proof-systems icon indicating copy to clipboard operation
proof-systems copied to clipboard
verified publisher icon o1-labs

Remove endo from SRS

Open mimoo opened this issue 3 years ago • 3 comments

the SRS struct has two endo fields endo_r and endo_q:

pub struct SRS<G: CommitmentCurve> {
    /// The vector of group elements for committing to polynomials in coefficient form
    #[serde_as(as = "Vec<o1_utils::serialization::SerdeAs>")]
    pub g: Vec<G>,
    /// A group element used for blinding commitments
    #[serde_as(as = "o1_utils::serialization::SerdeAs")]
    pub h: G,

    // TODO: the following field should be separated, as they are optimization values
    /// Commitments to Lagrange bases, per domain size
    #[serde(skip)]
    pub lagrange_bases: HashMap<usize, Vec<G>>,
    /// Coefficient for the curve endomorphism
    #[serde(skip)]
    pub endo_r: G::ScalarField,
    /// Coefficient for the curve endomorphism
    #[serde(skip)]
    pub endo_q: G::BaseField,
}

We should be able to remove these fields, as they are part of the KimchiCurve trait now: https://github.com/o1-labs/proof-systems/blob/master/kimchi/src/curve.rs#L25

mimoo avatar Jul 23 '22 12:07 mimoo

the "SRS.endo_r" and "SRS.endo_q" are used in https://github.com/o1-labs/proof-systems/blob/master/poly-commitment/src/evaluation_proof.rs#L244 and https://github.com/o1-labs/proof-systems/blob/master/poly-commitment/src/evaluation_proof.rs#L274.

does the whole system design allows the kimchi trait to be imported into the files mentioned above to provide the "endo_r" and "endo_q" variables?

vivanraaj avatar Jul 27 '22 14:07 vivanraaj

No because poly-commitment is a dependency of kimchi, and so you'd get a dependency cycle if you would do that.

I guess there's two solutions:

  1. Moving the KimchiCurve trait to a crate that can be imported by both would fix that (for example mina-curves).
  2. Pass these endo values as argument in the functions that need them

I liked solution 2 initially, as I was thinking that a poly-commitment library should only be aware of one curve, and not two, but I guess our poly-commitment might be aware of that. So maybe solution 1 is better here. cc @mrmr1993 who probably has a better opinion

mimoo avatar Jul 27 '22 17:07 mimoo

Stale issue message

github-actions[bot] avatar Sep 26 '22 07:09 github-actions[bot]

@mimoo I have one question about the issue. In fact, the endo_q and endo_r are initialized with endos::<G>() in here. Also, this endos::<G>() is also used for KimchiCurve implementation.

Is there any need to explicitly remove the endo_q and endo_r from the SRS struct? My point is that endos::<G>() is already used everywhere.

duguorong009 avatar Nov 14 '22 20:11 duguorong009

I thought I had answered this but apparently not, the point is that it doesn't really seem related to the SRS which should be a "commitment"-focused data structure (https://o1-labs.github.io/proof-systems/specs/urs.html). Semantically it doesn't seem to make sense to keep it there.

mimoo avatar Dec 02 '22 01:12 mimoo

@mimoo Please review the PR #895 I created for the solution.

duguorong009 avatar Dec 02 '22 03:12 duguorong009