feat: merge-train/barretenberg (#18823)

BEGIN_COMMIT_OVERRIDE
fix: `accumulated_result` fully random (#18736)
END_COMMIT_OVERRIDE

Author: AztecBot

barretenberg/cpp/scripts/test_chonk_standalone_vks_havent_changed.sh

@@ -13,7 +13,7 @@ cd ..
 # - Generate a hash for versioning: sha256sum bb-chonk-inputs.tar.gz
 # - Upload the compressed results: aws s3 cp bb-chonk-inputs.tar.gz s3://aztec-ci-artifacts/protocol/bb-chonk-inputs-[hash(0:8)].tar.gz
 # Note: In case of the "Test suite failed to run ... Unexpected token 'with' " error, need to run: docker pull aztecprotocol/build:3.0
-pinned_short_hash="069bd3d2"
+pinned_short_hash="b3c2a68c"
 pinned_chonk_inputs_url="https://aztec-ci-artifacts.s3.us-east-2.amazonaws.com/protocol/bb-chonk-inputs-${pinned_short_hash}.tar.gz"
 
 function compress_and_upload {

barretenberg/cpp/src/barretenberg/chonk/chonk.cpp

@@ -7,6 +7,7 @@
 #include "barretenberg/chonk/chonk.hpp"
 #include "barretenberg/common/bb_bench.hpp"
 #include "barretenberg/common/streams.hpp"
+#include "barretenberg/ecc/curves/grumpkin/grumpkin.hpp"
 #include "barretenberg/honk/prover_instance_inspector.hpp"
 #include "barretenberg/multilinear_batching/multilinear_batching_prover.hpp"
 #include "barretenberg/serialize/msgpack_impl.hpp"
@@ -143,8 +144,6 @@ Chonk::perform_recursive_verification_and_databus_consistency_checks(
         vinfo("Recursively verifying accumulation of the tail kernel.");
         BB_ASSERT_EQ(stdlib_verification_queue.size(), size_t(1));
 
-        hide_op_queue_accumulation_result(circuit);
-
         auto [_first_verified, _second_verified, final_verifier_accumulator] =
             folding_verifier.verify_folding_proof(verifier_instance, verifier_inputs.proof);
 
@@ -253,6 +252,9 @@ void Chonk::complete_kernel_circuit_logic(ClientCircuit& circuit)
         // Add randomness at the begining of the tail kernel (whose ecc ops fall at the beginning of the op queue table)
         // to ensure the CHONK proof doesn't leak information about the actual content of the op queue
         hide_op_queue_content_in_tail(circuit);
+
+        // Add the hiding op with random (non-curve) Px, Py values for statistical hiding of accumulated_result.
+        hide_op_queue_accumulation_result(circuit);
     }
     circuit.queue_ecc_eq();
 
@@ -447,23 +449,19 @@ void Chonk::accumulate(ClientCircuit& circuit, const std::shared_ptr<MegaVerific
 }
 
 /**
- * @brief Add a valid operation with random data to the op queue to prevent information leakage in Translator
- * proof.
+ * @brief Add a hiding op with fully random Px, Py field elements to prevent information leakage in Translator proof.
  *
  * @details The Translator circuit builder evaluates a batched polynomial (representing the four op queue polynomials
  * in UltraOp format) at a random challenge x. This evaluation result (called accumulated_result in translator) is
  * included in the translator proof and verified against the equivalent computation performed by ECCVM (in
- * verify_translation, establishing equivalence between ECCVM and UltraOp format). To ensure the accumulated_result
- * doesn't reveal information about actual ecc operations in the transaction, when the proof is sent to the rollup, we
- * add a random yet valid operation to the op queue. This guarantees the batched polynomial over Grumpkin contains at
- * least one random coefficient.
+ * verify_translation, establishing equivalence between ECCVM and UltraOp format).
+ *
  */
 void Chonk::hide_op_queue_accumulation_result(ClientCircuit& circuit)
 {
-    Point random_point = Point::random_element();
-    FF random_scalar = FF::random_element();
-    circuit.queue_ecc_mul_accum(random_point, random_scalar);
-    circuit.queue_ecc_eq();
+    // Use random Fq field elements as Px and Py.
+    using Fq = curve::Grumpkin::ScalarField; // Same as BN254::BaseField
+    circuit.queue_ecc_hiding_op(Fq::random_element(), Fq::random_element());
 }
 
 /**

barretenberg/cpp/src/barretenberg/commitment_schemes_recursion/shplemini.test.cpp

@@ -264,6 +264,9 @@ template <class PCS> class ShpleminiRecursionTest : public CommitmentTest<typena
         if constexpr (std::is_same_v<Builder, MegaCircuitBuilder>) {
             validate_num_eccvm_rows(num_polys, num_shifted, short_scalars, &builder);
             if (prove_eccvm) {
+                // Add hiding op for ECCVM ZK (prepended to ECCVM ops at row 1)
+                using Fq = curve::Grumpkin::ScalarField;
+                builder.queue_ecc_hiding_op(Fq::random_element(), Fq::random_element());
                 builder.op_queue->merge();
                 using clock = std::chrono::steady_clock;
                 auto start_total = clock::now();

barretenberg/cpp/src/barretenberg/dsl/acir_format/gate_count_constants.hpp

@@ -81,7 +81,7 @@ inline constexpr std::tuple<size_t, size_t, size_t> HONK_RECURSION_CONSTANTS = [
 // ========================================
 
 // Gate count for Chonk recursive verification (UltraRollup builder)
-inline constexpr size_t CHONK_RECURSION_GATES = 2494057;
+inline constexpr size_t CHONK_RECURSION_GATES = 2495208;
 
 // ========================================
 // Hypernova Recursion Constants
@@ -103,11 +103,11 @@ inline constexpr size_t INNER_KERNEL_ULTRA_OPS = 179;
 // Tail kernel gate counts (verifies HN_TAIL proof)
 inline constexpr size_t TAIL_KERNEL_GATE_COUNT = 33968;
 inline constexpr size_t TAIL_KERNEL_ECC_ROWS = 914 + MSM_ROWS_OFFSET;
-inline constexpr size_t TAIL_KERNEL_ULTRA_OPS = 95;
+inline constexpr size_t TAIL_KERNEL_ULTRA_OPS = 96;
 
 // Hiding kernel gate counts (verifies HN_FINAL proof)
 inline constexpr size_t HIDING_KERNEL_GATE_COUNT = 37212;
-inline constexpr size_t HIDING_KERNEL_ECC_ROWS = 1405 + MSM_ROWS_OFFSET;
-inline constexpr size_t HIDING_KERNEL_ULTRA_OPS = 126;
+inline constexpr size_t HIDING_KERNEL_ECC_ROWS = 1341 + MSM_ROWS_OFFSET;
+inline constexpr size_t HIDING_KERNEL_ULTRA_OPS = 124;
 
 } // namespace acir_format

barretenberg/cpp/src/barretenberg/dsl/acir_format/mock_verifier_inputs.test.cpp

@@ -50,7 +50,7 @@ TEST(MockVerifierInputsTest, MockMergeProofSize)
  */
 TEST(MockVerifierInputsTest, MockPreIpaProofSize)
 {
-    size_t CURRENT_ECCVM_PROOF_SIZE = 606;
+    size_t CURRENT_ECCVM_PROOF_SIZE = 608;
     EXPECT_EQ(ECCVMFlavor::PROOF_LENGTH_WITHOUT_PUB_INPUTS, CURRENT_ECCVM_PROOF_SIZE)
         << "The length of the Pre-IPA proof changed.";
 
@@ -244,7 +244,7 @@ TEST(MockVerifierInputsTest, MockChonkProofSize)
 
     // If this value changes, we need to update the corresponding constants in noir and in yarn-project. Also, we need
     // to update the Prover.toml file for rollup-tx-private to reflect the new length of the Chonk proof.
-    size_t CURRENT_CHONK_PROOF_SIZE_WITHOUT_PUB_INPUTS = 1905;
+    size_t CURRENT_CHONK_PROOF_SIZE_WITHOUT_PUB_INPUTS = 1907;
     HonkProof chonk_proof = create_mock_chonk_proof<Builder>();
     EXPECT_EQ(chonk_proof.size(), Chonk::Proof::PROOF_LENGTH());
     EXPECT_EQ(chonk_proof.size(),

barretenberg/cpp/src/barretenberg/eccvm/eccvm.test.cpp

@@ -29,7 +29,20 @@ class ECCVMTests : public ::testing::Test {
 };
 namespace {
 auto& engine = numeric::get_debug_randomness();
+
+/**
+ * @brief Add a hiding op to the op_queue for testing.
+ * @details The ECCVM relation constraints expect q_eq = 1 at row 1 (lagrange_second).
+ * In production (Chonk flow), a hiding op with random Px, Py is prepended for statistical hiding.
+ * For tests, we also use random values to match production behavior.
+ */
+void add_hiding_op_for_test(const std::shared_ptr<ECCOpQueue>& op_queue)
+{
+    using Fq = curve::BN254::BaseField;
+    // Prepend a hiding op with random coordinates - provides statistical hiding
+    op_queue->append_hiding_op(Fq::random_element(), Fq::random_element());
 }
+} // namespace
 
 /**
  * @brief Adds operations in BN254 to the op_queue and then constructs and ECCVM circuit from the op_queue.
@@ -65,6 +78,7 @@ ECCVMCircuitBuilder generate_circuit(numeric::RNG* engine = nullptr)
     op_queue->mul_accumulate(b, x);
     op_queue->mul_accumulate(c, x);
     op_queue->merge();
+    add_hiding_op_for_test(op_queue);
     ECCVMCircuitBuilder builder{ op_queue };
     return builder;
 }
@@ -91,6 +105,7 @@ ECCVMCircuitBuilder generate_zero_circuit([[maybe_unused]] numeric::RNG* engine
         }
     }
     op_queue->merge();
+    add_hiding_op_for_test(op_queue);
 
     ECCVMCircuitBuilder builder{ op_queue };
     return builder;
@@ -186,6 +201,7 @@ TEST_F(ECCVMTests, ScalarEdgeCase)
     op_queue->mul_accumulate(a, Fr(uint256_t(1) << 128));
     op_queue->eq_and_reset();
     op_queue->merge();
+    add_hiding_op_for_test(op_queue);
     ECCVMCircuitBuilder builder{ op_queue };
 
     std::shared_ptr<Transcript> prover_transcript = std::make_shared<Transcript>();

barretenberg/cpp/src/barretenberg/eccvm/eccvm_circuit_builder.test.cpp

@@ -10,6 +10,18 @@ using Fr = typename G1::Fr;
 
 namespace {
 auto& engine = numeric::get_debug_randomness();
+
+/**
+ * @brief Add a hiding op with random Px, Py to the op_queue for testing.
+ * @details The ECCVM relation constraints expect q_eq = 1 at row 1 (lagrange_second).
+ * This mirrors production behavior where random field elements are used for statistical hiding.
+ */
+void add_hiding_op_for_test(const std::shared_ptr<ECCOpQueue>& op_queue)
+{
+    using Fq = curve::BN254::BaseField;
+    // Prepend an eq op with random coordinates - same as production
+    op_queue->append_hiding_op(Fq::random_element(), Fq::random_element());
+}
 } // namespace
 
 TEST(ECCVMCircuitBuilderTests, BaseCase)
@@ -63,6 +75,7 @@ TEST(ECCVMCircuitBuilderTests, BaseCase)
     op_queue->add_accumulate(a);
     op_queue->eq_and_reset();
     op_queue->merge();
+    add_hiding_op_for_test(op_queue);
     ECCVMCircuitBuilder circuit{ op_queue };
     bool result = ECCVMTraceChecker::check(circuit);
     EXPECT_EQ(result, true);
@@ -71,6 +84,7 @@ TEST(ECCVMCircuitBuilderTests, BaseCase)
 TEST(ECCVMCircuitBuilderTests, NoOp)
 {
     std::shared_ptr<ECCOpQueue> op_queue = std::make_shared<ECCOpQueue>();
+    add_hiding_op_for_test(op_queue);
 
     ECCVMCircuitBuilder circuit{ op_queue };
     bool result = ECCVMTraceChecker::check(circuit, &engine);
@@ -86,6 +100,7 @@ TEST(ECCVMCircuitBuilderTests, Add)
 
     op_queue->add_accumulate(a);
     op_queue->merge();
+    add_hiding_op_for_test(op_queue);
 
     ECCVMCircuitBuilder circuit{ op_queue };
     bool result = ECCVMTraceChecker::check(circuit, &engine);
@@ -102,6 +117,7 @@ TEST(ECCVMCircuitBuilderTests, Mul)
 
     op_queue->mul_accumulate(a, x);
     op_queue->merge();
+    add_hiding_op_for_test(op_queue);
 
     ECCVMCircuitBuilder circuit{ op_queue };
     bool result = ECCVMTraceChecker::check(circuit, &engine);
@@ -121,6 +137,7 @@ TEST(ECCVMCircuitBuilderTests, MulInfinity)
     op_queue->mul_accumulate(a, x);
     op_queue->eq_and_reset();
     op_queue->merge();
+    add_hiding_op_for_test(op_queue);
 
     ECCVMCircuitBuilder circuit{ op_queue };
     bool result = ECCVMTraceChecker::check(circuit);
@@ -139,6 +156,7 @@ TEST(ECCVMCircuitBuilderTests, MulOverIdenticalInputs)
     op_queue->mul_accumulate(a, x);
     op_queue->eq_and_reset();
     op_queue->merge();
+    add_hiding_op_for_test(op_queue);
 
     ECCVMCircuitBuilder circuit{ op_queue };
     bool result = ECCVMTraceChecker::check(circuit);
@@ -157,6 +175,7 @@ TEST(ECCVMCircuitBuilderTests, MSMProducesInfinity)
     op_queue->mul_accumulate(a, -x);
     op_queue->eq_and_reset();
     op_queue->merge();
+    add_hiding_op_for_test(op_queue);
 
     ECCVMCircuitBuilder circuit{ op_queue };
     bool result = ECCVMTraceChecker::check(circuit);
@@ -179,6 +198,7 @@ TEST(ECCVMCircuitBuilderTests, MSMOverPointAtInfinity)
         op_queue->mul_accumulate(point_at_infinity, x);
         op_queue->eq_and_reset();
         op_queue->merge();
+        add_hiding_op_for_test(op_queue);
 
         ECCVMCircuitBuilder circuit{ op_queue };
         bool result = ECCVMTraceChecker::check(circuit);
@@ -243,6 +263,7 @@ TEST(ECCVMCircuitBuilderTests, ShortMul)
     op_queue->mul_accumulate(a, x);
     op_queue->eq_and_reset();
     op_queue->merge();
+    add_hiding_op_for_test(op_queue);
 
     ECCVMCircuitBuilder circuit{ op_queue };
     bool result = ECCVMTraceChecker::check(circuit, &engine);
@@ -261,6 +282,7 @@ TEST(ECCVMCircuitBuilderTests, EqFails)
     // Tamper with the eq op such that the expected value is incorect
     op_queue->add_erroneous_equality_op_for_testing();
     op_queue->merge();
+    add_hiding_op_for_test(op_queue);
 
     ECCVMCircuitBuilder circuit{ op_queue };
     bool result = ECCVMTraceChecker::check(circuit, &engine);
@@ -273,6 +295,7 @@ TEST(ECCVMCircuitBuilderTests, EmptyRow)
 
     op_queue->empty_row_for_testing();
     op_queue->merge();
+    add_hiding_op_for_test(op_queue);
 
     ECCVMCircuitBuilder circuit{ op_queue };
     bool result = ECCVMTraceChecker::check(circuit, &engine);
@@ -291,6 +314,7 @@ TEST(ECCVMCircuitBuilderTests, EmptyRowBetweenOps)
     op_queue->empty_row_for_testing();
     op_queue->eq_and_reset();
     op_queue->merge();
+    add_hiding_op_for_test(op_queue);
 
     ECCVMCircuitBuilder circuit{ op_queue };
     bool result = ECCVMTraceChecker::check(circuit, &engine);
@@ -308,6 +332,7 @@ TEST(ECCVMCircuitBuilderTests, EndWithEq)
     op_queue->mul_accumulate(a, x);
     op_queue->eq_and_reset();
     op_queue->merge();
+    add_hiding_op_for_test(op_queue);
 
     ECCVMCircuitBuilder circuit{ op_queue };
     bool result = ECCVMTraceChecker::check(circuit, &engine);
@@ -326,6 +351,7 @@ TEST(ECCVMCircuitBuilderTests, EndWithAdd)
     op_queue->eq_and_reset();
     op_queue->add_accumulate(a);
     op_queue->merge();
+    add_hiding_op_for_test(op_queue);
 
     ECCVMCircuitBuilder circuit{ op_queue };
     bool result = ECCVMTraceChecker::check(circuit, &engine);
@@ -344,6 +370,7 @@ TEST(ECCVMCircuitBuilderTests, EndWithMul)
     op_queue->eq_and_reset();
     op_queue->mul_accumulate(a, x);
     op_queue->merge();
+    add_hiding_op_for_test(op_queue);
 
     ECCVMCircuitBuilder circuit{ op_queue };
     bool result = ECCVMTraceChecker::check(circuit, &engine);
@@ -364,6 +391,7 @@ TEST(ECCVMCircuitBuilderTests, EndWithNoop)
 
     op_queue->empty_row_for_testing();
     op_queue->merge();
+    add_hiding_op_for_test(op_queue);
 
     ECCVMCircuitBuilder circuit{ op_queue };
     bool result = ECCVMTraceChecker::check(circuit, &engine);
@@ -394,6 +422,7 @@ TEST(ECCVMCircuitBuilderTests, MSM)
         std::shared_ptr<ECCOpQueue> op_queue = std::make_shared<ECCOpQueue>();
 
         compute_msms(j, op_queue);
+        add_hiding_op_for_test(op_queue);
         ECCVMCircuitBuilder circuit{ op_queue };
         bool result = ECCVMTraceChecker::check(circuit);
         EXPECT_EQ(result, true);
@@ -404,6 +433,7 @@ TEST(ECCVMCircuitBuilderTests, MSM)
     for (size_t j = 1; j < 9; ++j) {
         compute_msms(j, op_queue);
     }
+    add_hiding_op_for_test(op_queue);
     ECCVMCircuitBuilder circuit{ op_queue };
     bool result = ECCVMTraceChecker::check(circuit, &engine);
     EXPECT_EQ(result, true);
@@ -420,6 +450,7 @@ TEST(ECCVMCircuitBuilderTests, EqAgainstPointAtInfinity)
     op_queue->add_accumulate(a);
     op_queue->eq_and_reset();
     op_queue->merge();
+    add_hiding_op_for_test(op_queue);
 
     ECCVMCircuitBuilder circuit{ op_queue };
     bool result = ECCVMTraceChecker::check(circuit);
@@ -439,6 +470,7 @@ TEST(ECCVMCircuitBuilderTests, AddPointAtInfinity)
     op_queue->add_accumulate(b);
     op_queue->eq_and_reset();
     op_queue->merge();
+    add_hiding_op_for_test(op_queue);
 
     ECCVMCircuitBuilder circuit{ op_queue };
     bool result = ECCVMTraceChecker::check(circuit);
@@ -456,6 +488,7 @@ TEST(ECCVMCircuitBuilderTests, AddProducesPointAtInfinity)
     op_queue->add_accumulate(-a);
     op_queue->eq_and_reset();
     op_queue->merge();
+    add_hiding_op_for_test(op_queue);
 
     ECCVMCircuitBuilder circuit{ op_queue };
     bool result = ECCVMTraceChecker::check(circuit);
@@ -473,6 +506,7 @@ TEST(ECCVMCircuitBuilderTests, AddProducesDouble)
     op_queue->add_accumulate(a);
     op_queue->eq_and_reset();
     op_queue->merge();
+    add_hiding_op_for_test(op_queue);
 
     ECCVMCircuitBuilder circuit{ op_queue };
     bool result = ECCVMTraceChecker::check(circuit);
@@ -510,15 +544,17 @@ TEST(ECCVMCircuitBuilderTests, InfinityFailure)
         op_queue->mul_accumulate(P1, Fr(0));
     }
     op_queue->merge();
+    add_hiding_op_for_test(op_queue);
 
     auto eccvm_builder = ECCVMCircuitBuilder(op_queue);
 
+    // Note: With the hiding op at index 0, the mul op is at index 1, so we check row 2
     auto transcript_rows = ECCVMTranscriptBuilder::compute_rows(op_queue->get_eccvm_ops(), 1);
 
-    // check that the corresponding op is mul
-    bool row_op_code_correct = transcript_rows[1].opcode == 4;
+    // check that the corresponding op is mul (now at row 2 due to hiding op at row 1)
+    bool row_op_code_correct = transcript_rows[2].opcode == 4;
     // row.base_x populate the transcript polynomial transcript_Px in ECCVM Flavor
-    bool failure = Fr(transcript_rows[1].base_x) == Fr(0);
+    bool failure = Fr(transcript_rows[2].base_x) == Fr(0);
 
     bool circuit_checked = ECCVMTraceChecker::check(eccvm_builder);
 
@@ -541,6 +577,7 @@ TEST(ECCVMCircuitBuilderTests, ScalarEdgeCase)
     op_queue->mul_accumulate(a, two_to_the_128);
 
     op_queue->merge();
+    add_hiding_op_for_test(op_queue);
 
     ECCVMCircuitBuilder circuit{ op_queue };
     bool result = ECCVMTraceChecker::check(circuit, &engine);