diff --git a/src/sonic/helped/helper.rs b/src/sonic/helped/helper.rs index fb7bf96..f8823e7 100644 --- a/src/sonic/helped/helper.rs +++ b/src/sonic/helped/helper.rs @@ -120,22 +120,29 @@ pub fn create_aggregate_on_srs_using_information, S: Sy let mut value = value; value.negate(); - let poly = kate_divison( + polynomial_commitment_opening( + n, + 0, s_poly_negative.iter().rev().chain_ext(Some(value).iter()).chain_ext(s_poly_positive.iter()), w, - ); + &srs + ) - let negative_poly = poly[0..n].iter().rev(); - let positive_poly = poly[n..].iter(); - multiexp( - srs.g_negative_x[1..(negative_poly.len() + 1)].iter().chain_ext( - srs.g_positive_x[0..positive_poly.len()].iter() - ), - negative_poly.chain_ext(positive_poly) - ).into_affine() + // let poly = kate_divison( + // s_poly_negative.iter().rev().chain_ext(Some(value).iter()).chain_ext(s_poly_positive.iter()), + // w, + // ); + + // let negative_poly = poly[0..n].iter().rev(); + // let positive_poly = poly[n..].iter(); + // multiexp( + // srs.g_negative_x[1..(negative_poly.len() + 1)].iter().chain_ext( + // srs.g_positive_x[0..positive_poly.len()].iter() + // ), + // negative_poly.chain_ext(positive_poly) + // ).into_affine() }; - // TODO: parallelize // Let's open up C to every y. fn compute_value(y: &E::Fr, poly_positive: &[E::Fr], poly_negative: &[E::Fr]) -> E::Fr { let mut value = E::Fr::zero(); @@ -173,19 +180,27 @@ pub fn create_aggregate_on_srs_using_information, S: Sy let mut value = value; value.negate(); - let poly = kate_divison( + polynomial_commitment_opening( + n, + 0, s_poly_negative.iter().rev().chain_ext(Some(value).iter()).chain_ext(s_poly_positive.iter()), *y, - ); + &srs + ) - let negative_poly = poly[0..n].iter().rev(); - let positive_poly = poly[n..].iter(); - multiexp( - srs.g_negative_x[1..(negative_poly.len() + 1)].iter().chain_ext( - srs.g_positive_x[0..positive_poly.len()].iter() - ), - negative_poly.chain_ext(positive_poly) - ).into_affine() + // let poly = kate_divison( + // s_poly_negative.iter().rev().chain_ext(Some(value).iter()).chain_ext(s_poly_positive.iter()), + // *y, + // ); + + // let negative_poly = poly[0..n].iter().rev(); + // let positive_poly = poly[n..].iter(); + // multiexp( + // srs.g_negative_x[1..(negative_poly.len() + 1)].iter().chain_ext( + // srs.g_positive_x[0..positive_poly.len()].iter() + // ), + // negative_poly.chain_ext(positive_poly) + // ).into_affine() }; c_openings.push((opening, value)); @@ -213,35 +228,45 @@ pub fn create_aggregate_on_srs_using_information, S: Sy value.mul_assign(&r); expected_value.add_assign(&value); - for (mut coeff, target) in s_poly_negative.into_iter().zip(poly_negative.iter_mut()) { - coeff.mul_assign(&r); - target.add_assign(&coeff); - } + mul_add_polynomials(& mut poly_negative[..], &s_poly_negative[..], r); + mul_add_polynomials(& mut poly_positive[..], &s_poly_positive[..], r); - for (mut coeff, target) in s_poly_positive.into_iter().zip(poly_positive.iter_mut()) { - coeff.mul_assign(&r); - target.add_assign(&coeff); - } + // for (mut coeff, target) in s_poly_negative.into_iter().zip(poly_negative.iter_mut()) { + // coeff.mul_assign(&r); + // target.add_assign(&coeff); + // } + + // for (mut coeff, target) in s_poly_positive.into_iter().zip(poly_positive.iter_mut()) { + // coeff.mul_assign(&r); + // target.add_assign(&coeff); + // } } - // TODO: parallelize let s_opening = { let mut value = expected_value; value.negate(); - let poly = kate_divison( + polynomial_commitment_opening( + n, + 0, poly_negative.iter().rev().chain_ext(Some(value).iter()).chain_ext(poly_positive.iter()), z, - ); + &srs + ) - let negative_poly = poly[0..n].iter().rev(); - let positive_poly = poly[n..].iter(); - multiexp( - srs.g_negative_x[1..(negative_poly.len() + 1)].iter().chain_ext( - srs.g_positive_x[0..positive_poly.len()].iter() - ), - negative_poly.chain_ext(positive_poly) - ).into_affine() + // let poly = kate_divison( + // poly_negative.iter().rev().chain_ext(Some(value).iter()).chain_ext(poly_positive.iter()), + // z, + // ); + + // let negative_poly = poly[0..n].iter().rev(); + // let positive_poly = poly[n..].iter(); + // multiexp( + // srs.g_negative_x[1..(negative_poly.len() + 1)].iter().chain_ext( + // srs.g_positive_x[0..positive_poly.len()].iter() + // ), + // negative_poly.chain_ext(positive_poly) + // ).into_affine() }; Aggregate { diff --git a/src/sonic/helped/prover.rs b/src/sonic/helped/prover.rs index d6558bf..cf11964 100644 --- a/src/sonic/helped/prover.rs +++ b/src/sonic/helped/prover.rs @@ -253,7 +253,7 @@ pub fn create_proof_on_srs, S: SynthesisDriver>( ); // negative powers [-1, -2n], positive [1, n] - let (s_poly_negative, s_poly_positive) = { + let (mut s_poly_negative, s_poly_positive) = { let mut tmp = SxEval::new(y, n); S::synthesize(&mut tmp, circuit)?; @@ -266,18 +266,26 @@ pub fn create_proof_on_srs, S: SynthesisDriver>( { // extend to have powers [n+1, 2n] rxy_prime.resize(4 * n + 1 + NUM_BLINDINGS, E::Fr::zero()); - // add coefficients in front of X^{-2n}...X^{-n-1}, X^{-n}...X^{-1} - for (r, s) in rxy_prime[NUM_BLINDINGS..(2 * n + NUM_BLINDINGS)] - .iter_mut() - .rev() - .zip(s_poly_negative) - { - r.add_assign(&s); - } - // add coefficients in front of X^{1}...X^{n}, X^{n+1}...X^{2*n} - for (r, s) in rxy_prime[(2 * n + 1 + NUM_BLINDINGS)..].iter_mut().zip(s_poly_positive) { - r.add_assign(&s); - } + s_poly_negative.reverse(); + + let neg_poly_len = s_poly_negative.len(); + add_polynomials(&mut rxy_prime[(NUM_BLINDINGS+neg_poly_len)..(2 * n + NUM_BLINDINGS)], &s_poly_negative[..]); + s_poly_negative.reverse(); + + add_polynomials(&mut rxy_prime[(2 * n + 1 + NUM_BLINDINGS)..], &s_poly_positive[..]) + + // // add coefficients in front of X^{-2n}...X^{-n-1}, X^{-n}...X^{-1} + // for (r, s) in rxy_prime[NUM_BLINDINGS..(2 * n + NUM_BLINDINGS)] + // .iter_mut() + // .rev() + // .zip(s_poly_negative) + // { + // r.add_assign(&s); + // } + // // add coefficients in front of X^{1}...X^{n}, X^{n+1}...X^{2*n} + // for (r, s) in rxy_prime[(2 * n + 1 + NUM_BLINDINGS)..].iter_mut().zip(s_poly_positive) { + // r.add_assign(&s); + // } } // by this point all R related polynomials are blinded and evaluated for Y variable @@ -344,12 +352,15 @@ pub fn create_proof_on_srs, S: SynthesisDriver>( let z_opening = { rx1[(2 * n + NUM_BLINDINGS)].add_assign(&rzy); // restore - // skip powers from until reach -2n - NUM_BLINDINGS - for (t, &r) in txy[(2 * n + NUM_BLINDINGS)..].iter_mut().zip(rx1.iter()) { - let mut r = r; - r.mul_assign(&r1); - t.add_assign(&r); - } + let rx1_len = rx1.len(); + mul_add_polynomials(&mut txy[(2 * n + NUM_BLINDINGS)..(2 * n + NUM_BLINDINGS + rx1_len)], &rx1[..], r1); + + // // skip powers from until reach -2n - NUM_BLINDINGS + // for (t, &r) in txy[(2 * n + NUM_BLINDINGS)..].iter_mut().zip(rx1.iter()) { + // let mut r = r; + // r.mul_assign(&r1); + // t.add_assign(&r); + // } let val = { let tmp = z_inv.pow(&[(4*n + 2*NUM_BLINDINGS) as u64]); diff --git a/src/sonic/tests/sonics.rs b/src/sonic/tests/sonics.rs index cbea80c..6bdc59d 100644 --- a/src/sonic/tests/sonics.rs +++ b/src/sonic/tests/sonics.rs @@ -509,9 +509,9 @@ fn test_high_level_sonic_api() { println!("done in {:?}", start.elapsed()); println!("creating aggregate for {} proofs", samples); - let start = Instant::now(); let proofs: Vec<_> = (0..samples).map(|_| (proof.clone(), advice.clone())).collect(); + let start = Instant::now(); let aggregate = create_aggregate::(circuit.clone(), &proofs, ¶ms); println!("done in {:?}", start.elapsed()); diff --git a/src/sonic/util.rs b/src/sonic/util.rs index aa26854..caeaa29 100644 --- a/src/sonic/util.rs +++ b/src/sonic/util.rs @@ -125,11 +125,16 @@ pub fn polynomial_commitment_opening< { // let poly = parallel_kate_divison::(polynomial_coefficients, point); + use std::time::Instant; + let start = Instant::now(); + let poly = kate_divison( polynomial_coefficients, point, ); + println!("Kate division of size {} taken {:?}", poly.len(), start.elapsed()); + let negative_poly = poly[0..largest_negative_power].iter().rev(); let positive_poly = poly[largest_negative_power..].iter(); multiexp(