Restructure for more kind of verifier (axiom-crypto#21)

* feat: restructure to monorepo and expand the project scope to be generic (s)nark verifier

* feat: reorganize mods and traits for further new features

* refactor: simplify trait bounds

* chore: use hyphen case for crate name (`snark_verifier` -> `snark-verifier`)

Cargo.toml

@@ -1,60 +1,4 @@
-[package]
-name = "plonk_verifier"
-version = "0.1.0"
-edition = "2021"
-
-[dependencies]
-itertools = "0.10.3"
-lazy_static = "1.4.0"
-num-bigint = "0.4.3"
-num-integer = "0.1.45"
-num-traits = "0.2.15"
-rand = "0.8"
-hex = "0.4"
-halo2_curves = { git = "https://github.com/privacy-scaling-explorations/halo2curves", tag = "0.3.0", package = "halo2curves" }
-
-# parallel
-rayon = { version = "1.5.3", optional = true }
-
-# system_halo2
-halo2_proofs = { git = "https://github.com/privacy-scaling-explorations/halo2", tag = "v2022_10_22", optional = true }
-
-# loader_evm
-sha3 = { version = "0.10", optional = true }
-bytes = { version = "1.1.0", default-features = false, optional = true }
-primitive-types = { version = "0.12.1", default-features = false, features = ["std"], optional = true }
-rlp = { version = "0.5.2", default-features = false, features = ["std"], optional = true }
-revm = { version = "= 2.3.1", optional = true }
-
-# loader_halo2
-halo2_wrong_ecc = { git = "https://github.com/privacy-scaling-explorations/halo2wrong", tag = "v2022_10_22", package = "ecc", optional = true }
-poseidon = { git = "https://github.com/privacy-scaling-explorations/poseidon", tag = "v2022_10_22", optional = true }
-
-[dev-dependencies]
-rand_chacha = "0.3.1"
-paste = "1.0.7"
-
-# system_halo2
-halo2_wrong_ecc = { git = "https://github.com/privacy-scaling-explorations/halo2wrong", tag = "v2022_10_22", package = "ecc" }
-
-# loader_evm
-crossterm = { version = "0.25" }
-tui = { version = "0.19", default-features = false, features = ["crossterm"] }
-
-[features]
-default = ["loader_evm", "loader_halo2", "system_halo2"]
-
-parallel = ["dep:rayon"]
-
-loader_evm = ["dep:bytes", "dep:sha3", "dep:primitive-types", "dep:rlp", "dep:revm"]
-loader_halo2 = ["dep:halo2_proofs", "dep:halo2_wrong_ecc", "dep:poseidon"]
-
-system_halo2 = ["dep:halo2_proofs"]
-
-[[example]]
-name = "evm-verifier"
-required-features = ["loader_evm", "system_halo2"]
-
-[[example]]
-name = "evm-verifier-with-accumulator"
-required-features = ["loader_halo2", "loader_evm", "system_halo2"]
+[workspace]
+members = [
+    "snark-verifier",
+]

README.md

@@ -1,3 +1,3 @@
-# PLONK Verifier
+# SNARK Verifier
 
-Generic PLONK verifier.
+Generic (S)NARK verifier.

snark-verifier/Cargo.toml

@@ -0,0 +1,60 @@
+[package]
+name = "snark-verifier"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+itertools = "0.10.3"
+lazy_static = "1.4.0"
+num-bigint = "0.4.3"
+num-integer = "0.1.45"
+num-traits = "0.2.15"
+rand = "0.8"
+hex = "0.4"
+halo2_curves = { git = "https://github.com/privacy-scaling-explorations/halo2curves", tag = "0.3.0", package = "halo2curves" }
+
+# parallel
+rayon = { version = "1.5.3", optional = true }
+
+# system_halo2
+halo2_proofs = { git = "https://github.com/privacy-scaling-explorations/halo2", tag = "v2022_10_22", optional = true }
+
+# loader_evm
+sha3 = { version = "0.10", optional = true }
+bytes = { version = "1.1.0", default-features = false, optional = true }
+primitive-types = { version = "0.12.1", default-features = false, features = ["std"], optional = true }
+rlp = { version = "0.5.2", default-features = false, features = ["std"], optional = true }
+revm = { version = "= 2.3.1", optional = true }
+
+# loader_halo2
+halo2_wrong_ecc = { git = "https://github.com/privacy-scaling-explorations/halo2wrong", tag = "v2022_10_22", package = "ecc", optional = true }
+poseidon = { git = "https://github.com/privacy-scaling-explorations/poseidon", tag = "v2022_10_22", optional = true }
+
+[dev-dependencies]
+rand_chacha = "0.3.1"
+paste = "1.0.7"
+
+# system_halo2
+halo2_wrong_ecc = { git = "https://github.com/privacy-scaling-explorations/halo2wrong", tag = "v2022_10_22", package = "ecc" }
+
+# loader_evm
+crossterm = { version = "0.25" }
+tui = { version = "0.19", default-features = false, features = ["crossterm"] }
+
+[features]
+default = ["loader_evm", "loader_halo2", "system_halo2"]
+
+parallel = ["dep:rayon"]
+
+loader_evm = ["dep:bytes", "dep:sha3", "dep:primitive-types", "dep:rlp", "dep:revm"]
+loader_halo2 = ["dep:halo2_proofs", "dep:halo2_wrong_ecc", "dep:poseidon"]
+
+system_halo2 = ["dep:halo2_proofs"]
+
+[[example]]
+name = "evm-verifier"
+required-features = ["loader_evm", "system_halo2"]
+
+[[example]]
+name = "evm-verifier-with-accumulator"
+required-features = ["loader_halo2", "loader_evm", "system_halo2"]

examples/evm-verifier-with-accumulator.rs → snark-verifier/examples/evm-verifier-with-accumulator.rs

@@ -14,24 +14,24 @@ use halo2_proofs::{
     transcript::{EncodedChallenge, TranscriptReadBuffer, TranscriptWriterBuffer},
 };
 use itertools::Itertools;
-use plonk_verifier::{
+use rand::rngs::OsRng;
+use snark_verifier::{
     loader::{
         evm::{self, encode_calldata, Address, EvmLoader, ExecutorBuilder},
         native::NativeLoader,
     },
-    pcs::kzg::{Gwc19, Kzg, KzgAs, LimbsEncoding},
+    pcs::kzg::{Gwc19, KzgAs, LimbsEncoding},
     system::halo2::{compile, transcript::evm::EvmTranscript, Config},
-    verifier::{self, PlonkVerifier},
+    verifier::{self, SnarkVerifier},
 };
-use rand::rngs::OsRng;
 use std::{io::Cursor, rc::Rc};
 
 const LIMBS: usize = 4;
 const BITS: usize = 68;
 
-type Pcs = Kzg<Bn256, Gwc19>;
-type As = KzgAs<Pcs>;
-type Plonk = verifier::Plonk<Pcs, LimbsEncoding<LIMBS, BITS>>;
+type As = KzgAs<Bn256, Gwc19>;
+type PlonkSuccinctVerifier = verifier::plonk::PlonkSuccinctVerifier<As, LimbsEncoding<LIMBS, BITS>>;
+type PlonkVerifier = verifier::plonk::PlonkVerifier<As, LimbsEncoding<LIMBS, BITS>>;
 
 mod application {
     use halo2_curves::bn256::Fr;
@@ -161,7 +161,7 @@ mod application {
 }
 
 mod aggregation {
-    use super::{As, Plonk, BITS, LIMBS};
+    use super::{As, PlonkSuccinctVerifier, BITS, LIMBS};
     use halo2_curves::bn256::{Bn256, Fq, Fr, G1Affine};
     use halo2_proofs::{
         circuit::{Layouter, SimpleFloorPlanner, Value},
@@ -177,18 +177,17 @@ mod aggregation {
         EccConfig,
     };
     use itertools::Itertools;
-    use plonk_verifier::{
+    use rand::rngs::OsRng;
+    use snark_verifier::{
         loader::{self, native::NativeLoader},
         pcs::{
             kzg::{KzgAccumulator, KzgSuccinctVerifyingKey, LimbsEncodingInstructions},
             AccumulationScheme, AccumulationSchemeProver,
         },
         system,
         util::arithmetic::{fe_to_limbs, FieldExt},
-        verifier::PlonkVerifier,
-        Protocol,
+        verifier::{plonk::PlonkProtocol, SnarkVerifier},
     };
-    use rand::rngs::OsRng;
     use std::rc::Rc;
 
     const T: usize = 5;
@@ -203,13 +202,17 @@ mod aggregation {
         system::halo2::transcript::halo2::PoseidonTranscript<G1Affine, L, S, T, RATE, R_F, R_P>;
 
     pub struct Snark {
-        protocol: Protocol<G1Affine>,
+        protocol: PlonkProtocol<G1Affine>,
         instances: Vec<Vec<Fr>>,
         proof: Vec<u8>,
     }
 
     impl Snark {
-        pub fn new(protocol: Protocol<G1Affine>, instances: Vec<Vec<Fr>>, proof: Vec<u8>) -> Self {
+        pub fn new(
+            protocol: PlonkProtocol<G1Affine>,
+            instances: Vec<Vec<Fr>>,
+            proof: Vec<u8>,
+        ) -> Self {
             Self {
                 protocol,
                 instances,
@@ -234,7 +237,7 @@ mod aggregation {
 
     #[derive(Clone)]
     pub struct SnarkWitness {
-        protocol: Protocol<G1Affine>,
+        protocol: PlonkProtocol<G1Affine>,
         instances: Vec<Vec<Value<Fr>>>,
         proof: Value<Vec<u8>>,
     }
@@ -282,8 +285,10 @@ mod aggregation {
                 let instances = assign_instances(&snark.instances);
                 let mut transcript =
                     PoseidonTranscript::<Rc<Halo2Loader>, _>::new(loader, snark.proof());
-                let proof = Plonk::read_proof(svk, &protocol, &instances, &mut transcript).unwrap();
-                Plonk::succinct_verify(svk, &protocol, &instances, &proof).unwrap()
+                let proof =
+                    PlonkSuccinctVerifier::read_proof(svk, &protocol, &instances, &mut transcript)
+                        .unwrap();
+                PlonkSuccinctVerifier::verify(svk, &protocol, &instances, &proof).unwrap()
             })
             .collect_vec();
 
@@ -352,10 +357,15 @@ mod aggregation {
                 .flat_map(|snark| {
                     let mut transcript =
                         PoseidonTranscript::<NativeLoader, _>::new(snark.proof.as_slice());
-                    let proof =
-                        Plonk::read_proof(&svk, &snark.protocol, &snark.instances, &mut transcript)
-                            .unwrap();
-                    Plonk::succinct_verify(&svk, &snark.protocol, &snark.instances, &proof).unwrap()
+                    let proof = PlonkSuccinctVerifier::read_proof(
+                        &svk,
+                        &snark.protocol,
+                        &snark.instances,
+                        &mut transcript,
+                    )
+                    .unwrap();
+                    PlonkSuccinctVerifier::verify(&svk, &snark.protocol, &snark.instances, &proof)
+                        .unwrap()
                 })
                 .collect_vec();
 
@@ -551,23 +561,22 @@ fn gen_aggregation_evm_verifier(
     num_instance: Vec<usize>,
     accumulator_indices: Vec<(usize, usize)>,
 ) -> Vec<u8> {
-    let svk = params.get_g()[0].into();
-    let dk = (params.g2(), params.s_g2()).into();
     let protocol = compile(
         params,
         vk,
         Config::kzg()
             .with_num_instance(num_instance.clone())
             .with_accumulator_indices(Some(accumulator_indices)),
     );
+    let vk = (params.get_g()[0], params.g2(), params.s_g2()).into();
 
     let loader = EvmLoader::new::<Fq, Fr>();
     let protocol = protocol.loaded(&loader);
     let mut transcript = EvmTranscript::<_, Rc<EvmLoader>, _, _>::new(&loader);
 
     let instances = transcript.load_instances(num_instance);
-    let proof = Plonk::read_proof(&svk, &protocol, &instances, &mut transcript).unwrap();
-    Plonk::verify(&svk, &dk, &protocol, &instances, &proof).unwrap();
+    let proof = PlonkVerifier::read_proof(&vk, &protocol, &instances, &mut transcript).unwrap();
+    PlonkVerifier::verify(&vk, &protocol, &instances, &proof).unwrap();
 
     evm::compile_yul(&loader.yul_code())
 }

examples/evm-verifier.rs → snark-verifier/examples/evm-verifier.rs

@@ -18,16 +18,16 @@ use halo2_proofs::{
     transcript::{TranscriptReadBuffer, TranscriptWriterBuffer},
 };
 use itertools::Itertools;
-use plonk_verifier::{
+use rand::{rngs::OsRng, RngCore};
+use snark_verifier::{
     loader::evm::{self, encode_calldata, Address, EvmLoader, ExecutorBuilder},
-    pcs::kzg::{Gwc19, Kzg},
+    pcs::kzg::{Gwc19, KzgAs},
     system::halo2::{compile, transcript::evm::EvmTranscript, Config},
-    verifier::{self, PlonkVerifier},
+    verifier::{self, SnarkVerifier},
 };
-use rand::{rngs::OsRng, RngCore};
 use std::rc::Rc;
 
-type Plonk = verifier::Plonk<Kzg<Bn256, Gwc19>>;
+type PlonkVerifier = verifier::plonk::PlonkVerifier<KzgAs<Bn256, Gwc19>>;
 
 #[derive(Clone, Copy)]
 struct StandardPlonkConfig {
@@ -205,21 +205,20 @@ fn gen_evm_verifier(
     vk: &VerifyingKey<G1Affine>,
     num_instance: Vec<usize>,
 ) -> Vec<u8> {
-    let svk = params.get_g()[0].into();
-    let dk = (params.g2(), params.s_g2()).into();
     let protocol = compile(
         params,
         vk,
         Config::kzg().with_num_instance(num_instance.clone()),
     );
+    let vk = (params.get_g()[0], params.g2(), params.s_g2()).into();
 
     let loader = EvmLoader::new::<Fq, Fr>();
     let protocol = protocol.loaded(&loader);
     let mut transcript = EvmTranscript::<_, Rc<EvmLoader>, _, _>::new(&loader);
 
     let instances = transcript.load_instances(num_instance);
-    let proof = Plonk::read_proof(&svk, &protocol, &instances, &mut transcript).unwrap();
-    Plonk::verify(&svk, &dk, &protocol, &instances, &proof).unwrap();
+    let proof = PlonkVerifier::read_proof(&vk, &protocol, &instances, &mut transcript).unwrap();
+    PlonkVerifier::verify(&vk, &protocol, &instances, &proof).unwrap();
 
     evm::compile_yul(&loader.yul_code())
 }

snark-verifier/src/cost.rs

@@ -0,0 +1,29 @@
+use std::ops::Add;
+
+#[derive(Debug, Default, Clone, PartialEq, Eq)]
+pub struct Cost {
+    pub num_instance: usize,
+    pub num_commitment: usize,
+    pub num_evaluation: usize,
+    pub num_msm: usize,
+    pub num_pairing: usize,
+}
+
+impl Add<Cost> for Cost {
+    type Output = Cost;
+
+    fn add(mut self, rhs: Cost) -> Self::Output {
+        self.num_instance += rhs.num_instance;
+        self.num_commitment += rhs.num_commitment;
+        self.num_evaluation += rhs.num_evaluation;
+        self.num_msm += rhs.num_msm;
+        self.num_pairing += rhs.num_pairing;
+        self
+    }
+}
+
+pub trait CostEstimation<T> {
+    type Input;
+
+    fn estimate_cost(input: &Self::Input) -> Cost;
+}

snark-verifier/src/lib.rs

@@ -0,0 +1,18 @@
+#![allow(clippy::type_complexity)]
+#![allow(clippy::too_many_arguments)]
+#![allow(clippy::upper_case_acronyms)]
+
+pub mod cost;
+pub mod loader;
+pub mod pcs;
+pub mod system;
+pub mod util;
+pub mod verifier;
+
+#[derive(Clone, Debug)]
+pub enum Error {
+    InvalidInstances,
+    InvalidProtocol(String),
+    AssertionFailure(String),
+    Transcript(std::io::ErrorKind, String),
+}

src/loader/evm/util.rs → snark-verifier/src/loader/evm/util.rs

@@ -95,7 +95,7 @@ pub fn estimate_gas(cost: Cost) -> usize {
 
     let intrinsic_cost = 21000;
     let calldata_cost = (proof_size as f64 * 15.25).ceil() as usize;
-    let ec_operation_cost = 113100 + (cost.num_msm - 2) * 6350;
+    let ec_operation_cost = (45100 + cost.num_pairing * 34000) + (cost.num_msm - 2) * 6350;
 
     intrinsic_cost + calldata_cost + ec_operation_cost
 }