Optional zero-knowledge by const generic

[han0110]

This PR aims to extend halo2 to allow developers to enable/disable zero-knowledge with const generic const ZK: bool.

Protocol adjustment for non-ZK

Notations are following the ones used in halo2 book.

Blinding factors

The final max(3, max(num_advice_queries)) + 2 rows of every advice column, including permuted columns in lookup argument, and grand-product columns in lookup and permutation argument, are loaded with random blinding factors, which aims for zero knowledge.

When we turn off zero-knowledge, we don't need to reserve these final rows, then all rows are usable.

Lookup argument

Currently the constraints of lookup argument are:

• $\ell_0(X) \cdot (1 - Z(X))$
• $q_{last}(X) \cdot (Z(X)^2 - Z(X))$
• $(1 - (q_{last}(X) + q_{blind}(X))) \cdot (Z(\omega X)\cdot(A^\prime(X) + \beta)\cdot(S^\prime(X) + \gamma) - Z(X)\cdot(A(X) + \beta)\cdot(S(X) + \gamma))$
• $\ell_0(X) \cdot (A^\prime(X) - S^\prime(X))$
• $(1 - (q_{last}(X) + q_{blind}(X))) \cdot (A^\prime(X) - S^\prime(X)) \cdot (A^\prime(X) - A^\prime(\omega^{-1}X))$

When we turn off zero-knowledge, the constraints could be simplified to the orange parts only:

• $\color{orange}{\ell_0(X) \cdot (1 - Z(X))}$
• $\color{darkgray}{q_{last}(X) \cdot (Z(X)^2 - Z(X))}$
• $\color{darkgray}{(1 - (q_{last}(X) + q_{blind}(X))) \cdot(}\color{orange}{Z(\omega X)\cdot(A^\prime(X) + \beta)\cdot(S^\prime(X) + \gamma) - Z(X)\cdot(A(X) + \beta)\cdot(S(X) + \gamma)}\color{darkgray}{)}$
• $\color{darkgray}{\ell_0(X) \cdot (A^\prime(X) - S^\prime(X))}$
• $\color{darkgray}{(1 - (q_{last}(X) + q_{blind}(X))) \cdot}\color{orange}{(A^\prime(X) - S^\prime(X)) \cdot (A^\prime(X) - A^\prime(\omega^{-1}X))}$

Permutation argument

Currently the constraints of permutation argument are:

• $\ell_0(X) \cdot (1 - Z_{P,0}(X))$
• $q_{last}(X) \cdot (Z_{P,b}(X)^2 - Z_{P,b}(X))$
• $\text{For}\ 0 < a < b$
  • $\ell_0(X) \cdot (Z_{P,a}(X) - Z_{P,a-1}(\omega^\mu X))$
• $\text{For}\ 0 \le a < b$
  • $(1 - (q_{last}(X) + q_{blind}(X))) \cdot \Big(Z_{P,a}(\omega X) \cdot \prod\limits_{i=am}^{(a+1)m-1}(v_i(X) + \beta \cdot s_i(X) + \gamma) - Z_{P,a}(X) \cdot \prod\limits_{i=am}^{(a+1)m-1}(v_i(X) + \beta \cdot \delta^i \cdot X + \gamma)\Big)$

When we turn off zero-knowledge, the constraints could be simplified to the orange parts only:

• $\text{If}\ m \le d-1, \text{then}\ b = 1$
  • $\color{orange}{\ell_0(X) \cdot (1 - Z_{P,0}(X))}$
  • $\color{darkgray}{q_{last}(X) \cdot (Z_{P,b}(X)^2 - Z_{P,b}(X))}$
  • $\color{darkgray}{\text{For}\ 0 < a < b}$
    • $\color{darkgray}{\ell_0(X) \cdot (Z_{P,a}(X) - Z_{P,a-1}(\omega^\mu X))}$
  • $\color{orange}{\text{For}\ 0 \le a < b}$
    • $\color{darkgray}{(1 - (q_{last}(X) + q_{blind}(X))) \cdot \Big(}\color{orange}{Z_{P,a}(\omega X) \cdot \prod\limits_{i=am}^{(a+1)m-1}(v_i(X) + \beta \cdot s_i(X) + \gamma) - Z_{P,a}(X) \cdot \prod\limits_{i=am}^{(a+1)m-1}(v_i(X) + \beta \cdot \delta^i \cdot X + \gamma)}\color{darkgray}{\Big)}$
• $\text{Otherwise}$
  • $\color{orange}{\ell_0(X) \cdot (1 - Z_{P,0}(X))}$
  • $\color{darkgray}{q_{last}(X) \cdot (Z_{P,b}(X)^2 - Z_{P,b}(X))}$
  • $\color{darkgray}{\text{For}\ 0 < a < b}$
    • $\color{darkgray}{\ell_0(X) \cdot (Z_{P,a}(X) - Z_{P,a-1}(\omega^\mu X))}$
  • $\color{orange}{\text{For}\ 0 \le a < b}$
    • $\color{darkgray}{(1 - (q_{last}(X) + q_{blind}(X))) \cdot \Big(}\color{red}{(}\color{orange}{Z_{P,a}(\omega X)}\color{red}{ + q_{last}(X) \cdot (Z_{P,a+1}(\omega X) - Z_{P,a}(\omega X)))}\color{orange}{ \cdot \prod\limits_{i=am}^{(a+1)m-1}(v_i(X) + \beta \cdot s_i(X) + \gamma) - Z_{P,a}(X) \cdot \prod\limits_{i=am}^{(a+1)m-1}(v_i(X) + \beta \cdot \delta^i \cdot X + \gamma)}\color{darkgray}{\Big)}$

Where the red part is adjustment to make all rows copyable.

Vanishing argument

Currently we add a random polynomial in the vanishing argument to reveal nothing about $h(X)$. When we turn off zero-knowledge, it's on longer needed.

[CPerezz]

Would be also nice to simulate an upstream rebase to see how git faces this changes.

Just to prevent insane workloads when rebasing in the future.

[CPerezz]

Looks great atm!

Not a big fan of doing a const-associated ZK property as mentioned in the previous issues as it makes the code much harder when a feature would had been much simpler. Or maybe even a trait.

Anyway, it seems it has been decided to go towards this solution which looks fine.

Just left a couple of comments and will approve once the sha256.rs benches and the cost-model.rs errors and warnings are fixed :)

[kilic]

@han0110 Great great work. Helped me to walk through many polynomial equations. Some points:

1. Here we have a unique permutation folding trick and I think it should be documented more beyond a commented equation.

2. Using the exactly same if ZK stuff I made another version that moves ZK bound from structs to required function signatures. Here. It was an experiment and not sure atm which approach would be better. But seems like it saved many structs from thisZK bound.

[CPerezz]

@han0110 are we planning to merge this?

Would be nice that the next halo2 release comes with this together with #81 #79 and #77