From ac1e1742ba227142657fa91aeb9d78125f729489 Mon Sep 17 00:00:00 2001 From: ledwards2225 <98505400+ledwards2225@users.noreply.github.com> Date: Thu, 22 Aug 2024 08:20:27 -0700 Subject: [PATCH] feat: oink recursive verifier (#8121) Introduce an Oink recursive verifier and use it to replace the equivalent logic in Ultra and PG recursive verifiers. Closes https://github.com/AztecProtocol/barretenberg/issues/949 --- cpp/src/barretenberg/goblin/mock_circuits.hpp | 16 ++- .../client_ivc_recursive_verifier.test.cpp | 19 +-- .../honk_verifier/oink_recursive_verifier.cpp | 117 ++++++++++++++++++ .../honk_verifier/oink_recursive_verifier.hpp | 39 ++++++ .../ultra_recursive_verifier.cpp | 98 ++------------- .../ultra_recursive_verifier.hpp | 9 +- .../ultra_recursive_verifier.test.cpp | 2 +- .../protogalaxy_recursive_verifier.cpp | 91 ++------------ .../protogalaxy_recursive_verifier.hpp | 5 +- .../stdlib_circuit_builders/mega_flavor.hpp | 64 ++-------- 10 files changed, 212 insertions(+), 248 deletions(-) create mode 100644 cpp/src/barretenberg/stdlib/honk_verifier/oink_recursive_verifier.cpp create mode 100644 cpp/src/barretenberg/stdlib/honk_verifier/oink_recursive_verifier.hpp diff --git a/cpp/src/barretenberg/goblin/mock_circuits.hpp b/cpp/src/barretenberg/goblin/mock_circuits.hpp index c42b10c77..241f546ce 100644 --- a/cpp/src/barretenberg/goblin/mock_circuits.hpp +++ b/cpp/src/barretenberg/goblin/mock_circuits.hpp @@ -32,6 +32,7 @@ class GoblinMockCircuits { using RecursiveVerifier = bb::stdlib::recursion::honk::UltraRecursiveVerifier_; using VerifierInstance = bb::VerifierInstance_; using RecursiveVerifierInstance = ::bb::stdlib::recursion::honk::RecursiveVerifierInstance_; + using RecursiveVerificationKey = RecursiveVerifierInstance::VerificationKey; using RecursiveVerifierAccumulator = std::shared_ptr; using VerificationKey = Flavor::VerificationKey; static constexpr size_t NUM_OP_QUEUE_COLUMNS = Flavor::NUM_WIRES; @@ -195,17 +196,20 @@ class GoblinMockCircuits { const KernelInput& prev_kernel_accum) { // Execute recursive aggregation of function proof - RecursiveVerifier verifier1{ &builder, function_accum.verification_key }; + auto verification_key = std::make_shared(&builder, function_accum.verification_key); + auto proof = bb::convert_proof_to_witness(&builder, function_accum.proof); + RecursiveVerifier verifier1{ &builder, verification_key }; verifier1.verify_proof( - function_accum.proof, - stdlib::recursion::init_default_aggregation_state(builder)); + proof, stdlib::recursion::init_default_aggregation_state(builder)); // Execute recursive aggregation of previous kernel proof if one exists if (!prev_kernel_accum.proof.empty()) { - RecursiveVerifier verifier2{ &builder, prev_kernel_accum.verification_key }; + auto verification_key = + std::make_shared(&builder, prev_kernel_accum.verification_key); + auto proof = bb::convert_proof_to_witness(&builder, prev_kernel_accum.proof); + RecursiveVerifier verifier2{ &builder, verification_key }; verifier2.verify_proof( - prev_kernel_accum.proof, - stdlib::recursion::init_default_aggregation_state(builder)); + proof, stdlib::recursion::init_default_aggregation_state(builder)); } } }; diff --git a/cpp/src/barretenberg/stdlib/client_ivc_verifier/client_ivc_recursive_verifier.test.cpp b/cpp/src/barretenberg/stdlib/client_ivc_verifier/client_ivc_recursive_verifier.test.cpp index 261b54d02..518ea57da 100644 --- a/cpp/src/barretenberg/stdlib/client_ivc_verifier/client_ivc_recursive_verifier.test.cpp +++ b/cpp/src/barretenberg/stdlib/client_ivc_verifier/client_ivc_recursive_verifier.test.cpp @@ -15,6 +15,9 @@ class ClientIVCRecursionTests : public testing::Test { using ECCVMVK = GoblinVerifier::ECCVMVerificationKey; using TranslatorVK = GoblinVerifier::TranslatorVerificationKey; using Proof = ClientIVC::Proof; + using Flavor = UltraRecursiveFlavor_; + using NativeFlavor = Flavor::NativeFlavor; + using UltraRecursiveVerifier = UltraRecursiveVerifier_; static void SetUpTestSuite() { @@ -120,16 +123,16 @@ TEST_F(ClientIVCRecursionTests, ClientTubeBase) // Construct and verify a proof for the ClientIVC Recursive Verifier circuit auto inner_instance = std::make_shared>(*tube_builder); - auto vk = std::make_shared(inner_instance->proving_key); - UltraProver_ tube_prover{ inner_instance }; - auto tube_proof = tube_prover.construct_proof(); + UltraProver tube_prover{ inner_instance }; + auto native_tube_proof = tube_prover.construct_proof(); Builder base_builder; - UltraRecursiveVerifier_> base_verifier{ &base_builder, vk }; - base_verifier.verify_proof( - tube_proof, - stdlib::recursion::init_default_aggregation_state::Curve>( - base_builder)); + auto native_vk = std::make_shared(inner_instance->proving_key); + auto vk = std::make_shared(&base_builder, native_vk); + auto tube_proof = bb::convert_proof_to_witness(&base_builder, native_tube_proof); + UltraRecursiveVerifier base_verifier{ &base_builder, vk }; + base_verifier.verify_proof(tube_proof, + stdlib::recursion::init_default_aggregation_state(base_builder)); info("UH Recursive Verifier: num prefinalized gates = ", base_builder.num_gates); EXPECT_EQ(base_builder.failed(), false) << base_builder.err(); diff --git a/cpp/src/barretenberg/stdlib/honk_verifier/oink_recursive_verifier.cpp b/cpp/src/barretenberg/stdlib/honk_verifier/oink_recursive_verifier.cpp new file mode 100644 index 000000000..25f225796 --- /dev/null +++ b/cpp/src/barretenberg/stdlib/honk_verifier/oink_recursive_verifier.cpp @@ -0,0 +1,117 @@ +#include "barretenberg/stdlib/honk_verifier/oink_recursive_verifier.hpp" + +#include "barretenberg/numeric/bitop/get_msb.hpp" +#include "barretenberg/plonk_honk_shared/library/grand_product_delta.hpp" +#include "barretenberg/transcript/transcript.hpp" +#include + +namespace bb::stdlib::recursion::honk { + +template +OinkRecursiveVerifier_::OinkRecursiveVerifier_(Builder* builder, + const std::shared_ptr& vkey, + std::shared_ptr transcript, + std::string domain_separator) + : key(vkey) + , builder(builder) + , transcript(transcript) + , domain_separator(std::move(domain_separator)) +{} + +/** + * @brief This function constructs a recursive verifier circuit for a native Ultra Honk proof of a given flavor. + * @return Output aggregation object + */ +template OinkRecursiveVerifier_::Output OinkRecursiveVerifier_::verify() +{ + using CommitmentLabels = typename Flavor::CommitmentLabels; + using RelationParams = ::bb::RelationParameters; + + RelationParams relation_parameters; + WitnessCommitments commitments; + CommitmentLabels labels; + + FF circuit_size = transcript->template receive_from_prover(domain_separator + "circuit_size"); + transcript->template receive_from_prover(domain_separator + "public_input_size"); + transcript->template receive_from_prover(domain_separator + "pub_inputs_offset"); + + // TODO(https://github.com/AztecProtocol/barretenberg/issues/1032): Uncomment these once it doesn't cause issues + // with the flows + // ASSERT(static_cast(circuit_size.get_value()) == key->circuit_size); + // ASSERT(static_cast(public_input_size.get_value()) == key->num_public_inputs); + // ASSERT(static_cast(pub_inputs_offset.get_value()) == key->pub_inputs_offset); + + std::vector public_inputs; + for (size_t i = 0; i < key->num_public_inputs; ++i) { + public_inputs.emplace_back( + transcript->template receive_from_prover(domain_separator + "public_input_" + std::to_string(i))); + } + + // Get commitments to first three wire polynomials + commitments.w_l = transcript->template receive_from_prover(domain_separator + labels.w_l); + commitments.w_r = transcript->template receive_from_prover(domain_separator + labels.w_r); + commitments.w_o = transcript->template receive_from_prover(domain_separator + labels.w_o); + + // If Goblin, get commitments to ECC op wire polynomials and DataBus columns + if constexpr (IsGoblinFlavor) { + // Receive ECC op wire commitments + for (auto [commitment, label] : zip_view(commitments.get_ecc_op_wires(), labels.get_ecc_op_wires())) { + commitment = transcript->template receive_from_prover(domain_separator + label); + } + + // Receive DataBus related polynomial commitments + for (auto [commitment, label] : zip_view(commitments.get_databus_entities(), labels.get_databus_entities())) { + commitment = transcript->template receive_from_prover(domain_separator + label); + } + } + + // Get eta challenges; used in RAM/ROM memory records and log derivative lookup argument + auto [eta, eta_two, eta_three] = transcript->template get_challenges( + domain_separator + "eta", domain_separator + "eta_two", domain_separator + "eta_three"); + + // Get commitments to lookup argument polynomials and fourth wire + commitments.lookup_read_counts = + transcript->template receive_from_prover(domain_separator + labels.lookup_read_counts); + commitments.lookup_read_tags = + transcript->template receive_from_prover(domain_separator + labels.lookup_read_tags); + commitments.w_4 = transcript->template receive_from_prover(domain_separator + labels.w_4); + + // Get permutation challenges + auto [beta, gamma] = transcript->template get_challenges(domain_separator + "beta", domain_separator + "gamma"); + + commitments.lookup_inverses = + transcript->template receive_from_prover(domain_separator + labels.lookup_inverses); + + // If Goblin (i.e. using DataBus) receive commitments to log-deriv inverses polynomials + if constexpr (IsGoblinFlavor) { + for (auto [commitment, label] : zip_view(commitments.get_databus_inverses(), labels.get_databus_inverses())) { + commitment = transcript->template receive_from_prover(domain_separator + label); + } + } + + const FF public_input_delta = compute_public_input_delta( + public_inputs, beta, gamma, circuit_size, static_cast(key->pub_inputs_offset)); + + relation_parameters = RelationParameters{ eta, eta_two, eta_three, beta, gamma, public_input_delta }; + + // Get commitment to permutation and lookup grand products + commitments.z_perm = transcript->template receive_from_prover(domain_separator + labels.z_perm); + + RelationSeparator alphas; + for (size_t idx = 0; idx < alphas.size(); idx++) { + alphas[idx] = transcript->template get_challenge(domain_separator + "alpha_" + std::to_string(idx)); + } + + return { .relation_parameters = relation_parameters, + .commitments = std::move(commitments), + .public_inputs = public_inputs, + .alphas = alphas }; +} + +template class OinkRecursiveVerifier_>; +template class OinkRecursiveVerifier_>; +template class OinkRecursiveVerifier_>; +template class OinkRecursiveVerifier_>; +template class OinkRecursiveVerifier_>; +template class OinkRecursiveVerifier_>; +} // namespace bb::stdlib::recursion::honk diff --git a/cpp/src/barretenberg/stdlib/honk_verifier/oink_recursive_verifier.hpp b/cpp/src/barretenberg/stdlib/honk_verifier/oink_recursive_verifier.hpp new file mode 100644 index 000000000..33a392398 --- /dev/null +++ b/cpp/src/barretenberg/stdlib/honk_verifier/oink_recursive_verifier.hpp @@ -0,0 +1,39 @@ +#pragma once +#include "barretenberg/stdlib/transcript/transcript.hpp" +#include "barretenberg/stdlib_circuit_builders/mega_recursive_flavor.hpp" +#include "barretenberg/stdlib_circuit_builders/ultra_recursive_flavor.hpp" + +namespace bb::stdlib::recursion::honk { + +template class OinkRecursiveVerifier_ { + public: + using FF = typename Flavor::FF; + using Commitment = typename Flavor::Commitment; + using GroupElement = typename Flavor::GroupElement; + using VerificationKey = typename Flavor::VerificationKey; + using Builder = typename Flavor::CircuitBuilder; + using RelationSeparator = typename Flavor::RelationSeparator; + using Transcript = bb::BaseTranscript>; + using WitnessCommitments = typename Flavor::WitnessCommitments; + + struct Output { + bb::RelationParameters relation_parameters; + WitnessCommitments commitments; + std::vector public_inputs; + typename Flavor::RelationSeparator alphas; + }; + + explicit OinkRecursiveVerifier_(Builder* builder, + const std::shared_ptr& vkey, + std::shared_ptr transcript, + std::string domain_separator = ""); + + Output verify(); + + std::shared_ptr key; + Builder* builder; + std::shared_ptr transcript; + std::string domain_separator; // used in PG to distinguish between instances in transcript +}; + +} // namespace bb::stdlib::recursion::honk diff --git a/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.cpp b/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.cpp index 6517b108d..39d309858 100644 --- a/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.cpp +++ b/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.cpp @@ -44,30 +44,19 @@ UltraRecursiveVerifier_::AggregationObject UltraRecursiveVerifier_; using VerifierCommitments = typename Flavor::VerifierCommitments; - using CommitmentLabels = typename Flavor::CommitmentLabels; - using RelationParams = ::bb::RelationParameters; using Transcript = typename Flavor::Transcript; transcript = std::make_shared(proof); + OinkVerifier oink_verifier{ builder, key, transcript }; + auto [relation_parameters, witness_commitments, public_inputs, alphas] = oink_verifier.verify(); - RelationParams relation_parameters; - VerifierCommitments commitments{ key }; - CommitmentLabels commitment_labels; + VerifierCommitments commitments{ key, witness_commitments }; - FF circuit_size = transcript->template receive_from_prover("circuit_size"); - transcript->template receive_from_prover("public_input_size"); - transcript->template receive_from_prover("pub_inputs_offset"); - - // TODO(https://github.com/AztecProtocol/barretenberg/issues/1032): Uncomment these once it doesn't cause issues - // with the flows - // ASSERT(static_cast(circuit_size.get_value()) == key->circuit_size); - // ASSERT(static_cast(public_input_size.get_value()) == key->num_public_inputs); - // ASSERT(static_cast(pub_inputs_offset.get_value()) == key->pub_inputs_offset); - - std::vector public_inputs; - for (size_t i = 0; i < key->num_public_inputs; ++i) { - public_inputs.emplace_back(transcript->template receive_from_prover("public_input_" + std::to_string(i))); + auto gate_challenges = std::vector(CONST_PROOF_SIZE_LOG_N); + for (size_t idx = 0; idx < CONST_PROOF_SIZE_LOG_N; idx++) { + gate_challenges[idx] = transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); } + // Parse out the aggregation object using the key->recursive_proof_public_inputs_indices aggregation_state nested_agg_obj; size_t idx = 0; @@ -93,82 +82,16 @@ UltraRecursiveVerifier_::AggregationObject UltraRecursiveVerifier_add_variable(42)); agg_obj.aggregate(nested_agg_obj, recursion_separator); - // Get commitments to first three wire polynomials - commitments.w_l = transcript->template receive_from_prover(commitment_labels.w_l); - commitments.w_r = transcript->template receive_from_prover(commitment_labels.w_r); - commitments.w_o = transcript->template receive_from_prover(commitment_labels.w_o); - - // If Goblin, get commitments to ECC op wire polynomials and DataBus columns - if constexpr (IsGoblinFlavor) { - // Receive ECC op wire commitments - for (auto [commitment, label] : - zip_view(commitments.get_ecc_op_wires(), commitment_labels.get_ecc_op_wires())) { - commitment = transcript->template receive_from_prover(label); - } - - // Receive DataBus related polynomial commitments - for (auto [commitment, label] : - zip_view(commitments.get_databus_entities(), commitment_labels.get_databus_entities())) { - commitment = transcript->template receive_from_prover(label); - } - } - - // Get eta challenges; used in RAM/ROM memory records and log derivative lookup argument - auto [eta, eta_two, eta_three] = transcript->template get_challenges("eta", "eta_two", "eta_three"); - relation_parameters.eta = eta; - relation_parameters.eta_two = eta_two; - relation_parameters.eta_three = eta_three; - - // Get commitments to lookup argument polynomials and fourth wire - commitments.lookup_read_counts = - transcript->template receive_from_prover(commitment_labels.lookup_read_counts); - commitments.lookup_read_tags = - transcript->template receive_from_prover(commitment_labels.lookup_read_tags); - commitments.w_4 = transcript->template receive_from_prover(commitment_labels.w_4); - - // Get permutation challenges - auto [beta, gamma] = transcript->template get_challenges("beta", "gamma"); - - commitments.lookup_inverses = - transcript->template receive_from_prover(commitment_labels.lookup_inverses); - - // If Goblin (i.e. using DataBus) receive commitments to log-deriv inverses polynomials - if constexpr (IsGoblinFlavor) { - for (auto [commitment, label] : - zip_view(commitments.get_databus_inverses(), commitment_labels.get_databus_inverses())) { - commitment = transcript->template receive_from_prover(label); - } - } - - const FF public_input_delta = compute_public_input_delta( - public_inputs, beta, gamma, circuit_size, static_cast(key->pub_inputs_offset)); - - relation_parameters.beta = beta; - relation_parameters.gamma = gamma; - relation_parameters.public_input_delta = public_input_delta; - - // Get commitment to permutation and lookup grand products - commitments.z_perm = transcript->template receive_from_prover(commitment_labels.z_perm); - // Execute Sumcheck Verifier and extract multivariate opening point u = (u_0, ..., u_{d-1}) and purported // multivariate evaluations at u const size_t log_circuit_size = numeric::get_msb(static_cast(key->circuit_size)); auto sumcheck = Sumcheck(log_circuit_size, transcript); - RelationSeparator alpha; - for (size_t idx = 0; idx < alpha.size(); idx++) { - alpha[idx] = transcript->template get_challenge("alpha_" + std::to_string(idx)); - } - - auto gate_challenges = std::vector(CONST_PROOF_SIZE_LOG_N); - for (size_t idx = 0; idx < CONST_PROOF_SIZE_LOG_N; idx++) { - gate_challenges[idx] = transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); - } auto [multivariate_challenge, claimed_evaluations, sumcheck_verified] = - sumcheck.verify(relation_parameters, alpha, gate_challenges); + sumcheck.verify(relation_parameters, alphas, gate_challenges); // Execute ZeroMorph to produce an opening claim subsequently verified by a univariate PCS - auto opening_claim = ZeroMorph::verify(circuit_size, + auto opening_claim = ZeroMorph::verify(key->circuit_size, commitments.get_unshifted(), commitments.get_to_be_shifted(), claimed_evaluations.get_unshifted(), @@ -180,8 +103,7 @@ UltraRecursiveVerifier_::AggregationObject UltraRecursiveVerifier_ class UltraRecursiveVerifier_ { using RelationSeparator = typename Flavor::RelationSeparator; using AggregationObject = aggregation_state; using Transcript = bb::BaseTranscript>; + using OinkVerifier = OinkRecursiveVerifier_; explicit UltraRecursiveVerifier_(Builder* builder, const std::shared_ptr& native_verifier_key); explicit UltraRecursiveVerifier_(Builder* builder, const std::shared_ptr& vkey); - AggregationObject verify_proof(const HonkProof& proof, aggregation_state previous_output); + AggregationObject verify_proof(const HonkProof& proof, aggregation_state agg_obj); AggregationObject verify_proof(const StdlibProof& proof, - aggregation_state previous_output); + aggregation_state agg_obj); std::shared_ptr key; std::map commitments; @@ -35,7 +37,4 @@ template class UltraRecursiveVerifier_ { std::shared_ptr transcript; }; -// Instance declarations for Ultra and Goblin-Ultra verifier circuits with both conventional Ultra and Goblin-Ultra -// arithmetization. -using UltraRecursiveVerifier = UltraRecursiveVerifier_; } // namespace bb::stdlib::recursion::honk diff --git a/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.test.cpp b/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.test.cpp index 6939434b6..8d645e667 100644 --- a/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.test.cpp +++ b/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.test.cpp @@ -221,7 +221,7 @@ template class RecursiveVerifierTest : public testing aggregation_state agg_obj = init_default_aggregation_state(outer_circuit); auto pairing_points = verifier.verify_proof(inner_proof, agg_obj); - info("Recursive Verifier: num gates = ", outer_circuit.num_gates); + info("Recursive Verifier: num gates = ", outer_circuit.get_num_gates()); // Check for a failure flag in the recursive verifier circuit EXPECT_EQ(outer_circuit.failed(), false) << outer_circuit.err(); diff --git a/cpp/src/barretenberg/stdlib/protogalaxy_verifier/protogalaxy_recursive_verifier.cpp b/cpp/src/barretenberg/stdlib/protogalaxy_verifier/protogalaxy_recursive_verifier.cpp index 4fd6335ef..eca266a15 100644 --- a/cpp/src/barretenberg/stdlib/protogalaxy_verifier/protogalaxy_recursive_verifier.cpp +++ b/cpp/src/barretenberg/stdlib/protogalaxy_verifier/protogalaxy_recursive_verifier.cpp @@ -6,90 +6,15 @@ namespace bb::stdlib::recursion::honk { template void ProtoGalaxyRecursiveVerifier_::receive_and_finalise_instance( - const std::shared_ptr& inst, const std::string& domain_separator) + const std::shared_ptr& inst, std::string& domain_separator) { - // Get circuit parameters and the public inputs - const auto instance_size = transcript->template receive_from_prover(domain_separator + "_circuit_size"); - const auto public_input_size = - transcript->template receive_from_prover(domain_separator + "_public_input_size"); - inst->verification_key->circuit_size = uint32_t(instance_size.get_value()); - inst->verification_key->log_circuit_size = - static_cast(numeric::get_msb(inst->verification_key->circuit_size)); - inst->verification_key->num_public_inputs = uint32_t(public_input_size.get_value()); - const auto pub_inputs_offset = - transcript->template receive_from_prover(domain_separator + "_pub_inputs_offset"); - inst->verification_key->pub_inputs_offset = uint32_t(pub_inputs_offset.get_value()); - - for (size_t i = 0; i < inst->verification_key->num_public_inputs; ++i) { - auto public_input_i = - transcript->template receive_from_prover(domain_separator + "_public_input_" + std::to_string(i)); - inst->public_inputs.emplace_back(public_input_i); - } - - // Get commitments to first three wire polynomials - auto labels = inst->commitment_labels; - auto& witness_commitments = inst->witness_commitments; - witness_commitments.w_l = transcript->template receive_from_prover(domain_separator + "_" + labels.w_l); - witness_commitments.w_r = transcript->template receive_from_prover(domain_separator + "_" + labels.w_r); - witness_commitments.w_o = transcript->template receive_from_prover(domain_separator + "_" + labels.w_o); - - if constexpr (IsGoblinFlavor) { - // Receive ECC op wire commitments - for (auto [commitment, label] : zip_view(witness_commitments.get_ecc_op_wires(), labels.get_ecc_op_wires())) { - commitment = transcript->template receive_from_prover(domain_separator + "_" + label); - } - - // Receive DataBus related polynomial commitments - for (auto [commitment, label] : - zip_view(witness_commitments.get_databus_entities(), labels.get_databus_entities())) { - commitment = transcript->template receive_from_prover(domain_separator + "_" + label); - } - } - - // Get eta challenges - auto [eta, eta_two, eta_three] = transcript->template get_challenges( - domain_separator + "_eta", domain_separator + "_eta_two", domain_separator + "_eta_three"); - - // Receive commitments to lookup argument polynomials - witness_commitments.lookup_read_counts = - transcript->template receive_from_prover(domain_separator + "_" + labels.lookup_read_counts); - witness_commitments.lookup_read_tags = - transcript->template receive_from_prover(domain_separator + "_" + labels.lookup_read_tags); - - // Receive commitments to wire 4 - witness_commitments.w_4 = transcript->template receive_from_prover(domain_separator + "_" + labels.w_4); - - // Get permutation challenges and commitment to permutation and lookup grand products - auto [beta, gamma] = - transcript->template get_challenges(domain_separator + "_beta", domain_separator + "_gamma"); - - witness_commitments.lookup_inverses = transcript->template receive_from_prover( - domain_separator + "_" + commitment_labels.lookup_inverses); - - // If Goblin (i.e. using DataBus) receive commitments to log-deriv inverses polynomial - if constexpr (IsGoblinFlavor) { - for (auto [commitment, label] : - zip_view(witness_commitments.get_databus_inverses(), commitment_labels.get_databus_inverses())) { - commitment = transcript->template receive_from_prover(domain_separator + "_" + label); - } - } - - witness_commitments.z_perm = - transcript->template receive_from_prover(domain_separator + "_" + labels.z_perm); - - // Compute correction terms for grand products - const FF public_input_delta = - compute_public_input_delta(inst->public_inputs, - beta, - gamma, - inst->verification_key->circuit_size, - static_cast(inst->verification_key->pub_inputs_offset)); - inst->relation_parameters = RelationParameters{ eta, eta_two, eta_three, beta, gamma, public_input_delta }; - - // Get the relation separation challenges - for (size_t idx = 0; idx < NUM_SUBRELATIONS - 1; idx++) { - inst->alphas[idx] = transcript->template get_challenge(domain_separator + "_alpha_" + std::to_string(idx)); - } + domain_separator = domain_separator + "_"; + OinkVerifier oink_verifier{ builder, inst->verification_key, transcript, domain_separator }; + auto [relation_parameters, witness_commitments, public_inputs, alphas] = oink_verifier.verify(); + inst->relation_parameters = std::move(relation_parameters); + inst->witness_commitments = std::move(witness_commitments); + inst->public_inputs = std::move(public_inputs); + inst->alphas = std::move(alphas); } // TODO(https://github.com/AztecProtocol/barretenberg/issues/795): The rounds prior to actual verifying are common diff --git a/cpp/src/barretenberg/stdlib/protogalaxy_verifier/protogalaxy_recursive_verifier.hpp b/cpp/src/barretenberg/stdlib/protogalaxy_verifier/protogalaxy_recursive_verifier.hpp index 6a0d8d559..66b79a326 100644 --- a/cpp/src/barretenberg/stdlib/protogalaxy_verifier/protogalaxy_recursive_verifier.hpp +++ b/cpp/src/barretenberg/stdlib/protogalaxy_verifier/protogalaxy_recursive_verifier.hpp @@ -2,6 +2,7 @@ #include "barretenberg/flavor/flavor.hpp" #include "barretenberg/honk/proof_system/types/proof.hpp" #include "barretenberg/protogalaxy/folding_result.hpp" +#include "barretenberg/stdlib/honk_verifier/oink_recursive_verifier.hpp" #include "barretenberg/stdlib/protogalaxy_verifier/recursive_instances.hpp" #include "barretenberg/stdlib/transcript/transcript.hpp" #include "barretenberg/stdlib_circuit_builders/mega_recursive_flavor.hpp" @@ -26,7 +27,7 @@ template class ProtoGalaxyRecursiveVerifier_ { using PairingPoints = std::array; static constexpr size_t NUM = VerifierInstances::NUM; using Transcript = bb::BaseTranscript>; - + using OinkVerifier = OinkRecursiveVerifier_; struct VerifierInput { public: using Instance = NativeInstance; @@ -94,7 +95,7 @@ template class ProtoGalaxyRecursiveVerifier_ { * @brief Process the public data ϕ for the Instances to be folded. * */ - void receive_and_finalise_instance(const std::shared_ptr&, const std::string&); + void receive_and_finalise_instance(const std::shared_ptr&, std::string&); /** * @brief Run the folding protocol on the verifier side to establish whether the public data ϕ of the new diff --git a/cpp/src/barretenberg/stdlib_circuit_builders/mega_flavor.hpp b/cpp/src/barretenberg/stdlib_circuit_builders/mega_flavor.hpp index 71ee188af..4e2e48fe9 100644 --- a/cpp/src/barretenberg/stdlib_circuit_builders/mega_flavor.hpp +++ b/cpp/src/barretenberg/stdlib_circuit_builders/mega_flavor.hpp @@ -770,63 +770,17 @@ class MegaFlavor { VerifierCommitments_(const std::shared_ptr& verification_key, const std::optional>& witness_commitments = std::nullopt) { - this->q_m = verification_key->q_m; - this->q_l = verification_key->q_l; - this->q_r = verification_key->q_r; - this->q_o = verification_key->q_o; - this->q_4 = verification_key->q_4; - this->q_c = verification_key->q_c; - this->q_arith = verification_key->q_arith; - this->q_delta_range = verification_key->q_delta_range; - this->q_elliptic = verification_key->q_elliptic; - this->q_aux = verification_key->q_aux; - this->q_lookup = verification_key->q_lookup; - this->q_busread = verification_key->q_busread; - this->q_poseidon2_external = verification_key->q_poseidon2_external; - this->q_poseidon2_internal = verification_key->q_poseidon2_internal; - this->sigma_1 = verification_key->sigma_1; - this->sigma_2 = verification_key->sigma_2; - this->sigma_3 = verification_key->sigma_3; - this->sigma_4 = verification_key->sigma_4; - this->id_1 = verification_key->id_1; - this->id_2 = verification_key->id_2; - this->id_3 = verification_key->id_3; - this->id_4 = verification_key->id_4; - this->table_1 = verification_key->table_1; - this->table_2 = verification_key->table_2; - this->table_3 = verification_key->table_3; - this->table_4 = verification_key->table_4; - this->lagrange_first = verification_key->lagrange_first; - this->lagrange_last = verification_key->lagrange_last; - this->lagrange_ecc_op = verification_key->lagrange_ecc_op; - this->databus_id = verification_key->databus_id; + // Copy the precomputed polynomial commitments into this + for (auto [precomputed, precomputed_in] : zip_view(this->get_precomputed(), verification_key->get_all())) { + precomputed = precomputed_in; + } + // If provided, copy the witness polynomial commitments into this if (witness_commitments.has_value()) { - auto commitments = witness_commitments.value(); - this->w_l = commitments.w_l; - this->w_r = commitments.w_r; - this->w_o = commitments.w_o; - this->w_4 = commitments.w_4; - this->z_perm = commitments.z_perm; - this->lookup_inverses = commitments.lookup_inverses; - this->lookup_read_counts = commitments.lookup_read_counts; - this->lookup_read_tags = commitments.lookup_read_tags; - this->ecc_op_wire_1 = commitments.ecc_op_wire_1; - this->ecc_op_wire_2 = commitments.ecc_op_wire_2; - this->ecc_op_wire_3 = commitments.ecc_op_wire_3; - this->ecc_op_wire_4 = commitments.ecc_op_wire_4; - this->calldata = commitments.calldata; - this->calldata_read_counts = commitments.calldata_read_counts; - this->calldata_read_tags = commitments.calldata_read_tags; - this->calldata_inverses = commitments.calldata_inverses; - this->secondary_calldata = commitments.secondary_calldata; - this->secondary_calldata_read_counts = commitments.secondary_calldata_read_counts; - this->secondary_calldata_read_tags = commitments.secondary_calldata_read_tags; - this->secondary_calldata_inverses = commitments.secondary_calldata_inverses; - this->return_data = commitments.return_data; - this->return_data_read_counts = commitments.return_data_read_counts; - this->return_data_read_tags = commitments.return_data_read_tags; - this->return_data_inverses = commitments.return_data_inverses; + for (auto [witness, witness_in] : + zip_view(this->get_witness(), witness_commitments.value().get_all())) { + witness = witness_in; + } } } };