optimizations for prover & verifier

[quangvdao]

PR title

Reduce verifier to O(nu) time and optimize first-round D2 pairings

Summary

• Verifier no longer folds 2^nu-length tensors. It computes final s1, s2 via O(nu) accumulators using per-dimension coordinates.
• Prover first round: compute D2L/D2R as MSM(G1, scalars) + one pairing with h2 instead of multi-pairing.
• Correct round-to-dimension mapping on verifier (last dimension folds first).
• Keep C+/C− unchanged, since v2 is no longer fixed-base after the first combine.
• Cleanups: remove dead imports, no behavior change elsewhere.

Details

• Verifier math
  • s1_final = ∏(y_t + α_t·(1 − y_t))
  • s2_final = ∏(x_t + α_t^{-1}·(1 − x_t))
  • Consume y_t, x_t in reverse of variable order, matching folding.
• Implementation
  • DoryVerifierState now holds s1_acc, s2_acc and s1_coords, s2_coords. No tensor folding.
  • verify_evaluation_proof passes per-dimension coords; if sigma < nu, pad s2 coords with 1.
  • process_round derives index from nu and updates accumulators per round.
  • Prover state carries optional v2_scalars only for round 1; compute_first_message uses MSM+pairing for D2L/D2R when available; apply_first_challenge drops scalars.
• Compatibility
  • Public API functions setup, prove, verify unchanged.
  • Internal DoryVerifierState::new and DoryProverState::new signatures changed; all internal call sites updated.
• Performance impact
  • Verifier memory drops from O(2^nu) to O(1) and time per round becomes O(1) for s1/s2 folding.
  • Prover first round replaces two multi-pairings with two MSMs + two pairings.
• Testing
  • Run: cargo test --features backends
  • The accumulator indexing uses idx = nu - 1 to match fold order.
• Follow-ups
  • Add Criterion benches under benches/ to quantify improvements.
  • Cache affine bases in setup for faster MSMs.

Why this is correct

• Folding a Kronecker product with per-round [α, 1] weights factorizes into a product of 2-term dot products, giving the O(nu) formulas above.
• For round 1, v2[i] = h2·s_i, so ⟨Γ1', v2_half⟩ = e(Σ s_i·Γ1'[i], h2).

[markosg04]

Thanks a lot! Just bunch of nits

[markosg04]

can we avoid this clone? seems that prover_state is the last thing to consume v_vec

[markosg04]

could we use sigma for the remainder? we are requiring square dimensions anyways. It might make the comments here clearer as well

[markosg04]

Suggested change

	/// - `v2_scalars`: If v2 = h2 * scalars (first round), pass scalars for MSM+pair optimization
	/// - `v2_scalars`: Use the scalars in the first round to avoid a multi-pairing by instead performing a (cheaper) MSM + Pairing

[markosg04]

Suggested change

	if let Some(ref sc) = v2_scalars {
	debug_assert_eq!(sc.len(), v2.len(), "v2_scalars must match v2 length");
	}
	if let Some(sc) = v2_scalars.as_ref() {
	debug_assert_eq!(sc.len(), v2.len(), "v2_scalars must match v2 length");
	}

ref is older rust and as_ref() is clearer anyways

[markosg04]

Suggested change

	// If v2 was constructed as h2 * scalars (first round), compute MSM(Γ₁', scalars) then one pairing.
	// In the first round, v2 = h2 * scalars, so we can compute this as the Pairing of MSM(Γ₁', scalars)

[markosg04]

let's use as_ref() here as well

[markosg04]

Suggested change

	// After first combine, v2 is no longer fixed-base; drop scalars to avoid misuse
	// After first combine, the `v2_scalars` optimization does not apply.

[markosg04]

would it be possible to avoid having both s1/2_final and s1/2_acc ?

[markosg04]

question: (last dimension folds first) -> this is because of endian-ness?