* Add solidity verifier of the nova+cyclefold, and add method to prepare the calldata from Decider's proof. Missing conversion of the point coordinates into limbs (ark compatible)
* chore: adding comments linking to the contract's signature
* chore: update .gitignore
* chore: add num-bigint as dev dependency
* fix: work with abs path for storing generated sol code
* chore: update comment
* feat: solidity verifier working on single and multi-input circuits
* feat: multi-input folding verification working + fixing encoding of additive identity in calldata
* chore: make bigint a dependency
* refactor: import utils functions from utils.rs and make them available from anywhere
* chore: make utils and evm available publicly
* fix: pub mod instead
* chore: make relevant method public and add `get_decider_template_for_cyclefold_decider` to exported objects
* solidity-verifiers: move tests to their corresponding files
* small update: Cyclefold -> CycleFold at the missing places
* abstract nova-cyclefold solidity verifiers tests to avoid code duplication, and abstract also the computed setup params (FS & Decider) to compute them only once for all related tests to save test time
* small polish after rebase to last main branch changes
* rm unneeded Option for KZGData::g1_crs_batch_points
* add checks modifying z_0 & z_i to nova_cyclefold_solidity_verifier test
* add light-test feature to decider_eth_circuit to use it in solidity-verifier tests without the big circuit
* solidity-verifiers: groth16 template: port the fix from https://github.com/iden3/snarkjs/pull/480 & https://github.com/iden3/snarkjs/issues/479
* add print warning msg for light-test in DeciderEthCircuit
* solidity-verifiers: update limbs logic to nonnative last version, parametrize limbs params
solidity-verifiers:
* update solidity limbs logic to last nonnative impl version, and to
last u_i.x impl
* parametrize limbs params
* add light-test feature: replace the '#[cfg(not(test))]' by the
'light-test' feature that by default is not enabled, so when running
the github actions we enable the feature 'light-tests', and then we can
have a full-test that runs the test without the 'light-tests' flag, but
we don't run this big test every time. The choice of a feature is to
allow us to control this from other-crates tests (for example for the
solidity-verifier separated crate tests, to avoid running the full heavy
circuit in the solidity tests)
* move solidity constants into template constants for auto compute of params
* polishing
* revm use only needed feature
This is to avoid c dependency for c-kzg which is behind the c-kzg flag
and not needed.
* nova_cyclefold_decider.sol header
* rearrange test helpers position, add error for min number of steps
* in solidity-verifiers: 'data'->'vk/verifier key'
* add From for NovaCycleFoldVerifierKey from original vks to simplify dev flow, also conditionally template the batchCheck related structs and methods from the KZG10 solidity template
---------
Co-authored-by: dmpierre <pdaixmoreux@gmail.com>
* Add a dedicated variant of `mat_vec_mul_sparse` for `NonNativeFieldVar`
* Switch to a customized in-circuit nonnative implementation for efficiency
* Comments and tests for `NonNativeUintVar`
* Make `CycleFoldCircuit` a bit smaller
* Faster trusted setup and proof generation by avoiding some nested LCs
* Check the remaining limbs in a more safe way
* Format
* Disable the non-native checks in tests again
* Clarify the group operation in `enforce_equal_unaligned`
* Explain the rationale behind non-native mat-vec multiplication
* Explain the difference with some other impls of `enforce_equal_unaligned`
* Format
* initial
* improved z_i
* improved
* Redefined the .circom and the test code for CircomWrapper
* added test function for wrapper_circuit which has circom_fcircuit, but incompatibility error of Pairing and Pallas
* changed the path in the gitignore
* Remove circom generated path
* improved variable vector
* Pallas::Fr
* improved to the primefield
* mentioned the issues: 1. extract z_i1 (only public output) 2. constraintsSystem and its Ref
* modified
* public input in circom
* generalized; removed the hardcoded value
* Generalization using FpVar::<Fr>::new_input
* initial
* improved z_i
* improved
* Redefined the .circom and the test code for CircomWrapper
* added test function for wrapper_circuit which has circom_fcircuit, but incompatibility error of Pairing and Pallas
* Remove circom generated path
* improved variable vector
* Pallas::Fr
* improved to the primefield
* mentioned the issues: 1. extract z_i1 (only public output) 2. constraintsSystem and its Ref
* modified
* Small updates:
- update cubic_circuit.circom: remove extra constraint, remove public
inputs
- remove allocations of inputs in arkworks
- add return of z_{i+1} at the end of CircomtoFCircuit::generate_step_constraints
With this tmp fix the `test_circom_step_constraints` passes, but needs to be iterated and polished.
* Update circom-compat to re-allocate inputs
* update after rebase to latest main: add usage of self.state_len() to circom frontend
* move circom frontend related structs into frontend/circom dir
* clippy lints
* extract_witness
* add comments
* clean
* fmt, lint, and spell
* CI Check trigger
* fmt
* applied the feedback
---------
Co-authored-by: Y5 <76672645+yugonsan@users.noreply.github.com>
Co-authored-by: arnaucube <root@arnaucube.com>
* Compute Decider's CM challenges in Groth16 circuit, link G16 & KZG proofs in Onchain Decider, refactor CommitmentScheme trait
- Refactor commitment package
- Refactor `Commitment` trait and the kzg, ipa, pedersen impls
- Add methods to prove & verify given challenges (not computing them in-method)
- Add KZG challenges computation in decider_eth_circuit
- Add cmE & cmW KZG proving & verification in DeciderEth
- Link Decider's Groth16 proof & KZG proofs data
- Fix point to bytes arkworks inconsistency
- Patch ark_curves to use a cherry-picked version with bn254::constraints & grumpkin for v0.4.0 (once arkworks v0.5.0 is released this will no longer be needed)
* DeciderEthCircuit: Add check eval=p(c) for E & W
The check is temporarily disabled due to
https://github.com/privacy-scaling-explorations/folding-schemes/issues/80,
but the public inputs and logic are there, to be able to continue the
other parts development while issue #80 is solved.
* change: Refactor structure into workspace
* chore: Add empty readme
* change: Transform repo into workspace
* add: Create folding-verifier-solidity crate
* add: Include askama.toml for `sol` extension escaper
* add: Jordi's old Groth16 verifier .sol template and adapt it
* tmp: create simple template struct to test
* Update FoldingSchemes trait, fit Nova+CycleFold
- update lib.rs's `FoldingScheme` trait interface
- fit Nova+CycleFold into the `FoldingScheme` trait
- refactor `src/nova/*`
* chore: add serialization assets for testing
Now we include an `assets` folder with a serialized proof & vk for tests
* Add `examples` dir, with Nova's `FoldingScheme` example
* polishing
* expose poseidon_test_config outside tests
* change: Refactor structure into workspace
* chore: Add empty readme
* change: Transform repo into workspace
* add: Create folding-verifier-solidity crate
* add: Include askama.toml for `sol` extension escaper
* add: Jordi's old Groth16 verifier .sol template and adapt it
* tmp: create simple template struct to test
* feat: templating kzg working
* chore: add emv and revm
* feat: start evm file
* chore: add ark-poly-commit
* chore: move `commitment` to `folding-schemes`
* chore: update `.gitignore` to ignore generated contracts
* chore: update template with bn254 lib on it (avoids import), update for loop to account for whitespaces
* refactor: update template with no lib
* feat: add evm deploy code, compile and create kzg verifier
* chore: update `Cargo.toml` to have `folding-schemes` available with verifiers
* feat: start kzg prove and verify with sol
* chore: compute crs from kzg prover
* feat: evm kzg verification passing
* tmp
* change: Swap order of G2 coordinates within the template
* Update way to serialize proof with correct order
* chore: update `Cargo.toml`
* chore: add revm
* chore: add `save_solidity`
* refactor: verifiers in dedicated mod
* refactor: have dedicated `utils` module
* chore: expose modules
* chore: update verifier for kzg
* chore: rename templates
* fix: look for binary using also name of contract
* refactor: generate groth16 proof for sha256 pre-image, generate groth16 template with verifying key
* chore: template renaming
* fix: switch circuit for circuit that simply adds
* feat: generates test data on the fly
* feat: update to latest groth16 verifier
* refactor: rename folder, update `.gitignore`
* chore: update `Cargo.toml`
* chore: update templates extension to indicate that they are templates
* chore: rename templates, both files and structs
* fix: template inheritance working
* feat: template spdx and pragma statements
* feat: decider verifier compiles, update test for kzg10 and groth16 templates
* feat: parameterize which size of the crs should be stored on the contract
* chore: add comment on how the groth16 and kzg10 proofs will be linked together
* chore: cargo clippy run
* chore: cargo clippy tests
* chore: cargo fmt
* refactor: remove unused lifetime parameter
* chore: end merge
* chore: move examples to `folding-schemes` workspace
* get latest main changes
* fix: temp fix clippy warnings, will remove lints once not used in tests only
* fix: cargo clippy lint added on `code_size`
* fix: update path to test circuit and add step for installing solc
* chore: remove `save_solidity` steps
* fix: the borrowed expression implements the required traits
* chore: update `Cargo.toml`
* chore: remove extra `[patch.crates-io]`
* fix: update to patch at the workspace level and add comment explaining this
* refactor: correct `staticcall` with valid input/output sizes and change return syntax for pairing
* refactor: expose modules and remove `dead_code` calls
* chore: update `README.md`, add additional comments on `kzg10` template and update `groth16` template comments
* chore: be clearer on attributions on `kzg10`
---------
Co-authored-by: CPerezz <c.perezbaro@gmail.com>
Co-authored-by: arnaucube <root@arnaucube.com>
* Add Decider impl for Nova onchain
Add Decider impl for Nova onchain.
Update also the Decider trait.
Nova onchain decider: (compressed SNARK / final proof), in order to
later verify the Nova+CycleFold proofs onchain (in Ethereum’s EVM).
* PR review updates and few other changes
* Add KZG commitment scheme adapted to vector commitment
Add KZG commitment scheme adapted to vector commitment
Also move the `src/pedersen.rs` into `src/commitment/pedersen.rs` where
it will coexist with `kzg.rs` and the trait defined in
`src/commitment/mod.rs`.
* Adapt Pedersen into the new CommitmentProver trait
* add CommitmentProver (Pedersen&KZG) homomorphic property test
* polishing
* Use divide_with_q_and_r, rename skip_first_zero_coeffs
Co-authored-by: han0110 <tinghan0110@gmail.com>
---------
Co-authored-by: han0110 <tinghan0110@gmail.com>
Port ProtoGalaxy initial version from
https://github.com/arnaucube/protogalaxy-poc adapting it to the current
folding-schemes lib, which is a first iteration that implements the
Lagrange-basis version from
[ProtoGalaxy](https://eprint.iacr.org/2023/1106) folding scheme. There
are some pending optimizations, but it is a first step towards integrating
ProtoGalaxy in the library.
* impl AugmentedFCircuit non-base case
* add multiple iterations to AugmentedFCircuit test
* implement base case on AugmentedFCircuit and test
* Update cmE of E=0-vec to work as zero point
Update cmE of E=0-vec to work as zero point instead of as cm(0-vec)
* patch r1cs-std dep to a cherry-picked version with the zero-scalar-mult fix
* refactor FCircuit to make it more suitable inside the AugmentedFCircuit
* r1cs_parser
* z vector calculation
* test function done
* improved
* Brushed up
* add comment
* Added description of test_circuit
* found mistake
* fixed cargo.toml
* Imported ark-circom as crate
* improved l in R1CS as the number of public I/O
* separate test functions into success/failure and unify variable to pub_io_len
* removed bn254 & abstracted to PrimeField, but still some work
* add comments and clean up code
* move ark-bn254 in dev-dependencies
* abstracted test function
* fixed github action's error
* cargo fmt
* remove convert_constraints_bigint_to_scalar function
* fixed n_cols
* fixed n_cols
* Add functionality to compile Circom files in tests
* Remove test_circuit.r1cs
* Introduce CircomFrontend trait and simplify with CircomWrapper struct
* deleted the CircomFrontend
* improved
* fixed clippy lint checks of github actions
* probably fixed github actions error by changing the github yaml
* fixed github yaml, fmt, and clippy
---------
Co-authored-by: Carlos Pérez <37264926+CPerezz@users.noreply.github.com>
* Port HyperNova's multifolding from https://github.com/privacy-scaling-explorations/multifolding-poc adapting and refactoring some of its methods and structs.
Note: adapted mle.rs methods from dense to sparse repr.
Co-authored-by: George Kadianakis <desnacked@riseup.net>
* HyperNova: move CCS struct outside of LCCCS & CCCS
HyperNova nimfs: move CCS structure outside of LCCCS & CCCS, to avoid
carrying around the whole CCS and duplicating data when it is not needed.
Also add feature flags for the folding schemes.
---------
Co-authored-by: George Kadianakis <desnacked@riseup.net>
- Add naive decider circuit `RelaxedR1CSGadget`, which in-circuit checks
that the given z satisfies the given RelaxedR1CS instance
- Add method to relax the R1CS instance
- Add check_relation (for testing only) to R1CS & RelaxedR1CS
- Migrate from own SparseMatrix to use ark_relations::r1cs::Matrix
- Add frontend helper to use arkworks circuits
* Implement Nova's NIFS.Verify circuits (with CycleFold)
- Add circuit for NIFS.Verify on the main curve to check the folded `u`
& `x`
- Add circuit for NIFS.Verify on the CycleFold's auxiliary curve to
check the folded `cm(E)` & `cm(W)`
- Add transcript.get_challenge_nbits
- Add tests for utils::vec.rs
* replace bls12-377 & bw6-761 by pallas & vesta curves (only affects tests)
We will use pallas & vesta curves (for tests only, the non-tests code
uses generics) for the logic that does not require pairings, and while
Grumpkin is not available
(https://github.com/privacy-scaling-explorations/folding-schemes/issues/12).
* update links to papers to markdown style
Port Espresso/hyperplonk's `virtualpolynomial`, `multilinearpolynomial`
and `sum_check` utils from
https://github.com/EspressoSystems/hyperplonk/tree/main
Each file contains the reference to the original file.
Porting it into a subdirectory `src/utils/espresso`, to have it
self-contained. In future iterations we might replace part of it but we
can keep focusing on the folding schemes part for now.
* feat: draft traits `FoldingScheme` and `Decider`
Co-authored-by: arnaucube <root@arnaucube.com>
* Add Transcript trait, with PoseidonTranscript impl (#1)
Add also the PoseidonTranscriptVar (gadget).
* Update FoldingScheme trait to take C1 & C2 as params (#2)
* Update FoldingScheme trait to take C1 & C2 as params
Update FoldingScheme trait to take C1 & C2 as params which are used by
the diverse folding schemes as a cycle of curves.
* Add constraint to FoldingScheme C1,C2 fields swap.
Co-authored-by: Han <tinghan0110@gmail.com>
---------
Co-authored-by: Han <tinghan0110@gmail.com>
* move transcript to its own mod
---------
Co-authored-by: han0110 <tinghan0110@gmail.com>