zkevm-circuits

Public Inputs Circuit: have a sound randomness

Open andyguzmaneth opened this issue 3 years ago • 6 comments

andyguzmaneth avatar Oct 27 '22 12:10 andyguzmaneth

How to obtain the randomness to compress the inputs. Is this part of the challenge API?

andyguzmaneth avatar Oct 27 '22 12:10 andyguzmaneth

We had a meeting with Han, David and me to discuss this. Here are the notes: https://hackmd.io/0Vj4K1_BR6GX7UV5HSaWsg?view These were the conclusions:

  • We need to remove the blinding factors to implement either shortcut 1 or KZG
    • https://github.com/privacy-scaling-explorations/halo2/issues/105
  • Until we do it, we will have an unsound system (for example, we could implement shortcut 1 with a fixed rand_rpi that doesn’t depend on the raw_public_inputs commitment, but that would mean a prover can generate fake proofs)

And this snippet summarizes how the randomness is obtained and how it's used (following shortcut 1 spec):

// prover
let mut transcript = Transcript::new();
// Here we calculate the public inputs
let rand_rpi = hash(circuit.raw_pi_comm() | raw_public_inputs);
// p = RLC(raw_public_inputs, rand_rpi);
create_proof(&circuit, &mut transcript);
let proof = transcript.finalize();

// verifier
let raw_pi_comm = extract_raw_pi_comm(proof);
// Recompute the challenge from the commitment extracted from the proof
let rand_rpi = hash(raw_pi_comm | raw_public_inputs);
verify_proof(&mut transcript);

ed255 avatar Nov 02 '22 10:11 ed255
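Added example, not part of the thread or of the zkevm-circuits code: a toy model of the soundness point above, showing that a fixed rand_rpi lets two different input vectors compress to the same RLC, while a challenge derived from the commitment and the inputs changes with them. The field (2^61 - 1), the `DefaultHasher` stand-in for the hash, the placeholder commitment value and all function names are assumptions made for illustration.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

// Toy prime field (2^61 - 1), an assumption; not the field the real circuit uses.
const P: u128 = (1 << 61) - 1;

/// p = sum_i inputs[i] * r^i mod P (Horner evaluation).
fn rlc(inputs: &[u64], r: u64) -> u64 {
    inputs.iter().rev().fold(0u128, |acc, &x| (acc * r as u128 + x as u128) % P) as u64
}

/// Stand-in for hash(raw_pi_comm | raw_public_inputs). DefaultHasher is NOT
/// cryptographic; a real implementation needs a collision-resistant hash.
fn derive_rand_rpi(raw_pi_comm: u64, raw_public_inputs: &[u64]) -> u64 {
    let mut h = DefaultHasher::new();
    raw_pi_comm.hash(&mut h);
    raw_public_inputs.hash(&mut h);
    (h.finish() as u128 % P) as u64
}

/// Different inputs with the same RLC under a challenge known in advance:
/// (a0 - d*r) + (a1 + d)*r = a0 + a1*r.
fn colliding_inputs(inputs: &[u64], r: u64, d: u64) -> Vec<u64> {
    let mut out = inputs.to_vec();
    let dr = (d as u128 * r as u128) % P;
    out[0] = ((out[0] as u128 + P - dr) % P) as u64;
    out[1] = ((out[1] as u128 + d as u128) % P) as u64;
    out
}

fn main() {
    let honest = [11u64, 22, 33]; // constructed sample values
    let fixed_r = 7;
    let forged = colliding_inputs(&honest, fixed_r, 5);
    // Fixed challenge: two different input vectors compress to the same p.
    println!("fixed: {} == {}", rlc(&honest, fixed_r), rlc(&forged, fixed_r));
    // Derived challenge: r changes with the inputs, so the collision no longer holds.
    let comm = 0xC0FFEE; // placeholder for the advice-column commitment
    let (r1, r2) = (derive_rand_rpi(comm, &honest), derive_rand_rpi(comm, &forged));
    println!("derived: {} vs {}", rlc(&honest, r1), rlc(&forged, r2));
}
```

The derivation only helps if the prover can compute the commitment before proving, which is why the thread ties it to removing the blinding factors.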

Let's keep this issue to track the sound implementation of the Public Inputs Circuit. Depends on:

  • https://github.com/privacy-scaling-explorations/halo2/issues/105

ed255 avatar Nov 10 '22 10:11 ed255

Possible idea: have a local Halo2 but comment ~3 lines of code in the device column. It should unblock

andyguzmaneth avatar Nov 17 '22 12:11 andyguzmaneth

In case #105 takes too much time to be merged, one can comment out this line to remove the blinding factors in advice columns, and the commitment of advice column should be predictable.

han0110 avatar Nov 17 '22 12:11 han0110

@han0110 has suggested an alternative approach that eliminates the dependency on https://github.com/privacy-scaling-explorations/halo2/issues/105 : A new deterministic Rng can be implemented, NoOpRng which always outputs 0. Then if it is used in create_proof we will also get a deterministic result without the need of changing the API to remove the blinding rows.

davidnevadoc avatar Nov 25 '22 17:11 davidnevadoc

Question. Do you know if #1345 fixes this issue? cc @davidnevadoc @hero78119

ChihChengLiang avatar Jun 30 '23 10:06 ChihChengLiang

> Question. Do you know if #1345 fixes this issue? cc @davidnevadoc @hero78119

It does! Previously we needed a random challenge to be used to calculate the circuit public input, which was an RLC of a bunch of field elements. Now the randomness is not required to calculate the public inputs, as we pass a keccak hash of all the data as input.

ed255 avatar Jun 30 '23 10:06 ed255

Nice. Let's mark it completed by #1345.

ChihChengLiang avatar Jun 30 '23 10:06 ChihChengLiang