feat: merge-train/barretenberg (#20511)

BEGIN_COMMIT_OVERRIDE
chore!: pairing points audit (#20456)
fix: default pp handling (#20516)
chore: Address DSL audit comments (#20074)
fix: skip default pp in sol aggregation (#20521)
chore: address informational findings in biggroup (#20549)
END_COMMIT_OVERRIDE

Author: AztecBot

barretenberg/cpp/scripts/test_chonk_standalone_vks_havent_changed.sh

@@ -13,7 +13,7 @@ cd ..
 # - Generate a hash for versioning: sha256sum bb-chonk-inputs.tar.gz
 # - Upload the compressed results: aws s3 cp bb-chonk-inputs.tar.gz s3://aztec-ci-artifacts/protocol/bb-chonk-inputs-[hash(0:8)].tar.gz
 # Note: In case of the "Test suite failed to run ... Unexpected token 'with' " error, need to run: docker pull aztecprotocol/build:3.0
-pinned_short_hash="be87b42c"
+pinned_short_hash="600b85bd"
 pinned_chonk_inputs_url="https://aztec-ci-artifacts.s3.us-east-2.amazonaws.com/protocol/bb-chonk-inputs-${pinned_short_hash}.tar.gz"
 
 script_path="$(cd "$(dirname "${BASH_SOURCE[0]}")/scripts" && pwd)/$(basename "${BASH_SOURCE[0]}")"

barretenberg/cpp/src/barretenberg/chonk/chonk.test.cpp

@@ -160,10 +160,9 @@ class ChonkTests : public ::testing::Test {
                 // Tamper with the specified field
                 switch (field_to_tamper) {
                 case KernelIOField::PAIRING_INPUTS: {
-                    // Replace with valid default pairing points (different from actual accumulated values)
-                    using namespace bb::stdlib::recursion;
-                    kernel_io.pairing_inputs.P0() = Commitment(DEFAULT_PAIRING_POINT_P0_X, DEFAULT_PAIRING_POINT_P0_Y);
-                    kernel_io.pairing_inputs.P1() = Commitment(DEFAULT_PAIRING_POINT_P1_X, DEFAULT_PAIRING_POINT_P1_Y);
+                    // Replace with valid pairing points at infinity (different from actual accumulated values)
+                    kernel_io.pairing_inputs.P0() = Commitment::infinity();
+                    kernel_io.pairing_inputs.P1() = Commitment::infinity();
                     EXPECT_TRUE(kernel_io.pairing_inputs.check());
                     break;
                 }

barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.test.cpp

@@ -48,7 +48,7 @@ class KZGTest : public CommitmentTest<Curve> {
         auto verifier_transcript = NativeTranscript::test_verifier_init_empty(prover_transcript);
         const auto pairing_points = PCS::reduce_verify(opening_claim, verifier_transcript);
 
-        EXPECT_EQ(vk.pairing_check(pairing_points[0], pairing_points[1]), true);
+        EXPECT_EQ(pairing_points.check(), true);
     }
 };
 
@@ -91,7 +91,7 @@ TEST_F(KZGTest, WrongEvaluationFails)
     auto verifier_transcript = NativeTranscript::test_verifier_init_empty(prover_transcript);
     auto pairing_point = PCS::reduce_verify(opening_claim, verifier_transcript);
     // Make sure that the pairing check fails
-    EXPECT_EQ(vk.pairing_check(pairing_point[0], pairing_point[1]), false);
+    EXPECT_EQ(pairing_point.check(), false);
 }
 
 TEST_F(KZGTest, ZeroPolynomial)
@@ -169,7 +169,7 @@ TEST_F(KZGTest, SingleInLagrangeBasis)
     auto verifier_transcript = NativeTranscript::test_verifier_init_empty(prover_transcript);
     auto pairing_points = PCS::reduce_verify(opening_claim, verifier_transcript);
 
-    EXPECT_EQ(vk.pairing_check(pairing_points[0], pairing_points[1]), true);
+    EXPECT_EQ(pairing_points.check(), true);
 }
 TEST_F(KZGTest, ShpleminiKzgWithShift)
 {
@@ -222,7 +222,7 @@ TEST_F(KZGTest, ShpleminiKzgWithShift)
         PCS::reduce_verify_batch_opening_claim(std::move(batch_opening_claim), verifier_transcript);
     // Final pairing check: e([Q] - [Q_z] + z[W], [1]_2) = e([W], [x]_2)
 
-    EXPECT_EQ(vk.pairing_check(pairing_points[0], pairing_points[1]), true);
+    EXPECT_EQ(pairing_points.check(), true);
 }
 
 TEST_F(KZGTest, ShpleminiKzgWithShiftAndInterleaving)
@@ -281,7 +281,7 @@ TEST_F(KZGTest, ShpleminiKzgWithShiftAndInterleaving)
         PCS::reduce_verify_batch_opening_claim(std::move(batch_opening_claim), verifier_transcript);
     // Final pairing check: e([Q] - [Q_z] + z[W], [1]_2) = e([W], [x]_2)
 
-    EXPECT_EQ(vk.pairing_check(pairing_points[0], pairing_points[1]), true);
+    EXPECT_EQ(pairing_points.check(), true);
 }
 TEST_F(KZGTest, ShpleminiKzgShiftsRemoval)
 {
@@ -347,7 +347,7 @@ TEST_F(KZGTest, ShpleminiKzgShiftsRemoval)
         PCS::reduce_verify_batch_opening_claim(std::move(batch_opening_claim), verifier_transcript);
 
     // Final pairing check: e([Q] - [Q_z] + z[W], [1]_2) = e([W], [x]_2)
-    EXPECT_EQ(vk.pairing_check(pairing_points[0], pairing_points[1]), true);
+    EXPECT_EQ(pairing_points.check(), true);
 }
 
 } // namespace bb

barretenberg/cpp/src/barretenberg/commitment_schemes/pairing_points.hpp

@@ -1,12 +1,11 @@
 // === AUDIT STATUS ===
-// internal:    { status: Planned, auditors: [Khashayar], commit: }
+// internal:    { status: complete, auditors: [Luke], commit: }
 // external_1:  { status: not started, auditors: [], commit: }
 // external_2:  { status: not started, auditors: [], commit: }
 // =====================
 
 #pragma once
 
-#include "barretenberg/commitment_schemes/commitment_key.hpp"
 #include "barretenberg/commitment_schemes/verification_key.hpp"
 #include "barretenberg/common/assert.hpp"
 
@@ -22,7 +21,6 @@ namespace bb {
 template <typename Curve_> class PairingPoints {
   public:
     using Curve = Curve_;
-    using CK = CommitmentKey<Curve>;
     using Point = typename Curve::AffineElement;
     using Fr = typename Curve::ScalarField;
     using Fq = typename Curve::BaseField;
@@ -34,8 +32,6 @@ template <typename Curve_> class PairingPoints {
     using value_type = Point;
     static constexpr size_t SIZE = 2;
 
-    std::array<Point, 2> _points = { Point::infinity(), Point::infinity() };
-
     // Named accessors
     Point& P0() { return _points[0]; }
     Point& P1() { return _points[1]; }
@@ -47,9 +43,6 @@ template <typename Curve_> class PairingPoints {
         : _points{ p0, p1 }
     {}
 
-    auto& operator[](size_t idx) { return _points[idx]; }
-    const auto& operator[](size_t idx) const { return _points[idx]; }
-
     // Iterator support for range-based for (required by Codec)
     auto begin() { return _points.begin(); }
     auto end() { return _points.end(); }
@@ -58,32 +51,38 @@ template <typename Curve_> class PairingPoints {
     static constexpr size_t size() { return SIZE; }
 
     /**
-     * @brief Aggregate the current pairing points with another set of pairing points using a random scalar
+     * @brief Aggregate the current pairing points with another set of pairing points using a random scalar.
+     * @details If this is at infinity (default-constructed), simply copies other. The incoming points must not be at
+     * infinity since they should always represent the output of actual PCS verification.
      */
     void aggregate(const PairingPoints<Curve>& other)
     {
-        if (P0() == Point::infinity() || P1() == Point::infinity() || other.P0() == Point::infinity() ||
-            other.P1() == Point::infinity()) {
-            throw_or_abort("WARNING: Shouldn't be aggregating with Point at infinity! The pairing points are probably "
-                           "uninitialized.");
+        if (other.P0() == Point::infinity() || other.P1() == Point::infinity()) {
+            throw_or_abort("Cannot aggregate: incoming pairing points are at infinity (probably uninitialized).");
+        }
+        // If this is at infinity (default/uninitialized), just adopt the incoming points
+        if (P0() == Point::infinity() || P1() == Point::infinity()) {
+            *this = other;
+            return;
         }
         Fr aggregation_separator = Fr::random_element();
         P0() = P0() + other.P0() * aggregation_separator;
         P1() = P1() + other.P1() * aggregation_separator;
     }
 
     /**
-     * @brief Perform the pairing check
+     * @brief Verify the pairing equation e(P0, [1]₂) · e(P1, [x]₂) = 1.
      */
     bool check() const
     {
-        VerifierCK pcs_vkey{};
+        VerifierCK vck{};
         // TODO(https://github.com/AztecProtocol/barretenberg/issues/1423): Rename to verifier_pcs_key or vckey or
         // something. Issue exists in many places besides just here.
-        return pcs_vkey.pairing_check(P0(), P1());
+        return vck.pairing_check(P0(), P1());
     }
 
-    bool operator==(const PairingPoints<Curve>& other) const = default;
+  private:
+    std::array<Point, 2> _points = { Point::infinity(), Point::infinity() };
 };
 
 } // namespace bb

barretenberg/cpp/src/barretenberg/commitment_schemes/pairing_points.test.cpp

@@ -0,0 +1,83 @@
+#include "barretenberg/commitment_schemes/pairing_points.hpp"
+#include "barretenberg/commitment_schemes/commitment_key.hpp"
+#include "barretenberg/srs/global_crs.hpp"
+
+#include <gtest/gtest.h>
+
+namespace bb {
+
+class NativePairingPointsTests : public ::testing::Test {
+  public:
+    using Curve = curve::BN254;
+    using PP = PairingPoints<Curve>;
+    using Point = Curve::AffineElement;
+
+    static void SetUpTestSuite() { srs::init_file_crs_factory(srs::bb_crs_path()); }
+
+    // P0 = [s]₁, P1 = -[1]₁ satisfies e(P0,[1]₂)·e(P1,[s]₂) = 1
+    static PP make_valid_pairing_points()
+    {
+        CommitmentKey<Curve> ck(2);
+        auto srs = ck.get_monomial_points();
+        return PP(srs[1], -srs[0]);
+    }
+};
+
+// Default construction produces infinity points
+TEST_F(NativePairingPointsTests, DefaultConstructionIsInfinity)
+{
+    PP pp;
+    EXPECT_EQ(pp.P0(), Point::infinity());
+    EXPECT_EQ(pp.P1(), Point::infinity());
+}
+
+// Infinity points pass the pairing check: e(∞, Q) = 1
+TEST_F(NativePairingPointsTests, InfinityPassesPairingCheck)
+{
+    PP pp;
+    EXPECT_TRUE(pp.check());
+}
+
+// Valid SRS-derived points pass the pairing check
+TEST_F(NativePairingPointsTests, ValidPointsPassPairingCheck)
+{
+    PP pp = make_valid_pairing_points();
+    EXPECT_TRUE(pp.check());
+}
+
+// Arbitrary non-trivial points fail the pairing check
+TEST_F(NativePairingPointsTests, InvalidPointsFailPairingCheck)
+{
+    Point G = Point::one();
+    PP pp(G, G);
+    EXPECT_FALSE(pp.check());
+}
+
+// Aggregating into default (infinity) adopts the incoming points
+TEST_F(NativePairingPointsTests, AggregateIntoDefaultAdoptsOther)
+{
+    PP acc;
+    PP other = make_valid_pairing_points();
+    acc.aggregate(other);
+    EXPECT_EQ(acc.P0(), other.P0());
+    EXPECT_EQ(acc.P1(), other.P1());
+}
+
+// Aggregating two populated sets produces a valid result
+TEST_F(NativePairingPointsTests, AggregatePopulatedPoints)
+{
+    PP acc = make_valid_pairing_points();
+    PP other = make_valid_pairing_points();
+    acc.aggregate(other);
+    EXPECT_TRUE(acc.check());
+}
+
+// Aggregating infinity into a populated accumulator throws
+TEST_F(NativePairingPointsTests, AggregateInfinityIntoPopulatedThrows)
+{
+    PP acc = make_valid_pairing_points();
+    PP empty;
+    EXPECT_THROW(acc.aggregate(empty), std::runtime_error);
+}
+
+} // namespace bb

barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.test.cpp

@@ -364,7 +364,7 @@ TYPED_TEST(ShpleminiTest, ShpleminiZKNoSumcheckOpenings)
         const auto pairing_points =
             KZG<Curve>::reduce_verify_batch_opening_claim(std::move(batch_opening_claim), verifier_transcript);
         // Final pairing check: e([Q] - [Q_z] + z[W], [1]_2) = e([W], [x]_2)
-        EXPECT_EQ(this->vk().pairing_check(pairing_points[0], pairing_points[1]), true);
+        EXPECT_EQ(pairing_points.check(), true);
     }
     EXPECT_EQ(consistency_checked, true);
 }
@@ -473,7 +473,7 @@ TYPED_TEST(ShpleminiTest, ShpleminiZKWithSumcheckOpenings)
         const auto pairing_points =
             KZG<Curve>::reduce_verify_batch_opening_claim(std::move(batch_opening_claim), verifier_transcript);
         // Final pairing check: e([Q] - [Q_z] + z[W], [1]_2) = e([W], [x]_2)
-        EXPECT_EQ(this->vk().pairing_check(pairing_points[0], pairing_points[1]), true);
+        EXPECT_EQ(pairing_points.check(), true);
     }
 }
 
@@ -548,7 +548,7 @@ TYPED_TEST(ShpleminiTest, HighDegreeAttackAccept)
     } else {
         const auto pairing_points =
             KZG<Curve>::reduce_verify_batch_opening_claim(std::move(batch_opening_claim), verifier_transcript);
-        EXPECT_EQ(this->vk().pairing_check(pairing_points[0], pairing_points[1]), true);
+        EXPECT_EQ(pairing_points.check(), true);
     }
 }
 
@@ -615,7 +615,7 @@ TYPED_TEST(ShpleminiTest, HighDegreeAttackReject)
     } else {
         const auto pairing_points =
             KZG<Curve>::reduce_verify_batch_opening_claim(std::move(batch_opening_claim), verifier_transcript);
-        EXPECT_EQ(this->vk().pairing_check(pairing_points[0], pairing_points[1]), false);
+        EXPECT_EQ(pairing_points.check(), false);
     }
 }
 
@@ -817,7 +817,7 @@ void run_libra_tampering_test(ShpleminiTest<TypeParam>* test,
     } else {
         const auto pairing_points =
             KZG<Curve>::reduce_verify_batch_opening_claim(std::move(batch_opening_claim), verifier_transcript);
-        EXPECT_FALSE(test->vk().pairing_check(pairing_points[0], pairing_points[1]));
+        EXPECT_FALSE(pairing_points.check());
     }
 }
 

barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.test.cpp

@@ -85,7 +85,7 @@ TYPED_TEST(ShplonkTest, ExportBatchClaimAndVerify)
         // KZG verifier
         auto final_proof_points = KZG<curve::BN254>::reduce_verify_batch_opening_claim(
             std::move(batched_verifier_claim), verifier_transcript);
-        ASSERT_TRUE(this->vk().pairing_check(final_proof_points[0], final_proof_points[1]));
+        ASSERT_TRUE(final_proof_points.check());
     } else {
         // Verify IPA proof
         auto vk = create_verifier_commitment_key<VerifierCommitmentKey<curve::Grumpkin>>();

barretenberg/cpp/src/barretenberg/commitment_schemes/verification_key.hpp

@@ -1,5 +1,5 @@
 // === AUDIT STATUS ===
-// internal:    { status: Planned, auditors: [Khashayar], commit: }
+// internal:    { status: Complete, auditors: [Luke], commit: }
 // external_1:  { status: not started, auditors: [], commit: }
 // external_2:  { status: not started, auditors: [], commit: }
 // =====================
@@ -11,18 +11,12 @@
  *
  */
 
-#include "barretenberg/commitment_schemes/commitment_key.hpp"
 #include "barretenberg/ecc/curves/bn254/bn254.hpp"
 #include "barretenberg/ecc/curves/bn254/pairing.hpp"
 #include "barretenberg/ecc/curves/grumpkin/grumpkin.hpp"
-#include "barretenberg/ecc/scalar_multiplication/scalar_multiplication.hpp"
-#include "barretenberg/numeric/bitop/pow.hpp"
-#include "barretenberg/polynomials/polynomial_arithmetic.hpp"
 #include "barretenberg/srs/global_crs.hpp"
 
-#include <cstddef>
 #include <memory>
-#include <string_view>
 
 namespace bb {
 
@@ -47,7 +41,6 @@ template <> class VerifierCommitmentKey<curve::BN254> {
             srs = srs::get_crs_factory<Curve>()->get_verifier_crs();
         }
     };
-    bool operator==(const VerifierCommitmentKey&) const = default;
 
     bool initialized() const { return srs != nullptr; }
 
@@ -58,19 +51,14 @@ template <> class VerifierCommitmentKey<curve::BN254> {
     }
 
     /**
-     * @brief verifies a pairing equation over 2 points using the verifier SRS
-     *
-     * @param p0 = P₀
-     * @param p1 = P₁
-     * @return e(P₀,[1]₁)e(P₁,[x]₂) ≡ [1]ₜ
+     * @brief Verify the pairing equation e(P₀,[1]₂) · e(P₁,[x]₂) = [1]ₜ
      */
     bool pairing_check(const GroupElement& p0, const GroupElement& p1)
     {
         initialize();
-        Commitment pairing_points[2]{ p0, p1 };
-        // The final pairing check of step 12.
-        Curve::TargetField result =
-            bb::pairing::reduced_ate_pairing_batch_precomputed(pairing_points, srs->get_precomputed_g2_lines(), 2);
+        std::array<Commitment, 2> pairing_points{ p0, p1 };
+        Curve::TargetField result = bb::pairing::reduced_ate_pairing_batch_precomputed(
+            pairing_points.data(), srs->get_precomputed_g2_lines(), 2);
 
         return (result == Curve::TargetField::one());
     }
@@ -93,9 +81,8 @@ template <> class VerifierCommitmentKey<curve::Grumpkin> {
     /**
      * @brief Construct a new IPA Verification Key object from existing SRS
      *
-     *
      * @param num_points specifies the length of the SRS
-     * @param path is the location to the SRS file
+     * @param crs_factory the CRS factory to use
      */
     VerifierCommitmentKey(size_t num_points, const std::shared_ptr<bb::srs::factories::CrsFactory<Curve>>& crs_factory)
         : srs(crs_factory->get_crs(num_points))
@@ -105,8 +92,6 @@ template <> class VerifierCommitmentKey<curve::Grumpkin> {
 
     VerifierCommitmentKey() = default;
 
-    bool operator==(const VerifierCommitmentKey&) const = default;
-
     bool initialized() const { return srs != nullptr; }
 
     Commitment get_g1_identity() const { return srs->get_g1_identity(); }