Pippenger inclusion (#120)

* Add dusk Bls12_381 fork as dep

- Document that ´multiscalar_mul` found in `utils.rs`
will no longer be used. Instead we will use the pippenger
implementation added to the BLS fork.

* Refactor repo to use pippenger for multiscalar_mul

- Renamed the `single_base_multiscalar_mul` and added comments
to show that it is just used to compute the SRS and it's not
PLONK's responsability to make it faster. We just have it for
tests.

Co-authored-by: decentralisedkev <kevtheappdev@gmail.com>

Cargo.toml

@@ -12,7 +12,8 @@ edition = "2018"
 merlin = "2.0.0"
 rand = "0.7.2"
 rand_core = { version = "0.5", default-features = false }
-bls12_381 = { git = "https://github.com/zkcrypto/bls12_381", branch = "master" }
+# Built by default with "std", "alloc", "pairing", "groups" and "endo" features.
+bls12_381 = { git = "https://github.com/dusk-network/bls12_381", branch = "master" }
 itertools = "0.8.2"
 rand_chacha = "0.2"
 rayon = "1.3.0"

benchmarks/plonk_benchmarks.rs

@@ -0,0 +1,25 @@
+#![allow(non_snake_case)]
+
+#[macro_use]
+extern crate criterion;
+extern crate plonk;
+
+use bls12_381::{G1Projective, Scalar};
+use criterion::{criterion_group, criterion_main, BenchmarkId, Criterion};
+use plonk::commitment_scheme::kzg10::SRS;
+use rand::thread_rng;
+
+mod poly_commit_benches {
+
+    use super::*;
+    pub fn bench_polynomial_commitment(c: &mut Criterion) {
+        // Generate the powers with size = 1_000_000
+        let srs = SRS::setup(1_000_000, &mut thread_rng());
+        let (ck, vk) = srs.trim(1_000_000usize);
+        let random_poly = (0..1000000)
+            .iter()
+            .map(|| Scalar::rand(&mut thread_rng()))
+            .collect();
+        let mut group = c.benchmark_group("Poly commit");
+    }
+}

src/commitment_scheme/kzg10/key.rs

@@ -5,7 +5,7 @@ use crate::fft::Polynomial;
 use crate::transcript::TranscriptProtocol;
 use crate::util::powers_of;
 
-use bls12_381::{G1Affine, G1Projective, G2Affine, G2Prepared, Scalar};
+use bls12_381::{multiscalar_mul::pippenger, G1Affine, G1Projective, G2Affine, G2Prepared, Scalar};
 
 /// Verifier Key is used to verify claims made about a committed polynomial
 #[derive(Clone, Debug)]
@@ -67,11 +67,11 @@ impl ProverKey {
         self.check_commit_degree_is_within_bounds(polynomial.degree())?;
 
         // Compute commitment
-        use crate::util::{multiscalar_mul, sum_points};
-        let points: Vec<G1Projective> = multiscalar_mul(&polynomial.coeffs, &self.powers_of_g);
-        let committed_point = sum_points(&points);
-        let commitment = Commitment::from_projective(committed_point);
-        Ok(commitment)
+        let mut commitment = pippenger(
+            self.powers_of_g.iter().map(|P| G1Projective::from(P)),
+            polynomial.coeffs.to_owned().into_iter(),
+        );
+        Ok(Commitment::from_projective(commitment))
     }
 
     /// For a given commitment to a polynomial

src/commitment_scheme/kzg10/srs.rs

@@ -1,6 +1,6 @@
 use super::errors::Error;
 use super::key::{ProverKey, VerifierKey};
-use crate::util::multiscalar_mul_single_base;
+use crate::util::slow_multiscalar_mul_single_base;
 use bls12_381::{G1Affine, G1Projective, G2Affine, G2Prepared, G2Projective, Scalar};
 use rand_core::RngCore;
 /// Structured Reference String (SRS) is the main component in KZG10
@@ -29,7 +29,7 @@ impl SRS {
 
         // powers of g will be used to commit to the polynomial
         let g = random_g1_point(&mut rng);
-        let powers_of_g: Vec<G1Projective> = multiscalar_mul_single_base(&powers_of_beta, g);
+        let powers_of_g: Vec<G1Projective> = slow_multiscalar_mul_single_base(&powers_of_beta, g);
         assert_eq!(powers_of_g.len(), max_degree + 1);
 
         // Normalise all projective points

src/constraint_system/standard/proof.rs

@@ -5,8 +5,7 @@ use crate::commitment_scheme::kzg10::{Commitment, VerifierKey};
 use crate::fft::{EvaluationDomain, Polynomial};
 use crate::permutation::constants::{K1, K2};
 use crate::transcript::TranscriptProtocol;
-use crate::util::{multiscalar_mul, sum_points};
-use bls12_381::{G1Affine, G1Projective, Scalar};
+use bls12_381::{multiscalar_mul::pippenger, pairing, G1Affine, G1Projective, Scalar};
 pub struct Proof {
     // Commitment to the witness polynomial for the left wires
     pub a_comm: Commitment,
@@ -313,8 +312,9 @@ impl Proof {
         scalars.push(y);
         points.push(preprocessed_circuit.out_sigma_comm().0);
 
-        let points = multiscalar_mul(&scalars, &points);
-        let commitment = sum_points(&points);
-        Commitment::from_projective(commitment)
+        Commitment::from_projective(pippenger(
+            points.iter().map(|P| G1Projective::from(P)),
+            scalars.into_iter(),
+        ))
     }
 }

src/util.rs

@@ -11,31 +11,15 @@ pub fn powers_of(scalar: &Scalar, max_degree: usize) -> Vec<Scalar> {
     powers
 }
 
-// While we do not have multiscalar mul in bls12-381; this function will be used as a stub
-pub(crate) fn multiscalar_mul<K, T: Mul<Scalar, Output = K> + Copy>(
-    scalars: &Vec<Scalar>,
-    bases: &Vec<T>,
-) -> Vec<K> {
-    scalars
-        .iter()
-        .zip(bases.iter())
-        .map(|(s, b)| *b * *s)
-        .collect()
-}
-
-pub(crate) fn multiscalar_mul_single_base<K, T: Mul<Scalar, Output = K> + Copy>(
+/// This function is only used to generate the SRS.
+/// The intention is just to compute the resulting points
+/// of the operation `a*P, b*P, c*P ... (n-1)*P` into a `Vec`.
+pub(crate) fn slow_multiscalar_mul_single_base<K, T: Mul<Scalar, Output = K> + Copy>(
     scalars: &Vec<Scalar>,
     base: T,
 ) -> Vec<K> {
     scalars.iter().map(|s| base * *s).collect()
 }
-pub(crate) fn sum_points<T: Add<T, Output = T> + Copy>(points: &Vec<T>) -> T {
-    let mut sum = points[0];
-    for i in 1..points.len() {
-        sum = sum + points[i]
-    }
-    sum
-}
 
 // while we do not have batch inversion for scalars
 use std::ops::MulAssign;