Merge pull request #949 from Consensys/perf/plonk-verifier

Perf: plonk verifier gadget
Consensys · Dec 13, 2023 · 17fa8eb · 17fa8eb
2 parents 59e1671 + e76b231
commit 17fa8eb
Show file tree

Hide file tree

Showing 49 changed files with 2,958 additions and 4,063 deletions.
diff --git a/internal/generator/backend/template/zkpschemes/plonk/plonk.marshal.go.tmpl b/internal/generator/backend/template/zkpschemes/plonk/plonk.marshal.go.tmpl
@@ -3,7 +3,7 @@ import (
 	{{ template "import_fr" . }}
 	{{ template "import_kzg" . }}
 	"github.com/consensys/gnark-crypto/ecc/{{toLower .Curve}}/fr/iop"
-	"io" 
+	"io"
 	"errors"
 )
 
@@ -385,4 +385,4 @@ func (vk *VerifyingKey) ReadFrom(r io.Reader) (int64, error) {
 	}
 
 	return dec.BytesRead(), nil
-}
+}
diff --git a/internal/generator/backend/template/zkpschemes/plonk/tests/marshal.go.tmpl b/internal/generator/backend/template/zkpschemes/plonk/tests/marshal.go.tmpl
@@ -3,7 +3,7 @@ import (
     {{ template "import_curve" . }}
     {{ template "import_fr" . }}
     {{ template "import_fft" . }}
-	"testing" 
+	"testing"
 	"math/big"
 	"math/rand"
 	"github.com/consensys/gnark/io"

diff --git a/internal/stats/latest.stats b/internal/stats/latest.stats
diff --git a/internal/stats/snippet.go b/internal/stats/snippet.go
@@ -110,10 +110,10 @@ func initSnippets() {
 		var dummyG2 sw_bls12377.G2Affine
 		dummyG1.X = newVariable()
 		dummyG1.Y = newVariable()
-		dummyG2.X.A0 = newVariable()
-		dummyG2.X.A1 = newVariable()
-		dummyG2.Y.A0 = newVariable()
-		dummyG2.Y.A1 = newVariable()
+		dummyG2.P.X.A0 = newVariable()
+		dummyG2.P.X.A1 = newVariable()
+		dummyG2.P.Y.A0 = newVariable()
+		dummyG2.P.Y.A1 = newVariable()
 
 		// e(psi0, -gamma)*e(-πC, -δ)*e(πA, πB)
 		_, _ = sw_bls12377.Pair(api, []sw_bls12377.G1Affine{dummyG1}, []sw_bls12377.G2Affine{dummyG2})
@@ -126,14 +126,14 @@ func initSnippets() {
 		var dummyG2 sw_bls24315.G2Affine
 		dummyG1.X = newVariable()
 		dummyG1.Y = newVariable()
-		dummyG2.X.B0.A0 = newVariable()
-		dummyG2.X.B0.A1 = newVariable()
-		dummyG2.X.B1.A0 = newVariable()
-		dummyG2.X.B1.A1 = newVariable()
-		dummyG2.Y.B0.A0 = newVariable()
-		dummyG2.Y.B0.A1 = newVariable()
-		dummyG2.Y.B1.A0 = newVariable()
-		dummyG2.Y.B1.A1 = newVariable()
+		dummyG2.P.X.B0.A0 = newVariable()
+		dummyG2.P.X.B0.A1 = newVariable()
+		dummyG2.P.X.B1.A0 = newVariable()
+		dummyG2.P.X.B1.A1 = newVariable()
+		dummyG2.P.Y.B0.A0 = newVariable()
+		dummyG2.P.Y.B0.A1 = newVariable()
+		dummyG2.P.Y.B1.A0 = newVariable()
+		dummyG2.P.Y.B1.A1 = newVariable()
 
 		// e(psi0, -gamma)*e(-πC, -δ)*e(πA, πB)
 		_, _ = sw_bls24315.Pair(api, []sw_bls24315.G1Affine{dummyG1}, []sw_bls24315.G2Affine{dummyG2})

diff --git a/std/algebra/emulated/fields_bw6761/e3.go b/std/algebra/emulated/fields_bw6761/e3.go
@@ -150,8 +150,8 @@ func (e Ext3) MulBy01(z *E3, c0, c1 *baseEl) *E3 {
 
 	tmp := e.fp.Add(&z.A1, &z.A2)
 	t0 := e.fp.Mul(c1, tmp)
-	t0 = e.fp.Sub(t0, b)
-	t0 = mulFpByNonResidue(e.fp, t0)
+	t0 = e.fp.Sub(b, t0)
+	t0 = e.fp.MulConst(t0, big.NewInt(4))
 	t0 = e.fp.Add(t0, a)
 
 	tmp = e.fp.Add(&z.A0, &z.A2)
@@ -176,12 +176,10 @@ func (e Ext3) MulBy01(z *E3, c0, c1 *baseEl) *E3 {
 func (e Ext3) MulBy1(z *E3, c1 *baseEl) *E3 {
 
 	b := e.fp.Mul(&z.A1, c1)
-
 	tmp := e.fp.Add(&z.A1, &z.A2)
 	t0 := e.fp.Mul(c1, tmp)
-	t0 = e.fp.Sub(t0, b)
-	t0 = mulFpByNonResidue(e.fp, t0)
-
+	t0 = e.fp.Sub(b, t0)
+	t0 = e.fp.MulConst(t0, big.NewInt(4))
 	tmp = e.fp.Add(&z.A0, &z.A1)
 	t1 := e.fp.Mul(c1, tmp)
 	t1 = e.fp.Sub(t1, b)
@@ -201,8 +199,8 @@ func (e Ext3) MulBy12(x *E3, b1, b2 *baseEl) *E3 {
 	tmp := e.fp.Add(b1, b2)
 	c0 = e.fp.Mul(c0, tmp)
 	c0 = e.fp.Sub(c0, t1)
-	c0 = e.fp.Sub(c0, t2)
-	c0 = mulFpByNonResidue(e.fp, c0)
+	c0 = e.fp.Sub(t2, c0)
+	c0 = e.fp.MulConst(c0, big.NewInt(4))
 	c1 := e.fp.Add(&x.A0, &x.A1)
 	c1 = e.fp.Mul(c1, b1)
 	c1 = e.fp.Sub(c1, t1)
@@ -238,8 +236,8 @@ func (e Ext3) Mul01By01(c0, c1, d0, d1 *baseEl) *E3 {
 	a := e.fp.Mul(d0, c0)
 	b := e.fp.Mul(d1, c1)
 	t0 := e.fp.Mul(c1, d1)
-	t0 = e.fp.Sub(t0, b)
-	t0 = mulFpByNonResidue(e.fp, t0)
+	t0 = e.fp.Sub(b, t0)
+	t0 = e.fp.MulConst(t0, big.NewInt(4))
 	t0 = e.fp.Add(t0, a)
 	t2 := e.fp.Mul(c0, d0)
 	t2 = e.fp.Sub(t2, a)
@@ -266,8 +264,8 @@ func (e Ext3) Mul(x, y *E3) *E3 {
 	tmp := e.fp.Add(&y.A1, &y.A2)
 	c0 = e.fp.Mul(c0, tmp)
 	c0 = e.fp.Sub(c0, t1)
-	c0 = e.fp.Sub(c0, t2)
-	c0 = mulFpByNonResidue(e.fp, c0)
+	c0 = e.fp.Sub(t2, c0)
+	c0 = e.fp.MulConst(c0, big.NewInt(4))
 
 	tmp = e.fp.Add(&x.A0, &x.A2)
 	c2 := e.fp.Add(&y.A0, &y.A2)

diff --git a/std/algebra/emulated/fields_bw6761/e6.go b/std/algebra/emulated/fields_bw6761/e6.go
@@ -119,8 +119,8 @@ func (e Ext6) CyclotomicSquareKarabina12345(x *E6) *E6 {
 	t := e.fp.Add(&x.B1.A0, &x.B1.A2)
 	h4 = e.fp.Mul(h4, t)
 	h4 = e.fp.Sub(h4, g1g5)
-	t = mulFpByNonResidue(e.fp, g3g2)
-	h4 = e.fp.Sub(h4, t)
+	t = e.fp.MulConst(g3g2, big.NewInt(4))
+	h4 = e.fp.Add(h4, t)
 	h4 = e.fp.MulConst(h4, big.NewInt(3))
 	h4 = e.fp.Sub(h4, &x.B1.A1)
 
@@ -182,8 +182,8 @@ func (e Ext6) DecompressKarabina12345(x *E6) *E6 {
 	h0 := e.fp.Mul(&x.B1.A1, &x.B1.A1)
 	h0 = e.fp.MulConst(h0, big.NewInt(2))
 	h0 = e.fp.Add(h0, t1)
-	h0 = e.fp.Sub(h0, t0)
-	h0 = mulFpByNonResidue(e.fp, h0)
+	h0 = e.fp.Sub(t0, h0)
+	h0 = e.fp.MulConst(h0, big.NewInt(4))
 	h0 = e.fp.Add(h0, e.fp.One())
 
 	return &E6{
@@ -217,7 +217,7 @@ func (e Ext6) CyclotomicSquareKarabina2345(x *E6) *E6 {
 	// t3 = g1² + g5²
 	t[3] = e.fp.Add(t[0], t[1])
 	// t5 = 2 * g1 * g5
-	t[5] = e.fp.Sub(t[2], t[3])
+	t[5] = e.fp.Sub(t[3], t[2])
 
 	// t6 = g3 + g2
 	t[6] = e.fp.Add(&x.B1.A0, &x.B0.A2)
@@ -227,7 +227,7 @@ func (e Ext6) CyclotomicSquareKarabina2345(x *E6) *E6 {
 	t[2] = e.fp.Mul(&x.B1.A0, &x.B1.A0)
 
 	// t6 = 2 * nr * g1 * g5
-	t[6] = mulFpByNonResidue(e.fp, t[5])
+	t[6] = e.fp.MulConst(t[5], big.NewInt(4))
 	// t5 = 4 * nr * g1 * g5 + 2 * g3
 	t[5] = e.fp.Add(t[6], &x.B1.A0)
 	t[5] = e.fp.MulConst(t[5], big.NewInt(2))
@@ -383,8 +383,8 @@ func (e Ext6) CyclotomicSquare(x *E6) *E6 {
 	t[8] = e.fp.Add(&x.B1.A2, &x.B0.A1)
 	t[8] = e.fp.Mul(t[8], t[8])
 	t[8] = e.fp.Sub(t[8], t[4])
-	t[8] = e.fp.Sub(t[8], t[5])
-	t[8] = mulFpByNonResidue(e.fp, t[8]) // 2*x5*x1*u
+	t[8] = e.fp.Sub(t[5], t[8])
+	t[8] = e.fp.MulConst(t[8], big.NewInt(4)) // 2*x5*x1*u
 
 	t[0] = mulFpByNonResidue(e.fp, t[0])
 	t[0] = e.fp.Add(t[0], t[1]) // x4²*u + x0²

diff --git a/std/algebra/emulated/fields_bw6761/e6_pairing.go b/std/algebra/emulated/fields_bw6761/e6_pairing.go
@@ -6,17 +6,11 @@ import (
 	"github.com/consensys/gnark/std/math/emulated"
 )
 
-func (e Ext6) nSquareKarabina2345(z *E6, n int) *E6 {
-	for i := 0; i < n; i++ {
-		z = e.CyclotomicSquareKarabina2345(z)
-	}
-	return z
-}
-
 func (e Ext6) nSquareKarabina12345(z *E6, n int) *E6 {
 	for i := 0; i < n; i++ {
 		z = e.CyclotomicSquareKarabina12345(z)
 	}
+	z = e.DecompressKarabina12345(z)
 	return z
 }
 
@@ -26,19 +20,15 @@ func (e Ext6) ExpX0Minus1(z *E6) *E6 {
 	z = e.Reduce(z)
 	result := e.Copy(z)
 	result = e.nSquareKarabina12345(result, 5)
-	result = e.DecompressKarabina12345(result)
 	result = e.Mul(result, z)
 	z33 := e.Copy(result)
 	result = e.nSquareKarabina12345(result, 7)
-	result = e.DecompressKarabina12345(result)
 	result = e.Mul(result, z33)
 	result = e.nSquareKarabina12345(result, 4)
-	result = e.DecompressKarabina12345(result)
 	result = e.Mul(result, z)
 	result = e.CyclotomicSquare(result)
 	result = e.Mul(result, z)
-	result = e.nSquareKarabina2345(result, 46)
-	result = e.DecompressKarabina2345(result)
+	result = e.nSquareKarabina12345(result, 46)
 
 	return result
 }
@@ -49,28 +39,22 @@ func (e Ext6) ExpX0Minus1Square(z *E6) *E6 {
 	z = e.Reduce(z)
 	result := e.Copy(z)
 	result = e.nSquareKarabina12345(result, 3)
-	result = e.DecompressKarabina12345(result)
 	t0 := e.CyclotomicSquare(result)
 	t2 := e.Mul(z, t0)
 	result = e.Mul(result, t2)
 	t0 = e.Mul(z, result)
 	t1 := e.CyclotomicSquare(t0)
 	t1 = e.Mul(t2, t1)
 	t3 := e.nSquareKarabina12345(t1, 7)
-	t3 = e.DecompressKarabina12345(t3)
 	t2 = e.Mul(t2, t3)
 	t2 = e.nSquareKarabina12345(t2, 11)
-	t2 = e.DecompressKarabina12345(t2)
 	t1 = e.Mul(t1, t2)
 	t0 = e.Mul(t0, t1)
 	t0 = e.nSquareKarabina12345(t0, 7)
-	t0 = e.DecompressKarabina12345(t0)
 	result = e.Mul(result, t0)
 	result = e.nSquareKarabina12345(result, 3)
-	result = e.DecompressKarabina12345(result)
 	result = e.Mul(z, result)
-	result = e.nSquareKarabina2345(result, 92)
-	result = e.DecompressKarabina2345(result)
+	result = e.nSquareKarabina12345(result, 92)
 
 	return result
 
@@ -83,19 +67,15 @@ func (e Ext6) ExpX0Plus1(z *E6) *E6 {
 	result := e.Copy(z)
 	t := e.CyclotomicSquare(result)
 	result = e.nSquareKarabina12345(t, 4)
-	result = e.DecompressKarabina12345(result)
 	result = e.Mul(result, z)
 	z33 := e.Copy(result)
 	result = e.nSquareKarabina12345(result, 7)
-	result = e.DecompressKarabina12345(result)
 	result = e.Mul(result, z33)
 	result = e.nSquareKarabina12345(result, 4)
-	result = e.DecompressKarabina12345(result)
 	result = e.Mul(result, z)
 	result = e.CyclotomicSquare(result)
 	result = e.Mul(result, z)
-	result = e.nSquareKarabina2345(result, 46)
-	result = e.DecompressKarabina2345(result)
+	result = e.nSquareKarabina12345(result, 46)
 	result = e.Mul(result, t)
 
 	return result
@@ -112,13 +92,10 @@ func (e Ext6) ExptMinus1Div3(z *E6) *E6 {
 	result = e.CyclotomicSquare(result)
 	result = e.Mul(result, z)
 	t0 := e.nSquareKarabina12345(result, 7)
-	t0 = e.DecompressKarabina2345(t0)
 	result = e.Mul(result, t0)
 	result = e.nSquareKarabina12345(result, 5)
-	result = e.DecompressKarabina12345(result)
 	result = e.Mul(result, z)
-	result = e.nSquareKarabina2345(result, 46)
-	result = e.DecompressKarabina2345(result)
+	result = e.nSquareKarabina12345(result, 46)
 
 	return result
 }
@@ -146,7 +123,6 @@ func (e Ext6) ExpC2(z *E6) *E6 {
 	result := e.CyclotomicSquare(z)
 	result = e.Mul(result, z)
 	t0 := e.nSquareKarabina12345(result, 4)
-	t0 = e.DecompressKarabina12345(t0)
 	result = e.Mul(result, t0)
 	result = e.CyclotomicSquare(result)
 	result = e.Mul(result, z)
@@ -167,18 +143,23 @@ func (e *Ext6) MulBy014(z *E6, c0, c1 *baseEl) *E6 {
 
 	var b E3
 	// Mul by E3{0, 1, 0}
-	b.A0 = *mulFpByNonResidue(e.fp, &z.B1.A2)
-	b.A2 = z.B1.A1
-	b.A1 = z.B1.A0
+	b.A0 = *e.fp.MulConst(&z.B1.A2, big.NewInt(4))
+	b.A2 = *e.fp.Neg(&z.B1.A1)
+	b.A1 = *e.fp.Neg(&z.B1.A0)
 
 	one := e.fp.One()
 	d := e.fp.Add(c1, one)
 
 	zC1 := e.Ext3.Add(&z.B1, &z.B0)
 	zC1 = e.Ext3.MulBy01(zC1, c0, d)
 	zC1 = e.Ext3.Sub(zC1, a)
-	zC1 = e.Ext3.Sub(zC1, &b)
-	zC0 := e.Ext3.MulByNonResidue(&b)
+	zC1 = e.Ext3.Add(zC1, &b)
+	zC0 := &E3{
+		A0: *e.fp.MulConst(&b.A2, big.NewInt(4)),
+		A1: *e.fp.Neg(&b.A0),
+		A2: *e.fp.Neg(&b.A1),
+	}
+
 	zC0 = e.Ext3.Add(zC0, a)
 
 	return &E6{
@@ -250,13 +231,18 @@ func (e *Ext6) Mul01245By014(x [5]*baseEl, d0, d1 *baseEl) *E6 {
 	a := e.Ext3.MulBy01(b, d0, e.fp.Add(d1, e.fp.One()))
 	b = e.Ext3.MulBy01(c0, d0, d1)
 	c := &E3{
-		A0: *mulFpByNonResidue(e.fp, x[4]),
-		A1: *zero,
-		A2: *x[3],
+		A0: *e.fp.MulConst(x[4], big.NewInt(4)),
+		A1: *e.fp.Neg(zero),
+		A2: *e.fp.Neg(x[3]),
 	}
 	z1 := e.Ext3.Sub(a, b)
-	z1 = e.Ext3.Sub(z1, c)
-	z0 := e.Ext3.MulByNonResidue(c)
+	z1 = e.Ext3.Add(z1, c)
+	z0 := &E3{
+		A0: *e.fp.MulConst(&c.A2, big.NewInt(4)),
+		A1: *e.fp.Neg(&c.A0),
+		A2: *e.fp.Neg(&c.A1),
+	}
+
 	z0 = e.Ext3.Add(z0, b)
 	return &E6{
 		B0: *z0,