Open
Description
We have ECDSA and pairing circuits using field emulation in-circuit. However, for large instances (500+ ECDSA, 16+ pairings), this results in a few hundred M PLONK constraints, which is very slow in the context of zkevm.
Instead, we should try performing the operations using GKR. Right now we verify GKR proofs in-circuit in native fields, but I propose trying to verify GKR in-circuit using field emulation. In that case, we could perform ECDSA/pairings in native field with GKR and then verify the GKR proof using field emulation. For Fiat-Shamir challenges (verifier challenges in sumcheck rounds), we can use SNARK native field for more efficient operations.
Need to do:
- initialise a mismatching-field GKR instance in-circuit. Consider approaches which use generics or an argument to the API
- implement non-native GKR verification
- perform hashing natively. Even better, we should automatically register the hashes in the GKR hash registry for simpler usage.
- implement inverse and division in GKR. If not, then we have to implement projective EC arithmetic.
- (maybe?) use a multilinear polynomial commitment scheme for optimising verifier work in the last round. For example, Zeromorph
cc: @Tabaie and @yelhousni
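
The mixed-field idea in the description, as an added plain-Python model that is not code from this issue or from the project: a sumcheck verifier (the core of GKR verification) doing its arithmetic in one field while drawing Fiat-Shamir challenges from another. Assumptions: the secp256k1 base field as the field being verified, the BN254 scalar field as the SNARK-native field, SHA-256 standing in for a SNARK-friendly hash, and all function names hypothetical.

```python
import hashlib

# Assumed fields: Q is the secp256k1 base field (where the ECDSA arithmetic lives),
# R is the BN254 scalar field (standing in for the SNARK-native field).
Q = 2**256 - 2**32 - 977
R = 21888242871839275222246405745257275088548364400416034343698204186575808495617

def challenge(prev, g):
    """Chain the previous challenge with this round's message; reduce below R.
    SHA-256 stands in for the SNARK-friendly hash a circuit would use."""
    data = b"".join(x.to_bytes(32, "big") for x in (prev, *g))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % R

def fold(table, c):
    """Fix the first variable of a multilinear evaluation table to c (mod Q)."""
    h = len(table) // 2
    return [(lo + c * (hi - lo)) % Q for lo, hi in zip(table[:h], table[h:])]

def prove(table):
    """Honest prover: per round send (g(0), g(1)), the two half-sums mod Q."""
    msgs, c = [], 0
    while len(table) > 1:
        h = len(table) // 2
        g = (sum(table[:h]) % Q, sum(table[h:]) % Q)
        c = challenge(c, g)
        msgs.append(g)
        table = fold(table, c)
    return msgs

def verify(claim, msgs, table):
    """Check every round in F_Q with challenges from F_R. The last step evaluates
    the table directly, which is where a polynomial commitment opening would go."""
    c = 0
    for g in msgs:
        # Reject non-canonical encodings, then check g(0) + g(1) == running claim.
        if not all(0 <= x < Q for x in g) or (g[0] + g[1]) % Q != claim:
            return False
        c = challenge(c, g)
        claim = fold(g, c)[0]      # g is linear, so g(c) is one fold step
        table = fold(table, c)
    return len(table) == 1 and table[0] == claim

# Constructed sample: a 3-variable table with entries in F_Q.
TABLE = [3, 1, 4, 1, 5, 9, 2, Q - 6]
CLAIM = sum(TABLE) % Q
PROOF = prove(TABLE)
if __name__ == "__main__":
    print(verify(CLAIM, PROOF, TABLE))
```
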