-
Notifications
You must be signed in to change notification settings - Fork 405
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
perf: bounded scalar multiplication #934
Conversation
I also tried implementing Maybe, if there is a way to make current scalar multiplication wide (by sharing some computation), then makes sense to revert the commit. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks great! I looked into WideScalarMul
for instance size 2 and I didn't neither come with a nice algorithm given the algorithms we use in ScalarMul
and ScalarMulBase
. For 2-chains GLV, indeed I don't think it would save constraints because the loop size there is bounded by lambda
the (fixed) endomorphism eigenvalue size. Maybe for later we can try the approach of using GLV only if the scalar is uniformly random in Fr
and using the bounded scalar approach if the scalar are of a particular form e.g. smaller than half lambda
. But this not crucial for now and it needs benchmarking to confirm.
046d814
to
80deb09
Compare
Description
This PR adds options for algebra methods to allow changing the behaviour of the curve operations. Particular options what I added are:
P_0 + r P_1 + r^2 P_2 + ... + r^n P_n
then instead computes asP_0 + r(P_1 + r(P_2 + r(...))
. This option becomes particularly useful when combined withWithNbDigits
as we don't have to compute the powers ofr
and every scalar multiplication is bounded.In PLONK verifier circuit for verifying BW6 in BN254 allows to save approximately 19% (12M constraints) as most of the cost is actually in MSMs not in pairing computation.
I implemented bounded scalar multiplication only for emulated scalar multiplication as we use GLV for 2-chains and I'm not sure the bound would help (imo we can only assume the scalars
s1, s2 < lambda
). Maybe @yelhousni can confirm?Should be merged after #880.
Type of change
How has this been tested?
TestScalarMulBounded
How has this been benchmarked?
Benchmarked PLONK verifier circuit size, going from 78M to 66M (with #749 and #925 included).
Checklist:
golangci-lint
does not output errors locally