From 56ffdfe2d5fbb13d215d997c012d499990fdc1a0 Mon Sep 17 00:00:00 2001 From: Ivan Mikushin Date: Mon, 22 Jul 2024 17:10:50 -0700 Subject: [PATCH] KZG, HyperKZG: speedup pairing checks with multi-pairing --- jolt-core/src/poly/commitment/hyperkzg.rs | 5 ++++- jolt-core/src/poly/commitment/kzg.rs | 16 +++++++++------- 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/jolt-core/src/poly/commitment/hyperkzg.rs b/jolt-core/src/poly/commitment/hyperkzg.rs index 01fcf7f25..11e814b48 100644 --- a/jolt-core/src/poly/commitment/hyperkzg.rs +++ b/jolt-core/src/poly/commitment/hyperkzg.rs @@ -270,7 +270,7 @@ where let R = W[0] + W[1] * d_0 + W[2] * d_1; // Check that e(L, vk.H) == e(R, vk.tau_H) - (P::pairing(L, vk.kzg_vk.g2)) == (P::pairing(R, vk.kzg_vk.beta_g2)) + P::multi_pairing([L, -R], [vk.kzg_vk.g2, vk.kzg_vk.beta_g2]).is_zero() } #[derive(Clone)] @@ -333,6 +333,9 @@ where polys.push(Pi); } + assert_eq!(polys.len(), ell); + assert_eq!(polys[ell - 1].len(), 2); + // We do not need to commit to the first polynomial as it is already committed. // Compute commitments in parallel let com: Vec = (1..polys.len()) diff --git a/jolt-core/src/poly/commitment/kzg.rs b/jolt-core/src/poly/commitment/kzg.rs index 272b5333b..9b7b7999e 100644 --- a/jolt-core/src/poly/commitment/kzg.rs +++ b/jolt-core/src/poly/commitment/kzg.rs @@ -5,7 +5,7 @@ use crate::utils::errors::ProofVerifyError; use ark_ec::scalar_mul::fixed_base::FixedBase; use ark_ec::{pairing::Pairing, AffineRepr, CurveGroup}; use ark_ff::PrimeField; -use ark_std::{One, UniformRand}; +use ark_std::{One, UniformRand, Zero}; use rand_core::{CryptoRng, RngCore}; use std::marker::PhantomData; use std::sync::Arc; 
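Review bot: The comment above the new return expression in hyperkzg.rs still states the check as `e(L, vk.H) == e(R, vk.tau_H)`, while the code now tests a product of pairings against the identity with `R` negated. The soundness of the rewrite rests on negating exactly one G1 input, so I would spell that out, e.g. `// Check e(L, vk.H) * e(-R, vk.tau_H) == 1, i.e. e(L, vk.H) == e(R, vk.tau_H)`. The rewritten check in kzg.rs (the hunk that introduces `-proof.into_group()`) has no comment at all and would benefit from the same one-line equation. The enclosing function starts outside the hunk.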
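Review bot: The two added `assert_eq!` calls in hyperkzg.rs carry no message and are not mentioned in the commit subject, so a failure reports only two numbers with no hint of which invariant broke. `polys[ell - 1]` also relies on `ell >= 1`; if `ell` were 0 and `polys` empty, the subtraction would overflow rather than fail with a meaningful message. I would add messages, e.g. `assert_eq!(polys.len(), ell, "polys must hold exactly ell polynomials");` and `assert_eq!(polys[ell - 1].len(), 2, "last polynomial must have length 2");`. The enclosing function starts outside the hunk; if it returns a `Result`, returning an error may be preferable to panicking in library code.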
@@ -188,12 +188,14 @@ where proof: &P::G1Affine, evaluation: &P::ScalarField, ) -> Result { - let lhs = P::pairing( - commitment.into_group() - vk.g1.into_group() * evaluation, - vk.g2, - ); - let rhs = P::pairing(proof, vk.beta_g2.into_group() - (vk.g2 * point)); - Ok(lhs == rhs) + Ok(P::multi_pairing( + [ + commitment.into_group() - vk.g1.into_group() * evaluation, + -proof.into_group(), + ], + [vk.g2, (vk.beta_g2.into_group() - (vk.g2 * point)).into()], + ) + .is_zero()) } }
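Review bot: Nothing in this patch exercises the rejecting path of the rewritten check, and a sign slip in `-proof.into_group()` or a swapped entry in the G2 array would still compile while changing which proofs are accepted. The diffstat lists only hyperkzg.rs and kzg.rs, and no hunk adds a test. Unless the existing test module already covers it, I would add a case asserting that this function returns `Ok(true)` for an honest proof and `Ok(false)` when the same proof is checked against an altered `evaluation`. The function signature starts outside the hunk.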