You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

49 lines
2.5 KiB

  1. # Tables Pre-calculation
  2. The most time consuming part of a ZKSnark proof calculation is the scalar multiplication of elliptic curve points. Direct mechanism accumulates each multiplication. However, prover only needs the total accumulation.
  3. There are two potential improvements to the naive approach:
  4. 1. Apply Strauss-Shamir method (https://stackoverflow.com/questions/50993471/ec-scalar-multiplication-with-strauss-shamir-method).
  5. 2. Leave the doubling operation for the last step
  6. Both options can be combined.
  7. In the following table, we show the results of using the naive method, Srauss-Shamir and Strauss-Shamir + No doubling. These last two options are repeated for different table grouping order.
  8. There are 50000 G1 Elliptical Curve Points, and the scalars are 254 bits (BN256 curve).
  9. There may be some concern on the additional size of the tables since they need to be loaded into a smartphone during the proof, and the time required to load these tables may exceed the benefits. If this is a problem, another althernative is to compute the tables during the proof itself. Depending on the Group Size, timing may be better than the naive approach.
  10. | Algorithm (G1) | GS 2 | GS 3 | GS 4 | GS 5 | GS 6 | GS 7 | GS 8 | GS 9 |
  11. |---|---|---|--|---|---|---|---|---|
  12. | Naive | 6.63s | - | - | - | - | - | - | - |
  13. | Strauss | 13.16s | 9.03s | 6.95s | 5.61s | 4.91s | 4.26s | 3.88s | 3.54 s |
  14. | Strauss + Table Computation | 16.13s | 11.32s | 8.47s | 7.10s | 6.2s | 5.94s | 6.01s | 6.69s |
  15. | No Doubling | 3.74s | 3.00s | 2.38s | 1.96s | 1.79s | 1.54s | 1.50s | 1.44s|
  16. | No Doubling + Table Computation | 6.83s | 5.1s | 4.16s | 3.52s| 3.22s | 3.21s | 3.57s | 4.56s |
  17. There are 5000 G2 Elliptical Curve Points, and the scalars are 254 bits (BN256 curve).
  18. | Algorithm (G2) | GS 2 | GS 3 | GS 4 | GS 5 | GS 6 | GS 7 | GS 8 | GS 9 |
  19. |---|---|---|--|---|---|---|---|---|
  20. | Naive | 3.55s | | | | | | | |
  21. | Strauss | 3.55s | 2.54s | 1.96s | 1.58s | 1.38s | 1.20s | 1.03s | 937ms |
  22. | Strauss + Table Computation | 3.59s | 2.58s | 2.04s | 1.71s | 1.51s | 1.46s | 1.51s | 1.82s |
  23. | No Doubling | 1.49s | 1.16s | 952ms | 719ms | 661ms | 548ms | 506ms| 444ms |
  24. | No Doubling + Table Computation | 1.55s | 1.21s | 984ms | 841ms | 826ms | 847ms | 1.03s | 1.39s |
  25. | GS | Extra Disk Space per Constraint (G1)|
  26. |----|--------|
  27. | 2 | 64 B |
  28. | 3 | 106 B |
  29. | 4 | 192 B |
  30. | 5 | 346 B |
  31. | 6 | 618 B |
  32. | 7 | 1106 B |
  33. | 8 | 1984 B |
  34. | 9 | 3577 B |
  35. | N | 2^(N+6)/N - 64 B |
  36. Extra disk space per constraint in G2 is twice the requirements for G1