* ECC scalar multiplication (first draft)
* fix clippy nits
* start implementing the ro gadget: 1st design Poseidon + truncate
* truncate to 128 bits
* implement add + double in constraints
* finish implementing constraints for ecc
* cargo fmt
* input of smul should be an array of bits
* cleanup ro a bit. Make the challenge returned be a vec of allocated bits
* switch to neptune 6.0
* start implementing high level circuit
* incomplete version of the verifier circuit with many TODOS
* optimize ecc ops. add i ==0 case to the circuit
* fix 0/1 constants at the circuit
* wrap CompressedGroupElement of Pallas and Vesta
* cargo fmt
* generate poseidon constants once instead of every time we call get_challenge
* Implement RO-based poseidon to use outside of circuit. Reorganize the repo
* add inner circuit to verification circuit
* start adding folding of the io. there is an error in the first call to mult_mod
* add test to check that bellperson-nonnative is compatible with nova
* remove swap file
* add another test that fails
* add inputs to the circuits in tests
* rename q to m in circuit.rs. add more tests in test_bellperson_non_native. change a in test_mult_mod to expose error
* push test for equal_with_carried. fix the issue is src/r1cs.rs
* cargo fmt + update the verifier circuit: add folding of X and update all hashes with X
* make limb_width and n_limbs parameters
* make params part of h1
* allocate the field order as constant. add check that z0 == zi when i == 0
* fix error in test_poseidon_ro
* remove merge error
* small fixes
* small fixes to comments
* clippy lints
* small edits; rename tests
* move inputize before from_num
* _limbs --> _bn
* _limbs --> _bn
Co-authored-by: Ioanna <iontzialla@gmail.com>
* Separate types for Relaxed R1CS and R1CS instances and witnesses
* Allows creating default values for Relaxed R1CS types
* StepSNARK now folds a regular R1CS instance-witness into a running Relaxed R1CS instance-witness
* We additionally enforce input chaining checks: the incoming instance must have input that matches the output of the incremental computation thus far