[Design Discussion] Zk Accel API via extra function parameter [Don't merge]

halo2_proofs/Cargo.toml

@@ -53,7 +53,7 @@ backtrace = { version = "0.3", optional = true }
 rayon = "1.5.1"
 ff = "0.13"
 group = "0.13"
-halo2curves = { git = 'https://github.com/privacy-scaling-explorations/halo2curves', tag = "0.3.2" }
+halo2curves = { git = 'https://github.com/taikoxyz/halo2curves', branch = "zal-on-0.3.2" }
 rand_core = { version = "0.6", default-features = false }
 tracing = "0.1"
 blake2b_simd = "1"

halo2_proofs/benches/arithmetic.rs

@@ -1,10 +1,10 @@
 #[macro_use]
 extern crate criterion;
 
-use crate::arithmetic::small_multiexp;
-use crate::halo2curves::pasta::{EqAffine, Fp};
 use group::ff::Field;
 use halo2_proofs::*;
+use halo2curves::pasta::{EqAffine, Fp};
+use halo2curves::zal::{H2cEngine, MsmAccel};
 
 use halo2_proofs::poly::{commitment::ParamsProver, ipa::commitment::ParamsIPA};
 
@@ -16,6 +16,7 @@ fn criterion_benchmark(c: &mut Criterion) {
 
     // small multiexp
     {
+        let engine = H2cEngine::new();
         let params: ParamsIPA<EqAffine> = ParamsIPA::new(5);
         let g = &mut params.get_g().to_vec();
         let len = g.len() / 2;
@@ -27,7 +28,7 @@ fn criterion_benchmark(c: &mut Criterion) {
         c.bench_function("double-and-add", |b| {
             b.iter(|| {
                 for (g_lo, g_hi) in g_lo.iter().zip(g_hi.iter()) {
-                    small_multiexp(&[black_box(coeff_1), black_box(coeff_2)], &[*g_lo, *g_hi]);
+                    engine.msm(&[black_box(coeff_1), black_box(coeff_2)], &[*g_lo, *g_hi]);
                 }
             })
         });

halo2_proofs/examples/cost-model.rs

@@ -8,8 +8,10 @@ use std::{
 use ff::Field;
 use group::{Curve, Group};
 use gumdrop::Options;
-use halo2_proofs::arithmetic::best_multiexp;
-use halo2curves::pasta::pallas;
+use halo2curves::{
+    pasta::pallas,
+    zal::{H2cEngine, MsmAccel},
+};
 
 struct Estimator {
     /// Scalars for estimating multiexp performance.
@@ -41,7 +43,10 @@ impl Estimator {
 
     fn multiexp(&self, size: usize) -> Duration {
         let start = Instant::now();
-        best_multiexp(&self.multiexp_scalars[..size], &self.multiexp_bases[..size]);
+        // TODO: at the moment we use the default MSM for estimating cost.
+        //       is it beneficial to use the real engine?
+        let engine = H2cEngine::new();
+        engine.msm(&self.multiexp_scalars[..size], &self.multiexp_bases[..size]);
         Instant::now().duration_since(start)
     }
 }

halo2_proofs/examples/serialization.rs

@@ -24,6 +24,7 @@ use halo2_proofs::{
     SerdeFormat,
 };
 use halo2curves::bn256::{Bn256, Fr, G1Affine};
+use halo2curves::zal::H2cEngine;
 use rand_core::OsRng;
 
 #[derive(Clone, Copy)]
@@ -129,6 +130,7 @@ impl Circuit<Fr> for StandardPlonk {
 }
 
 fn main() {
+    let engine = H2cEngine::new();
     let k = 4;
     let circuit = StandardPlonk(Fr::random(OsRng));
     let params = ParamsKZG::<Bn256>::setup(k, OsRng);
@@ -163,6 +165,7 @@ fn main() {
         Blake2bWrite<Vec<u8>, G1Affine, Challenge255<_>>,
         _,
     >(
+        &engine,
         &params,
         &pk,
         &[circuit],

halo2_proofs/examples/shuffle.rs

@@ -18,6 +18,7 @@ use halo2_proofs::{
         Blake2bRead, Blake2bWrite, Challenge255, TranscriptReadBuffer, TranscriptWriterBuffer,
     },
 };
+use halo2curves::zal::{H2cEngine, MsmAccel};
 use rand_core::{OsRng, RngCore};
 use std::iter;
 
@@ -275,6 +276,7 @@ fn test_mock_prover<F: Ord + FromUniformBytes<64>, const W: usize, const H: usiz
 }
 
 fn test_prover<C: CurveAffine, const W: usize, const H: usize>(
+    engine: &dyn MsmAccel<C>,
     k: u32,
     circuit: MyCircuit<C::Scalar, W, H>,
     expected: bool,
@@ -289,6 +291,7 @@ fn test_prover<C: CurveAffine, const W: usize, const H: usize>(
         let mut transcript = Blake2bWrite::<_, _, Challenge255<_>>::init(vec![]);
 
         create_proof::<IPACommitmentScheme<C>, ProverIPA<C>, _, _, _, _>(
+            engine,
             &params,
             &pk,
             &[circuit],
@@ -324,11 +327,12 @@ fn main() {
     const H: usize = 32;
     const K: u32 = 8;
 
+    let engine = H2cEngine::new();
     let circuit = &MyCircuit::<_, W, H>::rand(&mut OsRng);
 
     {
         test_mock_prover(K, circuit.clone(), Ok(()));
-        test_prover::<EqAffine, W, H>(K, circuit.clone(), true);
+        test_prover::<EqAffine, W, H>(&engine, K, circuit.clone(), true);
     }
 
     #[cfg(not(feature = "sanity-checks"))]
@@ -352,6 +356,6 @@ fn main() {
                 },
             )]),
         );
-        test_prover::<EqAffine, W, H>(K, circuit, false);
+        test_prover::<EqAffine, W, H>(&engine, K, circuit, false);
     }
 }

halo2_proofs/src/arithmetic.rs

@@ -38,6 +38,10 @@ where
 /// TEMP
 pub static mut MULTIEXP_TOTAL_TIME: usize = 0;
 
+#[deprecated(
+    since = "0.3.2",
+    note = "please use ZAL api engine instead,\nsee: https://github.com/privacy-scaling-explorations/halo2/issues/216"
+)]
 fn multiexp_serial<C: CurveAffine>(coeffs: &[C::Scalar], bases: &[C], acc: &mut C::Curve) {
     let coeffs: Vec<_> = coeffs.iter().map(|a| a.to_repr()).collect();
 
@@ -130,6 +134,10 @@ fn multiexp_serial<C: CurveAffine>(coeffs: &[C::Scalar], bases: &[C], acc: &mut
 
 /// Performs a small multi-exponentiation operation.
 /// Uses the double-and-add algorithm with doublings shared across points.
+#[deprecated(
+    since = "0.3.2",
+    note = "please use ZAL api engine instead,\nsee: https://github.com/privacy-scaling-explorations/halo2/issues/216"
+)]
 pub fn small_multiexp<C: CurveAffine>(coeffs: &[C::Scalar], bases: &[C]) -> C::Curve {
     let coeffs: Vec<_> = coeffs.iter().map(|a| a.to_repr()).collect();
     let mut acc = C::Curve::identity();
@@ -157,6 +165,10 @@ pub fn small_multiexp<C: CurveAffine>(coeffs: &[C::Scalar], bases: &[C]) -> C::C
 /// This function will panic if coeffs and bases have a different length.
 ///
 /// This will use multithreading if beneficial.
+#[deprecated(
+    since = "0.3.2",
+    note = "please use ZAL api engine instead,\nsee: https://github.com/privacy-scaling-explorations/halo2/issues/216"
+)]
 pub fn best_multiexp<C: CurveAffine>(coeffs: &[C::Scalar], bases: &[C]) -> C::Curve {
     assert_eq!(coeffs.len(), bases.len());
 
@@ -177,13 +189,15 @@ pub fn best_multiexp<C: CurveAffine>(coeffs: &[C::Scalar], bases: &[C]) -> C::Cu
                 .zip(results.iter_mut())
             {
                 scope.spawn(move |_| {
+                    #[allow(deprecated)]
                     multiexp_serial(coeffs, bases, acc);
                 });
             }
         });
         results.iter().fold(C::Curve::identity(), |a, b| a + b)
     } else {
         let mut acc = C::Curve::identity();
+        #[allow(deprecated)]
         multiexp_serial(coeffs, bases, &mut acc);
         acc
     };

halo2_proofs/src/plonk/keygen.rs

@@ -4,6 +4,7 @@ use std::ops::Range;
 
 use ff::{Field, FromUniformBytes};
 use group::Curve;
+use halo2curves::zal::H2cEngine;
 
 use super::{
     circuit::{
@@ -214,6 +215,8 @@ where
     ConcreteCircuit: Circuit<C::Scalar>,
     C::Scalar: FromUniformBytes<64>,
 {
+    // ZAL: Verification is (supposedly) cheap, hence we don't use an accelerator engine
+    let default_engine = H2cEngine::new();
     let (domain, cs, config) = create_domain::<C, ConcreteCircuit>(
         params.k(),
         #[cfg(feature = "circuit-params")]
@@ -249,13 +252,18 @@ where
             .map(|poly| domain.lagrange_from_vec(poly)),
     );
 
-    let permutation_vk = assembly
-        .permutation
-        .build_vk(params, &domain, &cs.permutation);
+    let permutation_vk =
+        assembly
+            .permutation
+            .build_vk(&default_engine, params, &domain, &cs.permutation);
 
     let fixed_commitments = fixed
         .iter()
-        .map(|poly| params.commit_lagrange(poly, Blind::default()).to_affine())
+        .map(|poly| {
+            params
+                .commit_lagrange(&default_engine, poly, Blind::default())
+                .to_affine()
+        })
         .collect();
 
     Ok(VerifyingKey::from_parts(

halo2_proofs/src/plonk/lookup/prover.rs

@@ -18,6 +18,7 @@ use group::{
     ff::{BatchInvert, Field},
     Curve,
 };
+use halo2curves::zal::MsmAccel;
 use rand_core::RngCore;
 use std::{any::TypeId, convert::TryInto, num::ParseIntError, ops::Index};
 use std::{
@@ -72,6 +73,7 @@ impl<F: WithSmallOrderMulGroup<3>> Argument<F> {
         T: TranscriptWrite<C, E>,
     >(
         &self,
+        engine: &dyn MsmAccel<C>,
         pk: &ProvingKey<C>,
         params: &P,
         domain: &EvaluationDomain<C::Scalar>,
@@ -128,7 +130,7 @@ impl<F: WithSmallOrderMulGroup<3>> Argument<F> {
         let mut commit_values = |values: &Polynomial<C::Scalar, LagrangeCoeff>| {
             let poly = pk.vk.domain.lagrange_to_coeff(values.clone());
             let blind = Blind(C::Scalar::random(&mut rng));
-            let commitment = params.commit_lagrange(values, blind).to_affine();
+            let commitment = params.commit_lagrange(engine, values, blind).to_affine();
             (poly, blind, commitment)
         };
 
@@ -173,6 +175,7 @@ impl<C: CurveAffine> Permuted<C> {
         T: TranscriptWrite<C, E>,
     >(
         self,
+        engine: &dyn MsmAccel<C>,
         pk: &ProvingKey<C>,
         params: &P,
         beta: ChallengeBeta<C>,
@@ -289,7 +292,9 @@ impl<C: CurveAffine> Permuted<C> {
         }
 
         let product_blind = Blind(C::Scalar::random(rng));
-        let product_commitment = params.commit_lagrange(&z, product_blind).to_affine();
+        let product_commitment = params
+            .commit_lagrange(engine, &z, product_blind)
+            .to_affine();
         let z = pk.vk.domain.lagrange_to_coeff(z);
 
         // Hash product commitment

halo2_proofs/src/plonk/permutation/keygen.rs

@@ -1,5 +1,6 @@
 use ff::{Field, PrimeField};
 use group::Curve;
+use halo2curves::zal::MsmAccel;
 
 use super::{Argument, ProvingKey, VerifyingKey};
 use crate::{
@@ -104,6 +105,7 @@ impl Assembly {
 
     pub(crate) fn build_vk<'params, C: CurveAffine, P: Params<'params, C>>(
         self,
+        engine: &dyn MsmAccel<C>,
         params: &P,
         domain: &EvaluationDomain<C::Scalar>,
         p: &Argument,
@@ -156,7 +158,7 @@ impl Assembly {
             // Compute commitment to permutation polynomial
             commitments.push(
                 params
-                    .commit_lagrange(permutation, Blind::default())
+                    .commit_lagrange(engine, permutation, Blind::default())
                     .to_affine(),
             );
         }

halo2_proofs/src/plonk/permutation/prover.rs

@@ -3,6 +3,7 @@ use group::{
     ff::{BatchInvert, Field},
     Curve,
 };
+use halo2curves::zal::MsmAccel;
 use rand_core::RngCore;
 use std::iter::{self, ExactSizeIterator};
 
@@ -51,6 +52,7 @@ impl Argument {
         T: TranscriptWrite<C, E>,
     >(
         &self,
+        engine: &dyn MsmAccel<C>,
         params: &P,
         pk: &plonk::ProvingKey<C>,
         pkey: &ProvingKey<C>,
@@ -167,7 +169,8 @@ impl Argument {
 
             let blind = Blind(C::Scalar::random(&mut rng));
 
-            let permutation_product_commitment_projective = params.commit_lagrange(&z, blind);
+            let permutation_product_commitment_projective =
+                params.commit_lagrange(engine, &z, blind);
             let permutation_product_blind = blind;
             let z = domain.lagrange_to_coeff(z);
             let permutation_product_poly = z.clone();