# Plonky2 & more This repository was originally for Plonky2, a SNARK implementation based on techniques from PLONK and FRI. It has since expanded to include tools such as Starky, a highly performant STARK implementation. ## Codex fork This repo is Codex's fork of [Polygon Zero's Plonky2 repository](https://github.com/0xPolygonZero/plonky2/). For now at least, our modifications are in the [`codex` branch](https://github.com/codex-storage/plonky2/tree/codex). These include: - [x] option to turn off randomizing unused wires - [x] option to export the witness and related metadata - [x] simple web-based tool to visualize the witness - [ ] tooling to analyze circuits - [ ] detailed documentation of how Plonky2 actually works - [ ] maybe some additional gates / gadgets - [ ] support for Poseidon2-Goldilocks hash - [ ] support for Poseidon2-BN254 hash (for more efficient BN254 wrapper) - [ ] support for Monolith hash (ideally also for recursion) - [ ] BN254 wrapper circuit (Groth16 and/or Plonk-KZG) ## Documentation For more details about the Plonky2 argument system, see this [writeup](plonky2/plonky2.pdf). Polymer Labs has written up a helpful tutorial [here](https://polymerlabs.medium.com/a-tutorial-on-writing-zk-proofs-with-plonky2-part-i-be5812f6b798)! ## Examples A good starting point for how to use Plonky2 for simple applications is the included examples: * [`factorial`](plonky2/examples/factorial.rs): Proving knowledge of 100! * [`fibonacci`](plonky2/examples/fibonacci.rs): Proving knowledge of the hundredth Fibonacci number * [`range_check`](plonky2/examples/range_check.rs): Proving that a field element is in a given range * [`square_root`](plonky2/examples/square_root.rs): Proving knowledge of the square root of a given field element * [`lookup`](plonky2/examples/lookup_example.rs): Proving that a few members of an arithmetic progression are all primes To run an example, use ```sh cargo run --example ``` ## Building Plonky2 requires a recent nightly toolchain, although we plan to transition to stable in the future. To use a nightly toolchain for Plonky2 by default, you can run ``` rustup override set nightly ``` in the Plonky2 directory. ## Running To see recursion performance, one can run this bench, which generates a chain of three recursion proofs: ```sh RUSTFLAGS=-Ctarget-cpu=native cargo run --release --example bench_recursion -- -vv ``` ## Jemalloc Plonky2 prefers the [Jemalloc](http://jemalloc.net) memory allocator due to its superior performance. To use it, include `jemallocator = "0.5.0"` in your `Cargo.toml` and add the following lines to your `main.rs`: ```rust use jemallocator::Jemalloc; #[global_allocator] static GLOBAL: Jemalloc = Jemalloc; ``` Jemalloc is known to cause crashes when a binary compiled for x86 is run on an Apple silicon-based Mac under [Rosetta 2](https://support.apple.com/en-us/HT211861). If you are experiencing crashes on your Apple silicon Mac, run `rustc --print target-libdir`. The output should contain `aarch64-apple-darwin`. If the output contains `x86_64-apple-darwin`, then you are running the Rust toolchain for x86; we recommend switching to the native ARM version. ## Documentation Generate documentation locally: ```sh cargo doc --no-deps --open ``` ## Contributing guidelines See [CONTRIBUTING.md](./CONTRIBUTING.md). ## Licenses All crates of this monorepo are licensed under either of * Apache License, Version 2.0, ([LICENSE-APACHE](LICENSE-APACHE) or http://www.apache.org/licenses/LICENSE-2.0) * MIT license ([LICENSE-MIT](LICENSE-MIT) or http://opensource.org/licenses/MIT) at your option. ## Security This code has been audited prior to the `v1.0.0` release. The audits reports and findings are available in the [audits](./audits/) folder of this repository. An audited codebase isn't necessarily free of bugs and security exploits, hence we recommend care when using `plonky2` in production settings. If you find a security issue in the codebase, please refer to our [Security guidelines](./SECURITY.md) for private disclosure. While Plonky2 is configurable, its defaults generally target 100 bits of security. The default FRI configuration targets 100 bits of *conjectured* security based on the conjecture in [ethSTARK](https://eprint.iacr.org/2021/582). Plonky2's default hash function is Poseidon, configured with 8 full rounds, 22 partial rounds, a width of 12 field elements (each ~64 bits), and an S-box of `x^7`. [BBLP22](https://tosc.iacr.org/index.php/ToSC/article/view/9850) suggests that this configuration may have around 95 bits of security, falling a bit short of our 100 bit target. ## Links - [Polygon Zero's zkEVM](https://github.com/0xPolygonZero/zk_evm), an efficient Type 1 zkEVM built on top of Starky and plonky2 - [System Zero](https://github.com/0xPolygonZero/system-zero), a zkVM built on top of Starky - [Waksman](https://github.com/0xPolygonZero/plonky2-waksman), Plonky2 gadgets for permutation checking using Waksman networks - [Insertion](https://github.com/0xPolygonZero/plonky2-insertion), Plonky2 gadgets for insertion into a list - [u32](https://github.com/0xPolygonZero/plonky2-u32), Plonky2 gadgets for u32 arithmetic - [ECDSA](https://github.com/0xPolygonZero/plonky2-ecdsa), Plonky2 gadgets for the ECDSA algorithm