mirror of https://github.com/arnaucube/sonobe.git synced 2026-01-22 05:41:34 +01:00

Go to file

arnaucube 97df224579 Add solidity verifier of the nova+cyclefold (#87 )

* Add solidity verifier of the nova+cyclefold, and add method to prepare the calldata from Decider's proof. Missing conversion of the point coordinates into limbs (ark compatible)

* chore: adding comments linking to the contract's signature

* chore: update .gitignore

* chore: add num-bigint as dev dependency

* fix: work with abs path for storing generated sol code

* chore: update comment

* feat: solidity verifier working on single and multi-input circuits

* feat: multi-input folding verification working + fixing encoding of additive identity in calldata

* chore: make bigint a dependency

* refactor: import utils functions from utils.rs and make them available from anywhere

* chore: make utils and evm available publicly

* fix: pub mod instead

* chore: make relevant method public and add `get_decider_template_for_cyclefold_decider` to exported objects

* solidity-verifiers: move tests to their corresponding files

* small update: Cyclefold -> CycleFold at the missing places

* abstract nova-cyclefold solidity verifiers tests to avoid code duplication, and abstract also the computed setup params (FS & Decider) to compute them only once for all related tests to save test time

* small polish after rebase to last main branch changes

* rm unneeded Option for KZGData::g1_crs_batch_points

* add checks modifying z_0 & z_i to nova_cyclefold_solidity_verifier test

* add light-test feature to decider_eth_circuit to use it in solidity-verifier tests without the big circuit

* solidity-verifiers: groth16 template: port the fix from https://github.com/iden3/snarkjs/pull/480 & https://github.com/iden3/snarkjs/issues/479

* add print warning msg for light-test in DeciderEthCircuit

* solidity-verifiers: update limbs logic to nonnative last version, parametrize limbs params

solidity-verifiers:
* update solidity limbs logic to last nonnative impl version, and to
  last u_i.x impl
* parametrize limbs params
* add light-test feature: replace the '#[cfg(not(test))]' by the
  'light-test' feature that by default is not enabled, so when running
  the github actions we enable the feature 'light-tests', and then we can
  have a full-test that runs the test without the 'light-tests' flag, but
  we don't run this big test every time.  The choice of a feature is to
  allow us to control this from other-crates tests (for example for the
  solidity-verifier separated crate tests, to avoid running the full heavy
  circuit in the solidity tests)

* move solidity constants into template constants for auto compute of params

* polishing

* revm use only needed feature

This is to avoid c depencency for c-kzg which is behind the c-kzg flag
and not needed.

* nova_cyclefold_decider.sol header

* rearrange test helpers position, add error for min number of steps

* in solidity-verifiers: 'data'->'vk/verifier key'

* add From for NovaCycleFoldVerifierKey from original vks to simplify dev flow, also conditionally template the batchCheck related structs and methods from the KZG10 solidity template

---------

Co-authored-by: dmpierre <pdaixmoreux@gmail.com>

2024-04-25 09:51:59 +00:00

.config

feat: port CI from halo2curves (#4 )

2023-08-17 11:10:25 +00:00

.github/workflows

Add solidity verifier of the nova+cyclefold (#87 )

2024-04-25 09:51:59 +00:00

cli

Add solidity verifier of the nova+cyclefold (#87 )

2024-04-25 09:51:59 +00:00

folding-schemes

Add solidity verifier of the nova+cyclefold (#87 )

2024-04-25 09:51:59 +00:00

solidity-verifiers

Add solidity verifier of the nova+cyclefold (#87 )

2024-04-25 09:51:59 +00:00

.gitignore

Add solidity verifier of the nova+cyclefold (#87 )

2024-04-25 09:51:59 +00:00

Cargo.toml

Add the digest of the Relaxed R1CS instance for CycleFold as a public input to AugmentedFCircuit (#84 )

2024-04-11 09:07:32 +00:00

LICENSE

Initial commit

2023-08-15 18:05:20 +08:00

README.md

add README.md (#39 )

2024-04-17 09:05:41 +00:00

rust-toolchain

Add CLI interface for verifier contract generation (#74 )

2024-03-18 10:09:22 +00:00

README.md

sonobe

Experimental folding schemes library implemented jointly by 0xPARC and PSE.

Sonobe is a modular library to fold arithmetic circuit instances in an Incremental Verifiable computation (IVC) style. It features multiple folding schemes and decider setups, allowing users to pick the scheme which best fit their needs.

Sonobe is conceived as an exploratory effort with the aim to push forward the practical side of folding schemes and advancing towards onchain (EVM) verification.

"The Sonobe module is one of the many units used to build modular origami. The popularity of Sonobe modular origami models derives from the simplicity of folding the modules, the sturdy and easy assembly, and the flexibility of the system."

Warning

: experimental code, do not use in production.
The code has not been audited. Several optimizations are also pending. Our focus so far has been on implementing the Nova and CycleFold schemes and achieving onchain (EVM) verification.

Schemes implemented

Folding schemes implemented:

Nova: Recursive Zero-Knowledge Arguments from Folding Schemes, Abhiram Kothapalli, Srinath Setty, Ioanna Tzialla. 2021
CycleFold: Folding-scheme-based recursive arguments over a cycle of elliptic curves, Abhiram Kothapalli, Srinath Setty. 2023

Work in progress:

HyperNova: Recursive arguments for customizable constraint systems, Abhiram Kothapalli, Srinath Setty. 2023
ProtoGalaxy: Efficient ProtoStar-style folding of multiple instances, Liam Eagen, Ariel Gabizon. 2023

Available frontends

Available frontends to define the folded circuit:

arkworks, arkworks contributors
Circom, iden3, 0Kims Association

Usage

Docs

Detailed usage and design documentation can be found at Sonobe docs.

Folding Schemes introduction

Folding schemes efficitently achieve incrementally verifiable computation (IVC), where the prover recursively proves the correct execution of the incremental computations. Once the IVC iterations are completed, the IVC proof is compressed into the Decider proof, a zkSNARK proof which proves that applying n times the F function (the circuit being folded) to the initial state (z_0) results in the final state (z_n).

Where w_i are the external witnesses used at each iterative step.

In other words, it allows to prove efficiently that z_n = F(...~F(F(F(F(z_0, w_0), w_1), w_2), ...), w_{n-1}).

Overview of sonobe

Sonobe is a folding schemes modular library to fold arithmetic circuit instances in an incremental verifiable computation (IVC) style. It also provides the tools required to generate a zkSNARK proof out of an IVC proof and to verify it on Ethereum's EVM.

The development flow using Sonobe looks like:

Define a circuit to be folded
Set which folding scheme to be used (eg. Nova with CycleFold)
Set a final decider to generate the final proof (eg. Spartan over Pasta curves)
Generate the the decider verifier

The folding scheme and decider used can be swapped with a few lines of code (eg. switching from a Decider that uses two Spartan proofs over a cycle of curves, to a Decider that uses a single Groth16 proof over the BN254 to be verified in an Ethereum smart contract).

The Sonobe docs contain more details about the usage and design of the library.

Complete examples can be found at folding-schemes/examples

License

Sonobe is MIT Licensed.

Acknowledgments

This project builds on top of multiple arkworks libraries. It uses Espresso system's virtual polynomial abstraction and its SumCheck implementation.

The Solidity templates used in nova_cyclefold_verifier.sol, use iden3's Groth16 implementation and a KZG10 Solidity template adapted from weijiekoh/libkzg.

In addition to the direct code contributors who make this repository possible, this project has been made possible by many conversations with Srinath Setty, Lev Soukhanov, Matej Penciak, Adrian Hamelink, François Garillot, Daniel Marin, Han Jian, Wyatt Benno, Nikkolas Gailly and Nalin Bhardwaj, to whom we are grateful.