Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
translator_verifier.cpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: not started, auditors: [], date: YYYY-MM-DD }
3// external_1: { status: not started, auditors: [], date: YYYY-MM-DD }
4// external_2: { status: not started, auditors: [], date: YYYY-MM-DD }
5// =====================
6
7#include "./translator_verifier.hpp"
8#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp"
9#include "barretenberg/sumcheck/sumcheck.hpp"
10#include "barretenberg/transcript/transcript.hpp"
11
12namespace bb {
13
14TranslatorVerifier::TranslatorVerifier(const std::shared_ptr<Transcript>& transcript)
15 : transcript(transcript)
16{}
17
18TranslatorVerifier::TranslatorVerifier(const std::shared_ptr<VerificationKey>& verifier_key,
19 const std::shared_ptr<Transcript>& transcript)
20 : key(verifier_key)
21 , transcript(transcript)
22{}
23
24void TranslatorVerifier::put_translation_data_in_relation_parameters(const uint256_t& evaluation_input_x,
25 const BF& batching_challenge_v,
26 const uint256_t& accumulated_result)
27{
28
29 const auto compute_four_limbs = [](const auto& in) {
30 constexpr size_t NUM_LIMB_BITS = Flavor::NUM_LIMB_BITS;
31 return std::array<FF, 4>{ in.slice(0, NUM_LIMB_BITS),
32 in.slice(NUM_LIMB_BITS, NUM_LIMB_BITS * 2),
33 in.slice(NUM_LIMB_BITS * 2, NUM_LIMB_BITS * 3),
34 in.slice(NUM_LIMB_BITS * 3, NUM_LIMB_BITS * 4) };
35 };
36
37 const auto compute_five_limbs = [](const auto& in) {
38 constexpr size_t NUM_LIMB_BITS = Flavor::NUM_LIMB_BITS;
39 return std::array<FF, 5>{ in.slice(0, NUM_LIMB_BITS),
40 in.slice(NUM_LIMB_BITS, NUM_LIMB_BITS * 2),
41 in.slice(NUM_LIMB_BITS * 2, NUM_LIMB_BITS * 3),
42 in.slice(NUM_LIMB_BITS * 3, NUM_LIMB_BITS * 4),
43 in };
44 };
45
46 relation_parameters.evaluation_input_x = compute_five_limbs(evaluation_input_x);
47
48 uint256_t batching_challenge_v_power{ batching_challenge_v };
49 for (size_t i = 0; i < 4; i++) {
50 relation_parameters.batching_challenge_v[i] = compute_five_limbs(batching_challenge_v_power);
51 batching_challenge_v_power = BF(batching_challenge_v_power) * batching_challenge_v;
52 }
53
54 relation_parameters.accumulated_result = compute_four_limbs(accumulated_result);
55};
56
60bool TranslatorVerifier::verify_proof(
61 const HonkProof& proof,
62 const uint256_t& evaluation_input_x,
63 const BF& batching_challenge_v,
64 const uint256_t& accumulated_result,
65 const std::array<Commitment, TranslatorFlavor::NUM_OP_QUEUE_WIRES>& op_queue_wire_commitments)
66{
67 using Curve = Flavor::Curve;
68 using PCS = Flavor::PCS;
69 using Shplemini = ShpleminiVerifier_<Curve>;
70 using ClaimBatcher = ClaimBatcher_<Curve>;
71 using ClaimBatch = ClaimBatcher::Batch;
72 using InterleavedBatch = ClaimBatcher::InterleavedBatch;
73 using Sumcheck = SumcheckVerifier<Flavor>;
74 using VerifierCommitmentKey = typename Flavor::VerifierCommitmentKey;
75
76 // Load the proof produced by the translator prover
77 transcript->load_proof(proof);
78
79 // Fiat-Shamir the vk hash
80 typename Flavor::FF vk_hash = key->hash();
81 transcript->add_to_hash_buffer("vk_hash", vk_hash);
82 vinfo("Translator vk hash in verifier: ", vk_hash);
83
84 Flavor::VerifierCommitments commitments{ key };
85 Flavor::CommitmentLabels commitment_labels;
86
87 // Use accumulated_result from ECCVM verifier
88 put_translation_data_in_relation_parameters(evaluation_input_x, batching_challenge_v, accumulated_result);
89
90 // Receive Gemini masking polynomial commitment (for ZK-PCS)
91 commitments.gemini_masking_poly = transcript->template receive_from_prover<Commitment>("Gemini:masking_poly_comm");
92
93 // Set op queue wire commitments (provided by merge protocol, not from translator proof)
94 commitments.op = op_queue_wire_commitments[0];
95 commitments.x_lo_y_hi = op_queue_wire_commitments[1];
96 commitments.x_hi_z_1 = op_queue_wire_commitments[2];
97 commitments.y_lo_z_2 = op_queue_wire_commitments[3];
98
99 // Receive commitments to non-op-queue wires and ordered range constraints
100 for (auto [comm, label] : zip_view(commitments.get_non_opqueue_wires_and_ordered_range_constraints(),
101 commitment_labels.get_non_opqueue_wires_and_ordered_range_constraints())) {
102 comm = transcript->template receive_from_prover<Commitment>(label);
103 }
104
105 // Get permutation challenges
106 FF beta = transcript->template get_challenge<FF>("beta");
107 FF gamma = transcript->template get_challenge<FF>("gamma");
108
109 relation_parameters.beta = beta;
110 relation_parameters.gamma = gamma;
111
112 // Get commitment to permutation and lookup grand products
113 commitments.z_perm = transcript->template receive_from_prover<Commitment>(commitment_labels.z_perm);
114
115 // Each linearly independent subrelation contribution is multiplied by `alpha^i`, where
116 // i = 0, ..., NUM_SUBRELATIONS- 1.
117 const FF alpha = transcript->template get_challenge<FF>("Sumcheck:alpha");
118
119 // Execute Sumcheck Verifier
120 Sumcheck sumcheck(transcript, alpha, Flavor::CONST_TRANSLATOR_LOG_N);
121
122 std::vector<FF> gate_challenges(Flavor::CONST_TRANSLATOR_LOG_N);
123 for (size_t idx = 0; idx < gate_challenges.size(); idx++) {
124 gate_challenges[idx] = transcript->template get_challenge<FF>("Sumcheck:gate_challenge_" + std::to_string(idx));
125 }
126
127 // Receive commitments to Libra masking polynomials
128 std::array<Commitment, NUM_LIBRA_COMMITMENTS> libra_commitments = {};
129 libra_commitments[0] = transcript->template receive_from_prover<Commitment>("Libra:concatenation_commitment");
130
131 std::vector<FF> padding_indicator_array(Flavor::CONST_TRANSLATOR_LOG_N);
132 std::ranges::fill(padding_indicator_array, FF{ 1 });
133
134 auto sumcheck_output = sumcheck.verify(relation_parameters, gate_challenges, padding_indicator_array);
135
136 // If Sumcheck did not verify, return false
137 if (!sumcheck_output.verified) {
138 return false;
139 }
140
141 libra_commitments[1] = transcript->template receive_from_prover<Commitment>("Libra:grand_sum_commitment");
142 libra_commitments[2] = transcript->template receive_from_prover<Commitment>("Libra:quotient_commitment");
143
144 // Execute Shplemini
145 bool consistency_checked = false;
146 ClaimBatcher claim_batcher{
147 .unshifted = ClaimBatch{ commitments.get_unshifted_without_interleaved(),
148 sumcheck_output.claimed_evaluations.get_unshifted_without_interleaved() },
149 .shifted = ClaimBatch{ commitments.get_to_be_shifted(), sumcheck_output.claimed_evaluations.get_shifted() },
150 .interleaved = InterleavedBatch{ .commitments_groups = commitments.get_groups_to_be_interleaved(),
151 .evaluations = sumcheck_output.claimed_evaluations.get_interleaved() }
152 };
153 auto opening_claim = Shplemini::compute_batch_opening_claim(padding_indicator_array,
154 claim_batcher,
155 sumcheck_output.challenge,
156 Commitment::one(),
157 transcript,
158 Flavor::REPEATED_COMMITMENTS,
159 Flavor::HasZK,
160 &consistency_checked,
161 libra_commitments,
162 sumcheck_output.claimed_libra_evaluation);
163 const auto pairing_points = PCS::reduce_verify_batch_opening_claim(std::move(opening_claim), transcript);
164
165 VerifierCommitmentKey pcs_vkey{};
166 auto verified = pcs_vkey.pairing_check(pairing_points[0], pairing_points[1]);
167 return verified && consistency_checked;
168}
169} // namespace bb
bb::ShpleminiVerifier_
An efficient verifier for the evaluation proofs of multilinear polynomials and their shifts.
Definition shplemini.hpp:190
bb::SumcheckVerifier
Implementation of the sumcheck Verifier for statements of the form for multilinear polynomials .
Definition sumcheck.hpp:786
bb::TranslatorFlavor::CommitmentLabels
A container for commitment labels.
Definition translator_flavor.hpp:935
bb::TranslatorFlavor::VerifierCommitments_
Definition translator_flavor.hpp:1046
bb::TranslatorFlavor::WitnessEntities::get_non_opqueue_wires_and_ordered_range_constraints
auto get_non_opqueue_wires_and_ordered_range_constraints()
Non-op-queue wires and ordered range constraints (committed to by translator prover)
Definition translator_flavor.hpp:432
bb::TranslatorFlavor::REPEATED_COMMITMENTS
static constexpr RepeatedCommitmentsData REPEATED_COMMITMENTS
Definition translator_flavor.hpp:151
bb::TranslatorFlavor::CONST_TRANSLATOR_LOG_N
static constexpr size_t CONST_TRANSLATOR_LOG_N
Definition translator_flavor.hpp:71
bb::TranslatorFlavor::HasZK
static constexpr bool HasZK
Definition translator_flavor.hpp:49
bb::TranslatorFlavor::NUM_LIMB_BITS
static constexpr size_t NUM_LIMB_BITS
Definition translator_flavor.hpp:117
bb::TranslatorFlavor::VerifierCommitmentKey
bb::VerifierCommitmentKey< Curve > VerifierCommitmentKey
Definition translator_flavor.hpp:39
bb::TranslatorVerifier::put_translation_data_in_relation_parameters
void put_translation_data_in_relation_parameters(const uint256_t &evaluation_input_x, const BF &batching_challenge_v, const uint256_t &accumulated_result)
Definition translator_verifier.cpp:24
bb::TranslatorVerifier::key
std::shared_ptr< VerificationKey > key
Definition translator_verifier.hpp:30
bb::TranslatorVerifier::relation_parameters
RelationParameters< FF > relation_parameters
Definition translator_verifier.hpp:32
bb::TranslatorVerifier::TranslatorVerifier
TranslatorVerifier(const std::shared_ptr< Transcript > &transcript)
Definition translator_verifier.cpp:14
bb::TranslatorVerifier::verify_proof
bool verify_proof(const HonkProof &proof, const uint256_t &evaluation_input_x, const BF &batching_challenge_v, const uint256_t &accumulated_result, const std::array< Commitment, TranslatorFlavor::NUM_OP_QUEUE_WIRES > &op_queue_wire_commitments)
This function verifies a TranslatorFlavor Honk proof for given program settings.
Definition translator_verifier.cpp:60
bb::TranslatorVerifier::transcript
std::shared_ptr< Transcript > transcript
Definition translator_verifier.hpp:31
bb::numeric::uint256_t
Definition uint256.hpp:32
zip_view
Definition zip_view.hpp:166
vinfo
#define vinfo(...)
Definition log.hpp:80
key
FF key
Definition indexed_memory_tree.test.cpp:18
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
bb::HonkProof
std::vector< fr > HonkProof
Definition proof.hpp:15
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
std::to_string
std::string to_string(bb::avm2::ValueTag tag)
Definition tagged_value.cpp:402
bb::ClaimBatcher_
Logic to support batching opening claims for unshifted and shifted polynomials in Shplemini.
Definition claim_batcher.hpp:28
bb::RelationParameters::batching_challenge_v
std::array< std::array< T, NUM_BINARY_LIMBS_IN_GOBLIN_TRANSLATOR+NUM_NATIVE_LIMBS_IN_GOBLIN_TRANSLATOR >, NUM_CHALLENGE_POWERS_IN_GOBLIN_TRANSLATOR > batching_challenge_v
Definition relation_parameters.hpp:48
bb::RelationParameters::accumulated_result
std::array< T, NUM_BINARY_LIMBS_IN_GOBLIN_TRANSLATOR > accumulated_result
Definition relation_parameters.hpp:42
bb::RelationParameters::evaluation_input_x
std::array< T, NUM_BINARY_LIMBS_IN_GOBLIN_TRANSLATOR+NUM_NATIVE_LIMBS_IN_GOBLIN_TRANSLATOR > evaluation_input_x
Definition relation_parameters.hpp:43
translator_verifier.hpp