From 8b233031a6fd84cd97154eaf279befd901d2bc8d Mon Sep 17 00:00:00 2001 From: arnaucube Date: Wed, 17 Apr 2024 11:05:41 +0200 Subject: [PATCH] add README.md (#39) * Initialize the README.md with a sketch of the structure * add warning and draft diagram * add authors & years to schemes, add a pre-sketch of the 'development' section * Readme: add link to Carlos talk on folding schemes * readme: sketch sections: offchain & onchain decider, add todo for references * readme: add example of FCircuit & folding * Readme: add lib pipeline diagram, add decider code example * add cyclefold-nova-diagram.png, decider-onchain-flow-diagram.png * polish cli descriptions * small update in the Warning box * add sonobe naming * add folding-main-idea-diagram.png * missing sonobe renaming * migrate part of the README.md to sonobe-docs * rm imgs/, load them from sonobe-docs * tiny update * chore: start update README * add acknolwedgments links and text, small polishing of the overall text * extend folding introduction & sonobe overview * img text alignment * chore: update readme * chore: typos, bits of reformulation, centering images * chore: remove btc example since can not be used as is * rm .vscode dir * readme: merge the duplicated sections into a single one adapting the texts * add Docs badge with link, update acknowledgments * add ci & license badges * fix cli link, add solc mention in solidity-verifiers/readme * small polishing * fix img alignment * rm badges, the reasoning is: - The License badge is not needed since there are already many links to the license both in the readme and in the GitHub UI - The CI checks badge, already appears in the GitHub UI in the last commit preview at the main repo page. Furthermore, after some months of inactivity, the badge would be 'gray' as 'inactive'. - The only badge that I was trying to get there is the 'docs' badge, to make it very clear that the docs page exists, but it was a bit to hard visually to have a single badge there, and furthermore the docs link already appears in the readme twice, and also in the GitHub UI right-panel. --------- Co-authored-by: dmpierre --- README.md | 89 +++++++++++++++++++ cli/README.md | 21 +++-- cli/src/settings.rs | 11 ++- .../src/folding/nova/decider_eth_circuit.rs | 4 +- solidity-verifiers/README.md | 5 +- .../templates/kzg10_verifier.askama.sol | 2 +- 6 files changed, 111 insertions(+), 21 deletions(-) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 00000000..169461b7 --- /dev/null +++ b/README.md @@ -0,0 +1,89 @@ +# sonobe + +Experimental folding schemes library implemented jointly by [0xPARC](https://0xparc.org/) and [PSE](https://pse.dev). + + + +Sonobe is a modular library to fold arithmetic circuit instances in an Incremental Verifiable computation (IVC) style. It features multiple folding schemes and decider setups, allowing users to pick the scheme which best fit their needs. +

+Sonobe is conceived as an exploratory effort with the aim to push forward the practical side of folding schemes and advancing towards onchain (EVM) verification. +

+"The Sonobe module is one of the many units used to build modular origami. The popularity of Sonobe modular origami models derives from the simplicity of folding the modules, the sturdy and easy assembly, and the flexibility of the system." + +
+ +> **Warning**: experimental code, do not use in production.
+> The code has not been audited. Several optimizations are also pending. Our focus so far has been on implementing the Nova and CycleFold schemes and achieving onchain (EVM) verification. + +## Schemes implemented + +Folding schemes implemented: + +- [Nova: Recursive Zero-Knowledge Arguments from Folding Schemes](https://eprint.iacr.org/2021/370.pdf), Abhiram Kothapalli, Srinath Setty, Ioanna Tzialla. 2021 +- [CycleFold: Folding-scheme-based recursive arguments over a cycle of elliptic curves](https://eprint.iacr.org/2023/1192.pdf), Abhiram Kothapalli, Srinath Setty. 2023 + +Work in progress: + +- [HyperNova: Recursive arguments for customizable constraint systems](https://eprint.iacr.org/2023/573.pdf), Abhiram Kothapalli, Srinath Setty. 2023 +- [ProtoGalaxy: Efficient ProtoStar-style folding of multiple instances](https://eprint.iacr.org/2023/1106.pdf), Liam Eagen, Ariel Gabizon. 2023 + +## Available frontends + +Available frontends to define the folded circuit: + +- [arkworks](https://github.com/arkworks-rs), arkworks contributors +- [Circom](https://github.com/iden3/circom), iden3, 0Kims Association + +## Usage + +### Docs + +Detailed usage and design documentation can be found at [Sonobe docs](https://privacy-scaling-explorations.github.io/sonobe-docs/). + +### Folding Schemes introduction + +Folding schemes efficitently achieve incrementally verifiable computation (IVC), where the prover recursively proves the correct execution of the incremental computations. +Once the IVC iterations are completed, the IVC proof is compressed into the Decider proof, a zkSNARK proof which proves that applying $n$ times the $F$ function (the circuit being folded) to the initial state ($z_0$) results in the final state ($z_n$). + + +

+ +

+ +Where $w_i$ are the external witnesses used at each iterative step. + +In other words, it allows to prove efficiently that $z_n = F(...~F(F(F(F(z_0, w_0), w_1), w_2), ...), w_{n-1})$. + + +### Overview of sonobe + +Sonobe is a folding schemes modular library to fold arithmetic circuit instances in an incremental verifiable computation (IVC) style. It also provides the tools required to generate a zkSNARK proof out of an IVC proof and to verify it on Ethereum's EVM. + +The development flow using Sonobe looks like: + +1. Define a circuit to be folded +2. Set which folding scheme to be used (eg. Nova with CycleFold) +3. Set a final decider to generate the final proof (eg. Spartan over Pasta curves) +4. Generate the the decider verifier + +

+ +

+ +The folding scheme and decider used can be swapped with a few lines of code (eg. switching from a Decider that uses two Spartan proofs over a cycle of curves, to a Decider that uses a single Groth16 proof over the BN254 to be verified in an Ethereum smart contract). + +The [Sonobe docs](https://privacy-scaling-explorations.github.io/sonobe-docs/) contain more details about the usage and design of the library. + +Complete examples can be found at [folding-schemes/examples](https://github.com/privacy-scaling-explorations/sonobe/tree/main/folding-schemes/examples) + +## License + +Sonobe is [MIT Licensed](https://github.com/privacy-scaling-explorations/sonobe/blob/main/LICENSE). + +## Acknowledgments + +This project builds on top of multiple [arkworks](https://github.com/arkworks-rs) libraries. It uses Espresso system's [virtual polynomial](https://github.com/EspressoSystems/hyperplonk/blob/main/arithmetic/src/virtual_polynomial.rs) abstraction and its [SumCheck](https://github.com/EspressoSystems/hyperplonk/tree/main/subroutines/src/poly_iop/sum_check) implementation. + +The Solidity templates used in `nova_cyclefold_verifier.sol`, use [iden3](https://github.com/iden3/snarkjs/blob/master/templates/verifier_groth16.sol.ejs)'s Groth16 implementation and a KZG10 Solidity template adapted from [weijiekoh/libkzg](https://github.com/weijiekoh/libkzg). + +In addition to the direct code contributors who make this repository possible, this project has been made possible by many conversations with [Srinath Setty](https://github.com/srinathsetty), [Lev Soukhanov](https://github.com/levs57), [Matej Penciak](https://github.com/mpenciak), [Adrian Hamelink](https://github.com/adr1anh), [François Garillot](https://github.com/huitseeker), [Daniel Marin](https://github.com/danielmarinq), [Han Jian](https://github.com/han0110), [Wyatt Benno](https://github.com/wyattbenno777), [Nikkolas Gailly](https://github.com/nikkolasg) and [Nalin Bhardwaj](https://github.com/nalinbhardwaj), to whom we are grateful. diff --git a/cli/README.md b/cli/README.md index 080f5246..68123ded 100644 --- a/cli/README.md +++ b/cli/README.md @@ -1,4 +1,4 @@ -# Solidity Verifier +# Solidity Verifiers CLI _____ ______ ______ ______ ______ ______ ______ | |__| || |__| || |__| || |__| || |__| || |__| || |__| | | () || () || () || () || () || () || () | @@ -20,9 +20,9 @@ | () || () || () || () || () || () || () | |______||______||______||______||______||______||______| -Welcome to Solidity Verifier, a powerful Command-Line Interface (CLI) tool designed to simplify the generation of Solidity smart contracts that verify proofs of Zero Knowledge cryptographic protocols. This tool is developed by the collaborative efforts of the PSE (Privacy & Scaling Explorations) and 0XPARC teams. +Welcome to Solidity Verifiers CLI, a Command-Line Interface (CLI) tool designed to simplify the generation of Solidity smart contracts that verify proofs of Zero Knowledge cryptographic protocols. This tool is developed by the collaborative efforts of the PSE (Privacy & Scaling Explorations) and 0XPARC teams. -As an open-source project, Solidity Verifier is released under the GPL3 license. +Solidity Verifiers CLI is released under the MIT license, but notice that the Solidity template for the Groth16 verification has GPL-3.0 license, hence the generated Solidity verifiers that use the Groth16 template will have that license too. ## Supported Protocols @@ -37,36 +37,35 @@ Solidity Verifier currently supports the generation of Solidity smart contracts - Example credit: [weijiekoh - KZG10 Verifier Contract](https://github.com/weijiekoh/libkzg/blob/master/sol/KZGVerifier.sol) - **Nova + CycleFold Decider:** - - Implements the decider circuit verification for the Nova zero-knowledge proof system in conjunction with the CycleFold protocol optimization. + - Implements the decider circuit verification for the Nova proof system in conjunction with the CycleFold protocol optimization. - Template inspiration and setup credit: [Han - revm/Solidity Contract Testing Functions](https://github.com/privacy-scaling-explorations/halo2-solidity-verifier/tree/main) ## Usage ```bash -solidity-verifier [OPTIONS] -p -pd -o +solidity-verifiers-cli [OPTIONS] -p -d -o ``` A real use case (which was used to test the tool itself): -`solidity-verifier -p groth16 -pd ./folding-verifier-solidity/assets/G16_test_vk_data` +`solidity-verifiers-cli -p groth16 -d ./solidity-verifiers/assets/G16_test_vk_data` This would generate a Groth16 verifier contract for the given G16 data (which consists on the G16_Vkey only) and store this contract in `$pwd`. ### Options: -v, --verbose: Increase logging verbosity -q, --quiet: Decrease logging verbosity -p, --protocol : Selects the protocol for which to generate the Decider circuit Solidity Verifier (possible values: groth16, kzg, nova-cyclefold) - -o, --out : Sets the output path for all generated artifacts (default: /home/kr0/Desktop/HDD/ethereum/folding-schemes/verifier.sol) + -o, --out : Sets the output path for all generated artifacts -d, --protocol-data : Sets the input path for the file containing all the data required by the chosen protocol for verification contract generation --pragma : Selects the Solidity compiler version to be set in the Solidity Verifier contract artifact -h, --help: Print help (see a summary with '-h') -V, --version: Print version ## License -Solidity Verifier is released under the GPL3 license for any of the protocols that include `Groth16`. See the LICENSE file in the project repository for more details. -For the rest of contracts/protocols and the CLI itself, this tooling is released under MIT/Apache license. +Solidity Verifier CLI is released under the MIT license, but notice that the Solidity template for the Groth16 verification has GPL-3.0 license, hence the generated Solidity verifiers will have that license too. ## Contributing -Feel free to explore, use, and contribute to Solidity Verifier as we strive to enhance privacy and scalability in the blockchain space! -We welcome contributions to Solidity Verifier! If you encounter any issues, have feature requests, or want to contribute to the codebase, please check out the GitHub repository and follow the guidelines outlined in the contributing documentation. +Feel free to explore, use, and contribute to Solidity Verifiers CLI as we strive to enhance privacy and scalability in the blockchain space! +We welcome contributions to Solidity Verifiers CLI! If you encounter any issues, have feature requests, or want to contribute to the codebase, please check out the GitHub repository and follow the guidelines outlined in the contributing documentation. diff --git a/cli/src/settings.rs b/cli/src/settings.rs index 99020bba..c867f584 100644 --- a/cli/src/settings.rs +++ b/cli/src/settings.rs @@ -43,7 +43,7 @@ impl Protocol { } } -const ABOUT: &str = "A powerful Command-Line Interface (CLI) tool designed to simplify the generation of Solidity smart contracts that verify proofs of Zero Knowledge cryptographic protocols. +const ABOUT: &str = "A Command-Line Interface (CLI) tool designed to simplify the generation of Solidity smart contracts that verify proofs of Zero Knowledge cryptographic protocols. "; const LONG_ABOUT: &str = " @@ -68,10 +68,9 @@ const LONG_ABOUT: &str = " | () || () || () || () || () || () || () | |______||______||______||______||______||______||______| -Welcome to Solidity Verifier, a powerful Command-Line Interface (CLI) tool designed to simplify the generation of Solidity smart contracts that verify proofs of Zero Knowledge cryptographic protocols. -for Zero Knowledge protocols. This tool is developed by the collaborative efforts of the PSE (Privacy & Scaling Explorations) and 0XPARC teams. +Welcome to Solidity Verifiers CLI, a Command-Line Interface (CLI) tool designed to simplify the generation of Solidity smart contracts that verify proofs of Zero Knowledge cryptographic protocols. This tool is developed by the collaborative efforts of the PSE (Privacy & Scaling Explorations) and 0XPARC teams. -As an open-source project, Solidity Verifier is released under the GPL3 license. +Solidity Verifiers CLI is released under the MIT license, but notice that the Solidity template for the Groth16 verification has GPL-3.0 license, hence the generated Solidity verifiers that use the Groth16 template will have that license too. Solidity Verifier currently supports the generation of Solidity smart contracts for the verification of proofs in the following Zero Knowledge protocols: @@ -82,13 +81,13 @@ Solidity Verifier currently supports the generation of Solidity smart contracts Uses the Kate-Zaverucha-Goldberg polynomial commitment scheme. Nova + CycleFold Decider: - Implements the decider circuit verification for the Nova zero-knowledge proof system in conjunction with the CycleFold protocol optimization. + Implements the decider circuit verification for the Nova proof system in conjunction with the CycleFold protocol optimization. "; #[derive(Debug, Parser)] #[command(author = "0XPARC & PSE", version, about = ABOUT, long_about = Some(LONG_ABOUT))] #[command(propagate_version = true)] /// A tool to create Solidity Contracts which act as verifiers for the major Folding Schemes implemented -/// within the `folding-schemes` repo. +/// within the `sonobe` repo. pub(crate) struct Cli { #[command(flatten)] pub verbosity: clap_verbosity_flag::Verbosity, diff --git a/folding-schemes/src/folding/nova/decider_eth_circuit.rs b/folding-schemes/src/folding/nova/decider_eth_circuit.rs index bf0032b7..d83a76bc 100644 --- a/folding-schemes/src/folding/nova/decider_eth_circuit.rs +++ b/folding-schemes/src/folding/nova/decider_eth_circuit.rs @@ -493,7 +493,7 @@ where incircuit_c_E.enforce_equal(&kzg_c_E)?; // Check 7 is temporary disabled due - // https://github.com/privacy-scaling-explorations/folding-schemes/issues/80 + // https://github.com/privacy-scaling-explorations/sonobe/issues/80 // // 7. check eval_W==p_W(c_W) and eval_E==p_E(c_E) // let incircuit_eval_W = evaluate_gadget::>(W_i1.W, incircuit_c_W)?; @@ -874,7 +874,7 @@ pub mod tests { } // The test test_polynomial_interpolation is temporary disabled due - // https://github.com/privacy-scaling-explorations/folding-schemes/issues/80 + // https://github.com/privacy-scaling-explorations/sonobe/issues/80 // for n<=11 it will work, but for n>11 it will fail with stack overflow. #[ignore] #[test] diff --git a/solidity-verifiers/README.md b/solidity-verifiers/README.md index 9318de26..8311d654 100644 --- a/solidity-verifiers/README.md +++ b/solidity-verifiers/README.md @@ -1,3 +1,6 @@ # `solidity-verifiers` -This crate implements templating logic to output verifier contracts for `folding-schemes`-generated decider proofs. \ No newline at end of file +This crate implements templating logic to output verifier contracts for `sonobe`-generated decider proofs. +This crate is accompanied with the [cli](https://github.com/privacy-scaling-explorations/sonobe/tree/main/cli) crate, which allows to generate the Solidity contracts from the command line. + +To run the tests it needs [solc](https://docs.soliditylang.org/en/latest/installing-solidity.html) installed. diff --git a/solidity-verifiers/templates/kzg10_verifier.askama.sol b/solidity-verifiers/templates/kzg10_verifier.askama.sol index c708dcf4..c3b55227 100644 --- a/solidity-verifiers/templates/kzg10_verifier.askama.sol +++ b/solidity-verifiers/templates/kzg10_verifier.askama.sol @@ -1,7 +1,7 @@ /** * @author Privacy and Scaling Explorations team - pse.dev * @dev Contains utility functions for ops in BN254; in G_1 mostly. - * @notice Forked from https://github.com/weijiekoh/libkzg/tree/master. + * @notice Forked from https://github.com/weijiekoh/libkzg. * Among others, a few of the changes we did on this fork were: * - Templating the pragma version * - Removing type wrappers and use uints instead