refactor(rotation): move rotation proof to chip level and unify selec…#1299
- restore parallel selector compute path in CPU zerocheck while keeping deterministic merge by structural witness id
- make selector-group capacity explicit (including rotation groups) instead of hardcoded capacity
- keep zero selector dedup semantics and enforce expression/out-eval ordering consistency
009c122 to 3948257
…#1300)

Also related to #1294

A follow-up soundness PR after rotation-flow refactor, focused on ECC->GKR bridge wiring and selector semantics.

### What changed (high level)

This PR hardens ECC bridge integration with GKR by making point-binding semantics explicit and consistent across:

- CPU prover path
- GPU prover path
- native verifier path
- recursion verifier path

It also tightens selector invariants in `ShardRamCircuit` and layer construction.

---

### Proving-flow diagram (current)

```text
create_chip_proof
  |
  +--> [optional] prove ECC quark
  |      - input: ec_point_exprs / ec_slope_exprs witnesses
  |      - output: ecc_proof { rt, evals, sum }
  |
  +--> build main witness (records / layers)
  |
  +--> prove tower relation
  |      - build tower witnesses (r/w/logup)
  |      - sumcheck tower
  |      - output: rt_tower, tower_proof, out_evals
  |
  +--> [optional] prove rotation
  |      - output: rotation_proof + rotation points
  |
  +--> prove main constraints (GKR)
  |      - initialize out_evals at rt_tower
  |      - wire rotation claims -> selector groups
  |      - wire ECC bridge claims (x/y/s) -> selector groups
  |      - run GKR prove
  |      - output: gkr_iop_proof + opening evals + input_opening_point
  |
  +--> PCS opening
  |
  '--> assemble ZKVMChipProof
```

### Next

- refactor `prove ECC quark` after `proving tower relation`, which makes things much clearer
Pull request overview
Refactors the GKR main-sumcheck pipeline so rotation constraints are handled at the chip proof level (instead of per-layer), and unifies selector/eval wiring across CPU/GPU/native verifier/recursion verifier; additionally introduces explicit selector groups for rotation and ECC “bridge” claims.
Changes:
- Moves rotation proof from `LayerProof` into `ZKVMChipProof.rotation_proof`, and updates prover/verifier + recursion binding accordingly.
- Reworks selector-group construction and out-eval assignment to be driven by first-layer `out_sel_and_eval_exprs`, including explicit rotation/ECC-bridge selector groups.
- Updates CPU/GPU zerocheck provers to compute selector-eq MLEs and splice them into the witness list by structural witness id.
Reviewed changes
Copilot reviewed 22 out of 22 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| gkr_iop/src/gkr/mock.rs | Adjusts mock evaluation plumbing for removed n_instance and updated eval APIs. |
| gkr_iop/src/gkr/layer_constraint_system.rs | Removes n_instance plumbing from layer constraint system construction. |
| gkr_iop/src/gkr/layer/zerocheck_layer.rs | Removes in-layer rotation proving/verification; keeps rotation verifier helpers and unifies main zerocheck expression logic. |
| gkr_iop/src/gkr/layer/sumcheck_layer.rs | Simplifies LayerProof to remove per-layer rotation proof. |
| gkr_iop/src/gkr/layer/gpu/mod.rs | Unifies GPU zerocheck main sumcheck flow; introduces selector-eq replacement by structural wit id; exposes rotation prover helper. |
| gkr_iop/src/gkr/layer/cpu/mod.rs | Same unification as GPU; selector-eq replacement by structural wit id; exposes rotation prover helper. |
| gkr_iop/src/gkr/layer.rs | Removes n_instance; adds explicit rotation/ECC-bridge selector group wiring + indices helpers. |
| gkr_iop/src/circuit_builder.rs | Adds ec_bridge_selectors to constraint system. |
| gkr_iop/src/chip.rs | Updates chip evaluation-count accounting to include rotation + ECC-bridge openings. |
| ceno_zkvm/src/tables/shard_ram.rs | Adds ECC bridge selectors and structural-witness wiring for ShardRam. |
| ceno_zkvm/src/structs.rs | Updates ECC proof eval layout comment. |
| ceno_zkvm/src/scheme/verifier.rs | Verifier now assigns rotation/ECC bridge group evals into out_evals before GKR verification. |
| ceno_zkvm/src/scheme/utils.rs | Adds ECC-bridge claim derivation + rotation/group assignment helpers; removes pub-IO MLE wiring in witness gen. |
| ceno_zkvm/src/scheme/prover.rs | Runs ECC quark + rotation proof at chip scope; passes them into main-constraints proving; stores chip-level rotation proof. |
| ceno_zkvm/src/scheme/hal.rs | Extends device HAL with RotationProver; changes ECC quark prover to return Option. |
| ceno_zkvm/src/scheme/gpu/mod.rs | Adds standalone prove_rotation_impl, adapts main-constraints proving to accept rotation/ECC proofs and fill out-evals. |
| ceno_zkvm/src/scheme/gpu/memory.rs | Updates GPU memory estimation to remove rotation extras at layer scope. |
| ceno_zkvm/src/scheme/cpu/mod.rs | Adds CPU RotationProver and adapts main-constraints proving similarly to GPU. |
| ceno_zkvm/src/scheme.rs | Adds chip-level rotation_proof field to ZKVMChipProof. |
| ceno_zkvm/src/precompiles/lookup_keccakf.rs | Updates test harness to explicitly prove/verify rotation and assign rotation group evals. |
| ceno_recursion/src/zkvm_verifier/verifier.rs | Updates recursive verifier to consume chip-level rotation proof and to build out_evals sized by gkr_circuit.n_evaluations. |
| ceno_recursion/src/zkvm_verifier/binding.rs | Adds chip-level rotation proof fields to recursion proof input binding; removes per-layer rotation fields. |

@copilot please summarize/highlight the concrete sumcheck expressions in main sumcheck phase. And update it to the corresponding comments and submit a pull request.

@kunxian-xia I've opened a new pull request, #1310, to work on those changes. Once the pull request is ready, I'll request review from you.

in #1301 adjust the flow to be more concise, where ecc prove is not the first one

A prerequisite PR before batch main-sumcheck across "all" chips.
This PR refactors rotation and unifies the gkr-circuit main-sumcheck flow.
What changed (high level)
This PR reshapes the proving/verification pipeline so rotation constraints are handled at chip level instead of being embedded in each GKR layer proof.
Core effect: rotation logic is now a first-class chip-proof component (`rotation_proof`) and selector/eval wiring is unified across CPU, GPU, native verifier, and recursion verifier.

Changed areas are mainly:

- `ceno_zkvm/src/scheme/*` (prover/verifier flow and proof struct)
- `gkr_iop/src/gkr/layer/*` (layer construction, selector grouping, zerocheck/sumcheck behavior)
- `ceno_recursion/src/zkvm_verifier/*` (recursive proof input/verification alignment)

Major proving-flow changes

1) Rotation proof moved out of per-layer proof and into chip proof

Previously, `LayerProof` carried optional rotation data at layer scope.

Now, rotation proof is stored in `ZKVMChipProof.rotation_proof` and handled once at chip level.

Implications:

- `LayerProof` now focuses on main sumcheck path).
- `has_rotation_proof` + `rotation_proof` in chip-level input.

2) Main constraints and rotation constraints are no longer split into separate in-layer proving phases

Before, zerocheck flow effectively had a special rotation handling path and then main constraints.

Now, main sumcheck flow is unified around `out_sel_and_eval_exprs`, while rotation is produced/checked as a dedicated chip-level proof and then mapped back through selector groups.

Implications:

3) Selector context construction is unified using first-layer selector groups

CPU/GPU prover and verifier paths now build selector contexts by iterating first-layer selector groups (`out_sel_and_eval_exprs`) rather than relying on branchy ad-hoc logic.

Implications:

- `r_selector`, `w_selector`, lookup/zero/whole selectors).

4) Rotation selector groups become explicit and dedicated

In `gkr_iop` layer construction, rotation claims reserve dedicated selector groups/opening slots (3-way grouping for left/right/origin-style rotation openings).

A helper (`rotation_selector_group_indices`) is used to map rotation claims to the right selector groups deterministically.

Implications:
Design rationale
Single source of truth for rotation handling
Rotation is conceptually chip-level logic that spans selector/eval organization; storing it at chip level matches that abstraction better than per-layer optional fields.
Reduce proving-flow complexity and duplicated logic
Previous split paths (rotation-specific + main constraints) created duplicated mechanics and increased maintenance burden. Unifying flow lowers cognitive and code complexity.
Net effect
This PR is a proving architecture cleanup:
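
The selector-eq splice named in the review summary above (compute selector-eq MLEs, then place them in the witness list by structural witness id, with explicit capacity), as an added Rust example that is not code from this PR. The field, the `Selector` struct, `eq_table` and `splice_selector_eqs` are hypothetical names chosen for the illustration, and each selector is modeled as a plain eq table over the boolean hypercube.

```rust
// Added example; every name here is hypothetical, not taken from the PR's code.
use std::thread;

const P: u64 = 0xFFFF_FFFF_0000_0001; // Goldilocks prime, chosen for this example

fn mul(a: u64, b: u64) -> u64 { ((a as u128 * b as u128) % P as u128) as u64 }
fn sub(a: u64, b: u64) -> u64 { ((a as u128 + P as u128 - b as u128) % P as u128) as u64 }

/// eq(point, x) for every x on the boolean hypercube; bit i of the index is x_i.
fn eq_table(point: &[u64]) -> Vec<u64> {
    let mut table = vec![1u64];
    for &r in point {
        let mut next = Vec::with_capacity(table.len() * 2);
        next.extend(table.iter().map(|&v| mul(v, sub(1, r)))); // x_i = 0
        next.extend(table.iter().map(|&v| mul(v, r))); // x_i = 1
        table = next;
    }
    table
}

/// A selector names the witness slot it fills (structural witness id) and its point.
struct Selector { wit_id: usize, point: Vec<u64> }

/// Compute selector-eq tables in parallel, then place each one by wit_id.
/// `witness.len()` is the explicit capacity; nothing is appended implicitly.
fn splice_selector_eqs(
    witness: &mut [Option<Vec<u64>>],
    selectors: Vec<Selector>,
) -> Result<(), String> {
    let handles: Vec<_> = selectors
        .into_iter()
        .map(|s| thread::spawn(move || (s.wit_id, eq_table(&s.point))))
        .collect();
    for h in handles {
        // Threads finish in any order; the slot is chosen by id, not by finish time.
        let (id, mle) = h.join().map_err(|_| "selector worker panicked".to_string())?;
        let slot = witness.get_mut(id).ok_or(format!("wit id {} exceeds capacity", id))?;
        if slot.is_some() {
            return Err(format!("wit id {} filled twice", id));
        }
        *slot = Some(mle);
    }
    Ok(())
}

fn main() {
    let mut witness: Vec<Option<Vec<u64>>> = vec![None; 4]; // constructed: four slots
    let sels = vec![Selector { wit_id: 3, point: vec![2, 3] }, Selector { wit_id: 1, point: vec![5] }];
    splice_selector_eqs(&mut witness, sels).unwrap();
    println!("{:?}", witness);
}
```

An id outside the declared capacity or a slot written twice is rejected rather than silently reordered, so the witness layout depends only on the ids.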