Browse Source

Add solidity groth16, kzg10 and final decider verifiers in a dedicated workspace (#70)

* change: Refactor structure into workspace

* chore: Add empty readme

* change: Transform repo into workspace

* add: Create folding-verifier-solidity crate

* add: Include askama.toml for `sol` extension escaper

* add: Jordi's old Groth16 verifier .sol template and adapt it

* tmp: create simple template struct to test

* Update FoldingSchemes trait, fit Nova+CycleFold

- update lib.rs's `FoldingScheme` trait interface
- fit Nova+CycleFold into the `FoldingScheme` trait
- refactor `src/nova/*`

* chore: add serialization assets for testing

Now we include an `assets` folder with a serialized proof & vk for tests

* Add `examples` dir, with Nova's `FoldingScheme` example

* polishing

* expose poseidon_test_config outside tests

* change: Refactor structure into workspace

* chore: Add empty readme

* change: Transform repo into workspace

* add: Create folding-verifier-solidity crate

* add: Include askama.toml for `sol` extension escaper

* add: Jordi's old Groth16 verifier .sol template and adapt it

* tmp: create simple template struct to test

* feat: templating kzg working

* chore: add emv and revm

* feat: start evm file

* chore: add ark-poly-commit

* chore: move `commitment` to `folding-schemes`

* chore: update `.gitignore` to ignore generated contracts

* chore: update template with bn254 lib on it (avoids import), update for loop to account for whitespaces

* refactor: update template with no lib

* feat: add evm deploy code, compile and create kzg verifier

* chore: update `Cargo.toml` to have `folding-schemes` available with verifiers

* feat: start kzg prove and verify with sol

* chore: compute crs from kzg prover

* feat: evm kzg verification passing

* tmp

* change: Swap order of G2 coordinates within the template

* Update way to serialize proof with correct order

* chore: update `Cargo.toml`

* chore: add revm

* chore: add `save_solidity`

* refactor: verifiers in dedicated mod

* refactor: have dedicated `utils` module

* chore: expose modules

* chore: update verifier for kzg

* chore: rename templates

* fix: look for binary using also name of contract

* refactor: generate groth16 proof for sha256 pre-image, generate groth16 template with verifying key

* chore: template renaming

* fix: switch circuit for circuit that simply adds

* feat: generates test data on the fly

* feat: update to latest groth16 verifier

* refactor: rename folder, update `.gitignore`

* chore: update `Cargo.toml`

* chore: update templates extension to indicate that they are templates

* chore: rename templates, both files and structs

* fix: template inheritance working

* feat: template spdx and pragma statements

* feat: decider verifier compiles, update test for kzg10 and groth16 templates

* feat: parameterize which size of the crs should be stored on the contract

* chore: add comment on how the groth16 and kzg10 proofs will be linked together

* chore: cargo clippy run

* chore: cargo clippy tests

* chore: cargo fmt

* refactor: remove unused lifetime parameter

* chore: end merge

* chore: move examples to `folding-schemes` workspace

* get latest main changes

* fix: temp fix clippy warnings, will remove lints once not used in tests only

* fix: cargo clippy lint added on `code_size`

* fix: update path to test circuit and add step for installing solc

* chore: remove `save_solidity` steps

* fix: the borrowed expression implements the required traits

* chore: update `Cargo.toml`

* chore: remove extra `[patch.crates-io]`

* fix: update to patch at the workspace level and add comment explaining this

* refactor: correct `staticcall` with valid input/output sizes and change return syntax for pairing

* refactor: expose modules and remove `dead_code` calls

* chore: update `README.md`, add additional comments on `kzg10` template and update `groth16` template comments

* chore: be clearer on attributions on `kzg10`

---------

Co-authored-by: CPerezz <c.perezbaro@gmail.com>
Co-authored-by: arnaucube <root@arnaucube.com>
main
Pierre 10 months ago
committed by GitHub
parent
commit
63dbbfe1bc
No known key found for this signature in database GPG Key ID: B5690EEEBB952194
67 changed files with 1208 additions and 53 deletions
  1. +5
    -1
      .github/workflows/ci.yml
  2. +4
    -1
      .gitignore
  3. +7
    -49
      Cargo.toml
  4. +39
    -0
      folding-schemes-solidity/Cargo.toml
  5. +3
    -0
      folding-schemes-solidity/README.md
  6. +3
    -0
      folding-schemes-solidity/askama.toml
  7. +181
    -0
      folding-schemes-solidity/src/evm.rs
  8. +5
    -0
      folding-schemes-solidity/src/lib.rs
  9. +43
    -0
      folding-schemes-solidity/src/utils/encoding.rs
  10. +1
    -0
      folding-schemes-solidity/src/utils/mod.rs
  11. +287
    -0
      folding-schemes-solidity/src/verifiers/mod.rs
  12. +113
    -0
      folding-schemes-solidity/src/verifiers/templates.rs
  13. +172
    -0
      folding-schemes-solidity/templates/groth16_verifier.askama.sol
  14. +20
    -0
      folding-schemes-solidity/templates/kzg10_groth16_decider_verifier.askama.sol
  15. +275
    -0
      folding-schemes-solidity/templates/kzg10_verifier.askama.sol
  16. +48
    -0
      folding-schemes/Cargo.toml
  17. +0
    -0
      folding-schemes/examples/fold_sha256.rs
  18. +0
    -0
      folding-schemes/src/ccs/mod.rs
  19. +0
    -0
      folding-schemes/src/ccs/r1cs.rs
  20. +0
    -0
      folding-schemes/src/commitment/kzg.rs
  21. +0
    -0
      folding-schemes/src/commitment/mod.rs
  22. +0
    -0
      folding-schemes/src/commitment/pedersen.rs
  23. +0
    -0
      folding-schemes/src/constants.rs
  24. +0
    -0
      folding-schemes/src/folding/circuits/mod.rs
  25. +0
    -0
      folding-schemes/src/folding/circuits/nonnative.rs
  26. +0
    -0
      folding-schemes/src/folding/circuits/sum_check.rs
  27. +0
    -0
      folding-schemes/src/folding/circuits/utils.rs
  28. +0
    -0
      folding-schemes/src/folding/hypernova/cccs.rs
  29. +0
    -0
      folding-schemes/src/folding/hypernova/circuit.rs
  30. +0
    -0
      folding-schemes/src/folding/hypernova/lcccs.rs
  31. +0
    -0
      folding-schemes/src/folding/hypernova/mod.rs
  32. +0
    -0
      folding-schemes/src/folding/hypernova/nimfs.rs
  33. +0
    -0
      folding-schemes/src/folding/hypernova/utils.rs
  34. +0
    -0
      folding-schemes/src/folding/mod.rs
  35. +0
    -0
      folding-schemes/src/folding/nova/circuits.rs
  36. +0
    -0
      folding-schemes/src/folding/nova/cyclefold.rs
  37. +0
    -0
      folding-schemes/src/folding/nova/decider_eth.rs
  38. +0
    -0
      folding-schemes/src/folding/nova/decider_eth_circuit.rs
  39. +0
    -0
      folding-schemes/src/folding/nova/mod.rs
  40. +0
    -0
      folding-schemes/src/folding/nova/nifs.rs
  41. +0
    -0
      folding-schemes/src/folding/nova/traits.rs
  42. +0
    -0
      folding-schemes/src/folding/protogalaxy/folding.rs
  43. +0
    -0
      folding-schemes/src/folding/protogalaxy/mod.rs
  44. +0
    -0
      folding-schemes/src/folding/protogalaxy/traits.rs
  45. +0
    -0
      folding-schemes/src/folding/protogalaxy/utils.rs
  46. +0
    -0
      folding-schemes/src/frontend/circom/mod.rs
  47. +2
    -0
      folding-schemes/src/frontend/circom/test_folder/compile.sh
  48. +0
    -0
      folding-schemes/src/frontend/circom/test_folder/test_circuit.circom
  49. +0
    -0
      folding-schemes/src/frontend/mod.rs
  50. +0
    -0
      folding-schemes/src/lib.rs
  51. +0
    -0
      folding-schemes/src/transcript/mod.rs
  52. +0
    -0
      folding-schemes/src/transcript/poseidon.rs
  53. +0
    -0
      folding-schemes/src/utils/bit.rs
  54. +0
    -0
      folding-schemes/src/utils/espresso/mod.rs
  55. +0
    -0
      folding-schemes/src/utils/espresso/multilinear_polynomial.rs
  56. +0
    -0
      folding-schemes/src/utils/espresso/sum_check/mod.rs
  57. +0
    -0
      folding-schemes/src/utils/espresso/sum_check/prover.rs
  58. +0
    -0
      folding-schemes/src/utils/espresso/sum_check/structs.rs
  59. +0
    -0
      folding-schemes/src/utils/espresso/sum_check/verifier.rs
  60. +0
    -0
      folding-schemes/src/utils/espresso/virtual_polynomial.rs
  61. +0
    -0
      folding-schemes/src/utils/gadgets.rs
  62. +0
    -0
      folding-schemes/src/utils/hypercube.rs
  63. +0
    -0
      folding-schemes/src/utils/lagrange_poly.rs
  64. +0
    -0
      folding-schemes/src/utils/mle.rs
  65. +0
    -0
      folding-schemes/src/utils/mod.rs
  66. +0
    -0
      folding-schemes/src/utils/vec.rs
  67. +0
    -2
      src/frontend/circom/test_folder/compile.sh

+ 5
- 1
.github/workflows/ci.yml

@ -55,8 +55,12 @@ jobs:
curl -sSfL https://github.com/iden3/circom/releases/download/v2.1.6/circom-linux-amd64 -o $HOME/bin/circom
chmod +x $HOME/bin/circom
echo "$HOME/bin" >> $GITHUB_PATH
- name: Download solc
run: |
curl -sSfL https://github.com/ethereum/solidity/releases/download/v0.8.4/solc-static-linux -o /usr/local/bin/solc
chmod +x /usr/local/bin/solc
- name: Execute compile.sh to generate .r1cs and .wasm from .circom
run: bash ./src/frontend/circom/test_folder/compile.sh
run: bash ./folding-schemes/src/frontend/circom/test_folder/compile.sh
- name: Build
# This build will be reused by nextest,
# and also checks (--all-targets) that benches don't bit-rot

+ 4
- 1
.gitignore

@ -2,4 +2,7 @@
Cargo.lock
# Circom generated files
/src/frontend/circom/test_folder/test_circuit.r1cs
/src/frontend/circom/test_folder/test_circuit_js/
/src/frontend/circom/test_folder/test_circuit_js/
# generated contracts at test time
folding-schemes-solidity/generated

+ 7
- 49
Cargo.toml

@ -1,50 +1,9 @@
[package]
name = "folding-schemes"
version = "0.1.0"
edition = "2021"
[dependencies]
ark-ec = "^0.4.0"
ark-ff = "^0.4.0"
ark-poly = "^0.4.0"
ark-std = "^0.4.0"
ark-crypto-primitives = { version = "^0.4.0", default-features = false, features = ["r1cs", "sponge", "crh"] }
ark-poly-commit = "^0.4.0"
ark-relations = { version = "^0.4.0", default-features = false }
ark-r1cs-std = { default-features = false } # use latest version from the patch
ark-snark = { version = "^0.4.0"}
ark-serialize = "^0.4.0"
ark-circom = { git = "https://github.com/gakonst/ark-circom.git" }
thiserror = "1.0"
rayon = "1.7.0"
num-bigint = "0.4"
color-eyre = "=0.6.2"
# tmp imports for espresso's sumcheck
espresso_subroutines = {git="https://github.com/EspressoSystems/hyperplonk", package="subroutines"}
[dev-dependencies]
ark-pallas = {version="0.4.0", features=["r1cs"]}
ark-vesta = {version="0.4.0", features=["r1cs"]}
ark-bn254 = "0.4.0"
ark-mnt4-298 = {version="0.4.0", features=["r1cs"]}
ark-mnt6-298 = {version="0.4.0", features=["r1cs"]}
ark-groth16 = { version = "^0.4.0" }
rand = "0.8.5"
tracing = { version = "0.1", default-features = false, features = [ "attributes" ] }
tracing-subscriber = { version = "0.2" }
[features]
default = ["parallel"]
parallel = [
"ark-std/parallel",
"ark-ff/parallel",
"ark-ec/parallel",
"ark-poly/parallel",
"ark-crypto-primitives/parallel",
"ark-r1cs-std/parallel",
]
[workspace]
resolver = "1"
members = [
"folding-schemes",
"folding-schemes-solidity"
]
# The following patch is to use a version of ark-r1cs-std compatible with
# v0.4.0 but that includes a cherry-picked commit from after v0.4.0 which fixes
@ -52,5 +11,4 @@ parallel = [
# https://github.com/arkworks-rs/r1cs-std/pull/124, without including other
# changes done between v0.4.0 and this fix which would break compatibility.
[patch.crates-io]
ark-r1cs-std = { git = "https://github.com/arnaucube/ark-r1cs-std-cherry-picked/" }
ark-r1cs-std = { git = "https://github.com/arnaucube/ark-r1cs-std-cherry-picked/" }

+ 39
- 0
folding-schemes-solidity/Cargo.toml

@ -0,0 +1,39 @@
[package]
name = "folding-schemes-solidity"
version = "0.1.0"
edition = "2021"
[dependencies]
ark-ec = "0.4"
ark-ff = "0.4"
ark-poly = "0.4"
ark-std = "0.4"
ark-groth16 = "0.4"
askama = { version = "0.12.0", features = ["config"], default-features = false }
ark-bn254 = "0.4.0"
ark-poly-commit = "0.4.0"
folding-schemes = { path = "../folding-schemes/" }
itertools = "0.12.1"
ark-serialize = "0.4.1"
revm = "3.5.0"
[dev-dependencies]
ark-crypto-primitives = "0.4.0"
ark-groth16 = "0.4"
ark-r1cs-std = "0.4.0"
ark-relations = "0.4.0"
revm = "3.5.0"
tracing = { version = "0.1", default-features = false, features = [ "attributes" ] }
tracing-subscriber = { version = "0.2" }
[features]
default = ["parallel"]
parallel = [
"ark-std/parallel",
"ark-ff/parallel",
"ark-poly/parallel",
]

+ 3
- 0
folding-schemes-solidity/README.md

@ -0,0 +1,3 @@
# `folding-schemes-solidity`
This crate implements templating logic to output verifier contracts for `folding-schemes`-generated decider proofs.

+ 3
- 0
folding-schemes-solidity/askama.toml

@ -0,0 +1,3 @@
[[escaper]]
path = "askama::Text"
extensions = ["sol"]

+ 181
- 0
folding-schemes-solidity/src/evm.rs

@ -0,0 +1,181 @@
pub use revm;
use revm::{
primitives::{hex, Address, CreateScheme, ExecutionResult, Output, TransactTo, TxEnv},
InMemoryDB, EVM,
};
use std::{
fmt::{self, Debug, Formatter},
fs::{create_dir_all, File},
io::{self, Write},
process::{Command, Stdio},
str,
};
// from: https://github.com/privacy-scaling-explorations/halo2-solidity-verifier/blob/85cb77b171ce3ee493628007c7a1cfae2ea878e6/examples/separately.rs#L56
pub fn save_solidity(name: impl AsRef<str>, solidity: &str) {
const DIR_GENERATED: &str = "./generated";
create_dir_all(DIR_GENERATED).unwrap();
File::create(format!("{DIR_GENERATED}/{}", name.as_ref()))
.unwrap()
.write_all(solidity.as_bytes())
.unwrap();
}
/// Compile solidity with `--via-ir` flag, then return creation bytecode.
///
/// # Panics
/// Panics if executable `solc` can not be found, or compilation fails.
pub fn compile_solidity(solidity: impl AsRef<[u8]>, contract_name: &str) -> Vec<u8> {
let mut process = match Command::new("solc")
.stdin(Stdio::piped())
.stdout(Stdio::piped())
.stderr(Stdio::piped())
.arg("--bin")
.arg("--optimize")
.arg("-")
.spawn()
{
Ok(process) => process,
Err(err) if err.kind() == io::ErrorKind::NotFound => {
panic!("Command 'solc' not found");
}
Err(err) => {
panic!("Failed to spawn process with command 'solc':\n{err}");
}
};
process
.stdin
.take()
.unwrap()
.write_all(solidity.as_ref())
.unwrap();
let output = process.wait_with_output().unwrap();
let stdout = str::from_utf8(&output.stdout).unwrap();
if let Some(binary) = find_binary(stdout, contract_name) {
binary
} else {
panic!(
"Compilation fails:\n{}",
str::from_utf8(&output.stderr).unwrap()
)
}
}
/// Find binary from `stdout` with given `contract_name`.
/// `contract_name` is provided since `solc` may compile multiple contracts or libraries.
/// hence, we need to find the correct binary.
fn find_binary(stdout: &str, contract_name: &str) -> Option<Vec<u8>> {
let start_contract = stdout.find(contract_name)?;
let stdout_contract = &stdout[start_contract..];
let start = stdout_contract.find("Binary:")? + 8;
Some(hex::decode(&stdout_contract[start..stdout_contract.len() - 1]).unwrap())
}
/// Evm runner.
pub struct Evm {
evm: EVM<InMemoryDB>,
}
impl Debug for Evm {
fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
let mut debug_struct = f.debug_struct("Evm");
debug_struct
.field("env", &self.evm.env)
.field("db", &self.evm.db.as_ref().unwrap())
.finish()
}
}
impl Default for Evm {
fn default() -> Self {
Self {
evm: EVM {
env: Default::default(),
db: Some(Default::default()),
},
}
}
}
impl Evm {
/// Return code_size of given address.
///
/// # Panics
/// Panics if given address doesn't have bytecode.
pub fn code_size(&mut self, address: Address) -> usize {
self.evm.db.as_ref().unwrap().accounts[&address]
.info
.code
.as_ref()
.unwrap()
.len()
}
/// Apply create transaction with given `bytecode` as creation bytecode.
/// Return created `address`.
///
/// # Panics
/// Panics if execution reverts or halts unexpectedly.
pub fn create(&mut self, bytecode: Vec<u8>) -> Address {
let (_, output) = self.transact_success_or_panic(TxEnv {
gas_limit: u64::MAX,
transact_to: TransactTo::Create(CreateScheme::Create),
data: bytecode.into(),
..Default::default()
});
match output {
Output::Create(_, Some(address)) => address,
_ => unreachable!(),
}
}
/// Apply call transaction to given `address` with `calldata`.
/// Returns `gas_used` and `return_data`.
///
/// # Panics
/// Panics if execution reverts or halts unexpectedly.
pub fn call(&mut self, address: Address, calldata: Vec<u8>) -> (u64, Vec<u8>) {
let (gas_used, output) = self.transact_success_or_panic(TxEnv {
gas_limit: u64::MAX,
transact_to: TransactTo::Call(address),
data: calldata.into(),
..Default::default()
});
match output {
Output::Call(output) => (gas_used, output.into()),
_ => unreachable!(),
}
}
fn transact_success_or_panic(&mut self, tx: TxEnv) -> (u64, Output) {
self.evm.env.tx = tx;
let result = self.evm.transact_commit().unwrap();
self.evm.env.tx = Default::default();
match result {
ExecutionResult::Success {
gas_used,
output,
logs,
..
} => {
if !logs.is_empty() {
println!("--- logs from {} ---", logs[0].address);
for (log_idx, log) in logs.iter().enumerate() {
println!("log#{log_idx}");
for (topic_idx, topic) in log.topics.iter().enumerate() {
println!(" topic{topic_idx}: {topic:?}");
}
}
println!("--- end ---");
}
(gas_used, output)
}
ExecutionResult::Revert { gas_used, output } => {
panic!("Transaction reverts with gas_used {gas_used} and output {output:#x}")
}
ExecutionResult::Halt { reason, gas_used } => panic!(
"Transaction halts unexpectedly with gas_used {gas_used} and reason {reason:?}"
),
}
}
}

+ 5
- 0
folding-schemes-solidity/src/lib.rs

@ -0,0 +1,5 @@
pub use evm::*;
pub use verifiers::templates::*;
mod evm;
mod utils;
mod verifiers;

+ 43
- 0
folding-schemes-solidity/src/utils/encoding.rs

@ -0,0 +1,43 @@
/// Defines encodings of G1 and G2 elements for use in Solidity templates.
use ark_bn254::{Fq, G1Affine, G2Affine};
use std::fmt::{self, Display};
#[derive(Debug, Default)]
pub struct FqWrapper(pub Fq);
impl Display for FqWrapper {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
write!(f, "{}", self.0)
}
}
#[derive(Debug, Default)]
pub struct G1Repr(pub [FqWrapper; 2]);
impl Display for G1Repr {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
write!(f, "{:#?}", self.0)
}
}
/// Converts a G1 element to a representation that can be used in Solidity templates.
pub fn g1_to_fq_repr(g1: G1Affine) -> G1Repr {
G1Repr([FqWrapper(g1.x), FqWrapper(g1.y)])
}
#[derive(Debug, Default)]
pub struct G2Repr(pub [[FqWrapper; 2]; 2]);
impl Display for G2Repr {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
write!(f, "{:#?}", self.0)
}
}
/// Converts a G2 element to a representation that can be used in Solidity templates.
pub fn g2_to_fq_repr(g2: G2Affine) -> G2Repr {
G2Repr([
[FqWrapper(g2.x.c0), FqWrapper(g2.x.c1)],
[FqWrapper(g2.y.c0), FqWrapper(g2.y.c1)],
])
}

+ 1
- 0
folding-schemes-solidity/src/utils/mod.rs

@ -0,0 +1 @@
pub mod encoding;

+ 287
- 0
folding-schemes-solidity/src/verifiers/mod.rs

@ -0,0 +1,287 @@
pub mod templates;
#[cfg(test)]
mod tests {
use crate::evm::{compile_solidity, save_solidity, Evm};
use crate::verifiers::templates::{Groth16Verifier, KZG10Verifier};
use ark_bn254::{Bn254, Fr, G1Projective as G1};
use ark_crypto_primitives::snark::{CircuitSpecificSetupSNARK, SNARK};
use ark_ec::{AffineRepr, CurveGroup};
use ark_ff::{BigInt, BigInteger, PrimeField};
use ark_groth16::Groth16;
use ark_poly_commit::kzg10::VerifierKey;
use ark_r1cs_std::alloc::AllocVar;
use ark_r1cs_std::eq::EqGadget;
use ark_r1cs_std::fields::fp::FpVar;
use ark_relations::r1cs::{ConstraintSynthesizer, ConstraintSystemRef, SynthesisError};
use ark_std::rand::{RngCore, SeedableRng};
use ark_std::Zero;
use ark_std::{test_rng, UniformRand};
use askama::Template;
use folding_schemes::{
commitment::{
kzg::{KZGProver, KZGSetup, ProverKey},
CommitmentProver,
},
transcript::{
poseidon::{poseidon_test_config, PoseidonTranscript},
Transcript,
},
};
use itertools::chain;
use std::marker::PhantomData;
// Function signatures for proof verification on kzg10 and groth16 contracts
pub const FUNCTION_SIGNATURE_KZG10_CHECK: [u8; 4] = [0x9e, 0x78, 0xcc, 0xf7];
pub const FUNCTION_SIGNATURE_GROTH16_VERIFY_PROOF: [u8; 4] = [0x43, 0x75, 0x3b, 0x4d];
// Pragma statements for verifiers
pub const PRAGMA_GROTH16_VERIFIER: &str = "pragma solidity >=0.7.0 <0.9.0;"; // from snarkjs, avoid changing
pub const PRAGMA_KZG10_VERIFIER: &str = "pragma solidity >=0.8.1 <=0.8.4;";
struct TestAddCircuit<F: PrimeField> {
_f: PhantomData<F>,
pub x: u8,
pub y: u8,
pub z: u8,
}
impl<F: PrimeField> ConstraintSynthesizer<F> for TestAddCircuit<F> {
fn generate_constraints(self, cs: ConstraintSystemRef<F>) -> Result<(), SynthesisError> {
let x = FpVar::<F>::new_witness(cs.clone(), || Ok(F::from(self.x)))?;
let y = FpVar::<F>::new_witness(cs.clone(), || Ok(F::from(self.y)))?;
let z = FpVar::<F>::new_input(cs.clone(), || Ok(F::from(self.z)))?;
let comp_z = x.clone() + y.clone();
comp_z.enforce_equal(&z)?;
Ok(())
}
}
#[test]
fn test_groth16_kzg10_decider_template_renders() {
let mut rng = ark_std::rand::rngs::StdRng::seed_from_u64(test_rng().next_u64());
let (x, y, z) = (21, 21, 42);
let (_, vk) = {
let c = TestAddCircuit::<Fr> {
_f: PhantomData,
x,
y,
z,
};
Groth16::<Bn254>::setup(c, &mut rng).unwrap()
};
let groth16_template = Groth16Verifier::from(vk, None);
let (pk, vk): (ProverKey<G1>, VerifierKey<Bn254>) = KZGSetup::<Bn254>::setup(&mut rng, 5);
let kzg10_template = KZG10Verifier::from(&vk, &pk.powers_of_g[..5], None, None);
let decider_template = super::templates::Groth16KZG10DeciderVerifier {
groth16_verifier: groth16_template,
kzg10_verifier: kzg10_template,
};
save_solidity("decider.sol", &decider_template.render().unwrap());
}
#[test]
fn test_groth16_kzg10_decider_template_compiles() {
let mut rng = ark_std::rand::rngs::StdRng::seed_from_u64(test_rng().next_u64());
let (x, y, z) = (21, 21, 42);
let (_, vk) = {
let c = TestAddCircuit::<Fr> {
_f: PhantomData,
x,
y,
z,
};
Groth16::<Bn254>::setup(c, &mut rng).unwrap()
};
// we dont specify any pragma values for both verifiers, the pragma from the decider takes over
let groth16_template = Groth16Verifier::from(vk, None);
let (pk, vk): (ProverKey<G1>, VerifierKey<Bn254>) = KZGSetup::<Bn254>::setup(&mut rng, 5);
let kzg10_template = KZG10Verifier::from(&vk, &pk.powers_of_g[..5], None, None);
let decider_template = super::templates::Groth16KZG10DeciderVerifier {
groth16_verifier: groth16_template,
kzg10_verifier: kzg10_template,
};
let decider_verifier_bytecode =
compile_solidity(decider_template.render().unwrap(), "NovaDecider");
let mut evm = Evm::default();
_ = evm.create(decider_verifier_bytecode);
}
#[test]
fn test_groth16_verifier_template_renders() {
let mut rng = ark_std::rand::rngs::StdRng::seed_from_u64(test_rng().next_u64());
let (x, y, z) = (21, 21, 42);
let (_, vk) = {
let c = TestAddCircuit::<Fr> {
_f: PhantomData,
x,
y,
z,
};
Groth16::<Bn254>::setup(c, &mut rng).unwrap()
};
let template = Groth16Verifier::from(vk, Some(PRAGMA_GROTH16_VERIFIER.to_string()));
save_solidity("groth16_verifier.sol", &template.render().unwrap());
_ = template.render().unwrap();
}
#[test]
fn test_groth16_verifier_template_compiles() {
let mut rng = ark_std::rand::rngs::StdRng::seed_from_u64(test_rng().next_u64());
let (x, y, z) = (21, 21, 42);
let (_, vk) = {
let c = TestAddCircuit::<Fr> {
_f: PhantomData,
x,
y,
z,
};
Groth16::<Bn254>::setup(c, &mut rng).unwrap()
};
let res = Groth16Verifier::from(vk, Some(PRAGMA_GROTH16_VERIFIER.to_string()))
.render()
.unwrap();
let groth16_verifier_bytecode = compile_solidity(res, "Verifier");
let mut evm = Evm::default();
_ = evm.create(groth16_verifier_bytecode);
}
#[test]
fn test_groth16_verifier_accepts_and_rejects_proofs() {
let mut rng = ark_std::rand::rngs::StdRng::seed_from_u64(test_rng().next_u64());
let (x, y, z) = (21, 21, 42);
let (pk, vk) = {
let c = TestAddCircuit::<Fr> {
_f: PhantomData,
x,
y,
z,
};
Groth16::<Bn254>::setup(c, &mut rng).unwrap()
};
let c = TestAddCircuit::<Fr> {
_f: PhantomData,
x,
y,
z,
};
let proof = Groth16::<Bn254>::prove(&pk, c, &mut rng).unwrap();
let res = Groth16Verifier::from(vk, Some(PRAGMA_GROTH16_VERIFIER.to_string()))
.render()
.unwrap();
save_solidity("groth16_verifier.sol", &res);
let groth16_verifier_bytecode = compile_solidity(&res, "Verifier");
let mut evm = Evm::default();
let verifier_address = evm.create(groth16_verifier_bytecode);
let (a_x, a_y) = proof.a.xy().unwrap();
let (b_x, b_y) = proof.b.xy().unwrap();
let (c_x, c_y) = proof.c.xy().unwrap();
let mut calldata: Vec<u8> = chain![
FUNCTION_SIGNATURE_GROTH16_VERIFY_PROOF,
a_x.into_bigint().to_bytes_be(),
a_y.into_bigint().to_bytes_be(),
b_x.c1.into_bigint().to_bytes_be(),
b_x.c0.into_bigint().to_bytes_be(),
b_y.c1.into_bigint().to_bytes_be(),
b_y.c0.into_bigint().to_bytes_be(),
c_x.into_bigint().to_bytes_be(),
c_y.into_bigint().to_bytes_be(),
BigInt::from(Fr::from(z)).to_bytes_be(),
]
.collect();
let (_, output) = evm.call(verifier_address, calldata.clone());
assert_eq!(*output.last().unwrap(), 1);
// change calldata to make it invalid
let last_calldata_element = calldata.last_mut().unwrap();
*last_calldata_element = 0;
let (_, output) = evm.call(verifier_address, calldata);
assert_eq!(*output.last().unwrap(), 0);
}
#[test]
fn test_kzg_verifier_template_renders() {
let rng = &mut test_rng();
let n = 10;
let (pk, vk): (ProverKey<G1>, VerifierKey<Bn254>) = KZGSetup::<Bn254>::setup(rng, n);
let template = KZG10Verifier::from(
&vk,
&pk.powers_of_g[..5],
Some(PRAGMA_KZG10_VERIFIER.to_string()),
None,
);
let res = template.render().unwrap();
assert!(res.contains(&vk.g.x.to_string()));
}
#[test]
fn test_kzg_verifier_compiles() {
let rng = &mut test_rng();
let n = 10;
let (pk, vk): (ProverKey<G1>, VerifierKey<Bn254>) = KZGSetup::<Bn254>::setup(rng, n);
let template = KZG10Verifier::from(
&vk,
&pk.powers_of_g[..5],
Some(PRAGMA_KZG10_VERIFIER.to_string()),
None,
);
let res = template.render().unwrap();
let kzg_verifier_bytecode = compile_solidity(res, "KZG10");
let mut evm = Evm::default();
_ = evm.create(kzg_verifier_bytecode);
}
#[test]
fn test_kzg_verifier_accepts_and_rejects_proofs() {
let rng = &mut test_rng();
let poseidon_config = poseidon_test_config::<Fr>();
let transcript_p = &mut PoseidonTranscript::<G1>::new(&poseidon_config);
let transcript_v = &mut PoseidonTranscript::<G1>::new(&poseidon_config);
let n = 10;
let (pk, vk): (ProverKey<G1>, VerifierKey<Bn254>) = KZGSetup::<Bn254>::setup(rng, n);
let v: Vec<Fr> = std::iter::repeat_with(|| Fr::rand(rng)).take(n).collect();
let cm = KZGProver::<G1>::commit(&pk, &v, &Fr::zero()).unwrap();
let (eval, proof) =
KZGProver::<G1>::prove(&pk, transcript_p, &cm, &v, &Fr::zero()).unwrap();
let template = KZG10Verifier::from(
&vk,
&pk.powers_of_g[..5],
Some(PRAGMA_KZG10_VERIFIER.to_string()),
None,
);
let res = template.render().unwrap();
let kzg_verifier_bytecode = compile_solidity(res, "KZG10");
let mut evm = Evm::default();
let verifier_address = evm.create(kzg_verifier_bytecode);
let (cm_affine, proof_affine) = (cm.into_affine(), proof.into_affine());
let (x_comm, y_comm) = cm_affine.xy().unwrap();
let (x_proof, y_proof) = proof_affine.xy().unwrap();
let y = eval.into_bigint().to_bytes_be();
transcript_v.absorb_point(&cm).unwrap();
let x = transcript_v.get_challenge();
let x = x.into_bigint().to_bytes_be();
let mut calldata: Vec<u8> = chain![
FUNCTION_SIGNATURE_KZG10_CHECK,
x_comm.into_bigint().to_bytes_be(),
y_comm.into_bigint().to_bytes_be(),
x_proof.into_bigint().to_bytes_be(),
y_proof.into_bigint().to_bytes_be(),
x.clone(),
y,
]
.collect();
let (_, output) = evm.call(verifier_address, calldata.clone());
assert_eq!(*output.last().unwrap(), 1);
// change calldata to make it invalid
let last_calldata_element = calldata.last_mut().unwrap();
*last_calldata_element = 0;
let (_, output) = evm.call(verifier_address, calldata);
assert_eq!(*output.last().unwrap(), 0);
}
}

+ 113
- 0
folding-schemes-solidity/src/verifiers/templates.rs

@ -0,0 +1,113 @@
use std::ops::Deref;
use crate::utils::encoding::{g1_to_fq_repr, g2_to_fq_repr};
/// Solidity templates for the verifier contracts.
/// We use askama for templating and define which variables are required for each template.
use crate::utils::encoding::{G1Repr, G2Repr};
use ark_bn254::{Bn254, G1Affine};
use ark_groth16::VerifyingKey;
use ark_poly_commit::kzg10::VerifierKey;
use askama::Template;
#[derive(Template, Default)]
#[template(path = "groth16_verifier.askama.sol", ext = "sol")]
pub struct Groth16Verifier {
/// SPDX-License-Identifier
pub sdpx: String,
/// The `pragma` statement.
pub pragma_version: String,
/// The `alpha * G`, where `G` is the generator of `G1`.
pub vkey_alpha_g1: G1Repr,
/// The `alpha * H`, where `H` is the generator of `G2`.
pub vkey_beta_g2: G2Repr,
/// The `gamma * H`, where `H` is the generator of `G2`.
pub vkey_gamma_g2: G2Repr,
/// The `delta * H`, where `H` is the generator of `G2`.
pub vkey_delta_g2: G2Repr,
/// Length of the `gamma_abc_g1` vector.
pub gamma_abc_len: usize,
/// The `gamma^{-1} * (beta * a_i + alpha * b_i + c_i) * H`, where `H` is the generator of `E::G1`.
pub gamma_abc_g1: Vec<G1Repr>,
}
impl Groth16Verifier {
pub fn from(value: VerifyingKey<Bn254>, pragma: Option<String>) -> Self {
let pragma_version = pragma.unwrap_or_default();
let sdpx = "// SPDX-License-Identifier: GPL-3.0".to_string();
Self {
pragma_version,
sdpx,
vkey_alpha_g1: g1_to_fq_repr(value.alpha_g1),
vkey_beta_g2: g2_to_fq_repr(value.beta_g2),
vkey_gamma_g2: g2_to_fq_repr(value.gamma_g2),
vkey_delta_g2: g2_to_fq_repr(value.delta_g2),
gamma_abc_len: value.gamma_abc_g1.len(),
gamma_abc_g1: value
.gamma_abc_g1
.iter()
.copied()
.map(g1_to_fq_repr)
.collect(),
}
}
}
#[derive(Template, Default)]
#[template(path = "kzg10_verifier.askama.sol", ext = "sol")]
pub struct KZG10Verifier {
/// SPDX-License-Identifier
pub sdpx: String,
/// The `pragma` statement.
pub pragma_version: String,
/// The generator of `G1`.
pub g1: G1Repr,
/// The generator of `G2`.
pub g2: G2Repr,
/// The verification key
pub vk: G2Repr,
/// Length of the trusted setup vector.
pub g1_crs_len: usize,
/// The trusted setup vector.
pub g1_crs: Vec<G1Repr>,
}
impl KZG10Verifier {
pub fn from(
vk: &VerifierKey<Bn254>,
crs: &[G1Affine],
pragma: Option<String>,
sdpx: Option<String>,
) -> KZG10Verifier {
let g1_string_repr = g1_to_fq_repr(vk.g);
let g2_string_repr = g2_to_fq_repr(vk.h);
let vk_string_repr = g2_to_fq_repr(vk.beta_h);
let g1_crs_len = crs.len();
let g1_crs = crs.iter().map(|g1| g1_to_fq_repr(*g1)).collect();
let sdpx = sdpx.unwrap_or_default();
let pragma_version = pragma.unwrap_or_default();
KZG10Verifier {
sdpx,
pragma_version,
g1: g1_string_repr,
g2: g2_string_repr,
vk: vk_string_repr,
g1_crs,
g1_crs_len,
}
}
}
#[derive(Template)]
#[template(path = "kzg10_groth16_decider_verifier.askama.sol", ext = "sol")]
pub struct Groth16KZG10DeciderVerifier {
pub groth16_verifier: Groth16Verifier,
pub kzg10_verifier: KZG10Verifier,
}
impl Deref for Groth16KZG10DeciderVerifier {
type Target = Groth16Verifier;
fn deref(&self) -> &Self::Target {
&self.groth16_verifier
}
}

+ 172
- 0
folding-schemes-solidity/templates/groth16_verifier.askama.sol

@ -0,0 +1,172 @@
{{ sdpx }}
/*
Copyright 2021 0KIMS association.
* `folding-schemes-solidity` added comment
This file is a template built out of [snarkJS](https://github.com/iden3/snarkjs) groth16 verifier.
See the original ejs template [here](https://github.com/iden3/snarkjs/blob/master/templates/verifier_groth16.sol.ejs)
*
snarkJS is a free software: you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
snarkJS is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
License for more details.
You should have received a copy of the GNU General Public License
along with snarkJS. If not, see <https://www.gnu.org/licenses/>.
*/
{{ pragma_version }}
contract Groth16Verifier {
// Scalar field size
uint256 constant r = 21888242871839275222246405745257275088548364400416034343698204186575808495617;
// Base field size
uint256 constant q = 21888242871839275222246405745257275088696311157297823662689037894645226208583;
// Verification Key data
uint256 constant alphax = {{ vkey_alpha_g1.0[0] }};
uint256 constant alphay = {{ vkey_alpha_g1.0[1] }};
uint256 constant betax1 = {{ vkey_beta_g2.0[0][1] }};
uint256 constant betax2 = {{ vkey_beta_g2.0[0][0] }};
uint256 constant betay1 = {{ vkey_beta_g2.0[1][1] }};
uint256 constant betay2 = {{ vkey_beta_g2.0[1][0] }};
uint256 constant gammax1 = {{ vkey_gamma_g2.0[0][1] }};
uint256 constant gammax2 = {{ vkey_gamma_g2.0[0][0] }};
uint256 constant gammay1 = {{ vkey_gamma_g2.0[1][1] }};
uint256 constant gammay2 = {{ vkey_gamma_g2.0[1][0] }};
uint256 constant deltax1 = {{ vkey_delta_g2.0[0][1] }};
uint256 constant deltax2 = {{ vkey_delta_g2.0[0][0] }};
uint256 constant deltay1 = {{ vkey_delta_g2.0[1][1] }};
uint256 constant deltay2 = {{ vkey_delta_g2.0[1][0] }};
{% for (i, point) in gamma_abc_g1.iter().enumerate() %}
uint256 constant IC{{i}}x = {{ point.0[0] }};
uint256 constant IC{{i}}y = {{ point.0[1] }};
{% endfor %}
// Memory data
uint16 constant pVk = 0;
uint16 constant pPairing = 128;
uint16 constant pLastMem = 896;
function verifyProof(uint[2] calldata _pA, uint[2][2] calldata _pB, uint[2] calldata _pC, uint[{{ gamma_abc_len - 1 }}] calldata _pubSignals) public view returns (bool) {
assembly {
function checkField(v) {
if iszero(lt(v, q)) {
mstore(0, 0)
return(0, 0x20)
}
}
// G1 function to multiply a G1 value(x,y) to value in an address
function g1_mulAccC(pR, x, y, s) {
let success
let mIn := mload(0x40)
mstore(mIn, x)
mstore(add(mIn, 32), y)
mstore(add(mIn, 64), s)
success := staticcall(sub(gas(), 2000), 7, mIn, 96, mIn, 64)
if iszero(success) {
mstore(0, 0)
return(0, 0x20)
}
mstore(add(mIn, 64), mload(pR))
mstore(add(mIn, 96), mload(add(pR, 32)))
success := staticcall(sub(gas(), 2000), 6, mIn, 128, pR, 64)
if iszero(success) {
mstore(0, 0)
return(0, 0x20)
}
}
function checkPairing(pA, pB, pC, pubSignals, pMem) -> isOk {
let _pPairing := add(pMem, pPairing)
let _pVk := add(pMem, pVk)
mstore(_pVk, IC0x)
mstore(add(_pVk, 32), IC0y)
// Compute the linear combination vk_x
{% for (i, _) in gamma_abc_g1.iter().enumerate() %}
{% if loop.first -%}
{%- else -%}
g1_mulAccC(_pVk, IC{{i}}x, IC{{i}}y, calldataload(add(pubSignals, {{(i-1)*32}})))
{%- endif -%}
{% endfor %}
// -A
mstore(_pPairing, calldataload(pA))
mstore(add(_pPairing, 32), mod(sub(q, calldataload(add(pA, 32))), q))
// B
mstore(add(_pPairing, 64), calldataload(pB))
mstore(add(_pPairing, 96), calldataload(add(pB, 32)))
mstore(add(_pPairing, 128), calldataload(add(pB, 64)))
mstore(add(_pPairing, 160), calldataload(add(pB, 96)))
// alpha1
mstore(add(_pPairing, 192), alphax)
mstore(add(_pPairing, 224), alphay)
// beta2
mstore(add(_pPairing, 256), betax1)
mstore(add(_pPairing, 288), betax2)
mstore(add(_pPairing, 320), betay1)
mstore(add(_pPairing, 352), betay2)
// vk_x
mstore(add(_pPairing, 384), mload(add(pMem, pVk)))
mstore(add(_pPairing, 416), mload(add(pMem, add(pVk, 32))))
// gamma2
mstore(add(_pPairing, 448), gammax1)
mstore(add(_pPairing, 480), gammax2)
mstore(add(_pPairing, 512), gammay1)
mstore(add(_pPairing, 544), gammay2)
// C
mstore(add(_pPairing, 576), calldataload(pC))
mstore(add(_pPairing, 608), calldataload(add(pC, 32)))
// delta2
mstore(add(_pPairing, 640), deltax1)
mstore(add(_pPairing, 672), deltax2)
mstore(add(_pPairing, 704), deltay1)
mstore(add(_pPairing, 736), deltay2)
let success := staticcall(sub(gas(), 2000), 8, _pPairing, 768, _pPairing, 0x20)
isOk := and(success, mload(_pPairing))
}
let pMem := mload(0x40)
mstore(0x40, add(pMem, pLastMem))
// Validate that all evaluations F
{% for (i, _) in gamma_abc_g1.iter().enumerate() %}
checkField(calldataload(add(_pubSignals, {{i*32}})))
{% endfor %}
// Validate all evaluations
let isValid := checkPairing(_pA, _pB, _pC, _pubSignals, pMem)
mstore(0, isValid)
return(0, 0x20)
}
}
}

+ 20
- 0
folding-schemes-solidity/templates/kzg10_groth16_decider_verifier.askama.sol

@ -0,0 +1,20 @@
pragma solidity ^0.8.4;
{{ groth16_verifier }}
{{ kzg10_verifier }}
/**
* @author PSE & 0xPARC
* @title NovaDecider contract, for verifying zk-snarks Nova IVC proofs.
* @dev This is an askama template. It will feature a snarkjs groth16 and a kzg10 verifier, from which this contract inherits.
*/
contract NovaDecider is Groth16Verifier, KZG10Verifier {
function verifyProof(uint[2] calldata _pA, uint[2][2] calldata _pB, uint[2] calldata _pC, uint[{{ gamma_abc_len - 1 }}] calldata _pubSignals, uint256[2] calldata c, uint256[2] calldata pi, uint256 x, uint256 y) public view returns (bool) {
require(super.verifyProof(_pA, _pB, _pC, _pubSignals) == true, "Groth16 verification failed");
// for now, we do not relate the Groth16 and KZG10 proofs
// this will done in the future, by computing challenge points from the groth16 proof's data
require(super.check(c, pi, x, y) == true, "KZG10 verification failed");
return true;
}
}

+ 275
- 0
folding-schemes-solidity/templates/kzg10_verifier.askama.sol

@ -0,0 +1,275 @@
{{ sdpx }}
{{ pragma_version }}
/**
* @author Privacy and Scaling Explorations team - pse.dev
* @dev Contains utility functions for ops in BN254; in G_1 mostly.
* @notice Forked from https://github.com/weijiekoh/libkzg/tree/master.
* Among others, a few of the changes we did on this fork were:
* - Templating the pragma version
* - Removing type wrappers and use uints instead
* - Performing changes on arg types
* - Update some of the `require` statements
* - Use the bn254 scalar field instead of checking for overflow on the babyjub prime
* - In batch checking, we compute auxiliary polynomials and their commitments at the same time.
*/
contract KZG10Verifier {
// prime of field F_p over which y^2 = x^3 + 3 is defined
uint256 public constant BN254_PRIME_FIELD =
21888242871839275222246405745257275088696311157297823662689037894645226208583;
uint256 public constant BN254_SCALAR_FIELD =
21888242871839275222246405745257275088548364400416034343698204186575808495617;
/**
* @notice Performs scalar multiplication in G_1.
* @param p G_1 point to multiply
* @param s Scalar to multiply by
* @return r G_1 point p multiplied by scalar s
*/
function mulScalar(uint256[2] memory p, uint256 s) internal view returns (uint256[2] memory r) {
uint256[3] memory input;
input[0] = p[0];
input[1] = p[1];
input[2] = s;
bool success;
assembly {
success := staticcall(sub(gas(), 2000), 7, input, 0x60, r, 0x40)
switch success
case 0 { invalid() }
}
require(success, "bn254: scalar mul failed");
}
/**
* @notice Negates a point in G_1.
* @param p G_1 point to negate
* @return uint256[2] G_1 point -p
*/
function negate(uint256[2] memory p) internal pure returns (uint256[2] memory) {
if (p[0] == 0 && p[1] == 0) {
return p;
}
return [p[0], BN254_PRIME_FIELD - (p[1] % BN254_PRIME_FIELD)];
}
/**
* @notice Adds two points in G_1.
* @param p1 G_1 point 1
* @param p2 G_1 point 2
* @return r G_1 point p1 + p2
*/
function add(uint256[2] memory p1, uint256[2] memory p2) internal view returns (uint256[2] memory r) {
bool success;
uint256[4] memory input = [p1[0], p1[1], p2[0], p2[1]];
assembly {
success := staticcall(sub(gas(), 2000), 6, input, 0x80, r, 0x40)
switch success
case 0 { invalid() }
}
require(success, "bn254: point add failed");
}
/**
* @notice Computes the pairing check e(p1, p2) * e(p3, p4) == 1
* @dev Note that G_2 points a*i + b are encoded as two elements of F_p, (a, b)
* @param a_1 G_1 point 1
* @param a_2 G_2 point 1
* @param b_1 G_1 point 2
* @param b_2 G_2 point 2
* @return result true if pairing check is successful
*/
function pairing(uint256[2] memory a_1, uint256[2][2] memory a_2, uint256[2] memory b_1, uint256[2][2] memory b_2)
internal
view
returns (bool result)
{
uint256[12] memory input = [
a_1[0],
a_1[1],
a_2[0][1], // imaginary part first
a_2[0][0],
a_2[1][1], // imaginary part first
a_2[1][0],
b_1[0],
b_1[1],
b_2[0][1], // imaginary part first
b_2[0][0],
b_2[1][1], // imaginary part first
b_2[1][0]
];
uint256[1] memory out;
bool success;
assembly {
success := staticcall(sub(gas(), 2000), 8, input, 0x180, out, 0x20)
switch success
case 0 { invalid() }
}
require(success, "bn254: pairing failed");
return out[0] == 1;
}
uint256[2] G_1 = [
{{ g1.0[0] }},
{{ g1.0[1] }}
];
uint256[2][2] G_2 = [
[
{{ g2.0[0][0] }},
{{ g2.0[0][1] }}
],
[
{{ g2.0[1][0] }},
{{ g2.0[1][1] }}
]
];
uint256[2][2] VK = [
[
{{ vk.0[0][0] }},
{{ vk.0[0][1] }}
],
[
{{ vk.0[1][0] }},
{{ vk.0[1][1] }}
]
];
uint256[2][{{ g1_crs_len }}] G1_CRS = [
{%- for (i, point) in g1_crs.iter().enumerate() %}
[
{{ point.0[0] }},
{{ point.0[1] }}
{% if loop.last -%}
]
{%- else -%}
],
{%- endif -%}
{% endfor -%}
];
/**
* @notice Verifies a single point evaluation proof. Function name follows `ark-poly`.
* @dev To avoid ops in G_2, we slightly tweak how the verification is done.
* @param c G_1 point commitment to polynomial.
* @param pi G_1 point proof.
* @param x Value to prove evaluation of polynomial at.
* @param y Evaluation poly(x).
* @return result Indicates if KZG proof is correct.
*/
function check(uint256[2] calldata c, uint256[2] calldata pi, uint256 x, uint256 y)
public
view
returns (bool result)
{
//
// we want to:
// 1. avoid gas intensive ops in G2
// 2. format the pairing check in line with what the evm opcode expects.
//
// we can do this by tweaking the KZG check to be:
//
// e(pi, vk - x * g2) = e(c - y * g1, g2) [initial check]
// e(pi, vk - x * g2) * e(c - y * g1, g2)^{-1} = 1
// e(pi, vk - x * g2) * e(-c + y * g1, g2) = 1 [bilinearity of pairing for all subsequent steps]
// e(pi, vk) * e(pi, -x * g2) * e(-c + y * g1, g2) = 1
// e(pi, vk) * e(-x * pi, g2) * e(-c + y * g1, g2) = 1
// e(pi, vk) * e(x * -pi - c + y * g1, g2) = 1 [done]
// |_ rhs_pairing _|
//
uint256[2] memory rhs_pairing =
add(mulScalar(negate(pi), x), add(negate(c), mulScalar(G_1, y)));
return pairing(pi, VK, rhs_pairing, G_2);
}
function evalPolyAt(uint256[] memory _coefficients, uint256 _index) public pure returns (uint256) {
uint256 m = BN254_SCALAR_FIELD;
uint256 result = 0;
uint256 powerOfX = 1;
for (uint256 i = 0; i < _coefficients.length; i++) {
uint256 coeff = _coefficients[i];
assembly {
result := addmod(result, mulmod(powerOfX, coeff, m), m)
powerOfX := mulmod(powerOfX, _index, m)
}
}
return result;
}
/**
* @notice Ensures that z(x) == 0 and l(x) == y for all x in x_vals and y in y_vals. It returns the commitment to z(x) and l(x).
* @param z_coeffs coefficients of the zero polynomial z(x) = (x - x_1)(x - x_2)...(x - x_n).
* @param l_coeffs coefficients of the lagrange polynomial l(x).
* @param x_vals x values to evaluate the polynomials at.
* @param y_vals y values to which l(x) should evaluate to.
* @return uint256[2] commitment to z(x).
* @return uint256[2] commitment to l(x).
*/
function checkAndCommitAuxPolys(
uint256[] memory z_coeffs,
uint256[] memory l_coeffs,
uint256[] memory x_vals,
uint256[] memory y_vals
) public view returns (uint256[2] memory, uint256[2] memory) {
// z(x) is of degree len(x_vals), it is a product of linear polynomials (x - x_i)
// l(x) is of degree len(x_vals) - 1
uint256[2] memory z_commit;
uint256[2] memory l_commit;
for (uint256 i = 0; i < x_vals.length; i++) {
z_commit = add(z_commit, mulScalar(G1_CRS[i], z_coeffs[i])); // update commitment to z(x)
l_commit = add(l_commit, mulScalar(G1_CRS[i], l_coeffs[i])); // update commitment to l(x)
uint256 eval_z = evalPolyAt(z_coeffs, x_vals[i]);
uint256 eval_l = evalPolyAt(l_coeffs, x_vals[i]);
require(eval_z == 0, "checkAndCommitAuxPolys: wrong zero poly");
require(eval_l == y_vals[i], "checkAndCommitAuxPolys: wrong lagrange poly");
}
// z(x) has len(x_vals) + 1 coeffs, we add to the commmitment the last coeff of z(x)
z_commit = add(z_commit, mulScalar(G1_CRS[z_coeffs.length - 1], z_coeffs[z_coeffs.length - 1]));
return (z_commit, l_commit);
}
/**
* @notice Verifies a batch of point evaluation proofs. Function name follows `ark-poly`.
* @dev To avoid ops in G_2, we slightly tweak how the verification is done.
* @param c G1 point commitment to polynomial.
* @param pi G2 point proof.
* @param x_vals Values to prove evaluation of polynomial at.
* @param y_vals Evaluation poly(x).
* @param l_coeffs Coefficients of the lagrange polynomial.
* @param z_coeffs Coefficients of the zero polynomial z(x) = (x - x_1)(x - x_2)...(x - x_n).
* @return result Indicates if KZG proof is correct.
*/
function batchCheck(
uint256[2] calldata c,
uint256[2][2] calldata pi,
uint256[] calldata x_vals,
uint256[] calldata y_vals,
uint256[] calldata l_coeffs,
uint256[] calldata z_coeffs
) public view returns (bool result) {
//
// we want to:
// 1. avoid gas intensive ops in G2
// 2. format the pairing check in line with what the evm opcode expects.
//
// we can do this by tweaking the KZG check to be:
//
// e(z(r) * g1, pi) * e(g1, l(r) * g2) = e(c, g2) [initial check]
// e(z(r) * g1, pi) * e(l(r) * g1, g2) * e(c, g2)^{-1} = 1 [bilinearity of pairing]
// e(z(r) * g1, pi) * e(l(r) * g1 - c, g2) = 1 [done]
//
(uint256[2] memory z_commit, uint256[2] memory l_commit) =
checkAndCommitAuxPolys(z_coeffs, l_coeffs, x_vals, y_vals);
uint256[2] memory neg_commit = negate(c);
return pairing(z_commit, pi, add(l_commit, neg_commit), G_2);
}
}

+ 48
- 0
folding-schemes/Cargo.toml

@ -0,0 +1,48 @@
[package]
name = "folding-schemes"
version = "0.1.0"
edition = "2021"
[dependencies]
ark-ec = "^0.4.0"
ark-ff = "^0.4.0"
ark-poly = "^0.4.0"
ark-std = "^0.4.0"
ark-crypto-primitives = { version = "^0.4.0", default-features = false, features = ["r1cs", "sponge", "crh"] }
ark-poly-commit = "^0.4.0"
ark-relations = { version = "^0.4.0", default-features = false }
ark-r1cs-std = { version = "0.4.0", default-features = false } # this is patched at the workspace level
ark-snark = { version = "^0.4.0"}
ark-serialize = "^0.4.0"
ark-circom = { git = "https://github.com/gakonst/ark-circom.git" }
thiserror = "1.0"
rayon = "1.7.0"
num-bigint = "0.4"
color-eyre = "=0.6.2"
# tmp imports for espresso's sumcheck
espresso_subroutines = {git="https://github.com/EspressoSystems/hyperplonk", package="subroutines"}
[dev-dependencies]
ark-pallas = {version="0.4.0", features=["r1cs"]}
ark-vesta = {version="0.4.0", features=["r1cs"]}
ark-bn254 = "0.4.0"
ark-mnt4-298 = {version="0.4.0", features=["r1cs"]}
ark-mnt6-298 = {version="0.4.0", features=["r1cs"]}
ark-groth16 = { version = "^0.4.0" }
rand = "0.8.5"
tracing = { version = "0.1", default-features = false, features = [ "attributes" ] }
tracing-subscriber = { version = "0.2" }
[features]
default = ["parallel"]
parallel = [
"ark-std/parallel",
"ark-ff/parallel",
"ark-ec/parallel",
"ark-poly/parallel",
"ark-crypto-primitives/parallel",
"ark-r1cs-std/parallel",
]

examples/fold_sha256.rs → folding-schemes/examples/fold_sha256.rs


src/ccs/mod.rs → folding-schemes/src/ccs/mod.rs


src/ccs/r1cs.rs → folding-schemes/src/ccs/r1cs.rs


src/commitment/kzg.rs → folding-schemes/src/commitment/kzg.rs


src/commitment/mod.rs → folding-schemes/src/commitment/mod.rs


src/commitment/pedersen.rs → folding-schemes/src/commitment/pedersen.rs


src/constants.rs → folding-schemes/src/constants.rs


src/folding/circuits/mod.rs → folding-schemes/src/folding/circuits/mod.rs


src/folding/circuits/nonnative.rs → folding-schemes/src/folding/circuits/nonnative.rs


src/folding/circuits/sum_check.rs → folding-schemes/src/folding/circuits/sum_check.rs


src/folding/circuits/utils.rs → folding-schemes/src/folding/circuits/utils.rs


src/folding/hypernova/cccs.rs → folding-schemes/src/folding/hypernova/cccs.rs


src/folding/hypernova/circuit.rs → folding-schemes/src/folding/hypernova/circuit.rs


src/folding/hypernova/lcccs.rs → folding-schemes/src/folding/hypernova/lcccs.rs


src/folding/hypernova/mod.rs → folding-schemes/src/folding/hypernova/mod.rs


src/folding/hypernova/nimfs.rs → folding-schemes/src/folding/hypernova/nimfs.rs


src/folding/hypernova/utils.rs → folding-schemes/src/folding/hypernova/utils.rs


src/folding/mod.rs → folding-schemes/src/folding/mod.rs


src/folding/nova/circuits.rs → folding-schemes/src/folding/nova/circuits.rs


src/folding/nova/cyclefold.rs → folding-schemes/src/folding/nova/cyclefold.rs


src/folding/nova/decider_eth.rs → folding-schemes/src/folding/nova/decider_eth.rs


src/folding/nova/decider_eth_circuit.rs → folding-schemes/src/folding/nova/decider_eth_circuit.rs


src/folding/nova/mod.rs → folding-schemes/src/folding/nova/mod.rs


src/folding/nova/nifs.rs → folding-schemes/src/folding/nova/nifs.rs


src/folding/nova/traits.rs → folding-schemes/src/folding/nova/traits.rs


src/folding/protogalaxy/folding.rs → folding-schemes/src/folding/protogalaxy/folding.rs


src/folding/protogalaxy/mod.rs → folding-schemes/src/folding/protogalaxy/mod.rs


src/folding/protogalaxy/traits.rs → folding-schemes/src/folding/protogalaxy/traits.rs


src/folding/protogalaxy/utils.rs → folding-schemes/src/folding/protogalaxy/utils.rs


src/frontend/circom/mod.rs → folding-schemes/src/frontend/circom/mod.rs


+ 2
- 0
folding-schemes/src/frontend/circom/test_folder/compile.sh

@ -0,0 +1,2 @@
#!/bin/bash
circom ./folding-schemes/src/frontend/circom/test_folder/test_circuit.circom --r1cs --wasm --prime bn128 --output ./folding-schemes/src/frontend/circom/test_folder/

src/frontend/circom/test_folder/test_circuit.circom → folding-schemes/src/frontend/circom/test_folder/test_circuit.circom


src/frontend/mod.rs → folding-schemes/src/frontend/mod.rs


src/lib.rs → folding-schemes/src/lib.rs


src/transcript/mod.rs → folding-schemes/src/transcript/mod.rs


src/transcript/poseidon.rs → folding-schemes/src/transcript/poseidon.rs


src/utils/bit.rs → folding-schemes/src/utils/bit.rs


src/utils/espresso/mod.rs → folding-schemes/src/utils/espresso/mod.rs


src/utils/espresso/multilinear_polynomial.rs → folding-schemes/src/utils/espresso/multilinear_polynomial.rs


src/utils/espresso/sum_check/mod.rs → folding-schemes/src/utils/espresso/sum_check/mod.rs


src/utils/espresso/sum_check/prover.rs → folding-schemes/src/utils/espresso/sum_check/prover.rs


src/utils/espresso/sum_check/structs.rs → folding-schemes/src/utils/espresso/sum_check/structs.rs


src/utils/espresso/sum_check/verifier.rs → folding-schemes/src/utils/espresso/sum_check/verifier.rs


src/utils/espresso/virtual_polynomial.rs → folding-schemes/src/utils/espresso/virtual_polynomial.rs


src/utils/gadgets.rs → folding-schemes/src/utils/gadgets.rs


src/utils/hypercube.rs → folding-schemes/src/utils/hypercube.rs


src/utils/lagrange_poly.rs → folding-schemes/src/utils/lagrange_poly.rs


src/utils/mle.rs → folding-schemes/src/utils/mle.rs


src/utils/mod.rs → folding-schemes/src/utils/mod.rs


src/utils/vec.rs → folding-schemes/src/utils/vec.rs


+ 0
- 2
src/frontend/circom/test_folder/compile.sh

@ -1,2 +0,0 @@
#!/bin/bash
circom ./src/frontend/circom/test_folder/test_circuit.circom --r1cs --wasm --prime bn128 --output ./src/frontend/circom/test_folder/

Loading…
Cancel
Save