Feat: support public input #30
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
3 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
#17
The PR adds support to public inputs to the circuits. Due to some engineering complications with halo2-lib APIs the way these are support is slightly different to the one described in the paper. In particular, the polynomial
aiandct0i, for eachUimatrix, are assigned to the circuit during phase 0 and exposed to the public during phase 0 . During phase 1 these polynomials are then evaluated at gamma through a constraint. Thecyclopolynomial is evaluated at gamma through a constraint during phase 1.The way of approaching the issue as described in the paper is still technically possible but presents a set of challenges:
instances, but the public inputsai(gamma),ct0i(gamma), for eachUimatrix, andcyclo(gamma)depend on gamma, which is extracted during proof generation. Some solutions I tried are available infeat-public-inputbranch. The biggest issue I see there is that the prover basically has to run the synthesise function once before generating the proof only to extract the challenge gamma, then evaluate the polynomials at gamma and then pass them as public inputs. Unfortunately, there's no API that allows to do soai,ct0i, for eachUimatrix, andcycloby the prover (outside of the proof), fetch the gamma and then evaluate these polynomials at gamma and see if these match with the public inputs of the circuit. Unfortunately, fetching the challenge gamma from the proof transcript is not a trivial task.As a consequence of this approach, there are more constraints to the circuit than originally described in the paper. These are the constraints necessary to evaluate
ai(gamma),ct0i(gamma), for eachUimatrix, andcyclo(gamma)inside the circuit. Nevertheless, the performance downgrade is very minimal, but you can see that its impact grows as the complexity of the circuit grows. You can see the impact with your eyes by checking the updated benchmarks in the README and compare them with the one shown in the paper.