Pairing speed relative to the herumi/mcl implementation #84

Open
JustinDrake opened this issue May 30, 2018 · 4 comments

Comments

@JustinDrake

For BN254, Dfinity's implementation does pairing in less than 0.8ms (see here):

Notably, we see the signature validation time is 0.8 ms which involves a pairing evaluation.

This contrasts very favourably compared to the numbers given in this post where a BN254 pairing is done in 2.5ms with USE_ASM. Why is the discrepancy so high, and does this suggest that this implementation can be sped up significantly?

@daira
Collaborator

daira commented May 31, 2018

The BN254 implementation compared in that post is from libsnark. Should this be refiled as a ticket against libsnark?

@daira
Collaborator

daira commented May 31, 2018

Oh, also the BLS12-381 pairing implemented in bellman takes 2.5ms in that post (on @ebfull's i7-3770S).

@ebfull
Collaborator

ebfull commented Jun 1, 2018

Also, BN254 can mean a lot of different things. It can mean some 254-bit BN curve or it can mean the specific 254-bit BN curve implemented in libsnark, which could have different performance for pairings due to the parameter and the extension tower.

@daira
Collaborator

daira commented Dec 3, 2018

https://github.com/dfinity/random-beacon is a bit of a red herring; the actual pairing implementation it uses is https://github.com/herumi/mcl (which supports BLS12-381 now). The readme says that it is using code from xbyak, so it is presumably doing JIT compilation. We're fine with the safe Rust code for now, but it's probably worth investigating whether we can achieve comparable performance without the JIT compilation.

(On the other hand, implementing batch proof validation would be a lower-hanging performance win.)

daira changed the title from "Pairing speed relative to Dfinity's implementation" to "Pairing speed relative to the herumi/mcl implementation" on Apr 15, 2019
str4d added a commit that referenced this issue Aug 25, 2020
Checking for spent notes in a block is still not completely constant
time, due to filtering out negative results of the constant-time
comparison.

Part of #84.