Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
transcript.hpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: not started, auditors: [], date: YYYY-MM-DD }
3// external_1: { status: not started, auditors: [], date: YYYY-MM-DD }
4// external_2: { status: not started, auditors: [], date: YYYY-MM-DD }
5// =====================
6
7#pragma once
8
9#include "barretenberg/common/assert.hpp"
10#include "barretenberg/common/debug_log.hpp"
11#include "barretenberg/common/serialize.hpp"
12#include "barretenberg/crypto/poseidon2/poseidon2.hpp"
13#include "barretenberg/ecc/curves/bn254/fr.hpp"
14#include "barretenberg/ecc/curves/bn254/g1.hpp"
15#include "barretenberg/ecc/curves/grumpkin/grumpkin.hpp"
16#include "barretenberg/ecc/fields/field_conversion.hpp"
17#include "barretenberg/honk/proof_system/types/proof.hpp"
18#include "barretenberg/stdlib/hash/poseidon2/poseidon2.hpp"
19#include "barretenberg/stdlib/primitives/field/field_conversion.hpp"
20#include "origin_tag.hpp"
21#include "transcript_manifest.hpp"
22#include <atomic>
23#include <concepts>
24
25namespace bb {
26
27// A concept for detecting whether a type is native or in-circuit
28template <typename T>
29concept InCircuit = !IsAnyOf<T, bb::fr, grumpkin::fr, uint256_t>;
30
31// A static counter for the number of transcripts created
32// This is used to generate unique labels for the transcript origin tags
33
34// 'inline' (since C++17) ensures a single shared definition with external linkage.
35inline std::atomic<size_t> unique_transcript_index{ 0 };
36
41template <typename Codec_, typename HashFunction_> class BaseTranscript {
42 public:
43 using Codec = Codec_;
44 using HashFunction = HashFunction_;
45 using DataType = typename Codec::DataType;
46 using Proof = std::vector<DataType>;
47
48 // Detects whether the transcript is in-circuit or not
49 static constexpr bool in_circuit = InCircuit<DataType>;
50 // A `DataType` challenge is split into two limbs that consitute challenge buffer
51 static constexpr size_t CHALLENGE_BUFFER_SIZE = 2;
52
53 BaseTranscript()
54 {
55 // If we are in circuit, we need to get a unique index for the transcript
56 if constexpr (in_circuit) {
57 transcript_index = unique_transcript_index.fetch_add(1);
58 }
59 }
60
61 // Verifier-specific constructor.
62 explicit BaseTranscript(const Proof& proof) { load_proof(proof); }
63
64 protected:
65 Proof proof_data; // Contains the raw data sent by the prover.
66
67 private:
68 // Friend function for secure tag context extraction
69 template <typename T> friend OriginTag bb::extract_transcript_tag(const T& transcript);
70
71 // Fiat-Shamir Round Tracking
72 size_t transcript_index = 0; // Unique transcript ID (PRIVATE - access via extract_transcript_tag)
73 size_t round_index = 0; // Current FS round (PRIVATE - access via extract_transcript_tag)
74 bool reception_phase = true; // Whether receiving from prover or generating challenges
75
76 // Challenge generatopm state==
77 bool is_first_challenge = true; // Indicates if this is the first challenge this transcript is generating
78 DataType previous_challenge{}; // Previous challenge buffer (default-initialized to zeros)
79 std::vector<DataType> current_round_data; // Data for the current round that will be hashed to generate challenges
80
81 // Proof parsing state
82 std::ptrdiff_t proof_start = 0;
83 size_t num_frs_written = 0; // Number of frs written to proof_data by the prover
84 size_t num_frs_read = 0; // Number of frs read from proof_data by the verifier
85 size_t round_number = 0; // Current round number for manifest
86
87 // Manifest (debugging tool)
88 bool use_manifest = false; // Indicates whether the manifest is turned on (only for manifest tests)
89 TranscriptManifest manifest; // Records a summary of the transcript interactions
90
99 [[nodiscard]] std::array<DataType, CHALLENGE_BUFFER_SIZE> get_next_duplex_challenge_buffer()
100 {
101
102 std::vector<DataType> full_buffer;
103
104 const size_t size_bump = (is_first_challenge) ? 0 : 1;
105
106 full_buffer.resize(current_round_data.size() + size_bump);
107
108 // concatenate the previous challenge (if this is not the first challenge) with the current round data.
109 if (!is_first_challenge) {
110 // if not the first challenge, we can use the previous_challenge
111 full_buffer[0] = previous_challenge;
112 } else {
113 // Prevent challenge generation if this is the first challenge we're generating,
114 // AND nothing was sent by the prover.
115 BB_ASSERT(!current_round_data.empty());
116 // Update is_first_challenge for the future
117 is_first_challenge = false;
118 }
119
120 std::copy(current_round_data.begin(),
121 current_round_data.end(),
122 full_buffer.begin() + static_cast<std::ptrdiff_t>(size_bump));
123 current_round_data.clear();
124
125 // Hash the full buffer
126 DataType new_challenge = HashFunction::hash(full_buffer);
127 std::array<DataType, CHALLENGE_BUFFER_SIZE> new_challenges = Codec::split_challenge(new_challenge);
128 // update previous challenge buffer for next time we call this function
129 previous_challenge = new_challenge;
130 return new_challenges;
131 }
132
133 protected:
140 void add_element_frs_to_hash_buffer(const std::string& label, std::span<const DataType> element_frs)
141 {
142 if (use_manifest) {
143 // Add an entry to the current round of the manifest
144 manifest.add_entry(round_number, label, element_frs.size());
145 }
146
147 current_round_data.insert(current_round_data.end(), element_frs.begin(), element_frs.end());
148 }
149
158 template <typename T> void serialize_to_buffer(const T& element, Proof& proof_data)
159 {
160 auto element_frs = Codec::serialize_to_fields(element);
161 proof_data.insert(proof_data.end(), element_frs.begin(), element_frs.end());
162 }
172 template <typename T> T deserialize_from_buffer(const Proof& proof_data, size_t& offset) const
173 {
174 constexpr size_t element_fr_size = Codec::template calc_num_fields<T>();
175 BB_ASSERT_LTE(offset + element_fr_size, proof_data.size());
176
177 auto element_frs = std::span{ proof_data }.subspan(offset, element_fr_size);
178 offset += element_fr_size;
179
180 auto element = Codec::template deserialize_from_fields<T>(element_frs);
181
182 return element;
183 }
184
185 public:
193 std::vector<DataType> export_proof()
194 {
195 std::vector<DataType> result(num_frs_written);
196 std::copy_n(proof_data.begin() + proof_start, num_frs_written, result.begin());
197 proof_start += static_cast<std::ptrdiff_t>(num_frs_written);
198 num_frs_written = 0;
199 return result;
200 };
201
207 void load_proof(const std::vector<DataType>& proof)
208 {
209 std::copy(proof.begin(), proof.end(), std::back_inserter(proof_data));
210 }
211
212 // Return the size of proof_data
213 size_t get_proof_size() { return proof_data.size(); }
214
215 // Enables the manifest
216 void enable_manifest() { use_manifest = true; }
217
228 template <typename ChallengeType> std::vector<ChallengeType> get_challenges(std::span<const std::string> labels)
229 {
230 const size_t num_challenges = labels.size();
231
232 if (use_manifest) {
233 // Add challenge labels for current round to the manifest
234 for (const auto& label : labels) {
235 manifest.add_challenge(round_number, label);
236 }
237 }
238
239 // In case the transcript is used for recursive verification, we need to sanitize current round data so we don't
240 // get an origin tag violation inside the hasher. We are doing this to ensure that the free witness tagged
241 // elements that are sent to the transcript and are assigned tags externally, don't trigger the origin tag
242 // security mechanism while we are hashing them
243 bb::unset_free_witness_tags<in_circuit, DataType>(current_round_data);
244 // Compute the new challenge buffer from which we derive the challenges.
245
246 // Create challenges from Frs.
247 std::vector<ChallengeType> challenges;
248 challenges.resize(num_challenges);
249
250 // Generate the challenges by iteratively hashing over the previous challenge.
251 for (size_t i = 0; i < num_challenges / 2; i += 1) {
252 std::array<DataType, CHALLENGE_BUFFER_SIZE> challenge_buffer = get_next_duplex_challenge_buffer();
253 challenges[2 * i] = Codec::template convert_challenge<ChallengeType>(challenge_buffer[0]);
254 challenges[(2 * i) + 1] = Codec::template convert_challenge<ChallengeType>(challenge_buffer[1]);
255 }
256 if ((num_challenges & 1) == 1) {
257 std::array<DataType, CHALLENGE_BUFFER_SIZE> challenge_buffer = get_next_duplex_challenge_buffer();
258 challenges[num_challenges - 1] = Codec::template convert_challenge<ChallengeType>(challenge_buffer[0]);
259 }
260
261 // In case the transcript is used for recursive verification, we can track proper Fiat-Shamir usage
262 // We are in challenge generation mode
263 if (reception_phase) {
264 reception_phase = false;
265 }
266
267 // Assign origin tags to the challenges
268 bb::assign_origin_tag<in_circuit>(challenges, OriginTag(transcript_index, round_index, /*is_submitted=*/false));
269
270 // Prepare for next round.
271 ++round_number;
272
273 return challenges;
274 }
275
282 template <typename ChallengeType, size_t N>
283 std::array<ChallengeType, N> get_challenges(const std::array<std::string, N>& labels)
284 {
285 std::span<const std::string> labels_span{ labels.data(), labels.size() };
286 auto vec = get_challenges<ChallengeType>(labels_span); // calls the const-span overload
287 std::array<ChallengeType, N> out{};
288 std::move(vec.begin(), vec.end(), out.begin());
289 return out;
290 }
291
300 template <typename ChallengeType>
301 std::vector<ChallengeType> get_dyadic_powers_of_challenge(const std::string& label, size_t num_challenges)
302 {
303 ChallengeType challenge = get_challenge<ChallengeType>(label);
304 std::vector<ChallengeType> pows(num_challenges);
305 pows[0] = challenge;
306 for (size_t i = 1; i < num_challenges; i++) {
307 pows[i] = pows[i - 1].sqr();
308 }
309 return pows;
310 }
311
320 template <class T> void add_to_hash_buffer(const std::string& label, const T& element)
321 {
322 DEBUG_LOG(label, element);
323 // In case the transcript is used for recursive verification, we can track proper Fiat-Shamir usage
324 // The verifier is receiving data from the prover. If before this we were in the challenge generation phase,
325 // then we need to increment the round index
326 if (!reception_phase) {
327 reception_phase = true;
328 round_index++;
329 }
330
331 bb::assign_origin_tag<in_circuit>(element, OriginTag(transcript_index, round_index, /*is_submitted=*/true));
332 auto elements = Codec::serialize_to_fields(element);
333
334 add_element_frs_to_hash_buffer(label, elements);
335 }
336
350 template <class T> void send_to_verifier(const std::string& label, const T& element)
351 {
352 DEBUG_LOG(label, element);
353 auto element_frs = Codec::template serialize_to_fields<T>(element);
354 proof_data.insert(proof_data.end(), element_frs.begin(), element_frs.end());
355 num_frs_written += element_frs.size();
356
357 add_element_frs_to_hash_buffer(label, element_frs);
358 }
359
367 template <class T> T receive_from_prover(const std::string& label)
368 {
369 const size_t element_size = Codec::template calc_num_fields<T>();
370 BB_ASSERT_LTE(num_frs_read + element_size, proof_data.size());
371
372 auto element_frs = std::span{ proof_data }.subspan(num_frs_read, element_size);
373 // In case the transcript is used for recursive verification, we can track proper Fiat-Shamir usage
374 // The verifier is receiving data from the prover. If before this we were in the challenge generation phase,
375 // then we need to increment the round index
376 if (!reception_phase) {
377 reception_phase = true;
378 round_index++;
379 }
380 // Assign an origin tag to the elements going into the hash buffer
381 bb::assign_origin_tag<in_circuit>(element_frs, OriginTag(transcript_index, round_index, /*is_submitted=*/true));
382
383 num_frs_read += element_size;
384
385 add_element_frs_to_hash_buffer(label, element_frs);
386
387 auto element = Codec::template deserialize_from_fields<T>(element_frs);
388 DEBUG_LOG(label, element);
389
390 // Ensure that the element got assigned an origin tag
391 bb::check_origin_tag<in_circuit>(element, OriginTag(transcript_index, round_index, /*is_submitted=*/true));
392
393 return element;
394 }
395
396 template <typename ChallengeType> ChallengeType get_challenge(const std::string& label)
397 {
398 std::span<const std::string> label_span(&label, 1);
399 auto result = get_challenges<ChallengeType>(label_span);
400
401 DEBUG_LOG(label, result);
402 return result[0];
403 }
404
411 static std::shared_ptr<BaseTranscript> convert_prover_transcript_to_verifier_transcript(
412 const std::shared_ptr<BaseTranscript>& prover_transcript)
413 {
414 // We expect this function to only be used when the transcript has just been exported.
415 BB_ASSERT_EQ(prover_transcript->num_frs_written, 0UL, "Expected to be empty");
416 auto verifier_transcript = std::make_shared<BaseTranscript>(*prover_transcript);
417 verifier_transcript->num_frs_read = static_cast<size_t>(verifier_transcript->proof_start);
418 verifier_transcript->proof_start = 0;
419 return verifier_transcript;
420 }
421
422 // Serialize an element of type T to a vector of fields
423 template <typename T> static std::vector<DataType> serialize(const T& element)
424 {
425 return Codec::serialize_to_fields(element);
426 }
427
428 template <typename T> static T deserialize(std::span<const DataType> frs)
429 {
430 return Codec::template deserialize_from_fields<T>(frs);
431 }
438 static std::shared_ptr<BaseTranscript> prover_init_empty()
439 {
440 auto transcript = std::make_shared<BaseTranscript>();
441 constexpr uint32_t init{ 42 }; // arbitrary
442 transcript->send_to_verifier("Init", init);
443 return transcript;
444 };
445
453 static std::shared_ptr<BaseTranscript> verifier_init_empty(const std::shared_ptr<BaseTranscript>& transcript)
454 {
455 auto verifier_transcript = std::make_shared<BaseTranscript>(transcript->proof_data);
456 [[maybe_unused]] auto _ = verifier_transcript->template receive_from_prover<DataType>("Init");
457 return verifier_transcript;
458 };
459 [[nodiscard]] TranscriptManifest get_manifest() const { return manifest; };
460
461 void print()
462 {
463 if (!use_manifest) {
464 info("Warning: manifest is not enabled!");
465 }
466 manifest.print();
467 }
468
469 // Test-specific utils
470
475 void test_set_proof_parsing_state(std::ptrdiff_t start, size_t written)
476 {
477 this->proof_start = start;
478 this->num_frs_written = written;
479 }
480
485 std::ptrdiff_t test_get_proof_start() const { return proof_start; }
486};
487
488using NativeTranscript = BaseTranscript<FrCodec, bb::crypto::Poseidon2<bb::crypto::Poseidon2Bn254ScalarFieldParams>>;
489using KeccakTranscript = BaseTranscript<U256Codec, bb::crypto::Keccak>;
490
491template <typename Builder>
492using StdlibTranscript = BaseTranscript<stdlib::StdlibCodec<stdlib::field_t<Builder>>, stdlib::poseidon2<Builder>>;
493using UltraStdlibTranscript =
494 BaseTranscript<stdlib::StdlibCodec<stdlib::field_t<UltraCircuitBuilder>>, stdlib::poseidon2<UltraCircuitBuilder>>;
495using MegaStdlibTranscript =
496 BaseTranscript<stdlib::StdlibCodec<stdlib::field_t<MegaCircuitBuilder>>, stdlib::poseidon2<MegaCircuitBuilder>>;
497
502template <typename Curve, bool = Curve::is_stdlib_type> struct TranscriptFor {
503 using type = NativeTranscript;
504};
505
506template <typename Curve> struct TranscriptFor<Curve, true> {
507 using type = StdlibTranscript<typename Curve::Builder>;
508};
509
510template <typename Curve> using TranscriptFor_t = typename TranscriptFor<Curve>::type;
511
512} // namespace bb
BB_ASSERT
#define BB_ASSERT(expression,...)
Definition assert.hpp:67
BB_ASSERT_EQ
#define BB_ASSERT_EQ(actual, expected,...)
Definition assert.hpp:77
BB_ASSERT_LTE
#define BB_ASSERT_LTE(left, right,...)
Definition assert.hpp:152
bb::BaseTranscript
Common transcript class for both parties. Stores the data for the current round, as well as the manif...
Definition transcript.hpp:41
bb::BaseTranscript::DataType
typename Codec::DataType DataType
Definition transcript.hpp:45
bb::BaseTranscript::in_circuit
static constexpr bool in_circuit
Definition transcript.hpp:49
bb::BaseTranscript::previous_challenge
DataType previous_challenge
Definition transcript.hpp:78
bb::BaseTranscript::BaseTranscript
BaseTranscript(const Proof &proof)
Definition transcript.hpp:62
bb::BaseTranscript::receive_from_prover
T receive_from_prover(const std::string &label)
Reads the next element of type T from the transcript, with a predefined label, only used by verifier.
Definition transcript.hpp:367
bb::BaseTranscript::get_challenge
ChallengeType get_challenge(const std::string &label)
Definition transcript.hpp:396
bb::BaseTranscript::test_set_proof_parsing_state
void test_set_proof_parsing_state(std::ptrdiff_t start, size_t written)
Test utility: Set proof parsing state for export after deserialization.
Definition transcript.hpp:475
bb::BaseTranscript::current_round_data
std::vector< DataType > current_round_data
Definition transcript.hpp:79
bb::BaseTranscript::add_element_frs_to_hash_buffer
void add_element_frs_to_hash_buffer(const std::string &label, std::span< const DataType > element_frs)
Adds challenge elements to the current_round_buffer and updates the manifest.
Definition transcript.hpp:140
bb::BaseTranscript::serialize_to_buffer
void serialize_to_buffer(const T &element, Proof &proof_data)
Serializes object and appends it to proof_data.
Definition transcript.hpp:158
bb::BaseTranscript::get_dyadic_powers_of_challenge
std::vector< ChallengeType > get_dyadic_powers_of_challenge(const std::string &label, size_t num_challenges)
Get a challenge and compute its dyadic powers [δ, δ², δ⁴, ..., δ^(2^(num_challenges-1))].
Definition transcript.hpp:301
bb::BaseTranscript::export_proof
std::vector< DataType > export_proof()
Return the proof data starting at proof_start.
Definition transcript.hpp:193
bb::BaseTranscript::deserialize
static T deserialize(std::span< const DataType > frs)
Definition transcript.hpp:428
bb::BaseTranscript::add_to_hash_buffer
void add_to_hash_buffer(const std::string &label, const T &element)
Adds an element to the transcript.
Definition transcript.hpp:320
bb::BaseTranscript::send_to_verifier
void send_to_verifier(const std::string &label, const T &element)
Adds a prover message to the transcript, only intended to be used by the prover.
Definition transcript.hpp:350
bb::BaseTranscript::load_proof
void load_proof(const std::vector< DataType > &proof)
Verifier-specific method. The verifier needs to load a proof or its segment before the verification.
Definition transcript.hpp:207
bb::BaseTranscript::HashFunction
HashFunction_ HashFunction
Definition transcript.hpp:44
bb::BaseTranscript::proof_start
std::ptrdiff_t proof_start
Definition transcript.hpp:82
bb::BaseTranscript::get_manifest
TranscriptManifest get_manifest() const
Definition transcript.hpp:459
bb::BaseTranscript::prover_init_empty
static std::shared_ptr< BaseTranscript > prover_init_empty()
For testing: initializes transcript with some arbitrary data so that a challenge can be generated aft...
Definition transcript.hpp:438
bb::BaseTranscript::get_next_duplex_challenge_buffer
std::array< DataType, CHALLENGE_BUFFER_SIZE > get_next_duplex_challenge_buffer()
Compute next challenge c_next = H( Compress(c_prev || round_buffer) )
Definition transcript.hpp:99
bb::BaseTranscript::get_challenges
std::array< ChallengeType, N > get_challenges(const std::array< std::string, N > &labels)
Wrapper around get_challenges to handle array of challenges.
Definition transcript.hpp:283
bb::BaseTranscript::manifest
TranscriptManifest manifest
Definition transcript.hpp:89
bb::BaseTranscript::serialize
static std::vector< DataType > serialize(const T &element)
Definition transcript.hpp:423
bb::BaseTranscript::test_get_proof_start
std::ptrdiff_t test_get_proof_start() const
Test utility: Get proof_start for validation.
Definition transcript.hpp:485
bb::BaseTranscript::Proof
std::vector< DataType > Proof
Definition transcript.hpp:46
bb::BaseTranscript::deserialize_from_buffer
T deserialize_from_buffer(const Proof &proof_data, size_t &offset) const
Deserializes the frs starting at offset into the typed element and returns that element.
Definition transcript.hpp:172
bb::BaseTranscript::verifier_init_empty
static std::shared_ptr< BaseTranscript > verifier_init_empty(const std::shared_ptr< BaseTranscript > &transcript)
For testing: initializes transcript based on proof data then receives junk data produced by BaseTrans...
Definition transcript.hpp:453
bb::BaseTranscript::get_challenges
std::vector< ChallengeType > get_challenges(std::span< const std::string > labels)
After all the prover messages have been sent, finalize the round by hashing all the data and then cre...
Definition transcript.hpp:228
bb::BaseTranscript::CHALLENGE_BUFFER_SIZE
static constexpr size_t CHALLENGE_BUFFER_SIZE
Definition transcript.hpp:51
bb::BaseTranscript::convert_prover_transcript_to_verifier_transcript
static std::shared_ptr< BaseTranscript > convert_prover_transcript_to_verifier_transcript(const std::shared_ptr< BaseTranscript > &prover_transcript)
Convert a prover transcript to a verifier transcript.
Definition transcript.hpp:411
bb::TranscriptManifest::add_entry
void add_entry(size_t round, const std::string &element_label, size_t element_size)
Definition transcript_manifest.hpp:84
bb::TranscriptManifest::add_challenge
void add_challenge(size_t round, const std::string &label)
Add a single challenge label to the manifest for the given round.
Definition transcript_manifest.hpp:51
bb::stdlib::poseidon2
stdlib class that evaluates in-circuit poseidon2 hashes, consistent with behavior in crypto::poseidon...
Definition poseidon2.hpp:20
debug_log.hpp
DEBUG_LOG
#define DEBUG_LOG(...)
Definition debug_log.hpp:105
info
void info(Args... args)
Definition log.hpp:75
field_conversion.hpp
offset
ssize_t offset
Definition engine.cpp:36
init
const auto init
Definition fr.bench.cpp:141
proof.hpp
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
bb::unique_transcript_index
std::atomic< size_t > unique_transcript_index
Definition transcript.hpp:35
bb::extract_transcript_tag
OriginTag extract_transcript_tag(const TranscriptType &transcript)
Extract origin tag context from a transcript.
Definition origin_tag.hpp:298
bb::NativeTranscript
BaseTranscript< FrCodec, bb::crypto::Poseidon2< bb::crypto::Poseidon2Bn254ScalarFieldParams > > NativeTranscript
Definition transcript.hpp:488
bb::TranscriptFor_t
typename TranscriptFor< Curve >::type TranscriptFor_t
Definition transcript.hpp:510
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
origin_tag.hpp
This file contains part of the logic for the Origin Tag mechanism that tracks the use of in-circuit p...
field_conversion.hpp
bb::TranscriptFor
Helper to get the appropriate Transcript type for a given Curve.
Definition transcript.hpp:502
transcript_manifest.hpp