Auto merge of #1760 - ebfull:vk-preprocess, r=bitcartel

Process verification keys to perform online verification Checking proofs involves some arithmetic with pairings using components of the proof and the verification key. If you already have some curve points, like those in the verification key, you can amortize the cost of some of the more expensive arithmetic. This PR adopts libsnark's precomputation of G2 elements in the verification key. We *currently* call `r1cs_ppzksnark_verifier_strong_IC`: ```c++ template<typename ppT> bool r1cs_ppzksnark_verifier_strong_IC(const r1cs_ppzksnark_verification_key<ppT> &vk, const r1cs_ppzksnark_primary_input<ppT> &primary_input, const r1cs_ppzksnark_proof<ppT> &proof) { enter_block("Call to r1cs_ppzksnark_verifier_strong_IC"); r1cs_ppzksnark_processed_verification_key<ppT> pvk = r1cs_ppzksnark_verifier_process_vk<ppT>(vk); bool result = r1cs_ppzksnark_online_verifier_strong_IC<ppT>(pvk, primary_input, proof); leave_block("Call to r1cs_ppzksnark_verifier_strong_IC"); return result; } ``` Notice that this merely performs precomputation of the verification key, and then calls `r1cs_ppzksnark_online_verifier_strong_IC`. This PR merely performs the precomputation during verification key initialization, and calls that function directly.
2016-11-15 14:56:22 +00:00 · 2016-11-15 14:56:22 +00:00 · 057ab6b4d1
parent 4e4ca6d31b 78df9f0211
commit 057ab6b4d1
2 changed files with 19 additions and 4 deletions
--- a/src/init.cpp
+++ b/src/init.cpp
@ -987,13 +987,14 @@ bool AppInit2(boost::thread_group& threadGroup, CScheduler& scheduler)
        threadGroup.create_thread(&ThreadShowMetricsScreen);
    }

-    // Initialize Zcash circuit parameters
-    ZC_LoadParams();
    // These must be disabled for now, they are buggy and we probably don't
    // want any of libsnark's profiling in production anyway.
    libsnark::inhibit_profiling_info = true;
    libsnark::inhibit_profiling_counters = true;

+    // Initialize Zcash circuit parameters
+    ZC_LoadParams();
+
    /* Start the RPC server already.  It will be started in "warmup" mode
     * and not really process calls already (but it will signify connections
     * that the server is there and will be ready later).  Warmup mode will
--- a/src/zcash/JoinSplit.cpp
+++ b/src/zcash/JoinSplit.cpp
@ -26,6 +26,7 @@ namespace libzcash {

 CCriticalSection cs_ParamsIO;
 CCriticalSection cs_InitializeParams;
+CCriticalSection cs_LoadKeys;

 template<typename T>
 void saveToFile(std::string path, T& obj) {
@ -71,6 +72,7 @@ public:

    boost::optional<r1cs_ppzksnark_proving_key<ppzksnark_ppT>> pk;
    boost::optional<r1cs_ppzksnark_verification_key<ppzksnark_ppT>> vk;
+    boost::optional<r1cs_ppzksnark_processed_verification_key<ppzksnark_ppT>> vk_precomp;
    boost::optional<std::string> pkPath;

    JoinSplitCircuit() {}
@ -87,6 +89,8 @@ public:
    }

    void loadProvingKey() {
+        LOCK(cs_LoadKeys);
+
        if (!pk) {
            if (!pkPath) {
                throw std::runtime_error("proving key path unknown");
@ -103,7 +107,14 @@ public:
        }
    }
    void loadVerifyingKey(std::string path) {
+        LOCK(cs_LoadKeys);
+
        loadFromFile(path, vk);
+
+        processVerifyingKey();
+    }
+    void processVerifyingKey() {
+        vk_precomp = r1cs_ppzksnark_verifier_process_vk(*vk);
    }
    void saveVerifyingKey(std::string path) {
        if (vk) {
@ -128,11 +139,14 @@ public:
    }

    void generate() {
+        LOCK(cs_LoadKeys);
+
        const r1cs_constraint_system<FieldT> constraint_system = generate_r1cs();
        r1cs_ppzksnark_keypair<ppzksnark_ppT> keypair = r1cs_ppzksnark_generator<ppzksnark_ppT>(constraint_system);

        pk = keypair.pk;
        vk = keypair.vk;
+        processVerifyingKey();
    }

    bool verify(
@ -146,7 +160,7 @@ public:
        uint64_t vpub_new,
        const uint256& rt
    ) {
-        if (!vk) {
+        if (!vk || !vk_precomp) {
            throw std::runtime_error("JoinSplit verifying key not loaded");
        }

@ -165,7 +179,7 @@ public:
                vpub_new
            );

-            return r1cs_ppzksnark_verifier_strong_IC<ppzksnark_ppT>(*vk, witness, r1cs_proof);
+            return r1cs_ppzksnark_online_verifier_strong_IC<ppzksnark_ppT>(*vk_precomp, witness, r1cs_proof);
        } catch (...) {
            return false;
        }