Barretenberg: src/barretenberg/dsl/acir_format/recursion_constraint_output.cpp Source File

// === AUDIT STATUS ===

// internal:    { status: Planned, auditors: [], commit: }

// external_1:  { status: not started, auditors: [], commit: }

// external_2:  { status: not started, auditors: [], commit: }

// =====================


#include "barretenberg/dsl/acir_format/recursion_constraint_output.hpp"


namespace acir_format {


template <typename Builder>


void HonkRecursionConstraintsOutput<Builder>::update(const HonkRecursionConstraintOutput<Builder>& other,

                                                     bool update_ipa_data)

{

    // Update points accumulator

    if (this->points_accumulator.has_data) {

        this->points_accumulator.aggregate(other.points_accumulator);

    } else {

        this->points_accumulator = other.points_accumulator;

    }


    if (update_ipa_data) {

        // Update ipa proofs and claims

        this->nested_ipa_proofs.push_back(other.ipa_proof);

        this->nested_ipa_claims.push_back(other.ipa_claim);

    }

}


template <typename Builder>


void HonkRecursionConstraintsOutput<Builder>::update(const HonkRecursionConstraintsOutput<Builder>& other,

                                                     bool update_ipa_data)

{

    // Update points accumulator

    if (this->points_accumulator.has_data) {

        this->points_accumulator.aggregate(other.points_accumulator);

    } else {

        this->points_accumulator = other.points_accumulator;

    }


    if (update_ipa_data) {

        // Update ipa proofs and claims (if other has no proofs/claims, we are not appending anything)

        this->nested_ipa_proofs.insert(

            this->nested_ipa_proofs.end(), other.nested_ipa_proofs.begin(), other.nested_ipa_proofs.end());

        this->nested_ipa_claims.insert(

            this->nested_ipa_claims.end(), other.nested_ipa_claims.begin(), other.nested_ipa_claims.end());

    }

}


template <>

std::pair<OpeningClaim<stdlib::grumpkin<UltraCircuitBuilder>>, HonkProof> HonkRecursionConstraintsOutput<


    UltraCircuitBuilder>::perform_IPA_accumulation(UltraCircuitBuilder& builder) const

{

    BB_ASSERT_EQ(

        nested_ipa_claims.size(), nested_ipa_proofs.size(), "Mismatched number of nested IPA claims and proofs.");


    OpeningClaim<stdlib::grumpkin<UltraCircuitBuilder>> final_ipa_claim;

    HonkProof final_ipa_proof;


    if (nested_ipa_claims.size() == 2) {

        // If we have two claims, accumulate.

        CommitmentKey<curve::Grumpkin> commitment_key(1 << CONST_ECCVM_LOG_N);

        using StdlibTranscript = UltraStdlibTranscript;


        auto ipa_transcript_1 = std::make_shared<StdlibTranscript>(nested_ipa_proofs[0]);

        auto ipa_transcript_2 = std::make_shared<StdlibTranscript>(nested_ipa_proofs[1]);

        auto [ipa_claim, ipa_proof] = IPA<stdlib::grumpkin<UltraCircuitBuilder>>::accumulate(

            commitment_key, ipa_transcript_1, nested_ipa_claims[0], ipa_transcript_2, nested_ipa_claims[1]);


        final_ipa_claim = ipa_claim;

        final_ipa_proof = ipa_proof;

    } else if (nested_ipa_claims.size() == 1) {

        // If we have one claim, just forward it along.

        final_ipa_claim = nested_ipa_claims[0];

        // This conversion looks suspicious but there's no need to make this an output of the circuit since

        // its a proof that will be checked anyway.

        final_ipa_proof = nested_ipa_proofs[0].get_value();

    } else if (nested_ipa_claims.empty()) {

        // If we don't have any claims, we may need to inject a fake one if we're proving with

        // UltraRollupHonk, indicated by the manual setting of the honk_recursion metadata to 2.

        info("Proving with UltraRollupHonk but no IPA claims exist.");

        auto [stdlib_opening_claim, ipa_proof] =

            IPA<stdlib::grumpkin<UltraCircuitBuilder>>::create_random_valid_ipa_claim_and_proof(builder);


        final_ipa_claim = stdlib_opening_claim;

        final_ipa_proof = ipa_proof;

    } else {

        // We don't support and shouldn't expect to support circuits with 3+ IPA recursive verifiers.

        throw_or_abort("Too many nested IPA claims to accumulate");

    }


    BB_ASSERT_EQ(final_ipa_proof.size(), IPA_PROOF_LENGTH);


    // Return the IPA claim and proof

    return { final_ipa_claim, final_ipa_proof };

}


template <>


void HonkRecursionConstraintsOutput<UltraCircuitBuilder>::perform_full_IPA_verification(

    UltraCircuitBuilder& builder) const

{

    using StdlibTranscript = UltraStdlibTranscript;


    BB_ASSERT_EQ(

        nested_ipa_claims.size(), nested_ipa_proofs.size(), "Mismatched number of nested IPA claims and proofs.");

    BB_ASSERT_EQ(nested_ipa_claims.size(), 2U, "Root rollup must have two nested IPA claims.");


    auto [ipa_claim, ipa_proof] = perform_IPA_accumulation(builder);


    // IPA verification

    VerifierCommitmentKey<stdlib::grumpkin<UltraCircuitBuilder>> verifier_commitment_key(

        &builder, 1 << CONST_ECCVM_LOG_N, VerifierCommitmentKey<curve::Grumpkin>(1 << CONST_ECCVM_LOG_N));


    auto accumulated_ipa_transcript =

        std::make_shared<StdlibTranscript>(stdlib::Proof<UltraCircuitBuilder>(builder, ipa_proof));

    IPA<stdlib::grumpkin<UltraCircuitBuilder>>::full_verify_recursive(

        verifier_commitment_key, ipa_claim, accumulated_ipa_transcript);

}


template <>


void HonkRecursionConstraintsOutput<UltraCircuitBuilder>::finalize(UltraCircuitBuilder& builder,

                                                                   [[maybe_unused]] bool is_hn_recursion_constraints,

                                                                   [[maybe_unused]] bool has_ipa_claim)

{

    if (has_ipa_claim) {

        using IO = stdlib::recursion::honk::RollupIO;


        // We have multiple IPA claims, we need to accumulate them

        auto [ipa_claim, ipa_proof] = perform_IPA_accumulation(builder);


        // Set proof

        builder.ipa_proof = ipa_proof;


        // Propagate pairing points and ipa claim

        IO inputs;

        inputs.pairing_inputs =

            points_accumulator.has_data

                ? points_accumulator

                : stdlib::recursion::PairingPoints<stdlib::bn254<UltraCircuitBuilder>>::construct_default();

        inputs.ipa_claim = ipa_claim;

        inputs.set_public();

    } else {

        using IO = stdlib::recursion::honk::DefaultIO<UltraCircuitBuilder>;


        if (is_root_rollup) {

            // The root rollup performs full IPA verification

            perform_full_IPA_verification(builder);

        } else {

            // We shouldn't accidentally have IPA proofs.

            BB_ASSERT_EQ(nested_ipa_proofs.size(), static_cast<size_t>(0), "IPA proofs present when not expected.");

        }


        // Propagate public inputs

        if (points_accumulator.has_data) {

            IO inputs;

            inputs.pairing_inputs = points_accumulator;

            inputs.set_public();

        } else {

            IO::add_default(builder);

        }

    }

}


template <>


void HonkRecursionConstraintsOutput<MegaCircuitBuilder>::finalize(MegaCircuitBuilder& builder,

                                                                  [[maybe_unused]] bool is_hn_recursion_constraints,

                                                                  [[maybe_unused]] bool has_ipa_claim)

{

    using IO = stdlib::recursion::honk::AppIO;


    BB_ASSERT_EQ(

        nested_ipa_claims.size(), static_cast<size_t>(0), "IPA claims present when not expected in MegaBuilder.");


    // If the recursion constraints from HN, the public inputs have already been set. Otherwise, we need to propagate

    // the pairing points

    if (!is_hn_recursion_constraints) {

        if (points_accumulator.has_data) {

            IO inputs;

            inputs.pairing_inputs = points_accumulator;

            inputs.set_public();

        } else {

            IO::add_default(builder);

        }

    }

}


template void HonkRecursionConstraintsOutput<UltraCircuitBuilder>::update(

    const HonkRecursionConstraintOutput<UltraCircuitBuilder>&, bool);


template void HonkRecursionConstraintsOutput<MegaCircuitBuilder>::update(

    const HonkRecursionConstraintOutput<MegaCircuitBuilder>&, bool);


template void HonkRecursionConstraintsOutput<UltraCircuitBuilder>::update(

    const HonkRecursionConstraintsOutput<UltraCircuitBuilder>&, bool);


template void HonkRecursionConstraintsOutput<MegaCircuitBuilder>::update(

    const HonkRecursionConstraintsOutput<MegaCircuitBuilder>&, bool);


} // namespace acir_format

BB_ASSERT_EQ
#define BB_ASSERT_EQ(actual, expected,...)
Definition assert.hpp:93

bb::BaseTranscript
Common transcript class for both parties. Stores the data for the current round, as well as the manif...
Definition transcript.hpp:41

bb::CommitmentKey
CommitmentKey object over a pairing group 𝔾₁.
Definition commitment_key.hpp:43

bb::IPA
IPA (inner product argument) commitment scheme class.
Definition ipa.hpp:93

bb::MegaCircuitBuilder_
Definition mega_circuit_builder.hpp:19

bb::OpeningClaim
Unverified claim (C,r,v) for some witness polynomial p(X) such that.
Definition claim.hpp:53

bb::UltraCircuitBuilder_
Definition ultra_circuit_builder.hpp:41

bb::VerifierCommitmentKey
Representation of the Grumpkin Verifier Commitment Key inside a bn254 circuit.
Definition verifier_commitment_key.hpp:16

bb::stdlib::Proof
A simple wrapper around a vector of stdlib field elements representing a proof.
Definition proof.hpp:19

bb::stdlib::recursion::honk::DefaultIO
Manages the data that is propagated on the public inputs of an application/function circuit.
Definition special_public_inputs.hpp:159

bb::stdlib::recursion::honk::RollupIO
The data that is propagated on the public inputs of a rollup circuit.
Definition special_public_inputs.hpp:356

info
void info(Args... args)
Definition log.hpp:89

builder
AluTraceBuilder builder
Definition alu.test.cpp:124

inputs
AvmProvingInputs inputs
Definition hinting_dbs.test.cpp:45

acir_format
Definition acir_format.cpp:30

bb::stdlib::recursion::honk::AppIO
DefaultIO< MegaCircuitBuilder > AppIO
The data that is propagated on the public inputs of an application/function circuit.
Definition special_public_inputs.hpp:216

bb::HonkProof
std::vector< fr > HonkProof
Definition proof.hpp:15

bb::UltraStdlibTranscript
BaseTranscript< stdlib::StdlibCodec< stdlib::field_t< UltraCircuitBuilder > >, stdlib::poseidon2< UltraCircuitBuilder > > UltraStdlibTranscript
Definition transcript.hpp:501

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

recursion_constraint_output.hpp

acir_format::HonkRecursionConstraintsOutput
Container for the output of multiple recursive verifications.
Definition recursion_constraint_output.hpp:30

acir_format::HonkRecursionConstraintsOutput::finalize
void finalize(Builder &builder, bool is_hn_recursion_constraints=false, bool has_ipa_claim=false)
Finalize the output by accumulating IPA claims/proofs, performing full IPA verification,...

acir_format::HonkRecursionConstraintsOutput::nested_ipa_proofs
std::vector< stdlib::Proof< Builder > > nested_ipa_proofs
Definition recursion_constraint_output.hpp:33

acir_format::HonkRecursionConstraintsOutput::perform_full_IPA_verification
void perform_full_IPA_verification(Builder &builder) const
Perform full IPA recursive verification of the IPA claims and proofs contained in this output.

acir_format::HonkRecursionConstraintsOutput::points_accumulator
stdlib::recursion::PairingPoints< stdlib::bn254< Builder > > points_accumulator
Definition recursion_constraint_output.hpp:31

acir_format::HonkRecursionConstraintsOutput::nested_ipa_claims
std::vector< OpeningClaim< stdlib::grumpkin< Builder > > > nested_ipa_claims
Definition recursion_constraint_output.hpp:32

acir_format::HonkRecursionConstraintsOutput::update
void update(const HonkRecursionConstraintOutput< Builder > &other, bool update_ipa_data)
Update the current output with another recursion constraint output.
Definition recursion_constraint_output.cpp:12

bb::stdlib::recursion::PairingPoints
An object storing two EC points that represent the inputs to a pairing check.
Definition pairing_points.hpp:36

bb::stdlib::recursion::honk::UltraRecursiveVerifierOutput
Output type for recursive ultra verification.
Definition ultra_verifier.hpp:28

bb::stdlib::recursion::honk::UltraRecursiveVerifierOutput::ipa_claim
OpeningClaim< grumpkin< Builder > > ipa_claim
Definition ultra_verifier.hpp:34

bb::stdlib::recursion::honk::UltraRecursiveVerifierOutput::points_accumulator
PairingPoints< Curve > points_accumulator
Definition ultra_verifier.hpp:33

bb::stdlib::recursion::honk::UltraRecursiveVerifierOutput::ipa_proof
stdlib::Proof< Builder > ipa_proof
Definition ultra_verifier.hpp:35

throw_or_abort
void throw_or_abort(std::string const &err)
Definition throw_or_abort.hpp:6