diff --git a/Cargo.lock b/Cargo.lock
index 29a5ffb7f..a025f7e29 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -3153,7 +3153,6 @@ dependencies = [
[[package]]
name = "whir"
version = "0.1.0"
-source = "git+https://github.com/scroll-tech/whir?branch=feat%2Fceno-binding-batch#cc05cba75d96a5c3caa78e06a6279ca741954c2b"
dependencies = [
"ark-crypto-primitives",
"ark-ff",
diff --git a/Cargo.toml b/Cargo.toml
index 462acb8c5..615ed199f 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -12,6 +12,7 @@ members = [
"poseidon",
"sumcheck",
"transcript",
+ "whir",
]
resolver = "2"
diff --git a/mpcs/Cargo.toml b/mpcs/Cargo.toml
index 318ff6a31..54305ecc7 100644
--- a/mpcs/Cargo.toml
+++ b/mpcs/Cargo.toml
@@ -35,7 +35,7 @@ rand_chacha.workspace = true
rayon = { workspace = true, optional = true }
serde.workspace = true
transcript = { path = "../transcript" }
-whir = { git = "https://github.com/scroll-tech/whir", branch = "feat/ceno-binding-batch", features = ["ceno"] }
+whir = { path = "../whir", features = ["ceno"] }
zeroize = "1.8"
[dev-dependencies]
diff --git a/whir/.github/workflows/rust.yml b/whir/.github/workflows/rust.yml
new file mode 100644
index 000000000..11b7199e8
--- /dev/null
+++ b/whir/.github/workflows/rust.yml
@@ -0,0 +1,24 @@
+name: Rust
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+env:
+ CARGO_TERM_COLOR: always
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Switch toolchain
+ run: rustup update nightly && rustup default nightly
+ - name: Build
+ run: cargo build --release --verbose
+ - name: Run tests
+ run: cargo test --release --verbose
diff --git a/whir/.gitignore b/whir/.gitignore
new file mode 100644
index 000000000..83fff18b6
--- /dev/null
+++ b/whir/.gitignore
@@ -0,0 +1,12 @@
+/target
+scripts/temp/
+bench_utils/target
+*_proof
+artifacts
+outputs/temp/
+*.pdf
+scripts/__pycache__/
+.DS_Store
+outputs/
+.idea
+.vscode
\ No newline at end of file
diff --git a/whir/Cargo.lock b/whir/Cargo.lock
new file mode 100644
index 000000000..c3207f271
--- /dev/null
+++ b/whir/Cargo.lock
@@ -0,0 +1,1300 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 4
+
+[[package]]
+name = "ahash"
+version = "0.8.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e89da841a80418a9b391ebaea17f5c112ffaaa96f621d2c285b5174da76b9011"
+dependencies = [
+ "cfg-if",
+ "once_cell",
+ "version_check",
+ "zerocopy",
+]
+
+[[package]]
+name = "allocator-api2"
+version = "0.2.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "45862d1c77f2228b9e10bc609d5bc203d86ebc9b87ad8d5d5167a6c9abf739d9"
+
+[[package]]
+name = "anstream"
+version = "0.6.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8acc5369981196006228e28809f761875c0327210a891e941f4c683b3a99529b"
+dependencies = [
+ "anstyle",
+ "anstyle-parse",
+ "anstyle-query",
+ "anstyle-wincon",
+ "colorchoice",
+ "is_terminal_polyfill",
+ "utf8parse",
+]
+
+[[package]]
+name = "anstyle"
+version = "1.0.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "55cc3b69f167a1ef2e161439aa98aed94e6028e5f9a59be9a6ffb47aef1651f9"
+
+[[package]]
+name = "anstyle-parse"
+version = "0.2.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3b2d16507662817a6a20a9ea92df6652ee4f94f914589377d69f3b21bc5798a9"
+dependencies = [
+ "utf8parse",
+]
+
+[[package]]
+name = "anstyle-query"
+version = "1.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "79947af37f4177cfead1110013d678905c37501914fba0efea834c3fe9a8d60c"
+dependencies = [
+ "windows-sys",
+]
+
+[[package]]
+name = "anstyle-wincon"
+version = "3.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2109dbce0e72be3ec00bed26e6a7479ca384ad226efdd66db8fa2e3a38c83125"
+dependencies = [
+ "anstyle",
+ "windows-sys",
+]
+
+[[package]]
+name = "ark-crypto-primitives"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e0c292754729c8a190e50414fd1a37093c786c709899f29c9f7daccecfa855e"
+dependencies = [
+ "ahash",
+ "ark-crypto-primitives-macros",
+ "ark-ec",
+ "ark-ff",
+ "ark-relations",
+ "ark-serialize",
+ "ark-snark",
+ "ark-std",
+ "blake2",
+ "derivative",
+ "digest",
+ "fnv",
+ "hashbrown 0.14.5",
+ "merlin",
+ "rayon",
+ "sha2",
+]
+
+[[package]]
+name = "ark-crypto-primitives-macros"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e7e89fe77d1f0f4fe5b96dfc940923d88d17b6a773808124f21e764dfb063c6a"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.87",
+]
+
+[[package]]
+name = "ark-ec"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "43d68f2d516162846c1238e755a7c4d131b892b70cc70c471a8e3ca3ed818fce"
+dependencies = [
+ "ahash",
+ "ark-ff",
+ "ark-poly",
+ "ark-serialize",
+ "ark-std",
+ "educe",
+ "fnv",
+ "hashbrown 0.15.1",
+ "itertools 0.13.0",
+ "num-bigint",
+ "num-integer",
+ "num-traits",
+ "rayon",
+ "zeroize",
+]
+
+[[package]]
+name = "ark-ff"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a177aba0ed1e0fbb62aa9f6d0502e9b46dad8c2eab04c14258a1212d2557ea70"
+dependencies = [
+ "ark-ff-asm",
+ "ark-ff-macros",
+ "ark-serialize",
+ "ark-std",
+ "arrayvec",
+ "digest",
+ "educe",
+ "itertools 0.13.0",
+ "num-bigint",
+ "num-traits",
+ "paste",
+ "rayon",
+ "zeroize",
+]
+
+[[package]]
+name = "ark-ff-asm"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "62945a2f7e6de02a31fe400aa489f0e0f5b2502e69f95f853adb82a96c7a6b60"
+dependencies = [
+ "quote",
+ "syn 2.0.87",
+]
+
+[[package]]
+name = "ark-ff-macros"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09be120733ee33f7693ceaa202ca41accd5653b779563608f1234f78ae07c4b3"
+dependencies = [
+ "num-bigint",
+ "num-traits",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.87",
+]
+
+[[package]]
+name = "ark-poly"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "579305839da207f02b89cd1679e50e67b4331e2f9294a57693e5051b7703fe27"
+dependencies = [
+ "ahash",
+ "ark-ff",
+ "ark-serialize",
+ "ark-std",
+ "educe",
+ "fnv",
+ "hashbrown 0.15.1",
+ "rayon",
+]
+
+[[package]]
+name = "ark-relations"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ec46ddc93e7af44bcab5230937635b06fb5744464dd6a7e7b083e80ebd274384"
+dependencies = [
+ "ark-ff",
+ "ark-std",
+ "tracing",
+ "tracing-subscriber",
+]
+
+[[package]]
+name = "ark-serialize"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3f4d068aaf107ebcd7dfb52bc748f8030e0fc930ac8e360146ca54c1203088f7"
+dependencies = [
+ "ark-serialize-derive",
+ "ark-std",
+ "arrayvec",
+ "digest",
+ "num-bigint",
+ "rayon",
+]
+
+[[package]]
+name = "ark-serialize-derive"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "213888f660fddcca0d257e88e54ac05bca01885f258ccdf695bafd77031bb69d"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.87",
+]
+
+[[package]]
+name = "ark-snark"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d368e2848c2d4c129ce7679a7d0d2d612b6a274d3ea6a13bad4445d61b381b88"
+dependencies = [
+ "ark-ff",
+ "ark-relations",
+ "ark-serialize",
+ "ark-std",
+]
+
+[[package]]
+name = "ark-std"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "246a225cc6131e9ee4f24619af0f19d67761fff15d7ccc22e42b80846e69449a"
+dependencies = [
+ "colored",
+ "num-traits",
+ "rand",
+ "rayon",
+]
+
+[[package]]
+name = "ark-test-curves"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5cc137bb3271671a597ae79157030f88affe9fa7975207c3b781a01cb9ed0372"
+dependencies = [
+ "ark-ec",
+ "ark-ff",
+ "ark-std",
+]
+
+[[package]]
+name = "arrayref"
+version = "0.3.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "76a2e8124351fda1ef8aaaa3bbd7ebbcb486bbcd4225aca0aa0d84bb2db8fecb"
+
+[[package]]
+name = "arrayvec"
+version = "0.7.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7c02d123df017efcdfbd739ef81735b36c5ba83ec3c59c80a9d7ecc718f92e50"
+
+[[package]]
+name = "autocfg"
+version = "1.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ace50bade8e6234aa140d9a2f552bbee1db4d353f69b8217bc503490fc1a9f26"
+
+[[package]]
+name = "bitvec"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1bc2832c24239b0141d5674bb9174f9d68a8b5b3f2753311927c172ca46f7e9c"
+dependencies = [
+ "funty",
+ "radium",
+ "tap",
+ "wyz",
+]
+
+[[package]]
+name = "blake2"
+version = "0.10.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "46502ad458c9a52b69d4d4d32775c788b7a1b85e8bc9d482d92250fc0e3f8efe"
+dependencies = [
+ "digest",
+]
+
+[[package]]
+name = "blake2b_simd"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "23285ad32269793932e830392f2fe2f83e26488fd3ec778883a93c8323735780"
+dependencies = [
+ "arrayref",
+ "arrayvec",
+ "constant_time_eq",
+]
+
+[[package]]
+name = "blake3"
+version = "1.5.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d82033247fd8e890df8f740e407ad4d038debb9eb1f40533fffb32e7d17dc6f7"
+dependencies = [
+ "arrayref",
+ "arrayvec",
+ "cc",
+ "cfg-if",
+ "constant_time_eq",
+]
+
+[[package]]
+name = "block-buffer"
+version = "0.10.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71"
+dependencies = [
+ "generic-array",
+]
+
+[[package]]
+name = "bytemuck"
+version = "1.19.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8334215b81e418a0a7bdb8ef0849474f40bb10c8b71f1c4ed315cff49f32494d"
+
+[[package]]
+name = "byteorder"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b"
+
+[[package]]
+name = "cc"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fd9de9f2205d5ef3fd67e685b0df337994ddd4495e2a28d185500d0e1edfea47"
+dependencies = [
+ "shlex",
+]
+
+[[package]]
+name = "cfg-if"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
+
+[[package]]
+name = "clap"
+version = "4.5.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fb3b4b9e5a7c7514dfa52869339ee98b3156b0bfb4e8a77c4ff4babb64b1604f"
+dependencies = [
+ "clap_builder",
+ "clap_derive",
+]
+
+[[package]]
+name = "clap_builder"
+version = "4.5.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b17a95aa67cc7b5ebd32aa5370189aa0d79069ef1c64ce893bd30fb24bff20ec"
+dependencies = [
+ "anstream",
+ "anstyle",
+ "clap_lex",
+ "strsim",
+]
+
+[[package]]
+name = "clap_derive"
+version = "4.5.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4ac6a0c7b1a9e9a5186361f67dfa1b88213572f427fb9ab038efb2bd8c582dab"
+dependencies = [
+ "heck",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.87",
+]
+
+[[package]]
+name = "clap_lex"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "afb84c814227b90d6895e01398aee0d8033c00e7466aca416fb6a8e0eb19d8a7"
+
+[[package]]
+name = "colorchoice"
+version = "1.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5b63caa9aa9397e2d9480a9b13673856c78d8ac123288526c37d7839f2a86990"
+
+[[package]]
+name = "colored"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "117725a109d387c937a1533ce01b450cbde6b88abceea8473c4d7a85853cda3c"
+dependencies = [
+ "lazy_static",
+ "windows-sys",
+]
+
+[[package]]
+name = "constant_time_eq"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7c74b8349d32d297c9134b8c88677813a227df8f779daa29bfc29c183fe3dca6"
+
+[[package]]
+name = "cpufeatures"
+version = "0.2.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0ca741a962e1b0bff6d724a1a0958b686406e853bb14061f218562e1896f95e6"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "crossbeam-deque"
+version = "0.8.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "613f8cc01fe9cf1a3eb3d7f488fd2fa8388403e97039e2f73692932e291a770d"
+dependencies = [
+ "crossbeam-epoch",
+ "crossbeam-utils",
+]
+
+[[package]]
+name = "crossbeam-epoch"
+version = "0.9.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5b82ac4a3c2ca9c3460964f020e1402edd5753411d7737aa39c3714ad1b5420e"
+dependencies = [
+ "crossbeam-utils",
+]
+
+[[package]]
+name = "crossbeam-utils"
+version = "0.8.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "22ec99545bb0ed0ea7bb9b8e1e9122ea386ff8a48c0922e43f36d45ab09e0e80"
+
+[[package]]
+name = "crypto-common"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3"
+dependencies = [
+ "generic-array",
+ "typenum",
+]
+
+[[package]]
+name = "derivative"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fcc3dd5e9e9c0b295d6e1e4d811fb6f157d5ffd784b8d202fc62eac8035a770b"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 1.0.109",
+]
+
+[[package]]
+name = "derive_more"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4a9b99b9cbbe49445b21764dc0625032a89b145a2642e67603e1c936f5458d05"
+dependencies = [
+ "derive_more-impl",
+]
+
+[[package]]
+name = "derive_more-impl"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cb7330aeadfbe296029522e6c40f315320aba36fc43a5b3632f3795348f3bd22"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.87",
+ "unicode-xid",
+]
+
+[[package]]
+name = "digest"
+version = "0.10.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
+dependencies = [
+ "block-buffer",
+ "crypto-common",
+ "subtle",
+]
+
+[[package]]
+name = "educe"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1d7bc049e1bd8cdeb31b68bbd586a9464ecf9f3944af3958a7a9d0f8b9799417"
+dependencies = [
+ "enum-ordinalize",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.87",
+]
+
+[[package]]
+name = "either"
+version = "1.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "60b1af1c220855b6ceac025d3f6ecdd2b7c4894bfe9cd9bda4fbb4bc7c0d4cf0"
+
+[[package]]
+name = "enum-ordinalize"
+version = "4.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fea0dcfa4e54eeb516fe454635a95753ddd39acda650ce703031c6973e315dd5"
+dependencies = [
+ "enum-ordinalize-derive",
+]
+
+[[package]]
+name = "enum-ordinalize-derive"
+version = "4.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0d28318a75d4aead5c4db25382e8ef717932d0346600cacae6357eb5941bc5ff"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.87",
+]
+
+[[package]]
+name = "ff"
+version = "0.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ded41244b729663b1e574f1b4fb731469f69f79c17667b5d776b16cda0479449"
+dependencies = [
+ "bitvec",
+ "rand_core",
+ "subtle",
+]
+
+[[package]]
+name = "fnv"
+version = "1.0.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
+
+[[package]]
+name = "funty"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e6d5a32815ae3f33302d95fdcb2ce17862f8c65363dcfd29360480ba1001fc9c"
+
+[[package]]
+name = "generic-array"
+version = "0.14.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
+dependencies = [
+ "typenum",
+ "version_check",
+]
+
+[[package]]
+name = "getrandom"
+version = "0.2.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c4567c8db10ae91089c99af84c68c38da3ec2f087c3f82960bcdbf3656b6f4d7"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "wasi",
+]
+
+[[package]]
+name = "goldilocks"
+version = "0.1.0"
+source = "git+https://github.com/scroll-tech/ceno-Goldilocks#29a15d186ce4375dab346a3cc9eca6e43540cb8d"
+dependencies = [
+ "ff",
+ "halo2curves",
+ "itertools 0.12.1",
+ "rand_core",
+ "serde",
+ "subtle",
+]
+
+[[package]]
+name = "group"
+version = "0.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f0f9ef7462f7c099f518d754361858f86d8a07af53ba9af0fe635bbccb151a63"
+dependencies = [
+ "ff",
+ "rand_core",
+ "subtle",
+]
+
+[[package]]
+name = "halo2curves"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e6b1142bd1059aacde1b477e0c80c142910f1ceae67fc619311d6a17428007ab"
+dependencies = [
+ "blake2b_simd",
+ "ff",
+ "group",
+ "lazy_static",
+ "num-bigint",
+ "num-traits",
+ "pasta_curves",
+ "paste",
+ "rand",
+ "rand_core",
+ "static_assertions",
+ "subtle",
+]
+
+[[package]]
+name = "hashbrown"
+version = "0.14.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e5274423e17b7c9fc20b6e7e208532f9b19825d82dfd615708b70edd83df41f1"
+dependencies = [
+ "allocator-api2",
+]
+
+[[package]]
+name = "hashbrown"
+version = "0.15.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3a9bfc1af68b1726ea47d3d5109de126281def866b33970e10fbab11b5dafab3"
+dependencies = [
+ "allocator-api2",
+]
+
+[[package]]
+name = "heck"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
+
+[[package]]
+name = "hex"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
+
+[[package]]
+name = "is_terminal_polyfill"
+version = "1.70.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7943c866cc5cd64cbc25b2e01621d07fa8eb2a1a23160ee81ce38704e97b8ecf"
+
+[[package]]
+name = "itertools"
+version = "0.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ba291022dbbd398a455acf126c1e341954079855bc60dfdda641363bd6922569"
+dependencies = [
+ "either",
+]
+
+[[package]]
+name = "itertools"
+version = "0.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "413ee7dfc52ee1a4949ceeb7dbc8a33f2d6c088194d9f922fb8318faf1f01186"
+dependencies = [
+ "either",
+]
+
+[[package]]
+name = "itertools"
+version = "0.14.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2b192c782037fadd9cfa75548310488aabdbf3d2da73885b31bd0abd03351285"
+dependencies = [
+ "either",
+]
+
+[[package]]
+name = "itoa"
+version = "1.0.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "49f1f14873335454500d59611f1cf4a4b0f786f9ac11f4312a78e4cf2566695b"
+
+[[package]]
+name = "keccak"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ecc2af9a1119c51f12a14607e783cb977bde58bc069ff0c3da1095e635d70654"
+dependencies = [
+ "cpufeatures",
+]
+
+[[package]]
+name = "lazy_static"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"
+dependencies = [
+ "spin",
+]
+
+[[package]]
+name = "libc"
+version = "0.2.162"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "18d287de67fe55fd7e1581fe933d965a5a9477b38e949cfa9f8574ef01506398"
+
+[[package]]
+name = "log"
+version = "0.4.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a7a70ba024b9dc04c27ea2f0c0548feb474ec5c54bba33a7f72f873a39d07b24"
+
+[[package]]
+name = "memchr"
+version = "2.7.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3"
+
+[[package]]
+name = "merlin"
+version = "3.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "58c38e2799fc0978b65dfff8023ec7843e2330bb462f19198840b34b6582397d"
+dependencies = [
+ "byteorder",
+ "keccak",
+ "rand_core",
+ "zeroize",
+]
+
+[[package]]
+name = "nimue"
+version = "0.2.0"
+source = "git+https://github.com/arkworks-rs/nimue#b28eb124420eede1a890e3c64b37adfff94938d3"
+dependencies = [
+ "ark-ec",
+ "ark-ff",
+ "ark-serialize",
+ "digest",
+ "generic-array",
+ "hex",
+ "keccak",
+ "log",
+ "rand",
+ "zeroize",
+]
+
+[[package]]
+name = "nimue-pow"
+version = "0.1.0"
+source = "git+https://github.com/arkworks-rs/nimue#b28eb124420eede1a890e3c64b37adfff94938d3"
+dependencies = [
+ "blake3",
+ "bytemuck",
+ "keccak",
+ "nimue",
+ "rayon",
+]
+
+[[package]]
+name = "num-bigint"
+version = "0.4.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a5e44f723f1133c9deac646763579fdb3ac745e418f2a7af9cd0c431da1f20b9"
+dependencies = [
+ "num-integer",
+ "num-traits",
+]
+
+[[package]]
+name = "num-integer"
+version = "0.1.46"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7969661fd2958a5cb096e56c8e1ad0444ac2bbcd0061bd28660485a44879858f"
+dependencies = [
+ "num-traits",
+]
+
+[[package]]
+name = "num-traits"
+version = "0.2.19"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
+dependencies = [
+ "autocfg",
+]
+
+[[package]]
+name = "once_cell"
+version = "1.20.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1261fe7e33c73b354eab43b1273a57c8f967d0391e80353e51f764ac02cf6775"
+
+[[package]]
+name = "pasta_curves"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3e57598f73cc7e1b2ac63c79c517b31a0877cd7c402cdcaa311b5208de7a095"
+dependencies = [
+ "blake2b_simd",
+ "ff",
+ "group",
+ "lazy_static",
+ "rand",
+ "static_assertions",
+ "subtle",
+]
+
+[[package]]
+name = "paste"
+version = "1.0.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "57c0d7b74b563b49d38dae00a0c37d4d6de9b432382b2892f0574ddcae73fd0a"
+
+[[package]]
+name = "pin-project-lite"
+version = "0.2.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "915a1e146535de9163f3987b8944ed8cf49a18bb0056bcebcdcece385cece4ff"
+
+[[package]]
+name = "ppv-lite86"
+version = "0.2.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "77957b295656769bb8ad2b6a6b09d897d94f05c41b069aede1fcdaa675eaea04"
+dependencies = [
+ "zerocopy",
+]
+
+[[package]]
+name = "proc-macro2"
+version = "1.0.89"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f139b0662de085916d1fb67d2b4169d1addddda1919e696f3252b740b629986e"
+dependencies = [
+ "unicode-ident",
+]
+
+[[package]]
+name = "quote"
+version = "1.0.37"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b5b9d34b8991d19d98081b46eacdd8eb58c6f2b201139f7c5f643cc155a633af"
+dependencies = [
+ "proc-macro2",
+]
+
+[[package]]
+name = "radium"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dc33ff2d4973d518d823d61aa239014831e521c75da58e3df4840d3f47749d09"
+
+[[package]]
+name = "rand"
+version = "0.8.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
+dependencies = [
+ "libc",
+ "rand_chacha",
+ "rand_core",
+]
+
+[[package]]
+name = "rand_chacha"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
+dependencies = [
+ "ppv-lite86",
+ "rand_core",
+]
+
+[[package]]
+name = "rand_core"
+version = "0.6.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
+dependencies = [
+ "getrandom",
+]
+
+[[package]]
+name = "rayon"
+version = "1.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b418a60154510ca1a002a752ca9714984e21e4241e804d32555251faf8b78ffa"
+dependencies = [
+ "either",
+ "rayon-core",
+]
+
+[[package]]
+name = "rayon-core"
+version = "1.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1465873a3dfdaa8ae7cb14b4383657caab0b3e8a0aa9ae8e04b044854c8dfce2"
+dependencies = [
+ "crossbeam-deque",
+ "crossbeam-utils",
+]
+
+[[package]]
+name = "ryu"
+version = "1.0.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f3cb5ba0dc43242ce17de99c180e96db90b235b8a9fdc9543c96d2209116bd9f"
+
+[[package]]
+name = "serde"
+version = "1.0.215"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6513c1ad0b11a9376da888e3e0baa0077f1aed55c17f50e7b2397136129fb88f"
+dependencies = [
+ "serde_derive",
+]
+
+[[package]]
+name = "serde_derive"
+version = "1.0.215"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ad1e866f866923f252f05c889987993144fb74e722403468a4ebd70c3cd756c0"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.87",
+]
+
+[[package]]
+name = "serde_json"
+version = "1.0.132"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d726bfaff4b320266d395898905d0eba0345aae23b54aee3a737e260fd46db03"
+dependencies = [
+ "itoa",
+ "memchr",
+ "ryu",
+ "serde",
+]
+
+[[package]]
+name = "sha2"
+version = "0.10.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "793db75ad2bcafc3ffa7c68b215fee268f537982cd901d132f89c6343f3a3dc8"
+dependencies = [
+ "cfg-if",
+ "cpufeatures",
+ "digest",
+]
+
+[[package]]
+name = "sha3"
+version = "0.10.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75872d278a8f37ef87fa0ddbda7802605cb18344497949862c0d4dcb291eba60"
+dependencies = [
+ "digest",
+ "keccak",
+]
+
+[[package]]
+name = "shlex"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
+
+[[package]]
+name = "spin"
+version = "0.9.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67"
+
+[[package]]
+name = "static_assertions"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a2eb9349b6444b326872e140eb1cf5e7c522154d69e7a0ffb0fb81c06b37543f"
+
+[[package]]
+name = "strength_reduce"
+version = "0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fe895eb47f22e2ddd4dabc02bce419d2e643c8e3b585c78158b349195bc24d82"
+
+[[package]]
+name = "strsim"
+version = "0.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f"
+
+[[package]]
+name = "subtle"
+version = "2.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
+
+[[package]]
+name = "syn"
+version = "1.0.109"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
+
+[[package]]
+name = "syn"
+version = "2.0.87"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "25aa4ce346d03a6dcd68dd8b4010bcb74e54e62c90c573f394c46eae99aba32d"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
+
+[[package]]
+name = "tap"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "55937e1799185b12863d447f42597ed69d9928686b8d88a1df17376a097d8369"
+
+[[package]]
+name = "thiserror"
+version = "1.0.69"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6aaf5339b578ea85b50e080feb250a3e8ae8cfcdff9a461c9ec2904bc923f52"
+dependencies = [
+ "thiserror-impl",
+]
+
+[[package]]
+name = "thiserror-impl"
+version = "1.0.69"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.87",
+]
+
+[[package]]
+name = "tracing"
+version = "0.1.40"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c3523ab5a71916ccf420eebdf5521fcef02141234bbc0b8a49f2fdc4544364ef"
+dependencies = [
+ "pin-project-lite",
+ "tracing-core",
+]
+
+[[package]]
+name = "tracing-core"
+version = "0.1.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c06d3da6113f116aaee68e4d601191614c9053067f9ab7f6edbcb161237daa54"
+dependencies = [
+ "once_cell",
+ "valuable",
+]
+
+[[package]]
+name = "tracing-subscriber"
+version = "0.2.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0e0d2eaa99c3c2e41547cfa109e910a68ea03823cccad4a0525dcbc9b01e8c71"
+dependencies = [
+ "tracing-core",
+]
+
+[[package]]
+name = "transpose"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1ad61aed86bc3faea4300c7aee358b4c6d0c8d6ccc36524c96e4c92ccf26e77e"
+dependencies = [
+ "num-integer",
+ "strength_reduce",
+]
+
+[[package]]
+name = "typenum"
+version = "1.17.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42ff0bf0c66b8238c6f3b578df37d0b7848e55df8577b3f74f92a69acceeb825"
+
+[[package]]
+name = "unicode-ident"
+version = "1.0.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e91b56cd4cadaeb79bbf1a5645f6b4f8dc5bde8834ad5894a8db35fda9efa1fe"
+
+[[package]]
+name = "unicode-xid"
+version = "0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f962df74c8c05a667b5ee8bcf162993134c104e96440b663c8daa176dc772d8c"
+
+[[package]]
+name = "utf8parse"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"
+
+[[package]]
+name = "valuable"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "830b7e5d4d90034032940e4ace0d9a9a057e7a45cd94e6c007832e39edb82f6d"
+
+[[package]]
+name = "version_check"
+version = "0.9.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a"
+
+[[package]]
+name = "wasi"
+version = "0.11.0+wasi-snapshot-preview1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
+
+[[package]]
+name = "whir"
+version = "0.1.0"
+dependencies = [
+ "ark-crypto-primitives",
+ "ark-ff",
+ "ark-poly",
+ "ark-serialize",
+ "ark-std",
+ "ark-test-curves",
+ "blake2",
+ "blake3",
+ "clap",
+ "derivative",
+ "derive_more",
+ "goldilocks",
+ "itertools 0.14.0",
+ "lazy_static",
+ "nimue",
+ "nimue-pow",
+ "rand",
+ "rand_chacha",
+ "rayon",
+ "serde",
+ "serde_json",
+ "sha3",
+ "thiserror",
+ "transpose",
+]
+
+[[package]]
+name = "windows-sys"
+version = "0.59.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e38bc4d79ed67fd075bcc251a1c39b32a1776bbe92e5bef1f0bf1f8c531853b"
+dependencies = [
+ "windows-targets",
+]
+
+[[package]]
+name = "windows-targets"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973"
+dependencies = [
+ "windows_aarch64_gnullvm",
+ "windows_aarch64_msvc",
+ "windows_i686_gnu",
+ "windows_i686_gnullvm",
+ "windows_i686_msvc",
+ "windows_x86_64_gnu",
+ "windows_x86_64_gnullvm",
+ "windows_x86_64_msvc",
+]
+
+[[package]]
+name = "windows_aarch64_gnullvm"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3"
+
+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469"
+
+[[package]]
+name = "windows_i686_gnu"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b"
+
+[[package]]
+name = "windows_i686_gnullvm"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66"
+
+[[package]]
+name = "windows_i686_msvc"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66"
+
+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78"
+
+[[package]]
+name = "windows_x86_64_gnullvm"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d"
+
+[[package]]
+name = "windows_x86_64_msvc"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec"
+
+[[package]]
+name = "wyz"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "05f360fc0b24296329c78fda852a1e9ae82de9cf7b27dae4b7f62f118f77b9ed"
+dependencies = [
+ "tap",
+]
+
+[[package]]
+name = "zerocopy"
+version = "0.7.35"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1b9b4fd18abc82b8136838da5d50bae7bdea537c574d8dc1a34ed098d6c166f0"
+dependencies = [
+ "byteorder",
+ "zerocopy-derive",
+]
+
+[[package]]
+name = "zerocopy-derive"
+version = "0.7.35"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fa4f8080344d4671fb4e831a13ad1e68092748387dfc4f55e356242fae12ce3e"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.87",
+]
+
+[[package]]
+name = "zeroize"
+version = "1.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ced3678a2879b30306d323f4542626697a464a97c0a07c9aebf7ebca65cd4dde"
+dependencies = [
+ "zeroize_derive",
+]
+
+[[package]]
+name = "zeroize_derive"
+version = "1.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.87",
+]
diff --git a/whir/Cargo.toml b/whir/Cargo.toml
new file mode 100644
index 000000000..66124c294
--- /dev/null
+++ b/whir/Cargo.toml
@@ -0,0 +1,56 @@
+[package]
+categories = ["cryptography", "zk", "blockchain", "pcs"]
+description = "Multilinear Polynomial Commitment Scheme"
+edition = "2021"
+keywords = ["cryptography", "zk", "blockchain", "pcs"]
+license = "MIT OR Apache-2.0"
+name = "whir"
+readme = "README.md"
+repository = "https://github.com/WizardOfMenlo/whir/"
+version = "0.1.0"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+default-run = "main"
+
+[dependencies]
+ark-crypto-primitives = { version = "0.5", features = ["merkle_tree"] }
+ark-ff = { version = "0.5", features = ["asm", "std"] }
+ark-poly = "0.5"
+ark-serialize = "0.5"
+ark-std = { version = "0.5", features = ["std"] }
+ark-test-curves = { version = "0.5", features = ["bls12_381_curve"] }
+blake2 = "0.10"
+blake3 = "1.5.0"
+clap = { version = "4.4.17", features = ["derive"] }
+derivative = { version = "2", features = ["use_core"] }
+lazy_static = "1.4"
+nimue = { git = "https://github.com/arkworks-rs/nimue", features = ["ark"] }
+nimue-pow = { git = "https://github.com/arkworks-rs/nimue" }
+rand = "0.8"
+rand_chacha = "0.3"
+rayon = { version = "1.10.0", optional = true }
+serde = { version = "1.0", features = ["derive"] }
+serde_json = "1.0"
+sha3 = "0.10"
+transpose = "0.2.3"
+
+derive_more = { version = "1.0.0", features = ["debug"] }
+goldilocks = { git = "https://github.com/scroll-tech/ceno-Goldilocks" }
+itertools = "0.14.0"
+thiserror = "1"
+
+[profile.release]
+debug = true
+
+[features]
+asm = []
+ceno = []
+default = ["parallel", "ceno"]
+parallel = [
+ "dep:rayon",
+ "ark-poly/parallel",
+ "ark-ff/parallel",
+ "ark-crypto-primitives/parallel",
+]
+print-trace = ["ark-std/print-trace"]
+rayon = ["dep:rayon"]
diff --git a/whir/LICENSE-APACHE b/whir/LICENSE-APACHE
new file mode 100644
index 000000000..261eeb9e9
--- /dev/null
+++ b/whir/LICENSE-APACHE
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/whir/LICENSE-MIT b/whir/LICENSE-MIT
new file mode 100644
index 000000000..c67929c8b
--- /dev/null
+++ b/whir/LICENSE-MIT
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Gal Arnon, Alessandro Chiesa, Giacomo Fenzi, Eylon Yogev
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/whir/README.md b/whir/README.md
new file mode 100644
index 000000000..ef91b05da
--- /dev/null
+++ b/whir/README.md
@@ -0,0 +1,47 @@
+WHIR 🌪️
+
+This library was developed using the [arkworks](https://arkworks.rs) ecosystem to accompany [WHIR 🌪️](https://eprint.iacr.org/2024/1586).
+By [Gal Arnon](https://galarnon42.github.io/) [Alessandro Chiesa](https://ic-people.epfl.ch/~achiesa/), [Giacomo Fenzi](https://gfenzi.io), and [Eylon Yogev](https://www.eylonyogev.com/about).
+
+**WARNING:** This is an academic prototype and has not received careful code review. This implementation is NOT ready for production use.
+
+
+ 
+ 
+
+
+# Usage
+```
+cargo run --release -- --help
+
+Usage: main [OPTIONS]
+
+Options:
+ -t, --type [default: PCS]
+ -l, --security-level [default: 100]
+ -p, --pow-bits
+ -d, --num-variables [default: 20]
+ -e, --evaluations [default: 1]
+ -r, --rate [default: 1]
+ --reps [default: 1000]
+ -k, --fold [default: 4]
+ --sec [default: ConjectureList]
+ --fold_type [default: ProverHelps]
+ -f, --field [default: Goldilocks2]
+ --hash [default: Blake3]
+ -h, --help Print help
+ -V, --version Print version
+```
+
+Options:
+- `-t` can be either `PCS` or `LDT` to run as a (multilinear) PCS or a LDT
+- `-l` sets the (overall) security level of the scheme
+- `-p` sets the number of PoW bits (used for the query-phase). PoW bits for proximity gaps are set automatically.
+- `-d` sets the number of variables of the scheme.
+- `-e` sets the number of evaluations to prove. Only meaningful in PCS mode.
+- `-r` sets the log_inv of the rate
+- `-k` sets the number of variables to fold at each iteration.
+- `--sec` sets the settings used to compute security. Available `UniqueDecoding`, `ProvableList`, `ConjectureList`
+- `--fold_type` sets the settings used to compute folds. Available `Naive`, `ProverHelps`
+- `-f` sets the field used, available are `Goldilocks2, Goldilocks3, Field192, Field256`.
+- `--hash` sets the hash used for the Merkle tree, available are `SHA3` and `Blake3`
diff --git a/whir/rust-toolchain.toml b/whir/rust-toolchain.toml
new file mode 100644
index 000000000..5d1274a3e
--- /dev/null
+++ b/whir/rust-toolchain.toml
@@ -0,0 +1,2 @@
+[toolchain]
+channel = "nightly-2024-10-03"
diff --git a/whir/src/bin/benchmark.rs b/whir/src/bin/benchmark.rs
new file mode 100644
index 000000000..a9c388124
--- /dev/null
+++ b/whir/src/bin/benchmark.rs
@@ -0,0 +1,446 @@
+use std::{
+ fs::OpenOptions,
+ time::{Duration, Instant},
+};
+
+use ark_crypto_primitives::{
+ crh::{CRHScheme, TwoToOneCRHScheme},
+ merkle_tree::Config,
+};
+use ark_ff::{FftField, Field};
+use ark_serialize::CanonicalSerialize;
+use nimue::{Arthur, DefaultHash, IOPattern, Merlin};
+use nimue_pow::blake3::Blake3PoW;
+use whir::{
+ cmdline_utils::{AvailableFields, AvailableMerkle},
+ crypto::{
+ fields,
+ merkle_tree::{self, HashCounter},
+ },
+ parameters::*,
+ poly_utils::coeffs::CoefficientList,
+ whir::Statement,
+};
+
+use serde::Serialize;
+
+use clap::Parser;
+use whir::whir::{
+ fs_utils::{DigestReader, DigestWriter},
+ iopattern::DigestIOPattern,
+};
+
+#[derive(Parser, Debug)]
+#[command(author, version, about, long_about = None)]
+struct Args {
+ #[arg(short = 'l', long, default_value = "100")]
+ security_level: usize,
+
+ #[arg(short = 'p', long)]
+ pow_bits: Option,
+
+ #[arg(short = 'd', long, default_value = "20")]
+ num_variables: usize,
+
+ #[arg(short = 'e', long = "evaluations", default_value = "1")]
+ num_evaluations: usize,
+
+ #[arg(short = 'r', long, default_value = "1")]
+ rate: usize,
+
+ #[arg(long = "reps", default_value = "1000")]
+ verifier_repetitions: usize,
+
+ #[arg(short = 'i', long = "initfold", default_value = "4")]
+ first_round_folding_factor: usize,
+
+ #[arg(short = 'k', long = "fold", default_value = "4")]
+ folding_factor: usize,
+
+ #[arg(long = "sec", default_value = "ConjectureList")]
+ soundness_type: SoundnessType,
+
+ #[arg(long = "fold_type", default_value = "ProverHelps")]
+ fold_optimisation: FoldType,
+
+ #[arg(short = 'f', long = "field", default_value = "Goldilocks2")]
+ field: AvailableFields,
+
+ #[arg(long = "hash", default_value = "Blake3")]
+ merkle_tree: AvailableMerkle,
+}
+
+#[derive(Debug, Serialize)]
+struct BenchmarkOutput {
+ security_level: usize,
+ pow_bits: usize,
+ starting_rate: usize,
+ num_variables: usize,
+ repetitions: usize,
+ folding_factor: usize,
+ soundness_type: SoundnessType,
+ field: AvailableFields,
+ merkle_tree: AvailableMerkle,
+
+ // Whir
+ whir_evaluations: usize,
+ whir_argument_size: usize,
+ whir_prover_time: Duration,
+ whir_prover_hashes: usize,
+ whir_verifier_time: Duration,
+ whir_verifier_hashes: usize,
+
+ // Whir LDT
+ whir_ldt_argument_size: usize,
+ whir_ldt_prover_time: Duration,
+ whir_ldt_prover_hashes: usize,
+ whir_ldt_verifier_time: Duration,
+ whir_ldt_verifier_hashes: usize,
+}
+
+type PowStrategy = Blake3PoW;
+
+fn main() {
+ let mut args = Args::parse();
+ let field = args.field;
+ let merkle = args.merkle_tree;
+
+ if args.pow_bits.is_none() {
+ args.pow_bits = Some(default_max_pow(args.num_variables, args.rate));
+ }
+
+ let mut rng = ark_std::test_rng();
+
+ match (field, merkle) {
+ (AvailableFields::Goldilocks1, AvailableMerkle::Blake3) => {
+ use fields::Field64 as F;
+ use merkle_tree::blake3 as mt;
+
+ let (leaf_hash_params, two_to_one_params) = mt::default_config::(&mut rng);
+ run_whir::>(args, leaf_hash_params, two_to_one_params);
+ }
+
+ (AvailableFields::Goldilocks1, AvailableMerkle::Keccak256) => {
+ use fields::Field64 as F;
+ use merkle_tree::keccak as mt;
+
+ let (leaf_hash_params, two_to_one_params) = mt::default_config::(&mut rng);
+ run_whir::>(args, leaf_hash_params, two_to_one_params);
+ }
+
+ (AvailableFields::Goldilocks2, AvailableMerkle::Blake3) => {
+ use fields::Field64_2 as F;
+ use merkle_tree::blake3 as mt;
+
+ let (leaf_hash_params, two_to_one_params) = mt::default_config::(&mut rng);
+ run_whir::>(args, leaf_hash_params, two_to_one_params);
+ }
+
+ (AvailableFields::Goldilocks2, AvailableMerkle::Keccak256) => {
+ use fields::Field64_2 as F;
+ use merkle_tree::keccak as mt;
+
+ let (leaf_hash_params, two_to_one_params) = mt::default_config::(&mut rng);
+ run_whir::>(args, leaf_hash_params, two_to_one_params);
+ }
+
+ (AvailableFields::Goldilocks3, AvailableMerkle::Blake3) => {
+ use fields::Field64_3 as F;
+ use merkle_tree::blake3 as mt;
+
+ let (leaf_hash_params, two_to_one_params) = mt::default_config::(&mut rng);
+ run_whir::>(args, leaf_hash_params, two_to_one_params);
+ }
+
+ (AvailableFields::Goldilocks3, AvailableMerkle::Keccak256) => {
+ use fields::Field64_3 as F;
+ use merkle_tree::keccak as mt;
+
+ let (leaf_hash_params, two_to_one_params) = mt::default_config::(&mut rng);
+ run_whir::>(args, leaf_hash_params, two_to_one_params);
+ }
+
+ (AvailableFields::Field128, AvailableMerkle::Blake3) => {
+ use fields::Field128 as F;
+ use merkle_tree::blake3 as mt;
+
+ let (leaf_hash_params, two_to_one_params) = mt::default_config::(&mut rng);
+ run_whir::>(args, leaf_hash_params, two_to_one_params);
+ }
+
+ (AvailableFields::Field128, AvailableMerkle::Keccak256) => {
+ use fields::Field128 as F;
+ use merkle_tree::keccak as mt;
+
+ let (leaf_hash_params, two_to_one_params) = mt::default_config::(&mut rng);
+ run_whir::>(args, leaf_hash_params, two_to_one_params);
+ }
+
+ (AvailableFields::Field192, AvailableMerkle::Blake3) => {
+ use fields::Field192 as F;
+ use merkle_tree::blake3 as mt;
+
+ let (leaf_hash_params, two_to_one_params) = mt::default_config::(&mut rng);
+ run_whir::>(args, leaf_hash_params, two_to_one_params);
+ }
+
+ (AvailableFields::Field192, AvailableMerkle::Keccak256) => {
+ use fields::Field192 as F;
+ use merkle_tree::keccak as mt;
+
+ let (leaf_hash_params, two_to_one_params) = mt::default_config::(&mut rng);
+ run_whir::>(args, leaf_hash_params, two_to_one_params);
+ }
+
+ (AvailableFields::Field256, AvailableMerkle::Blake3) => {
+ use fields::Field256 as F;
+ use merkle_tree::blake3 as mt;
+
+ let (leaf_hash_params, two_to_one_params) = mt::default_config::(&mut rng);
+ run_whir::>(args, leaf_hash_params, two_to_one_params);
+ }
+
+ (AvailableFields::Field256, AvailableMerkle::Keccak256) => {
+ use fields::Field256 as F;
+ use merkle_tree::keccak as mt;
+
+ let (leaf_hash_params, two_to_one_params) = mt::default_config::(&mut rng);
+ run_whir::>(args, leaf_hash_params, two_to_one_params);
+ }
+ }
+}
+
+fn run_whir(
+ args: Args,
+ leaf_hash_params: <::LeafHash as CRHScheme>::Parameters,
+ two_to_one_params: <::TwoToOneHash as TwoToOneCRHScheme>::Parameters,
+) where
+ F: FftField + CanonicalSerialize,
+ MerkleConfig: Config + Clone,
+ MerkleConfig::InnerDigest: AsRef<[u8]> + From<[u8; 32]>,
+ IOPattern: DigestIOPattern,
+ Merlin: DigestWriter,
+ for<'a> Arthur<'a>: DigestReader,
+{
+ let security_level = args.security_level;
+ let pow_bits = args.pow_bits.unwrap();
+ let num_variables = args.num_variables;
+ let starting_rate = args.rate;
+ let reps = args.verifier_repetitions;
+ let folding_factor = args.folding_factor;
+ let first_round_folding_factor = args.first_round_folding_factor;
+ let soundness_type = args.soundness_type;
+ let fold_optimisation = args.fold_optimisation;
+
+ std::fs::create_dir_all("outputs").unwrap();
+
+ let num_coeffs = 1 << num_variables;
+
+ let mv_params = MultivariateParameters::::new(num_variables);
+
+ let whir_params = WhirParameters:: {
+ initial_statement: true,
+ security_level,
+ pow_bits,
+ folding_factor: FoldingFactor::ConstantFromSecondRound(
+ first_round_folding_factor,
+ folding_factor,
+ ),
+ leaf_hash_params,
+ two_to_one_params,
+ soundness_type,
+ fold_optimisation,
+ _pow_parameters: Default::default(),
+ starting_log_inv_rate: starting_rate,
+ };
+
+ let polynomial = CoefficientList::new(
+ (0..num_coeffs)
+ .map(::BasePrimeField::from)
+ .collect(),
+ );
+
+ let (
+ whir_ldt_prover_time,
+ whir_ldt_argument_size,
+ whir_ldt_prover_hashes,
+ whir_ldt_verifier_time,
+ whir_ldt_verifier_hashes,
+ ) = {
+ // Run LDT
+ use whir::whir::{
+ committer::Committer, iopattern::WhirIOPattern, parameters::WhirConfig, prover::Prover,
+ verifier::Verifier, whir_proof_size,
+ };
+
+ let whir_params = WhirParameters:: {
+ initial_statement: false,
+ ..whir_params.clone()
+ };
+ let params =
+ WhirConfig::::new(mv_params, whir_params.clone());
+ if !params.check_pow_bits() {
+ println!("WARN: more PoW bits required than what specified.");
+ }
+
+ let io = IOPattern::::new("🌪️")
+ .commit_statement(¶ms)
+ .add_whir_proof(¶ms)
+ .clone();
+
+ let mut merlin = io.to_merlin();
+
+ let whir_ldt_prover_time = Instant::now();
+
+ HashCounter::reset();
+
+ let committer = Committer::new(params.clone());
+ let witness = committer.commit(&mut merlin, polynomial.clone()).unwrap();
+
+ let prover = Prover(params.clone());
+
+ let proof = prover
+ .prove(&mut merlin, Statement::default(), witness)
+ .unwrap();
+
+ let whir_ldt_prover_time = whir_ldt_prover_time.elapsed();
+ let whir_ldt_argument_size = whir_proof_size(merlin.transcript(), &proof);
+ let whir_ldt_prover_hashes = HashCounter::get();
+
+ // Just not to count that initial inversion (which could be precomputed)
+ let verifier = Verifier::new(params);
+
+ HashCounter::reset();
+ let whir_ldt_verifier_time = Instant::now();
+ for _ in 0..reps {
+ let mut arthur = io.to_arthur(merlin.transcript());
+ verifier
+ .verify(&mut arthur, &Statement::default(), &proof)
+ .unwrap();
+ }
+
+ let whir_ldt_verifier_time = whir_ldt_verifier_time.elapsed();
+ let whir_ldt_verifier_hashes = HashCounter::get() / reps;
+
+ (
+ whir_ldt_prover_time,
+ whir_ldt_argument_size,
+ whir_ldt_prover_hashes,
+ whir_ldt_verifier_time,
+ whir_ldt_verifier_hashes,
+ )
+ };
+
+ let (
+ whir_prover_time,
+ whir_argument_size,
+ whir_prover_hashes,
+ whir_verifier_time,
+ whir_verifier_hashes,
+ ) = {
+ // Run PCS
+ use whir::{
+ poly_utils::MultilinearPoint,
+ whir::{
+ committer::Committer, iopattern::WhirIOPattern, parameters::WhirConfig,
+ prover::Prover, verifier::Verifier, whir_proof_size,
+ },
+ };
+
+ let params = WhirConfig::::new(mv_params, whir_params);
+ if !params.check_pow_bits() {
+ println!("WARN: more PoW bits required than what specified.");
+ }
+
+ let io = IOPattern::::new("🌪️")
+ .commit_statement(¶ms)
+ .add_whir_proof(¶ms)
+ .clone();
+
+ let mut merlin = io.to_merlin();
+
+ let points: Vec<_> = (0..args.num_evaluations)
+ .map(|i| MultilinearPoint(vec![F::from(i as u64); num_variables]))
+ .collect();
+ let evaluations = points
+ .iter()
+ .map(|point| polynomial.evaluate_at_extension(point))
+ .collect();
+ let statement = Statement {
+ points,
+ evaluations,
+ };
+
+ HashCounter::reset();
+ let whir_prover_time = Instant::now();
+
+ let committer = Committer::new(params.clone());
+ let witness = committer.commit(&mut merlin, polynomial.clone()).unwrap();
+
+ let prover = Prover(params.clone());
+
+ let proof = prover
+ .prove(&mut merlin, statement.clone(), witness)
+ .unwrap();
+
+ let whir_prover_time = whir_prover_time.elapsed();
+ let whir_argument_size = whir_proof_size(merlin.transcript(), &proof);
+ let whir_prover_hashes = HashCounter::get();
+
+ // Just not to count that initial inversion (which could be precomputed)
+ let verifier = Verifier::new(params);
+
+ HashCounter::reset();
+ let whir_verifier_time = Instant::now();
+ for _ in 0..reps {
+ let mut arthur = io.to_arthur(merlin.transcript());
+ verifier.verify(&mut arthur, &statement, &proof).unwrap();
+ }
+
+ let whir_verifier_time = whir_verifier_time.elapsed();
+ let whir_verifier_hashes = HashCounter::get() / reps;
+
+ (
+ whir_prover_time,
+ whir_argument_size,
+ whir_prover_hashes,
+ whir_verifier_time,
+ whir_verifier_hashes,
+ )
+ };
+
+ let output = BenchmarkOutput {
+ security_level,
+ pow_bits,
+ starting_rate,
+ num_variables,
+ repetitions: reps,
+ folding_factor,
+ soundness_type,
+ field: args.field,
+ merkle_tree: args.merkle_tree,
+
+ // Whir
+ whir_evaluations: args.num_evaluations,
+ whir_prover_time,
+ whir_argument_size,
+ whir_prover_hashes,
+ whir_verifier_time,
+ whir_verifier_hashes,
+
+ // Whir LDT
+ whir_ldt_prover_time,
+ whir_ldt_argument_size,
+ whir_ldt_prover_hashes,
+ whir_ldt_verifier_time,
+ whir_ldt_verifier_hashes,
+ };
+
+ let mut out_file = OpenOptions::new()
+ .append(true)
+ .create(true)
+ .open("outputs/bench_output.json")
+ .unwrap();
+ use std::io::Write;
+ writeln!(out_file, "{}", serde_json::to_string(&output).unwrap()).unwrap();
+}
diff --git a/whir/src/bin/main.rs b/whir/src/bin/main.rs
new file mode 100644
index 000000000..0fc804d3a
--- /dev/null
+++ b/whir/src/bin/main.rs
@@ -0,0 +1,438 @@
+use std::time::Instant;
+
+use ark_crypto_primitives::{
+ crh::{CRHScheme, TwoToOneCRHScheme},
+ merkle_tree::Config,
+};
+use ark_ff::FftField;
+use ark_serialize::CanonicalSerialize;
+use nimue::{Arthur, DefaultHash, IOPattern, Merlin};
+use whir::{
+ cmdline_utils::{AvailableFields, AvailableMerkle, WhirType},
+ crypto::{
+ fields,
+ merkle_tree::{self, HashCounter},
+ },
+ parameters::*,
+ poly_utils::{MultilinearPoint, coeffs::CoefficientList},
+ whir::Statement,
+};
+
+use nimue_pow::blake3::Blake3PoW;
+
+use clap::Parser;
+use whir::whir::{
+ fs_utils::{DigestReader, DigestWriter},
+ iopattern::DigestIOPattern,
+};
+
+#[derive(Parser, Debug)]
+#[command(author, version, about, long_about = None)]
+struct Args {
+ #[arg(short = 't', long = "type", default_value = "PCS")]
+ protocol_type: WhirType,
+
+ #[arg(short = 'l', long, default_value = "100")]
+ security_level: usize,
+
+ #[arg(short = 'p', long)]
+ pow_bits: Option,
+
+ #[arg(short = 'd', long, default_value = "20")]
+ num_variables: usize,
+
+ #[arg(short = 'e', long = "evaluations", default_value = "1")]
+ num_evaluations: usize,
+
+ #[arg(short = 'r', long, default_value = "1")]
+ rate: usize,
+
+ #[arg(long = "reps", default_value = "1000")]
+ verifier_repetitions: usize,
+
+ #[arg(short = 'i', long = "initfold", default_value = "4")]
+ first_round_folding_factor: usize,
+
+ #[arg(short = 'k', long = "fold", default_value = "4")]
+ folding_factor: usize,
+
+ #[arg(long = "sec", default_value = "ConjectureList")]
+ soundness_type: SoundnessType,
+
+ #[arg(long = "fold_type", default_value = "ProverHelps")]
+ fold_optimisation: FoldType,
+
+ #[arg(short = 'f', long = "field", default_value = "Goldilocks2")]
+ field: AvailableFields,
+
+ #[arg(long = "hash", default_value = "Blake3")]
+ merkle_tree: AvailableMerkle,
+}
+
+type PowStrategy = Blake3PoW;
+
+fn main() {
+ let mut args = Args::parse();
+ let field = args.field;
+ let merkle = args.merkle_tree;
+
+ if args.pow_bits.is_none() {
+ args.pow_bits = Some(default_max_pow(args.num_variables, args.rate));
+ }
+
+ let mut rng = ark_std::test_rng();
+
+ match (field, merkle) {
+ (AvailableFields::Goldilocks1, AvailableMerkle::Blake3) => {
+ use fields::Field64 as F;
+ use merkle_tree::blake3 as mt;
+
+ let (leaf_hash_params, two_to_one_params) = mt::default_config::(&mut rng);
+ run_whir::>(args, leaf_hash_params, two_to_one_params);
+ }
+
+ (AvailableFields::Goldilocks1, AvailableMerkle::Keccak256) => {
+ use fields::Field64 as F;
+ use merkle_tree::keccak as mt;
+
+ let (leaf_hash_params, two_to_one_params) = mt::default_config::(&mut rng);
+ run_whir::>(args, leaf_hash_params, two_to_one_params);
+ }
+
+ (AvailableFields::Goldilocks2, AvailableMerkle::Blake3) => {
+ use fields::Field64_2 as F;
+ use merkle_tree::blake3 as mt;
+
+ let (leaf_hash_params, two_to_one_params) = mt::default_config::(&mut rng);
+ run_whir::>(args, leaf_hash_params, two_to_one_params);
+ }
+
+ (AvailableFields::Goldilocks2, AvailableMerkle::Keccak256) => {
+ use fields::Field64_2 as F;
+ use merkle_tree::keccak as mt;
+
+ let (leaf_hash_params, two_to_one_params) = mt::default_config::(&mut rng);
+ run_whir::>(args, leaf_hash_params, two_to_one_params);
+ }
+
+ (AvailableFields::Goldilocks3, AvailableMerkle::Blake3) => {
+ use fields::Field64_3 as F;
+ use merkle_tree::blake3 as mt;
+
+ let (leaf_hash_params, two_to_one_params) = mt::default_config::(&mut rng);
+ run_whir::>(args, leaf_hash_params, two_to_one_params);
+ }
+
+ (AvailableFields::Goldilocks3, AvailableMerkle::Keccak256) => {
+ use fields::Field64_3 as F;
+ use merkle_tree::keccak as mt;
+
+ let (leaf_hash_params, two_to_one_params) = mt::default_config::(&mut rng);
+ run_whir::>(args, leaf_hash_params, two_to_one_params);
+ }
+
+ (AvailableFields::Field128, AvailableMerkle::Blake3) => {
+ use fields::Field128 as F;
+ use merkle_tree::blake3 as mt;
+
+ let (leaf_hash_params, two_to_one_params) = mt::default_config::(&mut rng);
+ run_whir::>(args, leaf_hash_params, two_to_one_params);
+ }
+
+ (AvailableFields::Field128, AvailableMerkle::Keccak256) => {
+ use fields::Field128 as F;
+ use merkle_tree::keccak as mt;
+
+ let (leaf_hash_params, two_to_one_params) = mt::default_config::(&mut rng);
+ run_whir::>(args, leaf_hash_params, two_to_one_params);
+ }
+
+ (AvailableFields::Field192, AvailableMerkle::Blake3) => {
+ use fields::Field192 as F;
+ use merkle_tree::blake3 as mt;
+
+ let (leaf_hash_params, two_to_one_params) = mt::default_config::(&mut rng);
+ run_whir::>(args, leaf_hash_params, two_to_one_params);
+ }
+
+ (AvailableFields::Field192, AvailableMerkle::Keccak256) => {
+ use fields::Field192 as F;
+ use merkle_tree::keccak as mt;
+
+ let (leaf_hash_params, two_to_one_params) = mt::default_config::(&mut rng);
+ run_whir::>(args, leaf_hash_params, two_to_one_params);
+ }
+
+ (AvailableFields::Field256, AvailableMerkle::Blake3) => {
+ use fields::Field256 as F;
+ use merkle_tree::blake3 as mt;
+
+ let (leaf_hash_params, two_to_one_params) = mt::default_config::(&mut rng);
+ run_whir::>(args, leaf_hash_params, two_to_one_params);
+ }
+
+ (AvailableFields::Field256, AvailableMerkle::Keccak256) => {
+ use fields::Field256 as F;
+ use merkle_tree::keccak as mt;
+
+ let (leaf_hash_params, two_to_one_params) = mt::default_config::(&mut rng);
+ run_whir::>(args, leaf_hash_params, two_to_one_params);
+ }
+ }
+}
+
+fn run_whir(
+ args: Args,
+ leaf_hash_params: <::LeafHash as CRHScheme>::Parameters,
+ two_to_one_params: <::TwoToOneHash as TwoToOneCRHScheme>::Parameters,
+) where
+ F: FftField + CanonicalSerialize,
+ MerkleConfig: Config + Clone,
+ MerkleConfig::InnerDigest: AsRef<[u8]> + From<[u8; 32]>,
+ IOPattern: DigestIOPattern,
+ Merlin: DigestWriter,
+ for<'a> Arthur<'a>: DigestReader,
+{
+ match args.protocol_type {
+ WhirType::PCS => run_whir_pcs::(args, leaf_hash_params, two_to_one_params),
+ WhirType::LDT => {
+ run_whir_as_ldt::(args, leaf_hash_params, two_to_one_params)
+ }
+ }
+}
+
+fn run_whir_as_ldt(
+ args: Args,
+ leaf_hash_params: <::LeafHash as CRHScheme>::Parameters,
+ two_to_one_params: <::TwoToOneHash as TwoToOneCRHScheme>::Parameters,
+) where
+ F: FftField + CanonicalSerialize,
+ MerkleConfig: Config + Clone,
+ MerkleConfig::InnerDigest: AsRef<[u8]> + From<[u8; 32]>,
+ IOPattern: DigestIOPattern,
+ Merlin: DigestWriter,
+ for<'a> Arthur<'a>: DigestReader,
+{
+ use whir::whir::{
+ committer::Committer, iopattern::WhirIOPattern, parameters::WhirConfig, prover::Prover,
+ verifier::Verifier,
+ };
+
+ // Runs as a LDT
+ let security_level = args.security_level;
+ let pow_bits = args.pow_bits.unwrap();
+ let num_variables = args.num_variables;
+ let starting_rate = args.rate;
+ let reps = args.verifier_repetitions;
+ let first_round_folding_factor = args.first_round_folding_factor;
+ let folding_factor = args.folding_factor;
+ let fold_optimisation = args.fold_optimisation;
+ let soundness_type = args.soundness_type;
+
+ if args.num_evaluations > 1 {
+ println!("Warning: running as LDT but a number of evaluations to be proven was specified.");
+ }
+
+ let num_coeffs = 1 << num_variables;
+
+ let mv_params = MultivariateParameters::::new(num_variables);
+
+ let whir_params = WhirParameters:: {
+ initial_statement: false,
+ security_level,
+ pow_bits,
+ folding_factor: FoldingFactor::ConstantFromSecondRound(
+ first_round_folding_factor,
+ folding_factor,
+ ),
+ leaf_hash_params,
+ two_to_one_params,
+ soundness_type,
+ fold_optimisation,
+ _pow_parameters: Default::default(),
+ starting_log_inv_rate: starting_rate,
+ };
+
+ let params = WhirConfig::::new(mv_params, whir_params.clone());
+
+ let io = IOPattern::::new("🌪️")
+ .commit_statement(¶ms)
+ .add_whir_proof(¶ms);
+
+ let mut merlin = io.to_merlin();
+
+ println!("=========================================");
+ println!("Whir (LDT) 🌪️");
+ println!("Field: {:?} and MT: {:?}", args.field, args.merkle_tree);
+ println!("{}", params);
+ if !params.check_pow_bits() {
+ println!("WARN: more PoW bits required than what specified.");
+ }
+
+ use ark_ff::Field;
+ let polynomial = CoefficientList::new(
+ (0..num_coeffs)
+ .map(::BasePrimeField::from)
+ .collect(),
+ );
+
+ let whir_prover_time = Instant::now();
+
+ let committer = Committer::new(params.clone());
+ let witness = committer.commit(&mut merlin, polynomial).unwrap();
+
+ let prover = Prover(params.clone());
+
+ let proof = prover
+ .prove(&mut merlin, Statement::default(), witness)
+ .unwrap();
+
+ dbg!(whir_prover_time.elapsed());
+
+ // Serialize proof
+ let transcript = merlin.transcript().to_vec();
+ let mut proof_bytes = vec![];
+ proof.serialize_compressed(&mut proof_bytes).unwrap();
+
+ let proof_size = transcript.len() + proof_bytes.len();
+ dbg!(proof_size);
+
+ // Just not to count that initial inversion (which could be precomputed)
+ let verifier = Verifier::new(params.clone());
+
+ HashCounter::reset();
+ let whir_verifier_time = Instant::now();
+ for _ in 0..reps {
+ let mut arthur = io.to_arthur(&transcript);
+ verifier
+ .verify(&mut arthur, &Statement::default(), &proof)
+ .unwrap();
+ }
+ dbg!(whir_verifier_time.elapsed() / reps as u32);
+ dbg!(HashCounter::get() as f64 / reps as f64);
+}
+
+fn run_whir_pcs(
+ args: Args,
+ leaf_hash_params: <::LeafHash as CRHScheme>::Parameters,
+ two_to_one_params: <::TwoToOneHash as TwoToOneCRHScheme>::Parameters,
+) where
+ F: FftField + CanonicalSerialize,
+ MerkleConfig: Config + Clone,
+ MerkleConfig::InnerDigest: AsRef<[u8]> + From<[u8; 32]>,
+ IOPattern: DigestIOPattern,
+ Merlin: DigestWriter,
+ for<'a> Arthur<'a>: DigestReader,
+{
+ use whir::whir::{
+ Statement, committer::Committer, iopattern::WhirIOPattern, parameters::WhirConfig,
+ prover::Prover, verifier::Verifier, whir_proof_size,
+ };
+
+ // Runs as a PCS
+ let security_level = args.security_level;
+ let pow_bits = args.pow_bits.unwrap();
+ let num_variables = args.num_variables;
+ let starting_rate = args.rate;
+ let reps = args.verifier_repetitions;
+ let first_round_folding_factor = args.first_round_folding_factor;
+ let folding_factor = args.folding_factor;
+ let fold_optimisation = args.fold_optimisation;
+ let soundness_type = args.soundness_type;
+ let num_evaluations = args.num_evaluations;
+
+ if num_evaluations == 0 {
+ println!("Warning: running as PCS but no evaluations specified.");
+ }
+
+ let num_coeffs = 1 << num_variables;
+
+ let mv_params = MultivariateParameters::::new(num_variables);
+
+ let whir_params = WhirParameters:: {
+ initial_statement: true,
+ security_level,
+ pow_bits,
+ folding_factor: FoldingFactor::ConstantFromSecondRound(
+ first_round_folding_factor,
+ folding_factor,
+ ),
+ leaf_hash_params,
+ two_to_one_params,
+ soundness_type,
+ fold_optimisation,
+ _pow_parameters: Default::default(),
+ starting_log_inv_rate: starting_rate,
+ };
+
+ let params = WhirConfig::::new(mv_params, whir_params);
+
+ let io = IOPattern::::new("🌪️")
+ .commit_statement(¶ms)
+ .add_whir_proof(¶ms)
+ .clone();
+
+ let mut merlin = io.to_merlin();
+
+ println!("=========================================");
+ println!("Whir (PCS) 🌪️");
+ println!("Field: {:?} and MT: {:?}", args.field, args.merkle_tree);
+ println!("{}", params);
+ if !params.check_pow_bits() {
+ println!("WARN: more PoW bits required than what specified.");
+ }
+
+ use ark_ff::Field;
+ let polynomial = CoefficientList::new(
+ (0..num_coeffs)
+ .map(::BasePrimeField::from)
+ .collect(),
+ );
+ let points: Vec<_> = (0..num_evaluations)
+ .map(|i| MultilinearPoint(vec![F::from(i as u64); num_variables]))
+ .collect();
+ let evaluations = points
+ .iter()
+ .map(|point| polynomial.evaluate_at_extension(point))
+ .collect();
+
+ let statement = Statement {
+ points,
+ evaluations,
+ };
+
+ let whir_prover_time = Instant::now();
+
+ let committer = Committer::new(params.clone());
+ let witness = committer.commit(&mut merlin, polynomial).unwrap();
+
+ let prover = Prover(params.clone());
+
+ let proof = prover
+ .prove(&mut merlin, statement.clone(), witness)
+ .unwrap();
+
+ println!("Prover time: {:.1?}", whir_prover_time.elapsed());
+ println!(
+ "Proof size: {:.1} KiB",
+ whir_proof_size(merlin.transcript(), &proof) as f64 / 1024.0
+ );
+
+ // Just not to count that initial inversion (which could be precomputed)
+ let verifier = Verifier::new(params);
+
+ HashCounter::reset();
+ let whir_verifier_time = Instant::now();
+ for _ in 0..reps {
+ let mut arthur = io.to_arthur(merlin.transcript());
+ verifier.verify(&mut arthur, &statement, &proof).unwrap();
+ }
+ println!(
+ "Verifier time: {:.1?}",
+ whir_verifier_time.elapsed() / reps as u32
+ );
+ println!(
+ "Average hashes: {:.1}k",
+ (HashCounter::get() as f64 / reps as f64) / 1000.0
+ );
+}
diff --git a/whir/src/ceno_binding/merkle_config.rs b/whir/src/ceno_binding/merkle_config.rs
new file mode 100644
index 000000000..84eb804da
--- /dev/null
+++ b/whir/src/ceno_binding/merkle_config.rs
@@ -0,0 +1,292 @@
+use ark_crypto_primitives::merkle_tree::Config;
+use ark_ff::FftField;
+use nimue::{Arthur, DefaultHash, IOPattern, Merlin, ProofResult};
+use nimue_pow::PowStrategy;
+
+use crate::{
+ crypto::merkle_tree::{
+ blake3::MerkleTreeParams as Blake3Params, keccak::MerkleTreeParams as KeccakParams,
+ },
+ poly_utils::{MultilinearPoint, coeffs::CoefficientList},
+ whir::{
+ Statement, WhirProof,
+ batch::{WhirBatchIOPattern, Witnesses},
+ committer::{Committer, Witness},
+ fs_utils::DigestWriter,
+ iopattern::WhirIOPattern,
+ parameters::WhirConfig,
+ prover::Prover,
+ verifier::Verifier,
+ },
+};
+
+pub trait WhirMerkleConfigWrapper {
+ type MerkleConfig: Config + Clone;
+ type PowStrategy: PowStrategy;
+
+ fn commit_to_merlin(
+ committer: &Committer,
+ merlin: &mut Merlin,
+ poly: CoefficientList,
+ ) -> ProofResult>;
+
+ fn commit_to_merlin_batch(
+ committer: &Committer,
+ merlin: &mut Merlin,
+ polys: &[CoefficientList],
+ ) -> ProofResult>;
+
+ fn prove_with_merlin(
+ prover: &Prover,
+ merlin: &mut Merlin,
+ statement: Statement,
+ witness: Witness,
+ ) -> ProofResult>;
+
+ fn prove_with_merlin_simple_batch(
+ prover: &Prover,
+ merlin: &mut Merlin,
+ point: &[F],
+ evals: &[F],
+ witness: &Witnesses,
+ ) -> ProofResult>;
+
+ fn verify_with_arthur(
+ verifier: &Verifier,
+ arthur: &mut Arthur,
+ statement: &Statement,
+ whir_proof: &WhirProof,
+ ) -> ProofResult<::InnerDigest>;
+
+ fn verify_with_arthur_simple_batch(
+ verifier: &Verifier,
+ arthur: &mut Arthur,
+ point: &[F],
+ evals: &[F],
+ whir_proof: &WhirProof,
+ ) -> ProofResult<::InnerDigest>;
+
+ fn commit_statement_to_io_pattern(
+ iopattern: IOPattern,
+ params: &WhirConfig,
+ ) -> IOPattern;
+
+ fn add_whir_proof_to_io_pattern(
+ iopattern: IOPattern,
+ params: &WhirConfig,
+ ) -> IOPattern;
+
+ fn commit_batch_statement_to_io_pattern(
+ iopattern: IOPattern,
+ params: &WhirConfig,
+ batch_size: usize,
+ ) -> IOPattern;
+
+ fn add_whir_batch_proof_to_io_pattern(
+ iopattern: IOPattern,
+ params: &WhirConfig,
+ batch_size: usize,
+ ) -> IOPattern;
+
+ fn add_digest_to_merlin(
+ merlin: &mut Merlin,
+ digest: ::InnerDigest,
+ ) -> ProofResult<()>;
+}
+
+pub struct Blake3ConfigWrapper(Blake3Params);
+pub struct KeccakConfigWrapper(KeccakParams);
+
+impl WhirMerkleConfigWrapper for Blake3ConfigWrapper {
+ type MerkleConfig = Blake3Params;
+ type PowStrategy = nimue_pow::blake3::Blake3PoW;
+ fn commit_to_merlin(
+ committer: &Committer,
+ merlin: &mut Merlin,
+ poly: CoefficientList,
+ ) -> ProofResult> {
+ committer.commit(merlin, poly)
+ }
+
+ fn commit_to_merlin_batch(
+ committer: &Committer,
+ merlin: &mut Merlin,
+ polys: &[CoefficientList],
+ ) -> ProofResult> {
+ committer.batch_commit(merlin, polys)
+ }
+
+ fn prove_with_merlin(
+ prover: &Prover,
+ merlin: &mut Merlin,
+ statement: Statement,
+ witness: Witness,
+ ) -> ProofResult> {
+ prover.prove(merlin, statement, witness)
+ }
+
+ fn prove_with_merlin_simple_batch(
+ prover: &Prover,
+ merlin: &mut Merlin,
+ point: &[F],
+ evals: &[F],
+ witness: &Witnesses,
+ ) -> ProofResult> {
+ let points = [MultilinearPoint(point.to_vec())];
+ prover.simple_batch_prove(merlin, &points, &[evals.to_vec()], witness)
+ }
+
+ fn verify_with_arthur(
+ verifier: &Verifier,
+ arthur: &mut Arthur,
+ statement: &Statement,
+ whir_proof: &WhirProof,
+ ) -> ProofResult<::InnerDigest> {
+ verifier.verify(arthur, statement, whir_proof)
+ }
+
+ fn verify_with_arthur_simple_batch(
+ verifier: &Verifier,
+ arthur: &mut Arthur,
+ point: &[F],
+ evals: &[F],
+ whir_proof: &WhirProof,
+ ) -> ProofResult<::InnerDigest> {
+ let points = [MultilinearPoint(point.to_vec())];
+ verifier.simple_batch_verify(arthur, evals.len(), &points, &[evals.to_vec()], whir_proof)
+ }
+
+ fn commit_statement_to_io_pattern(
+ iopattern: IOPattern,
+ params: &WhirConfig,
+ ) -> IOPattern {
+ iopattern.commit_statement(params)
+ }
+
+ fn add_whir_proof_to_io_pattern(
+ iopattern: IOPattern,
+ params: &WhirConfig,
+ ) -> IOPattern {
+ iopattern.add_whir_proof(params)
+ }
+
+ fn commit_batch_statement_to_io_pattern(
+ iopattern: IOPattern,
+ params: &WhirConfig,
+ batch_size: usize,
+ ) -> IOPattern {
+ iopattern.commit_batch_statement(params, batch_size)
+ }
+
+ fn add_whir_batch_proof_to_io_pattern(
+ iopattern: IOPattern,
+ params: &WhirConfig,
+ batch_size: usize,
+ ) -> IOPattern {
+ iopattern.add_whir_batch_proof(params, batch_size)
+ }
+
+ fn add_digest_to_merlin(
+ merlin: &mut Merlin,
+ digest: ::InnerDigest,
+ ) -> ProofResult<()> {
+ >::add_digest(merlin, digest)
+ }
+}
+
+impl WhirMerkleConfigWrapper for KeccakConfigWrapper {
+ type MerkleConfig = KeccakParams;
+ type PowStrategy = nimue_pow::keccak::KeccakPoW;
+ fn commit_to_merlin(
+ committer: &Committer,
+ merlin: &mut Merlin,
+ poly: CoefficientList,
+ ) -> ProofResult> {
+ committer.commit(merlin, poly)
+ }
+
+ fn commit_to_merlin_batch(
+ committer: &Committer,
+ merlin: &mut Merlin,
+ polys: &[CoefficientList],
+ ) -> ProofResult> {
+ committer.batch_commit(merlin, polys)
+ }
+
+ fn prove_with_merlin(
+ prover: &Prover,
+ merlin: &mut Merlin,
+ statement: Statement,
+ witness: Witness,
+ ) -> ProofResult> {
+ prover.prove(merlin, statement, witness)
+ }
+
+ fn prove_with_merlin_simple_batch(
+ prover: &Prover,
+ merlin: &mut Merlin,
+ point: &[F],
+ evals: &[F],
+ witness: &Witnesses,
+ ) -> ProofResult> {
+ let points = [MultilinearPoint(point.to_vec())];
+ prover.simple_batch_prove(merlin, &points, &[evals.to_vec()], witness)
+ }
+
+ fn verify_with_arthur(
+ verifier: &Verifier,
+ arthur: &mut Arthur,
+ statement: &Statement,
+ whir_proof: &WhirProof,
+ ) -> ProofResult<::InnerDigest> {
+ verifier.verify(arthur, statement, whir_proof)
+ }
+
+ fn verify_with_arthur_simple_batch(
+ verifier: &Verifier,
+ arthur: &mut Arthur,
+ point: &[F],
+ evals: &[F],
+ whir_proof: &WhirProof,
+ ) -> ProofResult<::InnerDigest> {
+ let points = [MultilinearPoint(point.to_vec())];
+ verifier.simple_batch_verify(arthur, evals.len(), &points, &[evals.to_vec()], whir_proof)
+ }
+
+ fn commit_statement_to_io_pattern(
+ iopattern: IOPattern,
+ params: &WhirConfig,
+ ) -> IOPattern {
+ iopattern.commit_statement(params)
+ }
+
+ fn add_whir_proof_to_io_pattern(
+ iopattern: IOPattern,
+ params: &WhirConfig,
+ ) -> IOPattern {
+ iopattern.add_whir_proof(params)
+ }
+
+ fn commit_batch_statement_to_io_pattern(
+ iopattern: IOPattern,
+ params: &WhirConfig,
+ batch_size: usize,
+ ) -> IOPattern {
+ iopattern.commit_batch_statement(params, batch_size)
+ }
+
+ fn add_whir_batch_proof_to_io_pattern(
+ iopattern: IOPattern,
+ params: &WhirConfig,
+ batch_size: usize,
+ ) -> IOPattern {
+ iopattern.add_whir_batch_proof(params, batch_size)
+ }
+
+ fn add_digest_to_merlin(
+ merlin: &mut Merlin,
+ digest: ::InnerDigest,
+ ) -> ProofResult<()> {
+ >::add_digest(merlin, digest)
+ }
+}
diff --git a/whir/src/ceno_binding/mod.rs b/whir/src/ceno_binding/mod.rs
new file mode 100644
index 000000000..7299cf99a
--- /dev/null
+++ b/whir/src/ceno_binding/mod.rs
@@ -0,0 +1,80 @@
+mod merkle_config;
+mod pcs;
+pub use ark_crypto_primitives::merkle_tree::Config;
+pub use pcs::{DefaultHash, InnerDigestOf, Whir, WhirDefaultSpec, WhirSpec};
+
+use ark_ff::FftField;
+use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
+use serde::{Serialize, de::DeserializeOwned};
+use std::fmt::Debug;
+
+pub use nimue::{
+ ProofResult,
+ plugins::ark::{FieldChallenges, FieldWriter},
+};
+
+#[derive(Debug, Clone, thiserror::Error)]
+pub enum Error {
+ #[error(transparent)]
+ ProofError(#[from] nimue::ProofError),
+ #[error("CommitmentMismatchFromDigest")]
+ CommitmentMismatchFromDigest,
+ #[error("InvalidPcsParams")]
+ InvalidPcsParam,
+}
+
+/// The trait for a non-interactive polynomial commitment scheme.
+/// This trait serves as the intermediate step between WHIR and the
+/// trait required in Ceno mpcs. Because Ceno and the WHIR implementation
+/// in this crate assume different types of transcripts, to connect
+/// them we can provide a non-interactive interface from WHIR.
+pub trait PolynomialCommitmentScheme: Clone {
+ type Param: Clone + Debug + Serialize + DeserializeOwned;
+ type Commitment: Clone + Debug;
+ type CommitmentWithWitness: Clone + Debug;
+ type Proof: Clone + CanonicalSerialize + CanonicalDeserialize + Serialize + DeserializeOwned;
+ type Poly: Clone + Debug + Serialize + DeserializeOwned;
+
+ fn setup(poly_size: usize) -> Self::Param;
+
+ fn commit(pp: &Self::Param, poly: &Self::Poly) -> Result;
+
+ fn batch_commit(
+ pp: &Self::Param,
+ polys: &[Self::Poly],
+ ) -> Result;
+
+ fn open(
+ pp: &Self::Param,
+ comm: &Self::CommitmentWithWitness,
+ point: &[E],
+ eval: &E,
+ ) -> Result;
+
+ /// This is a simple version of batch open:
+ /// 1. Open at one point
+ /// 2. All the polynomials share the same commitment.
+ /// 3. The point is already a random point generated by a sum-check.
+ fn simple_batch_open(
+ pp: &Self::Param,
+ comm: &Self::CommitmentWithWitness,
+ point: &[E],
+ evals: &[E],
+ ) -> Result;
+
+ fn verify(
+ vp: &Self::Param,
+ comm: &Self::Commitment,
+ point: &[E],
+ eval: &E,
+ proof: &Self::Proof,
+ ) -> Result<(), Error>;
+
+ fn simple_batch_verify(
+ vp: &Self::Param,
+ comm: &Self::Commitment,
+ point: &[E],
+ evals: &[E],
+ proof: &Self::Proof,
+ ) -> Result<(), Error>;
+}
diff --git a/whir/src/ceno_binding/pcs.rs b/whir/src/ceno_binding/pcs.rs
new file mode 100644
index 000000000..2c8f8ed80
--- /dev/null
+++ b/whir/src/ceno_binding/pcs.rs
@@ -0,0 +1,442 @@
+use super::{
+ Error, PolynomialCommitmentScheme,
+ merkle_config::{Blake3ConfigWrapper, WhirMerkleConfigWrapper},
+};
+use crate::{
+ crypto::merkle_tree::blake3::{self as mt},
+ parameters::{
+ FoldType, FoldingFactor, MultivariateParameters, SoundnessType, WhirParameters,
+ default_max_pow,
+ },
+ poly_utils::{MultilinearPoint, coeffs::CoefficientList},
+ whir::{
+ Statement, WhirProof, batch::Witnesses, committer::Committer, parameters::WhirConfig,
+ prover::Prover, verifier::Verifier,
+ },
+};
+
+use ark_crypto_primitives::merkle_tree::Config;
+use ark_ff::FftField;
+use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
+pub use nimue::DefaultHash;
+use nimue::{
+ IOPattern,
+ plugins::ark::{FieldChallenges, FieldWriter},
+};
+use nimue_pow::blake3::Blake3PoW;
+use rand::prelude::*;
+use rand_chacha::ChaCha8Rng;
+use serde::{Deserialize, Serialize, de::DeserializeOwned};
+use std::{
+ fmt::{self, Debug, Formatter},
+ marker::PhantomData,
+};
+
+pub trait WhirSpec: Default + std::fmt::Debug + Clone {
+ type MerkleConfigWrapper: WhirMerkleConfigWrapper;
+ fn get_parameters(
+ num_variables: usize,
+ for_batch: bool,
+ ) -> WhirParameters, PowOf>;
+
+ fn prepare_whir_config(
+ num_variables: usize,
+ for_batch: bool,
+ ) -> WhirConfig, PowOf> {
+ let whir_params = Self::get_parameters(num_variables, for_batch);
+ let mv_params = MultivariateParameters::new(num_variables);
+ ConfigOf::::new(mv_params, whir_params)
+ }
+
+ fn prepare_io_pattern(num_variables: usize) -> IOPattern {
+ let params = Self::prepare_whir_config(num_variables, false);
+
+ let io = IOPattern::::new("🌪️");
+ let io = >::commit_statement_to_io_pattern(
+ io, ¶ms,
+ );
+ >::add_whir_proof_to_io_pattern(
+ io, ¶ms,
+ )
+ }
+
+ fn prepare_batch_io_pattern(num_variables: usize, batch_size: usize) -> IOPattern {
+ let params = Self::prepare_whir_config(num_variables, true);
+
+ let io = IOPattern::::new("🌪️");
+ let io = >::commit_batch_statement_to_io_pattern(
+ io, ¶ms, batch_size
+ );
+
+ >::add_whir_batch_proof_to_io_pattern(
+ io, ¶ms, batch_size
+ )
+ }
+}
+
+type MerkleConfigOf =
+ <>::MerkleConfigWrapper as WhirMerkleConfigWrapper>::MerkleConfig;
+type ConfigOf = WhirConfig, PowOf>;
+
+pub type InnerDigestOf = as Config>::InnerDigest;
+
+type PowOf =
+ <>::MerkleConfigWrapper as WhirMerkleConfigWrapper>::PowStrategy;
+
+#[derive(Debug, Clone, Default)]
+pub struct WhirDefaultSpec;
+
+impl WhirSpec for WhirDefaultSpec {
+ type MerkleConfigWrapper = Blake3ConfigWrapper;
+ fn get_parameters(
+ num_variables: usize,
+ for_batch: bool,
+ ) -> WhirParameters, Blake3PoW> {
+ let mut rng = ChaCha8Rng::from_seed([0u8; 32]);
+ let (leaf_hash_params, two_to_one_params) = mt::default_config::(&mut rng);
+ WhirParameters::, Blake3PoW> {
+ initial_statement: true,
+ security_level: 100,
+ pow_bits: default_max_pow(num_variables, 1),
+ // For batching, the first round folding factor should be set small
+ // to avoid large leaf nodes in proof
+ folding_factor: if for_batch {
+ FoldingFactor::ConstantFromSecondRound(1, 4)
+ } else {
+ FoldingFactor::Constant(4)
+ },
+ leaf_hash_params,
+ two_to_one_params,
+ soundness_type: SoundnessType::ConjectureList,
+ fold_optimisation: FoldType::ProverHelps,
+ _pow_parameters: Default::default(),
+ starting_log_inv_rate: 1,
+ }
+ }
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, Default)]
+pub struct WhirSetupParams {
+ pub num_variables: usize,
+ _phantom: PhantomData,
+}
+
+#[derive(Debug, Clone, Default, Serialize, Deserialize)]
+pub struct Whir>(PhantomData<(E, Spec)>);
+
+// Wrapper for WhirProof
+#[derive(Clone, CanonicalSerialize, CanonicalDeserialize)]
+pub struct WhirProofWrapper
+where
+ MerkleConfig: Config,
+ F: Sized + Clone + CanonicalSerialize + CanonicalDeserialize,
+{
+ pub proof: WhirProof,
+ pub transcript: Vec,
+}
+
+impl Serialize for WhirProofWrapper
+where
+ MerkleConfig: Config,
+ F: Sized + Clone + CanonicalSerialize + CanonicalDeserialize,
+{
+ fn serialize(&self, serializer: S) -> Result