Test vectors & benchmark for PCS

[tchataigner]

Goal of this PR

The goal of this PR is to implement test vectors & benchmark for PCS.

Current progress

Implemented two generic test functions that we can use over any <Engine, EvaluationEngine<Engine>> for both the correct prove/verify flow and a bad proof verification flow.

Left TODO

• Part of the issue is to tackle benchmark for proof size, proving time and verification time.

Related issue

This is part of tackling the issue #212

[tchataigner]

I think that I've got the bulk of the logic down.

A sample of what the benches look like can be found here: https://phnmlt.csb.app/

Now, I would like to iterate on what we actually display on the benchmark and how it should be formatted. Currently, the results are divided in two groups: proving and verifying. They are displayed per the power of two used to generate the polynomial we are testing over.

I'm not sure this fully corresponds to what we wanted. I started to look into the Throughput measurements to capture proof size but I'm not sure on how to capture a proof size in a generic manner.

[huitseeker]

This mostly looks great, I left some inline comments for simplification.
A rebase would be great, as it would allow us to see improvements from #216.

[huitseeker]

This should use random to avoid code duplication.

[huitseeker]

The name throws me off: if you have an &mut rng as an argument, are you creating something deterministic?

(I notice you are using this with a seeded rng, but the determinism isn't an invariant upheld by your function, rather by your usage of it)

[tchataigner]

You're right that the naming here is off. I specified it at deterministic... because if was a pre-determined polynomial size used to generate the assets. I've the implementation to be over BenchAssets and the name of the method to from_num_vars. should be more explicit this way.

[huitseeker]

The use case for generating a random polynomial, a random point, and the corresponding evaluation is pretty narrow. So it may be quite confusing to see this in the public API.

Do we need this somewhere not in benchmark/testing code, or can we just move it to benchmark/testing code where it's needed?
If we need this both in benchmarks and testing, can we just inline this short function?

[tchataigner]

This was actually an update on my code based on a discussion with @adr1anh that pointed out to me that if we had a random we could have a random_with_eval.

What you're saying about it being a test function is true, and it is also the same for random. I could remove both from the public API and instead inline their code where we have some usage.

Would that be alright with you?

[huitseeker]

The use case for random is a bit larger than random_with_eval, so I'd tend to leave random, and move random_with_eval. I think my overall point is that as long as we don't add things to the public API of Arecibo, any decision we take is a 2-way door.

[tchataigner]

Moved random_with_eval only to eval :)

[huitseeker]

You can use type_name! to avoid the need for the last parameter

[huitseeker]

Once you populate the eval_engine, type inference should populate the first parameter. IOW, this should work and remove the need for the engine param:
deterministic_assets::<_, $eval_engine, StdRng>($ell, &mut $rng);

[huitseeker]

This function looks great, though I'm not sure about its name: ell isn't a standard nomenclature.
Here are things that would help me grok what this function is for out of context, and that you could use to edit the comment, the name of this function, or more likely both :

• make it clear we're testing the prove and verify flow of Multilinear Polynomial Commitment Schemes (PCS),
• which in Nova are represented by EvaluationEngineTrait implementations for proving,
• replacing ell by the more evocative num_var, which becomes clear once the first bullet point has been stated clearly,
• avoid the mention of an Engine, which is implied and selected by a choice of EvaluationEngineTrait implementation,

[huitseeker]

Weird that cargo fmt didn't complain with the original indentation!?

[tchataigner]

Yes pretty strange, I kept the update as it seemed ok

[huitseeker]

One issue that only pops off the page now: at large values of ell, the generation of a proof is expensive, as you've no doubt noticed. Nonetheless, the output is completely deterministic.

One bad thing that's obscured by the benchmark_engines macro is that you're generating assets for a specific size (and EE choice), benching the proving, then re-generating those assets for the verification, and finally benching the verification. The assets could and should be shared between proving and verification I think.

[huitseeker]

I'm not sure we need all points in the [10-20] interval. [10, 12, 14 ,16, 18, 20] seem amply sufficient to me.
/cc @adr1anh

[adr1anh]

Given that the protocols we are benchmarking are linear in ell, I think it's fair to sample fewer iterations as we should be able to interpolate the results to the odd sizes.

[adr1anh]

Given that the protocols we are benchmarking are linear in ell, I think it's fair to sample fewer iterations as we should be able to interpolate the results to the odd sizes.

[adr1anh]

Instead of running the verification twice, you can do something like

let point = if evaluate_bad_proof {
    altered_verifier_point
} else {
  point
}
// Verify proof, should fail.
let mut verifier_transcript = E::TE::new(b"TestEval");
let res = EE::verify(
        &verifier_key,
        &mut verifier_transcript,
        commitment,
        &altered_verifier_point,
        &altered_verifier_eval,
        &proof,
);
assert_eq!(res.is_err(), evaluate_bad_proof); 

[tchataigner]

That's true, however this would also change how the method behave. Currently if evaluate_bad_proof is set to true it allows the method to test both a valid and a non valid proof. While your proposal makes it that I only test one of the two cases. The downside is that I would then have to call this helper method twice for unit tests, doubling the number of prove method call instead.

Even after this comment, if you still think I should go with your proposal I'll be happy to do it :)

[storojs72]

LGTM!

Obviously, it is hard to make some statements about performance without running benchmarks on variety of ELLs but I would may be consider specifying the ELL as a single digit via a command-line which can be useful while running single instance of the benchmark on developer's machine in order to get very rough information whether performance has been increased / decreased / left unchanged after some PR merged.

[storojs72]

As far as I understand, Flat is only suitable to use for very long-running benchmarks. Probably Auto can be more appropriate for the short-running ones, where ell is say 10 / 11 / 12. Does it make sense to split the benchmarks into short / long running categories?

[huitseeker]

Funny enough: in general the Flat sampling mode is fine for most cases ... except I looked at the sample distribution for this PR, and the standard deviation for ZM verification at ell = 10 doesn't look great. You're probably right @storojs72, good catch!

Though I would note one very simple way of addressing this is noting the bench runtimes, which are reasonable (<20s per ell setting, see the bench log on my M1 Mac at https://gist.github.com/huitseeker/015f07534f410e94d615684ecd86876f) re-run them without setting the sampling mode (defaulting to Auto), and see if the runtimes are still reasonable.

[tchataigner]

As we have removed all odds sizes we are only left with 10 and 12 from your example. I'm not sure that there is a need to split the code for 2 cases.

I would either make it Auto for all (might not be great for higher-end number of variables) or Flat (losing a bit of iterations on smaller number of variables but we should still get enough to have convincing results).

[huitseeker]

I'm explicitly suggesting Auto for all, and then revisiting the question if the overall bench runtime is larger than say 15 min.

[tchataigner]

I don't know why I couldn't see your comment when I put mine up. I'll update to Auto

[storojs72]

BenchAssets?

[tchataigner]

Assets used during our benchmark that are shared between the proving and verification steps. Useful to avoid having lengthy methods signatures.

[huitseeker]

Obviously, it is hard to make some statements about performance without running benchmarks on variety of ELLs but I would may be consider specifying the ELL as a single digit via a command-line which can be useful while running single instance of the benchmark on developer's machine in order to get very rough information whether performance has been increased / decreased / left unchanged after some PR merged.

A way to do this is to have the ELL array (currently a constant) be overridden by an environment variable. We can probably open an issue and tackle this after merging this PR.

[huitseeker]

I've re-run the benches on the same machine and the end-to-end runtime stands at 00:16:30, which I deem acceptable.
This looks great @tchataigner, thank you so much!