Conversation
| println!( | ||
| "Chunking deg {} polynomial into {} chunks", | ||
| q_deg, | ||
| q_chunks.len() | ||
| ); |
There was a problem hiding this comment.
| println!( | |
| "Chunking deg {} polynomial into {} chunks", | |
| q_deg, | |
| q_chunks.len() | |
| ); |
| use ark_poly::Evaluations; | ||
| use ark_poly::Polynomial; | ||
| use ark_serialize::{CanonicalDeserialize, CanonicalSerialize}; | ||
| use ark_std::vec::Vec; |
There was a problem hiding this comment.
| use ark_std::vec::Vec; | |
| use ark_std::{vec, vec::Vec}; |
| @@ -0,0 +1,39 @@ | |||
| use ark_ff::{Field, PrimeField}; | |||
| use ark_poly::univariate::DensePolynomial; | |||
| use ark_poly::DenseUVPolynomial; | |||
There was a problem hiding this comment.
| use ark_poly::DenseUVPolynomial; | |
| use ark_poly::DenseUVPolynomial; | |
| use ark_std::vec::Vec; |
| let mut bfs = Vec::with_capacity(witness.len() * n_polys); | ||
| // per tree level | ||
| let n_columns = P::VerifierCircuit::N_COLUMNS; | ||
| let n_to_commit = n_columns + 4; // plus the quotient chunks |
There was a problem hiding this comment.
IIUC 4 is the number of chunks the commitment quotient is split into for Pasta.
Nit: what about defining a global constant instead of a magic number?
something like: pub const MAX_QUOTIENT_CHUNKS = 4 in the pasta-tree/src/lib.rs?
For what concerns KZG commitment, we stick to 1 chunk, correct?
I.e. we're using the ProverPiop::quotient() default implementation. If so, AFAICT the proof remains backward compat?
There was a problem hiding this comment.
Thanks for the review, Davide! You're right, currently it's 4, i even assert it elsewhere, but... The highest constraint degree we've is ec_add (no matter sw/te) that is 4n + 3. We also have ZK_ROWS = 3 that makes effective vanishing polynomial degree n - 3. That makes the quotient degree deg(q) = (4n + 3) - (n - 3) = 3n. So the quotient has 3n + 1 coefficients that don't fit into 3 n-sized chunks.
Given that IP commitment is hiding, we can reduce to ZK_ROWS = 2. But chunking requires masking every chunk (see https://eprint.iacr.org/2024/848), that again raises the degree (by 1 i guess). But may be it can be dealt with in monomial form. So it's all a bit undecided right now.
Re KZG, here #84 i've benchmarks that chunking also improves a bit prover time (and, what may be more important, the CRS size) at the price of 2 (or 3) more points in the proof, so we can consider introducing it separately.
| // let (log_n, h) = (9, 2); | ||
| // println!("n = {}, height = {h}, TALL", 1 << log_n); | ||
| // _test_proof::< | ||
| // ark_pallas::Projective, | ||
| // ark_vesta::Projective, | ||
| // CircuitParamsTall<ark_vesta::Affine>, | ||
| // CircuitParamsTall<ark_pallas::Affine>, | ||
| // >(log_n, h); | ||
| // println!(); | ||
|
|
||
| // let (log_n, h) = (10, 2); | ||
| // println!("n = {}, height = {h}, TALL", 1 << log_n); | ||
| // _test_proof::< | ||
| // ark_pallas::Projective, | ||
| // ark_vesta::Projective, | ||
| // CircuitParamsTall<ark_vesta::Affine>, | ||
| // CircuitParamsTall<ark_pallas::Affine>, | ||
| // >(log_n, h); | ||
| // println!(); | ||
|
|
There was a problem hiding this comment.
| // let (log_n, h) = (9, 2); | |
| // println!("n = {}, height = {h}, TALL", 1 << log_n); | |
| // _test_proof::< | |
| // ark_pallas::Projective, | |
| // ark_vesta::Projective, | |
| // CircuitParamsTall<ark_vesta::Affine>, | |
| // CircuitParamsTall<ark_pallas::Affine>, | |
| // >(log_n, h); | |
| // println!(); | |
| // let (log_n, h) = (10, 2); | |
| // println!("n = {}, height = {h}, TALL", 1 << log_n); | |
| // _test_proof::< | |
| // ark_pallas::Projective, | |
| // ark_vesta::Projective, | |
| // CircuitParamsTall<ark_vesta::Affine>, | |
| // CircuitParamsTall<ark_pallas::Affine>, | |
| // >(log_n, h); | |
| // println!(); |
2 participants
No description provided.