Ligerito
polynomial commitment scheme over binary extension fields.
⚠️ IMPORTANT: For optimal performance (5-6x speedup), install with native CPU optimizations:
RUSTFLAGS="-C target-cpu=native"
Without this flag, the prover will be significantly slower. See installation for details.
what it's good for
- committing to large polynomials with small proofs (~150 KB for 2^20 polynomial)
- fast proving on modern cpus with simd (300-600ms for 1M elements)
- verifier-only builds for constrained environments (polkavm, wasm, embedded)
- transparent setup (no trusted setup required)
- enabling verifiable light client p2p networks
what it's not good for
- general-purpose zkp (no arbitrary circuits, only polynomial commitments)
- proving without simd (slow without hardware acceleration)
- tiny polynomials (proof overhead significant below 2^12)
- scenarios requiring smallest possible proofs (starkware/plonky2 may be smaller)
library usage
add to Cargo.toml:
[]
= "0.1.5"
⚠️ for development: clone the workspace to get automatic native optimizations:
example:
use ;
use ;
use PhantomData;
// create prover config
let config = hardcoded_config_20;
// polynomial to commit (2^20 elements)
let poly: = vec!;
// generate proof
let proof = prove.unwrap;
// verify proof
let verifier_config = hardcoded_config_20_verifier;
let valid = verify.unwrap;
assert!;
transcript backends
// sha256 (default, no extra deps, works in no_std)
use ;
let proof = prove_sha256.unwrap;
let valid = verify_sha256.unwrap;
// merlin (requires std + transcript-merlin feature)
use ;
let proof = prove.unwrap;
let valid = verify.unwrap;
supported sizes
configs available: hardcoded_config_{12,16,20,24,28,30} for prover and hardcoded_config_{12,16,20,24,28,30}_verifier for verifier.
build configurations
full-featured (default)
includes: prover, verifier, parallelism, simd
verifier-only
~50% smaller binary, perfect for polkavm/on-chain verification
no_std verifier
minimal build for wasm/embedded (requires alloc)
cli usage
installation
recommended (optimized for your cpu):
# from crates.io
RUSTFLAGS="-C target-cpu=native"
# or from source
the workspace config automatically enables native cpu optimizations (SIMD/PCLMULQDQ) for 5-6x speedup.
performance impact:
WITH native optimizations: 300-600ms for 2^20 prove
WITHOUT native optimizations: 2000-3000ms for 2^20 prove (5-6x slower!)
without optimizations (not recommended):
check your build:
| |
# output should show: [release SIMD] for optimal performance
prove and verify
# generate random test data (2^20 = 1M elements)
# generate proof from polynomial data
|
# verify proof
|
# output: "VALID" with exit code 0
# roundtrip test
| |
transcript backends
prover and verifier must use the same transcript backend:
# sha256 (default)
# merlin (requires transcript-merlin feature)
generate test data
# random data (default)
# all zeros
# all ones
# sequential (0, 1, 2, ...)
# save to file
show configuration
data format
polynomials are binary data: size * 4 bytes (4 bytes per BinaryElem32 element).
example for 2^12:
# 2^12 elements = 4096 elements * 4 bytes = 16384 bytes
| |
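an added example, not code from the ligerito project: a std-only rust check that a polynomial file matches the data format and supported sizes described on this page before it is handed to the prover. the function and type names are hypothetical, and little-endian byte order is an assumption, since the page does not state one.

```rust
// Added example: std-only, does not call the ligerito crate.
// log2(element count) values the page lists as having hardcoded configs.
const SUPPORTED_LOG_SIZES: [u32; 6] = [12, 16, 20, 24, 28, 30];
const ELEM_BYTES: usize = 4; // 4 bytes per BinaryElem32 element (from the page)

#[derive(Debug, PartialEq)]
enum PolyFileError {
    NotWholeElements(usize), // byte length is not a multiple of 4
    UnsupportedCount(usize), // element count is not one of the listed 2^k
}

/// Returns log2(element count) when `len` bytes is exactly a supported size.
fn check_len(len: usize) -> Result<u32, PolyFileError> {
    if len % ELEM_BYTES != 0 {
        return Err(PolyFileError::NotWholeElements(len));
    }
    let count = len / ELEM_BYTES;
    SUPPORTED_LOG_SIZES
        .iter()
        .copied()
        .find(|&k| (count as u64) == (1u64 << k))
        .ok_or(PolyFileError::UnsupportedCount(count))
}

/// Validates the length, then decodes the raw bytes into 32-bit words.
/// ASSUMPTION: little-endian; the page does not state the byte order.
fn decode(bytes: &[u8]) -> Result<(u32, Vec<u32>), PolyFileError> {
    let log_size = check_len(bytes.len())?;
    let elems = bytes
        .chunks_exact(ELEM_BYTES)
        .map(|c| u32::from_le_bytes([c[0], c[1], c[2], c[3]]))
        .collect();
    Ok((log_size, elems))
}

/// Constructed sample input: the "sequential (0, 1, 2, ...)" pattern.
fn sequential_bytes(log_size: u32) -> Vec<u8> {
    (0..(1u32 << log_size)).flat_map(|i| i.to_le_bytes()).collect()
}

fn main() {
    let data = sequential_bytes(12);
    let (k, elems) = decode(&data).unwrap();
    println!("{} bytes, 2^{} elements, last = {}", data.len(), k, elems[elems.len() - 1]);
    // A truncated or padded file is rejected instead of being silently resized.
    println!("{:?}", check_len(data.len() - 1));
}
```

the returned log size is the number that selects the matching hardcoded_config_{N} / hardcoded_config_{N}_verifier pair.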
features
- std (default): standard library support
- prover (default): include proving functionality
- verifier-only: minimal verifier build
- parallel (default): multi-threaded with rayon
- hardware-accel (default): simd acceleration
- transcript-sha256: sha256 transcript (always available)
- transcript-merlin: merlin transcript (requires std)
- cli: command-line binary
supported sizes
- 2^12 (4,096 elements, 16 KB)
- 2^16 (65,536 elements, 256 KB)
- 2^20 (1,048,576 elements, 4 MB)
- 2^24 (16,777,216 elements, 64 MB)
- 2^28 (268,435,456 elements, 1 GB)
- 2^30 (1,073,741,824 elements, 4 GB)
performance
benchmarked on amd ryzen 9 7945hx (8 cores, smt disabled):
| size | elements | proving | verification |
|---|---|---|---|
| 2^20 | 1.05m | 68ms | 22ms |
| 2^24 | 16.8m | 1.24s | 470ms |
| 2^28 | 268.4m | 25.1s | 8.5s |
reference
ligerito paper by andrija novakovic and guillermo angeris
license
mit / apache-2.0