Implemented Mova folding scheme (#161)

* Adding Mova Co-Authored-By: Togzhan Barakbayeva <45527668+btogzhan2000@users.noreply.github.com> Co-Authored-By: Ilia Vlasov <5365540+elijahvlasov@users.noreply.github.com> Co-Authored-By: matthew-a-klein <96837318+matthew-a-klein@users.noreply.github.com> * Fix CLI * Updated from main * Solution to stop the CLI from complaining about deadcode PR comment Co-authored-by: arnaucube <root@arnaucube.com> * Requested changes and update from main * Refactor NIFSTrait & port Mova impl to it * refactor NIFSTrait interface to fit Nova variants (Nova,Mova,Ova) Refactor NIFSTrait interface to fit Nova variants (Nova,Mova,Ova). The relevant change is instead of passing the challenge as input, now it passes the transcript and computes the challenges internally (Nova & Ova still compute a single challenge, but Mova computes multiple while absorbing at different steps). * port Mova impl to the NIFSTrait * remove unnecessary wrappers in the nova/zk.rs * remove Nova NIFS methods that are no longer needed after the refactor * put together the different NIFS implementations (Nova, Mova, Ova) so that they can interchanged at usage. The idea is that Nova and its variants (Ova & Mova) share most of the logic for the circuits & IVC & Deciders, so with the abstracted NIFS interface we will be able to reuse most of the already existing Nova code for having the Mova & Ova circuits, IVC, and Decider. * adapt Nova's DeciderEth prepare_calldata & update examples to it * small update to fix solidity tests --------- Co-authored-by: Togzhan Barakbayeva <45527668+btogzhan2000@users.noreply.github.com> Co-authored-by: Ilia Vlasov <5365540+elijahvlasov@users.noreply.github.com> Co-authored-by: matthew-a-klein <96837318+matthew-a-klein@users.noreply.github.com> Co-authored-by: arnaucube <root@arnaucube.com> Co-authored-by: arnaucube <git@arnaucube.com>
2026-01-19 20:31:35 +01:00 · 2024-10-23 09:42:34 +01:00
parent 234600b39f
commit 6d8f297f11
19 changed files with 1239 additions and 485 deletions
--- a/folding-schemes/src/folding/nova/traits.rs
+++ b/folding-schemes/src/folding/nova/traits.rs
@@ -1,6 +1,4 @@
-use ark_crypto_primitives::sponge::Absorb;
 use ark_ec::CurveGroup;
-use ark_std::fmt::Debug;
 use ark_std::{rand::RngCore, UniformRand};

 use super::{CommittedInstance, Witness};
@@ -8,79 +6,8 @@ use crate::arith::ArithSampler;
 use crate::arith::{r1cs::R1CS, Arith};
 use crate::commitment::CommitmentScheme;
 use crate::folding::circuits::CF1;
-use crate::transcript::Transcript;
 use crate::Error;

-/// Defines the NIFS (Non-Interactive Folding Scheme) trait, initially defined in
-/// [Nova](https://eprint.iacr.org/2021/370.pdf), and it's variants
-/// [Ova](https://hackmd.io/V4838nnlRKal9ZiTHiGYzw) and
-/// [Mova](https://eprint.iacr.org/2024/1220.pdf).
-/// `H` specifies whether the NIFS will use a blinding factor.
-pub trait NIFSTrait<C: CurveGroup, CS: CommitmentScheme<C, H>, const H: bool = false> {
-    type CommittedInstance: Debug + Clone + Absorb;
-    type Witness: Debug + Clone;
-    type ProverAux: Debug + Clone; // Prover's aux params
-    type VerifierAux: Debug + Clone; // Verifier's aux params
-
-    fn new_witness(w: Vec<C::ScalarField>, e_len: usize, rng: impl RngCore) -> Self::Witness;
-    fn new_instance(
-        w: &Self::Witness,
-        params: &CS::ProverParams,
-        x: Vec<C::ScalarField>,
-        aux: Vec<C::ScalarField>, // t_or_e in Ova, empty for Nova
-    ) -> Result<Self::CommittedInstance, Error>;
-
-    fn fold_witness(
-        r: C::ScalarField,
-        W: &Self::Witness, // running witness
-        w: &Self::Witness, // incoming witness
-        aux: &Self::ProverAux,
-    ) -> Result<Self::Witness, Error>;
-
-    /// computes the auxiliary parameters, eg. in Nova: (T, cmT), in Ova: T
-    fn compute_aux(
-        cs_prover_params: &CS::ProverParams,
-        r1cs: &R1CS<C::ScalarField>,
-        W_i: &Self::Witness,
-        U_i: &Self::CommittedInstance,
-        w_i: &Self::Witness,
-        u_i: &Self::CommittedInstance,
-    ) -> Result<(Self::ProverAux, Self::VerifierAux), Error>;
-
-    fn get_challenge<T: Transcript<C::ScalarField>>(
-        transcript: &mut T,
-        pp_hash: C::ScalarField, // public params hash
-        U_i: &Self::CommittedInstance,
-        u_i: &Self::CommittedInstance,
-        aux: &Self::VerifierAux, // ie. in Nova wouild be cmT, in Ova it's empty
-    ) -> Vec<bool>;
-
-    /// NIFS.P. Notice that this method is implemented at the trait level, and depends on the other
-    /// two methods `fold_witness` and `verify`.
-    fn prove(
-        r: C::ScalarField,
-        W_i: &Self::Witness,           // running witness
-        U_i: &Self::CommittedInstance, // running committed instance
-        w_i: &Self::Witness,           // incoming witness
-        u_i: &Self::CommittedInstance, // incoming committed instance
-        aux_p: &Self::ProverAux,
-        aux_v: &Self::VerifierAux,
-    ) -> Result<(Self::Witness, Self::CommittedInstance), Error> {
-        let w = Self::fold_witness(r, W_i, w_i, aux_p)?;
-        let ci = Self::verify(r, U_i, u_i, aux_v);
-        Ok((w, ci))
-    }
-
-    /// NIFS.V
-    fn verify(
-        // r comes from the transcript, and is a n-bit (N_BITS_CHALLENGE) element
-        r: C::ScalarField,
-        U_i: &Self::CommittedInstance,
-        u_i: &Self::CommittedInstance,
-        aux: &Self::VerifierAux,
-    ) -> Self::CommittedInstance;
-}
-
 /// Implements `Arith` for R1CS, where the witness is of type [`Witness`], and
 /// the committed instance is of type [`CommittedInstance`].
 ///