30 return static_cast<size_t>(Flavor::VIRTUAL_LOG_N);
33 return static_cast<size_t>(verifier_instance->get_vk()->log_circuit_size);
// Builds the padding indicator array with log_n entries.
// NOTE(review): this listing is partial. Gutter numbers are fused to the code and several source
// lines (signature, braces, guards) are missing, so the comments cover the visible lines only.
44template <
typename Flavor,
class IO>
// Start with log_n entries, all set to 1.
50 std::vector<FF> padding_indicator_array(log_n,
FF{ 1 });
52 auto vk_ptr = verifier_instance->get_vk();
53 if constexpr (IsRecursive) {
// Recursive verifier: the array comes from the stdlib helper, driven by the key's
// log_circuit_size, with Flavor::VIRTUAL_LOG_N as the template bound.
56 padding_indicator_array =
57 stdlib::compute_padding_indicator_array<Curve, Flavor::VIRTUAL_LOG_N>(vk_ptr->log_circuit_size);
// Presumably the non-recursive branch (the `else` line is not visible): entries below
// log_circuit_size are 1, the rest are 0.
// NOTE(review): log_circuit_size is read from the verification key and is not compared with
// log_n in the visible lines; a value >= log_n leaves every entry at 1. Confirm the key is
// range-checked where it is loaded.
60 const size_t log_circuit_size =
static_cast<size_t>(vk_ptr->log_circuit_size);
61 for (
size_t idx = 0; idx < log_n; idx++) {
62 padding_indicator_array[idx] = (idx < log_circuit_size) ?
FF{ 1 } :
FF{ 0 };
67 return padding_indicator_array;
// Splits a combined rollup proof into two Proof values: the leading elements form the Honk
// proof and the trailing IPA_PROOF_LENGTH elements form the IPA proof.
// NOTE(review): partial listing. The return type, braces and the size-check condition are not visible.
86template <
typename Flavor,
class IO>
89 IO>::split_rollup_proof(
const Proof& combined_proof)
const
// Message fragment of a minimum-size check on combined_proof; the check itself is not visible.
95 "Combined rollup proof is too small to contain IPA proof. Expected at least " +
// The split offset is size() - IPA_PROOF_LENGTH, cast to a signed iterator difference.
// NOTE(review): assuming Proof::size() is unsigned, this subtraction wraps when the proof is
// shorter than IPA_PROOF_LENGTH, and the iterator arithmetic below then leaves the buffer.
// Confirm that the size check above stops execution in every build configuration.
99 const auto honk_proof_length =
static_cast<std::ptrdiff_t>(combined_proof.size() - IPA_PROOF_LENGTH);
// Both halves are copied out of combined_proof.
101 Proof honk_proof(combined_proof.begin(), combined_proof.begin() + honk_proof_length);
102 Proof ipa_proof(combined_proof.begin() + honk_proof_length, combined_proof.end());
// IPA verification step of the verifier.
// NOTE(review): partial listing. The signature, the call that produces ipa_verified and the
// return statement are not visible.
110template <
typename Flavor,
class IO>
// Feed the IPA proof into its own transcript (ipa_transcript) before the check runs.
115 ipa_transcript->load_proof(ipa_proof);
// Log the outcome through vinfo().
117 vinfo(
"UltraVerifier: IPA check: ", ipa_verified ?
"true" :
"false");
// Failure message emitted through info(); presumably inside the `!ipa_verified` branch, whose
// guard is not visible here.
120 info(
"UltraVerifier: verification failed at IPA check");
// Reduction of an Ultra proof to a batched opening claim: load the proof, run sumcheck,
// batch the claims with Shplemini and hand the result to the PCS.
// NOTE(review): partial listing. The signature, several guards and the return statement are
// missing, so the comments describe the visible lines only.
131template <
typename Flavor,
class IO>
137 using ClaimBatch = ClaimBatcher::Batch;
// Everything read from the transcript below originates from this prover-supplied proof.
139 transcript->load_proof(proof);
142 const size_t log_n = compute_log_n();
// Message fragment of a minimum-length check on the proof; the bound and the check itself
// are not visible in this listing.
148 "Proof size too small. Got " +
std::to_string(proof.size()) +
" field elements, but need at least " +
158 auto padding_indicator_array = compute_padding_indicator_array(log_n);
// Gate challenges: log_n values obtained from the transcript under the label below.
159 verifier_instance->gate_challenges =
160 transcript->template get_dyadic_powers_of_challenge<FF>(
"Sumcheck:gate_challenge", log_n);
163 VerifierCommitments commitments{ verifier_instance->get_vk(), verifier_instance->witness_commitments };
166 commitments.gemini_masking_poly = verifier_instance->gemini_masking_commitment;
// Libra commitments start value-initialised and are filled from prover messages at source
// lines 175, 182 and 183. The guard around those reads is not visible; presumably ZK-only.
172 std::array<Commitment, NUM_LIBRA_COMMITMENTS> libra_commitments = {};
175 libra_commitments[0] = transcript->template receive_from_prover<Commitment>(
"Libra:concatenation_commitment");
// Argument list of a call whose head is not visible; sumcheck_output is used further down.
179 verifier_instance->relation_parameters, verifier_instance->gate_challenges, padding_indicator_array);
182 libra_commitments[1] = transcript->template receive_from_prover<Commitment>(
"Libra:grand_sum_commitment");
183 libra_commitments[2] = transcript->template receive_from_prover<Commitment>(
"Libra:quotient_commitment");
// Pair each commitment group with the evaluations claimed by sumcheck.
186 ClaimBatcher claim_batcher{
187 .unshifted = ClaimBatch{ commitments.get_unshifted(), sumcheck_output.
claimed_evaluations.get_unshifted() },
188 .shifted = ClaimBatch{ commitments.get_to_be_shifted(), sumcheck_output.
claimed_evaluations.get_shifted() }
// Commitment::one is built with the circuit builder in the recursive case and without it otherwise.
192 if constexpr (IsRecursive) {
193 return Commitment::one(
builder);
195 return Commitment::one();
199 auto shplemini_output = Shplemini::compute_batch_opening_claim(padding_indicator_array,
211 std::move(shplemini_output.batch_opening_claim), transcript, Flavor::FINAL_PCS_MSM_SIZE(log_n));
// consistency_checked defaults to true and is overwritten from shplemini_output at source line 215.
// NOTE(review): the guard around line 215 is not visible. When it is skipped the flag stays true,
// so a true value does not by itself show that the Libra consistency check ran.
213 bool consistency_checked =
true;
215 consistency_checked = shplemini_output.consistency_checked;
216 vinfo(
"Ultra Verifier (with ZK): Libra evals consistency checked ", consistency_checked ?
"true" :
"false");
// Log the sumcheck result; how the flags are combined into the returned result is not visible.
218 vinfo(
"Ultra Verifier sumcheck_verified: ", sumcheck_output.
verified ?
"true" :
"false");
// Top-level verification flow: optional IPA split, reduction to a pairing check, aggregation
// with the pairing points reconstructed from the public inputs, then the final checks.
// NOTE(review): partial listing. The signature, early returns and closing braces are not visible.
231template <
typename Flavor,
class IO>
// With an IPA-carrying IO the incoming proof is first split into its Honk and IPA parts.
239 if constexpr (IO::HasIPA) {
240 std::tie(honk_proof, ipa_proof) = split_rollup_proof(proof);
246 auto [pcs_pairing_points, reduction_succeeded] = reduce_to_pairing_check(honk_proof);
247 vinfo(
"UltraVerifier: reduced to pairing check: ", reduction_succeeded ?
"true" :
"false");
// Native verifier only: a failed reduction is reported here. Presumably followed by an early
// return, which is not visible; confirm no later step can still set output.result.
249 if constexpr (!IsRecursive) {
250 if (!reduction_succeeded) {
251 info(
"UltraVerifier: verification failed at reduction step");
// Rebuild the IO object from the public inputs, then fold the PCS pairing points into the
// pairing points carried by those inputs.
258 inputs.reconstruct_from_public(verifier_instance->public_inputs);
262 pi_pairing_points.aggregate(pcs_pairing_points);
// Recursive verifier: the aggregated points (and the IPA proof, if any) are placed in the output.
// No pairing or IPA check is visible on this path; presumably the consumer of `output` performs it.
267 if constexpr (IsRecursive) {
269 output.points_accumulator =
std::move(pi_pairing_points);
270 if constexpr (IO::HasIPA) {
271 output.ipa_proof = ipa_proof;
// Native path: run the pairing check on the aggregated points and report a failure.
275 bool pairing_verified = pi_pairing_points.check();
276 vinfo(
"UltraVerifier: pairing check: ", pairing_verified ?
"true" :
"false");
278 if (!pairing_verified) {
279 info(
"UltraVerifier: verification failed at pairing check");
// The IPA proof is verified against the claim taken from the reconstructed inputs.
284 if constexpr (IO::HasIPA) {
285 if (!verify_ipa(ipa_proof,
inputs.ipa_claim)) {
// Only assignment to output.result visible in this listing; it follows the checks above.
290 output.result =
true;
307#ifdef STARKNET_GARAGA_FLAVORS
#define BB_ASSERT_GTE(left, right,...)
#define BB_BENCH_NAME(name)
static constexpr bool HasZK
static constexpr bool USE_PADDING
static constexpr RepeatedCommitmentsData REPEATED_COMMITMENTS
IPA (inner product argument) commitment scheme class.
Verifier counterpart to OinkProver: receives witness commitments, computes relation parameters,...
void verify(bool emit_alpha=true)
Receive witness commitments, compute relation parameters, and prepare for Sumcheck.
Unverified claim (C,r,v) for some witness polynomial p(X) such that C = Commit(p(X)) and p(r) = v.
Implementation of the sumcheck Verifier for statements of the form for multilinear polynomials .
SumcheckOutput< Flavor > verify(const bb::RelationParameters< FF > &relation_parameters, const std::vector< FF > &gate_challenges, const std::vector< FF > &padding_indicator_array)
The Sumcheck verification method. First it extracts round univariate, checks sum (the sumcheck univar...
bool verify_ipa(const Proof &ipa_proof, const IPAClaim &ipa_claim)
Verify IPA proof for rollup circuits (native verifier only)
ReductionResult reduce_to_pairing_check(const Proof &proof)
Reduce ultra proof to verification claims (works for both native and recursive)
typename Transcript::Proof Proof
std::conditional_t< IsRecursive, stdlib::recursion::PairingPoints< Curve >, bb::PairingPoints< Curve > > PairingPoints
size_t compute_log_n() const
Compute log_n based on flavor.
std::vector< FF > compute_padding_indicator_array(size_t log_n) const
Compute padding indicator array based on flavor configuration.
std::conditional_t< IsRecursive, stdlib::recursion::honk::UltraRecursiveVerifierOutput< Builder >, UltraVerifierOutput< Flavor > > Output
typename Flavor::VerifierCommitments VerifierCommitments
typename Flavor::Commitment Commitment
Output verify_proof(const Proof &proof)
Perform ultra verification.
Representation of the Grumpkin Verifier Commitment Key inside a bn254 circuit.
Manages the data that is propagated on the public inputs of an application/function circuit.
The data that is propagated on the public inputs of the inner GoblinAvmRecursiveVerifier circuit.
Manages the data that is propagated on the public inputs of a hiding kernel circuit.
The data that is propagated on the public inputs of a rollup circuit.
Entry point for Barretenberg command-line interface.
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
std::string to_string(bb::avm2::ValueTag tag)
For a small integer N = virtual_log_n and a given witness x = log_n, compute in-circuit an indicator_...
Logic to support batching opening claims for unshifted and shifted polynomials in Shplemini.
static constexpr size_t LENGTH_WITHOUT_PUB_INPUTS(size_t log_n)
static constexpr size_t derive_num_public_inputs(size_t proof_size, size_t log_n)
Derive num_public_inputs from proof size.
Contains the evaluations of multilinear polynomials at the challenge point . These are computed by S...
FF claimed_libra_evaluation
ClaimedEvaluations claimed_evaluations
std::vector< FF > challenge
Result of reducing ultra proof to pairing points check. Contains pairing points and the aggregate res...
PairingPoints pairing_points