-
Notifications
You must be signed in to change notification settings - Fork 129
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Parallelize SHPLONK multi-open prover #114
Parallelize SHPLONK multi-open prover #114
Conversation
Using |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!! Good work with this @jonathanpwang 🥳
I think this will make the order of The test below is trying to make sure the order doesn't depend on the opening point. halo2/halo2_proofs/src/poly/kzg/multiopen/shplonk.rs Lines 236 to 255 in 6a46bc9
And it's actually failed with this PR. One easy approach to make this PR adoptable is to additionally store |
Nice catch @han0110 I totally missed this. 👍 |
of the values of the opening points
Good catch @han0110 ! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The commit makes sense and looks good! As long as the commitments order is static, the verifier doesn't need to care about the opening point's order.
Nice improvement!
@kilic can you review this when you get a chance? |
* VerifyingKey Serialization: merge Nalin's PR zcash#661 that allows for vkey serialization/deserialization and fixes the previous selector optimization issue * fix: add `num_fixed_commitments` to vkey serialization so correct number of fixed columns, post selector compression, are read * fix: serialize/deserialize pkey directly to/from file * bn256: make `Fq2`, `Fq6`, `Fq12` public * fq12: fix comments to clarify computation of FQ12 coefficients and use of Montgomery form * update: remove serialization from evaluation as we now recalculate directly * feat: add trait `Hash` to `ff::Field` * feat: `region.assign_advice` now returns reference `&Assigned<F>` via `AssignedCell` * big change: in `prover::WitnessCollection` now use `Arc` to manage smart pointer to assigned advice value. * otherwise cannot pass a reference out of `assign_advice` because the lifetime of immutable borrow ends up forcing mutable borrow of constraint system to live too long * chore: restructure workspace to match halo2-ce monorepo * Squashed 'primitives/poseidon/' content from commit 5d29df01 git-subtree-dir: primitives/poseidon git-subtree-split: 5d29df01a95e3df6334080d28e983407f56b5da3 * primitives/poseidon: initial add from PSE repo * feat: add conversion functions to `ff:PrimeField` to go between `u64` limbs or `BigInt` * feat: add `is_zero_vartime` derived implementation for `Fr` * change `assign_advice` API to take `Value<Assigned<F>>` instead of `Value<F>` * Fix `secp256k1` compressed serialization * update: remove `region` from `Cell` since we only use one region * update: remove `?` from `WitnessCollection::assign_advice` due to performance issues * See comments for (more) unsafe code version that gets another 3-4% performance boost. * feat: add back `copy_advice` function for `AssignedCell<&Assigned<F>, F>` * feat: implement functions `row_offset` and `column` directly for `AssignedCell` (previously for `Cell`) * Add serde test for curves * feat: add `CurveAffineExt::into_coordinates` for raw unchecked affine coordinates of curve point * update: modify `assign_fixed` slightly for performance * feat: implement `ProvingKey` serialization without using external crates `serde` or `bincode` * examples: add `serialization` example to test `ProvingKey` read and write on "simple-example" * curves: switch to using rust nightly "bigint_helper_methods" for finite field implementations * further optimize finite field implementations by following gnark * also improve bigint conversion functions to limbs * feat: implement `From<$field>` for `[u64; 4]` so field elements can be converted to their little endian representation with `u64` limbs * feat: add `From<[u64;4]>` and `To<[u64;4]>` to field implementations * feat: add default implementation of `CurveAffineExt` for `CurveAffine` * feat: added `to/from_bytes` for `ProvingKey` and `VerifyingKey` * add `pack`/`unpack` helper functions between `&[bool]` and `u8` * made serialization example use smaller example of standard plonk for less code bloat * fix: get multi-phase constraint system to work with our version of `assign_advice` * exposed inner `Phase(u8)` to crate * feat: change `region.assign_advice` to allow any `Into<Assigned<F>>` but still always return `&Assigned<F>` * feat: change `layouter.assign_region` to take `FnOnce` closure instead of `FnMut` now that there is no "get shape" mode * feat: derive `Serialize`, `Deserialize` for common fields and curves * chore: derive `PartialEq, Hash` for `bn256::{Fq,Fr}` and `secp256k1::{Fp,Fq}` * I see no longer to use `ct_eq` direct implementation of `PartialEq` * deriving `Hash` for all fields because it may be useful and doesn't hurt * feat: add trait `SerdeObject` for serialization of objects into raw bytes * implement `SerdeObject` for all macro-derived prime fields (raw bytes means staying in Montgomery form) * implement `SerdeObject` for `Fq2` directly * implement `SerdeObject` via macro for curves `bn254` and `secp256k1` * add tests `test_serialization` for fields and curves * chore: remote direct `PartialEq` implementation in bn254/assembly * feat: read `VerifyingKey` and `ProvingKey` does not require `params` as long as we serialize `params.k()` * fix: add impl `SerdeObject` to assembly macro * feat: derive `Hash` for `Fq2, G1Affine, G2Affine` for future use * fix: change `assert` to `debug_assert` in `read_raw_unchecked` functions * feat: add `next_phase` and `get_challenge` functions to `Region` so that a circuit can move onto the next phase during a single call of `synthesize` * currently only supports `create_proof` on 1 circuit at a time; otherwise it is not compatible with the original API which does synthesize for all circuits in a single phase before moving onto the next * update: change `is_less_than` to use `borrowing_sub` because it is faster see privacy-scaling-explorations/halo2curves#10 (comment) for context * optimize: revert to old way of subtracting field elements without branching * see jonathanpwang/halo2curves@ea9af0d * feat: parallelize (cpu) shplonk prover * shplonk: improve `construct_intermediate_sets` using `BTreeSet` and `BTreeMap` more aggressively * shplonk: change `construct_intermediate_sets` to use `FxHashSet` instead of `BTreeSet` * shplonk: add `Send` and `Sync` to `Query` trait for more parallelization * chore: in derive `field`, default `mul` is `const` again * - Implements `PartialOrd` for `Value<F>` - Adds a `transpose` method to turn `Value<Result<_>>` into `Result<Value<_>>` - `Expression::identifier()` remove string memory reallocation * chore: switch to halo2curves 0.3.1 tag * Fix MockProver `assert_verify` panic errors (privacy-scaling-explorations#118) * fix: Support dynamic lookups in `MockProver::assert_verify` Since lookups can only be `Fixed` in Halo2-upstream, we need to add custom suport for the error rendering of dynamic lookups which doesn't come by default when we rebase to upstream. This means that now we have to print not only `AdviceQuery` results to render the `Expression` that is being looked up. But also support `Instance`, `Advice`, `Challenge` or any other expression types that are avaliable. This addresses the rendering issue, renaming also the `table_columns` variable for `lookup_columns` as the columns do not have the type `TableColumn` by default as opposite to what happens upstream. * fix: Don't error and emit empty String for Empty queries * feat: Add `assert_sarisfied_par` fn to `MockProver` * fix: Address clippy errors Resolves: privacy-scaling-explorations#116 * Remove partial ordering for value * Remove transpose * Parallelize SHPLONK multi-open prover (privacy-scaling-explorations#114) * feat: parallelize (cpu) shplonk prover * shplonk: improve `construct_intermediate_sets` using `BTreeSet` and `BTreeMap` more aggressively * shplonk: add `Send` and `Sync` to `Query` trait for more parallelization * fix: ensure the order of the collection of rotation sets is independent of the values of the opening points Co-authored-by: Jonathan Wang <[email protected]> * fix: FailureLocation::find empty-region handling (privacy-scaling-explorations#121) After working on fixing privacy-scaling-explorations/zkevm-circuits#1024, a bug was found in the verification fn of the MockProver which implies that while finding a FailureLocation, if a Region doesn't contain any rows. This is fixed by introducing a 2-line solution suggested by @lispc. Resolves: privacy-scaling-explorations#117 * feat: add enum `SerdeFormat` for user to select serialization/deserialization format of curve and field elements * fix: revert use of raw pointer in `MockProver` and switch to using `Arc` * feat: add docs --------- Co-authored-by: kilic <[email protected]> Co-authored-by: NoCtrlZ <[email protected]> Co-authored-by: Brechtpd <[email protected]> Co-authored-by: David Nevado <[email protected]> Co-authored-by: han0110 <[email protected]> Co-authored-by: Nalin Bhardwaj <[email protected]> Co-authored-by: Jonathan Wang <[email protected]> Co-authored-by: adria0 <nowhere@> Co-authored-by: Carlos Pérez <[email protected]> Co-authored-by: adria0.eth <[email protected]>
* - Implements `PartialOrd` for `Value<F>` - Adds a `transpose` method to turn `Value<Result<_>>` into `Result<Value<_>>` - `Expression::identifier()` remove string memory reallocation * Fix MockProver `assert_verify` panic errors (privacy-scaling-explorations#118) * fix: Support dynamic lookups in `MockProver::assert_verify` Since lookups can only be `Fixed` in Halo2-upstream, we need to add custom suport for the error rendering of dynamic lookups which doesn't come by default when we rebase to upstream. This means that now we have to print not only `AdviceQuery` results to render the `Expression` that is being looked up. But also support `Instance`, `Advice`, `Challenge` or any other expression types that are avaliable. This addresses the rendering issue, renaming also the `table_columns` variable for `lookup_columns` as the columns do not have the type `TableColumn` by default as opposite to what happens upstream. * fix: Don't error and emit empty String for Empty queries * feat: Add `assert_sarisfied_par` fn to `MockProver` * fix: Address clippy errors * chore: Address review comments * chore: Fix clippy lints Resolves: privacy-scaling-explorations#116 * Remove partial ordering for value * Remove transpose * Parallelize SHPLONK multi-open prover (privacy-scaling-explorations#114) * feat: parallelize (cpu) shplonk prover * shplonk: improve `construct_intermediate_sets` using `BTreeSet` and `BTreeMap` more aggressively * shplonk: add `Send` and `Sync` to `Query` trait for more parallelization * fix: ensure the order of the collection of rotation sets is independent of the values of the opening points Co-authored-by: Jonathan Wang <[email protected]> * fix: FailureLocation::find empty-region handling (privacy-scaling-explorations#121) After working on fixing privacy-scaling-explorations/zkevm-circuits#1024, a bug was found in the verification fn of the MockProver which implies that while finding a FailureLocation, if a Region doesn't contain any rows. This is fixed by introducing a 2-line solution suggested by @lispc. Resolves: privacy-scaling-explorations#117 * Feature: Expose Fixed columns & Assembly permutation structs in MockProver instance (privacy-scaling-explorations#123) * feat: Expose fixed columns in MockProver * change: Make `Assembly` object public & add getters * chore: Address leftover TODOs * Feature to serialize/deserialize KZG params, verifying key, and proving key into uncompressed Montgomery form (privacy-scaling-explorations#111) * feat: read `VerifyingKey` and `ProvingKey` does not require `params` as long as we serialize `params.k()` * feat: add features "serde-raw" and "raw-unchecked" to serialize/deserialize KZG params, verifying key, and proving key directly into raw bytes in internal memory format. So field elements are stored in Montgomery form `a * R (mod p)` and curve points are stored without compression. * chore: switch to halo2curves 0.3.1 tag * feat: add enum `SerdeFormat` for user to select serialization/deserialization format of curve and field elements Co-authored-by: Jonathan Wang <[email protected]> * Add support for Column annotations for MockProver debugging (privacy-scaling-explorations#109) * feat: Add `name_column` to `Layouter` & `RegionLayouter` This adds the trait-associated function `name_column` in order to enable the possibility of the Layouter to store annotations aobut the colums. This function does nothing for all the trait implementors (V1, SimpleFloor, Assembly....) except for the `MockProver`. Which is responsible of storing a map that links within a `Region` index, the `column::Metadata` to the annotation `String`. * feta: Update metadata/dbg structs to hold Col->Ann mapping * feat: Update emitter module to print Column annotations * feat: Add lookup column annotations This adds the fn `annotate_lookup_column` for `ConstraintSystem` which allows to carry annotations for the lookup columns declared for a circuit within a CS. * feat: Add Lookup TableColumn annotations This allows to annotate lookup `TableColumn`s and print it's annotation within the `assert_satisfied` fn. This has required to change the `ConstraintSystem::lookup_annotations` to have keys as `metadata::Column` rather than `usize` as otherwise it's impossible within the `emitter` scope to distinguish between regular advice columns (local to the Region) and fixed columns which come from `TableColumn`s. * fix: Customly derive PartialEq for metadata::Region This allows to ignore the annotation map of the metadata::Region so that is easier to match against `VerifyFailure` errors in tests. * fix: Update ConstraintNotSatisfied testcase * fix: Update Debug & Display for VerifyFailure It was necessary to improve the `prover.verify` output also. To do so, this required auxiliary types which are obfuscated to any other part of the lib but that are necessary in order to be able to inject the Column names inside of the `Column` section itself. This also required to re-implement manually `Debug` and `Display` for this enum. This closes zcash#705 * fix: Address clippy & warnings * fix: Add final comments & polish * fix: Resolve cherry-pick merge conflics & errors * chore: Change DebugColumn visibility * chore: Allow to fetch annotations from metadata * chore: Fix clippy lints * chore: Remove comments from code for testing * feat: Add support for Advice and Instance anns in lookups * feat: Allow `V1` layouter to annotate columns too * fix: Support `Constant` & `Selector` for lookup exprs * chore: Address review comments * chore: Propagete write! result in `VerifyFailure::Display` * chore: Address clippy lints * chore: Move Codecov, wasm-build, Bitrot & doc-tests to push (privacy-scaling-explorations#125) * chore: Move Codecov, wasm-build, Bitrot & doc-tests to push This should cut down significantly the CI times on every push done to a branch for a PR. Resolves: privacy-scaling-explorations#124 * chore: Add back `push` on CI checks * fix: Allow to compare `Assembly` structs (privacy-scaling-explorations#126) This was missing in privacy-scaling-explorations#123 so this PR fixes it. * Add keccak256 hasher for transcript (#2) * Add keccak256 hasher for transcript * Fix keccak256 common point prefix * Remove unnecessary hasher_* variables * fix: transcript instantiation in poseidon benchmark loop (privacy-scaling-explorations#128) * Improve performance of vk & pk keygen and of default `parallelize` chunking size (privacy-scaling-explorations#127) * Squashed commit of the following: commit 17e3c4e Author: Mickey <[email protected]> Date: Fri Jul 15 11:10:32 2022 +0800 speed up generate vk pk with multi-thread * fix * Improve performance of vk & pk keygen and of default `parallelize` chunking size. Reduces proving time on large circuits consistently >=3%. Builts upon [speed up generate vk pk with multi-thread](privacy-scaling-explorations#88) Fixes: privacy-scaling-explorations#83 * fix: Force `VerifyFailure` to own the annotations map (privacy-scaling-explorations#131) * fix: Force `VerifyFailure` to own the annotations map Since otherwise we can't move the `VerifyFailure` vec's confortably, and also, we're required to have a lot of lifetime annotations, it was decided to force the `VerifyFailure` to own the Annotation maps. This shouldn't be too harmful as it only triggers when testing. Resolves: privacy-scaling-explorations#130 * chore: Address clippy lints * feat: call synthesize in `MockProver` multiple times to behave same as real prover * feat: check advice assignment consistency between different phases * fix: Support annotations for CellNotAssigned in verify_par (privacy-scaling-explorations#138) * feat: Add `assert_satisfied_at_rows_par` variant (privacy-scaling-explorations#139) Resolves: privacy-scaling-explorations#133 * Expose mod `permutation` and re-export `permutation::keygen::Assembly` (privacy-scaling-explorations#149) * feat: expose mod ule `permutation` and re-export `permutation::keygen::Assembly` * feat: derive `lone` for `permutation::keygen::Assembly` * feat: bump MSRV for `inferno` * feat(MockProver): replace errors by asserts In MockProver, replace all code that returns an error by an assert that panics instead of returning the error. This change aims to make it easier to debug circuit code bugs by getting backtraces. * MockProver test utililities (privacy-scaling-explorations#153) * test/unwrap_value: escape Value safety in the dev module * test/mock-prover-values: MockProver exposes the generated columns to tests * test/mock-prover-values: doc * mockprover-util: remove unwrap_value --------- Co-authored-by: Aurélien Nicolas <[email protected]> * feat: Parallel random blinder poly impl (privacy-scaling-explorations#152) * feat: Parallelize `commit` blinder poly generator method Solves the concerns raised in privacy-scaling-explorations#151 related to the performance of the random poly generator inside of `commit`. Resolves: privacy-scaling-explorations#151 * chore: add `from_evals` for Polynomial * chore: add benches for commit_zk serial vs par * fix: Correct thread_seeds iter size * fix: Clippy * chore: apply review suggestions * fix: Inconsisten num of Scalars generated parallely This fix from @ed255 fixes an error on the code proposal which was rounding the num of Scalars to be generated and so, was producing failures. Co-authored-by: Edu <[email protected]> * remove: legacy comments & code --------- Co-authored-by: Edu <[email protected]> * change: Migrate workspace to pasta_curves-0.5 (privacy-scaling-explorations#157) * change: Migrate workspace to pasta_curves-0.5 This ports the majority of the workspace to the `pasta_curves-0.5.0` leaving some tricky edge-cases that we need to handle carefully. Resolves: privacy-scaling-explorations#132 * fix: Complete latest trait bounds to compile halo2proofs * change: Migrate examples & benches to pasta 0.5 * change: Migrate halo2_gadgets to pasta-0.5 * change: Update gadgets outdated code with latest upstream * fix: Sha3 gadget circuit * fix: doc tests * chore: Update merged main * fix: Apply review suggestions * fix: pin `halo2curves` version to `0.3.2` * Extend Circuit trait to take parameters in config (privacy-scaling-explorations#168) * Extend Circuit trait to take parameters in config The Circuit trait is extended with the following: ``` pub trait Circuit<F: Field> { /// [...] type Params: Default; fn params(&self) -> Self::Params { Self::Params::default() } fn configure_with_params(meta: &mut ConstraintSystem<F>, params: &Self::Params) -> Self::Config { Self::configure(meta) } fn configure(meta: &mut ConstraintSystem<F>) -> Self::Config; } ``` This allows runtime parametrization of the circuit configuration. The extension to the Circuit trait has been designed to minimize the breaking change: existing circuits only need to define the associated `type Params`. Unfortunately "Associated type defaults" are unstable in Rust, otherwise this would be a non-breaking change. See rust-lang/rust#29661 * Implement circuit params under feature flag * Don't overwrite configure method * Fix doc test * Allow halo2 constraint names to have non static names (privacy-scaling-explorations#156) * static ref to String type in Gates, Constraints, VirtualCell, Argument * 'lookup'.to_string() * return &str for gate name and constriant_name, also run fmt * Update halo2_gadgets/Cargo.toml Co-authored-by: Han <[email protected]> * upgrade rust-toochain --------- Co-authored-by: Carlos Pérez <[email protected]> Co-authored-by: Han <[email protected]> * Improve halo2 query calls (privacy-scaling-explorations#154) * return expression from cell * add example * selector * recurse Expression to fill in index * minimized changes from the original * backword compatible meta.query_X & challange.expr() * cargo fmt * fixed lookup to pass all tests * Update comments Co-authored-by: Brecht Devos <[email protected]> * Update comments Co-authored-by: Brecht Devos <[email protected]> * Update comments Co-authored-by: Brecht Devos <[email protected]> * Update comments Co-authored-by: Brecht Devos <[email protected]> * Update comments Co-authored-by: Brecht Devos <[email protected]> * Update comments Co-authored-by: Brecht Devos <[email protected]> * update Co-authored-by: Brecht Devos <[email protected]> * add primitives.rs back * remove example2 * backward compatible meta.query_X & Column.cur(), next(), prev(), at(usize) * impl Debug & make side effects only when query.index.is_none() * change impl Debug for Expression instead & revert test in plonk_api * upgrade rust-toolchain * Update halo2_proofs/src/plonk/circuit.rs Co-authored-by: Han <[email protected]> * Update halo2_proofs/src/plonk/circuit.rs Co-authored-by: Han <[email protected]> * ran clippy * Update halo2_proofs/src/plonk/circuit.rs Co-authored-by: Han <[email protected]> --------- Co-authored-by: Brecht Devos <[email protected]> Co-authored-by: Han <[email protected]> * fix: compute `num_chunks` more precisely (privacy-scaling-explorations#172) * Implement Clone trait for Hash, Absorbing, and Sponge structs (privacy-scaling-explorations#171) * Revert double-assignment mock prover check Revert the check introduced in privacy-scaling-explorations#129 to detect double assignments with different values, because it breaks some tests in the zkevm project. There's a legitimate use case of double assignment with different values, which is overwriting cells in order to perform negative tests (tests with bad witness that should not pass the constraints). Also in the EVM Circuit from the zkevm project we "abuse" the assignment of cells as a cache: sometimes we assign some cells with a guess value, and later on we reassign with the correct value. I believe this check is interesting to have, so we could think of ways to add it back as an optional feature. * fix: Fix serialization for VerifyingKey (privacy-scaling-explorations#178) Now the value returned when the number of selectors is a multiple of 8 is correct. Resolves: privacy-scaling-explorations#175 * Add more getters to expose internal fields * add a constructor (privacy-scaling-explorations#164) * add a constructor * add more comment * fix as review * remove clone * remove * no need to use new variable * change comment * fix clippy * rename to from_parts * remove n declaration * feat: send sync region (privacy-scaling-explorations#180) * feat: send / sync region * Update layout.rs * update * lol * debug * Update keygen.rs * Update keygen.rs * Update keygen.rs * Update keygen.rs * thread-safe-region feature flag * cleanup * patch dev-graph * patch non-determinism in mapping creation * reduce mem usage for vk and pk * mock proving examples * swap for hashmap for insertion speed * reduce update overhead * replace BTree with Vec * add benchmarks * make the benchmarks massive * patch clippy * simplify lifetimes * patch benches * Update halo2_proofs/src/plonk/permutation/keygen.rs Co-authored-by: Han <[email protected]> * Update halo2_proofs/examples/vector-mul.rs Co-authored-by: Han <[email protected]> * rm benches * order once * patch lints --------- Co-authored-by: Han <[email protected]> * Fix `parallelize` workload imbalance (privacy-scaling-explorations#186) * fix parallelize workload imbalance * remove the need of unsafe * implement native shuffle argument and api * fix: remove nonsense comment * strictly check shuffle rows * address doc typos * move compression into product commitment * typo * add shuffle errors for `verify_at_rows_par` * dedup expression evaluation * cargo fmt * fix fields in sanity-checks feature * Updates halo2_curves dependency to released package (privacy-scaling-explorations#190) THe package release ressets the version from those inherited by the legacy halo2curves repo's fork history. The upstream diff is: https://github.com/privacy-scaling-explorations/halo2curves/compare/9f5c50810bbefe779ee5cf1d852b2fe85dc35d5e..9a7f726fa74c8765bc7cdab11519cf285d169ecf * chore: remove monorepo Go back to having halo2curves and poseidon in separate repos. * chore: fix clippy and tests * fix: remove thread-safe-regions feature `WitnessCollection` in `create_proof` isn't thread-safe. We removed `Region`s from `SimpleLayouter` anyways. * fix: rustfmt * fix: dev-graph * chore: update lint CI name * chore: fix clippy * chore: autoexample = false turn off examples that use layouter * chore(CI): separate job for examples * chore: remove prefetch from asm, not used * chore: fix asm feature --------- Co-authored-by: adria0 <nowhere@> Co-authored-by: Carlos Pérez <[email protected]> Co-authored-by: adria0.eth <[email protected]> Co-authored-by: Jonathan Wang <[email protected]> Co-authored-by: kilic <[email protected]> Co-authored-by: dante <[email protected]> Co-authored-by: pinkiebell <[email protected]> Co-authored-by: han0110 <[email protected]> Co-authored-by: Eduard S <[email protected]> Co-authored-by: naure <[email protected]> Co-authored-by: Aurélien Nicolas <[email protected]> Co-authored-by: CeciliaZ030 <[email protected]> Co-authored-by: Brecht Devos <[email protected]> Co-authored-by: Enrico Bottazzi <[email protected]> Co-authored-by: Ethan-000 <[email protected]> Co-authored-by: Mamy Ratsimbazafy <[email protected]> Co-authored-by: kilic <[email protected]> Co-authored-by: François Garillot <[email protected]>
…-hk/dev-feature/gl-113-gen-decomp Implement K-high-low decomposition and range checking
…-hk/dev-feature/98-gen-fbsm Generalize fbsm part of Ecc Chip # Project Context Part of the SOW task of generalizing the Ecc Chip to Pluto. This builds on top of privacy-scaling-explorations#144. The corresponding Galois internal issue is [Galois#98](https://gitlab-ext.galois.com/iog-midnight/halo2/-/issues/98). # Issue Description This issue is concerned with generalizing the fixed-base scalar-mul (fbsm) part of the Ecc Chip to arbitrary curves. Besides generalizing all of the types, and adding tests for all supported curves, the major technical task is to generalize the canonicity check on the windowed scalar decomposition: this canonicity check ensures that the decomposition of the scalar into 3-bit windows is correct. This is a "range check" type task, similar to existing range checks in variable-base scalar mul. See the Halo 2 Book [chapter on fbsm](http://localhost:3000/design/gadgets/ecc/fixed-base-scalar-mul.html) for details. # Notes to Reviewers * The canonicity check is generalized in ["Generalize canonicity check using 3-high-low decomp"](input-output-hk/galois_recursion@f8d2927) (with corresponding book updates in ["[book] fbsm: generalize, and document simplified canonicity check"](560a7d3b9af6df3031584acce4d80c119388df60)). This is the second example application of the [$K$-high-low decomp](privacy-scaling-explorations#114), and again we see a bunch of complex, bespoke range checking being replaced by a conceptually simple use of the decomp gadget :) * The fbsm works by precomputing a table of multiples of a fixed base, and then using the values to improve the efficiency (constraint complexity / proof burden) of multiplying the fixed base by scalars. This precomputation is very expensive, already taking 1+ hours for Pallas. For Pluto/Eris the precomputation time jumps to 17+ hours, which makes running the tests impractical. However, in a later PR (privacy-scaling-explorations#147), we cache the precomputation for the test bases to disk, which reduces the test time to a few minutes. * This PR includes a simple custom gate, that replaces the more complex custom gate for the old canonicity check. The new custom gate should be replaced by calls to the [gen arith gate](input-output-hk/galois_recursion#58) once that's available.
…-hk/dev-feature/53-gen-eccc Implement Ecc Chip for Pluto ... and Vesta and Eris # Project Context This issue corresponds to the Milestone 3 updated SOW task "New: Extend EccChip to support Pluto". There is no corresponding GitHub issue, since this is the Pluto/Eris analog of supporting Pallas, which was the starting state. However, the work for this issue overlaps significantly with SOW task "zcash#578: Extend EccChip to support ~~Vesta~~ Eris" ([zcash#578](zcash#578)), since it seems easiest to just generalize to all curves at the same time. So, while we only need to ensure Pluto support for Milestone 3, the strategy we're using also gives Eris and Vesta support "for free". This builds on top of privacy-scaling-explorations#145 directly, depends directly on privacy-scaling-explorations#143 and privacy-scaling-explorations#144 as well, and is the culmination of generalization work that started at a lower level with privacy-scaling-explorations#101, privacy-scaling-explorations#107, and privacy-scaling-explorations#114. The corresponding Galois internal issue is [Galois#53](https://gitlab-ext.galois.com/iog-midnight/halo2/-/issues/53). # Issue Description Generalize the Ecc Chip to arbitrary curves, allowing any assumptions that apply to all of Pallas, Vesta, Pluto, and Eris. This work is broken up into several subtasks, concerned with updating the major components of the Ecc Chip ([vbsm](privacy-scaling-explorations#143), [fbsm](privacy-scaling-explorations#145), and [point witnessing](privacy-scaling-explorations#144)), along with the final work here of updating the full Ecc Chip to use all of the updated components, have tests for all curves, and provide instantiations for all curves. Behind the scenes there are various traits associated with the vbsm and fbsm generalizations, but the final Ecc Chip interface exposes `EccCurve` and `EccField` as the traits required for curves and fields used with Ecc Chip (and of course these traits are implemented for Pallas, Vesta, Pluto, Eris, and their fields).
The main commit d6f562a basically just changes two iterators to
par_iter
. On some circuit I tested this sped up the SHPLONK multi-open proving time at the end ofcreate_proof
from12s
to4s
.The other commits are optional and only give minor performance improvements. I used
BTreeSet
for a slightly more efficient/cleaner implementation of getting the distinct rotation sets. Then the last commit (which can be reverted if necessary) addsSend + Sync
to some traits for further parallelization.