Add spartan zkSNARK with Zeromorph PCS by nicole-graus · Pull Request #1193 · lambdaclass/lambdaworks

nicole-graus · 2026-03-11T20:10:10Z

Add spartan zkSNARK with Zeromorph PCS

Description

Spartan is a zkSNARK that proves R1CS satisfiability using two rounds of the Sumcheck Protocol and a multilinear PCS, with $O(n)$ prover work and no per-circuit trusted setup.

This PR adds a full implementation of Spartan with a Zeromorph PCS backend backed by BLS12-381 KZG. You can find this implementation in crates/provers/spartan.

Protocol:

Prover draws $\tau$ from transcript and runs an outer sumcheck on $\sum_x \widetilde{eq}(\tau,x)(v_A v_B - v_C) = 0$.
Prover batches $\tilde{A}, \tilde{B}, \tilde{C}$ with random scalars and runs an inner sumcheck reducing to a single witness evaluation $\tilde{z}(r_y)$.
Prover opens $\tilde{z}$ at $r_y$ using Zeromorph, which commits the witness as a univariate KZG polynomial and produces quotient commitments for each variable.

How to Test

cargo test -p lambdaworks-spartan

Type of change

New feature

…end-to-end

github-actions · 2026-03-11T20:10:54Z

Kimi AI Review

The PR diff introduces a new crate, spartan, which implements the Spartan zero-knowledge proof system for R1CS satisfiability. The changes include adding the crate to Cargo.toml, updating README.md with documentation and usage examples, and implementing the core functionality in Rust. Below are the findings from the review:

`Cargo.toml`

Added dependency: The new crate spartan is added to the workspace members list and as a dependency with a path. This is correct and necessary for including the new crate in the project.

`README.md`

Documentation: The README.md updates are appropriate, providing an overview of the Spartan prover, its features, and usage examples. The addition of Spartan to the list of provers and the explanation of its properties are well-structured and informative.

`crates/provers/spartan/`

`Cargo.toml`

New file: The Cargo.toml file is correctly set up for the new spartan crate, including dependencies on thiserror, lambdaworks-math, and lambdaworks-crypto.

`README.md`

Documentation: The README provides a detailed explanation of the Spartan protocol, its features, and API usage examples. The information is comprehensive and aligns with the implementation.

`src/`

`errors.rs`

Error handling: The custom error enum SpartanError is well-defined, covering potential error cases in R1CS, MLE encoding, sumcheck, and PCS operations. This is crucial for robust error handling in the library.

`lib.rs`

Public API: The public API provides convenience functions spartan_prove and spartan_verify, which abstract away the complexity of the underlying prover and verifier implementations. This is a good design choice for usability.
Transcript handling: The use of DefaultTranscript for Fiat-Shamir heuristic is appropriate. Ensuring that the transcript is used consistently between the prover and verifier is essential for protocol security.

`mle.rs`

Multilinear extension utilities: The functions for encoding witnesses and matrices as multilinear polynomials, computing the equality polynomial, and matrix-vector product MLEs are correctly implemented. These utilities are fundamental to the Spartan protocol.

`pcs/`

Trait IsMultilinearPCS: The trait defines the interface for polynomial commitment schemes, including commit, open, and verify operations. This abstraction allows for different PCS implementations, such as the provided TrivialPCS and ZeromorphPCS.
TrivialPCS: The trivial implementation serves as a non-hiding, non-succinct PCS for testing purposes. It is correctly implemented and documented.
ZeromorphPCS: The ZeromorphPCS implementation reduces multilinear evaluations to univariate KZG openings, following the Zeromorph protocol. The implementation appears to be correct, with proper handling of quotient polynomials and challenges.

`prover.rs`

Spartan prover implementation: The prover follows the Spartan protocol steps, including committing to the witness, running sumchecks, and opening the witness polynomial at the required points. The use of Fiat-Shamir challenges and transcript interactions is correctly handled.

`r1cs.rs`

R1CS structure and validation: The R1CS structure is well-defined, with validation ensuring consistent dimensions and non-empty constraints. The is_satisfied method correctly checks if a given witness satisfies the R1CS constraints.

`transcript.rs`

Transcript helpers: The functions for appending R1CS instances, public inputs, and drawing challenges are correctly implemented. These helpers ensure that the Fiat-Shamir heuristic is applied consistently between the prover and verifier.

Overall

The PR introduces a well-structured and documented implementation of the Spartan zero-knowledge proof system. The code is clear, follows best practices for Rust development, and adheres to cryptographic standards. The use of traits, modular design, and comprehensive error handling contribute to the maintainability and extensibility of the code.

The only minor suggestion is to consider adding more detailed documentation comments within the code, especially for complex functions and algorithms, to aid future maintainers in understanding the implementation details.

github-actions

Code review by ChatGPT

github-actions · 2026-03-11T20:13:05Z

+lambdaworks-spartan = { path = "./crates/provers/spartan" }
 lambdaworks-winterfell-adapter = { path = "./crates/provers/winterfell_adapter" }
 stark-platinum-prover = { path = "./crates/provers/stark" }
 iai-callgrind = "0.3.1"


Code Review Comments

Correctness:

The provided diff only shows the addition of a new member crates/provers/spartan in the dependency section. Ensure any new mathematical implementations introduced in the spartan package follow the correct protocols for handling edge cases like zero or infinity. Without the actual code changes, it's essential to verify that these are handled correctly.

Security:

Again, while the changes here do not directly relate to any operations, if the spartan crate handles cryptographic computations, it is vital to ensure no timing side-channels, proper zeroization of secrets, and secure randomness usage. This should be verified in the implementation of the spartan crate.

Ensure that there is no secret-dependent branching in the spartan or any other newly added code.

Performance:

There's no performance-related code shown in the diff. However, for the new crate, ensure that there are no unnecessary allocations or redundant field inversions. Optimizing MSM (Multi-Scalar Multiplications) and FFT implementations within the spartan crate if applicable can yield better performance.

Bugs & Errors:

The diff doesn't point to specific code segments, but ensure within the spartan crate that there is a strong check against potential panics, especially from unwrap calls, memory safety issues, and common pitfalls like off-by-one errors or integer overflows.

Code Simplicity:

Check the spartan code base for any overly complex implementations that can be simplified. Avoid code duplication by abstracting out common functionalities.

Since the actual code for the spartan crate was not provided in the diff, the review primarily emphasizes verifying the correctness and security within that new crate. Without concrete code examples, this review remains speculative concerning its implementation integrity.

github-actions · 2026-03-11T20:13:05Z

+| Spartan    | :heavy_check_mark: | :x:                | :x:         | :x:                | :x:             | :x:                |
 | **Polynomial Commitment Schemes** | **Lambdaworks**    | **Arkworks**       | **Plonky3**        | **gnark**          | **Constantine**    | **Halo2**          |
 | KZG10                             | :heavy_check_mark: | :heavy_check_mark: | :x:                | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | 
 | FRI                               | :heavy_check_mark: | :x:                | :heavy_check_mark: | :heavy_check_mark: | :x:                | :x:                |


Correctness

Ensure that the Spartan prover and verifier implementations correctly follow the mathematical protocol specifications. Without seeing the implementation details specific to these protocols, it's crucial to validate their adherence to the theoretical descriptions.

Confirm that any implementations involving elliptic curve operations handle edge cases such as point doubling and infinity points correctly, especially in the new Spartan addition.

Security

Verify that all operations involved in the Spartan implementation, especially those handling private data, are constant-time to avoid timing side channels.

Check zeroization of all sensitive cryptographic material after use.

Ensure that random number generation in Spartan uses cryptographically secure generators.

Carefully inspect areas for possible secret-dependent branching within the Spartan implementation.

Performance

Review the Spartan prover's use of memory and allocations. Avoid unnecessary memory allocations or ensure they're done efficiently.

Ensure that any multi-scalar multiplications (MSM) and FFTs used in Spartan are optimized in terms of computational complexity.

Bugs & Errors

Ensure any panics or unwraps within this added code are caught and appropriately handled. Since the code change is brief, this is just a proactive note based on typical issues.

Confirm there's no possibility of integer overflow or underflow in new arithmetic operations introduced by Spartan.

Validate any boundary conditions particularly related to indexing to prevent off-by-one errors.

Code Simplicity

Assess if the code added around Spartan introduces complexity that could instead be simplified or abstracted efficiently.

Ensure implementations are not duplicating existing functionality, which could be an opportunity for code reuse or modularization.

The outlined concerns, especially around correctness and security, suggest it's necessary to perform additional checks before merging the code.

github-actions · 2026-03-11T20:13:05Z

+- Spartan: Transparent (no trusted setup). Proves R1CS satisfiability directly using two rounds of the Sumcheck Protocol and a multilinear PCS. $O(n)$ prover work.

 ## Using provers



Specific Concerns

Edge Cases: Ensure that the implementation of Spartan properly handles finite field arithmetic, and particularly watch for zero divisors in field operations, which could lead to panics or undefined behavior. Verify that the implementation correctly initializes and handles identity elements and infinity points, especially in curve operations.

Security Considerations:

Review the Spartan implementation for potential timing side-channel leaks. Ensure that all operations on secret data are constant-time.

Check for proper zeroization of sensitive data when it is no longer needed.

Validate that any randomness used in the Spartan proof generation is cryptographically secure.

Ensure there are no secret-dependent branches in the code that could lead to vulnerabilities.

Performance: Evaluate the Spartan implementation for unnecessary allocations and ensure efficient use of resources. Check if field inversions are minimized and utilize iterative methods like Newton-Raphson for potential performance improvements. Multi-scalar multiplication (MSM) and FFT algorithms should be optimized for efficiency.

Bugs & Errors:

Confirm that all potential panics or unwraps have been appropriately handled.

Ensure that the code is free of integer overflows or underflows, possibly using Rust's checked arithmetic features.

Be vigilant about off-by-one errors, particularly in loop iterations or array indexing.

Code Simplicity:

Review the code for any overly complex implementations that could be simplified for better readability and maintenance.

Identify and eliminate duplicated code by using appropriate abstractions to improve maintainability.

General Comments

This MR includes the addition of Spartan as a supported prover system, and while the basic structure looks appropriate, it's crucial to ensure the mathematical logic and security principles specific to cryptographic applications are diligently followed. Further testing, both unit and integration, is necessary to validate the correctness and performance of all components introduced or altered in this update.

github-actions · 2026-03-11T20:13:05Z

+lambdaworks-sumcheck = { workspace = true }
+
+[dev-dependencies]
+lambdaworks-groth16 = { workspace = true }


The provided code snippet only contains a Cargo.toml file configuration without actual implementation details, which makes it challenging to assess correctness, security, performance, and potential bugs directly in the Rust code. However, based on the dependencies setup, ensure the following:

Correctness: Ensure that the lambdaworks-math, lambdaworks-crypto, and lambdaworks-sumcheck libraries correctly implement the mathematical and cryptographic operations, addressing potential issues such as edge cases, polynomial operations, and proof system logic.

Security: Review the implementation for constant-time operations and the secure handling and zeroization of sensitive data in lambdaworks-crypto. Check for secure random number generation if randomness is part of the library.

Performance: Optimize any unnecessary memory allocations or redundant operations across the workspace for efficiency in operations like FFT and MSM.

Bugs & Errors: Validate that within the actual code, there's proper error handling without unwarranted panics or unwrap calls and ensure that integer overflows are safely handled.

Code Simplicity: Make sure the included dependencies and their interactions lead to straightforward abstractions and minimize code duplication across the library implementations.

Please provide the relevant source code files to allow an in-depth review for potential correctness, security, and performance issues.

github-actions · 2026-03-11T20:13:05Z

+
+- [Spartan: Efficient and general-purpose zkSNARKs without trusted setup — Setty (2020)](https://eprint.iacr.org/2019/550)
+- [Zeromorph: Zero-Knowledge Multilinear-Evaluation Proofs from Homomorphic Univariate Commitments — Kohrita & Towa (2023)](https://eprint.iacr.org/2023/917)
+- [Proofs, Arguments, and Zero-Knowledge — Thaler (2022)](https://people.cs.georgetown.edu/jthaler/ProofsArgsAndZK.pdf)


Correctness:

Field Operations: Ensure that all field operations, especially divisions or inversions, handle division by zero properly without causing panics.

Edge Cases: Check that identities and boundary cases like the identity elements and zeroes are appropriately managed to avoid incorrect arithmetic results, especially in polynomial or matrix operations.

Polynomial and FFT: The polynomial commitments and evaluations should ensure that polynomials of edge-case degrees (zero, maximal) are handled without errors, and that FFTs utilize optimization strategies suited for the input size.

Proof System Correctness: The description implies correctness, but detailed testing against known-good values is essential, particularly for complex protocols like SNARKs.

Security:

Constant-Time Operations: Operations involving private data (e.g., witness in zero-knowledge proofs) must be constant-time to prevent timing attacks. Especially focus on PCS and field operations.

Sensitive Data Handling: Ensure private data is zeroized after use to prevent leakage through memory.

RNG Security: The randomness for Fiat-Shamir or PCS commitments should be sourced from a reliable cryptographic RNG to prevent predictability.

Hash Functions: Use domain separation for any hash functions to avoid cross-protocol forgery risks.

Performance:

Unnecessary Allocations: Examine polynomial and matrix handling to avoid excessive allocations, especially during matrix conversion or PCS routines.

Redundancies: Check the usage of pre-computed values or cached inversions where feasible in the proof generation.

Bugs & Errors:

Potential Panics: There are unwrap() usages which could panic; consider using expect() with error messages or handle errors gracefully.

Memory Safety: Verify that operations on large inputs or recursive protocols (like sumcheck) do not inadvertently cause memory issues.

Off-by-One Errors: Ensure that any loops or array accesses are boundary-checked.

Overflow/Underflow: Ensure arithmetic operations are checked for overflow/underflow, especially if not using native big integer types.

Code Simplicity:

Complex Implementations: The use of multilinear PCS and sumchecks should be broken down sufficiently to verify each step clearly.

Duplications: Abstract common routines such as field operations over the same data types to avoid repetition.

Overall, the code requires attention to security and correctness details, particularly around edge cases and securing operations to timing attacks. Additional testing on the path from protocol specification to implementation is advised before production deployment.

github-actions · 2026-03-11T20:13:06Z

+        let ok = pcs.verify(&commitment, &point, &value, &proof).unwrap();
+        assert!(ok, "4-var Zeromorph proof should verify");
+    }
+}


Correctness

Edge cases: There is no explicit handling for zero or identity elements within the compute_zeromorph_quotients or other functions. Ensure that when halving or evaluating polynomials, zero and identity cases are properly managed.

Polynomial operations: The method phi_eval and psi_eval correctly implement the mathematical operations based on the provided equations.

Security

Timing side-channels: Ensure that operations on sensitive data, such as compute_zeromorph_quotients, are constant-time, especially when manipulating field elements based on secret values.

Zeroization: There is no visible zeroization of sensitive data after use, such as field elements or points.

Cryptographically secure randomness: The challenges derived from transcript.sample_field_element() should be securely randomized, assuming the transcript uses a cryptographic RNG.

Hash function domain separation: Appending b"zeromorph_v1" provides domain separation for challenges; this should be sufficient but ensure the appended context is unique enough.

Performance

Unnecessary allocations: The conversion of iterators to Vec may introduce unnecessary allocations. Consider using iterators directly where possible in functions like compute_zeromorph_quotients.

FFT/MSM efficiency: The efficiency of MSM and FFT operations wasn't directly reviewed due to lack of specific code focusing on these.

Bugs & Errors

Potential panics: Use of indexing and length checks like in compute_zeromorph_quotients should be verified to ensure no out-of-bounds access, although debug_assert helps.

Code Simplicity

Complexity: While the code has a clear mathematical grounding, certain parts like psi_eval and phi_eval could be abstracted for reuse or clarity.

Duplicated code: The creation of G1 powers in test setup is repeated; consider a utility function for reusability.

Overall, the code presents a promising implementation of the Zeromorph scheme, but given the cryptographic context, further assurance on security and handling of edge cases is necessary before merging.

github-actions · 2026-03-11T20:13:06Z

+    }
+
+    Ok((round_polys, challenges))
+}


Mathemtical Correctness

In the sumcheck protocol, consider the case where num_constraints or num_variables is zero. Ensure that these cases are handled correctly as the current guards might not suffice if the R1CS instance or witness is malformed with zero values.

Security

Ensure the Fiat-Shamir transform uses cryptographically secure randomness for challenges. The use of transcripts for randomness generation should be reviewed to ensure it adheres to constant-time properties, especially the method transcript.sample_field_element().

Check that transcript.append_bytes and append_field_element functions are implemented in a way that prevents timing side-channels, particularly during field element conversion.

Performance

Review the multiplicative Evals like az_mle.evals() and bz_mle.evals() to determine if unnecessary reevaluations occur across the proof. Caching these where possible might improve performance.

The method matrix_vector_product_mle appears in multiple places; if this involves substantial computation for MLE polynomials, consider optimizing its evaluation.

Bugs & Errors

In the compute_sum_of_product function, verify that the input factor_evals length matches across input polynomials. A mismatch might result in incorrect results due to summed elements mismatch between terms.

Code Simplicity

The abstraction using DenseMultilinearPolynomial appears repeatedly; consider using a helper function or macro if operations are repeated with minimal changes.

General

The error handling for sections like pcs.commit, pcs.open, and sumcheck operations should handle and report errors more explicitly to aid debugging.

Overall, review especially focuses on ensuring all branches of the transcript implementations are constant-time for cryptographic security. Math correctness, while seemingly adhered to well, should be thoroughly checked by dynamic set tests for infinity or non-standard zero behavior in edge cases. Check test coverage comprehensively. Verification functions for the proof should be verified on edge-case zkSNARk outputs.

github-actions · 2026-03-11T20:13:06Z

+        let result = R1CS::new(a, b, c, 0);
+        assert!(result.is_err());
+    }
+}


Correctness

Edge Cases: The code correctly checks for zero constraints and variables, avoiding construction of empty systems.

Proof System Correctness: The is_satisfied method correctly checks that the R1CS is satisfied by computing <(A[i], z)> * <(B[i], z)> = <(C[i], z)>.

Security

Timing Attacks: The is_satisfied method iterates over constraints and performs field operations, which should be constant-time to protect against timing attacks involving sensitive data. Ensure field operations, especially multiplication, are constant-time.

Zeroization: There's no indication of sensitive data being zeroized after use. Consider implementing zeroization for witness data after processing.

Cryptographically Secure Randomness: Not relevant in the given context since there's no randomness involved in setup or checks.

Secret-Dependent Branching: No secret-dependent branching is evident in the provided code.

Hash Function Domain Separation: Not applicable in this context.

Performance

Unnecessary Allocations: The is_satisfied method could be optimized by using iterators without intermediate Vec allocations (zip and map can be efficiently chained).

Redundant Field Inversions: Not applicable as division or inversions aren't performed here.

MSM and FFT Efficiency: Not relevant to the provided code.

Bugs & Errors

Potential Panics: No visible potential for panics, except if Field implementations panic. Ensure proper handling of potential panics within used field operations.

Off-by-one Errors: None detected. Indexing is correctly handled in loops.

Integer Overflow/Underflow: Utilizing usize for indexing mitigates underflow, and field operations should inherently handle wrapping.

Code Simplicity

Complexity: The current structure of the code is reasonable for the operations implemented. The construction and satisfaction checks are straightforward and easy to understand.

Duplication: Minimal code duplication is observed.

Abstractions: The abstraction over FieldElement is appropriately used, though careful attention to underlying operations is necessary to ensure security properties.

Summary

Security Concerns: Ensure that all field operations are constant-time to prevent timing attacks, and consider implementing zeroization for sensitive data handling. Currently, the code doesn't guarantee security against timing attacks. Therefore, it is marked not good to merge. Address these points to ensure a stronger security posture in the cryptographic implementations.

github-actions · 2026-03-11T20:13:06Z

+            transcript.append_field_element(coeff);
+        }
+    }
+}


Correctness

The use of FieldElement::zero() for comparisons in sparse matrix handling should be safe due to the expected behavior of overloaded operators, assuming the FieldElement implementation is correct.

The drawing of challenges with transcript.sample_field_element() must ensure uniformity and correct sampling within the field; this is dependent on the sample_field_element() implementation in DefaultTranscript.

Security

There is a potential timing side-channel vulnerability since comparisons like *val != FieldElement::zero() might not be constant-time due to branching on non-zero entries.

Ensure that sensitive data is zeroized after use, although the given code does not appear to handle sensitive values directly.

Make sure transcript.sample_field_element() uses cryptographically secure randomness, which is crucial for Fiat-Shamir-based protocols.

Performance

The implementation uses nested loops to iterate over the R1CS matrices, which might become a performance bottleneck for large systems. Consider more efficient sparse matrix representations.

The repeated conversion of indices and counts to byte arrays (to_be_bytes) in multiple loops could be optimized.

Bugs & Errors

Since this code is reliant on external libraries (e.g., lambdaworks_crypto, lambdaworks_math), it's important to ensure that functions like append_field_element and sample_field_element properly handle edge cases and errors.

Code Simplicity

The code seems generally well-organized with functions logically separated.

General Recommendations

Review dependency implementations like FieldElement::zero() and sample_field_element() to ensure they meet the cryptographic standards required for security.

Double-check if DefaultTranscript handles domain separation correctly throughout different stages to avoid transcript collision issues.

Consider employing Rust's debug_assert or other debugging measures during development to catch any unauthorized assumptions about data being non-zero or any indices being within bounds.

Overall, although the code handles many expected operations, additional scrutiny on the cryptographic assumptions and side-channel resilience is necessary before merging.

github-actions · 2026-03-11T20:13:06Z

+    }
+
+    Ok((true, challenges))
+}


Correctness:

Polynomial Evaluation: The verification process largely relies on the correct implementation of polynomial evaluations. Ensure that the implementations of evaluate in FieldElement and Polynomial handle edge cases, such as zero polynomials and polynomials with high degrees, correctly.

Edge Cases: It's crucial to verify how edge cases (like zero elements, identity elements, etc.) are handled. Particularly, ensure that operations on FieldElement<F>::zero() behave as expected.

Oracle Check: Ensure that the oracle checks (e.g., last_outer_eval vs. outer_oracle) correctly verify the polynomial evaluations as both additions and multiplications are involved.

Fiat-Shamir Transcript: Replay of the Fiat-Shamir transcript needs to be perfect. Verify the appending and challenge-drawing processes for accuracy.

Security:

Timing Side-Channels: The sampling of r using sample_field_element() should ensure constant-time execution. Also, ensure that all arithmetic operations on field elements are performed in constant time.

Sensitive Data Zeroization: Particularly information like transcript, rho, tau, etc., should be zeroized after use to avoid leakage.

Secret-Dependent Branching: Ensure no data-dependent branching or loop lengths, potentially introducing side-channels.

Hash Function Domain Separation: Label strings (e.g., b"v_a", b"outer_sumcheck") are used multiple times in the context of transcript. Ensure clear separation and uniqueness of these labels throughout to avoid domain issues.

Performance:

Unnecessary Allocations: There's a potential for unnecessary re-allocations. For example, creating challenges vectors could use reserved space based on expected polynomial counts.

Efficiency Considerations: Evaluate the efficiency of matrix_mle_eval as nested evaluations are potentially redundant.

Memory and Resource Utilization: Check the transcript's growing size, especially with high constraint count; consider structuring as a streaming hash to minimize memory pressure.

Bugs & Errors:

Possible Panics: Accessing last() on proof.outer_sumcheck_polys, proof.inner_sumcheck_polys, and r_y assumes that these vectors are not empty, which could cause panics otherwise.

Error Handling: Ensure that all potential points of failure, especially around arithmetic operations and evaluations, have corresponding error returns.

Overflow: Rust natively protects against integer overflow, but cross-verify any manual FieldElement arithmetic for potential overflows.

Code Simplicity:

Complex Implementations: Logic in verify can be broken down into smaller, more testable units to enhance readability and maintainability.

Duplicated Code: verify_two_term_sumcheck_round_polys and verify_sumcheck_round_polys have similar logic and could benefit from consolidation or shared abstraction.

Abstractions: Consider abstracting repeated operations such as transcript handling and polynomial verification into separate utilities.

greptile-apps · 2026-03-11T20:15:42Z

Greptile Summary

This PR adds a complete Spartan zkSNARK implementation for R1CS satisfiability, using two rounds of the Sumcheck Protocol and a new Zeromorph PCS backed by BLS12-381 KZG. The core cryptographic protocol logic (sumcheck, MLE encoding, oracle checks, PCS opening, Fiat-Shamir transcript) is well-structured and the protocol flow correctly implements the Spartan paper.

Key observations:

Missing SRS size validation in ZeromorphPCS: commit and open pass polynomials of size 2^num_vars to the underlying KZG without first verifying the SRS holds enough powers. An undersized SRS either panics or silently truncates coefficients, producing invalid commitments with no diagnostic error.
Independent Zeromorph internal transcript: The Zeromorph PCS derives its own challenges (x, upsilon) from a fresh transcript, completely decoupled from the outer Spartan transcript. The code includes a TODO(security) comment explaining the trade-off; for standalone Spartan this is acceptable, but it becomes a security concern if the construction is ever used in recursive or IVC settings.
Duplicate transcript serialization code: The outer sumcheck's round polynomial transcript logic is written inline in both run_two_term_sumcheck (prover) and verify_two_term_sumcheck_round_polys (verifier), instead of using the already-existing append_round_poly_to_transcript helper that the inner sumcheck uses. Any future encoding change must be updated in three places.
Redundant log_constraints computation: Both prover and verifier contain an identical manual bit-counting loop that could be replaced with .trailing_zeros(), which is already used in the verifier for n_witness_vars.

Confidence Score: 3/5

The protocol logic is sound for standalone use, but the missing SRS size validation in ZeromorphPCS is a real defect that should be addressed before merging.
The Spartan protocol implementation is mathematically correct and well-tested. The Fiat-Shamir transcript, oracle checks, and public-input binding all appear sound. The score is held at 3 rather than 4 primarily due to the unguarded SRS-size assumption in ZeromorphPCS: passing an undersized SRS will either panic or silently commit to a truncated polynomial, which can produce proofs that look structurally valid yet are cryptographically broken. The independent Zeromorph transcript is a known limitation acknowledged in the code, and the duplicate transcript code introduces maintenance risk. These issues should be addressed before production use.
Pay close attention to crates/crypto/src/commitments/zeromorph.rs (SRS validation and transcript independence) and the run_two_term_sumcheck / verify_two_term_sumcheck_round_polys pairing in prover.rs / verifier.rs (duplicated transcript format code).

Important Files Changed

Filename	Overview
crates/crypto/src/commitments/zeromorph.rs	New Zeromorph PCS implementation reducing multilinear evaluations to univariate KZG. Core math (quotient halving, phi/psi evaluations, batch KZG) appears correct. Two concerns: (1) no SRS-size validation before committing, which can silently fail; (2) uses an independent internal Fiat-Shamir transcript isolated from the outer Spartan transcript, acknowledged with a TODO but a real security concern for composed protocols.
crates/provers/spartan/src/prover.rs	Full Spartan prover with two-phase sumcheck and PCS opening. Input validation (witness length, public input consistency), transcript binding, and oracle computations are correct. Minor: the outer sumcheck uses inline transcript appending code instead of the reusable `append_round_poly_to_transcript` helper, creating duplication with the verifier.
crates/provers/spartan/src/verifier.rs	Verifier correctly replays the Fiat-Shamir transcript, checks degree bounds on round polynomials, performs oracle checks for both sumchecks, and independently recomputes matrix MLE evaluations. Public input consistency verification is implemented. Logic appears sound for both satisfied and unsatisfied R1CS instances.
crates/provers/spartan/src/mle.rs	MLE utilities are well-tested and correct. The eq_poly expansion, matrix_vector_product_mle, mz_eval, and index_to_multilinear_point functions all implement correct MSB-first variable ordering consistent with the rest of the codebase.
crates/provers/spartan/src/r1cs.rs	Generic R1CS type with good validation: checks consistent matrix dimensions, non-empty constraints/variables, and that num_public_inputs < num_variables (reserving variable 0 for the constant 1).
crates/provers/spartan/src/lib.rs	Integration test file with comprehensive coverage: R1CS satisfaction, MLE encoding, eq_poly, full prove/verify round-trips, soundness tests for corrupted witnesses, wrong public inputs, and Zeromorph PCS integration. Tests use a small prime field (mod 101) for the sumcheck tests and BLS12-381 for the Zeromorph tests.
crates/crypto/src/commitments/multilinear.rs	Clean trait definition for IsMultilinearPCS. Correctly documents the transcript binding requirement via serialize_commitment. Design is sound for the current standalone use case.
crates/provers/spartan/src/transcript.rs	Transcript helpers are consistent and encode R1CS structure unambiguously (includes NNZ count, row/col indices, and values for each matrix). The public inputs are length-prefixed. No issues found.

Sequence Diagram

sequenceDiagram
    participant P as Prover
    participant T as Fiat-Shamir Transcript
    participant V as Verifier

    P->>T: domain_sep + R1CS instance + public_inputs
    P->>P: Encode witness z as MLE z_tilde and commit via PCS
    P->>T: witness_commitment bytes
    T-->>P: tau (log_constraints challenges)

    rect rgb(200, 230, 255)
        Note over P,V: Phase 1 - Outer Sumcheck
        P->>P: Build eq(tau) and AZ/BZ/CZ MLEs over boolean hypercube
        P->>P: Run 2-term sumcheck on sum_x eq(tau_x)(AZ*BZ - CZ) = 0
        P->>T: outer round polynomials g_0 to g_{s-1}
        T-->>P: challenges r_x (one per round)
        P->>P: Compute v_A = mz_eval(A,z,r_x) and v_B and v_C
        P->>T: v_A + v_B + v_C
        T-->>P: batching scalars rho_A + rho_B + rho_C
    end

    rect rgb(200, 255, 220)
        Note over P,V: Phase 2 - Inner Sumcheck
        P->>P: Build combined matrix poly at r_x
        P->>P: Run quadratic sumcheck on sum_y M(y)*z_tilde(y)
        P->>T: inner round polynomials h_0 to h_{t-1}
        T-->>P: challenges r_y (one per round)
    end

    rect rgb(255, 230, 200)
        Note over P,V: Phase 3 - PCS Opening
        P->>P: Open z_tilde at r_y via ZeromorphPCS (uses internal transcript)
        P->>P: Open z_tilde at boolean points for each public input
    end

    P-->>V: SpartanProof with commitment + outer_polys + r_x + vA/vB/vC + inner_polys + r_y + pcs_proof

    rect rgb(240, 220, 255)
        Note over V: Verification
        V->>T: Replay same transcript steps
        T-->>V: tau
        V->>V: Verify outer round polys degree and consistency
        V->>V: Oracle check: g_last(r_x_last) == eq(tau,r_x)*(vA*vB - vC)
        V->>V: Verify inner round polys degree and consistency
        V->>V: Recompute A/B/C MLE evals at (r_x,r_y) from raw matrices
        V->>V: Oracle check: combined_matrix(r_x,r_y)*witness_eval == h_last(r_y_last)
        V->>V: PCS verify z_tilde at r_y
        V->>V: Verify public input openings z_tilde(bits(i)) == pi_i
    end

Comments Outside Diff (5)

crates/crypto/src/commitments/zeromorph.rs, line 329-336 (link)

Missing SRS size validation before committing

commit constructs f_hat with poly.evals().len() coefficients (up to 2^n) and immediately calls self.kzg.commit(&f_hat), but never verifies that the underlying SRS holds enough powers. If the caller provides an SRS with fewer than 2^num_vars powers, the KZG commit will either panic or silently produce an incorrect commitment by dropping high-degree terms — neither outcome surfaces a helpful error.

The same problem exists in open, where quotient polynomials up to degree 2^{n-1} - 1 are also committed without size checks.

Consider adding an upfront guard:
```
fn commit(
    &self,
    poly: &DenseMultilinearPolynomial<F>,
) -> Result<Self::Commitment, Self::Error> {
    let required = poly.evals().len(); // 2^num_vars
    if self.kzg.srs().powers_main_group().len() < required {
        return Err(PcsError(format!(
            "SRS too small: need {} powers, have {}",
            required,
            self.kzg.srs().powers_main_group().len()
        )));
    }
    let f_hat = Polynomial::new(poly.evals());
    let g1 = self.kzg.commit(&f_hat);
    Ok(ZeromorphCommitment { g1 })
}
```
(The exact accessor name for the SRS powers may differ; adjust accordingly.)
crates/crypto/src/commitments/zeromorph.rs, line 281-315 (link)

Independent internal transcript weakens composability

derive_zeromorph_challenges spins up a brand-new DefaultTranscript every time it is called, so the Zeromorph challenges x and upsilon are derived purely from the Zeromorph-local view of the proof (commitment, point, value, quotient commitments). They do not incorporate any state from the outer Spartan transcript.

The code acknowledges this with a TODO(security) comment, which is appreciated. However, the implications are worth spelling out for future readers:
- Proof transplant / context confusion: a Zeromorph proof produced for evaluation point r_y under one R1CS instance is cryptographically indistinguishable from one produced for the same point under a different instance, because nothing from the outer context is mixed into x / upsilon.
- IVC / recursive settings: if Spartan proofs are ever composed or verified inside a circuit, the independent transcript breaks the standard Fiat-Shamir composition argument.
For standalone use the current design is acceptable (as the comment explains, r_y is itself transcript-bound). If the codebase eventually adds recursive or IVC use, open and verify should accept an external transcript hash to bind the outer context — aligning the interface with the comment's suggested fix.
crates/provers/spartan/src/prover.rs, line 2355-2395 (link)

Outer sumcheck inlines transcript logic already covered by append_round_poly_to_transcript

The loop body in run_two_term_sumcheck manually replicates the exact same byte sequence that append_round_poly_to_transcript produces:
```
let round_label = format!("round_{round}_poly");
transcript.append_bytes(round_label.as_bytes());
let coeffs = g_j.coefficients();
transcript.append_bytes(&(coeffs.len() as u64).to_be_bytes());
if coeffs.is_empty() { ... } else { for coeff in coeffs { ... } }
```
append_round_poly_to_transcript in transcript.rs contains identical code. The inner sumcheck already uses the helper. The duplication means any future change to the transcript encoding format (e.g. a breaking upgrade) must be applied in three places: the helper, the inner sumcheck verifier, and this function — creating a divergence risk.

(After removing the inline transcript block in the loop body. The mirror change is needed in verify_two_term_sumcheck_round_polys in verifier.rs.)
crates/provers/spartan/src/verifier.rs, line 3110-3145 (link)

verify_two_term_sumcheck_round_polys also inlines the transcript format

Same duplication as noted in run_two_term_sumcheck: the round polynomial bytes are appended inline rather than through append_round_poly_to_transcript. Consider using the shared helper here as well to keep the encoding in one canonical place.

_{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}
crates/provers/spartan/src/prover.rs, line 2124-2134 (link)

log_constraints can be simplified with usize::ilog2 or trailing_zeros

The manual bit-counting loop to compute log2(num_constraints_padded) is repeated verbatim in both the prover and verifier. Since num_constraints_padded is guaranteed to be a power of two (by next_power_of_two(...).max(2)), trailing_zeros() gives the same result and avoids the loop. The verifier already uses trailing_zeros() for n_witness_vars:

This would also remove the duplication between prover and verifier.

_{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}

Prompt To Fix All With AI

This is a comment left during a code review.
Path: crates/crypto/src/commitments/zeromorph.rs
Line: 329-336

Comment:
**Missing SRS size validation before committing**

`commit` constructs `f_hat` with `poly.evals().len()` coefficients (up to `2^n`) and immediately calls `self.kzg.commit(&f_hat)`, but never verifies that the underlying SRS holds enough powers. If the caller provides an SRS with fewer than `2^num_vars` powers, the KZG `commit` will either panic or silently produce an incorrect commitment by dropping high-degree terms — neither outcome surfaces a helpful error.

The same problem exists in `open`, where quotient polynomials up to degree `2^{n-1} - 1` are also committed without size checks.

Consider adding an upfront guard:

```rust
fn commit(
    &self,
    poly: &DenseMultilinearPolynomial<F>,
) -> Result<Self::Commitment, Self::Error> {
    let required = poly.evals().len(); // 2^num_vars
    if self.kzg.srs().powers_main_group().len() < required {
        return Err(PcsError(format!(
            "SRS too small: need {} powers, have {}",
            required,
            self.kzg.srs().powers_main_group().len()
        )));
    }
    let f_hat = Polynomial::new(poly.evals());
    let g1 = self.kzg.commit(&f_hat);
    Ok(ZeromorphCommitment { g1 })
}
```

(The exact accessor name for the SRS powers may differ; adjust accordingly.)

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: crates/crypto/src/commitments/zeromorph.rs
Line: 281-315

Comment:
**Independent internal transcript weakens composability**

`derive_zeromorph_challenges` spins up a brand-new `DefaultTranscript` every time it is called, so the Zeromorph challenges `x` and `upsilon` are derived purely from the Zeromorph-local view of the proof (commitment, point, value, quotient commitments). They do not incorporate any state from the outer Spartan transcript.

The code acknowledges this with a `TODO(security)` comment, which is appreciated. However, the implications are worth spelling out for future readers:

- **Proof transplant / context confusion**: a Zeromorph proof produced for evaluation point `r_y` under one R1CS instance is cryptographically indistinguishable from one produced for the same point under a different instance, because nothing from the outer context is mixed into `x` / `upsilon`.
- **IVC / recursive settings**: if Spartan proofs are ever composed or verified inside a circuit, the independent transcript breaks the standard Fiat-Shamir composition argument.

For standalone use the current design is acceptable (as the comment explains, `r_y` is itself transcript-bound). If the codebase eventually adds recursive or IVC use, `open` and `verify` should accept an external transcript hash to bind the outer context — aligning the interface with the comment's suggested fix.

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: crates/provers/spartan/src/prover.rs
Line: 2355-2395

Comment:
**Outer sumcheck inlines transcript logic already covered by `append_round_poly_to_transcript`**

The loop body in `run_two_term_sumcheck` manually replicates the exact same byte sequence that `append_round_poly_to_transcript` produces:

```rust
let round_label = format!("round_{round}_poly");
transcript.append_bytes(round_label.as_bytes());
let coeffs = g_j.coefficients();
transcript.append_bytes(&(coeffs.len() as u64).to_be_bytes());
if coeffs.is_empty() { ... } else { for coeff in coeffs { ... } }
```

`append_round_poly_to_transcript` in `transcript.rs` contains identical code. The inner sumcheck already uses the helper. The duplication means any future change to the transcript encoding format (e.g. a breaking upgrade) must be applied in three places: the helper, the inner sumcheck verifier, and this function — creating a divergence risk.

```suggestion
        append_round_poly_to_transcript(transcript, round, &g_j);
        round_polys.push(g_j);
```

(After removing the inline transcript block in the loop body. The mirror change is needed in `verify_two_term_sumcheck_round_polys` in `verifier.rs`.)

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: crates/provers/spartan/src/verifier.rs
Line: 3110-3145

Comment:
**`verify_two_term_sumcheck_round_polys` also inlines the transcript format**

Same duplication as noted in `run_two_term_sumcheck`: the round polynomial bytes are appended inline rather than through `append_round_poly_to_transcript`. Consider using the shared helper here as well to keep the encoding in one canonical place.

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: crates/provers/spartan/src/prover.rs
Line: 2124-2134

Comment:
**`log_constraints` can be simplified with `usize::ilog2` or `trailing_zeros`**

The manual bit-counting loop to compute `log2(num_constraints_padded)` is repeated verbatim in both the prover and verifier. Since `num_constraints_padded` is guaranteed to be a power of two (by `next_power_of_two(...).max(2)`), `trailing_zeros()` gives the same result and avoids the loop. The verifier already uses `trailing_zeros()` for `n_witness_vars`:

```suggestion
        let log_constraints = num_constraints_padded.trailing_zeros() as usize;
```

This would also remove the duplication between prover and verifier.

How can I resolve this? If you propose a fix, please make it concise.

_{Last reviewed commit: 8cdf0ae}

codecov-commenter · 2026-03-11T20:19:24Z

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

❌ Patch coverage is 94.13188% with 97 lines in your changes missing coverage. Please review.
✅ Project coverage is 77.16%. Comparing base (f8c0a51) to head (4e69c5a).

Files with missing lines	Patch %	Lines
crates/provers/spartan/src/r1cs.rs	85.44%	23 Missing ⚠️
crates/provers/spartan/src/mle.rs	91.73%	19 Missing ⚠️
crates/crypto/src/commitments/zeromorph.rs	95.04%	18 Missing ⚠️
crates/provers/spartan/src/verifier.rs	88.81%	18 Missing ⚠️
crates/provers/spartan/src/prover.rs	96.05%	9 Missing ⚠️
crates/provers/spartan/src/lib.rs	96.99%	8 Missing ⚠️
crates/provers/spartan/src/transcript.rs	97.05%	2 Missing ⚠️
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1193      +/-   ##
==========================================
+ Coverage   76.61%   77.16%   +0.55%     
==========================================
  Files         224      234      +10     
  Lines       50646    52299    +1653     
==========================================
+ Hits        38801    40357    +1556     
- Misses      11845    11942      +97

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

github-actions · 2026-03-11T20:39:24Z

Kimi AI Review

This PR introduces a new crate, lambdaworks-spartan, which implements the Spartan zero-knowledge proof system for R1CS satisfiability. The changes include adding the new crate to Cargo.toml, updating README.md files with documentation and examples, and implementing the core functionality in src/.

Here are my specific comments and feedback:

General Feedback

Documentation and Examples: The README.md updates provide a good overview of the Spartan prover and its features. Including examples in the documentation is helpful for users to understand how to use the crate.
Code Structure: The code is well-organized into modules (r1cs, mle, pcs, prover, verifier), which makes it easier to navigate and understand the different components of the implementation.
Error Handling: The use of thiserror for defining error types is consistent and makes error handling more ergonomic.

Specific Issues

Missing Clone Trait for R1CS Struct:
- In src/prover.rs, the prove function takes a reference to &R1CS<F>. However, the R1CS struct does not implement the Clone trait, which might be necessary for internal processing or if the struct needs to be copied. Consider adding #[derive(Clone)] to the R1CS struct if cloning is required.
Transcript Handling:
- In src/prover.rs, the transcript is initialized with DefaultTranscript::<F>::default(). This might not be suitable for all use cases, especially if the transcript needs to be persisted or if a specific transcript protocol is required. Consider allowing users to provide a transcript instance or configuring the transcript through the API.
Public Input Consistency:
- In src/prover.rs, public input consistency is checked by comparing witness_z[i + 1] with public_inputs[i]. This assumes that public inputs are stored in the witness after the constant 1. Ensure that this assumption holds in all cases, or document the requirement clearly.
PCS Commitment Serialization:
- In src/pcs/mod.rs, the serialize_commitment method is defined for the IsMultilinearPCS trait. However, the implementation might vary depending on the specific PCS used. Consider providing a default implementation or ensuring that each PCS implementation handles serialization correctly.
Zeromorph PCS Implementation:
- The ZeromorphPCS implementation in src/pcs/zeromorph.rs relies on the KateZaveruchaGoldberg commitment scheme. Ensure that the underlying commitment scheme is secure and suitable for the intended use cases.
Performance Considerations:
- The SpartanProver and SpartanVerifier implementations should be reviewed for performance optimizations, such as minimizing allocations and using efficient algorithms for polynomial operations.
Security Audits:
- Given the cryptographic nature of the code, consider conducting a security audit to identify any potential vulnerabilities or weaknesses in the implementation.

Conclusion

The PR introduces a new crate for the Spartan zero-knowledge proof system, which is a valuable addition to the lambdaworks cryptographic library. The implementation appears to be well-structured and documented. However, some minor issues and considerations should be addressed to ensure the correctness, security, and performance of the code.

github-actions

Code review by ChatGPT

github-actions · 2026-03-11T20:39:46Z

+    proof: &SpartanProof<F, PCS>,
+    pcs: PCS,
+) -> Result<bool, SpartanError>
+where


Correctness

The tests introduced seem to correctly validate important edge cases such as incorrect witness length and public input mismatch. However, please ensure that all related functions handle these cases without leading to undefined behaviors or panics.

The modification of proof.public_input_proofs in test_spartan_tampered_public_input_proof should be reviewed to ensure that the manual mutation reflects realistic conditions unless this is specifically meant for testing. Manual mutations might not simulate genuine edge cases and could have limitations in mimicking potential bugs if the context isn't identical.

Security

There's no indication of constant-time operation checks, which might lead to timing side-channels, especially in cryptographic contexts. Ensure all operations on secrets, such as elliptic curve or finite field elements, are constant time to prevent leak of information.

Proper zeroization of sensitive data (e.g., private keys) is not covered in these tests. Make sure that any sensitive data in cryptographic operations is safely zeroized after use.

Ensure that randomness used in cryptographic operations (e.g., nonce generation) is from cryptographically secure sources.

Performance

The test code does not seem to illustrate potential inefficiencies directly, but consider using FE::zero() and FE::one() sparingly within loops to prevent possible performance hits from repeated function calls.

Bugs & Errors

Relying on unwrap can cause panics if the function does not return Some. Consider using more robust error handling to mitigate unexpected panics that could occur, such as through pattern matching or the ? operator.

The test test_spartan_tampered_public_input_proof mutates the proof directly. This could potentially lead to panics if not properly managed and the mutation logic leads to bounds access issues.

Code Simplicity

Current test aims to test specific subcases comprehensively. However, manually mutating the proof object introduces complexity that might be obscure to other developers. Simulating tampering through a more simplified API would be beneficial for clarity and maintenance.

In conclusion, while the tests seem well thought out in capturing potential errors in the integration of proofs, ensure that all other concerns mentioned above are actively checked and mitigated. This is especially true for constant-time operations and data zeroization in the context of cryptographic operations.

github-actions · 2026-03-11T20:39:46Z

+///
+/// The evaluation at boolean point (b₀, b₁, ..., b_{k-1}) where bi ∈ {0,1}
+/// equals z[i] where i is the integer with binary representation b₀b₁...b_{k-1}.
+pub fn encode_witness<F: IsField>(z: &[FieldElement<F>]) -> DenseMultilinearPolynomial<F>


Correctness:

Ensure that the function utility of index_to_multilinear_point correctly relates to the MLE and does not inadvertently assume i being in range of n in a way that breaks limits on maximum i values that might cause unexpected behavior.

Security:

The method index_to_multilinear_point uses branching depending on the bit value, which could be a potential timing side-channel. Consider a branchless approach by leveraging choice functions that return either FieldElement::one() or FieldElement::zero() without branching.

Performance:

The .collect() operation initiates memory allocation in index_to_multilinear_point. While inherent due to vector use, evaluate if it is critical in tight loops or if an alternative continuous memory structure can be utilized if reused frequently with predictable sizes.

Bugs & Errors:

No immediate panics, unwraps, or overflows are evident from index_to_multilinear_point, but consider handling the case if n is excessively large relative to the bit-width of usize.

Code Simplicity:

Code in index_to_multilinear_point is straightforward but ensure it is consistent with similar field utilities for uniformity in representations and conversions.

github-actions · 2026-03-11T20:39:46Z

+        Self {
+            pcs,
+            _f: PhantomData,
+        }


Correctness:

The check for public_inputs.len() + 1 > r1cs.num_variables seems incorrect as it does not necessarily relate to the number of variables directly, rather it should ensure that the public inputs fit in the capacity already accommodated for witness_z, considering its starting offset.

Edge cases are generally well-handled, especially the consistency checks between public inputs and witness entries, which are crucial for correctness.

Security:

Timing Side-channels: Use of conditional checks like if &witness_z[i + 1] != pi and debug_assert_eq! potentially leak timing information. These should be constant-time operations.

Consider zeroizing point, eval, and proof after use, especially given they relate directly to sensitive data like public_input_proofs.

Accidental misuse of debug_assert_eq! potentially skips verification in release builds, undermining security and correctness.

Performance:

The creation of Vec::with_capacity for public_input_proofs is appropriate, minimizing unnecessary allocations.

Bugs & Errors:

Ensure that error messages provide enough context for debugging while maintaining security (avoiding leaking too much info about internal state).

Code Simplicity:

The use of guards improves the clarity of the expected behaviors, although could consider compartmentalizing error cases for more simplified error traceability and management.

General Feedback:

Overall, the code improvements show good attention to detail in critical areas but require finer examination on timing attacks and constant-time checks. Look into using libraries or utilities that ensure such operations are implemented safely without relying on debug asserts in sensitive contexts.

github-actions · 2026-03-11T20:39:46Z

+    /// structurally sound, or Err if there's a structural error.
+    pub fn verify(
+        &self,
+        r1cs: &R1CS<F>,


Correctness

Index Calculations: The index_to_multilinear_point function uses an index base of i + 1. Ensure this matches the indexing expected in your protocol. Off-by-one errors are common in such transformations.

Edge Case Handling: The comparison of proof.public_input_proofs.len() with public_inputs.len() is essential for consistency but make sure the lengths are also validated for other mismatches beyond equality (e.g., both being zero).

R1CS and Polynomial Checks: There is no explicit check for edge cases in polynomial calculations, e.g., zero polynomials or ensuring multiplication is within valid field boundaries. Check that zero and infinity are appropriately handled within these calculations.

Security

Constant-time operations: Check if all comparisons, particularly in public input consistency checks, are done in constant-time to avoid side-channel leaks.

Zeroization of sensitive data: Ensure temporary sensitive data like expected_point or other intermediate calculations are cleared from memory after use.

Performance

Redundant Computations: Calculating n_witness_vars from num_cols_padded.trailing_zeros() may be redundant if it's derived elsewhere and doesn't change state.

Bugs & Errors

Error Handling in PCS Verification: .map_err(|e| SpartanError::PcsError(e.to_string()))? may propagate errors, but ensure you have sufficient logging to diagnose PCS discrepancies.

Potential Panics: No direct panics observed, but continue ensuring all map accessors and unwraps are cautiously used.

Code Simplicity

Repeated Logic: The repetitive verification loop for (point, pi_proof) could be abstracted into a function to improve maintainability and reduce code duplication.

Overall, there are significant concerns regarding correctness and security that need addressing before this can be merged.

…lic input consistency proofs to Spartan

github-actions

Code review by ChatGPT

github-actions · 2026-03-11T20:53:37Z

+pub mod multilinear;
 pub mod traits;
+#[cfg(feature = "std")]
+pub mod zeromorph;


Correctness

The new modules multilinear and zeromorph added under the std feature appear to be missing from the review context. Ensure these are properly implemented with respect to cryptographic and mathematical operations like polynomial evaluations and zero-knowledge proofs. Without reviewing these parts, it's hard to assert correctness.

Security

Ensure all cryptographic operations are constant-time, especially those involving secret data. There is no information provided on this aspect.

It's crucial to handle zeroization of sensitive data securely. Verify that sensitive data (e.g., secret keys) are securely erased from memory after use.

Verify the randomness source used in any cryptographic operations; these should use a CSPRNG.

Ensure there are no branching operations based on secret data within the implementations of cryptographic protocols.

Ensure hash functions used for different purposes employ domain separation techniques to avoid potential vulnerabilities.

Performance

No explicit code indications related to MSM and FFT implementations are visible in the provided changes. Ensure these implementations are efficient in the entire context of the code base.

Review new modules for unnecessary allocations or redundant operations, particularly within polynomial and elliptic curve mathematics.

Bugs & Errors

No details on potential panics or unwraps. Ensure any new code avoids panics by handling errors gracefully, particularly in cryptographic contexts.

Verify for memory safety issues, especially around unsafe Rust code blocks.

Check for potential off-by-one errors in array or slice indexing.

Ensure operations protect against integer overflow/underflow where applicable.

Code Simplicity

Review if the abstracted modules offer clean and simple APIs without redundancy.

Check if implementations can be simplified; avoid duplicated code wherever possible.

Overall, before providing a 'looks good to merge' (LGTM) rating, a more thorough review of the new functionality introduced by multilinear and zeromorph is needed to ensure adherence to the principles mentioned above.

github-actions · 2026-03-11T20:53:37Z

+    /// Must be implemented so that the prover and verifier can both absorb the
+    /// commitment into the transcript before drawing challenges.
+    fn serialize_commitment(commitment: &Self::Commitment) -> Vec<u8>;
+}


Here are some points regarding the correctness, security, and performance related to the provided code implementation:

Correctness:

Mathematical Operations: The methods commit, open, and verify must ensure correct implementation of multilinear PCS operations, particularly handling cases like zero polynomials or boundary points in multi-dimensional space. However, these implementations are not shown in the snippet.

Edge Cases: Treatment of extremes like zero-length point arrays could be addressed, as those might lead to unexpected behavior in open and verify functions.

Security:

Timing Side-Channels: There is no detail on how operations are executed, e.g., constant-time operations across sensitive data paths, which could be a potential issue. The functions should ensure that no operations reveal sensitive data through timing differences.

Proper Zeroization: Ensure that sensitive information is zeroized after use, if applicable.

Cryptographically Secure Randomness: Commitment and proof generation/transmission should use secure random number generation, though this depends on the rest of the code not visible in the snippet.

Secret-Dependent Branching: Verify if internal implementations avoid branching based on secret values.

Hash Function Domain Separation: If any hashes are used within this trait, proper domain separation must be ensured. Currently, this aspect isn't detailed here.

Performance:

Unnecessary Allocations: The use of Vec<u8> could involve multiple heap allocations due to dynamic growth. Consider optimizing how the allocations for vectors are handled, especially for serialize_commitment.

Redundant Calculations: Consider possible redundancies in complex operations of polynomial commitments or openings.

Bugs & Errors:

Erroneous Errors: Custom error handling should be properly integrated with polynomial operations to avoid nested unwraps or panics.

Off-by-One and Overflow Errors: Make sure that lines dealing with indexing or arithmetic are protected against overflows. The missing concrete implementation makes this hard to verify.

Code Simplicity:

Abstractions: The interface is clean and abstracts the polynomial commitment operations. But ensure implementations do not deviate from simplicity or introduce unnecessary complexity not visible here.

In summary, the provided code gives a clear and abstract outline for implementing a multilinear polynomial commitment scheme via Rust traits. The critical aspects like practical implementations, mathematical soundness, and security guarantees heavily rely on the part not covered by this code review snippet.

github-actions · 2026-03-11T20:53:46Z

Kimi AI Review

This PR introduces a new crate, spartan, which implements the Spartan zkSNARK prover for R1CS satisfiability. The implementation is based on the paper by Setty (2019) and combines two phases of the Sumcheck Protocol with a multilinear Polynomial Commitment Scheme (PCS) to produce a succinct proof.

Here are my specific comments and feedback on the PR:

Overall Structure and Documentation:
- The crate structure is well-organized, with clear separation of concerns across modules (r1cs, mle, pcs, prover, verifier).
- README.md provides a good overview of the Spartan protocol and its implementation details.
- Each module has a brief comment describing its purpose.
R1CS Implementation (r1cs.rs):
- The R1CS struct is defined generically over any field F, which is a good design choice for reusability.
- Validation in the new function ensures that the input matrices have consistent dimensions, which is important for correctness.
Multilinear Extension Utilities (mle.rs):
- The encode_witness function correctly pads the witness vector to the next power of two, which is necessary for the MLE encoding.
- The eq_poly function efficiently computes the equality polynomial evaluations using the expansion algorithm.
- The matrix_vector_product_mle function correctly computes the matrix-vector product MLE for a given row index.
Polynomial Commitment Schemes (pcs Module):
- The IsMultilinearPCS trait defines the necessary methods for committing to, opening, and verifying multilinear polynomials.
- The TrivialPCS implementation is useful for testing the Spartan protocol independently of the PCS security.
- The ZeromorphPCS implementation leverages the Zeromorph reduction to univariate KZG openings, providing a succinct and secure PCS.
Spartan Prover (prover.rs):
- The SpartanProver struct and its prove method implement the main logic of the Spartan protocol.
- The use of the Fiat-Shamir heuristic to derive challenges from a transcript ensures that the prover's output is deterministic.
- The prover correctly handles the encoding of the witness, commitment to the witness polynomial, and execution of the sumcheck protocols.
Potential Improvements:
- Consider adding more unit tests to cover edge cases and potential error scenarios.
- The SpartanProof struct could benefit from a Debug implementation for easier debugging and logging.
- The pcs module could be extended with additional PCS implementations, such as Kate commitments, to provide more options for users.
Security Considerations:
- The use of the Fiat-Shamir heuristic introduces a trade-off between soundness and performance. It would be good to document this trade-off and any potential implications for users.
- The security of the Spartan protocol relies on the hardness of the R1CS satisfiability problem and the security of the underlying PCS. It is important to ensure that these assumptions hold in practice.

Overall, this PR introduces a well-structured and documented implementation of the Spartan zkSNARK prover. The code is clear, and the mathematical correctness and cryptographic security appear to be well-handled. With some additional testing and documentation, this crate would be a valuable addition to the lambdaworks cryptographic library.

… fixes

github-actions · 2026-03-11T21:06:21Z

Kimi AI Review

This PR introduces a new crate, lambdaworks-spartan, which implements the Spartan zkSNARK prover for R1CS satisfiability. The code is well-structured and follows good cryptographic and Rust practices. Here are some specific comments:

Cryptographic Security:
- The use of DefaultTranscript for deriving challenges ensures that the Fiat-Shamir heuristic is applied consistently across different parts of the protocol. This is important for maintaining the soundness of the proof system.
- The ZeromorphPCS implementation correctly reduces multilinear evaluations to univariate KZG openings, which is a key component of the Spartan protocol's efficiency.
Performance:
- The use of DenseMultilinearPolynomial for encoding witness and matrix polynomials is appropriate for the small polynomial degrees typically encountered in R1CS proofs.
- The compute_zeromorph_quotients function efficiently computes the quotient polynomials using the halving algorithm, which is crucial for the prover's performance.
Bugs and Errors:
- The R1CS::new function correctly checks for consistent matrix dimensions and ensures that the number of public inputs does not exceed the number of variables. This prevents invalid R1CS instances from being created.
Code Simplicity and Maintainability:
- The code is well-commented, with clear explanations of the protocol's steps and the purpose of each function.
- The use of Rust's Result and Error types for error handling makes the code more robust and easier to maintain.
Specific Comments:
- In crates/provers/spartan/src/prover.rs, the prove function correctly handles the initialization of the Fiat-Shamir transcript and the drawing of challenges. However, it might be beneficial to add more detailed comments explaining the purpose of each transcript append operation and how it relates to the Spartan protocol.
- In crates/provers/spartan/src/pcs/trivial.rs, the TrivialPCS implementation is a good example of how to create a simple PCS for testing purposes. It would be useful to add a warning comment indicating that this implementation is not secure and should not be used in production.

Overall, this PR is well-written and introduces a valuable new crate to the lambdaworks library. The implementation of the Spartan protocol is correct and follows best practices for cryptographic code in Rust.

nicole-graus · 2026-03-12T12:29:47Z

@greptileai please review again.

github-actions

Code review by ChatGPT

github-actions · 2026-03-12T12:48:58Z

+//! Given R1CS matrices A, B, C ∈ F^{m×n} and witness z = (1, x, w) ∈ F^n:
+//!
+//! 1. **Commit**: Commit to witness polynomial z̃
+//! 2. **Outer sumcheck**: Prove ∑_{x ∈ {0,1}^s} eq(τ,x)·[ÃZ(x)·B̃Z(x) − C̃Z(x)] = 0


Correctness

Statement Mistake: The comment change seems to indicate a different reasoning for rejection in the spartan_prove function. Ensure that the code logic for early rejection due to public_inputs[0]=6 ≠ witness[1]=7 is correctly implemented as described.

Security

Constant-Time Operations: Ensure that all cryptographic operations involved in spartan_prove and related functions are conducted in constant time to avoid timing side-channel attacks.

Sensitive Data Handling: Check for proper zeroization of sensitive data after use, particularly in proof-related functions to prevent leakage.

Performance

Efficient Field Operations: Audit the code for unnecessary allocations or field inversions that could be optimized. Ensure MSM (multiscalar multiplication) and FFT (Fast Fourier Transform) are efficiently implemented.

Bugs & Errors

Error Handling: The use of unwrap or similar functions can cause panics if the operation fails. Ensure error handling gracefully returns an error instead of panicking within cryptographic protocols.

Memory Safety: Look out for any unsafe code blocks that may lead to memory safety issues. Make sure operations are checked for integer overflow/underflow.

Code Simplicity

Complexity Reduction: While the code segment provided doesn't show major complexity issues, review related code blocks for opportunities to simplify complex logic or eliminate duplicated code. Ensure proper abstractions are used.

Action Required: Verify the change reasons in comments align with actual logic and address the highlighted concerns for correctness, security, and bugs before considering for merge.

github-actions · 2026-03-12T12:49:14Z

Kimi AI Review

This PR introduces a new crate, lambdaworks-spartan, which implements the Spartan zero-knowledge proof system for R1CS satisfiability. The implementation is comprehensive and includes the prover, verifier, and necessary mathematical utilities. Here are some specific comments on the changes:

Overall Structure and Documentation:

The crate is well-structured, with clear separation of concerns between the prover, verifier, and mathematical utilities. This modularity aids maintainability and testing.
The README.md files provide a good overview of the Spartan protocol and its implementation. It would be helpful to include a brief example of how to use the crate in the lambdaworks-spartan README.

Cryptographic Security:

The use of the Fiat-Shamir heuristic to derive challenges from a transcript is appropriate for constructing a non-interactive proof system. However, it's important to note that this introduces a limitation on the number of times the same witness can be used, as the transcript (and thus challenges) must be unique for each proof to maintain soundness.
The ZeromorphPCS implementation relies on the KZG commitment scheme, which in turn relies on the BLS12-381 pairing-friendly curve. The security of the overall system depends on the hardness of the SXDH problem over BLS12-381, which is well-studied but not yet proven to be quantum-resistant.

Performance:

The use of dense multilinear polynomials for representing the witness and matrices is efficient in terms of both space and computation. However, the prover's work is linear in the number of constraints and variables, which may become a bottleneck for large circuits.
The implementation uses the lambdaworks-sumcheck crate for the sumcheck protocol, which is a good choice for leveraging existing, optimized sumcheck implementations.

Bugs and Errors:

In crates/provers/spartan/src/prover.rs, the run_two_term_sumcheck function appends the initial sum to the transcript using the format [num_vars, 1, claimed_sum]. This assumes that the sumcheck implementation expects the number of variables and a "1" as the first two field elements. It would be good to confirm that this matches the lambdaworks-sumcheck crate's expectations.
The R1CS struct's is_satisfied method checks if the witness satisfies the constraints by computing the matrix-vector products and comparing them to the output matrix. This is correct, but it's worth noting that this method does not account for potential overflows or underflows in the field arithmetic, which could lead to incorrect results if the field size is small.

Code Simplicity and Maintainability:

The code is generally clean and well-commented, making it easy to understand the high-level logic and implementation details.
The use of generic fields (F: IsField) allows the crate to be used with different field implementations, increasing its flexibility and reusability.

Overall, this PR represents a significant addition to the lambdaworks cryptographic library, providing an efficient and transparent zkSNARK implementation for R1CS satisfiability. With some minor improvements and confirmations regarding the interaction with the lambdaworks-sumcheck crate, this implementation could be a valuable tool for applications requiring zero-knowledge proofs.

…icking.

github-actions

Code review by ChatGPT

github-actions · 2026-03-12T13:16:18Z

+    }
 }

 impl<const N: usize, F: IsPrimeField<CanonicalType = UnsignedInteger<N>>, P: IsPairing>


Correctness:

The function srs_size appears correct for counting elements in srs.powers_main_group, assuming powers_main_group correctly represents the number of powers for the SRS.

Security:

Ensure wherever self.srs.powers_main_group is used (especially in operations involving secrets), it operates without exposing timing side-channels. Ensure all related operations are carried out in constant time.

Verify that self.srs and any secret data related to the SRS are properly zeroed out when their lifecycle ends to avoid data leaks.

Performance:

The method srs_size efficiently returns the length of a vector. However, check the context where this method is used to ensure there's no unnecessary computation or indirect impact on performance.

Bugs & Errors:

The code does not appear to have any explicit unwraps or panic scenarios in the provided changes. Ensure that the srs.powers_main_group initialization can't lead to a panic elsewhere.

Code Simplicity:

The addition of the srs_size method simplifies access to the size of the SRS powers and seems to follow good practices. There is no indication of increased complexity.

Additional Note:

Cross-verify if powers_main_group is correctly populated elsewhere in the codebase to ensure that its length is always valid and accurate.

Overall, the code doesn't show any immediate threat regarding correctness or security but lacks context for complete assurance. Focus on verifying the assumptions made about srs. Therefore, the changes aren't ready to be merged without further validation of security and correctness in the complete context.

github-actions · 2026-03-12T13:16:18Z

+    pub z_f: FieldElement<F>,
+    /// Evaluations of each q̂_k at the random challenge x.
+    pub z_qs: Vec<FieldElement<F>>,
+    /// Batched KZG opening proof.


Correctness:

The added checks for SRS size are correct in ensuring that the polynomial has a proper number of evaluations compared to the SRS size.

Security:

Ensure constant-time operations in the KZG commitment if not already guaranteed. This is crucial for avoiding timing side-channel attacks.

The error message potentially leaks the size of the polynomial and the SRS. Consider if this is appropriate or if it might reveal too much information in certain contexts.

Performance:

No immediate concerns with performance based on the given changes.

Bugs & Errors:

In the test test_zeromorph_undersized_srs_returns_error, directly unwrapping the error message might panic if the result is Ok. This is guarded by the assert!(result.is_err()..., but be aware of tight coupling between the assertion and the error extraction logic.

Code Simplicity:

Code additions are clear and straightforward with appropriate error handling.

Recommendations:

Review any cryptographic operations for constant-time execution to prevent side-channel attacks. Specifically, check the underlying Kzg::commit method.

Consider refining error messages to avoid revealing potentially sensitive information about internal stateslessly that does not undermine their usefulness for debugging.

Overall, the changes introduce necessary checks to prevent incorrect polynomial commitments when the SRS is undersized, but minor adjustments for error handling and security should be considered before merging.

github-actions · 2026-03-12T13:16:28Z

Kimi AI Review

The PR diff you've provided introduces a new crate for the Spartan zero-knowledge proof system, including its implementation and associated documentation. Here are my reviews on the changes:

Cargo.toml

a/Cargo.toml

No issues found.

b/Cargo.toml

The addition of crates/provers/spartan is correct and follows the existing pattern for other prover crates.
The new dependency lambdaworks-spartan is correctly added under [dependencies] and [dev-dependencies] where needed.

README.md

a/README.md

No issues found.

b/README.md

The addition of the Spartan section is appropriate and provides a good overview of the prover.
The reference to the Spartan paper is correct and the description accurately reflects the properties of the Spartan prover.

crypto/src/commitments/kzg.rs

a/crypto/src/commitments/kzg.rs

No issues found.

b/crypto/src/commitments/kzg.rs

The new method srs_size is a useful addition for determining the size of the SRS. This is important for ensuring the SRS is large enough for a given application.
The method signature and implementation look correct.

crypto/src/commitments/mod.rs

a/crypto/src/commitments/mod.rs

No issues found.

b/crypto/src/commitments/mod.rs

The new modules multilinear and zeromorph are correctly added to the commitments module.
This change is consistent with the existing structure and naming conventions.

crypto/src/commitments/multilinear.rs

b/crypto/src/commitments/multilinear.rs

This is a new file introducing a trait for multilinear polynomial commitment schemes.
The trait IsMultilinearPCS is well-defined and includes necessary methods for committing, opening, and verifying.
The error type PcsError is a simple but effective way to handle errors in the PCS implementations.

crypto/src/commitments/zeromorph.rs

b/crypto/src/commitments/zeromorph.rs

This is a new file implementing the Zeromorph PCS.
The implementation is comprehensive and includes methods for committing, opening, and verifying.
The use of DenseMultilinearPolynomial is appropriate for representing the polynomials involved in the Zeromorph scheme.
The ZeromorphPCS struct and associated types are well-defined and follow the IsMultilinearPCS trait correctly.

provers/README.md

a/provers/README.md

No issues found.

b/provers/README.md

The addition of the Spartan section is correct and provides a good overview of the prover.
The reference to the Spartan paper is correct and the description accurately reflects the properties of the Spartan prover.

provers/spartan/Cargo.toml

b/provers/spartan/Cargo.toml

This is a new file for the Spartan crate.
The dependencies are correctly specified, including thiserror, lambdaworks-math, lambdaworks-crypto, and lambdaworks-sumcheck.
The crate name and version are correctly set.

provers/spartan/README.md

b/provers/spartan/README.md

This is a new file providing an overview of the Spartan implementation.
The description is accurate and provides a good understanding of the Spartan protocol.
The API documentation is clear and the example usage is helpful for understanding how to use the Spartan prover.

provers/spartan/src/errors.rs

b/provers/spartan/src/errors.rs

This is a new file defining error types for the Spartan prover.
The SpartanError enum is well-defined and covers various error cases that can occur during the proving process.
The use of thiserror for error implementation is appropriate and provides clear error messages.

provers/spartan/src/lib.rs

b/provers/spartan/src/lib.rs

This is a new file implementing the Spartan prover.
The structure is clear and modular, with separate modules for errors, MLE, PCS, prover, R1CS, and verifier.
The spartan_prove and spartan_verify functions are convenient entry points for using the Spartan prover.
The tests cover various scenarios, including R1CS satisfaction, MLE encoding, and prove/verify correctness.

provers/spartan/src/mle.rs

b/provers/spartan/src/mle.rs

This is a new file providing utilities for encoding R1CS matrices and witness vectors as multilinear extensions (MLEs).
The functions for encoding witnesses and matrices as MLEs are correct and

github-actions

Code review by ChatGPT

github-actions · 2026-03-12T13:22:02Z

+{
+    kzg: KateZaveruchaGoldberg<F, P>,
+}
+


Correctness:

Polynomial and FFT implementations: The test is checking that committing with an undersized SRS fails, which is good. However, it's critical to ensure elsewhere in the library that polynomial operations, especially those involving FFT, handle edge cases such as zero polynomials correctly.

Security:

Timing side-channels: Ensure that secret operations within the commit function and any polynomial-related computations are constant-time.

Proper zeroization of sensitive data: Check that sensitive data, once used, is properly zeroized.

Cryptographically secure randomness: No issues here regarding randomness in the test, but ensure that other parts of the library use a cryptographically secure PRNG.

No secret-dependent branching: Ensure the commit method and related operations do not branch on secret data.

Hash function domain separation: Ensure hash functions used in proof systems properly separate different domains to avoid cross-domain collisions.

Performance:

Unnecessary allocations: The construction of the evals vector could be more efficient if performance is critical, but the current setup for readability is reasonable within a test context.

Redundant field inversions: Ensure that inversions are minimized throughout the library.

Bugs & Errors:

Potential panics or unwraps: Using .unwrap() on result.err() assumes the result is always Err, given the preceding assertion passes. Consider using more robust error handling to avoid panics in unexpected cases.

Memory safety issues, Off-by-one errors, Integer overflow/underflow: No new issues introduced in this test context, but verify in commit and elsewhere.

Code Simplicity:

Duplicated code: The formatting change of evals improves readability; confirm similar clarity elsewhere in the codebase.

Based on the current changes, while the test addition itself is not problematic, there are broader security and error-handling aspects that need attention before a confident approval can be given.

github-actions · 2026-03-12T13:22:16Z

Kimi AI Review

This PR introduces a new crate, spartan, which implements the Spartan zero-knowledge proof system for R1CS satisfiability. The code is well-structured and follows good Rust practices. Here are some specific comments on the changes:

Cargo.toml

The new crate spartan is added correctly with its dependencies. (a/Cargo.toml)
The crate is also added to the workspace members list. (a/Cargo.toml)

README.md

The README file is updated to include the new spartan crate, which is good for documentation. (a/README.md)

src/commitments/mod.rs

The new multilinear and zeromorph modules are added correctly. (a/crates/crypto/src/commitments/mod.rs)

src/commitments/multilinear.rs

This file defines the IsMultilinearPCS trait and the PcsError type. It looks good and follows the expected interface for a polynomial commitment scheme. (a/crates/crypto/src/commitments/multilinear.rs)

src/commitments/zeromorph.rs

This file implements the Zeromorph PCS, which is a reduction from multilinear evaluations to univariate KZG openings. The code seems correct and well-documented. (a/crates/crypto/src/commitments/zeromorph.rs)

src/provers/spartan/Cargo.toml

The new spartan crate's Cargo.toml is set up correctly with dependencies on lambdaworks-math and lambdaworks-crypto. (a/crates/provers/spartan/Cargo.toml)

src/provers/spartan/README.md

The README file for the spartan crate provides a good overview of the implementation and usage. (a/crates/provers/spartan/README.md)

src/provers/spartan/src/errors.rs

The SpartanError enum is defined correctly, covering various error cases that can occur during the proving process. (a/crates/provers/spartan/src/errors.rs)

src/provers/spartan/src/lib.rs

The main library file for spartan is well-organized, with clear separation of concerns between the prover and verifier implementations. The use of the IsMultilinearPCS trait allows for flexibility in choosing the underlying PCS. (a/crates/provers/spartan/src/lib.rs)

src/provers/spartan/src/mle.rs

This file provides utility functions for encoding R1CS matrices and witness vectors as multilinear extensions (MLEs). The functions seem correct and well-tested. (a/crates/provers/spartan/src/mle.rs)

src/provers/spartan/src/pcs/mod.rs

The pcs module is organized well, with separate implementations for TrivialPCS and ZeromorphPCS. (a/crates/provers/spartan/src/pcs/mod.rs)

src/provers/spartan/src/pcs/trivial.rs

The TrivialPCS implementation is a simple non-hiding PCS used for testing. It works as expected. (a/crates/provers/spartan/src/pcs/trivial.rs)

src/provers/spartan/src/prover.rs

The SpartanProver implementation follows the Spartan protocol correctly, with clear steps for committing to the witness polynomial, running sumcheck protocols, and opening the PCS. The code is well-commented and easy to follow. (a/crates/provers/spartan/src/prover.rs)

src/provers/spartan/src/r1cs.rs

The R1CS struct and its implementation are correct, providing a generic R1CS definition that can be used with different fields. (a/crates/provers/spartan/src/r1cs.rs)

Overall, the PR is well-done and introduces a new crate for the Spartan zero-knowledge proof system. The code is clean, well-documented, and follows good Rust practices. The implementation seems correct, and the tests cover various aspects of the protocol. I would recommend approving this PR.

github-actions · 2026-03-16T15:05:23Z

Kimi AI Review

This PR introduces a new cryptographic library component for lambdaworks, specifically focusing on the Spartan zero-knowledge proof system. The changes include additions to the Cargo.toml files for dependency management, README updates for documentation, and implementation files for the cryptographic protocols. Here are my detailed comments on the changes:

`Cargo.toml` Changes

Added spartan crate: The spartan crate has been added to the workspace members and dependencies. This is correct and necessary for including the new crate in the build process.

README Updates

Documentation Updates: The README files have been updated to include documentation for the spartan crate. This is important for users to understand the new functionality and usage.

Implementation Files

kzg.rs:
- The addition of the srs_size method is a useful utility for determining the size of the SRS. This is correct and improves the usability of the KateZaveruchaGoldberg struct.
multilinear.rs:
- This new file introduces a trait IsMultilinearPCS for multilinear polynomial commitment schemes. The trait and error handling are correctly defined.
zeromorph.rs:
- This new file implements the Zeromorph PCS, which is a reduction from multilinear evaluations to univariate KZG openings. The implementation seems thorough and includes necessary components like ZeromorphPCS, ZeromorphCommitment, and ZeromorphProof.
spartan/src/errors.rs:
- The SpartanError enum is correctly defined to handle various error cases in the Spartan protocol. This is necessary for robust error handling.
spartan/src/lib.rs:
- This file provides the main API for the Spartan prover and verifier. The functions spartan_prove and spartan_verify are correctly implemented to use the SpartanProver and SpartanVerifier structs.
spartan/src/mle.rs:
- The multilinear extension utilities are correctly implemented. Functions like encode_witness, eq_poly, and matrix_vector_product_mle are essential for the Spartan protocol.
spartan/src/pcs/mod.rs:
- The module correctly re-exports the IsMultilinearPCS trait and provides implementations for TrivialPCS and ZeromorphPCS.
spartan/src/pcs/trivial.rs:
- The TrivialPCS implementation is a simple commitment scheme for testing purposes. It correctly stores all evaluations as the commitment.
spartan/src/prover.rs:
- The SpartanProver struct and its prove method are correctly implemented. The method follows the Spartan protocol steps, including committing to the witness polynomial, running sumcheck protocols, and providing a PCS opening.
spartan/src/r1cs.rs:
- The R1CS struct is correctly defined to represent a generic Rank-1 Constraint System. The new method correctly validates the input matrices.

General Comments

Documentation: The documentation in the README files and implementation files is thorough and helpful for understanding the new spartan crate.
Error Handling: The use of the SpartanError enum for error handling is consistent and covers various error cases.
Security: The implementation appears to follow the Spartan protocol correctly, which is designed to be a secure zero-knowledge proof system without a trusted setup.
Performance: The use of DenseMultilinearPolynomial and other mathematical utilities should provide good performance for the cryptographic operations.

Overall, the changes introduce a well-structured and secure implementation of the Spartan zero-knowledge proof system. The code is well-documented, follows best practices for error handling and security, and should perform well in practice.

…tely The R1CS constant z[0]=1 is a public input like any other. Instead of a separate constant_proof field, include index 0 in the public_input_proofs loop alongside x_1..x_l. The verifier now checks indices 0..=l where: index 0: z̃(bits(0)) = 1 (constant term) index i: z̃(bits(i)) = public_inputs[i-1] for i in 1..=l This matches the paper's treatment of (1, io) as a single public vector.

github-actions

Code review by ChatGPT

github-actions · 2026-03-16T23:34:08Z

+pub struct SpartanProver<F, PCS>
+where
+    F: IsField,
+    F::BaseType: Send + Sync,


Correctness:

The removal of the constant_proof and its corresponding proof verification step is concerning. This proof ensures that the R1CS constant term equals 1, which is crucial for the authenticity of the R1CS system. Without it, a malicious prover could set z[0] ≠ 1.

Security:

The code does not mention specific measures for preventing timing side-channel attacks, particularly in operations involving secret data. Ensure operations are constant-time where necessary.

Ensure that sensitive data is properly zeroized when no longer needed, especially if the library is intended for cryptographic uses.

Randomness in cryptographic protocols must be securely generated, with no indication in the snippet if this is handled elsewhere.

Performance:

The code does not explain if any optimizations like batch verification or pre-computation are used for proof systems. Consider adding comments if these optimizations are present or possible.

Ensure that there are no redundant field inversions or unnecessary memory allocations in the remainder of the code, as these can impact performance.

Bugs & Errors:

The error handling wraps errors in SpartanError::PcsError, which is good practice. Ensure that this pattern is consistently applied to cover potential panics or unwraps.

Verify that memory safety is maintained throughout, especially in areas not shown in this snippet.

Code Simplicity:

The code reduction appears to simplify by consolidating public input proof handling, which is beneficial provided this change does not affect correctness. However, verify that the simplification aligns with the system's mathematical requirements.

Consider documenting the rationale for changes that involve mathematical transformations or security properties shifts, as this aids in understanding the implication of changes.

The code is generally well-structured for clarity, but due to the potential security issue related to the missing constant_proof, it is not ready for merging.

github-actions · 2026-03-16T23:34:08Z

+        transcript.append_bytes(b"witness_commitment");
+        transcript.append_bytes(&PCS::serialize_commitment(&proof.witness_commitment));
+
+        // -----------------------------------------------------------------------


Correctness:

The change from i + 1 to i in index_to_multilinear_point::<F>(i, n_witness_vars) raises a concern. This alteration means that verification will now begin with the first element z[0] and move accordingly, which does not align with the comment stating index i: z̃(bits(i)) = public_inputs[i-1] for i in 1..=l. This could skip the step for constant term z[0] = 1, thus causing inconsistency with proof checks.

The removal of step 11 checking z̃(0,...,0) = 1 directly from the R1CS terms appears risky. The comment z̃(bits(0)) = 1 (R1CS constant) seems to overlook explicit checks, raising potential vulnerabilities when ensuring conventions are intact.

Security:

The transitioning removal of explicit zero-point checks for z[0] = 1 could indicate a side-channel attack vector, permitting unchecked variances in proofs.

Performance:

No evident performance issues arise since this modification mainly pertains to validation logic.

Bugs & Errors:

Given that iter::enumerate() is used, skipping logic upon adjustments now may result in incorrect incremental steps or overlooked validations.

Code Simplicity:

The code has introduced more implicit checks and compactness, however at the potential expense of clarity in handling edge cases like identity or constant term verifications.

Overall, due to the mentioned discrepancies in proof validation logic and the risk of bypassing constant term requirements, these changes should be further evaluated before merging.

github-actions · 2026-03-16T23:34:10Z

Kimi AI Review

The PR diff introduces a significant amount of new code for the Spartan zero-knowledge proof system, including its prover, verifier, and polynomial commitment scheme (PCS) components. Here are my specific feedback and concerns:

General Feedback

Documentation and Comments: The code is well-documented with extensive comments and a README that explains the Spartan protocol and its implementation details. This is crucial for maintainability and understanding the codebase.
Modular Design: The code is modular, with separate files for the R1CS, PCS, prover, and verifier. This organization helps in isolating functionality and managing complexity.
Use of Generics and Traits: The use of generics and traits like IsField and IsMultilinearPCS ensures flexibility and reusability across different fields and PCS implementations.

Specific Concerns

Error Handling:
- In kzg.rs, line 142: The new method srs_size is added. Ensure that this method is used consistently and correctly across the codebase where SRS size is required.
- In spartan/src/pcs/trivial.rs, the TrivialPCS implementation does not handle potential errors in polynomial evaluation. Consider adding error handling for cases where polynomial evaluation might fail.
Cryptographic Security:
- In spartan/src/prover.rs, the Fiat-Shamir heuristic is used to derive challenges. While this is common practice, it's essential to note that the security of the system relies on the cryptographic hash function used by the transcript. Ensure that the transcript uses a secure hash function.
- The ZeromorphPCS implementation relies on the KZG commitment scheme. Verify that the KZG scheme is implemented securely, especially regarding the generation and use of the structured reference string (SRS).
Performance:
- The SpartanProver and SpartanVerifier involve multiple polynomial evaluations and commitments. Profile the performance of these operations, especially for large R1CS instances, and optimize if necessary.
- Consider the impact of serialization and deserialization of polynomials and commitments on performance, especially in the context of IPC or networked applications.
Code Simplicity and Maintainability:
- The SpartanProof struct contains many fields, which can make it complex to manage. Consider simplifying the proof structure if possible, or adding methods to manipulate or verify the proof more easily.
- The use of PhantomData in SpartanProver and SpartanVerifier is correct for generic types, but ensure that it does not lead to unnecessary complexity or confusion for maintainers.
Testing:
- The tests in spartan/src/mle.rs and spartan/src/pcs/trivial.rs are thorough. However, consider adding more tests for edge cases, such as empty polynomials or maximum-sized R1CS instances.
- Add tests for the SpartanProver and SpartanVerifier to ensure they handle various inputs correctly, including invalid or malicious inputs.
Potential Bugs and Panics:
- In spartan/src/prover.rs, ensure that the prover handles cases where the witness does not satisfy the R1CS constraints. The prover should either reject the witness or produce a proof that the verifier will reject.
- In spartan/src/pcs/mod.rs, verify that the IsMultilinearPCS trait is implemented correctly for all PCS backends, especially regarding error handling and commitment scheme properties.

Conclusion

The PR introduces a comprehensive implementation of the Spartan zero-knowledge proof system. While the code is well-structured and documented, it is crucial to focus on security aspects, performance optimization, and thorough testing to ensure the system's reliability and security in various scenarios.

Rustcraft review fixes: - Replace manual log2 loops with trailing_zeros() in prover and verifier - Use -v instead of FieldElement::zero() - v for negation - Extract dot_product helper, deduplicate AZ/BZ/CZ computation - Use append_round_poly_to_transcript in outer sumcheck (was inlined) - Unify two nearly-identical sumcheck verifier functions into one with a num_terms parameter - Extract append_sparse_matrix helper in transcript.rs (3x copy-paste -> 1) - Hoist (1 - tau_i) out of inner loop in eq_poly - Remove redundant is_power_of_two branch in next_power_of_two

github-actions · 2026-03-17T00:07:33Z

Kimi AI Review

This PR introduces a new crate lambdaworks-spartan for implementing the Spartan zero-knowledge proof system. The changes are extensive and involve multiple files. Here are my specific comments and feedback:

`Cargo.toml` Changes

New dependency lambdaworks-spartan:
- The new crate is added correctly with the path dependency.
- The feature flags should be consistent with other crates. If std is required, it should be added.

`README.md` Changes

Spartan Documentation:
- The new section on Spartan is well-written and provides a good overview.
- Consider adding a brief mention of the security assumptions and any limitations.

`kzg.rs` Changes

srs_size Method:
- This method is useful for determining the size of the SRS. Ensure it is used consistently throughout the codebase.

`multilinear.rs` Changes

New File:
- This file defines the IsMultilinearPCS trait, which is crucial for the Spartan implementation.
- The error handling and trait methods are well-defined.

`zeromorph.rs` Changes

New File:
- This file implements the Zeromorph PCS, which is a key component of the Spartan prover.
- The implementation is comprehensive and follows the Zeromorph paper closely.
- Consider adding more comments to explain the halving algorithm and other critical parts.

`provers/README.md` Changes

Spartan Description:
- The description of Spartan is accurate and informative.
- Consider adding a brief comparison with other provers in terms of performance and security assumptions.

`spartan/Cargo.toml` Changes

New Crate:
- The crate is set up correctly with the necessary dependencies.
- Ensure that the std feature is used consistently across all crates.

`spartan/src/errors.rs` Changes

Error Handling:
- The error types are well-defined and cover various aspects of the Spartan prover.
- Consider using a common error handling approach with other crates in the lambdaworks ecosystem.

`spartan/src/lib.rs` Changes

Public API:
- The public API is clean and well-organized.
- Consider adding more documentation to the main functions, especially spartan_prove and spartan_verify.

`spartan/src/mle.rs` Changes

Multilinear Extension Utilities:
- These utilities are essential for the Spartan prover and are implemented correctly.
- The eq_poly and matrix_vector_product_mle functions are particularly important and should be thoroughly tested.

`spartan/src/pcs/mod.rs` Changes

PCS Trait and Implementations:
- The IsMultilinearPCS trait is correctly re-exported.
- The TrivialPCS and ZeromorphPCS implementations are necessary for testing and production use cases.

`spartan/src/pcs/trivial.rs` Changes

Trivial PCS:
- This implementation is useful for testing and should be clearly marked as non-production code.
- Consider adding more comments to explain the limitations and use cases.

`spartan/src/prover.rs` Changes

Spartan Prover Implementation:
- The prover follows the Spartan protocol correctly.
- The use of Fiat-Shamir for challenge generation is appropriate.
- Consider adding more comments to explain the protocol steps and error handling.

`spartan/src/r1cs.rs` Changes

R1CS Structure:
- The R1CS structure is well-defined and generic over any field.
- Consider adding more methods to validate the R1CS instance or to perform common operations.

Overall, the PR is well-structured and introduces a significant new feature to the lambdaworks ecosystem. The implementation is thorough and follows best practices. However, ensure that the documentation and comments are comprehensive to aid maintainability and understanding.

github-actions

Code review by ChatGPT

github-actions · 2026-03-17T00:07:33Z

+///
+/// The witness z is padded to the next power of 2 with zeros.
+/// The resulting MLE has log₂(padded_len) variables.
+///


Correctness

The updated next_power_of_two function no longer correctly handles cases where n is already a power of two, as it previously checked n.is_power_of_two(). Now, it will only correctly return n if n.next_power_of_two() actually returns n itself.

Security

Ensure that removing if n.is_power_of_two() still guarantees constant-time execution with respect to public inputs, as this might introduce subtle timing variations otherwise.

Bugs & Errors

Since n = 0 does not satisfy any logical power computation besides the one hardcoded as mentioned, it is correctly being addressed, but the removal of checking n.is_power_of_two() could lead to incorrect behavior, especially when efficiency is paramount.

Performance

The reordering in the loop starting on line 93 may slightly optimize cache locality by constructing one_minus_tau_i outside of the loop, but this reordering seems unnecessary if the values of tau_i have locality to begin with.

Code Simplicity

The function logic for next_power_of_two is simplified, but the simplification led to a correctness issue as mentioned earlier. The removed check for n.is_power_of_two() was serving a functional purpose.

github-actions · 2026-03-17T00:07:33Z

+    FieldElement<F>: ByteConversion,
+{
+    transcript.append_bytes(b"public_inputs");
+    transcript.append_bytes(&(public_inputs.len() as u64).to_be_bytes());


Correctness

Polynomial and FFT Implementations: The code provided does not directly show FFT implementations, but ensure any polynomial transformations maintain correctness.

Security

Timing Side-Channels: It's not clear if cryptographic operations such as FieldElement::zero() checks or transcript.append_field_element are constant time. Ensure these operations are constant-time to avoid timing attacks.

Zeroization: No explicit zeroization or secure clearing of sensitive cryptographic data is observed, which could leave data vulnerable in memory.

Cryptographically Secure Randomness: Not directly visible in the diff, but ensure any randomness is cryptographically secure.

Performance

Unnecessary Allocations: The refactoring to the append_sparse_matrix function looks beneficial in reducing code duplication, but it's not clear from the diff if there are unnecessary allocations elsewhere, such as inside loops where items can be reused.

Bugs & Errors

Potential Panics or Unwraps: There's no obvious unwrap or explicit panic calls in the provided diff, but broader checks should be performed across the library.

Code Simplicity

Duplicated Code: The refactored function considerably reduces repeated code by abstracting the matrix appending logic. This is a positive change towards simplicity and readability.

Overall

The refactor to use a function for appending sparse matrices reduces code duplication and simplifies the original code. However, there is a potential concern regarding the security implications of the cryptographic operations and memory handling which could affect the library's security profile. Addressing these issues should precede merging.

github-actions · 2026-03-17T00:07:33Z

+        // Step 7: Verify inner sumcheck
+        // -----------------------------------------------------------------------
+        transcript.append_bytes(b"inner_sumcheck");
+


Correctness:

The changes in the verify_sumcheck_round_polys function simplify the code by merging two implementations, but they require careful validation to ensure correctness. It's crucial to ensure that the new combined function verify_sumcheck_round_polys correctly handles both the outer (cubic) and inner (quadratic) sumcheck cases. Please double-check that the handling of num_terms and the transcript format for both cases are correct and align with the protocol specifications.

Security:

The changes have retained the approach to appending critical elements to the transcript and sampling challenges. Ensure that these operations are done securely and in constant time to avoid timing side-channels.

Verify that FieldElement operations, especially in situations like g_j.evaluate, are constant-time to prevent leaking information about the input.

Performance:

The rewritten loop and functions appear to avoid unnecessary allocations, which is good. Ensure that the recursion and challenge sampling do not introduce performance regressions.

Bugs & Errors:

Ensure no off-by-one errors were introduced by changes in iterating over rounds or in polynomial operations. Any incorrect handling of indices or degree calculations could compromise the proof system's validity.

Double-check for any potential issues with field element conversions that could result in implicit panics.

Code Simplicity:

The refactoring to use a single function (verify_sumcheck_round_polys) instead of two distinct ones simplifies the code base and reduces duplication. However, strict validation is necessary to ensure that this does not introduce incorrect behavior when handling different types of sumchecks.

Overall, there are improvements in code simplicity but concerns about correctness, especially regarding the handling of different sumcheck cases, need to be addressed before merging.

Introduce SparseMatrix<F> storing Vec<SparseEntry<F>> in (row, col)-sorted COO format. All matrix operations in R1CS, MLE, prover, verifier, and transcript now iterate only non-zero entries, fixing the O(m*n) asymptotics to O(k + m) where k = number of non-zero entries. - Add sparse_matrix.rs with SparseEntry, SparseMatrix types and from_dense() - Convert R1CS struct fields to SparseMatrix, add from_dense() constructor - Rewrite mle.rs matrix operations for sparse iteration - Update transcript to iterate COO entries directly - Update prover compute_mz closure, remove dead dot_product helper - Update all tests to use from_dense(), add sparse construction tests - Update benchmarks to build circuits with sparse construction - Add criterion dev-dependency for benchmarks

The chain circuit placed x_0 at variable index 1 but claimed x_n as the public input. The prover correctly rejected this mismatch. Fix by placing the output at index 1 to match the R1CS convention z = (1, x, w).

- Use += instead of manual assign-op pattern in mle.rs and prover.rs - Use Vec::with_capacity + push instead of zero-fill in eq_poly - Use iterator instead of index loop in eq_poly - Remove redundant intermediate binding in eq_evals - Use into_iter for consumed cz_evals negation (avoid clone) - Move instead of clone for MLE polynomials consumed by sumcheck - Swap clone to avoid cloning into challenges vec - Remove unnecessary .clone() on Copy field elements in benchmarks

github-actions · 2026-03-17T18:24:03Z

Kimi AI Review

The PR diff introduces a new cryptographic prover, Spartan, along with its dependencies and implementations for multilinear polynomial commitment schemes (PCS). Here are my specific feedback and concerns:

General Feedback

Documentation and Comments: The code is well-documented with comments explaining the purpose and functionality of each module and struct. This is crucial for maintainability and understanding the codebase.
Modular Design: The separation of concerns is well-handled, with different crates and modules handling specific aspects of the Spartan prover, such as R1CS, PCS, and sumcheck protocols.
Use of Generics and Traits: The use of generics and traits allows for flexibility and reusability of the code across different fields and cryptographic primitives.

Specific Concerns

Security of Spartan Implementation:
- Trusted Setup: Spartan is claimed to be trustless. However, the implementation relies on a PCS (e.g., ZeromorphPCS) which itself might require a trusted setup depending on its construction. Ensure that the PCS used in production does not introduce a trusted setup vulnerability.
- Soundness: The soundness of the Spartan prover relies on the correctness and security of the underlying sumcheck protocol and PCS. Verify that the implementation aligns with the security proofs of the underlying primitives.
Performance:
- Allocations: The code seems to use dynamic memory allocations extensively (e.g., Vec, Result, Option). Consider the performance implications, especially in the context of proving and verification, where these operations might be nested or repeated. Profile the code to identify bottlenecks and optimize if necessary.
- Optimization Opportunities: Look for opportunities to optimize polynomial evaluations and commitments, as these are performance-critical paths in the prover.
Correctness:
- Field Operations: Verify that all field operations are correct and consistent with the mathematical definitions. Pay special attention to modular arithmetic and field element representations.
- Polynomial Commitments: Ensure that the polynomial commitment scheme correctly implements the required properties, such as binding, hiding, and computational soundness.
Cryptographic Security:
- Constant-Time Operations: Verify that the implementation uses constant-time operations where necessary to prevent timing attacks.
- Randomness: Ensure that the source of randomness is cryptographically secure and suitable for the application.
Code Simplicity and Maintainability:
- Error Handling: The use of Result and SpartanError for error handling is appropriate. However, ensure that error messages are informative and help with debugging.
- Testing: The code includes unit tests, which is good. Consider adding integration tests that cover the end-to-end flow of the prover and verifier to ensure the system works correctly in various scenarios.
Documentation:
- README.md: The README.md files provide an overview of the Spartan prover and its components. Consider adding more details about the security assumptions, performance characteristics, and usage examples.
License and Attribution:
- Third-Party Code: If the implementation relies on third-party code or algorithms, ensure proper attribution and compliance with the respective licenses.

Conclusion

The PR introduces a significant addition to the lambdaworks cryptographic library. It is important to thoroughly review the security, correctness, and performance aspects of the implementation. The provided feedback should be addressed to ensure the robustness and reliability of the Spartan prover.

github-actions

Code review by ChatGPT

github-actions · 2026-03-17T18:24:20Z

+    let mut a_entries = Vec::with_capacity(n);
+    let mut b_entries = Vec::with_capacity(n);
+    let mut c_entries = Vec::with_capacity(n);
+


Correctness:

Zero, identity elements, infinity points: Ensure that field operations correctly handle identity elements and check edge case handling in matrix and polynomial operations. No specific issues were identified regarding modular arithmetic, polynomial, and FFT implementations in this snippet.

Security:

Unwrap/Expect: Make sure that unwrap() calls, particularly when creating the sparse matrices or R1CS, are checked for situations where they might panic on failure. Consider using error handling with Result instead of ignoring potential errors.

Timing side-channels: There is no immediate indication of timing side-channel issues from the code, but ensure that all operations dealing with secrets are constant-time once incorporated into broader library context.

Performance:

Allocation: No unnecessary allocations are observed apart from extending the vector witness, which is efficient given the use of Vec::with_capacity.

Redundant Operations: Consider reviewing how frequently elements like one and chain are being cloned or utilized without consideration for borrowing or cheap copies, although currently refactored to avoid redudancy.

Bugs & Errors:

Panics: The unwrap() usage with SparseMatrix::new and R1CS::new poses a risk for panics, which should be handled properly to avoid error bounds disruption.

Memory Safety: No explicit memory safety issues are apparent; the use of Vec suggests safe encoding.

Code Simplicity:

Code Reuse: The cloning removal for one is a positive adjustment, reducing duplicative effort. However, ensure the expectations around mutability and lifetime are maintained.

Without addressing the use of unwrap() and ensuring proper error handling, especially in a cryptographic context where a failure can be systemic, merging the changes could pose a risk. Please refactor to incorporate these checks for safekeeping.

github-actions · 2026-03-17T18:24:20Z

+    DenseMultilinearPolynomial::new(results)
+}
+
+/// Computes eq(tau, x) multilinear polynomial evaluations on {0,1}^s.


Correctness:

The operation and logic look correct in the context of polynomial evaluations and expansions. However, the edge cases like zero or identity element handling in finite field operations were not explicitly covered in the given diff, and it should be ensured that such cases are tested elsewhere.

Security:

Timing side-channels: Arithmetic operations on FieldElement should be checked if they are implemented in a constant-time manner to avoid leaking secret-dependent timing information.

Zeroization of sensitive data: There is no clear handling or zeroization of sensitive data once it's no longer needed, which is important for security-critical applications.

Performance:

Unnecessary Allocations: The use of Vec::with_capacity instead of vec![FieldElement::zero(); half * 2] is a good performance improvement as it avoids initial zeroization which might not be necessary.

MSM and FFT Efficiency: Concern regarding FFT efficiency cannot be fully evaluated with the provided diff context, but should be reviewed in the larger scope.

Bugs & Errors:

No evident panics, unwraps, or memory safety issues in the provided code segment. However, it is essential to know how FieldElement is implemented to prevent integer overflow/underflow.

Code Simplicity:

Simplification & Abstractions: The removal of the to_vec call reduces redundant operations.

The code uses domain-specific operations adequately but should ensure that these functionalities are abstracted correctly, especially if used often.

General Recommendation:

Ensure sufficient test coverage for edge cases.

Verify that all arithmetic operations on potentially sensitive data are constant-time.

Zeroize data that shouldn't remain in memory longer than necessary.

Consider a review of the complete FieldElement type to ensure the integrity of mathematical operations regarding security and correctness.

github-actions · 2026-03-17T18:24:21Z

+    F::BaseType: Send + Sync,
+    PCS: IsMultilinearPCS<F>,
+{
+    /// Commitment to the witness polynomial z̃


Correctness

The change from evals[entry.row] = &evals[entry.row] + &entry.val * &witness_z[entry.col]; to evals[entry.row] += &entry.val * &witness_z[entry.col]; is correct and maintains the intended mathematical operation. There are no immediate correctness concerns here.

Using cz_evals.into_iter() instead of cz_evals.iter() will consume the cz_evals vector, which prevents its future use. Ensure this is intended.

Security

Ensure that operations on secret field elements (if any) are implemented in constant time to prevent timing side-channel attacks.

Evaluate whether sensitive data needs explicit clearing/zeroization after use to prevent residual data leaks.

Confirm that transcript.sample_field_element() uses a cryptographically secure random number generator.

Performance

The current change set does not include any unnecessary allocations or redundant operations. The in-place operations with += could improve performance by avoiding temporary allocations.

Bugs & Errors

Ensure any arithmetic operations that could potentially panic (such as division by zero) are carefully evaluated, even if not explicitly noted in this diff.

The use of ? for error propagation is appropriate, but ensure that upward method signatures handle potential errors effectively.

Code Simplicity

Some cloning (e.g., r.clone()) might be unnecessary since FieldElement should efficiently handle copies if it's small. Consider the implications of these clones on both readability and performance.

Other Recommendations

Consider adding unit tests if more edge cases arise during this refactoring, especially when changing from iterators to into_iter or vice versa.

Review overall lifecycle and ownership of the variables post-modification to avoid unexpected behaviors or use-after-move errors.

Conclusion

While the current changes seem to be in the right direction, a few concerns about iterator consumption, potential zeroization, and security arise that require further verification before merging.

Remove .clone() calls on Copy field elements (U64PrimeField<101>) and unnecessary reference operators on Copy operands in test code.

github-actions

Code review by ChatGPT

github-actions · 2026-03-17T18:30:26Z

+//! 4. **PCS opening**: Open z̃ at inner sumcheck challenge point r_y
+//!
+//! # References
+//!


Correctness

Modular Arithmetic: Ensure the field element operations utilize traits that implement modular arithmetic rather than relying on assumptions about overflow behavior.

Edge Cases: The code doesn't explicitly check for zero or identity handling. Review to ensure zero multiplication and identity elements are properly managed.

Security

Constant-time Operations: The code is handling field elements, ensure the arithmetic is performed in a constant-time manner, especially in loops over secret data.

Zeroization: Sensitive data (e.g., witness elements) should be zeroized after use. Ensure proper memory management and avoid caching secrets in unprotected memory.

Secret-dependent Branching: The loop operations are currently unspecified on whether they use secret-dependent conditions. Review this aspect.

Performance

Redundant Field Inversions: No apparent inversions here, but ensure elsewhere avoid needless inversions as they are costly.

FFT Implementation: Ensure any FFTs utilize an efficient implementation respecting field properties to avoid unnecessary overheads.

Memory Allocations: Using vec![FE::zero(); r1cs.num_constraints] assumes it is optimized but does not assess for memory reuse, which should be encouraged.

Bugs & Errors

Potential Panics: Verify all indexing operations to ensure they are within bounds (e.g., witness[e.col]).

Integer Overflow/Underflow: Since you are dealing with indices and field elements, ensure Rust's checked arithmetic or field-safe arithmetic negates possible overflow.

Code Simplicity

Code Duplication: Consider abstracting patterns like sum accumulation into helper functions if they repeat elsewhere in the codebase.

Complex Implementations: "result[e.row] += e.val * witness[e.col];" is less cumbersome than using references, but confirm there is no misused operator overload internally.

This code does not look ready for merge as there are potential side-channel and correctness issues that require examination and appropriate verification. Address the highlighted concerns and conduct further testing, especially around arithmetic and security assumptions, before proceeding.

github-actions · 2026-03-17T18:30:26Z

+
+/// Sparse matrix in COO (Coordinate) format, sorted by (row, col).
+#[derive(Clone, Debug)]
+pub struct SparseMatrix<F: IsField>


Correctness:

The changes simplify the code by removing unnecessary clones, which is good for correctness and readability.

Security:

Ensure that secret-dependent operations (like those in finite field arithmetic) do not introduce timing side channels. As this code snippet is from a test, it doesn't directly affect security, but ensure similar changes in production code are constant-time.

Performance:

No performance issues detected from the changes themselves, as they remove redundant clones, which reduces unnecessary allocations.

Bugs & Errors:

The code doesn't introduce any new unwraps or potential panics. Ensure that wherever these methods are used, the assumptions about dimensions are maintained to avoid runtime panics.

Code Simplicity:

The refactoring to remove .clone() calls is good for simplicity and performance. However, in test scenarios, repeated declarations can sometimes be an indicator of a need for macro-driven test scenarios or parameterized tests for simplification.

In conclusion, while the changes themselves don't introduce issues, ensure attention to constant-time operations and proper abstraction handling in the broader code base. Verify that similar changes in operational code consider these factors carefully.

github-actions · 2026-03-17T18:30:30Z

Kimi AI Review

The PR diff introduces a new crate named spartan for implementing the Spartan zkSNARK prover in the lambdaworks codebase. Here are my specific feedback and review comments:

General Feedback

New Dependencies: The spartan crate introduces new dependencies on lambdaworks-math and lambdaworks-crypto. Ensure these dependencies are compatible with the existing codebase and that their licenses are compatible with lambdaworks.
Documentation: The README.md files in the spartan crate provide a good overview of the implementation and usage. Consider adding similar documentation for the other crates in the lambdaworks repository for consistency.
Testing: The spartan crate includes a comprehensive set of unit tests, which is great for ensuring correctness. Consider adding integration tests that test the interaction between spartan and other crates.

Specific Issues

File: Cargo.toml
- The addition of the spartan crate and its dependencies looks correct. However, ensure that the features specified for lambdaworks-math and lambdaworks-crypto are necessary and do not introduce unnecessary bloat or complexity.
File: kzg.rs
- The introduction of the srs_size method on KateZaveruchaGoldberg is useful for determining the size of the Structured Reference String (SRS). Ensure that this method is correctly implemented and returns the expected value.
File: prover.rs
- The prove function in SpartanProver performs several critical steps in the Spartan protocol. Ensure that the Fiat-Shamir challenges are correctly drawn from the transcript and that the polynomial commitments are correctly computed and verified.
- The error handling in the prove function is comprehensive. However, consider using more specific error types instead of SpartanError::R1CSError for better error granularity.
File: pcs/mod.rs
- The IsMultilinearPCS trait is correctly re-exported from lambdaworks-crypto. Ensure that the TrivialPCS and ZeromorphPCS implementations satisfy this trait correctly.
File: pcs/trivial.rs
- The TrivialPCS implementation is useful for testing. However, consider adding more comments explaining why this implementation is not secure and should not be used in production.
File: r1cs.rs
- The R1CS struct represents a generic R1CS instance. Ensure that the num_constraints, num_variables, and num_public_inputs fields are correctly set and validated.

Performance Considerations

Allocations: The spartan crate performs several allocations, especially when working with polynomials and transcripts. Consider using more in-place operations or reducing the number of allocations to improve performance.
Algorithm Efficiency: The sumcheck protocol and polynomial commitments are performance-critical parts of the Spartan prover. Ensure that these algorithms are implemented efficiently and consider using more efficient data structures or algorithms if possible.

Security Considerations

Constant-Time Operations: Ensure that the spartan crate uses constant-time operations where necessary to prevent timing attacks.
Randomness: The Fiat-Shamir heuristic relies on the transcript to provide randomness. Ensure that the transcript's randomness is sufficient for the security of the Spartan protocol.

Overall, the PR diff introduces a significant new feature to the lambdaworks codebase. With the above considerations and potential improvements, the spartan crate could provide a valuable addition to the library.

github-actions · 2026-03-19T19:00:47Z

Kimi AI Review

This PR introduces a new crate, lambdaworks-spartan, which implements the Spartan zero-knowledge proof system for R1CS satisfiability. The codebase is well-structured and follows good Rust practices. Here are some specific comments and suggestions:

Documentation and README:
- The README.md files in crates/provers/spartan provide a good overview of the Spartan protocol and its implementation. It would be helpful to include a brief example of how to use the crate, similar to what is done in other crates like lambdaworks-sumcheck.
Error Handling:
- The SpartanError enum in crates/provers/spartan/src/errors.rs effectively captures various error types that can occur during the proving process. Consider implementing the std::fmt::Display trait for better error messages.
Performance:
- In crates/crypto/src/commitments/kzg.rs, the srs_size method is added to the KateZaveruchaGoldberg struct. This is a useful utility function for determining the size of the SRS, which can help in optimizing memory usage and performance.
- The ZeromorphPCS implementation in crates/crypto/src/commitments/zeromorph.rs uses a batching technique to reduce the number of KZG openings, which is a performance optimization. Ensure that the batching is correctly implemented and does not introduce any security vulnerabilities.
Cryptographic Security:
- The use of DefaultTranscript in crates/provers/spartan/src/prover.rs for Fiat-Shamir heuristics is standard practice. However, consider documenting any known limitations or security assumptions related to this approach.
- The PCS implementations should be audited for constant-time operations, especially in the context of potential side-channel attacks.
Code Simplicity and Maintainability:
- The code is generally well-organized and modular. The separation of concerns between the R1CS struct, SpartanProver, and SpartanVerifier makes the codebase easier to maintain and extend.
- Consider adding more unit tests, especially for edge cases and error conditions, to improve code coverage and ensure long-term maintainability.
Potential Bugs and Errors:
- In crates/provers/spartan/src/prover.rs, the prove function checks the length of the witness against the number of variables. However, it does not check if the witness values are valid field elements or if they satisfy the R1CS constraints. Consider adding additional validation to ensure the witness is valid before proceeding with the proof generation.

Overall, this PR introduces a significant new feature to the lambdaworks library, providing an efficient and secure zero-knowledge proof system for R1CS. With some minor improvements and additional testing, this codebase will be a valuable addition to the library.

…comments - Add explicit Err check for witness_z[0] != 1 in prove(), matching the pattern of the other guards. Previously only a debug_assert checked this, so release builds would silently produce invalid proofs. - Fix doc comments on outer_challenges and inner_challenges: they contain one element per sumcheck round (log2 of padded dimension), not one per variable.

github-actions

Code review by ChatGPT

github-actions · 2026-03-19T19:02:16Z

+use crate::transcript::{
+    append_public_inputs, append_r1cs_instance, append_round_poly_to_transcript, draw_challenges,
+};
+


Correctness

Sumcheck Challenges: The change clarifies the comments on outer_challenges and inner_challenges, which seems correct unless there were previous misunderstandings about the number of challenges. Ensure this matches the actual code logic elsewhere that uses these values.

Security

Sensitive Data Zeroization: The code snippet does not show any attempt to zero sensitive buffers before they go out of scope. Ensure zeroization of any sensitive data like secrets in the entire library to maintain security.

Timing Side-Channels: Verify whether operations, especially related to cryptographic primitives, are constant-time, particularly those involving secrets.

Performance

Efficiency Considerations: No changes apparent here directly affect performance, but be aware of the underlying performance optimizations related to FFTs or MSMs outside the provided snippet.

Bugs & Errors

R1CS Constant Term Check: Adding the check for witness_z[0] being equal to 1 is a good guard against incorrect proofs. Verify that the error message and condition are sufficient for all edge cases.

Potential Panics: There is no visible unwrap or panic in the changed code. Ensure similar checks and error handling is present throughout the library.

Code Simplicity

Complexity and Duplications: No immediate issues with complexity in this snippet, but cross-check if similar checks are repeated elsewhere unnecessarily and encapsulate them if needed.

Overall, the changes indicate improvements in code correctness and documentation clarity by explaining the purpose of sumcheck challenges and adding a necessary validation condition. However, the overall security posture regarding side-channels and data zeroization remains unclear from this snippet.

github-actions · 2026-03-19T19:02:34Z

Kimi AI Review

The PR diff introduces a new crate named spartan for implementing the Spartan zero-knowledge proof system. Here are the main points reviewed:

Overall Structure: The new crate is well-structured with clear separation of concerns across modules (prover, verifier, pcs, mle, r1cs, sparse_matrix, transcript). This modularity is good for maintainability and testing.
R1CS Implementation (r1cs.rs):
- The R1CS struct is defined generically over a field F, which is a good approach for reusability and generic algebraic operations.
- The new function correctly checks for matrix dimensionality consistency, which is crucial for ensuring the R1CS is well-formed.
Multilinear Extension (MLE) Utilities (mle.rs):
- Functions like encode_witness, eq_poly, and matrix_vector_product_mle are implemented to support the Spartan protocol's needs.
- The use of DenseMultilinearPolynomial is appropriate for representing MLEs.
Polynomial Commitment Schemes (PCS) (pcs module):
- The IsMultilinearPCS trait is used to define the interface for committing to multilinear polynomials, which is essential for the Spartan protocol.
- The TrivialPCS implementation serves as a non-hiding, non-succinct commitment scheme for testing purposes.
- The ZeromorphPCS implementation利用KZG承诺方案实现多线性多项式承诺，这对于生产环境是实用的。
Prover Implementation (prover.rs):
- The SpartanProver struct and its prove method follow the Spartan protocol steps accurately.
- The use of Fiat-Shamir heuristic for challenge generation is standard practice in converting an interactive proof to a non-interactive one.
- The prover correctly handles the commitment to the witness polynomial, sumcheck protocols, and PCS opening.
Verifier Implementation (verifier.rs):
- The SpartanVerifier struct and its verify method need to be implemented to complete the Spartan protocol. The current diff does not include this, which is a critical part of the system.
Error Handling:
- The SpartanError enum is used consistently for error reporting across the crate, which is good for error management.
Security Considerations:
- The use of Fiat-Shamir heuristic introduces a security trade-off. The crate should document this and consider the security implications clearly.
- The ZeromorphPCS implementation relies on the KZG scheme, which should be carefully implemented to avoid vulnerabilities like small subgroup attacks.
Performance:
- The crate should consider performance optimizations, especially for the PCS operations, which can be computationally expensive.
Documentation and Comments:
- The code is well-commented, which aids in understanding the implementation details and the rationale behind certain design choices.
Testing:
- The tests module includes a variety of tests to verify the correctness of the implementation. However, more extensive testing, especially for edge cases and performance benchmarks, would be beneficial.
Missing Pieces:
- The verifier implementation is missing, which is a critical component of the Spartan protocol.
- The crate does not yet handle serialization or deserialization of proofs, which is necessary for practical use cases.

In conclusion, the PR diff makes significant progress towards implementing the Spartan zero-knowledge proof system in Rust. However, the verifier implementation and additional testing are needed to complete the system. Security considerations and performance optimizations should also be addressed before considering this code for production use.

Adds `open_with_commitment` default method to `IsMultilinearPCS` and overrides it in `ZeromorphPCS` to reuse the caller's precomputed G1 commitment for Fiat-Shamir seeding, avoiding a redundant O(n) MSM on every open call. The Spartan prover now passes the witness commitment through both `open` call sites.

Add a debug_assert after outer_claimed_sum that fires only when the R1CS is satisfied but the sum is non-zero (guards against prover logic bugs). Remove duplicate lines in the Step 8 comment block.

github-actions · 2026-03-20T16:25:55Z

Kimi AI Review

This PR introduces a new crate, lambdaworks-spartan, which implements the Spartan zero-knowledge proof system for R1CS satisfiability. The implementation includes the prover, verifier, and necessary mathematical utilities. Here are some specific comments and feedback on the changes:

Overall Structure and Documentation:
- The crate is well-structured, with clear separation of concerns among modules such as prover, verifier, pcs, mle, and r1cs. This modularity aids in maintainability and testing.
- README files are provided for the crate and the prover directory, which is good practice. They offer an overview of the Spartan protocol and its implementation details.
Cryptographic Security:
- The use of DefaultTranscript for Fiat-Shamir heuristics is appropriate. However, it's crucial to note that the security of the system relies on the cryptographic hash function used by the transcript. Ensure that the underlying hash function is secure and suitable for cryptographic purposes.
- The ZeromorphPCS implementation uses KZG commitments, which are based on pairings. The security of this commitment scheme relies on the hardness of the BDH problem in the chosen pairing-friendly curve. Ensure that the curve and pairing implementation are secure and well-reviewed.
Performance:
- The use of DenseMultilinearPolynomial for encoding witness polynomials and other polynomial commitments is efficient in terms of space. However, ensure that the polynomial evaluation and commitment operations are optimized for performance, as they can be computationally expensive.
- The implementation of sumcheck protocols seems to be done correctly, but it's essential to benchmark and optimize these critical components for performance.
Bugs and Errors:
- In crates/crypto/src/commitments/kzg.rs, the new method srs_size is added. Ensure that this method is used consistently across the codebase where the SRS size is required.
- In crates/provers/spartan/src/prover.rs, the prover's logic seems correct, but thorough testing is necessary to ensure there are no logical errors or edge cases that might lead to incorrect proofs or verification failures.
Code Simplicity and Maintainability:
- The code is generally clean and well-commented, which is good for maintainability.
- Consider adding more detailed comments or documentation for complex sections of the code, such as the sumcheck protocols and the inner workings of the ZeromorphPCS implementation.
Testing:
- The presence of unit tests for critical components like the TrivialPCS, ZeromorphPCS, and the prover's logic is good. However, consider adding more comprehensive tests, including property-based tests and integration tests with different R1CS instances.
- Test the boundary conditions and edge cases, such as R1CS instances with a small number of constraints, to ensure the implementation handles these scenarios correctly.

Overall, the PR introduces a significant new feature to the lambdaworks library, and the implementation appears to be on the right track. However, it's crucial to thoroughly test the implementation, especially the cryptographic components, to ensure the security and correctness of the Spartan proof system.

github-actions

Code review by ChatGPT

github-actions · 2026-03-20T16:26:02Z

+use crate::commitments::traits::IsCommitmentScheme;
+use crate::fiat_shamir::default_transcript::DefaultTranscript;
+use crate::fiat_shamir::is_transcript::IsTranscript;
+use lambdaworks_math::elliptic_curve::traits::IsPairing;


Correctness

Mathematical Operations: There are no changes in mathematical operations in the current diff; however, ensure prior computations like compute_zeromorph_quotients are properly validated.

Security

Timing Side-Channels: Please ensure that the commit function in your KZG implementation is constant-time. Any data-dependent operations or branching should be audited.

Proper Zeroization: Check if sensitive data, especially points in q_commitments, are properly zeroized after use.

Performance

Unnecessary Allocations: The use of .collect() suggests unnecessary heap allocations. Consider computing in-place if possible or using iterators efficiently without materializing intermediate collections unless necessary for the performance benefit.

Redundant Field Inversions: There's no visible redundancy introduced, but double-check the necessity of every field inversion if any are used elsewhere.

Bugs & Errors

Potential Panics or Unwraps: Ensure that any function calls like self.kzg.commit handle errors gracefully and don't panic if an expected condition isn't met.

Memory Safety: Nothing indicates direct issues in this diff, but review any unsafe blocks elsewhere to ensure they're necessary and correct.

Code Simplicity

Duplicated Code: Although no duplication is introduced here, maintain vigilance to avoid proliferation of similar functions or calculations.

Review required corrections, especially regarding the security and performance aspects, before merging.

github-actions · 2026-03-20T16:28:29Z

Kimi AI Review

The PR diff introduces a new crate lambdaworks-spartan for the Spartan zero-knowledge proof system, including its dependencies, implementation, and tests. Here are my specific comments and feedback on the changes:

`Cargo.toml` Changes

The addition of the spartan crate and its dependencies looks correct. Make sure that the features for lambdaworks-math and lambdaworks-crypto are appropriate for the spartan crate's needs.

`README.md` Changes

The documentation updates for the spartan crate in README.md are appropriate. Ensure that the descriptions and references accurately represent the crate's functionality and purpose.

`kzg.rs` Changes

The introduction of the srs_size method on KateZaveruchaGoldberg is useful for determining the size of the Structured Reference String (SRS). This is important for ensuring the SRS can handle the maximum polynomial degree.

`mod.rs` Changes

The addition of the multilinear module under commitments is a good organization choice, separating the multilinear commitment schemes from other commitment types.

`multilinear.rs` Changes

The new file multilinear.rs defines the IsMultilinearPCS trait, which is essential for the spartan crate's operations. Ensure that the trait methods are correctly defined and align with the expected behavior of a Polynomial Commitment Scheme (PCS).

`zeromorph.rs` Changes

The zeromorph.rs file implements the Zeromorph PCS, which is a crucial part of the spartan crate. The implementation should be reviewed for correctness, especially the compute_zeromorph_quotients and open methods, which are central to the Zeromorph protocol.

`spartan` Crate

The spartan crate's structure and implementation are comprehensive. Here are some specific comments:
- Errors: The SpartanError enum is well-defined, covering various error cases that can occur during the proving process.
- MLE Utilities: The mle module contains essential functions for encoding witnesses and computing equality polynomials, which are crucial for the Spartan protocol. Ensure that these utilities are correctly implemented and tested.
- Prover Implementation: The SpartanProver struct and its prove method implement the core of the Spartan protocol. The method's logic should be carefully reviewed to ensure it follows the Spartan paper's specifications accurately. Pay special attention to the Fiat-Shamir heuristic application, challenge extraction, and polynomial commitments.
- Verifier Implementation: The SpartanVerifier struct and its verify method should be reviewed to ensure they correctly verify the proof generated by SpartanProver. The verification process is critical for the security of the system.
- Tests: The tests provided in the spartan crate cover various aspects of the implementation, including R1CS satisfaction checks, MLE encoding, and PCS round trips. Ensure that these tests are comprehensive and cover edge cases.

General Feedback

Documentation: Ensure that all public structs, methods, and traits are well-documented, explaining their purpose, behavior, and any assumptions or preconditions.
Security Review: Given the cryptographic nature of the spartan crate, a thorough security review is essential. This includes reviewing the constant-time implementation, randomness usage, and potential side-channel attacks.
Performance: Review the implementation for any performance bottlenecks, especially in the polynomial commitment and verification processes.
Correctness: Verify that the mathematical correctness of the field operations, curve arithmetic, and polynomial operations is maintained throughout the implementation.

Overall, the PR diff introduces a significant new feature to the lambdaworks cryptographic library. A detailed review of the mathematical correctness, cryptographic security, and performance aspects is essential to ensure the spartan crate's reliability and security.

github-actions

Code review by ChatGPT

github-actions · 2026-03-20T16:28:31Z

+};
+use lambdaworks_math::polynomial::Polynomial;
+use lambdaworks_math::traits::ByteConversion;
+


Correctness

Polynomial and FFT Implementations: The function batch_matrix_mle_eval needs further inspection for correctness in handling polynomials and ensuring the evaluations are computed correctly. Ensure that it is correctly implementing any FFT or polynomial evaluations required.

Security

Timing Side-channels: Ensure that any arithmetic involving potentially sensitive data (especially modular arithmetic in cryptographic contexts) is implemented in a constant-time manner to prevent timing attacks.

Cryptographically Secure Randomness: If randomness is involved in this process (not clear from the snippet), ensure the use of a secure RNG (e.g., rand::RngCore with rand_core::OsRng).

Performance

Redundant Field Inversions: Check for any unnecessary field inversions when combining evaluations. Inversions are typically costly operations and should be minimized.

Bugs & Errors

Potential Panics: Review surrounding code for any unchecked operations on vectors that can cause panics, especially if using indexing operations instead of safe methods like get().

Integer Overflow/Underflow: Ensure that fields like num_constraints_padded and num_cols_padded are correctly managed to avoid overflow.

Code Simplicity

Overly Complex Implementations: While not directly visible in this snippet, ensure that the matrix evaluation logic is not unnecessarily complex. Abstractions (e.g., helper functions) may help if this code is repeated or more complex than necessary.

Overall, ensure that the implementations of mathematical operations, FFTs, and curve operations follow known reliable algorithms and libraries to ensure correctness and security against side-channel attacks.

nicole-graus added 5 commits March 11, 2026 12:33

add spartan

6f63698

Replace TrivialPCS with proper Zeromorph PCS backed by BLS12-381 KZG

a6fe02b

Add Clone to ZeromorphPCS and integration test for Spartan+Zeromorph …

289dcf0

…end-to-end

fix clippy and update readmes

9554eb6

add soundness test for prover using zeromorph

e28c494

nicole-graus requested a review from a team as a code owner March 11, 2026 20:10

github-actions Bot reviewed Mar 11, 2026

View reviewed changes

Add witness length check and public input consistency proofs

7d253c1

github-actions Bot reviewed Mar 11, 2026

View reviewed changes

Move ZeromorphPCS and IsMultilinearPCS to lambdaworks-crypto; add pub…

7524fd0

…lic input consistency proofs to Spartan

github-actions Bot reviewed Mar 11, 2026

View reviewed changes

Add missing files from ZeromorphPCS move and public input consistency…

8cdf0ae

… fixes

fix comment

d1ca739

github-actions Bot reviewed Mar 12, 2026

View reviewed changes

Add SRS size validation in ZeromorphPCS, returning Err instead of pan…

a948e96

…icking.

github-actions Bot reviewed Mar 12, 2026

View reviewed changes

fix fmt

9e79a50

github-actions Bot reviewed Mar 12, 2026

View reviewed changes

Merge branch 'main' into feat/spartan

da8a50e

github-actions Bot reviewed Mar 16, 2026

View reviewed changes

github-actions Bot reviewed Mar 17, 2026

View reviewed changes

diegokingston added 3 commits March 17, 2026 14:53

fix(spartan): fix benchmark circuit variable layout for public inputs

7a9d93e

The chain circuit placed x_0 at variable index 1 but claimed x_n as the public input. The prover correctly rejected this mismatch. Fix by placing the output at index 1 to match the R1CS convention z = (1, x, w).

github-actions Bot reviewed Mar 17, 2026

View reviewed changes

fix(spartan): remove clone-on-copy and unnecessary op_ref in tests

768ec54

Remove .clone() calls on Copy field elements (U64PrimeField<101>) and unnecessary reference operators on Copy operands in test code.

github-actions Bot reviewed Mar 17, 2026

View reviewed changes

Merge branch 'main' into feat/spartan

56ff6d2

github-actions Bot reviewed Mar 19, 2026

View reviewed changes

diegokingston added 6 commits March 20, 2026 12:54

perf(spartan): precompute eq_weights once for v_a/v_b/v_c in prover

eaa37d8

perf(spartan): reuse eq_rx for inner sumcheck matrix MLE construction

543b5d9

perf(spartan): precompute eq_x/eq_y once for verifier matrix evaluation

a9162dc

fix(spartan): add debug_assert for outer sum, clean up duplicate comment

3747a56

Add a debug_assert after outer_claimed_sum that fires only when the R1CS is satisfied but the sum is non-zero (guards against prover logic bugs). Remove duplicate lines in the Step 8 comment block.

style(zeromorph): apply rustfmt to open_with_commitment

aca463f

github-actions Bot reviewed Mar 20, 2026

View reviewed changes

style(spartan): apply rustfmt to batch_matrix_mle_eval call

4e69c5a

github-actions Bot reviewed Mar 20, 2026

View reviewed changes

		- Spartan: Transparent (no trusted setup). Proves R1CS satisfiability directly using two rounds of the Sumcheck Protocol and a multilinear PCS. $O(n)$ prover work.

		## Using provers

Conversation

nicole-graus commented Mar 11, 2026

Add spartan zkSNARK with Zeromorph PCS

Description

Protocol:

How to Test

Type of change

Uh oh!

github-actions Bot commented Mar 11, 2026

Kimi AI Review

Cargo.toml

README.md

crates/provers/spartan/

Cargo.toml

README.md

src/

errors.rs

lib.rs

mle.rs

pcs/

prover.rs

r1cs.rs

transcript.rs

Overall

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

Uh oh!

github-actions Bot Mar 11, 2026

Choose a reason for hiding this comment

Code Review Comments

Uh oh!

github-actions Bot Mar 11, 2026

Choose a reason for hiding this comment

Correctness

Security

Performance

Bugs & Errors

Code Simplicity

Uh oh!

github-actions Bot Mar 11, 2026

Choose a reason for hiding this comment

Specific Concerns

General Comments

Uh oh!

github-actions Bot Mar 11, 2026

Choose a reason for hiding this comment

Uh oh!

github-actions Bot Mar 11, 2026

Choose a reason for hiding this comment

Correctness:

Security:

Performance:

Bugs & Errors:

Code Simplicity:

Uh oh!

github-actions Bot Mar 11, 2026

Choose a reason for hiding this comment

Correctness

Security

Performance

Bugs & Errors

Code Simplicity

Uh oh!

github-actions Bot Mar 11, 2026

Choose a reason for hiding this comment

Mathemtical Correctness

Security

Performance

Bugs & Errors

Code Simplicity

General

Uh oh!

github-actions Bot Mar 11, 2026

Choose a reason for hiding this comment

Correctness

Security

Performance

Bugs & Errors

Code Simplicity

`Cargo.toml`

`README.md`

`crates/provers/spartan/`

`Cargo.toml`

`README.md`

`src/`

`errors.rs`

`lib.rs`

`mle.rs`

`pcs/`

`prover.rs`

`r1cs.rs`

`transcript.rs`

greptile-apps Bot commented Mar 11, 2026 •

edited

Loading

codecov-commenter commented Mar 11, 2026 •

edited

Loading