feat!: optimized Poseidon2 (#22652)

More efficient Poseidon2 thanks to quad compression trick
---------

Co-authored-by: ledwards2225 <l.edwards.d@gmail.com>
Co-authored-by: notnotraju <raju@aztec.foundation>

Author: 3 people

barretenberg/cpp/scripts/test_chonk_standalone_vks_havent_changed.sh

@@ -21,7 +21,7 @@ script_path="$root/barretenberg/cpp/scripts/test_chonk_standalone_vks_havent_cha
 # - Generate a hash for versioning: sha256sum bb-chonk-inputs.tar.gz
 # - Upload the compressed results: aws s3 cp bb-chonk-inputs.tar.gz s3://aztec-ci-artifacts/protocol/bb-chonk-inputs-[hash(0:8)].tar.gz
 # Note: In case of the "Test suite failed to run ... Unexpected token 'with' " error, need to run: docker pull aztecprotocol/build:3.0
-pinned_short_hash="341842bf"
+pinned_short_hash="20c388cc"
 pinned_chonk_inputs_url="https://aztec-ci-artifacts.s3.us-east-2.amazonaws.com/protocol/bb-chonk-inputs-${pinned_short_hash}.tar.gz"
 
 function update_pinned_hash_in_script {

barretenberg/cpp/src/barretenberg/benchmark/relations_bench/relations.bench.cpp

@@ -61,7 +61,9 @@ BENCHMARK(execute_relation_for_univariates<UltraFlavor, UltraPermutationRelation
 BENCHMARK(execute_relation_for_univariates<MegaFlavor, EccOpQueueRelation<Fr>>);
 BENCHMARK(execute_relation_for_univariates<MegaFlavor, DatabusLookupRelation<Fr>>);
 BENCHMARK(execute_relation_for_univariates<MegaFlavor, Poseidon2ExternalRelation<Fr>>);
-BENCHMARK(execute_relation_for_univariates<MegaFlavor, Poseidon2InternalRelation<Fr>>);
+BENCHMARK(execute_relation_for_univariates<MegaFlavor, Poseidon2QuadInternalRelation<Fr>>);
+BENCHMARK(execute_relation_for_univariates<MegaFlavor, Poseidon2QuadInternalTerminalRelation<Fr>>);
+BENCHMARK(execute_relation_for_univariates<MegaFlavor, Poseidon2TransitionEntryRelation<Fr>>);
 
 // Ultra relations (verifier work)
 BENCHMARK(execute_relation_for_values<UltraFlavor, ArithmeticRelation<Fr>>);
@@ -76,7 +78,9 @@ BENCHMARK(execute_relation_for_values<UltraFlavor, UltraPermutationRelation<Fr>>
 BENCHMARK(execute_relation_for_values<MegaFlavor, EccOpQueueRelation<Fr>>);
 BENCHMARK(execute_relation_for_values<MegaFlavor, DatabusLookupRelation<Fr>>);
 BENCHMARK(execute_relation_for_values<MegaFlavor, Poseidon2ExternalRelation<Fr>>);
-BENCHMARK(execute_relation_for_values<MegaFlavor, Poseidon2InternalRelation<Fr>>);
+BENCHMARK(execute_relation_for_values<MegaFlavor, Poseidon2QuadInternalRelation<Fr>>);
+BENCHMARK(execute_relation_for_values<MegaFlavor, Poseidon2QuadInternalTerminalRelation<Fr>>);
+BENCHMARK(execute_relation_for_values<MegaFlavor, Poseidon2TransitionEntryRelation<Fr>>);
 
 // Translator VM
 BENCHMARK(execute_relation_for_values<TranslatorFlavor, TranslatorDecompositionRelation<Fr>>);

barretenberg/cpp/src/barretenberg/benchmark/ultra_bench/mega_honk.bench.cpp

@@ -1,6 +1,7 @@
 #include <benchmark/benchmark.h>
 
 #include "barretenberg/benchmark/ultra_bench/mock_circuits.hpp"
+#include "barretenberg/common/bb_bench.hpp"
 #include "barretenberg/stdlib_circuit_builders/mega_circuit_builder.hpp"
 
 using namespace benchmark;
@@ -41,7 +42,37 @@ static void get_row_power_of_2(State& state) noexcept
     }
 }
 
+/**
+ * @brief Benchmark: Mega Honk proof of a single poseidon2 hash over a vector of state.range(0) elements.
+ */
+static void construct_proof_megahonk_poseidon2_hash(State& state) noexcept
+{
+    const auto num_inputs = static_cast<size_t>(state.range(0));
+
+    MegaCircuitBuilder builder;
+    bb::generate_poseidon2_hash_test_circuit<MegaCircuitBuilder>(builder, num_inputs);
+    auto instance = std::make_shared<ProverInstance_<MegaFlavor>>(builder);
+    info("construct_proof_megahonk_poseidon2_hash: num_inputs=",
+         num_inputs,
+         ", actual_gates=",
+         builder.num_gates(),
+         ", dyadic_size=",
+         instance->dyadic_size());
+
+    bb::mock_circuits::construct_proof_with_specified_num_iterations<MegaProver>(
+        state, &bb::generate_poseidon2_hash_test_circuit<MegaCircuitBuilder>, num_inputs);
+}
+
 // Define benchmarks
+// Sweep input sizes so dyadic domain ranges 2^15..2^19 (Mega: ~12 gates/input).
+BENCHMARK(construct_proof_megahonk_poseidon2_hash)
+    ->Arg(1500)
+    ->Arg(3000)
+    ->Arg(6000)
+    ->Arg(12000)
+    ->Arg(24000)
+    ->Arg(50000)
+    ->Unit(kMillisecond);
 
 // This exists due to an issue where get_row was blowing up in time
 BENCHMARK_CAPTURE(construct_proof_megahonk, sha256, &generate_sha256_test_circuit<MegaCircuitBuilder>)
@@ -61,4 +92,18 @@ BENCHMARK(construct_proof_megahonk_power_of_2)
     ->DenseRange(15, 20)
     ->Unit(kMillisecond);
 
-BENCHMARK_MAIN();
+int main(int argc, char** argv)
+{
+    bb::detail::use_bb_bench = true;
+
+    ::benchmark::Initialize(&argc, argv);
+    if (::benchmark::ReportUnrecognizedArguments(argc, argv))
+        return 1;
+    ::benchmark::RunSpecifiedBenchmarks();
+    ::benchmark::Shutdown();
+
+    std::cout << "\n=== Detailed BB_BENCH Profiling Stats ===\n";
+    bb::detail::GLOBAL_BENCH_STATS.print_aggregate_counts_hierarchical(std::cout);
+
+    return 0;
+}

barretenberg/cpp/src/barretenberg/benchmark/ultra_bench/ultra_honk.bench.cpp

@@ -88,7 +88,38 @@ static void construct_proof_ultrahonk_1M_gates_dyadic_2_21(State& state) noexcep
         state, &bb::mock_circuits::generate_basic_arithmetic_circuit_with_target_gates<UltraCircuitBuilder>, num_gates);
 }
 
+/**
+ * @brief Benchmark: Ultra Honk proof of a single poseidon2 hash over a vector of state.range(0) elements.
+ */
+static void construct_proof_ultrahonk_poseidon2_hash(State& state) noexcept
+{
+    const auto num_inputs = static_cast<size_t>(state.range(0));
+
+    UltraCircuitBuilder builder;
+    bb::generate_poseidon2_hash_test_circuit<UltraCircuitBuilder>(builder, num_inputs);
+    auto instance = std::make_shared<ProverInstance_<UltraFlavor>>(builder);
+    info("construct_proof_ultrahonk_poseidon2_hash: num_inputs=",
+         num_inputs,
+         ", actual_gates=",
+         builder.num_gates(),
+         ", dyadic_size=",
+         instance->dyadic_size());
+
+    bb::mock_circuits::construct_proof_with_specified_num_iterations<UltraProver>(
+        state, &bb::generate_poseidon2_hash_test_circuit<UltraCircuitBuilder>, num_inputs);
+}
+
 // Define benchmarks
+// Sweep input sizes so dyadic domain ranges 2^15..2^19 (Ultra: ~25 gates/input).
+BENCHMARK(construct_proof_ultrahonk_poseidon2_hash)
+    ->Arg(750)
+    ->Arg(1500)
+    ->Arg(3000)
+    ->Arg(6000)
+    ->Arg(12000)
+    ->Arg(50000)
+    ->Unit(kMillisecond);
+
 BENCHMARK_CAPTURE(construct_proof_ultrahonk, sha256, &generate_sha256_test_circuit<UltraCircuitBuilder>)
     ->Unit(kMillisecond);
 BENCHMARK_CAPTURE(construct_proof_ultrahonk,

barretenberg/cpp/src/barretenberg/boomerang_value_detection/gate_patterns.hpp

@@ -322,6 +322,81 @@ inline const GatePattern POSEIDON2_EXTERNAL = { .name = "poseidon2_external",
                                                     { Wire::W_4_SHIFT, [](const Selectors&) { return true; } },
                                                 } };
 
+// ============================================================================
+// Poseidon2 Initial External Pattern (from poseidon2_initial_external_relation.hpp)
+//
+// All 4 current wires and all 4 shifted wires are constrained
+//
+// gate_selector = q_poseidon2_external_initial
+// ============================================================================
+
+inline const GatePattern POSEIDON2_INITIAL_EXTERNAL = { .name = "poseidon2_initial_external",
+                                                        .wires = {
+                                                            { Wire::W_L, [](const Selectors&) { return true; } },
+                                                            { Wire::W_R, [](const Selectors&) { return true; } },
+                                                            { Wire::W_O, [](const Selectors&) { return true; } },
+                                                            { Wire::W_4, [](const Selectors&) { return true; } },
+                                                            { Wire::W_L_SHIFT, [](const Selectors&) { return true; } },
+                                                            { Wire::W_R_SHIFT, [](const Selectors&) { return true; } },
+                                                            { Wire::W_O_SHIFT, [](const Selectors&) { return true; } },
+                                                            { Wire::W_4_SHIFT, [](const Selectors&) { return true; } },
+                                                        } };
+
+// ============================================================================
+// Poseidon2 Quad-Internal Pattern (from poseidon2_quad_internal_relation.hpp)
+//
+// gate_selector = q_poseidon2_quad_internal
+// ============================================================================
+
+inline const GatePattern POSEIDON2_QUAD_INTERNAL = { .name = "poseidon2_quad_internal",
+                                                     .wires = {
+                                                         { Wire::W_L, [](const Selectors&) { return true; } },
+                                                         { Wire::W_R, [](const Selectors&) { return true; } },
+                                                         { Wire::W_O, [](const Selectors&) { return true; } },
+                                                         { Wire::W_4, [](const Selectors&) { return true; } },
+                                                         { Wire::W_L_SHIFT, [](const Selectors&) { return true; } },
+                                                         { Wire::W_R_SHIFT, [](const Selectors&) { return true; } },
+                                                         { Wire::W_O_SHIFT, [](const Selectors&) { return true; } },
+                                                         { Wire::W_4_SHIFT, [](const Selectors&) { return true; } },
+                                                     } };
+
+// ============================================================================
+// Poseidon2 Quad-Internal Terminal Pattern
+// (from poseidon2_quad_internal_terminal_relation.hpp)
+//
+// gate_selector = q_poseidon2_quad_internal_terminal
+// ============================================================================
+
+inline const GatePattern
+    POSEIDON2_QUAD_INTERNAL_TERMINAL = { .name = "poseidon2_quad_internal_terminal",
+                                         .wires = {
+                                             { Wire::W_L, [](const Selectors&) { return true; } },
+                                             { Wire::W_R, [](const Selectors&) { return true; } },
+                                             { Wire::W_O, [](const Selectors&) { return true; } },
+                                             { Wire::W_4, [](const Selectors&) { return true; } },
+                                             { Wire::W_L_SHIFT, [](const Selectors&) { return true; } },
+                                             { Wire::W_R_SHIFT, [](const Selectors&) { return true; } },
+                                             { Wire::W_O_SHIFT, [](const Selectors&) { return true; } },
+                                             { Wire::W_4_SHIFT, [](const Selectors&) { return true; } },
+                                         } };
+
+// ============================================================================
+// Poseidon2 Transition Entry Pattern (from poseidon2_transition_entry_relation.hpp)
+//
+// gate_selector = q_poseidon2_transition_entry
+// ============================================================================
+
+inline const GatePattern POSEIDON2_TRANSITION_ENTRY = { .name = "poseidon2_transition_entry",
+                                                        .wires = {
+                                                            { Wire::W_L, [](const Selectors&) { return true; } },
+                                                            { Wire::W_R, [](const Selectors&) { return true; } },
+                                                            { Wire::W_O, [](const Selectors&) { return true; } },
+                                                            { Wire::W_4, [](const Selectors&) { return true; } },
+                                                            { Wire::W_R_SHIFT, [](const Selectors&) { return true; } },
+                                                            { Wire::W_O_SHIFT, [](const Selectors&) { return true; } },
+                                                            { Wire::W_4_SHIFT, [](const Selectors&) { return true; } },
+                                                        } };
+
 // ============================================================================
 // Databus Pattern (from databus_lookup_relation.hpp)
 //

barretenberg/cpp/src/barretenberg/boomerang_value_detection/gate_patterns.test.cpp

@@ -11,13 +11,15 @@
 
 #include "gate_patterns.hpp"
 #include "barretenberg/flavor/mega_flavor.hpp"
+#include "barretenberg/flavor/ultra_flavor.hpp"
 #include "barretenberg/relations/databus_lookup_relation.hpp"
 #include "barretenberg/relations/delta_range_constraint_relation.hpp"
 #include "barretenberg/relations/elliptic_relation.hpp"
 #include "barretenberg/relations/logderiv_lookup_relation.hpp"
 #include "barretenberg/relations/memory_relation.hpp"
 #include "barretenberg/relations/non_native_field_relation.hpp"
 #include "barretenberg/relations/poseidon2_external_relation.hpp"
+#include "barretenberg/relations/poseidon2_initial_external_relation.hpp"
 #include "barretenberg/relations/poseidon2_internal_relation.hpp"
 #include "barretenberg/relations/relation_parameters.hpp"
 #include "barretenberg/relations/ultra_arithmetic_relation.hpp"
@@ -30,16 +32,16 @@ using namespace bb::gate_patterns;
 using FF = fr;
 using Entities = MegaFlavor::AllValues;
 
-Entities get_random_entities()
+template <typename E> E get_random_entities()
 {
-    Entities entities;
+    E entities;
     for (auto& field : entities.get_all()) {
         field = FF::random_element();
     }
     return entities;
 }
 
-FF& get_wire(Entities& entities, Wire wire)
+template <typename E> FF& get_wire(E& entities, Wire wire)
 {
     switch (wire) {
     case Wire::W_L:
@@ -62,7 +64,7 @@ FF& get_wire(Entities& entities, Wire wire)
     __builtin_unreachable();
 }
 
-Selectors make_selectors(const Entities& entities, int64_t gate_selector_value)
+template <typename E> Selectors make_selectors(const E& entities, int64_t gate_selector_value)
 {
     return Selectors{
         .gate_selector = gate_selector_value,
@@ -94,8 +96,8 @@ std::set<Wire> get_pattern_wires(const GatePattern& pattern, const Selectors& se
  *
  * This is the ground truth: perturb each wire and see if the output changes.
  */
-template <typename Relation>
-std::set<Wire> get_actually_constrained_wires(const Entities& entities, const auto& parameters)
+template <typename Relation, typename E>
+std::set<Wire> get_actually_constrained_wires(const E& entities, const auto& parameters)
 {
     std::set<Wire> constrained;
 
@@ -112,7 +114,7 @@ std::set<Wire> get_actually_constrained_wires(const Entities& entities, const au
                        Wire::W_R_SHIFT,
                        Wire::W_O_SHIFT,
                        Wire::W_4_SHIFT }) {
-        Entities perturbed = entities;
+        E perturbed = entities;
         get_wire(perturbed, wire) += FF::random_element();
 
         typename Relation::SumcheckArrayOfValuesOverSubrelations perturbed_result{};
@@ -131,17 +133,18 @@ std::set<Wire> get_actually_constrained_wires(const Entities& entities, const au
  *
  * @param configure_selectors Lambda that configures entity selectors and returns the gate selector field value
  */
-template <typename Relation> void verify_pattern(const GatePattern& pattern, auto configure_selectors)
+template <typename Relation, typename E = Entities>
+void verify_pattern(const GatePattern& pattern, auto configure_selectors)
 {
-    Entities entities = get_random_entities();
+    E entities = get_random_entities<E>();
     FF gate_selector = configure_selectors(entities);
     int64_t gate_selector_value = static_cast<int64_t>(uint64_t(gate_selector));
 
     Selectors selectors = make_selectors(entities, gate_selector_value);
     auto pattern_claims = get_pattern_wires(pattern, selectors);
 
     auto parameters = RelationParameters<FF>::get_random();
-    auto actually_constrained = get_actually_constrained_wires<Relation>(entities, parameters);
+    auto actually_constrained = get_actually_constrained_wires<Relation, E>(entities, parameters);
 
     EXPECT_EQ(actually_constrained, pattern_claims);
 }
@@ -288,8 +291,11 @@ TEST(PatternTest, MemoryRamConsistency)
 
 TEST(PatternTest, Poseidon2Internal)
 {
-    verify_pattern<Poseidon2InternalRelation<FF>>(POSEIDON2_INTERNAL,
-                                                  [](Entities& e) { return e.q_poseidon2_internal = FF(1); });
+    // q_poseidon2_internal lives on UltraFlavor only; MegaFlavor covers all internal rounds via the
+    // compressed quad-internal block.
+    using UltraEntities = UltraFlavor::AllValues;
+    verify_pattern<Poseidon2InternalRelation<FF>, UltraEntities>(
+        POSEIDON2_INTERNAL, [](UltraEntities& e) { return e.q_poseidon2_internal = FF(1); });
 }
 
 TEST(PatternTest, Poseidon2External)
@@ -298,6 +304,12 @@ TEST(PatternTest, Poseidon2External)
                                                   [](Entities& e) { return e.q_poseidon2_external = FF(1); });
 }
 
+TEST(PatternTest, Poseidon2InitialExternal)
+{
+    verify_pattern<Poseidon2InitialExternalRelation<FF>>(
+        POSEIDON2_INITIAL_EXTERNAL, [](Entities& e) { return e.q_poseidon2_external_initial = FF(1); });
+}
+
 TEST(PatternTest, LookupBasic)
 {
     verify_pattern<LogDerivLookupRelation<FF>>(LOOKUP, [](Entities& e) {
@@ -363,7 +375,7 @@ TEST(PatternTest, DetectOverConstrained)
                                                   } };
 
     // q_arith=3 disables mul term, q_2=0 means w_r has no linear term, so w_r is unconstrained
-    Entities entities = get_random_entities();
+    Entities entities = get_random_entities<Entities>();
     entities.q_arith = FF(3);
     entities.q_m = FF(1);
     entities.q_l = FF(1);
@@ -373,7 +385,7 @@ TEST(PatternTest, DetectOverConstrained)
     auto pattern_claims = get_pattern_wires(OVERCONSTRAINED_PATTERN, selectors);
     auto correct_claims = get_pattern_wires(ARITHMETIC, selectors);
     auto parameters = RelationParameters<FF>::get_random();
-    auto actually_constrained = get_actually_constrained_wires<ArithmeticRelation<FF>>(entities, parameters);
+    auto actually_constrained = get_actually_constrained_wires<ArithmeticRelation<FF>, Entities>(entities, parameters);
 
     EXPECT_TRUE(pattern_claims.contains(Wire::W_R)) << "Over-constrained pattern claims W_R";
     EXPECT_FALSE(actually_constrained.contains(Wire::W_R)) << "Relation does not constrain W_R in this config";
@@ -402,15 +414,15 @@ TEST(PatternTest, DetectUnderConstrained)
                                      } };
 
     // RAM consistency check: q_3 != 0
-    Entities entities = get_random_entities();
+    Entities entities = get_random_entities<Entities>();
     entities.q_memory = FF(1);
     entities.q_o = FF(1); // q_3
 
     Selectors selectors = make_selectors(entities, 1);
     auto pattern_claims = get_pattern_wires(UNDERCONSTRAINED_PATTERN, selectors);
     auto correct_claims = get_pattern_wires(MEMORY, selectors);
     auto parameters = RelationParameters<FF>::get_random();
-    auto actually_constrained = get_actually_constrained_wires<MemoryRelation<FF>>(entities, parameters);
+    auto actually_constrained = get_actually_constrained_wires<MemoryRelation<FF>, Entities>(entities, parameters);
 
     EXPECT_FALSE(pattern_claims.contains(Wire::W_L)) << "Under-constrained pattern missing W_L";
     EXPECT_FALSE(pattern_claims.contains(Wire::W_R)) << "Under-constrained pattern missing W_R";