goblin_verifier.test.cpp

Go to the documentation of this file.

#include "barretenberg/goblin/goblin_verifier.hpp"
#include "barretenberg/circuit_checker/circuit_checker.hpp"
#include "barretenberg/common/test.hpp"
#include "barretenberg/goblin/goblin.hpp"
#include "barretenberg/goblin/mock_circuits.hpp"
#include "barretenberg/srs/global_crs.hpp"
#include "barretenberg/stdlib/honk_verifier/ultra_verification_keys_comparator.hpp"
#include "barretenberg/ultra_honk/ultra_prover.hpp"
#include "barretenberg/ultra_honk/ultra_verifier.hpp"
 
namespace bb::stdlib::recursion::honk {
class GoblinRecursiveVerifierTests : public testing::Test {
  public:
    using Builder = UltraCircuitBuilder;
    using ECCVMVK = Goblin::ECCVMVerificationKey;
    using TranslatorVK = Goblin::TranslatorVerificationKey;
 
    using OuterFlavor = UltraFlavor;
    using OuterProver = UltraProver_<OuterFlavor>;
    using OuterVerifier = UltraRollupVerifier;
    using OuterProverInstance = ProverInstance_<OuterFlavor>;
 
    using Commitment = MergeVerifier::Commitment;
    using RecursiveCommitment = bb::GoblinRecursiveVerifier::MergeVerifier::Commitment;
    using MergeCommitments = MergeVerifier::InputCommitments;
    using RecursiveMergeCommitments = bb::GoblinRecursiveVerifier::MergeVerifier::InputCommitments;
    using Transcript = UltraStdlibTranscript;
    using FF = TranslatorFlavor::FF;
    static void SetUpTestSuite() { bb::srs::init_file_crs_factory(bb::srs::bb_crs_path()); }
 
    struct ProverOutput {
        GoblinProof proof;
        MergeCommitments merge_commitments;
        RecursiveMergeCommitments recursive_merge_commitments;
    };
    static void tamper_with_op_commitment(MergeCommitments& merge_commitments)
    {
        // The first commitment in merged table is the `op` wire commitment
        merge_commitments.t_commitments[0] = merge_commitments.t_commitments[0] * FF(2);
    };
 
    // ECCVM pre-IPA proof ends with evaluations including `op`. We tamper with the `op` evaluation.
    // The structure is: [..., op_eval, x_lo_y_hi_eval, x_hi_z_1_eval, y_lo_z_2_eval, IPA_proof...]
    // So op_eval is 3 fields before the IPA proof starts.
    static void tamper_with_eccvm_op_eval(HonkProof& eccvm_proof)
    {
        // The `op` evaluation is located 3 evaluations before the end of pre-IPA proof
        // (followed by x_lo_y_hi, x_hi_z_1, y_lo_z_2 evaluations)
        static constexpr size_t evals_after_op = 3; // x_lo_y_hi, x_hi_z_1, y_lo_z_2
        const size_t op_eval_idx = eccvm_proof.size() - evals_after_op;
 
        // Tamper with the op evaluation
        eccvm_proof[op_eval_idx] += FF(1);
    };
 
    static ProverOutput create_goblin_prover_output(Builder* outer_builder = nullptr, const size_t num_circuits = 5)
    {
 
        Goblin goblin;
        GoblinMockCircuits::construct_and_merge_mock_circuits(goblin, num_circuits);
 
        // Merge the ecc ops from the newly constructed circuit
        auto goblin_proof = goblin.prove();
        // Subtable values and commitments - needed for (Recursive)MergeVerifier
        MergeCommitments merge_commitments;
        auto t_current = goblin.op_queue->construct_current_ultra_ops_subtable_columns();
        auto T_prev = goblin.op_queue->construct_previous_ultra_ops_table_columns();
        CommitmentKey<curve::BN254> pcs_commitment_key(goblin.op_queue->get_ultra_ops_table_num_rows());
        for (size_t idx = 0; idx < MegaFlavor::NUM_WIRES; idx++) {
            merge_commitments.t_commitments[idx] = pcs_commitment_key.commit(t_current[idx]);
            merge_commitments.T_prev_commitments[idx] = pcs_commitment_key.commit(T_prev[idx]);
        }
 
        RecursiveMergeCommitments recursive_merge_commitments;
        if (outer_builder != nullptr) {
            for (size_t idx = 0; idx < MegaFlavor::NUM_WIRES; idx++) {
                recursive_merge_commitments.t_commitments[idx] =
                    RecursiveCommitment::from_witness(outer_builder, merge_commitments.t_commitments[idx]);
                recursive_merge_commitments.T_prev_commitments[idx] =
                    RecursiveCommitment::from_witness(outer_builder, merge_commitments.T_prev_commitments[idx]);
                // Removing the free witness tag, since the merge commitments in the full scheme are supposed to
                // be fiat-shamirred earlier
                recursive_merge_commitments.t_commitments[idx].unset_free_witness_tag();
                recursive_merge_commitments.T_prev_commitments[idx].unset_free_witness_tag();
            }
        }
 
        // Output is a goblin proof plus merge commitments
        return { goblin_proof, merge_commitments, recursive_merge_commitments };
    }
};
 
TEST_F(GoblinRecursiveVerifierTests, NativeVerification)
{
    auto [proof, merge_commitments, _] = create_goblin_prover_output();
 
    auto transcript = std::make_shared<NativeTranscript>();
    bb::GoblinVerifier verifier(transcript, proof, merge_commitments, MergeSettings::APPEND);
    auto result = verifier.reduce_to_pairing_check_and_ipa_opening();
 
    // Check pairing points (aggregate merge + translator)
    result.translator_pairing_points.aggregate(result.merge_pairing_points);
    bool pairing_verified = result.translator_pairing_points.check();
 
    // Verify IPA opening
    auto ipa_transcript = std::make_shared<NativeTranscript>(result.ipa_proof);
    auto ipa_vk = VerifierCommitmentKey<curve::Grumpkin>{ ECCVMFlavor::ECCVM_FIXED_SIZE };
    bool ipa_verified = IPA<curve::Grumpkin>::reduce_verify(ipa_vk, result.ipa_claim, ipa_transcript);
 
    EXPECT_TRUE(pairing_verified && ipa_verified);
}
 
TEST_F(GoblinRecursiveVerifierTests, Basic)
{
    Builder builder;
 
    auto [proof, merge_commitments, recursive_merge_commitments] = create_goblin_prover_output(&builder);
 
    auto transcript = std::make_shared<Transcript>();
    GoblinStdlibProof stdlib_proof(builder, proof);
    bb::GoblinRecursiveVerifier verifier{
        transcript, stdlib_proof, recursive_merge_commitments, MergeSettings::APPEND
    };
    auto output = verifier.reduce_to_pairing_check_and_ipa_opening();
 
    // Aggregate merge + translator pairing points
    output.translator_pairing_points.aggregate(output.merge_pairing_points);
 
    stdlib::recursion::honk::RollupIO inputs;
    inputs.pairing_inputs = output.translator_pairing_points;
    inputs.ipa_claim = output.ipa_claim;
    inputs.set_public();
 
    builder.ipa_proof = output.ipa_proof.get_value();
 
    info("Recursive Verifier: num gates = ", builder.num_gates());
 
    EXPECT_EQ(builder.failed(), false) << builder.err();
 
    EXPECT_TRUE(CircuitChecker::check(builder));
 
    // Construct and verify a proof for the Goblin Recursive Verifier circuit
    {
        auto prover_instance = std::make_shared<OuterProverInstance>(builder);
        auto verification_key =
            std::make_shared<typename OuterFlavor::VerificationKey>(prover_instance->get_precomputed());
        auto vk_and_hash = std::make_shared<typename OuterFlavor::VKAndHash>(verification_key);
        OuterProver prover(prover_instance, verification_key);
        OuterVerifier verifier(vk_and_hash);
        auto proof = prover.construct_proof();
        bool verified = verifier.verify_proof(proof).result;
 
        ASSERT_TRUE(verified);
    }
}
 
// Check that the GoblinRecursiveVerifier circuit does not depend on the inputs.
TEST_F(GoblinRecursiveVerifierTests, IndependentVKHash)
{
    // Retrieves the trace blocks (each consisting of a specific gate) from the recursive verifier circuit
    auto get_blocks = [](size_t inner_size)
        -> std::tuple<typename Builder::ExecutionTrace, std::shared_ptr<OuterFlavor::VerificationKey>> {
        Builder builder;
 
        auto [proof, merge_commitments, recursive_merge_commitments] =
            create_goblin_prover_output(&builder, inner_size);
 
        auto transcript = std::make_shared<Transcript>();
        GoblinStdlibProof stdlib_proof(builder, proof);
        bb::GoblinRecursiveVerifier verifier{
            transcript, stdlib_proof, recursive_merge_commitments, MergeSettings::APPEND
        };
        auto output = verifier.reduce_to_pairing_check_and_ipa_opening();
 
        // Aggregate merge + translator pairing points
        output.translator_pairing_points.aggregate(output.merge_pairing_points);
 
        stdlib::recursion::honk::RollupIO inputs;
        inputs.pairing_inputs = output.translator_pairing_points;
        inputs.ipa_claim = output.ipa_claim;
        inputs.set_public();
 
        builder.ipa_proof = output.ipa_proof.get_value();
 
        info("Recursive Verifier: num gates = ", builder.num_gates());
 
        // Construct and verify a proof for the Goblin Recursive Verifier circuit
        auto prover_instance = std::make_shared<OuterProverInstance>(builder);
        auto outer_verification_key =
            std::make_shared<typename OuterFlavor::VerificationKey>(prover_instance->get_precomputed());
        auto vk_and_hash = std::make_shared<typename OuterFlavor::VKAndHash>(outer_verification_key);
        OuterProver prover(prover_instance, outer_verification_key);
        OuterVerifier outer_verifier(vk_and_hash);
        return { builder.blocks, outer_verification_key };
    };
 
    auto [blocks_5, verification_key_5] = get_blocks(5);
    auto [blocks_6, verification_key_6] = get_blocks(6);
 
    compare_ultra_blocks_and_verification_keys<OuterFlavor>({ blocks_5, blocks_6 },
                                                            { verification_key_5, verification_key_6 });
}
 
TEST_F(GoblinRecursiveVerifierTests, MergeToTranslatorBindingFailure)
{
    auto [proof, merge_commitments, _] = create_goblin_prover_output();
 
    // Tamper with the op commitment in merge commitments (used by Translator verifier)
    MergeCommitments tampered_merge_commitments = merge_commitments;
    tamper_with_op_commitment(tampered_merge_commitments);
    Builder builder;
 
    RecursiveMergeCommitments recursive_merge_commitments;
    for (size_t idx = 0; idx < MegaFlavor::NUM_WIRES; idx++) {
        recursive_merge_commitments.t_commitments[idx] =
            RecursiveCommitment::from_witness(&builder, tampered_merge_commitments.t_commitments[idx]);
        recursive_merge_commitments.T_prev_commitments[idx] =
            RecursiveCommitment::from_witness(&builder, tampered_merge_commitments.T_prev_commitments[idx]);
        recursive_merge_commitments.t_commitments[idx].fix_witness();
        recursive_merge_commitments.T_prev_commitments[idx].fix_witness();
    }
 
    auto transcript = std::make_shared<Transcript>();
    GoblinStdlibProof stdlib_proof(builder, proof);
    bb::GoblinRecursiveVerifier verifier{
        transcript, stdlib_proof, recursive_merge_commitments, MergeSettings::APPEND
    };
    auto goblin_rec_verifier_output = verifier.reduce_to_pairing_check_and_ipa_opening();
 
    // Aggregate merge + translator pairing points
    goblin_rec_verifier_output.translator_pairing_points.aggregate(goblin_rec_verifier_output.merge_pairing_points);
 
    // Circuit is correct but pairing check should fail
    EXPECT_TRUE(CircuitChecker::check(builder));
 
    // Check that the pairing fails natively
    bb::PairingPoints<curve::BN254> native_pairing_points(
        goblin_rec_verifier_output.translator_pairing_points.P0().get_value(),
        goblin_rec_verifier_output.translator_pairing_points.P1().get_value());
    bool pairing_result = native_pairing_points.check();
    EXPECT_FALSE(pairing_result);
}
 
TEST_F(GoblinRecursiveVerifierTests, ECCVMToTranslatorBindingFailure)
{
    Builder builder;
 
    auto [proof, merge_commitments, recursive_merge_commitments] = create_goblin_prover_output(&builder);
 
    // Tamper with the `op` evaluation in the ECCVM proof
    tamper_with_eccvm_op_eval(proof.eccvm_proof);
 
    auto transcript = std::make_shared<Transcript>();
    GoblinStdlibProof stdlib_proof(builder, proof);
    bb::GoblinRecursiveVerifier verifier{
        transcript, stdlib_proof, recursive_merge_commitments, MergeSettings::APPEND
    };
    [[maybe_unused]] auto goblin_rec_verifier_output = verifier.reduce_to_pairing_check_and_ipa_opening();
 
    EXPECT_FALSE(CircuitChecker::check(builder));
}
} // namespace bb::stdlib::recursion::honk