The FLP circuit runs a number of independent wraparound checks (NUM_WR_CHECKS); the input is deemed valid if a fraction of the checks succeed (NUM_WR_SUCCESSES / NUM_WR_CHECKS).
We are in the midst of choosing parameters for PINE (#39). One potential outcome of this search: there may be no benefit to allowing wraparound checks to fail, either in terms of performance or ZK/soundness error. On the other hand, if we require all checks to succeed, then we can simplify the circuit a bit.
To allow a fraction of checks to fail, the prover sends the verifiers shares of a bit (denoted g here and in the paper) indicating whether the test succeeded. The circuit proves that:
either the prover asserted success (i.e., that g=1) and the check succeeded or the prover asserted failure (g=0).
The number of successes asserted by the prover is exactly NUM_WR_SUCCESSES / NUM_WR_CHECKS.
If instead we require all tests to succeed, then the verifiers simply need to check that every check was successful. In particular, there is no need for the prover to assert success. Not only is the resulting circuit simpler, it leads to some modest performance improvements:
Shorter input (no need to send g for each wraparound check)
The FLP circuit runs a number of independent wraparound checks (
NUM_WR_CHECKS); the input is deemed valid if a fraction of the checks succeed (NUM_WR_SUCCESSES / NUM_WR_CHECKS).We are in the midst of choosing parameters for PINE (#39). One potential outcome of this search: there may be no benefit to allowing wraparound checks to fail, either in terms of performance or ZK/soundness error. On the other hand, if we require all checks to succeed, then we can simplify the circuit a bit.
To allow a fraction of checks to fail, the prover sends the verifiers shares of a bit (denoted
ghere and in the paper) indicating whether the test succeeded. The circuit proves that:g=1) and the check succeeded or the prover asserted failure (g=0).NUM_WR_SUCCESSES / NUM_WR_CHECKS.If instead we require all tests to succeed, then the verifiers simply need to check that every check was successful. In particular, there is no need for the prover to assert success. Not only is the resulting circuit simpler, it leads to some modest performance improvements:
gfor each wraparound check)