14static const char HONK_ZK_CONTRACT_SOURCE[] = R
"(
15pragma solidity ^0.8.27;
18 function verify(bytes calldata _proof, bytes32[] calldata _publicInputs) external returns (bool);
23using {add as +} for Fr global;
24using {sub as -} for Fr global;
25using {mul as *} for Fr global;
27using {exp as ^} for Fr global;
28using {notEqual as !=} for Fr global;
29using {equal as ==} for Fr global;
31uint256 constant SUBGROUP_SIZE = 256;
32uint256 constant MODULUS = 21888242871839275222246405745257275088548364400416034343698204186575808495617; // Prime field order
33uint256 constant P = MODULUS;
34Fr constant SUBGROUP_GENERATOR = Fr.wrap(0x07b0c561a6148404f086204a9f36ffb0617942546750f230c893619174a57a76);
35Fr constant SUBGROUP_GENERATOR_INVERSE = Fr.wrap(0x204bd3277422fad364751ad938e2b5e6a54cf8c68712848a692c553d0329f5d6);
36Fr constant MINUS_ONE = Fr.wrap(MODULUS - 1);
37Fr constant ONE = Fr.wrap(1);
38Fr constant ZERO = Fr.wrap(0);
42 function from(uint256 value) internal pure returns (Fr) {
44 return Fr.wrap(value % MODULUS);
48 function fromBytes32(bytes32 value) internal pure returns (Fr) {
50 return Fr.wrap(uint256(value) % MODULUS);
54 function toBytes32(Fr value) internal pure returns (bytes32) {
56 return bytes32(Fr.unwrap(value));
60 function invert(Fr value) internal view returns (Fr) {
61 uint256 v = Fr.unwrap(value);
64 // Call the modexp precompile to invert in the field
66 let free := mload(0x40)
68 mstore(add(free, 0x20), 0x20)
69 mstore(add(free, 0x40), 0x20)
70 mstore(add(free, 0x60), v)
71 mstore(add(free, 0x80), sub(MODULUS, 2))
72 mstore(add(free, 0xa0), MODULUS)
73 let success := staticcall(gas(), 0x05, free, 0xc0, 0x00, 0x20)
78 mstore(0x40, add(free, 0x80))
81 return Fr.wrap(result);
84 function pow(Fr base, uint256 v) internal view returns (Fr) {
85 uint256 b = Fr.unwrap(base);
88 // Call the modexp precompile to invert in the field
90 let free := mload(0x40)
92 mstore(add(free, 0x20), 0x20)
93 mstore(add(free, 0x40), 0x20)
94 mstore(add(free, 0x60), b)
95 mstore(add(free, 0x80), v)
96 mstore(add(free, 0xa0), MODULUS)
97 let success := staticcall(gas(), 0x05, free, 0xc0, 0x00, 0x20)
101 result := mload(0x00)
102 mstore(0x40, add(free, 0x80))
105 return Fr.wrap(result);
108 function div(Fr numerator, Fr denominator) internal view returns (Fr) {
110 return numerator * invert(denominator);
114 function sqr(Fr value) internal pure returns (Fr) {
116 return value * value;
120 function unwrap(Fr value) internal pure returns (uint256) {
122 return Fr.unwrap(value);
126 function neg(Fr value) internal pure returns (Fr) {
128 return Fr.wrap(MODULUS - Fr.unwrap(value));
134function add(Fr a, Fr b) pure returns (Fr) {
136 return Fr.wrap(addmod(Fr.unwrap(a), Fr.unwrap(b), MODULUS));
140function mul(Fr a, Fr b) pure returns (Fr) {
142 return Fr.wrap(mulmod(Fr.unwrap(a), Fr.unwrap(b), MODULUS));
146function sub(Fr a, Fr b) pure returns (Fr) {
148 return Fr.wrap(addmod(Fr.unwrap(a), MODULUS - Fr.unwrap(b), MODULUS));
152function exp(Fr base, Fr exponent) pure returns (Fr) {
153 if (Fr.unwrap(exponent) == 0) return Fr.wrap(1);
154 // Implement exponent with a loop as we will overflow otherwise
155 for (uint256 i = 1; i < Fr.unwrap(exponent); i += i) {
161function notEqual(Fr a, Fr b) pure returns (bool) {
163 return Fr.unwrap(a) != Fr.unwrap(b);
167function equal(Fr a, Fr b) pure returns (bool) {
169 return Fr.unwrap(a) == Fr.unwrap(b);
173uint256 constant CONST_PROOF_SIZE_LOG_N = 28;
175uint256 constant NUMBER_OF_SUBRELATIONS = 28;
176uint256 constant BATCHED_RELATION_PARTIAL_LENGTH = 8;
177uint256 constant ZK_BATCHED_RELATION_PARTIAL_LENGTH = 9;
178uint256 constant NUMBER_OF_ENTITIES = 41;
179// The number of entities added for ZK (gemini_masking_poly)
180uint256 constant NUM_MASKING_POLYNOMIALS = 1;
181uint256 constant NUMBER_OF_ENTITIES_ZK = NUMBER_OF_ENTITIES + NUM_MASKING_POLYNOMIALS;
182uint256 constant NUMBER_UNSHIFTED = 36;
183uint256 constant NUMBER_UNSHIFTED_ZK = NUMBER_UNSHIFTED + NUM_MASKING_POLYNOMIALS;
184uint256 constant NUMBER_TO_BE_SHIFTED = 5;
185uint256 constant PAIRING_POINTS_SIZE = 16;
187uint256 constant FIELD_ELEMENT_SIZE = 0x20;
188uint256 constant GROUP_ELEMENT_SIZE = 0x40;
190// Powers of alpha used to batch subrelations (alpha, alpha^2, ..., alpha^(NUM_SUBRELATIONS-1))
191uint256 constant NUMBER_OF_ALPHAS = NUMBER_OF_SUBRELATIONS - 1;
207 Q_POSEIDON2_EXTERNAL,
208 Q_POSEIDON2_INTERNAL,
244 struct VerificationKey {
247 uint256 logCircuitSize;
248 uint256 publicInputsSize;
256 G1Point qLookup; // Lookup
257 G1Point qArith; // Arithmetic widget
258 G1Point qDeltaRange; // Delta Range sort
259 G1Point qMemory; // Memory
260 G1Point qNnf; // Non-native Field
261 G1Point qElliptic; // Auxillary
262 G1Point qPoseidon2External;
263 G1Point qPoseidon2Internal;
274 // Precomputed lookup table
279 // Fixed first and last
280 G1Point lagrangeFirst;
281 G1Point lagrangeLast;
284 struct RelationParameters {
292 Fr publicInputsDelta;
296 // Pairing point object
297 Fr[PAIRING_POINTS_SIZE] pairingPointObject;
303 // Lookup helpers - Permutations
305 // Lookup helpers - logup
306 G1Point lookupReadCounts;
307 G1Point lookupReadTags;
308 G1Point lookupInverses;
310 Fr[BATCHED_RELATION_PARTIAL_LENGTH][CONST_PROOF_SIZE_LOG_N] sumcheckUnivariates;
311 Fr[NUMBER_OF_ENTITIES] sumcheckEvaluations;
313 G1Point[CONST_PROOF_SIZE_LOG_N - 1] geminiFoldComms;
314 Fr[CONST_PROOF_SIZE_LOG_N] geminiAEvaluations;
321 // Pairing point object
322 Fr[PAIRING_POINTS_SIZE] pairingPointObject;
323 // ZK: Gemini masking polynomial commitment (sent first, right after public inputs)
324 G1Point geminiMaskingPoly;
325 // Commitments to wire polynomials
330 // Commitments to logup witness polynomials
331 G1Point lookupReadCounts;
332 G1Point lookupReadTags;
333 G1Point lookupInverses;
334 // Commitment to grand permutation polynomial
336 G1Point[3] libraCommitments;
339 Fr[ZK_BATCHED_RELATION_PARTIAL_LENGTH][CONST_PROOF_SIZE_LOG_N] sumcheckUnivariates;
341 Fr[NUMBER_OF_ENTITIES_ZK] sumcheckEvaluations; // Includes gemini_masking_poly eval at index 0 (first position)
343 G1Point[CONST_PROOF_SIZE_LOG_N - 1] geminiFoldComms;
344 Fr[CONST_PROOF_SIZE_LOG_N] geminiAEvaluations;
345 Fr[4] libraPolyEvals;
351// ZKTranscript library to generate fiat shamir challenges, the ZK transcript only differest
355 Honk.RelationParameters relationParameters;
356 Fr[NUMBER_OF_ALPHAS] alphas; // Powers of alpha: [alpha, alpha^2, ..., alpha^(NUM_SUBRELATIONS-1)]
357 Fr[CONST_PROOF_SIZE_LOG_N] gateChallenges;
360 Fr[CONST_PROOF_SIZE_LOG_N] sumCheckUChallenges;
367 Fr publicInputsDelta;
370library ZKTranscriptLib {
371 function generateTranscript(
372 Honk.ZKProof memory proof,
373 bytes32[] calldata publicInputs,
375 uint256 publicInputsSize,
377 ) external pure returns (ZKTranscript memory t) {
378 Fr previousChallenge;
379 (t.relationParameters, previousChallenge) =
380 generateRelationParametersChallenges(proof, publicInputs, vkHash, publicInputsSize, previousChallenge);
382 (t.alphas, previousChallenge) = generateAlphaChallenges(previousChallenge, proof);
384 (t.gateChallenges, previousChallenge) = generateGateChallenges(previousChallenge, logN);
385 (t.libraChallenge, previousChallenge) = generateLibraChallenge(previousChallenge, proof);
386 (t.sumCheckUChallenges, previousChallenge) = generateSumcheckChallenges(proof, previousChallenge, logN);
388 (t.rho, previousChallenge) = generateRhoChallenge(proof, previousChallenge);
390 (t.geminiR, previousChallenge) = generateGeminiRChallenge(proof, previousChallenge, logN);
392 (t.shplonkNu, previousChallenge) = generateShplonkNuChallenge(proof, previousChallenge, logN);
394 (t.shplonkZ, previousChallenge) = generateShplonkZChallenge(proof, previousChallenge);
398 function splitChallenge(Fr challenge) internal pure returns (Fr first, Fr second) {
399 uint256 challengeU256 = uint256(Fr.unwrap(challenge));
400 // Split into two equal 127-bit chunks (254/2)
401 uint256 lo = challengeU256 & 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF; // 127 bits
402 uint256 hi = challengeU256 >> 127;
403 first = FrLib.fromBytes32(bytes32(lo));
404 second = FrLib.fromBytes32(bytes32(hi));
407 function generateRelationParametersChallenges(
408 Honk.ZKProof memory proof,
409 bytes32[] calldata publicInputs,
411 uint256 publicInputsSize,
413 ) internal pure returns (Honk.RelationParameters memory rp, Fr nextPreviousChallenge) {
414 (rp.eta, rp.etaTwo, rp.etaThree, previousChallenge) =
415 generateEtaChallenge(proof, publicInputs, vkHash, publicInputsSize);
417 (rp.beta, rp.gamma, nextPreviousChallenge) = generateBetaAndGammaChallenges(previousChallenge, proof);
420 function generateEtaChallenge(
421 Honk.ZKProof memory proof,
422 bytes32[] calldata publicInputs,
424 uint256 publicInputsSize
425 ) internal pure returns (Fr eta, Fr etaTwo, Fr etaThree, Fr previousChallenge) {
426 // Size: 1 (vkHash) + publicInputsSize + 8 (geminiMask(2) + 3 wires(6))
427 bytes32[] memory round0 = new bytes32[](1 + publicInputsSize + 8);
428 round0[0] = bytes32(vkHash);
430 for (uint256 i = 0; i < publicInputsSize - PAIRING_POINTS_SIZE; i++) {
431 round0[1 + i] = bytes32(publicInputs[i]);
433 for (uint256 i = 0; i < PAIRING_POINTS_SIZE; i++) {
434 round0[1 + publicInputsSize - PAIRING_POINTS_SIZE + i] = FrLib.toBytes32(proof.pairingPointObject[i]);
437 // For ZK flavors: hash the gemini masking poly commitment (sent right after public inputs)
438 round0[1 + publicInputsSize] = bytes32(proof.geminiMaskingPoly.x);
439 round0[1 + publicInputsSize + 1] = bytes32(proof.geminiMaskingPoly.y);
441 // Create the first challenge
442 // Note: w4 is added to the challenge later on
443 round0[1 + publicInputsSize + 2] = bytes32(proof.w1.x);
444 round0[1 + publicInputsSize + 3] = bytes32(proof.w1.y);
445 round0[1 + publicInputsSize + 4] = bytes32(proof.w2.x);
446 round0[1 + publicInputsSize + 5] = bytes32(proof.w2.y);
447 round0[1 + publicInputsSize + 6] = bytes32(proof.w3.x);
448 round0[1 + publicInputsSize + 7] = bytes32(proof.w3.y);
450 previousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(round0)));
451 (eta, etaTwo) = splitChallenge(previousChallenge);
452 previousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(Fr.unwrap(previousChallenge))));
454 (etaThree,) = splitChallenge(previousChallenge);
457 function generateBetaAndGammaChallenges(Fr previousChallenge, Honk.ZKProof memory proof)
460 returns (Fr beta, Fr gamma, Fr nextPreviousChallenge)
462 bytes32[7] memory round1;
463 round1[0] = FrLib.toBytes32(previousChallenge);
464 round1[1] = bytes32(proof.lookupReadCounts.x);
465 round1[2] = bytes32(proof.lookupReadCounts.y);
466 round1[3] = bytes32(proof.lookupReadTags.x);
467 round1[4] = bytes32(proof.lookupReadTags.y);
468 round1[5] = bytes32(proof.w4.x);
469 round1[6] = bytes32(proof.w4.y);
471 nextPreviousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(round1)));
472 (beta, gamma) = splitChallenge(nextPreviousChallenge);
475 // Alpha challenges non-linearise the gate contributions
476 function generateAlphaChallenges(Fr previousChallenge, Honk.ZKProof memory proof)
479 returns (Fr[NUMBER_OF_ALPHAS] memory alphas, Fr nextPreviousChallenge)
481 // Generate the original sumcheck alpha 0 by hashing zPerm and zLookup
482 uint256[5] memory alpha0;
483 alpha0[0] = Fr.unwrap(previousChallenge);
484 alpha0[1] = proof.lookupInverses.x;
485 alpha0[2] = proof.lookupInverses.y;
486 alpha0[3] = proof.zPerm.x;
487 alpha0[4] = proof.zPerm.y;
489 nextPreviousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(alpha0)));
491 (alpha,) = splitChallenge(nextPreviousChallenge);
493 // Compute powers of alpha for batching subrelations
495 for (uint256 i = 1; i < NUMBER_OF_ALPHAS; i++) {
496 alphas[i] = alphas[i - 1] * alpha;
500 function generateGateChallenges(Fr previousChallenge, uint256 logN)
503 returns (Fr[CONST_PROOF_SIZE_LOG_N] memory gateChallenges, Fr nextPreviousChallenge)
505 previousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(Fr.unwrap(previousChallenge))));
506 (gateChallenges[0],) = splitChallenge(previousChallenge);
507 for (uint256 i = 1; i < logN; i++) {
508 gateChallenges[i] = gateChallenges[i - 1] * gateChallenges[i - 1];
510 nextPreviousChallenge = previousChallenge;
513 function generateLibraChallenge(Fr previousChallenge, Honk.ZKProof memory proof)
516 returns (Fr libraChallenge, Fr nextPreviousChallenge)
518 // 2 comm, 1 sum, 1 challenge
519 uint256[4] memory challengeData;
520 challengeData[0] = Fr.unwrap(previousChallenge);
521 challengeData[1] = proof.libraCommitments[0].x;
522 challengeData[2] = proof.libraCommitments[0].y;
523 challengeData[3] = Fr.unwrap(proof.libraSum);
524 nextPreviousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(challengeData)));
525 (libraChallenge,) = splitChallenge(nextPreviousChallenge);
528 function generateSumcheckChallenges(Honk.ZKProof memory proof, Fr prevChallenge, uint256 logN)
531 returns (Fr[CONST_PROOF_SIZE_LOG_N] memory sumcheckChallenges, Fr nextPreviousChallenge)
533 for (uint256 i = 0; i < logN; i++) {
534 Fr[ZK_BATCHED_RELATION_PARTIAL_LENGTH + 1] memory univariateChal;
535 univariateChal[0] = prevChallenge;
537 for (uint256 j = 0; j < ZK_BATCHED_RELATION_PARTIAL_LENGTH; j++) {
538 univariateChal[j + 1] = proof.sumcheckUnivariates[i][j];
540 prevChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(univariateChal)));
542 (sumcheckChallenges[i],) = splitChallenge(prevChallenge);
544 nextPreviousChallenge = prevChallenge;
547 // We add Libra claimed eval + 2 libra commitments (grand_sum, quotient)
548 function generateRhoChallenge(Honk.ZKProof memory proof, Fr prevChallenge)
551 returns (Fr rho, Fr nextPreviousChallenge)
553 uint256[NUMBER_OF_ENTITIES_ZK + 6] memory rhoChallengeElements;
554 rhoChallengeElements[0] = Fr.unwrap(prevChallenge);
556 for (i = 1; i <= NUMBER_OF_ENTITIES_ZK; i++) {
557 rhoChallengeElements[i] = Fr.unwrap(proof.sumcheckEvaluations[i - 1]);
559 rhoChallengeElements[i] = Fr.unwrap(proof.libraEvaluation);
561 rhoChallengeElements[i] = proof.libraCommitments[1].x;
562 rhoChallengeElements[i + 1] = proof.libraCommitments[1].y;
564 rhoChallengeElements[i] = proof.libraCommitments[2].x;
565 rhoChallengeElements[i + 1] = proof.libraCommitments[2].y;
567 nextPreviousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(rhoChallengeElements)));
568 (rho,) = splitChallenge(nextPreviousChallenge);
571 function generateGeminiRChallenge(Honk.ZKProof memory proof, Fr prevChallenge, uint256 logN)
574 returns (Fr geminiR, Fr nextPreviousChallenge)
576 uint256[] memory gR = new uint256[]((logN - 1) * 2 + 1);
577 gR[0] = Fr.unwrap(prevChallenge);
579 for (uint256 i = 0; i < logN - 1; i++) {
580 gR[1 + i * 2] = proof.geminiFoldComms[i].x;
581 gR[2 + i * 2] = proof.geminiFoldComms[i].y;
584 nextPreviousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(gR)));
586 (geminiR,) = splitChallenge(nextPreviousChallenge);
589 function generateShplonkNuChallenge(Honk.ZKProof memory proof, Fr prevChallenge, uint256 logN)
592 returns (Fr shplonkNu, Fr nextPreviousChallenge)
594 uint256[] memory shplonkNuChallengeElements = new uint256[](logN + 1 + 4);
595 shplonkNuChallengeElements[0] = Fr.unwrap(prevChallenge);
597 for (uint256 i = 1; i <= logN; i++) {
598 shplonkNuChallengeElements[i] = Fr.unwrap(proof.geminiAEvaluations[i - 1]);
601 uint256 libraIdx = 0;
602 for (uint256 i = logN + 1; i <= logN + 4; i++) {
603 shplonkNuChallengeElements[i] = Fr.unwrap(proof.libraPolyEvals[libraIdx]);
607 nextPreviousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(shplonkNuChallengeElements)));
608 (shplonkNu,) = splitChallenge(nextPreviousChallenge);
611 function generateShplonkZChallenge(Honk.ZKProof memory proof, Fr prevChallenge)
614 returns (Fr shplonkZ, Fr nextPreviousChallenge)
616 uint256[3] memory shplonkZChallengeElements;
617 shplonkZChallengeElements[0] = Fr.unwrap(prevChallenge);
619 shplonkZChallengeElements[1] = proof.shplonkQ.x;
620 shplonkZChallengeElements[2] = proof.shplonkQ.y;
622 nextPreviousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(shplonkZChallengeElements)));
623 (shplonkZ,) = splitChallenge(nextPreviousChallenge);
626 function loadProof(bytes calldata proof, uint256 logN) internal pure returns (Honk.ZKProof memory p) {
627 uint256 boundary = 0x0;
629 // Pairing point object
630 for (uint256 i = 0; i < PAIRING_POINTS_SIZE; i++) {
631 p.pairingPointObject[i] = bytesToFr(proof[boundary:boundary + FIELD_ELEMENT_SIZE]);
632 boundary += FIELD_ELEMENT_SIZE;
635 // Gemini masking polynomial commitment (sent first in ZK flavors, right after pairing points)
636 p.geminiMaskingPoly = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]);
637 boundary += GROUP_ELEMENT_SIZE;
640 p.w1 = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]);
641 boundary += GROUP_ELEMENT_SIZE;
642 p.w2 = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]);
643 boundary += GROUP_ELEMENT_SIZE;
644 p.w3 = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]);
645 boundary += GROUP_ELEMENT_SIZE;
647 // Lookup / Permutation Helper Commitments
648 p.lookupReadCounts = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]);
649 boundary += GROUP_ELEMENT_SIZE;
650 p.lookupReadTags = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]);
651 boundary += GROUP_ELEMENT_SIZE;
652 p.w4 = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]);
653 boundary += GROUP_ELEMENT_SIZE;
654 p.lookupInverses = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]);
655 boundary += GROUP_ELEMENT_SIZE;
656 p.zPerm = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]);
657 boundary += GROUP_ELEMENT_SIZE;
658 p.libraCommitments[0] = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]);
659 boundary += GROUP_ELEMENT_SIZE;
661 p.libraSum = bytesToFr(proof[boundary:boundary + FIELD_ELEMENT_SIZE]);
662 boundary += FIELD_ELEMENT_SIZE;
663 // Sumcheck univariates
664 for (uint256 i = 0; i < logN; i++) {
665 for (uint256 j = 0; j < ZK_BATCHED_RELATION_PARTIAL_LENGTH; j++) {
666 p.sumcheckUnivariates[i][j] = bytesToFr(proof[boundary:boundary + FIELD_ELEMENT_SIZE]);
667 boundary += FIELD_ELEMENT_SIZE;
671 // Sumcheck evaluations (includes gemini_masking_poly eval at index 0 for ZK flavors)
672 for (uint256 i = 0; i < NUMBER_OF_ENTITIES_ZK; i++) {
673 p.sumcheckEvaluations[i] = bytesToFr(proof[boundary:boundary + FIELD_ELEMENT_SIZE]);
674 boundary += FIELD_ELEMENT_SIZE;
677 p.libraEvaluation = bytesToFr(proof[boundary:boundary + FIELD_ELEMENT_SIZE]);
678 boundary += FIELD_ELEMENT_SIZE;
680 p.libraCommitments[1] = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]);
681 boundary += GROUP_ELEMENT_SIZE;
682 p.libraCommitments[2] = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]);
683 boundary += GROUP_ELEMENT_SIZE;
686 // Read gemini fold univariates
687 for (uint256 i = 0; i < logN - 1; i++) {
688 p.geminiFoldComms[i] = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]);
689 boundary += GROUP_ELEMENT_SIZE;
692 // Read gemini a evaluations
693 for (uint256 i = 0; i < logN; i++) {
694 p.geminiAEvaluations[i] = bytesToFr(proof[boundary:boundary + FIELD_ELEMENT_SIZE]);
695 boundary += FIELD_ELEMENT_SIZE;
698 for (uint256 i = 0; i < 4; i++) {
699 p.libraPolyEvals[i] = bytesToFr(proof[boundary:boundary + FIELD_ELEMENT_SIZE]);
700 boundary += FIELD_ELEMENT_SIZE;
704 p.shplonkQ = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]);
705 boundary += GROUP_ELEMENT_SIZE;
707 p.kzgQuotient = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]);
711// Field arithmetic libraries
713library RelationsLib {
714 Fr internal constant GRUMPKIN_CURVE_B_PARAMETER_NEGATED = Fr.wrap(17); // -(-17)
716 function accumulateRelationEvaluations(
717 Fr[NUMBER_OF_ENTITIES] memory purportedEvaluations,
718 Honk.RelationParameters memory rp,
719 Fr[NUMBER_OF_ALPHAS] memory subrelationChallenges,
721 ) internal pure returns (Fr accumulator) {
722 Fr[NUMBER_OF_SUBRELATIONS] memory evaluations;
724 // Accumulate all relations in Ultra Honk - each with varying number of subrelations
725 accumulateArithmeticRelation(purportedEvaluations, evaluations, powPartialEval);
726 accumulatePermutationRelation(purportedEvaluations, rp, evaluations, powPartialEval);
727 accumulateLogDerivativeLookupRelation(purportedEvaluations, rp, evaluations, powPartialEval);
728 accumulateDeltaRangeRelation(purportedEvaluations, evaluations, powPartialEval);
729 accumulateEllipticRelation(purportedEvaluations, evaluations, powPartialEval);
730 accumulateMemoryRelation(purportedEvaluations, rp, evaluations, powPartialEval);
731 accumulateNnfRelation(purportedEvaluations, evaluations, powPartialEval);
732 accumulatePoseidonExternalRelation(purportedEvaluations, evaluations, powPartialEval);
733 accumulatePoseidonInternalRelation(purportedEvaluations, evaluations, powPartialEval);
735 // batch the subrelations with the precomputed alpha powers to obtain the full honk relation
736 accumulator = scaleAndBatchSubrelations(evaluations, subrelationChallenges);
744 function wire(Fr[NUMBER_OF_ENTITIES] memory p, WIRE _wire) internal pure returns (Fr) {
745 return p[uint256(_wire)];
748 uint256 internal constant NEG_HALF_MODULO_P = 0x183227397098d014dc2822db40c0ac2e9419f4243cdcb848a1f0fac9f8000000;
754 function accumulateArithmeticRelation(
755 Fr[NUMBER_OF_ENTITIES] memory p,
756 Fr[NUMBER_OF_SUBRELATIONS] memory evals,
760 Fr q_arith = wire(p, WIRE.Q_ARITH);
762 Fr neg_half = Fr.wrap(NEG_HALF_MODULO_P);
764 Fr accum = (q_arith - Fr.wrap(3)) * (wire(p, WIRE.Q_M) * wire(p, WIRE.W_R) * wire(p, WIRE.W_L)) * neg_half;
765 accum = accum + (wire(p, WIRE.Q_L) * wire(p, WIRE.W_L)) + (wire(p, WIRE.Q_R) * wire(p, WIRE.W_R))
766 + (wire(p, WIRE.Q_O) * wire(p, WIRE.W_O)) + (wire(p, WIRE.Q_4) * wire(p, WIRE.W_4)) + wire(p, WIRE.Q_C);
767 accum = accum + (q_arith - ONE) * wire(p, WIRE.W_4_SHIFT);
768 accum = accum * q_arith;
769 accum = accum * domainSep;
775 Fr accum = wire(p, WIRE.W_L) + wire(p, WIRE.W_4) - wire(p, WIRE.W_L_SHIFT) + wire(p, WIRE.Q_M);
776 accum = accum * (q_arith - Fr.wrap(2));
777 accum = accum * (q_arith - ONE);
778 accum = accum * q_arith;
779 accum = accum * domainSep;
784 function accumulatePermutationRelation(
785 Fr[NUMBER_OF_ENTITIES] memory p,
786 Honk.RelationParameters memory rp,
787 Fr[NUMBER_OF_SUBRELATIONS] memory evals,
790 Fr grand_product_numerator;
791 Fr grand_product_denominator;
794 Fr num = wire(p, WIRE.W_L) + wire(p, WIRE.ID_1) * rp.beta + rp.gamma;
795 num = num * (wire(p, WIRE.W_R) + wire(p, WIRE.ID_2) * rp.beta + rp.gamma);
796 num = num * (wire(p, WIRE.W_O) + wire(p, WIRE.ID_3) * rp.beta + rp.gamma);
797 num = num * (wire(p, WIRE.W_4) + wire(p, WIRE.ID_4) * rp.beta + rp.gamma);
799 grand_product_numerator = num;
802 Fr den = wire(p, WIRE.W_L) + wire(p, WIRE.SIGMA_1) * rp.beta + rp.gamma;
803 den = den * (wire(p, WIRE.W_R) + wire(p, WIRE.SIGMA_2) * rp.beta + rp.gamma);
804 den = den * (wire(p, WIRE.W_O) + wire(p, WIRE.SIGMA_3) * rp.beta + rp.gamma);
805 den = den * (wire(p, WIRE.W_4) + wire(p, WIRE.SIGMA_4) * rp.beta + rp.gamma);
807 grand_product_denominator = den;
812 Fr acc = (wire(p, WIRE.Z_PERM) + wire(p, WIRE.LAGRANGE_FIRST)) * grand_product_numerator;
815 - ((wire(p, WIRE.Z_PERM_SHIFT) + (wire(p, WIRE.LAGRANGE_LAST) * rp.publicInputsDelta))
816 * grand_product_denominator);
817 acc = acc * domainSep;
823 Fr acc = (wire(p, WIRE.LAGRANGE_LAST) * wire(p, WIRE.Z_PERM_SHIFT)) * domainSep;
828 function accumulateLogDerivativeLookupRelation(
829 Fr[NUMBER_OF_ENTITIES] memory p,
830 Honk.RelationParameters memory rp,
831 Fr[NUMBER_OF_SUBRELATIONS] memory evals,
837 // Calculate the write term (the table accumulation)
839 write_term = wire(p, WIRE.TABLE_1) + rp.gamma + (wire(p, WIRE.TABLE_2) * rp.eta)
840 + (wire(p, WIRE.TABLE_3) * rp.etaTwo) + (wire(p, WIRE.TABLE_4) * rp.etaThree);
843 // Calculate the write term
845 Fr derived_entry_1 = wire(p, WIRE.W_L) + rp.gamma + (wire(p, WIRE.Q_R) * wire(p, WIRE.W_L_SHIFT));
846 Fr derived_entry_2 = wire(p, WIRE.W_R) + wire(p, WIRE.Q_M) * wire(p, WIRE.W_R_SHIFT);
847 Fr derived_entry_3 = wire(p, WIRE.W_O) + wire(p, WIRE.Q_C) * wire(p, WIRE.W_O_SHIFT);
849 read_term = derived_entry_1 + (derived_entry_2 * rp.eta) + (derived_entry_3 * rp.etaTwo)
850 + (wire(p, WIRE.Q_O) * rp.etaThree);
853 Fr read_inverse = wire(p, WIRE.LOOKUP_INVERSES) * write_term;
854 Fr write_inverse = wire(p, WIRE.LOOKUP_INVERSES) * read_term;
856 Fr inverse_exists_xor =
857 wire(p, WIRE.LOOKUP_READ_TAGS) + wire(p, WIRE.Q_LOOKUP)
858 - (wire(p, WIRE.LOOKUP_READ_TAGS) * wire(p, WIRE.Q_LOOKUP));
860 // Inverse calculated correctly relation
861 Fr accumulatorNone = read_term * write_term * wire(p, WIRE.LOOKUP_INVERSES) - inverse_exists_xor;
862 accumulatorNone = accumulatorNone * domainSep;
865 Fr accumulatorOne = wire(p, WIRE.Q_LOOKUP) * read_inverse - wire(p, WIRE.LOOKUP_READ_COUNTS) * write_inverse;
867 Fr read_tag = wire(p, WIRE.LOOKUP_READ_TAGS);
869 Fr read_tag_boolean_relation = read_tag * read_tag - read_tag;
871 evals[4] = accumulatorNone;
872 evals[5] = accumulatorOne;
873 evals[6] = read_tag_boolean_relation * domainSep;
876 function accumulateDeltaRangeRelation(
877 Fr[NUMBER_OF_ENTITIES] memory p,
878 Fr[NUMBER_OF_SUBRELATIONS] memory evals,
881 Fr minus_one = ZERO - ONE;
882 Fr minus_two = ZERO - Fr.wrap(2);
883 Fr minus_three = ZERO - Fr.wrap(3);
885 // Compute wire differences
886 Fr delta_1 = wire(p, WIRE.W_R) - wire(p, WIRE.W_L);
887 Fr delta_2 = wire(p, WIRE.W_O) - wire(p, WIRE.W_R);
888 Fr delta_3 = wire(p, WIRE.W_4) - wire(p, WIRE.W_O);
889 Fr delta_4 = wire(p, WIRE.W_L_SHIFT) - wire(p, WIRE.W_4);
894 acc = acc * (delta_1 + minus_one);
895 acc = acc * (delta_1 + minus_two);
896 acc = acc * (delta_1 + minus_three);
897 acc = acc * wire(p, WIRE.Q_RANGE);
898 acc = acc * domainSep;
905 acc = acc * (delta_2 + minus_one);
906 acc = acc * (delta_2 + minus_two);
907 acc = acc * (delta_2 + minus_three);
908 acc = acc * wire(p, WIRE.Q_RANGE);
909 acc = acc * domainSep;
916 acc = acc * (delta_3 + minus_one);
917 acc = acc * (delta_3 + minus_two);
918 acc = acc * (delta_3 + minus_three);
919 acc = acc * wire(p, WIRE.Q_RANGE);
920 acc = acc * domainSep;
927 acc = acc * (delta_4 + minus_one);
928 acc = acc * (delta_4 + minus_two);
929 acc = acc * (delta_4 + minus_three);
930 acc = acc * wire(p, WIRE.Q_RANGE);
931 acc = acc * domainSep;
936 struct EllipticParams {
944 // push accumulators into memory
945 Fr x_double_identity;
948 function accumulateEllipticRelation(
949 Fr[NUMBER_OF_ENTITIES] memory p,
950 Fr[NUMBER_OF_SUBRELATIONS] memory evals,
953 EllipticParams memory ep;
954 ep.x_1 = wire(p, WIRE.W_R);
955 ep.y_1 = wire(p, WIRE.W_O);
957 ep.x_2 = wire(p, WIRE.W_L_SHIFT);
958 ep.y_2 = wire(p, WIRE.W_4_SHIFT);
959 ep.y_3 = wire(p, WIRE.W_O_SHIFT);
960 ep.x_3 = wire(p, WIRE.W_R_SHIFT);
962 Fr q_sign = wire(p, WIRE.Q_L);
963 Fr q_is_double = wire(p, WIRE.Q_M);
965 // Contribution 10 point addition, x-coordinate check
966 // q_elliptic * (x3 + x2 + x1)(x2 - x1)(x2 - x1) - y2^2 - y1^2 + 2(y2y1)*q_sign = 0
967 Fr x_diff = (ep.x_2 - ep.x_1);
968 Fr y1_sqr = (ep.y_1 * ep.y_1);
971 Fr partialEval = domainSep;
973 Fr y2_sqr = (ep.y_2 * ep.y_2);
974 Fr y1y2 = ep.y_1 * ep.y_2 * q_sign;
975 Fr x_add_identity = (ep.x_3 + ep.x_2 + ep.x_1);
976 x_add_identity = x_add_identity * x_diff * x_diff;
977 x_add_identity = x_add_identity - y2_sqr - y1_sqr + y1y2 + y1y2;
979 evals[11] = x_add_identity * partialEval * wire(p, WIRE.Q_ELLIPTIC) * (ONE - q_is_double);
982 // Contribution 11 point addition, x-coordinate check
983 // q_elliptic * (q_sign * y1 + y3)(x2 - x1) + (x3 - x1)(y2 - q_sign * y1) = 0
985 Fr y1_plus_y3 = ep.y_1 + ep.y_3;
986 Fr y_diff = ep.y_2 * q_sign - ep.y_1;
987 Fr y_add_identity = y1_plus_y3 * x_diff + (ep.x_3 - ep.x_1) * y_diff;
988 evals[12] = y_add_identity * domainSep * wire(p, WIRE.Q_ELLIPTIC) * (ONE - q_is_double);
991 // Contribution 10 point doubling, x-coordinate check
992 // (x3 + x1 + x1) (4y1*y1) - 9 * x1 * x1 * x1 * x1 = 0
993 // N.B. we're using the equivalence x1*x1*x1 === y1*y1 - curve_b to reduce degree by 1
995 Fr x_pow_4 = (y1_sqr + GRUMPKIN_CURVE_B_PARAMETER_NEGATED) * ep.x_1;
996 Fr y1_sqr_mul_4 = y1_sqr + y1_sqr;
997 y1_sqr_mul_4 = y1_sqr_mul_4 + y1_sqr_mul_4;
998 Fr x1_pow_4_mul_9 = x_pow_4 * Fr.wrap(9);
1000 // NOTE: pushed into memory (stack >:'( )
1001 ep.x_double_identity = (ep.x_3 + ep.x_1 + ep.x_1) * y1_sqr_mul_4 - x1_pow_4_mul_9;
1003 Fr acc = ep.x_double_identity * domainSep * wire(p, WIRE.Q_ELLIPTIC) * q_is_double;
1004 evals[11] = evals[11] + acc;
1007 // Contribution 11 point doubling, y-coordinate check
1008 // (y1 + y1) (2y1) - (3 * x1 * x1)(x1 - x3) = 0
1010 Fr x1_sqr_mul_3 = (ep.x_1 + ep.x_1 + ep.x_1) * ep.x_1;
1011 Fr y_double_identity = x1_sqr_mul_3 * (ep.x_1 - ep.x_3) - (ep.y_1 + ep.y_1) * (ep.y_1 + ep.y_3);
1012 evals[12] = evals[12] + y_double_identity * domainSep * wire(p, WIRE.Q_ELLIPTIC) * q_is_double;
1016 // Parameters used within the Memory Relation
1017 // A struct is used to work around stack too deep. This relation has alot of variables
1019 Fr memory_record_check;
1020 Fr partial_record_check;
1021 Fr next_gate_access_type;
1024 Fr adjacent_values_match_if_adjacent_indices_match;
1025 Fr adjacent_values_match_if_adjacent_indices_match_and_next_access_is_a_read_operation;
1027 Fr next_gate_access_type_is_boolean;
1028 Fr ROM_consistency_check_identity;
1029 Fr RAM_consistency_check_identity;
1031 Fr RAM_timestamp_check_identity;
1033 Fr index_is_monotonically_increasing;
1036 function accumulateMemoryRelation(
1037 Fr[NUMBER_OF_ENTITIES] memory p,
1038 Honk.RelationParameters memory rp,
1039 Fr[NUMBER_OF_SUBRELATIONS] memory evals,
1042 MemParams memory ap;
1085 ap.memory_record_check = wire(p, WIRE.W_O) * rp.etaThree;
1086 ap.memory_record_check = ap.memory_record_check + (wire(p, WIRE.W_R) * rp.etaTwo);
1087 ap.memory_record_check = ap.memory_record_check + (wire(p, WIRE.W_L) * rp.eta);
1088 ap.memory_record_check = ap.memory_record_check + wire(p, WIRE.Q_C);
1089 ap.partial_record_check = ap.memory_record_check; // used in RAM consistency check; deg 1 or 4
1090 ap.memory_record_check = ap.memory_record_check - wire(p, WIRE.W_4);
1108 ap.index_delta = wire(p, WIRE.W_L_SHIFT) - wire(p, WIRE.W_L);
1109 ap.record_delta = wire(p, WIRE.W_4_SHIFT) - wire(p, WIRE.W_4);
1111 ap.index_is_monotonically_increasing = ap.index_delta * (ap.index_delta - Fr.wrap(1)); // deg 2
1113 ap.adjacent_values_match_if_adjacent_indices_match = (ap.index_delta * MINUS_ONE + ONE) * ap.record_delta; // deg 2
1115 evals[14] = ap.adjacent_values_match_if_adjacent_indices_match * (wire(p, WIRE.Q_L) * wire(p, WIRE.Q_R))
1116 * (wire(p, WIRE.Q_MEMORY) * domainSep); // deg 5
1117 evals[15] = ap.index_is_monotonically_increasing * (wire(p, WIRE.Q_L) * wire(p, WIRE.Q_R))
1118 * (wire(p, WIRE.Q_MEMORY) * domainSep); // deg 5
1120 ap.ROM_consistency_check_identity = ap.memory_record_check * (wire(p, WIRE.Q_L) * wire(p, WIRE.Q_R)); // deg 3 or 7
1141 Fr access_type = (wire(p, WIRE.W_4) - ap.partial_record_check); // will be 0 or 1 for honest Prover; deg 1 or 4
1142 ap.access_check = access_type * (access_type - Fr.wrap(1)); // check value is 0 or 1; deg 2 or 8
1144 // reverse order we could re-use `ap.partial_record_check` 1 - ((w3' * eta + w2') * eta + w1') * eta
1146 ap.next_gate_access_type = wire(p, WIRE.W_O_SHIFT) * rp.etaThree;
1147 ap.next_gate_access_type = ap.next_gate_access_type + (wire(p, WIRE.W_R_SHIFT) * rp.etaTwo);
1148 ap.next_gate_access_type = ap.next_gate_access_type + (wire(p, WIRE.W_L_SHIFT) * rp.eta);
1149 ap.next_gate_access_type = wire(p, WIRE.W_4_SHIFT) - ap.next_gate_access_type;
1151 Fr value_delta = wire(p, WIRE.W_O_SHIFT) - wire(p, WIRE.W_O);
1152 ap.adjacent_values_match_if_adjacent_indices_match_and_next_access_is_a_read_operation =
1153 (ap.index_delta * MINUS_ONE + ONE) * value_delta * (ap.next_gate_access_type * MINUS_ONE + ONE); // deg 3 or 6
1155 // We can't apply the RAM consistency check identity on the final entry in the sorted list (the wires in the
1156 // next gate would make the identity fail). We need to validate that its 'access type' bool is correct. Can't
1157 // do with an arithmetic gate because of the `eta` factors. We need to check that the *next* gate's access
1158 // type is correct, to cover this edge case
1160 ap.next_gate_access_type_is_boolean =
1161 ap.next_gate_access_type * ap.next_gate_access_type - ap.next_gate_access_type;
1163 // Putting it all together...
1164 evals[16] = ap.adjacent_values_match_if_adjacent_indices_match_and_next_access_is_a_read_operation
1165 * (wire(p, WIRE.Q_O)) * (wire(p, WIRE.Q_MEMORY) * domainSep); // deg 5 or 8
1166 evals[17] = ap.index_is_monotonically_increasing * (wire(p, WIRE.Q_O)) * (wire(p, WIRE.Q_MEMORY) * domainSep); // deg 4
1167 evals[18] = ap.next_gate_access_type_is_boolean * (wire(p, WIRE.Q_O)) * (wire(p, WIRE.Q_MEMORY) * domainSep); // deg 4 or 6
1169 ap.RAM_consistency_check_identity = ap.access_check * (wire(p, WIRE.Q_O)); // deg 3 or 9
1182 ap.timestamp_delta = wire(p, WIRE.W_R_SHIFT) - wire(p, WIRE.W_R);
1183 ap.RAM_timestamp_check_identity = (ap.index_delta * MINUS_ONE + ONE) * ap.timestamp_delta - wire(p, WIRE.W_O); // deg 3
1190 ap.memory_identity = ap.ROM_consistency_check_identity; // deg 3 or 6
1191 ap.memory_identity =
1192 ap.memory_identity + ap.RAM_timestamp_check_identity * (wire(p, WIRE.Q_4) * wire(p, WIRE.Q_L)); // deg 4
1193 ap.memory_identity = ap.memory_identity + ap.memory_record_check * (wire(p, WIRE.Q_M) * wire(p, WIRE.Q_L)); // deg 3 or 6
1194 ap.memory_identity = ap.memory_identity + ap.RAM_consistency_check_identity; // deg 3 or 9
1196 // (deg 3 or 9) + (deg 4) + (deg 3)
1197 ap.memory_identity = ap.memory_identity * (wire(p, WIRE.Q_MEMORY) * domainSep); // deg 4 or 10
1198 evals[13] = ap.memory_identity;
1201 // Constants for the Non-native Field relation
1202 Fr constant LIMB_SIZE = Fr.wrap(uint256(1) << 68);
1203 Fr constant SUBLIMB_SHIFT = Fr.wrap(uint256(1) << 14);
1205 // Parameters used within the Non-Native Field Relation
1206 // A struct is used to work around stack too deep. This relation has alot of variables
1209 Fr non_native_field_gate_1;
1210 Fr non_native_field_gate_2;
1211 Fr non_native_field_gate_3;
1212 Fr limb_accumulator_1;
1213 Fr limb_accumulator_2;
1217 function accumulateNnfRelation(
1218 Fr[NUMBER_OF_ENTITIES] memory p,
1219 Fr[NUMBER_OF_SUBRELATIONS] memory evals,
1222 NnfParams memory ap;
1236 ap.limb_subproduct = wire(p, WIRE.W_L) * wire(p, WIRE.W_R_SHIFT) + wire(p, WIRE.W_L_SHIFT) * wire(p, WIRE.W_R);
1237 ap.non_native_field_gate_2 =
1238 (wire(p, WIRE.W_L) * wire(p, WIRE.W_4) + wire(p, WIRE.W_R) * wire(p, WIRE.W_O) - wire(p, WIRE.W_O_SHIFT));
1239 ap.non_native_field_gate_2 = ap.non_native_field_gate_2 * LIMB_SIZE;
1240 ap.non_native_field_gate_2 = ap.non_native_field_gate_2 - wire(p, WIRE.W_4_SHIFT);
1241 ap.non_native_field_gate_2 = ap.non_native_field_gate_2 + ap.limb_subproduct;
1242 ap.non_native_field_gate_2 = ap.non_native_field_gate_2 * wire(p, WIRE.Q_4);
1244 ap.limb_subproduct = ap.limb_subproduct * LIMB_SIZE;
1245 ap.limb_subproduct = ap.limb_subproduct + (wire(p, WIRE.W_L_SHIFT) * wire(p, WIRE.W_R_SHIFT));
1246 ap.non_native_field_gate_1 = ap.limb_subproduct;
1247 ap.non_native_field_gate_1 = ap.non_native_field_gate_1 - (wire(p, WIRE.W_O) + wire(p, WIRE.W_4));
1248 ap.non_native_field_gate_1 = ap.non_native_field_gate_1 * wire(p, WIRE.Q_O);
1250 ap.non_native_field_gate_3 = ap.limb_subproduct;
1251 ap.non_native_field_gate_3 = ap.non_native_field_gate_3 + wire(p, WIRE.W_4);
1252 ap.non_native_field_gate_3 = ap.non_native_field_gate_3 - (wire(p, WIRE.W_O_SHIFT) + wire(p, WIRE.W_4_SHIFT));
1253 ap.non_native_field_gate_3 = ap.non_native_field_gate_3 * wire(p, WIRE.Q_M);
1255 Fr non_native_field_identity =
1256 ap.non_native_field_gate_1 + ap.non_native_field_gate_2 + ap.non_native_field_gate_3;
1257 non_native_field_identity = non_native_field_identity * wire(p, WIRE.Q_R);
1259 // ((((w2' * 2^14 + w1') * 2^14 + w3) * 2^14 + w2) * 2^14 + w1 - w4) * qm
1261 ap.limb_accumulator_1 = wire(p, WIRE.W_R_SHIFT) * SUBLIMB_SHIFT;
1262 ap.limb_accumulator_1 = ap.limb_accumulator_1 + wire(p, WIRE.W_L_SHIFT);
1263 ap.limb_accumulator_1 = ap.limb_accumulator_1 * SUBLIMB_SHIFT;
1264 ap.limb_accumulator_1 = ap.limb_accumulator_1 + wire(p, WIRE.W_O);
1265 ap.limb_accumulator_1 = ap.limb_accumulator_1 * SUBLIMB_SHIFT;
1266 ap.limb_accumulator_1 = ap.limb_accumulator_1 + wire(p, WIRE.W_R);
1267 ap.limb_accumulator_1 = ap.limb_accumulator_1 * SUBLIMB_SHIFT;
1268 ap.limb_accumulator_1 = ap.limb_accumulator_1 + wire(p, WIRE.W_L);
1269 ap.limb_accumulator_1 = ap.limb_accumulator_1 - wire(p, WIRE.W_4);
1270 ap.limb_accumulator_1 = ap.limb_accumulator_1 * wire(p, WIRE.Q_4);
1272 // ((((w3' * 2^14 + w2') * 2^14 + w1') * 2^14 + w4) * 2^14 + w3 - w4') * qm
1274 ap.limb_accumulator_2 = wire(p, WIRE.W_O_SHIFT) * SUBLIMB_SHIFT;
1275 ap.limb_accumulator_2 = ap.limb_accumulator_2 + wire(p, WIRE.W_R_SHIFT);
1276 ap.limb_accumulator_2 = ap.limb_accumulator_2 * SUBLIMB_SHIFT;
1277 ap.limb_accumulator_2 = ap.limb_accumulator_2 + wire(p, WIRE.W_L_SHIFT);
1278 ap.limb_accumulator_2 = ap.limb_accumulator_2 * SUBLIMB_SHIFT;
1279 ap.limb_accumulator_2 = ap.limb_accumulator_2 + wire(p, WIRE.W_4);
1280 ap.limb_accumulator_2 = ap.limb_accumulator_2 * SUBLIMB_SHIFT;
1281 ap.limb_accumulator_2 = ap.limb_accumulator_2 + wire(p, WIRE.W_O);
1282 ap.limb_accumulator_2 = ap.limb_accumulator_2 - wire(p, WIRE.W_4_SHIFT);
1283 ap.limb_accumulator_2 = ap.limb_accumulator_2 * wire(p, WIRE.Q_M);
1285 Fr limb_accumulator_identity = ap.limb_accumulator_1 + ap.limb_accumulator_2;
1286 limb_accumulator_identity = limb_accumulator_identity * wire(p, WIRE.Q_O); // deg 3
1288 ap.nnf_identity = non_native_field_identity + limb_accumulator_identity;
1289 ap.nnf_identity = ap.nnf_identity * (wire(p, WIRE.Q_NNF) * domainSep);
1290 evals[19] = ap.nnf_identity;
1293 struct PoseidonExternalParams {
1310 Fr q_pos_by_scaling;
1313 function accumulatePoseidonExternalRelation(
1314 Fr[NUMBER_OF_ENTITIES] memory p,
1315 Fr[NUMBER_OF_SUBRELATIONS] memory evals,
1318 PoseidonExternalParams memory ep;
1320 ep.s1 = wire(p, WIRE.W_L) + wire(p, WIRE.Q_L);
1321 ep.s2 = wire(p, WIRE.W_R) + wire(p, WIRE.Q_R);
1322 ep.s3 = wire(p, WIRE.W_O) + wire(p, WIRE.Q_O);
1323 ep.s4 = wire(p, WIRE.W_4) + wire(p, WIRE.Q_4);
1325 ep.u1 = ep.s1 * ep.s1 * ep.s1 * ep.s1 * ep.s1;
1326 ep.u2 = ep.s2 * ep.s2 * ep.s2 * ep.s2 * ep.s2;
1327 ep.u3 = ep.s3 * ep.s3 * ep.s3 * ep.s3 * ep.s3;
1328 ep.u4 = ep.s4 * ep.s4 * ep.s4 * ep.s4 * ep.s4;
1329 // matrix mul v = M_E * u with 14 additions
1330 ep.t0 = ep.u1 + ep.u2; // u_1 + u_2
1331 ep.t1 = ep.u3 + ep.u4; // u_3 + u_4
1332 ep.t2 = ep.u2 + ep.u2 + ep.t1; // 2u_2
1333 // ep.t2 += ep.t1; // 2u_2 + u_3 + u_4
1334 ep.t3 = ep.u4 + ep.u4 + ep.t0; // 2u_4
1335 // ep.t3 += ep.t0; // u_1 + u_2 + 2u_4
1336 ep.v4 = ep.t1 + ep.t1;
1337 ep.v4 = ep.v4 + ep.v4 + ep.t3;
1338 // ep.v4 += ep.t3; // u_1 + u_2 + 4u_3 + 6u_4
1339 ep.v2 = ep.t0 + ep.t0;
1340 ep.v2 = ep.v2 + ep.v2 + ep.t2;
1341 // ep.v2 += ep.t2; // 4u_1 + 6u_2 + u_3 + u_4
1342 ep.v1 = ep.t3 + ep.v2; // 5u_1 + 7u_2 + u_3 + 3u_4
1343 ep.v3 = ep.t2 + ep.v4; // u_1 + 3u_2 + 5u_3 + 7u_4
1345 ep.q_pos_by_scaling = wire(p, WIRE.Q_POSEIDON2_EXTERNAL) * domainSep;
1346 evals[20] = evals[20] + ep.q_pos_by_scaling * (ep.v1 - wire(p, WIRE.W_L_SHIFT));
1348 evals[21] = evals[21] + ep.q_pos_by_scaling * (ep.v2 - wire(p, WIRE.W_R_SHIFT));
1350 evals[22] = evals[22] + ep.q_pos_by_scaling * (ep.v3 - wire(p, WIRE.W_O_SHIFT));
1352 evals[23] = evals[23] + ep.q_pos_by_scaling * (ep.v4 - wire(p, WIRE.W_4_SHIFT));
1355 struct PoseidonInternalParams {
1366 Fr q_pos_by_scaling;
1369 function accumulatePoseidonInternalRelation(
1370 Fr[NUMBER_OF_ENTITIES] memory p,
1371 Fr[NUMBER_OF_SUBRELATIONS] memory evals,
1374 PoseidonInternalParams memory ip;
1376 Fr[4] memory INTERNAL_MATRIX_DIAGONAL = [
1377 FrLib.from(0x10dc6e9c006ea38b04b1e03b4bd9490c0d03f98929ca1d7fb56821fd19d3b6e7),
1378 FrLib.from(0x0c28145b6a44df3e0149b3d0a30b3bb599df9756d4dd9b84a86b38cfb45a740b),
1379 FrLib.from(0x00544b8338791518b2c7645a50392798b21f75bb60e3596170067d00141cac15),
1380 FrLib.from(0x222c01175718386f2e2e82eb122789e352e105a3b8fa852613bc534433ee428b)
1383 // add round constants
1384 ip.s1 = wire(p, WIRE.W_L) + wire(p, WIRE.Q_L);
1386 // apply s-box round
1387 ip.u1 = ip.s1 * ip.s1 * ip.s1 * ip.s1 * ip.s1;
1388 ip.u2 = wire(p, WIRE.W_R);
1389 ip.u3 = wire(p, WIRE.W_O);
1390 ip.u4 = wire(p, WIRE.W_4);
1392 // matrix mul with v = M_I * u 4 muls and 7 additions
1393 ip.u_sum = ip.u1 + ip.u2 + ip.u3 + ip.u4;
1395 ip.q_pos_by_scaling = wire(p, WIRE.Q_POSEIDON2_INTERNAL) * domainSep;
1397 ip.v1 = ip.u1 * INTERNAL_MATRIX_DIAGONAL[0] + ip.u_sum;
1398 evals[24] = evals[24] + ip.q_pos_by_scaling * (ip.v1 - wire(p, WIRE.W_L_SHIFT));
1400 ip.v2 = ip.u2 * INTERNAL_MATRIX_DIAGONAL[1] + ip.u_sum;
1401 evals[25] = evals[25] + ip.q_pos_by_scaling * (ip.v2 - wire(p, WIRE.W_R_SHIFT));
1403 ip.v3 = ip.u3 * INTERNAL_MATRIX_DIAGONAL[2] + ip.u_sum;
1404 evals[26] = evals[26] + ip.q_pos_by_scaling * (ip.v3 - wire(p, WIRE.W_O_SHIFT));
1406 ip.v4 = ip.u4 * INTERNAL_MATRIX_DIAGONAL[3] + ip.u_sum;
1407 evals[27] = evals[27] + ip.q_pos_by_scaling * (ip.v4 - wire(p, WIRE.W_4_SHIFT));
1410 // Batch subrelation evaluations using precomputed powers of alpha
1411 // First subrelation is implicitly scaled by 1, subsequent ones use powers from the subrelationChallenges array
1412 function scaleAndBatchSubrelations(
1413 Fr[NUMBER_OF_SUBRELATIONS] memory evaluations,
1414 Fr[NUMBER_OF_ALPHAS] memory subrelationChallenges
1415 ) internal pure returns (Fr accumulator) {
1416 accumulator = evaluations[0];
1418 for (uint256 i = 1; i < NUMBER_OF_SUBRELATIONS; ++i) {
1419 accumulator = accumulator + evaluations[i] * subrelationChallenges[i - 1];
1424// Field arithmetic libraries - prevent littering the code with modmul / addmul
1426library CommitmentSchemeLib {
1429 // Avoid stack too deep
1430 struct ShpleminiIntermediates {
1433 Fr unshiftedScalarNeg;
1434 Fr shiftedScalarNeg;
1435 // Scalar to be multiplied by [1]₁
1436 Fr constantTermAccumulator;
1437 // Accumulator for powers of rho
1438 Fr batchingChallenge;
1439 // Linear combination of multilinear (sumcheck) evaluations and powers of rho
1440 Fr batchedEvaluation;
1442 Fr[4] batchingScalars;
1443 // 1/(z - r^{2^i}) for i = 0, ..., logSize, dynamically updated
1444 Fr posInvertedDenominator;
1445 // 1/(z + r^{2^i}) for i = 0, ..., logSize, dynamically updated
1446 Fr negInvertedDenominator;
1447 // ν^{2i} * 1/(z - r^{2^i})
1448 Fr scalingFactorPos;
1449 // ν^{2i+1} * 1/(z + r^{2^i})
1450 Fr scalingFactorNeg;
1451 // Fold_i(r^{2^i}) reconstructed by Verifier
1452 Fr[] foldPosEvaluations;
1455 function computeSquares(Fr r, uint256 logN) internal pure returns (Fr[] memory) {
1456 Fr[] memory squares = new Fr[](logN);
1458 for (uint256 i = 1; i < logN; ++i) {
1459 squares[i] = squares[i - 1].sqr();
1463 // Compute the evaluations Aₗ(r^{2ˡ}) for l = 0, ..., m-1
1465 function computeFoldPosEvaluations(
1466 Fr[CONST_PROOF_SIZE_LOG_N] memory sumcheckUChallenges,
1467 Fr batchedEvalAccumulator,
1468 Fr[CONST_PROOF_SIZE_LOG_N] memory geminiEvaluations,
1469 Fr[] memory geminiEvalChallengePowers,
1471 ) internal view returns (Fr[] memory) {
1472 Fr[] memory foldPosEvaluations = new Fr[](logSize);
1473 for (uint256 i = logSize; i > 0; --i) {
1474 Fr challengePower = geminiEvalChallengePowers[i - 1];
1475 Fr u = sumcheckUChallenges[i - 1];
1477 Fr batchedEvalRoundAcc = ((challengePower * batchedEvalAccumulator * Fr.wrap(2)) - geminiEvaluations[i - 1]
1478 * (challengePower * (ONE - u) - u));
1479 // Divide by the denominator
1480 batchedEvalRoundAcc = batchedEvalRoundAcc * (challengePower * (ONE - u) + u).invert();
1482 batchedEvalAccumulator = batchedEvalRoundAcc;
1483 foldPosEvaluations[i - 1] = batchedEvalRoundAcc;
1485 return foldPosEvaluations;
1489uint256 constant Q = 21888242871839275222246405745257275088696311157297823662689037894645226208583; // EC group order. F_q
1491function bytes32ToString(bytes32 value) pure returns (string memory result) {
1492 bytes memory alphabet = "0123456789abcdef";
1494 bytes memory str = new bytes(66);
1497 for (uint256 i = 0; i < 32; i++) {
1498 str[2 + i * 2] = alphabet[uint8(value[i] >> 4)];
1499 str[3 + i * 2] = alphabet[uint8(value[i] & 0x0f)];
1501 result = string(str);
1506function bytesToFr(bytes calldata proofSection) pure returns (Fr scalar) {
1507 scalar = FrLib.fromBytes32(bytes32(proofSection));
1510// EC Point utilities
1511function bytesToG1Point(bytes calldata proofSection) pure returns (Honk.G1Point memory point) {
1512 point = Honk.G1Point({
1513 x: uint256(bytes32(proofSection[0x00:0x20])) % Q, y: uint256(bytes32(proofSection[0x20:0x40])) % Q
1517function negateInplace(Honk.G1Point memory point) pure returns (Honk.G1Point memory) {
1518 point.y = (Q - point.y) % Q;
1534function convertPairingPointsToG1(Fr[PAIRING_POINTS_SIZE] memory pairingPoints)
1536 returns (Honk.G1Point memory lhs, Honk.G1Point memory rhs)
1538 uint256 lhsX = Fr.unwrap(pairingPoints[0]);
1539 lhsX |= Fr.unwrap(pairingPoints[1]) << 68;
1540 lhsX |= Fr.unwrap(pairingPoints[2]) << 136;
1541 lhsX |= Fr.unwrap(pairingPoints[3]) << 204;
1544 uint256 lhsY = Fr.unwrap(pairingPoints[4]);
1545 lhsY |= Fr.unwrap(pairingPoints[5]) << 68;
1546 lhsY |= Fr.unwrap(pairingPoints[6]) << 136;
1547 lhsY |= Fr.unwrap(pairingPoints[7]) << 204;
1550 uint256 rhsX = Fr.unwrap(pairingPoints[8]);
1551 rhsX |= Fr.unwrap(pairingPoints[9]) << 68;
1552 rhsX |= Fr.unwrap(pairingPoints[10]) << 136;
1553 rhsX |= Fr.unwrap(pairingPoints[11]) << 204;
1556 uint256 rhsY = Fr.unwrap(pairingPoints[12]);
1557 rhsY |= Fr.unwrap(pairingPoints[13]) << 68;
1558 rhsY |= Fr.unwrap(pairingPoints[14]) << 136;
1559 rhsY |= Fr.unwrap(pairingPoints[15]) << 204;
1571function generateRecursionSeparator(
1572 Fr[PAIRING_POINTS_SIZE] memory proofPairingPoints,
1573 Honk.G1Point memory accLhs,
1574 Honk.G1Point memory accRhs
1575) pure returns (Fr recursionSeparator) {
1576 // hash the proof aggregated X
1577 // hash the proof aggregated Y
1581 (Honk.G1Point memory proofLhs, Honk.G1Point memory proofRhs) = convertPairingPointsToG1(proofPairingPoints);
1583 uint256[8] memory recursionSeparatorElements;
1586 recursionSeparatorElements[0] = proofLhs.x;
1587 recursionSeparatorElements[1] = proofLhs.y;
1588 recursionSeparatorElements[2] = proofRhs.x;
1589 recursionSeparatorElements[3] = proofRhs.y;
1591 // Accumulator points
1592 recursionSeparatorElements[4] = accLhs.x;
1593 recursionSeparatorElements[5] = accLhs.y;
1594 recursionSeparatorElements[6] = accRhs.x;
1595 recursionSeparatorElements[7] = accRhs.y;
1597 recursionSeparator = FrLib.fromBytes32(keccak256(abi.encodePacked(recursionSeparatorElements)));
1609function mulWithSeperator(Honk.G1Point memory basePoint, Honk.G1Point memory other, Fr recursionSeperator)
1611 returns (Honk.G1Point memory)
1613 Honk.G1Point memory result;
1615 result = ecMul(recursionSeperator, basePoint);
1616 result = ecAdd(result, other);
1629function ecMul(Fr value, Honk.G1Point memory point) view returns (Honk.G1Point memory) {
1630 Honk.G1Point memory result;
1633 let free := mload(0x40)
1634 // Write the point into memory (two 32 byte words)
1638 // free + 0x20| point.y
1639 mstore(free, mload(point))
1640 mstore(add(free, 0x20), mload(add(point, 0x20)))
1641 // Write the scalar into memory (one 32 byte word)
1644 // free + 0x40| value
1645 mstore(add(free, 0x40), value)
1647 // Call the ecMul precompile, it takes in the following
1648 // [point.x, point.y, scalar], and returns the result back into the free memory location.
1649 let success := staticcall(gas(), 0x07, free, 0x60, free, 0x40)
1650 if iszero(success) {
1653 // Copy the result of the multiplication back into the result memory location.
1656 // result | result.x
1657 // result + 0x20| result.y
1658 mstore(result, mload(free))
1659 mstore(add(result, 0x20), mload(add(free, 0x20)))
1661 mstore(0x40, add(free, 0x60))
1675function ecAdd(Honk.G1Point memory lhs, Honk.G1Point memory rhs) view returns (Honk.G1Point memory) {
1676 Honk.G1Point memory result;
1679 let free := mload(0x40)
1680 // Write lhs into memory (two 32 byte words)
1684 // free + 0x20| lhs.y
1685 mstore(free, mload(lhs))
1686 mstore(add(free, 0x20), mload(add(lhs, 0x20)))
1688 // Write rhs into memory (two 32 byte words)
1691 // free + 0x40| rhs.x
1692 // free + 0x60| rhs.y
1693 mstore(add(free, 0x40), mload(rhs))
1694 mstore(add(free, 0x60), mload(add(rhs, 0x20)))
1696 // Call the ecAdd precompile, it takes in the following
1697 // [lhs.x, lhs.y, rhs.x, rhs.y], and returns their addition back into the free memory location.
1698 let success := staticcall(gas(), 0x06, free, 0x80, free, 0x40)
1699 if iszero(success) { revert(0, 0) }
1701 // Copy the result of the addition back into the result memory location.
1704 // result | result.x
1705 // result + 0x20| result.y
1706 mstore(result, mload(free))
1707 mstore(add(result, 0x20), mload(add(free, 0x20)))
1709 mstore(0x40, add(free, 0x80))
1715function validateOnCurve(Honk.G1Point memory point) pure {
1716 uint256 x = point.x;
1717 uint256 y = point.y;
1719 bool success = false;
1721 let xx := mulmod(x, x, Q)
1722 success := eq(mulmod(y, y, Q), addmod(mulmod(x, xx, Q), 3, Q))
1725 require(success, "point is not on the curve");
1728function pairing(Honk.G1Point memory rhs, Honk.G1Point memory lhs) view returns (bool decodedResult) {
1729 bytes memory input = abi.encodePacked(
1733 uint256(0x198e9393920d483a7260bfb731fb5d25f1aa493335a9e71297e485b7aef312c2),
1734 uint256(0x1800deef121f1e76426a00665e5c4479674322d4f75edadd46debd5cd992f6ed),
1735 uint256(0x090689d0585ff075ec9e99ad690c3395bc4b313370b38ef355acdadcd122975b),
1736 uint256(0x12c85ea5db8c6deb4aab71808dcb408fe3d1e7690c43d37b4ce6cc0166fa7daa),
1740 uint256(0x260e01b251f6f1c7e7ff4e580791dee8ea51d87a358e038b4efe30fac09383c1),
1741 uint256(0x0118c4d5b837bcc2bc89b5b398b5974e9f5944073b32078b7e231fec938883b0),
1742 uint256(0x04fc6369f7110fe3d25156c1bb9a72859cf2a04641f99ba4ee413c80da6a5fe4),
1743 uint256(0x22febda3c0c0632a56475b4214e5615e11e6dd3f96e6cea2854a87d4dacc5e55)
1746 (bool success, bytes memory result) = address(0x08).staticcall(input);
1747 decodedResult = success && abi.decode(result, (bool));
1750// Field arithmetic libraries - prevent littering the code with modmul / addmul
1755abstract contract BaseZKHonkVerifier is IVerifier {
1758 uint256 immutable $N;
1759 uint256 immutable $LOG_N;
1760 uint256 immutable $VK_HASH;
1761 uint256 immutable $NUM_PUBLIC_INPUTS;
1762 uint256 immutable $MSMSize;
1764 constructor(uint256 _N, uint256 _logN, uint256 _vkHash, uint256 _numPublicInputs) {
1768 $NUM_PUBLIC_INPUTS = _numPublicInputs;
1769 $MSMSize = NUMBER_UNSHIFTED_ZK + _logN + LIBRA_COMMITMENTS + 2;
1773 error ProofLengthWrong();
1774 error ProofLengthWrongWithLogN(uint256 logN, uint256 actualLength, uint256 expectedLength);
1775 error PublicInputsLengthWrong();
1776 error SumcheckFailed();
1777 error ShpleminiFailed();
1778 error GeminiChallengeInSubgroup();
1779 error ConsistencyCheckFailed();
1781 // Constants for proof length calculation (matching UltraKeccakZKFlavor)
1782 uint256 constant NUM_WITNESS_ENTITIES = 8 + NUM_MASKING_POLYNOMIALS;
1783 uint256 constant NUM_ELEMENTS_COMM = 2; // uint256 elements for curve points
1784 uint256 constant NUM_ELEMENTS_FR = 1; // uint256 elements for field elements
1785 uint256 constant NUM_LIBRA_EVALUATIONS = 4; // libra evaluations
1787 // Calculate proof size based on log_n (matching UltraKeccakZKFlavor formula)
1788 function calculateProofSize(uint256 logN) internal pure returns (uint256) {
1789 // Witness and Libra commitments
1790 uint256 proofLength = NUM_WITNESS_ENTITIES * NUM_ELEMENTS_COMM; // witness commitments
1791 proofLength += NUM_ELEMENTS_COMM * 3; // Libra concat, grand sum, quotient comms + Gemini masking
1794 proofLength += logN * ZK_BATCHED_RELATION_PARTIAL_LENGTH * NUM_ELEMENTS_FR; // sumcheck univariates
1795 proofLength += NUMBER_OF_ENTITIES_ZK * NUM_ELEMENTS_FR; // sumcheck evaluations
1798 proofLength += NUM_ELEMENTS_FR * 2; // Libra sum, claimed eval
1799 proofLength += logN * NUM_ELEMENTS_FR; // Gemini a evaluations
1800 proofLength += NUM_LIBRA_EVALUATIONS * NUM_ELEMENTS_FR; // libra evaluations
1803 proofLength += (logN - 1) * NUM_ELEMENTS_COMM; // Gemini Fold commitments
1804 proofLength += NUM_ELEMENTS_COMM * 2; // Shplonk Q and KZG W commitments
1807 proofLength += PAIRING_POINTS_SIZE; // pairing inputs carried on public inputs
1812 uint256 constant SHIFTED_COMMITMENTS_START = 30;
1814 function loadVerificationKey() internal pure virtual returns (Honk.VerificationKey memory);
1816 function verify(bytes calldata proof, bytes32[] calldata publicInputs)
1820 returns (bool verified)
1822 // Calculate expected proof size based on $LOG_N
1823 uint256 expectedProofSize = calculateProofSize($LOG_N);
1825 // Check the received proof is the expected size where each field element is 32 bytes
1826 if (proof.length != expectedProofSize * 32) {
1827 revert ProofLengthWrongWithLogN($LOG_N, proof.length, expectedProofSize * 32);
1830 Honk.VerificationKey memory vk = loadVerificationKey();
1831 Honk.ZKProof memory p = ZKTranscriptLib.loadProof(proof, $LOG_N);
1833 if (publicInputs.length != vk.publicInputsSize - PAIRING_POINTS_SIZE) {
1834 revert PublicInputsLengthWrong();
1837 // Generate the fiat shamir challenges for the whole protocol
1838 ZKTranscript memory t =
1839 ZKTranscriptLib.generateTranscript(p, publicInputs, $VK_HASH, $NUM_PUBLIC_INPUTS, $LOG_N);
1841 // Derive public input delta
1842 t.relationParameters.publicInputsDelta = computePublicInputDelta(
1844 p.pairingPointObject,
1845 t.relationParameters.beta,
1846 t.relationParameters.gamma, /*pubInputsOffset=*/
1851 if (!verifySumcheck(p, t)) revert SumcheckFailed();
1853 if (!verifyShplemini(p, vk, t)) revert ShpleminiFailed();
1858 uint256 constant PERMUTATION_ARGUMENT_VALUE_SEPARATOR = 1 << 28;
1860 function computePublicInputDelta(
1861 bytes32[] memory publicInputs,
1862 Fr[PAIRING_POINTS_SIZE] memory pairingPointObject,
1866 ) internal view returns (Fr publicInputDelta) {
1867 Fr numerator = Fr.wrap(1);
1868 Fr denominator = Fr.wrap(1);
1870 Fr numeratorAcc = gamma + (beta * FrLib.from(PERMUTATION_ARGUMENT_VALUE_SEPARATOR + offset));
1871 Fr denominatorAcc = gamma - (beta * FrLib.from(offset + 1));
1874 for (uint256 i = 0; i < $NUM_PUBLIC_INPUTS - PAIRING_POINTS_SIZE; i++) {
1875 Fr pubInput = FrLib.fromBytes32(publicInputs[i]);
1877 numerator = numerator * (numeratorAcc + pubInput);
1878 denominator = denominator * (denominatorAcc + pubInput);
1880 numeratorAcc = numeratorAcc + beta;
1881 denominatorAcc = denominatorAcc - beta;
1884 for (uint256 i = 0; i < PAIRING_POINTS_SIZE; i++) {
1885 Fr pubInput = pairingPointObject[i];
1887 numerator = numerator * (numeratorAcc + pubInput);
1888 denominator = denominator * (denominatorAcc + pubInput);
1890 numeratorAcc = numeratorAcc + beta;
1891 denominatorAcc = denominatorAcc - beta;
1895 // Fr delta = numerator / denominator; // TOOO: batch invert later?
1896 publicInputDelta = FrLib.div(numerator, denominator);
1899 function verifySumcheck(Honk.ZKProof memory proof, ZKTranscript memory tp) internal view returns (bool verified) {
1900 Fr roundTargetSum = tp.libraChallenge * proof.libraSum; // default 0
1901 Fr powPartialEvaluation = Fr.wrap(1);
1903 // We perform sumcheck reductions over log n rounds ( the multivariate degree )
1904 for (uint256 round; round < $LOG_N; ++round) {
1905 Fr[ZK_BATCHED_RELATION_PARTIAL_LENGTH] memory roundUnivariate = proof.sumcheckUnivariates[round];
1906 Fr totalSum = roundUnivariate[0] + roundUnivariate[1];
1907 if (totalSum != roundTargetSum) revert SumcheckFailed();
1909 Fr roundChallenge = tp.sumCheckUChallenges[round];
1911 // Update the round target for the next rounf
1912 roundTargetSum = computeNextTargetSum(roundUnivariate, roundChallenge);
1913 powPartialEvaluation =
1914 powPartialEvaluation * (Fr.wrap(1) + roundChallenge * (tp.gateChallenges[round] - Fr.wrap(1)));
1918 // For ZK flavors: sumcheckEvaluations has 42 elements
1919 // Index 0 is gemini_masking_poly, indices 1-41 are the regular entities used in relations
1920 Fr[NUMBER_OF_ENTITIES] memory relationsEvaluations;
1921 for (uint256 i = 0; i < NUMBER_OF_ENTITIES; i++) {
1922 relationsEvaluations[i] = proof.sumcheckEvaluations[i + NUM_MASKING_POLYNOMIALS]; // Skip gemini_masking_poly at index 0
1924 Fr grandHonkRelationSum = RelationsLib.accumulateRelationEvaluations(
1925 relationsEvaluations, tp.relationParameters, tp.alphas, powPartialEvaluation
1928 Fr evaluation = Fr.wrap(1);
1929 for (uint256 i = 2; i < $LOG_N; i++) {
1930 evaluation = evaluation * tp.sumCheckUChallenges[i];
1933 grandHonkRelationSum =
1934 grandHonkRelationSum * (Fr.wrap(1) - evaluation) + proof.libraEvaluation * tp.libraChallenge;
1935 verified = (grandHonkRelationSum == roundTargetSum);
1938 // Return the new target sum for the next sumcheck round
1939 function computeNextTargetSum(Fr[ZK_BATCHED_RELATION_PARTIAL_LENGTH] memory roundUnivariates, Fr roundChallenge)
1942 returns (Fr targetSum)
1944 Fr[ZK_BATCHED_RELATION_PARTIAL_LENGTH] memory BARYCENTRIC_LAGRANGE_DENOMINATORS = [
1945 Fr.wrap(0x0000000000000000000000000000000000000000000000000000000000009d80),
1946 Fr.wrap(0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593efffec51),
1947 Fr.wrap(0x00000000000000000000000000000000000000000000000000000000000005a0),
1948 Fr.wrap(0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593effffd31),
1949 Fr.wrap(0x0000000000000000000000000000000000000000000000000000000000000240),
1950 Fr.wrap(0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593effffd31),
1951 Fr.wrap(0x00000000000000000000000000000000000000000000000000000000000005a0),
1952 Fr.wrap(0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593efffec51),
1953 Fr.wrap(0x0000000000000000000000000000000000000000000000000000000000009d80)
1956 // To compute the next target sum, we evaluate the given univariate at a point u (challenge).
1958 // Performing Barycentric evaluations
1960 Fr numeratorValue = Fr.wrap(1);
1961 for (uint256 i = 0; i < ZK_BATCHED_RELATION_PARTIAL_LENGTH; ++i) {
1962 numeratorValue = numeratorValue * (roundChallenge - Fr.wrap(i));
1965 Fr[ZK_BATCHED_RELATION_PARTIAL_LENGTH] memory denominatorInverses;
1966 for (uint256 i = 0; i < ZK_BATCHED_RELATION_PARTIAL_LENGTH; ++i) {
1967 denominatorInverses[i] = FrLib.invert(BARYCENTRIC_LAGRANGE_DENOMINATORS[i] * (roundChallenge - Fr.wrap(i)));
1970 for (uint256 i = 0; i < ZK_BATCHED_RELATION_PARTIAL_LENGTH; ++i) {
1971 targetSum = targetSum + roundUnivariates[i] * denominatorInverses[i];
1974 // Scale the sum by the value of B(x)
1975 targetSum = targetSum * numeratorValue;
1978 uint256 constant LIBRA_COMMITMENTS = 3;
1979 uint256 constant LIBRA_EVALUATIONS = 4;
1980 uint256 constant LIBRA_UNIVARIATES_LENGTH = 9;
1982 struct PairingInputs {
1987 function verifyShplemini(Honk.ZKProof memory proof, Honk.VerificationKey memory vk, ZKTranscript memory tp)
1990 returns (bool verified)
1992 CommitmentSchemeLib.ShpleminiIntermediates memory mem; // stack
1994 // - Compute vector (r, r², ... , r²⁽ⁿ⁻¹⁾), where n = log_circuit_size
1995 Fr[] memory powers_of_evaluation_challenge = CommitmentSchemeLib.computeSquares(tp.geminiR, $LOG_N);
1996 // Arrays hold values that will be linearly combined for the gemini and shplonk batch openings
1997 Fr[] memory scalars = new Fr[]($MSMSize);
1998 Honk.G1Point[] memory commitments = new Honk.G1Point[]($MSMSize);
2000 mem.posInvertedDenominator = (tp.shplonkZ - powers_of_evaluation_challenge[0]).invert();
2001 mem.negInvertedDenominator = (tp.shplonkZ + powers_of_evaluation_challenge[0]).invert();
2003 mem.unshiftedScalar = mem.posInvertedDenominator + (tp.shplonkNu * mem.negInvertedDenominator);
2005 tp.geminiR.invert() * (mem.posInvertedDenominator - (tp.shplonkNu * mem.negInvertedDenominator));
2007 scalars[0] = Fr.wrap(1);
2008 commitments[0] = proof.shplonkQ;
2010 /* Batch multivariate opening claims, shifted and unshifted
2011 * The vector of scalars is populated as follows:
2014 * - \left(\frac{1}{z-r} + \nu \times \frac{1}{z+r}\right),
2016 * - \rho^{i+k-1} \times \left(\frac{1}{z-r} + \nu \times \frac{1}{z+r}\right),
2017 * - \rho^{i+k} \times \frac{1}{r} \times \left(\frac{1}{z-r} - \nu \times \frac{1}{z+r}\right),
2019 * - \rho^{k+m-1} \times \frac{1}{r} \times \left(\frac{1}{z-r} - \nu \times \frac{1}{z+r}\right)
2023 * The following vector is concatenated to the vector of commitments:
2025 * f_0, \ldots, f_{m-1}, f_{\text{shift}, 0}, \ldots, f_{\text{shift}, k-1}
2028 * Simultaneously, the evaluation of the multilinear polynomial
2030 * \sum \rho^i \cdot f_i + \sum \rho^{i+k} \cdot f_{\text{shift}, i}
2032 * at the challenge point \f$ (u_0,\ldots, u_{n-1}) \f$ is computed.
2034 * This approach minimizes the number of iterations over the commitments to multilinear polynomials
2035 * and eliminates the need to store the powers of \f$ \rho \f$.
2037 // For ZK flavors: evaluations array is [gemini_masking_poly, qm, qc, ql, qr, ...]
2038 // Start batching challenge at 1, not rho, to match non-ZK pattern
2039 mem.batchingChallenge = Fr.wrap(1);
2040 mem.batchedEvaluation = Fr.wrap(0);
2042 mem.unshiftedScalarNeg = mem.unshiftedScalar.neg();
2043 mem.shiftedScalarNeg = mem.shiftedScalar.neg();
2045 // Process all NUMBER_UNSHIFTED_ZK evaluations (includes gemini_masking_poly at index 0)
2046 for (uint256 i = 1; i <= NUMBER_UNSHIFTED_ZK; ++i) {
2047 scalars[i] = mem.unshiftedScalarNeg * mem.batchingChallenge;
2048 mem.batchedEvaluation = mem.batchedEvaluation
2049 + (proof.sumcheckEvaluations[i - NUM_MASKING_POLYNOMIALS] * mem.batchingChallenge);
2050 mem.batchingChallenge = mem.batchingChallenge * tp.rho;
2052 // g commitments are accumulated at r
2053 // For each of the to be shifted commitments perform the shift in place by
2054 // adding to the unshifted value.
2055 // We do so, as the values are to be used in batchMul later, and as
2056 // `a * c + b * c = (a + b) * c` this will allow us to reduce memory and compute.
2057 // Applied to w1, w2, w3, w4 and zPerm
2058 for (uint256 i = 0; i < NUMBER_TO_BE_SHIFTED; ++i) {
2059 uint256 scalarOff = i + SHIFTED_COMMITMENTS_START;
2060 uint256 evaluationOff = i + NUMBER_UNSHIFTED_ZK;
2062 scalars[scalarOff] = scalars[scalarOff] + (mem.shiftedScalarNeg * mem.batchingChallenge);
2063 mem.batchedEvaluation =
2064 mem.batchedEvaluation + (proof.sumcheckEvaluations[evaluationOff] * mem.batchingChallenge);
2065 mem.batchingChallenge = mem.batchingChallenge * tp.rho;
2068 commitments[1] = proof.geminiMaskingPoly;
2070 commitments[2] = vk.qm;
2071 commitments[3] = vk.qc;
2072 commitments[4] = vk.ql;
2073 commitments[5] = vk.qr;
2074 commitments[6] = vk.qo;
2075 commitments[7] = vk.q4;
2076 commitments[8] = vk.qLookup;
2077 commitments[9] = vk.qArith;
2078 commitments[10] = vk.qDeltaRange;
2079 commitments[11] = vk.qElliptic;
2080 commitments[12] = vk.qMemory;
2081 commitments[13] = vk.qNnf;
2082 commitments[14] = vk.qPoseidon2External;
2083 commitments[15] = vk.qPoseidon2Internal;
2084 commitments[16] = vk.s1;
2085 commitments[17] = vk.s2;
2086 commitments[18] = vk.s3;
2087 commitments[19] = vk.s4;
2088 commitments[20] = vk.id1;
2089 commitments[21] = vk.id2;
2090 commitments[22] = vk.id3;
2091 commitments[23] = vk.id4;
2092 commitments[24] = vk.t1;
2093 commitments[25] = vk.t2;
2094 commitments[26] = vk.t3;
2095 commitments[27] = vk.t4;
2096 commitments[28] = vk.lagrangeFirst;
2097 commitments[29] = vk.lagrangeLast;
2099 // Accumulate proof points
2100 commitments[30] = proof.w1;
2101 commitments[31] = proof.w2;
2102 commitments[32] = proof.w3;
2103 commitments[33] = proof.w4;
2104 commitments[34] = proof.zPerm;
2105 commitments[35] = proof.lookupInverses;
2106 commitments[36] = proof.lookupReadCounts;
2107 commitments[37] = proof.lookupReadTags;
2109 /* Batch gemini claims from the prover
2110 * place the commitments to gemini aᵢ to the vector of commitments, compute the contributions from
2111 * aᵢ(−r²ⁱ) for i=1, … , n−1 to the constant term accumulator, add corresponding scalars
2113 * 1. Moves the vector
2115 * \left( \text{com}(A_1), \text{com}(A_2), \ldots, \text{com}(A_{n-1}) \right)
2117 * to the 'commitments' vector.
2119 * 2. Computes the scalars:
2121 * \frac{\nu^{2}}{z + r^2}, \frac{\nu^3}{z + r^4}, \ldots, \frac{\nu^{n-1}}{z + r^{2^{n-1}}}
2123 * and places them into the 'scalars' vector.
2125 * 3. Accumulates the summands of the constant term:
2127 * \sum_{i=2}^{n-1} \frac{\nu^{i} \cdot A_i(-r^{2^i})}{z + r^{2^i}}
2129 * and adds them to the 'constant_term_accumulator'.
2132 // Add contributions from A₀(r) and A₀(-r) to constant_term_accumulator:
2133 // Compute the evaluations Aₗ(r^{2ˡ}) for l = 0, ..., $LOG_N - 1
2134 Fr[] memory foldPosEvaluations = CommitmentSchemeLib.computeFoldPosEvaluations(
2135 tp.sumCheckUChallenges,
2136 mem.batchedEvaluation,
2137 proof.geminiAEvaluations,
2138 powers_of_evaluation_challenge,
2142 mem.constantTermAccumulator = foldPosEvaluations[0] * mem.posInvertedDenominator;
2143 mem.constantTermAccumulator =
2144 mem.constantTermAccumulator + (proof.geminiAEvaluations[0] * tp.shplonkNu * mem.negInvertedDenominator);
2146 mem.batchingChallenge = tp.shplonkNu.sqr();
2147 uint256 boundary = NUMBER_UNSHIFTED_ZK + 1;
2149 // Compute Shplonk constant term contributions from Aₗ(± r^{2ˡ}) for l = 1, ..., m-1;
2150 // Compute scalar multipliers for each fold commitment
2151 for (uint256 i = 0; i < $LOG_N - 1; ++i) {
2152 bool dummy_round = i >= ($LOG_N - 1);
2155 // Update inverted denominators
2156 mem.posInvertedDenominator = (tp.shplonkZ - powers_of_evaluation_challenge[i + 1]).invert();
2157 mem.negInvertedDenominator = (tp.shplonkZ + powers_of_evaluation_challenge[i + 1]).invert();
2159 // Compute the scalar multipliers for Aₗ(± r^{2ˡ}) and [Aₗ]
2160 mem.scalingFactorPos = mem.batchingChallenge * mem.posInvertedDenominator;
2161 mem.scalingFactorNeg = mem.batchingChallenge * tp.shplonkNu * mem.negInvertedDenominator;
2162 scalars[boundary + i] = mem.scalingFactorNeg.neg() + mem.scalingFactorPos.neg();
2164 // Accumulate the const term contribution given by
2165 // v^{2l} * Aₗ(r^{2ˡ}) /(z-r^{2^l}) + v^{2l+1} * Aₗ(-r^{2ˡ}) /(z+ r^{2^l})
2166 Fr accumContribution = mem.scalingFactorNeg * proof.geminiAEvaluations[i + 1];
2167 accumContribution = accumContribution + mem.scalingFactorPos * foldPosEvaluations[i + 1];
2168 mem.constantTermAccumulator = mem.constantTermAccumulator + accumContribution;
2170 // Update the running power of v
2171 mem.batchingChallenge = mem.batchingChallenge * tp.shplonkNu * tp.shplonkNu;
2173 commitments[boundary + i] = proof.geminiFoldComms[i];
2176 boundary += $LOG_N - 1;
2178 // Finalize the batch opening claim
2179 mem.denominators[0] = Fr.wrap(1).div(tp.shplonkZ - tp.geminiR);
2180 mem.denominators[1] = Fr.wrap(1).div(tp.shplonkZ - SUBGROUP_GENERATOR * tp.geminiR);
2181 mem.denominators[2] = mem.denominators[0];
2182 mem.denominators[3] = mem.denominators[0];
2184 mem.batchingChallenge = mem.batchingChallenge * tp.shplonkNu * tp.shplonkNu;
2185 for (uint256 i = 0; i < LIBRA_EVALUATIONS; i++) {
2186 Fr scalingFactor = mem.denominators[i] * mem.batchingChallenge;
2187 mem.batchingScalars[i] = scalingFactor.neg();
2188 mem.batchingChallenge = mem.batchingChallenge * tp.shplonkNu;
2189 mem.constantTermAccumulator = mem.constantTermAccumulator + scalingFactor * proof.libraPolyEvals[i];
2191 scalars[boundary] = mem.batchingScalars[0];
2192 scalars[boundary + 1] = mem.batchingScalars[1] + mem.batchingScalars[2];
2193 scalars[boundary + 2] = mem.batchingScalars[3];
2195 for (uint256 i = 0; i < LIBRA_COMMITMENTS; i++) {
2196 commitments[boundary++] = proof.libraCommitments[i];
2199 commitments[boundary] = Honk.G1Point({x: 1, y: 2});
2200 scalars[boundary++] = mem.constantTermAccumulator;
2202 if (!checkEvalsConsistency(proof.libraPolyEvals, tp.geminiR, tp.sumCheckUChallenges, proof.libraEvaluation)) {
2203 revert ConsistencyCheckFailed();
2206 Honk.G1Point memory quotient_commitment = proof.kzgQuotient;
2208 commitments[boundary] = quotient_commitment;
2209 scalars[boundary] = tp.shplonkZ; // evaluation challenge
2211 PairingInputs memory pair;
2212 pair.P_0 = batchMul(commitments, scalars);
2213 pair.P_1 = negateInplace(quotient_commitment);
2215 // Aggregate pairing points
2216 Fr recursionSeparator = generateRecursionSeparator(proof.pairingPointObject, pair.P_0, pair.P_1);
2217 (Honk.G1Point memory P_0_other, Honk.G1Point memory P_1_other) =
2218 convertPairingPointsToG1(proof.pairingPointObject);
2220 // Validate the points from the proof are on the curve
2221 validateOnCurve(P_0_other);
2222 validateOnCurve(P_1_other);
2224 // accumulate with aggregate points in proof
2225 pair.P_0 = mulWithSeperator(pair.P_0, P_0_other, recursionSeparator);
2226 pair.P_1 = mulWithSeperator(pair.P_1, P_1_other, recursionSeparator);
2228 return pairing(pair.P_0, pair.P_1);
2231 struct SmallSubgroupIpaIntermediates {
2232 Fr[SUBGROUP_SIZE] challengePolyLagrange;
2233 Fr challengePolyEval;
2237 Fr[SUBGROUP_SIZE] denominators; // this has to disappear
2241 function checkEvalsConsistency(
2242 Fr[LIBRA_EVALUATIONS] memory libraPolyEvals,
2244 Fr[CONST_PROOF_SIZE_LOG_N] memory uChallenges,
2246 ) internal view returns (bool check) {
2247 Fr one = Fr.wrap(1);
2248 Fr vanishingPolyEval = geminiR.pow(SUBGROUP_SIZE) - one;
2249 if (vanishingPolyEval == Fr.wrap(0)) {
2250 revert GeminiChallengeInSubgroup();
2253 SmallSubgroupIpaIntermediates memory mem;
2254 mem.challengePolyLagrange[0] = one;
2255 for (uint256 round = 0; round < $LOG_N; round++) {
2256 uint256 currIdx = 1 + LIBRA_UNIVARIATES_LENGTH * round;
2257 mem.challengePolyLagrange[currIdx] = one;
2258 for (uint256 idx = currIdx + 1; idx < currIdx + LIBRA_UNIVARIATES_LENGTH; idx++) {
2259 mem.challengePolyLagrange[idx] = mem.challengePolyLagrange[idx - 1] * uChallenges[round];
2263 mem.rootPower = one;
2264 mem.challengePolyEval = Fr.wrap(0);
2265 for (uint256 idx = 0; idx < SUBGROUP_SIZE; idx++) {
2266 mem.denominators[idx] = mem.rootPower * geminiR - one;
2267 mem.denominators[idx] = mem.denominators[idx].invert();
2268 mem.challengePolyEval = mem.challengePolyEval + mem.challengePolyLagrange[idx] * mem.denominators[idx];
2269 mem.rootPower = mem.rootPower * SUBGROUP_GENERATOR_INVERSE;
2272 Fr numerator = vanishingPolyEval * Fr.wrap(SUBGROUP_SIZE).invert();
2273 mem.challengePolyEval = mem.challengePolyEval * numerator;
2274 mem.lagrangeFirst = mem.denominators[0] * numerator;
2275 mem.lagrangeLast = mem.denominators[SUBGROUP_SIZE - 1] * numerator;
2277 mem.diff = mem.lagrangeFirst * libraPolyEvals[2];
2279 mem.diff = mem.diff + (geminiR - SUBGROUP_GENERATOR_INVERSE)
2280 * (libraPolyEvals[1] - libraPolyEvals[2] - libraPolyEvals[0] * mem.challengePolyEval);
2281 mem.diff = mem.diff + mem.lagrangeLast * (libraPolyEvals[2] - libraEval) - vanishingPolyEval * libraPolyEvals[3];
2283 check = mem.diff == Fr.wrap(0);
2286 // This implementation is the same as above with different constants
2287 function batchMul(Honk.G1Point[] memory base, Fr[] memory scalars)
2290 returns (Honk.G1Point memory result)
2292 uint256 limit = $MSMSize;
2294 // Validate all points are on the curve
2295 for (uint256 i = 0; i < limit; ++i) {
2296 validateOnCurve(base[i]);
2299 bool success = true;
2301 let free := mload(0x40)
2304 for {} lt(count, add(limit, 1)) { count := add(count, 1) } {
2306 let base_base := add(base, mul(count, 0x20))
2307 let scalar_base := add(scalars, mul(count, 0x20))
2309 mstore(add(free, 0x40), mload(mload(base_base)))
2310 mstore(add(free, 0x60), mload(add(0x20, mload(base_base))))
2312 mstore(add(free, 0x80), mload(scalar_base))
2314 success := and(success, staticcall(gas(), 7, add(free, 0x40), 0x60, add(free, 0x40), 0x40))
2315 // accumulator = accumulator + accumulator_2
2316 success := and(success, staticcall(gas(), 6, free, 0x80, free, 0x40))
2319 // Return the result
2320 mstore(result, mload(free))
2321 mstore(add(result, 0x20), mload(add(free, 0x20)))
2324 require(success, ShpleminiFailed());
2328contract HonkVerifier is BaseZKHonkVerifier(N, LOG_N, VK_HASH, NUMBER_OF_PUBLIC_INPUTS) {
2329 function loadVerificationKey() internal pure override returns (Honk.VerificationKey memory) {
2330 return HonkVerificationKey.loadVerificationKey();
2337 std::ostringstream stream;
2339 return stream.str() + HONK_ZK_CONTRACT_SOURCE;
void output_vk_sol_ultra_honk(std::ostream &os, auto const &key, std::string const &class_name, bool include_types_import=false)
std::string get_honk_zk_solidity_verifier(auto const &verification_key)
1.9.8