Tables Pre-calculation

The most time-consuming part of a zkSNARK proof calculation is the scalar multiplication of elliptic curve points. The direct mechanism computes and accumulates each multiplication separately. However, the prover only needs the total accumulation.

There are two potential improvements to the naive approach:

  1. Apply the Strauss-Shamir method (https://stackoverflow.com/questions/50993471/ec-scalar-multiplication-with-strauss-shamir-method).
  2. Leave the doubling operation for the last step.

Both options can be combined.
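The two improvements combined, as an added Python example that is not code from this project. It assumes a toy curve y^2 = x^3 + 3 over a small prime rather than BN256, reads "leave the doubling for the last step" as keeping one partial sum per scalar bit, and uses hypothetical function names with constructed sample points and scalars.

```python
from functools import reduce
# Toy curve y^2 = x^3 + 3 over F_P. P is a constructed parameter, not the BN256 modulus.
P = 2**31 - 1
G = (1, 2)  # on the curve: 2^2 = 1^3 + 3

def add(a, b):  # affine addition; None is the point at infinity
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        m = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        m = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (m * m - x1 - x2) % P
    return (x3, (m * (x1 - x3) - y1) % P)

def mul(k, pt):  # naive double-and-add: a full run of doublings per point
    acc = None
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc

def msm_naive(points, scalars):
    return reduce(add, (mul(k, pt) for k, pt in zip(scalars, points)), None)

def build_table(group):  # table[mask] = sum of group[j] for each bit j set in mask
    table = [None]
    for pt in group:
        table += [add(t, pt) for t in table]
    return table

def msm_no_doubling(points, scalars, gs, nbits):
    sums = [None] * nbits  # sums[i] collects table entries selected by bit i
    for g in range(0, len(points), gs):
        table, ks = build_table(points[g:g + gs]), scalars[g:g + gs]
        for i in range(nbits):
            mask = sum(((k >> i) & 1) << j for j, k in enumerate(ks))
            sums[i] = add(sums[i], table[mask])
    acc = None
    for q in reversed(sums):  # doublings happen only here: nbits in total
        acc = add(add(acc, acc), q)
    return acc

POINTS = [mul(j, G) for j in range(3, 10)]  # constructed sample points
SCALARS = [(40503 * (j + 1)) % 2**16 for j in range(7)]  # constructed 16-bit scalars
```

Each group of `gs` points needs a table of 2^gs entries, which is the storage cost the page weighs against the saved doublings.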

In the following table, we show the results of using the naive method, Strauss-Shamir, and Strauss-Shamir + No Doubling. These last two options are repeated for different table grouping orders.

There are 50000 G1 elliptic curve points, and the scalars are 254 bits (BN256 curve).

There may be some concern about the additional size of the tables, since they need to be loaded into a smartphone during the proof, and the time required to load them may exceed the benefits. If this is a problem, another alternative is to compute the tables during the proof itself. Depending on the Group Size (GS), timing may be better than the naive approach.

| Algorithm (G1) | Time (GS 2) | Time (GS 3) |
| --- | --- | --- |
| Naive | 6.63s | - |
| Strauss | 13.16s | 9.03s |
| Strauss + Table Computation | 16.13s | 11.32s |
| No Doubling | 3.74s | 3.00s |
| No Doubling + Table Computation | 6.83s | 5.1s |

There are 5000 G2 elliptic curve points, and the scalars are 254 bits (BN256 curve).

| Algorithm (G2) | GS / Time | |
| --- | --- | --- |
| Naive | 3.55s | |
| Strauss | 3.55s | 2.54s |
| Strauss + Table Computation | 3.59s | 2.58s |
| No Doubling | 1.49s | 1.16s |
| No Doubling + Table Computation | 1.55s | 1.21s |

| GS | Extra Disk Space per Constraint (G1) |
| --- | --- |
| 2 | 64 B |
| 3 | 106 B |
| 4 | 192 B |
| 5 | 346 B |
| 6 | 618 B |
| 7 | 1106 B |
| 8 | 1984 B |
| 9 | 3577 B |
| N | 2^(N+6)/N - 64 B |

Extra disk space per constraint in G2 is twice the requirement for G1.