Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
ultra_honk.test.cpp
Go to the documentation of this file.
1#include "ultra_honk.test.hpp"
2#include "barretenberg/honk/proof_length.hpp"
3#include "barretenberg/honk/relation_checker.hpp"
4#include "barretenberg/ultra_honk/oink_prover.hpp"
5
6#include <gtest/gtest.h>
7
8using namespace bb;
9
10using AggregationState = stdlib::recursion::PairingPoints<UltraCircuitBuilder>;
11
12#ifdef STARKNET_GARAGA_FLAVORS
13using FlavorTypes = testing::Types<UltraFlavor,
14 UltraZKFlavor,
15 UltraKeccakFlavor,
16 UltraKeccakZKFlavor,
17 UltraStarknetFlavor,
18 UltraStarknetZKFlavor>;
19#else
20using FlavorTypes = testing::Types<UltraFlavor, UltraZKFlavor, UltraKeccakFlavor, UltraKeccakZKFlavor>;
21#endif
22TYPED_TEST_SUITE(UltraHonkTests, FlavorTypes);
32TYPED_TEST(UltraHonkTests, ProofLengthCheck)
33{
34 using Flavor = TypeParam;
35 using Builder = Flavor::CircuitBuilder;
36 using IO = typename TestFixture::IO;
37 using Proof = typename Flavor::Transcript::Proof;
38
39 auto builder = Builder{};
40 IO::add_default(builder);
41 // Construct a UH proof and ensure its size matches expectation; if not, the constant may need to be updated
42 auto prover_instance = std::make_shared<ProverInstance_<Flavor>>(builder);
43 auto verification_key = std::make_shared<typename Flavor::VerificationKey>(prover_instance->get_precomputed());
44 UltraProver_<Flavor> prover(prover_instance, verification_key);
45 Proof ultra_proof = prover.construct_proof();
46 const size_t virtual_log_n = Flavor::USE_PADDING ? CONST_PROOF_SIZE_LOG_N : prover_instance->log_dyadic_size();
47 size_t expected_proof_length =
48 ProofLength::Honk<Flavor>::LENGTH_WITHOUT_PUB_INPUTS(virtual_log_n) + IO::PUBLIC_INPUTS_SIZE;
49 EXPECT_EQ(ultra_proof.size(), expected_proof_length);
50}
51
56TYPED_TEST(UltraHonkTests, PublicInputs)
57{
58 auto builder = UltraCircuitBuilder();
59 size_t num_gates = 10;
60
61 // Add some arbitrary arithmetic gates that utilize public inputs
62 MockCircuits::add_arithmetic_gates_with_public_inputs(builder, num_gates);
63 TestFixture::set_default_pairing_points_and_ipa_claim_and_proof(builder);
64
65 TestFixture::prove_and_verify(builder, /*expected_result=*/true);
66}
67
68TYPED_TEST(UltraHonkTests, TestNoLookupProof)
69{
70 auto circuit_builder = UltraCircuitBuilder();
71
72 for (size_t i = 0; i < 16; ++i) {
73 for (size_t j = 0; j < 16; ++j) {
74 uint64_t left = static_cast<uint64_t>(j);
75 uint64_t right = static_cast<uint64_t>(i);
76 uint32_t left_idx = circuit_builder.add_variable(fr(left));
77 uint32_t right_idx = circuit_builder.add_variable(fr(right));
78 uint32_t result_idx = circuit_builder.add_variable(fr(left ^ right));
79
80 uint32_t add_idx =
81 circuit_builder.add_variable(fr(left) + fr(right) + circuit_builder.get_variable(result_idx));
82 circuit_builder.create_big_add_gate(
83 { left_idx, right_idx, result_idx, add_idx, fr(1), fr(1), fr(1), fr(-1), fr(0) });
84 }
85 }
86 TestFixture::set_default_pairing_points_and_ipa_claim_and_proof(circuit_builder);
87
88 TestFixture::prove_and_verify(circuit_builder, /*expected_result=*/true);
89}
90
91TYPED_TEST(UltraHonkTests, TestEllipticGate)
92{
93 typedef grumpkin::g1::affine_element affine_element;
94 typedef grumpkin::g1::element element;
95 auto circuit_builder = UltraCircuitBuilder();
96
97 affine_element p1 = affine_element::random_element();
98 affine_element p2 = affine_element::random_element();
99
100 affine_element p3(element(p1) + element(p2));
101
102 uint32_t x1 = circuit_builder.add_variable(p1.x);
103 uint32_t y1 = circuit_builder.add_variable(p1.y);
104 uint32_t x2 = circuit_builder.add_variable(p2.x);
105 uint32_t y2 = circuit_builder.add_variable(p2.y);
106 uint32_t x3 = circuit_builder.add_variable(p3.x);
107 uint32_t y3 = circuit_builder.add_variable(p3.y);
108
109 circuit_builder.create_ecc_add_gate({ x1, y1, x2, y2, x3, y3, /*is_addition=*/true });
110
111 p3 = affine_element(element(p1) + element(p2));
112 x3 = circuit_builder.add_variable(p3.x);
113 y3 = circuit_builder.add_variable(p3.y);
114 circuit_builder.create_ecc_add_gate({ x1, y1, x2, y2, x3, y3, /*is_addition=*/true });
115
116 p3 = affine_element(element(p1) - element(p2));
117 x3 = circuit_builder.add_variable(p3.x);
118 y3 = circuit_builder.add_variable(p3.y);
119 circuit_builder.create_ecc_add_gate({ x1, y1, x2, y2, x3, y3, /*is_addition=*/false });
120
121 TestFixture::set_default_pairing_points_and_ipa_claim_and_proof(circuit_builder);
122
123 TestFixture::prove_and_verify(circuit_builder, /*expected_result=*/true);
124}
125
126TYPED_TEST(UltraHonkTests, NonNativeFieldMultiplication)
127{
128 using fq = fq;
129 auto circuit_builder = UltraCircuitBuilder();
130
131 fq a = fq::random_element();
132 fq b = fq::random_element();
133 uint256_t modulus = fq::modulus;
134
135 uint1024_t a_big = uint512_t(uint256_t(a));
136 uint1024_t b_big = uint512_t(uint256_t(b));
137 uint1024_t p_big = uint512_t(uint256_t(modulus));
138
139 uint1024_t q_big = (a_big * b_big) / p_big;
140 uint1024_t r_big = (a_big * b_big) % p_big;
141
142 uint256_t q(q_big.lo.lo);
143 uint256_t r(r_big.lo.lo);
144
145 const auto split_into_limbs = [&](const uint512_t& input) {
146 constexpr size_t NUM_BITS = 68;
147 std::array<fr, 4> limbs;
148 limbs[0] = input.slice(0, NUM_BITS).lo;
149 limbs[1] = input.slice(NUM_BITS * 1, NUM_BITS * 2).lo;
150 limbs[2] = input.slice(NUM_BITS * 2, NUM_BITS * 3).lo;
151 limbs[3] = input.slice(NUM_BITS * 3, NUM_BITS * 4).lo;
152 return limbs;
153 };
154
155 const auto get_limb_witness_indices = [&](const std::array<fr, 4>& limbs) {
156 std::array<uint32_t, 4> limb_indices;
157 limb_indices[0] = circuit_builder.add_variable(limbs[0]);
158 limb_indices[1] = circuit_builder.add_variable(limbs[1]);
159 limb_indices[2] = circuit_builder.add_variable(limbs[2]);
160 limb_indices[3] = circuit_builder.add_variable(limbs[3]);
161 return limb_indices;
162 };
163 const uint512_t BINARY_BASIS_MODULUS = uint512_t(1) << (68 * 4);
164 auto modulus_limbs = split_into_limbs(BINARY_BASIS_MODULUS - uint512_t(modulus));
165
166 const auto a_indices = get_limb_witness_indices(split_into_limbs(uint256_t(a)));
167 const auto b_indices = get_limb_witness_indices(split_into_limbs(uint256_t(b)));
168 const auto q_indices = get_limb_witness_indices(split_into_limbs(uint256_t(q)));
169 const auto r_indices = get_limb_witness_indices(split_into_limbs(uint256_t(r)));
170
171 non_native_multiplication_witnesses<fr> inputs{
172 a_indices, b_indices, q_indices, r_indices, modulus_limbs,
173 };
174 const auto [lo_1_idx, hi_1_idx] = circuit_builder.evaluate_non_native_field_multiplication(inputs);
175
176 // Range constrain the lo and hi carry outputs
177 const bool is_low_70_bits = uint256_t(circuit_builder.get_variable(lo_1_idx)).get_msb() < 70;
178 const bool is_high_70_bits = uint256_t(circuit_builder.get_variable(hi_1_idx)).get_msb() < 70;
179 if (is_low_70_bits && is_high_70_bits) {
180 // Uses more efficient NNF range check if both limbs are < 2^70
181 circuit_builder.range_constrain_two_limbs(lo_1_idx, hi_1_idx, 70, 70);
182 } else {
183 // Fallback to default range checks
184 circuit_builder.create_limbed_range_constraint(lo_1_idx, 72);
185 circuit_builder.create_limbed_range_constraint(hi_1_idx, 72);
186 }
187
188 TestFixture::set_default_pairing_points_and_ipa_claim_and_proof(circuit_builder);
189
190 TestFixture::prove_and_verify(circuit_builder, /*expected_result=*/true);
191}
192
193TYPED_TEST(UltraHonkTests, RangeChecksOnDuplicates)
194{
195 auto circuit_builder = UltraCircuitBuilder();
196
197 uint32_t a = circuit_builder.add_variable(fr(100));
198 uint32_t b = circuit_builder.add_variable(fr(100));
199 uint32_t c = circuit_builder.add_variable(fr(100));
200 uint32_t d = circuit_builder.add_variable(fr(100));
201
202 circuit_builder.assert_equal(a, b);
203 circuit_builder.assert_equal(a, c);
204 circuit_builder.assert_equal(a, d);
205
206 circuit_builder.create_small_range_constraint(a, 1000);
207 circuit_builder.create_small_range_constraint(b, 1001);
208 circuit_builder.create_small_range_constraint(c, 999);
209 circuit_builder.create_small_range_constraint(d, 1000);
210
211 circuit_builder.create_big_add_gate(
212 {
213 a,
214 b,
215 c,
216 d,
217 0,
218 0,
219 0,
220 0,
221 0,
222 },
223 false);
224
225 TestFixture::set_default_pairing_points_and_ipa_claim_and_proof(circuit_builder);
226
227 TestFixture::prove_and_verify(circuit_builder, /*expected_result=*/true);
228}
229
230// Ensure copy constraints added on variables smaller than 2^14, which have been previously
231// range constrained, do not break the set equivalence checks because of indices mismatch.
232// 2^14 is DEFAULT_PLOOKUP_RANGE_BITNUM i.e. the maximum size before a variable gets sliced
233// before range constraints are applied to it.
234TYPED_TEST(UltraHonkTests, RangeConstraintSmallVariable)
235{
236 auto circuit_builder = UltraCircuitBuilder();
237
238 uint16_t mask = (1 << 8) - 1;
239 int a = engine.get_random_uint16() & mask;
240 uint32_t a_idx = circuit_builder.add_variable(fr(a));
241 uint32_t b_idx = circuit_builder.add_variable(fr(a));
242 ASSERT_NE(a_idx, b_idx);
243 uint32_t c_idx = circuit_builder.add_variable(fr(a));
244 ASSERT_NE(c_idx, b_idx);
245 circuit_builder.create_dyadic_range_constraint(b_idx, 8, "bad range");
246 circuit_builder.assert_equal(a_idx, b_idx);
247 circuit_builder.create_dyadic_range_constraint(c_idx, 8, "bad range");
248 circuit_builder.assert_equal(a_idx, c_idx);
249
250 TestFixture::set_default_pairing_points_and_ipa_claim_and_proof(circuit_builder);
251
252 TestFixture::prove_and_verify(circuit_builder, /*expected_result=*/true);
253}
254
261TYPED_TEST(UltraHonkTests, NativeVKHashMismatchDetected)
262{
263 using Flavor = TypeParam;
264 using IO = typename TestFixture::IO;
265 using Builder = typename Flavor::CircuitBuilder;
266 using Prover = UltraProver_<Flavor>;
267 using ProverInstance = ProverInstance_<Flavor>;
268 using VerificationKey = typename Flavor::VerificationKey;
269 using VKAndHash = typename Flavor::VKAndHash;
270 using Verifier = UltraVerifier_<Flavor, IO>;
271
272 // Create a simple circuit
273 Builder builder;
274 MockCircuits::add_arithmetic_gates(builder);
275 this->set_default_pairing_points_and_ipa_claim_and_proof(builder);
276
277 // Create prover instance and VK
278 auto prover_instance = std::make_shared<ProverInstance>(builder);
279 auto vk = std::make_shared<VerificationKey>(prover_instance->get_precomputed());
280
281 // Create prover and prove
282 Prover prover(prover_instance, vk);
283 auto proof = prover.construct_proof();
284 auto vk_and_hash = std::make_shared<VKAndHash>(vk);
285
286 // Corrupt the stored hash
287 vk_and_hash->hash = fr::random_element();
288
289 // Verification should fail with BB_ASSERT_EQ detecting the mismatch
290 Verifier verifier(vk_and_hash);
291 EXPECT_THROW_WITH_MESSAGE(verifier.verify_proof(proof), "VK Hash Mismatch");
292}
293
299TYPED_TEST(UltraHonkTests, TooShortProofRejected)
300{
301 using Flavor = TypeParam;
302 using IO = typename TestFixture::IO;
303 using Builder = typename Flavor::CircuitBuilder;
304 using Prover = UltraProver_<Flavor>;
305 using ProverInstance = ProverInstance_<Flavor>;
306 using VerificationKey = typename Flavor::VerificationKey;
307 using VKAndHash = typename Flavor::VKAndHash;
308 using Verifier = UltraVerifier_<Flavor, IO>;
309 using Proof = typename Flavor::Transcript::Proof;
310
311 // Create a simple circuit and produce a valid proof
312 Builder builder;
313 MockCircuits::add_arithmetic_gates(builder);
314 this->set_default_pairing_points_and_ipa_claim_and_proof(builder);
315
316 auto prover_instance = std::make_shared<ProverInstance>(builder);
317 auto vk = std::make_shared<VerificationKey>(prover_instance->get_precomputed());
318
319 Prover prover(prover_instance, vk);
320 auto proof = prover.construct_proof();
321
322 // Truncate the proof by removing the last 10 elements
323 Proof truncated_proof(proof.begin(), proof.end() - 10);
324
325 auto vk_and_hash = std::make_shared<VKAndHash>(vk);
326 Verifier verifier(vk_and_hash);
327 EXPECT_THROW_WITH_MESSAGE(verifier.verify_proof(truncated_proof), "Proof size too small");
328}
329
335TYPED_TEST(UltraHonkTests, TooLongProofRejected)
336{
337 using Flavor = TypeParam;
338 using IO = typename TestFixture::IO;
339 using Builder = typename Flavor::CircuitBuilder;
340 using Prover = UltraProver_<Flavor>;
341 using ProverInstance = ProverInstance_<Flavor>;
342 using VerificationKey = typename Flavor::VerificationKey;
343 using VKAndHash = typename Flavor::VKAndHash;
344 using Verifier = UltraVerifier_<Flavor, IO>;
345 using Proof = typename Flavor::Transcript::Proof;
346 using FF = typename Flavor::FF;
347
348 // Create a simple circuit and produce a valid proof
349 Builder builder;
350 MockCircuits::add_arithmetic_gates(builder);
351 this->set_default_pairing_points_and_ipa_claim_and_proof(builder);
352
353 auto prover_instance = std::make_shared<ProverInstance>(builder);
354 auto vk = std::make_shared<VerificationKey>(prover_instance->get_precomputed());
355
356 Prover prover(prover_instance, vk);
357 auto proof = prover.construct_proof();
358
359 // Append extra elements to the proof
360 Proof extended_proof(proof);
361 for (size_t i = 0; i < 10; i++) {
362 extended_proof.push_back(FF::random_element());
363 }
364
365 auto vk_and_hash = std::make_shared<VKAndHash>(vk);
366 Verifier verifier(vk_and_hash);
367 EXPECT_THROW_WITH_MESSAGE(verifier.verify_proof(extended_proof), "num_public_inputs mismatch");
368}
369
380TYPED_TEST(UltraHonkTests, DyadicSizeJumpsToProtectMaskingArea)
381{
382 using Flavor = TypeParam;
383 if constexpr (!Flavor::HasZK) {
384 GTEST_SKIP() << "Masking area only exists for ZK flavors";
385 } else {
386 using Builder = typename Flavor::CircuitBuilder;
387 using ProverInstance = ProverInstance_<Flavor>;
388
389 // Determine the baseline dyadic size (pairing points + finalization overhead, no user gates)
390 Builder baseline_builder;
391 this->set_default_pairing_points_and_ipa_claim_and_proof(baseline_builder);
392 auto baseline_instance = std::make_shared<ProverInstance>(baseline_builder);
393 const size_t baseline_dyadic = baseline_instance->dyadic_size();
394
395 // The disabled head region (rows 0..TRACE_OFFSET-1)
396 // is always present. Verify that the active trace starts after the disabled region and that
397 // the dyadic size doubles when the trace gets tightly packed.
398 size_t prev_dyadic = 0;
399 bool found_jump = false;
400 for (size_t num_extra_gates = 0; num_extra_gates <= baseline_dyadic; num_extra_gates++) {
401 Builder builder;
402 if (num_extra_gates > 0) {
403 MockCircuits::add_arithmetic_gates(builder, num_extra_gates);
404 }
405 this->set_default_pairing_points_and_ipa_claim_and_proof(builder);
406
407 auto prover_instance = std::make_shared<ProverInstance>(builder);
408
409 const size_t dyadic_size = prover_instance->dyadic_size();
410 const size_t final_active_idx = prover_instance->get_final_active_wire_idx();
411
412 // Invariant: active trace doesn't overlap the disabled head region
413 ASSERT_GE(final_active_idx, ProverInstance::TRACE_OFFSET)
414 << "final_active_idx (" << final_active_idx << ") is within the disabled head region";
415
416 if (prev_dyadic != 0 && dyadic_size > prev_dyadic) {
417 // Dyadic size should exactly double
418 EXPECT_EQ(dyadic_size, 2 * prev_dyadic);
419
420 // Prove and verify at the tightest packing (right before the jump)
421 Builder tight_builder;
422 MockCircuits::add_arithmetic_gates(tight_builder, num_extra_gates - 1);
423 this->set_default_pairing_points_and_ipa_claim_and_proof(tight_builder);
424 auto tight_instance = std::make_shared<ProverInstance>(tight_builder);
425 this->prove_and_verify(tight_instance, /*expected_result=*/true);
426
427 found_jump = true;
428 break;
429 }
430
431 prev_dyadic = dyadic_size;
432 }
433
434 EXPECT_TRUE(found_jump) << "should have found a dyadic size jump within " << baseline_dyadic << " extra gates";
435 }
436}
437
444TYPED_TEST(UltraHonkTests, DyadicSizeAccountsForTableOffset)
445{
446 using Flavor = TypeParam;
447 using Builder = typename Flavor::CircuitBuilder;
448 using IO = typename TestFixture::IO;
449
450 // Test with several lookup table types of varying sizes
451 for (auto table_id : { plookup::MultiTableId::UINT32_XOR,
452 plookup::MultiTableId::UINT32_AND,
453 plookup::MultiTableId::SHA256_CH_INPUT }) {
454 auto builder = Builder{};
455 uint32_t left_idx = builder.add_variable(fr(engine.get_random_uint32()));
456 uint32_t right_idx = builder.add_variable(fr(engine.get_random_uint32()));
457 auto accumulators = plookup::get_lookup_accumulators(
458 table_id, builder.get_variable(left_idx), builder.get_variable(right_idx), true);
459 builder.create_gates_from_plookup_accumulators(table_id, accumulators, left_idx, right_idx);
460 IO::add_default(builder);
461
462 auto prover_instance = std::make_shared<ProverInstance_<Flavor>>(builder);
463
464 const size_t tables_size = builder.get_tables_size();
465 ASSERT_GT(tables_size, 0) << "expected non-empty lookup tables";
466
467 const size_t table_offset = builder.blocks.lookup.trace_offset();
468 const size_t tables_end = table_offset + tables_size;
469
470 EXPECT_GE(table_offset, ProverInstance_<Flavor>::TRACE_OFFSET)
471 << "lookup block should be past the disabled region";
472 EXPECT_GE(prover_instance->dyadic_size(), tables_end)
473 << "dyadic size (" << prover_instance->dyadic_size() << ") must accommodate tables_end (" << tables_end
474 << ") for table_offset=" << table_offset << " tables_size=" << tables_size;
475 }
476}
477
482TYPED_TEST(UltraHonkTests, WitnessPolynomialsMasked)
483{
484 using Flavor = TypeParam;
485 if constexpr (!Flavor::HasZK) {
486 GTEST_SKIP() << "Masking only applies to ZK flavors";
487 } else {
488 using Builder = typename Flavor::CircuitBuilder;
489 using IO = typename TestFixture::IO;
490
491 auto builder = Builder{};
492 IO::add_default(builder);
493 auto prover_instance = std::make_shared<ProverInstance_<Flavor>>(builder);
494
495 auto check_masked = [](const auto& poly, const std::string& label) {
496 bool has_masking = false;
497 for (size_t j = 0; j < NUM_MASKED_ROWS; j++) {
498 has_masking |= !poly[NUM_ZERO_ROWS + j].is_zero();
499 }
500 EXPECT_TRUE(has_masking) << label << " should be masked";
501 };
502
503 auto& polys = prover_instance->polynomials;
504 check_masked(polys.w_l, "w_l");
505 check_masked(polys.w_r, "w_r");
506 check_masked(polys.w_o, "w_o");
507 check_masked(polys.w_4, "w_4");
508 check_masked(polys.z_perm, "z_perm");
509 check_masked(polys.lookup_read_counts, "lookup_read_counts");
510 check_masked(polys.lookup_read_tags, "lookup_read_tags");
511 check_masked(polys.lookup_inverses, "lookup_inverses");
512 }
513}
514
520TYPED_TEST(UltraHonkTests, RepeatedCommitmentsIndicesCorrect)
521{
522 using Flavor = TypeParam;
523 using Builder = typename Flavor::CircuitBuilder;
524 using IO = typename TestFixture::IO;
525 using CommitmentKey = typename Flavor::CommitmentKey;
526 using Commitment = typename Flavor::Commitment;
527
528 auto builder = Builder{};
529 IO::add_default(builder);
530 auto prover_instance = std::make_shared<ProverInstance_<Flavor>>(builder);
531 CommitmentKey ck(prover_instance->dyadic_size());
532
533 auto unshifted = prover_instance->polynomials.get_unshifted();
534 auto to_be_shifted = prover_instance->polynomials.get_to_be_shifted();
535
536 constexpr auto repeated = Flavor::REPEATED_COMMITMENTS;
537 ASSERT_EQ(to_be_shifted.size(), repeated.first.count);
538
539 // Build the commitment vector exactly as Shplemini does: [Q, unshifted..., to_be_shifted...]
540 std::vector<Commitment> commitments;
541 commitments.push_back(Commitment::one()); // dummy Q
542 for (auto& poly : unshifted) {
543 commitments.push_back(ck.commit(poly));
544 }
545 for (auto& poly : to_be_shifted) {
546 commitments.push_back(ck.commit(poly));
547 }
548
549 // Same offset logic as remove_repeated_commitments
550 constexpr size_t offset = Flavor::HasZK ? 2 : 1;
551 for (size_t i = 0; i < repeated.first.count; i++) {
552 EXPECT_EQ(commitments[repeated.first.original_start + offset + i],
553 commitments[repeated.first.duplicate_start + offset + i])
554 << "REPEATED_COMMITMENTS commitment mismatch at index " << i;
555 }
556}
EXPECT_THROW_WITH_MESSAGE
#define EXPECT_THROW_WITH_MESSAGE(code, expectedMessageRegex)
Definition assert.hpp:193
bb::CommitmentKey
CommitmentKey object over a pairing group 𝔾₁.
Definition commitment_key.hpp:35
bb::ECCVMFlavor::HasZK
static constexpr bool HasZK
Definition eccvm_flavor.hpp:60
bb::ECCVMFlavor::FF
typename Curve::ScalarField FF
Definition eccvm_flavor.hpp:43
bb::ECCVMFlavor::CircuitBuilder
ECCVMCircuitBuilder CircuitBuilder
Definition eccvm_flavor.hpp:39
bb::ECCVMFlavor::Commitment
typename G1::affine_element Commitment
Definition eccvm_flavor.hpp:47
bb::ECCVMFlavor::CommitmentKey
bb::CommitmentKey< Curve > CommitmentKey
Definition eccvm_flavor.hpp:48
bb::ECCVMFlavor::VerificationKey
FixedVKAndHash_< PrecomputedEntities< Commitment >, BF, ECCVMHardcodedVKAndHash > VerificationKey
The verification key stores commitments to the precomputed polynomials used by the verifier.
Definition eccvm_flavor.hpp:846
bb::ECCVMFlavor::USE_PADDING
static constexpr bool USE_PADDING
Definition eccvm_flavor.hpp:64
bb::ECCVMFlavor::REPEATED_COMMITMENTS
static constexpr RepeatedCommitmentsData REPEATED_COMMITMENTS
Definition eccvm_flavor.hpp:103
bb::MockCircuits::add_arithmetic_gates_with_public_inputs
static void add_arithmetic_gates_with_public_inputs(Builder &builder, const size_t num_gates=4)
Add a specified number of arithmetic gates (with public inputs) to the provided circuit.
Definition mock_circuits.hpp:23
bb::MockCircuits::add_arithmetic_gates
static void add_arithmetic_gates(Builder &builder, const size_t num_gates=4)
Add a specified number of arithmetic gates to the provided circuit.
Definition mock_circuits.hpp:46
bb::NativeVerificationKey_
Base Native verification key class.
Definition flavor.hpp:135
bb::ProverInstance_
Contains all the information required by a Honk prover to create a proof, constructed from a finalize...
Definition prover_instance.hpp:26
bb::ProverInstance_::TRACE_OFFSET
static constexpr size_t TRACE_OFFSET
Definition prover_instance.hpp:32
bb::UltraProver_
Definition ultra_prover.hpp:18
bb::UltraProver_::construct_proof
Proof construct_proof()
Definition ultra_prover.cpp:62
bb::UltraVerifier_
Definition ultra_verifier.hpp:79
bb::UltraZKFlavor
Child class of UltraFlavor that runs with ZK Sumcheck.
Definition ultra_zk_flavor.hpp:23
bb::group_elements::affine_element
Definition affine_element.hpp:27
bb::group_elements::element
element class. Implements ecc group arithmetic using Jacobian coordinates See https://hyperelliptic....
Definition element.hpp:35
bb::numeric::RNG::get_random_uint16
virtual uint16_t get_random_uint16()=0
bb::numeric::RNG::get_random_uint32
virtual uint32_t get_random_uint32()=0
bb::numeric::uint256_t
Definition uint256.hpp:32
bb::numeric::uint256_t::get_msb
constexpr uint64_t get_msb() const
Definition uint256_impl.hpp:376
builder
AluTraceBuilder builder
Definition alu.test.cpp:124
a
FF a
Definition field_gt.test.cpp:52
b
FF b
Definition field_gt.test.cpp:53
engine
numeric::RNG & engine
Definition eccvm_transcript.test.cpp:282
offset
ssize_t offset
Definition engine.cpp:62
FlavorTypes
testing::Types< UltraFlavor, UltraKeccakFlavor, MegaFlavor > FlavorTypes
Definition flavor_serialization.test.cpp:34
inputs
AvmProvingInputs inputs
Definition hinting_dbs.test.cpp:45
bb::numeric::uint512_t
uintx< uint256_t > uint512_t
Definition uintx.hpp:309
bb::plookup::get_lookup_accumulators
ReadData< bb::fr > get_lookup_accumulators(const MultiTableId id, const fr &key_a, const fr &key_b, const bool is_2_to_1_lookup)
Given a table ID and the key(s) for a key-value lookup, return the lookup accumulators.
Definition plookup_tables.cpp:152
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
bb::fq
field< Bn254FqParams > fq
Definition fq.hpp:153
bb::TYPED_TEST_SUITE
TYPED_TEST_SUITE(CommitmentKeyTest, Curves)
bb::fr
field< Bn254FrParams > fr
Definition fr.hpp:155
bb::TYPED_TEST
TYPED_TEST(CommitmentKeyTest, CommitToZeroPoly)
Definition commitment_key.test.cpp:217
bb::UltraCircuitBuilder
UltraCircuitBuilder_< UltraExecutionTraceBlocks > UltraCircuitBuilder
Definition circuit_builders_fwd.hpp:18
bb::ck
CommitmentKey< Curve > ck
Definition ipa.fuzzer.cpp:20
bb::vk
VerifierCommitmentKey< Curve > vk
Definition ipa.fuzzer.cpp:21
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
oink_prover.hpp
proof_length.hpp
relation_checker.hpp
bb::ProofLength::Honk::LENGTH_WITHOUT_PUB_INPUTS
static constexpr size_t LENGTH_WITHOUT_PUB_INPUTS(size_t log_n)
Definition proof_length.hpp:101
bb::field< Bn254FqParams >::modulus
static constexpr uint256_t modulus
Definition field_declarations.hpp:234
bb::field< Bn254FqParams >::random_element
static field random_element(numeric::RNG *engine=nullptr) noexcept
Definition field_impl.hpp:777
bb::non_native_multiplication_witnesses
Definition ultra_circuit_builder.hpp:24
bb::stdlib::recursion::PairingPoints
An object storing two EC points that represent the inputs to a pairing check.
Definition pairing_points.hpp:26
ultra_honk.test.hpp