Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
goblin_verifier.test.cpp
Go to the documentation of this file.
1#include "barretenberg/goblin/goblin_verifier.hpp"
2#include "barretenberg/circuit_checker/circuit_checker.hpp"
3#include "barretenberg/common/test.hpp"
4#include "barretenberg/goblin/goblin.hpp"
5#include "barretenberg/goblin/merge_prover.hpp"
6#include "barretenberg/goblin/mock_circuits.hpp"
7#include "barretenberg/srs/global_crs.hpp"
8#include "barretenberg/stdlib/honk_verifier/ultra_verification_keys_comparator.hpp"
9#include "barretenberg/ultra_honk/ultra_prover.hpp"
10#include "barretenberg/ultra_honk/ultra_verifier.hpp"
11
12namespace bb::stdlib::recursion::honk {
13class GoblinRecursiveVerifierTests : public testing::Test {
14 public:
15 using Builder = UltraCircuitBuilder;
16 using ECCVMVK = Goblin::ECCVMVerificationKey;
17 using TranslatorVK = Goblin::TranslatorVerificationKey;
18
19 using OuterFlavor = UltraFlavor;
20 using OuterProver = UltraProver_<OuterFlavor>;
21 using OuterVerifier = UltraRollupVerifier;
22 using OuterProverInstance = ProverInstance_<OuterFlavor>;
23
24 using Commitment = MergeVerifier::Commitment;
25 using RecursiveCommitment = bb::GoblinRecursiveVerifier::MergeVerifier::Commitment;
26 using MergeCommitments = MergeVerifier::InputCommitments;
27 using RecursiveMergeCommitments = bb::GoblinRecursiveVerifier::MergeVerifier::InputCommitments;
28 using Transcript = UltraStdlibTranscript;
29 using FF = TranslatorFlavor::FF;
30 static void SetUpTestSuite() { bb::srs::init_file_crs_factory(bb::srs::bb_crs_path()); }
31
37 static void tamper_with_op_commitment(MergeCommitments& merge_commitments)
38 {
39 // The first commitment in merged table is the `op` wire commitment
40 merge_commitments.t_commitments[0] = merge_commitments.t_commitments[0] * FF(2);
41 };
42
43 // ECCVM pre-IPA proof ends with evaluations including `op`. We tamper with the `op` evaluation.
44 // The structure is: [..., op_eval, x_lo_y_hi_eval, x_hi_z_1_eval, y_lo_z_2_eval, IPA_proof...]
45 // So op_eval is 3 fields before the IPA proof starts.
46 static void tamper_with_eccvm_op_eval(HonkProof& eccvm_proof)
47 {
48 // The `op` evaluation is located 3 evaluations before the end of pre-IPA proof
49 // (followed by x_lo_y_hi, x_hi_z_1, y_lo_z_2 evaluations)
50 static constexpr size_t evals_after_op = 3; // x_lo_y_hi, x_hi_z_1, y_lo_z_2
51 const size_t op_eval_idx = eccvm_proof.size() - evals_after_op;
52
53 // Tamper with the op evaluation
54 eccvm_proof[op_eval_idx] += FF(1);
55 };
56
62 static ProverOutput create_goblin_prover_output(Builder* outer_builder = nullptr, const size_t num_circuits = 5)
63 {
64
65 Goblin goblin;
66 GoblinMockCircuits::construct_and_merge_mock_circuits(goblin, num_circuits);
67 goblin.op_queue->construct_zk_columns();
68
69 // Merge the ecc ops from the newly constructed circuit
70 auto goblin_proof = goblin.prove();
71 // Subtable values and commitments - needed for (Recursive)MergeVerifier
72 MergeCommitments merge_commitments;
73 auto t_current = goblin.op_queue->construct_current_ultra_ops_subtable_columns();
74 auto T_prev = goblin.op_queue->construct_table_columns_up_to_tail();
75 CommitmentKey<curve::BN254> pcs_commitment_key(goblin.op_queue->get_ultra_ops_table_num_rows() +
76 UltraEccOpsTable::ZK_ULTRA_OPS);
77 for (size_t idx = 0; idx < MegaFlavor::NUM_WIRES; idx++) {
78 merge_commitments.t_commitments[idx] = pcs_commitment_key.commit(t_current[idx]);
79 merge_commitments.T_prev_commitments[idx] = pcs_commitment_key.commit(T_prev[idx]);
80 }
81
82 RecursiveMergeCommitments recursive_merge_commitments;
83 if (outer_builder != nullptr) {
84 for (size_t idx = 0; idx < MegaFlavor::NUM_WIRES; idx++) {
85 recursive_merge_commitments.t_commitments[idx] =
86 RecursiveCommitment::from_witness(outer_builder, merge_commitments.t_commitments[idx]);
87 recursive_merge_commitments.T_prev_commitments[idx] =
88 RecursiveCommitment::from_witness(outer_builder, merge_commitments.T_prev_commitments[idx]);
89 // Removing the free witness tag, since the merge commitments in the full scheme are supposed to
90 // be fiat-shamirred earlier
91 recursive_merge_commitments.t_commitments[idx].unset_free_witness_tag();
92 recursive_merge_commitments.T_prev_commitments[idx].unset_free_witness_tag();
93 }
94 }
95
96 // Output is a goblin proof plus merge commitments
97 return { goblin_proof, merge_commitments, recursive_merge_commitments };
98 }
99};
100
105TEST_F(GoblinRecursiveVerifierTests, NativeVerification)
106{
107 auto [proof, merge_commitments, _] = create_goblin_prover_output();
108
109 auto transcript = std::make_shared<NativeTranscript>();
110 bb::GoblinVerifier verifier(transcript, proof, merge_commitments);
111 auto result = verifier.reduce_to_pairing_check_and_ipa_opening();
112
113 // Check pairing points (aggregate merge + translator)
114 result.translator_pairing_points.aggregate(result.merge_pairing_points);
115 bool pairing_verified = result.translator_pairing_points.check();
116
117 // Verify IPA opening
118 auto ipa_transcript = std::make_shared<NativeTranscript>(result.ipa_proof);
119 auto ipa_vk = VerifierCommitmentKey<curve::Grumpkin>{ ECCVMFlavor::ECCVM_FIXED_SIZE };
120 bool ipa_verified = IPA<curve::Grumpkin>::reduce_verify(ipa_vk, result.ipa_claim, ipa_transcript);
121
122 EXPECT_TRUE(pairing_verified && ipa_verified);
123}
124
129TEST_F(GoblinRecursiveVerifierTests, Basic)
130{
131 Builder builder;
132
133 auto [proof, merge_commitments, recursive_merge_commitments] = create_goblin_prover_output(&builder);
134
135 auto transcript = std::make_shared<Transcript>();
136 GoblinStdlibProof stdlib_proof(builder, proof);
137 bb::GoblinRecursiveVerifier verifier{ transcript, stdlib_proof, recursive_merge_commitments };
138 auto output = verifier.reduce_to_pairing_check_and_ipa_opening();
139
140 // Aggregate merge + translator pairing points
141 output.translator_pairing_points.aggregate(output.merge_pairing_points);
142
143 stdlib::recursion::honk::RollupIO inputs;
144 inputs.pairing_inputs = output.translator_pairing_points;
145 inputs.ipa_claim = output.ipa_claim;
146 inputs.set_public();
147
148 builder.ipa_proof = output.ipa_proof.get_value();
149
150 info("Recursive Verifier: num gates = ", builder.num_gates());
151
152 EXPECT_EQ(builder.failed(), false) << builder.err();
153
154 EXPECT_TRUE(CircuitChecker::check(builder));
155
156 // Construct and verify a proof for the Goblin Recursive Verifier circuit
157 {
158 auto prover_instance = std::make_shared<OuterProverInstance>(builder);
159 auto verification_key =
160 std::make_shared<typename OuterFlavor::VerificationKey>(prover_instance->get_precomputed());
161 auto vk_and_hash = std::make_shared<typename OuterFlavor::VKAndHash>(verification_key);
162 OuterProver prover(prover_instance, verification_key);
163 OuterVerifier verifier(vk_and_hash);
164 auto proof = prover.construct_proof();
165 bool verified = verifier.verify_proof(proof).result;
166
167 ASSERT_TRUE(verified);
168 }
169}
170
171// Check that the GoblinRecursiveVerifier circuit does not depend on the inputs.
172TEST_F(GoblinRecursiveVerifierTests, IndependentVKHash)
173{
174 // Retrieves the trace blocks (each consisting of a specific gate) from the recursive verifier circuit
175 auto get_blocks = [](size_t inner_size)
176 -> std::tuple<typename Builder::ExecutionTrace, std::shared_ptr<OuterFlavor::VerificationKey>> {
177 Builder builder;
178
179 auto [proof, merge_commitments, recursive_merge_commitments] =
180 create_goblin_prover_output(&builder, inner_size);
181
182 auto transcript = std::make_shared<Transcript>();
183 GoblinStdlibProof stdlib_proof(builder, proof);
184 bb::GoblinRecursiveVerifier verifier{ transcript, stdlib_proof, recursive_merge_commitments };
185 auto output = verifier.reduce_to_pairing_check_and_ipa_opening();
186
187 // Aggregate merge + translator pairing points
188 output.translator_pairing_points.aggregate(output.merge_pairing_points);
189
190 stdlib::recursion::honk::RollupIO inputs;
191 inputs.pairing_inputs = output.translator_pairing_points;
192 inputs.ipa_claim = output.ipa_claim;
193 inputs.set_public();
194
195 builder.ipa_proof = output.ipa_proof.get_value();
196
197 info("Recursive Verifier: num gates = ", builder.num_gates());
198
199 // Construct and verify a proof for the Goblin Recursive Verifier circuit
200 auto prover_instance = std::make_shared<OuterProverInstance>(builder);
201 auto outer_verification_key =
202 std::make_shared<typename OuterFlavor::VerificationKey>(prover_instance->get_precomputed());
203 auto vk_and_hash = std::make_shared<typename OuterFlavor::VKAndHash>(outer_verification_key);
204 OuterProver prover(prover_instance, outer_verification_key);
205 OuterVerifier outer_verifier(vk_and_hash);
206 return { builder.blocks, outer_verification_key };
207 };
208
209 auto [blocks_5, verification_key_5] = get_blocks(5);
210 auto [blocks_6, verification_key_6] = get_blocks(6);
211
212 compare_ultra_blocks_and_verification_keys<OuterFlavor>({ blocks_5, blocks_6 },
213 { verification_key_5, verification_key_6 });
214}
215
221TEST_F(GoblinRecursiveVerifierTests, MergeToTranslatorBindingFailure)
222{
223 auto [proof, merge_commitments, _] = create_goblin_prover_output();
224
225 // Tamper with the op commitment in merge commitments (used by Translator verifier)
226 MergeCommitments tampered_merge_commitments = merge_commitments;
227 tamper_with_op_commitment(tampered_merge_commitments);
228 Builder builder;
229
230 RecursiveMergeCommitments recursive_merge_commitments;
231 for (size_t idx = 0; idx < MegaFlavor::NUM_WIRES; idx++) {
232 recursive_merge_commitments.t_commitments[idx] =
233 RecursiveCommitment::from_witness(&builder, tampered_merge_commitments.t_commitments[idx]);
234 recursive_merge_commitments.T_prev_commitments[idx] =
235 RecursiveCommitment::from_witness(&builder, tampered_merge_commitments.T_prev_commitments[idx]);
236 recursive_merge_commitments.t_commitments[idx].fix_witness();
237 recursive_merge_commitments.T_prev_commitments[idx].fix_witness();
238 }
239
240 auto transcript = std::make_shared<Transcript>();
241 GoblinStdlibProof stdlib_proof(builder, proof);
242 bb::GoblinRecursiveVerifier verifier{ transcript, stdlib_proof, recursive_merge_commitments };
243 auto goblin_rec_verifier_output = verifier.reduce_to_pairing_check_and_ipa_opening();
244
245 // Aggregate merge + translator pairing points
246 goblin_rec_verifier_output.translator_pairing_points.aggregate(goblin_rec_verifier_output.merge_pairing_points);
247
248 // Circuit is correct but pairing check should fail
249 EXPECT_TRUE(CircuitChecker::check(builder));
250
251 // Check that the pairing fails natively
252 bb::PairingPoints<curve::BN254> native_pairing_points(
253 goblin_rec_verifier_output.translator_pairing_points.P0().get_value(),
254 goblin_rec_verifier_output.translator_pairing_points.P1().get_value());
255 bool pairing_result = native_pairing_points.check();
256 EXPECT_FALSE(pairing_result);
257}
258
265TEST_F(GoblinRecursiveVerifierTests, ECCVMToTranslatorBindingFailure)
266{
267 Builder builder;
268
269 auto [proof, merge_commitments, recursive_merge_commitments] = create_goblin_prover_output(&builder);
270
271 // Tamper with the `op` evaluation in the ECCVM proof
272 tamper_with_eccvm_op_eval(proof.eccvm_proof);
273
274 auto transcript = std::make_shared<Transcript>();
275 GoblinStdlibProof stdlib_proof(builder, proof);
276 bb::GoblinRecursiveVerifier verifier{ transcript, stdlib_proof, recursive_merge_commitments };
277 [[maybe_unused]] auto goblin_rec_verifier_output = verifier.reduce_to_pairing_check_and_ipa_opening();
278
279 EXPECT_FALSE(CircuitChecker::check(builder));
280}
281} // namespace bb::stdlib::recursion::honk
circuit_checker.hpp
bb::BaseTranscript
Common transcript class for both parties. Stores the data for the current round, as well as the manif...
Definition transcript.hpp:41
bb::CommitmentKey
CommitmentKey object over a pairing group ๐”พโ‚.
Definition commitment_key.hpp:35
bb::CommitmentKey::commit
Commitment commit(PolynomialSpan< const Fr > polynomial) const
Uses the ProverSRS to create a commitment to p(X)
Definition commitment_key.hpp:73
bb::ECCVMFlavor::ECCVM_FIXED_SIZE
static constexpr size_t ECCVM_FIXED_SIZE
Definition eccvm_flavor.hpp:68
bb::FixedVKAndHash_
Simple verification key class for fixed-size circuits (ECCVM, Translator, AVM).
Definition flavor.hpp:101
bb::Goblin::TranslatorVerificationKey
TranslatorFlavor::VerificationKey TranslatorVerificationKey
Definition goblin.hpp:45
bb::Goblin::prove
GoblinProof prove()
Constuct a full Goblin proof (ECCVM, Translator, merge)
Definition goblin.cpp:69
bb::Goblin::op_queue
std::shared_ptr< OpQueue > op_queue
Definition goblin.hpp:59
bb::Goblin::ECCVMVerificationKey
ECCVMFlavor::VerificationKey ECCVMVerificationKey
Definition goblin.hpp:44
bb::GoblinMockCircuits::construct_and_merge_mock_circuits
static void construct_and_merge_mock_circuits(Goblin &goblin, const size_t num_circuits=3)
Definition mock_circuits.hpp:159
bb::GoblinVerifier_
Unified Goblin verifier for both native and recursive verification.
Definition goblin_verifier.hpp:33
bb::GoblinVerifier_::reduce_to_pairing_check_and_ipa_opening
ReductionResult reduce_to_pairing_check_and_ipa_opening()
Reduce Goblin proof to pairing check and IPA opening claim.
Definition goblin_verifier.cpp:19
bb::IPA
IPA (inner product argument) commitment scheme class.
Definition ipa.hpp:86
bb::MegaFlavor::NUM_WIRES
static constexpr size_t NUM_WIRES
Definition mega_flavor.hpp:62
bb::MergeVerifier_::Commitment
typename Curve::AffineElement Commitment
Definition merge_verifier.hpp:28
bb::PairingPoints
An object storing two EC points that represent the inputs to a pairing check.
Definition pairing_points.hpp:22
bb::PairingPoints::check
bool check() const
Verify the pairing equation e(P0, [1]โ‚‚) ยท e(P1, [x]โ‚‚) = 1.
Definition pairing_points.hpp:77
bb::ProverInstance_
Contains all the information required by a Honk prover to create a proof, constructed from a finalize...
Definition prover_instance.hpp:26
bb::TranslatorCircuitChecker::check
static bool check(const Builder &circuit)
Check the witness satisifies the circuit.
Definition translator_circuit_checker.cpp:107
bb::TranslatorFlavor::FF
Curve::ScalarField FF
Definition translator_flavor.hpp:50
bb::UltraCircuitBuilder_
Definition ultra_circuit_builder.hpp:40
bb::UltraEccOpsTable::ZK_ULTRA_OPS
static constexpr size_t ZK_ULTRA_OPS
Definition ecc_ops_table.hpp:214
bb::UltraProver_
Definition ultra_prover.hpp:18
bb::UltraVerifier_
Definition ultra_verifier.hpp:79
bb::VerifierCommitmentKey
Representation of the Grumpkin Verifier Commitment Key inside a bn254 circuit.
Definition verifier_commitment_key.hpp:16
bb::stdlib::recursion::honk::GoblinRecursiveVerifierTests::create_goblin_prover_output
static ProverOutput create_goblin_prover_output(Builder *outer_builder=nullptr, const size_t num_circuits=5)
Create a goblin proof and the VM verification keys needed by the goblin recursive verifier.
Definition goblin_verifier.test.cpp:62
bb::stdlib::recursion::honk::GoblinRecursiveVerifierTests::RecursiveMergeCommitments
bb::GoblinRecursiveVerifier::MergeVerifier::InputCommitments RecursiveMergeCommitments
Definition goblin_verifier.test.cpp:27
bb::stdlib::recursion::honk::GoblinRecursiveVerifierTests::RecursiveCommitment
bb::GoblinRecursiveVerifier::MergeVerifier::Commitment RecursiveCommitment
Definition goblin_verifier.test.cpp:25
bb::stdlib::recursion::honk::GoblinRecursiveVerifierTests::tamper_with_op_commitment
static void tamper_with_op_commitment(MergeCommitments &merge_commitments)
Definition goblin_verifier.test.cpp:37
bb::stdlib::recursion::honk::RollupIO
The data that is propagated on the public inputs of a rollup circuit.
Definition special_public_inputs.hpp:357
info
#define info(...)
Definition log.hpp:93
builder
AluTraceBuilder builder
Definition alu.test.cpp:124
global_crs.hpp
mock_circuits.hpp
goblin_verifier.hpp
inputs
AvmProvingInputs inputs
Definition hinting_dbs.test.cpp:45
merge_prover.hpp
bb::srs::bb_crs_path
std::filesystem::path bb_crs_path()
Definition global_crs.cpp:14
bb::srs::init_file_crs_factory
void init_file_crs_factory(const std::filesystem::path &path)
Definition global_crs.hpp:14
bb::stdlib::recursion::honk::TEST_F
TEST_F(BoomerangGoblinRecursiveVerifierTests, graph_description_basic)
Construct and check a goblin recursive verification circuit.
Definition graph_description_goblin.test.cpp:72
bb::HonkProof
std::vector< fr > HonkProof
Definition proof.hpp:15
bb::UltraRollupVerifier
UltraVerifier_< UltraFlavor, RollupIO > UltraRollupVerifier
Definition ultra_verifier.hpp:234
bb::UltraStdlibTranscript
BaseTranscript< stdlib::StdlibCodec< stdlib::field_t< UltraCircuitBuilder > >, stdlib::poseidon2< UltraCircuitBuilder > > UltraStdlibTranscript
Definition transcript.hpp:508
bb::UltraCircuitBuilder
UltraCircuitBuilder_< UltraExecutionTraceBlocks > UltraCircuitBuilder
Definition circuit_builders_fwd.hpp:18
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
bb::GoblinVerifier_::ReductionResult::translator_pairing_points
PairingPoints translator_pairing_points
Definition goblin_verifier.hpp:61
bb::MergeVerifier_::InputCommitments
Definition merge_verifier.hpp:53
bb::MergeVerifier_::InputCommitments::T_prev_commitments
TableCommitments T_prev_commitments
Definition merge_verifier.hpp:55
bb::MergeVerifier_::InputCommitments::t_commitments
TableCommitments t_commitments
Definition merge_verifier.hpp:54
ultra_prover.hpp
ultra_verification_keys_comparator.hpp
ultra_verifier.hpp