feat: Complete ECCVM recursive verifier

barretenberg/barretenberg.code-workspace

@@ -58,26 +58,10 @@
             "ms-vscode.cpptools"
         ]
     },
-    "launch": {
-        // Configure LLDB
-        "configurations": [
-            {
-                "name": "(lldb) Launch Target",
-                "type": "lldb",
-                "request": "launch",
-                "program": "${command:cmake.launchTargetPath}",
-                "args": [],
-                "cwd": "${workspaceFolder}/cpp/build",
-                "internalConsoleOptions": "openOnSessionStart",
-                "console": "internalConsole",
-            }
-        ],
-    },
     // Global settings which will apply to all subprojects.
     // Each subproject may have their own `.vscode/settings.json`
     // for configuring extensions which are specific to a certain project.
     // Some settings can only be configured here.
-    // The following are just provided as example.
     "settings": {
         "files.associations": {
             "*.tcc": "cpp",
@@ -96,7 +80,6 @@
         //
         // Location of base CMakeLists file
         "cmake.sourceDirectory": "${workspaceFolder}/cpp/",
-        "cmake.buildDirectory": "${workspaceFolder}/cpp/build",
         //
         // C/C++ (should be disabled)
         //
@@ -116,9 +99,9 @@
         //
         // Ensures tests are run from the `build` directory
         // which ensures SRS can be read
-        "testMate.cpp.test.workingDirectory": "${workspaceFolder}/cpp/build",
+        "testMate.cpp.test.workingDirectory": "${command:cmake.buildDirectory}",
         // Filter all binaries that are not tests or benchmarks
-        "testMate.cpp.test.executables": "${workspaceFolder}/cpp/{build}/bin/*{test,Test,TEST,bench}*",
+        "testMate.cpp.test.executables": "${command:cmake.buildDirectory}/bin/*{test,Test,TEST,bench}*",
         //
         // Other
         //
@@ -144,21 +127,24 @@
                 }
             ]
         },
-        //
-        // GTest adapter (not currently used)
-        //
-        "gtest-adapter.debugConfig": [
-            "(lldb) Launch Target"
-        ],
         "[cpp]": {
             "editor.defaultFormatter": "llvm-vs-code-extensions.vscode-clangd"
         },
         "cmake.configureArgs": [
-            "--preset clang16",
             "-G Ninja"
         ],
-        "cmake.useCMakePresets": "auto",
+        "cmake.useCMakePresets": "always",
         "editor.inlayHints.enabled": "offUnlessPressed",
-        "git.detectSubmodules": false
+        "git.detectSubmodules": false,
+        "testMate.cpp.discovery.loadOnStartup": false,
+        "testMate.cpp.debug.configTemplate": {
+            "type": "lldb",
+            "MIMode": "lldb",
+            "program": "${exec}",
+            "args": "${argsArray}",
+            "cwd": "${command:cmake.buildDirectory}",
+            "internalConsoleOptions": "openOnSessionStart",
+            "console": "internalConsole",
+        }    
     },
 }

barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp

@@ -541,12 +541,8 @@ template <typename PCS> class ZeroMorphVerifier_ {
         auto phi_n_x = phi_numerator / (x_challenge - 1);
 
         // Add contribution: -v * x * \Phi_n(x) * [1]_1
-        if constexpr (Curve::is_stdlib_type) {
-            auto builder = x_challenge.get_context();
-            scalars.emplace_back(FF(builder, -1) * batched_evaluation * x_challenge * phi_n_x);
-        } else {
-            scalars.emplace_back(FF(-1) * batched_evaluation * x_challenge * phi_n_x);
-        }
+        scalars.emplace_back(FF(-1) * batched_evaluation * x_challenge * phi_n_x);
+
         commitments.emplace_back(first_g1);
 
         // Add contribution: x * \sum_{i=0}^{m-1} \rho^i*[f_i]
@@ -704,20 +700,18 @@ template <typename PCS> class ZeroMorphVerifier_ {
 
         // Compute commitment C_{\zeta,Z}
         Commitment C_zeta_Z;
-        FF evaluation;
         if constexpr (Curve::is_stdlib_type) {
+
             // Express operation as a batch_mul in order to use Goblinization if available
             auto builder = z_challenge.get_context();
             std::vector<FF> scalars = { FF(builder, 1), z_challenge };
             std::vector<Commitment> points = { C_zeta_x, C_Z_x };
             C_zeta_Z = Commitment::batch_mul(points, scalars);
-            evaluation = FF(builder, 0);
         } else {
             C_zeta_Z = C_zeta_x + C_Z_x * z_challenge;
-            evaluation = FF(0);
         }
 
-        return { .opening_pair = { .challenge = x_challenge, .evaluation = evaluation }, .commitment = C_zeta_Z };
+        return { .opening_pair = { .challenge = x_challenge, .evaluation = FF(0) }, .commitment = C_zeta_Z };
     }
 
     /**
@@ -782,14 +776,8 @@ template <typename PCS> class ZeroMorphVerifier_ {
                                       const std::vector<RefVector<Commitment>>& concatenation_group_commitments = {},
                                       RefSpan<FF> concatenated_evaluations = {})
     {
-        Commitment first_g1;
-        // Retrieve the first element in the SRS [1]_1 which will be different depending on the curve we operate on
-        if constexpr (Curve::is_stdlib_type) {
-            auto builder = multivariate_challenge[0].get_context();
-            first_g1 = Commitment(builder, vk->srs->get_first_g1());
-        } else {
-            first_g1 = vk->get_first_g1();
-        }
+        Commitment first_g1 = vk->get_first_g1();
+
         auto opening_claim = compute_univariate_evaluation_opening_claim(unshifted_commitments,
                                                                          to_be_shifted_commitments,
                                                                          unshifted_evaluations,

barretenberg/cpp/src/barretenberg/dsl/acir_format/multi_scalar_mul.cpp

@@ -34,7 +34,7 @@ template <typename Builder> void create_multi_scalar_mul_constraint(Builder& bui
     }
 
     // Call batch_mul to multiply the points and scalars and sum the results
-    auto output_point = cycle_group_ct::batch_mul(scalars, points);
+    auto output_point = cycle_group_ct::batch_mul(points, scalars);
 
     // Add the constraints
     builder.assert_equal(output_point.x.get_witness_index(), input.out_point_x);

barretenberg/cpp/src/barretenberg/eccvm/eccvm_prover.cpp

@@ -33,7 +33,7 @@ ECCVMProver::ECCVMProver(CircuitBuilder& builder, const std::shared_ptr<Transcri
 void ECCVMProver::execute_preamble_round()
 {
     const auto circuit_size = static_cast<uint32_t>(key->circuit_size);
-
+    info("circuit_size");
     transcript->send_to_verifier("circuit_size", circuit_size);
 }
 

barretenberg/cpp/src/barretenberg/eccvm_recursion/eccvm_recursive_flavor.hpp

@@ -25,11 +25,13 @@ template <typename BuilderType> class ECCVMRecursiveFlavor_ {
     using CircuitBuilder = BuilderType; // determines the arithmetisation of recursive verifier
     using Curve = stdlib::grumpkin<CircuitBuilder>;
     using Commitment = Curve::AffineElement;
+    using GroupElement = Curve::Element;
     using FF = Curve::ScalarField;
     using BF = Curve::BaseField;
     using RelationSeparator = FF;
     using NativeFlavor = ECCVMFlavor;
     using NativeVerificationKey = NativeFlavor::VerificationKey;
+    using PCS = IPA<Curve>;
 
     static constexpr size_t NUM_WIRES = ECCVMFlavor::NUM_WIRES;
     // The number of multivariate polynomials on which a sumcheck prover sumcheck operates (including shifts). We often

barretenberg/cpp/src/barretenberg/eccvm_recursion/eccvm_recursive_verifier.cpp

@@ -18,7 +18,7 @@ ECCVMRecursiveVerifier_<Flavor>::ECCVMRecursiveVerifier_(
 // TODO(https://github.com/AztecProtocol/barretenberg/issues/1007): Finish this
 template <typename Flavor> void ECCVMRecursiveVerifier_<Flavor>::verify_proof(const HonkProof& proof)
 {
-
+    using ZeroMorph = ZeroMorphVerifier_<PCS>;
     RelationParameters<FF> relation_parameters;
 
     StdlibProof<Builder> stdlib_proof = bb::convert_proof_to_witness(builder, proof);
@@ -30,6 +30,12 @@ template <typename Flavor> void ECCVMRecursiveVerifier_<Flavor>::verify_proof(co
     const auto circuit_size = transcript->template receive_from_prover<BF>("circuit_size");
     for (auto [comm, label] : zip_view(commitments.get_wires(), commitment_labels.get_wires())) {
         comm = transcript->template receive_from_prover<Commitment>(label);
+        // TODO(https://github.com/AztecProtocol/barretenberg/issues/1017): This is a hack to ensure zero commitments
+        // are still on curve as the transcript doesn't currently support a point at infinity representation for
+        // cycle_group
+        if (!comm.get_value().on_curve()) {
+            comm.set_point_at_infinity(true);
+        }
     }
 
     // Get challenge for sorted list batching and wire four memory records
@@ -64,6 +70,58 @@ template <typename Flavor> void ECCVMRecursiveVerifier_<Flavor>::verify_proof(co
 
     auto [multivariate_challenge, claimed_evaluations, sumcheck_verified] =
         sumcheck.verify(relation_parameters, alpha, gate_challenges);
+
+    // removed return bool
+    bool multivariate_opening_verified = ZeroMorph::verify(commitments.get_unshifted(),
+                                                           commitments.get_to_be_shifted(),
+                                                           claimed_evaluations.get_unshifted(),
+                                                           claimed_evaluations.get_shifted(),
+                                                           multivariate_challenge,
+                                                           key->pcs_verification_key,
+                                                           transcript);
+    // Execute transcript consistency univariate opening round
+    // TODO(#768): Find a better way to do this. See issue for details.
+    bool univariate_opening_verified = false;
+    {
+        auto hack_commitment = transcript->template receive_from_prover<Commitment>("Translation:hack_commitment");
+
+        FF evaluation_challenge_x = transcript->template get_challenge<FF>("Translation:evaluation_challenge_x");
+
+        // Construct arrays of commitments and evaluations to be batched
+        const size_t NUM_UNIVARIATES = 6;
+        std::array<Commitment, NUM_UNIVARIATES> transcript_commitments = {
+            commitments.transcript_op, commitments.transcript_Px, commitments.transcript_Py,
+            commitments.transcript_z1, commitments.transcript_z2, hack_commitment
+        };
+        std::array<FF, NUM_UNIVARIATES> transcript_evaluations = {
+            transcript->template receive_from_prover<FF>("Translation:op"),
+            transcript->template receive_from_prover<FF>("Translation:Px"),
+            transcript->template receive_from_prover<FF>("Translation:Py"),
+            transcript->template receive_from_prover<FF>("Translation:z1"),
+            transcript->template receive_from_prover<FF>("Translation:z2"),
+            transcript->template receive_from_prover<FF>("Translation:hack_evaluation")
+        };
+
+        // Get another challenge for batching the univariate claims
+        FF ipa_batching_challenge = transcript->template get_challenge<FF>("Translation:ipa_batching_challenge");
+
+        // Construct batched commitment and batched evaluation
+        auto batched_commitment = transcript_commitments[0];
+        auto batched_transcript_eval = transcript_evaluations[0];
+        auto batching_scalar = ipa_batching_challenge;
+        for (size_t idx = 1; idx < transcript_commitments.size(); ++idx) {
+            batched_commitment = batched_commitment + transcript_commitments[idx] * batching_scalar;
+            batched_transcript_eval += batching_scalar * transcript_evaluations[idx];
+            batching_scalar *= ipa_batching_challenge;
+        }
+
+        // Construct and verify batched opening claim
+        OpeningClaim<Curve> batched_univariate_claim = { { evaluation_challenge_x, batched_transcript_eval },
+                                                         batched_commitment };
+        univariate_opening_verified =
+            PCS::reduce_verify(key->pcs_verification_key, batched_univariate_claim, transcript);
+    }
+    ASSERT(sumcheck_verified && multivariate_opening_verified && univariate_opening_verified);
 }
 
 template class ECCVMRecursiveVerifier_<ECCVMRecursiveFlavor_<UltraCircuitBuilder>>;

barretenberg/cpp/src/barretenberg/eccvm_recursion/eccvm_recursive_verifier.hpp

@@ -12,9 +12,10 @@ template <typename Flavor> class ECCVMRecursiveVerifier_ {
     using NativeVerificationKey = typename Flavor::NativeVerificationKey;
     using VerifierCommitmentKey = typename Flavor::VerifierCommitmentKey;
     using Builder = typename Flavor::CircuitBuilder;
-    // using PCS = typename Flavor::PCS;
+    using PCS = typename Flavor::PCS;
     using Transcript = bb::BaseTranscript<bb::stdlib::recursion::honk::StdlibTranscriptParams<Builder>>;
-    using VerifierCommitments = typename Flavor::VerifierCommitments; // dunno if I need thos
+    using VerifierCommitments = typename Flavor::VerifierCommitments;
+
   public:
     explicit ECCVMRecursiveVerifier_(Builder* builder,
                                      const std::shared_ptr<NativeVerificationKey>& native_verifier_key);

barretenberg/cpp/src/barretenberg/eccvm_recursion/eccvm_recursive_verifier.test.cpp

@@ -20,6 +20,8 @@ template <typename RecursiveFlavor> class ECCVMRecursiveTests : public ::testing
     using InnerFF = InnerFlavor::FF;
     using InnerBF = InnerFlavor::BF;
 
+    using Transcript = InnerFlavor::Transcript;
+
     using RecursiveVerifier = ECCVMRecursiveVerifier_<RecursiveFlavor>;
 
     using OuterBuilder = typename RecursiveFlavor::CircuitBuilder;
@@ -74,6 +76,7 @@ template <typename RecursiveFlavor> class ECCVMRecursiveTests : public ::testing
     {
         InnerBuilder builder = generate_circuit(&engine);
         InnerProver prover(builder);
+        info(builder.get_num_gates());
         auto proof = prover.construct_proof();
         auto verification_key = std::make_shared<typename InnerFlavor::VerificationKey>(prover.key);
 
@@ -85,6 +88,17 @@ template <typename RecursiveFlavor> class ECCVMRecursiveTests : public ::testing
         // Check for a failure flag in the recursive verifier circuit
         EXPECT_EQ(outer_circuit.failed(), false) << outer_circuit.err();
 
+        InnerVerifier native_verifier(prover.key);
+        bool native_result = native_verifier.verify_proof(proof);
+        EXPECT_TRUE(native_result);
+
+        auto recursive_manifest = verifier.transcript->get_manifest();
+        auto native_manifest = native_verifier.transcript->get_manifest();
+        for (size_t i = 0; i < recursive_manifest.size(); ++i) {
+            EXPECT_EQ(recursive_manifest[i], native_manifest[i])
+                << "Recursive Verifier/Verifier manifest discrepency in round " << i;
+        }
+
         // Ensure verification key is the same
         EXPECT_EQ(verifier.key->circuit_size, verification_key->circuit_size);
         EXPECT_EQ(verifier.key->log_circuit_size, verification_key->log_circuit_size);

barretenberg/cpp/src/barretenberg/eccvm_recursion/verifier_commitment_key.hpp

@@ -1,7 +1,5 @@
 #pragma once
 #include "barretenberg/commitment_schemes/verification_key.hpp"
-#include "barretenberg/stdlib/primitives/curves/bn254.hpp"
-#include "barretenberg/stdlib/primitives/group/cycle_group.hpp"
 namespace bb {
 
 /**
@@ -11,13 +9,15 @@ namespace bb {
  */
 template <typename Curve> class VerifierCommitmentKey {
     using Builder = Curve::Builder;
-    using Commitment = stdlib::cycle_group<Builder>;
+    using Commitment = Curve::AffineElement;
     using NativeEmbeddedCurve = typename Builder::EmbeddedCurve;
 
   public:
     /**
      * @brief Construct a new Verifier Commitment Key object from its native counterpart. instantiated on Grumpkin.
-     * This will potentially be part of the ECCVMRecursiveFlavor once implemented.
+     * This will be part of the ECCVMRecursiveFlavor once implemented. The Grumpkin SRS points are represented after
+     * applying the pippenger point table so the values at odd indices contain the point {srs[i-1].x * beta,
+     * srs[i-1].y}, where beta is the endomorphism. We retrieve only the original SRS for IPA verification.
      *
      * @details The Grumpkin SRS points will be initialised as constants in the circuit but might be subsequently
      * turned into constant witnesses to make operations in the circuit more efficient.
@@ -29,7 +29,7 @@ template <typename Curve> class VerifierCommitmentKey {
     {
 
         auto* native_points = native_pcs_verification_key->get_monomial_points();
-        for (size_t i = 0; i < num_points; i++) {
+        for (size_t i = 0; i < num_points * 2; i += 2) {
             monomial_points.emplace_back(Commitment(native_points[i]));
         }
     }

barretenberg/cpp/src/barretenberg/eccvm_recursion/verifier_commitment_key.test.cpp

@@ -1,5 +1,6 @@
 
 #include "barretenberg/eccvm_recursion/verifier_commitment_key.hpp"
+#include "barretenberg/stdlib/primitives/curves/grumpkin.hpp"
 #include <gtest/gtest.h>
 namespace bb {
 template <typename Curve> class RecursiveVeriferCommitmentKeyTest : public testing::Test {
@@ -27,13 +28,16 @@ template <typename Curve> class RecursiveVeriferCommitmentKeyTest : public testi
         EXPECT_EQ(native_vk->get_first_g1(), recursive_vk->get_first_g1().get_value());
         auto* native_monomial_points = native_vk->get_monomial_points();
         auto recursive_monomial_points = recursive_vk->get_monomial_points();
-        for (size_t i = 0; i < num_points; i++) {
-            EXPECT_EQ(native_monomial_points[i], recursive_monomial_points[i].get_value());
+
+        // The recursive verifier commitment key only stores the SRS so we verify against the even indices of the native
+        // key (the odd containt elements produced after applying the pippenger point table).
+        for (size_t i = 0; i < num_points * 2; i += 2) {
+            EXPECT_EQ(native_monomial_points[i], recursive_monomial_points[i >> 1].get_value());
         }
     }
 };
 
-using Curves = testing::Types<stdlib::bn254<UltraCircuitBuilder>, stdlib::bn254<MegaCircuitBuilder>>;
+using Curves = testing::Types<stdlib::grumpkin<UltraCircuitBuilder>, stdlib::grumpkin<MegaCircuitBuilder>>;
 
 TYPED_TEST_SUITE(RecursiveVeriferCommitmentKeyTest, Curves);
 

barretenberg/cpp/src/barretenberg/stdlib/commitment/pedersen/pedersen.cpp

@@ -22,7 +22,7 @@ cycle_group<C> pedersen_commitment<C>::commit(const std::vector<field_t>& inputs
         points.emplace_back(base_points[i]);
     }
 
-    return cycle_group::batch_mul(scalars, points);
+    return cycle_group::batch_mul(points, scalars);
 }
 
 template <typename C>
@@ -37,7 +37,7 @@ cycle_group<C> pedersen_commitment<C>::commit(const std::vector<std::pair<field_
         points.emplace_back(context.generators->get(1, context.offset, context.domain_separator)[0]);
     }
 
-    return cycle_group::batch_mul(scalars, points);
+    return cycle_group::batch_mul(points, scalars);
 }
 
 template class pedersen_commitment<bb::StandardCircuitBuilder>;

barretenberg/cpp/src/barretenberg/stdlib/encryption/schnorr/schnorr.cpp

@@ -45,7 +45,7 @@ std::array<field_t<C>, 2> schnorr_verify_signature_internal(const byte_array<C>&
     cycle_group<C> g1(grumpkin::g1::one);
     // compute g1 * sig.s + key * sig,e
 
-    auto x_3 = cycle_group<C>::batch_mul({ sig.s, sig.e }, { g1, pub_key }).x;
+    auto x_3 = cycle_group<C>::batch_mul({ g1, pub_key }, { sig.s, sig.e }).x;
     // build input (pedersen(([s]g + [e]pub).x | pub.x | pub.y) | message) to hash function
     // pedersen hash ([r].x | pub.x) to make sure the size of `hash_input` is <= 64 bytes for a 32 byte message
     byte_array<C> hash_input(pedersen_hash<C>::hash({ x_3, pub_key.x, pub_key.y }));