Cairo Serde

Author: Gali-StarkWare

.github/workflows/ci.yaml

@@ -98,7 +98,7 @@ jobs:
       - name: Check verifier compiles on stable
         env:
           RUSTUP_TOOLCHAIN: ${{ env.STABLE_VERSION }}
-        run: cargo check --workspace --exclude circuit-prover --exclude circuits-stark-verifier-examples
+        run: cargo check --workspace --exclude circuit-prover --exclude circuit-cairo-serialize --exclude circuits-stark-verifier-examples
 
   machete:
     runs-on: ubuntu-latest

CLAUDE.md

@@ -120,7 +120,7 @@ RUSTDOCFLAGS="-Dwarnings" cargo doc --document-private-items --no-deps --all-fea
 
 # Verifier stable check (must compile on stable 1.88.0)
 RUSTUP_TOOLCHAIN=1.88.0 cargo check --workspace \
-  --exclude circuit-prover --exclude circuits-stark-verifier-examples
+  --exclude circuit-prover --exclude circuit-cairo-serialize --exclude circuits-stark-verifier-examples
 
 # Unused dependency check
 cargo machete
@@ -227,8 +227,10 @@ Before modifying ANY [SOUNDNESS-CRITICAL] or [SECURITY-CRITICAL] file:
 5. **AIR code generation**: Component constraint evaluators and subroutines in `circuit_air`
    and `cairo_air` are generated by stwo-air-infra. Manual edits to generated files will be lost.
 
-6. **Stable Rust compatibility**: All crates except `circuit-prover` and
-   `circuits-stark-verifier-examples` must compile on stable Rust (1.88.0). This is enforced by CI.
+6. **Stable Rust compatibility**: All crates except `circuit-prover`,
+   `circuit-cairo-serialize` (depends on `circuit-prover` for the prover-output bridge),
+   and `circuits-stark-verifier-examples` must compile on stable Rust (1.88.0).
+   This is enforced by CI.
 
 7. **Optimized test profile**: `circuit-prover` and `stwo` are compiled at opt-level 3 even
    in the test profile to keep Blake-related tests performant.

Cargo.lock

@@ -3,6 +3,7 @@ members = [
     "crates/cairo_air",
     "crates/circuits",
     "crates/circuit_air",
+    "crates/circuit_cairo_serialize",
     "crates/circuit_common",
     "crates/circuit_serialize",
     "crates/circuit_prover",
@@ -48,6 +49,8 @@ stwo_cairo_prover = { package = "stwo-cairo-prover", git = "https://github.com/s
 stwo_cairo_common = { package = "stwo-cairo-common", git = "https://github.com/starkware-libs/stwo-cairo", rev = "0a5e70b7" }
 stwo_cairo_dev_utils = { package = "stwo-cairo-dev-utils", git = "https://github.com/starkware-libs/stwo-cairo", rev = "0a5e70b7" }
 stwo_cairo_utils = { package = "stwo-cairo-utils", git = "https://github.com/starkware-libs/stwo-cairo", rev = "0a5e70b7" }
+stwo-cairo-serialize = { git = "https://github.com/starkware-libs/stwo-cairo", rev = "0a5e70b7" }
+starknet-ff = "0.3"
 
 # local crates
 circuits = { path = "crates/circuits"}

Cargo.toml

@@ -0,0 +1,18 @@
+[package]
+name = "circuit-cairo-serialize"
+version.workspace = true
+edition.workspace = true
+description = "Serializes circuit prover output into the Cairo verifier's input format."
+
+[dependencies]
+cairo-air.workspace = true
+circuit-air.workspace = true
+circuit-prover.workspace = true
+starknet-ff.workspace = true
+stwo.workspace = true
+stwo-cairo-serialize.workspace = true
+
+[dev-dependencies]
+circuit-common.workspace = true
+circuits.workspace = true
+num-traits.workspace = true

crates/circuit_cairo_serialize/Cargo.toml

@@ -0,0 +1,100 @@
+//! Owned mirror structs for Cairo `CircuitClaim` and `CircuitInteractionClaim`.
+//!
+//! These mirror, field-by-field, the structs in
+//! `stwo-cairo/stwo_cairo_verifier/crates/circuit_air/src/claims.cairo`. The Cairo `Serde`
+//! derive serializes a struct by emitting each field in declaration order; the field
+//! order here MUST match the Cairo side exactly. Components with empty `Claim {}` on the
+//! Cairo side (fixed-size LOG_SIZE constants) contribute no fields.
+//!
+//! Both `CairoSerialize` and `CairoDeserialize` are derived, giving symmetric serde so
+//! these types can round-trip in tests.
+
+use circuit_air::circuit_claim::{CircuitClaim, CircuitInteractionClaim};
+use circuit_air::circuit_components::ComponentList;
+use stwo::core::fields::qm31::QM31;
+use stwo_cairo_serialize::{CairoDeserialize, CairoSerialize};
+
+/// Mirror of Cairo `CircuitClaim`.
+///
+/// Cairo layout:
+/// - `public_data: CircuitPublicData { output_values: Array<QM31> }`
+/// - one `log_size: u32` per variable-size component, in `ComponentList` order
+/// - fixed-size components have empty `Claim {}` and contribute zero felts.
+#[derive(Clone, Debug, PartialEq, Eq, CairoSerialize, CairoDeserialize)]
+pub struct CairoCircuitClaim {
+    pub output_values: Vec<QM31>,
+    pub eq_log_size: u32,
+    pub qm31_ops_log_size: u32,
+    pub blake_gate_log_size: u32,
+    pub blake_round_log_size: u32,
+    pub blake_g_log_size: u32,
+    pub blake_output_log_size: u32,
+    pub triple_xor_32_log_size: u32,
+    pub m_31_to_u_32_log_size: u32,
+}
+
+impl From<&CircuitClaim> for CairoCircuitClaim {
+    fn from(c: &CircuitClaim) -> Self {
+        let CircuitClaim { log_sizes, output_values } = c;
+        Self {
+            output_values: output_values.clone(),
+            eq_log_size: log_sizes[ComponentList::Eq as usize],
+            qm31_ops_log_size: log_sizes[ComponentList::Qm31Ops as usize],
+            blake_gate_log_size: log_sizes[ComponentList::BlakeGate as usize],
+            blake_round_log_size: log_sizes[ComponentList::BlakeRound as usize],
+            blake_g_log_size: log_sizes[ComponentList::BlakeG as usize],
+            blake_output_log_size: log_sizes[ComponentList::BlakeOutput as usize],
+            triple_xor_32_log_size: log_sizes[ComponentList::TripleXor32 as usize],
+            m_31_to_u_32_log_size: log_sizes[ComponentList::M31ToU32 as usize],
+        }
+    }
+}
+
+/// Mirror of Cairo `CircuitInteractionClaim`.
+///
+/// Cairo layout: 16 named QM31 fields in `ComponentList` order. The Rust prover stores
+/// the same data as `[QM31; 16]`; this struct just gives each entry a name so the derive
+/// macro can produce identical felt output.
+#[derive(Clone, Debug, PartialEq, Eq, CairoSerialize, CairoDeserialize)]
+pub struct CairoCircuitInteractionClaim {
+    pub eq: QM31,
+    pub qm31_ops: QM31,
+    pub blake_gate: QM31,
+    pub blake_round: QM31,
+    pub blake_round_sigma: QM31,
+    pub blake_g: QM31,
+    pub blake_output: QM31,
+    pub triple_xor_32: QM31,
+    pub m_31_to_u_32: QM31,
+    pub verify_bitwise_xor_8: QM31,
+    pub verify_bitwise_xor_12: QM31,
+    pub verify_bitwise_xor_4: QM31,
+    pub verify_bitwise_xor_7: QM31,
+    pub verify_bitwise_xor_9: QM31,
+    pub range_check_15: QM31,
+    pub range_check_16: QM31,
+}
+
+impl From<&CircuitInteractionClaim> for CairoCircuitInteractionClaim {
+    fn from(c: &CircuitInteractionClaim) -> Self {
+        let s = &c.claimed_sums;
+        Self {
+            eq: s[ComponentList::Eq as usize],
+            qm31_ops: s[ComponentList::Qm31Ops as usize],
+            blake_gate: s[ComponentList::BlakeGate as usize],
+            blake_round: s[ComponentList::BlakeRound as usize],
+            blake_round_sigma: s[ComponentList::BlakeRoundSigma as usize],
+            blake_g: s[ComponentList::BlakeG as usize],
+            blake_output: s[ComponentList::BlakeOutput as usize],
+            triple_xor_32: s[ComponentList::TripleXor32 as usize],
+            m_31_to_u_32: s[ComponentList::M31ToU32 as usize],
+            verify_bitwise_xor_8: s[ComponentList::VerifyBitwiseXor8 as usize],
+            verify_bitwise_xor_12: s[ComponentList::VerifyBitwiseXor12 as usize],
+            verify_bitwise_xor_4: s[ComponentList::VerifyBitwiseXor4 as usize],
+            verify_bitwise_xor_7: s[ComponentList::VerifyBitwiseXor7 as usize],
+            verify_bitwise_xor_9: s[ComponentList::VerifyBitwiseXor9 as usize],
+            range_check_15: s[ComponentList::RangeCheck15 as usize],
+            range_check_16: s[ComponentList::RangeCheck16 as usize],
+        }
+    }
+}

crates/circuit_cairo_serialize/src/claim.rs

@@ -0,0 +1,24 @@
+//! Rust mirror of the Cairo `CircuitVerifierConfig` struct.
+//!
+//! Field order MUST match
+//! `stwo-cairo/stwo_cairo_verifier/crates/circuit_air/src/lib.cairo::CircuitVerifierConfig`.
+
+use stwo::core::vcs::blake2_hash::Blake2sHash;
+use stwo_cairo_serialize::{CairoDeserialize, CairoSerialize};
+
+#[derive(Clone, Debug, PartialEq, Eq, CairoSerialize, CairoDeserialize)]
+pub struct CairoCircuitVerifierConfig {
+    /// Variable indices of the circuit's `Output` gates. One entry per public output value.
+    pub output_addresses: Vec<u32>,
+    /// Number of Blake gates in the circuit.
+    pub n_blake_gates: u32,
+    /// Expected preprocessed-trace root.
+    pub preprocessed_root: Blake2sHash,
+    /// Per-column log sizes in the circuit's preprocessed trace, in canonical column order.
+    pub preprocessed_column_log_sizes: Vec<u32>,
+    /// `trace_log_size + log_blowup_factor`. The rust circuit prover packs this into the
+    /// channel via `PcsConfig::mix_into` (in `stwo::core::pcs`), but cairo's `PcsConfig`
+    /// has no such field, so the verifier needs it via out-of-band config — analogous to
+    /// the rust in-circuit verifier reading it from `ProofConfig.fri.log_trace_size`.
+    pub lifting_log_size: u32,
+}

crates/circuit_cairo_serialize/src/config.rs

@@ -0,0 +1,23 @@
+//! Serializes circuit prover output into the format expected by the Cairo verifier
+//! (`stwo-cairo/stwo_cairo_verifier/crates/circuit_verifier`).
+//!
+//! The Cairo verifier's executable signature is:
+//!
+//! ```cairo
+//! fn main(proof: CircuitProof, config: CircuitVerifierConfig) -> VerificationOutput
+//! ```
+//!
+//! and uses the standard `#[derive(Serde)]` to deserialize each argument from the
+//! felt252 input stream produced by `scarb execute --arguments-file`. This crate emits
+//! the corresponding stream from the Rust prover output.
+
+pub mod claim;
+pub mod config;
+pub mod proof;
+
+#[cfg(test)]
+mod test;
+
+pub use claim::{CairoCircuitClaim, CairoCircuitInteractionClaim};
+pub use config::CairoCircuitVerifierConfig;
+pub use proof::{CairoCircuitProof, CairoStarkProofForCircuit, prepare_cairo_verifier_input};

crates/circuit_cairo_serialize/src/lib.rs

@@ -0,0 +1,153 @@
+//! Top-level Cairo verifier input.
+//!
+//! Mirrors the Cairo verifier's `main(proof: CircuitProof, config: CircuitVerifierConfig)`
+//! signature. Field order MUST match the Cairo `CircuitProof` struct in
+//! `stwo-cairo/stwo_cairo_verifier/crates/circuit_air/src/lib.cairo`.
+//!
+//! The serializer is asymmetric on `queried_values`: the prover stores them in tree-major
+//! order, the Cairo verifier reads them sorted by column size and transposed (see
+//! `cairo_air::utils::sort_and_transpose_queried_values`). The conversion in
+//! [`prepare_cairo_verifier_input`] applies the sort before the derive emits felts.
+
+use cairo_air::utils::sort_and_transpose_queried_values;
+use circuit_prover::prover::CircuitProof as CircuitProverOutput;
+use starknet_ff::FieldElement;
+use stwo::core::ColumnVec;
+use stwo::core::pcs::TreeVec;
+use stwo::core::pcs::quotients::CommitmentSchemeProof;
+use stwo::core::proof::StarkProof;
+use stwo::core::vcs::blake2_hash::Blake2sHash;
+use stwo::core::vcs_lifted::blake2_merkle::Blake2sM31MerkleHasher;
+use stwo::core::vcs_lifted::merkle_hasher::MerkleHasherLifted;
+use stwo_cairo_serialize::{CairoDeserialize, CairoSerialize};
+
+use crate::CairoCircuitVerifierConfig;
+use crate::claim::{CairoCircuitClaim, CairoCircuitInteractionClaim};
+
+/// Owned mirror of the Cairo `CircuitProof` struct, with `queried_values` already sorted
+/// and transposed into the layout the Cairo verifier expects.
+///
+/// Symmetric `CairoSerialize`/`CairoDeserialize` derive — both directions read fields in
+/// declaration order, so this round-trips cleanly.
+// Note: cannot derive `PartialEq`/`Eq` because `FriProof`/`MerkleDecommitmentLifted` do
+// not implement them. Roundtrip tests compare serialized bytes instead.
+#[derive(Clone, Debug, CairoSerialize, CairoDeserialize)]
+pub struct CairoCircuitProof<H: MerkleHasherLifted<Hash = Blake2sHash> = Blake2sM31MerkleHasher> {
+    pub claim: CairoCircuitClaim,
+    pub interaction_pow: u64,
+    pub interaction_claim: CairoCircuitInteractionClaim,
+    pub stark_proof: CairoStarkProofForCircuit<H>,
+    pub channel_salt: u32,
+}
+
+/// Owned counterpart of `CommitmentSchemeProof` with `queried_values` already in the
+/// 2D sorted-and-transposed layout (one `Vec<BaseField>` per tree, concatenated across
+/// queries) that the Cairo verifier deserializes.
+#[derive(Clone, Debug, CairoSerialize, CairoDeserialize)]
+pub struct CairoStarkProofForCircuit<
+    H: MerkleHasherLifted<Hash = Blake2sHash> = Blake2sM31MerkleHasher,
+> {
+    pub config: stwo::core::pcs::PcsConfig,
+    pub commitments: Vec<Blake2sHash>,
+    pub sampled_values: Vec<ColumnVec<Vec<stwo::core::fields::qm31::QM31>>>,
+    pub decommitments: Vec<stwo::core::vcs_lifted::verifier::MerkleDecommitmentLifted<H>>,
+    /// Sorted+transposed queried values (per tree).
+    pub queried_values: Vec<Vec<stwo::core::fields::m31::M31>>,
+    pub proof_of_work: u64,
+    pub fri_proof: stwo::core::fri::FriProof<H>,
+}
+
+impl<H: MerkleHasherLifted<Hash = Blake2sHash>> CairoStarkProofForCircuit<H> {
+    /// Builds the Cairo-ready stark proof from a Rust `StarkProof` plus per-tree column
+    /// log sizes for the [trace, interaction] trees (used to sort `queried_values`).
+    pub fn from_stark_proof(
+        proof: &StarkProof<H>,
+        trace_and_interaction_trace_log_sizes: &[&[u32]; 2],
+    ) -> Self {
+        let CommitmentSchemeProof {
+            config,
+            commitments,
+            sampled_values,
+            decommitments,
+            queried_values,
+            proof_of_work,
+            fri_proof,
+        } = &proof.0;
+
+        let sorted = sort_and_transpose_queried_values(
+            queried_values,
+            trace_and_interaction_trace_log_sizes.to_vec(),
+        );
+
+        Self {
+            config: *config,
+            commitments: (**commitments).clone(),
+            sampled_values: (**sampled_values).clone(),
+            decommitments: (**decommitments).clone(),
+            queried_values: (*sorted).clone(),
+            proof_of_work: *proof_of_work,
+            fri_proof: fri_proof.clone(),
+        }
+    }
+}
+
+impl<H: MerkleHasherLifted<Hash = Blake2sHash>> CairoCircuitProof<H> {
+    /// Builds from the live circuit prover output. Errors if the prover failed.
+    pub fn from_prover_output(
+        prover_output: &CircuitProverOutput<H>,
+    ) -> Result<Self, &'static str> {
+        let extended = prover_output
+            .stark_proof
+            .as_ref()
+            .map_err(|_| "circuit prover failed to produce a stark proof")?;
+        let stark_proof = &extended.proof;
+
+        let log_sizes = column_log_sizes_by_tree(prover_output);
+        let stark_proof = CairoStarkProofForCircuit::<H>::from_stark_proof(
+            stark_proof,
+            &[log_sizes[0].as_slice(), log_sizes[1].as_slice()],
+        );
+
+        Ok(Self {
+            claim: CairoCircuitClaim::from(&prover_output.claim),
+            interaction_pow: prover_output.interaction_pow_nonce,
+            interaction_claim: CairoCircuitInteractionClaim::from(&prover_output.interaction_claim),
+            stark_proof,
+            channel_salt: prover_output.channel_salt,
+        })
+    }
+}
+
+/// Builds the felt252 input stream for the Cairo circuit verifier from a live prover
+/// output and a verifier config.
+pub fn prepare_cairo_verifier_input<H: MerkleHasherLifted<Hash = Blake2sHash>>(
+    prover_output: &CircuitProverOutput<H>,
+    config: &CairoCircuitVerifierConfig,
+) -> Result<Vec<FieldElement>, &'static str> {
+    let proof = CairoCircuitProof::<H>::from_prover_output(prover_output)?;
+    let mut bytes = Vec::new();
+    CairoSerialize::serialize(&proof, &mut bytes);
+    CairoSerialize::serialize(config, &mut bytes);
+    Ok(bytes)
+}
+
+/// `[trace_log_sizes, interaction_log_sizes]` from the prover output's components, in
+/// the order in which the prover committed columns. Each component contributes
+/// `n_trace_columns` cells for tree 1 and `n_interaction_columns` for tree 2, all
+/// tagged with that component's `log_size`.
+fn column_log_sizes_by_tree<H: MerkleHasherLifted<Hash = Blake2sHash>>(
+    prover_output: &CircuitProverOutput<H>,
+) -> [Vec<u32>; 2] {
+    let mut trace = Vec::new();
+    let mut interaction = Vec::new();
+    for component in &prover_output.components {
+        let bounds: TreeVec<ColumnVec<u32>> = component.trace_log_degree_bounds();
+        if let Some(t) = bounds.get(1) {
+            trace.extend_from_slice(t);
+        }
+        if let Some(i) = bounds.get(2) {
+            interaction.extend_from_slice(i);
+        }
+    }
+    [trace, interaction]
+}