffer("avm_vk_hash", vk_hash);
61 vinfo("AVM vk hash in verifier: ", vk_hash);
62
63 // Check public inputs size.
64 if (public_inputs.size() != AVM_NUM_PUBLIC_INPUT_COLUMNS) {
65 vinfo("Public inputs size mismatch");
66 return false;
67 }
68 // Public inputs from proof
69 for (size_t i = 0; i < AVM_NUM_PUBLIC_INPUT_COLUMNS; i++) {
70 if (public_inputs[i].size() != AVM_PUBLIC_INPUTS_COLUMNS_MAX_LENGTH) {
71 vinfo("Public input size mismatch");
72 return false;
73 }
74 // TODO(https://github.com/AztecProtocol/aztec-packages/pull/17045): make the protocols secure at some point
75 // for (size_t j = 0; j < public_inputs[i].size(); j++) {
76 // transcript->add_to_hash_buffer("public_input_" + std::to_string(i) + "_" + std::to_string(j),
77 // public_inputs[i][j]);
78 // }
79 }
80 VerifierCommitments commitments{ key };
81 // Get commitments to VM wires
82 for (auto [comm, label] : zip_view(commitments.get_wires(), commitments.get_wires_labels())) {
83 comm = transcript->template receive_from_prover<Commitment>(label);
84 }
85
86 auto [beta, gamm] = transcript->template get_challenges<FF>("beta", "gamma");
87 relation_parameters.beta = beta;
88 relation_parameters.gamma = gamm;
89
90 // Get commitments to inverses
91 for (auto [label, commitment] : zip_view(commitments.get_derived_labels(), commitments.get_derived())) {
92 commitment = transcript->template receive_from_prover<Commitment>(label);
93 }
94
95 // Execute Sumcheck Verifier
96 std::vector<FF> padding_indicator_array(key->log_circuit_size, 1);
97
98 // Multiply each linearly independent subrelation contribution by `alpha^i` for i = 0, ..., NUM_SUBRELATIONS - 1.
99 const FF alpha = transcript->template get_challenge<FF>("Sumcheck:alpha");
100
101 SumcheckVerifier<Flavor> sumcheck(transcript, alpha, key->log_circuit_size);
102
103 // Get the gate challenges for sumcheck computation
104 std::vector<FF> gate_challenges =
105 transcript->template get_powers_of_challenge<FF>("Sumcheck:gate_challenge", key->log_circuit_size);
106
107 SumcheckOutput<Flavor> output = sumcheck.verify(relation_parameters, gate_challenges, padding_indicator_array);
108
109 // If Sumcheck did not verify, return false
110 if (!output.verified) {
111 vinfo("Sumcheck verification failed");
112 return false;
113 }
114
115 using C = ColumnAndShifts;
116 std::array<FF, AVM_NUM_PUBLIC_INPUT_COLUMNS> claimed_evaluations = {
117 output.claimed_evaluations.get(C::public_inputs_cols_0_),
118 output.claimed_evaluations.get(C::public_inputs_cols_1_),
119 output.claimed_evaluations.get(C::public_inputs_cols_2_),
120 output.claimed_evaluations.get(C::public_inputs_cols_3_),
121 };
122 for (size_t i = 0; i < AVM_NUM_PUBLIC_INPUT_COLUMNS; i++) {
123 FF public_input_evaluation = evaluate_public_input_column(public_inputs[i], output.challenge);
124 if (public_input_evaluation != claimed_evaluations[i]) {
125 vinfo("public_input_evaluation failed, public inputs col ", i);
126 return false;
127 }
128 }
129
130 ClaimBatcher claim_batcher{
131 .unshifted = ClaimBatch{ .commitments = RefVector<Commitment>::from_span(commitments.get_unshifted()),
132 .evaluations = RefVector<FF>::from_span(output.claimed_evaluations.get_unshifted()) },
133 .shifted = ClaimBatch{ .commitments = RefVector<Commitment>::from_span(commitments.get_to_be_shifted()),
134 .evaluations = RefVector<FF>::from_span(output.claimed_evaluations.get_shifted()) }
135 };
136 const BatchOpeningClaim<Curve> opening_claim = Shplemini::compute_batch_opening_claim(
137 padding_indicator_array, claim_batcher, output.challenge, Commitment::one(), transcript);
138
139 const auto pairing_points = PCS::reduce_verify_batch_opening_claim(opening_claim, transcript);
140 VerifierCommitmentKey pcs_vkey{};
141 const auto shplemini_verified = pcs_vkey.pairing_check(pairing_points[0], pairing_points[1]);
142
143 if (!shplemini_verified) {
144 vinfo("Shplemini verification failed");
145 return false;
146 }
147
148 return true;
149}
150
151} // namespace bb::avm2
AVM_NUM_PUBLIC_INPUT_COLUMNS
#define AVM_NUM_PUBLIC_INPUT_COLUMNS
Definition aztec_constants.hpp:171
AVM_PUBLIC_INPUTS_COLUMNS_MAX_LENGTH
#define AVM_PUBLIC_INPUTS_COLUMNS_MAX_LENGTH
Definition aztec_constants.hpp:170
bb::Polynomial
Structured polynomial class that represents the coefficients 'a' of a_0 + a_1 x .....
Definition polynomial.hpp:75
bb::Polynomial::evaluate_mle
Fr evaluate_mle(std::span< const Fr > evaluation_points, bool shift=false) const
evaluate multi-linear extension p(X_0,…,X_{n-1}) = \sum_i a_i*L_i(X_0,…,X_{n-1}) at u = (u_0,...
Definition polynomial.cpp:205
bb::RefVector::from_span
static RefVector from_span(const std::span< T > &span)
Definition ref_vector.hpp:54
bb::ShpleminiVerifier_
An efficient verifier for the evaluation proofs of multilinear polynomials and their shifts.
Definition shplemini.hpp:189
bb::SumcheckVerifier
Implementation of the sumcheck Verifier for statements of the form for multilinear polynomials .
Definition sumcheck.hpp:698
bb::SumcheckVerifier::verify
SumcheckOutput< Flavor > verify(const bb::RelationParameters< FF > &relation_parameters, std::vector< FF > &gate_challenges, const std::vector< FF > &padding_indicator_array)
Extract round univariate, check sum, generate challenge, compute next target sum.....
Definition sumcheck.hpp:771
bb::avm2::AvmFlavor::FF
AvmFlavorSettings::FF FF
Definition flavor.hpp:36
bb::avm2::AvmFlavor::VerifierCommitmentKey
AvmFlavorSettings::VerifierCommitmentKey VerifierCommitmentKey
Definition flavor.hpp:43
bb::avm2::AvmFlavor::VerifierCommitments
VerifierCommitments_< Commitment, VerificationKey > VerifierCommitments
Definition flavor.hpp:353
bb::avm2::AvmFlavor::PCS
AvmFlavorSettings::PCS PCS
Definition flavor.hpp:34
bb::avm2::AvmFlavor::Commitment
AvmFlavorSettings::Commitment Commitment
Definition flavor.hpp:40
bb::avm2::AvmFlavor::Curve
AvmFlavorSettings::Curve Curve
Definition flavor.hpp:32
bb::avm2::AvmVerifier::AvmVerifier
AvmVerifier(std::shared_ptr< VerificationKey > verifier_key)
Definition verifier.cpp:11
bb::avm2::AvmVerifier::transcript
std::shared_ptr< Transcript > transcript
Definition verifier.hpp:31
bb::avm2::AvmVerifier::operator=
AvmVerifier & operator=(const AvmVerifier &other)=delete
bb::avm2::AvmVerifier::evaluate_public_input_column
FF evaluate_public_input_column(const std::vector< FF > &points, std::vector< FF > challenges)
Definition verifier.cpp:31
bb::avm2::AvmVerifier::key
std::shared_ptr< VerificationKey > key
Definition verifier.hpp:29
bb::avm2::AvmVerifier::verify_proof
virtual bool verify_proof(const HonkProof &proof, const std::vector< std::vector< FF > > &public_inputs)
This function verifies an Avm Honk proof for given program settings.
Definition verifier.cpp:41
bb::avm2::AvmVerifier::commitments
std::map< std::string, Commitment > commitments
Definition verifier.hpp:30
bb::avm2::AvmVerifier::Commitment
Flavor::Commitment Commitment
Definition verifier.hpp:12
zip_view
Definition zip_view.hpp:166
vinfo
#define vinfo(...)
Definition log.hpp:79
get_msb.hpp
key
FF key
Definition indexed_memory_tree.test.cpp:18
bb::avm2::ColumnAndShifts
ColumnAndShifts
Definition columns.hpp:34
bb::avm2::FF
AvmFlavorSettings::FF FF
Definition field.hpp:10
bb::HonkProof
std::vector< fr > HonkProof
Definition proof.hpp:15
std
STL namespace.
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
bb::BatchOpeningClaim
An accumulator consisting of the Shplonk evaluation challenge and vectors of commitments and scalars.
Definition claim.hpp:169
bb::ClaimBatcher_
Logic to support batching opening claims for unshifted and shifted polynomials in Shplemini.
Definition claim_batcher.hpp:28
bb::RelationParameters
Container for parameters used by the grand product (permutation, lookup) Honk relations.
Definition relation_parameters.hpp:19
bb::SumcheckOutput
Contains the evaluations of multilinear polynomials at the challenge point . These are computed by S...
Definition sumcheck_output.hpp:22
bb::SumcheckOutput::claimed_evaluations
ClaimedEvaluations claimed_evaluations
Definition sumcheck_output.hpp:30
bb::SumcheckOutput::challenge
std::vector< FF > challenge
Definition sumcheck_output.hpp:28