feat: quicksilver

[sinui0]

This PR provides a zkVM implementation using Quicksilver. Builds on work from @xiangxiecrypto and supercedes #172 and #182.

[th4s]

Very nice 👍, looking pretty clean. Not much to add.

[xiangxiecrypto]

I think you meant VOPE in this file?
This implementation simplies figure 4 for a polynomial with degree 1.

[sinui0]

Isn't degree 1 VOPE equivalent to VOLE?

[xiangxiecrypto]

It is different. For boolean circuits, VOLE is Random COT. VOLE is a generalized version to extend boolean to arithmetic circuits.
VOPE focuses on polynomial relations. B = A_0 + A_1*Delta +..., but all the B and A_i are in F_2^{128}.

[sinui0]

My understanding is that VOLE is exactly equivalent to VOPE for degree 1, ie a linear function. All the terms in a VOLE are of the same field $\mathbb{F}_{2^{128}}$. The "boolean" variant is often referred to as subfield VOLE (or COT) where A_1 is in $\mathbb{F}_2$.

If I'm not mistaken, the algorithm used here is the typical way to construct a VOLE from sVOLEs. The QS paper generalizes it for proving higher degrees but we won't be needing that

[xiangxiecrypto]

I do not have too much context of the vm design here. But I checked the impl. of the protocol itself, and it looks pretty good to me.

Just one more thing. In the current implementation, check always occurs at the end of executing the circuit?

[sinui0]

Just one more thing. In the current implementation, check always occurs at the end of executing the circuit?

Yes, the consistency check is always performed after executing the entire callstack. It batches the checks of all circuits together

[xiangxiecrypto]

Just one more thing. In the current implementation, check always occurs at the end of executing the circuit?

Yes, the consistency check is always performed after executing the entire callstack. It batches the checks of all circuits together

So that means if the circuit is huge, we have to handle very long vectors of F_2^{128} for the check, which may cause memory issues?

[sinui0]

So that means if the circuit is huge, we have to handle very long vectors of F_2^{128} for the check, which may cause memory issues?

This is true, and something which we may need to address by introducing a buffer limit which triggers a check. There is a round complexity vs memory trade off there. Shouldn't be an issue and implementing said limit is fairly simple

[xiangxiecrypto]

So that means if the circuit is huge, we have to handle very long vectors of F_2^{128} for the check, which may cause memory issues?

This is true, and something which we may need to address by introducing a buffer limit which triggers a check. There is a round complexity vs memory trade off there. Shouldn't be an issue and implementing said limit is fairly simple

Ok, the original version uses a buffer to handle this. I think it wont increase round complexity, since there is only one round. But anyway it is not a big issue.

[sinui0]

Ok, the original version uses a buffer to handle this. I think it wont increase round complexity, since there is only one round. But anyway it is not a big issue.

Good point, I forgot that it is only 1 message from P to V. I was focused on batching multiple circuits together and lost that detail.