[Design Discussion] Zk Accel API via extra function parameter [Don't merge]

halo2_gadgets/Cargo.toml

@@ -28,7 +28,7 @@ ff = { version = "0.13", features = ["bits"] }
 group = "0.13"
 halo2_proofs = { version = "0.2", path = "../halo2_proofs" }
 lazy_static = "1"
-halo2curves = { git = 'https://github.com/privacy-scaling-explorations/halo2curves', tag = "0.3.2" }
+halo2curves = { git = 'https://github.com/taikoxyz/halo2curves', branch = "zal-on-0.3.2" }
 proptest = { version = "1.0.0", optional = true }
 rand = "0.8"
 subtle = "2.3"
@@ -40,6 +40,7 @@ plotters = { version = "0.3.0", optional = true }
 [dev-dependencies]
 criterion = "0.3"
 proptest = "1.0.0"
+constantine-halo2-zal = {git = 'https://github.com/mratsim/constantine', branch = "master" }
 
 [target.'cfg(unix)'.dev-dependencies]
 pprof = { version = "0.8", features = ["criterion", "flamegraph"] } # MSRV 1.56

halo2_gadgets/benches/poseidon.rs

@@ -20,6 +20,8 @@ use halo2_proofs::{
 };
 use halo2curves::pasta::{pallas, vesta, EqAffine, Fp};
 
+use halo2curves::zal::{H2cEngine, MsmAccel};
+
 use halo2_gadgets::poseidon::{
     primitives::{self as poseidon, generate_constants, ConstantLength, Mds, Spec},
     Hash, Pow5Chip, Pow5Config,
@@ -151,6 +153,7 @@ const K: u32 = 7;
 
 fn bench_poseidon<S, const WIDTH: usize, const RATE: usize, const L: usize>(
     name: &str,
+    engine: &dyn MsmAccel<vesta::Affine>,
     c: &mut Criterion,
 ) where
     S: Spec<Fp, WIDTH, RATE> + Copy + Clone,
@@ -188,6 +191,7 @@ fn bench_poseidon<S, const WIDTH: usize, const RATE: usize, const L: usize>(
         let mut transcript = Blake2bWrite::<_, EqAffine, Challenge255<_>>::init(vec![]);
         b.iter(|| {
             create_proof::<IPACommitmentScheme<_>, ProverIPA<_>, _, _, _, _>(
+                engine,
                 &params,
                 &pk,
                 &[circuit],
@@ -202,6 +206,7 @@ fn bench_poseidon<S, const WIDTH: usize, const RATE: usize, const L: usize>(
     // Create a proof
     let mut transcript = Blake2bWrite::<_, EqAffine, Challenge255<_>>::init(vec![]);
     create_proof::<IPACommitmentScheme<_>, ProverIPA<_>, _, _, _, _>(
+        engine,
         &params,
         &pk,
         &[circuit],
@@ -229,9 +234,10 @@ fn bench_poseidon<S, const WIDTH: usize, const RATE: usize, const L: usize>(
 }
 
 fn criterion_benchmark(c: &mut Criterion) {
-    bench_poseidon::<MySpec<3, 2>, 3, 2, 2>("WIDTH = 3, RATE = 2", c);
-    bench_poseidon::<MySpec<9, 8>, 9, 8, 8>("WIDTH = 9, RATE = 8", c);
-    bench_poseidon::<MySpec<12, 11>, 12, 11, 11>("WIDTH = 12, RATE = 11", c);
+    let engine = H2cEngine::new();
+    bench_poseidon::<MySpec<3, 2>, 3, 2, 2>("WIDTH = 3, RATE = 2, halo2-engine", &engine, c);
+    bench_poseidon::<MySpec<9, 8>, 9, 8, 8>("WIDTH = 9, RATE = 8, halo2-engine", &engine, c);
+    bench_poseidon::<MySpec<12, 11>, 12, 11, 11>("WIDTH = 12, RATE = 11, halo2-engine", &engine, c);
 }
 
 criterion_group!(benches, criterion_benchmark);

halo2_gadgets/benches/sha256.rs

@@ -7,6 +7,8 @@ use halo2_proofs::{
 use halo2curves::pasta::{pallas, EqAffine};
 use rand::rngs::OsRng;
 
+use halo2curves::zal::{H2cEngine, MsmAccel};
+
 use std::{
     fs::File,
     io::{prelude::*, BufReader},
@@ -30,7 +32,7 @@ use halo2_proofs::{
 };
 
 #[allow(dead_code)]
-fn bench(name: &str, k: u32, c: &mut Criterion) {
+fn bench(name: &str, engine: &dyn MsmAccel<vesta::Affine>, k: u32, c: &mut Criterion) {
     #[derive(Default)]
     struct MyCircuit {}
 
@@ -131,6 +133,7 @@ fn bench(name: &str, k: u32, c: &mut Criterion) {
     if File::open(proof_path).is_err() {
         let mut transcript = Blake2bWrite::<_, _, Challenge255<_>>::init(vec![]);
         create_proof::<IPACommitmentScheme<_>, ProverIPA<_>, _, _, _, _>(
+            engine,
             &params,
             &pk,
             &[circuit],
@@ -170,8 +173,9 @@ fn bench(name: &str, k: u32, c: &mut Criterion) {
 
 #[allow(dead_code)]
 fn criterion_benchmark(c: &mut Criterion) {
-    bench("sha256", 17, c);
-    // bench("sha256", 20, c);
+    let engine = H2cEngine::new();
+    bench("sha256-halo2-engine", &engine, 17, c);
+    // bench("sha256-halo2-engine", &engine, 20, c);
 }
 
 criterion_group!(benches, criterion_benchmark);

halo2_proofs/Cargo.toml

@@ -53,7 +53,7 @@ backtrace = { version = "0.3", optional = true }
 rayon = "1.5.1"
 ff = "0.13"
 group = "0.13"
-halo2curves = { git = 'https://github.com/privacy-scaling-explorations/halo2curves', tag = "0.3.2" }
+halo2curves = { git = 'https://github.com/taikoxyz/halo2curves', branch = "zal-on-0.3.2" }
 rand_core = { version = "0.6", default-features = false }
 tracing = "0.1"
 blake2b_simd = "1"
@@ -71,6 +71,8 @@ criterion = "0.3"
 gumdrop = "0.8"
 proptest = "1"
 rand_core = { version = "0.6", default-features = false, features = ["getrandom"] }
+constantine-core = {git = 'https://github.com/mratsim/constantine', branch = "zal-plonk-ipa" }
+constantine-halo2-zal = {git = 'https://github.com/mratsim/constantine', branch = "zal-plonk-ipa" }
 
 [target.'cfg(all(target_arch = "wasm32", target_os = "unknown"))'.dev-dependencies]
 getrandom = { version = "0.2", features = ["js"] }

halo2_proofs/benches/arithmetic.rs

@@ -1,10 +1,10 @@
 #[macro_use]
 extern crate criterion;
 
-use crate::arithmetic::small_multiexp;
-use crate::halo2curves::pasta::{EqAffine, Fp};
 use group::ff::Field;
 use halo2_proofs::*;
+use halo2curves::pasta::{EqAffine, Fp};
+use halo2curves::zal::{H2cEngine, MsmAccel};
 
 use halo2_proofs::poly::{commitment::ParamsProver, ipa::commitment::ParamsIPA};
 
@@ -16,6 +16,7 @@ fn criterion_benchmark(c: &mut Criterion) {
 
     // small multiexp
     {
+        let engine = H2cEngine::new();
         let params: ParamsIPA<EqAffine> = ParamsIPA::new(5);
         let g = &mut params.get_g().to_vec();
         let len = g.len() / 2;
@@ -27,7 +28,7 @@ fn criterion_benchmark(c: &mut Criterion) {
         c.bench_function("double-and-add", |b| {
             b.iter(|| {
                 for (g_lo, g_hi) in g_lo.iter().zip(g_hi.iter()) {
-                    small_multiexp(&[black_box(coeff_1), black_box(coeff_2)], &[*g_lo, *g_hi]);
+                    engine.msm(&[black_box(coeff_1), black_box(coeff_2)], &[*g_lo, *g_hi]);
                 }
             })
         });

halo2_proofs/benches/plonk.rs

@@ -6,9 +6,13 @@ use halo2_proofs::circuit::{Cell, Layouter, SimpleFloorPlanner, Value};
 use halo2_proofs::plonk::*;
 use halo2_proofs::poly::{commitment::ParamsProver, Rotation};
 use halo2_proofs::transcript::{Blake2bRead, Blake2bWrite, Challenge255};
-use halo2curves::pasta::{EqAffine, Fp};
+use halo2curves::pasta::{pallas, vesta};
 use rand_core::OsRng;
 
+use halo2curves::zal::{H2cEngine, MsmAccel};
+use constantine_halo2_zal::CttEngine;
+use constantine_core::hardware;
+
 use halo2_proofs::{
     poly::{
         ipa::{
@@ -25,7 +29,11 @@ use std::marker::PhantomData;
 
 use criterion::{BenchmarkId, Criterion};
 
-fn criterion_benchmark(c: &mut Criterion) {
+fn bench_plonk(
+    engine_name: &str,
+    engine: &dyn MsmAccel<vesta::Affine>,
+    c: &mut Criterion,
+) {
     /// This represents an advice column at a certain row in the ConstraintSystem
     #[derive(Copy, Clone, Debug)]
     pub struct Variable(Column<Advice>, usize);
@@ -261,9 +269,9 @@ fn criterion_benchmark(c: &mut Criterion) {
         }
     }
 
-    fn keygen(k: u32) -> (ParamsIPA<EqAffine>, ProvingKey<EqAffine>) {
-        let params: ParamsIPA<EqAffine> = ParamsIPA::new(k);
-        let empty_circuit: MyCircuit<Fp> = MyCircuit {
+    fn keygen(k: u32) -> (ParamsIPA<vesta::Affine>, ProvingKey<vesta::Affine>) {
+        let params: ParamsIPA<vesta::Affine> = ParamsIPA::new(k);
+        let empty_circuit: MyCircuit<pallas::Base> = MyCircuit {
             a: Value::unknown(),
             k,
         };
@@ -272,16 +280,17 @@ fn criterion_benchmark(c: &mut Criterion) {
         (params, pk)
     }
 
-    fn prover(k: u32, params: &ParamsIPA<EqAffine>, pk: &ProvingKey<EqAffine>) -> Vec<u8> {
+    fn prover(engine: &dyn MsmAccel<vesta::Affine>, k: u32, params: &ParamsIPA<vesta::Affine>, pk: &ProvingKey<vesta::Affine>) -> Vec<u8> {
         let rng = OsRng;
 
-        let circuit: MyCircuit<Fp> = MyCircuit {
-            a: Value::known(Fp::random(rng)),
+        let circuit: MyCircuit<pallas::Base> = MyCircuit {
+            a: Value::known(pallas::Base::random(rng)),
             k,
         };
 
-        let mut transcript = Blake2bWrite::<_, _, Challenge255<EqAffine>>::init(vec![]);
-        create_proof::<IPACommitmentScheme<EqAffine>, ProverIPA<EqAffine>, _, _, _, _>(
+        let mut transcript = Blake2bWrite::<_, _, Challenge255<vesta::Affine>>::init(vec![]);
+        create_proof::<IPACommitmentScheme<vesta::Affine>, ProverIPA<vesta::Affine>, _, _, _, _>(
+            engine,
             params,
             pk,
             &[circuit],
@@ -293,7 +302,7 @@ fn criterion_benchmark(c: &mut Criterion) {
         transcript.finalize()
     }
 
-    fn verifier(params: &ParamsIPA<EqAffine>, vk: &VerifyingKey<EqAffine>, proof: &[u8]) {
+    fn verifier(params: &ParamsIPA<vesta::Affine>, vk: &VerifyingKey<vesta::Affine>, proof: &[u8]) {
         let strategy = SingleStrategy::new(params);
         let mut transcript = Blake2bRead::<_, _, Challenge255<_>>::init(proof);
         assert!(verify_proof(params, vk, strategy, &[&[]], &mut transcript).is_ok());
@@ -310,7 +319,7 @@ fn criterion_benchmark(c: &mut Criterion) {
     }
     keygen_group.finish();
 
-    let mut prover_group = c.benchmark_group("plonk-prover");
+    let mut prover_group = c.benchmark_group("plonk-prover-".to_string() + engine_name);
     prover_group.sample_size(10);
     for k in k_range.clone() {
         let (params, pk) = keygen(k);
@@ -319,7 +328,7 @@ fn criterion_benchmark(c: &mut Criterion) {
             BenchmarkId::from_parameter(k),
             &(k, &params, &pk),
             |b, &(k, params, pk)| {
-                b.iter(|| prover(k, params, pk));
+                b.iter(|| prover(engine, k, params, pk));
             },
         );
     }
@@ -328,7 +337,7 @@ fn criterion_benchmark(c: &mut Criterion) {
     let mut verifier_group = c.benchmark_group("plonk-verifier");
     for k in k_range {
         let (params, pk) = keygen(k);
-        let proof = prover(k, &params, &pk);
+        let proof = prover(engine, k, &params, &pk);
 
         verifier_group.bench_with_input(
             BenchmarkId::from_parameter(k),
@@ -341,5 +350,12 @@ fn criterion_benchmark(c: &mut Criterion) {
     verifier_group.finish();
 }
 
+fn criterion_benchmark(c: &mut Criterion) {
+    let h2c_engine = H2cEngine::new();
+    bench_plonk("halo2-engine", &h2c_engine, c);
+    let ctt_engine = CttEngine::new(hardware::get_num_threads_os());
+    bench_plonk("constantine-engine", &ctt_engine, c)
+}
+
 criterion_group!(benches, criterion_benchmark);
 criterion_main!(benches);

halo2_proofs/examples/cost-model.rs

@@ -8,8 +8,10 @@ use std::{
 use ff::Field;
 use group::{Curve, Group};
 use gumdrop::Options;
-use halo2_proofs::arithmetic::best_multiexp;
-use halo2curves::pasta::pallas;
+use halo2curves::{
+    pasta::pallas,
+    zal::{H2cEngine, MsmAccel},
+};
 
 struct Estimator {
     /// Scalars for estimating multiexp performance.
@@ -41,7 +43,10 @@ impl Estimator {
 
     fn multiexp(&self, size: usize) -> Duration {
         let start = Instant::now();
-        best_multiexp(&self.multiexp_scalars[..size], &self.multiexp_bases[..size]);
+        // TODO: at the moment we use the default MSM for estimating cost.
+        //       is it beneficial to use the real engine?
+        let engine = H2cEngine::new();
+        engine.msm(&self.multiexp_scalars[..size], &self.multiexp_bases[..size]);
         Instant::now().duration_since(start)
     }
 }

halo2_proofs/examples/serialization.rs

@@ -24,6 +24,7 @@ use halo2_proofs::{
     SerdeFormat,
 };
 use halo2curves::bn256::{Bn256, Fr, G1Affine};
+use halo2curves::zal::H2cEngine;
 use rand_core::OsRng;
 
 #[derive(Clone, Copy)]
@@ -129,6 +130,7 @@ impl Circuit<Fr> for StandardPlonk {
 }
 
 fn main() {
+    let engine = H2cEngine::new();
     let k = 4;
     let circuit = StandardPlonk(Fr::random(OsRng));
     let params = ParamsKZG::<Bn256>::setup(k, OsRng);
@@ -163,6 +165,7 @@ fn main() {
         Blake2bWrite<Vec<u8>, G1Affine, Challenge255<_>>,
         _,
     >(
+        &engine,
         &params,
         &pk,
         &[circuit],

halo2_proofs/examples/shuffle.rs

@@ -18,6 +18,7 @@ use halo2_proofs::{
         Blake2bRead, Blake2bWrite, Challenge255, TranscriptReadBuffer, TranscriptWriterBuffer,
     },
 };
+use halo2curves::zal::{H2cEngine, MsmAccel};
 use rand_core::{OsRng, RngCore};
 use std::iter;
 
@@ -275,6 +276,7 @@ fn test_mock_prover<F: Ord + FromUniformBytes<64>, const W: usize, const H: usiz
 }
 
 fn test_prover<C: CurveAffine, const W: usize, const H: usize>(
+    engine: &dyn MsmAccel<C>,
     k: u32,
     circuit: MyCircuit<C::Scalar, W, H>,
     expected: bool,
@@ -289,6 +291,7 @@ fn test_prover<C: CurveAffine, const W: usize, const H: usize>(
         let mut transcript = Blake2bWrite::<_, _, Challenge255<_>>::init(vec![]);
 
         create_proof::<IPACommitmentScheme<C>, ProverIPA<C>, _, _, _, _>(
+            engine,
             &params,
             &pk,
             &[circuit],
@@ -324,11 +327,12 @@ fn main() {
     const H: usize = 32;
     const K: u32 = 8;
 
+    let engine = H2cEngine::new();
     let circuit = &MyCircuit::<_, W, H>::rand(&mut OsRng);
 
     {
         test_mock_prover(K, circuit.clone(), Ok(()));
-        test_prover::<EqAffine, W, H>(K, circuit.clone(), true);
+        test_prover::<EqAffine, W, H>(&engine, K, circuit.clone(), true);
     }
 
     #[cfg(not(feature = "sanity-checks"))]
@@ -352,6 +356,6 @@ fn main() {
                 },
             )]),
         );
-        test_prover::<EqAffine, W, H>(K, circuit, false);
+        test_prover::<EqAffine, W, H>(&engine, K, circuit, false);
     }
 }