recursion: add R1CS dump/shrink tooling

Cargo.toml

@@ -79,6 +79,7 @@ p3-field = { version = "=0.2.3-succinct" }
 p3-air = { version = "=0.2.3-succinct" }
 p3-baby-bear = { version = "=0.2.3-succinct" }
 p3-bn254-fr = { version = "=0.2.3-succinct" }
+p3-bls12-377-fr = { path = "crates/p3-bls12-377-fr", version = "0.2.3-succinct-pvugc.0" }
 p3-poseidon2 = { version = "=0.2.3-succinct" }
 p3-symmetric = { version = "=0.2.3-succinct" }
 p3-dft = { version = "=0.2.3-succinct" }
@@ -120,3 +121,4 @@ print_stdout = "deny"
 
 [patch.crates-io]
 sp1-lib = { path = "crates/zkvm/lib" }
+p3-field = { git = "https://github.com/syscoin/p3-field", branch = "main" }

PVUGC_FORK.md

@@ -0,0 +1,110 @@
+# SP1 Fork for PVUGC (BLS12-377)
+
+This is a minimal fork of [SP1](https://github.com/succinctlabs/sp1) that changes the final Groth16 wrapper from BN254 to BLS12-377 for PVUGC integration.
+
+## Changes Made
+
+### 0. `p3-field` `reduce_32` packing base (Fr377 soundness / consistency)
+
+SP1’s outer recursion uses the Plonky3 “multi-field” sponge/challenger (`p3-symmetric` /
+`p3-challenger`) which packs BabyBear limbs into the native field via `p3_field::reduce_32`.
+After migrating the Groth16 wrapper to **BLS12-377 Fr (~252 bits)**, the historical base \(2^{32}\)
+packing is **not injective** under our limb bounds (BabyBear limbs are < \(2^{31}\)), and it can also cause native-vs-circuit transcript mismatches.
+
+We therefore vendor `p3-field` and patch `reduce_32` to use **base \(2^{31}\)** so:
+- the packing is injective under SP1’s limb bounds for Fr377, and
+- the **native** prover transcript matches the **circuit** transcript.
+
+This is related to the general “multi-field challenger packing/bias” audit themes (see `audits/rkm0959.md`).
+
+### 1. `crates/recursion/gnark-ffi/go/sp1/build.go`
+
+Modified the existing `BuildGroth16(...)` path to compile and set up the Groth16 circuit over **BLS12-377** (instead of BN254):
+
+```go
+// Key change: ecc.BN254 → ecc.BLS12_377
+r1cs, err := frontend.Compile(ecc.BLS12_377.ScalarField(), r1cs.NewBuilder, &circuit)
+```
+
+### 2. `crates/recursion/gnark-ffi/go/sp1/prove.go`
+
+Modified the existing `ProveGroth16(...)` path to use **BLS12-377** (including its in-process caches):
+
+```go
+var globalR1cs constraint.ConstraintSystem = groth16.NewCS(ecc.BLS12_377)
+var globalPk groth16.ProvingKey = groth16.NewProvingKey(ecc.BLS12_377)
+```
+
+### 3. `crates/recursion/gnark-ffi/go/main.go`
+
+The CGO exports remain (historically) named `*Bn254` for compatibility, but they invoke the Groth16 path which is now **BLS12-377**:
+- `ProveGroth16Bn254`
+- `BuildGroth16Bn254`
+- `FreeGroth16Bn254Proof`
+
+## What's Unchanged
+
+- **SP1 Core**: All BabyBear STARK proving remains unchanged
+- **Recursion layers**: Reduce, Compress, Shrink - all unchanged
+- **Circuit logic**: The wrapper circuit verifies the same SP1 recursive proof
+- **Constraint IR**: The opcodes and simulation logic are identical
+
+## Poseidon2 (outer recursion) parameters
+
+- **Field**: BLS12-377 scalar field (Fr)
+- **Width**: \(t = 3\)
+- **S-box exponent**: \(\alpha = 11\)
+- **Rounds**: \(R_F = 8\), \(R_P = 37\) (ICICLE instance)
+- **Round constants (RC3)**:
+  - Rust: `crates/recursion/core/src/stark/poseidon2_bls12377_rc3.rs`
+  - Go: `crates/recursion/gnark-ffi/go/sp1/poseidon2/constants.go` (inlined in `init_rc3()`)
+
+## Usage
+
+### Build the Circuit (One-time setup)
+
+```bash
+# Generate Groth16 artifacts for BLS12-377
+BuildGroth16("/path/to/data")
+```
+
+### Prove
+
+```bash
+# Generate BLS12-377 Groth16 proof
+proof := ProveGroth16("/path/to/data", "/path/to/witness.json")
+```
+
+### In Rust (PVUGC)
+
+```rust
+use pvugc::sp1_bridge::{
+    decode_sp1_proof_hex,
+    parse_gnark_proof_bls12_377,
+};
+
+// Decode SP1's hex output
+let proof_bytes = decode_sp1_proof_hex(&sp1_proof.raw_proof)?;
+let proof = parse_gnark_proof_bls12_377(&proof_bytes)?;
+
+// Use with PVUGC outer circuit
+```
+
+#### Note on proof/VK wire formats
+
+- This fork standardizes on gnark's **`WriteRawTo` / `ReadFrom`** encoding for Groth16 proof + verifying key.
+- `raw_proof` is the hex encoding of gnark `(*Proof).WriteRawTo(...)`.
+- `encoded_proof` is unused for Groth16(BLS12-377) and is left empty (no Solidity encoding).
+
+## Upstream Tracking
+
+- **Base**: Forked from upstream SP1
+- **SP1 repo**: https://github.com/succinctlabs/sp1
+
+## Security Notes
+
+1. **New trusted setup required**: BLS12-377 requires its own trusted setup
+2. **VK changes**: The verification key will be different from BN254
+3. **Proof format**: Same structure, different curve points
+
+

crates/p3-bls12-377-fr/Cargo.toml

@@ -0,0 +1,26 @@
+[package]
+name = "p3-bls12-377-fr"
+version = "0.2.3-succinct-pvugc.0"
+edition = "2021"
+license = "MIT OR Apache-2.0"
+description = "Plonky3 field wrapper for the BLS12-377 scalar field (PVUGC local crate)."
+
+[lib]
+name = "p3_bls12_377_fr"
+path = "src/lib.rs"
+
+[dependencies]
+ff = { version = "0.13", features = ["derive", "derive_bits"] }
+num-bigint = { version = "0.4.3", default-features = false }
+p3-field = { version = "=0.2.3-succinct" }
+p3-poseidon2 = { version = "=0.2.3-succinct" }
+p3-symmetric = { version = "=0.2.3-succinct" }
+rand = "0.8.5"
+serde = { version = "1.0", features = ["derive"], default-features = false }
+
+[dev-dependencies]
+p3-field-testing = { version = "=0.2.3-succinct" }
+num-traits = "0.2.16"
+serde_json = "1.0.113"
+
+