From 9b93bad0288a23fc66a04b8c135767d9abb8a6b8 Mon Sep 17 00:00:00 2001
From: arnaucube <root@arnaucube.com>
Date: Tue, 21 Apr 2020 15:38:50 +0200
Subject: [PATCH] Use fft on calculateH polynomial multiplication

For a circuit arround 22500 constraints:
- before: the proof was generated aprox in `80 seconds`
- now: the proof is generated aprox in `16 seconds`
---
 prover/ifft.go        | 18 ++++++++++------
 prover/prover.go      | 29 +++++++++++++++++--------
 prover/prover_test.go | 49 +++++++++++++++++++++++++++++++++++++++++--
 3 files changed, 79 insertions(+), 17 deletions(-)

diff --git a/prover/ifft.go b/prover/ifft.go
index 4ca72ff..a454024 100644
--- a/prover/ifft.go
+++ b/prover/ifft.go
@@ -48,7 +48,7 @@ func (roots rootsT) setRoots(n int) {
 	}
 }
 
-func fft(roots rootsT, pall []*ff.Element, bits, offset, step int) []*ff.Element {
+func fftroots(roots rootsT, pall []*ff.Element, bits, offset, step int) []*ff.Element {
 	n := 1 << bits
 	if n == 1 {
 		return []*ff.Element{pall[offset]}
@@ -60,19 +60,18 @@ func fft(roots rootsT, pall []*ff.Element, bits, offset, step int) []*ff.Element
 	}
 
 	ndiv2 := n >> 1
-	p1 := fft(roots, pall, bits-1, offset, step*2)
-	p2 := fft(roots, pall, bits-1, offset+step, step*2)
+	p1 := fftroots(roots, pall, bits-1, offset, step*2)
+	p2 := fftroots(roots, pall, bits-1, offset+step, step*2)
 
 	out := make([]*ff.Element, n)
 	for i := 0; i < ndiv2; i++ {
-		// fmt.Println(i, len(roots.roots))
 		out[i] = ff.NewElement().Add(p1[i], ff.NewElement().Mul(roots.roots[bits][i], p2[i]))
 		out[i+ndiv2] = ff.NewElement().Sub(p1[i], ff.NewElement().Mul(roots.roots[bits][i], p2[i]))
 	}
 	return out
 }
 
-func ifft(p []*ff.Element) []*ff.Element {
+func fft(p []*ff.Element) []*ff.Element {
 	if len(p) <= 1 {
 		return p
 	}
@@ -81,7 +80,14 @@ func ifft(p []*ff.Element) []*ff.Element {
 	roots.setRoots(int(bits))
 	m := 1 << int(bits)
 	ep := extend(p, m)
-	res := fft(roots, ep, int(bits), 0, 1)
+	res := fftroots(roots, ep, int(bits), 0, 1)
+	return res
+}
+
+func ifft(p []*ff.Element) []*ff.Element {
+	res := fft(p)
+	bits := math.Log2(float64(len(p)-1)) + 1
+	m := 1 << int(bits)
 
 	twoinvm := ff.NewElement().SetBigInt(fInv(fMul(big.NewInt(1), big.NewInt(int64(m)))))
 
diff --git a/prover/prover.go b/prover/prover.go
index 70798b0..648e322 100644
--- a/prover/prover.go
+++ b/prover/prover.go
@@ -2,10 +2,12 @@ package prover
 
 import (
 	"crypto/rand"
+	"math"
 	"math/big"
 
 	bn256 "github.com/ethereum/go-ethereum/crypto/bn256/cloudflare"
 	"github.com/iden3/go-circom-prover-verifier/types"
+	"github.com/iden3/go-iden3-crypto/ff"
 	"github.com/iden3/go-iden3-crypto/utils"
 )
 
@@ -111,7 +113,6 @@ func calculateH(pk *types.Pk, w types.Witness) []*big.Int {
 	m := pk.DomainSize
 	polAT := arrayOfZeroes(m)
 	polBT := arrayOfZeroes(m)
-	polCT := arrayOfZeroes(m)
 
 	for i := 0; i < pk.NVars; i++ {
 		for j := range pk.PolsA[i] {
@@ -120,22 +121,32 @@ func calculateH(pk *types.Pk, w types.Witness) []*big.Int {
 		for j := range pk.PolsB[i] {
 			polBT[j] = fAdd(polBT[j], fMul(w[i], pk.PolsB[i][j]))
 		}
-		for j := range pk.PolsC[i] {
-			polCT[j] = fAdd(polCT[j], fMul(w[i], pk.PolsC[i][j]))
-		}
 	}
 	polATe := utils.BigIntArrayToElementArray(polAT)
 	polBTe := utils.BigIntArrayToElementArray(polBT)
-	polCTe := utils.BigIntArrayToElementArray(polCT)
 
 	polASe := ifft(polATe)
 	polBSe := ifft(polBTe)
-	polABSe := polynomialMulE(polASe, polBSe)
 
-	polCSe := ifft(polCTe)
+	r := int(math.Log2(float64(m))) + 1
+	roots := newRootsT()
+	roots.setRoots(r)
+	for i := 0; i < len(polASe); i++ {
+		polASe[i] = ff.NewElement().Mul(polASe[i], roots.roots[r][i])
+		polBSe[i] = ff.NewElement().Mul(polBSe[i], roots.roots[r][i])
+	}
+
+	polATodd := fft(polASe)
+	polBTodd := fft(polBSe)
+
+	polABT := arrayOfZeroesE(len(polASe) * 2)
+	for i := 0; i < len(polASe); i++ {
+		polABT[2*i] = ff.NewElement().Mul(polATe[i], polBTe[i])
+		polABT[2*i+1] = ff.NewElement().Mul(polATodd[i], polBTodd[i])
+	}
 
-	polABCSe := polynomialSubE(polABSe, polCSe)
+	hSeFull := ifft(polABT)
 
-	hSe := polABCSe[m:]
+	hSe := hSeFull[m:]
 	return ElementArrayToBigIntArray(hSe)
 }
diff --git a/prover/prover_test.go b/prover/prover_test.go
index 6964353..957ba03 100644
--- a/prover/prover_test.go
+++ b/prover/prover_test.go
@@ -2,6 +2,7 @@ package prover
 
 import (
 	"encoding/json"
+	"fmt"
 	"io/ioutil"
 	"math/big"
 	"testing"
@@ -13,7 +14,7 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func TestSmallCircuitGenerateProf(t *testing.T) {
+func TestSmallCircuitGenerateProof(t *testing.T) {
 	provingKeyJson, err := ioutil.ReadFile("../testdata/small/proving_key.json")
 	require.Nil(t, err)
 	pk, err := parsers.ParsePk(provingKeyJson)
@@ -52,7 +53,7 @@ func TestSmallCircuitGenerateProf(t *testing.T) {
 	// snarkjs verify --vk testdata/small/verification_key.json -p testdata/small/proof.json --pub testdata/small/public.json
 }
 
-func TestBigCircuitGenerateProf(t *testing.T) {
+func TestBigCircuitGenerateProof(t *testing.T) {
 	provingKeyJson, err := ioutil.ReadFile("../testdata/big/proving_key.json")
 	require.Nil(t, err)
 	pk, err := parsers.ParsePk(provingKeyJson)
@@ -89,6 +90,50 @@ func TestBigCircuitGenerateProf(t *testing.T) {
 	// snarkjs verify --vk testdata/big/verification_key.json -p testdata/big/proof.json --pub testdata/big/public.json
 }
 
+func TestIdStateCircuitGenerateProof(t *testing.T) {
+	// this test is to execute the proof generation for a bigger circuit
+	// (arround 22500 constraints)
+	//
+	// to see the time needed to execute this
+	// test Will need the ../testdata/idstate-circuit compiled &
+	// trustedsetup files (generated in
+	// https://github.com/iden3/go-zksnark-full-flow-example)
+	if false {
+		fmt.Println("TestIdStateCircuitGenerateProof activated")
+		provingKeyJson, err := ioutil.ReadFile("../testdata/idstate-circuit/proving_key.json")
+		require.Nil(t, err)
+		pk, err := parsers.ParsePk(provingKeyJson)
+		require.Nil(t, err)
+
+		witnessJson, err := ioutil.ReadFile("../testdata/idstate-circuit/witness.json")
+		require.Nil(t, err)
+		w, err := parsers.ParseWitness(witnessJson)
+		require.Nil(t, err)
+
+		proof, pubSignals, err := GenerateProof(pk, w)
+		assert.Nil(t, err)
+
+		proofStr, err := parsers.ProofToJson(proof)
+		assert.Nil(t, err)
+
+		err = ioutil.WriteFile("../testdata/idstate-circuit/proof.json", proofStr, 0644)
+		assert.Nil(t, err)
+		publicStr, err := json.Marshal(parsers.ArrayBigIntToString(pubSignals))
+		assert.Nil(t, err)
+		err = ioutil.WriteFile("../testdata/idstate-circuit/public.json", publicStr, 0644)
+		assert.Nil(t, err)
+
+		// verify the proof
+		vkJson, err := ioutil.ReadFile("../testdata/idstate-circuit/verification_key.json")
+		require.Nil(t, err)
+		vk, err := parsers.ParseVk(vkJson)
+		require.Nil(t, err)
+
+		v := verifier.Verify(vk, proof, pubSignals)
+		assert.True(t, v)
+	}
+}
+
 func BenchmarkGenerateProof(b *testing.B) {
 	provingKeyJson, err := ioutil.ReadFile("../testdata/big/proving_key.json")
 	require.Nil(b, err)