In preparation for adding the zkEVM aggregation circuit. Mainly,
- Adds a `WitnessWrite` trait, a sub-trait of `Witness`, and move the write methods to it. `GeneratedValues` impls `WitnessWrite`, which lets generators like `DummyProofGenerator` access all our write methods like `set_proof_with_pis_target`. Also removes some duplication.
- Remove `set_cyclic_recursion_data_target` - now that dummy proof data is automatically populated, all that remains is populating `condition` and the cyclic proof + VK. I think it's easy enough for callers to do this; the steps are the same as with `conditionally_verify_proof`. This way there's no cyclic-recursion-specific API to learn about.
- Split `cyclic_recursion` into two variants, one which checks the current circuit or a dummy, and a more general one which checks the current circuit or some other circuit. We can use the latter to build a more efficient aggregation circuit, where we check another aggregation proof or an EVM proof, with no dummy proofs involved.
- Have the caller to `cyclic_recursion` create and pass in the virtual proof
- Split `dummy_proof` into preprocessing and proving, so that we don't need to redo the preprocessing work in each `set_cyclic_recursion_data_target` call
- Have the caller update `num_public_inputs` instead of doing it in `cyclic_recursion`. This is a little less convenient but I think it's best not to modify the caller's config (principle of least surprise)
- Have `set_cyclic_recursion_data_target` take a sparse set of public inputs. Taking some PIs with the lowest indices didn't seem very general. I still have some reservations about this part of the API - I think it would seem cleaner if PIs of a proof which wasn't selected for verification were simply ignored - but perhaps there are some optimization reasons to keep using them.
Followup to #806.
A few goals here
- Zero dependencies on std. (Previously deserialization depended on std for `Cursor`.)
- Provide a single (memory buffering) impl of `Write` to make sure there's no confusion. (Previously `Buffer` and `Vec<u8>` both implemented it.)
- Move closer to the `std::io` APIs. Hopefully they will be available without std at some point (there have been some discussions...).
More specifically, this
- Changes `Buffer` to not use std's `Cursor`.
- Removes `impl Write` for `Buffer`, since it's implemented for `Vec<u8>`.
- Adds a concrete I/O error type to mimic `std::io`'s.
- Combines `Position` and `Size` into `Remaining`.
We don't think this is required for soundness, but just to remove any doubt.
Old protocol:
```
...
P sends final_poly
V samples random r
P sends pow_witness (not in transcript)
V computes pow_response = H(r, pow_witness)
V asserts pow_response has N leading 0s
...
```
New protocol:
```
...
P sends final_poly
P sends pow_witness
V samples random pow_response
V asserts pow_response has N leading 0s
...
```
* Use static `KERNEL` in tests
* Print opcode count
* Update criterion
* Combine all syscalls into one flag (#802)
* Combine all syscalls into one flag
* Minor: typo
* Daniel PR comments
* Check that `le_sum` won't overflow
* security notes
* Test reverse_index_bits
Thanks to Least Authority for this
* clippy
* EVM shift left/right operations (#801)
* First parts of shift implementation.
* Disable range check errors.
* Tidy up ASM.
* Update comments; fix some .sum() expressions.
* First full draft of shift left/right.
* Missed a +1.
* Clippy.
* Address Jacqui's comments.
* Add comment.
* Fix missing filter.
* Address second round of comments from Jacqui.
* Remove signed operation placeholders from arithmetic table. (#812)
Co-authored-by: wborgeaud <williamborgeaud@gmail.com>
Co-authored-by: Daniel Lubarov <daniel@lubarov.com>
Co-authored-by: Jacqueline Nabaglo <jakub@mirprotocol.org>
Co-authored-by: Hamish Ivey-Law <426294+unzvfu@users.noreply.github.com>
