Barretenberg: src/barretenberg/dsl/acir_format/honk_recursion_constraint.cpp Source File

// === AUDIT STATUS ===

// internal:    { status: completed, auditors: [Federico], commit: 8b4e1279ef130eeb18bce9ce2a9f0fa39a243697}

// external_1:  { status: not started, auditors: [], commit: }

// external_2:  { status: not started, auditors: [], commit: }

// =====================


#include "honk_recursion_constraint.hpp"

#include "barretenberg/common/assert.hpp"

#include "barretenberg/dsl/acir_format/mock_verifier_inputs.hpp"

#include "barretenberg/dsl/acir_format/utils.hpp"

#include "barretenberg/dsl/acir_format/witness_constant.hpp"

#include "barretenberg/flavor/flavor.hpp"

#include "barretenberg/flavor/ultra_recursive_flavor.hpp"

#include "barretenberg/flavor/ultra_zk_recursive_flavor.hpp"

#include "barretenberg/honk/proof_system/types/proof.hpp"

#include "barretenberg/stdlib/primitives/circuit_builders/circuit_builders_fwd.hpp"

#include "barretenberg/stdlib/special_public_inputs/special_public_inputs.hpp"

#include "barretenberg/ultra_honk/ultra_verifier.hpp"

#include "recursion_constraint.hpp"


#include <cstddef>


namespace acir_format {


using namespace bb;

using namespace bb::stdlib::recursion::honk;


template <typename Flavor, typename IO>


HonkRecursionConstraintOutput<typename Flavor::CircuitBuilder> create_honk_recursion_constraints(

    typename Flavor::CircuitBuilder& builder, const RecursionConstraint& input)

    requires(IsRecursiveFlavor<Flavor> && IsUltraHonk<typename Flavor::NativeFlavor>)

{

    using Builder = Flavor::CircuitBuilder;

    using field_ct = stdlib::field_t<Builder>;

    using bool_ct = bb::stdlib::bool_t<Builder>;

    using RecursiveVerificationKey = Flavor::VerificationKey;

    using RecursiveVKAndHash = Flavor::VKAndHash;

    using RecursiveVerifier = bb::UltraVerifier_<Flavor, IO>;

    using NativeFlavor = Flavor::NativeFlavor;

    using NativeVerificationKey = NativeFlavor::VerificationKey;


    BB_ASSERT(input.proof_type == HONK || input.proof_type == HONK_ZK || input.proof_type == ROLLUP_HONK ||

                  input.proof_type == ROOT_ROLLUP_HONK,

              "create_honk_recursion_constraints: Only HONK, HONK_ZK, ROLLUP_HONK, ROOT_ROLLUP_HONK proof types are "

              "supported.");

    BB_ASSERT_EQ(input.proof_type == ROLLUP_HONK || input.proof_type == ROOT_ROLLUP_HONK,

                 IO::HasIPA,

                 "create_honk_recursion_constraints: ROLLUP_HONK and ROOT_ROLLUP_HONK must be recursively verified "

                 "using an IO type with HasIPA=true.");


    // Step 1.

    // Construct in-circuit representations of the recursion data

    std::vector<field_ct> vk_fields = fields_from_witnesses(builder, input.key);

    field_ct vk_hash = field_ct::from_witness_index(&builder, input.key_hash);

    std::vector<field_ct> proof_fields =

        fields_from_witnesses(builder, add_public_inputs_to_proof(input.proof, input.public_inputs));

    bool_ct predicate(to_field_ct(input.predicate, builder)); // Constructor enforces predicate = 0 or 1


    // Determine the stdlib IO type for creating mock proofs/VKs (need add_default method)

    using StdlibIO = std::conditional_t<IO::HasIPA,

                                        stdlib::recursion::honk::RollupIO,

                                        stdlib::recursion::honk::DefaultIO<typename NativeFlavor::CircuitBuilder>>;


    // Construct a Honk proof and vk with the correct number of public inputs.

    // If we are in a write vk scenario, the proof and vk are not necessarily valid

    const auto [honk_proof_to_be_set,

                honk_vk_to_be_set] = [&]() -> std::pair<HonkProof, std::shared_ptr<NativeVerificationKey>> {

        if (builder.is_write_vk_mode()) {

            return std::make_pair(

                create_mock_honk_proof<NativeFlavor, StdlibIO>(/*acir_public_inputs_size=*/input.public_inputs.size()),

                create_mock_honk_vk<NativeFlavor, StdlibIO>(

                    /*dyadic_size=*/1 << NativeFlavor::VIRTUAL_LOG_N,

                    /*acir_public_inputs_size=*/input.public_inputs.size()));

        }


        return construct_arbitrary_valid_honk_proof_and_vk<NativeFlavor, StdlibIO>(

            /*acir_public_inputs_size=*/input.public_inputs.size());

    }();


    // Step 2.

    if (builder.is_write_vk_mode()) {

        // Set honk vk in builder

        populate_fields(builder, vk_fields, honk_vk_to_be_set->to_field_elements());


        // Set honk proof in builder

        populate_fields(builder, proof_fields, honk_proof_to_be_set);

    }


    // Step 3.

    if (!predicate.is_constant()) {

        // If the predicate is a witness, we conditionally assign a valid vk, proof and vk hash so that verification

        // succeeds. Note: in doing this, we create some new witnesses that are only used in the conditional assignment.

        // It would be optimal to hard-code these values in the selectors, but due to the randomness needed to generate

        // valid ZK proofs, we cannot do that without adding a dependency of the VKs on the witness values. Note that

        // the new witnesses are used only in the recursive verification when the predicate is set to true, so they

        // don't create a soundness issue and can be filled with anything - as long as they contain a valid vk, proof

        // and vk hash

        for (auto [vk_witness, vk_element] : zip_view(vk_fields, honk_vk_to_be_set->to_field_elements())) {

            field_ct valid_vk_witness = field_ct::from_witness(&builder, vk_element);

            valid_vk_witness.unset_free_witness_tag(); // Avoid tooling catching this as a free witness

            vk_witness = field_ct::conditional_assign(predicate, vk_witness, valid_vk_witness);

        }


        for (auto [proof_witness, proof_element] : zip_view(proof_fields, honk_proof_to_be_set)) {

            field_ct valid_proof_witness = field_ct::from_witness(&builder, proof_element);

            valid_proof_witness.unset_free_witness_tag(); // Avoid tooling catching this as a free witness

            proof_witness = field_ct::conditional_assign(predicate, proof_witness, valid_proof_witness);

        }


        field_ct valid_vk_hash = field_ct::from_witness(&builder, honk_vk_to_be_set->hash());

        valid_vk_hash.unset_free_witness_tag();

        vk_hash = field_ct::conditional_assign(predicate, vk_hash, valid_vk_hash);

    }


    // Recursively verify the proof

    auto vkey = std::make_shared<RecursiveVerificationKey>(vk_fields);

    auto vk_and_hash = std::make_shared<RecursiveVKAndHash>(vkey, vk_hash);

    RecursiveVerifier verifier(vk_and_hash);

    UltraRecursiveVerifierOutput<Builder> verifier_output = verifier.verify_proof(proof_fields);


#ifndef NDEBUG

    native_verification_debug<Flavor, IO>(vkey, vk_hash.get_value(), proof_fields);

#endif


    return verifier_output;

}


#ifndef NDEBUG

template <typename Flavor, typename IO>


void native_verification_debug(const std::shared_ptr<typename Flavor::VerificationKey> vkey,

                               const typename Flavor::NativeFlavor::FF vkey_hash,

                               const bb::stdlib::Proof<typename Flavor::CircuitBuilder>& proof_fields)

{

    using NativeVerificationKey = typename Flavor::NativeFlavor::VerificationKey;

    // Use RollupIO for native verification if IO::HasIPA is true, otherwise DefaultIO

    using NativeIO = std::conditional_t<IO::HasIPA, bb::RollupIO, bb::DefaultIO>;


    auto native_vkey = std::make_shared<NativeVerificationKey>(vkey->get_value());

    auto native_vk_and_hash = std::make_shared<typename Flavor::NativeFlavor::VKAndHash>(native_vkey, vkey_hash);

    const bool vkey_and_hash_match = native_vkey->hash() == vkey_hash;

    HonkProof native_proof = proof_fields.get_value();


    UltraVerifier_<typename Flavor::NativeFlavor, NativeIO> native_verifier(native_vk_and_hash);

    bool is_valid_proof = native_verifier.verify_proof(native_proof).result;


    info("===== HONK RECURSION CONSTRAINT DEBUG INFO =====");

    std::string flavor;

    if constexpr (IO::HasIPA) {

        flavor = "Ultra Flavor with IPA (Rollup)";

    } else if constexpr (Flavor::HasZK) {

        flavor = "Ultra ZK Flavor";

    } else {

        flavor = "Ultra Flavor";

    }

    info("Flavor used: ", flavor);

    info("Honk recursion constraint: native vk hash matches witness vk hash: ", vkey_and_hash_match ? "true" : "false");

    info("Honk recursion constraint: input proof verifies natively: ", is_valid_proof ? "true" : "false");

    info("===== END OF HONK RECURSION CONSTRAINT DEBUG INFO =====");

}


#endif


#define INSTANTIATE_HONK_RECURSION_CONSTRAINT(Flavor, IO)                                                              \

    template HonkRecursionConstraintOutput<typename Flavor::CircuitBuilder>                                            \

    create_honk_recursion_constraints<Flavor, IO>(typename Flavor::CircuitBuilder & builder,                           \

                                                  const RecursionConstraint& input);


INSTANTIATE_HONK_RECURSION_CONSTRAINT(UltraRecursiveFlavor_<UltraCircuitBuilder>,

                                      stdlib::recursion::honk::DefaultIO<UltraCircuitBuilder>)

INSTANTIATE_HONK_RECURSION_CONSTRAINT(UltraRecursiveFlavor_<UltraCircuitBuilder>, stdlib::recursion::honk::RollupIO)

INSTANTIATE_HONK_RECURSION_CONSTRAINT(UltraRecursiveFlavor_<MegaCircuitBuilder>,

                                      stdlib::recursion::honk::DefaultIO<MegaCircuitBuilder>)

INSTANTIATE_HONK_RECURSION_CONSTRAINT(UltraZKRecursiveFlavor_<MegaCircuitBuilder>,

                                      stdlib::recursion::honk::DefaultIO<MegaCircuitBuilder>)

INSTANTIATE_HONK_RECURSION_CONSTRAINT(UltraZKRecursiveFlavor_<UltraCircuitBuilder>,

                                      stdlib::recursion::honk::DefaultIO<UltraCircuitBuilder>)


#undef INSTANTIATE_HONK_RECURSION_CONSTRAINT


#ifndef NDEBUG


#define INSTANTIATE_NATIVE_VERIFICATION_DEBUG(Flavor, IO)                                                              \

    template void native_verification_debug<Flavor, IO>(const std::shared_ptr<typename Flavor::VerificationKey>,       \

                                                        const typename Flavor::NativeFlavor::FF vkey_hash,             \

                                                        const bb::stdlib::Proof<typename Flavor::CircuitBuilder>&);


INSTANTIATE_NATIVE_VERIFICATION_DEBUG(UltraRecursiveFlavor_<UltraCircuitBuilder>,

                                      stdlib::recursion::honk::DefaultIO<UltraCircuitBuilder>)

INSTANTIATE_NATIVE_VERIFICATION_DEBUG(UltraRecursiveFlavor_<UltraCircuitBuilder>, stdlib::recursion::honk::RollupIO)

INSTANTIATE_NATIVE_VERIFICATION_DEBUG(UltraRecursiveFlavor_<MegaCircuitBuilder>,

                                      stdlib::recursion::honk::DefaultIO<MegaCircuitBuilder>)

INSTANTIATE_NATIVE_VERIFICATION_DEBUG(UltraZKRecursiveFlavor_<MegaCircuitBuilder>,

                                      stdlib::recursion::honk::DefaultIO<MegaCircuitBuilder>)

INSTANTIATE_NATIVE_VERIFICATION_DEBUG(UltraZKRecursiveFlavor_<UltraCircuitBuilder>,

                                      stdlib::recursion::honk::DefaultIO<UltraCircuitBuilder>)


#undef INSTANTIATE_NATIVE_VERIFICATION_DEBUG


#endif


} // namespace acir_format

assert.hpp

BB_ASSERT
#define BB_ASSERT(expression,...)
Definition assert.hpp:70

BB_ASSERT_EQ
#define BB_ASSERT_EQ(actual, expected,...)
Definition assert.hpp:83

circuit_builders_fwd.hpp

bb::DefaultIO
Manages the data that is propagated on the public inputs of an application/function circuit.
Definition special_public_inputs.hpp:20

bb::ECCVMCircuitBuilder
Definition eccvm_circuit_builder.hpp:24

bb::ECCVMFlavor::CircuitBuilder
ECCVMCircuitBuilder CircuitBuilder
Definition eccvm_flavor.hpp:39

bb::MegaCircuitBuilder_
Definition mega_circuit_builder.hpp:19

bb::UltraCircuitBuilder_
Definition ultra_circuit_builder.hpp:40

bb::UltraRecursiveFlavor_
The recursive counterpart to the "native" Ultra flavor.
Definition ultra_recursive_flavor.hpp:28

bb::UltraVerifier_
Definition ultra_verifier.hpp:79

bb::UltraVerifier_::verify_proof
Output verify_proof(const Proof &proof)
Perform ultra verification.
Definition ultra_verifier.cpp:232

bb::UltraZKRecursiveFlavor_
The recursive counterpart to UltraZKFlavor.
Definition ultra_zk_recursive_flavor.hpp:18

bb::avm2::AvmFlavor::FF
AvmFlavorSettings::FF FF
Definition flavor.hpp:43

bb::avm2::AvmFlavor::VerificationKey
FixedVKAndHash_< PrecomputedEntities< Commitment >, FF, typename constraining::AvmHardCodedVKAndHash > VerificationKey
Verification key of the AVM. It is fixed and reconstructed from precomputed values.
Definition flavor.hpp:226

bb::avm2::AvmFlavor::HasZK
static constexpr bool HasZK
Definition flavor.hpp:57

bb::stdlib::Proof
A simple wrapper around a vector of stdlib field elements representing a proof.
Definition proof.hpp:19

bb::stdlib::Proof::get_value
HonkProof get_value() const
Definition proof.hpp:38

bb::stdlib::bool_t
Implements boolean logic in-circuit.
Definition bool.hpp:60

bb::stdlib::field_t< Builder >

bb::stdlib::field_t< Builder >::from_witness_index
static field_t from_witness_index(Builder *ctx, uint32_t witness_index)
Definition field.cpp:67

bb::stdlib::field_t::unset_free_witness_tag
void unset_free_witness_tag() const
Unset the free witness flag for the field element's tag.
Definition field.hpp:368

bb::stdlib::field_t::get_value
bb::fr get_value() const
Given a := *this, compute its value given by a.v * a.mul + a.add.
Definition field.cpp:836

bb::stdlib::field_t< Builder >::from_witness
static field_t from_witness(Builder *ctx, const bb::fr &input)
Definition field.hpp:466

bb::stdlib::field_t< Builder >::conditional_assign
static field_t conditional_assign(const bool_t< Builder > &predicate, const field_t &lhs, const field_t &rhs)
Definition field.hpp:384

bb::stdlib::recursion::honk::DefaultIO
Manages the data that is propagated on the public inputs of an application/function circuit.
Definition special_public_inputs.hpp:154

bb::stdlib::recursion::honk::RollupIO
The data that is propagated on the public inputs of a rollup circuit.
Definition special_public_inputs.hpp:347

zip_view
Definition zip_view.hpp:166

info
#define info(...)
Definition log.hpp:93

builder
AluTraceBuilder builder
Definition alu.test.cpp:124

utils.hpp

flavor.hpp
Base class templates shared across Honk flavors.

proof.hpp

honk_recursion_constraint.hpp

mock_verifier_inputs.hpp

acir_format
Definition acir_format.cpp:30

acir_format::INSTANTIATE_NATIVE_VERIFICATION_DEBUG
stdlib::recursion::honk::DefaultIO< MegaCircuitBuilder > INSTANTIATE_NATIVE_VERIFICATION_DEBUG(UltraZKRecursiveFlavor_< MegaCircuitBuilder >, stdlib::recursion::honk::DefaultIO< MegaCircuitBuilder >) INSTANTIATE_NATIVE_VERIFICATION_DEBUG(UltraZKRecursiveFlavor_< UltraCircuitBuilder >

acir_format::HONK_ZK
@ HONK_ZK
Definition recursion_constraint.hpp:33

acir_format::ROOT_ROLLUP_HONK
@ ROOT_ROLLUP_HONK
Definition recursion_constraint.hpp:33

acir_format::HONK
@ HONK
Definition recursion_constraint.hpp:33

acir_format::ROLLUP_HONK
@ ROLLUP_HONK
Definition recursion_constraint.hpp:33

acir_format::populate_fields
void populate_fields(Builder &builder, const std::vector< field_t< Builder > > &fields, const std::vector< bb::fr > &values)
========== WRITE_VK UTILITIES ========== ///
Definition utils.cpp:78

acir_format::fields_from_witnesses
std::vector< field_t< Builder > > fields_from_witnesses(Builder &builder, std::span< const uint32_t > witness_indices)
========== ACIR TO BARRETENBERG ========== ///
Definition utils.cpp:16

acir_format::native_verification_debug
void native_verification_debug(const std::shared_ptr< typename Flavor::VerificationKey > vkey, const typename Flavor::NativeFlavor::FF vkey_hash, const bb::stdlib::Proof< typename Flavor::CircuitBuilder > &proof_fields)
Natively verify the stdlib proof for debugging.
Definition honk_recursion_constraint.cpp:133

acir_format::add_public_inputs_to_proof
std::vector< uint32_t > add_public_inputs_to_proof(const std::vector< uint32_t > &proof_in, const std::vector< uint32_t > &public_inputs)
Reconstruct a barretenberg style proof from an ACIR style proof + public inputs.
Definition utils.cpp:40

acir_format::create_honk_recursion_constraints
HonkRecursionConstraintOutput< typename Flavor::CircuitBuilder > create_honk_recursion_constraints(typename Flavor::CircuitBuilder &builder, const RecursionConstraint &input)
Add to the builder the constraints to recursively verify a Honk proof.
Definition honk_recursion_constraint.cpp:29

acir_format::INSTANTIATE_HONK_RECURSION_CONSTRAINT
stdlib::recursion::honk::DefaultIO< MegaCircuitBuilder > INSTANTIATE_HONK_RECURSION_CONSTRAINT(UltraZKRecursiveFlavor_< MegaCircuitBuilder >, stdlib::recursion::honk::DefaultIO< MegaCircuitBuilder >) INSTANTIATE_HONK_RECURSION_CONSTRAINT(UltraZKRecursiveFlavor_< UltraCircuitBuilder >

acir_format::to_field_ct
bb::stdlib::field_t< Builder > to_field_ct(const WitnessOrConstant< typename Builder::FF > &input, Builder &builder)
Definition witness_constant.hpp:39

bb::stdlib::recursion::honk
Definition graph_description_goblin.test.cpp:13

bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5

bb::HonkProof
std::vector< fr > HonkProof
Definition proof.hpp:15

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

recursion_constraint.hpp

special_public_inputs.hpp

acir_format::RecursionConstraint
RecursionConstraint struct contains information required to recursively verify a proof.
Definition recursion_constraint.hpp:119

bb::stdlib::recursion::honk::UltraRecursiveVerifierOutput
Output type for recursive ultra verification.
Definition ultra_verifier.hpp:25

ultra_recursive_flavor.hpp

ultra_verifier.hpp

ultra_zk_recursive_flavor.hpp

witness_constant.hpp