generic traits for prime field elements and group elements

2026-01-12 00:51:28 +01:00 · 2021-08-31 13:03:54 -07:00
parent 06b1c4d415
commit 732d937b09
5 changed files with 360 additions and 257 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -11,7 +11,6 @@ license-file = "LICENSE"
 keywords = ["Recursive zkSNARKs", "cryptography", "proofs"]
 [dependencies]
 curve25519-dalek = {version = "3.0.0", features = ["simd_backend"]}
 merlin = "2.0.0"
 rand = "0.7.3"
 digest = "0.8.1"
@@ -19,3 +18,7 @@ sha3 = "0.8.2"
 rayon = "1.3.0"
 rand_core = { version = "0.5", default-features = false }
 itertools = "0.9.0"
 subtle = "2.4"
 [dev-dependencies]
 curve25519-dalek = {version = "3.0.0", features = ["simd_backend"]}
--- a/src/commitments.rs
+++ b/src/commitments.rs
@@ -1,56 +1,53 @@
 use super::errors::NovaError;
 use super::traits::{CompressedGroup, Group};
 use core::fmt::Debug;
 use core::ops::{Add, AddAssign, Mul, MulAssign};
 use curve25519_dalek::traits::VartimeMultiscalarMul;
 use digest::{ExtendableOutput, Input};
 use merlin::Transcript;
 use sha3::Shake256;
 use std::io::Read;
 pub type Scalar = curve25519_dalek::scalar::Scalar;
 type GroupElement = curve25519_dalek::ristretto::RistrettoPoint;
 type CompressedGroup = curve25519_dalek::ristretto::CompressedRistretto;
 #[derive(Debug)]
-pub struct CommitGens {
+pub struct CommitGens<G: Group> {
-  gens: Vec<GroupElement>,
+  gens: Vec<G>,
 }
 #[derive(Clone, Copy, Debug, PartialEq, Eq)]
 pub struct Commitment<G: Group> {
  comm: G,
 }
 #[derive(Clone, Debug, PartialEq, Eq)]
-pub struct Commitment {
+pub struct CompressedCommitment<C: CompressedGroup> {
-  comm: GroupElement,
+  comm: C,
 }
-#[derive(Clone, Debug, PartialEq, Eq)]
+impl<G: Group> CommitGens<G> {
 pub struct CompressedCommitment {
  comm: CompressedGroup,
 }
 impl CommitGens {
  pub fn new(label: &[u8], n: usize) -> Self {
    let mut shake = Shake256::default();
    shake.input(label);
    let mut reader = shake.xof_result();
-    let mut gens: Vec<GroupElement> = Vec::new();
+    let mut gens: Vec<G> = Vec::new();
    let mut uniform_bytes = [0u8; 64];
    for _ in 0..n {
      reader.read_exact(&mut uniform_bytes).unwrap();
-      gens.push(GroupElement::from_uniform_bytes(&uniform_bytes));
+      gens.push(G::from_uniform_bytes(&uniform_bytes).unwrap());
    }
    CommitGens { gens }
  }
 }
-impl Commitment {
+impl<G: Group> Commitment<G> {
-  pub fn compress(&self) -> CompressedCommitment {
+  pub fn compress(&self) -> CompressedCommitment<G::CompressedGroupElement> {
    CompressedCommitment {
      comm: self.comm.compress(),
    }
  }
 }
-impl CompressedCommitment {
+impl<C: CompressedGroup> CompressedCommitment<C> {
-  pub fn decompress(&self) -> Result<Commitment, NovaError> {
+  pub fn decompress(&self) -> Result<Commitment<C::GroupElement>, NovaError> {
    let comm = self.comm.decompress();
    if comm.is_none() {
      return Err(NovaError::DecompressionError);
@@ -61,161 +58,90 @@ impl CompressedCommitment {
  }
 }
-pub trait CommitTrait {
+pub trait CommitTrait<G: Group> {
-  fn commit(&self, gens: &CommitGens) -> Commitment;
+  fn commit(&self, gens: &CommitGens<G>) -> Commitment<G>;
 }
-impl CommitTrait for [Scalar] {
+impl<G: Group> CommitTrait<G> for [G::Scalar] {
-  fn commit(&self, gens: &CommitGens) -> Commitment {
+  fn commit(&self, gens: &CommitGens<G>) -> Commitment<G> {
    assert_eq!(gens.gens.len(), self.len());
    Commitment {
-      comm: GroupElement::vartime_multiscalar_mul(self, &gens.gens),
+      comm: G::vartime_multiscalar_mul(self, &gens.gens),
    }
  }
 }
 pub trait ProofTranscriptTrait {
  fn append_protocol_name(&mut self, protocol_name: &'static [u8]);
  fn challenge_scalar(&mut self, label: &'static [u8]) -> Scalar;
 }
 impl ProofTranscriptTrait for Transcript {
  fn append_protocol_name(&mut self, protocol_name: &'static [u8]) {
    self.append_message(b"protocol-name", protocol_name);
  }
  fn challenge_scalar(&mut self, label: &'static [u8]) -> Scalar {
    let mut buf = [0u8; 64];
    self.challenge_bytes(label, &mut buf);
    Scalar::from_bytes_mod_order_wide(&buf)
  }
 }
 pub trait AppendToTranscriptTrait {
  fn append_to_transcript(&self, label: &'static [u8], transcript: &mut Transcript);
 }
-impl AppendToTranscriptTrait for CompressedCommitment {
+impl<G: Group> AppendToTranscriptTrait for Commitment<G> {
  fn append_to_transcript(&self, label: &'static [u8], transcript: &mut Transcript) {
    transcript.append_message(label, self.comm.compress().as_bytes());
  }
 }
 impl<C: CompressedGroup> AppendToTranscriptTrait for CompressedCommitment<C> {
  fn append_to_transcript(&self, label: &'static [u8], transcript: &mut Transcript) {
    transcript.append_message(label, self.comm.as_bytes());
  }
 }
-impl<'b> MulAssign<&'b Scalar> for Commitment {
+impl<'b, G: Group> MulAssign<&'b G::Scalar> for Commitment<G> {
-  fn mul_assign(&mut self, scalar: &'b Scalar) {
+  fn mul_assign(&mut self, scalar: &'b G::Scalar) {
-    let result = (self as &Commitment).comm * scalar;
+    let result = (self as &Commitment<G>).comm * scalar;
    *self = Commitment { comm: result };
  }
 }
-impl<'a, 'b> Mul<&'b Scalar> for &'a Commitment {
+impl<G: Group> Mul<G::Scalar> for Commitment<G> {
-  type Output = Commitment;
+  type Output = Commitment<G>;
-  fn mul(self, scalar: &'b Scalar) -> Commitment {
+  fn mul(self, scalar: G::Scalar) -> Commitment<G> {
    Commitment {
      comm: self.comm * scalar,
    }
  }
 }
-impl<'a, 'b> Mul<&'b Commitment> for &'a Scalar {
+impl<'b, G: Group> AddAssign<&'b Commitment<G>> for Commitment<G> {
-  type Output = Commitment;
+  fn add_assign(&mut self, other: &'b Commitment<G>) {
-
+    let result = (self as &Commitment<G>).comm + other.comm;
  fn mul(self, comm: &'b Commitment) -> Commitment {
    Commitment {
      comm: self * comm.comm,
    }
  }
 }
 macro_rules! define_mul_variants {
  (LHS = $lhs:ty, RHS = $rhs:ty, Output = $out:ty) => {
    impl<'b> Mul<&'b $rhs> for $lhs {
      type Output = $out;
      fn mul(self, rhs: &'b $rhs) -> $out {
        &self * rhs
      }
    }
    impl<'a> Mul<$rhs> for &'a $lhs {
      type Output = $out;
      fn mul(self, rhs: $rhs) -> $out {
        self * &rhs
      }
    }
    impl Mul<$rhs> for $lhs {
      type Output = $out;
      fn mul(self, rhs: $rhs) -> $out {
        &self * &rhs
      }
    }
  };
 }
 macro_rules! define_mul_assign_variants {
  (LHS = $lhs:ty, RHS = $rhs:ty) => {
    impl MulAssign<$rhs> for $lhs {
      fn mul_assign(&mut self, rhs: $rhs) {
        *self *= &rhs;
      }
    }
  };
 }
 define_mul_assign_variants!(LHS = Commitment, RHS = Scalar);
 define_mul_variants!(LHS = Commitment, RHS = Scalar, Output = Commitment);
 define_mul_variants!(LHS = Scalar, RHS = Commitment, Output = Commitment);
 impl<'b> AddAssign<&'b Commitment> for Commitment {
  fn add_assign(&mut self, other: &'b Commitment) {
    let result = (self as &Commitment).comm + other.comm;
    *self = Commitment { comm: result };
  }
 }
-impl<'a, 'b> Add<&'b Commitment> for &'a Commitment {
+impl<'a, 'b, G: Group> Add<&'b Commitment<G>> for &'a Commitment<G> {
-  type Output = Commitment;
+  type Output = Commitment<G>;
-  fn add(self, other: &'b Commitment) -> Commitment {
+  fn add(self, other: &'b Commitment<G>) -> Commitment<G> {
    Commitment {
      comm: self.comm + other.comm,
    }
  }
 }
-macro_rules! define_add_variants {
+impl<G: Group> AddAssign<Commitment<G>> for Commitment<G> {
-  (LHS = $lhs:ty, RHS = $rhs:ty, Output = $out:ty) => {
+  fn add_assign(&mut self, rhs: Commitment<G>) {
-    impl<'b> Add<&'b $rhs> for $lhs {
+    *self += &rhs;
-      type Output = $out;
+  }
-      fn add(self, rhs: &'b $rhs) -> $out {
+}
 impl<'b, G: Group> Add<&'b Commitment<G>> for Commitment<G> {
  type Output = Commitment<G>;
  fn add(self, rhs: &'b Commitment<G>) -> Commitment<G> {
    &self + rhs
  }
 }
-    impl<'a> Add<$rhs> for &'a $lhs {
+impl<'a, G: Group> Add<Commitment<G>> for &'a Commitment<G> {
-      type Output = $out;
+  type Output = Commitment<G>;
-      fn add(self, rhs: $rhs) -> $out {
+  fn add(self, rhs: Commitment<G>) -> Commitment<G> {
    self + &rhs
  }
 }
-    impl Add<$rhs> for $lhs {
+impl<G: Group> Add<Commitment<G>> for Commitment<G> {
-      type Output = $out;
+  type Output = Commitment<G>;
-      fn add(self, rhs: $rhs) -> $out {
+  fn add(self, rhs: Commitment<G>) -> Commitment<G> {
    &self + &rhs
  }
 }
  };
 }
 macro_rules! define_add_assign_variants {
  (LHS = $lhs:ty, RHS = $rhs:ty) => {
    impl AddAssign<$rhs> for $lhs {
      fn add_assign(&mut self, rhs: $rhs) {
        *self += &rhs;
      }
    }
  };
 }
 define_add_assign_variants!(LHS = Commitment, RHS = Commitment);
 define_add_variants!(LHS = Commitment, RHS = Commitment, Output = Commitment);
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -1,33 +1,25 @@
 //! This library implements core components of Nova.
 #![allow(non_snake_case)]
 #![feature(test)]
 #![deny(missing_docs)]
 #![feature(external_doc)]
 #![doc(include = "../README.md")]
 extern crate core;
 extern crate curve25519_dalek;
 extern crate digest;
 extern crate merlin;
 extern crate rand;
 extern crate rayon;
 extern crate sha3;
 extern crate test;
 mod commitments;
 mod errors;
 mod r1cs;
 mod traits;
-use commitments::{AppendToTranscriptTrait, CompressedCommitment, ProofTranscriptTrait};
+use commitments::{AppendToTranscriptTrait, Commitment};
 use errors::NovaError;
 use merlin::Transcript;
 use r1cs::{R1CSGens, R1CSInstance, R1CSShape, R1CSWitness};
 use traits::{ChallengeTrait, Group};
 /// A SNARK that holds the proof of a step of an incremental computation
-pub struct StepSNARK {
+pub struct StepSNARK<G: Group> {
-  comm_T: CompressedCommitment,
+  comm_T: Commitment<G>,
 }
-impl StepSNARK {
+impl<G: Group> StepSNARK<G> {
  fn protocol_name() -> &'static [u8] {
    b"NovaStepSNARK"
  }
@@ -38,16 +30,17 @@ impl StepSNARK {
  /// with the guarantee that the folded witness `W` satisfies the folded instance `U`
  /// if and only if `W1` satisfies `U1` and `W2` satisfies `U2`.
  pub fn prove(
-    gens: &R1CSGens,
+    gens: &R1CSGens<G>,
-    S: &R1CSShape,
+    S: &R1CSShape<G>,
-    U1: &R1CSInstance,
+    U1: &R1CSInstance<G>,
-    W1: &R1CSWitness,
+    W1: &R1CSWitness<G>,
-    U2: &R1CSInstance,
+    U2: &R1CSInstance<G>,
-    W2: &R1CSWitness,
+    W2: &R1CSWitness<G>,
    transcript: &mut Transcript,
-  ) -> Result<(StepSNARK, (R1CSInstance, R1CSWitness)), NovaError> {
+  ) -> Result<(StepSNARK<G>, (R1CSInstance<G>, R1CSWitness<G>)), NovaError> {
    // append the protocol name to the transcript
-    transcript.append_protocol_name(StepSNARK::protocol_name());
+    //transcript.append_protocol_name(StepSNARK::protocol_name());
    transcript.append_message(b"protocol-name", StepSNARK::<G>::protocol_name());
    // compute a commitment to the cross-term
    let (T, comm_T) = S.commit_T(gens, U1, W1, U2, W2)?;
@@ -56,10 +49,10 @@ impl StepSNARK {
    comm_T.append_to_transcript(b"comm_T", transcript);
    // compute a challenge from the transcript
-    let r = transcript.challenge_scalar(b"r");
+    let r = G::Scalar::challenge(b"r", transcript);
    // fold the instance using `r` and `comm_T`
-    let U = U1.fold(U2, &comm_T, &r)?;
+    let U = U1.fold(U2, &comm_T, &r);
    // fold the witness using `r` and `T`
    let W = W1.fold(W2, &T, &r)?;
@@ -75,21 +68,21 @@ impl StepSNARK {
  /// if and only if `U1` and `U2` are satisfiable.
  pub fn verify(
    &self,
-    U1: &R1CSInstance,
+    U1: &R1CSInstance<G>,
-    U2: &R1CSInstance,
+    U2: &R1CSInstance<G>,
    transcript: &mut Transcript,
-  ) -> Result<R1CSInstance, NovaError> {
+  ) -> Result<R1CSInstance<G>, NovaError> {
    // append the protocol name to the transcript
-    transcript.append_protocol_name(StepSNARK::protocol_name());
+    transcript.append_message(b"protocol-name", StepSNARK::<G>::protocol_name());
    // append `comm_T` to the transcript and obtain a challenge
    self.comm_T.append_to_transcript(b"comm_T", transcript);
    // compute a challenge from the transcript
-    let r = transcript.challenge_scalar(b"r");
+    let r = G::Scalar::challenge(b"r", transcript);
    // fold the instance using `r` and `comm_T`
-    let U = U1.fold(U2, &self.comm_T, &r)?;
+    let U = U1.fold(U2, &self.comm_T, &r);
    // return the folded instance
    Ok(U)
@@ -97,18 +90,23 @@ impl StepSNARK {
 }
 /// A SNARK that holds the proof of the final step of an incremental computation
-pub struct FinalSNARK {
+pub struct FinalSNARK<G: Group> {
-  W: R1CSWitness,
+  W: R1CSWitness<G>,
 }
-impl FinalSNARK {
+impl<G: Group> FinalSNARK<G> {
  /// Produces a proof of a instance given its satisfying witness `W`.
-  pub fn prove(W: &R1CSWitness) -> Result<FinalSNARK, NovaError> {
+  pub fn prove(W: &R1CSWitness<G>) -> Result<FinalSNARK<G>, NovaError> {
    Ok(FinalSNARK { W: W.clone() })
  }
  /// Verifies the proof of a folded instance `U` given its shape `S` public parameters `gens`
-  pub fn verify(&self, gens: &R1CSGens, S: &R1CSShape, U: &R1CSInstance) -> Result<(), NovaError> {
+  pub fn verify(
    &self,
    gens: &R1CSGens<G>,
    S: &R1CSShape<G>,
    U: &R1CSInstance<G>,
  ) -> Result<(), NovaError> {
    // check that the witness is a valid witness to the folded instance `U`
    S.is_sat(gens, U, &self.W)
  }
@@ -116,13 +114,93 @@ impl FinalSNARK {
 #[cfg(test)]
 mod tests {
  use super::commitments::Scalar;
  use super::*;
-  use rand::rngs::OsRng;
+  use crate::traits::{CompressedGroup, Group, PrimeField};
  use core::borrow::Borrow;
  use curve25519_dalek::traits::MultiscalarMul;
  use rand::{rngs::OsRng, CryptoRng, RngCore};
  type S = curve25519_dalek::scalar::Scalar;
  type G = curve25519_dalek::ristretto::RistrettoPoint;
  type C = curve25519_dalek::ristretto::CompressedRistretto;
  impl Group for G {
    type Scalar = S;
    type CompressedGroupElement = C;
    fn vartime_multiscalar_mul<I, J>(scalars: I, points: J) -> Self
    where
      I: IntoIterator,
      I::Item: Borrow<Self::Scalar>,
      J: IntoIterator,
      J::Item: Borrow<Self>,
      Self: Clone,
    {
      Self::multiscalar_mul(scalars, points)
    }
    fn compress(&self) -> Self::CompressedGroupElement {
      self.compress()
    }
    fn from_uniform_bytes(bytes: &[u8]) -> Option<Self> {
      if bytes.len() != 64 {
        None
      } else {
        let mut arr = [0; 64];
        arr.copy_from_slice(&bytes[0..64]);
        Some(Self::from_uniform_bytes(&arr))
      }
    }
  }
  impl PrimeField for S {
    fn zero() -> Self {
      S::zero()
    }
    fn one() -> Self {
      S::one()
    }
    fn from_bytes_mod_order_wide(bytes: &[u8]) -> Option<Self> {
      if bytes.len() != 64 {
        None
      } else {
        let mut arr = [0; 64];
        arr.copy_from_slice(&bytes[0..64]);
        Some(Self::from_bytes_mod_order_wide(&arr))
      }
    }
    fn random(rng: &mut (impl RngCore + CryptoRng)) -> Self {
      S::random(rng)
    }
  }
  impl CompressedGroup for C {
    type GroupElement = G;
    fn decompress(&self) -> Option<Self::GroupElement> {
      self.decompress()
    }
    fn as_bytes(&self) -> &[u8] {
      self.as_bytes()
    }
  }
  impl ChallengeTrait for S {
    fn challenge(label: &'static [u8], transcript: &mut Transcript) -> Self {
      let mut buf = [0u8; 64];
      transcript.challenge_bytes(label, &mut buf);
      S::from_bytes_mod_order_wide(&buf)
    }
  }
  #[test]
  fn test_tiny_r1cs() {
-    let one = Scalar::one();
+    let one = S::one();
    let (num_cons, num_vars, num_inputs, A, B, C) = {
      let num_cons = 4;
      let num_vars = 4;
@@ -138,9 +216,9 @@ mod tests {
      // constraint and a column for every entry in z = (vars, u, inputs)
      // An R1CS instance is satisfiable iff:
      // Az \circ Bz = u \cdot Cz + E, where z = (vars, 1, inputs)
-      let mut A: Vec<(usize, usize, Scalar)> = Vec::new();
+      let mut A: Vec<(usize, usize, S)> = Vec::new();
-      let mut B: Vec<(usize, usize, Scalar)> = Vec::new();
+      let mut B: Vec<(usize, usize, S)> = Vec::new();
-      let mut C: Vec<(usize, usize, Scalar)> = Vec::new();
+      let mut C: Vec<(usize, usize, S)> = Vec::new();
      // constraint 0 entries in (A,B,C)
      A.push((0, 0, one));
@@ -177,11 +255,11 @@ mod tests {
    // generate generators
    let gens = R1CSGens::new(num_cons, num_vars);
-    let rand_inst_witness_generator = |gens: &R1CSGens| -> (R1CSInstance, R1CSWitness) {
+    let rand_inst_witness_generator = |gens: &R1CSGens<G>| -> (R1CSInstance<G>, R1CSWitness<G>) {
      // compute a satisfying (vars, X) tuple
      let (vars, X) = {
        let mut csprng: OsRng = OsRng;
-        let z0 = Scalar::random(&mut csprng);
+        let z0 = S::random(&mut csprng);
        let z1 = z0 * z0; // constraint 0
        let z2 = z1 * z0; // constraint 1
        let z3 = z2 + z0; // constraint 2
@@ -193,14 +271,14 @@ mod tests {
      };
      let W = {
-        let E = vec![Scalar::zero(); num_cons]; // default E
+        let E = vec![S::zero(); num_cons]; // default E
        let res = R1CSWitness::new(&S, &vars, &E);
        assert!(res.is_ok());
        res.unwrap()
      };
      let U = {
        let (comm_W, comm_E) = W.commit(&gens);
-        let u = Scalar::one(); //default u
+        let u = S::one(); //default u
        let res = R1CSInstance::new(&S, &comm_W, &comm_E, &X, &u);
        assert!(res.is_ok());
        res.unwrap()
--- a/src/r1cs.rs
+++ b/src/r1cs.rs
@@ -1,41 +1,41 @@
 #![allow(clippy::type_complexity)]
-use super::commitments::Scalar;
+use super::commitments::{CommitGens, CommitTrait, Commitment};
 use super::commitments::{CommitGens, CommitTrait, Commitment, CompressedCommitment};
 use super::errors::NovaError;
 use super::traits::{Group, PrimeField};
 use itertools::concat;
 use rayon::prelude::*;
-pub struct R1CSGens {
+pub struct R1CSGens<G: Group> {
-  gens_W: CommitGens,
+  gens_W: CommitGens<G>,
-  gens_E: CommitGens,
+  gens_E: CommitGens<G>,
 }
 #[derive(Debug)]
-pub struct R1CSShape {
+pub struct R1CSShape<G: Group> {
  num_cons: usize,
  num_vars: usize,
  num_inputs: usize,
-  A: Vec<(usize, usize, Scalar)>,
+  A: Vec<(usize, usize, G::Scalar)>,
-  B: Vec<(usize, usize, Scalar)>,
+  B: Vec<(usize, usize, G::Scalar)>,
-  C: Vec<(usize, usize, Scalar)>,
+  C: Vec<(usize, usize, G::Scalar)>,
 }
 #[derive(Clone, Debug)]
-pub struct R1CSWitness {
+pub struct R1CSWitness<G: Group> {
-  W: Vec<Scalar>,
+  W: Vec<G::Scalar>,
-  E: Vec<Scalar>,
+  E: Vec<G::Scalar>,
 }
 #[derive(Clone, Debug, PartialEq, Eq)]
-pub struct R1CSInstance {
+pub struct R1CSInstance<G: Group> {
-  comm_W: Commitment,
+  comm_W: Commitment<G>,
-  comm_E: Commitment,
+  comm_E: Commitment<G>,
-  X: Vec<Scalar>,
+  X: Vec<G::Scalar>,
-  u: Scalar,
+  u: G::Scalar,
 }
-impl R1CSGens {
+impl<G: Group> R1CSGens<G> {
-  pub fn new(num_cons: usize, num_vars: usize) -> R1CSGens {
+  pub fn new(num_cons: usize, num_vars: usize) -> R1CSGens<G> {
    // generators to commit to witness vector `W`
    let gens_W = CommitGens::new(b"gens_W", num_vars);
@@ -46,19 +46,19 @@ impl R1CSGens {
  }
 }
-impl R1CSShape {
+impl<G: Group> R1CSShape<G> {
  pub fn new(
    num_cons: usize,
    num_vars: usize,
    num_inputs: usize,
-    A: &[(usize, usize, Scalar)],
+    A: &[(usize, usize, G::Scalar)],
-    B: &[(usize, usize, Scalar)],
+    B: &[(usize, usize, G::Scalar)],
-    C: &[(usize, usize, Scalar)],
+    C: &[(usize, usize, G::Scalar)],
-  ) -> Result<R1CSShape, NovaError> {
+  ) -> Result<R1CSShape<G>, NovaError> {
    let is_valid = |num_cons: usize,
                    num_vars: usize,
                    num_io: usize,
-                    M: &[(usize, usize, Scalar)]|
+                    M: &[(usize, usize, G::Scalar)]|
     -> Result<(), NovaError> {
      let res = (0..num_cons)
        .map(|i| {
@@ -100,8 +100,8 @@ impl R1CSShape {
  fn multiply_vec(
    &self,
-    z: &[Scalar],
+    z: &[G::Scalar],
-  ) -> Result<(Vec<Scalar>, Vec<Scalar>, Vec<Scalar>), NovaError> {
+  ) -> Result<(Vec<G::Scalar>, Vec<G::Scalar>, Vec<G::Scalar>), NovaError> {
    if z.len() != self.num_inputs + self.num_vars + 1 {
      return Err(NovaError::InvalidWitnessLength);
    }
@@ -110,13 +110,13 @@ impl R1CSShape {
    // This does not perform any validation of entries in M (e.g., if entries in `M` reference indexes outside the range of `z`)
    // This is safe since we know that `M` is valid
    let sparse_matrix_vec_product =
-      |M: &Vec<(usize, usize, Scalar)>, num_rows: usize, z: &[Scalar]| -> Vec<Scalar> {
+      |M: &Vec<(usize, usize, G::Scalar)>, num_rows: usize, z: &[G::Scalar]| -> Vec<G::Scalar> {
        (0..M.len())
          .map(|i| {
            let (row, col, val) = M[i];
            (row, val * z[col])
          })
-          .fold(vec![Scalar::zero(); num_rows], |mut Mz, (r, v)| {
+          .fold(vec![G::Scalar::zero(); num_rows], |mut Mz, (r, v)| {
            Mz[r] += v;
            Mz
          })
@@ -131,9 +131,9 @@ impl R1CSShape {
  pub fn is_sat(
    &self,
-    gens: &R1CSGens,
+    gens: &R1CSGens<G>,
-    U: &R1CSInstance,
+    U: &R1CSInstance<G>,
-    W: &R1CSWitness,
+    W: &R1CSWitness<G>,
  ) -> Result<(), NovaError> {
    assert_eq!(W.W.len(), self.num_vars);
    assert_eq!(W.E.len(), self.num_cons);
@@ -177,12 +177,12 @@ impl R1CSShape {
  pub fn commit_T(
    &self,
-    gens: &R1CSGens,
+    gens: &R1CSGens<G>,
-    U1: &R1CSInstance,
+    U1: &R1CSInstance<G>,
-    W1: &R1CSWitness,
+    W1: &R1CSWitness<G>,
-    U2: &R1CSInstance,
+    U2: &R1CSInstance<G>,
-    W2: &R1CSWitness,
+    W2: &R1CSWitness<G>,
-  ) -> Result<(Vec<Scalar>, CompressedCommitment), NovaError> {
+  ) -> Result<(Vec<G::Scalar>, Commitment<G>), NovaError> {
    let (AZ_1, BZ_1, CZ_1) = {
      let Z1 = concat(vec![W1.W.clone(), vec![U1.u], U1.X.clone()]);
      self.multiply_vec(&Z1)?
@@ -195,33 +195,37 @@ impl R1CSShape {
    let AZ_1_circ_BZ_2 = (0..AZ_1.len())
      .map(|i| AZ_1[i] * BZ_2[i])
-      .collect::<Vec<Scalar>>();
+      .collect::<Vec<G::Scalar>>();
    let AZ_2_circ_BZ_1 = (0..AZ_2.len())
      .map(|i| AZ_2[i] * BZ_1[i])
-      .collect::<Vec<Scalar>>();
+      .collect::<Vec<G::Scalar>>();
    let u_1_cdot_CZ_2 = (0..CZ_2.len())
      .map(|i| U1.u * CZ_2[i])
-      .collect::<Vec<Scalar>>();
+      .collect::<Vec<G::Scalar>>();
    let u_2_cdot_CZ_1 = (0..CZ_1.len())
      .map(|i| U2.u * CZ_1[i])
-      .collect::<Vec<Scalar>>();
+      .collect::<Vec<G::Scalar>>();
    let T = AZ_1_circ_BZ_2
      .par_iter()
      .zip(&AZ_2_circ_BZ_1)
      .zip(&u_1_cdot_CZ_2)
      .zip(&u_2_cdot_CZ_1)
-      .map(|(((a, b), c), d)| a + b - c - d)
+      .map(|(((a, b), c), d)| *a + *b - *c - *d)
-      .collect::<Vec<Scalar>>();
+      .collect::<Vec<G::Scalar>>();
-    let comm_T = T.commit(&gens.gens_E).compress();
+    let comm_T = T.commit(&gens.gens_E);
    Ok((T, comm_T))
  }
 }
-impl R1CSWitness {
+impl<G: Group> R1CSWitness<G> {
-  pub fn new(S: &R1CSShape, W: &[Scalar], E: &[Scalar]) -> Result<R1CSWitness, NovaError> {
+  pub fn new(
    S: &R1CSShape<G>,
    W: &[G::Scalar],
    E: &[G::Scalar],
  ) -> Result<R1CSWitness<G>, NovaError> {
    if S.num_vars != W.len() || S.num_cons != E.len() {
      Err(NovaError::InvalidWitnessLength)
    } else {
@@ -232,11 +236,16 @@ impl R1CSWitness {
    }
  }
-  pub fn commit(&self, gens: &R1CSGens) -> (Commitment, Commitment) {
+  pub fn commit(&self, gens: &R1CSGens<G>) -> (Commitment<G>, Commitment<G>) {
    (self.W.commit(&gens.gens_W), self.E.commit(&gens.gens_E))
  }
-  pub fn fold(&self, W2: &R1CSWitness, T: &[Scalar], r: &Scalar) -> Result<R1CSWitness, NovaError> {
+  pub fn fold(
    &self,
    W2: &R1CSWitness<G>,
    T: &[G::Scalar],
    r: &G::Scalar,
  ) -> Result<R1CSWitness<G>, NovaError> {
    let (W1, E1) = (&self.W, &self.E);
    let (W2, E2) = (&W2.W, &W2.E);
@@ -247,26 +256,26 @@ impl R1CSWitness {
    let W = W1
      .par_iter()
      .zip(W2)
-      .map(|(a, b)| a + r * b)
+      .map(|(a, b)| *a + *r * *b)
-      .collect::<Vec<Scalar>>();
+      .collect::<Vec<G::Scalar>>();
    let E = E1
      .par_iter()
      .zip(T)
      .zip(E2)
-      .map(|((a, b), c)| a + r * b + r * r * c)
+      .map(|((a, b), c)| *a + *r * *b + *r * *r * *c)
-      .collect::<Vec<Scalar>>();
+      .collect::<Vec<G::Scalar>>();
    Ok(R1CSWitness { W, E })
  }
 }
-impl R1CSInstance {
+impl<G: Group> R1CSInstance<G> {
  pub fn new(
-    S: &R1CSShape,
+    S: &R1CSShape<G>,
-    comm_W: &Commitment,
+    comm_W: &Commitment<G>,
-    comm_E: &Commitment,
+    comm_E: &Commitment<G>,
-    X: &[Scalar],
+    X: &[G::Scalar],
-    u: &Scalar,
+    u: &G::Scalar,
-  ) -> Result<R1CSInstance, NovaError> {
+  ) -> Result<R1CSInstance<G>, NovaError> {
    if S.num_inputs != X.len() {
      Err(NovaError::InvalidInputLength)
    } else {
@@ -281,11 +290,10 @@ impl R1CSInstance {
  pub fn fold(
    &self,
-    U2: &R1CSInstance,
+    U2: &R1CSInstance<G>,
-    comm_T: &CompressedCommitment,
+    comm_T: &Commitment<G>,
-    r: &Scalar,
+    r: &G::Scalar,
-  ) -> Result<R1CSInstance, NovaError> {
+  ) -> R1CSInstance<G> {
    let comm_T_unwrapped = comm_T.decompress()?;
    let (X1, u1, comm_W_1, comm_E_1) =
      (&self.X, &self.u, &self.comm_W.clone(), &self.comm_E.clone());
    let (X2, u2, comm_W_2, comm_E_2) = (&U2.X, &U2.u, &U2.comm_W, &U2.comm_E);
@@ -294,17 +302,17 @@ impl R1CSInstance {
    let X = X1
      .par_iter()
      .zip(X2)
-      .map(|(a, b)| a + r * b)
+      .map(|(a, b)| *a + *r * *b)
-      .collect::<Vec<Scalar>>();
+      .collect::<Vec<G::Scalar>>();
-    let comm_W = comm_W_1 + r * comm_W_2;
+    let comm_W = comm_W_1 + *comm_W_2 * *r;
-    let comm_E = comm_E_1 + r * comm_T_unwrapped + r * r * comm_E_2;
+    let comm_E = *comm_E_1 + *comm_T * *r + *comm_E_2 * *r * *r;
-    let u = u1 + r * u2;
+    let u = *u1 + *r * *u2;
-    Ok(R1CSInstance {
+    R1CSInstance {
      comm_W,
      comm_E,
      X,
      u,
-    })
+    }
  }
 }
--- a/src/traits.rs
+++ b/src/traits.rs
@@ -0,0 +1,88 @@
 use core::borrow::Borrow;
 use core::fmt::Debug;
 use core::ops::{Add, AddAssign, Mul, MulAssign, Neg, Sub, SubAssign};
 use merlin::Transcript;
 use rand::{CryptoRng, RngCore};
 /// Represents an element of a prime field
 pub trait PrimeField:
  Sized
  + Eq
  + Copy
  + Clone
  + Default
  + Send
  + Sync
  + Debug
  + Add<Output = Self>
  + Sub<Output = Self>
  + Mul<Output = Self>
  + Neg<Output = Self>
  + for<'a> Add<&'a Self, Output = Self>
  + for<'a> Mul<&'a Self, Output = Self>
  + for<'a> Sub<&'a Self, Output = Self>
  + AddAssign
  + MulAssign
  + SubAssign
  + for<'a> AddAssign<&'a Self>
  + for<'a> MulAssign<&'a Self>
  + for<'a> SubAssign<&'a Self>
 {
  /// returns the additive identity of the field
  fn zero() -> Self;
  /// returns the multiplicative identity of the field
  fn one() -> Self;
  /// converts the supplied bytes into an element of the field
  fn from_bytes_mod_order_wide(bytes: &[u8]) -> Option<Self>;
  /// returns an uniformly random element from the finite field
  fn random(rng: &mut (impl RngCore + CryptoRng)) -> Self;
 }
 /// Represents an element of a group
 pub trait Group:
  Clone
  + Copy
  + Debug
  + Eq
  + Sized
  + Mul<<Self as Group>::Scalar, Output = Self>
  + MulAssign<<Self as Group>::Scalar>
  + for<'a> MulAssign<&'a <Self as Group>::Scalar>
  + for<'a> Mul<&'a <Self as Group>::Scalar, Output = Self>
  + Add<Self, Output = Self>
  + AddAssign<Self>
  + for<'a> AddAssign<&'a Self>
  + for<'a> Add<&'a Self, Output = Self>
 {
  type Scalar: PrimeField + ChallengeTrait;
  type CompressedGroupElement: CompressedGroup;
  fn vartime_multiscalar_mul<I, J>(scalars: I, points: J) -> Self
  where
    I: IntoIterator,
    I::Item: Borrow<Self::Scalar>,
    J: IntoIterator,
    J::Item: Borrow<Self>,
    Self: Clone;
  fn compress(&self) -> Self::CompressedGroupElement;
  fn from_uniform_bytes(bytes: &[u8]) -> Option<Self>;
 }
 /// Represents a compressed version of a group element
 pub trait CompressedGroup: Clone + Copy + Debug + Eq + Sized + Send + Sync + 'static {
  type GroupElement: Group;
  fn decompress(&self) -> Option<Self::GroupElement>;
  fn as_bytes(&self) -> &[u8];
 }
 /// A helper trait to generate challenges using a transcript object
 pub trait ChallengeTrait {
  fn challenge(label: &'static [u8], transcript: &mut Transcript) -> Self;
 }