Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
eccvm_recursive_verifier.test.cpp
Go to the documentation of this file.
1#include "barretenberg/circuit_checker/circuit_checker.hpp"
2#include "barretenberg/commitment_schemes/commitment_key.test.hpp"
3#include "barretenberg/commitment_schemes/ipa/ipa.hpp"
4#include "barretenberg/dsl/acir_format/gate_count_constants.hpp"
5#include "barretenberg/eccvm/eccvm_flavor.hpp"
6#include "barretenberg/eccvm/eccvm_prover.hpp"
7#include "barretenberg/eccvm/eccvm_verifier.hpp"
8#include "barretenberg/stdlib/honk_verifier/ultra_verification_keys_comparator.hpp"
9#include "barretenberg/stdlib/primitives/pairing_points.hpp"
10#include "barretenberg/stdlib/special_public_inputs/special_public_inputs.hpp"
11#include "barretenberg/stdlib/test_utils/tamper_proof.hpp"
12#include "barretenberg/ultra_honk/ultra_prover.hpp"
13#include "barretenberg/ultra_honk/ultra_verifier.hpp"
14
15#include <gtest/gtest.h>
16
17namespace {
18auto& engine = bb::numeric::get_debug_randomness();
19}
20namespace bb {
21class ECCVMRecursiveTests : public ::testing::Test {
22 public:
23 using RecursiveFlavor = ECCVMRecursiveFlavor;
24 using InnerFlavor = RecursiveFlavor::NativeFlavor;
25 using InnerBuilder = InnerFlavor::CircuitBuilder;
26 using InnerProver = ECCVMProver;
27 using InnerVerifier = ECCVMVerifier;
28 using InnerG1 = InnerFlavor::Commitment;
29 using InnerFF = InnerFlavor::FF;
30 using InnerBF = InnerFlavor::BF;
31 using InnerPK = InnerFlavor::ProvingKey;
32 using InnerVK = InnerFlavor::VerificationKey;
33
34 using Transcript = InnerFlavor::Transcript;
35 using StdlibTranscript = RecursiveFlavor::Transcript;
36
37 using RecursiveVerifier = ECCVMRecursiveVerifier;
38
39 using OuterBuilder = RecursiveFlavor::CircuitBuilder;
40 using OuterFlavor = std::conditional_t<IsMegaBuilder<OuterBuilder>, MegaFlavor, UltraFlavor>;
41 using OuterProver = UltraProver_<OuterFlavor>;
42 using OuterVerifier = UltraVerifier_<OuterFlavor, bb::DefaultIO>;
43 using OuterProverInstance = ProverInstance_<OuterFlavor>;
44
45 using PCS = IPA<ECCVMFlavor::Curve, CONST_ECCVM_LOG_N>;
46 static void SetUpTestSuite() { bb::srs::init_file_crs_factory(bb::srs::bb_crs_path()); }
47
54 static InnerBuilder generate_circuit(numeric::RNG* engine = nullptr, const size_t num_iterations = 1)
55 {
56 using Curve = curve::BN254;
57 using G1 = Curve::Element;
58 using Fr = Curve::ScalarField;
59 using Fq = curve::Grumpkin::ScalarField;
60
61 std::shared_ptr<ECCOpQueue> op_queue = std::make_shared<ECCOpQueue>();
62 G1 a = G1::random_element(engine);
63 G1 b = G1::random_element(engine);
64 G1 c = G1::random_element(engine);
65 Fr x = Fr::random_element(engine);
66 Fr y = Fr::random_element(engine);
67 for (size_t idx = 0; idx < num_iterations; idx++) {
68 op_queue->add_accumulate(a);
69 op_queue->mul_accumulate(a, x);
70 op_queue->mul_accumulate(b, x);
71 op_queue->mul_accumulate(b, y);
72 op_queue->add_accumulate(a);
73 op_queue->mul_accumulate(b, x);
74 op_queue->eq_and_reset();
75 op_queue->add_accumulate(c);
76 op_queue->mul_accumulate(a, x);
77 op_queue->mul_accumulate(b, x);
78 op_queue->eq_and_reset();
79 op_queue->mul_accumulate(a, x);
80 op_queue->mul_accumulate(b, x);
81 op_queue->mul_accumulate(c, x);
82 op_queue->merge();
83 }
84 // Set hiding op for ECCVM ZK (required before ECCVMCircuitBuilder construction)
85 op_queue->append_hiding_op(Fq::random_element(engine), Fq::random_element(engine));
86 InnerBuilder builder{ op_queue };
87 return builder;
88 }
89
90 static void test_recursive_verification()
91 {
92 InnerBuilder builder = generate_circuit(&engine);
93 std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();
94 InnerProver prover(builder, prover_transcript);
95 auto [proof, opening_claim] = prover.construct_proof();
96
97 // Compute IPA proof
98 auto ipa_transcript = std::make_shared<Transcript>();
99 PCS::compute_opening_proof(prover.key->commitment_key, opening_claim, ipa_transcript);
100 HonkProof ipa_proof = ipa_transcript->export_proof();
101
102 auto verification_key = std::make_shared<InnerFlavor::VerificationKey>(prover.key);
103
104 info("ECCVM Recursive Verifier");
105 OuterBuilder outer_circuit;
106 auto stdlib_proof = stdlib::Proof<OuterBuilder>(outer_circuit, proof);
107 std::shared_ptr<StdlibTranscript> stdlib_verifier_transcript = std::make_shared<StdlibTranscript>();
108 RecursiveVerifier verifier{ stdlib_verifier_transcript, stdlib_proof };
109 verifier.get_transcript()->enable_manifest();
110 [[maybe_unused]] auto recursive_result = verifier.reduce_to_ipa_opening();
111 stdlib::recursion::honk::DefaultIO<OuterBuilder>::add_default(outer_circuit);
112
113 info("Recursive Verifier: num gates = ", outer_circuit.get_num_finalized_gates_inefficient());
114
115 // Check for a failure flag in the recursive verifier circuit
116 EXPECT_EQ(outer_circuit.failed(), false) << outer_circuit.err();
117
118 bool result = CircuitChecker::check(outer_circuit);
119 EXPECT_TRUE(result);
120
121 std::shared_ptr<Transcript> verifier_transcript = std::make_shared<Transcript>();
122 InnerVerifier native_verifier(verifier_transcript, proof);
123 verifier_transcript->enable_manifest();
124 auto native_result = native_verifier.reduce_to_ipa_opening();
125
126 // Verify IPA
127 auto ipa_verify_transcript = std::make_shared<Transcript>();
128 ipa_verify_transcript->load_proof(ipa_proof);
129 auto ipa_vk = VerifierCommitmentKey<curve::Grumpkin>{ ECCVMFlavor::ECCVM_FIXED_SIZE };
130 bool ipa_verified = IPA<curve::Grumpkin>::reduce_verify(ipa_vk, native_result.ipa_claim, ipa_verify_transcript);
131 EXPECT_TRUE(ipa_verified && native_result.reduction_succeeded);
132 auto recursive_manifest = verifier.get_transcript()->get_manifest();
133 auto native_manifest = native_verifier.get_transcript()->get_manifest();
134
135 ASSERT_GT(recursive_manifest.size(), 0);
136 for (size_t i = 0; i < recursive_manifest.size(); ++i) {
137 EXPECT_EQ(recursive_manifest[i], native_manifest[i])
138 << "Recursive Verifier/Verifier manifest discrepency in round " << i;
139 }
140
141 // Ensure verification key is the same
142 EXPECT_EQ(static_cast<uint64_t>(verifier.get_verification_key()->log_circuit_size.get_value()),
143 verification_key->log_circuit_size);
144 EXPECT_EQ(static_cast<uint64_t>(verifier.get_verification_key()->num_public_inputs.get_value()),
145 verification_key->num_public_inputs);
146 for (auto [vk_poly, native_vk_poly] :
147 zip_view(verifier.get_verification_key()->get_all(), verification_key->get_all())) {
148 EXPECT_EQ(vk_poly.get_value(), native_vk_poly);
149 }
150
151 // Construct a full proof from the recursive verifier circuit
152 {
153 auto prover_instance = std::make_shared<OuterProverInstance>(outer_circuit);
154 auto verification_key = std::make_shared<OuterFlavor::VerificationKey>(prover_instance->get_precomputed());
155 auto vk_and_hash = std::make_shared<OuterFlavor::VKAndHash>(verification_key);
156 OuterProver prover(prover_instance, verification_key);
157 OuterVerifier verifier(vk_and_hash);
158 auto proof = prover.construct_proof();
159 bool verified = verifier.verify_proof(proof).result;
160
161 ASSERT_TRUE(verified);
162 }
163
164 // Check that the size of the recursive verifier is consistent with historical expectation
165 ASSERT_EQ(outer_circuit.get_num_finalized_gates(), acir_format::ECCVM_RECURSIVE_VERIFIER_GATE_COUNT)
166 << "Ultra-arithmetized ECCVM Recursive verifier gate count changed! Update this value if you are sure this "
167 "is expected.";
168 }
169
170 static void test_recursive_verification_failure()
171 {
172 InnerBuilder builder = generate_circuit(&engine);
173 builder.op_queue->add_erroneous_equality_op_for_testing();
174 builder.op_queue->merge();
175 std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();
176 InnerProver prover(builder, prover_transcript);
177 auto [proof, opening_claim] = prover.construct_proof();
178
179 // Compute IPA proof
180 auto ipa_transcript = std::make_shared<Transcript>();
181 PCS::compute_opening_proof(prover.key->commitment_key, opening_claim, ipa_transcript);
182 HonkProof ipa_proof = ipa_transcript->export_proof();
183
184 auto verification_key = std::make_shared<InnerFlavor::VerificationKey>(prover.key);
185
186 OuterBuilder outer_circuit;
187 auto stdlib_proof = stdlib::Proof<OuterBuilder>(outer_circuit, proof);
188
189 std::shared_ptr<StdlibTranscript> stdlib_verifier_transcript = std::make_shared<StdlibTranscript>();
190 RecursiveVerifier verifier{ stdlib_verifier_transcript, stdlib_proof };
191 [[maybe_unused]] auto output = verifier.reduce_to_ipa_opening();
192 stdlib::recursion::honk::DefaultIO<OuterBuilder>::add_default(outer_circuit);
193 info("Recursive Verifier: estimated num finalized gates = ",
194 outer_circuit.get_num_finalized_gates_inefficient());
195
196 // Check for a failure flag in the recursive verifier circuit
197 EXPECT_FALSE(CircuitChecker::check(outer_circuit));
198 }
199
200 static void test_recursive_verification_failure_tampered_proof()
201 {
202 for (size_t idx = 0; idx < 2; idx++) {
203 InnerBuilder builder = generate_circuit(&engine);
204 std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();
205 InnerProver prover(builder, prover_transcript);
206 auto [proof, opening_claim] = prover.construct_proof();
207
208 // Compute IPA proof
209 auto ipa_transcript_prover = std::make_shared<Transcript>();
210 PCS::compute_opening_proof(prover.key->commitment_key, opening_claim, ipa_transcript_prover);
211 HonkProof ipa_proof_native = ipa_transcript_prover->export_proof();
212
213 // Tamper with the proof to be verified
214 tamper_with_proof<InnerProver, InnerFlavor>(proof, static_cast<bool>(idx));
215
216 OuterBuilder outer_circuit;
217 auto stdlib_proof = stdlib::Proof<OuterBuilder>(outer_circuit, proof);
218 std::shared_ptr<StdlibTranscript> stdlib_verifier_transcript = std::make_shared<StdlibTranscript>();
219 RecursiveVerifier verifier{ stdlib_verifier_transcript, stdlib_proof };
220 auto recursive_result = verifier.reduce_to_ipa_opening();
221 stdlib::recursion::honk::DefaultIO<OuterBuilder>::add_default(outer_circuit);
222
223 if (idx == 0) {
224 // In this case, we changed the first non-zero value in the proof. It leads to a circuit check failure.
225 EXPECT_FALSE(CircuitChecker::check(outer_circuit));
226 } else {
227 // Changing the last commitment in the `proof_data` would not result in a circuit check failure at
228 // this stage.
229 EXPECT_TRUE(CircuitChecker::check(outer_circuit));
230
231 // However, IPA recursive verifier must fail, as one of the commitments is incorrect.
232 VerifierCommitmentKey<InnerFlavor::Curve> native_pcs_vk(1UL << CONST_ECCVM_LOG_N);
233 VerifierCommitmentKey<stdlib::grumpkin<OuterBuilder>> stdlib_pcs_vkey(
234 &outer_circuit, 1UL << CONST_ECCVM_LOG_N, native_pcs_vk);
235
236 // Construct ipa_transcript from proof
237 auto stdlib_ipa_proof = stdlib::Proof<OuterBuilder>(outer_circuit, ipa_proof_native);
238 std::shared_ptr<StdlibTranscript> ipa_transcript = std::make_shared<StdlibTranscript>(stdlib_ipa_proof);
239 EXPECT_FALSE(IPA<RecursiveFlavor::Curve>::full_verify_recursive(
240 stdlib_pcs_vkey, recursive_result.ipa_claim, ipa_transcript));
241 }
242 }
243 }
244
245 static void test_independent_vk_hash()
246 {
247
248 // Retrieves the trace blocks (each consisting of a specific gate) from the recursive verifier circuit
249 auto get_blocks = [](size_t inner_size)
250 -> std::tuple<OuterBuilder::ExecutionTrace, std::shared_ptr<OuterFlavor::VerificationKey>> {
251 auto inner_circuit = generate_circuit(&engine, inner_size);
252 std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();
253 InnerProver inner_prover(inner_circuit, prover_transcript);
254
255 auto [proof, opening_claim] = inner_prover.construct_proof();
256
257 // Compute IPA proof
258 auto ipa_transcript = std::make_shared<Transcript>();
259 PCS::compute_opening_proof(inner_prover.key->commitment_key, opening_claim, ipa_transcript);
260 HonkProof ipa_proof = ipa_transcript->export_proof();
261
262 // Create a recursive verification circuit for the proof of the inner circuit
263 OuterBuilder outer_circuit;
264 auto stdlib_proof = stdlib::Proof<OuterBuilder>(outer_circuit, proof);
265
266 std::shared_ptr<StdlibTranscript> stdlib_verifier_transcript = std::make_shared<StdlibTranscript>();
267 RecursiveVerifier verifier{ stdlib_verifier_transcript, stdlib_proof };
268
269 [[maybe_unused]] auto recursive_opening_claim = verifier.reduce_to_ipa_opening();
270 stdlib::recursion::honk::DefaultIO<OuterBuilder>::add_default(outer_circuit);
271
272 auto outer_proving_key = std::make_shared<OuterProverInstance>(outer_circuit);
273 auto outer_verification_key =
274 std::make_shared<OuterFlavor::VerificationKey>(outer_proving_key->get_precomputed());
275
276 return { outer_circuit.blocks, outer_verification_key };
277 };
278
279 auto [blocks_20, verification_key_20] = get_blocks(20);
280 auto [blocks_40, verification_key_40] = get_blocks(40);
281
282 compare_ultra_blocks_and_verification_keys<OuterFlavor>({ blocks_20, blocks_40 },
283 { verification_key_20, verification_key_40 });
284 };
285};
286
291
292TEST_F(ECCVMRecursiveTests, SingleRecursiveVerificationFailure)
293{
294 ECCVMRecursiveTests::test_recursive_verification_failure();
295};
296
297TEST_F(ECCVMRecursiveTests, SingleRecursiveVerificationFailureTamperedProof)
298{
299 BB_DISABLE_ASSERTS(); // Avoid on_curve assertion failure in cycle_group constructor
300 ECCVMRecursiveTests::test_recursive_verification_failure_tampered_proof();
301};
302
307} // namespace bb
BB_DISABLE_ASSERTS
#define BB_DISABLE_ASSERTS()
Definition assert.hpp:33
circuit_checker.hpp
bb::BaseTranscript
Common transcript class for both parties. Stores the data for the current round, as well as the manif...
Definition transcript.hpp:41
bb::CircuitBuilderBase::err
const std::string & err() const
Definition circuit_builder_base_impl.hpp:167
bb::ECCVMFlavor::ProvingKey
The proving key is responsible for storing the polynomials used by the prover.
Definition eccvm_flavor.hpp:793
bb::ECCVMFlavor::VerificationKey
The verification key is responsible for storing the commitments to the precomputed (non-witnessk) pol...
Definition eccvm_flavor.hpp:819
bb::ECCVMFlavor::ECCVM_FIXED_SIZE
static constexpr size_t ECCVM_FIXED_SIZE
Definition eccvm_flavor.hpp:64
bb::ECCVMFlavor::FF
typename Curve::ScalarField FF
Definition eccvm_flavor.hpp:41
bb::ECCVMFlavor::CircuitBuilder
ECCVMCircuitBuilder CircuitBuilder
Definition eccvm_flavor.hpp:37
bb::ECCVMFlavor::Commitment
typename G1::affine_element Commitment
Definition eccvm_flavor.hpp:45
bb::ECCVMFlavor::BF
typename Curve::BaseField BF
Definition eccvm_flavor.hpp:42
bb::ECCVMFlavor::Transcript
BaseTranscript< Codec, HashFunction > Transcript
Definition eccvm_flavor.hpp:51
bb::ECCVMProver::construct_proof
std::pair< Proof, OpeningClaim > construct_proof()
Definition eccvm_prover.cpp:202
bb::ECCVMProver::key
std::shared_ptr< ProvingKey > key
Definition eccvm_prover.hpp:73
bb::ECCVMRecursiveFlavor::Transcript
StdlibTranscript< CircuitBuilder > Transcript
Definition eccvm_recursive_flavor.hpp:142
bb::ECCVMRecursiveTests::generate_circuit
static InnerBuilder generate_circuit(numeric::RNG *engine=nullptr, const size_t num_iterations=1)
Adds operations in BN254 to the op_queue and then constructs and ECCVM circuit from the op_queue.
Definition eccvm_recursive_verifier.test.cpp:54
bb::ECCVMRecursiveTests::test_recursive_verification_failure_tampered_proof
static void test_recursive_verification_failure_tampered_proof()
Definition eccvm_recursive_verifier.test.cpp:200
bb::ECCVMRecursiveTests::OuterFlavor
std::conditional_t< IsMegaBuilder< OuterBuilder >, MegaFlavor, UltraFlavor > OuterFlavor
Definition eccvm_recursive_verifier.test.cpp:40
bb::ECCVMVerifier_
Unified ECCVM verifier class for both native and recursive verification.
Definition eccvm_verifier.hpp:19
bb::ECCVMVerifier_::get_transcript
std::shared_ptr< Transcript > get_transcript() const
Definition eccvm_verifier.hpp:91
bb::ECCVMVerifier_::reduce_to_ipa_opening
ReductionResult reduce_to_ipa_opening()
Reduce the ECCVM proof to an IPA opening claim.
Definition eccvm_verifier.cpp:20
bb::IPA
IPA (inner product argument) commitment scheme class.
Definition ipa.hpp:93
bb::ProverInstance_
A ProverInstance is normally constructed from a finalized circuit and it contains all the information...
Definition prover_instance.hpp:33
bb::TranslatorCircuitChecker::check
static bool check(const Builder &circuit)
Check the witness satisifies the circuit.
Definition translator_circuit_checker.cpp:20
bb::UltraCircuitBuilder_
Definition ultra_circuit_builder.hpp:41
bb::UltraCircuitBuilder_::get_num_finalized_gates
size_t get_num_finalized_gates() const override
Get the number of gates in a finalized circuit.
Definition ultra_circuit_builder.hpp:366
bb::UltraCircuitBuilder_::blocks
ExecutionTrace blocks
Definition ultra_circuit_builder.hpp:199
bb::UltraCircuitBuilder_::ExecutionTrace
ExecutionTrace_ ExecutionTrace
Definition ultra_circuit_builder.hpp:43
bb::UltraCircuitBuilder_::get_num_finalized_gates_inefficient
size_t get_num_finalized_gates_inefficient(bool ensure_nonzero=true) const
Get the number of gates in the finalized version of the circuit.
Definition ultra_circuit_builder.hpp:380
bb::UltraProver_
Definition ultra_prover.hpp:20
bb::UltraProver_::construct_proof
Proof construct_proof()
Definition ultra_prover.cpp:91
bb::UltraVerifier_
Definition ultra_verifier.hpp:82
bb::UltraVerifier_::verify_proof
Output verify_proof(const Proof &proof)
Perform ultra verification.
Definition ultra_verifier.cpp:214
bb::VerifierCommitmentKey
Representation of the Grumpkin Verifier Commitment Key inside a bn254 circuit.
Definition verifier_commitment_key.hpp:16
bb::curve::Grumpkin::Element
typename Group::element Element
Definition grumpkin.hpp:62
bb::stdlib::Proof
A simple wrapper around a vector of stdlib field elements representing a proof.
Definition proof.hpp:19
bb::stdlib::recursion::honk::DefaultIO::add_default
static void add_default(Builder &builder)
Add default public inputs when they are not present.
Definition special_public_inputs.hpp:206
zip_view
Definition zip_view.hpp:166
commitment_key.test.hpp
info
void info(Args... args)
Definition log.hpp:89
builder
AluTraceBuilder builder
Definition alu.test.cpp:124
a
FF a
Definition field_gt.test.cpp:52
b
FF b
Definition field_gt.test.cpp:53
eccvm_flavor.hpp
eccvm_prover.hpp
engine
numeric::RNG & engine
Definition eccvm_transcript.test.cpp:286
eccvm_verifier.hpp
gate_count_constants.hpp
acir_format::ECCVM_RECURSIVE_VERIFIER_GATE_COUNT
constexpr size_t ECCVM_RECURSIVE_VERIFIER_GATE_COUNT
Definition gate_count_constants.hpp:156
bb::numeric::get_debug_randomness
RNG & get_debug_randomness(bool reset, std::uint_fast64_t seed)
Definition engine.cpp:190
bb::srs::bb_crs_path
std::filesystem::path bb_crs_path()
Definition global_crs.cpp:14
bb::srs::init_file_crs_factory
void init_file_crs_factory(const std::filesystem::path &path)
Definition global_crs.hpp:14
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
bb::HonkProof
std::vector< fr > HonkProof
Definition proof.hpp:15
bb::ECCVMRecursiveVerifier
ECCVMVerifier_< ECCVMRecursiveFlavor > ECCVMRecursiveVerifier
Definition eccvm_verifier.hpp:124
bb::TEST_F
TEST_F(IPATest, ChallengesAreZero)
Definition ipa.test.cpp:185
bb::ECCVMVerifier
ECCVMVerifier_< ECCVMFlavor > ECCVMVerifier
Definition eccvm_verifier.hpp:123
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
G1
Curve::AffineElement G1
Definition pippenger.bench.cpp:29
pairing_points.hpp
special_public_inputs.hpp
bb::field< Bn254FrParams >::random_element
static field random_element(numeric::RNG *engine=nullptr) noexcept
Definition field_impl.hpp:677
tamper_proof.hpp
ultra_prover.hpp
ultra_verification_keys_comparator.hpp
ultra_verifier.hpp