Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
bbapi_ultra_honk.cpp
Go to the documentation of this file.
1#include "barretenberg/bbapi/bbapi_ultra_honk.hpp"
2#include "barretenberg/bbapi/bbapi_shared.hpp"
3#include "barretenberg/common/serialize.hpp"
4#include "barretenberg/dsl/acir_format/acir_to_constraint_buf.hpp"
5#include "barretenberg/dsl/acir_format/serde/witness_stack.hpp"
6#include "barretenberg/dsl/acir_proofs/honk_contract.hpp"
7#include "barretenberg/dsl/acir_proofs/honk_optimized_contract.hpp"
8#include "barretenberg/dsl/acir_proofs/honk_zk_contract.hpp"
9#include "barretenberg/dsl/acir_proofs/honk_zk_optimized_contract.hpp"
10#include "barretenberg/numeric/uint256/uint256.hpp"
11#include "barretenberg/ultra_honk/ultra_prover.hpp"
12#include "barretenberg/ultra_honk/ultra_verifier.hpp"
13
14namespace bb::bbapi {
15
16template <typename IO> acir_format::ProgramMetadata _create_program_metadata()
17{
18 return acir_format::ProgramMetadata{ .has_ipa_claim = IO::HasIPA };
19}
20
21template <typename Flavor, typename IO, typename Circuit = typename Flavor::CircuitBuilder>
22Circuit _compute_circuit(std::vector<uint8_t>&& bytecode, std::vector<uint8_t>&& witness)
23{
24 const acir_format::ProgramMetadata metadata = _create_program_metadata<IO>();
25 acir_format::AcirProgram program{ acir_format::circuit_buf_to_acir_format(std::move(bytecode)), {} };
26
27 if (!witness.empty()) {
28 program.witness = acir_format::witness_buf_to_witness_vector(std::move(witness));
29 }
30 return acir_format::create_circuit<Circuit>(program, metadata);
31}
32
33template <typename Flavor, typename IO>
34std::shared_ptr<ProverInstance_<Flavor>> _compute_prover_instance(std::vector<uint8_t>&& bytecode,
35 std::vector<uint8_t>&& witness)
36{
37 // Measure function time and debug print
38 auto initial_time = std::chrono::high_resolution_clock::now();
39 typename Flavor::CircuitBuilder builder = _compute_circuit<Flavor, IO>(std::move(bytecode), std::move(witness));
40 auto prover_instance = std::make_shared<ProverInstance_<Flavor>>(builder);
41 auto final_time = std::chrono::high_resolution_clock::now();
42 auto duration = std::chrono::duration_cast<std::chrono::milliseconds>(final_time - initial_time);
43 info("CircuitProve: Proving key computed in ", duration.count(), " ms");
44
45 // Validate consistency between IO type and IPA proof presence
46 // IO::HasIPA indicates the circuit type requires IPA accumulation (rollup circuits)
47 // prover_instance->ipa_proof contains the actual IPA proof data from the circuit
48 if constexpr (IO::HasIPA) {
49 BB_ASSERT(!prover_instance->ipa_proof.empty(),
50 "RollupIO circuit expected IPA proof but none was provided. "
51 "Ensure the circuit includes IPA accumulation data.");
52 } else {
53 BB_ASSERT(prover_instance->ipa_proof.empty(),
54 "Non-rollup circuit should not have IPA proof. "
55 "Use ipa_accumulation=true in settings for rollup circuits.");
56 }
57
58 return prover_instance;
59}
60template <typename Flavor, typename IO>
61CircuitProve::Response _prove(std::vector<uint8_t>&& bytecode,
62 std::vector<uint8_t>&& witness,
63 std::vector<uint8_t>&& vk_bytes)
64{
65 using Proof = typename Flavor::Transcript::Proof;
66 using VerificationKey = typename Flavor::VerificationKey;
67
68 auto prover_instance = _compute_prover_instance<Flavor, IO>(std::move(bytecode), std::move(witness));
69
70 // Create or deserialize VK
71 std::shared_ptr<VerificationKey> vk;
72 if (vk_bytes.empty()) {
73 info("WARNING: computing verification key while proving. Pass in a precomputed vk for better performance.");
74 vk = std::make_shared<VerificationKey>(prover_instance->get_precomputed());
75 } else {
76 validate_vk_size<VerificationKey>(vk_bytes);
77 vk = std::make_shared<VerificationKey>(from_buffer<VerificationKey>(vk_bytes));
78 }
79
80 // Construct proof
81 UltraProver_<Flavor> prover{ prover_instance, vk };
82 Proof full_proof = prover.construct_proof();
83
84 // Compute where to split (inner public inputs vs everything else)
85 size_t num_public_inputs = prover.num_public_inputs();
86 BB_ASSERT_GTE(num_public_inputs, IO::PUBLIC_INPUTS_SIZE, "Public inputs should contain the expected IO structure.");
87 size_t num_inner_public_inputs = num_public_inputs - IO::PUBLIC_INPUTS_SIZE;
88
89 // Optimization: if vk not provided, include it in response
90 CircuitComputeVk::Response vk_response;
91 if (vk_bytes.empty()) {
92 vk_response = { .bytes = to_buffer(*vk), .fields = vk_to_uint256_fields(*vk), .hash = to_buffer(vk->hash()) };
93 }
94
95 // Split proof: inner public inputs at front, rest is the "proof"
96 return { .public_inputs =
97 std::vector<uint256_t>{ full_proof.begin(),
98 full_proof.begin() + static_cast<std::ptrdiff_t>(num_inner_public_inputs) },
99 .proof = std::vector<uint256_t>{ full_proof.begin() + static_cast<std::ptrdiff_t>(num_inner_public_inputs),
100 full_proof.end() },
101 .vk = std::move(vk_response) };
102}
103
104template <typename Flavor, typename IO>
105bool _verify(const std::vector<uint8_t>& vk_bytes,
106 const std::vector<uint256_t>& public_inputs,
107 const std::vector<uint256_t>& proof)
108{
109 using VerificationKey = typename Flavor::VerificationKey;
110 using VKAndHash = typename Flavor::VKAndHash;
111 using Verifier = UltraVerifier_<Flavor, IO>;
112
113 // Validate VK size upfront before deserialization
114 const size_t expected_vk_size = VerificationKey::calc_num_data_types() * sizeof(bb::fr);
115 if (vk_bytes.size() != expected_vk_size) {
116 info(
117 "Proof verification failed: invalid VK size. Expected ", expected_vk_size, " bytes, got ", vk_bytes.size());
118 return false;
119 }
120
121 std::shared_ptr<VerificationKey> vk = std::make_shared<VerificationKey>(from_buffer<VerificationKey>(vk_bytes));
122 auto vk_and_hash = std::make_shared<VKAndHash>(vk);
123 Verifier verifier{ vk_and_hash };
124
125 // Validate proof size
126 const size_t log_n = verifier.compute_log_n();
127 const size_t expected_size = ProofLength::Honk<Flavor>::template expected_proof_size<IO>(log_n);
128 if (proof.size() != expected_size) {
129 info("Proof verification failed: invalid proof size. Expected ", expected_size, ", got ", proof.size());
130 return false;
131 }
132
133 auto complete_proof = concatenate_proof<Flavor>(public_inputs, proof);
134 bool verified = verifier.verify_proof(complete_proof).result;
135
136 if (verified) {
137 info("Proof verified successfully");
138 } else {
139 info("Proof verification failed");
140 }
141
142 return verified;
143}
144
145CircuitProve::Response CircuitProve::execute(BB_UNUSED const BBApiRequest& request) &&
146{
147 BB_BENCH_NAME(MSGPACK_SCHEMA_NAME);
148 return dispatch_by_settings(settings, [&]<typename Flavor, typename IO>() {
149 return _prove<Flavor, IO>(std::move(circuit.bytecode), std::move(witness), std::move(circuit.verification_key));
150 });
151}
152
153CircuitComputeVk::Response CircuitComputeVk::execute(BB_UNUSED const BBApiRequest& request) &&
154{
155 BB_BENCH_NAME(MSGPACK_SCHEMA_NAME);
156 return dispatch_by_settings(settings, [&]<typename Flavor, typename IO>() {
157 auto prover_instance = _compute_prover_instance<Flavor, IO>(std::move(circuit.bytecode), {});
158 auto vk = std::make_shared<typename Flavor::VerificationKey>(prover_instance->get_precomputed());
159 return CircuitComputeVk::Response{ .bytes = to_buffer(*vk),
160 .fields = vk_to_uint256_fields(*vk),
161 .hash = to_buffer(vk->hash()) };
162 });
163}
164
165template <typename Flavor, typename IO>
166CircuitStats::Response _stats(std::vector<uint8_t>&& bytecode, bool include_gates_per_opcode)
167{
168 using Circuit = typename Flavor::CircuitBuilder;
169 // Parse the circuit to get gate count information
170 auto constraint_system = acir_format::circuit_buf_to_acir_format(std::move(bytecode));
171
172 acir_format::ProgramMetadata metadata = _create_program_metadata<IO>();
173 metadata.collect_gates_per_opcode = include_gates_per_opcode;
174 CircuitStats::Response response;
175 response.num_acir_opcodes = static_cast<uint32_t>(constraint_system.num_acir_opcodes);
176
177 acir_format::AcirProgram program{ std::move(constraint_system), {} };
178 auto builder = acir_format::create_circuit<Circuit>(program, metadata);
179 builder.finalize_circuit();
180
181 response.num_gates = static_cast<uint32_t>(builder.get_finalized_total_circuit_size());
182 response.num_gates_dyadic = static_cast<uint32_t>(builder.get_circuit_subgroup_size(response.num_gates));
183 // note: will be empty if collect_gates_per_opcode is false
184 response.gates_per_opcode =
185 std::vector<uint32_t>(program.constraints.gates_per_opcode.begin(), program.constraints.gates_per_opcode.end());
186
187 return response;
188}
189
190CircuitStats::Response CircuitStats::execute(BB_UNUSED const BBApiRequest& request) &&
191{
192 BB_BENCH_NAME(MSGPACK_SCHEMA_NAME);
193 return dispatch_by_settings(settings, [&]<typename Flavor, typename IO>() {
194 return _stats<Flavor, IO>(std::move(circuit.bytecode), include_gates_per_opcode);
195 });
196}
197
198CircuitVerify::Response CircuitVerify::execute(BB_UNUSED const BBApiRequest& request) &&
199{
200 BB_BENCH_NAME(MSGPACK_SCHEMA_NAME);
201 bool verified = dispatch_by_settings(settings, [&]<typename Flavor, typename IO>() {
202 return _verify<Flavor, IO>(verification_key, public_inputs, proof);
203 });
204 return { verified };
205}
206
207VkAsFields::Response VkAsFields::execute(BB_UNUSED const BBApiRequest& request) &&
208{
209 BB_BENCH_NAME(MSGPACK_SCHEMA_NAME);
210
211 using VK = UltraFlavor::VerificationKey;
212 validate_vk_size<VK>(verification_key);
213
214 // Standard UltraHonk flavors
215 auto vk = from_buffer<VK>(verification_key);
216 std::vector<bb::fr> fields;
217 fields = vk.to_field_elements();
218
219 return { std::move(fields) };
220}
221
222MegaVkAsFields::Response MegaVkAsFields::execute(BB_UNUSED const BBApiRequest& request) &&
223{
224 BB_BENCH_NAME(MSGPACK_SCHEMA_NAME);
225
226 using VK = MegaFlavor::VerificationKey;
227 validate_vk_size<VK>(verification_key);
228
229 // MegaFlavor for private function verification keys
230 auto vk = from_buffer<VK>(verification_key);
231 std::vector<bb::fr> fields;
232 fields = vk.to_field_elements();
233
234 return { std::move(fields) };
235}
236
237CircuitWriteSolidityVerifier::Response CircuitWriteSolidityVerifier::execute(BB_UNUSED const BBApiRequest& request) &&
238{
239 BB_BENCH_NAME(MSGPACK_SCHEMA_NAME);
240 using VK = UltraKeccakFlavor::VerificationKey;
241 validate_vk_size<VK>(verification_key);
242
243 auto vk = std::make_shared<VK>(from_buffer<VK>(verification_key));
244
245 std::string contract = settings.disable_zk ? get_honk_solidity_verifier(vk) : get_honk_zk_solidity_verifier(vk);
246
247// If in wasm, we dont include the optimized solidity verifier - due to its large bundle size
248// This will run generate twice, but this should only be run before deployment and not frequently
249#ifndef __wasm__
250 if (settings.optimized_solidity_verifier) {
251 contract = settings.disable_zk ? get_optimized_honk_solidity_verifier(vk)
252 : get_optimized_honk_zk_solidity_verifier(vk);
253 }
254#endif
255
256 return { std::move(contract) };
257}
258
259} // namespace bb::bbapi
acir_to_constraint_buf.hpp
BB_ASSERT
#define BB_ASSERT(expression,...)
Definition assert.hpp:70
BB_ASSERT_GTE
#define BB_ASSERT_GTE(left, right,...)
Definition assert.hpp:128
bytecode
std::shared_ptr< Napi::ThreadSafeFunction > bytecode
Definition avm_simulate_napi.cpp:131
BB_BENCH_NAME
#define BB_BENCH_NAME(name)
Definition bb_bench.hpp:264
bbapi_shared.hpp
Shared type definitions for the Barretenberg RPC API.
bbapi_ultra_honk.hpp
UltraHonk-specific command definitions for the Barretenberg RPC API.
bb::ECCVMFlavor::CircuitBuilder
ECCVMCircuitBuilder CircuitBuilder
Definition eccvm_flavor.hpp:39
bb::ECCVMFlavor::VerificationKey
FixedVKAndHash_< PrecomputedEntities< Commitment >, BF, ECCVMHardcodedVKAndHash > VerificationKey
The verification key stores commitments to the precomputed polynomials used by the verifier.
Definition eccvm_flavor.hpp:846
bb::MegaFlavor::VerificationKey
NativeVerificationKey_< PrecomputedEntities< Commitment >, Codec, HashFunction, CommitmentKey > VerificationKey
The verification key stores commitments to the precomputed (non-witness) polynomials used by the veri...
Definition mega_flavor.hpp:373
bb::NativeVerificationKey_
Base Native verification key class.
Definition flavor.hpp:135
bb::NativeVerificationKey_::calc_num_data_types
static constexpr size_t calc_num_data_types()
Calculate the number of field elements needed for serialization.
Definition flavor.hpp:200
bb::UltraFlavor::VerificationKey
NativeVerificationKey_< PrecomputedEntities< Commitment >, Codec, HashFunction, CommitmentKey > VerificationKey
The verification key stores commitments to the precomputed (non-witness) polynomials used by the veri...
Definition ultra_flavor.hpp:274
bb::UltraKeccakFlavor::VerificationKey
NativeVerificationKey_< PrecomputedEntities< Commitment >, Codec, HashFunction, CommitmentKey > VerificationKey
Definition ultra_keccak_flavor.hpp:20
bb::UltraProver_
Definition ultra_prover.hpp:18
bb::UltraProver_::construct_proof
Proof construct_proof()
Definition ultra_prover.cpp:62
bb::UltraVerifier_
Definition ultra_verifier.hpp:79
info
#define info(...)
Definition log.hpp:93
BB_UNUSED
#define BB_UNUSED
Definition compiler_hints.hpp:30
builder
AluTraceBuilder builder
Definition alu.test.cpp:124
honk_contract.hpp
get_honk_solidity_verifier
std::string get_honk_solidity_verifier(auto const &verification_key)
Definition honk_contract.hpp:2196
honk_optimized_contract.hpp
get_optimized_honk_solidity_verifier
std::string get_optimized_honk_solidity_verifier(auto const &verification_key)
Definition honk_optimized_contract.hpp:3206
honk_zk_contract.hpp
get_honk_zk_solidity_verifier
std::string get_honk_zk_solidity_verifier(auto const &verification_key)
Definition honk_zk_contract.hpp:2351
honk_zk_optimized_contract.hpp
get_optimized_honk_zk_solidity_verifier
std::string get_optimized_honk_zk_solidity_verifier(auto const &verification_key)
Definition honk_zk_optimized_contract.hpp:3625
acir_format::witness_buf_to_witness_vector
WitnessVector witness_buf_to_witness_vector(std::vector< uint8_t > &&buf)
Convert a buffer representing a witness vector into Barretenberg's internal WitnessVector format.
Definition acir_to_constraint_buf.cpp:409
acir_format::circuit_buf_to_acir_format
AcirFormat circuit_buf_to_acir_format(std::vector< uint8_t > &&buf)
Convert a buffer representing a circuit into Barretenberg's internal AcirFormat representation.
Definition acir_to_constraint_buf.cpp:387
bb::bbapi::_compute_prover_instance
std::shared_ptr< ProverInstance_< Flavor > > _compute_prover_instance(std::vector< uint8_t > &&bytecode, std::vector< uint8_t > &&witness)
Definition bbapi_ultra_honk.cpp:34
bb::bbapi::_verify
bool _verify(const std::vector< uint8_t > &vk_bytes, const std::vector< uint256_t > &public_inputs, const std::vector< uint256_t > &proof)
Definition bbapi_ultra_honk.cpp:105
bb::bbapi::_create_program_metadata
acir_format::ProgramMetadata _create_program_metadata()
Definition bbapi_ultra_honk.cpp:16
bb::bbapi::_compute_circuit
Circuit _compute_circuit(std::vector< uint8_t > &&bytecode, std::vector< uint8_t > &&witness)
Definition bbapi_ultra_honk.cpp:22
bb::bbapi::_stats
CircuitStats::Response _stats(std::vector< uint8_t > &&bytecode, bool include_gates_per_opcode)
Definition bbapi_ultra_honk.cpp:166
bb::bbapi::vk_to_uint256_fields
std::vector< uint256_t > vk_to_uint256_fields(const VK &vk)
Convert VK to uint256 field elements, handling flavor-specific return types.
Definition bbapi_shared.hpp:269
bb::bbapi::_prove
CircuitProve::Response _prove(std::vector< uint8_t > &&bytecode, std::vector< uint8_t > &&witness, std::vector< uint8_t > &&vk_bytes)
Definition bbapi_ultra_honk.cpp:61
bb::bbapi::dispatch_by_settings
auto dispatch_by_settings(const ProofSystemSettings &settings, Operation &&operation)
Dispatch to the correct Flavor and IO type based on proof system settings.
Definition bbapi_shared.hpp:317
bb::fr
field< Bn254FrParams > fr
Definition fr.hpp:155
bb::vk
VerifierCommitmentKey< Curve > vk
Definition ipa.fuzzer.cpp:21
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
to_buffer
std::vector< uint8_t > to_buffer(T const &value)
Definition serialize.hpp:414
acir_format::AcirProgram
Struct containing both the constraints to be added to the circuit and the witness vector.
Definition acir_format.hpp:122
acir_format::ProgramMetadata
Metadata required to create a circuit.
Definition acir_format.hpp:137
acir_format::ProgramMetadata::has_ipa_claim
bool has_ipa_claim
Definition acir_format.hpp:141
acir_format::ProgramMetadata::collect_gates_per_opcode
bool collect_gates_per_opcode
Definition acir_format.hpp:145
bb::ProofLength::Honk
Full Honk proof layout (used by UltraVerifier).
Definition proof_length.hpp:100
bb::bbapi::CircuitComputeVk::execute
Response execute(const BBApiRequest &request={}) &&
Definition bbapi_ultra_honk.cpp:153
bb::bbapi::CircuitProve::Response
Contains proof and public inputs. Both are given as vectors of fields. To be used for verification....
Definition bbapi_ultra_honk.hpp:55
bb::bbapi::CircuitProve::execute
Response execute(const BBApiRequest &request={}) &&
Definition bbapi_ultra_honk.cpp:145
bb::bbapi::CircuitStats::Response::gates_per_opcode
std::vector< uint32_t > gates_per_opcode
Definition bbapi_ultra_honk.hpp:87
bb::bbapi::CircuitStats::execute
Response execute(const BBApiRequest &request={}) &&
Definition bbapi_ultra_honk.cpp:190
bb::bbapi::CircuitVerify::execute
Response execute(const BBApiRequest &request={}) &&
Definition bbapi_ultra_honk.cpp:198
bb::bbapi::CircuitWriteSolidityVerifier::execute
Response execute(const BBApiRequest &request={}) &&
Definition bbapi_ultra_honk.cpp:237
bb::bbapi::MegaVkAsFields::execute
Response execute(const BBApiRequest &request={}) &&
Definition bbapi_ultra_honk.cpp:222
bb::bbapi::VkAsFields::execute
Response execute(const BBApiRequest &request={}) &&
Definition bbapi_ultra_honk.cpp:207
ultra_prover.hpp
ultra_verifier.hpp
witness_stack.hpp