Zyga

A high-performance zero-knowledge proof system implementation in Rust, featuring the ZYGA proof system with BN254 elliptic curve pairings. Now with no_std support for embedded and blockchain environments!

Installation

Install from crates.io

cargo install zyga

Build from source

git clone https://github.com/darklakefi/py-zk-tiago
cd py-zk-tiago/rust
cargo build --release

Usage

Command Line Interface (two-step)

ZYGA now uses a setup/prove workflow:

1. Setup: compile constraints and generate proving key + on-chain helpers

zyga setup -c constraints.aoa -o test --prefix test

Outputs:

• test.zyga (proving key)
• test_public_coefficients.rs (public coefficients for on-chain)
• test_proving_key.rs (static VK elements for on-chain)

2. Prove: create a proof using the proving key and a witness

zyga prove -s test.zyga -w witness.json -o proof.json

Flags:

• -v, --verbose: verbose logs
• --debug-matrices: embed matrices and witness info in output JSON

Library Usage

use zyga::{compile_constraints, generate_trusted_setup, create_pairing_proof};

// Load and compile constraints
let constraints_str = std::fs::read_to_string("constraints.aoa")?;
let compilation_result = compile_constraints(&constraints_str)?;

// Generate trusted setup
let rng = &mut rand::thread_rng();
let trusted_setup = generate_trusted_setup(compilation_result.num_constraints, rng)?;

// Create proof
let proof = create_pairing_proof(
    &compilation_result,
    &processed_witness,
    &trusted_setup,
)?;

Features

• ZYGA Proof System: Optimized zero-knowledge proof generation
• BN254 Curve: Compatible with Ethereum's alt_bn128 precompile and Solana's BN254 syscalls
• No-std Support: Use in embedded and blockchain environments like Solana
• Constraint Compilation: Compile constraints from AOA format (std only)
• Trusted Setup Generation: Generate trusted setup parameters (std only)
• Proof Generation: Create succinct zero-knowledge proofs (std only)
• Proof Verification: Verify proofs on-chain with customizable coefficient functions (no_std compatible)
• Public Coefficient Generation: Automatically generates verifier code for on-chain deployment
• Modular Design: Support multiple proof systems in the same project via --prefix

Constraint File Format (AOA)

AOA (Arithmetic Operation Algebra) files define the constraint system:

# Variable declarations
decl a[4] privat    # Private variables (known only to prover)
decl b[4] public    # Public variables (known to verifier)
decl c defer        # Deferred variables (provided at verification time)

# Constraints (must be in the form A*B == C)
constraint a[0]*a[0] == b[0]
constraint a[1]*a[1] == b[1]
constraint (a[2]+a[3])*(a[2]-a[3]) == b[2]

Variable types:

• privat: Secret inputs known only to the prover
• public: Public inputs known to both prover and verifier
• defer: Variables provided by the verifier at verification time

Public Coefficient Generation

When generating a proof, ZYGA automatically creates a public_coefficients.rs file that maps public inputs to their contributions in the verification equation:

// Auto-generated public coefficients for on-chain verification
pub const NUM_PUBLIC_INPUTS: usize = 4;
pub const PUBLIC_INPUT_NAMES: [&str; 4] = ["b[0]", "b[1]", "b[2]", "b[3]"];

// Coefficients for computing a2, b2, c2 from public inputs
pub const PUBLIC_COEFFICIENTS: [InputCoefficients; 4] = [
    InputCoefficients { coeff_a: 0, coeff_b: 1, coeff_c: 0 },
    // ... more coefficients
];

This file is used by the on-chain verifier to compute the verification equation without needing the full constraint system. It is auto-generated during setup and should not be edited.

Architecture

The crate is organized into several modules:

• constraint: Constraint system compilation and processing (std only)
• polynomial: Polynomial arithmetic and Lagrange interpolation (std only)
• pairing: BN254 pairing-based proof generation (std only)
• symbol: Symbolic value processing for witness handling (std only)
• code_generation: Generate verifier code for on-chain deployment (std only)
• verification: On-chain proof verification for Solana BPF (no_std compatible)
• dag: Expression DAG for constraint evaluation (std only)
• errors: Error types (always available)
• common: Shared types for G1/G2 points and proof elements (always available)

Examples

Basic Square Proof

Create a proof that you know values whose squares equal public values:

# constraints.aoa
decl secret[4] privat
decl squares[4] public
constraint secret[0]*secret[0] == squares[0]
constraint secret[1]*secret[1] == squares[1]
constraint secret[2]*secret[2] == squares[2]
constraint secret[3]*secret[3] == squares[3]

# witness.json
{
  "secret": [1, 2, 3, 4],
  "squares": [1, 4, 9, 16]
}

# Generate proof
zyga -c constraints.aoa -w witness.json -o proof.json

64-bit Comparison Proof

Prove that one 64-bit number is greater than another:

# uint64-gt.aoa contains bit-by-bit comparison logic
zyga setup -c uint64-gt.aoa -o uint64gt --prefix uint64gt
zyga prove -s uint64gt.zyga -w witness-64.json -o uint64gt_output.json

# Copy generated coefficients for on-chain verification
cp uint64gt_public_coefficients.rs ../onchain-verifier/src/

Proof JSON Shape

proof.json contains a single proof object and optional debug data:

{
  "pairing_proof": {
    "proof": {
      "a_curve": "…64-byte hex…",
      "g2_b2": "…128-byte hex…",
      "c_curve": "…64-byte hex…",
      "g1_a2": "…64-byte hex…",
      "g1_c2": "…64-byte hex…",
      "g1_hz": "…64-byte hex…"
    },
    "trusted_setup": { "h1": "…", "h2": "…", "alpha": "…", "beta": "…" },
    "n_constraints": 1
  },
  "public_inputs": { "b[0]": 1, "b[1]": 0, … }
}

The on-chain verifier expects:

• Proof serialized fields in order: a_curve, g2_b2, c_curve, g1_a2, g1_c2, g1_hz.
• Public inputs provided as a Vec<i64> (values only) in the transaction; names are used only off-chain.

Testing

Run the test suite:

# Unit tests
cargo test

# Build and test everything
cargo build --release
cargo test --all-features

License

MIT

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

Repository

For more information, visit the GitHub repository.