arnaucube
/
sonobe
mirror of https://github.com/arnaucube/sonobe.git
1
1
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
48 Commits
1 Branch
0 Tags
11 MiB
Tree: 8b233031a6
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '8b233031a6'
${ noResults }
sonobe/solidity-verifiers/templates/kzg10_verifier.askama.sol

271 lines
9.9 KiB
Raw Normal View History

Add solidity groth16, kzg10 and final decider verifiers in a dedicated workspace (#70) * change: Refactor structure into workspace * chore: Add empty readme * change: Transform repo into workspace * add: Create folding-verifier-solidity crate * add: Include askama.toml for `sol` extension escaper * add: Jordi's old Groth16 verifier .sol template and adapt it * tmp: create simple template struct to test * Update FoldingSchemes trait, fit Nova+CycleFold - update lib.rs's `FoldingScheme` trait interface - fit Nova+CycleFold into the `FoldingScheme` trait - refactor `src/nova/*` * chore: add serialization assets for testing Now we include an `assets` folder with a serialized proof & vk for tests * Add `examples` dir, with Nova's `FoldingScheme` example * polishing * expose poseidon_test_config outside tests * change: Refactor structure into workspace * chore: Add empty readme * change: Transform repo into workspace * add: Create folding-verifier-solidity crate * add: Include askama.toml for `sol` extension escaper * add: Jordi's old Groth16 verifier .sol template and adapt it * tmp: create simple template struct to test * feat: templating kzg working * chore: add emv and revm * feat: start evm file * chore: add ark-poly-commit * chore: move `commitment` to `folding-schemes` * chore: update `.gitignore` to ignore generated contracts * chore: update template with bn254 lib on it (avoids import), update for loop to account for whitespaces * refactor: update template with no lib * feat: add evm deploy code, compile and create kzg verifier * chore: update `Cargo.toml` to have `folding-schemes` available with verifiers * feat: start kzg prove and verify with sol * chore: compute crs from kzg prover * feat: evm kzg verification passing * tmp * change: Swap order of G2 coordinates within the template * Update way to serialize proof with correct order * chore: update `Cargo.toml` * chore: add revm * chore: add `save_solidity` * refactor: verifiers in dedicated mod * refactor: have dedicated `utils` module * chore: expose modules * chore: update verifier for kzg * chore: rename templates * fix: look for binary using also name of contract * refactor: generate groth16 proof for sha256 pre-image, generate groth16 template with verifying key * chore: template renaming * fix: switch circuit for circuit that simply adds * feat: generates test data on the fly * feat: update to latest groth16 verifier * refactor: rename folder, update `.gitignore` * chore: update `Cargo.toml` * chore: update templates extension to indicate that they are templates * chore: rename templates, both files and structs * fix: template inheritance working * feat: template spdx and pragma statements * feat: decider verifier compiles, update test for kzg10 and groth16 templates * feat: parameterize which size of the crs should be stored on the contract * chore: add comment on how the groth16 and kzg10 proofs will be linked together * chore: cargo clippy run * chore: cargo clippy tests * chore: cargo fmt * refactor: remove unused lifetime parameter * chore: end merge * chore: move examples to `folding-schemes` workspace * get latest main changes * fix: temp fix clippy warnings, will remove lints once not used in tests only * fix: cargo clippy lint added on `code_size` * fix: update path to test circuit and add step for installing solc * chore: remove `save_solidity` steps * fix: the borrowed expression implements the required traits * chore: update `Cargo.toml` * chore: remove extra `[patch.crates-io]` * fix: update to patch at the workspace level and add comment explaining this * refactor: correct `staticcall` with valid input/output sizes and change return syntax for pairing * refactor: expose modules and remove `dead_code` calls * chore: update `README.md`, add additional comments on `kzg10` template and update `groth16` template comments * chore: be clearer on attributions on `kzg10` --------- Co-authored-by: CPerezz <c.perezbaro@gmail.com> Co-authored-by: arnaucube <root@arnaucube.com>
7 months ago
add README.md (#39) * Initialize the README.md with a sketch of the structure * add warning and draft diagram * add authors & years to schemes, add a pre-sketch of the 'development' section * Readme: add link to Carlos talk on folding schemes * readme: sketch sections: offchain & onchain decider, add todo for references * readme: add example of FCircuit & folding * Readme: add lib pipeline diagram, add decider code example * add cyclefold-nova-diagram.png, decider-onchain-flow-diagram.png * polish cli descriptions * small update in the Warning box * add sonobe naming * add folding-main-idea-diagram.png * missing sonobe renaming * migrate part of the README.md to sonobe-docs * rm imgs/, load them from sonobe-docs * tiny update * chore: start update README * add acknolwedgments links and text, small polishing of the overall text * extend folding introduction & sonobe overview * img text alignment * chore: update readme * chore: typos, bits of reformulation, centering images * chore: remove btc example since can not be used as is * rm .vscode dir * readme: merge the duplicated sections into a single one adapting the texts * add Docs badge with link, update acknowledgments * add ci & license badges * fix cli link, add solc mention in solidity-verifiers/readme * small polishing * fix img alignment * rm badges, the reasoning is: - The License badge is not needed since there are already many links to the license both in the readme and in the GitHub UI - The CI checks badge, already appears in the GitHub UI in the last commit preview at the main repo page. Furthermore, after some months of inactivity, the badge would be 'gray' as 'inactive'. - The only badge that I was trying to get there is the 'docs' badge, to make it very clear that the docs page exists, but it was a bit to hard visually to have a single badge there, and furthermore the docs link already appears in the readme twice, and also in the GitHub UI right-panel. --------- Co-authored-by: dmpierre <pdaixmoreux@gmail.com>
5 months ago
Add solidity groth16, kzg10 and final decider verifiers in a dedicated workspace (#70) * change: Refactor structure into workspace * chore: Add empty readme * change: Transform repo into workspace * add: Create folding-verifier-solidity crate * add: Include askama.toml for `sol` extension escaper * add: Jordi's old Groth16 verifier .sol template and adapt it * tmp: create simple template struct to test * Update FoldingSchemes trait, fit Nova+CycleFold - update lib.rs's `FoldingScheme` trait interface - fit Nova+CycleFold into the `FoldingScheme` trait - refactor `src/nova/*` * chore: add serialization assets for testing Now we include an `assets` folder with a serialized proof & vk for tests * Add `examples` dir, with Nova's `FoldingScheme` example * polishing * expose poseidon_test_config outside tests * change: Refactor structure into workspace * chore: Add empty readme * change: Transform repo into workspace * add: Create folding-verifier-solidity crate * add: Include askama.toml for `sol` extension escaper * add: Jordi's old Groth16 verifier .sol template and adapt it * tmp: create simple template struct to test * feat: templating kzg working * chore: add emv and revm * feat: start evm file * chore: add ark-poly-commit * chore: move `commitment` to `folding-schemes` * chore: update `.gitignore` to ignore generated contracts * chore: update template with bn254 lib on it (avoids import), update for loop to account for whitespaces * refactor: update template with no lib * feat: add evm deploy code, compile and create kzg verifier * chore: update `Cargo.toml` to have `folding-schemes` available with verifiers * feat: start kzg prove and verify with sol * chore: compute crs from kzg prover * feat: evm kzg verification passing * tmp * change: Swap order of G2 coordinates within the template * Update way to serialize proof with correct order * chore: update `Cargo.toml` * chore: add revm * chore: add `save_solidity` * refactor: verifiers in dedicated mod * refactor: have dedicated `utils` module * chore: expose modules * chore: update verifier for kzg * chore: rename templates * fix: look for binary using also name of contract * refactor: generate groth16 proof for sha256 pre-image, generate groth16 template with verifying key * chore: template renaming * fix: switch circuit for circuit that simply adds * feat: generates test data on the fly * feat: update to latest groth16 verifier * refactor: rename folder, update `.gitignore` * chore: update `Cargo.toml` * chore: update templates extension to indicate that they are templates * chore: rename templates, both files and structs * fix: template inheritance working * feat: template spdx and pragma statements * feat: decider verifier compiles, update test for kzg10 and groth16 templates * feat: parameterize which size of the crs should be stored on the contract * chore: add comment on how the groth16 and kzg10 proofs will be linked together * chore: cargo clippy run * chore: cargo clippy tests * chore: cargo fmt * refactor: remove unused lifetime parameter * chore: end merge * chore: move examples to `folding-schemes` workspace * get latest main changes * fix: temp fix clippy warnings, will remove lints once not used in tests only * fix: cargo clippy lint added on `code_size` * fix: update path to test circuit and add step for installing solc * chore: remove `save_solidity` steps * fix: the borrowed expression implements the required traits * chore: update `Cargo.toml` * chore: remove extra `[patch.crates-io]` * fix: update to patch at the workspace level and add comment explaining this * refactor: correct `staticcall` with valid input/output sizes and change return syntax for pairing * refactor: expose modules and remove `dead_code` calls * chore: update `README.md`, add additional comments on `kzg10` template and update `groth16` template comments * chore: be clearer on attributions on `kzg10` --------- Co-authored-by: CPerezz <c.perezbaro@gmail.com> Co-authored-by: arnaucube <root@arnaucube.com>
7 months ago
Add typos tool to CI to automate typo detection (#76) * Add typos to CI * Apply typos suggestions * missing typos
6 months ago
Add solidity groth16, kzg10 and final decider verifiers in a dedicated workspace (#70) * change: Refactor structure into workspace * chore: Add empty readme * change: Transform repo into workspace * add: Create folding-verifier-solidity crate * add: Include askama.toml for `sol` extension escaper * add: Jordi's old Groth16 verifier .sol template and adapt it * tmp: create simple template struct to test * Update FoldingSchemes trait, fit Nova+CycleFold - update lib.rs's `FoldingScheme` trait interface - fit Nova+CycleFold into the `FoldingScheme` trait - refactor `src/nova/*` * chore: add serialization assets for testing Now we include an `assets` folder with a serialized proof & vk for tests * Add `examples` dir, with Nova's `FoldingScheme` example * polishing * expose poseidon_test_config outside tests * change: Refactor structure into workspace * chore: Add empty readme * change: Transform repo into workspace * add: Create folding-verifier-solidity crate * add: Include askama.toml for `sol` extension escaper * add: Jordi's old Groth16 verifier .sol template and adapt it * tmp: create simple template struct to test * feat: templating kzg working * chore: add emv and revm * feat: start evm file * chore: add ark-poly-commit * chore: move `commitment` to `folding-schemes` * chore: update `.gitignore` to ignore generated contracts * chore: update template with bn254 lib on it (avoids import), update for loop to account for whitespaces * refactor: update template with no lib * feat: add evm deploy code, compile and create kzg verifier * chore: update `Cargo.toml` to have `folding-schemes` available with verifiers * feat: start kzg prove and verify with sol * chore: compute crs from kzg prover * feat: evm kzg verification passing * tmp * change: Swap order of G2 coordinates within the template * Update way to serialize proof with correct order * chore: update `Cargo.toml` * chore: add revm * chore: add `save_solidity` * refactor: verifiers in dedicated mod * refactor: have dedicated `utils` module * chore: expose modules * chore: update verifier for kzg * chore: rename templates * fix: look for binary using also name of contract * refactor: generate groth16 proof for sha256 pre-image, generate groth16 template with verifying key * chore: template renaming * fix: switch circuit for circuit that simply adds * feat: generates test data on the fly * feat: update to latest groth16 verifier * refactor: rename folder, update `.gitignore` * chore: update `Cargo.toml` * chore: update templates extension to indicate that they are templates * chore: rename templates, both files and structs * fix: template inheritance working * feat: template spdx and pragma statements * feat: decider verifier compiles, update test for kzg10 and groth16 templates * feat: parameterize which size of the crs should be stored on the contract * chore: add comment on how the groth16 and kzg10 proofs will be linked together * chore: cargo clippy run * chore: cargo clippy tests * chore: cargo fmt * refactor: remove unused lifetime parameter * chore: end merge * chore: move examples to `folding-schemes` workspace * get latest main changes * fix: temp fix clippy warnings, will remove lints once not used in tests only * fix: cargo clippy lint added on `code_size` * fix: update path to test circuit and add step for installing solc * chore: remove `save_solidity` steps * fix: the borrowed expression implements the required traits * chore: update `Cargo.toml` * chore: remove extra `[patch.crates-io]` * fix: update to patch at the workspace level and add comment explaining this * refactor: correct `staticcall` with valid input/output sizes and change return syntax for pairing * refactor: expose modules and remove `dead_code` calls * chore: update `README.md`, add additional comments on `kzg10` template and update `groth16` template comments * chore: be clearer on attributions on `kzg10` --------- Co-authored-by: CPerezz <c.perezbaro@gmail.com> Co-authored-by: arnaucube <root@arnaucube.com>
7 months ago
  1. /**
  2. * @author Privacy and Scaling Explorations team - pse.dev
  3. * @dev Contains utility functions for ops in BN254; in G_1 mostly.
  4. * @notice Forked from https://github.com/weijiekoh/libkzg.
  5. * Among others, a few of the changes we did on this fork were:
  6. * - Templating the pragma version
  7. * - Removing type wrappers and use uints instead
  8. * - Performing changes on arg types
  9. * - Update some of the `require` statements
  10. * - Use the bn254 scalar field instead of checking for overflow on the babyjub prime
  11. * - In batch checking, we compute auxiliary polynomials and their commitments at the same time.
  12. */
  13. contract KZG10Verifier {
  15. // prime of field F_p over which y^2 = x^3 + 3 is defined
  16. uint256 public constant BN254_PRIME_FIELD =
  17. 21888242871839275222246405745257275088696311157297823662689037894645226208583;
  18. uint256 public constant BN254_SCALAR_FIELD =
  19. 21888242871839275222246405745257275088548364400416034343698204186575808495617;
  21. /**
  22. * @notice Performs scalar multiplication in G_1.
  23. * @param p G_1 point to multiply
  24. * @param s Scalar to multiply by
  25. * @return r G_1 point p multiplied by scalar s
  26. */
  27. function mulScalar(uint256[2] memory p, uint256 s) internal view returns (uint256[2] memory r) {
  28. uint256[3] memory input;
  29. input[0] = p[0];
  30. input[1] = p[1];
  31. input[2] = s;
  32. bool success;
  33. assembly {
  34. success := staticcall(sub(gas(), 2000), 7, input, 0x60, r, 0x40)
  35. switch success
  36. case 0 { invalid() }
  37. }
  38. require(success, "bn254: scalar mul failed");
  39. }
  41. /**
  42. * @notice Negates a point in G_1.
  43. * @param p G_1 point to negate
  44. * @return uint256[2] G_1 point -p
  45. */
  46. function negate(uint256[2] memory p) internal pure returns (uint256[2] memory) {
  47. if (p[0] == 0 && p[1] == 0) {
  48. return p;
  49. }
  50. return [p[0], BN254_PRIME_FIELD - (p[1] % BN254_PRIME_FIELD)];
  51. }
  53. /**
  54. * @notice Adds two points in G_1.
  55. * @param p1 G_1 point 1
  56. * @param p2 G_1 point 2
  57. * @return r G_1 point p1 + p2
  58. */
  59. function add(uint256[2] memory p1, uint256[2] memory p2) internal view returns (uint256[2] memory r) {
  60. bool success;
  61. uint256[4] memory input = [p1[0], p1[1], p2[0], p2[1]];
  62. assembly {
  63. success := staticcall(sub(gas(), 2000), 6, input, 0x80, r, 0x40)
  64. switch success
  65. case 0 { invalid() }
  66. }
  68. require(success, "bn254: point add failed");
  69. }
  71. /**
  72. * @notice Computes the pairing check e(p1, p2) * e(p3, p4) == 1
  73. * @dev Note that G_2 points a*i + b are encoded as two elements of F_p, (a, b)
  74. * @param a_1 G_1 point 1
  75. * @param a_2 G_2 point 1
  76. * @param b_1 G_1 point 2
  77. * @param b_2 G_2 point 2
  78. * @return result true if pairing check is successful
  79. */
  80. function pairing(uint256[2] memory a_1, uint256[2][2] memory a_2, uint256[2] memory b_1, uint256[2][2] memory b_2)
  81. internal
  82. view
  83. returns (bool result)
  84. {
  85. uint256[12] memory input = [
  86. a_1[0],
  87. a_1[1],
  88. a_2[0][1], // imaginary part first
  89. a_2[0][0],
  90. a_2[1][1], // imaginary part first
  91. a_2[1][0],
  92. b_1[0],
  93. b_1[1],
  94. b_2[0][1], // imaginary part first
  95. b_2[0][0],
  96. b_2[1][1], // imaginary part first
  97. b_2[1][0]
  98. ];
  100. uint256[1] memory out;
  101. bool success;
  103. assembly {
  104. success := staticcall(sub(gas(), 2000), 8, input, 0x180, out, 0x20)
  105. switch success
  106. case 0 { invalid() }
  107. }
  109. require(success, "bn254: pairing failed");
  111. return out[0] == 1;
  112. }
  114. uint256[2] G_1 = [
  115. {{ g1.0[0] }},
  116. {{ g1.0[1] }}
  117. ];
  118. uint256[2][2] G_2 = [
  119. [
  120. {{ g2.0[0][0] }},
  121. {{ g2.0[0][1] }}
  122. ],
  123. [
  124. {{ g2.0[1][0] }},
  125. {{ g2.0[1][1] }}
  126. ]
  127. ];
  128. uint256[2][2] VK = [
  129. [
  130. {{ vk.0[0][0] }},
  131. {{ vk.0[0][1] }}
  132. ],
  133. [
  134. {{ vk.0[1][0] }},
  135. {{ vk.0[1][1] }}
  136. ]
  137. ];
  139. uint256[2][{{ g1_crs_len }}] G1_CRS = [
  140. {%- for (i, point) in g1_crs.iter().enumerate() %}
  141. [
  142. {{ point.0[0] }},
  143. {{ point.0[1] }}
  144. {% if loop.last -%}
  145. ]
  146. {%- else -%}
  147. ],
  148. {%- endif -%}
  149. {% endfor -%}
  150. ];
  152. /**
  153. * @notice Verifies a single point evaluation proof. Function name follows `ark-poly`.
  154. * @dev To avoid ops in G_2, we slightly tweak how the verification is done.
  155. * @param c G_1 point commitment to polynomial.
  156. * @param pi G_1 point proof.
  157. * @param x Value to prove evaluation of polynomial at.
  158. * @param y Evaluation poly(x).
  159. * @return result Indicates if KZG proof is correct.
  160. */
  161. function check(uint256[2] calldata c, uint256[2] calldata pi, uint256 x, uint256 y)
  162. public
  163. view
  164. returns (bool result)
  165. {
  166. //
  167. // we want to:
  168. // 1. avoid gas intensive ops in G2
  169. // 2. format the pairing check in line with what the evm opcode expects.
  170. //
  171. // we can do this by tweaking the KZG check to be:
  172. //
  173. // e(pi, vk - x * g2) = e(c - y * g1, g2) [initial check]
  174. // e(pi, vk - x * g2) * e(c - y * g1, g2)^{-1} = 1
  175. // e(pi, vk - x * g2) * e(-c + y * g1, g2) = 1 [bilinearity of pairing for all subsequent steps]
  176. // e(pi, vk) * e(pi, -x * g2) * e(-c + y * g1, g2) = 1
  177. // e(pi, vk) * e(-x * pi, g2) * e(-c + y * g1, g2) = 1
  178. // e(pi, vk) * e(x * -pi - c + y * g1, g2) = 1 [done]
  179. // |_ rhs_pairing _|
  180. //
  181. uint256[2] memory rhs_pairing =
  182. add(mulScalar(negate(pi), x), add(negate(c), mulScalar(G_1, y)));
  183. return pairing(pi, VK, rhs_pairing, G_2);
  184. }
  186. function evalPolyAt(uint256[] memory _coefficients, uint256 _index) public pure returns (uint256) {
  187. uint256 m = BN254_SCALAR_FIELD;
  188. uint256 result = 0;
  189. uint256 powerOfX = 1;
  191. for (uint256 i = 0; i < _coefficients.length; i++) {
  192. uint256 coeff = _coefficients[i];
  193. assembly {
  194. result := addmod(result, mulmod(powerOfX, coeff, m), m)
  195. powerOfX := mulmod(powerOfX, _index, m)
  196. }
  197. }
  198. return result;
  199. }
  201. /**
  202. * @notice Ensures that z(x) == 0 and l(x) == y for all x in x_vals and y in y_vals. It returns the commitment to z(x) and l(x).
  203. * @param z_coeffs coefficients of the zero polynomial z(x) = (x - x_1)(x - x_2)...(x - x_n).
  204. * @param l_coeffs coefficients of the lagrange polynomial l(x).
  205. * @param x_vals x values to evaluate the polynomials at.
  206. * @param y_vals y values to which l(x) should evaluate to.
  207. * @return uint256[2] commitment to z(x).
  208. * @return uint256[2] commitment to l(x).
  209. */
  210. function checkAndCommitAuxPolys(
  211. uint256[] memory z_coeffs,
  212. uint256[] memory l_coeffs,
  213. uint256[] memory x_vals,
  214. uint256[] memory y_vals
  215. ) public view returns (uint256[2] memory, uint256[2] memory) {
  216. // z(x) is of degree len(x_vals), it is a product of linear polynomials (x - x_i)
  217. // l(x) is of degree len(x_vals) - 1
  218. uint256[2] memory z_commit;
  219. uint256[2] memory l_commit;
  220. for (uint256 i = 0; i < x_vals.length; i++) {
  221. z_commit = add(z_commit, mulScalar(G1_CRS[i], z_coeffs[i])); // update commitment to z(x)
  222. l_commit = add(l_commit, mulScalar(G1_CRS[i], l_coeffs[i])); // update commitment to l(x)
  224. uint256 eval_z = evalPolyAt(z_coeffs, x_vals[i]);
  225. uint256 eval_l = evalPolyAt(l_coeffs, x_vals[i]);
  227. require(eval_z == 0, "checkAndCommitAuxPolys: wrong zero poly");
  228. require(eval_l == y_vals[i], "checkAndCommitAuxPolys: wrong lagrange poly");
  229. }
  230. // z(x) has len(x_vals) + 1 coeffs, we add to the commitment the last coeff of z(x)
  231. z_commit = add(z_commit, mulScalar(G1_CRS[z_coeffs.length - 1], z_coeffs[z_coeffs.length - 1]));
  233. return (z_commit, l_commit);
  234. }
  236. /**
  237. * @notice Verifies a batch of point evaluation proofs. Function name follows `ark-poly`.
  238. * @dev To avoid ops in G_2, we slightly tweak how the verification is done.
  239. * @param c G1 point commitment to polynomial.
  240. * @param pi G2 point proof.
  241. * @param x_vals Values to prove evaluation of polynomial at.
  242. * @param y_vals Evaluation poly(x).
  243. * @param l_coeffs Coefficients of the lagrange polynomial.
  244. * @param z_coeffs Coefficients of the zero polynomial z(x) = (x - x_1)(x - x_2)...(x - x_n).
  245. * @return result Indicates if KZG proof is correct.
  246. */
  247. function batchCheck(
  248. uint256[2] calldata c,
  249. uint256[2][2] calldata pi,
  250. uint256[] calldata x_vals,
  251. uint256[] calldata y_vals,
  252. uint256[] calldata l_coeffs,
  253. uint256[] calldata z_coeffs
  254. ) public view returns (bool result) {
  255. //
  256. // we want to:
  257. // 1. avoid gas intensive ops in G2
  258. // 2. format the pairing check in line with what the evm opcode expects.
  259. //
  260. // we can do this by tweaking the KZG check to be:
  261. //
  262. // e(z(r) * g1, pi) * e(g1, l(r) * g2) = e(c, g2) [initial check]
  263. // e(z(r) * g1, pi) * e(l(r) * g1, g2) * e(c, g2)^{-1} = 1 [bilinearity of pairing]
  264. // e(z(r) * g1, pi) * e(l(r) * g1 - c, g2) = 1 [done]
  265. //
  266. (uint256[2] memory z_commit, uint256[2] memory l_commit) =
  267. checkAndCommitAuxPolys(z_coeffs, l_coeffs, x_vals, y_vals);
  268. uint256[2] memory neg_commit = negate(c);
  269. return pairing(z_commit, pi, add(l_commit, neg_commit), G_2);
  270. }
  271. }