feat: Zw/goblin avm tests (#12904)

ledwards2225 · zac-williamson · web-flow · commit baea4b30a8fa · 2025-03-31T20:55:34.000-07:00
Introduces a new class `AvmGoblinRecursiveVerifier` that manages the Goblinized AVM recursive verification algorithm. The algorithm involves the construction of two circuits. The first is a Mega-arithmetized AVM recursive verifier. The second is an Ultra circuit that recursively verifies the proof of the first (which consists of a Mega proof plus a Goblin proof). The output of the algorithm is equivalent to a that of a Rollup Honk recursive verifier: a pairing point accumulator plus an IPA claim/proof (stemming from recursive verification of the ECCVM). See the class description for a more detailed description of the algorithm. Currently the algorithm is tested in a standalone test only and is not yet integrated into ACIR. E.g. at this stage a noir program with a verify_proof call of type AVM will still generate a vanilla Ultra recursive verifier. Note: This work is incomplete in a number of ways, the most significant of which I've documented in several sub-issues under this umbrella [issue](AztecProtocol/barretenberg#1303). --------- Co-authored-by: zac-williamson <blorktronics@gmail.com>
diff --git a/barretenberg/cpp/src/barretenberg/dsl/acir_format/acir_format.cpp b/barretenberg/cpp/src/barretenberg/dsl/acir_format/acir_format.cpp
@@ -520,6 +520,8 @@ PairingPointAccumulatorIndices process_avm_recursion_constraints(
     // Add recursion constraints
     size_t idx = 0;
     for (auto& constraint : constraint_system.avm_recursion_constraints) {
+        // TODO(https://github.com/AztecProtocol/barretenberg/issues/1303): Utilize the version of this method that
+        // employs the Goblinized AVM recursive verifier.
         current_aggregation_object = create_avm_recursion_constraints(
             builder, constraint, current_aggregation_object, has_valid_witness_assignments);
 
diff --git a/barretenberg/cpp/src/barretenberg/dsl/acir_format/avm_recursion_constraint.cpp b/barretenberg/cpp/src/barretenberg/dsl/acir_format/avm_recursion_constraint.cpp
@@ -6,6 +6,7 @@
 #include "barretenberg/stdlib/plonk_recursion/aggregation_state/aggregation_state.hpp"
 #include "barretenberg/stdlib/primitives/curves/bn254.hpp"
 #include "barretenberg/stdlib_circuit_builders/ultra_flavor.hpp"
+#include "barretenberg/vm/avm/recursion/goblin_avm_recursive_verifier.hpp"
 #include "barretenberg/vm/avm/recursion/recursive_flavor.hpp"
 #include "barretenberg/vm/avm/recursion/recursive_verifier.hpp"
 #include "barretenberg/vm/avm/trace/common.hpp"
@@ -161,24 +162,17 @@ PairingPointAccumulatorIndices create_avm_recursion_constraints(
 
     ASSERT(input.proof_type == AVM);
 
-    // Construct an in-circuit representation of the verification key.
-    std::vector<field_ct> key_fields;
-    key_fields.reserve(input.key.size());
-    for (const auto& idx : input.key) {
-        auto field = field_ct::from_witness_index(&builder, idx);
-        key_fields.emplace_back(field);
-    }
-
     auto fields_from_witnesses = [&](std::vector<uint32_t> const& input) {
         std::vector<field_ct> result;
         result.reserve(input.size());
         for (const auto& idx : input) {
-            auto field = field_ct::from_witness_index(&builder, idx);
-            result.emplace_back(field);
+            result.emplace_back(field_ct::from_witness_index(&builder, idx));
         }
         return result;
     };
 
+    // Construct in-circuit representation of the verification key, proof and public inputs
+    const auto key_fields = fields_from_witnesses(input.key);
     const auto proof_fields = fields_from_witnesses(input.proof);
     const auto public_inputs_flattened = fields_from_witnesses(input.public_inputs);
 
@@ -209,5 +203,67 @@ PairingPointAccumulatorIndices create_avm_recursion_constraints(
     return output_agg_object.get_witness_indices();
 }
 
+/**
+ * @brief Add constraints associated with recursive verification an AVM proof using Goblin
+ *
+ * @param builder
+ * @param input
+ * @param input_aggregation_object_indices
+ * @param has_valid_witness_assignments
+ * @return HonkRecursionConstraintOutput {pairing agg object, ipa claim, ipa proof}
+ */
+HonkRecursionConstraintOutput create_avm_recursion_constraints_goblin(
+    Builder& builder,
+    const RecursionConstraint& input,
+    PairingPointAccumulatorIndices input_aggregation_object_indices,
+    bool has_valid_witness_assignments)
+{
+    using RecursiveVerifier = bb::avm::AvmGoblinRecursiveVerifier;
+
+    ASSERT(input.proof_type == AVM);
+
+    auto fields_from_witnesses = [&](std::vector<uint32_t> const& input) {
+        std::vector<field_ct> result;
+        result.reserve(input.size());
+        for (const auto& idx : input) {
+            result.emplace_back(field_ct::from_witness_index(&builder, idx));
+        }
+        return result;
+    };
+
+    // Construct in-circuit representations of the verification key, proof and public inputs
+    const auto key_fields = fields_from_witnesses(input.key);
+    const auto proof_fields = fields_from_witnesses(input.proof);
+    const auto public_inputs_flattened = fields_from_witnesses(input.public_inputs);
+
+    auto it = public_inputs_flattened.begin();
+    VmPublicInputs vm_public_inputs =
+        avm_trace::convert_public_inputs(std::vector(it, it + PUBLIC_CIRCUIT_PUBLIC_INPUTS_LENGTH));
+    it += PUBLIC_CIRCUIT_PUBLIC_INPUTS_LENGTH;
+    std::vector<field_ct> calldata(it, it + AVM_PUBLIC_COLUMN_MAX_SIZE);
+    it += AVM_PUBLIC_COLUMN_MAX_SIZE;
+    std::vector<field_ct> return_data(it, it + AVM_PUBLIC_COLUMN_MAX_SIZE);
+
+    auto public_inputs_vectors = avm_trace::copy_public_inputs_columns(vm_public_inputs, calldata, return_data);
+
+    // Populate the key fields and proof fields with dummy values to prevent issues (e.g. points must be on curve).
+    if (!has_valid_witness_assignments) {
+        create_dummy_vkey_and_proof(builder, input.proof.size(), input.public_inputs.size(), key_fields, proof_fields);
+    }
+
+    // Execute the Goblin AVM recursive verifier
+    RecursiveVerifier verifier(&builder, key_fields);
+    aggregation_state_ct input_agg_obj = bb::stdlib::recursion::convert_witness_indices_to_agg_obj<Builder, bn254>(
+        builder, input_aggregation_object_indices);
+    auto output_agg_object = verifier.verify_proof(proof_fields, public_inputs_vectors, input_agg_obj);
+    // TODO(https://github.com/AztecProtocol/barretenberg/issues/996): investigate whether assert_equal on public
+    // inputs is important, like what the plonk recursion constraint does.
+
+    HonkRecursionConstraintOutput result{ .agg_obj_indices = output_agg_object.aggregation_object.get_witness_indices(),
+                                          .ipa_claim = output_agg_object.ipa_claim,
+                                          .ipa_proof = output_agg_object.ipa_proof };
+    return result;
+}
+
 } // namespace acir_format
 #endif // DISABLE_AZTEC_VM
diff --git a/barretenberg/cpp/src/barretenberg/dsl/acir_format/avm_recursion_constraint.hpp b/barretenberg/cpp/src/barretenberg/dsl/acir_format/avm_recursion_constraint.hpp
@@ -1,8 +1,8 @@
 #ifndef DISABLE_AZTEC_VM
 #pragma once
+#include "barretenberg/dsl/acir_format/honk_recursion_constraint.hpp"
 #include "barretenberg/dsl/acir_format/recursion_constraint.hpp"
 #include "barretenberg/stdlib/primitives/bigfield/bigfield.hpp"
-
 namespace acir_format {
 using Builder = bb::UltraCircuitBuilder;
 
@@ -13,5 +13,11 @@ PairingPointAccumulatorIndices create_avm_recursion_constraints(Builder& builder
                                                                 PairingPointAccumulatorIndices input_aggregation_object,
                                                                 bool has_valid_witness_assignments);
 
+HonkRecursionConstraintOutput create_avm_recursion_constraints_goblin(
+    Builder& builder,
+    const RecursionConstraint& input,
+    PairingPointAccumulatorIndices input_aggregation_object,
+    bool has_valid_witness_assignments);
+
 } // namespace acir_format
-#endif // DISABLE_AZTEC_VM
+#endif // DISABLE_AZTEC_VM
diff --git a/barretenberg/cpp/src/barretenberg/dsl/acir_format/avm_recursion_constraint.test.cpp b/barretenberg/cpp/src/barretenberg/dsl/acir_format/avm_recursion_constraint.test.cpp
@@ -42,7 +42,11 @@ class AcirAvmRecursionConstraint : public ::testing::Test {
     using OuterVerificationKey = UltraFlavor::VerificationKey;
     using OuterBuilder = UltraCircuitBuilder;
 
-    static void SetUpTestSuite() { bb::srs::init_crs_factory(bb::srs::get_ignition_crs_path()); }
+    static void SetUpTestSuite()
+    {
+        bb::srs::init_crs_factory(bb::srs::get_ignition_crs_path());
+        bb::srs::init_grumpkin_crs_factory(bb::srs::get_grumpkin_crs_path());
+    }
 
     // mutate the input kernel_public_inputs_vec to add end gas values
     static InnerBuilder create_inner_circuit([[maybe_unused]] std::vector<FF>& kernel_public_inputs_vec)
diff --git a/barretenberg/cpp/src/barretenberg/flavor/flavor.hpp b/barretenberg/cpp/src/barretenberg/flavor/flavor.hpp
@@ -406,7 +406,8 @@ concept IsRecursiveFlavor = IsAnyOf<T, UltraRecursiveFlavor_<UltraCircuitBuilder
                                         TranslatorRecursiveFlavor_<MegaCircuitBuilder>,
                                         TranslatorRecursiveFlavor_<CircuitSimulatorBN254>,
                                         ECCVMRecursiveFlavor_<UltraCircuitBuilder>,
-                                        AvmRecursiveFlavor_<UltraCircuitBuilder>>;
+                                        AvmRecursiveFlavor_<UltraCircuitBuilder>,
+                                        AvmRecursiveFlavor_<MegaCircuitBuilder>>;
 
 // These concepts are relevant for Sumcheck, where the logic is different for BN254 and Grumpkin Flavors
 template <typename T> concept IsGrumpkinFlavor = IsAnyOf<T, ECCVMFlavor, ECCVMRecursiveFlavor_<UltraCircuitBuilder>>;
diff --git a/barretenberg/cpp/src/barretenberg/stdlib/goblin_verifier/goblin_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/goblin_verifier/goblin_recursive_verifier.cpp
@@ -4,6 +4,9 @@ namespace bb::stdlib::recursion::honk {
 
 /**
  * @brief Runs the Goblin recursive verifier consisting of ECCVM, Translator and Merge verifiers.
+ * // TODO(https://github.com/AztecProtocol/barretenberg/issues/1309): Implement correct pairing point aggregation.
+ * Method needs to accept an input agg object, aggregate the pairing points from both translator and merge, then return
+ * the updated agg object.
  */
 GoblinRecursiveVerifierOutput GoblinRecursiveVerifier::verify(const GoblinProof& proof)
 {
@@ -15,8 +18,7 @@ GoblinRecursiveVerifierOutput GoblinRecursiveVerifier::verify(const GoblinProof&
     TranslatorVerifier translator_verifier{ builder,
                                             verification_keys.translator_verification_key,
                                             eccvm_verifier.transcript };
-
-    translator_verifier.verify_proof(
+    [[maybe_unused]] auto translator_pairing_points = translator_verifier.verify_proof(
         proof.translator_proof, eccvm_verifier.evaluation_challenge_x, eccvm_verifier.batching_challenge_v);
 
     // Verify the consistency between the ECCVM and Translator transcript polynomial evaluations
@@ -35,7 +37,7 @@ GoblinRecursiveVerifierOutput GoblinRecursiveVerifier::verify(const GoblinProof&
 
     MergeVerifier merge_verifier{ builder };
     StdlibProof<Builder> stdlib_merge_proof = bb::convert_native_proof_to_stdlib(builder, proof.merge_proof);
-    merge_verifier.verify_proof(stdlib_merge_proof);
+    [[maybe_unused]] auto merge_pairing_points = merge_verifier.verify_proof(stdlib_merge_proof);
     return { opening_claim, ipa_transcript };
 }
 } // namespace bb::stdlib::recursion::honk
diff --git a/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.cpp
@@ -100,7 +100,7 @@ UltraRecursiveVerifier_<Flavor>::Output UltraRecursiveVerifier_<Flavor>::verify_
     // TODO(https://github.com/AztecProtocol/barretenberg/issues/995): generate this challenge properly.
     typename Curve::ScalarField recursion_separator =
         Curve::ScalarField::from_witness_index(builder, builder->add_variable(42));
-    agg_obj.template aggregate<Builder>(nested_agg_obj, recursion_separator);
+    agg_obj.aggregate(nested_agg_obj, recursion_separator);
 
     // Execute Sumcheck Verifier and extract multivariate opening point u = (u_0, ..., u_{d-1}) and purported
     // multivariate evaluations at u
@@ -144,7 +144,7 @@ UltraRecursiveVerifier_<Flavor>::Output UltraRecursiveVerifier_<Flavor>::verify_
     pairing_points[0] = pairing_points[0].normalize();
     pairing_points[1] = pairing_points[1].normalize();
     // TODO(https://github.com/AztecProtocol/barretenberg/issues/995): generate recursion separator challenge properly.
-    agg_obj.template aggregate<Builder>(pairing_points, recursion_separator);
+    agg_obj.aggregate(pairing_points, recursion_separator);
     output.agg_obj = std::move(agg_obj);
 
     // Extract the IPA claim from the public inputs
diff --git a/barretenberg/cpp/src/barretenberg/stdlib/plonk_recursion/aggregation_state/aggregation_state.hpp b/barretenberg/cpp/src/barretenberg/stdlib/plonk_recursion/aggregation_state/aggregation_state.hpp
@@ -20,10 +20,12 @@ template <typename Curve> struct aggregation_state {
     {
         return P0 == other.P0 && P1 == other.P1;
     };
-    template <typename BuilderType = void>
+
     void aggregate(aggregation_state const& other, typename Curve::ScalarField recursion_separator)
     {
-        if constexpr (std::is_same_v<BuilderType, MegaCircuitBuilder>) {
+        using Builder = typename Curve::Builder;
+
+        if constexpr (std::is_same_v<Builder, MegaCircuitBuilder>) {
             P0 += other.P0 * recursion_separator;
             P1 += other.P1 * recursion_separator;
         } else {
@@ -36,10 +38,11 @@ template <typename Curve> struct aggregation_state {
         }
     }
 
-    template <typename BuilderType = void>
     void aggregate(std::array<typename Curve::Group, 2> const& other, typename Curve::ScalarField recursion_separator)
     {
-        if constexpr (std::is_same_v<BuilderType, MegaCircuitBuilder>) {
+        using Builder = typename Curve::Builder;
+
+        if constexpr (std::is_same_v<Builder, MegaCircuitBuilder>) {
             P0 += other[0] * recursion_separator;
             P1 += other[1] * recursion_separator;
         } else {
@@ -74,6 +77,7 @@ template <typename Curve> struct aggregation_state {
         };
         return witness_indices;
     }
+
     void assign_object_to_proof_outputs()
     {
         P0 = P0.reduce();
diff --git a/barretenberg/cpp/src/barretenberg/stdlib/primitives/biggroup/biggroup_goblin.hpp b/barretenberg/cpp/src/barretenberg/stdlib/primitives/biggroup/biggroup_goblin.hpp
@@ -349,6 +349,11 @@ template <class Builder_, class Fq, class Fr, class NativeGroup> class goblin_el
     bool_ct _is_infinity;
 };
 
+using BiggroupGoblin = goblin_element<bb::MegaCircuitBuilder,
+                                      bb::stdlib::goblin_field<MegaCircuitBuilder>,
+                                      stdlib::field_t<MegaCircuitBuilder>,
+                                      bb::g1>;
+
 template <typename C, typename Fq, typename Fr, typename G>
 inline std::ostream& operator<<(std::ostream& os, goblin_element<C, Fq, Fr, G> const& v)
 {
diff --git a/barretenberg/cpp/src/barretenberg/vm/CMakeLists.txt b/barretenberg/cpp/src/barretenberg/vm/CMakeLists.txt
@@ -1,3 +1,3 @@
 if(NOT DISABLE_AZTEC_VM)
-  barretenberg_module(vm sumcheck stdlib_honk_verifier)
-endif()
+  barretenberg_module(vm sumcheck stdlib_honk_verifier stdlib_goblin_verifier)
+endif()
diff --git a/barretenberg/cpp/src/barretenberg/vm/avm/generated/recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/vm/avm/generated/recursive_verifier.cpp
@@ -170,5 +170,6 @@ AvmRecursiveVerifier_<Flavor>::AggregationObject AvmRecursiveVerifier_<Flavor>::
 }
 
 template class AvmRecursiveVerifier_<AvmRecursiveFlavor_<UltraCircuitBuilder>>;
+template class AvmRecursiveVerifier_<AvmRecursiveFlavor_<MegaCircuitBuilder>>;
 
-} // namespace bb::avm
+} // namespace bb::avm
diff --git a/barretenberg/cpp/src/barretenberg/vm/avm/recursion/goblin_avm_recursive_verifier.hpp b/barretenberg/cpp/src/barretenberg/vm/avm/recursion/goblin_avm_recursive_verifier.hpp
diff --git a/barretenberg/cpp/src/barretenberg/vm/avm/recursion/recursive_flavor.hpp b/barretenberg/cpp/src/barretenberg/vm/avm/recursion/recursive_flavor.hpp
diff --git a/barretenberg/cpp/src/barretenberg/vm/avm/tests/recursive_verifier.test.cpp b/barretenberg/cpp/src/barretenberg/vm/avm/tests/recursive_verifier.test.cpp

Original file line number	Diff line number	Diff line change
`@@ -20,10 +20,12 @@ template <typename Curve> struct aggregation_state {`
`20`	`20`	`{`
`21`	`21`	`return P0 == other.P0 && P1 == other.P1;`
`22`	`22`	`};`
`23`		`- template <typename BuilderType = void>`
	`23`	`+`
`24`	`24`	`void aggregate(aggregation_state const& other, typename Curve::ScalarField recursion_separator)`
`25`	`25`	`{`
`26`		`- if constexpr (std::is_same_v<BuilderType, MegaCircuitBuilder>) {`
	`26`	`+ using Builder = typename Curve::Builder;`
	`27`	`+`
	`28`	`+ if constexpr (std::is_same_v<Builder, MegaCircuitBuilder>) {`
`27`	`29`	`P0 += other.P0 * recursion_separator;`
`28`	`30`	`P1 += other.P1 * recursion_separator;`
`29`	`31`	`} else {`
`@@ -36,10 +38,11 @@ template <typename Curve> struct aggregation_state {`
`36`	`38`	`}`
`37`	`39`	`}`
`38`	`40`
`39`		`- template <typename BuilderType = void>`
`40`	`41`	`void aggregate(std::array<typename Curve::Group, 2> const& other, typename Curve::ScalarField recursion_separator)`
`41`	`42`	`{`
`42`		`- if constexpr (std::is_same_v<BuilderType, MegaCircuitBuilder>) {`
	`43`	`+ using Builder = typename Curve::Builder;`
	`44`	`+`
	`45`	`+ if constexpr (std::is_same_v<Builder, MegaCircuitBuilder>) {`
`43`	`46`	`P0 += other[0] * recursion_separator;`
`44`	`47`	`P1 += other[1] * recursion_separator;`
`45`	`48`	`} else {`
`@@ -74,6 +77,7 @@ template <typename Curve> struct aggregation_state {`
`74`	`77`	`};`
`75`	`78`	`return witness_indices;`
`76`	`79`	`}`
	`80`	`+`
`77`	`81`	`void assign_object_to_proof_outputs()`
`78`	`82`	`{`
`79`	`83`	`P0 = P0.reduce();`