Pickles: add more documentation regarding verifiers #18362
Conversation
| actually verifies (0, 1, or 2) | ||
| - {b Max Proofs Verified:} The maximum across all branches in a proof system | ||
|
|
||
| Current Pickles supports max_proofs_verified up to 2 (N0, N1, N2). |
There was a problem hiding this comment.
This is what we want to generalize. We have enough "place" in our circuits to add more verification.
src/lib/crypto/pickles/pickles.mli
Outdated
| In code: [challenge_polynomial] in {!module:Wrap_verifier}, | ||
| see also {!module:Step_verifier.finalize_other_proof} | ||
|
|
||
| {4 Challenge Polynomial Commitment (sg)} |
There was a problem hiding this comment.
This is an important part to understand the accumulation scheme. This comes from the paper "Proofs carrying data" in 2020.
| The verifiers ({!module:Step_verifier}, {!module:Wrap_verifier}) use specific | ||
| notation for polynomial commitments and related values: | ||
|
|
||
| {4 Prover Commitments} |
There was a problem hiding this comment.
Note: if we want to digest different kinds of proofs, different than from the Kimchi ones, this is one part to change. The "Prover Commitments" are the prover messages of the protocol, and protocols depend in particular on prover messages.
| time rather than runtime. This eliminates entire classes of bugs and makes | ||
| the code more robust, though it results in complex type signatures. | ||
|
|
||
| {4 MLMB (Max Local Max Proofs Verified)} |
There was a problem hiding this comment.
This is also to change if we want to change Pickles to accept more than two proofs.
|
|
||
| {3 Challenge and Hash Flow Between Circuits} | ||
|
|
||
| {4 Fiat-Shamir Transcript Flow} |
There was a problem hiding this comment.
If we want to add different kinds of proofs, this is also a change we have to make: Fiat-Shamir Transcripts are different for each protocol.
| {4 What Gets Passed vs Recomputed} | ||
|
|
||
| {b Passed from Wrap to Step:} | ||
| - [sponge_digest_before_evaluations]: Hash state at a checkpoint |
There was a problem hiding this comment.
This is important and one of the tricky part.
| let x = f messages in | ||
| absorb sponge ty x ; x ) | ||
| in | ||
| let sample () = squeeze_challenge sponge in |
There was a problem hiding this comment.
Please review carefully these changes.
| {2 Incremental Verification Flow (incrementally_verify_proof)} | ||
|
|
||
| {v | ||
| +-------------------------------------------------------------------------+ |
There was a problem hiding this comment.
This should match the Kimchi verifier implementation.
| {!module:Wrap_verifier} for the IVC step diagrams showing the precise | ||
| transcript flows in each circuit. | ||
|
|
||
| {b Important:} Challenges from previous proof rounds are verified within |
| commitments, public inputs, and prover messages, then squeezes out | ||
| challenges. The general pattern involves: | ||
|
|
||
| - Initializing the sponge with the verification key |
There was a problem hiding this comment.
I hope everything is there.
dannywillems
force-pushed
the
dw/endoscalar-mul-used
branch
2 times, most recently
from
9c0e0d0 to
3a6b941
Compare
dannywillems
force-pushed
the
dw/endoscalar-mul-used
branch
from
3a6b941 to
277599d
Compare
| {3 Parameters} | ||
|
|
||
| - [~index]: The verification key polynomial commitments | ||
| - A function to extract field elements from the application state |
There was a problem hiding this comment.
It would be nice to document all the type variables here. It is mostly for the vector lengths, but still worth it as it would be faster for the reader to parse.
|
|
||
| (** {2 Message Hashing for Recursion} *) | ||
|
|
||
| (** [hash_messages_for_next_step_proof] creates a staged function that hashes |
There was a problem hiding this comment.
To-do: add parameters to the function as it is often done in Caml doc.
| This is the core constraint generation function that builds constraints | ||
| checking a wrap proof's validity by: | ||
| 1. Reconstructing the Fiat-Shamir transcript and verifying challenges | ||
| 2. Generating constraints for polynomial commitment openings via the IPA |
There was a problem hiding this comment.
Missing the challenge polynomial.
dannywillems
force-pushed
the
dw/endoscalar-mul-used
branch
2 times, most recently
from
961e830 to
4f1e6b6
Compare
dannywillems
force-pushed
the
dw/endoscalar-mul-used
branch
from
4f1e6b6 to
32f445f
Compare
There is a change in ffb3fab which is not only documentation. Please check.