fix: apply review feedback

Author: Maddiaa0

barretenberg/sol/src/honk/optimised/blake-opt.sol

@@ -909,7 +909,6 @@ contract BlakeOptHonkVerifier is IVerifier {
     /*.•°:°.´+˚.*°.˚:*.´•*.+°.•°:´*.´•*.•°.•°:°.´:•˚°.*°.˚:*.´+°.•*/
 
     // Aliases for scratch space
-    // TODO: work out the stack scheduling for these
     uint256 internal constant CHALL_POW_LOC = 0x0;
     uint256 internal constant SUMCHECK_U_LOC = 0x20;
     uint256 internal constant GEMINI_A_LOC = 0x40;
@@ -933,19 +932,22 @@ contract BlakeOptHonkVerifier is IVerifier {
     uint256 internal constant EC_Q_SIGN = QL_EVAL_LOC;
     uint256 internal constant EC_Q_IS_DOUBLE = QM_EVAL_LOC;
 
-    // -1/2 mod p
     /*´:°•.°+.*•´.*:˚.°*.˚•´.°:°•.°•.*•´.*:˚.°*.˚•´.°:°•.°+.*•´.*:*/
     /*                          CONSTANTS                         */
     /*.•°:°.´+˚.*°.˚:*.´•*.+°.•°:´*.´•*.•°.•°:°.´:•˚°.*°.˚:*.´+°.•*/
-    uint256 internal constant NEG_HALF_MODULO_P = 0x183227397098d014dc2822db40c0ac2e9419f4243cdcb848a1f0fac9f8000000;
     uint256 internal constant GRUMPKIN_CURVE_B_PARAMETER_NEGATED = 17; // -(-17)
 
     // Auxiliary relation constants
+    // In the Non Native Field Arithmetic Relation, large field elements are broken up into 4 LIMBs of 68 `LIMB_SIZE` bits each.
     uint256 internal constant LIMB_SIZE = 0x100000000000000000; // 2<<68
-    uint256 internal constant SUBLIMB_SHIFT = 0x4000; // 2<<14
 
-    // Poseidon internal constants
+    // In the Delta Range Check Relation, there is a range checking relation that can validate 14-bit range checks with only 1
+    // extra relation in the execution trace.
+    // For large range checks, we decompose them into a collection of 14-bit range checks.
+    uint256 internal constant SUBLIMB_SHIFT = 0x4000; // 2<<14
 
+    // Poseidon2 internal constants
+    // https://github.com/HorizenLabs/poseidon2/blob/main/poseidon2_rust_params.sage - derivation code
     uint256 internal constant POS_INTERNAL_MATRIX_D_0 =
         0x10dc6e9c006ea38b04b1e03b4bd9490c0d03f98929ca1d7fb56821fd19d3b6e7;
     uint256 internal constant POS_INTERNAL_MATRIX_D_1 =
@@ -957,6 +959,7 @@ contract BlakeOptHonkVerifier is IVerifier {
 
     // Constants inspecting proof components
     uint256 internal constant NUMBER_OF_UNSHIFTED_ENTITIES = 36;
+    // Shifted columns are columes that are duplicates of existing columns but right-shifted by 1
     uint256 internal constant NUMBER_OF_SHIFTED_ENTITIES = 5;
     uint256 internal constant TOTAL_NUMBER_OF_ENTITIES = 41;
 
@@ -966,9 +969,15 @@ contract BlakeOptHonkVerifier is IVerifier {
     uint256 internal constant G1_LOCATION = 0x60;
     uint256 internal constant G1_Y_LOCATION = 0x80;
     uint256 internal constant SCALAR_LOCATION = 0xa0;
+
     uint256 internal constant LOWER_128_MASK = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF;
 
+    // Group order
+    uint256 internal constant Q = 21888242871839275222246405745257275088696311157297823662689037894645226208583; // EC group order
+
     // Field order constants
+    // -1/2 mod p
+    uint256 internal constant NEG_HALF_MODULO_P = 0x183227397098d014dc2822db40c0ac2e9419f4243cdcb848a1f0fac9f8000000;
     uint256 internal constant P = 21888242871839275222246405745257275088548364400416034343698204186575808495617;
     uint256 internal constant P_SUB_1 = 21888242871839275222246405745257275088548364400416034343698204186575808495616;
     uint256 internal constant P_SUB_2 = 21888242871839275222246405745257275088548364400416034343698204186575808495615;
@@ -978,6 +987,24 @@ contract BlakeOptHonkVerifier is IVerifier {
     uint256 internal constant P_SUB_6 = 21888242871839275222246405745257275088548364400416034343698204186575808495611;
     uint256 internal constant P_SUB_7 = 21888242871839275222246405745257275088548364400416034343698204186575808495610;
 
+    // Barycentric evaluation constants
+    uint256 internal constant BARYCENTRIC_LAGRANGE_DENOMINATOR_0 =
+        0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593efffec51;
+    uint256 internal constant BARYCENTRIC_LAGRANGE_DENOMINATOR_1 =
+        0x00000000000000000000000000000000000000000000000000000000000002d0;
+    uint256 internal constant BARYCENTRIC_LAGRANGE_DENOMINATOR_2 =
+        0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593efffff11;
+    uint256 internal constant BARYCENTRIC_LAGRANGE_DENOMINATOR_3 =
+        0x0000000000000000000000000000000000000000000000000000000000000090;
+    uint256 internal constant BARYCENTRIC_LAGRANGE_DENOMINATOR_4 =
+        0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593efffff71;
+    uint256 internal constant BARYCENTRIC_LAGRANGE_DENOMINATOR_5 =
+        0x00000000000000000000000000000000000000000000000000000000000000f0;
+    uint256 internal constant BARYCENTRIC_LAGRANGE_DENOMINATOR_6 =
+        0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593effffd31;
+    uint256 internal constant BARYCENTRIC_LAGRANGE_DENOMINATOR_7 =
+        0x00000000000000000000000000000000000000000000000000000000000013b0;
+
     // Constants for computing public input delta
     uint256 constant PERMUTATION_ARGUMENT_VALUE_SEPARATOR = 1 << 28;
 
@@ -991,19 +1018,22 @@ contract BlakeOptHonkVerifier is IVerifier {
     uint256 internal constant MODEXP_FAILED_SELECTOR = 0xf442f1632;
     uint256 internal constant PROOF_POINT_NOT_ON_CURVE_SELECTOR = 0x661e012dec;
 
-    // TOOD: maybe verify vk points are on curve in constructor
     constructor() {}
 
-    function verify(bytes calldata, bytes32[] calldata) public override view returns (bool) {
+    function verify(bytes calldata, /*proof*/ bytes32[] calldata /*public_inputs*/ )
+        public
+        view
+        override
+        returns (bool)
+    {
         // Load the proof from calldata in one large chunk
         assembly {
-            // Inline the verification key code here for the meantime
-            // will be in it's own library
-            // Note the split committments here will make a difference to costs in the end
             /*´:°•.°+.*•´.*:˚.°*.˚•´.°:°•.°•.*•´.*:˚.°*.˚•´.°:°•.°+.*•´.*:*/
             /*                   LOAD VERIFCATION KEY                     */
             /*.•°:°.´+˚.*°.˚:*.´•*.+°.•°:´*.´•*.•°.•°:°.´:•˚°.*°.˚:*.´+°.•*/
             // Write the verification key into memory
+            //
+            // Although defined at the top of the file, it is used towards the end of the algorithm when batching in the commitment scheme.
             function loadVk() {
                 mstore(Q_L_X_LOC, 0x1638b2ed58e539359cbb8efff0c6772b16bfe763ff7d1accf8b7fcfe8a075d5d)
                 mstore(Q_L_Y_LOC, 0x2ddbcd8955a1df6ee2906cd36e4ef311e1961ec5fda0ca087aaca85c577de5cc)
@@ -1063,8 +1093,8 @@ contract BlakeOptHonkVerifier is IVerifier {
                 mstore(LAGRANGE_LAST_Y_LOC, 0x0653455f179c7df626a5b79bf2694c5ceaf36de7f007a4cfa251305b68b50775)
             }
 
-            // Prime field order
-            let p := 21888242871839275222246405745257275088548364400416034343698204186575808495617
+            // Prime field order - placing on the stack
+            let p := P
 
             {
                 let proof_ptr := add(calldataload(0x04), 0x24)
@@ -1075,14 +1105,8 @@ contract BlakeOptHonkVerifier is IVerifier {
                 /*
                  * Proof points (affine coordinates) in the proof are in the following format, where offset is
                  * the offset in the entire proof until the first bit of the x coordinate
-                 * offset + 0x00: x - lower bits
-                 * offset + 0x20: x - higher bits
-                 * offset + 0x40: y - lower bits
-                 * offset + 0x60: y - higher bits
-                 *
-                 * Proof points are in this extended format at the moment as the proofs are optimised for
-                 * consumption by recursive verifiers
-                 * In the future, it is expect that these proofs will be shortened to be 64 bytes
+                 * offset + 0x00: x
+                 * offset + 0x20: y
                  */
 
                 /*´:°•.°+.*•´.*:˚.°*.˚•´.°:°•.°•.*•´.*:˚.°*.˚•´.°:°•.°+.*•´.*:*/
@@ -1225,25 +1249,34 @@ contract BlakeOptHonkVerifier is IVerifier {
                     let prev := mload(sub(gate_off, 0x20))
 
                     mstore(gate_off, mulmod(prev, prev, p))
-
                     gate_off := add(gate_off, 0x20)
                 }
 
+                // Sumcheck Univariate challenges
+                // The algebraic relations of the Honk protocol are max degree-7.
+                // To prove satifiability, we multiply the relation by a random (POW) polynomial. We do this as we want all of our relations
+                // to be zero on every row - not for the sum of the relations to be zero. (Which is all sumcheck can do without this modification)
+                //
+                // As a result, in every round of sumcheck, the prover sends an degree-8 univariate polynomial.
+                // The sumcheck univariate challenge produces a challenge for each round of sumcheck, hashing the prev_challenge with
+                // a hash of the degree 8 univariate polynomial provided by the prover.
+                //
+                // 8 points are sent as it is enough to uniquely identify the polynomial
                 let read_off := SUMCHECK_UNIVARIATE_0_0_LOC
                 let write_off := SUM_U_CHALLENGE_0
                 for {} lt(read_off, QM_EVAL_LOC) {} {
                     // Increase by 20 * batched relation length (8)
-                    // 20 * 8 = 160 (0xa0)
-
+                    // 0x20 * 0x8 = 0x100
                     mcopy(0x20, read_off, 0x100)
 
-                    // Hash 0xa0 + 20 (prev hash) = 0xc0
+                    // Hash 0x100 + 0x20 (prev hash) = 0x120
                     prev_challenge := mod(keccak256(0x00, 0x120), p)
                     mstore(0x00, prev_challenge)
 
                     let sumcheck_u_challenge := and(prev_challenge, LOWER_128_MASK)
                     mstore(write_off, sumcheck_u_challenge)
 
+                    // Progress read / write pointers
                     read_off := add(read_off, 0x100)
                     write_off := add(write_off, 0x20)
                 }
@@ -1265,7 +1298,7 @@ contract BlakeOptHonkVerifier is IVerifier {
                 // - QRANGE
                 // - QELLIPTIC
                 // - QMEMORY
-                // - QNNF
+                // - QNNF (NNF = Non Native Field)
                 // - QPOSEIDON2_EXTERNAL
                 // - QPOSEIDON2_INTERNAL
                 // - SIGMA1
@@ -1374,7 +1407,13 @@ contract BlakeOptHonkVerifier is IVerifier {
              * The above equation enforces that for each cell in the trace, if the id and sigma pair are equal, then the
              * witness value in that cell is equal.
              *
-             * We extra terms to add to this product that correspond to public input values
+             * We extra terms to add to this product that correspond to public input values.
+             *
+             * The values of id_i and σ_i polynomials are related to a generalized PLONK permutation argument, in the original paper, there
+             * were no id_i polynomials.
+             *
+             * These are required under the multilinear setting as we cannot use cosets of the roots of unity to represent unique sets, rather
+             * we just use polynomials that include unique values. In implementation, id_0 can be {0 .. n} and id_1 can be {n .. 2n} and so forth.
              *
              */
             {
@@ -1465,48 +1504,62 @@ contract BlakeOptHonkVerifier is IVerifier {
             /*´:°•.°+.*•´.*:˚.°*.˚•´.°:°•.°•.*•´.*:˚.°*.˚•´.°:°•.°+.*•´.*:*/
             /*                        SUMCHECK                            */
             /*.•°:°.´+˚.*°.˚:*.´•*.+°.•°:´*.´•*.•°.•°:°.´:•˚°.*°.˚:*.´+°.•*/
+            //
+            // Sumcheck is used to prove that every relation 0 on each row of the witness.
+            //
+            // Given each of the columns of our trace is a multilinear polynomial 𝑃1,…,𝑃𝑁∈𝔽[𝑋0,…,𝑋𝑑−1]. We run sumcheck over the polynomial
+            //
+            //                         𝐹̃ (𝑋0,…,𝑋𝑑−1)=𝑝𝑜𝑤𝛽(𝑋0,…,𝑋𝑑−1)⋅𝐹(𝑃1(𝑋0,…,𝑋𝑑−1),…,𝑃𝑁(𝑋0,…,𝑋𝑑−1))
+            //
+            // The Pow polynomial is a random polynomial that allows us to ceritify that the relations sum to 0 on each row of the witness,
+            // rather than the entire sum just targeting 0.
+            //
+            // Each polynomial P in our implementation are the polys in the proof and the verification key. (W_1, W_2, W_3, W_4, Z_PERM, etc....)
+            //
+            // We start with a LOG_N variate multilinear polynomial, each round fixes a variable to a challenge value.
+            // Each round the prover sends a round univariate poly, since the degree of our honk relations is 7 + the pow polynomial the prover
+            // sends a degree-8 univariate on each round.
+            // This is sent efficiently by sending 8 values, enough to represent a unique polynomial.
+            // Barycentric evaluation is used to evaluate the polynomial at any point on the domain, given these 8 unique points.
+            //
+            // In the sumcheck protocol, the target sum for each round is the sum of the round univariate evaluated on 0 and 1.
+            //                                               𝜎𝑖=?𝑆̃ 𝑖(0)+𝑆̃ 𝑖(1)
+            // This is efficiently checked as S(0) and S(1) are sent by the prover as values of the round univariate.
+            //
+            // We compute the next challenge by evaluating the round univariate at a random challenge value.
+            //                                                  𝜎𝑖+1←𝑆̃ 𝑖(𝑢𝑖)
+            // This evaluation is performed via barycentric evaluation.
+            //
+            // Once we have reduced the multilinear polynomials into single dimensional polys, we check the entire sumcheck relation matches the target sum.
+            //
+            // Below this is composed of 8 relations:
+            // 1. Arithmetic relation - constrains arithmetic
+            // 2. Permutaiton Relation - efficiently encodes copy constraints
+            // 3. Log Derivative Lookup Relation - used for lookup operations
+            // 4. Delta Range Relation - used for efficient range checks
+            // 5. Memory Relation - used for efficient memory operations
+            // 6. NNF Relation - used for efficient Non Native Field operations
+            // 7. Poseidon2 External Relation - used for efficient in-circuit hashing
+            // 8. Poseidon2 Internal Relation - used for efficient in-circuit hashing
+            //
+            // These are batched together and evaluated at the same time using the alpha challenges.
+            //
             {
                 // We write the barycentric domain values into memory
                 // These are written once per program execution, and reused across all
                 // sumcheck rounds
-                mstore(
-                    BARYCENTRIC_LAGRANGE_DENOMINATOR_0_LOC,
-                    0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593efffec51
-                )
-                mstore(
-                    BARYCENTRIC_LAGRANGE_DENOMINATOR_1_LOC,
-                    0x00000000000000000000000000000000000000000000000000000000000002d0
-                )
-                mstore(
-                    BARYCENTRIC_LAGRANGE_DENOMINATOR_2_LOC,
-                    0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593efffff11
-                )
-                mstore(
-                    BARYCENTRIC_LAGRANGE_DENOMINATOR_3_LOC,
-                    0x0000000000000000000000000000000000000000000000000000000000000090
-                )
-                mstore(
-                    BARYCENTRIC_LAGRANGE_DENOMINATOR_4_LOC,
-                    0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593efffff71
-                )
-                mstore(
-                    BARYCENTRIC_LAGRANGE_DENOMINATOR_5_LOC,
-                    0x00000000000000000000000000000000000000000000000000000000000000f0
-                )
-                mstore(
-                    BARYCENTRIC_LAGRANGE_DENOMINATOR_6_LOC,
-                    0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593effffd31
-                )
-                mstore(
-                    BARYCENTRIC_LAGRANGE_DENOMINATOR_7_LOC,
-                    0x00000000000000000000000000000000000000000000000000000000000013b0
-                )
+                mstore(BARYCENTRIC_LAGRANGE_DENOMINATOR_0_LOC, BARYCENTRIC_LAGRANGE_DENOMINATOR_0)
+                mstore(BARYCENTRIC_LAGRANGE_DENOMINATOR_1_LOC, BARYCENTRIC_LAGRANGE_DENOMINATOR_1)
+                mstore(BARYCENTRIC_LAGRANGE_DENOMINATOR_2_LOC, BARYCENTRIC_LAGRANGE_DENOMINATOR_2)
+                mstore(BARYCENTRIC_LAGRANGE_DENOMINATOR_3_LOC, BARYCENTRIC_LAGRANGE_DENOMINATOR_3)
+                mstore(BARYCENTRIC_LAGRANGE_DENOMINATOR_4_LOC, BARYCENTRIC_LAGRANGE_DENOMINATOR_4)
+                mstore(BARYCENTRIC_LAGRANGE_DENOMINATOR_5_LOC, BARYCENTRIC_LAGRANGE_DENOMINATOR_5)
+                mstore(BARYCENTRIC_LAGRANGE_DENOMINATOR_6_LOC, BARYCENTRIC_LAGRANGE_DENOMINATOR_6)
+                mstore(BARYCENTRIC_LAGRANGE_DENOMINATOR_7_LOC, BARYCENTRIC_LAGRANGE_DENOMINATOR_7)
 
                 // Compute the target sums for each round of sumcheck
                 {
                     // This requires the barycentric inverses to be computed for each round
-                    // TODO: PROSE
-
                     // Write all of the non inverted barycentric denominators into memory
                     let accumulator := 1
                     let temp := LATER_SCRATCH_SPACE
@@ -2177,8 +2230,7 @@ contract BlakeOptHonkVerifier is IVerifier {
                         let record_delta := addmod(mload(W4_SHIFT_EVAL_LOC), sub(p, mload(W4_EVAL_LOC)), p)
 
                         // index_is_monotonically_increasing = index_delta * (index_delta - 1)
-                        let index_is_monotonically_increasing :=
-                            mulmod(index_delta, addmod(index_delta, P_SUB_1, p), p)
+                        let index_is_monotonically_increasing := mulmod(index_delta, addmod(index_delta, P_SUB_1, p), p)
 
                         // adjacent_values_match_if_adjacent_indices_match = record_delta * (1 - index_delta)
                         let adjacent_values_match_if_adjacent_indices_match :=
@@ -2708,11 +2760,6 @@ contract BlakeOptHonkVerifier is IVerifier {
             let off := POWERS_OF_EVALUATION_CHALLENGE_0_LOC
             mstore(off, cache)
 
-            ////////////////////////////////////////////
-            ////////////////////////////////////////////
-            // TODO: remove pointer???
-            ////////////////////////////////////////////
-            ////////////////////////////////////////////
             for { let i := 1 } lt(i, LOG_N) { i := add(i, 1) } {
                 off := add(off, 0x20)
                 cache := mulmod(cache, cache, p)
@@ -3599,7 +3646,7 @@ contract BlakeOptHonkVerifier is IVerifier {
             }
 
             let precomp_success_flag := 1
-            let q := 21888242871839275222246405745257275088696311157297823662689037894645226208583 // EC group order
+            let q := Q // EC group order
             {
                 // The initial accumulator = 1 * shplonk_q
                 // WORKTODO(md): we can ignore this accumulation as we are multiplying by 1,