Research-grade verification foundation for v0.3

.github/workflows/ci.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Rust toolchain
         uses: dtolnay/rust-toolchain@stable
@@ -33,16 +33,31 @@ jobs:
       - name: Test network targets
         run: cargo test --all-targets --features net --locked
 
+      - name: Reproduce sparse conformance vectors
+        run: |
+          cargo run --example conformance_vectors
+          git diff --exit-code -- conformance/v1
+
       - name: Large-domain examples
         run: |
           cargo run --release --example sextillion_verify
           cargo run --release --example hyperscale_affine
           cargo run --release --example sparse_record
           cargo run --release --example committed_workload
 
-      - name: Independent sparse verification
+      - name: Cross-language sparse verification
         run: |
           python3 scripts/verify_sparse_certificate.py target/power_house_sparse_record.phsp
           python3 scripts/verify_sparse_certificate.py \
             target/external_interaction_model.phcp \
             --polynomial target/external_interaction_model.phsm
+
+      - name: Sparse verifier conformance and mutation tests
+        run: python3 scripts/test_sparse_verifier.py
+
+      - name: Soundness budget checks
+        run: |
+          python3 scripts/soundness_budget.py
+          python3 scripts/soundness_budget.py \
+            --field 18446744073709551557 \
+            --repetitions 3

.gitignore

@@ -18,3 +18,5 @@ boot1.anchor
 boot2.anchor
 *.ed25519
 *.key
+__pycache__/
+*.py[cod]

Cargo.toml

@@ -21,9 +21,14 @@ include = [
   "JULIAN_PROTOCOL.md",
   "docs/*.md",
   "artifacts/*.json",
+  "conformance/**",
+  "scripts/benchmark_sparse.py",
+  "scripts/soundness_budget.py",
+  "scripts/test_sparse_verifier.py",
   "scripts/verify_sparse_certificate.py",
   "src/**",
   "examples/**",
+  "tests/**",
 ]
 
 [badges]

JULIAN_PROTOCOL.md

@@ -176,7 +176,8 @@ verified without a polynomial commitment, oracle, or compact algebraic descripti
 
 For the public sparse computation artifact, run `cargo run --release --example sparse_record`.
 The default polynomial has one million variables, 8,192 nonzero monomials, and maximum degree 12.
-Its `PHSPv1` certificate is then replayed by an independent standard-library implementation with:
+Its `PHSPv1` certificate is then replayed by a separate standard-library Python
+implementation with:
 
 ```bash
 python3 scripts/verify_sparse_certificate.py target/power_house_sparse_record.phsp

README.md

@@ -35,6 +35,13 @@ not establish that arbitrary sextillion-step computations can be verified, do
 not replace a quantum computer, and are not currently claimed as a world first.
 See [Research Claim Standard](docs/research_claim.md).
 
+The v1 sparse workflow is specifically a deterministic conformance artifact:
+the verifier reads the public sparse polynomial and recomputes the expected
+transcript. Because this polynomial family also has a closed-form Boolean sum,
+v1 is not a succinct delegated-computation result. The formal boundary and v2
+research target are documented in [Security Model](docs/security_model.md) and
+[Research Protocol](docs/research_protocol.md).
+
 ## Install
 
 ```bash
@@ -59,11 +66,17 @@ python3 scripts/verify_sparse_certificate.py \
 python3 scripts/verify_sparse_certificate.py \
   target/external_interaction_model.phcp \
   --polynomial target/external_interaction_model.phsm
+
+python3 scripts/test_sparse_verifier.py
+python3 scripts/soundness_budget.py
 ```
 
 The full procedure, formats, expected outputs, and failure tests are in
 [Verification Guide](docs/verification_guide.md).
 
+Small canonical files in `conformance/v1` are checked by both languages. Every
+single-byte XOR mutation of each vector must reject.
+
 ## Library
 
 ```rust
@@ -119,6 +132,9 @@ Operations and migration procedures are documented in
 - [Million-Round Sparse Certificate](docs/sparse_record.md)
 - [Hyperscale Seeded-Affine Proof](docs/hyperscale_proof.md)
 - [Research Claim Standard](docs/research_claim.md)
+- [Prior-Art Review](docs/prior_art_review.md)
+- [Sparse Certificate Security Model](docs/security_model.md)
+- [Research Protocol](docs/research_protocol.md)
 - [Orbital Observatory](docs/orbital_observatory.md)
 - [Operations](docs/ops.md)
 

RELEASE_NOTES.md

@@ -1,13 +1,28 @@
 # Release Notes
 
+## Unreleased - v0.3 research foundation
+
+### Added
+- Canonical small `PHSPv1`/`PHSMv1`/`PHCPv1` conformance vectors and manifest.
+- Property-based dense-equivalence tests and full single-byte mutation rejection.
+- Reproducible soundness-budget and benchmark-report tools.
+- Security model, falsifiable research protocol, and primary-source prior-art review.
+
+### Security
+- Enforced deterministic primality validation for every Rust `Field`.
+- Fixed near-`u64::MAX` field addition overflow.
+- Added matching Python primality validation.
+- Added decoder limits for variables, terms, degree, seeds, and total incidences.
+- Rejected oversized polynomial degrees before allocation.
+
 ## v0.2.1 - 2026-06-05
 
 ### Added
 - Closed-form constant sum-check over `2^70` Boolean points.
 - Seeded-affine sum-check over configurable domains, demonstrated at `2^4096`.
 - Stable `PHSPv1` million-round seeded sparse certificates.
 - Stable `PHSMv1` external sparse workloads and commitment-bound `PHCPv1` proofs.
-- Independent standard-library Python verifier for both sparse formats.
+- Separately implemented standard-library Python verifier for both sparse formats.
 - Unified verification guide and reproducible reference artifacts.
 
 ### Changed

conformance/v1/manifest.json

@@ -0,0 +1,29 @@
+{
+  "committed": {
+    "claimed_sum": 890880,
+    "final_evaluation": 13487675,
+    "maximum_degree": 5,
+    "polynomial_commitment": "88efabb63c2c7280be47386afb8b6f862972a01e58d90d3d2a29f31bce0554b8",
+    "polynomial_file": "committed-valid.phsm",
+    "polynomial_sha256": "254a0ae17d9cd2477770dc091e450a42df5a03e97c9569f561a845331cb47754",
+    "proof_file": "committed-valid.phcp",
+    "proof_sha256": "f097fb37298e51370516b41957e2e2a689eb5f40443ef1863017de9f3444642f",
+    "terms": 4,
+    "transcript_digest": "871a0763797cfe8f2e3376f62afad37b2ecc38ea95051530399a86e25ba4d5ca",
+    "variables": 16
+  },
+  "field_modulus": 1000000007,
+  "mutation_rule": "xor each byte with 0x01; every single-byte mutation must reject",
+  "schema": "power-house-sparse-conformance-v1",
+  "seeded": {
+    "claimed_sum": 173856083,
+    "file": "seeded-valid.phsp",
+    "final_evaluation": 130873495,
+    "maximum_degree": 6,
+    "polynomial_digest": "8fcda483c138a9511b62f924af5dc7daf813cfdc16847790e8a96f3dddcdc8db",
+    "sha256": "6717cab7f034df3a6f4ee13c2cc68f802139a58dff928d60dc6e2f52fd0a9853",
+    "terms": 20,
+    "transcript_digest": "a0cae3dca2136090b9e03dc162a429f19f7fd7b41a77a4a695eda829a2c9cd02",
+    "variables": 32
+  }
+}

docs/prior_art_review.md

@@ -0,0 +1,85 @@
+# Prior-Art Review
+
+Status: initial technical review, not an exhaustive novelty opinion.
+
+## Question Under Review
+
+The narrow candidate question is:
+
+> Does Power-House introduce a novel proof protocol, or does it publish a
+> distinctive reproducibility artifact built from established sum-check
+> techniques?
+
+The evidence currently supports the second description.
+
+## Primary Sources
+
+| Work | Relevant result | Consequence for Power-House |
+| --- | --- | --- |
+| Lund, Fortnow, Karloff, and Nisan, 1992, [Algebraic Methods for Interactive Proof Systems](https://doi.org/10.1145/146585.146605) | Introduced the sum-check protocol used to verify sums of low-degree multivariate polynomials over exponentially large domains. | An enormous implicit Boolean domain is established prior art. |
+| Goldwasser, Kalai, and Rothblum, [Delegating Computation: Interactive Proofs for Muggles](https://dl.acm.org/doi/10.1145/2699436) | Applies layered arithmetization and sum-check to delegated computation. | Efficient verification of structured computation is established prior art. |
+| Setty, [Spartan](https://eprint.iacr.org/2019/550) | Builds transparent arguments for R1CS using multilinear extensions and sum-check techniques. | General-purpose transparent arguments already use multilinear sum-check machinery. |
+| Ben-Sasson et al., [Scalable, Transparent, and Post-Quantum Secure Computational Integrity](https://eprint.iacr.org/2018/046) | Introduces the STARK framework for transparent scalable computational integrity. | Large-scale classical verification does not inherently require quantum hardware. |
+| Setty, Thaler, and Wahby, [Unlocking the Lookup Singularity with Lasso](https://eprint.iacr.org/2023/1216) | Uses sum-check-oriented techniques for efficient lookup arguments and includes sparse-structure optimizations. | Sparse structure and sum-check optimization are active established areas. |
+| Arun et al., [Jolt](https://eprint.iacr.org/2023/1217) | Constructs a virtual-machine argument primarily from lookups and sum-check. | Modern systems already verify rich computations over implicit structures. |
+| Chiesa, Fedele, Fenzi, and Zitek-Estrada, [A Time-Space Tradeoff for the Sumcheck Prover](https://eprint.iacr.org/2024/524) | Studies prover memory and running-time tradeoffs for multilinear sum-check. | Prover scaling and streaming constraints are not new research questions. |
+| Baweja et al., [Scribe: Low-memory SNARKs via Read-Write Streaming](https://www.usenix.org/conference/usenixsecurity26/presentation/baweja) | Builds and evaluates a low-memory SNARK using a read-write streaming model and disk-backed prover state. | A low-memory claim must compare against modern streaming proof systems. |
+
+## Feature Comparison
+
+| Property | Power-House v1 | Established systems |
+| --- | --- | --- |
+| Exponential implicit domain | Yes | Core sum-check property since LFKN |
+| Sparse multilinear representation | Yes | Common in modern multilinear protocols |
+| Fiat-Shamir transcript | Yes | Standard non-interactive compilation technique |
+| Public-data hash binding | Yes | Standard collision-resistant commitment pattern |
+| Succinct verifier in workload size | No | Provided by several argument/PCS systems |
+| Hidden witness | No | Supported by zero-knowledge argument systems |
+| General computation arithmetization | No | GKR, Spartan, STARKs, Jolt, and others |
+| Stable million-round public artifact | Yes | Potential benchmark distinction; novelty unverified |
+| Cross-language deterministic replay | Rust and Python | Engineering evidence, not protocol novelty |
+
+## Current Conclusion
+
+No protocol-level historical claim is justified by the current evidence.
+Specifically:
+
+- `2^1,000,000` is a description of an implicit domain, not executed work.
+- the sparse monomial sum is available in closed form,
+- the v1 verifier reads the entire public workload,
+- exact transcript replay is deterministic conformance checking,
+- BLAKE2b binding is not a multilinear polynomial commitment.
+
+The strongest supportable statement is:
+
+> Power-House publishes a stable, cross-language reproducible million-round
+> deterministic sum-check transcript for a separately stored, hash-bound sparse
+> multilinear polynomial over a one-million-variable Boolean domain.
+
+Whether that artifact is the largest or first public artifact of its exact kind
+requires a broader artifact search and independent review.
+
+## Novelty Path
+
+A potentially publishable contribution needs at least one property not supplied
+by the v1 artifact:
+
+1. a genuinely lower-memory or faster prover with a proved complexity
+   improvement over current sparse/streaming sum-check methods,
+2. a commitment/opening construction that avoids full public-workload replay,
+3. a useful computation arithmetization whose verification advantage survives
+   comparison with GKR, Spartan, STARK, Lasso/Jolt, and current sum-check work,
+4. independently measured engineering results that establish a reproducible
+   record without presenting that record as a new protocol.
+
+## Review Procedure
+
+Before any novelty claim:
+
+1. search IACR ePrint, DBLP, ACM, IEEE, USENIX, and artifact repositories using
+   protocol properties rather than only the phrase "million-round";
+2. record inclusion criteria and negative search results;
+3. send the exact claim and protocol specification to at least two unaffiliated
+   specialists;
+4. publish reviewer conflicts and requested corrections;
+5. phrase any surviving claim narrowly enough to be falsifiable.

docs/research_claim.md

@@ -20,18 +20,20 @@ Relevant prior art includes:
 - Recent sub-linear GKR work:
   https://eprint.iacr.org/2025/717
 
-## Current Candidate Result
+## Current Established Result
 
-Power-House has a candidate public engineering record:
+Power-House has a reproducible public engineering artifact:
 
-> A cross-language reproducible, one-million-round sum-check certificate for a
-> separately stored, commitment-bound sparse multilinear polynomial over
-> `2^1,000,000` Boolean points, with a stable 16 MB certificate and no
-> hypercube allocation.
+> A Rust/Python reproducible, one-million-round deterministic sum-check
+> transcript for a separately stored, hash-bound sparse multilinear polynomial
+> over a one-million-variable Boolean domain, with a stable 16 MB certificate
+> and no hypercube allocation.
 
-This wording is a candidate, not an established world-first claim. An exhaustive
-literature and artifact search has not yet been completed, and no independent
-external party has reproduced the result.
+This is an engineering result, not an established world-first claim. The v1
+verifier reads the complete workload and recomputes the exact expected
+transcript. The represented sum also has a closed form. These facts prevent a
+succinct-verification or novel-protocol claim. See
+[Security Model](security_model.md) and [Prior-Art Review](prior_art_review.md).
 
 ## Historical Claim Gates
 
@@ -47,9 +49,9 @@ complete:
    details, and exact commands in a timestamped release or archival DOI.
 
 3. **Independent implementation**  
-   Obtain verification by an implementation not authored from the Rust code.
-   The bundled Python verifier is useful cross-language evidence but is not an
-   independent external audit.
+   Obtain verification by an implementation authored by an unaffiliated team.
+   The bundled Python verifier is useful cross-language conformance evidence
+   but is not an independent external audit.
 
 4. **Prior-art comparison**  
    Compare the result directly against sum-check, sparse-dense sum-check, GKR,
@@ -61,19 +63,21 @@ complete:
    publish machine details and timings.
 
 6. **Cryptographic scope**  
-   The `PHSMv1`/`PHCPv1` workflow now binds public external data with
-   BLAKE2b-256. For a general or succinct verifiable-computation claim, replace
-   full workload replay with a proven multilinear polynomial commitment and an
-   opening proof for an externally supplied computation or witness.
+   The `PHSMv1`/`PHCPv1` workflow binds public external data with BLAKE2b-256.
+   For a general or succinct verifiable-computation claim, replace full
+   workload replay with a reviewed multilinear polynomial commitment and an
+   opening proof for an externally supplied computation or witness. A standard
+   one-repetition sum-check at the published million-round field parameters has
+   only about 9.97 bits under the classical `n/|F|` bound.
 
 7. **Public review**  
    Publish a technical preprint and obtain specialist review or a formal audit.
 
 ## Claim Levels
 
-- **Allowed now:** "Power-House verifies a separately stored,
-  commitment-bound sparse polynomial over `2^1,000,000` points through a
-  million-round reproducible certificate."
+- **Allowed now:** "Power-House deterministically replays a separately stored,
+  hash-bound sparse polynomial transcript over a one-million-variable Boolean
+  domain through a million-round reproducible certificate."
 - **Allowed after external reproduction:** "Power-House publishes an
   independently reproduced million-round sparse sum-check artifact."
 - **Allowed after novelty review:** A narrowly worded "first" claim matching