Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
hypernova_verifier.test.cpp
Go to the documentation of this file.
1#include "barretenberg/hypernova/hypernova_verifier.hpp"
2#include "barretenberg/circuit_checker/circuit_checker.hpp"
3#include "barretenberg/hypernova/hypernova_prover.hpp"
4#include "barretenberg/stdlib_circuit_builders/mega_circuit_builder.hpp"
5#include "barretenberg/stdlib_circuit_builders/mock_circuits.hpp"
6#include "gtest/gtest.h"
7
8using namespace bb;
9
10// TODO(https://github.com/AztecProtocol/barretenberg/issues/1553): improve testing
11class HypernovaFoldingVerifierTests : public ::testing::Test {
12 protected:
13 static void SetUpTestSuite() { bb::srs::init_file_crs_factory(bb::srs::bb_crs_path()); }
14
15 public:
16 // Recursive verifier
17 using RecursiveHypernovaVerifier = HypernovaFoldingVerifier<bb::MegaRecursiveFlavor_<bb::MegaCircuitBuilder>>;
18 using RecursiveFlavor = RecursiveHypernovaVerifier::Flavor;
19 using RecursiveVerifierInstance = RecursiveHypernovaVerifier::VerifierInstance;
20 using Builder = RecursiveFlavor::CircuitBuilder;
21 using RecursiveTranscript = RecursiveHypernovaVerifier::Transcript;
22 using RecursiveProof = RecursiveHypernovaVerifier::Proof;
23
24 // Native verifier
25 using NativeHypernovaVerifier = HypernovaFoldingVerifier<bb::MegaFlavor>;
26 using NativeFlavor = NativeHypernovaVerifier::Flavor;
27 using NativeFF = NativeFlavor::FF;
28 using NativeVerifierAccumulator = NativeHypernovaVerifier::Accumulator;
29 using NativeVerificationKey = NativeFlavor::VerificationKey;
30 using NativeVerifierInstance = NativeHypernovaVerifier::VerifierInstance;
31 using NativeTranscript = NativeHypernovaVerifier::Transcript;
32
33 // Prover
34 using HypernovaFoldingProver = bb::HypernovaFoldingProver;
35 using NativeProverAccumulator = HypernovaFoldingProver::Accumulator;
36 using ProverInstance = HypernovaFoldingProver::ProverInstance;
37
38 enum class TamperingMode : uint8_t {
39 None,
40 Instance,
41 };
42
55
56 static bool compare_prover_verifier_accumulators(const NativeProverAccumulator& lhs,
57 const NativeVerifierAccumulator& rhs)
58 {
59 for (size_t idx = 0; auto [challenge_lhs, challenge_rhs] : zip_view(lhs.challenge, rhs.challenge)) {
60 if (challenge_lhs != challenge_rhs) {
61 info("Mismatch in the challenges at index ", idx);
62 return false;
63 }
64 }
65 if (lhs.non_shifted_commitment != rhs.non_shifted_commitment) {
66 info("Mismatch in the unshifted commitments");
67 return false;
68 }
69 if (lhs.shifted_commitment != rhs.shifted_commitment) {
70 info("Mismatch in the shifted commitments");
71 return false;
72 }
73 if (lhs.non_shifted_evaluation != rhs.non_shifted_evaluation) {
74 info("Mismatch in the unshifted evaluations");
75 return false;
76 }
77 if (lhs.shifted_evaluation != rhs.shifted_evaluation) {
78 info("Mismatch in the shifted evaluations");
79 return false;
80 }
81 return true;
82 }
83
88 static std::shared_ptr<RecursiveVerifierInstance> create_recursive_verifier_instance(
89 Builder* builder, const std::shared_ptr<NativeVerifierInstance>& native_instance)
90 {
91 using FF = RecursiveFlavor::FF;
92 using Commitment = RecursiveFlavor::Commitment;
93 using VerificationKey = RecursiveFlavor::VerificationKey;
94 using VKAndHash = RecursiveFlavor::VKAndHash;
95
96 // Create recursive VK from native VK
97 auto recursive_vk =
98 std::make_shared<VKAndHash>(std::make_shared<VerificationKey>(builder, native_instance->get_vk()),
99 FF::from_witness(builder, native_instance->get_vk()->hash()));
100
101 // Create recursive instance with the recursive VK
102 auto recursive_instance = std::make_shared<RecursiveVerifierInstance>(recursive_vk);
103
104 // Convert alpha
105 recursive_instance->alpha = FF::from_witness(builder, native_instance->alpha);
106
107 // Convert witness commitments
108 auto native_comms = native_instance->witness_commitments.get_all();
109 for (auto [native_comm, recursive_comm] :
110 zip_view(native_comms, recursive_instance->witness_commitments.get_all())) {
111 recursive_comm = Commitment::from_witness(builder, native_comm);
112 }
113
114 // Convert gate challenges
115 recursive_instance->gate_challenges = std::vector<FF>(native_instance->gate_challenges.size());
116 for (auto [native_challenge, recursive_challenge] :
117 zip_view(native_instance->gate_challenges, recursive_instance->gate_challenges)) {
118 recursive_challenge = FF::from_witness(builder, native_challenge);
119 }
120
121 // Convert relation parameters
122 recursive_instance->relation_parameters.eta =
123 FF::from_witness(builder, native_instance->relation_parameters.eta);
124 recursive_instance->relation_parameters.eta_two =
125 FF::from_witness(builder, native_instance->relation_parameters.eta_two);
126 recursive_instance->relation_parameters.eta_three =
127 FF::from_witness(builder, native_instance->relation_parameters.eta_three);
128 recursive_instance->relation_parameters.beta =
129 FF::from_witness(builder, native_instance->relation_parameters.beta);
130 recursive_instance->relation_parameters.gamma =
131 FF::from_witness(builder, native_instance->relation_parameters.gamma);
132 recursive_instance->relation_parameters.public_input_delta =
133 FF::from_witness(builder, native_instance->relation_parameters.public_input_delta);
134
135 // For ZK flavors: convert gemini_masking_commitment
136 if constexpr (NativeFlavor::HasZK) {
137 recursive_instance->gemini_masking_commitment =
138 Commitment::from_witness(builder, native_instance->gemini_masking_commitment);
139 }
140
141 return recursive_instance;
142 }
143
144 static void tampering(std::shared_ptr<ProverInstance>& instance, const TamperingMode& mode)
145 {
146 switch (mode) {
147 case TamperingMode::None:
148 break;
149 case TamperingMode::Instance: {
150 // Tamper with w_l at the first row where q_arith is non-zero (an active arithmetic gate).
151 auto& q_arith = instance->polynomials.q_arith;
152 for (size_t i = ProverInstance::TRACE_OFFSET; i < q_arith.end_index(); i++) {
153 if (!q_arith[i].is_zero()) {
154 instance->polynomials.w_l.at(i) = NativeFF::random_element();
155 break;
156 }
157 }
158 } break;
159 }
160 };
161
172 static TranscriptManifest build_expected_folding_manifest()
173 {
174 TranscriptManifest manifest;
175 constexpr size_t frs_per_G = FrCodec::calc_num_fields<curve::BN254::AffineElement>();
176 constexpr size_t NUM_SUMCHECK_UNIVARIATES = NativeFlavor::VIRTUAL_LOG_N; // 21
177
178 size_t round = 0;
179
180 // Round 0: Oink preamble + wires + ECC ops + databus -> eta challenge
181 manifest.add_challenge(round, "eta");
182 manifest.add_entry(round, "vk_hash", 1);
183 for (size_t i = 0; i < 4; ++i) {
184 manifest.add_entry(round, "public_input_" + std::to_string(i), 1);
185 }
186 for (const auto& wire : { "W_L", "W_R", "W_O" }) {
187 manifest.add_entry(round, wire, frs_per_G);
188 }
189 for (const auto& wire : { "ECC_OP_WIRE_1", "ECC_OP_WIRE_2", "ECC_OP_WIRE_3", "ECC_OP_WIRE_4" }) {
190 manifest.add_entry(round, wire, frs_per_G);
191 }
192 for (const auto& bus :
193 { "KERNEL_CALLDATA", "FIRST_APP_CALLDATA", "SECOND_APP_CALLDATA", "THIRD_APP_CALLDATA", "RETURN_DATA" }) {
194 manifest.add_entry(round, bus, frs_per_G);
195 manifest.add_entry(round, std::string(bus) + "_READ_COUNTS", frs_per_G);
196 }
197 round++;
198
199 // Round 1: lookup + w_4 -> beta, gamma challenges
200 manifest.add_challenge(round, std::array{ "beta", "gamma" });
201 manifest.add_entry(round, "LOOKUP_READ_COUNTS", frs_per_G);
202 manifest.add_entry(round, "LOOKUP_READ_TAGS", frs_per_G);
203 manifest.add_entry(round, "W_4", frs_per_G);
204 round++;
205
206 // Round 2: inverses + z_perm -> alpha + gate_challenge (consecutive challenges in same round)
207 manifest.add_challenge(round, "alpha");
208 manifest.add_challenge(round, "HypernovaFoldingProver:gate_challenge");
209 manifest.add_entry(round, "LOOKUP_INVERSES", frs_per_G);
210 manifest.add_entry(round, "KERNEL_CALLDATA_INVERSES", frs_per_G);
211 manifest.add_entry(round, "FIRST_APP_CALLDATA_INVERSES", frs_per_G);
212 manifest.add_entry(round, "SECOND_APP_CALLDATA_INVERSES", frs_per_G);
213 manifest.add_entry(round, "THIRD_APP_CALLDATA_INVERSES", frs_per_G);
214 manifest.add_entry(round, "RETURN_DATA_INVERSES", frs_per_G);
215 manifest.add_entry(round, "Z_PERM", frs_per_G);
216 round++;
217
218 // Rounds 3-23: main sumcheck univariates (21 rounds)
219 for (size_t i = 0; i < NUM_SUMCHECK_UNIVARIATES; ++i) {
220 manifest.add_challenge(round, "Sumcheck:u_" + std::to_string(i));
221 manifest.add_entry(round, "Sumcheck:univariate_" + std::to_string(i), 8);
222 round++;
223 }
224
225 // Round 24: unshifted batching challenges + shifted batching challenges + evaluations
226 for (size_t i = 0; i < MegaFlavor::NUM_UNSHIFTED_ENTITIES - 1; ++i) {
227 manifest.add_challenge(round, "unshifted_challenge_" + std::to_string(i));
228 }
229 for (size_t i = 0; i < MegaFlavor::NUM_SHIFTED_ENTITIES - 1; ++i) {
230 manifest.add_challenge(round, "shifted_challenge_" + std::to_string(i));
231 }
232 manifest.add_entry(round, "Sumcheck:evaluations", MegaFlavor::NUM_ALL_ENTITIES);
233 round++;
234
235 // Round 25: Sumcheck:alpha + MLB accumulator data (Sumcheck:alpha is consecutive challenge)
236 manifest.add_challenge(round, "Sumcheck:alpha");
237 manifest.add_entry(round, "non_shifted_accumulator_commitment", frs_per_G);
238 manifest.add_entry(round, "shifted_accumulator_commitment", frs_per_G);
239 for (size_t i = 0; i < NUM_SUMCHECK_UNIVARIATES; ++i) {
240 manifest.add_entry(round, "accumulator_challenge_" + std::to_string(i), 1);
241 }
242 manifest.add_entry(round, "accumulator_evaluation_0", 1);
243 manifest.add_entry(round, "accumulator_evaluation_1", 1);
244 round++;
245
246 // Rounds 26-46: MLB sumcheck univariates (21 rounds)
247 for (size_t i = 0; i < NUM_SUMCHECK_UNIVARIATES; ++i) {
248 manifest.add_challenge(round, "Sumcheck:u_" + std::to_string(i));
249 manifest.add_entry(round, "Sumcheck:univariate_" + std::to_string(i), 4);
250 round++;
251 }
252
253 // Round 47: final evaluations + claim_batching_challenge
254 manifest.add_challenge(round, "claim_batching_challenge");
255 manifest.add_entry(round, "Sumcheck:evaluations", 6);
256
257 return manifest;
258 }
259
260 static void test_folding(const TamperingMode& mode)
261 {
262 // Generate accumulator
263 auto instance = generate_new_instance();
264 auto transcript = std::make_shared<NativeTranscript>();
265
266 bb::HypernovaFoldingProver prover(transcript);
267 auto accumulator = prover.instance_to_accumulator(instance);
268
269 // Folding
270 auto incoming_instance = generate_new_instance(5);
271 tampering(incoming_instance, mode);
272 auto incoming_vk = std::make_shared<NativeVerificationKey>(incoming_instance->get_precomputed());
273 auto incoming_verifier_instance =
274 std::make_shared<NativeVerifierInstance>(std::make_shared<NativeFlavor::VKAndHash>(incoming_vk));
275
276 auto folding_transcript = std::make_shared<NativeTranscript>();
277 HypernovaFoldingProver folding_prover(folding_transcript);
278 auto [folding_proof, folded_accumulator] = folding_prover.fold(std::move(accumulator), incoming_instance);
279
280 // Natively verify the folding (with manifest tracking)
281 auto native_verifier_transcript = std::make_shared<NativeTranscript>();
282 native_verifier_transcript->enable_manifest();
283 NativeHypernovaVerifier native_verifier(native_verifier_transcript);
284 auto [first_sumcheck_native, second_sumcheck_native, folded_verifier_accumulator_native] =
285 native_verifier.verify_folding_proof(incoming_verifier_instance, folding_proof);
286
287 // Recursively verify the folding
288 Builder builder;
289
290 auto stdlib_incoming_instance = create_recursive_verifier_instance(&builder, incoming_verifier_instance);
291 auto recursive_verifier_transcript = std::make_shared<RecursiveTranscript>();
292 RecursiveHypernovaVerifier recursive_verifier(recursive_verifier_transcript);
293 RecursiveProof proof(builder, folding_proof);
294 auto [first_sumcheck_recursive, second_sumcheck_recursive, folded_verifier_accumulator] =
295 recursive_verifier.verify_folding_proof(stdlib_incoming_instance, proof);
296
297 // If the instance has been tampered with, then the first sumcheck should fail (hence the circuit is not
298 // satisfied), but the second should pass
299 EXPECT_EQ(bb::CircuitChecker::check(builder), mode == TamperingMode::None);
300 EXPECT_EQ(first_sumcheck_recursive, mode == TamperingMode::None);
301 EXPECT_EQ(first_sumcheck_recursive, first_sumcheck_native);
302 EXPECT_TRUE(second_sumcheck_recursive);
303 EXPECT_EQ(second_sumcheck_recursive, second_sumcheck_native);
304 EXPECT_TRUE(compare_prover_verifier_accumulators(
305 folded_accumulator, folded_verifier_accumulator.get_value<NativeVerifierAccumulator>()));
306
307 // Pin the folding transcript manifest (only check when not tampering)
308 if (mode == TamperingMode::None) {
309 auto expected_manifest = build_expected_folding_manifest();
310 auto verifier_manifest = native_verifier_transcript->get_manifest();
311 EXPECT_EQ(verifier_manifest, expected_manifest);
312 }
313 }
314};
315
316TEST_F(HypernovaFoldingVerifierTests, Fold)
317{
318 test_folding(TamperingMode::None);
319}
320
321TEST_F(HypernovaFoldingVerifierTests, TamperInstance)
322{
323 BB_DISABLE_ASSERTS();
324 test_folding(TamperingMode::Instance);
325}
BB_DISABLE_ASSERTS
#define BB_DISABLE_ASSERTS()
Definition assert.hpp:33
instance
std::shared_ptr< Napi::ThreadSafeFunction > instance
Definition avm_simulate_napi.cpp:128
circuit_checker.hpp
HypernovaFoldingVerifierTests::NativeVerificationKey
NativeFlavor::VerificationKey NativeVerificationKey
Definition hypernova_verifier.test.cpp:29
HypernovaFoldingVerifierTests::tampering
static void tampering(std::shared_ptr< ProverInstance > &instance, const TamperingMode &mode)
Definition hypernova_verifier.test.cpp:144
HypernovaFoldingVerifierTests::generate_new_instance
static std::shared_ptr< ProverInstance > generate_new_instance(size_t log_num_gates=4)
Definition hypernova_verifier.test.cpp:43
HypernovaFoldingVerifierTests::create_recursive_verifier_instance
static std::shared_ptr< RecursiveVerifierInstance > create_recursive_verifier_instance(Builder *builder, const std::shared_ptr< NativeVerifierInstance > &native_instance)
Test helper to create a recursive verifier instance from a native one.
Definition hypernova_verifier.test.cpp:88
HypernovaFoldingVerifierTests::RecursiveFlavor
RecursiveHypernovaVerifier::Flavor RecursiveFlavor
Definition hypernova_verifier.test.cpp:18
HypernovaFoldingVerifierTests::build_expected_folding_manifest
static TranscriptManifest build_expected_folding_manifest()
Build the expected transcript manifest for HyperNova folding.
Definition hypernova_verifier.test.cpp:172
HypernovaFoldingVerifierTests::test_folding
static void test_folding(const TamperingMode &mode)
Definition hypernova_verifier.test.cpp:260
HypernovaFoldingVerifierTests::NativeFlavor
NativeHypernovaVerifier::Flavor NativeFlavor
Definition hypernova_verifier.test.cpp:26
HypernovaFoldingVerifierTests::Builder
RecursiveFlavor::CircuitBuilder Builder
Definition hypernova_verifier.test.cpp:20
HypernovaFoldingVerifierTests::compare_prover_verifier_accumulators
static bool compare_prover_verifier_accumulators(const NativeProverAccumulator &lhs, const NativeVerifierAccumulator &rhs)
Definition hypernova_verifier.test.cpp:56
HypernovaFoldingVerifierTests::RecursiveProof
RecursiveHypernovaVerifier::Proof RecursiveProof
Definition hypernova_verifier.test.cpp:22
bb::BaseTranscript
Common transcript class for both parties. Stores the data for the current round, as well as the manif...
Definition transcript.hpp:41
bb::HypernovaFoldingProver
HyperNova folding prover. Folds circuit instances into accumulators, deferring PCS verification.
Definition hypernova_prover.hpp:38
bb::HypernovaFoldingProver::Accumulator
MultilinearBatchingProverClaim Accumulator
Definition hypernova_prover.hpp:44
bb::HypernovaFoldingProver::ProverInstance
ProverInstance_< Flavor > ProverInstance
Definition hypernova_prover.hpp:43
bb::HypernovaFoldingProver::instance_to_accumulator
Accumulator instance_to_accumulator(const std::shared_ptr< ProverInstance > &instance, const std::shared_ptr< VerificationKey > &honk_vk=nullptr)
Turn an instance into an accumulator by running Sumcheck.
Definition hypernova_prover.cpp:116
bb::HypernovaFoldingProver::fold
std::pair< HonkProof, Accumulator > fold(Accumulator &&accumulator, const std::shared_ptr< ProverInstance > &instance, const std::shared_ptr< VerificationKey > &honk_vk=nullptr)
Fold an instance into an accumulator.
Definition hypernova_prover.cpp:158
bb::HypernovaFoldingVerifier
HyperNova folding verifier (native + recursive). Verifies folding proofs and maintains accumulators.
Definition hypernova_verifier.hpp:22
bb::HypernovaFoldingVerifier::verify_folding_proof
std::tuple< bool, bool, Accumulator > verify_folding_proof(const std::shared_ptr< typename HypernovaFoldingVerifier::VerifierInstance > &instance, const Proof &proof)
Verify folding proof. Return the new accumulator and the results of the two sumchecks.
Definition hypernova_verifier.cpp:114
bb::HypernovaFoldingVerifier::Proof
std::conditional_t< IsRecursiveFlavor< Flavor >, stdlib::Proof< MegaCircuitBuilder >, HonkProof > Proof
Definition hypernova_verifier.hpp:39
bb::HypernovaFoldingVerifier::VerifierInstance
VerifierInstance_< Flavor > VerifierInstance
Definition hypernova_verifier.hpp:37
bb::HypernovaFoldingVerifier::Accumulator
MultilinearBatchingVerifierClaim< Curve > Accumulator
Definition hypernova_verifier.hpp:30
bb::MegaFlavor::NUM_SHIFTED_ENTITIES
static constexpr size_t NUM_SHIFTED_ENTITIES
Definition mega_flavor.hpp:338
bb::MegaFlavor::NUM_ALL_ENTITIES
static constexpr size_t NUM_ALL_ENTITIES
Definition mega_flavor.hpp:340
bb::MegaFlavor::NUM_UNSHIFTED_ENTITIES
static constexpr size_t NUM_UNSHIFTED_ENTITIES
Definition mega_flavor.hpp:339
bb::MockCircuits::add_arithmetic_gates_with_public_inputs
static void add_arithmetic_gates_with_public_inputs(Builder &builder, const size_t num_gates=4)
Add a specified number of arithmetic gates (with public inputs) to the provided circuit.
Definition mock_circuits.hpp:23
bb::MockCircuits::add_lookup_gates
static void add_lookup_gates(Builder &builder, size_t num_iterations=1)
Add lookup gates using the uint32 XOR lookup table (table size 4096)
Definition mock_circuits.hpp:69
bb::MockCircuits::add_arithmetic_gates
static void add_arithmetic_gates(Builder &builder, const size_t num_gates=4)
Add a specified number of arithmetic gates to the provided circuit.
Definition mock_circuits.hpp:46
bb::NativeVerificationKey_
Base Native verification key class.
Definition flavor.hpp:135
bb::ProverInstance_
Contains all the information required by a Honk prover to create a proof, constructed from a finalize...
Definition prover_instance.hpp:26
bb::ProverInstance_::TRACE_OFFSET
static constexpr size_t TRACE_OFFSET
Definition prover_instance.hpp:32
bb::TranscriptManifest::add_entry
void add_entry(size_t round, const std::string &element_label, size_t element_size)
Definition transcript_manifest.hpp:78
bb::TranscriptManifest::add_challenge
void add_challenge(size_t round, const std::string &label)
Add a single challenge label to the manifest for the given round.
Definition transcript_manifest.hpp:45
bb::TranslatorCircuitChecker::check
static bool check(const Builder &circuit)
Check the witness satisifies the circuit.
Definition translator_circuit_checker.cpp:107
bb::VerifierInstance_
The VerifierInstance encapsulates all the necessary information for a Honk Verifier to verify a proof...
Definition verifier_instance.hpp:18
zip_view
Definition zip_view.hpp:166
info
#define info(...)
Definition log.hpp:93
builder
AluTraceBuilder builder
Definition alu.test.cpp:124
hypernova_prover.hpp
hypernova_verifier.hpp
mega_circuit_builder.hpp
bb::srs::bb_crs_path
std::filesystem::path bb_crs_path()
Definition global_crs.cpp:14
bb::srs::init_file_crs_factory
void init_file_crs_factory(const std::filesystem::path &path)
Definition global_crs.hpp:14
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
bb::TEST_F
TEST_F(IPATest, ChallengesAreZero)
Definition ipa.test.cpp:155
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
std::to_string
std::string to_string(bb::avm2::ValueTag tag)
Definition tagged_value.cpp:402
mock_circuits.hpp
bb::MultilinearBatchingFlavor::ProverClaim
Prover's claim for multilinear batching - contains polynomials and their evaluation claims.
Definition multilinear_batching_flavor.hpp:138
bb::MultilinearBatchingVerifierClaim
Verifier's claim for multilinear batching - contains commitments and evaluation claims.
Definition multilinear_batching_claims.hpp:18