From 6a9a80bbae2f746d3f62f3df372f4e132fb8ee3b Mon Sep 17 00:00:00 2001 From: guorong009 Date: Thu, 16 May 2024 11:35:29 +0800 Subject: [PATCH 1/6] fix: replace "fold" with "for" loop in "lookup_commit_permuted" --- halo2_backend/src/plonk/lookup/prover.rs | 29 +++++++++++------------- 1 file changed, 13 insertions(+), 16 deletions(-) diff --git a/halo2_backend/src/plonk/lookup/prover.rs b/halo2_backend/src/plonk/lookup/prover.rs index 149c23c361..e937f3a5a6 100644 --- a/halo2_backend/src/plonk/lookup/prover.rs +++ b/halo2_backend/src/plonk/lookup/prover.rs @@ -91,22 +91,19 @@ where { // Closure to get values of expressions and compress them let compress_expressions = |expressions: &[ExpressionBack]| { - let compressed_expression = expressions - .iter() - .map(|expression| { - pk.vk.domain.lagrange_from_vec(evaluate( - expression, - params.n() as usize, - 1, - fixed_values, - advice_values, - instance_values, - challenges, - )) - }) - .fold(domain.empty_lagrange(), |acc, expression| { - acc * *theta + &expression - }); + let mut compressed_expression = domain.empty_lagrange(); + for expression in expressions.iter() { + let expression = pk.vk.domain.lagrange_from_vec(evaluate( + expression, + params.n() as usize, + 1, + fixed_values, + advice_values, + instance_values, + challenges, + )); + compressed_expression = compressed_expression * *theta + &expression; + } compressed_expression }; From 6f04ec6ca07220090f0059efaf1678810f853449 Mon Sep 17 00:00:00 2001 From: guorong009 Date: Thu, 16 May 2024 11:42:13 +0800 Subject: [PATCH 2/6] fix: remove "z.clone()" in "permutation_commit" --- halo2_backend/src/plonk/permutation/prover.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/halo2_backend/src/plonk/permutation/prover.rs b/halo2_backend/src/plonk/permutation/prover.rs index 91e14919c5..4739df89e7 100644 --- a/halo2_backend/src/plonk/permutation/prover.rs +++ b/halo2_backend/src/plonk/permutation/prover.rs @@ -180,7 +180,7 @@ pub(in crate::plonk) fn permutation_commit< let z = domain.lagrange_to_coeff(z); let permutation_product_poly = z.clone(); - let permutation_product_coset = domain.coeff_to_extended(z.clone()); + let permutation_product_coset = domain.coeff_to_extended(z); let permutation_product_commitment = permutation_product_commitment_projective.to_affine(); From 3c9ee970c2ab3076b8560c75e13009d46794e48e Mon Sep 17 00:00:00 2001 From: guorong009 Date: Thu, 16 May 2024 15:48:18 +0800 Subject: [PATCH 3/6] fix: roll back "fold" op in "lookup_commit_permuted" --- halo2_backend/src/plonk/lookup/prover.rs | 29 +++++++++++++----------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/halo2_backend/src/plonk/lookup/prover.rs b/halo2_backend/src/plonk/lookup/prover.rs index e937f3a5a6..149c23c361 100644 --- a/halo2_backend/src/plonk/lookup/prover.rs +++ b/halo2_backend/src/plonk/lookup/prover.rs @@ -91,19 +91,22 @@ where { // Closure to get values of expressions and compress them let compress_expressions = |expressions: &[ExpressionBack]| { - let mut compressed_expression = domain.empty_lagrange(); - for expression in expressions.iter() { - let expression = pk.vk.domain.lagrange_from_vec(evaluate( - expression, - params.n() as usize, - 1, - fixed_values, - advice_values, - instance_values, - challenges, - )); - compressed_expression = compressed_expression * *theta + &expression; - } + let compressed_expression = expressions + .iter() + .map(|expression| { + pk.vk.domain.lagrange_from_vec(evaluate( + expression, + params.n() as usize, + 1, + fixed_values, + advice_values, + instance_values, + challenges, + )) + }) + .fold(domain.empty_lagrange(), |acc, expression| { + acc * *theta + &expression + }); compressed_expression }; From 3daf5d49327b57258f44fe8fe8c071d433b957b2 Mon Sep 17 00:00:00 2001 From: guorong009 Date: Thu, 16 May 2024 18:04:12 +0800 Subject: [PATCH 4/6] improve: apply "batch_normalize" in "lookup_commit_permuted" --- halo2_backend/src/plonk/lookup/prover.rs | 13 +++++++++---- halo2_backend/src/plonk/permutation/prover.rs | 6 ++---- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/halo2_backend/src/plonk/lookup/prover.rs b/halo2_backend/src/plonk/lookup/prover.rs index 149c23c361..3ea4bb51c6 100644 --- a/halo2_backend/src/plonk/lookup/prover.rs +++ b/halo2_backend/src/plonk/lookup/prover.rs @@ -131,19 +131,24 @@ where let poly = pk.vk.domain.lagrange_to_coeff(values.clone()); let blind = Blind(C::Scalar::random(&mut rng)); let commitment = params - .commit_lagrange(&engine.msm_backend, values, blind) - .to_affine(); + .commit_lagrange(&engine.msm_backend, values, blind); (poly, blind, commitment) }; // Commit to permuted input expression - let (permuted_input_poly, permuted_input_blind, permuted_input_commitment) = + let (permuted_input_poly, permuted_input_blind, permuted_input_commitment_projective) = commit_values(&permuted_input_expression); // Commit to permuted table expression - let (permuted_table_poly, permuted_table_blind, permuted_table_commitment) = + let (permuted_table_poly, permuted_table_blind, permuted_table_commitment_projective) = commit_values(&permuted_table_expression); + let [permuted_input_commitment, permuted_table_commitment] = { + let mut affines = [C::identity(); 2]; + C::CurveExt::batch_normalize(&[permuted_input_commitment_projective, permuted_table_commitment_projective], &mut affines); + affines + }; + // Hash permuted input commitment transcript.write_point(permuted_input_commitment)?; diff --git a/halo2_backend/src/plonk/permutation/prover.rs b/halo2_backend/src/plonk/permutation/prover.rs index 4739df89e7..26fc1b9163 100644 --- a/halo2_backend/src/plonk/permutation/prover.rs +++ b/halo2_backend/src/plonk/permutation/prover.rs @@ -174,16 +174,14 @@ pub(in crate::plonk) fn permutation_commit< let blind = Blind(C::Scalar::random(&mut rng)); - let permutation_product_commitment_projective = - params.commit_lagrange(&engine.msm_backend, &z, blind); + let permutation_product_commitment = + params.commit_lagrange(&engine.msm_backend, &z, blind).to_affine(); let permutation_product_blind = blind; let z = domain.lagrange_to_coeff(z); let permutation_product_poly = z.clone(); let permutation_product_coset = domain.coeff_to_extended(z); - let permutation_product_commitment = permutation_product_commitment_projective.to_affine(); - // Hash the permutation product commitment transcript.write_point(permutation_product_commitment)?; From e41a6aeac377295880d57e5f656b17b0dc8db9d2 Mon Sep 17 00:00:00 2001 From: guorong009 Date: Thu, 16 May 2024 22:33:20 +0800 Subject: [PATCH 5/6] fix: use the "batch_normalize" everywhere possible --- halo2_backend/src/plonk/keygen.rs | 23 +++++++++-------- halo2_backend/src/plonk/lookup/prover.rs | 11 +++++--- halo2_backend/src/plonk/permutation/keygen.rs | 23 ++++++++++------- halo2_backend/src/plonk/permutation/prover.rs | 5 ++-- halo2_backend/src/plonk/verifier.rs | 25 +++++++++++++++---- halo2_backend/src/poly/ipa/commitment.rs | 9 +++++-- .../src/poly/ipa/commitment/prover.rs | 7 ++++-- 7 files changed, 70 insertions(+), 33 deletions(-) diff --git a/halo2_backend/src/plonk/keygen.rs b/halo2_backend/src/plonk/keygen.rs index 067434a4d6..7d38f7a914 100644 --- a/halo2_backend/src/plonk/keygen.rs +++ b/halo2_backend/src/plonk/keygen.rs @@ -64,20 +64,23 @@ where )? .build_vk(params, &domain, &cs.permutation); - let fixed_commitments = circuit - .preprocessing - .fixed - .iter() - .map(|poly| { - params - .commit_lagrange( + let fixed_commitments = { + let fixed_commitments_projective: Vec = circuit + .preprocessing + .fixed + .iter() + .map(|poly| { + params.commit_lagrange( &H2cEngine::new(), &Polynomial::new_lagrange_from_vec(poly.clone()), Blind::default(), ) - .to_affine() - }) - .collect(); + }) + .collect(); + let mut fixed_commitments = vec![C::identity(); fixed_commitments_projective.len()]; + C::CurveExt::batch_normalize(&fixed_commitments_projective, &mut fixed_commitments); + fixed_commitments + }; Ok(VerifyingKey::from_parts( domain, diff --git a/halo2_backend/src/plonk/lookup/prover.rs b/halo2_backend/src/plonk/lookup/prover.rs index 3ea4bb51c6..ceafd1a37a 100644 --- a/halo2_backend/src/plonk/lookup/prover.rs +++ b/halo2_backend/src/plonk/lookup/prover.rs @@ -130,8 +130,7 @@ where let mut commit_values = |values: &Polynomial| { let poly = pk.vk.domain.lagrange_to_coeff(values.clone()); let blind = Blind(C::Scalar::random(&mut rng)); - let commitment = params - .commit_lagrange(&engine.msm_backend, values, blind); + let commitment = params.commit_lagrange(&engine.msm_backend, values, blind); (poly, blind, commitment) }; @@ -145,7 +144,13 @@ where let [permuted_input_commitment, permuted_table_commitment] = { let mut affines = [C::identity(); 2]; - C::CurveExt::batch_normalize(&[permuted_input_commitment_projective, permuted_table_commitment_projective], &mut affines); + C::CurveExt::batch_normalize( + &[ + permuted_input_commitment_projective, + permuted_table_commitment_projective, + ], + &mut affines, + ); affines }; diff --git a/halo2_backend/src/plonk/permutation/keygen.rs b/halo2_backend/src/plonk/permutation/keygen.rs index 6a09946fe2..e0bc0319d0 100644 --- a/halo2_backend/src/plonk/permutation/keygen.rs +++ b/halo2_backend/src/plonk/permutation/keygen.rs @@ -261,15 +261,20 @@ pub(crate) fn build_vk<'params, C: CurveAffine, P: Params<'params, C>>( } // Pre-compute commitments for the URS. - let mut commitments = Vec::with_capacity(p.columns.len()); - for permutation in &permutations { - // Compute commitment to permutation polynomial - commitments.push( - params - .commit_lagrange(&H2cEngine::new(), permutation, Blind::default()) - .to_affine(), - ); - } + let commitments = { + let mut commitments_projective = Vec::with_capacity(p.columns.len()); + for permutation in &permutations { + // Compute commitment to permutation polynomial + commitments_projective.push(params.commit_lagrange( + &H2cEngine::new(), + permutation, + Blind::default(), + )); + } + let mut commitments = vec![C::identity(); p.columns.len()]; + C::CurveExt::batch_normalize(&commitments_projective, &mut commitments); + commitments + }; VerifyingKey { commitments } } diff --git a/halo2_backend/src/plonk/permutation/prover.rs b/halo2_backend/src/plonk/permutation/prover.rs index 26fc1b9163..5aa577b680 100644 --- a/halo2_backend/src/plonk/permutation/prover.rs +++ b/halo2_backend/src/plonk/permutation/prover.rs @@ -174,8 +174,9 @@ pub(in crate::plonk) fn permutation_commit< let blind = Blind(C::Scalar::random(&mut rng)); - let permutation_product_commitment = - params.commit_lagrange(&engine.msm_backend, &z, blind).to_affine(); + let permutation_product_commitment = params + .commit_lagrange(&engine.msm_backend, &z, blind) + .to_affine(); let permutation_product_blind = blind; let z = domain.lagrange_to_coeff(z); let permutation_product_poly = z.clone(); diff --git a/halo2_backend/src/plonk/verifier.rs b/halo2_backend/src/plonk/verifier.rs index 88cd06be52..9c692ade8c 100644 --- a/halo2_backend/src/plonk/verifier.rs +++ b/halo2_backend/src/plonk/verifier.rs @@ -1,9 +1,11 @@ //! Verify a plonk proof +use group::prime::PrimeCurveAffine; use group::Curve; use halo2_middleware::circuit::Any; use halo2_middleware::ff::{Field, FromUniformBytes, WithSmallOrderMulGroup}; use halo2_middleware::zal::impls::H2cEngine; +use halo2curves::CurveAffine; use std::iter; use super::{vanishing, VerifyingKey}; @@ -78,7 +80,9 @@ where // 1. Get the commitments of the instance polynomials. ---------------------------------------- let instance_commitments = if V::QUERY_INSTANCE { - instances + let mut instance_commitments = Vec::with_capacity(instances.len()); + + let instances_projective = instances .iter() .map(|instance| { instance @@ -91,13 +95,24 @@ where poly.resize(params.n() as usize, Scheme::Scalar::ZERO); let poly = vk.domain.lagrange_from_vec(poly); - Ok(params - .commit_lagrange(&default_engine, &poly, Blind::default()) - .to_affine()) + Ok(params.commit_lagrange(&default_engine, &poly, Blind::default())) }) .collect::, _>>() }) - .collect::, _>>()? + .collect::, _>>()?; + + for i in 0..instances.len() { + let mut affines = vec![ + ::Curve::identity(); + instances_projective[i].len() + ]; + <::Curve as CurveAffine>::CurveExt::batch_normalize( + &instances_projective[i], + &mut affines, + ); + instance_commitments.push(affines); + } + instance_commitments } else { vec![vec![]; instances.len()] }; diff --git a/halo2_backend/src/poly/ipa/commitment.rs b/halo2_backend/src/poly/ipa/commitment.rs index 0f6b549a4e..7ac521327b 100644 --- a/halo2_backend/src/poly/ipa/commitment.rs +++ b/halo2_backend/src/poly/ipa/commitment.rs @@ -195,8 +195,13 @@ impl<'params, C: CurveAffine> ParamsProver<'params, C> for ParamsIPA { let g_lagrange = g_to_lagrange(g_projective, k); let hasher = C::CurveExt::hash_to_curve("Halo2-Parameters"); - let w = hasher(&[1]).to_affine(); - let u = hasher(&[2]).to_affine(); + + let [w, u] = { + let projectives = vec![hasher(&[1]), hasher(&[2])]; + let mut affines = [C::identity(); 2]; + C::CurveExt::batch_normalize(&projectives, &mut affines); + affines + }; ParamsIPA { k, diff --git a/halo2_backend/src/poly/ipa/commitment/prover.rs b/halo2_backend/src/poly/ipa/commitment/prover.rs index 1f50046449..7e04206e07 100644 --- a/halo2_backend/src/poly/ipa/commitment/prover.rs +++ b/halo2_backend/src/poly/ipa/commitment/prover.rs @@ -114,8 +114,11 @@ pub fn create_proof_with_engine< let r_j_randomness = C::Scalar::random(&mut rng); let l_j = l_j + engine.msm(&[value_l_j * z, l_j_randomness], &[params.u, params.w]); let r_j = r_j + engine.msm(&[value_r_j * z, r_j_randomness], &[params.u, params.w]); - let l_j = l_j.to_affine(); - let r_j = r_j.to_affine(); + let [l_j, r_j] = { + let mut affines = [C::identity(); 2]; + C::CurveExt::batch_normalize(&[l_j, r_j], &mut affines); + affines + }; // Feed L and R into the real transcript transcript.write_point(l_j)?; From fa8d46d8ab37bc1d3220dc680b50eef87cd6ffac Mon Sep 17 00:00:00 2001 From: guorong009 Date: Fri, 17 May 2024 01:05:16 +0800 Subject: [PATCH 6/6] chore: fmt + clippy --- halo2_backend/src/plonk/verifier.rs | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/halo2_backend/src/plonk/verifier.rs b/halo2_backend/src/plonk/verifier.rs index 9c692ade8c..d0e8650ac2 100644 --- a/halo2_backend/src/plonk/verifier.rs +++ b/halo2_backend/src/plonk/verifier.rs @@ -101,13 +101,11 @@ where }) .collect::, _>>()?; - for i in 0..instances.len() { - let mut affines = vec![ - ::Curve::identity(); - instances_projective[i].len() - ]; + for instance_projective in instances_projective { + let mut affines = + vec![::Curve::identity(); instance_projective.len()]; <::Curve as CurveAffine>::CurveExt::batch_normalize( - &instances_projective[i], + &instance_projective, &mut affines, ); instance_commitments.push(affines);