Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
poseidon2.circuit.failure.test.cpp
Go to the documentation of this file.
1#include "barretenberg/flavor/ultra_flavor.hpp"
2#include "barretenberg/relations/relation_parameters.hpp"
3#include "barretenberg/sumcheck/sumcheck.hpp"
4#include "barretenberg/ultra_honk/witness_computation_test_utils.hpp"
5
6#include <gtest/gtest.h>
7
8using namespace bb;
9
10class Poseidon2FailureTests : public ::testing::Test {
11 public:
12 using Flavor = UltraFlavor;
13 using ProverInstance = ProverInstance_<Flavor>;
14 using SumcheckProver = bb::SumcheckProver<Flavor>;
15 using SumcheckVerifier = bb::SumcheckVerifier<Flavor>;
16 using FF = Flavor::FF;
17 using Builder = Flavor::CircuitBuilder;
18 using Transcript = Flavor::Transcript;
19 using SubrelationSeparator = Flavor::SubrelationSeparator;
20 using RelationParameters = bb::RelationParameters<FF>;
21
22 void modify_witness(const auto& selector, auto& witness)
23 {
24 size_t start_idx = selector.start_index();
25 size_t end_idx = selector.end_index();
26
27 size_t selector_enabled_idx{ 0 };
28 // Find the first row index where the selector is enabled.
29 for (size_t idx = start_idx; idx < end_idx; idx++) {
30 if (selector.at(idx) == 1) {
31 selector_enabled_idx = idx;
32 break;
33 }
34 }
35 // Modify the witness
36 witness.at(selector_enabled_idx) += 1;
37 }
38 void tamper_with_shifts(const auto& selector, auto& witness, bool external)
39 {
40 size_t start_idx = selector.start_index();
41 size_t end_idx = selector.end_index();
42
43 size_t selector_enabled_idx{ 0 };
44
45 for (size_t idx = start_idx; idx < end_idx; idx++) {
46 if (selector.at(idx) == 1) {
47 selector_enabled_idx = idx;
48 break;
49 }
50 }
51 const size_t round_size = external ? 4 : 56;
52 size_t shift_idx = selector_enabled_idx + round_size;
53 // The selector must be zero at the row corresponding to the shift.
54 EXPECT_EQ(selector.at(shift_idx), 0);
55 // Modify the witness value. As Poseidon2ExternalRelation is comparing this value to the result of applying the
56 // S-box and M_E to the previous row, this must lead to a sumcheck failure.
57 witness.at(shift_idx) += 1;
58 }
59
60 void hash_single_input(Builder& builder)
61 {
62 stdlib::field_t<Builder> random_input(stdlib::witness_t<Builder>(&builder, fr::random_element()));
63 random_input.fix_witness();
64 [[maybe_unused]] auto hash = stdlib::poseidon2<Builder>::hash({ random_input });
65 }
66
67 void prove_and_verify(std::shared_ptr<ProverInstance>& prover_instance, bool expected_result)
68 {
69 const size_t virtual_log_n = Flavor::VIRTUAL_LOG_N;
70
71 // Complete the prover instance (compute selectors, relation parameters, etc.)
72 complete_prover_instance_for_test<Flavor>(prover_instance);
73
74 auto prover_transcript = Transcript::test_prover_init_empty();
75
76 // Generate challenges via transcript for Fiat-Shamir
77 SubrelationSeparator subrelation_separator = prover_transcript->template get_challenge<FF>("Sumcheck:alpha");
78
79 std::vector<FF> gate_challenges(virtual_log_n);
80 for (size_t idx = 0; idx < virtual_log_n; idx++) {
81 gate_challenges[idx] =
82 prover_transcript->template get_challenge<FF>("Sumcheck:gate_challenge_" + std::to_string(idx));
83 }
84
85 // Set gate challenges on prover instance
86 prover_instance->gate_challenges = gate_challenges;
87
88 SumcheckProver sumcheck_prover(prover_instance->dyadic_size(),
89 prover_instance->polynomials,
90 prover_transcript,
91 subrelation_separator,
92 gate_challenges,
93 prover_instance->relation_parameters,
94 virtual_log_n);
95 auto proof = sumcheck_prover.prove();
96
97 auto verifier_transcript = Transcript::test_verifier_init_empty(prover_transcript);
98
99 SubrelationSeparator verifier_subrelation_separator =
100 verifier_transcript->template get_challenge<FF>("Sumcheck:alpha");
101 std::vector<FF> verifier_gate_challenges(virtual_log_n);
102 for (size_t idx = 0; idx < virtual_log_n; idx++) {
103 verifier_gate_challenges[idx] =
104 verifier_transcript->template get_challenge<FF>("Sumcheck:gate_challenge_" + std::to_string(idx));
105 }
106
107 // Run sumcheck verifier
108 SumcheckVerifier verifier(verifier_transcript, verifier_subrelation_separator, virtual_log_n);
109 auto result = verifier.verify(
110 prover_instance->relation_parameters, verifier_gate_challenges, std::vector<FF>(virtual_log_n, 1));
111 EXPECT_EQ(result.verified, expected_result);
112 };
113};
114
115TEST_F(Poseidon2FailureTests, ValidCircuitVerifies)
116{
117 Builder builder;
118
119 // Construct a circuit that hashes a single witness field element.
120 hash_single_input(builder);
121
122 // Convert circuit to polynomials.
123 auto prover_instance = std::make_shared<ProverInstance_<Flavor>>(builder);
124
125 // Run sumcheck on the UNMODIFIED valid data - this should pass
126 prove_and_verify(prover_instance, true);
127}
128
129TEST_F(Poseidon2FailureTests, WrongWitnessValues)
130{
131 Builder builder;
132
133 hash_single_input(builder);
134
135 auto prover_instance = std::make_shared<ProverInstance_<Flavor>>(builder);
136 {
137 modify_witness(prover_instance->polynomials.q_poseidon2_external, prover_instance->polynomials.w_l);
138 prove_and_verify(prover_instance, false);
139 }
140 {
141 modify_witness(prover_instance->polynomials.q_poseidon2_internal, prover_instance->polynomials.w_r);
142 prove_and_verify(prover_instance, false);
143 }
144}
145
146TEST_F(Poseidon2FailureTests, TamperingWithShifts)
147{
148 Builder builder;
149
150 hash_single_input(builder);
151
152 auto prover_instance = std::make_shared<ProverInstance_<Flavor>>(builder);
153 {
154 bool external_round = true;
155 tamper_with_shifts(
156 prover_instance->polynomials.q_poseidon2_external, prover_instance->polynomials.w_l, external_round);
157 prove_and_verify(prover_instance, false);
158 }
159
160 {
161 bool external_round = false;
162 tamper_with_shifts(
163 prover_instance->polynomials.q_poseidon2_internal, prover_instance->polynomials.w_l, external_round);
164 prove_and_verify(prover_instance, false);
165 }
166}
Poseidon2FailureTests::tamper_with_shifts
void tamper_with_shifts(const auto &selector, auto &witness, bool external)
Definition poseidon2.circuit.failure.test.cpp:38
Poseidon2FailureTests::modify_witness
void modify_witness(const auto &selector, auto &witness)
Definition poseidon2.circuit.failure.test.cpp:22
Poseidon2FailureTests::prove_and_verify
void prove_and_verify(std::shared_ptr< ProverInstance > &prover_instance, bool expected_result)
Definition poseidon2.circuit.failure.test.cpp:67
bb::BaseTranscript
Common transcript class for both parties. Stores the data for the current round, as well as the manif...
Definition transcript.hpp:41
bb::BaseTranscript::test_prover_init_empty
static std::shared_ptr< BaseTranscript > test_prover_init_empty()
For testing: initializes transcript with some arbitrary data so that a challenge can be generated aft...
Definition transcript.hpp:451
bb::BaseTranscript::test_verifier_init_empty
static std::shared_ptr< BaseTranscript > test_verifier_init_empty(const std::shared_ptr< BaseTranscript > &transcript)
For testing: initializes transcript based on proof data then receives junk data produced by BaseTrans...
Definition transcript.hpp:466
bb::ProverInstance_
Contains all the information required by a Honk prover to create a proof, constructed from a finalize...
Definition prover_instance.hpp:26
bb::SumcheckProver
The implementation of the sumcheck Prover for statements of the form for multilinear polynomials .
Definition sumcheck.hpp:298
bb::SumcheckProver::prove
SumcheckOutput< Flavor > prove()
Non-ZK version: Compute round univariate, place it in transcript, compute challenge,...
Definition sumcheck.hpp:396
bb::SumcheckVerifier
Implementation of the sumcheck Verifier for statements of the form for multilinear polynomials .
Definition sumcheck.hpp:747
bb::SumcheckVerifier::verify
SumcheckOutput< Flavor > verify(const bb::RelationParameters< FF > &relation_parameters, const std::vector< FF > &gate_challenges, const std::vector< FF > &padding_indicator_array)
The Sumcheck verification method. First it extracts round univariate, checks sum (the sumcheck univar...
Definition sumcheck.hpp:803
bb::UltraCircuitBuilder_
Definition ultra_circuit_builder.hpp:40
bb::UltraFlavor::Transcript
BaseTranscript< Codec, HashFunction > Transcript
Definition ultra_flavor.hpp:44
bb::UltraFlavor::FF
Curve::ScalarField FF
Definition ultra_flavor.hpp:36
bb::UltraFlavor::CircuitBuilder
UltraCircuitBuilder CircuitBuilder
Definition ultra_flavor.hpp:34
bb::UltraFlavor::VIRTUAL_LOG_N
static constexpr size_t VIRTUAL_LOG_N
Definition ultra_flavor.hpp:46
bb::crypto::Poseidon2::hash
static FF hash(const std::vector< FF > &input)
Hashes a vector of field elements.
bb::stdlib::field_t
Definition field.hpp:46
bb::stdlib::field_t::fix_witness
void fix_witness()
Definition field.hpp:487
bb::stdlib::witness_t
Definition witness.hpp:16
builder
AluTraceBuilder builder
Definition alu.test.cpp:124
expected_result
bool expected_result
Definition field_gt.test.cpp:54
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
bb::TEST_F
TEST_F(IPATest, ChallengesAreZero)
Definition ipa.test.cpp:155
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
std::to_string
std::string to_string(bb::avm2::ValueTag tag)
Definition tagged_value.cpp:402
relation_parameters.hpp
bb::field< Bn254FrParams >::random_element
static field random_element(numeric::RNG *engine=nullptr) noexcept
Definition field_impl.hpp:783
ultra_flavor.hpp
witness_computation_test_utils.hpp