feat: Complete ECCVM recursive verifier #6720
Conversation
…es into mm/eccvm-work
…rotocol/aztec-packages into mm/stdlib-verifier-commitment-key
| // Step 1. | ||
| // Receive polynomial_degree + 1 = d from the prover | ||
| const auto poly_length = static_cast<uint32_t>( | ||
| transcript->template receive_from_prover<typename Curve::BaseField>("IPA:poly_degree_plus_1") |
There was a problem hiding this comment.
Add a todo to actually assert_equal the value received from the prover. Right now it is a spare value to bruteforce challenges
There was a problem hiding this comment.
you mean with the circuit size given in the verification_key or what?
| const auto log_poly_degree = numeric::get_msb(static_cast<uint32_t>(poly_length)); | ||
| // Step 3. | ||
| // Compute C' = C + f(\beta) ⋅ U | ||
| GroupElement C_prime = opening_claim.commitment + aux_generator * opening_claim.opening_pair.evaluation; |
There was a problem hiding this comment.
Why not add f(\beta)*U to the msm?
There was a problem hiding this comment.
will leave things as they are are to not differ from the non-stdlib implementation if not necessary
| // Construct vector s | ||
| std::vector<Fr> s_vec(poly_length); | ||
|
|
||
| for (size_t i = 0; i < poly_length; i++) { |
There was a problem hiding this comment.
Add a TODO to do this in a tree
There was a problem hiding this comment.
There already was one in the parallelised function, copied here as well:)
| // Compute G₀ | ||
| // Unlike the native verification function, the verifier commitment key only containts the SRS so we can apply | ||
| // batch_mul directly on it. | ||
| Commitment G_zero = Commitment::batch_mul(srs_elements, s_vec); |
There was a problem hiding this comment.
Add a todo,please, to make it so that we only have 1 batch_mul
| // TODO(https://github.com/AztecProtocol/barretenberg/issues/1017): This is a hack to ensure zero commitments | ||
| // are still on curve as the transcript doesn't currently support a point at infinity representation for | ||
| // cycle_group | ||
| if (!comm.get_value().on_curve()) { |
There was a problem hiding this comment.
If the point at infinity is at another place, this will fail the circuit. You need to do set_point_at_infinity(x==x_error&&y=y_error)
There was a problem hiding this comment.
⚠️ Performance Alert ⚠️
Possible performance regression was detected for benchmark 'C++ Benchmark'.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 1.05.
| Benchmark suite | Current: 77f0b38 | Previous: 1ccab1d | Ratio |
|---|---|---|---|
nativeconstruct_proof_ultrahonk_power_of_2/20 |
5987.959732999997 ms/iter |
5543.083378000006 ms/iter |
1.08 |
This comment was automatically generated by workflow using github-action-benchmark.
CC: @ludamad @codygunton
|
Chatted with Kesha async, we're gonna leave point at inifinity as it is and fix the hack by making transcript handling it correctly as other hacky fixes we tried don't work |
Enable IPA recursive verification and add tests to complete the ECCVM recursive verifier.