Add IVCProof to the existing folding schemes (Nova,HyperNova,ProtoGal…

…axy) (#167) * Add IVCProof to the existing folding schemes (Nova,HyperNova,ProtoGalaxy) * Implement `from_ivc_proof` for the FoldingSchemes trait (and Nova, HyperNova, ProtoGalaxy), so that the FoldingScheme IVC's instance can be constructed from the given parameters and the last IVCProof, which allows to sent the IVCProof between different parties, so that they can continue iterating the IVC from the received IVCProof. Also the serializers allow for the IVCProof to be sent to a verifier that can deserialize it and verify it. This allows to remove the logic from the file [folding/nova/serialize.rs](https://github.com/privacy-scaling-explorations/sonobe/blob/f1d82418ba047cf90805f2d0505370246df24d68/folding-schemes/src/folding/nova/serialize.rs) and [folding/hypernova/serialize.rs](https://github.com/privacy-scaling-explorations/sonobe/blob/f1d82418ba047cf90805f2d0505370246df24d68/folding-schemes/src/folding/hypernova/serialize.rs) (removing the whole files), which is now covered by the `IVCProof` generated serializers (generated by macro instead of handwritten), and the test that the file contained is now abstracted and applied to all the 3 existing folding schemes (Nova, HyperNova, ProtoGalaxy) at the folding/mod.rs file. * update Nova VerifierParams serializers to avoid serializing the R1CS to save big part of the old serialized size * rm .instances() since it's not needed * add nova params serialization to nova's ivc test to ensure that IVC verification works with deserialized data * Add unified FS::ProverParam & VerifierParam serialization & deserialization (for all Nova, HyperNova and ProtoGalaxy), without serializing the R1CS/CCS and thus saving substantial serialized bytes space. * rm CanonicalDeserialize warnings msgs for VerifierParams
privacy-scaling-explorations · Oct 11, 2024 · cb1b8e3 · cb1b8e3
1 parent ed14889
commit cb1b8e3
Show file tree

Hide file tree

Showing 20 changed files with 1,021 additions and 1,027 deletions.
diff --git a/.gitignore b/.gitignore
@@ -14,3 +14,5 @@ solidity-verifiers/generated
 examples/*.sol
 examples/*.calldata
 examples/*.inputs
+*.serialized
+*/*.serialized
diff --git a/examples/circom_full_flow.rs b/examples/circom_full_flow.rs
@@ -89,7 +89,8 @@ fn main() {
     let mut nova = N::init(&nova_params, f_circuit.clone(), z_0).unwrap();
 
     // prepare the Decider prover & verifier params
-    let (decider_pp, decider_vp) = D::preprocess(&mut rng, nova_params, nova.clone()).unwrap();
+    let (decider_pp, decider_vp) =
+        D::preprocess(&mut rng, nova_params.clone(), nova.clone()).unwrap();
 
     // run n steps of the folding iteration
     for (i, external_inputs_at_step) in external_inputs.iter().enumerate() {
@@ -99,6 +100,14 @@ fn main() {
         println!("Nova::prove_step {}: {:?}", i, start.elapsed());
     }
 
+    // verify the last IVC proof
+    let ivc_proof = nova.ivc_proof();
+    N::verify(
+        nova_params.1, // Nova's verifier params
+        ivc_proof,
+    )
+    .unwrap();
+
     let start = Instant::now();
     let proof = D::prove(rng, decider_pp, nova.clone()).unwrap();
     println!("generated Decider proof: {:?}", start.elapsed());

diff --git a/examples/external_inputs.rs b/examples/external_inputs.rs
@@ -207,17 +207,11 @@ fn main() {
         folding_scheme.state()
     );
 
-    let (running_instance, incoming_instance, cyclefold_instance) = folding_scheme.instances();
-
     println!("Run the Nova's IVC verifier");
+    let ivc_proof = folding_scheme.ivc_proof();
     N::verify(
-        nova_params.1,
-        initial_state.clone(),
-        folding_scheme.state(), // latest state
-        Fr::from(num_steps as u32),
-        running_instance,
-        incoming_instance,
-        cyclefold_instance,
+        nova_params.1, // Nova's verifier params
+        ivc_proof,
     )
     .unwrap();
 }
diff --git a/examples/multi_inputs.rs b/examples/multi_inputs.rs
@@ -154,17 +154,11 @@ fn main() {
         println!("Nova::prove_step {}: {:?}", i, start.elapsed());
     }
 
-    let (running_instance, incoming_instance, cyclefold_instance) = folding_scheme.instances();
-
     println!("Run the Nova's IVC verifier");
+    let ivc_proof = folding_scheme.ivc_proof();
     N::verify(
-        nova_params.1,
-        initial_state.clone(),
-        folding_scheme.state(), // latest state
-        Fr::from(num_steps as u32),
-        running_instance,
-        incoming_instance,
-        cyclefold_instance,
+        nova_params.1, // Nova's verifier params
+        ivc_proof,
     )
     .unwrap();
 }
diff --git a/examples/noir_full_flow.rs b/examples/noir_full_flow.rs
@@ -79,14 +79,22 @@ fn main() {
     let mut nova = N::init(&nova_params, f_circuit.clone(), z_0).unwrap();
 
     // prepare the Decider prover & verifier params
-    let (decider_pp, decider_vp) = D::preprocess(&mut rng, nova_params, nova.clone()).unwrap();
+    let (decider_pp, decider_vp) =
+        D::preprocess(&mut rng, nova_params.clone(), nova.clone()).unwrap();
 
     // run n steps of the folding iteration
     for i in 0..5 {
         let start = Instant::now();
         nova.prove_step(rng, vec![], None).unwrap();
         println!("Nova::prove_step {}: {:?}", i, start.elapsed());
     }
+    // verify the last IVC proof
+    let ivc_proof = nova.ivc_proof();
+    N::verify(
+        nova_params.1, // Nova's verifier params
+        ivc_proof,
+    )
+    .unwrap();
 
     let start = Instant::now();
     let proof = D::prove(rng, decider_pp, nova.clone()).unwrap();

diff --git a/examples/noname_full_flow.rs b/examples/noname_full_flow.rs
@@ -89,7 +89,8 @@ fn main() {
     let mut nova = N::init(&nova_params, f_circuit.clone(), z_0).unwrap();
 
     // prepare the Decider prover & verifier params
-    let (decider_pp, decider_vp) = D::preprocess(&mut rng, nova_params, nova.clone()).unwrap();
+    let (decider_pp, decider_vp) =
+        D::preprocess(&mut rng, nova_params.clone(), nova.clone()).unwrap();
 
     // run n steps of the folding iteration
     for (i, external_inputs_at_step) in external_inputs.iter().enumerate() {
@@ -99,6 +100,14 @@ fn main() {
         println!("Nova::prove_step {}: {:?}", i, start.elapsed());
     }
 
+    // verify the last IVC proof
+    let ivc_proof = nova.ivc_proof();
+    N::verify(
+        nova_params.1, // Nova's verifier params
+        ivc_proof,
+    )
+    .unwrap();
+
     let start = Instant::now();
     let proof = D::prove(rng, decider_pp, nova.clone()).unwrap();
     println!("generated Decider proof: {:?}", start.elapsed());

diff --git a/examples/sha256.rs b/examples/sha256.rs
@@ -138,17 +138,11 @@ fn main() {
         println!("Nova::prove_step {}: {:?}", i, start.elapsed());
     }
 
-    let (running_instance, incoming_instance, cyclefold_instance) = folding_scheme.instances();
-
     println!("Run the Nova's IVC verifier");
+    let ivc_proof = folding_scheme.ivc_proof();
     N::verify(
-        nova_params.1,
-        initial_state,
-        folding_scheme.state(), // latest state
-        Fr::from(num_steps as u32),
-        running_instance,
-        incoming_instance,
-        cyclefold_instance,
+        nova_params.1, // Nova's verifier params
+        ivc_proof,
     )
     .unwrap();
 }
diff --git a/folding-schemes/src/folding/hypernova/cccs.rs b/folding-schemes/src/folding/hypernova/cccs.rs
@@ -18,7 +18,7 @@ use crate::utils::virtual_polynomial::{build_eq_x_r_vec, VirtualPolynomial};
 use crate::Error;
 
 /// Committed CCS instance
-#[derive(Debug, Clone, CanonicalSerialize, CanonicalDeserialize)]
+#[derive(Debug, Clone, PartialEq, Eq, CanonicalSerialize, CanonicalDeserialize)]
 pub struct CCCS<C: CurveGroup> {
     // Commitment to witness
     pub C: C,

diff --git a/folding-schemes/src/folding/hypernova/decider_eth.rs b/folding-schemes/src/folding/hypernova/decider_eth.rs
@@ -234,9 +234,7 @@ pub mod tests {
     use super::*;
     use crate::commitment::{kzg::KZG, pedersen::Pedersen};
     use crate::folding::hypernova::cccs::CCCS;
-    use crate::folding::hypernova::{
-        PreprocessorParam, ProverParams, VerifierParams as HyperNovaVerifierParams,
-    };
+    use crate::folding::hypernova::PreprocessorParam;
     use crate::folding::nova::decider_eth::VerifierParam;
     use crate::frontend::utils::CubicFCircuit;
     use crate::transcript::poseidon::poseidon_canonical_config;
@@ -371,33 +369,19 @@ pub mod tests {
             .serialize_compressed(&mut hypernova_vp_serialized)
             .unwrap();
 
-        let hypernova_pp_deserialized = ProverParams::<
-            Projective,
-            Projective2,
-            KZG<'static, Bn254>,
-            Pedersen<Projective2>,
-            false,
-        >::deserialize_prover_params(
+        let hypernova_pp_deserialized = HN::pp_deserialize_with_mode(
             hypernova_pp_serialized.as_slice(),
             Compress::Yes,
             Validate::No,
-            &hypernova_params.0.ccs,
-            &poseidon_config,
+            (), // FCircuit's Params
         )
         .unwrap();
 
-        let hypernova_vp_deserialized = HyperNovaVerifierParams::<
-            Projective,
-            Projective2,
-            KZG<'static, Bn254>,
-            Pedersen<Projective2>,
-            false,
-        >::deserialize_verifier_params(
+        let hypernova_vp_deserialized = HN::vp_deserialize_with_mode(
             hypernova_vp_serialized.as_slice(),
             Compress::Yes,
             Validate::No,
-            &hypernova_params.0.ccs.unwrap(),
-            &poseidon_config,
+            (), // FCircuit's Params
         )
         .unwrap();
 

diff --git a/folding-schemes/src/folding/hypernova/decider_eth_circuit.rs b/folding-schemes/src/folding/hypernova/decider_eth_circuit.rs
@@ -509,7 +509,6 @@ pub mod tests {
     use ark_bn254::{constraints::GVar, Fr, G1Projective as Projective};
     use ark_grumpkin::{constraints::GVar as GVar2, Projective as Projective2};
     use ark_relations::r1cs::ConstraintSystem;
-    use ark_std::One;
     use ark_std::{test_rng, UniformRand};
 
     use super::*;
@@ -583,22 +582,10 @@ pub mod tests {
 
         // generate a Nova instance and do a step of it
         let mut hypernova = HN::init(&hn_params, F_circuit, z_0.clone()).unwrap();
-        hypernova
-            .prove_step(&mut rng, vec![], Some((vec![], vec![])))
-            .unwrap();
+        hypernova.prove_step(&mut rng, vec![], None).unwrap();
 
-        let ivc_v = hypernova.clone();
-        let (running_instance, incoming_instance, cyclefold_instance) = ivc_v.instances();
-        HN::verify(
-            hn_params.1, // HN's verifier_params
-            z_0,
-            ivc_v.z_i,
-            Fr::one(),
-            running_instance,
-            incoming_instance,
-            cyclefold_instance,
-        )
-        .unwrap();
+        let ivc_proof = hypernova.ivc_proof();
+        HN::verify(hn_params.1, ivc_proof).unwrap();
 
         // load the DeciderEthCircuit from the generated Nova instance
         let decider_circuit = DeciderEthCircuit::<