Barretenberg: src/barretenberg/ultra_honk/ultra_verifier.cpp Source File

// === AUDIT STATUS ===

// internal:    { status: Planned, auditors: [], commit: }

// external_1:  { status: not started, auditors: [], commit: }

// external_2:  { status: not started, auditors: [], commit: }

// =====================


#include "./ultra_verifier.hpp"

#include "barretenberg/commitment_schemes/ipa/ipa.hpp"

#include "barretenberg/commitment_schemes/pairing_points.hpp"

#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp"

#include "barretenberg/flavor/mega_avm_recursive_flavor.hpp"

#include "barretenberg/flavor/mega_zk_recursive_flavor.hpp"

#include "barretenberg/flavor/ultra_zk_recursive_flavor.hpp"

#include "barretenberg/honk/proof_length.hpp"

#include "barretenberg/stdlib/primitives/padding_indicator_array/padding_indicator_array.hpp"

#include "barretenberg/sumcheck/sumcheck.hpp"

#include "barretenberg/ultra_honk/oink_verifier.hpp"


namespace bb {


template <typename Flavor, class IO> size_t UltraVerifier_<Flavor, IO>::compute_log_n() const

{

    if constexpr (Flavor::USE_PADDING) {

        return static_cast<size_t>(Flavor::VIRTUAL_LOG_N);

    } else {

        // Non-padded: use actual circuit size from VK (native only)

        return static_cast<size_t>(verifier_instance->get_vk()->log_circuit_size);

    }

}


template <typename Flavor, class IO>


std::vector<typename Flavor::FF> UltraVerifier_<Flavor, IO>::compute_padding_indicator_array(size_t log_n) const

{

    // - Non-ZK flavors: all 1s (no masking needed)

    // - ZK without padding: all 1s (log_n == log_circuit_size, no padded region)

    // - ZK with padding: computed to mask padded rounds (1s for real, 0s for padding)

    std::vector<FF> padding_indicator_array(log_n, FF{ 1 });

    if constexpr (Flavor::HasZK && Flavor::USE_PADDING) {

        auto vk_ptr = verifier_instance->get_vk();

        if constexpr (IsRecursive) {

            // Recursive: use in-circuit computation via Lagrange polynomials

            // Note: Must be called after OinkVerifier so log_circuit_size is properly tagged

            padding_indicator_array =

                stdlib::compute_padding_indicator_array<Curve, Flavor::VIRTUAL_LOG_N>(vk_ptr->log_circuit_size);

        } else {

            // Native: simple loop comparison

            const size_t log_circuit_size = static_cast<size_t>(vk_ptr->log_circuit_size);

            for (size_t idx = 0; idx < log_n; idx++) {

                padding_indicator_array[idx] = (idx < log_circuit_size) ? FF{ 1 } : FF{ 0 };

            }

        }

    }


    return padding_indicator_array;

}


template <typename Flavor, class IO>

std::pair<typename UltraVerifier_<Flavor, IO>::Proof, typename UltraVerifier_<Flavor, IO>::Proof> UltraVerifier_<

    Flavor,


    IO>::split_rollup_proof(const Proof& combined_proof) const

    requires(IO::HasIPA)

{

    // Validate combined proof is large enough to contain IPA proof

    BB_ASSERT_GTE(combined_proof.size(),

                  IPA_PROOF_LENGTH,

                  "Combined rollup proof is too small to contain IPA proof. Expected at least " +

                      std::to_string(IPA_PROOF_LENGTH) + " elements, got " + std::to_string(combined_proof.size()));


    // IPA proof is appended at the end (must match UltraProver_::export_proof())

    const auto honk_proof_length = static_cast<std::ptrdiff_t>(combined_proof.size() - IPA_PROOF_LENGTH);


    Proof honk_proof(combined_proof.begin(), combined_proof.begin() + honk_proof_length);

    Proof ipa_proof(combined_proof.begin() + honk_proof_length, combined_proof.end());


    return std::make_pair(honk_proof, ipa_proof);

}


template <typename Flavor, class IO>


bool UltraVerifier_<Flavor, IO>::verify_ipa(const Proof& ipa_proof, const IPAClaim& ipa_claim)

    requires(!IsRecursiveFlavor<Flavor> && IO::HasIPA)

{

    VerifierCommitmentKey<curve::Grumpkin> ipa_verification_key(1 << CONST_ECCVM_LOG_N);

    ipa_transcript->load_proof(ipa_proof);

    bool ipa_verified = IPA<curve::Grumpkin>::reduce_verify(ipa_verification_key, ipa_claim, ipa_transcript);

    vinfo("UltraVerifier: IPA check: ", ipa_verified ? "true" : "false");


    if (!ipa_verified) {

        info("UltraVerifier: verification failed at IPA check");

    }


    return ipa_verified;

}


template <typename Flavor, class IO>


typename UltraVerifier_<Flavor, IO>::ReductionResult UltraVerifier_<Flavor, IO>::reduce_to_pairing_check(

    const typename UltraVerifier_<Flavor, IO>::Proof& proof)

{

    using Shplemini = ShpleminiVerifier_<Curve, Flavor::HasZK>;

    using ClaimBatcher = ClaimBatcher_<Curve>;

    using ClaimBatch = ClaimBatcher::Batch;


    transcript->load_proof(proof);


    // Compute log_n first (needed for proof layout calculation)

    const size_t log_n = compute_log_n();


    // Derive num_public_inputs from proof size using centralized proof layout

    const size_t num_public_inputs = ProofLength::Honk<Flavor>::derive_num_public_inputs(proof.size(), log_n);


    OinkVerifier<Flavor> oink_verifier{ verifier_instance, transcript, num_public_inputs };

    oink_verifier.verify();


    // Compute padding indicator array AFTER OinkVerifier so VK fields are properly tagged

    auto padding_indicator_array = compute_padding_indicator_array(log_n);

    verifier_instance->gate_challenges =

        transcript->template get_dyadic_powers_of_challenge<FF>("Sumcheck:gate_challenge", log_n);


    // Get the witness commitments that the verifier needs to verify

    VerifierCommitments commitments{ verifier_instance->get_vk(), verifier_instance->witness_commitments };

    // For ZK flavors: set gemini_masking_poly commitment from accumulator

    if constexpr (Flavor::HasZK) {

        commitments.gemini_masking_poly = verifier_instance->gemini_masking_commitment;

    }


    // Construct the sumcheck verifier

    SumcheckVerifier<Flavor> sumcheck(transcript, verifier_instance->alpha, log_n);

    // Receive commitments to Libra masking polynomials for ZKFlavors

    std::array<Commitment, NUM_LIBRA_COMMITMENTS> libra_commitments = {};


    if constexpr (Flavor::HasZK) {

        libra_commitments[0] = transcript->template receive_from_prover<Commitment>("Libra:concatenation_commitment");

    }

    // Run the sumcheck verifier

    SumcheckOutput<Flavor> sumcheck_output = sumcheck.verify(

        verifier_instance->relation_parameters, verifier_instance->gate_challenges, padding_indicator_array);

    // Get the claimed evaluation of the Libra polynomials for ZKFlavors

    if constexpr (Flavor::HasZK) {

        libra_commitments[1] = transcript->template receive_from_prover<Commitment>("Libra:grand_sum_commitment");

        libra_commitments[2] = transcript->template receive_from_prover<Commitment>("Libra:quotient_commitment");

    }


    ClaimBatcher claim_batcher{

        .unshifted = ClaimBatch{ commitments.get_unshifted(), sumcheck_output.claimed_evaluations.get_unshifted() },

        .shifted = ClaimBatch{ commitments.get_to_be_shifted(), sumcheck_output.claimed_evaluations.get_shifted() }

    };


    const Commitment one_commitment = [&]() {

        if constexpr (IsRecursive) {

            return Commitment::one(builder);

        } else {

            return Commitment::one();

        }

    }();


    auto shplemini_output = Shplemini::compute_batch_opening_claim(padding_indicator_array,

                                                                   claim_batcher,

                                                                   sumcheck_output.challenge,

                                                                   one_commitment,

                                                                   transcript,

                                                                   Flavor::REPEATED_COMMITMENTS,

                                                                   libra_commitments,

                                                                   sumcheck_output.claimed_libra_evaluation);


    // Build reduction result

    ReductionResult result;

    result.pairing_points = PCS::reduce_verify_batch_opening_claim(

        std::move(shplemini_output.batch_opening_claim), transcript, Flavor::FINAL_PCS_MSM_SIZE(log_n));


    bool consistency_checked = true;

    if constexpr (Flavor::HasZK) {

        consistency_checked = shplemini_output.consistency_checked;

        vinfo("Ultra Verifier (with ZK): Libra evals consistency checked ", consistency_checked ? "true" : "false");

    }

    vinfo("Ultra Verifier sumcheck_verified: ", sumcheck_output.verified ? "true" : "false");

    result.reduction_succeeded = sumcheck_output.verified && consistency_checked;


    return result;

}


template <typename Flavor, class IO>


typename UltraVerifier_<Flavor, IO>::Output UltraVerifier_<Flavor, IO>::verify_proof(

    const typename UltraVerifier_<Flavor, IO>::Proof& proof)

{

    // Step 1: Split proof if needed

    Proof honk_proof;

    Proof ipa_proof;

    if constexpr (IO::HasIPA) {

        std::tie(honk_proof, ipa_proof) = split_rollup_proof(proof);

    } else {

        honk_proof = proof;

    }


    // Step 2: Reduce to pairing check

    auto [pcs_pairing_points, reduction_succeeded] = reduce_to_pairing_check(honk_proof);

    vinfo("UltraVerifier: reduced to pairing check: ", reduction_succeeded ? "true" : "false");


    if constexpr (!IsRecursive) {

        if (!reduction_succeeded) {

            info("UltraVerifier: verification failed at reduction step");

            return Output{};

        }

    }


    // Step 3: Process the reduction result and public inputs

    IO inputs;

    inputs.reconstruct_from_public(verifier_instance->public_inputs);


    // Aggregate pairing points

    PairingPoints pi_pairing_points = inputs.pairing_inputs;

    pi_pairing_points.aggregate(pcs_pairing_points);


    // Construct output (common to both native and recursive)

    Output output(inputs);


    if constexpr (IsRecursive) {

        // Recursive: populate output for deferred verification

        output.points_accumulator = std::move(pi_pairing_points);

        if constexpr (IO::HasIPA) {

            output.ipa_proof = ipa_proof;

        }

    } else {

        // Perform pairing check

        bool pairing_verified = pi_pairing_points.check();

        vinfo("UltraVerifier: pairing check: ", pairing_verified ? "true" : "false");


        if (!pairing_verified) {

            info("UltraVerifier: verification failed at pairing check");

            return Output{};

        }


        // Perform IPA verification if IO requires it

        if constexpr (IO::HasIPA) {

            if (!verify_ipa(ipa_proof, inputs.ipa_claim)) {

                return Output{};

            }

        }


        output.result = true;

    }


    return output;

}


// ===== NATIVE FLAVOR INSTANTIATIONS =====


template class UltraVerifier_<UltraFlavor, DefaultIO>;

template class UltraVerifier_<UltraZKFlavor, DefaultIO>;

template class UltraVerifier_<UltraKeccakFlavor, DefaultIO>;

template class UltraVerifier_<UltraKeccakZKFlavor, DefaultIO>;

template class UltraVerifier_<UltraFlavor, RollupIO>; // Rollup uses UltraFlavor + RollupIO

template class UltraVerifier_<MegaFlavor, DefaultIO>;

template class UltraVerifier_<MegaZKFlavor, DefaultIO>;

template class UltraVerifier_<MegaZKFlavor, HidingKernelIO>; // Chonk


#ifdef STARKNET_GARAGA_FLAVORS

template class UltraVerifier_<UltraStarknetFlavor, DefaultIO>;

template class UltraVerifier_<UltraStarknetZKFlavor, DefaultIO>;

#endif


// ===== RECURSIVE FLAVOR INSTANTIATIONS =====


// UltraRecursiveFlavor with DefaultIO

template class UltraVerifier_<UltraRecursiveFlavor_<UltraCircuitBuilder>,

                              stdlib::recursion::honk::DefaultIO<UltraCircuitBuilder>>;

template class UltraVerifier_<UltraRecursiveFlavor_<MegaCircuitBuilder>,

                              stdlib::recursion::honk::DefaultIO<MegaCircuitBuilder>>;


// UltraZKRecursiveFlavor with DefaultIO

template class UltraVerifier_<UltraZKRecursiveFlavor_<UltraCircuitBuilder>,

                              stdlib::recursion::honk::DefaultIO<UltraCircuitBuilder>>;

template class UltraVerifier_<UltraZKRecursiveFlavor_<MegaCircuitBuilder>,

                              stdlib::recursion::honk::DefaultIO<MegaCircuitBuilder>>;


// UltraRecursiveFlavor with RollupIO (replaces UltraRollupRecursiveFlavor)

template class UltraVerifier_<UltraRecursiveFlavor_<UltraCircuitBuilder>, stdlib::recursion::honk::RollupIO>;


// MegaRecursiveFlavor with DefaultIO

template class UltraVerifier_<MegaRecursiveFlavor_<UltraCircuitBuilder>,

                              stdlib::recursion::honk::DefaultIO<UltraCircuitBuilder>>;

template class UltraVerifier_<MegaRecursiveFlavor_<MegaCircuitBuilder>,

                              stdlib::recursion::honk::DefaultIO<MegaCircuitBuilder>>;


// MegaZKRecursiveFlavor with DefaultIO

template class UltraVerifier_<MegaZKRecursiveFlavor_<UltraCircuitBuilder>,

                              stdlib::recursion::honk::DefaultIO<UltraCircuitBuilder>>;

template class UltraVerifier_<MegaZKRecursiveFlavor_<MegaCircuitBuilder>,

                              stdlib::recursion::honk::DefaultIO<MegaCircuitBuilder>>;


// MegaZKRecursiveFlavor with HidingKernelIO (Chonk)

template class UltraVerifier_<MegaZKRecursiveFlavor_<UltraCircuitBuilder>,

                              stdlib::recursion::honk::HidingKernelIO<UltraCircuitBuilder>>;


// MegaRecursiveFlavor with GoblinAvmIO

template class UltraVerifier_<MegaAvmRecursiveFlavor_<UltraCircuitBuilder>,

                              stdlib::recursion::honk::GoblinAvmIO<UltraCircuitBuilder>>;


} // namespace bb

BB_ASSERT_GTE
#define BB_ASSERT_GTE(left, right,...)
Definition assert.hpp:128

bb::ECCVMFlavor::HasZK
static constexpr bool HasZK
Definition eccvm_flavor.hpp:59

bb::ECCVMFlavor::USE_PADDING
static constexpr bool USE_PADDING
Definition eccvm_flavor.hpp:61

bb::ECCVMFlavor::REPEATED_COMMITMENTS
static constexpr RepeatedCommitmentsData REPEATED_COMMITMENTS
Definition eccvm_flavor.hpp:89

bb::IPA
IPA (inner product argument) commitment scheme class.
Definition ipa.hpp:85

bb::OinkVerifier
Verifier class for all the presumcheck rounds, which are shared between the folding verifier and ultr...
Definition oink_verifier.hpp:25

bb::OinkVerifier::verify
void verify()
Oink Verifier function that runs all the rounds of the verifier.
Definition oink_verifier.cpp:28

bb::OpeningClaim
Unverified claim (C,r,v) for some witness polynomial p(X) such that.
Definition claim.hpp:55

bb::ShpleminiVerifier_
Definition shplemini.hpp:175

bb::SumcheckVerifier
Implementation of the sumcheck Verifier for statements of the form  for multilinear polynomials .
Definition sumcheck.hpp:721

bb::SumcheckVerifier::verify
SumcheckOutput< Flavor > verify(const bb::RelationParameters< FF > &relation_parameters, const std::vector< FF > &gate_challenges, const std::vector< FF > &padding_indicator_array)
The Sumcheck verification method. First it extracts round univariate, checks sum (the sumcheck univar...
Definition sumcheck.hpp:777

bb::UltraVerifier_
Definition ultra_verifier.hpp:79

bb::UltraVerifier_::verify_ipa
bool verify_ipa(const Proof &ipa_proof, const IPAClaim &ipa_claim)
Verify IPA proof for rollup circuits (native verifier only)
Definition ultra_verifier.cpp:110

bb::UltraVerifier_::reduce_to_pairing_check
ReductionResult reduce_to_pairing_check(const Proof &proof)
Reduce ultra proof to verification claims (works for both native and recursive)
Definition ultra_verifier.cpp:131

bb::UltraVerifier_::Proof
typename Transcript::Proof Proof
Definition ultra_verifier.hpp:98

bb::UltraVerifier_::PairingPoints
std::conditional_t< IsRecursive, stdlib::recursion::PairingPoints< Curve >, bb::PairingPoints< Curve > > PairingPoints
Definition ultra_verifier.hpp:95

bb::UltraVerifier_::compute_log_n
size_t compute_log_n() const
Compute log_n based on flavor.
Definition ultra_verifier.cpp:26

bb::UltraVerifier_::compute_padding_indicator_array
std::vector< FF > compute_padding_indicator_array(size_t log_n) const
Compute padding indicator array based on flavor configuration.
Definition ultra_verifier.cpp:44

bb::UltraVerifier_::Output
std::conditional_t< IsRecursive, stdlib::recursion::honk::UltraRecursiveVerifierOutput< Builder >, UltraVerifierOutput< Flavor > > Output
Definition ultra_verifier.hpp:103

bb::UltraVerifier_::VerifierCommitments
typename Flavor::VerifierCommitments VerifierCommitments
Definition ultra_verifier.hpp:86

bb::UltraVerifier_::Commitment
typename Flavor::Commitment Commitment
Definition ultra_verifier.hpp:82

bb::UltraVerifier_::verify_proof
Output verify_proof(const Proof &proof)
Perform ultra verification.
Definition ultra_verifier.cpp:224

bb::UltraVerifier_::FF
typename Flavor::FF FF
Definition ultra_verifier.hpp:81

bb::VerifierCommitmentKey
Representation of the Grumpkin Verifier Commitment Key inside a bn254 circuit.
Definition verifier_commitment_key.hpp:16

bb::stdlib::recursion::honk::DefaultIO
Manages the data that is propagated on the public inputs of an application/function circuit.
Definition special_public_inputs.hpp:162

bb::stdlib::recursion::honk::GoblinAvmIO
The data that is propagated on the public inputs of the inner GoblinAvmRecursiveVerifier circuit.
Definition special_public_inputs.hpp:225

bb::stdlib::recursion::honk::HidingKernelIO
Manages the data that is propagated on the public inputs of a hiding kernel circuit.
Definition special_public_inputs.hpp:277

bb::stdlib::recursion::honk::RollupIO
The data that is propagated on the public inputs of a rollup circuit.
Definition special_public_inputs.hpp:366

pairing_points.hpp

info
#define info(...)
Definition log.hpp:93

vinfo
#define vinfo(...)
Definition log.hpp:94

bb::IsRecursiveFlavor
Definition flavor_concepts.hpp:46

builder
AluTraceBuilder builder
Definition alu.test.cpp:124

Flavor
ECCVMFlavor Flavor
Definition eccvm.bench.cpp:10

inputs
AvmProvingInputs inputs
Definition hinting_dbs.test.cpp:45

ipa.hpp

mega_avm_recursive_flavor.hpp

mega_zk_recursive_flavor.hpp

bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

std::to_string
std::string to_string(bb::avm2::ValueTag tag)
Definition tagged_value.cpp:402

oink_verifier.hpp

padding_indicator_array.hpp
For a small integer N = virtual_log_n and a given witness x = log_n, compute in-circuit an indicator_...

proof_length.hpp

shplemini.hpp

bb::ClaimBatcher_
Logic to support batching opening claims for unshifted, shifted and interleaved polynomials in Shplem...
Definition claim_batcher.hpp:28

bb::ProofLength::Honk::derive_num_public_inputs
static constexpr size_t derive_num_public_inputs(size_t proof_size, size_t log_n)
Derive num_public_inputs from proof size.
Definition proof_length.hpp:112

bb::SumcheckOutput
Contains the evaluations of multilinear polynomials  at the challenge point . These are computed by S...
Definition sumcheck_output.hpp:22

bb::SumcheckOutput::claimed_libra_evaluation
FF claimed_libra_evaluation
Definition sumcheck_output.hpp:35

bb::SumcheckOutput::verified
bool verified
Definition sumcheck_output.hpp:33

bb::SumcheckOutput::claimed_evaluations
ClaimedEvaluations claimed_evaluations
Definition sumcheck_output.hpp:30

bb::SumcheckOutput::challenge
std::vector< FF > challenge
Definition sumcheck_output.hpp:28

bb::UltraVerifier_::ReductionResult
Result of reducing ultra proof to pairing points check. Contains pairing points and the aggrefate res...
Definition ultra_verifier.hpp:113

bb::UltraVerifier_::ReductionResult::pairing_points
PairingPoints pairing_points
Definition ultra_verifier.hpp:114

bb::UltraVerifier_::ReductionResult::reduction_succeeded
bool reduction_succeeded
Definition ultra_verifier.hpp:115

sumcheck.hpp

ultra_verifier.hpp

ultra_zk_recursive_flavor.hpp