Continue doc

o1-labs · Jul 14, 2024 · 00b6f0e · 00b6f0e
1 parent 0526a50
commit 00b6f0e
Showing 1 changed file with 46 additions and 2 deletions.
diff --git a/ivc/src/superivc/mod.rs b/ivc/src/superivc/mod.rs
@@ -1,7 +1,10 @@
 //! This module contains an implementation of a variant of the non uniform IVC
 //! circuit (NIVC) described in the paper
 //! [SuperNova](https://eprint.iacr.org/2022/1758) to be used with the library
-//! [folding](folding) of this monorepo.
+//! [folding](folding) of this monorepo. The curve will be supposed to be the
+//! curve BN254. We will also suppose that the scalar multiplication can be
+//! performed in two steps and that the NIVC circuit can simply perform a
+//! foreign field elliptic curve addition.
 //!
 //! The circuit generalizes the IVC circuit described in the paper
 //! [Nova](https://eprint.iacr.org/2021/370) to support non-uniform circuit by
@@ -36,7 +39,48 @@
 //! We will suppose that the execution of the function `F_i` is simply given by
 //! hashing the commitments to the columns generated by the execution of the
 //! function `F_i`. It will give us the value `z_i`.
-
+//!
+//! We will also suppose that the polynomials representing the functions `F_i`
+//! are over 435 variables. The number 435 is explained below.
+// FIXME: maybe 435 will be different.
+//!
+//! The NIVC circuit described by the SuperNova paper needs to pass the public
+//! IO to the next iteration. For that, we will use an instantiation of the
+//! Poseidon hash function. For BN254, we decide to use the following parameters
+//! to reach a security level of 128 bits: - The number of full rounds is 8.
+//! - The number of partial rounds is 56.
+//! - The number of state elements is 3.
+//!
+//! We decide to encode one full execution of the Poseidon hash function in one
+//! row. It gives us a total of 435 columns and 192 public inputs to encode the
+//! round constants.
+//!
+//! ## Layout of the circuit
+//!
+//! TODO
+//! 1. Encode the polynomial φ.
+//! 2. Check that the execution of the instruction is allowed by providing a
+//! merkle path.
+//! 3. Execute the function `F_(phi)`.
+//! 4. Encode the verifier
+//!   a. Compute FF EC addition.
+//! 5. Compute a merkle root.
+//!
+//! ## Encode parallelisation
+//!
+//! The NIVC circuit as described in the SuperNova paper only allow one
+//! instruction to be executed at the next step `i + 1`, as at step `i`, the
+//! prover must execute the function `phi` to select the next instruction, and
+//! compute the hash of the public IO to pass it to the next step. At the next
+//! step, the NIVC circuit will check that the hash of the public IO is correct,
+//! by recomputing the instruction to be run, and by checking the hash.
+//!
+//! To allow parallelisation (i.e. at step i + 1, the prover can run any
+//! instruction in a set of instructions), we will instead compute a merkle
+//! root at step i. At step i + 1, the prover will provide the path in the
+//! merkle tree. This will allow to run any instruction in the set of the predefined
+//! instructions. The overhead for the prover is to compute the merkle root at
+//! the end of the step i.
 pub mod columns;
 pub mod constraints;
 pub mod interpreter;