feat!: remove the compress_selectors field from VerifyingKey

halo2_backend/src/plonk.rs

@@ -52,9 +52,6 @@ pub struct VerifyingKey<C: CurveAffine> {
     cs_degree: usize,
     /// The representative of this `VerifyingKey` in transcripts.
     transcript_repr: C::Scalar,
-    /// Legacy field that indicates wether the circuit was compiled with compressed selectors or
-    /// not using the legacy API.
-    pub compress_selectors: Option<bool>,
 }
 
 // Current version of the VK
@@ -187,7 +184,6 @@ impl<C: CurveAffine> VerifyingKey<C> {
             cs_degree,
             // Temporary, this is not pinned.
             transcript_repr: C::Scalar::ZERO,
-            compress_selectors: None,
         };
 
         let mut hasher = Blake2bParams::new()

halo2_proofs/benches/plonk.rs

@@ -266,18 +266,24 @@ fn criterion_benchmark(c: &mut Criterion) {
         }
     }
 
-    fn keygen(k: u32) -> (ParamsIPA<EqAffine>, ProvingKey<EqAffine>) {
+    fn keygen(k: u32) -> (ParamsIPA<EqAffine>, ProvingKey<EqAffine>, bool) {
         let params: ParamsIPA<EqAffine> = ParamsIPA::new(k);
         let empty_circuit: MyCircuit<Fp> = MyCircuit {
             a: Value::unknown(),
             k,
         };
         let vk = keygen_vk(&params, &empty_circuit).expect("keygen_vk should not fail");
         let pk = keygen_pk(&params, vk, &empty_circuit).expect("keygen_pk should not fail");
-        (params, pk)
+        let compress_selectors = true; // legacy "keygen_vk" & "keygen_pk" compress selectors by default
+        (params, pk, compress_selectors)
     }
 
-    fn prover(k: u32, params: &ParamsIPA<EqAffine>, pk: &ProvingKey<EqAffine>) -> Vec<u8> {
+    fn prover(
+        k: u32,
+        params: &ParamsIPA<EqAffine>,
+        pk: &ProvingKey<EqAffine>,
+        compress_selectors: bool,
+    ) -> Vec<u8> {
         let rng = OsRng;
 
         let circuit: MyCircuit<Fp> = MyCircuit {
@@ -289,6 +295,7 @@ fn criterion_benchmark(c: &mut Criterion) {
         create_proof::<IPACommitmentScheme<EqAffine>, ProverIPA<EqAffine>, _, _, _, _>(
             params,
             pk,
+            compress_selectors,
             &[circuit],
             &[&[]],
             rng,
@@ -318,22 +325,22 @@ fn criterion_benchmark(c: &mut Criterion) {
     let mut prover_group = c.benchmark_group("plonk-prover");
     prover_group.sample_size(10);
     for k in k_range.clone() {
-        let (params, pk) = keygen(k);
+        let (params, pk, compress_selectors) = keygen(k);
 
         prover_group.bench_with_input(
             BenchmarkId::from_parameter(k),
             &(k, &params, &pk),
             |b, &(k, params, pk)| {
-                b.iter(|| prover(k, params, pk));
+                b.iter(|| prover(k, params, pk, compress_selectors));
             },
         );
     }
     prover_group.finish();
 
     let mut verifier_group = c.benchmark_group("plonk-verifier");
     for k in k_range {
-        let (params, pk) = keygen(k);
-        let proof = prover(k, &params, &pk);
+        let (params, pk, compress_selectors) = keygen(k);
+        let proof = prover(k, &params, &pk, compress_selectors);
 
         verifier_group.bench_with_input(
             BenchmarkId::from_parameter(k),

halo2_proofs/examples/serialization.rs

@@ -167,6 +167,7 @@ fn main() {
     >(
         &params,
         &pk,
+        compress_selectors,
         &[circuit],
         &[instances],
         OsRng,

halo2_proofs/examples/shuffle.rs

@@ -279,13 +279,15 @@ fn test_prover<C: CurveAffine, const W: usize, const H: usize>(
     let params = ParamsIPA::<C>::new(k);
     let vk = keygen_vk(&params, &circuit).unwrap();
     let pk = keygen_pk(&params, vk, &circuit).unwrap();
+    let compress_selectors = true; // legacy "keygen_vk" & "keygen_pk" compress selectors by default
 
     let proof = {
         let mut transcript = Blake2bWrite::<_, _, Challenge255<_>>::init(vec![]);
 
         create_proof::<IPACommitmentScheme<C>, ProverIPA<C>, _, _, _, _>(
             &params,
             &pk,
+            compress_selectors,
             &[circuit],
             &[&[]],
             OsRng,

halo2_proofs/examples/shuffle_api.rs

@@ -155,13 +155,15 @@ where
     let params = ParamsIPA::<C>::new(k);
     let vk = keygen_vk(&params, &circuit).unwrap();
     let pk = keygen_pk(&params, vk, &circuit).unwrap();
+    let compress_selectors = true; // legacy "keygen_vk" & "keygen_pk" compress selectors by default
 
     let proof = {
         let mut transcript = Blake2bWrite::<_, _, Challenge255<_>>::init(vec![]);
 
         create_proof::<IPACommitmentScheme<C>, ProverIPA<C>, _, _, _, _>(
             &params,
             &pk,
+            compress_selectors,
             &[circuit],
             &[&[]],
             OsRng,

halo2_proofs/examples/vector-ops-unblinded.rs

@@ -478,13 +478,15 @@ where
     let params = ParamsIPA::<C>::new(k);
     let vk = keygen_vk(&params, &circuit).unwrap();
     let pk = keygen_pk(&params, vk, &circuit).unwrap();
+    let compress_selectors = true; // legacy "keygen_vk" & "keygen_pk" compress selectors by default
 
     let proof = {
         let mut transcript = Blake2bWrite::<_, _, Challenge255<_>>::init(vec![]);
 
         create_proof::<IPACommitmentScheme<C>, ProverIPA<C>, _, _, _, _>(
             &params,
             &pk,
+            compress_selectors,
             &[circuit],
             &[&[&instances]],
             OsRng,

halo2_proofs/src/plonk/keygen.rs

@@ -9,7 +9,11 @@ use halo2_frontend::plonk::Circuit;
 use halo2_middleware::ff::FromUniformBytes;
 
 /// Generate a `VerifyingKey` from an instance of `Circuit`.
-/// By default, selector compression is turned **off**.
+/// By default, selector compression is turned **ON**.
+///
+/// **NOTE**: This `keygen_vk` is legacy one, assuming that `compress_selector: true`.
+/// Hence, this one MUST be paired with `keygen_pk` util.
+/// In addition, when using this for key generation, user MUST use `compress_selectors: true`.
 pub fn keygen_vk<'params, C, P, ConcreteCircuit>(
     params: &P,
     circuit: &ConcreteCircuit,
@@ -26,6 +30,9 @@ where
 /// Generate a `VerifyingKey` from an instance of `Circuit`.
 ///
 /// The selector compression optimization is turned on only if `compress_selectors` is `true`.
+///
+/// **NOTE**: This `keygen_vk_custom` MUST share the same `compress_selectors` with `keygen_pk_custom`.
+/// Otherwise, the user would get unmatching pk/vk pair.
 pub fn keygen_vk_custom<'params, C, P, ConcreteCircuit>(
     params: &P,
     circuit: &ConcreteCircuit,
@@ -38,12 +45,15 @@ where
     C::Scalar: FromUniformBytes<64>,
 {
     let (compiled_circuit, _, _) = compile_circuit(params.k(), circuit, compress_selectors)?;
-    let mut vk = keygen_vk_v2(params, &compiled_circuit)?;
-    vk.compress_selectors = Some(compress_selectors);
-    Ok(vk)
+    Ok(keygen_vk_v2(params, &compiled_circuit)?)
 }
 
 /// Generate a `ProvingKey` from a `VerifyingKey` and an instance of `Circuit`.
+/// By default, selector compression is turned **ON**.
+///
+/// **NOTE**: This `keygen_pk` is legacy one, assuming that `compress_selector: true`.
+/// Hence, this one MUST be paired with `keygen_vk` util.
+/// In addition, when using this for key generation, user MUST use `compress_selectors: true`.
 pub fn keygen_pk<'params, C, P, ConcreteCircuit>(
     params: &P,
     vk: VerifyingKey<C>,
@@ -54,10 +64,26 @@ where
     P: Params<'params, C>,
     ConcreteCircuit: Circuit<C::Scalar>,
 {
-    let (compiled_circuit, _, _) = compile_circuit(
-        params.k(),
-        circuit,
-        vk.compress_selectors.unwrap_or_default(),
-    )?;
+    keygen_pk_custom(params, vk, circuit, true)
+}
+
+/// Generate a `ProvingKey` from an instance of `Circuit`.
+///
+/// The selector compression optimization is turned on only if `compress_selectors` is `true`.
+///
+/// **NOTE**: This `keygen_pk_custom` MUST share the same `compress_selectors` with `keygen_vk_custom`.
+/// Otherwise, the user would get unmatching pk/vk pair.
+pub fn keygen_pk_custom<'params, C, P, ConcreteCircuit>(
+    params: &P,
+    vk: VerifyingKey<C>,
+    circuit: &ConcreteCircuit,
+    compress_selectors: bool,
+) -> Result<ProvingKey<C>, Error>
+where
+    C: CurveAffine,
+    P: Params<'params, C>,
+    ConcreteCircuit: Circuit<C::Scalar>,
+{
+    let (compiled_circuit, _, _) = compile_circuit(params.k(), circuit, compress_selectors)?;
     Ok(keygen_pk_v2(params, vk, &compiled_circuit)?)
 }

halo2_proofs/src/plonk/prover.rs

@@ -23,6 +23,7 @@ pub fn create_proof<
 >(
     params: &'params Scheme::ParamsProver,
     pk: &ProvingKey<Scheme::Curve>,
+    compress_selectors: bool,
     circuits: &[ConcreteCircuit],
     instances: &[&[&[Scheme::Scalar]]],
     rng: R,
@@ -35,7 +36,7 @@ where
         return Err(Error::Backend(ErrorBack::InvalidInstances));
     }
     let (config, cs, _) = compile_circuit_cs::<_, ConcreteCircuit>(
-        pk.get_vk().compress_selectors.unwrap_or_default(),
+        compress_selectors,
         #[cfg(feature = "circuit-params")]
         circuits[0].params(),
     );
@@ -99,12 +100,14 @@ fn test_create_proof() {
     let params: ParamsKZG<Bn256> = ParamsKZG::setup(3, OsRng);
     let vk = keygen_vk(&params, &MyCircuit).expect("keygen_vk should not fail");
     let pk = keygen_pk(&params, vk, &MyCircuit).expect("keygen_pk should not fail");
+    let compress_selectors = true; // legacy "keygen_vk" & "keygen_pk" compress selectors by default
     let mut transcript = Blake2bWrite::<_, _, Challenge255<_>>::init(vec![]);
 
     // Create proof with wrong number of instances
     let proof = create_proof::<KZGCommitmentScheme<_>, ProverSHPLONK<_>, _, _, _, _>(
         &params,
         &pk,
+        compress_selectors,
         &[MyCircuit, MyCircuit],
         &[],
         OsRng,
@@ -119,6 +122,7 @@ fn test_create_proof() {
     create_proof::<KZGCommitmentScheme<_>, ProverSHPLONK<_>, _, _, _, _>(
         &params,
         &pk,
+        true,
         &[MyCircuit, MyCircuit],
         &[&[], &[]],
         OsRng,

halo2_proofs/tests/frontend_backend_split.rs

@@ -520,6 +520,7 @@ fn test_mycircuit_full_legacy() {
     let start = Instant::now();
     let vk = keygen_vk(&params, &circuit).expect("keygen_vk should not fail");
     let pk = keygen_pk(&params, vk.clone(), &circuit).expect("keygen_pk should not fail");
+    let compress_selectors = true; // legacy "keygen_vk" & "keygen_pk" compress selectors by default
     println!("Keygen: {:?}", start.elapsed());
 
     // Proving
@@ -534,6 +535,7 @@ fn test_mycircuit_full_legacy() {
     create_proof::<KZGCommitmentScheme<Bn256>, ProverSHPLONK<'_, Bn256>, _, _, _, _>(
         &params,
         &pk,
+        compress_selectors,
         &[circuit],
         &[instances_slice],
         &mut rng,

halo2_proofs/tests/plonk_api.rs

@@ -451,7 +451,9 @@ fn plonk_api() {
         }};
     }
 
-    fn keygen<Scheme: CommitmentScheme>(params: &Scheme::ParamsProver) -> ProvingKey<Scheme::Curve>
+    fn keygen<Scheme: CommitmentScheme>(
+        params: &Scheme::ParamsProver,
+    ) -> (ProvingKey<Scheme::Curve>, bool)
     where
         Scheme::Scalar: FromUniformBytes<64> + WithSmallOrderMulGroup<3>,
     {
@@ -464,7 +466,11 @@ fn plonk_api() {
         // Initialize the proving key
         let vk = keygen_vk(params, &empty_circuit).expect("keygen_vk should not fail");
 
-        keygen_pk(params, vk, &empty_circuit).expect("keygen_pk should not fail")
+        let pk = keygen_pk(params, vk, &empty_circuit).expect("keygen_pk should not fail");
+
+        let compress_selectors = true; // legacy "keygen_vk" & "keygen_pk" compress selectors by default
+
+        (pk, compress_selectors)
     }
 
     fn create_proof<
@@ -478,6 +484,7 @@ fn plonk_api() {
         rng: R,
         params: &'params Scheme::ParamsProver,
         pk: &ProvingKey<Scheme::Curve>,
+        compress_selectors: bool,
     ) -> Vec<u8>
     where
         Scheme::Scalar: Ord + WithSmallOrderMulGroup<3> + FromUniformBytes<64>,
@@ -494,6 +501,7 @@ fn plonk_api() {
         create_plonk_proof::<Scheme, P, _, _, _, _>(
             params,
             pk,
+            compress_selectors,
             &[circuit.clone(), circuit.clone()],
             &[&[&[instance]], &[&[instance]]],
             rng,
@@ -556,10 +564,13 @@ fn plonk_api() {
         let params = ParamsKZG::<Bn256>::new(K);
         let rng = OsRng;
 
-        let pk = keygen::<KZGCommitmentScheme<_>>(&params);
+        let (pk, compress_selectors) = keygen::<KZGCommitmentScheme<_>>(&params);
 
         let proof = create_proof::<_, ProverGWC<_>, _, _, Blake2bWrite<_, _, Challenge255<_>>>(
-            rng, &params, &pk,
+            rng,
+            &params,
+            &pk,
+            compress_selectors,
         );
 
         let verifier_params = params.verifier_params();
@@ -585,10 +596,13 @@ fn plonk_api() {
         let params = ParamsKZG::<Bn256>::new(K);
         let rng = OsRng;
 
-        let pk = keygen::<KZGCommitmentScheme<_>>(&params);
+        let (pk, compress_selectors) = keygen::<KZGCommitmentScheme<_>>(&params);
 
         let proof = create_proof::<_, ProverSHPLONK<_>, _, _, Blake2bWrite<_, _, Challenge255<_>>>(
-            rng, &params, &pk,
+            rng,
+            &params,
+            &pk,
+            compress_selectors,
         );
 
         let verifier_params = params.verifier_params();
@@ -614,10 +628,13 @@ fn plonk_api() {
         let params = ParamsIPA::<EqAffine>::new(K);
         let rng = OsRng;
 
-        let pk = keygen::<IPACommitmentScheme<EqAffine>>(&params);
+        let (pk, compress_selectors) = keygen::<IPACommitmentScheme<EqAffine>>(&params);
 
         let proof = create_proof::<_, ProverIPA<_>, _, _, Blake2bWrite<_, _, Challenge255<_>>>(
-            rng, &params, &pk,
+            rng,
+            &params,
+            &pk,
+            compress_selectors,
         );
 
         let verifier_params = params.verifier_params();