From c266da158b24d59a7bccea7215101ddd844c028b Mon Sep 17 00:00:00 2001 From: sifnoc Date: Mon, 22 Jul 2024 14:27:39 +0000 Subject: [PATCH] Updated prover README --- prover/README.md | 46 +++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 41 insertions(+), 5 deletions(-) diff --git a/prover/README.md b/prover/README.md index 9cc6edcf..fb539c7e 100644 --- a/prover/README.md +++ b/prover/README.md @@ -2,22 +2,58 @@ ## Motivation +While [Summa V2](https://github.com/summa-dev/summa-solvency/tree/v2) significantly improved the generation of inclusion proofs for all users, it faced a performance bottleneck during the interpolation of univariate polynomials. These were generated using the discrete Fourier transform (DFT), which became particularly challenging when interpolating large polynomials. To address this bottleneck, we decided to transition our backend from Plonk to HyperPlonk, an adaptation of Plonk to the boolean hypercube that uses multilinear polynomial commitments and avoids the need for an FFT during proof generation. + +## Implementation and Evaluation of HyperPlonk + +Encoding data into the polynomial that interpolates on the boolean hypercube offers significant performance advantages over interpolating a univariate polynomial. However, we cannot get a "total balance" in the same way as in Summa V2, which uses a method called ["Univariate Grand Sum Calculation"](https://github.com/summa-dev/summa-solvency/tree/v2/prover#univariate-grand-sum-calculation). Therefore, in the Summa V3 circuit, we have added "Running Sum" columns and created constraints to obtain a valid "total balance". This means that the commitment size is exactly double that of Summa V2. + +To mitigate the increase in commitment size in V3, we have implemented two variants, V3b and V3c. These variants introduce a workaround to address the total sum calculation with a "non-zero constraint" in the backend. More details can be found in the ["Summa V3 variations analysis"](https://hackmd.io/hM7panOkTg6MZcqGCA5HDA). + ## Usage To build, test and print the circuits, execute -``` +```bash cargo build cargo test --release --features dev-graph ``` +## Power of Tau Trusted Setup for HyerPlonk + +Summa V1 and V2 have utilized the SRS, known as `hyperplonk-srs-#`, which is formatted for [pse/halo2](https://github.com/privacy-scaling-explorations/halo2). This has been converted using the [han0110/halo2-kzg-srs](https://github.com/han0110/halo2-kzg-srs/) repo. +However, the SRS files for `pse/halo2`, namely `hermez-raw`, are not compatible with HyperPlonk. + +Therefore, we need to create a SRS generator for HyperPlonk. + +You can find the generator script here:
+https://github.com/summa-dev/plonkish/blob/feat-read-params/plonkish_backend/bin/hyperplonk_srs_generator.rs + +You can generate SRS for the HyperPlonk backend using the following commands: + +```bash +$ git clone --branch feat-read-params https://github.com/summa-dev/plonkish +$ cd plonkish/plonkish_backend +plonkish/plonkish_backend $ cargo run --bin generate_hyperplonk_srs hermez-hyperplonk- 17 +``` + +The generate command is structured as "generate_hyperplonk_srs" `output_file_name` `degree_number`. + +If you wish to generate a higher degree of SRS, you should increase the degree_number in the command. + +Alternatively, you can download pre-generated SRS files from [here - Prerequisites of backend](../backend/README.md#prerequisites) + ## Benchmarks -The following benchmarks are available in the `kzg` module: +The following benchmarks are available in the `proof_of_liabilities` module: + +- `grand_sum_proof`: the time to generate a commitment proof of the grand sum with a range check of every balance; +- `inclusion_proof`: the time to generate the KZG opening proof of a user inclusion; +- `grand_sum_verification`: the time to verify the commitment proof of the grand sum of user balances; +- `inclusion_verification`: the time to verify the KZG opening proof of a single user inclusion. -- `grand sum proof`: the time to generate a ZK-SNARK proof of the grand sum with a range check of every balance; - To run the benchmarks with the default full configuration of the circuit (range check enabled), use the following command: +To run the benchmarks use the following command: -```shell +```bash cargo bench ```