fe1e67165a
I believe I was mistaken earlier, and hash-based commitments actually call for `r = 2*security_bits` bits of randomness. I.e. I believe breaking a particular commitment requires `O(2^r)` work (more if the committed value adds entropy, but assume it doesn't), but breaking one of `n` commitments requires less work. It seems like this should be a well-known thing, but I can't find much in the literature. The IOP paper does mention using `2*security_bits` of randomness though.
plonky2
plonky2 is an implementation of recursive arguments based on Plonk and FRI. It uses FRI to check systems of polynomial constraints, similar to the DEEP-ALI method described in the DEEP-FRI paper. It is the successor of plonky, which was based on Plonk and Halo.
plonky2 is largely focused on recursion performance. We use custom gates to mitigate the bottlenecks of FRI verification, such as hashing and interpolation. We also encode witness data in a ~64 bit field, so field operations take just a few cycles. To achieve 128-bit security, we repeat certain checks, and run certain parts of the argument in an extension field.
Running
To see recursion performance, one can run this test, which generates a chain of three recursion proofs:
RUST_LOG=debug RUSTFLAGS=-Ctarget-cpu=native cargo test --release test_recursive_recursive_verifier -- --ignored
Disclaimer
This code has not been thoroughly reviewed or tested, and should not be used in any production systems.