Skip to content

fix/0-instances #521

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Nov 5, 2024
Merged

fix/0-instances #521

merged 7 commits into from
Nov 5, 2024

Conversation

naure
Copy link
Contributor

@naure naure commented Nov 1, 2024
edited
Loading

Issue #433
Extracted from #368

@naure naure mentioned this pull request Nov 1, 2024
Merged
@naure naure linked an issue Nov 1, 2024 that may be closed by this pull request
Support 0 instances #433
Closed
5 tasks
@naure naure requested a review from kunxian-xia November 1, 2024 10:36
@naure naure marked this pull request as ready for review November 1, 2024 11:12
@naure naure mentioned this pull request Nov 1, 2024
Merged
@naure naure requested a review from hero78119 November 1, 2024 11:27
naure
naure commented Nov 1, 2024
View reviewed changes
ceno_zkvm/examples/riscv_opcodes.rs
encode_rv32(ADD, 2, 3, 3, 0), // add x3, x2, x3
encode_rv32(BLTU, 0, 3, 0, -8_i32 as u32), // bltu x0, x3, -8
// End.
encode_rv32(JAL, 0, 0, 1, 4), // jal x1, 4
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Test with 0 instances of JAL. Does nothing anyway.

@naure naure mentioned this pull request Nov 2, 2024
Closed
5 tasks
@naure
Copy link
Contributor Author

naure commented Nov 2, 2024
edited
Loading

@hero78119 I'm not totally convinced by this solution because since the commitments are optional, that gives degrees of freedom for the prover and that's no good with Fiat-Shamir.

There should be some commitment to the choice of circuits in the transcript. For example, the numbers of instances (including number 0). Or some circuit ID.

Is there something like this?

@hero78119
Copy link
Collaborator

hero78119 commented Nov 3, 2024
edited
Loading

@hero78119 I'm not totally convinced by this solution because since the commitments are optional, that gives degrees of freedom for the prover and that's no good with Fiat-Shamir.

There should be some commitment to the choice of circuits in the transcript. For example, the numbers of instances (including number 0). Or some circuit ID.

Is there something like this?

@naure this raises an excellent point for discussion! Including the number of instances in the transcript could be beneficial, but I'd also like to explore the implications of leaving the number of instances out of the transcript. The number of instances holds a particularly significant role in our system, which makes this consideration especially interesting

Giving pc start/halt (+ error code) + public i/o, prover goal is to convince verifier, $\exists$ witnesses, a list of opcode sequences, such that the pc start can transit to halt successfully following the opcode sequences order. A malicious prover manipulation of num of instances, e.g. set to 0, is equivalent in functionality to claim a list of opcode absence in sequence. In a valid sequence, each consecutive opcodes are constrained via pc and next_pc, so a list of opcode absence shouldn't satisfy state transition if it suppose to be there. So degree of freedom of num-instance seem only categories into num = 0, or num > 0 case, which is not that much, and this value also not be called free-input.

However, it bring up a further examine, if prover set number of instance to 0 of an opcode, then the free-input candidate is the witness commitments of this opcode. Thus in verifier, if an opcode instance is set as 0, it commitment need to be excluded from transcript, otherwise the backdoor is there, since we dont verify mpcs on those commitment. So I think this PR also need to check verifier and assure those free-input are excluded.

@hero78119
Copy link
Collaborator

hero78119 commented Nov 3, 2024
edited
Loading

To ensure soundness, also consult @dreamATD’s opinion on whether its necessary to include the number of instances in the transcript :)

In other word, in Ceno paper (Asymmetric Sumcheck Protocol), does n suppose to be included in transcript in Fiat-Shamir heuristic?

image

@naure naure mentioned this pull request Nov 4, 2024
Open
@naure
Copy link
Contributor Author

naure commented Nov 4, 2024
edited
Loading

equivalent in functionality to claim a list of opcode absence

Indeed, no issues with the constraints. It’s about the IOP:

…degree of freedom of num-instance seem only categories into num = 0, or num > 0 case…
…the free-input candidate is the witness commitments…

Right! Or in other words:

  1. The prover can choose the set of circuits while knowing the challenge.
  2. The witness columns can be interpreted as belonging to different circuits. The prover aligns his free sequence of proofs (opcode_proofs) with the committed sequence of polynomials (transcript).

I’m tracking this question in #542. Let’s go with this PR to unblock e2e testing, and continue discussion there?

@matthiasgoergens
Copy link
Contributor

@hero78119 I'm not totally convinced by this solution because since the commitments are optional, that gives degrees of freedom for the prover and that's no good with Fiat-Shamir.

In my previous VM we solved a similar problem by just always requiring people to commit to some positive number of instances, and didn't allow zero. (In our case, all our tables had to be padded to a power of two and for further technical reasons we needed at least four. So that's what we padded everything to.)

I'm not sure if any of this applies here.

In any case, I'm very in favour of making it possible to prove the execution of a program that has 0 occurrences of specific features or instructions.

@kunxian-xia
Copy link
Collaborator

In any case, I'm very in favour of making it possible to prove the execution of a program that has 0 occurrences of specific features or instructions.

If there is no instances of any particular instruction / opcode, why do we bother to prove them as the accumulated r_eval = 1, w_eval = 1, log_sum = 0?

hero78119
hero78119 approved these changes Nov 5, 2024
View reviewed changes
Copy link
Collaborator

@hero78119 hero78119 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

Checked with @dreamATD and also suggested add num_instance to transcript as well for more safety.
I think add stuff in transcript is easiler, but we need to ruling out behind the scene for what need to be added and what needless.
Thanks for raising separete issue #542 and we can move discussion there!

@naure naure enabled auto-merge (squash) November 5, 2024 11:31
@naure naure merged commit 6b91185 into master Nov 5, 2024
6 checks passed
@naure naure deleted the fix/0-instances branch November 5, 2024 11:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hero78119 hero78119 hero78119 approved these changes

@kunxian-xia kunxian-xia Awaiting requested review from kunxian-xia

@matthiasgoergens matthiasgoergens Awaiting requested review from matthiasgoergens

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support 0 instances

4 participants

@naure @hero78119 @matthiasgoergens @kunxian-xia