feat: IPA Accumulator in Builder

barretenberg/cpp/CMakeLists.txt

@@ -27,7 +27,7 @@ endif(DOXYGEN_FOUND)
 
 option(DISABLE_ASM "Disable custom assembly" OFF)
 option(DISABLE_ADX "Disable ADX assembly variant" OFF)
-option(DISABLE_AZTEC_VM "Don't build Aztec VM (acceptable if iterating on core proving)" OFF)
+option(DISABLE_AZTEC_VM "Don't build Aztec VM (acceptable if iterating on core proving)" ON)
 option(MULTITHREADING "Enable multi-threading" ON)
 option(OMP_MULTITHREADING "Enable OMP multi-threading" OFF)
 option(FUZZING "Build ONLY fuzzing harnesses" OFF)

barretenberg/cpp/src/barretenberg/bb/main.cpp

@@ -590,7 +590,8 @@ void prove_tube(const std::string& output_path)
     }
     ClientIVC verifier{ builder, input };
 
-    verifier.verify(proof);
+    stdlib::recursion::honk::ClientIVCRecursiveVerifier::ClientIVCRecursiveVerifierOutput
+        client_ivc_rec_verifier_output = verifier.verify(proof);
 
     PairingPointAccumulatorIndices current_aggregation_object =
         stdlib::recursion::init_default_agg_obj_indices<Builder>(*builder);
@@ -599,6 +600,10 @@ void prove_tube(const std::string& output_path)
     // This is currently just setting the aggregation object to the default one.
     builder->add_pairing_point_accumulator(current_aggregation_object);
 
+    // The tube only calls an IPA recursive verifier once, so we can just add this IPA claim and proof
+    builder->add_ipa_claim(client_ivc_rec_verifier_output.opening_claim.get_witness_indices());
+    builder->ipa_proof = convert_stdlib_proof_to_native(client_ivc_rec_verifier_output.ipa_transcript->proof_data);
+
     using Prover = UltraProver_<UltraFlavor>;
     using Verifier = UltraVerifier_<UltraFlavor>;
     Prover tube_prover{ *builder };

barretenberg/cpp/src/barretenberg/client_ivc/client_ivc.cpp

@@ -25,7 +25,7 @@ void ClientIVC::instantiate_stdlib_verification_queue(
     size_t key_idx = 0;
     for (auto& [proof, vkey, type] : verification_queue) {
         // Construct stdlib proof directly from the internal native queue data
-        auto stdlib_proof = bb::convert_proof_to_witness(&circuit, proof);
+        auto stdlib_proof = bb::convert_native_proof_to_stdlib(&circuit, proof);
 
         // Use the provided stdlib vkey if present, otherwise construct one from the internal native queue
         auto stdlib_vkey =
@@ -261,7 +261,7 @@ HonkProof ClientIVC::construct_and_prove_hiding_circuit()
     auto stdlib_decider_vk =
         std::make_shared<RecursiveVerificationKey>(&builder, verification_queue[0].honk_verification_key);
 
-    auto stdlib_proof = bb::convert_proof_to_witness(&builder, fold_proof);
+    auto stdlib_proof = bb::convert_native_proof_to_stdlib(&builder, fold_proof);
 
     // Perform recursive folding verification of the last folding proof
     FoldingRecursiveVerifier folding_verifier{ &builder, stdlib_verifier_accumulator, { stdlib_decider_vk } };

barretenberg/cpp/src/barretenberg/commitment_schemes/claim.hpp

@@ -1,7 +1,9 @@
 #pragma once
 
 #include "barretenberg/commitment_schemes/commitment_key.hpp"
+#include "barretenberg/plonk_honk_shared/types/aggregation_object_type.hpp"
 #include "barretenberg/polynomials/polynomial.hpp"
+#include "barretenberg/stdlib/primitives/curves/grumpkin.hpp"
 
 namespace bb {
 /**
@@ -51,6 +53,20 @@ template <typename Curve> class OpeningClaim {
     // commitment to univariate polynomial p(X)
     Commitment commitment;
 
+    IPAClaimIndices get_witness_indices() const
+        requires(std::is_same_v<Curve, stdlib::grumpkin<UltraCircuitBuilder>>)
+    {
+        return { opening_pair.challenge.binary_basis_limbs[0].element.normalize().witness_index,
+                 opening_pair.challenge.binary_basis_limbs[1].element.normalize().witness_index,
+                 opening_pair.challenge.binary_basis_limbs[2].element.normalize().witness_index,
+                 opening_pair.challenge.binary_basis_limbs[3].element.normalize().witness_index,
+                 //  opening_pair.evaluation.binary_basis_limbs[0].element.normalize().witness_index,
+                 //  opening_pair.evaluation.binary_basis_limbs[1].element.normalize().witness_index,
+                 //  opening_pair.evaluation.binary_basis_limbs[2].element.normalize().witness_index,
+                 //  opening_pair.evaluation.binary_basis_limbs[3].element.normalize().witness_index,
+                 commitment.x.normalize().witness_index, // no idea if we need these normalize() calls...
+                 commitment.y.normalize().witness_index };
+    }
     /**
      * @brief inefficiently check that the claim is correct by recomputing the commitment
      * and evaluating the polynomial in r.

barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.hpp

@@ -749,20 +749,21 @@ template <typename Curve_> class IPA {
     }
 
     /**
-     * @brief Takes two IPA claims and accumulates them into 1 IPA claim.
-     * @details We create an IPA accumulator by running the IPA recursive verifier on each claim. Then, we generate challenges, and use these challenges to compute the new accumulator. We also create the accumulated polynomial. 
+     * @brief Takes two IPA claims and accumulates them into 1 IPA claim. Also computes IPA proof for the claim.
+     * @details We create an IPA accumulator by running the IPA recursive verifier on each claim. Then, we generate challenges, and use these challenges to compute the new accumulator. We also create the accumulated polynomial, and generate the IPA proof for the accumulated claim.
      * More details are described here: https://hackmd.io/IXoLIPhVT_ej8yhZ_Ehvuw?both.
      * 
      * @param verifier_ck 
      * @param transcript_1 
      * @param claim_1 
      * @param transcript_2 
      * @param claim_2 
-     * @return std::pair<OpeningClaim<Curve>, Polynomial<bb::fq>> 
+     * @return std::pair<OpeningClaim<Curve>, HonkProof> 
      */
-    static std::pair<OpeningClaim<Curve>, Polynomial<bb::fq>> accumulate(auto& transcript_1, OpeningClaim<Curve> claim_1, auto& transcript_2, OpeningClaim<Curve> claim_2)
+    static std::pair<OpeningClaim<Curve>, HonkProof> accumulate(const std::shared_ptr<CommitmentKey<curve::Grumpkin>>& ck, auto& transcript_1, OpeningClaim<Curve> claim_1, auto& transcript_2, OpeningClaim<Curve> claim_2)
     requires Curve::is_stdlib_type
     {
+        using NativeCurve = curve::Grumpkin;
         using Builder = typename Curve::Builder;
         // Step 1: Run the verifier for each IPA instance
         VerifierAccumulator pair_1 = reduce_verify(claim_1, transcript_1);
@@ -793,7 +794,21 @@ template <typename Curve_> class IPA {
         for (Fr u_inv_i : pair_2.u_challenges_inv) {
             native_u_challenges_inv_2.push_back(bb::fq(u_inv_i.get_value()));
         }
-        return {output_claim, create_challenge_poly(uint32_t(pair_1.log_poly_length.get_value()), native_u_challenges_inv_1, uint32_t(pair_2.log_poly_length.get_value()), native_u_challenges_inv_2, fq(alpha.get_value()))};
+        // Add IPA Claim to public inputs of circuit
+        Builder* builder = r.get_context();
+        builder->add_ipa_claim(output_claim.get_witness_indices());
+
+        // Compute proof for the claim
+        auto prover_transcript = std::make_shared<NativeTranscript>();
+        const OpeningPair<NativeCurve> opening_pair{ bb::fq(output_claim.opening_pair.challenge.get_value()),
+                                                     bb::fq(output_claim.opening_pair.evaluation.get_value()) };
+        Polynomial<fq> challenge_poly = create_challenge_poly(uint32_t(pair_1.log_poly_length.get_value()), native_u_challenges_inv_1, uint32_t(pair_2.log_poly_length.get_value()), native_u_challenges_inv_2, fq(alpha.get_value()));
+
+        ASSERT(challenge_poly.evaluate(opening_pair.challenge) == opening_pair.evaluation && "Opening claim does not hold for challenge polynomial.");
+
+        IPA<NativeCurve>::compute_opening_proof(ck, { challenge_poly, opening_pair }, prover_transcript);
+
+        return {output_claim, prover_transcript->proof_data};
     }
 };
 

barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/ipa_recursive.test.cpp

@@ -56,8 +56,8 @@ class IPARecursiveTests : public CommitmentTest<NativeCurve> {
         OpeningClaim<Curve> stdlib_opening_claim{ { stdlib_x, stdlib_eval }, stdlib_comm };
 
         // Construct stdlib verifier transcript
-        auto recursive_verifier_transcript =
-            std::make_shared<StdlibTranscript>(bb::convert_proof_to_witness(&builder, prover_transcript->proof_data));
+        auto recursive_verifier_transcript = std::make_shared<StdlibTranscript>(
+            bb::convert_native_proof_to_stdlib(&builder, prover_transcript->proof_data));
         return { recursive_verifier_transcript, stdlib_opening_claim };
     }
 
@@ -158,25 +158,21 @@ class IPARecursiveTests : public CommitmentTest<NativeCurve> {
 
         // Creates two IPA accumulators and accumulators from the two claims. Also constructs the accumulated h
         // polynomial.
-        auto [output_claim, challenge_poly] = RecursiveIPA::accumulate(transcript_1, claim_1, transcript_2, claim_2);
+        auto [output_claim, ipa_proof] =
+            RecursiveIPA::accumulate(this->ck(), transcript_1, claim_1, transcript_2, claim_2);
         builder.finalize_circuit(/*ensure_nonzero=*/false);
         info("Circuit with 2 IPA Recursive Verifiers and IPA Accumulation num finalized gates = ",
              builder.get_num_finalized_gates());
 
         EXPECT_TRUE(CircuitChecker::check(builder));
 
-        // Run the IPA prover on this new accumulated claim.
-        auto prover_transcript = std::make_shared<NativeTranscript>();
         const OpeningPair<NativeCurve> opening_pair{ bb::fq(output_claim.opening_pair.challenge.get_value()),
                                                      bb::fq(output_claim.opening_pair.evaluation.get_value()) };
         Commitment native_comm = output_claim.commitment.get_value();
         const OpeningClaim<NativeCurve> opening_claim{ opening_pair, native_comm };
 
-        NativeIPA::compute_opening_proof(this->ck(), { challenge_poly, opening_pair }, prover_transcript);
-
-        EXPECT_EQ(challenge_poly.evaluate(opening_pair.challenge), opening_pair.evaluation);
         // Natively verify this proof to check it.
-        auto verifier_transcript = std::make_shared<NativeTranscript>(prover_transcript->proof_data);
+        auto verifier_transcript = std::make_shared<NativeTranscript>(ipa_proof);
 
         auto result = NativeIPA::reduce_verify(this->vk(), opening_claim, verifier_transcript);
         EXPECT_TRUE(result);

barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp

@@ -88,7 +88,7 @@ TEST(ShpleminiRecursionTest, ProveAndVerifySingle)
             N, RefVector(f_polynomials), RefVector(g_polynomials), u_challenge, commitment_key, prover_transcript);
         KZG<NativeCurve>::compute_opening_proof(commitment_key, prover_opening_claims, prover_transcript);
         Builder builder;
-        StdlibProof<Builder> stdlib_proof = bb::convert_proof_to_witness(&builder, prover_transcript->proof_data);
+        StdlibProof<Builder> stdlib_proof = bb::convert_native_proof_to_stdlib(&builder, prover_transcript->proof_data);
         auto stdlib_verifier_transcript = std::make_shared<Transcript>(stdlib_proof);
         stdlib_verifier_transcript->template receive_from_prover<Fr>("Init");
 

barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/zeromorph.test.cpp

@@ -95,7 +95,7 @@ TEST(ZeroMorphRecursionTest, ProveAndVerifySingle)
                            prover_transcript);
 
     Builder builder;
-    StdlibProof<Builder> stdlib_proof = bb::convert_proof_to_witness(&builder, prover_transcript->proof_data);
+    StdlibProof<Builder> stdlib_proof = bb::convert_native_proof_to_stdlib(&builder, prover_transcript->proof_data);
     auto stdlib_verifier_transcript = std::make_shared<Transcript>(stdlib_proof);
     [[maybe_unused]] auto _ = stdlib_verifier_transcript->template receive_from_prover<Fr>("Init");
 

barretenberg/cpp/src/barretenberg/dsl/acir_format/acir_format.cpp

@@ -299,7 +299,7 @@ void process_plonk_recursion_constraints(Builder& builder,
         // they want these constants set by keeping the nested aggregation object attached to
         // the proof as public inputs. As this is the only object that can prepended to the
         // proof if the proof is above the expected size (with public inputs stripped)
-        PairingPointAccumPubInputIndices nested_aggregation_object = {};
+        PairingPointAccumulatorPubInputIndices nested_aggregation_object = {};
         // If the proof has public inputs attached to it, we should handle setting the nested
         // aggregation object
         if (constraint.proof.size() > proof_size_no_pub_inputs) {
@@ -343,16 +343,9 @@ void process_plonk_recursion_constraints(Builder& builder,
     // inputs.
     if (!constraint_system.recursion_constraints.empty()) {
 
-        // First add the output aggregation object as public inputs
-        // Set the indices as public inputs because they are no longer being
-        // created in ACIR
-        for (const auto& idx : current_output_aggregation_object) {
-            builder.set_public_input(idx);
-        }
-
         // Make sure the verification key records the public input indices of the
         // final recursion output.
-        builder.set_pairing_point_accumulator(current_output_aggregation_object);
+        builder.add_pairing_point_accumulator(current_output_aggregation_object);
     }
 }
 

barretenberg/cpp/src/barretenberg/examples/join_split/join_split.test.cpp

@@ -33,8 +33,8 @@ using namespace bb::join_split_example::proofs::notes::native;
 using key_pair = join_split_example::fixtures::grumpkin_key_pair;
 
 auto create_account_leaf_data(fr const& account_alias_hash,
-                              grumpkin::g1::affine_element const& owner_key,
-                              grumpkin::g1::affine_element const& signing_key)
+                              bb::grumpkin::g1::affine_element const& owner_key,
+                              bb::grumpkin::g1::affine_element const& signing_key)
 {
     return notes::native::account::account_note{ account_alias_hash, owner_key, signing_key }.commit();
 }
@@ -869,7 +869,7 @@ TEST_P(test_allow_chain_to_other_users_fail, )
 {
     join_split_tx tx = simple_setup();
     tx.allow_chain = GetParam();
-    tx.output_note[tx.allow_chain - 1].owner = grumpkin::g1::element::random_element(); // i.e. not owned by self.
+    tx.output_note[tx.allow_chain - 1].owner = bb::grumpkin::g1::element::random_element(); // i.e. not owned by self.
     auto result = sign_and_verify_logic(tx, user.owner);
     EXPECT_FALSE(result.valid);
     EXPECT_EQ(result.err, "inter-user chaining disallowed");
@@ -1028,7 +1028,7 @@ TEST_F(join_split_tests, test_total_output_value_larger_than_total_input_value_f
 TEST_F(join_split_tests, test_different_input_note_owners_fails)
 {
     join_split_tx tx = simple_setup({ 1, 2 });
-    tx.input_note[0].owner = grumpkin::g1::affine_element::hash_to_curve({ 1 });
+    tx.input_note[0].owner = bb::grumpkin::g1::affine_element::hash_to_curve({ 1 });
 
     auto result = sign_and_verify_logic(tx, user.owner);
     EXPECT_FALSE(result.valid);
@@ -1073,7 +1073,7 @@ TEST_F(join_split_tests, test_different_note_account_required_vs_account_require
 TEST_F(join_split_tests, test_wrong_input_note_owner_fails)
 {
     join_split_tx tx = simple_setup();
-    tx.input_note[0].owner = grumpkin::g1::element::random_element();
+    tx.input_note[0].owner = bb::grumpkin::g1::element::random_element();
     tx.input_note[1].owner = tx.input_note[0].owner;
 
     auto result = sign_and_verify_logic(tx, user.owner);
@@ -1084,8 +1084,8 @@ TEST_F(join_split_tests, test_wrong_input_note_owner_fails)
 TEST_F(join_split_tests, test_random_output_note_owners)
 {
     join_split_tx tx = simple_setup();
-    tx.output_note[0].owner = grumpkin::g1::element::random_element();
-    tx.output_note[1].owner = grumpkin::g1::element::random_element();
+    tx.output_note[0].owner = bb::grumpkin::g1::element::random_element();
+    tx.output_note[1].owner = bb::grumpkin::g1::element::random_element();
 
     EXPECT_TRUE(sign_and_verify_logic(tx, user.owner).valid);
 }
@@ -1097,7 +1097,7 @@ TEST_F(join_split_tests, test_random_output_note_owners)
 TEST_F(join_split_tests, test_wrong_account_private_key_fails)
 {
     join_split_tx tx = simple_setup();
-    tx.account_private_key = grumpkin::fr::random_element();
+    tx.account_private_key = bb::grumpkin::fr::random_element();
 
     auto result = sign_and_verify_logic(tx, user.owner);
     EXPECT_FALSE(result.valid);

barretenberg/cpp/src/barretenberg/flavor/flavor.hpp

@@ -110,7 +110,7 @@ template <typename FF, typename CommitmentKey_> class ProvingKey_ {
   public:
     size_t circuit_size;
     bool contains_pairing_point_accumulator;
-    PairingPointAccumPubInputIndices pairing_point_accumulator_public_input_indices;
+    PairingPointAccumulatorPubInputIndices pairing_point_accumulator_public_input_indices;
     bb::EvaluationDomain<FF> evaluation_domain;
     std::shared_ptr<CommitmentKey_> commitment_key;
     size_t num_public_inputs;
@@ -152,7 +152,7 @@ class VerificationKey_ : public PrecomputedCommitments {
     using Commitment = typename VerifierCommitmentKey::Commitment;
     std::shared_ptr<VerifierCommitmentKey> pcs_verification_key;
     bool contains_pairing_point_accumulator = false;
-    PairingPointAccumPubInputIndices pairing_point_accumulator_public_input_indices = {};
+    PairingPointAccumulatorPubInputIndices pairing_point_accumulator_public_input_indices = {};
     uint64_t pub_inputs_offset = 0;
 
     bool operator==(const VerificationKey_&) const = default;
@@ -379,6 +379,9 @@ MegaZKRecursiveFlavor_<UltraCircuitBuilder>>;
 template <typename T>
 concept HasDataBus = IsMegaFlavor<T>;
 
+template <typename T>
+concept DoesRecursiveIPA = IsAnyOf<T, UltraFlavor, UltraFlavorWithZK>;
+
 template <typename T>
 concept IsRecursiveFlavor = IsAnyOf<T, UltraRecursiveFlavor_<UltraCircuitBuilder>,
                                        UltraRecursiveFlavor_<MegaCircuitBuilder>,

barretenberg/cpp/src/barretenberg/goblin/mock_circuits.hpp

@@ -212,7 +212,7 @@ class GoblinMockCircuits {
 
         // Execute recursive aggregation of function proof
         auto verification_key = std::make_shared<RecursiveVerificationKey>(&builder, function_accum.verification_key);
-        auto proof = bb::convert_proof_to_witness(&builder, function_accum.proof);
+        auto proof = bb::convert_native_proof_to_stdlib(&builder, function_accum.proof);
         RecursiveVerifier verifier1{ &builder, verification_key };
         verifier1.verify_proof(
             proof, stdlib::recursion::init_default_aggregation_state<MegaBuilder, RecursiveFlavor::Curve>(builder));
@@ -221,7 +221,7 @@ class GoblinMockCircuits {
         if (!prev_kernel_accum.proof.empty()) {
             auto verification_key =
                 std::make_shared<RecursiveVerificationKey>(&builder, prev_kernel_accum.verification_key);
-            auto proof = bb::convert_proof_to_witness(&builder, prev_kernel_accum.proof);
+            auto proof = bb::convert_native_proof_to_stdlib(&builder, prev_kernel_accum.proof);
             RecursiveVerifier verifier2{ &builder, verification_key };
             verifier2.verify_proof(
                 proof, stdlib::recursion::init_default_aggregation_state<MegaBuilder, RecursiveFlavor::Curve>(builder));

barretenberg/cpp/src/barretenberg/plonk/proof_system/proving_key/proving_key.hpp

@@ -25,7 +25,7 @@ struct proving_key_data {
     uint32_t circuit_size;
     uint32_t num_public_inputs;
     bool contains_pairing_point_accumulator;
-    PairingPointAccumPubInputIndices pairing_point_accumulator_public_input_indices;
+    PairingPointAccumulatorPubInputIndices pairing_point_accumulator_public_input_indices;
     std::vector<uint32_t> memory_read_records;
     std::vector<uint32_t> memory_write_records;
 #ifdef __wasm__
@@ -60,7 +60,7 @@ struct proving_key {
     size_t log_circuit_size;
     size_t num_public_inputs;
     bool contains_pairing_point_accumulator = false;
-    PairingPointAccumPubInputIndices pairing_point_accumulator_public_input_indices;
+    PairingPointAccumulatorPubInputIndices pairing_point_accumulator_public_input_indices;
     std::vector<uint32_t> memory_read_records;  // Used by UltraPlonkComposer only; for ROM, RAM reads.
     std::vector<uint32_t> memory_write_records; // Used by UltraPlonkComposer only, for RAM writes.