Executable EIP-4844 specs #2901
Conversation
|
@asn-d6 @protolambda |
There was a problem hiding this comment.
This looks great, after an initial review!
I'm gonna be working on integrating ethereum/EIPs#5088 into the consensus-specs this week, so there will be a bunch of new things after that's done. When it's time, I will leave a new comment here with some more information.
Cheers!
| @classmethod | ||
| def sundry_functions(cls) -> str: | ||
| return super().sundry_functions() + ''' | ||
| # TODO: for mainnet, load pre-generated trusted setup file to reduce building time. |
There was a problem hiding this comment.
Here is a py_ecc-based insecure trusted setup you might want to use for this purpose: https://github.com/asn-d6/kzgverify/blob/playground/trusted_setup.py (and corresponding json files on same directory)
|
Hello @hwwhww! I have created the PR for the consensus-side verification logic that uses KZG proofs. Please see #2915 I imagine that this would warrant a bunch of changes to the code of this PR. In particular:
Please let me know if the above did not make any sense! |
|
Hey @asn-d6 Updated some quick fixes after the #2915 patch in 60fdcac.
|
|
Found more bugs: 33829dd
|
|
In validator guide, it described how to pack the blobs into a Should we add notes on how to generate proof to the validator guide? |
Yep! I think that's needed! The notes in the last point of #2901 (comment) could serve as a decent guide here I think. |
Good catches!
I'm a bit sad that we have to do this ugly cast |
|
Updates:
|
hwwhww
changed the title
|
Update: ec7f607 As discussed, rename most
Notes:
|
|
So after discussing with @vbuterin @asn-d6 @GottfriedHerold, we realized that "blob commitment" could be confused with versioned hash. 247850a update:
|
| #### `compute_kzg_proof` | ||
|
|
||
| ```python | ||
| def compute_kzg_proof(polynomial: Sequence[BLSFieldElement], x: BLSFieldElement) -> KZGProof: |
There was a problem hiding this comment.
I think it might be a good idea to document here that the polynomial is in evaluation form
| polynomial = [int(i) for i in polynomial] | ||
|
|
||
| # Convert `polynomial` to coefficient form | ||
| assert pow(ROOTS_OF_UNITY[1], len(polynomial), BLS_MODULUS) == 1 |
There was a problem hiding this comment.
Now that FFT has penetrated into the core of the spec, it might be worth modding our FFT function to do the inverse FFT inside of it, instead of doing it at the caller.
For example see the wrapper fft() function here https://github.com/ethereum/research/blob/master/mimc_stark/fft.py#L31 that internally calls _fft() which is what we have here (we don't need the simple_ft() thing).
Also, since FFT is not exactly polynomial specific it might be worth introducing an FFT section in this file just for FFT stuff.
There was a problem hiding this comment.
After discussion, we don't actually need FFT to make KZG proofs from polynomials in evaluation form.
Please see this branch: https://github.com/asn-d6/consensus-specs/tree/eip4844-exe (pending review)
| return pow(PRIMITIVE_ROOT_OF_UNITY, (BLS_MODULUS - 1) // length, BLS_MODULUS) | ||
|
|
||
|
|
||
| def compute_roots_of_unity(field_elements_per_blob): |
There was a problem hiding this comment.
Might be better to replace field_elements_per_blob with order here and make this function less-application-specific.
We were using `x` as the evaluation point variable in polynomial functions. That can be confused with the indeterminate variable `x` of the polynomial. Hence the convention now is: - `x` for the indeterminate variable of a polynomial - `z` for the point we evaluate it at - `y` for the evaluation result
Previously we were using IFFT to go from evaluation form to coefficient form before computing the KZG proof in the traditional way. We can instead do the KZG proof division directly in evaluation form by using point-by-point division: https://dankradfeist.de/ethereum/2021/06/18/pcs-multiproofs.html#dividing-when-one-of-the-points-is-zero Two fine points: - We need to check that the denominator of the division is not zero. It's very unlikely because `z` comes out of Fiat-Shamir, but we still add an assert to make sure. - We need to shift our main polynomial by `p(z)` as in the traditional KZG proof formula. We can avoid this in coefficient form because with long division we can extract the quotient polynomial and ignore the remainder. However that's not possible when doing point-by-point division in evaluation form and hence we need to ensure that there is no remainder by shifting by `p(z)`.
Previously we were using IFFT to go from evaluation form to coefficient form before computing the KZG proof in the traditional way. We can instead do the KZG proof division directly in evaluation form by using point-by-point division: https://dankradfeist.de/ethereum/2021/06/18/pcs-multiproofs.html#dividing-when-one-of-the-points-is-zero Two fine points: - We need to check that the denominator of the division is not zero. It's very unlikely because `z` comes out of Fiat-Shamir, but we still add an assert to make sure. - We need to shift our main polynomial by `p(z)` as in the traditional KZG proof formula. We can avoid this in coefficient form because with long division we can extract the quotient polynomial and ignore the remainder. However that's not possible when doing point-by-point division in evaluation form and hence we need to ensure that there is no remainder by shifting by `p(z)`.
|
Made an attempt at squashing and rebasing this PR: #2937 |
|
closing in favor of #2937 |
Executable EIP-4844 specs (PR #2901 squashed and rebased)
In this PR:
kzg.pyfor generating testing trusted setup.SHARDING_FORK_VERSION->EIP4844_FORK_VERSIONSHARDING_FORK_EPOCH->EIP4844_FORK_EPOCHtest-eip4844CI jobTODOs:
FIELD_ELEMENTS_PER_BLOB: 4096KZG_SETUP_G2andKZG_SETUP_LAGRANGEare actually minimal config values.