plonky2/system_zero/Cargo.toml

[package]
name = "system_zero"
description = "A VM whose execution can be verified with STARKs; designed for proving Ethereum transactions"
version = "0.1.0"
edition = "2021"

[dependencies]
plonky2 = { path = "../plonky2" }
plonky2_util = { path = "../util" }
starky = { path = "../starky" }
anyhow = "1.0.40"
env_logger = "0.9.0"
itertools = "0.10.0"
log = "0.4.14"
rand = "0.8.4"
rand_chacha = "0.3.1"

[dev-dependencies]
criterion = "0.3.5"

[[bench]]
name = "lookup_permuted_cols"
harness = false

[target.'cfg(not(target_env = "msvc"))'.dev-dependencies]
jemallocator = "0.3.2"
Beginning of STARK implementation (#413) * Beginning of STARK implementation * PR feedback * minor * Suppress warnings for now 2022-01-26 00:09:29 -08:00			`[package]`
			`name = "system_zero"`
			`description = "A VM whose execution can be verified with STARKs; designed for proving Ethereum transactions"`
			`version = "0.1.0"`
			`edition = "2021"`

			`[dependencies]`
			`plonky2 = { path = "../plonky2" }`
Implement a mul-add circuit in the ALU (#495) * Implement a mul-add circuit in the ALU The inputs are assumed to be `u32`s, while the output is encoded as four `u16 limbs`. Each output limb is range-checked. So, our basic mul-add constraint looks like out_0 + 2^16 out_1 + 2^32 out_2 + 2^48 out_3 = in_1 * in_2 + in_3 The right hand side will never overflow, since `u32::MAX * u32::MAX + u32::MAX < \|F\|`. However, the left hand side could overflow, even though we know each limb is less than `2^16`. For example, an operation like `0 * 0 + 0` could have two possible outputs, 0 and `\|F\|`, both of which would satisfy the constraint above. To prevent these non-canonical outputs, we need a comparison to enforce that `out < \|F\|`. Thankfully, `F::MAX` has all zeros in its low 32 bits, so `x <= F::MAX` is equivalent to `x_lo == 0 \|\| x_hi != u32::MAX`. `x_hi != u32::MAX` can be checked by showing that `u32::MAX - x_hi` has an inverse. If `x_hi != u32::MAX`, the prover provides this (purported) inverse in an advice column. See @bobbinth's [post](https://hackmd.io/NC-yRmmtRQSvToTHb96e8Q#Checking-element-validity) for details. That post calls the purported inverse column `m`; I named it `canonical_inv` in this code. * fix * PR feedback * naming 2022-02-21 00:39:04 -08:00			`plonky2_util = { path = "../util" }`
Beginning of STARK implementation (#413) * Beginning of STARK implementation * PR feedback * minor * Suppress warnings for now 2022-01-26 00:09:29 -08:00			`starky = { path = "../starky" }`
			`anyhow = "1.0.40"`
			`env_logger = "0.9.0"`
Halo2 style lookup arguments in System Zero (#513) * Halo2 style lookup arguments in System Zero It's a really nice and simple protocol, particularly for the verifier since the constraints are trivial (aside from the underlying batched permutation checks, which we already support). See the [Halo2 book](https://zcash.github.io/halo2/design/proving-system/lookup.html) and this [talk](https://www.youtube.com/watch?v=YlTt12s7vGE&t=5237s) by @daira. Previously we generated the whole trace in row-wise form, but it's much more efficient to generate these "permuted" columns column-wise. So I changed our STARK framework to accept the trace in column-wise form. STARK impls now have the flexibility to do some generation row-wise and some column-wise (without extra costs; there's a single transpose as before). * sorting * fixes * PR feedback * into_iter * timing 2022-03-16 17:37:34 -07:00			`itertools = "0.10.0"`
Beginning of STARK implementation (#413) * Beginning of STARK implementation * PR feedback * minor * Suppress warnings for now 2022-01-26 00:09:29 -08:00			`log = "0.4.14"`
Implement Poseidon in system_zero/permutation_unit (#459) * Implement Poseidon in system_zero/permutation_unit * Minor cleanup * Daniel PR comments * Update dependencies 2022-02-04 16:50:57 -08:00			`rand = "0.8.4"`
			`rand_chacha = "0.3.1"`
Halo2 style lookup arguments in System Zero (#513) * Halo2 style lookup arguments in System Zero It's a really nice and simple protocol, particularly for the verifier since the constraints are trivial (aside from the underlying batched permutation checks, which we already support). See the [Halo2 book](https://zcash.github.io/halo2/design/proving-system/lookup.html) and this [talk](https://www.youtube.com/watch?v=YlTt12s7vGE&t=5237s) by @daira. Previously we generated the whole trace in row-wise form, but it's much more efficient to generate these "permuted" columns column-wise. So I changed our STARK framework to accept the trace in column-wise form. STARK impls now have the flexibility to do some generation row-wise and some column-wise (without extra costs; there's a single transpose as before). * sorting * fixes * PR feedback * into_iter * timing 2022-03-16 17:37:34 -07:00
			`[dev-dependencies]`
			`criterion = "0.3.5"`

			`[[bench]]`
			`name = "lookup_permuted_cols"`
			`harness = false`
Do not export global allocator (#533) * Do not export allocator * Make sure to use jemalloc in all downstream tests * Update readme * Remove test jemalloc boilerplate * One more * Fix clippies * One more * Clippy Co-authored-by: Daniel Lubarov <daniel@lubarov.com> 2022-05-03 13:16:53 -07:00
			`[target.'cfg(not(target_env = "msvc"))'.dev-dependencies]`
			`jemallocator = "0.3.2"`