chore: Introduce data structures to hold inputs/outputs of the Merge verification#15735
Merged
federicobarbacovi merged 43 commits intoJul 18, 2025
Merged
Conversation
We modify the Merge protocol so that it enforces that the subtable polynomial `t_j` has degree smaller than `subtable_size` as read from the proof. Closes AztecProtocol/barretenberg#1442 **Details** As per the linked issue, we want to support ecc operations in app circuits. To ensure that app ecc ops do not modify ecc ops that happened before them, we need to ensure that the subtable length `t.size()` is smaller than the constant `l` by which we right shift `T_prev`. This is to ensure that `t + X^{l-1} T_prev` is indeed the polynomial corresponding to the column `t || T_prev`. We enforce this degree check in the merge protocol by requiring the prover to commit to `g(X) := X^{l-1} t(1/X)` and provide openings `c`, `d` of `t`, `g` at challenges `1/kappa`, `kappa`, respectively, for which we check `c * kappa^{l-1} = d`. To save on the number of MSMs performed, we use Shplonk to verify the following claims: - `t(X)` opens to `c` at `1/kappa` - `p(X) = t(X) + X^{l-1} T_prev(X) - T(X)` opens to `0` at `kappa` - `g(X) := X^{l-1} t(1/X)` opens to `d` at `kappa` --------- Co-authored-by: AztecBot <tech@aztecprotocol.com> Co-authored-by: sergei iakovenko <105737703+iakovenkos@users.noreply.github.com> Co-authored-by: ludamad <adam.domurad@gmail.com> Co-authored-by: Suyash Bagad <suyash@aztecprotocol.com> Co-authored-by: Jonathan Hao <jonathan@aztec-labs.com> Co-authored-by: ledwards2225 <98505400+ledwards2225@users.noreply.github.com> Co-authored-by: Raju Krishnamoorthy <krishnamoorthy@gmail.com> Co-authored-by: notnotraju <raju@aztec-labs.com> Co-authored-by: Lucas Xia <lucasxia01@gmail.com> Co-authored-by: Khashayar Barooti <khashayar@aztecprotocol.com> Co-authored-by: Jean M <132435771+jeanmon@users.noreply.github.com> Co-authored-by: Alex Gherghisan <alexghr@users.noreply.github.com> Co-authored-by: Santiago Palladino <spalladino@users.noreply.github.com> Co-authored-by: Santiago Palladino <santiago@aztec-labs.com> Co-authored-by: ludamad <domuradical@gmail.com> Co-authored-by: maramihali <mara@aztecprotocol.com>
federicobarbacovi
requested review from
IlyasRidhuan,
fcarreiro and
jeanmon
as code owners
…b/merge_verifier_api
…b/merge_verifier_api
federicobarbacovi
changed the title
MergeVerificationData
ledwards2225
approved these changes
Jul 17, 2025
ledwards2225
left a comment
ledwards2225
left a comment
Contributor
There was a problem hiding this comment.
Great, thanks for the updates. I think this is ready to get merged - any further updates to the model can be done in follow ons
| // Recursively verify the corresponding merge proof | ||
| PairingPoints pairing_points = goblin.recursively_verify_merge( | ||
| circuit, decider_vk->witness_commitments.get_ecc_op_wires(), accumulation_recursive_transcript); | ||
| circuit, merge_commitments, merge_commitments.T_commitments, accumulation_recursive_transcript); |
Contributor
There was a problem hiding this comment.
I appreciate what you've done here but I do still find it to be a bit funny because we're passing in the same data (T_commitments) twice, albeit as a const ref in one case. It does make it slightly clearer because I know exactly what data might be altered.
Is it eventually the case that we'll always pass in {t, T_prev} and always return T? If so it seems pretty natural to have those inputs passed in to the method (as a const) and have the output passed out (making the output {pairing_points, T}. FWIW I'm perfectly happy to merge this as it is and continue to iterate. I think it will become clearer what to do as this work progresses
Contributor
Author
There was a problem hiding this comment.
Yes, it is always going to be the case that we pass in {t, T_prev}, and return T. I thought it would be better to have them all in one structure (mostly for ClientIVC), but maybe you're right and it's better to simply return T. We can discuss in next iterations.
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Jul 21, 2025
See [merge-train-readme.md](https://github.com/AztecProtocol/aztec-packages/blob/next/.github/workflows/merge-train-readme.md). BEGIN_COMMIT_OVERRIDE chore!: Remove circuit_size from all VKs (#15747) chore: Introduce data structures to hold inputs/outputs of the Merge verification (#15735) chore: replace asserts with runtime errors. (#15671) chore: kernels start with eq and reset (#15734) chore: Introduce Native IO mechanism (#15820) fix: Update Cargo.lock in avm-transpiler (#15837) END_COMMIT_OVERRIDE --------- Co-authored-by: AztecBot <tech@aztecprotocol.com> Co-authored-by: ledwards2225 <98505400+ledwards2225@users.noreply.github.com> Co-authored-by: federicobarbacovi <171914500+federicobarbacovi@users.noreply.github.com> Co-authored-by: sergei iakovenko <105737703+iakovenkos@users.noreply.github.com> Co-authored-by: ludamad <adam.domurad@gmail.com> Co-authored-by: Suyash Bagad <suyash@aztecprotocol.com> Co-authored-by: Jonathan Hao <jonathan@aztec-labs.com> Co-authored-by: Raju Krishnamoorthy <krishnamoorthy@gmail.com> Co-authored-by: notnotraju <raju@aztec-labs.com> Co-authored-by: Lucas Xia <lucasxia01@gmail.com> Co-authored-by: Khashayar Barooti <khashayar@aztecprotocol.com> Co-authored-by: Jean M <132435771+jeanmon@users.noreply.github.com> Co-authored-by: Alex Gherghisan <alexghr@users.noreply.github.com> Co-authored-by: Santiago Palladino <spalladino@users.noreply.github.com> Co-authored-by: Santiago Palladino <santiago@aztec-labs.com> Co-authored-by: ludamad <domuradical@gmail.com> Co-authored-by: maramihali <mara@aztecprotocol.com> Co-authored-by: Sarkoxed <75146596+Sarkoxed@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Introduce the classes
SubtableWitnessCommitmentswhich storest_commitments(and in the futureT_prev_commitments) andWitnessCommitments, which storest_commitments,T_commitments(and in the futureT_prev_commitments). The role of these classes is to facilitate the introduction of consistency checks between two consecutive merges, see #1351.t_commitmentsis populated by extracting the commitments from the VK of the PG verifier.T_prev_commitmentsis populated by taking the previous value ofT_commitmentsT_commitmentsis populated by the Merge verifier