feat: merge-train/barretenberg (#18096)

BEGIN_COMMIT_OVERRIDE
chore!: EC add from ACIR, part 1 (#18013)
chore: `logderiv_lookup_relation` audit, cleanups and documentation
(#17336)
chore: remove unused stdlib schnorr (#18103)
END_COMMIT_OVERRIDE

Author: AztecBot

barretenberg/cpp/scripts/stdlib-tests

@@ -6,5 +6,4 @@ stdlib_ecdsa_tests
 stdlib_pedersen_commitment_tests
 stdlib_pedersen_hash_tests
 stdlib_poseidon2_tests
-stdlib_schnorr_tests
 stdlib_sha256_tests

barretenberg/cpp/scripts/test_chonk_standalone_vks_havent_changed.sh

@@ -13,7 +13,7 @@ cd ..
 # - Generate a hash for versioning: sha256sum bb-chonk-inputs.tar.gz
 # - Upload the compressed results: aws s3 cp bb-chonk-inputs.tar.gz s3://aztec-ci-artifacts/protocol/bb-chonk-inputs-[hash(0:8)].tar.gz
 # Note: In case of the "Test suite failed to run ... Unexpected token 'with' " error, need to run: docker pull aztecprotocol/build:3.0
-pinned_short_hash="16dc4478"
+pinned_short_hash="84c467db"
 pinned_chonk_inputs_url="https://aztec-ci-artifacts.s3.us-east-2.amazonaws.com/protocol/bb-chonk-inputs-${pinned_short_hash}.tar.gz"
 
 function compress_and_upload {

barretenberg/cpp/src/CMakeLists.txt

@@ -184,7 +184,6 @@ set(BARRETENBERG_TARGET_OBJECTS
     $<TARGET_OBJECTS:stdlib_pedersen_hash_objects>
     $<TARGET_OBJECTS:stdlib_poseidon2_objects>
     $<TARGET_OBJECTS:stdlib_primitives_objects>
-    $<TARGET_OBJECTS:stdlib_schnorr_objects>
     $<TARGET_OBJECTS:stdlib_sha256_objects>
     $<TARGET_OBJECTS:stdlib_translator_vm_verifier_objects>
     $<TARGET_OBJECTS:sumcheck_objects>

barretenberg/cpp/src/barretenberg/dsl/CMakeLists.txt

@@ -3,10 +3,10 @@ set(DSL_DEPENDENCIES
     ultra_honk
     stdlib_sha256
     stdlib_aes128
+    stdlib_blake2s
     stdlib_blake3s
     stdlib_keccak
     stdlib_poseidon2
-    stdlib_schnorr
     stdlib_honk_verifier
     stdlib_chonk_verifier)
 

barretenberg/cpp/src/barretenberg/dsl/acir_format/ec_operations.cpp

@@ -13,32 +13,70 @@
 
 namespace acir_format {
 
+/**
+ * @brief Create constraints for addition of two points on the Grumpkin curve.
+ *
+ * @details We proceed in 2 steps:
+ * 1. We reconstruct the Grumpkin points input1, input2 and input_result for which we must check input1 + input2 =
+ *    input_result. The reconstruction handles all cases: has_valid_witness_assignments equal to false (write_vk
+ *    scenario) and a witness predicate. If:
+ *      - has_valid_witness_assignments is false, then we set input1 = input2 = input_result equal to the generator of
+ *        Grumpkin
+ *      - the predicate is witness false, we set input1 and input2 to be the generator of Grumpkin.
+ * 2. We compute input1 + input2 and check that it agrees with input_result.
+ *
+ * @note We do not need to enforce in-circuit that input_result is on the curve because we check that input_result is
+ * equal to result, which we know is on the curve as it is the sum of two points on the curve. In the case of predicate
+ * equal to witness false, the constraint is supposed to be inactive, so we even if input_result is not checked to be on
+ * the curve in this case, it is OK.
+ *
+ * @tparam Builder
+ * @param builder
+ * @param input
+ * @param has_valid_witness_assignments
+ */
 template <typename Builder>
 void create_ec_add_constraint(Builder& builder, const EcAdd& input, bool has_valid_witness_assignments)
 {
-    // Input to cycle_group points
     using cycle_group_ct = bb::stdlib::cycle_group<Builder>;
     using field_ct = bb::stdlib::field_t<Builder>;
     using bool_ct = bb::stdlib::bool_t<Builder>;
 
-    auto input1_point = to_grumpkin_point(
-        input.input1_x, input.input1_y, input.input1_infinite, has_valid_witness_assignments, input.predicate, builder);
-    auto input2_point = to_grumpkin_point(
-        input.input2_x, input.input2_y, input.input2_infinite, has_valid_witness_assignments, input.predicate, builder);
+    // Step 1.
+    bool_ct predicate = bool_ct(to_field_ct(input.predicate, builder));
 
-    // Compute the result of the addition
-    cycle_group_ct result = input1_point + input2_point;
-    // AUDITTODO: Is this necessary? If so, ensure cycle_group addition always returns standard form. If not, clarify.
-    result.standardize();
-
-    // Create copy-constraints between the computed result and the expected result stored in the input witness indices
     field_ct input_result_x = field_ct::from_witness_index(&builder, input.result_x);
     field_ct input_result_y = field_ct::from_witness_index(&builder, input.result_y);
     bool_ct input_result_infinite = bool_ct(field_ct::from_witness_index(&builder, input.result_infinite));
 
-    result.x().assert_equal(input_result_x);
-    result.y().assert_equal(input_result_y);
-    result.is_point_at_infinity().assert_equal(input_result_infinite);
+    if (!has_valid_witness_assignments) {
+        builder.set_variable(input_result_x.get_witness_index(), bb::grumpkin::g1::affine_one.x);
+        builder.set_variable(input_result_y.get_witness_index(), bb::grumpkin::g1::affine_one.y);
+        builder.set_variable(input_result_infinite.get_witness_index(), bb::fr(0));
+    }
+
+    cycle_group_ct input1_point = to_grumpkin_point(
+        input.input1_x, input.input1_y, input.input1_infinite, has_valid_witness_assignments, predicate, builder);
+    cycle_group_ct input2_point = to_grumpkin_point(
+        input.input2_x, input.input2_y, input.input2_infinite, has_valid_witness_assignments, predicate, builder);
+    // Note that input_result is computed by Noir and passed to bb via ACIR. Hence, it is always a valid point on
+    // Grumpkin.
+    cycle_group_ct input_result(input_result_x, input_result_y, input_result_infinite, /*assert_on_curve=*/false);
+
+    // Step 2.
+    cycle_group_ct result = input1_point + input2_point;
+
+    if (!predicate.is_constant()) {
+        cycle_group_ct to_be_asserted_equal = cycle_group_ct::conditional_assign(predicate, input_result, result);
+        result.assert_equal(to_be_asserted_equal);
+    } else {
+        // The assert_equal method standardizes both points before comparing, so if either of them is the point at
+        // infinity, the coordinates will be assigned to be (0,0). This is OK as long as Noir developers do not use the
+        // coordinates of a point at infinity (otherwise input_result might be the point at infinity different from (0,
+        // 0, true), and the fact that assert_equal passes doesn't imply anything for the original coordinates of
+        // input_result).
+        result.assert_equal(input_result);
+    }
 }
 
 template void create_ec_add_constraint<bb::UltraCircuitBuilder>(bb::UltraCircuitBuilder& builder,

barretenberg/cpp/src/barretenberg/dsl/acir_format/ec_operations.hpp

@@ -11,6 +11,24 @@
 
 namespace acir_format {
 
+/**
+ * @brief Constraints for addition of two points on the Grumpkin curve.
+ *
+ * @details EcAdd constraints have 10 components:
+ * - input1_x: x-coordinate of the first input point
+ * - input1_y: y-coordinate of the first input point
+ * - input1_infinite: flag indicating if the first input point is the point at infinity
+ * - input2_x: x-coordinate of the second input point
+ * - input2_y: y-coordinate of the second input point
+ * - input2_infinite: flag indicating if the second input point is the point at infinity
+ * - predicate: flag indicating whether the constraint is active
+ * - result_x: witness index for the x-coordinate of the resulting point
+ * - result_y: witness index for the y-coordinate of the resulting point
+ * - result_infinite: witness index for the flag indicating if the result is the point at infinity
+ *
+ * The data related to input1 and input2 can either be given by witnesses or constants. However, x and y coordinates
+ * pertaining to the same input must be either all witnesses or all constants.
+ */
 struct EcAdd {
     WitnessOrConstant<bb::fr> input1_x;
     WitnessOrConstant<bb::fr> input1_y;

barretenberg/cpp/src/barretenberg/dsl/acir_format/multi_scalar_mul.cpp

@@ -26,6 +26,8 @@ void create_multi_scalar_mul_constraint(Builder& builder,
     using field_ct = stdlib::field_t<Builder>;
     using bool_ct = stdlib::bool_t<Builder>;
 
+    bool_ct predicate = bool_ct(to_field_ct(input.predicate, builder));
+
     std::vector<cycle_group_ct> points;
     std::vector<cycle_scalar_ct> scalars;
 
@@ -35,7 +37,7 @@ void create_multi_scalar_mul_constraint(Builder& builder,
                                                        input.points[i + 1],
                                                        input.points[i + 2],
                                                        has_valid_witness_assignments,
-                                                       input.predicate,
+                                                       predicate,
                                                        builder);
 
         //  Reconstruct the scalar from the low and high limbs

barretenberg/cpp/src/barretenberg/dsl/acir_format/witness_constant.cpp

@@ -14,10 +14,11 @@ using namespace bb::stdlib;
 
 /**
  * @brief Convert inputs representing a Grumpkin point into a cycle_group element.
- * @details Inputs x, y, and is_infinite are used to construct the point. If no valid witness is provided or if the
- * predicate is constant false, the point is set to the generator point. If the predicate is a non-constant witness, the
- * point is conditionally assigned to the generator point based on the predicate value. This ensures that the point is
- * always valid and will not trigger any on_curve assertions.
+ * @details Inputs x, y, and is_infinite are used to construct the point. We handle two cases:
+ *  1. has_valid_witness_assignments is false:  we are in a write_vk scenario. In this case, we set the point to be the
+ *     generator of Grumpkin.
+ *  2. predicate is a witness: we conditionally assign the point depending on the predicate; if it is witness true, we
+ *     use the witnesses provided, otherwise, we set the point to be the generator of Grumpkin.
  *
  * @tparam Builder
  * @tparam FF
@@ -29,69 +30,59 @@ using namespace bb::stdlib;
  * @param builder
  * @return bb::stdlib::cycle_group<Builder>
  */
-template <typename Builder, typename FF>
-bb::stdlib::cycle_group<Builder> to_grumpkin_point(const WitnessOrConstant<FF>& input_x,
-                                                   const WitnessOrConstant<FF>& input_y,
-                                                   const WitnessOrConstant<FF>& input_infinite,
+template <typename Builder>
+bb::stdlib::cycle_group<Builder> to_grumpkin_point(const WitnessOrConstant<typename Builder::FF>& input_x,
+                                                   const WitnessOrConstant<typename Builder::FF>& input_y,
+                                                   const WitnessOrConstant<typename Builder::FF>& input_infinite,
                                                    bool has_valid_witness_assignments,
-                                                   const WitnessOrConstant<FF>& predicate,
+                                                   const bb::stdlib::bool_t<Builder>& predicate,
                                                    Builder& builder)
 {
     using bool_ct = bb::stdlib::bool_t<Builder>;
     using field_ct = bb::stdlib::field_t<Builder>;
+
+    bool constant_coordinates = input_x.is_constant && input_y.is_constant;
+
     auto point_x = to_field_ct(input_x, builder);
     auto point_y = to_field_ct(input_y, builder);
     auto infinite = bool_ct(to_field_ct(input_infinite, builder));
 
-    // Coordinates should not have mixed constancy. In the case they do, convert constant coordinate to fixed witness.
-    BB_ASSERT_EQ(input_x.is_constant, input_y.is_constant, "to_grumpkin_point: Inconsistent constancy of coordinates");
-    // TODO(https://github.com/AztecProtocol/aztec-packages/issues/17514): Avoid mixing constant/witness coordinates
-    if (point_x.is_constant() != point_y.is_constant()) {
-        if (point_x.is_constant()) {
-            point_x.convert_constant_to_fixed_witness(&builder);
-        } else if (point_y.is_constant()) {
-            point_y.convert_constant_to_fixed_witness(&builder);
-        }
-    }
-
-    bool constant_coordinates = input_x.is_constant && input_y.is_constant;
-
-    // In a witness is not provided, or the relevant predicate is constant false, we ensure the coordinates correspond
-    // to a valid point to avoid erroneous failures during circuit construction. We only do this if the coordinates are
-    // non-constant since otherwise no variable indices exist.
-    bool constant_false_predicate = predicate.is_constant && predicate.value == FF(0);
-    if ((!has_valid_witness_assignments || constant_false_predicate) && !constant_coordinates) {
-        auto one = bb::grumpkin::g1::affine_one;
-        builder.set_variable(input_x.index, one.x);
-        builder.set_variable(input_y.index, one.y);
+    // If a witness is not provided (we are in a write_vk scenario) we ensure the coordinates correspond to a valid
+    // point to avoid erroneous failures during circuit construction. We only do this if the coordinates are
+    // non-constant since otherwise no variable indices exist. Note that there is no need to assign the infinite flag
+    // because native on-curve checks will always pass as long x and y coordinates correspond to a valid point on
+    // Grumpkin.
+    if (!has_valid_witness_assignments && !constant_coordinates) {
+        builder.set_variable(input_x.index, bb::grumpkin::g1::affine_one.x);
+        builder.set_variable(input_y.index, bb::grumpkin::g1::affine_one.y);
     }
 
     // If the predicate is a non-constant witness, conditionally replace coordinates with a valid point.
-    // Note: this must be done before constructing the cycle_group to avoid triggering on_curve assertions
-    if (!predicate.is_constant) {
-        bool_ct predicate_witness = bool_ct::from_witness_index_unsafe(&builder, predicate.index);
-        auto generator = bb::grumpkin::g1::affine_one;
-        point_x = field_ct::conditional_assign(predicate_witness, point_x, generator.x);
-        point_y = field_ct::conditional_assign(predicate_witness, point_y, generator.y);
-        bool_ct generator_is_infinity = bool_ct(&builder, generator.is_point_at_infinity());
-        infinite = bool_ct::conditional_assign(predicate_witness, infinite, generator_is_infinity);
+    if (!predicate.is_constant()) {
+        point_x = field_ct::conditional_assign(predicate, point_x, field_ct(bb::grumpkin::g1::affine_one.x));
+        point_y = field_ct::conditional_assign(predicate, point_y, field_ct(bb::grumpkin::g1::affine_one.y));
+        infinite = bool_ct::conditional_assign(predicate, infinite, bool_ct(false));
+    } else {
+        BB_ASSERT(predicate.get_value(), "Creating Grumpkin point with a constant predicate equal to false.");
     }
 
     cycle_group<Builder> input_point(point_x, point_y, infinite, /*assert_on_curve=*/true);
     return input_point;
 }
 
-template bb::stdlib::cycle_group<UltraCircuitBuilder> to_grumpkin_point(const WitnessOrConstant<fr>& input_x,
-                                                                        const WitnessOrConstant<fr>& input_y,
-                                                                        const WitnessOrConstant<fr>& input_infinite,
-                                                                        bool has_valid_witness_assignments,
-                                                                        const WitnessOrConstant<fr>& predicate,
-                                                                        UltraCircuitBuilder& builder);
-template bb::stdlib::cycle_group<MegaCircuitBuilder> to_grumpkin_point(const WitnessOrConstant<fr>& input_x,
-                                                                       const WitnessOrConstant<fr>& input_y,
-                                                                       const WitnessOrConstant<fr>& input_infinite,
-                                                                       bool has_valid_witness_assignments,
-                                                                       const WitnessOrConstant<fr>& predicate,
-                                                                       MegaCircuitBuilder& builder);
+template bb::stdlib::cycle_group<UltraCircuitBuilder> to_grumpkin_point(
+    const WitnessOrConstant<UltraCircuitBuilder::FF>& input_x,
+    const WitnessOrConstant<UltraCircuitBuilder::FF>& input_y,
+    const WitnessOrConstant<UltraCircuitBuilder::FF>& input_infinite,
+    bool has_valid_witness_assignments,
+    const bb::stdlib::bool_t<UltraCircuitBuilder>& predicate,
+    UltraCircuitBuilder& builder);
 
+template bb::stdlib::cycle_group<MegaCircuitBuilder> to_grumpkin_point(
+    const WitnessOrConstant<MegaCircuitBuilder::FF>& input_x,
+    const WitnessOrConstant<MegaCircuitBuilder::FF>& input_y,
+    const WitnessOrConstant<MegaCircuitBuilder::FF>& input_infinite,
+    bool has_valid_witness_assignments,
+    const bb::stdlib::bool_t<MegaCircuitBuilder>& predicate,
+    MegaCircuitBuilder& builder);
 } // namespace acir_format

barretenberg/cpp/src/barretenberg/dsl/acir_format/witness_constant.hpp

@@ -36,8 +36,8 @@ template <typename FF> struct WitnessOrConstant {
     }
 };
 
-template <typename Builder, typename FF>
-bb::stdlib::field_t<Builder> to_field_ct(const WitnessOrConstant<FF>& input, Builder& builder)
+template <typename Builder>
+bb::stdlib::field_t<Builder> to_field_ct(const WitnessOrConstant<typename Builder::FF>& input, Builder& builder)
 {
     using field_ct = bb::stdlib::field_t<Builder>;
     if (input.is_constant) {
@@ -46,12 +46,12 @@ bb::stdlib::field_t<Builder> to_field_ct(const WitnessOrConstant<FF>& input, Bui
     return field_ct::from_witness_index(&builder, input.index);
 }
 
-template <typename Builder, typename FF>
-bb::stdlib::cycle_group<Builder> to_grumpkin_point(const WitnessOrConstant<FF>& input_x,
-                                                   const WitnessOrConstant<FF>& input_y,
-                                                   const WitnessOrConstant<FF>& input_infinite,
+template <typename Builder>
+bb::stdlib::cycle_group<Builder> to_grumpkin_point(const WitnessOrConstant<typename Builder::FF>& input_x,
+                                                   const WitnessOrConstant<typename Builder::FF>& input_y,
+                                                   const WitnessOrConstant<typename Builder::FF>& input_infinite,
                                                    bool has_valid_witness_assignments,
-                                                   const WitnessOrConstant<FF>& predicate,
+                                                   const bb::stdlib::bool_t<Builder>& predicate,
                                                    Builder& builder);
 
 } // namespace acir_format

barretenberg/cpp/src/barretenberg/relations/databus_lookup_relation.hpp

@@ -46,7 +46,7 @@ namespace bb {
  * Each column of the DataBus requires its own pair of subrelations. The column being read is selected via a unique
  * product, i.e. a lookup from bus column j is selected via q_busread * q_j (j = 1,2,...).
  *
- * To not compute the inverse terms packed in I_i for indices that not included in the sum we introduce a
+ * To not compute the inverse terms packed in I_i for indices not included in the sum we introduce a
  * witness called inverse_exists, which is zero when either read_count_i is nonzero (a boolean called read_tag) or we
  * have a read gate. This is represented by setting inverse_exists = 1- (1- read_tag)*(1- is_read_gate). Since read_gate
  * is only dependent on selector values, we can assume that the verifier can check that it is boolean. However, if