Barretenberg: src/barretenberg/vm2/constraining/verifier.cpp Source File

// === AUDIT STATUS ===

// internal:    { status: Completed, auditors: [Federico], commit: }

// external_1:  { status: not started, auditors: [], commit: }

// external_2:  { status: not started, auditors: [], commit: }

// =====================

#include "barretenberg/vm2/constraining/verifier.hpp"


#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp"

#include "barretenberg/common/log.hpp"

#include "barretenberg/numeric/bitop/get_msb.hpp"

#include "barretenberg/transcript/transcript.hpp"

#include "barretenberg/vm2/common/constants.hpp"

#include <numeric>


namespace bb::avm2 {


AvmVerifier::AvmVerifier(AvmVerifier&& other) noexcept

    : key(std::move(other.key))

    , transcript(std::move(other.transcript))

{}


AvmVerifier& AvmVerifier::operator=(AvmVerifier&& other) noexcept

{

    key = other.key;

    transcript = other.transcript;

    return *this;

}


AvmVerifier::FF AvmVerifier::evaluate_public_input_column(const std::vector<FF>& points,

                                                          const std::vector<FF>& challenges)

{

    Polynomial<FF> polynomial(points, MAX_AVM_TRACE_SIZE);

    return polynomial.evaluate_mle(challenges);

}


bool AvmVerifier::verify_proof(const HonkProof& proof, const std::vector<std::vector<FF>>& public_inputs)

{

    using PCS = Flavor::PCS;

    using Curve = Flavor::Curve;

    using VerifierCommitments = Flavor::VerifierCommitments;

    using Shplemini = ShpleminiVerifier_<Curve, Flavor::HasZK>;

    using ClaimBatcher = ClaimBatcher_<Curve>;

    using ClaimBatch = ClaimBatcher::Batch;

    using VerifierCommitmentKey = typename Flavor::VerifierCommitmentKey;

    using Challenges = Flavor::AllEntities<FF>;


    RelationParameters<FF> relation_parameters;


    transcript->load_proof(proof);


    // ========== Execute preamble round ==========


    // Add vk hash to transcript

    FF vk_hash = key->get_hash();

    transcript->add_to_hash_buffer("avm_vk_hash", vk_hash);

    vinfo("AVM vk hash in verifier: ", vk_hash);


    // ========== Execute public inputs round ==========


    // Validate number of public input columns

    if (public_inputs.size() != AVM_NUM_PUBLIC_INPUT_COLUMNS) {

        vinfo("Public inputs size mismatch");

        return false;

    }


    // Add public inputs to transcript. This ensures that the Sumcheck challenge depends both on the public inputs sent

    // in the clear and on the committed columns.

    for (size_t i = 0; i < AVM_NUM_PUBLIC_INPUT_COLUMNS; i++) {

        // Validate public input column size

        if (public_inputs[i].size() != AVM_PUBLIC_INPUTS_COLUMNS_MAX_LENGTH) {

            vinfo("Public input size mismatch");

            return false;

        }

        for (size_t j = 0; j < public_inputs[i].size(); j++) {

            transcript->add_to_hash_buffer("public_input_" + std::to_string(i) + "_" + std::to_string(j),

                                           public_inputs[i][j]);

        }

    }


    // ========== Execute wire commitments round ==========


    // Receive commitments to all polynomials except the logderivate ones

    VerifierCommitments commitments{ key };

    for (auto [comm, label] : zip_view(commitments.get_wires(), commitments.get_wires_labels())) {

        comm = transcript->template receive_from_prover<Commitment>(label);

    }


    // ========== Execute log derivative inverse round ==========


    // Generate randomness required by Lookup and Permutation relations

    auto [beta, gamma] = transcript->template get_challenges<FF>(std::array<std::string, 2>{ "beta", "gamma" });

    relation_parameters.beta = beta;

    relation_parameters.gamma = gamma;


    // Receive commitments to all logderivative inverse polynomials

    for (auto [commitment, label] : zip_view(commitments.get_derived(), commitments.get_derived_labels())) {

        commitment = transcript->template receive_from_prover<Commitment>(label);

    }


    // ========== Execute relation check rounds ==========


    // Construct padding indicator array: it is a vector of constant ones as the AVM verifier performs verification of

    // the AVM circuit, so the number of rounds is fixed.

    std::vector<FF> padding_indicator_array(MAX_AVM_TRACE_LOG_SIZE, 1);


    // Multiply each linearly independent subrelation contribution by `alpha^i` for i = 0, ..., NUM_SUBRELATIONS - 1.

    const FF alpha = transcript->template get_challenge<FF>("Sumcheck:alpha");


    SumcheckVerifier<Flavor> sumcheck(transcript, alpha, MAX_AVM_TRACE_LOG_SIZE);


    // Get the gate challenges for sumcheck computation

    std::vector<FF> gate_challenges =

        transcript->template get_dyadic_powers_of_challenge<FF>("Sumcheck:gate_challenge", MAX_AVM_TRACE_LOG_SIZE);

    SumcheckOutput<Flavor> output = sumcheck.verify(relation_parameters, gate_challenges, padding_indicator_array);


    // If Sumcheck did not verify, return false

    if (!output.verified) {

        vinfo("Sumcheck verification failed");

        return false;

    }


    // Validate that the public inputs committed in the public input columns match the public inputs sent in the clear

    // by the Prover

    using C = ColumnAndShifts;

    std::array<FF, AVM_NUM_PUBLIC_INPUT_COLUMNS> claimed_evaluations = {

        output.claimed_evaluations.get(C::public_inputs_cols_0_),

        output.claimed_evaluations.get(C::public_inputs_cols_1_),

        output.claimed_evaluations.get(C::public_inputs_cols_2_),

        output.claimed_evaluations.get(C::public_inputs_cols_3_),

    };

    for (size_t idx = 0;

         const auto& [public_input_column, claimed_evaluation] : zip_view(public_inputs, claimed_evaluations)) {

        FF public_input_evaluation = evaluate_public_input_column(public_input_column, output.challenge);

        if (public_input_evaluation != claimed_evaluation) {

            vinfo("public_input_evaluation failed, public inputs col ", idx);

            return false;

        }

        idx++;

    }


    // ========== Execute PCS verification ==========


    // Batch commitments and evaluations using short scalars to reduce ECCVM circuit size

    std::span<const Commitment> unshifted_comms = commitments.get_unshifted();

    std::span<const FF> unshifted_evals = output.claimed_evaluations.get_unshifted();

    std::span<const Commitment> shifted_comms = commitments.get_to_be_shifted();

    std::span<const FF> shifted_evals = output.claimed_evaluations.get_shifted();


    // Get short batching challenges from transcript

    Challenges challenges;

    auto unshifted_challenges_vec = transcript->template get_challenges<FF>(challenges.get_unshifted_labels());

    std::ranges::move(unshifted_challenges_vec, challenges.get_unshifted().begin());

    auto unshifted_challenges = challenges.get_unshifted();

    auto shifted_challenges = challenges.get_to_be_shifted();


    // Batch shifted commitments

    Commitment batched_shifted = Commitment::batch_mul(shifted_comms, shifted_challenges);


    // Batch unshifted commitments: We reuse the calculation performed for shifted commitments.

    Commitment batched_unshifted =

        batched_shifted +

        Commitment::batch_mul(unshifted_comms.subspan(0, WIRES_TO_BE_SHIFTED_START_IDX),

                              unshifted_challenges.subspan(0, WIRES_TO_BE_SHIFTED_START_IDX)) +

        Commitment::batch_mul(unshifted_comms.subspan(WIRES_TO_BE_SHIFTED_END_IDX),

                              unshifted_challenges.subspan(WIRES_TO_BE_SHIFTED_END_IDX));


    // Batch evaluations: compute inner product with first eval as initial value for unshifted

    FF batched_unshifted_eval =

        std::inner_product(unshifted_challenges.begin(), unshifted_challenges.end(), unshifted_evals.begin(), FF(0));


    FF batched_shifted_eval =

        std::inner_product(shifted_challenges.begin(), shifted_challenges.end(), shifted_evals.begin(), FF(0));


    // Execute Shplemini rounds with batched claims

    ClaimBatcher batched_claim_batcher{ .unshifted = ClaimBatch{ .commitments = RefVector(batched_unshifted),

                                                                 .evaluations = RefVector(batched_unshifted_eval) },

                                        .shifted = ClaimBatch{ .commitments = RefVector(batched_shifted),

                                                               .evaluations = RefVector(batched_shifted_eval) } };

    auto opening_claim =

        Shplemini::compute_batch_opening_claim(

            padding_indicator_array, batched_claim_batcher, output.challenge, Commitment::one(), transcript)

            .batch_opening_claim;


    const auto pairing_points = PCS::reduce_verify_batch_opening_claim(std::move(opening_claim), transcript);

    VerifierCommitmentKey pcs_vkey{};

    const auto shplemini_verified = pcs_vkey.pairing_check(pairing_points[0], pairing_points[1]);


    if (!shplemini_verified) {

        vinfo("Shplemini verification failed");

        return false;

    }


    return true;

}


} // namespace bb::avm2

AVM_NUM_PUBLIC_INPUT_COLUMNS
#define AVM_NUM_PUBLIC_INPUT_COLUMNS
Definition aztec_constants.hpp:176

AVM_PUBLIC_INPUTS_COLUMNS_MAX_LENGTH
#define AVM_PUBLIC_INPUTS_COLUMNS_MAX_LENGTH
Definition aztec_constants.hpp:175

bb::IPA
IPA (inner product argument) commitment scheme class.
Definition ipa.hpp:85

bb::Polynomial
Structured polynomial class that represents the coefficients 'a' of a_0 + a_1 x .....
Definition polynomial.hpp:75

bb::Polynomial::evaluate_mle
Fr evaluate_mle(std::span< const Fr > evaluation_points, bool shift=false) const
evaluate multi-linear extension p(X_0,…,X_{n-1}) = \sum_i a_i*L_i(X_0,…,X_{n-1}) at u = (u_0,...
Definition polynomial.cpp:199

bb::RefVector
A template class for a reference vector. Behaves as if std::vector<T&> was possible.
Definition ref_vector.hpp:24

bb::ShpleminiVerifier_
Definition shplemini.hpp:175

bb::SumcheckVerifier
Implementation of the sumcheck Verifier for statements of the form  for multilinear polynomials .
Definition sumcheck.hpp:721

bb::SumcheckVerifier::verify
SumcheckOutput< Flavor > verify(const bb::RelationParameters< FF > &relation_parameters, const std::vector< FF > &gate_challenges, const std::vector< FF > &padding_indicator_array)
The Sumcheck verification method. First it extracts round univariate, checks sum (the sumcheck univar...
Definition sumcheck.hpp:777

bb::VerifierCommitmentKey
Representation of the Grumpkin Verifier Commitment Key inside a bn254 circuit.
Definition verifier_commitment_key.hpp:16

bb::avm2::AvmFlavor::AllEntities
Definition flavor.hpp:126

bb::avm2::AvmFlavor::VerifierCommitmentKey
AvmFlavorSettings::VerifierCommitmentKey VerifierCommitmentKey
Definition flavor.hpp:49

bb::avm2::AvmFlavor::VerifierCommitments
VerifierCommitments_< Commitment, VerificationKey > VerifierCommitments
Definition flavor.hpp:320

bb::avm2::AvmFlavor::PCS
AvmFlavorSettings::PCS PCS
Definition flavor.hpp:40

bb::avm2::AvmFlavor::Curve
AvmFlavorSettings::Curve Curve
Definition flavor.hpp:38

bb::avm2::AvmVerifier
Definition verifier.hpp:13

bb::avm2::AvmVerifier::transcript
std::shared_ptr< Transcript > transcript
Definition verifier.hpp:33

bb::avm2::AvmVerifier::operator=
AvmVerifier & operator=(const AvmVerifier &other)=delete

bb::avm2::AvmVerifier::evaluate_public_input_column
static FF evaluate_public_input_column(const std::vector< FF > &points, const std::vector< FF > &challenges)
Evaluate the given public input column over the multivariate challenge points.
Definition verifier.cpp:41

bb::avm2::AvmVerifier::key
std::shared_ptr< VerificationKey > key
Definition verifier.hpp:32

bb::avm2::AvmVerifier::verify_proof
bool verify_proof(const HonkProof &proof, const std::vector< std::vector< FF > > &public_inputs)
Verify an AVM proof.
Definition verifier.cpp:52

bb::avm2::AvmVerifier::AvmVerifier
AvmVerifier()=default

bb::avm2::AvmVerifier::FF
Flavor::FF FF
Definition verifier.hpp:16

bb::avm2::AvmVerifier::Commitment
Flavor::Commitment Commitment
Definition verifier.hpp:17

bb::curve::Grumpkin
Definition grumpkin.hpp:57

zip_view
Definition zip_view.hpp:166

log.hpp

vinfo
#define vinfo(...)
Definition log.hpp:94

get_msb.hpp

key
FF key
Definition indexed_memory_tree.test.cpp:18

bb::avm2
Definition dbs.cpp:19

bb::avm2::WIRES_TO_BE_SHIFTED_END_IDX
constexpr auto WIRES_TO_BE_SHIFTED_END_IDX
Definition columns.hpp:67

bb::avm2::Column
Column
Definition columns.hpp:31

bb::avm2::MAX_AVM_TRACE_SIZE
constexpr std::size_t MAX_AVM_TRACE_SIZE
Definition constants.hpp:13

bb::avm2::MAX_AVM_TRACE_LOG_SIZE
constexpr std::size_t MAX_AVM_TRACE_LOG_SIZE
Definition constants.hpp:12

bb::avm2::WIRES_TO_BE_SHIFTED_START_IDX
constexpr auto WIRES_TO_BE_SHIFTED_START_IDX
Definition columns.hpp:66

bb::avm2::ColumnAndShifts
ColumnAndShifts
Definition columns.hpp:34

bb::HonkProof
std::vector< fr > HonkProof
Definition proof.hpp:15

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

std::to_string
std::string to_string(bb::avm2::ValueTag tag)
Definition tagged_value.cpp:402

shplemini.hpp

bb::ClaimBatcher_
Logic to support batching opening claims for unshifted, shifted and interleaved polynomials in Shplem...
Definition claim_batcher.hpp:28

bb::RelationParameters
Container for parameters used by the grand product (permutation, lookup) Honk relations.
Definition relation_parameters.hpp:19

bb::RelationParameters::beta
T beta
Definition relation_parameters.hpp:28

bb::RelationParameters::gamma
T gamma
Definition relation_parameters.hpp:29

bb::SumcheckOutput
Contains the evaluations of multilinear polynomials  at the challenge point . These are computed by S...
Definition sumcheck_output.hpp:22

bb::SumcheckOutput::verified
bool verified
Definition sumcheck_output.hpp:33

bb::SumcheckOutput::claimed_evaluations
ClaimedEvaluations claimed_evaluations
Definition sumcheck_output.hpp:30

bb::SumcheckOutput::challenge
std::vector< FF > challenge
Definition sumcheck_output.hpp:28

transcript.hpp

verifier.hpp

constants.hpp