Redirect to snark-verifier and add more context on why this is rebuilt

README.md

@@ -2,7 +2,9 @@
 
 > ⚠️ This repo has NOT been audited and is NOT intended for a production environment yet.
 
-Solidity verifier generator for [`halo2`](http://github.com/privacy-scaling-explorations/halo2) proof with KZG polynomial commitment scheme on BN254
+Solidity verifier generator for [`halo2`](http://github.com/privacy-scaling-explorations/halo2) proof with KZG polynomial commitment scheme on BN254.
+
+For audited solidity verifier generator and proof aggregation toolkits, please refer to [`snark-verifier`](http://github.com/privacy-scaling-explorations/snark-verifier).
 
 ## Usage
 
@@ -30,16 +32,25 @@ let calldata = encode_calldata(vk_address, &proof, &instances);
 
 Note that function selector is already included.
 
-## Limitations
+## Limitations & Caveats
 
 - It only allows circuit with **exact 1 instance column** and **no rotated query to this instance column**.
-- Currently even the `configure` is same, the [selector compression](https://github.com/privacy-scaling-explorations/halo2/blob/7a2165617195d8baa422ca7b2b364cef02380390/halo2_proofs/src/plonk/circuit/compress_selectors.rs#L51) might lead to different configuration when selector assignments are different. After PR https://github.com/privacy-scaling-explorations/halo2/pull/212 is merged we will have an alternative API to do key generation without selector compression.
+- Currently even the `configure` is same, the [selector compression](https://github.com/privacy-scaling-explorations/halo2/blob/7a2165617195d8baa422ca7b2b364cef02380390/halo2_proofs/src/plonk/circuit/compress_selectors.rs#L51) might lead to different configuration when selector assignments are different. To avoid this, please use [`keygen_vk_custom`](https://github.com/privacy-scaling-explorations/halo2/blob/6fc6d7ca018f3899b030618cb18580249b1e7c82/halo2_proofs/src/plonk/keygen.rs#L223) with `compress_selectors: false` to do key generation without selector compression.
 - Now it only supports BDFG21 batch open scheme (aka SHPLONK), GWC19 is not yet implemented.
 
 ## Compatibility
 
 The [`Keccak256Transcript`](./src/transcript.rs#L19) behaves exactly same as the `EvmTranscript` in `snark-verifier`.
 
+## Why
+
+The existing solidity verifier generator in `snark-verifier` has a few problems:
+
+- Generator only receives low-level operation like add or mul, without hardwork to analyze these operations, it currently unrolled all the assembly codes, so it's easy to grow out of contract size limit even with a normal size circuit.
+- Complicated abstraction & APIs to consumers.
+
+So this repo is rebuilt from scratch, with focus also on codesize and readability, and surprisingly the gas cost is similar (even a little bit less) compared to the one generated by `snark-verifier`
+
 ## Acknowledgement
 
 The template is heavily inspired by Aztec's [`BaseUltraVerifier.sol`](https://github.com/AztecProtocol/barretenberg/blob/4c456a2b196282160fd69bead6a1cea85289af37/sol/src/ultra/BaseUltraVerifier.sol).