Plonky2 proofs verification #4393

Draft · wants to merge 7 commits into base: master

Conversation

@ekovalev ekovalev (Member) commented Dec 10, 2024

Plonky2 proofs onchain verification.

The change implements a framework for zk-related apps. Specifically, it allows verifying Plonky2 proofs for arbitrary circuits.
A general flow might look like this:

+------------+                          +-------------------------------+
|            |           proof          |     Application Contract      |
|   Prover   | -----------------------> |                               |
|            |                          |    (verifier_circuit_data)    |
+------------+                          +-------------------------------+
                                                        |
                                                        | concatenate( verifier_circuit_data, 
                                                        |              proof )
                                                        v
                                        +-------------------------------+
                                        |       Verifier Contract       |
                                        |                               |
                                        |       plonky2::verify()       |
                                        +-------------------------------+

The application contract is supposed to store circuit-specific data and prepend it to a proof it wants verified.
The Verifier contract imports the original plonky2 code for verification; however, the underlying primitives (Goldilocks field and Poseidon hasher) are custom-implemented in such a way that heavy operations are offloaded to the host (through a dedicated syscall).

Specifically, the change includes:

  • A syscall for Poseidon permutation computation;
  • Host call for efficient Poseidon permutation computation;
  • Example verifier contract with a custom Goldilocks field implementation to plug into the out-of-the-box plonky2 verifier;
  • Crypto primitives on the host (client) side: necessary Goldilocks field arithmetic and Poseidon hashing primitives to back up the Poseidon permutation host call.

Note: To make plonky2 compile for wasm target we need to use our fork with a different feature enabled for the getrandom crate.

Hardware acceleration of field arithmetic and hashing

  • The original plonky2 provides specialisations for the field ops and Poseidon hashing over the Goldilocks field. However, currently SIMD parallelisation of Poseidon only works on the aarch64 architecture; it has been disabled for x86_64 after the MDS matrix constants update in plonky2 and hasn't been aligned with those changes ever since.
  • Field arithmetic on x86_64 allows SIMD with the avx2 or avx512 target features enabled. The avx512 path has been completely removed in our implementation because it requires unstable language features to compile. As for the avx2 support, it is there but, as mentioned, not used in Poseidon. We keep it in the codebase though, in case we want to benefit from polynomial evaluation on the host some day.

That being said, on an x86_64 machine we won't have any parallelisation yet. Nevertheless, even as is, it gives about a 4.5-5x speed-up on the Poseidon permute operation with respect to a fully wasm-based solution.
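As an added illustration (not code from this PR, from plonky2, or from the Gear node), the following minimal canonical Goldilocks field in Rust shows the reduction a custom field implementation such as the one described above has to get right, together with a strict decoder that rejects non-canonical encodings (values >= p) when field elements are read out of proof bytes. The constants are the standard Goldilocks parameters; the struct and function names are this example's own.

```rust
/// Goldilocks prime p = 2^64 - 2^32 + 1, the field plonky2 circuits are defined over.
pub const P: u64 = 0xFFFF_FFFF_0000_0001;
/// EPSILON = 2^32 - 1 = 2^64 mod p; also 2^96 ≡ -1 (mod p). Both drive `reduce` below.
const EPSILON: u64 = 0xFFFF_FFFF;

/// A field element, always stored in canonical form 0 <= v < p.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Goldilocks(u64);

impl Goldilocks {
    /// Any u64 is < 2p, so a single conditional subtraction canonicalizes it.
    pub fn new(v: u64) -> Self { Goldilocks(if v >= P { v - P } else { v }) }
    pub fn value(self) -> u64 { self.0 }

    /// Strict decoder for serialized elements: rejects non-canonical encodings
    /// (v >= p), which a verifier must not accept as a valid field element.
    pub fn from_le_bytes(b: [u8; 8]) -> Option<Self> {
        let v = u64::from_le_bytes(b);
        if v < P { Some(Goldilocks(v)) } else { None }
    }

    /// Reduce a 128-bit product without a 128-bit division: write
    /// x = lo + hi*2^64 with hi = hi_lo + hi_hi*2^32; then
    /// x ≡ lo + hi_lo*EPSILON - hi_hi (mod p).
    fn reduce(x: u128) -> Self {
        let lo = x as u64;
        let hi = (x >> 64) as u64;
        let (hi_hi, hi_lo) = (hi >> 32, hi & EPSILON);
        let (mut t0, borrow) = lo.overflowing_sub(hi_hi);
        if borrow { t0 -= EPSILON; } // wrapped by 2^64 ≡ EPSILON; cannot underflow
        let t1 = hi_lo * EPSILON;    // < 2^64, no overflow
        let (mut s, carry) = t0.overflowing_add(t1);
        if carry { s += EPSILON; }   // same wrap correction; cannot overflow
        Goldilocks::new(s)
    }

    pub fn add(self, o: Self) -> Self { Self::reduce(self.0 as u128 + o.0 as u128) }
    pub fn sub(self, o: Self) -> Self {
        // If self < o the wrapping subtraction is off by exactly 2^64; adding p fixes it.
        Goldilocks(self.0.wrapping_sub(o.0).wrapping_add(if self.0 < o.0 { P } else { 0 }))
    }
    pub fn mul(self, o: Self) -> Self { Self::reduce(self.0 as u128 * o.0 as u128) }

    /// Square-and-multiply exponentiation.
    pub fn pow(self, mut e: u64) -> Self {
        let (mut base, mut acc) = (self, Goldilocks(1));
        while e > 0 {
            if e & 1 == 1 { acc = acc.mul(base); }
            base = base.mul(base);
            e >>= 1;
        }
        acc
    }
    /// Multiplicative inverse via Fermat's little theorem, a^(p-2); None for zero.
    pub fn inverse(self) -> Option<Self> {
        if self.0 == 0 { None } else { Some(self.pow(P - 2)) }
    }
}
```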

@ekovalev ekovalev added A1-inprogress Issue is in progress or PR draft is not ready to be reviewed C1-feature Feature request labels Dec 10, 2024
@ekovalev ekovalev requested a review from mertwole December 10, 2024 19:49
@mertwole mertwole (Member) left a comment

Looks great, just 2 things:

  • Do bls12_381 changes belong to this PR?
  • I think gr_permute is not very descriptive, maybe gr_poseidon_permute will be better

use plonky2::plonk::verifier::verify;

#[gstd::async_main]
async fn main() {
@mertwole mertwole (Member) commented on the lines above:

Have you measured how much gas it will take for a recursive proof verification? It's interesting to know.

@ekovalev ekovalev (Member, Author) replied:

Provided the benchmarks of the syscall/hostcall combo are correct, a recursive proof verification would take slightly above 100 bln gas. Or roughly ~15% of a block gas allowance.

@ekovalev ekovalev force-pushed the ek-plonky2-verification branch 6 times, most recently from d6390a0 to d79aefa December 19, 2024 08:12
@ekovalev ekovalev force-pushed the ek-plonky2-verification branch from d79aefa to 018068e December 26, 2024 13:36
@ekovalev ekovalev force-pushed the ek-plonky2-verification branch from b3dc57b to 0abd6eb December 27, 2024 15:19
@ekovalev ekovalev requested review from gshep and breathx December 29, 2024 23:38
@ekovalev ekovalev added A0-pleasereview PR is ready to be reviewed by the team D2-node Gear Node and removed A1-inprogress Issue is in progress or PR draft is not ready to be reviewed labels Dec 29, 2024
@ekovalev ekovalev marked this pull request as ready for review December 29, 2024 23:39
@ekovalev ekovalev marked this pull request as draft January 15, 2025 19:03
@ekovalev ekovalev added A5-dontmerge PR should not be merged yet and removed A0-pleasereview PR is ready to be reviewed by the team labels Jan 24, 2025