In CycleFold we want to compute
$P_{folded} = P_0 + r ⋅ P_1 + r^2 ⋅ P_2 + r^3 ⋅ P_3 + ... + r^{n-2} ⋅ P_{n-2} + r^{n-1} ⋅ P_{n-1}$,
since the scalars follow the pattern r^i Youssef El Housni (@yelhousni)
proposed to update the approach of the CycleFold circuit to reduce the
number of constraints needed, by computing
$P_{folded} = (((P_{n-1} ⋅ r + P_{n-2}) ⋅ r + P_{n-3})... ) ⋅ r + P_0$.
By itself, this update reduces the number of constraints as the number
of points being folded in the CycleFold circuit grows. But it also has
impact at the HyperNova circuit, where it removes the need of using the
bit representations of the powers of the random value, substancially
reducing the amount of constraints used by the HyperNova
AugmentedFCircuit.
The number of constraints difference in the CycleFold circuit and in
the HyperNova's AugmentedFCircuit:
- CycleFold circuit:
| num points* | old | new | diff |
|-------------|-----------|-----------|----------|
| 2 | 1_354 | 1_354 | 0 |
| 3 | 2_683 | 2_554 | -129 |
| 4 | 4_012 | 3_754 | -258 |
| 8 | 9_328 | 8_554 | -744 |
| 16 | 19_960 | 18_154 | -1_806 |
| 32 | 41_224 | 37_354 | -3_870 |
| 64 | 83_752 | 75_754 | -7_998 |
| 128 | 168_808 | 152_554 | -16_254 |
| 1024 | 1_359_592 | 1_227_754 | -131_838 |
*num points: number of points being folded by the CycleFold circuit.
- HyperNova AugmentedFCircuit circuit
| folded instances* | old | new | diff |
|-------------------|---------|---------|----------|
| 5 | 90_285 | 80_150 | -10_135 |
| 10 | 144_894 | 117_655 | -27_239 |
| 20 | 249_839 | 192_949 | -56_890 |
| 40 | 463_078 | 344_448 | -118_630 |
*folded instances: folded instances per step, half of them being LCCCS
and the other half CCCS.
Co-authored-by: Youssef El Housni <youssef.housni21@gmail.com>
* Support randomness of arbitrary length
* Rename `N_BITS_RO` to `NOVA_N_BITS_RO`
* Compute `r_nonnat` inside `NIFSFullGadget::fold_committed_instance`
* Format
* Use `CycleFold{CommittedInstance, Witness}` in the context of cyclefold
* Format
* Fix the creation of dummy witness
* Make clippy happy
* Improve docs
* feat: enable hiding commitments in nova and hypernova
* fix: set blinding values for witness vector
* fix: remove cloning of the cyclefold running instance
* fix: do not re-use blinding values between prove steps
* fix: specify whether the witness should use blinding values using a
const generic
* feat: create a `dummy` method for nova witnesses as well
* chore: clippy - removed unused imports
- Adds the logic to support multi-instances folding in HyperNova's
AugmentedFCircuit & IVC.
- Adds also methods to generate new LCCCS & CCCS instances that don't
depend on the main folding chain, to be folded in in the next step
- Updates CycleFold circuit & methods to work other folding schemes than
Nova, adapting it to fold multiple points per circuit (instead of
2-to-1 as till now)
- Handle multi-instances folding in the FoldingScheme trait
interface, which expects 'None' in Nova, and 'Some' in HyperNova &
other multi-folding schemes.
* Remove the trait bound `C::BaseField: PrimeField` for better DX
* Methods in `TranscriptVar` now exactly matches the ones in `Transcript`
* Add `ProtoGalaxyTranscriptVar` and `CommittedInstanceVar` for protogalaxy
* betas are unnecessary in "plain" (incoming) instances
* Absorb the result of `get_challenge_nbits` as well
* `ProtoGalaxyTranscript` now allows absorbing mulitple instances
* Always return `Result<(), SynthesisError>` in `ProtoGalaxyTranscriptVar`
* Impl `Transcript{Var}` for `PoseidonSponge{Var}` directly and remove `PoseidonTranscript{Var}`
* `Transcript::absorb_point` doesn't need to return `Error`
* Add `AbsorbNonNative` trait for hashing non-native values
Note that now `absorb_point` only supports hashing points whose BaseField is equal to the sponge's field
* More efficient `TranscriptVar::absorb_point` by securely removing `is_inf`
* Use `sponge` and `transcript` consistently
* Clarify the usage of `AbsorbNonNative{Gadget}`
* Generic `sponge` and `transcript` params
* Avoid unstable `associated_type_bounds`
* Reuse `sponge` in hypernova
* Clean up redundant imports
* Remove unstable code
* Clarify the usage of `absorb_point` and `absorb_nonnative`
- implement hash of public params for Nova & HyperNova
- abstract pp_hash computation for folding schemes
- add pp_hash to solidity contract generator to verify the decider proof
- implement the IVC `FoldingScheme` trait for HyperNova
- refactor Nova's preprocess logic to make it simplier to use
- add to Decider trait (& Nova's DeciderEth) a preprocess method
- get rid of the `init_nova_ivc_params` and `init_ivc_and_decider_params` methods in `examples` since this is achieved with the `FS::preprocess` & `Decider::preprocess` methods
- (update the examples code to the simplified interface using
FS::preprocess & Decider::preprocess)
* Optimize the HyperNova `compute_g`, `compute_Ls` and `to_lcccs` methods
- Optimize the HyperNova `compute_g`, `compute_Ls` and `to_lcccs` methods
- in some tests, increase the size of test matrices to a more real-world size.
| method | matrix size | old version seconds | new version seconds |
| --------------------- | ------------- | ------------------- | ------------------- |
| compute_g | 2^8 x 2^8 | 16.48 | 0.16 |
| compute_g | 2^9 x 2^9 | 122.62 | 0.51 |
| compute_Ls | 2^8 x 2^8 | 9.73 | 0.11 |
| compute_Ls | 2^9 x 2^9 | 67.16 | 0.38 |
| to_lcccs | 2^8 x 2^8 | 4.56 | 0.21 |
| to_lcccs | 2^9 x 2^9 | 67.65 | 0.84 |
- Note: 2^16 x 2^16 is the actual size (upperbound) of the circuit,
which is not represented in the table since it was needing too much
ram to even be computed.
* Optimize HyperNova's `compute_sigmas_thetas` and `compute_Q`
| method | matrix size | old version seconds | new version seconds |
| ------------- | ------------- | ------------------- | ------------------- |
| compute_sigmas_thetas | 2^8 x 2^8 | 12.86 | 0.13 |
| compute_sigmas_thetas | 2^9 x 2^9 | 100.01 | 0.51 |
| compute_Q | 2^8 x 2^8 | 4.49 | 0.07 |
| compute_Q | 2^9 x 2^9 | 70.77 | 0.55 |
* optimize LCCCS::check_relation & CCCS::check_relation, and remove unnessary methods after last reimplementations
arnaucube
winderica
Pierre