This PR aims to extend halo2 to allow developers to enable/disable zero-knowledge with const generic const ZK: bool.

Protocol adjustment for non-ZK

Notations are following the ones used in halo2 book.

Blinding factors

The final max(3, max(num_advice_queries)) + 2 rows of every advice column, including permuted columns in lookup argument, and grand-product columns in lookup and permutation argument, are loaded with random blinding factors, which aims for zero knowledge.

When we turn off zero-knowledge, we don't need to reserve these final rows, then all rows are usable.

Lookup argument

Currently the constraints of lookup argument are:

• $\ell_0(X) \cdot (1 - Z(X))$
• $q_{last}(X) \cdot (Z(X)^2 - Z(X))$
• $(1 - (q_{last}(X) + q_{blind}(X))) \cdot (Z(\omega X)\cdot(A^\prime(X) + \beta)\cdot(S^\prime(X) + \gamma) - Z(X)\cdot(A(X) + \beta)\cdot(S(X) + \gamma))$
• $\ell_0(X) \cdot (A^\prime(X) - S^\prime(X))$
• $(1 - (q_{last}(X) + q_{blind}(X))) \cdot (A^\prime(X) - S^\prime(X)) \cdot (A^\prime(X) - A^\prime(\omega^{-1}X))$

When we turn off zero-knowledge, the constraints could be simplified to the orange parts only:

• $\color{orange}{\ell_0(X) \cdot (1 - Z(X))}$
• $\color{darkgray}{q_{last}(X) \cdot (Z(X)^2 - Z(X))}$
• $\color{darkgray}{(1 - (q_{last}(X) + q_{blind}(X))) \cdot(}\color{orange}{Z(\omega X)\cdot(A^\prime(X) + \beta)\cdot(S^\prime(X) + \gamma) - Z(X)\cdot(A(X) + \beta)\cdot(S(X) + \gamma)}\color{darkgray}{)}$
• $\color{darkgray}{\ell_0(X) \cdot (A^\prime(X) - S^\prime(X))}$
• $\color{darkgray}{(1 - (q_{last}(X) + q_{blind}(X))) \cdot}\color{orange}{(A^\prime(X) - S^\prime(X)) \cdot (A^\prime(X) - A^\prime(\omega^{-1}X))}$

Permutation argument

Currently the constraints of permutation argument are:

• $\ell_0(X) \cdot (1 - Z_{P,0}(X))$
• $q_{last}(X) \cdot (Z_{P,b}(X)^2 - Z_{P,b}(X))$
• $\text{For}\ 0 < a < b$
  • $\ell_0(X) \cdot (Z_{P,a}(X) - Z_{P,a-1}(\omega^\mu X))$
• $\text{For}\ 0 \le a < b$
  • $(1 - (q_{last}(X) + q_{blind}(X))) \cdot \Big(Z_{P,a}(\omega X) \cdot \prod\limits_{i=am}^{(a+1)m-1}(v_i(X) + \beta \cdot s_i(X) + \gamma) - Z_{P,a}(X) \cdot \prod\limits_{i=am}^{(a+1)m-1}(v_i(X) + \beta \cdot \delta^i \cdot X + \gamma)\Big)$

When we turn off zero-knowledge, the constraints could be simplified to the orange parts only:

• $\text{If}\ m \le d-1, \text{then}\ b = 1$
  • $\color{orange}{\ell_0(X) \cdot (1 - Z_{P,0}(X))}$
  • $\color{darkgray}{q_{last}(X) \cdot (Z_{P,b}(X)^2 - Z_{P,b}(X))}$
  • $\color{darkgray}{\text{For}\ 0 < a < b}$
    • $\color{darkgray}{\ell_0(X) \cdot (Z_{P,a}(X) - Z_{P,a-1}(\omega^\mu X))}$
  • $\color{orange}{\text{For}\ 0 \le a < b}$
    • $\color{darkgray}{(1 - (q_{last}(X) + q_{blind}(X))) \cdot \Big(}\color{orange}{Z_{P,a}(\omega X) \cdot \prod\limits_{i=am}^{(a+1)m-1}(v_i(X) + \beta \cdot s_i(X) + \gamma) - Z_{P,a}(X) \cdot \prod\limits_{i=am}^{(a+1)m-1}(v_i(X) + \beta \cdot \delta^i \cdot X + \gamma)}\color{darkgray}{\Big)}$
• $\text{Otherwise}$
  • $\color{orange}{\ell_0(X) \cdot (1 - Z_{P,0}(X))}$
  • $\color{darkgray}{q_{last}(X) \cdot (Z_{P,b}(X)^2 - Z_{P,b}(X))}$
  • $\color{darkgray}{\text{For}\ 0 < a < b}$
    • $\color{darkgray}{\ell_0(X) \cdot (Z_{P,a}(X) - Z_{P,a-1}(\omega^\mu X))}$
  • $\color{orange}{\text{For}\ 0 \le a < b}$
    • $\color{darkgray}{(1 - (q_{last}(X) + q_{blind}(X))) \cdot \Big(}\color{red}{(}\color{orange}{Z_{P,a}(\omega X)}\color{red}{ + q_{last}(X) \cdot (Z_{P,a+1}(\omega X) - Z_{P,a}(\omega X)))}\color{orange}{ \cdot \prod\limits_{i=am}^{(a+1)m-1}(v_i(X) + \beta \cdot s_i(X) + \gamma) - Z_{P,a}(X) \cdot \prod\limits_{i=am}^{(a+1)m-1}(v_i(X) + \beta \cdot \delta^i \cdot X + \gamma)}\color{darkgray}{\Big)}$

Where the red part is adjustment to make all rows copyable.

Vanishing argument

Currently we add a random polynomial in the vanishing argument to reveal nothing about $h(X)$. When we turn off zero-knowledge, it's on longer needed.