Implemented Mova folding scheme (#161)
* Adding Mova
Co-Authored-By: Togzhan Barakbayeva <45527668+btogzhan2000@users.noreply.github.com>
Co-Authored-By: Ilia Vlasov <5365540+elijahvlasov@users.noreply.github.com>
Co-Authored-By: matthew-a-klein <96837318+matthew-a-klein@users.noreply.github.com>
* Fix CLI
* Updated from main
* Solution to stop the CLI from complaining about deadcode
PR comment
Co-authored-by: arnaucube <root@arnaucube.com>
* Requested changes and update from main
* Refactor NIFSTrait & port Mova impl to it
* refactor NIFSTrait interface to fit Nova variants (Nova,Mova,Ova)
Refactor NIFSTrait interface to fit Nova variants (Nova,Mova,Ova). The relevant
change is instead of passing the challenge as input, now it passes the
transcript and computes the challenges internally (Nova & Ova still compute a
single challenge, but Mova computes multiple while absorbing at different
steps).
* port Mova impl to the NIFSTrait
* remove unnecessary wrappers in the nova/zk.rs
* remove Nova NIFS methods that are no longer needed after the refactor
* put together the different NIFS implementations (Nova, Mova, Ova) so
that they can interchanged at usage.
The idea is that Nova and its variants (Ova & Mova) share most of the
logic for the circuits & IVC & Deciders, so with the abstracted NIFS
interface we will be able to reuse most of the already existing Nova
code for having the Mova & Ova circuits, IVC, and Decider.
* adapt Nova's DeciderEth prepare_calldata & update examples to it
* small update to fix solidity tests
---------
Co-authored-by: Togzhan Barakbayeva <45527668+btogzhan2000@users.noreply.github.com>
Co-authored-by: Ilia Vlasov <5365540+elijahvlasov@users.noreply.github.com>
Co-authored-by: matthew-a-klein <96837318+matthew-a-klein@users.noreply.github.com>
Co-authored-by: arnaucube <root@arnaucube.com>
Co-authored-by: arnaucube <git@arnaucube.com> 2 months ago Add IVCProof to the existing folding schemes (Nova,HyperNova,ProtoGalaxy) (#167)
* Add IVCProof to the existing folding schemes (Nova,HyperNova,ProtoGalaxy)
* Implement `from_ivc_proof` for the FoldingSchemes trait (and Nova,
HyperNova, ProtoGalaxy), so that the FoldingScheme IVC's instance can be
constructed from the given parameters and the last IVCProof, which
allows to sent the IVCProof between different parties, so that they can
continue iterating the IVC from the received IVCProof. Also the
serializers allow for the IVCProof to be sent to a verifier that can
deserialize it and verify it.
This allows to remove the logic from the file
[folding/nova/serialize.rs](https://github.com/privacy-scaling-explorations/sonobe/blob/f1d82418ba047cf90805f2d0505370246df24d68/folding-schemes/src/folding/nova/serialize.rs)
and
[folding/hypernova/serialize.rs](https://github.com/privacy-scaling-explorations/sonobe/blob/f1d82418ba047cf90805f2d0505370246df24d68/folding-schemes/src/folding/hypernova/serialize.rs)
(removing the whole files), which is now covered by the `IVCProof`
generated serializers (generated by macro instead of handwritten), and
the test that the file contained is now abstracted and applied to all
the 3 existing folding schemes (Nova, HyperNova, ProtoGalaxy) at the
folding/mod.rs file.
* update Nova VerifierParams serializers to avoid serializing the R1CS to save big part of the old serialized size
* rm .instances() since it's not needed
* add nova params serialization to nova's ivc test to ensure that IVC verification works with deserialized data
* Add unified FS::ProverParam & VerifierParam serialization & deserialization (for all Nova, HyperNova and ProtoGalaxy), without serializing the R1CS/CCS and thus saving substantial serialized bytes space.
* rm CanonicalDeserialize warnings msgs for VerifierParams 2 months ago Add IVCProof to the existing folding schemes (Nova,HyperNova,ProtoGalaxy) (#167)
* Add IVCProof to the existing folding schemes (Nova,HyperNova,ProtoGalaxy)
* Implement `from_ivc_proof` for the FoldingSchemes trait (and Nova,
HyperNova, ProtoGalaxy), so that the FoldingScheme IVC's instance can be
constructed from the given parameters and the last IVCProof, which
allows to sent the IVCProof between different parties, so that they can
continue iterating the IVC from the received IVCProof. Also the
serializers allow for the IVCProof to be sent to a verifier that can
deserialize it and verify it.
This allows to remove the logic from the file
[folding/nova/serialize.rs](https://github.com/privacy-scaling-explorations/sonobe/blob/f1d82418ba047cf90805f2d0505370246df24d68/folding-schemes/src/folding/nova/serialize.rs)
and
[folding/hypernova/serialize.rs](https://github.com/privacy-scaling-explorations/sonobe/blob/f1d82418ba047cf90805f2d0505370246df24d68/folding-schemes/src/folding/hypernova/serialize.rs)
(removing the whole files), which is now covered by the `IVCProof`
generated serializers (generated by macro instead of handwritten), and
the test that the file contained is now abstracted and applied to all
the 3 existing folding schemes (Nova, HyperNova, ProtoGalaxy) at the
folding/mod.rs file.
* update Nova VerifierParams serializers to avoid serializing the R1CS to save big part of the old serialized size
* rm .instances() since it's not needed
* add nova params serialization to nova's ivc test to ensure that IVC verification works with deserialized data
* Add unified FS::ProverParam & VerifierParam serialization & deserialization (for all Nova, HyperNova and ProtoGalaxy), without serializing the R1CS/CCS and thus saving substantial serialized bytes space.
* rm CanonicalDeserialize warnings msgs for VerifierParams 2 months ago Implemented Mova folding scheme (#161)
* Adding Mova
Co-Authored-By: Togzhan Barakbayeva <45527668+btogzhan2000@users.noreply.github.com>
Co-Authored-By: Ilia Vlasov <5365540+elijahvlasov@users.noreply.github.com>
Co-Authored-By: matthew-a-klein <96837318+matthew-a-klein@users.noreply.github.com>
* Fix CLI
* Updated from main
* Solution to stop the CLI from complaining about deadcode
PR comment
Co-authored-by: arnaucube <root@arnaucube.com>
* Requested changes and update from main
* Refactor NIFSTrait & port Mova impl to it
* refactor NIFSTrait interface to fit Nova variants (Nova,Mova,Ova)
Refactor NIFSTrait interface to fit Nova variants (Nova,Mova,Ova). The relevant
change is instead of passing the challenge as input, now it passes the
transcript and computes the challenges internally (Nova & Ova still compute a
single challenge, but Mova computes multiple while absorbing at different
steps).
* port Mova impl to the NIFSTrait
* remove unnecessary wrappers in the nova/zk.rs
* remove Nova NIFS methods that are no longer needed after the refactor
* put together the different NIFS implementations (Nova, Mova, Ova) so
that they can interchanged at usage.
The idea is that Nova and its variants (Ova & Mova) share most of the
logic for the circuits & IVC & Deciders, so with the abstracted NIFS
interface we will be able to reuse most of the already existing Nova
code for having the Mova & Ova circuits, IVC, and Decider.
* adapt Nova's DeciderEth prepare_calldata & update examples to it
* small update to fix solidity tests
---------
Co-authored-by: Togzhan Barakbayeva <45527668+btogzhan2000@users.noreply.github.com>
Co-authored-by: Ilia Vlasov <5365540+elijahvlasov@users.noreply.github.com>
Co-authored-by: matthew-a-klein <96837318+matthew-a-klein@users.noreply.github.com>
Co-authored-by: arnaucube <root@arnaucube.com>
Co-authored-by: arnaucube <git@arnaucube.com> 2 months ago |
|
#![allow(non_snake_case)]
#![allow(non_camel_case_types)]
#![allow(clippy::upper_case_acronyms)]
///
/// This example performs the full flow:
/// - define the circuit to be folded
/// - fold the circuit with Nova+CycleFold's IVC
/// - generate a DeciderEthCircuit final proof
/// - generate the Solidity contract that verifies the proof
/// - verify the proof in the EVM
///
use ark_bn254::{constraints::GVar, Bn254, Fr, G1Projective as G1};
use noname::backends::r1cs::R1csBn254Field;
use ark_groth16::Groth16;
use ark_grumpkin::{constraints::GVar as GVar2, Projective as G2};
use folding_schemes::{
commitment::{kzg::KZG, pedersen::Pedersen},
folding::nova::{
decider_eth::{prepare_calldata, Decider as DeciderEth},
Nova, PreprocessorParam,
},
frontend::FCircuit,
transcript::poseidon::poseidon_canonical_config,
Decider, FoldingScheme,
};
use frontends::noname::NonameFCircuit;
use std::time::Instant;
use solidity_verifiers::{
evm::{compile_solidity, Evm},
utils::get_function_selector_for_nova_cyclefold_verifier,
verifiers::nova_cyclefold::get_decider_template_for_cyclefold_decider,
NovaCycleFoldVerifierKey,
};
fn main() {
const NONAME_CIRCUIT_EXTERNAL_INPUTS: &str =
"fn main(pub ivc_inputs: [Field; 2], external_inputs: [Field; 2]) -> [Field; 2] {
let xx = external_inputs[0] + ivc_inputs[0];
let yy = external_inputs[1] * ivc_inputs[1];
assert_eq(yy, xx);
return [xx, yy];
}";
// set the initial state
let z_0 = vec![Fr::from(2), Fr::from(5)];
// set the external inputs to be used at each step of the IVC, it has length of 10 since this
// is the number of steps that we will do
let external_inputs = vec![
vec![Fr::from(8u32), Fr::from(2u32)],
vec![Fr::from(40), Fr::from(5)],
];
// initialize the noname circuit
let f_circuit_params = (NONAME_CIRCUIT_EXTERNAL_INPUTS.to_owned(), 2, 2);
let f_circuit = NonameFCircuit::<Fr, R1csBn254Field>::new(f_circuit_params).unwrap();
pub type N = Nova<
G1,
GVar,
G2,
GVar2,
NonameFCircuit<Fr, R1csBn254Field>,
KZG<'static, Bn254>,
Pedersen<G2>,
>;
pub type D = DeciderEth<
G1,
GVar,
G2,
GVar2,
NonameFCircuit<Fr, R1csBn254Field>,
KZG<'static, Bn254>,
Pedersen<G2>,
Groth16<Bn254>,
N,
>;
let poseidon_config = poseidon_canonical_config::<Fr>();
let mut rng = rand::rngs::OsRng;
// prepare the Nova prover & verifier params
let nova_preprocess_params = PreprocessorParam::new(poseidon_config, f_circuit.clone());
let nova_params = N::preprocess(&mut rng, &nova_preprocess_params).unwrap();
let pp_hash = nova_params.1.pp_hash().unwrap();
// initialize the folding scheme engine, in our case we use Nova
let mut nova = N::init(&nova_params, f_circuit.clone(), z_0).unwrap();
// prepare the Decider prover & verifier params
let (decider_pp, decider_vp) =
D::preprocess(&mut rng, nova_params.clone(), nova.clone()).unwrap();
// run n steps of the folding iteration
for (i, external_inputs_at_step) in external_inputs.iter().enumerate() {
let start = Instant::now();
nova.prove_step(rng, external_inputs_at_step.clone(), None)
.unwrap();
println!("Nova::prove_step {}: {:?}", i, start.elapsed());
}
// verify the last IVC proof
let ivc_proof = nova.ivc_proof();
N::verify(
nova_params.1, // Nova's verifier params
ivc_proof,
)
.unwrap();
let start = Instant::now();
let proof = D::prove(rng, decider_pp, nova.clone()).unwrap();
println!("generated Decider proof: {:?}", start.elapsed());
let verified = D::verify(
decider_vp.clone(),
nova.i,
nova.z_0.clone(),
nova.z_i.clone(),
&nova.U_i,
&nova.u_i,
&proof,
)
.unwrap();
assert!(verified);
println!("Decider proof verification: {}", verified);
// Now, let's generate the Solidity code that verifies this Decider final proof
let function_selector =
get_function_selector_for_nova_cyclefold_verifier(nova.z_0.len() * 2 + 1);
let calldata: Vec<u8> = prepare_calldata(
function_selector,
pp_hash,
nova.i,
nova.z_0,
nova.z_i,
&nova.U_i,
&nova.u_i,
proof,
)
.unwrap();
// prepare the setup params for the solidity verifier
let nova_cyclefold_vk = NovaCycleFoldVerifierKey::from((decider_vp, f_circuit.state_len()));
// generate the solidity code
let decider_solidity_code = get_decider_template_for_cyclefold_decider(nova_cyclefold_vk);
// verify the proof against the solidity code in the EVM
let nova_cyclefold_verifier_bytecode = compile_solidity(&decider_solidity_code, "NovaDecider");
let mut evm = Evm::default();
let verifier_address = evm.create(nova_cyclefold_verifier_bytecode);
let (_, output) = evm.call(verifier_address, calldata.clone());
assert_eq!(*output.last().unwrap(), 1);
// save smart contract and the calldata
println!("storing nova-verifier.sol and the calldata into files");
use std::fs;
fs::write(
"./examples/nova-verifier.sol",
decider_solidity_code.clone(),
)
.unwrap();
fs::write("./examples/solidity-calldata.calldata", calldata.clone()).unwrap();
let s = solidity_verifiers::utils::get_formatted_calldata(calldata.clone());
fs::write("./examples/solidity-calldata.inputs", s.join(",\n")).expect("");
}
|