Perf: variant of the Karabina cyclotomic squaring #933

Merged
merged 3 commits into from Nov 24, 2023

Conversation

yelhousni (Contributor)

Description

Currently we implement Theorem 3.2 from https://eprint.iacr.org/2010/542.pdf whenever we have 3 repeated squarings or more in the final exponentiation. It is the fastest variant of cyclotomic squaring, but in-circuit the selector logic needed to handle the branching cases when denominators are zero means it is not always the best choice. This PR compares different variants in Sec. 5 and proposes a tradeoff:

  • For the native case, when the repeated-squaring size is:

    • 1 or 2 --> we choose Granger-Scott
    • 3 --> we choose Karabina SQR12345 (implemented in this PR)
    • 4 or more --> we choose Karabina SQR2345 (implemented previously)

    So nothing changes concretely for BLS12-377, since we do not encounter the case of size 3.

  • For the emulated case, it is difficult to set a threshold theoretically because of the emulated arithmetic, but empirically for BW6-761:

    • for sizes 1 and 2 --> we use Granger-Scott
    • for sizes 3, 4, 5, 7 and 11 --> we use Karabina SQR12345 (implemented in this PR)
    • for sizes 46 and 92 --> we use Karabina SQR2345 (implemented previously)

Type of change

  • New feature (non-breaking change which adds functionality)

How has this been tested?

TestExptFp6 and TestFinalExponentiationTestSolve are used here to test the new Karabina variants. Otherwise we would need to implement the Go version of these in gnark-crypto.

How has this been benchmarked?

For BW6-761, this saves 290826 SCS in the Final exp.

Checklist:

  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
  • I did not modify files generated from templates
  • golangci-lint does not output errors locally
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules
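The compressed squaring whose cost the PR is trading off, as an added example (this is not gnark or gnark-crypto code): a toy instance of Karabina's SQR2345 over F_13[w]/(w^6 - 2), where x^6 - 2 is irreducible and 13 ≡ 1 (mod 6), so F_13 plays the role of the F_{p^2} (BLS12) or F_p (BW6) base field and the cyclotomic subgroup G_{Φ6(13)} has prime order 157. The field parameters q = 13 and E = 2, the names Fq6, Compressed, SquareN and SampleCyclotomic, and the seed coefficients are this example's own assumptions; the SQR12345 variant the PR adds is not reproduced here, since its formulas are not on this page. SquareCompressed is Theorem 3.2 written on the w-power basis, and Decompress contains the division whose zero-denominator branching is the in-circuit selector cost the description refers to:

```go
package main

import "fmt"

// Toy field F = F_q[w]/(w^6 - E) with q = 13, E = 2: x^6 - 2 is irreducible over F_13 and 13 ≡ 1 (mod 6),
// as in Karabina's setting. An element is its coefficient vector a_0..a_5 on w^0..w^5, each in F_q.
const q, E uint64 = 13, 2
type Fq6 [6]uint64

func add(a, b uint64) uint64 { return (a + b) % q }
func sub(a, b uint64) uint64 { return (a + q - b%q) % q }
func mul(a, b uint64) uint64 { return a * b % q }
func inv(a uint64) uint64 { // Fermat a^(q-2) by repeated multiplication (q is tiny); inv(0) == 0, so branch first
	r := uint64(1)
	for i := uint64(0); i < q-2; i++ {
		r = mul(r, a)
	}
	return r
}

func (x Fq6) Mul(y Fq6) Fq6 { // schoolbook product, reducing w^(i+j) = E*w^(i+j-6); full squaring is x.Mul(x)
	var z Fq6
	for i := range x {
		for j := range y {
			c := mul(x[i], y[j])
			if i+j >= 6 {
				c = mul(c, E)
			}
			z[(i+j)%6] = add(z[(i+j)%6], c)
		}
	}
	return z
}
func (x Fq6) Exp(e uint64) Fq6 { // square-and-multiply
	r := Fq6{1}
	for ; e > 0; e >>= 1 {
		if e&1 == 1 {
			r = r.Mul(x)
		}
		x = x.Mul(x)
	}
	return r
}

// SampleCyclotomic maps constructed seed vectors into G_{Φ6(q)} by raising to (q^6-1)/Φ6(q) = (q^3-1)(q+1)
// and returns the first image that is not 1; the group has prime order q^2-q+1 = 157, so that image generates it.
func SampleCyclotomic() Fq6 {
	for s := uint64(2); ; s++ {
		if g := (Fq6{s, 1, 4, 1, 5, 9}).Exp((q*q*q - 1) * (q + 1)); g != (Fq6{1}) {
			return g
		}
	}
}

// Compressed holds the four coefficients SQR2345 keeps; a_0 and a_3 are dropped and recomputed on demand.
type Compressed struct{ A1, A2, A4, A5 uint64 }

func Compress(g Fq6) Compressed { return Compressed{g[1], g[2], g[4], g[5]} }

// SquareCompressed is Theorem 3.2 on the w-power basis: squarings, products and small scalars, no division.
func (c Compressed) SquareCompressed() Compressed {
	return Compressed{
		A1: mul(2, add(c.A1, mul(3, mul(E, mul(c.A2, c.A5))))),                        // 2(a1 + 3E a2 a5)
		A2: sub(mul(3, add(mul(c.A1, c.A1), mul(E, mul(c.A4, c.A4)))), mul(2, c.A2)), // 3(a1² + E a4²) - 2a2
		A4: sub(mul(3, add(mul(c.A2, c.A2), mul(E, mul(c.A5, c.A5)))), mul(2, c.A4)), // 3(a2² + E a5²) - 2a4
		A5: mul(2, add(c.A5, mul(3, mul(c.A1, c.A4)))),                                // 2(a5 + 3 a1 a4)
	}
}

// Decompress recovers a_3, then a_0. The single division is the costly step and its denominator depends on a
// branch (4*a_1 if a_1 != 0, else a_4; both zero only for g = 1). A circuit cannot branch, so it must evaluate
// both cases and select between them: that selector logic is the overhead the PR weighs against Granger-Scott.
func (c Compressed) Decompress() Fq6 {
	var a3 uint64
	switch {
	case c.A1 != 0: // a3 = (E a5² + 3 a2² - 2 a4) / (4 a1)
		a3 = mul(add(mul(E, mul(c.A5, c.A5)), sub(mul(3, mul(c.A2, c.A2)), mul(2, c.A4))), inv(mul(4, c.A1)))
	case c.A4 != 0: // a3 = 2 a2 a5 / a4
		a3 = mul(mul(2, mul(c.A2, c.A5)), inv(c.A4))
	default:
		return Fq6{1}
	}
	t := sub(add(mul(2, mul(a3, a3)), mul(c.A1, c.A5)), mul(3, mul(c.A2, c.A4)))
	return Fq6{add(mul(E, t), 1), c.A1, c.A2, a3, c.A4, c.A5} // a0 = E(2a3² + a1 a5 - 3 a2 a4) + 1
}

// SquareN returns g^(2^n) as n compressed squarings plus a single decompression: Karabina only wins once the
// saving over n Granger-Scott squarings exceeds that one decompression, which is what the PR's thresholds encode.
func SquareN(g Fq6, n int) Fq6 {
	c := Compress(g)
	for i := 0; i < n; i++ {
		c = c.SquareCompressed()
	}
	return c.Decompress()
}

func main() {
	g := SampleCyclotomic()
	fmt.Println(g, "| g^157 == 1:", g.Exp(157) == (Fq6{1}), "| compressed == full square:", Compress(g).SquareCompressed().Decompress() == g.Mul(g), "| SquareN(g,5) == g^32:", SquareN(g, 5) == g.Exp(32))
}
```

SquareN makes the amortisation explicit: n compressed squarings followed by one Decompress replace n full squarings, so the break-even point depends on what a division plus its two-branch selector costs relative to a Granger-Scott squaring in the arithmetic at hand (native or emulated), which is the threshold the description tunes empirically for BW6-761. `go run .` prints the sample element and the three checks (membership in the order-157 subgroup, compressed against full squaring, SquareN against g^32).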

@yelhousni yelhousni added the perf label Nov 23, 2023
@yelhousni yelhousni added this to the v0.9.0 milestone Nov 23, 2023
@yelhousni yelhousni self-assigned this Nov 23, 2023
Review comments on std/algebra/emulated/fields_bw6761/e6.go: 2 threads (outdated, resolved)
@yelhousni yelhousni merged commit 62b52ea into master Nov 24, 2023
7 checks passed
@yelhousni yelhousni deleted the perf/karabina-cycloSq branch November 24, 2023 15:44
ivokub added a commit that referenced this pull request Nov 28, 2023
commit 6c05ea4
Author: Ivo Kubjas <ivo.kubjas@consensys.net>
Date:   Tue Nov 28 16:24:47 2023 +0100

    perf: use G2 precomputed lines for Miller loop (#930)

    * feat: add lazy line eval for Miller loop

    * chore: go mod

    * fix: DoublePairFixed order

    * refactor: remove fixed Q specialized methods

    * chore: serialize lines for KZG key

    * chore: go generate

    * docs: add init docs

    * feat: add fixed KZG verification key init

    * test: add constant and fixed VK test cases

    * test: use fixed init

    * feat: add fixed Groth16 verification

    * fix: unused import

    * refactor: merge last manual iteration

commit a99d198
Author: Ivo Kubjas <ivo.kubjas@consensys.net>
Date:   Tue Nov 28 16:20:44 2023 +0100

    feat: add PLONK in-circuit verifier (#880)

    * test: add recursion hash tests

    * fix: accumulate MSM result

    * refactor: take emulated element for additional data

    * fix: handled infinity point in native multi scalar exp

    * fix: use only nbBits when creating scalar

    * feat: add PLONK verifier

    * feat: PlaceholderVerifyingKey takes the vk as argument

    * feat: f -> scalarApi

    * feat: addition of computeIthLagrangeAtZeta

    * feat: bsb commitments are added to pi

    * refactor: PlaceholderProof takes the proof as argument

    * fix: compute ith lagrange ok, hashToField failing

    * fix: native short hash output size

    * feat: add bw6

    * docs: add package documentation

    * refactor: describe error in panic

    * refactor: init curve and pairing implicitly

    * refactor: remove comments

    * docs: add package examples

    * feat: add all supported witness assignments

    * test: add MSM test

    * fix: remove todo panic

    * feat: add option shortcuts

    * fix: include hash to field in shortcut option

    * feat: use only CCS for placeholder proof and verifyingkey

    * chore: typos and cleanup

    * docs: add KZG package documentation

    ---------

    Co-authored-by: Thomas Piellard <thomas.piellard@consensys.net>

commit 62b52ea
Merge: ec07217 97156f3
Author: Youssef El Housni <youssef.elhousni@consensys.net>
Date:   Fri Nov 24 10:44:33 2023 -0500

    Merge pull request #933 from Consensys/perf/karabina-cycloSq

    Perf: variant of the Karabina cyclotomic squaring

commit 97156f3
Author: Youssef El Housni <youssef.housni21@gmail.com>
Date:   Fri Nov 24 10:27:00 2023 -0500

    refactor: apply PR review suggestions

commit f52c4cb
Author: Youssef El Housni <youssef.housni21@gmail.com>
Date:   Thu Nov 23 01:50:41 2023 -0500

    perf(bls12-377): implement a variant of Karabina cyclo square

commit d7e8d78
Author: Youssef El Housni <youssef.housni21@gmail.com>
Date:   Wed Nov 22 23:28:26 2023 -0500

    perf(bw6): implement a variant of Karabina cyclo square

commit ec07217
Merge: 3aa2559 5479586
Author: Youssef El Housni <youssef.elhousni@consensys.net>
Date:   Wed Nov 22 18:16:46 2023 -0500

    Merge pull request #931 from Consensys/perf/bw6-finalExp

    Perf: optimize addition chains in BW6-761 final exponentiation

commit 5479586
Author: Youssef El Housni <youssef.housni21@gmail.com>
Date:   Wed Nov 22 13:07:50 2023 -0500

    perf(bw6/finalExp): replace Add(x,x) by MulConst(x,2)

commit 65cd6ee
Author: Youssef El Housni <youssef.housni21@gmail.com>
Date:   Tue Nov 21 21:39:55 2023 -0500

    fix(linter): ineffectual assignment

commit d948c7c
Author: Youssef El Housni <youssef.housni21@gmail.com>
Date:   Tue Nov 21 21:27:02 2023 -0500

    perf(bw6/finalExp): optimize addition chains

commit 3aa2559
Author: Gautam Botrel <gautam.botrel@gmail.com>
Date:   Mon Nov 20 14:03:52 2023 -0600

    feat: if we don't compress we don't need the dict (#929)