diff --git a/w3f-plonk-common/Cargo.toml b/w3f-plonk-common/Cargo.toml index cea986f..ea8afe9 100644 --- a/w3f-plonk-common/Cargo.toml +++ b/w3f-plonk-common/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "w3f-plonk-common" -version = "0.0.5" +version = "0.0.6" edition = "2021" authors = ["Sergey Vasilyev "] license = "MIT/Apache-2.0" diff --git a/w3f-plonk-common/benches/SUMMARY.md b/w3f-plonk-common/benches/SUMMARY.md index 4391e77..bd54b44 100644 --- a/w3f-plonk-common/benches/SUMMARY.md +++ b/w3f-plonk-common/benches/SUMMARY.md @@ -10,10 +10,10 @@ Machine: AMD Ryzen Threadripper 3970X (64 logical cores), 62 GiB RAM, Arch Linux | Domain Size | Hiding | Non-Hiding | |-------------|-----------|------------| -| 512 | 884 us | 865 us | -| 1024 | 1.90 ms | 1.89 ms | -| 4096 | 8.79 ms | 8.85 ms | -| 16384 | 44.2 ms | 44.1 ms | +| 512 | 883 us | 869 us | +| 1024 | 1.89 ms | 1.89 ms | +| 4096 | 9.52 ms | 9.71 ms | +| 16384 | 43.3 ms | 45.3 ms | Hiding vs non-hiding makes no measurable difference. Scales roughly linearly with domain size. @@ -21,11 +21,11 @@ Hiding vs non-hiding makes no measurable difference. Scales roughly linearly wit | Domain Size | private_column | public_column | shifted_4x | |-------------|----------------|---------------|------------| -| 512 | 455 us | 445 us | 2.31 us | -| 1024 | 982 us | 981 us | 4.62 us | -| 4096 | 4.76 ms | 4.68 ms | 22.8 us | +| 512 | 419 us | 418 us | 2.14 us | +| 1024 | 1.02 ms | 1.14 ms | 4.29 us | +| 4096 | 4.45 ms | 4.92 ms | 18.7 us | -Column construction is dominated by FFT (interpolation + 4x evaluation). `shifted_4x` is a cheap rotate+copy. +Column construction is dominated by FFT (interpolation + 4x evaluation). `shifted_4x` clones and rotates the 4x evaluations. ## Booleanity Gadget @@ -33,9 +33,9 @@ Constraint evaluation in 4x domain. | Domain Size | constraints | |-------------|-------------| -| 512 | 45.1 us | -| 1024 | 90.9 us | -| 4096 | 384 us | +| 512 | 48.3 us | +| 1024 | 96.8 us | +| 4096 | 412 us | Single constraint `b(1-b)`. Linear scaling. @@ -43,9 +43,9 @@ Single constraint `b(1-b)`. Linear scaling. | Domain Size | init | constraints | constraints_linearized | |-------------|---------|-------------|------------------------| -| 512 | 1.65 ms | 100 us | 9.73 us | -| 1024 | 3.20 ms | 210 us | 19.6 us | -| 4096 | 13.8 ms | 942 us | 94.2 us | +| 512 | 1.36 ms | 108 us | 10.2 us | +| 1024 | 2.98 ms | 223 us | 20.9 us | +| 4096 | 14.2 ms | 922 us | 81.8 us | Init includes column construction (2 FFTs). Constraints are evaluated pointwise in 4x domain. Linearization is a single polynomial scalar multiplication. @@ -53,8 +53,8 @@ Init includes column construction (2 FFTs). Constraints are evaluated pointwise | Domain Size | init | constraints | constraints_linearized | |-------------|----------|-------------|------------------------| -| 512 | 3.78 ms | 857 us | 75.9 us | -| 1024 | 8.03 ms | 1.72 ms | 162 us | -| 4096 | 35.2 ms | 13.9 ms | 669 us | +| 512 | 2.39 ms | 913 us | 81.1 us | +| 1024 | 5.20 ms | 1.83 ms | 160 us | +| 4096 | 25.5 ms | 11.3 ms | 642 us | -Init includes EC conditional additions (sequential scan) plus column construction. Constraint evaluation is the most expensive gadget due to the degree-4 EC addition formulas. Linearization remains cheap. +Init includes EC conditional additions (batch-normalized) plus column construction. Constraint evaluation is the most expensive gadget due to the degree-4 EC addition formulas. Linearization remains cheap. diff --git a/w3f-plonk-common/src/gadgets/ec/mod.rs b/w3f-plonk-common/src/gadgets/ec/mod.rs index 16bbc64..f99dcb9 100644 --- a/w3f-plonk-common/src/gadgets/ec/mod.rs +++ b/w3f-plonk-common/src/gadgets/ec/mod.rs @@ -73,17 +73,21 @@ where assert_eq!(bitmask.bits.len(), domain.capacity - 1); // assert_eq!(points.points.len(), domain.capacity - 1); //TODO let not_last = domain.not_last_row.clone(); - let acc = bitmask + let mut projective_acc = seed.into_group(); + let projective_points: Vec<_> = bitmask .bits .iter() .zip(points.points.iter()) - .scan(seed, |acc, (&b, point)| { + .map(|(&b, point)| { if b { - *acc = (*acc + point).into_affine(); + projective_acc += point; } - Some(*acc) - }); - let acc: Vec<_> = ark_std::iter::once(seed).chain(acc).collect(); + projective_acc + }) + .collect(); + let mut acc = Vec::with_capacity(projective_points.len() + 1); + acc.push(seed); + acc.extend(P::Group::normalize_batch(&projective_points)); let init_plus_result = acc.last().unwrap(); let result = init_plus_result.into_group() - seed.into_group(); let result = result.into_affine(); diff --git a/w3f-ring-proof/Cargo.toml b/w3f-ring-proof/Cargo.toml index 5432b4e..6f1fef5 100644 --- a/w3f-ring-proof/Cargo.toml +++ b/w3f-ring-proof/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "w3f-ring-proof" -version = "0.0.5" +version = "0.0.6" edition = "2021" authors = ["Sergey Vasilyev "] license = "MIT/Apache-2.0" diff --git a/w3f-ring-proof/benches/SUMMARY.md b/w3f-ring-proof/benches/SUMMARY.md index 9a41a2c..e4b740e 100644 --- a/w3f-ring-proof/benches/SUMMARY.md +++ b/w3f-ring-proof/benches/SUMMARY.md @@ -10,8 +10,8 @@ Machine: AMD Ryzen Threadripper 3970X (64 logical cores), 62 GiB RAM, Arch Linux | Domain Size | Time | |-------------|----------| -| 512 | 61.9 ms | -| 1024 | 86.1 ms | +| 512 | 49.7 ms | +| 1024 | 78.1 ms | Includes KZG trusted setup (`3 * domain_size` degree) and domain/PIOP parameter construction. @@ -19,8 +19,8 @@ Includes KZG trusted setup (`3 * domain_size` degree) and domain/PIOP parameter | Domain Size | Time | |-------------|----------| -| 512 | 48.0 ms | -| 1024 | 92.0 ms | +| 512 | 43.3 ms | +| 1024 | 73.8 ms | Commits the ring key columns and selector polynomial using KZG. Full keyset (max capacity). @@ -28,8 +28,8 @@ Commits the ring key columns and selector polynomial using KZG. Full keyset (max | Domain Size | Time | |-------------|-----------| -| 512 | 159 ms | -| 1024 | 289 ms | +| 512 | 158 ms | +| 1024 | 276 ms | Single proof generation. Includes witness generation (conditional additions, inner product accumulation) and PLONK prover (constraint evaluation, quotient polynomial, KZG commitments and openings). @@ -37,8 +37,8 @@ Single proof generation. Includes witness generation (conditional additions, inn | Domain Size | Time | |-------------|----------| -| 512 | 3.63 ms | -| 1024 | 3.36 ms | +| 512 | 3.21 ms | +| 1024 | 3.08 ms | Single proof verification. Dominated by pairing checks. Near-constant with domain size as the verifier works with evaluations, not full polynomials. @@ -46,10 +46,10 @@ Single proof verification. Dominated by pairing checks. Near-constant with domai | Batch Size | Sequential | KZG Accumulator | Speedup | |------------|------------|-----------------|---------| -| 1 | 3.10 ms | 3.10 ms | 1.0x | -| 4 | 14.0 ms | 5.29 ms | 2.6x | -| 16 | 49.8 ms | 11.3 ms | 4.4x | -| 32 | 99.6 ms | 19.8 ms | 5.0x | +| 1 | 3.33 ms | 3.08 ms | 1.1x | +| 4 | 13.2 ms | 5.64 ms | 2.3x | +| 16 | 52.8 ms | 12.0 ms | 4.4x | +| 32 | 106 ms | 19.8 ms | 5.4x | Sequential verification scales linearly (one pairing check per proof). KZG accumulator batches all pairing equations into a single check via MSM, giving sub-linear scaling. @@ -59,4 +59,4 @@ Sequential verification scales linearly (one pairing check per proof). KZG accum |------------|---------| | Compressed | 592 bytes | -Serialization time: ~771 ns. +Serialization time: ~770 ns.