feat: add Groth16+BSB22 backend #427

Open
rose2221 wants to merge 18 commits into main from rs/groth16_impl
rose2221 (Collaborator) commented Apr 29, 2026

Adds an end-to-end Groth16 proving/verifying backend on BN254 with the BSB22 Pedersen-commitment extension, alongside the existing WHIR pipeline. Selectable at prepare time via --backend whir|groth16.

rose2221 marked this pull request as draft April 29, 2026 12:11

github-actions Bot commented Apr 29, 2026

CSP benchmarks

| Metric | Value |
|---|---|
| Workflow status | [PASS] success |
| Commit | 6c5869b81499 |
| Run | #25729761461 |
| Distinct circuits | 21 |
| Backends benchmarked | WHIR backend (21), Groth16 backend (21) |
| Iterations averaged per (circuit, backend) | 3 |

Prover time, peak RSS, peak heap, and verifier time are arithmetic means across the iterations. Peak heap comes from the largest peak memory entry in provekit-cli prove's tracing output; peak RSS is reported by /usr/bin/time -v (max-resident-set-size).

Each metric cell shows the current value followed by the percentage delta against the latest successful main run #25494153164. (new) marks (circuit, backend) pairs absent from the baseline.

WHIR backend

Results
| Circuit | Constraints | Witnesses | Prover time | Peak RSS | Peak heap | Verifier time | Proof size | PKP size |
|---|---|---|---|---|---|---|---|---|
| ecdsa_p256 | 143,282 (±0.0%) | 258,158 (±0.0%) | 3.05 s (+1.6%) | 253 MB (-2.3%) | 225 MB (±0.0%) | 370 ms (+5.6%) | 2.79 MB (-0.7%) | 2.79 MB (+253.1%) |
| keccak_1024 | 822,870 (±0.0%) | 1,543,366 (±0.0%) | 6.18 s (-4.0%) | 980 MB (-0.6%) | 953 MB (±0.0%) | 966 ms (+12.4%) | 3.11 MB (-0.6%) | 21.30 MB (+250.6%) |
| keccak_128 | 163,058 (±0.0%) | 313,707 (±0.0%) | 2.11 s (-1.2%) | 272 MB (-1.5%) | 242 MB (+0.1%) | 397 ms (+7.2%) | 2.78 MB (-1.5%) | 4.13 MB (+237.9%) |
| keccak_2048 | 1,575,606 (±0.0%) | 2,945,822 (±0.0%) | 11.52 s (-3.5%) | 1.81 GB (-0.2%) | 1.80 GB (±0.0%) | 1.66 s (+12.7%) | 3.25 MB (+0.5%) | 41.74 MB (+237.6%) |
| keccak_256 | 256,206 (±0.0%) | 487,012 (±0.0%) | 2.26 s (-3.1%) | 330 MB (+0.6%) | 290 MB (-0.1%) | 441 ms (+5.9%) | 2.84 MB (-0.3%) | 6.56 MB (+233.2%) |
| keccak_512 | 445,094 (±0.0%) | 839,130 (±0.0%) | 3.52 s (-4.2%) | 592 MB (-0.3%) | 509 MB (±0.0%) | 601 ms (+7.3%) | 3.02 MB (-0.5%) | 11.53 MB (+238.8%) |
| poseidon2_12 | 479 (±0.0%) | 563 (±0.0%) | 347 ms (-2.8%) | 22.34 MB (-7.9%) | 14.69 MB (±0.0%) | 111 ms (+11.0%) | 1.02 MB (-0.7%) | 453 KB (+3.9%) |
| poseidon2_16 | 556 (±0.0%) | 719 (±0.0%) | 350 ms (-2.8%) | 22.80 MB (-7.5%) | 14.88 MB (±0.0%) | 112 ms (+8.4%) | 1.02 MB (+0.1%) | 552 KB (+4.1%) |
| poseidon2_2 | 231 (±0.0%) | 278 (±0.0%) | 340 ms (-2.9%) | 21.65 MB (-8.2%) | 14.11 MB (±0.0%) | 116 ms (+12.0%) | 1.04 MB (+0.8%) | 113 KB (+4.2%) |
| poseidon2_4 | 529 (±0.0%) | 535 (±0.0%) | 340 ms (-1.9%) | 22.08 MB (-7.5%) | 14.31 MB (±0.0%) | 109 ms (+9.3%) | 1.04 MB (+3.3%) | 42.72 KB (+34.9%) |
| poseidon2_8 | 363 (±0.0%) | 423 (±0.0%) | 343 ms (-3.8%) | 22.20 MB (-9.4%) | 14.50 MB (±0.0%) | 110 ms (+10.3%) | 1.04 MB (+0.2%) | 379 KB (+3.7%) |
| poseidon_12 | 504 (±0.0%) | 524 (±0.0%) | 350 ms (-1.9%) | 22.37 MB (-9.5%) | 14.69 MB (±0.0%) | 112 ms (+8.1%) | 1.04 MB (+1.2%) | 426 KB (+3.9%) |
| poseidon_16 | 609 (±0.0%) | 633 (±0.0%) | 350 ms (-0.9%) | 22.72 MB (-7.6%) | 14.97 MB (±0.0%) | 112 ms (+12.0%) | 1.05 MB (+1.3%) | 558 KB (+3.9%) |
| poseidon_2 | 240 (±0.0%) | 249 (±0.0%) | 340 ms (-1.0%) | 21.48 MB (-8.2%) | 14.02 MB (±0.0%) | 110 ms (+10.3%) | 1.03 MB (-1.1%) | 56.28 KB (+4.6%) |
| poseidon_4 | 297 (±0.0%) | 309 (±0.0%) | 340 ms (-3.8%) | 22.11 MB (-7.6%) | 14.31 MB (±0.0%) | 111 ms (+10.7%) | 1.04 MB (+1.8%) | 217 KB (+3.4%) |
| poseidon_8 | 402 (±0.0%) | 418 (±0.0%) | 350 ms (±0.0%) | 22.30 MB (-6.8%) | 14.50 MB (±0.0%) | 112 ms (+11.7%) | 1.01 MB (-2.4%) | 316 KB (+3.7%) |
| sha256_1024 | 196,940 (±0.0%) | 339,764 (±0.0%) | 2.13 s (-4.9%) | 304 MB (-1.3%) | 273 MB (+0.1%) | 447 ms (+5.5%) | 2.81 MB (-1.0%) | 5.44 MB (+186.4%) |
| sha256_128 | 46,398 (±0.0%) | 80,974 (±0.0%) | 1.07 s (-1.8%) | 98.92 MB (-1.2%) | 83.73 MB (+0.1%) | 273 ms (+4.9%) | 2.52 MB (+0.7%) | 1.24 MB (+149.9%) |
| sha256_2048 | 345,399 (±0.0%) | 612,724 (±0.0%) | 3.50 s (-3.1%) | 545 MB (-0.6%) | 484 MB (+0.1%) | 674 ms (+10.5%) | 3.00 MB (+0.3%) | 9.42 MB (+210.7%) |
| sha256_256 | 67,904 (±0.0%) | 117,944 (±0.0%) | 1.35 s (-3.3%) | 148 MB (-2.9%) | 130 MB (+0.2%) | 308 ms (+4.9%) | 2.63 MB (-1.3%) | 1.85 MB (+162.5%) |
| sha256_512 | 110,916 (±0.0%) | 191,884 (±0.0%) | 1.49 s (-2.8%) | 179 MB (-1.3%) | 158 MB (±0.0%) | 344 ms (+5.4%) | 2.67 MB (-0.9%) | 3.03 MB (+178.2%) |

Groth16 backend

Results
| Circuit | Constraints | Witnesses | Prover time | Peak RSS | Peak heap | Verifier time | Proof size | PKP size |
|---|---|---|---|---|---|---|---|---|
| ecdsa_p256 | 143,282 (new) | 258,158 (new) | 3.33 s (new) | 301 MB (new) | 250 MB (new) | 39 ms (new) | 234 B (new) | 73.71 MB (new) |
| keccak_1024 | 822,870 (new) | 1,543,366 (new) | 9.20 s (new) | 1.14 GB (new) | 1.13 GB (new) | 189 ms (new) | 234 B (new) | 398 MB (new) |
| keccak_128 | 163,058 (new) | 313,707 (new) | 1.95 s (new) | 320 MB (new) | 277 MB (new) | 46 ms (new) | 234 B (new) | 81.75 MB (new) |
| keccak_2048 | 1,575,606 (new) | 2,945,822 (new) | 17.11 s (new) | 2.07 GB (new) | 2.17 GB (new) | 355 ms (new) | 234 B (new) | 764 MB (new) |
| keccak_256 | 256,206 (new) | 487,012 (new) | 2.69 s (new) | 416 MB (new) | 345 MB (new) | 65 ms (new) | 234 B (new) | 119 MB (new) |
| keccak_512 | 445,094 (new) | 839,130 (new) | 4.78 s (new) | 677 MB (new) | 618 MB (new) | 104 ms (new) | 234 B (new) | 212 MB (new) |
| poseidon2_12 | 479 (new) | 563 (new) | 20 ms (new) | 9.23 MB (new) | 3.23 MB (new) | 8 ms (new) | 205 B (new) | 648 KB (new) |
| poseidon2_16 | 556 (new) | 719 (new) | 30 ms (new) | 9.70 MB (new) | 3.67 MB (new) | 8 ms (new) | 205 B (new) | 816 KB (new) |
| poseidon2_2 | 231 (new) | 278 (new) | 10 ms (new) | 8.68 MB (new) | 2.06 MB (new) | 5 ms (new) | 205 B (new) | 206 KB (new) |
| poseidon2_4 | 529 (new) | 535 (new) | 20 ms (new) | 9.73 MB (new) | 2.28 MB (new) | 4 ms (new) | 205 B (new) | 227 KB (new) |
| poseidon2_8 | 363 (new) | 423 (new) | 20 ms (new) | 8.98 MB (new) | 2.92 MB (new) | 7 ms (new) | 205 B (new) | 527 KB (new) |
| poseidon_12 | 504 (new) | 524 (new) | 20 ms (new) | 9.19 MB (new) | 3.13 MB (new) | 7 ms (new) | 205 B (new) | 600 KB (new) |
| poseidon_16 | 609 (new) | 633 (new) | 30 ms (new) | 9.85 MB (new) | 3.61 MB (new) | 8 ms (new) | 205 B (new) | 798 KB (new) |
| poseidon_2 | 240 (new) | 249 (new) | 10 ms (new) | 8.41 MB (new) | 1.92 MB (new) | 4 ms (new) | 205 B (new) | 140 KB (new) |
| poseidon_4 | 297 (new) | 309 (new) | 20 ms (new) | 8.70 MB (new) | 2.40 MB (new) | 6 ms (new) | 205 B (new) | 333 KB (new) |
| poseidon_8 | 402 (new) | 418 (new) | 20 ms (new) | 9.20 MB (new) | 2.75 MB (new) | 6 ms (new) | 205 B (new) | 469 KB (new) |
| sha256_1024 | 196,940 (new) | 339,764 (new) | 2.62 s (new) | 406 MB (new) | 293 MB (new) | 69 ms (new) | 334 B (new) | 94.51 MB (new) |
| sha256_128 | 46,398 (new) | 80,974 (new) | 710 ms (new) | 97.84 MB (new) | 71.72 MB (new) | 21 ms (new) | 377 B (new) | 22.40 MB (new) |
| sha256_2048 | 345,399 (new) | 612,724 (new) | 4.56 s (new) | 587 MB (new) | 523 MB (new) | 148 ms (new) | 336 B (new) | 169 MB (new) |
| sha256_256 | 67,904 (new) | 117,944 (new) | 1.07 s (new) | 162 MB (new) | 123 MB (new) | 28 ms (new) | 379 B (new) | 34.95 MB (new) |
| sha256_512 | 110,916 (new) | 191,884 (new) | 1.47 s (new) | 193 MB (new) | 164 MB (new) | 42 ms (new) | 362 B (new) | 52.18 MB (new) |

rose2221 marked this pull request as ready for review May 6, 2026 11:53
rose2221 and others added 10 commits May 8, 2026 14:15
- Added prover implementation in  to generate Groth16+BSB22 proofs from R1CS and witness.
- Introduced setup functionality in  to create ProvingKey and VerifyingKey from R1CS, including toxic waste management.
- Defined core types in  for Proof, ProvingKey, and VerifyingKey, following DIZK notation.
- Implemented verifier logic in  to validate proofs against the verifying key, including BSB22 commitment verification.
- Added utility functions for hashing and commitment challenge derivation.
- Included tests for hashing and setup with trivial R1CS to ensure correctness.
- Incremented PROVER_VERSION to 1.3 and VERIFIER_VERSION to 1.4 in binary_format.rs.
- Added Groth16 prover struct and integrated it into the Prover enum.
- Enhanced NoirProof to include Groth16 variant with public inputs and proof data.
- Implemented Groth16 proving logic in the Prove trait for Groth16Prover.
- Updated Verifier to handle Groth16 proofs and added serialization for VerifyingKey.
- Modified CLI commands to support Groth16 backend for preparing proofs.
- Adjusted tests and examples to accommodate changes in proof handling.
…upport

- Updated the setup function to accept multiple challenges per commitment, allowing for more flexible challenge generation.
- Modified the Proof struct to include validation checks for proof elements on the curve and in the correct subgroup.
- Improved the verifier to handle multiple challenges derived from a single commitment, ensuring proper serialization and verification.
- Refactored the Prover implementation to streamline the commitment process, utilizing a single Pedersen commitment for multiple challenges.
- Enhanced error handling and logging throughout the setup and verification processes for better debugging and traceability.
- Move Prover/Groth16Prover/Groth16CommitmentInfo from provekit-common to
  a new provekit_prover::prover_types, breaking the dep cycle that kept
  the Groth16 PK stored as raw Vec<u8> rather than a typed ProvingKey.
- Add provekit_prover::pkp_io with split-section .pkp v1.4 layout:
  header + single zstd stream of postcard-encoded metadata followed by
  raw arkworks-encoded ProvingKey bytes. Streaming postcard reader feeds
  directly off the zstd Decoder; no decompressed Vec<u8> is materialised.
- Switch .pkp compression from xz to zstd (~2.5x faster reads, +4% size).
- Custom Serde adapter on provekit_groth16::ProvingKey emits/decodes a
  zero-byte placeholder so the typed PK rides through serde transparently
  while its actual bytes live in the appended section.
- Split groth16::prover::prove into bsb22_pok / prove_ar_bs_bs1 /
  prove_krs so the outer prove_with_witness can run compute_h in parallel
  with the H-independent stages via rayon::join.
- Inside prove_ar_bs_bs1 run the three MSMs sequentially: arkworks MSM
  is already rayon-parallel internally, so concurrent calls only stack
  bucket allocators without speeding up wall clock.
- Chunk Pedersen commit/PoK MSMs (100k-element chunks) to cap arkworks'
  per-call transient state.
- Destructure the typed PK in prove_with_witness and drop each base
  vector immediately after its MSM finishes; drop program /
  witness_generator after public-input extraction.

Measured on complete_age_check (~1M wires, 636k constraints):
  peak memory: 1.51 GB -> 789 MB (-48%)
  end-to-end:  3.84 s -> 2.87 s   (-25%)
rose2221 force-pushed the rs/groth16_impl branch from fec17a2 to 1d62725 Compare May 8, 2026 09:05
rose2221 changed the title groth16 impl feat(: add Groth16+BSB22 backend May 8, 2026
rose2221 changed the title feat(: add Groth16+BSB22 backend feat: add Groth16+BSB22 backend May 8, 2026
rose2221 added 6 commits May 8, 2026 16:04
…ts; clarify wire index conventions and Krs validation
- Introduced  for a borrowed view over  bases, allowing for polymorphic access to either owned or mmap'd bases without runtime overhead.
- Updated  to use  instead of  directly, enhancing memory efficiency.
- Added  module for mmap-backed  file I/O, providing a faster alternative to the legacy zstd format.
- Implemented  and  functions for handling mmap files, including necessary metadata and alignment.
- Updated  to support both owned and mmap-backed proving keys, ensuring zero-byte serialization for compatibility.
- Enhanced command-line interface to allow users to specify mmap usage for Groth16 backends, improving load times at the cost of larger artifact sizes.
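
One of the commit messages above adds validation that proof elements are on the curve and in the correct subgroup. As an added illustration (not code from this PR, ProveKit or arkworks), the example below applies those checks to a BN254 G1 point in plain Python; the 64-byte big-endian x||y encoding and all function names are assumptions made for the example.

```python
# Added illustration: validating an untrusted BN254 G1 point before use.
# The x||y big-endian encoding is an assumption, not the arkworks wire format.
P = 21888242871839275222246405745257275088696311157297823662689037894645226208583  # base field
R = 21888242871839275222246405745257275088548364400416034343698204186575808495617  # group order
B = 3       # curve equation: y^2 = x^3 + 3 over F_P
INF = None  # point at infinity

def add(p1, p2):
    """Affine point addition, including doubling and inverse points."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        lam = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; inputs are public)."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def decode_g1(data: bytes):
    """Return (x, y) only if the encoding passes every check; raise ValueError otherwise."""
    if len(data) != 64:
        raise ValueError("wrong length")
    x, y = int.from_bytes(data[:32], "big"), int.from_bytes(data[32:], "big")
    if x >= P or y >= P:
        raise ValueError("non-canonical coordinate")  # reject aliases of x mod P
    if (y * y - x * x * x - B) % P != 0:
        raise ValueError("not on curve")  # also rejects the all-zero encoding
    if mul(R, (x, y)) is not INF:
        raise ValueError("not in prime-order subgroup")
    return (x, y)
```

BN254 G1 has cofactor 1, so every on-curve G1 point already passes the subgroup test; the explicit check matters for G2 elements, whose curve has a large cofactor.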