-
Notifications
You must be signed in to change notification settings - Fork 265
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: circuit simulator for Ultra and GoblinUltra verifiers #1195
Changes from 58 commits
3497303
c4d7963
42878d0
4ea80be
5aa32cf
0fcabd8
ca674c3
daa37eb
d818dfd
c0790fe
2cb9f9d
b707765
378b899
c42b000
6a2c226
65a3997
19ed7b5
dfe4af6
7c67671
3f2862a
b963361
6e0069b
8744b27
ec3346a
dfbf067
1709038
05101f3
f4665e0
e81f015
94d5afd
890c374
5659262
39f6efe
9e2042f
586241e
fed8f7e
999451d
0a5f699
a168a6d
38882cf
7c0f781
20dfb60
581fbb3
15ed3a9
f4a62bb
560f7bf
05f9913
75dd2dd
8df0c86
3132542
2edbcf7
7462d38
60d7197
ebe0996
f7183b5
9bee66b
1f4a260
96eb8df
b429bef
80b06c6
6b5ae50
3728048
4a169b4
4d98946
2d4355e
ca81f60
ff03998
424b670
cbda9ec
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
barretenberg_module(simulator_bench stdlib_honk_recursion stdlib_sha256 crypto_merkle_tree) |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,134 @@ | ||
#include "barretenberg/goblin/goblin.hpp" | ||
#include "barretenberg/goblin/mock_circuits.hpp" | ||
#include "barretenberg/stdlib_circuit_builders/ultra_circuit_builder.hpp" | ||
#include <benchmark/benchmark.h> | ||
|
||
using namespace benchmark; | ||
using namespace bb; | ||
|
||
namespace { | ||
template <typename RecursiveFlavor> class SimulatorFixture : public benchmark::Fixture { | ||
|
||
public: | ||
using Flavor = typename RecursiveFlavor::NativeFlavor; | ||
using ProverInstance = ProverInstance_<Flavor>; | ||
using Builder = typename Flavor::CircuitBuilder; | ||
using VerificationKey = typename Flavor::VerificationKey; | ||
using CircuitSimulator = typename RecursiveFlavor::CircuitBuilder; | ||
using SimulatingVerifier = stdlib::recursion::honk::UltraRecursiveVerifier_<RecursiveFlavor>; | ||
|
||
struct VerifierInput { | ||
HonkProof proof; | ||
std::shared_ptr<VerificationKey> verification_key; | ||
}; | ||
|
||
void SetUp([[maybe_unused]] const ::benchmark::State& state) override | ||
{ | ||
bb::srs::init_crs_factory("../srs_db/ignition"); | ||
} | ||
|
||
/** | ||
* @brief Create a Honk proof (either Ultra or GoblinUltra) for a non-trivial circuit. | ||
* | ||
* @param large determines whether the circuit is 2^17 or 2^19 | ||
*/ | ||
static VerifierInput create_proof(bool large = false) | ||
{ | ||
|
||
auto builder = construct_mock_function_circuit(large); | ||
auto instance = std::make_shared<ProverInstance>(builder); | ||
UltraProver_<Flavor> prover(instance); | ||
auto ultra_proof = prover.construct_proof(); | ||
auto verification_key = std::make_shared<VerificationKey>(instance->proving_key); | ||
return { ultra_proof, verification_key }; | ||
} | ||
|
||
/** | ||
* @brief Populate the builder with non-trivial operations that mock a circuit encountered in practice. | ||
* | ||
* @param large determines whether the circuit is 2^17 or 2^19 | ||
*/ | ||
static Builder construct_mock_function_circuit(bool large = false) | ||
{ | ||
using InnerCurve = bb::stdlib::bn254<Builder>; | ||
using fr_ct = InnerCurve::ScalarField; | ||
using point_ct = InnerCurve::AffineElement; | ||
using fr = typename InnerCurve::ScalarFieldNative; | ||
using point = typename InnerCurve::GroupNative::affine_element; | ||
Builder builder; | ||
|
||
// Perform a batch mul which will add some arbitrary goblin-style ECC op gates if the circuit arithmetic is | ||
// goblinisied otherwise it will add the conventional nonnative gates | ||
size_t num_points = 5; | ||
std::vector<point_ct> circuit_points; | ||
std::vector<fr_ct> circuit_scalars; | ||
for (size_t i = 0; i < num_points; ++i) { | ||
circuit_points.push_back(point_ct::from_witness(&builder, point::random_element())); | ||
circuit_scalars.push_back(fr_ct::from_witness(&builder, fr::random_element())); | ||
} | ||
point_ct::batch_mul(circuit_points, circuit_scalars); | ||
|
||
// Determine number of times to execute the below operations that constitute the mock circuit logic. Note | ||
// that the circuit size does not scale linearly with number of iterations due to e.g. amortization of lookup | ||
|
||
const size_t NUM_ITERATIONS_LARGE = 12; // results in circuit size 2^19 (502238 gates) | ||
const size_t NUM_ITERATIONS_MEDIUM = 3; // results in circuit size 2^17 (124843 gates) | ||
const size_t NUM_ITERATIONS = large ? NUM_ITERATIONS_LARGE : NUM_ITERATIONS_MEDIUM; | ||
|
||
stdlib::generate_sha256_test_circuit(builder, NUM_ITERATIONS); // min gates: ~39k | ||
stdlib::generate_ecdsa_verification_test_circuit(builder, NUM_ITERATIONS); // min gates: ~41k | ||
stdlib::generate_merkle_membership_test_circuit(builder, NUM_ITERATIONS); // min gates: ~29k | ||
|
||
return builder; | ||
} | ||
}; | ||
|
||
BENCHMARK_TEMPLATE_F(SimulatorFixture, GoblinNative, bb::GoblinUltraRecursiveFlavor_<bb::CircuitSimulatorBN254>) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This and UltraNative are basically the same code (ditto for the simulated ones) but I haven't managed to instantiate same benchmark functions with multiple templates, not even sure it's supported. Very much open to suggestions |
||
(benchmark::State& state) | ||
{ | ||
auto verifier_input = SimulatorFixture::create_proof(); | ||
for (auto _ : state) { | ||
UltraVerifier_<Flavor> ultra_verifier{ verifier_input.verification_key }; | ||
ultra_verifier.verify_proof((verifier_input.proof)); | ||
} | ||
} | ||
|
||
BENCHMARK_TEMPLATE_F(SimulatorFixture, GoblinSimulated, bb::GoblinUltraRecursiveFlavor_<bb::CircuitSimulatorBN254>) | ||
(benchmark::State& state) | ||
{ | ||
auto verifier_input = SimulatorFixture::create_proof(); | ||
for (auto _ : state) { | ||
CircuitSimulator simulator; | ||
SimulatingVerifier ultra_verifier{ &simulator, verifier_input.verification_key }; | ||
ultra_verifier.verify_proof((verifier_input.proof)); | ||
} | ||
} | ||
|
||
BENCHMARK_TEMPLATE_F(SimulatorFixture, UltraNative, bb::UltraRecursiveFlavor_<bb::CircuitSimulatorBN254>) | ||
(benchmark::State& state) | ||
{ | ||
auto verifier_input = SimulatorFixture::create_proof(); | ||
for (auto _ : state) { | ||
UltraVerifier_<typename SimulatorFixture::Flavor> ultra_verifier{ verifier_input.verification_key }; | ||
ultra_verifier.verify_proof((verifier_input.proof)); | ||
} | ||
} | ||
|
||
BENCHMARK_TEMPLATE_F(SimulatorFixture, UltraSimulated, bb::UltraRecursiveFlavor_<bb::CircuitSimulatorBN254>) | ||
(benchmark::State& state) | ||
{ | ||
auto verifier_input = SimulatorFixture::create_proof(); | ||
for (auto _ : state) { | ||
CircuitSimulator simulator; | ||
SimulatingVerifier ultra_verifier{ &simulator, verifier_input.verification_key }; | ||
ultra_verifier.verify_proof((verifier_input.proof)); | ||
} | ||
} | ||
|
||
BENCHMARK_REGISTER_F(SimulatorFixture, GoblinSimulated)->Unit(benchmark::kMillisecond); | ||
BENCHMARK_REGISTER_F(SimulatorFixture, UltraSimulated)->Unit(benchmark::kMillisecond); | ||
BENCHMARK_REGISTER_F(SimulatorFixture, GoblinNative)->Unit(benchmark::kMillisecond); | ||
BENCHMARK_REGISTER_F(SimulatorFixture, UltraNative)->Unit(benchmark::kMillisecond); | ||
|
||
} // namespace | ||
BENCHMARK_MAIN(); |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -220,7 +220,11 @@ void compute_wnaf_states(uint64_t* point_schedule, | |
} | ||
|
||
parallel_for(num_threads, [&](size_t i) { | ||
Fr T0; | ||
// NOTE: to appease GCC array-bounds checks, we need an extra Fr at the end of 'T0' | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Is this related to the simulator? If so we should probably document why. Otherwise this should go in a separate PR because it feels pretty fundamental There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. i think it can be reverted |
||
// This is why it is an Fr[2]. Otherwise, GCC really doesn't like us type-punning in endo_scalar_upper_limbs as | ||
// it encompasses undefined memory (even though it doesn't use it). | ||
Fr T0_buffer[2]; | ||
Fr& T0 = T0_buffer[0]; | ||
uint64_t* wnaf_table = &point_schedule[(2 * i) * num_initial_points_per_thread]; | ||
const Fr* thread_scalars = &scalars[i * num_initial_points_per_thread]; | ||
bool* skew_table = &input_skew_table[(2 * i) * num_initial_points_per_thread]; | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,6 @@ | ||
#pragma once | ||
|
||
namespace bb::merkle { | ||
// TODO(Cody) Get rid of this? | ||
enum HashType { FIXED_BASE_PEDERSEN, LOOKUP_PEDERSEN }; | ||
} // namespace bb::merkle | ||
// TODO(https://github.com/AztecProtocol/barretenberg/issues/426) | ||
enum HashType { FIXED_BASE_PEDERSEN, LOOKUP_PEDERSEN, NONE }; | ||
} // namespace bb::merkle |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,6 @@ | ||
#pragma once | ||
|
||
namespace bb::pedersen { | ||
// TODO(Cody) Get rid of this? | ||
enum CommitmentType { FIXED_BASE_PEDERSEN, LOOKUP_PEDERSEN }; | ||
} // namespace bb::pedersen | ||
// TODO(https://github.com/AztecProtocol/barretenberg/issues/426) | ||
enum CommitmentType { FIXED_BASE_PEDERSEN, LOOKUP_PEDERSEN, NONE }; | ||
} // namespace bb::pedersen |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -814,14 +814,21 @@ stdlib::byte_array<Builder> keccak<Builder>::hash(byte_array_ct& input, const ui | |
|
||
ASSERT(uint256_t(num_bytes.get_value()) <= input.size()); | ||
|
||
if (ctx == nullptr) { | ||
// if buffer is constant compute hash and return w/o creating constraints | ||
byte_array_ct output(nullptr, 32); | ||
const auto constant_case = [&] { // if buffer is constant, compute hash and return w/o creating constraints | ||
byte_array_ct output(nullptr, static_cast<uint32_t>(num_bytes.get_value() >> 1)); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The magic There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I don't recall adding this, but it has been a long time. Maybe it's an artifact of the merge? Does resetting to 32 cause tests to break? If not I would revert to the magic number. |
||
const std::vector<uint8_t> result = hash_native(input.get_value()); | ||
for (size_t i = 0; i < 32; ++i) { | ||
for (size_t i = 0; i < static_cast<uint32_t>(num_bytes.get_value() >> 1); ++i) { | ||
output.set_byte(i, result[i]); | ||
} | ||
return output; | ||
}; | ||
|
||
if constexpr (IsSimulator<Builder>) { | ||
return constant_case(); | ||
} | ||
|
||
if (ctx == nullptr) { | ||
return constant_case(); | ||
} | ||
|
||
// convert the input byte array into 64-bit keccak lanes (+ apply padding) | ||
|
@@ -906,6 +913,7 @@ template <typename Builder> void generate_keccak_test_circuit(Builder& builder, | |
} | ||
} | ||
|
||
template class keccak<bb::CircuitSimulatorBN254>; | ||
template class keccak<bb::UltraCircuitBuilder>; | ||
template class keccak<bb::GoblinUltraCircuitBuilder>; | ||
template void generate_keccak_test_circuit(bb::UltraCircuitBuilder&, size_t); | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
was this change intended?