feat: Make public inputs the start of the UH and MH proof

barretenberg/acir_tests/bootstrap.sh

@@ -30,6 +30,7 @@ function build {
     # COMPILE=2 only compiles the test.
     denoise "parallel --joblog joblog.txt --line-buffered 'COMPILE=2 ./run_test.sh \$(basename {})' ::: ./acir_tests/*"
 
+    # TODO(https://github.com/AztecProtocol/barretenberg/issues/1279): Fix this workflow.
     echo "Regenerating verify_honk_proof and verify_rollup_honk_proof recursive inputs."
     local bb=$(realpath ../cpp/build/bin/bb)
     (cd ./acir_tests/assert_statement && \

barretenberg/acir_tests/sol-test/src/index.js

@@ -6,8 +6,8 @@ import solc from "solc";
 
 // Size excluding number of public inputs
 const NUMBER_OF_FIELDS_IN_PLONK_PROOF = 93;
-const NUMBER_OF_FIELDS_IN_HONK_PROOF = 443;
-const NUMBER_OF_FIELDS_IN_HONK_ZK_PROOF = 494;
+const NUMBER_OF_FIELDS_IN_HONK_PROOF = 440;
+const NUMBER_OF_FIELDS_IN_HONK_ZK_PROOF = 491;
 
 const WRONG_PROOF_LENGTH = "0xed74ac0a";
 const WRONG_PUBLIC_INPUTS_LENGTH = "0xfa066593";
@@ -170,15 +170,8 @@ const readPublicInputs = (proofAsFields) => {
   const publicInputs = [];
   // Compute the number of public inputs, not accounted  for in the constant NUMBER_OF_FIELDS_IN_PROOF
   const numPublicInputs = proofAsFields.length - NUMBER_OF_FIELDS_IN_PROOF;
-  let publicInputsOffset = 0;
-
-  // Honk proofs contain 3 pieces of metadata before the public inputs, while plonk does not
-  if (testingHonk) {
-    publicInputsOffset = 3;
-  }
-
   for (let i = 0; i < numPublicInputs; i++) {
-    publicInputs.push(proofAsFields[publicInputsOffset + i]);
+    publicInputs.push(proofAsFields[i]);
   }
   return [numPublicInputs, publicInputs];
 };
@@ -234,10 +227,8 @@ try {
   if (testingHonk) {
     // Cut off the serialised buffer size at start
     proofStr = proofStr.substring(8);
-    // Get the part before and after the public inputs
-    const proofStart = proofStr.slice(0, 64 * 3);
-    const proofEnd = proofStr.substring(64 * 3 + 64 * numPublicInputs);
-    proofStr = proofStart + proofEnd;
+    // Get the part after the public inputs
+    proofStr = proofStr.substring(64 * numPublicInputs);
   } else {
     proofStr = proofStr.substring(64 * numPublicInputs);
   }

barretenberg/cpp/src/barretenberg/api/api_ultra_honk.cpp

@@ -98,7 +98,7 @@ bool _verify(const bool honk_recursion_2, const std::filesystem::path& proof_pat
     bool verified;
     if (honk_recursion_2) {
         const size_t HONK_PROOF_LENGTH = Flavor::PROOF_LENGTH_WITHOUT_PUB_INPUTS - IPA_PROOF_LENGTH;
-        const size_t num_public_inputs = static_cast<size_t>(uint64_t(proof[1]));
+        const size_t num_public_inputs = static_cast<size_t>(vk->num_public_inputs);
         // The extra calculation is for the IPA proof length.
         ASSERT(proof.size() == HONK_PROOF_LENGTH + IPA_PROOF_LENGTH + num_public_inputs);
         const std::ptrdiff_t honk_proof_with_pub_inputs_length =

barretenberg/cpp/src/barretenberg/api/prove_tube.cpp

@@ -40,12 +40,11 @@ void prove_tube(const std::string& output_path)
     // circuit
     // TODO(https://github.com/AztecProtocol/barretenberg/issues/1048): INSECURE - make this tube proof actually use
     // these public inputs by turning proof into witnesses and calling set_public on each witness
-    auto num_inner_public_inputs = static_cast<uint32_t>(static_cast<uint256_t>(proof.mega_proof[1]));
+    auto num_inner_public_inputs = static_cast<uint32_t>(static_cast<uint256_t>(vk.mega->num_public_inputs));
     num_inner_public_inputs -= bb::PAIRING_POINT_ACCUMULATOR_SIZE; // don't add the agg object
 
     for (size_t i = 0; i < num_inner_public_inputs; i++) {
-        auto offset = bb::HONK_PROOF_PUBLIC_INPUT_OFFSET;
-        builder->add_public_variable(proof.mega_proof[i + offset]);
+        builder->add_public_variable(proof.mega_proof[i]);
     }
     ClientIVCRecursiveVerifier verifier{ builder, vk };
 

barretenberg/cpp/src/barretenberg/client_ivc/client_ivc.cpp

@@ -259,12 +259,11 @@ HonkProof ClientIVC::construct_and_prove_hiding_circuit()
     // circuit. So, these have to be preserved as public inputs to the hiding circuit (and, subsequently, as public
     // inputs to the tube circuit) which are intermediate stages.
     // TODO(https://github.com/AztecProtocol/barretenberg/issues/1048): link these properly, likely insecure
-    auto num_public_inputs = static_cast<uint32_t>(static_cast<uint256_t>(fold_proof[PUBLIC_INPUTS_SIZE_INDEX]));
+    auto num_public_inputs = static_cast<uint32_t>(static_cast<uint256_t>(honk_vk->num_public_inputs));
     num_public_inputs -= bb::PAIRING_POINT_ACCUMULATOR_SIZE;      // exclude aggregation object
     num_public_inputs -= bb::PROPAGATED_DATABUS_COMMITMENTS_SIZE; // exclude propagated databus commitments
     for (size_t i = 0; i < num_public_inputs; i++) {
-        size_t offset = HONK_PROOF_PUBLIC_INPUT_OFFSET;
-        builder.add_public_variable(fold_proof[i + offset]);
+        builder.add_public_variable(fold_proof[i]);
     }
 
     process_recursive_merge_verification_queue(builder);

barretenberg/cpp/src/barretenberg/client_ivc/client_ivc.test.cpp

@@ -183,11 +183,6 @@ TEST_F(ClientIVCTests, BadProofFailure)
         // Construct and accumulate a set of mocked private function execution circuits
         size_t NUM_CIRCUITS = 4;
         for (size_t idx = 0; idx < NUM_CIRCUITS; ++idx) {
-            if (idx == 3) { // At idx = 3, we've tampered with the one of the folding proofs so create the recursive
-                            // folding verifier will throw an error.
-                EXPECT_ANY_THROW(circuit_producer.create_next_circuit(ivc, /*log2_num_gates=*/5));
-                break;
-            }
             auto circuit = circuit_producer.create_next_circuit(ivc, /*log2_num_gates=*/5);
             ivc.accumulate(circuit);
 
@@ -196,6 +191,7 @@ TEST_F(ClientIVCTests, BadProofFailure)
                 tamper_with_proof(ivc.verification_queue[0].proof); // tamper with first proof
             }
         }
+        EXPECT_FALSE(ivc.prove_and_verify());
     }
 
     // The IVC fails if the SECOND fold proof is tampered with
@@ -207,11 +203,6 @@ TEST_F(ClientIVCTests, BadProofFailure)
         // Construct and accumulate a set of mocked private function execution circuits
         size_t NUM_CIRCUITS = 4;
         for (size_t idx = 0; idx < NUM_CIRCUITS; ++idx) {
-            if (idx == 3) { // At idx = 3, we've tampered with the one of the folding proofs so create the recursive
-                            // folding verifier will throw an error.
-                EXPECT_ANY_THROW(circuit_producer.create_next_circuit(ivc, /*log2_num_gates=*/5));
-                break;
-            }
             auto circuit = circuit_producer.create_next_circuit(ivc, /*log2_num_gates=*/5);
             ivc.accumulate(circuit);
 
@@ -220,6 +211,7 @@ TEST_F(ClientIVCTests, BadProofFailure)
                 tamper_with_proof(ivc.verification_queue[1].proof); // tamper with second proof
             }
         }
+        EXPECT_FALSE(ivc.prove_and_verify());
     }
 
     // The IVC fails if the 3rd/FINAL fold proof is tampered with
@@ -239,7 +231,7 @@ TEST_F(ClientIVCTests, BadProofFailure)
         EXPECT_EQ(ivc.verification_queue.size(), 1);
         tamper_with_proof(ivc.verification_queue[0].proof); // tamper with the final fold proof
 
-        EXPECT_ANY_THROW(ivc.prove_and_verify());
+        EXPECT_FALSE(ivc.prove_and_verify());
     }
 
     EXPECT_TRUE(true);

barretenberg/cpp/src/barretenberg/dsl/acir_format/honk_recursion_constraint.cpp

@@ -86,11 +86,7 @@ void create_dummy_vkey_and_proof(Builder& builder,
         offset += 4;
     }
 
-    offset = bb::HONK_PROOF_PUBLIC_INPUT_OFFSET;
-    // first 3 things
-    builder.assert_equal(builder.add_variable(1 << log_circuit_size), proof_fields[0].witness_index);
-    builder.assert_equal(builder.add_variable(public_inputs_size), proof_fields[1].witness_index);
-    builder.assert_equal(builder.add_variable(Flavor::has_zero_row ? 1 : 0), proof_fields[2].witness_index);
+    offset = 0; // Reset offset for parsing proof fields
 
     // the inner public inputs
     for (size_t i = 0; i < num_inner_public_inputs; i++) {

barretenberg/cpp/src/barretenberg/dsl/acir_format/ivc_recursion_constraint.cpp

@@ -108,9 +108,9 @@ ClientIVC::VerifierInputs create_mock_verification_queue_entry(const ClientIVC::
     // Construct a mock Oink or PG proof
     std::vector<FF> proof;
     if (verification_type == ClientIVC::QUEUE_TYPE::OINK) {
-        proof = create_mock_oink_proof(dyadic_size, num_public_inputs, pub_inputs_offset);
+        proof = create_mock_oink_proof(num_public_inputs);
     } else { // ClientIVC::QUEUE_TYPE::PG)
-        proof = create_mock_pg_proof(dyadic_size, num_public_inputs, pub_inputs_offset);
+        proof = create_mock_pg_proof(num_public_inputs);
     }
 
     // Construct a mock MegaHonk verification key
@@ -130,20 +130,13 @@ ClientIVC::VerifierInputs create_mock_verification_queue_entry(const ClientIVC::
  * @brief Create a mock oink proof that has the correct structure but is not in general valid
  *
  */
-std::vector<ClientIVC::FF> create_mock_oink_proof(const size_t dyadic_size,
-                                                  const size_t num_public_inputs,
-                                                  const size_t pub_inputs_offset)
+std::vector<ClientIVC::FF> create_mock_oink_proof(const size_t num_public_inputs)
 {
     using Flavor = ClientIVC::Flavor;
     using FF = ClientIVC::FF;
 
     std::vector<FF> proof;
 
-    // Populate proof metadata
-    proof.emplace_back(dyadic_size);
-    proof.emplace_back(num_public_inputs);
-    proof.emplace_back(pub_inputs_offset);
-
     // Populate mock public inputs
     for (size_t i = 0; i < num_public_inputs; ++i) {
         proof.emplace_back(0);
@@ -165,15 +158,13 @@ std::vector<ClientIVC::FF> create_mock_oink_proof(const size_t dyadic_size,
  * @brief Create a mock PG proof that has the correct structure but is not in general valid
  *
  */
-std::vector<ClientIVC::FF> create_mock_pg_proof(const size_t dyadic_size,
-                                                const size_t num_public_inputs,
-                                                const size_t pub_inputs_offset)
+std::vector<ClientIVC::FF> create_mock_pg_proof(const size_t num_public_inputs)
 {
     using FF = ClientIVC::FF;
     using DeciderProvingKeys = ClientIVC::DeciderProvingKeys;
 
     // The first part of a PG proof is an Oink proof
-    std::vector<FF> proof = create_mock_oink_proof(dyadic_size, num_public_inputs, pub_inputs_offset);
+    std::vector<FF> proof = create_mock_oink_proof(num_public_inputs);
 
     // Populate mock perturbator coefficients
     for (size_t idx = 1; idx <= CONST_PG_LOG_N; idx++) {

barretenberg/cpp/src/barretenberg/dsl/acir_format/ivc_recursion_constraint.hpp

@@ -16,13 +16,9 @@ std::shared_ptr<ClientIVC> create_mock_ivc_from_constraints(const std::vector<Re
 
 void mock_ivc_accumulation(const std::shared_ptr<ClientIVC>& ivc, ClientIVC::QUEUE_TYPE type, const bool is_kernel);
 
-std::vector<ClientIVC::FF> create_mock_oink_proof(const size_t dyadic_size,
-                                                  const size_t num_public_inputs,
-                                                  const size_t pub_inputs_offset);
+std::vector<ClientIVC::FF> create_mock_oink_proof(const size_t num_public_inputs);
 
-std::vector<ClientIVC::FF> create_mock_pg_proof(const size_t dyadic_size,
-                                                const size_t num_public_inputs,
-                                                const size_t pub_inputs_offset);
+std::vector<ClientIVC::FF> create_mock_pg_proof(const size_t num_public_inputs);
 
 std::shared_ptr<ClientIVC::MegaVerificationKey> create_mock_honk_vk(const size_t dyadic_size,
                                                                     const size_t num_public_inputs,

barretenberg/cpp/src/barretenberg/dsl/acir_format/proof_surgeon.hpp

@@ -76,9 +76,8 @@ class ProofSurgeon {
         proof.reserve(proof_in.size() + public_inputs.size());
 
         // Construct the complete proof as the concatenation {"initial data" | public_inputs | proof_in}
-        proof.insert(proof.end(), proof_in.begin(), proof_in.begin() + bb::HONK_PROOF_PUBLIC_INPUT_OFFSET);
         proof.insert(proof.end(), public_inputs.begin(), public_inputs.end());
-        proof.insert(proof.end(), proof_in.begin() + bb::HONK_PROOF_PUBLIC_INPUT_OFFSET, proof_in.end());
+        proof.insert(proof.end(), proof_in.begin(), proof_in.end());
 
         return proof;
     }
@@ -94,11 +93,8 @@ class ProofSurgeon {
                                                             const size_t num_public_inputs_to_extract)
     {
         // Construct iterators pointing to the start and end of the public inputs within the proof
-        auto pub_inputs_begin_itr =
-            proof_witnesses.begin() + static_cast<std::ptrdiff_t>(bb::HONK_PROOF_PUBLIC_INPUT_OFFSET);
-        auto pub_inputs_end_itr =
-            proof_witnesses.begin() +
-            static_cast<std::ptrdiff_t>(bb::HONK_PROOF_PUBLIC_INPUT_OFFSET + num_public_inputs_to_extract);
+        auto pub_inputs_begin_itr = proof_witnesses.begin();
+        auto pub_inputs_end_itr = proof_witnesses.begin() + static_cast<std::ptrdiff_t>(num_public_inputs_to_extract);
 
         // Construct the isolated public inputs
         std::vector<bb::fr> public_input_witnesses{ pub_inputs_begin_itr, pub_inputs_end_itr };
@@ -122,7 +118,7 @@ class ProofSurgeon {
         std::vector<uint32_t> public_input_witness_indices;
         public_input_witness_indices.reserve(num_public_inputs_to_extract);
 
-        const size_t start = bb::HONK_PROOF_PUBLIC_INPUT_OFFSET;
+        const size_t start = 0;
         const size_t end = start + num_public_inputs_to_extract;
         for (size_t i = start; i < end; ++i) {
             public_input_witness_indices.push_back(proof[i].get_witness_index());

barretenberg/cpp/src/barretenberg/dsl/acir_proofs/honk_contract.hpp

@@ -268,9 +268,6 @@ library Honk {
 
 
     struct Proof {
-        uint256 circuitSize;
-        uint256 publicInputsSize;
-        uint256 publicInputsOffset;
         // Free wires
         Honk.G1ProofPoint w1;
         Honk.G1ProofPoint w2;
@@ -310,15 +307,14 @@ struct Transcript {
 }
 
 library TranscriptLib {
-    function generateTranscript(Honk.Proof memory proof, bytes32[] calldata publicInputs, uint256 publicInputsSize)
+    function generateTranscript(Honk.Proof memory proof, bytes32[] calldata publicInputs, uint256 circuitSize, uint256 publicInputsSize, uint256 pubInputsOffset)
         internal
         pure
         returns (Transcript memory t)
     {
         Fr previousChallenge;
         (t.relationParameters, previousChallenge) =
-            generateRelationParametersChallenges(proof, publicInputs, publicInputsSize, previousChallenge);
-
+            generateRelationParametersChallenges(proof, publicInputs, circuitSize, publicInputsSize, pubInputsOffset, previousChallenge);
 
         (t.alphas, previousChallenge) = generateAlphaChallenges(previousChallenge, proof);
 
@@ -348,25 +344,27 @@ library TranscriptLib {
     function generateRelationParametersChallenges(
         Honk.Proof memory proof,
         bytes32[] calldata publicInputs,
+        uint256 circuitSize,
         uint256 publicInputsSize,
+        uint256 pubInputsOffset,
         Fr previousChallenge
     ) internal pure returns (Honk.RelationParameters memory rp, Fr nextPreviousChallenge) {
         (rp.eta, rp.etaTwo, rp.etaThree, previousChallenge) =
-            generateEtaChallenge(proof, publicInputs, publicInputsSize);
+            generateEtaChallenge(proof, publicInputs, circuitSize, publicInputsSize, pubInputsOffset);
 
         (rp.beta, rp.gamma, nextPreviousChallenge) = generateBetaAndGammaChallenges(previousChallenge, proof);
 
     }
 
-    function generateEtaChallenge(Honk.Proof memory proof, bytes32[] calldata publicInputs, uint256 publicInputsSize)
+    function generateEtaChallenge(Honk.Proof memory proof, bytes32[] calldata publicInputs, uint256 circuitSize, uint256 publicInputsSize, uint256 pubInputsOffset)
         internal
         pure
         returns (Fr eta, Fr etaTwo, Fr etaThree, Fr previousChallenge)
     {
         bytes32[] memory round0 = new bytes32[](3 + publicInputsSize + 12);
-        round0[0] = bytes32(proof.circuitSize);
-        round0[1] = bytes32(proof.publicInputsSize);
-        round0[2] = bytes32(proof.publicInputsOffset);
+        round0[0] = bytes32(circuitSize);
+        round0[1] = bytes32(publicInputsSize);
+        round0[2] = bytes32(pubInputsOffset);
         for (uint256 i = 0; i < publicInputsSize; i++) {
             round0[3 + i] = bytes32(publicInputs[i]);
         }
@@ -554,24 +552,19 @@ library TranscriptLib {
     }
 
     function loadProof(bytes calldata proof) internal pure returns (Honk.Proof memory p) {
-        // Metadata
-        p.circuitSize = uint256(bytes32(proof[0x00:0x20]));
-        p.publicInputsSize = uint256(bytes32(proof[0x20:0x40]));
-        p.publicInputsOffset = uint256(bytes32(proof[0x40:0x60]));
-
         // Commitments
-        p.w1 = bytesToG1ProofPoint(proof[0x60:0xe0]);
+        p.w1 = bytesToG1ProofPoint(proof[0x0:0x80]);
 
-        p.w2 = bytesToG1ProofPoint(proof[0xe0:0x160]);
-        p.w3 = bytesToG1ProofPoint(proof[0x160:0x1e0]);
+        p.w2 = bytesToG1ProofPoint(proof[0x80:0x100]);
+        p.w3 = bytesToG1ProofPoint(proof[0x100:0x180]);
 
         // Lookup / Permutation Helper Commitments
-        p.lookupReadCounts = bytesToG1ProofPoint(proof[0x1e0:0x260]);
-        p.lookupReadTags = bytesToG1ProofPoint(proof[0x260:0x2e0]);
-        p.w4 = bytesToG1ProofPoint(proof[0x2e0:0x360]);
-        p.lookupInverses = bytesToG1ProofPoint(proof[0x360:0x3e0]);
-        p.zPerm = bytesToG1ProofPoint(proof[0x3e0:0x460]);
-        uint256 boundary = 0x460;
+        p.lookupReadCounts = bytesToG1ProofPoint(proof[0x180:0x200]);
+        p.lookupReadTags = bytesToG1ProofPoint(proof[0x200:0x280]);
+        p.w4 = bytesToG1ProofPoint(proof[0x280:0x300]);
+        p.lookupInverses = bytesToG1ProofPoint(proof[0x300:0x380]);
+        p.zPerm = bytesToG1ProofPoint(proof[0x380:0x400]);
+        uint256 boundary = 0x400;
 
         // Sumcheck univariates
         for (uint256 i = 0; i < CONST_PROOF_SIZE_LOG_N; i++) {
@@ -1436,7 +1429,7 @@ abstract contract BaseHonkVerifier is IVerifier {
     error ShpleminiFailed();
 
     // Number of field elements in a ultra honk zero knowledge proof
-    uint256 constant PROOF_SIZE = 443;
+    uint256 constant PROOF_SIZE = 440;
 
     function loadVerificationKey() internal pure virtual returns (Honk.VerificationKey memory);
 
@@ -1454,11 +1447,13 @@ abstract contract BaseHonkVerifier is IVerifier {
         }
 
         // Generate the fiat shamir challenges for the whole protocol
-        Transcript memory t = TranscriptLib.generateTranscript(p, publicInputs, vk.publicInputsSize);
+        // TODO(https://github.com/AztecProtocol/barretenberg/issues/1281): Add pubInputsOffset to VK or remove entirely.
+        Transcript memory t = TranscriptLib.generateTranscript(p, publicInputs, vk.circuitSize, vk.publicInputsSize, /*pubInputsOffset=*/1);
 
         // Derive public input delta
+        // TODO(https://github.com/AztecProtocol/barretenberg/issues/1281): Add pubInputsOffset to VK or remove entirely.
         t.relationParameters.publicInputsDelta = computePublicInputDelta(
-            publicInputs, t.relationParameters.beta, t.relationParameters.gamma, p.publicInputsOffset
+            publicInputs, t.relationParameters.beta, t.relationParameters.gamma, /*pubInputsOffset=*/1
         );
 
         // Sumcheck