Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update the root circuit to conditionally verify Keccak proofs #652

Merged
merged 40 commits into from
Oct 7, 2024

Conversation

sai-deng
Copy link
Contributor

@sai-deng sai-deng commented Sep 23, 2024

Implements the new root circuits in #620
This PR has been tested in combination with #657 and #648
Please review the circuit carefully, as it may impact the security of the system.

The gate number increased by 3083 when using the table ranges in .env.

Circuit size before this PR:

 33780 gates to root
 | 294 gates to evaluate the vanishing polynomial at our challenge point, zeta.
 | | 243 gates to evaluate gate constraints
 | | | 123 gates to evaluate PoseidonGate(PhantomData<plonky2_field::goldilocks_field::GoldilocksField>)<WIDTH=12> constraints
 | 3244 gates to verify FRI proof
 | | 113 gates to verify one (of 28) query rounds
 | 292 gates to evaluate the vanishing polynomial at our challenge point, zeta.
 | | 243 gates to evaluate gate constraints
 | | | 124 gates to evaluate PoseidonGate(PhantomData<plonky2_field::goldilocks_field::GoldilocksField>)<WIDTH=12> constraints
 | 3226 gates to verify FRI proof
 | | 114 gates to verify one (of 28) query rounds
 | 293 gates to evaluate the vanishing polynomial at our challenge point, zeta.
 | | 243 gates to evaluate gate constraints
 | | | 124 gates to evaluate PoseidonGate(PhantomData<plonky2_field::goldilocks_field::GoldilocksField>)<WIDTH=12> constraints
 | 3243 gates to verify FRI proof
 | | 113 gates to verify one (of 28) query rounds
 | 291 gates to evaluate the vanishing polynomial at our challenge point, zeta.
 | | 241 gates to evaluate gate constraints
 | | | 123 gates to evaluate PoseidonGate(PhantomData<plonky2_field::goldilocks_field::GoldilocksField>)<WIDTH=12> constraints
 | 3226 gates to verify FRI proof
 | | 113 gates to verify one (of 28) query rounds
 | 293 gates to evaluate the vanishing polynomial at our challenge point, zeta.
 | | 244 gates to evaluate gate constraints
 | | | 124 gates to evaluate PoseidonGate(PhantomData<plonky2_field::goldilocks_field::GoldilocksField>)<WIDTH=12> constraints
 | 3223 gates to verify FRI proof
 | | 113 gates to verify one (of 28) query rounds
 | 293 gates to evaluate the vanishing polynomial at our challenge point, zeta.
 | | 243 gates to evaluate gate constraints
 | | | 125 gates to evaluate PoseidonGate(PhantomData<plonky2_field::goldilocks_field::GoldilocksField>)<WIDTH=12> constraints
 | 3244 gates to verify FRI proof
 | | 114 gates to verify one (of 28) query rounds
 | 292 gates to evaluate the vanishing polynomial at our challenge point, zeta.
 | | 242 gates to evaluate gate constraints
 | | | 123 gates to evaluate PoseidonGate(PhantomData<plonky2_field::goldilocks_field::GoldilocksField>)<WIDTH=12> constraints
 | 3226 gates to verify FRI proof
 | | 113 gates to verify one (of 28) query rounds
 | 292 gates to evaluate the vanishing polynomial at our challenge point, zeta.
 | | 243 gates to evaluate gate constraints
 | | | 124 gates to evaluate PoseidonGate(PhantomData<plonky2_field::goldilocks_field::GoldilocksField>)<WIDTH=12> constraints
 | 3242 gates to verify FRI proof
 | | 112 gates to verify one (of 28) query rounds
 | 294 gates to evaluate the vanishing polynomial at our challenge point, zeta.
 | | 244 gates to evaluate gate constraints
 | | | 125 gates to evaluate PoseidonGate(PhantomData<plonky2_field::goldilocks_field::GoldilocksField>)<WIDTH=12> constraints
 | 3227 gates to verify FRI proof
 | | 115 gates to verify one (of 28) query rounds
 Total gate counts:
 - 423 instances of ReducingExtensionGate { num_coeffs: 32 }
 - 513 instances of BaseSumGate { num_limbs: 63 } + Base: 2
 - 833 instances of MulExtensionGate { num_ops: 13 }
 - 1849 instances of RandomAccessGate { bits: 4, num_copies: 4, num_extra_constants: 2, _phantom: PhantomData<plonky2_field::goldilocks_field::GoldilocksField> }<D=2>
 - 1260 instances of ReducingGate { num_coeffs: 43 }
 - 504 instances of CosetInterpolationGate { subgroup_bits: 4, degree: 6, barycentric_weights: , _phantom: PhantomData<plonky2_field::goldilocks_field::GoldilocksField> }<D=2>
 - 26 instances of RandomAccessGate { bits: 3, num_copies: 8, num_extra_constants: 0, _phantom: PhantomData<plonky2_field::goldilocks_field::GoldilocksField> }<D=2>
 - 25346 instances of PoseidonGate(PhantomData<plonky2_field::goldilocks_field::GoldilocksField>)<WIDTH=12>
 - 1 instances of ConstantGate { num_consts: 2 }
 - 34 instances of RandomAccessGate { bits: 5, num_copies: 2, num_extra_constants: 2, _phantom: PhantomData<plonky2_field::goldilocks_field::GoldilocksField> }<D=2>
 - 1723 instances of ArithmeticExtensionGate { num_ops: 10 }
 - 270 instances of PoseidonMdsGate(PhantomData<plonky2_field::goldilocks_field::GoldilocksField>)<WIDTH=12>
 - 998 instances of ArithmeticGate { num_ops: 20 }
 Degree before blinding & padding: 36054
 Degree after blinding & padding: 65536

After this PR:

36863 gates to root
 | 295 gates to evaluate the vanishing polynomial at our challenge point, zeta.
 | | 243 gates to evaluate gate constraints
 | | | 123 gates to evaluate PoseidonGate(PhantomData<plonky2_field::goldilocks_field::GoldilocksField>)<WIDTH=12> constraints
 | 3243 gates to verify FRI proof
 | | 112 gates to verify one (of 28) query rounds
 | 292 gates to evaluate the vanishing polynomial at our challenge point, zeta.
 | | 243 gates to evaluate gate constraints
 | | | 125 gates to evaluate PoseidonGate(PhantomData<plonky2_field::goldilocks_field::GoldilocksField>)<WIDTH=12> constraints
 | 3225 gates to verify FRI proof
 | | 114 gates to verify one (of 28) query rounds
 | 294 gates to evaluate the vanishing polynomial at our challenge point, zeta.
 | | 244 gates to evaluate gate constraints
 | | | 124 gates to evaluate PoseidonGate(PhantomData<plonky2_field::goldilocks_field::GoldilocksField>)<WIDTH=12> constraints
 | 3242 gates to verify FRI proof
 | | 113 gates to verify one (of 28) query rounds
 | 1521 gates to select proof
 | 292 gates to evaluate the vanishing polynomial at our challenge point, zeta.
 | | 242 gates to evaluate gate constraints
 | | | 124 gates to evaluate PoseidonGate(PhantomData<plonky2_field::goldilocks_field::GoldilocksField>)<WIDTH=12> constraints
 | 3228 gates to verify FRI proof
 | | 113 gates to verify one (of 28) query rounds
 | 1521 gates to select proof
 | 294 gates to evaluate the vanishing polynomial at our challenge point, zeta.
 | | 244 gates to evaluate gate constraints
 | | | 124 gates to evaluate PoseidonGate(PhantomData<plonky2_field::goldilocks_field::GoldilocksField>)<WIDTH=12> constraints
 | 3223 gates to verify FRI proof
 | | 114 gates to verify one (of 28) query rounds
 | 293 gates to evaluate the vanishing polynomial at our challenge point, zeta.
 | | 243 gates to evaluate gate constraints
 | | | 125 gates to evaluate PoseidonGate(PhantomData<plonky2_field::goldilocks_field::GoldilocksField>)<WIDTH=12> constraints
 | 3244 gates to verify FRI proof
 | | 115 gates to verify one (of 28) query rounds
 | 293 gates to evaluate the vanishing polynomial at our challenge point, zeta.
 | | 243 gates to evaluate gate constraints
 | | | 124 gates to evaluate PoseidonGate(PhantomData<plonky2_field::goldilocks_field::GoldilocksField>)<WIDTH=12> constraints
 | 3227 gates to verify FRI proof
 | | 114 gates to verify one (of 28) query rounds
 | 292 gates to evaluate the vanishing polynomial at our challenge point, zeta.
 | | 243 gates to evaluate gate constraints
 | | | 125 gates to evaluate PoseidonGate(PhantomData<plonky2_field::goldilocks_field::GoldilocksField>)<WIDTH=12> constraints
 | 3242 gates to verify FRI proof
 | | 112 gates to verify one (of 28) query rounds
 | 293 gates to evaluate the vanishing polynomial at our challenge point, zeta.
 | | 242 gates to evaluate gate constraints
 | | | 124 gates to evaluate PoseidonGate(PhantomData<plonky2_field::goldilocks_field::GoldilocksField>)<WIDTH=12> constraints
 | 3228 gates to verify FRI proof
 | | 114 gates to verify one (of 28) query rounds
 Total gate counts:
 - 423 instances of ReducingExtensionGate { num_coeffs: 32 }
 - 513 instances of BaseSumGate { num_limbs: 63 } + Base: 2
 - 833 instances of MulExtensionGate { num_ops: 13 }
 - 1849 instances of RandomAccessGate { bits: 4, num_copies: 4, num_extra_constants: 2, _phantom: PhantomData<plonky2_field::goldilocks_field::GoldilocksField> }<D=2>
 - 1260 instances of ReducingGate { num_coeffs: 43 }
 - 504 instances of CosetInterpolationGate { subgroup_bits: 4, degree: 6, barycentric_weights: , _phantom: PhantomData<plonky2_field::goldilocks_field::GoldilocksField> }<D=2>
 - 26 instances of RandomAccessGate { bits: 3, num_copies: 8, num_extra_constants: 0, _phantom: PhantomData<plonky2_field::goldilocks_field::GoldilocksField> }<D=2>
 - 25355 instances of PoseidonGate(PhantomData<plonky2_field::goldilocks_field::GoldilocksField>)<WIDTH=12>
 - 1 instances of ConstantGate { num_consts: 2 }
 - 34 instances of RandomAccessGate { bits: 5, num_copies: 2, num_extra_constants: 2, _phantom: PhantomData<plonky2_field::goldilocks_field::GoldilocksField> }<D=2>
 - 2183 instances of ArithmeticExtensionGate { num_ops: 10 }
 - 270 instances of PoseidonMdsGate(PhantomData<plonky2_field::goldilocks_field::GoldilocksField>)<WIDTH=12>
 - 3612 instances of ArithmeticGate { num_ops: 20 }
 Degree before blinding & padding: 39137
 Degree after blinding & padding: 65536

@github-actions github-actions bot added the crate: evm_arithmetization Anything related to the evm_arithmetization crate. label Sep 23, 2024
@sai-deng sai-deng changed the base branch from develop to sai/skip_table_in_root_circuit September 23, 2024 22:41
@sai-deng sai-deng changed the title Update root circuit to conditionally verify Keccak proofs Update the root circuit to conditionally verify Keccak proofs Sep 25, 2024
@sai-deng sai-deng marked this pull request as ready for review September 25, 2024 17:39
Copy link
Collaborator

@Nashtare Nashtare left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Sai, just a couple nits for readability

evm_arithmetization/src/fixed_recursive_verifier.rs Outdated Show resolved Hide resolved
evm_arithmetization/src/fixed_recursive_verifier.rs Outdated Show resolved Hide resolved
Comment on lines +330 to +332
builder.add_gate_to_gate_set(GateRef::new(ConstantGate::new(
builder.config.num_constants,
)));
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe unrelated, but if we add this to the common recursion gates, I think we may be able to remove this from the root circuit definition?

builder.add_gate(
            ConstantGate::new(inner_common_data[0].config.num_constants),
            vec![],
        );

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We may get trouble without it in the recursion circuits after it. Since in conditional verifying, we need a dummy circuit. But the dummy circuit will generate a constant gate while this one (root circuit) will not generate it.

sai-deng and others added 3 commits September 30, 2024 11:02
Co-authored-by: Robin Salen <30937548+Nashtare@users.noreply.github.com>
Co-authored-by: Robin Salen <30937548+Nashtare@users.noreply.github.com>
@sai-deng
Copy link
Contributor Author

Thanks for reviewing. I just tested the root circuit size changes.
The gate number increased by 3083.
But it still has the same degree after padding:

Degree after blinding & padding: 65536
See the updated PR description for more details.

@sai-deng sai-deng force-pushed the sai/conditionally_verify_in_root_circuit branch from 04aaffc to a23eaf0 Compare September 30, 2024 18:52
@sai-deng sai-deng force-pushed the sai/conditionally_verify_in_root_circuit branch from 75f6452 to baba9da Compare September 30, 2024 19:09
Base automatically changed from sai/skip_table_in_root_circuit to develop October 2, 2024 16:03
@Nashtare Nashtare added this to the Performance Tuning milestone Oct 3, 2024
@sai-deng sai-deng merged commit 1816253 into develop Oct 7, 2024
20 checks passed
@sai-deng sai-deng deleted the sai/conditionally_verify_in_root_circuit branch October 7, 2024 15:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
crate: evm_arithmetization Anything related to the evm_arithmetization crate.
Projects
Status: Done
Development

Successfully merging this pull request may close these issues.

3 participants