feat: add R1CS extension foundations

[markosg04]

Part of the draft Jolt prover stack.

Base: prover-stack/02-jolt-claims-protocol-formulas
Head: prover-stack/03-r1cs-extensions

Adds shared R1CS, transcript, polynomial, field, BlindFold, and crypto foundations used by protocol wrappers.

Validation before submission:

• cargo fmt -q -- --check
• cargo metadata --no-deps --format-version 1
• local gh stack push simulation against a temporary bare remote
• forbidden-path scan for handoffs/, old STACK.md, stack/, and old stack workflow

[github-actions]

Warning

This PR has more than 500 changed lines and does not include a spec.

Large features and architectural changes benefit from a spec-driven workflow.
See CONTRIBUTING.md for details on how to create a spec.

If this PR is a bug fix, refactor, or doesn't warrant a spec, feel free to ignore this message.

[0xAndoroid]

Stack maintenance — Pika is rebasing this PR onto #1597 (prover-stack/02-jolt-claims-protocol-formulas) and fixing CI as part of the prover stack (#1596–#1606). Rebase + CI summary to follow.

[0xAndoroid]

Stack maintenance — rebased onto #1597 (prover-stack/02-jolt-claims-protocol-formulas); CI fixed.

📚 Stack A: #1596 → #1597 → #1598 (this PR) → #1599 → #1600 → #1601 → #1602 → #1603
📚 Stack B: #1596 → #1597 → #1604 → #1605 → #1606

#1596 and #1597 are shared by both stacks; each PR targets the one before it.

Conflict resolution

• crates/jolt-claims/src/protocols/jolt/formulas/bytecode.rs — kept feat: extend Jolt claim protocol formulas #1597's committed-program / two-phase bytecode formulas; feat: add R1CS extension foundations #1598's overlapping single-phase formula expansion was superseded by the parent stack.
• crates/jolt-claims/src/protocols/jolt/formulas/claim_reductions/advice.rs — kept feat: extend Jolt claim protocol formulas #1597's shared precommitted reduction layout/scheduling; feat: add R1CS extension foundations #1598's older local split helpers were superseded.
• crates/jolt-claims/src/protocols/jolt/formulas/error.rs — kept feat: extend Jolt claim protocol formulas #1597's richer precommitted/bytecode error variants and retained the evaluation-domain overflow variant.
• crates/jolt-poly/src/{dense.rs,eq.rs} — kept feat: extend Jolt claim protocol formulas #1597's current optimized/equivalent helpers; feat: add R1CS extension foundations #1598's overlapping helper edits were already present or equivalent.
• crates/jolt-transcript/{Cargo.toml,src/digest.rs,src/lib.rs} — kept feat: extend Jolt claim protocol formulas #1597's spongefish-compatible transcript surface, added only the R1CS transcript feature/module from feat: add R1CS extension foundations #1598, and resolved the add/add on digest.rs by keeping feat: extend Jolt claim protocol formulas #1597's core-compatible digest transcript implementation.

[github-actions]

Claude code review session started: https://claude.ai/code/session_01QkiBw7VPFYPPVdBDnKTKAy

[moodlezoup]

Reviewed the R1CS foundations across the nonnative-field, EC-gadget, Poseidon-transcript, polynomial, and BlindFold/sumcheck additions. No soundness-critical issues found — the nonnative Fq-in-Fr arithmetic (range checks, carry chains, modular-reduction uniqueness), the Grumpkin EC gadgets, and the Nova-fold/Spartan structure all check out, and the split-eq/Lt/Lagrange/one-hot ports are validated against dense references. The inline comments are mostly latent (these foundations have few or no callers yet), but worth pinning down before they get wired up.

A few smaller notes not worth inline comments:

• poseidon.rs: the in-circuit transcript only self-validates against a hand-rolled NativeTranscript in the same file, not against the actual jolt-core PoseidonTranscript it's meant to reproduce bit-for-bit. There are two divergent native transcripts in the repo (LE/32-byte/n_rounds vs BE/31-byte/length-prefixed); the gadget matches the former. A pinned known-answer test against the real prover transcript would catch silent desync.
• split_eq.rs:275-315: e_out_in_for_window/e_active_for_window are caller-less and untested, with index math guarded only by debug_assert!. Add tests against a dense reference or defer to the PR that introduces a caller.
• nonnative.rs: CARRY_BITS = 68 is load-bearing for both completeness and the no-wrap soundness argument (honest max carry is 66 bits) — worth a WHY comment.
• prove.rs BlindFold outer/inner sumcheck accumulation loops are serial in the dominant first rounds (unlike the par_iter hot sumchecks in jolt-core); fine for a small verifier R1CS but worth revisiting if the circuit grows.

---

Generated by Claude Code

[moodlezoup]

pos/neg are only Limbs<5> (320 bits), but fmadd_magnitude adds terms up to value (~254 bits) × scalar (~64 bits) ≈ 2^318, and add_assign_trunc::<5> truncates with no overflow check or debug_assert. Summing only a few full-width terms wraps silently and reduce() returns a wrong value with no signal (confirmed empirically). Nothing calls this yet so it's dormant, but fmadd_u64/add accept arbitrary Fr values, so a caller passing full field elements gets silent corruption. Unlike WideAccumulator/FrSignedProductAccumulator (u128 slots, documented headroom), the capacity here is undocumented. Either widen to u128-based slots or document the small-value precondition on SignedScalarAccumulator and add a debug_assert on the carry-out limb.

---

Generated by Claude Code

[moodlezoup]

pack_bytes computes Σ byte_i · 256^i over the byte witnesses' lc but never range-constrains each byte to [0,256). The native from_le_bytes_mod_order has no such freedom, so for the gadget to bind to a canonical byte string the caller must guarantee each Byte is in range — otherwise a malicious witness (e.g. byte_0 = 256, byte_1 = 0 vs byte_0 = 0, byte_1 = 1) produces the same packed scalar and the same transcript state from different "byte strings", breaking the binding of absorb_bytes. This obligation is currently undocumented on R1csByteTranscript::Byte/absorb_bytes. Either range-check internally or document the [0,256) invariant prominently.

---

Generated by Claude Code

[moodlezoup]

Transcript asymmetry: the verifier appends bf_witness_opening/bf_witness_blind here, but the prover (prove.rs, after open_rows for the folded witness) never appends it — it only appends bf_error_opening. Harmless today since this is the last transcript op and no challenge is derived afterward, but it's a real prover/verifier divergence. If this BlindFold transcript is ever chained into a larger protocol (the stated direction of this stack), the verifier's transcript state will diverge from the prover's. Either append it on the prover side too, or drop this append.

---

Generated by Claude Code

[moodlezoup]

constant_mul_terms is a byte-for-byte copy of convolution_terms above (lines 521-529). Both callers (the product convolution at line 300 and the modulus·quotient reduction at line 314) can share a single helper — drop one.

---

Generated by Claude Code

[moodlezoup]

The 4×4 u128-slot product loop and the normalize carry-propagation pass here are identical to wide_accumulator.rs (fmadd/normalize), differing only in Limbs<9> vs BigInt<9> return type (which interconvert via arkworks/mod.rs). This signed-product accumulator is essentially two wide accumulators (pos/neg) plus a sign branch in reduce. Extract a shared fmadd_into(slots, a, b) + normalize(slots) so the carry logic lives in one place.

---

Generated by Claude Code