Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
translator_verifier.cpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: Complete, auditors: [Sergei], commit: }
3// external_1: { status: not started, auditors: [], commit: }
4// external_2: { status: not started, auditors: [], commit: }
5// =====================
6
7#include "./translator_verifier.hpp"
8#include "barretenberg/commitment_schemes/shplonk/shplemini.hpp"
9#include "barretenberg/relations/translator_vm/translator_decomposition_relation_impl.hpp"
10#include "barretenberg/relations/translator_vm/translator_delta_range_constraint_relation_impl.hpp"
11#include "barretenberg/relations/translator_vm/translator_extra_relations_impl.hpp"
12#include "barretenberg/relations/translator_vm/translator_non_native_field_relation_impl.hpp"
13#include "barretenberg/relations/translator_vm/translator_permutation_relation_impl.hpp"
14#include "barretenberg/sumcheck/sumcheck.hpp"
15#include "barretenberg/transcript/origin_tag.hpp"
16#include "barretenberg/transcript/transcript.hpp"
17
18namespace bb {
19
20namespace {
21// Native helper: slice uint256_t values into limbs
22template <typename Flavor>
23void put_translation_data_in_relation_parameters_impl(RelationParameters<typename Flavor::FF>& relation_parameters,
24 const uint256_t& evaluation_input_x,
25 const typename Flavor::BF& batching_challenge_v,
26 const uint256_t& accumulated_result)
27 requires(!Flavor::Curve::is_stdlib_type)
28{
29 using FF = typename Flavor::FF;
30 using BF = typename Flavor::BF;
31
32 const auto compute_four_limbs = [](const auto& in) {
33 constexpr size_t NUM_LIMB_BITS = Flavor::NUM_LIMB_BITS;
34 return std::array<FF, 4>{ in.slice(0, NUM_LIMB_BITS),
35 in.slice(NUM_LIMB_BITS, NUM_LIMB_BITS * 2),
36 in.slice(NUM_LIMB_BITS * 2, NUM_LIMB_BITS * 3),
37 in.slice(NUM_LIMB_BITS * 3, NUM_LIMB_BITS * 4) };
38 };
39
40 const auto compute_five_limbs = [](const auto& in) {
41 constexpr size_t NUM_LIMB_BITS = Flavor::NUM_LIMB_BITS;
42 return std::array<FF, 5>{ in.slice(0, NUM_LIMB_BITS),
43 in.slice(NUM_LIMB_BITS, NUM_LIMB_BITS * 2),
44 in.slice(NUM_LIMB_BITS * 2, NUM_LIMB_BITS * 3),
45 in.slice(NUM_LIMB_BITS * 3, NUM_LIMB_BITS * 4),
46 in };
47 };
48
49 relation_parameters.evaluation_input_x = compute_five_limbs(evaluation_input_x);
50
51 uint256_t batching_challenge_v_power{ batching_challenge_v };
52 for (size_t i = 0; i < 4; i++) {
53 relation_parameters.batching_challenge_v[i] = compute_five_limbs(batching_challenge_v_power);
54 batching_challenge_v_power = BF(batching_challenge_v_power) * batching_challenge_v;
55 }
56
57 relation_parameters.accumulated_result = compute_four_limbs(accumulated_result);
58}
59
60// Recursive helper: extract limbs from bigfield elements
61template <typename Flavor>
62void put_translation_data_in_relation_parameters_impl(RelationParameters<typename Flavor::FF>& relation_parameters,
63 const typename Flavor::BF& evaluation_input_x,
64 const typename Flavor::BF& batching_challenge_v,
65 const typename Flavor::BF& accumulated_result)
66 requires(Flavor::Curve::is_stdlib_type)
67{
68 using FF = typename Flavor::FF;
69 using BF = typename Flavor::BF;
70
71 const auto compute_four_limbs = [](const BF& in) {
72 auto result = std::array<FF, 4>{ FF(in.binary_basis_limbs[0].element),
73 FF(in.binary_basis_limbs[1].element),
74 FF(in.binary_basis_limbs[2].element),
75 FF(in.binary_basis_limbs[3].element) };
76 // Ensure extracted limbs are witnesses, not constants
77 for (const auto& limb : result) {
78 BB_ASSERT(!limb.is_constant());
79 }
80 return result;
81 };
82
83 const auto compute_five_limbs = [](const BF& in) {
84 auto result = std::array<FF, 5>{ FF(in.binary_basis_limbs[0].element),
85 FF(in.binary_basis_limbs[1].element),
86 FF(in.binary_basis_limbs[2].element),
87 FF(in.binary_basis_limbs[3].element),
88 FF(in.prime_basis_limb) };
89 // Ensure extracted limbs are witnesses, not constants
90 for (const auto& limb : result) {
91 BB_ASSERT(!limb.is_constant());
92 }
93 return result;
94 };
95
96 relation_parameters.evaluation_input_x = compute_five_limbs(evaluation_input_x);
97
98 BF batching_challenge_v_power = batching_challenge_v;
99 for (size_t i = 0; i < 4; i++) {
100 relation_parameters.batching_challenge_v[i] = compute_five_limbs(batching_challenge_v_power);
101 batching_challenge_v_power = batching_challenge_v_power * batching_challenge_v;
102 }
103
104 relation_parameters.accumulated_result = compute_four_limbs(accumulated_result);
105
106 // OriginTag false positive: The accumulated_result limbs originate from ECCVM verifier (different protocol phase)
107 // and are used directly in Translator relations. The fact that these values do not interact
108 // with any other value from the Translator circuit would trigger the round provenance mechanism if we didn't clear
109 // the round provenance. This cross-protocol usage is sound because:
110 // 1. ECCVM proves correctness of translation evaluations via its own sumcheck + IPA
111 // 2. ECCVM computes accumulated_result = (op + v·Px + v²·Py + v³·z1 + v⁴·z2 - masking) / x
112 // 3. Translator re-computes the same accumulator non-natively in its circuit
113 // 4. TranslatorAccumulatorTransferRelationImpl enforces exact equality at the final row:
114 // accumulators_binary_limbs_i == accumulated_result[i] for i ∈ {0,1,2,3}
115 // This binds the two protocols - Translator output must match ECCVM claim.
116 for (auto& limb : relation_parameters.accumulated_result) {
117 limb.clear_round_provenance();
118 }
119}
120} // namespace
121
122template <typename Flavor> void TranslatorVerifier_<Flavor>::put_translation_data_in_relation_parameters()
123{
124 put_translation_data_in_relation_parameters_impl<Flavor>(
125 relation_parameters, evaluation_input_x, batching_challenge_v, accumulated_result);
126}
127
133template <typename Flavor>
134typename TranslatorVerifier_<Flavor>::ReductionResult TranslatorVerifier_<Flavor>::reduce_to_pairing_check()
135{
136 using PCS = typename Flavor::PCS;
137 using Shplemini = ShpleminiVerifier_<Curve, Flavor::HasZK>;
138 using ClaimBatcher = ClaimBatcher_<Curve>;
139 using ClaimBatch = typename ClaimBatcher::Batch;
140 using Sumcheck = SumcheckVerifier<Flavor>;
141
142 transcript->load_proof(proof);
143
144 // Fiat-Shamir the vk hash
145 transcript->add_to_hash_buffer("vk_hash", vk_hash);
146 vinfo("Translator vk hash in verifier: ", vk_hash);
147
148 VerifierCommitments commitments{ key };
149 CommitmentLabels commitment_labels;
150
151 // For recursive verification, mark the accumulated result's prime basis limb as used
152 // (it can be recovered from binary basis limbs, so no need to constrain it further)
153 if constexpr (IsRecursive) {
154 mark_witness_as_used(accumulated_result.prime_basis_limb);
155 }
156
157 // Use accumulated_result from ECCVM verifier
158 put_translation_data_in_relation_parameters();
159
160 // Receive Gemini masking polynomial commitment (for ZK-PCS)
161 commitments.gemini_masking_poly = transcript->template receive_from_prover<Commitment>("Gemini:masking_poly_comm");
162
163 // Set op queue wire commitments (provided by merge protocol, not from translator proof)
164 commitments.op = op_queue_wire_commitments[0];
165 commitments.x_lo_y_hi = op_queue_wire_commitments[1];
166 commitments.x_hi_z_1 = op_queue_wire_commitments[2];
167 commitments.y_lo_z_2 = op_queue_wire_commitments[3];
168
169 // Receive commitments to non-op-queue wires and ordered range constraints
170 for (auto [comm, label] : zip_view(commitments.get_non_opqueue_wires_and_ordered_range_constraints(),
171 commitment_labels.get_non_opqueue_wires_and_ordered_range_constraints())) {
172 comm = transcript->template receive_from_prover<Commitment>(label);
173 }
174
175 // Get permutation challenges
176 FF beta = transcript->template get_challenge<FF>("beta");
177 FF gamma = transcript->template get_challenge<FF>("gamma");
178
179 relation_parameters.beta = beta;
180 relation_parameters.gamma = gamma;
181
182 // Get commitment to permutation and lookup grand products
183 commitments.z_perm = transcript->template receive_from_prover<Commitment>(commitment_labels.z_perm);
184
185 // Each linearly independent subrelation contribution is multiplied by `alpha^i`, where
186 // i = 0, ..., NUM_SUBRELATIONS- 1.
187 const FF alpha = transcript->template get_challenge<FF>("Sumcheck:alpha");
188
189 // Execute Sumcheck Verifier
190 Sumcheck sumcheck(transcript, alpha, TranslatorFlavor::CONST_TRANSLATOR_LOG_N);
191
192 std::vector<FF> gate_challenges(TranslatorFlavor::CONST_TRANSLATOR_LOG_N);
193 for (size_t idx = 0; idx < gate_challenges.size(); idx++) {
194 gate_challenges[idx] = transcript->template get_challenge<FF>("Sumcheck:gate_challenge_" + std::to_string(idx));
195 }
196
197 // Receive commitments to Libra masking polynomials
198 std::array<Commitment, NUM_LIBRA_COMMITMENTS> libra_commitments = {};
199 libra_commitments[0] = transcript->template receive_from_prover<Commitment>("Libra:concatenation_commitment");
200
201 // Create padding indicator array
202 std::vector<FF> padding_indicator_array(TranslatorFlavor::CONST_TRANSLATOR_LOG_N, FF(1));
203
204 auto sumcheck_output = sumcheck.verify(relation_parameters, gate_challenges, padding_indicator_array);
205
206 libra_commitments[1] = transcript->template receive_from_prover<Commitment>("Libra:grand_sum_commitment");
207 libra_commitments[2] = transcript->template receive_from_prover<Commitment>("Libra:quotient_commitment");
208
209 // Unshifted concat evals are reconstructed inside sumcheck (via complete_full_circuit_evaluations).
210 // Here we only need the shifted concat evals for PCS, which are not stored in AllEntities.
211 auto& claimed = sumcheck_output.claimed_evaluations;
212 auto concat_shift_evals = TranslatorFlavor::reconstruct_concatenated_evaluations(
213 claimed.get_groups_to_be_concatenated_shifted(), std::span<const FF>(sumcheck_output.challenge));
214
215 // --- PCS: build opening claims and verify ---
216 auto combined_unshifted_comms = commitments.get_pcs_unshifted();
217 auto combined_unshifted_evals = claimed.get_pcs_unshifted();
218
219 // For shifted: commitments use the getter, but evals must be assembled manually since
220 // the reconstructed shifted concat evals live in a local array, not in AllEntities.
221 auto combined_shifted_comms = commitments.get_pcs_to_be_shifted();
222 RefVector<FF> combined_shifted_evals(claimed.get_pcs_shifted());
223 for (auto& eval : concat_shift_evals) {
224 combined_shifted_evals.push_back(eval);
225 }
226
227 BB_ASSERT_EQ(combined_unshifted_comms.size(), TranslatorFlavor::NUM_PCS_UNSHIFTED);
228 BB_ASSERT_EQ(combined_unshifted_evals.size(), TranslatorFlavor::NUM_PCS_UNSHIFTED);
229 BB_ASSERT_EQ(combined_shifted_comms.size(), TranslatorFlavor::NUM_PCS_TO_BE_SHIFTED);
230 BB_ASSERT_EQ(combined_shifted_evals.size(), TranslatorFlavor::NUM_PCS_TO_BE_SHIFTED);
231
232 ClaimBatcher claim_batcher{ .unshifted = ClaimBatch{ combined_unshifted_comms, combined_unshifted_evals },
233 .shifted = ClaimBatch{ combined_shifted_comms, combined_shifted_evals } };
234
235 Commitment commitment_one;
236 if constexpr (IsRecursive) {
237 commitment_one = Commitment::one(builder);
238 } else {
239 commitment_one = Commitment::one();
240 }
241
242 auto [opening_claim, consistency_checked] =
243 Shplemini::compute_batch_opening_claim(padding_indicator_array,
244 claim_batcher,
245 sumcheck_output.challenge,
246 commitment_one,
247 transcript,
248 Flavor::REPEATED_COMMITMENTS,
249 libra_commitments,
250 sumcheck_output.claimed_libra_evaluation);
251
252 auto pairing_points = PCS::reduce_verify_batch_opening_claim(std::move(opening_claim), transcript);
253
254 vinfo("Translator Verifier: sumcheck verified: ", sumcheck_output.verified);
255 vinfo("Translator Verifier: consistency checked: ", consistency_checked);
256
257 return { pairing_points, sumcheck_output.verified && consistency_checked };
258}
259
260// Explicit instantiations
261template class TranslatorVerifier_<TranslatorFlavor>;
262template class TranslatorVerifier_<TranslatorRecursiveFlavor>;
263
264} // namespace bb
BB_ASSERT
#define BB_ASSERT(expression,...)
Definition assert.hpp:70
BB_ASSERT_EQ
#define BB_ASSERT_EQ(actual, expected,...)
Definition assert.hpp:83
FF
bb::field< bb::Bn254FrParams > FF
Definition field.cpp:24
bb::ECCVMFlavor::FF
typename Curve::ScalarField FF
Definition eccvm_flavor.hpp:43
bb::ECCVMFlavor::BF
typename Curve::BaseField BF
Definition eccvm_flavor.hpp:44
bb::ECCVMFlavor::REPEATED_COMMITMENTS
static constexpr RepeatedCommitmentsData REPEATED_COMMITMENTS
Definition eccvm_flavor.hpp:90
bb::IPA
IPA (inner product argument) commitment scheme class.
Definition ipa.hpp:85
bb::RefVector
A template class for a reference vector. Behaves as if std::vector<T&> was possible.
Definition ref_vector.hpp:24
bb::RefVector::size
std::size_t size() const
Definition ref_vector.hpp:109
bb::RefVector::push_back
void push_back(T &element)
Definition ref_vector.hpp:111
bb::ShpleminiVerifier_
Definition shplemini.hpp:175
bb::SumcheckVerifier
Implementation of the sumcheck Verifier for statements of the form for multilinear polynomials .
Definition sumcheck.hpp:747
bb::TranslatorFlavor::NUM_PCS_UNSHIFTED
static constexpr size_t NUM_PCS_UNSHIFTED
Definition translator_flavor.hpp:728
bb::TranslatorFlavor::CONST_TRANSLATOR_LOG_N
static constexpr size_t CONST_TRANSLATOR_LOG_N
Definition translator_flavor.hpp:75
bb::TranslatorFlavor::reconstruct_concatenated_evaluations
static std::array< FFType, NUM_CONCATENATED_POLYS > reconstruct_concatenated_evaluations(const std::vector< RefVector< FFType > > &groups, std::span< const FFType > challenge)
Reconstruct concatenated polynomial evaluations from individual wire evaluations using the Lagrange b...
Definition translator_flavor.hpp:925
bb::TranslatorFlavor::NUM_PCS_TO_BE_SHIFTED
static constexpr size_t NUM_PCS_TO_BE_SHIFTED
Definition translator_flavor.hpp:731
bb::TranslatorVerifier_
Translator verifier class that verifies the proof of the Translator circuit.
Definition translator_verifier.hpp:23
bb::TranslatorVerifier_::reduce_to_pairing_check
ReductionResult reduce_to_pairing_check()
Reduce the translator proof to a pairing check.
Definition translator_verifier.cpp:134
bb::TranslatorVerifier_::put_translation_data_in_relation_parameters
void put_translation_data_in_relation_parameters()
Populate relation parameters with translation data from ECCVM verifier.
Definition translator_verifier.cpp:122
bb::TranslatorVerifier_::VerifierCommitments
typename Flavor::VerifierCommitments VerifierCommitments
Definition translator_verifier.hpp:30
bb::TranslatorVerifier_::FF
typename Flavor::FF FF
Definition translator_verifier.hpp:25
bb::TranslatorVerifier_::CommitmentLabels
typename Flavor::CommitmentLabels CommitmentLabels
Definition translator_verifier.hpp:31
bb::TranslatorVerifier_::Commitment
typename Flavor::Commitment Commitment
Definition translator_verifier.hpp:28
bb::numeric::uint256_t
Definition uint256.hpp:32
zip_view
Definition zip_view.hpp:166
vinfo
#define vinfo(...)
Definition log.hpp:94
builder
AluTraceBuilder builder
Definition alu.test.cpp:124
key
FF key
Definition indexed_memory_tree.test.cpp:18
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
std::to_string
std::string to_string(bb::avm2::ValueTag tag)
Definition tagged_value.cpp:402
origin_tag.hpp
This file contains part of the logic for the Origin Tag mechanism that tracks the use of in-circuit p...
bb::ClaimBatcher_
Logic to support batching opening claims for unshifted and shifted polynomials in Shplemini.
Definition claim_batcher.hpp:26
bb::TranslatorVerifier_::ReductionResult
Result of reducing translator proof to pairing check.
Definition translator_verifier.hpp:50
translator_decomposition_relation_impl.hpp
translator_delta_range_constraint_relation_impl.hpp
translator_extra_relations_impl.hpp
translator_non_native_field_relation_impl.hpp
translator_permutation_relation_impl.hpp
translator_verifier.hpp