chore: Fetch master for DSL recursion

.github/workflows/nix.yml

@@ -3,7 +3,7 @@ name: Nix builds
 on:
   push:
     branches:
-      - phated/**
+      - master
   schedule:
     - cron: "0 2 * * *" # run at 2 AM UTC
   workflow_dispatch:
@@ -32,6 +32,11 @@ jobs:
           nix_path: nixpkgs=channel:nixos-22.11
           github_access_token: ${{ secrets.GITHUB_TOKEN }}
 
+      - uses: cachix/cachix-action@v12
+        with:
+          name: barretenberg
+          authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
+
       - name: Check nix flake
         run: |
           nix flake check

cpp/src/barretenberg/crypto/pedersen_hash/pedersen_lookup.cpp

@@ -1,5 +1,7 @@
 #include "./pedersen_lookup.hpp"
 
+#include <mutex>
+
 #include "barretenberg/ecc/curves/grumpkin/grumpkin.hpp"
 
 namespace crypto {
@@ -10,6 +12,12 @@ std::array<std::vector<grumpkin::g1::affine_element>, NUM_PEDERSEN_TABLES> peder
 std::vector<grumpkin::g1::affine_element> pedersen_iv_table;
 std::array<grumpkin::g1::affine_element, NUM_PEDERSEN_TABLES> generators;
 
+// Mutex is not available in the WASM context.
+// WASM runs in a single-thread so this is acceptable.
+#if !defined(__wasm__)
+std::mutex init_mutex;
+#endif
+
 static bool inited = false;
 
 void init_single_lookup_table(const size_t index)
@@ -66,6 +74,11 @@ void init()
 {
     ASSERT(BITS_PER_TABLE < BITS_OF_BETA);
     ASSERT(BITS_PER_TABLE + BITS_OF_BETA < BITS_ON_CURVE);
+
+#if !defined(__wasm__)
+    const std::lock_guard<std::mutex> lock(init_mutex);
+#endif
+
     if (inited) {
         return;
     }

cpp/src/barretenberg/dsl/acir_format/acir_format.test.cpp

@@ -31,6 +31,7 @@ TEST(acir_format, test_a_single_constraint_no_pub_inputs)
         .hash_to_field_constraints = {},
         .pedersen_constraints = {},
         .merkle_membership_constraints = {},
+        .recursion_constraints = {},
         .constraints = { constraint },
     };
 
@@ -129,6 +130,7 @@ TEST(acir_format, test_logic_gate_from_noir_circuit)
         .hash_to_field_constraints = {},
         .pedersen_constraints = {},
         .merkle_membership_constraints = {},
+        .recursion_constraints = {},
         .constraints = { expr_a, expr_b, expr_c, expr_d },
     };
 
@@ -193,6 +195,7 @@ TEST(acir_format, test_schnorr_verify_pass)
         .hash_to_field_constraints = {},
         .pedersen_constraints = {},
         .merkle_membership_constraints = {},
+        .recursion_constraints = {},
         .constraints = { poly_triple{
             .a = schnorr_constraint.result,
             .b = schnorr_constraint.result,
@@ -262,6 +265,7 @@ TEST(acir_format, test_schnorr_verify_small_range)
         .hash_to_field_constraints = {},
         .pedersen_constraints = {},
         .merkle_membership_constraints = {},
+        .recursion_constraints = {},
         .constraints = { poly_triple{
             .a = schnorr_constraint.result,
             .b = schnorr_constraint.result,

cpp/src/barretenberg/dsl/acir_format/recursion_constraint.test.cpp

@@ -92,6 +92,7 @@ acir_format::Composer create_inner_circuit()
         .hash_to_field_constraints = {},
         .pedersen_constraints = {},
         .merkle_membership_constraints = {},
+        .recursion_constraints = {},
         .constraints = { expr_a, expr_b, expr_c, expr_d },
     };
 

cpp/src/barretenberg/dsl/acir_proofs/acir_proofs.cpp

@@ -185,12 +185,11 @@ size_t new_proof(void* pippenger,
         reinterpret_cast<scalar_multiplication::Pippenger*>(pippenger), g2x);
     proving_key->reference_string = crs_factory->get_prover_crs(proving_key->circuit_size);
 
-    // TODO: either need a context flag for recursive proofs or a new_recursive_proof method that uses regular
-    // UltraProver
     acir_format::Composer composer(proving_key, nullptr);
 
     create_circuit_with_witness(composer, constraint_system, witness);
 
+    // Either need a context flag for recursive proofs or a new_recursive_proof method that uses regular UltraProver
     if (is_recursive) {
         auto prover = composer.create_prover();
         auto heapProver = new acir_format::RecursiveProver(std::move(prover));
@@ -228,8 +227,8 @@ bool verify_proof(uint8_t const* g2x,
         create_circuit(composer, constraint_system);
         plonk::proof pp = { std::vector<uint8_t>(proof, proof + length) };
 
-        // for inner circuit use new prover and verifier method for outer circuit use the normal prover and verifier
-        // TODO: either need a context flag for recursive verify or a new_recursive_verify_proof method that uses
+        // For inner circuit use recursive prover and verifier, then for outer circuit use the normal prover and
+        // verifier Either need a context flag for recursive verify or a new_recursive_verify_proof method that uses
         // regular UltraVerifier
         if (is_recursive) {
             auto verifier = composer.create_verifier();

cpp/src/barretenberg/dsl/acir_proofs/acir_proofs.test.cpp

@@ -87,6 +87,7 @@ void create_inner_circuit(acir_format::acir_format& constraint_system, std::vect
         .hash_to_field_constraints = {},
         .pedersen_constraints = {},
         .merkle_membership_constraints = {},
+        .recursion_constraints = {},
         .constraints = { expr_a, expr_b, expr_c, expr_d },
     };
 

cpp/src/barretenberg/env/crs.cpp

@@ -3,17 +3,19 @@
 #include "crs.hpp"
 
 #include "barretenberg/srs/reference_string/file_reference_string.hpp"
+// TODO: Will get `undefined reference to `bbmalloc'` error when linking
 #include "barretenberg/ecc/curves/bn254/scalar_multiplication/c_bind.hpp"
+#include "barretenberg/common/mem.hpp"
 
 const int NUM_POINTS_IN_TRANSCRIPT = 5040001;
 
-
 extern "C" {
 /**
  * @brief In WASM, loads the verifier reference string.
  * Used in native code to quickly create an in-memory reference string.
  */
-uint8_t* env_load_verifier_crs() {
+uint8_t* env_load_verifier_crs()
+{
     std::ifstream transcript;
     transcript.open("../srs_db/ignition/monomial/transcript00.dat", std::ifstream::binary);
     // We need two g2 points, each 64 bytes.
@@ -22,7 +24,7 @@ uint8_t* env_load_verifier_crs() {
     transcript.seekg(28 + NUM_POINTS_IN_TRANSCRIPT * 64);
     transcript.read((char*)g2_points.data(), (std::streamsize)g2_points_size);
     transcript.close();
-    auto* g2_points_copy = (uint8_t*)bbmalloc(g2_points_size);
+    auto* g2_points_copy = (uint8_t*)aligned_alloc(64, g2_points_size);
     memcpy(g2_points_copy, g2_points.data(), g2_points_size);
     return g2_points_copy;
 }
@@ -33,20 +35,20 @@ uint8_t* env_load_verifier_crs() {
  * In native code, not intended to be used.
  * @param num_points The number of points to load.
  */
-uint8_t* env_load_prover_crs(size_t num_points) {
+uint8_t* env_load_prover_crs(size_t num_points)
+{
     // Note: This implementation is only meant to be instructive.
     // This should only be used in c-binds to implement the C++ abstractions.
     std::ifstream transcript;
     transcript.open("../srs_db/ignition/monomial/transcript00.dat", std::ifstream::binary);
     // Each g1 point is 64 bytes.
-    size_t g1_points_size = (num_points) * 64;
+    size_t g1_points_size = (num_points)*64;
     std::vector<uint8_t> g1_points(g1_points_size);
     transcript.seekg(28);
     transcript.read((char*)g1_points.data(), (std::streamsize)g1_points_size);
     transcript.close();
-    auto* g1_points_copy = (uint8_t*)bbmalloc(g1_points_size);
+    auto* g1_points_copy = (uint8_t*)aligned_alloc(64, g1_points_size);
     memcpy(g1_points_copy, g1_points.data(), g1_points_size);
     return g1_points_copy;
 }
-
 }

cpp/src/barretenberg/honk/composer/composer_helper/ultra_honk_composer_helper.cpp

@@ -270,15 +270,18 @@ std::shared_ptr<plonk::proving_key> UltraHonkComposerHelper<CircuitConstructor>:
     // // all four columns. We don't want to have equal commitments, because biggroup operations assume no points are
     // // equal, so if we tried to verify an ultra proof in a circuit, the biggroup operations would fail. To combat
     // // this, we just choose distinct values:
-    size_t num_selectors = circuit_constructor.num_selectors;
-    ASSERT(offset == subgroup_size - 1);
-    auto unique_last_value = num_selectors + 1; // Note: in compute_proving_key_base, moments earlier, each selector
-                                                // vector was given a unique last value from 1..num_selectors. So we
-                                                // avoid those values and continue the count, to ensure uniqueness.
-    poly_q_table_column_1[subgroup_size - 1] = unique_last_value;
-    poly_q_table_column_2[subgroup_size - 1] = ++unique_last_value;
-    poly_q_table_column_3[subgroup_size - 1] = ++unique_last_value;
-    poly_q_table_column_4[subgroup_size - 1] = ++unique_last_value;
+
+    // TODO(#217)(luke): Similar to the selectors, enforcing non-zero values by inserting an arbitrary final element
+    // in the table polys will result in lookup relations not being satisfied. Address this with issue #217.
+    // size_t num_selectors = circuit_constructor.num_selectors;
+    // ASSERT(offset == subgroup_size - 1);
+    // auto unique_last_value = num_selectors + 1; // Note: in compute_proving_key_base, moments earlier, each selector
+    //                                             // vector was given a unique last value from 1..num_selectors. So we
+    //                                             // avoid those values and continue the count, to ensure uniqueness.
+    // poly_q_table_column_1[subgroup_size - 1] = unique_last_value;
+    // poly_q_table_column_2[subgroup_size - 1] = ++unique_last_value;
+    // poly_q_table_column_3[subgroup_size - 1] = ++unique_last_value;
+    // poly_q_table_column_4[subgroup_size - 1] = ++unique_last_value;
 
     circuit_proving_key->polynomial_store.put("table_value_1_lagrange", std::move(poly_q_table_column_1));
     circuit_proving_key->polynomial_store.put("table_value_2_lagrange", std::move(poly_q_table_column_2));

cpp/src/barretenberg/honk/composer/standard_honk_composer.test.cpp

@@ -7,7 +7,7 @@
 #include "barretenberg/honk/sumcheck/sumcheck_round.hpp"
 #include "barretenberg/honk/sumcheck/relations/grand_product_computation_relation.hpp"
 #include "barretenberg/honk/sumcheck/relations/grand_product_initialization_relation.hpp"
-#include "barretenberg/honk/utils/public_inputs.hpp"
+#include "barretenberg/honk/utils/grand_product_delta.hpp"
 
 #include <gtest/gtest.h>
 

cpp/src/barretenberg/honk/composer/ultra_honk_composer.hpp

@@ -357,11 +357,10 @@ class UltraHonkComposer {
     };
     // std::array<uint32_t, 2> decompose_non_native_field_double_width_limb(
     //     const uint32_t limb_idx, const size_t num_limb_bits = (2 * DEFAULT_NON_NATIVE_FIELD_LIMB_BITS));
-    std::array<uint32_t, 2> evaluate_non_native_field_multiplication(
+    std::array<uint32_t, 2> queue_non_native_field_multiplication(
         const non_native_field_witnesses& input, const bool range_constrain_quotient_and_remainder = true)
     {
-        return circuit_constructor.evaluate_non_native_field_multiplication(input,
-                                                                            range_constrain_quotient_and_remainder);
+        return circuit_constructor.queue_non_native_field_multiplication(input, range_constrain_quotient_and_remainder);
     };
     // std::array<uint32_t, 2> evaluate_partial_non_native_field_multiplication(const non_native_field_witnesses&
     // input); typedef std::pair<uint32_t, barretenberg::fr> scaled_witness; typedef std::tuple<scaled_witness,

cpp/src/barretenberg/honk/composer/ultra_honk_composer.test.cpp

@@ -10,7 +10,7 @@
 #include "barretenberg/honk/sumcheck/sumcheck_round.hpp"
 #include "barretenberg/honk/sumcheck/relations/grand_product_computation_relation.hpp"
 #include "barretenberg/honk/sumcheck/relations/grand_product_initialization_relation.hpp"
-#include "barretenberg/honk/utils/public_inputs.hpp"
+#include "barretenberg/honk/utils/grand_product_delta.hpp"
 
 // TODO(luke): TEMPORARY; for testing only (comparison with Ultra Plonk composers)
 #include "barretenberg/plonk/composer/ultra_composer.hpp"
@@ -39,34 +39,30 @@ std::vector<uint32_t> add_variables(auto& composer, std::vector<fr> variables)
  * @param honk_prover
  * @param plonk_prover
  */
-// NOTE: Currently checking exact consistency for witness polynomials (wires, sorted lists) and table polys.
-// The permutation polys are computed differently between plonk and honk so we do not expect consistency.
-// Equality is checked on all selectors but we ignore the final entry since we do not enforce non-zero selectors in
-// Honk.
 void verify_consistency(honk::UltraProver& honk_prover, plonk::UltraProver& plonk_prover)
 {
     auto& honk_store = honk_prover.key->polynomial_store;
     auto& plonk_store = plonk_prover.key->polynomial_store;
 
-    // Check that all selectors agree (aside from the final element which will differ due to not enforcing non-zero
-    // selectors in Honk).
+    // Check that all selectors and table polynomials agree (aside from the final element which will differ
+    // due to not enforcing non-zero polynomials in Honk).
     for (auto& entry : honk_store) {
         std::string key = entry.first;
         bool is_selector = (key.find("q_") != std::string::npos) || (key.find("table_type") != std::string::npos);
-        if (plonk_store.contains(key) && is_selector) {
+        bool is_table = (key.find("table_value_") != std::string::npos);
+        if (plonk_store.contains(key) && (is_selector || is_table)) {
             // check equality for all but final entry
             for (size_t i = 0; i < honk_store.get(key).size() - 1; ++i) {
                 ASSERT_EQ(honk_store.get(key)[i], plonk_store.get(key)[i]);
             }
         }
     }
 
-    // Check that sorted witness-table and table polys agree
+    // Check that sorted witness-table polynomials agree
     for (auto& entry : honk_store) {
         std::string key = entry.first;
         bool is_sorted_table = (key.find("s_") != std::string::npos);
-        bool is_table = (key.find("table_value_") != std::string::npos);
-        if (plonk_store.contains(key) && (is_sorted_table || is_table)) {
+        if (plonk_store.contains(key) && is_sorted_table) {
             ASSERT_EQ(honk_store.get(key), plonk_store.get(key));
         }
     }
@@ -755,7 +751,7 @@ TEST(UltraHonkComposer, non_native_field_multiplication)
         proof_system::non_native_field_witnesses inputs{
             a_indices, b_indices, q_indices, r_indices, modulus_limbs, fr(uint256_t(modulus)),
         };
-        const auto [lo_1_idx, hi_1_idx] = honk_composer.evaluate_non_native_field_multiplication(inputs);
+        const auto [lo_1_idx, hi_1_idx] = honk_composer.queue_non_native_field_multiplication(inputs);
         honk_composer.range_constrain_two_limbs(lo_1_idx, hi_1_idx, 70, 70);
     }
     {
@@ -802,7 +798,7 @@ TEST(UltraHonkComposer, non_native_field_multiplication)
         proof_system::plonk::UltraComposer::non_native_field_witnesses inputs{
             a_indices, b_indices, q_indices, r_indices, modulus_limbs, fr(uint256_t(modulus)),
         };
-        const auto [lo_1_idx, hi_1_idx] = plonk_composer.evaluate_non_native_field_multiplication(inputs);
+        const auto [lo_1_idx, hi_1_idx] = plonk_composer.queue_non_native_field_multiplication(inputs);
         plonk_composer.range_constrain_two_limbs(lo_1_idx, hi_1_idx, 70, 70);
     }
 

cpp/src/barretenberg/honk/flavor/flavor.hpp

@@ -219,6 +219,10 @@ struct UltraArithmetization {
         ID_2,
         ID_3,
         ID_4,
+        TABLE_1,
+        TABLE_2,
+        TABLE_3,
+        TABLE_4,
         LAGRANGE_FIRST,
         LAGRANGE_LAST, // = LAGRANGE_N-1 whithout ZK, but can be less
         /* --- WITNESS POLYNOMIALS --- */
@@ -230,11 +234,19 @@ struct UltraArithmetization {
         S_2,
         S_3,
         S_4,
+        S_ACCUM,
         Z_PERM,
         Z_LOOKUP,
         /* --- SHIFTED POLYNOMIALS --- */
         W_1_SHIFT,
+        W_2_SHIFT,
+        W_3_SHIFT,
         W_4_SHIFT,
+        TABLE_1_SHIFT,
+        TABLE_2_SHIFT,
+        TABLE_3_SHIFT,
+        TABLE_4_SHIFT,
+        S_ACCUM_SHIFT,
         Z_PERM_SHIFT,
         Z_LOOKUP_SHIFT,
         /* --- --- */

cpp/src/barretenberg/honk/sumcheck/relations/grand_product_computation_relation.hpp

@@ -2,6 +2,7 @@
 #include "relation.hpp"
 #include "barretenberg/honk/flavor/flavor.hpp"
 #include "../polynomials/univariate.hpp"
+// TODO(luke): change name of this file to permutation_grand_product_relation(s).hpp and move 'init' relation into it.
 
 namespace proof_system::honk::sumcheck {