Merge branch 'master' into aux-data

poly-commit/src/kzg10/mod.rs

@@ -8,7 +8,7 @@
 use crate::{BTreeMap, Error, LabeledPolynomial, PCCommitmentState, ToString, Vec};
 use ark_ec::AffineRepr;
 use ark_ec::{pairing::Pairing, CurveGroup};
-use ark_ec::{scalar_mul::fixed_base::FixedBase, VariableBaseMSM};
+use ark_ec::{scalar_mul::ScalarMul, VariableBaseMSM};
 use ark_ff::{One, PrimeField, UniformRand, Zero};
 use ark_poly::DenseUVPolynomial;
 use ark_std::{format, marker::PhantomData, ops::Div, ops::Mul, vec};
@@ -66,36 +66,27 @@ where
         let gamma_g = E::G1::rand(rng);
         let h = E::G2::rand(rng);
 
+        // powers_of_beta = [1, b, ..., b^(max_degree + 1)], len = max_degree + 2
         let mut powers_of_beta = vec![E::ScalarField::one()];
-
         let mut cur = beta;
-        for _ in 0..max_degree {
+        for _ in 0..=max_degree {
             powers_of_beta.push(cur);
             cur *= β
         }
 
-        let window_size = FixedBase::get_mul_window_size(max_degree + 1);
-
-        let scalar_bits = E::ScalarField::MODULUS_BIT_SIZE as usize;
         let g_time = start_timer!(|| "Generating powers of G");
-        let g_table = FixedBase::get_window_table(scalar_bits, window_size, g);
-        let powers_of_g =
-            FixedBase::msm::<E::G1>(scalar_bits, window_size, &g_table, &powers_of_beta);
+        let powers_of_g = g.batch_mul(&powers_of_beta[0..max_degree + 1]);
         end_timer!(g_time);
-        let gamma_g_time = start_timer!(|| "Generating powers of gamma * G");
-        let gamma_g_table = FixedBase::get_window_table(scalar_bits, window_size, gamma_g);
-        let mut powers_of_gamma_g =
-            FixedBase::msm::<E::G1>(scalar_bits, window_size, &gamma_g_table, &powers_of_beta);
-        // Add an additional power of gamma_g, because we want to be able to support
-        // up to D queries.
-        powers_of_gamma_g.push(powers_of_gamma_g.last().unwrap().mul(&beta));
-        end_timer!(gamma_g_time);
 
-        let powers_of_g = E::G1::normalize_batch(&powers_of_g);
-        let powers_of_gamma_g = E::G1::normalize_batch(&powers_of_gamma_g)
+        // Use the entire `powers_of_beta`, since we want to be able to support
+        // up to D queries.
+        let gamma_g_time = start_timer!(|| "Generating powers of gamma * G");
+        let powers_of_gamma_g = gamma_g
+            .batch_mul(&powers_of_beta)
             .into_iter()
             .enumerate()
             .collect();
+        end_timer!(gamma_g_time);
 
         let neg_powers_of_h_time = start_timer!(|| "Generating negative powers of h in G2");
         let neg_powers_of_h = if produce_g2_powers {
@@ -106,20 +97,10 @@ where
                 cur /= &beta;
             }
 
-            let neg_h_table = FixedBase::get_window_table(scalar_bits, window_size, h);
-            let neg_powers_of_h = FixedBase::msm::<E::G2>(
-                scalar_bits,
-                window_size,
-                &neg_h_table,
-                &neg_powers_of_beta,
-            );
-
-            let affines = E::G2::normalize_batch(&neg_powers_of_h);
-            let mut affines_map = BTreeMap::new();
-            affines.into_iter().enumerate().for_each(|(i, a)| {
-                affines_map.insert(i, a);
-            });
-            affines_map
+            h.batch_mul(&neg_powers_of_beta)
+                .into_iter()
+                .enumerate()
+                .collect()
         } else {
             BTreeMap::new()
         };

poly-commit/src/marlin/marlin_pst13_pc/mod.rs

@@ -8,7 +8,11 @@ use crate::{LabeledCommitment, LabeledPolynomial, LinearCombination};
 use crate::{PCCommitmentState, PCUniversalParams, PolynomialCommitment};
 use crate::{ToString, Vec};
 use ark_ec::AffineRepr;
-use ark_ec::{pairing::Pairing, scalar_mul::fixed_base::FixedBase, CurveGroup, VariableBaseMSM};
+use ark_ec::{
+    pairing::Pairing,
+    scalar_mul::{BatchMulPreprocessing, ScalarMul},
+    CurveGroup, VariableBaseMSM,
+};
 use ark_ff::{One, PrimeField, UniformRand, Zero};
 use ark_poly::{multivariate::Term, DenseMVPolynomial};
 use ark_std::rand::RngCore;
@@ -210,47 +214,33 @@ where
             })
             .unzip();
 
-        let scalar_bits = E::ScalarField::MODULUS_BIT_SIZE as usize;
         let g_time = start_timer!(|| "Generating powers of G");
-        let window_size = FixedBase::get_mul_window_size(max_degree + 1);
-        let g_table = FixedBase::get_window_table(scalar_bits, window_size, g);
-        let mut powers_of_g =
-            FixedBase::msm::<E::G1>(scalar_bits, window_size, &g_table, &powers_of_beta);
-        powers_of_g.push(g);
+        let mut powers_of_g = g.batch_mul(&powers_of_beta);
+        powers_of_g.push(g.into_affine());
         powers_of_beta_terms.push(P::Term::new(vec![]));
         end_timer!(g_time);
 
         let gamma_g_time = start_timer!(|| "Generating powers of gamma * G");
-        let window_size = FixedBase::get_mul_window_size(max_degree + 2);
-        let gamma_g_table = FixedBase::get_window_table(scalar_bits, window_size, gamma_g);
         // Each element `i` of `powers_of_gamma_g` is a vector of length `max_degree+1`
         // containing `betas[i]^j \gamma G` for `j` from 1 to `max_degree+1` to support
         // up to `max_degree` queries
         let mut powers_of_gamma_g = vec![Vec::new(); num_vars];
+        let gamma_g_table = BatchMulPreprocessing::new(gamma_g, max_degree + 1);
+
         ark_std::cfg_iter_mut!(powers_of_gamma_g)
             .enumerate()
             .for_each(|(i, v)| {
-                let mut powers_of_beta = Vec::with_capacity(max_degree);
+                let mut powers_of_beta = Vec::with_capacity(max_degree + 1);
                 let mut cur = E::ScalarField::one();
                 for _ in 0..=max_degree {
                     cur *= &betas[i];
                     powers_of_beta.push(cur);
                 }
-                *v = FixedBase::msm::<E::G1>(
-                    scalar_bits,
-                    window_size,
-                    &gamma_g_table,
-                    &powers_of_beta,
-                );
+                *v = gamma_g.batch_mul_with_preprocessing(&powers_of_beta, &gamma_g_table);
             });
         end_timer!(gamma_g_time);
 
-        let powers_of_g = E::G1::normalize_batch(&powers_of_g);
         let gamma_g = gamma_g.into_affine();
-        let powers_of_gamma_g = powers_of_gamma_g
-            .into_iter()
-            .map(|v| E::G1::normalize_batch(&v))
-            .collect();
         let beta_h: Vec<_> = betas.iter().map(|b| h.mul(b).into_affine()).collect();
         let h = h.into_affine();
         let prepared_h = h.into();

poly-commit/src/multilinear_pc/mod.rs

@@ -1,9 +1,10 @@
 use crate::multilinear_pc::data_structures::{
     Commitment, CommitterKey, Proof, UniversalParams, VerifierKey,
 };
+use ark_ec::scalar_mul::BatchMulPreprocessing;
 use ark_ec::AffineRepr;
 use ark_ec::{pairing::Pairing, CurveGroup};
-use ark_ec::{scalar_mul::fixed_base::FixedBase, VariableBaseMSM};
+use ark_ec::{scalar_mul::ScalarMul, VariableBaseMSM};
 use ark_ff::{Field, PrimeField};
 use ark_ff::{One, Zero};
 use ark_poly::{DenseMultilinearExtension, MultilinearExtension};
@@ -27,14 +28,11 @@ impl<E: Pairing> MultilinearPC<E> {
     /// setup
     pub fn setup<R: RngCore>(num_vars: usize, rng: &mut R) -> UniversalParams<E> {
         assert!(num_vars > 0, "constant polynomial not supported");
-        let g: E::G1 = E::G1::rand(rng);
-        let h: E::G2 = E::G2::rand(rng);
-        let g = g.into_affine();
-        let h = h.into_affine();
+        let g = E::G1::rand(rng);
+        let h = E::G2::rand(rng);
         let mut powers_of_g = Vec::new();
         let mut powers_of_h = Vec::new();
         let t: Vec<_> = (0..num_vars).map(|_| E::ScalarField::rand(rng)).collect();
-        let scalar_bits = E::ScalarField::MODULUS_BIT_SIZE as usize;
 
         let mut eq: LinkedList<DenseMultilinearExtension<E::ScalarField>> =
             LinkedList::from_iter(eq_extension(&t).into_iter());
@@ -54,29 +52,15 @@ impl<E: Pairing> MultilinearPC<E> {
         }
 
         let mut pp_powers = Vec::new();
-        let mut total_scalars = 0;
         for i in 0..num_vars {
             let eq = eq_arr.pop_front().unwrap();
             let pp_k_powers = (0..(1 << (num_vars - i))).map(|x| eq[x]);
             pp_powers.extend(pp_k_powers);
-            total_scalars += 1 << (num_vars - i);
         }
-        let window_size = FixedBase::get_mul_window_size(total_scalars);
-        let g_table = FixedBase::get_window_table(scalar_bits, window_size, g.into_group());
-        let h_table = FixedBase::get_window_table(scalar_bits, window_size, h.into_group());
-
-        let pp_g = E::G1::normalize_batch(&FixedBase::msm(
-            scalar_bits,
-            window_size,
-            &g_table,
-            &pp_powers,
-        ));
-        let pp_h = E::G2::normalize_batch(&FixedBase::msm(
-            scalar_bits,
-            window_size,
-            &h_table,
-            &pp_powers,
-        ));
+
+        let g_table = BatchMulPreprocessing::new(g, num_vars);
+        let pp_g = g.batch_mul_with_preprocessing(&pp_powers, &g_table);
+        let pp_h = h.batch_mul(&pp_powers);
         let mut start = 0;
         for i in 0..num_vars {
             let size = 1 << (num_vars - i);
@@ -89,18 +73,14 @@ impl<E: Pairing> MultilinearPC<E> {
 
         // uncomment to measure the time for calculating vp
         // let vp_generation_timer = start_timer!(|| "VP generation");
-        let g_mask = {
-            let window_size = FixedBase::get_mul_window_size(num_vars);
-            let g_table = FixedBase::get_window_table(scalar_bits, window_size, g.into_group());
-            E::G1::normalize_batch(&FixedBase::msm(scalar_bits, window_size, &g_table, &t))
-        };
+        let g_mask = g.batch_mul_with_preprocessing(&t, &g_table);
         // end_timer!(vp_generation_timer);
 
         UniversalParams {
             num_vars,
-            g,
+            g: g.into_affine(),
             g_mask,
-            h,
+            h: h.into_affine(),
             powers_of_g,
             powers_of_h,
         }
@@ -199,11 +179,7 @@ impl<E: Pairing> MultilinearPC<E> {
     ) -> bool {
         let left = E::pairing(commitment.g_product.into_group() - &vk.g.mul(value), vk.h);
 
-        let scalar_size = E::ScalarField::MODULUS_BIT_SIZE as usize;
-        let window_size = FixedBase::get_mul_window_size(vk.nv);
-
-        let g_table = FixedBase::get_window_table(scalar_size, window_size, vk.g.into_group());
-        let g_mul: Vec<E::G1> = FixedBase::msm(scalar_size, window_size, &g_table, point);
+        let g_mul = vk.g.into_group().batch_mul(point);
 
         let pairing_lefts: Vec<_> = (0..vk.nv)
             .map(|i| vk.g_mask_random[i].into_group() - &g_mul[i])

poly-commit/src/streaming_kzg/time.rs

@@ -1,9 +1,9 @@
 //! An impementation of a time-efficient version of Kate et al's polynomial commitment,
 //! with optimization from [\[BDFG20\]](https://eprint.iacr.org/2020/081.pdf).
 use ark_ec::pairing::Pairing;
-use ark_ec::scalar_mul::fixed_base::FixedBase;
+use ark_ec::scalar_mul::ScalarMul;
 use ark_ec::CurveGroup;
-use ark_ff::{PrimeField, Zero};
+use ark_ff::Zero;
 use ark_poly::{univariate::DensePolynomial, DenseUVPolynomial};
 use ark_std::{borrow::Borrow, ops::Div, ops::Mul, rand::RngCore, vec::Vec, UniformRand};
 
@@ -50,11 +50,7 @@ impl<E: Pairing> CommitterKey<E> {
         let powers_of_tau = powers(tau, max_degree + 1);
 
         let g = E::G1::rand(rng);
-        let window_size = FixedBase::get_mul_window_size(max_degree + 1);
-        let scalar_bits = E::ScalarField::MODULUS_BIT_SIZE as usize;
-        let g_table = FixedBase::get_window_table(scalar_bits, window_size, g);
-        let powers_of_g_proj = FixedBase::msm(scalar_bits, window_size, &g_table, &powers_of_tau);
-        let powers_of_g = E::G1::normalize_batch(&powers_of_g_proj);
+        let powers_of_g = g.batch_mul(&powers_of_tau);
 
         let g2 = E::G2::rand(rng).into_affine();
         let powers_of_g2 = powers_of_tau