Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
goblin_recursive_verifier.test.cpp
Go to the documentation of this file.
1#include "barretenberg/stdlib/goblin_verifier/goblin_recursive_verifier.hpp"
2#include "barretenberg/circuit_checker/circuit_checker.hpp"
3#include "barretenberg/common/assert.hpp"
4#include "barretenberg/common/test.hpp"
5#include "barretenberg/goblin/goblin.hpp"
6#include "barretenberg/goblin/mock_circuits.hpp"
7#include "barretenberg/srs/global_crs.hpp"
8#include "barretenberg/stdlib/honk_verifier/ultra_verification_keys_comparator.hpp"
9#include "barretenberg/ultra_honk/ultra_prover.hpp"
10#include "barretenberg/ultra_honk/ultra_verifier.hpp"
11
12namespace bb::stdlib::recursion::honk {
13class GoblinRecursiveVerifierTests : public testing::Test {
14 public:
15 using Builder = GoblinRecursiveVerifier::Builder;
16 using ECCVMVK = Goblin::ECCVMVerificationKey;
17 using TranslatorVK = Goblin::TranslatorVerificationKey;
18
19 using OuterFlavor = UltraFlavor;
20 using OuterProver = UltraProver_<OuterFlavor>;
21 using OuterVerifier = UltraVerifier_<OuterFlavor>;
22 using OuterProverInstance = ProverInstance_<OuterFlavor>;
23
24 using Commitment = MergeVerifier::Commitment;
25 using RecursiveCommitment = GoblinRecursiveVerifier::MergeVerifier::Commitment;
26 using MergeCommitments = MergeVerifier::InputCommitments;
27 using RecursiveMergeCommitments = GoblinRecursiveVerifier::MergeVerifier::InputCommitments;
28 using FF = TranslatorFlavor::FF;
29 using BF = TranslatorFlavor::BF;
30 static void SetUpTestSuite() { bb::srs::init_file_crs_factory(bb::srs::bb_crs_path()); }
31
32 // Compute the size of a Translator commitment (in bb::fr's)
33 static constexpr size_t comm_frs = FrCodec::calc_num_fields<Commitment>(); // 4
34 static constexpr size_t eval_frs = FrCodec::calc_num_fields<FF>(); // 1
35
42 // TODO(https://github.com/AztecProtocol/barretenberg/issues/1298):
43 // Better recursion testing - create more flexible proof tampering tests.
44 // Tamper with the `op` commitment in the merge commitments (op commitments are no longer in translator proof)
45 static void tamper_with_op_commitment(MergeCommitments& merge_commitments)
46 {
47 // The first commitment in merged table is the `op` wire commitment
48 merge_commitments.t_commitments[0] = merge_commitments.t_commitments[0] * FF(2);
49 };
50
51 // Translator proof ends with [..., Libra:quotient_eval, Shplonk:Q, KZG:W]. We invalidate the proof by multiplying
52 // the eval by 2 (it leads to a Libra consistency check failure).
53 static void tamper_with_libra_eval(HonkProof& translator_proof)
54 {
55 // Proof tail size
56 static constexpr size_t tail_size = 2 * comm_frs + eval_frs; // 2*4 + 1 = 9
57
58 // Index of the target field (one fr) from the beginning
59 const size_t idx = translator_proof.size() - tail_size;
60
61 // Tamper: multiply by 2 (or tweak however you like)
62 translator_proof[idx] = translator_proof[idx] + translator_proof[idx];
63 };
64
65 // ECCVM pre-IPA proof ends with evaluations including `op`. We tamper with the `op` evaluation.
66 // The structure is: [..., op_eval, x_lo_y_hi_eval, x_hi_z_1_eval, y_lo_z_2_eval, IPA_proof...]
67 // So op_eval is 3 fields before the IPA proof starts.
68 static void tamper_with_eccvm_op_eval(HonkProof& eccvm_proof)
69 {
70 // The `op` evaluation is located 3 evaluations before the end of pre-IPA proof
71 // (followed by x_lo_y_hi, x_hi_z_1, y_lo_z_2 evaluations)
72 static constexpr size_t evals_after_op = 3; // x_lo_y_hi, x_hi_z_1, y_lo_z_2
73 const size_t op_eval_idx = eccvm_proof.size() - evals_after_op;
74
75 // Tamper with the op evaluation
76 eccvm_proof[op_eval_idx] += FF(1);
77 };
78
84 static ProverOutput create_goblin_prover_output(Builder* outer_builder = nullptr, const size_t num_circuits = 5)
85 {
86
87 Goblin goblin;
88 GoblinMockCircuits::construct_and_merge_mock_circuits(goblin, num_circuits);
89
90 // Merge the ecc ops from the newly constructed circuit
91 auto goblin_proof = goblin.prove(MergeSettings::APPEND);
92 // Subtable values and commitments - needed for (Recursive)MergeVerifier
93 MergeCommitments merge_commitments;
94 auto t_current = goblin.op_queue->construct_current_ultra_ops_subtable_columns();
95 auto T_prev = goblin.op_queue->construct_previous_ultra_ops_table_columns();
96 CommitmentKey<curve::BN254> pcs_commitment_key(goblin.op_queue->get_ultra_ops_table_num_rows());
97 for (size_t idx = 0; idx < MegaFlavor::NUM_WIRES; idx++) {
98 merge_commitments.t_commitments[idx] = pcs_commitment_key.commit(t_current[idx]);
99 merge_commitments.T_prev_commitments[idx] = pcs_commitment_key.commit(T_prev[idx]);
100 }
101
102 RecursiveMergeCommitments recursive_merge_commitments;
103 if (outer_builder != nullptr) {
104 for (size_t idx = 0; idx < MegaFlavor::NUM_WIRES; idx++) {
105 recursive_merge_commitments.t_commitments[idx] =
106 RecursiveCommitment::from_witness(outer_builder, merge_commitments.t_commitments[idx]);
107 recursive_merge_commitments.T_prev_commitments[idx] =
108 RecursiveCommitment::from_witness(outer_builder, merge_commitments.T_prev_commitments[idx]);
109 // Removing the free witness tag, since the merge commitments in the full scheme are supposed to
110 // be fiat-shamirred earlier
111 recursive_merge_commitments.t_commitments[idx].unset_free_witness_tag();
112 recursive_merge_commitments.T_prev_commitments[idx].unset_free_witness_tag();
113 }
114 }
115
116 // Output is a goblin proof plus ECCVM/Translator verification keys
117 return { goblin_proof,
118 { std::make_shared<ECCVMVK>(), std::make_shared<TranslatorVK>() },
119 merge_commitments,
120 recursive_merge_commitments };
121 }
122};
123
128TEST_F(GoblinRecursiveVerifierTests, NativeVerification)
129{
130 auto [proof, verifier_input, merge_commitments, _] = create_goblin_prover_output();
131
132 std::shared_ptr<Goblin::Transcript> verifier_transcript = std::make_shared<Goblin::Transcript>();
133
134 EXPECT_TRUE(Goblin::verify(proof, merge_commitments, verifier_transcript, MergeSettings::APPEND));
135}
136
141TEST_F(GoblinRecursiveVerifierTests, Basic)
142{
143 Builder builder;
144
145 auto [proof, verifier_input, merge_commitments, recursive_merge_commitments] =
146 create_goblin_prover_output(&builder);
147
148 GoblinRecursiveVerifier verifier{ &builder, verifier_input };
149 GoblinRecursiveVerifierOutput output = verifier.verify(proof, recursive_merge_commitments, MergeSettings::APPEND);
150
151 stdlib::recursion::honk::DefaultIO<Builder> inputs;
152 inputs.pairing_inputs = output.points_accumulator;
153 inputs.set_public();
154
155 info("Recursive Verifier: num gates = ", builder.num_gates());
156
157 EXPECT_EQ(builder.failed(), false) << builder.err();
158
159 EXPECT_TRUE(CircuitChecker::check(builder));
160
161 // Construct and verify a proof for the Goblin Recursive Verifier circuit
162 {
163 auto prover_instance = std::make_shared<OuterProverInstance>(builder);
164 auto verification_key =
165 std::make_shared<typename OuterFlavor::VerificationKey>(prover_instance->get_precomputed());
166 OuterProver prover(prover_instance, verification_key);
167 OuterVerifier verifier(verification_key);
168 auto proof = prover.construct_proof();
169 bool verified = verifier.template verify_proof<bb::DefaultIO>(proof).result;
170
171 ASSERT_TRUE(verified);
172 }
173}
174
175// Check that the GoblinRecursiveVerifier circuit does not depend on the inputs.
176TEST_F(GoblinRecursiveVerifierTests, IndependentVKHash)
177{
178 // Retrieves the trace blocks (each consisting of a specific gate) from the recursive verifier circuit
179 auto get_blocks = [](size_t inner_size)
180 -> std::tuple<typename Builder::ExecutionTrace, std::shared_ptr<OuterFlavor::VerificationKey>> {
181 Builder builder;
182
183 auto [proof, verifier_input, merge_commitments, recursive_merge_commitments] =
184 create_goblin_prover_output(&builder, inner_size);
185
186 GoblinRecursiveVerifier verifier{ &builder, verifier_input };
187 GoblinRecursiveVerifierOutput output =
188 verifier.verify(proof, recursive_merge_commitments, MergeSettings::APPEND);
189
190 stdlib::recursion::honk::DefaultIO<Builder> inputs;
191 inputs.pairing_inputs = output.points_accumulator;
192 inputs.set_public();
193
194 info("Recursive Verifier: num gates = ", builder.num_gates());
195
196 // Construct and verify a proof for the Goblin Recursive Verifier circuit
197 auto prover_instance = std::make_shared<OuterProverInstance>(builder);
198 auto outer_verification_key =
199 std::make_shared<typename OuterFlavor::VerificationKey>(prover_instance->get_precomputed());
200 OuterProver prover(prover_instance, outer_verification_key);
201 OuterVerifier outer_verifier(outer_verification_key);
202 return { builder.blocks, outer_verification_key };
203 };
204
205 auto [blocks_5, verification_key_5] = get_blocks(5);
206 auto [blocks_6, verification_key_6] = get_blocks(6);
207
208 compare_ultra_blocks_and_verification_keys<OuterFlavor>({ blocks_5, blocks_6 },
209 { verification_key_5, verification_key_6 });
210}
211
216TEST_F(GoblinRecursiveVerifierTests, ECCVMFailure)
217{
218 BB_DISABLE_ASSERTS(); // Avoid on_curve assertion failure in cycle_group etc
219 Builder builder;
220
221 auto [proof, verifier_input, merge_commitments, recursive_merge_commitments] =
222 create_goblin_prover_output(&builder);
223
224 // Tamper with the ECCVM proof
225 for (auto& val : proof.eccvm_proof) {
226 if (val > 0) { // tamper by finding the first non-zero value and incrementing it by 1
227 val += 1;
228 break;
229 }
230 }
231
232 GoblinRecursiveVerifier verifier{ &builder, verifier_input };
233 GoblinRecursiveVerifierOutput goblin_rec_verifier_output = verifier.verify(proof, recursive_merge_commitments);
234 EXPECT_FALSE(CircuitChecker::check(builder));
235
236 srs::init_file_crs_factory(bb::srs::bb_crs_path());
237 auto crs_factory = srs::get_grumpkin_crs_factory();
238 VerifierCommitmentKey<curve::Grumpkin> grumpkin_verifier_commitment_key(1 << CONST_ECCVM_LOG_N, crs_factory);
239 OpeningClaim<curve::Grumpkin> native_claim = goblin_rec_verifier_output.opening_claim.get_native_opening_claim();
240 auto native_ipa_transcript = std::make_shared<NativeTranscript>(goblin_rec_verifier_output.ipa_proof.get_value());
241
242 bool native_result =
243 IPA<curve::Grumpkin>::reduce_verify(grumpkin_verifier_commitment_key, native_claim, native_ipa_transcript);
244 EXPECT_FALSE(native_result);
245}
246
251TEST_F(GoblinRecursiveVerifierTests, TranslatorFailure)
252{
253 auto [proof, verifier_input, merge_commitments, _] = create_goblin_prover_output();
254
255 // Tamper with the op commitment in merge commitments (used by Translator verifier)
256 {
257 MergeCommitments tampered_merge_commitments = merge_commitments;
258 tamper_with_op_commitment(tampered_merge_commitments);
259 Builder builder;
260
261 RecursiveMergeCommitments recursive_merge_commitments;
262 for (size_t idx = 0; idx < MegaFlavor::NUM_WIRES; idx++) {
263 recursive_merge_commitments.t_commitments[idx] =
264 RecursiveCommitment::from_witness(&builder, tampered_merge_commitments.t_commitments[idx]);
265 recursive_merge_commitments.T_prev_commitments[idx] =
266 RecursiveCommitment::from_witness(&builder, tampered_merge_commitments.T_prev_commitments[idx]);
267 recursive_merge_commitments.t_commitments[idx].fix_witness();
268 recursive_merge_commitments.T_prev_commitments[idx].fix_witness();
269 }
270
271 GoblinRecursiveVerifier verifier{ &builder, verifier_input };
272 auto goblin_rec_verifier_output = verifier.verify(proof, recursive_merge_commitments, MergeSettings::APPEND);
273
274 // Circuit is correct but pairing check should fail
275 EXPECT_TRUE(CircuitChecker::check(builder));
276
277 // Check that the pairing fails natively
278 bb::PairingPoints<curve::BN254> native_pairing_points(
279 goblin_rec_verifier_output.points_accumulator.P0.get_value(),
280 goblin_rec_verifier_output.points_accumulator.P1.get_value());
281 bool pairing_result = native_pairing_points.check();
282 EXPECT_FALSE(pairing_result);
283 }
284 // Tamper with the Translator proof non - preamble values
285 {
286 auto tampered_proof = proof;
287 tamper_with_libra_eval(tampered_proof.translator_proof);
288
289 Builder builder;
290
291 RecursiveMergeCommitments recursive_merge_commitments;
292 for (size_t idx = 0; idx < MegaFlavor::NUM_WIRES; idx++) {
293 recursive_merge_commitments.t_commitments[idx] =
294 RecursiveCommitment::from_witness(&builder, merge_commitments.t_commitments[idx]);
295 recursive_merge_commitments.T_prev_commitments[idx] =
296 RecursiveCommitment::from_witness(&builder, merge_commitments.T_prev_commitments[idx]);
297 recursive_merge_commitments.t_commitments[idx].fix_witness();
298 recursive_merge_commitments.T_prev_commitments[idx].fix_witness();
299 }
300
301 GoblinRecursiveVerifier verifier{ &builder, verifier_input };
302 [[maybe_unused]] auto goblin_rec_verifier_output =
303 verifier.verify(tampered_proof, recursive_merge_commitments, MergeSettings::APPEND);
304 EXPECT_FALSE(CircuitChecker::check(builder));
305 }
306}
307
312TEST_F(GoblinRecursiveVerifierTests, TranslationEvaluationsFailure)
313{
314 Builder builder;
315
316 auto [proof, verifier_input, merge_commitments, recursive_merge_commitments] =
317 create_goblin_prover_output(&builder);
318
319 // Tamper with the `op` evaluation in the ECCVM proof using the helper function
320 tamper_with_eccvm_op_eval(proof.eccvm_proof);
321
322 GoblinRecursiveVerifier verifier{ &builder, verifier_input };
323 [[maybe_unused]] auto goblin_rec_verifier_output =
324 verifier.verify(proof, recursive_merge_commitments, MergeSettings::APPEND);
325
326 EXPECT_FALSE(CircuitChecker::check(builder));
327}
328
333TEST_F(GoblinRecursiveVerifierTests, TranslatorMergeConsistencyFailure)
334{
335
336 {
337
338 Builder builder;
339
340 auto [proof, verifier_input, merge_commitments, recursive_merge_commitments] =
341 create_goblin_prover_output(&builder);
342
343 std::shared_ptr<Goblin::Transcript> verifier_transcript = std::make_shared<Goblin::Transcript>();
344
345 // Check natively that the proof is correct.
346 EXPECT_TRUE(Goblin::verify(proof, merge_commitments, verifier_transcript, MergeSettings::APPEND));
347
348 // Tamper with the op commitment in merge commitments (used by Translator verifier)
349 MergeCommitments tampered_merge_commitments = merge_commitments;
350 tamper_with_op_commitment(tampered_merge_commitments);
351
352 // Construct and check the Goblin Recursive Verifier circuit
353
354 RecursiveMergeCommitments tampered_recursive_merge_commitments;
355 for (size_t idx = 0; idx < MegaFlavor::NUM_WIRES; idx++) {
356 tampered_recursive_merge_commitments.t_commitments[idx] =
357 RecursiveCommitment::from_witness(&builder, tampered_merge_commitments.t_commitments[idx]);
358 tampered_recursive_merge_commitments.T_prev_commitments[idx] =
359 RecursiveCommitment::from_witness(&builder, tampered_merge_commitments.T_prev_commitments[idx]);
360 tampered_recursive_merge_commitments.t_commitments[idx].fix_witness();
361 tampered_recursive_merge_commitments.T_prev_commitments[idx].fix_witness();
362 }
363
364 GoblinRecursiveVerifier verifier{ &builder, verifier_input };
365 auto goblin_rec_verifier_output =
366 verifier.verify(proof, tampered_recursive_merge_commitments, MergeSettings::APPEND);
367
368 // Circuit is correct but pairing check should fail
369 EXPECT_TRUE(CircuitChecker::check(builder));
370
371 // Check that the pairing fails natively
372 bb::PairingPoints<curve::BN254> native_pairing_points(
373 goblin_rec_verifier_output.points_accumulator.P0.get_value(),
374 goblin_rec_verifier_output.points_accumulator.P1.get_value());
375 bool pairing_result = native_pairing_points.check();
376 EXPECT_FALSE(pairing_result);
377 }
378}
379} // namespace bb::stdlib::recursion::honk
BB_DISABLE_ASSERTS
#define BB_DISABLE_ASSERTS()
Definition assert.hpp:32
circuit_checker.hpp
bb::CommitmentKey
CommitmentKey object over a pairing group 𝔾₁.
Definition commitment_key.hpp:43
bb::CommitmentKey::commit
Commitment commit(PolynomialSpan< const Fr > polynomial) const
Uses the ProverSRS to create a commitment to p(X)
Definition commitment_key.hpp:88
bb::ECCVMFlavor::VerificationKey
The verification key is responsible for storing the commitments to the precomputed (non-witnessk) pol...
Definition eccvm_flavor.hpp:818
bb::Goblin::verify
static bool verify(const GoblinProof &proof, const MergeCommitments &merge_commitments, const std::shared_ptr< Transcript > &transcript, const MergeSettings merge_settings=MergeSettings::PREPEND)
Verify a full Goblin proof (ECCVM, Translator, merge)
Definition goblin.cpp:102
bb::Goblin::TranslatorVerificationKey
TranslatorFlavor::VerificationKey TranslatorVerificationKey
Definition goblin.hpp:37
bb::Goblin::op_queue
std::shared_ptr< OpQueue > op_queue
Definition goblin.hpp:48
bb::Goblin::prove
GoblinProof prove(const MergeSettings merge_settings=MergeSettings::PREPEND)
Constuct a full Goblin proof (ECCVM, Translator, merge)
Definition goblin.cpp:61
bb::Goblin::ECCVMVerificationKey
ECCVMFlavor::VerificationKey ECCVMVerificationKey
Definition goblin.hpp:36
bb::GoblinMockCircuits::construct_and_merge_mock_circuits
static void construct_and_merge_mock_circuits(Goblin &goblin, const size_t num_circuits=3)
Definition mock_circuits.hpp:155
bb::IPA
IPA (inner product argument) commitment scheme class.
Definition ipa.hpp:93
bb::MegaFlavor::NUM_WIRES
static constexpr size_t NUM_WIRES
Definition mega_flavor.hpp:57
bb::MergeVerifier_::Commitment
typename Curve::AffineElement Commitment
Definition merge_verifier.hpp:26
bb::OpeningClaim
Unverified claim (C,r,v) for some witness polynomial p(X) such that.
Definition claim.hpp:53
bb::PairingPoints
An object storing two EC points that represent the inputs to a pairing check.
Definition pairing_points.hpp:24
bb::PairingPoints::check
bool check() const
Perform the pairing check.
Definition pairing_points.hpp:93
bb::ProverInstance_
A ProverInstance is normally constructed from a finalized circuit and it contains all the information...
Definition prover_instance.hpp:33
bb::TranslatorCircuitChecker::check
static bool check(const Builder &circuit)
Check the witness satisifies the circuit.
Definition translator_circuit_checker.cpp:20
bb::TranslatorFlavor::VerificationKey
The verification key is responsible for storing the commitments to the precomputed (non-witnessk) pol...
Definition translator_flavor.hpp:848
bb::TranslatorFlavor::FF
Curve::ScalarField FF
Definition translator_flavor.hpp:40
bb::UltraCircuitBuilder_
Definition ultra_circuit_builder.hpp:41
bb::UltraProver_
Definition ultra_prover.hpp:20
bb::UltraVerifier_
Definition ultra_verifier.hpp:18
bb::VerifierCommitmentKey
Representation of the Grumpkin Verifier Commitment Key inside a bn254 circuit.
Definition verifier_commitment_key.hpp:16
bb::stdlib::recursion::honk::DefaultIO
Manages the data that is propagated on the public inputs of an application/function circuit.
Definition special_public_inputs.hpp:148
bb::stdlib::recursion::honk::GoblinRecursiveVerifier::verify
GoblinRecursiveVerifierOutput verify(const GoblinProof &, const MergeCommitments &merge_commitments, const MergeSettings merge_settings=MergeSettings::PREPEND)
Creates a circuit that executes the ECCVM, Translator and Merge verifiers.
Definition goblin_recursive_verifier.cpp:18
bb::stdlib::recursion::honk::GoblinRecursiveVerifierTests::RecursiveCommitment
GoblinRecursiveVerifier::MergeVerifier::Commitment RecursiveCommitment
Definition goblin_recursive_verifier.test.cpp:25
bb::stdlib::recursion::honk::GoblinRecursiveVerifierTests::create_goblin_prover_output
static ProverOutput create_goblin_prover_output(Builder *outer_builder=nullptr, const size_t num_circuits=5)
Create a goblin proof and the VM verification keys needed by the goblin recursive verifier.
Definition goblin_recursive_verifier.test.cpp:84
bb::stdlib::recursion::honk::GoblinRecursiveVerifierTests::tamper_with_op_commitment
static void tamper_with_op_commitment(MergeCommitments &merge_commitments)
Definition goblin_recursive_verifier.test.cpp:45
info
void info(Args... args)
Definition log.hpp:75
builder
AluTraceBuilder builder
Definition alu.test.cpp:124
global_crs.hpp
mock_circuits.hpp
goblin_recursive_verifier.hpp
inputs
AvmProvingInputs inputs
Definition hinting_dbs.test.cpp:45
bb::srs::bb_crs_path
std::filesystem::path bb_crs_path()
Definition global_crs.cpp:14
bb::srs::init_file_crs_factory
void init_file_crs_factory(const std::filesystem::path &path)
Definition global_crs.hpp:14
bb::srs::get_grumpkin_crs_factory
std::shared_ptr< factories::CrsFactory< curve::Grumpkin > > get_grumpkin_crs_factory()
Definition global_crs.cpp:80
bb::stdlib::recursion::honk::TEST_F
TEST_F(BoomerangGoblinRecursiveVerifierTests, graph_description_basic)
Construct and check a goblin recursive verification circuit.
Definition graph_description_goblin.test.cpp:69
bb::HonkProof
std::vector< fr > HonkProof
Definition proof.hpp:15
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
bb::MergeVerifier_::InputCommitments
Definition merge_verifier.hpp:50
bb::MergeVerifier_::InputCommitments::T_prev_commitments
TableCommitments T_prev_commitments
Definition merge_verifier.hpp:52
bb::MergeVerifier_::InputCommitments::t_commitments
TableCommitments t_commitments
Definition merge_verifier.hpp:51
bb::stdlib::recursion::PairingPoints::set_public
uint32_t set_public()
Set the witness indices for the limbs of the pairing points to public.
Definition pairing_points.hpp:190
ultra_prover.hpp
ultra_verification_keys_comparator.hpp
ultra_verifier.hpp