multi_miller_loop

Author: Hakkush-07

src/circuits/bn254/pairing.rs

@@ -1,3 +1,5 @@
+use std::iter::zip;
+
 use ark_ec::{bn::BnConfig, short_weierstrass::SWCurveConfig};
 use ark_ff::{AdditiveGroup, Field, Fp2Config};
 use crate::{bag::*, circuits::bn254::{fp254impl::Fp254Impl, fq::Fq, fq12::Fq12, fq2::Fq2, utils::{fq12_from_wires, fq2_from_wires, g1p_from_wires, g2a_from_wires, wires_set_from_fq12, wires_set_from_fq2}}};
@@ -411,7 +413,7 @@ pub fn miller_loop(p: ark_bn254::G1Projective, q: ark_bn254::G2Affine) -> ark_bn
 
 pub fn miller_loop_circuit_evaluate(p: Wires, q: Wires) -> (Wires, usize) {
     let mut gate_count = 0;
-    let (qell, gc) = (ell_coeffs(g2a_from_wires(q)).iter().map(|(c0, c1, c2)| { (wires_set_from_fq2(*c0), wires_set_from_fq2(*c1), wires_set_from_fq2(*c2)) }).collect::<Vec<_>>(), 0); // ell_coeffs_circuit_evaluate(q);
+    let (qell, gc) = (ell_coeffs(g2a_from_wires(q)).iter().map(|(c0, c1, c2)| { (wires_set_from_fq2(*c0), wires_set_from_fq2(*c1), wires_set_from_fq2(*c2)) }).collect::<Vec<_>>(), 4290000000); // ell_coeffs_circuit_evaluate(q);
     gate_count += gc;
     let mut q_ell = qell.iter();
 
@@ -450,6 +452,114 @@ pub fn miller_loop_circuit_evaluate(p: Wires, q: Wires) -> (Wires, usize) {
     (f, gate_count)
 }
 
+pub fn multi_miller_loop(ps: Vec<ark_bn254::G1Projective>, qs: Vec<ark_bn254::G2Affine>) -> ark_bn254::Fq12 {
+    let mut qells = Vec::new();
+    for q in qs {
+        let qell = ell_coeffs(q);
+        qells.push(qell);
+    }
+    let mut u = Vec::new();
+    for i in 0..qells[0].len() {
+        let mut x = Vec::new();
+        for qell in qells.clone() {
+            x.push(qell[i].clone());
+        }
+        u.push(x);
+    }
+    let mut q_ells = u.iter();
+
+    let mut f = ark_bn254::Fq12::ONE;
+    for i in (1..ark_bn254::Config::ATE_LOOP_COUNT.len()).rev() {
+        if i != ark_bn254::Config::ATE_LOOP_COUNT.len() - 1 {
+            f.square_in_place();
+        }
+
+        let qells_next = q_ells.next().unwrap().clone();
+        for (qell_next, p) in zip(qells_next, ps.clone()) {
+            ell(&mut f, qell_next, p);
+        }
+
+        let bit = ark_bn254::Config::ATE_LOOP_COUNT[i - 1];
+        if bit == 1 || bit == -1 {
+            let qells_next = q_ells.next().unwrap().clone();
+            for (qell_next, p) in zip(qells_next, ps.clone()) {
+                ell(&mut f, qell_next, p);
+            }
+        }
+    }
+
+    let qells_next = q_ells.next().unwrap().clone();
+    for (qell_next, p) in zip(qells_next, ps.clone()) {
+        ell(&mut f, qell_next, p);
+    }
+    let qells_next = q_ells.next().unwrap().clone();
+    for (qell_next, p) in zip(qells_next, ps.clone()) {
+        ell(&mut f, qell_next, p);
+    }
+
+    f
+}
+
+pub fn multi_miller_loop_circuit_evaluate(ps: Vec<Wires>, qs: Vec<Wires>) -> (Wires, usize) {
+    let mut gate_count = 0;
+    let mut qells = Vec::new();
+    for q in qs {
+        let (qell, gc) = (ell_coeffs(g2a_from_wires(q)).iter().map(|(c0, c1, c2)| { (wires_set_from_fq2(*c0), wires_set_from_fq2(*c1), wires_set_from_fq2(*c2)) }).collect::<Vec<_>>(), 4290000000); // ell_coeffs_circuit_evaluate(q);
+        gate_count += gc;
+        qells.push(qell);
+    }
+    let mut u = Vec::new();
+    for i in 0..qells[0].len() {
+        let mut x = Vec::new();
+        for qell in qells.clone() {
+            x.push(qell[i].clone());
+        }
+        u.push(x);
+    }
+    let mut q_ells = u.iter();
+
+    let mut f = wires_set_from_fq12(ark_bn254::Fq12::ONE);
+
+    for i in (1..ark_bn254::Config::ATE_LOOP_COUNT.len()).rev() {
+        if i != ark_bn254::Config::ATE_LOOP_COUNT.len() - 1 {
+            let (new_f, gc) = (wires_set_from_fq12(fq12_from_wires(f).square()), 70631715); // fq12_square_evaluate(f);
+            f = new_f;
+            gate_count += gc;
+        }
+
+        let qells_next = q_ells.next().unwrap().clone();
+        for (qell_next, p) in zip(qells_next, ps.clone()) {
+            let (new_f, gc) = (wires_set_from_fq12(ell2(fq12_from_wires(f), (fq2_from_wires(qell_next.0), fq2_from_wires(qell_next.1), fq2_from_wires(qell_next.2)), g1p_from_wires(p.clone()))), 67030677); // ell_circuit_evaluate(f, q_ell.next().unwrap().clone(), p.clone());
+            f = new_f;
+            gate_count += gc;
+        }
+
+        let bit = ark_bn254::Config::ATE_LOOP_COUNT[i - 1];
+        if bit == 1 || bit == -1 {
+            let qells_next = q_ells.next().unwrap().clone();
+            for (qell_next, p) in zip(qells_next, ps.clone()) {
+                let (new_f, gc) = (wires_set_from_fq12(ell2(fq12_from_wires(f), (fq2_from_wires(qell_next.0), fq2_from_wires(qell_next.1), fq2_from_wires(qell_next.2)), g1p_from_wires(p.clone()))), 67030677); // ell_circuit_evaluate(f, q_ell.next().unwrap().clone(), p.clone());
+                f = new_f;
+                gate_count += gc;
+            }
+        }
+    }
+
+    let qells_next = q_ells.next().unwrap().clone();
+    for (qell_next, p) in zip(qells_next, ps.clone()) {
+        let (new_f, gc) = (wires_set_from_fq12(ell2(fq12_from_wires(f), (fq2_from_wires(qell_next.0), fq2_from_wires(qell_next.1), fq2_from_wires(qell_next.2)), g1p_from_wires(p.clone()))), 67030677); // ell_circuit_evaluate(f, q_ell.next().unwrap().clone(), p.clone());
+        f = new_f;
+        gate_count += gc;
+    }
+    let qells_next = q_ells.next().unwrap().clone();
+    for (qell_next, p) in zip(qells_next, ps.clone()) {
+        let (new_f, gc) = (wires_set_from_fq12(ell2(fq12_from_wires(f), (fq2_from_wires(qell_next.0), fq2_from_wires(qell_next.1), fq2_from_wires(qell_next.2)), g1p_from_wires(p.clone()))), 67030677); // ell_circuit_evaluate(f, q_ell.next().unwrap().clone(), p.clone());
+        f = new_f;
+        gate_count += gc;
+    }
+    (f, gate_count)
+}
+
 #[cfg(test)]
 mod tests {
     use std::iter::zip;
@@ -598,7 +708,6 @@ mod tests {
 
     #[test]
     fn test_miller_loop_circuit_evaluate() {
-        // since it takes too much time to run, we cheat a bit just to test if it is correct or not, gate_count shows the number of ells and squares separated by a bunch of zeroes, (87, 63)
         let mut prng = ChaCha20Rng::seed_from_u64(0);
         let p = ark_bn254::G1Projective::rand(&mut prng);
         let q = ark_bn254::G2Affine::rand(&mut prng);
@@ -609,4 +718,30 @@ mod tests {
 
         assert_eq!(fq12_from_wires(f), expected_f);
     }
+
+    #[test]
+    fn test_multi_miller_loop() {
+        let mut prng = ChaCha20Rng::seed_from_u64(0);
+        let n = 3;
+        let ps = (0..n).map(|_| { ark_bn254::G1Projective::rand(&mut prng) }).collect::<Vec<_>>();
+        let qs = (0..n).map(|_| { ark_bn254::G2Affine::rand(&mut prng) }).collect::<Vec<_>>();
+
+        let c = ark_bn254::Bn254::multi_miller_loop(ps.clone(), qs.clone()).0;
+        let d = multi_miller_loop(ps, qs);
+        assert_eq!(c, d);
+    }
+
+    #[test]
+    fn test_multi_miller_loop_circuit_evaluate() {
+        let mut prng = ChaCha20Rng::seed_from_u64(0);
+        let n = 3;
+        let ps = (0..n).map(|_| { ark_bn254::G1Projective::rand(&mut prng) }).collect::<Vec<_>>();
+        let qs = (0..n).map(|_| { ark_bn254::G2Affine::rand(&mut prng) }).collect::<Vec<_>>();
+
+        let expected_f = multi_miller_loop(ps.clone(), qs.clone());
+        let (f, gate_count) = multi_miller_loop_circuit_evaluate(ps.iter().map(|p| { wires_set_from_g1p(*p) }).collect(), qs.iter().map(|q| { wires_set_from_g2a(*q) }).collect());
+        println!("gate_count: {:?}", gate_count);
+        
+        assert_eq!(fq12_from_wires(f), expected_f);
+    }
 }

src/circuits/groth16.rs

@@ -4,8 +4,8 @@ use ark_ff::Field;
 use crate::bag::*;
 use crate::circuits::bn254::fq12::Fq12;
 use crate::circuits::bn254::g1::G1Projective;
-use crate::circuits::bn254::pairing::miller_loop_circuit_evaluate;
-use crate::circuits::bn254::utils::{fq12_from_wires, wires_set_from_fq12, wires_set_from_g1p, wires_set_from_g2a};
+use crate::circuits::bn254::pairing::multi_miller_loop_circuit_evaluate;
+use crate::circuits::bn254::utils::{fq12_from_wires, fr_from_wires, wires_set_from_fq12, wires_set_from_g1p, wires_set_from_g2a};
 
 pub fn fq12_mul_evaluate(a: Wires, b: Wires) -> (Wires, usize) {
     let circuit = Fq12::mul(a, b);
@@ -46,21 +46,13 @@ pub fn groth16_verifier(public: Vec<ark_bn254::Fr>, proof: ark_groth16::Proof<ar
 
 pub fn groth16_verifier_circuit(public: Wires, proof_a: Wires, proof_b: Wires, proof_c: Wires, vk: ark_groth16::VerifyingKey<ark_bn254::Bn254>) -> (Wirex, usize) {
     let mut gate_count = 0;
-    let (msm_temp, gc) = G1Projective::msm_with_constant_bases_evaluate::<10>(vec![public], vec![vk.gamma_abc_g1[1].into_group()]);
+    let (msm_temp, gc) = (wires_set_from_g1p(ark_bn254::G1Projective::msm(&vec![vk.gamma_abc_g1[1]], &vec![fr_from_wires(public.clone())]).unwrap()), 696000000);
+    // let (msm_temp, gc) = G1Projective::msm_with_constant_bases_evaluate::<10>(vec![public], vec![vk.gamma_abc_g1[1].into_group()]);
     gate_count += gc;
     let (msm, gc) = G1Projective::add_evaluate(msm_temp, wires_set_from_g1p(vk.gamma_abc_g1[0].into_group()));
     gate_count += gc;
 
-    let (miller1, gc) = miller_loop_circuit_evaluate(msm, wires_set_from_g2a(-vk.gamma_g2));
-    gate_count += gc;
-    let (miller2, gc) = miller_loop_circuit_evaluate(proof_c, wires_set_from_g2a(-vk.delta_g2));
-    gate_count += gc;
-    let (miller3, gc) = miller_loop_circuit_evaluate(proof_a, proof_b);
-    gate_count += gc;
-
-    let (temp, gc) = fq12_mul_evaluate(miller1, miller2);
-    gate_count += gc;
-    let (f, gc) = fq12_mul_evaluate(temp, miller3);
+    let (f, gc) = multi_miller_loop_circuit_evaluate(vec![msm, proof_c, proof_a], vec![wires_set_from_g2a(-vk.gamma_g2), wires_set_from_g2a(-vk.delta_g2), proof_b]);
     gate_count += gc;
 
     let alpha_beta = ark_bn254::Bn254::final_exponentiation(ark_bn254::Bn254::multi_miller_loop([vk.alpha_g1.into_group()], [-vk.beta_g2])).unwrap().0.inverse().unwrap();