einar/pr/extended.jacobian.coordinates

[einar-taiko]

This resolves taikoxyz/zkevm-circuits#121

To measure the performance impact:

cd /tmp
git clone https://github.com/einar-taiko/halo2curves.git
cd halo2curves
git checkout b09144e
cargo bench multiexp
git checkout einar/pr/extended.jacobian.coordinates
cargo bench multiexp

[mratsim]

I get even less improvement than previously reported which is quite strange

git clone https://github.com/taikoxyz/halo2curves taiko-halo2curves
cd taiko-halo2curves/
git fetch origin pull/1/head
git checkout 9692b29
cargo bench multiexp
git checkout -b review-pr1 FETCH_HEAD
cargo bench multiexp

[mratsim]

Is the plan to remove this after the review? This duplicates halo2_proofs https://github.com/privacy-scaling-explorations/halo2/blob/f3487575f00e627705fcb7778d7d1049eed79601/halo2_proofs/src/arithmetic.rs#L28-L174

[mratsim]

The EC implementation is correct with a small issue on inline usage that will lead to code explosion.

The multiexp implementation should be done by just modifying the buckets accumulation scheme in https://github.com/privacy-scaling-explorations/halo2/blob/f3487575f00e627705fcb7778d7d1049eed79601/halo2_proofs/src/arithmetic.rs#L67-L71

Also, there are 2 passes over the coeffs+base instead of 1 in this PR which should explain most of the slowness compared to theoretical (15%) and conservative estimate (10% speedup).

[mratsim]

Is it from affine to homogeneous or from affine to Jacobian?

This seems to contradict the comment above

[einar-taiko]

Agreed. I added the comment because I found it confusing too, since $name refers to homogeneous coordinates and $name_affine to affine coordinates. Alternatively, I can remove the first comment, since non-extended Jacobian coordinates should be gone anyway.

[mratsim]

a is always equal to 0 for pairing curves (those needed for Snarks) and it's also equal to 0 for secp256k1.

If Rust provides compile time evaluation, it would be extremely useful to specialize for a == 0

[mratsim]

At the very least a comment is needed to point out an future easy optimization opportunity

[einar-taiko]

a is always equal to 0 for pairing curves (those needed for Snarks) and it's also equal to 0 for secp256k1.

If Rust provides compile time evaluation, it would be extremely useful to specialize for a == 0

I have changed it to:

// curve constants
const A: $base = $name_jac_ext::curve_constant_a();

This should enforce compile time evaluation and hopefully imply that

let m = (x1_sqr.double()+x1_sqr) + A*zz1.square();

gets optimized to

let m = (x1_sqr.double()+x1_sqr) 

for the curves where $a=0$. But I am currently not sure how to verify this.

[mratsim]

You should use if A == 0 and if A != 0.

The multiplication and addition operations are pure assembly and will not be optimized away.

[einar-taiko]

We can make it that way, no problem, but I politely remain skeptical of the argument. When the value is known to be 0 at compile time, like in our case, the assembly will indeed be optimized away. I tested it with -opt-level=2 here https://godbolt.org/z/4Gr41o8Kr

[einar-taiko]

We can make it that way, no problem, but I politely remain skeptical of the argument. When the value is known to be 0 at compile time, like in our case, the assembly will indeed be optimized away. I tested it with -opt-level=2 here https://godbolt.org/z/4Gr41o8Kr

I realise that * is overloaded for field arithmetic, so my argument may or may not be applicable.

[mratsim]

with a = 0, a*zz1.square() can be skipped

[einar-taiko]

I tried commenting out the last term and then ran cargo test. All tests pass.

I put in a debug_assert_eq!(a, 0);, so if we can catch future curves where a != 0.

[mratsim]

#[inline] is likely not worth it here. Especially because the underlying field operations are already inline so it will lead to code size explosion:

halo2curves/src/bn256/assembly.rs

Lines 11 to 12 in 2264867

	#[inline]
	pub fn double(&self) -> $field {

[einar-taiko]

Okay. I will remove it from the add as well then.

[mratsim]

Only the inner buckets result should be collected in Extended Jacobian.

Extended Jacobian mixed addition is faster than projective, but for plain addition, projective is faster.

[mratsim]

So the signature of best_multiexp should stay with projective coordinates

[mratsim]

To measure perf of this PR without multithreading interference, a serial benchmark is needed as well.

[mratsim]

similarly, the signature of multiexp_serial should stay homogeneous projective

[mratsim]

The map and for are inefficient, you loop twice over the data.

You should loop over the coeff+base and directly mutate/add_assign in the matching bucket

[mratsim]

The final reduction should use projective coordinates (and explicitly convert the bucket sum to projective)

[mratsim]

Note on our discussion on constant_a, some more changes upstream privacy-ethereum#82.