Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
batch_merge.test.cpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: not started, auditors: [], commit: }
3// external_1: { status: not started, auditors: [], commit: }
4// external_2: { status: not started, auditors: [], commit: }
5// =====================
6
7#include "barretenberg/boomerang_value_detection/graph.hpp"
8#include "barretenberg/circuit_checker/circuit_checker.hpp"
9#include "barretenberg/commitment_schemes/shplonk/shplonk.hpp"
10#include "barretenberg/common/test.hpp"
11#include "barretenberg/crypto/poseidon2/poseidon2.hpp"
12#include "barretenberg/goblin/batch_merge_prover.hpp"
13#include "barretenberg/goblin/batch_merge_verifier.hpp"
14#include "barretenberg/op_queue/ecc_op_queue.hpp"
15#include "barretenberg/srs/global_crs.hpp"
16#include "barretenberg/stdlib/primitives/curves/bn254.hpp"
17#include "barretenberg/stdlib/proof/proof.hpp"
18#include "barretenberg/transcript/transcript.hpp"
19
20namespace bb {
21
22using NativeCurve = curve::BN254;
23using NativeG1 = NativeCurve::AffineElement;
24
25static constexpr size_t NUM_WIRES = MegaExecutionTraceBlocks::NUM_WIRES;
26static constexpr size_t NUM_FRS_COMM = NativeTranscript::Codec::template calc_num_fields<NativeG1>();
27
28template <typename Curve, typename = void> struct BuilderTypeHelper {
29 struct DummyBuilder {};
30 using type = DummyBuilder;
31};
32
33template <typename Curve> struct BuilderTypeHelper<Curve, std::enable_if_t<Curve::is_stdlib_type>> {
34 using type = typename Curve::Builder;
35};
36
37enum class FaultMode : uint8_t {
38 NONE,
39 WRONG_MERGED_TABLE, // merged table commitment/evals/opening are self-consistent but table is wrong
40 BAD_DEGREE_CHECK_POLY, // degree-check commitment/eval/opening are self-consistent but polynomial is wrong
41 PADDING_NOT_INFINITY, // padded slot sends non-zero shift size and non-zero commitment/eval
42 SHIFT_SIZE_MINUS_ONE, // send k-1 as shift size for a subtable polynomial of size k
43 ZK_TABLE_DEGREE_TOO_HIGH, // zk table has degree above verifier hard-coded ZK shift
44 ZERO_SUBTABLES_CLAIM // send 0 as number of subtables
45};
46
47void populate_subtable(const std::shared_ptr<ECCOpQueue>& op_queue, size_t num_ops)
48{
49 for (size_t i = 0; i < num_ops; ++i) {
50 op_queue->add_accumulate(NativeG1::random_element());
51 op_queue->mul_accumulate(NativeG1::random_element(), bb::fr::random_element());
52 op_queue->eq_and_reset();
53 }
54}
55
56std::shared_ptr<ECCOpQueue> make_op_queue_with_n_subtables(size_t n)
57{
58 const size_t max_op_queue_ops = 10;
59 auto op_queue = std::make_shared<ECCOpQueue>();
60 for (size_t i = 0; i < n; ++i) {
61 if (i > 0) {
62 op_queue->initialize_new_subtable();
63 }
64 populate_subtable(op_queue, ((1 + i) % max_op_queue_ops) + 1); // +1 to avoid empty subtables
65 op_queue->merge();
66 }
67 return op_queue;
68}
69
75bb::fr compute_running_hash(const std::vector<bb::fr>& proof, size_t N)
76{
77 std::vector<bb::fr> round_inputs;
78 bb::fr previous_challenge(0);
79 bool is_first_challenge = true;
80
81 for (size_t subtable_idx = 0; subtable_idx < N; ++subtable_idx) {
82 round_inputs.clear();
83 if (!is_first_challenge) {
84 round_inputs.push_back(previous_challenge);
85 }
86 for (size_t col = 0; col < NUM_WIRES; ++col) {
87 const size_t global_col_idx = (subtable_idx * NUM_WIRES) + col;
88 const size_t base = (global_col_idx * NUM_FRS_COMM);
89 for (size_t j = 0; j < NUM_FRS_COMM; ++j) {
90 round_inputs.push_back(proof[base + j]);
91 }
92 }
93
94 // Transcript logic: hash full round buffer, then split into two challenge parts; get_challenge uses part[0].
95 const bb::fr full_hash = crypto::Poseidon2<crypto::Poseidon2Bn254ScalarFieldParams>::hash(round_inputs);
96 previous_challenge = full_hash;
97 is_first_challenge = false;
98 }
99
100 return previous_challenge;
101}
102
107class TweakableBatchMergeProver : public BatchMergeProver {
108 using Curve = curve::BN254;
109 using FF = Curve::ScalarField;
110 using PCS = KZG<Curve>;
111 using Polynomial = bb::Polynomial<FF>;
112 using OpeningClaim = ProverOpeningClaim<Curve>;
113 using Transcript = NativeTranscript;
114
115 public:
122
123 MergeProof construct_proof()
124 {
125 const size_t M = max_subtables;
126
127 // Step 1
128 std::vector<std::array<Polynomial, NUM_WIRES>> subtable_cols = op_queue->construct_subtable_columns();
129
130 size_t N = subtable_cols.size();
131
132 std::vector<size_t> shift_sizes(N);
133 size_t max_shift_size = 0;
134 for (size_t i = 0; i < N; ++i) {
135 shift_sizes[i] = subtable_cols[i][0].size();
136 max_shift_size = std::max(max_shift_size, shift_sizes[i]);
137 }
138
139 // Step 2: commit subtable columns
140 Polynomial zero_poly(0);
141 for (size_t idx = 0; idx < N; ++idx) {
142 for (size_t col = 0; col < NUM_WIRES; ++col) {
143 const Polynomial& col_to_commit =
144 (fault_mode == FaultMode::ZERO_SUBTABLES_CLAIM) ? zero_poly : subtable_cols[idx][col];
145 transcript->send_to_verifier("COLUMN_" + std::to_string(col) + "_" + std::to_string(idx),
146 pcs_commitment_key.commit(col_to_commit));
147 }
148 [[maybe_unused]] FF _ = transcript->template get_challenge<FF>("HASH_" + std::to_string(idx));
149 }
150
151 Polynomial one_poly(1);
152 one_poly.at(0) = 1;
153 for (size_t idx = N; idx < M; ++idx) {
154 for (size_t col = 0; col < NUM_WIRES; ++col) {
155 const bool non_infinity_padding =
156 (fault_mode == FaultMode::PADDING_NOT_INFINITY && idx == N && col == 0);
157 transcript->send_to_verifier("COLUMN_" + std::to_string(col) + "_" + std::to_string(idx),
158 pcs_commitment_key.commit(non_infinity_padding ? one_poly : zero_poly));
159 }
160 [[maybe_unused]] FF _ = transcript->template get_challenge<FF>("HASH_" + std::to_string(idx));
161 }
162
163 // Step 2.b: Send the masking table
164 std::array<Polynomial, NUM_WIRES> zk_columns = op_queue->construct_zk_columns();
165
166 if (fault_mode == FaultMode::ZK_TABLE_DEGREE_TOO_HIGH) {
167 for (size_t col = 0; col < NUM_WIRES; ++col) {
168 // Make zk column degree exceed verifier's hard-coded ZK shift (= ZK_ULTRA_OPS).
169 Polynomial larger_zk_col(zk_columns[col], zk_columns[col].size() + 1);
170 larger_zk_col.at(larger_zk_col.size() - 1) = FF(1);
171 zk_columns[col] = std::move(larger_zk_col);
172 }
173 }
174
175 for (size_t col = 0; col < NUM_WIRES; ++col) {
176 transcript->send_to_verifier("ZK_COLUMN_" + std::to_string(col),
177 pcs_commitment_key.commit(zk_columns[col]));
178 }
179 max_shift_size = std::max(max_shift_size, zk_columns[0].size());
180
181 // Step 2.c: Flatten the columns for easier utilisation
182 std::vector<Polynomial> flattened_cols;
183 flattened_cols.reserve((subtable_cols.size() * NUM_WIRES) + NUM_WIRES);
184 for (size_t col = 0; col < NUM_WIRES; ++col) {
185 flattened_cols.push_back(std::move(zk_columns[col]));
186 }
187 for (auto& subtable_col : subtable_cols) {
188 for (size_t col = 0; col < NUM_WIRES; ++col) {
189 if (fault_mode == FaultMode::ZERO_SUBTABLES_CLAIM) {
190 flattened_cols.push_back(Polynomial(1));
191 } else {
192 flattened_cols.push_back(std::move(subtable_col[col]));
193 }
194 }
195 }
196
197 // Step 3
198 uint32_t sent_num_subtables = static_cast<uint32_t>(N);
199 if (fault_mode == FaultMode::ZERO_SUBTABLES_CLAIM) {
200 sent_num_subtables = 0;
201 }
202 transcript->send_to_verifier("NUM_SUBTABLES", sent_num_subtables);
203 for (size_t i = 0; i < M; ++i) {
204 uint32_t sent_shift_size = static_cast<uint32_t>(i < N ? shift_sizes[i] : 0);
205 if (fault_mode == FaultMode::PADDING_NOT_INFINITY && i == N && N < M) {
206 sent_shift_size = 1;
207 }
208 if (fault_mode == FaultMode::SHIFT_SIZE_MINUS_ONE && i == 0 && N > 0) {
209 BB_ASSERT_GT(shift_sizes[0], 0U);
210 sent_shift_size = static_cast<uint32_t>(shift_sizes[0] - 1);
211 }
212 if (fault_mode == FaultMode::ZERO_SUBTABLES_CLAIM && i == N && N < M) {
213 sent_shift_size = 0;
214 }
215 transcript->send_to_verifier("SHIFT_SIZE_" + std::to_string(i), sent_shift_size);
216 }
217
218 // Step 4: merged table
219 std::array<Polynomial, NUM_WIRES> merged_table(op_queue->construct_ultra_ops_table_columns());
220 if (fault_mode == FaultMode::WRONG_MERGED_TABLE && !merged_table[0].is_empty()) {
221 merged_table[0].at(0) += FF(1);
222 } else if (fault_mode == FaultMode::ZERO_SUBTABLES_CLAIM) {
223 for (size_t col = 0; col < NUM_WIRES; ++col) {
224 merged_table[col] = Polynomial(1);
225 }
226 }
227 for (size_t col = 0; col < NUM_WIRES; ++col) {
228 transcript->send_to_verifier("MERGED_COLUMN_" + std::to_string(col),
229 pcs_commitment_key.commit(merged_table[col]));
230 }
231
232 // Step 5
233 const FF degree_check_challenge = transcript->template get_challenge<FF>("DEGREE_CHECK_CHALLENGE");
234 const size_t num_degree_check_challenges = (M * NUM_WIRES) + NUM_WIRES;
235 std::vector<FF> degree_check_challenges = { FF(1), degree_check_challenge };
236 for (size_t idx = 2; idx < num_degree_check_challenges; ++idx) {
237 degree_check_challenges.push_back(degree_check_challenges.back() * degree_check_challenge);
238 }
239
240 // Step 6: degree-check poly
241 Polynomial degree_check_poly =
242 compute_degree_check_polynomial(flattened_cols, degree_check_challenges, max_shift_size);
243 if (fault_mode == FaultMode::BAD_DEGREE_CHECK_POLY && !degree_check_poly.is_empty()) {
244 degree_check_poly.at(0) += FF(1);
245 }
246 transcript->send_to_verifier("DEGREE_CHECK_POLY", pcs_commitment_key.commit(degree_check_poly));
247
248 // Step 7
249 const FF kappa = transcript->template get_challenge<FF>("KAPPA");
250 const FF kappa_inv = kappa.invert();
251
252 // Step 8: evals
253 std::vector<FF> evals;
254 const size_t num_actual_flattened_cols = (N * NUM_WIRES) + NUM_WIRES;
255 const size_t num_flattened_col_evals = (M * NUM_WIRES) + NUM_WIRES;
256 for (size_t flat_idx = 0; flat_idx < num_flattened_col_evals; ++flat_idx) {
257 FF eval = FF(0);
258 if (flat_idx < num_actual_flattened_cols) {
259 eval = flattened_cols[flat_idx].evaluate(kappa);
260 } else if (fault_mode == FaultMode::PADDING_NOT_INFINITY && flat_idx == num_actual_flattened_cols) {
261 eval = FF(1); // matches one_poly commitment at the first padded slot
262 }
263 evals.push_back(eval);
264 transcript->send_to_verifier("C_EVAL_" + std::to_string(flat_idx), eval);
265 }
266
267 for (size_t col = 0; col < NUM_WIRES; ++col) {
268 evals.push_back(merged_table[col].evaluate(kappa));
269 transcript->send_to_verifier("MERGED_EVAL_" + std::to_string(col), evals.back());
270 }
271
272 evals.push_back(degree_check_poly.evaluate(kappa_inv));
273 transcript->send_to_verifier("DEGREE_CHECK_EVAL", evals.back());
274
275 // Step 9
276 const size_t num_opening_claims = ((M + 1) * NUM_WIRES) + 1 + NUM_WIRES;
277 std::vector<OpeningClaim> opening_claims;
278 opening_claims.reserve(num_opening_claims);
279
280 for (size_t idx = 0; idx < num_flattened_col_evals; ++idx) {
281 if (idx < num_actual_flattened_cols) {
282 opening_claims.push_back({ std::move(flattened_cols[idx]), { kappa, evals[idx] } });
283 } else {
284 opening_claims.push_back({ Polynomial(1), { kappa, FF(0) } });
285 }
286 }
287
288 for (size_t idx = 0; idx < NUM_WIRES; ++idx) {
289 opening_claims.push_back(
290 { std::move(merged_table[idx]), { kappa, evals[(M * NUM_WIRES) + NUM_WIRES + idx] } });
291 }
292
293 opening_claims.push_back({ std::move(degree_check_poly), { kappa_inv, evals.back() } });
294
295 auto shplonk_opening_claim = ShplonkProver::prove(pcs_commitment_key, opening_claims, transcript);
296
297 PCS::compute_opening_proof(pcs_commitment_key, shplonk_opening_claim, transcript);
298 return transcript->export_proof();
299 }
300
301 private:
302 FaultMode fault_mode;
303};
304
305// Custom parameter struct to hold both Curve type and NumSubtables value
306template <typename Curve, size_t N> struct TestParam {
307 using CurveType = Curve;
308 static constexpr size_t NumSubtables = N;
309};
310
311// Specialize the fixture to extract both template parameters from TypeParam
312template <typename Param> class BatchMergeTests : public testing::Test {
313 public:
314 using Curve = typename Param::CurveType;
315 static constexpr size_t NumSubtables = Param::NumSubtables;
316 using FF = typename Curve::ScalarField;
317 using Verifier = BatchMergeVerifier_<Curve, NumSubtables>;
318 using Proof = typename Verifier::Proof;
319 using Transcript = typename Verifier::Transcript;
320 static constexpr bool IsRecursive = Curve::is_stdlib_type;
321 using BuilderType = typename BuilderTypeHelper<Curve>::type;
322
323 static constexpr size_t VERIFIER_NUM_GATES = NumSubtables == 9 ? 10456 : 47322;
324 static constexpr size_t ZK_OFFSET = NumSubtables == 9 ? 666 : 520;
325
331
332 static void SetUpTestSuite() { bb::srs::init_file_crs_factory(bb::srs::bb_crs_path()); }
333
334 static Proof create_proof(BuilderType& builder, const std::vector<bb::fr>& native_proof)
335 {
336 if constexpr (IsRecursive) {
337 stdlib::Proof<BuilderType> stdlib_proof(builder, native_proof);
338 return stdlib_proof;
339 } else {
340 (void)builder;
341 return native_proof;
342 }
343 }
344
345 static FF create_hash(BuilderType& builder, const bb::fr& native_hash)
346 {
347 if constexpr (IsRecursive) {
348 auto hash = FF::from_witness(&builder, native_hash);
349 hash.unset_free_witness_tag();
350 return hash;
351 } else {
352 (void)builder;
353 return native_hash;
354 }
355 }
356
357 static bool check_circuit(BuilderType& builder)
358 {
359 if constexpr (IsRecursive) {
360 return CircuitChecker::check(builder);
361 } else {
362 (void)builder;
363 return true;
364 }
365 }
366
367 static VerifyResult prove_and_verify(const std::shared_ptr<ECCOpQueue>& op_queue,
368 FaultMode fault_mode = FaultMode::NONE,
369 bool wrong_hash = false,
370 bool check_manifest = false)
371 {
372 TranscriptManifest prover_manifest;
373 std::vector<bb::fr> native_proof;
374 if (fault_mode == FaultMode::NONE) {
375 BatchMergeProver prover{ op_queue, NumSubtables };
376 if (check_manifest) {
377 prover.transcript->enable_manifest();
378 }
379
380 native_proof = prover.construct_proof();
381 if (check_manifest) {
382 prover_manifest = prover.transcript->get_manifest();
383 }
384 } else {
385 TweakableBatchMergeProver prover{ op_queue, NumSubtables, fault_mode };
386 if (check_manifest) {
387 prover.transcript->enable_manifest();
388 }
389
390 native_proof = prover.construct_proof();
391 if (check_manifest) {
392 prover_manifest = prover.transcript->get_manifest();
393 }
394 }
395
396 bb::fr native_hash = compute_running_hash(native_proof, op_queue->num_subtables());
397 if (wrong_hash) {
398 native_hash += bb::fr(1);
399 }
400
401 BuilderType builder;
402 Proof proof = create_proof(builder, native_proof);
403 FF hash = create_hash(builder, native_hash);
404
405 Verifier verifier;
406 if (check_manifest) {
407 verifier.transcript->enable_manifest();
408 }
409 auto result = verifier.reduce_to_pairing_check(proof, hash);
410
411 if (check_manifest) {
412 // Check consistency of manifests
413 auto verifier_manifest = verifier.transcript->get_manifest();
414 EXPECT_EQ(prover_manifest.size(), verifier_manifest.size());
415 for (size_t i = 0; i < prover_manifest.size(); ++i) {
416 EXPECT_EQ(prover_manifest[i], verifier_manifest[i]);
417 }
418 }
419
420 if constexpr (Curve::is_stdlib_type) {
421 EXPECT_EQ(builder.get_num_finalized_gates_inefficient(), VERIFIER_NUM_GATES + ZK_OFFSET);
422 }
423
424 return { result.reduction_succeeded, result.pairing_points.check(), check_circuit(builder) };
425 }
426};
427
428using TestParams = ::testing::Types<TestParam<curve::BN254, 9>,
429 TestParam<curve::BN254, CHONK_MAX_NUM_CIRCUITS>,
430 TestParam<stdlib::bn254<MegaCircuitBuilder>, 9>,
431 TestParam<stdlib::bn254<MegaCircuitBuilder>, CHONK_MAX_NUM_CIRCUITS>>;
432TYPED_TEST_SUITE(BatchMergeTests, TestParams);
433
434// Completeness
435
436TYPED_TEST(BatchMergeTests, ValidProofPassesWithPadding)
437{
438 auto op_queue = make_op_queue_with_n_subtables(3);
439 auto res = TestFixture::prove_and_verify(op_queue, FaultMode::NONE, false, /*check_manifest*/ true);
440 EXPECT_TRUE(res.reduction_ok);
441 EXPECT_TRUE(res.pairing_ok);
442 EXPECT_TRUE(res.circuit_ok);
443}
444
445TYPED_TEST(BatchMergeTests, ValidProofMaxSizePasses)
446{
447 auto op_queue = make_op_queue_with_n_subtables(TestFixture::NumSubtables);
448 auto res = TestFixture::prove_and_verify(op_queue);
449 EXPECT_TRUE(res.reduction_ok);
450 EXPECT_TRUE(res.pairing_ok);
451 EXPECT_TRUE(res.circuit_ok);
452}
453
454// Soundness
455
456TYPED_TEST(BatchMergeTests, ZeroSubtablesFails)
457{
458 BB_DISABLE_ASSERTS();
459 auto op_queue = make_op_queue_with_n_subtables(3);
460 auto res = TestFixture::prove_and_verify(op_queue, FaultMode::ZERO_SUBTABLES_CLAIM);
461 EXPECT_FALSE(res.reduction_ok); // Caught by product check
462 EXPECT_TRUE(res.pairing_ok);
463 if constexpr (TestFixture::IsRecursive) {
464 EXPECT_FALSE(res.circuit_ok);
465 }
466}
467
468TYPED_TEST(BatchMergeTests, TooManySubtablesFails)
469{
470 if constexpr (!TestFixture::Curve::is_stdlib_type) {
471 GTEST_SKIP() << "This test in native setting fails due to a deserialization failure. The verifier path in the "
472 "same for native and recursive code, so it's enough to test the recursive code.";
473 } else {
474 BB_DISABLE_ASSERTS();
475 auto op_queue = make_op_queue_with_n_subtables(TestFixture::NumSubtables + 1);
476 auto res = TestFixture::prove_and_verify(op_queue);
477 EXPECT_FALSE(res.reduction_ok); // Caught by product check
478 EXPECT_FALSE(res.pairing_ok); // Verifier uses fewer commitments than the one sent
479 if constexpr (TestFixture::IsRecursive) {
480 EXPECT_FALSE(res.circuit_ok); // Assertions fail
481 }
482 }
483}
484
485TYPED_TEST(BatchMergeTests, WrongMergedTableFails)
486{
487 auto op_queue = make_op_queue_with_n_subtables(2);
488 auto res = TestFixture::prove_and_verify(op_queue, FaultMode::WRONG_MERGED_TABLE);
489 EXPECT_FALSE(res.reduction_ok); // Caught by the concatenation check
490 EXPECT_TRUE(res.pairing_ok);
491 if constexpr (TestFixture::IsRecursive) {
492 EXPECT_FALSE(res.circuit_ok);
493 }
494}
495
496TYPED_TEST(BatchMergeTests, WrongHashFails)
497{
498 auto op_queue = make_op_queue_with_n_subtables(4);
499 auto res = TestFixture::prove_and_verify(op_queue, FaultMode::NONE, true);
500 EXPECT_FALSE(res.reduction_ok); // Caught by the hash check
501 EXPECT_TRUE(res.pairing_ok);
502 if constexpr (TestFixture::IsRecursive) {
503 EXPECT_FALSE(res.circuit_ok);
504 }
505}
506
507TYPED_TEST(BatchMergeTests, BadSubtableDegreeCheckFails)
508{
509 auto op_queue = make_op_queue_with_n_subtables(6);
510 auto res = TestFixture::prove_and_verify(op_queue, FaultMode::BAD_DEGREE_CHECK_POLY);
511 EXPECT_FALSE(res.reduction_ok); // Caught by the degree check
512 EXPECT_TRUE(res.pairing_ok);
513 if constexpr (TestFixture::IsRecursive) {
514 EXPECT_FALSE(res.circuit_ok);
515 }
516}
517
518TYPED_TEST(BatchMergeTests, PaddingTableNotInfinityFails)
519{
520 auto op_queue = make_op_queue_with_n_subtables(3);
521 auto res = TestFixture::prove_and_verify(op_queue, FaultMode::PADDING_NOT_INFINITY);
522 EXPECT_FALSE(res.reduction_ok); // Caught by the degree check: shift sizes are zeroed out >= N
523 EXPECT_TRUE(res.pairing_ok); // PCS is consistent
524 if constexpr (TestFixture::IsRecursive) {
525 EXPECT_FALSE(res.circuit_ok); // Caught by the degree check: shift sizes are zeroed out >= N
526 }
527}
528
529TYPED_TEST(BatchMergeTests, ShiftSizeMinusOneFailsReductionOnly)
530{
531 auto op_queue = make_op_queue_with_n_subtables(7);
532 auto res = TestFixture::prove_and_verify(op_queue, FaultMode::SHIFT_SIZE_MINUS_ONE);
533 EXPECT_FALSE(res.reduction_ok); // Caught by the degree check
534 EXPECT_TRUE(res.pairing_ok);
535 if constexpr (TestFixture::IsRecursive) {
536 EXPECT_FALSE(res.circuit_ok);
537 }
538}
539
540TYPED_TEST(BatchMergeTests, ZKTableDegreeTooHighFailsReductionOnly)
541{
542 auto op_queue = make_op_queue_with_n_subtables(5);
543 auto res = TestFixture::prove_and_verify(op_queue, FaultMode::ZK_TABLE_DEGREE_TOO_HIGH);
544 EXPECT_FALSE(res.reduction_ok); // Caught by degree/concatenation reductions via hard-coded ZK shift.
545 EXPECT_TRUE(res.pairing_ok); // PCS opening remains self-consistent with sent commitments/evals.
546 if constexpr (TestFixture::IsRecursive) {
547 EXPECT_FALSE(res.circuit_ok);
548 }
549}
550
551// Static analysis of the recursive verifier circuit: every variable must belong to a single connected
552// component (no disjoint subgraphs) and there must be no variables that participate in only one gate
553// (i.e. no unconstrained witnesses).
554TYPED_TEST(BatchMergeTests, GraphDescription)
555{
556 if constexpr (!TestFixture::IsRecursive) {
557 GTEST_SKIP() << "Graph description analysis only applies to stdlib (recursive) verifier circuits.";
558 } else {
559 using BuilderType = typename TestFixture::BuilderType;
560 using FF = typename TestFixture::FF;
561 using Proof = typename TestFixture::Proof;
562 using Verifier = typename TestFixture::Verifier;
563
564 auto op_queue = make_op_queue_with_n_subtables(5);
565 BatchMergeProver prover{ op_queue, TestFixture::NumSubtables };
566 auto native_proof = prover.construct_proof();
567 const bb::fr native_hash = compute_running_hash(native_proof, op_queue->num_subtables());
568
569 BuilderType builder;
570 Proof proof = TestFixture::create_proof(builder, native_proof);
571 FF hash = TestFixture::create_hash(builder, native_hash);
572 // The hash is consumed only via split_challenge, which yields a low/high pair via a single arithmetic
573 // gate: hash = lo + 2^127 * hi. The verifier subsequently uses only the low half, so hash itself
574 // appears in only that one gate. Pin it so the StaticAnalyzer doesn't flag it as unconstrained.
575 hash.fix_witness();
576
577 Verifier verifier;
578 auto result = verifier.reduce_to_pairing_check(proof, hash);
579
580 // The pairing points are public outputs from the recursive verifier that will be verified externally via a
581 // pairing check. Their output coordinates may not appear in multiple constraint gates; fix_witness() pins
582 // them so the StaticAnalyzer doesn't flag the coordinate limbs as unconstrained.
583 result.pairing_points.fix_witness();
584
585 builder.finalize_circuit();
586
587 using Analyzer =
588 std::conditional_t<IsMegaBuilder<BuilderType>, cdg::MegaStaticAnalyzer, cdg::UltraStaticAnalyzer>;
589 auto graph = Analyzer(builder);
590 auto [cc, variables_in_one_gate] = graph.analyze_circuit(/*filter_cc=*/true);
591
592 EXPECT_EQ(cc.size(), 1);
593 EXPECT_EQ(variables_in_one_gate.size(), 0);
594 }
595}
596
597} // namespace bb
BB_ASSERT_GT
#define BB_ASSERT_GT(left, right,...)
Definition assert.hpp:113
BB_DISABLE_ASSERTS
#define BB_DISABLE_ASSERTS()
Definition assert.hpp:33
batch_merge_prover.hpp
batch_merge_verifier.hpp
circuit_checker.hpp
bb::BaseTranscript
Common transcript class for both parties. Stores the data for the current round, as well as the manif...
Definition transcript.hpp:41
bb::BatchMergeProver
Batch merge prover.
Definition batch_merge_prover.hpp:25
bb::BatchMergeProver::NUM_WIRES
static constexpr size_t NUM_WIRES
Definition batch_merge_prover.hpp:40
bb::BatchMergeProver::transcript
std::shared_ptr< Transcript > transcript
Definition batch_merge_prover.hpp:63
bb::BatchMergeProver::op_queue
std::shared_ptr< ECCOpQueue > op_queue
Definition batch_merge_prover.hpp:66
bb::BatchMergeProver::MergeProof
std::vector< FF > MergeProof
Definition batch_merge_prover.hpp:38
bb::BatchMergeProver::construct_proof
MergeProof construct_proof()
Construct the batch merge proof.
Definition batch_merge_prover.cpp:52
bb::BatchMergeProver::compute_degree_check_polynomial
static Polynomial compute_degree_check_polynomial(const std::vector< Polynomial > &flattened_columns, const std::vector< FF > &degree_check_challenges, const size_t max_size)
Definition batch_merge_prover.cpp:23
bb::BatchMergeTests::ZK_OFFSET
static constexpr size_t ZK_OFFSET
Definition batch_merge.test.cpp:324
bb::BatchMergeTests::Transcript
typename Verifier::Transcript Transcript
Definition batch_merge.test.cpp:319
bb::BatchMergeTests::Curve
typename Param::CurveType Curve
Definition batch_merge.test.cpp:314
bb::BatchMergeTests::create_proof
static Proof create_proof(BuilderType &builder, const std::vector< bb::fr > &native_proof)
Definition batch_merge.test.cpp:334
bb::BatchMergeTests::IsRecursive
static constexpr bool IsRecursive
Definition batch_merge.test.cpp:320
bb::BatchMergeTests::NumSubtables
static constexpr size_t NumSubtables
Definition batch_merge.test.cpp:315
bb::BatchMergeTests::Proof
typename Verifier::Proof Proof
Definition batch_merge.test.cpp:318
bb::BatchMergeTests::check_circuit
static bool check_circuit(BuilderType &builder)
Definition batch_merge.test.cpp:357
bb::BatchMergeTests::create_hash
static FF create_hash(BuilderType &builder, const bb::fr &native_hash)
Definition batch_merge.test.cpp:345
bb::BatchMergeTests::BuilderType
typename BuilderTypeHelper< Curve >::type BuilderType
Definition batch_merge.test.cpp:321
bb::BatchMergeTests::VERIFIER_NUM_GATES
static constexpr size_t VERIFIER_NUM_GATES
Definition batch_merge.test.cpp:323
bb::BatchMergeTests::prove_and_verify
static VerifyResult prove_and_verify(const std::shared_ptr< ECCOpQueue > &op_queue, FaultMode fault_mode=FaultMode::NONE, bool wrong_hash=false, bool check_manifest=false)
Definition batch_merge.test.cpp:367
bb::BatchMergeTests::FF
typename Curve::ScalarField FF
Definition batch_merge.test.cpp:316
bb::BatchMergeVerifier_
Unified batch verifier for the batch Goblin ECC op queue merge protocol.
Definition batch_merge_verifier.hpp:26
bb::BatchMergeVerifier_::transcript
std::shared_ptr< Transcript > transcript
Definition batch_merge_verifier.hpp:60
bb::BatchMergeVerifier_::reduce_to_pairing_check
ReductionResult reduce_to_pairing_check(const Proof &proof, const FF hash)
Reduce the batch merge proof to a pairing check.
Definition batch_merge_verifier.cpp:16
bb::BatchMergeVerifier_::Transcript
TranscriptFor_t< Curve > Transcript
Definition batch_merge_verifier.hpp:34
bb::BatchMergeVerifier_::Proof
std::vector< FF > Proof
Definition batch_merge_verifier.hpp:33
bb::CommitmentKey::commit
Commitment commit(PolynomialSpan< const Fr > polynomial) const
Uses the ProverSRS to create a commitment to p(X)
Definition commitment_key.hpp:73
bb::KZG::compute_opening_proof
static void compute_opening_proof(const CK &ck, const ProverOpeningClaim< Curve > &opening_claim, const std::shared_ptr< Transcript > &prover_trancript)
Computes the KZG commitment to an opening proof polynomial at a single evaluation point.
Definition kzg.hpp:43
bb::Polynomial::is_empty
bool is_empty() const
Definition polynomial.hpp:179
bb::Polynomial::evaluate
Fr evaluate(const Fr &z) const
Definition polynomial.cpp:192
bb::Polynomial::at
Fr & at(size_t index)
Our mutable accessor, unlike operator[]. We abuse precedent a bit to differentiate at() and operator[...
Definition polynomial.hpp:276
bb::Polynomial::size
std::size_t size() const
Definition polynomial.hpp:261
bb::ProverOpeningClaim
Polynomial p and an opening pair (r,v) such that p(r) = v.
Definition claim.hpp:36
bb::ShplonkProver_::prove
static ProverOpeningClaim< Curve > prove(const CommitmentKey< Curve > &commitment_key, std::span< ProverOpeningClaim< Curve > > opening_claims, const std::shared_ptr< Transcript > &transcript, std::span< ProverOpeningClaim< Curve > > libra_opening_claims={}, std::span< ProverOpeningClaim< Curve > > sumcheck_round_claims={}, const size_t virtual_log_n=0)
Returns a batched opening claim equivalent to a set of opening claims consisting of polynomials,...
Definition shplonk.hpp:254
bb::TranslatorCircuitChecker::check
static bool check(const Builder &circuit)
Check the witness satisifies the circuit.
Definition translator_circuit_checker.cpp:107
bb::TweakableBatchMergeProver::TweakableBatchMergeProver
TweakableBatchMergeProver(const std::shared_ptr< ECCOpQueue > &op_queue, size_t max_subtables, FaultMode mode=FaultMode::NONE)
Definition batch_merge.test.cpp:116
bb::crypto::Poseidon2::hash
static FF hash(const std::vector< FF > &input)
Hashes a vector of field elements.
bb::curve::BN254::AffineElement
typename Group::affine_element AffineElement
Definition bn254.hpp:22
bb::curve::BN254::ScalarField
bb::fr ScalarField
Definition bn254.hpp:18
bb::curve::Grumpkin::is_stdlib_type
static constexpr bool is_stdlib_type
Definition grumpkin.hpp:67
bb::stdlib::Proof
A simple wrapper around a vector of stdlib field elements representing a proof.
Definition proof.hpp:19
cdg::StaticAnalyzer_
Definition graph.hpp:80
builder
AluTraceBuilder builder
Definition alu.test.cpp:124
ecc_op_queue.hpp
global_crs.hpp
bb::srs::bb_crs_path
std::filesystem::path bb_crs_path()
Definition global_crs.cpp:14
bb::srs::init_file_crs_factory
void init_file_crs_factory(const std::filesystem::path &path)
Definition global_crs.hpp:14
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
bb::FaultMode::ZK_TABLE_DEGREE_TOO_HIGH
@ ZK_TABLE_DEGREE_TOO_HIGH
bb::TYPED_TEST_SUITE
TYPED_TEST_SUITE(CommitmentKeyTest, Curves)
bb::fr
field< Bn254FrParams > fr
Definition fr.hpp:155
bb::compute_running_hash
bb::fr compute_running_hash(const std::vector< bb::fr > &proof, size_t N)
Definition batch_merge.test.cpp:75
bb::populate_subtable
void populate_subtable(const std::shared_ptr< ECCOpQueue > &op_queue, size_t num_ops)
Definition batch_merge.test.cpp:47
bb::TYPED_TEST
TYPED_TEST(CommitmentKeyTest, CommitToZeroPoly)
Definition commitment_key.test.cpp:217
bb::Curve
curve::Grumpkin Curve
Definition ipa.fuzzer.cpp:19
bb::NativeG1
NativeCurve::AffineElement NativeG1
Definition batch_merge.test.cpp:23
bb::make_op_queue_with_n_subtables
std::shared_ptr< ECCOpQueue > make_op_queue_with_n_subtables(size_t n)
Definition batch_merge.test.cpp:56
bb::TestParams
::testing::Types< TestParam< curve::BN254, 9 >, TestParam< curve::BN254, CHONK_MAX_NUM_CIRCUITS >, TestParam< stdlib::bn254< MegaCircuitBuilder >, 9 >, TestParam< stdlib::bn254< MegaCircuitBuilder >, CHONK_MAX_NUM_CIRCUITS > > TestParams
Definition batch_merge.test.cpp:431
bb::NativeTranscript
BaseTranscript< FrCodec, bb::crypto::Poseidon2< bb::crypto::Poseidon2Bn254ScalarFieldParams > > NativeTranscript
Definition transcript.hpp:502
cdg::MegaStaticAnalyzer
StaticAnalyzer_< bb::fr, bb::MegaCircuitBuilder > MegaStaticAnalyzer
Definition graph.hpp:189
std
STL namespace.
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
std::to_string
std::string to_string(bb::avm2::ValueTag tag)
Definition tagged_value.cpp:402
bb::BuilderTypeHelper< Curve, std::enable_if_t< Curve::is_stdlib_type > >::type
typename Curve::Builder type
Definition batch_merge.test.cpp:34
bb::TestParam::NumSubtables
static constexpr size_t NumSubtables
Definition batch_merge.test.cpp:308
bb::field::invert
constexpr field invert() const noexcept
Definition field_impl.hpp:386
bb::field< Bn254FrParams >::random_element
static field random_element(numeric::RNG *engine=nullptr) noexcept
Definition field_impl.hpp:772