-
Notifications
You must be signed in to change notification settings - Fork 97
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Plonky3 keccak optimization #2089
base: main
Are you sure you want to change the base?
Conversation
…w, but still won't work due to not enough auto witgen passes for memory read and write
…neration time is similar as using links to add_sub
It's also based on a different commit from #1832 so a few comments addressed in that PR are not addressed here, as it's quite non trivial to move them here. I'd wait for that PR merged to merge main to this. |
Can be rebased now :) The error you have looks like a constraint has a too high degree. The error message is terrible, so I just opened #2091 to fix it. |
Thanks and that makes sense. It gotta be the degree-4 constraint I added then (https://github.com/powdr-labs/powdr/pull/2089/files#diff-f9fcf1597f4c7e16da854fd1ded4cbcfed738cc44655382ec0cec5140701f8e9R67-R69), because prior versions with degree-3 constraints worked. However, it's confusing from the Plonky3 doc that they seem to support arbitrary high degree, so in theory degree 4 constraint should work here, but with a proving time cost: https://docs.polygon.technology/learn/plonky3/examples/rangecheck/#constraint-degree I'm not sure for folks writing Plonky3 circuits, are we concerned about the degree of constraints and what's the max degree we are targeting for so far? @leonardoalt |
So, currently in Plonky3, there is a dependency between the "blow up" parameter of FRI (which we set to 2) and the maximum degree (for this parameter, it would be 3). Otherwise this assertion fails. From the TODO comment above the assertion I conclude that it doesn't have to be like this, but right now it is... But a degree bound of 3 seems to a typical choice (our parameters are inspired from Plonky3's examples), so I think we should make it work for a bound of 3. You can always make it work by introducing more witness columns. BTW, in the future, this should be done automatically (see section "Intermediate polynomials can be turned into witness polynomials to reduce the constraint degree" in #2009). But currently, it still needs to be done manually. |
Fully makes sense now. Technically I can make it work by sticking data to the next next row of the first row and the third last row, but might need to do hints to make witgen more efficient. I might also just use more columns if needed. |
…d carry; correct calculation of first round values; however witgen stopped by the bug 'we have been stuck in the same row for 100 rounds'; i suspect that if we set this parameter higher, we can solve the bug, but am not sure how to do that
@georgwiese Sorry for the delay, but this is ready for a final-ish review except one caveat. The issue is to reduce the degree-4 constraint required by the increment pointer by 4 logic in the main Keccak machine. My final solution is to add 50 I also tried some more optimized version initially, which sticks intermediate columns for calculating the increment 4 logic to the first three rows of the address columns. This has the benefit of shaving off the 50
|
FYI this can be merged now. @georgwiese |
1b8c8ca
to
096560e
Compare
Issue
#1832 is ready to be merged, but currently uses 100 links to increment memory pointer using
add_sub
machine, which is quite inefficient for proving.increment_ptr
constraint API won't work in #1832, as explained in issue #2022. It succeeds at the witness generation stage but fails at the proving/verification stage, depending on which prover is used.Solution Implemented
This PR aims to implement the same increment pointer logic without relying on
increment_ptr
, by directly implementing the constraints in the Keccak main machine. On the high level, instead of creatingcarry
andinverse
columns, which is used to check if the next memory address will overflow using a zero check, I moved these two columns to the second and the penultimate (second last) rows of each 24 row blocks. Becauseaddr_h[50]
andaddr_l[50]
only uses the first and last row of each block, I put theinverse
values a row below/above the first/last row ofaddr_l[50]
and thecarry
values a row below/above the first/last row ofaddr_h[50]
. This solution should be more efficient than theincrement_ptr
API in the context of this machine, because we avoid creating 50inverse
columns and 50carry
columns. It also solves the prior issue withincrement_ptr
mentioned in #1832 by only enabling the is zero check constraint in proper rows.Current Status
Witness generation is functional, proving works with Halo2 mock prover when using dynamic vadcop limiting dynamic machines to
min_degree: 1024, max_degree: 2048
(though not setting this limit kills the process after a very long run). Proving doesn't work with Plonky3 (see CI error). It's a polynomial commitment scheme on commit polynomial evaluation. I never reached a constraint error for Plonky3, which is what blocked our priorincrement_ptr
solution, but this could mean that we didn't even reach the stage for constraint errors. Previously Plonky3 errored out at verification stage.I think this means that the implementation is correct, but am not sure how to debug the Plonky3 error. It seems that we might be able to just set some external parameters regarding size to make this work, so I'd appreciate some insights.
Here's my Plonky3 error:
Additional Questions
Do we have a CLI option to provide the witness in future runs after it's generated in a specific run? I couldn't find an example from our official docs. This has been costing quite a bit of time as I was good with the witness but just wanted to test the prover with different parameters.