feat: update honk ultra_recursive_verifier to do aggregation

barretenberg/cpp/src/barretenberg/bb/main.cpp

@@ -576,6 +576,37 @@ void prove_tube(const std::string& output_path)
     ClientIVC verifier{ builder, input };
 
     verifier.verify(proof);
+
+    std::array<uint32_t, acir_format::HonkRecursionConstraint::AGGREGATION_OBJECT_SIZE> current_aggregation_object = {
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+    };
+    fq x0("0x031e97a575e9d05a107acb64952ecab75c020998797da7842ab5d6d1986846cf");
+    fq y0("0x178cbf4206471d722669117f9758a4c410db10a01750aebb5666547acf8bd5a4");
+    fq x1("0x0f94656a2ca489889939f81e9c74027fd51009034b3357f0e91b8a11e7842c38");
+    fq y1("0x1b52c2020d7464a0c80c0da527a08193fe27776f50224bd6fb128b46c1ddb67f");
+    std::vector<fq> aggregation_object_fq_values = { x0, y0, x1, y1 };
+    size_t agg_obj_indices_idx = 0;
+    for (fq val : aggregation_object_fq_values) {
+        const uint256_t x = val;
+        std::array<fr, acir_format::fq_ct::NUM_LIMBS> val_limbs = {
+            x.slice(0, acir_format::fq_ct::NUM_LIMB_BITS),
+            x.slice(acir_format::fq_ct::NUM_LIMB_BITS, acir_format::fq_ct::NUM_LIMB_BITS * 2),
+            x.slice(acir_format::fq_ct::NUM_LIMB_BITS * 2, acir_format::fq_ct::NUM_LIMB_BITS * 3),
+            x.slice(acir_format::fq_ct::NUM_LIMB_BITS * 3, stdlib::field_conversion::TOTAL_BITS)
+        };
+        for (size_t i = 0; i < acir_format::fq_ct::NUM_LIMBS; ++i) {
+            uint32_t idx = builder->add_variable(val_limbs[i]);
+            builder->set_public_input(idx);
+            current_aggregation_object[agg_obj_indices_idx] = idx;
+            agg_obj_indices_idx++;
+        }
+    }
+    // Make sure the verification key records the public input indices of the
+    // final recursion output.
+    std::vector<uint32_t> proof_output_witness_indices(current_aggregation_object.begin(),
+                                                       current_aggregation_object.end());
+    builder->set_recursive_proof(proof_output_witness_indices);
+
     info("num gates in tube circuit: ", builder->get_num_gates());
     using Prover = UltraProver_<UltraFlavor>;
     using Verifier = UltraVerifier_<UltraFlavor>;

barretenberg/cpp/src/barretenberg/dsl/acir_format/acir_format.cpp

@@ -348,20 +348,19 @@ void build_constraints(Builder& builder,
             // constants set by keeping the nested aggregation object attached to the proof as public inputs.
             std::array<uint32_t, HonkRecursionConstraint::AGGREGATION_OBJECT_SIZE> nested_aggregation_object = {};
             // TODO(https://github.com/AztecProtocol/barretenberg/issues/1044): Reinstate aggregation
-            // for (size_t i = 0; i < HonkRecursionConstraint::AGGREGATION_OBJECT_SIZE; ++i) {
-            //     // Set the nested aggregation object indices to witness indices from the proof
-            //     nested_aggregation_object[i] =
-            //         static_cast<uint32_t>(constraint.proof[HonkRecursionConstraint::inner_public_input_offset + i]);
-            //     // Adding the nested aggregation object to the constraint's public inputs
-            //     constraint.public_inputs.emplace_back(nested_aggregation_object[i]);
-            // }
+            for (size_t i = 0; i < HonkRecursionConstraint::AGGREGATION_OBJECT_SIZE; ++i) {
+                // Set the nested aggregation object indices to witness indices from the proof
+                nested_aggregation_object[i] =
+                    static_cast<uint32_t>(constraint.proof[HonkRecursionConstraint::inner_public_input_offset + i]);
+                // Adding the nested aggregation object to the constraint's public inputs
+                constraint.public_inputs.emplace_back(nested_aggregation_object[i]);
+            }
             // Remove the aggregation object so that they can be handled as normal public inputs
             // in they way that the recursion constraint expects
-            // constraint.proof.erase(constraint.proof.begin() + HonkRecursionConstraint::inner_public_input_offset,
-            //                        constraint.proof.begin() +
-            //                            static_cast<std::ptrdiff_t>(HonkRecursionConstraint::inner_public_input_offset
-            //                            +
-            //                                                        HonkRecursionConstraint::AGGREGATION_OBJECT_SIZE));
+            constraint.proof.erase(constraint.proof.begin() + HonkRecursionConstraint::inner_public_input_offset,
+                                   constraint.proof.begin() +
+                                       static_cast<std::ptrdiff_t>(HonkRecursionConstraint::inner_public_input_offset +
+                                                                   HonkRecursionConstraint::AGGREGATION_OBJECT_SIZE));
             current_aggregation_object = create_honk_recursion_constraints(builder,
                                                                            constraint,
                                                                            current_aggregation_object,
@@ -379,51 +378,48 @@ void build_constraints(Builder& builder,
             // Set the indices as public inputs because they are no longer being
             // created in ACIR
             // TODO(https://github.com/AztecProtocol/barretenberg/issues/1044): Reinstate aggregation
-            // for (const auto& idx : current_aggregation_object) {
-            //     builder.set_public_input(idx);
-            // }
-
-            // // Make sure the verification key records the public input indices of the
-            // // final recursion output.
-            // std::vector<uint32_t> proof_output_witness_indices(current_aggregation_object.begin(),
-            //                                                    current_aggregation_object.end());
-            // builder.set_recursive_proof(proof_output_witness_indices);
+            for (const auto& idx : current_aggregation_object) {
+                builder.set_public_input(idx);
+            }
+
+            // Make sure the verification key records the public input indices of the
+            // final recursion output.
+            std::vector<uint32_t> proof_output_witness_indices(current_aggregation_object.begin(),
+                                                               current_aggregation_object.end());
+            builder.set_recursive_proof(proof_output_witness_indices);
+        } else if (honk_recursion &&
+                   builder.is_recursive_circuit) { // Set a default aggregation object if we don't have one.
+            // TODO(https://github.com/AztecProtocol/barretenberg/issues/911): These are pairing points extracted
+            // from a valid proof. This is a workaround because we can't represent the point at infinity in biggroup
+            // yet.
+            fq x0("0x031e97a575e9d05a107acb64952ecab75c020998797da7842ab5d6d1986846cf");
+            fq y0("0x178cbf4206471d722669117f9758a4c410db10a01750aebb5666547acf8bd5a4");
+
+            fq x1("0x0f94656a2ca489889939f81e9c74027fd51009034b3357f0e91b8a11e7842c38");
+            fq y1("0x1b52c2020d7464a0c80c0da527a08193fe27776f50224bd6fb128b46c1ddb67f");
+            std::vector<fq> aggregation_object_fq_values = { x0, y0, x1, y1 };
+            size_t agg_obj_indices_idx = 0;
+            for (fq val : aggregation_object_fq_values) {
+                const uint256_t x = val;
+                std::array<fr, fq_ct::NUM_LIMBS> val_limbs = {
+                    x.slice(0, fq_ct::NUM_LIMB_BITS),
+                    x.slice(fq_ct::NUM_LIMB_BITS, fq_ct::NUM_LIMB_BITS * 2),
+                    x.slice(fq_ct::NUM_LIMB_BITS * 2, fq_ct::NUM_LIMB_BITS * 3),
+                    x.slice(fq_ct::NUM_LIMB_BITS * 3, stdlib::field_conversion::TOTAL_BITS)
+                };
+                for (size_t i = 0; i < fq_ct::NUM_LIMBS; ++i) {
+                    uint32_t idx = builder.add_variable(val_limbs[i]);
+                    builder.set_public_input(idx);
+                    current_aggregation_object[agg_obj_indices_idx] = idx;
+                    agg_obj_indices_idx++;
+                }
+            }
+            // Make sure the verification key records the public input indices of the
+            // final recursion output.
+            std::vector<uint32_t> proof_output_witness_indices(current_aggregation_object.begin(),
+                                                               current_aggregation_object.end());
+            builder.set_recursive_proof(proof_output_witness_indices);
         }
-        static_cast<void>(honk_recursion);
-        // TODO(https://github.com/AztecProtocol/barretenberg/issues/1044): Reinstate aggregation
-        // else if (honk_recursion &&
-        //            builder.is_recursive_circuit) { // Set a default aggregation object if we don't have one.
-        //     // TODO(https://github.com/AztecProtocol/barretenberg/issues/911): These are pairing points extracted
-        //     from
-        //     // a valid proof. This is a workaround because we can't represent the point at infinity in biggroup
-        //     yet. fq x0("0x031e97a575e9d05a107acb64952ecab75c020998797da7842ab5d6d1986846cf"); fq
-        //     y0("0x178cbf4206471d722669117f9758a4c410db10a01750aebb5666547acf8bd5a4");
-
-        //     fq x1("0x0f94656a2ca489889939f81e9c74027fd51009034b3357f0e91b8a11e7842c38");
-        //     fq y1("0x1b52c2020d7464a0c80c0da527a08193fe27776f50224bd6fb128b46c1ddb67f");
-        //     std::vector<fq> aggregation_object_fq_values = { x0, y0, x1, y1 };
-        //     size_t agg_obj_indices_idx = 0;
-        //     for (fq val : aggregation_object_fq_values) {
-        //         const uint256_t x = val;
-        //         std::array<fr, fq_ct::NUM_LIMBS> val_limbs = {
-        //             x.slice(0, fq_ct::NUM_LIMB_BITS),
-        //             x.slice(fq_ct::NUM_LIMB_BITS, fq_ct::NUM_LIMB_BITS * 2),
-        //             x.slice(fq_ct::NUM_LIMB_BITS * 2, fq_ct::NUM_LIMB_BITS * 3),
-        //             x.slice(fq_ct::NUM_LIMB_BITS * 3, stdlib::field_conversion::TOTAL_BITS)
-        //         };
-        //         for (size_t i = 0; i < fq_ct::NUM_LIMBS; ++i) {
-        //             uint32_t idx = builder.add_variable(val_limbs[i]);
-        //             builder.set_public_input(idx);
-        //             current_aggregation_object[agg_obj_indices_idx] = idx;
-        //             agg_obj_indices_idx++;
-        //         }
-        //     }
-        //     // Make sure the verification key records the public input indices of the
-        //     // final recursion output.
-        //     std::vector<uint32_t> proof_output_witness_indices(current_aggregation_object.begin(),
-        //                                                        current_aggregation_object.end());
-        //     builder.set_recursive_proof(proof_output_witness_indices);
-        // }
     }
 }
 

barretenberg/cpp/src/barretenberg/dsl/acir_format/honk_recursion_constraint.cpp

@@ -211,13 +211,13 @@ std::array<uint32_t, HonkRecursionConstraint::AGGREGATION_OBJECT_SIZE> create_ho
     // Recursively verify the proof
     auto vkey = std::make_shared<RecursiveVerificationKey>(builder, key_fields);
     RecursiveVerifier verifier(&builder, vkey);
-    std::array<typename Flavor::GroupElement, 2> pairing_points = verifier.verify_proof(proof_fields);
+    aggregation_state_ct pairing_points = verifier.verify_proof(proof_fields);
 
     // Aggregate the current aggregation object with these pairing points from verify_proof
     // TODO(https://github.com/AztecProtocol/barretenberg/issues/1044): Reinstate aggregation
     aggregation_state_ct cur_aggregation_object;
-    cur_aggregation_object.P0 = pairing_points[0]; // * recursion_separator;
-    cur_aggregation_object.P1 = pairing_points[1]; // * recursion_separator;
+    cur_aggregation_object.P0 = pairing_points.P0; // * recursion_separator;
+    cur_aggregation_object.P1 = pairing_points.P1; // * recursion_separator;
 
     std::vector<uint32_t> proof_witness_indices = {
         cur_aggregation_object.P0.x.binary_basis_limbs[0].element.normalize().witness_index,

barretenberg/cpp/src/barretenberg/dsl/acir_format/honk_recursion_constraint.test.cpp

@@ -162,13 +162,15 @@ class AcirHonkRecursionConstraint : public ::testing::Test {
             std::vector<fr> inner_public_input_values(
                 proof_witnesses.begin() + static_cast<std::ptrdiff_t>(inner_public_input_offset),
                 proof_witnesses.begin() +
-                    static_cast<std::ptrdiff_t>(inner_public_input_offset + num_inner_public_inputs));
+                    static_cast<std::ptrdiff_t>(inner_public_input_offset + num_inner_public_inputs -
+                                                RecursionConstraint::AGGREGATION_OBJECT_SIZE));
 
             // We want to make sure that we do not remove the nested aggregation object.
             // TODO(https://github.com/AztecProtocol/barretenberg/issues/1044): Reinstate aggregation
             proof_witnesses.erase(proof_witnesses.begin() + static_cast<std::ptrdiff_t>(inner_public_input_offset),
                                   proof_witnesses.begin() +
-                                      static_cast<std::ptrdiff_t>(inner_public_input_offset + num_inner_public_inputs));
+                                      static_cast<std::ptrdiff_t>(inner_public_input_offset + num_inner_public_inputs -
+                                                                  RecursionConstraint::AGGREGATION_OBJECT_SIZE));
 
             std::vector<bb::fr> key_witnesses = verification_key->to_field_elements();
 
@@ -179,9 +181,9 @@ class AcirHonkRecursionConstraint : public ::testing::Test {
             const uint32_t public_input_start_idx =
                 static_cast<uint32_t>(inner_public_input_offset + witness_offset); // points to public_input_0
             const uint32_t proof_indices_start_idx =
-                static_cast<uint32_t>(public_input_start_idx + num_inner_public_inputs);
+                static_cast<uint32_t>(public_input_start_idx + num_inner_public_inputs -
+                                      RecursionConstraint::AGGREGATION_OBJECT_SIZE); // points to agg_obj_0
             // TODO(https://github.com/AztecProtocol/barretenberg/issues/1044): Reinstate aggregation
-            //  - RecursionConstraint::AGGREGATION_OBJECT_SIZE); // points to agg_obj_0
             const uint32_t key_indices_start_idx =
                 static_cast<uint32_t>(proof_indices_start_idx + proof_witnesses.size() -
                                       inner_public_input_offset); // would point to vkey_3 without the -
@@ -205,7 +207,7 @@ class AcirHonkRecursionConstraint : public ::testing::Test {
             // thus we do not explicitly have to keep the public inputs while setting up the initial recursion
             // constraint. They will later be attached as public inputs when creating the circuit.
             // TODO(https://github.com/AztecProtocol/barretenberg/issues/1044): Reinstate aggregation
-            for (size_t i = 0; i < num_inner_public_inputs; ++i) {
+            for (size_t i = 0; i < num_inner_public_inputs - RecursionConstraint::AGGREGATION_OBJECT_SIZE; ++i) {
                 inner_public_inputs.push_back(static_cast<uint32_t>(i + public_input_start_idx));
             }
 
@@ -245,7 +247,7 @@ class AcirHonkRecursionConstraint : public ::testing::Test {
             // We once again have to check whether we have a nested proof, because if we do have one
             // then we could get a segmentation fault as `inner_public_inputs` was never filled with values.
             // TODO(https://github.com/AztecProtocol/barretenberg/issues/1044): Reinstate aggregation
-            for (size_t i = 0; i < num_inner_public_inputs; ++i) {
+            for (size_t i = 0; i < num_inner_public_inputs - RecursionConstraint::AGGREGATION_OBJECT_SIZE; ++i) {
                 witness[inner_public_inputs[i]] = inner_public_input_values[i];
             }
 

barretenberg/cpp/src/barretenberg/stdlib/honk_recursion/verifier/ultra_recursive_verifier.cpp

@@ -24,19 +24,20 @@ UltraRecursiveVerifier_<Flavor>::UltraRecursiveVerifier_(Builder* builder, const
  *
  */
 template <typename Flavor>
-std::array<typename Flavor::GroupElement, 2> UltraRecursiveVerifier_<Flavor>::verify_proof(const HonkProof& proof)
+UltraRecursiveVerifier_<Flavor>::PairingPoints UltraRecursiveVerifier_<Flavor>::verify_proof(
+    const HonkProof& proof, const aggregation_state<typename Flavor::Curve>& agg_obj)
 {
     StdlibProof<Builder> stdlib_proof = bb::convert_proof_to_witness(builder, proof);
-    return verify_proof(stdlib_proof);
+    return verify_proof(stdlib_proof, agg_obj);
 }
 
 /**
  * @brief This function constructs a recursive verifier circuit for a native Ultra Honk proof of a given flavor.
  *
  */
 template <typename Flavor>
-std::array<typename Flavor::GroupElement, 2> UltraRecursiveVerifier_<Flavor>::verify_proof(
-    const StdlibProof<Builder>& proof)
+UltraRecursiveVerifier_<Flavor>::PairingPoints UltraRecursiveVerifier_<Flavor>::verify_proof(
+    const StdlibProof<Builder>& proof, const aggregation_state<typename Flavor::Curve>& agg_obj)
 {
     using Sumcheck = ::bb::SumcheckVerifier<Flavor>;
     using PCS = typename Flavor::PCS;
@@ -67,6 +68,7 @@ std::array<typename Flavor::GroupElement, 2> UltraRecursiveVerifier_<Flavor>::ve
     for (size_t i = 0; i < key->num_public_inputs; ++i) {
         public_inputs.emplace_back(transcript->template receive_from_prover<FF>("public_input_" + std::to_string(i)));
     }
+    // WORKTODO: parse out the aggregation object here
 
     // Get commitments to first three wire polynomials
     commitments.w_l = transcript->template receive_from_prover<Commitment>(commitment_labels.w_l);
@@ -154,7 +156,9 @@ std::array<typename Flavor::GroupElement, 2> UltraRecursiveVerifier_<Flavor>::ve
                                            transcript);
     auto pairing_points = PCS::reduce_verify(opening_claim, transcript);
 
-    return pairing_points;
+    // WORKTODO: aggregate here
+    static_cast<void>(pairing_points);
+    return agg_obj;
 }
 
 template class UltraRecursiveVerifier_<bb::UltraRecursiveFlavor_<UltraCircuitBuilder>>;

barretenberg/cpp/src/barretenberg/stdlib/honk_recursion/verifier/ultra_recursive_verifier.hpp

@@ -1,6 +1,7 @@
 #pragma once
 #include "barretenberg/honk/proof_system/types/proof.hpp"
 #include "barretenberg/stdlib/honk_recursion/transcript/transcript.hpp"
+#include "barretenberg/stdlib/plonk_recursion/aggregation_state/aggregation_state.hpp"
 #include "barretenberg/stdlib_circuit_builders/mega_recursive_flavor.hpp"
 #include "barretenberg/stdlib_circuit_builders/ultra_recursive_flavor.hpp"
 #include "barretenberg/sumcheck/sumcheck.hpp"
@@ -16,7 +17,7 @@ template <typename Flavor> class UltraRecursiveVerifier_ {
     using VerifierCommitmentKey = typename Flavor::VerifierCommitmentKey;
     using Builder = typename Flavor::CircuitBuilder;
     using RelationSeparator = typename Flavor::RelationSeparator;
-    using PairingPoints = std::array<GroupElement, 2>;
+    using PairingPoints = aggregation_state<typename Flavor::Curve>;
     using Transcript = bb::BaseTranscript<bb::stdlib::recursion::honk::StdlibTranscriptParams<Builder>>;
 
     explicit UltraRecursiveVerifier_(Builder* builder,
@@ -25,8 +26,12 @@ template <typename Flavor> class UltraRecursiveVerifier_ {
 
     // TODO(luke): Eventually this will return something like aggregation_state but I'm simplifying for now until we
     // determine the exact interface. Simply returns the two pairing points.
-    PairingPoints verify_proof(const HonkProof& proof);
-    PairingPoints verify_proof(const StdlibProof<Builder>& proof);
+    PairingPoints verify_proof(
+        const HonkProof& proof,
+        const aggregation_state<typename Flavor::Curve>& previous_output = aggregation_state<typename Flavor::Curve>());
+    PairingPoints verify_proof(
+        const StdlibProof<Builder>& proof,
+        const aggregation_state<typename Flavor::Curve>& previous_output = aggregation_state<typename Flavor::Curve>());
 
     std::shared_ptr<VerificationKey> key;
     std::map<std::string, Commitment> commitments;