Merge pull request #169 from anoma/xuyang/refine_feature_flags

refine feature flags

Author: XuyangSong

README.md

@@ -73,36 +73,24 @@ We have the following feature flags in arm lib:
 | Feature                  | Implies                   | Description                                                                                                                     |
 | ------------------------ | ------------------------- | ------------------------------------------------------------------------------------------------------------------------------- |
 | `compliance_circuit`       |                           | A specific feature for compliance circuit                                                                                       |
-| `transaction (default)`     | `compliance_circuit`, `client` | It provides full transaction processing capabilities and will be in the Anoma SDK and validator with a selected prover feature. Succinct prover is used by default. |
+| `transaction (default)`     | `compliance_circuit`, `client` | It provides full transaction processing capabilities and supports Succinct(STARK) and Groth16 proof types. Groth16 proofs require x86_64 machines. |
 | `prove`                    |                           | Enables RISC0 proving capabilities (required for actual proof generation)                                                       |
 | `bonsai`                    |                           | Enables RISC0 bonsai sdk                                                       |
 | `client`                    |                           | Enables RISC0 client sdk                                                       |
 | `cuda`                    |                           | Enables CUDA GPU acceleration for the prover. Requires CUDA toolkit to be installed.                                                       |
-| `fast_prover`         |                           | Fastest option producing linear-size proofs, and does not support compression via recursion |
-| `composite_prover`         |                           | Fastest option producing linear-size proofs, and supports compression via recursion                                                                 |
-| `groth16_prover`           |                           | Generates groth16 proofs(requires x86_64 machines)                                                                              |
 | `nif`                      |                           | Enables Erlang/Elixir NIF (Native Implemented Function) bindings                                                                |
 | `aggregation_circuit`      |                           | A specific feature for (pcd-based) aggregation circuits |
-| `aggregation`              | `aggregation_circuit`, `transaction`       | Enables proof aggregation (with constant-sized proofs by default) |
-|`fast_aggregation`          | `aggregation`               | Faster aggregation with linear-sized proofs without compression
-|`groth16_aggregation`       | `aggregation`               | Generates groth16 aggregation proofs (requires x86_64 machines)
-
+| `aggregation`              | `aggregation_circuit`, `transaction`       | Enables proof aggregation (only succinct proofs can be aggregated) |
 
 ### Usage Examples
 
 ```toml
-# Default configuration (succinct proofs + transaction support)
+# Default configuration
 arm = "0.12.0"
 
-# Blockchain deployment with Groth16 proofs
-arm = { version = "0.12.0", default-features = false, features = ["groth16_prover", "transaction"] }
-
 # Proof aggregation (a single succinct proof per transaction)
 arm = { version = "0.12.0", features = ["aggregation"] }
 
-# Blockchain deployment with a Groth16 aggregation proof
-arm = { version = "0.12.0", features = ["groth16_aggregation"] }
-
 # Logic-circuit-only usage
 arm = { version = "0.12.0", default-features = false }
 
@@ -137,36 +125,38 @@ cargo install --force --git https://github.com/risc0/risc0 --tag v3.0.3 -Fexperi
 ```
 
 ## Proof aggregation
-If a single transaction bundles too many resources, it is possible to aggregate all compliance and logic proofs into a single aggregation proof, attesting to the validity of them all. This reduces overall verification time and transaction size. 
+If a single transaction bundles too many resources, it is possible to aggregate all compliance and logic proofs into a single aggregation proof, attesting to the validity of them all. This reduces overall verification time and transaction size.
 
 ### Before aggregation
- Generate the transaction in the normal way in your workflow. But note that succinct proofs will yield faster aggregation. 
+ Generate the transaction in the normal way in your workflow. But note that succinct proofs will yield faster aggregation.
 
- **Warning:** Bonsai does not support in-circuit verification of Groth16 proofs. You would need to generate succinct compliance and logic proofs instead.
+ **Warning:** It does not support in-circuit verification of Groth16 proofs. You would need to generate succinct compliance and logic proofs instead.
 
 
 ### Prove aggregations
-You need to enable the `aggregation` feature to be able to prove or verify aggregations. 
+You need to enable the `aggregation` feature to be able to prove or verify aggregations.
 
-The type of the aggregation proof is selected via a feature. It defaults to succinct stark proofs. For on-chain verification, you probably want to aggregate with the `groth16_aggregation` feature enabled. See the features table above for more information.
+The aggregation proof type is specified by the ProofType argument. The inner proofs must be Succinct.
 
 We currently support two different aggregation strategies. The _batch_ strategy aggregates all proofs in the transaction in a single run. It is the default aggregation.
 
 ```rust
 use arm::transaction;
 
-let mut tx = generate_test_transaction(1); // Just a dummy tx, for illustration.
+// Just a dummy tx, for illustration. The inner proofs must be Succinct.
+let mut tx = generate_test_transaction(1, 1, ProofType::Succinct);
 
 // Upon succesful aggregation, compliance and resource logic proofs are erased.
-assert!(tx.aggregate().is_ok());
+// The aggregated proof_type can be ProofType::Succinct or ProofType::Groth16
+assert!(tx.aggregate(proof_type).is_ok());
 ```
 
 The _sequential_ strategy aggregates sequentially, in an IVC style.
 
 ```rust
 use arm::aggregation::AggregationStrategy;
 
-assert!(tx.aggregate_with_strategy(AggregationStrategy::Sequential).is_ok());
+assert!(tx.aggregate_with_strategy(AggregationStrategy::Sequential, proof_type).is_ok());
 ```
 
 **Warning:** Once again, aggregation erases all the individual proofs from `tx` and replaces them with the (single) aggregation proof in a dedicated field. This is why the transaction must be `mut`. This is true independently of the strategy used.

arm/Cargo.toml

@@ -28,14 +28,9 @@ slab = "0.4.11"
 default = ["transaction", "prove"]
 transaction = ["compliance_circuit", "dep:sha3"]
 compliance_circuit = []
-fast_prover = []
-composite_prover = []
-groth16_prover = []
 nif = ["dep:rustler"]
 prove = ["risc0-zkvm/prove"]
 bonsai = ["risc0-zkvm/bonsai"]
 cuda = ["risc0-zkvm/cuda"]
 aggregation = ["aggregation_circuit","transaction"]
 aggregation_circuit = []
-fast_aggregation = ["aggregation"]
-groth16_aggregation = ["aggregation"]

arm/src/aggregation/batch.rs

@@ -9,6 +9,7 @@ use crate::aggregation::{
 use crate::compliance::ComplianceInstanceWords;
 use crate::constants::COMPLIANCE_VK;
 use crate::error::ArmError;
+use crate::proving_system::ProofType;
 use crate::transaction::Transaction;
 use crate::utils::{bytes_to_words, words_to_bytes};
 
@@ -19,7 +20,10 @@ pub struct BatchProof(pub InnerReceipt);
 pub struct BatchAggregation;
 
 impl BatchAggregation {
-    pub fn prove_transaction_aggregation(tx: &Transaction) -> Result<BatchProof, ArmError> {
+    pub fn prove_transaction_aggregation(
+        tx: &Transaction,
+        proof_type: ProofType,
+    ) -> Result<BatchProof, ArmError> {
         // Collect instances, proofs, and keys.
         let BatchCU {
             instances: cu_instances,
@@ -74,17 +78,14 @@ impl BatchAggregation {
             .build()
             .map_err(|_| ArmError::BuildProverEnvFailed)?;
 
-        #[cfg(feature = "fast_aggregation")]
-        let prover_opts = ProverOpts::fast();
-
-        #[cfg(all(not(feature = "fast_aggregation"), feature = "groth16_aggregation"))]
-        let prover_opts = ProverOpts::groth16();
-
-        #[cfg(all(
-            not(feature = "fast_aggregation"),
-            not(feature = "groth16_aggregation")
-        ))]
-        let prover_opts = ProverOpts::succinct();
+        let prover_opts = match proof_type {
+            ProofType::Succinct => {
+                ProverOpts::succinct() // Succinct receipts, constant size.
+            }
+            ProofType::Groth16 => {
+                ProverOpts::groth16() // Groth16 receipts, constant size, blockchain-friendly.
+            }
+        };
 
         let prover = default_prover();
 

arm/src/aggregation/pcd.rs

@@ -2,6 +2,7 @@ use crate::aggregation::{BatchCU, BatchLP};
 use crate::constants::COMPLIANCE_VK;
 use crate::error::ArmError;
 use crate::proving_system;
+use crate::proving_system::ProofType;
 use crate::utils::words_to_bytes;
 use crate::{compliance::ComplianceInstance, logic_instance::LogicInstance};
 use risc0_zkvm::{
@@ -58,6 +59,7 @@ pub trait PCDAggregation {
         step_instance: &StepInstance,
         step_proof: &StepProof,
         output_node: bool,
+        proof_type: ProofType,
     ) -> Result<PcdProof, ArmError> {
         // Sanity check
         if input_aggregations.len() != <Self as PCDAggregation>::INPUT_ARITY {
@@ -110,22 +112,13 @@ pub trait PCDAggregation {
 
         // If not an output node, prove fast.
         let prover_opts = if output_node {
-            #[cfg(feature = "fast_aggregation")]
-            {
-                ProverOpts::fast()
-            }
-
-            #[cfg(all(not(feature = "fast_aggregation"), feature = "groth16_aggregation"))]
-            {
-                ProverOpts::groth16()
-            }
-
-            #[cfg(all(
-                not(feature = "fast_aggregation"),
-                not(feature = "groth16_aggregation")
-            ))]
-            {
-                ProverOpts::succinct()
+            match proof_type {
+                ProofType::Succinct => {
+                    ProverOpts::succinct() // Succinct receipts, constant size.
+                }
+                ProofType::Groth16 => {
+                    ProverOpts::groth16() // Groth16 receipts, constant size, blockchain-friendly.
+                }
             }
         } else {
             ProverOpts::fast()

arm/src/aggregation/sequential.rs

@@ -3,6 +3,7 @@ use risc0_zkvm::Digest;
 use crate::{
     aggregation::constants::{SEQUENTIAL_AGGREGATION_PK, SEQUENTIAL_AGGREGATION_VK},
     error::ArmError,
+    proving_system::ProofType,
     transaction::Transaction,
 };
 
@@ -29,6 +30,7 @@ impl SequentialAggregation {
     pub fn prove_transcript_aggregation(
         instances: &[StepInstance],
         proofs: &[StepProof],
+        proof_type: ProofType,
     ) -> Result<PcdProof, ArmError> {
         if instances.len() != proofs.len() {
             // Can't aggregate.
@@ -46,6 +48,7 @@ impl SequentialAggregation {
                 instance,
                 proof,
                 pos == instances.len() - 1,
+                proof_type,
             )?;
 
             agg = <SequentialAggregation as PCDAggregation>::aggregate_step(&[agg], instance);
@@ -57,9 +60,12 @@ impl SequentialAggregation {
     }
 
     /// Prove correctness of the transcript induced by a transaction.
-    pub fn prove_transaction_aggregation(tx: &Transaction) -> Result<PcdProof, ArmError> {
+    pub fn prove_transaction_aggregation(
+        tx: &Transaction,
+        proof_type: ProofType,
+    ) -> Result<PcdProof, ArmError> {
         if let (instances, Some(proofs)) = &SequentialAggregation::transaction_transcript(tx)? {
-            SequentialAggregation::prove_transcript_aggregation(instances, proofs)
+            SequentialAggregation::prove_transcript_aggregation(instances, proofs, proof_type)
         } else {
             Err(ArmError::ProveFailed(
                 "Error deriving transcript for proving (individual instances and proofs)".into(),

arm/src/compliance_unit.rs

@@ -8,7 +8,11 @@ use k256::ProjectivePoint;
 use serde::{Deserialize, Serialize};
 
 #[cfg(feature = "prove")]
-use crate::{compliance::ComplianceWitness, constants::COMPLIANCE_PK, proving_system::prove};
+use crate::{
+    compliance::ComplianceWitness,
+    constants::COMPLIANCE_PK,
+    proving_system::{prove, ProofType},
+};
 
 #[derive(Clone, Debug, Deserialize, Serialize)]
 pub struct ComplianceUnit {
@@ -21,8 +25,8 @@ impl ComplianceUnit {
     // Proving key and verifying key are constants, so we don't need to pass
     // them as parameters. Instance is generated by proving.
     #[cfg(feature = "prove")]
-    pub fn create(witness: &ComplianceWitness) -> Result<Self, ArmError> {
-        let (proof, instance) = prove(COMPLIANCE_PK, witness)?;
+    pub fn create(witness: &ComplianceWitness, proof_type: ProofType) -> Result<Self, ArmError> {
+        let (proof, instance) = prove(COMPLIANCE_PK, witness, proof_type)?;
         Ok(ComplianceUnit {
             proof: Some(proof),
             instance,

arm/src/logic_proof.rs

@@ -16,7 +16,7 @@ use risc0_zkvm::{serde::to_vec, sha::Digest};
 use serde::{Deserialize, Serialize};
 
 #[cfg(feature = "prove")]
-use crate::proving_system::prove;
+use crate::proving_system::{prove, ProofType};
 
 pub trait LogicProver: Default + Clone + Serialize + for<'de> Deserialize<'de> {
     type Witness: Default + Clone + Serialize + for<'de> Deserialize<'de>;
@@ -32,8 +32,8 @@ pub trait LogicProver: Default + Clone + Serialize + for<'de> Deserialize<'de> {
     fn witness(&self) -> &Self::Witness;
 
     #[cfg(feature = "prove")]
-    fn prove(&self) -> Result<LogicVerifier, ArmError> {
-        let (proof, instance) = prove(Self::proving_key(), self.witness())?;
+    fn prove(&self, proof_type: ProofType) -> Result<LogicVerifier, ArmError> {
+        let (proof, instance) = prove(Self::proving_key(), self.witness(), proof_type)?;
         Ok(LogicVerifier {
             proof: Some(proof),
             instance,
@@ -198,6 +198,6 @@ impl LogicProver for TrivialLogicWitness {
 #[test]
 fn test_padding_logic_prover() {
     let trivial_logic = PaddingResourceLogic::default();
-    let proof = trivial_logic.prove().unwrap();
+    let proof = trivial_logic.prove(ProofType::Succinct).unwrap();
     proof.verify().unwrap();
 }

arm/src/proving_system.rs

@@ -7,13 +7,20 @@ use risc0_zkvm::{default_prover, ExecutorEnv, ProverOpts, VerifierContext};
 #[cfg(feature = "prove")]
 use serde::Serialize;
 
+#[derive(Debug, Clone, Copy)]
+pub enum ProofType {
+    Succinct,
+    Groth16,
+}
+
 // It takes a proving key and a witness, and returns the proof and the instance
 #[cfg(feature = "prove")]
 pub fn prove<T: Serialize>(
     proving_key: &[u8],
     witness: &T,
+    proof_type: ProofType,
 ) -> Result<(Vec<u8>, Vec<u8>), ArmError> {
-    let receipt = prove_inner(witness, proving_key)?;
+    let receipt = prove_inner(witness, proving_key, proof_type)?;
 
     let proof = bincode::serialize(&receipt.inner).map_err(|_| ArmError::SerializationError)?;
     let instance = receipt.journal.bytes;
@@ -57,33 +64,25 @@ pub fn encode_seal(proof: &[u8]) -> Result<Vec<u8>, ArmError> {
 }
 
 #[cfg(feature = "prove")]
-fn prove_inner<T: Serialize>(witness: &T, proving_key: &[u8]) -> Result<Receipt, ArmError> {
+fn prove_inner<T: Serialize>(
+    witness: &T,
+    proving_key: &[u8],
+    proof_type: ProofType,
+) -> Result<Receipt, ArmError> {
     let env = ExecutorEnv::builder()
         .write(witness)
         .map_err(|_| ArmError::WriteWitnessFailed)?
         .build()
         .map_err(|_| ArmError::BuildProverEnvFailed)?;
 
-    #[cfg(feature = "fast_prover")]
-    let prover_opts = ProverOpts::fast(); // Fastest, linear size, no recursion.
-
-    #[cfg(all(not(feature = "fast_prover"), feature = "composite_prover"))]
-    let prover_opts = ProverOpts::composite(); // Composite receipts, linear size, supports recursion.
-
-    #[cfg(all(
-        not(feature = "fast_prover"),
-        not(feature = "composite_prover"),
-        feature = "groth16_prover"
-    ))]
-    let prover_opts = ProverOpts::groth16(); // Groth16 receipts, constant size, blockchain-friendly.
-
-    // If no specific prover feature is enabled, default to succinct prover.
-    #[cfg(all(
-        not(feature = "fast_prover"),
-        not(feature = "composite_prover"),
-        not(feature = "groth16_prover")
-    ))]
-    let prover_opts = ProverOpts::succinct(); // Succinct receipts, constant size.
+    let prover_opts = match proof_type {
+        ProofType::Succinct => {
+            ProverOpts::succinct() // Succinct receipts, constant size.
+        }
+        ProofType::Groth16 => {
+            ProverOpts::groth16() // Groth16 receipts, constant size, blockchain-friendly.
+        }
+    };
 
     let prove_info = default_prover()
         .prove_with_ctx(env, &VerifierContext::default(), proving_key, &prover_opts)