microsoft · srinathsetty · Mar 16, 2026 · Mar 16, 2026 · Mar 16, 2026 · Mar 16, 2026
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "nova-snark"
-version = "0.65.0"
+version = "0.66.0"
 authors = ["Srinath Setty <srinath@microsoft.com>"]
 edition = "2021"
 description = "High-speed recursive arguments from folding schemes"

diff --git a/src/frontend/gadgets/poseidon/circuit2.rs b/src/frontend/gadgets/poseidon/circuit2.rs
@@ -36,30 +36,32 @@ impl<Scalar: PrimeField> Elt<Scalar> {
     Self::Num(num.add_bool_with_coeff(CS::one(), &Boolean::Constant(true), fr))
   }
 
-  /// Ensure Elt is allocated.
+  /// Ensure Elt is allocated as a fresh variable with an equality constraint.
+  /// The `enforce` parameter must always be `true` to maintain circuit soundness;
+  /// passing `false` would produce an unconstrained variable.
   pub fn ensure_allocated<CS: ConstraintSystem<Scalar>>(
     &self,
     cs: &mut CS,
     enforce: bool,
   ) -> Result<AllocatedNum<Scalar>, SynthesisError> {
-    match self {
-      Self::Allocated(v) => Ok(v.clone()),
-      Self::Num(num) => {
-        let v = AllocatedNum::alloc(cs.namespace(|| "allocate for Elt::Num"), || {
-          num.get_value().ok_or(SynthesisError::AssignmentMissing)
-        })?;
-
-        if enforce {
-          cs.enforce(
-            || "enforce num allocation preserves lc".to_string(),
-            |_| num.lc(Scalar::ONE),
-            |lc| lc + CS::one(),
-            |lc| lc + v.get_variable(),
-          );
-        }
-        Ok(v)
-      }
+    debug_assert!(enforce, "ensure_allocated must always enforce equality");
+    // Always allocate a fresh variable to guarantee consistent R1CS variable
+    // count regardless of whether `self` is `Allocated` or `Num`.
+    // Without this, compact-mode Poseidon produces different variable counts
+    // for different inputs, breaking IVC schemes with fixed R1CS shapes.
+    let v = AllocatedNum::alloc(cs.namespace(|| "ensure_allocated"), || {
+      self.val().ok_or(SynthesisError::AssignmentMissing)
+    })?;
+
+    if enforce {
+      cs.enforce(
+        || "enforce allocation preserves value".to_string(),
+        |_| self.lc(),
+        |lc| lc + CS::one(),
+        |lc| lc + v.get_variable(),
+      );
     }
+    Ok(v)
   }
 
   /// Get the value of the Elt.

diff --git a/src/frontend/util_cs/witness_cs.rs b/src/frontend/util_cs/witness_cs.rs
@@ -47,6 +47,26 @@ impl<Scalar> WitnessCS<Scalar>
 where
   Scalar: PrimeField,
 {
+  /// Create a new WitnessCS with pre-allocated capacity for aux and input variables.
+  /// This avoids repeated reallocations during synthesis for large circuits.
+  pub fn with_capacity(aux_capacity: usize, input_capacity: usize) -> Self {
+    let mut input_assignment = Vec::with_capacity(input_capacity + 1);
+    input_assignment.push(Scalar::ONE);
+    Self {
+      input_assignment,
+      aux_assignment: Vec::with_capacity(aux_capacity),
+    }
+  }
+
+  /// Clear the assignments while retaining allocated capacity.
+  /// This allows reusing the same WitnessCS across multiple synthesis calls
+  /// without reallocating.
+  pub fn clear(&mut self) {
+    self.input_assignment.clear();
+    self.input_assignment.push(Scalar::ONE);
+    self.aux_assignment.clear();
+  }
+
   /// Get input assignment
   pub fn input_assignment(&self) -> &[Scalar] {
     &self.input_assignment

diff --git a/src/gadgets/nonnative/bignat.rs b/src/gadgets/nonnative/bignat.rs
@@ -40,9 +40,38 @@ pub fn nat_to_limbs<Scalar: PrimeField>(
   limb_width: usize,
   n_limbs: usize,
 ) -> Result<Vec<Scalar>, SynthesisError> {
-  let mask = int_with_n_ones(limb_width);
-  let mut nat = nat.clone();
-  if nat.bits() as usize <= n_limbs * limb_width {
+  if nat.sign() == num_bigint::Sign::Minus {
+    return Err(SynthesisError::Unsatisfiable(format!(
+      "nat_to_limbs called with negative value {nat}"
+    )));
+  }
+  if nat.bits() as usize > n_limbs * limb_width {
+    return Err(SynthesisError::Unsatisfiable(format!(
+      "nat {nat} does not fit in {n_limbs} limbs of width {limb_width}"
+    )));
+  }
+  let bytes_per_limb = limb_width / 8;
+  if limb_width % 8 == 0 && bytes_per_limb <= 8 {
+    // Fast path: extract limbs directly from bytes
+    let (_, bytes) = nat.to_bytes_le();
+    Ok(
+      (0..n_limbs)
+        .map(|i| {
+          let start = i * bytes_per_limb;
+          let mut limb_val: u64 = 0;
+          for j in 0..bytes_per_limb {
+            if start + j < bytes.len() {
+              limb_val |= (bytes[start + j] as u64) << (j * 8);
+            }
+          }
+          Scalar::from(limb_val)
+        })
+        .collect(),
+    )
+  } else {
+    // Fallback for non-byte-aligned limb widths
+    let mask = int_with_n_ones(limb_width);
+    let mut nat = nat.clone();
     Ok(
       (0..n_limbs)
         .map(|_| {
@@ -52,10 +81,6 @@ pub fn nat_to_limbs<Scalar: PrimeField>(
         })
         .collect(),
     )
-  } else {
-    Err(SynthesisError::Unsatisfiable(format!(
-      "nat {nat} does not fit in {n_limbs} limbs of width {limb_width}"
-    )))
   }
 }
 

diff --git a/src/gadgets/nonnative/mod.rs b/src/gadgets/nonnative/mod.rs
@@ -2,7 +2,6 @@
 //! Code in this module is adapted from [bellman-bignat](https://github.com/alex-ozdemir/bellman-bignat), which is licenced under MIT
 
 use crate::frontend::SynthesisError;
-use ff::PrimeField;
 
 trait OptionExt<T> {
   fn grab(&self) -> Result<&T, SynthesisError>;
@@ -14,23 +13,6 @@ impl<T> OptionExt<T> for Option<T> {
   }
 }
 
-trait BitAccess {
-  fn get_bit(&self, i: usize) -> Option<bool>;
-}
-
-impl<Scalar: PrimeField> BitAccess for Scalar {
-  fn get_bit(&self, i: usize) -> Option<bool> {
-    if i as u32 >= Scalar::NUM_BITS {
-      return None;
-    }
-
-    let (byte_pos, bit_pos) = (i / 8, i % 8);
-    let byte = self.to_repr().as_ref()[byte_pos];
-    let bit = (byte >> bit_pos) & 1;
-    Some(bit == 1)
-  }
-}
-
 /// Module providing big natural number arithmetic in circuits.
 pub mod bignat;
 

diff --git a/src/gadgets/nonnative/util.rs b/src/gadgets/nonnative/util.rs
@@ -1,4 +1,4 @@
-use super::{BitAccess, OptionExt};
+use super::OptionExt;
 use crate::frontend::{
   num::AllocatedNum, ConstraintSystem, LinearCombination, SynthesisError, Variable,
 };
@@ -100,15 +100,37 @@ impl<Scalar: PrimeField> Num<Scalar> {
     mut cs: CS,
     n_bits: usize,
   ) -> Result<(), SynthesisError> {
+    assert!(
+      n_bits as u32 <= Scalar::NUM_BITS,
+      "n_bits ({n_bits}) exceeds field capacity ({})",
+      Scalar::NUM_BITS
+    );
     let v = self.value;
 
+    // Pre-compute all bit values from the field element's byte representation
+    // to avoid calling to_repr() per bit (which does Montgomery reduction each time).
+    let bit_values: Option<Vec<bool>> = v.map(|val| {
+      let repr = val.to_repr();
+      let bytes = repr.as_ref();
+      (0..n_bits)
+        .map(|i| {
+          let (byte_pos, bit_pos) = (i / 8, i % 8);
+          if byte_pos < bytes.len() {
+            (bytes[byte_pos] >> bit_pos) & 1 == 1
+          } else {
+            false
+          }
+        })
+        .collect()
+    });
+
     // Allocate all but the first bit.
     let bits: Vec<Variable> = (1..n_bits)
       .map(|i| {
         cs.alloc(
           || format!("bit {i}"),
           || {
-            let r = if *v.grab()?.get_bit(i).grab()? {
+            let r = if bit_values.as_ref().ok_or(SynthesisError::AssignmentMissing)?[i] {
               Scalar::ONE
             } else {
               Scalar::ZERO
@@ -179,9 +201,20 @@ impl<Scalar: PrimeField> Num<Scalar> {
     mut cs: CS,
     n_bits: usize,
   ) -> Result<Bitvector<Scalar>, SynthesisError> {
+    // Pre-compute all bit values with a single to_repr() call
     let values: Option<Vec<bool>> = self.value.as_ref().map(|v| {
-      let num = *v;
-      (0..n_bits).map(|i| num.get_bit(i).unwrap()).collect()
+      let repr = v.to_repr();
+      let bytes = repr.as_ref();
+      (0..n_bits)
+        .map(|i| {
+          let (byte_pos, bit_pos) = (i / 8, i % 8);
+          if byte_pos < bytes.len() {
+            (bytes[byte_pos] >> bit_pos) & 1 == 1
+          } else {
+            false
+          }
+        })
+        .collect()
     });
     let allocations: Vec<Bit<Scalar>> = (0..n_bits)
       .map(|bit_i| {
@@ -243,7 +276,17 @@ pub fn f_to_nat<Scalar: PrimeField>(f: &Scalar) -> BigInt {
 /// Convert a natural number to a field element.
 /// Returns `None` if the number is too big for the field.
 pub fn nat_to_f<Scalar: PrimeField>(n: &BigInt) -> Option<Scalar> {
-  Scalar::from_str_vartime(&format!("{n}"))
+  let (sign, bytes) = n.to_bytes_le();
+  if sign == Sign::Minus {
+    return None;
+  }
+  let mut repr = Scalar::Repr::default();
+  let repr_bytes = repr.as_mut();
+  if bytes.len() > repr_bytes.len() {
+    return None;
+  }
+  repr_bytes[..bytes.len()].copy_from_slice(&bytes);
+  Scalar::from_repr(repr).into()
 }
 
 use super::bignat::BigNat;