Use a generic group abstraction supporting G1 and GT #1
Draft: jsign wants to merge 26 commits into main from jsign-gt (base: main)
Commits (each signed off by Ignacio Hagopian <[email protected]>):
Jsign gt
group: add constraint that order is r
innerproductargument: support for Gt
Complete Curdleproof migration to generic group backend
This PR completes migrating to the generic backend that can run G1 and GT (or any group with order Fr field size).
TL;DR - Show me the numbers
Here’s the benchmark for a complete curdleproofs run in various setups:
Prover:
Verifier (please see the "Notes and caveats" section):
Internal arguments:
Note: the (Ams+Bms) refers to Ams for the verifier logic, and Bms for the accumulated MSM check.
Note: the setups for these are scaled down; IIRC length is usually 128. We could do "more serious" benchmarks for different sizes if needed.
Notes and caveats
The implementation for G1 is the same as the original implementation, so there is nothing interesting to say here. There are some inefficiencies due to the generic group abstraction layer. In any case, if G1 is decided to be used we can remove that and probably avoid those inefficiencies (i.e., the original impl).
The implementation for GT is fine but naive/optimizable. The most naive and inefficient part of the implementation is doing MSMs in GT, mostly because this is implemented now as a sum of scalar multiplications, which could be better. This was done now since the plan was to have this working for a generic group so that we can improve on that. We could use a Pippenger variant over GT, apply any trick for the GT algebraic structure (if any?), or any other idea. This means that the "GT verifier" numbers should be taken with a grain of salt, so adjust your interpretation accordingly.
I'm using a version of gnark-crypto that has a patch I did some days ago to improve the performance of G1 equality checks, which became relevant for the new way the MSM accumulator works. The gnark team still has to review that, but I'm taking that out of the way so it doesn't interfere with the results. When (and if) it gets merged, I'll switch back to gnark-crypto@master, just to avoid pointing to my fork.
Correctness
I also migrated all existing tests, which exist for completeness and soundness. I mostly did this to gain some confidence that things were working as expected; like, the chance of all this working with all that passing and having a mistake is quite low. (And actually, I got into some bug-fixing rabbit holes “thanks” to that).
Run with go test ./... -v (I won't paste the output; it's too long).
Reproduce on your machine
For curdleproofs:
For tests and internal arguments ~benchmarks, run:
go test ./... -v -parallel=1
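The description above says the GT MSM is currently "a sum of scalar multiplications" and that a Pippenger variant over a generic group is the obvious next step. The following Go program is an added example, not code from this PR or from the curdleproofs/gnark-crypto code bases: it assumes a minimal generic group interface (`Group[E]`, with `Identity`, `Add`, `ScalarMul`, `Equal`, `Order`) and a constructed toy group (integers modulo the prime 1000003 under addition) standing in for G1/GT, and shows the naive MSM next to a textbook bucket-method (Pippenger) MSM written only against that interface, so the same code would apply to any prime-order group the abstraction wraps.

```go
package main

import (
	"fmt"
	"math/big"
)

// Group is an additively written prime-order group abstraction, assumed for
// this example only (not the PR's actual interface). E is the element type;
// scalars are big.Ints in [0, Order()).
type Group[E any] interface {
	Identity() E
	Add(a, b E) E
	ScalarMul(p E, s *big.Int) E
	Equal(a, b E) bool
	Order() *big.Int
}

// ZrGroup is a constructed toy group: integers modulo a prime r under
// addition. It stands in for G1/GT only so the MSM logic can run offline.
type ZrGroup struct{ r *big.Int }

func (g ZrGroup) Identity() *big.Int { return new(big.Int) }
func (g ZrGroup) Add(a, b *big.Int) *big.Int {
	return new(big.Int).Mod(new(big.Int).Add(a, b), g.r)
}
func (g ZrGroup) ScalarMul(p, s *big.Int) *big.Int {
	return new(big.Int).Mod(new(big.Int).Mul(p, s), g.r)
}
func (g ZrGroup) Equal(a, b *big.Int) bool { return a.Cmp(b) == 0 }
func (g ZrGroup) Order() *big.Int         { return g.r }

// NaiveMSM computes sum_i scalars[i]*points[i] as a plain sum of scalar
// multiplications: one full ScalarMul per point (the approach the PR
// description calls naive).
func NaiveMSM[E any](g Group[E], points []E, scalars []*big.Int) E {
	acc := g.Identity()
	for i := range points {
		acc = g.Add(acc, g.ScalarMul(points[i], scalars[i]))
	}
	return acc
}

// BucketMSM is a textbook Pippenger / bucket-method MSM with a c-bit window.
// For each window (most significant first) points are added into the bucket
// indexed by their scalar digit, buckets are combined with a running sum, and
// the accumulator is shifted by 2^c between windows (Horner's rule).
func BucketMSM[E any](g Group[E], points []E, scalars []*big.Int, c uint) E {
	twoC := new(big.Int).Lsh(big.NewInt(1), c)
	mask := new(big.Int).Sub(twoC, big.NewInt(1))
	nwin := (g.Order().BitLen() + int(c) - 1) / int(c)
	result := g.Identity()
	for w := nwin - 1; w >= 0; w-- {
		if w != nwin-1 {
			result = g.ScalarMul(result, twoC) // c doublings in a real group
		}
		buckets := make([]E, 1<<c)
		for b := range buckets {
			buckets[b] = g.Identity()
		}
		for i := range points {
			digit := new(big.Int).Rsh(scalars[i], uint(w)*c)
			d := digit.And(digit, mask).Int64()
			if d != 0 {
				buckets[d] = g.Add(buckets[d], points[i])
			}
		}
		running, windowSum := g.Identity(), g.Identity()
		for b := len(buckets) - 1; b >= 1; b-- {
			running = g.Add(running, buckets[b])  // sum of buckets[b..]
			windowSum = g.Add(windowSum, running) // contributes b*buckets[b] overall
		}
		result = g.Add(result, windowSum)
	}
	return result
}

// SampleMSM runs both MSMs on constructed inputs over Z_r with r = 1000003
// (a prime) and returns the two results, which must agree.
func SampleMSM() (naive, bucket *big.Int) {
	g := ZrGroup{r: big.NewInt(1000003)}
	points := []*big.Int{big.NewInt(3), big.NewInt(5), big.NewInt(7), big.NewInt(2)}
	scalars := []*big.Int{big.NewInt(11), big.NewInt(13), big.NewInt(17), big.NewInt(999999)}
	return NaiveMSM[*big.Int](g, points, scalars), BucketMSM[*big.Int](g, points, scalars, 4)
}

func main() {
	n, b := SampleMSM()
	fmt.Println("naive:", n, "bucket:", b, "equal:", n.Cmp(b) == 0)
}
```

The bucket method only ever calls `Add` on points and one `ScalarMul` by 2^c per window, so its cost is dominated by group additions rather than full scalar multiplications; in a real GT implementation those would be GT multiplications and c squarings respectively. The window size c is a tuning knob (larger windows mean fewer windows but more buckets), which is the kind of group-specific optimisation the description leaves open.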