ultra_verifier.hpp

Go to the documentation of this file.

// === AUDIT STATUS ===
// internal:    { status: Completed, auditors: [Sergei], commit: }
// external_1:  { status: not started, auditors: [], commit: }
// external_2:  { status: not started, auditors: [], commit: }
// =====================
 
#pragma once
#include "barretenberg/ecc/curves/grumpkin/grumpkin.hpp"
#include "barretenberg/flavor/mega_zk_recursive_flavor.hpp"
#include "barretenberg/flavor/ultra_zk_recursive_flavor.hpp"
#include "barretenberg/honk/proof_system/types/proof.hpp"
#include "barretenberg/special_public_inputs/special_public_inputs.hpp"
#include "barretenberg/stdlib/primitives/pairing_points.hpp"
#include "barretenberg/stdlib/proof/proof.hpp"
#include "barretenberg/stdlib/special_public_inputs/special_public_inputs.hpp"
#include "barretenberg/ultra_honk/verifier_instance.hpp"
 
namespace bb::stdlib::recursion::honk {
 
template <typename Builder> struct UltraRecursiveVerifierOutput {
    using Curve = bn254<Builder>;
    using FF = typename Curve::ScalarField;
    using G1 = typename Curve::Group;
 
    PairingPoints<Curve> points_accumulator;
    OpeningClaim<grumpkin<Builder>> ipa_claim;
    stdlib::Proof<Builder> ipa_proof;
    G1 kernel_return_data;
    std::array<G1, Builder::NUM_WIRES> ecc_op_tables; // Ecc op tables' commitments (HidingKernel/Chonk only)
    FF transcript_hash; // The final state of the transcript of the AVM recursive verifier (GoblinAvm only)
 
    UltraRecursiveVerifierOutput() = default;
 
    template <class IO> UltraRecursiveVerifierOutput(IO& inputs)
    {
        if constexpr (std::is_same_v<IO, RollupIO>) {
            ipa_claim = inputs.ipa_claim;
        } else if constexpr (std::is_same_v<IO, HidingKernelIO<Builder>>) {
            kernel_return_data = inputs.kernel_return_data;
            ecc_op_tables = inputs.ecc_op_tables;
        } else if constexpr (std::is_same_v<IO, GoblinAvmIO<Builder>>) {
            transcript_hash = inputs.transcript_hash;
        } else if constexpr (!std::is_same_v<IO, DefaultIO<Builder>>) {
            throw_or_abort("Invalid public input type.");
        }
    }
};
 
} // namespace bb::stdlib::recursion::honk
 
namespace bb {
 
// Native verifier output
template <typename Flavor> struct UltraVerifierOutput {
  public:
    using Commitment = typename Flavor::Commitment;
    bool result = false;
    typename Flavor::Commitment kernel_return_data;
    std::array<Commitment, Flavor::NUM_WIRES> ecc_op_tables;
 
    UltraVerifierOutput() = default;
 
    template <class IO> UltraVerifierOutput(IO& inputs)
    {
        if constexpr (std::is_same_v<IO, HidingKernelIO>) {
            kernel_return_data = inputs.kernel_return_data;
            ecc_op_tables = inputs.ecc_op_tables;
        } else if constexpr (!std::is_same_v<IO, DefaultIO> && !std::is_same_v<IO, RollupIO>) {
            throw_or_abort("Invalid public input type.");
        }
    }
};
 
template <typename Flavor, class IO> class UltraVerifier_ {
  public:
    using FF = typename Flavor::FF;
    using Commitment = typename Flavor::Commitment;
    using Curve = typename Flavor::Curve;
    using PCS = typename Flavor::PCS;
    using VerificationKey = typename Flavor::VerificationKey;
    using VerifierCommitments = typename Flavor::VerifierCommitments;
    using Transcript = typename Flavor::Transcript;
    using Instance = VerifierInstance_<Flavor>;
 
    static constexpr bool IsRecursive = IsRecursiveFlavor<Flavor>;
 
    // Conditional types based on recursion
    using Builder = std::conditional_t<IsRecursive, typename Flavor::CircuitBuilder, void>;
    using PairingPoints =
        std::conditional_t<IsRecursive, stdlib::recursion::PairingPoints<Curve>, bb::PairingPoints<Curve>>;
 
    using PublicInputs = std::vector<FF>;
    using Proof = typename Transcript::Proof;
 
    // Conditional output type: UltraVerifierOutput for native, UltraRecursiveVerifierOutput for recursive
    using Output = std::conditional_t<IsRecursive,
                                      stdlib::recursion::honk::UltraRecursiveVerifierOutput<Builder>,
                                      UltraVerifierOutput<Flavor>>;
 
    // IPA claim type: native uses curve::Grumpkin, recursive uses stdlib::grumpkin<Builder>
    using IPACurve = std::conditional_t<IsRecursive, stdlib::grumpkin<Builder>, curve::Grumpkin>;
    using IPAClaim = OpeningClaim<IPACurve>;
 
    struct ReductionResult {
        PairingPoints pairing_points;     // KZG pairing points for deferred verification
        bool reduction_succeeded = false; // Sumcheck and libra evaluation consistency checks
    };
 
    using VKAndHash = typename Flavor::VKAndHash;
    explicit UltraVerifier_(const std::shared_ptr<VKAndHash>& vk_and_hash,
                            const std::shared_ptr<Transcript>& transcript = std::make_shared<Transcript>())
        : vk_and_hash(vk_and_hash)
        , verifier_instance(std::make_shared<Instance>(vk_and_hash))
        , transcript(transcript)
    {
        if constexpr (!IsRecursive) {
            // Native only: create IPA transcript
            ipa_transcript = std::make_shared<Transcript>();
        } else {
            // Recursive only: extract builder from VKAndHash for later use
            // Safe since VKAndHash contains field_t elements (hash) with builder context
            builder = vk_and_hash->hash.get_context();
        }
    }
 
    size_t compute_log_n() const;
 
    std::vector<FF> compute_padding_indicator_array(size_t log_n) const;
 
    [[nodiscard("Reduction result should be verified")]] ReductionResult reduce_to_pairing_check(const Proof& proof);
 
    std::pair<Proof, Proof> split_rollup_proof(const Proof& combined_proof) const
        requires(IO::HasIPA);
 
    bool verify_ipa(const Proof& ipa_proof, const IPAClaim& ipa_claim)
        requires(!IsRecursiveFlavor<Flavor> && IO::HasIPA);
 
    Output verify_proof(const Proof& proof);
 
    const std::shared_ptr<Transcript>& get_transcript() const { return transcript; }
 
    const std::shared_ptr<Instance>& get_verifier_instance() const { return verifier_instance; }
 
    const PublicInputs& get_public_inputs() const { return verifier_instance->public_inputs; }
 
    const typename Flavor::WitnessCommitments& get_witness_commitments() const
    {
        return verifier_instance->witness_commitments;
    }
 
    const Commitment& get_calldata_commitment() const
        requires IsMegaFlavor<Flavor>
    {
        return verifier_instance->witness_commitments.calldata;
    }
 
    auto get_ecc_op_wires() const
        requires IsMegaFlavor<Flavor>
    {
        return verifier_instance->witness_commitments.get_ecc_op_wires().get_copy();
    }
 
  private:
    std::shared_ptr<VKAndHash> vk_and_hash;
    std::shared_ptr<Instance> verifier_instance;
    std::shared_ptr<Transcript> transcript;
    std::shared_ptr<Transcript> ipa_transcript; // Native only
 
    // Builder pointer (extracted from VKAndHash for recursive, nullptr for native)
    Builder* builder = nullptr;
};
 
// Native verifier type aliases
using UltraVerifier = UltraVerifier_<UltraFlavor, DefaultIO>;
using UltraZKVerifier = UltraVerifier_<UltraZKFlavor, DefaultIO>;
using UltraRollupVerifier = UltraVerifier_<UltraFlavor, RollupIO>;
using UltraKeccakVerifier = UltraVerifier_<UltraKeccakFlavor, DefaultIO>;
using UltraKeccakZKVerifier = UltraVerifier_<UltraKeccakZKFlavor, DefaultIO>;
#ifdef STARKNET_GARAGA_FLAVORS
using UltraStarknetVerifier = UltraVerifier_<UltraStarknetFlavor, DefaultIO>;
using UltraStarknetZKVerifier = UltraVerifier_<UltraStarknetZKFlavor, DefaultIO>;
#endif
using MegaVerifier = UltraVerifier_<MegaFlavor, DefaultIO>;
using MegaZKVerifier = UltraVerifier_<MegaZKFlavor, HidingKernelIO>;
using MegaZKRecursiveVerifier = UltraVerifier_<MegaZKRecursiveFlavor_<UltraCircuitBuilder>,
                                               stdlib::recursion::honk::HidingKernelIO<UltraCircuitBuilder>>;
 
} // namespace bb