Barretenberg: src/barretenberg/chonk/chonk.hpp Source File

// === AUDIT STATUS ===

// internal:    { status: Complete, auditors: [Sergei], commit: }

// external_1:  { status: not started, auditors: [], commit: }

// external_2:  { status: not started, auditors: [], commit: }

// =====================


#pragma once


#include "barretenberg/chonk/chonk_base.hpp"

#include "barretenberg/chonk/chonk_proof.hpp"

#include "barretenberg/flavor/mega_zk_recursive_flavor.hpp"

#include "barretenberg/goblin/goblin.hpp"

#include "barretenberg/hypernova/hypernova_decider_prover.hpp"

#include "barretenberg/hypernova/hypernova_decider_verifier.hpp"

#include "barretenberg/hypernova/hypernova_prover.hpp"

#include "barretenberg/hypernova/hypernova_verifier.hpp"

#include "barretenberg/stdlib/primitives/databus/databus.hpp"

#include "barretenberg/stdlib/proof/proof.hpp"

#include "barretenberg/stdlib/special_public_inputs/special_public_inputs.hpp"

#include "barretenberg/ultra_honk/ultra_prover.hpp"

#include "barretenberg/ultra_honk/ultra_verifier.hpp"

#ifndef NDEBUG

#include "barretenberg/circuit_checker/circuit_checker.hpp"

#endif

#include <algorithm>


namespace bb {


class Chonk : public IVCBase {

    // CHONK: "Client Honk" - An UltraHonk variant with incremental folding and delayed non-native arithmetic.


  public:

    using Flavor = MegaFlavor;

    using MegaVerificationKey = Flavor::VerificationKey;

    using MegaZKVerificationKey = MegaZKFlavor::VerificationKey;

    using FF = Flavor::FF;

    using Commitment = Flavor::Commitment;

    using ProverPolynomials = Flavor::ProverPolynomials;

    using Point = Flavor::Curve::AffineElement;

    using ProverInstance = ProverInstance_<Flavor>;

    using DeciderZKProvingKey = ProverInstance_<MegaZKFlavor>;

    using VerifierInstance = VerifierInstance_<Flavor>;

    using ClientCircuit = MegaCircuitBuilder; // can only be Mega

    using ECCVMVerificationKey = bb::ECCVMFlavor::VerificationKey;

    using TranslatorVerificationKey = bb::TranslatorFlavor::VerificationKey;

    using MegaProver = UltraProver_<Flavor>;

    using Transcript = NativeTranscript;

    // Recursive types

    using RecursiveFlavor = MegaRecursiveFlavor_<bb::MegaCircuitBuilder>;

    using StdlibFF = RecursiveFlavor::FF;

    using RecursiveCommitment = RecursiveFlavor::Commitment;

    using RecursiveVerifierInstance = VerifierInstance_<RecursiveFlavor>;

    using RecursiveVerificationKey = RecursiveFlavor::VerificationKey;

    using RecursiveVKAndHash = RecursiveFlavor::VKAndHash;

    using RecursiveTranscript = RecursiveFlavor::Transcript;

    using PairingPoints = stdlib::recursion::PairingPoints<stdlib::bn254<ClientCircuit>>;

    using KernelIO = bb::stdlib::recursion::honk::KernelIO;

    using HidingKernelIO = bb::stdlib::recursion::honk::HidingKernelIO<ClientCircuit>;

    using AppIO = bb::stdlib::recursion::honk::AppIO;

    using StdlibProof = stdlib::Proof<ClientCircuit>;

    using WitnessCommitments = RecursiveFlavor::WitnessCommitments;

    using DataBusDepot = stdlib::DataBusDepot<ClientCircuit>;

    using TableCommitments = std::array<RecursiveFlavor::Commitment, ClientCircuit::NUM_WIRES>;

    // Folding

    using FoldingProver = HypernovaFoldingProver;

    using FoldingVerifier = HypernovaFoldingVerifier<Flavor>;

    using RecursiveFoldingVerifier = HypernovaFoldingVerifier<RecursiveFlavor>;

    using DeciderProver = HypernovaDeciderProver;

    using RecursiveDeciderVerifier = HypernovaDeciderVerifier<RecursiveFlavor>;

    using ProverAccumulator = FoldingProver::Accumulator;

    using VerifierAccumulator = FoldingVerifier::Accumulator;

    using RecursiveVerifierAccumulator = RecursiveFoldingVerifier::Accumulator;


    enum class QUEUE_TYPE : uint8_t { OINK, HN, HN_TAIL, HN_FINAL, MEGA };


    // An entry in the native verification queue


    struct VerifierInputs {

        std::vector<FF> proof; // oink or HN

        std::shared_ptr<MegaVerificationKey> honk_vk;

        QUEUE_TYPE type;

        bool is_kernel = false;

    };


    using VerificationQueue = std::deque<VerifierInputs>;


    // An entry in the stdlib verification queue


    struct StdlibVerifierInputs {

        StdlibProof proof; // oink or HN

        std::shared_ptr<RecursiveVKAndHash> honk_vk_and_hash;

        QUEUE_TYPE type;

        bool is_kernel = false;

    };


    using StdlibVerificationQueue = std::deque<StdlibVerifierInputs>;


  private:

    // Transcript for Chonk prover (shared between Hiding kernel, Merge, ECCVM, and Translator)

    std::shared_ptr<Transcript> transcript = std::make_shared<Transcript>();


    // Transcript to be shared across the folding of K_{i-1} (kernel), A_{i} (app)

    std::shared_ptr<Transcript> prover_accumulation_transcript = std::make_shared<Transcript>();


    size_t num_circuits; // total number of circuits to be accumulated in the IVC

  public:

    size_t num_circuits_accumulated = 0; // number of circuits accumulated so far


    ProverAccumulator prover_accumulator; // current HN prover accumulator instance


    HonkProof decider_proof; // decider proof to be verified in the Hiding kernel


    VerifierAccumulator recursive_verifier_native_accum; // native verifier accumulator used in recursive folding

#ifndef NDEBUG

    VerifierAccumulator native_verifier_accum; //  native verifier accumulator used in prover folding

    FF native_verifier_accum_hash; // hash of the native verifier accumulator when entering recursive verification

#endif


    // PARALLEL QUEUES: These two queues must stay synchronized.

    // - verification_queue: Native proofs created by accumulate() (prover side)

    // - stdlib_verification_queue: Circuit witnesses for complete_kernel_circuit_logic() (verifier side)

    // The stdlib queue is populated from the native queue via instantiate_stdlib_verification_queue().

    VerificationQueue verification_queue;

    StdlibVerificationQueue stdlib_verification_queue;


    // Management of linking databus commitments between circuits in the IVC

    DataBusDepot bus_depot;


    typename MegaFlavor::CommitmentKey bn254_commitment_key;


    Goblin goblin;


    size_t get_num_circuits() const { return num_circuits; }


    // IVCBase interface

    Goblin& get_goblin() override { return goblin; }

    const Goblin& get_goblin() const override { return goblin; }


    Chonk(size_t num_circuits);


    void instantiate_stdlib_verification_queue(ClientCircuit& circuit,

                                               const std::vector<std::shared_ptr<RecursiveVKAndHash>>& input_keys = {});


    [[nodiscard("Pairing points should be accumulated")]] std::

        tuple<std::optional<RecursiveVerifierAccumulator>, std::vector<PairingPoints>, TableCommitments>

        perform_recursive_verification_and_databus_consistency_checks(

            ClientCircuit& circuit,

            const StdlibVerifierInputs& verifier_inputs,

            const std::optional<RecursiveVerifierAccumulator>& input_verifier_accumulator,

            const TableCommitments& T_prev_commitments,

            const std::shared_ptr<RecursiveTranscript>& accumulation_recursive_transcript);


    // Complete the logic of a kernel circuit (e.g. HN/merge recursive verification, databus consistency checks)

    void complete_kernel_circuit_logic(ClientCircuit& circuit);


    void accumulate(ClientCircuit& circuit, const std::shared_ptr<MegaVerificationKey>& precomputed_vk) override;


    ChonkProof prove();


    static void hide_op_queue_accumulation_result(ClientCircuit& circuit);

    static void hide_op_queue_content_in_tail(ClientCircuit& circuit);

    static void hide_op_queue_content_in_hiding(ClientCircuit& circuit);


    std::shared_ptr<MegaZKFlavor::VKAndHash> get_hiding_kernel_vk_and_hash() const;


  private:

#ifndef NDEBUG

    void update_native_verifier_accumulator(const VerifierInputs& queue_entry,

                                            const std::shared_ptr<Transcript>& verifier_transcript);


    void debug_incoming_circuit(ClientCircuit& circuit,

                                const std::shared_ptr<ProverInstance>& prover_instance,

                                const std::shared_ptr<MegaVerificationKey>& precomputed_vk);

#endif


    HonkProof construct_honk_proof_for_hiding_kernel(ClientCircuit& circuit,

                                                     const std::shared_ptr<MegaVerificationKey>& verification_key);


    QUEUE_TYPE get_queue_type() const;

};


} // namespace bb

chonk_base.hpp

chonk_proof.hpp

circuit_checker.hpp

bb::BaseTranscript
Common transcript class for both parties. Stores the data for the current round, as well as the manif...
Definition transcript.hpp:41

bb::Chonk
The IVC scheme used by the aztec client for private function execution.
Definition chonk.hpp:38

bb::Chonk::prover_accumulator
ProverAccumulator prover_accumulator
Definition chonk.hpp:136

bb::Chonk::get_goblin
Goblin & get_goblin() override
Definition chonk.hpp:163

bb::Chonk::instantiate_stdlib_verification_queue
void instantiate_stdlib_verification_queue(ClientCircuit &circuit, const std::vector< std::shared_ptr< RecursiveVKAndHash > > &input_keys={})
Instantiate a stdlib verification queue for use in the kernel completion logic.
Definition chonk.cpp:45

bb::Chonk::construct_honk_proof_for_hiding_kernel
HonkProof construct_honk_proof_for_hiding_kernel(ClientCircuit &circuit, const std::shared_ptr< MegaVerificationKey > &verification_key)
Construct a zero-knowledge proof for the Hiding kernel, which recursively verifies the last folding,...
Definition chonk.cpp:530

bb::Chonk::get_hiding_kernel_vk_and_hash
std::shared_ptr< MegaZKFlavor::VKAndHash > get_hiding_kernel_vk_and_hash() const
Get the hiding kernel verification key and hash for Chonk verification.
Definition chonk.cpp:564

bb::Chonk::complete_kernel_circuit_logic
void complete_kernel_circuit_logic(ClientCircuit &circuit)
Append logic to complete a kernel circuit.
Definition chonk.cpp:246

bb::Chonk::perform_recursive_verification_and_databus_consistency_checks
std::tuple< std::optional< RecursiveVerifierAccumulator >, std::vector< PairingPoints >, TableCommitments > perform_recursive_verification_and_databus_consistency_checks(ClientCircuit &circuit, const StdlibVerifierInputs &verifier_inputs, const std::optional< RecursiveVerifierAccumulator > &input_verifier_accumulator, const TableCommitments &T_prev_commitments, const std::shared_ptr< RecursiveTranscript > &accumulation_recursive_transcript)
Populate the provided circuit with constraints for (1) recursive verification of the provided accumul...
Definition chonk.cpp:98

bb::Chonk::native_verifier_accum
VerifierAccumulator native_verifier_accum
Definition chonk.hpp:142

bb::Chonk::update_native_verifier_accumulator
void update_native_verifier_accumulator(const VerifierInputs &queue_entry, const std::shared_ptr< Transcript > &verifier_transcript)
Update native verifier accumulator. Useful for debugging.
Definition chonk.cpp:572

bb::Chonk::hide_op_queue_content_in_hiding
static void hide_op_queue_content_in_hiding(ClientCircuit &circuit)
Adds two random non-ops to the hiding kernel for zero-knowledge.
Definition chonk.cpp:520

bb::Chonk::TableCommitments
std::array< RecursiveFlavor::Commitment, ClientCircuit::NUM_WIRES > TableCommitments
Definition chonk.hpp:72

bb::Chonk::bus_depot
DataBusDepot bus_depot
Definition chonk.hpp:154

bb::Chonk::transcript
std::shared_ptr< Transcript > transcript
Definition chonk.hpp:127

bb::Chonk::num_circuits_accumulated
size_t num_circuits_accumulated
Definition chonk.hpp:134

bb::Chonk::Commitment
Flavor::Commitment Commitment
Definition chonk.hpp:46

bb::Chonk::debug_incoming_circuit
void debug_incoming_circuit(ClientCircuit &circuit, const std::shared_ptr< ProverInstance > &prover_instance, const std::shared_ptr< MegaVerificationKey > &precomputed_vk)
Definition chonk.cpp:615

bb::Chonk::decider_proof
HonkProof decider_proof
Definition chonk.hpp:138

bb::Chonk::Point
Flavor::Curve::AffineElement Point
Definition chonk.hpp:48

bb::Chonk::native_verifier_accum_hash
FF native_verifier_accum_hash
Definition chonk.hpp:143

bb::Chonk::get_num_circuits
size_t get_num_circuits() const
Definition chonk.hpp:160

bb::Chonk::QUEUE_TYPE
QUEUE_TYPE
Proof type determining recursive verification logic in kernel circuits.
Definition chonk.hpp:105

bb::Chonk::QUEUE_TYPE::OINK
@ OINK

bb::Chonk::QUEUE_TYPE::HN_TAIL
@ HN_TAIL

bb::Chonk::QUEUE_TYPE::HN_FINAL
@ HN_FINAL

bb::Chonk::QUEUE_TYPE::HN
@ HN

bb::Chonk::QUEUE_TYPE::MEGA
@ MEGA

bb::Chonk::get_queue_type
QUEUE_TYPE get_queue_type() const
Get queue type for the proof of a circuit about to be accumulated based on num circuits accumulated s...
Definition chonk.cpp:357

bb::Chonk::StdlibVerificationQueue
std::deque< StdlibVerifierInputs > StdlibVerificationQueue
Definition chonk.hpp:123

bb::Chonk::hide_op_queue_content_in_tail
static void hide_op_queue_content_in_tail(ClientCircuit &circuit)
Adds three random non-ops to the tail kernel for zero-knowledge.
Definition chonk.cpp:508

bb::Chonk::prove
ChonkProof prove()
Construct Chonk proof, which, if verified, fully establishes the correctness of RCG.
Definition chonk.cpp:547

bb::Chonk::StdlibFF
RecursiveFlavor::FF StdlibFF
Definition chonk.hpp:59

bb::Chonk::recursive_verifier_native_accum
VerifierAccumulator recursive_verifier_native_accum
Definition chonk.hpp:140

bb::Chonk::hide_op_queue_accumulation_result
static void hide_op_queue_accumulation_result(ClientCircuit &circuit)
Add a hiding op with fully random Px, Py field elements to prevent information leakage in Translator ...
Definition chonk.cpp:496

bb::Chonk::RecursiveCommitment
RecursiveFlavor::Commitment RecursiveCommitment
Definition chonk.hpp:60

bb::Chonk::bn254_commitment_key
MegaFlavor::CommitmentKey bn254_commitment_key
Definition chonk.hpp:156

bb::Chonk::accumulate
void accumulate(ClientCircuit &circuit, const std::shared_ptr< MegaVerificationKey > &precomputed_vk) override
Perform prover work for accumulation (e.g. HN folding, merge proving)
Definition chonk.cpp:397

bb::Chonk::ClientCircuit
MegaCircuitBuilder ClientCircuit
Definition chonk.hpp:52

bb::Chonk::get_goblin
const Goblin & get_goblin() const override
Definition chonk.hpp:164

bb::Chonk::num_circuits
size_t num_circuits
Definition chonk.hpp:132

bb::Chonk::VerificationQueue
std::deque< VerifierInputs > VerificationQueue
Definition chonk.hpp:114

bb::Chonk::verification_queue
VerificationQueue verification_queue
Definition chonk.hpp:150

bb::Chonk::goblin
Goblin goblin
Definition chonk.hpp:158

bb::Chonk::prover_accumulation_transcript
std::shared_ptr< Transcript > prover_accumulation_transcript
Definition chonk.hpp:130

bb::Chonk::stdlib_verification_queue
StdlibVerificationQueue stdlib_verification_queue
Definition chonk.hpp:151

bb::CommitmentKey
CommitmentKey object over a pairing group 𝔾₁.
Definition commitment_key.hpp:43

bb::ECCVMFlavor::VerificationKey
The verification key is responsible for storing the commitments to the precomputed (non-witnessk) pol...
Definition eccvm_flavor.hpp:819

bb::Goblin
Definition goblin.hpp:22

bb::HypernovaDeciderProver
HyperNova decider prover. Produces final opening proof for the accumulated claim.
Definition hypernova_decider_prover.hpp:18

bb::HypernovaDeciderVerifier
HyperNova decider verifier (native + recursive). Verifies final opening proof.
Definition hypernova_decider_verifier.hpp:19

bb::HypernovaFoldingProver
HyperNova folding prover. Folds circuit instances into accumulators, deferring PCS verification.
Definition hypernova_prover.hpp:38

bb::HypernovaFoldingProver::Accumulator
MultilinearBatchingProverClaim Accumulator
Definition hypernova_prover.hpp:44

bb::HypernovaFoldingVerifier
HyperNova folding verifier (native + recursive). Verifies folding proofs and maintains accumulators.
Definition hypernova_verifier.hpp:25

bb::HypernovaFoldingVerifier::Accumulator
MultilinearBatchingVerifierClaim< Curve > Accumulator
Definition hypernova_verifier.hpp:33

bb::IVCBase
Base class interface for IVC schemes.
Definition chonk_base.hpp:21

bb::MegaCircuitBuilder_
Definition mega_circuit_builder.hpp:19

bb::MegaFlavor::ProverPolynomials_
A container for the prover polynomials handles.
Definition mega_flavor.hpp:375

bb::MegaFlavor::WitnessEntities_
Container for all witness polynomials used/constructed by the prover.
Definition mega_flavor.hpp:276

bb::MegaFlavor
Definition mega_flavor.hpp:33

bb::MegaFlavor::FF
Curve::ScalarField FF
Definition mega_flavor.hpp:37

bb::MegaFlavor::ProverPolynomials
ProverPolynomials_< HasZK > ProverPolynomials
Definition mega_flavor.hpp:443

bb::MegaFlavor::Commitment
Curve::AffineElement Commitment
Definition mega_flavor.hpp:39

bb::MegaFlavor::VerificationKey
NativeVerificationKey_< PrecomputedEntities< Commitment >, Codec, HashFunction, CommitmentKey > VerificationKey
The verification key is responsible for storing the commitments to the precomputed (non-witness) poly...
Definition mega_flavor.hpp:456

bb::MegaRecursiveFlavor_
The recursive counterpart to the "native" Mega flavor.
Definition mega_recursive_flavor.hpp:37

bb::MegaRecursiveFlavor_::Transcript
StdlibTranscript< CircuitBuilder > Transcript
Definition mega_recursive_flavor.hpp:47

bb::MegaRecursiveFlavor_::Commitment
typename Curve::Element Commitment
Definition mega_recursive_flavor.hpp:44

bb::MegaRecursiveFlavor_::VerificationKey
StdlibVerificationKey_< CircuitBuilder, NativeFlavor::PrecomputedEntities< Commitment >, NativeFlavor::VerificationKey > VerificationKey
Definition mega_recursive_flavor.hpp:104

bb::MegaRecursiveFlavor_::FF
typename Curve::ScalarField FF
Definition mega_recursive_flavor.hpp:43

bb::MegaRecursiveFlavor_::VKAndHash
VKAndHash_< FF, VerificationKey > VKAndHash
Definition mega_recursive_flavor.hpp:115

bb::MegaRecursiveFlavor_::WitnessCommitments
MegaFlavor::WitnessEntities< Commitment > WitnessCommitments
A container for the witness commitments.
Definition mega_recursive_flavor.hpp:109

bb::NativeVerificationKey_
Base Native verification key class.
Definition flavor.hpp:141

bb::ProverInstance_
A ProverInstance is normally constructed from a finalized circuit and it contains all the information...
Definition prover_instance.hpp:33

bb::StdlibVerificationKey_
Base Stdlib verification key class.
Definition flavor.hpp:353

bb::TranslatorFlavor::VerificationKey
The verification key is responsible for storing the commitments to the precomputed (non-witnessk) pol...
Definition translator_flavor.hpp:850

bb::UltraProver_
Definition ultra_prover.hpp:20

bb::VKAndHash_
Wrapper holding a verification key and its precomputed hash.
Definition flavor.hpp:521

bb::VerifierInstance_
The VerifierInstance encapsulates all the necessary information for a Honk Verifier to verify a proof...
Definition verifier_instance.hpp:20

bb::stdlib::DataBusDepot< ClientCircuit >

bb::stdlib::Proof< ClientCircuit >

bb::stdlib::recursion::honk::DefaultIO
Manages the data that is propagated on the public inputs of an application/function circuit.
Definition special_public_inputs.hpp:159

bb::stdlib::recursion::honk::HidingKernelIO
Manages the data that is propagated on the public inputs of a hiding kernel circuit.
Definition special_public_inputs.hpp:272

bb::stdlib::recursion::honk::KernelIO
Manages the data that is propagated on the public inputs of a kernel circuit.
Definition special_public_inputs.hpp:61

goblin.hpp

hypernova_decider_prover.hpp

hypernova_decider_verifier.hpp

hypernova_prover.hpp

hypernova_verifier.hpp

mega_zk_recursive_flavor.hpp

bb::stdlib::recursion::honk::AppIO
DefaultIO< MegaCircuitBuilder > AppIO
The data that is propagated on the public inputs of an application/function circuit.
Definition special_public_inputs.hpp:216

bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5

bb::HonkProof
std::vector< fr > HonkProof
Definition proof.hpp:15

bb::ChonkProof
ChonkProof_< false > ChonkProof
Definition chonk_proof.hpp:173

bb::NativeTranscript
BaseTranscript< FrCodec, bb::crypto::Poseidon2< bb::crypto::Poseidon2Bn254ScalarFieldParams > > NativeTranscript
Definition transcript.hpp:495

bb::MegaCircuitBuilder
MegaCircuitBuilder_< field< Bn254FrParams > > MegaCircuitBuilder
Definition circuit_builders_fwd.hpp:20

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

databus.hpp

proof.hpp

special_public_inputs.hpp

bb::Chonk::StdlibVerifierInputs
Definition chonk.hpp:117

bb::Chonk::StdlibVerifierInputs::honk_vk_and_hash
std::shared_ptr< RecursiveVKAndHash > honk_vk_and_hash
Definition chonk.hpp:119

bb::Chonk::StdlibVerifierInputs::is_kernel
bool is_kernel
Definition chonk.hpp:121

bb::Chonk::StdlibVerifierInputs::type
QUEUE_TYPE type
Definition chonk.hpp:120

bb::Chonk::StdlibVerifierInputs::proof
StdlibProof proof
Definition chonk.hpp:118

bb::Chonk::VerifierInputs
Definition chonk.hpp:108

bb::Chonk::VerifierInputs::type
QUEUE_TYPE type
Definition chonk.hpp:111

bb::Chonk::VerifierInputs::honk_vk
std::shared_ptr< MegaVerificationKey > honk_vk
Definition chonk.hpp:110

bb::Chonk::VerifierInputs::is_kernel
bool is_kernel
Definition chonk.hpp:112

bb::Chonk::VerifierInputs::proof
std::vector< FF > proof
Definition chonk.hpp:109

bb::MultilinearBatchingProverClaim
Definition multilinear_batching_claims.hpp:118

bb::MultilinearBatchingVerifierClaim
Definition multilinear_batching_claims.hpp:13

bb::field< Bn254FrParams >

bb::stdlib::recursion::PairingPoints
An object storing two EC points that represent the inputs to a pairing check.
Definition pairing_points.hpp:36

ultra_prover.hpp

ultra_verifier.hpp