feat: Use oink in IVC #8161
feat: Use oink in IVC #8161
Conversation
| struct FoldingVerifierInputs { | ||
| FoldProof proof; | ||
| std::shared_ptr<VerificationKey> instance_vk; | ||
| QUEUE_TYPE type; |
There was a problem hiding this comment.
Seems like this struct and the proof type inside should be renamed now because it's not about folding in the Oink case, right?
There was a problem hiding this comment.
Also, why not handle the merge steps using this queue as well?
There was a problem hiding this comment.
Thanks, updated the naming. You're right that the merge stuff could be handled in the same way. I didn't do it because there are no verification keys for the merge protocol and also because I'm hoping that the merge recursive verifier goes away altogether. If it doesn't tho, you're right that it should probably be made to conform
| */ | ||
| void execute(RecursiveVerifierInstances& instances) | ||
| void execute(WitnessCommitments& commitments, |
There was a problem hiding this comment.
Will you please make this const correct if it's not?
There was a problem hiding this comment.
Good call, thanks. consts added to basically everything
Prior to this work the first call to IVC accumulate initialized an incomplete (un-oinked) instance for the circuit. The second round then executed folding on two incomplete instances, requiring a call to oink for each. Subsequent folding rounds only required a single oink since the instance being folded into is a "complete" accumulator. This pattern creates additional special case handling in IVC/databus. It also results in the first folding proof having a complicated structure (two internal oink proofs) which makes acir constraint construction and the corresponding proof surgery quite complicated. (The current noir framework can't even support this since recursive verification of the first fold proof involves a single proof but two verification keys).
With the present work, the first round of accumulation now uses oink to complete the instance and create an oink proof. The first kernel (instead of doing no recursive work) now does a single recursive oink verification. This allows for all subsequent rounds to have identical structure - they fold two instances where only the new one is incomplete and thus only one oink proof is contained in the fold proof. It also allows every recursive verification (there are now two types: oink and PG) to be associated with a single proof and a single verification key, in line with how recursion is currently specified from noir.
Note: This change also simplifies the databus consistency checks since there is no longer any need to treat the first round of folding as a special case.