From b1c3f7de606d3992dbd28305e677f3fda9bc2be1 Mon Sep 17 00:00:00 2001 From: Han Date: Tue, 12 Dec 2023 18:09:04 +0800 Subject: [PATCH 1/2] doc: redirect to `snark-verifier` and add more context on why this is rebuilt --- README.md | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 5152dfd..bbabf38 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,9 @@ > ⚠️ This repo has NOT been audited and is NOT intended for a production environment yet. -Solidity verifier generator for [`halo2`](http://github.com/privacy-scaling-explorations/halo2) proof with KZG polynomial commitment scheme on BN254 +Solidity verifier generator for [`halo2`](http://github.com/privacy-scaling-explorations/halo2) proof with KZG polynomial commitment scheme on BN254. + +For audited solidity verifier generator and proof aggregation toolkits, please refer to [`snark-verifier`](http://github.com/privacy-scaling-explorations/snark-verifier). ## Usage 
@@ -30,16 +32,25 @@ let calldata = encode_calldata(vk_address, &proof, &instances); Note that function selector is already included. -## Limitations +## Limitations & Caveats - It only allows circuit with **exact 1 instance column** and **no rotated query to this instance column**. -- Currently even the `configure` is same, the [selector compression](https://github.com/privacy-scaling-explorations/halo2/blob/7a2165617195d8baa422ca7b2b364cef02380390/halo2_proofs/src/plonk/circuit/compress_selectors.rs#L51) might lead to different configuration when selector assignments are different. After PR https://github.com/privacy-scaling-explorations/halo2/pull/212 is merged we will have an alternative API to do key generation without selector compression. +- Currently even the `configure` is same, the [selector compression](https://github.com/privacy-scaling-explorations/halo2/blob/7a2165617195d8baa422ca7b2b364cef02380390/halo2_proofs/src/plonk/circuit/compress_selectors.rs#L51) might lead to different configuration when selector assignments are different. To avoid this, please use [`keygen_vk_custom`](https://github.com/privacy-scaling-explorations/halo2/blob/6fc6d7ca018f3899b030618cb18580249b1e7c82/halo2_proofs/src/plonk/keygen.rs#L223) with `compress_selectors: false` to do key generation without selector compression. - Now it only supports BDFG21 batch open scheme (aka SHPLONK), GWC19 is not yet implemented. ## Compatibility The [`Keccak256Transcript`](./src/transcript.rs#L19) behaves exactly same as the `EvmTranscript` in `snark-verifier`. +## Why + +The existing solidity verifier generator in `snark-verifier` has a few problems: + +- Generator only receives low-level operation like add or mul, without hardwork to analyze these operations, it currently unrolled all the assembly codes, so it's easy to grow out of contract size limit even with a normal size circuit. +- Complicated abstraction & APIs to consumers. 
+ +So this repo is rebuilt from scratch, with focus also on codesize and readability, and surprisingly the gas cost is similar (even a little bit less) compared to the one generated by `snark-verifier` + ## Acknowledgement The template is heavily inspired by Aztec's [`BaseUltraVerifier.sol`](https://github.com/AztecProtocol/barretenberg/blob/4c456a2b196282160fd69bead6a1cea85289af37/sol/src/ultra/BaseUltraVerifier.sol). From 84ea679623140d2e90dc7da55182197f9bc85ad2 Mon Sep 17 00:00:00 2001 From: Han Date: Tue, 12 Dec 2023 18:56:42 +0800 Subject: [PATCH 2/2] Apply suggestions from code review Co-authored-by: Chih Cheng Liang --- README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index bbabf38..7cae107 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ Solidity verifier generator for [`halo2`](http://github.com/privacy-scaling-explorations/halo2) proof with KZG polynomial commitment scheme on BN254. -For audited solidity verifier generator and proof aggregation toolkits, please refer to [`snark-verifier`](http://github.com/privacy-scaling-explorations/snark-verifier). +For audited solidity verifier generator and proof aggregation toolkits, please refer to [`snark-verifier`](http://github.com/axiom-crypto/snark-verifier). ## Usage 
@@ -42,14 +42,14 @@ Note that function selector is already included. The [`Keccak256Transcript`](./src/transcript.rs#L19) behaves exactly same as the `EvmTranscript` in `snark-verifier`. -## Why +## Design Rationale -The existing solidity verifier generator in `snark-verifier` has a few problems: +The current solidity verifier generator within `snark-verifier` faces a couple of issues: -- Generator only receives low-level operation like add or mul, without hardwork to analyze these operations, it currently unrolled all the assembly codes, so it's easy to grow out of contract size limit even with a normal size circuit. -- Complicated abstraction & APIs to consumers. +- The generator receives only unoptimized, low-level operations, such as add or mul. As a result, it currently unrolls all assembly codes, making it susceptible to exceeding the contract size limit, even with a moderately sized circuit. +- The existing solution involves complex abstractions and APIs for consumers. -So this repo is rebuilt from scratch, with focus also on codesize and readability, and surprisingly the gas cost is similar (even a little bit less) compared to the one generated by `snark-verifier` +This repository is a ground-up rebuild, addressing these concerns while maintaining a focus on code size and readability. Remarkably, the gas cost is comparable, if not slightly lower, than the one generated by `snark-verifier`. ## Acknowledgement
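
Review bot: In [PATCH 1/2], hunk `@@ -2,7 +2,9 @@` of README.md, the added sentence calls `snark-verifier` audited but points to no audit report and names no release or commit that the audit covered. It sits directly under the banner saying this repo has NOT been audited, so readers will act on it. Suggest linking the report and stating the audited version next to the link, and switching the new GitHub link from `http://` to `https://`.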
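
Review bot: In [PATCH 1/2], hunk `@@ -30,16 +32,25 @@`, the rewritten selector compression bullet tells users to call `keygen_vk_custom` with `compress_selectors: false` but still does not say what a user observes when the configuration differs, or whether proving key generation has to use the same setting. Suggest one sentence on the visible failure and one on which keygen calls must agree. In the new "Why" section of the same hunk, the last sentence has no closing period, and the gas claim "similar (even a little bit less)" has no measurement behind it; name the circuit and give the numbers, or link a benchmark.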
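
Review bot: In [PATCH 2/2], hunk `@@ -4,7 +4,7 @@`, the `snark-verifier` link moves from the `privacy-scaling-explorations` organisation to `axiom-crypto`, which changes which code base the word "audited" refers to, yet the subject "Apply suggestions from code review" does not mention it. Suggest saying in the commit message why the target changed. The README also refers to `snark-verifier` by bare name in the Compatibility section (`EvmTranscript`), so it would help to state there which repository is meant. The link still uses `http://`.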
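
Review bot: In [PATCH 2/2], hunk `@@ -42,14 +42,14 @@`, the reworded closing sentence "the gas cost is comparable, if not slightly lower, than the one generated by `snark-verifier`" does not parse, because "comparable" takes "to". Suggest "comparable to, if not slightly lower than, that of the verifier generated by `snark-verifier`". In the first bullet, "unrolls all assembly codes" should read "assembly code". The gas comparison is still stated without figures; a link to a benchmark or a short table would let readers check it.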