feat: use circom R1CS-to-QAP reduction #1
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
capossele
reviewed
Jan 29, 2025
| go func() { | ||
| _, err := krs2.MultiExp(pk.G1.Z, h[:sizeH], ecc.MultiExpConfig{NbTasks: n / 2}) | ||
| _, err := krs2.MultiExp(pk.G1.Z, h, ecc.MultiExpConfig{NbTasks: n / 2}) |
There was a problem hiding this comment.
I see we now use the full h here. Are we safe to assume that any indices beyond the n-2 degree are 0?
There was a problem hiding this comment.
I saw the new computeH, all good here. Maybe we can add a comment or something though, referring to how snarkjs does it in the same way
capossele
approved these changes
Jan 29, 2025
There was a problem hiding this comment.
Nice work!
I'd just add some note maybe in the computeH function or somewhere that this new implementation is meant to be compatible with snarkjs (rather than the standard groth16 of gnark). That is just to make sure that people looking at the code understand why we have all this changes (e.g., a different root of unity shifting mechanism)
Wollac
added a commit
that referenced
this pull request
Jan 31, 2025
* use R1CS-to-QAP circom reduction * address review comment
Wollac
added a commit
that referenced
this pull request
Jan 31, 2025
* use R1CS-to-QAP circom reduction * address review comment
pdg744
added a commit
to risc0/risc0
that referenced
this pull request
Jan 31, 2025
Create Groth16 proofs using `gnark`instead of `rapidsnark`. This process consists of the following parts: - **`circom-compat`:** the Gnark bindings to Circom's R1CS, WTNS, and ZKEY for Groth16 proof generation in Go. - An update to the **`risczero/risc0-groth16-prover` Dockerfile**: - During the Docker build process, it runs the `circom-compat` converter to convert the `r1cs` and `zkey` files to their gnark counterparts. - It replaces `rapidsnark` with the `circom-compat` prover that reads these converted files plus the witness file. - In the entrypoint script, it creates a named Unix pipe to write the witness data to, allowing the prover to start and read the constraint system while the witness generation is still running. - A **patched `gnark`** version to match circom's R1CS-to-QAP reduction. (See risc0/gnark#1) The resulting docker image has been deployed as [risczero/risc0-groth16-prover:v2025-01-24.1](https://hub.docker.com/layers/risczero/risc0-groth16-prover/v2025-01-24.1/images/sha256-434755bb2ccc0fb886f67855b67f37ba61c4983cb405dd3159588ce15016bbc3) and `risc0/groth16/src/docker.rs` has been updated to use that image. The `circom-compat` Go tests have been added to the CI. Closes ZKVM-906 --------- Co-authored-by: Paul <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Make gnark proves
snarkjscompatible:snarkjsprecomputes the Lagrange form of the powers of tau bases in a domain twice as large and the witness map is computed as the odd coefficients of (AB-C) in that domain. This serves as Z when computing the proof.Closes ZKVM-902