Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
hypernova_verifier.cpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: Complete, auditors: [Sergei], commit: }
3// external_1: { status: not started, auditors: [], commit: }
4// external_2: { status: not started, auditors: [], commit: }
5// =====================
6
7#include "barretenberg/hypernova/hypernova_verifier.hpp"
8#include "barretenberg/honk/proof_length.hpp"
9#include "barretenberg/hypernova/hypernova_batching_challenges.hpp"
10
11namespace bb {
12
13template <typename Flavor_>
14template <size_t N>
15HypernovaFoldingVerifier<Flavor_>::Commitment HypernovaFoldingVerifier<Flavor_>::batch_mul(
16 const RefArray<Commitment, N>& _points, const std::vector<FF>& scalars)
17{
18 std::vector<Commitment> points(N);
19 for (size_t idx = 0; idx < N; ++idx) {
20 points[idx] = _points[idx];
21 }
22 return Commitment::batch_mul(points, scalars);
23}
24
25template <typename Flavor>
26HypernovaFoldingVerifier<Flavor>::Accumulator HypernovaFoldingVerifier<Flavor>::sumcheck_output_to_accumulator(
27 HypernovaFoldingVerifier<Flavor>::MegaSumcheckOutput& sumcheck_output,
28 const std::shared_ptr<HypernovaFoldingVerifier::VerifierInstance>& instance)
29{
30 BB_BENCH_NAME("HypernovaFoldingVerifier::sumcheck_output_to_accumulator");
31
32 // Generate challenges to batch shifted and unshifted polynomials/commitments/evaluation
33 auto [unshifted_challenges, shifted_challenges] =
34 get_hypernova_batching_challenges<FF>(transcript, NUM_UNSHIFTED_ENTITIES, NUM_SHIFTED_ENTITIES);
35
36 // Batch evaluations
37 FF batched_unshifted_evaluation(0);
38 FF batched_shifted_evaluation(0);
39
40 for (auto [eval, challenge] : zip_view(sumcheck_output.claimed_evaluations.get_unshifted(), unshifted_challenges)) {
41 batched_unshifted_evaluation += eval * challenge;
42 }
43 for (auto [eval, challenge] : zip_view(sumcheck_output.claimed_evaluations.get_shifted(), shifted_challenges)) {
44 batched_shifted_evaluation += eval * challenge;
45 }
46
47 // Batch commitments
48 VerifierCommitments verifier_commitments(instance->get_vk(), instance->witness_commitments);
49
50 Commitment batched_unshifted_commitment = batch_mul(verifier_commitments.get_unshifted(), unshifted_challenges);
51 Commitment batched_shifted_commitment = batch_mul(verifier_commitments.get_to_be_shifted(), shifted_challenges);
52
53 return Accumulator{ .challenge = sumcheck_output.challenge,
54 .non_shifted_evaluation = batched_unshifted_evaluation,
55 .shifted_evaluation = batched_shifted_evaluation,
56 .non_shifted_commitment = batched_unshifted_commitment,
57 .shifted_commitment = batched_shifted_commitment };
58};
59
60template <typename Flavor>
61SumcheckOutput<Flavor> HypernovaFoldingVerifier<Flavor>::sumcheck_on_incoming_instance(
62 const std::shared_ptr<typename HypernovaFoldingVerifier::VerifierInstance>& instance,
63 const Proof& proof,
64 size_t num_public_inputs)
65{
66 BB_BENCH_NAME("HypernovaFoldingVerifier::sumcheck_on_incoming_instance");
67
68 vinfo("HypernovaFoldingVerifier: verifying Oink proof...");
69 // Complete the incoming verifier instance
70 transcript->load_proof(proof);
71
72 OinkVerifier verifier{ instance, transcript, num_public_inputs };
73 verifier.verify();
74
75 instance->gate_challenges = transcript->template get_dyadic_powers_of_challenge<FF>(
76 "HypernovaFoldingProver:gate_challenge", Flavor::VIRTUAL_LOG_N);
77
78 // Sumcheck verification
79 vinfo("HypernovaFoldingVerifier: verifying Sumcheck to turn instance into an accumulator...");
80
81 std::vector<FF> padding_indicator_array(Flavor::VIRTUAL_LOG_N, 1);
82 SumcheckVerifier sumcheck(transcript, instance->alpha, Flavor::VIRTUAL_LOG_N);
83 SumcheckOutput<Flavor> sumcheck_output =
84 sumcheck.verify(instance->relation_parameters, instance->gate_challenges, padding_indicator_array);
85
86 return sumcheck_output;
87};
88
89template <typename Flavor>
90std::pair<bool, typename HypernovaFoldingVerifier<Flavor>::Accumulator> HypernovaFoldingVerifier<Flavor>::
91 instance_to_accumulator(const std::shared_ptr<typename HypernovaFoldingVerifier::VerifierInstance>& instance,
92 const Proof& proof)
93{
94 BB_BENCH_NAME("HypernovaFoldingVerifier::instance_to_accumulator");
95
96 // Derive num_public_inputs from proof size (instance-to-accum proof structure)
97 const size_t num_public_inputs =
98 ProofLength::HypernovaInstanceToAccum<Flavor>::derive_num_public_inputs(proof.size(), Flavor::VIRTUAL_LOG_N);
99
100 auto sumcheck_output = sumcheck_on_incoming_instance(instance, proof, num_public_inputs);
101
102 auto accumulator = sumcheck_output_to_accumulator(sumcheck_output, instance);
103
104 if (sumcheck_output.verified) {
105 vinfo("HypernovaFoldingVerifier: Successfully turned instance into accumulator.");
106 } else {
107 vinfo("HypernovaFoldingVerifier: Failed to recursively verify Sumcheck to turn instance into an accumulator. "
108 "Ignore if generating the VKs");
109 }
110
111 return { sumcheck_output.verified, accumulator };
112};
113
114template <typename Flavor>
115std::tuple<bool, bool, typename HypernovaFoldingVerifier<Flavor>::Accumulator> HypernovaFoldingVerifier<
116 Flavor>::verify_folding_proof(const std::shared_ptr<typename HypernovaFoldingVerifier::VerifierInstance>& instance,
117 const HypernovaFoldingVerifier::Proof& proof)
118{
119 BB_BENCH_NAME("HypernovaFoldingVerifier::verify_folding_proof");
120
121 vinfo("HypernovaFoldingVerifier: verifying folding proof...");
122
123 // Derive num_public_inputs from proof size (folding proof structure includes batching)
124 const size_t num_public_inputs =
125 ProofLength::HypernovaFolding<Flavor, MultilinearBatchingFlavor>::derive_num_public_inputs(
126 proof.size(), Flavor::VIRTUAL_LOG_N);
127
128 auto sumcheck_output = sumcheck_on_incoming_instance(instance, proof, num_public_inputs);
129
130 // Generate challenges to batch shifted and unshifted polynomials/commitments/evaluation
131 const auto [unshifted_challenges, shifted_challenges] =
132 get_hypernova_batching_challenges<FF>(transcript, NUM_UNSHIFTED_ENTITIES, NUM_SHIFTED_ENTITIES);
133
134 VerifierCommitments verifier_commitments(instance->get_vk(), instance->witness_commitments);
135
136 MultilinearBatchingVerifier batching_verifier(transcript);
137 auto [sumcheck_batching_result, new_accumulator] =
138 batching_verifier.verify_proof(sumcheck_output, verifier_commitments, unshifted_challenges, shifted_challenges);
139
140 if (sumcheck_output.verified && sumcheck_batching_result) {
141 vinfo("HypernovaFoldingVerifier: successfully verified folding proof.");
142 } else if (!sumcheck_output.verified) {
143 vinfo("HypernovaFoldingVerifier: Failed to recursively verify Sumcheck to turn instance into an accumulator. "
144 "Ignore if generating the VKs");
145 } else {
146 vinfo("HypernovaFoldingVerifier: Failed to recursively verify Sumcheck to batch two accumulators. Ignore if "
147 "generating the VKs");
148 }
149
150 return { sumcheck_output.verified, sumcheck_batching_result, new_accumulator };
151};
152
153template class HypernovaFoldingVerifier<MegaRecursiveFlavor_<MegaCircuitBuilder>>;
154template class HypernovaFoldingVerifier<MegaFlavor>;
155} // namespace bb
instance
std::shared_ptr< Napi::ThreadSafeFunction > instance
Definition avm_simulate_napi.cpp:128
BB_BENCH_NAME
#define BB_BENCH_NAME(name)
Definition bb_bench.hpp:225
bb::ECCVMFlavor::VerifierCommitments_
Definition eccvm_flavor.hpp:913
bb::HypernovaFoldingVerifier
HyperNova folding verifier (native + recursive). Verifies folding proofs and maintains accumulators.
Definition hypernova_verifier.hpp:22
bb::HypernovaFoldingVerifier::Proof
std::conditional_t< IsRecursiveFlavor< Flavor >, stdlib::Proof< MegaCircuitBuilder >, HonkProof > Proof
Definition hypernova_verifier.hpp:39
bb::HypernovaFoldingVerifier::instance_to_accumulator
std::pair< bool, Accumulator > instance_to_accumulator(const std::shared_ptr< VerifierInstance > &instance, const Proof &proof)
Turn an instance into an accumulator by executing sumcheck.
Definition hypernova_verifier.cpp:91
bb::HypernovaFoldingVerifier::batch_mul
Commitment batch_mul(const RefArray< Commitment, N > &_points, const std::vector< FF > &scalars)
Utility to perform batch mul of commitments.
Definition hypernova_verifier.cpp:15
bb::HypernovaFoldingVerifier::sumcheck_output_to_accumulator
Accumulator sumcheck_output_to_accumulator(MegaSumcheckOutput &sumcheck_output, const std::shared_ptr< VerifierInstance > &instance)
Convert the output of the sumcheck run on the incoming instance into an accumulator.
Definition hypernova_verifier.cpp:26
bb::HypernovaFoldingVerifier::sumcheck_on_incoming_instance
SumcheckOutput< Flavor > sumcheck_on_incoming_instance(const std::shared_ptr< VerifierInstance > &instance, const Proof &proof, size_t num_public_inputs)
Perform sumcheck on the incoming instance.
Definition hypernova_verifier.cpp:61
bb::MultilinearBatchingVerifier
Multilinear batching verifier. Verifies claim reduction via sumcheck.
Definition multilinear_batching_verifier.hpp:25
bb::MultilinearBatchingVerifier::verify_proof
std::pair< bool, VerifierClaim > verify_proof(SumcheckOutput< InstanceFlavor > &instance_sumcheck, InstanceCommitments &verifier_commitments, const std::vector< InstanceFF > &unshifted_challenges, const std::vector< InstanceFF > &shifted_challenges)
Definition multilinear_batching_verifier.cpp:116
bb::OinkVerifier
Verifier counterpart to OinkProver: receives witness commitments, computes relation parameters,...
Definition oink_verifier.hpp:30
bb::OinkVerifier::verify
void verify(bool emit_alpha=true)
Receive witness commitments, compute relation parameters, and prepare for Sumcheck.
Definition oink_verifier.cpp:23
bb::RefArray
A template class for a reference array. Behaves as if std::array<T&, N> was possible.
Definition ref_array.hpp:22
bb::SumcheckVerifier
Implementation of the sumcheck Verifier for statements of the form for multilinear polynomials .
Definition sumcheck.hpp:747
bb::SumcheckVerifier::verify
SumcheckOutput< Flavor > verify(const bb::RelationParameters< FF > &relation_parameters, const std::vector< FF > &gate_challenges, const std::vector< FF > &padding_indicator_array)
The Sumcheck verification method. First it extracts round univariate, checks sum (the sumcheck univar...
Definition sumcheck.hpp:803
zip_view
Definition zip_view.hpp:166
vinfo
#define vinfo(...)
Definition log.hpp:94
hypernova_batching_challenges.hpp
hypernova_verifier.hpp
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
proof_length.hpp
bb::MultilinearBatchingVerifierClaim
Verifier's claim for multilinear batching - contains commitments and evaluation claims.
Definition multilinear_batching_claims.hpp:18
bb::ProofLength::HypernovaFolding::derive_num_public_inputs
static constexpr size_t derive_num_public_inputs(size_t proof_size, size_t log_n)
Definition proof_length.hpp:182
bb::ProofLength::HypernovaInstanceToAccum::derive_num_public_inputs
static constexpr size_t derive_num_public_inputs(size_t proof_size, size_t log_n)
Definition proof_length.hpp:144
bb::SumcheckOutput
Contains the evaluations of multilinear polynomials at the challenge point . These are computed by S...
Definition sumcheck_output.hpp:22
bb::SumcheckOutput::claimed_evaluations
ClaimedEvaluations claimed_evaluations
Definition sumcheck_output.hpp:30
bb::SumcheckOutput::challenge
std::vector< FF > challenge
Definition sumcheck_output.hpp:28