feat: Garaga UltraStarknet[Zk]Honk flavours (#11489)

Adds a `ultra_starknet_flavour` and `ultra_starknet_zk_flavour`, forked
from the ultra_keccak_(zk)_flavour.


This was tested with bb 0.82.2 with a reference corresponding
implementation of the transcript in python similar to the keccak one.


See generic proof -> Transcript implementation
https://github.com/keep-starknet-strange/garaga/blob/f5921e0f7e69f474ee0a88b6ecfb52252fc7cc3d/hydra/garaga/precompiled_circuits/honk.py#L526


https://github.com/keep-starknet-strange/garaga/blob/f5921e0f7e69f474ee0a88b6ecfb52252fc7cc3d/hydra/garaga/precompiled_circuits/honk.py#L448-L501


~The Starknet poseidon hash was imported from the reference
implementation from CryptoExperts (used in production in Starkware STONE
prover) https://github.com/CryptoExperts/poseidon~

Starknet field is defined using existing templates and poseidon
implementation re-uses Sponge from poseidon2

---------

Co-authored-by: Rodrigo Ferreira <[email protected]>
Co-authored-by: raugfer <[email protected]>
Co-authored-by: ludamad <[email protected]>
Co-authored-by: ludamad <[email protected]>

Author: 3 people

barretenberg/acir_tests/bbjs-test/src/index.ts

@@ -42,6 +42,7 @@ async function generateProof({
   const witness = await fs.readFile(witnessPath);
   const proof = await backend.generateProof(new Uint8Array(witness), {
     keccak: oracleHash === "keccak",
+    starknet: oracleHash === "starknet",
   });
   assert(
     proof.proof.length === UH_PROOF_LENGTH_IN_BYTES,
@@ -66,6 +67,7 @@ async function generateProof({
 
   const verificationKey = await backend.getVerificationKey({
     keccak: oracleHash === "keccak",
+    starknet: oracleHash === "starknet",
   });
   await fs.writeFile(vkeyPath(outputDirectory), Buffer.from(verificationKey));
   debug("Verification key written to " + vkeyPath(outputDirectory));

barretenberg/acir_tests/bootstrap.sh

@@ -182,6 +182,7 @@ function test_cmds_internal {
   echo SYS=ultra_honk FLOW=prove_then_verify $run_test assert_statement
   echo SYS=ultra_honk FLOW=prove_then_verify $run_test double_verify_honk_proof
   echo SYS=ultra_honk FLOW=prove_then_verify HASH=keccak $run_test assert_statement
+  echo SYS=ultra_honk FLOW=prove_then_verify HASH=starknet $run_test assert_statement
   echo SYS=ultra_honk FLOW=prove_then_verify ROLLUP=true $run_test verify_rollup_honk_proof
 
   # prove and verify using bb.js classes

barretenberg/cpp/src/CMakeLists.txt

@@ -80,6 +80,8 @@ add_subdirectory(barretenberg/eccvm)
 add_subdirectory(barretenberg/env)
 add_subdirectory(barretenberg/trace_to_polynomials)
 add_subdirectory(barretenberg/examples)
+add_subdirectory(barretenberg/ext/starknet/crypto)
+add_subdirectory(barretenberg/ext/starknet/transcript)
 add_subdirectory(barretenberg/flavor)
 add_subdirectory(barretenberg/goblin)
 add_subdirectory(barretenberg/grumpkin_srs_gen)
@@ -141,6 +143,7 @@ set(BARRETENBERG_TARGET_OBJECTS
     $<TARGET_OBJECTS:dsl_objects>
     $<TARGET_OBJECTS:ecc_objects>
     $<TARGET_OBJECTS:eccvm_objects>
+    $<TARGET_OBJECTS:ext_starknet_crypto_poseidon_objects>
     $<TARGET_OBJECTS:trace_to_polynomials_objects>
     $<TARGET_OBJECTS:simple_example_objects>
     $<TARGET_OBJECTS:flavor_objects>

barretenberg/cpp/src/barretenberg/api/api_ultra_honk.cpp

@@ -22,7 +22,12 @@ template <typename Flavor, typename Circuit = typename Flavor::CircuitBuilder>
 Circuit _compute_circuit(const std::string& bytecode_path, const std::string& witness_path)
 {
     uint32_t honk_recursion = 0;
-    if constexpr (IsAnyOf<Flavor, UltraFlavor, UltraKeccakFlavor, UltraKeccakZKFlavor>) {
+    if constexpr (IsAnyOf<Flavor,
+                          UltraFlavor,
+                          UltraKeccakFlavor,
+                          UltraStarknetFlavor,
+                          UltraKeccakZKFlavor,
+                          UltraStarknetZKFlavor>) {
         honk_recursion = 1;
     } else if constexpr (IsAnyOf<Flavor, UltraRollupFlavor>) {
         honk_recursion = 2;
@@ -171,8 +176,12 @@ void UltraHonkAPI::prove(const Flags& flags,
         _write(_prove<UltraFlavor>(flags.write_vk, bytecode_path, witness_path));
     } else if (flags.oracle_hash_type == "keccak" && !flags.zk) {
         _write(_prove<UltraKeccakFlavor>(flags.write_vk, bytecode_path, witness_path));
+    } else if (flags.oracle_hash_type == "starknet" && !flags.zk) {
+        _write(_prove<UltraStarknetFlavor>(flags.write_vk, bytecode_path, witness_path));
     } else if (flags.oracle_hash_type == "keccak" && flags.zk) {
         _write(_prove<UltraKeccakZKFlavor>(flags.write_vk, bytecode_path, witness_path));
+    } else if (flags.oracle_hash_type == "starknet" && flags.zk) {
+        _write(_prove<UltraStarknetZKFlavor>(flags.write_vk, bytecode_path, witness_path));
     } else {
         throw_or_abort("Invalid proving options specified in _prove");
     }
@@ -188,14 +197,23 @@ bool UltraHonkAPI::verify(const Flags& flags,
         return _verify<UltraRollupFlavor>(ipa_accumulation, public_inputs_path, proof_path, vk_path);
     }
     if (flags.zk) {
-        return _verify<UltraKeccakZKFlavor>(ipa_accumulation, public_inputs_path, proof_path, vk_path);
+        if (flags.oracle_hash_type == "keccak") {
+            return _verify<UltraKeccakZKFlavor>(ipa_accumulation, public_inputs_path, proof_path, vk_path);
+        }
+        if (flags.oracle_hash_type == "starknet") {
+            return _verify<UltraStarknetZKFlavor>(ipa_accumulation, public_inputs_path, proof_path, vk_path);
+        }
+        return false;
     }
     if (flags.oracle_hash_type == "poseidon2") {
         return _verify<UltraFlavor>(ipa_accumulation, public_inputs_path, proof_path, vk_path);
     }
     if (flags.oracle_hash_type == "keccak") {
         return _verify<UltraKeccakFlavor>(ipa_accumulation, public_inputs_path, proof_path, vk_path);
     }
+    if (flags.oracle_hash_type == "starknet") {
+        return _verify<UltraStarknetFlavor>(ipa_accumulation, public_inputs_path, proof_path, vk_path);
+    }
     return false;
 }
 
@@ -219,8 +237,12 @@ void UltraHonkAPI::write_vk(const Flags& flags,
         _write(_compute_vk<UltraFlavor>(bytecode_path, ""));
     } else if (flags.oracle_hash_type == "keccak" && !flags.zk) {
         _write(_compute_vk<UltraKeccakFlavor>(bytecode_path, ""));
+    } else if (flags.oracle_hash_type == "starknet" && !flags.zk) {
+        _write(_compute_vk<UltraStarknetFlavor>(bytecode_path, ""));
     } else if (flags.oracle_hash_type == "keccak" && flags.zk) {
         _write(_compute_vk<UltraKeccakZKFlavor>(bytecode_path, ""));
+    } else if (flags.oracle_hash_type == "starknet" && flags.zk) {
+        _write(_compute_vk<UltraStarknetZKFlavor>(bytecode_path, ""));
     } else {
         throw_or_abort("Invalid proving options specified in _prove");
     }

barretenberg/cpp/src/barretenberg/bb/cli.cpp

@@ -178,13 +178,15 @@ int parse_and_run_cli_command(int argc, char* argv[])
 
     const auto add_oracle_hash_option = [&](CLI::App* subcommand) {
         return subcommand
-            ->add_option("--oracle_hash",
-                         flags.oracle_hash_type,
-                         "The hash function used by the prover as random oracle standing in for a verifier's challenge "
-                         "generation. Poseidon2 is to be used for proofs that are intended to be verified inside of a "
-                         "circuit. Keccak is optimized for verification in an Ethereum smart contract, where Keccak "
-                         "has a privileged position due to the existence of an EVM precompile.")
-            ->check(CLI::IsMember({ "poseidon2", "keccak" }).name("is_member"));
+            ->add_option(
+                "--oracle_hash",
+                flags.oracle_hash_type,
+                "The hash function used by the prover as random oracle standing in for a verifier's challenge "
+                "generation. Poseidon2 is to be used for proofs that are intended to be verified inside of a "
+                "circuit. Keccak is optimized for verification in an Ethereum smart contract, where Keccak "
+                "has a privileged position due to the existence of an EVM precompile. Starknet is optimized "
+                "for verification in a Starknet smart contract, which can be generated using the Garaga library.")
+            ->check(CLI::IsMember({ "poseidon2", "keccak", "starknet" }).name("is_member"));
     };
 
     const auto add_output_format_option = [&](CLI::App* subcommand) {

barretenberg/cpp/src/barretenberg/benchmark/append_only_tree_bench/CMakeLists.txt

@@ -1 +1 @@
-barretenberg_module(append_only_tree_bench crypto_poseidon2 crypto_pedersen_hash crypto_merkle_tree)
+barretenberg_module(append_only_tree_bench crypto_poseidon2 ext_starknet_crypto_poseidon crypto_pedersen_hash crypto_merkle_tree)

barretenberg/cpp/src/barretenberg/benchmark/indexed_tree_bench/CMakeLists.txt

@@ -1 +1 @@
-barretenberg_module(indexed_tree_bench crypto_poseidon2 crypto_pedersen_hash crypto_merkle_tree)
+barretenberg_module(indexed_tree_bench crypto_poseidon2 ext_starknet_crypto_poseidon crypto_pedersen_hash crypto_merkle_tree)

barretenberg/cpp/src/barretenberg/benchmark/merkle_tree_bench/CMakeLists.txt

@@ -1 +1 @@
-barretenberg_module(merkle_tree_bench crypto_poseidon2 crypto_pedersen_hash crypto_merkle_tree)
+barretenberg_module(merkle_tree_bench crypto_poseidon2 ext_starknet_crypto_poseidon crypto_pedersen_hash crypto_merkle_tree)

barretenberg/cpp/src/barretenberg/benchmark/poseidon2_bench/CMakeLists.txt

@@ -1 +1 @@
-barretenberg_module(poseidon2_bench crypto_poseidon2)
+barretenberg_module(poseidon2_bench crypto_poseidon2 ext_starknet_crypto_poseidon)

barretenberg/cpp/src/barretenberg/commitment_schemes/small_subgroup_ipa/small_subgroup_ipa.cpp

@@ -4,6 +4,7 @@
 #include "barretenberg/ecc/curves/bn254/bn254.hpp"
 #include "barretenberg/eccvm/eccvm_flavor.hpp"
 #include "barretenberg/eccvm/eccvm_translation_data.hpp"
+#include "barretenberg/ext/starknet/stdlib_circuit_builders/ultra_starknet_zk_flavor.hpp"
 #include "barretenberg/polynomials/polynomial.hpp"
 #include "barretenberg/polynomials/univariate.hpp"
 #include "barretenberg/stdlib/primitives/curves/grumpkin.hpp"
@@ -441,6 +442,7 @@ template class SmallSubgroupIPAProver<TranslatorFlavor>;
 template class SmallSubgroupIPAProver<MegaZKFlavor>;
 template class SmallSubgroupIPAProver<UltraZKFlavor>;
 template class SmallSubgroupIPAProver<UltraKeccakZKFlavor>;
+template class SmallSubgroupIPAProver<UltraStarknetZKFlavor>;
 
 // Instantiations used in tests
 template class SmallSubgroupIPAProver<BN254Settings>;

barretenberg/cpp/src/barretenberg/crypto/poseidon2/sponge/sponge.hpp

@@ -132,8 +132,14 @@ template <typename FF, size_t rate, size_t capacity, size_t t, typename Permutat
     {
         size_t in_len = input.size();
         const uint256_t iv = (static_cast<uint256_t>(in_len) << 64) + out_len - 1;
+        return hash_internal<out_len>(input, iv);
+    }
+
+    template <size_t out_len> static std::array<FF, out_len> hash_internal(std::span<const FF> input, FF iv)
+    {
         FieldSponge sponge(iv);
 
+        size_t in_len = input.size();
         for (size_t i = 0; i < in_len; ++i) {
             sponge.absorb(input[i]);
         }
@@ -146,5 +152,6 @@ template <typename FF, size_t rate, size_t capacity, size_t t, typename Permutat
     }
 
     static FF hash_internal(std::span<const FF> input) { return hash_internal<1>(input)[0]; }
+    static FF hash_internal(std::span<const FF> input, FF iv) { return hash_internal<1>(input, iv)[0]; }
 };
-} // namespace bb::crypto
+} // namespace bb::crypto

barretenberg/cpp/src/barretenberg/dsl/acir_proofs/c_bind.cpp

@@ -254,6 +254,23 @@ WASM_EXPORT void acir_prove_ultra_keccak_honk(uint8_t const* acir_vec, uint8_t c
     *out = to_heap_buffer(to_buffer(proof));
 }
 
+WASM_EXPORT void acir_prove_ultra_starknet_honk(uint8_t const* acir_vec, uint8_t const* witness_vec, uint8_t** out)
+{
+    // Lambda function to ensure things get freed before proving.
+    UltraStarknetProver prover = [&] {
+        const acir_format::ProgramMetadata metadata{ .honk_recursion = 1 };
+        acir_format::AcirProgram program{
+            acir_format::circuit_buf_to_acir_format(from_buffer<std::vector<uint8_t>>(acir_vec)),
+            acir_format::witness_buf_to_witness_data(from_buffer<std::vector<uint8_t>>(witness_vec))
+        };
+        auto builder = acir_format::create_circuit<UltraCircuitBuilder>(program, metadata);
+
+        return UltraStarknetProver(builder);
+    }();
+    auto proof = prover.construct_proof();
+    *out = to_heap_buffer(to_buffer(proof));
+}
+
 WASM_EXPORT void acir_verify_ultra_honk(uint8_t const* proof_buf, uint8_t const* vk_buf, bool* result)
 {
     using VerificationKey = UltraFlavor::VerificationKey;
@@ -280,6 +297,19 @@ WASM_EXPORT void acir_verify_ultra_keccak_honk(uint8_t const* proof_buf, uint8_t
     *result = verifier.verify_proof(proof);
 }
 
+WASM_EXPORT void acir_verify_ultra_starknet_honk(uint8_t const* proof_buf, uint8_t const* vk_buf, bool* result)
+{
+    using VerificationKey = UltraStarknetFlavor::VerificationKey;
+    using Verifier = UltraVerifier_<UltraStarknetFlavor>;
+
+    auto proof = from_buffer<std::vector<bb::fr>>(from_buffer<std::vector<uint8_t>>(proof_buf));
+    auto verification_key = std::make_shared<VerificationKey>(from_buffer<VerificationKey>(vk_buf));
+
+    Verifier verifier{ verification_key };
+
+    *result = verifier.verify_proof(proof);
+}
+
 WASM_EXPORT void acir_write_vk_ultra_honk(uint8_t const* acir_vec, uint8_t** out)
 {
     using DeciderProvingKey = DeciderProvingKey_<UltraFlavor>;
@@ -315,6 +345,24 @@ WASM_EXPORT void acir_write_vk_ultra_keccak_honk(uint8_t const* acir_vec, uint8_
     *out = to_heap_buffer(to_buffer(vk));
 }
 
+WASM_EXPORT void acir_write_vk_ultra_starknet_honk(uint8_t const* acir_vec, uint8_t** out)
+{
+    using DeciderProvingKey = DeciderProvingKey_<UltraStarknetFlavor>;
+    using VerificationKey = UltraStarknetFlavor::VerificationKey;
+
+    // lambda to free the builder
+    DeciderProvingKey proving_key = [&] {
+        const acir_format::ProgramMetadata metadata{ .honk_recursion = 1 };
+        acir_format::AcirProgram program{ acir_format::circuit_buf_to_acir_format(
+            from_buffer<std::vector<uint8_t>>(acir_vec)) };
+        auto builder = acir_format::create_circuit<UltraCircuitBuilder>(program, metadata);
+        return DeciderProvingKey(builder);
+    }();
+    VerificationKey vk(proving_key.proving_key);
+    vinfo("Constructed UltraStarknetHonk verification key");
+    *out = to_heap_buffer(to_buffer(vk));
+}
+
 WASM_EXPORT void acir_honk_solidity_verifier(uint8_t const* proof_buf, uint8_t const* vk_buf, uint8_t** out)
 {
     using VerificationKey = UltraKeccakFlavor::VerificationKey;

barretenberg/cpp/src/barretenberg/dsl/acir_proofs/c_bind.hpp

@@ -78,12 +78,15 @@ WASM_EXPORT void acir_serialize_verification_key_into_fields(in_ptr acir_compose
 
 WASM_EXPORT void acir_prove_ultra_honk(uint8_t const* acir_vec, uint8_t const* witness_vec, uint8_t** out);
 WASM_EXPORT void acir_prove_ultra_keccak_honk(uint8_t const* acir_vec, uint8_t const* witness_vec, uint8_t** out);
+WASM_EXPORT void acir_prove_ultra_starknet_honk(uint8_t const* acir_vec, uint8_t const* witness_vec, uint8_t** out);
 
 WASM_EXPORT void acir_verify_ultra_honk(uint8_t const* proof_buf, uint8_t const* vk_buf, bool* result);
 WASM_EXPORT void acir_verify_ultra_keccak_honk(uint8_t const* proof_buf, uint8_t const* vk_buf, bool* result);
+WASM_EXPORT void acir_verify_ultra_starknet_honk(uint8_t const* proof_buf, uint8_t const* vk_buf, bool* result);
 
 WASM_EXPORT void acir_write_vk_ultra_honk(uint8_t const* acir_vec, uint8_t** out);
 WASM_EXPORT void acir_write_vk_ultra_keccak_honk(uint8_t const* acir_vec, uint8_t** out);
+WASM_EXPORT void acir_write_vk_ultra_starknet_honk(uint8_t const* acir_vec, uint8_t** out);
 
 WASM_EXPORT void acir_proof_as_fields_ultra_honk(uint8_t const* proof_buf, fr::vec_out_buf out);
 

barretenberg/cpp/src/barretenberg/ecc/fields/field_declarations.hpp

@@ -325,7 +325,8 @@ template <class Params_> struct alignas(32) field {
 
     BB_INLINE constexpr field pow(const uint256_t& exponent) const noexcept;
     BB_INLINE constexpr field pow(uint64_t exponent) const noexcept;
-    static_assert(Params::modulus_0 != 1);
+    // STARKNET: next line was commented as stark252 violates the assertion
+    // static_assert(Params::modulus_0 != 1);
     static constexpr uint256_t modulus_minus_two =
         uint256_t(Params::modulus_0 - 2ULL, Params::modulus_1, Params::modulus_2, Params::modulus_3);
     constexpr field invert() const noexcept;

barretenberg/cpp/src/barretenberg/ext/starknet/crypto/CMakeLists.txt

@@ -0,0 +1 @@
+add_subdirectory(poseidon)

barretenberg/cpp/src/barretenberg/ext/starknet/crypto/poseidon/CMakeLists.txt

@@ -0,0 +1 @@
+barretenberg_module(ext_starknet_crypto_poseidon ecc)

barretenberg/cpp/src/barretenberg/ext/starknet/crypto/poseidon/poseidon.cpp

@@ -0,0 +1,19 @@
+#include "poseidon.hpp"
+
+namespace bb::starknet::crypto {
+
+template <typename Params>
+typename Poseidon<Params>::FF Poseidon<Params>::hash(const std::vector<typename Poseidon<Params>::FF>& input)
+{
+    return Sponge::hash_internal(input);
+}
+
+template <typename Params>
+typename Poseidon<Params>::FF Poseidon<Params>::hash(const std::vector<typename Poseidon<Params>::FF>& input, FF iv)
+{
+    return Sponge::hash_internal(input, iv);
+}
+
+template class Poseidon<PoseidonStark252BaseFieldParams>;
+
+} // namespace bb::starknet::crypto

barretenberg/cpp/src/barretenberg/ext/starknet/crypto/poseidon/poseidon.hpp

@@ -0,0 +1,22 @@
+#pragma once
+
+#include "barretenberg/crypto/poseidon2/sponge/sponge.hpp"
+#include "poseidon_params.hpp"
+#include "poseidon_permutation.hpp"
+
+namespace bb::starknet::crypto {
+
+template <typename Params> class Poseidon {
+  public:
+    using FF = typename Params::FF;
+
+    using Sponge = bb::crypto::FieldSponge<FF, Params::t - 1, 1, Params::t, PoseidonPermutation<Params>>;
+
+    static FF hash(const std::vector<FF>& input);
+
+    static FF hash(const std::vector<FF>& input, FF iv);
+};
+
+extern template class Poseidon<PoseidonStark252BaseFieldParams>;
+
+} // namespace bb::starknet::crypto

barretenberg/cpp/src/barretenberg/ext/starknet/crypto/poseidon/poseidon.test.cpp

@@ -0,0 +1,47 @@
+#include "poseidon.hpp"
+#include "barretenberg/ext/starknet/ecc/curves/stark252/stark252.hpp"
+#include "poseidon_params.hpp"
+#include <gtest/gtest.h>
+
+using namespace bb::starknet;
+
+namespace {
+auto& engine = bb::numeric::get_debug_randomness();
+}
+
+TEST(Poseidon, HashBasicTests)
+{
+    using fq = stark252::fq;
+
+    fq a = fq::random_element(&engine);
+    fq b = fq::random_element(&engine);
+    fq c = fq::random_element(&engine);
+    fq d = fq::random_element(&engine);
+
+    std::vector<fq> input1{ a, b, c, d };
+    std::vector<fq> input2{ d, c, b, a };
+
+    auto r0 = crypto::Poseidon<crypto::PoseidonStark252BaseFieldParams>::hash(input1);
+    auto r1 = crypto::Poseidon<crypto::PoseidonStark252BaseFieldParams>::hash(input1);
+    auto r2 = crypto::Poseidon<crypto::PoseidonStark252BaseFieldParams>::hash(input2);
+
+    EXPECT_EQ(r0, r1);
+    EXPECT_NE(r0, r2);
+}
+
+TEST(Poseidon, HashConsistencyCheck)
+{
+    using fq = stark252::fq;
+
+    fq a(std::string("9a807b615c4d3e2fa0b1c2d3e4f56789fedcba9876543210abcdef0123456789"));
+    fq b(std::string("9a807b615c4d3e2fa0b1c2d3e4f56789fedcba9876543210abcdef0123456789"));
+    fq c(std::string("0x9a807b615c4d3e2fa0b1c2d3e4f56789fedcba9876543210abcdef0123456789"));
+    fq d(std::string("0x9a807b615c4d3e2fa0b1c2d3e4f56789fedcba9876543210abcdef0123456789"));
+
+    std::vector<fq> input{ a, b, c, d };
+    auto result = crypto::Poseidon<crypto::PoseidonStark252BaseFieldParams>::hash(input);
+
+    fq expected(std::string("0x0494e3a5a8047943395f79e41f11ba73285be9aa930953fbad060c0649a7c79d"));
+
+    EXPECT_EQ(result, expected);
+}