feat: Use oink in IVC #8161
Merged
Changes from 10 commits
Commits
564e7eb first accumulation uses oink, basic test passes (ledwards2225)
c84d232 WiP debugging; solution is oink as an instance completer (ledwards2225)
548776f Merge branch 'master' into lde/oink_in_ivc (ledwards2225)
e2d4143 correctly init gate challenges in oink case (ledwards2225)
e20c77f return ivc integration tests to their original state (ledwards2225)
6c3ce5c comments and cleanup (ledwards2225)
60f931f more comments (ledwards2225)
5a2ab8b more comments and cleanup (ledwards2225)
8b8fe33 remove spare WORKTODOs (ledwards2225)
073553f couple more comment corrections (ledwards2225)
87f411e const-ify and do fix some naming in response to review (ledwards2225)
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -71,74 +71,58 @@ template <class Builder> class DataBusDepot { | |
|
||
using RecursiveFlavor = MegaRecursiveFlavor_<Builder>; | ||
using RecursiveVerifierInstances = bb::stdlib::recursion::honk::RecursiveVerifierInstances_<RecursiveFlavor, 2>; | ||
using WitnessCommitments = RecursiveFlavor::WitnessCommitments; | ||
|
||
static constexpr size_t NUM_FR_LIMBS_PER_FQ = Fq::NUM_LIMBS; | ||
static constexpr size_t NUM_FR_LIMBS_PER_COMMITMENT = NUM_FR_LIMBS_PER_FQ * 2; | ||
|
||
/** | ||
* @brief Execute circuit logic to establish proper transfer of databus data between circuits | ||
* @details The databus mechanism establishes the transfer of data between two circuits (i-1 and i) in a third | ||
* circuit (i+1) via commitment equality checks of the form [R_{i-1}] = [C_i]. In practice, circuit (i+1) is given | ||
* access to [R_{i-1}] via the public inputs of \pi_i, and it has access to [C_i] directly from \pi_i. The | ||
* consistency checks in circuit (i+1) are thus of the form \pi_i.public_inputs.[R_{i-1}] = \pi_i.[C_i]. This method | ||
* peforms the two primary operations required for these checks: (1) extract commitments [R] from proofs received as | ||
* private witnesses and propagate them to the next circuit via adding them to the public inputs. (2) Assert | ||
* equality of commitments. | ||
* circuit (i+1) via commitment equality checks of the form [R_{i-1}] = [C_i], where R and C represent return data | ||
* and calldata, respectively. In practice, circuit (i+1) is given access to [R_{i-1}] via the public inputs of | ||
* \pi_i, and it has access to [C_i] directly from \pi_i. The consistency checks in circuit (i+1) are thus of the | ||
* form \pi_i.public_inputs.[R_{i-1}] = \pi_i.[C_i]. This method peforms the two primary operations required for | ||
* these checks: (1) extract commitments [R] from proofs received as private witnesses and propagate them to the | ||
* next circuit via adding them to the public inputs. (2) Assert equality of commitments. | ||
* | ||
* In Aztec private function execution, this mechanism is used as follows. Kernel circuit K_{i+1} must in general | ||
* perform two databus consistency checks: (1) that the return_data of app circuit A_{i} was calldata to K_{i}, and | ||
* (2) that the return_data of K_{i-1} was calldata to K_{i}. (Note that kernel circuits have two databus calldata | ||
* columns). The relevant databus column commitments are extracted from non-accumulator verifier instances (which | ||
* contain all witness polynomial commitments extracted from a proof in oink). | ||
* perform two databus consistency checks: (1) that the return_data of app circuit A_{i} was secondary calldata to | ||
* K_{i}, and (2) that the return_data of K_{i-1} was calldata to K_{i}. | ||
* | ||
* @param instances Completed verifier instances corresponding to prover instances that have been folded | ||
* @param commitments Witness polynomial commitments for an instance that has been accumulated | ||
* @param public_inputs The public inputs of that instance | ||
* @param propagation_data Data about the presence of databus commitments on the public inputs of the instance | ||
*/ | ||
void execute(RecursiveVerifierInstances& instances) | ||
void execute(WitnessCommitments& commitments, | ||
Will you please make this const correct if it's not?
Good call, thanks. consts added to basically everything
||
std::vector<Fr>& public_inputs, | ||
DatabusPropagationData& propagation_data) | ||
{ | ||
// Upon completion of folding recursive verfication, the verifier contains two completed verifier instances | ||
// which store data from a fold proof. The first is the instance into which we're folding and the second | ||
// corresponds to an instance being folded. | ||
auto inst_1 = instances[0]; // instance into which we're folding (an accumulator, except on the initial round) | ||
auto inst_2 = instances[1]; // instance that has been folded | ||
|
||
// The first folding round is a special case in that it folds an instance into a non-accumulator instance. The | ||
// fold proof thus contains two oink proofs. The first oink proof (stored in first instance) contains the return | ||
// data R_0' from the first app, and its calldata counterpart C_0' in the kernel will be contained in the second | ||
// oink proof (stored in second instance). In this special case, we can check directly that \pi_0.R_0' = | ||
// \pi_0.C_0', without having had to propagate the return data commitment via the public inputs. | ||
if (!inst_1->is_accumulator) { | ||
// Assert equality of \pi_0.R_0' and \pi_0.C_0' | ||
auto& app_return_data = inst_1->witness_commitments.return_data; // \pi_0.R_0' | ||
auto& secondary_calldata = inst_2->witness_commitments.secondary_calldata; // \pi_0.C_0' | ||
assert_equality_of_commitments(app_return_data, secondary_calldata); // assert equality R_0' == C_0' | ||
} | ||
|
||
// Define aliases for members in the second (non-accumulator) instance | ||
bool is_kernel_instance = inst_2->verification_key->databus_propagation_data.is_kernel; | ||
auto& propagation_data = inst_2->verification_key->databus_propagation_data; | ||
auto& public_inputs = inst_2->public_inputs; | ||
auto& commitments = inst_2->witness_commitments; | ||
// Flag indicating whether the input data corresponds to a kernel instance (else, an app instance). This is | ||
// used to indicate whether the return data commitment being propagated belongs to a kernel or an app so that it | ||
// can be checked against the appropriate calldata commitment in a subsequent round. | ||
bool is_kernel_data = propagation_data.is_kernel; | ||
|
||
// Assert equality between return data commitments propagated via the public inputs and the corresponding | ||
// calldata commitment | ||
if (is_kernel_instance) { // only kernels can contain commitments propagated via public inputs | ||
if (propagation_data.contains_app_return_data_commitment) { | ||
// Assert equality between the app return data commitment and the kernel secondary calldata commitment | ||
size_t start_idx = propagation_data.app_return_data_public_input_idx; | ||
Commitment app_return_data = reconstruct_commitment_from_public_inputs(public_inputs, start_idx); | ||
assert_equality_of_commitments(app_return_data, commitments.secondary_calldata); | ||
} | ||
|
||
if (propagation_data.contains_kernel_return_data_commitment) { | ||
// Assert equality between the previous kernel return data commitment and the kernel calldata commitment | ||
size_t start_idx = propagation_data.kernel_return_data_public_input_idx; | ||
Commitment kernel_return_data = reconstruct_commitment_from_public_inputs(public_inputs, start_idx); | ||
assert_equality_of_commitments(kernel_return_data, commitments.calldata); | ||
} | ||
if (propagation_data.contains_app_return_data_commitment) { // public inputs contain [R]_app | ||
ASSERT(is_kernel_data); // Only kernels should contain databus commitments in their public inputs | ||
size_t start_idx = propagation_data.app_return_data_public_input_idx; | ||
Commitment app_return_data = reconstruct_commitment_from_public_inputs(public_inputs, start_idx); | ||
// App return data should correspond to the secondary calldata of the subsequent kernel | ||
assert_equality_of_commitments(app_return_data, commitments.secondary_calldata); | ||
} | ||
|
||
if (propagation_data.contains_kernel_return_data_commitment) { // pub inputs contain [R]_kernel | ||
ASSERT(is_kernel_data); // Only kernels should contain databus commitments in their public inputs | ||
size_t start_idx = propagation_data.kernel_return_data_public_input_idx; | ||
Commitment kernel_return_data = reconstruct_commitment_from_public_inputs(public_inputs, start_idx); | ||
// Previous kernel return data should correspond to the calldata of the subsequent kernel | ||
assert_equality_of_commitments(kernel_return_data, commitments.calldata); | ||
} | ||
|
||
// Propagate the return data commitment via the public inputs mechanism | ||
propagate_commitment_via_public_inputs(commitments.return_data, is_kernel_instance); | ||
propagate_commitment_via_public_inputs(commitments.return_data, is_kernel_data); | ||
}; | ||
|
||
/** | ||
|
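Review bot: the removed `if (!inst_1->is_accumulator)` block asserted \pi_0.R_0' == \pi_0.C_0' directly for the first app, and nothing in the new body of `execute()` replaces it. With the new signature that check can only happen if the first app's [R] reaches the kernel through its public inputs and `contains_app_return_data_commitment` is set for that kernel; please state this in the @details block (or point to the caller that guarantees it) so it is clear the first round is still covered. Two smaller points in the same hunk: the outer `if (is_kernel_instance)` gate became `ASSERT(is_kernel_data)` inside each branch, so a comment should say whether that is a native assertion or an in-circuit constraint, since the flag is read from `propagation_data`; and the rewritten doc comment still carries the typo "peforms".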
Seems like this struct and the proof type inside should be renamed now because it's not about folding in the Oink case, right?
Also, why not handle the merge steps using this queue as well?
Thanks, updated the naming. You're right that the merge stuff could be handled in the same way. I didn't do it because there are no verification keys for the merge protocol and also because I'm hoping that the merge recursive verifier goes away altogether. If it doesn't tho, you're right that it should probably be made to conform