github/powdr
1
1
Fork 0
mirror of https://github.com/powdr-labs/powdr.git synced 2026-04-20 03:03:25 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
bb4412656acaae79d23d8f3b0bd42fa7ce90bcce
powdr/std/math
History
Georg Wiese 7a851317bc Implement permutation argument using extension field (#1306) 
Makes the permutation argument sound on the Goldilocks field by
evaluating polynomials on the extension field introduced in #1310.

I also used the new `Constr::Permutation` variant!

A few test cases (also tested in CI):

#### No extension field
`cargo run pil test_data/std/permutation_via_challenges.asm -o output -f
--field bn254 --prove-with halo2-mock`

This still works and produces the same output as before, thanks to the
PIL evaluator removing multiplications by 0 etc:

```
    col witness stage(1) z;
    (std::protocols::permutation::is_first * (main.z - 1)) = 0;
    ((((1 - main.first_four) * ((std::protocols::permutation::beta1 - ((std::protocols::permutation::alpha1 * main.b1) + main.b2)) - 1)) + 1) * main.z') = (((main.first_four * ((std::protocols::permutation::beta1 - ((std::protocols::permutation::alpha1 * main.a1) + main.a2)) - 1)) + 1) * main.z);
```

#### With extension field
`cargo run pil test_data/std/permutation_via_challenges_ext.asm -o
output -f --field bn254 --prove-with halo2-mock`

The constraints are significantly more complex but seem correct to me:

```
    col witness stage(1) z1;
    col witness stage(1) z2;
    (std::protocols::permutation::is_first * (main.z1 - 1)) = 0;
    (std::protocols::permutation::is_first * main.z2) = 0;
    (((((1 - main.first_four) * ((std::protocols::permutation::beta1 - ((std::protocols::permutation::alpha1 * main.b1) + main.b2)) - 1)) + 1) * main.z1') + ((7 * ((1 - main.first_four) * (std::protocols::permutation::beta2 - (std::protocols::permutation::alpha2 * main.b1)))) * main.z2')) = ((((main.first_four * ((std::protocols::permutation::beta1 - ((std::protocols::permutation::alpha1 * main.a1) + main.a2)) - 1)) + 1) * main.z1) + ((7 * (main.first_four * (std::protocols::permutation::beta2 - (std::protocols::permutation::alpha2 * main.a1)))) * main.z2));
    ((((1 - main.first_four) * (std::protocols::permutation::beta2 - (std::protocols::permutation::alpha2 * main.b1))) * main.z1') + ((((1 - main.first_four) * ((std::protocols::permutation::beta1 - ((std::protocols::permutation::alpha1 * main.b1) + main.b2)) - 1)) + 1) * main.z2')) = (((main.first_four * (std::protocols::permutation::beta2 - (std::protocols::permutation::alpha2 * main.a1))) * main.z1) + (((main.first_four * ((std::protocols::permutation::beta1 - ((std::protocols::permutation::alpha1 * main.a1) + main.a2)) - 1)) + 1) * main.z2));
```

#### On Goldilocks

Running the first example on GL fails, because using the permutation
argument without the extension field would not be sound. The second
example works, but because we don't support challenges on GL yet, it
doesn't actually run the second-phase witness generation.

---------

Co-authored-by: chriseth <chris@ethereum.org>
2024-06-12 11:15:50 +00:00
..
ff.asm
Patterns in let statements and function parameters (#1214)
2024-04-03 18:39:19 +00:00
fp2.asm
Implement permutation argument using extension field (#1306)
2024-06-12 11:15:50 +00:00
mod.asm
Add std::math::fp2 module (#1310)
2024-05-10 16:17:29 +00:00