Perf: plonk verifier gadget #949
Conversation
This reverts commit bdab848.
Nice! All seems good. I already pushed some cosmetic changes. I think there are still a few issues:
- for two-chain we have a wrapper for `MillerLoop` which goes from `[]G2Affine` argument to `[]*G2Affine`. But we compute the lines in the method which uses `[]G2Affine`. However, as the slice consists of values, inside the method we are working on a copy of the `G2Affine` value and we are not updating the lazy lines of the input. I think we can either change `MillerLoop` to take `[]*G2Affine` so that it can modify inline, or precompute the lines in the `Pairing` wrapper method `Pairing.MillerLoop`. I like the first approach better because then we will always use lazy line computation.
- I would still like to get PLONK verification without commitment working. I'm actually thinking about adding a new `algopt` option `algopts.ForceSafe` which performs safe arithmetic inside MSM. It is suboptimal (we could also only omit the selector we know is 0), but at least it would cover different cases. And I think we already know inside the circuit if there is a commitment or not.
- there are a few unused functions. I didn't want to remove them yet as they maybe could be useful in the future - for example `Pairing.generators()` in packages or `addStep()` in some packages. If you say they are good to remove then I can.
- I'm not sure, but isn't there a regression for `ScalarMulBase` in 2-chains? Previously we had computed powers of two, but now we're using generic scalar multiplication (with GLV nonetheless). Have you run any comparisons on which is better for base scalar mul - generic with GLV or double-and-add with precomputed points?
The PR is good to merge. We can address my other issues in another PR. I think this PR needs to be merged to unblock #960.
It seems all changes are already incorporated here. I'd merge only this and then close 874.
Description
(first review #874 and Consensys/gnark-crypto#471)

Some optimizations for the PLONK verifier gadget:
- `JointScalarMul` (`s1*p1+s2*p2` using Shamir's trick)
- `scalarBitsMul` (scalar binary decomposition only once)
- `MultiScalarMul` to use `JointScalarMul` and `scalarBitsMul` in the folding case
- `(x-1)^2` has a better addition chain than `x` or `x^2`
- `ScalarMul` and `MultiScalarMul` (https://eprint.iacr.org/2019/1021, sec. 6.2)
- use `1/x` as a bijection in bw6 MiMC instead of `x^5` (needs perf: use inverse as a bijection for bw6-761 mimc gnark-crypto#471)

TODO:
- `MarshalG1`
- `ScalarMul` and `MultiScalarMul`
Type of change
How has this been tested?
All current tests pass.
How has this been benchmarked?
Checklist:
- `golangci-lint` does not output errors locally
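Shamir's trick, which the description names as the technique behind `JointScalarMul`, as an added example written for this page (it is not gnark's gadget code, which runs over an emulated curve inside a circuit where every `Add`/`Double` costs constraints): a plain-Go affine implementation on secp256k1, chosen only because its parameters are public, with an operation counter standing in for the constraint count. The `Counter`, `Compare` helper, second base point `7*G` and the two 128-bit scalars are all constructed for the example; the comparison is against the naive `s1*P1 + s2*P2` done as two separate double-and-add runs plus one addition.

```go
package main

import (
	"fmt"
	"math/big"
)

// Point is an affine point; nil is the point at infinity.
type Point struct{ X, Y *big.Int }

// secp256k1 (y^2 = x^3 + 7): a convenient public curve for a stand-alone demo.
var (
	p, _  = new(big.Int).SetString("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F", 16)
	gx, _ = new(big.Int).SetString("79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798", 16)
	gy, _ = new(big.Int).SetString("483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8", 16)
)

// Counter performs group operations and records how many were needed,
// a stand-in for the constraint count of the in-circuit version.
type Counter struct{ Doublings, Additions int }

func mod(x *big.Int) *big.Int { return x.Mod(x, p) }

func (c *Counter) Double(a *Point) *Point {
	if a == nil || a.Y.Sign() == 0 {
		return nil
	}
	c.Doublings++
	// lambda = 3x^2 / 2y (the curve coefficient a is 0)
	num := mod(new(big.Int).Mul(big.NewInt(3), new(big.Int).Mul(a.X, a.X)))
	l := mod(num.Mul(num, new(big.Int).ModInverse(mod(new(big.Int).Lsh(a.Y, 1)), p)))
	x3 := mod(new(big.Int).Sub(new(big.Int).Mul(l, l), new(big.Int).Lsh(a.X, 1)))
	y3 := mod(new(big.Int).Sub(new(big.Int).Mul(l, new(big.Int).Sub(a.X, x3)), a.Y))
	return &Point{x3, y3}
}

func (c *Counter) Add(a, b *Point) *Point {
	if a == nil {
		return b
	}
	if b == nil {
		return a
	}
	if a.X.Cmp(b.X) == 0 {
		if a.Y.Cmp(b.Y) == 0 {
			return c.Double(a)
		}
		return nil // b == -a
	}
	c.Additions++
	num := mod(new(big.Int).Sub(b.Y, a.Y))
	l := mod(num.Mul(num, new(big.Int).ModInverse(mod(new(big.Int).Sub(b.X, a.X)), p)))
	x3 := mod(new(big.Int).Sub(new(big.Int).Sub(new(big.Int).Mul(l, l), a.X), b.X))
	y3 := mod(new(big.Int).Sub(new(big.Int).Mul(l, new(big.Int).Sub(a.X, x3)), a.Y))
	return &Point{x3, y3}
}

// ScalarMul is plain MSB-first double-and-add.
func (c *Counter) ScalarMul(s *big.Int, q *Point) *Point {
	var r *Point
	for i := s.BitLen() - 1; i >= 0; i-- {
		r = c.Double(r)
		if s.Bit(i) == 1 {
			r = c.Add(r, q)
		}
	}
	return r
}

// JointScalarMul computes s1*p1 + s2*p2 with Shamir's trick: both scalars are
// scanned in one pass so the doublings are shared, and the precomputed p1+p2
// turns the "both bits set" case into a single addition.
func (c *Counter) JointScalarMul(s1 *big.Int, p1 *Point, s2 *big.Int, p2 *Point) *Point {
	sum := c.Add(p1, p2)
	n := s1.BitLen()
	if s2.BitLen() > n {
		n = s2.BitLen()
	}
	var r *Point
	for i := n - 1; i >= 0; i-- {
		r = c.Double(r)
		switch b1, b2 := s1.Bit(i), s2.Bit(i); {
		case b1 == 1 && b2 == 1:
			r = c.Add(r, sum)
		case b1 == 1:
			r = c.Add(r, p1)
		case b2 == 1:
			r = c.Add(r, p2)
		}
	}
	return r
}

// Result holds the two results' equality and each strategy's operation counts.
type Result struct {
	Equal        bool
	Naive, Joint Counter
}

// Compare runs naive s1*G + s2*H and the joint version on the same inputs (H = 7*G, constructed).
func Compare(s1, s2 *big.Int) Result {
	g := &Point{gx, gy}
	var setup, naive, joint Counter
	h := setup.ScalarMul(big.NewInt(7), g)
	rn := naive.Add(naive.ScalarMul(s1, g), naive.ScalarMul(s2, h))
	rj := joint.JointScalarMul(s1, g, s2, h)
	eq := (rn == nil && rj == nil) || (rn != nil && rj != nil && rn.X.Cmp(rj.X) == 0 && rn.Y.Cmp(rj.Y) == 0)
	return Result{Equal: eq, Naive: naive, Joint: joint}
}

func main() {
	// Constructed 128-bit scalars; any values would do.
	s1, _ := new(big.Int).SetString("8000000000000000000000000000DEAD", 16)
	s2, _ := new(big.Int).SetString("BEEF0000000000000000000000000001", 16)
	res := Compare(s1, s2)
	fmt.Printf("equal=%v naive=%+v joint=%+v\n", res.Equal, res.Naive, res.Joint)
}
```

With two 128-bit scalars the joint loop does 127 doublings where the naive route does 254, and never more additions than the naive route, since a bit position where both scalars are set costs one addition of the precomputed `p1+p2` instead of two. The same idea extends to the MSM folding the description mentions: the more scalars are scanned together, the larger the shared-doubling saving, at the price of a bigger precomputed table of point sums.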