design: blob background #21
Conversation
|
|
||
| $$p(z) = \frac{z^{4096} - 1}{4096} \sum_{i=0}^{4095} \frac{d_i\omega^i}{z - \omega^i}.$$ | ||
|
|
||
| We can precompute all the $\omega^i$, $-\omega^i$ s and $4096^{-1}$, the $d_i$ s are our tx effects, and $z$ is the challenge point (discussed more below). This means computing $p(z)$ is threoretically 4096 wrong-field multiplications and 4096 wrong-field divisions, far fewer than would be required for BLS12-381 elliptic curve operations. |
There was a problem hiding this comment.
Under the current design, we wouldn't actually be computing p(z) in a circuit right?
But could/should we?
I.e. is it possible to effectively perform verify_kzg_proof(commitment, z, y, proof) in a circuit, and then have the user provide commitment, y, and proof.
This convinces the circuit that any blob with that commitment has all the tx effects.
Then on L1 we:
- store the commitments of the blobs at the time the block is proposed
- match the stored commitments against the user provided ones when circuit verified the opening
That convinces L1 that the blobs the circuit proved against matched the ones that were previously published.
There was a problem hiding this comment.
@MirandaWood mentioned this as a possible approach to me recently. But she has dismissed it (and I agree) that computing a BLS12-381 pairing inside a Noir circuit would be many many constraints and very difficult to audit (a huge blow-up in complexity that we should avoid)
There was a problem hiding this comment.
Under the current design, we wouldn't actually be computing p(z) in a circuit right
The barycentric formula is a way of computing p(z), so technically we are computing it in the circuit with this proposal
|
Hey @LHerskind , @iAmMichaelConnor , @MirandaWood , Just to confirm, the design presented here is the one we're planning to implement in the immediate term right? |
I do need to make some small changes/clarifications to the write up, but for the maths/rollup circuits sections, generally yes. As for L1, I think @iAmMichaelConnor is still thinking about the multi-commitment multi-opening method so unsure on that. |
Adds a small initial background for blobs. To be completed