Groth16 Circom is slower than Rapidsnark when circuit constraint is large

kroma-network / tachyon

Modular ZK(Zero Knowledge) backend accelerated by GPU

MIT License

7.78k stars 227 forks source link

Groth16 Circom is slower than Rapidsnark when circuit constraint is large #460

Open doutv opened 6 days ago

doutv commented 6 days ago

Issue type

Performance

OS platform and distribution

Ubuntu 22

Current behavior?

Machine: AMD Ryzen Threadripper PRO 5975WX 32-Cores I benchmark tachyon circom vendor and rapidsnark, and compare their performance. When circuit constraint < 400k, tachyon is faster and requires less memory Especially when circuit size is small, tachyon is much better.

However, when circuit constraint > 400k, rapidsnark is faster and requires less memory

Circuit	Device	System	Time	Memory	zkey size	Constraints
RSA	Server 32 Cores	Tachyon	0.4	473	78	157746
RSA	Server 32 Cores	Rapidsnark	1.0	1300	78	157746
Dummy-1200k	Server 32 Cores	Rapidsnark	3.0	2420	600	1200000
Dummy-1200k	Server 32 Cores	Tachyon	3.3	2410	600	1200000

Expected Behavior?

I want to figure out the reason.

Standalone code or description to reproduce the issue

Repo: https://github.com/doutv/circom-benchmark.git

Additional context

No response

chokobole commented 6 days ago

One big difference is that the Tachyon prover parses ZKey, whereas Rapidsnark avoids parsing ZKey and just takes pointers. When the ZKey gets larger, the Tachyon prover takes more overhead because of this.

chokobole commented 6 days ago

We also tried to avoid parsing ZKey as Rapidsnark does in this branch, but encountered some issues and got stuck. Basically what we should do is that first, the Groth16 proving key or verifying key should be modified to allow members of pointers instead of std::vector. Then, it should take the pointer after reading data from the ZKey file.

chokobole commented 6 days ago

To be fair, the code to benchmark using num_runs should include only this portion.

doutv commented 6 days ago

Thanks!

Rapidsnark has a server mode. It will read the ZKey and load it to memory.

To avoid parsing ZKey, you may consider adding a server mode. I think it is not hard to add a server mode.

chokobole commented 5 days ago

Yes, it's possible, but it isn't prioritized at this moment. By the way, could you tell me what purpose you use Circom for?

doutv commented 1 day ago

Server proving and mobile proving, since Tachyon is better than rapidsnark

Mopro plans to integrate Tachyon Circom for mobile proving: https://github.com/zkmopro/mopro/issues/143

They benchmark and find Tachyon is the fastest: https://docs.google.com/spreadsheets/d/1irKg_TOP-yXms8igwCN_3OjVrtFe5gTHkuF0RbrVuho/edit?gid=289866675#gid=289866675