feat: Goblin proof construction (#3332)

The last PR that splits out and completes work from #3022 We add composer, prover and verifier classes for the Goblin Translator VM. We also further flesh out the full Goblin composer tests. Modulo some missing challenge generation, we have our first Goblin proofs (i.e., something worth measuring)! Spawned issues AztecProtocol/barretenberg#783 AztecProtocol/barretenberg#784 AztecProtocol/barretenberg#785 AztecProtocol/barretenberg#786 AztecProtocol/barretenberg#787
AztecProtocol · Nov 22, 2023 · 6a7ebb6 · 6a7ebb6
1 parent 112740e
commit 6a7ebb6
Show file tree

Hide file tree

Showing 37 changed files with 1,534 additions and 461 deletions.
diff --git a/barretenberg/cpp/scripts/bb-tests.sh b/barretenberg/cpp/scripts/bb-tests.sh
@@ -35,6 +35,7 @@ TESTS=(
   srs_tests
   sumcheck_tests
   transcript_tests
+  translator_vm_tests
   ultra_honk_tests
 )
 TESTS_STR="${TESTS[@]}"

diff --git a/barretenberg/cpp/src/CMakeLists.txt b/barretenberg/cpp/src/CMakeLists.txt
@@ -74,6 +74,7 @@ add_subdirectory(barretenberg/srs)
 add_subdirectory(barretenberg/stdlib)
 add_subdirectory(barretenberg/sumcheck)
 add_subdirectory(barretenberg/transcript)
+add_subdirectory(barretenberg/translator_vm)
 add_subdirectory(barretenberg/ultra_honk)
 add_subdirectory(barretenberg/wasi)
 

diff --git a/barretenberg/cpp/src/barretenberg/benchmark/relations_bench/relations.bench.cpp b/barretenberg/cpp/src/barretenberg/benchmark/relations_bench/relations.bench.cpp
@@ -1,3 +1,4 @@
+#include "barretenberg/flavor/ecc_vm.hpp"
 #include "barretenberg/flavor/goblin_translator.hpp"
 #include "barretenberg/flavor/goblin_ultra.hpp"
 #include "barretenberg/flavor/ultra.hpp"
@@ -7,12 +8,16 @@ namespace {
 auto& engine = numeric::random::get_debug_engine();
 }
 
+using namespace proof_system::honk::sumcheck;
+
 namespace proof_system::benchmark::relations {
 
-using FF = barretenberg::fr;
+using Fr = barretenberg::fr;
+using Fq = grumpkin::fr;
 
 template <typename Flavor, typename Relation> void execute_relation(::benchmark::State& state)
 {
+    using FF = typename Flavor::FF;
     using AllValues = typename Flavor::AllValues;
     using SumcheckArrayOfValuesOverSubrelations = typename Relation::SumcheckArrayOfValuesOverSubrelations;
 
@@ -29,82 +34,118 @@ template <typename Flavor, typename Relation> void execute_relation(::benchmark:
     }
 }
 
-void auxiliary_relation(::benchmark::State& state) noexcept
+void ultra_auxiliary_relation(::benchmark::State& state) noexcept
 {
-    execute_relation<honk::flavor::Ultra, AuxiliaryRelation<FF>>(state);
+    execute_relation<honk::flavor::Ultra, AuxiliaryRelation<Fr>>(state);
 }
-BENCHMARK(auxiliary_relation);
+BENCHMARK(ultra_auxiliary_relation);
 
-void elliptic_relation(::benchmark::State& state) noexcept
+void ultra_elliptic_relation(::benchmark::State& state) noexcept
 {
-    execute_relation<honk::flavor::Ultra, EllipticRelation<FF>>(state);
+    execute_relation<honk::flavor::Ultra, EllipticRelation<Fr>>(state);
 }
-BENCHMARK(elliptic_relation);
+BENCHMARK(ultra_elliptic_relation);
 
-void ecc_op_queue_relation(::benchmark::State& state) noexcept
+void ultra_ecc_op_queue_relation(::benchmark::State& state) noexcept
 {
-    execute_relation<honk::flavor::GoblinUltra, EccOpQueueRelation<FF>>(state);
+    execute_relation<honk::flavor::GoblinUltra, EccOpQueueRelation<Fr>>(state);
 }
-BENCHMARK(ecc_op_queue_relation);
+BENCHMARK(ultra_ecc_op_queue_relation);
 
-void gen_perm_sort_relation(::benchmark::State& state) noexcept
+void ultra_gen_perm_sort_relation(::benchmark::State& state) noexcept
 {
-    execute_relation<honk::flavor::Ultra, GenPermSortRelation<FF>>(state);
+    execute_relation<honk::flavor::Ultra, GenPermSortRelation<Fr>>(state);
 }
-BENCHMARK(gen_perm_sort_relation);
+BENCHMARK(ultra_gen_perm_sort_relation);
 
-void lookup_relation(::benchmark::State& state) noexcept
+void ultralookup_relation(::benchmark::State& state) noexcept
 {
-    execute_relation<honk::flavor::Ultra, LookupRelation<FF>>(state);
+    execute_relation<honk::flavor::Ultra, LookupRelation<Fr>>(state);
 }
-BENCHMARK(lookup_relation);
+BENCHMARK(ultralookup_relation);
 
 void ultra_permutation_relation(::benchmark::State& state) noexcept
 {
-    execute_relation<honk::flavor::Ultra, UltraPermutationRelation<FF>>(state);
+    execute_relation<honk::flavor::Ultra, UltraPermutationRelation<Fr>>(state);
 }
 BENCHMARK(ultra_permutation_relation);
 
 void ultra_arithmetic_relation(::benchmark::State& state) noexcept
 {
-    execute_relation<honk::flavor::Ultra, UltraArithmeticRelation<FF>>(state);
+    execute_relation<honk::flavor::Ultra, UltraArithmeticRelation<Fr>>(state);
 }
 BENCHMARK(ultra_arithmetic_relation);
 
 void translator_decomposition_relation(::benchmark::State& state) noexcept
 {
-    execute_relation<honk::flavor::GoblinTranslator, GoblinTranslatorDecompositionRelation<FF>>(state);
+    execute_relation<honk::flavor::GoblinTranslator, GoblinTranslatorDecompositionRelation<Fr>>(state);
 }
 BENCHMARK(translator_decomposition_relation);
 
 void translator_opcode_constraint_relation(::benchmark::State& state) noexcept
 {
-    execute_relation<honk::flavor::GoblinTranslator, GoblinTranslatorOpcodeConstraintRelation<FF>>(state);
+    execute_relation<honk::flavor::GoblinTranslator, GoblinTranslatorOpcodeConstraintRelation<Fr>>(state);
 }
 BENCHMARK(translator_opcode_constraint_relation);
 
 void translator_accumulator_transfer_relation(::benchmark::State& state) noexcept
 {
-    execute_relation<honk::flavor::GoblinTranslator, GoblinTranslatorAccumulatorTransferRelation<FF>>(state);
+    execute_relation<honk::flavor::GoblinTranslator, GoblinTranslatorAccumulatorTransferRelation<Fr>>(state);
 }
 BENCHMARK(translator_accumulator_transfer_relation);
 
 void translator_gen_perm_sort_relation(::benchmark::State& state) noexcept
 {
-    execute_relation<honk::flavor::GoblinTranslator, GoblinTranslatorGenPermSortRelation<FF>>(state);
+    execute_relation<honk::flavor::GoblinTranslator, GoblinTranslatorGenPermSortRelation<Fr>>(state);
 }
 BENCHMARK(translator_gen_perm_sort_relation);
 
 void translator_non_native_field_relation(::benchmark::State& state) noexcept
 {
-    execute_relation<honk::flavor::GoblinTranslator, GoblinTranslatorNonNativeFieldRelation<FF>>(state);
+    execute_relation<honk::flavor::GoblinTranslator, GoblinTranslatorNonNativeFieldRelation<Fr>>(state);
 }
 BENCHMARK(translator_non_native_field_relation);
 
 void translator_permutation_relation(::benchmark::State& state) noexcept
 {
-    execute_relation<honk::flavor::GoblinTranslator, GoblinTranslatorPermutationRelation<FF>>(state);
+    execute_relation<honk::flavor::GoblinTranslator, GoblinTranslatorPermutationRelation<Fr>>(state);
 }
 BENCHMARK(translator_permutation_relation);
 
+void eccvm_lookup_relation(::benchmark::State& state) noexcept
+{
+    execute_relation<honk::flavor::ECCVM, ECCVMLookupRelation<Fq>>(state);
+}
+BENCHMARK(eccvm_lookup_relation);
+
+void eccvm_msm_relation(::benchmark::State& state) noexcept
+{
+    execute_relation<honk::flavor::ECCVM, ECCVMMSMRelation<Fq>>(state);
+}
+BENCHMARK(eccvm_msm_relation);
+
+void eccvm_point_table_relation(::benchmark::State& state) noexcept
+{
+    execute_relation<honk::flavor::ECCVM, ECCVMPointTableRelation<Fq>>(state);
+}
+BENCHMARK(eccvm_point_table_relation);
+
+void eccvm_set_relation(::benchmark::State& state) noexcept
+{
+    execute_relation<honk::flavor::ECCVM, ECCVMSetRelation<Fq>>(state);
+}
+BENCHMARK(eccvm_set_relation);
+
+void eccvm_transcript_relation(::benchmark::State& state) noexcept
+{
+    execute_relation<honk::flavor::ECCVM, ECCVMTranscriptRelation<Fq>>(state);
+}
+BENCHMARK(eccvm_transcript_relation);
+
+void eccvm_wnaf_relation(::benchmark::State& state) noexcept
+{
+    execute_relation<honk::flavor::ECCVM, ECCVMWnafRelation<Fq>>(state);
+}
+BENCHMARK(eccvm_wnaf_relation);
+
 } // namespace proof_system::benchmark::relations
diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp
@@ -319,9 +319,9 @@ template <typename Curve> class ZeroMorphProver_ {
                       auto& multilinear_challenge,
                       auto& commitment_key,
                       auto& transcript,
-                      const std::vector<Polynomial>& concatenated_polynomials = {},
+                      const std::vector<std::span<FF>>& concatenated_polynomials = {},
                       const std::vector<FF>& concatenated_evaluations = {},
-                      const std::vector<std::vector<Polynomial>>& concatenation_groups = {})
+                      const std::vector<std::vector<std::span<FF>>>& concatenation_groups = {})
     {
         // Generate batching challenge \rho and powers 1,...,\rho^{m-1}
         FF rho = transcript.get_challenge("rho");

diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.test.cpp
@@ -225,6 +225,17 @@ template <class Curve> class ZeroMorphWithConcatenationTest : public CommitmentT
         // Initialize an empty BaseTranscript
         auto prover_transcript = BaseTranscript<Fr>::prover_init_empty();
 
+        std::vector<std::span<Fr>> concatenated_polynomials_views;
+        for (auto& poly : concatenated_polynomials) {
+            concatenated_polynomials_views.emplace_back(poly);
+        }
+
+        std::vector<std::vector<std::span<Fr>>> concatenation_groups_views(concatenation_groups.size());
+        for (auto [group_of_polys, group_of_views] : zip_view(concatenation_groups, concatenation_groups_views)) {
+            for (auto& poly : group_of_polys) {
+                group_of_views.emplace_back(poly);
+            }
+        }
         // Execute Prover protocol
         ZeroMorphProver::prove(f_polynomials, // unshifted
                                g_polynomials, // to-be-shifted
@@ -233,9 +244,9 @@ template <class Curve> class ZeroMorphWithConcatenationTest : public CommitmentT
                                u_challenge,
                                this->commitment_key,
                                prover_transcript,
-                               concatenated_polynomials,
+                               concatenated_polynomials_views,
                                c_evaluations,
-                               concatenation_groups);
+                               concatenation_groups_views);
 
         auto verifier_transcript = BaseTranscript<Fr>::verifier_init_empty(prover_transcript);
 

diff --git a/barretenberg/cpp/src/barretenberg/common/benchmark.hpp b/barretenberg/cpp/src/barretenberg/common/benchmark.hpp
@@ -8,6 +8,8 @@
 #include <string>
 #include <unistd.h>
 
+#pragma GCC diagnostic ignored "-Wunused-result" // GCC13 hits this
+
 namespace {
 /**
  * If user provides the env var BENCHMARK_FD write benchmarks to this fd, otherwise default to -1 (disable).

diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp
@@ -320,35 +320,38 @@ template <ECCVMFlavor Flavor> void ECCVMProver_<Flavor>::execute_transcript_cons
     transcript.send_to_verifier("Translation:hack_commitment", commitment_key->commit(hack));
 
     // Get the challenge at which we evaluate the polynomials as univariates
-    FF evaluation_challenge_x = transcript.get_challenge("Translation:evaluation_challenge_x");
+    evaluation_challenge_x = transcript.get_challenge("Translation:evaluation_challenge_x");
 
-    // Collect the polynomials and evaluations to be batched
-    const size_t NUM_UNIVARIATES = 6; // 5 transcript polynomials plus the constant hack poly
-    std::array<Polynomial, NUM_UNIVARIATES> univariate_polynomials = { key->transcript_op, key->transcript_Px,
-                                                                       key->transcript_Py, key->transcript_z1,
-                                                                       key->transcript_z2, hack };
-    std::array<FF, NUM_UNIVARIATES> univariate_evaluations;
-    for (auto [eval, polynomial] : zip_view(univariate_evaluations, univariate_polynomials)) {
-        eval = polynomial.evaluate(evaluation_challenge_x);
-    }
+    translation_evaluations.op = key->transcript_op.evaluate(evaluation_challenge_x);
+    translation_evaluations.Px = key->transcript_Px.evaluate(evaluation_challenge_x);
+    translation_evaluations.Py = key->transcript_Py.evaluate(evaluation_challenge_x);
+    translation_evaluations.z1 = key->transcript_z1.evaluate(evaluation_challenge_x);
+    translation_evaluations.z2 = key->transcript_z2.evaluate(evaluation_challenge_x);
 
     // Add the univariate evaluations to the transcript
-    transcript.send_to_verifier("Translation:op", univariate_evaluations[0]);
-    transcript.send_to_verifier("Translation:Px", univariate_evaluations[1]);
-    transcript.send_to_verifier("Translation:Py", univariate_evaluations[2]);
-    transcript.send_to_verifier("Translation:z1", univariate_evaluations[3]);
-    transcript.send_to_verifier("Translation:z2", univariate_evaluations[4]);
-    transcript.send_to_verifier("Translation:hack_evaluation", univariate_evaluations[5]);
+    transcript.send_to_verifier("Translation:op", translation_evaluations.op);
+    transcript.send_to_verifier("Translation:Px", translation_evaluations.Px);
+    transcript.send_to_verifier("Translation:Py", translation_evaluations.Py);
+    transcript.send_to_verifier("Translation:z1", translation_evaluations.z1);
+    transcript.send_to_verifier("Translation:z2", translation_evaluations.z2);
+    transcript.send_to_verifier("Translation:hack_evaluation", hack.evaluate(evaluation_challenge_x));
 
     // Get another challenge for batching the univariate claims
     FF batching_challenge = transcript.get_challenge("Translation:batching_challenge");
 
+    // Collect the polynomials and evaluations to be batched
+    const size_t NUM_UNIVARIATES = 6; // 5 transcript polynomials plus the constant hack poly
+    std::array<Polynomial*, NUM_UNIVARIATES> univariate_polynomials = { &key->transcript_op, &key->transcript_Px,
+                                                                        &key->transcript_Py, &key->transcript_z1,
+                                                                        &key->transcript_z2, &hack };
+    std::array<FF, NUM_UNIVARIATES> univariate_evaluations;
+
     // Constuct the batched polynomial and batched evaluation
     Polynomial batched_univariate{ key->circuit_size };
     FF batched_evaluation{ 0 };
     auto batching_scalar = FF(1);
     for (auto [eval, polynomial] : zip_view(univariate_evaluations, univariate_polynomials)) {
-        batched_univariate.add_scaled(polynomial, batching_scalar);
+        batched_univariate.add_scaled(*polynomial, batching_scalar);
         batched_evaluation += eval * batching_scalar;
         batching_scalar *= batching_challenge;
     }

diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.hpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.hpp
@@ -2,6 +2,7 @@
 #include "barretenberg/commitment_schemes/gemini/gemini.hpp"
 #include "barretenberg/commitment_schemes/shplonk/shplonk.hpp"
 #include "barretenberg/flavor/ecc_vm.hpp"
+#include "barretenberg/goblin/translation_evaluations.hpp"
 #include "barretenberg/plonk/proof_system/types/proof.hpp"
 #include "barretenberg/relations/relation_parameters.hpp"
 #include "barretenberg/sumcheck/sumcheck_output.hpp"
@@ -22,6 +23,7 @@ template <ECCVMFlavor Flavor> class ECCVMProver_ {
     using CommitmentLabels = typename Flavor::CommitmentLabels;
     using Curve = typename Flavor::Curve;
     using Transcript = typename Flavor::Transcript;
+    using TranslationEvaluations = barretenberg::TranslationEvaluations;
 
   public:
     explicit ECCVMProver_(std::shared_ptr<ProvingKey> input_key, std::shared_ptr<PCSCommitmentKey> commitment_key);
@@ -43,6 +45,8 @@ template <ECCVMFlavor Flavor> class ECCVMProver_ {
 
     Transcript transcript;
 
+    TranslationEvaluations translation_evaluations;
+
     std::vector<FF> public_inputs;
 
     proof_system::RelationParameters<FF> relation_parameters;
@@ -62,6 +66,8 @@ template <ECCVMFlavor Flavor> class ECCVMProver_ {
 
     Polynomial quotient_W;
 
+    FF evaluation_challenge_x;
+
     sumcheck::SumcheckOutput<Flavor> sumcheck_output;
     pcs::gemini::ProverOutput<Curve> gemini_output;
     pcs::shplonk::ProverOutput<Curve> shplonk_output;

diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_transcript.test.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_transcript.test.cpp
@@ -227,7 +227,8 @@ TYPED_TEST_SUITE(ECCVMTranscriptTests, FlavorTypes);
  */
 TYPED_TEST(ECCVMTranscriptTests, ProverManifestConsistency)
 {
-    GTEST_SKIP() << "WORKTODO: update and reinstate after the protocol is finalized.";
+    GTEST_SKIP() << "TODO(https://github.com/AztecProtocol/barretenberg/issues/782): update and reinstate after the "
+                    "protocol is finalized.";
     using Flavor = TypeParam;
 
     // Construct a simple circuit
@@ -256,7 +257,8 @@ TYPED_TEST(ECCVMTranscriptTests, ProverManifestConsistency)
  */
 TYPED_TEST(ECCVMTranscriptTests, VerifierManifestConsistency)
 {
-    GTEST_SKIP() << "WORKTODO: update and reinstate after the protocol is finalized.";
+    GTEST_SKIP() << "TODO(https://github.com/AztecProtocol/barretenberg/issues/782): update and reinstate after the "
+                    "protocol is finalized.";
 
     using Flavor = TypeParam;
 
@@ -310,7 +312,8 @@ TYPED_TEST(ECCVMTranscriptTests, ChallengeGenerationTest)
 
 TYPED_TEST(ECCVMTranscriptTests, StructureTest)
 {
-    GTEST_SKIP() << "WORKTODO: update and reinstate after the protocol is finalized.";
+    GTEST_SKIP() << "TODO(https://github.com/AztecProtocol/barretenberg/issues/782): update and reinstate after the "
+                    "protocol is finalized.";
 
     using Flavor = TypeParam;
 

diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp
@@ -270,7 +270,7 @@ template <typename Flavor> bool ECCVMVerifier_<Flavor>::verify_proof(const plonk
         univariate_opening_verified = PCS::verify(pcs_verification_key, batched_univariate_claim, transcript);
     }
 
-    return multivariate_opening_verified && univariate_opening_verified;
+    return sumcheck_verified.value() && multivariate_opening_verified && univariate_opening_verified;
 }
 
 template class ECCVMVerifier_<honk::flavor::ECCVM>;

diff --git a/barretenberg/cpp/src/barretenberg/flavor/flavor.test.cpp b/barretenberg/cpp/src/barretenberg/flavor/flavor.test.cpp
@@ -4,9 +4,6 @@
 #include <cstddef>
 #include <gtest/gtest.h>
 
-#pragma GCC diagnostic ignored "-Wunused-local-typedefs"
-#pragma GCC diagnostic ignored "-Wunused-variable"
-
 namespace proof_system::test_flavor {
 TEST(Flavor, Getters)
 {
@@ -139,7 +136,6 @@ TEST(Flavor, GetRow)
         return std::vector<FF>({ FF::random_element(), FF::random_element() });
     });
     Flavor::ProverPolynomials prover_polynomials;
-    size_t poly_idx = 0;
     for (auto [poly, entry] : zip_view(prover_polynomials.pointer_view(), data)) {
         *poly = entry;
     }