zal: via extra parameter - stashing before meeting

privacy-scaling-explorations · Feb 15, 2024 · 1007ec9 · 1007ec9
1 parent 3cb3723
commit 1007ec9
Show file tree

Hide file tree

Showing 26 changed files with 251 additions and 101 deletions.
diff --git a/halo2_backend/src/plonk/keygen.rs b/halo2_backend/src/plonk/keygen.rs
@@ -2,6 +2,7 @@
 
 use group::Curve;
 use halo2_middleware::ff::{Field, FromUniformBytes};
+use halo2curves::zal::H2cEngine;
 
 use super::{evaluation::Evaluator, permutation, Polynomial, ProvingKey, VerifyingKey};
 use crate::{
@@ -72,6 +73,7 @@ where
         .map(|poly| {
             params
                 .commit_lagrange(
+                    &H2cEngine::new(),
                     &Polynomial::new_lagrange_from_vec(poly.clone()),
                     Blind::default(),
                 )

diff --git a/halo2_backend/src/plonk/lookup/prover.rs b/halo2_backend/src/plonk/lookup/prover.rs
@@ -18,6 +18,7 @@ use halo2_common::plonk::{
 };
 use halo2_middleware::ff::WithSmallOrderMulGroup;
 use halo2_middleware::poly::Rotation;
+use halo2curves::zal::MsmAccel;
 use rand_core::RngCore;
 use std::{
     collections::BTreeMap,
@@ -71,6 +72,7 @@ pub(in crate::plonk) fn lookup_commit_permuted<
     R: RngCore,
     T: TranscriptWrite<C, E>,
 >(
+    engine: &impl MsmAccel<C>,
     arg: &Argument<F>,
     pk: &ProvingKey<C>,
     params: &P,
@@ -128,7 +130,7 @@ where
     let mut commit_values = |values: &Polynomial<C::Scalar, LagrangeCoeff>| {
         let poly = pk.vk.domain.lagrange_to_coeff(values.clone());
         let blind = Blind(C::Scalar::random(&mut rng));
-        let commitment = params.commit_lagrange(values, blind).to_affine();
+        let commitment = params.commit_lagrange(engine, values, blind).to_affine();
         (poly, blind, commitment)
     };
 
@@ -172,6 +174,7 @@ impl<C: CurveAffine> Permuted<C> {
         T: TranscriptWrite<C, E>,
     >(
         self,
+        engine: &impl MsmAccel<C>,
         pk: &ProvingKey<C>,
         params: &P,
         beta: ChallengeBeta<C>,
@@ -288,7 +291,9 @@ impl<C: CurveAffine> Permuted<C> {
         }
 
         let product_blind = Blind(C::Scalar::random(rng));
-        let product_commitment = params.commit_lagrange(&z, product_blind).to_affine();
+        let product_commitment = params
+            .commit_lagrange(engine, &z, product_blind)
+            .to_affine();
         let z = pk.vk.domain.lagrange_to_coeff(z);
 
         // Hash product commitment

diff --git a/halo2_backend/src/plonk/permutation/keygen.rs b/halo2_backend/src/plonk/permutation/keygen.rs
@@ -1,5 +1,6 @@
 use group::Curve;
 use halo2_middleware::ff::{Field, PrimeField};
+use halo2curves::zal::H2cEngine;
 
 use super::{Argument, ProvingKey, VerifyingKey};
 use crate::{
@@ -477,7 +478,7 @@ pub(crate) fn build_vk<'params, C: CurveAffine, P: Params<'params, C>>(
         // Compute commitment to permutation polynomial
         commitments.push(
             params
-                .commit_lagrange(permutation, Blind::default())
+                .commit_lagrange(&H2cEngine::new(), permutation, Blind::default())
                 .to_affine(),
         );
     }

diff --git a/halo2_backend/src/plonk/permutation/prover.rs b/halo2_backend/src/plonk/permutation/prover.rs
@@ -3,6 +3,7 @@ use group::{
     Curve,
 };
 use halo2_middleware::ff::PrimeField;
+use halo2curves::zal::MsmAccel;
 use rand_core::RngCore;
 use std::iter::{self, ExactSizeIterator};
 
@@ -55,6 +56,7 @@ pub(in crate::plonk) fn permutation_commit<
     R: RngCore,
     T: TranscriptWrite<C, E>,
 >(
+    engine: &impl MsmAccel<C>,
     arg: &Argument,
     params: &P,
     pk: &plonk::ProvingKey<C>,
@@ -172,7 +174,7 @@ pub(in crate::plonk) fn permutation_commit<
 
         let blind = Blind(C::Scalar::random(&mut rng));
 
-        let permutation_product_commitment_projective = params.commit_lagrange(&z, blind);
+        let permutation_product_commitment_projective = params.commit_lagrange(engine, &z, blind);
         let permutation_product_blind = blind;
         let z = domain.lagrange_to_coeff(z);
         let permutation_product_poly = z.clone();

diff --git a/halo2_backend/src/plonk/prover.rs b/halo2_backend/src/plonk/prover.rs
@@ -1,5 +1,6 @@
 use group::Curve;
 use halo2_middleware::ff::{Field, FromUniformBytes, WithSmallOrderMulGroup};
+use halo2curves::zal::{H2cEngine, MsmAccel};
 use rand_core::RngCore;
 use std::collections::{BTreeSet, HashSet};
 use std::{collections::HashMap, iter};
@@ -59,6 +60,7 @@ impl<
 {
     /// Create a new prover object
     pub fn new(
+        engine: &impl MsmAccel<Scheme::Curve>,
         params: &'params Scheme::ParamsProver,
         pk: &'a ProvingKey<Scheme::Curve>,
         // TODO: If this was a vector the usage would be simpler
@@ -71,6 +73,7 @@ impl<
         Scheme::Scalar: WithSmallOrderMulGroup<3> + FromUniformBytes<64>,
     {
         Ok(Self(ProverV2::new(
+            engine,
             params,
             pk,
             &[instance],
@@ -82,22 +85,33 @@ impl<
     /// Commit the `witness` at `phase` and return the challenges after `phase`.
     pub fn commit_phase(
         &mut self,
+        engine: &impl MsmAccel<Scheme::Curve>,
         phase: u8,
         witness: Vec<Option<Vec<Scheme::Scalar>>>,
     ) -> Result<HashMap<usize, Scheme::Scalar>, Error>
     where
         Scheme::Scalar: WithSmallOrderMulGroup<3> + FromUniformBytes<64>,
     {
-        self.0.commit_phase(phase, vec![witness])
+        self.0.commit_phase(engine, phase, vec![witness])
     }
 
     /// Finalizes the proof creation.
     pub fn create_proof(self) -> Result<(), Error>
     where
         Scheme::Scalar: WithSmallOrderMulGroup<3> + FromUniformBytes<64>,
     {
-        self.0.create_proof()
+        self.create_proof_with_engine(&H2cEngine::new())
     }
+
+    /// Finalizes the proof creation.
+    /// TODO: change to "ZalEngine" which will contain MsmAccel and FftAccel trait accelerators
+    pub fn create_proof_with_engine(self, engine: &impl MsmAccel<Scheme::Curve>) -> Result<(), Error>
+    where
+        Scheme::Scalar: WithSmallOrderMulGroup<3> + FromUniformBytes<64>,
+    {
+        self.0.create_proof_with_engine(engine)
+    }
+
 }
 
 /// The prover object used to create proofs interactively by passing the witnesses to commit at
@@ -139,6 +153,7 @@ impl<
 {
     /// Create a new prover object
     pub fn new(
+        engine: &impl MsmAccel<Scheme::Curve>,
         params: &'params Scheme::ParamsProver,
         pk: &'a ProvingKey<Scheme::Curve>,
         // TODO: If this was a vector the usage would be simpler.
@@ -187,7 +202,7 @@ impl<
                 if P::QUERY_INSTANCE {
                     let instance_commitments_projective: Vec<_> = instance_values
                         .iter()
-                        .map(|poly| params.commit_lagrange(poly, Blind::default()))
+                        .map(|poly| params.commit_lagrange(engine, poly, Blind::default()))
                         .collect();
                     let mut instance_commitments =
                         vec![Scheme::Curve::identity(); instance_commitments_projective.len()];
@@ -252,6 +267,7 @@ impl<
     #[allow(clippy::type_complexity)]
     pub fn commit_phase(
         &mut self,
+        engine: &impl MsmAccel<Scheme::Curve>,
         phase: u8,
         witness: Vec<Vec<Option<Vec<Scheme::Scalar>>>>,
     ) -> Result<HashMap<usize, Scheme::Scalar>, Error>
@@ -369,7 +385,7 @@ impl<
                 let advice_commitments_projective: Vec<_> = advice_values
                     .iter()
                     .zip(blinds.iter())
-                    .map(|(poly, blind)| params.commit_lagrange(poly, *blind))
+                    .map(|(poly, blind)| params.commit_lagrange(engine, poly, *blind))
                     .collect();
                 let mut advice_commitments =
                     vec![Scheme::Curve::identity(); advice_commitments_projective.len()];
@@ -415,7 +431,7 @@ impl<
     }
 
     /// Finalizes the proof creation.
-    pub fn create_proof(mut self) -> Result<(), Error>
+    pub fn create_proof_with_engine(mut self, engine: &impl MsmAccel<Scheme::Curve>) -> Result<(), Error>
     where
         Scheme::Scalar: WithSmallOrderMulGroup<3> + FromUniformBytes<64>,
     {
@@ -447,6 +463,7 @@ impl<
                     .iter()
                     .map(|lookup| {
                         lookup_commit_permuted(
+                            engine,
                             lookup,
                             pk,
                             params,
@@ -483,6 +500,7 @@ impl<
             .zip(advice.iter())
             .map(|(instance, advice)| {
                 permutation_commit(
+                    engine,
                     &meta.permutation,
                     params,
                     pk,
@@ -505,7 +523,7 @@ impl<
                 lookups
                     .into_iter()
                     .map(|lookup| {
-                        lookup.commit_product(pk, params, beta, gamma, &mut rng, self.transcript)
+                        lookup.commit_product(engine, pk, params, beta, gamma, &mut rng, self.transcript)
                     })
                     .collect::<Result<Vec<_>, _>>()
             })
@@ -520,6 +538,7 @@ impl<
                     .iter()
                     .map(|shuffle| {
                         shuffle_commit_product(
+                            engine,
                             shuffle,
                             pk,
                             params,
@@ -539,7 +558,7 @@ impl<
             .collect::<Result<Vec<_>, _>>()?;
 
         // Commit to the vanishing argument's random polynomial for blinding h(x_3)
-        let vanishing = vanishing::Argument::commit(params, domain, &mut rng, self.transcript)?;
+        let vanishing = vanishing::Argument::commit(engine, params, domain, &mut rng, self.transcript)?;
 
         // Obtain challenge for keeping all separate gates linearly independent
         let y: ChallengeY<_> = self.transcript.squeeze_challenge_scalar();
@@ -585,7 +604,7 @@ impl<
         );
 
         // Construct the vanishing argument's h(X) commitments
-        let vanishing = vanishing.construct(params, domain, h_poly, &mut rng, self.transcript)?;
+        let vanishing = vanishing.construct(engine, params, domain, h_poly, &mut rng, self.transcript)?;
 
         let x: ChallengeX<_> = self.transcript.squeeze_challenge_scalar();
         let xn = x.pow([params.n()]);
@@ -725,9 +744,18 @@ impl<
 
         let prover = P::new(params);
         prover
-            .create_proof(rng, self.transcript, instances)
+            .create_proof(engine, rng, self.transcript, instances)
             .map_err(|_| Error::ConstraintSystemFailure)?;
 
         Ok(())
     }
+
+    /// Finalizes the proof creation.
+    pub fn create_proof(mut self) -> Result<(), Error>
+    where
+        Scheme::Scalar: WithSmallOrderMulGroup<3> + FromUniformBytes<64>,
+    {
+        self.create_proof_with_engine(&H2cEngine::new())
+    }
+
 }
diff --git a/halo2_backend/src/plonk/shuffle/prover.rs b/halo2_backend/src/plonk/shuffle/prover.rs
@@ -13,6 +13,7 @@ use group::{ff::BatchInvert, Curve};
 use halo2_common::plonk::{ChallengeGamma, ChallengeTheta, ChallengeX, Error, Expression};
 use halo2_middleware::ff::WithSmallOrderMulGroup;
 use halo2_middleware::poly::Rotation;
+use halo2curves::zal::MsmAccel;
 use rand_core::RngCore;
 use std::{
     iter,
@@ -103,6 +104,7 @@ pub(in crate::plonk) fn shuffle_commit_product<
     R: RngCore,
     T: TranscriptWrite<C, E>,
 >(
+    engine: &impl MsmAccel<C>,
     arg: &Argument<F>,
     pk: &ProvingKey<C>,
     params: &P,
@@ -188,7 +190,7 @@ where
     }
 
     let product_blind = Blind(C::Scalar::random(rng));
-    let product_commitment = params.commit_lagrange(&z, product_blind).to_affine();
+    let product_commitment = params.commit_lagrange(engine, &z, product_blind).to_affine();
     let z = pk.vk.domain.lagrange_to_coeff(z);
 
     // Hash product commitment

diff --git a/halo2_backend/src/plonk/vanishing/prover.rs b/halo2_backend/src/plonk/vanishing/prover.rs
@@ -3,6 +3,7 @@ use std::{collections::HashMap, iter};
 use group::Curve;
 use halo2_common::plonk::{ChallengeX, Error};
 use halo2_middleware::ff::Field;
+use halo2curves::zal::MsmAccel;
 use rand_chacha::ChaCha20Rng;
 use rand_core::{RngCore, SeedableRng};
 
@@ -42,6 +43,7 @@ impl<C: CurveAffine> Argument<C> {
         R: RngCore,
         T: TranscriptWrite<C, E>,
     >(
+        engine: &impl MsmAccel<C>,
         params: &P,
         domain: &EvaluationDomain<C::Scalar>,
         mut rng: R,
@@ -83,7 +85,9 @@ impl<C: CurveAffine> Argument<C> {
         let random_blind = Blind(C::Scalar::random(rng));
 
         // Commit
-        let c = params.commit(&random_poly, random_blind).to_affine();
+        let c = params
+            .commit(engine, &random_poly, random_blind)
+            .to_affine();
         transcript.write_point(c)?;
 
         Ok(Committed {
@@ -102,6 +106,7 @@ impl<C: CurveAffine> Committed<C> {
         T: TranscriptWrite<C, E>,
     >(
         self,
+        engine: &impl MsmAccel<C>,
         params: &P,
         domain: &EvaluationDomain<C::Scalar>,
         h_poly: Polynomial<C::Scalar, ExtendedLagrangeCoeff>,
@@ -129,7 +134,7 @@ impl<C: CurveAffine> Committed<C> {
         let h_commitments_projective: Vec<_> = h_pieces
             .iter()
             .zip(h_blinds.iter())
-            .map(|(h_piece, blind)| params.commit(h_piece, *blind))
+            .map(|(h_piece, blind)| params.commit(engine, h_piece, *blind))
             .collect();
         let mut h_commitments = vec![C::identity(); h_commitments_projective.len()];
         C::Curve::batch_normalize(&h_commitments_projective, &mut h_commitments);

diff --git a/halo2_backend/src/plonk/verifier.rs b/halo2_backend/src/plonk/verifier.rs
@@ -3,6 +3,7 @@ use halo2_common::plonk::{
     ChallengeBeta, ChallengeGamma, ChallengeTheta, ChallengeX, ChallengeY, Error,
 };
 use halo2_middleware::ff::{Field, FromUniformBytes, WithSmallOrderMulGroup};
+use halo2curves::zal::H2cEngine;
 use std::iter;
 
 use super::{vanishing, VerifyingKey};
@@ -63,6 +64,9 @@ pub fn verify_proof<
 where
     Scheme::Scalar: WithSmallOrderMulGroup<3> + FromUniformBytes<64>,
 {
+    // ZAL: Verification is (supposedly) cheap, hence we don't use an accelerator engine
+    let default_engine = H2cEngine::new();
+
     // Check that instances matches the expected number of instance columns
     for instances in instances.iter() {
         if instances.len() != vk.cs.num_instance_columns {
@@ -84,7 +88,9 @@ where
                         poly.resize(params.n() as usize, Scheme::Scalar::ZERO);
                         let poly = vk.domain.lagrange_from_vec(poly);
 
-                        Ok(params.commit_lagrange(&poly, Blind::default()).to_affine())
+                        Ok(params
+                            .commit_lagrange(&default_engine, &poly, Blind::default())
+                            .to_affine())
                     })
                     .collect::<Result<Vec<_>, _>>()
             })

diff --git a/halo2_backend/src/plonk/verifier/batch.rs b/halo2_backend/src/plonk/verifier/batch.rs
@@ -1,7 +1,7 @@
 use group::ff::Field;
 use halo2_common::plonk::Error;
 use halo2_middleware::ff::FromUniformBytes;
-use halo2curves::CurveAffine;
+use halo2curves::{zal::H2cEngine, CurveAffine};
 use rand_core::OsRng;
 
 use super::{verify_proof, VerificationStrategy};
@@ -129,7 +129,8 @@ where
             );
 
         match final_msm {
-            Ok(msm) => msm.check(),
+            // ZAL: Verification is (supposedly) cheap, hence we don't use an accelerator engine
+            Ok(msm) => msm.check(&H2cEngine::new()),
             Err(_) => false,
         }
     }