From 53b301b23ad172afd67ad8d8d08c3bd1731b3df3 Mon Sep 17 00:00:00 2001 From: James Bell-Clark Date: Thu, 8 Jan 2026 06:22:43 -0800 Subject: [PATCH] Reduce information in transcript of LIP proofs. Have the linear inner product proofs only commit to the seeds used to generate parameters in the transcript. This more than halves the run time of the LIP prove and verify functions. Corresponding to saving about 21% of the computation in forming and verifying a single client message. PiperOrigin-RevId: 853711463 --- willow/src/zk/linear_ip.rs | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/willow/src/zk/linear_ip.rs b/willow/src/zk/linear_ip.rs index d96f4da..2c6a2a2 100644 --- a/willow/src/zk/linear_ip.rs +++ b/willow/src/zk/linear_ip.rs @@ -36,6 +36,7 @@ pub struct LinearInnerProductParameters { F: RistrettoPoint, F_: RistrettoPoint, G: Vec, + seed: Vec, } pub fn inner_product(a: &[Scalar], b: &[Scalar]) -> Scalar { @@ -59,6 +60,7 @@ fn common_setup(length: usize, parameter_seed: &[u8]) -> LinearInnerProductParam ) }) .collect(), + seed: parameter_seed.to_vec(), } } @@ -67,11 +69,9 @@ fn append_params_to_transcript( params: &LinearInnerProductParameters, ) { transcript.append_u64(b"n", params.n as u64); - for G_i in ¶ms.G { - transcript.append_message(b"G_i", G_i.compress().as_bytes()); - } - transcript.append_message(b"F", params.F.compress().as_bytes()); - transcript.append_message(b"F_", params.F_.compress().as_bytes()); + // We append the seed not the resulting params themselves because appending that many params + // more than doubles the run time of both prove and verify. + transcript.append_message(b"seed", ¶ms.seed); } fn validate_and_append_point(