CHUNG: Understanding Chung's construction in the ZigZag graph #144
@porcuquine: is this "close enough" to what we do in the code? :) Question (@nicola): in each layer we use the permutation P and its inverse, P^{-1}. Because of this, each node can have more than d parents. Right?
For reference, this is the (not correctly formatted) Chung spec: …
We only use one permutation (direct or inverse) per layer; the rest seems close enough. (Yes, we invert node indexes in the reverse direction.)
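A minimal sketch of that per-layer alternation (all names illustrative, not the actual code): assuming a permutation `pi` over a domain of n*d slots (d copies per node), even layers derive parents via `pi` and odd layers via its inverse.

```rust
// Illustrative sketch: one permutation per layer, direct on even
// layers and inverse on odd layers. `pi`/`pi_inv` are stand-ins.
fn layer_parents(
    layer: usize,
    i: u64,
    d: u64,
    pi: &dyn Fn(u64) -> u64,
    pi_inv: &dyn Fn(u64) -> u64,
) -> Vec<u64> {
    let f = if layer % 2 == 0 { pi } else { pi_inv };
    // Copy k of node i is matched to some copy of its k-th parent.
    (0..d).map(|k| f(i * d + k) / d).collect()
}
```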
Yes, that would be my intuition. Looking at the paper pseudo-code, we iterate 8 times.
On a personal note, I would also like to better understand the intuition behind simultaneously using both P and its inverse P^{-1}.
Thanks @schomatis!
@schomatis
To understand the second case: recall that if the standard Chung construction creates an edge from node u to node v, then in the reversed layer that same edge must appear with its direction flipped, so the parent/child relation has to be invertible.
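A sketch of that invertibility point (illustrative names only): if the forward layer finds a node's parents through `pi`, then applying the inverse permutation from a node's slots recovers exactly the nodes whose edges point at it, i.e., the same edges with direction flipped.

```rust
// Illustrative only: the inverse permutation recovers the reversed
// edges of the Chung matching for node v.
fn reversed_parents(v: u64, d: u64, pi_inv: &dyn Fn(u64) -> u64) -> Vec<u64> {
    (0..d).map(|k| pi_inv(v * d + k) / d).collect()
}
```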
Thanks for the explanation! I agree with the necessity of the property that the parent/child relation should be invertible, but I'm not sure I can extract from that the rationale for using the current construction, in contrast with the other two proposals I submitted as examples (e.g., using only a single permutation). To put a simple example (because I sense there might be a gap in my understanding of the Chung permutation or its properties): in the even layer, is there any guarantee about, say, which parents a given node will be assigned? In this case do I have different probabilities of having one parent rather than another?
@irenegiacomelli I think @schomatis understands both the implementation and my specific question about the implications of changing it. For that reason, I'll leave this to him. Please one of you ping me here if something new comes up, we reach a resolution, or we reach a decision point where input is valuable.
To me it looks like, on expectation, there will be half as many parents in one layer, since the other half have lower indices than their parents (following @irenegiacomelli's algorithm notation), so these are "invalid" given the direction of the layer (again, on expectation). For example, the first 10% of the nodes (low indices) will often get valid parents, since each of these parents is randomly chosen and so has a 90% chance of having a higher index. On the other hand, the last 10% of the nodes (higher indices) will often get invalid parents, because each parent has a 90% chance of having a lower index. Hence, IMO, that's the reason we are using the inverse permutation: to get another "valid half". So it seems problematic that the implementation is not doing that, since then the Chung-based analysis can't apply. As a side note, because it appeared in Slack at some point: the "reversing of direction every other layer" goal is different though; as Ben put it in the paper (p. 31), without it the whole construction wouldn't be a tight proof of space.
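To make the expectation concrete, here is a quick Monte Carlo sketch of the argument above (not from the codebase; assumes the `rand` crate): with d parents chosen independently and uniformly, the number that respect the layer direction (here: parent index above the child's) averages d/2 over all node positions.

```rust
use rand::Rng;

fn main() {
    let (n, d, trials) = (1_000u64, 8u64, 10_000u64);
    let mut rng = rand::thread_rng();
    let mut valid = 0u64;
    for _ in 0..trials {
        let child = rng.gen_range(0..n);
        for _ in 0..d {
            // "Valid" = parent respects the layer direction.
            if rng.gen_range(0..n) > child {
                valid += 1;
            }
        }
    }
    // Prints roughly 4.0 for d = 8.
    println!("avg valid parents: {}", valid as f64 / trials as f64);
}
```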
From what I understand of permutations, there are no guarantees at all. It's even how Ben wrote the algorithm in the Filecoin / PoRep paper (p. 17): it puts a condition on the reverse permutation. But if we were using a second random permutation, there would only be a negligible probability of it yielding that exact same inverse mapping.
@nikkolasg Why? If I understand correctly you're saying that if … In any case, that discussion is just to improve my personal understanding of the model (I'm not challenging the original construction); the important part is that I agree with your assessment: the expectation of "valid" (not padding) parent nodes in our implementation is indeed half of the target.

From the implementation side, I'm trying to better understand a solution (like actually implementing the paper's algorithm) that would produce the expected number of parents.

Again from the side of implementation, ideally I'd stop adding parents once I reached the desired target of, say, 8, but that would put an upper bound while leaving the lower bound at 0, and would drop the expectancy (not as low as our current implementation, but still). Is there any middle ground acceptable from the theoretical side here?
@schomatis I think limiting the parents could also lead to a violation of the assumption that all edges are shared between layers (just with direction reversed). One thought for everyone to consider (cc: @nico): since we already intend to fully cache expansion parents, we could commit to this strategy, require precomputation, and implement some approach which requires global analysis of the graph (losing localization). This might be expensive, but if it saves us from (for example) having to double the number of expansion parents (to 16) just to guarantee an expected 8, it may be worth it. I do not have a concrete suggestion for how to do that, but we should consider whether such a solution would be acceptable in general.
If that (or something along those lines) were possible, we could extend the number of Feistel rounds to increase the chances of finding parents within the acceptable range.
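Related to that idea, one standard way to keep a Feistel-style permutation's outputs inside an arbitrary range is cycle-walking: re-apply the permutation over its power-of-two domain until the value lands in [0, n). A minimal sketch, where `feistel` is a stand-in for whatever keyed permutation the implementation actually uses (not the real code):

```rust
// Cycle-walking: because `feistel` is a permutation, repeatedly
// applying it from an in-range starting point terminates with an
// in-range output, and the restriction is itself a permutation of [0, n).
fn permute_into_range(mut x: u64, n: u64, feistel: &dyn Fn(u64) -> u64) -> u64 {
    loop {
        x = feistel(x);
        if x < n {
            return x;
        }
    }
}
```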
@schomatis So let's call the permutation P…
I'm not sure we mean the same thing by "permutation" here; for me, the bit permutation of Feistel is just "generate a random int of the given bit length". But let's continue this on Slack later; I feel I've already diverted the discussion too far from the original (important) issue you raised earlier.
I am not sure your analysis holds for all cases. For example: … I could be seeing this wrong, but do you think this case is handled by your description? I think it's still possible to pick the same parent twice by either method. (I am not saying the probability is identical: not sure without more thought.)
Good catch. My condition is indeed wrong; here is the correct one, which I believe catches your example: …
So the condition is …
This is very interesting, thank you all! Unfortunately, I am still stuck at the very beginning of this discussion.
It's an interesting question! Have you considered if this would impact cache expiry at all?
Thank you, @nico — and what a wonderfully gracious way to respond to my mistake. For clarity, I had meant to mention @nicola. To your question: the cache will remain valid for as long as the graph seed remains unchanged. Individual parts will not have different lifetimes than the graph as a whole, regardless of how they are computed. |
Quick update: I finally started to follow this part of the security proof better, and in my understanding we should use both P and its inverse P^{-1} in each layer. The difference between odd and even layers is the re-numbering of nodes (we invert them every two layers) and the direction of edges.
I am not sure what you mean by this. Assuming you are only talking about the expansion (Chung) parents and not the DRG (bucket sample) parents, then there is no re-numbering between layers. I agree that edges are simply reversed between layers, but believe this would not be the case if we were also renumbering nodes. (It's possible we are just using different terminology, in which case hopefully this discussion will clear it up.)

Also, is your comment about the need for P and inverse P in the context of the discussion above, or more general? In other words, are you specifically saying that doubling the number of expansion parents would not be equivalent? Or are you just noting that our current implementation yields too few parents? Either way, do you agree that making this change can theoretically lead to up to 16 parents? (An extra eight become possible at each layer.)

If we make this change, as it seems we must, we should strongly consider implementing #142. Otherwise this will significantly increase our circuit size. Can you comment there on whether we are on the same page, and whether you believe we can safely perform that optimization?
Yes, there is no re-numbering. I meant that node i becomes node n-i+1; bad choice of words.
That's what I thought, but I don't think this transformation affects expansion parents. I think it's only used when calculating the DRG parents (bucket sampling). We may be agreeing; I just want to make sure since if we aren't, something will have to change somewhere (implementation or ideas). |
Yes, for sure our current implementation of ZigZag has too few parents. Substituting the inverse of P with another random permutation doesn't work with the current analysis and parameters; it basically means that we use a different (new?) construction for the bipartite expander (instead of Chung's). So, if we need to do this, we have to carefully study this new construction.
Got it, thanks. |
Yes... we are doubling the number of expander parents, but only for some (half?) of the nodes. For the others we are actually reducing it. So, you are right that if we don't want to double the circuit size, we should do the bucket trick... I'll look at that. Another solution: we can try to start from Chung's construction with degree 4!
Can we do both? That would be fantastic. |
mmmh... I think this transformation is also used for the expansion parents of odd layers (the reverted ones). But let me check this!
@irenegiacomelli I looked at this and for a moment thought you were right, but @schomatis pointed out otherwise. So everything I wrote below does not correspond to p. 17. The paper describes using the same numbering within each layer. That having been said: wouldn't it be better to reverse the numbering (node i becomes node n-i+1) anyway? My quoted text below describes the implications of doing it that way. This seems far better than using a method which will cause the expansion-parent count to vary between 0 and 16, require special challenges and circuit changes as in #142, etc. Is it possible that …
I am not sure that I understand: the way I see this, the numbering of nodes does not change the number of parents that a node has. So, unfortunately, I don't see how we can save parents... Notice that 16 is an upper bound; I think in practice we can have fewer parents (there is even intersection between the expander and DRG parents).
You can ignore what I wrote. I have convinced myself that this misinterpretation doesn't actually make any sense. I concur with your unfortunate assessment, though I think we can still use #142 to reduce parents.

I think in addition to adding the inverse permutations at each layer, we also have to add the renumbering (which we currently use for DRG parents but not expander parents). I don't actually understand why this is done, since it seems to destroy the property that expander edges are the same between layers, just with directions reversed. (Do you agree, or do you think I'm confused about that, which is possible?)

However, if you are sure that we should implement what is described in the pseudocode on p. 17, then I think we need to do that also. Let us know when you are confident in the changes required, and we can create an implementation issue.
The pseudocode on p. 17 convinces me for the way expander edges are added. But I don't understand why the DRG edges/parents are added in the same way for odd and even layers; I believe that is a typo (refer to the very first line in the algorithm). I'll check and let you know.
I re-wrote the pseudocode of p. 17, applying the re-numbering only to DRG parents (and not to Chung parents), following what is explained in Ben's paper. @schomatis, @nikkolasg, @porcuquine
Chung construction written up here: https://www.overleaf.com/3456316943pfxsqxkdghsy Possible improvements on expander parents: #157 |
implementation issue being created here: filecoin-project/rust-fil-proofs#827 |
Can you ack, so that we can close this?
Standard Chung's construction: …
This always gives at most d parents.
My understanding is that if N is large, then this gives exactly d parents with high probability (the chance that two of a node's d matched copies land in the same parent's block of d slots is only on the order of d²/N, so collisions are rare).
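A minimal sketch of a parents function for the standard construction, assuming the usual description of Chung's construction (replicate each node d times and match the N·d copies of adjacent layers with a random permutation `pi`; all names illustrative, and in practice `pi` would be something like the Feistel permutation discussed above):

```rust
// Copy k of node i is matched by `pi` to some copy of its k-th
// parent; integer division recovers the owning node. Distinct copies
// can map into the same parent, hence "at most d" parents.
fn chung_parents(i: u64, d: u64, pi: &dyn Fn(u64) -> u64) -> Vec<u64> {
    (0..d).map(|k| pi(i * d + k) / d).collect()
}
```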
How do we modify the previous construction to get the "alternate" construction we need for ZigZag?
In ZigZag, the expander edges in layer j (j = 2, 3, ...) are constructed by taking the edges between layer j-1 (upper) and layer j (lower) given by the Chung construction and projecting them onto the lower layer following these rules: …
This means that the Chung.Parents(i) functionality needs to be changed! This is an attempt at the new parent functionality: …
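A hedged sketch of one possible shape for such a modified Chung.Parents(i), per the thread above: take the union of the forward and inverse matchings, then keep only parents that respect the layer direction, so a node ends up with anywhere between 0 and 2d parents. Illustrative only, not the actual proposal.

```rust
fn alternate_parents(
    i: u64,
    d: u64,
    pi: &dyn Fn(u64) -> u64,
    pi_inv: &dyn Fn(u64) -> u64,
) -> Vec<u64> {
    // Union of forward (pi) and inverse (pi_inv) matchings: up to 2d
    // candidate parents.
    let mut parents: Vec<u64> = (0..d)
        .map(|k| pi(i * d + k) / d)
        .chain((0..d).map(|k| pi_inv(i * d + k) / d))
        .collect();
    // Keep only direction-respecting parents (illustrative even-layer
    // convention: parent index below the child's).
    parents.retain(|&p| p < i);
    parents
}
```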
EDIT: my main concern is the following: given that we modify Chung.Parents(i), can we still use the expansion factor of Chung to analyze the security of the proof?