Add IVCProof to the existing folding schemes (Nova,HyperNova,ProtoGal…

…axy)
privacy-scaling-explorations · Oct 4, 2024 · 8130ab8 · 8130ab8
1 parent ed14889
commit 8130ab8
Show file tree

Hide file tree

Showing 16 changed files with 203 additions and 141 deletions.
diff --git a/examples/circom_full_flow.rs b/examples/circom_full_flow.rs
@@ -99,6 +99,14 @@ fn main() {
         println!("Nova::prove_step {}: {:?}", i, start.elapsed());
     }
 
+    // verify the last IVC proof
+    let ivc_proof = nova.ivc_proof();
+    N::verify(
+        nova_params.1, // Nova's verifier params
+        ivc_proof,
+    )
+    .unwrap();
+
     let start = Instant::now();
     let proof = D::prove(rng, decider_pp, nova.clone()).unwrap();
     println!("generated Decider proof: {:?}", start.elapsed());

diff --git a/examples/external_inputs.rs b/examples/external_inputs.rs
@@ -210,14 +210,10 @@ fn main() {
     let (running_instance, incoming_instance, cyclefold_instance) = folding_scheme.instances();
 
     println!("Run the Nova's IVC verifier");
+    let ivc_proof = nova.ivc_proof();
     N::verify(
-        nova_params.1,
-        initial_state.clone(),
-        folding_scheme.state(), // latest state
-        Fr::from(num_steps as u32),
-        running_instance,
-        incoming_instance,
-        cyclefold_instance,
+        nova_params.1, // Nova's verifier params
+        ivc_proof,
     )
     .unwrap();
 }
diff --git a/examples/multi_inputs.rs b/examples/multi_inputs.rs
@@ -157,14 +157,10 @@ fn main() {
     let (running_instance, incoming_instance, cyclefold_instance) = folding_scheme.instances();
 
     println!("Run the Nova's IVC verifier");
+    let ivc_proof = nova.ivc_proof();
     N::verify(
-        nova_params.1,
-        initial_state.clone(),
-        folding_scheme.state(), // latest state
-        Fr::from(num_steps as u32),
-        running_instance,
-        incoming_instance,
-        cyclefold_instance,
+        nova_params.1, // Nova's verifier params
+        ivc_proof,
     )
     .unwrap();
 }
diff --git a/examples/noir_full_flow.rs b/examples/noir_full_flow.rs
@@ -87,6 +87,13 @@ fn main() {
         nova.prove_step(rng, vec![], None).unwrap();
         println!("Nova::prove_step {}: {:?}", i, start.elapsed());
     }
+    // verify the last IVC proof
+    let ivc_proof = nova.ivc_proof();
+    N::verify(
+        nova_params.1, // Nova's verifier params
+        ivc_proof,
+    )
+    .unwrap();
 
     let start = Instant::now();
     let proof = D::prove(rng, decider_pp, nova.clone()).unwrap();

diff --git a/examples/noname_full_flow.rs b/examples/noname_full_flow.rs
@@ -99,6 +99,14 @@ fn main() {
         println!("Nova::prove_step {}: {:?}", i, start.elapsed());
     }
 
+    // verify the last IVC proof
+    let ivc_proof = nova.ivc_proof();
+    N::verify(
+        nova_params.1, // Nova's verifier params
+        ivc_proof,
+    )
+    .unwrap();
+
     let start = Instant::now();
     let proof = D::prove(rng, decider_pp, nova.clone()).unwrap();
     println!("generated Decider proof: {:?}", start.elapsed());

diff --git a/examples/sha256.rs b/examples/sha256.rs
@@ -141,14 +141,10 @@ fn main() {
     let (running_instance, incoming_instance, cyclefold_instance) = folding_scheme.instances();
 
     println!("Run the Nova's IVC verifier");
+    let ivc_proof = nova.ivc_proof();
     N::verify(
-        nova_params.1,
-        initial_state,
-        folding_scheme.state(), // latest state
-        Fr::from(num_steps as u32),
-        running_instance,
-        incoming_instance,
-        cyclefold_instance,
+        nova_params.1, // Nova's verifier params
+        ivc_proof,
     )
     .unwrap();
 }
diff --git a/folding-schemes/ivc_proof-hypernova.serialized b/folding-schemes/ivc_proof-hypernova.serialized
diff --git a/folding-schemes/ivc_proof-nova.serialized b/folding-schemes/ivc_proof-nova.serialized
diff --git a/folding-schemes/ivc_proof-protogalaxy.serialized b/folding-schemes/ivc_proof-protogalaxy.serialized
diff --git a/folding-schemes/src/folding/hypernova/decider_eth_circuit.rs b/folding-schemes/src/folding/hypernova/decider_eth_circuit.rs
@@ -509,7 +509,6 @@ pub mod tests {
     use ark_bn254::{constraints::GVar, Fr, G1Projective as Projective};
     use ark_grumpkin::{constraints::GVar as GVar2, Projective as Projective2};
     use ark_relations::r1cs::ConstraintSystem;
-    use ark_std::One;
     use ark_std::{test_rng, UniformRand};
 
     use super::*;
@@ -587,18 +586,8 @@ pub mod tests {
             .prove_step(&mut rng, vec![], Some((vec![], vec![])))
             .unwrap();
 
-        let ivc_v = hypernova.clone();
-        let (running_instance, incoming_instance, cyclefold_instance) = ivc_v.instances();
-        HN::verify(
-            hn_params.1, // HN's verifier_params
-            z_0,
-            ivc_v.z_i,
-            Fr::one(),
-            running_instance,
-            incoming_instance,
-            cyclefold_instance,
-        )
-        .unwrap();
+        let ivc_proof = hypernova.ivc_proof();
+        HN::verify(hn_params.1, ivc_proof).unwrap();
 
         // load the DeciderEthCircuit from the generated Nova instance
         let decider_circuit = DeciderEthCircuit::<

diff --git a/folding-schemes/src/folding/hypernova/mod.rs b/folding-schemes/src/folding/hypernova/mod.rs
@@ -157,6 +157,23 @@ where
     }
 }
 
+#[derive(Debug, Clone, CanonicalSerialize, CanonicalDeserialize)]
+pub struct IVCProof<C1, C2>
+where
+    C1: CurveGroup,
+    C2: CurveGroup,
+{
+    pub i: C1::ScalarField,
+    pub z_0: Vec<C1::ScalarField>,
+    pub z_i: Vec<C1::ScalarField>,
+    pub W_i: Witness<C1::ScalarField>,
+    pub U_i: LCCCS<C1>,
+    pub w_i: Witness<C1::ScalarField>,
+    pub u_i: CCCS<C1>,
+    pub cf_W_i: CycleFoldWitness<C2>,
+    pub cf_U_i: CycleFoldCommittedInstance<C2>,
+}
+
 /// Implements HyperNova+CycleFold's IVC, described in
 /// [HyperNova](https://eprint.iacr.org/2023/573.pdf) and
 /// [CycleFold](https://eprint.iacr.org/2023/1192.pdf), following the FoldingScheme trait
@@ -419,6 +436,7 @@ where
     type MultiCommittedInstanceWithWitness =
         (Vec<Self::RunningInstance>, Vec<Self::IncomingInstance>);
     type CFInstance = (CycleFoldCommittedInstance<C2>, CycleFoldWitness<C2>);
+    type IVCProof = IVCProof<C1, C2>;
 
     fn preprocess(
         mut rng: impl RngCore,
@@ -863,17 +881,35 @@ where
         )
     }
 
-    /// Implements IVC.V of HyperNova+CycleFold. Notice that this method does not include the
+    fn ivc_proof(&self) -> Self::IVCProof {
+        Self::IVCProof {
+            i: self.i,
+            z_0: self.z_0.clone(),
+            z_i: self.z_i.clone(),
+            W_i: self.W_i.clone(),
+            U_i: self.U_i.clone(),
+            w_i: self.w_i.clone(),
+            u_i: self.u_i.clone(),
+            cf_W_i: self.cf_W_i.clone(),
+            cf_U_i: self.cf_U_i.clone(),
+        }
+    }
+
+    /// Implements IVC.V of Hyp.clone()erNova+CycleFold. Notice that this method does not include the
     /// commitments verification, which is done in the Decider.
-    fn verify(
-        vp: Self::VerifierParam,
-        z_0: Vec<C1::ScalarField>, // initial state
-        z_i: Vec<C1::ScalarField>, // last state
-        num_steps: C1::ScalarField,
-        running_instance: Self::RunningInstance,
-        incoming_instance: Self::IncomingInstance,
-        cyclefold_instance: Self::CFInstance,
-    ) -> Result<(), Error> {
+    fn verify(vp: Self::VerifierParam, ivc_proof: Self::IVCProof) -> Result<(), Error> {
+        let Self::IVCProof {
+            i: num_steps,
+            z_0,
+            z_i,
+            W_i,
+            U_i,
+            w_i,
+            u_i,
+            cf_W_i,
+            cf_U_i,
+        } = ivc_proof;
+
         if num_steps == C1::ScalarField::zero() {
             if z_0 != z_i {
                 return Err(Error::IVCVerificationFail);
@@ -883,9 +919,6 @@ where
         // `sponge` is for digest computation.
         let sponge = PoseidonSponge::<C1::ScalarField>::new(&vp.poseidon_config);
 
-        let (U_i, W_i) = running_instance;
-        let (u_i, w_i) = incoming_instance;
-        let (cf_U_i, cf_W_i) = cyclefold_instance;
         if u_i.x.len() != 2 || U_i.x.len() != 2 {
             return Err(Error::IVCVerificationFail);
         }
@@ -1024,18 +1057,14 @@ mod tests {
         }
         assert_eq!(Fr::from(num_steps as u32), hypernova.i);
 
-        let (running_instance, incoming_instance, cyclefold_instance) = hypernova.instances();
+        let ivc_proof = hypernova.ivc_proof();
         HN::verify(
             hypernova_params.1.clone(), // verifier_params
-            z_0,
-            hypernova.z_i.clone(),
-            hypernova.i,
-            running_instance.clone(),
-            incoming_instance.clone(),
-            cyclefold_instance.clone(),
+            ivc_proof,
         )
         .unwrap();
 
+        let (running_instance, incoming_instance, cyclefold_instance) = hypernova.instances();
         (
             hypernova,
             hypernova_params,

diff --git a/folding-schemes/src/folding/nova/decider_circuits.rs b/folding-schemes/src/folding/nova/decider_circuits.rs
@@ -491,7 +491,6 @@ where
 pub mod tests {
     use ark_pallas::{constraints::GVar, Fq, Fr, Projective};
     use ark_relations::r1cs::ConstraintSystem;
-    use ark_std::One;
     use ark_vesta::{constraints::GVar as GVar2, Projective as Projective2};
 
     use super::*;
@@ -533,18 +532,9 @@ pub mod tests {
         // generate a Nova instance and do a step of it
         let mut nova = N::init(&nova_params, F_circuit, z_0.clone()).unwrap();
         nova.prove_step(&mut rng, vec![], None).unwrap();
-        let ivc_v = nova.clone();
-        let (running_instance, incoming_instance, cyclefold_instance) = ivc_v.instances();
-        N::verify(
-            nova_params.1, // verifier_params
-            z_0,
-            ivc_v.z_i,
-            Fr::one(),
-            running_instance,
-            incoming_instance,
-            cyclefold_instance,
-        )
-        .unwrap();
+        // verify the IVC
+        let ivc_proof = nova.ivc_proof();
+        N::verify(nova_params.1, ivc_proof).unwrap();
 
         // load the DeciderCircuit 1 & 2 from the Nova instance
         let decider_circuit1 =

diff --git a/folding-schemes/src/folding/nova/decider_eth_circuit.rs b/folding-schemes/src/folding/nova/decider_eth_circuit.rs
@@ -589,7 +589,7 @@ pub mod tests {
     use ark_relations::r1cs::ConstraintSystem;
     use ark_std::{
         rand::{thread_rng, Rng},
-        One, UniformRand,
+        UniformRand,
     };
     use ark_vesta::{constraints::GVar as GVar2, Projective as Projective2};
 
@@ -810,18 +810,8 @@ pub mod tests {
         // generate a Nova instance and do a step of it
         let mut nova = N::init(&nova_params, F_circuit, z_0.clone()).unwrap();
         nova.prove_step(&mut rng, vec![], None).unwrap();
-        let ivc_v = nova.clone();
-        let (running_instance, incoming_instance, cyclefold_instance) = ivc_v.instances();
-        N::verify(
-            nova_params.1, // verifier_params
-            z_0,
-            ivc_v.z_i,
-            Fr::one(),
-            running_instance,
-            incoming_instance,
-            cyclefold_instance,
-        )
-        .unwrap();
+        let ivc_proof = nova.ivc_proof();
+        N::verify(nova_params.1, ivc_proof).unwrap();
 
         // load the DeciderEthCircuit from the Nova instance
         let decider_eth_circuit = DeciderEthCircuit::<