fix: [ECCVM] explicit constrain precompute_select and q_transition (#20358)

notnotraju · web-flow · commit 7fb92e8cdf2d · 2026-02-15T21:14:42.000Z
force `precompute_select` to be monotonically non-increasing after the
0th row, force `q_transition == 0` when `precompute_select == 0`.
diff --git a/barretenberg/cpp/src/barretenberg/dsl/acir_format/gate_count_constants.hpp b/barretenberg/cpp/src/barretenberg/dsl/acir_format/gate_count_constants.hpp
@@ -113,7 +113,7 @@ constexpr std::tuple<size_t, size_t> HONK_RECURSION_CONSTANTS(
 // ========================================
 
 // Gate count for Chonk recursive verification (Ultra with RollupIO)
-inline constexpr size_t CHONK_RECURSION_GATES = 2394245;
+inline constexpr size_t CHONK_RECURSION_GATES = 2394559;
 
 // ========================================
 // Hypernova Recursion Constants
@@ -147,7 +147,7 @@ inline constexpr size_t HIDING_KERNEL_ULTRA_OPS = 124;
 // ========================================
 
 // Gate count for ECCVM recursive verifier (Ultra-arithmetized)
-inline constexpr size_t ECCVM_RECURSIVE_VERIFIER_GATE_COUNT = 223363;
+inline constexpr size_t ECCVM_RECURSIVE_VERIFIER_GATE_COUNT = 223675;
 
 // ========================================
 // Goblin AVM Recursive Verifier Constants
diff --git a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_wnaf_relation.hpp b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_wnaf_relation.hpp
@@ -44,9 +44,8 @@ template <typename FF_> class ECCVMWnafRelationImpl {
   public:
     using FF = FF_;
 
-    static constexpr std::array<size_t, 21> SUBRELATION_PARTIAL_LENGTHS{
-        5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5,
-    };
+    static constexpr std::array<size_t, 23> SUBRELATION_PARTIAL_LENGTHS{ 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5,
+                                                                         5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5 };
 
     template <typename ContainerOverSubrelations, typename AllEntities, typename Parameters>
     static void accumulate(ContainerOverSubrelations& accumulator,
diff --git a/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_wnaf_relation_impl.hpp b/barretenberg/cpp/src/barretenberg/relations/ecc_vm/ecc_wnaf_relation_impl.hpp
@@ -165,7 +165,13 @@ void ECCVMWnafRelationImpl<FF>::accumulate(ContainerOverSubrelations& accumulato
     auto sum_delta = scalar_sum * FF(1ULL << 16) + row_slice;
     const auto check_sum = scalar_sum_shift - sum_delta;
     std::get<8>(accumulator) += precompute_select * check_sum * scaled_transition_is_zero;
-
+    // We must constrain `precompute_select` to be of the correct shape: 0 1 1 ... 1 0 ...0. In other words, after the
+    // first row, it is monotonically non-decreasing. In other words, a malicious prover cannot inject the value '0' in
+    // the middle.
+    const auto scaled_lagrange_first_minus_one =
+        scaled_lagrange_first - scaling_factor; // (if not at the first row, is -1, else 0) * scaling_factor
+    const auto precompute_select_check = precompute_select_shift * (precompute_select - 1);
+    std::get<22>(accumulator) += scaled_lagrange_first_minus_one * precompute_select_check;
     /**
      * @brief Transition logic with `round` and `q_transition`.
      * Goal: `round` is an integer in [0, ... 7] that tracks how many slices we have processed for a given scalar.
@@ -250,7 +256,8 @@ void ECCVMWnafRelationImpl<FF>::accumulate(ContainerOverSubrelations& accumulato
     std::get<13>(accumulator) += precompute_select * (precompute_skew * (precompute_skew - 7)) * scaling_factor;
 
     // Set slices (a.k.a. compressed digits), pc, and round all to zero when `precompute_select == 0`.
-    // (this is for one of the multiset equality checks.)
+    // (this is for one of the multiset equality checks.) Defensively, we also set precompute_point_transition to 0 when
+    // precompute_select == 0.
     const auto precompute_select_zero = (-precompute_select + 1) * scaling_factor;
     std::get<14>(accumulator) += precompute_select_zero * (w0 + 15);
     std::get<15>(accumulator) += precompute_select_zero * (w1 + 15);
@@ -259,14 +266,6 @@ void ECCVMWnafRelationImpl<FF>::accumulate(ContainerOverSubrelations& accumulato
 
     std::get<18>(accumulator) += precompute_select_zero * round;
     std::get<19>(accumulator) += precompute_select_zero * pc;
-
-    // Note(@zac-williamson #2226)
-    // if precompute_select = 0, validate pc, round, slice values are all zero
-    // If we do this we can reduce the degree of the set equivalence relations
-    // (currently when checking pc/round/wnaf tuples from WNAF columns match those from MSM columns,
-    //  we conditionally include tuples depending on if precompute_select = 1 (for WNAF columns) or if q_add1/2/3/4 = 1
-    //  (for MSM columns).
-    // If we KNOW that the wnaf tuple values are 0 when precompute_select = 0, we can remove the conditional checks in
-    // the set equivalence relation
+    std::get<21>(accumulator) += precompute_select_zero * q_transition;
 }
 } // namespace bb
