feat: Add the last merged table to the public inputs of the hiding circuit#15829
Merged
federicobarbacovi merged 79 commits intoJul 25, 2025
Conversation
- Removes `circuit_size` from all VKs (only store `log_circuit_size`) - Updates `compute_public_input_delta()` to correctly take witness values and compute `dyadic_size` via `pow()` Addresses most of AztecProtocol/barretenberg#1283 but one instance remains
…verification (#15735) Introduce the classes `SubtableWitnessCommitments` which stores `t_commitments` (and in the future `T_prev_commitments`) and `WitnessCommitments`, which stores `t_commitments`, `T_commitments` (and in the future `T_prev_commitments`). The role of these classes is to facilitate the introduction of consistency checks between two consecutive merges, see [#1351](AztecProtocol/barretenberg#1351). - The value of `t_commitments` is populated by extracting the commitments from the VK of the PG verifier. - (Future work) The value of `T_prev_commitments` is populated by taking the previous value of `T_commitments` - The value of `T_commitments` is populated by the Merge verifier --------- Co-authored-by: AztecBot <tech@aztecprotocol.com> Co-authored-by: sergei iakovenko <105737703+iakovenkos@users.noreply.github.com> Co-authored-by: ludamad <adam.domurad@gmail.com> Co-authored-by: Suyash Bagad <suyash@aztecprotocol.com> Co-authored-by: Jonathan Hao <jonathan@aztec-labs.com> Co-authored-by: ledwards2225 <98505400+ledwards2225@users.noreply.github.com> Co-authored-by: Raju Krishnamoorthy <krishnamoorthy@gmail.com> Co-authored-by: notnotraju <raju@aztec-labs.com> Co-authored-by: Lucas Xia <lucasxia01@gmail.com> Co-authored-by: Khashayar Barooti <khashayar@aztecprotocol.com> Co-authored-by: Jean M <132435771+jeanmon@users.noreply.github.com> Co-authored-by: Alex Gherghisan <alexghr@users.noreply.github.com> Co-authored-by: Santiago Palladino <spalladino@users.noreply.github.com> Co-authored-by: Santiago Palladino <santiago@aztec-labs.com> Co-authored-by: ludamad <domuradical@gmail.com> Co-authored-by: maramihali <mara@aztecprotocol.com>
1. Asserts now throw runtime errors in non-debug builds. 1. `BB_ASSERT_*` now throw_or_abort in non-debug builds. 2. Replace `ASSERT` in tests with `ASSERT_TRUE` or other gtest functions. 3. Replace `EXPECT_DEATH` and `ASSERT_DEATH` in tests with `EXPECT_THROW_OR_ABORT` or `ASSERT_THROW_OR_ABORT`. 4. Remove `#ifdef NDEBUG` around the above in tests since they work in non-debug builds now. 5. Asserts in `constexpr`s uses info instead of sstream. Fixes AztecProtocol/barretenberg#1460
As a measure of precaution in case of misconfigured ecc ops in an app circuit that might attempt, for example, to link ecc ops between apps and kernels, the subtable of ecc ops in each kernel circuit will start with an eq and reset op. This cannot happen when the API for creating ecc ops is used properly as the logic in `goblin_element` ensures an eq and reset op is present at the end of each `batch_mul`, function also used for `operator+` and `operator-`. Moreover, the `add_gates_to_ensure_nonzero_polynomials` makes sure that an eq and reset exists if no other ecc ops are encountered in the circuit. --------- Co-authored-by: AztecBot <tech@aztecprotocol.com> Co-authored-by: federicobarbacovi <171914500+federicobarbacovi@users.noreply.github.com> Co-authored-by: sergei iakovenko <105737703+iakovenkos@users.noreply.github.com> Co-authored-by: ludamad <adam.domurad@gmail.com> Co-authored-by: Suyash Bagad <suyash@aztecprotocol.com> Co-authored-by: Jonathan Hao <jonathan@aztec-labs.com> Co-authored-by: ledwards2225 <98505400+ledwards2225@users.noreply.github.com> Co-authored-by: Raju Krishnamoorthy <krishnamoorthy@gmail.com> Co-authored-by: notnotraju <raju@aztec-labs.com> Co-authored-by: Lucas Xia <lucasxia01@gmail.com> Co-authored-by: Khashayar Barooti <khashayar@aztecprotocol.com> Co-authored-by: Jean M <132435771+jeanmon@users.noreply.github.com> Co-authored-by: Alex Gherghisan <alexghr@users.noreply.github.com> Co-authored-by: Santiago Palladino <spalladino@users.noreply.github.com> Co-authored-by: Santiago Palladino <santiago@aztec-labs.com> Co-authored-by: ludamad <domuradical@gmail.com> Co-authored-by: Sarkoxed <75146596+Sarkoxed@users.noreply.github.com>
commit 2a5f380 Author: federicobarbacovi <171914500+federicobarbacovi@users.noreply.github.com> Date: Fri Jul 18 11:25:25 2025 +0000 Fixes commit 62c7260 Merge: f96e42c ae67a84 Author: federicobarbacovi <171914500+federicobarbacovi@users.noreply.github.com> Date: Fri Jul 18 11:20:24 2025 +0000 Merge remote-tracking branch 'origin/merge-train/barretenberg' into fb/native_io_mechanism commit f96e42c Author: federicobarbacovi <171914500+federicobarbacovi@users.noreply.github.com> Date: Fri Jul 18 11:17:55 2025 +0000 Introduce native IO mechanism and update ultra verifier interface commit 9c85f50 Author: federicobarbacovi <171914500+federicobarbacovi@users.noreply.github.com> Date: Fri Jul 18 09:43:37 2025 +0000 Changes to function signatures commit 1885708 Author: federicobarbacovi <171914500+federicobarbacovi@users.noreply.github.com> Date: Thu Jul 17 18:00:17 2025 +0200 feat: Implement native reconstruction from public inputs for `AffineElement`, `bb::fq`, and `bb::fr` (#15774) We make public input reconstruction in native land more idiomatic by introducing `reconstruct_from_public` method for `fq`, `fr`, and `affine_element`. --------- Co-authored-by: AztecBot <tech@aztecprotocol.com> Co-authored-by: sergei iakovenko <105737703+iakovenkos@users.noreply.github.com> Co-authored-by: ludamad <adam.domurad@gmail.com> Co-authored-by: Suyash Bagad <suyash@aztecprotocol.com> Co-authored-by: Jonathan Hao <jonathan@aztec-labs.com> Co-authored-by: ledwards2225 <98505400+ledwards2225@users.noreply.github.com> Co-authored-by: Raju Krishnamoorthy <krishnamoorthy@gmail.com> Co-authored-by: notnotraju <raju@aztec-labs.com> Co-authored-by: Lucas Xia <lucasxia01@gmail.com> Co-authored-by: Khashayar Barooti <khashayar@aztecprotocol.com> Co-authored-by: Jean M <132435771+jeanmon@users.noreply.github.com> Co-authored-by: Alex Gherghisan <alexghr@users.noreply.github.com> Co-authored-by: Santiago Palladino <spalladino@users.noreply.github.com> Co-authored-by: Santiago Palladino <santiago@aztec-labs.com> Co-authored-by: ludamad <domuradical@gmail.com> Co-authored-by: maramihali <mara@aztecprotocol.com> Co-authored-by: Sarkoxed <75146596+Sarkoxed@users.noreply.github.com> commit d218481 Merge: 5380e55 afc8002 Author: AztecBot <tech@aztecprotocol.com> Date: Thu Jul 17 15:14:28 2025 +0000 Merge branch 'next' into merge-train/barretenberg commit 5380e55 Merge: 9ac2ef8 4023da4 Author: AztecBot <tech@aztecprotocol.com> Date: Thu Jul 17 14:53:32 2025 +0000 Merge branch 'next' into merge-train/barretenberg commit 9ac2ef8 Merge: 8b71509 710c791 Author: AztecBot <tech@aztecprotocol.com> Date: Thu Jul 17 11:48:55 2025 +0000 Merge branch 'next' into merge-train/barretenberg commit 8b71509 Merge: 7ea4056 4aeb094 Author: AztecBot <tech@aztecprotocol.com> Date: Thu Jul 17 09:01:52 2025 +0000 Merge branch 'next' into merge-train/barretenberg commit 7ea4056 Merge: ad3dea5 980391a Author: AztecBot <tech@aztecprotocol.com> Date: Thu Jul 17 06:19:25 2025 +0000 Merge branch 'next' into merge-train/barretenberg commit ad3dea5 Merge: 8456fac 0ab34ee Author: AztecBot <tech@aztecprotocol.com> Date: Wed Jul 16 22:51:35 2025 +0000 Merge branch 'next' into merge-train/barretenberg commit 8456fac Merge: de7c071 445db95 Author: AztecBot <tech@aztecprotocol.com> Date: Wed Jul 16 22:26:26 2025 +0000 Merge branch 'next' into merge-train/barretenberg commit de7c071 Merge: 0968cf0 9bbff1b Author: AztecBot <tech@aztecprotocol.com> Date: Wed Jul 16 22:04:07 2025 +0000 Merge branch 'next' into merge-train/barretenberg commit 0968cf0 Merge: 921cd03 69bcc53 Author: AztecBot <tech@aztecprotocol.com> Date: Wed Jul 16 21:57:40 2025 +0000 Merge branch 'next' into merge-train/barretenberg commit 921cd03 Merge: 29c5a1f 03138c4 Author: AztecBot <tech@aztecprotocol.com> Date: Wed Jul 16 18:45:54 2025 +0000 Merge branch 'next' into merge-train/barretenberg commit 29c5a1f Merge: 6cd32ca 6205381 Author: AztecBot <tech@aztecprotocol.com> Date: Wed Jul 16 17:59:18 2025 +0000 Merge branch 'next' into merge-train/barretenberg commit 6cd32ca Merge: 6893736 1891f8d Author: AztecBot <tech@aztecprotocol.com> Date: Wed Jul 16 16:55:29 2025 +0000 Merge branch 'next' into merge-train/barretenberg commit 6893736 Merge: 9f27abb 5988a35 Author: AztecBot <tech@aztecprotocol.com> Date: Wed Jul 16 16:44:00 2025 +0000 Merge branch 'next' into merge-train/barretenberg commit 9f27abb Author: AztecBot <tech@aztecprotocol.com> Date: Wed Jul 16 16:21:05 2025 +0000 [empty] Start merge-train. Choo choo.
Contributor
Author
There was a problem hiding this comment.
Removed as I imagine it was added by mistake
| val += 1; | ||
| break; | ||
| } | ||
| // Tamper with the commitment in the proof |
Contributor
Author
There was a problem hiding this comment.
Modified so that it is always a correct tampering. Adding 1 messes up entries in the proof that correspond to point on the curve
We introduce native counterparts for our IO mechanism so that the reconstruction of public inputs in from native field elements is similar to that in-circuit --------- Co-authored-by: AztecBot <tech@aztecprotocol.com> Co-authored-by: sergei iakovenko <105737703+iakovenkos@users.noreply.github.com> Co-authored-by: ludamad <adam.domurad@gmail.com> Co-authored-by: Suyash Bagad <suyash@aztecprotocol.com> Co-authored-by: Jonathan Hao <jonathan@aztec-labs.com> Co-authored-by: ledwards2225 <98505400+ledwards2225@users.noreply.github.com> Co-authored-by: Raju Krishnamoorthy <krishnamoorthy@gmail.com> Co-authored-by: notnotraju <raju@aztec-labs.com> Co-authored-by: Lucas Xia <lucasxia01@gmail.com> Co-authored-by: Khashayar Barooti <khashayar@aztecprotocol.com> Co-authored-by: Jean M <132435771+jeanmon@users.noreply.github.com> Co-authored-by: Alex Gherghisan <alexghr@users.noreply.github.com> Co-authored-by: Santiago Palladino <spalladino@users.noreply.github.com> Co-authored-by: Santiago Palladino <santiago@aztec-labs.com> Co-authored-by: ludamad <domuradical@gmail.com> Co-authored-by: maramihali <mara@aztecprotocol.com> Co-authored-by: Sarkoxed <75146596+Sarkoxed@users.noreply.github.com>
…b/add_merge_table_to_hiding_circuit_pub_inputs
commit 3dbca03 Author: federicobarbacovi <171914500+federicobarbacovi@users.noreply.github.com> Date: Thu Jul 24 13:24:16 2025 +0000 Typos commit 6a8a523 Author: federicobarbacovi <171914500+federicobarbacovi@users.noreply.github.com> Date: Thu Jul 24 13:11:25 2025 +0000 Fixes commit b9e62d6 Author: federicobarbacovi <171914500+federicobarbacovi@users.noreply.github.com> Date: Thu Jul 24 12:15:59 2025 +0000 Update remaining files commit 37088cd Author: federicobarbacovi <171914500+federicobarbacovi@users.noreply.github.com> Date: Thu Jul 24 11:47:45 2025 +0000 Update Goblin boomerang test commit 39ac8c2 Author: federicobarbacovi <171914500+federicobarbacovi@users.noreply.github.com> Date: Thu Jul 24 11:46:02 2025 +0000 Update goblin commit 888fc82 Author: federicobarbacovi <171914500+federicobarbacovi@users.noreply.github.com> Date: Thu Jul 24 11:26:40 2025 +0000 Update merge verifier api commit 4fb769b Merge: eaf251e f70e99d Author: AztecBot <tech@aztecprotocol.com> Date: Thu Jul 24 09:38:03 2025 +0000 Merge branch 'next' into merge-train/barretenberg commit f70e99d Author: Nicolás Venturo <nicolas.venturo@gmail.com> Date: Thu Jul 24 05:55:55 2025 -0300 docs: updated code docs (#15701) With `Empty` being a supertrait of `Eq`, `Empty + Eq` becomes meaningless - this was emitting warnings. @LeilaWang what do you think about setting up a CI job that checks the protocol circuit crates emit no warnings? That's what we use in aztec-nr and it's been working wonderfully. tldr you need to run `nargo check --deny-warnings`.
| // Check the size of the recursive verifier | ||
| if constexpr (std::same_as<RecursiveFlavor, MegaZKRecursiveFlavor_<UltraCircuitBuilder>>) { | ||
| uint32_t NUM_GATES_EXPECTED = 873673; | ||
| uint32_t NUM_GATES_EXPECTED = 874803; |
Contributor
Author
There was a problem hiding this comment.
Bump in size is due to the new public inputs. There are 32 new public inputs (4 commitments, which amount to 4 * 2 elements in bigfield, each of which accounts for 4 public inputs), they account for the raise in gates as follows:
(32 // 3 + 1) * 76 = 836new gates due to hashing to generate the first challenge inOink192new gates to computepublic_input_delta(32 * 2new additions)- Finalisation (there are more range lists)
federicobarbacovi
added a commit
that referenced
this pull request
Jul 25, 2025
…ments as input and returns the commitment to the merged table (#15949) We modify the `MergeVerifier` so that it gets the subtable commitments as input and returns the commitment to the merged table. The reason for this change is that given the new structure of `ClientIVC` following [#15704](#15704), we can't access the merged table commitments from inside `complete_hiding_circuit_logic`. This PR is in preparation for [#15829](#15829) --------- Co-authored-by: AztecBot <tech@aztecprotocol.com>
…b/add_merge_table_to_hiding_circuit_pub_inputs
| HonkRecursionConstraintOutput<typename Flavor::CircuitBuilder> create_honk_recursion_constraints( | ||
| typename Flavor::CircuitBuilder& builder, const RecursionConstraint& input, bool has_valid_witness_assignments) | ||
| requires IsRecursiveFlavor<Flavor> | ||
| requires(IsRecursiveFlavor<Flavor> && IsUltraHonk<typename Flavor::NativeFlavor>) |
Contributor
Author
There was a problem hiding this comment.
Added because this function is used only when IsUltraHonk is true. It avoids confusion now that the public inputs for MegaFlavor are different
iakovenkos
reviewed
Jul 25, 2025
| builder->finalize_public_inputs(); | ||
| } | ||
|
|
||
| static std::array<G1, Builder::NUM_WIRES> empty_ecc_op_tables(Builder& builder) |
Contributor
Author
There was a problem hiding this comment.
We could, but in some places we will need to instantiate ecc op tables to the points at infinity as the starting point of the Goblin recursion. More precisely, we'll need to do it in the init Kernel, and in the Goblin AVM verifier. I thought it was nicer to have a method that produces such tables rather than having a loop every time
iakovenkos
approved these changes
Jul 25, 2025
iakovenkos
left a comment
iakovenkos
left a comment
Contributor
There was a problem hiding this comment.
Looks great, thanks for avoiding points at infinity in the default ecc tables!
federicobarbacovi
deleted the
fb/add_merge_table_to_hiding_circuit_pub_inputs
branch
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Jul 30, 2025
See [merge-train-readme.md](https://github.com/AztecProtocol/aztec-packages/blob/next/.github/workflows/merge-train-readme.md). BEGIN_COMMIT_OVERRIDE chore: remove `logic` operations from `uint` (#15975) chore: Modify the `MergeVerifier` so that it gets the subtable commitments as input and returns the commitment to the merged table (#15949) fix: delete tar generated by test-vk-havent-changed script (#15988) chore: replace q_arith with q_3 in memory relation (#15953) chore: simplify `uint` logic by removing `witness_status` (#15976) Revert "chore: remove `logic` operations from `uint`" (#15997) Revert "chore: simplify `uint` logic by removing `witness_status`" (#16000) feat: Add the last merged table to the public inputs of the hiding circuit (#15829) chore: combined `uint` audit (#16030) chore: delete and ignore barretenberg/src/honk/keys/ (#16042) fix: Fix tube proof construction (#16052) feat: Link successive recursive Merge verifications (#16032) chore: Package inputs to Merge verifier into a single struct (#16075) END_COMMIT_OVERRIDE --------- Co-authored-by: AztecBot <tech@aztecprotocol.com> Co-authored-by: Suyash Bagad <suyash@aztecprotocol.com> Co-authored-by: federicobarbacovi <171914500+federicobarbacovi@users.noreply.github.com> Co-authored-by: Jonathan Hao <jonathan@aztec-labs.com> Co-authored-by: ledwards2225 <98505400+ledwards2225@users.noreply.github.com> Co-authored-by: sergei iakovenko <105737703+iakovenkos@users.noreply.github.com> Co-authored-by: ludamad <adam.domurad@gmail.com> Co-authored-by: Raju Krishnamoorthy <krishnamoorthy@gmail.com> Co-authored-by: notnotraju <raju@aztec-labs.com> Co-authored-by: Lucas Xia <lucasxia01@gmail.com> Co-authored-by: Khashayar Barooti <khashayar@aztecprotocol.com> Co-authored-by: Jean M <132435771+jeanmon@users.noreply.github.com> Co-authored-by: Alex Gherghisan <alexghr@users.noreply.github.com> Co-authored-by: Santiago Palladino <spalladino@users.noreply.github.com> Co-authored-by: Santiago Palladino <santiago@aztec-labs.com> Co-authored-by: ludamad <domuradical@gmail.com> Co-authored-by: maramihali <mara@aztecprotocol.com> Co-authored-by: Sarkoxed <75146596+Sarkoxed@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
We make the merged table received by the Merge verifier in the hiding circuit a public input to the hiding circuit. This is needed because the Merge verifier will soon receive
t_commitments,T_prev_commitmentsas inputs rather than reading them from the proof.EDIT:
To complete the work on the consistency checks, and to ensure the soundness of the Goblin verification, the merged table received by the Merge verifier in the last step of a Goblin accumulation must be set to be a public input of the circuit that performs the verification, so that the verifier can extract that public input and use it as the commitment to the previous table in the Merge verification.
For example, in ClientIVC the last Merge verification before the final Goblin verification happens in the HidingKernel, so we need to add the merged table commitments received by the Merge verifier inside the HidingKernel to be public inputs of the HidingKernel.
After this PR,
MegaVerifier = UltraVerifier<MegaFlavor>always expects the inputs to bePairingInputs+ commitments to ECC op tables. These inputs are produced by the classHidingKernelIO(even though in the future we might consider changing this name)The PR required changes to various tests to accommodate the new structure of the public inputs.