feat: commitment equivalence gadget #18

Merged
merged 3 commits into from
Jul 29, 2024
@mrain mrain commented Jul 25, 2024

Closes: #8

Known problem:

  • Very inefficient, deserializing the SRS takes almost forever.
  • cc @ggutoski: is it possible to verify a namespace proof without constructing a VidScheme? Current APIs don't feel ergonomic to me.
  • Merkle tree proof verification is not ergonomic, either.

This PR:

  • takes a namespace payload and computes a hash for rollup
  • checks the namespace proof of this payload against vid commitment

This PR does not:

Key places to review:

@mrain mrain marked this pull request as ready for review July 25, 2024 13:53
@ggutoski

> cc @ggutoski: is it possible to verify a namespace proof without constructing a VidScheme? Current APIs don't feel ergonomic to me.

I agree the need for a VidScheme is not ergonomic. I tried to eliminate it when I originally wrote the code. But verification uses many things from a VidScheme. So if we remove the VidScheme then we would need to add most VidScheme fields to the arglist for payload_verify, which is even worse.

https://github.com/EspressoSystems/jellyfish/blob/89b9345dc018d9bdb3d385aefd2036d5e42e9f17/vid/src/advz/payload_prover.rs#L238-L242

payload_verify needs the following things from VidScheme:

  • recovery_threshold, multiplicity: just integers, no big deal.
  • ck: KzgProverParam, the SRS (ugh), to re-compute a KZG commitment.
  • eval_domain: Radix2EvaluationDomain, for FFT (ugh). This is temporary; needed only because we don't yet have KZG in eval form.


mrain commented Jul 26, 2024

Now I highly doubt that we can make any further meaningful improvement on the efficiency.

As tested here: https://github.com/mrain/sp1-project-template/blob/main/program/src/main.rs
Ark implemented msm (with 1 point/scalar) compiles to over 6m instructions in sp1 env. Even one single scalar multiplication costs over 4m instructions.

cc @ggutoski @alxiong @philippecamacho @akonring


alxiong commented Jul 27, 2024

> we can make any further meaningful improvement on the efficiency.

We should open an issue upstream to request Succinct to include an MSM precompile. I guess that's the only reasonable way out?

@mrain mrain merged commit 4cb2bef into develop Jul 29, 2024
@mrain mrain deleted the cl/comm-equiv branch July 29, 2024 17:48

mrain commented Jul 29, 2024

> > we can make any further meaningful improvement on the efficiency.
>
> We should open an issue upstream to request Succinct to include an MSM precompile. I guess that's the only reasonable way out?

There're precompiles: https://docs.succinct.xyz/writing-programs/precompiles.html and #21
I'll look into it later.
