zyga 0.5.1

ZYGA zero-knowledge proof system - CLI and library for generating ZK proofs
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221

# Zyga

A high-performance zero-knowledge proof system implementation in Rust, featuring the ZYGA proof system with BN254 elliptic curve pairings. Now with no_std support for embedded and blockchain environments!

## Installation

### Install from crates.io

```bash
cargo install zyga
```

### Build from source

```bash
git clone https://github.com/darklakefi/py-zk-tiago
cd py-zk-tiago/rust
cargo build --release
```

## Usage

### Command Line Interface (two-step)

ZYGA now uses a setup/prove workflow:

1) Setup: compile constraints and generate proving key + on-chain helpers

```bash
zyga setup -c constraints.aoa -o test --prefix test
```

Outputs:
- `test.zyga` (proving key)
- `test_public_coefficients.rs` (public coefficients for on-chain)
- `test_proving_key.rs` (static VK elements for on-chain)

2) Prove: create a proof using the proving key and a witness

```bash
zyga prove -s test.zyga -w witness.json -o proof.json
```

Flags:
- `-v, --verbose`: verbose logs
- `--debug-matrices`: embed matrices and witness info in output JSON

### Library Usage

```rust
use zyga::{compile_constraints, generate_trusted_setup, create_pairing_proof};

// Load and compile constraints
let constraints_str = std::fs::read_to_string("constraints.aoa")?;
let compilation_result = compile_constraints(&constraints_str)?;

// Generate trusted setup
let rng = &mut rand::thread_rng();
let trusted_setup = generate_trusted_setup(compilation_result.num_constraints, rng)?;

// Create proof
let proof = create_pairing_proof(
    &compilation_result,
    &processed_witness,
    &trusted_setup,
)?;
```

## Features

- **ZYGA Proof System**: Optimized zero-knowledge proof generation
- **BN254 Curve**: Compatible with Ethereum's alt_bn128 precompile and Solana's BN254 syscalls
- **No-std Support**: Use in embedded and blockchain environments like Solana
- **Constraint Compilation**: Compile constraints from AOA format (std only)
- **Trusted Setup Generation**: Generate trusted setup parameters (std only)
- **Proof Generation**: Create succinct zero-knowledge proofs (std only)
- **Proof Verification**: Verify proofs on-chain with customizable coefficient functions (no_std compatible)
- **Public Coefficient Generation**: Automatically generates verifier code for on-chain deployment
- **Modular Design**: Support multiple proof systems in the same project via `--prefix`

## Constraint File Format (AOA)

AOA (Arithmetic Operation Algebra) files define the constraint system:

```
# Variable declarations
decl a[4] privat    # Private variables (known only to prover)
decl b[4] public    # Public variables (known to verifier)
decl c defer        # Deferred variables (provided at verification time)

# Constraints (must be in the form A*B == C)
constraint a[0]*a[0] == b[0]
constraint a[1]*a[1] == b[1]
constraint (a[2]+a[3])*(a[2]-a[3]) == b[2]
```

Variable types:
- `privat`: Secret inputs known only to the prover
- `public`: Public inputs known to both prover and verifier
- `defer`: Variables provided by the verifier at verification time

## Public Coefficient Generation

When generating a proof, ZYGA automatically creates a `public_coefficients.rs` file that maps public inputs to their contributions in the verification equation:

```rust
// Auto-generated public coefficients for on-chain verification
pub const NUM_PUBLIC_INPUTS: usize = 4;
pub const PUBLIC_INPUT_NAMES: [&str; 4] = ["b[0]", "b[1]", "b[2]", "b[3]"];

// Coefficients for computing a2, b2, c2 from public inputs
pub const PUBLIC_COEFFICIENTS: [InputCoefficients; 4] = [
    InputCoefficients { coeff_a: 0, coeff_b: 1, coeff_c: 0 },
    // ... more coefficients
];
```

This file is used by the on-chain verifier to compute the verification equation without needing the full constraint system. It is auto-generated during `setup` and should not be edited.

## Architecture

The crate is organized into several modules:

- `constraint`: Constraint system compilation and processing (std only)
- `polynomial`: Polynomial arithmetic and Lagrange interpolation (std only)
- `pairing`: BN254 pairing-based proof generation (std only)
- `symbol`: Symbolic value processing for witness handling (std only)
- `code_generation`: Generate verifier code for on-chain deployment (std only)
- `verification`: On-chain proof verification for Solana BPF (no_std compatible)
- `dag`: Expression DAG for constraint evaluation (std only)
- `errors`: Error types (always available)
- `common`: Shared types for G1/G2 points and proof elements (always available)

## Examples

### Basic Square Proof

Create a proof that you know values whose squares equal public values:

```bash
# constraints.aoa
decl secret[4] privat
decl squares[4] public
constraint secret[0]*secret[0] == squares[0]
constraint secret[1]*secret[1] == squares[1]
constraint secret[2]*secret[2] == squares[2]
constraint secret[3]*secret[3] == squares[3]

# witness.json
{
  "secret": [1, 2, 3, 4],
  "squares": [1, 4, 9, 16]
}

# Generate proof
zyga -c constraints.aoa -w witness.json -o proof.json
```

### 64-bit Comparison Proof

Prove that one 64-bit number is greater than another:

```bash
# uint64-gt.aoa contains bit-by-bit comparison logic
zyga setup -c uint64-gt.aoa -o uint64gt --prefix uint64gt
zyga prove -s uint64gt.zyga -w witness-64.json -o uint64gt_output.json

# Copy generated coefficients for on-chain verification
cp uint64gt_public_coefficients.rs ../onchain-verifier/src/
```

## Proof JSON Shape

`proof.json` contains a single proof object and optional debug data:

```json
{
  "pairing_proof": {
    "proof": {
      "a_curve": "…64-byte hex…",
      "g2_b2": "…128-byte hex…",
      "c_curve": "…64-byte hex…",
      "g1_a2": "…64-byte hex…",
      "g1_c2": "…64-byte hex…",
      "g1_hz": "…64-byte hex…"
    },
    "trusted_setup": { "h1": "…", "h2": "…", "alpha": "…", "beta": "…" },
    "n_constraints": 1
  },
  "public_inputs": { "b[0]": 1, "b[1]": 0, … }
}
```

The on-chain verifier expects:
- `Proof` serialized fields in order: `a_curve`, `g2_b2`, `c_curve`, `g1_a2`, `g1_c2`, `g1_hz`.
- Public inputs provided as a `Vec<i64>` (values only) in the transaction; names are used only off-chain.

## Testing

Run the test suite:

```bash
# Unit tests
cargo test

# Build and test everything
cargo build --release
cargo test --all-features
```

## License

MIT

## Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

## Repository

For more information, visit the [GitHub repository](https://github.com/darklakefi/zyga).