I have profiled our proving process and discovered that a significant portion of the process involves decompressing and parsing gates.

We can decompress and parse the gates during the parameters initialization phase, which means we can move this process from the proving phase to the initialization phase. Since parameter initialization now takes place in the background, preprocessing will mostly be finished before the first proving in most cases.

I've tried to implement it, and here are some results of the decreased proving time:

• Laptop (WASM) (Intel(R) Core(TM) i7-10750H): -18 %
• Laptop (Native) (Intel(R) Core(TM) i7-10750H): -35 %
• Laptop (WASM) (Intel Core i7 (2.9 GHz, 4 cores\8 threads)): -14 %
• MAC M1 (WASM): -16 %
• Android (WASM) (Galaxy S23): -18 %
• iOS (WASM) (iPhone 11): -18 %

But the size of the decompressed gates is huge, it's about 260 MB. Here are some potential drawbacks of this modification:

• Parameter initialization time is likely to increase due to the need to decompress and parse the gates. However, it is important to note that this is a one-time cost during the initialization phase and it can result in significant time savings during the proving phase.
• The RAM usage of the application will increase from 420 MB to 680 MB.
• WebAssembly.Memory.grow(..) is extremely slow on iOS, so we need to compute the necessary memory size and allocate it with a single call. This results in some time overhead during the parameter initialization phase.
• Mobile versions of Chrome and Safari have a strict limit on memory usage (500-800 mb, it depends on fragmentation), and attempting to exceed that limit can cause the application to crash. So this optimization is generally not feasible for mobile devices.

I think that this optimization makes sense for delegated prover and cloud environments, and may also make sense for PC. However, it is definitely not viable for mobile devices due to their limited memory capacity.

Related PRs:

• #13
• zkBob/libzkbob-rs#60

Note: It is necessary to update zkbob-cloud and zkbob-prover to include the changes introduced in this PR.

zkcrypto/bellman#69
zkcrypto/bellman#71
make https://github.com/zeropoolnetwork/phase2-bn254/blob/master/bellman/src/multicore.rs wasm compatible as opposed to
https://github.com/zeropoolnetwork/phase2-bn254/blob/master/bellman/src/multicore.rs

The main bottleneck of the cryptography we're using is the full-width u64 multiplication. In the case of wasm it compiles into __multi3 function that is relatively slow. One easy way to target this problem (probably not the best though) is to replace:

(x as u128) * (y as u128)

with

// x = x_1 * 2^32 + x_0
let x_0 = (x as u32) as u64;
let x_1 = x >> 32;

// y = y_1 * 2^32 + y_0
let y_0 = (y as u32) as u64;
let y_1 = y >> 32;

// x * y = (x_1 * 2^32 + x_0)(y_1 * 2^32 + y_0) = x_1*y_1 * 2^64 + (x_1*y_0 + x_0 * y_1)*2^32 + x_0*y_0 = 
// = z_2 * 2^64 + z_1 * 2^32 + z_0
let z_0 = x_0 * y_0;
let z_2 = x_1 * y_1;

let z_1 = u128::from(x_0 * y_1) + u128::from(x_1 * y_0);

(u128::from(z_2) << 64) + (z_1 << 32) + u128::from(z_0)

for wasm target.

It may not look clear but this way we're replacing one u128 multiplication with four u64 multiplications and a couple additions.

This optimization in the fawkes-crypto leads to speeding up synchronization time by ~15 % and improves proving time a bit. Similarly, we can implement it in phase2-bn254 and it can improve proving time by ~ 13 %.

An efficient implementation of the poseidon is presented in Supplementary Material B of https://eprint.iacr.org/2019/458.pdf.
This optimization can't be applied to circuit and works only for native implementation.