improve: apply tachyon optimizations(1)

halo2_backend/src/plonk/evaluation.rs

@@ -408,8 +408,16 @@ impl<C: CurveAffine> Evaluator<C> {
                 let chunk_len = pk.vk.cs.degree() - 2;
                 let delta_start = beta * C::Scalar::ZETA;
 
-                let first_set = sets.first().unwrap();
-                let last_set = sets.last().unwrap();
+                let permutation_product_cosets: Vec<
+                    Polynomial<C::ScalarExt, ExtendedLagrangeCoeff>,
+                > = sets
+                    .iter()
+                    .map(|set| domain.coeff_to_extended(set.permutation_product_poly.clone()))
+                    .collect();
+
+                let first_set_permutation_product_coset =
+                    permutation_product_cosets.first().unwrap();
+                let last_set_permutation_product_coset = permutation_product_cosets.last().unwrap();
 
                 // Permutation constraints
                 parallelize(&mut values, |values, start| {
@@ -422,22 +430,21 @@ impl<C: CurveAffine> Evaluator<C> {
                         // Enforce only for the first set.
                         // l_0(X) * (1 - z_0(X)) = 0
                         *value = *value * y
-                            + ((one - first_set.permutation_product_coset[idx]) * l0[idx]);
+                            + ((one - first_set_permutation_product_coset[idx]) * l0[idx]);
                         // Enforce only for the last set.
                         // l_last(X) * (z_l(X)^2 - z_l(X)) = 0
                         *value = *value * y
-                            + ((last_set.permutation_product_coset[idx]
-                                * last_set.permutation_product_coset[idx]
-                                - last_set.permutation_product_coset[idx])
+                            + ((last_set_permutation_product_coset[idx]
+                                * last_set_permutation_product_coset[idx]
+                                - last_set_permutation_product_coset[idx])
                                 * l_last[idx]);
                         // Except for the first set, enforce.
                         // l_0(X) * (z_i(X) - z_{i-1}(\omega^(last) X)) = 0
-                        for (set_idx, set) in sets.iter().enumerate() {
+                        for (set_idx, _) in sets.iter().enumerate() {
                             if set_idx != 0 {
                                 *value = *value * y
-                                    + ((set.permutation_product_coset[idx]
-                                        - permutation.sets[set_idx - 1].permutation_product_coset
-                                            [r_last])
+                                    + ((permutation_product_cosets[set_idx][idx]
+                                        - permutation_product_cosets[set_idx - 1][r_last])
                                         * l0[idx]);
                             }
                         }
@@ -447,12 +454,13 @@ impl<C: CurveAffine> Evaluator<C> {
                         // - z_i(X) \prod_j (p(X) + \delta^j \beta X + \gamma)
                         // )
                         let mut current_delta = delta_start * beta_term;
-                        for ((set, columns), cosets) in sets
+                        for (((set_idx, _), columns), cosets) in sets
                             .iter()
+                            .enumerate()
                             .zip(p.columns.chunks(chunk_len))
                             .zip(pk.permutation.cosets.chunks(chunk_len))
                         {
-                            let mut left = set.permutation_product_coset[r_next];
+                            let mut left = permutation_product_cosets[set_idx][r_next];
                             for (values, permutation) in columns
                                 .iter()
                                 .map(|&column| match column.column_type {
@@ -465,7 +473,7 @@ impl<C: CurveAffine> Evaluator<C> {
                                 left *= values[idx] + beta * permutation[idx] + gamma;
                             }
 
-                            let mut right = set.permutation_product_coset[idx];
+                            let mut right = permutation_product_cosets[set_idx][idx];
                             for values in columns.iter().map(|&column| match column.column_type {
                                 Any::Advice => &advice[column.index],
                                 Any::Fixed => &fixed[column.index],

halo2_backend/src/plonk/permutation/prover.rs

@@ -13,7 +13,7 @@ use crate::{
     plonk::{self, permutation::ProvingKey, ChallengeBeta, ChallengeGamma, ChallengeX, Error},
     poly::{
         commitment::{Blind, Params},
-        Coeff, ExtendedLagrangeCoeff, LagrangeCoeff, Polynomial, ProverQuery,
+        Coeff, LagrangeCoeff, Polynomial, ProverQuery,
     },
     transcript::{EncodedChallenge, TranscriptWrite},
 };
@@ -25,7 +25,6 @@ use halo2_middleware::poly::Rotation;
 
 pub(crate) struct CommittedSet<C: CurveAffine> {
     pub(crate) permutation_product_poly: Polynomial<C::Scalar, Coeff>,
-    pub(crate) permutation_product_coset: Polynomial<C::Scalar, ExtendedLagrangeCoeff>,
     permutation_product_blind: Blind<C::Scalar>,
 }
 
@@ -177,17 +176,13 @@ pub(in crate::plonk) fn permutation_commit<
             .commit_lagrange(&engine.msm_backend, &z, blind)
             .to_affine();
         let permutation_product_blind = blind;
-        let z = domain.lagrange_to_coeff(z);
-        let permutation_product_poly = z.clone();
-
-        let permutation_product_coset = domain.coeff_to_extended(z);
+        let permutation_product_poly = domain.lagrange_to_coeff(z);
 
         // Hash the permutation product commitment
         transcript.write_point(permutation_product_commitment)?;
 
         sets.push(CommittedSet {
             permutation_product_poly,
-            permutation_product_coset,
             permutation_product_blind,
         });
     }

halo2_backend/src/plonk/vanishing/prover.rs

@@ -131,18 +131,20 @@ impl<C: CurveAffine> Committed<C> {
             .collect();
 
         // Compute commitments to each h(X) piece
-        let h_commitments_projective: Vec<_> = h_pieces
-            .iter()
-            .zip(h_blinds.iter())
-            .map(|(h_piece, blind)| params.commit(&engine.msm_backend, h_piece, *blind))
-            .collect();
-        let mut h_commitments = vec![C::identity(); h_commitments_projective.len()];
-        C::Curve::batch_normalize(&h_commitments_projective, &mut h_commitments);
-        let h_commitments = h_commitments;
+        let h_commitments = {
+            let h_commitments_projective: Vec<_> = h_pieces
+                .iter()
+                .zip(h_blinds.iter())
+                .map(|(h_piece, blind)| params.commit(&engine.msm_backend, h_piece, *blind))
+                .collect();
+            let mut h_commitments = vec![C::identity(); h_commitments_projective.len()];
+            C::Curve::batch_normalize(&h_commitments_projective, &mut h_commitments);
+            h_commitments
+        };
 
         // Hash each h(X) piece
-        for c in h_commitments.iter() {
-            transcript.write_point(*c)?;
+        for c in h_commitments {
+            transcript.write_point(c)?;
         }
 
         Ok(Constructed {