The IVC scheme used by the aztec client for private function execution. More...
#include <chonk.hpp>
Classes | |
| struct | StdlibVerifierInputs |
| struct | VerifierInputs |
Public Member Functions | |
| size_t | get_num_circuits () const |
| Goblin & | get_goblin () override |
| const Goblin & | get_goblin () const override |
| Chonk (size_t num_circuits) | |
| void | instantiate_stdlib_verification_queue (ClientCircuit &circuit, const std::vector< std::shared_ptr< RecursiveVKAndHash > > &input_keys={}) |
| Instantiate a stdlib verification queue for use in the kernel completion logic. | |
| std::tuple< std::optional< RecursiveVerifierAccumulator >, std::vector< PairingPoints >, TableCommitments > | perform_recursive_verification_and_databus_consistency_checks (ClientCircuit &circuit, const StdlibVerifierInputs &verifier_inputs, const std::optional< RecursiveVerifierAccumulator > &input_verifier_accumulator, const TableCommitments &T_prev_commitments, const std::shared_ptr< RecursiveTranscript > &accumulation_recursive_transcript) |
| Populate the provided circuit with constraints for (1) recursive verification of the provided accumulation proof and (2) the associated databus commitment consistency checks. | |
| void | complete_kernel_circuit_logic (ClientCircuit &circuit) |
| Append logic to complete a kernel circuit. | |
| void | accumulate (ClientCircuit &circuit, const std::shared_ptr< MegaVerificationKey > &precomputed_vk) override |
| Perform prover work for accumulation (e.g. HN folding, merge proving) | |
| ChonkProof | prove () |
| Construct Chonk proof, which, if verified, fully establishes the correctness of RCG. | |
| std::shared_ptr< MegaZKFlavor::VKAndHash > | get_hiding_kernel_vk_and_hash () const |
| Get the hiding kernel verification key and hash for Chonk verification. | |
 Public Member Functions inherited from bb::IVCBase | |
| virtual | ~IVCBase ()=default |
Static Public Member Functions | |
| static void | hide_op_queue_accumulation_result (ClientCircuit &circuit) |
| Add a hiding op with fully random Px, Py field elements to prevent information leakage in Translator proof. | |
| static void | hide_op_queue_content_in_tail (ClientCircuit &circuit) |
| Adds three random non-ops to the tail kernel for zero-knowledge. | |
| static void | hide_op_queue_content_in_hiding (ClientCircuit &circuit) |
| Adds two random non-ops to the hiding kernel for zero-knowledge. | |
Private Member Functions | |
| void | update_native_verifier_accumulator (const VerifierInputs &queue_entry, const std::shared_ptr< Transcript > &verifier_transcript) |
| Update native verifier accumulator. Useful for debugging. | |
| void | debug_incoming_circuit (ClientCircuit &circuit, const std::shared_ptr< ProverInstance > &prover_instance, const std::shared_ptr< MegaVerificationKey > &precomputed_vk) |
| HonkProof | construct_honk_proof_for_hiding_kernel (ClientCircuit &circuit, const std::shared_ptr< MegaVerificationKey > &verification_key) |
| Construct a zero-knowledge proof for the Hiding kernel, which recursively verifies the last folding, merge and decider proof. | |
| QUEUE_TYPE | get_queue_type () const |
| Get queue type for the proof of a circuit about to be accumulated based on num circuits accumulated so far. | |
Private Attributes | |
| std::shared_ptr< Transcript > | transcript = std::make_shared<Transcript>() |
| std::shared_ptr< Transcript > | prover_accumulation_transcript = std::make_shared<Transcript>() |
| size_t | num_circuits |
Additional Inherited Members | |
| Protected Member Functions inherited from bb::IVCBase | |
| IVCBase ()=default | |
Detailed Description
The IVC scheme used by the aztec client for private function execution.
Combines HyperNova with Goblin to accumulate one circuit at a time with efficient EC group operations. It is assumed that the circuits being accumulated correspond alternatingly to an app and a kernel, as is the case in Aztec. Two recursive folding verifiers are appended to each kernel (except the first one) to verify the folding of a previous kernel and an app/function circuit. Due to this structure it is enforced that the total number of circuits being accumulated is even.
Member Typedef Documentation
◆ AppIO
◆ ClientCircuit
◆ Commitment
◆ DataBusDepot
◆ DeciderProver
◆ DeciderZKProvingKey
◆ ECCVMVerificationKey
◆ FF
| using bb::Chonk::FF = Flavor::FF |
◆ Flavor
| using bb::Chonk::Flavor = MegaFlavor |
◆ FoldingProver
◆ FoldingVerifier
◆ HidingKernelIO
◆ KernelIO
◆ MegaProver
| using bb::Chonk::MegaProver = UltraProver_<Flavor> |
◆ MegaVerificationKey
◆ MegaZKVerificationKey
◆ PairingPoints
◆ Point
| using bb::Chonk::Point = Flavor::Curve::AffineElement |
◆ ProverAccumulator
◆ ProverInstance
◆ ProverPolynomials
◆ RecursiveCommitment
◆ RecursiveDeciderVerifier
◆ RecursiveFlavor
◆ RecursiveFoldingVerifier
◆ RecursiveTranscript
◆ RecursiveVerificationKey
◆ RecursiveVerifierAccumulator
◆ RecursiveVerifierInstance
◆ RecursiveVKAndHash
◆ StdlibFF
◆ StdlibProof
◆ StdlibVerificationQueue
| using bb::Chonk::StdlibVerificationQueue = std::deque<StdlibVerifierInputs> |
◆ TableCommitments
| using bb::Chonk::TableCommitments = std::array<RecursiveFlavor::Commitment, ClientCircuit::NUM_WIRES> |
◆ Transcript
◆ TranslatorVerificationKey
◆ VerificationQueue
| using bb::Chonk::VerificationQueue = std::deque<VerifierInputs> |
◆ VerifierAccumulator
◆ VerifierInstance
◆ WitnessCommitments
Member Enumeration Documentation
◆ QUEUE_TYPE
|
strong |
Proof type determining recursive verification logic in kernel circuits.
This enum has dual semantics depending on context:
PROVER PERSPECTIVE (in accumulate): Type assigned to the circuit being accumulated. State machine transitions based on num_circuits_accumulated:
- OINK: First app (circuit 0) - no prior accumulator, just Oink verification
- HN: Apps 1..n-3, inner kernels, and reset kernels - full HyperNova folding verification
- HN_TAIL: Circuit n-3 (last kernel before tail) - adds ZK masking at op queue start
- HN_FINAL: Circuit n-2 (tail kernel) - final folding + decider verification
- MEGA: Circuit n-1 (hiding kernel) - MegaZK proof, no folding
VERIFIER PERSPECTIVE (in complete_kernel_circuit_logic): Type of the proof being verified.
- If verifying OINK proof → this kernel is the init kernel (circuit 1)
- If verifying HN proof → this kernel is an inner/reset kernel
- If verifying HN_TAIL proof → this kernel IS the tail kernel (circuit n-2)
- If verifying HN_FINAL proof → this kernel IS the hiding kernel (circuit n-1)
See get_queue_type() for assignment logic and README.md::circuit-structure for overview.
| Enumerator | |
|---|---|
| OINK | |
| HN | |
| HN_TAIL | |
| HN_FINAL | |
| MEGA | |
Constructor & Destructor Documentation
◆ Chonk()
Member Function Documentation
◆ accumulate()
|
overridevirtual |
Perform prover work for accumulation (e.g. HN folding, merge proving)
Execute prover work for accumulation.
- Parameters
-
circuit The incoming statement precomputed_vk The verification key of the incoming statement OR a mocked key whose metadata needs to be set using the proving key produced from circuitin order to pass some assertions in the Oink prover.mock_vk A boolean to say whether the precomputed vk should have its metadata set.
Creates proofs that will later be recursively verified in kernel circuits.
Prover actions per QUEUE_TYPE (see chonk.hpp for verifier perspective):
- OINK: instance_to_accumulator (first app, circuit 0)
- HN: fold (circuits 1..n-4: apps, inner kernels, reset kernels)
- HN_TAIL: fold (circuit n-3)
- HN_FINAL: fold + decider (tail kernel, circuit n-2)
- MEGA: MegaZK proof (hiding kernel, circuit n-1)
- Parameters
-
circuit The circuit to accumulate precomputed_vk Precomputed verification key for the circuit
Implements bb::IVCBase.
◆ complete_kernel_circuit_logic()
| void bb::Chonk::complete_kernel_circuit_logic | ( | ClientCircuit & | circuit | ) |
Append logic to complete a kernel circuit.
This is the verifier counterpart to prover's accumulate(). While accumulate() creates proofs for each circuit, this method adds recursive verification constraints to kernel circuits.
The method performs the following steps:
- SETUP: Initialize transcript, determine kernel type, add ZK masking for tail kernel
- VERIFICATION LOOP: Process each entry in stdlib_verification_queue (folding + merge + databus)
- OUTPUT: Set public inputs (KernelIO or HidingKernelIO) for propagation to next kernel
- Parameters
-
circuit The kernel circuit to append verification logic to
◆ construct_honk_proof_for_hiding_kernel()
|
private |
◆ debug_incoming_circuit()
|
private |
◆ get_goblin() [1/2]
|
inlineoverridevirtual |
Implements bb::IVCBase.
◆ get_goblin() [2/2]
|
inlineoverridevirtual |
Implements bb::IVCBase.
◆ get_hiding_kernel_vk_and_hash()
| std::shared_ptr< MegaZKFlavor::VKAndHash > bb::Chonk::get_hiding_kernel_vk_and_hash | ( | ) | const |
◆ get_num_circuits()
◆ get_queue_type()
|
private |
◆ hide_op_queue_accumulation_result()
|
static |
Add a hiding op with fully random Px, Py field elements to prevent information leakage in Translator proof.
The Translator circuit builder evaluates a batched polynomial (representing the four op queue polynomials in UltraOp format) at a random challenge x. This evaluation result (called accumulated_result in translator) is included in the translator proof and verified against the equivalent computation performed by ECCVM (in verify_translation, establishing equivalence between ECCVM and UltraOp format).
◆ hide_op_queue_content_in_hiding()
|
static |
Adds two random non-ops to the hiding kernel for zero-knowledge.
See MERGE_PROTOCOL.md (ZK Considerations) for detailed analysis.
◆ hide_op_queue_content_in_tail()
|
static |
Adds three random non-ops to the tail kernel for zero-knowledge.
See MERGE_PROTOCOL.md (ZK Considerations) for detailed analysis.
◆ instantiate_stdlib_verification_queue()
| void bb::Chonk::instantiate_stdlib_verification_queue | ( | ClientCircuit & | circuit, |
| const std::vector< std::shared_ptr< RecursiveVKAndHash > > & | input_keys = {} |
||
| ) |
Instantiate a stdlib verification queue for use in the kernel completion logic.
Construct a stdlib proof/verification_key for each entry in the native verification queue. By default, both are constructed from their counterpart in the native queue. Alternatively, Stdlib verification keys can be provided directly as input to this method. (The later option is used, for example, when constructing recursive verifiers based on the verification key witnesses from an acir recursion constraint. This option is not provided for proofs since valid proof witnesses are in general not known at the time of acir constraint generation).
- Parameters
-
circuit
◆ perform_recursive_verification_and_databus_consistency_checks()
| std::tuple< std::optional< Chonk::RecursiveVerifierAccumulator >, std::vector< Chonk::PairingPoints >, Chonk::TableCommitments > bb::Chonk::perform_recursive_verification_and_databus_consistency_checks | ( | ClientCircuit & | circuit, |
| const StdlibVerifierInputs & | verifier_inputs, | ||
| const std::optional< RecursiveVerifierAccumulator > & | input_verifier_accumulator, | ||
| const TableCommitments & | T_prev_commitments, | ||
| const std::shared_ptr< RecursiveTranscript > & | accumulation_recursive_transcript | ||
| ) |
Populate the provided circuit with constraints for (1) recursive verification of the provided accumulation proof and (2) the associated databus commitment consistency checks.
The recursive verifier will be either Oink or Hypernova depending on the specified proof type. In either case, the verifier accumulator is updated in place via the verification algorithm. Databus commitment consistency checks are performed on the witness commitments and public inputs extracted from the proof by the verifier. Merge verification is performed with commitments to the subtable t_j extracted from the HN verifier. The computed commitment T is propagated to the next step of recursive verification.
- Parameters
-
circuit verifier_inputs {proof, vkey, type (Oink/HN)} A set of inputs for recursive verification merge_commitments Container for the commitments for the Merge recursive verification to be performed accumulation_recursive_transcript Transcript shared across recursive verification of the folding of K_{i-1} (kernel), A_{i,1} (app), .., A_{i, n} (app)
- Returns
- Triple of output verifier accumulator, PairingPoints for final verification and commitments to the merged tables as read from the proof by the Merge verifier
◆ prove()
| ChonkProof bb::Chonk::prove | ( | ) |
◆ update_native_verifier_accumulator()
|
private |
Member Data Documentation
◆ bn254_commitment_key
| MegaFlavor::CommitmentKey bb::Chonk::bn254_commitment_key |
◆ bus_depot
| DataBusDepot bb::Chonk::bus_depot |
◆ decider_proof
◆ goblin
◆ native_verifier_accum
| VerifierAccumulator bb::Chonk::native_verifier_accum |
◆ native_verifier_accum_hash
◆ num_circuits
◆ num_circuits_accumulated
◆ prover_accumulation_transcript
|
private |
◆ prover_accumulator
| ProverAccumulator bb::Chonk::prover_accumulator |
◆ recursive_verifier_native_accum
| VerifierAccumulator bb::Chonk::recursive_verifier_native_accum |
◆ stdlib_verification_queue
| StdlibVerificationQueue bb::Chonk::stdlib_verification_queue |
◆ transcript
|
private |
◆ verification_queue
| VerificationQueue bb::Chonk::verification_queue |
The documentation for this class was generated from the following files:
