-
sarang
A quick note that after some discussion with the BP+ proposers, there's agreement that the verification benefits they listed would not be present to the same degree in a Monero implementation
-
sethsimmons
So still a size improvement, but no tangible verification time improvement?
-
sarang
Their original BP implementation did not use weighting across verification equations to combine common generators, which is likely why they saw the results they did when comparing to BP+
-
sarang
Yeah, the size benefits would be present (noting that we require >= 2 outputs and a single proof per transaction)
-
sarang
There would be a marginal verification improvement, but not to the extent in the table they presented
-
moneromooo
I'd rather have had it the other way around :/
-
sarang
yeah
-
sarang
but this is still good
-
sethsimmons
An improvement to either is still great
-
moneromooo
What is it, 64 bytes per tx ?
-
sarang
96 bytes
-
sethsimmons
nice
-
moneromooo
Still good if small changes.
-
sarang
The verification is no worse :)
-
sarang
Slightly better, but still better
-
sethsimmons
That will get us down to almost 1200b/TX after CLSAG, IIRC
-
sarang
For a 1-2 txn you mean?
-
sethsimmons
yes
-
sethsimmons
I might be off by 100b
-
sarang
Aye, and 2-2 would drop to about 1.8 kB
-
sethsimmons
Nice
-
sarang
Right now 2-2 is 2.54 kB
-
sethsimmons
That's a great improvement between the two changes
-
sethsimmons
exciting stuff :)
-
sarang
At any rate, it's good to know why they saw so much better improvement
-
dEBRUYNE
I do wonder whether it is worth touching sensitive code for mere size gains
-
sarang
This is the tradeoff
-
hyc
have we reached the boundary of the 80/20 rule already? diminishing returns from here on out?
-
sarang
Well, saving 96 bytes is nontrivial
-
sarang
In terms of verification, we've likely hit a limit on trust-free range proofs unless there are underlying library changes/optimizations
-
hyc
might be worth running a benchmark under valgrind/cachegrind and look for any obvious hot spots
-
sarang
BP+ does appear to save a lot in terms of scalar-only computations, but those are orders of magnitude faster than the bulky Pippenger operation
-
sarang
I'd be very surprised if the savings there would be noticeable
-
sarang
One idea I had a while back was combining generators between next-gen signature constructions and range proofs
-
sarang
It wouldn't be game-changing by any means (and would add a lot of complexity)
-
dEBRUYNE
<sarang> There would be a marginal verification improvement, <= Can we quantify marginal here?
-
sarang
Maybe a percent or two
-
sarang
The benefits decrease as the number of aggregated outputs increase (due to the way generators work)