Sin7Y Tech Review (27): Combined Selector

Image Not Showing Possible Reasons

The image file may be corrupted
The server hosting the image is unavailable
The image path is incorrect
The image format is not supported

Customized gate

When designing the zkvm circuit, because of many custom gates determined, there are a lot of binary selectors are introduced. Taking the (field) division gate as an example, we plan to design a gate to verify that the relationship

q = x / y

works among three elements

q, x, y

. For convenience, we will not perform the field division operation at the circuit level, instead, we will make it by verifying the following logical relationship:

x * i n v_{y} = q i n v_{y} * y = 1 / / e n s u r e y \neq 0

Between the two elements, there is an equal relationship. Therefore, we have the following Trace table:

Step	$s_{*}$	…	$s_{d i v}$	…	$w_{0}$	$w_{1}$	$w_{2}$	$w_{3}$
…	…	…	…	…
k	0	0	1	0	x	y	q	$i n v_{y}$	//division
…	…	…	…	…

Define the polynomial

w_{0} (x), w_{1} (x), w_{2} (x), w_{3} (x)

for columns

w_{0}, w_{1}, w_{2}, w_{3}

, then the rows corresponding to the division operation shall satisfy：

w_{0} (x) \cdot w_{3} (x) - w_{2} (x) = 0 w_{1} (x) \cdot w_{3} (x) - 1 = 0

To ensure that the relationship above can be satisfied in the corresponding row, a selector is needed to make the corresponding division to constrain the verification. Therefore, we have introduced a new column

s_{d i v} = {0, 0, . . .1, . . .0}

$. When it is transformed to the polynomial

s_{d i v} (x)

, the above equation will be:

s_{d i v} (x) \cdot (w_{0} (x) \cdot w_{3} (x) - w_{2} (x)) = 0 s_{d i v} (x) \cdot (w_{1} (x) \cdot w_{3} (x) - 1) = 0

Combined selector

From the example above, we can see that when we define a new customized gate, a selector column

s_{*}

needs to be introduced to correspond to the gate. If we represent the corresponding constraint polynomial of the gate with

t_{*} (x)

, we can obtain the following constraints finally:

s_{a d d} (x) \cdot t_{a d d} (x) = 0 s_{d i v} (x) \cdot t_{a d d} (x) = 0 s_{c u b e} (x) \cdot t_{c u b e} (x) = 0 s_{s q r t} (x) \cdot t_{s q r t} (x) = 0 . . .

For the prover needs to conduct commitments to all polynomials during the proof generation, overmuch selector polynomials introduced will increase the workload of the prover and the verifier. Therefore, it is necessary to optimize the selector number while the following two conditions must be satisfied:

There is no loss for the meaning of selector polynomial, that is, only specific gates can be used;
Less selector polynomial

In "Plonky2: Fast Recursive Arguments with PLONK and FRI"(https://github.com/mir-protocol/plonky2/blob/main/plonky2/plonky2.pdf), there is an optimization method "Binary-Tree Based Selector", which reduces the number of the select polynomial to

l o g (k)

, and

k

is the number of the customized gate. In the Halo2 paper, the zcash team has put forward a new optimization method, which may realize a smaller number of the polynomial (in correlation with the constraint polynomial

t_{*} (x)

and the parameters set for the constraint polynomial max_degree).

To understand it easier, let's take a simple example (for specific algorithm, please refer to Selector combining - The halo2 Book)

Step	$s_{a d d}$	$s_{d i v}$	$s_{c u b e}$	$s_{s q r t}$	$w_{0}$	$w_{1}$	$w_{2}$	$w_{3}$
0	1	0	0	0	$a_{0}$	$b_{0}$	$c_{0}$	$d_{0}$	//add
1	0	1	0	0	$a_{1}$	$b_{1}$	$c_{1}$	$d_{1}$	//division
2	0	0	1	0	$a_{2}$	$b_{2}$	$c_{2}$	$d_{2}$	//cube
3	0	0	0	1	$a_{3}$	$b_{3}$	$c_{3}$	$d_{3}$	//sqrt

We can see that we have set 4 selector columns for 4 kinds of customized gates, which are not what we want just like the aforementioned. Therefore, this will increase the workload of the prover and the verifier. Here we define a new column

q

, satisfying:

q = {\begin{cases} k & if t h e s e l e c t o r l a b e l l e d k i s 1 \\ 0 & if a l l t h e s e l e c t o r s i s 0 \end{cases}

If we define a set

{s_{a d d}, s_{d i v}, s_{c u b e}, s_{s q r t}}

(called as disjoint, that is to make there is no common point between possible rows) for selectors

s_{a d d}, s_{d i v}, s_{c u b e}, s_{s q r t}

, then based on the definition of column

q

, we have:

Step	$s_{a d d}$	$s_{d i v}$	$s_{c u b e}$	$s_{s q r t}$	$q$	$w_{0}$	$w_{1}$	$w_{2}$	$w_{3}$
0	1	0	0	0	1	$a_{0}$	$b_{0}$	$c_{0}$	$d_{0}$	//add
1	0	1	0	0	2	$a_{1}$	$b_{1}$	$c_{1}$	$d_{1}$	//division
2	0	0	1	0	3	$a_{2}$	$b_{2}$	$c_{2}$	$d_{2}$	//cube
3	0	0	0	1	4	$a_{3}$	$b_{3}$	$c_{3}$	$d_{3}$	//sqrt

Here, define a new selector polynomial form based on column

q

, and for the number

k

selector polynomial, we have:

q (x) \prod_{1 \leq h \leq l e n (s e l e c t o r s), h \neq k} (h - q (x))

For example, for the constraint:

s_{a d d} \cdot t_{a d d} (x) = 0

, can be rewritten into:

q (x) \prod_{1 \leq h \leq l e n (s e l e c t o r s), h \neq 1} (h - q (x)) \cdot t_{a d d} (x) = 0

The above formula can be expanded into:

q (x) \cdot (2 - q (x)) \cdot (3 - q (x)) \cdot (4 - q (x)) \cdot t_{a d d} (x) = 0

Set

c o m b i n e d_{q} (x) = q (x) \cdot (2 - q (x)) \cdot (3 - q (x)) \cdot (4 - q (x))

Then, the true value figure is obtained:

x	$c o m b i n e d_{q} (x)$	$s_{a d d} (x)$
0	1	1
1	0	0
2	0	0
3	0	0

It can be seen that it does the same thing as the original selector. Therefore, for constraints

s_{a d d} (x) \cdot t_{a d d} (x) = 0 s_{d i v} (x) \cdot t_{a d d} (x) = 0 s_{c u b e} (x) \cdot t_{c u b e} (x) = 0 s_{s q r t} (x) \cdot t_{s q r t} (x) = 0 . . .

We can rewrite the constrains into:

q (x) \prod_{1 \leq h \leq l e n (s e l e c t o r s), h \neq 1} (h - q (x)) \cdot t_{a d d} (x) = 0 q (x) \prod_{1 \leq h \leq l e n (s e l e c t o r s), h \neq 2} (h - q (x)) \cdot t_{a d d} (x) = 0 q (x) \prod_{1 \leq h \leq l e n (s e l e c t o r s), h \neq 3} (h - q (x)) (x) \cdot t_{c u b e} (x) = 0 q (x) \prod_{1 \leq h \leq l e n (s e l e c t o r s), h \neq 4} (h - q (x)) \cdot t_{s q r t} (x) = 0 . . .

For the constraints above, we only need to conduct commitment to the polynomial

q (x)

. But it is worth noting that, this method has also increased the degree of the constraint.

So far, we have achieved the two points mentioned above:

There is no loss for the meaning of selector polynomial, that is, only specific gates can be used;
Less selector polynomial

Of course, there are limitations to the constrained Degree in the protocol, so the selector number participating in the combine is bounded, that is, the number of the single combined selector depends on the boundary value of the Degree and max_degree of the constraint polynomial

t_{*} (x)

. Therefore, more combined columns are needed, and anyway, the number is still much smaller than the original one.

For more handling cases and algorithm details, please refer to Selector combining - The halo2 Book.

References

"The halo2 Book", https://zcash.github.io/halo2/design/implementation/selector-combining.html
Polygon Zero Team, "Plonky2: Fast Recursive Arguments with PLONK and FRI", https://github.com/mir-protocol/plonky2/blob/main/plonky2/plonky2.pdf, accessed: 2022-02-06

Sin7Y Tech Review (27): Combined Selector

Customized gate

Combined selector

References

Read more

Circle FFT and its implementation

Babylon: An Extremely Appealing Protocol Scaling Bitcoin to Secure PoS Chains

Onis Litepaper of Ola

A basic of Binius: Towers of Binary Fields