feat: merge-train/barretenberg (#17127)

BEGIN_COMMIT_OVERRIDE
chore: ECCVM audit skip conditions (#17108)
END_COMMIT_OVERRIDE

Author: AztecBot

barretenberg/cpp/src/barretenberg/eccvm/eccvm.test.cpp

@@ -66,18 +66,26 @@ ECCVMCircuitBuilder generate_circuit(numeric::RNG* engine = nullptr)
     return builder;
 }
 
-ECCVMCircuitBuilder generate_zero_circuit([[maybe_unused]] numeric::RNG* engine = nullptr)
+// returns a CircuitBuilder consisting of mul_add ops of the following form: either 0*g, for a group element, or
+// x * e, where x is a scalar and e is the identity element of the group.
+ECCVMCircuitBuilder generate_zero_circuit([[maybe_unused]] numeric::RNG* engine = nullptr, bool zero_scalars = 1)
 {
     using Curve = curve::BN254;
     using G1 = Curve::Element;
     using Fr = Curve::ScalarField;
 
     std::shared_ptr<ECCOpQueue> op_queue = std::make_shared<ECCOpQueue>();
-    [[maybe_unused]] G1 a = G1::random_element(engine);
 
-    [[maybe_unused]] Fr x = Fr::random_element(engine);
-    for (auto i = 0; i < 8; i++) {
-        op_queue->mul_accumulate(Curve::Group::affine_point_at_infinity, 0);
+    if (!zero_scalars) {
+        for (auto i = 0; i < 8; i++) {
+            Fr x = Fr::random_element(engine);
+            op_queue->mul_accumulate(Curve::Group::affine_point_at_infinity, x);
+        }
+    } else {
+        for (auto i = 0; i < 8; i++) {
+            G1 g = G1::random_element(engine);
+            op_queue->mul_accumulate(g, 0);
+        }
     }
     op_queue->merge();
 
@@ -113,9 +121,23 @@ void complete_proving_key_for_test(bb::RelationParameters<FF>& relation_paramete
         gate_challenges[idx] = FF::random_element();
     }
 }
-TEST_F(ECCVMTests, Zeroes)
+TEST_F(ECCVMTests, ZeroesCoefficients)
 {
-    ECCVMCircuitBuilder builder = generate_zero_circuit(&engine);
+    ECCVMCircuitBuilder builder = generate_zero_circuit(&engine, 1);
+
+    std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();
+    ECCVMProver prover(builder, prover_transcript);
+    ECCVMProof proof = prover.construct_proof();
+
+    std::shared_ptr<Transcript> verifier_transcript = std::make_shared<Transcript>();
+    ECCVMVerifier verifier(verifier_transcript);
+    bool verified = verifier.verify_proof(proof);
+
+    ASSERT_TRUE(verified);
+}
+TEST_F(ECCVMTests, PointAtInfinity)
+{
+    ECCVMCircuitBuilder builder = generate_zero_circuit(&engine, 0);
 
     std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();
     ECCVMProver prover(builder, prover_transcript);

barretenberg/cpp/src/barretenberg/eccvm/eccvm_flavor.hpp

@@ -1018,33 +1018,37 @@ class ECCVMFlavor {
     };
 
     /**
-     * @brief When evaluating the sumcheck protocol - can we skip evaluation of all relations for a given row?
+     * @brief   When evaluating the sumcheck protocol - can we skip evaluation of _all_ relations for a given row? This
+     *          is purely a prover-side optimization.
      *
      * @details When used in ClientIVC, the ECCVM has a large fixed size, which is often not fully utilized.
-     *          If a row is completely empty, the values of z_perm and z_perm_shift will match,
-     *          we can use this as a proxy to determine if we can skip Sumcheck::compute_univariate_with_row_skipping
+     *          If a row is completely empty, the values of `z_perm` and `z_perm_shift` will match,
+     *          we can use this as a proxy to determine if we can skip `Sumcheck::compute_univariate_with_row_skipping`.
+     *          In fact, here are several other conditions that need to be checked to see if we can skip the computation
+     *          of all relations in the row.
      **/
     template <typename ProverPolynomialsOrPartiallyEvaluatedMultivariates, typename EdgeType>
     static bool skip_entire_row([[maybe_unused]] const ProverPolynomialsOrPartiallyEvaluatedMultivariates& polynomials,
                                 [[maybe_unused]] const EdgeType edge_idx)
     {
-        // skip conditions. TODO: add detailed commentary during audit.
+        // SKIP CONDITIONS:
         // The most important skip condition is that `z_perm == z_perm_shift`. This implies that none of the wire values
         // for the present input are involved in non-trivial copy constraints. Edge cases where nonzero rows do not
         // contribute to permutation:
         //
         // 1: If `lagrange_last != 0`, the permutation polynomial identity is updated even if
-        // z_perm == z_perm_shift
+        //    z_perm == z_perm_shift. Therefore, we must force it to be zero.
         //
         // 2: The final MSM row won't add to the permutation but still has polynomial identitiy
         //    contributions. This is because the permutation argument uses the SHIFTED msm columns when performing
-        //    lookups i.e. `polynomials.msm_accumulator_x[last_edge_idx] will change z_perm[last_edge_idx - 1] and
-        //    z_perm_shift[last_edge_idx - 1]
+        //    lookups i.e. `msm_accumulator_x[last_edge_idx]` will change `z_perm[last_edge_idx - 1]` and
+        //    `z_perm_shift[last_edge_idx - 1]`
         //
-        // 3. The value of `transcript_mul` can be non-zero at the end of an MSM of points-at-infinity, which will
-        //    cause `full_msm_count` to be non-zero while `transcript_msm_count` vanishes.
+        // 3. The value of `transcript_mul` is non-zero at the end of an MSM of points-at-infinity, which will
+        //    cause `full_msm_count` to be non-zero while `transcript_msm_count` vanishes. We therefore force
+        //    transcript_mul == 0 as a skip-row condition.
         //
-        // 4. For similar reasons, we must add that `transcript_op==0`.
+        // 4: We also force that `transcript_op==0`.
         return (polynomials.z_perm[edge_idx] == polynomials.z_perm_shift[edge_idx]) &&
                (polynomials.z_perm[edge_idx + 1] == polynomials.z_perm_shift[edge_idx + 1]) &&
                (polynomials.lagrange_last[edge_idx] == 0 && polynomials.lagrange_last[edge_idx + 1]) == 0 &&

barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_set_relation.hpp

@@ -22,13 +22,27 @@ template <typename FF_> class ECCVMSetRelationImpl {
         22, // grand product construction sub-relation
         3   // left-shiftable polynomial sub-relation
     };
-
+    // prover optimization to allow for skipping the computation of sub-relations at certain points in sumcheck.
     template <typename AllEntities> inline static bool skip(const AllEntities& in)
     {
-        // If z_perm == z_perm_shift, this implies that none of the wire values for the present input are involved in
-        // non-trivial copy constraints. The value of `transcript_mul` can be non-zero at the end of an MSM of
-        // points-at-infinity, which will cause `full_msm_count` to be non-zero while `transcript_msm_count` vanishes.
-        // Therefore, we add this as a skip condition.
+        // For the first accumulator in the set relation, the added-on term is 0 if the following vanishes:
+        //
+        // `(z_perm + lagrange_first) * numerator_evaluation - (z_perm_shift + lagrange_last) * denominator_evaluation`,
+        //
+        // i.e., if z_perm is well-formed.
+        //
+        // For the second accumulator in the set relation, the added-on term is 0 if the following vanishes:
+        //
+        // `lagrange_last_short * z_perm_shift_short`
+        //
+        // To know when we can skip this computation (i.e., when it is "automatically" 0), most cases are handled by the
+        // condtion `z_perm == z_perf_shift`. In most circumstances, this implies that with overwhelming probability,
+        // none of the wire values for the present input are involved in non-trivial copy constraints.
+        //
+        // There are two other edge-cases we need to check for to know we can skip the computation. First,
+        // `transcript_mul` can be 1 even though the multiplication is "degenerate" (and not handled by the MSM table):
+        // this holds if either the scalar is 0 or the point is the neutral element. Therefore we force this. Second, we
+        // must force lagrange_last == 0.
         return (in.z_perm - in.z_perm_shift).is_zero() && in.transcript_mul.is_zero() && in.lagrange_last.is_zero();
     }
 

barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_set_relation_impl.hpp

@@ -144,9 +144,6 @@ Accumulator ECCVMSetRelationImpl<FF>::compute_grand_product_numerator(const AllE
         // if `precompute_select == 1`, don't change the numerator. if it is 0, then to get the grand product argument
         // to work (as we have zero-padded the rows of the MSM table), we must multiply by
         // `eccvm_set_permutation_delta` == (γ)·(γ + β²)·(γ + 2β²)·(γ + 3β²)
-        // if `precompute_select == 1`, don't change the numerator. if it is 0, then to get the grand product argument
-        // to work (as we have zero-padded the rows of the MSM table), we must multiply by
-        // `eccvm_set_permutation_delta` == (γ)·(γ + β²)·(γ + 2β²)·(γ + 3β²)
         numerator *= precompute_select * (-eccvm_set_permutation_delta + 1) + eccvm_set_permutation_delta; // degree-7
     }