Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
crs_factory.test.cpp
Go to the documentation of this file.
1#include "barretenberg/api/file_io.hpp"
2#include "barretenberg/common/serialize.hpp"
3#include "barretenberg/crypto/sha256/sha256.hpp"
4#include "barretenberg/ecc/curves/bn254/bn254.hpp"
5#include "barretenberg/ecc/curves/bn254/pairing.hpp"
6#include "barretenberg/srs/factories/bn254_crs_data.hpp"
7#include "barretenberg/srs/factories/bn254_g1_chunk_hashes.hpp"
8#include "barretenberg/srs/factories/get_bn254_crs.hpp"
9#include "barretenberg/srs/factories/mem_bn254_crs_factory.hpp"
10#include "barretenberg/srs/factories/mem_grumpkin_crs_factory.hpp"
11#include "barretenberg/srs/factories/native_crs_factory.hpp"
12#include "barretenberg/srs/global_crs.hpp"
13#include "http_download.hpp"
14#include <gtest/gtest.h>
15#include <span>
16#include <utility>
17
18using namespace bb;
19using namespace bb::srs::factories;
20using namespace bb::curve;
21namespace fs = std::filesystem;
22
23namespace {
24// BN254 consistency checker
25void check_bn254_consistency(const fs::path& crs_download_path, size_t num_points, bool allow_download)
26{
27 NativeBn254CrsFactory file_crs(crs_download_path, allow_download);
28
29 // Use get_bn254_g1_data to load reference points (handles compressed/uncompressed automatically)
30 auto g1_points = bb::get_bn254_g1_data(bb::srs::bb_crs_path(), num_points, /*allow_download=*/false);
31
32 // read and verify G2 (SHA-256-pinned + subgroup-checked)
33 auto g2_point = bb::get_bn254_g2_data(bb::srs::bb_crs_path());
34
35 // build in-memory CRS
36 MemBn254CrsFactory mem_crs(g1_points, g2_point);
37
38 // prover CRS
39 auto f_prover = file_crs.get_crs(num_points);
40 auto m_prover = mem_crs.get_crs(num_points);
41 EXPECT_EQ(m_prover->get_monomial_size(), f_prover->get_monomial_size());
42 for (size_t i = 0; i < num_points; ++i) {
43 EXPECT_EQ(std::make_pair(i, m_prover->get_monomial_points()[i]),
44 std::make_pair(i, f_prover->get_monomial_points()[i]));
45 }
46 // verifier CRS
47 auto f_ver = file_crs.get_verifier_crs();
48 auto m_ver = mem_crs.get_verifier_crs();
49 EXPECT_EQ(m_ver->get_g2x(), f_ver->get_g2x());
50 EXPECT_EQ(0,
51 memcmp(m_ver->get_precomputed_g2_lines(),
52 f_ver->get_precomputed_g2_lines(),
53 sizeof(pairing::miller_lines) * 2));
54}
55
56// Grumpkin consistency checker
57void check_grumpkin_consistency(const fs::path& crs_download_path, size_t num_points, bool allow_download)
58{
59 NativeGrumpkinCrsFactory file_crs(crs_download_path, allow_download);
60
61 // read G1
62 std::vector<Grumpkin::AffineElement> points(num_points);
63 auto data =
64 read_file(bb::srs::bb_crs_path() / "grumpkin_g1.flat.dat", num_points * sizeof(Grumpkin::AffineElement));
65
66 for (size_t i = 0; i < num_points; ++i) {
67 points[i] = from_buffer<Grumpkin::AffineElement>(data, i * sizeof(g1::affine_element));
68 }
69 MemGrumpkinCrsFactory mem_crs(points);
70
71 // prover CRS
72 auto f_prover = file_crs.get_crs(num_points);
73 auto m_prover = mem_crs.get_crs(num_points);
74 EXPECT_EQ(m_prover->get_monomial_size(), f_prover->get_monomial_size());
75 for (size_t i = 0; i < num_points; ++i) {
76 EXPECT_EQ(std::make_pair(i, m_prover->get_monomial_points()[i]),
77 std::make_pair(i, f_prover->get_monomial_points()[i]));
78 }
79}
80} // namespace
81
82TEST(CrsFactory, bn254)
83{
84 check_bn254_consistency(bb::srs::bb_crs_path(), 1024, /*allow_download=*/false);
85 const std::filesystem::path& temp_crs_path = "barretenberg_srs_test_crs_bn254";
86 fs::remove_all(temp_crs_path);
87 fs::create_directories(temp_crs_path);
88 // Tiny download check to test the 'net CRS' path
89 ASSERT_ANY_THROW(check_bn254_consistency(temp_crs_path, 1, /*allow_download=*/false));
90 check_bn254_consistency(temp_crs_path, 1, /*allow_download=*/true);
91}
92
93TEST(CrsFactory, grumpkin)
94{
95 check_grumpkin_consistency(bb::srs::bb_crs_path(), 1024, /*allow_download=*/false);
96 const std::filesystem::path& temp_crs_path = "barretenberg_srs_test_crs_grumpkin";
97 fs::remove_all(temp_crs_path);
98 fs::create_directories(temp_crs_path);
99 // Tiny download check to test the 'net CRS' path
100 ASSERT_ANY_THROW(check_grumpkin_consistency(temp_crs_path, 1, /*allow_download=*/false));
101 check_grumpkin_consistency(temp_crs_path, 1, /*allow_download=*/true);
102}
103
104// TODO: Re-enable once g1_compressed.dat is deployed to S3 fallback
105TEST(CrsFactory, DISABLED_Bn254Fallback)
106{
107 // Test that fallback works when primary URL fails
108 const std::filesystem::path& temp_crs_path = "barretenberg_srs_test_crs_bn254_fallback";
109 fs::remove_all(temp_crs_path);
110 fs::create_directories(temp_crs_path);
111
112 // Use a bad primary URL that will fail, forcing fallback to the real S3 URL
113 std::string bad_primary = "http://nonexistent.invalid/g1_compressed.dat";
114 std::string good_fallback = "http://crs.aztec-labs.com/g1_compressed.dat";
115
116 // This should succeed by falling back to the working URL
117 auto points = bb::get_bn254_g1_data(temp_crs_path, 1, /*allow_download=*/true, bad_primary, good_fallback);
118 EXPECT_EQ(points.size(), 1);
119 // Verify the downloaded point matches the expected first element
120 EXPECT_EQ(points[0], bb::srs::BN254_G1_FIRST_ELEMENT);
121
122 fs::remove_all(temp_crs_path);
123}
124
125// The hardcoded `[x]_2` baked into the BB native binary must be a member of the BN254 G2 prime-order subgroup.
126TEST(CrsFactory, Bn254HardcodedG2IsInPrimeSubgroup)
127{
128 auto g2_point = bb::srs::get_bn254_g2_crs_element();
129 ASSERT_TRUE(g2_point.on_curve());
130 EXPECT_TRUE(g2_point.is_in_prime_subgroup());
131}
132
133// Locks `BN254_G2_ELEMENT_SHA256` to the actual hash of `BN254_G2_ELEMENT_BYTES`. If anyone edits
134// the bytes without recomputing the hash (or vice versa), this fails and forces them to fix it.
135TEST(CrsFactory, Bn254G2HashMatchesPinnedBytes)
136{
137 auto hash = bb::crypto::sha256(
138 std::span<const uint8_t>(bb::srs::BN254_G2_ELEMENT_BYTES.data(), bb::srs::BN254_G2_ELEMENT_BYTES.size()));
139 EXPECT_EQ(hash, bb::srs::BN254_G2_ELEMENT_SHA256);
140}
141
142// Round-trip: the on-disk `bn254_g2.dat` provisioned by `barretenberg/crs/bootstrap.sh` must
143// match the pinned canonical bytes byte-for-byte and pass subgroup validation. This catches
144// corruption, accidental SRS swaps, or an outdated CDN payload.
145TEST(CrsFactory, Bn254G2DataLoadsAndVerifies)
146{
147 auto g2_point = bb::get_bn254_g2_data(bb::srs::bb_crs_path());
148 EXPECT_EQ(g2_point, bb::srs::get_bn254_g2_crs_element());
149}
150
151// A tampered `bn254_g2.dat` (corrupted single byte) must be rejected by the SHA-256 check.
152TEST(CrsFactory, Bn254G2CorruptionDetected)
153{
154 const std::filesystem::path temp_path = "barretenberg_srs_test_crs_g2_corruption";
155 fs::remove_all(temp_path);
156 fs::create_directories(temp_path);
157
158 auto corrupted =
159 std::vector<uint8_t>(bb::srs::BN254_G2_ELEMENT_BYTES.begin(), bb::srs::BN254_G2_ELEMENT_BYTES.end());
160 corrupted[64] ^= 0xFF;
161 bb::write_file(temp_path / "bn254_g2.dat", corrupted);
162
163 EXPECT_THROW_OR_ABORT(bb::get_bn254_g2_data(temp_path), "SHA-256 mismatch");
164
165 fs::remove_all(temp_path);
166}
167
168// Check that a `bn254_g2.dat` containing the point at infinity is rejected, even though it is technically on-curve.
169TEST(CrsFactory, Bn254G2InfinityRejected)
170{
171 const std::filesystem::path temp_path = "barretenberg_srs_test_crs_g2_infinity";
172 fs::remove_all(temp_path);
173 fs::create_directories(temp_path);
174
175 std::vector<uint8_t> infinity_bytes(128, 0xFF);
176 bb::write_file(temp_path / "bn254_g2.dat", infinity_bytes);
177
178 EXPECT_THROW_OR_ABORT(bb::get_bn254_g2_data(temp_path), "point at infinity");
179
180 fs::remove_all(temp_path);
181}
182
183TEST(CrsFactory, Bn254CompressedChunkHashFirstChunk)
184{
185 // Download the first chunk of compressed CRS from CDN and verify its hash.
186 // We don't require compressed data on disk; only uncompressed is cached.
187 auto data = bb::srs::http_download(
188 "http://crs.aztec-cdn.foundation/g1_compressed.dat", 0, bb::srs::SRS_CHUNK_SIZE_BYTES - 1);
189 auto chunk = std::span<const uint8_t>(data.data(), data.size());
190 auto hash = bb::crypto::sha256(chunk);
191 EXPECT_EQ(hash, bb::srs::BN254_G1_CHUNK_HASHES[0]);
192}
193
194TEST(CrsFactory, Bn254CompressedChunkHashCorruptionDetected)
195{
196 // Download compressed data and verify that corruption is detected.
197 auto data = bb::srs::http_download(
198 "http://crs.aztec-cdn.foundation/g1_compressed.dat", 0, bb::srs::SRS_CHUNK_SIZE_BYTES - 1);
199
200 data[bb::srs::SRS_CHUNK_SIZE_BYTES / 2] ^= 0xFF;
201 auto chunk = std::span<const uint8_t>(data.data(), data.size());
202 auto hash = bb::crypto::sha256(chunk);
203 EXPECT_NE(hash, bb::srs::BN254_G1_CHUNK_HASHES[0]);
204}
EXPECT_THROW_OR_ABORT
#define EXPECT_THROW_OR_ABORT(statement, matcher)
Definition assert.hpp:192
bn254_crs_data.hpp
bn254_g1_chunk_hashes.hpp
bb::curve::Grumpkin::AffineElement
typename Group::affine_element AffineElement
Definition grumpkin.hpp:64
bb::group_elements::affine_element
Definition affine_element.hpp:27
data
const std::vector< MemoryValue > data
Definition data_copy.test.cpp:70
file_io.hpp
get_bn254_crs.hpp
global_crs.hpp
http_download.hpp
mem_bn254_crs_factory.hpp
mem_grumpkin_crs_factory.hpp
bb::crypto::sha256
Sha256Hash sha256(const ByteContainer &input)
SHA-256 hash function (FIPS 180-4)
Definition sha256.cpp:150
bb::group_elements::num_points
const size_t num_points
Definition element_impl.hpp:756
bb::srs::get_bn254_g2_crs_element
g2::affine_element get_bn254_g2_crs_element()
Reference BN254 G2 element from the trusted setup CRS.
Definition bn254_crs_data.hpp:66
bb::srs::http_download
std::vector< uint8_t > http_download(const std::string &url, size_t start_byte=0, size_t end_byte=0)
Download data from a URL with optional Range header support.
Definition http_download.hpp:46
bb::srs::bb_crs_path
std::filesystem::path bb_crs_path()
Definition global_crs.cpp:14
bb::srs::BN254_G2_ELEMENT_BYTES
constexpr std::array< uint8_t, 128 > BN254_G2_ELEMENT_BYTES
Raw 128-byte serialization of the BN254 G2 trusted-setup point [x]_2.
Definition bn254_crs_data.hpp:39
bb::srs::BN254_G2_ELEMENT_SHA256
constexpr std::array< uint8_t, 32 > BN254_G2_ELEMENT_SHA256
SHA-256 hash of BN254_G2_ELEMENT_BYTES.
Definition bn254_crs_data.hpp:56
bb::srs::BN254_G1_FIRST_ELEMENT
constexpr g1::affine_element BN254_G1_FIRST_ELEMENT
Expected first G1 element from BN254 CRS.
Definition bn254_crs_data.hpp:14
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
bb::get_bn254_g1_data
std::vector< g1::affine_element > get_bn254_g1_data(const std::filesystem::path &path, size_t num_points, bool allow_download, const std::string &primary_url, const std::string &fallback_url)
Definition get_bn254_crs.cpp:203
bb::read_file
std::vector< uint8_t > read_file(const std::string &filename, size_t bytes=0)
Definition file_io.hpp:31
bb::TEST
TEST(BoomerangMegaCircuitBuilder, BasicCircuit)
Definition graph_description_megacircuitbuilder.test.cpp:22
bb::get_bn254_g2_data
g2::affine_element get_bn254_g2_data(const std::filesystem::path &path)
Definition get_bn254_crs.cpp:281
bb::write_file
void write_file(const std::string &filename, std::span< const uint8_t > data)
Definition file_io.hpp:101
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
native_crs_factory.hpp
bb::pairing::miller_lines
Definition pairing.hpp:49