Perf: Poseidon2 GKR circuit

go.mod

@@ -9,7 +9,7 @@ require (
 	github.com/blang/semver/v4 v4.0.0
 	github.com/consensys/bavard v0.1.27
 	github.com/consensys/compress v0.2.5
-	github.com/consensys/gnark-crypto v0.15.0
+	github.com/consensys/gnark-crypto v0.16.1-0.20250213054626-7c56ee003026
 	github.com/fxamacker/cbor/v2 v2.7.0
 	github.com/google/go-cmp v0.6.0
 	github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8

go.sum

@@ -61,8 +61,8 @@ github.com/consensys/bavard v0.1.27 h1:j6hKUrGAy/H+gpNrpLU3I26n1yc+VMGmd6ID5+gAh
 github.com/consensys/bavard v0.1.27/go.mod h1:k/zVjHHC4B+PQy1Pg7fgvG3ALicQw540Crag8qx+dZs=
 github.com/consensys/compress v0.2.5 h1:gJr1hKzbOD36JFsF1AN8lfXz1yevnJi1YolffY19Ntk=
 github.com/consensys/compress v0.2.5/go.mod h1:pyM+ZXiNUh7/0+AUjUf9RKUM6vSH7T/fsn5LLS0j1Tk=
-github.com/consensys/gnark-crypto v0.15.0 h1:OXsWnhheHV59eXIzhL5OIexa/vqTK8wtRYQCtwfMDtY=
-github.com/consensys/gnark-crypto v0.15.0/go.mod h1:Ke3j06ndtPTVvo++PhGNgvm+lgpLvzbcE2MqljY7diU=
+github.com/consensys/gnark-crypto v0.16.1-0.20250213054626-7c56ee003026 h1:rJe4sZspAP96Sb2NIpEk52x87/CEDQrmHp0NHknGOT0=
+github.com/consensys/gnark-crypto v0.16.1-0.20250213054626-7c56ee003026/go.mod h1:Ke3j06ndtPTVvo++PhGNgvm+lgpLvzbcE2MqljY7diU=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=

std/gkr/api.go

@@ -44,7 +44,6 @@ func (api *API) Mul(i1, i2 constraint.GkrVariable, in ...constraint.GkrVariable)
 	return api.namedGate2PlusIn("mul", i1, i2, in...)
 }
 
-// TODO @Tabaie This can be useful
-func (api *API) Println(a ...constraint.GkrVariable) {
+func (api *API) Println(...constraint.GkrVariable) {
 	panic("not implemented")
 }

std/gkr/api_test.go

@@ -387,6 +387,7 @@ func (c *benchMiMCMerkleTreeCircuit) Define(api frontend.API) error {
 	return solution.Verify("-20", challenge)
 }
 
+// TODO @Tabaie just try using IsSolved instead?
 func testGroth16(t *testing.T, circuit, assignment frontend.Circuit) {
 	cs, err := frontend.Compile(ecc.BN254.ScalarField(), r1cs.NewBuilder, circuit, frontend.WithCompressThreshold(compressThreshold))
 	require.NoError(t, err)

std/gkr/testing.go

@@ -0,0 +1,104 @@
+package gkr
+
+import (
+	"errors"
+	"fmt"
+	"github.com/consensys/gnark-crypto/ecc"
+	frBls12377 "github.com/consensys/gnark-crypto/ecc/bls12-377/fr"
+	gkrBls12377 "github.com/consensys/gnark-crypto/ecc/bls12-377/fr/gkr"
+	hint "github.com/consensys/gnark/constraint/solver"
+	"github.com/consensys/gnark/frontend"
+	"math/big"
+)
+
+// SolveAll IS A TEST FUNCTION USED ONLY TO DEBUG a GKR circuit
+// The output is the values of all variables, across all instances
+// TODO find better name
+func (api *API) SolveAll(parentApi frontend.API) [][]frontend.Variable {
+	res := make([][]frontend.Variable, len(api.toStore.Circuit))
+	degreeTestedGates := make(map[string]struct{})
+	for i, w := range api.toStore.Circuit { // TODO use assignments
+		res[i] = make([]frontend.Variable, api.nbInstances())
+		copy(res[i], api.assignments[i])
+		if len(w.Inputs) == 0 {
+			continue
+		}
+		degree := Gates[w.Gate].Degree()
+		var degreeFr int
+		if parentApi.Compiler().Field().Cmp(ecc.BLS12_377.ScalarField()) == 0 {
+			degreeFr = gkrBls12377.Gates[w.Gate].Degree()
+		} else {
+			panic("field not yet supported")
+		}
+		if degree != degreeFr {
+			panic(fmt.Errorf("gate \"%s\" degree mismatch: SNARK %d, Raw %d", w.Gate, degree, degreeFr))
+		}
+	}
+	for instanceI := range api.nbInstances() {
+		for wireI, w := range api.toStore.Circuit {
+			if len(w.Dependencies) != 0 && len(w.Inputs) != 0 {
+				panic(fmt.Errorf("non-input wire %d should not have dependencies", wireI))
+			}
+			for _, dep := range w.Dependencies {
+				if dep.InputInstance == instanceI {
+					if dep.OutputInstance >= instanceI {
+						panic(fmt.Errorf("out of order dependency not yet supported in SolveAll; (wire %d, instance %d) depends on (wire %d, instance %d)", wireI, instanceI, dep.OutputWire, dep.OutputInstance))
+					}
+					if res[wireI][instanceI] != nil {
+						panic(fmt.Errorf("dependency (wire %d, instance %d) <- (wire %d, instance %d) attempting to override existing value assignment", wireI, instanceI, dep.OutputWire, dep.OutputInstance))
+					}
+					res[wireI][instanceI] = api.assignments[dep.OutputWire][dep.OutputInstance]
+				}
+			}
+
+			if res[wireI][instanceI] == nil { // no assignment or dependency
+				if len(w.Inputs) == 0 {
+					panic(fmt.Errorf("input wire %d, instance %d has no dependency or explicit assignment", wireI, instanceI))
+				}
+				ins := make([]frontend.Variable, len(w.Inputs))
+				for i, in := range w.Inputs {
+					ins[i] = res[in][instanceI]
+				}
+				expectedV, err := parentApi.Compiler().NewHint(frGateHint(w.Gate, degreeTestedGates), 1, ins...)
+				if err != nil {
+					panic(err)
+				}
+				res[wireI][instanceI] = Gates[w.Gate].Evaluate(parentApi, ins...)
+				parentApi.AssertIsEqual(expectedV[0], res[wireI][instanceI]) // snark and raw gate evaluations must agree
+			}
+
+		}
+	}
+	return res
+}
+
+func frGateHint(gateName string, degreeTestedGates map[string]struct{}) hint.Hint {
+	return func(mod *big.Int, ins, outs []*big.Int) error {
+		if len(outs) != 1 {
+			return errors.New("gate must have one output")
+		} // TODO @Tabaie implement other fields
+		if ecc.BLS12_377.ScalarField().Cmp(mod) == 0 {
+
+			gate := gkrBls12377.Gates[gateName]
+			if gate == nil {
+				return fmt.Errorf("gate \"%s\" not found", gateName)
+			}
+			if _, ok := degreeTestedGates[gateName]; !ok {
+				if err := gkrBls12377.TestGateDegree(gate, len(ins)); err != nil {
+					return fmt.Errorf("gate %s: %w", gateName, err)
+				}
+				degreeTestedGates[gateName] = struct{}{}
+			}
+
+			x := make([]frBls12377.Element, len(ins))
+			for i := range ins {
+				x[i].SetBigInt(ins[i])
+			}
+			y := gate.Evaluate(x...)
+			y.BigInt(outs[0])
+		} else {
+			return errors.New("field not supported")
+		}
+		return nil
+	}
+}

std/hash/hash.go

@@ -5,7 +5,7 @@
 package hash
 
 import (
-	"errors"
+	"fmt"
 	"sync"
 
 	"github.com/consensys/gnark/frontend"
@@ -58,7 +58,7 @@ func GetFieldHasher(name string, api frontend.API) (FieldHasher, error) {
 	defer lock.RUnlock()
 	builder, ok := builderRegistry[name]
 	if !ok {
-		return nil, errors.New("hash function not found")
+		return nil, fmt.Errorf("hash function \"%s\" not registered", name)
 	}
 	return builder(api)
 }
@@ -87,3 +87,48 @@ type BinaryFixedLengthHasher interface {
 	// FixedLengthSum returns digest of the first length bytes.
 	FixedLengthSum(length frontend.Variable) []uints.U8
 }
+
+// Compressor is a 2-1 one-way function. It takes two inputs and compresses
+// them into one output.
+//
+// NB! This is lossy compression, meaning that the output is not guaranteed to
+// be unique for different inputs. The output is guaranteed to be the same for
+// the same inputs.
+//
+// The Compressor is used in the Merkle-Damgard construction to build a hash
+// function.
+type Compressor interface {
+	Compress(frontend.Variable, frontend.Variable) frontend.Variable
+}
+
+type merkleDamgardHasher struct {
+	state frontend.Variable
+	iv    frontend.Variable
+	f     Compressor
+	api   frontend.API
+}
+
+// NewMerkleDamgardHasher transforms a 2-1 one-way function into a hash
+// initialState is a value whose preimage is not known
+func NewMerkleDamgardHasher(api frontend.API, f Compressor, initialState frontend.Variable) FieldHasher {
+	return &merkleDamgardHasher{
+		state: initialState,
+		iv:    initialState,
+		f:     f,
+		api:   api,
+	}
+}
+
+func (h *merkleDamgardHasher) Reset() {
+	h.state = h.iv
+}
+
+func (h *merkleDamgardHasher) Write(data ...frontend.Variable) {
+	for _, d := range data {
+		h.state = h.f.Compress(h.state, d)
+	}
+}
+
+func (h *merkleDamgardHasher) Sum() frontend.Variable {
+	return h.state
+}

std/hash/poseidon2/poseidon2.go

@@ -0,0 +1,19 @@
+package poseidon2
+
+import (
+	"fmt"
+
+	"github.com/consensys/gnark/frontend"
+	"github.com/consensys/gnark/std/hash"
+	poseidon2 "github.com/consensys/gnark/std/permutation/poseidon2"
+)
+
+// NewMerkleDamgardHasher returns a Poseidon2 hasher using the Merkle-Damgard
+// construction with the default parameters.
+func NewMerkleDamgardHasher(api frontend.API) (hash.FieldHasher, error) {
+	f, err := poseidon2.NewPoseidon2(api)
+	if err != nil {
+		return nil, fmt.Errorf("could not create poseidon2 hasher: %w", err)
+	}
+	return hash.NewMerkleDamgardHasher(api, f, 0), nil
+}

std/hash/poseidon2/poseidon2_test.go

@@ -0,0 +1,28 @@
+package poseidon2
+
+import (
+	"testing"
+
+	"github.com/consensys/gnark-crypto/ecc"
+	"github.com/consensys/gnark-crypto/ecc/bls12-377/fr/poseidon2"
+	"github.com/consensys/gnark/frontend"
+	"github.com/consensys/gnark/test"
+	"github.com/stretchr/testify/require"
+)
+
+func TestPoseidon2Hash(t *testing.T) {
+	// prepare expected output
+	h := poseidon2.NewMerkleDamgardHasher()
+	for i := range 5 {
+		_, err := h.Write([]byte{byte(i)})
+		require.NoError(t, err)
+	}
+	res := h.Sum(nil)
+
+	test.SingleFunction(ecc.BLS12_377, func(api frontend.API) []frontend.Variable {
+		hsh, err := NewMerkleDamgardHasher(api)
+		require.NoError(t, err)
+		hsh.Write(0, 1, 2, 3, 4)
+		return []frontend.Variable{hsh.Sum()}
+	}, res)(t)
+}