Enabling GLV for Bandersnatch

[zhenfeizhang]

Description

closes: #XXXX

---

Before we can merge this PR, please make sure that all the following items have been
checked off. If any of the checklist items are not applicable, please leave them but
write a little note why.

• Targeted PR against correct branch (master)
• Linked to Github issue with discussion and accepted design OR have an explanation in the PR that describes this work.
• Wrote unit tests
• Updated relevant documentation in the code
• Added a relevant changelog entry to the Pending section in CHANGELOG.md
• Re-reviewed Files changed in the Github PR explorer

This PR enables the GLV algorithm for bandersnatch curve. It improves group operations from 75 us to around 40 us on an AMD 5900x.

Additional todos:

• update the dependencies once Add GLVParameters trait definition algebra#301 is approved and merged
• currently GLV is not the default multiplication algorithm. Make it into the default algorithm (need help: I need a pointer to the code where I can overwrite the multiplicand)
• impl R1CS for GLV this is a future work, and will not be included in this PR
  • here is an implementation of GLV circuit https://github.com/zhenfeizhang/bandersnatch/blob/main/bandersnatch/src/constraints/glv.rs
  • will create another PR to for those code once this PR is merged

[zhenfeizhang]

thanks for merging arkworks-rs/algebra#301
turns out that the repo still cannot compile due to dependencies hell.
Now that bandersnatch with GLV is depending on a newer version of ark-ec (GitHub version) than the rest of repos in this workspace (version 0.3.0).

One solution is to fix dependency to Github for every repo in this workspace. This is ugly.
The other solution is to bump up ark-ec to 0.3.1 on crates.io, and update the rest of the dependencies accordingly.

[weikengchen]

Let me try to find a way.

The common solution I use is to point this new repo to, not the crates.io version, but the GitHub version, so we can examine the PR and likely merge it.

Then, during the next version release (we will improve this part), it would be adjusted accordingly.

[weikengchen]

(And although I would be very happy for Translucence to use the arkworks-rs main branch, during this time we are still making adjustment and having the engineers onboard, I have to say that maybe you would be interested in a fork of arkworks...)

[zhenfeizhang]

Let me try to find a way.

The common solution I use is to point this new repo to, not the crates.io version, but the GitHub version, so we can examine the PR and likely merge it.

Then, during the next version release (we will improve this part), it would be adjusted accordingly.

That sounds good to me. I can push a change for this

[weikengchen]

Let me add a quick clarification: by "pointing to", I mean "patches".

[zhenfeizhang]

hmmm... turns out this is not easy. A curve repo depends on ark-r1cs-std which is external and depends on a different version of ark-ec.

an alternative temp solution is to copy the GLVParameter trait from https://github.com/arkworks-rs/algebra/pull/301/files to ed_on_bls12_381_bandersnatch for review purpose, so that ed_on_bls12_381_bandersnatch can depend on current ark-ec 0.3.0. And have the real fix during next release.

WDYT?

(This is none-work related, so it is definitely not a high priority anyway)

[Pratyush]

I believe if you use the patch directive (like what is in master), then you can avoid the dependency mismatch

[zhenfeizhang]

I believe if you use the patch directive (like what is in master), then you can avoid the dependency mismatch

Thanks! Yes this solved the issue, and CI is passing :-)

One more question:

currently GLV is not the default multiplication algorithm. Make it into the default algorithm (need help: I need a pointer to the code where I can overwrite the multiplicand)

Where should I change the code for this? Or should we leave as it is (i.e., the default multiplication use non-GLV, the caller need to specify GLV to get the speed improvement)

[zhenfeizhang]

Also FYI: this branch has rebased based on #76 for consistency

[Pratyush]

currently GLV is not the default multiplication algorithm. Make it into the default algorithm (need help: I need a pointer to the code where I can overwrite the multiplicand)

Where should I change the code for this? Or should we leave as it is (i.e., the default multiplication use non-GLV, the caller need to specify GLV to get the speed improvement)

I think the right approach for this is to enable overriding scalar_mul via ModelParameters, like in https://github.com/arkworks-rs/algebra/blob/6e568cdaf154806365823d48d547b3864412a516/ec/src/models/mod.rs#L41

[zhenfeizhang]

currently GLV is not the default multiplication algorithm. Make it into the default algorithm (need help: I need a pointer to the code where I can overwrite the multiplicand)

Where should I change the code for this? Or should we leave as it is (i.e., the default multiplication use non-GLV, the caller need to specify GLV to get the speed improvement)

I think the right approach for this is to enable overriding scalar_mul via ModelParameters, like in https://github.com/arkworks-rs/algebra/blob/6e568cdaf154806365823d48d547b3864412a516/ec/src/models/mod.rs#L41

Not sure about it.
mul is defined in ark_ec::short_weierstrass_jacobian::AffineCurve for ark_ec::twisted_edwards_extended::GroupAffine. Both are foreign to this crate. I don't think we can overload it.

I can think of two solutions:

1. either caller will have to manually call glv_mul
2. or write glv_mul in generic for ark_ec, similar to AffineCurve crate

WDYT?

[Pratyush]

Ah I meant do as follows. In ark-ec, change ModelParameters to have a (defaulted) impl of mul. Then, change AffineCurve::mul to invoke this method. Finally, in bandersnatch::ModelParameters, use the glv_mul method to implement ModelParameters::mul.

[Pratyush]

@zhenfeizhang any updates on this?

[weikengchen]

We might be able to push the updated code from Espresso's Jellyfish. It is under the MIT license.

[Pratyush]

Sounds good, whatever's convenient.

[zhenfeizhang]

Ah I meant do as follows. In ark-ec, change ModelParameters to have a (defaulted) impl of mul. Then, change AffineCurve::mul to invoke this method. Finally, in bandersnatch::ModelParameters, use the glv_mul method to implement ModelParameters::mul.

Ok. I implemented the suggested solution.

The current PR is blocked by arkworks-rs/algebra#396
We will need that to be merged for this PR to pass CI.
Will review this PR again for correctness once arkworks-rs/algebra#396 is merged.

[zhenfeizhang]

We might be able to push the updated code from Espresso's Jellyfish. It is under the MIT license.

Jellyfish does not really have those code as it does not use R1CS. The code are here
https://github.com/zhenfeizhang/bandersnatch/blob/main/bandersnatch/src/constraints/glv.rs
which is also under MIT.

I will create a separate PR to for glv constraints

[ivokub]

Jellyfish does not really have those code as it does not use R1CS. The code are here https://github.com/zhenfeizhang/bandersnatch/blob/main/bandersnatch/src/constraints/glv.rs which is also under MIT.

I will create a separate PR to for glv constraints

I'll reply here before PR for the Bandersnatch gadget is created.
The value of t in the circuit is not range checked - this would allow t * r1 and t * r2 to overflow Fq (comments on lines 219-220). Shouldn't t also be range constrained?

[zhenfeizhang]

Jellyfish does not really have those code as it does not use R1CS. The code are here https://github.com/zhenfeizhang/bandersnatch/blob/main/bandersnatch/src/constraints/glv.rs which is also under MIT.
I will create a separate PR to for glv constraints

I'll reply here before PR for the Bandersnatch gadget is created. The value of t in the circuit is not range checked - this would allow t * r1 and t * r2 to overflow Fq (comments on lines 219-220). Shouldn't t also be range constrained?

Not sure that is necessary.

We are proving over ZZ the following eq:

(0) lambda * k2_sign * k2 + s = t * Fr::modulus + k1

regardless the size of t.
Here lambda is public, and ~256 bits; k1 and k2 are both range checked.
Then, if there is a t that satisfies this equation, it must be of ~128 bits

Suppose that both t*r1 and t*r2 wrapped around with some parameters alpha and beta. That is, we obtain, over ZZ the following

(f') tmp1 + 2^128 tmp2 =  lambda_1 * k2_sign * k2 + s - t' * r1 - k1 + alpha * r  // note that tmp1 = 0
(g') tmp2 + lambda_2 * k2_sign * k2   = t' * r2 + beta * r

which is

2^128( t' * r2 + beta * r -  lambda_2 * k2_sign * k2) 
    = lambda_1 * k2_sign * k2 + s - t' * r1 - k1 + alpha * r  

That is

(2^128 * r2 + r1) * t' + k1 -  (2^128 * lambda_2 + lambda_1)  * k2_sign * k2  + (2^128 beta -alpha) r = 0

which is

t' * Fr::modulus + k1 + (2^128 beta -alpha) r  = lambda * k2_sign * k2 + s 

That means t' + 2^128 beta -alpha = t and (0) remains correct.

[Pratyush]

Suggested change

	///

[Pratyush]

could you provide a better name for this? What does this method do?

[Pratyush]

@zhenfeizhang is there a way to derive the GLV parameters at compile-time in Rust itself?

[zhenfeizhang]

Had to close this one because the target branch (master at my forked branch) is changed.
Recreated PR here: #102