Barretenberg: src/barretenberg/chonk/chonk_verifier.cpp Source File

// === AUDIT STATUS ===

// internal:    { status: Complete, auditors: [Sergei], commit: }

// external_1:  { status: not started, auditors: [], commit: }

// external_2:  { status: not started, auditors: [], commit: }

// =====================


#include "chonk_verifier.hpp"

#include "barretenberg/chonk/batched_honk_translator/batched_honk_translator_verifier.hpp"

#include "barretenberg/commitment_schemes/ipa/ipa.hpp"

#include "barretenberg/commitment_schemes/verification_key.hpp"

#include "barretenberg/common/bb_bench.hpp"

#include "barretenberg/goblin/goblin.hpp"


namespace bb {


template <> ChonkVerifier<false>::IPAReductionResult ChonkVerifier<false>::reduce_to_ipa_claim(const Proof& proof)

{

    BB_BENCH_NAME("ChonkVerifier::reduce_to_ipa_claim");


    // Step 1: Verify MegaZK Oink on the shared transcript

    BatchedHonkTranslatorVerifier batched_verifier(vk_and_hash, transcript);

    auto oink_result = batched_verifier.verify_mega_zk_oink(proof.hiding_oink_proof);


    // Extract public inputs and kernel data

    HidingKernelIO kernel_io;

    kernel_io.reconstruct_from_public(oink_result.public_inputs);


    // Check accumulated pairing points from the IVC chain (inner recursive verifications)

    if (!kernel_io.pairing_inputs.check()) {

        info("ChonkVerifier: verification failed at PI pairing points check");

        return { {}, {}, false };

    }


    // Step 2: Databus consistency check

    const Commitment kernel_calldata_commitment = oink_result.kernel_calldata_commitment;

    const Commitment return_data_commitment = kernel_io.kernel_return_data;

    bool databus_consistency_verified = (kernel_calldata_commitment == return_data_commitment);

    vinfo("ChonkVerifier: databus consistency verified: ", databus_consistency_verified);

    if (!databus_consistency_verified) {

        info("ChonkVerifier: verification failed at databus consistency check");

        return { {}, {}, false };

    }


    // Step 3: Merge verification

    MergeCommitments merge_commitments{ .t_commitments = oink_result.ecc_op_wires,

                                        .T_prev_commitments = kernel_io.ecc_op_tables };

    GoblinVerifier::MergeVerifier merge_verifier{ transcript };

    auto merge_result = merge_verifier.reduce_to_pairing_check(proof.merge_proof, merge_commitments);

    vinfo("ChonkVerifier: Merge reduced to pairing check: ", merge_result.reduction_succeeded ? "true" : "false");


    if (!merge_result.reduction_succeeded) {

        info("ChonkVerifier: verification failed at Merge reduction");

        return { {}, {}, false };

    }

    if (!merge_result.pairing_points.check()) {

        info("ChonkVerifier: verification failed at Merge pairing check");

        return { {}, {}, false };

    }


    // Step 4: ECCVM verification

    ECCVMVerifier_<ECCVMFlavor> eccvm_verifier{ transcript, proof.eccvm_proof };

    auto eccvm_result = eccvm_verifier.reduce_to_ipa_opening();

    vinfo("ChonkVerifier: ECCVM reduced to IPA opening: ", eccvm_result.reduction_succeeded ? "true" : "false");


    if (!eccvm_result.reduction_succeeded) {

        info("ChonkVerifier: verification failed at ECCVM step");

        return { {}, {}, false };

    }

    auto translator_input = eccvm_verifier.get_translator_input_data();


    // Step 5: Translator Oink + Joint sumcheck + Joint PCS

    auto batched_result = batched_verifier.verify(proof.joint_proof,

                                                  translator_input.evaluation_challenge_x,

                                                  translator_input.batching_challenge_v,

                                                  translator_input.accumulated_result,

                                                  merge_result.merged_commitments);

    vinfo("ChonkVerifier: Batched translator+joint reduction: ", batched_result.reduction_succeeded ? "true" : "false");


    if (!batched_result.reduction_succeeded) {

        info("ChonkVerifier: verification failed at batched translator+joint reduction");

        return { {}, {}, false };

    }

    if (!batched_result.pairing_points.check()) {

        info("ChonkVerifier: verification failed at batched translator+joint pairing check");

        return { {}, {}, false };

    }


    return { std::move(eccvm_result.ipa_claim), proof.ipa_proof, true };

}


template <> ChonkVerifier<false>::Output ChonkVerifier<false>::verify(const Proof& proof)

{

    BB_BENCH_NAME("ChonkVerifier::verify");

    auto result = reduce_to_ipa_claim(proof);

    if (!result.all_checks_passed) {

        return false;

    }


    // Step 6: Verify IPA opening

    auto ipa_transcript = std::make_shared<Goblin::Transcript>(result.ipa_proof);

    auto ipa_vk = VerifierCommitmentKey<curve::Grumpkin>{ ECCVMFlavor::ECCVM_FIXED_SIZE };

    bool ipa_verified = IPA<curve::Grumpkin>::reduce_verify(ipa_vk, result.ipa_claim, ipa_transcript);

    vinfo("ChonkVerifier: Goblin IPA verified: ", ipa_verified);

    if (!ipa_verified) {

        info("ChonkVerifier: Chonk verification failed at IPA check");

        return false;

    }


    return true;

}


template <> ChonkVerifier<true>::Output ChonkVerifier<true>::verify(const Proof& proof)

{

    // Step 1: Verify MegaZK Oink on the shared transcript

    BatchedHonkTranslatorRecursiveVerifier batched_verifier(vk_and_hash, transcript);

    auto oink_result = batched_verifier.verify_mega_zk_oink(proof.hiding_oink_proof);


    // Extract public inputs and kernel data

    HidingKernelIO kernel_io;

    kernel_io.reconstruct_from_public(oink_result.public_inputs);


    // Step 2: Databus consistency check (in-circuit)

    const Commitment kernel_calldata_commitment = oink_result.kernel_calldata_commitment;

    if (kernel_io.kernel_return_data.get_value() != kernel_calldata_commitment.get_value()) {

        info("ChonkRecursiveVerifier: Databus Consistency check failure");

    }

    kernel_io.kernel_return_data.incomplete_assert_equal(kernel_calldata_commitment);


    // Step 3: Merge verification

    MergeCommitments merge_commitments{ .t_commitments = oink_result.ecc_op_wires,

                                        .T_prev_commitments = kernel_io.ecc_op_tables };

    typename GoblinVerifier::MergeVerifier merge_verifier{ transcript };

    auto merge_result = merge_verifier.reduce_to_pairing_check(proof.merge_proof, merge_commitments);

    vinfo("ChonkRecursiveVerifier: Merge reduced to pairing check: ",

          merge_result.reduction_succeeded ? "true" : "false");


    // Step 4: ECCVM verification

    typename GoblinVerifier::ECCVMVerifier eccvm_verifier{ transcript, proof.eccvm_proof };

    auto eccvm_result = eccvm_verifier.reduce_to_ipa_opening();

    vinfo("ChonkRecursiveVerifier: ECCVM reduced to IPA opening: ",

          eccvm_result.reduction_succeeded ? "true" : "false");

    auto translator_input = eccvm_verifier.get_translator_input_data();


    // Step 5: Translator Oink + Joint sumcheck + Joint PCS

    auto batched_result = batched_verifier.verify(proof.joint_proof,

                                                  translator_input.evaluation_challenge_x,

                                                  translator_input.batching_challenge_v,

                                                  translator_input.accumulated_result,

                                                  merge_result.merged_commitments);

    vinfo("ChonkRecursiveVerifier: Batched translator+joint reduction: ",

          batched_result.reduction_succeeded ? "true" : "false");


    // Step 6: Aggregate all pairing points (PI, Merge, Batched PCS)

    std::vector<PairingPoints> pairing_points_to_aggregate;

    pairing_points_to_aggregate.reserve(NUM_PAIRING_POINTS);


    pairing_points_to_aggregate.push_back(kernel_io.pairing_inputs);

    pairing_points_to_aggregate.push_back(std::move(merge_result.pairing_points));

    pairing_points_to_aggregate.push_back(std::move(batched_result.pairing_points));


    // Edge case handling disabled: Safe because:

    // 1. Verifier-computed points (Merge, Batched PCS) are deterministic and won't collide

    // 2. PI points are added to the result of batching the above points; biggroup addition

    //    gracefully handles edge cases.

    constexpr bool handle_edge_cases = false;

    PairingPoints aggregated_pairing_points =

        PairingPoints::aggregate_multiple(pairing_points_to_aggregate, handle_edge_cases);


    bool all_checks_passed =

        merge_result.reduction_succeeded && eccvm_result.reduction_succeeded && batched_result.reduction_succeeded;


    return ReductionResult{ .pairing_points = std::move(aggregated_pairing_points),

                            .ipa_claim = std::move(eccvm_result.ipa_claim),

                            .ipa_proof = proof.ipa_proof,

                            .all_checks_passed = all_checks_passed };

}


template <>


ChonkVerifier<true>::IPAReductionResult ChonkVerifier<true>::reduce_to_ipa_claim([[maybe_unused]] const Proof& proof)

{

    throw_or_abort("reduce_to_ipa_claim is only available for native (non-recursive) ChonkVerifier");

}


// Template instantiations

template class ChonkVerifier<false>; // Native verifier

template class ChonkVerifier<true>;  // Recursive verifier


} // namespace bb

batched_honk_translator_verifier.hpp

bb_bench.hpp

BB_BENCH_NAME
#define BB_BENCH_NAME(name)
Definition bb_bench.hpp:264

chonk_verifier.hpp

bb::BatchedHonkTranslatorVerifier_
Verifier for the batched MegaZK circuit + translator sumcheck and PCS.
Definition batched_honk_translator_verifier.hpp:32

bb::BatchedHonkTranslatorVerifier_::verify
ReductionResult verify(const Proof &joint_proof, const TransBF &evaluation_input_x, const TransBF &batching_challenge_v, const TransBF &accumulated_result, const std::array< Commitment, TranslatorFlavor::NUM_OP_QUEUE_WIRES > &op_queue_wire_commitments)
Phase 2: Verify translator Oink + joint sumcheck + joint PCS.
Definition batched_honk_translator_verifier.cpp:296

bb::BatchedHonkTranslatorVerifier_::verify_mega_zk_oink
OinkResult verify_mega_zk_oink(const Proof &mega_zk_proof)
Phase 1: Verify the MegaZK Oink phase on the shared transcript.
Definition batched_honk_translator_verifier.cpp:34

bb::ChonkVerifier
Verifier for Chonk IVC proofs (both native and recursive).
Definition chonk_verifier.hpp:44

bb::ChonkVerifier::Output
std::conditional_t< IsRecursive, ReductionResult, bool > Output
Definition chonk_verifier.hpp:73

bb::ChonkVerifier::reduce_to_ipa_claim
IPAReductionResult reduce_to_ipa_claim(const Proof &proof)
Run Chonk verification up to but not including IPA, returning the IPA claim for deferred verification...

bb::ChonkVerifier::PairingPoints
typename GoblinVerifier::ReductionResult::PairingPoints PairingPoints
Definition chonk_verifier.hpp:53

bb::ChonkVerifier::MergeCommitments
typename GoblinVerifier::MergeVerifier::InputCommitments MergeCommitments
Definition chonk_verifier.hpp:56

bb::ChonkVerifier::verify
Output verify(const Proof &proof)
Verify a Chonk proof.

bb::ChonkVerifier::HidingKernelIO
std::conditional_t< IsRecursive, stdlib::recursion::honk::HidingKernelIO< Builder >, bb::HidingKernelIO > HidingKernelIO
Definition chonk_verifier.hpp:52

bb::ChonkVerifier::Commitment
typename HidingKernelVerifier::Commitment Commitment
Definition chonk_verifier.hpp:76

bb::ChonkVerifier::Proof
std::conditional_t< IsRecursive, ChonkStdlibProof, ChonkProof > Proof
Definition chonk_verifier.hpp:77

bb::ECCVMFlavor::ECCVM_FIXED_SIZE
static constexpr size_t ECCVM_FIXED_SIZE
Definition eccvm_flavor.hpp:68

bb::ECCVMVerifier_
Unified ECCVM verifier class for both native and recursive verification.
Definition eccvm_verifier.hpp:19

bb::ECCVMVerifier_::reduce_to_ipa_opening
ReductionResult reduce_to_ipa_opening()
Reduce the ECCVM proof to an IPA opening claim.
Definition eccvm_verifier.cpp:21

bb::IPA
IPA (inner product argument) commitment scheme class.
Definition ipa.hpp:86

bb::MergeVerifier_
Verifier for the single-step Goblin ECC op queue merge protocol.
Definition merge_verifier.hpp:25

bb::MergeVerifier_::reduce_to_pairing_check
ReductionResult reduce_to_pairing_check(const Proof &proof, const InputCommitments &input_commitments)
Reduce the merge proof to a pairing check.
Definition merge_verifier.cpp:117

bb::VerifierCommitmentKey
Representation of the Grumpkin Verifier Commitment Key inside a bn254 circuit.
Definition verifier_commitment_key.hpp:16

info
#define info(...)
Definition log.hpp:93

vinfo
#define vinfo(...)
Definition log.hpp:94

goblin.hpp

ipa.hpp

bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

bb::BatchedHonkTranslatorVerifier_::OinkResult::kernel_calldata_commitment
Commitment kernel_calldata_commitment
Definition batched_honk_translator_verifier.hpp:102

bb::ChonkVerifier::IPAReductionResult
Result of reducing Chonk verification to an IPA opening claim (native mode only).
Definition chonk_verifier.hpp:113

bb::ChonkVerifier::ReductionResult
Result of Chonk verification reduction (recursive mode only)
Definition chonk_verifier.hpp:66

bb::ChonkVerifier::ReductionResult::pairing_points
PairingPoints pairing_points
Definition chonk_verifier.hpp:67

throw_or_abort
void throw_or_abort(std::string const &err)
Definition throw_or_abort.hpp:6

verification_key.hpp