perf: ATE_LOOP_COUNT hamming weight reduced from 26 to 22 #852

Merged
merged 2 commits into from
Aug 27, 2024

Conversation

FatihSolak
Contributor

Description

ATE_LOOP_COUNT in the BN254 curve has been updated, so the new version has a Hamming weight of 22, while the previous one had 26.


@FatihSolak FatihSolak requested review from a team as code owners August 23, 2024 11:53
@FatihSolak FatihSolak requested review from z-tech, Pratyush and mmagician and removed request for a team August 23, 2024 11:53
@Pratyush
Member

Thank you for the PR! Could you add a test showing that the two miller loops are equivalent, or some other justification of how you were able to reduce the hamming weight? Thank you!

@Hakkush-07

Hi, we noticed the current ATE_LOOP_COUNT in the BN254 curve is not in NAF form since it has consecutive non-zero elements in a few places. It has 26 non-zero elements and its length is 65.
[0, 0, 0, 1, 0, 1, 0, -1, 0, 0, 1, -1, 0, 0, 1, 0, 0, 1, 1, 0, -1, 0, 0, 1, 0, -1, 0, 0, 0, 0, 1, 1, 1, 0, 0, -1, 0, 0, 1, 0, 0, 0, 0, 0, -1, 0, 0, 1, 1, 0, 0, -1, 0, 0, 0, 1, 1, 0, -1, 0, 0, 1, 0, 1, 1]

This, however, is still a signed-digit representation of the correct value $6x+2=29793968203157093288$, but not the most efficient form, which is NAF. Its being in this form does not affect the correctness of calculations, but a lower Hamming weight is better. Applying the algorithm on Wikipedia gives the following result:
[0, 0, 0, 1, 0, 1, 0, -1, 0, 0, -1, 0, 0, 0, 1, 0, 0, -1, 0, -1, 0, 0, 0, 1, 0, -1, 0, 0, 0, 0, -1, 0, 0, 1, 0, -1, 0, 0, 1, 0, 0, 0, 0, 0, -1, 0, 0, -1, 0, 1, 0, -1, 0, 0, 0, -1, 0, -1, 0, 0, 0, 1, 0, -1, 0, 1]

This version has Hamming weight 22 but has length 66. However, the last 3 bits in this representation (..., -1, 0, 1) are equivalent to the last 2 bits of the current version (..., 1, 1). That is because
$(-1)\cdot 2^k+(0)\cdot 2^{k+1}+(1)\cdot 2^{k+2}=(1)\cdot 2^k+(1)\cdot 2^{k+1}$
Utilizing that equivalence, we arrive at the following representation with a Hamming weight of 22 and a length of 65:
[0, 0, 0, 1, 0, 1, 0, -1, 0, 0, -1, 0, 0, 0, 1, 0, 0, -1, 0, -1, 0, 0, 0, 1, 0, -1, 0, 0, 0, 0, -1, 0, 0, 1, 0, -1, 0, 0, 1, 0, 0, 0, 0, 0, -1, 0, 0, -1, 0, 1, 0, -1, 0, 0, 0, -1, 0, -1, 0, 0, 0, 1, 0, 1, 1]

@Hakkush-07

Also, both of them passing the following assert would mean they are equivalent.
assert sum([e * 2**i for i, e in enumerate(ATE_LOOP_COUNT)]) == 29793968203157093288
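
A regression check for the constants discussed in this thread, as an added example that is not part of the PR or the arkworks code base: it recomputes the NAF of $6x+2$, applies the top-digit rewrite described above, and rejects any array that does not encode the target value. The digit arrays are copied from the comments above; all function names are illustrative.

```python
# Added example; digit arrays are copied from the PR thread, function names are illustrative.
TARGET = 29793968203157093288  # 6x + 2 for BN254, as quoted in the thread

# Little-endian signed digits: OLD is the previous ATE_LOOP_COUNT, NEW the proposed one.
OLD = [0, 0, 0, 1, 0, 1, 0, -1, 0, 0, 1, -1, 0, 0, 1, 0, 0, 1, 1, 0, -1, 0, 0, 1, 0, -1, 0, 0, 0, 0, 1, 1, 1, 0, 0, -1, 0, 0, 1, 0, 0, 0, 0, 0, -1, 0, 0, 1, 1, 0, 0, -1, 0, 0, 0, 1, 1, 0, -1, 0, 0, 1, 0, 1, 1]
NEW = [0, 0, 0, 1, 0, 1, 0, -1, 0, 0, -1, 0, 0, 0, 1, 0, 0, -1, 0, -1, 0, 0, 0, 1, 0, -1, 0, 0, 0, 0, -1, 0, 0, 1, 0, -1, 0, 0, 1, 0, 0, 0, 0, 0, -1, 0, 0, -1, 0, 1, 0, -1, 0, 0, 0, -1, 0, -1, 0, 0, 0, 1, 0, 1, 1]

def evaluate(digits):
    """Integer encoded by little-endian signed digits."""
    return sum(d * (1 << i) for i, d in enumerate(digits))

def hamming_weight(digits):
    """Number of non-zero digits."""
    return sum(1 for d in digits if d != 0)

def is_naf(digits):
    """True if every digit is in {-1, 0, 1} and no two adjacent digits are non-zero."""
    ok_digits = all(d in (-1, 0, 1) for d in digits)
    return ok_digits and all(a == 0 or b == 0 for a, b in zip(digits, digits[1:]))

def naf(n):
    """Non-adjacent form of n > 0, least significant digit first."""
    digits = []
    while n > 0:
        d = 2 - (n & 3) if n & 1 else 0  # +1 if n = 1 mod 4, -1 if n = 3 mod 4
        digits.append(d)
        n = (n - d) >> 1
    return digits

def fold_top(digits):
    """Rewrite a trailing (-1, 0, 1) as (1, 1): -2^k + 2^(k+2) == 2^k + 2^(k+1)."""
    return digits[:-3] + [1, 1] if digits[-3:] == [-1, 0, 1] else list(digits)

def check_loop_count(digits, target=TARGET):
    """Return (length, Hamming weight); raise if digits do not encode target."""
    if any(d not in (-1, 0, 1) for d in digits):
        raise ValueError("digit outside {-1, 0, 1}")
    if evaluate(digits) != target:
        raise ValueError("digits do not encode the target value")
    return len(digits), hamming_weight(digits)

if __name__ == "__main__":
    print("old:", check_loop_count(OLD))
    print("new:", check_loop_count(NEW))
    print("naf:", check_loop_count(naf(TARGET)), "folded == NEW:", fold_top(naf(TARGET)) == NEW)
```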

@Pratyush
Member

Great, thank you!

@Pratyush Pratyush added this pull request to the merge queue Aug 27, 2024
Merged via the queue into arkworks-rs:master with commit b33df5c Aug 27, 2024
37 checks passed
3 participants