Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
recursive_flavor.hpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: Completed, auditors: [Federico], commit: 0e37cb8}
3// external_1: { status: not started, auditors: [], commit: }
4// external_2: { status: not started, auditors: [], commit: }
5// =====================
6
7#pragma once
8
9#include <cstdint>
10
11#include "barretenberg/commitment_schemes/kzg/kzg.hpp"
12#include "barretenberg/flavor/flavor.hpp"
13#include "barretenberg/stdlib/primitives/curves/bn254.hpp"
14#include "barretenberg/stdlib/proof/proof.hpp"
15#include "barretenberg/stdlib_circuit_builders/mega_circuit_builder.hpp"
16#include "barretenberg/stdlib_circuit_builders/ultra_circuit_builder.hpp"
17#include "barretenberg/vm2/constraining/avm_fixed_vk.hpp"
18#include "barretenberg/vm2/constraining/flavor.hpp"
19
20namespace bb::avm2 {
21
22class AvmRecursiveFlavor {
23 public:
24 using CircuitBuilder = MegaCircuitBuilder;
25 using Curve = stdlib::bn254<CircuitBuilder>;
26 using PCS = KZG<Curve>;
27 using GroupElement = Curve::Element;
28 using Commitment = Curve::AffineElement;
29 using FF = Curve::ScalarField;
30 using BF = Curve::BaseField;
31
32 using NativeFlavor = avm2::AvmFlavor;
33 using NativeVerificationKey = NativeFlavor::VerificationKey;
34
35 // Native one is used!
36 using VerifierCommitmentKey = NativeFlavor::VerifierCommitmentKey;
37
38 using Relations = NativeFlavor::Relations_<FF>;
39
40 static constexpr size_t NUM_ALL_ENTITIES = NativeFlavor::NUM_ALL_ENTITIES;
41 static constexpr size_t BATCHED_RELATION_PARTIAL_LENGTH = NativeFlavor::BATCHED_RELATION_PARTIAL_LENGTH;
42 static constexpr size_t NUM_RELATIONS = std::tuple_size_v<Relations>;
43
44 static constexpr size_t NUM_SUBRELATIONS = NativeFlavor::NUM_SUBRELATIONS;
45 using SubrelationSeparators = std::array<FF, NUM_SUBRELATIONS - 1>;
46
47 // This flavor would not be used with ZK Sumcheck
48 static constexpr bool HasZK = false;
49
50 // To achieve fixed proof size so that the recursive verifier circuit is constant, we are using padding in Sumcheck
51 // and Shplemini
52 static constexpr bool USE_PADDING = true;
53
58 class AllValues : public NativeFlavor::AllEntities<FF> {
59 public:
60 using Base = NativeFlavor::AllEntities<FF>;
61 using Base::Base;
62 };
63
70 using VerificationKey =
71 FixedStdlibVKAndHash_<CircuitBuilder, AvmFlavor::PrecomputedEntities<Commitment>, NativeVerificationKey>;
72
73 template <typename Builder> class TemplatedTranscript : public StdlibTranscript<Builder> {
74 using Base = StdlibTranscript<Builder>;
75 using FF = stdlib::field_t<Builder>;
76 using StdlibCurve = stdlib::bn254<Builder>;
77 using StdlibCommitment = typename StdlibCurve::AffineElement;
78
79 private:
90 static std::shared_ptr<TemplatedTranscript<Builder>> perform_avm_transcript_operations(
91 Builder& builder,
92 const stdlib::Proof<Builder>& stdlib_proof,
93 const std::vector<std::vector<stdlib::field_t<Builder>>>& public_inputs,
94 const bool enable_manifest = false)
95 {
96 // Container for challenges used in the PCS. Also used to get correct labels for transcript hashing.
97 using Challenges = AllValues;
98 Challenges challenges;
99
100 auto native_vk = std::make_shared<NativeVerificationKey>();
101 NativeFlavor::FF native_vk_hash = native_vk->get_hash();
102 FF vk_hash = FF::from_witness(&builder, native_vk_hash);
103 vk_hash.fix_witness();
104
105 auto transcript = std::make_shared<TemplatedTranscript<Builder>>();
106 if (enable_manifest) {
107 transcript->enable_manifest();
108 }
109
110 transcript->load_proof(stdlib_proof);
111
112 transcript->add_to_hash_buffer("avm_vk_hash", vk_hash);
113
114 for (size_t i = 0; i < AVM_NUM_PUBLIC_INPUT_COLUMNS; i++) {
115 for (size_t j = 0; j < public_inputs[i].size(); j++) {
116 transcript->add_to_hash_buffer("public_input_" + std::to_string(i) + "_" + std::to_string(j),
117 public_inputs[i][j]);
118 }
119 }
120
121 for (const auto& wire_label : challenges.get_wires_labels()) {
122 [[maybe_unused]] auto _ = transcript->template receive_from_prover<StdlibCommitment>(wire_label);
123 }
124
125 [[maybe_unused]] auto [_beta, _gamma] =
126 transcript->template get_challenges<FF>(std::array<std::string, 2>{ "beta", "gamma" });
127
128 for (const auto& derived_label : challenges.get_derived_labels()) {
129 [[maybe_unused]] auto _ = transcript->template receive_from_prover<StdlibCommitment>(derived_label);
130 }
131
132 [[maybe_unused]] const FF _alpha = transcript->template get_challenge<FF>("Sumcheck:alpha");
133
134 [[maybe_unused]] const FF _initial_gate_challenge =
135 transcript->template get_challenge<FF>("Sumcheck:gate_challenge");
136
137 using SumcheckUnivariate = std::array<FF, BATCHED_RELATION_PARTIAL_LENGTH>;
138 for (size_t i = 0; i < MAX_AVM_TRACE_LOG_SIZE; i++) {
139 std::string round_univariate_label = "Sumcheck:univariate_" + std::to_string(i);
140 [[maybe_unused]] auto _ =
141 transcript->template receive_from_prover<SumcheckUnivariate>(round_univariate_label);
142 [[maybe_unused]] FF _round_challenge =
143 transcript->template get_challenge<FF>("Sumcheck:u_" + std::to_string(i));
144 }
145
146 [[maybe_unused]] auto _evals =
147 transcript->template receive_from_prover<std::array<FF, NUM_ALL_ENTITIES>>("Sumcheck:evaluations");
148
149 [[maybe_unused]] auto _unshifted_challenges =
150 transcript->template get_challenges<FF>(challenges.get_unshifted_labels());
151
152 [[maybe_unused]] const FF _gemini_batching_challenge = transcript->template get_challenge<FF>("rho");
153
154 for (size_t i = 1; i < MAX_AVM_TRACE_LOG_SIZE; ++i) {
155 [[maybe_unused]] auto _ =
156 transcript->template receive_from_prover<StdlibCommitment>("Gemini:FOLD_" + std::to_string(i));
157 }
158
159 [[maybe_unused]] const FF _gemini_evaluation_challenge = transcript->template get_challenge<FF>("Gemini:r");
160
161 for (size_t i = 1; i <= MAX_AVM_TRACE_LOG_SIZE; ++i) {
162 [[maybe_unused]] auto _ = transcript->template receive_from_prover<FF>("Gemini:a_" + std::to_string(i));
163 }
164
165 [[maybe_unused]] const FF _shplonk_batching_challenge =
166 transcript->template get_challenge<FF>("Shplonk:nu");
167
168 [[maybe_unused]] auto _shplonk_q = transcript->template receive_from_prover<StdlibCommitment>("Shplonk:Q");
169
170 [[maybe_unused]] const FF _shplonk_evaluation_challenge =
171 transcript->template get_challenge<FF>("Shplonk:z");
172
173 [[maybe_unused]] auto _kzg_w = transcript->template receive_from_prover<StdlibCommitment>("KZG:W");
174
175 return transcript;
176 };
177
184 static stdlib::field_t<Builder> pad_and_hash_avm_transcript(
185 const std::shared_ptr<TemplatedTranscript<Builder>>& transcript, const stdlib::Proof<Builder>& stdlib_proof)
186 {
187 if (stdlib_proof.size() == AVM_V2_PROOF_LENGTH_IN_FIELDS_PADDED) {
188 // If the proof is padded, we need to add the padding values to the transcript because recursive
189 // verification doesn't do that
190 transcript->add_element_frs_to_hash_buffer(
191 "proof_padding",
192 std::span(stdlib_proof)
193 .subspan(AvmFlavor::COMPUTED_AVM_PROOF_LENGTH_IN_FIELDS,
194 AVM_V2_PROOF_LENGTH_IN_FIELDS_PADDED -
195 AvmFlavor::COMPUTED_AVM_PROOF_LENGTH_IN_FIELDS));
196 }
197 return transcript->template get_challenge<stdlib::field_t<Builder>>("final_transcript_state");
198 };
199
200 public:
206 static stdlib::field_t<Builder> hash_avm_transcript(
207 Builder& builder,
208 const stdlib::Proof<Builder>& stdlib_proof,
209 const std::vector<std::vector<stdlib::field_t<Builder>>>& public_inputs)
210 {
211 auto transcript = perform_avm_transcript_operations(builder, stdlib_proof, public_inputs);
212 return pad_and_hash_avm_transcript(transcript, stdlib_proof);
213 }
214
220 static stdlib::field_t<Builder> hash_avm_transcript(
221 const std::shared_ptr<TemplatedTranscript<Builder>>& transcript, const stdlib::Proof<Builder>& stdlib_proof)
222 {
223 return pad_and_hash_avm_transcript(transcript, stdlib_proof);
224 }
225
231 static std::pair<stdlib::field_t<Builder>, std::shared_ptr<TemplatedTranscript<Builder>>>
232 hash_avm_transcript_for_testing(Builder& builder,
233 const stdlib::Proof<Builder>& stdlib_proof,
234 const std::vector<std::vector<stdlib::field_t<Builder>>>& public_inputs)
235 {
236 auto transcript = perform_avm_transcript_operations(builder, stdlib_proof, public_inputs, true);
237
238 return { pad_and_hash_avm_transcript(transcript, stdlib_proof), transcript };
239 }
240 };
241
242 using Transcript = TemplatedTranscript<CircuitBuilder>;
243 using UltraTranscript = TemplatedTranscript<UltraCircuitBuilder>;
244 using WitnessCommitments = NativeFlavor::WitnessEntities<Commitment>;
245 using VerifierCommitments = NativeFlavor::VerifierCommitments_<Commitment, VerificationKey>;
246};
247
248} // namespace bb::avm2
avm_fixed_vk.hpp
AVM_V2_PROOF_LENGTH_IN_FIELDS_PADDED
#define AVM_V2_PROOF_LENGTH_IN_FIELDS_PADDED
Definition aztec_constants.hpp:180
AVM_NUM_PUBLIC_INPUT_COLUMNS
#define AVM_NUM_PUBLIC_INPUT_COLUMNS
Definition aztec_constants.hpp:178
bb::BaseTranscript
Common transcript class for both parties. Stores the data for the current round, as well as the manif...
Definition transcript.hpp:41
bb::FixedStdlibVKAndHash_
Simple stdlib verification key class for fixed-size circuits (ECCVM, Translator, AVM).
Definition flavor.hpp:330
bb::FixedVKAndHash_
Simple verification key class for fixed-size circuits (ECCVM, Translator, AVM).
Definition flavor.hpp:101
bb::MegaCircuitBuilder_
Definition mega_circuit_builder.hpp:19
bb::VerifierCommitmentKey
Representation of the Grumpkin Verifier Commitment Key inside a bn254 circuit.
Definition verifier_commitment_key.hpp:16
bb::avm2::AvmFlavor::VerifierCommitments_
Definition flavor.hpp:307
bb::avm2::AvmFlavor::Relations_
tuple_cat_t< MainRelations_< FF_ >, LookupRelations_< FF_ > > Relations_
Definition flavor.hpp:78
bb::avm2::AvmFlavor::COMPUTED_AVM_PROOF_LENGTH_IN_FIELDS
static constexpr size_t COMPUTED_AVM_PROOF_LENGTH_IN_FIELDS
Definition flavor.hpp:99
bb::avm2::AvmFlavor::NUM_SUBRELATIONS
static constexpr size_t NUM_SUBRELATIONS
Definition flavor.hpp:81
bb::avm2::AvmFlavor::FF
AvmFlavorSettings::FF FF
Definition flavor.hpp:43
bb::avm2::AvmFlavor::VerificationKey
FixedVKAndHash_< PrecomputedEntities< Commitment >, FF, typename constraining::AvmHardCodedVKAndHash > VerificationKey
Verification key of the AVM. It is fixed and reconstructed from precomputed values.
Definition flavor.hpp:226
bb::avm2::AvmFlavor::VerifierCommitmentKey
AvmFlavorSettings::VerifierCommitmentKey VerifierCommitmentKey
Definition flavor.hpp:50
bb::avm2::AvmFlavor::BATCHED_RELATION_PARTIAL_LENGTH
static constexpr size_t BATCHED_RELATION_PARTIAL_LENGTH
Definition flavor.hpp:90
bb::avm2::AvmFlavor::NUM_ALL_ENTITIES
static constexpr size_t NUM_ALL_ENTITIES
Definition flavor.hpp:65
bb::avm2::AvmRecursiveFlavor::AllValues
A field element for each entity of the flavor. These entities represent the prover polynomials evalua...
Definition recursive_flavor.hpp:58
bb::avm2::AvmRecursiveFlavor::TemplatedTranscript::hash_avm_transcript_for_testing
static std::pair< stdlib::field_t< Builder >, std::shared_ptr< TemplatedTranscript< Builder > > > hash_avm_transcript_for_testing(Builder &builder, const stdlib::Proof< Builder > &stdlib_proof, const std::vector< std::vector< stdlib::field_t< Builder > > > &public_inputs)
Testing method to hash the transcript after having replicated the operations performed on the AVM tra...
Definition recursive_flavor.hpp:232
bb::avm2::AvmRecursiveFlavor::TemplatedTranscript::pad_and_hash_avm_transcript
static stdlib::field_t< Builder > pad_and_hash_avm_transcript(const std::shared_ptr< TemplatedTranscript< Builder > > &transcript, const stdlib::Proof< Builder > &stdlib_proof)
Hash a transcript that has recorded the operations performed during AVM proof verification.
Definition recursive_flavor.hpp:184
bb::avm2::AvmRecursiveFlavor::TemplatedTranscript::hash_avm_transcript
static stdlib::field_t< Builder > hash_avm_transcript(Builder &builder, const stdlib::Proof< Builder > &stdlib_proof, const std::vector< std::vector< stdlib::field_t< Builder > > > &public_inputs)
Construct a transcript replicating the operations performed on the AVM transcript during proof verifi...
Definition recursive_flavor.hpp:206
bb::avm2::AvmRecursiveFlavor::TemplatedTranscript::perform_avm_transcript_operations
static std::shared_ptr< TemplatedTranscript< Builder > > perform_avm_transcript_operations(Builder &builder, const stdlib::Proof< Builder > &stdlib_proof, const std::vector< std::vector< stdlib::field_t< Builder > > > &public_inputs, const bool enable_manifest=false)
Replicate the operations performed on the AVM transcript during proof verification.
Definition recursive_flavor.hpp:90
bb::avm2::AvmRecursiveFlavor::TemplatedTranscript::hash_avm_transcript
static stdlib::field_t< Builder > hash_avm_transcript(const std::shared_ptr< TemplatedTranscript< Builder > > &transcript, const stdlib::Proof< Builder > &stdlib_proof)
Hash the AVM verifier transcript after having performed proof verification. Then, hash the transcript...
Definition recursive_flavor.hpp:220
bb::avm2::AvmRecursiveFlavor::TemplatedTranscript::StdlibCommitment
typename StdlibCurve::AffineElement StdlibCommitment
Definition recursive_flavor.hpp:77
bb::avm2::AvmRecursiveFlavor::NUM_SUBRELATIONS
static constexpr size_t NUM_SUBRELATIONS
Definition recursive_flavor.hpp:44
bb::avm2::AvmRecursiveFlavor::Relations
NativeFlavor::Relations_< FF > Relations
Definition recursive_flavor.hpp:38
bb::avm2::AvmRecursiveFlavor::NUM_RELATIONS
static constexpr size_t NUM_RELATIONS
Definition recursive_flavor.hpp:42
bb::avm2::AvmRecursiveFlavor::BATCHED_RELATION_PARTIAL_LENGTH
static constexpr size_t BATCHED_RELATION_PARTIAL_LENGTH
Definition recursive_flavor.hpp:41
bb::avm2::AvmRecursiveFlavor::NUM_ALL_ENTITIES
static constexpr size_t NUM_ALL_ENTITIES
Definition recursive_flavor.hpp:40
bb::avm2::AvmRecursiveFlavor::USE_PADDING
static constexpr bool USE_PADDING
Definition recursive_flavor.hpp:52
bb::avm2::AvmRecursiveFlavor::SubrelationSeparators
std::array< FF, NUM_SUBRELATIONS - 1 > SubrelationSeparators
Definition recursive_flavor.hpp:45
bb::avm2::AvmRecursiveFlavor::Commitment
Curve::AffineElement Commitment
Definition recursive_flavor.hpp:28
bb::stdlib::Proof
A simple wrapper around a vector of stdlib field elements representing a proof.
Definition proof.hpp:19
bb::stdlib::field_t
Definition field.hpp:46
bb::stdlib::field_t< Builder >::from_witness
static field_t from_witness(Builder *ctx, const bb::fr &input)
Definition field.hpp:466
bb::stdlib::field_t::fix_witness
void fix_witness()
Definition field.hpp:487
builder
AluTraceBuilder builder
Definition alu.test.cpp:124
flavor.hpp
Base class templates shared across Honk flavors.
mega_circuit_builder.hpp
bb::avm2::MAX_AVM_TRACE_LOG_SIZE
constexpr std::size_t MAX_AVM_TRACE_LOG_SIZE
Definition constants.hpp:12
bb::MegaCircuitBuilder
MegaCircuitBuilder_< field< Bn254FrParams > > MegaCircuitBuilder
Definition circuit_builders_fwd.hpp:20
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
std::to_string
std::string to_string(bb::avm2::ValueTag tag)
Definition tagged_value.cpp:402
bb::stdlib::bn254::ScalarField
field_t< CircuitBuilder > ScalarField
Definition bn254.hpp:30
bb::stdlib::bn254::BaseField
Group::BaseField BaseField
Definition bn254.hpp:32
bb::stdlib::bn254::AffineElement
Group AffineElement
Definition bn254.hpp:34
ultra_circuit_builder.hpp