fix: add missing ecc doubling gate into ultra plonk and ultra honk by zac-williamson · Pull Request #2610 · AztecProtocol/aztec-packages

zac-williamson · 2023-10-01T22:57:18Z

PR #1945 added a new selector into the Ultra arithmetisation (elliptic curve point doubling). However this change was not propagated to the polynomial relations evaluated by the UltraPlonk and UltraHonk Prover/Verifier algorithms.

This PR fixes this, as well as upgrades the BaseUltraVerifier.sol contract to use the new gate.

Checklist:

Remove the checklist to signal you've completed it. Enable auto-merge if the PR is ready to merge.

If the pull request requires a cryptography review (e.g. cryptographic algorithm implementations) I have added the 'crypto' tag.
I have reviewed my diff in github, line by line and removed unexpected formatting changes, testing logs, or commented-out code.
Every change is related to the PR description.
I have linked this pull request to relevant issues (if any exist).

…updating)

…uctors

…s for double_verify_proof in Noir

…artifacts for double_verify_proof in Noir" This reverts commit 00bc2d5.

kevaundray · 2023-10-03T11:19:01Z

    FF& q_arith = std::get<6>(_data);
    FF& q_sort = std::get<7>(_data);
    FF& q_elliptic = std::get<8>(_data);
+    FF& q_double = std::get<9>(_data);


why is this here and why does it have the same index as q_aux?

whoops I need to remove this

kevaundray · 2023-10-03T11:21:35Z

+
+            return (result == pairing_target_field::one());
+        }
+        return true;


To confirm; if builder.contains_recursive_proof and there are only 15 proof elements for example, this will return true -- is that what we want?

I think this needs a separate issue - I copied this code from stdlib_recursion so it exists elsewhere

actually I'll just fix. If it's not 16 that's a problem

Maddiaa0

Ive only checked the solidity for equiv with elliptic relation and it looks good, have minor nits about updating / adding new relation formulas in the sol.

Maddiaa0 · 2023-10-02T09:56:12Z

    error EC_SCALAR_MUL_FAILURE();
    error PROOF_FAILURE();

+bytes4 internal constant ERR_S = 0xf7b44074;


You can just emit the message

Thanks. I removed this code as it was just debug code that shouldn't have been there anyways

Maddiaa0 · 2023-10-02T10:00:16Z

+                 * y_double_identity = x_1_sqr_mul_3 * (x_1 - x_3) - (y_1 + y_1) * (y_1 + y_3);
+                 */
+                {
+                    let x1_sqr := mulmod(mload(X1_EVAL_LOC), mload(X1_EVAL_LOC), p)


Can save some gas throughout by duping on stack instead of mloading twice

yup. I was focusing on just getting a relatively clear implementation down. We can make a separate issue to optimise if this is something we want to tackle

Added an issue for this #2636

Maddiaa0 · 2023-10-02T11:11:33Z

                batch_evaluation := addmod(batch_evaluation, mulmod(mload(C_V13_LOC), mload(QARITH_EVAL_LOC), p), p)
                batch_evaluation := addmod(batch_evaluation, mulmod(mload(C_V14_LOC), mload(QSORT_EVAL_LOC), p), p)
                batch_evaluation := addmod(batch_evaluation, mulmod(mload(C_V15_LOC), mload(QELLIPTIC_EVAL_LOC), p), p)
+                batch_evaluation := addmod(batch_evaluation, mulmod(mload(C_V30_LOC), mload(QDOUBLE_EVAL_LOC), p), p)


nit: using chall 30 here sticks out, could 16 be used and the rest bumped

yeah it was odd. Later changes removed the need for this entirely

Maddiaa0 · 2023-10-02T16:46:14Z

                                                     w_2_value + q_m_value * w_2_shifted_value,
                                                     w_3_value + q_c_value * w_3_shifted_value,
                                                     q_3_value))) {
-#ifndef FUZZING


was the removal of all of these for debugging or intentional?

accidental. I've added back in

Maddiaa0 · 2023-10-02T16:46:47Z

        template <typename CircuitBuilder> bool is_same_state(const CircuitBuilder& builder)
        {
            if (!(public_inputs == builder.public_inputs)) {
+                std::cout << "pubinp" << std::endl;


Debugging info?

thanks for spotting, removed

Maddiaa0 · 2023-10-03T11:15:52Z

                 * sign_term += sign_term
                 * sign_term *= q_sign
                 */
+                let x_diff := addmod(mload(X2_EVAL_LOC), sub(p, mload(X1_EVAL_LOC)), p)


// q_elliptic * (x3 + x2 + x1)(x2 - x1)(x2 - x1) - y2^2 - y1^2 + 2(y2y1)*q_sign = 0

Maddiaa0 · 2023-10-03T11:16:58Z

+                        mload(C_ALPHA_BASE_LOC),
                        p
                    )



// q_elliptic * (x3 + x2 + x1)(x2 - x1)(x2 - x1) - y2^2 - y1^2 + 2(y2y1)*q_sign = 0

Maddiaa0 · 2023-10-03T11:19:07Z

+                 * x_double_identity = (x_3 + x_1 + x_1) * y_1_sqr_mul_4 - x_1_pow_4_mul_9;
+                 * y_double_identity = x_1_sqr_mul_3 * (x_1 - x_3) - (y_1 + y_1) * (y_1 + y_3);
+                 */
+                let x1_sqr := mulmod(mload(X1_EVAL_LOC), mload(X1_EVAL_LOC), p)


// (x3 + x1 + x1) (4y1*y1) - 9 * x1 * x1 * x1 * x1 = 0

Maddiaa0 · 2023-10-03T11:20:14Z

                        p
                    )
-                leftovers :=
+                let y_double_identity :=


// (y1 + y1) (2y1) - (3 * x1 * x1)(x1 - x3) = 0

Maddiaa0 · 2023-10-03T11:23:37Z

+                 */
+                let x1_sqr := mulmod(mload(X1_EVAL_LOC), mload(X1_EVAL_LOC), p)
+                let y1_sqr := mulmod(mload(Y1_EVAL_LOC), mload(Y1_EVAL_LOC), p)
+                let x_pow_4 := mulmod(addmod(y1_sqr, 17, p), mload(X1_EVAL_LOC), p)


b here could probably be a constant, rather than a magic 17

good point. I've added 17 as a constant

kevaundray

Left some nits, but overall looks fine to me

🤖 I have created a release *beep* *boop* --- <details><summary>aztec-packages: 0.8.1</summary> ## [0.8.1](aztec-packages-v0.8.0...aztec-packages-v0.8.1) (2023-10-03) ### Bug Fixes * Add missing ecc doubling gate into ultra plonk and ultra honk ([#2610](#2610)) ([7cb7c58](7cb7c58)) * Benchmark script fixes for master branch ([#2638](#2638)) ([0a161a4](0a161a4)) * Redirect sunset instructions ([#2646](#2646)) ([9253442](9253442)) * Remove -u from build_wasm script so that we can skip the build when SKIP_CPP_BUILD is unset ([#2649](#2649)) ([84b8ff4](84b8ff4)) ### Miscellaneous * **benchmark:** Measure block sync time ([#2637](#2637)) ([d11343f](d11343f)) * Update acir_tests script to point to master ([#2650](#2650)) ([51d1e79](51d1e79)) </details> <details><summary>barretenberg.js: 0.8.1</summary> ## [0.8.1](barretenberg.js-v0.8.0...barretenberg.js-v0.8.1) (2023-10-03) ### Bug Fixes * Remove -u from build_wasm script so that we can skip the build when SKIP_CPP_BUILD is unset ([#2649](#2649)) ([84b8ff4](84b8ff4)) </details> <details><summary>barretenberg: 0.8.1</summary> ## [0.8.1](barretenberg-v0.8.0...barretenberg-v0.8.1) (2023-10-03) ### Bug Fixes * Add missing ecc doubling gate into ultra plonk and ultra honk ([#2610](#2610)) ([7cb7c58](7cb7c58)) ### Miscellaneous * Update acir_tests script to point to master ([#2650](#2650)) ([51d1e79](51d1e79)) </details> --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

🤖 I have created a release *beep* *boop* --- <details><summary>aztec-packages: 0.8.1</summary> ## [0.8.1](AztecProtocol/aztec-packages@aztec-packages-v0.8.0...aztec-packages-v0.8.1) (2023-10-03) ### Bug Fixes * Add missing ecc doubling gate into ultra plonk and ultra honk ([#2610](AztecProtocol/aztec-packages#2610)) ([7cb7c58](AztecProtocol/aztec-packages@7cb7c58)) * Benchmark script fixes for master branch ([#2638](AztecProtocol/aztec-packages#2638)) ([0a161a4](AztecProtocol/aztec-packages@0a161a4)) * Redirect sunset instructions ([#2646](AztecProtocol/aztec-packages#2646)) ([9253442](AztecProtocol/aztec-packages@9253442)) * Remove -u from build_wasm script so that we can skip the build when SKIP_CPP_BUILD is unset ([#2649](AztecProtocol/aztec-packages#2649)) ([84b8ff4](AztecProtocol/aztec-packages@84b8ff4)) ### Miscellaneous * **benchmark:** Measure block sync time ([#2637](AztecProtocol/aztec-packages#2637)) ([d11343f](AztecProtocol/aztec-packages@d11343f)) * Update acir_tests script to point to master ([#2650](AztecProtocol/aztec-packages#2650)) ([51d1e79](AztecProtocol/aztec-packages@51d1e79)) </details> <details><summary>barretenberg.js: 0.8.1</summary> ## [0.8.1](AztecProtocol/aztec-packages@barretenberg.js-v0.8.0...barretenberg.js-v0.8.1) (2023-10-03) ### Bug Fixes * Remove -u from build_wasm script so that we can skip the build when SKIP_CPP_BUILD is unset ([#2649](AztecProtocol/aztec-packages#2649)) ([84b8ff4](AztecProtocol/aztec-packages@84b8ff4)) </details> <details><summary>barretenberg: 0.8.1</summary> ## [0.8.1](AztecProtocol/aztec-packages@barretenberg-v0.8.0...barretenberg-v0.8.1) (2023-10-03) ### Bug Fixes * Add missing ecc doubling gate into ultra plonk and ultra honk ([#2610](AztecProtocol/aztec-packages#2610)) ([7cb7c58](AztecProtocol/aztec-packages@7cb7c58)) ### Miscellaneous * Update acir_tests script to point to master ([#2650](AztecProtocol/aztec-packages#2650)) ([51d1e79](AztecProtocol/aztec-packages@51d1e79)) </details> --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

…2610) PR #1945 added a new selector into the Ultra arithmetisation (elliptic curve point doubling). However this change was not propagated to the polynomial relations evaluated by the UltraPlonk and UltraHonk Prover/Verifier algorithms. This PR fixes this, as well as upgrades the BaseUltraVerifier.sol contract to use the new gate. # Checklist: Remove the checklist to signal you've completed it. Enable auto-merge if the PR is ready to merge. - [x] If the pull request requires a cryptography review (e.g. cryptographic algorithm implementations) I have added the 'crypto' tag. - [x] I have reviewed my diff in github, line by line and removed unexpected formatting changes, testing logs, or commented-out code. - [x] Every change is related to the PR description. - [x] I have [linked](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue) this pull request to relevant issues (if any exist). --------- Co-authored-by: vezenovm <mvezenov@gmail.com> Co-authored-by: kevaundray <kevtheappdev@gmail.com>

🤖 I have created a release *beep* *boop* --- <details><summary>aztec-packages: 0.8.1</summary> ## [0.8.1](aztec-packages-v0.8.0...aztec-packages-v0.8.1) (2023-10-03) ### Bug Fixes * Add missing ecc doubling gate into ultra plonk and ultra honk ([#2610](#2610)) ([7cb7c58](7cb7c58)) * Benchmark script fixes for master branch ([#2638](#2638)) ([0a161a4](0a161a4)) * Redirect sunset instructions ([#2646](#2646)) ([9253442](9253442)) * Remove -u from build_wasm script so that we can skip the build when SKIP_CPP_BUILD is unset ([#2649](#2649)) ([84b8ff4](84b8ff4)) ### Miscellaneous * **benchmark:** Measure block sync time ([#2637](#2637)) ([d11343f](d11343f)) * Update acir_tests script to point to master ([#2650](#2650)) ([51d1e79](51d1e79)) </details> <details><summary>barretenberg.js: 0.8.1</summary> ## [0.8.1](barretenberg.js-v0.8.0...barretenberg.js-v0.8.1) (2023-10-03) ### Bug Fixes * Remove -u from build_wasm script so that we can skip the build when SKIP_CPP_BUILD is unset ([#2649](#2649)) ([84b8ff4](84b8ff4)) </details> <details><summary>barretenberg: 0.8.1</summary> ## [0.8.1](barretenberg-v0.8.0...barretenberg-v0.8.1) (2023-10-03) ### Bug Fixes * Add missing ecc doubling gate into ultra plonk and ultra honk ([#2610](#2610)) ([7cb7c58](7cb7c58)) ### Miscellaneous * Update acir_tests script to point to master ([#2650](#2650)) ([51d1e79](51d1e79)) </details> --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

zac-williamson added 3 commits September 29, 2023 12:43

added double gate relation to ultraplonk (smart contract still needs …

a32f162

…updating)

added ecc doubling gate into BaseUltraVerifier

0256440

added doubling gate into honk flavor

b5af4af

zac-williamson changed the title ~~bug fix: add missing ecc doubling gate into ultra plonk and ultra honk~~ fix: add missing ecc doubling gate into ultra plonk and ultra honk Oct 1, 2023

zac-williamson and others added 8 commits October 1, 2023 23:10

removed debugging code

c90c83d

ultra composer tests, set up srs

7fb54d5

made plonk composer constructors consistent with honk composer constr…

1f05622

…uctors

fix tests

66e1358

fixed ecc doubling gate to not use extra selector

1468244

test bug fixes

685d101

fix

3368c9f

add simple gen_inner_proof_inputs script to update recursion artifact…

00bc2d5

…s for double_verify_proof in Noir