bb::Chonk Class Reference

The IVC scheme used by the aztec client for private function execution. More...

#include <chonk.hpp>

Inheritance diagram for bb::Chonk:

Classes
struct	Proof
	A full proof for the IVC scheme containing a Mega proof showing correctness of the Hiding kernel (which recursive verified the last folding and decider proof) and a Goblin proof (translator VM, ECCVM and last merge proof). More...
struct	StdlibVerifierInputs
struct	VerificationKey
struct	VerifierInputs

Public Types
enum class	QUEUE_TYPE : uint8_t {   OINK , HN , HN_FINAL , HN_TAIL ,   MEGA }
using	Flavor = MegaFlavor
using	MegaVerificationKey = Flavor::VerificationKey
using	MegaZKVerificationKey = MegaZKFlavor::VerificationKey
using	FF = Flavor::FF
using	Commitment = Flavor::Commitment
using	ProverPolynomials = Flavor::ProverPolynomials
using	Point = Flavor::Curve::AffineElement
using	ProverInstance = ProverInstance_< Flavor >
using	DeciderZKProvingKey = ProverInstance_< MegaZKFlavor >
using	VerifierInstance = VerifierInstance_< Flavor >
using	ClientCircuit = MegaCircuitBuilder
using	ECCVMVerificationKey = bb::ECCVMFlavor::VerificationKey
using	TranslatorVerificationKey = bb::TranslatorFlavor::VerificationKey
using	MegaProver = UltraProver_< Flavor >
using	MegaVerifier = UltraVerifier_< Flavor >
using	Transcript = NativeTranscript
using	RecursiveFlavor = MegaRecursiveFlavor_< bb::MegaCircuitBuilder >
using	StdlibFF = RecursiveFlavor::FF
using	RecursiveCommitment = RecursiveFlavor::Commitment
using	RecursiveVerifierInstance = stdlib::recursion::honk::RecursiveVerifierInstance_< RecursiveFlavor >
using	RecursiveVerificationKey = RecursiveFlavor::VerificationKey
using	RecursiveVKAndHash = RecursiveFlavor::VKAndHash
using	RecursiveTranscript = RecursiveFlavor::Transcript
using	PairingPoints = stdlib::recursion::PairingPoints< stdlib::bn254< ClientCircuit > >
using	KernelIO = bb::stdlib::recursion::honk::KernelIO
using	HidingKernelIO = bb::stdlib::recursion::honk::HidingKernelIO< ClientCircuit >
using	AppIO = bb::stdlib::recursion::honk::AppIO
using	StdlibProof = stdlib::Proof< ClientCircuit >
using	WitnessCommitments = RecursiveFlavor::WitnessCommitments
using	DataBusDepot = stdlib::DataBusDepot< ClientCircuit >
using	TableCommitments = std::array< RecursiveFlavor::Commitment, ClientCircuit::NUM_WIRES >
using	FoldingProver = HypernovaFoldingProver
using	FoldingVerifier = HypernovaFoldingVerifier< Flavor >
using	RecursiveFoldingVerifier = HypernovaFoldingVerifier< RecursiveFlavor >
using	DeciderProver = HypernovaDeciderProver
using	RecursiveDeciderVerifier = HypernovaDeciderVerifier< RecursiveFlavor >
using	ProverAccumulator = FoldingProver::Accumulator
using	VerifierAccumulator = FoldingVerifier::Accumulator
using	RecursiveVerifierAccumulator = RecursiveFoldingVerifier::Accumulator
using	VerificationQueue = std::deque< VerifierInputs >
using	StdlibVerificationQueue = std::deque< StdlibVerifierInputs >
Public Types inherited from bb::IVCBase
using	ClientCircuit = MegaCircuitBuilder
using	MegaVerificationKey = MegaFlavor::VerificationKey

Public Member Functions
size_t	get_num_circuits () const
Goblin &	get_goblin () override
const Goblin &	get_goblin () const override
	Chonk (size_t num_circuits)
void	instantiate_stdlib_verification_queue (ClientCircuit &circuit, const std::vector< std::shared_ptr< RecursiveVKAndHash > > &input_keys={})
	Instantiate a stdlib verification queue for use in the kernel completion logic.
std::tuple< std::optional< RecursiveVerifierAccumulator >, std::vector< PairingPoints >, TableCommitments >	perform_recursive_verification_and_databus_consistency_checks (ClientCircuit &circuit, const StdlibVerifierInputs &verifier_inputs, const std::optional< RecursiveVerifierAccumulator > &input_verifier_accumulator, const TableCommitments &T_prev_commitments, const std::shared_ptr< RecursiveTranscript > &accumulation_recursive_transcript)
	Populate the provided circuit with constraints for (1) recursive verification of the provided accumulation proof and (2) the associated databus commitment consistency checks.
void	complete_kernel_circuit_logic (ClientCircuit &circuit)
	Append logic to complete a kernel circuit.
void	accumulate (ClientCircuit &circuit, const std::shared_ptr< MegaVerificationKey > &precomputed_vk) override
	Perform prover work for accumulation (e.g. HN folding, merge proving)
Proof	prove ()
	Construct a proof for the IVC, which, if verified, fully establishes its correctness.
VerificationKey	get_vk () const
Public Member Functions inherited from bb::IVCBase
virtual	~IVCBase ()=default

Static Public Member Functions
static void	hide_op_queue_accumulation_result (ClientCircuit &circuit)
	Add a hiding op with fully random Px, Py field elements to prevent information leakage in Translator proof.
static void	hide_op_queue_content_in_tail (ClientCircuit &circuit)
	Adds three random non-ops to the tail kernel for zero-knowledge.
static void	hide_op_queue_content_in_hiding (ClientCircuit &circuit)
	Adds two random non-ops to the hiding kernel for zero-knowledge.
static bool	verify (const Proof &proof, const VerificationKey &vk)

Public Attributes
size_t	num_circuits_accumulated = 0
ProverAccumulator	prover_accumulator
HonkProof	decider_proof
VerifierAccumulator	recursive_verifier_native_accum
VerifierAccumulator	native_verifier_accum
FF	native_verifier_accum_hash
VerificationQueue	verification_queue
StdlibVerificationQueue	stdlib_verification_queue
DataBusDepot	bus_depot
MegaFlavor::CommitmentKey	bn254_commitment_key
Goblin	goblin

Private Member Functions
void	update_native_verifier_accumulator (const VerifierInputs &queue_entry, const std::shared_ptr< Transcript > &verifier_transcript)
	Update native verifier accumulator. Useful for debugging.
void	debug_incoming_circuit (ClientCircuit &circuit, const std::shared_ptr< ProverInstance > &prover_instance, const std::shared_ptr< MegaVerificationKey > &precomputed_vk)
HonkProof	construct_honk_proof_for_hiding_kernel (ClientCircuit &circuit, const std::shared_ptr< MegaVerificationKey > &verification_key)
	Construct a zero-knowledge proof for the Hiding kernel, which recursively verifies the last folding, merge and decider proof.
QUEUE_TYPE	get_queue_type () const
	Get queue type for the proof of a circuit about to be accumulated based on num circuits accumulated so far.

Private Attributes
std::shared_ptr< Transcript >	transcript = std::make_shared<Transcript>()
std::shared_ptr< Transcript >	prover_accumulation_transcript = std::make_shared<Transcript>()
size_t	num_circuits

Additional Inherited Members
Protected Member Functions inherited from bb::IVCBase
	IVCBase ()=default

Detailed Description

The IVC scheme used by the aztec client for private function execution.

Combines HyperNova with Goblin to accumulate one circuit at a time with efficient EC group operations. It is assumed that the circuits being accumulated correspond alternatingly to an app and a kernel, as is the case in Aztec. Two recursive folding verifiers are appended to each kernel (except the first one) to verify the folding of a previous kernel and an app/function circuit. Due to this structure it is enforced that the total number of circuits being accumulated is even.

Definition at line 38 of file chonk.hpp.

Member Typedef Documentation

AppIO

using bb::Chonk::AppIO = bb::stdlib::recursion::honk::AppIO

Definition at line 69 of file chonk.hpp.

ClientCircuit

using bb::Chonk::ClientCircuit = MegaCircuitBuilder

Definition at line 52 of file chonk.hpp.

Commitment

using bb::Chonk::Commitment = Flavor::Commitment

Definition at line 46 of file chonk.hpp.

DataBusDepot

using bb::Chonk::DataBusDepot = stdlib::DataBusDepot<ClientCircuit>

Definition at line 72 of file chonk.hpp.

DeciderProver

using bb::Chonk::DeciderProver = HypernovaDeciderProver

Definition at line 78 of file chonk.hpp.

DeciderZKProvingKey

using bb::Chonk::DeciderZKProvingKey = ProverInstance_<MegaZKFlavor>

Definition at line 50 of file chonk.hpp.

ECCVMVerificationKey

using bb::Chonk::ECCVMVerificationKey = bb::ECCVMFlavor::VerificationKey

Definition at line 53 of file chonk.hpp.

FF

using bb::Chonk::FF = Flavor::FF

Definition at line 45 of file chonk.hpp.

Flavor

using bb::Chonk::Flavor = MegaFlavor

Definition at line 42 of file chonk.hpp.

FoldingProver

using bb::Chonk::FoldingProver = HypernovaFoldingProver

Definition at line 75 of file chonk.hpp.

FoldingVerifier

using bb::Chonk::FoldingVerifier = HypernovaFoldingVerifier<Flavor>

Definition at line 76 of file chonk.hpp.

HidingKernelIO

using bb::Chonk::HidingKernelIO = bb::stdlib::recursion::honk::HidingKernelIO<ClientCircuit>

Definition at line 68 of file chonk.hpp.

KernelIO

using bb::Chonk::KernelIO = bb::stdlib::recursion::honk::KernelIO

Definition at line 67 of file chonk.hpp.

MegaProver

using bb::Chonk::MegaProver = UltraProver_<Flavor>

Definition at line 55 of file chonk.hpp.

MegaVerificationKey

using bb::Chonk::MegaVerificationKey = Flavor::VerificationKey

Definition at line 43 of file chonk.hpp.

MegaVerifier

using bb::Chonk::MegaVerifier = UltraVerifier_<Flavor>

Definition at line 56 of file chonk.hpp.

MegaZKVerificationKey

using bb::Chonk::MegaZKVerificationKey = MegaZKFlavor::VerificationKey

Definition at line 44 of file chonk.hpp.

PairingPoints

using bb::Chonk::PairingPoints = stdlib::recursion::PairingPoints<stdlib::bn254<ClientCircuit> >

Definition at line 66 of file chonk.hpp.

Point

using bb::Chonk::Point = Flavor::Curve::AffineElement

Definition at line 48 of file chonk.hpp.

ProverAccumulator

using bb::Chonk::ProverAccumulator = FoldingProver::Accumulator

Definition at line 80 of file chonk.hpp.

ProverInstance

using bb::Chonk::ProverInstance = ProverInstance_<Flavor>

Definition at line 49 of file chonk.hpp.

ProverPolynomials

using bb::Chonk::ProverPolynomials = Flavor::ProverPolynomials

Definition at line 47 of file chonk.hpp.

RecursiveCommitment

using bb::Chonk::RecursiveCommitment = RecursiveFlavor::Commitment

Definition at line 61 of file chonk.hpp.

RecursiveDeciderVerifier

using bb::Chonk::RecursiveDeciderVerifier = HypernovaDeciderVerifier<RecursiveFlavor>

Definition at line 79 of file chonk.hpp.

RecursiveFlavor

using bb::Chonk::RecursiveFlavor = MegaRecursiveFlavor_<bb::MegaCircuitBuilder>

Definition at line 59 of file chonk.hpp.

RecursiveFoldingVerifier

using bb::Chonk::RecursiveFoldingVerifier = HypernovaFoldingVerifier<RecursiveFlavor>

Definition at line 77 of file chonk.hpp.

RecursiveTranscript

using bb::Chonk::RecursiveTranscript = RecursiveFlavor::Transcript

Definition at line 65 of file chonk.hpp.

RecursiveVerificationKey

using bb::Chonk::RecursiveVerificationKey = RecursiveFlavor::VerificationKey

Definition at line 63 of file chonk.hpp.

RecursiveVerifierAccumulator

using bb::Chonk::RecursiveVerifierAccumulator = RecursiveFoldingVerifier::Accumulator

Definition at line 82 of file chonk.hpp.

RecursiveVerifierInstance

using bb::Chonk::RecursiveVerifierInstance = stdlib::recursion::honk::RecursiveVerifierInstance_<RecursiveFlavor>

Definition at line 62 of file chonk.hpp.

RecursiveVKAndHash

using bb::Chonk::RecursiveVKAndHash = RecursiveFlavor::VKAndHash

Definition at line 64 of file chonk.hpp.

StdlibFF

using bb::Chonk::StdlibFF = RecursiveFlavor::FF

Definition at line 60 of file chonk.hpp.

StdlibProof

using bb::Chonk::StdlibProof = stdlib::Proof<ClientCircuit>

Definition at line 70 of file chonk.hpp.

StdlibVerificationQueue

using bb::Chonk::StdlibVerificationQueue = std::deque<StdlibVerifierInputs>

Definition at line 249 of file chonk.hpp.

TableCommitments

using bb::Chonk::TableCommitments = std::array<RecursiveFlavor::Commitment, ClientCircuit::NUM_WIRES>

Definition at line 73 of file chonk.hpp.

Transcript

using bb::Chonk::Transcript = NativeTranscript

Definition at line 57 of file chonk.hpp.

TranslatorVerificationKey

using bb::Chonk::TranslatorVerificationKey = bb::TranslatorFlavor::VerificationKey

Definition at line 54 of file chonk.hpp.

VerificationQueue

using bb::Chonk::VerificationQueue = std::deque<VerifierInputs>

Definition at line 240 of file chonk.hpp.

VerifierAccumulator

using bb::Chonk::VerifierAccumulator = FoldingVerifier::Accumulator

Definition at line 81 of file chonk.hpp.

VerifierInstance

using bb::Chonk::VerifierInstance = VerifierInstance_<Flavor>

Definition at line 51 of file chonk.hpp.

WitnessCommitments

using bb::Chonk::WitnessCommitments = RecursiveFlavor::WitnessCommitments

Definition at line 71 of file chonk.hpp.

Member Enumeration Documentation

QUEUE_TYPE

enum class bb::Chonk::QUEUE_TYPE : uint8_t

strong

Enumerator
OINK
HN
HN_FINAL
HN_TAIL
MEGA

Definition at line 225 of file chonk.hpp.

Constructor & Destructor Documentation

Chonk()

bb::Chonk::Chonk

(

size_t

num_circuits

)

Definition at line 21 of file chonk.cpp.

Member Function Documentation

accumulate()

void bb::Chonk::accumulate ( ClientCircuit &  circuit, const std::shared_ptr< MegaVerificationKey > &  precomputed_vk  )

overridevirtual

Perform prover work for accumulation (e.g. HN folding, merge proving)

Execute prover work for accumulation.

Parameters

circuit	The incoming statement
precomputed_vk	The verification key of the incoming statement OR a mocked key whose metadata needs to be set using the proving key produced from circuit in order to pass some assertions in the Oink prover.
mock_vk	A boolean to say whether the precomputed vk should have its metadata set.

Construct an prover instance for the provided circuit. If this is the first step in the IVC, simply initialize the folding accumulator. Otherwise, execute the HN prover to fold the prover instance into the accumulator and produce a folding proof. Also execute the merge protocol to produce a merge proof.

Parameters

circuit	this case, just produce a Honk proof for that circuit and do no folding.
precomputed_vk

Implements bb::IVCBase.

Definition at line 361 of file chonk.cpp.

complete_kernel_circuit_logic()

void bb::Chonk::complete_kernel_circuit_logic

(

ClientCircuit &

circuit

)

Append logic to complete a kernel circuit.

A kernel circuit may contain some combination of HN recursive verification, merge recursive verification, and databus commitment consistency checks. This method appends this logic to a provided kernel circuit.

Parameters

circuit

Definition at line 221 of file chonk.cpp.

construct_honk_proof_for_hiding_kernel()

HonkProof bb::Chonk::construct_honk_proof_for_hiding_kernel ( ClientCircuit &  circuit, const std::shared_ptr< MegaVerificationKey > &  verification_key  )

private

Construct a zero-knowledge proof for the Hiding kernel, which recursively verifies the last folding, merge and decider proof.

Definition at line 494 of file chonk.cpp.

debug_incoming_circuit()

void bb::Chonk::debug_incoming_circuit ( ClientCircuit &  circuit, const std::shared_ptr< ProverInstance > &  prover_instance, const std::shared_ptr< MegaVerificationKey > &  precomputed_vk  )

private

Definition at line 727 of file chonk.cpp.

get_goblin() [1/2]

const Goblin & bb::Chonk::get_goblin ( ) const

inlineoverridevirtual

Implements bb::IVCBase.

Definition at line 288 of file chonk.hpp.

get_goblin() [2/2]

Goblin & bb::Chonk::get_goblin ( )

inlineoverridevirtual

Implements bb::IVCBase.

Definition at line 287 of file chonk.hpp.

get_num_circuits()

size_t bb::Chonk::get_num_circuits ( ) const

inline

Definition at line 284 of file chonk.hpp.

get_queue_type()

Chonk::QUEUE_TYPE bb::Chonk::get_queue_type ( ) const

private

Get queue type for the proof of a circuit about to be accumulated based on num circuits accumulated so far.

Definition at line 326 of file chonk.cpp.

get_vk()

Chonk::VerificationKey bb::Chonk::get_vk

(

)

const

Definition at line 674 of file chonk.cpp.

hide_op_queue_accumulation_result()

void bb::Chonk::hide_op_queue_accumulation_result ( ClientCircuit &  circuit )

static

Add a hiding op with fully random Px, Py field elements to prevent information leakage in Translator proof.

The Translator circuit builder evaluates a batched polynomial (representing the four op queue polynomials in UltraOp format) at a random challenge x. This evaluation result (called accumulated_result in translator) is included in the translator proof and verified against the equivalent computation performed by ECCVM (in verify_translation, establishing equivalence between ECCVM and UltraOp format).

Definition at line 460 of file chonk.cpp.

hide_op_queue_content_in_hiding()

void bb::Chonk::hide_op_queue_content_in_hiding ( ClientCircuit &  circuit )

static

Adds two random non-ops to the hiding kernel for zero-knowledge.

See MERGE_PROTOCOL.md (ZK Considerations) for detailed analysis.

Definition at line 484 of file chonk.cpp.

hide_op_queue_content_in_tail()

void bb::Chonk::hide_op_queue_content_in_tail ( ClientCircuit &  circuit )

static

Adds three random non-ops to the tail kernel for zero-knowledge.

See MERGE_PROTOCOL.md (ZK Considerations) for detailed analysis.

Definition at line 472 of file chonk.cpp.

instantiate_stdlib_verification_queue()

void bb::Chonk::instantiate_stdlib_verification_queue	(	ClientCircuit &	circuit,
		const std::vector< std::shared_ptr< RecursiveVKAndHash > > &	input_keys = {}
	)

Instantiate a stdlib verification queue for use in the kernel completion logic.

Construct a stdlib proof/verification_key for each entry in the native verification queue. By default, both are constructed from their counterpart in the native queue. Alternatively, Stdlib verification keys can be provided directly as input to this method. (The later option is used, for example, when constructing recursive verifiers based on the verification key witnesses from an acir recursion constraint. This option is not provided for proofs since valid proof witnesses are in general not known at the time of acir constraint generation).

Parameters

circuit

Definition at line 43 of file chonk.cpp.

perform_recursive_verification_and_databus_consistency_checks()

std::tuple< std::optional< Chonk::RecursiveVerifierAccumulator >, std::vector< Chonk::PairingPoints >, Chonk::TableCommitments > bb::Chonk::perform_recursive_verification_and_databus_consistency_checks	(	ClientCircuit &	circuit,
		const StdlibVerifierInputs &	verifier_inputs,
		const std::optional< RecursiveVerifierAccumulator > &	input_verifier_accumulator,
		const TableCommitments &	T_prev_commitments,
		const std::shared_ptr< RecursiveTranscript > &	accumulation_recursive_transcript
	)

Populate the provided circuit with constraints for (1) recursive verification of the provided accumulation proof and (2) the associated databus commitment consistency checks.

The recursive verifier will be either Oink or Hypernova depending on the specified proof type. In either case, the verifier accumulator is updated in place via the verification algorithm. Databus commitment consistency checks are performed on the witness commitments and public inputs extracted from the proof by the verifier. Merge verification is performed with commitments to the subtable t_j extracted from the HN verifier. The computed commitment T is propagated to the next step of recursive verification.

Parameters

circuit
verifier_inputs	{proof, vkey, type (Oink/HN)} A set of inputs for recursive verification
merge_commitments	Container for the commitments for the Merge recursive verification to be performed
accumulation_recursive_transcript	Transcript shared across recursive verification of the folding of K_{i-1} (kernel), A_{i,1} (app), .., A_{i, n} (app)

Returns

Triple of output verifier accumulator, PairingPoints for final verification and commitments to the merged tables as read from the proof by the Merge verifier

Definition at line 96 of file chonk.cpp.

prove()

Chonk::Proof bb::Chonk::prove

(

)

Construct a proof for the IVC, which, if verified, fully establishes its correctness.

Returns

Proof

Definition at line 511 of file chonk.cpp.

update_native_verifier_accumulator()

void bb::Chonk::update_native_verifier_accumulator ( const VerifierInputs &  queue_entry, const std::shared_ptr< Transcript > &  verifier_transcript  )

private

Update native verifier accumulator. Useful for debugging.

Parameters

queue_entry	The verifier inputs from the queue.
verifier_transcript	Verifier transcript corresponding to the prover transcript.

Definition at line 685 of file chonk.cpp.

verify()

bool bb::Chonk::verify ( const Proof &  proof, const VerificationKey &  vk  )

static

Definition at line 528 of file chonk.cpp.

Member Data Documentation

bn254_commitment_key

MegaFlavor::CommitmentKey bb::Chonk::bn254_commitment_key

Definition at line 280 of file chonk.hpp.

bus_depot

DataBusDepot bb::Chonk::bus_depot

Definition at line 278 of file chonk.hpp.

decider_proof

HonkProof bb::Chonk::decider_proof

Definition at line 264 of file chonk.hpp.

goblin

Goblin bb::Chonk::goblin

Definition at line 282 of file chonk.hpp.

native_verifier_accum

VerifierAccumulator bb::Chonk::native_verifier_accum

Definition at line 268 of file chonk.hpp.

native_verifier_accum_hash

FF bb::Chonk::native_verifier_accum_hash

Definition at line 269 of file chonk.hpp.

num_circuits

size_t bb::Chonk::num_circuits

private

Definition at line 258 of file chonk.hpp.

num_circuits_accumulated

size_t bb::Chonk::num_circuits_accumulated = 0

Definition at line 260 of file chonk.hpp.

prover_accumulation_transcript

std::shared_ptr<Transcript> bb::Chonk::prover_accumulation_transcript = std::make_shared<Transcript>()

private

Definition at line 256 of file chonk.hpp.

prover_accumulator

ProverAccumulator bb::Chonk::prover_accumulator

Definition at line 262 of file chonk.hpp.

recursive_verifier_native_accum

VerifierAccumulator bb::Chonk::recursive_verifier_native_accum

Definition at line 266 of file chonk.hpp.

stdlib_verification_queue

StdlibVerificationQueue bb::Chonk::stdlib_verification_queue

Definition at line 275 of file chonk.hpp.

transcript

std::shared_ptr<Transcript> bb::Chonk::transcript = std::make_shared<Transcript>()

private

Definition at line 253 of file chonk.hpp.

verification_queue

VerificationQueue bb::Chonk::verification_queue

Definition at line 273 of file chonk.hpp.

---

The documentation for this class was generated from the following files:

• src/barretenberg/chonk/chonk.hpp
• src/barretenberg/chonk/chonk.cpp