-
Notifications
You must be signed in to change notification settings - Fork 132
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Optional zero-knowledge by const generic #76
Optional zero-knowledge by const generic #76
Conversation
a69d136
to
949b54f
Compare
Would be also nice to simulate an upstream rebase to see how git faces this changes. Just to prevent insane workloads when rebasing in the future. |
f89003e
to
81491bb
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great atm!
Not a big fan of doing a const-associated ZK property as mentioned in the previous issues as it makes the code much harder when a feature would had been much simpler. Or maybe even a trait.
Anyway, it seems it has been decided to go towards this solution which looks fine.
Just left a couple of comments and will approve once the sha256.rs
benches and the cost-model.rs
errors and warnings are fixed :)
8cbf9b6
to
e112ee4
Compare
@han0110 Great great work. Helped me to walk through many polynomial equations. Some points:
|
ec94ed5
to
967bbe6
Compare
967bbe6
to
55839ce
Compare
55839ce
to
44ee401
Compare
44ee401
to
57225ee
Compare
70c11c1
to
ac9839e
Compare
57225ee
to
51c1184
Compare
This PR aims to extend
halo2
to allow developers to enable/disable zero-knowledge with const genericconst ZK: bool
.Protocol adjustment for non-ZK
Notations are following the ones used in halo2 book.
Blinding factors
The final
max(3, max(num_advice_queries)) + 2
rows of every advice column, including permuted columns in lookup argument, and grand-product columns in lookup and permutation argument, are loaded with random blinding factors, which aims for zero knowledge.When we turn off zero-knowledge, we don't need to reserve these final rows, then all rows are usable.
Lookup argument
Currently the constraints of lookup argument are:
When we turn off zero-knowledge, the constraints could be simplified to the orange parts only:
Permutation argument
Currently the constraints of permutation argument are:
When we turn off zero-knowledge, the constraints could be simplified to the orange parts only:
Where the red part is adjustment to make all rows copyable.
Vanishing argument
Currently we add a random polynomial in the vanishing argument to reveal nothing about$h(X)$ . When we turn off zero-knowledge, it's on longer needed.