* feat: zk nova layer
* chore: clippy + trigger CI
* chore: add comment for `new` (generating a zk nova ivc proof)
* chore: adding text reference to `sample`
* chore: use `debug_assert` instead of `cfg(test)`
* improve: pass `poseidon_config` by ref
Co-authored-by: Carlos Pérez <37264926+CPerezz@users.noreply.github.com>
* improve: pass `z_0` by ref
Co-authored-by: Carlos Pérez <37264926+CPerezz@users.noreply.github.com>
* improve: pass `r1cs` and `cf_r1cs` by ref
Co-authored-by: Carlos Pérez <37264926+CPerezz@users.noreply.github.com>
* chore: appropriate docs (2)
* chore: pass by ref modifications
* improve: use single sponge
* fix: remove blinding the cyclefold instance, add verifier checks on the
prover provided cyclefold intance
* fix: assert that the sampled relaxed r1cs is correct
* fix: check length of `u_i.x`
---------
Co-authored-by: Carlos Pérez <37264926+CPerezz@users.noreply.github.com>
* feat: enable hiding commitments in nova and hypernova
* fix: set blinding values for witness vector
* fix: remove cloning of the cyclefold running instance
* fix: do not re-use blinding values between prove steps
* fix: specify whether the witness should use blinding values using a
const generic
* feat: create a `dummy` method for nova witnesses as well
* chore: clippy - removed unused imports
- Adds the logic to support multi-instances folding in HyperNova's
AugmentedFCircuit & IVC.
- Adds also methods to generate new LCCCS & CCCS instances that don't
depend on the main folding chain, to be folded in in the next step
- Updates CycleFold circuit & methods to work other folding schemes than
Nova, adapting it to fold multiple points per circuit (instead of
2-to-1 as till now)
- Handle multi-instances folding in the FoldingScheme trait
interface, which expects 'None' in Nova, and 'Some' in HyperNova &
other multi-folding schemes.
* feat: add noname as a frontend to sonobe
fix: remove extra `rng` usage
Co-authored-by: Carlos Pérez <37264926+CPerezz@users.noreply.github.com>
* Update README.md
Co-authored-by: arnaucube <root@arnaucube.com>
* chore: move ark-noname to dev dependencies in solidity-verifiers cargo
---------
Co-authored-by: Carlos Pérez <37264926+CPerezz@users.noreply.github.com>
Co-authored-by: arnaucube <root@arnaucube.com>
- implement hash of public params for Nova & HyperNova
- abstract pp_hash computation for folding schemes
- add pp_hash to solidity contract generator to verify the decider proof
- implement the IVC `FoldingScheme` trait for HyperNova
- refactor Nova's preprocess logic to make it simplier to use
- add to Decider trait (& Nova's DeciderEth) a preprocess method
- get rid of the `init_nova_ivc_params` and `init_ivc_and_decider_params` methods in `examples` since this is achieved with the `FS::preprocess` & `Decider::preprocess` methods
- (update the examples code to the simplified interface using
FS::preprocess & Decider::preprocess)
* Optimize the HyperNova `compute_g`, `compute_Ls` and `to_lcccs` methods
- Optimize the HyperNova `compute_g`, `compute_Ls` and `to_lcccs` methods
- in some tests, increase the size of test matrices to a more real-world size.
| method | matrix size | old version seconds | new version seconds |
| --------------------- | ------------- | ------------------- | ------------------- |
| compute_g | 2^8 x 2^8 | 16.48 | 0.16 |
| compute_g | 2^9 x 2^9 | 122.62 | 0.51 |
| compute_Ls | 2^8 x 2^8 | 9.73 | 0.11 |
| compute_Ls | 2^9 x 2^9 | 67.16 | 0.38 |
| to_lcccs | 2^8 x 2^8 | 4.56 | 0.21 |
| to_lcccs | 2^9 x 2^9 | 67.65 | 0.84 |
- Note: 2^16 x 2^16 is the actual size (upperbound) of the circuit,
which is not represented in the table since it was needing too much
ram to even be computed.
* Optimize HyperNova's `compute_sigmas_thetas` and `compute_Q`
| method | matrix size | old version seconds | new version seconds |
| ------------- | ------------- | ------------------- | ------------------- |
| compute_sigmas_thetas | 2^8 x 2^8 | 12.86 | 0.13 |
| compute_sigmas_thetas | 2^9 x 2^9 | 100.01 | 0.51 |
| compute_Q | 2^8 x 2^8 | 4.49 | 0.07 |
| compute_Q | 2^9 x 2^9 | 70.77 | 0.55 |
* optimize LCCCS::check_relation & CCCS::check_relation, and remove unnessary methods after last reimplementations
* circom: add external_inputs
* adapt new external_inputs interface to the FoldingScheme trait and Nova impl
* adapt examples to new FCircuit external_inputs interface
* add state_len & external_inputs_len params to CircomFCircuit
* add examples/circom_full_flow.rs
* merge the params initializer functions, clippy
* circom: move r1cs reading to FCircuit::new instead of each step
* CI/examples: add circom so it can run the circom_full_flow example
* Add solidity verifier of the nova+cyclefold, and add method to prepare the calldata from Decider's proof. Missing conversion of the point coordinates into limbs (ark compatible)
* chore: adding comments linking to the contract's signature
* chore: update .gitignore
* chore: add num-bigint as dev dependency
* fix: work with abs path for storing generated sol code
* chore: update comment
* feat: solidity verifier working on single and multi-input circuits
* feat: multi-input folding verification working + fixing encoding of additive identity in calldata
* chore: make bigint a dependency
* refactor: import utils functions from utils.rs and make them available from anywhere
* chore: make utils and evm available publicly
* fix: pub mod instead
* chore: make relevant method public and add `get_decider_template_for_cyclefold_decider` to exported objects
* solidity-verifiers: move tests to their corresponding files
* small update: Cyclefold -> CycleFold at the missing places
* abstract nova-cyclefold solidity verifiers tests to avoid code duplication, and abstract also the computed setup params (FS & Decider) to compute them only once for all related tests to save test time
* small polish after rebase to last main branch changes
* rm unneeded Option for KZGData::g1_crs_batch_points
* add checks modifying z_0 & z_i to nova_cyclefold_solidity_verifier test
* add light-test feature to decider_eth_circuit to use it in solidity-verifier tests without the big circuit
* solidity-verifiers: groth16 template: port the fix from https://github.com/iden3/snarkjs/pull/480 & https://github.com/iden3/snarkjs/issues/479
* add print warning msg for light-test in DeciderEthCircuit
* solidity-verifiers: update limbs logic to nonnative last version, parametrize limbs params
solidity-verifiers:
* update solidity limbs logic to last nonnative impl version, and to
last u_i.x impl
* parametrize limbs params
* add light-test feature: replace the '#[cfg(not(test))]' by the
'light-test' feature that by default is not enabled, so when running
the github actions we enable the feature 'light-tests', and then we can
have a full-test that runs the test without the 'light-tests' flag, but
we don't run this big test every time. The choice of a feature is to
allow us to control this from other-crates tests (for example for the
solidity-verifier separated crate tests, to avoid running the full heavy
circuit in the solidity tests)
* move solidity constants into template constants for auto compute of params
* polishing
* revm use only needed feature
This is to avoid c depencency for c-kzg which is behind the c-kzg flag
and not needed.
* nova_cyclefold_decider.sol header
* rearrange test helpers position, add error for min number of steps
* in solidity-verifiers: 'data'->'vk/verifier key'
* add From for NovaCycleFoldVerifierKey from original vks to simplify dev flow, also conditionally template the batchCheck related structs and methods from the KZG10 solidity template
---------
Co-authored-by: dmpierre <pdaixmoreux@gmail.com>
* initial
* improved z_i
* improved
* Redefined the .circom and the test code for CircomWrapper
* added test function for wrapper_circuit which has circom_fcircuit, but incompatibility error of Pairing and Pallas
* changed the path in the gitignore
* Remove circom generated path
* improved variable vector
* Pallas::Fr
* improved to the primefield
* mentioned the issues:1. extract z_i1(only public output) 2.constraintsSystem and its Ref
* modified
* public input in circom
* generalized; removed the hardcorded value
* Generalization using FpVar::<Fr>::new_input
* initial
* improved z_i
* improved
* Redefined the .circom and the test code for CircomWrapper
* added test function for wrapper_circuit which has circom_fcircuit, but incompatibility error of Pairing and Pallas
* Remove circom generated path
* improved variable vector
* Pallas::Fr
* improved to the primefield
* mentioned the issues:1. extract z_i1(only public output) 2.constraintsSystem and its Ref
* modified
* Small updates:
- update cubic_circuit.circom: remove extra constraint, remove public
inputs
- remove allocations of inputs in arkworks
- add return of z_{i+1} at the end of CircomtoFCircuit::generate_step_constraints
With this tmp fix the `test_circom_step_constraints` passes, but needs to be iterated and polished.
* Update circom-compat to re-allocate inputs
* update after rebase to latest main: add usage of self.state_len() to circom frontend
* move circom frontend related structs into frontend/circom dir
* clippy lints
* extract_witness
* add comments
* clean
* fmt, lint, and spell
* CI Check trigger
* fmt
* applied the feedback
---------
Co-authored-by: Y5 <76672645+yugonsan@users.noreply.github.com>
Co-authored-by: arnaucube <root@arnaucube.com>
* Compute Decider's CM challenges in Groth16 circuit, link G16 & KZG proofs in Onchain Decider, refactor CommitmentScheme trait
- Refactor commitment package
- Refactor `Commitment` trait and the kzg, ipa, pedersen impls
- Add methods to prove & verify given challenges (not computing them in-method)
- Add KZG challenges computation in decider_eth_circuit
- Add cmE & cmW KZG proving & verification in DeciderEth
- Link Decider's Groth16 proof & KZG proofs data
- Fix point to bytes arkworks inconsistency
- Patch ark_curves to use a cherry-picked version with bn254::constraints & grumpkin for v0.4.0 (once arkworks v0.5.0 is released this will no longer be needed)
* DeciderEthCircuit: Add check eval=p(c) for E & W
The check is temporary disabled due
https://github.com/privacy-scaling-explorations/folding-schemes/issues/80,
but the public inputs and logic are there, to be able to continue the
other parts development while issue #80 is solved.
* Change CycleFold approach:
Instead of having a single CycleFold circuit that checks the 2 forign
scalarmul of the main circuit instances, now there are 2 separated
CycleFold circuits each of them checking a single foreign scalarmul.
Increasing the number of constraints of the AugmentedFCircuit, but
reducing the number of constraints in the CycleFold circuit, which will
translate into reducing the number of constraints in the Decider
circuit.
* CycleFold circuits checks in AugmentedFCircuit:
- update NonNativeAffineVar to work with NonNativeFieldVar directly
instead of FpVar comming from NonNativeFieldVar.to_constraint_field()
- include in AugmentedFCircuit intermediate steps inbetween CycleFold
circuits, and update the internal checks of the CycleFold circuits
Pending to document the new CycleFold circuits approach and better
variable namings, rm unwraps, etc
* matrix_vec_mul_sparse gadget: skip value * v[col_i] mul when value==1
Saves a notable amount of constraints since there is a notable amount of
1 values in R1CS matrices.
* Reuse computed vector of U_i
Reuse computed vector of U_i, saving 4k constraints in AugmentedFCircuit.
* fixes post last rebase to main
* rm test_augmentedfcircuit since it is already tested in test_ivc (and is a slow computation)
* rm dbg!()
* small fixes after last main rebase
* Add IPA commitment native implementation
* Add IPA Gadget verifier
* polish Pedersen & IPA, add blind bool param to IPA
* Optimize IPA gadget constraints (and native):
- optimize <s,b> computation from linear to log time
- optimize s computation from k*2^k to k*(2^k)/2
* add small optimization: delegate u_i^-1 to prover and just check u_i*u_i^-1==1 in verifier circuit
* IPA polish and document
* Add 'BLIND' parameter to CommitmentProver trait (and to Pedersen and KZG impls). Fit IPA into CommitmentProver trait.
* rename 'BLIND' to 'H' (hiding) in commitment
* IPA: rm u_invs from Proof and compute them incircuit
* Update IPA's build_s & gadget to use Halo2 approach following @han0110 's suggestion.
This reduced further the amount of constraints needed.
- for k=4: -9k constraints (-7%)
- for k=8: -473k constr (-31%)
- for k=9: -1123k constr (-35%)
- for k=10: -2578k constr (-39%)
And now IPA verification (without amortizing) is very close to Pedersen
verification (in-circuits).
* rm dbg!(cs.num_constraints()) from multiple tests
* IPA::prove remove intermediate v_lo,v_hi vectors, add doc to build_s_gadget
* move powers_of into utils/mod.rs, update iters to cfg_iter
* change: Refactor structure into workspace
* chore: Add empty readme
* change: Transform repo into workspace
* add: Create folding-verifier-solidity crate
* add: Include askama.toml for `sol` extension escaper
* add: Jordi's old Groth16 verifier .sol template and adapt it
* tmp: create simple template struct to test
* Update FoldingSchemes trait, fit Nova+CycleFold
- update lib.rs's `FoldingScheme` trait interface
- fit Nova+CycleFold into the `FoldingScheme` trait
- refactor `src/nova/*`
* chore: add serialization assets for testing
Now we include an `assets` folder with a serialized proof & vk for tests
* Add `examples` dir, with Nova's `FoldingScheme` example
* polishing
* expose poseidon_test_config outside tests
* change: Refactor structure into workspace
* chore: Add empty readme
* change: Transform repo into workspace
* add: Create folding-verifier-solidity crate
* add: Include askama.toml for `sol` extension escaper
* add: Jordi's old Groth16 verifier .sol template and adapt it
* tmp: create simple template struct to test
* feat: templating kzg working
* chore: add emv and revm
* feat: start evm file
* chore: add ark-poly-commit
* chore: move `commitment` to `folding-schemes`
* chore: update `.gitignore` to ignore generated contracts
* chore: update template with bn254 lib on it (avoids import), update for loop to account for whitespaces
* refactor: update template with no lib
* feat: add evm deploy code, compile and create kzg verifier
* chore: update `Cargo.toml` to have `folding-schemes` available with verifiers
* feat: start kzg prove and verify with sol
* chore: compute crs from kzg prover
* feat: evm kzg verification passing
* tmp
* change: Swap order of G2 coordinates within the template
* Update way to serialize proof with correct order
* chore: update `Cargo.toml`
* chore: add revm
* chore: add `save_solidity`
* refactor: verifiers in dedicated mod
* refactor: have dedicated `utils` module
* chore: expose modules
* chore: update verifier for kzg
* chore: rename templates
* fix: look for binary using also name of contract
* refactor: generate groth16 proof for sha256 pre-image, generate groth16 template with verifying key
* chore: template renaming
* fix: switch circuit for circuit that simply adds
* feat: generates test data on the fly
* feat: update to latest groth16 verifier
* refactor: rename folder, update `.gitignore`
* chore: update `Cargo.toml`
* chore: update templates extension to indicate that they are templates
* chore: rename templates, both files and structs
* fix: template inheritance working
* feat: template spdx and pragma statements
* feat: decider verifier compiles, update test for kzg10 and groth16 templates
* feat: parameterize which size of the crs should be stored on the contract
* chore: add comment on how the groth16 and kzg10 proofs will be linked together
* chore: cargo clippy run
* chore: cargo clippy tests
* chore: cargo fmt
* refactor: remove unused lifetime parameter
* chore: end merge
* chore: move examples to `folding-schemes` workspace
* get latest main changes
* fix: temp fix clippy warnings, will remove lints once not used in tests only
* fix: cargo clippy lint added on `code_size`
* fix: update path to test circuit and add step for installing solc
* chore: remove `save_solidity` steps
* fix: the borrowed expression implements the required traits
* chore: update `Cargo.toml`
* chore: remove extra `[patch.crates-io]`
* fix: update to patch at the workspace level and add comment explaining this
* refactor: correct `staticcall` with valid input/output sizes and change return syntax for pairing
* refactor: expose modules and remove `dead_code` calls
* chore: update `README.md`, add additional comments on `kzg10` template and update `groth16` template comments
* chore: be clearer on attributions on `kzg10`
---------
Co-authored-by: CPerezz <c.perezbaro@gmail.com>
Co-authored-by: arnaucube <root@arnaucube.com>
* Add Decider impl for Nova onchain
Add Decider impl for Nova onchain.
Update also the Decider trait.
Nova onchain decider: (compressed SNARK / final proof), in order to
later verify the Nova+CycleFold proofs onchain (in Ethereum’s EVM).
* PR review updates and few other changes
* Add KZG commitment scheme adapted to vector commitment
Add KZG commitment scheme adapted to vector commitment
Also move the `src/pedersen.rs` into `src/commitment/pedersen.rs` where
it will coexist with `kzg.rs` and the trait defined in
`src/commitment/mod.rs`.
* Adapt Pedersen into the new CommitmentProver trait
* add CommitmentProver (Pedersen&KZG) homomorphic property test
* polishing
* Use divide_with_q_and_r, rename skip_first_zero_coeffs
Co-authored-by: han0110 <tinghan0110@gmail.com>
---------
Co-authored-by: han0110 <tinghan0110@gmail.com>
Port ProtoGalaxy initial version from
https://github.com/arnaucube/protogalaxy-poc adapting it to the current
folding-schemes lib, which is a first iteration that implements the
Lagrange-basis version from
[ProtoGalaxy](https://eprint.iacr.org/2023/1106) folding scheme. There
are some pending optimizations, but is a first step towards integrating
ProtoGalaxy in the library.
* Implement Nova IVC's new & prove_step methods
Implement Nova IVC's new & prove_step methods (without CycleFold part yet)
* transcript.absorb_point err handling, and update C.xy() usage
* add transcript usage to IVC prove, add NovaTranscript trait extending Transcript trait, refactor NIFS.P to allow absorbing in transcript inbetween
* Implement Nova's IVC.V method (without CycleFold part yet)
* clippy lints
* move challenge r computation in-circuit
* reuse computed points with coordinates over CF (non-native) to save constraints in AugmentedFCircuit
(constraint count went down ~6k)
* rm 128 bit constant
* add params to Errors
* Updates from review suggestions. Additionally refactored nova/nifs fold, and rm transcript from nova/IVC.
- Updates from PR suggestions
- Additionally updated:
- in nova/nifs.rs: reuse folded_committed_instance for verify_folded_instance, computationally is the same, but reusing the same code so avoiding duplication and having an error on one of the two versions.
- in nova/ivc.rs: remove transcript from IVC (not needed, it uses the RO)
- Add naive decider circuit `RelaxedR1CSGadget`, which in-circuit checks
that the given z satisfies the given RelaxedR1CS instance
- Add method to relax the R1CS instance
- Add check_relation (for testing only) to R1CS & RelaxedR1CS
- Migrate from own SparseMatrix to use ark_relations::r1cs::Matrix
- Add frontend helper to use arkworks circuits
* Implement Nova's NIFS.Verify circuits (with CycleFold)
- Add circuit for NIFS.Verify on the main curve to check the folded `u`
& `x`
- Add circuit for NIFS.Verify on the CycleFold's auxiliary curve to
check the folded `cm(E)` & `cm(W)`
- Add transcript.get_challenge_nbits
- Add tests for utils::vec.rs
* replace bls12-377 & bw6-761 by pallas & vesta curves (only affects tests)
We will use pallas & vesta curves (for tests only, the non-tests code
uses generics) for the logic that does not require pairings, and while
Grumpkin is not available
(https://github.com/privacy-scaling-explorations/folding-schemes/issues/12).
* update links to papers to markdown style
* feat: draft traits `FoldingScheme` and `Decider`
Co-authored-by: arnaucube <root@arnaucube.com>
* Add Transcript trait, with PoseidonTranscript impl (#1)
Add also the PoseidonTranscriptVar (gadget).
* Update FoldingScheme trait to take C1 & C2 as params (#2)
* Update FoldingScheme trait to take C1 & C2 as params
Update FoldingScheme trait to take C1 & C2 as params which are used by
the diverse folding schemes as a cycle of curves.
* Add constraint to FoldingScheme C1,C2 fields swap.
Co-authored-by: Han <tinghan0110@gmail.com>
---------
Co-authored-by: Han <tinghan0110@gmail.com>
* move transcript to it's own mod
---------
Co-authored-by: han0110 <tinghan0110@gmail.com>
Pierre
omahs
yugocabrio
arnaucube