Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: proof of correct derivation #13

Merged
merged 58 commits into from
Aug 29, 2024
Merged

feat: proof of correct derivation #13

merged 58 commits into from
Aug 29, 2024

Conversation

mrain
Copy link
Contributor

@mrain mrain commented Jul 18, 2024
edited
Loading

mega PR for all prover works

Closes: #6 #9

This PR:

This PR does not:

Key places to review:

mrain and others added 18 commits July 9, 2024 10:33
@mrain
develop setup
b422705
@mrain
Merge branch 'main' of github.com:EspressoSystems/zkrollup-integratio…
b93ed9a 
…n into develop
@mrain
ns filtering gadget
dddd849
@mrain
Merge branch 'main' of github.com:EspressoSystems/zkrollup-integratio…
6c77c81 
…n into develop
@mrain
Merge branch 'develop' of github.com:EspressoSystems/zkrollup-integra…
e1738c5 
…tion into cl/ns-filter
@mrain
cargo workspace clean
3084c1a
@mrain
scan for ns_id
f22f093
@mrain
namespace table filtering & mock input
8c7db61
@mrain
update document; wrap public inputs
4e487a0
@mrain @ggutoski
Update sp1/program/src/main.rs
c154d9d 
Co-authored-by: Gus Gutoski <[email protected]>
@mrain
global mark
73f8100
@mrain
Merge pull request #10 from EspressoSystems/cl/ns-filter
f9d7658 
feat: proof of correct namespace filtering
@mrain
tried namespace proof
827665f
@mrain
redo srs
62f7445
@mrain
manual (de)ser for VidParam
f375191
@mrain
Merge pull request #18 from EspressoSystems/cl/comm-equiv
4cb2bef 
feat: commitment equivalence gadget
@mrain
serde_json for header
e575f39
@mrain
Merge branch 'main' of github.com:EspressoSystems/zkrollup-integratio…
8c0e65d 
…n into develop
@mrain
Copy link
Contributor Author

mrain commented Aug 5, 2024

Partially done. @alxiong will take care of the contract part.

@alxiong
Copy link
Collaborator

alxiong commented Aug 15, 2024
edited
Loading

CI is fixed now, only fails due to out of memory (got killed).

I'll review your work first, then update the contract part.

The first part of my review attempts to improve the documentation (my next commit) to align our understanding/spec.

@alxiong
Copy link
Collaborator

alxiong commented Aug 16, 2024

@mrain see if you agree with the spec in 62d292d

let's improve on it to make it self-contained and clear to engineers.

@philippecamacho philippecamacho removed the request for review from akonring August 27, 2024 15:53
@mrain
Copy link
Contributor Author

mrain commented Aug 27, 2024
edited
Loading

cf21fee this commit uses customized deser. It brings down the cycle count from 11,063,261 to 5,711,260.

cc @alxiong

mrain
mrain commented Aug 27, 2024
View reviewed changes
sp1/utils/src/block/header.rs
/// Types for block Merkle tree. This struct is essentially the same as
/// `LightWeightSha3MerkleTree`, as the later one only keeps a frontier
pub type BlockMerkleTree = SHA3MerkleTree<Commitment<BlockHeader>>;
pub type BlockMerkleTreeProof = <BlockMerkleTree as MerkleTreeScheme>::MembershipProof;
Copy link
Contributor Author

@mrain mrain Aug 27, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Deserialization of this struct still takes over 1m cycles.
MerkleNode is a enum so we can't derive CanonicalSerialize for it.

@alxiong
Copy link
Collaborator

alxiong commented Aug 28, 2024
edited
Loading

prover log for 0f11a12

2024-08-27T16:21:43.705811Z  INFO prove_core: summary: cycles=12219695, e2e=141.774203634s, khz=86.19, proofSize=18662310
2024-08-27T16:21:43.709496Z  INFO prove_core: close time.busy=128s time.idle=14.3s
2024-08-27T16:27:26.742320Z  INFO shrink:prove_shards: close time.busy=41.1s time.idle=3.34µs
2024-08-27T16:27:26.746435Z  INFO shrink: close time.busy=61.8s time.idle=2.20µs
2024-08-27T16:29:48.857398Z  INFO wrap_bn254:prove_shards: close time.busy=86.8s time.idle=3.84µs
2024-08-27T16:29:49.028493Z  INFO wrap_bn254:verify: close time.busy=171ms time.idle=2.00µs
2024-08-27T16:29:49.028530Z  INFO wrap_bn254: Proof verified successfully
2024-08-27T16:29:49.028535Z  INFO wrap_bn254: Wrapping successful
2024-08-27T16:29:49.032878Z  INFO wrap_bn254: close time.busy=142s time.idle=1.74µs

Status: Downloaded newer image for ghcr.io/succinctlabs/sp1-gnark:v1.1.0
16:32:11 DBG constraint system solver done nbConstraints=33331520 took=7566.921938
16:33:20 DBG prover done backend=plonk curve=bn254 nbConstraints=33331520 took=87284.434861
16:33:20 DBG verifier done backend=plonk curve=bn254 took=1.45622
2024-08-27T16:33:23.618879Z  INFO wrap_plonk_bn254: Running verify-plonk in docker
ignoring uninitialized slice: Vars []frontend.Variable
ignoring uninitialized slice: Vars []frontend.Variable
ignoring uninitialized slice: Vars []frontend.Variable
16:33:23 DBG verifier done backend=plonk curve=bn254 took=1.78716
2024-08-27T16:33:23.938986Z  INFO wrap_plonk_bn254: close time.busy=141s time.idle=3.81µs
Verification Key: 0x00d1c2d64c73d09ffe0defbf1c9b59fa36d9f808b8bc5aedc5e52ecfa4262474
Public Values: 0x42000000000000003078396532386431626166323839343438363438633561393631333737663961613038356139326339643366336632333734353761656431326165336635363661394200000000000000307836653139306162616465633133386236653539393938393533383936333339383933386462343531613463303133623262313532366362303434353332646233f842a8984c000000000000000b000000000000004d45524b4c455f434f4d4d30000000000000007a343f5c1d5e7c6f14e99611c2e3a0b9d9347fa4663a3d0bba4ee26804712879200000000000000005000000000000007f
Proof Bytes: 2915676a503eaa20e7ef5bdd3096005d8e688126ac88177ac684b612c622b8f30c5c65ee10403ddff4957c844f292eba4a2646e37faad2119428724653bb66fd19fc4cc94f2685bb13edf485886d07ad31ab6af4a6aa8b0ea44cbb80b97562c81acaa1f269fd173b767b01a615f9c794d2ba04ebc5e75d6ca1cfed60da8a2cc00fcce259769275e67de533f538e570d5330e2a7f99d27a7152f0586789a60e2414814cc73c2f756eeeb81129618a6e80daca86cdf484d3d1e0d0d867585a6ff81e6cbc57e107fbf5df2d97e1eafad190ccb19434410967d58ca8a839d21f7b4317d412da5928a3d95929f651a1c8b84f36d295a20ac8157c8148e5dc7ec65b4e2d82dbc7feda28d964d833ae7db6cd1db463877c60f6f82565b525ddf9b6e0aa2b506693368152a808867015086c756b535eb1cdf7bd8679fe95bb9fc52edd3a07e9857551330c29e0e536c68fb91ec6ee9fc85cba31cd26d4b65fdbf857cb2e0c49a9b0a6d50bb27473ce7c6d0c3fd500e96db14de5da7ad402a84a5d5b9de31072044c53da455a7f854d0bfa7af5e96ecd2c01ff569df200014a63d7d83f2f292cb98ebacc37384866bb9a31cba00c627617fd2aa83f444eae340e273ef39729404b07cbc4e388b3cdfcb580acbdef82d08ef319fcfbcd4bd256b7f52ac5591279c0775f36e60b6c8833d72bb0a2a2344ec9bf9c88bb330fb66815b34805d800000007134a9aac8fd0ec8818dd8cb342aace6bb04489840a8ee1bff7f56e2eb122ecda077adadb220f77bf0bbee0bc39584520fff6cb88aef442527f3179974e3f1ec81472a869bb2eab08a7fe9e10da7c6dc09dab1055824e640f335bd39c3162705b28c77592a49e164075be633293b6f30400b68f0e48a62fc9128b9c1a5b21fc94260ea8bfd85a7aa95c4da1b994513cad0cc886389d1ecc811338eb77c4b3db8f01086791faf4fe2fc43a37ec623258251ff6b836e8d9489a8b5906a5f77595e2052374d965a32df68b33a6e5ad0c04c6d05a8f3674e8800dde4f720254302bf60c62dad5c4fcfc71dbce34767cc64255404bf5ae1066826994888cd01716095f05eb0211427daeba8f523b282e520675e76e1ace2368983c54caee8d347ac6e02d6d12eb759706ea395f57e741f4ad4f97fb0cb03453459d59c703decef262540000000105cd6220b03e98bce2c01e6b63e14df07b002c5b03a0653abc424ef2a9fc0cb51e9ae8a883c3318eb93e4c1446138108719ef3fe045b7312187efa56150ea593

wait, so it's actually not that slow. not sure why it differs from the previous run outside the tmux.. maybe bad seed?
it's still 12m cycles

@alxiong
Copy link
Collaborator

alxiong commented Aug 28, 2024

prover log for cf21fee

2024-08-28T01:29:17.148388Z  INFO prove_core: execution report (syscall counts):
2024-08-28T01:29:17.148400Z  INFO prove_core:   14280 bn254_double
2024-08-28T01:29:17.148403Z  INFO prove_core:    7096 bn254_add
2024-08-28T01:29:17.148406Z  INFO prove_core:     210 keccak_permute
2024-08-28T01:29:17.148410Z  INFO prove_core:      88 write
2024-08-28T01:29:17.148413Z  INFO prove_core:      46 sha_compress
2024-08-28T01:29:17.148418Z  INFO prove_core:      46 sha_extend
2024-08-28T01:29:17.148422Z  INFO prove_core:       8 commit
2024-08-28T01:29:17.148425Z  INFO prove_core:       8 commit_deferred_proofs
2024-08-28T01:29:17.148427Z  INFO prove_core:       5 hint_len
2024-08-28T01:29:17.148431Z  INFO prove_core:       5 hint_read
2024-08-28T01:29:17.148434Z  INFO prove_core:       1 halt
2024-08-28T01:29:17.163076Z  INFO prove_core: summary: cycles=5838954, e2e=92.426051442s, khz=63.17, proofSize=16940384
2024-08-28T01:29:17.166957Z  INFO prove_core: close time.busy=92.4s time.idle=21.7ms
2024-08-28T01:35:00.040043Z  INFO shrink:prove_shards: close time.busy=41.8s time.idle=2.78µs
2024-08-28T01:35:00.044137Z  INFO shrink: close time.busy=62.4s time.idle=2.27µs
2024-08-28T01:37:16.804188Z  INFO wrap_bn254:prove_shards: close time.busy=83.3s time.idle=3.31µs
2024-08-28T01:37:16.974937Z  INFO wrap_bn254:verify: close time.busy=171ms time.idle=1.89µs
2024-08-28T01:37:16.974968Z  INFO wrap_bn254: Proof verified successfully
2024-08-28T01:37:16.974972Z  INFO wrap_bn254: Wrapping successful
2024-08-28T01:37:16.975377Z  INFO wrap_bn254: close time.busy=137s time.idle=1.60µs
01:37:49 DBG constraint system solver done nbConstraints=33331520 took=7433.126573
01:38:55 DBG prover done backend=plonk curve=bn254 nbConstraints=33331520 took=83323.401467
01:38:55 DBG verifier done backend=plonk curve=bn254 took=1.556179
2024-08-28T01:38:58.625996Z  INFO wrap_plonk_bn254: Running verify-plonk in docker
ignoring uninitialized slice: Vars []frontend.Variable
ignoring uninitialized slice: Vars []frontend.Variable
ignoring uninitialized slice: Vars []frontend.Variable
01:38:58 DBG verifier done backend=plonk curve=bn254 took=1.983889
2024-08-28T01:38:58.940175Z  INFO wrap_plonk_bn254: close time.busy=102s time.idle=2.16µs
Verification Key: 0x007f9f0f59840d09b9a754b516d6716ec30e45eb6a6423c3a3b51f6c84f955c0
Public Values: 0x42000000000000003078313132343863376437663138613737323666306337353734366264343439653037383136366337306639643338383866366562303435313265363030336232634200000000000000307836653139306162616465
6331333862366535393939383935333839363333393839333864623435316134633031336232623135323663623034343533326462339bf49a6a4c000000000000000b000000000000004d45524b4c455f434f4d4d3000000000000000b0f1b60f2db6ccd4c6d
4d849c0afd14a0f7bbc32a714e292964b673e818cc1a120000000000000000500000000000000a9
Proof Bytes: 1ec04271341e5d0fc7f48c3fbacd486b524d40b3b19e0f75f7dbdc9d1f8ebbf70080102bb430017a306d564506fca14c0fa1e9a126c98df8684e002f29ff292405997d007800d327226e94108d83640df331abcfaa50ced87b408c819d0528d0
21b0ef9b2b1260420e6e06a9a8469e4eb314a69e25e4933f2aee49ed9bd4d47823277aec005089be01aeb8bd053ec8870f0e5b1917c4ec209d4c8f723c041054147cd36ecae7021fca75a19935a229e0befa57354b3668e8c6ad5f724078147d27708691794ea
c0d3a8ce242e9e9f6dd66f0c941d5b0d76d9efb99a66d461e5716aff075050fe133729c2a4bf175a522294a478563b3b29e74626b6810c2d5761f0b1f4eccb9880e7926964f6db4fd75ea3b7e4afc697a19c75a9553b2c0a01a2ff3aa399b0fcb0f83c54c7073
778b38677336be2de36c6cd10de457c6740b1c06aafc946d7894fd527eaadfa794be9e3d153bc11489fff59aeae6ee66c6bf9518a74db500fbdffc13344f2fa7a5242f54447d19fdee215e15c4b859cf12da9511857b2a23449b2a5dbb0933230e747c9c47a06
beae8b241811bf103648788c51fdfb6e1fecfe711ba77f9b9858f4ebb644fff23982bd709dff0730cac62613b280a810d2ddeea23bb5f7057e3afadfaed4ea1fbf76a9aadd13f89147204e5531068f9a5717c2aefb82f602b7e973e08050d1bc29f6eacb86dc8
1edfa318e14a00000007289dc6193014965a8732a20549a7fac372e464e5a01a4e9106480e84b9342b9913c692a9e8d0296f221c2a56568cb0bcf98b01548b99791384bc385ed2ac14242dd02f3416fc9cae3793919843323d6e8c59dce11447cd0dc176814c9
23d22511d1c7a7830b989b31131aa7ef6010c51ac2a1041ac2ea0f60201bda77906c3991f93d4c18aaa387b0f20a25cb0458fae039b057307374fe4198ec71520f0fd2219e59239a3e4de757ec5e990d4c0d36ce4bff56edb29cf49411a636a0f2a1dc12bdd2c
482327044c2bdecee2522250cf61c27f21ae108b995341deb1a5205e831362b4529dde7d98c147bfd8e7d4ca83e9854e0c1d501b9fd1a25ae40623c64f2b6d3b4a79c9106ab1e5fb06763b4750152ebfae0718f51fd08e374e2bd2c44f1692ea9d77f0d4544e2
9351c1a6b4c752f59bb3bdab7d19c0ea64175706f32b8000000012673d948555179a323521d42028fa13178699cd0fe9e1ae0673aa52e0215f8711243b84feea6386417a458d9364e6803f3262dd8c3a8aaadbe0dc5aa7fc5bed5

@alxiong alxiong marked this pull request as ready for review August 28, 2024 04:25
@alxiong alxiong requested a review from akonring as a code owner August 28, 2024 04:25
alxiong
alxiong approved these changes Aug 28, 2024
View reviewed changes
sp1/utils/src/block/payload.rs
Comment on lines +51 to +61
impl Serialize for VidCommon {
fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
where
S: serde::Serializer,
{
let mut bytes = Vec::new();
self.0
.serialize_uncompressed(&mut bytes)
.map_err(|e| S::Error::custom(format!("{e:?}")))?;
Serialize::serialize(&bytes, serializer)
}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you help us understand why this manual CanonicalSerde leads to fewer cycles than the serde's default?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No maybe not the validity checking. It's about compression and extra layer of TaggedBase64: https://github.com/EspressoSystems/jellyfish/blob/main/utilities/src/serialize.rs#L44-L87

For prime field element the overhead is not too much, just a TaggedBase64 wrapper. But for curve points, compression really makes a huge difference.

akonring
akonring approved these changes Aug 28, 2024
View reviewed changes
Copy link
Contributor

@akonring akonring left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work.
(Prioritized reviewing the README.md and test running the prover logic)

README.md Outdated Show resolved Hide resolved
README.md Show resolved Hide resolved
README.md Outdated Show resolved Hide resolved
README.md Outdated Show resolved Hide resolved
README.md Outdated Show resolved Hide resolved
README.md Show resolved Hide resolved
@akonring
Copy link
Contributor

akonring commented Aug 28, 2024
edited
Loading

Cycle count tracing suggests that we spend 1.8M instructions (30% of total instructions) in ark_ff::fields::models::fp::montgomery_backend::MontConfig::inverse (computing Montgomery inverse).
Is this correct?

Looking at the implementation it seems that the algorithm is already optimized (uses binary extended euclidian and avoids unnecessary reduction step).

Did we explore optimizations in this part of our code?

trace-output:

espressosystems@Espressos-MBP zkrollup-integration % cargo prove trace --elf sp1/program/elf/riscv32im-succinct-zkvm-elf --trace trace.log
  [00:00:04] [########################################] 5838889/5838889 (0s)

Total instructions in trace: 5838889


 Instruction counts considering call graph
+----------------------------------------------------------------------------------------------------------------+-------------------+
| Function Name                                                                                                  | Instruction Count |
| __start                                                                                                        | 5838881           |
| main                                                                                                           | 5838018           |
| espresso_derivation::main                                                                                      | 5838016           |
| espresso_derivation_utils::block::payload::vid_scheme                                                          | 2345780           |
| jf_vid::advz::AdvzInternal::with_multiplicity_internal                                                         | 2342085           |
| ark_poly::domain::radix2::Radix2EvaluationDomain::new                                                          | 2319350           |
| ark_ff::fields::models::fp::montgomery_backend::MontConfig::inverse                                            | 2018595           |
| sp1_lib::io::read                                                                                              | 1582150           |
| serde::de::impls::<impl serde::de::Deserialize for alloc::vec::Vec::visit_seq                                  | 1582017           |
| &mut bincode::de::Deserializer::deserialize_struct                                                             | 1576784           |
| serde::de::impls::<impl serde::de::Deserialize for alloc::vec::Vec::visit_seq                                  | 1283904           |
| &mut bincode::de::Deserializer::next_element_seed                                                              | 1260259           |
| jf_merkle_tree::internal::_::<impl serde::de::Deserialize for jf_merkle_tree::internal::MerkleNode::visit_enum | 1241534           |
| &mut bincode::de::Deserializer::struct_variant                                                                 | 1195689           |
| jf_pcs::UnivariatePCS::multi_open_rou_eval_domain                                                              | 1146490           |
| jf_vid::advz::payload_prover::<impl jf_vid::payload_prover::PayloadProver::payload_verify                      | 1138722           |
| jf_utils::serialize::canonical::deserialize                                                                    | 996542            |
| tagged_base64::TaggedBase64::deserialize                                                                       | 971858            |
| jf_pcs::univariate_kzg::UnivariateKzgPCS::commit                                                               | 715473            |
| jf_pcs::univariate_kzg::succinct::msm                                                                          | 714773            |
| serde::de::impls::<impl serde::de::Deserialize for alloc::vec::Vec::visit_seq                                  | 692549            |
| jf_pcs::univariate_kzg::succinct::bn254_double_and_add                                                         | 617263            |
| serde::de::impls::<impl serde::de::Deserialize for alloc::boxed::Box::deserialize                              | 606309            |
| ark_serialize::impls::<impl ark_serialize::CanonicalDeserialize for alloc::vec::Vec::deserialize_with_mode     | 545649            |
| &mut bincode::de::Deserializer::struct_variant                                                                 | 522979            |
| memcpy                                                                                                         | 510947            |
| serde::de::impls::<impl serde::de::Deserialize for alloc::vec::Vec::visit_seq                                  | 416138            |
| jf_merkle_tree::internal::MerkleProof::verify_membership_proof                                                 | 320872            |
| ark_poly::domain::radix2::fft::<impl ark_poly::domain::radix2::Radix2EvaluationDomain::in_order_ifft_in_place  | 285647            |
| ark_ff::fields::fft_friendly::FftField::get_root_of_unity                                                      | 281680            |
+----------------------------------------------------------------------------------------------------------------+-------------------+


 Instruction counts ignoring call graph
+------------------------------------------------------------------------------------------------------------+-------------------+
| Function Name                                                                                              | Instruction Count |
| ark_ff::fields::models::fp::montgomery_backend::MontConfig::inverse                                        | 1807305           |
| memcpy                                                                                                     | 516650            |
| jf_pcs::univariate_kzg::succinct::bn254_double_and_add                                                     | 470803            |
| serde::de::impls::<impl serde::de::Deserialize for alloc::vec::Vec::visit_seq                              | 409491            |
| ark_serialize::impls::<impl ark_serialize::CanonicalDeserialize for alloc::vec::Vec::deserialize_with_mode | 352483            |
| ark_ff::fields::fft_friendly::FftField::get_root_of_unity                                                  | 281320            |
| ark_ff::fields::models::fp::montgomery_backend::MontBackend::mul_assign                                    | 191215            |
| compiler_builtins::mem::memcmp                                                                             | 167169            |
| ark_ff::fields::models::fp::montgomery_backend::MontConfig::from_bigint                                    | 96837             |
| sha3::Sha3_256Core::finalize_fixed_core                                                                    | 86240             |
| ark_ff::fields::models::fp::montgomery_backend::MontConfig::from_bigint                                    | 81858             |
| memcmp                                                                                                     | 79857             |
| sp1_zkvm::heap::SimpleAlloc::alloc                                                                         | 75008             |
| jf_pcs::univariate_kzg::succinct::wrap_g1affine                                                            | 73570             |
| alloc::raw_vec::finish_grow                                                                                | 71962             |
| jf_merkle_tree::internal::MerkleProof::verify_membership_proof                                             | 66992             |
| jf_utils::serialize::canonical::deserialize                                                                | 59150             |
| syscall_bn254_double                                                                                       | 57120             |
| memset                                                                                                     | 54467             |
| alloc::raw_vec::RawVec::grow_one                                                                           | 52687             |
| core::str::converts::from_utf8                                                                             | 45611             |
| anonymous                                                                                                  | 42060             |
| tagged_base64::TaggedBase64::deserialize                                                                   | 35904             |
| syscall_bn254_add                                                                                          | 28384             |
| serde::de::impls::<impl serde::de::Deserialize for alloc::vec::Vec::visit_seq                              | 26880             |
| ark_ec::models::short_weierstrass::affine::Affine::to_flags                                                | 25836             |
| &mut bincode::de::Deserializer::struct_variant                                                             | 23040             |
| block_buffer::BlockBuffer::digest_blocks                                                                   | 21690             |
| serde::de::impls::<impl serde::de::Deserialize for alloc::boxed::Box::deserialize                          | 21237             |
| ark_ff::fields::models::fp::montgomery_backend::MontConfig::from_bigint                                    | 19740             |
+------------------------------------------------------------------------------------------------------------+-------------------+

@mrain @akonring
Update README.md
d9bf339 
Co-authored-by: Anders Konring <[email protected]>
@mrain
Copy link
Contributor Author

mrain commented Aug 28, 2024

Thanks @akonring for pointing out this. You are right that most of instructions are spent on the Montgomery inversion. And quite a lot of them are related to (de)serialization. Some serializations are necessary, e.g. the one inside payload_prove to check consistency between vid_common and payload_commitment.
But most non-trivial serializations (especially during I/O) are not necessary. Default CanonicalSerialization for field elements is doing this unnecessary Montgomery transform:
https://github.com/arkworks-rs/algebra/blob/master/ff/src/fields/models/fp/mod.rs#L572
and
https://github.com/arkworks-rs/algebra/blob/master/ff/src/fields/models/fp/mod.rs#L624

It will be great to remove these. But I don't know a good way to do it. cc @alxiong

@mrain
Copy link
Contributor Author

mrain commented Aug 28, 2024

Also further optimizations will be done in a separate PR. Here let's focus on the functionality.

@alxiong
Copy link
Collaborator

alxiong commented Aug 29, 2024

But most non-trivial serializations (especially during I/O) are not necessary. Default CanonicalSerialization for field elements is doing this unnecessary Montgomery transform:
https://github.com/arkworks-rs/algebra/blob/master/ff/src/fields/models/fp/mod.rs#L572
and
https://github.com/arkworks-rs/algebra/blob/master/ff/src/fields/models/fp/mod.rs#L624

I can't think of an easy way, but here's what's possible:

iiuc, places where we don't need normal form, or don't expect to interpret from random bytes into field elements, we can keep the byte repr directly from Mont form.
instead of using CanonicalSerde, in the utils/ we provide extra method on the struct that needs to be trivially serialized: Foo.bytes_dump() and directly access the 4 limbs in Fp.0 as they are public, and dump them into continuous bytes.

^^ this would incur some code repetition, but we don't have to fork arkworks.
example of repetition: Foo { a: Field} and Bar { b: Field}, since the Field doesn't support .bytes_dump(), we will have to implement the same code for both struct. Goot thing is any outer struct that uses Bar, Foo, don't have to repeat.

Alternatively, we can fork algebra, create sp1-patches branch, and add a new API on their struct Fp<> directly.

@alxiong
Copy link
Collaborator

alxiong commented Aug 29, 2024
edited
Loading

Also further optimizations will be done in a separate PR. Here let's focus on the functionality.

agree!

Furthermore, if we look at the prover time reported at #13 (comment) and #13 (comment):
the former is 12.2m cycles, the latter is 5.8m cycles.

but the inner SNARK generation (128s v.s. 94s) is a minority portion of the overall prover time (473 v.s. 393s)
roughly 25% of overall prover time for both. even if we 10x reduce our cycles, it would still takes ~310 sec
There's a constant overhead of ~302 sec for shrinking, wrapping, and final plonk wrapping.

That said, we set the parameters to be small in this PR,

/// low degree for demo only
pub const SRS_DEGREE: usize = 8usize;
/// payload bytes for each block shouldn't exceed max size
/// during encoding, every 30 bytes is converted to a 254-bit field element
pub const MAX_PAYLOAD_BYTES_PER_BLOCK: usize = SRS_DEGREE * 30;
/// number of storage node for VID
pub const NUM_STORAGE_NODES: u32 = 10;
/// produce derivation proof for a batch of espresso blocks
pub const NUM_BLOCKS: u64 = 5;

Plus, we greatly simplify the rollup commitment by assuming it's a sha256, and this part for actual rollup would contribute much more cycles.

it's still very important to optimize for real integration (beyond demo)

@mrain mrain mentioned this pull request Aug 29, 2024
Open
3 tasks
@mrain mrain merged commit 20217c9 into main Aug 29, 2024
2 checks passed
@mrain mrain deleted the develop branch August 29, 2024 12:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alxiong alxiong alxiong approved these changes

@akonring akonring akonring approved these changes

@philippecamacho philippecamacho Awaiting requested review from philippecamacho philippecamacho is a code owner

@ggutoski ggutoski Awaiting requested review from ggutoski

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[PARENT] Implement prover for correct derivation
3 participants
@mrain @alxiong @akonring