Open patrickmao93 opened 1 year ago
I haven't looked into this that deeply, so I can't say I know for sure exactly why, but I can list a bunch of things that come to mind:
rate_bits
all the way down 1, which makes FRI significantly faster (4X+). In plonky2, we can't turn it below 3.It's also worth metioning there's inherent tradeoffs here. For instance, the starky proof is quite large (~2MB), and starky doesn't support zk, so to use it in pracitce you might need to add a few steps of recursion on top of the initial proof.
Also, Jump recently published some plonky2 gadgets worth checking out, they might be better optimized. https://github.com/JumpCrypto/plonky2-crypto
Awesome work on implementing the SHA256 algo in Starky. I found another guy's impl of SHA in Plonky2. The proof gen time differs very wildly. Your 15 SHA proof runs in the milliseconds while their Plonky2 benchmark takes 16s for a single SHA.
I ran both your benchmark and their's (tweaked to 15 SHAs) with the same rate_bits = 3 and the results still differs by 4 orders of magnitude.
Have you checked out their implementation of SHA256 in Plonky2? If so, maybe you could sprinkle some insight or thoughts?