implement Nova's Offchain Decider (prover & verifier) for non-ethereu…

…m cases (#164) The idea & motivation is that the [onchain decider](https://privacy-scaling-explorations.github.io/sonobe-docs/design/nova-decider-onchain.html) could still be used for non-onchain verification but the proving time is big (eg. a little bit less than 3 minutes on my laptop) since the circuit is big due the EVM constraints. Whereas with this new [offchain decider](https://privacy-scaling-explorations.github.io/sonobe-docs/design/nova-decider-offchain.html) we can generate the proofs much faster for the cases where it is not required to verify the proofs in the EVM. The code is mostly abstracted from any specifics of the current usage of Groth16 & KZG10, with the idea that eventually in the future we can have Spartan plugged in and use non-pairing-curves such as pallas&vesta. For the current version it relies on KZG10 commitments. The logic implemented in the code of this commit can be found at the updated docs section 'offchain decider': https://privacy-scaling-explorations.github.io/sonobe-docs/design/nova-decider-offchain.html
privacy-scaling-explorations · Oct 3, 2024 · edcef6c · edcef6c
1 parent 88bbd9c
commit edcef6c
Show file tree

Hide file tree

Showing 6 changed files with 541 additions and 39 deletions.
diff --git a/folding-schemes/Cargo.toml b/folding-schemes/Cargo.toml
@@ -41,6 +41,10 @@ ark-pallas = {version="0.4.0", features=["r1cs"]}
 ark-vesta = {version="0.4.0", features=["r1cs"]}
 ark-bn254 = {version="0.4.0", features=["r1cs"]}
 ark-grumpkin = {version="0.4.0", features=["r1cs"]}
+# Note: do not use the MNTx_298 curves in practice due security reasons, here
+# we only use them in the tests.
+ark-mnt4-298 = {version="0.4.0", features=["r1cs"]}
+ark-mnt6-298 = {version="0.4.0", features=["r1cs"]}
 rand = "0.8.5"
 tracing = { version = "0.1", default-features = false, features = [ "attributes" ] }
 tracing-subscriber = { version = "0.2" }

diff --git a/folding-schemes/src/folding/circuits/cyclefold.rs b/folding-schemes/src/folding/circuits/cyclefold.rs
@@ -61,8 +61,10 @@ where
         f().and_then(|val| {
             let cs = cs.into();
 
-            let u = NonNativeUintVar::new_variable(cs.clone(), || Ok(val.borrow().u), mode)?;
-            let x = Vec::new_variable(cs.clone(), || Ok(val.borrow().x.clone()), mode)?;
+            let u =
+                NonNativeUintVar::<CF2<C>>::new_variable(cs.clone(), || Ok(val.borrow().u), mode)?;
+            let x: Vec<NonNativeUintVar<CF2<C>>> =
+                Vec::new_variable(cs.clone(), || Ok(val.borrow().x.clone()), mode)?;
             let cmE = GC::new_variable(cs.clone(), || Ok(val.borrow().cmE), mode)?;
             let cmW = GC::new_variable(cs.clone(), || Ok(val.borrow().cmW), mode)?;