Barretenberg: src/barretenberg/hypernova/hypernova_verifier.cpp Source File

// === AUDIT STATUS ===

// internal:    { status: Complete, auditors: [Sergei], commit: }

// external_1:  { status: not started, auditors: [], commit: }

// external_2:  { status: not started, auditors: [], commit: }

// =====================


#include "barretenberg/hypernova/hypernova_verifier.hpp"

#include "barretenberg/honk/proof_length.hpp"

#include "barretenberg/hypernova/hypernova_batching_challenges.hpp"


namespace bb {


template <typename Flavor_>

template <size_t N>


HypernovaFoldingVerifier<Flavor_>::Commitment HypernovaFoldingVerifier<Flavor_>::batch_mul(

    const RefArray<Commitment, N>& _points, std::vector<FF>& scalars)

{

    std::vector<Commitment> points(N);

    for (size_t idx = 0; idx < N; ++idx) {

        points[idx] = _points[idx];

    }

    return Commitment::batch_mul(points, scalars);

}


template <typename Flavor>


HypernovaFoldingVerifier<Flavor>::Accumulator HypernovaFoldingVerifier<Flavor>::sumcheck_output_to_accumulator(

    HypernovaFoldingVerifier<Flavor>::MegaSumcheckOutput& sumcheck_output,

    const std::shared_ptr<HypernovaFoldingVerifier::VerifierInstance>& instance)

{

    BB_BENCH_NAME("HypernovaFoldingVerifier::sumcheck_output_to_accumulator");


    // Generate challenges to batch shifted and unshifted polynomials/commitments/evaluation

    auto [unshifted_challenges, shifted_challenges] =

        get_hypernova_batching_challenges<FF>(transcript, NUM_UNSHIFTED_ENTITIES, NUM_SHIFTED_ENTITIES);


    // Batch evaluations

    FF batched_unshifted_evaluation(0);

    FF batched_shifted_evaluation(0);


    for (auto [eval, challenge] : zip_view(sumcheck_output.claimed_evaluations.get_unshifted(), unshifted_challenges)) {

        batched_unshifted_evaluation += eval * challenge;

    }

    for (auto [eval, challenge] : zip_view(sumcheck_output.claimed_evaluations.get_shifted(), shifted_challenges)) {

        batched_shifted_evaluation += eval * challenge;

    }


    // Batch commitments

    VerifierCommitments verifier_commitments(instance->get_vk(), instance->witness_commitments);


    Commitment batched_unshifted_commitment = batch_mul(verifier_commitments.get_unshifted(), unshifted_challenges);

    Commitment batched_shifted_commitment = batch_mul(verifier_commitments.get_to_be_shifted(), shifted_challenges);


    return Accumulator{ .challenge = sumcheck_output.challenge,

                        .non_shifted_evaluation = batched_unshifted_evaluation,

                        .shifted_evaluation = batched_shifted_evaluation,

                        .non_shifted_commitment = batched_unshifted_commitment,

                        .shifted_commitment = batched_shifted_commitment };

};


template <typename Flavor>


SumcheckOutput<Flavor> HypernovaFoldingVerifier<Flavor>::sumcheck_on_incoming_instance(

    const std::shared_ptr<typename HypernovaFoldingVerifier::VerifierInstance>& instance,

    const Proof& proof,

    size_t num_public_inputs)

{

    BB_BENCH_NAME("HypernovaFoldingVerifier::sumcheck_on_incoming_instance");


    vinfo("HypernovaFoldingVerifier: verifying Oink proof...");

    // Complete the incoming verifier instance

    transcript->load_proof(proof);


    OinkVerifier verifier{ instance, transcript, num_public_inputs };

    verifier.verify();


    instance->gate_challenges = transcript->template get_dyadic_powers_of_challenge<FF>(

        "HypernovaFoldingProver:gate_challenge", Flavor::VIRTUAL_LOG_N);


    // Sumcheck verification

    vinfo("HypernovaFoldingVerifier: verifying Sumcheck to turn instance into an accumulator...");


    SumcheckVerifier sumcheck(transcript, instance->alpha, Flavor::VIRTUAL_LOG_N);

    SumcheckOutput<Flavor> sumcheck_output = sumcheck.verify(instance->relation_parameters, instance->gate_challenges);


    return sumcheck_output;

};


template <typename Flavor>


std::pair<bool, typename HypernovaFoldingVerifier<Flavor>::Accumulator> HypernovaFoldingVerifier<Flavor>::

    instance_to_accumulator(const std::shared_ptr<typename HypernovaFoldingVerifier::VerifierInstance>& instance,

                            const Proof& proof)

{

    BB_BENCH_NAME("HypernovaFoldingVerifier::instance_to_accumulator");


    // Derive num_public_inputs from proof size (instance-to-accum proof structure)

    const size_t num_public_inputs =

        ProofLength::HypernovaInstanceToAccum<Flavor>::derive_num_public_inputs(proof.size(), Flavor::VIRTUAL_LOG_N);


    auto sumcheck_output = sumcheck_on_incoming_instance(instance, proof, num_public_inputs);


    auto accumulator = sumcheck_output_to_accumulator(sumcheck_output, instance);


    if (sumcheck_output.verified) {

        vinfo("HypernovaFoldingVerifier: Successfully turned instance into accumulator.");

    } else {

        vinfo("HypernovaFoldingVerifier: Failed to recursively verify Sumcheck to turn instance into an accumulator. "

              "Ignore if generating the VKs");

    }


    return { sumcheck_output.verified, accumulator };

};


template <typename Flavor>

std::tuple<bool, bool, typename HypernovaFoldingVerifier<Flavor>::Accumulator> HypernovaFoldingVerifier<


    Flavor>::verify_folding_proof(const std::shared_ptr<typename HypernovaFoldingVerifier::VerifierInstance>& instance,

                                  const HypernovaFoldingVerifier::Proof& proof)

{

    BB_BENCH_NAME("HypernovaFoldingVerifier::verify_folding_proof");


    vinfo("HypernovaFoldingVerifier: verifying folding proof...");


    // Derive num_public_inputs from proof size (folding proof structure includes batching)

    const size_t num_public_inputs =

        ProofLength::HypernovaFolding<Flavor, MultilinearBatchingFlavor>::derive_num_public_inputs(

            proof.size(), Flavor::VIRTUAL_LOG_N);


    auto sumcheck_output = sumcheck_on_incoming_instance(instance, proof, num_public_inputs);


    // Generate challenges to batch shifted and unshifted polynomials/commitments/evaluation

    const auto [unshifted_challenges, shifted_challenges] =

        get_hypernova_batching_challenges<FF>(transcript, NUM_UNSHIFTED_ENTITIES, NUM_SHIFTED_ENTITIES);


    VerifierCommitments verifier_commitments(instance->get_vk(), instance->witness_commitments);


    MultilinearBatchingVerifier batching_verifier(transcript);

    auto [sumcheck_batching_result, new_accumulator] =

        batching_verifier.verify_proof(sumcheck_output, verifier_commitments, unshifted_challenges, shifted_challenges);


    if (sumcheck_output.verified && sumcheck_batching_result) {

        vinfo("HypernovaFoldingVerifier: successfully verified folding proof.");

    } else if (!sumcheck_output.verified) {

        vinfo("HypernovaFoldingVerifier: Failed to recursively verify Sumcheck to turn instance into an accumulator. "

              "Ignore if generating the VKs");

    } else {

        vinfo("HypernovaFoldingVerifier: Failed to recursively verify Sumcheck to batch two accumulators. Ignore if "

              "generating the VKs");

    }


    return { sumcheck_output.verified, sumcheck_batching_result, new_accumulator };

};


template class HypernovaFoldingVerifier<MegaRecursiveFlavor_<MegaCircuitBuilder>>;

template class HypernovaFoldingVerifier<MegaFlavor>;

} // namespace bb

instance
std::shared_ptr< Napi::ThreadSafeFunction > instance
Definition avm_simulate_napi.cpp:128

BB_BENCH_NAME
#define BB_BENCH_NAME(name)
Definition bb_bench.hpp:264

bb::ECCVMFlavor::AllEntities::get_to_be_shifted
auto get_to_be_shifted()
Definition eccvm_flavor.hpp:454

bb::ECCVMFlavor::VerifierCommitments_
Definition eccvm_flavor.hpp:959

bb::HypernovaFoldingVerifier
HyperNova folding verifier (native + recursive). Verifies folding proofs and maintains accumulators.
Definition hypernova_verifier.hpp:22

bb::HypernovaFoldingVerifier::Commitment
Flavor::Commitment Commitment
Definition hypernova_verifier.hpp:27

bb::HypernovaFoldingVerifier::Proof
std::conditional_t< IsRecursiveFlavor< Flavor >, stdlib::Proof< MegaCircuitBuilder >, HonkProof > Proof
Definition hypernova_verifier.hpp:39

bb::HypernovaFoldingVerifier::instance_to_accumulator
std::pair< bool, Accumulator > instance_to_accumulator(const std::shared_ptr< VerifierInstance > &instance, const Proof &proof)
Turn an instance into an accumulator by executing sumcheck.
Definition hypernova_verifier.cpp:89

bb::HypernovaFoldingVerifier::sumcheck_output_to_accumulator
Accumulator sumcheck_output_to_accumulator(MegaSumcheckOutput &sumcheck_output, const std::shared_ptr< VerifierInstance > &instance)
Convert the output of the sumcheck run on the incoming instance into an accumulator.
Definition hypernova_verifier.cpp:26

bb::HypernovaFoldingVerifier::batch_mul
Commitment batch_mul(const RefArray< Commitment, N > &_points, std::vector< FF > &scalars)
Utility to perform batch mul of commitments.
Definition hypernova_verifier.cpp:15

bb::HypernovaFoldingVerifier::Flavor
Flavor_ Flavor
Definition hypernova_verifier.hpp:24

bb::HypernovaFoldingVerifier::sumcheck_on_incoming_instance
SumcheckOutput< Flavor > sumcheck_on_incoming_instance(const std::shared_ptr< VerifierInstance > &instance, const Proof &proof, size_t num_public_inputs)
Perform sumcheck on the incoming instance.
Definition hypernova_verifier.cpp:61

bb::HypernovaFoldingVerifier::FF
Flavor::FF FF
Definition hypernova_verifier.hpp:25

bb::MultilinearBatchingVerifier
Multilinear batching verifier. Verifies claim reduction via sumcheck.
Definition multilinear_batching_verifier.hpp:25

bb::MultilinearBatchingVerifier::verify_proof
std::pair< bool, VerifierClaim > verify_proof(SumcheckOutput< InstanceFlavor > &instance_sumcheck, InstanceCommitments &verifier_commitments, const std::vector< InstanceFF > &unshifted_challenges, const std::vector< InstanceFF > &shifted_challenges)
Definition multilinear_batching_verifier.cpp:116

bb::OinkVerifier
Verifier counterpart to OinkProver: receives witness commitments, computes relation parameters,...
Definition oink_verifier.hpp:30

bb::OinkVerifier::verify
void verify(bool emit_alpha=true)
Receive witness commitments, compute relation parameters, and prepare for Sumcheck.
Definition oink_verifier.cpp:23

bb::RefArray
A template class for a reference array. Behaves as if std::array<T&, N> was possible.
Definition ref_array.hpp:22

bb::SumcheckVerifier
Implementation of the sumcheck Verifier for statements of the form  for multilinear polynomials .
Definition sumcheck.hpp:804

bb::SumcheckVerifier::verify
SumcheckOutput< Flavor > verify(const bb::RelationParameters< FF > &relation_parameters, const std::vector< FF > &gate_challenges)
The Sumcheck verification method. First it extracts round univariate, checks sum (the sumcheck univar...
Definition sumcheck.hpp:859

zip_view
Definition zip_view.hpp:166

vinfo
#define vinfo(...)
Definition log.hpp:94

hypernova_batching_challenges.hpp

hypernova_verifier.hpp

bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

proof_length.hpp

bb::MultilinearBatchingVerifierClaim
Verifier's claim for multilinear batching - contains commitments and evaluation claims.
Definition multilinear_batching_claims.hpp:18

bb::MultilinearBatchingVerifierClaim::challenge
std::vector< FF > challenge
Definition multilinear_batching_claims.hpp:22

bb::ProofLength::HypernovaFolding::derive_num_public_inputs
static size_t derive_num_public_inputs(size_t proof_size, size_t log_n)
Definition proof_length.hpp:186

bb::ProofLength::HypernovaInstanceToAccum::derive_num_public_inputs
static size_t derive_num_public_inputs(size_t proof_size, size_t log_n)
Definition proof_length.hpp:146

bb::SumcheckOutput
Contains the evaluations of multilinear polynomials  at the challenge point . These are computed by S...
Definition sumcheck_output.hpp:22

bb::SumcheckOutput::claimed_evaluations
ClaimedEvaluations claimed_evaluations
Definition sumcheck_output.hpp:30

bb::SumcheckOutput::challenge
std::vector< FF > challenge
Definition sumcheck_output.hpp:28