Reduce information in transcript of LIP proofs.

mathsjames · copybara-github · commit 53b301b23ad1 · 2026-01-08T06:23:24.000-08:00
Have the linear inner product proofs only commit to the seeds used to generate parameters in the transcript. This more than halves the run time of the LIP prove and verify functions. Corresponding to saving about 21% of the computation in forming and verifying a single client message.

PiperOrigin-RevId: 853711463
diff --git a/willow/src/zk/linear_ip.rs b/willow/src/zk/linear_ip.rs
@@ -36,6 +36,7 @@ pub struct LinearInnerProductParameters {
     F: RistrettoPoint,
     F_: RistrettoPoint,
     G: Vec<RistrettoPoint>,
+    seed: Vec<u8>,
 }
 
 pub fn inner_product(a: &[Scalar], b: &[Scalar]) -> Scalar {
@@ -59,6 +60,7 @@ fn common_setup(length: usize, parameter_seed: &[u8]) -> LinearInnerProductParam
                 )
             })
             .collect(),
+        seed: parameter_seed.to_vec(),
     }
 }
 
@@ -67,11 +69,9 @@ fn append_params_to_transcript(
     params: &LinearInnerProductParameters,
 ) {
     transcript.append_u64(b"n", params.n as u64);
-    for G_i in &params.G {
-        transcript.append_message(b"G_i", G_i.compress().as_bytes());
-    }
-    transcript.append_message(b"F", params.F.compress().as_bytes());
-    transcript.append_message(b"F_", params.F_.compress().as_bytes());
+    // We append the seed not the resulting params themselves because appending that many params
+    // more than doubles the run time of both prove and verify.
+    transcript.append_message(b"seed", &params.seed);
 }
 
 fn validate_and_append_point(

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,7 @@ pub struct LinearInnerProductParameters {`
`36`	`36`	`F: RistrettoPoint,`
`37`	`37`	`F_: RistrettoPoint,`
`38`	`38`	`G: Vec<RistrettoPoint>,`
	`39`	`+ seed: Vec<u8>,`
`39`	`40`	`}`
`40`	`41`
`41`	`42`	`pub fn inner_product(a: &[Scalar], b: &[Scalar]) -> Scalar {`
`@@ -59,6 +60,7 @@ fn common_setup(length: usize, parameter_seed: &[u8]) -> LinearInnerProductParam`
`59`	`60`	`)`
`60`	`61`	`})`
`61`	`62`	`.collect(),`
	`63`	`+ seed: parameter_seed.to_vec(),`
`62`	`64`	`}`
`63`	`65`	`}`
`64`	`66`
`@@ -67,11 +69,9 @@ fn append_params_to_transcript(`
`67`	`69`	`params: &LinearInnerProductParameters,`
`68`	`70`	`) {`
`69`	`71`	`transcript.append_u64(b"n", params.n as u64);`
`70`		`- for G_i in &params.G {`
`71`		`- transcript.append_message(b"G_i", G_i.compress().as_bytes());`
`72`		`- }`
`73`		`- transcript.append_message(b"F", params.F.compress().as_bytes());`
`74`		`- transcript.append_message(b"F_", params.F_.compress().as_bytes());`
	`72`	`+ // We append the seed not the resulting params themselves because appending that many params`
	`73`	`+ // more than doubles the run time of both prove and verify.`
	`74`	`+ transcript.append_message(b"seed", &params.seed);`
`75`	`75`	`}`
`76`	`76`
`77`	`77`	`fn validate_and_append_point(`