Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
avm2_recursion_constraint.test.cpp
Go to the documentation of this file.
1#include "barretenberg/dsl/acir_format/avm2_recursion_constraint.hpp"
2#include "barretenberg/dsl/acir_format/acir_format.hpp"
3#include "barretenberg/dsl/acir_format/gate_count_constants.hpp"
4#include "barretenberg/dsl/acir_format/test_class.hpp"
5#include "barretenberg/dsl/acir_format/utils.hpp"
6#include "barretenberg/srs/global_crs.hpp"
7#include "barretenberg/stdlib/primitives/circuit_builders/circuit_builders_fwd.hpp"
8#include "barretenberg/ultra_honk/ultra_prover.hpp"
9#include "barretenberg/ultra_honk/ultra_verifier.hpp"
10#include "barretenberg/vm2/common/avm_io.hpp"
11#include "barretenberg/vm2/constraining/prover.hpp"
12#include "barretenberg/vm2/constraining/recursion/goblin_avm_recursive_verifier.hpp"
13#include "barretenberg/vm2/constraining/recursion/recursive_flavor.hpp"
14#include "barretenberg/vm2/constraining/recursion/recursive_verifier.hpp"
15#include "barretenberg/vm2/constraining/verifier.hpp"
16#include "barretenberg/vm2/proving_helper.hpp"
17#include "barretenberg/vm2/testing/fixtures.hpp"
18
19#include <gtest/gtest.h>
20#include <memory>
21#include <vector>
22
23using namespace acir_format;
24using namespace bb;
25using namespace bb::avm2;
26
27class AvmRecursionConstraintTestingFunctions {
28 public:
29 using AcirConstraint = RecursionConstraint;
30 using Builder = UltraCircuitBuilder;
31
32 using AvmProver = bb::avm2::AvmProvingHelper;
33 using FF = Builder::FF;
34
35 class InvalidWitness {
36 public:
37 enum class Target : uint8_t { None, PublicInputs, Proof };
38 static std::vector<Target> get_all()
39 {
40 std::vector<Target> targets = { Target::None, Target::PublicInputs, Target::Proof };
41 return targets;
42 };
43 static std::vector<std::string> get_labels()
44 {
45 std::vector<std::string> labels = { "None", "PublicInputs", "Proof" };
46 return labels;
47 };
48 };
49
50 static std::pair<AvmProver::Proof, std::vector<FF>> create_avm_data()
51 {
52 auto [trace, public_inputs] = avm2::testing::get_minimal_trace_with_pi();
53
54 AvmProver prover;
55 auto proof = prover.prove(std::move(trace));
56 proof.resize(AVM_V2_PROOF_LENGTH_IN_FIELDS_PADDED, FF::zero()); // Pad proof
57
58 const bool verified = prover.verify(proof, public_inputs);
59 EXPECT_TRUE(verified) << "native proof verification failed";
60
61 auto public_inputs_flat = PublicInputs::columns_to_flat(public_inputs.to_columns());
62 public_inputs_flat.resize(AVM_PUBLIC_INPUTS_COLUMNS_COMBINED_LENGTH, FF::zero()); // Pad public inputs
63
64 return { proof, public_inputs_flat };
65 }
66
67 static ProgramMetadata generate_metadata() { return ProgramMetadata{ .has_ipa_claim = true }; }
68
69 static void generate_constraints(AcirConstraint& avm_recursion_constraint, WitnessVector& witness_values)
70 {
71 const auto [proof, public_inputs_flat] = create_avm_data();
72 avm_recursion_constraint = RecursionConstraint{
73 .key = {}, // Unused, the key is hard-coded in the circuit
74 .proof = add_to_witness_and_track_indices(witness_values, proof),
75 .public_inputs = add_to_witness_and_track_indices(witness_values, public_inputs_flat),
76 .key_hash = IS_CONSTANT, // Unused, the key hash is hard-coded in the circuit
77 .proof_type = AVM,
78 .predicate = WitnessOrConstant<typename Builder::FF>::from_constant(1),
79 };
80 }
81
82 static std::pair<AcirConstraint, WitnessVector> invalidate_witness(
83 AcirConstraint constraint, WitnessVector witness_values, const InvalidWitness::Target& invalid_witness_target)
84 {
85 switch (invalid_witness_target) {
86 case InvalidWitness::Target::None:
87 break;
88 case InvalidWitness::Target::PublicInputs: {
89 // Tamper with the public inputs
90 witness_values[constraint.public_inputs[0]] += FF::one();
91 break;
92 }
93 case InvalidWitness::Target::Proof: {
94 // Tamper with the proof by changing one of the univariate coefficients
95 witness_values[constraint.proof[FrCodec::calc_num_fields<AvmFlavor::Commitment>() *
96 AvmFlavor::NUM_WITNESS_ENTITIES]] += FF::one();
97 break;
98 }
99 }
100
101 return { constraint, witness_values };
102 }
103};
104
105class AvmRecursionConstraintTest : public ::testing::Test, public TestClass<AvmRecursionConstraintTestingFunctions> {
106 protected:
107 static void SetUpTestSuite() { bb::srs::init_file_crs_factory(bb::srs::bb_crs_path()); }
108};
109
110TEST_F(AvmRecursionConstraintTest, GenerateVKFromConstraints)
111{
112 if (avm2::testing::skip_slow_tests()) {
113 GTEST_SKIP() << "Skipping slow test";
114 }
115 // AVM constraints are always proven with UltraRollupFlavor (they are part of the base rollup circuit)
116 size_t num_gates = test_vk_independence<UltraRollupFlavor>();
117
118 EXPECT_EQ(num_gates, FINALIZED_GOBLIN_AVM_GATE_COUNT);
119}
120
121TEST_F(AvmRecursionConstraintTest, Tampering)
122{
123 if (avm2::testing::skip_slow_tests()) {
124 GTEST_SKIP() << "Skipping slow test";
125 }
126 std::vector<std::string> _ = test_tampering();
127}
128
129TEST_F(AvmRecursionConstraintTest, GateCountAndVKCheck)
130{
131 if (avm2::testing::skip_slow_tests()) {
132 GTEST_SKIP() << "Skipping slow test";
133 }
134 using ProverInstance = ProverInstance_<UltraRollupFlavor>;
135
136 AcirConstraint constraint;
137 WitnessVector witness;
138 Base::generate_constraints(constraint, witness);
139
140 AcirFormat acir_format = constraint_to_acir_format(constraint, static_cast<uint32_t>(witness.size() - 1));
141
142 AcirProgram program = { acir_format, {} };
143 ProgramMetadata metadata = Base::generate_metadata();
144 metadata.collect_gates_per_opcode = true;
145 auto builder = create_circuit<Builder>(program, metadata);
146
147 EXPECT_EQ(program.constraints.gates_per_opcode.size(), 1);
148 EXPECT_EQ(program.constraints.gates_per_opcode[0], GOBLIN_AVM_GATE_COUNT);
149
150 auto prover_instance = std::make_shared<ProverInstance>(builder);
151 auto vk = std::make_shared<typename UltraRollupFlavor::VerificationKey>(prover_instance->get_precomputed());
152
153 // TODO(fcarreiro): Re-enable when the VK is fixed.
154 // static constexpr FF EXPECTED_OUTER_VK_HASH =
155 // FF("0x195059523571dbadeae1b213250567e17b4994568b736b73a1aae2b0c65fd2cd");
156 // EXPECT_EQ(vk->hash(), EXPECTED_OUTER_VK_HASH)
157 // << "The VK hash of the outer circuit in the Goblinized AVM recursive verifier has changed. If this is "
158 // "expected, update the expected value in the test.";
159}
160
161class AvmRecursionInnerCircuitTests : public ::testing::Test {
162 public:
163 using Builder = UltraCircuitBuilder;
164 using InnerProverOutput = AvmGoblinRecursiveVerifier::InnerProverOutput;
165 using RecursiveAvmGoblinOutput = AvmGoblinRecursiveVerifier::RecursiveAvmGoblinOutput;
166 using FF = Builder::FF;
167
168 static constexpr FF EXPECTED_INNER_VK_HASH =
169 FF("0x01caba77a068a59190885beaf6c30240dcd92b0515064b36dd4a3035b39154ea");
170
171 static void SetUpTestSuite() { bb::srs::init_file_crs_factory(bb::srs::bb_crs_path()); }
172
173 static std::tuple<stdlib::Proof<Builder>, std::vector<std::vector<field_t<Builder>>>, InnerProverOutput>
174 create_and_prove_inner_circuit(Builder& outer_builder,
175 const HonkProof& proof,
176 const std::vector<FF>& public_inputs_flat)
177 {
178 std::vector<field_t<Builder>> stdlib_public_inputs_flat;
179 stdlib_public_inputs_flat.reserve(AVM_PUBLIC_INPUTS_COLUMNS_COMBINED_LENGTH);
180 for (const auto public_input : public_inputs_flat) {
181 stdlib_public_inputs_flat.emplace_back(field_t<Builder>::from_witness(&outer_builder, public_input));
182 }
183 stdlib::Proof<Builder> stdlib_proof;
184 stdlib_proof.reserve(AVM_V2_PROOF_LENGTH_IN_FIELDS_PADDED);
185 for (const auto proof_element : proof) {
186 stdlib_proof.emplace_back(field_t<Builder>::from_witness(&outer_builder, proof_element));
187 }
188
189 AvmGoblinRecursiveVerifier goblin_avm_verifier(outer_builder);
190 std::vector<std::vector<field_t<Builder>>> public_inputs =
191 PublicInputs::flat_to_columns<field_t<Builder>>(stdlib_public_inputs_flat);
192 auto [mega_proof, goblin_proof, mega_vk] =
193 goblin_avm_verifier.construct_and_prove_inner_recursive_verification_circuit(stdlib_proof, public_inputs);
194
195 return { stdlib_proof, public_inputs, { mega_proof, goblin_proof, mega_vk } };
196 }
197};
198
199// TODO(fcarreiro): Re-enable when the VK is fixed.
200TEST_F(AvmRecursionInnerCircuitTests, DISABLED_VKCheck)
201{
202 if (avm2::testing::skip_slow_tests()) {
203 GTEST_SKIP() << "Skipping slow test";
204 }
205 const auto [proof, public_inputs_flat] = AvmRecursionConstraintTestingFunctions::create_avm_data();
206
207 Builder outer_builder;
208 auto [_stdlib_proof, _public_inputs, inner_prover_output] =
209 create_and_prove_inner_circuit(outer_builder, proof, public_inputs_flat);
210 EXPECT_EQ(inner_prover_output.mega_vk->hash(), EXPECTED_INNER_VK_HASH)
211 << "The VK hash of the inner circuit in the Goblinized AVM recursive verifier has changed. If this is "
212 "expected, update the expected value in the test.";
213}
214
220TEST_F(AvmRecursionInnerCircuitTests, Tampering)
221{
222 if (avm2::testing::skip_slow_tests()) {
223 GTEST_SKIP() << "Skipping slow test";
224 }
225 const auto [proof, public_inputs_flat] = AvmRecursionConstraintTestingFunctions::create_avm_data();
226
227 {
228 Builder outer_builder;
229 auto [stdlib_proof, public_inputs, inner_prover_output] =
230 create_and_prove_inner_circuit(outer_builder, proof, public_inputs_flat);
231
232 auto mega_proof_tampered = inner_prover_output.mega_proof;
233 mega_proof_tampered[0] += FF::one(); // Tamper with the first public input
234
235 AvmGoblinRecursiveVerifier goblin_avm_verifier(outer_builder);
236 RecursiveAvmGoblinOutput output = goblin_avm_verifier.construct_outer_recursive_verification_circuit(
237 stdlib_proof,
238 public_inputs,
239 { mega_proof_tampered, inner_prover_output.goblin_proof, inner_prover_output.mega_vk });
240
241 EXPECT_TRUE(outer_builder.failed());
242 }
243
244 {
245 Builder outer_builder;
246 auto [stdlib_proof, public_inputs, inner_prover_output] =
247 create_and_prove_inner_circuit(outer_builder, proof, public_inputs_flat);
248
249 auto goblin_proof_tampered = inner_prover_output.goblin_proof;
250 goblin_proof_tampered.merge_proof[0] -= FF::one(); // Tamper with merge proof shift size
251
252 AvmGoblinRecursiveVerifier goblin_avm_verifier(outer_builder);
253 RecursiveAvmGoblinOutput output = goblin_avm_verifier.construct_outer_recursive_verification_circuit(
254 stdlib_proof,
255 public_inputs,
256 { inner_prover_output.mega_proof, goblin_proof_tampered, inner_prover_output.mega_vk });
257
258 EXPECT_TRUE(outer_builder.failed());
259 }
260
261 {
262 Builder outer_builder;
263 auto [stdlib_proof, public_inputs, inner_prover_output] =
264 create_and_prove_inner_circuit(outer_builder, proof, public_inputs_flat);
265
266 auto mega_vk_tampered = inner_prover_output.mega_vk;
267 mega_vk_tampered->q_m = mega_vk_tampered->q_m + MegaAvmFlavor::Commitment::one(); // Tamper with q_m commitment
268
269 AvmGoblinRecursiveVerifier goblin_avm_verifier(outer_builder);
270 RecursiveAvmGoblinOutput output = goblin_avm_verifier.construct_outer_recursive_verification_circuit(
271 stdlib_proof,
272 public_inputs,
273 { inner_prover_output.mega_proof, inner_prover_output.goblin_proof, mega_vk_tampered });
274
275 EXPECT_TRUE(outer_builder.failed());
276 }
277}
acir_format.hpp
avm_io.hpp
AVM_PUBLIC_INPUTS_COLUMNS_COMBINED_LENGTH
#define AVM_PUBLIC_INPUTS_COLUMNS_COMBINED_LENGTH
Definition aztec_constants.hpp:177
AVM_V2_PROOF_LENGTH_IN_FIELDS_PADDED
#define AVM_V2_PROOF_LENGTH_IN_FIELDS_PADDED
Definition aztec_constants.hpp:178
circuit_builders_fwd.hpp
AvmRecursionConstraintTestingFunctions::create_avm_data
static std::pair< AvmProver::Proof, std::vector< FF > > create_avm_data()
Definition avm2_recursion_constraint.test.cpp:50
AvmRecursionConstraintTestingFunctions::invalidate_witness
static std::pair< AcirConstraint, WitnessVector > invalidate_witness(AcirConstraint constraint, WitnessVector witness_values, const InvalidWitness::Target &invalid_witness_target)
Definition avm2_recursion_constraint.test.cpp:82
AvmRecursionConstraintTestingFunctions::generate_constraints
static void generate_constraints(AcirConstraint &avm_recursion_constraint, WitnessVector &witness_values)
Definition avm2_recursion_constraint.test.cpp:69
AvmRecursionInnerCircuitTests::create_and_prove_inner_circuit
static std::tuple< stdlib::Proof< Builder >, std::vector< std::vector< field_t< Builder > > >, InnerProverOutput > create_and_prove_inner_circuit(Builder &outer_builder, const HonkProof &proof, const std::vector< FF > &public_inputs_flat)
Definition avm2_recursion_constraint.test.cpp:174
AvmRecursionInnerCircuitTests::InnerProverOutput
AvmGoblinRecursiveVerifier::InnerProverOutput InnerProverOutput
Definition avm2_recursion_constraint.test.cpp:164
acir_format::TestClass
Definition test_class.hpp:586
bb::ProverInstance_
A ProverInstance is normally constructed from a finalized circuit and it contains all the information...
Definition prover_instance.hpp:33
bb::UltraCircuitBuilder_
Definition ultra_circuit_builder.hpp:41
bb::UltraCircuitBuilder_::FF
typename ExecutionTrace::FF FF
Definition ultra_circuit_builder.hpp:44
bb::avm2::AvmFlavor::NUM_WITNESS_ENTITIES
static constexpr size_t NUM_WITNESS_ENTITIES
Definition flavor.hpp:55
bb::avm2::AvmGoblinRecursiveVerifier
Recursive verifier of AVM2 proofs that utilizes the Goblin mechanism for efficient EC operations.
Definition goblin_avm_recursive_verifier.hpp:51
bb::avm2::AvmGoblinRecursiveVerifier::construct_and_prove_inner_recursive_verification_circuit
InnerProverOutput construct_and_prove_inner_recursive_verification_circuit(const stdlib::Proof< UltraBuilder > &stdlib_proof, const std::vector< std::vector< UltraFF > > &public_inputs) const
Construct and prove the inner Mega-arithmetized AVM recursive verifier circuit.
Definition goblin_avm_recursive_verifier.hpp:190
bb::avm2::AvmGoblinRecursiveVerifier::RecursiveAvmGoblinOutput
stdlib::recursion::honk::UltraRecursiveVerifierOutput< UltraBuilder > RecursiveAvmGoblinOutput
Definition goblin_avm_recursive_verifier.hpp:63
bb::avm2::AvmGoblinRecursiveVerifier::construct_outer_recursive_verification_circuit
RecursiveAvmGoblinOutput construct_outer_recursive_verification_circuit(const stdlib::Proof< UltraBuilder > &stdlib_proof, const std::vector< std::vector< UltraFF > > &public_inputs, const InnerProverOutput &inner_output) const
Construct the outer circuit which recursively verifies a Mega proof and a Goblin proof.
Definition goblin_avm_recursive_verifier.hpp:112
bb::avm2::AvmProvingHelper::verify
bool verify(const Proof &proof, const PublicInputs &pi)
Definition proving_helper.cpp:100
bb::avm2::AvmProvingHelper::prove
Proof prove(tracegen::TraceContainer &&trace)
Definition proving_helper.cpp:54
bb::stdlib::Proof
A simple wrapper around a vector of stdlib field elements representing a proof.
Definition proof.hpp:19
bb::stdlib::field_t
Definition field.hpp:45
builder
AluTraceBuilder builder
Definition alu.test.cpp:124
trace
TestTraceContainer trace
Definition data_copy.test.cpp:63
avm2_recursion_constraint.hpp
utils.hpp
gate_count_constants.hpp
global_crs.hpp
goblin_avm_recursive_verifier.hpp
acir_format
Definition acir_format.cpp:30
acir_format::AVM
@ AVM
Definition recursion_constraint.hpp:33
acir_format::FINALIZED_GOBLIN_AVM_GATE_COUNT
constexpr size_t FINALIZED_GOBLIN_AVM_GATE_COUNT
Definition gate_count_constants.hpp:163
acir_format::constraint_to_acir_format
AcirFormat constraint_to_acir_format(const ConstraintType &constraint, uint32_t varnum)
Convert an AcirConstraint (single or vector) to AcirFormat by going through the full ACIR serde flow.
Definition test_class.hpp:506
acir_format::GOBLIN_AVM_GATE_COUNT
constexpr size_t GOBLIN_AVM_GATE_COUNT
Definition gate_count_constants.hpp:162
acir_format::WitnessVector
std::vector< bb::fr > WitnessVector
Definition acir_format.hpp:35
acir_format::add_to_witness_and_track_indices
std::vector< uint32_t > add_to_witness_and_track_indices(std::vector< bb::fr > &witness, const T &input)
Append values to a witness vector and track their indices.
Definition utils.hpp:90
bb::avm2::testing::skip_slow_tests
bool skip_slow_tests()
Check if slow tests should be skipped.
Definition fixtures.cpp:199
bb::avm2::testing::get_minimal_trace_with_pi
std::pair< tracegen::TraceContainer, PublicInputs > get_minimal_trace_with_pi()
Definition fixtures.cpp:183
bb::srs::bb_crs_path
std::filesystem::path bb_crs_path()
Definition global_crs.cpp:14
bb::srs::init_file_crs_factory
void init_file_crs_factory(const std::filesystem::path &path)
Definition global_crs.hpp:14
bb::stdlib::recursion::honk::TEST_F
TEST_F(BoomerangGoblinRecursiveVerifierTests, graph_description_basic)
Construct and check a goblin recursive verification circuit.
Definition graph_description_goblin.test.cpp:69
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
bb::HonkProof
std::vector< fr > HonkProof
Definition proof.hpp:15
bb::UltraCircuitBuilder
UltraCircuitBuilder_< UltraExecutionTraceBlocks > UltraCircuitBuilder
Definition circuit_builders_fwd.hpp:18
bb::vk
VerifierCommitmentKey< Curve > vk
Definition ipa.fuzzer.cpp:21
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
proving_helper.hpp
recursive_flavor.hpp
recursive_verifier.hpp
acir_format::AcirFormat
Barretenberg's representation of ACIR constraints.
Definition acir_format.hpp:82
acir_format::AcirFormat::gates_per_opcode
std::vector< size_t > gates_per_opcode
Definition acir_format.hpp:110
acir_format::AcirProgram
Struct containing both the constraints to be added to the circuit and the witness vector.
Definition acir_format.hpp:122
acir_format::AcirProgram::constraints
AcirFormat constraints
Definition acir_format.hpp:123
acir_format::ProgramMetadata
Metadata required to create a circuit.
Definition acir_format.hpp:137
acir_format::ProgramMetadata::has_ipa_claim
bool has_ipa_claim
Definition acir_format.hpp:141
acir_format::ProgramMetadata::collect_gates_per_opcode
bool collect_gates_per_opcode
Definition acir_format.hpp:145
acir_format::RecursionConstraint
RecursionConstraint struct contains information required to recursively verify a proof.
Definition recursion_constraint.hpp:60
acir_format::RecursionConstraint::key
std::vector< uint32_t > key
Definition recursion_constraint.hpp:61
acir_format::RecursionConstraint::public_inputs
std::vector< uint32_t > public_inputs
Definition recursion_constraint.hpp:63
acir_format::RecursionConstraint::proof
std::vector< uint32_t > proof
Definition recursion_constraint.hpp:62
acir_format::WitnessOrConstant::from_constant
static WitnessOrConstant from_constant(FF value)
Definition witness_constant.hpp:28
bb::avm2::PublicInputs::columns_to_flat
static std::vector< FF > columns_to_flat(std::vector< std::vector< FF > > const &columns)
Definition avm_io.cpp:289
bb::stdlib::recursion::honk::UltraRecursiveVerifierOutput
Output type for recursive ultra verification.
Definition ultra_verifier.hpp:28
test_class.hpp
ultra_prover.hpp
ultra_verifier.hpp