ZKEVM - Lookup Usage Efficiency

Introduction

In EVM circuit, ExecutionState are not well balanced, some are very complicated and require many lookups, some are not. But the cost of EVM circuit is determined by the worst case, this note shows how we strike the balance by folding the layout and improve the lookup usage efficiency.

Approach

For example, we want to perform 2 lookup (bitwise and and bitwise or) to the same table without too much overhead.

Naive Layout

\begin{array}{cc} a1 & a2 & a3 (a1 & a2) & a4 (a1 | a2) \\ 0b0101 & 0b1010 & 0b0000 & 0b1111 \end{array}

The pseudo code looks like:

assert subset(
    input=rlc(Tag::BitwiseAnd, a1, a2, a3),
    table=rlc(fixed_table),
)
assert subset(
    input=rlc(Tag::BitwiseOr, a1, a2, a4),
    table=rlc(fixed_table),
)

Folded Layout

In folded layout, we try to enable the lookup by constraining the compressed input to the same column of some rotation, to reuse the same subset argument as much as possible.

This layout helps reduce the amount of lookups in EVM circuit a lot.

\begin{array}{cc} a1 & a2 & a3 (a1 & a2) & a4 (a1 | a2) & a5 (compressed input) \\ 0b0101 & 0b1010 & 0b0000 & 0b1111 & rlc(Tag::BitwiseAnd, a1, a2, a3) \\ rlc(Tag::BitwiseOr, a1, a2, a4) \end{array}

The pseudo code looks like:

assert a5 == rlc(Tag::BitwiseAnd, a1, a2, a3)
assert a5_w == rlc(Tag::BitwiseOr, a1, a2, a4)
assert subset(
    input=a5,
    table=rlc(fixed_table),
)

Misc

Multiple inputs to same table

To argue

n

degree-1 inputs are all subset to the same table, the cost comparison:

	$plonkup$	$halo 2 subset argument$
$N_{point}$	$2 + n$	$1 + 2 n$
$N_{evaluation}$	$5 + n$	$2 + 3 n$
$D$	$2 + n$	$1 + 2 n$

Obviously,

plonkup

has more advantages in such case. With extra challenge support in halo2, we can roll our own

plonkup

$plonkup$

\begin{matrix} Prover & Transcript & Verifier \\ \begin{aligned} {[f_{i}]_{1}} = {com (f_{i})} \\ {[t_{i}]_{1}} = {com (t_{i})} \end{aligned} & \overset{{[f_{i}]_{1}}, {[t_{i}]_{1}}}{\to} \\ \overset{θ}{\leftarrow} & θ \overset{$}{\leftarrow} F \\ {[h_{i}]_{1}}_{i \in [n + 1]} = {com (h_{i})}_{i \in [n + 1]} & \overset{{[h_{i}]_{1}}_{i \in [n + 1]}}{\to} \\ \overset{β, γ}{\leftarrow} & β, γ \overset{$}{\leftarrow} F \\ [z]_{1} = com (z) & \overset{[z]_{1}}{\to} \\ \overset{x}{\leftarrow} & x \overset{$}{\leftarrow} F \\ \begin{aligned} {{\bar{f}}_{i}} & = {eval (f_{i}, x)} \\ {{\bar{t}}_{i}} & = {eval (t_{i}, x)} \\ {\bar{t}}_{ω}^{'} & = eval (t^{'}, ω x) \\ {{\bar{h}}_{i}}_{i \in [n + 1]} & = {eval (h_{i}, x)}_{i \in [n + 1]} \\ {\bar{h}}_{0 ω} & = eval (h_{i}, ω x) \\ \bar{z} & = eval (z, x) \\ {\bar{z}}_{ω} & = eval (z, ω x) \end{aligned} & \overset{\begin{aligned} {{\bar{f}}_{i}}, {{\bar{t}}_{i}}, {\bar{t}}_{ω}^{'}, {{\bar{h}}_{i}}_{i \in [n + 1]}, {\bar{h}}_{0 ω}, \bar{z}, {\bar{z}}_{ω} \end{aligned}}{\to} \end{matrix}

$halo 2 subset argument$

\begin{matrix} Prover & Transcript & Verifier \\ \begin{aligned} {[f_{i}]_{1}} = {com (f_{i})} \\ {[t_{i}]_{1}} = {com (t_{i})} \end{aligned} & \overset{{[f_{i}]_{1}}, {[t_{i}]_{1}}}{\to} \\ \overset{θ}{\leftarrow} & θ \overset{$}{\leftarrow} F \\ {\begin{aligned} [f_{i}^{'}]_{1} \\ [t_{i}^{'}]_{1} \end{aligned}}_{i \in [n]} = {\begin{aligned} com (f_{i}^{'}) \\ com (t_{i}^{'}) \end{aligned}}_{i \in [n]} & \overset{{[f_{i}^{'}]_{1}, [t_{i}^{'}]_{1}}_{i \in [n]}}{\to} \\ \overset{β, γ}{\leftarrow} & β, γ \overset{$}{\leftarrow} F \\ [z]_{1} = com (z) & \overset{[z]_{1}}{\to} \\ \overset{x}{\leftarrow} & x \overset{$}{\leftarrow} F \\ \begin{aligned} {{\bar{f}}_{i}} & = {eval (f_{i}, x)} \\ {{\bar{t}}_{i}} & = {eval (t_{i}, x)} \\ {\begin{aligned} {\bar{f}}_{i}^{'} \\ {\bar{f}}_{i ω}^{'} \\ {\bar{t}}_{i}^{'} \end{aligned}}_{i \in [n]} & = {\begin{aligned} eval (f_{i}^{'}, x) \\ eval (f_{i}^{'}, ω x) \\ eval (t_{i}^{'}, x) \end{aligned}}_{i \in [n]} \\ \bar{z} & = eval (z, x) \\ {\bar{z}}_{ω} & = eval (z, ω x) \end{aligned} & \overset{\begin{aligned} {{\bar{f}}_{i}}, {{\bar{t}}_{i}}, {{\bar{f}}_{i}^{'}, {\bar{f}}_{i ω}^{'}, {\bar{t}}_{i}^{'}}_{i \in [n]}, \bar{z}, {\bar{z}}_{ω} \end{aligned}}{\to} \end{matrix}

Introduction

Approach

Naive Layout

Folded Layout

Misc

Multiple inputs to same table

plonkup

halo2 subset argument

Read more

2024 zkVM team summary (PRECON)

Halo2 Peak Memory Usage

2024-01-11 Milestone review

2023-11-18 PSE tooling

$plonkup$

$halo 2 subset argument$