Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
transcript.hpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: Complete, auditors: [Sergei], commit: 777717f6af324188ecd6bb68c3c86ee7befef94d}
3// external_1: { status: Complete, auditors: [@ed25519 (Spearbit)], commit: }
4// external_2: { status: not started, auditors: [], commit: }
5// =====================
6
7#pragma once
8
9#include "barretenberg/common/assert.hpp"
10#include "barretenberg/common/debug_log.hpp"
11#include "barretenberg/common/serialize.hpp"
12#include "barretenberg/crypto/poseidon2/poseidon2.hpp"
13#include "barretenberg/ecc/curves/bn254/fr.hpp"
14#include "barretenberg/ecc/curves/bn254/g1.hpp"
15#include "barretenberg/ecc/curves/grumpkin/grumpkin.hpp"
16#include "barretenberg/ecc/fields/field_conversion.hpp"
17#include "barretenberg/honk/proof_system/types/proof.hpp"
18#include "barretenberg/stdlib/hash/poseidon2/poseidon2.hpp"
19#include "barretenberg/stdlib/primitives/field/field_conversion.hpp"
20#include "origin_tag.hpp"
21#include "transcript_manifest.hpp"
22#include <atomic>
23#include <concepts>
24
25namespace bb {
26
27// A concept for detecting whether a type is native or in-circuit
28template <typename T>
29concept InCircuit = !IsAnyOf<T, bb::fr, grumpkin::fr, uint256_t>;
30
31// A static counter for the number of transcripts created
32// This is used to generate unique labels for the transcript origin tags
33
34// 'inline' (since C++17) ensures a single shared definition with external linkage.
35inline std::atomic<size_t> unique_transcript_index{ 0 };
36
41template <typename Codec_, typename HashFunction_> class BaseTranscript {
42 public:
43 using Codec = Codec_;
44 using HashFunction = HashFunction_;
45 using DataType = typename Codec::DataType;
46 using Proof = std::vector<DataType>;
47
48 // Detects whether the transcript is in-circuit or not
49 static constexpr bool in_circuit = InCircuit<DataType>;
50 // A `DataType` challenge is split into two limbs that consitute challenge buffer
51 static constexpr size_t CHALLENGE_BUFFER_SIZE = 2;
52
53 BaseTranscript()
54 {
55 // If we are in circuit, we need to get a unique index for the transcript
56 if constexpr (in_circuit) {
57 transcript_index = unique_transcript_index.fetch_add(1);
58 }
59 }
60
61 // Verifier-specific constructor.
62 explicit BaseTranscript(const Proof& proof) { load_proof(proof); }
63
64 protected:
65 Proof proof_data; // Contains the raw data sent by the prover.
66
67 private:
68 // Friend function for secure tag context extraction
69 template <typename T> friend OriginTag bb::extract_transcript_tag(const T& transcript);
70
71 // Fiat-Shamir Round Tracking
72 size_t transcript_index = 0; // Unique transcript ID (PRIVATE - access via extract_transcript_tag)
73 size_t round_index = 0; // Current FS round (PRIVATE - access via extract_transcript_tag)
74 bool challenge_generation_phase = false; // Whether currently generating challenges (vs sending/receiving data)
75
76 // Challenge generatopm state==
77 bool is_first_challenge = true; // Indicates if this is the first challenge this transcript is generating
78 DataType previous_challenge{}; // Previous challenge buffer (default-initialized to zeros)
79 std::vector<DataType> current_round_data; // Data for the current round that will be hashed to generate challenges
80
81 // Proof parsing state
82 std::ptrdiff_t proof_start = 0;
83 size_t num_frs_written = 0; // Number of frs written to proof_data by the prover
84 size_t num_frs_read = 0; // Number of frs read from proof_data by the verifier
85
86 // Manifest (debugging tool)
87 bool use_manifest = false; // Indicates whether the manifest is turned on (only for manifest tests)
88 TranscriptManifest manifest; // Records a summary of the transcript interactions
89
98 [[nodiscard]] std::array<DataType, CHALLENGE_BUFFER_SIZE> get_next_duplex_challenge_buffer()
99 {
100
101 std::vector<DataType> full_buffer;
102
103 const size_t size_bump = (is_first_challenge) ? 0 : 1;
104
105 full_buffer.resize(current_round_data.size() + size_bump);
106
107 // concatenate the previous challenge (if this is not the first challenge) with the current round data.
108 if (!is_first_challenge) {
109 // if not the first challenge, we can use the previous_challenge
110 full_buffer[0] = previous_challenge;
111 } else {
112 // Prevent challenge generation if this is the first challenge we're generating,
113 // AND nothing was sent by the prover.
114 BB_ASSERT(!current_round_data.empty());
115 // Update is_first_challenge for the future
116 is_first_challenge = false;
117 }
118
119 std::copy(current_round_data.begin(),
120 current_round_data.end(),
121 full_buffer.begin() + static_cast<std::ptrdiff_t>(size_bump));
122 current_round_data.clear();
123
124 // Hash the full buffer
125 DataType new_challenge = HashFunction::hash(full_buffer);
126 std::array<DataType, CHALLENGE_BUFFER_SIZE> new_challenges = Codec::split_challenge(new_challenge);
127 // update previous challenge buffer for next time we call this function
128 previous_challenge = new_challenge;
129 return new_challenges;
130 }
131
132 protected:
139 void add_element_frs_to_hash_buffer(const std::string& label, std::span<const DataType> element_frs)
140 {
141 if (use_manifest) {
142 // Add an entry to the current round of the manifest
143 manifest.add_entry(round_index, label, element_frs.size());
144 }
145
146 current_round_data.insert(current_round_data.end(), element_frs.begin(), element_frs.end());
147 }
148
157 template <typename T> void serialize_to_buffer(const T& element, Proof& proof_data)
158 {
159 auto element_frs = Codec::serialize_to_fields(element);
160 proof_data.insert(proof_data.end(), element_frs.begin(), element_frs.end());
161 }
171 template <typename T> T deserialize_from_buffer(const Proof& proof_data, size_t& offset) const
172 {
173 constexpr size_t element_fr_size = Codec::template calc_num_fields<T>();
174 BB_ASSERT_LTE(offset + element_fr_size, proof_data.size());
175
176 auto element_frs = std::span{ proof_data }.subspan(offset, element_fr_size);
177 offset += element_fr_size;
178
179 auto element = Codec::template deserialize_from_fields<T>(element_frs);
180
181 return element;
182 }
183
184 public:
192 std::vector<DataType> export_proof()
193 {
194 std::vector<DataType> result(num_frs_written);
195 std::copy_n(proof_data.begin() + proof_start, num_frs_written, result.begin());
196 proof_start += static_cast<std::ptrdiff_t>(num_frs_written);
197 num_frs_written = 0;
198 return result;
199 };
200
206 void load_proof(const std::vector<DataType>& proof)
207 {
208 std::copy(proof.begin(), proof.end(), std::back_inserter(proof_data));
209 }
210
211 // Return the size of proof_data
212 size_t get_proof_size() { return proof_data.size(); }
213
214 // Enables the manifest
215 void enable_manifest() { use_manifest = true; }
216
227 template <typename ChallengeType> std::vector<ChallengeType> get_challenges(std::span<const std::string> labels)
228 {
229 const size_t num_challenges = labels.size();
230
231 if (use_manifest) {
232 // Add challenge labels for current round to the manifest
233 for (const auto& label : labels) {
234 manifest.add_challenge(round_index, label);
235 }
236 }
237
238 // In case the transcript is used for recursive verification, we need to sanitize current round data so we don't
239 // get an origin tag violation inside the hasher. We are doing this to ensure that the free witness tagged
240 // elements that are sent to the transcript and are assigned tags externally, don't trigger the origin tag
241 // security mechanism while we are hashing them
242 bb::unset_free_witness_tags<in_circuit, DataType>(current_round_data);
243 // Compute the new challenge buffer from which we derive the challenges.
244
245 // Create challenges from Frs.
246 std::vector<ChallengeType> challenges;
247 challenges.resize(num_challenges);
248
249 // Generate the challenges by iteratively hashing over the previous challenge.
250 for (size_t i = 0; i < num_challenges / 2; i += 1) {
251 std::array<DataType, CHALLENGE_BUFFER_SIZE> challenge_buffer = get_next_duplex_challenge_buffer();
252 challenges[2 * i] = Codec::template convert_challenge<ChallengeType>(challenge_buffer[0]);
253 challenges[(2 * i) + 1] = Codec::template convert_challenge<ChallengeType>(challenge_buffer[1]);
254 }
255 if ((num_challenges & 1) == 1) {
256 std::array<DataType, CHALLENGE_BUFFER_SIZE> challenge_buffer = get_next_duplex_challenge_buffer();
257 challenges[num_challenges - 1] = Codec::template convert_challenge<ChallengeType>(challenge_buffer[0]);
258 }
259
260 // Track Fiat-Shamir round transitions: entering challenge generation mode
261 if (!challenge_generation_phase) {
262 challenge_generation_phase = true;
263 }
264
265 // Assign origin tags to the challenges
266 bb::assign_origin_tag<in_circuit>(challenges, OriginTag(transcript_index, round_index, /*is_submitted=*/false));
267
268 return challenges;
269 }
270
277 template <typename ChallengeType, size_t N>
278 std::array<ChallengeType, N> get_challenges(const std::array<std::string, N>& labels)
279 {
280 std::span<const std::string> labels_span{ labels.data(), labels.size() };
281 auto vec = get_challenges<ChallengeType>(labels_span); // calls the const-span overload
282 std::array<ChallengeType, N> out{};
283 std::move(vec.begin(), vec.end(), out.begin());
284 return out;
285 }
286
295 template <typename ChallengeType>
296 std::vector<ChallengeType> get_dyadic_powers_of_challenge(const std::string& label, size_t num_challenges)
297 {
298 ChallengeType challenge = get_challenge<ChallengeType>(label);
299 std::vector<ChallengeType> pows(num_challenges);
300 pows[0] = challenge;
301 for (size_t i = 1; i < num_challenges; i++) {
302 pows[i] = pows[i - 1].sqr();
303 }
304 return pows;
305 }
306
315 template <class T> void add_to_hash_buffer(const std::string& label, const T& element)
316 {
317 DEBUG_LOG(label, element);
318 // Track Fiat-Shamir round transitions: if we were generating challenges,
319 // now we're adding data, which means a new round has started
320 if (challenge_generation_phase) {
321 challenge_generation_phase = false;
322 round_index++;
323 }
324
325 bb::assign_origin_tag<in_circuit>(element, OriginTag(transcript_index, round_index, /*is_submitted=*/true));
326 auto elements = Codec::serialize_to_fields(element);
327
328 add_element_frs_to_hash_buffer(label, elements);
329 }
330
344 template <class T> void send_to_verifier(const std::string& label, const T& element)
345 {
346 DEBUG_LOG(label, element);
347 // Track Fiat-Shamir round transitions: if we were generating challenges,
348 // now we're sending data, which means a new round has started
349 if (challenge_generation_phase) {
350 challenge_generation_phase = false;
351 round_index++;
352 }
353
354 auto element_frs = Codec::template serialize_to_fields<T>(element);
355 proof_data.insert(proof_data.end(), element_frs.begin(), element_frs.end());
356 num_frs_written += element_frs.size();
357
358 add_element_frs_to_hash_buffer(label, element_frs);
359 }
360
368 template <class T> T receive_from_prover(const std::string& label)
369 {
370 const size_t element_size = Codec::template calc_num_fields<T>();
371 BB_ASSERT_LTE(num_frs_read + element_size, proof_data.size());
372
373 auto element_frs = std::span{ proof_data }.subspan(num_frs_read, element_size);
374 // Track Fiat-Shamir round transitions: if we were generating challenges,
375 // now we're receiving data, which means a new round has started
376 if (challenge_generation_phase) {
377 challenge_generation_phase = false;
378 round_index++;
379 }
380 // Assign an origin tag to the elements going into the hash buffer
381 bb::assign_origin_tag<in_circuit>(element_frs, OriginTag(transcript_index, round_index, /*is_submitted=*/true));
382
383 num_frs_read += element_size;
384
385 add_element_frs_to_hash_buffer(label, element_frs);
386
387 auto element = Codec::template deserialize_from_fields<T>(element_frs);
388 DEBUG_LOG(label, element);
389
390 // Ensure that the element got assigned an origin tag
391 bb::check_origin_tag<in_circuit>(element, OriginTag(transcript_index, round_index, /*is_submitted=*/true));
392
393 return element;
394 }
395
396 template <typename ChallengeType> ChallengeType get_challenge(const std::string& label)
397 {
398 std::span<const std::string> label_span(&label, 1);
399 auto result = get_challenges<ChallengeType>(label_span);
400
401 DEBUG_LOG(label, result);
402 return result[0];
403 }
404
411 static std::shared_ptr<BaseTranscript> convert_prover_transcript_to_verifier_transcript(
412 const std::shared_ptr<BaseTranscript>& prover_transcript)
413 {
414 // We expect this function to only be used when the transcript has just been exported.
415 BB_ASSERT_EQ(prover_transcript->num_frs_written, 0UL, "Expected to be empty");
416 auto verifier_transcript = std::make_shared<BaseTranscript>(*prover_transcript);
417 verifier_transcript->num_frs_read = static_cast<size_t>(verifier_transcript->proof_start);
418 verifier_transcript->proof_start = 0;
419 return verifier_transcript;
420 }
421
422 // Serialize an element of type T to a vector of fields
423 template <typename T> static std::vector<DataType> serialize(const T& element)
424 {
425 return Codec::serialize_to_fields(element);
426 }
427
428 template <typename T> static T deserialize(std::span<const DataType> frs)
429 {
430 return Codec::template deserialize_from_fields<T>(frs);
431 }
432
433 [[nodiscard]] TranscriptManifest get_manifest() const { return manifest; };
434
435 void print()
436 {
437 if (!use_manifest) {
438 info("Warning: manifest is not enabled!");
439 }
440 manifest.print();
441 }
442
443 // Test-specific utils
444
451 static std::shared_ptr<BaseTranscript> test_prover_init_empty()
452 {
453 auto transcript = std::make_shared<BaseTranscript>();
454 constexpr uint32_t init{ 42 }; // arbitrary
455 transcript->send_to_verifier("Init", init);
456 return transcript;
457 };
458
466 static std::shared_ptr<BaseTranscript> test_verifier_init_empty(const std::shared_ptr<BaseTranscript>& transcript)
467 {
468 auto verifier_transcript = std::make_shared<BaseTranscript>(transcript->proof_data);
469 [[maybe_unused]] auto _ = verifier_transcript->template receive_from_prover<DataType>("Init");
470 return verifier_transcript;
471 };
472
477 void test_set_proof_parsing_state(std::ptrdiff_t start, size_t written)
478 {
479 this->proof_start = start;
480 this->num_frs_written = written;
481 }
482
487 std::ptrdiff_t test_get_proof_start() const { return proof_start; }
488
493 Proof& test_get_proof_data() { return proof_data; }
494 const Proof& test_get_proof_data() const { return proof_data; }
495};
496
497using NativeTranscript = BaseTranscript<FrCodec, bb::crypto::Poseidon2<bb::crypto::Poseidon2Bn254ScalarFieldParams>>;
498using KeccakTranscript = BaseTranscript<U256Codec, bb::crypto::Keccak>;
499
500template <typename Builder>
501using StdlibTranscript = BaseTranscript<stdlib::StdlibCodec<stdlib::field_t<Builder>>, stdlib::poseidon2<Builder>>;
502using UltraStdlibTranscript =
503 BaseTranscript<stdlib::StdlibCodec<stdlib::field_t<UltraCircuitBuilder>>, stdlib::poseidon2<UltraCircuitBuilder>>;
504using MegaStdlibTranscript =
505 BaseTranscript<stdlib::StdlibCodec<stdlib::field_t<MegaCircuitBuilder>>, stdlib::poseidon2<MegaCircuitBuilder>>;
506
511template <typename Curve, bool = Curve::is_stdlib_type> struct TranscriptFor {
512 using type = NativeTranscript;
513};
514
515template <typename Curve> struct TranscriptFor<Curve, true> {
516 using type = StdlibTranscript<typename Curve::Builder>;
517};
518
519template <typename Curve> using TranscriptFor_t = typename TranscriptFor<Curve>::type;
520
521} // namespace bb
BB_ASSERT
#define BB_ASSERT(expression,...)
Definition assert.hpp:70
BB_ASSERT_EQ
#define BB_ASSERT_EQ(actual, expected,...)
Definition assert.hpp:83
BB_ASSERT_LTE
#define BB_ASSERT_LTE(left, right,...)
Definition assert.hpp:158
bb::BaseTranscript
Common transcript class for both parties. Stores the data for the current round, as well as the manif...
Definition transcript.hpp:41
bb::BaseTranscript::DataType
typename Codec::DataType DataType
Definition transcript.hpp:45
bb::BaseTranscript::in_circuit
static constexpr bool in_circuit
Definition transcript.hpp:49
bb::BaseTranscript::previous_challenge
DataType previous_challenge
Definition transcript.hpp:78
bb::BaseTranscript::BaseTranscript
BaseTranscript(const Proof &proof)
Definition transcript.hpp:62
bb::BaseTranscript::test_prover_init_empty
static std::shared_ptr< BaseTranscript > test_prover_init_empty()
For testing: initializes transcript with some arbitrary data so that a challenge can be generated aft...
Definition transcript.hpp:451
bb::BaseTranscript::test_get_proof_data
const Proof & test_get_proof_data() const
Definition transcript.hpp:494
bb::BaseTranscript::receive_from_prover
T receive_from_prover(const std::string &label)
Reads the next element of type T from the transcript, with a predefined label, only used by verifier.
Definition transcript.hpp:368
bb::BaseTranscript::challenge_generation_phase
bool challenge_generation_phase
Definition transcript.hpp:74
bb::BaseTranscript::get_challenge
ChallengeType get_challenge(const std::string &label)
Definition transcript.hpp:396
bb::BaseTranscript::test_set_proof_parsing_state
void test_set_proof_parsing_state(std::ptrdiff_t start, size_t written)
Test utility: Set proof parsing state for export after deserialization.
Definition transcript.hpp:477
bb::BaseTranscript::current_round_data
std::vector< DataType > current_round_data
Definition transcript.hpp:79
bb::BaseTranscript::add_element_frs_to_hash_buffer
void add_element_frs_to_hash_buffer(const std::string &label, std::span< const DataType > element_frs)
Adds challenge elements to the current_round_buffer and updates the manifest.
Definition transcript.hpp:139
bb::BaseTranscript::test_get_proof_data
Proof & test_get_proof_data()
Test utility: Get mutable reference to proof_data.
Definition transcript.hpp:493
bb::BaseTranscript::serialize_to_buffer
void serialize_to_buffer(const T &element, Proof &proof_data)
Serializes object and appends it to proof_data.
Definition transcript.hpp:157
bb::BaseTranscript::test_verifier_init_empty
static std::shared_ptr< BaseTranscript > test_verifier_init_empty(const std::shared_ptr< BaseTranscript > &transcript)
For testing: initializes transcript based on proof data then receives junk data produced by BaseTrans...
Definition transcript.hpp:466
bb::BaseTranscript::get_dyadic_powers_of_challenge
std::vector< ChallengeType > get_dyadic_powers_of_challenge(const std::string &label, size_t num_challenges)
Get a challenge and compute its dyadic powers [δ, δ², δ⁴, ..., δ^(2^(num_challenges-1))].
Definition transcript.hpp:296
bb::BaseTranscript::export_proof
std::vector< DataType > export_proof()
Return the proof data starting at proof_start.
Definition transcript.hpp:192
bb::BaseTranscript::deserialize
static T deserialize(std::span< const DataType > frs)
Definition transcript.hpp:428
bb::BaseTranscript::add_to_hash_buffer
void add_to_hash_buffer(const std::string &label, const T &element)
Adds an element to the transcript.
Definition transcript.hpp:315
bb::BaseTranscript::send_to_verifier
void send_to_verifier(const std::string &label, const T &element)
Adds a prover message to the transcript, only intended to be used by the prover.
Definition transcript.hpp:344
bb::BaseTranscript::load_proof
void load_proof(const std::vector< DataType > &proof)
Verifier-specific method. The verifier needs to load a proof or its segment before the verification.
Definition transcript.hpp:206
bb::BaseTranscript::HashFunction
HashFunction_ HashFunction
Definition transcript.hpp:44
bb::BaseTranscript::proof_start
std::ptrdiff_t proof_start
Definition transcript.hpp:82
bb::BaseTranscript::get_manifest
TranscriptManifest get_manifest() const
Definition transcript.hpp:433
bb::BaseTranscript::get_next_duplex_challenge_buffer
std::array< DataType, CHALLENGE_BUFFER_SIZE > get_next_duplex_challenge_buffer()
Compute next challenge c_next = H( Compress(c_prev || round_buffer) )
Definition transcript.hpp:98
bb::BaseTranscript::get_challenges
std::array< ChallengeType, N > get_challenges(const std::array< std::string, N > &labels)
Wrapper around get_challenges to handle array of challenges.
Definition transcript.hpp:278
bb::BaseTranscript::manifest
TranscriptManifest manifest
Definition transcript.hpp:88
bb::BaseTranscript::serialize
static std::vector< DataType > serialize(const T &element)
Definition transcript.hpp:423
bb::BaseTranscript::test_get_proof_start
std::ptrdiff_t test_get_proof_start() const
Test utility: Get proof_start for validation.
Definition transcript.hpp:487
bb::BaseTranscript::Proof
std::vector< DataType > Proof
Definition transcript.hpp:46
bb::BaseTranscript::deserialize_from_buffer
T deserialize_from_buffer(const Proof &proof_data, size_t &offset) const
Deserializes the frs starting at offset into the typed element and returns that element.
Definition transcript.hpp:171
bb::BaseTranscript::get_challenges
std::vector< ChallengeType > get_challenges(std::span< const std::string > labels)
After all the prover messages have been sent, finalize the round by hashing all the data and then cre...
Definition transcript.hpp:227
bb::BaseTranscript::CHALLENGE_BUFFER_SIZE
static constexpr size_t CHALLENGE_BUFFER_SIZE
Definition transcript.hpp:51
bb::BaseTranscript::convert_prover_transcript_to_verifier_transcript
static std::shared_ptr< BaseTranscript > convert_prover_transcript_to_verifier_transcript(const std::shared_ptr< BaseTranscript > &prover_transcript)
Convert a prover transcript to a verifier transcript.
Definition transcript.hpp:411
bb::TranscriptManifest::add_entry
void add_entry(size_t round, const std::string &element_label, size_t element_size)
Definition transcript_manifest.hpp:78
bb::TranscriptManifest::add_challenge
void add_challenge(size_t round, const std::string &label)
Add a single challenge label to the manifest for the given round.
Definition transcript_manifest.hpp:45
bb::stdlib::poseidon2
stdlib class that evaluates in-circuit poseidon2 hashes, consistent with behavior in crypto::poseidon...
Definition poseidon2.hpp:20
debug_log.hpp
DEBUG_LOG
#define DEBUG_LOG(...)
Definition debug_log.hpp:105
info
#define info(...)
Definition log.hpp:93
field_conversion.hpp
offset
ssize_t offset
Definition engine.cpp:52
init
const auto init
Definition fr.bench.cpp:135
proof.hpp
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
bb::unique_transcript_index
std::atomic< size_t > unique_transcript_index
Definition transcript.hpp:35
bb::extract_transcript_tag
OriginTag extract_transcript_tag(const TranscriptType &transcript)
Extract origin tag context from a transcript.
Definition origin_tag.hpp:340
bb::NativeTranscript
BaseTranscript< FrCodec, bb::crypto::Poseidon2< bb::crypto::Poseidon2Bn254ScalarFieldParams > > NativeTranscript
Definition transcript.hpp:497
bb::TranscriptFor_t
typename TranscriptFor< Curve >::type TranscriptFor_t
Definition transcript.hpp:519
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
origin_tag.hpp
This file contains part of the logic for the Origin Tag mechanism that tracks the use of in-circuit p...
field_conversion.hpp
StdlibCodec for in-circuit (recursive) verification transcript handling.
bb::TranscriptFor
Helper to get the appropriate Transcript type for a given Curve.
Definition transcript.hpp:511
transcript_manifest.hpp