2 challenges, 28 routed wires (#310)

* 2 challenges, 28 routed wires 2 challenges gives certain checks approximately (field_bits - degree_bits) * 2 bits of security, so we maintain our target of 100 bits for circuits with 2^14 gates or fewer. 28 routed wires is the min for `InterpolationGate`. A lower number helps reduce proof sizes. We can go back to a high number if there's any strong reason to reduce our gate count (e.g. if we were trying to hit 2^12). * Check FRI conjectured security * Fix
2026-01-02 13:53:07 +00:00 · 2021-10-19 12:38:20 -07:00 · 2021-10-19 12:38:20 -07:00 · 64cd2e5686
commit 64cd2e5686
parent 019ccf537b
3 changed files with 36 additions and 24 deletions
--- a/src/fri/recursive_verifier.rs
+++ b/src/fri/recursive_verifier.rs
@ -59,7 +59,7 @@ impl<F: RichField + Extendable<D>, const D: usize> CircuitBuilder<F, D> {
    /// Make sure we have enough wires and routed wires to do the FRI checks efficiently. This check
    /// isn't required -- without it we'd get errors elsewhere in the stack -- but just gives more
    /// helpful errors.
-    fn check_config(&self, max_fri_arity: usize) {
+    fn check_recursion_config(&self, max_fri_arity: usize) {
        let random_access = RandomAccessGate::<F, D>::new_from_config(
            &self.config,
            max_fri_arity.max(1 << self.config.cap_height),
@ -118,7 +118,7 @@ impl<F: RichField + Extendable<D>, const D: usize> CircuitBuilder<F, D> {
        let config = &common_data.config;

        if let Some(max_arity) = common_data.fri_params.max_arity() {
-            self.check_config(max_arity);
+            self.check_recursion_config(max_arity);
        }

        debug_assert_eq!(
--- a/src/plonk/circuit_builder.rs
+++ b/src/plonk/circuit_builder.rs
@ -9,9 +9,9 @@ use crate::field::cosets::get_unique_coset_shifts;
 use crate::field::extension_field::target::ExtensionTarget;
 use crate::field::extension_field::{Extendable, FieldExtension};
 use crate::field::fft::fft_root_table;
-use crate::field::field_types::RichField;
+use crate::field::field_types::{Field, RichField};
 use crate::fri::commitment::PolynomialBatchCommitment;
-use crate::fri::FriParams;
+use crate::fri::{FriConfig, FriParams};
 use crate::gates::arithmetic::ArithmeticExtensionGate;
 use crate::gates::constant::ConstantGate;
 use crate::gates::gate::{Gate, GateInstance, GateRef, PrefixedGate};
@ -86,7 +86,7 @@ pub struct CircuitBuilder<F: RichField + Extendable<D>, const D: usize> {

 impl<F: RichField + Extendable<D>, const D: usize> CircuitBuilder<F, D> {
    pub fn new(config: CircuitConfig) -> Self {
-        CircuitBuilder {
+        let builder = CircuitBuilder {
            config,
            gates: HashSet::new(),
            gate_instances: Vec::new(),
@ -101,7 +101,32 @@ impl<F: RichField + Extendable<D>, const D: usize> CircuitBuilder<F, D> {
            free_arithmetic: HashMap::new(),
            free_random_access: HashMap::new(),
            current_switch_gates: Vec::new(),
-        }
+        };
+        builder.check_config();
+        builder
+    }
+
+    fn check_config(&self) {
+        let &CircuitConfig {
+            security_bits,
+            rate_bits,
+            fri_config:
+                FriConfig {
+                    proof_of_work_bits,
+                    num_query_rounds,
+                    ..
+                },
+            ..
+        } = &self.config;
+
+        // Conjectured FRI security; see the ethSTARK paper.
+        let fri_field_bits = F::Extension::order().bits() as usize;
+        let fri_query_security_bits = num_query_rounds * rate_bits + proof_of_work_bits as usize;
+        let fri_security_bits = fri_field_bits.min(fri_query_security_bits);
+        assert!(
+            fri_security_bits >= security_bits,
+            "FRI params fall short of target security"
+        );
    }

    pub fn num_gates(&self) -> usize {
--- a/src/plonk/circuit_data.rs
+++ b/src/plonk/circuit_data.rs
@ -38,20 +38,7 @@ pub struct CircuitConfig {

 impl Default for CircuitConfig {
    fn default() -> Self {
-        CircuitConfig {
-            num_wires: 4,
-            num_routed_wires: 4,
-            security_bits: 128,
-            rate_bits: 3,
-            num_challenges: 3,
-            zero_knowledge: true,
-            cap_height: 1,
-            fri_config: FriConfig {
-                proof_of_work_bits: 1,
-                reduction_strategy: FriReductionStrategy::ConstantArityBits(3, 5),
-                num_query_rounds: 1,
-            },
-        }
+        CircuitConfig::standard_recursion_config()
    }
 }

@ -64,10 +51,10 @@ impl CircuitConfig {
    pub(crate) fn standard_recursion_config() -> Self {
        Self {
            num_wires: 143,
-            num_routed_wires: 64,
-            security_bits: 128,
+            num_routed_wires: 28,
+            security_bits: 100,
            rate_bits: 3,
-            num_challenges: 3,
+            num_challenges: 2,
            zero_knowledge: false,
            cap_height: 3,
            fri_config: FriConfig {
@ -83,7 +70,7 @@ impl CircuitConfig {
        Self {
            num_wires: 143,
            num_routed_wires: 64,
-            security_bits: 128,
+            security_bits: 4,
            rate_bits: 3,
            num_challenges: 3,
            zero_knowledge: false,