-
Notifications
You must be signed in to change notification settings - Fork 36
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Parellel NIVC #256
base: dev
Are you sure you want to change the base?
Parellel NIVC #256
Conversation
…rk-lang#256) * chore: Update bellpepper and neptune dependencies - Updated `bellpepper-core` and `bellpepper` dependencies to version `0.4.0` - Upgraded `neptune` dependency to version `13.0.0` * refactor of SatisfyingAssignment as type alias of WitnessCS (lurk-lang#89) * initial refactor of WitnessCS with ex of new constr generic changes * explicit type information for usages of `SatisfyingAssignment::new` * use `scalar_` public getters for the aliased WitnessCS * go back to `_assignment` public fields * remove reference --------- Co-authored-by: johann bestowrous <[email protected]>
CycleFold
|
Native NIFS unificationSource: https://github.com/adr1anh/arecibo/blob/para-circuit/src/parafold/nifs/prover.rs The NIFS module in the native setting should work the same for both curves. However, we currently have two implementations for handling the subtleties on both curves. The main reasons for this are Different commitment types: If we parametrize the Scalar multiplication accumulator:
The scalar multiplications required for the folding proof on the secondary curve are computed normally and therefore do not need to be added to the transcript or proved later, so the folding methods specific to the secondary curve do not have a We could implement a It may be useful to make this an associated type of the |
Expanding
|
Public Parameter digestFor security, the public parameter digest of the different circuits needs to be included in the transcript in some form. This is not currently handled in this branch, but needs to be addressed differently from the existing SuperNova implementation. In the NIVC setting, the recursive verifier needs to store a representation of the accumulator instances for each circuit. In SuperNova, these are stored as their "raw representation" which means that at every iteration, the entire list of accumulators needs to be hashed. Instead, we noted that the verifier only needs to store a list of hashes of each accumulator. During the folding verification, the verifier must prove knowledge of the pre-image of the hash corresponding to the accumulator being folded. This simplifies the recursion circuit since we no longer need to conditionally select a vector of accumulator, but only a vector of hashes. The pre-image of the accumulator should include the public parameter digest of the circuit it corresponds to. This provides a strong link between the accumulator values ( |
3fb9da7
to
64db5b5
Compare
New thoughts on unifying NIFS for both curvesTrying to unify the implementations of the After some discussions, it seems likely we will want a different folding argument for the primary curve, whether that is HyperNova or an extension of Nova that supports more features. However, due to the tight constraints around the verifiability of secondary curve circuits, it does not seem likely we will replace Nova on the secondary curve with another arguments. Even if that did happen, we will likely end up with two arguments to maintain anyway. Even at this point, the two implementation diverge significantly enough that the only thing they really have in common is the
It is also almost certain that the secondary circuit will only be used to perform a single scalar multiplication of primary curve commitments. For this reason, I'd like to refactor the current PR as follows:
|
- replace nivc merge with merge_many - add alloc for circuit types
- define nivc state hasher
visibility
- Rework fold API - add ECC copy with Engine->Group - Replace E::TE with own transcript - placeholder NIFS secondary
- make accumulator fold mutate self - add engine type constraint - add `to_native` for converting back to the normal type
- Wrap ECC and EmulatedFieldElement - Make all structs CurveCycleEquipped - Specialize R1CS for both curves - Update Transcript
64db5b5
to
79bb090
Compare
- remove unused/commented out functions - revert to 128-bit limb hashing due to security concern - make ScalarMulAccumulator take ownership of R1CS accumulator - add ability to generate dummy input proof for circuit - use sponge for hashing the NIVC instance due to problems with variable-sized hashing - add test for `from_proof` - comment out merge-related code - ensure namespaces have unique names - remove wrong mersenne prime parameters - add emulatedbase tests - add cycle fold circuit - add inputize_hashed methods in allocated point for cyclefold circuit
- Rework primary IO. - Return transcript and state hash - Use correct Poseidon for sponge - Impl `eq_native` methods for comparing allocated types - Add ability to generate dummy proofs as initial input to the circuit - Fix `AllocatedPoint::enforce_trivial` - Impl CycleFold circuit - Ensure IO matches - Add Poseidon hashing of points - Fix AllocatedBase - fix `big_int_to_limbs` - fix other limb issues - add test - Fix `enforce_trivial` for `AllocatedBase` elements - Fix r_bits to r conversion - add recursive snark verification - use sponge for hashing state due to variable size
This (draft) PR introduces a new architecture for parallel folding. The goal is to support the current NIVC architecture introduced with SuperNova, while leaving room for generalizing to more complex PCD settings.