From 323483ea0e8706eb5fd80ce8055992d547e1b94c Mon Sep 17 00:00:00 2001 From: Youssef El Housni Date: Sat, 22 Apr 2023 12:01:51 +0200 Subject: [PATCH] perf(kzg): remove G2 scalar mul in single verification --- ecc/bls12-377/fr/kzg/kzg.go | 27 +++++++-------------- ecc/bls12-378/fr/kzg/kzg.go | 27 +++++++-------------- ecc/bls12-381/fr/kzg/kzg.go | 27 +++++++-------------- ecc/bls24-315/fr/kzg/kzg.go | 27 +++++++-------------- ecc/bls24-317/fr/kzg/kzg.go | 27 +++++++-------------- ecc/bn254/fr/kzg/kzg.go | 27 +++++++-------------- ecc/bw6-633/fr/kzg/kzg.go | 27 +++++++-------------- ecc/bw6-756/fr/kzg/kzg.go | 27 +++++++-------------- ecc/bw6-761/fr/kzg/kzg.go | 27 +++++++-------------- internal/generator/kzg/template/kzg.go.tmpl | 26 +++++++------------- 10 files changed, 90 insertions(+), 179 deletions(-) diff --git a/ecc/bls12-377/fr/kzg/kzg.go b/ecc/bls12-377/fr/kzg/kzg.go index 1de592d089..3c139caf92 100644 --- a/ecc/bls12-377/fr/kzg/kzg.go +++ b/ecc/bls12-377/fr/kzg/kzg.go @@ -195,28 +195,19 @@ func Verify(commitment *Digest, proof *OpeningProof, point fr.Element, vk Verify var negH bls12377.G1Affine negH.Neg(&proof.H) - // [α-a]G₂ - var alphaMinusaG2Jac, genG2Jac, alphaG2Jac bls12377.G2Jac + // [f(α) - f(a) + a*H(α)]G₁ + var totalG1 bls12377.G1Jac var pointBigInt big.Int point.BigInt(&pointBigInt) - genG2Jac.FromAffine(&vk.G2[0]) - alphaG2Jac.FromAffine(&vk.G2[1]) - alphaMinusaG2Jac.ScalarMultiplication(&genG2Jac, &pointBigInt). - Neg(&alphaMinusaG2Jac). - AddAssign(&alphaG2Jac) + totalG1.ScalarMultiplicationAffine(&proof.H, &pointBigInt) + totalG1.AddAssign(&fminusfaG1Jac) + var totalG1Aff bls12377.G1Affine + totalG1Aff.FromJacobian(&totalG1) - // [α-a]G₂ - var xminusaG2Aff bls12377.G2Affine - xminusaG2Aff.FromJacobian(&alphaMinusaG2Jac) - - // [f(α) - f(a)]G₁ - var fminusfaG1Aff bls12377.G1Affine - fminusfaG1Aff.FromJacobian(&fminusfaG1Jac) - - // e([f(α) - f(a)]G₁, G₂).e([-H(α)]G₁, [α-a]G₂) ==? 1 + // e([f(α)-f(a)+aH(α)]G₁], G₂).e([-H(α)]G₁, [α]G₂) == 1 check, err := bls12377.PairingCheck( - []bls12377.G1Affine{fminusfaG1Aff, negH}, - []bls12377.G2Affine{vk.G2[0], xminusaG2Aff}, + []bls12377.G1Affine{totalG1Aff, negH}, + []bls12377.G2Affine{vk.G2[0], vk.G2[1]}, ) if err != nil { return err diff --git a/ecc/bls12-378/fr/kzg/kzg.go b/ecc/bls12-378/fr/kzg/kzg.go index 3348a73ce9..cd51d243ac 100644 --- a/ecc/bls12-378/fr/kzg/kzg.go +++ b/ecc/bls12-378/fr/kzg/kzg.go @@ -195,28 +195,19 @@ func Verify(commitment *Digest, proof *OpeningProof, point fr.Element, vk Verify var negH bls12378.G1Affine negH.Neg(&proof.H) - // [α-a]G₂ - var alphaMinusaG2Jac, genG2Jac, alphaG2Jac bls12378.G2Jac + // [f(α) - f(a) + a*H(α)]G₁ + var totalG1 bls12378.G1Jac var pointBigInt big.Int point.BigInt(&pointBigInt) - genG2Jac.FromAffine(&vk.G2[0]) - alphaG2Jac.FromAffine(&vk.G2[1]) - alphaMinusaG2Jac.ScalarMultiplication(&genG2Jac, &pointBigInt). - Neg(&alphaMinusaG2Jac). - AddAssign(&alphaG2Jac) + totalG1.ScalarMultiplicationAffine(&proof.H, &pointBigInt) + totalG1.AddAssign(&fminusfaG1Jac) + var totalG1Aff bls12378.G1Affine + totalG1Aff.FromJacobian(&totalG1) - // [α-a]G₂ - var xminusaG2Aff bls12378.G2Affine - xminusaG2Aff.FromJacobian(&alphaMinusaG2Jac) - - // [f(α) - f(a)]G₁ - var fminusfaG1Aff bls12378.G1Affine - fminusfaG1Aff.FromJacobian(&fminusfaG1Jac) - - // e([f(α) - f(a)]G₁, G₂).e([-H(α)]G₁, [α-a]G₂) ==? 1 + // e([f(α)-f(a)+aH(α)]G₁], G₂).e([-H(α)]G₁, [α]G₂) == 1 check, err := bls12378.PairingCheck( - []bls12378.G1Affine{fminusfaG1Aff, negH}, - []bls12378.G2Affine{vk.G2[0], xminusaG2Aff}, + []bls12378.G1Affine{totalG1Aff, negH}, + []bls12378.G2Affine{vk.G2[0], vk.G2[1]}, ) if err != nil { return err diff --git a/ecc/bls12-381/fr/kzg/kzg.go b/ecc/bls12-381/fr/kzg/kzg.go index c56313f7c4..ab879ec514 100644 --- a/ecc/bls12-381/fr/kzg/kzg.go +++ b/ecc/bls12-381/fr/kzg/kzg.go @@ -195,28 +195,19 @@ func Verify(commitment *Digest, proof *OpeningProof, point fr.Element, vk Verify var negH bls12381.G1Affine negH.Neg(&proof.H) - // [α-a]G₂ - var alphaMinusaG2Jac, genG2Jac, alphaG2Jac bls12381.G2Jac + // [f(α) - f(a) + a*H(α)]G₁ + var totalG1 bls12381.G1Jac var pointBigInt big.Int point.BigInt(&pointBigInt) - genG2Jac.FromAffine(&vk.G2[0]) - alphaG2Jac.FromAffine(&vk.G2[1]) - alphaMinusaG2Jac.ScalarMultiplication(&genG2Jac, &pointBigInt). - Neg(&alphaMinusaG2Jac). - AddAssign(&alphaG2Jac) + totalG1.ScalarMultiplicationAffine(&proof.H, &pointBigInt) + totalG1.AddAssign(&fminusfaG1Jac) + var totalG1Aff bls12381.G1Affine + totalG1Aff.FromJacobian(&totalG1) - // [α-a]G₂ - var xminusaG2Aff bls12381.G2Affine - xminusaG2Aff.FromJacobian(&alphaMinusaG2Jac) - - // [f(α) - f(a)]G₁ - var fminusfaG1Aff bls12381.G1Affine - fminusfaG1Aff.FromJacobian(&fminusfaG1Jac) - - // e([f(α) - f(a)]G₁, G₂).e([-H(α)]G₁, [α-a]G₂) ==? 1 + // e([f(α)-f(a)+aH(α)]G₁], G₂).e([-H(α)]G₁, [α]G₂) == 1 check, err := bls12381.PairingCheck( - []bls12381.G1Affine{fminusfaG1Aff, negH}, - []bls12381.G2Affine{vk.G2[0], xminusaG2Aff}, + []bls12381.G1Affine{totalG1Aff, negH}, + []bls12381.G2Affine{vk.G2[0], vk.G2[1]}, ) if err != nil { return err diff --git a/ecc/bls24-315/fr/kzg/kzg.go b/ecc/bls24-315/fr/kzg/kzg.go index 8e18919920..dcca454ffd 100644 --- a/ecc/bls24-315/fr/kzg/kzg.go +++ b/ecc/bls24-315/fr/kzg/kzg.go @@ -195,28 +195,19 @@ func Verify(commitment *Digest, proof *OpeningProof, point fr.Element, vk Verify var negH bls24315.G1Affine negH.Neg(&proof.H) - // [α-a]G₂ - var alphaMinusaG2Jac, genG2Jac, alphaG2Jac bls24315.G2Jac + // [f(α) - f(a) + a*H(α)]G₁ + var totalG1 bls24315.G1Jac var pointBigInt big.Int point.BigInt(&pointBigInt) - genG2Jac.FromAffine(&vk.G2[0]) - alphaG2Jac.FromAffine(&vk.G2[1]) - alphaMinusaG2Jac.ScalarMultiplication(&genG2Jac, &pointBigInt). - Neg(&alphaMinusaG2Jac). - AddAssign(&alphaG2Jac) + totalG1.ScalarMultiplicationAffine(&proof.H, &pointBigInt) + totalG1.AddAssign(&fminusfaG1Jac) + var totalG1Aff bls24315.G1Affine + totalG1Aff.FromJacobian(&totalG1) - // [α-a]G₂ - var xminusaG2Aff bls24315.G2Affine - xminusaG2Aff.FromJacobian(&alphaMinusaG2Jac) - - // [f(α) - f(a)]G₁ - var fminusfaG1Aff bls24315.G1Affine - fminusfaG1Aff.FromJacobian(&fminusfaG1Jac) - - // e([f(α) - f(a)]G₁, G₂).e([-H(α)]G₁, [α-a]G₂) ==? 1 + // e([f(α)-f(a)+aH(α)]G₁], G₂).e([-H(α)]G₁, [α]G₂) == 1 check, err := bls24315.PairingCheck( - []bls24315.G1Affine{fminusfaG1Aff, negH}, - []bls24315.G2Affine{vk.G2[0], xminusaG2Aff}, + []bls24315.G1Affine{totalG1Aff, negH}, + []bls24315.G2Affine{vk.G2[0], vk.G2[1]}, ) if err != nil { return err diff --git a/ecc/bls24-317/fr/kzg/kzg.go b/ecc/bls24-317/fr/kzg/kzg.go index cf29d8c780..f136128bab 100644 --- a/ecc/bls24-317/fr/kzg/kzg.go +++ b/ecc/bls24-317/fr/kzg/kzg.go @@ -195,28 +195,19 @@ func Verify(commitment *Digest, proof *OpeningProof, point fr.Element, vk Verify var negH bls24317.G1Affine negH.Neg(&proof.H) - // [α-a]G₂ - var alphaMinusaG2Jac, genG2Jac, alphaG2Jac bls24317.G2Jac + // [f(α) - f(a) + a*H(α)]G₁ + var totalG1 bls24317.G1Jac var pointBigInt big.Int point.BigInt(&pointBigInt) - genG2Jac.FromAffine(&vk.G2[0]) - alphaG2Jac.FromAffine(&vk.G2[1]) - alphaMinusaG2Jac.ScalarMultiplication(&genG2Jac, &pointBigInt). - Neg(&alphaMinusaG2Jac). - AddAssign(&alphaG2Jac) + totalG1.ScalarMultiplicationAffine(&proof.H, &pointBigInt) + totalG1.AddAssign(&fminusfaG1Jac) + var totalG1Aff bls24317.G1Affine + totalG1Aff.FromJacobian(&totalG1) - // [α-a]G₂ - var xminusaG2Aff bls24317.G2Affine - xminusaG2Aff.FromJacobian(&alphaMinusaG2Jac) - - // [f(α) - f(a)]G₁ - var fminusfaG1Aff bls24317.G1Affine - fminusfaG1Aff.FromJacobian(&fminusfaG1Jac) - - // e([f(α) - f(a)]G₁, G₂).e([-H(α)]G₁, [α-a]G₂) ==? 1 + // e([f(α)-f(a)+aH(α)]G₁], G₂).e([-H(α)]G₁, [α]G₂) == 1 check, err := bls24317.PairingCheck( - []bls24317.G1Affine{fminusfaG1Aff, negH}, - []bls24317.G2Affine{vk.G2[0], xminusaG2Aff}, + []bls24317.G1Affine{totalG1Aff, negH}, + []bls24317.G2Affine{vk.G2[0], vk.G2[1]}, ) if err != nil { return err diff --git a/ecc/bn254/fr/kzg/kzg.go b/ecc/bn254/fr/kzg/kzg.go index 5f7811a2d5..b53097d640 100644 --- a/ecc/bn254/fr/kzg/kzg.go +++ b/ecc/bn254/fr/kzg/kzg.go @@ -195,28 +195,19 @@ func Verify(commitment *Digest, proof *OpeningProof, point fr.Element, vk Verify var negH bn254.G1Affine negH.Neg(&proof.H) - // [α-a]G₂ - var alphaMinusaG2Jac, genG2Jac, alphaG2Jac bn254.G2Jac + // [f(α) - f(a) + a*H(α)]G₁ + var totalG1 bn254.G1Jac var pointBigInt big.Int point.BigInt(&pointBigInt) - genG2Jac.FromAffine(&vk.G2[0]) - alphaG2Jac.FromAffine(&vk.G2[1]) - alphaMinusaG2Jac.ScalarMultiplication(&genG2Jac, &pointBigInt). - Neg(&alphaMinusaG2Jac). - AddAssign(&alphaG2Jac) + totalG1.ScalarMultiplicationAffine(&proof.H, &pointBigInt) + totalG1.AddAssign(&fminusfaG1Jac) + var totalG1Aff bn254.G1Affine + totalG1Aff.FromJacobian(&totalG1) - // [α-a]G₂ - var xminusaG2Aff bn254.G2Affine - xminusaG2Aff.FromJacobian(&alphaMinusaG2Jac) - - // [f(α) - f(a)]G₁ - var fminusfaG1Aff bn254.G1Affine - fminusfaG1Aff.FromJacobian(&fminusfaG1Jac) - - // e([f(α) - f(a)]G₁, G₂).e([-H(α)]G₁, [α-a]G₂) ==? 1 + // e([f(α)-f(a)+aH(α)]G₁], G₂).e([-H(α)]G₁, [α]G₂) == 1 check, err := bn254.PairingCheck( - []bn254.G1Affine{fminusfaG1Aff, negH}, - []bn254.G2Affine{vk.G2[0], xminusaG2Aff}, + []bn254.G1Affine{totalG1Aff, negH}, + []bn254.G2Affine{vk.G2[0], vk.G2[1]}, ) if err != nil { return err diff --git a/ecc/bw6-633/fr/kzg/kzg.go b/ecc/bw6-633/fr/kzg/kzg.go index 7973d03e40..461b4be1c6 100644 --- a/ecc/bw6-633/fr/kzg/kzg.go +++ b/ecc/bw6-633/fr/kzg/kzg.go @@ -195,28 +195,19 @@ func Verify(commitment *Digest, proof *OpeningProof, point fr.Element, vk Verify var negH bw6633.G1Affine negH.Neg(&proof.H) - // [α-a]G₂ - var alphaMinusaG2Jac, genG2Jac, alphaG2Jac bw6633.G2Jac + // [f(α) - f(a) + a*H(α)]G₁ + var totalG1 bw6633.G1Jac var pointBigInt big.Int point.BigInt(&pointBigInt) - genG2Jac.FromAffine(&vk.G2[0]) - alphaG2Jac.FromAffine(&vk.G2[1]) - alphaMinusaG2Jac.ScalarMultiplication(&genG2Jac, &pointBigInt). - Neg(&alphaMinusaG2Jac). - AddAssign(&alphaG2Jac) + totalG1.ScalarMultiplicationAffine(&proof.H, &pointBigInt) + totalG1.AddAssign(&fminusfaG1Jac) + var totalG1Aff bw6633.G1Affine + totalG1Aff.FromJacobian(&totalG1) - // [α-a]G₂ - var xminusaG2Aff bw6633.G2Affine - xminusaG2Aff.FromJacobian(&alphaMinusaG2Jac) - - // [f(α) - f(a)]G₁ - var fminusfaG1Aff bw6633.G1Affine - fminusfaG1Aff.FromJacobian(&fminusfaG1Jac) - - // e([f(α) - f(a)]G₁, G₂).e([-H(α)]G₁, [α-a]G₂) ==? 1 + // e([f(α)-f(a)+aH(α)]G₁], G₂).e([-H(α)]G₁, [α]G₂) == 1 check, err := bw6633.PairingCheck( - []bw6633.G1Affine{fminusfaG1Aff, negH}, - []bw6633.G2Affine{vk.G2[0], xminusaG2Aff}, + []bw6633.G1Affine{totalG1Aff, negH}, + []bw6633.G2Affine{vk.G2[0], vk.G2[1]}, ) if err != nil { return err diff --git a/ecc/bw6-756/fr/kzg/kzg.go b/ecc/bw6-756/fr/kzg/kzg.go index 53d5e142f8..fd7f724473 100644 --- a/ecc/bw6-756/fr/kzg/kzg.go +++ b/ecc/bw6-756/fr/kzg/kzg.go @@ -195,28 +195,19 @@ func Verify(commitment *Digest, proof *OpeningProof, point fr.Element, vk Verify var negH bw6756.G1Affine negH.Neg(&proof.H) - // [α-a]G₂ - var alphaMinusaG2Jac, genG2Jac, alphaG2Jac bw6756.G2Jac + // [f(α) - f(a) + a*H(α)]G₁ + var totalG1 bw6756.G1Jac var pointBigInt big.Int point.BigInt(&pointBigInt) - genG2Jac.FromAffine(&vk.G2[0]) - alphaG2Jac.FromAffine(&vk.G2[1]) - alphaMinusaG2Jac.ScalarMultiplication(&genG2Jac, &pointBigInt). - Neg(&alphaMinusaG2Jac). - AddAssign(&alphaG2Jac) + totalG1.ScalarMultiplicationAffine(&proof.H, &pointBigInt) + totalG1.AddAssign(&fminusfaG1Jac) + var totalG1Aff bw6756.G1Affine + totalG1Aff.FromJacobian(&totalG1) - // [α-a]G₂ - var xminusaG2Aff bw6756.G2Affine - xminusaG2Aff.FromJacobian(&alphaMinusaG2Jac) - - // [f(α) - f(a)]G₁ - var fminusfaG1Aff bw6756.G1Affine - fminusfaG1Aff.FromJacobian(&fminusfaG1Jac) - - // e([f(α) - f(a)]G₁, G₂).e([-H(α)]G₁, [α-a]G₂) ==? 1 + // e([f(α)-f(a)+aH(α)]G₁], G₂).e([-H(α)]G₁, [α]G₂) == 1 check, err := bw6756.PairingCheck( - []bw6756.G1Affine{fminusfaG1Aff, negH}, - []bw6756.G2Affine{vk.G2[0], xminusaG2Aff}, + []bw6756.G1Affine{totalG1Aff, negH}, + []bw6756.G2Affine{vk.G2[0], vk.G2[1]}, ) if err != nil { return err diff --git a/ecc/bw6-761/fr/kzg/kzg.go b/ecc/bw6-761/fr/kzg/kzg.go index 7307212e86..d90d4c7f37 100644 --- a/ecc/bw6-761/fr/kzg/kzg.go +++ b/ecc/bw6-761/fr/kzg/kzg.go @@ -195,28 +195,19 @@ func Verify(commitment *Digest, proof *OpeningProof, point fr.Element, vk Verify var negH bw6761.G1Affine negH.Neg(&proof.H) - // [α-a]G₂ - var alphaMinusaG2Jac, genG2Jac, alphaG2Jac bw6761.G2Jac + // [f(α) - f(a) + a*H(α)]G₁ + var totalG1 bw6761.G1Jac var pointBigInt big.Int point.BigInt(&pointBigInt) - genG2Jac.FromAffine(&vk.G2[0]) - alphaG2Jac.FromAffine(&vk.G2[1]) - alphaMinusaG2Jac.ScalarMultiplication(&genG2Jac, &pointBigInt). - Neg(&alphaMinusaG2Jac). - AddAssign(&alphaG2Jac) + totalG1.ScalarMultiplicationAffine(&proof.H, &pointBigInt) + totalG1.AddAssign(&fminusfaG1Jac) + var totalG1Aff bw6761.G1Affine + totalG1Aff.FromJacobian(&totalG1) - // [α-a]G₂ - var xminusaG2Aff bw6761.G2Affine - xminusaG2Aff.FromJacobian(&alphaMinusaG2Jac) - - // [f(α) - f(a)]G₁ - var fminusfaG1Aff bw6761.G1Affine - fminusfaG1Aff.FromJacobian(&fminusfaG1Jac) - - // e([f(α) - f(a)]G₁, G₂).e([-H(α)]G₁, [α-a]G₂) ==? 1 + // e([f(α)-f(a)+aH(α)]G₁], G₂).e([-H(α)]G₁, [α]G₂) == 1 check, err := bw6761.PairingCheck( - []bw6761.G1Affine{fminusfaG1Aff, negH}, - []bw6761.G2Affine{vk.G2[0], xminusaG2Aff}, + []bw6761.G1Affine{totalG1Aff, negH}, + []bw6761.G2Affine{vk.G2[0], vk.G2[1]}, ) if err != nil { return err diff --git a/internal/generator/kzg/template/kzg.go.tmpl b/internal/generator/kzg/template/kzg.go.tmpl index b967a26d81..d5918e535f 100644 --- a/internal/generator/kzg/template/kzg.go.tmpl +++ b/internal/generator/kzg/template/kzg.go.tmpl @@ -177,28 +177,20 @@ func Verify(commitment *Digest, proof *OpeningProof, point fr.Element, vk Verify var negH {{ .CurvePackage }}.G1Affine negH.Neg(&proof.H) - // [α-a]G₂ - var alphaMinusaG2Jac, genG2Jac, alphaG2Jac {{ .CurvePackage }}.G2Jac + // [f(α) - f(a) + a*H(α)]G₁ + var totalG1 {{ .CurvePackage }}.G1Jac var pointBigInt big.Int point.BigInt(&pointBigInt) - genG2Jac.FromAffine(&vk.G2[0]) - alphaG2Jac.FromAffine(&vk.G2[1]) - alphaMinusaG2Jac.ScalarMultiplication(&genG2Jac, &pointBigInt). - Neg(&alphaMinusaG2Jac). - AddAssign(&alphaG2Jac) + totalG1.ScalarMultiplicationAffine(&proof.H, &pointBigInt) + totalG1.AddAssign(&fminusfaG1Jac) + var totalG1Aff {{ .CurvePackage }}.G1Affine + totalG1Aff.FromJacobian(&totalG1) - // [α-a]G₂ - var xminusaG2Aff {{ .CurvePackage }}.G2Affine - xminusaG2Aff.FromJacobian(&alphaMinusaG2Jac) - // [f(α) - f(a)]G₁ - var fminusfaG1Aff {{ .CurvePackage }}.G1Affine - fminusfaG1Aff.FromJacobian(&fminusfaG1Jac) - - // e([f(α) - f(a)]G₁, G₂).e([-H(α)]G₁, [α-a]G₂) ==? 1 + // e([f(α)-f(a)+aH(α)]G₁], G₂).e([-H(α)]G₁, [α]G₂) == 1 check, err := {{ .CurvePackage }}.PairingCheck( - []{{ .CurvePackage }}.G1Affine{fminusfaG1Aff, negH}, - []{{ .CurvePackage }}.G2Affine{vk.G2[0], xminusaG2Aff}, + []{{ .CurvePackage }}.G1Affine{totalG1Aff, negH}, + []{{ .CurvePackage }}.G2Affine{vk.G2[0], vk.G2[1]}, ) if err != nil { return err