chore: Doc, unit test, minors #289
Conversation
Co-authored-by: Carlos Pérez <37264926+CPerezz@users.noreply.github.com>
There was a problem hiding this comment.
I've left a lot of comments, most of them are suggestions or discussions.
In particular many comments refer to bind vs blind. After seeing so many instances of bind I'm no longer sure if bind is a thing, or it's a common typo.
The documentation is just great! Specially all the details in prover/verifier, and the references to follow how the transcript is written in proving and then read in verifying, great job!
| @@ -169,46 +173,59 @@ impl Calculation { | |||
| #[derive(Clone, Default, Debug)] | |||
| pub struct Evaluator<C: CurveAffine> { | |||
| /// Custom gates evalution | |||
| pub custom_gates: GraphEvaluator<C>, | |||
| custom_gates: GraphEvaluator<C>, | |||
There was a problem hiding this comment.
These were pub before the frontend-backend split:
halo2/halo2_proofs/src/plonk/evaluation.rs
Lines 169 to 173 in 73408a1
I wonder why...
I checked this and it comes from an improvement that Brecht did, so this is not inherited from zcash. I guess this was unneeded pub that was unnoticed.
| /// - 4. Generate commited shuffle polys | ||
| /// - 5. Commit to the vanishing argument's random polynomial | ||
| /// - 6. Generate the advice polys | ||
| /// - 7. Evaluate the h(X) polynomial |
There was a problem hiding this comment.
This is confusing for me (even if this is a reference to the original code, which has the function evaluate_h, and there was even a comment saying Evaluate the h(X) polynomial).
The way I see it, we're not evaluating h(X), instead we're calculating h(X). I say this because in my mind, if we evaluate a polynomial, the result is a field value. But the result of step 7 is a polynomial.
| @@ -563,14 +643,19 @@ impl< | |||
| ) | |||
| .collect(); | |||
|
|
|||
| // Evaluate the h(X) polynomial | |||
| // 7. Evaluate the h(X) polynomial ----------------------------------------------------------- | |||
There was a problem hiding this comment.
I would change this to the following
// 7. Given `h(X) = g(X) / t(X)` where:
// - `g(X)` is the gates and arguments polynomial
// - `t(X)` is the vanishing polynomial
// - `h(X)` is the quotient polynomial
// Calculate the g(X) polynomial
The reason I say g(X) instead of h(X) is because if you look at the implementation of evaluate_h it actually returns g
There was a problem hiding this comment.
It was added here 70cfe70#diff-6fd234fc283be7a2c59f305cdd5f15f4bb074fa6b56866452a06b34c6803fc1fR274
I agree on changing it, and to also update the MD book with a reference to g(X)
There was a problem hiding this comment.
I think we should ref the paper naming always.
Aside from that, happy to adapt to anything you consider better! :)
There was a problem hiding this comment.
For reference, I took h and t from the halo2 book https://zcash.github.io/halo2/design/proving-system/vanishing.html
As for g, it's not called like that in the halo2 book, it just doesn't have a name.
Then the plonk paper uses different names.
There was a problem hiding this comment.
Alternatively we can say also evaluate_h_dividend
There was a problem hiding this comment.
Far from helping, I come to add more confusion 😅
I like the notation of the original Plonk paper, in which t is the quotient polynomial, and z_H (zero over the set H) is the vanishing poly.
I would say we should stick to the halo2 book names, h for the quotient and t for the vanishing.
With respect to g, I'm not sure if this polynomial ever needs to be computed explicitly. In any case, it could be h_times_t.
| // Obtain challenge for keeping all separate gates linearly independent | ||
| // [TRANSCRIPT-13] | ||
| let y: ChallengeY<_> = self.transcript.squeeze_challenge_scalar(); | ||
|
|
||
| let h_poly = pk.ev.evaluate_h( |
There was a problem hiding this comment.
I would change this to:
let g_poly = pk.ev.calculate_g(
Please if somebody knows why this was called evaluate_h, can they explain it to me?
There was a problem hiding this comment.
H is usually how the Vanishing polynomial is called in the Plonk paper.
Maybe it's due to that?
There was a problem hiding this comment.
hm, but in the code this variable holds the polynomial that contains gate_1(X) + alpha * gate_2(X) + alpha^2 * gate_3(X) + ..., which is not the vanishing polynomial right?
There was a problem hiding this comment.
Agree with @ed255, I would rename this to g. Currently h is both the quotient poly and the quotient poly * vanishing.
halo2/halo2_backend/src/plonk/vanishing/prover.rs
Lines 112 to 116 in 13fa01f
| ), | ||
| shuffles, | ||
| )| { | ||
| .flat_map(|((((((instance_commitments, instance_evals), advice_commitments),advice_evals),permutation),lookups),shuffles)| { |
There was a problem hiding this comment.
This is madness 😆
This must feel like home to fans of LISP.
halo2_backend/src/plonk/prover.rs
Outdated
| @@ -355,7 +394,7 @@ impl< | |||
| } | |||
| } | |||
|
|
|||
| // Compute commitments to advice column polynomials | |||
| // Compute affine commitments to advice column polynomials. | |||
There was a problem hiding this comment.
I think the explicit distinction between affine and projective in this section is nice, but I'd leave this comment as is. Mainly because "affine commitment" doesn't sound quite right, they are unrelated concepts.
halo2_backend/src/plonk/prover.rs
Outdated
| @@ -392,6 +435,9 @@ impl< | |||
| Ok(()) | |||
| }; | |||
|
|
|||
| // Update bindings for each advice column | |||
There was a problem hiding this comment.
blinding or blinding factors maybe?
halo2_backend/src/plonk/prover.rs
Outdated
| @@ -203,6 +217,8 @@ impl< | |||
| } | |||
| } | |||
|
|
|||
| // Convert the lagrange polynomials to coefficients | |||
There was a problem hiding this comment.
Same comment as before, I wouldn't call these Lagrange polynomials.
Convert from evaluation to coefficient form. maybe?
| @@ -563,14 +643,19 @@ impl< | |||
| ) | |||
| .collect(); | |||
|
|
|||
| // Evaluate the h(X) polynomial | |||
| // 7. Evaluate the h(X) polynomial ----------------------------------------------------------- | |||
There was a problem hiding this comment.
Far from helping, I come to add more confusion 😅
I like the notation of the original Plonk paper, in which t is the quotient polynomial, and z_H (zero over the set H) is the vanishing poly.
I would say we should stick to the halo2 book names, h for the quotient and t for the vanishing.
With respect to g, I'm not sure if this polynomial ever needs to be computed explicitly. In any case, it could be h_times_t.
| // Obtain challenge for keeping all separate gates linearly independent | ||
| // [TRANSCRIPT-13] | ||
| let y: ChallengeY<_> = self.transcript.squeeze_challenge_scalar(); | ||
|
|
||
| let h_poly = pk.ev.evaluate_h( |
There was a problem hiding this comment.
Agree with @ed255, I would rename this to g. Currently h is both the quotient poly and the quotient poly * vanishing.
halo2/halo2_backend/src/plonk/vanishing/prover.rs
Lines 112 to 116 in 13fa01f
This PR adds some documentation, improves code readeability and adds an unit test for
GraphEvaluator