For the test folding::nova::tests::test_ivc:
Before 520db300f3f8929b211b91897ec1ed4387d06d7a: 138240
After 520db300f3f8929b211b91897ec1ed4387d06d7a: 86756 (1.6x improvement)
Two notable optimization techniques are employed:
Instead of allocating two witness variables a, b and enforce their equality by calling a.conditional_enforce_equal(&b, &cond), we can avoid the allocation of b and directly set b = a. The former might be costly due to the checks in allocation and conditional_enforce_equal. See nova/circuits.rs for details.
Before 520db300f3f8929b211b91897ec1ed4387d06d7a, NonNativeFieldVar::to_constraint_field was majorly called for generating the inputs (preimage) to hash functions. However, it turns out that the underlying conversion strategy (optimized for weight), although aimed to reducing the number of limbs, is suboptimal for reducing the length of hash preimage. We can go further by maximizing the number of bits per limb, thereby minimizing the preimage length. See circuits/nonnative.rs for details.
This PR depends on #84.
For the test
folding::nova::tests::test_ivc: Before 520db300f3f8929b211b91897ec1ed4387d06d7a: 138240 After 520db300f3f8929b211b91897ec1ed4387d06d7a: 86756 (1.6x improvement)Two notable optimization techniques are employed:
a, band enforce their equality by callinga.conditional_enforce_equal(&b, &cond), we can avoid the allocation ofband directly setb = a. The former might be costly due to the checks in allocation andconditional_enforce_equal. Seenova/circuits.rsfor details.NonNativeFieldVar::to_constraint_fieldwas majorly called for generating the inputs (preimage) to hash functions. However, it turns out that the underlying conversion strategy (optimized for weight), although aimed to reducing the number of limbs, is suboptimal for reducing the length of hash preimage. We can go further by maximizing the number of bits per limb, thereby minimizing the preimage length. Seecircuits/nonnative.rsfor details.