perf(point_evaluation): precompute tau*G2 prepared + fuse G1 scalar muls by 0xVolosnikov · Pull Request #661 · matter-labs/zksync-os

0xVolosnikov · 2026-05-15T16:08:08Z

What ❔

Two follow-up optimizations on top of the rearranged KZG verifier (PR #660). Each commit is one optimization; benched A/B at the same parent commit using test_kzg_regression under ZKSYNC_RISC_V_RUN=true with the for-tests-benchmarking RISC-V binary.

Commit 1 — precompute `PREPARED_G2_BY_TAU` as a const

τ·G2 is the fixed KZG trusted-setup point. Every call to verify_kzg_proof previously ran the 68-step BLS12-381 Miller-loop coefficient precomputation (63 G2 doublings + 5 G2 adds in Fq²) on it. Moved to compile time as a const PREPARED_G2_BY_TAU. Same pattern as the upstream PREPARED_G2_GENERATOR const in airbender-crypto, applied to τ·G2.

Two cfg-gated variants:

host (#[cfg(not(feature = "proving"))]): 6-limb ark_bls12_381::Fp
proving (#[cfg(feature = "proving")]): 8-limb ark_ff_delegation::Fp (delegation-aligned)

A prepared_g2_by_tau_const_matches_runtime test asserts byte-equality vs G2_BY_TAU_POINT.into() in each variant — catches stale literals if upstream τ·G2 or the Miller-loop precomputation shape ever changes.

Commit 2 — fuse the two G1 scalar mults into a 2-base interleaved double-and-add

The rearranged verifier still did y * G1_gen and z * proof as two independent sw_double_and_add_projective calls — ~510 doublings total. Fused into a single interleaved loop over the 256 bits of the two scalars (~255 doublings + ~256 conditional adds).

Avoids arkworks' VariableBaseMSM::msm_bigint, which traps with an illegal instruction in the proving simulator because of internal allocation. Same pattern as the existing small-N path in basic_system::system_functions::bls12_381::msm — the local hand-rolled loop is allocation-free.

Negation of z (to fold the subtraction into an MSM-style positive-scalar form) is done once via Fr::from_bigint(z).neg().into_bigint(). z is canonical by upstream parse_scalar / Fr::into_bigint, so the from_bigint Option is statically safe to unwrap.

Why ❔

Cumulative effect on point_evaluation cycles:

Metric	Rearranged (#660) baseline	+ τG2 const	+ fused 2-base mul
`point_evaluation` raw cycles	31,791,155	29,615,041 (−6.84%)	29,391,408 (−7.55%)
`point_evaluation` bigint delegations	2,513,437	2,330,478 (−7.28%)	2,308,496 (−8.15%)
effective (raw + 4·bigint)	41,844,903	38,936,953 (−6.95%)	38,625,392 (−7.69%)
`dist/for_tests/app.bin`	1,337,196 B	1,343,276 B (+6,080 B)	1,340,044 B (+2,848 B)

vs the original pre-rearrangement verifier: −24.77% effective.

The bigger of the two wins is the τG2 const — about 6 KB binary cost for ~7% cycle savings, which more than pays back compared to the residual binary headroom (still under the original baseline). The fused-mul is a smaller win (~0.8%) but is also a net binary-size reduction because it replaces two inlined mul_bigint instantiations with one short loop.

The diminishing returns reflect that the residual cost is now dominated by the Miller loop + final exponentiation — primitives that live inside airbender-crypto and aren't reachable from this codepath.

Is this a breaking change?

Yes
No

Checklist

PR title corresponds to the body of PR.
Tests for the changes have been added / updated.
Documentation comments have been added / updated.
Code has been formatted.

Stacked on

Based on vv/kzg-rearranged-verifier (PR #660). Lands cleanly on top once #660 merges.

Follow-ups not in this PR

The τG2 const should eventually move into airbender-crypto next to PREPARED_G2_GENERATOR, so other consumers benefit and the const lives next to the source of truth.
Investigate why VariableBaseMSM::msm_bigint traps in the proving simulator; if fixable, the small-N hand-rolled loop could be replaced by the upstream Pippenger path with its 3-bit windows for an additional ~2-3% in this codepath. (Probably an allocator quirk, since the precompiles crate hits the same issue.)

🤖 Generated with Claude Code

Replace the per-call G2Prepared::from(G2_BY_TAU_POINT) — which runs the 68-step BLS12-381 Miller-loop coefficient precomputation (63 G2 doublings + 5 G2 adds in Fq2) on every KZG verification — with a compile-time const PREPARED_G2_BY_TAU. The const is generated for both field representations (6-limb ark_bls12_381 Fp for host, 8-limb ark_ff_delegation Fp for proving / RISC-V) and cfg-gated on the `proving` feature so the right variant compiles in each build. A sanity test asserts the const matches G2_BY_TAU_POINT.into() at runtime in both variants — catches stale literals if G2_BY_TAU_POINT or the Miller-loop precomputation shape ever changes upstream. Bench (test_kzg_regression under ZKSYNC_RISC_V_RUN=true with the for-tests-benchmarking RISC-V binary; A/B against the rearranged-only version from the previous commit, same parent commit): point_evaluation raw cycles 31,791,155 → 29,615,041 −6.84% point_evaluation bigint deleg. 2,513,437 → 2,330,478 −7.28% effective (raw + 4·bigint) 41,844,903 → 38,936,953 −6.95% Combined with the rearrangement, point_evaluation is now down 24.16% effective from the original verifier. Binary grows by 6,080 bytes (the inlined ell-coeffs literal — 68 ell_coeff triples × 6 Fq elements × 8 u64 limbs in the proving variant), still 9,824 bytes smaller than the pre-rearrangement baseline. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

The rearranged verifier did two independent 255-bit G1 scalar multiplications back-to-back: y * G1_gen and z * proof. Each sw_double_and_add_projective does ~255 doublings + ~127 adds, so the two-scalar form pays ~510 doublings. Fuse them into a single interleaved double-and-add over the two bases. Same pattern as the small-N path in bls12_381::msm — we avoid arkworks' VariableBaseMSM::msm_bigint because it allocates internally and the proving binary's allocator setup makes it trap with an illegal instruction in the simulator. The local hand-rolled loop has no allocations and matches the reference verifier byte-for-byte (test_rearranged_kzg_verifier_matches_reference still passes). To express y*G1 - z*proof as a 2-base MSM with positive scalars we need -z mod r; computed once via Fr::from_bigint(z).neg().into_bigint() (z is canonical by upstream parse_scalar / Fr::into_bigint). Bench (test_kzg_regression under ZKSYNC_RISC_V_RUN=true with the for-tests-benchmarking RISC-V binary; A/B vs the previous commit which precomputed PREPARED_G2_BY_TAU): point_evaluation raw cycles 29,615,041 -> 29,391,408 -0.76% point_evaluation bigint deleg. 2,330,478 -> 2,308,496 -0.94% effective (raw + 4*bigint) 38,936,953 -> 38,625,392 -0.80% dist/for_tests/app.bin size 1,343,276 -> 1,340,044 -3,232 B Cumulative against the original (pre-rearrangement) verifier this is now 24.77% off effective; the smaller gain than the previous two commits reflects that the residual cost is now dominated by the Miller loop + final exponentiation, which are inside the pairing primitive itself. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

github-actions · 2026-05-29T20:51:34Z

Block-level effective cycles

Average across all block fixtures (process_block). Per-block breakdown below.

Benchmark	Symbol	Base Eff	Head Eff (%)	Base Raw	Head Raw (%)	Base Blake	Head Blake (%)	Base Bigint	Head Bigint (%)	Base Keccak	Head Keccak (%)
`all blocks (keccak DA)`	`process_block`	645,510,860	642,596,297 (-0.45%)	515,778,805	513,606,424 (-0.42%)	781,526	781,526 (+0.00%)	22,835,212	22,649,666 (-0.81%)	6,471,698	6,471,698 (+0.00%)
`all blocks (blobs DA)`	`process_block`	689,562,976	683,758,504 (-0.84%)	549,739,513	545,345,362 (-0.80%)	791,605	791,605 (+0.00%)	25,625,438	25,272,858 (-1.38%)	6,164,007	6,164,007 (+0.00%)

Per-block effective cycles

Benchmark	Symbol	Base Eff	Head Eff (%)	Base Raw	Head Raw (%)	Base Blake	Head Blake (%)	Base Bigint	Head Bigint (%)	Base Keccak	Head Keccak (%)
`block_25188855 (keccak DA)`	`process_block`	237,657,747	237,660,270 (+0.00%)	184,564,543	184,567,066 (+0.00%)	498,230	498,230 (+0.00%)	8,457,231	8,457,231 (+0.00%)	2,823,150	2,823,150 (+0.00%)
`block_25188855 (blobs DA)`	`process_block`	282,353,306	279,553,756 (-0.99%)	218,677,686	216,516,180 (-0.99%)	502,810	502,810 (+0.00%)	11,224,050	11,064,539 (-1.42%)	2,683,615	2,683,615 (+0.00%)
`block_25188862 (keccak DA)`	`process_block`	549,525,194	549,520,332 (-0.00%)	421,362,246	421,357,384 (-0.00%)	831,340	831,340 (+0.00%)	22,892,549	22,892,549 (+0.00%)	5,822,828	5,822,828 (+0.00%)
`block_25188862 (blobs DA)`	`process_block`	593,636,955	590,640,749 (-0.50%)	455,355,139	453,062,701 (-0.50%)	841,550	841,550 (+0.00%)	25,692,946	25,517,004 (-0.68%)	5,511,308	5,511,308 (+0.00%)
`block_25188863 (keccak DA)`	`process_block`	229,913,146	229,913,176 (+0.00%)	177,029,506	177,029,536 (+0.00%)	419,790	419,790 (+0.00%)	8,150,725	8,150,725 (+0.00%)	3,391,025	3,391,025 (+0.00%)
`block_25188863 (blobs DA)`	`process_block`	274,591,426	271,895,201 (-0.98%)	211,147,226	209,054,709 (-0.99%)	424,750	424,750 (+0.00%)	10,922,242	10,771,315 (-1.38%)	3,239,808	3,239,808 (+0.00%)
`block_25188937 (keccak DA)`	`process_block`	720,636,582	720,636,678 (+0.00%)	566,510,310	566,510,406 (+0.00%)	1,209,910	1,209,910 (+0.00%)	21,884,022	21,884,022 (+0.00%)	11,807,906	11,807,906 (+0.00%)
`block_25188937 (blobs DA)`	`process_block`	764,000,556	761,167,889 (-0.37%)	600,263,640	598,078,585 (-0.36%)	1,224,860	1,224,860 (+0.00%)	24,683,779	24,521,876 (-0.66%)	11,351,010	11,351,010 (+0.00%)
`block_25188945 (keccak DA)`	`process_block`	421,930,894	421,930,910 (+0.00%)	341,291,474	341,291,490 (+0.00%)	930,920	930,920 (+0.00%)	11,233,142	11,233,142 (+0.00%)	5,203,033	5,203,033 (+0.00%)
`block_25188945 (blobs DA)`	`process_block`	465,575,574	462,463,747 (-0.67%)	375,219,942	372,850,655 (-0.63%)	945,470	945,470 (+0.00%)	14,048,560	13,862,925 (-1.32%)	4,758,468	4,758,468 (+0.00%)
`block_25188950 (keccak DA)`	`process_block`	529,834,412	526,806,159 (-0.57%)	426,760,996	424,484,967 (-0.53%)	659,000	659,000 (+0.00%)	18,702,929	18,514,873 (-1.01%)	4,429,425	4,429,425 (+0.00%)
`block_25188950 (blobs DA)`	`process_block`	574,413,357	568,478,786 (-1.03%)	460,876,253	456,369,502 (-0.98%)	665,270	665,270 (+0.00%)	21,485,226	21,128,271 (-1.66%)	4,237,970	4,237,970 (+0.00%)
`block_25189014 (keccak DA)`	`process_block`	379,907,714	379,902,779 (-0.00%)	296,127,822	296,122,887 (-0.00%)	577,680	577,680 (+0.00%)	13,434,465	13,434,465 (+0.00%)	5,199,788	5,199,788 (+0.00%)
`block_25189014 (blobs DA)`	`process_block`	424,686,075	421,694,426 (-0.70%)	330,320,999	328,032,598 (-0.69%)	582,880	582,880 (+0.00%)	16,218,317	16,042,505 (-1.08%)	5,041,432	5,041,432 (+0.00%)
`block_25189128 (keccak DA)`	`process_block`	426,196,711	426,196,728 (+0.00%)	342,425,715	342,425,732 (+0.00%)	773,970	773,970 (+0.00%)	11,463,305	11,463,305 (+0.00%)	6,383,564	6,383,564 (+0.00%)
`block_25189128 (blobs DA)`	`process_block`	470,036,988	467,079,267 (-0.63%)	376,349,584	374,083,359 (-0.60%)	786,150	786,150 (+0.00%)	14,265,564	14,092,690 (-1.21%)	6,011,687	6,011,687 (+0.00%)
`block_25189151 (keccak DA)`	`process_block`	732,173,781	732,173,823 (+0.00%)	556,213,169	556,213,211 (+0.00%)	1,085,470	1,085,470 (+0.00%)	29,031,931	29,031,931 (+0.00%)	10,616,342	10,616,342 (+0.00%)
`block_25189151 (blobs DA)`	`process_block`	775,055,786	772,088,430 (-0.38%)	589,836,190	587,560,750 (-0.39%)	1,104,220	1,104,220 (+0.00%)	31,844,095	31,671,116 (-0.54%)	10,043,924	10,043,924 (+0.00%)
`block_25189153 (keccak DA)`	`process_block`	2,227,332,417	2,201,222,112 (-1.17%)	1,845,502,269	1,826,061,564 (-1.05%)	828,950	828,950 (+0.00%)	83,101,816	81,434,416 (-2.01%)	9,039,921	9,039,921 (+0.00%)
`block_25189153 (blobs DA)`	`process_block`	2,271,279,738	2,242,522,784 (-1.27%)	1,879,348,470	1,857,844,580 (-1.14%)	838,090	838,090 (+0.00%)	85,869,606	84,056,340 (-2.11%)	8,760,851	8,760,851 (+0.00%)

Block-level sub-phases

Benchmark	Symbol	Base Eff	Head Eff (%)	Base Raw	Head Raw (%)	Base Blake	Head Blake (%)	Base Bigint	Head Bigint (%)	Base Keccak	Head Keccak (%)
`block_25188855 (blobs DA)`	`blob_versioned_hash`	45,689,154	42,887,079 (-6.13%)	34,548,598	32,384,567 (-6.26%)	4,580	4,580 (+0.00%)	2,766,819	2,607,308 (-5.77%)	0	0 (+0.00%)
`block_25188862 (blobs DA)`	`blob_versioned_hash`	46,358,317	43,366,971 (-6.45%)	34,993,369	32,705,791 (-6.54%)	10,210	10,210 (+0.00%)	2,800,397	2,624,455 (-6.28%)	0	0 (+0.00%)
`block_25188863 (blobs DA)`	`blob_versioned_hash`	45,755,015	43,058,758 (-5.89%)	34,589,587	32,497,038 (-6.05%)	4,960	4,960 (+0.00%)	2,771,517	2,620,590 (-5.45%)	0	0 (+0.00%)
`block_25188937 (blobs DA)`	`blob_versioned_hash`	46,603,829	43,771,064 (-6.08%)	35,165,601	32,980,448 (-6.21%)	14,950	14,950 (+0.00%)	2,799,757	2,637,854 (-5.78%)	0	0 (+0.00%)
`block_25188945 (blobs DA)`	`blob_versioned_hash`	46,761,390	43,649,545 (-6.65%)	35,266,918	32,897,613 (-6.72%)	14,550	14,550 (+0.00%)	2,815,418	2,629,783 (-6.59%)	0	0 (+0.00%)
`block_25188950 (blobs DA)`	`blob_versioned_hash`	45,949,308	43,042,988 (-6.33%)	34,719,800	32,489,076 (-6.42%)	6,270	6,270 (+0.00%)	2,782,297	2,613,398 (-6.07%)	0	0 (+0.00%)
`block_25189014 (blobs DA)`	`blob_versioned_hash`	45,910,698	42,923,982 (-6.51%)	34,692,090	32,408,622 (-6.58%)	5,200	5,200 (+0.00%)	2,783,852	2,608,040 (-6.32%)	0	0 (+0.00%)
`block_25189128 (blobs DA)`	`blob_versioned_hash`	46,480,645	43,522,905 (-6.36%)	35,076,729	32,810,485 (-6.46%)	12,180	12,180 (+0.00%)	2,802,259	2,629,385 (-6.17%)	0	0 (+0.00%)
`block_25189151 (blobs DA)`	`blob_versioned_hash`	46,953,883	43,986,483 (-6.32%)	35,405,227	33,129,743 (-6.43%)	18,750	18,750 (+0.00%)	2,812,164	2,639,185 (-6.15%)	0	0 (+0.00%)
`block_25189153 (blobs DA)`	`blob_versioned_hash`	45,935,746	43,289,095 (-5.76%)	34,718,346	32,655,159 (-5.94%)	9,140	9,140 (+0.00%)	2,767,790	2,621,924 (-5.27%)	0	0 (+0.00%)
`block_25188855 (blobs DA)`	`da_commitment`	2,520,840	2,520,840 (+0.00%)	2,408,840	2,408,840 (+0.00%)	7,000	7,000 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25188855 (keccak DA)`	`da_commitment`	3,513,442	3,513,442 (+0.00%)	2,845,898	2,845,898 (+0.00%)	7,000	7,000 (+0.00%)	0	0 (+0.00%)	138,886	138,886 (+0.00%)
`block_25188862 (blobs DA)`	`da_commitment`	5,542,919	5,542,919 (+0.00%)	5,290,119	5,290,119 (+0.00%)	15,800	15,800 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25188862 (keccak DA)`	`da_commitment`	7,785,080	7,785,080 (+0.00%)	6,288,796	6,288,796 (+0.00%)	15,800	15,800 (+0.00%)	0	0 (+0.00%)	310,871	310,871 (+0.00%)
`block_25188863 (blobs DA)`	`da_commitment`	2,557,099	2,557,099 (+0.00%)	2,441,579	2,441,579 (+0.00%)	7,220	7,220 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25188863 (keccak DA)`	`da_commitment`	3,629,435	3,629,435 (+0.00%)	2,911,643	2,911,643 (+0.00%)	7,220	7,220 (+0.00%)	0	0 (+0.00%)	150,568	150,568 (+0.00%)
`block_25188937 (blobs DA)`	`da_commitment`	7,684,897	7,684,897 (+0.00%)	7,328,897	7,328,897 (+0.00%)	22,250	22,250 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25188937 (keccak DA)`	`da_commitment`	10,920,391	10,920,391 (+0.00%)	8,739,403	8,739,403 (+0.00%)	22,250	22,250 (+0.00%)	0	0 (+0.00%)	456,247	456,247 (+0.00%)
`block_25188945 (blobs DA)`	`da_commitment`	6,766,623	6,766,623 (+0.00%)	6,450,463	6,450,463 (+0.00%)	19,760	19,760 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25188945 (keccak DA)`	`da_commitment`	9,878,984	9,878,984 (+0.00%)	7,787,160	7,787,160 (+0.00%)	19,760	19,760 (+0.00%)	0	0 (+0.00%)	443,916	443,916 (+0.00%)
`block_25188950 (blobs DA)`	`da_commitment`	3,338,915	3,338,915 (+0.00%)	3,188,995	3,188,995 (+0.00%)	9,370	9,370 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25188950 (keccak DA)`	`da_commitment`	4,700,642	4,700,642 (+0.00%)	3,787,498	3,787,498 (+0.00%)	9,370	9,370 (+0.00%)	0	0 (+0.00%)	190,806	190,806 (+0.00%)
`block_25189014 (blobs DA)`	`da_commitment`	2,978,030	2,978,030 (+0.00%)	2,850,670	2,850,670 (+0.00%)	7,960	7,960 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25189014 (keccak DA)`	`da_commitment`	4,106,010	4,106,010 (+0.00%)	3,347,822	3,347,822 (+0.00%)	7,960	7,960 (+0.00%)	0	0 (+0.00%)	157,707	157,707 (+0.00%)
`block_25189128 (blobs DA)`	`da_commitment`	6,135,237	6,135,237 (+0.00%)	5,844,517	5,844,517 (+0.00%)	18,170	18,170 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25189128 (keccak DA)`	`da_commitment`	8,771,258	8,771,258 (+0.00%)	6,995,626	6,995,626 (+0.00%)	18,170	18,170 (+0.00%)	0	0 (+0.00%)	371,228	371,228 (+0.00%)
`block_25189151 (blobs DA)`	`da_commitment`	8,058,835	8,058,835 (+0.00%)	7,691,795	7,691,795 (+0.00%)	22,940	22,940 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25189151 (keccak DA)`	`da_commitment`	12,126,349	12,126,349 (+0.00%)	9,472,233	9,472,233 (+0.00%)	22,940	22,940 (+0.00%)	0	0 (+0.00%)	571,769	571,769 (+0.00%)
`block_25189153 (blobs DA)`	`da_commitment`	4,816,784	4,816,784 (+0.00%)	4,587,984	4,587,984 (+0.00%)	14,300	14,300 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25189153 (keccak DA)`	`da_commitment`	6,800,863	6,800,863 (+0.00%)	5,458,379	5,458,379 (+0.00%)	14,300	14,300 (+0.00%)	0	0 (+0.00%)	278,421	278,421 (+0.00%)
`block_25188855 (keccak DA)`	`run_tx_loop`	212,949,827	212,952,350 (+0.00%)	162,437,559	162,440,082 (+0.00%)	373,590	373,590 (+0.00%)	8,457,231	8,457,231 (+0.00%)	2,676,476	2,676,476 (+0.00%)
`block_25188862 (keccak DA)`	`run_tx_loop`	500,660,710	500,655,848 (-0.00%)	377,720,718	377,715,856 (-0.00%)	584,570	584,570 (+0.00%)	22,892,549	22,892,549 (+0.00%)	5,504,169	5,504,169 (+0.00%)
`block_25188863 (keccak DA)`	`run_tx_loop`	205,441,519	205,441,549 (+0.00%)	155,175,303	155,175,333 (+0.00%)	295,790	295,790 (+0.00%)	8,150,725	8,150,725 (+0.00%)	3,232,669	3,232,669 (+0.00%)
`block_25188937 (keccak DA)`	`run_tx_loop`	646,275,755	646,275,851 (+0.00%)	499,927,863	499,927,959 (+0.00%)	839,770	839,770 (+0.00%)	21,884,022	21,884,022 (+0.00%)	11,343,871	11,343,871 (+0.00%)
`block_25188945 (keccak DA)`	`run_tx_loop`	370,090,278	370,090,294 (+0.00%)	295,673,194	295,673,210 (+0.00%)	654,950	654,950 (+0.00%)	11,233,142	11,233,142 (+0.00%)	4,751,329	4,751,329 (+0.00%)
`block_25188950 (keccak DA)`	`run_tx_loop`	497,058,570	494,030,317 (-0.61%)	397,413,930	395,137,901 (-0.57%)	494,350	494,350 (+0.00%)	18,702,929	18,514,873 (-1.01%)	4,230,831	4,230,831 (+0.00%)
`block_25189014 (keccak DA)`	`run_tx_loop`	348,919,029	348,914,094 (-0.00%)	268,259,997	268,255,062 (-0.00%)	424,000	424,000 (+0.00%)	13,434,465	13,434,465 (+0.00%)	5,034,293	5,034,293 (+0.00%)
`block_25189128 (keccak DA)`	`run_tx_loop`	374,412,182	374,412,199 (+0.00%)	296,517,090	296,517,107 (+0.00%)	501,480	501,480 (+0.00%)	11,463,305	11,463,305 (+0.00%)	6,004,548	6,004,548 (+0.00%)
`block_25189151 (keccak DA)`	`run_tx_loop`	664,400,608	664,400,650 (+0.00%)	496,277,104	496,277,146 (+0.00%)	740,540	740,540 (+0.00%)	29,031,931	29,031,931 (+0.00%)	10,036,785	10,036,785 (+0.00%)
`block_25189153 (keccak DA)`	`run_tx_loop`	2,179,700,427	2,153,590,122 (-1.20%)	1,802,866,475	1,783,425,770 (-1.08%)	588,240	588,240 (+0.00%)	83,101,816	81,434,416 (-2.01%)	8,753,712	8,753,712 (+0.00%)
`block_25188855 (blobs DA)`	`state_commitment_update`	17,558,979	17,558,979 (+0.00%)	16,023,619	16,023,619 (+0.00%)	95,960	95,960 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25188855 (keccak DA)`	`state_commitment_update`	17,555,562	17,555,562 (+0.00%)	16,020,202	16,020,202 (+0.00%)	95,960	95,960 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25188862 (blobs DA)`	`state_commitment_update`	32,412,499	32,412,499 (+0.00%)	29,506,419	29,506,419 (+0.00%)	181,630	181,630 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25188862 (keccak DA)`	`state_commitment_update`	32,412,499	32,412,499 (+0.00%)	29,506,419	29,506,419 (+0.00%)	181,630	181,630 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25188863 (blobs DA)`	`state_commitment_update`	16,942,399	16,942,399 (+0.00%)	15,443,519	15,443,519 (+0.00%)	93,680	93,680 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25188863 (keccak DA)`	`state_commitment_update`	16,942,399	16,942,399 (+0.00%)	15,443,519	15,443,519 (+0.00%)	93,680	93,680 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25188937 (blobs DA)`	`state_commitment_update`	53,739,347	53,739,347 (+0.00%)	49,136,947	49,136,947 (+0.00%)	287,650	287,650 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25188937 (keccak DA)`	`state_commitment_update`	53,739,347	53,739,347 (+0.00%)	49,136,947	49,136,947 (+0.00%)	287,650	287,650 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25188945 (blobs DA)`	`state_commitment_update`	31,127,413	31,127,413 (+0.00%)	28,100,053	28,100,053 (+0.00%)	189,210	189,210 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25188945 (keccak DA)`	`state_commitment_update`	31,127,413	31,127,413 (+0.00%)	28,100,053	28,100,053 (+0.00%)	189,210	189,210 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25188950 (blobs DA)`	`state_commitment_update`	23,369,260	23,369,260 (+0.00%)	21,334,060	21,334,060 (+0.00%)	127,200	127,200 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25188950 (keccak DA)`	`state_commitment_update`	23,373,478	23,373,478 (+0.00%)	21,338,278	21,338,278 (+0.00%)	127,200	127,200 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25189014 (blobs DA)`	`state_commitment_update`	23,000,664	23,000,664 (+0.00%)	21,036,504	21,036,504 (+0.00%)	122,760	122,760 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25189014 (keccak DA)`	`state_commitment_update`	23,000,666	23,000,666 (+0.00%)	21,036,506	21,036,506 (+0.00%)	122,760	122,760 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25189128 (blobs DA)`	`state_commitment_update`	34,326,398	34,326,398 (+0.00%)	31,148,158	31,148,158 (+0.00%)	198,640	198,640 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25189128 (keccak DA)`	`state_commitment_update`	34,326,398	34,326,398 (+0.00%)	31,148,158	31,148,158 (+0.00%)	198,640	198,640 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25189151 (blobs DA)`	`state_commitment_update`	44,869,541	44,869,541 (+0.00%)	40,801,861	40,801,861 (+0.00%)	254,230	254,230 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25189151 (keccak DA)`	`state_commitment_update`	44,869,541	44,869,541 (+0.00%)	40,801,861	40,801,861 (+0.00%)	254,230	254,230 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25189153 (blobs DA)`	`state_commitment_update`	34,928,995	34,928,995 (+0.00%)	31,910,595	31,910,595 (+0.00%)	188,650	188,650 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25189153 (keccak DA)`	`state_commitment_update`	34,928,995	34,928,995 (+0.00%)	31,910,595	31,910,595 (+0.00%)	188,650	188,650 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25188855 (keccak DA)`	`system_init`	48,086	48,086 (+0.00%)	48,086	48,086 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25188862 (keccak DA)`	`system_init`	48,086	48,086 (+0.00%)	48,086	48,086 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25188863 (keccak DA)`	`system_init`	48,086	48,086 (+0.00%)	48,086	48,086 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25188937 (keccak DA)`	`system_init`	48,086	48,086 (+0.00%)	48,086	48,086 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25188945 (keccak DA)`	`system_init`	48,086	48,086 (+0.00%)	48,086	48,086 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25188950 (keccak DA)`	`system_init`	48,086	48,086 (+0.00%)	48,086	48,086 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25189014 (keccak DA)`	`system_init`	48,086	48,086 (+0.00%)	48,086	48,086 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25189128 (keccak DA)`	`system_init`	48,086	48,086 (+0.00%)	48,086	48,086 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25189151 (keccak DA)`	`system_init`	48,086	48,086 (+0.00%)	48,086	48,086 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`block_25189153 (keccak DA)`	`system_init`	48,086	48,086 (+0.00%)	48,086	48,086 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)

Precompiles test-crate bench (synthetic workload, all labels)

Benchmark	Symbol	Base Eff	Head Eff (%)	Base Raw	Head Raw (%)	Base Blake	Head Blake (%)	Base Bigint	Head Bigint (%)	Base Keccak	Head Keccak (%)
`precompiles`	`bn254_ecadd`	53,340	53,340 (+0.00%)	47,888	47,888 (+0.00%)	0	0 (+0.00%)	1,363	1,363 (+0.00%)	0	0 (+0.00%)
`precompiles`	`bn254_ecmul`	732,100	732,100 (+0.00%)	567,912	567,912 (+0.00%)	0	0 (+0.00%)	41,047	41,047 (+0.00%)	0	0 (+0.00%)
`precompiles`	`bn254_pairing`	71,722,248	71,739,896 (+0.02%)	57,194,104	57,211,752 (+0.03%)	0	0 (+0.00%)	3,632,036	3,632,036 (+0.00%)	0	0 (+0.00%)
`precompiles`	`da_commitment`	16,711	16,711 (+0.00%)	13,635	13,635 (+0.00%)	30	30 (+0.00%)	0	0 (+0.00%)	649	649 (+0.00%)
`precompiles`	`ecrecover`	369,784	369,235 (-0.15%)	241,496	241,023 (-0.20%)	0	0 (+0.00%)	31,423	31,404 (-0.06%)	649	649 (+0.00%)
`precompiles`	`id`	925	925 (+0.00%)	925	925 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`precompiles`	`keccak`	31,678	31,678 (+0.00%)	10,906	10,906 (+0.00%)	0	0 (+0.00%)	1	1 (+0.00%)	5,192	5,192 (+0.00%)
`precompiles`	`modexp`	31,947,552	31,947,552 (+0.00%)	21,289,732	21,289,732 (+0.00%)	0	0 (+0.00%)	2,664,455	2,664,455 (+0.00%)	0	0 (+0.00%)
`precompiles`	`p256_verify`	747,503	747,503 (+0.00%)	468,811	468,811 (+0.00%)	0	0 (+0.00%)	69,673	69,673 (+0.00%)	0	0 (+0.00%)
`precompiles`	`process_block`	145,047,537	145,091,276 (+0.03%)	115,454,257	115,494,804 (+0.04%)	5,320	5,370 (+0.94%)	7,325,120	7,325,718 (+0.01%)	51,920	51,920 (+0.00%)
`precompiles`	`process_transaction`	72,314,686	72,329,263 (+0.02%)	57,569,702	57,585,083 (+0.03%)	160	160 (+0.00%)	3,663,540	3,663,339 (-0.01%)	22,066	22,066 (+0.00%)
`precompiles`	`ripemd`	8,015	8,015 (+0.00%)	8,015	8,015 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`precompiles`	`run_tx_loop`	144,565,750	144,606,406 (+0.03%)	115,088,458	115,126,722 (+0.03%)	180	180 (+0.00%)	7,325,120	7,325,718 (+0.01%)	43,483	43,483 (+0.00%)
`precompiles`	`sha256`	13,319	13,319 (+0.00%)	13,319	13,319 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`precompiles`	`state_commitment_update`	183,298	183,227 (-0.04%)	143,618	143,547 (-0.05%)	2,480	2,480 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`precompiles`	`system_init`	49,856	49,856 (+0.00%)	49,856	49,856 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)

FRI precompile bench (FriProofTx + sidecar + contract call)

Benchmark	Symbol	Base Eff	Head Eff (%)	Base Raw	Head Raw (%)	Base Blake	Head Blake (%)	Base Bigint	Head Bigint (%)	Base Keccak	Head Keccak (%)
`fri_precompile`	`da_commitment`	11,354	11,354 (+0.00%)	11,034	11,034 (+0.00%)	20	20 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)
`fri_precompile`	`ecrecover`	365,283	365,113 (-0.05%)	238,383	238,261 (-0.05%)	0	0 (+0.00%)	31,076	31,064 (-0.04%)	649	649 (+0.00%)
`fri_precompile`	`keccak`	4,700	4,700 (+0.00%)	2,100	2,100 (+0.00%)	0	0 (+0.00%)	1	1 (+0.00%)	649	649 (+0.00%)
`fri_precompile`	`process_block`	17,011,374	17,011,158 (-0.00%)	11,162,666	11,163,246 (+0.01%)	354,210	354,210 (+0.00%)	31,708	31,509 (-0.63%)	13,629	13,629 (+0.00%)
`fri_precompile`	`process_transaction`	16,536,042	16,535,832 (-0.00%)	10,801,882	10,802,468 (+0.01%)	349,160	349,160 (+0.00%)	31,708	31,509 (-0.63%)	5,192	5,192 (+0.00%)
`fri_precompile`	`run_tx_loop`	16,545,804	16,545,593 (-0.00%)	10,809,048	10,809,633 (+0.01%)	349,160	349,160 (+0.00%)	31,708	31,509 (-0.63%)	5,841	5,841 (+0.00%)
`fri_precompile`	`state_commitment_update`	163,215	164,338 (+0.69%)	125,615	127,058 (+1.15%)	2,350	2,330 (-0.85%)	0	0 (+0.00%)	0	0 (+0.00%)
`fri_precompile`	`system_init`	50,176	50,176 (+0.00%)	50,176	50,176 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)	0	0 (+0.00%)

Per-precompile

Per-precompile per-execution ratios (head)

cycles = effective (raw + Blake×16 + BigInt×4 + Keccak×4)
precompile                count    med c/g    p95 c/g    p99 c/g    max c/g    med n/g    p95 n/g    p99 n/g    max n/g
------------------------------------------------------------------------------------------------------------------------
keccak                    42872      111.9      126.7      209.2     4295.9      478.8      478.8      626.8      681.4
modexp                     2501       63.3       63.5      187.0     2877.1      500.0      500.0      500.0     4814.0
bls12_g1add                  12      895.0      896.6      896.6      896.6        0.0        0.0        0.0        0.0
blake2f                       2      803.7      803.7      803.7      803.7        0.0        0.0        0.0        0.0
point_eval                   11      776.7      778.4      778.4      778.4     1262.1     1262.1     1262.1     1262.1
bls12_pairing_check           4      217.8      427.5      427.5      427.5        0.0        0.0        0.0        0.0
ecadd                       617      352.1      360.8      364.2      368.1      350.7      350.7      350.7      350.7
bls12_g1msm                  12      157.8      318.6      318.6      318.6        0.0        0.0        0.0        0.0
ecpairing                    40      169.1      186.3      186.3      186.3      398.2      428.6      428.6      428.6
sha256                       28       96.4      143.6      143.6      143.6      104.2      148.9      148.9      148.9
ecmul                       597      120.9      125.3      126.5      128.6      127.3      127.3      127.3      127.3
ecrecover                   713      119.7      121.9      123.2      123.6      174.0      174.0      174.0      174.0
p256_verify                  22      107.7      108.3      108.4      108.4      113.6      113.6      113.6      113.6
bls12_g2msm                   2       88.4       88.4       88.4       88.4        0.0        0.0        0.0        0.0
identity                    292       29.2       41.7       44.4       50.8       40.8       59.0       62.8       72.2
bls12_g2add                   2       46.0       46.0       46.0       46.0        0.0        0.0        0.0        0.0
ripemd160                     4        4.4        7.4        7.4        7.4        8.1       13.1       13.1       13.1

0xVolosnikov force-pushed the vv/kzg-rearranged-verifier branch from ff58d23 to 4e6a520 Compare May 15, 2026 16:26

0xVolosnikov force-pushed the vv/kzg-prepared-g2-tau branch from bfe2ded to bde7e33 Compare May 15, 2026 16:26

0xVolosnikov force-pushed the vv/kzg-rearranged-verifier branch from 4e6a520 to a6b35e7 Compare May 19, 2026 13:33

0xVolosnikov force-pushed the vv/kzg-prepared-g2-tau branch from bde7e33 to cb9e354 Compare May 19, 2026 13:34

0xVolosnikov force-pushed the vv/kzg-rearranged-verifier branch from a6b35e7 to 7e05a97 Compare May 29, 2026 20:27

0xVolosnikov and others added 2 commits May 29, 2026 15:29

0xVolosnikov force-pushed the vv/kzg-prepared-g2-tau branch from cb9e354 to 540d622 Compare May 29, 2026 20:30

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

perf(point_evaluation): precompute tau*G2 prepared + fuse G1 scalar muls#661

perf(point_evaluation): precompute tau*G2 prepared + fuse G1 scalar muls#661
0xVolosnikov wants to merge 2 commits into
vv/kzg-rearranged-verifierfrom
vv/kzg-prepared-g2-tau

0xVolosnikov commented May 15, 2026

Uh oh!

github-actions Bot commented May 29, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

0xVolosnikov commented May 15, 2026

What ❔

Commit 1 — precompute PREPARED_G2_BY_TAU as a const

Commit 2 — fuse the two G1 scalar mults into a 2-base interleaved double-and-add

Why ❔

Is this a breaking change?

Checklist

Stacked on

Follow-ups not in this PR

Uh oh!

github-actions Bot commented May 29, 2026

Block-level effective cycles

Per-precompile

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Commit 1 — precompute `PREPARED_G2_BY_TAU` as a const