* add new NIFSGadgetTrait
* implement Mova's NIFSGadget
* refactor Nova NIFSGadget to fit into the new NIFSGadgetTrait
* abstract NIFSGadget related tests for all implementors of
NIFSGadgetTrait to avoid duplicated code in the tests between the
different Nova variants gadget tests
* frontends/noir update mimc usage since it has been migrated from
noir's std into it's own repo
* Move r1cs and ccs to standalone folders
* Simplify type bounds of SparseMatrixVar
* Implement `EquivalenceGadget` trait for `FpVar` and `NonNativeUintVar`.
Together with the existing `MatrixGadget` and `VectorGadget`, we can now use the same logic for checking R1CS satisfiability of `R1CSVar` both natively and non-natively.
* Simplify trait bounds
* Implement `ArithGadget` for `R1CSMatricesVar` and `CCSMatricesVar`
* `PedersenGadget::commit` now takes slices as input
* Structs for proofs and auxiliary values in protogalaxy
* `u` in LCCCS should be `z[0]`
* `Inputize` trait
* Generic decider circuits
* Verifier should check the commitments in committed instances
* Update the comments according to the new docs
* Fix examples
* Add `DeciderEnabledNIFS::fold_group_elements_native` to wrap code for folding commitments
* Fix incorrect endian
* Format
* Get rid of `unwrap` when possible
* Adding Mova
Co-Authored-By: Togzhan Barakbayeva <45527668+btogzhan2000@users.noreply.github.com>
Co-Authored-By: Ilia Vlasov <5365540+elijahvlasov@users.noreply.github.com>
Co-Authored-By: matthew-a-klein <96837318+matthew-a-klein@users.noreply.github.com>
* Fix CLI
* Updated from main
* Solution to stop the CLI from complaining about deadcode
PR comment
Co-authored-by: arnaucube <root@arnaucube.com>
* Requested changes and update from main
* Refactor NIFSTrait & port Mova impl to it
* refactor NIFSTrait interface to fit Nova variants (Nova,Mova,Ova)
Refactor NIFSTrait interface to fit Nova variants (Nova,Mova,Ova). The relevant
change is instead of passing the challenge as input, now it passes the
transcript and computes the challenges internally (Nova & Ova still compute a
single challenge, but Mova computes multiple while absorbing at different
steps).
* port Mova impl to the NIFSTrait
* remove unnecessary wrappers in the nova/zk.rs
* remove Nova NIFS methods that are no longer needed after the refactor
* put together the different NIFS implementations (Nova, Mova, Ova) so
that they can interchanged at usage.
The idea is that Nova and its variants (Ova & Mova) share most of the
logic for the circuits & IVC & Deciders, so with the abstracted NIFS
interface we will be able to reuse most of the already existing Nova
code for having the Mova & Ova circuits, IVC, and Decider.
* adapt Nova's DeciderEth prepare_calldata & update examples to it
* small update to fix solidity tests
---------
Co-authored-by: Togzhan Barakbayeva <45527668+btogzhan2000@users.noreply.github.com>
Co-authored-by: Ilia Vlasov <5365540+elijahvlasov@users.noreply.github.com>
Co-authored-by: matthew-a-klein <96837318+matthew-a-klein@users.noreply.github.com>
Co-authored-by: arnaucube <root@arnaucube.com>
Co-authored-by: arnaucube <git@arnaucube.com>
This saves several minutes (and MBs of data) on compilation time both
when running tests in this repo, but also when using the sonobe lib as a
dependency in external repos.
* Add IVCProof to the existing folding schemes (Nova,HyperNova,ProtoGalaxy)
* Implement `from_ivc_proof` for the FoldingSchemes trait (and Nova,
HyperNova, ProtoGalaxy), so that the FoldingScheme IVC's instance can be
constructed from the given parameters and the last IVCProof, which
allows to sent the IVCProof between different parties, so that they can
continue iterating the IVC from the received IVCProof. Also the
serializers allow for the IVCProof to be sent to a verifier that can
deserialize it and verify it.
This allows to remove the logic from the file
[folding/nova/serialize.rs](f1d82418ba/folding-schemes/src/folding/nova/serialize.rs)
and
[folding/hypernova/serialize.rs](f1d82418ba/folding-schemes/src/folding/hypernova/serialize.rs)
(removing the whole files), which is now covered by the `IVCProof`
generated serializers (generated by macro instead of handwritten), and
the test that the file contained is now abstracted and applied to all
the 3 existing folding schemes (Nova, HyperNova, ProtoGalaxy) at the
folding/mod.rs file.
* update Nova VerifierParams serializers to avoid serializing the R1CS to save big part of the old serialized size
* rm .instances() since it's not needed
* add nova params serialization to nova's ivc test to ensure that IVC verification works with deserialized data
* Add unified FS::ProverParam & VerifierParam serialization & deserialization (for all Nova, HyperNova and ProtoGalaxy), without serializing the R1CS/CCS and thus saving substantial serialized bytes space.
* rm CanonicalDeserialize warnings msgs for VerifierParams
* add NIFS trait abstraction (based on the needs for Nova, Mova, Ova), defining a common interface between the three Nova variants
The recent Ova NIFS PR #163 (https://github.com/privacy-scaling-explorations/sonobe/pull/163)
and Mova NIFS PR #161 (https://github.com/privacy-scaling-explorations/sonobe/pull/161)
PRs add Nova NIFS variants implementations which differ from Nova in the
logic done for the `E` error terms of the instances.
The current Ova implementation (https://github.com/privacy-scaling-explorations/sonobe/pull/163)
is based on the existing Nova NIFS code base and adds the modifications
to the `E` logic on top of it, and thus duplicating the code. Similarly
for the Mova NIFS impl.
The rest of the Mova & Ova schemes logic that is not yet implemented is
pretty similar to Nova one (ie. the IVC logic, the circuits and the
Decider), so ideally that can be done reusing most of the already
existing Nova code without duplicating it. This PR is a first step in
that direction for the existing Ova NIFS code.
This commit adds the NIFS trait abstraction with the idea of allowing to
reduce the amount of duplicated code for the Ova's NIFS impl on top of
the Nova's code.
* add Ova variant on top of the new NIFS trait abstraction
This is done from the existing Ova implementation at
`folding/ova/{mod.rs,nofs.rs}`, but removing when possible code that is not
needed or duplicated from the Nova logic.
* rm old Ova duplicated code
This commit combined with the other ones (add nifs abstraction & port
Ova to the nifs abstraction) allows to effectively get rid of ~400 lines
of code that were duplicated in the Ova NIFS impl from the Nova impl.
* small polishing & rebase to latest `main` branch updates
* feat: Basic Ova NIFS impl working
The implementation follows the spec outlined by Bunz in:
https://hackmd.io/V4838nnlRKal9ZiTHiGYzw?view.
With this, the NIFS works and passes all tests.
* chore: Resolve all TODOs and warnings
* add: Docs for the NIMFS of the scheme and related structs
* chore: update imports
* add: Docs for all Ova NIFS functions
* fix: Unify nomenclature for all variables and elements within NIFS tests
* fix: Uniformize instance order in fn calls
* chore: pass clippy
* chore: clear all clippy findings in tests
* chore: Remove `mimc` from spelling checks
* chore: Address PR reviews
* `Dummy` trait
* More generic design for `Arith`
* Distinguish between incoming and running instances in ProtoGalaxy
* Format
* Fix unit test
* Fix incorrect arguments supplied to `CycleFoldWitness::dummy`
* `RUNNING` and `INCOMING` constants
* Better name and docs for `eval_core`
* More docs for `Arith` methods and implementations
* Fix missing imports
* Add traits for witness and committed instance
* Implement witness and committed instance traits for Nova and HyperNova
* Implement witness and committed instance traits for ProtoGalaxy
* Improve the clarity of docs for `Witness{Var}Ext::get_openings`
* Avoid cloning `z_i`
* Fix grammar issues
* Rename `Ext` traits for committed instances and witnesses to `Ops`
* Implement `to_sponge_bytes`
* Parallelize vector and matrix operations
* Implement convenient methods for `NonNativeAffineVar`
* Return `L_X_evals` and intermediate `phi_star`s from ProtoGalaxy prover.
These values will be used as hints to the augmented circuit
* Correctly use number of variables, number of constraints, and `t`
* Fix the size of `F_coeffs` and `K_coeffs` for in-circuit consistency
* Improve prover's performance
* Make `prepare_inputs` generic
* Remove redundant parameters in verifier
* Move `eval_f` to arith
* `u` is unnecessary in ProtoGalaxy
* Convert `RelaxedR1CS` to a trait that can be used in both Nova and ProtoGalaxy
* Implement several traits for ProtoGalaxy
* Move `FCircuit` impls to `utils.rs` and add `DummyCircuit`
* `AugmentedFCircuit` and ProtoGalaxy-based IVC
* Add explanations about IVC prover and in-circuit operations
* Avoid using unstable features
* Rename `PROTOGALAXY` to `PG` to make clippy happy
* Fix merge conflicts in `RelaxedR1CS::sample`
* Fix merge conflicts in `CycleFoldCircuit`
* Swap `m` and `n` for protogalaxy
* Add `#[cfg(test)]` to test-only util circuits
* Prefer unit struct over empty struct
* Add documents to `AugmentedFCircuit` for ProtoGalaxy
* Fix the names for CycleFold cricuits in ProtoGalaxy
* Fix usize conversion when targeting wasm
* Restrict the visibility of fields in `AugmentedFCircuit` to `pub(super)`
* Make CycleFold circuits and configs public
* Add docs for `ProverParams` and `VerifierParams`
* Refactor `pow_i`
* Fix imports
* Remove lint reasons
* Fix type inference
* change: CircomWrapper constructor to use raw bytes
* chore: tmp update to latest circom-compat
* feat: Introduce PathOrBin to support in-browser CircomWrapper usage
This changes the associated type `Params` of the `CircomFCircuit` to use
the newly created `PathOrBin` type.
This allows the user of the lib to directly send the binary of the files
already read or instead, provide a path to it and let `sonobe` do the
work.
With this, Circom should be already usable from the browser if we allow
JS to take care of reading the `.wasm` and `.r1cs` files.
* feat: Introduce PathOrBin to support in-browser NoirFCircuit usage
This commit temporarilly stands on top of
https://github.com/dmpierre/arkworks_backend/pull/1 referenced as `rev`.
This changes the associated type `Params` of the `CircomFCircuit` to use
the newly created `PathOrBin` type.
This allows the user of the lib to directly send the binary of the files
already read or instead, provide a path to it and let `sonobe` do the
work.
With this, Noir should be already usable from the browser if we allow
JS to take care of reading the `circuit.json` files
* chore: Update deps to branch instead of `rev`
* fix: use PathOrBin in examples
* fix: clippy
* fix: read file length for initializing vec size
---------
Co-authored-by: dmpierre <pdaixmoreux@gmail.com>
In CycleFold we want to compute
$P_{folded} = P_0 + r ⋅ P_1 + r^2 ⋅ P_2 + r^3 ⋅ P_3 + ... + r^{n-2} ⋅ P_{n-2} + r^{n-1} ⋅ P_{n-1}$,
since the scalars follow the pattern r^i Youssef El Housni (@yelhousni)
proposed to update the approach of the CycleFold circuit to reduce the
number of constraints needed, by computing
$P_{folded} = (((P_{n-1} ⋅ r + P_{n-2}) ⋅ r + P_{n-3})... ) ⋅ r + P_0$.
By itself, this update reduces the number of constraints as the number
of points being folded in the CycleFold circuit grows. But it also has
impact at the HyperNova circuit, where it removes the need of using the
bit representations of the powers of the random value, substancially
reducing the amount of constraints used by the HyperNova
AugmentedFCircuit.
The number of constraints difference in the CycleFold circuit and in
the HyperNova's AugmentedFCircuit:
- CycleFold circuit:
| num points* | old | new | diff |
|-------------|-----------|-----------|----------|
| 2 | 1_354 | 1_354 | 0 |
| 3 | 2_683 | 2_554 | -129 |
| 4 | 4_012 | 3_754 | -258 |
| 8 | 9_328 | 8_554 | -744 |
| 16 | 19_960 | 18_154 | -1_806 |
| 32 | 41_224 | 37_354 | -3_870 |
| 64 | 83_752 | 75_754 | -7_998 |
| 128 | 168_808 | 152_554 | -16_254 |
| 1024 | 1_359_592 | 1_227_754 | -131_838 |
*num points: number of points being folded by the CycleFold circuit.
- HyperNova AugmentedFCircuit circuit
| folded instances* | old | new | diff |
|-------------------|---------|---------|----------|
| 5 | 90_285 | 80_150 | -10_135 |
| 10 | 144_894 | 117_655 | -27_239 |
| 20 | 249_839 | 192_949 | -56_890 |
| 40 | 463_078 | 344_448 | -118_630 |
*folded instances: folded instances per step, half of them being LCCCS
and the other half CCCS.
Co-authored-by: Youssef El Housni <youssef.housni21@gmail.com>
* feat: zk nova layer
* chore: clippy + trigger CI
* chore: add comment for `new` (generating a zk nova ivc proof)
* chore: adding text reference to `sample`
* chore: use `debug_assert` instead of `cfg(test)`
* improve: pass `poseidon_config` by ref
Co-authored-by: Carlos Pérez <37264926+CPerezz@users.noreply.github.com>
* improve: pass `z_0` by ref
Co-authored-by: Carlos Pérez <37264926+CPerezz@users.noreply.github.com>
* improve: pass `r1cs` and `cf_r1cs` by ref
Co-authored-by: Carlos Pérez <37264926+CPerezz@users.noreply.github.com>
* chore: appropriate docs (2)
* chore: pass by ref modifications
* improve: use single sponge
* fix: remove blinding the cyclefold instance, add verifier checks on the
prover provided cyclefold intance
* fix: assert that the sampled relaxed r1cs is correct
* fix: check length of `u_i.x`
---------
Co-authored-by: Carlos Pérez <37264926+CPerezz@users.noreply.github.com>
* fix: Use `target_pointer_size` conditional compilation
There are some parts of the code where is needed to de/serialze
`usize`s. These, have sizes that vary depending on the target
achitecture the code is compiled for.
Hence, this adapts the de/serialization to the specific pointer size for
which the crate is being compiled to.
* change: Support WASM-compatibility and polish Cargo.toml
In order to support Wasm-compat and to simplify and improve `Cargo.toml`
readability, the follwing changes have been made:
- All the deps that can use `parallel` feature, do so. As `rayon`
supports non-threaded targets with a fallback option. See: https://docs.rs/rayon-core/1.12.1/rayon_core/index.html#global-fallback-when-threading-is-unsupported
- `ark-grumpking` has been brought to `0.5.0-alpha.0` as `0.4.0` appears
to not be in `crates.io` anymore. See: https://crates.io/crates/ark-grumpkin/versions
- By default, the crate uses `"ark-circom/default"` which selects the
`wasmer/sys` feature such that it knows where wasmer is
suposed to be run`.
- Added a `wasm` feature which forces `ark-circom/wasm` to be used
instead. Which internally selects the `wasmer/js` backend to be used
such that in-browser execution is possible.
- Added `getrandom` with `js` feature as dependency when `wasm32-unknown-unknown` target is selected such
that compilation of the crate for testing or simply building is possible. Notice that with `wasi` and other wasm targets,
this is not the case as they're automatically supported.
For more info, please check: https://docs.rs/getrandom/latest/getrandom/#webassembly-support
* feat: Support WASM-compatibility tests in CI
Add support for both testing the build of `sonobe/folding-schemes` for
WASM-targets and also, it's build as a dependency for a WASM-crate.
This includes a build job for the three main supported rust-WASM targets
and the same but for a thrid crate creted on-the-fly which uses
`sonobe/folding-schemes` as a dependency.
* chore: Add README docs about WASM-compat & feats
* ci: don't run WASM-compat job if PR is draft
* chore: depend on `arnaucube/circom-compat` fork.
Since https://github.com/arnaucube/circom-compat/pull/2 was merged, we
can already switch to it as we were depending before.
* chore: minimal build/test instructions
* fix: CI typos
* fix: Update CI to use correct feature sets
* fix: `ark-grumpkin` versioning issues
As mentioned in
https://github.com/privacy-scaling-explorations/sonobe/issues/146
there's a big issue that involves some dependencies of the crate.
As a temporary fix, this forces the workspace to rely on a
"non-existing" version of `ark-grumpkin` which is immediately patched at
workspace-level for a custom version that @arnaucube owns with some
cherry-picked commits.
While this allows the CI to pass and crate to build, a better solution
is needed.
* fix: Clippy CI avoiding --all-targets
* fix: use `wasm` feat only with folding-schemes
* Support randomness of arbitrary length
* Rename `N_BITS_RO` to `NOVA_N_BITS_RO`
* Compute `r_nonnat` inside `NIFSFullGadget::fold_committed_instance`
* Format
* Use `CycleFold{CommittedInstance, Witness}` in the context of cyclefold
* Format
* Fix the creation of dummy witness
* Make clippy happy
* Improve docs
* feat: enable hiding commitments in nova and hypernova
* fix: set blinding values for witness vector
* fix: remove cloning of the cyclefold running instance
* fix: do not re-use blinding values between prove steps
* fix: specify whether the witness should use blinding values using a
const generic
* feat: create a `dummy` method for nova witnesses as well
* chore: clippy - removed unused imports
* Add in-circuit couterparts of util functions
* Support folding `CommittedInstance`s with `u` and `x`
* Initial implementation of protogalaxy verifier circuit
* Fix the edge case in `all_powers_var`
* Absorb `u` and `x` as well
* Fix imports
* Rename some test functions for clarity
* Format
* Avoid the use of magic numbers
- Adds the logic to support multi-instances folding in HyperNova's
AugmentedFCircuit & IVC.
- Adds also methods to generate new LCCCS & CCCS instances that don't
depend on the main folding chain, to be folded in in the next step
- Updates CycleFold circuit & methods to work other folding schemes than
Nova, adapting it to fold multiple points per circuit (instead of
2-to-1 as till now)
- Handle multi-instances folding in the FoldingScheme trait
interface, which expects 'None' in Nova, and 'Some' in HyperNova &
other multi-folding schemes.
* Remove the trait bound `C::BaseField: PrimeField` for better DX
* Methods in `TranscriptVar` now exactly matches the ones in `Transcript`
* Add `ProtoGalaxyTranscriptVar` and `CommittedInstanceVar` for protogalaxy
* betas are unnecessary in "plain" (incoming) instances
* Absorb the result of `get_challenge_nbits` as well
* `ProtoGalaxyTranscript` now allows absorbing mulitple instances
* Always return `Result<(), SynthesisError>` in `ProtoGalaxyTranscriptVar`
* Impl `Transcript{Var}` for `PoseidonSponge{Var}` directly and remove `PoseidonTranscript{Var}`
* `Transcript::absorb_point` doesn't need to return `Error`
* Add `AbsorbNonNative` trait for hashing non-native values
Note that now `absorb_point` only supports hashing points whose BaseField is equal to the sponge's field
* More efficient `TranscriptVar::absorb_point` by securely removing `is_inf`
* Use `sponge` and `transcript` consistently
* Clarify the usage of `AbsorbNonNative{Gadget}`
* Generic `sponge` and `transcript` params
* Avoid unstable `associated_type_bounds`
* Reuse `sponge` in hypernova
* Clean up redundant imports
* Remove unstable code
* Clarify the usage of `absorb_point` and `absorb_nonnative`
- implement hash of public params for Nova & HyperNova
- abstract pp_hash computation for folding schemes
- add pp_hash to solidity contract generator to verify the decider proof
- implement the IVC `FoldingScheme` trait for HyperNova
- refactor Nova's preprocess logic to make it simplier to use
- add to Decider trait (& Nova's DeciderEth) a preprocess method
- get rid of the `init_nova_ivc_params` and `init_ivc_and_decider_params` methods in `examples` since this is achieved with the `FS::preprocess` & `Decider::preprocess` methods
- (update the examples code to the simplified interface using
FS::preprocess & Decider::preprocess)
* feat: `Nova` can be serialized and deserialized
* chore: (temp) allow dead code as serde is not yet used
* fix: require trait in `where` to not increase restrictions on
`CommitmentScheme`
* feat: add file with nova serialization methods
* fix: change call to get poseidon config and chore: update traits for serde
* chore: remove clang install from CI, move tests and remove unnecessary
allow
* feat: remove serializing r1cs and cs params and provide them at
deserialization time
* chore: initialize r1cs within deserialization function directly
* Optimize the HyperNova `compute_g`, `compute_Ls` and `to_lcccs` methods
- Optimize the HyperNova `compute_g`, `compute_Ls` and `to_lcccs` methods
- in some tests, increase the size of test matrices to a more real-world size.
| method | matrix size | old version seconds | new version seconds |
| --------------------- | ------------- | ------------------- | ------------------- |
| compute_g | 2^8 x 2^8 | 16.48 | 0.16 |
| compute_g | 2^9 x 2^9 | 122.62 | 0.51 |
| compute_Ls | 2^8 x 2^8 | 9.73 | 0.11 |
| compute_Ls | 2^9 x 2^9 | 67.16 | 0.38 |
| to_lcccs | 2^8 x 2^8 | 4.56 | 0.21 |
| to_lcccs | 2^9 x 2^9 | 67.65 | 0.84 |
- Note: 2^16 x 2^16 is the actual size (upperbound) of the circuit,
which is not represented in the table since it was needing too much
ram to even be computed.
* Optimize HyperNova's `compute_sigmas_thetas` and `compute_Q`
| method | matrix size | old version seconds | new version seconds |
| ------------- | ------------- | ------------------- | ------------------- |
| compute_sigmas_thetas | 2^8 x 2^8 | 12.86 | 0.13 |
| compute_sigmas_thetas | 2^9 x 2^9 | 100.01 | 0.51 |
| compute_Q | 2^8 x 2^8 | 4.49 | 0.07 |
| compute_Q | 2^9 x 2^9 | 70.77 | 0.55 |
* optimize LCCCS::check_relation & CCCS::check_relation, and remove unnessary methods after last reimplementations
* refactor test of compute_c circuit to use multiple lcccs&cccs instances
* refactor hypernova's compute_c circuit to reduce from `110635` to `553` constraints
* fix: change circom fcircuit to extract indexes of inputs and add keccak satisfaction test
* fix: disable wire mapping when loading r1cs
* chore: update .gitignore and compile.sh
* fix: use fixed circom-compat branch
* fix: use slice rather than vec ref
* chore: add keccak-chain circom
* chore: trigger checks
* fix: make typos check circom files names but not their content
* chore: remove keccak, add tests with more lightweight circom templates, test that circom circuits correctly result in Ok and Err when needed
* chore: trigger checks
* fix: re-add circuit for full flow example, change naming
* chore: comment with link to issue 104, disable constraints check
* chore: remove `full_flow_example` from the examples and its
corresponding circom circuit
* chore: update `circom-compat` repo
* chore: clippy
* chore: stop excluding circom files from typos checker
* chore: remove changes on `typos.toml`
---------
Co-authored-by: arnaucube <root@arnaucube.com>
* migrate from CurveGroup to PrimeField in hypernova & ccs when curve whas not needed to simplify the code
* refactor test of compute_c circuit to use multiple lcccs&cccs instances
* refactor hypernova's compute_c circuit to reduce from `110635` to `553` constraints
* apply review nits
* fix clippy lints after rust-toolchain v1.76.0
* circom: add external_inputs
* adapt new external_inputs interface to the FoldingScheme trait and Nova impl
* adapt examples to new FCircuit external_inputs interface
* add state_len & external_inputs_len params to CircomFCircuit
* add examples/circom_full_flow.rs
* merge the params initializer functions, clippy
* circom: move r1cs reading to FCircuit::new instead of each step
* CI/examples: add circom so it can run the circom_full_flow example
* Add solidity verifier of the nova+cyclefold, and add method to prepare the calldata from Decider's proof. Missing conversion of the point coordinates into limbs (ark compatible)
* chore: adding comments linking to the contract's signature
* chore: update .gitignore
* chore: add num-bigint as dev dependency
* fix: work with abs path for storing generated sol code
* chore: update comment
* feat: solidity verifier working on single and multi-input circuits
* feat: multi-input folding verification working + fixing encoding of additive identity in calldata
* chore: make bigint a dependency
* refactor: import utils functions from utils.rs and make them available from anywhere
* chore: make utils and evm available publicly
* fix: pub mod instead
* chore: make relevant method public and add `get_decider_template_for_cyclefold_decider` to exported objects
* solidity-verifiers: move tests to their corresponding files
* small update: Cyclefold -> CycleFold at the missing places
* abstract nova-cyclefold solidity verifiers tests to avoid code duplication, and abstract also the computed setup params (FS & Decider) to compute them only once for all related tests to save test time
* small polish after rebase to last main branch changes
* rm unneeded Option for KZGData::g1_crs_batch_points
* add checks modifying z_0 & z_i to nova_cyclefold_solidity_verifier test
* add light-test feature to decider_eth_circuit to use it in solidity-verifier tests without the big circuit
* solidity-verifiers: groth16 template: port the fix from https://github.com/iden3/snarkjs/pull/480 & https://github.com/iden3/snarkjs/issues/479
* add print warning msg for light-test in DeciderEthCircuit
* solidity-verifiers: update limbs logic to nonnative last version, parametrize limbs params
solidity-verifiers:
* update solidity limbs logic to last nonnative impl version, and to
last u_i.x impl
* parametrize limbs params
* add light-test feature: replace the '#[cfg(not(test))]' by the
'light-test' feature that by default is not enabled, so when running
the github actions we enable the feature 'light-tests', and then we can
have a full-test that runs the test without the 'light-tests' flag, but
we don't run this big test every time. The choice of a feature is to
allow us to control this from other-crates tests (for example for the
solidity-verifier separated crate tests, to avoid running the full heavy
circuit in the solidity tests)
* move solidity constants into template constants for auto compute of params
* polishing
* revm use only needed feature
This is to avoid c depencency for c-kzg which is behind the c-kzg flag
and not needed.
* nova_cyclefold_decider.sol header
* rearrange test helpers position, add error for min number of steps
* in solidity-verifiers: 'data'->'vk/verifier key'
* add From for NovaCycleFoldVerifierKey from original vks to simplify dev flow, also conditionally template the batchCheck related structs and methods from the KZG10 solidity template
---------
Co-authored-by: dmpierre <pdaixmoreux@gmail.com>
* Initialize the README.md with a sketch of the structure
* add warning and draft diagram
* add authors & years to schemes, add a pre-sketch of the 'development' section
* Readme: add link to Carlos talk on folding schemes
* readme: sketch sections: offchain & onchain decider, add todo for references
* readme: add example of FCircuit & folding
* Readme: add lib pipeline diagram, add decider code example
* add cyclefold-nova-diagram.png, decider-onchain-flow-diagram.png
* polish cli descriptions
* small update in the Warning box
* add sonobe naming
* add folding-main-idea-diagram.png
* missing sonobe renaming
* migrate part of the README.md to sonobe-docs
* rm imgs/, load them from sonobe-docs
* tiny update
* chore: start update README
* add acknolwedgments links and text, small polishing of the overall text
* extend folding introduction & sonobe overview
* img text alignment
* chore: update readme
* chore: typos, bits of reformulation, centering images
* chore: remove btc example since can not be used as is
* rm .vscode dir
* readme: merge the duplicated sections into a single one adapting the texts
* add Docs badge with link, update acknowledgments
* add ci & license badges
* fix cli link, add solc mention in solidity-verifiers/readme
* small polishing
* fix img alignment
* rm badges, the reasoning is:
- The License badge is not needed since there are already many links to
the license both in the readme and in the GitHub UI
- The CI checks badge, already appears in the GitHub UI in the last
commit preview at the main repo page. Furthermore, after some months
of inactivity, the badge would be 'gray' as 'inactive'.
- The only badge that I was trying to get there is the 'docs' badge, to
make it very clear that the docs page exists, but it was a bit to hard
visually to have a single badge there, and furthermore the docs link
already appears in the readme twice, and also in the GitHub UI
right-panel.
---------
Co-authored-by: dmpierre <pdaixmoreux@gmail.com>
* Add a dedicated variant of `mat_vec_mul_sparse` for `NonNativeFieldVar`
* Switch to a customized in-circuit nonnative implementation for efficiency
* Comments and tests for `NonNativeUintVar`
* Make `CycleFoldCircuit` a bit smaller
* Faster trusted setup and proof generation by avoiding some nested LCs
* Check the remaining limbs in a more safe way
* Format
* Disable the non-native checks in tests again
* Clarify the group operation in `enforce_equal_unaligned`
* Explain the rationale behind non-native mat-vec multiplication
* Explain the difference with some other impls of `enforce_equal_unaligned`
* Format
* initial
* improved z_i
* improved
* Redefined the .circom and the test code for CircomWrapper
* added test function for wrapper_circuit which has circom_fcircuit, but incompatibility error of Pairing and Pallas
* changed the path in the gitignore
* Remove circom generated path
* improved variable vector
* Pallas::Fr
* improved to the primefield
* mentioned the issues:1. extract z_i1(only public output) 2.constraintsSystem and its Ref
* modified
* public input in circom
* generalized; removed the hardcorded value
* Generalization using FpVar::<Fr>::new_input
* initial
* improved z_i
* improved
* Redefined the .circom and the test code for CircomWrapper
* added test function for wrapper_circuit which has circom_fcircuit, but incompatibility error of Pairing and Pallas
* Remove circom generated path
* improved variable vector
* Pallas::Fr
* improved to the primefield
* mentioned the issues:1. extract z_i1(only public output) 2.constraintsSystem and its Ref
* modified
* Small updates:
- update cubic_circuit.circom: remove extra constraint, remove public
inputs
- remove allocations of inputs in arkworks
- add return of z_{i+1} at the end of CircomtoFCircuit::generate_step_constraints
With this tmp fix the `test_circom_step_constraints` passes, but needs to be iterated and polished.
* Update circom-compat to re-allocate inputs
* update after rebase to latest main: add usage of self.state_len() to circom frontend
* move circom frontend related structs into frontend/circom dir
* clippy lints
* extract_witness
* add comments
* clean
* fmt, lint, and spell
* CI Check trigger
* fmt
* applied the feedback
---------
Co-authored-by: Y5 <76672645+yugonsan@users.noreply.github.com>
Co-authored-by: arnaucube <root@arnaucube.com>
* Reduce the number of constraints in `AugmentedFCircuit`
For the test `folding::nova::tests::test_ivc`
Before: 138240
After: 86756 (1.6x improvement)
Two notable optimization techniques:
1. Instead of allocating two witness variables `a, b` and enforce their equality by calling `a.conditional_enforce_equal(&b, &cond)`, we can avoid the allocation of `b` and directly set `b = a`. The former might be costly due to the checks in allocation and `conditional_enforce_equal`. See `nova/circuits.rs` for details.
2. Before this commit, `NonNativeFieldVar::to_constraint_field` was majorly called for generating the inputs (preimage) to hash functions. However, it turns out that the underlying conversion strategy (optimized for weight) is not optimal for reducing the length of hash preimage. We can go further by maximizing the number of bits per limb, thereby minimizing the preimage length. See `circuits/nonnative.rs` for details.
* Format
* Fix clippy warnings
* Move the comments to the right position
* Cleanup unnecessary code
