Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
hypernova_verifier.test.cpp
Go to the documentation of this file.
1#include "barretenberg/hypernova/hypernova_verifier.hpp"
2#include "barretenberg/circuit_checker/circuit_checker.hpp"
3#include "barretenberg/hypernova/hypernova_prover.hpp"
4#include "barretenberg/stdlib_circuit_builders/mega_circuit_builder.hpp"
5#include "barretenberg/stdlib_circuit_builders/mock_circuits.hpp"
6#include "gtest/gtest.h"
7
8using namespace bb;
9
10// TODO(https://github.com/AztecProtocol/barretenberg/issues/1553): improve testing
11class HypernovaFoldingVerifierTests : public ::testing::Test {
12 protected:
13 static void SetUpTestSuite() { bb::srs::init_file_crs_factory(bb::srs::bb_crs_path()); }
14
15 public:
16 // Recursive verifier
17 using RecursiveHypernovaVerifier = HypernovaFoldingVerifier<bb::MegaRecursiveFlavor_<bb::MegaCircuitBuilder>>;
18 using RecursiveFlavor = RecursiveHypernovaVerifier::Flavor;
19 using RecursiveVerifierInstance = RecursiveHypernovaVerifier::VerifierInstance;
20 using Builder = RecursiveFlavor::CircuitBuilder;
21 using RecursiveTranscript = RecursiveHypernovaVerifier::Transcript;
22 using RecursiveProof = RecursiveHypernovaVerifier::Proof;
23
24 // Native verifier
25 using NativeHypernovaVerifier = HypernovaFoldingVerifier<bb::MegaFlavor>;
26 using NativeFlavor = NativeHypernovaVerifier::Flavor;
27 using NativeFF = NativeFlavor::FF;
28 using NativeVerifierAccumulator = NativeHypernovaVerifier::Accumulator;
29 using NativeVerificationKey = NativeFlavor::VerificationKey;
30 using NativeVerifierInstance = NativeHypernovaVerifier::VerifierInstance;
31 using NativeTranscript = NativeHypernovaVerifier::Transcript;
32
33 // Prover
34 using HypernovaFoldingProver = bb::HypernovaFoldingProver;
35 using NativeProverAccumulator = HypernovaFoldingProver::Accumulator;
36 using ProverInstance = HypernovaFoldingProver::ProverInstance;
37
38 enum class TamperingMode : uint8_t {
39 None,
40 Instance,
41 };
42
55
56 static bool compare_prover_verifier_accumulators(const NativeProverAccumulator& lhs,
57 const NativeVerifierAccumulator& rhs)
58 {
59 for (size_t idx = 0; auto [challenge_lhs, challenge_rhs] : zip_view(lhs.challenge, rhs.challenge)) {
60 if (challenge_lhs != challenge_rhs) {
61 info("Mismatch in the challenges at index ", idx);
62 return false;
63 }
64 }
65 if (lhs.non_shifted_commitment != rhs.non_shifted_commitment) {
66 info("Mismatch in the unshifted commitments");
67 return false;
68 }
69 if (lhs.shifted_commitment != rhs.shifted_commitment) {
70 info("Mismatch in the shifted commitments");
71 return false;
72 }
73 if (lhs.non_shifted_evaluation != rhs.non_shifted_evaluation) {
74 info("Mismatch in the unshifted evaluations");
75 return false;
76 }
77 if (lhs.shifted_evaluation != rhs.shifted_evaluation) {
78 info("Mismatch in the shifted evaluations");
79 return false;
80 }
81 return true;
82 }
83
88 static std::shared_ptr<RecursiveVerifierInstance> create_recursive_verifier_instance(
89 Builder* builder, const std::shared_ptr<NativeVerifierInstance>& native_instance)
90 {
91 using FF = RecursiveFlavor::FF;
92 using Commitment = RecursiveFlavor::Commitment;
93 using VerificationKey = RecursiveFlavor::VerificationKey;
94 using VKAndHash = RecursiveFlavor::VKAndHash;
95
96 // Create recursive VK from native VK
97 auto recursive_vk =
98 std::make_shared<VKAndHash>(std::make_shared<VerificationKey>(builder, native_instance->get_vk()),
99 FF::from_witness(builder, native_instance->get_vk()->hash()));
100
101 // Create recursive instance with the recursive VK
102 auto recursive_instance = std::make_shared<RecursiveVerifierInstance>(recursive_vk);
103
104 // Convert alpha
105 recursive_instance->alpha = FF::from_witness(builder, native_instance->alpha);
106
107 // Convert witness commitments
108 auto native_comms = native_instance->witness_commitments.get_all();
109 for (auto [native_comm, recursive_comm] :
110 zip_view(native_comms, recursive_instance->witness_commitments.get_all())) {
111 recursive_comm = Commitment::from_witness(builder, native_comm);
112 }
113
114 // Convert gate challenges
115 recursive_instance->gate_challenges = std::vector<FF>(native_instance->gate_challenges.size());
116 for (auto [native_challenge, recursive_challenge] :
117 zip_view(native_instance->gate_challenges, recursive_instance->gate_challenges)) {
118 recursive_challenge = FF::from_witness(builder, native_challenge);
119 }
120
121 // Convert relation parameters
122 recursive_instance->relation_parameters.eta =
123 FF::from_witness(builder, native_instance->relation_parameters.eta);
124 recursive_instance->relation_parameters.eta_two =
125 FF::from_witness(builder, native_instance->relation_parameters.eta_two);
126 recursive_instance->relation_parameters.eta_three =
127 FF::from_witness(builder, native_instance->relation_parameters.eta_three);
128 recursive_instance->relation_parameters.beta =
129 FF::from_witness(builder, native_instance->relation_parameters.beta);
130 recursive_instance->relation_parameters.gamma =
131 FF::from_witness(builder, native_instance->relation_parameters.gamma);
132 recursive_instance->relation_parameters.public_input_delta =
133 FF::from_witness(builder, native_instance->relation_parameters.public_input_delta);
134
135 // For ZK flavors: convert gemini_masking_commitment
136 if constexpr (NativeFlavor::HasZK) {
137 recursive_instance->gemini_masking_commitment =
138 Commitment::from_witness(builder, native_instance->gemini_masking_commitment);
139 }
140
141 return recursive_instance;
142 }
143
144 static void tampering(std::shared_ptr<ProverInstance>& instance, const TamperingMode& mode)
145 {
146 switch (mode) {
147 case TamperingMode::None:
148 break;
149 case TamperingMode::Instance:
150 // Tamper with the instance by changing w_l. This should invalidate the first sumcheck
151 instance->polynomials.w_l.at(1) = NativeFF::random_element();
152 break;
153 }
154 };
155
166 static TranscriptManifest build_expected_folding_manifest()
167 {
168 TranscriptManifest manifest;
169 constexpr size_t frs_per_G = FrCodec::calc_num_fields<curve::BN254::AffineElement>();
170 constexpr size_t NUM_SUMCHECK_UNIVARIATES = NativeFlavor::VIRTUAL_LOG_N; // 21
171
172 size_t round = 0;
173
174 // Round 0: Oink preamble + wires + ECC ops + databus -> eta challenge
175 manifest.add_challenge(round, "eta");
176 manifest.add_entry(round, "vk_hash", 1);
177 for (size_t i = 0; i < 4; ++i) {
178 manifest.add_entry(round, "public_input_" + std::to_string(i), 1);
179 }
180 for (const auto& wire : { "W_L", "W_R", "W_O" }) {
181 manifest.add_entry(round, wire, frs_per_G);
182 }
183 for (const auto& wire : { "ECC_OP_WIRE_1", "ECC_OP_WIRE_2", "ECC_OP_WIRE_3", "ECC_OP_WIRE_4" }) {
184 manifest.add_entry(round, wire, frs_per_G);
185 }
186 for (const auto& bus : { "CALLDATA", "SECONDARY_CALLDATA", "RETURN_DATA" }) {
187 manifest.add_entry(round, bus, frs_per_G);
188 manifest.add_entry(round, std::string(bus) + "_READ_COUNTS", frs_per_G);
189 manifest.add_entry(round, std::string(bus) + "_READ_TAGS", frs_per_G);
190 }
191 round++;
192
193 // Round 1: lookup + w_4 -> beta, gamma challenges
194 manifest.add_challenge(round, std::array{ "beta", "gamma" });
195 manifest.add_entry(round, "LOOKUP_READ_COUNTS", frs_per_G);
196 manifest.add_entry(round, "LOOKUP_READ_TAGS", frs_per_G);
197 manifest.add_entry(round, "W_4", frs_per_G);
198 round++;
199
200 // Round 2: inverses + z_perm -> alpha + gate_challenge (consecutive challenges in same round)
201 manifest.add_challenge(round, "alpha");
202 manifest.add_challenge(round, "HypernovaFoldingProver:gate_challenge");
203 manifest.add_entry(round, "LOOKUP_INVERSES", frs_per_G);
204 manifest.add_entry(round, "CALLDATA_INVERSES", frs_per_G);
205 manifest.add_entry(round, "SECONDARY_CALLDATA_INVERSES", frs_per_G);
206 manifest.add_entry(round, "RETURN_DATA_INVERSES", frs_per_G);
207 manifest.add_entry(round, "Z_PERM", frs_per_G);
208 round++;
209
210 // Rounds 3-23: main sumcheck univariates (21 rounds)
211 for (size_t i = 0; i < NUM_SUMCHECK_UNIVARIATES; ++i) {
212 manifest.add_challenge(round, "Sumcheck:u_" + std::to_string(i));
213 manifest.add_entry(round, "Sumcheck:univariate_" + std::to_string(i), 8);
214 round++;
215 }
216
217 // Round 24: unshifted batching challenges + shifted batching challenges + evaluations
218 for (size_t i = 0; i < MegaFlavor::NUM_UNSHIFTED_ENTITIES - 1; ++i) {
219 manifest.add_challenge(round, "unshifted_challenge_" + std::to_string(i));
220 }
221 for (size_t i = 0; i < MegaFlavor::NUM_SHIFTED_ENTITIES - 1; ++i) {
222 manifest.add_challenge(round, "shifted_challenge_" + std::to_string(i));
223 }
224 manifest.add_entry(round, "Sumcheck:evaluations", 60);
225 round++;
226
227 // Round 25: Sumcheck:alpha + MLB accumulator data (Sumcheck:alpha is consecutive challenge)
228 manifest.add_challenge(round, "Sumcheck:alpha");
229 manifest.add_entry(round, "non_shifted_accumulator_commitment", frs_per_G);
230 manifest.add_entry(round, "shifted_accumulator_commitment", frs_per_G);
231 for (size_t i = 0; i < NUM_SUMCHECK_UNIVARIATES; ++i) {
232 manifest.add_entry(round, "accumulator_challenge_" + std::to_string(i), 1);
233 }
234 manifest.add_entry(round, "accumulator_evaluation_0", 1);
235 manifest.add_entry(round, "accumulator_evaluation_1", 1);
236 round++;
237
238 // Rounds 26-46: MLB sumcheck univariates (21 rounds)
239 for (size_t i = 0; i < NUM_SUMCHECK_UNIVARIATES; ++i) {
240 manifest.add_challenge(round, "Sumcheck:u_" + std::to_string(i));
241 manifest.add_entry(round, "Sumcheck:univariate_" + std::to_string(i), 4);
242 round++;
243 }
244
245 // Round 47: final evaluations + claim_batching_challenge
246 manifest.add_challenge(round, "claim_batching_challenge");
247 manifest.add_entry(round, "Sumcheck:evaluations", 6);
248
249 return manifest;
250 }
251
252 static void test_folding(const TamperingMode& mode)
253 {
254 // Generate accumulator
255 auto instance = generate_new_instance();
256 auto transcript = std::make_shared<NativeTranscript>();
257
258 bb::HypernovaFoldingProver prover(transcript);
259 auto accumulator = prover.instance_to_accumulator(instance);
260
261 // Folding
262 auto incoming_instance = generate_new_instance(5);
263 tampering(incoming_instance, mode);
264 auto incoming_vk = std::make_shared<NativeVerificationKey>(incoming_instance->get_precomputed());
265 auto incoming_verifier_instance =
266 std::make_shared<NativeVerifierInstance>(std::make_shared<NativeFlavor::VKAndHash>(incoming_vk));
267
268 auto folding_transcript = std::make_shared<NativeTranscript>();
269 HypernovaFoldingProver folding_prover(folding_transcript);
270 auto [folding_proof, folded_accumulator] = folding_prover.fold(std::move(accumulator), incoming_instance);
271
272 // Natively verify the folding (with manifest tracking)
273 auto native_verifier_transcript = std::make_shared<NativeTranscript>();
274 native_verifier_transcript->enable_manifest();
275 NativeHypernovaVerifier native_verifier(native_verifier_transcript);
276 auto [first_sumcheck_native, second_sumcheck_native, folded_verifier_accumulator_native] =
277 native_verifier.verify_folding_proof(incoming_verifier_instance, folding_proof);
278
279 // Recursively verify the folding
280 Builder builder;
281
282 auto stdlib_incoming_instance = create_recursive_verifier_instance(&builder, incoming_verifier_instance);
283 auto recursive_verifier_transcript = std::make_shared<RecursiveTranscript>();
284 RecursiveHypernovaVerifier recursive_verifier(recursive_verifier_transcript);
285 RecursiveProof proof(builder, folding_proof);
286 auto [first_sumcheck_recursive, second_sumcheck_recursive, folded_verifier_accumulator] =
287 recursive_verifier.verify_folding_proof(stdlib_incoming_instance, proof);
288
289 // If the instance has been tampered with, then the first sumcheck should fail (hence the circuit is not
290 // satisfied), but the second should pass
291 EXPECT_EQ(bb::CircuitChecker::check(builder), mode == TamperingMode::None);
292 EXPECT_EQ(first_sumcheck_recursive, mode == TamperingMode::None);
293 EXPECT_EQ(first_sumcheck_recursive, first_sumcheck_native);
294 EXPECT_TRUE(second_sumcheck_recursive);
295 EXPECT_EQ(second_sumcheck_recursive, second_sumcheck_native);
296 EXPECT_TRUE(compare_prover_verifier_accumulators(
297 folded_accumulator, folded_verifier_accumulator.get_value<NativeVerifierAccumulator>()));
298
299 // Pin the folding transcript manifest (only check when not tampering)
300 if (mode == TamperingMode::None) {
301 auto expected_manifest = build_expected_folding_manifest();
302 auto verifier_manifest = native_verifier_transcript->get_manifest();
303 EXPECT_EQ(verifier_manifest, expected_manifest);
304 }
305 }
306};
307
308TEST_F(HypernovaFoldingVerifierTests, Fold)
309{
310 test_folding(TamperingMode::None);
311}
312
313TEST_F(HypernovaFoldingVerifierTests, TamperInstance)
314{
315 BB_DISABLE_ASSERTS();
316 test_folding(TamperingMode::Instance);
317}
BB_DISABLE_ASSERTS
#define BB_DISABLE_ASSERTS()
Definition assert.hpp:33
instance
std::shared_ptr< Napi::ThreadSafeFunction > instance
Definition avm_simulate_napi.cpp:128
circuit_checker.hpp
HypernovaFoldingVerifierTests::NativeVerificationKey
NativeFlavor::VerificationKey NativeVerificationKey
Definition hypernova_verifier.test.cpp:29
HypernovaFoldingVerifierTests::tampering
static void tampering(std::shared_ptr< ProverInstance > &instance, const TamperingMode &mode)
Definition hypernova_verifier.test.cpp:144
HypernovaFoldingVerifierTests::generate_new_instance
static std::shared_ptr< ProverInstance > generate_new_instance(size_t log_num_gates=4)
Definition hypernova_verifier.test.cpp:43
HypernovaFoldingVerifierTests::create_recursive_verifier_instance
static std::shared_ptr< RecursiveVerifierInstance > create_recursive_verifier_instance(Builder *builder, const std::shared_ptr< NativeVerifierInstance > &native_instance)
Test helper to create a recursive verifier instance from a native one.
Definition hypernova_verifier.test.cpp:88
HypernovaFoldingVerifierTests::RecursiveFlavor
RecursiveHypernovaVerifier::Flavor RecursiveFlavor
Definition hypernova_verifier.test.cpp:18
HypernovaFoldingVerifierTests::build_expected_folding_manifest
static TranscriptManifest build_expected_folding_manifest()
Build the expected transcript manifest for HyperNova folding.
Definition hypernova_verifier.test.cpp:166
HypernovaFoldingVerifierTests::test_folding
static void test_folding(const TamperingMode &mode)
Definition hypernova_verifier.test.cpp:252
HypernovaFoldingVerifierTests::NativeFlavor
NativeHypernovaVerifier::Flavor NativeFlavor
Definition hypernova_verifier.test.cpp:26
HypernovaFoldingVerifierTests::Builder
RecursiveFlavor::CircuitBuilder Builder
Definition hypernova_verifier.test.cpp:20
HypernovaFoldingVerifierTests::compare_prover_verifier_accumulators
static bool compare_prover_verifier_accumulators(const NativeProverAccumulator &lhs, const NativeVerifierAccumulator &rhs)
Definition hypernova_verifier.test.cpp:56
HypernovaFoldingVerifierTests::RecursiveProof
RecursiveHypernovaVerifier::Proof RecursiveProof
Definition hypernova_verifier.test.cpp:22
bb::BaseTranscript
Common transcript class for both parties. Stores the data for the current round, as well as the manif...
Definition transcript.hpp:41
bb::HypernovaFoldingProver
HyperNova folding prover. Folds circuit instances into accumulators, deferring PCS verification.
Definition hypernova_prover.hpp:38
bb::HypernovaFoldingProver::Accumulator
MultilinearBatchingProverClaim Accumulator
Definition hypernova_prover.hpp:44
bb::HypernovaFoldingProver::ProverInstance
ProverInstance_< Flavor > ProverInstance
Definition hypernova_prover.hpp:43
bb::HypernovaFoldingProver::instance_to_accumulator
Accumulator instance_to_accumulator(const std::shared_ptr< ProverInstance > &instance, const std::shared_ptr< VerificationKey > &honk_vk=nullptr)
Turn an instance into an accumulator by running Sumcheck.
Definition hypernova_prover.cpp:109
bb::HypernovaFoldingProver::fold
std::pair< HonkProof, Accumulator > fold(Accumulator &&accumulator, const std::shared_ptr< ProverInstance > &instance, const std::shared_ptr< VerificationKey > &honk_vk=nullptr)
Fold an instance into an accumulator.
Definition hypernova_prover.cpp:142
bb::HypernovaFoldingVerifier
HyperNova folding verifier (native + recursive). Verifies folding proofs and maintains accumulators.
Definition hypernova_verifier.hpp:22
bb::HypernovaFoldingVerifier::verify_folding_proof
std::tuple< bool, bool, Accumulator > verify_folding_proof(const std::shared_ptr< typename HypernovaFoldingVerifier::VerifierInstance > &instance, const Proof &proof)
Verify folding proof. Return the new accumulator and the results of the two sumchecks.
Definition hypernova_verifier.cpp:116
bb::HypernovaFoldingVerifier::Proof
std::conditional_t< IsRecursiveFlavor< Flavor >, stdlib::Proof< MegaCircuitBuilder >, HonkProof > Proof
Definition hypernova_verifier.hpp:39
bb::HypernovaFoldingVerifier::VerifierInstance
VerifierInstance_< Flavor > VerifierInstance
Definition hypernova_verifier.hpp:37
bb::HypernovaFoldingVerifier::Accumulator
MultilinearBatchingVerifierClaim< Curve > Accumulator
Definition hypernova_verifier.hpp:30
bb::MegaFlavor::NUM_SHIFTED_ENTITIES
static constexpr size_t NUM_SHIFTED_ENTITIES
Definition mega_flavor.hpp:311
bb::MegaFlavor::NUM_UNSHIFTED_ENTITIES
static constexpr size_t NUM_UNSHIFTED_ENTITIES
Definition mega_flavor.hpp:312
bb::MockCircuits::add_arithmetic_gates_with_public_inputs
static void add_arithmetic_gates_with_public_inputs(Builder &builder, const size_t num_gates=4)
Add a specified number of arithmetic gates (with public inputs) to the provided circuit.
Definition mock_circuits.hpp:23
bb::MockCircuits::add_lookup_gates
static void add_lookup_gates(Builder &builder, size_t num_iterations=1)
Add lookup gates using the uint32 XOR lookup table (table size 4096)
Definition mock_circuits.hpp:69
bb::MockCircuits::add_arithmetic_gates
static void add_arithmetic_gates(Builder &builder, const size_t num_gates=4)
Add a specified number of arithmetic gates to the provided circuit.
Definition mock_circuits.hpp:46
bb::NativeVerificationKey_
Base Native verification key class.
Definition flavor.hpp:135
bb::ProverInstance_
Contains all the information required by a Honk prover to create a proof, constructed from a finalize...
Definition prover_instance.hpp:26
bb::TranscriptManifest::add_entry
void add_entry(size_t round, const std::string &element_label, size_t element_size)
Definition transcript_manifest.hpp:78
bb::TranscriptManifest::add_challenge
void add_challenge(size_t round, const std::string &label)
Add a single challenge label to the manifest for the given round.
Definition transcript_manifest.hpp:45
bb::TranslatorCircuitChecker::check
static bool check(const Builder &circuit)
Check the witness satisifies the circuit.
Definition translator_circuit_checker.cpp:20
bb::VerifierInstance_
The VerifierInstance encapsulates all the necessary information for a Honk Verifier to verify a proof...
Definition verifier_instance.hpp:18
zip_view
Definition zip_view.hpp:166
info
#define info(...)
Definition log.hpp:93
builder
AluTraceBuilder builder
Definition alu.test.cpp:124
hypernova_prover.hpp
hypernova_verifier.hpp
mega_circuit_builder.hpp
bb::srs::bb_crs_path
std::filesystem::path bb_crs_path()
Definition global_crs.cpp:14
bb::srs::init_file_crs_factory
void init_file_crs_factory(const std::filesystem::path &path)
Definition global_crs.hpp:14
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
bb::TEST_F
TEST_F(IPATest, ChallengesAreZero)
Definition ipa.test.cpp:155
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
std::to_string
std::string to_string(bb::avm2::ValueTag tag)
Definition tagged_value.cpp:402
mock_circuits.hpp
bb::MultilinearBatchingFlavor::ProverClaim
Prover's claim for multilinear batching - contains polynomials and their evaluation claims.
Definition multilinear_batching_flavor.hpp:137
bb::MultilinearBatchingVerifierClaim
Verifier's claim for multilinear batching - contains commitments and evaluation claims.
Definition multilinear_batching_claims.hpp:18