Closed Al-Kindi-0 closed 3 months ago
In addition to the main suggestion I made in the last comment, I'm confused about our use of
CompositionPolynomial
andMultiLinearPoly
. We make aMultiLinearPoly
for each column in our trace, and then useCompositionPolynomial
s to encode looking up these columns to build the numerators and denominators. This confuses me, sinceMultiLinearPoly
is supposed to be the fi's, but it no longer is in the implementation.
MultiLinearPoly
stands for the MLE of a map from the Boolean hyper-cube to the field. In the code MultiLinearPoly
is used for the trace columns (these are maps from the hyper-cube to the (base) field) and is also use for numerators/ denominators in in all sum-checks except the last one.
CompositionPolynomial
stands for a non-linear multi-variate polynomial. This is used when there is a non-linear expression involving MLEs. So, one can have a linear combination of CompositionPolynomial
all of the same arity and composed with the same set of MLEs. We can also have a Merge
operation on such linear combinations and we can multiply such expressions. The result of these operations is again a CompositionPolynomial
. Now if this last CompositionPolynomial
is the one corresponding to the g
in the sum-check docs and the multi-linears it is composed with are the f_i
s therein.
I haven't read through the entire PR, but could we do away with
CompositionPolynomial
s? It seems like they come with a lot of boilerplate (a different type for each numerator/denominator expression, use ofArc<dyn ...>
, etc), and are usually little more than accessing 1-3 trace columns. Basically we could makeMultiLinearPoly
actually represent thef_i
s, and then use functions to represent the various numerator/denominators (haven't thought too much exactly how to best model this yet)?
I would love to simplify this also. Indeed, the use of so much boilerplate is a bit irritating. I have spent some time thinking about it and I think that there might be a simpler way to do things. Will update this comment soon...
Note: changed the base to logup-gkr
so that we may merge follow-up PRs before merging into next
Describe your changes
An initial version of the GKR prover for the LogUp-based global virtual bus for Miden VM.
A few remarks:
.clone()
instances that could and should be avoided.A note about the usage in the context of the overall STARK. After the prover commits to the main-trace and sends the commitment to the verifier, the verifier replies with the LogUp randomness (i.e., the $\alpha$ values). At this point, and as part of the auxiliary trace building logic (see here), the prover initializes and runs
The above
gkr_proof
should be attached to the usual STARK proof so that the STARK verifier can call a GKR verifier to verify it as part of its proof verification. As part of the auxiliary trace building logic still, the prover then usesTo get the randomness defining the Lagrange kernel auxiliary trace column and the openings which will be used to define a boundary constraint against the multi-linear opening helper column (column
s
here) and before that the batching randomness $\lambda$ asAt this point the constraints, both boundary and transition, are updated and both multi-linear opening helper columns of the auxiliary trace are constructed. This concludes the auxiliary trace building stage and at this point the protocol continues as before.
Checklist before requesting a review
next
according to naming convention.