Following #157 and #162, this PR implements generic on-chain and off-chain decider circuits GenericOnchainDeciderCircuit and GenericOffchainDeciderCircuit{1, 2} that can handle all folding schemes (Nova, HyperNova, and Protogalaxy, hopefully even Mova and Ova in the future).
Below I list several additional modifications made in this PR:
A trait EquivalenceGadget that can check the equivalence (equality for native field elements, congruence for non-native field elements) between two in-circuit variables.
Shorter public inputs in decider. Because the field operations in NIFS.V are handled by the circuit, field values in committed instances (e.g., u and x in Nova) are no longer necessary to be public. They are thus removed from public inputs to reduce the verifier's costs. The smart contract for on-chain verification is also updated.
Simplified trait bounds.
P.S. ~While this PR should already be ready for review, please focus on what you are working on now (such as #133). I don't want to bother the other contributors with merge conflicts due to this huge PR and am happy to rebase at my end after the pending PRs get merged :)~ Conflicts resolved :)
Following #157 and #162, this PR implements generic on-chain and off-chain decider circuits
GenericOnchainDeciderCircuitandGenericOffchainDeciderCircuit{1, 2}that can handle all folding schemes (Nova, HyperNova, and Protogalaxy, hopefully even Mova and Ova in the future).The abstraction in #157 and #162 provide a unified yet flexible usage of these objects, leading to highly reuseable decider circuits. As an example, we can take a look at the definition and internal logic of
GenericOnchainDeciderCircuitbelow: https://github.com/privacy-scaling-explorations/sonobe/blob/7add907762707d91d5579da3ee93c98b9618a810/folding-schemes/src/folding/circuits/decider/on_chain.rs#L64-L110 https://github.com/privacy-scaling-explorations/sonobe/blob/7add907762707d91d5579da3ee93c98b9618a810/folding-schemes/src/folding/circuits/decider/on_chain.rs#L232-L321With
GenericOnchainDeciderCircuit, creating the on-chain decider circuit for Protogalaxy is as simple as giving a type alias and implementing theTryFromtrait: https://github.com/privacy-scaling-explorations/sonobe/blob/7add907762707d91d5579da3ee93c98b9618a810/folding-schemes/src/folding/protogalaxy/decider_eth_circuit.rs#L74-L150Below I list several additional modifications made in this PR:
EquivalenceGadgetthat can check the equivalence (equality for native field elements, congruence for non-native field elements) between two in-circuit variables.DeciderEthCircuitof HyperNova, which verifies the field operations in NIFS.V in-circuit. (Note that in https://github.com/privacy-scaling-explorations/sonobe/pull/145/commits/c447906e97bddc210a21e8ba651fa57cbf8e6202, I mistakenly ignored the group operations in NIFS.V. In fact, these operations are expensive in-circuit and should be handled by the verifier, which is added in https://github.com/privacy-scaling-explorations/sonobe/pull/145/commits/5dc7e5f5a7f3180d7b3b26f5d3f4db918be43d20 .)uandxin Nova) are no longer necessary to be public. They are thus removed from public inputs to reduce the verifier's costs. The smart contract for on-chain verification is also updated.P.S. ~While this PR should already be ready for review, please focus on what you are working on now (such as #133). I don't want to bother the other contributors with merge conflicts due to this huge PR and am happy to rebase at my end after the pending PRs get merged :)~ Conflicts resolved :)