From 6cf74202ebe9a768b67d688eb0ffd8768e73ad50 Mon Sep 17 00:00:00 2001 From: Albert Rubio <34064782+alrubio@users.noreply.github.com> Date: Sat, 17 Feb 2024 09:04:01 +0100 Subject: [PATCH] circom constraint simplification explanation extended with comments on PLONK system --- mkdocs/docs/circom-language/circom-insight/simplification.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/mkdocs/docs/circom-language/circom-insight/simplification.md b/mkdocs/docs/circom-language/circom-insight/simplification.md index 7aeb36e4e..3a506cc5f 100644 --- a/mkdocs/docs/circom-language/circom-insight/simplification.md +++ b/mkdocs/docs/circom-language/circom-insight/simplification.md 
@@ -14,7 +14,9 @@ This means that we can remove any constraint E = 0 if E is linear, by choosing o In the context of [Groth16], the statement to be proved is that given the public inputs and outputs and the relation between them expressed by means of quadratic constrains of the form A*B-C = 0 (where A, B and C are linear expressions) we know a witness (an assignment to the signals that includes the given public inputs and outputs) that satisfies the relation (i.e. the constraints for the given public inputs and outputs). Therefore, we cannot remove the public inputs and outputs (even if they occur in a linear constraint) but we can remove any other private signal if it is equivalent to a linear combination of the other signals (i.e. just using additions), since `we can skip the computation of such signal` (because `addition gates are handled for free`) and we are not changing the relation between public inputs and outputs, i.e. the statement. -Once we have explained why removing any private signal (including the private inputs) is correct, let us explain what kind of simplification is applied when we enable the flag `--O1` or the flag `--O2` (which is activated by default). Notice if we do not want to apply any simplification we must use the flag `--O0`. +In case we are using the PLONK proof system (instead of Groth16), since additions are not free we cannot remove linear constraints anymore. Still we can remove equalities between signals or equalities between signals and constants which is made with the flag --O1 (see below). Moreover, note that if we apply linear simplification to a constraint system in PLONK format, the resulting constraints will in general not be in PLONK format anymore, and transforming the result back to PLONK format may lead to a worse result than the original. For this reason, when using PLONK, it is always recommended to use the --O1 flag. 
+ +Once we have explained why removing any private signal (including the private inputs) and applying linear simplification is correct, let us explain what kind of simplification is applied when we enable the flag `--O1` or the flag `--O2` (which is activated by default). Notice that if we do not want to apply any simplification we must use the flag `--O0`. * Flag ```--O1``` removes two kinds of simple constraints: a) ```signal = K```, being K is a constant in $F_p$ and b) ```signal1 = signal2```. In both cases, at least one of the signals must be private, and it is the one that will be replaced by the other side. Note that there are usually many equalities between two signals in constraints defined by circom programs as they are many times used to connect components with their sub components.
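Review bot: In the added PLONK paragraph, the recommendation to use --O1 is followed directly by the sentence that still says `--O2` "is activated by default", so a reader targeting PLONK who passes no optimization flag gets the linear simplification this paragraph advises against. State explicitly that `--O1` has to be passed for PLONK because the default is `--O2`. The same paragraph writes --O1 twice without backticks while the rest of the file uses `--O1`, and "which is made with the flag" reads better as "which is done with the flag". In the reworded "Once we have explained ..." sentence, "applying linear simplification is correct" now comes right after a paragraph saying linear simplification should not be applied for PLONK, so scope that claim to Groth16.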