Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
eccvm_recursive_verifier.test.cpp
Go to the documentation of this file.
1#include "barretenberg/circuit_checker/circuit_checker.hpp"
2#include "barretenberg/commitment_schemes/commitment_key.test.hpp"
3#include "barretenberg/commitment_schemes/ipa/ipa.hpp"
4#include "barretenberg/eccvm/eccvm_flavor.hpp"
5#include "barretenberg/eccvm/eccvm_prover.hpp"
6#include "barretenberg/eccvm/eccvm_verifier.hpp"
7#include "barretenberg/stdlib/honk_verifier/ultra_verification_keys_comparator.hpp"
8#include "barretenberg/stdlib/primitives/pairing_points.hpp"
9#include "barretenberg/stdlib/special_public_inputs/special_public_inputs.hpp"
10#include "barretenberg/stdlib/test_utils/tamper_proof.hpp"
11#include "barretenberg/ultra_honk/ultra_prover.hpp"
12#include "barretenberg/ultra_honk/ultra_verifier.hpp"
13
14#include <gtest/gtest.h>
15
16namespace {
17auto& engine = bb::numeric::get_debug_randomness();
18}
19namespace bb {
20class ECCVMRecursiveTests : public ::testing::Test {
21 public:
22 using RecursiveFlavor = ECCVMRecursiveFlavor;
23 using InnerFlavor = RecursiveFlavor::NativeFlavor;
24 using InnerBuilder = InnerFlavor::CircuitBuilder;
25 using InnerProver = ECCVMProver;
26 using InnerVerifier = ECCVMVerifier;
27 using InnerG1 = InnerFlavor::Commitment;
28 using InnerFF = InnerFlavor::FF;
29 using InnerBF = InnerFlavor::BF;
30 using InnerPK = InnerFlavor::ProvingKey;
31 using InnerVK = InnerFlavor::VerificationKey;
32
33 using Transcript = InnerFlavor::Transcript;
34 using StdlibTranscript = RecursiveFlavor::Transcript;
35
36 using RecursiveVerifier = ECCVMRecursiveVerifier;
37
38 using OuterBuilder = RecursiveFlavor::CircuitBuilder;
39 using OuterFlavor = std::conditional_t<IsMegaBuilder<OuterBuilder>, MegaFlavor, UltraFlavor>;
40 using OuterProver = UltraProver_<OuterFlavor>;
41 using OuterVerifier = UltraVerifier_<OuterFlavor>;
42 using OuterProverInstance = ProverInstance_<OuterFlavor>;
43 static void SetUpTestSuite() { bb::srs::init_file_crs_factory(bb::srs::bb_crs_path()); }
44
51 static InnerBuilder generate_circuit(numeric::RNG* engine = nullptr, const size_t num_iterations = 1)
52 {
53 using Curve = curve::BN254;
54 using G1 = Curve::Element;
55 using Fr = Curve::ScalarField;
56 using Fq = curve::Grumpkin::ScalarField;
57
58 std::shared_ptr<ECCOpQueue> op_queue = std::make_shared<ECCOpQueue>();
59 G1 a = G1::random_element(engine);
60 G1 b = G1::random_element(engine);
61 G1 c = G1::random_element(engine);
62 Fr x = Fr::random_element(engine);
63 Fr y = Fr::random_element(engine);
64 for (size_t idx = 0; idx < num_iterations; idx++) {
65 op_queue->add_accumulate(a);
66 op_queue->mul_accumulate(a, x);
67 op_queue->mul_accumulate(b, x);
68 op_queue->mul_accumulate(b, y);
69 op_queue->add_accumulate(a);
70 op_queue->mul_accumulate(b, x);
71 op_queue->eq_and_reset();
72 op_queue->add_accumulate(c);
73 op_queue->mul_accumulate(a, x);
74 op_queue->mul_accumulate(b, x);
75 op_queue->eq_and_reset();
76 op_queue->mul_accumulate(a, x);
77 op_queue->mul_accumulate(b, x);
78 op_queue->mul_accumulate(c, x);
79 op_queue->merge();
80 }
81 // Set hiding op for ECCVM ZK (required before ECCVMCircuitBuilder construction)
82 op_queue->append_hiding_op(Fq::random_element(engine), Fq::random_element(engine));
83 InnerBuilder builder{ op_queue };
84 return builder;
85 }
86
87 static void test_recursive_verification()
88 {
89 InnerBuilder builder = generate_circuit(&engine);
90 std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();
91 InnerProver prover(builder, prover_transcript);
92 auto [proof, opening_claim] = prover.construct_proof();
93
94 // Compute IPA proof
95 auto ipa_transcript = std::make_shared<Transcript>();
96 ECCVMFlavor::PCS::compute_opening_proof(prover.key->commitment_key, opening_claim, ipa_transcript);
97 HonkProof ipa_proof = ipa_transcript->export_proof();
98
99 auto verification_key = std::make_shared<InnerFlavor::VerificationKey>(prover.key);
100
101 info("ECCVM Recursive Verifier");
102 OuterBuilder outer_circuit;
103 auto stdlib_proof = stdlib::Proof<OuterBuilder>(outer_circuit, proof);
104 std::shared_ptr<StdlibTranscript> stdlib_verifier_transcript = std::make_shared<StdlibTranscript>();
105 RecursiveVerifier verifier{ stdlib_verifier_transcript, stdlib_proof };
106 verifier.transcript->enable_manifest();
107 [[maybe_unused]] auto recursive_opening_claim = verifier.verify_proof();
108 stdlib::recursion::honk::DefaultIO<OuterBuilder>::add_default(outer_circuit);
109
110 info("Recursive Verifier: num gates = ", outer_circuit.get_num_finalized_gates_inefficient());
111
112 // Check for a failure flag in the recursive verifier circuit
113 EXPECT_EQ(outer_circuit.failed(), false) << outer_circuit.err();
114
115 bool result = CircuitChecker::check(outer_circuit);
116 EXPECT_TRUE(result);
117
118 std::shared_ptr<Transcript> verifier_transcript = std::make_shared<Transcript>();
119 InnerVerifier native_verifier(verifier_transcript, proof);
120 native_verifier.transcript->enable_manifest();
121 auto native_opening_claim = native_verifier.verify_proof();
122
123 // Verify IPA
124 auto ipa_verify_transcript = std::make_shared<Transcript>();
125 ipa_verify_transcript->load_proof(ipa_proof);
126 bool ipa_verified = ECCVMFlavor::PCS::reduce_verify(
127 native_verifier.key->pcs_verification_key, native_opening_claim, ipa_verify_transcript);
128 bool native_result = ipa_verified && native_verifier.sumcheck_verified && native_verifier.consistency_checked &&
129 native_verifier.translation_masking_consistency_checked;
130 EXPECT_TRUE(native_result);
131 auto recursive_manifest = verifier.transcript->get_manifest();
132 auto native_manifest = native_verifier.transcript->get_manifest();
133
134 ASSERT_GT(recursive_manifest.size(), 0);
135 for (size_t i = 0; i < recursive_manifest.size(); ++i) {
136 EXPECT_EQ(recursive_manifest[i], native_manifest[i])
137 << "Recursive Verifier/Verifier manifest discrepency in round " << i;
138 }
139
140 // Ensure verification key is the same
141 EXPECT_EQ(static_cast<uint64_t>(verifier.key->log_circuit_size.get_value()),
142 verification_key->log_circuit_size);
143 EXPECT_EQ(static_cast<uint64_t>(verifier.key->num_public_inputs.get_value()),
144 verification_key->num_public_inputs);
145 for (auto [vk_poly, native_vk_poly] : zip_view(verifier.key->get_all(), verification_key->get_all())) {
146 EXPECT_EQ(vk_poly.get_value(), native_vk_poly);
147 }
148
149 // Construct a full proof from the recursive verifier circuit
150 {
151 auto prover_instance = std::make_shared<OuterProverInstance>(outer_circuit);
152 auto verification_key = std::make_shared<OuterFlavor::VerificationKey>(prover_instance->get_precomputed());
153 OuterProver prover(prover_instance, verification_key);
154 OuterVerifier verifier(verification_key);
155 auto proof = prover.construct_proof();
156 bool verified = verifier.template verify_proof<DefaultIO>(proof).result;
157
158 ASSERT_TRUE(verified);
159 }
160
161 // Check that the size of the recursive verifier is consistent with historical expectation
162 uint32_t NUM_GATES_EXPECTED = 215193;
163 ASSERT_EQ(static_cast<uint32_t>(outer_circuit.get_num_finalized_gates()), NUM_GATES_EXPECTED)
164 << "Ultra-arithmetized ECCVM Recursive verifier gate count changed! Update this value if you are sure this "
165 "is expected.";
166 }
167
168 static void test_recursive_verification_failure()
169 {
170 InnerBuilder builder = generate_circuit(&engine);
171 builder.op_queue->add_erroneous_equality_op_for_testing();
172 builder.op_queue->merge();
173 std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();
174 InnerProver prover(builder, prover_transcript);
175 auto [proof, opening_claim] = prover.construct_proof();
176
177 // Compute IPA proof
178 auto ipa_transcript = std::make_shared<Transcript>();
179 ECCVMFlavor::PCS::compute_opening_proof(prover.key->commitment_key, opening_claim, ipa_transcript);
180 HonkProof ipa_proof = ipa_transcript->export_proof();
181
182 auto verification_key = std::make_shared<InnerFlavor::VerificationKey>(prover.key);
183
184 OuterBuilder outer_circuit;
185 auto stdlib_proof = stdlib::Proof<OuterBuilder>(outer_circuit, proof);
186
187 std::shared_ptr<StdlibTranscript> stdlib_verifier_transcript = std::make_shared<StdlibTranscript>();
188 RecursiveVerifier verifier{ stdlib_verifier_transcript, stdlib_proof };
189 [[maybe_unused]] auto output = verifier.verify_proof();
190 stdlib::recursion::honk::DefaultIO<OuterBuilder>::add_default(outer_circuit);
191 info("Recursive Verifier: estimated num finalized gates = ",
192 outer_circuit.get_num_finalized_gates_inefficient());
193
194 // Check for a failure flag in the recursive verifier circuit
195 EXPECT_FALSE(CircuitChecker::check(outer_circuit));
196 }
197
198 static void test_recursive_verification_failure_tampered_proof()
199 {
200 for (size_t idx = 0; idx < 2; idx++) {
201 InnerBuilder builder = generate_circuit(&engine);
202 std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();
203 InnerProver prover(builder, prover_transcript);
204 auto [proof, opening_claim] = prover.construct_proof();
205
206 // Compute IPA proof
207 auto ipa_transcript_prover = std::make_shared<Transcript>();
208 ECCVMFlavor::PCS::compute_opening_proof(prover.key->commitment_key, opening_claim, ipa_transcript_prover);
209 HonkProof ipa_proof_native = ipa_transcript_prover->export_proof();
210
211 // Tamper with the proof to be verified
212 tamper_with_proof<InnerProver, InnerFlavor>(proof, static_cast<bool>(idx));
213
214 OuterBuilder outer_circuit;
215 auto stdlib_proof = stdlib::Proof<OuterBuilder>(outer_circuit, proof);
216 std::shared_ptr<StdlibTranscript> stdlib_verifier_transcript = std::make_shared<StdlibTranscript>();
217 RecursiveVerifier verifier{ stdlib_verifier_transcript, stdlib_proof };
218 auto recursive_opening_claim = verifier.verify_proof();
219 stdlib::recursion::honk::DefaultIO<OuterBuilder>::add_default(outer_circuit);
220
221 if (idx == 0) {
222 // In this case, we changed the first non-zero value in the proof. It leads to a circuit check failure.
223 EXPECT_FALSE(CircuitChecker::check(outer_circuit));
224 } else {
225 // Changing the last commitment in the `proof_data` would not result in a circuit check failure at
226 // this stage.
227 EXPECT_TRUE(CircuitChecker::check(outer_circuit));
228
229 // However, IPA recursive verifier must fail, as one of the commitments is incorrect.
230 VerifierCommitmentKey<InnerFlavor::Curve> native_pcs_vk(1UL << CONST_ECCVM_LOG_N);
231 VerifierCommitmentKey<stdlib::grumpkin<OuterBuilder>> stdlib_pcs_vkey(
232 &outer_circuit, 1UL << CONST_ECCVM_LOG_N, native_pcs_vk);
233
234 // Construct ipa_transcript from proof
235 auto stdlib_ipa_proof = stdlib::Proof<OuterBuilder>(outer_circuit, ipa_proof_native);
236 std::shared_ptr<StdlibTranscript> ipa_transcript = std::make_shared<StdlibTranscript>(stdlib_ipa_proof);
237 EXPECT_FALSE(IPA<RecursiveFlavor::Curve>::full_verify_recursive(
238 stdlib_pcs_vkey, recursive_opening_claim, ipa_transcript));
239 }
240 }
241 }
242
243 static void test_independent_vk_hash()
244 {
245
246 // Retrieves the trace blocks (each consisting of a specific gate) from the recursive verifier circuit
247 auto get_blocks = [](size_t inner_size)
248 -> std::tuple<OuterBuilder::ExecutionTrace, std::shared_ptr<OuterFlavor::VerificationKey>> {
249 auto inner_circuit = generate_circuit(&engine, inner_size);
250 std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();
251 InnerProver inner_prover(inner_circuit, prover_transcript);
252
253 auto [proof, opening_claim] = inner_prover.construct_proof();
254
255 // Compute IPA proof
256 auto ipa_transcript = std::make_shared<Transcript>();
257 ECCVMFlavor::PCS::compute_opening_proof(inner_prover.key->commitment_key, opening_claim, ipa_transcript);
258 HonkProof ipa_proof = ipa_transcript->export_proof();
259
260 // Create a recursive verification circuit for the proof of the inner circuit
261 OuterBuilder outer_circuit;
262 auto stdlib_proof = stdlib::Proof<OuterBuilder>(outer_circuit, proof);
263
264 std::shared_ptr<StdlibTranscript> stdlib_verifier_transcript = std::make_shared<StdlibTranscript>();
265 RecursiveVerifier verifier{ stdlib_verifier_transcript, stdlib_proof };
266
267 [[maybe_unused]] auto recursive_opening_claim = verifier.verify_proof();
268 stdlib::recursion::honk::DefaultIO<OuterBuilder>::add_default(outer_circuit);
269
270 auto outer_proving_key = std::make_shared<OuterProverInstance>(outer_circuit);
271 auto outer_verification_key =
272 std::make_shared<OuterFlavor::VerificationKey>(outer_proving_key->get_precomputed());
273
274 return { outer_circuit.blocks, outer_verification_key };
275 };
276
277 auto [blocks_20, verification_key_20] = get_blocks(20);
278 auto [blocks_40, verification_key_40] = get_blocks(40);
279
280 compare_ultra_blocks_and_verification_keys<OuterFlavor>({ blocks_20, blocks_40 },
281 { verification_key_20, verification_key_40 });
282 };
283};
284
289
290TEST_F(ECCVMRecursiveTests, SingleRecursiveVerificationFailure)
291{
292 ECCVMRecursiveTests::test_recursive_verification_failure();
293};
294
295TEST_F(ECCVMRecursiveTests, SingleRecursiveVerificationFailureTamperedProof)
296{
297 BB_DISABLE_ASSERTS(); // Avoid on_curve assertion failure in cycle_group constructor
298 ECCVMRecursiveTests::test_recursive_verification_failure_tampered_proof();
299};
300
305} // namespace bb
BB_DISABLE_ASSERTS
#define BB_DISABLE_ASSERTS()
Definition assert.hpp:32
circuit_checker.hpp
bb::BaseTranscript
Common transcript class for both parties. Stores the data for the current round, as well as the manif...
Definition transcript.hpp:41
bb::CircuitBuilderBase::err
const std::string & err() const
Definition circuit_builder_base_impl.hpp:173
bb::ECCVMFlavor::ProvingKey
The proving key is responsible for storing the polynomials used by the prover.
Definition eccvm_flavor.hpp:792
bb::ECCVMFlavor::VerificationKey
The verification key is responsible for storing the commitments to the precomputed (non-witnessk) pol...
Definition eccvm_flavor.hpp:818
bb::ECCVMFlavor::FF
typename Curve::ScalarField FF
Definition eccvm_flavor.hpp:42
bb::ECCVMFlavor::CircuitBuilder
ECCVMCircuitBuilder CircuitBuilder
Definition eccvm_flavor.hpp:37
bb::ECCVMFlavor::Commitment
typename G1::affine_element Commitment
Definition eccvm_flavor.hpp:46
bb::ECCVMFlavor::BF
typename Curve::BaseField BF
Definition eccvm_flavor.hpp:43
bb::ECCVMFlavor::Transcript
NativeTranscript Transcript
Definition eccvm_flavor.hpp:50
bb::ECCVMProver::construct_proof
std::pair< Proof, OpeningClaim > construct_proof()
Definition eccvm_prover.cpp:197
bb::ECCVMProver::key
std::shared_ptr< ProvingKey > key
Definition eccvm_prover.hpp:74
bb::ECCVMRecursiveFlavor::Transcript
StdlibTranscript< CircuitBuilder > Transcript
Definition eccvm_recursive_flavor.hpp:142
bb::ECCVMRecursiveTests::generate_circuit
static InnerBuilder generate_circuit(numeric::RNG *engine=nullptr, const size_t num_iterations=1)
Adds operations in BN254 to the op_queue and then constructs and ECCVM circuit from the op_queue.
Definition eccvm_recursive_verifier.test.cpp:51
bb::ECCVMRecursiveTests::test_recursive_verification_failure_tampered_proof
static void test_recursive_verification_failure_tampered_proof()
Definition eccvm_recursive_verifier.test.cpp:198
bb::ECCVMRecursiveTests::OuterFlavor
std::conditional_t< IsMegaBuilder< OuterBuilder >, MegaFlavor, UltraFlavor > OuterFlavor
Definition eccvm_recursive_verifier.test.cpp:39
bb::ECCVMVerifier_
Unified ECCVM verifier class for both native and recursive verification.
Definition eccvm_verifier.hpp:19
bb::ECCVMVerifier_::translation_masking_consistency_checked
bool translation_masking_consistency_checked
Definition eccvm_verifier.hpp:91
bb::ECCVMVerifier_::consistency_checked
bool consistency_checked
Definition eccvm_verifier.hpp:87
bb::ECCVMVerifier_::transcript
std::shared_ptr< Transcript > transcript
Definition eccvm_verifier.hpp:88
bb::ECCVMVerifier_::sumcheck_verified
bool sumcheck_verified
Definition eccvm_verifier.hpp:86
bb::ECCVMVerifier_::key
std::shared_ptr< VerificationKey > key
Definition eccvm_verifier.hpp:72
bb::ECCVMVerifier_::verify_proof
OpeningClaim< Curve > verify_proof()
Verifies an ECCVM Honk proof for given program settings.
Definition eccvm_verifier.cpp:19
bb::IPA
IPA (inner product argument) commitment scheme class.
Definition ipa.hpp:93
bb::ProverInstance_
A ProverInstance is normally constructed from a finalized circuit and it contains all the information...
Definition prover_instance.hpp:33
bb::TranslatorCircuitChecker::check
static bool check(const Builder &circuit)
Check the witness satisifies the circuit.
Definition translator_circuit_checker.cpp:20
bb::UltraCircuitBuilder_
Definition ultra_circuit_builder.hpp:41
bb::UltraCircuitBuilder_::get_num_finalized_gates
size_t get_num_finalized_gates() const override
Get the number of gates in a finalized circuit.
Definition ultra_circuit_builder.hpp:347
bb::UltraCircuitBuilder_::blocks
ExecutionTrace blocks
Definition ultra_circuit_builder.hpp:190
bb::UltraCircuitBuilder_::ExecutionTrace
ExecutionTrace_ ExecutionTrace
Definition ultra_circuit_builder.hpp:43
bb::UltraCircuitBuilder_::get_num_finalized_gates_inefficient
size_t get_num_finalized_gates_inefficient(bool ensure_nonzero=true) const
Get the number of gates in the finalized version of the circuit.
Definition ultra_circuit_builder.hpp:361
bb::UltraProver_
Definition ultra_prover.hpp:20
bb::UltraProver_::construct_proof
Proof construct_proof()
Definition ultra_prover.cpp:90
bb::UltraVerifier_
Definition ultra_verifier.hpp:18
bb::VerifierCommitmentKey
Representation of the Grumpkin Verifier Commitment Key inside a bn254 circuit.
Definition verifier_commitment_key.hpp:16
bb::curve::Grumpkin::Element
typename Group::element Element
Definition grumpkin.hpp:62
bb::stdlib::Proof
A simple wrapper around a vector of stdlib field elements representing a proof.
Definition proof.hpp:19
bb::stdlib::recursion::honk::DefaultIO::add_default
static void add_default(Builder &builder)
Add default public inputs when they are not present.
Definition special_public_inputs.hpp:195
zip_view
Definition zip_view.hpp:166
commitment_key.test.hpp
info
void info(Args... args)
Definition log.hpp:75
builder
AluTraceBuilder builder
Definition alu.test.cpp:124
a
FF a
Definition field_gt.test.cpp:52
b
FF b
Definition field_gt.test.cpp:53
eccvm_flavor.hpp
eccvm_prover.hpp
engine
numeric::RNG & engine
Definition eccvm_transcript.test.cpp:295
eccvm_verifier.hpp
bb::numeric::get_debug_randomness
RNG & get_debug_randomness(bool reset, std::uint_fast64_t seed)
Definition engine.cpp:190
bb::srs::bb_crs_path
std::filesystem::path bb_crs_path()
Definition global_crs.cpp:14
bb::srs::init_file_crs_factory
void init_file_crs_factory(const std::filesystem::path &path)
Definition global_crs.hpp:14
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
bb::HonkProof
std::vector< fr > HonkProof
Definition proof.hpp:15
bb::ECCVMRecursiveVerifier
ECCVMVerifier_< ECCVMRecursiveFlavor > ECCVMRecursiveVerifier
Definition eccvm_verifier.hpp:105
bb::TEST_F
TEST_F(IPATest, ChallengesAreZero)
Definition ipa.test.cpp:185
bb::ECCVMVerifier
ECCVMVerifier_< ECCVMFlavor > ECCVMVerifier
Definition eccvm_verifier.hpp:104
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
G1
Curve::AffineElement G1
Definition pippenger.bench.cpp:29
pairing_points.hpp
special_public_inputs.hpp
bb::field< Bn254FrParams >::random_element
static field random_element(numeric::RNG *engine=nullptr) noexcept
Definition field_impl.hpp:675
tamper_proof.hpp
ultra_prover.hpp
ultra_verification_keys_comparator.hpp
ultra_verifier.hpp