diff --git a/halo2_backend/src/plonk/keygen.rs b/halo2_backend/src/plonk/keygen.rs index 067434a4d6..7d38f7a914 100644 --- a/halo2_backend/src/plonk/keygen.rs +++ b/halo2_backend/src/plonk/keygen.rs @@ -64,20 +64,23 @@ where )? .build_vk(params, &domain, &cs.permutation); - let fixed_commitments = circuit - .preprocessing - .fixed - .iter() - .map(|poly| { - params - .commit_lagrange( + let fixed_commitments = { + let fixed_commitments_projective: Vec = circuit + .preprocessing + .fixed + .iter() + .map(|poly| { + params.commit_lagrange( &H2cEngine::new(), &Polynomial::new_lagrange_from_vec(poly.clone()), Blind::default(), ) - .to_affine() - }) - .collect(); + }) + .collect(); + let mut fixed_commitments = vec![C::identity(); fixed_commitments_projective.len()]; + C::CurveExt::batch_normalize(&fixed_commitments_projective, &mut fixed_commitments); + fixed_commitments + }; Ok(VerifyingKey::from_parts( domain, diff --git a/halo2_backend/src/plonk/lookup/prover.rs b/halo2_backend/src/plonk/lookup/prover.rs index 149c23c361..ceafd1a37a 100644 --- a/halo2_backend/src/plonk/lookup/prover.rs +++ b/halo2_backend/src/plonk/lookup/prover.rs @@ -130,20 +130,30 @@ where let mut commit_values = |values: &Polynomial| { let poly = pk.vk.domain.lagrange_to_coeff(values.clone()); let blind = Blind(C::Scalar::random(&mut rng)); - let commitment = params - .commit_lagrange(&engine.msm_backend, values, blind) - .to_affine(); + let commitment = params.commit_lagrange(&engine.msm_backend, values, blind); (poly, blind, commitment) }; // Commit to permuted input expression - let (permuted_input_poly, permuted_input_blind, permuted_input_commitment) = + let (permuted_input_poly, permuted_input_blind, permuted_input_commitment_projective) = commit_values(&permuted_input_expression); // Commit to permuted table expression - let (permuted_table_poly, permuted_table_blind, permuted_table_commitment) = + let (permuted_table_poly, permuted_table_blind, permuted_table_commitment_projective) = commit_values(&permuted_table_expression); + let [permuted_input_commitment, permuted_table_commitment] = { + let mut affines = [C::identity(); 2]; + C::CurveExt::batch_normalize( + &[ + permuted_input_commitment_projective, + permuted_table_commitment_projective, + ], + &mut affines, + ); + affines + }; + // Hash permuted input commitment transcript.write_point(permuted_input_commitment)?; diff --git a/halo2_backend/src/plonk/permutation/keygen.rs b/halo2_backend/src/plonk/permutation/keygen.rs index 6a09946fe2..e0bc0319d0 100644 --- a/halo2_backend/src/plonk/permutation/keygen.rs +++ b/halo2_backend/src/plonk/permutation/keygen.rs @@ -261,15 +261,20 @@ pub(crate) fn build_vk<'params, C: CurveAffine, P: Params<'params, C>>( } // Pre-compute commitments for the URS. - let mut commitments = Vec::with_capacity(p.columns.len()); - for permutation in &permutations { - // Compute commitment to permutation polynomial - commitments.push( - params - .commit_lagrange(&H2cEngine::new(), permutation, Blind::default()) - .to_affine(), - ); - } + let commitments = { + let mut commitments_projective = Vec::with_capacity(p.columns.len()); + for permutation in &permutations { + // Compute commitment to permutation polynomial + commitments_projective.push(params.commit_lagrange( + &H2cEngine::new(), + permutation, + Blind::default(), + )); + } + let mut commitments = vec![C::identity(); p.columns.len()]; + C::CurveExt::batch_normalize(&commitments_projective, &mut commitments); + commitments + }; VerifyingKey { commitments } } diff --git a/halo2_backend/src/plonk/permutation/prover.rs b/halo2_backend/src/plonk/permutation/prover.rs index 91e14919c5..5aa577b680 100644 --- a/halo2_backend/src/plonk/permutation/prover.rs +++ b/halo2_backend/src/plonk/permutation/prover.rs @@ -174,15 +174,14 @@ pub(in crate::plonk) fn permutation_commit< let blind = Blind(C::Scalar::random(&mut rng)); - let permutation_product_commitment_projective = - params.commit_lagrange(&engine.msm_backend, &z, blind); + let permutation_product_commitment = params + .commit_lagrange(&engine.msm_backend, &z, blind) + .to_affine(); let permutation_product_blind = blind; let z = domain.lagrange_to_coeff(z); let permutation_product_poly = z.clone(); - let permutation_product_coset = domain.coeff_to_extended(z.clone()); - - let permutation_product_commitment = permutation_product_commitment_projective.to_affine(); + let permutation_product_coset = domain.coeff_to_extended(z); // Hash the permutation product commitment transcript.write_point(permutation_product_commitment)?; diff --git a/halo2_backend/src/plonk/verifier.rs b/halo2_backend/src/plonk/verifier.rs index 88cd06be52..d0e8650ac2 100644 --- a/halo2_backend/src/plonk/verifier.rs +++ b/halo2_backend/src/plonk/verifier.rs @@ -1,9 +1,11 @@ //! Verify a plonk proof +use group::prime::PrimeCurveAffine; use group::Curve; use halo2_middleware::circuit::Any; use halo2_middleware::ff::{Field, FromUniformBytes, WithSmallOrderMulGroup}; use halo2_middleware::zal::impls::H2cEngine; +use halo2curves::CurveAffine; use std::iter; use super::{vanishing, VerifyingKey}; @@ -78,7 +80,9 @@ where // 1. Get the commitments of the instance polynomials. ---------------------------------------- let instance_commitments = if V::QUERY_INSTANCE { - instances + let mut instance_commitments = Vec::with_capacity(instances.len()); + + let instances_projective = instances .iter() .map(|instance| { instance @@ -91,13 +95,22 @@ where poly.resize(params.n() as usize, Scheme::Scalar::ZERO); let poly = vk.domain.lagrange_from_vec(poly); - Ok(params - .commit_lagrange(&default_engine, &poly, Blind::default()) - .to_affine()) + Ok(params.commit_lagrange(&default_engine, &poly, Blind::default())) }) .collect::, _>>() }) - .collect::, _>>()? + .collect::, _>>()?; + + for instance_projective in instances_projective { + let mut affines = + vec![::Curve::identity(); instance_projective.len()]; + <::Curve as CurveAffine>::CurveExt::batch_normalize( + &instance_projective, + &mut affines, + ); + instance_commitments.push(affines); + } + instance_commitments } else { vec![vec![]; instances.len()] }; diff --git a/halo2_backend/src/poly/ipa/commitment.rs b/halo2_backend/src/poly/ipa/commitment.rs index 0f6b549a4e..7ac521327b 100644 --- a/halo2_backend/src/poly/ipa/commitment.rs +++ b/halo2_backend/src/poly/ipa/commitment.rs @@ -195,8 +195,13 @@ impl<'params, C: CurveAffine> ParamsProver<'params, C> for ParamsIPA { let g_lagrange = g_to_lagrange(g_projective, k); let hasher = C::CurveExt::hash_to_curve("Halo2-Parameters"); - let w = hasher(&[1]).to_affine(); - let u = hasher(&[2]).to_affine(); + + let [w, u] = { + let projectives = vec![hasher(&[1]), hasher(&[2])]; + let mut affines = [C::identity(); 2]; + C::CurveExt::batch_normalize(&projectives, &mut affines); + affines + }; ParamsIPA { k, diff --git a/halo2_backend/src/poly/ipa/commitment/prover.rs b/halo2_backend/src/poly/ipa/commitment/prover.rs index 1f50046449..7e04206e07 100644 --- a/halo2_backend/src/poly/ipa/commitment/prover.rs +++ b/halo2_backend/src/poly/ipa/commitment/prover.rs @@ -114,8 +114,11 @@ pub fn create_proof_with_engine< let r_j_randomness = C::Scalar::random(&mut rng); let l_j = l_j + engine.msm(&[value_l_j * z, l_j_randomness], &[params.u, params.w]); let r_j = r_j + engine.msm(&[value_r_j * z, r_j_randomness], &[params.u, params.w]); - let l_j = l_j.to_affine(); - let r_j = r_j.to_affine(); + let [l_j, r_j] = { + let mut affines = [C::identity(); 2]; + C::CurveExt::batch_normalize(&[l_j, r_j], &mut affines); + affines + }; // Feed L and R into the real transcript transcript.write_point(l_j)?;