Barretenberg: src/barretenberg/boomerang_value_detection/graph_description_merge_recursive_verifier.test.cpp Source File

#include "barretenberg/boomerang_value_detection/graph.hpp"

#include "barretenberg/common/test.hpp"

#include "barretenberg/goblin/merge_prover.hpp"

#include "barretenberg/goblin/merge_verifier.hpp"

#include "barretenberg/goblin/mock_circuits.hpp"

#include "barretenberg/stdlib/primitives/curves/bn254.hpp"


using namespace cdg;


namespace bb::stdlib::recursion::goblin {


template <class RecursiveBuilder> class BoomerangRecursiveMergeVerifierTest : public testing::Test {


    // Types for recursive verifier circuit

    using RecursiveMergeVerifier = MergeRecursiveVerifier<RecursiveBuilder>;

    using RecursiveTableCommitments = MergeRecursiveVerifier<RecursiveBuilder>::TableCommitments;

    using RecursiveMergeCommitments = MergeRecursiveVerifier<RecursiveBuilder>::InputCommitments;


    // Define types relevant for inner circuit

    using InnerFlavor = MegaFlavor;

    using InnerProverInstance = ProverInstance_<InnerFlavor>;

    using InnerBuilder = typename InnerFlavor::CircuitBuilder;


    // Define additional types for testing purposes

    using Commitment = InnerFlavor::Commitment;

    using FF = InnerFlavor::FF;

    using VerifierCommitmentKey = bb::VerifierCommitmentKey<curve::BN254>;

    using MergeProof = MergeProver::MergeProof;

    using TableCommitments = MergeVerifier::TableCommitments;

    using MergeCommitments = MergeVerifier::InputCommitments;


  public:

    static void SetUpTestSuite() { bb::srs::init_file_crs_factory(bb::srs::bb_crs_path()); }


    static void analyze_circuit(RecursiveBuilder& outer_circuit)

    {

        // AUDITTODO: The 8 under-constrained variables are the _is_infinity boolean flags from the 8

        // commitments created via goblin_element::from_witness (4 t_commitments + 4 T_prev_commitments).

        // Each boolean is only constrained by a single bool gate (x * (x - 1) = 0) and is not

        // connected to the point coordinates. This may be a security issue if the infinity flag is not

        // properly bound to the coordinates via Fiat-Shamir - a malicious prover could potentially

        // set the flag independently of the actual point value.

        constexpr size_t EXPECTED_UNCONSTRAINED_INFINITY_FLAGS = 4;


        if constexpr (IsMegaBuilder<RecursiveBuilder>) {

            MegaStaticAnalyzer tool = MegaStaticAnalyzer(outer_circuit);

            auto result = tool.analyze_circuit();

            EXPECT_EQ(result.first.size(), 1);

            EXPECT_EQ(result.second.size(), EXPECTED_UNCONSTRAINED_INFINITY_FLAGS);

        }

        if constexpr (IsUltraBuilder<RecursiveBuilder>) {

            StaticAnalyzer tool = StaticAnalyzer(outer_circuit);

            auto result = tool.analyze_circuit();

            EXPECT_EQ(result.first.size(), 1);

            EXPECT_EQ(result.second.size(), EXPECTED_UNCONSTRAINED_INFINITY_FLAGS);

        }

    }


    static void prove_and_verify_merge(const std::shared_ptr<ECCOpQueue>& op_queue,

                                       const MergeSettings settings = MergeSettings::PREPEND,

                                       const bool run_analyzer = false)


    {

        RecursiveBuilder outer_circuit;


        auto prover_transcript = std::make_shared<NativeTranscript>();

        MergeProver merge_prover{ op_queue, prover_transcript, settings };

        auto merge_proof = merge_prover.construct_proof();


        // Subtable values and commitments - needed for (Recursive)MergeVerifier

        MergeCommitments merge_commitments;

        RecursiveMergeCommitments recursive_merge_commitments;

        auto t_current = op_queue->construct_current_ultra_ops_subtable_columns();

        auto T_prev = op_queue->construct_previous_ultra_ops_table_columns();

        for (size_t idx = 0; idx < InnerFlavor::NUM_WIRES; idx++) {

            merge_commitments.t_commitments[idx] = merge_prover.pcs_commitment_key.commit(t_current[idx]);

            merge_commitments.T_prev_commitments[idx] = merge_prover.pcs_commitment_key.commit(T_prev[idx]);

            recursive_merge_commitments.t_commitments[idx] =

                RecursiveMergeVerifier::Commitment::from_witness(&outer_circuit, merge_commitments.t_commitments[idx]);

            recursive_merge_commitments.T_prev_commitments[idx] = RecursiveMergeVerifier::Commitment::from_witness(

                &outer_circuit, merge_commitments.T_prev_commitments[idx]);

            // Removing the free witness tag, since the merge commitments in the full scheme are supposed to

            // be fiat-shamirred earlier

            recursive_merge_commitments.t_commitments[idx].unset_free_witness_tag();

            recursive_merge_commitments.T_prev_commitments[idx].unset_free_witness_tag();

        }


        // Create a recursive merge verification circuit for the merge proof

        auto merge_transcript = std::make_shared<StdlibTranscript<RecursiveBuilder>>();

        RecursiveMergeVerifier verifier{ settings, merge_transcript };

        const stdlib::Proof<RecursiveBuilder> stdlib_merge_proof(outer_circuit, merge_proof);

        [[maybe_unused]] auto [pairing_points, merged_commitments, reduction_succeeded] =

            verifier.reduce_to_pairing_check(stdlib_merge_proof, recursive_merge_commitments);


        // Check for a failure flag in the recursive verifier circuit

        EXPECT_FALSE(outer_circuit.failed());

        if (run_analyzer) {

            analyze_circuit(outer_circuit);

        }

    }


    static void test_recursive_merge_verification_prepend()

    {

        auto op_queue = std::make_shared<ECCOpQueue>();


        InnerBuilder circuit{ op_queue };

        GoblinMockCircuits::construct_simple_circuit(circuit);

        prove_and_verify_merge(op_queue);


        InnerBuilder circuit2{ op_queue };

        GoblinMockCircuits::construct_simple_circuit(circuit2);

        prove_and_verify_merge(op_queue);


        InnerBuilder circuit3{ op_queue };

        GoblinMockCircuits::construct_simple_circuit(circuit3);

        prove_and_verify_merge(op_queue, MergeSettings::PREPEND, true);

    }


    static void test_recursive_merge_verification_append()

    {

        auto op_queue = std::make_shared<ECCOpQueue>();


        InnerBuilder circuit{ op_queue };

        GoblinMockCircuits::construct_simple_circuit(circuit);

        prove_and_verify_merge(op_queue);


        InnerBuilder circuit2{ op_queue };

        GoblinMockCircuits::construct_simple_circuit(circuit2);

        prove_and_verify_merge(op_queue);


        InnerBuilder circuit3{ op_queue };

        GoblinMockCircuits::construct_simple_circuit(circuit3);

        prove_and_verify_merge(op_queue, MergeSettings::APPEND, true);

    }


};


using Builder = testing::Types<MegaCircuitBuilder>;


TYPED_TEST_SUITE(BoomerangRecursiveMergeVerifierTest, Builder);


TYPED_TEST(BoomerangRecursiveMergeVerifierTest, RecursiveVerificationPrepend)

{

    TestFixture::test_recursive_merge_verification_prepend();

};


TYPED_TEST(BoomerangRecursiveMergeVerifierTest, RecursiveVerificationAppend)

{

    TestFixture::test_recursive_merge_verification_append();

};


} // namespace bb::stdlib::recursion::goblin


bb::GoblinMockCircuits::construct_simple_circuit
static void construct_simple_circuit(MegaBuilder &builder)
Generate a simple test circuit with some ECC op gates and conventional arithmetic gates.
Definition mock_circuits.hpp:140

bb::MegaFlavor
Definition mega_flavor.hpp:34

bb::MegaFlavor::FF
Curve::ScalarField FF
Definition mega_flavor.hpp:38

bb::MegaFlavor::NUM_WIRES
static constexpr size_t NUM_WIRES
Definition mega_flavor.hpp:60

bb::MegaFlavor::CircuitBuilder
MegaCircuitBuilder CircuitBuilder
Definition mega_flavor.hpp:36

bb::MegaFlavor::Commitment
Curve::AffineElement Commitment
Definition mega_flavor.hpp:40

bb::MergeProver
Prover class for the Goblin ECC op queue transcript merge protocol.
Definition merge_prover.hpp:22

bb::MergeProver::MergeProof
std::vector< FF > MergeProof
Definition merge_prover.hpp:34

bb::MergeProver::construct_proof
BB_PROFILE MergeProof construct_proof()
Prove proper construction of the aggregate Goblin ECC op queue polynomials T_j.
Definition merge_prover.cpp:156

bb::MergeVerifier_
Unified verifier class for the Goblin ECC op queue transcript merge protocol.
Definition merge_verifier.hpp:23

bb::MergeVerifier_::TableCommitments
std::array< Commitment, NUM_WIRES > TableCommitments
Definition merge_verifier.hpp:42

bb::ProverInstance_
A ProverInstance is normally constructed from a finalized circuit and it contains all the information...
Definition prover_instance.hpp:32

bb::VerifierCommitmentKey< curve::BN254 >
Specialization for bn254.
Definition verification_key.hpp:36

bb::VerifierCommitmentKey
Representation of the Grumpkin Verifier Commitment Key inside a bn254 circuit.
Definition verifier_commitment_key.hpp:16

bb::stdlib::Proof
A simple wrapper around a vector of stdlib field elements representing a proof.
Definition proof.hpp:19

bb::stdlib::recursion::goblin::BoomerangRecursiveMergeVerifierTest
Test suite for recursive verification of Goblin Merge proofs.
Definition graph_description_merge_recursive_verifier.test.cpp:19

bb::stdlib::recursion::goblin::BoomerangRecursiveMergeVerifierTest::prove_and_verify_merge
static void prove_and_verify_merge(const std::shared_ptr< ECCOpQueue > &op_queue, const MergeSettings settings=MergeSettings::PREPEND, const bool run_analyzer=false)
Definition graph_description_merge_recursive_verifier.test.cpp:66

bb::stdlib::recursion::goblin::BoomerangRecursiveMergeVerifierTest::InnerBuilder
typename InnerFlavor::CircuitBuilder InnerBuilder
Definition graph_description_merge_recursive_verifier.test.cpp:29

bb::stdlib::recursion::goblin::BoomerangRecursiveMergeVerifierTest::test_recursive_merge_verification_append
static void test_recursive_merge_verification_append()
Definition graph_description_merge_recursive_verifier.test.cpp:126

bb::stdlib::recursion::goblin::BoomerangRecursiveMergeVerifierTest::test_recursive_merge_verification_prepend
static void test_recursive_merge_verification_prepend()
Definition graph_description_merge_recursive_verifier.test.cpp:109

bb::stdlib::recursion::goblin::BoomerangRecursiveMergeVerifierTest::RecursiveTableCommitments
MergeRecursiveVerifier< RecursiveBuilder >::TableCommitments RecursiveTableCommitments
Definition graph_description_merge_recursive_verifier.test.cpp:23

bb::stdlib::recursion::goblin::BoomerangRecursiveMergeVerifierTest::analyze_circuit
static void analyze_circuit(RecursiveBuilder &outer_circuit)
Definition graph_description_merge_recursive_verifier.test.cpp:42

bb::stdlib::recursion::goblin::BoomerangRecursiveMergeVerifierTest::SetUpTestSuite
static void SetUpTestSuite()
Definition graph_description_merge_recursive_verifier.test.cpp:40

bb::stdlib::recursion::goblin::BoomerangRecursiveMergeVerifierTest::TableCommitments
MergeVerifier::TableCommitments TableCommitments
Definition graph_description_merge_recursive_verifier.test.cpp:36

bb::stdlib::recursion::goblin::BoomerangRecursiveMergeVerifierTest::Commitment
InnerFlavor::Commitment Commitment
Definition graph_description_merge_recursive_verifier.test.cpp:32

bb::stdlib::recursion::goblin::BoomerangRecursiveMergeVerifierTest::MergeProof
MergeProver::MergeProof MergeProof
Definition graph_description_merge_recursive_verifier.test.cpp:35

cdg::StaticAnalyzer_
Definition graph.hpp:80

cdg::StaticAnalyzer_::analyze_circuit
std::pair< std::vector< ConnectedComponent >, std::unordered_set< uint32_t > > analyze_circuit(bool filter_cc=true)
this functions was made for more convenient testing process
Definition graph.cpp:1402

IsMegaBuilder
Definition circuit_builders.hpp:15

IsUltraBuilder
Definition circuit_builders.hpp:13

mock_circuits.hpp

graph.hpp

merge_prover.hpp

merge_verifier.hpp

bb::srs::bb_crs_path
std::filesystem::path bb_crs_path()
Definition global_crs.cpp:14

bb::srs::init_file_crs_factory
void init_file_crs_factory(const std::filesystem::path &path)
Definition global_crs.hpp:14

bb::stdlib::recursion::goblin
Definition graph_description_merge_recursive_verifier.test.cpp:10

bb::stdlib::recursion::goblin::TYPED_TEST_SUITE
TYPED_TEST_SUITE(BoomerangRecursiveMergeVerifierTest, Builder)

bb::stdlib::recursion::goblin::TYPED_TEST
TYPED_TEST(BoomerangRecursiveMergeVerifierTest, RecursiveVerificationPrepend)
Definition graph_description_merge_recursive_verifier.test.cpp:148

bb::stdlib::recursion::goblin::Builder
testing::Types< MegaCircuitBuilder > Builder
Definition graph_description_merge_recursive_verifier.test.cpp:144

bb::MergeSettings
MergeSettings
The MergeSettings define whether an current subtable will be added at the beginning (PREPEND) or at t...
Definition ecc_ops_table.hpp:21

bb::PREPEND
@ PREPEND
Definition ecc_ops_table.hpp:21

bb::APPEND
@ APPEND
Definition ecc_ops_table.hpp:21

cdg
Definition graph.cpp:21

cdg::MegaStaticAnalyzer
StaticAnalyzer_< bb::fr, bb::MegaCircuitBuilder > MegaStaticAnalyzer
Definition graph.hpp:189

cdg::StaticAnalyzer
UltraStaticAnalyzer StaticAnalyzer
Definition graph.hpp:190

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

bn254.hpp

bb::MergeVerifier_::InputCommitments
Definition merge_verifier.hpp:50

bb::MergeVerifier_::InputCommitments::T_prev_commitments
TableCommitments T_prev_commitments
Definition merge_verifier.hpp:52

bb::MergeVerifier_::InputCommitments::t_commitments
TableCommitments t_commitments
Definition merge_verifier.hpp:51

bb::field< Bn254FrParams >

test.hpp