feat!: Merge with degree check #15562
Merged
federicobarbacovi merged 118 commits on Jul 15, 2025
* Our basic binary ops produce a new gate iff both operands are witnesses. Most of the implementations contained deeply branched logic that is now replaced with simple `int` arithmetic that looks more robust and is much easier to read.
* Added documentation in various places. The constraints are made more explicit
* Removed redundant assignments
* Re-worked the test suite. Now all basic ops and functions are tested for all combinations of flags (`is_constant`, `witness_bool`, `witness_inverted`). Added missing tests, checked various edge cases.
* Removed a couple of tests that seemed less expressive
* Removed `must_imply()` method for a vector of implications, as it is not used anymore
* Fixed a `normalize()` regression - previously it wouldn't check if (`witness_inverted == false`) and would normalize a witness `bool_t` even if the condition is satisfied. It is the reason for the VK changes
We enhance the Shplonk verifier api so that it can efficiently handle openings of polynomials that are linearly dependent

---------

Co-authored-by: AztecBot <tech@aztecprotocol.com>
Co-authored-by: ludamad <adam.domurad@gmail.com>
Co-authored-by: Suyash Bagad <suyash@aztecprotocol.com>
Co-authored-by: sergei iakovenko <105737703+iakovenkos@users.noreply.github.com>
Co-authored-by: Jonathan Hao <jonathan@aztec-labs.com>
Co-authored-by: ledwards2225 <98505400+ledwards2225@users.noreply.github.com>
… on rebase logic (#15508)
The `bit_array` stdlib primitive is not used in the production code --> deleted
Had to change a couple of headers that included `bit_array` to access `plookup` or `uint`.
Fixed some misleading comments in a couple of fuzzers
`ECCVM-` and `Translator-` `RecursiveFlavors` are only used with `UltraCircuitBuilder`, which allows us to decouple them and the corresponding `RecursiveVerifiers` from `Flavor` template parameter.
Removes the `ProvingKey` altogether from the Ultra/Mega proving systems.

TLDR: "proving key" used to mean "the precomputable data used by the prover." The Honk PK hasn't been that for a long time since it stores the `ProverPolynomials` which contains _all_ polynomials used by the prover, including witnesses. This meant there was no clear logic behind what was stored in the `DeciderProvingKey` vs the `ProvingKey`. Since we don't have much use for the traditional notion of a proving key in Honk (unlike in Plonk), I've opted to remove it entirely and place its data directly in the `DeciderProvingKey`.

Most lines in this PR relate to one of these changes:
- There is a single circuit-size-like parameter in the DPK, accessed via `dyadic_size()`
- A honk VK is now constructed as `vk(pk->get_precomputed())` (instead of `vk(pk->proving_key)`)
- Lines containing `proving_key->proving_key.foo` have been reduced to `proving_key->foo`
- "metadata" (circuit size and public inputs metadata) live in a `MetaData` struct. (Note: I'm open to a better name..)

---------

Co-authored-by: AztecBot <tech@aztecprotocol.com>
Co-authored-by: ludamad <adam.domurad@gmail.com>
Co-authored-by: federicobarbacovi <171914500+federicobarbacovi@users.noreply.github.com>
Co-authored-by: Suyash Bagad <suyash@aztecprotocol.com>
Co-authored-by: sergei iakovenko <105737703+iakovenkos@users.noreply.github.com>
The tube propagates the public inputs of the hiding circuit (received in the CIVC proof) via its own public inputs. Previously, those public inputs were being extracted from the native proof meaning they were disconnected from those used by the CIVC recursive verifier. A previous PR made the CIVC rec verifier take a stdlib proof so it is now easy to directly set the pub inputs of the stdlib proof public, making the connection proper. Partially (entirely?) addresses AztecProtocol/barretenberg#1048
Addresses [1140](AztecProtocol/barretenberg#1140), native IPA verifier computes inverses of the challenges via a `batch_invert()` call.

---------

Co-authored-by: notnotraju <raju@aztec-labs.com>
Moves the `uint_plookup` class into the `uint` class in stdlib. This is done because the plookup-based uint version is now the default (since we no longer have the old `standard` or `turbo` arithmetisation). As a result, we remove any conditionals using `HasPlookup` from uint related code.
| CommitmentKey commitment_key, | ||
| const std::shared_ptr<Transcript>& transcript) | ||
| : op_queue(op_queue) | ||
| // TODO(https://github.com/AztecProtocol/barretenberg/issues/1420): pass commitment keys by value |
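Review bot: the TODO on the last line tracks passing commitment keys by value, while the `CommitmentKey commitment_key` parameter three lines above it is already taken by value. The signature and the TODO should agree once this lands: either drop the TODO or reword it to say what is still outstanding, so readers are not sent to an issue for work that is already done.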
Contributor
Author
Issue is closed
I had thought that const ref can't get a default parameter but it can!
42b65c1 to 8369b3f
| } | ||
| } | ||
|
|
||
| TYPED_TEST(MegaHonkTests, MultipleCircuitsMergeOnlyAppend) |
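Review bot: at `TYPED_TEST(MegaHonkTests, MultipleCircuitsMergeOnlyAppend)`, if this test cannot pass yet, prefer keeping it compiled under GoogleTest's `DISABLED_` name prefix with a one-line comment naming the blocking issue, rather than deleting it. That keeps the append-only merge case visible in the suite and makes it easy to re-enable once the blocker is fixed.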
Contributor
Author
Removed as discussed (it would fail because Shplonk doesn't handle empty polynomials #1474 and in an append-only scenario the table to be prepended is the empty table, hence the empty polynomial)
maramihali reviewed Jul 14, 2025
maramihali left a comment
thanks for the modifications, another bulk of comments but mostly nits! :)
…b/merge_with_degree_check
…b/merge_with_degree_check
maramihali approved these changes Jul 15, 2025
maramihali left a comment
thanks for bearing through my endless review :D
| std::string suffix = std::to_string(idx); | ||
| T_prev_commitments[idx] = transcript->template receive_from_prover<Commitment>("T_PREV_" + suffix); | ||
| T_commitments[idx] = transcript->template receive_from_prover<Commitment>("T_CURRENT_" + suffix); | ||
| if (settings == MergeSettings::PREPEND) { |
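Review bot: the `if (settings == MergeSettings::PREPEND)` on the last line follows the two `receive_from_prover` calls with no comment saying why the step it guards applies to one setting only. Add a short comment beside the branch stating what is skipped for the other setting and which issue will remove the branch, since prover and verifier have to agree exactly on what goes through the transcript in each mode.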
ah right, so this if clause will go away once issue 1473 is resolved
johnathan79717 added a commit that referenced this pull request Jul 15, 2025
Restore accidentally deleted files in a previous PR. #15562
github-merge-queue Bot pushed a commit that referenced this pull request Jul 16, 2025
See [merge-train-readme.md](https://github.com/AztecProtocol/aztec-packages/blob/next/.github/workflows/merge-train-readme.md).

BEGIN_COMMIT_OVERRIDE
feat!: Merge with degree check (#15562)
fix: Fix the docker build action for fuzzing (#15719)
fix: restore accidentally deleted files (#15724)
fix: civc wasm memory regression (#15722)
feat: mmap backed polynomials (#15531)
feat(bbapi): CLI uses bbapi CIVC (#15702)
fix(ci): brittle benchmark behavior (#15771)
END_COMMIT_OVERRIDE

---------

Co-authored-by: AztecBot <tech@aztecprotocol.com>
Co-authored-by: federicobarbacovi <171914500+federicobarbacovi@users.noreply.github.com>
Co-authored-by: sergei iakovenko <105737703+iakovenkos@users.noreply.github.com>
Co-authored-by: ludamad <adam.domurad@gmail.com>
Co-authored-by: Suyash Bagad <suyash@aztecprotocol.com>
Co-authored-by: Jonathan Hao <jonathan@aztec-labs.com>
Co-authored-by: ledwards2225 <98505400+ledwards2225@users.noreply.github.com>
Co-authored-by: Raju Krishnamoorthy <krishnamoorthy@gmail.com>
Co-authored-by: notnotraju <raju@aztec-labs.com>
Co-authored-by: Lucas Xia <lucasxia01@gmail.com>
Co-authored-by: Khashayar Barooti <khashayar@aztecprotocol.com>
Co-authored-by: Jean M <132435771+jeanmon@users.noreply.github.com>
Co-authored-by: Alex Gherghisan <alexghr@users.noreply.github.com>
Co-authored-by: Santiago Palladino <spalladino@users.noreply.github.com>
Co-authored-by: Santiago Palladino <santiago@aztec-labs.com>
Co-authored-by: ludamad <domuradical@gmail.com>
Co-authored-by: maramihali <mara@aztecprotocol.com>
Co-authored-by: Sarkoxed <75146596+Sarkoxed@users.noreply.github.com>
We modify the Merge protocol so that it enforces that the subtable polynomial `t_j` has degree smaller than `subtable_size` as read from the proof.

Closes AztecProtocol/barretenberg#1442

Details

As per the linked issue, we want to support ecc operations in app circuits. To ensure that app ecc ops do not modify ecc ops that happened before them, we need to ensure that the subtable length `t.size()` is smaller than the constant `l` by which we right shift `T_prev`. This is to ensure that `t + X^{l-1} T_prev` is indeed the polynomial corresponding to the column `t || T_prev`.

We enforce this degree check in the merge protocol by requiring the prover to commit to `g(X) := X^{l-1} t(1/X)` and provide openings `c`, `d` of `t`, `g` at challenges `1/kappa`, `kappa`, respectively, for which we check `c * kappa^{l-1} = d`.

To save on the number of MSMs performed, we use Shplonk to verify the following claims:
- `t(X)` opens to `c` at `1/kappa`
- `p(X) = t(X) + X^{l-1} T_prev(X) - T(X)` opens to `0` at `kappa`
- `g(X) := X^{l-1} t(1/X)` opens to `d` at `kappa`
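
The degree check `c * kappa^{l-1} = d` described above, as an added example that is not code from this PR or from barretenberg. The toy field `P = 2^31 - 1`, the helper names `reversed` and `degree_check`, and the sample coefficients are assumptions; polynomials are evaluated directly instead of being opened through commitments and Shplonk.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Toy prime field (assumption: P = 2^31 - 1, not the curve field the real prover uses).
constexpr uint64_t P = 2147483647ULL;
using Poly = std::vector<uint64_t>; // coefficients, lowest degree first, each < P

uint64_t mul(uint64_t a, uint64_t b) { return (a * b) % P; }
uint64_t pow_mod(uint64_t base, uint64_t exp)
{
    uint64_t result = 1;
    for (base %= P; exp > 0; exp >>= 1, base = mul(base, base)) {
        if (exp & 1) { result = mul(result, base); }
    }
    return result;
}
uint64_t inverse(uint64_t a) { return pow_mod(a, P - 2); } // Fermat; requires a != 0

uint64_t evaluate(const Poly& poly, uint64_t x) // Horner's rule
{
    uint64_t acc = 0;
    for (size_t i = poly.size(); i-- > 0;) { acc = (mul(acc, x) + poly[i]) % P; }
    return acc;
}

// Prover: g(X) = X^{l-1} t(1/X), i.e. g[l-1-i] = t[i]. Coefficients of t at index >= l
// would need negative powers of X, which no polynomial g can hold; they are dropped here.
Poly reversed(const Poly& t, size_t l)
{
    Poly g(l, 0);
    for (size_t i = 0; i < t.size() && i < l; ++i) { g[l - 1 - i] = t[i]; }
    return g;
}

// Verifier: with c = t(1/kappa) and d = g(kappa), accept iff c * kappa^{l-1} == d.
// (Evaluated directly here; in the protocol c and d are openings proven via Shplonk.)
bool degree_check(const Poly& t, const Poly& g, size_t l, uint64_t kappa)
{
    return mul(evaluate(t, inverse(kappa)), pow_mod(kappa, l - 1)) == evaluate(g, kappa);
}

int main()
{
    Poly ok = { 3, 1, 4 }, too_long = { 3, 1, 4, 1, 5 }; // constructed samples, l = 4
    std::printf("deg < l: %d, deg >= l: %d\n", degree_check(ok, reversed(ok, 4), 4, 12345),
                degree_check(too_long, reversed(too_long, 4), 4, 12345));
}
```

For the oversized `t`, the two sides differ by `5 / kappa`, which is nonzero for every nonzero `kappa`, so the check rejects.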