Chunking RFC

[mrmr1993]

Fix MinaProtocol/mina#12880

[barriebyron]

Congratulations and kudos @mrmr1993 for submitted our first O(1) Labs official PRD.

Your PRD is a model of completeness, context, benefit, and problems solved. Well done!

[barriebyron]

I feel like we "buried the lede" here, this detail would be very helpful in RFC summary section

[barriebyron]

Suggested change

	The `Pickles.compile` function should be modified to check for the number of chunks in each inductive rule's previous rule tags. When these are not consistent between inductive rules, the code must throw an error in order to achieve layout homogeneity.
	The `Pickles.compile` function must be modified to check for the number of chunks in each inductive rule's previous rule tags. When these numbers are not consistent between inductive rules, the code must throw an error in order to achieve layout homogeneity.

[barriebyron]

@mrmr1993 I love this first PRD, congratulations! What do we mean by "these" (these tags? or these numbers?)

[mrmr1993]

These numbers is correct. The pickles recursion layer needs everything to have the 'same shape', but the 'number of chunks' result in different layouts for the proofs that it consumes. Is there a way to word this that would make that detail clearer?

[bkase]

This section needs a little more detail I think -- unit testing what specifically at each layer? Which parts of the system? And then we should sketch out the SnarkyJS test also in a bit more detail, but maybe that entails figuring out the SnarkyJS details first: I suppose something with ZkProgram though?

[bkase]

This is amazing content, but maybe it's better served as a chapter of the Mina book and linked to from this RFC, so it's more accessible? What do you think?

This is of course not clear from the current template, so we can adjust after we settle this.

[bkase]

This part I think is definitely perfect to remain in the RFC

[bkase]

Does this impact anything other than Pickles/Kimchi and SnarkyJS (and the bindings)? Probably not, but just double checking. Maybe worth calling out explicitly? I tried to do that in the RFC I just drafted.

[bkase]

What exactly do we need to expose to the user? The number of chunks? Can't we compute that at circuit compile time? This is important for the SnarkyJS API design

[mitschabaude]

Amazing RFC, @mrmr1993! I was intrigued by this because I love Lagrange polynomials:

Value columns in the Mina proof are represented in evaluation form, as a list of values. In order to support efficient evaluations over these values, the LagrangeBasisEvaluations structure will need to be generalized to support evaluations of the 'chunked lagrange basis'. The approach to achieve this is equivalent to the one used in the SRS's add_lagrange_basis function, but using the explicit powers of z (z^0, z^1, ..., z^n) in place of the SRS curve points. This uses an iFFT, so will result in a performance degradation from linear time (O(n)) to O(c n log(n)) when chunking is in use, where c is the number of chunks.

I hope I didn't misunderstand the problem statement, but I think I found a way to do polynomial evaluations in O(n).

So the problem, as I understood it, is to evaluate $f_0(z), ..., f_3(z)$ at an arbitrary point $z$ (sticking with your example of 4 chunks), given the evaluations of

$$f = f_0 + x^n f_1 + x^{2n} f_2 + x^{3n} f_3$$

over the domain $1,\omega,...,\omega^{4n-1}$. Here $\omega$ is a $4n$-th root of 1.

The rough idea to solve it is to use this formula for the Lagrange polynomials:

$$L_i(x) = \frac{1}{4n} \sum_{j=0}^{4n-1} (\omega^{-i} x)^j$$

And now split up each Lagrange polynomial in a way that matches the splitting up of $f$ into $f_0,...,f_3$. In fact you can split it into

$$L_i(x) = L^0_i + (\omega^{-i}x)^{n}L^0_i + (\omega^{-i}x)^{2n}L^0_i + (\omega^{-i}x)^{3n}L^0_i$$

where

$$L^0_i(x) = \frac{1}{4n} \sum_{j=0}^{n-1} (\omega^{-i} x)^j.$$

Plugging that into the evaluation formula for $f$,

$$f(x) = \sum_{i=0}^{4n-1} f(\omega^i) L_i(x),$$

you arrive at corresponding formulas for the chunks $f_k$, $k = 0,1,2,3$,

$$f_k(x) = \sum_{i=0}^{4n-1} f(\omega^i) \omega^{-ikn} L^0_i(x).$$

All the $L^0_i(x)$ can be evaluated in ${O}(n)$, and so, all the $f_k$ can as well. In fact, if you split up $i$ by its residue modulo 4, like $i \rightarrow 4i + k$, where $i = 0,...,n-1$ and $k=0,1,2,3$, I can show that

$$4 L^0_{4i + k}(x) = \frac{\omega^{4i}}{n} \prod_{j\ne i}^{n-1} (\omega^{-k}x - \omega^{4j}) = L^n_i (\omega^{-k}x)$$

where the right hand side is just the $i$-th Lagrange polynomial with respect to the sub-domain $1,\omega^{4},...,\omega^{4(n-1)}$, generated by the $n$-th root of 1, $\omega^4$.

(As an aside, I think the LagrangeBasisEvaluations can be improved to need fewer multiplications and no division.)

[jspada]

Really nice write-up. Love the detail and the level it was written at. I've asked some questions that occur to me, which may be useful to the reader if answered with some detail.

[jspada]

I really like the way you describe this as what it is.

[jspada]

nit: missing a * here

[jspada]

and here

[jspada]

It would be helpful (at least to me) to explain what shift is

[jspada]

You lost me here. Could you explain what the targeted rows n-zk_rows+1 and n-zk_rows+2 are and why it helps to make them random? How could the verifier guess the ratio? What's the math that works out the negligible (~1/2^254) probability? Why is it important not to guess only those values between n-zk_rows+1 and n-1 and not all the other rows?

[jspada]

I thought we could not have zk_rows = 2c + k because it's too big for the d8 domain size?

[barriebyron]

@mrmr1993 is this PR ready to merge?
I am on deck to write a blog using this content