feat: IPA accumulators setup for Rollup (#10040)

Creates a new flavor, UltraRollupFlavor, that handles IPA accumulators.
Currently unused in the rollup, but will be used there.

Adds IPA claim to builder, pk, vk, so that the verifier knows where to
look to extract the IPA claim from. Modifies the UltraRecursiveVerifier
to extract out the IPA claim from the public inputs and return it.

Also modifies native verifier to check the IPA claim and proof.

Author: lucasxia01

barretenberg/cpp/src/barretenberg/bb/main.cpp

@@ -590,7 +590,7 @@ void prove_tube(const std::string& output_path)
     }
     ClientIVC verifier{ builder, input };
 
-    verifier.verify(proof);
+    ClientIVC::Output client_ivc_rec_verifier_output = verifier.verify(proof);
 
     PairingPointAccumulatorIndices current_aggregation_object =
         stdlib::recursion::init_default_agg_obj_indices<Builder>(*builder);
@@ -599,6 +599,12 @@ void prove_tube(const std::string& output_path)
     // This is currently just setting the aggregation object to the default one.
     builder->add_pairing_point_accumulator(current_aggregation_object);
 
+    // The tube only calls an IPA recursive verifier once, so we can just add this IPA claim and proof
+    // TODO(https://github.com/AztecProtocol/barretenberg/issues/1154): We shouldn't add these to the public inputs for
+    // now since we don't handle them correctly. Uncomment when we start using UltraRollupHonk in the rollup.
+    // builder->add_ipa_claim(client_ivc_rec_verifier_output.opening_claim.get_witness_indices());
+    // builder->ipa_proof = convert_stdlib_proof_to_native(client_ivc_rec_verifier_output.ipa_transcript->proof_data);
+
     using Prover = UltraProver_<UltraFlavor>;
     using Verifier = UltraVerifier_<UltraFlavor>;
     Prover tube_prover{ *builder };
@@ -622,8 +628,9 @@ void prove_tube(const std::string& output_path)
     write_file(tubeAsFieldsVkPath, { data.begin(), data.end() });
 
     info("Native verification of the tube_proof");
-    Verifier tube_verifier(tube_verification_key);
-    bool verified = tube_verifier.verify_proof(tube_proof);
+    auto ipa_verification_key = std::make_shared<VerifierCommitmentKey<curve::Grumpkin>>(1 << CONST_ECCVM_LOG_N);
+    Verifier tube_verifier(tube_verification_key, ipa_verification_key);
+    bool verified = tube_verifier.verify_proof(tube_proof, builder->ipa_proof);
     info("Tube proof verification: ", verified);
 }
 
@@ -1066,7 +1073,7 @@ UltraProver_<Flavor> compute_valid_prover(const std::string& bytecodePath,
     using Prover = UltraProver_<Flavor>;
 
     bool honk_recursion = false;
-    if constexpr (IsAnyOf<Flavor, UltraFlavor, UltraKeccakFlavor>) {
+    if constexpr (IsAnyOf<Flavor, UltraFlavor, UltraKeccakFlavor, UltraRollupFlavor>) {
         honk_recursion = true;
     }
     auto constraint_system = get_constraint_system(bytecodePath, honk_recursion);
@@ -1132,14 +1139,22 @@ template <IsUltraFlavor Flavor> bool verify_honk(const std::string& proof_path,
 {
     using VerificationKey = Flavor::VerificationKey;
     using Verifier = UltraVerifier_<Flavor>;
-    using VerifierCommitmentKey = bb::VerifierCommitmentKey<curve::BN254>;
 
     auto g2_data = get_bn254_g2_data(CRS_PATH);
     srs::init_crs_factory({}, g2_data);
     auto proof = from_buffer<std::vector<bb::fr>>(read_file(proof_path));
     auto vk = std::make_shared<VerificationKey>(from_buffer<VerificationKey>(read_file(vk_path)));
-    vk->pcs_verification_key = std::make_shared<VerifierCommitmentKey>();
-    Verifier verifier{ vk };
+    vk->pcs_verification_key = std::make_shared<VerifierCommitmentKey<curve::BN254>>();
+
+    // TODO(https://github.com/AztecProtocol/barretenberg/issues/1154): Remove this and pass in the IPA proof to the
+    // verifier.
+    std::shared_ptr<VerifierCommitmentKey<curve::Grumpkin>> ipa_verification_key = nullptr;
+    if constexpr (HasIPAAccumulatorFlavor<Flavor>) {
+        init_grumpkin_crs(1 << 16);
+        vk->contains_ipa_claim = false;
+        ipa_verification_key = std::make_shared<VerifierCommitmentKey<curve::Grumpkin>>(1 << CONST_ECCVM_LOG_N);
+    }
+    Verifier verifier{ vk, ipa_verification_key };
 
     bool verified = verifier.verify_proof(proof);
 

barretenberg/cpp/src/barretenberg/client_ivc/client_ivc.cpp

@@ -25,7 +25,7 @@ void ClientIVC::instantiate_stdlib_verification_queue(
     size_t key_idx = 0;
     for (auto& [proof, vkey, type] : verification_queue) {
         // Construct stdlib proof directly from the internal native queue data
-        auto stdlib_proof = bb::convert_proof_to_witness(&circuit, proof);
+        auto stdlib_proof = bb::convert_native_proof_to_stdlib(&circuit, proof);
 
         // Use the provided stdlib vkey if present, otherwise construct one from the internal native queue
         auto stdlib_vkey =
@@ -261,7 +261,7 @@ HonkProof ClientIVC::construct_and_prove_hiding_circuit()
     auto stdlib_decider_vk =
         std::make_shared<RecursiveVerificationKey>(&builder, verification_queue[0].honk_verification_key);
 
-    auto stdlib_proof = bb::convert_proof_to_witness(&builder, fold_proof);
+    auto stdlib_proof = bb::convert_native_proof_to_stdlib(&builder, fold_proof);
 
     // Perform recursive folding verification of the last folding proof
     FoldingRecursiveVerifier folding_verifier{ &builder, stdlib_verifier_accumulator, { stdlib_decider_vk } };

barretenberg/cpp/src/barretenberg/commitment_schemes/claim.hpp

@@ -1,7 +1,9 @@
 #pragma once
 
 #include "barretenberg/commitment_schemes/commitment_key.hpp"
+#include "barretenberg/plonk_honk_shared/types/aggregation_object_type.hpp"
 #include "barretenberg/polynomials/polynomial.hpp"
+#include "barretenberg/stdlib/primitives/curves/grumpkin.hpp"
 
 namespace bb {
 /**
@@ -51,6 +53,32 @@ template <typename Curve> class OpeningClaim {
     // commitment to univariate polynomial p(X)
     Commitment commitment;
 
+    IPAClaimIndices get_witness_indices() const
+        requires(std::is_same_v<Curve, stdlib::grumpkin<UltraCircuitBuilder>>)
+    {
+        return { opening_pair.challenge.binary_basis_limbs[0].element.normalize().witness_index,
+                 opening_pair.challenge.binary_basis_limbs[1].element.normalize().witness_index,
+                 opening_pair.challenge.binary_basis_limbs[2].element.normalize().witness_index,
+                 opening_pair.challenge.binary_basis_limbs[3].element.normalize().witness_index,
+                 // TODO(https://github.com/AztecProtocol/barretenberg/issues/1153): Uncomment this when we turn the
+                 // eval into witnesses.
+                 //  opening_pair.evaluation.binary_basis_limbs[0].element.normalize().witness_index,
+                 //  opening_pair.evaluation.binary_basis_limbs[1].element.normalize().witness_index,
+                 //  opening_pair.evaluation.binary_basis_limbs[2].element.normalize().witness_index,
+                 //  opening_pair.evaluation.binary_basis_limbs[3].element.normalize().witness_index,
+                 commitment.x.normalize().witness_index, // no idea if we need these normalize() calls...
+                 commitment.y.normalize().witness_index };
+    }
+
+    auto get_native_opening_claim() const
+        requires(Curve::is_stdlib_type)
+    {
+        return OpeningClaim<typename Curve::NativeCurve>{
+            { static_cast<typename Curve::NativeCurve::ScalarField>(opening_pair.challenge.get_value()),
+              static_cast<typename Curve::NativeCurve::ScalarField>(opening_pair.evaluation.get_value()) },
+            commitment.get_value()
+        };
+    }
     /**
      * @brief inefficiently check that the claim is correct by recomputing the commitment
      * and evaluating the polynomial in r.

barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.hpp

@@ -749,20 +749,21 @@ template <typename Curve_> class IPA {
     }
 
     /**
-     * @brief Takes two IPA claims and accumulates them into 1 IPA claim.
-     * @details We create an IPA accumulator by running the IPA recursive verifier on each claim. Then, we generate challenges, and use these challenges to compute the new accumulator. We also create the accumulated polynomial. 
+     * @brief Takes two IPA claims and accumulates them into 1 IPA claim. Also computes IPA proof for the claim.
+     * @details We create an IPA accumulator by running the IPA recursive verifier on each claim. Then, we generate challenges, and use these challenges to compute the new accumulator. We also create the accumulated polynomial, and generate the IPA proof for the accumulated claim.
      * More details are described here: https://hackmd.io/IXoLIPhVT_ej8yhZ_Ehvuw?both.
      * 
      * @param verifier_ck 
      * @param transcript_1 
      * @param claim_1 
      * @param transcript_2 
      * @param claim_2 
-     * @return std::pair<OpeningClaim<Curve>, Polynomial<bb::fq>> 
+     * @return std::pair<OpeningClaim<Curve>, HonkProof> 
      */
-    static std::pair<OpeningClaim<Curve>, Polynomial<bb::fq>> accumulate(auto& transcript_1, OpeningClaim<Curve> claim_1, auto& transcript_2, OpeningClaim<Curve> claim_2)
+    static std::pair<OpeningClaim<Curve>, HonkProof> accumulate(const std::shared_ptr<CommitmentKey<curve::Grumpkin>>& ck, auto& transcript_1, OpeningClaim<Curve> claim_1, auto& transcript_2, OpeningClaim<Curve> claim_2)
     requires Curve::is_stdlib_type
     {
+        using NativeCurve = curve::Grumpkin;
         using Builder = typename Curve::Builder;
         // Step 1: Run the verifier for each IPA instance
         VerifierAccumulator pair_1 = reduce_verify(claim_1, transcript_1);
@@ -793,7 +794,23 @@ template <typename Curve_> class IPA {
         for (Fr u_inv_i : pair_2.u_challenges_inv) {
             native_u_challenges_inv_2.push_back(bb::fq(u_inv_i.get_value()));
         }
-        return {output_claim, create_challenge_poly(uint32_t(pair_1.log_poly_length.get_value()), native_u_challenges_inv_1, uint32_t(pair_2.log_poly_length.get_value()), native_u_challenges_inv_2, fq(alpha.get_value()))};
+        
+        // Compute proof for the claim
+        auto prover_transcript = std::make_shared<NativeTranscript>();
+        const OpeningPair<NativeCurve> opening_pair{ bb::fq(output_claim.opening_pair.challenge.get_value()),
+                                                     bb::fq(output_claim.opening_pair.evaluation.get_value()) };
+        Polynomial<fq> challenge_poly = create_challenge_poly(uint32_t(pair_1.log_poly_length.get_value()), native_u_challenges_inv_1, uint32_t(pair_2.log_poly_length.get_value()), native_u_challenges_inv_2, fq(alpha.get_value()));
+
+        ASSERT(challenge_poly.evaluate(opening_pair.challenge) == opening_pair.evaluation && "Opening claim does not hold for challenge polynomial.");
+
+        IPA<NativeCurve>::compute_opening_proof(ck, { challenge_poly, opening_pair }, prover_transcript);
+
+        // Since we know this circuit will not have any more IPA claims to accumulate, add IPA Claim to public inputs of circuit and add the proof to the builder.
+        Builder* builder = r.get_context();
+        builder->add_ipa_claim(output_claim.get_witness_indices());
+        builder->ipa_proof = prover_transcript->proof_data;
+
+        return {output_claim, prover_transcript->proof_data};
     }
 };
 

barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/ipa_recursive.test.cpp

@@ -56,8 +56,8 @@ class IPARecursiveTests : public CommitmentTest<NativeCurve> {
         OpeningClaim<Curve> stdlib_opening_claim{ { stdlib_x, stdlib_eval }, stdlib_comm };
 
         // Construct stdlib verifier transcript
-        auto recursive_verifier_transcript =
-            std::make_shared<StdlibTranscript>(bb::convert_proof_to_witness(&builder, prover_transcript->proof_data));
+        auto recursive_verifier_transcript = std::make_shared<StdlibTranscript>(
+            bb::convert_native_proof_to_stdlib(&builder, prover_transcript->proof_data));
         return { recursive_verifier_transcript, stdlib_opening_claim };
     }
 
@@ -158,25 +158,21 @@ class IPARecursiveTests : public CommitmentTest<NativeCurve> {
 
         // Creates two IPA accumulators and accumulators from the two claims. Also constructs the accumulated h
         // polynomial.
-        auto [output_claim, challenge_poly] = RecursiveIPA::accumulate(transcript_1, claim_1, transcript_2, claim_2);
+        auto [output_claim, ipa_proof] =
+            RecursiveIPA::accumulate(this->ck(), transcript_1, claim_1, transcript_2, claim_2);
         builder.finalize_circuit(/*ensure_nonzero=*/false);
         info("Circuit with 2 IPA Recursive Verifiers and IPA Accumulation num finalized gates = ",
              builder.get_num_finalized_gates());
 
         EXPECT_TRUE(CircuitChecker::check(builder));
 
-        // Run the IPA prover on this new accumulated claim.
-        auto prover_transcript = std::make_shared<NativeTranscript>();
         const OpeningPair<NativeCurve> opening_pair{ bb::fq(output_claim.opening_pair.challenge.get_value()),
                                                      bb::fq(output_claim.opening_pair.evaluation.get_value()) };
         Commitment native_comm = output_claim.commitment.get_value();
         const OpeningClaim<NativeCurve> opening_claim{ opening_pair, native_comm };
 
-        NativeIPA::compute_opening_proof(this->ck(), { challenge_poly, opening_pair }, prover_transcript);
-
-        EXPECT_EQ(challenge_poly.evaluate(opening_pair.challenge), opening_pair.evaluation);
         // Natively verify this proof to check it.
-        auto verifier_transcript = std::make_shared<NativeTranscript>(prover_transcript->proof_data);
+        auto verifier_transcript = std::make_shared<NativeTranscript>(ipa_proof);
 
         auto result = NativeIPA::reduce_verify(this->vk(), opening_claim, verifier_transcript);
         EXPECT_TRUE(result);

barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp

@@ -88,7 +88,7 @@ TEST(ShpleminiRecursionTest, ProveAndVerifySingle)
             N, RefVector(f_polynomials), RefVector(g_polynomials), u_challenge, commitment_key, prover_transcript);
         KZG<NativeCurve>::compute_opening_proof(commitment_key, prover_opening_claims, prover_transcript);
         Builder builder;
-        StdlibProof<Builder> stdlib_proof = bb::convert_proof_to_witness(&builder, prover_transcript->proof_data);
+        StdlibProof<Builder> stdlib_proof = bb::convert_native_proof_to_stdlib(&builder, prover_transcript->proof_data);
         auto stdlib_verifier_transcript = std::make_shared<Transcript>(stdlib_proof);
         stdlib_verifier_transcript->template receive_from_prover<Fr>("Init");
 

barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/zeromorph.test.cpp

@@ -95,7 +95,7 @@ TEST(ZeroMorphRecursionTest, ProveAndVerifySingle)
                            prover_transcript);
 
     Builder builder;
-    StdlibProof<Builder> stdlib_proof = bb::convert_proof_to_witness(&builder, prover_transcript->proof_data);
+    StdlibProof<Builder> stdlib_proof = bb::convert_native_proof_to_stdlib(&builder, prover_transcript->proof_data);
     auto stdlib_verifier_transcript = std::make_shared<Transcript>(stdlib_proof);
     [[maybe_unused]] auto _ = stdlib_verifier_transcript->template receive_from_prover<Fr>("Init");
 

barretenberg/cpp/src/barretenberg/dsl/acir_format/acir_format.cpp

@@ -299,7 +299,7 @@ void process_plonk_recursion_constraints(Builder& builder,
         // they want these constants set by keeping the nested aggregation object attached to
         // the proof as public inputs. As this is the only object that can prepended to the
         // proof if the proof is above the expected size (with public inputs stripped)
-        PairingPointAccumPubInputIndices nested_aggregation_object = {};
+        PairingPointAccumulatorPubInputIndices nested_aggregation_object = {};
         // If the proof has public inputs attached to it, we should handle setting the nested
         // aggregation object
         if (constraint.proof.size() > proof_size_no_pub_inputs) {
@@ -343,16 +343,9 @@ void process_plonk_recursion_constraints(Builder& builder,
     // inputs.
     if (!constraint_system.recursion_constraints.empty()) {
 
-        // First add the output aggregation object as public inputs
-        // Set the indices as public inputs because they are no longer being
-        // created in ACIR
-        for (const auto& idx : current_output_aggregation_object) {
-            builder.set_public_input(idx);
-        }
-
         // Make sure the verification key records the public input indices of the
         // final recursion output.
-        builder.set_pairing_point_accumulator(current_output_aggregation_object);
+        builder.add_pairing_point_accumulator(current_output_aggregation_object);
     }
 }
 

barretenberg/cpp/src/barretenberg/examples/join_split/join_split.test.cpp

@@ -33,8 +33,8 @@ using namespace bb::join_split_example::proofs::notes::native;
 using key_pair = join_split_example::fixtures::grumpkin_key_pair;
 
 auto create_account_leaf_data(fr const& account_alias_hash,
-                              grumpkin::g1::affine_element const& owner_key,
-                              grumpkin::g1::affine_element const& signing_key)
+                              bb::grumpkin::g1::affine_element const& owner_key,
+                              bb::grumpkin::g1::affine_element const& signing_key)
 {
     return notes::native::account::account_note{ account_alias_hash, owner_key, signing_key }.commit();
 }
@@ -869,7 +869,7 @@ TEST_P(test_allow_chain_to_other_users_fail, )
 {
     join_split_tx tx = simple_setup();
     tx.allow_chain = GetParam();
-    tx.output_note[tx.allow_chain - 1].owner = grumpkin::g1::element::random_element(); // i.e. not owned by self.
+    tx.output_note[tx.allow_chain - 1].owner = bb::grumpkin::g1::element::random_element(); // i.e. not owned by self.
     auto result = sign_and_verify_logic(tx, user.owner);
     EXPECT_FALSE(result.valid);
     EXPECT_EQ(result.err, "inter-user chaining disallowed");
@@ -1028,7 +1028,7 @@ TEST_F(join_split_tests, test_total_output_value_larger_than_total_input_value_f
 TEST_F(join_split_tests, test_different_input_note_owners_fails)
 {
     join_split_tx tx = simple_setup({ 1, 2 });
-    tx.input_note[0].owner = grumpkin::g1::affine_element::hash_to_curve({ 1 });
+    tx.input_note[0].owner = bb::grumpkin::g1::affine_element::hash_to_curve({ 1 });
 
     auto result = sign_and_verify_logic(tx, user.owner);
     EXPECT_FALSE(result.valid);
@@ -1073,7 +1073,7 @@ TEST_F(join_split_tests, test_different_note_account_required_vs_account_require
 TEST_F(join_split_tests, test_wrong_input_note_owner_fails)
 {
     join_split_tx tx = simple_setup();
-    tx.input_note[0].owner = grumpkin::g1::element::random_element();
+    tx.input_note[0].owner = bb::grumpkin::g1::element::random_element();
     tx.input_note[1].owner = tx.input_note[0].owner;
 
     auto result = sign_and_verify_logic(tx, user.owner);
@@ -1084,8 +1084,8 @@ TEST_F(join_split_tests, test_wrong_input_note_owner_fails)
 TEST_F(join_split_tests, test_random_output_note_owners)
 {
     join_split_tx tx = simple_setup();
-    tx.output_note[0].owner = grumpkin::g1::element::random_element();
-    tx.output_note[1].owner = grumpkin::g1::element::random_element();
+    tx.output_note[0].owner = bb::grumpkin::g1::element::random_element();
+    tx.output_note[1].owner = bb::grumpkin::g1::element::random_element();
 
     EXPECT_TRUE(sign_and_verify_logic(tx, user.owner).valid);
 }
@@ -1097,7 +1097,7 @@ TEST_F(join_split_tests, test_random_output_note_owners)
 TEST_F(join_split_tests, test_wrong_account_private_key_fails)
 {
     join_split_tx tx = simple_setup();
-    tx.account_private_key = grumpkin::fr::random_element();
+    tx.account_private_key = bb::grumpkin::fr::random_element();
 
     auto result = sign_and_verify_logic(tx, user.owner);
     EXPECT_FALSE(result.valid);