chore: use the bb predicates when generating constraints

[guipublic]

This PR adds support for using the acir predicates for some black-box function calls on barretenberg side

• For recursive proving, we conditionally assign the inputs when the predicate is false to a placeholder verifiable proof and vk
• For elliptic curve points, we conditionally assign the inputs when the predicate is false, to valid dummy values

ecdsa r1 is not done on purpose (it'll be merged into one ecdsa file)

[iakovenkos]

I don't have enough context here, but it seems a bit suspicious that any predicate_value except for 1 is getting converted to 0. Can you please explain why it's safe?

[iakovenkos]

Is it because inside of the to_grumkin_point(...) we have
auto infinite = bool_ct(to_field_ct(input_infinite, builder));?
Should we maybe add a from_bool_witness_index in bool_t?

[guipublic]

The predicate is coming from Noir, as a condition guarding a conditional branch.
For instance, if you have:
if x ==3 { C = ec_add(A,B); }, the predicate will be x==3, which is a boolean value. When it is computed by Noir, it is properly constrained to be boolean.

Should we maybe add a from_bool_witness_index in bool_t?

Yes that could be useful for this case.

[iakovenkos]

Thanks for the explanation! I'm spinning up a PR to add this constructor

[iakovenkos]

my PR got merged to next, so you can use from_witness_undex_unsafe() on bool_t

[TomAFrench]

@guipublic looks like this has been affected by changes the crypto team has made to how we handle ECDSA opcodes. Can you update this please?

[ledwards2225]

@guipublic hope this hasn't been waiting on me - I got the sense that it wasn't ready for review yet. Lmk!

[TomAFrench]

Nope, don't worry. This has been semi-blocked by us getting the acir serialization PR in until recently.

[ledwards2225]

Overall these changes seem ok to me but I think there's still some work to do to get this to a merge-able state. My main concerns are

• Ensuring all of this new functionality is fully tested
• Making sure @iakovenkos and @federicobarbacovi are happy with and aware of the changes in bool / ecdsa respectively
• Making sure the complex portions (especially of verifier input mocking) are isolated, clean and well documented

[ledwards2225]

Would be good to have @federicobarbacovi take a quick look since this code has been audited

[ledwards2225]

unrelated change?

[guipublic]

This line is giving me compilation error because entry_witness is not used.

[federicobarbacovi]

Suggested change

	if (!input.predicate.is_constant) {
	if (!input.predicate.is_constant) {
	// We need to use a point which is different from the generator otherwise secp256r1 ECDSA verification fails
	auto default_point = Curve::g1::one + Curve::g1::one;
	bool_ct predicate_witness =
	bool_ct::from_witness_index_unsafe(&builder, input.predicate.index);
	pub_x = Fq::conditional_assign(predicate_witness, pub_x, default_point.x);
	pub_y = Fq::conditional_assign(predicate_witness, pub_y, default_point.y);
	} else {
	BB_ASSERT_EQ(input.predicate.value, true, "Creating ECDSA constraints with a constant predicate equal to false.");
	}

[federicobarbacovi]

conditional_assign works in reverse respect to conditional_select, I think the code as written above might be easier to read. Also, we need to use a point which is not ± the generator to avoid issues with secp256r1

Could you please also add documentation regarding this change in the doxygen documentation for the function create_ecdsa_verify_constraints, and documentation regarding predicate to the doxygen documentation of the class EcdsaConstraint? Thanks!

Finally, I think it would be good to add some tests in ecdsa_constraints.test.cpp testing that when we supply the predicate things work as expected.

[guipublic]

Done

[ledwards2225]

LGTM, thanks for making updates!

[ledwards2225]

flagging this again

[TomAFrench]

LGTM