Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
eccvm_relation_corruption.test.cpp
Go to the documentation of this file.
1
8#include "barretenberg/eccvm/eccvm_flavor.hpp"
9#include "barretenberg/eccvm/eccvm_test_utils.hpp"
10#include "barretenberg/honk/library/grand_product_library.hpp"
11#include "barretenberg/honk/proof_system/logderivative_library.hpp"
12#include "barretenberg/honk/relation_checker.hpp"
13#include <gtest/gtest.h>
14
15using namespace bb;
16
17namespace {
18
19using Flavor = ECCVMFlavor;
20using FF = typename Flavor::FF;
21using G1 = bb::g1;
22using Fr = typename G1::Fr;
23using Polynomial = typename Flavor::Polynomial;
24using ProverPolynomials = typename Flavor::ProverPolynomials;
25using eccvm_test_utils::add_hiding_op_for_test;
26
27auto& engine = numeric::get_debug_randomness();
28
34std::vector<Polynomial*> get_msm_polynomials(ProverPolynomials& polys)
35{
36 return {
37 // From WireNonShiftedEntities (columns 21-44)
38 &polys.msm_size_of_msm,
39 &polys.msm_add2,
40 &polys.msm_add3,
41 &polys.msm_add4,
42 &polys.msm_x1,
43 &polys.msm_y1,
44 &polys.msm_x2,
45 &polys.msm_y2,
46 &polys.msm_x3,
47 &polys.msm_y3,
48 &polys.msm_x4,
49 &polys.msm_y4,
50 &polys.msm_collision_x1,
51 &polys.msm_collision_x2,
52 &polys.msm_collision_x3,
53 &polys.msm_collision_x4,
54 &polys.msm_lambda1,
55 &polys.msm_lambda2,
56 &polys.msm_lambda3,
57 &polys.msm_lambda4,
58 &polys.msm_slice1,
59 &polys.msm_slice2,
60 &polys.msm_slice3,
61 &polys.msm_slice4,
62 // From WireToBeShiftedWithoutAccumulatorsEntities (columns 68-77)
63 &polys.msm_transition,
64 &polys.msm_add,
65 &polys.msm_double,
66 &polys.msm_skew,
67 &polys.msm_accumulator_x,
68 &polys.msm_accumulator_y,
69 &polys.msm_count,
70 &polys.msm_round,
71 &polys.msm_add1,
72 &polys.msm_pc,
73 };
74}
75
79ProverPolynomials build_valid_eccvm_msm_state()
80{
81 auto generators = G1::derive_generators("test generators", 3);
82 auto a = generators[0];
83 auto b = generators[1];
84 Fr x = Fr::random_element(&engine);
85 Fr y = Fr::random_element(&engine);
86
87 auto op_queue = std::make_shared<ECCOpQueue>();
88 op_queue->mul_accumulate(a, x);
89 op_queue->mul_accumulate(b, y);
90 op_queue->eq_and_reset();
91 op_queue->merge();
92 add_hiding_op_for_test(op_queue);
93
94 ECCVMCircuitBuilder builder{ op_queue };
95 return ProverPolynomials(builder);
96}
97
102RelationParameters<FF> compute_full_relation_params(ProverPolynomials& polynomials)
103{
104 const FF beta = FF::random_element(&engine);
105 const FF gamma = FF::random_element(&engine);
106 const FF beta_sqr = beta.sqr();
107 const FF beta_cube = beta_sqr * beta;
108 auto eccvm_set_permutation_delta =
109 gamma * (gamma + beta_sqr) * (gamma + beta_sqr + beta_sqr) * (gamma + beta_sqr + beta_sqr + beta_sqr);
110 eccvm_set_permutation_delta = eccvm_set_permutation_delta.invert();
111
112 RelationParameters<FF> params{
113 .eta = 0,
114 .beta = beta,
115 .gamma = gamma,
116 .public_input_delta = 0,
117 .beta_sqr = beta_sqr,
118 .beta_cube = beta_cube,
119 .eccvm_set_permutation_delta = eccvm_set_permutation_delta,
120 };
121
122 compute_logderivative_inverse<FF, ECCVMLookupRelation<FF>>(polynomials, params, Flavor::TRACE_OFFSET);
123 compute_grand_product<Flavor, ECCVMSetRelation<FF>>(polynomials, params);
124 polynomials.z_perm_shift = Polynomial(polynomials.z_perm.shifted());
125
126 return params;
127}
128
132size_t find_transcript_noop_row(const ProverPolynomials& polynomials)
133{
134 const size_t num_rows = polynomials.get_polynomial_size();
135 for (size_t i = Flavor::TRACE_OFFSET; i < num_rows - 1; i++) {
136 if (polynomials.transcript_add[i] == FF(0) && polynomials.transcript_mul[i] == FF(0) &&
137 polynomials.transcript_eq[i] == FF(0) && polynomials.transcript_reset_accumulator[i] == FF(0) &&
138 polynomials.lagrange_first[i] == FF(0) && polynomials.lagrange_last[i] == FF(0)) {
139 return i;
140 }
141 }
142 return 0;
143}
144
145} // anonymous namespace
146
147class ECCVMRelationCorruptionTests : public ::testing::Test {
148 protected:
149 static void SetUpTestSuite() { bb::srs::init_file_crs_factory(bb::srs::bb_crs_path()); }
150};
151
161TEST_F(ECCVMRelationCorruptionTests, MSMAccumulatorCorruptionAtTransitionRowIsHarmless)
162{
163 auto polynomials = build_valid_eccvm_msm_state();
164 RelationParameters<FF> params{};
165
166 auto baseline = RelationChecker<void>::check<ECCVMMSMRelation<FF>>(
167 polynomials, params, "ECCVMMSMRelation", Flavor::TRACE_OFFSET);
168 EXPECT_TRUE(baseline.empty()) << "Baseline MSM relation should pass";
169
170 // Confirm the first active MSM row is the transition row (offset by disabled head region)
171 constexpr size_t first_msm_row = Flavor::TRACE_OFFSET + 1;
172 ASSERT_EQ(polynomials.msm_add[first_msm_row], FF(1)) << "First MSM row should be an active MSM add row";
173 ASSERT_EQ(polynomials.msm_transition[first_msm_row], FF(1)) << "First MSM row should have msm_transition=1";
174
175 // Corrupt the accumulator at the transition row
176 polynomials.msm_accumulator_x.at(first_msm_row) = FF::random_element(&engine);
177 polynomials.msm_accumulator_y.at(first_msm_row) = FF::random_element(&engine);
178 polynomials.set_shifted();
179
180 auto failures = RelationChecker<void>::check<ECCVMMSMRelation<FF>>(
181 polynomials, params, "ECCVMMSMRelation", Flavor::TRACE_OFFSET);
182 EXPECT_TRUE(failures.empty()) << "MSM relation should STILL PASS — acc is unused when msm_transition=1";
183}
184
195TEST_F(ECCVMRelationCorruptionTests, MSMAccumulatorCorruptionAtInteriorAndNoOpRows)
196{
197 RelationParameters<FF> params{};
198
199 // --- Part 1: corrupt the accumulator at an interior active MSM row (q_add=1, msm_transition=0) ---
200 {
201 auto polynomials = build_valid_eccvm_msm_state();
202
203 auto baseline = RelationChecker<void>::check<ECCVMMSMRelation<FF>>(
204 polynomials, params, "ECCVMMSMRelation", Flavor::TRACE_OFFSET);
205 EXPECT_TRUE(baseline.empty()) << "Baseline MSM relation should pass";
206
207 // Find an interior addition row: q_add=1, msm_transition=0
208 const size_t num_rows = polynomials.get_polynomial_size();
209 size_t active_row = 0;
210 for (size_t i = Flavor::TRACE_OFFSET; i < num_rows - 1; i++) {
211 if (polynomials.msm_add[i] == FF(1) && polynomials.msm_transition[i] == FF(0)) {
212 active_row = i;
213 break;
214 }
215 }
216 ASSERT_NE(active_row, 0) << "Should find an interior active MSM add row";
217
218 polynomials.msm_accumulator_x.at(active_row) = FF::random_element(&engine);
219 polynomials.msm_accumulator_y.at(active_row) = FF::random_element(&engine);
220 polynomials.set_shifted();
221
222 auto failures = RelationChecker<void>::check<ECCVMMSMRelation<FF>>(
223 polynomials, params, "ECCVMMSMRelation", Flavor::TRACE_OFFSET);
224 EXPECT_FALSE(failures.empty()) << "MSM relation should fail after active-row accumulator corruption";
225 }
226
227 // --- Part 2: corrupt the accumulator at a trailing no-op row ---
228 {
229 auto polynomials = build_valid_eccvm_msm_state();
230
231 // Find the first no-op row (all MSM selectors zero, not lagrange_first)
232 const size_t num_rows = polynomials.get_polynomial_size();
233 size_t no_op_row = 0;
234 for (size_t i = Flavor::TRACE_OFFSET; i < num_rows - 1; i++) {
235 if (polynomials.msm_add[i] == FF(0) && polynomials.msm_double[i] == FF(0) &&
236 polynomials.msm_skew[i] == FF(0) && polynomials.msm_transition[i] == FF(0) &&
237 polynomials.lagrange_first[i] == FF(0)) {
238 no_op_row = i;
239 break;
240 }
241 }
242 ASSERT_NE(no_op_row, 0) << "Should find a no-op row in the MSM table";
243
244 polynomials.msm_accumulator_x.at(no_op_row) = FF::random_element(&engine);
245 polynomials.msm_accumulator_y.at(no_op_row) = FF::random_element(&engine);
246 polynomials.set_shifted();
247
248 auto failures = RelationChecker<void>::check<ECCVMMSMRelation<FF>>(
249 polynomials, params, "ECCVMMSMRelation", Flavor::TRACE_OFFSET);
250 EXPECT_FALSE(failures.empty()) << "MSM relation should fail after no-op accumulator corruption";
251
252 // The failure should be in subrelations 45 or 46 (the no-op accumulator preservation constraints)
253 bool found_noop_subrelation_failure = failures.contains(45) || failures.contains(46);
254 EXPECT_TRUE(found_noop_subrelation_failure)
255 << "Failure should be detected by subrelations 45/46 (no-op accumulator preservation)";
256 }
257}
258
274TEST_F(ECCVMRelationCorruptionTests, MSMRelationFailsOnShiftedMSMTable)
275{
276 auto polynomials = build_valid_eccvm_msm_state();
277 RelationParameters<FF> params{};
278
279 // Baseline: MSM relation passes on clean data
280 auto baseline = RelationChecker<void>::check<ECCVMMSMRelation<FF>>(
281 polynomials, params, "ECCVMMSMRelation", Flavor::TRACE_OFFSET);
282 EXPECT_TRUE(baseline.empty()) << "Baseline MSM relation should pass";
283
284 auto msm_polys = get_msm_polynomials(polynomials);
285
286 // Shift every MSM column down by 1 within the active region
287 constexpr size_t ofs = Flavor::TRACE_OFFSET;
288 for (auto* poly : msm_polys) {
289 for (size_t k = poly->end_index() - 1; k >= ofs + 2; k--) {
290 poly->at(k) = (*poly)[k - 1];
291 }
292 poly->at(ofs + 1) = FF(0);
293 }
294
295 // Patch msm_size_of_msm at the injected row so the pc-continuity constraint is satisfied
296 polynomials.msm_size_of_msm.at(ofs + 1) = polynomials.msm_pc[ofs + 1] - polynomials.msm_pc[ofs + 2];
297
298 // Refresh shifted views
299 polynomials.set_shifted();
300
301 auto failures = RelationChecker<void>::check<ECCVMMSMRelation<FF>>(
302 polynomials, params, "ECCVMMSMRelation", Flavor::TRACE_OFFSET);
303 EXPECT_FALSE(failures.empty()) << "MSM relation should fail after shifting MSM table by one row";
304
305 // Log all failing subrelations for visibility
306 for (const auto& [subrelation_idx, row_idx] : failures) {
307 info("Shifted MSM table: subrelation ", subrelation_idx, " first failed at row ", row_idx);
308 }
309
310 // Only subrelations 45 and 46 (no-op accumulator preservation) should fail
311 EXPECT_EQ(failures.size(), 2U) << "Exactly two subrelations should fail (45 and 46)";
312 EXPECT_TRUE(failures.contains(45)) << "Subrelation 45 (no-op acc_x preservation) should fail";
313 EXPECT_TRUE(failures.contains(46)) << "Subrelation 46 (no-op acc_y preservation) should fail";
314
315 // Verify that all other ECCVM relations still pass after the shift.
316 // We compute random Fiat-Shamir challenges and derived polynomials (logderivative inverse, grand product)
317 // so we can also check ECCVMSetRelation and ECCVMLookupRelation.
318 auto full_params = compute_full_relation_params(polynomials);
319
320 // Relations that don't touch MSM columns should be completely unaffected.
321 auto transcript_failures = RelationChecker<void>::check<ECCVMTranscriptRelation<FF>>(
322 polynomials, full_params, "ECCVMTranscriptRelation", Flavor::TRACE_OFFSET);
323 EXPECT_TRUE(transcript_failures.empty()) << "ECCVMTranscriptRelation should still pass";
324
325 auto point_table_failures = RelationChecker<void>::check<ECCVMPointTableRelation<FF>>(
326 polynomials, full_params, "ECCVMPointTableRelation", Flavor::TRACE_OFFSET);
327 EXPECT_TRUE(point_table_failures.empty()) << "ECCVMPointTableRelation should still pass";
328
329 auto wnaf_failures = RelationChecker<void>::check<ECCVMWnafRelation<FF>>(
330 polynomials, full_params, "ECCVMWnafRelation", Flavor::TRACE_OFFSET);
331 EXPECT_TRUE(wnaf_failures.empty()) << "ECCVMWnafRelation should still pass";
332
333 auto bools_failures = RelationChecker<void>::check<ECCVMBoolsRelation<FF>>(
334 polynomials, full_params, "ECCVMBoolsRelation", Flavor::TRACE_OFFSET);
335 EXPECT_TRUE(bools_failures.empty()) << "ECCVMBoolsRelation should still pass";
336
337 // The Set relation enforces a multiset equality between MSM output tuples (pc, acc_x, acc_y, msm_size)
338 // and the transcript. Shifting the MSM columns corrupts these tuples, so the grand product (computed
339 // post-shift) reflects mismatched reads/writes and the relation correctly fails. It is possible that with more
340 // care, we could make this also pass.
341 auto set_failures = RelationChecker<void>::check<ECCVMSetRelation<FF>>(
342 polynomials, full_params, "ECCVMSetRelation", Flavor::TRACE_OFFSET);
343 EXPECT_FALSE(set_failures.empty()) << "ECCVMSetRelation should also fail (MSM output tuples are shifted)";
344
345 // The Lookup relation's logderivative inverse is computed post-shift, so it adapts to the
346 // shifted column values. The per-row subrelation passes, and the sum-over-trace (linearly
347 // dependent) subrelation also vanishes since the inverse was derived from the current data.
348 auto lookup_failures = RelationChecker<void>::check<ECCVMLookupRelation<FF>, /*has_linearly_dependent=*/true>(
349 polynomials, full_params, "ECCVMLookupRelation", Flavor::TRACE_OFFSET);
350 EXPECT_TRUE(lookup_failures.empty()) << "ECCVMLookupRelation should still pass (inverse computed post-shift)";
351}
352
360TEST_F(ECCVMRelationCorruptionTests, TranscriptNoOpRowRejectsAccumulatorNotEmpty)
361{
362 auto polynomials = build_valid_eccvm_msm_state();
363 RelationParameters<FF> params{};
364
365 auto baseline = RelationChecker<void>::check<ECCVMTranscriptRelation<FF>>(
366 polynomials, params, "ECCVMTranscriptRelation", Flavor::TRACE_OFFSET);
367 EXPECT_TRUE(baseline.empty()) << "Baseline transcript relation should pass";
368
369 size_t noop_row = find_transcript_noop_row(polynomials);
370 ASSERT_NE(noop_row, 0) << "Should find a transcript no-op row";
371
372 // The no-op constraint at row `noop_row` constrains is_accumulator_empty_shift,
373 // which reads from accumulator_not_empty at row `noop_row + 1`.
374 polynomials.transcript_accumulator_not_empty.at(noop_row + 1) = FF(1);
375 polynomials.set_shifted();
376
377 auto failures = RelationChecker<void>::check<ECCVMTranscriptRelation<FF>>(
378 polynomials, params, "ECCVMTranscriptRelation", Flavor::TRACE_OFFSET);
379 EXPECT_FALSE(failures.empty()) << "Transcript relation should fail after corrupting accumulator_not_empty on "
380 "the row following a no-op";
381 EXPECT_TRUE(failures.contains(22)) << "Subrelation 22 (accumulator_infinity) should catch the corruption";
382}
383
394TEST_F(ECCVMRelationCorruptionTests, SetRelationFailsOnZPermNonZeroAtFirstRow)
395{
396 auto polynomials = build_valid_eccvm_msm_state();
397 auto params = compute_full_relation_params(polynomials);
398
399 // Baseline: set relation passes (skip disabled head rows where masking values break relations)
400 auto baseline = RelationChecker<void>::check<ECCVMSetRelation<FF>>(
401 polynomials, params, "ECCVMSetRelation", Flavor::TRACE_OFFSET);
402 EXPECT_TRUE(baseline.empty()) << "Baseline set relation should pass";
403
404 // Derive expected lagrange_first position from z_perm shiftable structure
405 ASSERT_TRUE(polynomials.z_perm.is_shiftable());
406 size_t structural_first_row = Flavor::TRACE_OFFSET;
407
408 // Independently scan lagrange_first for its non-zero entry
409 const auto& lagrange_first = polynomials.lagrange_first;
410 size_t scanned_first_row = 0;
411 bool found = false;
412 for (size_t i = lagrange_first.start_index(); i < lagrange_first.end_index(); ++i) {
413 if (lagrange_first[i] != FF(0)) {
414 scanned_first_row = i;
415 found = true;
416 break;
417 }
418 }
419 ASSERT_TRUE(found) << "lagrange_first has no non-zero entry";
420 ASSERT_EQ(structural_first_row, scanned_first_row)
421 << "lagrange_first position doesn't match z_perm shiftable structure";
422
423 const size_t first_row = scanned_first_row;
424
425 // Expand to full polynomials so we can write at index 0
426 polynomials.z_perm = polynomials.z_perm.full();
427 polynomials.z_perm_shift = polynomials.z_perm_shift.full();
428
429 ASSERT_EQ(polynomials.z_perm[first_row], FF(0));
430
431 // Tamper: set z_perm to non-zero where lagrange_first is active
432 polynomials.z_perm.at(first_row) = FF(1);
433
434 auto failures = RelationChecker<void>::check<ECCVMSetRelation<FF>>(
435 polynomials, params, "ECCVMSetRelation - After setting z_perm != 0 at lagrange_first", Flavor::TRACE_OFFSET);
436 EXPECT_FALSE(failures.empty()) << "Set relation should fail after z_perm init corruption";
437 EXPECT_TRUE(failures.contains(ECCVMSetRelationImpl<FF>::Z_PERM_INIT))
438 << "Sub-relation Z_PERM_INIT should catch the corruption";
439 EXPECT_EQ(failures.at(ECCVMSetRelationImpl<FF>::Z_PERM_INIT), first_row)
440 << "Failure should be at lagrange_first row";
441}
bb::ECCVMFlavor::ProverPolynomials
A container for the prover polynomials.
Definition eccvm_flavor.hpp:484
bb::ECCVMFlavor::FF
typename Curve::ScalarField FF
Definition eccvm_flavor.hpp:43
bb::ECCVMFlavor::Polynomial
bb::Polynomial< FF > Polynomial
Definition eccvm_flavor.hpp:45
bb::ECCVMFlavor::TRACE_OFFSET
static constexpr size_t TRACE_OFFSET
Definition eccvm_flavor.hpp:62
bb::Polynomial
Structured polynomial class that represents the coefficients 'a' of a_0 + a_1 x .....
Definition polynomial.hpp:75
bb::RelationChecker
A debugging utility for checking whether a set of polynomials satisfies the relations for a given Fla...
Definition relation_checker.hpp:19
bb::Relation
A wrapper for Relations to expose methods used by the Sumcheck prover or verifier to add the contribu...
Definition relation_types.hpp:96
info
#define info(...)
Definition log.hpp:93
builder
AluTraceBuilder builder
Definition alu.test.cpp:124
a
FF a
Definition field_gt.test.cpp:52
b
FF b
Definition field_gt.test.cpp:53
eccvm_flavor.hpp
eccvm_test_utils.hpp
ProverPolynomials
typename ECCVMFlavor::ProverPolynomials ProverPolynomials
Definition eccvm_trace_checker.cpp:10
engine
numeric::RNG & engine
Definition eccvm_transcript.test.cpp:282
grand_product_library.hpp
logderivative_library.hpp
bb::eccvm_test_utils::add_hiding_op_for_test
void add_hiding_op_for_test(const std::shared_ptr< ECCOpQueue > &op_queue)
Set a hiding op on the op_queue for testing.
Definition eccvm_test_utils.hpp:70
bb::numeric::get_debug_randomness
RNG & get_debug_randomness(bool reset, std::uint_fast64_t seed)
Definition engine.cpp:245
bb::srs::bb_crs_path
std::filesystem::path bb_crs_path()
Definition global_crs.cpp:14
bb::srs::init_file_crs_factory
void init_file_crs_factory(const std::filesystem::path &path)
Definition global_crs.hpp:14
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
bb::g1
group< fq, fr, Bn254G1Params > g1
Definition g1.hpp:34
bb::TEST_F
TEST_F(IPATest, ChallengesAreZero)
Definition ipa.test.cpp:155
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
G1
Curve::AffineElement G1
Definition pippenger.bench.cpp:22
relation_checker.hpp
bb::RelationParameters
Container for parameters used by the grand product (permutation, lookup) Honk relations.
Definition relation_parameters.hpp:18
bb::field::invert
constexpr field invert() const noexcept
Definition field_impl.hpp:386
bb::field< Bn254FrParams >::random_element
static field random_element(numeric::RNG *engine=nullptr) noexcept
Definition field_impl.hpp:777
bb::field::sqr
BB_INLINE constexpr field sqr() const noexcept
Definition field_impl.hpp:72