chore: Standardise native public input handling #16050

Merged
federicobarbacovi merged 84 commits into merge-train/barretenberg from fb/standardise_native_public_inputs
Aug 4, 2025

@federicobarbacovi federicobarbacovi commented Jul 28, 2025

Contributor

Public inputs in stdlib are handled via the special public input mechanisms: we have classes (KernelIO, DefaultIO, HidingKernelIO, RollupIO) that set public inputs, reconstruct them, create defaults, etc. Native public inputs have a similar mechanism, but the mechanism has many hacks built-in as native structures are used more extensively than their stdlib counterparts (e.g., we use field also to construct the base/scalar field of secp256k1, which we never need to deserialise from public inputs).

This PR standardises usage of native public inputs by creating a structure similar to the one used in stdlib: we define a PublicInputComponent class that works as a wrapper around classes that can be deserialised from the public inputs, and we use this wrapper class to reconstruct special public inputs (pairing points, IPA claims, etc.).

To use the class, we make choices about how elements that are not currently used in circuit should be serialised. This pertains to base/scalar fields of secp256k1 and secp256r1 (and therefore to affine points on these curves). For consistency with the base field of BN254, we set PUBLIC_INPUTS_SIZE = 4 for an element in each of these fields.

This PR also cleans up the usage of the constants PAIRING_POINTS_SIZE and IPA_CLAIM_SIZE, as they can now be extracted from the respective classes PairingPoints and OpeningClaim<Curve> where Curve is Grumpkin (either native or stdlib)

Closes AztecProtocol/barretenberg#1478

AztecBot and others added 30 commits July 25, 2025 03:27
In `stdlib_uint` we no longer need logical operations because the only
places they were used in, i.e., std/turbo version of sha256, blake2s,
blake3s, have been removed. So it's best to reduce complexity of the
`uint` class and keep it minimal.

Removed the following functions from the `uint` class:
```cpp
operator^
operator&
operator|
operator~
operator>>
operator<<
ror
rol
logic_operator
```
…ments as input and returns the commitment to the merged table (#15949)

We modify the `MergeVerifier` so that it gets the subtable commitments as input and returns the commitment to the merged table. The reason for this change is that given the new structure of `ClientIVC` following [#15704](#15704), we can't access the merged table commitments from inside `complete_hiding_circuit_logic`.

This PR is in preparation for [#15829](#15829)

---------

Co-authored-by: AztecBot <tech@aztecprotocol.com>
TLDR: `uint` arithmetic operators `+` and `-` had a coding error and as
a result, we weren't actually supporting lazy arithmetic over integers.
This PR simplifies the `uint` class to now allow any "unbounded" values.

#### The Issue 

In the current `uint` class, we allow "unbounded" values, for example, a
`uint32_ct` can contain a value > 32 bits. This was done to allow lazy
arithmetic before such values were "normalized". This is because a call
to `normalize()` is expensive: it decomposes the value in 12-bit slices
and range-constrains each slice.

In practice though, the addition and subtraction operator actually
didn't allow any overflow due to a coding error.
On adding two $\textsf{uint}x$ values $a$ and $b$ (where $x \in [8, 16,
32, 64]$), we currently do:


https://github.com/AztecProtocol/aztec-packages/blob/5c2c217a2f1b05ae226a16ee19a99079dbba8fec/barretenberg/cpp/src/barretenberg/stdlib/primitives/uint/arithmetic.cpp#L27-L47

Assume $a, b$ are both witnesses, the `create_balanced_add_gate` creates
the following constraint:

$$a + b = q \cdot \textcolor{grey}{2^x} + r$$

where the quotient $q$ and remainder $r$ are computed as:

$$q := \frac{(a \textsf{ mod } 2^x) + (b \textsf{ mod } 2^x)}{2^x},
\quad r := \left((a \textsf{ mod } 2^x) + (b \textsf{ mod } 2^x)\right)
\textsf{ mod } 2^x.$$

In other words, the quotient and remainder are computed from the
"truncated" values of $a$ and $b$ when it should have been from the
"unbounded" values. Effectively, this means we are not actually
supporting lazy arithmetic (i.e., arithmetic operations expect inputs to
be "normalized"). I wrote a test
[here](https://github.com/AztecProtocol/aztec-packages/blob/ace0afdb4fb773cfc50af92930ecb94993ab72a5/barretenberg/cpp/src/barretenberg/stdlib/primitives/uint/uint.test.cpp#L243-L271)
that fails when, ideally, it should have passed. This confirmed the
coding error.

#### Solution(s)

One way to fix this is to actually use `get_unbounded_value()` in place
of `get_value()` (on lines 27 and 28 in `operator+` above). But we never
really were using the benefits of lazy addition (because of this silly
error). So we decided it's better to remove functionality related to
"unbounded" uint values.

Thus, we remove the `witness_status` member of the `uint` class as it
tracks if a `uint` needs to be "normalized". As a consequence, we now
need to "normalize" in every constructor where we weren't constraining
the accumulators (i.e., `byte_array` and `std::vector<bool_t>`).
Further, in `operator+` and `operator-` we normalize the result. Also,
removed the `get_unbounded_value()` as it isn't being used anywhere.
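
Added example (not part of the commit message or the barretenberg code): a plain-integer C++ model of the addition constraint $a + b = q \cdot 2^x + r$ described above. It shows that a witness computed from truncated operands fails the constraint once an operand exceeds $x$ bits, while one computed from the full values satisfies it. The function names and sample values are hypothetical.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical plain-integer model of the witness computation described above.
// All values stay far below 2^64, so uint64_t stands in for field elements.
struct AddWitness {
    uint64_t q; // quotient (the overflow part)
    uint64_t r; // remainder (the x-bit result)
};

// q and r derived from the truncated operands, matching the quoted formulas.
AddWitness witness_from_truncated(uint64_t a, uint64_t b, unsigned x)
{
    const uint64_t modulus = uint64_t{1} << x;
    const uint64_t sum = (a % modulus) + (b % modulus);
    return { sum / modulus, sum % modulus };
}

// q and r derived from the full ("unbounded") operands.
AddWitness witness_from_unbounded(uint64_t a, uint64_t b, unsigned x)
{
    const uint64_t modulus = uint64_t{1} << x;
    const uint64_t sum = a + b;
    return { sum / modulus, sum % modulus };
}

// The addition constraint: a + b == q * 2^x + r.
bool add_constraint_holds(uint64_t a, uint64_t b, AddWitness w, unsigned x)
{
    return a + b == w.q * (uint64_t{1} << x) + w.r;
}

int main()
{
    const unsigned x = 8;       // model a uint8
    const uint64_t b = 100;     // constructed sample values
    const uint64_t normalized = 200; // fits in 8 bits
    const uint64_t unbounded = 300;  // exceeds 8 bits, i.e. not yet normalized

    std::printf("normalized a, truncated witness: %d\n",
                add_constraint_holds(normalized, b, witness_from_truncated(normalized, b, x), x));
    std::printf("unbounded a, truncated witness:  %d\n",
                add_constraint_holds(unbounded, b, witness_from_truncated(unbounded, b, x), x));
    std::printf("unbounded a, unbounded witness:  %d\n",
                add_constraint_holds(unbounded, b, witness_from_unbounded(unbounded, b, x), x));
    return 0;
}
```
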
Reverts #15975

Need to get the logic ops cleanup
[PR](#15823) first.
…rcuit (#15829)

We make the merged table received by the Merge verifier in the hiding
circuit a public input to the hiding circuit. This is needed because the
Merge verifier will soon receive `t_commitments`, `T_prev_commitments`
as inputs rather than reading them from the proof.

**EDIT:**

To complete the work on the consistency checks, and to ensure the
soundness of the Goblin verification, the merged table received by the
Merge verifier in the last step of a Goblin accumulation must be set to
be a public input of the circuit that performs the verification, so that
the verifier can extract that public input and use it as the commitment
to the previous table in the Merge verification.

For example, in ClientIVC the last Merge verification before the final
Goblin verification happens in the HidingKernel, so we need to add the
merged table commitments received by the Merge verifier inside the
HidingKernel to be public inputs of the HidingKernel.

After this PR, `MegaVerifier = UltraVerifier<MegaFlavor>` always expects
the inputs to be `PairingInputs` + commitments to ECC op tables. These
inputs are produced by the class `HidingKernelIO` (even though in the
future we might consider changing this name)

The PR required changes to various tests to accommodate the new
structure of the public inputs.

---------

Co-authored-by: AztecBot <tech@aztecprotocol.com>
Co-authored-by: ledwards2225 <98505400+ledwards2225@users.noreply.github.com>
Co-authored-by: sergei iakovenko <105737703+iakovenkos@users.noreply.github.com>
Co-authored-by: ludamad <adam.domurad@gmail.com>
Co-authored-by: Suyash Bagad <suyash@aztecprotocol.com>
Co-authored-by: Jonathan Hao <jonathan@aztec-labs.com>
Co-authored-by: Raju Krishnamoorthy <krishnamoorthy@gmail.com>
Co-authored-by: notnotraju <raju@aztec-labs.com>
Co-authored-by: Lucas Xia <lucasxia01@gmail.com>
Co-authored-by: Khashayar Barooti <khashayar@aztecprotocol.com>
Co-authored-by: Jean M <132435771+jeanmon@users.noreply.github.com>
Co-authored-by: Alex Gherghisan <alexghr@users.noreply.github.com>
Co-authored-by: Santiago Palladino <spalladino@users.noreply.github.com>
Co-authored-by: Santiago Palladino <santiago@aztec-labs.com>
Co-authored-by: ludamad <domuradical@gmail.com>
Co-authored-by: maramihali <mara@aztecprotocol.com>
Co-authored-by: Sarkoxed <75146596+Sarkoxed@users.noreply.github.com>
All `uint` audit-related changes. Note we are going to remove `uint`
module altogether, this PR/commit should serve as a fallback if we ever
need to use `uint` in future.
AztecBot and others added 4 commits August 1, 2025 08:36
this PR adds a proof type and queue type for the tail kernel circuit so
we would be able to add the extra
operations required for this circuit in the client's IVC.

---------

Co-authored-by: AztecBot <tech@aztecprotocol.com>
Co-authored-by: Suyash Bagad <suyash@aztecprotocol.com>
Co-authored-by: federicobarbacovi <171914500+federicobarbacovi@users.noreply.github.com>
Co-authored-by: maramihali <mara@aztecprotocol.com>
Co-authored-by: Jonathan Hao <jonathan@aztec-labs.com>
@federicobarbacovi federicobarbacovi changed the base branch from next to merge-train/barretenberg August 1, 2025 12:31
Base automatically changed from merge-train/barretenberg to next August 1, 2025 15:53
@federicobarbacovi federicobarbacovi changed the base branch from next to merge-train/barretenberg August 4, 2025 09:22
@federicobarbacovi federicobarbacovi merged commit 596068d into merge-train/barretenberg Aug 4, 2025
4 checks passed
@federicobarbacovi federicobarbacovi deleted the fb/standardise_native_public_inputs branch August 4, 2025 12:42
github-merge-queue Bot pushed a commit that referenced this pull request Aug 4, 2025
See
[merge-train-readme.md](https://github.com/AztecProtocol/aztec-packages/blob/next/.github/workflows/merge-train-readme.md).

BEGIN_COMMIT_OVERRIDE
chore: remove `uint` (#16062)
chore: remove `decompose_into_bits()` function from `field_t` class
(#15795)
chore: Standardise native public input handling (#16050)
END_COMMIT_OVERRIDE

---------

Co-authored-by: AztecBot <tech@aztecprotocol.com>
Co-authored-by: Suyash Bagad <suyash@aztecprotocol.com>
Co-authored-by: federicobarbacovi <171914500+federicobarbacovi@users.noreply.github.com>
Co-authored-by: Jonathan Hao <jonathan@aztec-labs.com>
Co-authored-by: ledwards2225 <98505400+ledwards2225@users.noreply.github.com>
Co-authored-by: sergei iakovenko <105737703+iakovenkos@users.noreply.github.com>
Co-authored-by: ludamad <adam.domurad@gmail.com>
Co-authored-by: Raju Krishnamoorthy <krishnamoorthy@gmail.com>
Co-authored-by: notnotraju <raju@aztec-labs.com>
Co-authored-by: Lucas Xia <lucasxia01@gmail.com>
Co-authored-by: Khashayar Barooti <khashayar@aztecprotocol.com>
Co-authored-by: Jean M <132435771+jeanmon@users.noreply.github.com>
Co-authored-by: Alex Gherghisan <alexghr@users.noreply.github.com>
Co-authored-by: Santiago Palladino <spalladino@users.noreply.github.com>
Co-authored-by: Santiago Palladino <santiago@aztec-labs.com>
Co-authored-by: ludamad <domuradical@gmail.com>
Co-authored-by: maramihali <mara@aztecprotocol.com>
Co-authored-by: Sarkoxed <75146596+Sarkoxed@users.noreply.github.com>
federicobarbacovi pushed a commit that referenced this pull request Aug 5, 2025
Addressing feedback from @benesjan. Also using his prompt idea to see
how well it works.

---

This PR refactors validator staking terminology throughout the Aztec
codebase to improve clarity and better reflect the purpose of key
staking parameters. The main changes involve renaming `depositAmount` to
`activationThreshold` and `minimumStake` to `ejectionThreshold`, along
with related library and method renames.

- **`depositAmount` → `activationThreshold`**: The amount of tokens
required to activate a validator and join the validator set
- **`minimumStake` → `ejectionThreshold`**: The minimum token balance
below which a validator is ejected from the active set

- **Solidity Contracts**: Updated all references in `Rollup.sol`,
`IStaking.sol`, `GSE.sol`, and related contracts
- **Libraries**:
  - `UserLib` → `CheckpointedUintLib` (more descriptive name for
checkpoint management)
  - `DelegationLib` → `StakeDelegationLib` (clearer purpose indication)
- **Methods**: `finaliseHelper()` → `finaliseWithdraw()` in GSE contract
for better clarity

- Updated environment variables:
  - `AZTEC_DEPOSIT_AMOUNT` → `AZTEC_ACTIVATION_THRESHOLD`
  - `AZTEC_MINIMUM_STAKE` → `AZTEC_EJECTION_THRESHOLD`
- Updated all configuration files, test constants, and deployment
scripts

- Updated CLI reference documentation to reflect new parameter names
- Updated all code comments to use the new terminology

1. **Improved Clarity**: The new names clearly indicate the purpose of
each parameter - one for entering the validator set, one for being
removed from it
2. **Better Developer Experience**: Developers can immediately
understand what these thresholds represent without needing additional
context
3. **Consistency**: Uniform terminology across the entire codebase
reduces confusion
4. **Future-Proof**: The new names are more generic and adaptable to
potential future staking mechanism changes

⚠️ **This is a breaking change** that affects:

1. **Environment Variables**: Any deployment or configuration using the
old environment variable names (`AZTEC_DEPOSIT_AMOUNT`,
`AZTEC_MINIMUM_STAKE`) must be updated
2. **Contract Interfaces**: External systems calling
`getDepositAmount()`, `getMinimumStake()`, or `finaliseHelper()` must
update to use the new method names
3. **Configuration Files**: Any JSON/YAML configuration files using the
old parameter names need updates
4. **Deployment Scripts**: Custom deployment scripts referencing the old
names will need modification

- Replace `depositAmount` with `activationThreshold` in all
configurations
- Replace `minimumStake` with `ejectionThreshold` in all configurations
- Update contract calls:
  - `getDepositAmount()` → `getActivationThreshold()`
  - `getMinimumStake()` → `getEjectionThreshold()`
  - `finaliseHelper()` → `finaliseWithdraw()`

feat(sol): vk hashing (#16015)

Perform vk hashing in the solidity verifier

Takes a different approach to the traditional verifiers.
As the vk is fixed ahead of time, we hash it and include it in the
precompiled contract, therefore it is preprocessed
and does not need to be recomputed by the verifier.

chore: minor fixes and docs improvements in governance (#16039)

When doing my internal review of governance contracts I stumbled upon
plenty of small and uncontroversial issues with which it didn't really
make sense to clutter my review document.

---------

Co-authored-by: LHerskind <16536249+LHerskind@users.noreply.github.com>

chore: updated fmt settings foundry.toml (#16155)

Updated the `foundry.toml` to also wrap the comments and use the default
line_length of 120 instead of the previous 100. Threw some thousands
separators in there as well for constant values.

```toml
[fmt]
line_length = 120
tab_width = 2
variable_override_spacing=false
wrap_comments = true
number_underscore = "thousands"
override_spacing = false
```

chore: address comments (#16175)

Please read [contributing guidelines](CONTRIBUTING.md) and remove this
line.

For audit-related pull requests, please use the [audit PR
template](?expand=1&template=audit.md).

chore: invert check (#16181)

Looks like this condition should have been inverted. [Nightly CI
logs](https://github.com/AztecProtocol/aztec-packages/actions/runs/16712826743/job/47300588722)

```
03:18:35 + case "$cmd" in
03:18:35 + release
03:18:35 + semver check v1.0.0-nightly.20250804
03:18:35 + echo_stderr 'Release tag must be a valid semver version. Found: v1.0.0-nightly.20250804'
03:18:35 + echo Release tag must be a valid semver version. Found: v1.0.0-nightly.20250804
03:18:35 Release tag must be a valid semver version. Found: v1.0.0-nightly.20250804
03:18:35 + exit 1
```

chore: remove `uint` (#16062)

Removed `uint` module from `stdlib`. Had to change two modules that used
`uint`:
1. `ecdsa`: an ecdsa signature contains a byte `v` and we were using
`uint8` to represent it in circuits. Replaced that with `byte_array` (of
size 1).
2. `keccak`: variable length keccak (i.e., the number of bytes being
hashed is a circuit-variable) was using `uint32` to represent
`num_bytes`. We are not using this version of keccak anywhere so it's
better to get rid of than to maintain/audit.

feat(bb): allow for different transcript types depending on the flavor (#16017)

This change changes the transcript type in the solidity verifier case to
be a uint256 instead of serialising as field elements

It should reduce the size of the proof by 2368 bytes.
This significantly reduces hashing costs + calldata costs, and should
amount to a gas savings in the region of 50k

This pr just performs the plumbing into bb that makes these changes, and
does not apply the changes - changing the TranscriptType to uint256_t
and does not make the changes to solidity. Expect this in a follow on

**Note: still needs a cleanup but leaving this here for review from
others on the approach**

chore: remove `decompose_into_bits()` function from `field_t` class (#15795)

Since we're removing the merkle membership circuit implementation from
cpp code, we no longer use the function `decompose_into_bits()` in the
`field_t` class. Best to remove it instead of maintaining.

chore: Standardise native public input handling (#16050)

Public inputs in `stdlib` are handled via the special public input
mechanisms: we have classes (`KernelIO`, `DefaultIO`, `HidingKernelIO`,
`RollupIO`) that set public inputs, reconstruct them, create defaults,
etc. Native public inputs have a similar mechanism, but the mechanism
has many hacks built-in as native structures are used more
extensively than their `stdlib` counterparts (e.g., we use `field` also
to construct the base/scalar field of `secp256k1`, which we never need
to deserialise from public inputs).

This PR standardises usage of native public inputs by creating a
structure similar to the one used in `stdlib`: we define a
`PublicInputComponent` class that works as a wrapper around classes that
can be deserialised from the public inputs, and we use this wrapper
class to reconstruct special public inputs (pairing points, IPA claims,
etc.).

To use the class, we make choices about how elements that are not
currently used in circuit should be serialised. This pertains to
base/scalar fields of `secp256k1` and `secp256r1` (and therefore to
affine points on these curves). For consistency with the base field of
`BN254`, we set `PUBLIC_INPUTS_SIZE = 4` for an element in each of these
fields.

This PR also cleans up the usage of the constants `PAIRING_POINTS_SIZE`
and `IPA_CLAIM_SIZE`, as they can now be extracted from the respective
classes `PairingPoints` and `OpeningClaim<Curve>` where `Curve` is
`Grumpkin` (either native or `stdlib`)

Closes AztecProtocol/barretenberg#1478

---------

Co-authored-by: AztecBot <tech@aztecprotocol.com>
Co-authored-by: Suyash Bagad <suyash@aztecprotocol.com>
Co-authored-by: Jonathan Hao <jonathan@aztec-labs.com>
Co-authored-by: ledwards2225 <98505400+ledwards2225@users.noreply.github.com>
Co-authored-by: sergei iakovenko <105737703+iakovenkos@users.noreply.github.com>
Co-authored-by: ludamad <adam.domurad@gmail.com>
Co-authored-by: Raju Krishnamoorthy <krishnamoorthy@gmail.com>
Co-authored-by: notnotraju <raju@aztec-labs.com>
Co-authored-by: Lucas Xia <lucasxia01@gmail.com>
Co-authored-by: Khashayar Barooti <khashayar@aztecprotocol.com>
Co-authored-by: Jean M <132435771+jeanmon@users.noreply.github.com>
Co-authored-by: Alex Gherghisan <alexghr@users.noreply.github.com>
Co-authored-by: Santiago Palladino <spalladino@users.noreply.github.com>
Co-authored-by: Santiago Palladino <santiago@aztec-labs.com>
Co-authored-by: ludamad <domuradical@gmail.com>
Co-authored-by: maramihali <mara@aztecprotocol.com>
Co-authored-by: Sarkoxed <75146596+Sarkoxed@users.noreply.github.com>