-
Notifications
You must be signed in to change notification settings - Fork 333
/
Copy pathclient_ivc.hpp
182 lines (146 loc) · 8.02 KB
/
client_ivc.hpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
#pragma once
#include "barretenberg/goblin/goblin.hpp"
#include "barretenberg/goblin/mock_circuits.hpp"
#include "barretenberg/plonk_honk_shared/execution_trace/execution_trace_usage_tracker.hpp"
#include "barretenberg/protogalaxy/protogalaxy_prover.hpp"
#include "barretenberg/protogalaxy/protogalaxy_verifier.hpp"
#include "barretenberg/stdlib/honk_verifier/decider_recursive_verifier.hpp"
#include "barretenberg/stdlib/primitives/databus/databus.hpp"
#include "barretenberg/ultra_honk/decider_keys.hpp"
#include "barretenberg/ultra_honk/decider_prover.hpp"
#include "barretenberg/ultra_honk/decider_verifier.hpp"
#include <algorithm>
namespace bb {
/**
* @brief The IVC scheme used by the aztec client for private function execution
* @details Combines Protogalaxy with Goblin to accumulate one circuit at a time with efficient EC group
* operations. It is assumed that the circuits being accumulated correspond alternatingly to an app and a kernel, as is
* the case in Aztec. Two recursive folding verifiers are appended to each kernel (except the first one) to verify the
* folding of a previous kernel and an app/function circuit. Due to this structure it is enforced that the total number
* of circuits being accumulated is even.
*
*/
class ClientIVC {
public:
using Flavor = MegaFlavor;
using VerificationKey = Flavor::VerificationKey;
using FF = Flavor::FF;
using FoldProof = std::vector<FF>;
using MergeProof = std::vector<FF>;
using DeciderProvingKey = DeciderProvingKey_<Flavor>;
using DeciderVerificationKey = DeciderVerificationKey_<Flavor>;
using ClientCircuit = MegaCircuitBuilder; // can only be Mega
using DeciderProver = DeciderProver_<Flavor>;
using DeciderVerifier = DeciderVerifier_<Flavor>;
using DeciderProvingKeys = DeciderProvingKeys_<Flavor>;
using FoldingProver = ProtogalaxyProver_<DeciderProvingKeys>;
using DeciderVerificationKeys = DeciderVerificationKeys_<Flavor>;
using FoldingVerifier = ProtogalaxyVerifier_<DeciderVerificationKeys>;
using ECCVMVerificationKey = bb::ECCVMFlavor::VerificationKey;
using TranslatorVerificationKey = bb::TranslatorFlavor::VerificationKey;
using MegaProver = UltraProver_<Flavor>;
using MegaVerifier = UltraVerifier_<Flavor>;
using RecursiveFlavor = MegaRecursiveFlavor_<bb::MegaCircuitBuilder>;
using RecursiveDeciderVerificationKeys =
bb::stdlib::recursion::honk::RecursiveDeciderVerificationKeys_<RecursiveFlavor, 2>;
using RecursiveDeciderVerificationKey = RecursiveDeciderVerificationKeys::DeciderVK;
using RecursiveVerificationKey = RecursiveFlavor::VerificationKey;
using FoldingRecursiveVerifier =
bb::stdlib::recursion::honk::ProtogalaxyRecursiveVerifier_<RecursiveDeciderVerificationKeys>;
using OinkRecursiveVerifier = stdlib::recursion::honk::OinkRecursiveVerifier_<RecursiveFlavor>;
using DeciderRecursiveVerifier = stdlib::recursion::honk::DeciderRecursiveVerifier_<RecursiveFlavor>;
using DataBusDepot = stdlib::DataBusDepot<ClientCircuit>;
/**
* @brief A full proof for the IVC scheme containing a Mega proof showing correctness of the hiding circuit (which
* recursive verified the last folding and decider proof) and a Goblin proof (translator VM, ECCVM and last merge
* proof).
*
* @details This proof will be zero-knowledge.
*/
struct Proof {
HonkProof mega_proof;
GoblinProof goblin_proof;
size_t size() const { return mega_proof.size() + goblin_proof.size(); }
MSGPACK_FIELDS(mega_proof, goblin_proof);
};
enum class QUEUE_TYPE { OINK, PG }; // for specifying type of proof in the verification queue
// An entry in the native verification queue
struct VerifierInputs {
std::vector<FF> proof; // oink or PG
std::shared_ptr<VerificationKey> honk_verification_key;
QUEUE_TYPE type;
};
using VerificationQueue = std::vector<VerifierInputs>;
// An entry in the stdlib verification queue
struct StdlibVerifierInputs {
StdlibProof<ClientCircuit> proof; // oink or PG
std::shared_ptr<RecursiveVerificationKey> honk_verification_key;
QUEUE_TYPE type;
};
using StdlibVerificationQueue = std::vector<StdlibVerifierInputs>;
// Utility for tracking the max size of each block across the full IVC
ExecutionTraceUsageTracker trace_usage_tracker;
private:
using ProverFoldOutput = FoldingResult<Flavor>;
public:
ProverFoldOutput fold_output; // prover accumulator and fold proof
std::shared_ptr<DeciderVerificationKey> verifier_accumulator; // verifier accumulator
std::shared_ptr<VerificationKey> honk_vk; // honk vk to be completed and folded into the accumulator
// Set of tuples {proof, verification_key, type} to be recursively verified
VerificationQueue verification_queue;
// Set of tuples {stdlib_proof, stdlib_verification_key, type} corresponding to the native verification queue
StdlibVerificationQueue stdlib_verification_queue;
// Set of merge proofs to be recursively verified
std::vector<MergeProof> merge_verification_queue;
// Management of linking databus commitments between circuits in the IVC
DataBusDepot bus_depot;
// Settings related to the use of fixed block sizes for each gate in the execution trace
TraceSettings trace_settings;
// TODO(https://github.com/AztecProtocol/barretenberg/issues/1101): eventually do away with this.
// Setting auto_verify_mode = true will cause kernel completion logic to be added to kernels automatically
bool auto_verify_mode;
std::shared_ptr<typename MegaFlavor::CommitmentKey> bn254_commitment_key;
GoblinProver goblin;
bool initialized = false; // Is the IVC accumulator initialized
ClientIVC(TraceSettings trace_settings = {}, bool auto_verify_mode = false)
: trace_settings(trace_settings)
, auto_verify_mode(auto_verify_mode)
, bn254_commitment_key(trace_settings.structure.has_value()
? std::make_shared<CommitmentKey<curve::BN254>>(trace_settings.dyadic_size())
: nullptr)
, goblin(bn254_commitment_key)
{}
void instantiate_stdlib_verification_queue(
ClientCircuit& circuit, const std::vector<std::shared_ptr<RecursiveVerificationKey>>& input_keys = {});
void perform_recursive_verification_and_databus_consistency_checks(
ClientCircuit& circuit,
const StdlibProof<ClientCircuit>& proof,
const std::shared_ptr<RecursiveVerificationKey>& vkey,
const QUEUE_TYPE type);
void process_recursive_merge_verification_queue(ClientCircuit& circuit);
// Complete the logic of a kernel circuit (e.g. PG/merge recursive verification, databus consistency checks)
void complete_kernel_circuit_logic(ClientCircuit& circuit);
/**
* @brief Perform prover work for accumulation (e.g. PG folding, merge proving)
*
* @param circuit The incoming statement
* @param precomputed_vk The verification key of the incoming statement OR a mocked key whose metadata needs to be
* set using the proving key produced from `circuit` in order to pass some assertions in the Oink prover.
* @param mock_vk A boolean to say whether the precomputed vk shoudl have its metadata set.
*/
void accumulate(ClientCircuit& circuit,
const std::shared_ptr<VerificationKey>& precomputed_vk = nullptr,
bool mock_vk = false);
Proof prove();
HonkProof construct_and_prove_hiding_circuit();
static bool verify(const Proof& proof,
const std::shared_ptr<VerificationKey>& mega_vk,
const std::shared_ptr<ClientIVC::ECCVMVerificationKey>& eccvm_vk,
const std::shared_ptr<ClientIVC::TranslatorVerificationKey>& translator_vk);
bool verify(const Proof& proof);
bool prove_and_verify();
HonkProof decider_prove() const;
std::vector<std::shared_ptr<VerificationKey>> precompute_folding_verification_keys(
std::vector<ClientCircuit> circuits);
};
} // namespace bb