feat: mv_lookup module

halo2_proofs/Cargo.toml

@@ -47,6 +47,11 @@ harness = false
 name = "fft"
 harness = false
 
+[[bench]]
+name = "lookups"
+harness = false
+
+
 [dependencies]
 backtrace = { version = "0.3", optional = true }
 rayon = "1.5.1"
@@ -62,6 +67,8 @@ rand_chacha = "0.3"
 # Developer tooling dependencies
 plotters = { version = "0.3.0", optional = true }
 tabbycat = { version = "0.1", features = ["attributes"], optional = true }
+lazy_static = { version = "1", optional = true }
+
 
 [dev-dependencies]
 assert_matches = "1.5"
@@ -81,6 +88,8 @@ thread-safe-region = []
 sanity-checks = []
 batch = ["rand_core/getrandom"]
 circuit-params = []
+counter = ["lazy_static"]
+
 
 [lib]
 bench = false

halo2_proofs/benches/lookups.rs

@@ -0,0 +1,241 @@
+#[macro_use]
+extern crate criterion;
+
+use ff::PrimeField;
+use halo2_proofs::circuit::{Layouter, SimpleFloorPlanner, Value};
+use halo2_proofs::plonk::*;
+use halo2_proofs::poly::kzg::multiopen::VerifierGWC;
+use halo2_proofs::poly::{commitment::ParamsProver, Rotation};
+use halo2_proofs::transcript::{Blake2bRead, Blake2bWrite, Challenge255};
+use halo2curves::bn256::{Bn256, G1Affine};
+use halo2curves::pairing::Engine;
+use rand_core::OsRng;
+
+use halo2_proofs::{
+    poly::kzg::{
+        commitment::{KZGCommitmentScheme, ParamsKZG},
+        multiopen::ProverGWC,
+        strategy::SingleStrategy,
+    },
+    transcript::{TranscriptReadBuffer, TranscriptWriterBuffer},
+};
+
+use std::marker::PhantomData;
+
+use criterion::{BenchmarkId, Criterion};
+
+fn criterion_benchmark(c: &mut Criterion) {
+    #[derive(Clone, Default)]
+    struct MyCircuit<F: PrimeField> {
+        _marker: PhantomData<F>,
+    }
+
+    #[derive(Clone)]
+    struct MyConfig {
+        selector: Selector,
+        table: TableColumn,
+        advice: Column<Advice>,
+        other_advice: Column<Advice>,
+    }
+
+    impl<F: PrimeField> Circuit<F> for MyCircuit<F> {
+        type Config = MyConfig;
+        type FloorPlanner = SimpleFloorPlanner;
+        #[cfg(feature = "circuit-params")]
+        type Params = ();
+
+        fn without_witnesses(&self) -> Self {
+            Self::default()
+        }
+
+        fn configure(meta: &mut ConstraintSystem<F>) -> MyConfig {
+            let config = MyConfig {
+                selector: meta.complex_selector(),
+                table: meta.lookup_table_column(),
+                advice: meta.advice_column(),
+                other_advice: meta.advice_column(),
+            };
+
+            let dummy_selector = meta.complex_selector();
+
+            meta.create_gate("degree 6 gate", |meta| {
+                let dummy_selector = meta.query_selector(dummy_selector);
+                let constraints = vec![dummy_selector.clone(); 4]
+                    .iter()
+                    .fold(dummy_selector.clone(), |acc, val| acc * val.clone());
+                Constraints::with_selector(dummy_selector, Some(constraints))
+            });
+
+            meta.lookup("lookup", |meta| {
+                let advice = meta.query_advice(config.advice, Rotation::cur());
+                vec![(advice, config.table)]
+            });
+
+            meta.lookup("lookup", |meta| {
+                let advice = meta.query_advice(config.advice, Rotation::cur());
+                vec![(advice, config.table)]
+            });
+
+            meta.lookup("lookup", |meta| {
+                let advice = meta.query_advice(config.advice, Rotation::cur());
+                vec![(advice, config.table)]
+            });
+
+            meta.lookup("lookup", |meta| {
+                let advice = meta.query_advice(config.advice, Rotation::cur());
+                vec![(advice, config.table)]
+            });
+
+            meta.lookup("lookup", |meta| {
+                let advice = meta.query_advice(config.advice, Rotation::cur());
+                vec![(advice, config.table)]
+            });
+
+            /*
+                - We need degree at least 6 because 6 - 1 = 5 and we need to go to extended domain of 8n
+                - Our goal is to get to max degree of 9 because now 9 - 1 = 8 and that will fit into domain
+
+                - base degree = table_deg + 2
+                - if we put input_expression_degree = 1
+                => degree = base + 1 = 3 + 1 = 4
+                - we can batch one more with 5 more lookups
+            */
+
+            config
+        }
+
+        fn synthesize(
+            &self,
+            config: MyConfig,
+            mut layouter: impl Layouter<F>,
+        ) -> Result<(), Error> {
+            layouter.assign_table(
+                || "8-bit table",
+                |mut table| {
+                    for row in 0u64..(1 << 8) {
+                        table.assign_cell(
+                            || format!("row {}", row),
+                            config.table,
+                            row as usize,
+                            || Value::known(F::from(row)),
+                        )?;
+                    }
+
+                    Ok(())
+                },
+            )?;
+
+            layouter.assign_region(
+                || "assign values",
+                |mut region| {
+                    for offset in 0u64..(1 << 10) {
+                        config.selector.enable(&mut region, offset as usize)?;
+                        region.assign_advice(
+                            || format!("offset {}", offset),
+                            config.advice,
+                            offset as usize,
+                            || Value::known(F::from(offset % 256)),
+                        )?;
+                    }
+                    for offset in 1u64..(1 << 10) {
+                        config.selector.enable(&mut region, offset as usize)?;
+                        region.assign_advice(
+                            || format!("offset {}", offset),
+                            config.other_advice,
+                            offset as usize - 1,
+                            || Value::known(F::from(offset % 256)),
+                        )?;
+                    }
+                    Ok(())
+                },
+            )
+        }
+    }
+
+    fn keygen(k: u32) -> (ParamsKZG<Bn256>, ProvingKey<G1Affine>) {
+        let params: ParamsKZG<Bn256> = ParamsKZG::new(k);
+        let empty_circuit: MyCircuit<<Bn256 as Engine>::Scalar> = MyCircuit {
+            _marker: PhantomData,
+        };
+        let vk = keygen_vk(&params, &empty_circuit).expect("keygen_vk should not fail");
+        let pk = keygen_pk(&params, vk, &empty_circuit).expect("keygen_pk should not fail");
+        (params, pk)
+    }
+
+    fn prover(_k: u32, params: &ParamsKZG<Bn256>, pk: &ProvingKey<G1Affine>) -> Vec<u8> {
+        let rng = OsRng;
+
+        let circuit: MyCircuit<<Bn256 as Engine>::Scalar> = MyCircuit {
+            _marker: PhantomData,
+        };
+
+        let mut transcript = Blake2bWrite::<_, _, Challenge255<G1Affine>>::init(vec![]);
+        create_proof::<KZGCommitmentScheme<Bn256>, ProverGWC<'_, Bn256>, _, _, _, _>(
+            params,
+            pk,
+            &[circuit],
+            &[&[]],
+            rng,
+            &mut transcript,
+        )
+        .expect("proof generation should not fail");
+        transcript.finalize()
+    }
+
+    fn verifier(params: &ParamsKZG<Bn256>, vk: &VerifyingKey<G1Affine>, proof: &[u8]) {
+        let strategy = SingleStrategy::new(params);
+        let mut transcript = Blake2bRead::<_, _, Challenge255<G1Affine>>::init(proof);
+        assert!(verify_proof::<
+            KZGCommitmentScheme<Bn256>,
+            VerifierGWC<'_, Bn256>,
+            Challenge255<G1Affine>,
+            Blake2bRead<&[u8], G1Affine, Challenge255<G1Affine>>,
+            SingleStrategy<'_, Bn256>,
+        >(params, vk, strategy, &[&[]], &mut transcript)
+        .is_ok());
+    }
+
+    let k_range = 16..=16;
+
+    let mut keygen_group = c.benchmark_group("plonk-keygen");
+    keygen_group.sample_size(10);
+    for k in k_range.clone() {
+        keygen_group.bench_with_input(BenchmarkId::from_parameter(k), &k, |b, &k| {
+            b.iter(|| keygen(k));
+        });
+    }
+    keygen_group.finish();
+
+    let mut prover_group = c.benchmark_group("plonk-prover");
+    prover_group.sample_size(10);
+    for k in k_range.clone() {
+        let (params, pk) = keygen(k);
+
+        prover_group.bench_with_input(
+            BenchmarkId::from_parameter(k),
+            &(k, &params, &pk),
+            |b, &(k, params, pk)| {
+                b.iter(|| prover(k, params, pk));
+            },
+        );
+    }
+    prover_group.finish();
+
+    let mut verifier_group = c.benchmark_group("plonk-verifier");
+    for k in k_range {
+        let (params, pk) = keygen(k);
+        let proof = prover(k, &params, &pk);
+
+        verifier_group.bench_with_input(
+            BenchmarkId::from_parameter(k),
+            &(&params, pk.get_vk(), &proof[..]),
+            |b, &(params, vk, proof)| {
+                b.iter(|| verifier(params, vk, proof));
+            },
+        );
+    }
+    verifier_group.finish();
+}
+
+criterion_group!(benches, criterion_benchmark);
+criterion_main!(benches);

halo2_proofs/src/arithmetic.rs

@@ -145,6 +145,17 @@ pub fn small_multiexp<C: CurveAffine>(coeffs: &[C::Scalar], bases: &[C]) -> C::C
 ///
 /// This will use multithreading if beneficial.
 pub fn best_multiexp<C: CurveAffine>(coeffs: &[C::Scalar], bases: &[C]) -> C::Curve {
+    #[cfg(feature = "counter")]
+    {
+        use crate::MSM_COUNTER;
+        *MSM_COUNTER
+            .lock()
+            .unwrap()
+            .entry(coeffs.len())
+            .and_modify(|cnt| *cnt += 1)
+            .or_insert(1);
+    }
+
     assert_eq!(coeffs.len(), bases.len());
 
     let num_threads = multicore::current_num_threads();
@@ -184,6 +195,17 @@ pub fn best_multiexp<C: CurveAffine>(coeffs: &[C::Scalar], bases: &[C]) -> C::Cu
 ///
 /// This will use multithreading if beneficial.
 pub fn best_fft<Scalar: Field, G: FftGroup<Scalar>>(a: &mut [G], omega: Scalar, log_n: u32) {
+    #[cfg(feature = "counter")]
+    {
+        use crate::FFT_COUNTER;
+        *FFT_COUNTER
+            .lock()
+            .unwrap()
+            .entry(a.len())
+            .and_modify(|cnt| *cnt += 1)
+            .or_insert(1);
+    }
+
     fn bitreverse(mut n: usize, l: usize) -> usize {
         let mut r = 0;
         for _ in 0..l {
@@ -195,7 +217,7 @@ pub fn best_fft<Scalar: Field, G: FftGroup<Scalar>>(a: &mut [G], omega: Scalar,
 
     let threads = multicore::current_num_threads();
     let log_threads = log2_floor(threads);
-    let n = a.len();
+    let n = a.len() as usize;
     assert_eq!(n, 1 << log_n);
 
     for k in 0..n {
@@ -206,7 +228,7 @@ pub fn best_fft<Scalar: Field, G: FftGroup<Scalar>>(a: &mut [G], omega: Scalar,
     }
 
     // precompute twiddle factors
-    let twiddles: Vec<_> = (0..(n / 2))
+    let twiddles: Vec<_> = (0..(n / 2) as usize)
         .scan(Scalar::ONE, |w, _| {
             let tw = *w;
             *w *= &omega;
@@ -216,7 +238,7 @@ pub fn best_fft<Scalar: Field, G: FftGroup<Scalar>>(a: &mut [G], omega: Scalar,
 
     if log_n <= log_threads {
         let mut chunk = 2_usize;
-        let mut twiddle_chunk = n / 2;
+        let mut twiddle_chunk = (n / 2) as usize;
         for _ in 0..log_n {
             a.chunks_mut(chunk).for_each(|coeffs| {
                 let (left, right) = coeffs.split_at_mut(chunk / 2);
@@ -290,7 +312,7 @@ pub fn recursive_butterfly_arithmetic<Scalar: Field, G: FftGroup<Scalar>>(
 
 /// Convert coefficient bases group elements to lagrange basis by inverse FFT.
 pub fn g_to_lagrange<C: CurveAffine>(g_projective: Vec<C::Curve>, k: u32) -> Vec<C> {
-    let n_inv = C::Scalar::TWO_INV.pow_vartime([k as u64, 0, 0, 0]);
+    let n_inv = C::Scalar::TWO_INV.pow_vartime(&[k as u64, 0, 0, 0]);
     let mut omega_inv = C::Scalar::ROOT_OF_UNITY_INV;
     for _ in k..C::Scalar::S {
         omega_inv = omega_inv.square();
@@ -335,7 +357,7 @@ pub fn eval_polynomial<F: Field>(poly: &[F], point: F) -> F {
             {
                 scope.spawn(move |_| {
                     let start = chunk_idx * chunk_size;
-                    out[0] = evaluate(poly, point) * point.pow_vartime([start as u64, 0, 0, 0]);
+                    out[0] = evaluate(poly, point) * point.pow_vartime(&[start as u64, 0, 0, 0]);
                 });
             }
         });