Support R1CS

[katat]

snarkjs testing workflow

Here are the commands to verify the whole process.

# create new noname package. this will create a new folder test, containing the noname code.
cargo run new -p test

# trigger the noname run subcommand to generate .r1cs and .wtns binary files
cargo run run --backend r1cs --path test --private-inputs '{"yy": "1"}' --public-inputs '{"xx": "2"}'

# check the consistency between the witness and r1cs constraints via snarkjs
snarkjs wchk test/output.r1cs test/output.wtns

# for generating a proof and verify with it via snarkjs
snarkjs powersoftau new bls12-381 12 pot12_0000.ptau -v
snarkjs powersoftau contribute pot12_0000.ptau pot12_0001.ptau --name="First contribution" -v
snarkjs powersoftau prepare phase2 pot12_0001.ptau pot12_final.ptau -v
snarkjs groth16 setup test/output.r1cs pot12_final.ptau test_0000.zkey
snarkjs zkey contribute test_0000.zkey test_0001.zkey --name="1st Contributor Name" -v
snarkjs zkey export verificationkey test_0001.zkey verification_key.json
snarkjs groth16 prove test_0001.zkey test/output.wtns proof.json public.json
snarkjs groth16 verify verification_key.json public.json proof.json

# at the end, it should display "snarkJS: OK!"

Missing meta data

• It currently doesn't store the number of outputs and private inputs to the r1cs file.
• Maybe we can shift and have the backend store the public outputs and private inputs?
• [x] Either we can pass these meta data from the circuit writer or from within backend. The latter approach seems cleaner.

witness data arrangement

• snarkjs expect the public inputs are arranged at first. This is crucial for generating the correct proving index.
• [x] Make sure the public inputs are always arranged at first (relating to how the new vars are recorded in witness_vars)

constraint public inputs / outputs

• in kimchi backend, it needs to add constraints that will be cancelled by the verifier.
• [x] research: it seems we don't need to do this in r1cs as long as the public inputs can be correctly recognized from the witness data

Implement finalize_circuit interface

• [x] what do we need to check before finalizing it?

[katat]

Updated to defer the output calculation and optimize the circuit finalization.