Plonk: list of suggested changes

[vesselinux]

1. Have explicit struct members of the a,b,c polynomials currently stored as a single vector W_polys_blinded_at_secret_g1[a,b,c] in the plonk_proof class. Similarly, have explicit struct members for the q_L, q_R, q_O, q_M, a_C selector polynomials currently stored as a single vector Q_polys in the circuit struct.

2. Do not store the Lagrange basis L_basis explicitly (e.g. as part of the srs class and circuit_t struct). Instead compute it on-the-fly as needed. For the purpose store the domain instead (obtained through libfqfft::get_evaluation_domain<Field>()) in the srs and circuit_t and pass this as input to functions that use the L_basis parameter.

3. Related to 2.: create the domain once (using libfqfft::get_evaluation_domain<Field>()) and carry it around as necessary. See [BASE] Plonk #49 (comment)

4. In all header files: leave only functions that are externally visible to calling code. If a function is only used "internally" in the implementation then just leave it in the .tcc (and not in the .hpp), potentially in the internal namespace (to hide it from other code). See also discussion: [BASE] Plonk #49 (comment)

5. Move the print_vector function https://github.com/clearmatics/libsnark/blob/plonk/libsnark/zk_proof_systems/plonk/utils.tcc#L19-L25 to libff/.../field_utils.hpp. (Nice print functions in libff stream operators and old serialization code libff#70)

6. Move the plonk main directory from zk_proof_systems/ to zk_proof_systems/ppzksnark/ since technically Plonk is a pre-processed zk-SNARK (ppzksnark).

7. Make sure that all functions do not rely on the caller for allocating the correct sizes of the return parameters. Make the latter to be allocated inside the functions that compute them. See also [BASE] Plonk #49 (comment)

8. When throwing an exception, it should not be up to the function that throws it to decide how it should be handled. Catch and handle must be done by the caller instead, who may wish to handle it in some way other than exiting the process, like retrying. See [BASE] Plonk #49 (comment) , [BASE] Plonk #49 (comment) , [BASE] Plonk #49 (comment)

9. Break down the long functions plonk_prover<ppT>::round_five() and plonk_prover<ppT>::round_three() into several sub-functions for the purposes of unit testing and readability (see next). See [BASE] Plonk #49 (comment)

10. Have a separate unit test under tests/ to verify the value of r_poly, W_zeta and W_zeta_omega in plonk_prover<ppT>::round_five(). See [BASE] Plonk #49 (comment) and [BASE] Plonk #49 (comment)

11. Compute the challenges alpha, beta, gamma, zeta, nu, u using a hash function rather than passing them as pre-computed inputs as part of the transcript_hash_t structure. The latter is done now for the purposes of unit testing. In the long run we might want something like a transcript_hasher which can accept field and group elements as they are available, and then output a digest when required. See discussion at [BASE] Plonk #49 (comment) and [BASE] Plonk #49 (comment)

[dtebbs]

For the immediate future:

• Plonk: error handling #57 error handling (8 above)

• Plonk: transcript hasher #56 transaction hasher (11 above)

• Plonk: code cleanup #58 Basic tidy up issue (1, 4, 7, 8 above)

• Plonk: do not store the Lagrange basis L_basis explicitly and keep domain once #55 error handling + lagrange basis: (2, 3 above)

• Plonk: move print_vector to libff #59 print issue in libff (5 above)

(ignore: 9, 10 for now.)

[vesselinux]

Issue broken down into 5 new issues according to the list above and closed.