* `Dummy` trait
* More generic design for `Arith`
* Distinguish between incoming and running instances in ProtoGalaxy
* Format
* Fix unit test
* Fix incorrect arguments supplied to `CycleFoldWitness::dummy`
* `RUNNING` and `INCOMING` constants
* Better name and docs for `eval_core`
* More docs for `Arith` methods and implementations
* Fix missing imports
* Add traits for witness and committed instance
* Implement witness and committed instance traits for Nova and HyperNova
* Implement witness and committed instance traits for ProtoGalaxy
* Improve the clarity of docs for `Witness{Var}Ext::get_openings`
* Avoid cloning `z_i`
* Fix grammar issues
* Rename `Ext` traits for committed instances and witnesses to `Ops`
* Implement `to_sponge_bytes`
* Parallelize vector and matrix operations
* Implement convenient methods for `NonNativeAffineVar`
* Return `L_X_evals` and intermediate `phi_star`s from ProtoGalaxy prover.
These values will be used as hints to the augmented circuit
* Correctly use number of variables, number of constraints, and `t`
* Fix the size of `F_coeffs` and `K_coeffs` for in-circuit consistency
* Improve prover's performance
* Make `prepare_inputs` generic
* Remove redundant parameters in verifier
* Move `eval_f` to arith
* `u` is unnecessary in ProtoGalaxy
* Convert `RelaxedR1CS` to a trait that can be used in both Nova and ProtoGalaxy
* Implement several traits for ProtoGalaxy
* Move `FCircuit` impls to `utils.rs` and add `DummyCircuit`
* `AugmentedFCircuit` and ProtoGalaxy-based IVC
* Add explanations about IVC prover and in-circuit operations
* Avoid using unstable features
* Rename `PROTOGALAXY` to `PG` to make clippy happy
* Fix merge conflicts in `RelaxedR1CS::sample`
* Fix merge conflicts in `CycleFoldCircuit`
* Swap `m` and `n` for protogalaxy
* Add `#[cfg(test)]` to test-only util circuits
* Prefer unit struct over empty struct
* Add documents to `AugmentedFCircuit` for ProtoGalaxy
* Fix the names for CycleFold cricuits in ProtoGalaxy
* Fix usize conversion when targeting wasm
* Restrict the visibility of fields in `AugmentedFCircuit` to `pub(super)`
* Make CycleFold circuits and configs public
* Add docs for `ProverParams` and `VerifierParams`
* Refactor `pow_i`
* Fix imports
* Remove lint reasons
* Fix type inference
In CycleFold we want to compute
$P_{folded} = P_0 + r ⋅ P_1 + r^2 ⋅ P_2 + r^3 ⋅ P_3 + ... + r^{n-2} ⋅ P_{n-2} + r^{n-1} ⋅ P_{n-1}$,
since the scalars follow the pattern r^i Youssef El Housni (@yelhousni)
proposed to update the approach of the CycleFold circuit to reduce the
number of constraints needed, by computing
$P_{folded} = (((P_{n-1} ⋅ r + P_{n-2}) ⋅ r + P_{n-3})... ) ⋅ r + P_0$.
By itself, this update reduces the number of constraints as the number
of points being folded in the CycleFold circuit grows. But it also has
impact at the HyperNova circuit, where it removes the need of using the
bit representations of the powers of the random value, substancially
reducing the amount of constraints used by the HyperNova
AugmentedFCircuit.
The number of constraints difference in the CycleFold circuit and in
the HyperNova's AugmentedFCircuit:
- CycleFold circuit:
| num points* | old | new | diff |
|-------------|-----------|-----------|----------|
| 2 | 1_354 | 1_354 | 0 |
| 3 | 2_683 | 2_554 | -129 |
| 4 | 4_012 | 3_754 | -258 |
| 8 | 9_328 | 8_554 | -744 |
| 16 | 19_960 | 18_154 | -1_806 |
| 32 | 41_224 | 37_354 | -3_870 |
| 64 | 83_752 | 75_754 | -7_998 |
| 128 | 168_808 | 152_554 | -16_254 |
| 1024 | 1_359_592 | 1_227_754 | -131_838 |
*num points: number of points being folded by the CycleFold circuit.
- HyperNova AugmentedFCircuit circuit
| folded instances* | old | new | diff |
|-------------------|---------|---------|----------|
| 5 | 90_285 | 80_150 | -10_135 |
| 10 | 144_894 | 117_655 | -27_239 |
| 20 | 249_839 | 192_949 | -56_890 |
| 40 | 463_078 | 344_448 | -118_630 |
*folded instances: folded instances per step, half of them being LCCCS
and the other half CCCS.
Co-authored-by: Youssef El Housni <youssef.housni21@gmail.com>
* feat: zk nova layer
* chore: clippy + trigger CI
* chore: add comment for `new` (generating a zk nova ivc proof)
* chore: adding text reference to `sample`
* chore: use `debug_assert` instead of `cfg(test)`
* improve: pass `poseidon_config` by ref
Co-authored-by: Carlos Pérez <37264926+CPerezz@users.noreply.github.com>
* improve: pass `z_0` by ref
Co-authored-by: Carlos Pérez <37264926+CPerezz@users.noreply.github.com>
* improve: pass `r1cs` and `cf_r1cs` by ref
Co-authored-by: Carlos Pérez <37264926+CPerezz@users.noreply.github.com>
* chore: appropriate docs (2)
* chore: pass by ref modifications
* improve: use single sponge
* fix: remove blinding the cyclefold instance, add verifier checks on the
prover provided cyclefold intance
* fix: assert that the sampled relaxed r1cs is correct
* fix: check length of `u_i.x`
---------
Co-authored-by: Carlos Pérez <37264926+CPerezz@users.noreply.github.com>
* fix: Use `target_pointer_size` conditional compilation
There are some parts of the code where is needed to de/serialze
`usize`s. These, have sizes that vary depending on the target
achitecture the code is compiled for.
Hence, this adapts the de/serialization to the specific pointer size for
which the crate is being compiled to.
* change: Support WASM-compatibility and polish Cargo.toml
In order to support Wasm-compat and to simplify and improve `Cargo.toml`
readability, the follwing changes have been made:
- All the deps that can use `parallel` feature, do so. As `rayon`
supports non-threaded targets with a fallback option. See: https://docs.rs/rayon-core/1.12.1/rayon_core/index.html#global-fallback-when-threading-is-unsupported
- `ark-grumpking` has been brought to `0.5.0-alpha.0` as `0.4.0` appears
to not be in `crates.io` anymore. See: https://crates.io/crates/ark-grumpkin/versions
- By default, the crate uses `"ark-circom/default"` which selects the
`wasmer/sys` feature such that it knows where wasmer is
suposed to be run`.
- Added a `wasm` feature which forces `ark-circom/wasm` to be used
instead. Which internally selects the `wasmer/js` backend to be used
such that in-browser execution is possible.
- Added `getrandom` with `js` feature as dependency when `wasm32-unknown-unknown` target is selected such
that compilation of the crate for testing or simply building is possible. Notice that with `wasi` and other wasm targets,
this is not the case as they're automatically supported.
For more info, please check: https://docs.rs/getrandom/latest/getrandom/#webassembly-support
* feat: Support WASM-compatibility tests in CI
Add support for both testing the build of `sonobe/folding-schemes` for
WASM-targets and also, it's build as a dependency for a WASM-crate.
This includes a build job for the three main supported rust-WASM targets
and the same but for a thrid crate creted on-the-fly which uses
`sonobe/folding-schemes` as a dependency.
* chore: Add README docs about WASM-compat & feats
* ci: don't run WASM-compat job if PR is draft
* chore: depend on `arnaucube/circom-compat` fork.
Since https://github.com/arnaucube/circom-compat/pull/2 was merged, we
can already switch to it as we were depending before.
* chore: minimal build/test instructions
* fix: CI typos
* fix: Update CI to use correct feature sets
* fix: `ark-grumpkin` versioning issues
As mentioned in
https://github.com/privacy-scaling-explorations/sonobe/issues/146
there's a big issue that involves some dependencies of the crate.
As a temporary fix, this forces the workspace to rely on a
"non-existing" version of `ark-grumpkin` which is immediately patched at
workspace-level for a custom version that @arnaucube owns with some
cherry-picked commits.
While this allows the CI to pass and crate to build, a better solution
is needed.
* fix: Clippy CI avoiding --all-targets
* fix: use `wasm` feat only with folding-schemes
* Support randomness of arbitrary length
* Rename `N_BITS_RO` to `NOVA_N_BITS_RO`
* Compute `r_nonnat` inside `NIFSFullGadget::fold_committed_instance`
* Format
* Use `CycleFold{CommittedInstance, Witness}` in the context of cyclefold
* Format
* Fix the creation of dummy witness
* Make clippy happy
* Improve docs
* feat: enable hiding commitments in nova and hypernova
* fix: set blinding values for witness vector
* fix: remove cloning of the cyclefold running instance
* fix: do not re-use blinding values between prove steps
* fix: specify whether the witness should use blinding values using a
const generic
* feat: create a `dummy` method for nova witnesses as well
* chore: clippy - removed unused imports
- Adds the logic to support multi-instances folding in HyperNova's
AugmentedFCircuit & IVC.
- Adds also methods to generate new LCCCS & CCCS instances that don't
depend on the main folding chain, to be folded in in the next step
- Updates CycleFold circuit & methods to work other folding schemes than
Nova, adapting it to fold multiple points per circuit (instead of
2-to-1 as till now)
- Handle multi-instances folding in the FoldingScheme trait
interface, which expects 'None' in Nova, and 'Some' in HyperNova &
other multi-folding schemes.
* Remove the trait bound `C::BaseField: PrimeField` for better DX
* Methods in `TranscriptVar` now exactly matches the ones in `Transcript`
* Add `ProtoGalaxyTranscriptVar` and `CommittedInstanceVar` for protogalaxy
* betas are unnecessary in "plain" (incoming) instances
* Absorb the result of `get_challenge_nbits` as well
* `ProtoGalaxyTranscript` now allows absorbing mulitple instances
* Always return `Result<(), SynthesisError>` in `ProtoGalaxyTranscriptVar`
* Impl `Transcript{Var}` for `PoseidonSponge{Var}` directly and remove `PoseidonTranscript{Var}`
* `Transcript::absorb_point` doesn't need to return `Error`
* Add `AbsorbNonNative` trait for hashing non-native values
Note that now `absorb_point` only supports hashing points whose BaseField is equal to the sponge's field
* More efficient `TranscriptVar::absorb_point` by securely removing `is_inf`
* Use `sponge` and `transcript` consistently
* Clarify the usage of `AbsorbNonNative{Gadget}`
* Generic `sponge` and `transcript` params
* Avoid unstable `associated_type_bounds`
* Reuse `sponge` in hypernova
* Clean up redundant imports
* Remove unstable code
* Clarify the usage of `absorb_point` and `absorb_nonnative`
- implement hash of public params for Nova & HyperNova
- abstract pp_hash computation for folding schemes
- add pp_hash to solidity contract generator to verify the decider proof
- implement the IVC `FoldingScheme` trait for HyperNova
- refactor Nova's preprocess logic to make it simplier to use
- add to Decider trait (& Nova's DeciderEth) a preprocess method
- get rid of the `init_nova_ivc_params` and `init_ivc_and_decider_params` methods in `examples` since this is achieved with the `FS::preprocess` & `Decider::preprocess` methods
- (update the examples code to the simplified interface using
FS::preprocess & Decider::preprocess)
* feat: `Nova` can be serialized and deserialized
* chore: (temp) allow dead code as serde is not yet used
* fix: require trait in `where` to not increase restrictions on
`CommitmentScheme`
* feat: add file with nova serialization methods
* fix: change call to get poseidon config and chore: update traits for serde
* chore: remove clang install from CI, move tests and remove unnecessary
allow
* feat: remove serializing r1cs and cs params and provide them at
deserialization time
* chore: initialize r1cs within deserialization function directly
* circom: add external_inputs
* adapt new external_inputs interface to the FoldingScheme trait and Nova impl
* adapt examples to new FCircuit external_inputs interface
* add state_len & external_inputs_len params to CircomFCircuit
* add examples/circom_full_flow.rs
* merge the params initializer functions, clippy
* circom: move r1cs reading to FCircuit::new instead of each step
* CI/examples: add circom so it can run the circom_full_flow example
* Add a dedicated variant of `mat_vec_mul_sparse` for `NonNativeFieldVar`
* Switch to a customized in-circuit nonnative implementation for efficiency
* Comments and tests for `NonNativeUintVar`
* Make `CycleFoldCircuit` a bit smaller
* Faster trusted setup and proof generation by avoiding some nested LCs
* Check the remaining limbs in a more safe way
* Format
* Disable the non-native checks in tests again
* Clarify the group operation in `enforce_equal_unaligned`
* Explain the rationale behind non-native mat-vec multiplication
* Explain the difference with some other impls of `enforce_equal_unaligned`
* Format
* Reduce the number of constraints in `AugmentedFCircuit`
For the test `folding::nova::tests::test_ivc`
Before: 138240
After: 86756 (1.6x improvement)
Two notable optimization techniques:
1. Instead of allocating two witness variables `a, b` and enforce their equality by calling `a.conditional_enforce_equal(&b, &cond)`, we can avoid the allocation of `b` and directly set `b = a`. The former might be costly due to the checks in allocation and `conditional_enforce_equal`. See `nova/circuits.rs` for details.
2. Before this commit, `NonNativeFieldVar::to_constraint_field` was majorly called for generating the inputs (preimage) to hash functions. However, it turns out that the underlying conversion strategy (optimized for weight) is not optimal for reducing the length of hash preimage. We can go further by maximizing the number of bits per limb, thereby minimizing the preimage length. See `circuits/nonnative.rs` for details.
* Format
* Fix clippy warnings
* Move the comments to the right position
* Cleanup unnecessary code
* Treat (the digest of) `cf_U_i1` as an additional public input to `AugmentedFCircuit` for full soundness
* Fix the y-coordinate in the affine form of zero points
This in turn fixes the inconsistency between the digest of a constant affine point and that of a witness affine point in circuits.
* Set `cf_u_i1_x` to the correct value
* Fix the number of public inputs in dummy instance and witness
* Unify the logic behind `CycleFoldCommittedInstanceVar::hash` and `CycleFoldChallengeGadget::get_challenge_gadget`
* Add `ToConstraintFieldGadget` bound to `GC2`
* Remove unnecessary code used for debugging
* Make clippy and rustfmt happy
* Move conversion methods for `NonNativeFieldVar` to `folding/circuits/nonnative.rs`
* Simplify the check of zero coordinates
* Gracefully handle the result of `nonnative_field_var_to_constraint_field`
* Make clippy happy again
* Compute Decider's CM challenges in Groth16 circuit, link G16 & KZG proofs in Onchain Decider, refactor CommitmentScheme trait
- Refactor commitment package
- Refactor `Commitment` trait and the kzg, ipa, pedersen impls
- Add methods to prove & verify given challenges (not computing them in-method)
- Add KZG challenges computation in decider_eth_circuit
- Add cmE & cmW KZG proving & verification in DeciderEth
- Link Decider's Groth16 proof & KZG proofs data
- Fix point to bytes arkworks inconsistency
- Patch ark_curves to use a cherry-picked version with bn254::constraints & grumpkin for v0.4.0 (once arkworks v0.5.0 is released this will no longer be needed)
* DeciderEthCircuit: Add check eval=p(c) for E & W
The check is temporary disabled due
https://github.com/privacy-scaling-explorations/folding-schemes/issues/80,
but the public inputs and logic are there, to be able to continue the
other parts development while issue #80 is solved.
* Change CycleFold approach:
Instead of having a single CycleFold circuit that checks the 2 forign
scalarmul of the main circuit instances, now there are 2 separated
CycleFold circuits each of them checking a single foreign scalarmul.
Increasing the number of constraints of the AugmentedFCircuit, but
reducing the number of constraints in the CycleFold circuit, which will
translate into reducing the number of constraints in the Decider
circuit.
* CycleFold circuits checks in AugmentedFCircuit:
- update NonNativeAffineVar to work with NonNativeFieldVar directly
instead of FpVar comming from NonNativeFieldVar.to_constraint_field()
- include in AugmentedFCircuit intermediate steps inbetween CycleFold
circuits, and update the internal checks of the CycleFold circuits
Pending to document the new CycleFold circuits approach and better
variable namings, rm unwraps, etc
* matrix_vec_mul_sparse gadget: skip value * v[col_i] mul when value==1
Saves a notable amount of constraints since there is a notable amount of
1 values in R1CS matrices.
* Reuse computed vector of U_i
Reuse computed vector of U_i, saving 4k constraints in AugmentedFCircuit.
* fixes post last rebase to main
* rm test_augmentedfcircuit since it is already tested in test_ivc (and is a slow computation)
* rm dbg!()
* small fixes after last main rebase
* change: Refactor structure into workspace
* chore: Add empty readme
* change: Transform repo into workspace
* add: Create folding-verifier-solidity crate
* add: Include askama.toml for `sol` extension escaper
* add: Jordi's old Groth16 verifier .sol template and adapt it
* tmp: create simple template struct to test
* Update FoldingSchemes trait, fit Nova+CycleFold
- update lib.rs's `FoldingScheme` trait interface
- fit Nova+CycleFold into the `FoldingScheme` trait
- refactor `src/nova/*`
* chore: add serialization assets for testing
Now we include an `assets` folder with a serialized proof & vk for tests
* Add `examples` dir, with Nova's `FoldingScheme` example
* polishing
* expose poseidon_test_config outside tests
* change: Refactor structure into workspace
* chore: Add empty readme
* change: Transform repo into workspace
* add: Create folding-verifier-solidity crate
* add: Include askama.toml for `sol` extension escaper
* add: Jordi's old Groth16 verifier .sol template and adapt it
* tmp: create simple template struct to test
* feat: templating kzg working
* chore: add emv and revm
* feat: start evm file
* chore: add ark-poly-commit
* chore: move `commitment` to `folding-schemes`
* chore: update `.gitignore` to ignore generated contracts
* chore: update template with bn254 lib on it (avoids import), update for loop to account for whitespaces
* refactor: update template with no lib
* feat: add evm deploy code, compile and create kzg verifier
* chore: update `Cargo.toml` to have `folding-schemes` available with verifiers
* feat: start kzg prove and verify with sol
* chore: compute crs from kzg prover
* feat: evm kzg verification passing
* tmp
* change: Swap order of G2 coordinates within the template
* Update way to serialize proof with correct order
* chore: update `Cargo.toml`
* chore: add revm
* chore: add `save_solidity`
* refactor: verifiers in dedicated mod
* refactor: have dedicated `utils` module
* chore: expose modules
* chore: update verifier for kzg
* chore: rename templates
* fix: look for binary using also name of contract
* refactor: generate groth16 proof for sha256 pre-image, generate groth16 template with verifying key
* chore: template renaming
* fix: switch circuit for circuit that simply adds
* feat: generates test data on the fly
* feat: update to latest groth16 verifier
* refactor: rename folder, update `.gitignore`
* chore: update `Cargo.toml`
* chore: update templates extension to indicate that they are templates
* chore: rename templates, both files and structs
* fix: template inheritance working
* feat: template spdx and pragma statements
* feat: decider verifier compiles, update test for kzg10 and groth16 templates
* feat: parameterize which size of the crs should be stored on the contract
* chore: add comment on how the groth16 and kzg10 proofs will be linked together
* chore: cargo clippy run
* chore: cargo clippy tests
* chore: cargo fmt
* refactor: remove unused lifetime parameter
* chore: end merge
* chore: move examples to `folding-schemes` workspace
* get latest main changes
* fix: temp fix clippy warnings, will remove lints once not used in tests only
* fix: cargo clippy lint added on `code_size`
* fix: update path to test circuit and add step for installing solc
* chore: remove `save_solidity` steps
* fix: the borrowed expression implements the required traits
* chore: update `Cargo.toml`
* chore: remove extra `[patch.crates-io]`
* fix: update to patch at the workspace level and add comment explaining this
* refactor: correct `staticcall` with valid input/output sizes and change return syntax for pairing
* refactor: expose modules and remove `dead_code` calls
* chore: update `README.md`, add additional comments on `kzg10` template and update `groth16` template comments
* chore: be clearer on attributions on `kzg10`
---------
Co-authored-by: CPerezz <c.perezbaro@gmail.com>
Co-authored-by: arnaucube <root@arnaucube.com>
* Add Decider impl for Nova onchain
Add Decider impl for Nova onchain.
Update also the Decider trait.
Nova onchain decider: (compressed SNARK / final proof), in order to
later verify the Nova+CycleFold proofs onchain (in Ethereum’s EVM).
* PR review updates and few other changes
* Add KZG commitment scheme adapted to vector commitment
Add KZG commitment scheme adapted to vector commitment
Also move the `src/pedersen.rs` into `src/commitment/pedersen.rs` where
it will coexist with `kzg.rs` and the trait defined in
`src/commitment/mod.rs`.
* Adapt Pedersen into the new CommitmentProver trait
* add CommitmentProver (Pedersen&KZG) homomorphic property test
* polishing
* Use divide_with_q_and_r, rename skip_first_zero_coeffs
Co-authored-by: han0110 <tinghan0110@gmail.com>
---------
Co-authored-by: han0110 <tinghan0110@gmail.com>
* Implement Nova IVC's new & prove_step methods
Implement Nova IVC's new & prove_step methods (without CycleFold part yet)
* transcript.absorb_point err handling, and update C.xy() usage
* add transcript usage to IVC prove, add NovaTranscript trait extending Transcript trait, refactor NIFS.P to allow absorbing in transcript inbetween
* Implement Nova's IVC.V method (without CycleFold part yet)
* clippy lints
* move challenge r computation in-circuit
* reuse computed points with coordinates over CF (non-native) to save constraints in AugmentedFCircuit
(constraint count went down ~6k)
* rm 128 bit constant
* add params to Errors
* Updates from review suggestions. Additionally refactored nova/nifs fold, and rm transcript from nova/IVC.
- Updates from PR suggestions
- Additionally updated:
- in nova/nifs.rs: reuse folded_committed_instance for verify_folded_instance, computationally is the same, but reusing the same code so avoiding duplication and having an error on one of the two versions.
- in nova/ivc.rs: remove transcript from IVC (not needed, it uses the RO)
* impl AugmentedFCircuit non-base case
* add multiple iterations to AugmentedFCircuit test
* implement base case on AugmentedFCircuit and test
* Update cmE of E=0-vec to work as zero point
Update cmE of E=0-vec to work as zero point instead of as cm(0-vec)
* patch r1cs-std dep to a cherry-picked version with the zero-scalar-mult fix
* refactor FCircuit to make it more suitable inside the AugmentedFCircuit
* Port HyperNova's multifolding from https://github.com/privacy-scaling-explorations/multifolding-poc adapting and refactoring some of its methods and structs.
Note: adapted mle.rs methods from dense to sparse repr.
Co-authored-by: George Kadianakis <desnacked@riseup.net>
* HyperNova: move CCS struct outside of LCCCS & CCCS
HyperNova nimfs: move CCS structure outside of LCCCS & CCCS, to avoid
carrying around the whole CCS and duplicating data when is not needed.
Also add feature flags for the folding schemes.
---------
Co-authored-by: George Kadianakis <desnacked@riseup.net>
* Implement Nova's NIFS.Verify circuits (with CycleFold)
- Add circuit for NIFS.Verify on the main curve to check the folded `u`
& `x`
- Add circuit for NIFS.Verify on the CycleFold's auxiliary curve to
check the folded `cm(E)` & `cm(W)`
- Add transcript.get_challenge_nbits
- Add tests for utils::vec.rs
* replace bls12-377 & bw6-761 by pallas & vesta curves (only affects tests)
We will use pallas & vesta curves (for tests only, the non-tests code
uses generics) for the logic that does not require pairings, and while
Grumpkin is not available
(https://github.com/privacy-scaling-explorations/folding-schemes/issues/12).
* update links to papers to markdown style
arnaucube
winderica
Pierre
Carlos Pérez
Ahmad Afuni