v0.2.0-phase2 — PLONK + Groth16 batch production

Pre-release

kh0ra released this 20 Apr 14:02
· 176 commits to main since this release

Phase 2 technical scope frozen. Two production verifier additions plus infrastructure work that unblocks Phase 3.

Headline: two new verifier paths on Solana L1

| Mode | Measured CU | vs Phase 1 |
|---|---|---|
| Groth16 BN254 single | 80,296 | baseline |
| Groth16 BN254 batch N=5 | 230,626 (46K/proof) | -42.6% |
| KZG-PLONK BN254 | 747,666 | new |

Groth16 batch beats the loop path at N≥2. PLONK is the first non-Groth16 production verifier in the Solana ecosystem — byte-for-byte compatible with snarkjs 0.7.x, verified end-to-end against a real snarkjs fixture.

What's new

Verifiers

  • mosaic-plonk — full KZG-PLONK BN254 verifier. Six rounds of Fiat-Shamir via Keccak-256 transcript, linearization polynomial reconstruction (MSM over VK + proof commitments), KZG batched opening pairing. Six library modules: canonical, fr, field, transcript, challenges, linearization.
  • mosaic-groth16::batch — Bowe-Gabizon randomized aggregation. N proofs sharing a VK → one alt_bn128_pairing syscall with N+3 pairs. Independent SHA-256 challenges keep derivation free of on-chain Fr multiplication.
  • VerifyProofBatch instruction (0x02) exposes batch verification to on-chain callers and CPI.

Infrastructure

  • sol_poseidon syscall wired via solana-poseidon 2.3 (#8) — unblocks Circom-compatible transcripts for Phase 3 KZG-based systems.
  • Real snarkjs 0.7.6 PLONK fixture + SnarkjsPlonkCodec — decoder for snarkjs JSON → canonical wire bytes.
  • cargo-vet attestation baseline (#59): 74 audited / 2 partial / 689 exempted.
  • Threat model expanded with 4 scope-boundary axes: under-constrained circuits, malleable proofs, validator determinism, replay safety (#63).
  • Audit-readiness pass (#60): SECURITY.md, AUDIT.md, disclosure timeline, supply-chain README, pre-audit RFQ/outreach templates.
  • bpf-bench now tracks three regression gates: Groth16 single, Groth16 batch N=5, PLONK single.

Stats

  • 119 tests passing (was 36 at v0.1.0-phase1).
  • SBF ELF 557 KB (was 112 KB, growth owed to arkworks Fr + PLONK linearization + batch path). Well under Solana's 1 MB program size limit.
  • Clippy strict green (correctness + suspicious + todo + unimplemented hard-deny).

Bugs caught along the way

  • PLONK u-challenge absorb order was missing — snarkjs only absorbs Wxi + Wxiω for u, not v. Pre-fix would have silently failed all valid PLONK proofs.
  • Host G1 decode rejected (0, 0) as off-curve. Solana alt_bn128 treats all-zero bytes as identity; snarkjs emits this for zero-polynomial selector commitments (e.g. Qr in our mul-circuit).
  • SBF stack-frame overflow in PLONK linearization (>10 KB at worst). Resolved by splitting monolithic functions into many #[inline(never)] sub-helpers.
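
The host G1 decode item above, as an added example (not code from this repository): all-zero bytes are accepted as the identity before the curve equation y² = x³ + 3 is checked, since (0, 0) fails a strict on-curve test. The 64-byte big-endian x‖y layout, the rejection of unreduced coordinates, and the names `G1`, `on_curve` and `decode_g1` are assumptions of this example.

```rust
// Added example, not mosaic code. Assumes a 64-byte big-endian x || y G1 encoding.
type U256 = [u64; 4]; // little-endian 64-bit limbs
const P: U256 = [0x3c208c16d87cfd47, 0x97816a916871ca8d, 0xb85045b68181585d, 0x30644e72e131a029]; // BN254 base-field modulus
#[derive(Debug, PartialEq)]
pub enum G1 { Identity, Affine(U256, U256) }
fn geq(a: &U256, b: &U256) -> bool {
    for i in (0..4).rev() { if a[i] != b[i] { return a[i] > b[i]; } }
    true
}
fn sub(a: U256, b: U256) -> U256 {
    let (mut r, mut borrow) = ([0u64; 4], false);
    for i in 0..4 {
        let (d, b1) = a[i].overflowing_sub(b[i]);
        let (d, b2) = d.overflowing_sub(borrow as u64);
        r[i] = d; borrow = b1 || b2;
    }
    r
}
// (a + b) mod p for a, b < p; the sum stays below 2^255, so no carry is lost.
fn addmod(a: U256, b: U256) -> U256 {
    let (mut s, mut c) = ([0u64; 4], 0u128);
    for i in 0..4 { let t = a[i] as u128 + b[i] as u128 + c; s[i] = t as u64; c = t >> 64; }
    if geq(&s, &P) { sub(s, P) } else { s }
}
// (a * b) mod p by double-and-add: slow, but short and exact.
fn mulmod(a: U256, b: U256) -> U256 {
    let mut r = [0u64; 4];
    for i in (0..256).rev() {
        r = addmod(r, r);
        if (b[i / 64] >> (i % 64)) & 1 == 1 { r = addmod(r, a); }
    }
    r
}
// Strict curve equation y^2 = x^3 + 3; (0, 0) fails it because 0 != 3.
pub fn on_curve(x: U256, y: U256) -> bool {
    mulmod(y, y) == addmod(mulmod(mulmod(x, x), x), [3, 0, 0, 0])
}
fn limbs(be: &[u8]) -> U256 {
    let mut r = [0u64; 4];
    for i in 0..4 { r[3 - i] = be[i * 8..i * 8 + 8].iter().fold(0u64, |acc, &b| (acc << 8) | b as u64); }
    r
}
pub fn decode_g1(bytes: &[u8; 64]) -> Result<G1, &'static str> {
    if bytes.iter().all(|&b| b == 0) { return Ok(G1::Identity); } // identity before the curve check
    let (x, y) = (limbs(&bytes[..32]), limbs(&bytes[32..]));
    if geq(&x, &P) || geq(&y, &P) { return Err("coordinate not reduced mod p"); }
    if on_curve(x, y) { Ok(G1::Affine(x, y)) } else { Err("point not on curve") }
}
fn main() { println!("{:?}", decode_g1(&[0u8; 64])); }
```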

Closed issues

#1 PLONK verifier · #5 batch_verify · #8 Poseidon · #33 devnet integration · #59 cargo-vet · #60 audit-readiness · #63 threat model

Compatibility

  • Host: Rust 1.85.0 stable (unchanged)
  • SBF: cargo build-sbf --tools-version v1.52 (unchanged)
  • Solana program SDK: ^2.1 (unchanged, tested against 2.3.0)
  • Wire format: Phase-1 canonical byte layouts stable; PLONK adds its own 768 B proof / 744 B VK layout
  • OnChainError discriminants: all Phase-1 values unchanged; no new variants

Phase 3 preview

Next freeze targets HyperPlonk-KZG, Halo2-KZG, gnark adapter, FRI-STARK, Nova/HyperNova folding. See the [Unreleased] section of CHANGELOG.md for the full list.

Full changelog

CHANGELOG.md § 0.2.0-phase2