|
| 1 | +--- |
| 2 | +title: Thinking in Circuits |
| 3 | +description: Considerations when writing Noir programs |
| 4 | +keywords: [Noir, programming, rust] |
| 5 | +tags: [Optimization] |
| 6 | +sidebar_position: 0 |
| 7 | +--- |
| 8 | + |
| 9 | + |
| 10 | +This article intends to set you up with key concepts essential for writing more viable applications that use zero knowledge proofs, namely around efficient circuits. |
| 11 | + |
| 12 | +## Context - 'Efficient' is subjective |
| 13 | + |
| 14 | +When writing a web application for a performant computer with high-speed internet connection, writing efficient code sometimes is seen as an afterthought only if needed. Large multiplications running at the innermost of nested loops may not even be on a dev's radar. |
| 15 | +When writing firmware for a battery-powered microcontroller, you think of cpu cycles as rations to keep within a product's power budget. |
| 16 | + |
| 17 | +> Code is written to create applications that perform specific tasks within specific constraints |
| 18 | +
|
| 19 | +And these constraints differ depending on where the compiled code is execute. |
| 20 | + |
| 21 | +### The Ethereum Virtual Machine (EVM) |
| 22 | + |
| 23 | +In scenarios where extremely low gas costs are required for an Ethereum application to be viable/competitive, Ethereum smart contract developers get into what is colloquially known as: "*gas golfing*". Finding the lowest execution cost of their compiled code (EVM bytecode) to achieve a specific task. |
| 24 | + |
| 25 | +The equivalent optimization task when writing zk circuits is affectionately referred to as "*gate golfing*", finding the lowest gate representation of the compiled Noir code. |
| 26 | + |
| 27 | +### Coding for circuits - a paradigm shift |
| 28 | + |
| 29 | +In zero knowledge cryptography, code is compiled to "circuits" consisting of arithmetic gates, and gate count is the significant cost. Depending on the proving system this is linearly proportionate to proof size and proving time, so from a product point of view this should be kept as low as possible. |
| 30 | + |
| 31 | +Whilst writing efficient code for web apps and Solidity have some differences, writing efficient circuits have a different set of considerations. It is a bit of a paradigm shift, like writing code for GPUs for the first time... |
| 32 | + |
| 33 | +For example, drawing a circle at (0, 0) of radius `r`: |
| 34 | +- For a single CPU thread, |
| 35 | +``` |
| 36 | +for theta in 0..2*pi { |
| 37 | + let x = r * cos(theta); |
| 38 | + let y = r * sin(theta); |
| 39 | + draw(x, y); |
| 40 | +} // note: would do 0 - pi/2 and draw +ve/-ve x and y. |
| 41 | +``` |
| 42 | + |
| 43 | +- For GPUs (simultaneous parallel calls with x, y across image), |
| 44 | +``` |
| 45 | +if (x^2 + y^2 = r^2) { |
| 46 | + draw(x, y); |
| 47 | +} |
| 48 | +``` |
| 49 | + |
| 50 | +([Related](https://www.youtube.com/watch?v=-P28LKWTzrI)) |
| 51 | + |
| 52 | +Whilst this CPU -> GPU does not translate to circuits exactly, it is intended to exemplify the difference in intuition when coding for different machine capabilities/constraints. |
| 53 | + |
| 54 | +### Context Takeaway |
| 55 | + |
| 56 | +For those coming from a primarily web app background, this article will explain what you need to consider when writing circuits. Furthermore, for those experienced writing efficient machine code, prepare to shift what you think is efficient 😬 |
| 57 | + |
| 58 | +## Translating from Rust |
| 59 | + |
| 60 | +Programs written in anything from pseudo code to C, can be translated into Noir. A Rust program written for execution can be readily ported to Noir thanks to the similarities in syntax. |
| 61 | + |
| 62 | +:::note |
| 63 | +Many valuable functions and algorithms have been written in more established languages (C/C++), and converted to modern ones (like Rust). |
| 64 | +::: |
| 65 | + |
| 66 | +Fortunately for Noir developers, when needing a particular function a Rust implementation can be readily compiled into Noir with some key changes. While the compiler does a decent amount of optimizations, it won't be able to change code that has been optimized for clock-cycles into code optimized for arithmetic gates. |
| 67 | + |
| 68 | +A few things to do when converting Rust code to Noir: |
| 69 | +- `println!` is not a macro, use `println` function (same for `assert_eq`) |
| 70 | +- No early `return` in function. Use constrain via assertion instead |
| 71 | +- No passing by reference. Remove `&` operator to pass by value (copy) |
| 72 | +- No boolean operators (`&&`, `||`). Use bitwise operators (`&`, `|`) with boolean values |
| 73 | +- No type `usize`. Use types `u8`, `u32`, `u64`, ... |
| 74 | +- `main` return must be public, `pub` |
| 75 | +- No `const`, use `global` |
| 76 | +- Noir's LSP is your friend, so error message should be informative enough to resolve syntax issues. |
| 77 | + |
| 78 | +## Writing efficient Noir for performant products |
| 79 | + |
| 80 | +The following points help refine our understanding over time. |
| 81 | + |
| 82 | +:::note |
| 83 | +A Noir program makes a statement that can be verified. |
| 84 | +::: |
| 85 | + |
| 86 | +It compiles to a structure that represents the calculation, and can assert results within the calculation at any stage (via the `constrain` keyword). |
| 87 | + |
| 88 | +A Noir program compiles to an Abstract Circuit Intermediate Representation which is: |
| 89 | + - Conceptually a tree structure |
| 90 | + - Leaves (inputs) are the `Field` type |
| 91 | + - Nodes contain arithmetic operations to combine them (gates) |
| 92 | + - The root is the final result (return value) |
| 93 | + |
| 94 | +:::tip |
| 95 | +The command `nargo info` shows the programs circuit size, and is useful to compare the value of changes made. |
| 96 | +You can dig deeper and use the `--print-acir` param to take a closer look at individual ACIR opcodes, and the proving backend to see its gate count (eg for barretenberg, the `bb` binary has a `gates` option). |
| 97 | +::: |
| 98 | + |
| 99 | +### Numerical types |
| 100 | + |
| 101 | +As mentioned earlier Noir has many familiar integer types (eg `i8`, `u64`). Ideally after bringing a program into Noir, proving/verifying of its execution just works where needed: client/server side, on an evm, or on the Aztec network. |
| 102 | + |
| 103 | +A program optimized for execution may leverage the binary representations of integers, reducing the number of clock cycles, and thus time of execution. |
| 104 | +The cryptography in a proving backend makes use of a `Field` type, and leveraging this lower level type correctly can reduce gate count, and thus proof size and proving time. |
| 105 | + |
| 106 | +In some instances simply replacing the integer type with a `Field` could save on some range checks (and hence gates). |
| 107 | +Note: when casting a `Field` to an integer type, the value is converted based on the integer binary representation. Eg a Field variable with a value of 260 `as u8` becomes 4 |
| 108 | + |
| 109 | +### `Field`s for efficiency |
| 110 | + |
| 111 | +`Field` types have their own underlying representation that is efficient for cryptography, which is different to binary representations efficient for CPUs. So, mathematically speaking, things like bitwise operations do not directly translate to fields. That said, the same outcome can be achieved if wanting to use the Field type as a number with lower overhead. |
| 112 | + |
| 113 | +For instance shift (`<<`) and or (`|`) work seamlessly with integer types (bit-packing `u8`'s into a `u16`): |
| 114 | +``` |
| 115 | + high as u16 << 8 | low as u16 |
| 116 | +``` |
| 117 | + |
| 118 | +More efficiently with `Field` types, the equivalent is: |
| 119 | +``` |
| 120 | + low.assert_max_bit_size::<8>(); // ensure Field values could be represented as 8 bit numbers |
| 121 | + high.assert_max_bit_size::<8>(); |
| 122 | + (high * 2.pow_32(8) + low) |
| 123 | +``` |
| 124 | +(Note, the power of two can instead be a constant (256) or global evaluated at compile time) |
| 125 | + |
| 126 | +The first snippet is good for compatibility when using existing code, converting to the latter can help optimize frequently used functions. |
| 127 | + |
| 128 | +:::tip |
| 129 | +Where possible, use the `Field` type for values. Writing code with smaller value types and bit-packing strategies will result in MORE gates |
| 130 | +::: |
| 131 | + |
| 132 | +### Use Arithmetic over non-arithmetic operations |
| 133 | + |
| 134 | +Since circuits are made of arithmetic gates, the cost of arithmetic operations tends to be one gate. Whereas for procedural code, they represent several clock cycles. |
| 135 | + |
| 136 | +Inversely, non-arithmetic operators are achieved with multiple gates, vs 1 clock cycle for procedural code. |
| 137 | + |
| 138 | +| (cost\op) | arithmetic<br>(`*`, `+`) | bit-wise ops<br>(eg `<`, `\|`, `>>`) | |
| 139 | +| - | - | - | |
| 140 | +| **cycles** | 10+ | 1 | |
| 141 | +| **gates** | 1 | 10+ | |
| 142 | + |
| 143 | +Bit-wise operations (e.g. bit shifts `<<` and `>>`), albeit commonly used in general programming and especially for clock cycle optimizations, are on the contrary expensive in gates when performed within circuits. |
| 144 | + |
| 145 | +Translate away from bit shifts when writing constrained functions for the best performance. |
| 146 | + |
| 147 | +On the flip side, feel free to use bit shifts in unconstrained functions and tests if necessary, as they are executed outside of circuits and does not induce performance hits. |
| 148 | + |
| 149 | +### Use static over dynamic values |
| 150 | + |
| 151 | +Another general theme that manifests in different ways is that static reads are represented with less gates than dynamic ones. |
| 152 | + |
| 153 | +Reading from read-only memory (ROM) adds less gates than random-access memory (RAM), 2 vs ~3.25 due to the additional bounds checks. Arrays of fixed length (albeit used at a lower capacity), will generate less gates than dynamic storage. |
| 154 | + |
| 155 | +Related to this, if an index used to access an array is not known at compile time (ie unknown until run time), then ROM will be converted to RAM, expanding the gate count. |
| 156 | + |
| 157 | +:::tip |
| 158 | +Use arrays and indices that are known at compile time where possible. |
| 159 | +Using `assert_constant(i);` before an index, `i`, is used in an array will give a compile error if `i` is NOT known at compile time. |
| 160 | +::: |
| 161 | + |
| 162 | +### Reduce what is inside loops and conditional logic |
| 163 | + |
| 164 | +Putting less logic inside an `if` (`else`, etc) paths, or inside a loop, translates to less gates required to represent the program. The compiler should mostly take care of this. |
| 165 | + |
| 166 | +A loop duplicates the gates for each iteration of the loop, or put another way, "unrolls" the loop. Any calculations/calls that are unchanged in the loop should be calculated once before, and the result used in the loop. |
| 167 | + |
| 168 | +An `if` statement is "flattened" and gates created for each path even if execution uses only one path. Furthermore, there are additional operations required for each path. Sometimes this can have a multiplying effect on the operations in the `if` and `else` etc. |
| 169 | + |
| 170 | +:::tip |
| 171 | +Only have essential computation inside conditional logic and loops, and calculate anything else once (before, or after, depending). |
| 172 | +::: |
| 173 | + |
| 174 | +### Leverage unconstrained execution |
| 175 | + |
| 176 | +Constrained verification can leverage unconstrained execution, this is especially useful for operations that are represented by many gates. |
| 177 | +Use an [unconstrained function](../noir/concepts/unconstrained.md) to perform gate-heavy calculations, then verify and constrain the result. |
| 178 | + |
| 179 | +Eg division generates more gates than multiplication, so calculating the quotient in an unconstrained function then constraining the product for the quotient and divisor (+ any remainder) equals the dividend will be more efficient. |
| 180 | + |
| 181 | +Use ` if is_unconstrained() { /`, to conditionally execute code if being called in an unconstrained vs constrained way. |
| 182 | + |
| 183 | +## Advanced |
| 184 | + |
| 185 | +Unless you're well into the depth of gate optimization, this advanced section can be ignored. |
| 186 | + |
| 187 | +### Combine arithmetic operations |
| 188 | + |
| 189 | +A Noir program can be honed further by combining arithmetic operators in a way that makes the most of each constraint of the backend proving system. This is in scenarios where the backend might not be doing this perfectly. |
| 190 | + |
| 191 | +Eg Barretenberg backend (current default for Noir) is a width-4 PLONKish constraint system |
| 192 | +$ w_1*w_2*q_m + w_1*q_1 + w_2*q_2 + w_3*q_3 + w_4*q_4 + q_c = 0 $ |
| 193 | + |
| 194 | +Here we see there is one occurrence of witness 1 and 2 ($w_1$, $w_2$) being multiplied together, with addition to witnesses 1-4 ($w_1$ .. $w_4$) multiplied by 4 corresponding circuit constants ($q_1$ .. $q_4$) (plus a final circuit constant, $q_c$). |
| 195 | + |
| 196 | +Use `nargo info --print-acir`, to inspect the ACIR opcodes (and the proving system for gates), and it may present opportunities to amend the order of operations and reduce the number of constraints. |
| 197 | + |
| 198 | +#### Variable as witness vs expression |
| 199 | + |
| 200 | +If you've come this far and really know what you're doing at the equation level, a temporary lever (that will become unnecessary/useless over time) is: `std::as_witness`. This informs the compiler to save a variable as a witness not an expression. |
| 201 | + |
| 202 | +The compiler will mostly be correct and optimal, but this may help some near term edge cases that are yet to optimize. |
| 203 | +Note: When used incorrectly it will create **less** efficient circuits (higher gate count). |
| 204 | + |
| 205 | +## References |
| 206 | +- Guillaume's ["`Crypdoku`" talk](https://www.youtube.com/watch?v=MrQyzuogxgg) (Jun'23) |
| 207 | +- [Idiomatic Noir](https://www.vlayer.xyz/blog/idiomatic-noir-part-1-collections) blog post |
0 commit comments