Onchain decider circuit for Protogalaxy (#145)

* Move r1cs and ccs to standalone folders * Simplify type bounds of SparseMatrixVar * Implement `EquivalenceGadget` trait for `FpVar` and `NonNativeUintVar`. Together with the existing `MatrixGadget` and `VectorGadget`, we can now use the same logic for checking R1CS satisfiability of `R1CSVar` both natively and non-natively. * Simplify trait bounds * Implement `ArithGadget` for `R1CSMatricesVar` and `CCSMatricesVar` * `PedersenGadget::commit` now takes slices as input * Structs for proofs and auxiliary values in protogalaxy * `u` in LCCCS should be `z[0]` * `Inputize` trait * Generic decider circuits * Verifier should check the commitments in committed instances * Update the comments according to the new docs * Fix examples * Add `DeciderEnabledNIFS::fold_group_elements_native` to wrap code for folding commitments * Fix incorrect endian * Format * Get rid of `unwrap` when possible
2026-01-08 15:01:30 +01:00 · 2024-11-04 17:34:50 +08:00
parent 6d8f297f11
commit b812dd66df
46 changed files with 2735 additions and 2408 deletions
--- a/solidity-verifiers/src/utils/mod.rs
+++ b/solidity-verifiers/src/utils/mod.rs
@@ -22,7 +22,7 @@ pub fn get_function_selector_for_nova_cyclefold_verifier(
    first_param_array_length: usize,
 ) -> [u8; 4] {
    let mut hasher = Sha3::keccak256();
-    let fn_sig = format!("verifyNovaProof(uint256[{}],uint256[4],uint256[3],uint256[4],uint256[4],uint256[2],uint256[2][2],uint256[2],uint256[4],uint256[2][2])", first_param_array_length);
+    let fn_sig = format!("verifyNovaProof(uint256[{}],uint256[4],uint256[2],uint256[3],uint256[2],uint256[2][2],uint256[2],uint256[4],uint256[2][2])", first_param_array_length);
    hasher.input_str(&fn_sig);
    let hash = &mut [0u8; 32];
    hasher.result(hash);
--- a/solidity-verifiers/src/verifiers/nova_cyclefold.rs
+++ b/solidity-verifiers/src/verifiers/nova_cyclefold.rs
@@ -153,9 +153,12 @@ mod tests {

    use folding_schemes::{
        commitment::{kzg::KZG, pedersen::Pedersen},
-        folding::nova::{
-            decider_eth::{prepare_calldata, Decider as DeciderEth},
-            Nova, PreprocessorParam,
+        folding::{
+            nova::{
+                decider_eth::{prepare_calldata, Decider as DeciderEth},
+                Nova, PreprocessorParam,
+            },
+            traits::CommittedInstanceOps,
        },
        frontend::FCircuit,
        transcript::poseidon::poseidon_canonical_config,
@@ -366,7 +369,6 @@ mod tests {
        n_steps: usize,
    ) {
        let (decider_pp, decider_vp) = decider_params;
-        let pp_hash = fs_params.1.pp_hash().unwrap();

        let f_circuit = FC::new(()).unwrap();

@@ -389,8 +391,8 @@ mod tests {
            nova.i,
            nova.z_0.clone(),
            nova.z_i.clone(),
-            &nova.U_i,
-            &nova.u_i,
+            &nova.U_i.get_commitments(),
+            &nova.u_i.get_commitments(),
            &proof,
        )
        .unwrap();
@@ -401,7 +403,6 @@ mod tests {

        let calldata: Vec<u8> = prepare_calldata(
            function_selector,
-            pp_hash,
            nova.i,
            nova.z_0,
            nova.z_i,
--- a/solidity-verifiers/templates/nova_cyclefold_decider.askama.sol
+++ b/solidity-verifiers/templates/nova_cyclefold_decider.askama.sol
@@ -63,9 +63,8 @@ contract NovaDecider is Groth16Verifier, KZG10Verifier {
        // inputs are grouped to prevent errors due stack too deep
        uint256[{{ 1 + z_len * 2 }}] calldata i_z0_zi, // [i, z0, zi] where |z0| == |zi|
        uint256[4] calldata U_i_cmW_U_i_cmE, // [U_i_cmW[2], U_i_cmE[2]]
-        uint256[3] calldata U_i_u_u_i_u_r, // [U_i_u, u_i_u, r]
-        uint256[4] calldata U_i_x_u_i_cmW, // [U_i_x[2], u_i_cmW[2]]
-        uint256[4] calldata u_i_x_cmT, // [u_i_x[2], cmT[2]]
+        uint256[2] calldata u_i_cmW, // [u_i_cmW[2]]
+        uint256[3] calldata cmT_r, // [cmT[2], r]
        uint256[2] calldata pA, // groth16 
        uint256[2][2] calldata pB, // groth16
        uint256[2] calldata pC, // groth16
@@ -85,75 +84,63 @@ contract NovaDecider is Groth16Verifier, KZG10Verifier {
            public_inputs[2 + i] = i_z0_zi[1 + i];
        }

-        {
-            // U_i.u + r * u_i.u
-            uint256 u = rlc(U_i_u_u_i_u_r[0], U_i_u_u_i_u_r[2], U_i_u_u_i_u_r[1]);
-            // U_i.x + r * u_i.x
-            uint256 x0 = rlc(U_i_x_u_i_cmW[0], U_i_u_u_i_u_r[2], u_i_x_cmT[0]);
-            uint256 x1 = rlc(U_i_x_u_i_cmW[1], U_i_u_u_i_u_r[2], u_i_x_cmT[1]);
-
-            public_inputs[{{ z_len * 2 + 2 }}] = u;
-            public_inputs[{{ z_len * 2 + 3 }}] = x0;
-            public_inputs[{{ z_len * 2 + 4 }}] = x1;
-        }
-
-        {
-            // U_i.cmE + r * u_i.cmT
-            uint256[2] memory mulScalarPoint = super.mulScalar([u_i_x_cmT[2], u_i_x_cmT[3]], U_i_u_u_i_u_r[2]);
-            uint256[2] memory cmE = super.add([U_i_cmW_U_i_cmE[2], U_i_cmW_U_i_cmE[3]], mulScalarPoint);
-
-            {
-                uint256[{{num_limbs}}] memory cmE_x_limbs = LimbsDecomposition.decompose(cmE[0]);
-                uint256[{{num_limbs}}] memory cmE_y_limbs = LimbsDecomposition.decompose(cmE[1]);
-            
-                for (uint8 k = 0; k < {{num_limbs}}; k++) {
-                    public_inputs[{{ z_len * 2 + 5 }} + k] = cmE_x_limbs[k];
-                    public_inputs[{{ z_len * 2 + 5 + num_limbs }} + k] = cmE_y_limbs[k];
-                }
-            }
-
-            require(this.check(cmE, kzg_proof[1], challenge_W_challenge_E_kzg_evals[1], challenge_W_challenge_E_kzg_evals[3]), "KZG: verifying proof for challenge E failed");
-        }
-
        {
            // U_i.cmW + r * u_i.cmW
-            uint256[2] memory mulScalarPoint = super.mulScalar([U_i_x_u_i_cmW[2], U_i_x_u_i_cmW[3]], U_i_u_u_i_u_r[2]);
+            uint256[2] memory mulScalarPoint = super.mulScalar([u_i_cmW[0], u_i_cmW[1]], cmT_r[2]);
            uint256[2] memory cmW = super.add([U_i_cmW_U_i_cmE[0], U_i_cmW_U_i_cmE[1]], mulScalarPoint);
-        
+
            {
                uint256[{{num_limbs}}] memory cmW_x_limbs = LimbsDecomposition.decompose(cmW[0]);
                uint256[{{num_limbs}}] memory cmW_y_limbs = LimbsDecomposition.decompose(cmW[1]);
        
                for (uint8 k = 0; k < {{num_limbs}}; k++) {
-                    public_inputs[{{ z_len * 2 + 5 + num_limbs * 2 }} + k] = cmW_x_limbs[k];
-                    public_inputs[{{ z_len * 2 + 5 + num_limbs * 3 }} + k] = cmW_y_limbs[k];
+                    public_inputs[{{ z_len * 2 + 2 }} + k] = cmW_x_limbs[k];
+                    public_inputs[{{ z_len * 2 + 2 + num_limbs }} + k] = cmW_y_limbs[k];
                }
            }
        
            require(this.check(cmW, kzg_proof[0], challenge_W_challenge_E_kzg_evals[0], challenge_W_challenge_E_kzg_evals[2]), "KZG: verifying proof for challenge W failed");
        }

+        {
+            // U_i.cmE + r * cmT
+            uint256[2] memory mulScalarPoint = super.mulScalar([cmT_r[0], cmT_r[1]], cmT_r[2]);
+            uint256[2] memory cmE = super.add([U_i_cmW_U_i_cmE[2], U_i_cmW_U_i_cmE[3]], mulScalarPoint);
+
+            {
+                uint256[{{num_limbs}}] memory cmE_x_limbs = LimbsDecomposition.decompose(cmE[0]);
+                uint256[{{num_limbs}}] memory cmE_y_limbs = LimbsDecomposition.decompose(cmE[1]);
+            
+                for (uint8 k = 0; k < {{num_limbs}}; k++) {
+                    public_inputs[{{ z_len * 2 + 2 + num_limbs * 2 }} + k] = cmE_x_limbs[k];
+                    public_inputs[{{ z_len * 2 + 2 + num_limbs * 3 }} + k] = cmE_y_limbs[k];
+                }
+            }
+
+            require(this.check(cmE, kzg_proof[1], challenge_W_challenge_E_kzg_evals[1], challenge_W_challenge_E_kzg_evals[3]), "KZG: verifying proof for challenge E failed");
+        }
+
        {
            // add challenges
-            public_inputs[{{ z_len * 2 + 5 + num_limbs * 4 }}] = challenge_W_challenge_E_kzg_evals[0];
-            public_inputs[{{ z_len * 2 + 5 + num_limbs * 4 + 1 }}] = challenge_W_challenge_E_kzg_evals[1];
-            public_inputs[{{ z_len * 2 + 5 + num_limbs * 4 + 2 }}] = challenge_W_challenge_E_kzg_evals[2];
-            public_inputs[{{ z_len * 2 + 5 + num_limbs * 4 + 3 }}] = challenge_W_challenge_E_kzg_evals[3];
-        
+            public_inputs[{{ z_len * 2 + 2 + num_limbs * 4 }}] = challenge_W_challenge_E_kzg_evals[0];
+            public_inputs[{{ z_len * 2 + 2 + num_limbs * 4 + 1 }}] = challenge_W_challenge_E_kzg_evals[1];
+            public_inputs[{{ z_len * 2 + 2 + num_limbs * 4 + 2 }}] = challenge_W_challenge_E_kzg_evals[2];
+            public_inputs[{{ z_len * 2 + 2 + num_limbs * 4 + 3 }}] = challenge_W_challenge_E_kzg_evals[3];
+
            uint256[{{num_limbs}}] memory cmT_x_limbs;
            uint256[{{num_limbs}}] memory cmT_y_limbs;
        
-            cmT_x_limbs = LimbsDecomposition.decompose(u_i_x_cmT[2]);
-            cmT_y_limbs = LimbsDecomposition.decompose(u_i_x_cmT[3]);
+            cmT_x_limbs = LimbsDecomposition.decompose(cmT_r[0]);
+            cmT_y_limbs = LimbsDecomposition.decompose(cmT_r[1]);
        
            for (uint8 k = 0; k < {{num_limbs}}; k++) {
-                public_inputs[{{ z_len * 2 + 5 + num_limbs * 4 }} + 4 + k] = cmT_x_limbs[k]; 
-                public_inputs[{{ z_len * 2 + 5 + num_limbs * 5}} + 4 + k] = cmT_y_limbs[k];
+                public_inputs[{{ z_len * 2 + 2 + num_limbs * 4 }} + 4 + k] = cmT_x_limbs[k]; 
+                public_inputs[{{ z_len * 2 + 2 + num_limbs * 5 }} + 4 + k] = cmT_y_limbs[k];
            }
        
            // last element of the groth16 proof's public inputs is `r`
-            public_inputs[{{ public_inputs_len - 2 }}] = U_i_u_u_i_u_r[2];
-            
+            public_inputs[{{ public_inputs_len - 2 }}] = cmT_r[2];
+
            bool success_g16 = this.verifyProof(pA, pB, pC, public_inputs);
            require(success_g16 == true, "Groth16: verifying proof failed");
        }