proof-systems icon indicating copy to clipboard operation
proof-systems copied to clipboard
verified publisher icon o1-labs

enforce power of alpha for public polynomial

Open mimoo opened this issue 3 years ago • 4 comments

in the prover:

        let public = witness[0][0..index.cs.public].to_vec();
        let public_poly = -Evaluations::<Fr<G>, D<Fr<G>>>::from_vec_and_domain(
            public.clone(),
            index.cs.domain.d1,
        )
        .interpolate();

From a quick glance I believe this should use the first alpha for the generic gate.

Note: if this is correct, we could also add a future tweak to halve the size of the public input (cc @imeckler), where the public polynomial values are computed as l1 + alpha^i * l2 where l1 and l2 are the two left registers for the double generic gate.

is this correct?

  • Maybe it's not, because we sample alpha after absorbing the public polynomial. Does this mean that we are forced to use alpha^0 as the first alpha for the gates? Need to think more about this (the spec will help hopefully).
  • We absorb the public input as part of the fiat shamir transform, why is this necessary? The PLONK paper doesn't do that, and we don't actually use that in the proof. I think we could remove this part.

mimoo avatar Mar 09 '22 18:03 mimoo

From a quick glance I believe this should use the first alpha for the generic gate.

This relies on the fact that the 'first alpha' for the generic gate is alpha^0. I would prefer if we assert that this is the case instead of using alpha for this.

where the public polynomial values are computed as l1 + alpha^i * l2 where l1 and l2 are the two left registers for the double generic gate

To compute alpha^1 * l2 in the verifier circuit for the indexth public input, we need lagrange(index / 2) ^ (alpha * public_input[index/2 + 1]) (for the second input). This works out as the more expensive (lagrange(0) ^ alpha) ^ public_input[1]. I'm not that a ~3/2 increase in cost for the verifier circuit to handle public input is a good trade-off, even if it halves the number of gates used for public input by the prover.

mrmr1993 avatar Mar 13 '22 09:03 mrmr1993

sounds like a better path indeed!

Yeah I discussed this with @imeckler as well and it seems to be a bad idea, at least because of the verifier circuit.

mimoo avatar Mar 13 '22 19:03 mimoo

Stale issue message

github-actions[bot] avatar May 13 '22 07:05 github-actions[bot]

Stale issue message

github-actions[bot] avatar Jul 25 '22 07:07 github-actions[bot]

Stale issue message

github-actions[bot] avatar Sep 24 '22 07:09 github-actions[bot]