Does the public inputs offset leak information? Definitely not if we use a structured trace, but otherwise yes.
Historically the public inputs were placed at the top of the wires. However, for Mega it is convenient to have the goblin ecc op gates at the top of the wires instead, which pushes the PI down by the number of goblin ecc op rows, or equivalently, the length of the transcript contributions from the circuit. We send this public_inputs_offset as part of the proof so that the verifier can compute the public input delta. But this is equivalent to sending the number of goblin ecc op gates. Is that an unacceptable information leak?
When we use a structured trace there is no problem since the number of ecc op gates (and thus the PI offset) is some fixed constant.
Does the public inputs offset leak information? Definitely not if we use a structured trace, but otherwise yes.
Historically the public inputs were placed at the top of the wires. However, for Mega it is convenient to have the goblin ecc op gates at the top of the wires instead, which pushes the PI down by the number of goblin ecc op rows, or equivalently, the length of the transcript contributions from the circuit. We send this
public_inputs_offsetas part of the proof so that the verifier can compute the public input delta. But this is equivalent to sending the number of goblin ecc op gates. Is that an unacceptable information leak?When we use a structured trace there is no problem since the number of ecc op gates (and thus the PI offset) is some fixed constant.