feat: merge-train/barretenberg (#16244)

See
[merge-train-readme.md](https://github.com/AztecProtocol/aztec-packages/blob/next/.github/workflows/merge-train-readme.md).

BEGIN_COMMIT_OVERRIDE
chore: Template ultra verifier `verify_proof` over the public inputs
type (#16239)
END_COMMIT_OVERRIDE

---------

Co-authored-by: AztecBot <tech@aztecprotocol.com>
Co-authored-by: federicobarbacovi <171914500+federicobarbacovi@users.noreply.github.com>
Co-authored-by: ludamad <adam.domurad@gmail.com>

Author: 4 people

barretenberg/cpp/src/barretenberg/api/api_ultra_honk.cpp

@@ -115,8 +115,7 @@ PubInputsProofAndKey<Flavor> _prove(const bool compute_vk,
 }
 
 template <typename Flavor>
-bool _verify(const bool ipa_accumulation,
-             const std::filesystem::path& public_inputs_path,
+bool _verify(const std::filesystem::path& public_inputs_path,
              const std::filesystem::path& proof_path,
              const std::filesystem::path& vk_path)
 {
@@ -134,14 +133,14 @@ bool _verify(const bool ipa_accumulation,
     complete_proof.insert(complete_proof.end(), proof.begin(), proof.end());
 
     VerifierCommitmentKey<curve::Grumpkin> ipa_verification_key;
-    if (ipa_accumulation) {
+    if constexpr (HasIPAAccumulator<Flavor>) {
         ipa_verification_key = VerifierCommitmentKey<curve::Grumpkin>(1 << CONST_ECCVM_LOG_N);
     }
 
     Verifier verifier{ vk, ipa_verification_key };
 
-    bool verified;
-    if (ipa_accumulation) {
+    bool verified = false;
+    if constexpr (HasIPAAccumulator<Flavor>) {
         const size_t HONK_PROOF_LENGTH = Flavor::PROOF_LENGTH_WITHOUT_PUB_INPUTS - IPA_PROOF_LENGTH;
         const size_t num_public_inputs = static_cast<size_t>(vk->num_public_inputs);
         // The extra calculation is for the IPA proof length.
@@ -153,9 +152,9 @@ bool _verify(const bool ipa_accumulation,
         auto ipa_proof = Proof(complete_proof.begin() + honk_proof_with_pub_inputs_length, complete_proof.end());
         auto tube_honk_proof =
             Proof(complete_proof.begin(), complete_proof.begin() + honk_proof_with_pub_inputs_length);
-        verified = verifier.verify_proof(complete_proof, ipa_proof);
+        verified = verifier.template verify_proof<RollupIO>(complete_proof, ipa_proof).result;
     } else {
-        verified = verifier.verify_proof(complete_proof);
+        verified = verifier.template verify_proof<DefaultIO>(complete_proof).result;
     }
 
     if (verified) {
@@ -217,15 +216,15 @@ bool UltraHonkAPI::verify(const Flags& flags,
     const bool ipa_accumulation = flags.ipa_accumulation;
     // if the ipa accumulation flag is set we are using the UltraRollupFlavor
     if (ipa_accumulation) {
-        return _verify<UltraRollupFlavor>(ipa_accumulation, public_inputs_path, proof_path, vk_path);
+        return _verify<UltraRollupFlavor>(public_inputs_path, proof_path, vk_path);
     } else if (flags.oracle_hash_type == "poseidon2" && !flags.disable_zk) {
-        return _verify<UltraZKFlavor>(ipa_accumulation, public_inputs_path, proof_path, vk_path);
+        return _verify<UltraZKFlavor>(public_inputs_path, proof_path, vk_path);
     } else if (flags.oracle_hash_type == "poseidon2" && flags.disable_zk) {
-        return _verify<UltraFlavor>(ipa_accumulation, public_inputs_path, proof_path, vk_path);
+        return _verify<UltraFlavor>(public_inputs_path, proof_path, vk_path);
     } else if (flags.oracle_hash_type == "keccak" && !flags.disable_zk) {
-        return _verify<UltraKeccakZKFlavor>(ipa_accumulation, public_inputs_path, proof_path, vk_path);
+        return _verify<UltraKeccakZKFlavor>(public_inputs_path, proof_path, vk_path);
     } else if (flags.oracle_hash_type == "keccak" && flags.disable_zk) {
-        return _verify<UltraKeccakFlavor>(ipa_accumulation, public_inputs_path, proof_path, vk_path);
+        return _verify<UltraKeccakFlavor>(public_inputs_path, proof_path, vk_path);
 #ifdef STARKNET_GARAGA_FLAVORS
     } else if (flags.oracle_hash_type == "starknet" && !flags.disable_zk) {
         return _verify<UltraStarknetZKFlavor>(ipa_accumulation, public_inputs_path, proof_path, vk_path);

barretenberg/cpp/src/barretenberg/api/prove_tube.cpp

@@ -109,7 +109,7 @@ void prove_tube(const std::string& output_path, const std::string& vk_path)
         HONK_PROOF_LENGTH_WITHOUT_INNER_PUB_INPUTS - IPA_PROOF_LENGTH + num_inner_public_inputs);
     auto ipa_proof = HonkProof(tube_proof.begin() + honk_proof_with_pub_inputs_length, tube_proof.end());
     auto tube_honk_proof = HonkProof(tube_proof.begin(), tube_proof.end() + honk_proof_with_pub_inputs_length);
-    bool verified = tube_verifier.verify_proof(tube_honk_proof, ipa_proof);
+    bool verified = tube_verifier.template verify_proof<bb::RollupIO>(tube_honk_proof, ipa_proof).result;
     info("Tube proof verification: ", verified);
 }
 

barretenberg/cpp/src/barretenberg/boomerang_value_detection/graph_description_goblin.test.cpp

@@ -104,7 +104,7 @@ TEST_F(BoomerangGoblinRecursiveVerifierTests, graph_description_basic)
         OuterProver prover(proving_key, verification_key);
         OuterVerifier verifier(verification_key);
         auto proof = prover.construct_proof();
-        bool verified = verifier.verify_proof(proof);
+        bool verified = verifier.template verify_proof<bb::DefaultIO>(proof).result;
 
         ASSERT_TRUE(verified);
     }

barretenberg/cpp/src/barretenberg/boomerang_value_detection/graph_description_ultra_recursive_verifier.test.cpp

@@ -47,6 +47,7 @@ template <typename RecursiveFlavor> class BoomerangRecursiveVerifierTest : publi
 
     using PairingObject = PairingPoints<OuterBuilder>;
     using VerifierOutput = bb::stdlib::recursion::honk::UltraRecursiveVerifierOutput<OuterBuilder>;
+    using StdlibProof = bb::stdlib::Proof<OuterBuilder>;
 
     /**
      * @brief Create a non-trivial arbitrary inner circuit, the proof of which will be recursively verified
@@ -114,7 +115,8 @@ template <typename RecursiveFlavor> class BoomerangRecursiveVerifierTest : publi
         verifier.key->vk_and_hash->vk->num_public_inputs.fix_witness();
         verifier.key->vk_and_hash->vk->pub_inputs_offset.fix_witness();
 
-        VerifierOutput output = verifier.verify_proof(inner_proof);
+        StdlibProof stdlib_inner_proof(outer_circuit, inner_proof);
+        VerifierOutput output = verifier.template verify_proof<DefaultIO<OuterBuilder>>(stdlib_inner_proof);
         PairingObject pairing_points = output.points_accumulator;
         pairing_points.P0.x.fix_witness();
         pairing_points.P0.y.fix_witness();

barretenberg/cpp/src/barretenberg/client_ivc/client_ivc.cpp

@@ -514,7 +514,7 @@ bool ClientIVC::verify(const Proof& proof, const VerificationKey& vk)
     std::shared_ptr<Goblin::Transcript> civc_verifier_transcript = std::make_shared<Goblin::Transcript>();
     // Verify the hiding circuit proof
     MegaZKVerifier verifier{ vk.mega, /*ipa_verification_key=*/{}, civc_verifier_transcript };
-    auto [mega_verified, T_prev_commitments] = verifier.verify_proof(proof.mega_proof);
+    auto [mega_verified, T_prev_commitments] = verifier.template verify_proof<bb::HidingKernelIO>(proof.mega_proof);
     vinfo("Mega verified: ", mega_verified);
 
     // Extract the commitments to the subtable corresponding to the incoming circuit

barretenberg/cpp/src/barretenberg/dsl/acir_format/acir_integration.test.cpp

@@ -75,11 +75,9 @@ class AcirIntegrationTest : public ::testing::Test {
 
         // Verify Honk proof
         Verifier verifier{ verification_key };
-        if constexpr (IsUltraHonk<Flavor>) {
-            return verifier.verify_proof(proof);
-        } else {
-            return std::get<0>(verifier.verify_proof(proof));
-        }
+        bool result = verifier.template verify_proof<DefaultIO>(proof).result;
+
+        return result;
     }
 
     void add_some_simple_RAM_gates(auto& circuit)

barretenberg/cpp/src/barretenberg/dsl/acir_format/avm2_recursion_constraint.test.cpp

@@ -140,7 +140,8 @@ TEST_F(AcirAvm2RecursionConstraint, TestBasicSingleAvm2RecursionConstraint)
     auto proof = prover.construct_proof();
     VerifierCommitmentKey<curve::Grumpkin> ipa_verification_key(1 << CONST_ECCVM_LOG_N);
     OuterVerifier verifier(verification_key, ipa_verification_key);
-    EXPECT_EQ(verifier.verify_proof(proof, proving_key->ipa_proof), true);
+    bool result = verifier.template verify_proof<bb::RollupIO>(proof, proving_key->ipa_proof).result;
+    EXPECT_TRUE(result);
 }
 
 /**
@@ -173,7 +174,9 @@ TEST_F(AcirAvm2RecursionConstraint, TestGenerateVKFromConstraintsWithoutWitness)
         auto proof = prover.construct_proof();
         VerifierCommitmentKey<curve::Grumpkin> ipa_verification_key(1 << CONST_ECCVM_LOG_N);
         OuterVerifier verifier(expected_vk, ipa_verification_key);
-        EXPECT_TRUE(verifier.verify_proof(proof, proving_key->ipa_proof));
+
+        bool result = verifier.template verify_proof<bb::RollupIO>(proof, proving_key->ipa_proof).result;
+        EXPECT_TRUE(result);
     }
 
     // Now, construct the AVM2 recursive verifier circuit VK by providing the program without a witness

barretenberg/cpp/src/barretenberg/dsl/acir_format/block_constraint.test.cpp

@@ -34,7 +34,8 @@ class MegaHonk : public ::testing::Test {
 
         Verifier verifier{ verification_key };
 
-        return std::get<0>(verifier.verify_proof(proof));
+        bool result = verifier.template verify_proof<DefaultIO>(proof).result;
+        return result;
     }
 
   protected:

barretenberg/cpp/src/barretenberg/dsl/acir_format/honk_recursion_constraint.cpp

@@ -222,6 +222,9 @@ HonkRecursionConstraintOutput<typename Flavor::CircuitBuilder> create_honk_recur
     using RecursiveVerificationKey = Flavor::VerificationKey;
     using RecursiveVKAndHash = Flavor::VKAndHash;
     using RecursiveVerifier = bb::stdlib::recursion::honk::UltraRecursiveVerifier_<Flavor>;
+    using IO = std::conditional_t<HasIPAAccumulator<Flavor>,
+                                  stdlib::recursion::honk::RollupIO,
+                                  stdlib::recursion::honk::DefaultIO<Builder>>;
 
     ASSERT(input.proof_type == HONK || input.proof_type == HONK_ZK || HasIPAAccumulator<Flavor>);
     BB_ASSERT_EQ(input.proof_type == ROLLUP_HONK || input.proof_type == ROOT_ROLLUP_HONK, HasIPAAccumulator<Flavor>);
@@ -254,17 +257,8 @@ HonkRecursionConstraintOutput<typename Flavor::CircuitBuilder> create_honk_recur
     if (!has_valid_witness_assignments) {
         // In the constraint, the agg object public inputs are still contained in the proof. To get the 'raw' size of
         // the proof and public_inputs we subtract and add the corresponding amount from the respective sizes.
-        size_t size_of_proof_with_no_pub_inputs = input.proof.size();
-        size_t total_num_public_inputs = input.public_inputs.size();
-        if constexpr (HasIPAAccumulator<Flavor>) {
-            using RollupIO = stdlib::recursion::honk::RollupIO;
-            size_of_proof_with_no_pub_inputs -= RollupIO::PUBLIC_INPUTS_SIZE;
-            total_num_public_inputs += RollupIO::PUBLIC_INPUTS_SIZE;
-        } else {
-            using DefaultIO = stdlib::recursion::honk::DefaultIO<Builder>;
-            size_of_proof_with_no_pub_inputs -= DefaultIO::PUBLIC_INPUTS_SIZE;
-            total_num_public_inputs += DefaultIO::PUBLIC_INPUTS_SIZE;
-        }
+        size_t size_of_proof_with_no_pub_inputs = input.proof.size() - IO::PUBLIC_INPUTS_SIZE;
+        size_t total_num_public_inputs = input.public_inputs.size() + IO::PUBLIC_INPUTS_SIZE;
 
         create_dummy_vkey_and_proof<Flavor>(
             builder, size_of_proof_with_no_pub_inputs, total_num_public_inputs, key_fields, proof_fields);
@@ -274,7 +268,7 @@ HonkRecursionConstraintOutput<typename Flavor::CircuitBuilder> create_honk_recur
     auto vkey = std::make_shared<RecursiveVerificationKey>(builder, key_fields);
     auto vk_and_hash = std::make_shared<RecursiveVKAndHash>(vkey, vk_hash);
     RecursiveVerifier verifier(&builder, vk_and_hash);
-    UltraRecursiveVerifierOutput<Builder> verifier_output = verifier.verify_proof(proof_fields);
+    UltraRecursiveVerifierOutput<Builder> verifier_output = verifier.template verify_proof<IO>(proof_fields);
     // TODO(https://github.com/AztecProtocol/barretenberg/issues/996): investigate whether assert_equal on public inputs
     // is important, like what the plonk recursion constraint does.
     return verifier_output;

barretenberg/cpp/src/barretenberg/dsl/acir_format/honk_recursion_constraint.test.cpp

@@ -222,36 +222,27 @@ template <typename RecursiveFlavor> class AcirHonkRecursionConstraint : public :
         AcirProgram program{ constraint_system, witness };
         BuilderType outer_circuit = create_circuit<BuilderType>(program, metadata);
 
-        // If BuilderType = Mega, then the proof of outer_circuit will be a Mega proof, and thus will be verified with
-        // a MegaVerifier = UltraVerifier<MegaFlavor>. By design, the MegaVerifier expects the public inputs to be the
-        // ones of the HidingKernel, so we mock the missing part: ecc_op_tables
-        if constexpr (IsMegaBuilder<BuilderType>) {
-            for (auto& commitment :
-                 stdlib::recursion::honk::HidingKernelIO<BuilderType>::default_ecc_op_tables(outer_circuit)) {
-                commitment.set_public();
-            }
-        }
-
         return outer_circuit;
     }
 
     bool verify_proof(const std::shared_ptr<OuterDeciderProvingKey>& proving_key,
                       const std::shared_ptr<OuterVerificationKey>& verification_key,
                       const HonkProof& proof)
     {
-        if constexpr (IsMegaFlavor<OuterFlavor>) {
-            OuterVerifier verifier(verification_key);
-            return std::get<0>(verifier.verify_proof(proof));
+        using IO = std::conditional_t<HasIPAAccumulator<RecursiveFlavor>, RollupIO, DefaultIO>;
+
+        bool result = false;
+
+        if constexpr (HasIPAAccumulator<RecursiveFlavor>) {
+            VerifierCommitmentKey<curve::Grumpkin> ipa_verification_key(1 << CONST_ECCVM_LOG_N);
+            OuterVerifier verifier(verification_key, ipa_verification_key);
+            result = verifier.template verify_proof<IO>(proof, proving_key->ipa_proof).result;
         } else {
-            if constexpr (HasIPAAccumulator<RecursiveFlavor>) {
-                VerifierCommitmentKey<curve::Grumpkin> ipa_verification_key(1 << CONST_ECCVM_LOG_N);
-                OuterVerifier verifier(verification_key, ipa_verification_key);
-                return verifier.verify_proof(proof, proving_key->ipa_proof);
-            } else {
-                OuterVerifier verifier(verification_key);
-                return verifier.verify_proof(proof);
-            }
+            OuterVerifier verifier(verification_key);
+            result = verifier.template verify_proof<IO>(proof).result;
         }
+
+        return result;
     }
 
   protected: