perf(plonk): reduce LRO commitment MSM size via s0-padding identity

[gbotrel]

Summary

• Exploit the identity Σ G1_lag[i] = [1]₁ = Kzg.G1[0] to rewrite L, R, O commitments as partial MSMs over only the non-padding entries, plus a single scalar multiplication correction s0·G1[0]
• For R and O, also skip the public placeholder region (also filled with s0), further reducing MSM size
• Add BenchmarkLargeProver with a 2.2M-constraint circuit (domain 1<<22, ~47.5% padding)

How it works

L, R, O are defined on a domain of size n = 2^k, but only offset = nbPublic + nbConstraints entries carry actual values. The rest are s0 = witness[0].

[P] = Σ P[i]·G1_lag[i]
    = Σ (P[i]-s0)·G1_lag[i] + s0·Σ G1_lag[i]
    = MSM((P[i]-s0), G1_lag[i]) + s0·Kzg.G1[0]

The (P[i]-s0) terms are zero in the padding region, so the MSM only covers [0, offset) for L and [nbPublic, offset) for R/O.

Benchmark (BN254, 2.2M constraints, Apple M1 Max)

Metric	Value
MSM speedup (micro-benchmark)	1.94x (1.75s → 0.90s per commitment)
End-to-end prover	~30s (LRO commitment is ~5% of total)

Test plan

• TestProver passes on all 4 curves (bn254, bls12-377, bls12-381, bw6-761)
• TestCustomHashToField, TestCustomChallengeHash, TestCustomKZGFoldingHash pass on all curves
• Proof verifies on 2.2M constraint circuit
• MSM micro-benchmark confirms 1.94x speedup on commitment step

🤖 Generated with Claude Code

---

Note

Medium Risk
Touches core proving cryptography (KZG commitments) and introduces in-place coefficient adjustments and partial-slice MSMs, so subtle indexing/padding assumptions could affect proof correctness despite being a contained, well-motivated optimization.

Overview
Speeds up PLONK proving by rewriting commitToLRO commitments for L, R, and O to avoid MSM work over padding/public-placeholder regions: it subtracts the padding value s0 from the relevant Lagrange coefficients, runs a reduced-size MultiExp only over the non-zero slice, then adds back a single correction point s0·Kzg.G1[0] plus the existing blinding contribution.

Applies the same optimization across all generated curve backends (bn254, bls12-377, bls12-381, bw6-761) and updates the codegen template accordingly. Adds BenchmarkLargeProver to exercise the optimization on a ~2.2M-constraint circuit with substantial domain padding.

^{Written by Cursor Bugbot for commit 63d4dad. This will update automatically on new commits. Configure here.}

[Copilot]

Pull request overview

This PR implements a performance optimization for the PLONK prover by reducing the size of multi-scalar multiplications (MSMs) used when committing to the L, R, and O polynomials. The optimization exploits the mathematical identity that the sum of all Lagrange basis polynomial commitments equals the identity element in G1.

Changes:

• Rewrites L, R, O polynomial commitments to use partial MSMs covering only non-padding entries
• For circuits with significant padding (e.g., 2.2M constraints on a 4M domain), this nearly halves the MSM size for each commitment
• Adds BenchmarkLargeProver to demonstrate the optimization with a 2.2M-constraint circuit showing ~1.94x MSM speedup

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
internal/generator/backend/template/zkpschemes/plonk/plonk.prove.go.tmpl	Template implementing the optimized commitToLRO function with detailed mathematical documentation
backend/plonk/bn254/prove.go	Generated implementation for BN254 curve
backend/plonk/bls12-377/prove.go	Generated implementation for BLS12-377 curve
backend/plonk/bls12-381/prove.go	Generated implementation for BLS12-381 curve
backend/plonk/bw6-761/prove.go	Generated implementation for BW6-761 curve
backend/plonk/plonk_test.go	Adds benchmark test for large circuits to validate the optimization

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.