1. Introduction
This article collects ideas and snippets that may be useful when writing halo2 circuits.
2. Small range constraints
In R1CS circuits, a common constraint is the boolean constraint $b \cdot (1-b) = 0$, which is satisfied if and only if $b=0$ or $b=1$.
Similarly, in halo2 circuits you can constrain a cell to have one of a small set of values. For example, to constrain $a$ to the range $[0..5]$ (the values 0 through 4), build a gate of the form:
$$a\cdot (1-a)\cdot (2-a)\cdot (3-a)\cdot (4-a)=0$$
To constrain $c$ to be either $7$ or $13$, use:
$$(7-c)\cdot (13-c)=0$$
The underlying idea is to make every value in the set a root of the constraint polynomial. In R1CS circuits the maximum supported polynomial degree is $2$ (because every constraint has the form $a \cdot b = c$). In halo2 circuits you can use polynomials of arbitrary degree, but the higher the degree, the more expensive the constraint is to use.
Note that the roots do not have to be constants. For example, $(a-x)\cdot (a-y)\cdot (a-z)=0$ constrains $a$ to be equal to one of $\{x,y,z\}$, where $x,y,z$ can be arbitrary polynomials, as long as the degree of the whole expression stays within the maximum degree bound.
3. Small set interpolation
Lagrange interpolation can be used to create a polynomial constraint that maps $f(X)=Y$ for small sets of $X\in\{x_i\}$, $Y\in\{y_i\}$.
For example, to map a 2-bit value to a "spread" version interleaved with zeros:
- First, precompute the evaluations at each point:
$$\begin{array}{rcl} 00 \rightarrow 0000 &\Rightarrow& 0 \rightarrow 0 \\ 01 \rightarrow 0001 &\Rightarrow& 1 \rightarrow 1 \\ 10 \rightarrow 0100 &\Rightarrow& 2 \rightarrow 4 \\ 11 \rightarrow 0101 &\Rightarrow& 3 \rightarrow 5 \end{array}$$
- Then, construct the Lagrange basis polynomial for each point using the identity:
$$l_j(X)=\prod_{0\leq m<k,\ m\neq j}\frac{X-x_m}{x_j-x_m}$$
where $k$ is the number of data points (here $k=4$).
Note that the Lagrange basis polynomial $l_j(X)$ evaluates to $1$ at $x_j$ and to $0$ at every other $x_i$, $i\neq j$.
This gives the four Lagrange basis polynomials:
$$\begin{array}{ccc} l_0(X) &=& \frac{(X - 3)(X - 2)(X - 1)}{(-3)(-2)(-1)} \\[1ex] l_1(X) &=& \frac{(X - 3)(X - 2)(X)}{(-2)(-1)(1)} \\[1ex] l_2(X) &=& \frac{(X - 3)(X - 1)(X)}{(-1)(1)(2)} \\[1ex] l_3(X) &=& \frac{(X - 2)(X - 1)(X)}{(1)(2)(3)} \end{array}$$
The corresponding polynomial constraint is then:
$$\begin{array}{cccccccccccl} &f(0) \cdot l_0(X) &+& f(1) \cdot l_1(X) &+& f(2) \cdot l_2(X) &+& f(3) \cdot l_3(X) &-& f(X) &=& 0 \\ \implies& 0 \cdot l_0(X) &+& 1 \cdot l_1(X) &+& 4 \cdot l_2(X) &+& 5 \cdot l_3(X) &-& f(X) &=& 0. \end{array}$$
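The two gate shapes from sections 2 and 3, evaluated over a toy prime field so their zero sets can be checked directly. This is an added example, not code from the original article and not halo2's API; the prime `P` and the function names `set_gate`, `interpolate` and `spread_gate` are assumptions made for illustration.

```rust
// Added example: plain modular arithmetic, not the halo2 API.
// P is an assumed stand-in prime (2^61 - 1); halo2 itself uses the Pasta fields.
const P: u128 = (1u128 << 61) - 1;

fn sub(a: u128, b: u128) -> u128 { (a % P + P - b % P) % P }
fn mul(a: u128, b: u128) -> u128 { (a % P) * (b % P) % P }
fn pow(mut b: u128, mut e: u128) -> u128 {
    let mut r: u128 = 1;
    while e > 0 {
        if e & 1 == 1 { r = mul(r, b); }
        b = mul(b, b);
        e >>= 1;
    }
    r
}
// Fermat inverse; the caller must pass a nonzero element.
fn inv(a: u128) -> u128 { pow(a, P - 2) }

/// Section 2 gate: product of (r - a) over the allowed roots, 0 iff a is a root.
/// (The article writes the root 0 as the factor `a`; only the sign differs.)
fn set_gate(a: u128, roots: &[u128]) -> u128 {
    roots.iter().fold(1u128, |acc, &r| mul(acc, sub(r, a)))
}

/// Section 3: evaluate sum_j y_j * l_j(x) with the Lagrange basis identity.
fn interpolate(xs: &[u128], ys: &[u128], x: u128) -> u128 {
    let mut total: u128 = 0;
    for j in 0..xs.len() {
        let mut term = ys[j];
        for m in 0..xs.len() {
            if m != j {
                term = mul(term, mul(sub(x, xs[m]), inv(sub(xs[j], xs[m]))));
            }
        }
        total = (total + term) % P;
    }
    total
}

/// Interpolation gate for the 2-bit spread map: sum_j f(x_j) l_j(X) - Y.
fn spread_gate(x: u128, y: u128) -> u128 {
    sub(interpolate(&[0, 1, 2, 3], &[0, 1, 4, 5], x), y)
}

fn main() {
    for (x, y) in [(0u128, 0u128), (1, 1), (2, 4), (3, 5)] {
        println!("X={} Y={} gate={}", x, y, spread_gate(x, y));
    }
    println!("range gate at a=5: {}", set_gate(5, &[0, 1, 2, 3, 4]));
}
```

The interpolation gate only ties $Y$ to the value of the degree-3 polynomial at $X$; it is also satisfied at $X=4$, $Y=0$, so $X$ still needs its own section 2 constraint over $\{0,1,2,3\}$.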