Modify the packing policy to reduce the number of primary inputs processed by the Verifier #52
Labels:
- arithmetic-circuit/R1CS: Task related to the R1CS programs
- optimization: Optimization task
- solidity: Task related to the Solidity part of the code base

In the current state of the project, several primary inputs are digests (of bit-length 256) and are packed into field elements. This set of field elements represents the set of primary inputs sent to the Verifier (contract), which then executes the SNARK verification routine. The verification routine of the SNARK used does a number of scalar multiplications linear in the number of primary inputs.

For now, each 256-bit digest (`d`) is packed into 2 field elements:

- `d1`: One field element containing 253 bits from the digest
- `d2`: Another field element containing the 3 remaining bits of the digest (and all zeroes afterwards)

This "packing policy" was chosen to keep things simple, but we clearly see that, if we have the following set of primary inputs: `{rt, n1, n2, c1, c2, vpub_in, vpub_out}`, where `{n1,n2,c1,c2}` are digests, then we'll send the set `{rt, n11, n12, n21, n22, c11, c12, c21, c22, vpub_in, vpub_out}` of field elements as the set of primary inputs to the Verifier.

This is quite inefficient since we know that `{n12, n22, c12, c22}` will only contain 3 "meaningful bits" (the other bits in the field element representation will be set to 0's).

It'd be better to represent the information of the set `{n12, n22, c12, c22}` in a single field element.

Doing so would reduce the cardinality of the set of primary inputs and save a few calls to the `bn256ScalarMul` precompiled contract, saving gas on the Verifier side.
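
The two packing policies side by side, as an added sketch that is not code from the project: it packs four constructed digests under the current policy and under the proposed one, and unpacks the proposed form while rejecting non-canonical encodings. The bit layout (low 253 bits in the per-digest element, high 3 bits as residual, residuals concatenated in input order) and the use of the BN254 scalar field are assumptions; the issue does not specify them.

```python
import hashlib

# Assumption: BN254 (alt_bn128) scalar field order; the layout below is illustrative.
FIELD_R = 21888242871839275222246405745257275088548364400416034343698204186575808495617
MAIN_BITS = 253                      # bits of a digest kept in its own element
RES_BITS = 256 - MAIN_BITS           # 3 residual bits per digest
MAIN_MASK = (1 << MAIN_BITS) - 1
assert MAIN_MASK < FIELD_R           # every 253-bit value is a valid field element

def split(d):
    """Split a 256-bit digest into (low 253 bits, high 3 bits)."""
    if not 0 <= d < (1 << 256):
        raise ValueError("digest out of range")
    return d & MAIN_MASK, d >> MAIN_BITS

def pack_current(digests):
    """Current policy: two field elements (d1, d2) per digest."""
    return [e for d in digests for e in split(d)]

def pack_proposed(digests):
    """Proposed policy: one element per digest plus one shared residual element."""
    if len(digests) * RES_BITS > MAIN_BITS:
        raise ValueError("too many digests for a single residual element")
    mains, residual = [], 0
    for i, d in enumerate(digests):
        lo, hi = split(d)
        mains.append(lo)
        residual |= hi << (i * RES_BITS)
    return mains + [residual]

def unpack_proposed(elements):
    """Recover the digests, rejecting encodings with stray bits set."""
    *mains, residual = elements
    if not 0 <= residual < (1 << (len(mains) * RES_BITS)):
        raise ValueError("residual element has bits outside the packed range")
    digests = []
    for i, lo in enumerate(mains):
        if not 0 <= lo <= MAIN_MASK:
            raise ValueError("main element exceeds 253 bits")
        hi = (residual >> (i * RES_BITS)) & ((1 << RES_BITS) - 1)
        digests.append((hi << MAIN_BITS) | lo)
    return digests

# Constructed sample digests standing in for n1, n2, c1, c2.
SAMPLE = [int.from_bytes(hashlib.sha256(s).digest(), "big") for s in (b"n1", b"n2", b"c1", b"c2")]

if __name__ == "__main__":
    # rt, vpub_in and vpub_out add 3 elements to each count.
    print("current :", len(pack_current(SAMPLE)) + 3, "primary inputs")
    print("proposed:", len(pack_proposed(SAMPLE)) + 3, "primary inputs")
```

With the seven inputs listed in the issue, the count drops from 11 field elements to 8. The range checks in `unpack_proposed` keep the encoding injective, so two different sets of field elements cannot decode to the same digests.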