Skip to content

Commit 986081a

Browse files
yelhousniyelhousni
authored
Merge pull request #1016 from Consensys/perf/g16-circuit
perf: groth16 verifier circuit uses precomputed lines for all curves
2 parents 4140432 + a133990 commit 986081a

File tree

1 file changed

+113
-81
lines changed

1 file changed

+113
-81
lines changed

std/recursion/groth16/verifier.go

Lines changed: 113 additions & 81 deletions
Original file line numberDiff line numberDiff line change
@@ -118,6 +118,38 @@ func PlaceholderVerifyingKeyFixed[G1El algebra.G1ElementT, G2El algebra.G2Elemen
118118
},
119119
}
120120
switch s := any(&vk).(type) {
121+
case *VerifyingKey[sw_bn254.G1Affine, sw_bn254.G2Affine, sw_bn254.GTEl]:
122+
s.G2 = struct {
123+
GammaNeg sw_bn254.G2Affine
124+
DeltaNeg sw_bn254.G2Affine
125+
}{
126+
GammaNeg: sw_bn254.NewG2AffineFixedPlaceholder(),
127+
DeltaNeg: sw_bn254.NewG2AffineFixedPlaceholder(),
128+
}
129+
case *VerifyingKey[sw_bls12377.G1Affine, sw_bls12377.G2Affine, sw_bls12377.GT]:
130+
s.G2 = struct {
131+
GammaNeg sw_bls12377.G2Affine
132+
DeltaNeg sw_bls12377.G2Affine
133+
}{
134+
GammaNeg: sw_bls12377.NewG2AffineFixedPlaceholder(),
135+
DeltaNeg: sw_bls12377.NewG2AffineFixedPlaceholder(),
136+
}
137+
case *VerifyingKey[sw_bls12381.G1Affine, sw_bls12381.G2Affine, sw_bls12381.GTEl]:
138+
s.G2 = struct {
139+
GammaNeg sw_bls12381.G2Affine
140+
DeltaNeg sw_bls12381.G2Affine
141+
}{
142+
GammaNeg: sw_bls12381.NewG2AffineFixedPlaceholder(),
143+
DeltaNeg: sw_bls12381.NewG2AffineFixedPlaceholder(),
144+
}
145+
case *VerifyingKey[sw_bls24315.G1Affine, sw_bls24315.G2Affine, sw_bls24315.GT]:
146+
s.G2 = struct {
147+
GammaNeg sw_bls24315.G2Affine
148+
DeltaNeg sw_bls24315.G2Affine
149+
}{
150+
GammaNeg: sw_bls24315.NewG2AffineFixedPlaceholder(),
151+
DeltaNeg: sw_bls24315.NewG2AffineFixedPlaceholder(),
152+
}
121153
case *VerifyingKey[sw_bw6761.G1Affine, sw_bw6761.G2Affine, sw_bw6761.GTEl]:
122154
s.G2 = struct {
123155
GammaNeg sw_bw6761.G2Affine
@@ -127,7 +159,7 @@ func PlaceholderVerifyingKeyFixed[G1El algebra.G1ElementT, G2El algebra.G2Elemen
127159
DeltaNeg: sw_bw6761.NewG2AffineFixedPlaceholder(),
128160
}
129161
default:
130-
panic("precomputation not supported")
162+
panic("not supported")
131163
}
132164
return vk
133165
}
@@ -250,86 +282,86 @@ func ValueOfVerifyingKey[G1El algebra.G1ElementT, G2El algebra.G2ElementT, GtEl
250282
func ValueOfVerifyingKeyFixed[G1El algebra.G1ElementT, G2El algebra.G2ElementT, GtEl algebra.GtElementT](vk groth16.VerifyingKey) (VerifyingKey[G1El, G2El, GtEl], error) {
251283
var ret VerifyingKey[G1El, G2El, GtEl]
252284
switch s := any(&ret).(type) {
253-
// case *VerifyingKey[sw_bn254.G1Affine, sw_bn254.G2Affine, sw_bn254.GTEl]:
254-
// tVk, ok := vk.(*groth16backend_bn254.VerifyingKey)
255-
// if !ok {
256-
// return ret, fmt.Errorf("expected bn254.VerifyingKey, got %T", vk)
257-
// }
258-
// // compute E
259-
// e, err := bn254.Pair([]bn254.G1Affine{tVk.G1.Alpha}, []bn254.G2Affine{tVk.G2.Beta})
260-
// if err != nil {
261-
// return ret, fmt.Errorf("precompute pairing: %w", err)
262-
// }
263-
// s.E = sw_bn254.NewGTEl(e)
264-
// s.G1.K = make([]sw_bn254.G1Affine, len(tVk.G1.K))
265-
// for i := range s.G1.K {
266-
// s.G1.K[i] = sw_bn254.NewG1Affine(tVk.G1.K[i])
267-
// }
268-
// var deltaNeg, gammaNeg bn254.G2Affine
269-
// deltaNeg.Neg(&tVk.G2.Delta)
270-
// gammaNeg.Neg(&tVk.G2.Gamma)
271-
// s.G2.DeltaNeg = sw_bn254.NewG2Affine(deltaNeg)
272-
// s.G2.GammaNeg = sw_bn254.NewG2Affine(gammaNeg)
273-
// case *VerifyingKey[sw_bls12377.G1Affine, sw_bls12377.G2Affine, sw_bls12377.GT]:
274-
// tVk, ok := vk.(*groth16backend_bls12377.VerifyingKey)
275-
// if !ok {
276-
// return ret, fmt.Errorf("expected bn254.VerifyingKey, got %T", vk)
277-
// }
278-
// // compute E
279-
// e, err := bls12377.Pair([]bls12377.G1Affine{tVk.G1.Alpha}, []bls12377.G2Affine{tVk.G2.Beta})
280-
// if err != nil {
281-
// return ret, fmt.Errorf("precompute pairing: %w", err)
282-
// }
283-
// s.E = sw_bls12377.NewGTEl(e)
284-
// s.G1.K = make([]sw_bls12377.G1Affine, len(tVk.G1.K))
285-
// for i := range s.G1.K {
286-
// s.G1.K[i] = sw_bls12377.NewG1Affine(tVk.G1.K[i])
287-
// }
288-
// var deltaNeg, gammaNeg bls12377.G2Affine
289-
// deltaNeg.Neg(&tVk.G2.Delta)
290-
// gammaNeg.Neg(&tVk.G2.Gamma)
291-
// s.G2.DeltaNeg = sw_bls12377.NewG2Affine(deltaNeg)
292-
// s.G2.GammaNeg = sw_bls12377.NewG2Affine(gammaNeg)
293-
// case *VerifyingKey[sw_bls12381.G1Affine, sw_bls12381.G2Affine, sw_bls12381.GTEl]:
294-
// tVk, ok := vk.(*groth16backend_bls12381.VerifyingKey)
295-
// if !ok {
296-
// return ret, fmt.Errorf("expected bls12381.VerifyingKey, got %T", vk)
297-
// }
298-
// // compute E
299-
// e, err := bls12381.Pair([]bls12381.G1Affine{tVk.G1.Alpha}, []bls12381.G2Affine{tVk.G2.Beta})
300-
// if err != nil {
301-
// return ret, fmt.Errorf("precompute pairing: %w", err)
302-
// }
303-
// s.E = sw_bls12381.NewGTEl(e)
304-
// s.G1.K = make([]sw_bls12381.G1Affine, len(tVk.G1.K))
305-
// for i := range s.G1.K {
306-
// s.G1.K[i] = sw_bls12381.NewG1Affine(tVk.G1.K[i])
307-
// }
308-
// var deltaNeg, gammaNeg bls12381.G2Affine
309-
// deltaNeg.Neg(&tVk.G2.Delta)
310-
// gammaNeg.Neg(&tVk.G2.Gamma)
311-
// s.G2.DeltaNeg = sw_bls12381.NewG2Affine(deltaNeg)
312-
// s.G2.GammaNeg = sw_bls12381.NewG2Affine(gammaNeg)
313-
// case *VerifyingKey[sw_bls24315.G1Affine, sw_bls24315.G2Affine, sw_bls24315.GT]:
314-
// tVk, ok := vk.(*groth16backend_bls24315.VerifyingKey)
315-
// if !ok {
316-
// return ret, fmt.Errorf("expected bls12381.VerifyingKey, got %T", vk)
317-
// }
318-
// // compute E
319-
// e, err := bls24315.Pair([]bls24315.G1Affine{tVk.G1.Alpha}, []bls24315.G2Affine{tVk.G2.Beta})
320-
// if err != nil {
321-
// return ret, fmt.Errorf("precompute pairing: %w", err)
322-
// }
323-
// s.E = sw_bls24315.NewGTEl(e)
324-
// s.G1.K = make([]sw_bls24315.G1Affine, len(tVk.G1.K))
325-
// for i := range s.G1.K {
326-
// s.G1.K[i] = sw_bls24315.NewG1Affine(tVk.G1.K[i])
327-
// }
328-
// var deltaNeg, gammaNeg bls24315.G2Affine
329-
// deltaNeg.Neg(&tVk.G2.Delta)
330-
// gammaNeg.Neg(&tVk.G2.Gamma)
331-
// s.G2.DeltaNeg = sw_bls24315.NewG2Affine(deltaNeg)
332-
// s.G2.GammaNeg = sw_bls24315.NewG2Affine(gammaNeg)
285+
case *VerifyingKey[sw_bn254.G1Affine, sw_bn254.G2Affine, sw_bn254.GTEl]:
286+
tVk, ok := vk.(*groth16backend_bn254.VerifyingKey)
287+
if !ok {
288+
return ret, fmt.Errorf("expected bn254.VerifyingKey, got %T", vk)
289+
}
290+
// compute E
291+
e, err := bn254.Pair([]bn254.G1Affine{tVk.G1.Alpha}, []bn254.G2Affine{tVk.G2.Beta})
292+
if err != nil {
293+
return ret, fmt.Errorf("precompute pairing: %w", err)
294+
}
295+
s.E = sw_bn254.NewGTEl(e)
296+
s.G1.K = make([]sw_bn254.G1Affine, len(tVk.G1.K))
297+
for i := range s.G1.K {
298+
s.G1.K[i] = sw_bn254.NewG1Affine(tVk.G1.K[i])
299+
}
300+
var deltaNeg, gammaNeg bn254.G2Affine
301+
deltaNeg.Neg(&tVk.G2.Delta)
302+
gammaNeg.Neg(&tVk.G2.Gamma)
303+
s.G2.DeltaNeg = sw_bn254.NewG2AffineFixed(deltaNeg)
304+
s.G2.GammaNeg = sw_bn254.NewG2AffineFixed(gammaNeg)
305+
case *VerifyingKey[sw_bls12377.G1Affine, sw_bls12377.G2Affine, sw_bls12377.GT]:
306+
tVk, ok := vk.(*groth16backend_bls12377.VerifyingKey)
307+
if !ok {
308+
return ret, fmt.Errorf("expected bn254.VerifyingKey, got %T", vk)
309+
}
310+
// compute E
311+
e, err := bls12377.Pair([]bls12377.G1Affine{tVk.G1.Alpha}, []bls12377.G2Affine{tVk.G2.Beta})
312+
if err != nil {
313+
return ret, fmt.Errorf("precompute pairing: %w", err)
314+
}
315+
s.E = sw_bls12377.NewGTEl(e)
316+
s.G1.K = make([]sw_bls12377.G1Affine, len(tVk.G1.K))
317+
for i := range s.G1.K {
318+
s.G1.K[i] = sw_bls12377.NewG1Affine(tVk.G1.K[i])
319+
}
320+
var deltaNeg, gammaNeg bls12377.G2Affine
321+
deltaNeg.Neg(&tVk.G2.Delta)
322+
gammaNeg.Neg(&tVk.G2.Gamma)
323+
s.G2.DeltaNeg = sw_bls12377.NewG2AffineFixed(deltaNeg)
324+
s.G2.GammaNeg = sw_bls12377.NewG2AffineFixed(gammaNeg)
325+
case *VerifyingKey[sw_bls12381.G1Affine, sw_bls12381.G2Affine, sw_bls12381.GTEl]:
326+
tVk, ok := vk.(*groth16backend_bls12381.VerifyingKey)
327+
if !ok {
328+
return ret, fmt.Errorf("expected bls12381.VerifyingKey, got %T", vk)
329+
}
330+
// compute E
331+
e, err := bls12381.Pair([]bls12381.G1Affine{tVk.G1.Alpha}, []bls12381.G2Affine{tVk.G2.Beta})
332+
if err != nil {
333+
return ret, fmt.Errorf("precompute pairing: %w", err)
334+
}
335+
s.E = sw_bls12381.NewGTEl(e)
336+
s.G1.K = make([]sw_bls12381.G1Affine, len(tVk.G1.K))
337+
for i := range s.G1.K {
338+
s.G1.K[i] = sw_bls12381.NewG1Affine(tVk.G1.K[i])
339+
}
340+
var deltaNeg, gammaNeg bls12381.G2Affine
341+
deltaNeg.Neg(&tVk.G2.Delta)
342+
gammaNeg.Neg(&tVk.G2.Gamma)
343+
s.G2.DeltaNeg = sw_bls12381.NewG2AffineFixed(deltaNeg)
344+
s.G2.GammaNeg = sw_bls12381.NewG2AffineFixed(gammaNeg)
345+
case *VerifyingKey[sw_bls24315.G1Affine, sw_bls24315.G2Affine, sw_bls24315.GT]:
346+
tVk, ok := vk.(*groth16backend_bls24315.VerifyingKey)
347+
if !ok {
348+
return ret, fmt.Errorf("expected bls12381.VerifyingKey, got %T", vk)
349+
}
350+
// compute E
351+
e, err := bls24315.Pair([]bls24315.G1Affine{tVk.G1.Alpha}, []bls24315.G2Affine{tVk.G2.Beta})
352+
if err != nil {
353+
return ret, fmt.Errorf("precompute pairing: %w", err)
354+
}
355+
s.E = sw_bls24315.NewGTEl(e)
356+
s.G1.K = make([]sw_bls24315.G1Affine, len(tVk.G1.K))
357+
for i := range s.G1.K {
358+
s.G1.K[i] = sw_bls24315.NewG1Affine(tVk.G1.K[i])
359+
}
360+
var deltaNeg, gammaNeg bls24315.G2Affine
361+
deltaNeg.Neg(&tVk.G2.Delta)
362+
gammaNeg.Neg(&tVk.G2.Gamma)
363+
s.G2.DeltaNeg = sw_bls24315.NewG2AffineFixed(deltaNeg)
364+
s.G2.GammaNeg = sw_bls24315.NewG2AffineFixed(gammaNeg)
333365
case *VerifyingKey[sw_bw6761.G1Affine, sw_bw6761.G2Affine, sw_bw6761.GTEl]:
334366
tVk, ok := vk.(*groth16backend_bw6761.VerifyingKey)
335367
if !ok {

0 commit comments

Comments
 (0)