Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
proof_compression.hpp
Go to the documentation of this file.
1#pragma once
2
3#include "barretenberg/chonk/chonk_proof.hpp"
4#include "barretenberg/common/assert.hpp"
5#include "barretenberg/constants.hpp"
6#include "barretenberg/ecc/curves/bn254/bn254.hpp"
7#include "barretenberg/ecc/curves/grumpkin/grumpkin.hpp"
8#include "barretenberg/eccvm/eccvm_flavor.hpp"
9#include "barretenberg/flavor/mega_zk_flavor.hpp"
10#include "barretenberg/honk/proof_length.hpp"
11#include "barretenberg/honk/proof_system/types/proof.hpp"
12#include "barretenberg/translator_vm/translator_flavor.hpp"
13#include <cstddef>
14#include <cstdint>
15#include <vector>
16
17namespace bb {
18
33class ProofCompressor {
34 using Fr = curve::BN254::ScalarField;
35 using Fq = curve::BN254::BaseField;
36
37 static constexpr uint256_t SIGN_BIT_MASK = uint256_t(1) << 255;
38
39 // Fq values are stored as (lo, hi) Fr pairs split at 2*NUM_LIMB_BITS = 136 bits.
40 static constexpr uint64_t NUM_LIMB_BITS = 68;
41 static constexpr uint64_t FQ_SPLIT_BITS = NUM_LIMB_BITS * 2; // 136
42
44 template <typename Field> static bool y_is_negative(const Field& y)
45 {
46 return uint256_t(y) > (uint256_t(Field::modulus) - 1) / 2;
47 }
48
49 // =========================================================================
50 // Serialization helpers
51 // =========================================================================
52
53 static void write_u256(std::vector<uint8_t>& out, const uint256_t& val)
54 {
55 for (int i = 31; i >= 0; --i) {
56 out.push_back(static_cast<uint8_t>(val.data[i / 8] >> (8 * (i % 8))));
57 }
58 }
59
60 static uint256_t read_u256(const std::vector<uint8_t>& data, size_t& pos)
61 {
62 if (pos + 32 > data.size()) {
63 throw_or_abort("proof_compression: read_u256 out of bounds");
64 }
65 uint256_t val{ 0, 0, 0, 0 };
66 for (int i = 31; i >= 0; --i) {
67 val.data[i / 8] |= static_cast<uint64_t>(data[pos++]) << (8 * (i % 8));
68 }
69 return val;
70 }
71
72 static Fq reconstruct_fq(const Fr& lo, const Fr& hi)
73 {
74 return Fq(uint256_t(lo) + (uint256_t(hi) << FQ_SPLIT_BITS));
75 }
76
77 static std::pair<Fr, Fr> split_fq(const Fq& val)
78 {
79 constexpr uint256_t LOWER_MASK = (uint256_t(1) << FQ_SPLIT_BITS) - 1;
80 const uint256_t v = uint256_t(val);
81 return { Fr(v & LOWER_MASK), Fr(v >> FQ_SPLIT_BITS) };
82 }
83
84 // =========================================================================
85 // Walk functions — define proof layouts once for compress/decompress
86 // =========================================================================
87
93 template <typename ScalarFn, typename CommitmentFn>
94 static void walk_mega_zk_oink_proof(ScalarFn&& process_scalar,
95 CommitmentFn&& process_commitment,
96 size_t num_public_inputs)
97 {
98 // Public inputs
99 for (size_t i = 0; i < num_public_inputs; i++) {
100 process_scalar();
101 }
102 // Witness commitments (wires + lookup + databus + z_perm = NUM_WITNESS_ENTITIES)
103 for (size_t i = 0; i < MegaZKFlavor::NUM_WITNESS_ENTITIES; i++) {
104 process_commitment();
105 }
106 }
107
112 template <typename ScalarFn, typename CommitmentFn>
113 static void walk_merge_proof(ScalarFn&& process_scalar, CommitmentFn&& process_commitment)
114 {
115 // shift_size
116 process_scalar();
117 // 4 merged table commitments
118 for (size_t i = 0; i < 4; i++) {
119 process_commitment();
120 }
121 // Reversed batched left tables commitment
122 process_commitment();
123 // 4 left + 4 right + 4 merged table evaluations + 1 reversed eval = 13 scalars
124 for (size_t i = 0; i < 13; i++) {
125 process_scalar();
126 }
127 // Shplonk Q + KZG W
128 process_commitment();
129 process_commitment();
130 }
131
138 template <typename ScalarFn, typename CommitmentFn>
139 static void walk_eccvm_proof(ScalarFn&& process_scalar, CommitmentFn&& process_commitment)
140 {
141 constexpr size_t log_n = CONST_ECCVM_LOG_N;
142 constexpr size_t num_witness = ECCVMFlavor::NUM_WITNESS_ENTITIES + ECCVMFlavor::NUM_MASKING_POLYNOMIALS;
143
144 // Witness commitments (wires + derived + masking poly)
145 for (size_t i = 0; i < num_witness; i++) {
146 process_commitment();
147 }
148 // Libra concatenation commitment
149 process_commitment();
150 // Libra sum
151 process_scalar();
152 // Sumcheck round univariates: per round, Grumpkin commits then sends 2 evaluations
153 for (size_t i = 0; i < log_n; i++) {
154 process_commitment(); // univariate commitment for round i
155 process_scalar(); // eval at 0 for round i
156 process_scalar(); // eval at 1 for round i
157 }
158 // Sumcheck evaluations
159 for (size_t i = 0; i < ECCVMFlavor::NUM_ALL_ENTITIES; i++) {
160 process_scalar();
161 }
162 // Libra claimed evaluation
163 process_scalar();
164 // Libra grand sum + quotient commitments
165 process_commitment();
166 process_commitment();
167 // Gemini fold commitments
168 for (size_t i = 0; i < log_n - 1; i++) {
169 process_commitment();
170 }
171 // Gemini fold evaluations
172 for (size_t i = 0; i < log_n; i++) {
173 process_scalar();
174 }
175 // Small IPA evaluations (for sumcheck libra)
176 for (size_t i = 0; i < NUM_SMALL_IPA_EVALUATIONS; i++) {
177 process_scalar();
178 }
179 // Shplonk Q
180 process_commitment();
181
182 // --- Translation section ---
183 // Translator concatenated masking commitment
184 process_commitment();
185 // 5 translation evaluations (op, Px, Py, z1, z2)
186 for (size_t i = 0; i < NUM_TRANSLATION_EVALUATIONS; i++) {
187 process_scalar();
188 }
189 // Translation masking term evaluation
190 process_scalar();
191 // Translation grand sum + quotient commitments
192 process_commitment();
193 process_commitment();
194 // Translation SmallSubgroupIPA evaluations
195 for (size_t i = 0; i < NUM_SMALL_IPA_EVALUATIONS; i++) {
196 process_scalar();
197 }
198 // Translation Shplonk Q
199 process_commitment();
200 }
201
206 template <typename ScalarFn, typename CommitmentFn>
207 static void walk_ipa_proof(ScalarFn&& process_scalar, CommitmentFn&& process_commitment)
208 {
209 // L and R commitments per round
210 for (size_t i = 0; i < CONST_ECCVM_LOG_N; i++) {
211 process_commitment(); // L_i
212 process_commitment(); // R_i
213 }
214 // G_0 commitment
215 process_commitment();
216 // a_0 scalar
217 process_scalar();
218 }
219
226 template <typename ScalarFn, typename CommitmentFn>
227 static void walk_joint_proof(ScalarFn&& process_scalar, CommitmentFn&& process_commitment)
228 {
229 constexpr size_t JOINT_LOG_N = TranslatorFlavor::CONST_TRANSLATOR_LOG_N; // 17
230 // --- Translator Oink ---
231 // Gemini masking poly commitment
232 process_commitment();
233 // Wire commitments: concatenated + ordered range constraints
234 for (size_t i = 0; i < TranslatorFlavor::NUM_COMMITMENTS_IN_PROOF; i++) {
235 process_commitment();
236 }
237 // Z_PERM commitment
238 process_commitment();
239
240 // --- Joint Sumcheck (Libra header) ---
241 // Libra concatenation commitment
242 process_commitment();
243 // Libra sum
244 process_scalar();
245
246 // Committed sumcheck rounds 0..JOINT_LOG_N-1 (commitment + 2 evals per round)
247 for (size_t round = 0; round < JOINT_LOG_N; round++) {
248 // Minicircuit evaluations sent at round LOG_MINI_CIRCUIT_SIZE - 1
249 if (round == TranslatorFlavor::LOG_MINI_CIRCUIT_SIZE) {
250 for (size_t j = 0; j < TranslatorFlavor::NUM_MINICIRCUIT_EVALUATIONS; j++) {
251 process_scalar();
252 }
253 }
254 process_commitment(); // round univariate commitment
255 process_scalar(); // eval at 0
256 process_scalar(); // eval at 1
257 }
258
259 // MegaZK evaluations (sent after all sumcheck rounds)
260 for (size_t i = 0; i < MegaZKFlavor::NUM_ALL_ENTITIES; i++) {
261 process_scalar();
262 }
263
264 // Translator evaluations (sent after all rounds)
265 for (size_t i = 0; i < TranslatorFlavor::NUM_FULL_CIRCUIT_EVALUATIONS; i++) {
266 process_scalar();
267 }
268
269 // --- Joint Sumcheck (Libra footer) ---
270 // Libra claimed evaluation
271 process_scalar();
272 // Libra grand sum + quotient commitments
273 process_commitment();
274 process_commitment();
275
276 // --- Joint PCS ---
277 // Gemini fold commitments
278 for (size_t i = 0; i < JOINT_LOG_N - 1; i++) {
279 process_commitment();
280 }
281 // Gemini fold evaluations
282 for (size_t i = 0; i < JOINT_LOG_N; i++) {
283 process_scalar();
284 }
285 // Small IPA evaluations
286 for (size_t i = 0; i < NUM_SMALL_IPA_EVALUATIONS; i++) {
287 process_scalar();
288 }
289 // Shplonk Q + KZG W
290 process_commitment();
291 process_commitment();
292 }
293
298 template <typename BN254ScalarFn, typename BN254CommFn, typename GrumpkinScalarFn, typename GrumpkinCommFn>
299 static void walk_chonk_proof(BN254ScalarFn&& bn254_scalar,
300 BN254CommFn&& bn254_comm,
301 GrumpkinScalarFn&& grumpkin_scalar,
302 GrumpkinCommFn&& grumpkin_comm,
303 size_t mega_num_public_inputs)
304 {
305 walk_mega_zk_oink_proof(bn254_scalar, bn254_comm, mega_num_public_inputs);
306 walk_merge_proof(bn254_scalar, bn254_comm);
307 walk_eccvm_proof(grumpkin_scalar, grumpkin_comm);
308 walk_ipa_proof(grumpkin_scalar, grumpkin_comm);
309 walk_joint_proof(bn254_scalar, bn254_comm);
310 }
311
312 // =========================================================================
313 // Walk count validation — ensure the constants used in walks match PROOF_LENGTH.
314 // These mirror the walk logic using the same constants; if a PROOF_LENGTH formula
315 // changes, the static_assert fires, prompting an update to the corresponding walk.
316 // =========================================================================
317
318 // Fr-elements per element type for each curve
319 static constexpr size_t BN254_FRS_PER_SCALAR = 1;
320 static constexpr size_t BN254_FRS_PER_COMM = 4; // Fq x,y each as (lo,hi) Fr pair
321 static constexpr size_t GRUMPKIN_FRS_PER_SCALAR = 2; // Fq stored as (lo,hi) Fr pair
322 static constexpr size_t GRUMPKIN_FRS_PER_COMM = 2; // Fr x,y coordinates
323
324 // clang-format off
325 // Hiding Oink (without public inputs) — mirrors walk_mega_zk_oink_proof with num_public_inputs=0
326 static constexpr size_t EXPECTED_HIDING_OINK_FRS =
327 MegaZKFlavor::NUM_WITNESS_ENTITIES * BN254_FRS_PER_COMM; // witness comms
328 static_assert(EXPECTED_HIDING_OINK_FRS == ProofLength::Oink<MegaZKFlavor>::LENGTH_WITHOUT_PUB_INPUTS);
329
330 // Merge — mirrors walk_merge_proof
331 static constexpr size_t EXPECTED_MERGE_FRS =
332 1 * BN254_FRS_PER_SCALAR + // shift_size
333 5 * BN254_FRS_PER_COMM + // 4 merged tables + 1 reversed batched left
334 13 * BN254_FRS_PER_SCALAR + // evaluations
335 2 * BN254_FRS_PER_COMM; // shplonk Q + KZG W
336 static_assert(EXPECTED_MERGE_FRS == MERGE_PROOF_SIZE);
337
338 // ECCVM — mirrors walk_eccvm_proof
339 static constexpr size_t EXPECTED_ECCVM_FRS =
340 (ECCVMFlavor::NUM_WITNESS_ENTITIES + ECCVMFlavor::NUM_MASKING_POLYNOMIALS) * GRUMPKIN_FRS_PER_COMM + // witnesses
341 1 * GRUMPKIN_FRS_PER_COMM + // libra concat
342 1 * GRUMPKIN_FRS_PER_SCALAR + // libra sum
343 CONST_ECCVM_LOG_N * GRUMPKIN_FRS_PER_COMM + // sumcheck univariate comms
344 2 * CONST_ECCVM_LOG_N * GRUMPKIN_FRS_PER_SCALAR + // sumcheck univariate evals (2 per round)
345 ECCVMFlavor::NUM_ALL_ENTITIES * GRUMPKIN_FRS_PER_SCALAR + // sumcheck evals
346 1 * GRUMPKIN_FRS_PER_SCALAR + // libra claimed eval
347 2 * GRUMPKIN_FRS_PER_COMM + // libra grand sum + quotient
348 (CONST_ECCVM_LOG_N - 1) * GRUMPKIN_FRS_PER_COMM + // gemini folds
349 CONST_ECCVM_LOG_N * GRUMPKIN_FRS_PER_SCALAR + // gemini evals
350 NUM_SMALL_IPA_EVALUATIONS * GRUMPKIN_FRS_PER_SCALAR + // small IPA evals
351 1 * GRUMPKIN_FRS_PER_COMM + // shplonk Q
352 1 * GRUMPKIN_FRS_PER_COMM + // translator masking comm
353 NUM_TRANSLATION_EVALUATIONS * GRUMPKIN_FRS_PER_SCALAR + // translation evals
354 1 * GRUMPKIN_FRS_PER_SCALAR + // masking term eval
355 2 * GRUMPKIN_FRS_PER_COMM + // translation grand sum + quotient
356 NUM_SMALL_IPA_EVALUATIONS * GRUMPKIN_FRS_PER_SCALAR + // translation small IPA evals
357 1 * GRUMPKIN_FRS_PER_COMM; // translation shplonk Q
358 static_assert(EXPECTED_ECCVM_FRS == ECCVMFlavor::PROOF_LENGTH);
359
360 // IPA — mirrors walk_ipa_proof
361 static constexpr size_t EXPECTED_IPA_FRS =
362 2 * CONST_ECCVM_LOG_N * GRUMPKIN_FRS_PER_COMM + // L and R per round
363 1 * GRUMPKIN_FRS_PER_COMM + // G_0
364 1 * GRUMPKIN_FRS_PER_SCALAR; // a_0
365 static_assert(EXPECTED_IPA_FRS == IPA_PROOF_LENGTH);
366
367 // Joint proof — mirrors walk_joint_proof (translator oink + joint sumcheck + joint PCS)
368 static constexpr size_t JOINT_LOG_N = TranslatorFlavor::CONST_TRANSLATOR_LOG_N;
369 static constexpr size_t EXPECTED_JOINT_FRS =
370 // Translator oink
371 1 * BN254_FRS_PER_COMM + // gemini masking poly
372 TranslatorFlavor::NUM_COMMITMENTS_IN_PROOF * BN254_FRS_PER_COMM + // wire comms
373 1 * BN254_FRS_PER_COMM + // z_perm
374 // Joint sumcheck (libra header)
375 1 * BN254_FRS_PER_COMM + // libra concat
376 1 * BN254_FRS_PER_SCALAR + // libra sum
377 // Committed sumcheck rounds (commitment + 2 evals per round)
378 JOINT_LOG_N * BN254_FRS_PER_COMM + // round univariate comms
379 2 * JOINT_LOG_N * BN254_FRS_PER_SCALAR + // round univariate evals
380 // Minicircuit evaluations (sent once at round LOG_MINI_CIRCUIT_SIZE - 1)
381 TranslatorFlavor::NUM_MINICIRCUIT_EVALUATIONS * BN254_FRS_PER_SCALAR + // minicircuit evals
382 // MegaZK evaluations (sent after all sumcheck rounds)
383 MegaZKFlavor::NUM_ALL_ENTITIES * BN254_FRS_PER_SCALAR + // mega_zk evals
384 // Translator evaluations (sent after all rounds)
385 TranslatorFlavor::NUM_FULL_CIRCUIT_EVALUATIONS * BN254_FRS_PER_SCALAR + // translator evals
386 // Joint sumcheck (libra footer)
387 1 * BN254_FRS_PER_SCALAR + // libra claimed eval
388 2 * BN254_FRS_PER_COMM + // libra grand sum + quotient
389 // Joint PCS
390 (JOINT_LOG_N - 1) * BN254_FRS_PER_COMM + // gemini folds
391 JOINT_LOG_N * BN254_FRS_PER_SCALAR + // gemini evals
392 NUM_SMALL_IPA_EVALUATIONS * BN254_FRS_PER_SCALAR + // small IPA evals
393 2 * BN254_FRS_PER_COMM; // shplonk Q + KZG W
394 // Cross-check: walk-based count must match ChonkProof's structural constants
395 static_assert(EXPECTED_HIDING_OINK_FRS + EXPECTED_MERGE_FRS + EXPECTED_ECCVM_FRS + EXPECTED_IPA_FRS +
396 EXPECTED_JOINT_FRS ==
397 ChonkProof::PROOF_LENGTH_WITHOUT_PUB_INPUTS);
398 // clang-format on
399
400 public:
405 static size_t compressed_element_count(size_t mega_num_public_inputs = 0)
406 {
407 size_t count = 0;
408 auto counter = [&]() { count++; };
409 walk_chonk_proof(counter, counter, counter, counter, mega_num_public_inputs);
410 return count;
411 }
412
417 static size_t compressed_mega_num_public_inputs(size_t compressed_bytes)
418 {
419 if (compressed_bytes % 32 != 0) {
420 throw_or_abort("proof_compression: compressed size not aligned to 32 bytes");
421 }
422 size_t total_elements = compressed_bytes / 32;
423 size_t fixed_elements = compressed_element_count(0);
424 if (total_elements < fixed_elements) {
425 throw_or_abort("proof_compression: compressed proof too short");
426 }
427 return total_elements - fixed_elements;
428 }
429
430 // =========================================================================
431 // Chonk proof compression
432 // =========================================================================
433
434 static std::vector<uint8_t> compress_chonk_proof(const ChonkProof& proof)
435 {
436 auto flat = proof.to_field_elements();
437 std::vector<uint8_t> out;
438 out.reserve(flat.size() * 32); // upper bound: every element compresses to 32 bytes
439 size_t offset = 0;
440
441 // BN254 callbacks
442 auto bn254_scalar = [&]() { write_u256(out, uint256_t(flat[offset++])); };
443
444 auto bn254_comm = [&]() {
445 bool is_infinity = flat[offset].is_zero() && flat[offset + 1].is_zero() && flat[offset + 2].is_zero() &&
446 flat[offset + 3].is_zero();
447 if (is_infinity) {
448 write_u256(out, uint256_t(0));
449 offset += 4;
450 return;
451 }
452
453 Fq x = reconstruct_fq(flat[offset], flat[offset + 1]);
454 Fq y = reconstruct_fq(flat[offset + 2], flat[offset + 3]);
455 offset += 4;
456
457 uint256_t x_val = uint256_t(x);
458 if (y_is_negative(y)) {
459 x_val |= SIGN_BIT_MASK;
460 }
461 write_u256(out, x_val);
462 };
463
464 // Grumpkin callbacks
465 // Grumpkin commitments have coordinates in BN254::ScalarField (Fr), so x and y are each 1 Fr.
466 auto grumpkin_comm = [&]() {
467 Fr x = flat[offset];
468 Fr y = flat[offset + 1];
469 offset += 2;
470
471 if (x.is_zero() && y.is_zero()) {
472 write_u256(out, uint256_t(0));
473 return;
474 }
475
476 uint256_t x_val = uint256_t(x);
477 if (y_is_negative(y)) {
478 x_val |= SIGN_BIT_MASK;
479 }
480 write_u256(out, x_val);
481 };
482
483 // Grumpkin scalars are Fq values stored as (lo, hi) Fr pairs
484 auto grumpkin_scalar = [&]() {
485 Fq fq_val = reconstruct_fq(flat[offset], flat[offset + 1]);
486 offset += 2;
487 write_u256(out, uint256_t(fq_val));
488 };
489
490 size_t mega_num_pub_inputs =
491 proof.hiding_oink_proof.size() - ProofLength::Oink<MegaZKFlavor>::LENGTH_WITHOUT_PUB_INPUTS;
492 walk_chonk_proof(bn254_scalar, bn254_comm, grumpkin_scalar, grumpkin_comm, mega_num_pub_inputs);
493 if (offset != flat.size()) {
494 throw_or_abort("proof_compression: compress did not consume all proof elements");
495 }
496 return out;
497 }
498
499 static ChonkProof decompress_chonk_proof(const std::vector<uint8_t>& compressed, size_t mega_num_public_inputs)
500 {
501 HonkProof flat;
502 size_t pos = 0;
503
504 // BN254 callbacks
505 auto bn254_scalar = [&]() {
506 uint256_t raw = read_u256(compressed, pos);
507 if (raw >= Fr::modulus) {
508 throw_or_abort("proof_compression: BN254 scalar out of range");
509 }
510 flat.emplace_back(raw);
511 };
512
513 auto bn254_comm = [&]() {
514 uint256_t raw = read_u256(compressed, pos);
515 bool sign = (raw & SIGN_BIT_MASK) != 0;
516 uint256_t x_val = raw & ~SIGN_BIT_MASK;
517
518 // Point-at-infinity is encoded as all zeros (x=0, sign=false).
519 // Unambiguous because x=0 is not on BN254
520 if (x_val == uint256_t(0) && !sign) {
521 for (int j = 0; j < 4; j++) {
522 flat.emplace_back(Fr::zero());
523 }
524 return;
525 }
526
527 if (x_val >= Fq::modulus) {
528 throw_or_abort("proof_compression: BN254 x-coordinate out of range");
529 }
530 Fq x(x_val);
531 Fq y_squared = x * x * x + Bn254G1Params::b;
532 auto [is_square, y] = y_squared.sqrt();
533 if (!is_square) {
534 throw_or_abort("proof_compression: BN254 point not on curve");
535 }
536
537 if (y_is_negative(y) != sign) {
538 y = -y;
539 }
540
541 auto [x_lo, x_hi] = split_fq(x);
542 auto [y_lo, y_hi] = split_fq(y);
543 flat.emplace_back(x_lo);
544 flat.emplace_back(x_hi);
545 flat.emplace_back(y_lo);
546 flat.emplace_back(y_hi);
547 };
548
549 // Grumpkin callbacks
550 auto grumpkin_comm = [&]() {
551 uint256_t raw = read_u256(compressed, pos);
552 bool sign = (raw & SIGN_BIT_MASK) != 0;
553 uint256_t x_val = raw & ~SIGN_BIT_MASK;
554
555 // Point-at-infinity is encoded as all zeros (x=0, sign=false).
556 // Unambiguous because x=0 is not on Grumpkin
557 if (x_val == uint256_t(0) && !sign) {
558 flat.emplace_back(Fr::zero());
559 flat.emplace_back(Fr::zero());
560 return;
561 }
562
563 if (x_val >= Fr::modulus) {
564 throw_or_abort("proof_compression: Grumpkin x-coordinate out of range");
565 }
566 Fr x(x_val);
567 Fr y_squared = x * x * x + grumpkin::G1Params::b;
568 auto [is_square, y] = y_squared.sqrt();
569 if (!is_square) {
570 throw_or_abort("proof_compression: Grumpkin point not on curve");
571 }
572
573 if (y_is_negative(y) != sign) {
574 y = -y;
575 }
576
577 flat.emplace_back(x);
578 flat.emplace_back(y);
579 };
580
581 auto grumpkin_scalar = [&]() {
582 uint256_t raw = read_u256(compressed, pos);
583 if (raw >= Fq::modulus) {
584 throw_or_abort("proof_compression: Grumpkin scalar out of range");
585 }
586 Fq fq_val(raw);
587 auto [lo, hi] = split_fq(fq_val);
588 flat.emplace_back(lo);
589 flat.emplace_back(hi);
590 };
591
592 walk_chonk_proof(bn254_scalar, bn254_comm, grumpkin_scalar, grumpkin_comm, mega_num_public_inputs);
593 if (pos != compressed.size()) {
594 throw_or_abort("proof_compression: decompression did not consume all bytes");
595 }
596 return ChonkProof::from_field_elements(flat);
597 }
598};
599
600} // namespace bb
chonk_proof.hpp
bb::ECCVMFlavor::NUM_MASKING_POLYNOMIALS
static constexpr size_t NUM_MASKING_POLYNOMIALS
Definition eccvm_flavor.hpp:73
bb::ECCVMFlavor::NUM_ALL_ENTITIES
static constexpr size_t NUM_ALL_ENTITIES
Definition eccvm_flavor.hpp:79
bb::ECCVMFlavor::PROOF_LENGTH
static constexpr size_t PROOF_LENGTH
Definition eccvm_flavor.hpp:148
bb::ECCVMFlavor::NUM_WITNESS_ENTITIES
static constexpr size_t NUM_WITNESS_ENTITIES
Definition eccvm_flavor.hpp:85
bb::MegaFlavor::NUM_ALL_ENTITIES
static constexpr size_t NUM_ALL_ENTITIES
Definition mega_flavor.hpp:340
bb::MegaFlavor::NUM_WITNESS_ENTITIES
static constexpr size_t NUM_WITNESS_ENTITIES
Definition mega_flavor.hpp:337
bb::ProofCompressor
Compresses Chonk proofs from vector<fr> to compact byte representations.
Definition proof_compression.hpp:33
bb::ProofCompressor::walk_joint_proof
static void walk_joint_proof(ScalarFn &&process_scalar, CommitmentFn &&process_commitment)
Walk the joint proof (translator oink + joint sumcheck + joint PCS, all BN254).
Definition proof_compression.hpp:227
bb::ProofCompressor::BN254_FRS_PER_COMM
static constexpr size_t BN254_FRS_PER_COMM
Definition proof_compression.hpp:320
bb::ProofCompressor::EXPECTED_MERGE_FRS
static constexpr size_t EXPECTED_MERGE_FRS
Definition proof_compression.hpp:331
bb::ProofCompressor::FQ_SPLIT_BITS
static constexpr uint64_t FQ_SPLIT_BITS
Definition proof_compression.hpp:41
bb::ProofCompressor::compress_chonk_proof
static std::vector< uint8_t > compress_chonk_proof(const ChonkProof &proof)
Definition proof_compression.hpp:434
bb::ProofCompressor::decompress_chonk_proof
static ChonkProof decompress_chonk_proof(const std::vector< uint8_t > &compressed, size_t mega_num_public_inputs)
Definition proof_compression.hpp:499
bb::ProofCompressor::EXPECTED_ECCVM_FRS
static constexpr size_t EXPECTED_ECCVM_FRS
Definition proof_compression.hpp:339
bb::ProofCompressor::compressed_element_count
static size_t compressed_element_count(size_t mega_num_public_inputs=0)
Count the total compressed elements for a Chonk proof. Each element (scalar or commitment,...
Definition proof_compression.hpp:405
bb::ProofCompressor::walk_eccvm_proof
static void walk_eccvm_proof(ScalarFn &&process_scalar, CommitmentFn &&process_commitment)
Walk an ECCVM proof (all Grumpkin).
Definition proof_compression.hpp:139
bb::ProofCompressor::Fr
curve::BN254::ScalarField Fr
Definition proof_compression.hpp:34
bb::ProofCompressor::SIGN_BIT_MASK
static constexpr uint256_t SIGN_BIT_MASK
Definition proof_compression.hpp:37
bb::ProofCompressor::Fq
curve::BN254::BaseField Fq
Definition proof_compression.hpp:35
bb::ProofCompressor::GRUMPKIN_FRS_PER_SCALAR
static constexpr size_t GRUMPKIN_FRS_PER_SCALAR
Definition proof_compression.hpp:321
bb::ProofCompressor::EXPECTED_JOINT_FRS
static constexpr size_t EXPECTED_JOINT_FRS
Definition proof_compression.hpp:369
bb::ProofCompressor::write_u256
static void write_u256(std::vector< uint8_t > &out, const uint256_t &val)
Definition proof_compression.hpp:53
bb::ProofCompressor::EXPECTED_IPA_FRS
static constexpr size_t EXPECTED_IPA_FRS
Definition proof_compression.hpp:361
bb::ProofCompressor::y_is_negative
static bool y_is_negative(const Field &y)
True if y is in the "upper half" of its field, used for point compression sign bit.
Definition proof_compression.hpp:44
bb::ProofCompressor::walk_merge_proof
static void walk_merge_proof(ScalarFn &&process_scalar, CommitmentFn &&process_commitment)
Walk a Merge proof (42 Fr, all BN254).
Definition proof_compression.hpp:113
bb::ProofCompressor::GRUMPKIN_FRS_PER_COMM
static constexpr size_t GRUMPKIN_FRS_PER_COMM
Definition proof_compression.hpp:322
bb::ProofCompressor::compressed_mega_num_public_inputs
static size_t compressed_mega_num_public_inputs(size_t compressed_bytes)
Derive mega_num_public_inputs from compressed proof size.
Definition proof_compression.hpp:417
bb::ProofCompressor::walk_chonk_proof
static void walk_chonk_proof(BN254ScalarFn &&bn254_scalar, BN254CommFn &&bn254_comm, GrumpkinScalarFn &&grumpkin_scalar, GrumpkinCommFn &&grumpkin_comm, size_t mega_num_public_inputs)
Walk a full Chonk proof (5 sub-proofs across two curves).
Definition proof_compression.hpp:299
bb::ProofCompressor::reconstruct_fq
static Fq reconstruct_fq(const Fr &lo, const Fr &hi)
Definition proof_compression.hpp:72
bb::ProofCompressor::walk_ipa_proof
static void walk_ipa_proof(ScalarFn &&process_scalar, CommitmentFn &&process_commitment)
Walk an IPA proof (64 Fr, all Grumpkin).
Definition proof_compression.hpp:207
bb::ProofCompressor::EXPECTED_HIDING_OINK_FRS
static constexpr size_t EXPECTED_HIDING_OINK_FRS
Definition proof_compression.hpp:326
bb::ProofCompressor::read_u256
static uint256_t read_u256(const std::vector< uint8_t > &data, size_t &pos)
Definition proof_compression.hpp:60
bb::ProofCompressor::walk_mega_zk_oink_proof
static void walk_mega_zk_oink_proof(ScalarFn &&process_scalar, CommitmentFn &&process_commitment, size_t num_public_inputs)
Walk a MegaZK Oink-only proof (BN254).
Definition proof_compression.hpp:94
bb::ProofCompressor::NUM_LIMB_BITS
static constexpr uint64_t NUM_LIMB_BITS
Definition proof_compression.hpp:40
bb::ProofCompressor::JOINT_LOG_N
static constexpr size_t JOINT_LOG_N
Definition proof_compression.hpp:368
bb::ProofCompressor::split_fq
static std::pair< Fr, Fr > split_fq(const Fq &val)
Definition proof_compression.hpp:77
bb::ProofCompressor::BN254_FRS_PER_SCALAR
static constexpr size_t BN254_FRS_PER_SCALAR
Definition proof_compression.hpp:319
bb::TranslatorFlavor::NUM_FULL_CIRCUIT_EVALUATIONS
static constexpr size_t NUM_FULL_CIRCUIT_EVALUATIONS
Definition translator_flavor.hpp:718
bb::TranslatorFlavor::CONST_TRANSLATOR_LOG_N
static constexpr size_t CONST_TRANSLATOR_LOG_N
Definition translator_flavor.hpp:84
bb::TranslatorFlavor::NUM_MINICIRCUIT_EVALUATIONS
static constexpr size_t NUM_MINICIRCUIT_EVALUATIONS
Definition translator_flavor.hpp:713
bb::TranslatorFlavor::LOG_MINI_CIRCUIT_SIZE
static constexpr size_t LOG_MINI_CIRCUIT_SIZE
Definition translator_flavor.hpp:81
bb::TranslatorFlavor::NUM_COMMITMENTS_IN_PROOF
static constexpr size_t NUM_COMMITMENTS_IN_PROOF
Definition translator_flavor.hpp:745
bb::curve::BN254::BaseField
bb::fq BaseField
Definition bn254.hpp:19
bb::curve::BN254::ScalarField
bb::fr ScalarField
Definition bn254.hpp:18
bb::numeric::uint256_t
Definition uint256.hpp:32
bb::numeric::uint256_t::data
uint64_t data[4]
Definition uint256.hpp:219
data
const std::vector< MemoryValue > data
Definition data_copy.test.cpp:70
eccvm_flavor.hpp
offset
ssize_t offset
Definition engine.cpp:62
proof.hpp
mega_zk_flavor.hpp
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
bb::HonkProof
std::vector< fr > HonkProof
Definition proof.hpp:15
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
proof_length.hpp
bb::Bn254G1Params::b
static constexpr fq b
Definition g1.hpp:30
bb::ChonkProof_< false >
bb::ChonkProof_< false >::PROOF_LENGTH_WITHOUT_PUB_INPUTS
static constexpr size_t PROOF_LENGTH_WITHOUT_PUB_INPUTS
Definition chonk_proof.hpp:54
bb::ChonkProof_< false >::from_field_elements
static ChonkProof_ from_field_elements(const std::vector< FF > &fields)
Reconstruct proof from field elements.
Definition chonk_proof.cpp:36
bb::ChonkProof_::hiding_oink_proof
HonkProof hiding_oink_proof
Definition chonk_proof.hpp:41
bb::ChonkProof_::to_field_elements
std::vector< FF > to_field_elements() const
Serialize proof to field elements (native mode)
Definition chonk_proof.cpp:18
bb::ProofLength::Oink
Computes Oink proof length from flavor traits.
Definition proof_length.hpp:37
bb::field< Bn254FrParams >::modulus
static constexpr uint256_t modulus
Definition field_declarations.hpp:234
bb::field::sqrt
constexpr std::pair< bool, field > sqrt() const noexcept
Compute square root of the field element.
Definition field_impl.hpp:705
bb::field::is_zero
BB_INLINE constexpr bool is_zero() const noexcept
Definition field_impl.hpp:753
bb::field< Bn254FrParams >::zero
static constexpr field zero()
Definition field_declarations.hpp:277
bb::grumpkin::G1Params::b
static constexpr bb::fr b
Definition grumpkin.hpp:30
throw_or_abort
void throw_or_abort(std::string const &err)
Definition throw_or_abort.hpp:6
translator_flavor.hpp