Add decider circuit RelaxedR1CS #21
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
han0110
approved these changes
Sep 6, 2023
arnaucube
force-pushed
the
feature/decider-circuit-rel-r1cs
branch
from
14d49dc
to
029829a
Compare
|
Update: @han0110 made a great point here: #21 (comment) 🙌 |
arnaucube
force-pushed
the
feature/decider-circuit-rel-r1cs
branch
from
029829a
to
5aab2be
Compare
CPerezz
approved these changes
Sep 7, 2023
arnaucube
force-pushed
the
feature/decider-circuit-rel-r1cs
branch
from
5aab2be
to
30bb79b
Compare
- Add naive decider circuit `RelaxedR1CSGadget`, which in-circuit checks that the given z satisfies the given RelaxedR1CS instance - Add method to relax the R1CS instance - Add check_relation (for testing only) to R1CS & RelaxedR1CS - Migrate from own SparseMatrix to use ark_relations::r1cs::Matrix - Add frontend helper to use arkworks circuits
arnaucube
force-pushed
the
feature/decider-circuit-rel-r1cs
branch
from
30bb79b
to
fafbe82
Compare
|
May I ask how we're gonna use Sha256Gadget? |
The Sha256Gadget only was used only for the test to have some numbers about the constraints of a 'real circuit' passed through the relaxed-r1cs verifier circuit. No plans (at least for now) to use it in the library itself (other than in the mentioned test). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR implements the approach that @nalinbhardwaj proposed (#19), in order to avoid needing to modify an existing SNARK prover to work with Relaxed R1CS. The main idea is to have a R1CS circuit that checks the Relaxed R1CS relation (
Az∘Bz - uCz-E=0), and is this circuit the one which is then proved with the SNARK prover.As an example, for an
original circuitof1k constraints, it takes~3k constraintsfor theRelaxedR1CS checker circuit.The following table provides some approximate results to have a bit of intuition on the numbers:
(
CustomTestCircuitlogic is just a loop of multiplications in order to generate the number of constraints desired, it's logic can be found here)Note that the
CustomTestCircuitis very sparse, that's why although original circuits with similar number of constraints for sha256 & CustomTestCircuit, they will have a bit different number of constraints for the RelaxedR1CS checker circuit.For the circuit implementation I'm using sparse matrices shape, which I'm not 100% sure that is the proper way to handle the circuit matrices in terms of constraints. If needed I could update it implementing it with dense matrices.
Commit msg:
Add decider circuit RelaxedR1CS
RelaxedR1CSGadget, which in-circuit checks that the given z satisfies the given RelaxedR1CS instanceresolves #19
Edit1: I've requested also review from @nalinbhardwaj (through chat as I can not put him as reviewer through the GitHub interface), since this approach was originally proposed by him.
Edit2: updated the table with the most-right column.