Batch Verification API

[yaahc]

No description provided.

[dconnolly]

The CI is pinned to 1.44.0 and build failing, on 1.49.0 (latest stable toolchain) it's passing.

[daira]

Untested ACK :-)

[daira]

That's correct.

Suggested change

	acc_Gammas[0] += &z; // a_0 is implicitly set to 1 (??)
	acc_Gammas[0] += &z; // a_0 is implicitly set to 1

[daira]

This pairing could be precomputed.

[daira]

Also, calling the result Y could be a little confusing.

[ebfull]

@daira is right that it can be precomputed, but it's probably not more efficient in practice to do that. We do it in the groth16 verifier because we're just checking one proof and acc_Y = 1 more or less. In your case the multiplication by acc_Y is expensive -- it involves exponentiating by acc_Y because the result of the pairing is an element of a multiplicative subgroup of a large extension field. Instead, in practice it's probably just fine to do

ml_terms.push((E::G1Affine::from(vk.alpha_g1 * acc_Y), E::G2Prepared::from(vk.beta_g2)));

so you multiply the G1 element by acc_Y (because [z] e(A, B) = e([z] A, B) forall z, A, B) and then just add it to your multi-miller loop.

[str4d]

Please remove the last two commits.

[str4d]

This conflicts with #62, where the MSRV is set to 1.47.0.

[dconnolly]

Resolved to 1.47.0

[str4d]

Ditto.

[dconnolly]

Resolved to 1.47.0

[str4d]

We cannot change this until the MSRV is at least 1.48.0 (see zcash/librustzcash#279).

[dconnolly]

Reverted

[str4d]

@dconnolly

The CI is pinned to 1.44.0 and build failing, on 1.49.0 (latest stable toolchain) it's passing.

I believe that specific CI failure is related to #57 (the upstream rustc breakage landed in 1.49 IIRC). It should be possible to similarly work around the issues here.

[ebfull]

Constant factor improvement, but this can be done as a multiexp instead.

[ebfull]

let ml_terms = ml_terms.iter().map(|(a, b)| (a, b)).collect::<Vec<_>>();

[ebfull]

@daira is right that it can be precomputed, but it's probably not more efficient in practice to do that. We do it in the groth16 verifier because we're just checking one proof and acc_Y = 1 more or less. In your case the multiplication by acc_Y is expensive -- it involves exponentiating by acc_Y because the result of the pairing is an element of a multiplicative subgroup of a large extension field. Instead, in practice it's probably just fine to do

ml_terms.push((E::G1Affine::from(vk.alpha_g1 * acc_Y), E::G2Prepared::from(vk.beta_g2)));

so you multiply the G1 element by acc_Y (because [z] e(A, B) = e([z] A, B) forall z, A, B) and then just add it to your multi-miller loop.

[ebfull]

If you fold the change in like I mentioned then this becomes

if E::multi_miller_loop(&terms).final_exponentiation().is_identity().into() {

I think.

[dconnolly]

@ebfull @str4d I can't re-request a review from you in the github UI but 🙏

[dconnolly]

The clippy 'failure' if you do as it recommends it will not compile because:

‘z’: mismatched types
   expected reference `&<E as pairing::Engine>::Fr`
found associated type `<E as pairing::Engine>::Fr`
consider constraining the associated type `<E as pairing::Engine>::Fr` to `&<E as pairing::Engine>::Fr`
for more information, visit https://doc.rust-lang.org/book/ch19-03-advanced-traits.html [E0308]

[dconnolly]

@str4d @ebfull one more look? 🙏

[daira]

Untested ACK.

[str4d]

utACK b9737fc

[dconnolly]

@ebfull one more look por favor? 🙏

[ebfull]

Good job! :)

[dconnolly]

Yay, thank you!