Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Parallelize SHPLONK multi-open prover #114

Merged

Conversation

jonathanpwang
Copy link

The main commit d6f562a basically just changes two iterators to par_iter. On some circuit I tested this sped up the SHPLONK multi-open proving time at the end of create_proof from 12s to 4s.

The other commits are optional and only give minor performance improvements. I used BTreeSet for a slightly more efficient/cleaner implementation of getting the distinct rotation sets. Then the last commit (which can be reverted if necessary) adds Send + Sync to some traits for further parallelization.

@jonathanpwang
Copy link
Author

Using HashSet instead of BTreeSet gives some more microscopic improvements, but I didn't want to impose more trait conditions so I didn't bother.

Copy link
Member

@CPerezz CPerezz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!! Good work with this @jonathanpwang 🥳

@han0110
Copy link

han0110 commented Dec 28, 2022

I think this will make the order of rotation_sets depend on the opening point, which is making the code generated verifier much more difficult to be implement (imagine we need to sort the points in circuit or in evm).

The test below is trying to make sure the order doesn't depend on the opening point.

proptest! {
#[test]
fn test_intermediate_sets(
(queries_1, queries_2) in compare_queries(8, 8, 16)
) {
let IntermediateSets { rotation_sets, .. } = construct_intermediate_sets(queries_1);
let commitment_sets = rotation_sets.iter().map(|data|
data.commitments.iter().map(Commitment::get).collect::<Vec<_>>()
).collect::<Vec<_>>();
// It shouldn't matter what the point or eval values are; we should get
// the same exact point set indices and point indices again.
let IntermediateSets { rotation_sets: new_rotation_sets, .. } = construct_intermediate_sets(queries_2);
let new_commitment_sets = new_rotation_sets.iter().map(|data|
data.commitments.iter().map(Commitment::get).collect::<Vec<_>>()
).collect::<Vec<_>>();
assert_eq!(commitment_sets, new_commitment_sets);
}
}

And it's actually failed with this PR.

One easy approach to make this PR adoptable is to additionally store Rotation in Query, so that we can gain the efficiency without make the order depend on the opening point.

@CPerezz
Copy link
Member

CPerezz commented Dec 28, 2022

One easy approach to make this PR adoptable is to additionally store Rotation in Query, so that we can gain the efficiency without make the order depend on the opening point.

Nice catch @han0110 I totally missed this. 👍

@jonathanpwang
Copy link
Author

Good catch @han0110 !
My understanding is we need the collection of rotation sets to stay in the same order, but the ordering within each rotation set doesn't matter, since the verifier just computes the vanishing polynomial.
I think I fixed it just by not using the second BTreeMap (which was probably overkill anyways). It at least passes the prop test.
Can you take a look again?

Copy link

@han0110 han0110 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The commit makes sense and looks good! As long as the commitments order is static, the verifier doesn't need to care about the opening point's order.

Nice improvement!

@jonathanpwang
Copy link
Author

@kilic can you review this when you get a chance?

@CPerezz CPerezz merged commit b8e458e into privacy-scaling-explorations:main Jan 10, 2023
jonathanpwang added a commit to axiom-crypto/halo2 that referenced this pull request Feb 10, 2023
* VerifyingKey Serialization: merge Nalin's PR
zcash#661 that allows for vkey
serialization/deserialization and fixes the previous selector
optimization issue

* fix: add `num_fixed_commitments` to vkey serialization so correct number
of fixed columns, post selector compression, are read

* fix: serialize/deserialize pkey directly to/from file

* bn256: make `Fq2`, `Fq6`, `Fq12` public

* fq12: fix comments to clarify computation of FQ12 coefficients and use
of Montgomery form

* update: remove serialization from evaluation as we now recalculate directly

* feat: add trait `Hash` to `ff::Field`

* feat: `region.assign_advice` now returns reference `&Assigned<F>` via
`AssignedCell`

* big change: in `prover::WitnessCollection` now use `Arc` to manage smart
pointer to assigned advice value.

* otherwise cannot pass a reference out of `assign_advice` because the
  lifetime of immutable borrow ends up forcing mutable borrow of
constraint system to live too long

* chore: restructure workspace to match halo2-ce monorepo

* Squashed 'primitives/poseidon/' content from commit 5d29df01

git-subtree-dir: primitives/poseidon
git-subtree-split: 5d29df01a95e3df6334080d28e983407f56b5da3

* primitives/poseidon: initial add from PSE repo

* feat: add conversion functions to `ff:PrimeField` to go between `u64`
limbs or `BigInt`

* feat: add `is_zero_vartime` derived implementation for `Fr`

* change `assign_advice` API to take `Value<Assigned<F>>` instead of
  `Value<F>`

* Fix `secp256k1` compressed serialization

* update: remove `region` from `Cell` since we only use one region

* update: remove `?` from `WitnessCollection::assign_advice` due to
performance issues
* See comments for (more) unsafe code version that gets another 3-4%
  performance boost.

* feat: add back `copy_advice` function for `AssignedCell<&Assigned<F>,
F>`

* feat: implement functions `row_offset` and `column` directly for
`AssignedCell` (previously for `Cell`)

* Add serde test for curves

* feat: add `CurveAffineExt::into_coordinates` for raw unchecked affine coordinates of curve point

* update: modify `assign_fixed` slightly for performance

* feat: implement `ProvingKey` serialization without using external crates
`serde` or `bincode`

* examples: add `serialization` example to test `ProvingKey` read and
write on "simple-example"

* curves: switch to using rust nightly "bigint_helper_methods" for finite
field implementations

* further optimize finite field implementations by following gnark

* also improve bigint conversion functions to limbs

* feat: implement `From<$field>` for `[u64; 4]` so field elements can be
converted to their little endian representation with `u64` limbs

* feat: add `From<[u64;4]>` and `To<[u64;4]>` to field implementations

* feat: add default implementation of `CurveAffineExt` for `CurveAffine`

* feat: added `to/from_bytes` for `ProvingKey` and `VerifyingKey`

* add `pack`/`unpack` helper functions between `&[bool]` and `u8`
* made serialization example use smaller example of standard plonk for
  less code bloat

* fix: get multi-phase constraint system to work with our version of
`assign_advice`

* exposed inner `Phase(u8)` to crate

* feat: change `region.assign_advice` to allow any `Into<Assigned<F>>` but
still always return `&Assigned<F>`

* feat: change `layouter.assign_region` to take `FnOnce` closure instead
of `FnMut` now that there is no "get shape" mode

* feat: derive `Serialize`, `Deserialize` for common fields and curves

* chore: derive `PartialEq, Hash` for `bn256::{Fq,Fr}` and
`secp256k1::{Fp,Fq}`
* I see no longer to use `ct_eq` direct implementation of `PartialEq`
* deriving `Hash` for all fields because it may be useful and doesn't
  hurt

* feat: add trait `SerdeObject` for serialization of objects into raw
bytes

* implement `SerdeObject` for all macro-derived prime fields (raw bytes
  means staying in Montgomery form)
* implement `SerdeObject` for `Fq2` directly
* implement `SerdeObject` via macro for curves `bn254` and `secp256k1`
* add tests `test_serialization` for fields and curves

* chore: remote direct `PartialEq` implementation in bn254/assembly

* feat: read `VerifyingKey` and `ProvingKey` does not require `params` as
long as we serialize `params.k()`

* fix: add impl `SerdeObject` to assembly macro

* feat: derive `Hash` for `Fq2, G1Affine, G2Affine` for future use

* fix: change `assert` to `debug_assert` in `read_raw_unchecked` functions

* feat: add `next_phase` and `get_challenge` functions to `Region` so that
a circuit can move onto the next phase during a single call of
`synthesize`
* currently only supports `create_proof` on 1 circuit at a time;
  otherwise it is not compatible with the original API which does
synthesize for all circuits in a single phase before moving onto the
next

* update: change `is_less_than` to use `borrowing_sub` because it is
faster
see
privacy-scaling-explorations/halo2curves#10 (comment)
for context

* optimize: revert to old way of subtracting field elements without
branching

* see jonathanpwang/halo2curves@ea9af0d

* feat: parallelize (cpu) shplonk prover

* shplonk: improve `construct_intermediate_sets` using `BTreeSet` and
`BTreeMap` more aggressively

* shplonk: change `construct_intermediate_sets` to use `FxHashSet` instead
of `BTreeSet`

* shplonk: add `Send` and `Sync` to `Query` trait for more parallelization

* chore: in derive `field`, default `mul` is `const` again

* - Implements `PartialOrd` for `Value<F>`
- Adds a `transpose` method to turn `Value<Result<_>>` into
  `Result<Value<_>>`
- `Expression::identifier()` remove string memory reallocation

* chore: switch to halo2curves 0.3.1 tag

* Fix MockProver `assert_verify` panic errors (privacy-scaling-explorations#118)

* fix: Support dynamic lookups in `MockProver::assert_verify`

Since lookups can only be `Fixed` in Halo2-upstream, we need to add
custom suport for the error rendering of dynamic lookups which doesn't
come by default when we rebase to upstream.

This means that now we have to print not only `AdviceQuery` results to
render the `Expression` that is being looked up. But also support
`Instance`, `Advice`, `Challenge` or any other expression types that are
avaliable.

This addresses the rendering issue, renaming also the `table_columns`
variable for `lookup_columns` as the columns do not have the type
`TableColumn` by default as opposite to what happens upstream.

* fix: Don't error and emit empty String for Empty queries

* feat: Add `assert_sarisfied_par` fn to `MockProver`

* fix: Address clippy errors

Resolves: privacy-scaling-explorations#116

* Remove partial ordering for value

* Remove transpose

* Parallelize SHPLONK multi-open prover (privacy-scaling-explorations#114)

* feat: parallelize (cpu) shplonk prover

* shplonk: improve `construct_intermediate_sets` using `BTreeSet` and
`BTreeMap` more aggressively

* shplonk: add `Send` and `Sync` to `Query` trait for more parallelization

* fix: ensure the order of the collection of rotation sets is independent
of the values of the opening points

Co-authored-by: Jonathan Wang <[email protected]>

* fix: FailureLocation::find empty-region handling (privacy-scaling-explorations#121)

After working on fixing
privacy-scaling-explorations/zkevm-circuits#1024, a bug was found in the
verification fn of the MockProver which implies that while finding a
FailureLocation, if a Region doesn't contain any rows.

This is fixed by introducing a 2-line solution suggested by @lispc.

Resolves: privacy-scaling-explorations#117

* feat: add enum `SerdeFormat` for user to select
serialization/deserialization format of curve and field elements

* fix: revert use of raw pointer in `MockProver` and switch to using `Arc`

* feat: add docs

---------

Co-authored-by: kilic <[email protected]>
Co-authored-by: NoCtrlZ <[email protected]>
Co-authored-by: Brechtpd <[email protected]>
Co-authored-by: David Nevado <[email protected]>
Co-authored-by: han0110 <[email protected]>
Co-authored-by: Nalin Bhardwaj <[email protected]>
Co-authored-by: Jonathan Wang <[email protected]>
Co-authored-by: adria0 <nowhere@>
Co-authored-by: Carlos Pérez <[email protected]>
Co-authored-by: adria0.eth <[email protected]>
jonathanpwang added a commit to axiom-crypto/halo2 that referenced this pull request Aug 15, 2023
* - Implements `PartialOrd` for `Value<F>`
- Adds a `transpose` method to turn `Value<Result<_>>` into
  `Result<Value<_>>`
- `Expression::identifier()` remove string memory reallocation

* Fix MockProver `assert_verify` panic errors (privacy-scaling-explorations#118)

* fix: Support dynamic lookups in `MockProver::assert_verify`

Since lookups can only be `Fixed` in Halo2-upstream, we need to add
custom suport for the error rendering of dynamic lookups which doesn't
come by default when we rebase to upstream.

This means that now we have to print not only `AdviceQuery` results to
render the `Expression` that is being looked up. But also support
`Instance`, `Advice`, `Challenge` or any other expression types that are
avaliable.

This addresses the rendering issue, renaming also the `table_columns`
variable for `lookup_columns` as the columns do not have the type
`TableColumn` by default as opposite to what happens upstream.

* fix: Don't error and emit empty String for Empty queries

* feat: Add `assert_sarisfied_par` fn to `MockProver`

* fix: Address clippy errors

* chore: Address review comments

* chore: Fix clippy lints

Resolves: privacy-scaling-explorations#116

* Remove partial ordering for value

* Remove transpose

* Parallelize SHPLONK multi-open prover (privacy-scaling-explorations#114)

* feat: parallelize (cpu) shplonk prover

* shplonk: improve `construct_intermediate_sets` using `BTreeSet` and
`BTreeMap` more aggressively

* shplonk: add `Send` and `Sync` to `Query` trait for more parallelization

* fix: ensure the order of the collection of rotation sets is independent
of the values of the opening points

Co-authored-by: Jonathan Wang <[email protected]>

* fix: FailureLocation::find empty-region handling (privacy-scaling-explorations#121)

After working on fixing
privacy-scaling-explorations/zkevm-circuits#1024, a bug was found in the
verification fn of the MockProver which implies that while finding a
FailureLocation, if a Region doesn't contain any rows.

This is fixed by introducing a 2-line solution suggested by @lispc.

Resolves: privacy-scaling-explorations#117

* Feature: Expose Fixed columns & Assembly permutation structs in MockProver instance (privacy-scaling-explorations#123)

* feat: Expose fixed columns in MockProver

* change: Make `Assembly` object public & add getters

* chore: Address leftover TODOs

* Feature to serialize/deserialize KZG params, verifying key, and proving key into uncompressed Montgomery form (privacy-scaling-explorations#111)

* feat: read `VerifyingKey` and `ProvingKey` does not require `params` as
long as we serialize `params.k()`

* feat: add features "serde-raw" and "raw-unchecked" to
serialize/deserialize KZG params, verifying key, and proving key
directly into raw bytes in internal memory format.
So field elements are stored in Montgomery form `a * R (mod p)` and
curve points are stored without compression.

* chore: switch to halo2curves 0.3.1 tag

* feat: add enum `SerdeFormat` for user to select
serialization/deserialization format of curve and field elements

Co-authored-by: Jonathan Wang <[email protected]>

* Add support for Column annotations for MockProver debugging (privacy-scaling-explorations#109)

* feat: Add `name_column` to `Layouter` & `RegionLayouter`

This adds the trait-associated function `name_column` in order to enable
the possibility of the Layouter to store annotations aobut the colums.

This function does nothing for all the trait implementors (V1,
SimpleFloor, Assembly....) except for the `MockProver`. Which is
responsible of storing a map that links within a `Region` index, the
`column::Metadata` to the annotation `String`.

* feta: Update metadata/dbg structs to hold Col->Ann mapping

* feat: Update emitter module to print Column annotations

* feat: Add lookup column annotations

This adds the fn `annotate_lookup_column` for `ConstraintSystem` which
allows to carry annotations for the lookup columns declared for a
circuit within a CS.

* feat: Add Lookup TableColumn annotations

This allows to annotate lookup `TableColumn`s and print it's annotation
within the `assert_satisfied` fn.

This has required to change the `ConstraintSystem::lookup_annotations`
to have keys as `metadata::Column` rather than `usize` as otherwise it's
impossible within the `emitter` scope to distinguish between regular
advice columns (local to the Region) and fixed columns which come from
`TableColumn`s.

* fix: Customly derive PartialEq for metadata::Region

This allows to ignore the annotation map of the metadata::Region so that
is easier to match against `VerifyFailure` errors in tests.

* fix: Update ConstraintNotSatisfied testcase

* fix: Update Debug & Display for VerifyFailure

It was necessary to improve the `prover.verify` output also. To do so,
this required auxiliary types which are obfuscated to any other part of the lib
but that are necessary in order to be able to inject the Column names inside of
the `Column` section itself.
This also required to re-implement manually `Debug` and `Display` for this enum.

This closes zcash#705

* fix: Address clippy & warnings

* fix: Add final comments & polish

* fix: Resolve cherry-pick merge conflics & errors

* chore: Change DebugColumn visibility

* chore: Allow to fetch annotations from metadata

* chore: Fix clippy lints

* chore: Remove comments from code for testing

* feat: Add support for Advice and Instance anns in lookups

* feat: Allow `V1` layouter to annotate columns too

* fix: Support `Constant` & `Selector` for lookup exprs

* chore: Address review comments

* chore: Propagete write! result in `VerifyFailure::Display`

* chore: Address clippy lints

* chore: Move Codecov, wasm-build, Bitrot & doc-tests to push (privacy-scaling-explorations#125)

* chore: Move Codecov, wasm-build, Bitrot & doc-tests to push

This should cut down significantly the CI times on every push done to a
branch for a PR.
Resolves: privacy-scaling-explorations#124

* chore: Add back `push` on CI checks

* fix: Allow to compare `Assembly` structs (privacy-scaling-explorations#126)

This was missing in privacy-scaling-explorations#123 so this PR fixes it.

* Add keccak256 hasher for transcript (#2)

* Add keccak256 hasher for transcript

* Fix keccak256 common point prefix

* Remove unnecessary hasher_* variables

* fix: transcript instantiation in poseidon benchmark loop (privacy-scaling-explorations#128)

* Improve performance of vk & pk keygen and of default `parallelize` chunking size (privacy-scaling-explorations#127)

* Squashed commit of the following:

commit 17e3c4e
Author: Mickey <[email protected]>
Date:   Fri Jul 15 11:10:32 2022 +0800

    speed up generate vk pk with multi-thread

* fix

* Improve performance of vk & pk keygen and of default `parallelize` chunking size.

Reduces proving time on large circuits consistently >=3%.
Builts upon [speed up generate vk pk with multi-thread](privacy-scaling-explorations#88)
Fixes: privacy-scaling-explorations#83

* fix: Force `VerifyFailure` to own the annotations map (privacy-scaling-explorations#131)

* fix: Force `VerifyFailure` to own the annotations map

Since otherwise we can't move the `VerifyFailure` vec's confortably, and
also, we're required to have a lot of lifetime annotations, it was
decided to force the `VerifyFailure` to own the Annotation maps.

This shouldn't be too harmful as it only triggers when testing.

Resolves: privacy-scaling-explorations#130

* chore: Address clippy lints

* feat: call synthesize in `MockProver` multiple times to behave same as real prover

* feat: check advice assignment consistency between different phases

* fix: Support annotations for CellNotAssigned in verify_par (privacy-scaling-explorations#138)

* feat: Add `assert_satisfied_at_rows_par` variant (privacy-scaling-explorations#139)

Resolves: privacy-scaling-explorations#133

* Expose mod `permutation` and re-export `permutation::keygen::Assembly` (privacy-scaling-explorations#149)

* feat: expose mod ule `permutation` and re-export `permutation::keygen::Assembly`

* feat: derive `lone` for `permutation::keygen::Assembly`

* feat: bump MSRV for `inferno`

* feat(MockProver): replace errors by asserts

In MockProver, replace all code that returns an error by an assert that panics instead of returning the error.  This change aims to make it easier to debug circuit code bugs by getting backtraces.

* MockProver test utililities (privacy-scaling-explorations#153)

* test/unwrap_value: escape Value safety in the dev module

* test/mock-prover-values: MockProver exposes the generated columns to tests

* test/mock-prover-values: doc

* mockprover-util: remove unwrap_value

---------

Co-authored-by: Aurélien Nicolas <[email protected]>

* feat: Parallel random blinder poly impl (privacy-scaling-explorations#152)

* feat: Parallelize `commit` blinder poly generator method

Solves the concerns raised in privacy-scaling-explorations#151 related to the performance of the
random poly generator inside of `commit`.

Resolves: privacy-scaling-explorations#151

* chore: add `from_evals` for Polynomial

* chore: add benches for commit_zk serial vs par

* fix: Correct thread_seeds iter size

* fix: Clippy

* chore: apply review suggestions

* fix: Inconsisten num of Scalars generated parallely

This fix from @ed255 fixes an error on the code proposal which was
rounding the num of Scalars to be generated and so, was producing
failures.

Co-authored-by: Edu <[email protected]>

* remove: legacy comments & code

---------

Co-authored-by: Edu <[email protected]>

* change: Migrate workspace to pasta_curves-0.5 (privacy-scaling-explorations#157)

* change: Migrate workspace to pasta_curves-0.5

This ports the majority of the workspace to the `pasta_curves-0.5.0`
leaving some tricky edge-cases that we need to handle carefully.

Resolves: privacy-scaling-explorations#132

* fix: Complete latest trait bounds to compile halo2proofs

* change: Migrate examples & benches to pasta 0.5

* change: Migrate halo2_gadgets to pasta-0.5

* change: Update gadgets outdated code with latest upstream

* fix: Sha3 gadget circuit

* fix: doc tests

* chore: Update merged main

* fix: Apply review suggestions

* fix: pin `halo2curves` version to `0.3.2`

* Extend Circuit trait to take parameters in config (privacy-scaling-explorations#168)

* Extend Circuit trait to take parameters in config

The Circuit trait is extended with the following:
```
pub trait Circuit<F: Field> {
    /// [...]
    type Params: Default;

    fn params(&self) -> Self::Params {
        Self::Params::default()
    }

    fn configure_with_params(meta: &mut ConstraintSystem<F>, params: &Self::Params) -> Self::Config {
        Self::configure(meta)
    }

    fn configure(meta: &mut ConstraintSystem<F>) -> Self::Config;
}
```

This allows runtime parametrization of the circuit configuration.  The extension to the Circuit trait has been designed to minimize the breaking change: existing circuits only need to define the associated `type Params`.

Unfortunately "Associated type defaults" are unstable in Rust, otherwise this would be a non-breaking change.  See rust-lang/rust#29661

* Implement circuit params under feature flag

* Don't overwrite configure method

* Fix doc test

* Allow halo2 constraint names to have non static names (privacy-scaling-explorations#156)

* static ref to String type in Gates, Constraints, VirtualCell, Argument

* 'lookup'.to_string()

* return &str for gate name and constriant_name, also run fmt

* Update halo2_gadgets/Cargo.toml

Co-authored-by: Han <[email protected]>

* upgrade rust-toochain

---------

Co-authored-by: Carlos Pérez <[email protected]>
Co-authored-by: Han <[email protected]>

* Improve halo2 query calls (privacy-scaling-explorations#154)

* return expression from cell

* add example

* selector

* recurse Expression to fill in index

* minimized changes from the original

* backword compatible meta.query_X & challange.expr()

* cargo fmt

* fixed lookup to pass all tests

* Update comments

Co-authored-by: Brecht Devos <[email protected]>

* Update comments

Co-authored-by: Brecht Devos <[email protected]>

* Update comments

Co-authored-by: Brecht Devos <[email protected]>

* Update comments

Co-authored-by: Brecht Devos <[email protected]>

* Update comments

Co-authored-by: Brecht Devos <[email protected]>

* Update comments

Co-authored-by: Brecht Devos <[email protected]>

* update

Co-authored-by: Brecht Devos <[email protected]>

* add primitives.rs back

* remove example2

* backward compatible meta.query_X & Column.cur(), next(), prev(), at(usize)

* impl Debug & make side effects only when query.index.is_none()

* change impl Debug for Expression instead & revert test in plonk_api

* upgrade rust-toolchain

* Update halo2_proofs/src/plonk/circuit.rs

Co-authored-by: Han <[email protected]>

* Update halo2_proofs/src/plonk/circuit.rs

Co-authored-by: Han <[email protected]>

* ran clippy

* Update halo2_proofs/src/plonk/circuit.rs

Co-authored-by: Han <[email protected]>

---------

Co-authored-by: Brecht Devos <[email protected]>
Co-authored-by: Han <[email protected]>

* fix: compute `num_chunks` more precisely (privacy-scaling-explorations#172)

* Implement Clone trait for Hash, Absorbing, and Sponge structs (privacy-scaling-explorations#171)

* Revert double-assignment mock prover check

Revert the check introduced in
privacy-scaling-explorations#129 to detect double
assignments with different values, because it breaks some tests in the zkevm
project.

There's a legitimate use case of double assignment with different values, which
is overwriting cells in order to perform negative tests (tests with bad witness
that should not pass the constraints).

Also in the EVM Circuit from the zkevm project we "abuse" the assignment of
cells as a cache: sometimes we assign some cells with a guess value, and later
on we reassign with the correct value.

I believe this check is interesting to have, so we could think of ways to add
it back as an optional feature.

* fix: Fix serialization for VerifyingKey (privacy-scaling-explorations#178)

Now the value returned when the number of selectors is a multiple of 8
is correct.

Resolves: privacy-scaling-explorations#175

* Add more getters to expose internal fields

* add a constructor (privacy-scaling-explorations#164)

* add a constructor

* add more comment

* fix as review

* remove clone

* remove

* no need to use new variable

* change comment

* fix clippy

* rename to from_parts

* remove n declaration

* feat: send sync region (privacy-scaling-explorations#180)

* feat: send / sync region

* Update layout.rs

* update

* lol

* debug

* Update keygen.rs

* Update keygen.rs

* Update keygen.rs

* Update keygen.rs

* thread-safe-region feature flag

* cleanup

* patch dev-graph

* patch non-determinism in mapping creation

* reduce mem usage for vk and pk

* mock proving examples

* swap for hashmap for insertion speed

* reduce update overhead

* replace BTree with Vec

* add benchmarks

* make the benchmarks massive

* patch clippy

* simplify lifetimes

* patch benches

* Update halo2_proofs/src/plonk/permutation/keygen.rs

Co-authored-by: Han <[email protected]>

* Update halo2_proofs/examples/vector-mul.rs

Co-authored-by: Han <[email protected]>

* rm benches

* order once

* patch lints

---------

Co-authored-by: Han <[email protected]>

* Fix `parallelize` workload imbalance (privacy-scaling-explorations#186)

* fix parallelize workload imbalance

* remove the need of unsafe

* implement native shuffle argument and api

* fix: remove nonsense comment

* strictly check shuffle rows

* address doc typos

* move compression into product commitment

* typo

* add shuffle errors for `verify_at_rows_par`

* dedup expression evaluation

* cargo fmt

* fix fields in sanity-checks feature

* Updates halo2_curves dependency to released package (privacy-scaling-explorations#190)

THe package release ressets the version from those inherited by the legacy
halo2curves repo's fork history.

The upstream diff is:
https://github.com/privacy-scaling-explorations/halo2curves/compare/9f5c50810bbefe779ee5cf1d852b2fe85dc35d5e..9a7f726fa74c8765bc7cdab11519cf285d169ecf

* chore: remove monorepo

Go back to having halo2curves and poseidon in separate repos.

* chore: fix clippy and tests

* fix: remove thread-safe-regions feature

`WitnessCollection` in `create_proof` isn't thread-safe.
We removed `Region`s from `SimpleLayouter` anyways.

* fix: rustfmt

* fix: dev-graph

* chore: update lint CI name

* chore: fix clippy

* chore: autoexample = false

turn off examples that use layouter

* chore(CI): separate job for examples

* chore: remove prefetch from asm, not used

* chore: fix asm feature

---------

Co-authored-by: adria0 <nowhere@>
Co-authored-by: Carlos Pérez <[email protected]>
Co-authored-by: adria0.eth <[email protected]>
Co-authored-by: Jonathan Wang <[email protected]>
Co-authored-by: kilic <[email protected]>
Co-authored-by: dante <[email protected]>
Co-authored-by: pinkiebell <[email protected]>
Co-authored-by: han0110 <[email protected]>
Co-authored-by: Eduard S <[email protected]>
Co-authored-by: naure <[email protected]>
Co-authored-by: Aurélien Nicolas <[email protected]>
Co-authored-by: CeciliaZ030 <[email protected]>
Co-authored-by: Brecht Devos <[email protected]>
Co-authored-by: Enrico Bottazzi <[email protected]>
Co-authored-by: Ethan-000 <[email protected]>
Co-authored-by: Mamy Ratsimbazafy <[email protected]>
Co-authored-by: kilic <[email protected]>
Co-authored-by: François Garillot <[email protected]>
iquerejeta pushed a commit to input-output-hk/halo2 that referenced this pull request May 8, 2024
…-hk/dev-feature/gl-113-gen-decomp

Implement K-high-low decomposition and range checking
iquerejeta pushed a commit to input-output-hk/halo2 that referenced this pull request May 8, 2024
…-hk/dev-feature/98-gen-fbsm

Generalize fbsm part of Ecc Chip

# Project Context

Part of the SOW task of generalizing the Ecc Chip to Pluto.

This builds on top of privacy-scaling-explorations#144.

The corresponding Galois internal issue is [Galois#98](https://gitlab-ext.galois.com/iog-midnight/halo2/-/issues/98).

# Issue Description

This issue is concerned with generalizing the fixed-base scalar-mul (fbsm) part of the Ecc Chip to arbitrary curves.

Besides generalizing all of the types, and adding tests for all supported curves, the major technical task is to generalize the canonicity check on the windowed scalar decomposition: this canonicity check ensures that the decomposition of the scalar into 3-bit windows is correct. This is a "range check" type task, similar to existing range checks in variable-base scalar mul.

See the Halo 2 Book [chapter on fbsm](http://localhost:3000/design/gadgets/ecc/fixed-base-scalar-mul.html) for details.

# Notes to Reviewers

* The canonicity check is generalized in ["Generalize canonicity check using 3-high-low decomp"](input-output-hk/galois_recursion@f8d2927) (with corresponding book updates in ["[book] fbsm: generalize, and document simplified canonicity check"](560a7d3b9af6df3031584acce4d80c119388df60)). This is the second example application of the [$K$-high-low decomp](privacy-scaling-explorations#114), and again we see a bunch of complex, bespoke range checking being replaced by a conceptually simple use of the decomp gadget :)

* The fbsm works by precomputing a table of multiples of a fixed base, and then using the values to improve the efficiency (constraint complexity / proof burden) of multiplying the fixed base by scalars. This precomputation is very expensive, already taking 1+ hours for Pallas. For Pluto/Eris the precomputation time jumps to 17+ hours, which makes running the tests impractical. However, in a later PR (privacy-scaling-explorations#147), we cache the precomputation for the test bases to disk, which reduces the test time to a few minutes.

* This PR includes a simple custom gate, that replaces the more complex custom gate for the old canonicity check. The new custom gate should be replaced by calls to the [gen arith gate](input-output-hk/galois_recursion#58) once that's available.
iquerejeta pushed a commit to input-output-hk/halo2 that referenced this pull request May 8, 2024
…-hk/dev-feature/53-gen-eccc

Implement Ecc Chip for Pluto ... and Vesta and Eris

# Project Context

This issue corresponds to the Milestone 3 updated SOW task "New: Extend EccChip to support Pluto". There is no corresponding GitHub issue, since this is the Pluto/Eris analog of supporting Pallas, which was the starting state. However, the work for this issue overlaps significantly with SOW task "zcash#578: Extend EccChip to support ~~Vesta~~ Eris" ([zcash#578](zcash#578)), since it seems easiest to just generalize to all curves at the same time. So, while we only need to ensure Pluto support for Milestone 3, the strategy we're using also gives Eris and Vesta support "for free".

This builds on top of privacy-scaling-explorations#145 directly, depends directly on privacy-scaling-explorations#143 and privacy-scaling-explorations#144 as well, and is the culmination of generalization work that started at a lower level with privacy-scaling-explorations#101, privacy-scaling-explorations#107, and privacy-scaling-explorations#114. 

The corresponding Galois internal issue is [Galois#53](https://gitlab-ext.galois.com/iog-midnight/halo2/-/issues/53).

# Issue Description

Generalize the Ecc Chip to arbitrary curves, allowing any assumptions that apply to all of Pallas, Vesta, Pluto, and Eris. This work is broken up into several subtasks, concerned with updating the major components of the Ecc Chip ([vbsm](privacy-scaling-explorations#143), [fbsm](privacy-scaling-explorations#145), and [point witnessing](privacy-scaling-explorations#144)), along with the final work here of updating the full Ecc Chip to use all of the updated components, have tests for all curves, and provide instantiations for all curves.

Behind the scenes there are various traits associated with the vbsm and fbsm generalizations, but the final Ecc Chip interface exposes `EccCurve` and `EccField` as the traits required for curves and fields used with Ecc Chip (and of course these traits are implemented for Pallas, Vesta, Pluto, Eris, and their fields).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants