Merge branch 'main' into dev-avx2

Author: dloghin

Diff for: .github/CODEOWNERS

@@ -1 +1 @@
-* @muursh @wborgeaud @Nashtare
+* @muursh @wborgeaud @Nashtare @LindaGuiga

Diff for: CHANGELOG.md

@@ -7,8 +7,41 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.0.0] - 2024-11-25
+
+### Changed
+- Unified Recursion Circuit for Multi-Degree Starky Proof Verification ([#1635](https://github.com/0xPolygonZero/plonky2/pull/1635))
+- Fix `DummyProofGenerator` serialization ([#1634](https://github.com/0xPolygonZero/plonky2/pull/1634))
+- Refactor CTL Handling ([#1629](https://github.com/0xPolygonZero/plonky2/pull/1629))
+- Added serialize and deserialize to starky proofs ([#1630](https://github.com/0xPolygonZero/plonky2/pull/1630))
+- changed to web-time in circuit_builder ([#1624](https://github.com/0xPolygonZero/plonky2/pull/1624))
+- Fix example and documentation rendering ([#1614](https://github.com/0xPolygonZero/plonky2/pull/1614))
+- Add `connect_array` convenience method in `CircuitBuilder` ([#1620](https://github.com/0xPolygonZero/plonky2/pull/1620))
+- chore: remove compressed StarkProof variant ([#1618](https://github.com/0xPolygonZero/plonky2/pull/1618))
+- Do not panic on `wire set twice` or `generator not run` issues ([#1611](https://github.com/0xPolygonZero/plonky2/pull/1611))
+- Add Support for Batch STARKs with Proving, Verification, and Recursion ([#1600](https://github.com/0xPolygonZero/plonky2/pull/1600))
+- chore: fix clippy ([#1609](https://github.com/0xPolygonZero/plonky2/pull/1609))
+- fix(starky): observe public inputs ([#1607](https://github.com/0xPolygonZero/plonky2/pull/1607))
+- ci: add PR check job ([#1604](https://github.com/0xPolygonZero/plonky2/pull/1604))
+- Add `Field::shifted_powers` and some iterator niceties ([#1599](https://github.com/0xPolygonZero/plonky2/pull/1599))
+- fix(field): Re-enable `alloc` for tests ([#1601](https://github.com/0xPolygonZero/plonky2/pull/1601))
+- Add row index to constraint failure message ([#1598](https://github.com/0xPolygonZero/plonky2/pull/1598))
+- doc: clarify that `zk` is disabled with `starky` ([#1596](https://github.com/0xPolygonZero/plonky2/pull/1596))
+- Allow multiple `extra_looking_sums` for the same looked table ([#1591](https://github.com/0xPolygonZero/plonky2/pull/1591))
+- Fix CTL generation of last row ([#1585](https://github.com/0xPolygonZero/plonky2/pull/1585))
+- change `set_stark_proof_target`'s witness to `WitnessWrite` ([#1592](https://github.com/0xPolygonZero/plonky2/pull/1592))
+- doc+fix: `clippy::doc-lazy-continuation` ([#1594](https://github.com/0xPolygonZero/plonky2/pull/1594))
+- fix: remove clippy unexpected_cfgs warning ([#1588](https://github.com/0xPolygonZero/plonky2/pull/1588))
+- Changes to prepare for dummy segment removal in zk_evm's continuations ([#1587](https://github.com/0xPolygonZero/plonky2/pull/1587))
+- update 2-adic generator to `0x64fdd1a46201e246` ([#1579](https://github.com/0xPolygonZero/plonky2/pull/1579))
+- Fix `verify_cross_table_lookups` with no `ctl_extra_looking_sums` ([#1584](https://github.com/0xPolygonZero/plonky2/pull/1584))
+- Remove restriction to binary-only multiplicities ([#1577](https://github.com/0xPolygonZero/plonky2/pull/1577))
+- Remove obsolete function `ceil_div_usize` ([#1574](https://github.com/0xPolygonZero/plonky2/pull/1574))
+
+
 ## [0.2.3] - 2024-04-16
 
+### Changed
 - Code refactoring ([#1558](https://github.com/0xPolygonZero/plonky2/pull/1558))
 - Simplify types: remove option from CTL filters ([#1567](https://github.com/0xPolygonZero/plonky2/pull/1567))
 - Add stdarch_x86_avx512 feature ([#1566](https://github.com/0xPolygonZero/plonky2/pull/1566))

Diff for: LICENSE-APACHE

@@ -186,7 +186,7 @@ APPENDIX: How to apply the Apache License to your work.
    same "printed page" as the copyright notice for easier
    identification within third-party archives.
 
-Copyright [yyyy] [name of copyright owner]
+Copyright [2022-2025] The Plonky2 Authors
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

Diff for: LICENSE-MIT

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2022 The Plonky2 Authors
+Copyright (c) 2022-2025 The Plonky2 Authors
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

Diff for: README.md

@@ -84,7 +84,10 @@ at your option.
 
 ## Security
 
-This code has not yet been audited, and should not be used in any production systems.
+This code has been audited prior to the `v1.0.0` release. The audits reports and findings are available in the [audits](./audits/) folder of this repository.
+An audited codebase isn't necessarily free of bugs and security exploits, hence we recommend care when using `plonky2` in production settings.
+
+If you find a security issue in the codebase, please refer to our [Security guidelines](./SECURITY.md) for private disclosure.
 
 While Plonky2 is configurable, its defaults generally target 100 bits of security. The default FRI configuration targets 100 bits of *conjectured* security based on the conjecture in [ethSTARK](https://eprint.iacr.org/2021/582).
 
@@ -93,12 +96,7 @@ Plonky2's default hash function is Poseidon, configured with 8 full rounds, 22 p
 
 ## Links
 
-#### Actively maintained
-
 - [Polygon Zero's zkEVM](https://github.com/0xPolygonZero/zk_evm), an efficient Type 1 zkEVM built on top of Starky and plonky2
-
-#### No longer maintained
-
 - [System Zero](https://github.com/0xPolygonZero/system-zero), a zkVM built on top of Starky
 - [Waksman](https://github.com/0xPolygonZero/plonky2-waksman), Plonky2 gadgets for permutation checking using Waksman networks
 - [Insertion](https://github.com/0xPolygonZero/plonky2-insertion), Plonky2 gadgets for insertion into a list

Diff for: SECURITY.md

@@ -1,5 +1,11 @@
 # Polygon Technology Security Information
 
+For findings related to plonky2 repository, please contact us with relevant information privately 
+through our security contact details: [email protected].
+
+Depending on the severity of the findings, the team may reserve the rights to keep the information private
+while addressing it internally, and disclose it along a new release after having informed relevant parties.
+
 ## Link to vulnerability disclosure details (Bug Bounty).
 - Websites and Applications: https://hackerone.com/polygon-technology
 - Smart Contracts: https://immunefi.com/bounty/polygon

Diff for: field/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "plonky2_field"
 description = "Finite field arithmetic"
-version = "0.2.2"
+version = "1.0.0"
 authors = ["Daniel Lubarov <[email protected]>", "William Borgeaud <[email protected]>", "Jacqueline Nabaglo <[email protected]>", "Hamish Ivey-Law <[email protected]>"]
 edition.workspace = true
 license.workspace = true
@@ -20,7 +20,7 @@ static_assertions = { workspace = true }
 unroll = { workspace = true }
 
 # Local dependencies
-plonky2_util = { version = "0.2.0", path = "../util", default-features = false }
+plonky2_util = { version = "1.0.0", path = "../util", default-features = false }
 
 
 # Display math equations properly in documentation

Diff for: field/src/fft.rs

@@ -222,7 +222,7 @@ mod tests {
         // "random", the last degree_padded-degree of them are zero.
         let coeffs = (0..degree)
             .map(|i| F::from_canonical_usize(i * 1337 % 100))
-            .chain(core::iter::repeat(F::ZERO).take(degree_padded - degree))
+            .chain(core::iter::repeat_n(F::ZERO, degree_padded - degree))
             .collect::<Vec<_>>();
         assert_eq!(coeffs.len(), degree_padded);
         let coefficients = PolynomialCoeffs { coeffs };

Diff for: field/src/prime_field_testing.rs

@@ -160,7 +160,7 @@ macro_rules! test_prime_field_arithmetic {
             fn subtraction_double_wraparound() {
                 type F = $field;
 
-                let (a, b) = (F::from_canonical_u64((F::ORDER + 1u64) / 2u64), F::TWO);
+                let (a, b) = (F::from_canonical_u64(F::ORDER.div_ceil(2u64)), F::TWO);
                 let x = a * b;
                 assert_eq!(x, F::ONE);
                 assert_eq!(F::ZERO - x, F::NEG_ONE);

Diff for: field/src/types.rs

@@ -369,7 +369,7 @@ pub trait Field:
         let mut product = Self::ONE;
 
         for j in 0..bits_u64(power) {
-            if (power >> j & 1) != 0 {
+            if ((power >> j) & 1) != 0 {
                 product *= current;
             }
             current = current.square();

Diff for: maybe_rayon/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "plonky2_maybe_rayon"
 description = "Feature-gated wrapper around rayon"
-version = "0.2.0"
+version = "1.0.0"
 edition.workspace = true
 license.workspace = true
 homepage.workspace = true

Diff for: plonky2/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "plonky2"
 description = "Recursive SNARKs based on PLONK and FRI"
-version = "0.2.2"
+version = "1.0.2"
 authors = ["Daniel Lubarov <[email protected]>", "William Borgeaud <[email protected]>", "Nicholas Ward <[email protected]>"]
 readme = "README.md"
 edition.workspace = true
@@ -34,9 +34,9 @@ unroll = { workspace = true }
 web-time = { version = "1.0.0", optional = true }
 
 # Local dependencies
-plonky2_field = { version = "0.2.2", path = "../field", default-features = false }
-plonky2_maybe_rayon = { version = "0.2.0", path = "../maybe_rayon", default-features = false }
-plonky2_util = { version = "0.2.0", path = "../util", default-features = false }
+plonky2_field = { version = "1.0.0", path = "../field", default-features = false }
+plonky2_maybe_rayon = { version = "1.0.0", path = "../maybe_rayon", default-features = false }
+plonky2_util = { version = "1.0.0", path = "../util", default-features = false }
 
 
 [target.'cfg(all(target_arch = "wasm32", target_os = "unknown"))'.dependencies]

Diff for: plonky2/src/batch_fri/oracle.rs

@@ -450,6 +450,8 @@ mod test {
             proof.pow_witness,
             k0,
             &fri_params.config,
+            None,
+            None,
         );
         let degree_bits = [k0, k1, k2];
         let merkle_cap = trace_oracle.batch_merkle_tree.cap;

Diff for: plonky2/src/batch_fri/prover.rs

@@ -318,6 +318,8 @@ mod tests {
             proof.pow_witness,
             k,
             &fri_params.config,
+            None,
+            None,
         );
 
         let fri_opening_batch = FriOpeningBatch {
@@ -440,6 +442,8 @@ mod tests {
             proof.pow_witness,
             k0,
             &fri_params.config,
+            None,
+            None,
         );
         let fri_opening_batch_0 = FriOpenings {
             batches: vec![FriOpeningBatch {

Diff for: plonky2/src/fri/challenges.rs

@@ -1,10 +1,14 @@
+#[cfg(not(feature = "std"))]
+use alloc::vec;
+
 use crate::field::extension::Extendable;
 use crate::field::polynomial::PolynomialCoeffs;
+use crate::field::types::Field;
 use crate::fri::proof::{FriChallenges, FriChallengesTarget};
 use crate::fri::structure::{FriOpenings, FriOpeningsTarget};
 use crate::fri::FriConfig;
 use crate::gadgets::polynomial::PolynomialCoeffsExtTarget;
-use crate::hash::hash_types::{MerkleCapTarget, RichField};
+use crate::hash::hash_types::{MerkleCapTarget, RichField, NUM_HASH_OUT_ELTS};
 use crate::hash::merkle_tree::MerkleCap;
 use crate::iop::challenger::{Challenger, RecursiveChallenger};
 use crate::iop::target::Target;
@@ -28,6 +32,8 @@ impl<F: RichField, H: Hasher<F>> Challenger<F, H> {
         pow_witness: F,
         degree_bits: usize,
         config: &FriConfig,
+        final_poly_coeff_len: Option<usize>,
+        max_num_query_steps: Option<usize>,
     ) -> FriChallenges<F, D>
     where
         F: RichField + Extendable<D>,
@@ -46,7 +52,26 @@ impl<F: RichField, H: Hasher<F>> Challenger<F, H> {
             })
             .collect();
 
+        // When this proof was generated in a circuit with a different number of query steps,
+        // the challenger needs to observe the additional hash caps.
+        if let Some(step_count) = max_num_query_steps {
+            let cap_len = (1 << config.cap_height) * NUM_HASH_OUT_ELTS;
+            let zero_cap = vec![F::ZERO; cap_len];
+            for _ in commit_phase_merkle_caps.len()..step_count {
+                self.observe_elements(&zero_cap);
+                self.get_extension_challenge::<D>();
+            }
+        }
+
         self.observe_extension_elements(&final_poly.coeffs);
+        // When this proof was generated in a circuit with a different final polynomial length,
+        // the challenger needs to observe the full length of the final polynomial.
+        if let Some(len) = final_poly_coeff_len {
+            let current_len = final_poly.coeffs.len();
+            for _ in current_len..len {
+                self.observe_extension_element(&F::Extension::ZERO);
+            }
+        }
 
         self.observe_element(pow_witness);
         let fri_pow_response = self.get_challenge();

Diff for: plonky2/src/fri/oracle.rs

@@ -178,6 +178,8 @@ impl<F: RichField + Extendable<D>, C: GenericConfig<D, F = F>, const D: usize>
         oracles: &[&Self],
         challenger: &mut Challenger<F, C::Hasher>,
         fri_params: &FriParams,
+        final_poly_coeff_len: Option<usize>,
+        max_num_query_steps: Option<usize>,
         timing: &mut TimingTree,
     ) -> FriProof<F, C::Hasher, D> {
         assert!(D > 1, "Not implemented for D=1.");
@@ -226,6 +228,8 @@ impl<F: RichField + Extendable<D>, C: GenericConfig<D, F = F>, const D: usize>
             lde_final_values,
             challenger,
             fri_params,
+            final_poly_coeff_len,
+            max_num_query_steps,
             timing,
         );
 

Diff for: plonky2/src/fri/prover.rs

@@ -1,13 +1,16 @@
 #[cfg(not(feature = "std"))]
+use alloc::vec;
+#[cfg(not(feature = "std"))]
 use alloc::vec::Vec;
 
+use plonky2_field::types::Field;
 use plonky2_maybe_rayon::*;
 
 use crate::field::extension::{flatten, unflatten, Extendable};
 use crate::field::polynomial::{PolynomialCoeffs, PolynomialValues};
 use crate::fri::proof::{FriInitialTreeProof, FriProof, FriQueryRound, FriQueryStep};
 use crate::fri::{FriConfig, FriParams};
-use crate::hash::hash_types::RichField;
+use crate::hash::hash_types::{RichField, NUM_HASH_OUT_ELTS};
 use crate::hash::hashing::PlonkyPermutation;
 use crate::hash::merkle_tree::MerkleTree;
 use crate::iop::challenger::Challenger;
@@ -26,6 +29,8 @@ pub fn fri_proof<F: RichField + Extendable<D>, C: GenericConfig<D, F = F>, const
     lde_polynomial_values: PolynomialValues<F::Extension>,
     challenger: &mut Challenger<F, C::Hasher>,
     fri_params: &FriParams,
+    final_poly_coeff_len: Option<usize>,
+    max_num_query_steps: Option<usize>,
     timing: &mut TimingTree,
 ) -> FriProof<F, C::Hasher, D> {
     let n = lde_polynomial_values.len();
@@ -40,6 +45,8 @@ pub fn fri_proof<F: RichField + Extendable<D>, C: GenericConfig<D, F = F>, const
             lde_polynomial_values,
             challenger,
             fri_params,
+            final_poly_coeff_len,
+            max_num_query_steps,
         )
     );
 
@@ -67,11 +74,20 @@ pub(crate) type FriCommitedTrees<F, C, const D: usize> = (
     PolynomialCoeffs<<F as Extendable<D>>::Extension>,
 );
 
+pub fn final_poly_coeff_len(mut degree_bits: usize, reduction_arity_bits: &Vec<usize>) -> usize {
+    for arity_bits in reduction_arity_bits {
+        degree_bits -= *arity_bits;
+    }
+    1 << degree_bits
+}
+
 fn fri_committed_trees<F: RichField + Extendable<D>, C: GenericConfig<D, F = F>, const D: usize>(
     mut coeffs: PolynomialCoeffs<F::Extension>,
     mut values: PolynomialValues<F::Extension>,
     challenger: &mut Challenger<F, C::Hasher>,
     fri_params: &FriParams,
+    final_poly_coeff_len: Option<usize>,
+    max_num_query_steps: Option<usize>,
 ) -> FriCommitedTrees<F, C, D> {
     let mut trees = Vec::with_capacity(fri_params.reduction_arity_bits.len());
 
@@ -103,12 +119,33 @@ fn fri_committed_trees<F: RichField + Extendable<D>, C: GenericConfig<D, F = F>,
         values = coeffs.coset_fft(shift.into())
     }
 
+    // When verifying this proof in a circuit with a different number of query steps,
+    // we need the challenger to stay in sync with the verifier. Therefore, the challenger
+    // must observe the additional hash caps and generate dummy challenges.
+    if let Some(step_count) = max_num_query_steps {
+        let cap_len = (1 << fri_params.config.cap_height) * NUM_HASH_OUT_ELTS;
+        let zero_cap = vec![F::ZERO; cap_len];
+        for _ in fri_params.reduction_arity_bits.len()..step_count {
+            challenger.observe_elements(&zero_cap);
+            challenger.get_extension_challenge::<D>();
+        }
+    }
+
     // The coefficients being removed here should always be zero.
     coeffs
         .coeffs
         .truncate(coeffs.len() >> fri_params.config.rate_bits);
 
     challenger.observe_extension_elements(&coeffs.coeffs);
+    // When verifying this proof in a circuit with a different final polynomial length,
+    // the challenger needs to observe the full length of the final polynomial.
+    if let Some(len) = final_poly_coeff_len {
+        let current_len = coeffs.coeffs.len();
+        for _ in current_len..len {
+            challenger.observe_extension_element(&F::Extension::ZERO);
+        }
+    }
+
     (trees, coeffs)
 }