master merged

Author: swasilyev

Cargo.toml

@@ -1,8 +1,8 @@
 [workspace]
 resolver = "2"
 members = [
-    "common",
-    "ring",
+    "w3f-plonk-common",
+    "w3f-ring-proof",
 ]
 
 [workspace.dependencies]
@@ -11,5 +11,5 @@ ark-ff = { version = "0.5", default-features = false }
 ark-ec = { version = "0.5", default-features = false }
 ark-poly = { version = "0.5", default-features = false }
 ark-serialize = { version = "0.5", default-features = false, features = ["derive"] }
-fflonk = { git = "https://github.com/w3f/fflonk", default-features = false }
+w3f-pcs = { version = "0.0.1", default-features = false }
 rayon = { version = "1", default-features = false }

LICENSE LICENSE-APACHE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Web3 Foundation
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

LICENSE-MIT

@@ -1,20 +1,8 @@
+### The code has not been audited. Use on your own risk.
+
 ## Contents
 
-* [`common`](common) provides infrastucture for creating plonk-like proofs.
-* [`ring`](ring) for a vector commitment to a list of public keys, and a Pedersen commitment to one of the secret keys,
+* [`w3f-plonk-common`](w3f-plonk-common) provides infrastructure for creating plonkish proofs.
+* [`w3f-ring-proof`](w3f-ring-proof) for a vector commitment to a list of public keys, and a Pedersen commitment to one of the secret keys,
   implements a zk proof of knowledge of the blinding factor for the Pedersen commitment, and the position of the
   corresponding public key in the list.
-
-## TODOs
-
-* Fix FiatShamir:
-    - add instance to the transcript,
-    - verifier uses Fiat-Shamir rng to batch verify the pairings,
-    - remove test_rng from not_test,
-* Verifier evaluates selectors efficiently
-* Find points from the prime-subgroup complements to seed the acc. How should it be encapsulated?
-* Check paddings for the precommitted columns
-* Refactor common/piop.rs to have types shared between prover nad verifier
-* Add zk
-* Batch verification
-* Batch proving

README.md

@@ -1,6 +1,6 @@
 [package]
-name = "common"
-version = "0.1.0"
+name = "w3f-plonk-common"
+version = "0.0.1"
 edition = "2021"
 authors = ["Sergey Vasilyev <[email protected]>"]
 license = "MIT/Apache-2.0"
@@ -13,7 +13,7 @@ ark-ff.workspace = true
 ark-ec.workspace = true
 ark-poly.workspace = true
 ark-serialize.workspace = true
-fflonk.workspace = true
+w3f-pcs.workspace = true
 rayon = { workspace = true, optional = true }
 getrandom_or_panic = { version = "0.0.3", default-features = false }
 rand_core = "0.6"
@@ -29,18 +29,18 @@ std = [
   "ark-ec/std",
   "ark-poly/std",
   "ark-serialize/std",
-  "fflonk/std",
+  "w3f-pcs/std",
   "getrandom_or_panic/std",
-  "rand_core/std"
+  "rand_core/std",
 ]
 parallel = [
   "std",
   "rayon",
-  "fflonk/parallel",
   "ark-std/parallel",
   "ark-ff/parallel",
   "ark-ec/parallel",
-  "ark-poly/parallel"
+  "ark-poly/parallel",
+  "w3f-pcs/parallel",
 ]
 print-trace = ["ark-std/print-trace"]
-asm = ["fflonk/asm"]
+asm = ["w3f-pcs/asm"]

common/Cargo.toml w3f-plonk-common/Cargo.toml

@@ -0,0 +1,3 @@
+### The code has not been audited. Use on your own risk.
+
+Infrastructure for creating plonkish proofs.

w3f-plonk-common/README.md

@@ -198,4 +198,4 @@ mod tests {
         _test_sw_cond_add_gadget(false);
         _test_sw_cond_add_gadget(true);
     }
-}
+}

common/src/domain.rs w3f-plonk-common/src/domain.rs

@@ -5,7 +5,7 @@ use ark_poly::univariate::DensePolynomial;
 use ark_poly::{EvaluationDomain, Evaluations, GeneralEvaluationDomain, Polynomial};
 use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
 use ark_std::{vec, vec::Vec};
-use fflonk::pcs::{Commitment, PCS};
+use w3f_pcs::pcs::{Commitment, PCS};
 
 pub mod domain;
 pub mod gadgets;

common/src/gadgets/booleanity.rs w3f-plonk-common/src/gadgets/booleanity.rs

@@ -3,7 +3,7 @@ use ark_poly::univariate::DensePolynomial;
 use ark_poly::Evaluations;
 use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
 use ark_std::vec::Vec;
-use fflonk::pcs::Commitment;
+use w3f_pcs::pcs::Commitment;
 
 use crate::domain::{Domain, EvaluatedDomain};
 use crate::{ColumnsCommited, ColumnsEvaluated};

common/src/gadgets/ec/mod.rs w3f-plonk-common/src/gadgets/ec/mod.rs

@@ -2,8 +2,8 @@ use ark_ff::PrimeField;
 use ark_poly::{Evaluations, Polynomial};
 use ark_serialize::CanonicalSerialize;
 use ark_std::vec;
-use fflonk::aggregation::single::aggregate_polys;
-use fflonk::pcs::PCS;
+use w3f_pcs::aggregation::single::aggregate_polys;
+use w3f_pcs::pcs::PCS;
 
 use crate::piop::ProverPiop;
 use crate::transcript::PlonkTranscript;

common/src/gadgets/ec/sw_cond_add.rs w3f-plonk-common/src/gadgets/ec/sw_cond_add.rs

@@ -1,7 +1,7 @@
 use ark_ff::PrimeField;
 use ark_poly::{EvaluationDomain, GeneralEvaluationDomain};
 use ark_std::rand::Rng;
-use fflonk::pcs::{PCS, PcsParams};
+use w3f_pcs::pcs::{PCS, PcsParams};
 
 use crate::{Column, FieldColumn};
 

common/src/gadgets/ec/te_cond_add.rs w3f-plonk-common/src/gadgets/ec/te_cond_add.rs

@@ -2,7 +2,7 @@ use ark_ff::PrimeField;
 use ark_poly::GeneralEvaluationDomain;
 use ark_serialize::CanonicalSerialize;
 use ark_std::vec::Vec;
-use fflonk::pcs::{PcsParams, PCS};
+use w3f_pcs::pcs::{PcsParams, PCS};
 use rand_core::RngCore;
 
 use crate::{ColumnsCommited, ColumnsEvaluated};

common/src/gadgets/fixed_cells.rs w3f-plonk-common/src/gadgets/fixed_cells.rs

@@ -2,7 +2,7 @@ use ark_ff::{Field, PrimeField};
 use ark_serialize::CanonicalSerialize;
 use ark_std::rand::Rng;
 use ark_std::{vec, vec::Vec};
-use fflonk::pcs::{Commitment, PcsParams, PCS};
+use w3f_pcs::pcs::{Commitment, PcsParams, PCS};
 use rand_core::RngCore;
 
 use crate::piop::VerifierPiop;

common/src/gadgets/inner_prod.rs w3f-plonk-common/src/gadgets/inner_prod.rs

@@ -1,6 +1,6 @@
 [package]
-name = "ring"
-version = "0.1.0"
+name = "w3f-ring-proof"
+version = "0.0.1"
 edition = "2021"
 authors = ["Sergey Vasilyev <[email protected]>"]
 license = "MIT/Apache-2.0"
@@ -13,11 +13,11 @@ ark-ff.workspace = true
 ark-ec.workspace = true
 ark-poly.workspace = true
 ark-serialize.workspace = true
-fflonk.workspace = true
+w3f-pcs.workspace = true
 rayon = { workspace = true, optional = true }
-common = { path = "../common", default-features = false }
+w3f-plonk-common = { path="../w3f-plonk-common", default-features = false }
 blake2 = { version = "0.10", default-features = false }
-ark-transcript = { git = "https://github.com/w3f/ark-transcript", default-features = false }
+ark-transcript = { version = "0.0.3", default-features = false }
 
 [dev-dependencies]
 ark-bls12-381 = { version = "0.5", default-features = false, features = ["curve"] }
@@ -31,8 +31,8 @@ std = [
   "ark-ec/std",
   "ark-poly/std",
   "ark-serialize/std",
-  "fflonk/std",
-  "common/std"
+  "w3f-pcs/std",
+  "w3f-plonk-common/std"
 ]
 parallel = [
   "std",
@@ -41,11 +41,11 @@ parallel = [
   "ark-ff/parallel",
   "ark-ec/parallel",
   "ark-poly/parallel",
-  "common/parallel",
-  "fflonk/parallel"
+  "w3f-plonk-common/parallel",
+  "w3f-pcs/parallel"
 ]
 print-trace = [
   "ark-std/print-trace",
-  "common/print-trace"
+  "w3f-plonk-common/print-trace"
 ]
-asm = [ "fflonk/asm" ]
+asm = [ "w3f-pcs/asm" ]

common/src/gadgets/inner_prod_pub.rs w3f-plonk-common/src/gadgets/inner_prod_pub.rs

@@ -0,0 +1,3 @@
+### The code has not been audited. Use on your own risk.
+
+For a vector commitment to a list of public keys, and a Pedersen commitment to one of the secret keys, implements a zk proof of knowledge of the blinding factor for the Pedersen commitment, and the position of the corresponding public key in the list.

common/src/gadgets/mod.rs w3f-plonk-common/src/gadgets/mod.rs

@@ -7,10 +7,10 @@ use ark_ec::{
 use ark_ff::{One, PrimeField, Zero};
 use ark_serialize::CanonicalSerialize;
 use ark_std::rand::RngCore;
-use fflonk::pcs::PCS;
+use w3f_pcs::pcs::PCS;
 
-pub use common::domain::Domain;
-use common::Proof;
+pub use w3f_plonk_common::domain::Domain;
+use w3f_plonk_common::Proof;
 pub use piop::index;
 
 pub use crate::piop::{params::PiopParams, FixedColumnsCommitted, ProverKey, VerifierKey};
@@ -24,7 +24,7 @@ pub mod ring_verifier;
 pub type RingProof<F, CS> = Proof<F, CS, RingCommitments<F, <CS as PCS<F>>::C>, RingEvaluations<F>>;
 
 /// Polynomial Commitment Schemes.
-pub use fflonk::pcs;
+pub use w3f_pcs::pcs;
 
 // Calling the method for a prime-order curve results in an infinite loop.
 pub fn find_complement_point<Curve: SWCurveConfig>() -> Affine<Curve> {
@@ -61,7 +61,7 @@ pub(crate) fn hash_to_curve<F: PrimeField, Curve: SWCurveConfig<BaseField = F>>(
 #[derive(Clone)]
 pub struct ArkTranscript(ark_transcript::Transcript);
 
-impl<F: PrimeField, CS: PCS<F>> common::transcript::PlonkTranscript<F, CS> for ArkTranscript {
+impl<F: PrimeField, CS: PCS<F>> w3f_plonk_common::transcript::PlonkTranscript<F, CS> for ArkTranscript {
     fn _128_bit_point(&mut self, label: &'static [u8]) -> F {
         self.0.challenge(label).read_reduce()
     }
@@ -91,9 +91,9 @@ mod tests {
     use ark_std::ops::Mul;
     use ark_std::rand::Rng;
     use ark_std::{end_timer, start_timer, test_rng, UniformRand};
-    use fflonk::pcs::kzg::KZG;
+    use w3f_pcs::pcs::kzg::KZG;
 
-    use common::test_helpers::random_vec;
+    use w3f_plonk_common::test_helpers::random_vec;
 
     use crate::piop::FixedColumnsCommitted;
     use crate::ring::{Ring, RingBuilderKey};
@@ -122,7 +122,7 @@ mod tests {
             prover_key,
             piop_params.clone(),
             k,
-            ArkTranscript::new(b"ring-vrf-test"),
+            ArkTranscript::new(b"w3f-ring-proof-test"),
         );
         let t_prove = start_timer!(|| "Prove");
         let proof = ring_prover.prove(secret);
@@ -131,7 +131,7 @@ mod tests {
         let ring_verifier = RingVerifier::init(
             verifier_key,
             piop_params,
-            ArkTranscript::new(b"ring-vrf-test"),
+            ArkTranscript::new(b"w3f-ring-proof-test"),
         );
         let t_verify = start_timer!(|| "Verify");
         let res = ring_verifier.verify_ring_proof(proof, result.into_affine());
@@ -201,6 +201,6 @@ mod tests {
 
     #[test]
     fn test_ring_proof_id() {
-        _test_ring_proof::<fflonk::pcs::IdentityCommitment>(2usize.pow(10));
+        _test_ring_proof::<w3f_pcs::pcs::IdentityCommitment>(2usize.pow(10));
     }
 }

common/src/lib.rs w3f-plonk-common/src/lib.rs

@@ -5,13 +5,13 @@ use ark_ff::PrimeField;
 use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
 use ark_std::marker::PhantomData;
 use ark_std::{vec, vec::Vec};
-use fflonk::pcs::kzg::commitment::KzgCommitment;
-use fflonk::pcs::kzg::params::RawKzgVerifierKey;
-use fflonk::pcs::kzg::KZG;
-use fflonk::pcs::{Commitment, PcsParams, PCS};
+use w3f_pcs::pcs::kzg::commitment::KzgCommitment;
+use w3f_pcs::pcs::kzg::params::RawKzgVerifierKey;
+use w3f_pcs::pcs::kzg::KZG;
+use w3f_pcs::pcs::{Commitment, PcsParams, PCS};
 
-use common::gadgets::ec::AffineColumn;
-use common::{Column, ColumnsCommited, ColumnsEvaluated, FieldColumn};
+use w3f_plonk_common::gadgets::ec::AffineColumn;
+use w3f_plonk_common::{Column, ColumnsCommited, ColumnsEvaluated, FieldColumn};
 pub(crate) use prover::PiopProver;
 pub(crate) use verifier::PiopVerifier;
 
@@ -82,8 +82,8 @@ pub struct FixedColumns<F: PrimeField, G: AffineRepr<BaseField = F>> {
 #[derive(Clone, CanonicalSerialize, CanonicalDeserialize, PartialEq, Eq, Debug)]
 pub struct FixedColumnsCommitted<F: PrimeField, C: Commitment<F>> {
     pub points: [C; 2],
-    ring_selector: C,
-    phantom: PhantomData<F>,
+    pub ring_selector: C,
+    pub phantom: PhantomData<F>,
 }
 
 impl<F: PrimeField, C: Commitment<F>> FixedColumnsCommitted<F, C> {

common/src/piop.rs w3f-plonk-common/src/piop.rs

@@ -3,8 +3,8 @@ use ark_ec::{AdditiveGroup, AffineRepr, CurveGroup};
 use ark_ff::{BigInteger, PrimeField};
 use ark_std::{vec, vec::Vec};
 
-use common::domain::Domain;
-use common::gadgets::ec::AffineColumn;
+use w3f_plonk_common::domain::Domain;
+use w3f_plonk_common::gadgets::ec::AffineColumn;
 
 use crate::piop::FixedColumns;
 
@@ -32,7 +32,7 @@ pub struct PiopParams<F: PrimeField, Curve: SWCurveConfig<BaseField = F>> {
 
 impl<F: PrimeField, Curve: SWCurveConfig<BaseField = F>> PiopParams<F, Curve> {
     pub fn setup(domain: Domain<F>, h: Affine<Curve>, seed: Affine<Curve>) -> Self {
-        let padding_point = crate::hash_to_curve(b"/w3f/ring-proof/padding");
+        let padding_point = crate::hash_to_curve(b"/w3f/w3f-ring-proof/padding");
         let scalar_bitlen = Curve::ScalarField::MODULUS_BIT_SIZE as usize;
         // 1 accounts for the last cells of the points and bits columns that remain unconstrained
         let keyset_part_size = domain.capacity - scalar_bitlen - 1;
@@ -97,8 +97,8 @@ mod tests {
     use ark_std::ops::Mul;
     use ark_std::{test_rng, UniformRand};
 
-    use common::domain::Domain;
-    use common::test_helpers::cond_sum;
+    use w3f_plonk_common::domain::Domain;
+    use w3f_plonk_common::test_helpers::cond_sum;
 
     use crate::piop::params::PiopParams;
 

common/src/prover.rs w3f-plonk-common/src/prover.rs

@@ -4,20 +4,20 @@ use ark_poly::univariate::DensePolynomial;
 use ark_poly::Evaluations;
 use ark_std::marker::PhantomData;
 use ark_std::{vec, vec::Vec};
-use fflonk::pcs::Commitment;
+use w3f_pcs::pcs::Commitment;
 
 use crate::piop::params::PiopParams;
 use crate::piop::FixedColumns;
 use crate::piop::{RingCommitments, RingEvaluations};
-use common::domain::Domain;
-use common::gadgets::booleanity::{BitColumn, Booleanity};
-use common::gadgets::ec::AffineColumn;
-use common::gadgets::ec::CondAdd;
-use common::gadgets::fixed_cells::FixedCells;
-use common::gadgets::inner_prod::InnerProd;
-use common::gadgets::ProverGadget;
-use common::piop::ProverPiop;
-use common::{Column, FieldColumn};
+use w3f_plonk_common::domain::Domain;
+use w3f_plonk_common::gadgets::booleanity::{BitColumn, Booleanity};
+use w3f_plonk_common::gadgets::ec::AffineColumn;
+use w3f_plonk_common::gadgets::ec::CondAdd;
+use w3f_plonk_common::gadgets::fixed_cells::FixedCells;
+use w3f_plonk_common::gadgets::inner_prod::InnerProd;
+use w3f_plonk_common::gadgets::ProverGadget;
+use w3f_plonk_common::piop::ProverPiop;
+use w3f_plonk_common::{Column, FieldColumn};
 
 // The 'table': columns representing the execution trace of the computation
 // and the constraints -- polynomials that vanish on every 2 consecutive rows.