Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refactory #39

Merged
merged 34 commits into from
Nov 8, 2024
Merged

Refactory #39

merged 34 commits into from
Nov 8, 2024

Conversation

davxy
Copy link
Collaborator

@davxy davxy commented Nov 2, 2024
edited
Loading

  • test-vectors feature: zk rows set to zero for deterministic proof
  • share some code between te and sw cond add
  • reduced explicit trait dependencies using AffineCondAdd trait
  • default transcript type set to ArkTranscript

davxy and others added 29 commits August 10, 2024 17:26
@davxy
Remove redundant hiding state value
8da011c
@davxy
Test vectors feature
d159e59
@davxy
Merge branch 'test-vectors' into extended
35b1b66
@davxy
Remove blake2_simd
74d9d85
@davxy
Simplify
cd59d49
@davxy
Minimize diff
1080a5d
@davxy
Set custom padding point
39a4b09
@davxy
Expose padding point
7870dda
@davxy
Switch to ark-transcript
70a0289
@davxy
Use ArkTranscript by default
01d2673
@davxy
Merge pull request #4 from davxy/ark-transcript
3b9f20b 
Switch to ark-transcript
@davxy
Merge branch 'master' into extended
d3e37f9
@davxy
Merge branch 'master' into extended
86e3ce0
@drskalman @davxy
Apply @davxy suggestions from code review
5192cdd 
naming convention and clean up.

Co-authored-by: Davide Galassi <[email protected]>
@drskalman
Merge branch 'skalman--allow-ec-in-te' of https://github.com/w3f/ring…
8a8af80 
…-proof into skalman--powers-of-two-gadget
@drskalman
- feature-control time consuming benchmarking tests.
c6d42b2 
- make test compiles for std (and fails due to lack of rng).
@drskalman
- move find_random_point to test helpers.
bd362e2 
- make sure random and hashed points are not identity elements.
@drskalman
VrfAffineT → P because @davxy said so
f6ec1d8
@davxy
Merge branch 'skalman--allow-ec-in-te' into extendend-with-te
7f77102
@davxy
Fix
681041c
@davxy
Default to ArkTranscript
24e5d80
@davxy
Refactory
e9d31c4
@davxy
Expose AffineCondAdd
43cd73d
@davxy
Further cleanup
db0ef42
@davxy
Docs
ccd9bcb
@davxy
Remove unused gadget
cc68185
@davxy
Allow user to specify the padding point
6e45942
@davxy
Merge pull request #6 from davxy/extendend-with-te
5e9ba2d 
Cond Add extendend with TE
@davxy
Restore powers of two multiples gadget
7e416c8
@davxy davxy requested a review from drskalman November 2, 2024 18:34
drskalman
drskalman requested changes Nov 5, 2024
View reviewed changes
common/src/gadgets/cond_add.rs Outdated Show resolved Hide resolved
common/src/gadgets/sw_cond_add.rs Show resolved Hide resolved
common/src/gadgets/te_cond_add.rs Show resolved Hide resolved
common/src/gadgets/cond_add.rs Show resolved Hide resolved
ring/src/piop/params.rs Show resolved Hide resolved
ring/src/lib.rs Show resolved Hide resolved
common/src/gadgets/te_cond_add.rs
{
type CondAddValT = TeCondAddValues<F, Curve>;
type Values = TECondAddValues<C>;

// Populates the acc column starting from the supplied seed (as 0 doesn't work with the addition formula).
// As the TE addition formula used is not complete, the seed must be selected in a way that would prevent
// exceptional cases (doublings or adding the opposite point).
// The last point of the input column is ignored, as adding it would made the acc column overflow due the initial point.
fn init(
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here you could check if the seed is inside the group.

Copy link
Collaborator Author

@davxy davxy Nov 7, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In general, SW "works" even when the seed is within the prime order subgroup, provided that the cond add do not (maliciously or not) stumble to the identity.

Does TE strictly require the seed to be within the prime order subgroup, or could it also operate with a seed outside the prime order subgroup (with some failure cases that are more or less probable)?
Specifically, if for TE a point outside the prime order group is chosen as a seed, what would be the resulting behavior? I haven't yet analyzed the constraint formula for the TE construction...

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, there is a slightly higher risk. Given you have enforced PoP, I think the probablity of failure if you choose S outside the group is like 8-9 times higher than if you choose it inside, for the TE case. For

$$P = (x1, y1)$$,

$$P+Q$$ fails, if $Q$ 's is inside one of these sets.
failing-set

You could argue that 8 times of negligible is still negligble. I'd have put a check to prevent choosing out of the prime subgroup here, as it doesn't have performance hit, but I agree it is somehow a subjective, so your choice.

common/src/gadgets/sw_cond_add.rs
{
type CondAddValT = SwCondAddValues<F>;
type Values = SWCondAddValues<C>;

// Populates the acc column starting from the supplied seed (as 0 doesn't have an affine SW representation).
// As the SW addition formula used is not complete, the seed must be selected in a way that would prevent
// exceptional cases (doublings or adding the opposite point).
// The last point of the input column is ignored, as adding it would made the acc column overflow due the initial point.
fn init(
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here you could check if the seed is outside of the group.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't this be more of a suggestion? From my understanding, it is recommended to select a seed point outside the prime order subgroup. However, the implementation still functions even if the seed is within the group (in this case we need PoP). In the codebase there are generic tests that simply use a random point from the prime order group as a seed for SW, which avoids the need for separate code for seed generation (TE vs SW)

I would prefer to add a comment that suggests choosing a seed outside the group, possibly generated via find_complement_point.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This true. Sure. You could add a comment saying you need to check PoP unless if S is outside of the group.

@davxy davxy mentioned this pull request Nov 6, 2024
Open
@davxy
Copy link
Collaborator Author

davxy commented Nov 7, 2024

@drskalman I applied some of your suggestions. I have questions for the assertions you suggested to introduce

@davxy davxy requested a review from drskalman November 7, 2024 09:53
drskalman
drskalman approved these changes Nov 7, 2024
View reviewed changes
Copy link
Collaborator

@drskalman drskalman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I left a nonbinding comment :-)

common/src/gadgets/sw_cond_add.rs
{
type CondAddValT = SwCondAddValues<F>;
type Values = SWCondAddValues<C>;

// Populates the acc column starting from the supplied seed (as 0 doesn't have an affine SW representation).
// As the SW addition formula used is not complete, the seed must be selected in a way that would prevent
// exceptional cases (doublings or adding the opposite point).
// The last point of the input column is ignored, as adding it would made the acc column overflow due the initial point.
fn init(
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This true. Sure. You could add a comment saying you need to check PoP unless if S is outside of the group.

common/src/gadgets/te_cond_add.rs
{
type CondAddValT = TeCondAddValues<F, Curve>;
type Values = TECondAddValues<C>;

// Populates the acc column starting from the supplied seed (as 0 doesn't work with the addition formula).
// As the TE addition formula used is not complete, the seed must be selected in a way that would prevent
// exceptional cases (doublings or adding the opposite point).
// The last point of the input column is ignored, as adding it would made the acc column overflow due the initial point.
fn init(
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, there is a slightly higher risk. Given you have enforced PoP, I think the probablity of failure if you choose S outside the group is like 8-9 times higher than if you choose it inside, for the TE case. For

$$P = (x1, y1)$$,

$$P+Q$$ fails, if $Q$ 's is inside one of these sets.
failing-set

You could argue that 8 times of negligible is still negligble. I'd have put a check to prevent choosing out of the prime subgroup here, as it doesn't have performance hit, but I agree it is somehow a subjective, so your choice.

@davxy davxy merged commit 2d6e73a into w3f:skalman--powers-of-two-gadget Nov 8, 2024
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@drskalman drskalman drskalman approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@davxy @drskalman