Barretenberg: src/barretenberg/eccvm/eccvm.test.cpp Source File

#include <cstddef>

#include <cstdint>

#include <gtest/gtest.h>

#include <vector>


#include "barretenberg/commitment_schemes/ipa/ipa.hpp"

#include "barretenberg/commitment_schemes/verification_key.hpp"

#include "barretenberg/eccvm/eccvm_circuit_builder.hpp"

#include "barretenberg/eccvm/eccvm_prover.hpp"

#include "barretenberg/eccvm/eccvm_test_utils.hpp"

#include "barretenberg/eccvm/eccvm_verifier.hpp"

#include "barretenberg/flavor/test_utils/proof_structures.hpp"

#include "barretenberg/honk/library/grand_product_delta.hpp"

#include "barretenberg/numeric/uint256/uint256.hpp"

#include "barretenberg/relations/permutation_relation.hpp"

#include "barretenberg/relations/relation_parameters.hpp"

#include "barretenberg/srs/global_crs.hpp"

#include "barretenberg/sumcheck/sumcheck.hpp"

#include "barretenberg/sumcheck/sumcheck_round.hpp"


using namespace bb;

using FF = ECCVMFlavor::FF;

using PK = ECCVMFlavor::ProvingKey;

using Transcript = ECCVMFlavor::Transcript;

using ECCVMVerifier = ECCVMVerifier_<ECCVMFlavor>;

using PCS = IPA<ECCVMFlavor::Curve, CONST_ECCVM_LOG_N>;

using eccvm_test_utils::add_hiding_op_for_test;


// Test helper: Create a VK by committing to proving key polynomials (for comparing with fixed VK)


ECCVMFlavor::VerificationKey create_vk_from_proving_key(const std::shared_ptr<PK>& proving_key)

{

    ECCVMFlavor::VerificationKey vk;

    // Overwrite fixed commitments with computed commitments from the proving key

    for (auto [polynomial, commitment] : zip_view(proving_key->polynomials.get_precomputed(), vk.get_all())) {

        commitment = proving_key->commitment_key.commit(polynomial);

    }

    return vk;

}


// Compute VK hash from fixed commitments (for test verification that vk_hash() is correct)


ECCVMFlavor::BF compute_eccvm_vk_hash()

{

    std::vector<ECCVMFlavor::BF> elements;

    // Serialize commitments using the Codec

    for (const auto& commitment : ECCVMHardcodedVKAndHash::get_all()) {

        auto frs = ECCVMFlavor::Codec::serialize_to_fields(commitment);

        for (const auto& fr : frs) {

            elements.push_back(fr);

        }

    }

    return ECCVMFlavor::HashFunction::hash(elements);

}


class ECCVMTests : public ::testing::Test {

  protected:

    void SetUp() override { srs::init_file_crs_factory(bb::srs::bb_crs_path()); };

};


namespace {

auto& engine = numeric::get_debug_randomness();

} // namespace


ECCVMCircuitBuilder generate_circuit(numeric::RNG* engine = nullptr)

{

    using Curve = curve::BN254;

    using G1 = Curve::Element;

    using Fr = Curve::ScalarField;


    std::shared_ptr<ECCOpQueue> op_queue = std::make_shared<ECCOpQueue>();

    G1 a = G1::random_element(engine);

    G1 b = G1::random_element(engine);

    G1 c = G1::random_element(engine);

    Fr x = Fr::random_element(engine);

    Fr y = Fr::random_element(engine);


    op_queue->add_accumulate(a);

    op_queue->mul_accumulate(a, x);

    op_queue->mul_accumulate(b, x);

    op_queue->mul_accumulate(b, y);

    op_queue->add_accumulate(a);

    op_queue->mul_accumulate(b, x);

    op_queue->eq_and_reset();

    op_queue->add_accumulate(c);

    op_queue->mul_accumulate(a, x);

    op_queue->mul_accumulate(b, x);

    op_queue->eq_and_reset();

    op_queue->mul_accumulate(a, x);

    op_queue->mul_accumulate(b, x);

    op_queue->mul_accumulate(c, x);

    op_queue->merge();

    add_hiding_op_for_test(op_queue);

    ECCVMCircuitBuilder builder{ op_queue };

    return builder;

}


// returns a CircuitBuilder consisting of mul_add ops of the following form: either 0*g, for a group element, or

// x * e, where x is a scalar and e is the identity element of the group.


ECCVMCircuitBuilder generate_zero_circuit([[maybe_unused]] numeric::RNG* engine = nullptr, bool zero_scalars = 1)

{

    using Curve = curve::BN254;

    using G1 = Curve::Element;

    using Fr = Curve::ScalarField;


    std::shared_ptr<ECCOpQueue> op_queue = std::make_shared<ECCOpQueue>();


    if (!zero_scalars) {

        for (auto i = 0; i < 8; i++) {

            Fr x = Fr::random_element(engine);

            op_queue->mul_accumulate(Curve::Group::affine_point_at_infinity, x);

        }

    } else {

        for (auto i = 0; i < 8; i++) {

            G1 g = G1::random_element(engine);

            op_queue->mul_accumulate(g, 0);

        }

    }

    op_queue->merge();

    add_hiding_op_for_test(op_queue);


    ECCVMCircuitBuilder builder{ op_queue };

    return builder;

}


void complete_proving_key_for_test(bb::RelationParameters<FF>& relation_parameters,

                                   std::shared_ptr<PK>& pk,

                                   std::vector<FF>& gate_challenges)

{

    // Prepare the inputs for the sumcheck prover:

    // Compute and add beta to relation parameters

    const FF beta = FF::random_element();

    const FF gamma = FF::random_element();

    const FF beta_sqr = beta * beta;

    const FF beta_quartic = beta_sqr * beta_sqr;

    relation_parameters.gamma = gamma;

    relation_parameters.beta = beta;

    relation_parameters.beta_sqr = beta_sqr;

    relation_parameters.beta_cube = beta_sqr * beta;

    relation_parameters.beta_quartic = beta_quartic;

    auto first_term_tag = beta_quartic; // FIRST_TERM_TAG (= 1) * beta_quartic

    relation_parameters.eccvm_set_permutation_delta = (gamma + first_term_tag) * (gamma + beta_sqr + first_term_tag) *

                                                      (gamma + beta_sqr + beta_sqr + first_term_tag) *

                                                      (gamma + beta_sqr + beta_sqr + beta_sqr + first_term_tag);

    relation_parameters.eccvm_set_permutation_delta = relation_parameters.eccvm_set_permutation_delta.invert();


    // Compute z_perm and inverse polynomial for our logarithmic-derivative lookup method

    // Skip the disabled head region to preserve masking values

    compute_logderivative_inverse<FF, ECCVMFlavor::LookupRelation, ECCVMFlavor::ProverPolynomials, true>(

        pk->polynomials, relation_parameters, ECCVMFlavor::TRACE_OFFSET);

    compute_grand_products<ECCVMFlavor>(pk->polynomials, relation_parameters);


    // Generate gate challenges

    for (size_t idx = 0; idx < CONST_ECCVM_LOG_N; idx++) {

        gate_challenges[idx] = FF::random_element();

    }

}


TEST_F(ECCVMTests, ZeroesCoefficients)

{

    ECCVMCircuitBuilder builder = generate_zero_circuit(&engine, 1);


    std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();

    ECCVMProver prover(builder, prover_transcript);

    auto [proof, opening_claim] = prover.construct_proof();


    // Compute IPA proof

    auto ipa_transcript = std::make_shared<Transcript>();

    PCS::compute_opening_proof(prover.key->commitment_key, opening_claim, ipa_transcript);


    std::shared_ptr<Transcript> verifier_transcript = std::make_shared<Transcript>();

    ECCVMVerifier verifier(verifier_transcript, proof);

    auto eccvm_result = verifier.reduce_to_ipa_opening();


    // Verify IPA

    auto ipa_verifier_transcript = std::make_shared<Transcript>(ipa_transcript->export_proof());

    auto ipa_vk = VerifierCommitmentKey<curve::Grumpkin>{ ECCVMFlavor::ECCVM_FIXED_SIZE };

    bool ipa_verified = IPA<curve::Grumpkin>::reduce_verify(ipa_vk, eccvm_result.ipa_claim, ipa_verifier_transcript);


    ASSERT_TRUE(ipa_verified && eccvm_result.reduction_succeeded);

}


// Calling get_eccvm_ops without a hiding op should throw


TEST_F(ECCVMTests, MissingHidingOpThrows)

{

    std::shared_ptr<ECCOpQueue> op_queue = std::make_shared<ECCOpQueue>();

    // get_eccvm_ops() requires a hiding op to have been set; throws "Hiding op must be set before calling

    // get_eccvm_ops()"

    EXPECT_THROW(op_queue->get_eccvm_ops(), std::runtime_error);

}


// Note that `NullOpQueue` is somewhat misleading, as we add a hiding operation.


TEST_F(ECCVMTests, NullOpQUeue)

{

    std::shared_ptr<ECCOpQueue> op_queue = std::make_shared<ECCOpQueue>();

    add_hiding_op_for_test(op_queue);

    ECCVMCircuitBuilder builder{ op_queue };

    std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();

    ECCVMProver prover(builder, prover_transcript);

    auto [proof, opening_claim] = prover.construct_proof();


    // Compute IPA proof

    auto ipa_transcript = std::make_shared<Transcript>();

    PCS::compute_opening_proof(prover.key->commitment_key, opening_claim, ipa_transcript);


    std::shared_ptr<Transcript> verifier_transcript = std::make_shared<Transcript>();

    ECCVMVerifier verifier(verifier_transcript, proof);

    auto eccvm_result = verifier.reduce_to_ipa_opening();


    // Verify IPA

    auto ipa_verifier_transcript = std::make_shared<Transcript>(ipa_transcript->export_proof());

    auto ipa_vk = VerifierCommitmentKey<curve::Grumpkin>{ ECCVMFlavor::ECCVM_FIXED_SIZE };

    bool ipa_verified = IPA<curve::Grumpkin>::reduce_verify(ipa_vk, eccvm_result.ipa_claim, ipa_verifier_transcript);


    ASSERT_TRUE(ipa_verified && eccvm_result.reduction_succeeded);

}


TEST_F(ECCVMTests, PointAtInfinity)

{

    ECCVMCircuitBuilder builder = generate_zero_circuit(&engine, 0);


    std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();

    ECCVMProver prover(builder, prover_transcript);

    auto [proof, opening_claim] = prover.construct_proof();


    auto ipa_transcript = std::make_shared<Transcript>();

    PCS::compute_opening_proof(prover.key->commitment_key, opening_claim, ipa_transcript);


    std::shared_ptr<Transcript> verifier_transcript = std::make_shared<Transcript>();

    ECCVMVerifier verifier(verifier_transcript, proof);

    auto eccvm_result = verifier.reduce_to_ipa_opening();


    auto ipa_verifier_transcript = std::make_shared<Transcript>(ipa_transcript->export_proof());

    auto ipa_vk = VerifierCommitmentKey<curve::Grumpkin>{ ECCVMFlavor::ECCVM_FIXED_SIZE };

    bool ipa_verified = IPA<curve::Grumpkin>::reduce_verify(ipa_vk, eccvm_result.ipa_claim, ipa_verifier_transcript);


    ASSERT_TRUE(ipa_verified && eccvm_result.reduction_succeeded);

}


TEST_F(ECCVMTests, ScalarEdgeCase)

{

    using Curve = curve::BN254;

    using G1 = Curve::Element;

    using Fr = Curve::ScalarField;


    std::shared_ptr<ECCOpQueue> op_queue = std::make_shared<ECCOpQueue>();

    G1 a = G1::one();


    op_queue->mul_accumulate(a, Fr(uint256_t(1) << 128));

    op_queue->eq_and_reset();

    op_queue->merge();

    add_hiding_op_for_test(op_queue);

    ECCVMCircuitBuilder builder{ op_queue };


    std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();

    ECCVMProver prover(builder, prover_transcript);

    auto [proof, opening_claim] = prover.construct_proof();


    auto ipa_transcript = std::make_shared<Transcript>();

    PCS::compute_opening_proof(prover.key->commitment_key, opening_claim, ipa_transcript);


    std::shared_ptr<Transcript> verifier_transcript = std::make_shared<Transcript>();

    ECCVMVerifier verifier(verifier_transcript, proof);

    auto eccvm_result = verifier.reduce_to_ipa_opening();


    auto ipa_verifier_transcript = std::make_shared<Transcript>(ipa_transcript->export_proof());

    auto ipa_vk = VerifierCommitmentKey<curve::Grumpkin>{ ECCVMFlavor::ECCVM_FIXED_SIZE };

    bool ipa_verified = IPA<curve::Grumpkin>::reduce_verify(ipa_vk, eccvm_result.ipa_claim, ipa_verifier_transcript);


    ASSERT_TRUE(ipa_verified && eccvm_result.reduction_succeeded);

}


TEST_F(ECCVMTests, ProofLengthCheck)

{

    ECCVMCircuitBuilder builder = generate_circuit(&engine);


    std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();

    ECCVMProver prover(builder, prover_transcript);

    auto [proof, opening_claim] = prover.construct_proof();

    EXPECT_EQ(proof.size(), ECCVMFlavor::PROOF_LENGTH);

}


TEST_F(ECCVMTests, BaseCaseFixedSize)

{

    std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();

    ECCVMProver prover = [&]() {

        ECCVMCircuitBuilder builder = generate_circuit(&engine);

        return ECCVMProver(builder, prover_transcript);

    }();


    auto [proof, opening_claim] = prover.construct_proof();


    auto ipa_transcript = std::make_shared<Transcript>();

    PCS::compute_opening_proof(prover.key->commitment_key, opening_claim, ipa_transcript);


    std::shared_ptr<Transcript> verifier_transcript = std::make_shared<Transcript>();

    ECCVMVerifier verifier(verifier_transcript, proof);

    auto eccvm_result = verifier.reduce_to_ipa_opening();


    auto ipa_verifier_transcript = std::make_shared<Transcript>(ipa_transcript->export_proof());

    auto ipa_vk = VerifierCommitmentKey<curve::Grumpkin>{ ECCVMFlavor::ECCVM_FIXED_SIZE };

    bool ipa_verified = IPA<curve::Grumpkin>::reduce_verify(ipa_vk, eccvm_result.ipa_claim, ipa_verifier_transcript);


    ASSERT_TRUE(ipa_verified && eccvm_result.reduction_succeeded);

}


TEST_F(ECCVMTests, EqFailsFixedSize)

{

    auto builder = generate_circuit(&engine);

    // Tamper with the eq op such that the expected value is incorect

    builder.op_queue->add_erroneous_equality_op_for_testing();

    builder.op_queue->merge();


    std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();

    ECCVMProver prover(builder, prover_transcript);


    auto [proof, opening_claim] = prover.construct_proof();


    auto ipa_transcript = std::make_shared<Transcript>();

    PCS::compute_opening_proof(prover.key->commitment_key, opening_claim, ipa_transcript);


    std::shared_ptr<Transcript> verifier_transcript = std::make_shared<Transcript>();

    ECCVMVerifier verifier(verifier_transcript, proof);

    auto eccvm_result = verifier.reduce_to_ipa_opening();


    auto ipa_verifier_transcript = std::make_shared<Transcript>(ipa_transcript->export_proof());

    auto ipa_vk = VerifierCommitmentKey<curve::Grumpkin>{ ECCVMFlavor::ECCVM_FIXED_SIZE };

    bool ipa_verified = IPA<curve::Grumpkin>::reduce_verify(ipa_vk, eccvm_result.ipa_claim, ipa_verifier_transcript);


    ASSERT_FALSE(ipa_verified && eccvm_result.reduction_succeeded);

}


TEST_F(ECCVMTests, CommittedSumcheck)

{

    using Flavor = ECCVMFlavor;

    using ProvingKey = ECCVMFlavor::ProvingKey;

    using FF = ECCVMFlavor::FF;

    using Transcript = Flavor::Transcript;

    using ZKData = ZKSumcheckData<Flavor>;


    bb::RelationParameters<FF> relation_parameters;

    std::vector<FF> gate_challenges(CONST_ECCVM_LOG_N);


    ECCVMCircuitBuilder builder = generate_circuit(&engine);

    std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();

    ECCVMProver prover(builder, prover_transcript);

    auto pk = std::make_shared<ProvingKey>(builder);


    // Prepare the inputs for the sumcheck prover:

    // Compute and add beta to relation parameters

    const FF alpha = FF::random_element();

    complete_proving_key_for_test(relation_parameters, pk, gate_challenges);


    // Clear the transcript

    prover_transcript = std::make_shared<Transcript>();


    // Run Sumcheck on the ECCVM Prover polynomials

    using SumcheckProver = SumcheckProver<ECCVMFlavor>;

    SumcheckProver sumcheck_prover(pk->circuit_size,

                                   pk->polynomials,

                                   prover_transcript,

                                   alpha,

                                   gate_challenges,

                                   relation_parameters,

                                   CONST_ECCVM_LOG_N);


    ZKData zk_sumcheck_data = ZKData(CONST_ECCVM_LOG_N, prover_transcript);

    auto prover_output = sumcheck_prover.prove(zk_sumcheck_data);


    std::shared_ptr<Transcript> verifier_transcript = std::make_shared<Transcript>(prover_transcript->export_proof());


    // Execute Sumcheck Verifier

    SumcheckVerifier<Flavor> sumcheck_verifier(verifier_transcript, alpha, CONST_ECCVM_LOG_N);

    SumcheckOutput<ECCVMFlavor> verifier_output = sumcheck_verifier.verify(relation_parameters, gate_challenges);


    // Evaluate prover's round univariates at corresponding challenges and compare them with the claimed evaluations

    // computed by the verifier

    for (size_t idx = 0; idx < CONST_ECCVM_LOG_N; idx++) {

        FF true_eval_at_the_challenge = prover_output.round_univariates[idx].evaluate(prover_output.challenge[idx]);

        FF verifier_eval_at_the_challenge = verifier_output.round_univariate_evaluations[idx][2];

        EXPECT_TRUE(true_eval_at_the_challenge == verifier_eval_at_the_challenge);

    }


    // Check that the first sumcheck univariate is consistent with the claimed ZK Sumchek Sum

    FF prover_target_sum = zk_sumcheck_data.libra_challenge * zk_sumcheck_data.libra_total_sum;


    EXPECT_TRUE(prover_target_sum == verifier_output.round_univariate_evaluations[0][0] +

                                         verifier_output.round_univariate_evaluations[0][1]);


    EXPECT_TRUE(verifier_output.verified);

}


TEST_F(ECCVMTests, BaseInfinityForgedCoordinatesRejected)

{

    using Curve = curve::BN254;

    using G1 = Curve::Element;

    using Fr = Curve::ScalarField;


    auto generators = Curve::Group::derive_generators("base_infinity_regression", 2);

    G1 a = generators[0];

    G1 b = generators[1]; // the point the attacker tries to smuggle in

    Fr x = Fr::random_element(&engine);

    Fr y = Fr::random_element(&engine);


    // Honest vs forged results

    G1 honest_result = a * x + b * y;

    G1 forged_result = a * x;

    ASSERT_NE(honest_result, forged_result) << "Need b*y != 0 for a meaningful attack";


    // Build the circuit: mul(a, x), mul(infinity, y), eq_and_reset()

    // The op queue honestly computes a*x + infinity*y = a*x. Eq point = a*x.

    // The builder sets base_infinity=1 at the second mul row.

    std::shared_ptr<ECCOpQueue> op_queue = std::make_shared<ECCOpQueue>();

    op_queue->mul_accumulate(a, x);

    op_queue->mul_accumulate(Curve::Group::affine_point_at_infinity, y);

    op_queue->eq_and_reset();

    op_queue->merge();

    add_hiding_op_for_test(op_queue);


    ECCVMCircuitBuilder builder{ op_queue };


    // Create prover (polynomials are built in the constructor)

    std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();

    ECCVMProver prover(builder, prover_transcript);


    // Find the mul row with base_infinity=1

    auto& polys = prover.key->polynomials;

    const size_t num_rows = polys.get_polynomial_size();

    size_t forged_row = 0;

    for (size_t i = 0; i < num_rows; i++) {

        if (polys.transcript_op[i] == FF(4) && polys.transcript_base_infinity[i] == FF(1)) {

            forged_row = i;

            break;

        }

    }

    ASSERT_GT(forged_row, size_t(0)) << "Could not find infinity mul row";


    // Replace transcript_Px/Py with valid on-curve point b.

    // After this, the committed transcript says: mul(a,x), mul(b,y), eq(a*x)

    // Honest result = a*x + b*y, but the proof will claim a*x.

    auto b_affine = Curve::Group::affine_element(b);

    polys.transcript_Px.at(forged_row) = b_affine.x;

    polys.transcript_Py.at(forged_row) = b_affine.y;


    // Generate proof from modified polynomials

    auto [proof, opening_claim] = prover.construct_proof();


    // Compute IPA opening proof

    auto ipa_transcript = std::make_shared<Transcript>();

    PCS::compute_opening_proof(prover.key->commitment_key, opening_claim, ipa_transcript);


    // Verify the ECCVM proof

    std::shared_ptr<Transcript> verifier_transcript = std::make_shared<Transcript>();

    ECCVMVerifier verifier(verifier_transcript, proof);

    auto eccvm_result = verifier.reduce_to_ipa_opening();


    // Verify the IPA proof

    auto ipa_verifier_transcript = std::make_shared<Transcript>(ipa_transcript->export_proof());

    auto ipa_vk = VerifierCommitmentKey<curve::Grumpkin>{ ECCVMFlavor::ECCVM_FIXED_SIZE };

    bool ipa_verified = IPA<curve::Grumpkin>::reduce_verify(ipa_vk, eccvm_result.ipa_claim, ipa_verifier_transcript);


    bool proof_verified = ipa_verified && eccvm_result.reduction_succeeded;


    EXPECT_FALSE(proof_verified)

        << "REGRESSION: Forged ECCVM proof must NOT verify after base_infinity coordinate constraints";

}


TEST_F(ECCVMTests, FixedVK)

{

    // Generate a circuit and its verification key (computed at runtime from the proving key)

    ECCVMCircuitBuilder builder = generate_circuit(&engine);

    std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();

    ECCVMProver prover(builder, prover_transcript);

    auto [proof, opening_claim] = prover.construct_proof();


    std::shared_ptr<Transcript> verifier_transcript = std::make_shared<Transcript>();

    ECCVMVerifier verifier(verifier_transcript, proof);


    // Generate the default fixed VK

    ECCVMFlavor::VerificationKey fixed_vk{};

    // Generate a VK from PK

    ECCVMFlavor::VerificationKey vk_computed_by_prover = create_vk_from_proving_key(prover.key);


    const auto& labels = bb::ECCVMFlavor::VerificationKey::get_labels();

    size_t index = 0;

    for (auto [vk_commitment, fixed_commitment] : zip_view(vk_computed_by_prover.get_all(), fixed_vk.get_all())) {

        EXPECT_EQ(vk_commitment, fixed_commitment)

            << "Mismatch between vk_commitment and fixed_commitment at label: " << labels[index];

        ++index;

    }


    // Check that the fixed VK is equal to the generated VK

    EXPECT_EQ(fixed_vk, vk_computed_by_prover);


    // Verify that the hardcoded VK hash matches the computed hash

    auto computed_hash = compute_eccvm_vk_hash();

    auto hardcoded_hash = ECCVMHardcodedVKAndHash::vk_hash();

    if (computed_hash != hardcoded_hash) {

        info("VK hash mismatch! Update ECCVMHardcodedVKAndHash::vk_hash() with:");

        info("0x", computed_hash);

    }

    EXPECT_EQ(computed_hash, hardcoded_hash) << "Hardcoded VK hash does not match computed hash";

}


TEST_F(ECCVMTests, WitnessPolynomialsMasked)

{

    ECCVMCircuitBuilder builder = generate_circuit(&engine);

    ECCVMFlavor::ProverPolynomials polynomials(builder);


    // Every witness polynomial should have at least one non-zero masking value

    auto check_masked = [](const auto& poly, const std::string& label) {

        bool has_masking = false;

        for (size_t j = 0; j < NUM_MASKED_ROWS; j++) {

            has_masking |= !poly[NUM_ZERO_ROWS + j].is_zero();

        }

        EXPECT_TRUE(has_masking) << label << " should be masked but has all zeros in masking region";

    };


    ECCVMFlavor::CommitmentLabels labels;

    for (auto [poly, label] : zip_view(polynomials.get_wires(), labels.get_wires())) {

        check_masked(poly, label);

    }

    check_masked(polynomials.z_perm, "z_perm");

    check_masked(polynomials.lookup_inverses, "lookup_inverses");

}


TEST_F(ECCVMTests, RepeatedCommitmentsIndicesCorrect)

{

    ECCVMCircuitBuilder builder = generate_circuit(&engine);

    auto pk = std::make_shared<PK>(builder);

    pk->commitment_key = ECCVMFlavor::CommitmentKey(pk->circuit_size);


    auto unshifted = pk->polynomials.get_unshifted();

    auto to_be_shifted = pk->polynomials.get_to_be_shifted();


    constexpr auto repeated = ECCVMFlavor::REPEATED_COMMITMENTS;

    ASSERT_EQ(to_be_shifted.size(), repeated.first.count);


    // Build the commitment vector exactly as Shplemini does: [Q, unshifted..., to_be_shifted...]

    const auto& ck = pk->commitment_key;

    std::vector<ECCVMFlavor::Commitment> commitments;

    commitments.push_back(ECCVMFlavor::Commitment::one()); // dummy Q

    for (auto& poly : unshifted) {

        commitments.push_back(ck.commit(poly));

    }

    for (auto& poly : to_be_shifted) {

        commitments.push_back(ck.commit(poly));

    }


    // Same offset logic as remove_repeated_commitments

    constexpr size_t offset = ECCVMFlavor::HasZK ? 2 : 1;

    for (size_t i = 0; i < repeated.first.count; i++) {

        EXPECT_EQ(commitments[repeated.first.original_start + offset + i],

                  commitments[repeated.first.duplicate_start + offset + i])

            << "REPEATED_COMMITMENTS commitment mismatch at index " << i;

    }

}


ECCVMTests
Definition eccvm.test.cpp:54

ECCVMTests::SetUp
void SetUp() override
Definition eccvm.test.cpp:56

bb::BaseTranscript
Common transcript class for both parties. Stores the data for the current round, as well as the manif...
Definition transcript.hpp:41

bb::ECCVMCircuitBuilder
Definition eccvm_circuit_builder.hpp:24

bb::ECCVMFlavor::CommitmentLabels
A container for commitment labels.
Definition eccvm_flavor.hpp:854

bb::ECCVMFlavor::ProverPolynomials
A container for the prover polynomials.
Definition eccvm_flavor.hpp:484

bb::ECCVMFlavor::ProvingKey
The proving key is responsible for storing the polynomials used by the prover.
Definition eccvm_flavor.hpp:824

bb::ECCVMFlavor
Definition eccvm_flavor.hpp:37

bb::ECCVMFlavor::ECCVM_FIXED_SIZE
static constexpr size_t ECCVM_FIXED_SIZE
Definition eccvm_flavor.hpp:68

bb::ECCVMFlavor::HasZK
static constexpr bool HasZK
Definition eccvm_flavor.hpp:60

bb::ECCVMFlavor::FF
typename Curve::ScalarField FF
Definition eccvm_flavor.hpp:43

bb::ECCVMFlavor::BF
typename Curve::BaseField BF
Definition eccvm_flavor.hpp:44

bb::ECCVMFlavor::PROOF_LENGTH
static constexpr size_t PROOF_LENGTH
Definition eccvm_flavor.hpp:148

bb::ECCVMFlavor::CommitmentKey
bb::CommitmentKey< Curve > CommitmentKey
Definition eccvm_flavor.hpp:48

bb::ECCVMFlavor::REPEATED_COMMITMENTS
static constexpr RepeatedCommitmentsData REPEATED_COMMITMENTS
Definition eccvm_flavor.hpp:103

bb::ECCVMFlavor::Transcript
BaseTranscript< Codec, HashFunction > Transcript
Definition eccvm_flavor.hpp:53

bb::ECCVMFlavor::TRACE_OFFSET
static constexpr size_t TRACE_OFFSET
Definition eccvm_flavor.hpp:62

bb::ECCVMHardcodedVKAndHash::vk_hash
static BF vk_hash()
Definition eccvm_fixed_vk.hpp:28

bb::ECCVMHardcodedVKAndHash::get_all
static std::vector< Commitment > get_all()
Definition eccvm_fixed_vk.hpp:30

bb::ECCVMProver
Definition eccvm_prover.hpp:22

bb::ECCVMProver::construct_proof
std::pair< Proof, OpeningClaim > construct_proof()
Definition eccvm_prover.cpp:207

bb::ECCVMProver::key
std::shared_ptr< ProvingKey > key
Definition eccvm_prover.hpp:69

bb::ECCVMVerifier_
Unified ECCVM verifier class for both native and recursive verification.
Definition eccvm_verifier.hpp:19

bb::ECCVMVerifier_::reduce_to_ipa_opening
ReductionResult reduce_to_ipa_opening()
Reduce the ECCVM proof to an IPA opening claim.
Definition eccvm_verifier.cpp:21

bb::FixedVKAndHash_
Simple verification key class for fixed-size circuits (ECCVM, Translator, AVM).
Definition flavor.hpp:101

bb::FrCodec::serialize_to_fields
static std::vector< fr > serialize_to_fields(const T &val)
Conversion from transcript values to bb::frs.
Definition field_conversion.hpp:156

bb::IPA
IPA (inner product argument) commitment scheme class.
Definition ipa.hpp:86

bb::SumcheckProver
The implementation of the sumcheck Prover for statements of the form  for multilinear polynomials .
Definition sumcheck.hpp:294

bb::SumcheckProver::prove
SumcheckOutput< Flavor > prove()
Non-ZK version: Compute round univariate, place it in transcript, compute challenge,...
Definition sumcheck.hpp:392

bb::SumcheckVerifier
Implementation of the sumcheck Verifier for statements of the form  for multilinear polynomials .
Definition sumcheck.hpp:804

bb::SumcheckVerifier::verify
SumcheckOutput< Flavor > verify(const bb::RelationParameters< FF > &relation_parameters, const std::vector< FF > &gate_challenges)
The Sumcheck verification method. First it extracts round univariate, checks sum (the sumcheck univar...
Definition sumcheck.hpp:859

bb::VerifierCommitmentKey
Representation of the Grumpkin Verifier Commitment Key inside a bn254 circuit.
Definition verifier_commitment_key.hpp:16

bb::crypto::Poseidon2< crypto::Poseidon2Bn254ScalarFieldParams >::hash
static FF hash(const std::vector< FF > &input)
Hashes a vector of field elements.

bb::curve::BN254
Definition bn254.hpp:16

bb::curve::Grumpkin::Element
typename Group::element Element
Definition grumpkin.hpp:63

bb::curve::Grumpkin::ScalarField
bb::fq ScalarField
Definition grumpkin.hpp:60

bb::numeric::RNG
Definition engine.hpp:17

bb::numeric::uint256_t
Definition uint256.hpp:32

zip_view
Definition zip_view.hpp:166

info
#define info(...)
Definition log.hpp:93

VariableRefMutationOptions::index
@ index

builder
AluTraceBuilder builder
Definition alu.test.cpp:124

a
FF a
Definition field_gt.test.cpp:52

b
FF b
Definition field_gt.test.cpp:53

complete_proving_key_for_test
void complete_proving_key_for_test(bb::RelationParameters< FF > &relation_parameters, std::shared_ptr< PK > &pk, std::vector< FF > &gate_challenges)
Definition eccvm.test.cpp:129

create_vk_from_proving_key
ECCVMFlavor::VerificationKey create_vk_from_proving_key(const std::shared_ptr< PK > &proving_key)
Definition eccvm.test.cpp:30

compute_eccvm_vk_hash
ECCVMFlavor::BF compute_eccvm_vk_hash()
Definition eccvm.test.cpp:41

generate_zero_circuit
ECCVMCircuitBuilder generate_zero_circuit(numeric::RNG *engine=nullptr, bool zero_scalars=1)
Definition eccvm.test.cpp:103

generate_circuit
ECCVMCircuitBuilder generate_circuit(numeric::RNG *engine=nullptr)
Adds operations in BN254 to the op_queue and then constructs and ECCVM circuit from the op_queue.
Definition eccvm.test.cpp:68

eccvm_circuit_builder.hpp

eccvm_prover.hpp

eccvm_test_utils.hpp

engine
numeric::RNG & engine
Definition eccvm_transcript.test.cpp:282

eccvm_verifier.hpp

offset
ssize_t offset
Definition engine.cpp:62

global_crs.hpp

grand_product_delta.hpp

ipa.hpp

bb::eccvm_test_utils::add_hiding_op_for_test
void add_hiding_op_for_test(const std::shared_ptr< ECCOpQueue > &op_queue)
Set a hiding op on the op_queue for testing.
Definition eccvm_test_utils.hpp:70

bb::numeric::get_debug_randomness
RNG & get_debug_randomness(bool reset, std::uint_fast64_t seed)
Definition engine.cpp:245

bb::srs::bb_crs_path
std::filesystem::path bb_crs_path()
Definition global_crs.cpp:14

bb::srs::init_file_crs_factory
void init_file_crs_factory(const std::filesystem::path &path)
Definition global_crs.hpp:14

bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5

bb::TEST_F
TEST_F(IPATest, ChallengesAreZero)
Definition ipa.test.cpp:155

bb::ck
CommitmentKey< Curve > ck
Definition ipa.fuzzer.cpp:20

bb::vk
VerifierCommitmentKey< Curve > vk
Definition ipa.fuzzer.cpp:21

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

permutation_relation.hpp

Fr
Curve::ScalarField Fr
Definition pippenger.bench.cpp:21

G1
Curve::AffineElement G1
Definition pippenger.bench.cpp:22

proof_structures.hpp

relation_parameters.hpp

bb::RelationParameters
Container for parameters used by the grand product (permutation, lookup) Honk relations.
Definition relation_parameters.hpp:18

bb::RelationParameters::beta
T beta
Definition relation_parameters.hpp:27

bb::RelationParameters::eccvm_set_permutation_delta
T eccvm_set_permutation_delta
Definition relation_parameters.hpp:57

bb::RelationParameters::beta_quartic
T beta_quartic
Definition relation_parameters.hpp:33

bb::RelationParameters::gamma
T gamma
Definition relation_parameters.hpp:28

bb::RelationParameters::beta_sqr
T beta_sqr
Definition relation_parameters.hpp:31

bb::RelationParameters::beta_cube
T beta_cube
Definition relation_parameters.hpp:32

bb::SumcheckOutput
Contains the evaluations of multilinear polynomials  at the challenge point . These are computed by S...
Definition sumcheck_output.hpp:22

bb::SumcheckOutput::round_univariate_evaluations
std::vector< std::array< FF, 3 > > round_univariate_evaluations
Definition sumcheck_output.hpp:41

bb::SumcheckOutput::verified
bool verified
Definition sumcheck_output.hpp:33

bb::ZKSumcheckData
This structure is created to contain various polynomials and constants required by ZK Sumcheck.
Definition zk_sumcheck_data.hpp:23

bb::field< bb::Bn254FrParams >

bb::field< Bn254FrParams >::random_element
static field random_element(numeric::RNG *engine=nullptr) noexcept
Definition field_impl.hpp:777

sumcheck.hpp

sumcheck_round.hpp

uint256.hpp

verification_key.hpp