29 return static_cast<size_t>(Flavor::VIRTUAL_LOG_N);
32 return static_cast<size_t>(verifier_instance->get_vk()->log_circuit_size);
43template <
typename Flavor,
class IO>
49 std::vector<FF> padding_indicator_array(log_n,
FF{ 1 });
51 auto vk_ptr = verifier_instance->get_vk();
52 if constexpr (IsRecursive) {
55 padding_indicator_array =
56 stdlib::compute_padding_indicator_array<Curve, Flavor::VIRTUAL_LOG_N>(vk_ptr->log_circuit_size);
59 const size_t log_circuit_size =
static_cast<size_t>(vk_ptr->log_circuit_size);
60 for (
size_t idx = 0; idx < log_n; idx++) {
61 padding_indicator_array[idx] = (idx < log_circuit_size) ?
FF{ 1 } :
FF{ 0 };
66 return padding_indicator_array;
85template <
typename Flavor,
class IO>
88 IO>::split_rollup_proof(
const Proof& combined_proof)
const
94 "Combined rollup proof is too small to contain IPA proof. Expected at least " +
98 const auto honk_proof_length =
static_cast<std::ptrdiff_t>(combined_proof.size() - IPA_PROOF_LENGTH);
100 Proof honk_proof(combined_proof.begin(), combined_proof.begin() + honk_proof_length);
101 Proof ipa_proof(combined_proof.begin() + honk_proof_length, combined_proof.end());
109template <
typename Flavor,
class IO>
114 ipa_transcript->load_proof(ipa_proof);
116 vinfo(
"UltraVerifier: IPA check: ", ipa_verified ?
"true" :
"false");
119 info(
"UltraVerifier: verification failed at IPA check");
130template <
typename Flavor,
class IO>
136 using ClaimBatch = ClaimBatcher::Batch;
138 transcript->load_proof(proof);
141 const size_t log_n = compute_log_n();
147 "Proof size too small. Got " +
std::to_string(proof.size()) +
" field elements, but need at least " +
157 auto padding_indicator_array = compute_padding_indicator_array(log_n);
158 verifier_instance->gate_challenges =
159 transcript->template get_dyadic_powers_of_challenge<FF>(
"Sumcheck:gate_challenge", log_n);
162 VerifierCommitments commitments{ verifier_instance->get_vk(), verifier_instance->witness_commitments };
165 commitments.gemini_masking_poly = verifier_instance->gemini_masking_commitment;
174 libra_commitments[0] = transcript->template receive_from_prover<Commitment>(
"Libra:concatenation_commitment");
178 verifier_instance->relation_parameters, verifier_instance->gate_challenges, padding_indicator_array);
181 libra_commitments[1] = transcript->template receive_from_prover<Commitment>(
"Libra:grand_sum_commitment");
182 libra_commitments[2] = transcript->template receive_from_prover<Commitment>(
"Libra:quotient_commitment");
185 ClaimBatcher claim_batcher{
186 .unshifted = ClaimBatch{ commitments.get_unshifted(), sumcheck_output.
claimed_evaluations.get_unshifted() },
187 .shifted = ClaimBatch{ commitments.get_to_be_shifted(), sumcheck_output.
claimed_evaluations.get_shifted() }
191 if constexpr (IsRecursive) {
192 return Commitment::one(
builder);
194 return Commitment::one();
198 auto shplemini_output = Shplemini::compute_batch_opening_claim(padding_indicator_array,
210 std::move(shplemini_output.batch_opening_claim), transcript, Flavor::FINAL_PCS_MSM_SIZE(log_n));
212 bool consistency_checked =
true;
214 consistency_checked = shplemini_output.consistency_checked;
215 vinfo(
"Ultra Verifier (with ZK): Libra evals consistency checked ", consistency_checked ?
"true" :
"false");
217 vinfo(
"Ultra Verifier sumcheck_verified: ", sumcheck_output.
verified ?
"true" :
"false");
230template <
typename Flavor,
class IO>
237 if constexpr (IO::HasIPA) {
238 std::tie(honk_proof, ipa_proof) = split_rollup_proof(proof);
244 auto [pcs_pairing_points, reduction_succeeded] = reduce_to_pairing_check(honk_proof);
245 vinfo(
"UltraVerifier: reduced to pairing check: ", reduction_succeeded ?
"true" :
"false");
247 if constexpr (!IsRecursive) {
248 if (!reduction_succeeded) {
249 info(
"UltraVerifier: verification failed at reduction step");
256 inputs.reconstruct_from_public(verifier_instance->public_inputs);
260 pi_pairing_points.aggregate(pcs_pairing_points);
265 if constexpr (IsRecursive) {
267 output.points_accumulator =
std::move(pi_pairing_points);
268 if constexpr (IO::HasIPA) {
269 output.ipa_proof = ipa_proof;
273 bool pairing_verified = pi_pairing_points.check();
274 vinfo(
"UltraVerifier: pairing check: ", pairing_verified ?
"true" :
"false");
276 if (!pairing_verified) {
277 info(
"UltraVerifier: verification failed at pairing check");
282 if constexpr (IO::HasIPA) {
283 if (!verify_ipa(ipa_proof,
inputs.ipa_claim)) {
288 output.result =
true;
305#ifdef STARKNET_GARAGA_FLAVORS
#define BB_ASSERT_GTE(left, right,...)
static constexpr bool HasZK
static constexpr bool USE_PADDING
static constexpr RepeatedCommitmentsData REPEATED_COMMITMENTS
IPA (inner product argument) commitment scheme class.
Verifier counterpart to OinkProver: receives witness commitments, computes relation parameters,...
void verify()
Receive witness commitments, compute relation parameters, and prepare for Sumcheck.
Unverified claim (C,r,v) for some witness polynomial p(X) such that.
Implementation of the sumcheck Verifier for statements of the form for multilinear polynomials .
SumcheckOutput< Flavor > verify(const bb::RelationParameters< FF > &relation_parameters, const std::vector< FF > &gate_challenges, const std::vector< FF > &padding_indicator_array)
The Sumcheck verification method. First it extracts round univariate, checks sum (the sumcheck univar...
bool verify_ipa(const Proof &ipa_proof, const IPAClaim &ipa_claim)
Verify IPA proof for rollup circuits (native verifier only)
ReductionResult reduce_to_pairing_check(const Proof &proof)
Reduce ultra proof to verification claims (works for both native and recursive)
typename Transcript::Proof Proof
std::conditional_t< IsRecursive, stdlib::recursion::PairingPoints< Curve >, bb::PairingPoints< Curve > > PairingPoints
size_t compute_log_n() const
Compute log_n based on flavor.
std::vector< FF > compute_padding_indicator_array(size_t log_n) const
Compute padding indicator array based on flavor configuration.
std::conditional_t< IsRecursive, stdlib::recursion::honk::UltraRecursiveVerifierOutput< Builder >, UltraVerifierOutput< Flavor > > Output
typename Flavor::VerifierCommitments VerifierCommitments
typename Flavor::Commitment Commitment
Output verify_proof(const Proof &proof)
Perform ultra verification.
Representation of the Grumpkin Verifier Commitment Key inside a bn254 circuit.
Manages the data that is propagated on the public inputs of an application/function circuit.
The data that is propagated on the public inputs of the inner GoblinAvmRecursiveVerifier circuit.
Manages the data that is propagated on the public inputs of a hiding kernel circuit.
The data that is propagated on the public inputs of a rollup circuit.
Entry point for Barretenberg command-line interface.
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
std::string to_string(bb::avm2::ValueTag tag)
For a small integer N = virtual_log_n and a given witness x = log_n, compute in-circuit an indicator_...
Logic to support batching opening claims for unshifted and shifted polynomials in Shplemini.
static constexpr size_t LENGTH_WITHOUT_PUB_INPUTS(size_t log_n)
static constexpr size_t derive_num_public_inputs(size_t proof_size, size_t log_n)
Derive num_public_inputs from proof size.
Contains the evaluations of multilinear polynomials at the challenge point . These are computed by S...
FF claimed_libra_evaluation
ClaimedEvaluations claimed_evaluations
std::vector< FF > challenge
Result of reducing ultra proof to pairing points check. Contains pairing points and the aggregate res...
PairingPoints pairing_points
1.9.8