In privacy-scaling-explorations/halo2 fork we have implemented many experimental features to cover different use cases, especially for those with huge circuits. We collect them in this page for easier tracking and referencing.
To support different kinds of polynomial commitment schemes, we've added a trait CommitmentScheme to allow create/verify proofs with different commitment scheme implementations, currently there are 2 available implementations in this fork:
-
The original implementation from
zcash/halo2with the original multi-open strategy{Prover,Verifier}IPA -
KZG commitment scheme as in GWC19, which doesn't commit the instance columns, with 2 multi-open strategies available:
When using create_proof and verify_proof, we need to specify the commitment scheme and multi-open strategy like:
// Using IPA
create_proof<IPACommitmentScheme<_>, ProverIPA<_>, _, _, _, _>
verify_proof<IPACommitmentScheme<_>, ProverIPA<_>, _, _, _>
// Using KZG with GWC19 mutli-open strategy
create_proof<KZGCommitmentScheme<_>, ProverGWC<_>, _, _, _, _>
verify_proof<KZGCommitmentScheme<_>, ProverGWC<_>, _, _, _>
// Using KZG with BDFG20 mutli-open strategy
create_proof<KZGCommitmentScheme<_>, ProverSHPLONK<_>, _, _, _, _>
verify_proof<KZGCommitmentScheme<_>, ProverSHPLONK<_>, _, _, _>ConstraintSystem::lookup_any is added for use cases that need to lookup dynamic table instead of fixed table.
Unlike ConstraintSystem::lookup which only allows TableColumn(s) as table, it allows any Expression(s) without simple selector.
ConstraintSystem::shuffle is added for use cases that only need shuffle without pre-defined mapping.
It allows us to prove any Expression(s) without simple selector is shuffled from the other. For example halo2_proofs/examples/shuffle_api.rs shows how to prove two lists of 2-tuples are shuffled of each other.
ConstraintSystem::advice_column_in and ConstraintSystem::challenge_usable_after are added for use cases that build PIOP sub-routine themselves, currently it supports up-to 3 phases as {First,Second,Third}Phase.
It allows us to allocate advice column in different interactive phases with extra challenges squeezed in-between. For example in halo2_proofs/examples/shuffle.rs it shows how to build a customized shuffle argument with such API.
ConstraintSystem::unblinded_advice_column is added for use cases that want to re-use advice column commitment among different proofs. For example in halo2_proofs/examples/vector-ops-unblinded.rs it shows with this API and same assignment, two advice commitment frmo different proof can be same.
Worth mentioning, re-using advice column commitment in different proofs will need more blinding factors than the amount that prover adds, otherwise some information will be leaked and it's no longer perfect zero-knowledge.
Expression extension
-
A variant added for multi-phase. It can be obtained by
ConstraintSystem::challenge_usable_afterand used as a pseudo-random constant. -
It prints
Expressionin a less verbose and human-readable way.
Circuit extension
-
To use this, feature
circuit-paramsneeds to be turned on.A associated type added for configuring circuit with runtime parameter.
It allows us to implement
Circuit::paramsto return the parameter of a circuit, and implementCircuit::configure_with_paramsto configure circuit with runtime parameter retrieved earlier.
ProvingKey & VerifyingKey de/serialization and SerdeFormat
ProvingKey::{read,write} and VerifyingKey::{read,write} is added to serialize proving key and verifying key.
For field elements and elliptic curve points inside pk and vk, currently we have 3 different de/serialization format:
-
It de/serializes them as
PrimeField::ReprandGroupEncoding::Reprrespectively, and checks all elements are valid. -
It de/serializes them as
SerdeObject::{from_raw_bytes,to_raw_bytes}respectively, and checks all elements are valid. -
SerdeFormat::RawBytesUncheckedIt de/serializes them as
SerdeObject::{from_raw_bytes,to_raw_bytes}respectively, without checking if elements are valid.
Also ParamsKZG::{read_custom,write_custom} follows the same rule, and by default ParamsKZG::{read,write} uses SerdeFormat::RawBytes for efficiency.
Thread safe Region
To use this, feature thread-safe-region needs to be turned on.
It constrains the RegionLayouter to be Send so we can have a Region in different threads. It's useful when we want to arrange witness computation and assignment in the same place, but still keep the function Send so the caller can parallelize multiple of them.
For example halo2_proofs/examples/vector-mul.rs shows how to parallelize region computation and assignment.
Currently keygen_vk changes configured ConstraintSystem to compresses simple selectors into smaller set of fixed columns to reduce cost.
For some use cases that want to keep configured ConstraintSystem unchanged they can do the verifying key generation by calling keygen_vk_custom with second argument as false instead, which disables the selector compression.
MockProver improvement
-
Same checks as
MockProver::verify, but parallelized. -
Same checks as
MockProver::verify, but only on specified rows. -
MockProver::verify_at_rows_parSame checks as
MockProver::verify_at_rows, but parallelized. -
MockProver::assert_satisfied_parSame assertions as
MockProver::assert_satisfied, but parallelized. -
MockProver::assert_satisfied_at_rows_parSame assertions as
MockProver::assert_satisfied_par, but only on specified rows.
They are introduced to improve quotient computation speed and memory usage for circuit with complicated Expression.