feat: add Groth16+BSB22 backend #427

Open
rose2221 wants to merge 23 commits into main from rs/groth16_impl

Conversation

@rose2221
Collaborator

@rose2221 rose2221 commented Apr 29, 2026

Adds an end-to-end Groth16 proving/verifying backend on BN254 with the BSB22 Pedersen-commitment extension, alongside the existing WHIR pipeline. Selectable at prepare time via --backend whir|groth16.

@rose2221 rose2221 marked this pull request as draft April 29, 2026 12:11
@github-actions

github-actions Bot commented Apr 29, 2026

CSP benchmarks

| Metric | Value |
| --- | --- |
| Workflow status | [PASS] success |
| Commit | c62a72bf05c0 |
| Run | #26636330974 |
| Distinct circuits | 21 |
| Backends benchmarked | WHIR backend (21), Groth16 backend (21) |
| Iterations averaged per (circuit, backend) | 3 |

Prover time, peak RSS, peak heap, and verifier time are arithmetic means across the iterations. Peak heap comes from the largest peak memory entry in provekit-cli prove's tracing output; peak RSS is reported by /usr/bin/time -v (max-resident-set-size).

Each metric cell shows the current value followed by the percentage delta against the latest successful main run #26627835985. (new) marks (circuit, backend) pairs absent from the baseline.

WHIR backend

Results
| Circuit | Constraints | Witnesses | Prover time | Peak RSS | Peak heap | Verifier time | Proof size | PKP size |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| ecdsa_p256 | 143,293 (±0.0%) | 258,158 (±0.0%) | 2.54 s (-14.9%) | 190 MB (-26.0%) | 167 MB (-26.0%) | 333 ms (-2.1%) | 2.70 MB (-3.4%) | 2.76 MB (+249.4%) |
| keccak_1024 | 822,880 (±0.0%) | 1,543,366 (±0.0%) | 6.07 s (-5.0%) | 980 MB (-0.5%) | 953 MB (±0.0%) | 919 ms (+8.1%) | 3.13 MB (-0.2%) | 21.30 MB (+250.6%) |
| keccak_128 | 163,065 (±0.0%) | 313,707 (±0.0%) | 2.09 s (-0.9%) | 273 MB (-0.3%) | 241 MB (-0.3%) | 384 ms (+3.9%) | 2.78 MB (-0.6%) | 4.14 MB (+238.9%) |
| keccak_2048 | 1,575,617 (±0.0%) | 2,945,822 (±0.0%) | 11.33 s (-4.3%) | 1.81 GB (-0.1%) | 1.80 GB (±0.0%) | 1.57 s (+9.3%) | 3.27 MB (-0.7%) | 41.64 MB (+236.7%) |
| keccak_256 | 256,216 (±0.0%) | 487,012 (±0.0%) | 2.27 s (-2.2%) | 328 MB (±0.0%) | 290 MB (-0.2%) | 435 ms (+6.2%) | 2.83 MB (-0.9%) | 6.58 MB (+234.0%) |
| keccak_512 | 445,104 (±0.0%) | 839,130 (±0.0%) | 3.51 s (-3.2%) | 588 MB (-1.0%) | 509 MB (-0.1%) | 594 ms (+8.7%) | 3.03 MB (+1.6%) | 11.54 MB (+239.3%) |
| poseidon2_12 | 479 (±0.0%) | 563 (±0.0%) | 350 ms (±0.0%) | 22.63 MB (-5.1%) | 14.69 MB (±0.0%) | 111 ms (+11.3%) | 1.02 MB (-2.9%) | 453 KB (+3.9%) |
| poseidon2_16 | 556 (±0.0%) | 719 (±0.0%) | 350 ms (-1.9%) | 23.15 MB (-4.2%) | 14.88 MB (±0.0%) | 113 ms (+13.3%) | 1.06 MB (+2.5%) | 552 KB (+4.1%) |
| poseidon2_2 | 231 (±0.0%) | 278 (±0.0%) | 340 ms (-3.8%) | 22.03 MB (-4.4%) | 14.11 MB (±0.0%) | 110 ms (+10.0%) | 1.03 MB (+0.4%) | 113 KB (+4.2%) |
| poseidon2_4 | 529 (±0.0%) | 535 (±0.0%) | 340 ms (-1.9%) | 22.38 MB (-4.2%) | 14.31 MB (±0.0%) | 110 ms (+10.0%) | 1.05 MB (+1.0%) | 42.72 KB (+34.9%) |
| poseidon2_8 | 363 (±0.0%) | 423 (±0.0%) | 343 ms (-1.9%) | 22.64 MB (-6.3%) | 14.50 MB (±0.0%) | 112 ms (+11.7%) | 1.03 MB (+1.9%) | 379 KB (+3.7%) |
| poseidon_12 | 504 (±0.0%) | 524 (±0.0%) | 350 ms (-0.9%) | 22.68 MB (-6.3%) | 14.69 MB (±0.0%) | 113 ms (+12.7%) | 1.03 MB (-0.2%) | 426 KB (+3.9%) |
| poseidon_16 | 609 (±0.0%) | 633 (±0.0%) | 353 ms (-1.0%) | 23.02 MB (-5.1%) | 14.97 MB (±0.0%) | 113 ms (+12.7%) | 1.03 MB (-0.7%) | 558 KB (+3.9%) |
| poseidon_2 | 240 (±0.0%) | 249 (±0.0%) | 340 ms (±0.0%) | 21.99 MB (-3.8%) | 14.02 MB (±0.0%) | 110 ms (+9.7%) | 1.03 MB (-2.3%) | 56.28 KB (+4.6%) |
| poseidon_4 | 297 (±0.0%) | 309 (±0.0%) | 343 ms (-1.9%) | 22.50 MB (-4.0%) | 14.31 MB (±0.0%) | 110 ms (+10.3%) | 1.05 MB (-0.3%) | 217 KB (+3.4%) |
| poseidon_8 | 402 (±0.0%) | 418 (±0.0%) | 350 ms (-0.9%) | 22.67 MB (-2.6%) | 14.50 MB (±0.0%) | 110 ms (+10.3%) | 1.03 MB (±0.0%) | 316 KB (+3.7%) |
| sha256_1024 | 196,959 (±0.0%) | 339,764 (±0.0%) | 2.15 s (-2.9%) | 306 MB (-2.0%) | 273 MB (-0.1%) | 444 ms (+5.6%) | 2.82 MB (+1.3%) | 5.39 MB (+184.9%) |
| sha256_128 | 46,417 (±0.0%) | 80,974 (±0.0%) | 1.07 s (-1.5%) | 99.25 MB (-1.1%) | 83.61 MB (-0.2%) | 273 ms (+5.1%) | 2.50 MB (+0.5%) | 1.24 MB (+151.9%) |
| sha256_2048 | 345,419 (±0.0%) | 612,724 (±0.0%) | 3.53 s (-1.7%) | 546 MB (-1.0%) | 484 MB (±0.0%) | 669 ms (+11.5%) | 2.96 MB (-1.8%) | 9.33 MB (+207.1%) |
| sha256_256 | 67,923 (±0.0%) | 117,944 (±0.0%) | 1.37 s (-1.4%) | 149 MB (-1.2%) | 131 MB (+0.5%) | 312 ms (+7.5%) | 2.65 MB (+0.3%) | 1.84 MB (+164.5%) |
| sha256_512 | 110,935 (±0.0%) | 191,884 (±0.0%) | 1.48 s (-2.2%) | 176 MB (-3.6%) | 158 MB (±0.0%) | 344 ms (+7.4%) | 2.66 MB (-1.2%) | 3.00 MB (+173.0%) |

Groth16 backend

Results
| Circuit | Constraints | Witnesses | Prover time | Peak RSS | Peak heap | Verifier time | Proof size | PKP size |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| ecdsa_p256 | 143,293 (new) | 258,158 (new) | 3.27 s (new) | 236 MB (new) | 249 MB (new) | 35 ms (new) | 234 B (new) | 74.24 MB (new) |
| keccak_1024 | 822,880 (new) | 1,543,366 (new) | 8.86 s (new) | 984 MB (new) | 995 MB (new) | 168 ms (new) | 234 B (new) | 399 MB (new) |
| keccak_128 | 163,065 (new) | 313,707 (new) | 1.88 s (new) | 272 MB (new) | 237 MB (new) | 40 ms (new) | 234 B (new) | 82.04 MB (new) |
| keccak_2048 | 1,575,617 (new) | 2,945,822 (new) | 17.17 s (new) | 1.71 GB (new) | 1.87 GB (new) | 326 ms (new) | 234 B (new) | 770 MB (new) |
| keccak_256 | 256,216 (new) | 487,012 (new) | 2.71 s (new) | 338 MB (new) | 310 MB (new) | 60 ms (new) | 234 B (new) | 120 MB (new) |
| keccak_512 | 445,104 (new) | 839,130 (new) | 4.80 s (new) | 553 MB (new) | 527 MB (new) | 97 ms (new) | 234 B (new) | 213 MB (new) |
| poseidon2_12 | 479 (new) | 563 (new) | 23 ms (new) | 9.10 MB (new) | 3.24 MB (new) | 8 ms (new) | 205 B (new) | 649 KB (new) |
| poseidon2_16 | 556 (new) | 719 (new) | 30 ms (new) | 9.39 MB (new) | 3.68 MB (new) | 8 ms (new) | 205 B (new) | 818 KB (new) |
| poseidon2_2 | 231 (new) | 278 (new) | 13 ms (new) | 8.48 MB (new) | 2.06 MB (new) | 5 ms (new) | 205 B (new) | 207 KB (new) |
| poseidon2_4 | 529 (new) | 535 (new) | 20 ms (new) | 9.63 MB (new) | 2.28 MB (new) | 4 ms (new) | 205 B (new) | 228 KB (new) |
| poseidon2_8 | 363 (new) | 423 (new) | 23 ms (new) | 8.84 MB (new) | 2.93 MB (new) | 7 ms (new) | 205 B (new) | 526 KB (new) |
| poseidon_12 | 504 (new) | 524 (new) | 20 ms (new) | 9.07 MB (new) | 3.13 MB (new) | 8 ms (new) | 205 B (new) | 599 KB (new) |
| poseidon_16 | 609 (new) | 633 (new) | 30 ms (new) | 9.63 MB (new) | 3.62 MB (new) | 8 ms (new) | 204 B (new) | 798 KB (new) |
| poseidon_2 | 240 (new) | 249 (new) | 10 ms (new) | 8.22 MB (new) | 1.92 MB (new) | 4 ms (new) | 205 B (new) | 140 KB (new) |
| poseidon_4 | 297 (new) | 309 (new) | 20 ms (new) | 8.51 MB (new) | 2.40 MB (new) | 6 ms (new) | 205 B (new) | 334 KB (new) |
| poseidon_8 | 402 (new) | 418 (new) | 20 ms (new) | 8.87 MB (new) | 2.75 MB (new) | 7 ms (new) | 205 B (new) | 470 KB (new) |
| sha256_1024 | 196,959 (new) | 339,764 (new) | 2.59 s (new) | 282 MB (new) | 264 MB (new) | 64 ms (new) | 334 B (new) | 94.84 MB (new) |
| sha256_128 | 46,417 (new) | 80,974 (new) | 720 ms (new) | 84.94 MB (new) | 68.95 MB (new) | 20 ms (new) | 377 B (new) | 22.48 MB (new) |
| sha256_2048 | 345,419 (new) | 612,724 (new) | 4.77 s (new) | 479 MB (new) | 483 MB (new) | 139 ms (new) | 337 B (new) | 170 MB (new) |
| sha256_256 | 67,923 (new) | 117,944 (new) | 1.07 s (new) | 123 MB (new) | 100 MB (new) | 26 ms (new) | 379 B (new) | 35.10 MB (new) |
| sha256_512 | 110,935 (new) | 191,884 (new) | 1.49 s (new) | 172 MB (new) | 156 MB (new) | 39 ms (new) | 362 B (new) | 52.36 MB (new) |

@rose2221 rose2221 marked this pull request as ready for review May 6, 2026 11:53
rose2221 and others added 10 commits May 8, 2026 14:15
- Added prover implementation in  to generate Groth16+BSB22 proofs from R1CS and witness.
- Introduced setup functionality in  to create ProvingKey and VerifyingKey from R1CS, including toxic waste management.
- Defined core types in  for Proof, ProvingKey, and VerifyingKey, following DIZK notation.
- Implemented verifier logic in  to validate proofs against the verifying key, including BSB22 commitment verification.
- Added utility functions for hashing and commitment challenge derivation.
- Included tests for hashing and setup with trivial R1CS to ensure correctness.
- Incremented PROVER_VERSION to 1.3 and VERIFIER_VERSION to 1.4 in binary_format.rs.
- Added Groth16 prover struct and integrated it into the Prover enum.
- Enhanced NoirProof to include Groth16 variant with public inputs and proof data.
- Implemented Groth16 proving logic in the Prove trait for Groth16Prover.
- Updated Verifier to handle Groth16 proofs and added serialization for VerifyingKey.
- Modified CLI commands to support Groth16 backend for preparing proofs.
- Adjusted tests and examples to accommodate changes in proof handling.
…upport

- Updated the setup function to accept multiple challenges per commitment, allowing for more flexible challenge generation.
- Modified the Proof struct to include validation checks for proof elements on the curve and in the correct subgroup.
- Improved the verifier to handle multiple challenges derived from a single commitment, ensuring proper serialization and verification.
- Refactored the Prover implementation to streamline the commitment process, utilizing a single Pedersen commitment for multiple challenges.
- Enhanced error handling and logging throughout the setup and verification processes for better debugging and traceability.
- Move Prover/Groth16Prover/Groth16CommitmentInfo from provekit-common to
  a new provekit_prover::prover_types, breaking the dep cycle that kept
  the Groth16 PK stored as raw Vec<u8> rather than a typed ProvingKey.
- Add provekit_prover::pkp_io with split-section .pkp v1.4 layout:
  header + single zstd stream of postcard-encoded metadata followed by
  raw arkworks-encoded ProvingKey bytes. Streaming postcard reader feeds
  directly off the zstd Decoder; no decompressed Vec<u8> is materialised.
- Switch .pkp compression from xz to zstd (~2.5x faster reads, +4% size).
- Custom Serde adapter on provekit_groth16::ProvingKey emits/decodes a
  zero-byte placeholder so the typed PK rides through serde transparently
  while its actual bytes live in the appended section.
- Split groth16::prover::prove into bsb22_pok / prove_ar_bs_bs1 /
  prove_krs so the outer prove_with_witness can run compute_h in parallel
  with the H-independent stages via rayon::join.
- Inside prove_ar_bs_bs1 run the three MSMs sequentially: arkworks MSM
  is already rayon-parallel internally, so concurrent calls only stack
  bucket allocators without speeding up wall clock.
- Chunk Pedersen commit/PoK MSMs (100k-element chunks) to cap arkworks'
  per-call transient state.
- Destructure the typed PK in prove_with_witness and drop each base
  vector immediately after its MSM finishes; drop program /
  witness_generator after public-input extraction.

Measured on complete_age_check (~1M wires, 636k constraints):
  peak memory: 1.51 GB -> 789 MB (-48%)
  end-to-end:  3.84 s -> 2.87 s   (-25%)
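
The commit notes above mention validating that proof elements are on the curve and in the correct subgroup. The following is an added example of that check, not code from this PR or the project: it uses a toy curve (y^2 = x^3 + x + 1 over F_23, cofactor 4) instead of BN254, and the names `validate`, `Reject` and the sample points are constructed for illustration.

```rust
// Toy curve constructed for this example: y^2 = x^3 + x + 1 over F_23.
// It has 28 = 4 * 7 points, so the prime-order subgroup has order R = 7.
const P: i64 = 23;
const R: u64 = 7;
#[derive(Clone, Copy, Debug, PartialEq)]
enum Point { Inf, Aff(i64, i64) }
#[derive(Debug, PartialEq)]
enum Reject { NotOnCurve, WrongSubgroup }

fn md(x: i64) -> i64 { x.rem_euclid(P) }
// Field inverse by Fermat's little theorem: x^(P-2) mod P.
fn inv(x: i64) -> i64 { (0..P - 2).fold(1, |acc, _| md(acc * md(x))) }
// Canonical coordinates in [0, P) that satisfy the curve equation.
fn on_curve(p: Point) -> bool {
    match p {
        Point::Inf => true,
        Point::Aff(x, y) => (0..P).contains(&x) && (0..P).contains(&y)
            && md(y * y) == md(x * x * x + x + 1),
    }
}

fn add(p: Point, q: Point) -> Point {
    match (p, q) {
        (Point::Inf, _) => q,
        (_, Point::Inf) => p,
        (Point::Aff(x1, y1), Point::Aff(x2, y2)) => {
            if x1 == x2 && md(y1 + y2) == 0 { return Point::Inf; }
            let l = if x1 == x2 { md((3 * x1 * x1 + 1) * inv(2 * y1)) }
                    else { md((y2 - y1) * inv(x2 - x1)) };
            let x3 = md(l * l - x1 - x2);
            Point::Aff(x3, md(l * (x1 - x3) - y1))
        }
    }
}

fn mul(k: u64, p: Point) -> Point { (0..k).fold(Point::Inf, |acc, _| add(acc, p)) }

// Reject a decoded point unless it is on the curve and R * p is the identity.
fn validate(p: Point) -> Result<Point, Reject> {
    if !on_curve(p) { return Err(Reject::NotOnCurve); }
    if mul(R, p) != Point::Inf { return Err(Reject::WrongSubgroup); }
    Ok(p)
}

fn main() {
    println!("{:?}", validate(Point::Aff(1, 1))); // off the curve
    println!("{:?}", validate(Point::Aff(4, 0))); // on the curve, order 2
    println!("{:?}", validate(mul(4, Point::Aff(0, 1)))); // cofactor cleared
}
```

Of the 27 affine points on this toy curve, only the 6 non-identity elements of the order-7 subgroup pass `validate`; the other 21 satisfy the curve equation and would slip through a check that stops at `on_curve`.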
@rose2221 rose2221 force-pushed the rs/groth16_impl branch from fec17a2 to 1d62725 Compare May 8, 2026 09:05
@rose2221 rose2221 changed the title groth16 impl feat(: add Groth16+BSB22 backend May 8, 2026
@rose2221 rose2221 changed the title feat(: add Groth16+BSB22 backend feat: add Groth16+BSB22 backend May 8, 2026
rose2221 added 11 commits May 8, 2026 16:04
…ts; clarify wire index conventions and Krs validation
- Introduced  for a borrowed view over  bases, allowing for polymorphic access to either owned or mmap'd bases without runtime overhead.
- Updated  to use  instead of  directly, enhancing memory efficiency.
- Added  module for mmap-backed  file I/O, providing a faster alternative to the legacy zstd format.
- Implemented  and  functions for handling mmap files, including necessary metadata and alignment.
- Updated  to support both owned and mmap-backed proving keys, ensuring zero-byte serialization for compatibility.
- Enhanced command-line interface to allow users to specify mmap usage for Groth16 backends, improving load times at the cost of larger artifact sizes.
- Added  and  fields to  for optimized MSM input construction.
- Updated  function to utilize  for challenge generation, ensuring consistency with prover.
- Refactored  to improve memory management and reduce peak memory usage during proof generation.
- Introduced global BSB22 power chains in the R1CS compiler to optimize challenge allocation across multiple LogUp instances.
- Enhanced range check and spread table constraints to utilize shared challenge roots, minimizing witness allocation.
- Added new commands for exporting EVM proofs and Solidity contracts in the CLI.