Merge pull request #130 from ConsenSys/groth16-setup-filter-inf

groth16: filter points at infinity in setup

backend/groth16/groth16.go

@@ -181,8 +181,10 @@ func ReadAndVerify(proof Proof, vk VerifyingKey, publicWitness io.Reader) error
 
 // Prove runs the groth16.Prove algorithm.
 //
-// If force flag is set, executes all the prover computations, even if the witness is invalid
-// (in which case it will produce an invalid proof)
+// if the force flag is set:
+// 	will executes all the prover computations, even if the witness is invalid
+//  will produce an invalid proof
+//	internally, the solution vector to the R1CS will be filled with random values which may impact benchmarking
 func Prove(r1cs frontend.CompiledConstraintSystem, pk ProvingKey, witness frontend.Circuit, force ...bool) (Proof, error) {
 
 	_force := false

frontend/cs.go

@@ -152,6 +152,17 @@ func newR1C(l, r, o Variable, s ...compiled.SolvingMethod) compiled.R1C {
 	if len(s) > 0 {
 		solver = s[0]
 	}
+
+	// interestingly, this is key to groth16 performance.
+	// l * r == r * l == o
+	// but the "l" linear expression is going to end up in the A matrix
+	// the "r" linear expression is going to end up in the B matrix
+	// the less variable we have appearing in the B matrix, the more likely groth16.Setup
+	// is going to produce infinity points in pk.G1.B and pk.G2.B, which will speed up proving time
+	if solver == compiled.SingleOutput && len(l.linExp) > len(r.linExp) {
+		l, r = r, l
+	}
+
 	return compiled.R1C{L: l.linExp.Clone(), R: r.linExp.Clone(), O: o.linExp.Clone(), Solver: solver}
 }
 

frontend/cs_api.go

@@ -244,7 +244,7 @@ func (cs *ConstraintSystem) Div(i1, i2 interface{}) Variable {
 			cs.constraints = append(cs.constraints, newR1C(t2, res, t1))
 		default:
 			tmp := cs.Constant(t2)
-			cs.constraints = append(cs.constraints, newR1C(tmp, res, t1))
+			cs.constraints = append(cs.constraints, newR1C(res, tmp, t1))
 		}
 	default:
 		switch t2 := i2.(type) {
@@ -255,7 +255,7 @@ func (cs *ConstraintSystem) Div(i1, i2 interface{}) Variable {
 		default:
 			tmp1 := cs.Constant(t1)
 			tmp2 := cs.Constant(t2)
-			cs.constraints = append(cs.constraints, newR1C(tmp2, res, tmp1))
+			cs.constraints = append(cs.constraints, newR1C(res, tmp2, tmp1))
 		}
 	}
 
@@ -438,7 +438,7 @@ func (cs *ConstraintSystem) Select(b Variable, i1, i2 interface{}) Variable {
 		v := cs.Sub(t1, i2)  // no constraint is recorded
 		w := cs.Sub(res, i2) // no constraint is recorded
 		//cs.Println("u-v: ", v)
-		cs.constraints = append(cs.constraints, newR1C(b, v, w))
+		cs.constraints = append(cs.constraints, newR1C(v, b, w))
 		return res
 	default:
 		switch t2 := i2.(type) {
@@ -447,7 +447,7 @@ func (cs *ConstraintSystem) Select(b Variable, i1, i2 interface{}) Variable {
 			res = cs.newInternalVariable()
 			v := cs.Sub(t1, t2)  // no constraint is recorded
 			w := cs.Sub(res, t2) // no constraint is recorded
-			cs.constraints = append(cs.constraints, newR1C(b, v, w))
+			cs.constraints = append(cs.constraints, newR1C(v, b, w))
 			return res
 		default:
 			// in this case, no constraint is recorded
@@ -567,7 +567,7 @@ func (cs *ConstraintSystem) markBoolean(v Variable) bool {
 	return true
 }
 
-// AssertIsBoolean adds an assertion in the constraint system (v == 0 || v == 1)
+// AssertIsBoolean adds an assertion in the constraint system (v == 0 || v == 1)
 func (cs *ConstraintSystem) AssertIsBoolean(v Variable) {
 
 	v.assertIsSet()
@@ -576,6 +576,8 @@ func (cs *ConstraintSystem) AssertIsBoolean(v Variable) {
 		return // variable is already constrained
 	}
 
+	// ensure v * (1 - v) == 0
+
 	_v := cs.Sub(1, v)  // no variable is recorded in the cs
 	o := cs.Constant(0) // no variable is recorded in the cs