Skip to content

BatchVerifier #66

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
davxy wants to merge 13 commits into
base: batch-ring-proof
Choose a base branch
from
Open

BatchVerifier #66

davxy wants to merge 13 commits into from
+165 −37

Conversation

@davxy
Copy link
Member

@davxy davxy commented Jan 28, 2026
edited
Loading

This PR targets batching branch

Introduce a batching structure for ring proofs that bundles the KzgAccumulator and the RingVerifier, providing greater flexibility for downstream users.

This would be further improved if KzgAccumulator implemented CanonicalSerialize and CanonicalDeserialize, enabling batching across blocks.

Proofs can be prepared for batch verification in parallel. Prepared proofs can be accumulated.
Performance boost ~2x

Some benches

Batch vs sequential verification times (ms):

Sequential prepare+accumulate

// | proofs | sequential | batch  | speedup |
// |--------|------------|--------|---------|
// | 1      | 3.032      | 2.790  | 1.09x   |
// | 2      | 6.425      | 3.218  | 2.00x   |
// | 4      | 11.968     | 5.122  | 2.34x   |
// | 8      | 23.922     | 6.487  | 3.69x   |
// | 16     | 47.773     | 10.002 | 4.78x   |
// | 32     | 95.570     | 16.601 | 5.76x   |
// | 64     | 210.959    | 29.484 | 7.15x   |
// | 128    | 422.217    | 52.170 | 8.09x   |
// | 256    | 762.874    | 85.164 | 8.96x   |

Sequential verification scales linearly with proof count.
Batch verification scales sub-linearly.

Parallel prepare + final sequential accumulate

NOTE: Parallel preparation can roughly yield an extra 2x speedup.
The parallel crate feature does not enable this.
Downstream users can perform parallel preparation themselves. Each Prepared proof consumes ~3K, which may introduce significant hidden overhead when preparing big batches, so it may be preferable to accumulate every X proofs rather than the entire batch at once to save memory.

@davxy davxy mentioned this pull request Jan 28, 2026
Draft
@davxy davxy requested review from drskalman and swasilyev January 28, 2026 17:48
ggwpez
ggwpez reviewed Jan 29, 2026
View reviewed changes
@davxy davxy requested a review from ggwpez January 29, 2026 17:56
@davxy davxy requested review from burdges and removed request for ggwpez January 29, 2026 18:43
davxy
davxy commented Jan 29, 2026
View reviewed changes
w3f-ring-proof/src/ring_verifier.rs
Comment on lines +147 to +157
// Pick some entropy from plonk verifier for later usage
let mut entropy = [0_u8; 32];
rng.fill_bytes(&mut entropy);

PreparedBatchItem {
piop,
proof,
challenges,
entropy,
}
}
Copy link
Member Author

@davxy davxy Jan 29, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@swasilyev @burdges @drskalman Need some extra attention here.
In practice, instead of immediately using the returned rng, we pick some randomness from it to be used later in the push_prepared

davxy
davxy commented Jan 29, 2026
View reviewed changes
w3f-ring-proof/src/ring_verifier.rs
Comment on lines +159 to +164
pub fn push_prepared(&mut self, item: PreparedBatchItem<E, J>) {
let mut ts = self.verifier.plonk_verifier.transcript_prelude.clone();
ts._add_serializable(b"batch-entropy", &item.entropy);
self.acc
.accumulate(item.piop, item.proof, item.challenges, &mut ts.to_rng());
}
Copy link
Member Author

@davxy davxy Jan 29, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@swasilyev @burdges @drskalman here I pick the randomness back to:

  • extend verifier transcript
  • and use the derived rng in accumulate

ggwpez
ggwpez approved these changes Feb 2, 2026
View reviewed changes
@davxy davxy changed the title BatchVerifier structure BatchVerifier Feb 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ggwpez ggwpez ggwpez approved these changes

@swasilyev swasilyev Awaiting requested review from swasilyev

@drskalman drskalman Awaiting requested review from drskalman

@burdges burdges Awaiting requested review from burdges

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@davxy @ggwpez