Skip to content

feat(grumpkin): GLV scalar decomposition + generic MSM crate #1211

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
quangvdao wants to merge 15 commits into
base: main
Choose a base branch
from
Open

feat(grumpkin): GLV scalar decomposition + generic MSM crate #1211

quangvdao wants to merge 15 commits into from

Conversation

@quangvdao
Copy link
Contributor

@quangvdao quangvdao commented Jan 18, 2026
edited
Loading

Summary

This PR adds GLV (Gallant-Lambert-Vanstone) scalar decomposition for Grumpkin and a modular, trait-based MSM implementation.

⚠️ Disclaimer

This code has only been lightly audited and may contain bugs. While a security review was conducted covering the critical cryptographic invariants (GLV decomposition correctness, endomorphism properties, Pippenger algorithm), the implementation has not undergone a formal third-party audit. Use with caution in production systems.

Dependencies

⚠️ Depends on #1209 (Grumpkin division inlines)

This PR builds on top of the base Grumpkin field division inlines. Please merge #1209 first.

What's New

GLV Scalar Decomposition (jolt-inlines/grumpkin/)

  • Endomorphism: GrumpkinPoint::endomorphism() — maps (x, y) → (βx, y) where β³ = 1
  • Decomposition: GrumpkinPoint::decompose_scalar(k) — splits 256-bit scalar into two ~128-bit half-scalars (k₁, k₂) where k ≡ k₁ + k₂·λ (mod n)
  • Soundness: Guest-side verifies decomposition via recomposition check; calls hcf() to spoil proof on mismatch
  • Inline instruction: New GRUMPKIN_GLVR_ADV virtual instruction for non-deterministic decomposition advice

Generic MSM Crate (examples/msm/)

  • Trait-based design: MsmGroup, WindowedScalar, GlvCapable traits for curve-agnostic MSM
  • Pippenger bucket MSM: Variable and fixed window sizes, MSB-to-LSB processing
  • GLV-accelerated MSM: Expands scalars via decomposition, then runs Pippenger on 2× half-scalar pairs
  • Fixed-base precomputation: FixedBaseTable for generator multiplication (lookups + additions only)

Security Hardening

  • Tests for cryptographic invariants: β³ = 1, λ² + λ + 1 = 0, φ³ = Id, φ(P) = [λ]P
  • GLV lattice determinant verification: n₁₁·n₂₂ − n₁₂·n₂₁ = n
  • Edge case tests for decomposition: k = 0, 1, n-1, λ, λ±1, λ²
  • Window size bounds validation (≤ 16 bits)
  • Host-side bounds check for half-scalars (≤ 128 bits)

Benchmarks (MSM_SIZE = 1024)

Method RV64IMAC Virtual Total
Pippenger (256-bit, no GLV) ~453M
GLV + Pippenger (w=8) 48.5M 55.2M 103.7M
Fixed-base table (w=14) 24.5M 26.7M 51.2M

Key results:

  • GLV+Pippenger is ~4.4× faster than naive Pippenger
  • Fixed-base is ~2× faster than GLV+Pippenger (for generator-only MSM)

Files Changed

  • jolt-inlines/grumpkin/src/sdk.rs — GLV constants, endomorphism, decompose_scalar
  • jolt-inlines/grumpkin/src/lib.rs — GLV inline opcode registration
  • jolt-inlines/grumpkin/src/sequence_builder.rs — GLV advice implementation
  • jolt-inlines/grumpkin/src/host.rs — Inline registration
  • jolt-inlines/grumpkin/src/tests.rs — Security invariant tests
  • examples/msm/ — New generic MSM crate with Grumpkin integration

mathmasterzach and others added 10 commits January 16, 2026 17:11
@mathmasterzach
grumpkin div inlines
b177c07
@quangvdao
feat: add grumpkin msm bench example
8db17e0
@quangvdao
feat(grumpkin): add GLV decomposition, separate window params, and wi…
b446b25 
…ndow sweep

- Add GLV inline constants and decompose_scalar for Grumpkin
- Split PIPPENGER_WINDOW into BASELINE_WINDOW and GLV_WINDOW
- Add window sweep benchmarks: GLV_WINDOW=10 is ~2x faster than 12
- Add GLV_PROGRESS.md tracking benchmarks and findings
@quangvdao
perf(grumpkin): tune GLV_WINDOW=8 as optimal for MSM_SIZE=1024
879e208 
Window sweep results: w=8 gives 105M cycles vs 261M at w=12 (2.5x speedup)
@quangvdao
bench(grumpkin): add fixed-base generator table benchmarks
a68bf50
@quangvdao
perf(grumpkin): sweep fixed-base window, optimal w=14 gives 2.1x vs G…
9811d0f 
…LV+Pippenger

- Use heap allocation (Box) for large precompute tables
- Increase guest memory to 128MB, stack to 64MB
- Document precompute sizes and full sweep results
@quangvdao
perf(grumpkin): micro-optimize GrumpkinPoint::add() hot path
94f8d39
@quangvdao
feat(msm): add generic MSM crate with trait-based abstractions
820eeb6 
- Add examples/msm/ with modular Pippenger, GLV, and fixed-base MSM
- Define MsmGroup, WindowedScalar, GlvCapable traits
- Implement Grumpkin curve integration in curves/grumpkin.rs
- GLV+Pippenger is ~1.2% faster than old impl (103.8M vs 105.1M cycles)
- Fixed-base has ~2% overhead due to trait indirection (acceptable)
- Update GLV_PROGRESS.md with benchmark comparison
@quangvdao
chore: remove old grumpkin-msm-bench example
fa6c9cd 
Replaced by generic examples/msm/ with trait-based abstractions.
@quangvdao
fix: remove grumpkin-msm-bench from workspace members
2014132
graphite-app[bot]
graphite-app bot reviewed Jan 18, 2026
View reviewed changes
@quangvdao
fix: add runtime buffer size assertions in msm_glv_with_scratch_const
3a0bbbd
@quangvdao
test(grumpkin): add GLV security invariant tests and timing docs
ea699fe 
- Add edge case tests for GLV decomposition (k=0, k=n-1, k=λ, etc.)
- Add GLV lattice determinant verification test
- Add timing documentation for variable-time MSM operations
- Untrack GLV_PROGRESS.md (local development notes)
@quangvdao
fix(grumpkin): inline format arg in test assertion
72e2882
graphite-app[bot]
graphite-app bot reviewed Jan 18, 2026
View reviewed changes
@quangvdao
fix(grumpkin): add bounds check in sequence_builder serialize_k
f36e6ab 
Adds missing assertion that half-scalar bytes.len() <= 16, matching
the check in sdk.rs. Prevents potential out-of-bounds panic during
trace generation if GLV decomposition somehow produces oversized values.
@quangvdao
fix(grumpkin): harden point ops and inline tests
892c12e
quangvdao added a commit to quangvdao/jolt that referenced this pull request Jan 23, 2026
@quangvdao
Merge grumpkin branch (PR a16z#1211): GLV scalar decomposition + gene…
8020567 
…ric MSM crate
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@graphite-app graphite-app[bot] graphite-app[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@quangvdao @mathmasterzach