feat: integrate zk into spartan (#7)

* checkpoint

* checkpoint 1

* remove adapter

* debug logs removed

* nit

* remove option

* remove

* verify evals at the end

* unify transcript except tau

* same transcript for tau

* move to sumcheck

* delete more code

* nits

* snake

* tau check verifier

* remove interactive session

* remove unwrap or

* remove _orig

* naming

* process round returning chal

* move the conversion to reg to setup

* move inner/outer sumcheck

* call validate

* spartan_verifier_circuit

* refactor sumcheck

* include chal

* cleanup

---------

Co-authored-by: Srinath Setty <[email protected]>

Author: daryakaviani

src/bellpepper/mod.rs

@@ -66,10 +66,13 @@ pub mod tests {
   // ------------------------------------------------------------
   // Multi-round circuit test
   // ------------------------------------------------------------
-  use crate::bellpepper::r1cs::{MultiRoundSpartanShape, MultiRoundSpartanWitness};
-  use crate::bellpepper::shape_cs::ShapeCS;
-  use crate::traits::circuit::MultiRoundCircuit;
-  use crate::traits::transcript::TranscriptEngineTrait;
+  use crate::{
+    bellpepper::{
+      r1cs::{MultiRoundSpartanShape, MultiRoundSpartanWitness},
+      shape_cs::ShapeCS,
+    },
+    traits::{circuit::MultiRoundCircuit, transcript::TranscriptEngineTrait},
+  };
 
   #[derive(Clone)]
   pub struct TwoRoundBitsCircuit;

src/bellpepper/r1cs.rs

@@ -89,7 +89,7 @@ pub trait MultiRoundSpartanWitness<E: Engine> {
     is_small: bool,
   ) -> Result<Self::MultiRoundState, SpartanError>;
 
-  /// Process a specific round and update the state.
+  /// Process a specific round and update the state, returning the challenges generated.
   fn process_round<C: MultiRoundCircuit<E>>(
     state: &mut Self::MultiRoundState,
     s: &SplitMultiRoundR1CSShape<E>,
@@ -98,7 +98,7 @@ pub trait MultiRoundSpartanWitness<E: Engine> {
     round_index: usize,
     is_small: bool,
     transcript: &mut E::TE,
-  ) -> Result<(), SpartanError>;
+  ) -> Result<Vec<E::Scalar>, SpartanError>;
 
   /// Finalize the multi-round witness and return the instance and witness.
   fn finalize_multiround_witness<C: MultiRoundCircuit<E>>(
@@ -213,43 +213,6 @@ impl<E: Engine> SpartanShape<E> for ShapeCS<E> {
   }
 }
 
-impl<E: Engine> SatisfyingAssignment<E> {
-  /// Helper to process a round and return the concrete challenges generated for that round.
-  /// This enables interleaving with external computations that need the verifier randomness.
-  pub fn process_round_returning_challenges<C: MultiRoundCircuit<E>>(
-    state: &mut MultiRoundState<E>,
-    s: &SplitMultiRoundR1CSShape<E>,
-    ck: &CommitmentKey<E>,
-    circuit: &C,
-    round_index: usize,
-    is_small: bool,
-    transcript: &mut E::TE,
-  ) -> Result<Vec<E::Scalar>, SpartanError> {
-    // Capture how many challenge rounds we had before
-    let prev_len = state.challenges_per_round.len();
-    <SatisfyingAssignment<E> as MultiRoundSpartanWitness<E>>::process_round(
-      state,
-      s,
-      ck,
-      circuit,
-      round_index,
-      is_small,
-      transcript,
-    )?;
-    // Extract newly appended challenges for this round
-    let new_len = state.challenges_per_round.len();
-    if new_len == prev_len {
-      return Ok(vec![]);
-    }
-    let last = &state.challenges_per_round[new_len - 1];
-    let chals = last
-      .iter()
-      .map(|a| a.get_value().unwrap_or(E::Scalar::ZERO))
-      .collect::<Vec<_>>();
-    Ok(chals)
-  }
-}
-
 pub(crate) fn add_constraint<S: PrimeField>(
   X: &mut (
     &mut SparseMatrix<S>,
@@ -646,7 +609,7 @@ impl<E: Engine> MultiRoundSpartanWitness<E> for SatisfyingAssignment<E> {
     round_index: usize,
     is_small: bool,
     transcript: &mut E::TE,
-  ) -> Result<(), SpartanError> {
+  ) -> Result<Vec<E::Scalar>, SpartanError> {
     if round_index != state.current_round {
       return Err(SpartanError::SynthesisError {
         reason: format!(
@@ -656,16 +619,6 @@ impl<E: Engine> MultiRoundSpartanWitness<E> for SatisfyingAssignment<E> {
       });
     }
 
-    // If this is the first round, absorb the public values into the transcript.
-    if round_index == 0 {
-      let public_values = circuit
-        .public_values()
-        .map_err(|e| SpartanError::SynthesisError {
-          reason: format!("Unable to get public values: {e}"),
-        })?;
-      transcript.absorb(b"public_values", &public_values.as_slice());
-    }
-
     // Absorb commitment from the immediately preceding round (if any)
     if let Some(comm) = state.comm_w_per_round.last() {
       transcript.absorb(b"comm_w_round", comm);
@@ -721,7 +674,8 @@ impl<E: Engine> MultiRoundSpartanWitness<E> for SatisfyingAssignment<E> {
     state.comm_w_per_round.push(comm_w_round);
     state.current_round += 1;
 
-    Ok(())
+    // Return the challenges that were generated for this round
+    Ok(challenges)
   }
 
   fn finalize_multiround_witness<C: MultiRoundCircuit<E>>(
@@ -740,7 +694,6 @@ impl<E: Engine> MultiRoundSpartanWitness<E> for SatisfyingAssignment<E> {
       });
     }
 
-    // Get public values
     let public_values = circuit
       .public_values()
       .map_err(|e| SpartanError::SynthesisError {

src/nifs.rs

@@ -29,9 +29,9 @@ where
     W1: &RelaxedR1CSWitness<E>,
     U2: &R1CSInstance<E>,
     W2: &R1CSWitness<E>,
+    transcript: &mut E::TE,
   ) -> Result<(Self, (RelaxedR1CSInstance<E>, RelaxedR1CSWitness<E>)), SpartanError> {
-    // Initialize transcript and absorb both instances.
-    let mut transcript = E::TE::new(b"nifs");
+    // Use the caller-provided transcript and absorb both instances.
     transcript.absorb(b"U1", U1);
     transcript.absorb(b"U2", U2);
 
@@ -49,31 +49,21 @@ where
     Ok((Self { comm_T }, (U, W)))
   }
 
-  /// Verify folding when the second instance is supplied as a split multi-round
-  /// R1CS instance. The method first validates the commitments of the split
-  /// instance and then reproduces the prover’s transcript to derive `r`.
+  /// Verify folding given a regular instance `U2` that corresponds to the
+  /// prover's split multi-round instance after conversion.
   pub fn verify(
     &self,
+    transcript: &mut E::TE,
     U1: &RelaxedR1CSInstance<E>,
-    U2_split: &crate::r1cs::SplitMultiRoundR1CSInstance<E>,
-    S_split: &crate::r1cs::SplitMultiRoundR1CSShape<E>,
+    U2: &R1CSInstance<E>,
   ) -> Result<RelaxedR1CSInstance<E>, SpartanError> {
-    // 1. Validate the commitments / structure of the split instance.
-    let mut tmp = E::TE::new(b"nifs");
-    U2_split.validate(S_split, &mut tmp)?;
-
-    // 2. Convert to a regular instance (the form used by the prover).
-    let U2_reg = U2_split.to_regular_instance()?;
-
-    // 3. Re-run the prover’s transcript schedule to obtain `r`.
-    let mut transcript = E::TE::new(b"nifs");
+    // Re-run the prover’s transcript schedule to obtain `r` using caller transcript.
     transcript.absorb(b"U1", U1);
-    transcript.absorb(b"U2", &U2_reg);
+    transcript.absorb(b"U2", U2);
     transcript.absorb(b"comm_T", &self.comm_T);
     let r = transcript.squeeze(b"r")?;
 
-    // 4. Return the folded instance.
-    Ok(U1.fold(&U2_reg, &self.comm_T, &r))
+    Ok(U1.fold(U2, &self.comm_T, &r))
   }
 }
 
@@ -147,10 +137,22 @@ mod tests {
     let (running_U, running_W) = S_reg.sample_random_instance_witness(&ck).unwrap();
 
     // Prove & verify
-    let (proof, (folded_U, folded_W)) =
-      NIFS::<E>::prove(&ck, &S_reg, &running_U, &running_W, &inst_reg, &wit_reg).unwrap();
+    let mut transcript = <E as Engine>::TE::new(b"nifs");
+    let (proof, (folded_U, folded_W)) = NIFS::<E>::prove(
+      &ck,
+      &S_reg,
+      &running_U,
+      &running_W,
+      &inst_reg,
+      &wit_reg,
+      &mut transcript,
+    )
+    .unwrap();
 
-    let verified_U = proof.verify(&running_U, &inst_mr, &shape_mr).unwrap();
+    // Validation now happens at callsite; here we provide a regular U2 and transcript
+    let mut transcript = <E as Engine>::TE::new(b"nifs");
+    let U2_reg = inst_mr.to_regular_instance().unwrap();
+    let verified_U = proof.verify(&mut transcript, &running_U, &U2_reg).unwrap();
     assert_eq!(verified_U, folded_U);
     assert!(S_reg.is_sat_relaxed(&ck, &folded_U, &folded_W).is_ok());
   }
@@ -215,10 +217,21 @@ mod tests {
     let (running_U, running_W) = S_reg.sample_random_instance_witness(&ck).unwrap();
 
     // NIFS prove + verify
-    let (proof, (folded_U, folded_W)) =
-      NIFS::<E>::prove(&ck, &S_reg, &running_U, &running_W, &inst_reg, &wit_reg).unwrap();
+    let mut transcript_nifs = <E as Engine>::TE::new(b"nifs");
+    let (proof, (folded_U, folded_W)) = NIFS::<E>::prove(
+      &ck,
+      &S_reg,
+      &running_U,
+      &running_W,
+      &inst_reg,
+      &wit_reg,
+      &mut transcript_nifs,
+    )
+    .unwrap();
 
-    let verified_U = proof.verify(&running_U, &inst_split, &shape_mr).unwrap();
+    let mut transcript = <E as Engine>::TE::new(b"nifs");
+    let U2_reg = inst_split.to_regular_instance().unwrap();
+    let verified_U = proof.verify(&mut transcript, &running_U, &U2_reg).unwrap();
     assert_eq!(verified_U, folded_U);
     assert!(S_reg.is_sat_relaxed(&ck, &folded_U, &folded_W).is_ok());
   }

src/r1cs/mod.rs

@@ -76,6 +76,7 @@ pub struct R1CSInstance<E: Engine> {
 
 /// A type that holds a witness for a given Relaxed R1CS instance
 #[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
+#[serde(bound = "")]
 pub struct RelaxedR1CSWitness<E: Engine> {
   pub(crate) W: Vec<E::Scalar>,
   pub(crate) r_W: Blind<E>,
@@ -1009,9 +1010,6 @@ impl<E: Engine> SplitR1CSInstance<E> {
     S: &SplitR1CSShape<E>,
     transcript: &mut E::TE,
   ) -> Result<(), SpartanError> {
-    // absorb the public IO into the transcript
-    transcript.absorb(b"public_values", &self.public_values.as_slice());
-
     if S.num_shared > 0 {
       if let Some(comm) = &self.comm_W_shared {
         E::PCS::check_partial(comm, S.num_shared)?;
@@ -1258,16 +1256,18 @@ impl<E: Engine> SplitMultiRoundR1CSInstance<E> {
     s: &SplitMultiRoundR1CSShape<E>,
     transcript: &mut E::TE,
   ) -> Result<(), SpartanError> {
-    // absorb the public IO into the transcript
-    transcript.absorb(b"public_values", &self.public_values.as_slice());
-
-    // Process each round
+    // Process each round, absorbing the previous round's commitment before deriving this round's challenges
     for round in 0..s.num_rounds {
-      // Generate and validate challenges for this round BEFORE absorbing the current round's commitment.
-      // This mirrors the order used by the prover, where challenges for round `r` are derived
-      // after absorbing the commitment from the *previous* round (if any), but **before** the
-      // commitment of the current round is absorbed. This ensures that the commitment of round `r`
-      // cannot influence the challenges of the same round.
+      if round > 0 {
+        // Absorb commitment of previous round to influence current round's challenges
+        E::PCS::check_partial(
+          &self.comm_w_per_round[round - 1],
+          s.num_vars_per_round[round - 1],
+        )?;
+        transcript.absorb(b"comm_w_round", &self.comm_w_per_round[round - 1]);
+      }
+
+      // Derive and validate challenges for this round
       let expected_challenges = (0..s.num_challenges_per_round[round])
         .map(|_| transcript.squeeze(b"challenge"))
         .collect::<Result<Vec<E::Scalar>, SpartanError>>()?;
@@ -1277,11 +1277,6 @@ impl<E: Engine> SplitMultiRoundR1CSInstance<E> {
           reason: format!("Challenges for round {round} do not match"),
         });
       }
-
-      // After validating challenges, absorb the commitment for the current round so that it
-      // affects the transcript state for the *next* round's challenges.
-      E::PCS::check_partial(&self.comm_w_per_round[round], s.num_vars_per_round[round])?;
-      transcript.absorb(b"comm_w_round", &self.comm_w_per_round[round]);
     }
 
     Ok(())