feat: merge-train/barretenberg (#19038)

See
[merge-train-readme.md](https://github.com/AztecProtocol/aztec-packages/blob/next/.github/workflows/merge-train-readme.md).
This is a merge-train.

Author: AztecBot

barretenberg/cpp/src/barretenberg/dsl/acir_format/acir_dsl.fuzzer.cpp

@@ -1232,9 +1232,7 @@ bool test_acir_circuit(const uint8_t* data, size_t size)
         // Build circuit using the proper constructor that initializes witnesses
         // NOTE: Must use the witness-aware constructor, not default constructor!
         // The default constructor leaves witnesses uninitialized, causing false negatives.
-        UltraCircuitBuilder builder{
-            /*size_hint*/ 0, witness_vec, acir_format.public_inputs, /*is_write_vk_mode=*/false
-        };
+        UltraCircuitBuilder builder{ witness_vec, acir_format.public_inputs, /*is_write_vk_mode=*/false };
 
         build_constraints(builder, acir_format, ProgramMetadata{});
 

barretenberg/cpp/src/barretenberg/dsl/acir_format/acir_format.cpp

@@ -1,5 +1,5 @@
 // === AUDIT STATUS ===
-// internal:    { status: not started, auditors: [], date: YYYY-MM-DD }
+// internal:    { status: Completed, auditors: [Federico], date: 2025-12-12 }
 // external_1:  { status: not started, auditors: [], date: YYYY-MM-DD }
 // external_2:  { status: not started, auditors: [], date: YYYY-MM-DD }
 // =====================
@@ -70,7 +70,10 @@ void build_constraints(Builder& builder, AcirFormat& constraints, const ProgramM
     // Add range constraint
     for (const auto& [constraint, opcode_idx] :
          zip_view(constraints.range_constraints, constraints.original_opcode_indices.range_constraints)) {
-        builder.create_dyadic_range_constraint(constraint.witness, constraint.num_bits, "");
+        builder.create_dyadic_range_constraint(
+            constraint.witness,
+            constraint.num_bits,
+            std::format("acir_format::build_constraints: range constraint at opcode index {} failed", opcode_idx));
         gate_counter.track_diff(constraints.gates_per_opcode, opcode_idx);
     }
 
@@ -150,6 +153,8 @@ void build_constraints(Builder& builder, AcirFormat& constraints, const ProgramM
          zip_view(constraints.block_constraints, constraints.original_opcode_indices.block_constraints)) {
         create_block_constraints(builder, constraint);
         if (collect_gates_per_opcode) {
+            // Each block constraint may correspond to multiple opcodes, so we record the average number of gates added
+            // by the entire constraint as the number of gates for each opcode.
             size_t avg_gates_per_opcode = gate_counter.compute_diff() / opcode_indices.size();
             for (size_t opcode_index : opcode_indices) {
                 constraints.gates_per_opcode[opcode_index] = avg_gates_per_opcode;
@@ -193,13 +198,13 @@ template <> UltraCircuitBuilder create_circuit(AcirProgram& program, const Progr
     if (!is_write_vk_mode) {
         BB_ASSERT_EQ(witness.size(),
                      constraints.max_witness_index + 1,
-                     "ACIR witness size (" << witness.size() << ") does not match max witness index ("
-                                           << constraints.max_witness_index << ").");
+                     "ACIR witness size (" << witness.size() << ") does not match max witness index + 1 ("
+                                           << (constraints.max_witness_index + 1) << ").");
     } else {
         witness.resize(constraints.max_witness_index + 1, 0);
     }
 
-    UltraCircuitBuilder builder{ metadata.size_hint, witness, constraints.public_inputs, is_write_vk_mode };
+    UltraCircuitBuilder builder{ witness, constraints.public_inputs, is_write_vk_mode };
 
     // Populate constraints in the builder
     build_constraints(builder, constraints, metadata);
@@ -225,8 +230,8 @@ template <> MegaCircuitBuilder create_circuit(AcirProgram& program, const Progra
     if (!is_write_vk_mode) {
         BB_ASSERT_EQ(witness.size(),
                      constraints.max_witness_index + 1,
-                     "ACIR witness size (" << witness.size() << ") does not match max witness index ("
-                                           << constraints.max_witness_index << ").");
+                     "ACIR witness size (" << witness.size() << ") does not match max witness index + 1 ("
+                                           << (constraints.max_witness_index + 1) << ").");
     } else {
         witness.resize(constraints.max_witness_index + 1, 0);
     }

barretenberg/cpp/src/barretenberg/dsl/acir_format/acir_format.hpp

@@ -59,7 +59,6 @@ struct AcirFormatOriginalOpcodeIndices {
     std::vector<size_t> avm_recursion_constraints;
     std::vector<size_t> hn_recursion_constraints;
     std::vector<size_t> chonk_recursion_constraints;
-    std::vector<size_t> arithmetic_triple_constraints;
     std::vector<size_t> quad_constraints;
     std::vector<size_t> big_quad_constraints;
     // Multiple opcode indices per block:
@@ -105,9 +104,9 @@ struct AcirFormat {
     std::vector<RecursionConstraint> hn_recursion_constraints;
     std::vector<RecursionConstraint> chonk_recursion_constraints;
     std::vector<QuadConstraints> quad_constraints; // Standard honk arithmetic constraint of width 4
-    // A vector of vector of mul_quad gates (i.e arithmetic constraints of width 4)
+    // A vector of vector of QuadConstraints gates (i.e arithmetic constraints of width 4)
     // Each vector of gates represente a 'big' expression (a polynomial of degree 1 or 2 which does not fit inside one
-    // mul_gate) that has been splitted into multiple mul_gates, using w4_shift (the 4th wire of the next gate), to
+    // mul_gate) that has been split into multiple mul_gates, using w4_shift (the 4th wire of the next gate), to
     // reduce the number of intermediate variables.
     std::vector<std::vector<QuadConstraints>> big_quad_constraints;
     std::vector<BlockConstraint> block_constraints;
@@ -172,7 +171,6 @@ struct ProgramMetadata {
                // should propagate an IPA claim. In our codebase, circuits that propagate IPA claims are the ones whose
                // proof is constructed/verified using Rollup flavors.
     bool collect_gates_per_opcode = false;
-    size_t size_hint = 0;
 };
 
 /**

barretenberg/cpp/src/barretenberg/dsl/acir_format/acir_format_mocks.cpp

@@ -27,7 +27,6 @@ AcirFormatOriginalOpcodeIndices create_empty_original_opcode_indices()
         .avm_recursion_constraints = {},
         .hn_recursion_constraints = {},
         .chonk_recursion_constraints = {},
-        .arithmetic_triple_constraints = {},
         .quad_constraints = {},
         .big_quad_constraints = {},
         .block_constraints = {},

barretenberg/cpp/src/barretenberg/dsl/acir_format/acir_to_constraint_buf.cpp

@@ -472,6 +472,9 @@ std::vector<mul_quad_<fr>> split_into_mul_quad_gates(Acir::Expression const& arg
     // We cannot precompute the exact number of gates that will result from the expression. Therefore, we reserve the
     // maximum number of gates that could ever be needed: one per multiplication term plus one per linear term. The real
     // number of gates will in general be lower than this.
+    BB_ASSERT_LTE(arg.mul_terms.size(),
+                  SIZE_MAX - linear_terms.size(),
+                  "split_into_mul_quad_gates: overflow when reserving space for mul_quad_ gates.");
     result.reserve(arg.mul_terms.size() + linear_terms.size());
 
     // Step 1. Add multiplication terms and linear terms with the same witness index

barretenberg/cpp/src/barretenberg/dsl/acir_format/arithmetic_constraints.cpp

@@ -1,5 +1,5 @@
 // === AUDIT STATUS ===
-// internal:    { status: not started, auditors: [], date: YYYY-MM-DD }
+// internal:    { status: Completed, auditors: [Federico], date: 2025-12-12 }
 // external_1:  { status: not started, auditors: [], date: YYYY-MM-DD }
 // external_2:  { status: not started, auditors: [], date: YYYY-MM-DD }
 // =====================
@@ -21,6 +21,10 @@ template <typename Builder> void set_zero_idx(const Builder& builder, mul_quad_<
         }
     };
 
+    BB_ASSERT_NEQ(mul_quad.a,
+                  bb::stdlib::IS_CONSTANT,
+                  "mul_quad_ gate cannot have IS_CONSTANT for witness a. An error here probably means a conversion "
+                  "issue in acir_to_constraint_buf.");
     replace_and_check_zero_scaling(mul_quad.b, mul_quad.b_scaling);
     replace_and_check_zero_scaling(mul_quad.c, mul_quad.c_scaling);
     replace_and_check_zero_scaling(mul_quad.d, mul_quad.d_scaling);

barretenberg/cpp/src/barretenberg/dsl/acir_format/blake2s_constraint.cpp

@@ -39,8 +39,10 @@ template <typename Builder> void create_blake2s_constraints(Builder& builder, co
 
     byte_array_ct output_bytes = stdlib::Blake2s<Builder>::hash(arr);
 
-    for (size_t i = 0; i < output_bytes.size(); ++i) {
-        output_bytes[i].assert_equal(field_ct::from_witness_index(&builder, constraint.result[i]));
+    for (const auto& [output_byte, result_byte_idx] : zip_view(output_bytes.bytes(), constraint.result)) {
+        // Constrain each output byte to equal the corresponding witness
+        // This equality also constrains the result witnesses to be bytes
+        output_byte.assert_equal(field_ct::from_witness_index(&builder, result_byte_idx));
     }
 }
 

barretenberg/cpp/src/barretenberg/dsl/acir_format/blake2s_constraint.test.cpp

@@ -12,10 +12,11 @@
 using namespace bb;
 using namespace acir_format;
 
-template <class BuilderType> class Blake2sTestingFunctions {
+template <class BuilderType, bool IsInputConstant> class Blake2sTestingFunctions {
   public:
     using Builder = BuilderType;
     using AcirConstraint = Blake2sConstraint;
+    using FF = Builder::FF;
 
     struct InvalidWitness {
       public:
@@ -37,7 +38,12 @@ template <class BuilderType> class Blake2sTestingFunctions {
         switch (invalid_witness_target) {
         case InvalidWitness::Target::Input: {
             // Tamper with the first input element
-            witness_values[constraint.inputs[0].blackbox_input.index] += bb::fr(1);
+            if constexpr (IsInputConstant) {
+                constraint.inputs[0].blackbox_input =
+                    WitnessOrConstant<FF>::from_constant(constraint.inputs[0].blackbox_input.value + bb::fr(1));
+            } else {
+                witness_values[constraint.inputs[0].blackbox_input.index] += bb::fr(1);
+            }
             break;
         }
         case InvalidWitness::Target::Output: {
@@ -55,53 +61,83 @@ template <class BuilderType> class Blake2sTestingFunctions {
      */
     void generate_constraints(Blake2sConstraint& blake2s_constraint, WitnessVector& witness_values)
     {
-        // Start with the zero variable at index 0
-        witness_values.emplace_back(bb::fr(0));
+        // Helper to add a state: either as witness or constant
+        auto construct_state = [&](const std::vector<uint8_t>& state,
+                                   bool as_constant) -> std::vector<WitnessOrConstant<FF>> {
+            std::vector<WitnessOrConstant<FF>> result;
+            if (as_constant) {
+                for (const auto& byte : state) {
+                    result.push_back(WitnessOrConstant<FF>::from_constant(FF(byte)));
+                }
+                return result;
+            }
+            auto indices = add_to_witness_and_track_indices(witness_values, state);
+            for (const auto& idx : indices) {
+                result.push_back(WitnessOrConstant<FF>::from_index(idx));
+            }
+            return result;
+        };
 
         // Input: 64-byte message
         std::vector<uint8_t> input_state(64);
 
         // Expected Blake2s hash output
         std::array<uint8_t, 32> output_state = crypto::blake2s(input_state);
 
-        // Add input and output state to witness
-        auto input_indices = add_to_witness_and_track_indices<std::vector<uint8_t>, 64>(witness_values, input_state);
-        auto output_indices =
-            add_to_witness_and_track_indices<std::array<uint8_t, 32>, 32>(witness_values, output_state);
-
         // Create the constraint
         blake2s_constraint.inputs.reserve(input_state.size());
-        for (size_t i = 0; i < input_state.size(); ++i) {
-            Blake2sInput input{
-                .blackbox_input = WitnessOrConstant<fr>::from_index(static_cast<uint32_t>(input_indices[i])),
-                .num_bits = 8,
-            };
+        for (const auto& state : construct_state(input_state, IsInputConstant)) {
+            Blake2sInput input{ .blackbox_input = state, .num_bits = 8 };
             blake2s_constraint.inputs.push_back(input);
         }
-        for (size_t i = 0; i < 32; ++i) {
-            blake2s_constraint.result[i] = static_cast<uint32_t>(output_indices[i]);
+
+        // Add output state to witness
+        auto output_indices = add_to_witness_and_track_indices(witness_values, output_state);
+        // Add output indices to constraint
+        for (auto [blake_result, output_idx] : zip_view(blake2s_constraint.result, output_indices)) {
+            blake_result = output_idx;
         }
     }
 };
 
 template <class Builder>
-class Blake2sConstraintsTest : public ::testing::Test, public TestClass<Blake2sTestingFunctions<Builder>> {
+class Blake2sConstraintsTestInputConstant : public ::testing::Test,
+                                            public TestClass<Blake2sTestingFunctions<Builder, true>> {
   protected:
     static void SetUpTestSuite() { srs::init_file_crs_factory(srs::bb_crs_path()); }
 };
 
 using BuilderTypes = testing::Types<UltraCircuitBuilder, MegaCircuitBuilder>;
 
-TYPED_TEST_SUITE(Blake2sConstraintsTest, BuilderTypes);
+TYPED_TEST_SUITE(Blake2sConstraintsTestInputConstant, BuilderTypes);
+TYPED_TEST(Blake2sConstraintsTestInputConstant, GenerateVKFromConstraints)
+{
+    using Flavor = std::conditional_t<std::is_same_v<TypeParam, UltraCircuitBuilder>, UltraFlavor, MegaFlavor>;
+    TestFixture::template test_vk_independence<Flavor>();
+}
+
+TYPED_TEST(Blake2sConstraintsTestInputConstant, Tampering)
+{
+    [[maybe_unused]] std::vector<std::string> _ = TestFixture::test_tampering();
+}
+
+template <class Builder>
+class Blake2sConstraintsTestInputWitness : public ::testing::Test,
+                                           public TestClass<Blake2sTestingFunctions<Builder, false>> {
+  protected:
+    static void SetUpTestSuite() { srs::init_file_crs_factory(srs::bb_crs_path()); }
+};
+
+using BuilderTypes = testing::Types<UltraCircuitBuilder, MegaCircuitBuilder>;
 
-TYPED_TEST(Blake2sConstraintsTest, GenerateVKFromConstraints)
+TYPED_TEST_SUITE(Blake2sConstraintsTestInputWitness, BuilderTypes);
+TYPED_TEST(Blake2sConstraintsTestInputWitness, GenerateVKFromConstraints)
 {
     using Flavor = std::conditional_t<std::is_same_v<TypeParam, UltraCircuitBuilder>, UltraFlavor, MegaFlavor>;
     TestFixture::template test_vk_independence<Flavor>();
 }
 
-TYPED_TEST(Blake2sConstraintsTest, Tampering)
+TYPED_TEST(Blake2sConstraintsTestInputWitness, Tampering)
 {
-    BB_DISABLE_ASSERTS();
     [[maybe_unused]] std::vector<std::string> _ = TestFixture::test_tampering();
 }

barretenberg/cpp/src/barretenberg/dsl/acir_format/blake3_constraint.cpp

@@ -38,10 +38,10 @@ template <typename Builder> void create_blake3_constraints(Builder& builder, con
 
     byte_array_ct output_bytes = bb::stdlib::Blake3s<Builder>::hash(arr);
 
-    // Convert byte array to vector of field_t
-
-    for (size_t i = 0; i < output_bytes.size(); ++i) {
-        output_bytes[i].assert_equal(field_ct::from_witness_index(&builder, constraint.result[i]));
+    for (const auto& [output_byte, result_byte_idx] : zip_view(output_bytes.bytes(), constraint.result)) {
+        // Constrain each output byte to equal the corresponding witness
+        // This equality also constrains the result witnesses to be bytes
+        output_byte.assert_equal(field_ct::from_witness_index(&builder, result_byte_idx));
     }
 }