improve: apply tachyon optimizations(2 & 5)

halo2_backend/src/plonk/keygen.rs

@@ -64,20 +64,23 @@ where
     )?
     .build_vk(params, &domain, &cs.permutation);
 
-    let fixed_commitments = circuit
-        .preprocessing
-        .fixed
-        .iter()
-        .map(|poly| {
-            params
-                .commit_lagrange(
+    let fixed_commitments = {
+        let fixed_commitments_projective: Vec<C::CurveExt> = circuit
+            .preprocessing
+            .fixed
+            .iter()
+            .map(|poly| {
+                params.commit_lagrange(
                     &H2cEngine::new(),
                     &Polynomial::new_lagrange_from_vec(poly.clone()),
                     Blind::default(),
                 )
-                .to_affine()
-        })
-        .collect();
+            })
+            .collect();
+        let mut fixed_commitments = vec![C::identity(); fixed_commitments_projective.len()];
+        C::CurveExt::batch_normalize(&fixed_commitments_projective, &mut fixed_commitments);
+        fixed_commitments
+    };
 
     Ok(VerifyingKey::from_parts(
         domain,

halo2_backend/src/plonk/lookup/prover.rs

@@ -130,20 +130,30 @@ where
     let mut commit_values = |values: &Polynomial<C::Scalar, LagrangeCoeff>| {
         let poly = pk.vk.domain.lagrange_to_coeff(values.clone());
         let blind = Blind(C::Scalar::random(&mut rng));
-        let commitment = params
-            .commit_lagrange(&engine.msm_backend, values, blind)
-            .to_affine();
+        let commitment = params.commit_lagrange(&engine.msm_backend, values, blind);
         (poly, blind, commitment)
     };
 
     // Commit to permuted input expression
-    let (permuted_input_poly, permuted_input_blind, permuted_input_commitment) =
+    let (permuted_input_poly, permuted_input_blind, permuted_input_commitment_projective) =
         commit_values(&permuted_input_expression);
 
     // Commit to permuted table expression
-    let (permuted_table_poly, permuted_table_blind, permuted_table_commitment) =
+    let (permuted_table_poly, permuted_table_blind, permuted_table_commitment_projective) =
         commit_values(&permuted_table_expression);
 
+    let [permuted_input_commitment, permuted_table_commitment] = {
+        let mut affines = [C::identity(); 2];
+        C::CurveExt::batch_normalize(
+            &[
+                permuted_input_commitment_projective,
+                permuted_table_commitment_projective,
+            ],
+            &mut affines,
+        );
+        affines
+    };
+
     // Hash permuted input commitment
     transcript.write_point(permuted_input_commitment)?;
 

halo2_backend/src/plonk/permutation/keygen.rs

@@ -261,15 +261,20 @@ pub(crate) fn build_vk<'params, C: CurveAffine, P: Params<'params, C>>(
     }
 
     // Pre-compute commitments for the URS.
-    let mut commitments = Vec::with_capacity(p.columns.len());
-    for permutation in &permutations {
-        // Compute commitment to permutation polynomial
-        commitments.push(
-            params
-                .commit_lagrange(&H2cEngine::new(), permutation, Blind::default())
-                .to_affine(),
-        );
-    }
+    let commitments = {
+        let mut commitments_projective = Vec::with_capacity(p.columns.len());
+        for permutation in &permutations {
+            // Compute commitment to permutation polynomial
+            commitments_projective.push(params.commit_lagrange(
+                &H2cEngine::new(),
+                permutation,
+                Blind::default(),
+            ));
+        }
+        let mut commitments = vec![C::identity(); p.columns.len()];
+        C::CurveExt::batch_normalize(&commitments_projective, &mut commitments);
+        commitments
+    };
 
     VerifyingKey { commitments }
 }

halo2_backend/src/plonk/permutation/prover.rs

@@ -174,15 +174,14 @@ pub(in crate::plonk) fn permutation_commit<
 
         let blind = Blind(C::Scalar::random(&mut rng));
 
-        let permutation_product_commitment_projective =
-            params.commit_lagrange(&engine.msm_backend, &z, blind);
+        let permutation_product_commitment = params
+            .commit_lagrange(&engine.msm_backend, &z, blind)
+            .to_affine();
         let permutation_product_blind = blind;
         let z = domain.lagrange_to_coeff(z);
         let permutation_product_poly = z.clone();
 
-        let permutation_product_coset = domain.coeff_to_extended(z.clone());
-
-        let permutation_product_commitment = permutation_product_commitment_projective.to_affine();
+        let permutation_product_coset = domain.coeff_to_extended(z);
 
         // Hash the permutation product commitment
         transcript.write_point(permutation_product_commitment)?;

halo2_backend/src/plonk/verifier.rs

@@ -1,9 +1,11 @@
 //! Verify a plonk proof
 
+use group::prime::PrimeCurveAffine;
 use group::Curve;
 use halo2_middleware::circuit::Any;
 use halo2_middleware::ff::{Field, FromUniformBytes, WithSmallOrderMulGroup};
 use halo2_middleware::zal::impls::H2cEngine;
+use halo2curves::CurveAffine;
 use std::iter;
 
 use super::{vanishing, VerifyingKey};
@@ -78,7 +80,9 @@ where
     // 1. Get the commitments of the instance polynomials. ----------------------------------------
 
     let instance_commitments = if V::QUERY_INSTANCE {
-        instances
+        let mut instance_commitments = Vec::with_capacity(instances.len());
+
+        let instances_projective = instances
             .iter()
             .map(|instance| {
                 instance
@@ -91,13 +95,22 @@ where
                         poly.resize(params.n() as usize, Scheme::Scalar::ZERO);
                         let poly = vk.domain.lagrange_from_vec(poly);
 
-                        Ok(params
-                            .commit_lagrange(&default_engine, &poly, Blind::default())
-                            .to_affine())
+                        Ok(params.commit_lagrange(&default_engine, &poly, Blind::default()))
                     })
                     .collect::<Result<Vec<_>, _>>()
             })
-            .collect::<Result<Vec<_>, _>>()?
+            .collect::<Result<Vec<_>, _>>()?;
+
+        for instance_projective in instances_projective {
+            let mut affines =
+                vec![<Scheme as CommitmentScheme>::Curve::identity(); instance_projective.len()];
+            <<Scheme as CommitmentScheme>::Curve as CurveAffine>::CurveExt::batch_normalize(
+                &instance_projective,
+                &mut affines,
+            );
+            instance_commitments.push(affines);
+        }
+        instance_commitments
     } else {
         vec![vec![]; instances.len()]
     };

halo2_backend/src/poly/ipa/commitment.rs

@@ -195,8 +195,13 @@ impl<'params, C: CurveAffine> ParamsProver<'params, C> for ParamsIPA<C> {
         let g_lagrange = g_to_lagrange(g_projective, k);
 
         let hasher = C::CurveExt::hash_to_curve("Halo2-Parameters");
-        let w = hasher(&[1]).to_affine();
-        let u = hasher(&[2]).to_affine();
+
+        let [w, u] = {
+            let projectives = vec![hasher(&[1]), hasher(&[2])];
+            let mut affines = [C::identity(); 2];
+            C::CurveExt::batch_normalize(&projectives, &mut affines);
+            affines
+        };
 
         ParamsIPA {
             k,

halo2_backend/src/poly/ipa/commitment/prover.rs

@@ -114,8 +114,11 @@ pub fn create_proof_with_engine<
         let r_j_randomness = C::Scalar::random(&mut rng);
         let l_j = l_j + engine.msm(&[value_l_j * z, l_j_randomness], &[params.u, params.w]);
         let r_j = r_j + engine.msm(&[value_r_j * z, r_j_randomness], &[params.u, params.w]);
-        let l_j = l_j.to_affine();
-        let r_j = r_j.to_affine();
+        let [l_j, r_j] = {
+            let mut affines = [C::identity(); 2];
+            C::CurveExt::batch_normalize(&[l_j, r_j], &mut affines);
+            affines
+        };
 
         // Feed L and R into the real transcript
         transcript.write_point(l_j)?;