feat(grumpkin): GLV scalar decomposition + generic MSM crate #1211
Open
…ndow sweep
- Add GLV inline constants and decompose_scalar for Grumpkin
- Split PIPPENGER_WINDOW into BASELINE_WINDOW and GLV_WINDOW
- Add window sweep benchmarks: GLV_WINDOW=10 is ~2x faster than 12
- Add GLV_PROGRESS.md tracking benchmarks and findings

Window sweep results: w=8 gives 105M cycles vs 261M at w=12 (2.5x speedup)

…LV+Pippenger
- Use heap allocation (Box) for large precompute tables
- Increase guest memory to 128MB, stack to 64MB
- Document precompute sizes and full sweep results

- Add examples/msm/ with modular Pippenger, GLV, and fixed-base MSM
- Define MsmGroup, WindowedScalar, GlvCapable traits
- Implement Grumpkin curve integration in curves/grumpkin.rs
- GLV+Pippenger is ~1.2% faster than old impl (103.8M vs 105.1M cycles)
- Fixed-base has ~2% overhead due to trait indirection (acceptable)
- Update GLV_PROGRESS.md with benchmark comparison

Replaced by generic examples/msm/ with trait-based abstractions.

- Add edge case tests for GLV decomposition (k=0, k=n-1, k=λ, etc.)
- Add GLV lattice determinant verification test
- Add timing documentation for variable-time MSM operations
- Untrack GLV_PROGRESS.md (local development notes)

Adds missing assertion that half-scalar bytes.len() <= 16, matching the check in sdk.rs. Prevents potential out-of-bounds panic during trace generation if GLV decomposition somehow produces oversized values.
quangvdao added a commit to quangvdao/jolt that referenced this pull request Jan 23, 2026
# Conflicts:
#   Cargo.lock
#   Cargo.toml
#   jolt-inlines/grumpkin/src/host.rs
#   jolt-inlines/grumpkin/src/lib.rs
#   jolt-inlines/grumpkin/src/sdk.rs
#   jolt-inlines/grumpkin/src/sequence_builder.rs
#   jolt-inlines/grumpkin/src/tests.rs

# Conflicts:
#   Cargo.lock
#   jolt-inlines/grumpkin/src/sdk.rs
… .unwrap → hcf
- Remove accidentally committed state-handoff.md (unrelated BN254 GT_MUL notes)
- Remove section separator comments banned by project style guide
- Replace .unwrap() with .unwrap_or_spoil_proof() in decompose_scalar RISC-V path so invalid advice spoils proof via hcf() instead of producing a valid proof of panic
Collaborator
Everything seems good in the inlines crate. But what's the purpose of "Generic MSM Crate (examples/msm/)"? Is it intended to be used by developers using jolt? Or just for internal benchmarks? Just seems overly complex for an example?

Collaborator
I think either we should remove the MSM example from this PR, or if we want a more opinionated/ergonomic wrapper around the inlines, we should move it into
Summary
This PR adds GLV (Gallant-Lambert-Vanstone) scalar decomposition for Grumpkin and a modular, trait-based MSM implementation.
This code has only been lightly audited and may contain bugs. While a security review was conducted covering the critical cryptographic invariants (GLV decomposition correctness, endomorphism properties, Pippenger algorithm), the implementation has not undergone a formal third-party audit. Use with caution in production systems.
Dependencies
This PR builds on top of the base Grumpkin field division inlines. Please merge #1209 first.
What's New
GLV Scalar Decomposition (jolt-inlines/grumpkin/)
- GrumpkinPoint::endomorphism() — maps (x, y) → (βx, y) where β³ = 1
- GrumpkinPoint::decompose_scalar(k) — splits 256-bit scalar into two ~128-bit half-scalars (k₁, k₂) where k ≡ k₁ + k₂·λ (mod n)
- hcf() to spoil proof on mismatch
- GRUMPKIN_GLVR_ADV virtual instruction for non-deterministic decomposition advice

Generic MSM Crate (examples/msm/)
- MsmGroup, WindowedScalar, GlvCapable traits for curve-agnostic MSM
- FixedBaseTable for generator multiplication (lookups + additions only)

Security Hardening
- β³ = 1, λ² + λ + 1 = 0, φ³ = Id, φ(P) = [λ]P
- n₁₁·n₂₂ − n₁₂·n₂₁ = n
- k = 0, 1, n-1, λ, λ±1, λ²

Benchmarks (MSM_SIZE = 1024)
Key results:
Files Changed
- jolt-inlines/grumpkin/src/sdk.rs — GLV constants, endomorphism, decompose_scalar
- jolt-inlines/grumpkin/src/lib.rs — GLV inline opcode registration
- jolt-inlines/grumpkin/src/sequence_builder.rs — GLV advice implementation
- jolt-inlines/grumpkin/src/host.rs — Inline registration
- jolt-inlines/grumpkin/src/tests.rs — Security invariant tests
- examples/msm/ — New generic MSM crate with Grumpkin integration
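
The advice check that the description's decompose_scalar bullets outline (an untrusted decomposition accepted only if k ≡ k₁ + k₂·λ (mod n) holds and each half-scalar is within its size bound), as an added Rust example that is not code from this PR. The modulus, λ, lattice basis, HALF_BOUND and all function names are constructed toy values and hypothetical names, not Grumpkin's constants or the crate's API; Err stands in for hcf().

```rust
// Toy parameters constructed for this example (NOT Grumpkin's constants):
// N = 100^2 - 100*9 + 9^2 is prime and LAMBDA^2 + LAMBDA + 1 ≡ 0 (mod N).
const N: i64 = 9181;
const LAMBDA: i64 = 1009;
// Short lattice basis: a + b*LAMBDA ≡ 0 (mod N) for both rows; det = N.
const V1: (i64, i64) = (100, 9);
const V2: (i64, i64) = (-9, 91);
// Toy analogue of the "half-scalar fits in 16 bytes" bound.
const HALF_BOUND: i64 = 1 << 7;

#[derive(Debug, PartialEq)]
enum AdviceError { OutOfRange, Mismatch }

// Round x / N to the nearest integer, for x >= 0.
fn round_div(x: i64) -> i64 { (x + N / 2) / N }

// Host side (untrusted): Babai rounding against the basis above.
fn decompose_advice(k: i64) -> (i64, i64) {
    let c1 = round_div(k * V2.1);
    let c2 = -round_div(k * V1.1);
    (k - c1 * V1.0 - c2 * V2.0, -c1 * V1.1 - c2 * V2.1)
}

// Guest side (trusted): accept advice only if both checks pass.
// The PR spoils the proof via hcf() on failure; Err models that here.
fn verify_advice(k: i64, k1: i64, k2: i64) -> Result<(), AdviceError> {
    // Range check first: (k, 0) always satisfies the congruence but is not a half-scalar.
    if k1.abs() >= HALF_BOUND || k2.abs() >= HALF_BOUND {
        return Err(AdviceError::OutOfRange);
    }
    if (k1 + k2 * LAMBDA).rem_euclid(N) != k.rem_euclid(N) {
        return Err(AdviceError::Mismatch);
    }
    Ok(())
}

fn main() {
    // Edge cases listed in the PR description, on the toy modulus.
    let lam2 = LAMBDA * LAMBDA % N;
    for k in [0, 1, N - 1, LAMBDA, LAMBDA - 1, LAMBDA + 1, lam2] {
        let (k1, k2) = decompose_advice(k);
        println!("k={k:5} -> ({k1:4}, {k2:4}) {:?}", verify_advice(k, k1, k2));
    }
    println!("{:?}", verify_advice(5000, 5000, 0)); // oversized advice
    println!("{:?}", verify_advice(5000, -44, 5)); // wrong residue
}
```

The congruence alone does not constrain the advice, since (k, 0) always satisfies it; the size bound is what forces a real half-scalar split.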