From 3750b262af14ec00edced670d1fbc3d79dfb6b11 Mon Sep 17 00:00:00 2001 From: ledwards2225 <98505400+ledwards2225@users.noreply.github.com> Date: Thu, 8 Feb 2024 12:50:07 -0700 Subject: [PATCH] fix: Convert folding recursive verifier ops to batch mul (#4517) Updates folding recursive verifier to use batch_mul for optimal goblin ec op efficiency. This reduces a single recursive verification from 1144 ECC ops to 264. (Note: 264 = 6*44 where 6 is the number of ecc op gate rows needed for two scalar muls (one for each instance) plus an "equals" op and 44 is the number of witnesses plus precomputed polys, not including shifts) Closes https://github.com/AztecProtocol/barretenberg/issues/849 New benchmark result: ``` ----------------------------------------------------------------- Benchmark Time CPU Iterations ----------------------------------------------------------------- IvcBench/Full/6 54156 ms 51691 ms 1 ``` Old benchmark result: ``` ----------------------------------------------------------------- Benchmark Time CPU Iterations ----------------------------------------------------------------- IvcBench/Full/6 66891 ms 63569 ms 1 ``` --- .../protogalaxy_recursive_verifier.cpp | 27 ++++++++++--------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/barretenberg/cpp/src/barretenberg/stdlib/recursion/honk/verifier/protogalaxy_recursive_verifier.cpp b/barretenberg/cpp/src/barretenberg/stdlib/recursion/honk/verifier/protogalaxy_recursive_verifier.cpp index e0fed9ac6a2..482f078add8 100644 --- a/barretenberg/cpp/src/barretenberg/stdlib/recursion/honk/verifier/protogalaxy_recursive_verifier.cpp +++ b/barretenberg/cpp/src/barretenberg/stdlib/recursion/honk/verifier/protogalaxy_recursive_verifier.cpp @@ -188,8 +188,6 @@ template void ProtoGalaxyRecursiveVerifier_::verify_folding_proof(const HonkProof& proof) { using Transcript = typename Flavor::Transcript; - using ElementNative = typename Flavor::Curve::ElementNative; - using AffineElementNative = typename Flavor::Curve::AffineElementNative; using ScalarNative = typename Flavor::Curve::ScalarFieldNative; transcript = std::make_shared(builder, proof); @@ -244,18 +242,19 @@ void ProtoGalaxyRecursiveVerifier_::verify_folding_proof(cons WitnessCommitments acc_witness_commitments; auto witness_labels = commitment_labels.get_witness(); size_t comm_idx = 0; - auto random_generator = Commitment::from_witness(builder, AffineElementNative(ElementNative::random_element())); for (auto& expected_comm : acc_witness_commitments.get_all()) { - expected_comm = random_generator; + std::vector scalars; + std::vector commitments; size_t inst = 0; for (auto& instance : instances) { - expected_comm = expected_comm + instance->witness_commitments.get_all()[comm_idx] * lagranges[inst]; + scalars.emplace_back(lagranges[inst]); + commitments.emplace_back(instance->witness_commitments.get_all()[comm_idx]); inst++; } + expected_comm = Commitment::batch_mul(commitments, scalars); auto comm = transcript->template receive_from_prover("next_" + witness_labels[comm_idx]); - auto res = expected_comm - comm; - random_generator.x.assert_equal(res.x); - random_generator.y.assert_equal(res.y); + comm.x.assert_equal(expected_comm.x); + comm.y.assert_equal(expected_comm.y); comm_idx++; } @@ -321,15 +320,17 @@ void ProtoGalaxyRecursiveVerifier_::verify_folding_proof(cons size_t vk_idx = 0; for (auto& expected_vk : acc_vk->get_all()) { size_t inst = 0; - expected_vk = random_generator; + std::vector scalars; + std::vector commitments; for (auto& instance : instances) { - expected_vk = expected_vk + instance->verification_key->get_all()[vk_idx] * lagranges[inst]; + scalars.emplace_back(lagranges[inst]); + commitments.emplace_back(instance->verification_key->get_all()[vk_idx]); inst++; } + expected_vk = Commitment::batch_mul(commitments, scalars); auto vk = transcript->template receive_from_prover("next_" + vk_labels[vk_idx]); - auto res = expected_vk - vk; - random_generator.x.assert_equal(res.x); - random_generator.y.assert_equal(res.y); + vk.x.assert_equal(expected_vk.x); + vk.y.assert_equal(expected_vk.y); vk_idx++; } }