Remove zk #73
Remove zk #73
Conversation
|
First look: I'd be rather in favor of trait level support for the zk property rather than compile time feature. Mostly because in the same session some circuits might need zk while for others zk can be turned off. Especially thinking about recursion graphs that we want to support in future probably developer would want to turn on zk for some layers and turn off for other levels. |
Would that be better if we set a flag in |
|
I'm not completely sure whether we should define the behavior by a boolean flag or by traits. However traits sounds to me a bit more useful than passing flags around. There also might be more customization in future so there would be many flags and conditionals around. |
|
Make sense to me. I will change that. |
|
By the way, I just found Plonky2 just had the same idea as me: they add a boolean flag in a circuit config and use this to change behaviors of the constraint builder. Here is their code FYI: https://github.com/mir-protocol/plonky2/blob/e10e103933b76d22dcc76b75a4065008d3ce39c0/plonky2/src/plonk/circuit_data.rs#L44 |
There was a problem hiding this comment.
I like this approach of the feature quite more than the one of the flag.
At the end, there's no use case where we might want to have a circuit compiled with and without zk properties. And if so, we can compile it twice.
So I'd rather take the feature approach as done here and not add any changes to the halo2 API.
LGTM. WDYT @kilic ??
What would be the benefit of a trait level ZK property? To define it by circuit instead of binary level? Which can be the use case for the trait-based ZK property?? Do it with a trait is viable of course. It's just that I don't really see the use case for it. |
|
@CPerezz I feel like this fork in the medium run can be a community preference to develop plonk based circuits with various customizations. I agree that in our case (zkevm) we can even remove whole zk stuff. It's not of course crucial to make it trait optional for now and maybe I'm just overthinking. However I've imagined bundle of circuits which have some relationship between them and some of them requires zk some of them not. So for example while synthesizing aggregation circuit it would probably be required know which circuit is zk which is not. Here we have three choices. 1. compile time flag (this PR) 2. boolean flag that @spherel suggest 3. trait level support that I'd think would be the best practice but I can be wrong. I think in circuit definition what customization is followed somehow should be known like option 2 and 3. So I'm also open for booleans. |
|
I have a question: since for circuits with or without zero-knowledge property will have different usable rows, can they still be aggregated together? I am not quite familiar with the aggregation, will it generate a proof of the verification circuit as a part of the whole proof or will it use polynomial commitment to link two circuits? |
|
@spherel Yes they can be aggregated together. We mostly process commitments to the columns (witness or fixed) in aggregation side which are actually some part of the verification algorithm. So content of rows or number of rows shouldn't effect verification algorithm.
And yes aggregation circuit is basically shifting some of verification work of bundle of circuits to prover side |
| let random_eval = eval_polynomial(&self.committed.random_poly, *x); | ||
| #[cfg(feature = "zero-knowledge")] |
There was a problem hiding this comment.
is it better to use brace to put them together? like
#[cfg(feature = "zero-knowledge")]
{
let random_eval = eval_polynomial(&self.committed.random_poly, *x);
transcript.write_scalar(random_eval)?;
}
more easy to read code
I see @kilic . So we can go with the trait if you're more in favour of it. I like it too. But before changing this PR, would be nice to see a design first so that we can all check it and comment on it before is implemented. |
|
Closing due to #76 |
* upgrade sha256 * fix clippy
* feat: call synthesize in `MockProver` multiple times to behave same as real prover * modify previous commit * Expose mod `permutation` and re-export `permutation::keygen::Assembly` (privacy-scaling-explorations#149) * feat: expose mod ule `permutation` and re-export `permutation::keygen::Assembly` * feat: derive `lone` for `permutation::keygen::Assembly` * feat: bump MSRV for `inferno` * change: Migrate workspace to pasta_curves-0.5 (privacy-scaling-explorations#157) * change: Migrate workspace to pasta_curves-0.5 This ports the majority of the workspace to the `pasta_curves-0.5.0` leaving some tricky edge-cases that we need to handle carefully. Resolves: privacy-scaling-explorations#132 * fix: Complete latest trait bounds to compile halo2proofs * change: Migrate examples & benches to pasta 0.5 * change: Migrate halo2_gadgets to pasta-0.5 * change: Update gadgets outdated code with latest upstream * fix: Sha3 gadget circuit * fix: doc tests * chore: Update merged main * fix: Apply review suggestions * fix previous commit * Extend Circuit trait to take parameters in config (privacy-scaling-explorations#168) * Extend Circuit trait to take parameters in config The Circuit trait is extended with the following: ``` pub trait Circuit<F: Field> { /// [...] type Params: Default; fn params(&self) -> Self::Params { Self::Params::default() } fn configure_with_params(meta: &mut ConstraintSystem<F>, params: &Self::Params) -> Self::Config { Self::configure(meta) } fn configure(meta: &mut ConstraintSystem<F>) -> Self::Config; } ``` This allows runtime parametrization of the circuit configuration. The extension to the Circuit trait has been designed to minimize the breaking change: existing circuits only need to define the associated `type Params`. Unfortunately "Associated type defaults" are unstable in Rust, otherwise this would be a non-breaking change. See rust-lang/rust#29661 * Implement circuit params under feature flag * Don't overwrite configure method * Fix doc test * Allow halo2 constraint names to have non static names (privacy-scaling-explorations#156) * static ref to String type in Gates, Constraints, VirtualCell, Argument * 'lookup'.to_string() * return &str for gate name and constriant_name, also run fmt * Update halo2_gadgets/Cargo.toml Co-authored-by: Han <[email protected]> * upgrade rust-toochain --------- Co-authored-by: Carlos Pérez <[email protected]> Co-authored-by: Han <[email protected]> * Improve halo2 query calls (privacy-scaling-explorations#154) * return expression from cell * add example * selector * recurse Expression to fill in index * minimized changes from the original * backword compatible meta.query_X & challange.expr() * cargo fmt * fixed lookup to pass all tests * Update comments Co-authored-by: Brecht Devos <[email protected]> * Update comments Co-authored-by: Brecht Devos <[email protected]> * Update comments Co-authored-by: Brecht Devos <[email protected]> * Update comments Co-authored-by: Brecht Devos <[email protected]> * Update comments Co-authored-by: Brecht Devos <[email protected]> * Update comments Co-authored-by: Brecht Devos <[email protected]> * update Co-authored-by: Brecht Devos <[email protected]> * add primitives.rs back * remove example2 * backward compatible meta.query_X & Column.cur(), next(), prev(), at(usize) * impl Debug & make side effects only when query.index.is_none() * change impl Debug for Expression instead & revert test in plonk_api * upgrade rust-toolchain * Update halo2_proofs/src/plonk/circuit.rs Co-authored-by: Han <[email protected]> * Update halo2_proofs/src/plonk/circuit.rs Co-authored-by: Han <[email protected]> * ran clippy * Update halo2_proofs/src/plonk/circuit.rs Co-authored-by: Han <[email protected]> --------- Co-authored-by: Brecht Devos <[email protected]> Co-authored-by: Han <[email protected]> * Implement Clone trait for Hash, Absorbing, and Sponge structs (privacy-scaling-explorations#171) * fix: Fix serialization for VerifyingKey (privacy-scaling-explorations#178) Now the value returned when the number of selectors is a multiple of 8 is correct. Resolves: privacy-scaling-explorations#175 * Add more getters to expose internal fields * add a constructor (privacy-scaling-explorations#164) * add a constructor * add more comment * fix as review * remove clone * remove * no need to use new variable * change comment * fix clippy * rename to from_parts * remove n declaration * feat: send sync region (privacy-scaling-explorations#180) * feat: send / sync region * Update layout.rs * update * lol * debug * Update keygen.rs * Update keygen.rs * Update keygen.rs * Update keygen.rs * thread-safe-region feature flag * cleanup * patch dev-graph * patch non-determinism in mapping creation * reduce mem usage for vk and pk * mock proving examples * swap for hashmap for insertion speed * reduce update overhead * replace BTree with Vec * add benchmarks * make the benchmarks massive * patch clippy * simplify lifetimes * patch benches * Update halo2_proofs/src/plonk/permutation/keygen.rs Co-authored-by: Han <[email protected]> * Update halo2_proofs/examples/vector-mul.rs Co-authored-by: Han <[email protected]> * rm benches * order once * patch lints --------- Co-authored-by: Han <[email protected]> * fix previous commit * Fix `parallelize` workload imbalance (privacy-scaling-explorations#186) * fix parallelize workload imbalance * remove the need of unsafe * Updates halo2_curves dependency to released package (privacy-scaling-explorations#190) THe package release ressets the version from those inherited by the legacy halo2curves repo's fork history. The upstream diff is: https://github.com/privacy-scaling-explorations/halo2curves/compare/9f5c50810bbefe779ee5cf1d852b2fe85dc35d5e..9a7f726fa74c8765bc7cdab11519cf285d169ecf * fix: explicitly define mds diff type (privacy-scaling-explorations#196) * fix: explicitly define mds diff type * rm paren * feat: expose `transcript_repr` of `VerifyingKey` and reduce the trait constraint (privacy-scaling-explorations#200) * implement native shuffle argument and api fix: remove nonsense comment strictly check shuffle rows address doc typos move compression into product commitment typo add shuffle errors for `verify_at_rows_par` dedup expression evaluation cargo fmt fix fields in sanity-checks feature * feat: public cells to allow for implementations of custom `Layouter` (privacy-scaling-explorations#192) * feat: public cells * Update mds.rs * Update mds.rs * Update single_pass.rs Co-authored-by: Han <[email protected]> * bump toolchain to resolve errors * fix clippy errors for CI run * rustfmt post clippy * plz let it be the last lint * patch clippy lints in gadgets * clippy lints for sha256 bench * patch halo2proof benches * Update assigned.rs * Update halo2_gadgets/src/poseidon/primitives/mds.rs Co-authored-by: Han <[email protected]> * Update halo2_gadgets/src/poseidon/primitives/mds.rs Co-authored-by: Han <[email protected]> --------- Co-authored-by: Han <[email protected]> * Synchronize with upstream (privacy-scaling-explorations#199) * refactor: add default impl for `SyncDeps` for backward compatability * feat: pick changes from zcash#728 and changes of flag `test-dev-graph` * feat: pick changes from zcash#622 * feat: pick changes about mod `circuit` and mod `dev` * feat: pick rest changes of `halo2_proofs` * fix: when `--no-default-features` * ci: sync from upstream, and deduplicate jobs when push to `main`, and remove always failing job `codecov`. * fix: make `commit_zk` runnable when `--no-default-features` * chore: Update rust-toolchain to 1.66 for testing (privacy-scaling-explorations#208) * chore: Update rust-toolchain to 1.66 for testing Note that tests will not compile due to the silent MSRV bump in `blake2b_simd`. Hence, we need to use `1.66` as toolchain. Resolves: privacy-scaling-explorations#207 * change: UIpdate MSRVs in Cargo.toml * fix: clippy (privacy-scaling-explorations#203) * fix: clippy * fmt * fix: Final clippy complains & adjustments --------- Co-authored-by: CPerezz <[email protected]> * Implement Sum and Product for Expression (privacy-scaling-explorations#209) * Make it Eq to make it easier for tests * Implement Sum and Product for Expression * Make it readable * chore: update poseidon dependency * fix: compiling bug with feautes=parallel_syn * feat(MockProver): replace errors by asserts(privacy-scaling-explorations#150) * boundary offset lost when resolving conflict * disable multiphase prover * Sync halo2 lib 0.4.0 merging (privacy-scaling-explorations#81) * Use thread pool for assign_regions (privacy-scaling-explorations#57) * feat: use rayon threadpool * feat: add UT for many subregions * refact: move common struct out to module level * refact: reuse common configure code * fix ci errors --------- Co-authored-by: kunxian xia <[email protected]> * Move `env_logger` dependency to dev-depdendencies (only for test). (privacy-scaling-explorations#69) * sync ff/group 0.13 * fix clippy * fix clippy * fmg * [FEAT] Upgrading table16 for SHA256 (privacy-scaling-explorations#73) * upgrade sha256 * fix clippy * Bus auto (privacy-scaling-explorations#72) * bus: expose global offset of regions * bus-auto: add query_advice and query_fixed function in witness generation * bus-auto: fix clippy --------- Co-authored-by: Aurélien Nicolas <[email protected]> * fix-tob-scroll-21 (privacy-scaling-explorations#59) * fix-tob-scroll-21 * expose param field for re-randomization * enable accessing for table16 (privacy-scaling-explorations#75) * chore: update poseidon link * merge sha256 gadget changes * Fix the CI errors (privacy-scaling-explorations#78) * cargo fmt * fix clippy error * Feat: switch to logup scheme for lookup argument (privacy-scaling-explorations#71) * Multi-input mv-lookup. (privacy-scaling-explorations#49) * Add mv_lookup.rs * mv_lookup::prover, mv_lookup::verifier * Replace lookup with mv_lookup * replace halo2 with mv lookup Co-authored-by: ying tong <[email protected]> * cleanups Co-authored-by: ying tong <[email protected]> * ConstraintSystem: setup lookup_tracker Co-authored-by: Andrija <[email protected]> * mv_lookup::hybrid_prover Co-authored-by: Andrija <[email protected]> * WIP * mv_multi_lookup: enable lookup caching Co-authored-by: therealyingtong <[email protected]> * Rename hybrid_lookup -> lookup * Chunk lookups using user-provided minimum degree Co-authored-by: Andrija <[email protected]> * mv_lookup bench Co-authored-by: Andrija <[email protected]> * Introduce counter feature for FFTs and MSMs Co-authored-by: Andrija <[email protected]> * Fix off-by-one errors in chunk_lookup Co-authored-by: Andrija <[email protected]> * bench wip * time evaluate_h * KZG * more efficient batch inversion * extended lookup example * Finalize mv lookup Author: therealyingtong <[email protected]> * Remove main/ * Fix according to the comments * replace scan with parallel grand sum computation * Revert Cargo.lock * mv lookup Argument name * parallel batch invert --------- Co-authored-by: Andrija <[email protected]> Co-authored-by: ying tong <[email protected]> Co-authored-by: therealyingtong <[email protected]> * fmt * fix unit test * fix clippy errors * add todo in mv_lookup's prover * fmt and clippy * fix clippy * add detailed running time of steps in logup's prover * fmt * add more log hooks * more running time logs * use par invert * use sorted-vector to store how many times a table element occurs in input * par the process to get inputs_inv_sum * use par * fix par * add feature to skip inv sums * add new feature flag * fix clippy error --------- Co-authored-by: Sphere L <[email protected]> Co-authored-by: Andrija <[email protected]> Co-authored-by: ying tong <[email protected]> Co-authored-by: therealyingtong <[email protected]> * fix some simple building errs * upgrade pathfinder_simd to newer version as it can't compile on mac m1 pro * resolve merge conflict * fmt * clippy * more clippy fix * more lint fix * fmt * minor syntax fix * fix ipa multiopen test failure * fix clippy warning * fmt * fix par scan of log_inv diff * remove uncessary clone --------- Co-authored-by: alannotnerd <[email protected]> Co-authored-by: kunxian xia <[email protected]> Co-authored-by: Steven <[email protected]> Co-authored-by: Carlos Pérez <[email protected]> Co-authored-by: zhenfei <[email protected]> Co-authored-by: Ho <[email protected]> Co-authored-by: naure <[email protected]> Co-authored-by: Aurélien Nicolas <[email protected]> Co-authored-by: Sphere L <[email protected]> Co-authored-by: Andrija <[email protected]> Co-authored-by: ying tong <[email protected]> Co-authored-by: therealyingtong <[email protected]> --------- Co-authored-by: han0110 <[email protected]> Co-authored-by: Velaciela <[email protected]> Co-authored-by: Carlos Pérez <[email protected]> Co-authored-by: Eduard S <[email protected]> Co-authored-by: CeciliaZ030 <[email protected]> Co-authored-by: Brecht Devos <[email protected]> Co-authored-by: Enrico Bottazzi <[email protected]> Co-authored-by: Ethan-000 <[email protected]> Co-authored-by: dante <[email protected]> Co-authored-by: Mamy Ratsimbazafy <[email protected]> Co-authored-by: François Garillot <[email protected]> Co-authored-by: kilic <[email protected]> Co-authored-by: Thor <[email protected]> Co-authored-by: CPerezz <[email protected]> Co-authored-by: chokermaxx <[email protected]> Co-authored-by: Zhang Zhuo <[email protected]> Co-authored-by: alannotnerd <[email protected]> Co-authored-by: kunxian xia <[email protected]> Co-authored-by: Steven <[email protected]> Co-authored-by: Ho <[email protected]> Co-authored-by: naure <[email protected]> Co-authored-by: Aurélien Nicolas <[email protected]> Co-authored-by: Sphere L <[email protected]> Co-authored-by: Andrija <[email protected]> Co-authored-by: ying tong <[email protected]> Co-authored-by: therealyingtong <[email protected]>
Summary:
To remove zero-knowledge, we need to
blinding_factorsto be 0. So the column structure should be[usable_rows, last_row].zerois needed).random_polyand its commitment in the vanishing argument.examples/simple-example-4.rsconstructs a circuit with2^k - 1rows.