Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Onchain decider for Protogalaxy #172

Merged
merged 5 commits into from
Nov 27, 2024
Merged

Onchain decider for Protogalaxy #172

merged 5 commits into from
Nov 27, 2024

Conversation

winderica
Copy link
Collaborator

Depends on #145.

This PR implements the onchain decider for Protogalaxy, which follows the design of Nova's decider described in Sonobe docs.

Specifically, the prover generates a Groth16 proof for the decider circuit and a KZG proof for the commitment $\phi$ in Protogalaxy's committed instance.

sonobe/folding-schemes/src/folding/protogalaxy/decider_eth.rs

Lines 160 to 171 in 6a8ccad

let kzg_proofs = circuit
.W_i1
.get_openings()
.iter()
.zip(&kzg_challenges)
.map(|((v, _), &c)| {
CS1::prove_with_challenge(&cs_pk, c, v, &C1::ScalarField::zero(), None)
})
.collect::<Result<Vec<_>, _>>()?;
let snark_proof =
S::prove(&snark_pk, circuit, &mut rng).map_err(|e| Error::Other(e.to_string()))?;

In addition, the randomness (i.e., the evaluations of $L_0(X), ..., L_k(X)$ at $\gamma$) are also included in the proof.

sonobe/folding-schemes/src/folding/protogalaxy/decider_eth.rs

Line 153 in 6a8ccad

let L_X_evals = circuit.randomness.clone();

sonobe/folding-schemes/src/folding/protogalaxy/decider_eth.rs

Lines 173 to 178 in 6a8ccad

Ok(Self::Proof {
snark_proof,
L_X_evals,
kzg_proofs: kzg_proofs.try_into().unwrap(),
kzg_challenges: kzg_challenges.try_into().unwrap(),
})

Later, the verifier uses the randomness to compute the group operations in NIFS.V, i.e., the random linear combination of commitments in the running and incoming instances.

sonobe/folding-schemes/src/folding/protogalaxy/decider_eth.rs

Lines 201 to 207 in 6a8ccad

// 6.2. Fold the commitments
let U_final_commitments = DeciderProtoGalaxyGadget::fold_group_elements_native(
running_commitments,
incoming_commitments,
None,
proof.L_X_evals.clone(),
)?;

With the folded commitment U_final_commitments as a public input, the verifier checks the validity of Groth16 proof. The KZG proof is also verified against U_final_commitments.

sonobe/folding-schemes/src/folding/protogalaxy/decider_eth.rs

Lines 209 to 237 in 6a8ccad

let public_input = [
&[pp_hash, i][..],
&z_0,
&z_i,
&U_final_commitments
.iter()
.flat_map(|c| c.inputize())
.collect::<Vec<_>>(),
&proof.kzg_challenges,
&proof.kzg_proofs.iter().map(|p| p.eval).collect::<Vec<_>>(),
&proof.L_X_evals,
]
.concat();
let snark_v = S::verify(&snark_vp, &public_input, &proof.snark_proof)
.map_err(|e| Error::Other(e.to_string()))?;
if !snark_v {
return Err(Error::SNARKVerificationFail);
}
// 7.3. Verify the KZG proofs
for ((cm, &c), pi) in U_final_commitments
.iter()
.zip(&proof.kzg_challenges)
.zip(&proof.kzg_proofs)
{
// we're at the Ethereum EVM case, so the CS1 is KZG commitments
CS1::verify_with_challenge(&cs_vp, c, cm, pi)?;
}

Note that the decider circuit already enforces that the randomness indeed consists of the evaluations of $L_i(X)$, so the prover cannot cheat by providing the verifier with incorrect randomness.

@winderica winderica mentioned this pull request Nov 11, 2024
Open
13 tasks
@arnaucube arnaucube added ProtoGalaxy decider decider/compressed snark labels Nov 25, 2024
@arnaucube arnaucube mentioned this pull request Nov 25, 2024
Merged
arnaucube
arnaucube approved these changes Nov 27, 2024
View reviewed changes
Copy link
Collaborator

@arnaucube arnaucube left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great job!

@arnaucube arnaucube added this pull request to the merge queue Nov 27, 2024
Merged via the queue into privacy-scaling-explorations:main with commit 40dccb1 Nov 27, 2024
8 checks passed
arnaucube added a commit that referenced this pull request Nov 27, 2024
@arnaucube
Revert "Onchain decider for Protogalaxy (#172)"
129c828 
This reverts commit 40dccb1.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arnaucube arnaucube arnaucube approved these changes

Assignees
No one assigned
Labels
decider decider/compressed snark ProtoGalaxy
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@winderica @arnaucube