Permutation argument

Given that gates in halo2 circuits operate "locally" (on cells in the current row or defined relative rows), it is common to need to copy a value from some arbitrary cell into the current row for use in a gate. This is performed with an equality constraint, which enforces that the source and destination cells contain the same value.

We implement these equality constraints by constructing a permutation that represents the constraints, and then using a permutation argument within the proof to enforce them.

Notation

A permutation is a one-to-one and onto mapping of a set onto itself. A permutation can be factored uniquely into a composition of cycles (up to ordering of cycles, and rotation of each cycle).

We sometimes use cycle notation to write permutations. Let $(a b c)$ denote a cycle where $a$ maps to $b$ , $b$ maps to $c$ , and $c$ maps to $a$ (with the obvious generalisation to arbitrary-sized cycles). Writing two or more cycles next to each other denotes a composition of the corresponding permutations. For example, $(a b) (c d)$ denotes the permutation that maps $a$ to $b$ , $b$ to $a$ , $c$ to $d$ , and $d$ to $c$ .

Constructing the permutation

Goal

We want to construct a permutation in which each subset of variables that are in a equality-constraint set form a cycle. For example, suppose that we have a circuit that defines the following equality constraints:

$a \equiv b$
$a \equiv c$
$d \equiv e$

From this we have the equality-constraint sets ${a, b, c}$ and ${d, e}$ . We want to construct the permutation:

$(a b c) (d e)$

which defines the mapping of $[a, b, c, d, e]$ to $[b, c, a, e, d]$ .

Algorithm

We need to keep track of the set of cycles, which is a set of disjoint sets. Efficient data structures for this problem are known; for the sake of simplicity we choose one that is not asymptotically optimal but is easy to implement.

We represent the current state as:

an array $mapping$ for the permutation itself;
an auxiliary array $aux$ that keeps track of a distinguished element of each cycle;
another array $sizes$ that keeps track of the size of each cycle.

We have the invariant that for each element $x$ in a given cycle $C$ , $aux (x)$ points to the same element $c \in C$ . This allows us to quickly decide whether two given elements $x$ and $y$ are in the same cycle, by checking whether $aux (x) = aux (y)$ . Also, $sizes (aux (x))$ gives the size of the cycle containing $x$ . (This is guaranteed only for $sizes (aux (x)))$ , not for $sizes (x)$ .)

The algorithm starts with a representation of the identity permutation: for all $x$ , we set $mapping (x) = x$ , $aux (x) = x$ , and $sizes (x) = 1$ .

To add an equality constraint $left \equiv right$ :

Check whether $left$ and $right$ are already in the same cycle, i.e. whether $aux (left) = aux (right)$ . If so, there is nothing to do.
Otherwise, $left$ and $right$ belong to different cycles. Make $left$ the larger cycle and $right$ the smaller one, by swapping them iff $sizes (aux (left)) < sizes (aux (right))$ .
Set $sizes (aux (left))) := sizes (aux (left))) + sizes (aux (right)))$ .
Following the mapping around the right (smaller) cycle, for each element $x$ set $aux (x) := aux (left)$ .
Splice the smaller cycle into the larger one by swapping $mapping (left)$ with $mapping (right)$ .

For example, given two disjoint cycles $(A B C D)$ and $(E F G H)$ :

A +---> B
^       +
|       |
+       v
D <---+ C       E +---> F
                ^       +
                |       |
                +       v
                H <---+ G

After adding constraint $B \equiv E$ the above algorithm produces the cycle:

A +---> B +-------------+
^                       |
|                       |
+                       v
D <---+ C <---+ E       F
                ^       +
                |       |
                +       v
                H <---+ G

Broken alternatives

If we did not check whether $left$ and $right$ were already in the same cycle, then we could end up undoing an equality constraint. For example, if we have the following constraints:

$a \equiv b$
$b \equiv c$
$c \equiv d$
$b \equiv d$

and we tried to implement adding an equality constraint just using step 5 of the above algorithm, then we would end up constructing the cycle $(a b) (c d)$ , rather than the correct $(a b c d)$ .

Argument specification

We need to check a permutation of cells in $m$ columns, represented in Lagrange basis by polynomials $p_{0}, \dots, p_{m - 1}$ .

We first label each cell in those $m$ columns with a unique element of $F^{\times}$ .

Let $ω$ be a $2^{k}$ root of unity and let $δ$ be a $T$ root of unity, where $T \cdot 2^{S} + 1 = p$ with $T$ odd and $k \leq S$ . We will use $δ^{i} \cdot ω^{j} \in F^{\times}$ as the label for the cell in the $j$ th row of the $i$ th column of the permutation argument.

If we have a permutation $σ (column : i, row : j) = (column : i^{'}, row : j^{'})$ , we can represent it as a vector of $m$ polynomials $s_{i} (X)$ such that $s_{i} (ω^{j}) = δ^{i^{'}} \cdot ω^{j^{'}}$ .

Notice that the identity permutation can be represented by the vector of $m$ polynomials $ID_{i} (X)$ such that $ID_{i} (X) = δ^{i} \cdot X$ .

Now given our permutation represented by $s_{0}, \dots, s_{m - 1}$ over columns represented by $p_{0}, \dots, p_{m - 1}$ , we want to ensure that: $i = 0 \prod m - 1 j = 0 \prod n - 1 (\frac{p _{i} ( ω ^{j} ) + β \cdot δ ^{i} \cdot ω ^{j} + γ}{p _{i} ( ω ^{j} ) + β \cdot s _{i} ( ω ^{j} ) + γ}) = 1$

Let $Z_{P}$ be such that $Z_{P} (ω^{0}) = Z_{P} (ω^{n}) = 1$ and for $0 \leq j < n$ : $Z_{P} (ω^{j + 1}) = h = 0 \prod j i = 0 \prod m - 1 \frac{p _{i} ( ω ^{h} ) + β \cdot δ ^{i} \cdot ω ^{h} + γ}{p _{i} ( ω ^{h} ) + β \cdot s _{i} ( ω ^{h} ) + γ} = Z_{P} (ω^{j}) i = 0 \prod m - 1 \frac{p _{i} ( ω ^{j} ) + β \cdot δ ^{i} \cdot ω ^{j} + γ}{p _{i} ( ω ^{j} ) + β \cdot s _{i} ( ω ^{j} ) + γ}$

Then it is sufficient to enforce the constraints: $l_{0} \cdot (Z_{P} (X) - 1) = 0 Z_{P} (ω X) \cdot i = 0 \prod m - 1 (p_{i} (X) + β \cdot s_{i} (X) + γ) - Z_{P} (X) \cdot i = 0 \prod m - 1 (p_{i} (X) + β \cdot δ^{i} \cdot X + γ) = 0$

The optimization used to obtain the simple representation of the identity permutation was suggested by Vitalik Buterin for PLONK, and is described at the end of section 8 of the PLONK paper. Note that the $δ^{i}$ are all distinct quadratic non-residues.

The halo2 Book