Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
ultra_verifier.cpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: not started, auditors: [], date: YYYY-MM-DD }
3// external_1: { status: not started, auditors: [], date: YYYY-MM-DD }
4// external_2: { status: not started, auditors: [], date: YYYY-MM-DD }
5// =====================
6
7#include "./ultra_verifier.hpp"
8#include "barretenberg/commitment_schemes/ipa/ipa.hpp"
9#include "barretenberg/commitment_schemes/pairing_points.hpp"
10#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp"
11#include "barretenberg/numeric/bitop/get_msb.hpp"
12#include "barretenberg/special_public_inputs/special_public_inputs.hpp"
13#include "barretenberg/transcript/transcript.hpp"
14#include "barretenberg/ultra_honk/oink_verifier.hpp"
15
16namespace bb {
17
23template <typename Flavor>
24template <class IO>
25UltraVerifier_<Flavor>::UltraVerifierOutput UltraVerifier_<Flavor>::verify_proof(
26 const typename UltraVerifier_<Flavor>::Proof& proof, const typename UltraVerifier_<Flavor>::Proof& ipa_proof)
27{
28 using FF = typename Flavor::FF;
29 using PCS = typename Flavor::PCS;
30 using Curve = typename Flavor::Curve;
31 using Shplemini = ShpleminiVerifier_<Curve>;
32 using VerifierCommitments = typename Flavor::VerifierCommitments;
33 using ClaimBatcher = ClaimBatcher_<Curve>;
34 using ClaimBatch = ClaimBatcher::Batch;
35
36 transcript->load_proof(proof);
37 OinkVerifier<Flavor> oink_verifier{ verifier_instance, transcript };
38 oink_verifier.verify();
39
40 // Determine the number of rounds in the sumcheck based on whether or not padding is employed
41 const size_t log_circuit_size = static_cast<size_t>(verifier_instance->vk->log_circuit_size);
42 const size_t log_n = Flavor::USE_PADDING ? Flavor::VIRTUAL_LOG_N : log_circuit_size;
43 verifier_instance->gate_challenges =
44 transcript->template get_dyadic_powers_of_challenge<FF>("Sumcheck:gate_challenge", log_n);
45
46 // Get the witness commitments that the verifier needs to verify
47 VerifierCommitments commitments{ verifier_instance->vk, verifier_instance->witness_commitments };
48 // For ZK flavors: set gemini_masking_poly commitment from accumulator
49 if constexpr (Flavor::HasZK) {
50 commitments.gemini_masking_poly = verifier_instance->gemini_masking_commitment;
51 }
52
53 // Construct the padding indicator array
54 std::vector<FF> padding_indicator_array(log_n, 1);
55 if constexpr (Flavor::HasZK) {
56 for (size_t idx = 0; idx < log_n; idx++) {
57 padding_indicator_array[idx] = (idx < log_circuit_size) ? FF{ 1 } : FF{ 0 };
58 }
59 }
60
61 // Construct the sumcheck verifier
62 SumcheckVerifier<Flavor> sumcheck(transcript, verifier_instance->alpha, log_n);
63 // Receive commitments to Libra masking polynomials for ZKFlavors
64 std::array<Commitment, NUM_LIBRA_COMMITMENTS> libra_commitments = {};
65
66 if constexpr (Flavor::HasZK) {
67 libra_commitments[0] = transcript->template receive_from_prover<Commitment>("Libra:concatenation_commitment");
68 }
69 // Run the sumcheck verifier
70 SumcheckOutput<Flavor> sumcheck_output = sumcheck.verify(
71 verifier_instance->relation_parameters, verifier_instance->gate_challenges, padding_indicator_array);
72 // Get the claimed evaluation of the Libra polynomials for ZKFlavors
73 if constexpr (Flavor::HasZK) {
74 libra_commitments[1] = transcript->template receive_from_prover<Commitment>("Libra:grand_sum_commitment");
75 libra_commitments[2] = transcript->template receive_from_prover<Commitment>("Libra:quotient_commitment");
76 }
77
78 bool consistency_checked = true;
79 ClaimBatcher claim_batcher{
80 .unshifted = ClaimBatch{ commitments.get_unshifted(), sumcheck_output.claimed_evaluations.get_unshifted() },
81 .shifted = ClaimBatch{ commitments.get_to_be_shifted(), sumcheck_output.claimed_evaluations.get_shifted() }
82 };
83
84 auto opening_claim = Shplemini::compute_batch_opening_claim(padding_indicator_array,
85 claim_batcher,
86 sumcheck_output.challenge,
87 Commitment::one(),
88 transcript,
89 Flavor::REPEATED_COMMITMENTS,
90 Flavor::HasZK,
91 &consistency_checked,
92 libra_commitments,
93 sumcheck_output.claimed_libra_evaluation);
94
95 auto pairing_points =
96 PCS::reduce_verify_batch_opening_claim(std::move(opening_claim), transcript, Flavor::FINAL_PCS_MSM_SIZE(log_n));
97 // Reconstruct the public inputs
98 IO inputs;
99 inputs.reconstruct_from_public(verifier_instance->public_inputs);
100
101 // Aggregate new pairing points with those reconstructed from the public inputs
102 pairing_points.aggregate(inputs.pairing_inputs);
103
104 // Construct the output
105 UltraVerifierOutput output;
106
107 // Check that verification passed
108 bool pairing_check_verified = pairing_points.check();
109 vinfo("sumcheck_verified: ", sumcheck_output.verified);
110 vinfo("libra_evals_verified: ", consistency_checked);
111 vinfo("pairing_check_verified: ", pairing_check_verified);
112
113 // Set the output result to be all checks passing
114 output.result = sumcheck_output.verified && consistency_checked && pairing_check_verified;
115
116 if constexpr (HasIPAAccumulator<Flavor>) {
117 // Reconstruct the nested IPA claim from the public inputs and run the native IPA verifier.
118 ipa_transcript->load_proof(ipa_proof);
119 bool ipa_result = IPA<curve::Grumpkin>::reduce_verify(ipa_verification_key, inputs.ipa_claim, ipa_transcript);
120
121 // Logging
122 if (!ipa_result) {
123 info("IPA verification failed!");
124 }
125
126 // Update output
127 output.result &= ipa_result;
128 } else if constexpr (std::is_same_v<IO, HidingKernelIO>) {
129 // Add kernel return data and ecc op tables if we are verifying a Chonk proof
130 output.kernel_return_data = inputs.kernel_return_data;
131 output.ecc_op_tables = inputs.ecc_op_tables;
132 }
133
134 return output;
135}
136
137template class UltraVerifier_<UltraFlavor>;
138template class UltraVerifier_<UltraZKFlavor>;
139template class UltraVerifier_<UltraKeccakFlavor>;
140#ifdef STARKNET_GARAGA_FLAVORS
141template class UltraVerifier_<UltraStarknetFlavor>;
142template class UltraVerifier_<UltraStarknetZKFlavor>;
143#endif
144template class UltraVerifier_<UltraKeccakZKFlavor>;
145template class UltraVerifier_<UltraRollupFlavor>;
146template class UltraVerifier_<MegaFlavor>;
147template class UltraVerifier_<MegaZKFlavor>;
148
149template UltraVerifier_<UltraFlavor>::UltraVerifierOutput UltraVerifier_<UltraFlavor>::verify_proof<DefaultIO>(
150 const Proof& proof, const Proof& ipa_proof);
151
152template UltraVerifier_<UltraZKFlavor>::UltraVerifierOutput UltraVerifier_<UltraZKFlavor>::verify_proof<DefaultIO>(
153 const Proof& proof, const Proof& ipa_proof);
154
155template UltraVerifier_<UltraKeccakFlavor>::UltraVerifierOutput UltraVerifier_<UltraKeccakFlavor>::verify_proof<
156 DefaultIO>(const Proof& proof, const Proof& ipa_proof);
157
158#ifdef STARKNET_GARAGA_FLAVORS
159template UltraVerifier_<UltraStarknetFlavor>::UltraVerifierOutput UltraVerifier_<UltraStarknetFlavor>::verify_proof<
160 DefaultIO>(const Proof& proof, const Proof& ipa_proof);
161
162template UltraVerifier_<UltraStarknetZKFlavor>::UltraVerifierOutput UltraVerifier_<UltraStarknetZKFlavor>::verify_proof<
163 DefaultIO>(const Proof& proof, const Proof& ipa_proof);
164#endif
165
166template UltraVerifier_<UltraKeccakZKFlavor>::UltraVerifierOutput UltraVerifier_<UltraKeccakZKFlavor>::verify_proof<
167 DefaultIO>(const Proof& proof, const Proof& ipa_proof);
168
169template UltraVerifier_<UltraRollupFlavor>::UltraVerifierOutput UltraVerifier_<UltraRollupFlavor>::verify_proof<
170 RollupIO>(const Proof& proof, const Proof& ipa_proof);
171
172template UltraVerifier_<MegaFlavor>::UltraVerifierOutput UltraVerifier_<MegaFlavor>::verify_proof<DefaultIO>(
173 const Proof& proof, const Proof& ipa_proof);
174
175template UltraVerifier_<MegaZKFlavor>::UltraVerifierOutput UltraVerifier_<MegaZKFlavor>::verify_proof<DefaultIO>(
176 const Proof& proof, const Proof& ipa_proof);
177
178// Chonk specialization
179template UltraVerifier_<MegaZKFlavor>::UltraVerifierOutput UltraVerifier_<MegaZKFlavor>::verify_proof<HidingKernelIO>(
180 const Proof& proof, const Proof& ipa_proof);
181
182} // namespace bb
bb::DefaultIO
Manages the data that is propagated on the public inputs of an application/function circuit.
Definition special_public_inputs.hpp:19
bb::ECCVMFlavor::HasZK
static constexpr bool HasZK
Definition eccvm_flavor.hpp:57
bb::ECCVMFlavor::FF
typename Curve::ScalarField FF
Definition eccvm_flavor.hpp:42
bb::ECCVMFlavor::VerifierCommitments
VerifierCommitments_< Commitment, VerificationKey > VerifierCommitments
Definition eccvm_flavor.hpp:993
bb::ECCVMFlavor::Curve
curve::Grumpkin Curve
Definition eccvm_flavor.hpp:39
bb::ECCVMFlavor::PCS
IPA< Curve > PCS
Definition eccvm_flavor.hpp:41
bb::ECCVMFlavor::USE_PADDING
static constexpr bool USE_PADDING
Definition eccvm_flavor.hpp:59
bb::ECCVMFlavor::REPEATED_COMMITMENTS
static constexpr RepeatedCommitmentsData REPEATED_COMMITMENTS
Definition eccvm_flavor.hpp:87
bb::IPA
IPA (inner product argument) commitment scheme class.
Definition ipa.hpp:93
bb::OinkVerifier
Verifier class for all the presumcheck rounds, which are shared between the folding verifier and ultr...
Definition oink_verifier.hpp:35
bb::OinkVerifier::verify
void verify()
Oink Verifier function that runs all the rounds of the verifier.
Definition oink_verifier.cpp:28
bb::RollupIO
The data that is propagated on the public inputs of a rollup circuit.
Definition special_public_inputs.hpp:84
bb::ShpleminiVerifier_
An efficient verifier for the evaluation proofs of multilinear polynomials and their shifts.
Definition shplemini.hpp:190
bb::SumcheckVerifier
Implementation of the sumcheck Verifier for statements of the form for multilinear polynomials .
Definition sumcheck.hpp:786
bb::SumcheckVerifier::verify
SumcheckOutput< Flavor > verify(const bb::RelationParameters< FF > &relation_parameters, const std::vector< FF > &gate_challenges, const std::vector< FF > &padding_indicator_array)
The Sumcheck verification method. First it extracts round univariate, checks sum (the sumcheck univar...
Definition sumcheck.hpp:844
bb::UltraVerifier_
Definition ultra_verifier.hpp:18
bb::UltraVerifier_::Proof
typename Transcript::Proof Proof
Definition ultra_verifier.hpp:25
bb::UltraVerifier_::FF
typename Flavor::FF FF
Definition ultra_verifier.hpp:19
bb::UltraVerifier_::verify_proof
UltraVerifierOutput verify_proof(const Proof &proof, const Proof &ipa_proof={})
pairing_points.hpp
vinfo
#define vinfo(...)
Definition log.hpp:80
info
void info(Args... args)
Definition log.hpp:75
get_msb.hpp
inputs
AvmProvingInputs inputs
Definition hinting_dbs.test.cpp:45
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
oink_verifier.hpp
special_public_inputs.hpp
bb::ClaimBatcher_
Logic to support batching opening claims for unshifted and shifted polynomials in Shplemini.
Definition claim_batcher.hpp:28
bb::SumcheckOutput
Contains the evaluations of multilinear polynomials at the challenge point . These are computed by S...
Definition sumcheck_output.hpp:22
bb::SumcheckOutput::claimed_evaluations
ClaimedEvaluations claimed_evaluations
Definition sumcheck_output.hpp:30
bb::SumcheckOutput::challenge
std::vector< FF > challenge
Definition sumcheck_output.hpp:28
bb::UltraVerifier_::UltraVerifierOutput
Definition ultra_verifier.hpp:28
bb::UltraVerifier_::UltraVerifierOutput::ecc_op_tables
std::array< Commitment, Flavor::NUM_WIRES > ecc_op_tables
Definition ultra_verifier.hpp:32
bb::UltraVerifier_::UltraVerifierOutput::kernel_return_data
Commitment kernel_return_data
Definition ultra_verifier.hpp:31
bb::UltraVerifier_::UltraVerifierOutput::result
bool result
Definition ultra_verifier.hpp:30
ultra_verifier.hpp