Single-threaded generation of random poly is slow #151
Assignees
Labels
enhancement
New feature or request
Comments
|
I remember we had an implementation that speeded this up so that it wasn't an issue at all. Thet's weird.. Will investigate on that and follow up! |
|
Hey @jonathanpwang I've not been able to find any popular rust libs that allow for fast random vec instanciation. What about this: On that way the seeds of each thread are crypto secure. And so, the derived computations. |
I wasn't sure what trait |
|
@jonathanpwang Sorry I not explained correctly. I'm assuming that even inside the pieces, scalars have a known relation between them, you can't do anything with it as when the next piece comes the relation is broken + the initial scalar was random. let num_cpus = GET_NUM_CPUS;
let rand_scalars_needed_per_thread = (2<<DOMAIN.degree()) / num_cpus;
// This is still single threaded. We compute N random scalars.
let scalars = (0..num_cpus).iter().map(|| Scalar::random(&mut rng)).collect();
let handler = thread::spawn(|| {
let starting_rand_scalar = scalars[i].clone();
let mut piece = vec![starting_random_scalar];
for _ in 0..rand_scalars_needed_per_thread {
piece.push(piece.last().unwrap() * starting_rand_scalar);
}
piece
});
handler.join().unwrap();
// Then we join all the pieces and we have the random vec computed in parallel. |
|
Ah I see. This is a nice solution. I'm also not totally sure how safe it is to use the powers for randomness, but it is done in many other places in the prover, so it's probably ok? :) |
|
@jonathanpwang I hope the solution purposed in #152 works well enough. |
CPerezz
added a commit
to CPerezz/halo2
that referenced
this issue
Feb 27, 2023
As noted in privacy-scaling-explorations#151 the generation of a random poly for degrees bigger than 20 starts to get quite slow. This PR tries to include some minimal changes in the `commit` fn so that we upstream the improvements achieved in PSE/halo2
CPerezz
added a commit
that referenced
this issue
Feb 28, 2023
* feat: Parallelize `commit` blinder poly generator method Solves the concerns raised in #151 related to the performance of the random poly generator inside of `commit`. Resolves: #151 * chore: add `from_evals` for Polynomial * chore: add benches for commit_zk serial vs par * fix: Correct thread_seeds iter size * fix: Clippy * chore: apply review suggestions * fix: Inconsisten num of Scalars generated parallely This fix from @ed255 fixes an error on the code proposal which was rounding the num of Scalars to be generated and so, was producing failures. Co-authored-by: Edu <[email protected]> * remove: legacy comments & code --------- Co-authored-by: Edu <[email protected]>
|
Btw in scroll fork,we set the random poly full of 1s so the commitment is (1,2) point.. Since we don't need blinding as a rollup |
|
@lispc makes complete sense. But we want to allow for other usages. And, so, we leave correct settings for blinders in case you want to use them :) |
rrrliu
pushed a commit
to zkwebauthn/halo2
that referenced
this issue
Mar 31, 2023
…#152) * feat: Parallelize `commit` blinder poly generator method Solves the concerns raised in privacy-scaling-explorations#151 related to the performance of the random poly generator inside of `commit`. Resolves: privacy-scaling-explorations#151 * chore: add `from_evals` for Polynomial * chore: add benches for commit_zk serial vs par * fix: Correct thread_seeds iter size * fix: Clippy * chore: apply review suggestions * fix: Inconsisten num of Scalars generated parallely This fix from @ed255 fixes an error on the code proposal which was rounding the num of Scalars to be generated and so, was producing failures. Co-authored-by: Edu <[email protected]> * remove: legacy comments & code --------- Co-authored-by: Edu <[email protected]>
jonathanpwang
added a commit
to axiom-crypto/halo2
that referenced
this issue
Jun 20, 2023
* feat: remove `Result` from `assign_advice` return value * apply `cargo clippy --fix` * feat: remove `Result` from `assign_advice` return value * apply `cargo clippy --fix` * feat: add timers to "profile" feature * FFT opt * chore: fix measurement display when "profile" is on only * feat: parallelize vanishing random poly generation; remove `Result`s and unwrap instead * feat: add new parallel implementation for `permute_expression_pair` to get (A', S') that is fully multi-threaded: this is a different algorithm than the original `permute_expression_pair_seq` * revert: go back to `Rng` without `Clone` * chore: remove rng: Sync requirement for compatibility reasons * Expose mod `permutation` and re-export `permutation::keygen::Assembly` (privacy-scaling-explorations#149) * feat: expose mod ule `permutation` and re-export `permutation::keygen::Assembly` * feat: derive `lone` for `permutation::keygen::Assembly` * feat: bump MSRV for `inferno` * feat(MockProver): replace errors by asserts In MockProver, replace all code that returns an error by an assert that panics instead of returning the error. This change aims to make it easier to debug circuit code bugs by getting backtraces. * feat: parallelize vanishing rand poly using `thread_rng()` for now * MockProver test utililities (privacy-scaling-explorations#153) * test/unwrap_value: escape Value safety in the dev module * test/mock-prover-values: MockProver exposes the generated columns to tests * test/mock-prover-values: doc * mockprover-util: remove unwrap_value --------- Co-authored-by: Aurélien Nicolas <[email protected]> * feat: Parallel random blinder poly impl (privacy-scaling-explorations#152) * feat: Parallelize `commit` blinder poly generator method Solves the concerns raised in privacy-scaling-explorations#151 related to the performance of the random poly generator inside of `commit`. Resolves: privacy-scaling-explorations#151 * chore: add `from_evals` for Polynomial * chore: add benches for commit_zk serial vs par * fix: Correct thread_seeds iter size * fix: Clippy * chore: apply review suggestions * fix: Inconsisten num of Scalars generated parallely This fix from @ed255 fixes an error on the code proposal which was rounding the num of Scalars to be generated and so, was producing failures. Co-authored-by: Edu <[email protected]> * remove: legacy comments & code --------- Co-authored-by: Edu <[email protected]> * chore: remove debug_assert on phase to allow non-specialized circuits to pass --------- Co-authored-by: kilic <[email protected]> Co-authored-by: NoCtrlZ <[email protected]> Co-authored-by: Brechtpd <[email protected]> Co-authored-by: David Nevado <[email protected]> Co-authored-by: han0110 <[email protected]> Co-authored-by: Nalin Bhardwaj <[email protected]> Co-authored-by: Jonathan Wang <[email protected]> Co-authored-by: adria0 <nowhere@> Co-authored-by: Carlos Pérez <[email protected]> Co-authored-by: adria0.eth <[email protected]> Co-authored-by: dante <[email protected]> Co-authored-by: pinkiebell <[email protected]> Co-authored-by: Eduard S <[email protected]> Co-authored-by: naure <[email protected]> Co-authored-by: Aurélien Nicolas <[email protected]>
jonathanpwang
added a commit
to axiom-crypto/halo2
that referenced
this issue
Aug 15, 2023
* - Implements `PartialOrd` for `Value<F>` - Adds a `transpose` method to turn `Value<Result<_>>` into `Result<Value<_>>` - `Expression::identifier()` remove string memory reallocation * Fix MockProver `assert_verify` panic errors (privacy-scaling-explorations#118) * fix: Support dynamic lookups in `MockProver::assert_verify` Since lookups can only be `Fixed` in Halo2-upstream, we need to add custom suport for the error rendering of dynamic lookups which doesn't come by default when we rebase to upstream. This means that now we have to print not only `AdviceQuery` results to render the `Expression` that is being looked up. But also support `Instance`, `Advice`, `Challenge` or any other expression types that are avaliable. This addresses the rendering issue, renaming also the `table_columns` variable for `lookup_columns` as the columns do not have the type `TableColumn` by default as opposite to what happens upstream. * fix: Don't error and emit empty String for Empty queries * feat: Add `assert_sarisfied_par` fn to `MockProver` * fix: Address clippy errors * chore: Address review comments * chore: Fix clippy lints Resolves: privacy-scaling-explorations#116 * Remove partial ordering for value * Remove transpose * Parallelize SHPLONK multi-open prover (privacy-scaling-explorations#114) * feat: parallelize (cpu) shplonk prover * shplonk: improve `construct_intermediate_sets` using `BTreeSet` and `BTreeMap` more aggressively * shplonk: add `Send` and `Sync` to `Query` trait for more parallelization * fix: ensure the order of the collection of rotation sets is independent of the values of the opening points Co-authored-by: Jonathan Wang <[email protected]> * fix: FailureLocation::find empty-region handling (privacy-scaling-explorations#121) After working on fixing privacy-scaling-explorations/zkevm-circuits#1024, a bug was found in the verification fn of the MockProver which implies that while finding a FailureLocation, if a Region doesn't contain any rows. This is fixed by introducing a 2-line solution suggested by @lispc. Resolves: privacy-scaling-explorations#117 * Feature: Expose Fixed columns & Assembly permutation structs in MockProver instance (privacy-scaling-explorations#123) * feat: Expose fixed columns in MockProver * change: Make `Assembly` object public & add getters * chore: Address leftover TODOs * Feature to serialize/deserialize KZG params, verifying key, and proving key into uncompressed Montgomery form (privacy-scaling-explorations#111) * feat: read `VerifyingKey` and `ProvingKey` does not require `params` as long as we serialize `params.k()` * feat: add features "serde-raw" and "raw-unchecked" to serialize/deserialize KZG params, verifying key, and proving key directly into raw bytes in internal memory format. So field elements are stored in Montgomery form `a * R (mod p)` and curve points are stored without compression. * chore: switch to halo2curves 0.3.1 tag * feat: add enum `SerdeFormat` for user to select serialization/deserialization format of curve and field elements Co-authored-by: Jonathan Wang <[email protected]> * Add support for Column annotations for MockProver debugging (privacy-scaling-explorations#109) * feat: Add `name_column` to `Layouter` & `RegionLayouter` This adds the trait-associated function `name_column` in order to enable the possibility of the Layouter to store annotations aobut the colums. This function does nothing for all the trait implementors (V1, SimpleFloor, Assembly....) except for the `MockProver`. Which is responsible of storing a map that links within a `Region` index, the `column::Metadata` to the annotation `String`. * feta: Update metadata/dbg structs to hold Col->Ann mapping * feat: Update emitter module to print Column annotations * feat: Add lookup column annotations This adds the fn `annotate_lookup_column` for `ConstraintSystem` which allows to carry annotations for the lookup columns declared for a circuit within a CS. * feat: Add Lookup TableColumn annotations This allows to annotate lookup `TableColumn`s and print it's annotation within the `assert_satisfied` fn. This has required to change the `ConstraintSystem::lookup_annotations` to have keys as `metadata::Column` rather than `usize` as otherwise it's impossible within the `emitter` scope to distinguish between regular advice columns (local to the Region) and fixed columns which come from `TableColumn`s. * fix: Customly derive PartialEq for metadata::Region This allows to ignore the annotation map of the metadata::Region so that is easier to match against `VerifyFailure` errors in tests. * fix: Update ConstraintNotSatisfied testcase * fix: Update Debug & Display for VerifyFailure It was necessary to improve the `prover.verify` output also. To do so, this required auxiliary types which are obfuscated to any other part of the lib but that are necessary in order to be able to inject the Column names inside of the `Column` section itself. This also required to re-implement manually `Debug` and `Display` for this enum. This closes zcash#705 * fix: Address clippy & warnings * fix: Add final comments & polish * fix: Resolve cherry-pick merge conflics & errors * chore: Change DebugColumn visibility * chore: Allow to fetch annotations from metadata * chore: Fix clippy lints * chore: Remove comments from code for testing * feat: Add support for Advice and Instance anns in lookups * feat: Allow `V1` layouter to annotate columns too * fix: Support `Constant` & `Selector` for lookup exprs * chore: Address review comments * chore: Propagete write! result in `VerifyFailure::Display` * chore: Address clippy lints * chore: Move Codecov, wasm-build, Bitrot & doc-tests to push (privacy-scaling-explorations#125) * chore: Move Codecov, wasm-build, Bitrot & doc-tests to push This should cut down significantly the CI times on every push done to a branch for a PR. Resolves: privacy-scaling-explorations#124 * chore: Add back `push` on CI checks * fix: Allow to compare `Assembly` structs (privacy-scaling-explorations#126) This was missing in privacy-scaling-explorations#123 so this PR fixes it. * Add keccak256 hasher for transcript (#2) * Add keccak256 hasher for transcript * Fix keccak256 common point prefix * Remove unnecessary hasher_* variables * fix: transcript instantiation in poseidon benchmark loop (privacy-scaling-explorations#128) * Improve performance of vk & pk keygen and of default `parallelize` chunking size (privacy-scaling-explorations#127) * Squashed commit of the following: commit 17e3c4e Author: Mickey <[email protected]> Date: Fri Jul 15 11:10:32 2022 +0800 speed up generate vk pk with multi-thread * fix * Improve performance of vk & pk keygen and of default `parallelize` chunking size. Reduces proving time on large circuits consistently >=3%. Builts upon [speed up generate vk pk with multi-thread](privacy-scaling-explorations#88) Fixes: privacy-scaling-explorations#83 * fix: Force `VerifyFailure` to own the annotations map (privacy-scaling-explorations#131) * fix: Force `VerifyFailure` to own the annotations map Since otherwise we can't move the `VerifyFailure` vec's confortably, and also, we're required to have a lot of lifetime annotations, it was decided to force the `VerifyFailure` to own the Annotation maps. This shouldn't be too harmful as it only triggers when testing. Resolves: privacy-scaling-explorations#130 * chore: Address clippy lints * feat: call synthesize in `MockProver` multiple times to behave same as real prover * feat: check advice assignment consistency between different phases * fix: Support annotations for CellNotAssigned in verify_par (privacy-scaling-explorations#138) * feat: Add `assert_satisfied_at_rows_par` variant (privacy-scaling-explorations#139) Resolves: privacy-scaling-explorations#133 * Expose mod `permutation` and re-export `permutation::keygen::Assembly` (privacy-scaling-explorations#149) * feat: expose mod ule `permutation` and re-export `permutation::keygen::Assembly` * feat: derive `lone` for `permutation::keygen::Assembly` * feat: bump MSRV for `inferno` * feat(MockProver): replace errors by asserts In MockProver, replace all code that returns an error by an assert that panics instead of returning the error. This change aims to make it easier to debug circuit code bugs by getting backtraces. * MockProver test utililities (privacy-scaling-explorations#153) * test/unwrap_value: escape Value safety in the dev module * test/mock-prover-values: MockProver exposes the generated columns to tests * test/mock-prover-values: doc * mockprover-util: remove unwrap_value --------- Co-authored-by: Aurélien Nicolas <[email protected]> * feat: Parallel random blinder poly impl (privacy-scaling-explorations#152) * feat: Parallelize `commit` blinder poly generator method Solves the concerns raised in privacy-scaling-explorations#151 related to the performance of the random poly generator inside of `commit`. Resolves: privacy-scaling-explorations#151 * chore: add `from_evals` for Polynomial * chore: add benches for commit_zk serial vs par * fix: Correct thread_seeds iter size * fix: Clippy * chore: apply review suggestions * fix: Inconsisten num of Scalars generated parallely This fix from @ed255 fixes an error on the code proposal which was rounding the num of Scalars to be generated and so, was producing failures. Co-authored-by: Edu <[email protected]> * remove: legacy comments & code --------- Co-authored-by: Edu <[email protected]> * change: Migrate workspace to pasta_curves-0.5 (privacy-scaling-explorations#157) * change: Migrate workspace to pasta_curves-0.5 This ports the majority of the workspace to the `pasta_curves-0.5.0` leaving some tricky edge-cases that we need to handle carefully. Resolves: privacy-scaling-explorations#132 * fix: Complete latest trait bounds to compile halo2proofs * change: Migrate examples & benches to pasta 0.5 * change: Migrate halo2_gadgets to pasta-0.5 * change: Update gadgets outdated code with latest upstream * fix: Sha3 gadget circuit * fix: doc tests * chore: Update merged main * fix: Apply review suggestions * fix: pin `halo2curves` version to `0.3.2` * Extend Circuit trait to take parameters in config (privacy-scaling-explorations#168) * Extend Circuit trait to take parameters in config The Circuit trait is extended with the following: ``` pub trait Circuit<F: Field> { /// [...] type Params: Default; fn params(&self) -> Self::Params { Self::Params::default() } fn configure_with_params(meta: &mut ConstraintSystem<F>, params: &Self::Params) -> Self::Config { Self::configure(meta) } fn configure(meta: &mut ConstraintSystem<F>) -> Self::Config; } ``` This allows runtime parametrization of the circuit configuration. The extension to the Circuit trait has been designed to minimize the breaking change: existing circuits only need to define the associated `type Params`. Unfortunately "Associated type defaults" are unstable in Rust, otherwise this would be a non-breaking change. See rust-lang/rust#29661 * Implement circuit params under feature flag * Don't overwrite configure method * Fix doc test * Allow halo2 constraint names to have non static names (privacy-scaling-explorations#156) * static ref to String type in Gates, Constraints, VirtualCell, Argument * 'lookup'.to_string() * return &str for gate name and constriant_name, also run fmt * Update halo2_gadgets/Cargo.toml Co-authored-by: Han <[email protected]> * upgrade rust-toochain --------- Co-authored-by: Carlos Pérez <[email protected]> Co-authored-by: Han <[email protected]> * Improve halo2 query calls (privacy-scaling-explorations#154) * return expression from cell * add example * selector * recurse Expression to fill in index * minimized changes from the original * backword compatible meta.query_X & challange.expr() * cargo fmt * fixed lookup to pass all tests * Update comments Co-authored-by: Brecht Devos <[email protected]> * Update comments Co-authored-by: Brecht Devos <[email protected]> * Update comments Co-authored-by: Brecht Devos <[email protected]> * Update comments Co-authored-by: Brecht Devos <[email protected]> * Update comments Co-authored-by: Brecht Devos <[email protected]> * Update comments Co-authored-by: Brecht Devos <[email protected]> * update Co-authored-by: Brecht Devos <[email protected]> * add primitives.rs back * remove example2 * backward compatible meta.query_X & Column.cur(), next(), prev(), at(usize) * impl Debug & make side effects only when query.index.is_none() * change impl Debug for Expression instead & revert test in plonk_api * upgrade rust-toolchain * Update halo2_proofs/src/plonk/circuit.rs Co-authored-by: Han <[email protected]> * Update halo2_proofs/src/plonk/circuit.rs Co-authored-by: Han <[email protected]> * ran clippy * Update halo2_proofs/src/plonk/circuit.rs Co-authored-by: Han <[email protected]> --------- Co-authored-by: Brecht Devos <[email protected]> Co-authored-by: Han <[email protected]> * fix: compute `num_chunks` more precisely (privacy-scaling-explorations#172) * Implement Clone trait for Hash, Absorbing, and Sponge structs (privacy-scaling-explorations#171) * Revert double-assignment mock prover check Revert the check introduced in privacy-scaling-explorations#129 to detect double assignments with different values, because it breaks some tests in the zkevm project. There's a legitimate use case of double assignment with different values, which is overwriting cells in order to perform negative tests (tests with bad witness that should not pass the constraints). Also in the EVM Circuit from the zkevm project we "abuse" the assignment of cells as a cache: sometimes we assign some cells with a guess value, and later on we reassign with the correct value. I believe this check is interesting to have, so we could think of ways to add it back as an optional feature. * fix: Fix serialization for VerifyingKey (privacy-scaling-explorations#178) Now the value returned when the number of selectors is a multiple of 8 is correct. Resolves: privacy-scaling-explorations#175 * Add more getters to expose internal fields * add a constructor (privacy-scaling-explorations#164) * add a constructor * add more comment * fix as review * remove clone * remove * no need to use new variable * change comment * fix clippy * rename to from_parts * remove n declaration * feat: send sync region (privacy-scaling-explorations#180) * feat: send / sync region * Update layout.rs * update * lol * debug * Update keygen.rs * Update keygen.rs * Update keygen.rs * Update keygen.rs * thread-safe-region feature flag * cleanup * patch dev-graph * patch non-determinism in mapping creation * reduce mem usage for vk and pk * mock proving examples * swap for hashmap for insertion speed * reduce update overhead * replace BTree with Vec * add benchmarks * make the benchmarks massive * patch clippy * simplify lifetimes * patch benches * Update halo2_proofs/src/plonk/permutation/keygen.rs Co-authored-by: Han <[email protected]> * Update halo2_proofs/examples/vector-mul.rs Co-authored-by: Han <[email protected]> * rm benches * order once * patch lints --------- Co-authored-by: Han <[email protected]> * Fix `parallelize` workload imbalance (privacy-scaling-explorations#186) * fix parallelize workload imbalance * remove the need of unsafe * implement native shuffle argument and api * fix: remove nonsense comment * strictly check shuffle rows * address doc typos * move compression into product commitment * typo * add shuffle errors for `verify_at_rows_par` * dedup expression evaluation * cargo fmt * fix fields in sanity-checks feature * Updates halo2_curves dependency to released package (privacy-scaling-explorations#190) THe package release ressets the version from those inherited by the legacy halo2curves repo's fork history. The upstream diff is: https://github.com/privacy-scaling-explorations/halo2curves/compare/9f5c50810bbefe779ee5cf1d852b2fe85dc35d5e..9a7f726fa74c8765bc7cdab11519cf285d169ecf * chore: remove monorepo Go back to having halo2curves and poseidon in separate repos. * chore: fix clippy and tests * fix: remove thread-safe-regions feature `WitnessCollection` in `create_proof` isn't thread-safe. We removed `Region`s from `SimpleLayouter` anyways. * fix: rustfmt * fix: dev-graph * chore: update lint CI name * chore: fix clippy * chore: autoexample = false turn off examples that use layouter * chore(CI): separate job for examples * chore: remove prefetch from asm, not used * chore: fix asm feature --------- Co-authored-by: adria0 <nowhere@> Co-authored-by: Carlos Pérez <[email protected]> Co-authored-by: adria0.eth <[email protected]> Co-authored-by: Jonathan Wang <[email protected]> Co-authored-by: kilic <[email protected]> Co-authored-by: dante <[email protected]> Co-authored-by: pinkiebell <[email protected]> Co-authored-by: han0110 <[email protected]> Co-authored-by: Eduard S <[email protected]> Co-authored-by: naure <[email protected]> Co-authored-by: Aurélien Nicolas <[email protected]> Co-authored-by: CeciliaZ030 <[email protected]> Co-authored-by: Brecht Devos <[email protected]> Co-authored-by: Enrico Bottazzi <[email protected]> Co-authored-by: Ethan-000 <[email protected]> Co-authored-by: Mamy Ratsimbazafy <[email protected]> Co-authored-by: kilic <[email protected]> Co-authored-by: François Garillot <[email protected]>
iquerejeta
pushed a commit
to input-output-hk/halo2
that referenced
this issue
May 8, 2024
…-hk/dev-feature/explain-negc Explain the use of `c` instead of `neg_c`
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
halo2/halo2_proofs/src/plonk/vanishing/prover.rs
Line 51 in 9e6d1b7
When
k > 20or so, this single-threaded generation of a random polynomial is actually quite slow and can even dominate the proving cost(!). If zero-knowledge is not necessary, then you can simply set the polynomial to1, 0, 0, ...(note0, 0, ...makes the commitment the identity point, which sometimes causes trouble).When zero-knowledge is needed, you can still parallelize this generation using
parallelizeandpar_iter_mutbut I think it might require some care around what properties you want the random number generator to have. You can't pass&mutbetween threads. I previously just addedSend + Cloneto theRtrait, but I thinkrng.clone()is not good practice between threads? If you use a specific rng such asStdRngthen you can either seed it usingthread_rngper thread or useset_stream.I did not have strong opinions about how to proceed, so just leaving this here as a PSA for now.
The text was updated successfully, but these errors were encountered: