WEB3-92: Bootstrap control root with segment sizes up to po2 21 #205
Merged
capossele approved these changes on Aug 27, 2024
Wollac approved these changes on Aug 27, 2024
nategraf added a commit to risc0/risc0 that referenced this pull request on Aug 28, 2024
…rs (#2276)

As part of our continual security analysis work, we've created a calculator for the "bits of security" given all the system parameters relevant to the soundness of the proof of knowledge property guaranteed to the verifier. With this, we find that the lookup argument may not achieve our targeted 97 bits of soundness under worst-case assumptions grounded in the Schwartz-Zippel lemma. Under these assumptions, up to 3 bits of security are given up by including segment sizes up to power of two 24, relative to po2 21.

This PR implements the cautious approach of removing po2s above 21 from the default verifier parameters. Developers that wish to use po2 22, 23, or 24 may opt in by using a non-default `VerifierContext`.

Additionally, this PR fixes a pair of off-by-one errors that had removed the rv32im control IDs for po2 24. Technically, this constitutes a breaking change in the `risc0-circuit-rv32im` crate since the public type `ControlIds` is not a fixed array of length n+1. https://github.com/risc0/risc0/pull/2276/files#diff-ce2293a7cee10116f619bedf007ecfedd524505b764cfe5383785b7bd17dd7c4

Note: It is expected that the `risc0-ethereum` CI job will fail right now, because the control root is changed. It will pass again once we've merged this and risc0/risc0-ethereum#205 to their respective `main`.

---------

Co-authored-by: Frank Laub <flaub@risc0.com>
nategraf added a commit that referenced this pull request on Aug 29, 2024
Related to risc0/risc0#2276, this PR uses the new control root created by excluding po2 22, 23, and 24 as the default for the Groth16 verifier contract.
SchmErik pushed a commit to risc0/risc0 that referenced this pull request on Aug 29, 2024
…rs (#2276)
SchmErik added a commit to risc0/risc0 that referenced this pull request on Aug 29, 2024
…er parameters (#2276) (#2281)

Co-authored-by: Victor Graf <victor@risczero.com>
Co-authored-by: Frank Laub <flaub@risc0.com>
nategraf added a commit that referenced this pull request on Sep 5, 2024
Cherry picks #205, which contains the updated control root for 1.1, which is updated in `1.1.0-rc.3`