improve: apply tachyon optimizations(1)

halo2_backend/src/plonk/evaluation.rs

@@ -408,8 +408,16 @@ impl<C: CurveAffine> Evaluator<C> {
                 let chunk_len = pk.vk.cs.degree() - 2;
                 let delta_start = beta * C::Scalar::ZETA;
 
-                let first_set = sets.first().unwrap();
-                let last_set = sets.last().unwrap();
+                let permutation_product_cosets: Vec<
+                    Polynomial<C::ScalarExt, ExtendedLagrangeCoeff>,
+                > = sets
+                    .iter()
+                    .map(|set| domain.coeff_to_extended(set.permutation_product_poly.clone()))
+                    .collect();
+
+                let first_set_permutation_product_coset =
+                    permutation_product_cosets.first().unwrap();
+                let last_set_permutation_product_coset = permutation_product_cosets.last().unwrap();
 
                 // Permutation constraints
                 parallelize(&mut values, |values, start| {
@@ -422,22 +430,21 @@ impl<C: CurveAffine> Evaluator<C> {
                         // Enforce only for the first set.
                         // l_0(X) * (1 - z_0(X)) = 0
                         *value = *value * y
-                            + ((one - first_set.permutation_product_coset[idx]) * l0[idx]);
+                            + ((one - first_set_permutation_product_coset[idx]) * l0[idx]);
                         // Enforce only for the last set.
                         // l_last(X) * (z_l(X)^2 - z_l(X)) = 0
                         *value = *value * y
-                            + ((last_set.permutation_product_coset[idx]
-                                * last_set.permutation_product_coset[idx]
-                                - last_set.permutation_product_coset[idx])
+                            + ((last_set_permutation_product_coset[idx]
+                                * last_set_permutation_product_coset[idx]
+                                - last_set_permutation_product_coset[idx])
                                 * l_last[idx]);
                         // Except for the first set, enforce.
                         // l_0(X) * (z_i(X) - z_{i-1}(\omega^(last) X)) = 0
-                        for (set_idx, set) in sets.iter().enumerate() {
+                        for set_idx in 0..sets.len() {
                             if set_idx != 0 {
                                 *value = *value * y
-                                    + ((set.permutation_product_coset[idx]
-                                        - permutation.sets[set_idx - 1].permutation_product_coset
-                                            [r_last])
+                                    + ((permutation_product_cosets[set_idx][idx]
+                                        - permutation_product_cosets[set_idx - 1][r_last])
                                         * l0[idx]);
                             }
                         }
@@ -447,12 +454,13 @@ impl<C: CurveAffine> Evaluator<C> {
                         // - z_i(X) \prod_j (p(X) + \delta^j \beta X + \gamma)
                         // )
                         let mut current_delta = delta_start * beta_term;
-                        for ((set, columns), cosets) in sets
-                            .iter()
-                            .zip(p.columns.chunks(chunk_len))
-                            .zip(pk.permutation.cosets.chunks(chunk_len))
+                        for ((permutation_product_coset, columns), cosets) in
+                            permutation_product_cosets
+                                .iter()
+                                .zip(p.columns.chunks(chunk_len))
+                                .zip(pk.permutation.cosets.chunks(chunk_len))
                         {
-                            let mut left = set.permutation_product_coset[r_next];
+                            let mut left = permutation_product_coset[r_next];
                             for (values, permutation) in columns
                                 .iter()
                                 .map(|&column| match column.column_type {
@@ -465,7 +473,7 @@ impl<C: CurveAffine> Evaluator<C> {
                                 left *= values[idx] + beta * permutation[idx] + gamma;
                             }
 
-                            let mut right = set.permutation_product_coset[idx];
+                            let mut right = permutation_product_coset[idx];
                             for values in columns.iter().map(|&column| match column.column_type {
                                 Any::Advice => &advice[column.index],
                                 Any::Fixed => &fixed[column.index],

halo2_backend/src/plonk/permutation/prover.rs

@@ -13,7 +13,7 @@ use crate::{
     plonk::{self, permutation::ProvingKey, ChallengeBeta, ChallengeGamma, ChallengeX, Error},
     poly::{
         commitment::{Blind, Params},
-        Coeff, ExtendedLagrangeCoeff, LagrangeCoeff, Polynomial, ProverQuery,
+        Coeff, LagrangeCoeff, Polynomial, ProverQuery,
     },
     transcript::{EncodedChallenge, TranscriptWrite},
 };
@@ -25,25 +25,15 @@ use halo2_middleware::poly::Rotation;
 
 pub(crate) struct CommittedSet<C: CurveAffine> {
     pub(crate) permutation_product_poly: Polynomial<C::Scalar, Coeff>,
-    pub(crate) permutation_product_coset: Polynomial<C::Scalar, ExtendedLagrangeCoeff>,
     permutation_product_blind: Blind<C::Scalar>,
 }
 
 pub(crate) struct Committed<C: CurveAffine> {
     pub(crate) sets: Vec<CommittedSet<C>>,
 }
 
-pub(crate) struct ConstructedSet<C: CurveAffine> {
-    permutation_product_poly: Polynomial<C::Scalar, Coeff>,
-    permutation_product_blind: Blind<C::Scalar>,
-}
-
-pub(crate) struct Constructed<C: CurveAffine> {
-    sets: Vec<ConstructedSet<C>>,
-}
-
 pub(crate) struct Evaluated<C: CurveAffine> {
-    constructed: Constructed<C>,
+    constructed: Committed<C>,
 }
 
 #[allow(clippy::too_many_arguments)]
@@ -177,39 +167,20 @@ pub(in crate::plonk) fn permutation_commit<
             .commit_lagrange(&engine.msm_backend, &z, blind)
             .to_affine();
         let permutation_product_blind = blind;
-        let z = domain.lagrange_to_coeff(z);
-        let permutation_product_poly = z.clone();
-
-        let permutation_product_coset = domain.coeff_to_extended(z);
+        let permutation_product_poly = domain.lagrange_to_coeff(z);
 
         // Hash the permutation product commitment
         transcript.write_point(permutation_product_commitment)?;
 
         sets.push(CommittedSet {
             permutation_product_poly,
-            permutation_product_coset,
             permutation_product_blind,
         });
     }
 
     Ok(Committed { sets })
 }
 
-impl<C: CurveAffine> Committed<C> {
-    pub(in crate::plonk) fn construct(self) -> Constructed<C> {
-        Constructed {
-            sets: self
-                .sets
-                .iter()
-                .map(|set| ConstructedSet {
-                    permutation_product_poly: set.permutation_product_poly.clone(),
-                    permutation_product_blind: set.permutation_product_blind,
-                })
-                .collect(),
-        }
-    }
-}
-
 impl<C: CurveAffine> super::ProvingKey<C> {
     pub(in crate::plonk) fn open(
         &self,
@@ -236,7 +207,7 @@ impl<C: CurveAffine> super::ProvingKey<C> {
     }
 }
 
-impl<C: CurveAffine> Constructed<C> {
+impl<C: CurveAffine> Committed<C> {
     pub(in crate::plonk) fn evaluate<E: EncodedChallenge<C>, T: TranscriptWrite<C, E>>(
         self,
         pk: &plonk::ProvingKey<C>,

halo2_backend/src/plonk/prover.rs

@@ -507,7 +507,7 @@
     /// - 10. Compute and hash instance evals for the circuit instance
     /// - 11. Compute and hash fixed evals
     /// - 12. Evaluate permutation, lookups and shuffles at x
     /// - 13. Generate all queries ([`ProverQuery`])
     /// - 14. Send the queries to the [`Prover`]
     pub fn create_proof(mut self) -> Result<(), Error>
     where
@@ -804,9 +804,7 @@
         let permutations_evaluated: Vec<permutation::prover::Evaluated<Scheme::Curve>> =
             permutations_commited
                 .into_iter()
-                .map(|permutation| -> Result<_, _> {
-                    permutation.construct().evaluate(pk, x, self.transcript)
-                })
+                .map(|permutation| -> Result<_, _> { permutation.evaluate(pk, x, self.transcript) })
                 .collect::<Result<Vec<_>, _>>()?;
 
         // Evaluate the lookups, if any, at omega^i x.

halo2_backend/src/plonk/vanishing/prover.rs

@@ -131,18 +131,20 @@ impl<C: CurveAffine> Committed<C> {
             .collect();
 
         // Compute commitments to each h(X) piece
-        let h_commitments_projective: Vec<_> = h_pieces
-            .iter()
-            .zip(h_blinds.iter())
-            .map(|(h_piece, blind)| params.commit(&engine.msm_backend, h_piece, *blind))
-            .collect();
-        let mut h_commitments = vec![C::identity(); h_commitments_projective.len()];
-        C::Curve::batch_normalize(&h_commitments_projective, &mut h_commitments);
-        let h_commitments = h_commitments;
+        let h_commitments = {
+            let h_commitments_projective: Vec<_> = h_pieces
+                .iter()
+                .zip(h_blinds.iter())
+                .map(|(h_piece, blind)| params.commit(&engine.msm_backend, h_piece, *blind))
+                .collect();
+            let mut h_commitments = vec![C::identity(); h_commitments_projective.len()];
+            C::Curve::batch_normalize(&h_commitments_projective, &mut h_commitments);
+            h_commitments
+        };
 
         // Hash each h(X) piece
-        for c in h_commitments.iter() {
-            transcript.write_point(*c)?;
+        for c in h_commitments {
+            transcript.write_point(c)?;
         }
 
         Ok(Constructed {