From 216e1af9ea9999ee1656c0e67ad1e242b0b16a61 Mon Sep 17 00:00:00 2001 From: lucasxia01 Date: Fri, 1 Nov 2024 20:36:51 +0000 Subject: [PATCH 01/12] constify sumcheck gate challenges for eccvm and translator --- .../cpp/src/barretenberg/eccvm/eccvm_prover.cpp | 4 ++-- .../src/barretenberg/eccvm/eccvm_transcript.test.cpp | 2 +- .../cpp/src/barretenberg/eccvm/eccvm_verifier.cpp | 2 +- .../src/barretenberg/polynomials/gate_separator.hpp | 10 ++-------- .../barretenberg/translator_vm/translator_prover.cpp | 2 +- .../barretenberg/translator_vm/translator_verifier.cpp | 2 +- 6 files changed, 8 insertions(+), 14 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp index db62c810d80..c7f9ff738b8 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp @@ -96,8 +96,8 @@ void ECCVMProver::execute_relation_check_rounds() auto sumcheck = Sumcheck(key->circuit_size, transcript); FF alpha = transcript->template get_challenge("Sumcheck:alpha"); - std::vector gate_challenges(numeric::get_msb(key->circuit_size)); - for (size_t idx = 0; idx < gate_challenges.size(); idx++) { + std::vector gate_challenges(CONST_PROOF_SIZE_LOG_N); + for (size_t idx = 0; idx < CONST_PROOF_SIZE_LOG_N; idx++) { gate_challenges[idx] = transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); } sumcheck_output = sumcheck.prove(key->polynomials, relation_parameters, alpha, gate_challenges); diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_transcript.test.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_transcript.test.cpp index de882d3954a..f85e262a055 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_transcript.test.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_transcript.test.cpp 
@@ -132,7 +132,7 @@ class ECCVMTranscriptTests : public ::testing::Test { manifest_expected.add_entry(round, "Z_PERM", frs_per_G); manifest_expected.add_challenge(round, "Sumcheck:alpha"); - for (size_t i = 0; i < log_n; i++) { + for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N; i++) { round++; std::string label = "Sumcheck:gate_challenge_" + std::to_string(i); manifest_expected.add_challenge(round, label); diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp index 90761596a5e..301cca65997 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_verifier.cpp @@ -48,7 +48,7 @@ bool ECCVMVerifier::verify_proof(const HonkProof& proof) const size_t log_circuit_size = numeric::get_msb(circuit_size); auto sumcheck = SumcheckVerifier(log_circuit_size, transcript); FF alpha = transcript->template get_challenge("Sumcheck:alpha"); - std::vector gate_challenges(static_cast(numeric::get_msb(key->circuit_size))); + std::vector gate_challenges(CONST_PROOF_SIZE_LOG_N); for (size_t idx = 0; idx < gate_challenges.size(); idx++) { gate_challenges[idx] = transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); } diff --git a/barretenberg/cpp/src/barretenberg/polynomials/gate_separator.hpp b/barretenberg/cpp/src/barretenberg/polynomials/gate_separator.hpp index 5ef5580fcbc..e850adea640 100644 --- a/barretenberg/cpp/src/barretenberg/polynomials/gate_separator.hpp +++ b/barretenberg/cpp/src/barretenberg/polynomials/gate_separator.hpp 
@@ -89,14 +89,8 @@ template struct GateSeparatorPolynomial { FF beta_or_dummy; // For the Ultra Recursive flavor to ensure constant size proofs, we perform constant amount of hashing // producing 28 gate betas and we need to use the betas in the dummy rounds to ensure the permutation related - // selectors stay the same regardless of real circuit size. The other recursive verifiers aren't constant for - // the dummy sumcheck rounds we just use 1 as we only generated real log_n betas - if (current_element_idx < betas.size()) { - beta_or_dummy = betas[current_element_idx]; - } else { - beta_or_dummy = FF::from_witness(challenge.get_context(), 1); - } - FF beta_val = FF::conditional_assign(dummy_round, FF::from_witness(challenge.get_context(), 1), beta_or_dummy); + // selectors stay the same regardless of real circuit size. + FF beta_val = FF::conditional_assign(dummy_round, FF(1), betas[current_element_idx]); return (FF(1) + (challenge * (beta_val - FF(1)))); } diff --git a/barretenberg/cpp/src/barretenberg/translator_vm/translator_prover.cpp b/barretenberg/cpp/src/barretenberg/translator_vm/translator_prover.cpp index 49b0e9501d6..08593f055f3 100644 --- a/barretenberg/cpp/src/barretenberg/translator_vm/translator_prover.cpp +++ b/barretenberg/cpp/src/barretenberg/translator_vm/translator_prover.cpp @@ -154,7 +154,7 @@ void TranslatorProver::execute_relation_check_rounds() auto sumcheck = Sumcheck(key->circuit_size, transcript); FF alpha = transcript->template get_challenge("Sumcheck:alpha"); - std::vector gate_challenges(numeric::get_msb(key->circuit_size)); + std::vector gate_challenges(CONST_PROOF_SIZE_LOG_N); for (size_t idx = 0; idx < gate_challenges.size(); idx++) { gate_challenges[idx] = transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); } 
diff --git a/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp b/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp index 5f91b012310..e53020e62a2 100644 --- a/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp @@ -97,7 +97,7 @@ bool TranslatorVerifier::verify_proof(const HonkProof& proof) const size_t log_circuit_size = numeric::get_msb(circuit_size); auto sumcheck = SumcheckVerifier(log_circuit_size, transcript); FF alpha = transcript->template get_challenge("Sumcheck:alpha"); - std::vector gate_challenges(static_cast(numeric::get_msb(key->circuit_size))); + std::vector gate_challenges(CONST_PROOF_SIZE_LOG_N); for (size_t idx = 0; idx < gate_challenges.size(); idx++) { gate_challenges[idx] = transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); } From f6915298dabf738c7d13f10907c192044f0e4160 Mon Sep 17 00:00:00 2001 From: lucasxia01 Date: Fri, 1 Nov 2024 20:39:18 +0000 Subject: [PATCH 02/12] fix recursive verifiers --- .../stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp | 2 +- .../translator_vm_verifier/translator_recursive_verifier.cpp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp index 2e58d33bc03..f996363c259 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/eccvm_verifier/eccvm_recursive_verifier.cpp 
@@ -65,7 +65,7 @@ template void ECCVMRecursiveVerifier_::verify_proof(co const size_t log_circuit_size = numeric::get_msb(static_cast(circuit_size.get_value())); auto sumcheck = SumcheckVerifier(log_circuit_size, transcript, FF(0)); const FF alpha = transcript->template get_challenge("Sumcheck:alpha"); - std::vector gate_challenges(static_cast(numeric::get_msb(key->circuit_size))); + std::vector gate_challenges(CONST_PROOF_SIZE_LOG_N); for (size_t idx = 0; idx < gate_challenges.size(); idx++) { gate_challenges[idx] = transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); } diff --git a/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp index a4a4befd848..949257935d6 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/translator_vm_verifier/translator_recursive_verifier.cpp @@ -106,7 +106,7 @@ std::array TranslatorRecursiveVerifier_(circuit_size.get_value())); auto sumcheck = Sumcheck(log_circuit_size, transcript); FF alpha = transcript->template get_challenge("Sumcheck:alpha"); - std::vector gate_challenges(log_circuit_size); + std::vector gate_challenges(CONST_PROOF_SIZE_LOG_N); for (size_t idx = 0; idx < gate_challenges.size(); idx++) { gate_challenges[idx] = transcript->template get_challenge("Sumcheck:gate_challenge_" + std::to_string(idx)); } From 7b45285c1c15042f440401856fbdfc57673e292e Mon Sep 17 00:00:00 2001 From: lucasxia01 Date: Sat, 2 Nov 2024 19:04:08 +0000 Subject: [PATCH 03/12] undo fix --- .../src/barretenberg/polynomials/gate_separator.hpp | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) 
diff --git a/barretenberg/cpp/src/barretenberg/polynomials/gate_separator.hpp b/barretenberg/cpp/src/barretenberg/polynomials/gate_separator.hpp index e850adea640..5ef5580fcbc 100644 --- a/barretenberg/cpp/src/barretenberg/polynomials/gate_separator.hpp +++ b/barretenberg/cpp/src/barretenberg/polynomials/gate_separator.hpp @@ -89,8 +89,14 @@ template struct GateSeparatorPolynomial { FF beta_or_dummy; // For the Ultra Recursive flavor to ensure constant size proofs, we perform constant amount of hashing // producing 28 gate betas and we need to use the betas in the dummy rounds to ensure the permutation related - // selectors stay the same regardless of real circuit size. - FF beta_val = FF::conditional_assign(dummy_round, FF(1), betas[current_element_idx]); + // selectors stay the same regardless of real circuit size. The other recursive verifiers aren't constant for + // the dummy sumcheck rounds we just use 1 as we only generated real log_n betas + if (current_element_idx < betas.size()) { + beta_or_dummy = betas[current_element_idx]; + } else { + beta_or_dummy = FF::from_witness(challenge.get_context(), 1); + } + FF beta_val = FF::conditional_assign(dummy_round, FF::from_witness(challenge.get_context(), 1), beta_or_dummy); return (FF(1) + (challenge * (beta_val - FF(1)))); } From 4870b02be540e53dd95eab61b5ca16b61b7d33dc Mon Sep 17 00:00:00 2001 From: lucasxia01 Date: Mon, 4 Nov 2024 22:32:03 +0000 Subject: [PATCH 04/12] updating proof size --- barretenberg/cpp/src/barretenberg/constants.hpp | 2 ++ .../cpp/src/barretenberg/eccvm/eccvm_transcript.test.cpp | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/barretenberg/cpp/src/barretenberg/constants.hpp b/barretenberg/cpp/src/barretenberg/constants.hpp index bdfa57e5f95..b5283f31a13 100644 --- a/barretenberg/cpp/src/barretenberg/constants.hpp +++ b/barretenberg/cpp/src/barretenberg/constants.hpp 
@@ -11,6 +11,8 @@ static constexpr uint32_t CONST_PROOF_SIZE_LOG_N = 28; // circuits being folded. static constexpr uint32_t CONST_PG_LOG_N = 20; +static constexpr uint32_t CONST_ECCVM_LOG_N = 17; + static constexpr uint32_t MAX_LOOKUP_TABLES_SIZE = 70000; static constexpr uint32_t MAX_DATABUS_SIZE = 10000; diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_transcript.test.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_transcript.test.cpp index f85e262a055..be0582b2157 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_transcript.test.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_transcript.test.cpp @@ -202,7 +202,7 @@ class ECCVMTranscriptTests : public ::testing::Test { manifest_expected.add_entry(round, "IPA:poly_degree_plus_1", frs_per_uint32); manifest_expected.add_challenge(round, "IPA:generator_challenge"); - for (size_t i = 0; i < log_n; ++i) { + for (size_t i = 0; i < CONST_ECCVM_LOG_N; ++i) { round++; std::string idx = std::to_string(log_n - i - 1); manifest_expected.add_entry(round, "IPA:L_" + idx, frs_per_G); From b8ff5522ebf5813aaae35f0aafdc14180c3eb549 Mon Sep 17 00:00:00 2001 From: lucasxia01 Date: Mon, 4 Nov 2024 23:40:46 +0000 Subject: [PATCH 05/12] get native tests to pass --- .../commitment_schemes/ipa/ipa.hpp | 64 ++++++++++++------- .../eccvm/eccvm_composer.test.cpp | 2 +- .../src/barretenberg/eccvm/eccvm_flavor.hpp | 3 +- .../eccvm/eccvm_transcript.test.cpp | 2 +- 4 files changed, 43 insertions(+), 28 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.hpp index aae5484578a..76ed36420f3 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.hpp 
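Review bot: `CONST_ECCVM_LOG_N` is added to constants.hpp without a comment, although the constant above it carries one, and later patches in this series use it as the fixed IPA round count that determines the proof layout. A line such as `// Fixed number of IPA rounds in an ECCVM proof; polynomials must have length at most 2^CONST_ECCVM_LOG_N and shorter ones are padded with dummy rounds.` would record that contract next to the value.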
@@ -235,7 +235,7 @@ template class IPA { // Step 6.c // Send commitments to the verifier - std::string index = std::to_string(log_poly_length - i - 1); + std::string index = std::to_string(CONST_ECCVM_LOG_N - i - 1); transcript->send_to_verifier("IPA:L_" + index, Commitment(L_i)); transcript->send_to_verifier("IPA:R_" + index, Commitment(R_i)); @@ -271,6 +271,14 @@ template class IPA { }, thread_heuristics::FF_ADDITION_COST * 2 + thread_heuristics::FF_MULTIPLICATION_COST * 2); } + // For dummy rounds, send commitments of zero() + for (size_t i = log_poly_length; i < CONST_ECCVM_LOG_N; i++) { + std::string index = std::to_string(CONST_ECCVM_LOG_N - i - 1); + transcript->send_to_verifier("IPA:L_" + index, Commitment::one()); + transcript->send_to_verifier("IPA:R_" + index, Commitment::one()); + transcript->template get_challenge("IPA:round_challenge_" + index); + } + // Step 7 // Send a_0 to the verifier transcript->send_to_verifier("IPA:a_0", a_vec[0]); 
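Review bot: Neither prover hunk checks that `log_poly_length <= CONST_ECCVM_LOG_N`, and `log_poly_length` is computed outside the hunks. For a longer polynomial the label index `CONST_ECCVM_LOG_N - i - 1` in the `@@ -235` hunk wraps around as an unsigned value and the padding loop in the `@@ -271` hunk never runs; the verifier loops in the `@@ -336` and `@@ -440` hunks and the `subspan(0, log_poly_length)` call added in patch 07 rest on the same assumption. An early `ASSERT(log_poly_length <= CONST_ECCVM_LOG_N);` in the prover, and a `throw_or_abort` on the same condition in the verifier where the length may come from the proof, would make the limit explicit. Separately, the new comment says the dummy rounds send commitments of zero() while the code sends `Commitment::one()`; `// For dummy rounds, send Commitment::one() as a placeholder` would match the code.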
@@ -336,21 +344,24 @@ template class IPA { // Step 4. // Receive all L_i and R_i and prepare for MSM - for (size_t i = 0; i < log_poly_length; i++) { - std::string index = std::to_string(log_poly_length - i - 1); + for (size_t i = 0; i < CONST_ECCVM_LOG_N; i++) { + std::string index = std::to_string(CONST_ECCVM_LOG_N - i - 1); auto element_L = transcript->template receive_from_prover("IPA:L_" + index); auto element_R = transcript->template receive_from_prover("IPA:R_" + index); - round_challenges[i] = transcript->template get_challenge("IPA:round_challenge_" + index); - if (round_challenges[i].is_zero()) { - throw_or_abort("Round challenges can't be zero"); - } - // TODO(https://github.com/AztecProtocol/barretenberg/issues/1140): Use batch_invert. - round_challenges_inv[i] = round_challenges[i].invert(); + auto round_challenge = transcript->template get_challenge("IPA:round_challenge_" + index); + if (i < log_poly_length) { + round_challenges[i] = round_challenge; + if (round_challenges[i].is_zero()) { + throw_or_abort("Round challenges can't be zero"); + } + // TODO(https://github.com/AztecProtocol/barretenberg/issues/1140): Use batch_invert. + round_challenges_inv[i] = round_challenges[i].invert(); - msm_elements[2 * i] = element_L; - msm_elements[2 * i + 1] = element_R; - msm_scalars[2 * i] = round_challenges_inv[i]; - msm_scalars[2 * i + 1] = round_challenges[i]; + msm_elements[2 * i] = element_L; + msm_elements[2 * i + 1] = element_R; + msm_scalars[2 * i] = round_challenges_inv[i]; + msm_scalars[2 * i + 1] = round_challenges[i]; + } } // Step 5. 
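Review bot: In the dummy rounds (`i >= log_poly_length`) `element_L`, `element_R` and the round challenge are read from the transcript and then dropped, so as far as this hunk shows any group elements in the padded part of the proof are accepted. That leaves the padded region of an otherwise valid proof freely changeable unless something outside the hunk binds it. If the padding is meant to be the `Commitment::one()` the prover sends, an `else` branch such as `if (!(element_L == Commitment::one()) || !(element_R == Commitment::one())) { throw_or_abort("IPA: unexpected dummy round commitment"); }` would pin it; otherwise a comment stating that the padding is deliberately unconstrained would help. The enclosing function starts and ends outside the hunk.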
@@ -440,20 +451,22 @@ template class IPA { // Step 2. // Receive generator challenge u and compute auxiliary generator const Fr generator_challenge = transcript->template get_challenge("IPA:generator_challenge"); - auto builder = generator_challenge.get_context(); + typename Curve::Builder* builder = generator_challenge.get_context(); const auto log_poly_length = numeric::get_msb(static_cast(poly_length)); - auto pippenger_size = 2 * log_poly_length; - std::vector round_challenges(log_poly_length); - std::vector round_challenges_inv(log_poly_length); + auto pippenger_size = 2 * CONST_ECCVM_LOG_N; + std::vector round_challenges(CONST_ECCVM_LOG_N); + std::vector round_challenges_inv(CONST_ECCVM_LOG_N); std::vector msm_elements(pippenger_size); std::vector msm_scalars(pippenger_size); // Step 3. // Receive all L_i and R_i and prepare for MSM - for (size_t i = 0; i < log_poly_length; i++) { - std::string index = std::to_string(log_poly_length - i - 1); + for (size_t i = 0; i < CONST_ECCVM_LOG_N; i++) { + stdlib::bool_t dummy_round = stdlib::witness_t(builder, i >= log_poly_length); + + std::string index = std::to_string(CONST_ECCVM_LOG_N - i - 1); auto element_L = transcript->template receive_from_prover("IPA:L_" + index); auto element_R = transcript->template receive_from_prover("IPA:R_" + index); round_challenges[i] = transcript->template get_challenge("IPA:round_challenge_" + index); @@ -461,8 +474,8 @@ template class IPA { msm_elements[2 * i] = element_L; msm_elements[2 * i + 1] = element_R; - msm_scalars[2 * i] = round_challenges_inv[i]; - msm_scalars[2 * i + 1] = round_challenges[i]; + msm_scalars[2 * i] = Fr::conditional_assign(dummy_round, Fr(0), round_challenges_inv[i]); + msm_scalars[2 * i + 1] = Fr::conditional_assign(dummy_round, Fr(0), round_challenges[i]); } // Step 4. 
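Review bot: `dummy_round` in the `@@ -440` hunk is built with `stdlib::witness_t(builder, i >= log_poly_length)`, where `log_poly_length` is a native value, so the flag enters the circuit as a free witness and no constraint visible here ties it to the polynomial length the circuit received. Since the flag zeroes `msm_scalars[2 * i]` and `msm_scalars[2 * i + 1]`, a witness assignment that marks a real round as dummy would drop that round's L and R from the batch mul. The same construction recurs in the `@@ -472` hunk and in patch 07 (`@@ -486` and `evaluate_challenge_poly`). If the length is fixed per circuit the flag could be a circuit constant; if not, it needs to be derived from the in-circuit length by constrained comparisons, and until then a comment like `// TODO: dummy_round is an unconstrained witness; constrain it against poly_length` would flag it. The verifier body continues outside the hunk.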
@@ -472,9 +485,12 @@ template class IPA { Fr b_zero = Fr(1); Fr challenge = opening_claim.opening_pair.challenge; - for (size_t i = 0; i < log_poly_length; i++) { - b_zero *= Fr(1) + (round_challenges_inv[log_poly_length - 1 - i] * challenge); - if (i != log_poly_length - 1) + for (size_t i = 0; i < CONST_ECCVM_LOG_N; i++) { + stdlib::bool_t dummy_round = stdlib::witness_t(builder, i >= log_poly_length); + + Fr monomial = Fr::conditional_assign(dummy_round, Fr(0), round_challenges_inv[CONST_ECCVM_LOG_N - 1 - i] * challenge); + b_zero *= Fr(1) + monomial; + if (i != CONST_ECCVM_LOG_N - 1) // this if is fine because the number of iterations is constant { challenge = challenge * challenge; } diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_composer.test.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_composer.test.cpp index d77bb7433c5..4fdd99e5610 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_composer.test.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_composer.test.cpp @@ -63,7 +63,7 @@ TEST_F(ECCVMTests, BaseCase) { ECCVMCircuitBuilder builder = generate_circuit(&engine); ECCVMProver prover(builder); - auto proof = prover.construct_proof(); + HonkProof proof = prover.construct_proof(); ECCVMVerifier verifier(prover.key); bool verified = verifier.verify_proof(proof); diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp index ce15706cc6a..d9e9a0229e8 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp 
@@ -1182,8 +1182,7 @@ class ECCVMFlavor { ipa_poly_degree = NativeTranscript::template deserialize_from_buffer(NativeTranscript::proof_data, num_frs_read); - auto log_poly_degree = static_cast(numeric::get_msb(ipa_poly_degree)); - for (size_t i = 0; i < log_poly_degree; ++i) { + for (size_t i = 0; i < CONST_ECCVM_LOG_N; ++i) { ipa_l_comms.emplace_back(NativeTranscript::template deserialize_from_buffer( NativeTranscript::proof_data, num_frs_read)); ipa_r_comms.emplace_back(NativeTranscript::template deserialize_from_buffer( diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_transcript.test.cpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_transcript.test.cpp index be0582b2157..2a18dae18ea 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_transcript.test.cpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_transcript.test.cpp @@ -204,7 +204,7 @@ class ECCVMTranscriptTests : public ::testing::Test { for (size_t i = 0; i < CONST_ECCVM_LOG_N; ++i) { round++; - std::string idx = std::to_string(log_n - i - 1); + std::string idx = std::to_string(CONST_ECCVM_LOG_N - i - 1); manifest_expected.add_entry(round, "IPA:L_" + idx, frs_per_G); manifest_expected.add_entry(round, "IPA:R_" + idx, frs_per_G); std::string label = "IPA:round_challenge_" + idx; From 3ad37602c575840e8b16e2eb74a1060c7b826db0 Mon Sep 17 00:00:00 2001 From: lucasxia01 Date: Mon, 4 Nov 2024 23:42:56 +0000 Subject: [PATCH 06/12] fix serialize test --- barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp index d9e9a0229e8..e20938d5ff9 100644 --- a/barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp +++ b/barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp 
@@ -1328,8 +1328,7 @@ class ECCVMFlavor { NativeTranscript::template serialize_to_buffer(shplonk_q2_comm, NativeTranscript::proof_data); NativeTranscript::template serialize_to_buffer(ipa_poly_degree, NativeTranscript::proof_data); - auto log_poly_degree = static_cast(numeric::get_msb(ipa_poly_degree)); - for (size_t i = 0; i < log_poly_degree; ++i) { + for (size_t i = 0; i < CONST_ECCVM_LOG_N; ++i) { NativeTranscript::template serialize_to_buffer(ipa_l_comms[i], NativeTranscript::proof_data); NativeTranscript::template serialize_to_buffer(ipa_r_comms[i], NativeTranscript::proof_data); } From 9582fee988cae17b6ff33027d3c804a04b0c0732 Mon Sep 17 00:00:00 2001 From: lucasxia01 Date: Tue, 5 Nov 2024 21:37:16 +0000 Subject: [PATCH 07/12] attempt to constify accumulation --- .../commitment_schemes/ipa/ipa.hpp | 75 ++++++++++++------- .../commitment_schemes/ipa/ipa.test.cpp | 2 +- .../ipa_recursive.test.cpp | 17 ++++- .../cpp/src/barretenberg/constants.hpp | 2 +- .../stdlib/honk_verifier/ipa_accumulator.hpp | 1 + 5 files changed, 64 insertions(+), 33 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.hpp index 76ed36420f3..6de2ecaba3a 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.hpp @@ -282,6 +282,10 @@ template class IPA { // Step 7 // Send a_0 to the verifier transcript->send_to_verifier("IPA:a_0", a_vec[0]); + + info("prove G_zero: ", G_vec_local[0]); + info("prove b_zero: ", b_vec[0]); + info("prove a_zero: ", a_vec[0]); } /** 
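Review bot: The `info("prove G_zero: ", ...)`, `b_zero` and `a_zero` lines in the `@@ -282` hunk look like leftover debugging output in the prover, and the same kind of call is added to the native and recursive verifiers in the `@@ -378`, `@@ -408`, `@@ -486` and `@@ -540` hunks, two of them inside per-round loops. They print on every proof and verification and clutter logs; I would drop them before merge or keep them behind whatever debug-only logging facility the project has.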
@@ -337,8 +341,8 @@ template class IPA { GroupElement C_prime = opening_claim.commitment + (aux_generator * opening_claim.opening_pair.evaluation); auto pippenger_size = 2 * log_poly_length; - std::vector round_challenges(log_poly_length); - std::vector round_challenges_inv(log_poly_length); + std::vector round_challenges(CONST_ECCVM_LOG_N); + std::vector round_challenges_inv(CONST_ECCVM_LOG_N); std::vector msm_elements(pippenger_size); std::vector msm_scalars(pippenger_size); @@ -348,14 +352,13 @@ template class IPA { std::string index = std::to_string(CONST_ECCVM_LOG_N - i - 1); auto element_L = transcript->template receive_from_prover("IPA:L_" + index); auto element_R = transcript->template receive_from_prover("IPA:R_" + index); - auto round_challenge = transcript->template get_challenge("IPA:round_challenge_" + index); + round_challenges[i] = transcript->template get_challenge("IPA:round_challenge_" + index); + if (round_challenges[i].is_zero()) { + throw_or_abort("Round challenges can't be zero"); + } + // TODO(https://github.com/AztecProtocol/barretenberg/issues/1140): Use batch_invert. + round_challenges_inv[i] = round_challenges[i].invert(); if (i < log_poly_length) { - round_challenges[i] = round_challenge; - if (round_challenges[i].is_zero()) { - throw_or_abort("Round challenges can't be zero"); - } - // TODO(https://github.com/AztecProtocol/barretenberg/issues/1140): Use batch_invert. - round_challenges_inv[i] = round_challenges[i].invert(); msm_elements[2 * i] = element_L; msm_elements[2 * i + 1] = element_R; 
@@ -378,11 +381,13 @@ template class IPA { for (size_t i = 0; i < log_poly_length; i++) { b_zero *= Fr::one() + (round_challenges_inv[log_poly_length - 1 - i] * opening_claim.opening_pair.challenge.pow(1 << i)); + info("native verify b_zero after i: ", i, " is ", b_zero); + } // Step 7. // Construct vector s - Polynomial s_poly(construct_poly_from_u_challenges_inv(round_challenges_inv)); + Polynomial s_poly(construct_poly_from_u_challenges_inv(log_poly_length, std::span(round_challenges_inv).subspan(0, log_poly_length))); std::span srs_elements = vk->get_monomial_points(); if (poly_length * 2 > srs_elements.size()) { @@ -408,6 +413,9 @@ template class IPA { // Step 9. // Receive a₀ from the prover auto a_zero = transcript->template receive_from_prover("IPA:a_0"); + info("native verify G_zero: ", G_zero); + info("native verify b_zero: ", b_zero); + info("native verify a_zero: ", a_zero); // Step 10. // Compute C_right @@ -486,13 +494,14 @@ template class IPA { Fr b_zero = Fr(1); Fr challenge = opening_claim.opening_pair.challenge; for (size_t i = 0; i < CONST_ECCVM_LOG_N; i++) { - stdlib::bool_t dummy_round = stdlib::witness_t(builder, i >= log_poly_length); + stdlib::bool_t dummy_round = stdlib::witness_t(builder, i < CONST_ECCVM_LOG_N - log_poly_length); Fr monomial = Fr::conditional_assign(dummy_round, Fr(0), round_challenges_inv[CONST_ECCVM_LOG_N - 1 - i] * challenge); b_zero *= Fr(1) + monomial; + info("rec verify b_zero after i: ", i, " is ", b_zero.get_value()); if (i != CONST_ECCVM_LOG_N - 1) // this if is fine because the number of iterations is constant { - challenge = challenge * challenge; + challenge = Fr::conditional_assign(dummy_round, challenge, challenge * challenge); } } 
@@ -540,6 +549,10 @@ template class IPA { // Compute R = C' + ∑_{j ∈ [k]} u_j^{-1}L_j + ∑_{j ∈ [k]} u_jR_j - G₀ * a₀ - (f(\beta) + a₀ * b₀) ⋅ U // This is a combination of several IPA relations into a large batch mul // which should be equal to -C + info("rec verify G_zero: ", G_zero.get_value()); + info("rec verify b_zero: ", b_zero.get_value()); + info("rec verify a_zero: ", a_zero.get_value()); + msm_elements.emplace_back(-G_zero); msm_elements.emplace_back(-Commitment::one(builder)); msm_scalars.emplace_back(a_zero); @@ -549,7 +562,8 @@ template class IPA { ASSERT(ipa_relation.get_value() == -opening_claim.commitment.get_value()); // This should return an actual VerifierAccumulator - return {round_challenges_inv, G_zero}; + Fr stdlib_log_poly_length(static_cast(log_poly_length)); + return {stdlib_log_poly_length, round_challenges_inv, G_zero}; } public: @@ -680,13 +694,19 @@ template class IPA { * @param r * @return Fr */ - static Fr evaluate_challenge_poly(const std::vector& u_challenges_inv, Fr r) { + static Fr evaluate_challenge_poly(Fr log_poly_length, const std::vector& u_challenges_inv, Fr r) { + using Builder = typename Curve::Builder; + + Builder* builder = r.get_context(); Fr challenge_poly_eval = 1; Fr r_pow = r; - size_t len = u_challenges_inv.size(); - for (size_t i = 0; i < len; i++) { - challenge_poly_eval *= (Fr(1) + u_challenges_inv[len - 1 - i] * r_pow); - r_pow *= r_pow; + for (size_t i = 0; i < CONST_ECCVM_LOG_N; i++) { + stdlib::bool_t dummy_round = stdlib::witness_t(builder, i < CONST_ECCVM_LOG_N - uint32_t(log_poly_length.get_value())); + + Fr monomial = Fr::conditional_assign(dummy_round, Fr(0), u_challenges_inv[CONST_ECCVM_LOG_N - 1 - i] * r_pow); + + challenge_poly_eval *= (Fr(1) + monomial); + r_pow = Fr::conditional_assign(dummy_round, r_pow, r_pow * r_pow); } return challenge_poly_eval; } 
@@ -700,8 +720,8 @@ template class IPA { * @param alpha * @return Fr */ - static Fr evaluate_and_accumulate_challenge_polys(std::vector u_challenges_inv_1, std::vector u_challenges_inv_2, Fr r, Fr alpha) { - auto result = evaluate_challenge_poly(u_challenges_inv_1, r) + alpha * evaluate_challenge_poly(u_challenges_inv_2, r); + static Fr evaluate_and_accumulate_challenge_polys(Fr log_poly_length_1, std::vector u_challenges_inv_1, Fr log_poly_length_2, std::vector u_challenges_inv_2, Fr r, Fr alpha) { + auto result = evaluate_challenge_poly(log_poly_length_1, u_challenges_inv_1, r) + alpha * evaluate_challenge_poly(log_poly_length_2, u_challenges_inv_2, r); return result; } @@ -711,9 +731,8 @@ template class IPA { * @param u_challenges_inv * @return Polynomial */ - static Polynomial construct_poly_from_u_challenges_inv(const std::vector& u_challenges_inv) { - const size_t poly_length = (1 << u_challenges_inv.size()); - const size_t log_poly_length = u_challenges_inv.size(); + static Polynomial construct_poly_from_u_challenges_inv(const size_t log_poly_length, const std::span& u_challenges_inv) { + const size_t poly_length = (1 << log_poly_length); // Construct vector s in linear time. std::vector s_vec(poly_length, bb::fq::one()); 
@@ -751,9 +770,9 @@ template class IPA { * @param alpha * @return Polynomial */ - static Polynomial create_challenge_poly(const std::vector& u_challenges_inv_1, const std::vector& u_challenges_inv_2, bb::fq alpha) { - Polynomial challenge_poly = construct_poly_from_u_challenges_inv(u_challenges_inv_1); - Polynomial challenge_poly_2 = construct_poly_from_u_challenges_inv(u_challenges_inv_2); + static Polynomial create_challenge_poly(const size_t log_poly_length_1, const std::vector& u_challenges_inv_1, const size_t log_poly_length_2, const std::vector& u_challenges_inv_2, bb::fq alpha) { + Polynomial challenge_poly = construct_poly_from_u_challenges_inv(log_poly_length_1, u_challenges_inv_1); + Polynomial challenge_poly_2 = construct_poly_from_u_challenges_inv(log_poly_length_2, u_challenges_inv_2); challenge_poly.add_scaled(challenge_poly_2, alpha); return challenge_poly; } @@ -792,7 +811,7 @@ template class IPA { output_claim.commitment = pair_1.comm + pair_2.comm * alpha; output_claim.opening_pair.challenge = r; // Evaluate the challenge_poly polys at r and linearly combine them with alpha challenge - output_claim.opening_pair.evaluation = evaluate_and_accumulate_challenge_polys(pair_1.u_challenges_inv, pair_2.u_challenges_inv, r, alpha); + output_claim.opening_pair.evaluation = evaluate_and_accumulate_challenge_polys(pair_1.log_poly_length, pair_1.u_challenges_inv, pair_2.log_poly_length, pair_2.u_challenges_inv, r, alpha); // Step 4: Compute the new polynomial std::vector native_u_challenges_inv_1; 
@@ -803,7 +822,7 @@ template class IPA { for (Fr u_inv_i : pair_2.u_challenges_inv) { native_u_challenges_inv_2.push_back(bb::fq(u_inv_i.get_value())); } - return {output_claim, create_challenge_poly(native_u_challenges_inv_1, native_u_challenges_inv_2, fq(alpha.get_value()))}; + return {output_claim, create_challenge_poly(uint32_t(pair_1.log_poly_length.get_value()), native_u_challenges_inv_1, uint32_t(pair_2.log_poly_length.get_value()), native_u_challenges_inv_2, fq(alpha.get_value()))}; } }; diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp index 07d22793c0f..7a51b25d553 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.test.cpp @@ -159,7 +159,7 @@ TEST_F(IPATest, AIsZeroAfterOneRound) // initialize an empty mock transcript auto transcript = std::make_shared(); - const size_t num_challenges = numeric::get_msb(n) + 1; + const size_t num_challenges = CONST_ECCVM_LOG_N + 1; std::vector random_vector(num_challenges); // Generate a random element vector with challenges diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/ipa_recursive.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/ipa_recursive.test.cpp index 366d17486a2..f1a117b36cd 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/ipa_recursive.test.cpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/ipa_recursive.test.cpp 
@@ -73,7 +73,7 @@ class IPARecursiveTests : public CommitmentTest { RecursiveIPA::reduce_verify(recursive_verifier_ck, stdlib_claim, stdlib_transcript); builder.finalize_circuit(/*ensure_nonzero=*/false); - info("IPA Recursive Verifier num finalizedgates = ", builder.get_num_finalized_gates()); + info("IPA Recursive Verifier num finalized gates = ", builder.get_num_finalized_gates()); EXPECT_TRUE(CircuitChecker::check(builder)); } @@ -96,7 +96,7 @@ class IPARecursiveTests : public CommitmentTest { // Creates two IPA accumulators and accumulators from the two claims. Also constructs the accumulated h // polynomial. - auto [output_claim, h_poly] = + auto [output_claim, challenge_poly] = RecursiveIPA::accumulate(recursive_verifier_ck, transcript_1, claim_1, transcript_2, claim_2); builder.finalize_circuit(/*ensure_nonzero=*/false); info("Circuit with 2 IPA Recursive Verifiers and IPA Accumulation num finalized gates = ", @@ -111,7 +111,9 @@ class IPARecursiveTests : public CommitmentTest { Commitment native_comm = output_claim.commitment.get_value(); const OpeningClaim opening_claim{ opening_pair, native_comm }; - NativeIPA::compute_opening_proof(this->ck(), { h_poly, opening_pair }, prover_transcript); + NativeIPA::compute_opening_proof(this->ck(), { challenge_poly, opening_pair }, prover_transcript); + + EXPECT_EQ(challenge_poly.evaluate(opening_pair.challenge), opening_pair.evaluation); // Natively verify this proof to check it. auto verifier_transcript = std::make_shared(prover_transcript->proof_data); @@ -141,6 +143,15 @@ TEST_F(IPARecursiveTests, RecursiveMedium) test_recursive_ipa(/*POLY_LENGTH=*/1024); } +/** + * @brief Tests IPA recursion with polynomial of length 1< struct IpaAccumulator { + typename Curve::ScalarField log_poly_length; std::vector u_challenges_inv; // inverses of u challenges that represent the polynomial h typename Curve::Group comm; // commitment to the polynomial h From f67dd2d59696b278c7bfbdd18bcb24d2a7a00857 Mon Sep 17 00:00:00 2001 
From: lucasxia01 Date: Tue, 5 Nov 2024 22:16:59 +0000 Subject: [PATCH 08/12] update constant to 16 --- .../commitment_schemes/commitment_key.test.hpp | 14 ++++++++------ barretenberg/cpp/src/barretenberg/constants.hpp | 2 +- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/commitment_key.test.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/commitment_key.test.hpp index 16464cda07f..42ce334d0df 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/commitment_key.test.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/commitment_key.test.hpp @@ -2,6 +2,7 @@ #include "barretenberg/commitment_schemes/commitment_key.hpp" #include "barretenberg/commitment_schemes/verification_key.hpp" +#include "barretenberg/constants.hpp" #include "barretenberg/ecc/curves/bn254/g1.hpp" #include "barretenberg/srs/factories/file_crs_factory.hpp" #include "claim.hpp" @@ -10,20 +11,21 @@ namespace bb { -constexpr size_t COMMITMENT_TEST_NUM_POINTS = 4096; +constexpr size_t COMMITMENT_TEST_NUM_BN254_POINTS = 4096; +constexpr size_t COMMITMENT_TEST_NUM_GRUMPKIN_POINTS = CONST_ECCVM_LOG_N; template inline std::shared_ptr CreateCommitmentKey(); template <> inline std::shared_ptr> CreateCommitmentKey>() { srs::init_crs_factory("../srs_db/ignition"); - return std::make_shared>(COMMITMENT_TEST_NUM_POINTS); + return std::make_shared>(COMMITMENT_TEST_NUM_BN254_POINTS); } // For IPA template <> inline std::shared_ptr> CreateCommitmentKey>() { srs::init_grumpkin_crs_factory("../srs_db/grumpkin"); - return std::make_shared>(COMMITMENT_TEST_NUM_POINTS); + return std::make_shared>(COMMITMENT_TEST_NUM_GRUMPKIN_POINTS); } template inline std::shared_ptr CreateCommitmentKey() 
@@ -45,9 +47,9 @@ template <> inline std::shared_ptr> CreateVerifierCommitmentKey< VerifierCommitmentKey>() { - auto crs_factory = std::make_shared>("../srs_db/grumpkin", - COMMITMENT_TEST_NUM_POINTS); - return std::make_shared>(COMMITMENT_TEST_NUM_POINTS, crs_factory); + auto crs_factory = std::make_shared>( + "../srs_db/grumpkin", COMMITMENT_TEST_NUM_GRUMPKIN_POINTS); + return std::make_shared>(COMMITMENT_TEST_NUM_GRUMPKIN_POINTS, crs_factory); } template inline std::shared_ptr CreateVerifierCommitmentKey() // requires std::default_initializable diff --git a/barretenberg/cpp/src/barretenberg/constants.hpp b/barretenberg/cpp/src/barretenberg/constants.hpp index 254dae9c416..696eecc0aa5 100644 --- a/barretenberg/cpp/src/barretenberg/constants.hpp +++ b/barretenberg/cpp/src/barretenberg/constants.hpp @@ -11,7 +11,7 @@ static constexpr uint32_t CONST_PROOF_SIZE_LOG_N = 28; // circuits being folded. static constexpr uint32_t CONST_PG_LOG_N = 20; -static constexpr uint32_t CONST_ECCVM_LOG_N = 12; +static constexpr uint32_t CONST_ECCVM_LOG_N = 16; static constexpr uint32_t MAX_LOOKUP_TABLES_SIZE = 70000; From 3e9647976beedfb23134a5a449164a642f79806a Mon Sep 17 00:00:00 2001 From: lucasxia01 Date: Tue, 5 Nov 2024 22:50:19 +0000 Subject: [PATCH 09/12] now actually fix constants in eccvm test --- .../src/barretenberg/commitment_schemes/commitment_key.test.hpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/commitment_key.test.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/commitment_key.test.hpp index 42ce334d0df..f991e1aa164 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/commitment_key.test.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/commitment_key.test.hpp 
@@ -12,7 +12,7 @@ namespace bb { constexpr size_t COMMITMENT_TEST_NUM_BN254_POINTS = 4096; -constexpr size_t COMMITMENT_TEST_NUM_GRUMPKIN_POINTS = CONST_ECCVM_LOG_N; +constexpr size_t COMMITMENT_TEST_NUM_GRUMPKIN_POINTS = 1 << CONST_ECCVM_LOG_N; template inline std::shared_ptr CreateCommitmentKey(); From cd7e947f44e577d3b4c28f4fb0dd7817af1bb68f Mon Sep 17 00:00:00 2001 From: lucasxia01 Date: Wed, 6 Nov 2024 17:47:17 +0000 Subject: [PATCH 10/12] remove print statements --- .../barretenberg/commitment_schemes/ipa/ipa.hpp | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.hpp index 6de2ecaba3a..e5128c65bcb 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.hpp @@ -282,10 +282,6 @@ template class IPA { // Step 7 // Send a_0 to the verifier transcript->send_to_verifier("IPA:a_0", a_vec[0]); - - info("prove G_zero: ", G_vec_local[0]); - info("prove b_zero: ", b_vec[0]); - info("prove a_zero: ", a_vec[0]); } /** @@ -381,8 +377,6 @@ template class IPA { for (size_t i = 0; i < log_poly_length; i++) { b_zero *= Fr::one() + (round_challenges_inv[log_poly_length - 1 - i] * opening_claim.opening_pair.challenge.pow(1 << i)); - info("native verify b_zero after i: ", i, " is ", b_zero); - } // Step 7. @@ -413,9 +407,6 @@ template class IPA { // Step 9. // Receive a₀ from the prover auto a_zero = transcript->template receive_from_prover("IPA:a_0"); - info("native verify G_zero: ", G_zero); - info("native verify b_zero: ", b_zero); - info("native verify a_zero: ", a_zero); // Step 10. // Compute C_right 
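Review bot: `1 << CONST_ECCVM_LOG_N` in the new `COMMITMENT_TEST_NUM_GRUMPKIN_POINTS` is computed on the `int` literal `1` and only widened to `size_t` afterwards. That is fine for the current value of 16, but `CONST_PROOF_SIZE_LOG_N` in the same header is 28, and a shift count of 31 or more would overflow a signed `int`. Writing `constexpr size_t COMMITMENT_TEST_NUM_GRUMPKIN_POINTS = size_t{ 1 } << CONST_ECCVM_LOG_N;` keeps the computation in the destination type.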
@@ -498,7 +489,6 @@ template class IPA { Fr monomial = Fr::conditional_assign(dummy_round, Fr(0), round_challenges_inv[CONST_ECCVM_LOG_N - 1 - i] * challenge); b_zero *= Fr(1) + monomial; - info("rec verify b_zero after i: ", i, " is ", b_zero.get_value()); if (i != CONST_ECCVM_LOG_N - 1) // this if is fine because the number of iterations is constant { challenge = Fr::conditional_assign(dummy_round, challenge, challenge * challenge); @@ -549,10 +539,6 @@ template class IPA { // Compute R = C' + ∑_{j ∈ [k]} u_j^{-1}L_j + ∑_{j ∈ [k]} u_jR_j - G₀ * a₀ - (f(\beta) + a₀ * b₀) ⋅ U // This is a combination of several IPA relations into a large batch mul // which should be equal to -C - info("rec verify G_zero: ", G_zero.get_value()); - info("rec verify b_zero: ", b_zero.get_value()); - info("rec verify a_zero: ", a_zero.get_value()); - msm_elements.emplace_back(-G_zero); msm_elements.emplace_back(-Commitment::one(builder)); msm_scalars.emplace_back(a_zero); From 91dff5d3411bc3bd2a018edf28b42cdf5072adc3 Mon Sep 17 00:00:00 2001 From: lucasxia01 Date: Wed, 6 Nov 2024 21:23:15 +0000 Subject: [PATCH 11/12] add TODOs and aborts --- .../commitment_schemes/gemini/gemini.hpp | 2 +- .../commitment_schemes/ipa/ipa.hpp | 18 ++++++++++++++++-- .../commitment_schemes/zeromorph/zeromorph.hpp | 3 +++ .../cpp/src/barretenberg/sumcheck/sumcheck.hpp | 4 +++- 4 files changed, 23 insertions(+), 4 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp index aa9b6c8d787..648eb34ba52 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp 
@@ -330,7 +330,7 @@ template class GeminiVerifier_ { if constexpr (Curve::is_stdlib_type) { auto builder = evaluation_point[0].get_context(); - // TODO(https://github.com/AztecProtocol/barretenberg/issues/1114): insecure! + // TODO(https://github.com/AztecProtocol/barretenberg/issues/1114): insecure dummy_round derivation! stdlib::bool_t dummy_round = stdlib::witness_t(builder, l > num_variables); batched_eval_accumulator = Fr::conditional_assign(dummy_round, batched_eval_accumulator, batched_eval_round_acc); diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.hpp index e5128c65bcb..ac46835eab9 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.hpp @@ -199,6 +199,9 @@ template class IPA { // Iterate for log(poly_degree) rounds to compute the round commitments. auto log_poly_length = static_cast(numeric::get_msb(poly_length)); + if (log_poly_length >= CONST_ECCVM_LOG_N) { + throw_or_abort("IPA log_poly_length is too large"); + } // Allocate space for L_i and R_i elements GroupElement L_i; @@ -332,6 +335,9 @@ template class IPA { Commitment aux_generator = Commitment::one() * generator_challenge; auto log_poly_length = static_cast(numeric::get_msb(poly_length)); + if (log_poly_length >= CONST_ECCVM_LOG_N) { + throw_or_abort("IPA log_poly_length is too large"); + } // Step 3. // Compute C' = C + f(\beta) ⋅ U GroupElement C_prime = opening_claim.commitment + (aux_generator * opening_claim.opening_pair.evaluation); 
@@ -453,6 +459,9 @@ template class IPA { typename Curve::Builder* builder = generator_challenge.get_context(); const auto log_poly_length = numeric::get_msb(static_cast(poly_length)); + if (log_poly_length >= CONST_ECCVM_LOG_N) { + throw_or_abort("IPA log_poly_length is too large"); + } auto pippenger_size = 2 * CONST_ECCVM_LOG_N; std::vector round_challenges(CONST_ECCVM_LOG_N); std::vector round_challenges_inv(CONST_ECCVM_LOG_N); @@ -463,6 +472,7 @@ template class IPA { // Step 3. // Receive all L_i and R_i and prepare for MSM for (size_t i = 0; i < CONST_ECCVM_LOG_N; i++) { + // TODO(https://github.com/AztecProtocol/barretenberg/issues/1114): insecure dummy_round derivation! stdlib::bool_t dummy_round = stdlib::witness_t(builder, i >= log_poly_length); std::string index = std::to_string(CONST_ECCVM_LOG_N - i - 1); @@ -489,7 +499,7 @@ template class IPA { Fr monomial = Fr::conditional_assign(dummy_round, Fr(0), round_challenges_inv[CONST_ECCVM_LOG_N - 1 - i] * challenge); b_zero *= Fr(1) + monomial; - if (i != CONST_ECCVM_LOG_N - 1) // this if is fine because the number of iterations is constant + if (i != CONST_ECCVM_LOG_N - 1) // this if statement is fine because the number of iterations is constant { challenge = Fr::conditional_assign(dummy_round, challenge, challenge * challenge); } @@ -547,7 +557,7 @@ template class IPA { ipa_relation.assert_equal(-opening_claim.commitment); ASSERT(ipa_relation.get_value() == -opening_claim.commitment.get_value()); - // This should return an actual VerifierAccumulator + // TODO(https://github.com/AztecProtocol/barretenberg/issues/1144): Add proper constraints for taking the log of a field_t. Fr stdlib_log_poly_length(static_cast(log_poly_length)); return {stdlib_log_poly_length, round_challenges_inv, G_zero}; } 
@@ -686,7 +696,11 @@ template class IPA { Builder* builder = r.get_context(); Fr challenge_poly_eval = 1; Fr r_pow = r; + if (uint32_t(log_poly_length.get_value()) >= CONST_ECCVM_LOG_N) { + throw_or_abort("IPA log_poly_length is too large"); + } for (size_t i = 0; i < CONST_ECCVM_LOG_N; i++) { + // TODO(https://github.com/AztecProtocol/barretenberg/issues/1114): insecure dummy_round derivation! stdlib::bool_t dummy_round = stdlib::witness_t(builder, i < CONST_ECCVM_LOG_N - uint32_t(log_poly_length.get_value())); Fr monomial = Fr::conditional_assign(dummy_round, Fr(0), u_challenges_inv[CONST_ECCVM_LOG_N - 1 - i] * r_pow); diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp index 33bfade2b35..ff178e0267a 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp @@ -527,6 +527,7 @@ template class ZeroMorphVerifier_ { if constexpr (Curve::is_stdlib_type) { auto builder = x_challenge.get_context(); FF zero = FF(0); + // TODO(https://github.com/AztecProtocol/barretenberg/issues/1114): insecure dummy_round derivation! stdlib::bool_t dummy_round = stdlib::witness_t(builder, is_dummy_round); // TODO(https://github.com/AztecProtocol/barretenberg/issues/1039): is it kosher to reassign like this? scalar = FF::conditional_assign(dummy_round, zero, scalar); @@ -589,6 +590,8 @@ template class ZeroMorphVerifier_ { const FF circuit_size, const std::vector>& concatenation_groups_commitments = {}) { + // TODO(https://github.com/AztecProtocol/barretenberg/issues/1144): Add proper constraints for taking the log of + // a field_t. size_t N{ 0 }; size_t log_N{ 0 }; if constexpr (Curve::is_stdlib_type) { 
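Review bot: The guard added in the `-686` hunk, `if (uint32_t(log_poly_length.get_value()) >= CONST_ECCVM_LOG_N)`, checks the native value while the circuit is being built, so it appears to add no constraint on `log_poly_length` inside the circuit. A reader could take it for a range check, so a comment next to it would help, e.g. `// Native sanity check only; log_poly_length is not range-constrained in-circuit (see issue 1114).` The `dummy_round` expression `i < CONST_ECCVM_LOG_N - uint32_t(log_poly_length.get_value())` also depends on this guard to avoid unsigned wrap-around, which is worth stating in the same comment. The enclosing function starts and ends outside the hunk.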
diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp index abe5443bea4..941579fa969 100644 --- a/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp +++ b/barretenberg/cpp/src/barretenberg/sumcheck/sumcheck.hpp @@ -719,6 +719,8 @@ template class SumcheckVerifier { // All but final round. // target_total_sum is initialized to zero then mutated in place. + // TODO(https://github.com/AztecProtocol/barretenberg/issues/1144): Add proper constraints for taking the log of + // a field_t link multivariate_d. if (multivariate_d == 0) { throw_or_abort("Number of variables in multivariate is 0."); } @@ -748,7 +750,7 @@ template class SumcheckVerifier { if constexpr (IsRecursiveFlavor) { typename Flavor::CircuitBuilder* builder = round_challenge.get_context(); - // TODO(https://github.com/AztecProtocol/barretenberg/issues/1114): insecure! + // TODO(https://github.com/AztecProtocol/barretenberg/issues/1114): insecure dummy_round derivation! stdlib::bool_t dummy_round = stdlib::witness_t(builder, round_idx >= multivariate_d); bool checked = round.check_sum(round_univariate, dummy_round); // Only utilize the checked value if this is not a constant proof size padding round From 73320096c4ce28e7b8e910d02e5c28f8982fa24d Mon Sep 17 00:00:00 2001 From: lucasxia01 Date: Wed, 6 Nov 2024 21:41:18 +0000 Subject: [PATCH 12/12] fix abort --- .../cpp/src/barretenberg/commitment_schemes/ipa/ipa.hpp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.hpp index ac46835eab9..1ebcb1aff1d 100644 --- a/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.hpp +++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.hpp 
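Review bot: The TODO added above the `multivariate_d == 0` check in the `-719` hunk reads `a field_t link multivariate_d`, which looks like a typo for `like`. I would write it as `// TODO(https://github.com/AztecProtocol/barretenberg/issues/1144): Add proper constraints for taking the log of a field_t like multivariate_d.` It would also help to say in one more sentence what is currently unconstrained, since the comment sits directly above a native-only check.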
@@ -199,7 +199,7 @@ template class IPA { // Iterate for log(poly_degree) rounds to compute the round commitments. auto log_poly_length = static_cast(numeric::get_msb(poly_length)); - if (log_poly_length >= CONST_ECCVM_LOG_N) { + if (log_poly_length > CONST_ECCVM_LOG_N) { throw_or_abort("IPA log_poly_length is too large"); } @@ -335,7 +335,7 @@ template class IPA { Commitment aux_generator = Commitment::one() * generator_challenge; auto log_poly_length = static_cast(numeric::get_msb(poly_length)); - if (log_poly_length >= CONST_ECCVM_LOG_N) { + if (log_poly_length > CONST_ECCVM_LOG_N) { throw_or_abort("IPA log_poly_length is too large"); } // Step 3. @@ -459,7 +459,7 @@ template class IPA { typename Curve::Builder* builder = generator_challenge.get_context(); const auto log_poly_length = numeric::get_msb(static_cast(poly_length)); - if (log_poly_length >= CONST_ECCVM_LOG_N) { + if (log_poly_length > CONST_ECCVM_LOG_N) { throw_or_abort("IPA log_poly_length is too large"); } auto pippenger_size = 2 * CONST_ECCVM_LOG_N; @@ -696,7 +696,7 @@ template class IPA { Builder* builder = r.get_context(); Fr challenge_poly_eval = 1; Fr r_pow = r; - if (uint32_t(log_poly_length.get_value()) >= CONST_ECCVM_LOG_N) { + if (uint32_t(log_poly_length.get_value()) > CONST_ECCVM_LOG_N) { throw_or_abort("IPA log_poly_length is too large"); } for (size_t i = 0; i < CONST_ECCVM_LOG_N; i++) {
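Review bot: With the bound relaxed to `log_poly_length > CONST_ECCVM_LOG_N`, the check in the `-199` hunk (and the identical ones at `-335` and `-459`) accepts every `poly_length` from `2^16` up to `2^17 - 1`, because `numeric::get_msb` rounds down. Unless `poly_length` is already required to be a power of two earlier in these functions (outside the hunks), a polynomial longer than `1 << CONST_ECCVM_LOG_N` would pass the guard while the recursive verifier sizes `round_challenges` to exactly `CONST_ECCVM_LOG_N` entries. Checking the length itself, `if (poly_length > (size_t{ 1 } << CONST_ECCVM_LOG_N)) { throw_or_abort("IPA poly_length is too large"); }`, avoids relying on that assumption.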