Add decider circuit RelaxedR1CS #21
LGTM. Only have a question on the decider use case.
14d49dc to 029829a
Update: @han0110 made a great point here: #21 (comment) 🙌
029829a to 5aab2be
LGTM!
Left some nits to be addressed optionally.
5aab2be to 30bb79b
- Add naive decider circuit `RelaxedR1CSGadget`, which in-circuit checks that the given z satisfies the given RelaxedR1CS instance
- Add method to relax the R1CS instance
- Add check_relation (for testing only) to R1CS & RelaxedR1CS
- Migrate from own SparseMatrix to use ark_relations::r1cs::Matrix
- Add frontend helper to use arkworks circuits
30bb79b to fafbe82
May I ask how we're gonna use Sha256Gadget?

The Sha256Gadget was used only for the test, to have some numbers about the constraints of a 'real circuit' passed through the relaxed-r1cs verifier circuit. No plans (at least for now) to use it in the library itself (other than in the mentioned test).
This PR implements the approach that @nalinbhardwaj proposed (#19), in order to avoid needing to modify an existing SNARK prover to work with Relaxed R1CS. The main idea is to have an R1CS circuit that checks the Relaxed R1CS relation (`Az∘Bz - uCz - E = 0`), and this circuit is the one which is then proved with the SNARK prover.

As an example, for an original circuit of 1k constraints, it takes ~3k constraints for the RelaxedR1CS checker circuit.

The following table provides some approximate results to have a bit of intuition on the numbers:

(`CustomTestCircuit` logic is just a loop of multiplications in order to generate the number of constraints desired, its logic can be found here)

Note that the `CustomTestCircuit` is very sparse, that's why although original circuits with similar number of constraints for sha256 & CustomTestCircuit, they will have a bit different number of constraints for the RelaxedR1CS checker circuit.

For the circuit implementation I'm using sparse matrices shape, which I'm not 100% sure that is the proper way to handle the circuit matrices in terms of constraints. If needed I could update it implementing it with dense matrices.
Commit msg:
Add decider circuit RelaxedR1CS
`RelaxedR1CSGadget`, which in-circuit checks that the given z satisfies the given RelaxedR1CS instance

resolves #19
Edit1: I've requested also review from @nalinbhardwaj (through chat as I can not put him as reviewer through the GitHub interface), since this approach was originally proposed by him.
Edit2: updated the table with the most-right column.
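
The relation the decider circuit enforces (`Az∘Bz - uCz - E = 0`), the relax step and a `check_relation`-style test helper, written out natively (not in-circuit) as an added example that is not the PR's code. It assumes a toy field modulo 2^31 - 1 in place of the real scalar field; the type names, the cube circuit and its witness are constructed for illustration.

```rust
// Added illustration, not code from the PR: relaxed R1CS check over a toy prime field.
const P: u64 = 2_147_483_647; // 2^31 - 1, small enough that products fit in u64

/// Sparse matrix: one Vec per row, holding (coefficient, column) pairs.
type Matrix = Vec<Vec<(u64, usize)>>;

struct R1CS { a: Matrix, b: Matrix, c: Matrix }
struct RelaxedR1CS { a: Matrix, b: Matrix, c: Matrix, u: u64, e: Vec<u64> }

/// Sparse matrix-vector product modulo P; only non-zero entries are visited.
fn mat_vec(m: &Matrix, z: &[u64]) -> Vec<u64> {
    m.iter()
        .map(|row| row.iter().fold(0, |acc, &(coeff, col)| (acc + coeff * z[col]) % P))
        .collect()
}

impl R1CS {
    /// Relaxing a plain instance sets u = 1 and E = 0, so the same z still satisfies it.
    fn relax(self) -> RelaxedR1CS {
        let e = vec![0; self.a.len()];
        RelaxedR1CS { a: self.a, b: self.b, c: self.c, u: 1, e }
    }
}

impl RelaxedR1CS {
    /// Returns true when Az∘Bz - u·Cz - E = 0 holds in every row.
    fn check_relation(&self, z: &[u64]) -> bool {
        let (az, bz, cz) = (mat_vec(&self.a, z), mat_vec(&self.b, z), mat_vec(&self.c, z));
        (0..az.len()).all(|i| (az[i] * bz[i]) % P == (self.u * cz[i] + self.e[i]) % P)
    }
}

/// Toy circuit x*x = y, y*x = out with z = [1, out, x, y] (constructed sample).
fn cube_circuit() -> R1CS {
    R1CS {
        a: vec![vec![(1, 2)], vec![(1, 3)]],
        b: vec![vec![(1, 2)], vec![(1, 2)]],
        c: vec![vec![(1, 3)], vec![(1, 1)]],
    }
}

fn main() {
    let mut inst = cube_circuit().relax();
    let z: [u64; 4] = [1, 27, 3, 9]; // x = 3
    println!("relaxed (u=1, E=0): {}", inst.check_relation(&z));
    inst.u = 5; // with E = 0, z must be scaled by u to stay satisfying
    let zu: Vec<u64> = z.iter().map(|v| v * 5 % P).collect();
    println!("u=5, z scaled by 5: {}", inst.check_relation(&zu));
    println!("u=5, unscaled z:    {}", inst.check_relation(&z));
}
```

With `u = 5` and the unscaled `z`, the relation holds again once `E` absorbs the difference in each row, which is the role the error vector plays in the relaxed form.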