fix: set gate challenges in initial accumulator (#16613)

Fixes the bug exploiting the initial gate_challenges being 0
demonstrated here:
https://github.com/AztecProtocol/aztec-packages/pull/16593/files.

Closes AztecProtocol/barretenberg#1531.

Sets the gate challenges in the initial accumulator with a challenge
rather than being all 0s. Also makes gate challenges generate from 1
challenge to reduce the amount of hashing. Adds some functionality to
transcript to aid this.

Author: lucasxia01

barretenberg/cpp/scripts/test_civc_standalone_vks_havent_changed.sh

@@ -11,7 +11,7 @@ cd ..
 # - Generate a hash for versioning: sha256sum bb-civc-inputs.tar.gz
 # - Upload the compressed results: aws s3 cp bb-civc-inputs.tar.gz s3://aztec-ci-artifacts/protocol/bb-civc-inputs-[hash(0:8)].tar.gz
 # Note: In case of the "Test suite failed to run ... Unexpected token 'with' " error, need to run: docker pull aztecprotocol/build:3.0
-pinned_short_hash="197c2f73"
+pinned_short_hash="8657fa15"
 pinned_civc_inputs_url="https://aztec-ci-artifacts.s3.us-east-2.amazonaws.com/protocol/bb-civc-inputs-${pinned_short_hash}.tar.gz"
 
 function compress_and_upload {

barretenberg/cpp/src/barretenberg/client_ivc/client_ivc.cpp

@@ -128,9 +128,11 @@ ClientIVC::perform_recursive_verification_and_databus_consistency_checks(
 
         output_stdlib_verifier_accumulator = verifier_instance;
         output_stdlib_verifier_accumulator->target_sum = StdlibFF::from_witness_index(&circuit, circuit.zero_idx);
-        output_stdlib_verifier_accumulator->gate_challenges.assign(
-            CONST_PG_LOG_N, StdlibFF::from_witness_index(&circuit, circuit.zero_idx));
 
+        // Get the gate challenges for sumcheck/combiner computation
+        output_stdlib_verifier_accumulator->gate_challenges =
+            accumulation_recursive_transcript->template get_powers_of_challenge<StdlibFF>("gate_challenge",
+                                                                                          CONST_PG_LOG_N);
         // T_prev = 0 in the first recursive verification
         merge_commitments.T_prev_commitments = stdlib::recursion::honk::empty_ecc_op_tables(circuit);
 
@@ -373,7 +375,7 @@ void ClientIVC::accumulate(ClientCircuit& circuit, const std::shared_ptr<MegaVer
     BB_ASSERT_LT(
         num_circuits_accumulated, num_circuits, "ClientIVC: Attempting to accumulate more circuits than expected.");
 
-    ASSERT(precomputed_vk != nullptr, "ClientIVC::acumulate - VK expected for the provided circuit");
+    ASSERT(precomputed_vk != nullptr, "ClientIVC::accumulate - VK expected for the provided circuit");
 
     // Construct the proving key for circuit
     std::shared_ptr<DeciderProvingKey> proving_key = std::make_shared<DeciderProvingKey>(circuit, trace_settings);
@@ -412,6 +414,10 @@ void ClientIVC::accumulate(ClientCircuit& circuit, const std::shared_ptr<MegaVer
         MegaOinkProver oink_prover{ proving_key, honk_vk, prover_accumulation_transcript };
         vinfo("computing oink proof...");
         oink_prover.prove();
+        proving_key->target_sum = 0;
+        // Get the gate challenges for sumcheck/combiner computation
+        proving_key->gate_challenges =
+            prover_accumulation_transcript->template get_powers_of_challenge<FF>("gate_challenge", CONST_PG_LOG_N);
         HonkProof oink_proof = oink_prover.export_proof();
         vinfo("oink proof constructed");
 
@@ -706,7 +712,10 @@ void ClientIVC::update_native_verifier_accumulator(const VerifierInputs& queue_e
         OinkVerifier<Flavor> oink_verifier{ decider_vk, verifier_transcript };
         oink_verifier.verify();
         native_verifier_accum = decider_vk;
-        native_verifier_accum->gate_challenges = std::vector<FF>(CONST_PG_LOG_N, 0);
+        native_verifier_accum->target_sum = 0;
+        // Get the gate challenges for sumcheck/combiner computation
+        native_verifier_accum->gate_challenges =
+            verifier_transcript->template get_powers_of_challenge<FF>("gate_challenge", CONST_PG_LOG_N);
     } else {
         if (queue_entry.is_kernel) {
             // Fiat-Shamir the verifier accumulator

barretenberg/cpp/src/barretenberg/dsl/acir_format/mock_verifier_inputs.cpp

@@ -453,7 +453,8 @@ template <typename Flavor> std::shared_ptr<DeciderVerificationKey_<Flavor>> crea
             0, 0); // metadata does not need to be accurate
     decider_verification_key->vk = vk;
     decider_verification_key->is_complete = true;
-    decider_verification_key->gate_challenges = std::vector<FF>(static_cast<size_t>(CONST_PG_LOG_N), 0);
+    decider_verification_key->gate_challenges =
+        std::vector<FF>(static_cast<size_t>(CONST_PG_LOG_N), FF::random_element());
 
     for (auto& commitment : decider_verification_key->witness_commitments.get_all()) {
         commitment = curve::BN254::AffineElement::one(); // arbitrary mock commitment

barretenberg/cpp/src/barretenberg/protogalaxy/protogalaxy.test.cpp

@@ -206,7 +206,10 @@ template <typename Flavor> class ProtogalaxyTests : public testing::Test {
         accumulator->relation_parameters = relation_parameters;
         accumulator->alphas = alphas;
 
-        auto deltas = compute_round_challenge_pows(log_size, FF::random_element());
+        std::vector<FF> deltas(log_size);
+        for (size_t idx = 0; idx < log_size; idx++) {
+            deltas[idx] = FF::random_element();
+        }
         auto perturbator = pg_internal.compute_perturbator(accumulator, deltas);
 
         // Ensure the constant coefficient of the perturbator is equal to the target sum as indicated by the paper

barretenberg/cpp/src/barretenberg/protogalaxy/protogalaxy_prover_impl.hpp

@@ -35,6 +35,9 @@ void ProtogalaxyProver_<Flavor, NUM_KEYS>::run_oink_prover_on_each_incomplete_ke
     auto& verifier_accum = vks_to_fold[0];
     if (!key->is_complete) {
         run_oink_prover_on_one_incomplete_key(key, verifier_accum, domain_separator);
+        // Get the gate challenges for sumcheck/combiner computation
+        key->gate_challenges =
+            transcript->template get_powers_of_challenge<FF>(domain_separator + "_gate_challenge", CONST_PG_LOG_N);
     }
 
     idx++;
@@ -54,10 +57,9 @@ std::tuple<std::vector<typename Flavor::FF>, Polynomial<typename Flavor::FF>> Pr
 {
     PROFILE_THIS_NAME("ProtogalaxyProver_::perturbator_round");
 
-    const FF delta = transcript->template get_challenge<FF>("delta");
-    const std::vector<FF> deltas = compute_round_challenge_pows(CONST_PG_LOG_N, delta);
+    const std::vector<FF> deltas = transcript->template get_powers_of_challenge<FF>("delta", CONST_PG_LOG_N);
     // An honest prover with valid initial key computes that the perturbator is 0 in the first round
-    const Polynomial<FF> perturbator = accumulator->is_accumulator
+    const Polynomial<FF> perturbator = accumulator->from_first_instance
                                            ? pg_internal.compute_perturbator(accumulator, deltas)
                                            : Polynomial<FF>(CONST_PG_LOG_N + 1);
     // Prover doesn't send the constant coefficient of F because this is supposed to be equal to the target sum of
@@ -122,7 +124,7 @@ void ProtogalaxyProver_<Flavor, NUM_KEYS>::update_target_sum_and_fold(
 
     std::shared_ptr<DeciderPK> accumulator = keys[0];
     std::shared_ptr<DeciderPK> incoming = keys[1];
-    accumulator->is_accumulator = true;
+    accumulator->from_first_instance = true;
 
     // At this point the virtual sizes of the polynomials should already agree
     BB_ASSERT_EQ(accumulator->polynomials.w_l.virtual_size(), incoming->polynomials.w_l.virtual_size());

barretenberg/cpp/src/barretenberg/protogalaxy/protogalaxy_verifier.cpp

@@ -22,7 +22,10 @@ void ProtogalaxyVerifier_<DeciderVerificationKeys>::run_oink_verifier_on_each_in
     if (!key->is_complete) {
         OinkVerifier<Flavor> oink_verifier{ key, transcript, domain_separator + '_' };
         oink_verifier.verify();
-        key->gate_challenges = std::vector<FF>(CONST_PG_LOG_N, 0);
+        key->target_sum = 0;
+        // Get the gate challenges for sumcheck/combiner computation
+        key->gate_challenges =
+            transcript->template get_powers_of_challenge<FF>(domain_separator + "_gate_challenge", CONST_PG_LOG_N);
     }
 
     key = keys_to_fold[1];
@@ -76,8 +79,8 @@ std::shared_ptr<typename DeciderVerificationKeys::DeciderVK> ProtogalaxyVerifier
     run_oink_verifier_on_each_incomplete_key(proof);
 
     // Perturbator round
-    const FF delta = transcript->template get_challenge<FF>("delta");
-    const std::vector<FF> deltas = compute_round_challenge_pows(CONST_PG_LOG_N, delta);
+    const std::vector<FF> deltas = transcript->template get_powers_of_challenge<FF>("delta", CONST_PG_LOG_N);
+
     std::vector<FF> perturbator_coeffs(CONST_PG_LOG_N + 1, 0);
     for (size_t idx = 1; idx <= CONST_PG_LOG_N; idx++) {
         perturbator_coeffs[idx] = transcript->template receive_from_prover<FF>("perturbator_" + std::to_string(idx));

barretenberg/cpp/src/barretenberg/protogalaxy/prover_verifier_shared.hpp

@@ -17,6 +17,8 @@ std::vector<FF> update_gate_challenges(const FF& perturbator_challenge,
                                        const std::vector<FF>& gate_challenges,
                                        const std::vector<FF>& init_challenges)
 {
+    BB_ASSERT_EQ(
+        gate_challenges.size(), init_challenges.size(), "gate_challenges and init_challenges must have same size");
     const size_t num_challenges = gate_challenges.size();
     std::vector<FF> next_gate_challenges(num_challenges);
 
@@ -25,19 +27,6 @@ std::vector<FF> update_gate_challenges(const FF& perturbator_challenge,
     }
     return next_gate_challenges;
 }
-/**
- * @brief Given δ, compute the vector [δ, δ^2,..., δ^num_powers].
- * @details This is Step 2 of the protocol as written in the paper.
- */
-template <typename FF> std::vector<FF> compute_round_challenge_pows(const size_t num_powers, const FF& round_challenge)
-{
-    std::vector<FF> pows(num_powers);
-    pows[0] = round_challenge;
-    for (size_t i = 1; i < num_powers; i++) {
-        pows[i] = pows[i - 1].sqr();
-    }
-    return pows;
-}
 
 /**
  * @brief Evaluates the perturbator at a  given scalar, in a sequential manner for the recursive setting.

barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.cpp

@@ -70,10 +70,8 @@ UltraRecursiveVerifier_<Flavor>::Output UltraRecursiveVerifier_<Flavor>::verify_
 
     VerifierCommitments commitments{ key->vk_and_hash->vk, key->witness_commitments };
     static constexpr size_t VIRTUAL_LOG_N = Flavor::NativeFlavor::VIRTUAL_LOG_N;
-    auto gate_challenges = std::vector<FF>(VIRTUAL_LOG_N);
-    for (size_t idx = 0; idx < VIRTUAL_LOG_N; idx++) {
-        gate_challenges[idx] = transcript->template get_challenge<FF>("Sumcheck:gate_challenge_" + std::to_string(idx));
-    }
+    // Get the gate challenges for sumcheck computation
+    key->gate_challenges = transcript->template get_powers_of_challenge<FF>("Sumcheck:gate_challenge", VIRTUAL_LOG_N);
 
     // Execute Sumcheck Verifier and extract multivariate opening point u = (u_0, ..., u_{d-1}) and purported
     // multivariate evaluations at u
@@ -95,7 +93,7 @@ UltraRecursiveVerifier_<Flavor>::Output UltraRecursiveVerifier_<Flavor>::verify_
         libra_commitments[0] = transcript->template receive_from_prover<Commitment>("Libra:concatenation_commitment");
     }
     SumcheckOutput<Flavor> sumcheck_output =
-        sumcheck.verify(key->relation_parameters, gate_challenges, padding_indicator_array);
+        sumcheck.verify(key->relation_parameters, key->gate_challenges, padding_indicator_array);
 
     // For MegaZKFlavor: the sumcheck output contains claimed evaluations of the Libra polynomials
     if constexpr (Flavor::HasZK) {

barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.test.cpp

@@ -291,7 +291,7 @@ template <typename RecursiveFlavor> class RecursiveVerifierTest : public testing
         }
         // Check the size of the recursive verifier
         if constexpr (std::same_as<RecursiveFlavor, MegaZKRecursiveFlavor_<UltraCircuitBuilder>>) {
-            uint32_t NUM_GATES_EXPECTED = 799269;
+            uint32_t NUM_GATES_EXPECTED = 797234;
             ASSERT_EQ(static_cast<uint32_t>(outer_circuit.get_num_finalized_gates()), NUM_GATES_EXPECTED)
                 << "MegaZKHonk Recursive verifier changed in Ultra gate count! Update this value if you "
                    "are sure this is expected.";

barretenberg/cpp/src/barretenberg/stdlib/protogalaxy_verifier/protogalaxy_recursive_verifier.cpp

@@ -24,7 +24,10 @@ void ProtogalaxyRecursiveVerifier_<DeciderVerificationKeys>::run_oink_verifier_o
     if (!key->is_complete) {
         OinkRecursiveVerifier_<Flavor> oink_verifier{ builder, key, transcript, domain_separator + '_' };
         oink_verifier.verify();
-        key->gate_challenges = std::vector<FF>(CONST_PG_LOG_N, 0);
+        key->target_sum = FF::from_witness(builder, builder->zero_idx);
+        // Get the gate challenges for sumcheck/combiner computation
+        key->gate_challenges =
+            transcript->template get_powers_of_challenge<FF>(domain_separator + "_gate_challenge", CONST_PG_LOG_N);
     }
 
     key = keys_to_fold[1];
@@ -48,8 +51,7 @@ std::shared_ptr<typename DeciderVerificationKeys::DeciderVK> ProtogalaxyRecursiv
     const std::shared_ptr<DeciderVK>& accumulator = keys_to_fold[0];
 
     // Perturbator round
-    const FF delta = transcript->template get_challenge<FF>("delta");
-    const std::vector<FF> deltas = compute_round_challenge_pows(CONST_PG_LOG_N, delta);
+    const std::vector<FF> deltas = transcript->template get_powers_of_challenge<FF>("delta", CONST_PG_LOG_N);
     std::vector<FF> perturbator_coeffs(CONST_PG_LOG_N + 1, 0);
     for (size_t idx = 1; idx <= CONST_PG_LOG_N; idx++) {
         perturbator_coeffs[idx] = transcript->template receive_from_prover<FF>("perturbator_" + std::to_string(idx));