Merge remote-tracking branch 'bitvm/main' into optimize-polynomials

Author: just-erray

src/cac/mod.rs

@@ -18,16 +18,18 @@ mod tests {
         let n = 181;
         let k = 181 - 7;
 
+        let secp = vsss::Secp256k1::new();
+
         let mut rng = rand::thread_rng();
 
         // step 1: garbler generates secret:
         let polynomial = vsss::Polynomial::rand(&mut rng, k);
 
         // step 2: garbler send commitments to the polynomial coefficients to the evaluator
-        let coefficient_commits = polynomial.coefficient_commits();
+        let coefficient_commits = polynomial.coefficient_commits(&secp);
 
         // step 3: garbler shares commits, sends them to evaluator
-        let share_commits = polynomial.share_commits(n);
+        let share_commits = polynomial.share_commits(&secp, n);
 
         // step 4: evaluator verifies correctness of the share commits:
         share_commits
@@ -46,7 +48,7 @@ mod tests {
 
         // step 7: evaluator checks that the selected shares match the share commits
         share_commits
-            .verify_shares(&selected_shares)
+            .verify_shares(&secp, &selected_shares)
             .expect("Share verification failed");
 
         // step 8: (omitted) evaluator checks the garbled circuit validity

src/cac/vsss.rs

@@ -1,11 +1,62 @@
 use std::ops::{Add, Mul};
 
-use ark_ec::PrimeGroup;
+use ark_ec::{PrimeGroup, scalar_mul::BatchMulPreprocessing};
+use ark_ff::BigInteger;
+use ark_ff::PrimeField;
 use ark_ff::{Field, One, UniformRand, Zero};
 use ark_secp256k1::{Fr, Projective};
 use rand::Rng;
 use serde::{Deserialize, Serialize};
 
+pub struct Secp256k1 {
+    pub generator: BatchMulPreprocessing<Projective>,
+}
+
+impl Default for Secp256k1 {
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
+impl Secp256k1 {
+    pub fn new() -> Self {
+        // 181*176*3 is roughly the number of generator multiplications we do
+        Self {
+            generator: BatchMulPreprocessing::new(Projective::generator(), 181 * 176 * 3),
+        }
+    }
+
+    // Replacement of BatchMulPreprocessing::batch_mul, which (1) uses rayon parallelization
+    // and (2) converts the result to an affine point instead of a projective point.
+    fn generator_batch_mul(&self, scalars: &[Fr]) -> Vec<Projective> {
+        scalars.iter().map(|e| self.windowed_mul(e)).collect()
+    }
+
+    // copied from ark-ec/src/scalar_mul/mod.rs because it's not public
+    fn windowed_mul(&self, scalar: &Fr) -> Projective {
+        let outerc = self
+            .generator
+            .max_scalar_size
+            .div_ceil(self.generator.window);
+        let modulus_size = Fr::MODULUS_BIT_SIZE as usize;
+        let scalar_val = scalar.into_bigint().to_bits_le();
+
+        let mut res = Projective::from(self.generator.table[0][0]);
+        for outer in 0..outerc {
+            let mut inner = 0usize;
+            for i in 0..self.generator.window {
+                if outer * self.generator.window + i < modulus_size
+                    && scalar_val[outer * self.generator.window + i]
+                {
+                    inner |= 1 << i;
+                }
+            }
+            res += &self.generator.table[outer][inner];
+        }
+        res
+    }
+}
+
 // we use this for both polynomials over scalars and over projective points
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct Polynomial<T>(Vec<T>);
@@ -34,9 +85,8 @@ impl Polynomial<Fr> {
         Self((0..degree + 1).map(|_| Fr::rand(&mut rand)).collect())
     }
 
-    pub fn coefficient_commits(&self) -> PolynomialCommits {
-        let generator = Projective::generator();
-        PolynomialCommits(Polynomial(self.0.iter().map(|x| generator * x).collect()))
+    pub fn coefficient_commits(&self, secp: &Secp256k1) -> PolynomialCommits {
+        PolynomialCommits(Polynomial(secp.generator_batch_mul(&self.0)))
     }
 
     // shares are return with 0-based index. However, we evaluate share i at
@@ -47,13 +97,14 @@ impl Polynomial<Fr> {
             .collect()
     }
 
-    pub fn share_commits(&self, num_shares: usize) -> ShareCommits {
-        ShareCommits(
-            self.shares(num_shares)
-                .into_iter()
-                .map(|(_, share)| Projective::generator() * share)
-                .collect(),
-        )
+    pub fn share_commits(&self, secp: &Secp256k1, num_shares: usize) -> ShareCommits {
+        let shares = self
+            .shares(num_shares)
+            .into_iter()
+            .map(|(_, share)| share)
+            .collect::<Vec<_>>();
+        let commits = secp.generator_batch_mul(&shares);
+        ShareCommits(commits)
     }
 }
 
@@ -75,20 +126,22 @@ impl ShareCommits {
         Ok(())
     }
 
-    pub fn verify_shares(&self, shares: &[(usize, Fr)]) -> Result<(), String> {
+    pub fn verify_shares(&self, secp: &Secp256k1, shares: &[(usize, Fr)]) -> Result<(), String> {
         let mut indices = shares.iter().map(|(i, _)| *i).collect::<Vec<_>>();
         indices.sort_unstable();
         if indices.windows(2).any(|arr| arr[0] == arr[1]) {
             return Err("Duplicate share index found".to_owned());
         }
 
-        for (i, share) in shares.iter() {
+        let (indices, shares): (Vec<_>, Vec<_>) = shares.iter().copied().unzip();
+        let recomputed_commits = secp.generator_batch_mul(&shares);
+        for (index, recomputed_commit) in indices.iter().zip(recomputed_commits.into_iter()) {
             let share_commit = self
                 .0
-                .get(*i)
+                .get(*index)
                 .ok_or("Share index out of bounds".to_owned())?;
 
-            if *share_commit != Projective::generator() * share {
+            if *share_commit != recomputed_commit {
                 return Err("Share verification failed".to_owned());
             }
         }
@@ -191,6 +244,10 @@ pub fn lagrange_interpolate_whole_polynomial(
 
 #[cfg(test)]
 mod tests {
+    use std::time::Instant;
+
+    use ark_ec::ScalarMul;
+
     use super::*;
     use rand::{SeedableRng, seq::index::sample};
     use rand_chacha::ChaCha20Rng;
@@ -211,16 +268,48 @@ mod tests {
     #[test]
     fn test_commit_verification() {
         let polynomial_degree = 3;
+
+        let secp = Secp256k1::new();
+
         let polynomial = Polynomial::rand(rand::thread_rng(), polynomial_degree);
 
         let num_shares = polynomial_degree + 1;
-        let poly_commits = polynomial.coefficient_commits();
-        let share_commits = polynomial.share_commits(num_shares);
+        let poly_commits = polynomial.coefficient_commits(&secp);
+        let share_commits = polynomial.share_commits(&secp, num_shares);
 
         share_commits.verify(&poly_commits).unwrap();
 
         let shares = polynomial.shares(num_shares);
-        share_commits.verify_shares(&shares).unwrap();
+        share_commits.verify_shares(&secp, &shares).unwrap();
+    }
+
+    #[test]
+    fn test_batch_mul() {
+        let time_start = Instant::now();
+        let secp = Secp256k1::new();
+        println!(
+            "secp256k1 precalculation time: {:?}",
+            Instant::now() - time_start
+        );
+
+        let approx_size = secp.generator.table.iter().map(|x| x.len()).sum::<usize>()
+            * std::mem::size_of::<<Projective as ScalarMul>::MulBase>();
+        println!("approx_size: {:?}", approx_size);
+
+        let coeffs = (0..174)
+            .map(|_| Fr::rand(&mut rand::thread_rng()))
+            .collect::<Vec<_>>();
+
+        let time_start = Instant::now();
+        let vals_batched = secp.generator_batch_mul(&coeffs);
+        println!("batch_mul time: {:?}", Instant::now() - time_start);
+
+        let generator = Projective::generator();
+        let time_start = Instant::now();
+        let vals_unbatched = coeffs.iter().map(|c| generator * c).collect::<Vec<_>>();
+        println!("unbatched time: {:?}", Instant::now() - time_start);
+
+        assert_eq!(vals_batched, vals_unbatched);
     }
 
     #[test]