feat: merge-train/barretenberg

barretenberg/cpp/scripts/audit/audit_scopes/dsl_audit_scope.md

@@ -12,8 +12,6 @@ Commit hash: 2094fd1467dd9a94803b2c5007cf60ac357aa7d2 (22.12.2025)
 4. `dsl/acir_format/acir_format.cpp`
 5. `dsl/acir_format/arithmetic_constraints.hpp`
 6. `dsl/acir_format/arithmetic_constraints.cpp`
-7. `dsl/acir_format/round.hpp`
-8. `dsl/acir_format/round.cpp`
 9. `dsl/acir_format/utils.hpp`
 10. `dsl/acir_format/utils.cpp`
 
@@ -27,15 +25,13 @@ All constraints except arithmetic constraints work as follows:
 1. Bytes deserialised into Barretenberg's internal representation (`acir_to_constraint_buf`)
 2. Iterate through all instances of the given constraint and add the constraint to the circuit (`acir_format`)
 
-Arithmetic constraints work slighly differently because we leverage the UltraHonk arithmetisation to efficiently encode expressions of the following form:
+Arithmetic constraints work slighly differently because we leverage the UltraHonk arithmetization to efficiently encode expressions of the following form:
 $
 \sum_{i, j} c_{i,j} w_i w_j + \sum_i c_i w_i + c = 0
-$ where $w_i$ are witnesses, $c_{i,j}, c_i$ are the coefficients of the equation, and $c$ is the constant term. For a detailed explanation of how we leverage the UltraHonk arithmetisation to encode arithmetic constraints see the documentation for the functions `acir_to_constraint_buf::split_into_mul_quad_gates` and `arithmetic_constraints::create_big_quad_constraint`.
+$ where $w_i$ are witnesses, $c_{i,j}, c_i$ are the coefficients of the equation, and $c$ is the constant term. For a detailed explanation of how we leverage the UltraHonk arithmetization to encode arithmetic constraints see the documentation for the functions `acir_to_constraint_buf::split_into_mul_quad_gates` and `arithmetic_constraints::create_big_quad_constraint`.
 
 The difference in how arithmetic constraints are handled is the reason why they are the only constraints that are part of this audit scope: to be sure that no bugs are present, the entire flow (from bytes to to constraints) has to be audited for arithmetic constraints.
 
-
-
 ## Test Files
 1. `dsl/acir_format/acir_format.test.cpp`
 2. `dsl/acir_format/arithmetic_constraints.test.cpp`

barretenberg/cpp/scripts/audit/audit_scopes/honk_proving_system_audit_scope.md

@@ -71,6 +71,8 @@ Note: Paths relative to `aztec-packages/barretenberg/cpp/src/barretenberg`
 50. `dsl/acir_format/recursion_constraint.cpp`
 51. `dsl/acir_format/recursion_constraint_output.hpp`
 52. `dsl/acir_format/recursion_constraint_output.cpp`
+53. `dsl/acir_format/honk_recursion_constraint.hpp`
+54. `dsl/acir_format/honk_recursion_constraint.cpp`
 53. `dsl/acir_format/mock_verifier_inputs.hpp`
 
 ## Summary of Module
@@ -93,6 +95,7 @@ The Honk proving system is Barretenberg's core SNARK proving system implementing
 13. `ultra_honk/lookup.test.cpp`
 14. `ultra_honk/rom_ram.test.cpp`
 15. `ultra_honk/range_constraint.test.cpp`
+16. `dsl/acir_format/honk_recursion_constraint.test.cpp`
 
 ## Security Mechanisms
 

barretenberg/cpp/scripts/test_chonk_standalone_vks_havent_changed.sh

@@ -13,7 +13,7 @@ cd ..
 # - Generate a hash for versioning: sha256sum bb-chonk-inputs.tar.gz
 # - Upload the compressed results: aws s3 cp bb-chonk-inputs.tar.gz s3://aztec-ci-artifacts/protocol/bb-chonk-inputs-[hash(0:8)].tar.gz
 # Note: In case of the "Test suite failed to run ... Unexpected token 'with' " error, need to run: docker pull aztecprotocol/build:3.0
-pinned_short_hash="c288d94d"
+pinned_short_hash="04d835ae"
 pinned_chonk_inputs_url="https://aztec-ci-artifacts.s3.us-east-2.amazonaws.com/protocol/bb-chonk-inputs-${pinned_short_hash}.tar.gz"
 
 function compress_and_upload {

barretenberg/cpp/src/barretenberg/api/api_chonk.cpp

@@ -123,7 +123,7 @@ bool ChonkAPI::verify([[maybe_unused]] const Flags& flags,
     auto proof_fields = many_from_buffer<fr>(read_file(proof_path));
     auto proof = ChonkProof::from_field_elements(proof_fields);
 
-    auto vk_buffer = read_file(vk_path);
+    auto vk_buffer = read_vk_file(vk_path);
 
     auto response = bbapi::ChonkVerify{ .proof = std::move(proof), .vk = std::move(vk_buffer) }.execute();
     return response.valid;

barretenberg/cpp/src/barretenberg/api/api_ultra_honk.cpp

@@ -101,7 +101,7 @@ bool UltraHonkAPI::verify(const Flags& flags,
     // Read input files
     auto public_inputs = many_from_buffer<uint256_t>(read_file(public_inputs_path));
     auto proof = many_from_buffer<uint256_t>(read_file(proof_path));
-    auto vk_bytes = read_file(vk_path);
+    auto vk_bytes = read_vk_file(vk_path);
 
     // Convert flags to ProofSystemSettings
     bbapi::ProofSystemSettings settings{ .ipa_accumulation = flags.ipa_accumulation,
@@ -209,7 +209,7 @@ void UltraHonkAPI::write_solidity_verifier(const Flags& flags,
 {
     BB_BENCH_NAME("UltraHonkAPI::write_solidity_verifier");
     // Read VK file
-    auto vk_bytes = read_file(vk_path);
+    auto vk_bytes = read_vk_file(vk_path);
 
     // Convert flags to ProofSystemSettings
     bbapi::ProofSystemSettings settings{ .ipa_accumulation = flags.ipa_accumulation,

barretenberg/cpp/src/barretenberg/api/api_ultra_honk.test.cpp

@@ -233,3 +233,35 @@ TEST_F(ApiUltraHonkTest, GatesWithOpcodesSmokeTest)
     // Check that output contains per-opcode information
     EXPECT_TRUE(output.find("gates_per_opcode") != std::string::npos);
 }
+
+TEST_F(ApiUltraHonkTest, VerifyWithMissingVkGivesActionableError)
+{
+    auto [bytecode_path, witness_path] = create_test_circuit_files(test_dir);
+
+    API::Flags flags;
+    flags.oracle_hash_type = "poseidon2";
+    flags.write_vk = true;
+
+    UltraHonkAPI api;
+
+    // Generate proof with vk
+    auto proof_output_dir = test_dir / "proof";
+    std::filesystem::create_directories(proof_output_dir);
+    api.prove(flags, bytecode_path, witness_path, "", proof_output_dir);
+
+    // Try to verify with a non-existent vk path
+    auto nonexistent_vk_path = test_dir / "nonexistent_vk";
+    try {
+        api.verify(flags, proof_output_dir / "public_inputs", proof_output_dir / "proof", nonexistent_vk_path);
+        FAIL() << "Expected an exception to be thrown";
+    } catch (const std::runtime_error& e) {
+        std::string error_msg = e.what();
+        // Check that the error message contains actionable guidance
+        EXPECT_TRUE(error_msg.find("--write_vk") != std::string::npos)
+            << "Error message should mention --write_vk flag. Got: " << error_msg;
+        EXPECT_TRUE(error_msg.find("bb write_vk") != std::string::npos)
+            << "Error message should mention bb write_vk command. Got: " << error_msg;
+        EXPECT_TRUE(error_msg.find("--vk_path") != std::string::npos)
+            << "Error message should mention --vk_path option. Got: " << error_msg;
+    }
+}

barretenberg/cpp/src/barretenberg/api/aztec_process.cpp

@@ -324,7 +324,7 @@ bool process_all_artifacts(const std::string& search_path, bool force)
     auto artifacts = find_contract_artifacts(search_path);
 
     if (artifacts.empty()) {
-        info("No contract artifacts found. Please compile your contracts first with 'nargo compile'.");
+        info("No contract artifacts found in '", search_path, "'.");
         return false;
     }
 

barretenberg/cpp/src/barretenberg/api/file_io.hpp

@@ -5,6 +5,7 @@
 #include <cstdint>
 #include <cstring>
 #include <fcntl.h>
+#include <filesystem>
 #include <fstream>
 #include <ios>
 #include <iostream>
@@ -100,4 +101,23 @@ template <typename Fr> inline std::string field_elements_to_json(const std::vect
     ss << "]";
     return ss.str();
 }
+
+/**
+ * @brief Read a verification key file with an actionable error message if not found.
+ *
+ * @param vk_path Path to the verification key file
+ * @return std::vector<uint8_t> The verification key bytes
+ * @throws std::runtime_error with actionable message if vk file not found
+ */
+inline std::vector<uint8_t> read_vk_file(const std::filesystem::path& vk_path)
+{
+    try {
+        return read_file(vk_path);
+    } catch (const std::runtime_error&) {
+        THROW std::runtime_error("Unable to open file: " + vk_path.string() +
+                                 "\nGenerate a vk during proving by running `bb prove` with an additional `--write_vk` "
+                                 "flag, or run `bb write_vk` to generate a standalone vk."
+                                 "\nIf you already have a vk file, specify its path with `--vk_path <path>`.");
+    }
+}
 } // namespace bb

barretenberg/cpp/src/barretenberg/boomerang_value_detection/graph.cpp

@@ -1241,9 +1241,6 @@ inline void StaticAnalyzer_<FF, CircuitBuilder>::remove_unnecessary_sha256_plook
                                                             BasicTableId::SHA256_WITNESS_SLICE_14_ROTATE_1,
                                                             BasicTableId::SHA256_BASE16,
                                                             BasicTableId::SHA256_BASE16_ROTATE2,
-                                                            BasicTableId::SHA256_BASE16_ROTATE6,
-                                                            BasicTableId::SHA256_BASE16_ROTATE7,
-                                                            BasicTableId::SHA256_BASE16_ROTATE8,
                                                             BasicTableId::SHA256_BASE28,
                                                             BasicTableId::SHA256_BASE28_ROTATE3,
                                                             BasicTableId::SHA256_BASE28_ROTATE6 };

barretenberg/cpp/src/barretenberg/chonk/README.md

@@ -726,7 +726,7 @@ This chain ensures the op queue history is maintained correctly. The Merge proto
 
 ```cpp
 // In OinkVerifier::verify() (called by HypernovaFoldingVerifier for each instance)
-FF vk_hash = vk->hash_with_origin_tagging(domain_separator, *transcript);
+FF vk_hash = vk->hash_with_origin_tagging(*transcript);
 transcript->add_to_hash_buffer(domain_separator + "vk_hash", vk_hash);
 // All subsequent challenges now depend on this hash
 ```

barretenberg/cpp/src/barretenberg/chonk/chonk.cpp

@@ -117,7 +117,7 @@ Chonk::perform_recursive_verification_and_databus_consistency_checks(
 
     // Update previous accumulator hash so that we can check it against the one extracted from the public inputs
     if (verifier_inputs.is_kernel) {
-        prev_accum_hash = input_verifier_accumulator->hash_with_origin_tagging("", *accumulation_recursive_transcript);
+        prev_accum_hash = input_verifier_accumulator->hash_with_origin_tagging(*accumulation_recursive_transcript);
     }
 
     RecursiveFoldingVerifier folding_verifier(accumulation_recursive_transcript);
@@ -340,7 +340,7 @@ void Chonk::complete_kernel_circuit_logic(ClientCircuit& circuit)
         kernel_output.ecc_op_tables = T_prev_commitments;
         RecursiveTranscript hash_transcript;
         kernel_output.output_hn_accum_hash =
-            current_stdlib_verifier_accumulator->hash_with_origin_tagging("", hash_transcript);
+            current_stdlib_verifier_accumulator->hash_with_origin_tagging(hash_transcript);
         info("Kernel output accumulator hash: ", kernel_output.output_hn_accum_hash);
 #ifndef NDEBUG
         info("Chonk recursive verification: accumulator hash set in the public inputs matches the one "
@@ -602,7 +602,7 @@ void Chonk::update_native_verifier_accumulator(const VerifierInputs& queue_entry
     }
 
     if (!queue_entry.is_kernel) {
-        native_verifier_accum_hash = native_verifier_accum.hash_with_origin_tagging("", *verifier_transcript);
+        native_verifier_accum_hash = native_verifier_accum.hash_with_origin_tagging(*verifier_transcript);
     }
 
     info("Chonk accumulate: prover and verifier accumulators match: ",
@@ -628,7 +628,7 @@ void Chonk::debug_incoming_circuit(ClientCircuit& circuit,
     // Compare precomputed VK with the one generated during accumulation
     auto vk = std::make_shared<MegaVerificationKey>(prover_instance->get_precomputed());
     info("Does the precomputed vk match with the one generated during accumulation? ",
-         vk->compare(*precomputed_vk) ? "true" : "false");
+         vk->compare(*precomputed_vk, MegaFlavor::CommitmentLabels().get_precomputed()) ? "true" : "false");
 
     info("======= END OF DEBUGGING INFO FOR INCOMING CIRCUIT =======");
 }

barretenberg/cpp/src/barretenberg/chonk/chonk_transcript_invariants.test.cpp

@@ -157,9 +157,8 @@ TEST_F(ChonkTranscriptInvariantTests, RecursiveVerificationTranscriptCount)
     UltraCircuitBuilder builder;
     size_t index_before_verify = bb::unique_transcript_index.load();
 
-    // Create stdlib VK from native VK and wrap it in VKAndHash
-    auto stdlib_vk = std::make_shared<RecursiveVerifier::VK>(&builder, vk_and_hash->vk);
-    auto stdlib_vk_and_hash = std::make_shared<RecursiveVerifier::VKAndHash>(stdlib_vk);
+    // Create stdlib VK and hash from native VK
+    auto stdlib_vk_and_hash = std::make_shared<RecursiveVerifier::VKAndHash>(builder, vk_and_hash->vk);
 
     RecursiveVerifier verifier(stdlib_vk_and_hash);
     ChonkStdlibProof stdlib_proof(builder, proof);

barretenberg/cpp/src/barretenberg/dsl/acir_format/blake2s_constraint.cpp

@@ -8,7 +8,6 @@
 #include "barretenberg/common/assert.hpp"
 #include "barretenberg/stdlib/hash/blake2s/blake2s.hpp"
 #include "barretenberg/stdlib/primitives/byte_array/byte_array.hpp"
-#include "round.hpp"
 
 namespace acir_format {
 
@@ -24,16 +23,12 @@ template <typename Builder> void create_blake2s_constraints(Builder& builder, co
 
     for (const auto& witness_index_num_bits : constraint.inputs) {
         auto witness_index = witness_index_num_bits.blackbox_input;
-        auto num_bits = witness_index_num_bits.num_bits;
-
-        // XXX: The implementation requires us to truncate the element to the nearest byte and not bit
-        auto num_bytes = round_to_nearest_byte(num_bits);
-        BB_ASSERT_LTE(num_bytes, 32U, "Input num_bytes exceeds 32 per element in blake2s");
-
         field_ct element = to_field_ct(witness_index, builder);
 
-        // byte_array_ct(field, num_bytes) constructor adds range constraints for each byte
-        byte_array_ct element_bytes(element, num_bytes);
+        // byte_array_ct(field, num_bytes) constructor adds range constraints for each byte. Note that num_bytes =
+        // ceil(witness_index_num_bits.num_bits/8). Here, num_bits is set to 8 when constructing the vector of inputs in
+        // the Blake2s constraint. Hence, we set num_bytes = 1.
+        byte_array_ct element_bytes(element, 1);
 
         // Safe write: both arr and element_bytes are constrained
         arr.write(element_bytes);

barretenberg/cpp/src/barretenberg/dsl/acir_format/blake3_constraint.cpp

@@ -8,7 +8,6 @@
 #include "barretenberg/common/assert.hpp"
 #include "barretenberg/stdlib/hash/blake3s/blake3s.hpp"
 #include "barretenberg/stdlib/primitives/byte_array/byte_array.hpp"
-#include "round.hpp"
 
 namespace acir_format {
 
@@ -22,15 +21,12 @@ template <typename Builder> void create_blake3_constraints(Builder& builder, con
 
     for (const auto& witness_index_num_bits : constraint.inputs) {
         auto witness_index = witness_index_num_bits.blackbox_input;
-        auto num_bits = witness_index_num_bits.num_bits;
-
-        // XXX: The implementation requires us to truncate the element to the nearest byte and not bit
-        auto num_bytes = round_to_nearest_byte(num_bits);
-        BB_ASSERT_LTE(num_bytes, 32U, "Input num_bytes exceeds 32 per element in blake3s");
         field_ct element = to_field_ct(witness_index, builder);
 
-        // byte_array_ct(field, num_bytes) constructor adds range constraints for each byte
-        byte_array_ct element_bytes(element, num_bytes);
+        // byte_array_ct(field, num_bytes) constructor adds range constraints for each byte. Note that num_bytes =
+        // ceil(witness_index_num_bits.num_bits/8). Here, num_bits is set to 8 when constructing the vector of inputs in
+        // the Blake3 constraint. Hence, we set num_bytes = 1.
+        byte_array_ct element_bytes(element, 1);
 
         // Safe write: both arr and element_bytes are constrained
         arr.write(element_bytes);

barretenberg/cpp/src/barretenberg/dsl/acir_format/gate_count_constants.hpp

@@ -38,8 +38,8 @@ template <typename Builder> inline constexpr size_t ECDSA_SECP256K1 = 41994 + ZE
 template <typename Builder>
 inline constexpr size_t ECDSA_SECP256R1 = 72209 + ZERO_GATE + (IsMegaBuilder<Builder> ? 2 : 0);
 
-template <typename Builder> inline constexpr size_t BLAKE2S = 2959 + ZERO_GATE + MEGA_OFFSET<Builder>;
-template <typename Builder> inline constexpr size_t BLAKE3 = 2165 + ZERO_GATE + MEGA_OFFSET<Builder>;
+template <typename Builder> inline constexpr size_t BLAKE2S = 2952 + ZERO_GATE + MEGA_OFFSET<Builder>;
+template <typename Builder> inline constexpr size_t BLAKE3 = 2158 + ZERO_GATE + MEGA_OFFSET<Builder>;
 template <typename Builder> inline constexpr size_t KECCAK_PERMUTATION = 17387 + ZERO_GATE + MEGA_OFFSET<Builder>;
 template <typename Builder> inline constexpr size_t POSEIDON2_PERMUTATION = 73 + ZERO_GATE + MEGA_OFFSET<Builder>;
 template <typename Builder> inline constexpr size_t MULTI_SCALAR_MUL = 3550 + ZERO_GATE;

barretenberg/cpp/src/barretenberg/dsl/acir_format/honk_recursion_constraint.cpp

@@ -1,5 +1,5 @@
 // === AUDIT STATUS ===
-// internal:    { status: completed, auditors: [Federico], commit: }
+// internal:    { status: completed, auditors: [Federico], commit: 8b4e1279ef130eeb18bce9ce2a9f0fa39a243697}
 // external_1:  { status: not started, auditors: [], commit: }
 // external_2:  { status: not started, auditors: [], commit: }
 // =====================

barretenberg/cpp/src/barretenberg/dsl/acir_format/honk_recursion_constraint.hpp

@@ -1,5 +1,5 @@
 // === AUDIT STATUS ===
-// internal:    { status: completed, auditors: [Federico], commit: }
+// internal:    { status: completed, auditors: [Federico], commit: 8b4e1279ef130eeb18bce9ce2a9f0fa39a243697}
 // external_1:  { status: not started, auditors: [], commit: }
 // external_2:  { status: not started, auditors: [], commit: }
 // =====================

barretenberg/cpp/src/barretenberg/dsl/acir_format/keccak_constraint.cpp

@@ -7,7 +7,6 @@
 #include "keccak_constraint.hpp"
 #include "barretenberg/stdlib/hash/keccak/keccak.hpp"
 #include "barretenberg/stdlib/primitives/circuit_builders/circuit_builders_fwd.hpp"
-#include "round.hpp"
 
 namespace acir_format {
 

barretenberg/cpp/src/barretenberg/dsl/acir_format/opcode_gate_count.test.cpp

@@ -436,7 +436,7 @@ TYPED_TEST(OpcodeGateCountTests, Blake2s)
 
     blake2s_constraint.inputs.push_back(Blake2sInput{
         .blackbox_input = WitnessOrConstant<bb::fr>::from_index(0),
-        .num_bits = 32,
+        .num_bits = 8,
     });
 
     for (size_t i = 0; i < 32; ++i) {
@@ -466,7 +466,7 @@ TYPED_TEST(OpcodeGateCountTests, Blake3)
 
     blake3_constraint.inputs.push_back(Blake3Input{
         .blackbox_input = WitnessOrConstant<bb::fr>::from_index(0),
-        .num_bits = 32,
+        .num_bits = 8,
     });
 
     for (size_t i = 0; i < 32; ++i) {