Barretenberg: src/barretenberg/goblin/mock_circuits.hpp Source File

#pragma once


#include "barretenberg/commitment_schemes/commitment_key.hpp"

#include "barretenberg/common/bb_bench.hpp"

#include "barretenberg/crypto/ecdsa/ecdsa.hpp"

#include "barretenberg/crypto/merkle_tree/memory_store.hpp"

#include "barretenberg/crypto/merkle_tree/merkle_tree.hpp"

#include "barretenberg/flavor/mega_flavor.hpp"

#include "barretenberg/goblin/goblin.hpp"

#include "barretenberg/srs/global_crs.hpp"

#include "barretenberg/stdlib/encryption/ecdsa/ecdsa.hpp"

#include "barretenberg/stdlib/hash/keccak/keccak.hpp"

#include "barretenberg/stdlib/hash/sha256/sha256.hpp"

#include "barretenberg/stdlib/primitives/curves/secp256k1.hpp"

#include "barretenberg/stdlib/special_public_inputs/special_public_inputs.hpp"

#include "barretenberg/stdlib_circuit_builders/mock_circuits.hpp"

#include "barretenberg/ultra_honk/ultra_verifier.hpp"


namespace bb {


template <typename Builder> void generate_sha256_test_circuit(Builder& builder, size_t num_iterations)

{

    using field_ct = stdlib::field_t<Builder>;

    using witness_ct = stdlib::witness_t<Builder>;


    // SHA-256 initial hash values (FIPS 180-4 section 5.3.3)

    constexpr std::array<uint32_t, 8> H_INIT = { 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,

                                                 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 };


    // Initialize h_init as witnesses

    std::array<field_ct, 8> h_init;

    for (size_t i = 0; i < 8; i++) {

        h_init[i] = witness_ct(&builder, H_INIT[i]);

    }


    // Create a block of zeros as witnesses

    std::array<field_ct, 16> block;

    for (size_t i = 0; i < 16; i++) {

        block[i] = witness_ct(&builder, 0);

    }


    // Iterate: feed output of compression back as h_init for next round

    for (size_t i = 0; i < num_iterations; i++) {

        h_init = stdlib::SHA256<Builder>::sha256_block(h_init, block);

    }

}


class GoblinMockCircuits {

  public:

    using Curve = curve::BN254;

    using FF = Curve::ScalarField;

    using Fbase = Curve::BaseField;

    using Point = Curve::AffineElement;

    using CommitmentKey = bb::CommitmentKey<Curve>;

    using OpQueue = bb::ECCOpQueue;

    using MegaBuilder = bb::MegaCircuitBuilder;

    using Flavor = bb::MegaFlavor;

    using RecursiveFlavor = bb::MegaRecursiveFlavor_<MegaBuilder>;

    using RecursiveVerifier = bb::UltraVerifier_<RecursiveFlavor, bb::stdlib::recursion::honk::DefaultIO<MegaBuilder>>;

    using VerifierInstance = VerifierInstance_<Flavor>;

    using RecursiveVerifierInstance = VerifierInstance_<RecursiveFlavor>;

    using RecursiveVKAndHash = RecursiveVerifierInstance::VKAndHash;

    using RecursiveVerifierAccumulator = std::shared_ptr<RecursiveVerifierInstance>;

    using VerificationKey = Flavor::VerificationKey;


    static constexpr size_t NUM_WIRES = Flavor::NUM_WIRES;


    static void construct_mock_app_circuit(MegaBuilder& builder, bool large = false)

    {

        BB_BENCH();


        if (large) { // Results in circuit size 2^19

            generate_sha256_test_circuit<MegaBuilder>(builder, 9);

            stdlib::generate_ecdsa_verification_test_circuit(builder, 8);

        } else { // Results in circuit size 2^17

            generate_sha256_test_circuit<MegaBuilder>(builder, 8);

            stdlib::generate_ecdsa_verification_test_circuit(builder, 2);

        }


        // TODO(https://github.com/AztecProtocol/barretenberg/issues/911): We require goblin ops to be added to the

        // function circuit because we cannot support zero commtiments. While the builder handles this at

        // ProverInstance creation stage via the add_gates_to_ensure_all_polys_are_non_zero function for other

        // MegaHonk circuits (where we don't explicitly need to add goblin ops), in IVC merge proving happens prior to

        // folding where the absense of goblin ecc ops will result in zero commitments.

        MockCircuits::construct_goblin_ecc_op_circuit(builder);

    }


    static void add_some_ecc_op_gates(MegaBuilder& builder)

    {

        BB_BENCH();


        // Add some arbitrary ecc op gates

        for (size_t i = 0; i < 3; ++i) {

            auto point = Point::random_element(&engine);

            auto scalar = FF::random_element(&engine);

            builder.queue_ecc_add_accum(point);

            builder.queue_ecc_mul_accum(point, scalar);

        }

        // queues the result of the preceding ECC

        builder.queue_ecc_eq(); // should be eq and reset

    }


    static void randomise_op_queue(MegaBuilder& builder, size_t num_ops)

    {


        for (size_t i = 0; i < num_ops; ++i) {

            builder.queue_ecc_random_op();

        }

    }


    static void construct_simple_circuit(MegaBuilder& builder)

    {

        BB_BENCH();


        add_some_ecc_op_gates(builder);

        MockCircuits::construct_arithmetic_circuit(builder);

        bb::stdlib::recursion::honk::DefaultIO<MegaBuilder>::add_default(builder);

    }


    static void construct_and_merge_mock_circuits(Goblin& goblin, const size_t num_circuits = 3)

    {

        using Fq = curve::Grumpkin::ScalarField;

        for (size_t idx = 0; idx < num_circuits - 1; ++idx) {

            MegaCircuitBuilder builder{ goblin.op_queue };

            if (idx == num_circuits - 2) {

                // Last circuit appended needs to begin with a no-op for translator to be shiftable

                builder.queue_ecc_no_op();

                // Add random ops at START for Translator ZK (lands at beginning of op queue table)

                randomise_op_queue(builder, TranslatorCircuitBuilder::NUM_RANDOM_OPS_START);

                // Add hiding op for ECCVM ZK (prepended to ECCVM ops at row 1)

                builder.queue_ecc_hiding_op(Fq::random_element(), Fq::random_element());

            }

            construct_simple_circuit(builder);

            goblin.prove_merge();

            // Pop the merge proof from the queue, Goblin will be verified at the end

            goblin.merge_verification_queue.pop_front();

        }

        MegaCircuitBuilder builder{ goblin.op_queue };

        GoblinMockCircuits::construct_simple_circuit(builder);

        // Add random ops at END for Translator ZK

        randomise_op_queue(builder, TranslatorCircuitBuilder::NUM_RANDOM_OPS_END);

    }


    static void construct_mock_folding_kernel(MegaBuilder& builder)

    {

        BB_BENCH();


        // Add operations representing general kernel logic e.g. state updates. Note: these are structured to make

        // the kernel "full" within the dyadic size 2^17

        const size_t NUM_ECDSA_VERIFICATIONS = 2;

        const size_t NUM_SHA_HASHES = 10;

        stdlib::generate_ecdsa_verification_test_circuit(builder, NUM_ECDSA_VERIFICATIONS);

        generate_sha256_test_circuit<MegaBuilder>(builder, NUM_SHA_HASHES);

    }


};


} // namespace bb

bb_bench.hpp

BB_BENCH
#define BB_BENCH()
Definition bb_bench.hpp:223

bb::CommitmentKey
CommitmentKey object over a pairing group 𝔾₁.
Definition commitment_key.hpp:43

bb::ECCOpQueue
Manages ECC operations for the Goblin proving system.
Definition ecc_op_queue.hpp:38

bb::ECCVMCircuitBuilder
Definition eccvm_circuit_builder.hpp:24

bb::Goblin
Definition goblin.hpp:22

bb::Goblin::prove_merge
void prove_merge(const std::shared_ptr< Transcript > &transcript=std::make_shared< Transcript >(), const MergeSettings merge_settings=MergeSettings::PREPEND)
Construct a merge proof for the goblin ECC ops in the provided circuit; append the proof to the merge...
Definition goblin.cpp:29

bb::Goblin::op_queue
std::shared_ptr< OpQueue > op_queue
Definition goblin.hpp:48

bb::Goblin::merge_verification_queue
std::deque< MergeProof > merge_verification_queue
Definition goblin.hpp:57

bb::GoblinMockCircuits
Definition mock_circuits.hpp:55

bb::GoblinMockCircuits::Point
Curve::AffineElement Point
Definition mock_circuits.hpp:60

bb::GoblinMockCircuits::add_some_ecc_op_gates
static void add_some_ecc_op_gates(MegaBuilder &builder)
Generate a simple test circuit with some ECC op gates and conventional arithmetic gates.
Definition mock_circuits.hpp:109

bb::GoblinMockCircuits::construct_mock_app_circuit
static void construct_mock_app_circuit(MegaBuilder &builder, bool large=false)
Populate a builder with some arbitrary but nontrivial constraints.
Definition mock_circuits.hpp:84

bb::GoblinMockCircuits::construct_simple_circuit
static void construct_simple_circuit(MegaBuilder &builder)
Generate a simple test circuit with some ECC op gates and conventional arithmetic gates.
Definition mock_circuits.hpp:140

bb::GoblinMockCircuits::construct_mock_folding_kernel
static void construct_mock_folding_kernel(MegaBuilder &builder)
Construct a mock kernel circuit.
Definition mock_circuits.hpp:182

bb::GoblinMockCircuits::randomise_op_queue
static void randomise_op_queue(MegaBuilder &builder, size_t num_ops)
Add some randomness into the op queue.
Definition mock_circuits.hpp:127

bb::GoblinMockCircuits::RecursiveVKAndHash
RecursiveVerifierInstance::VKAndHash RecursiveVKAndHash
Definition mock_circuits.hpp:69

bb::GoblinMockCircuits::construct_and_merge_mock_circuits
static void construct_and_merge_mock_circuits(Goblin &goblin, const size_t num_circuits=3)
Definition mock_circuits.hpp:149

bb::GoblinMockCircuits::NUM_WIRES
static constexpr size_t NUM_WIRES
Definition mock_circuits.hpp:73

bb::GoblinMockCircuits::RecursiveVerifierAccumulator
std::shared_ptr< RecursiveVerifierInstance > RecursiveVerifierAccumulator
Definition mock_circuits.hpp:70

bb::MegaCircuitBuilder_
Definition mega_circuit_builder.hpp:19

bb::MegaFlavor
Definition mega_flavor.hpp:33

bb::MegaFlavor::NUM_WIRES
static constexpr size_t NUM_WIRES
Definition mega_flavor.hpp:59

bb::MegaFlavor::VerificationKey
NativeVerificationKey_< PrecomputedEntities< Commitment >, Codec, HashFunction, CommitmentKey > VerificationKey
The verification key is responsible for storing the commitments to the precomputed (non-witness) poly...
Definition mega_flavor.hpp:456

bb::MegaRecursiveFlavor_
The recursive counterpart to the "native" Mega flavor.
Definition mega_recursive_flavor.hpp:37

bb::MockCircuits::construct_arithmetic_circuit
static void construct_arithmetic_circuit(Builder &builder, const size_t target_log2_dyadic_size=4, bool include_public_inputs=true)
Populate a builder with a specified number of arithmetic gates; includes a PI.
Definition mock_circuits.hpp:133

bb::MockCircuits::construct_goblin_ecc_op_circuit
static void construct_goblin_ecc_op_circuit(MegaCircuitBuilder &builder)
Populate a builder with some arbitrary goblinized ECC ops, one of each type.
Definition mock_circuits.hpp:167

bb::NativeVerificationKey_
Base Native verification key class.
Definition flavor.hpp:141

bb::TranslatorCircuitBuilder::NUM_RANDOM_OPS_END
static constexpr size_t NUM_RANDOM_OPS_END
Definition translator_circuit_builder.hpp:244

bb::TranslatorCircuitBuilder::NUM_RANDOM_OPS_START
static constexpr size_t NUM_RANDOM_OPS_START
Definition translator_circuit_builder.hpp:240

bb::UltraVerifier_
Definition ultra_verifier.hpp:82

bb::VerifierInstance_
The VerifierInstance encapsulates all the necessary information for a Honk Verifier to verify a proof...
Definition verifier_instance.hpp:20

bb::VerifierInstance_::VKAndHash
typename Flavor::VKAndHash VKAndHash
Definition verifier_instance.hpp:30

bb::curve::BN254
Definition bn254.hpp:16

bb::curve::BN254::BaseField
bb::fq BaseField
Definition bn254.hpp:19

bb::curve::BN254::AffineElement
typename Group::affine_element AffineElement
Definition bn254.hpp:22

bb::curve::BN254::ScalarField
bb::fr ScalarField
Definition bn254.hpp:18

bb::curve::Grumpkin::ScalarField
bb::fq ScalarField
Definition grumpkin.hpp:59

bb::stdlib::SHA256::sha256_block
static std::array< field_ct, 8 > sha256_block(const std::array< field_ct, 8 > &h_init, const std::array< field_ct, 16 > &input)
Apply the SHA-256 compression function to a single 512-bit message block.
Definition sha256.cpp:379

bb::stdlib::field_t
Definition field.hpp:45

bb::stdlib::recursion::honk::DefaultIO::add_default
static void add_default(Builder &builder)
Add default public inputs when they are not present.
Definition special_public_inputs.hpp:206

bb::stdlib::witness_t
Definition witness.hpp:16

commitment_key.hpp

builder
AluTraceBuilder builder
Definition alu.test.cpp:124

ecdsa.hpp

engine
numeric::RNG & engine
Definition eccvm_transcript.test.cpp:286

global_crs.hpp

goblin.hpp

witness_ct
bn254::witness_ct witness_ct
Definition graph_description_bigfield.test.cpp:31

field_ct
stdlib::field_t< Builder > field_ct
Definition graph_description_blake2s.test.cpp:12

mega_flavor.hpp

memory_store.hpp

merkle_tree.hpp

bb::stdlib::generate_ecdsa_verification_test_circuit
void generate_ecdsa_verification_test_circuit(Builder &builder, size_t num_iterations)
Generate a simple ecdsa verification circuit for testing purposes.
Definition ecdsa_impl.hpp:172

bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5

bb::generate_sha256_test_circuit
void generate_sha256_test_circuit(Builder &builder, size_t num_iterations)
Generate a test circuit using SHA256 compression (sha256_block)
Definition mock_circuits.hpp:28

bb::MegaCircuitBuilder
MegaCircuitBuilder_< field< Bn254FrParams > > MegaCircuitBuilder
Definition circuit_builders_fwd.hpp:20

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

ecdsa.hpp

keccak.hpp

sha256.hpp

secp256k1.hpp

special_public_inputs.hpp

mock_circuits.hpp

bb::field< Bn254FrParams >

bb::field< Bn254FrParams >::random_element
static field random_element(numeric::RNG *engine=nullptr) noexcept
Definition field_impl.hpp:677

Fq
curve::BN254::BaseField Fq
Definition translator.fuzzer.hpp:21

ultra_verifier.hpp