Barretenberg: src/barretenberg/chonk/chonk_verifier.cpp Source File

// === AUDIT STATUS ===

// internal:    { status: Complete, auditors: [Sergei], commit: }

// external_1:  { status: not started, auditors: [], commit: }

// external_2:  { status: not started, auditors: [], commit: }

// =====================


#include "chonk_verifier.hpp"

#include "barretenberg/commitment_schemes/ipa/ipa.hpp"

#include "barretenberg/commitment_schemes/verification_key.hpp"

#include "barretenberg/common/bb_bench.hpp"


namespace bb {


template <> ChonkVerifier<false>::IPAReductionResult ChonkVerifier<false>::reduce_to_ipa_claim(const Proof& proof)

{

    BB_BENCH_NAME("ChonkVerifier::reduce_to_ipa_claim");

    // Step 1: Verify the Hiding kernel proof (includes pairing check)

    HidingKernelVerifier verifier{ vk_and_hash, transcript };

    auto verifier_output = verifier.verify_proof(proof.mega_proof);

    if (!verifier_output.result) {

        info("ChonkVerifier: verification failed at MegaZK verification step");

        return { {}, {}, false };

    }


    // Extract public inputs and kernel data

    HidingKernelIO kernel_io;

    kernel_io.reconstruct_from_public(verifier.get_public_inputs());


    // Step 2: Perform databus consistency check

    const Commitment calldata_commitment = verifier.get_calldata_commitment();

    const Commitment return_data_commitment = kernel_io.kernel_return_data;

    bool databus_consistency_verified = (calldata_commitment == return_data_commitment);

    vinfo("ChonkVerifier: databus consistency verified: ", databus_consistency_verified);

    if (!databus_consistency_verified) {

        info("Chonk Verifier: verification failed at databus consistency check");

        return { {}, {}, false };

    }


    // Step 3: Goblin verification (merge, eccvm, translator)

    MergeCommitments merge_commitments{ .t_commitments = verifier.get_ecc_op_wires(),

                                        .T_prev_commitments = kernel_io.ecc_op_tables };

    GoblinVerifier goblin_verifier{ transcript, proof.goblin_proof, merge_commitments, MergeSettings::APPEND };

    GoblinReductionResult goblin_output = goblin_verifier.reduce_to_pairing_check_and_ipa_opening();


    if (!goblin_output.all_checks_passed) {

        info("ChonkVerifier: chonk verification failed at Goblin checks (merge/eccvm/translator reduction + pairing)");

        return { {}, {}, false };

    }


    return { std::move(goblin_output.ipa_claim), std::move(goblin_output.ipa_proof), true };

}


template <> ChonkVerifier<false>::Output ChonkVerifier<false>::verify(const Proof& proof)

{

    BB_BENCH_NAME("ChonkVerifier::verify");

    auto result = reduce_to_ipa_claim(proof);

    if (!result.all_checks_passed) {

        return false;

    }


    // Step 4: Verify IPA opening

    auto ipa_transcript = std::make_shared<Goblin::Transcript>(result.ipa_proof);

    auto ipa_vk = VerifierCommitmentKey<curve::Grumpkin>{ ECCVMFlavor::ECCVM_FIXED_SIZE };

    bool ipa_verified = IPA<curve::Grumpkin>::reduce_verify(ipa_vk, result.ipa_claim, ipa_transcript);

    vinfo("ChonkVerifier: Goblin IPA verified: ", ipa_verified);

    if (!ipa_verified) {

        info("ChonkVerifier: Chonk verification failed at IPA check");

        return false;

    }


    return true;

}


template <> ChonkVerifier<true>::Output ChonkVerifier<true>::verify(const Proof& proof)

{

    // Step 1: Reduce the Hiding kernel proof to pairing check

    HidingKernelVerifier verifier{ vk_and_hash, transcript };

    auto [mega_pcs_pairing_points, mega_reduction_succeeded] = verifier.reduce_to_pairing_check(proof.mega_proof);

    vinfo("ChonkRecursiveVerifier: MegaZK reduced to pairing check: ", mega_reduction_succeeded ? "true" : "false");


    // Extract public inputs and kernel data

    HidingKernelIO kernel_io;

    kernel_io.reconstruct_from_public(verifier.get_public_inputs());


    // Step 2: Perform databus consistency check (in-circuit)

    const Commitment calldata_commitment = verifier.get_calldata_commitment();

    if (kernel_io.kernel_return_data.get_value() != calldata_commitment.get_value()) {

        info("ChonkRecursiveVerifier: Databus Consistency check failure");

    }

    kernel_io.kernel_return_data.incomplete_assert_equal(calldata_commitment);


    // Step 3: Goblin verification (merge, eccvm, translator)

    MergeCommitments merge_commitments{ .t_commitments = verifier.get_ecc_op_wires(),

                                        .T_prev_commitments = kernel_io.ecc_op_tables };

    GoblinVerifier goblin_verifier{ transcript, proof.goblin_proof, merge_commitments, MergeSettings::APPEND };

    GoblinReductionResult goblin_output = goblin_verifier.reduce_to_pairing_check_and_ipa_opening();


    // Step 4: Batch aggregate all pairing points

    std::vector<PairingPoints> pairing_points_to_aggregate;

    pairing_points_to_aggregate.reserve(NUM_PAIRING_POINTS);


    // Collect all pairing points: PI, PCS, Merge, Translator

    pairing_points_to_aggregate.push_back(kernel_io.pairing_inputs);

    pairing_points_to_aggregate.push_back(std::move(mega_pcs_pairing_points));

    pairing_points_to_aggregate.push_back(std::move(goblin_output.merge_pairing_points));

    pairing_points_to_aggregate.push_back(std::move(goblin_output.translator_pairing_points));


    // Edge case handling disabled: Safe because:

    // 1. Verifier-computed points (PCS, Merge, Translator) are deterministic and won't collide

    // 2. PI points are added to to the result of batching of the above points, biggroup point addition gracefully

    // handles edge cases.

    constexpr bool handle_edge_cases = false;

    PairingPoints aggregated_pairing_points =

        PairingPoints::aggregate_multiple(pairing_points_to_aggregate, handle_edge_cases);


    // Return reduction result with aggregated pairing points

    return ReductionResult{ .pairing_points = std::move(aggregated_pairing_points),

                            .ipa_claim = std::move(goblin_output.ipa_claim),

                            .ipa_proof = std::move(goblin_output.ipa_proof),

                            .all_checks_passed = mega_reduction_succeeded && goblin_output.all_checks_passed };

}


template <>


ChonkVerifier<true>::IPAReductionResult ChonkVerifier<true>::reduce_to_ipa_claim([[maybe_unused]] const Proof& proof)

{

    throw_or_abort("reduce_to_ipa_claim is only available for native (non-recursive) ChonkVerifier");

}


// Template instantiations

template class ChonkVerifier<false>; // Native verifier

template class ChonkVerifier<true>;  // Recursive verifier


} // namespace bb

bb_bench.hpp

BB_BENCH_NAME
#define BB_BENCH_NAME(name)
Definition bb_bench.hpp:225

chonk_verifier.hpp

bb::ChonkVerifier
Verifier for Chonk IVC proofs (both native and recursive).
Definition chonk_verifier.hpp:43

bb::ChonkVerifier::Output
std::conditional_t< IsRecursive, ReductionResult, bool > Output
Definition chonk_verifier.hpp:72

bb::ChonkVerifier::HidingKernelVerifier
std::conditional_t< IsRecursive, bb::MegaZKRecursiveVerifier, bb::MegaZKVerifier > HidingKernelVerifier
Definition chonk_verifier.hpp:46

bb::ChonkVerifier::reduce_to_ipa_claim
IPAReductionResult reduce_to_ipa_claim(const Proof &proof)
Run Chonk verification up to but not including IPA, returning the IPA claim for deferred verification...

bb::ChonkVerifier::PairingPoints
typename GoblinVerifier::ReductionResult::PairingPoints PairingPoints
Definition chonk_verifier.hpp:52

bb::ChonkVerifier::MergeCommitments
typename GoblinVerifier::MergeVerifier::InputCommitments MergeCommitments
Definition chonk_verifier.hpp:55

bb::ChonkVerifier::verify
Output verify(const Proof &proof)
Verify a Chonk proof.

bb::ChonkVerifier::HidingKernelIO
std::conditional_t< IsRecursive, stdlib::recursion::honk::HidingKernelIO< Builder >, bb::HidingKernelIO > HidingKernelIO
Definition chonk_verifier.hpp:51

bb::ChonkVerifier::GoblinReductionResult
typename GoblinVerifier::ReductionResult GoblinReductionResult
Definition chonk_verifier.hpp:49

bb::ChonkVerifier::GoblinVerifier
std::conditional_t< IsRecursive, bb::GoblinRecursiveVerifier, bb::GoblinVerifier > GoblinVerifier
Definition chonk_verifier.hpp:47

bb::ChonkVerifier::Commitment
typename HidingKernelVerifier::Commitment Commitment
Definition chonk_verifier.hpp:75

bb::ChonkVerifier::Proof
std::conditional_t< IsRecursive, ChonkStdlibProof, ChonkProof > Proof
Definition chonk_verifier.hpp:76

bb::ECCVMFlavor::ECCVM_FIXED_SIZE
static constexpr size_t ECCVM_FIXED_SIZE
Definition eccvm_flavor.hpp:66

bb::IPA
IPA (inner product argument) commitment scheme class.
Definition ipa.hpp:86

bb::VerifierCommitmentKey
Representation of the Grumpkin Verifier Commitment Key inside a bn254 circuit.
Definition verifier_commitment_key.hpp:16

info
#define info(...)
Definition log.hpp:93

vinfo
#define vinfo(...)
Definition log.hpp:94

ipa.hpp

bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5

bb::APPEND
@ APPEND
Definition ecc_ops_table.hpp:21

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

bb::ChonkVerifier::IPAReductionResult
Result of reducing Chonk verification to an IPA opening claim (native mode only).
Definition chonk_verifier.hpp:112

bb::ChonkVerifier::ReductionResult
Result of Chonk verification reduction (recursive mode only)
Definition chonk_verifier.hpp:65

bb::ChonkVerifier::ReductionResult::pairing_points
PairingPoints pairing_points
Definition chonk_verifier.hpp:66

throw_or_abort
void throw_or_abort(std::string const &err)
Definition throw_or_abort.hpp:6

verification_key.hpp