Merge branch 'master' into mm/pg-refactor-new

barretenberg/.gitrepo

@@ -6,7 +6,7 @@
 [subrepo]
 	remote = https://github.com/AztecProtocol/barretenberg
 	branch = master
-	commit = 3c3822d641c0624e21af5825d5c7f2a359cb5528
-	parent = 9cb6daff6330a5675a070334cc88773d6e0bae3a
+	commit = b4344455d2a3dddd51ba14f62294c8d5f5689008
+	parent = 319eea9e4caf1d1ade00fedface5fab9bbf9db16
 	method = merge
 	cmdver = 0.4.6

barretenberg/cpp/src/barretenberg/benchmark/plonk_bench/plonk.bench.cpp

@@ -32,21 +32,6 @@ plonk::Prover provers[NUM_CIRCUITS];
 plonk::Verifier verifiers[NUM_CIRCUITS];
 plonk::proof proofs[NUM_CIRCUITS];
 
-void construct_witnesses_bench(State& state) noexcept
-{
-    for (auto _ : state) {
-        state.PauseTiming();
-        auto builder = Builder(static_cast<size_t>(state.range(0)));
-        generate_test_plonk_circuit(builder, static_cast<size_t>(state.range(0)));
-        auto composer = Composer();
-        composer.compute_proving_key(builder);
-        state.ResumeTiming();
-
-        composer.compute_witness(builder);
-    }
-}
-BENCHMARK(construct_witnesses_bench)->RangeMultiplier(2)->Range(START, MAX_GATES);
-
 void construct_proving_keys_bench(State& state) noexcept
 {
     for (auto _ : state) {

barretenberg/cpp/src/barretenberg/benchmark/ultra_bench/goblin_ultra_honk.bench.cpp

@@ -0,0 +1,54 @@
+#include <benchmark/benchmark.h>
+
+#include "barretenberg/benchmark/ultra_bench/mock_proofs.hpp"
+#include "barretenberg/proof_system/circuit_builder/goblin_ultra_circuit_builder.hpp"
+#include "barretenberg/ultra_honk/ultra_composer.hpp"
+
+using namespace benchmark;
+using namespace bb;
+
+/**
+ * @brief Benchmark: Construction of a Ultra Honk proof for a circuit determined by the provided circuit function
+ */
+static void construct_proof_goblinultrahonk(State& state,
+                                            void (*test_circuit_function)(GoblinUltraCircuitBuilder&, size_t)) noexcept
+{
+    size_t num_iterations = 10; // 10x the circuit
+    bb::mock_proofs::construct_proof_with_specified_num_iterations<GoblinUltraComposer>(
+        state, test_circuit_function, num_iterations);
+}
+
+/**
+ * @brief Benchmark: Construction of a Ultra Plonk proof with 2**n gates
+ */
+static void construct_proof_goblinultrahonk_power_of_2(State& state) noexcept
+{
+    auto log2_of_gates = static_cast<size_t>(state.range(0));
+    bb::mock_proofs::construct_proof_with_specified_num_iterations<GoblinUltraComposer>(
+        state, &bb::mock_proofs::generate_basic_arithmetic_circuit<GoblinUltraCircuitBuilder>, log2_of_gates);
+}
+
+// Define benchmarks
+BENCHMARK_CAPTURE(construct_proof_goblinultrahonk,
+                  sha256,
+                  &stdlib::generate_sha256_test_circuit<GoblinUltraCircuitBuilder>)
+    ->Unit(kMillisecond);
+BENCHMARK_CAPTURE(construct_proof_goblinultrahonk,
+                  keccak,
+                  &stdlib::generate_keccak_test_circuit<GoblinUltraCircuitBuilder>)
+    ->Unit(kMillisecond);
+BENCHMARK_CAPTURE(construct_proof_goblinultrahonk,
+                  ecdsa_verification,
+                  &stdlib::generate_ecdsa_verification_test_circuit<GoblinUltraCircuitBuilder>)
+    ->Unit(kMillisecond);
+BENCHMARK_CAPTURE(construct_proof_goblinultrahonk,
+                  merkle_membership,
+                  &stdlib::generate_merkle_membership_test_circuit<GoblinUltraCircuitBuilder>)
+    ->Unit(kMillisecond);
+
+BENCHMARK(construct_proof_goblinultrahonk_power_of_2)
+    // 2**15 gates to 2**20 gates
+    ->DenseRange(15, 20)
+    ->Unit(kMillisecond);
+
+BENCHMARK_MAIN();

barretenberg/cpp/src/barretenberg/common/ref_array.hpp

@@ -38,8 +38,18 @@ template <typename T, std::size_t N> class RefArray {
 
     T& operator[](std::size_t idx) const
     {
+        // GCC has a bug where it has trouble analyzing zip_view
+        // this is likely due to this bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104165
+        // We disable this - if GCC was right, we would have caught this at runtime
+#if !defined(__clang__) && defined(__GNUC__)
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Warray-bounds"
+#endif
         ASSERT(idx < N);
         return *storage[idx];
+#if !defined(__clang__) && defined(__GNUC__)
+#pragma GCC diagnostic pop
+#endif
     }
 
     /**

barretenberg/cpp/src/barretenberg/flavor/flavor.hpp

@@ -115,6 +115,7 @@ class ProvingKey_ : public PrecomputedPolynomials, public WitnessPolynomials {
     auto get_all() { return concatenate(get_precomputed_polynomials(), get_witness_polynomials()); }
     auto get_witness_polynomials() { return WitnessPolynomials::get_all(); }
     auto get_precomputed_polynomials() { return PrecomputedPolynomials::get_all(); }
+    auto get_selectors() { return PrecomputedPolynomials::get_selectors(); }
     ProvingKey_() = default;
     ProvingKey_(const size_t circuit_size, const size_t num_public_inputs)
     {
@@ -285,6 +286,9 @@ namespace bb {
 template <typename T>
 concept IsPlonkFlavor = IsAnyOf<T, plonk::flavor::Standard, plonk::flavor::Ultra>;
 
+template <typename T>
+concept IsUltraPlonkFlavor = IsAnyOf<T, plonk::flavor::Ultra>;
+
 template <typename T> 
 concept IsHonkFlavor = IsAnyOf<T, UltraFlavor, GoblinUltraFlavor>;
 

barretenberg/cpp/src/barretenberg/goblin/mock_circuits.hpp

@@ -51,8 +51,9 @@ class GoblinMockCircuits {
      * @param builder
      * @param num_gates
      */
-    static void construct_arithmetic_circuit(GoblinUltraBuilder& builder, size_t num_gates = 1)
+    static void construct_arithmetic_circuit(GoblinUltraBuilder& builder, size_t log_num_gates = 0)
     {
+        size_t num_gates = 1 << log_num_gates;
         // For good measure, include a gate with some public inputs
         {
             FF a = FF::random_element();
@@ -66,17 +67,18 @@ class GoblinMockCircuits {
 
             builder.create_big_add_gate({ a_idx, b_idx, c_idx, d_idx, FF(1), FF(1), FF(1), FF(-1), FF(0) });
         }
+
         // Add arbitrary arithmetic gates to obtain a total of num_gates-many gates
-        for (size_t i = 0; i < num_gates - 1; ++i) {
-            FF a = FF::random_element();
-            FF b = FF::random_element();
-            FF c = FF::random_element();
-            FF d = a + b + c;
-            uint32_t a_idx = builder.add_variable(a);
-            uint32_t b_idx = builder.add_variable(b);
-            uint32_t c_idx = builder.add_variable(c);
-            uint32_t d_idx = builder.add_variable(d);
+        FF a = FF::random_element();
+        FF b = FF::random_element();
+        FF c = FF::random_element();
+        FF d = a + b + c;
+        uint32_t a_idx = builder.add_variable(a);
+        uint32_t b_idx = builder.add_variable(b);
+        uint32_t c_idx = builder.add_variable(c);
+        uint32_t d_idx = builder.add_variable(d);
 
+        for (size_t i = 0; i < num_gates - 1; ++i) {
             builder.create_big_add_gate({ a_idx, b_idx, c_idx, d_idx, FF(1), FF(1), FF(1), FF(-1), FF(0) });
         }
     }
@@ -110,7 +112,7 @@ class GoblinMockCircuits {
         // that the circuit size does not scale linearly with number of iterations due to e.g. amortization of
         // lookup costs
         const size_t NUM_ITERATIONS_LARGE = 13; // results in circuit size 2^19 (521327 gates) const
-        size_t NUM_ITERATIONS_MEDIUM = 2;       // results in circuit size 2^17 (124843 gates)
+        size_t NUM_ITERATIONS_MEDIUM = 3;       // results in circuit size 2^17 (124843 gates)
         const size_t NUM_ITERATIONS = large ? NUM_ITERATIONS_LARGE : NUM_ITERATIONS_MEDIUM;
 
         stdlib::generate_sha256_test_circuit(builder, NUM_ITERATIONS);             // min gates: ~39k

barretenberg/cpp/src/barretenberg/join_split_example/proofs/join_split/join_split.cpp

@@ -62,7 +62,7 @@ Prover new_join_split_prover(join_split_tx const& tx, bool mock)
 
     info("public inputs: ", builder.public_inputs.size());
 
-    Composer composer(proving_key, nullptr);
+    Composer composer;
     if (!mock) {
         info("composer gates: ", builder.get_num_gates());
         return composer.create_prover(builder);

barretenberg/cpp/src/barretenberg/plonk/composer/composer_lib.hpp

@@ -10,39 +10,6 @@ struct SelectorProperties {
     bool requires_lagrange_base_polynomial = false;
 };
 
-/**
- * @brief Initilalize proving key and load the crs
- *
- * @param circuit_constructor  Object containing the circuit
- * @param crs_factory Produces the prover's reference string
- * @param minimum_circuit_size The minimum size of polynomials without randomized elements
- * @param num_randomized_gates Number of gates with randomized witnesses
- * @param circuit_type This is passed in the case of Plonk since we use flavor-independent proving and verification keys
- * in that case.
- * @return std::shared_ptr<typename Flavor::ProvingKey>
- */
-std::shared_ptr<plonk::proving_key> initialize_proving_key(const auto& circuit_constructor,
-                                                           bb::srs::factories::CrsFactory<curve::BN254>* crs_factory,
-                                                           const size_t minimum_circuit_size,
-                                                           const size_t num_randomized_gates,
-                                                           CircuitType circuit_type)
-{
-    const size_t num_gates = circuit_constructor.num_gates;
-
-    const size_t num_public_inputs = circuit_constructor.public_inputs.size();
-    const size_t num_constraints = num_gates + num_public_inputs;
-    const size_t total_num_constraints = std::max(minimum_circuit_size, num_constraints);
-    const size_t subgroup_size =
-        circuit_constructor.get_circuit_subgroup_size(total_num_constraints + num_randomized_gates); // next power of 2
-
-    auto crs = crs_factory->get_prover_crs(subgroup_size + 1);
-
-    // Differentiate between Honk and Plonk here since Plonk pkey requires crs whereas Honk pkey does not
-    auto proving_key = std::make_shared<plonk::proving_key>(subgroup_size, num_public_inputs, crs, circuit_type);
-
-    return proving_key;
-}
-
 /**
  * @brief Fill the last index of each selector polynomial in lagrange form with a non-zero value
  *

barretenberg/cpp/src/barretenberg/plonk/composer/standard_composer.cpp

@@ -14,39 +14,6 @@
 
 namespace bb::plonk {
 
-/**
- * Compute witness polynomials (w_1, w_2, w_3, w_4).
- *
- * @details Fills 3 or 4 witness polynomials w_1, w_2, w_3, w_4 with the values of in-circuit variables. The beginning
- * of w_1, w_2 polynomials is filled with public_input values.
- * @return Witness with computed witness polynomials.
- *
- * @tparam Program settings needed to establish if w_4 is being used.
- * */
-void StandardComposer::compute_witness(const CircuitBuilder& circuit_constructor, const size_t minimum_circuit_size)
-{
-
-    if (computed_witness) {
-        return;
-    }
-    const size_t num_gates = circuit_constructor.num_gates;
-    const size_t num_public_inputs = circuit_constructor.public_inputs.size();
-
-    const size_t num_constraints = std::max(minimum_circuit_size, num_gates + num_public_inputs);
-
-    const size_t subgroup_size = circuit_constructor.get_circuit_subgroup_size(num_constraints + NUM_RESERVED_GATES);
-
-    auto wire_polynomial_evaluations =
-        construct_wire_polynomials_base<StandardComposer::Flavor>(circuit_constructor, subgroup_size);
-
-    for (size_t j = 0; j < program_width; ++j) {
-        std::string index = std::to_string(j + 1);
-        circuit_proving_key->polynomial_store.put("w_" + index + "_lagrange",
-                                                  std::move(wire_polynomial_evaluations[j]));
-    }
-    computed_witness = true;
-}
-
 /**
  * Compute proving key
  *
@@ -63,27 +30,30 @@ std::shared_ptr<plonk::proving_key> StandardComposer::compute_proving_key(const
     if (circuit_proving_key) {
         return circuit_proving_key;
     }
-    const size_t minimum_circuit_size = 0;
-    const size_t num_randomized_gates = NUM_RESERVED_GATES;
-    // Initialize circuit_proving_key
-    // TODO(#392)(Kesha): replace composer types.
-    circuit_proving_key = initialize_proving_key(
-        circuit_constructor, crs_factory_.get(), minimum_circuit_size, num_randomized_gates, CircuitType::STANDARD);
-    // Compute lagrange selectors
-    construct_selector_polynomials<Flavor>(circuit_constructor, circuit_proving_key.get());
+
+    const size_t total_num_gates =
+        circuit_constructor.num_gates + circuit_constructor.public_inputs.size() + NUM_RESERVED_GATES;
+    const size_t subgroup_size = circuit_constructor.get_circuit_subgroup_size(total_num_gates); // next power of 2
+
+    auto crs = srs::get_crs_factory()->get_prover_crs(subgroup_size + 1);
+    // TODO(https://github.com/AztecProtocol/barretenberg/issues/392): Composer type
+    circuit_proving_key = std::make_shared<plonk::proving_key>(
+        subgroup_size, circuit_constructor.public_inputs.size(), crs, CircuitType::STANDARD);
+
+    // Construct and add to proving key the wire, selector and copy constraint polynomials
+    Trace::generate(circuit_constructor, circuit_proving_key);
+
     // Make all selectors nonzero
     enforce_nonzero_selector_polynomials(circuit_constructor, circuit_proving_key.get());
     // Compute selectors in monomial form
     compute_monomial_and_coset_selector_forms(circuit_proving_key.get(), standard_selector_properties());
 
-    // Compute sigma polynomials (we should update that late)
-    compute_standard_plonk_sigma_permutations<Flavor>(circuit_constructor, circuit_proving_key.get());
-
     circuit_proving_key->recursive_proof_public_input_indices =
         std::vector<uint32_t>(circuit_constructor.recursive_proof_public_input_indices.begin(),
                               circuit_constructor.recursive_proof_public_input_indices.end());
-    // What does this line do exactly?
+
     circuit_proving_key->contains_recursive_proof = circuit_constructor.contains_recursive_proof;
+
     return circuit_proving_key;
 }
 
@@ -144,12 +114,8 @@ plonk::Verifier StandardComposer::create_verifier(const CircuitBuilder& circuit_
  * */
 plonk::Prover StandardComposer::create_prover(const CircuitBuilder& circuit_constructor)
 {
-    // Compute q_l, etc. and sigma polynomials.
     compute_proving_key(circuit_constructor);
 
-    // Compute witness polynomials.
-    compute_witness(circuit_constructor);
-
     plonk::Prover output_state(circuit_proving_key, create_manifest(circuit_constructor.public_inputs.size()));
 
     std::unique_ptr<plonk::ProverPermutationWidget<3, false>> permutation_widget =

barretenberg/cpp/src/barretenberg/plonk/composer/standard_composer.hpp

@@ -7,6 +7,7 @@
 #include "barretenberg/plonk/proof_system/verification_key/verification_key.hpp"
 #include "barretenberg/plonk/proof_system/verifier/verifier.hpp"
 #include "barretenberg/proof_system/circuit_builder/standard_circuit_builder.hpp"
+#include "barretenberg/proof_system/execution_trace/execution_trace.hpp"
 #include "barretenberg/srs/factories/file_crs_factory.hpp"
 #include <utility>
 
@@ -16,6 +17,7 @@ class StandardComposer {
     using Flavor = plonk::flavor::Standard;
 
     using CircuitBuilder = StandardCircuitBuilder;
+    using Trace = ExecutionTrace_<Flavor>;
 
     static constexpr std::string_view NAME_STRING = "StandardPlonk";
     static constexpr size_t NUM_RESERVED_GATES = 4; // equal to the number of evaluations leaked
@@ -60,7 +62,6 @@ class StandardComposer {
     plonk::Verifier create_verifier(const CircuitBuilder& circuit_constructor);
     plonk::Prover create_prover(const CircuitBuilder& circuit_constructor);
 
-    void compute_witness(const CircuitBuilder& circuit_constructor, const size_t minimum_circuit_size = 0);
     /**
      * Create a manifest, which specifies proof rounds, elements and who supplies them.
      *