fix(evm_arithmetization): remove duplicate constraint in keccak_stark #48
Conversation
|
I have a feeling that even the first constraint might be unnecessary since the zk_evm/evm_arithmetization/src/keccak/round_flags.rs Lines 14 to 40 in d0bc5ec However, I'm not sure how this But if you replace everything except the first row with all zeros then it'll still satisfy the constraints. For example, with the following first two rows the |
|
Hi @shuklaayush! Thank you for this PR! Regarding your following comment:
I agree the current constraints do not enforce a proper continuation of the permutation rounds. I think a simple way to address it however is to update the constraint in If that sounds correct to you, would you mind updating your PR to update this constraint? Thank you for reviewing this part of the codebase! 🙏🏼 |
Nashtare
added
the
soundness
Do you mean changing it to something like this? // Flags should circularly increment, or be all zero for padding rows.
let next_any_flag = (0..NUM_ROUNDS).map(|i| next_values[reg_step(i)]).sum::<P>();
let not_last_row = local_values[reg_step(NUM_ROUNDS - 1)] - F::ONE;
for i in 0..NUM_ROUNDS {
let current_round_flag = local_values[reg_step(i)];
let next_round_flag = next_values[reg_step((i + 1) % NUM_ROUNDS)];
yield_constr.constraint_transition(
not_last_row * next_any_flag * (next_round_flag - current_round_flag),
);
}I don't think this works either since you can still put any subsequent row as all zeros. Something that might work is adding a yield_constr.constraint_transition(
next_any_flag * (next_round_flag - current_round_flag)
+ + (next_any_flag - F::ONE) * current_any_flag * (last_row_flag - F::ONE),
);Btw, why not just do away with handling padding separately and just fill the extra rows with more keccak permutations? Seems like that's how it's done in plonky3 |
|
Ah sorry yeah what I suggested isn't fine, yours is.
|
|
Minor nits, otherwise it looks good! Thank you for fixing this @shuklaayush! |
|
Another concern that I have is that we're not constraining individual elements of a row to be bits while using the sum as a proxy for whether the row contains any |
Hmm yeah it seems we're missing boolean constraints on all flags except the first (through CTLs) and last one (used as filter). We definitely need to address those. Would you mind adding it to this PR? Thank you for catching this as well! |
I think all the flags before the padding rows are properly constrained to be 0 or 1 since they can only be equal to the value in the previous row and in the base case, the values in the first row are constrained to be 0 or 1. Only the values in the padding rows need to be additionally constrained to be bits. |
|
Yes they are, what I had in mind when writing this is that specifically constraining them to be boolean only for padding rows would increase the degree, either through filtering or arbitrary periodic selectors (which starky doesn't support), so it's probably best to just add the boolean constraints globally. |
|
Cool, should I create another PR for that? |
|
Sure go ahead and I'll merge this one! Thanks again! |
* feat: provide IR for debugging upon failure * fix: fix clippy issues * fix: fix pr comments * fix: make evm_arithmetization non optional for ops * fix: fix pr comments * fix: fix clippy issues * fix: fix clippy issue * fix: fix pr comment * fix: fix clippy issue * fix: fix cargo lock * fix: fix pr comments * fix: fix format issues * fix: fix save input on error for test-only * fix: fix pr comments * fix: fix * fix: fix clippy issue * fix: fmt fix --------- Co-authored-by: Vladimir Trifonov <[email protected]>
Both the following constraints evaluate to the same constraint:
zk_evm/evm_arithmetization/src/keccak/keccak_stark.rs
Lines 278 to 285 in d0bc5ec
If$f = \text{local\_values[reg\_step(NUM\_ROUNDS - 1)]}$ then
corresponds to$f * (f - 1)$ and
corresponds to$(1-f)*f$