ledwards2225

Constraints are currently not added when hashing in an Ultra arithmetized circuit (i.e. a recursive verifier). This was done for convenience since Ultra does not have poseidon.

Currently we generate log_n many gate challenges (the challenges used to construct the pow polynomial for sumcheck). For consistency with the constant honk proof size work, this would need to...

This is a catch all issue for a handful of known (and likely some unknown) issues with constraints in the recursive verifiers, particularly in Sumcheck/Zeromorph where native and circuit code...

The set of tests in Dockerfile.bb.js is newer. Some tests (3?) were added to Dockerfile.bb.js instead of the Earthfile due to confusion about which was active. Some of these tests...

Does the public inputs offset leak information? Definitely not if we use a structured trace, but otherwise yes. Historically the public inputs were placed at the top of the wires....

Currently, to verify a ClientIvc proof, the same `ClientIvc` instance needs to be used for both proving and verifying. This is not viable in practice since in general the prover...

The method `commit_structured_with_nonzero_complement` involves making a full copy of the srs points corresponding to the complement of the "active" region of the execution trace. These points are then summed into...

The `MsmSorter` class was designed to facilitate efficient commitment to polynomials with many repeated coefficients. The idea was to sort the scalars/points by scalar, sum the points sharing a common...

The tube circuit takes the public inputs from the tail kernel proof and converts them to its own public inputs. We do not include the aggregation object or databus commitments...

Currently an ACIR ivc recursion constraint requires witnesses corresponding to the VK, the public inputs, and the proof (without public inputs). The VK and public inputs are genuinely known in...