fix: add missing ecc doubling gate into ultra plonk and ultra honk #2610
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
zac-williamson
changed the title
…s for double_verify_proof in Noir
kevaundray
reviewed
Oct 3, 2023
...nberg/cpp/src/barretenberg/plonk/proof_system/widgets/transition_widgets/elliptic_widget.hpp
Show resolved
Hide resolved
kevaundray
reviewed
Oct 3, 2023
...nberg/cpp/src/barretenberg/plonk/proof_system/widgets/transition_widgets/elliptic_widget.hpp
Show resolved
Hide resolved
kevaundray
reviewed
Oct 3, 2023
barretenberg/cpp/src/barretenberg/proof_system/arithmetization/arithmetization.hpp
Show resolved
Hide resolved
kevaundray
reviewed
Oct 3, 2023
barretenberg/cpp/src/barretenberg/proof_system/circuit_builder/ultra_circuit_builder.cpp
Show resolved
Hide resolved
kevaundray
reviewed
Oct 3, 2023
barretenberg/cpp/src/barretenberg/proof_system/circuit_builder/ultra_circuit_builder.cpp
Show resolved
Hide resolved
kevaundray
reviewed
Oct 3, 2023
barretenberg/cpp/src/barretenberg/proof_system/circuit_builder/ultra_circuit_builder.cpp
Show resolved
Hide resolved
…artifacts for double_verify_proof in Noir" This reverts commit 00bc2d5.
kevaundray
reviewed
Oct 3, 2023
| @@ -56,6 +57,7 @@ struct InputElements { | |||
| FF& q_arith = std::get<6>(_data); | |||
| FF& q_sort = std::get<7>(_data); | |||
| FF& q_elliptic = std::get<8>(_data); | |||
| FF& q_double = std::get<9>(_data); | |||
There was a problem hiding this comment.
why is this here and why does it have the same index as q_aux?
There was a problem hiding this comment.
whoops I need to remove this
kevaundray
reviewed
Oct 3, 2023
|
|
||
| return (result == pairing_target_field::one()); | ||
| } | ||
| return true; |
There was a problem hiding this comment.
To confirm; if builder.contains_recursive_proof and there are only 15 proof elements for example, this will return true -- is that what we want?
There was a problem hiding this comment.
I think this needs a separate issue - I copied this code from stdlib_recursion so it exists elsewhere
There was a problem hiding this comment.
actually I'll just fix. If it's not 16 that's a problem
Maddiaa0
reviewed
Oct 3, 2023
| @@ -292,6 +296,9 @@ abstract contract BaseUltraVerifier { | |||
| error EC_SCALAR_MUL_FAILURE(); | |||
| error PROOF_FAILURE(); | |||
|
|
|||
| bytes4 internal constant ERR_S = 0xf7b44074; | |||
There was a problem hiding this comment.
Thanks. I removed this code as it was just debug code that shouldn't have been there anyways
| * y_double_identity = x_1_sqr_mul_3 * (x_1 - x_3) - (y_1 + y_1) * (y_1 + y_3); | ||
| */ | ||
| { | ||
| let x1_sqr := mulmod(mload(X1_EVAL_LOC), mload(X1_EVAL_LOC), p) |
There was a problem hiding this comment.
Can save some gas throughout by duping on stack instead of mloading twice
There was a problem hiding this comment.
yup. I was focusing on just getting a relatively clear implementation down. We can make a separate issue to optimise if this is something we want to tackle
There was a problem hiding this comment.
Added an issue for this #2636
| @@ -2317,6 +2399,7 @@ abstract contract BaseUltraVerifier { | |||
| batch_evaluation := addmod(batch_evaluation, mulmod(mload(C_V13_LOC), mload(QARITH_EVAL_LOC), p), p) | |||
| batch_evaluation := addmod(batch_evaluation, mulmod(mload(C_V14_LOC), mload(QSORT_EVAL_LOC), p), p) | |||
| batch_evaluation := addmod(batch_evaluation, mulmod(mload(C_V15_LOC), mload(QELLIPTIC_EVAL_LOC), p), p) | |||
| batch_evaluation := addmod(batch_evaluation, mulmod(mload(C_V30_LOC), mload(QDOUBLE_EVAL_LOC), p), p) | |||
There was a problem hiding this comment.
nit: using chall 30 here sticks out, could 16 be used and the rest bumped
There was a problem hiding this comment.
yeah it was odd. Later changes removed the need for this entirely
| @@ -3492,35 +3425,16 @@ template <typename FF> bool UltraCircuitBuilder_<FF>::check_circuit() | |||
| w_2_value + q_m_value * w_2_shifted_value, | |||
| w_3_value + q_c_value * w_3_shifted_value, | |||
| q_3_value))) { | |||
| #ifndef FUZZING | |||
There was a problem hiding this comment.
was the removal of all of these for debugging or intentional?
There was a problem hiding this comment.
accidental. I've added back in
| @@ -431,75 +426,95 @@ template <typename FF> class UltraCircuitBuilder_ : public CircuitBuilderBase<ar | |||
| template <typename CircuitBuilder> bool is_same_state(const CircuitBuilder& builder) | |||
| { | |||
| if (!(public_inputs == builder.public_inputs)) { | |||
| std::cout << "pubinp" << std::endl; | |||
There was a problem hiding this comment.
thanks for spotting, removed
| @@ -1157,96 +1157,126 @@ abstract contract BaseUltraVerifier { | |||
| * sign_term += sign_term | |||
| * sign_term *= q_sign | |||
| */ | |||
| let x_diff := addmod(mload(X2_EVAL_LOC), sub(p, mload(X1_EVAL_LOC)), p) | |||
There was a problem hiding this comment.
// q_elliptic * (x3 + x2 + x1)(x2 - x1)(x2 - x1) - y2^2 - y1^2 + 2(y2y1)*q_sign = 0
| p | ||
| ), | ||
| mload(QBETA_LOC), | ||
| mload(C_ALPHA_BASE_LOC), | ||
| p | ||
| ) | ||
|
|
There was a problem hiding this comment.
// q_elliptic * (x3 + x2 + x1)(x2 - x1)(x2 - x1) - y2^2 - y1^2 + 2(y2y1)*q_sign = 0
| * x_double_identity = (x_3 + x_1 + x_1) * y_1_sqr_mul_4 - x_1_pow_4_mul_9; | ||
| * y_double_identity = x_1_sqr_mul_3 * (x_1 - x_3) - (y_1 + y_1) * (y_1 + y_3); | ||
| */ | ||
| let x1_sqr := mulmod(mload(X1_EVAL_LOC), mload(X1_EVAL_LOC), p) |
There was a problem hiding this comment.
// (x3 + x1 + x1) (4y1*y1) - 9 * x1 * x1 * x1 * x1 = 0
| p | ||
| ) | ||
| leftovers := | ||
| let y_double_identity := |
There was a problem hiding this comment.
// (y1 + y1) (2y1) - (3 * x1 * x1)(x1 - x3) = 0
| */ | ||
| let x1_sqr := mulmod(mload(X1_EVAL_LOC), mload(X1_EVAL_LOC), p) | ||
| let y1_sqr := mulmod(mload(Y1_EVAL_LOC), mload(Y1_EVAL_LOC), p) | ||
| let x_pow_4 := mulmod(addmod(y1_sqr, 17, p), mload(X1_EVAL_LOC), p) |
There was a problem hiding this comment.
b here could probably be a constant, rather than a magic 17
There was a problem hiding this comment.
good point. I've added 17 as a constant
kevaundray
approved these changes
Oct 3, 2023
5 tasks
kevaundray
pushed a commit
that referenced
this pull request
Oct 3, 2023
🤖 I have created a release *beep* *boop* --- <details><summary>aztec-packages: 0.8.1</summary> ## [0.8.1](aztec-packages-v0.8.0...aztec-packages-v0.8.1) (2023-10-03) ### Bug Fixes * Add missing ecc doubling gate into ultra plonk and ultra honk ([#2610](#2610)) ([7cb7c58](7cb7c58)) * Benchmark script fixes for master branch ([#2638](#2638)) ([0a161a4](0a161a4)) * Redirect sunset instructions ([#2646](#2646)) ([9253442](9253442)) * Remove -u from build_wasm script so that we can skip the build when SKIP_CPP_BUILD is unset ([#2649](#2649)) ([84b8ff4](84b8ff4)) ### Miscellaneous * **benchmark:** Measure block sync time ([#2637](#2637)) ([d11343f](d11343f)) * Update acir_tests script to point to master ([#2650](#2650)) ([51d1e79](51d1e79)) </details> <details><summary>barretenberg.js: 0.8.1</summary> ## [0.8.1](barretenberg.js-v0.8.0...barretenberg.js-v0.8.1) (2023-10-03) ### Bug Fixes * Remove -u from build_wasm script so that we can skip the build when SKIP_CPP_BUILD is unset ([#2649](#2649)) ([84b8ff4](84b8ff4)) </details> <details><summary>barretenberg: 0.8.1</summary> ## [0.8.1](barretenberg-v0.8.0...barretenberg-v0.8.1) (2023-10-03) ### Bug Fixes * Add missing ecc doubling gate into ultra plonk and ultra honk ([#2610](#2610)) ([7cb7c58](7cb7c58)) ### Miscellaneous * Update acir_tests script to point to master ([#2650](#2650)) ([51d1e79](51d1e79)) </details> --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
AztecBot
added a commit
to AztecProtocol/barretenberg
that referenced
this pull request
Oct 5, 2023
🤖 I have created a release *beep* *boop* --- <details><summary>aztec-packages: 0.8.1</summary> ## [0.8.1](AztecProtocol/aztec-packages@aztec-packages-v0.8.0...aztec-packages-v0.8.1) (2023-10-03) ### Bug Fixes * Add missing ecc doubling gate into ultra plonk and ultra honk ([#2610](AztecProtocol/aztec-packages#2610)) ([7cb7c58](AztecProtocol/aztec-packages@7cb7c58)) * Benchmark script fixes for master branch ([#2638](AztecProtocol/aztec-packages#2638)) ([0a161a4](AztecProtocol/aztec-packages@0a161a4)) * Redirect sunset instructions ([#2646](AztecProtocol/aztec-packages#2646)) ([9253442](AztecProtocol/aztec-packages@9253442)) * Remove -u from build_wasm script so that we can skip the build when SKIP_CPP_BUILD is unset ([#2649](AztecProtocol/aztec-packages#2649)) ([84b8ff4](AztecProtocol/aztec-packages@84b8ff4)) ### Miscellaneous * **benchmark:** Measure block sync time ([#2637](AztecProtocol/aztec-packages#2637)) ([d11343f](AztecProtocol/aztec-packages@d11343f)) * Update acir_tests script to point to master ([#2650](AztecProtocol/aztec-packages#2650)) ([51d1e79](AztecProtocol/aztec-packages@51d1e79)) </details> <details><summary>barretenberg.js: 0.8.1</summary> ## [0.8.1](AztecProtocol/aztec-packages@barretenberg.js-v0.8.0...barretenberg.js-v0.8.1) (2023-10-03) ### Bug Fixes * Remove -u from build_wasm script so that we can skip the build when SKIP_CPP_BUILD is unset ([#2649](AztecProtocol/aztec-packages#2649)) ([84b8ff4](AztecProtocol/aztec-packages@84b8ff4)) </details> <details><summary>barretenberg: 0.8.1</summary> ## [0.8.1](AztecProtocol/aztec-packages@barretenberg-v0.8.0...barretenberg-v0.8.1) (2023-10-03) ### Bug Fixes * Add missing ecc doubling gate into ultra plonk and ultra honk ([#2610](AztecProtocol/aztec-packages#2610)) ([7cb7c58](AztecProtocol/aztec-packages@7cb7c58)) ### Miscellaneous * Update acir_tests script to point to master ([#2650](AztecProtocol/aztec-packages#2650)) ([51d1e79](AztecProtocol/aztec-packages@51d1e79)) </details> --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
Maddiaa0
pushed a commit
that referenced
this pull request
Oct 6, 2023
…2610) PR #1945 added a new selector into the Ultra arithmetisation (elliptic curve point doubling). However this change was not propagated to the polynomial relations evaluated by the UltraPlonk and UltraHonk Prover/Verifier algorithms. This PR fixes this, as well as upgrades the BaseUltraVerifier.sol contract to use the new gate. # Checklist: Remove the checklist to signal you've completed it. Enable auto-merge if the PR is ready to merge. - [x] If the pull request requires a cryptography review (e.g. cryptographic algorithm implementations) I have added the 'crypto' tag. - [x] I have reviewed my diff in github, line by line and removed unexpected formatting changes, testing logs, or commented-out code. - [x] Every change is related to the PR description. - [x] I have [linked](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue) this pull request to relevant issues (if any exist). --------- Co-authored-by: vezenovm <[email protected]> Co-authored-by: kevaundray <[email protected]>
Maddiaa0
pushed a commit
that referenced
this pull request
Oct 6, 2023
🤖 I have created a release *beep* *boop* --- <details><summary>aztec-packages: 0.8.1</summary> ## [0.8.1](aztec-packages-v0.8.0...aztec-packages-v0.8.1) (2023-10-03) ### Bug Fixes * Add missing ecc doubling gate into ultra plonk and ultra honk ([#2610](#2610)) ([7cb7c58](7cb7c58)) * Benchmark script fixes for master branch ([#2638](#2638)) ([0a161a4](0a161a4)) * Redirect sunset instructions ([#2646](#2646)) ([9253442](9253442)) * Remove -u from build_wasm script so that we can skip the build when SKIP_CPP_BUILD is unset ([#2649](#2649)) ([84b8ff4](84b8ff4)) ### Miscellaneous * **benchmark:** Measure block sync time ([#2637](#2637)) ([d11343f](d11343f)) * Update acir_tests script to point to master ([#2650](#2650)) ([51d1e79](51d1e79)) </details> <details><summary>barretenberg.js: 0.8.1</summary> ## [0.8.1](barretenberg.js-v0.8.0...barretenberg.js-v0.8.1) (2023-10-03) ### Bug Fixes * Remove -u from build_wasm script so that we can skip the build when SKIP_CPP_BUILD is unset ([#2649](#2649)) ([84b8ff4](84b8ff4)) </details> <details><summary>barretenberg: 0.8.1</summary> ## [0.8.1](barretenberg-v0.8.0...barretenberg-v0.8.1) (2023-10-03) ### Bug Fixes * Add missing ecc doubling gate into ultra plonk and ultra honk ([#2610](#2610)) ([7cb7c58](7cb7c58)) ### Miscellaneous * Update acir_tests script to point to master ([#2650](#2650)) ([51d1e79](51d1e79)) </details> --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
PR #1945 added a new selector into the Ultra arithmetisation (elliptic curve point doubling). However this change was not propagated to the polynomial relations evaluated by the UltraPlonk and UltraHonk Prover/Verifier algorithms.
This PR fixes this, as well as upgrades the BaseUltraVerifier.sol contract to use the new gate.
Checklist:
Remove the checklist to signal you've completed it. Enable auto-merge if the PR is ready to merge.