Update tests

manual_check

@@ -14,7 +14,6 @@ for cargo_toml in $(git ls-files '**/Cargo.toml'); do
 done
 
 ./setup.sh
-./encode_ceno.sh
-
-# This one is expected to fail at the moment, but it's still useful to run:
+# ./encode_ceno.sh
 # ./verify_ceno.sh
+./test_poseidon.sh 1000

spartan_parallel/src/r1csinstance.rs

@@ -492,11 +492,6 @@ impl<S: SpartanExtensionField + Send + Sync> R1CSInstance<S> {
 
     // Group the instances based on number of variables, which are already orders of 2^4
     for i in 0..self.num_instances {
-      println!(
-        "I: {}, NUM_CONS: {}, NUM_VARS: {}",
-        i, self.num_cons[i], self.num_vars[i]
-      );
-
       let var_len = self.num_vars[i];
       // A_list, B_list, C_list
       if let Some(index) = vars_size.get(&var_len) {

zok_tests/benchmarks/tests/compact_cert/compact_cert.zok

@@ -0,0 +1,207 @@
+from "./poseidon_struct.zok" import DoubleHash
+from "./poseidon2.zok" import poseidon2_batch2
+from "./poseidon3.zok" import poseidon3
+from "./poseidon5.zok" import poseidon5_batch2
+from "./merkle.zok" import MerkleProof, verify_merkle, verify_merkle_batch
+from "./schnorr.zok" import WIDTH, Point, DoublePoint, QuadPoint, PublicKey, Signature, verify_signature, point_add, point_mul, point_double_add_batch, point_mul_batch
+
+// Reveal Proof Entry
+struct T {
+    u32 i
+    field[ro 5] s // sig_r_x, sig_r_y, sig_s, l, r
+    field[ro 5] p // pk_p_x, pk_p_y, pk_q_x, pk_q_y, w
+}
+
+struct CompactCertProof {
+    field sig_root
+    u64 signed_weight
+    u32[ro 0] t_i_list
+    field[ro 0][ro 5] t_p_list
+}
+
+// Verifier of a compact certificate function
+def verifier(
+    CompactCertProof compact_cert_proof,
+    u64 proven_weight,
+    u32 num_reveals,
+    field message,
+    u32 merkle_depth,
+    field att_root,
+    field[ro 0] coins
+) -> field:
+    u64 signed_weight = compact_cert_proof.signed_weight
+    assert(signed_weight > proven_weight)
+    // let num_reveals: usize = (k + q).div_ceil((signed_weight / proven_weight).ilog2() as usize);
+
+    for u32 j in 0..num_reveals do
+        // Reproduce coin
+        // field[5] inputs = [(F)j, compact_cert_proof.sig_root, (F)proven_weight, message, att_root]
+        // field coin_hash = poseidon(5, inputs)
+        // field coin = coin_hash % (F)signed_weight
+        field coin = coins[j]
+
+        u32 t_i = compact_cert_proof.t_i_list[j]
+        field[ro 5] t_p = compact_cert_proof.t_p_list[j]
+        witness field sig_r_x
+        witness field sig_r_y
+        witness field sig_s
+        witness field l
+        witness field r
+        // Sig Opening & Att Opening
+        assert(verify_merkle_batch(t_i, compact_cert_proof.sig_root, sig_r_x, sig_r_y, sig_s, l, r, att_root, t_p, merkle_depth) == 1)
+        // Validity of signature
+        PublicKey pk = PublicKey {
+            p: Point { x: t_p[0], y: t_p[1] },
+            q: Point { x: t_p[2], y: t_p[3] }
+        }
+        Signature sig = Signature {
+            r: Point{ x: sig_r_x, y: sig_r_y },
+            s: sig_s
+        }
+        assert(verify_signature(message, pk, sig) == 1)
+        // L < coin <= L + Weight
+        field t_p_4 = t_p[4]
+        assert(l + t_p_4 == r)
+        assert(l <= coin && coin < r)
+    endfor
+
+    return 1
+
+// Parse out the inputs in simple register - memory form
+def main(
+    u32 num_attestors,
+    // For compact_cert_proof
+    field sig_root,
+    u64 signed_weight,
+    u32[ro 0] t_i_list,
+    // All memory entries within T (p)
+    field[ro 0] t_mem,
+    // List of pointers (input format field[0])
+    field[ro 0][ro 5] t_p_list,
+    // For others
+    u64 proven_weight,
+    u32 num_reveals,
+    field message,
+    u32 merkle_depth,
+    field att_root,
+    field[ro 0] coins
+) -> field:
+    CompactCertProof compact_cert_proof = CompactCertProof {
+        sig_root: sig_root,
+        signed_weight: signed_weight,
+        t_i_list: t_i_list,
+        t_p_list: t_p_list
+    }
+
+    return verifier(
+        compact_cert_proof,
+        proven_weight,
+        num_reveals,
+        message,
+        merkle_depth,
+        att_root,
+        coins
+    )
+/*
+def main() -> u32:
+    field message = 6908441180828167112785246881494320159273940089327447106269949444716788494909
+
+    // Let all attestors use the same pk & weight, does not affect performance
+    u32 num_attestors = 8
+    u32 weight = 5
+    u32 proven_weight = num_attestors * weight - 1
+    u32 signed_weight = num_attestors * weight
+    array_decl PublicKey[num_attestors] pk_list
+    array_decl Signature[num_attestors] sig_list
+    // Constant folding to avoid constructing new blocks
+    for u32 i in 0..8 do
+        pk_list[i] = PublicKey {
+            p: Point {
+                x: 2023776050662786605020065854616777351003832247628992350849206310281785027488,
+                y: 1079270832837170318396516616249394502719834190979906495690419930531357954746
+            },
+            q: Point {
+                x: 7101684830137506950821434332972100736705268320764486193269722119377250644660,
+                y: 1764840689618624173098512281158161439147043396136846829753116276022936136130
+            }
+        }
+        sig_list[i] = Signature {
+            r: Point {
+                x: 5824293800188062938533237344790739102726705128562220570802448947038150657007,
+                y: 340848841123394720212279364279745606262149681372696003943728267198931244360
+            },
+            s: 4415915127126372096757067153593537022657929051278082364476489088715040314973
+        }
+    endfor
+    // Pre-compute merkle tree
+    field att_l3 = 3568540802966646228682833257557760865097881745527951700421217637177394578913
+    field att_l2 = 2484212816056817413898735043111201825935337234900653303346593633698983423094
+    field att_l1 = 5903852974969142884799701163972075918012827147993384813454715036777418930530
+    field att_root = 5370923878175693173927301385262983018969346333984379995904147798742460333298
+    field[8] sig_l3 = [2143011384822392262595217693211276733745818975285573378412503830433633959080, 5158845522944913588713567773900368475672965537784145747547478088857012853666, 5894431764744941209369386797811063446586114379583965613751294306331542502696, 3667283647262791680030373214327691510807066264550220904438401348778560171091, 1932762137729700956492443572973924935698339638272997763907569306777878106609, 1418160613934592350074019113722063326372415219334378482966622875040143984418, 1123602082019234105093136610853837217580120360581368113294785447946335970166, 677162234791219704923474809188832072777286476135280817077786787139967839874]
+    field[4] sig_l2 = [4160497668328416341124388728115946100594341504290452585444083838585144458368, 1786009993478681170835177129397965607571769106910016212295375778662767436399, 6323428707993845638065745016939134132792346703598261115088661703160553949516, 1179006504278106626617144731083403287975523722023953894416803973871305137607]
+    field[2] sig_l1 = [2082031909420678479574926408191366694068435842853798548085170995138065656765, 2509162190273150374531803693747128200974026349740956653847078957273579771806]
+    field sig_root = 2845540671766269799140204035187166219383492292318390575781563565945781070871
+    u32 merkle_depth = 3
+
+    u32 num_reveals = 3
+    // coin = [7, 30, 34]
+    // entry = [1, 6, 6]
+    // All bits in big endian
+    bool[num_reveals][WIDTH] e_bits_list = [[false, false, false, false, true, false, true, true, true, false, true, true, true, true, true, true, false, false, false, true, false, true, false, false, true, false, false, true, true, true, false, true, false, true, true, true, false, false, true, false, false, true, false, false, false, true, true, false, false, false, true, false, false, false, false, true, true, false, false, false, true, false, false, false, false, true, false, false, true, true, true, true, false, true, false, true, false, false, true, true, false, true, false, false, false, true, false, true, false, false, false, false, true, false, true, true, false, false, false, false, true, false, true, false, true, false, false, false, true, true, false, false, true, true, false, true, true, false, true, false, true, true, true, false, true, false, true, false, true, true, true, true, true, true, false, false, false, true, false, true, false, false, true, false, false, false, true, true, false, false, true, false, false, true, false, false, false, true, false, false, false, true, false, false, true, true, true, false, false, false, true, true, true, false, false, false, false, false, true, true, true, false, true, true, false, true, false, true, false, true, false, true, false, false, true, true, false, false, false, false, true, true, false, false, false, false, true, false, true, true, false, true, false, false, true, true, true, false, true, false, true, true, true, true, false, true, true, false, false, true, false, false, true, false, false, false, true, false, false, false, false, false, false, true, false, true, true, false, true, true, false, false, true]; num_reveals]
+    bool[num_reveals][WIDTH] s_bits_list = [[false, true, false, false, true, true, true, false, false, false, false, true, true, false, true, false, true, false, false, false, true, true, true, false, false, false, false, true, true, true, false, false, false, false, false, false, true, false, false, true, false, false, true, true, true, false, true, true, false, true, false, false, true, true, true, true, false, true, true, true, true, true, false, false, true, false, true, true, false, false, true, false, true, true, true, true, true, true, false, false, true, false, false, true, true, true, false, true, false, false, true, false, false, false, false, true, true, true, false, true, true, false, false, true, true, true, true, true, false, false, false, true, false, true, true, true, true, false, true, false, true, true, false, false, true, false, false, false, false, true, false, false, false, true, true, true, true, false, true, true, false, false, false, true, true, false, false, false, true, false, true, true, true, false, true, true, true, false, true, false, false, true, true, false, false, true, false, false, false, false, true, true, false, true, false, true, false, false, false, true, true, false, true, true, false, true, true, false, true, true, true, false, true, true, false, true, false, true, true, false, true, true, true, false, true, true, false, false, true, true, false, false, true, false, true, false, false, false, false, true, false, false, true, false, true, true, true, true, true, false, false, false, true, false, false, false, true, false, true, false, true, false, true, true, false, false, true, false, true, true, true, false, true]; num_reveals]
+
+    CompactCertProof compact_cert_proof = CompactCertProof {
+        sig_root: sig_root,
+        signed_weight: signed_weight,
+        t_list: [
+            T {
+                i: 1,
+                i_bits: [false, false, true],
+                s: [sig_list[1].r.x, sig_list[1].r.y, sig_list[1].s, 5, 10],
+                pi_s: MerkleProof {
+                    path: [sig_l3[0], sig_l2[1], sig_l1[1]]
+                },
+                p: [pk_list[1].p.x, pk_list[1].p.y, pk_list[1].q.x, pk_list[1].q.y, (F)weight],
+                pi_p: MerkleProof {
+                    path: [att_l3, att_l2, att_l1]
+                }
+            },
+            T {
+                i: 6,
+                i_bits: [true, true, false],
+                s: [sig_list[6].r.x, sig_list[6].r.y, sig_list[6].s, 30, 35],
+                pi_s: MerkleProof {
+                    path: [sig_l3[7], sig_l2[2], sig_l1[0]]
+                },
+                p: [pk_list[6].p.x, pk_list[6].p.y, pk_list[6].q.x, pk_list[6].q.y, (F)weight],
+                pi_p: MerkleProof {
+                    path: [att_l3, att_l2, att_l1]
+                }
+            },
+            T {
+                i: 6,
+                i_bits: [true, true, false],
+                s: [sig_list[6].r.x, sig_list[6].r.y, sig_list[6].s, 30, 35],
+                pi_s: MerkleProof {
+                    path: [sig_l3[7], sig_l2[2], sig_l1[0]]
+                },
+                p: [pk_list[6].p.x, pk_list[6].p.y, pk_list[6].q.x, pk_list[6].q.y, (F)weight],
+                pi_p: MerkleProof {
+                    path: [att_l3, att_l2, att_l1]
+                }
+            }
+        ]
+    }
+
+    return verifier(
+        compact_cert_proof,
+        proven_weight,
+        num_reveals,
+        message,
+        merkle_depth,
+        att_root,
+        e_bits_list,
+        s_bits_list
+    )
+    */

zok_tests/benchmarks/tests/compact_cert/merkle.zok

@@ -0,0 +1,48 @@
+from "./poseidon_struct.zok" import DoubleHash
+from "./poseidon2.zok" import poseidon2_batch2
+from "./poseidon5.zok" import poseidon5_batch2
+
+// Merkle paths are now directly supplied as witnesses
+// struct MerkleProof {
+//     // All internal nodes on the path
+//     field[ro 0] path
+// }
+
+// Perform two merkle tree verification together
+// Both tree are of the same size, opening the same index
+// Specifically built for compact certificate
+def verify_merkle_batch(
+    u32 index,
+    field root_0, 
+    field sig_r_x,
+    field sig_r_y,
+    field sig_s,
+    field l,
+    field r,
+    field root_1, 
+    field[ro 5] entry_1, 
+    u32 depth
+) -> field:
+    field index_assemb = 0
+    // hash of leaf
+    DoubleHash cur_nodes = poseidon5_batch2(sig_r_x, sig_r_y, sig_s, l, r, entry_1[0], entry_1[1], entry_1[2], entry_1[3], entry_1[4])
+    field factor = 1
+    // hash of internal nodes
+    for u32 i in 0..depth do
+        // Depending on index, cur_node and proof[i] will be on two sides of the inputs
+        witness field next_bit
+        assert(next_bit * (next_bit - 1) == 0)
+        index_assemb = index_assemb + next_bit * factor
+        factor = factor * 2
+        witness field next_path
+        field state1 = next_bit == 0 ? cur_nodes.hash0 : next_path
+        field state2 = next_bit == 0 ? next_path : cur_nodes.hash0
+        witness field next_path
+        field state3 = next_bit == 0 ? cur_nodes.hash1 : next_path
+        field state4 = next_bit == 0 ? next_path : cur_nodes.hash1
+        cur_nodes = poseidon2_batch2(state1, state2, state3, state4)
+    endfor
+    assert(index_assemb == (F)index)
+    assert(cur_nodes.hash0 == root_0)
+    assert(cur_nodes.hash1 == root_1)
+    return 1