feat: merge-train/barretenberg (#19004)

BEGIN_COMMIT_OVERRIDE
chore: unified stdlib/native translator and goblin verifiers (#18906)
chore: Audit of range-constraints. (#18936)
chore: (PCS audit) shplemini verifier output type and removing bool ptr
(#18998)
END_COMMIT_OVERRIDE

Author: AztecBot

barretenberg/cpp/scripts/test_chonk_standalone_vks_havent_changed.sh

@@ -13,7 +13,7 @@ cd ..
 # - Generate a hash for versioning: sha256sum bb-chonk-inputs.tar.gz
 # - Upload the compressed results: aws s3 cp bb-chonk-inputs.tar.gz s3://aztec-ci-artifacts/protocol/bb-chonk-inputs-[hash(0:8)].tar.gz
 # Note: In case of the "Test suite failed to run ... Unexpected token 'with' " error, need to run: docker pull aztecprotocol/build:3.0
-pinned_short_hash="69e26033"
+pinned_short_hash="b70b6780"
 pinned_chonk_inputs_url="https://aztec-ci-artifacts.s3.us-east-2.amazonaws.com/protocol/bb-chonk-inputs-${pinned_short_hash}.tar.gz"
 
 function compress_and_upload {

barretenberg/cpp/src/CMakeLists.txt

@@ -182,7 +182,6 @@ set(BARRETENBERG_TARGET_OBJECTS
     $<TARGET_OBJECTS:stdlib_chonk_verifier_objects>
     $<TARGET_OBJECTS:stdlib_eccvm_verifier_objects>
     $<TARGET_OBJECTS:stdlib_honk_verifier_objects>
-    $<TARGET_OBJECTS:stdlib_goblin_verifier_objects>
     $<TARGET_OBJECTS:stdlib_keccak_objects>
     $<TARGET_OBJECTS:stdlib_poseidon2_objects>
     $<TARGET_OBJECTS:stdlib_primitives_objects>

barretenberg/cpp/src/barretenberg/boomerang_value_detection/CMakeLists.txt

@@ -1,5 +1,5 @@
 barretenberg_module(boomerang_value_detection stdlib_circuit_builders circuit_checker
                     stdlib_primitives numeric stdlib_aes128 stdlib_sha256 stdlib_blake2s
                     stdlib_blake3s stdlib_poseidon2 stdlib_honk_verifier
-                    stdlib_goblin_verifier goblin
+                    goblin
                     commitment_schemes)

barretenberg/cpp/src/barretenberg/boomerang_value_detection/graph_description.test.cpp

@@ -248,7 +248,7 @@ TEST(boomerang_ultra_circuit_constructor, test_graph_for_sort_constraints)
     auto b_idx = circuit_constructor.add_variable(b);
     auto c_idx = circuit_constructor.add_variable(c);
     auto d_idx = circuit_constructor.add_variable(d);
-    circuit_constructor.create_sort_constraint({ a_idx, b_idx, c_idx, d_idx });
+    circuit_constructor.enforce_small_deltas({ a_idx, b_idx, c_idx, d_idx });
 
     fr e = fr(5);
     fr f = fr(6);
@@ -258,7 +258,7 @@ TEST(boomerang_ultra_circuit_constructor, test_graph_for_sort_constraints)
     auto f_idx = circuit_constructor.add_variable(f);
     auto g_idx = circuit_constructor.add_variable(g);
     auto h_idx = circuit_constructor.add_variable(h);
-    circuit_constructor.create_sort_constraint({ e_idx, f_idx, g_idx, h_idx });
+    circuit_constructor.enforce_small_deltas({ e_idx, f_idx, g_idx, h_idx });
 
     StaticAnalyzer graph = StaticAnalyzer(circuit_constructor);
     auto connected_components = graph.find_connected_components();
@@ -477,7 +477,7 @@ TEST(boomerang_ultra_circuit_constructor, test_variables_gates_counts_for_sorted
     auto b_idx = circuit_constructor.add_variable(b);
     auto c_idx = circuit_constructor.add_variable(c);
     auto d_idx = circuit_constructor.add_variable(d);
-    circuit_constructor.create_sort_constraint({ a_idx, b_idx, c_idx, d_idx });
+    circuit_constructor.enforce_small_deltas({ a_idx, b_idx, c_idx, d_idx });
 
     fr e = fr(5);
     fr f = fr(6);
@@ -487,7 +487,7 @@ TEST(boomerang_ultra_circuit_constructor, test_variables_gates_counts_for_sorted
     auto f_idx = circuit_constructor.add_variable(f);
     auto g_idx = circuit_constructor.add_variable(g);
     auto h_idx = circuit_constructor.add_variable(h);
-    circuit_constructor.create_sort_constraint({ e_idx, f_idx, g_idx, h_idx });
+    circuit_constructor.enforce_small_deltas({ e_idx, f_idx, g_idx, h_idx });
 
     StaticAnalyzer graph = StaticAnalyzer(circuit_constructor);
     auto variables_gate_counts = graph.get_variables_gate_counts();
@@ -639,9 +639,9 @@ TEST(boomerang_ultra_circuit_constructor, test_graph_for_range_constraints)
     };
     auto indices = add_variables({ fr(1), fr(2), fr(3), fr(4) });
     for (size_t i = 0; i < indices.size(); i++) {
-        circuit_constructor.create_new_range_constraint(indices[i], 5);
+        circuit_constructor.create_small_range_constraint(indices[i], 5);
     }
-    circuit_constructor.create_sort_constraint(indices);
+    circuit_constructor.enforce_small_deltas(indices);
     StaticAnalyzer graph = StaticAnalyzer(circuit_constructor);
     auto connected_components = graph.find_connected_components();
     EXPECT_EQ(connected_components.size(), 1);
@@ -663,7 +663,7 @@ TEST(boomerang_ultra_circuit_constructor, composed_range_constraint)
     auto a_idx = circuit_constructor.add_variable(fr(e));
     circuit_constructor.create_add_gate(
         { a_idx, circuit_constructor.zero_idx(), circuit_constructor.zero_idx(), 1, 0, 0, -fr(e) });
-    circuit_constructor.decompose_into_default_range(a_idx, 134);
+    circuit_constructor.create_limbed_range_constraint(a_idx, 134);
 
     StaticAnalyzer graph = StaticAnalyzer(circuit_constructor);
     auto connected_components = graph.find_connected_components();

barretenberg/cpp/src/barretenberg/boomerang_value_detection/graph_description_goblin.test.cpp

@@ -3,17 +3,17 @@
 #include "barretenberg/common/test.hpp"
 
 #include "barretenberg/goblin/goblin.hpp"
+#include "barretenberg/goblin/goblin_verifier.hpp"
 #include "barretenberg/goblin/mock_circuits.hpp"
 #include "barretenberg/srs/global_crs.hpp"
-#include "barretenberg/stdlib/goblin_verifier/goblin_recursive_verifier.hpp"
 #include "barretenberg/stdlib/honk_verifier/ultra_verification_keys_comparator.hpp"
 #include "barretenberg/ultra_honk/ultra_prover.hpp"
 #include "barretenberg/ultra_honk/ultra_verifier.hpp"
 
 namespace bb::stdlib::recursion::honk {
 class BoomerangGoblinRecursiveVerifierTests : public testing::Test {
   public:
-    using Builder = GoblinRecursiveVerifier::Builder;
+    using Builder = UltraCircuitBuilder;
     using ECCVMVK = Goblin::ECCVMVerificationKey;
     using TranslatorVK = Goblin::TranslatorVerificationKey;
 
@@ -83,13 +83,13 @@ TEST_F(BoomerangGoblinRecursiveVerifierTests, graph_description_basic)
         recursive_merge_commitments.T_prev_commitments[idx].unset_free_witness_tag();
     }
 
-    GoblinRecursiveVerifier verifier{ &builder, verifier_input };
+    auto transcript = std::make_shared<GoblinRecursiveVerifier::Transcript>();
     GoblinStdlibProof stdlib_proof(builder, proof);
-    GoblinRecursiveVerifierOutput output =
-        verifier.verify(stdlib_proof, recursive_merge_commitments, MergeSettings::APPEND);
+    GoblinRecursiveVerifier verifier{ transcript, stdlib_proof, recursive_merge_commitments, MergeSettings::APPEND };
+    GoblinRecursiveVerifier::ReductionResult output = verifier.reduce_to_pairing_check_and_ipa_opening();
 
     stdlib::recursion::honk::DefaultIO<Builder> inputs;
-    inputs.pairing_inputs = output.points_accumulator;
+    inputs.pairing_inputs = output.pairing_points;
     inputs.set_public();
 
     // Construct and verify a proof for the Goblin Recursive Verifier circuit
@@ -104,7 +104,7 @@ TEST_F(BoomerangGoblinRecursiveVerifierTests, graph_description_basic)
 
         ASSERT_TRUE(verified);
     }
-    auto translator_pairing_points = output.points_accumulator;
+    auto translator_pairing_points = output.pairing_points;
 
     // The pairing points are public outputs from the recursive verifier that will be verified externally via a pairing
     // check. While they are computed within the circuit (via batch_mul for P0 and negation for P1), their output

barretenberg/cpp/src/barretenberg/boomerang_value_detection/graph_description_merge_recursive_verifier.test.cpp

@@ -91,11 +91,8 @@ template <class RecursiveBuilder> class BoomerangRecursiveMergeVerifierTest : pu
         auto merge_transcript = std::make_shared<StdlibTranscript<RecursiveBuilder>>();
         RecursiveMergeVerifier verifier{ settings, merge_transcript };
         const stdlib::Proof<RecursiveBuilder> stdlib_merge_proof(outer_circuit, merge_proof);
-        [[maybe_unused]] auto [pairing_points,
-                               recursive_merged_table_commitments,
-                               degree_check_verified,
-                               concatenation_check_verified] =
-            verifier.verify_proof(stdlib_merge_proof, recursive_merge_commitments);
+        [[maybe_unused]] auto [pairing_points, merged_commitments, reduction_succeeded] =
+            verifier.reduce_to_pairing_check(stdlib_merge_proof, recursive_merge_commitments);
 
         // Check for a failure flag in the recursive verifier circuit
         EXPECT_FALSE(outer_circuit.failed());

barretenberg/cpp/src/barretenberg/boomerang_value_detection/variable_gates_count.test.cpp

@@ -21,7 +21,7 @@ TEST(boomerang_ultra_circuit_constructor, test_variable_gates_count_for_decompos
     auto a_idx = circuit_constructor.add_variable(fr(e));
     circuit_constructor.create_add_gate(
         { a_idx, circuit_constructor.zero_idx(), circuit_constructor.zero_idx(), 1, 0, 0, -fr(e) });
-    circuit_constructor.decompose_into_default_range(a_idx, 134);
+    circuit_constructor.create_limbed_range_constraint(a_idx, 134);
 
     StaticAnalyzer graph = StaticAnalyzer(circuit_constructor);
     std::unordered_set<uint32_t> variables_in_on_gate = graph.get_variables_in_one_gate();
@@ -37,7 +37,7 @@ TEST(boomerang_ultra_circuit_constructor, test_variable_gates_count_for_decompos
     auto a_idx = circuit_constructor.add_variable(fr(e));
     circuit_constructor.create_add_gate(
         { a_idx, circuit_constructor.zero_idx(), circuit_constructor.zero_idx(), 1, 0, 0, -fr(e) });
-    circuit_constructor.decompose_into_default_range(a_idx, 42);
+    circuit_constructor.create_limbed_range_constraint(a_idx, 42);
 
     StaticAnalyzer graph = StaticAnalyzer(circuit_constructor);
     auto variables_in_on_gate = graph.get_variables_in_one_gate();
@@ -81,8 +81,8 @@ TEST(boomerang_ultra_circuit_constructor, test_variable_gates_count_for_two_deco
         { a1_idx, circuit_constructor.zero_idx(), circuit_constructor.zero_idx(), 1, 0, 0, -fr(e1) });
     circuit_constructor.create_add_gate(
         { a2_idx, circuit_constructor.zero_idx(), circuit_constructor.zero_idx(), 1, 0, 0, -fr(e2) });
-    circuit_constructor.decompose_into_default_range(a1_idx, 42);
-    circuit_constructor.decompose_into_default_range(a2_idx, 42);
+    circuit_constructor.create_limbed_range_constraint(a1_idx, 42);
+    circuit_constructor.create_limbed_range_constraint(a2_idx, 42);
 
     StaticAnalyzer graph = StaticAnalyzer(circuit_constructor);
     std::unordered_set<uint32_t> variables_in_one_gate = graph.get_variables_in_one_gate();
@@ -100,8 +100,8 @@ TEST(boomerang_ultra_circuit_constructor, test_decompose_with_boolean_gates)
     auto e2 = fr(d2);
     auto a1_idx = circuit_constructor.add_variable(fr(e1));
     auto a2_idx = circuit_constructor.add_variable(fr(e2));
-    circuit_constructor.decompose_into_default_range(a1_idx, 42);
-    circuit_constructor.decompose_into_default_range(a2_idx, 42);
+    circuit_constructor.create_limbed_range_constraint(a1_idx, 42);
+    circuit_constructor.create_limbed_range_constraint(a2_idx, 42);
 
     for (size_t i = 0; i < 20; ++i) {
         fr a = fr::zero();
@@ -123,7 +123,7 @@ TEST(boomerang_ultra_circuit_constructor, test_decompose_for_6_bit_number)
     auto a_idx = circuit_constructor.add_variable(fr(d));
     circuit_constructor.create_add_gate(
         { a_idx, circuit_constructor.zero_idx(), circuit_constructor.zero_idx(), 1, 0, 0, -fr(e) });
-    circuit_constructor.decompose_into_default_range(a_idx, 6);
+    circuit_constructor.create_limbed_range_constraint(a_idx, 6);
 
     StaticAnalyzer graph = StaticAnalyzer(circuit_constructor);
     std::unordered_set<uint32_t> variables_in_on_gate = graph.get_variables_in_one_gate();

barretenberg/cpp/src/barretenberg/chonk/chonk.cpp

@@ -8,6 +8,7 @@
 #include "barretenberg/common/bb_bench.hpp"
 #include "barretenberg/common/streams.hpp"
 #include "barretenberg/ecc/curves/grumpkin/grumpkin.hpp"
+#include "barretenberg/goblin/goblin_verifier.hpp"
 #include "barretenberg/honk/prover_instance_inspector.hpp"
 #include "barretenberg/multilinear_batching/multilinear_batching_prover.hpp"
 #include "barretenberg/serialize/msgpack_impl.hpp"
@@ -530,24 +531,51 @@ bool Chonk::verify(const Proof& proof, const VerificationKey& vk)
     using TableCommitments = Goblin::TableCommitments;
     // Create a transcript to be shared by MegaZK-, Merge-, ECCVM-, and Translator- Verifiers.
     std::shared_ptr<Goblin::Transcript> chonk_verifier_transcript = std::make_shared<Goblin::Transcript>();
-    // Verify the Hiding kernel proof
+
+    // Step 1: Verify the Hiding kernel proof
     MegaZKVerifier verifier{ vk.mega, /*ipa_verification_key=*/{}, chonk_verifier_transcript };
     auto [mega_verified, kernel_return_data, T_prev_commitments] =
         verifier.template verify_proof<bb::HidingKernelIO>(proof.mega_proof);
     vinfo("Mega verified: ", mega_verified);
-    // Perform databus consistency checks
+    if (!mega_verified) {
+        info("Chonk verification failed at Mega step");
+        return false;
+    }
+
+    // Step 2: Perform databus consistency checks
     bool databus_consistency_verified = kernel_return_data == verifier.verifier_instance->witness_commitments.calldata;
     vinfo("Databus consistency verified: ", databus_consistency_verified);
+    if (!databus_consistency_verified) {
+        info("Chonk verification failed at databus consistency check");
+        return false;
+    }
+
     // Extract the commitments to the subtable corresponding to the incoming circuit
     TableCommitments t_commitments = verifier.verifier_instance->witness_commitments.get_ecc_op_wires().get_copy();
 
-    // Goblin verification (final merge, eccvm, translator)
-    bool goblin_verified = Goblin::verify(
-        proof.goblin_proof, { t_commitments, T_prev_commitments }, chonk_verifier_transcript, MergeSettings::APPEND);
-    vinfo("Goblin verified: ", goblin_verified);
+    // Step 3: Goblin verification (merge, eccvm, translator)
+    // Reduces Goblin proof to pairing points and IPA claim. In native mode, pairing checks are performed
+    // immediately for fail-fast. goblin_checks_passed includes reduction checks + pairing checks (pairing performed).
+    GoblinVerifier goblin_verifier{
+        chonk_verifier_transcript, proof.goblin_proof, { t_commitments, T_prev_commitments }, MergeSettings::APPEND
+    };
+    auto [_, ipa_claim, ipa_proof, goblin_checks_passed] = goblin_verifier.reduce_to_pairing_check_and_ipa_opening();
+    if (!goblin_checks_passed) {
+        info("Chonk verification failed at Goblin checks (merge/eccvm/translator reduction + pairing)");
+        return false;
+    }
+
+    // Step 4: Verify IPA opening
+    auto ipa_transcript = std::make_shared<Goblin::Transcript>(ipa_proof);
+    auto ipa_vk = VerifierCommitmentKey<curve::Grumpkin>{ ECCVMFlavor::ECCVM_FIXED_SIZE };
+    bool ipa_verified = IPA<curve::Grumpkin>::reduce_verify(ipa_vk, ipa_claim, ipa_transcript);
+    vinfo("Goblin IPA verified: ", ipa_verified);
+    if (!ipa_verified) {
+        info("Chonk verification failed at IPA check");
+        return false;
+    }
 
-    // TODO(https://github.com/AztecProtocol/barretenberg/issues/1396): State tracking in Chonk verifiers.
-    return goblin_verified && mega_verified && databus_consistency_verified;
+    return true;
 }
 
 // Proof methods

barretenberg/cpp/src/barretenberg/chonk/chonk.test.cpp

@@ -227,7 +227,7 @@ TEST_F(ChonkTests, WrongProofComponentFailure)
 
         tampered_proof.goblin_proof.merge_proof = chonk_proof_2.goblin_proof.merge_proof;
 
-        EXPECT_THROW_WITH_MESSAGE(Chonk::verify(tampered_proof, chonk_vk_1), "IPA verification fails");
+        EXPECT_FALSE(Chonk::verify(tampered_proof, chonk_vk_1));
     }
 
     {
@@ -236,7 +236,7 @@ TEST_F(ChonkTests, WrongProofComponentFailure)
 
         tampered_proof.mega_proof = chonk_proof_2.mega_proof;
 
-        EXPECT_THROW_WITH_MESSAGE(Chonk::verify(tampered_proof, chonk_vk_1), "IPA verification fails");
+        EXPECT_FALSE(Chonk::verify(tampered_proof, chonk_vk_1));
     }
 
     {
@@ -245,7 +245,7 @@ TEST_F(ChonkTests, WrongProofComponentFailure)
 
         tampered_proof.goblin_proof.eccvm_proof = chonk_proof_2.goblin_proof.eccvm_proof;
 
-        EXPECT_THROW_WITH_MESSAGE(Chonk::verify(tampered_proof, chonk_vk_1), "IPA verification fails");
+        EXPECT_FALSE(Chonk::verify(tampered_proof, chonk_vk_1));
     }
 
     {

barretenberg/cpp/src/barretenberg/circuit_checker/ultra_circuit_builder_basic.test.cpp

@@ -79,7 +79,7 @@ TEST(UltraCircuitBuilder, CheckCircuitShowcase)
     EXPECT_TRUE(CircuitChecker::check(builder));
 
     // Now let's create a range constraint for b
-    builder.create_new_range_constraint(b, 0xbeef);
+    builder.create_small_range_constraint(b, 0xbeef);
 
     // We can check if this works
     EXPECT_TRUE(CircuitChecker::check(builder));