philsippl / circom-witness-rs

🏎️ circom-witness-rs

Description

This crate provides a fast witness generator for Circom circuits, serving as a drop-in replacement for Circom's witness generator. It was created in response to the slow performance of Circom's WASM generator for larger circuits, which also necessitates a WASM runtime, often a cumbersome requirement. The native C++ generator, though faster, depends on x86 assembly for field operations, rendering it impractical for use on other platforms (e.g., cross-compiling to ARM for mobile devices).

circom-witness-rs comes with two modes:

  1. Generate the static execution graph required for the witness generation at build time (--features=build-witness).
  2. Generate the witness elements at runtime from the serialized graph.

In the first mode, it generates the C++ version of the witness generator through circom and links itself against it. The C++ code is made accessible to Rust through cxx. It hooks all field functions (which are x86 assembly in the original generator), so that it can recreate the execution graph through symbolic execution. The execution graph is further optimized through constant propagation and dead code elimination. The resulting graph is then serialized to a binary format. At runtime, the graph can be embedded in the binary and interpreted to generate the witness.
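The pipeline described above (record the field operations, propagate constants, eliminate dead nodes, interpret the result), as an added toy example that is not code from circom-witness-rs. The `Node` type, the small modulus `P` and the functions `trace`, `eval` and `optimize` are assumptions made for illustration; the crate's real graph types and binary format differ.

```rust
const P: u64 = 2_147_483_647; // toy prime modulus (assumption); Circom's field is far larger
#[derive(Clone, Copy, Debug, PartialEq)]
enum Node { Input(usize), Const(u64), Add(usize, usize), Mul(usize, usize) } // toy node type
use self::Node::*;
// Stand-in for the hooked field functions: record each operation instead of computing it.
fn trace() -> (Vec<Node>, usize) {
    let mut g: Vec<Node> = Vec::new();
    let mut rec = |n: Node| { g.push(n); g.len() - 1 };
    let (x, c3, c4) = (rec(Input(0)), rec(Const(3)), rec(Const(4)));
    let (k, xx) = (rec(Mul(c3, c4)), rec(Mul(x, x))); // k = 3 * 4 depends on no input
    rec(Add(x, c3)); // dead: never reaches the output
    let out = rec(Add(xx, k)); // out = x*x + 12
    (g, out)
}

// Interpreter: with inputs it yields the witness, with None only input-independent values.
fn eval(g: &[Node], inputs: Option<&[u64]>) -> Vec<Option<u64>> {
    let mut w: Vec<Option<u64>> = Vec::new();
    for &n in g {
        let v = match n {
            Input(i) => inputs.map(|x| x[i] % P),
            Const(c) => Some(c),
            Add(a, b) => w[a].zip(w[b]).map(|(x, y)| (x + y) % P),
            Mul(a, b) => w[a].zip(w[b]).map(|(x, y)| x * y % P),
        };
        w.push(v);
    }
    w
}

// Constant propagation, then dead code elimination (mark from the output, renumber survivors).
fn optimize(g: &[Node], out: usize) -> (Vec<Node>, usize) {
    let g: Vec<Node> = g.iter().zip(eval(g, None)).map(|(&n, v)| v.map_or(n, Const)).collect();
    let (mut live, mut remap, mut kept) = (vec![false; g.len()], vec![0; g.len()], Vec::new());
    live[out] = true;
    for i in (0..g.len()).rev() {
        if let (true, Add(a, b) | Mul(a, b)) = (live[i], g[i]) { live[a] = true; live[b] = true; }
    }
    for i in (0..g.len()).filter(|&i| live[i]) {
        let mut n = g[i];
        if let Add(a, b) | Mul(a, b) = &mut n { *a = remap[*a]; *b = remap[*b]; }
        remap[i] = kept.len();
        kept.push(n);
    }
    (kept, remap[out])
}
fn main() {
    let (g, out) = trace();
    println!("{:?}\n{:?}", g, optimize(&g, out));
}
```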

Usage

See this example project for Semaphore with more details on building.

See semaphore-rs for an example at runtime.

All of these examples were used with circom compiler 2.1.6 (dcf7d68). Using a different version of circom might cause issues due to different C++ code being generated.

Benchmarks

TLDR: For semaphore circuit (depth 30) circom-witness-rs is ~25x faster than wasm and ~10x faster than native c++ version.

cargo bench --bench=criterion --features=bench,depth_30

With circom-witness-rs:

witness_30              time:   [993.84 µs 996.62 µs 999.42 µs]

With wasm witness generator from circom-compat:

witness_30              time:   [24.630 ms 24.693 ms 24.759 ms]

With native c++ witness generator from circom: 9.640ms

As a nice side effect of the graph optimizations, the binary size is also reduced heavily. In the example of Semaphore the binary size is reduced from 1.3MB (semaphore.wasm) to 350KB (graph.bin).

Unimplemented features

There are still quite a few missing operations that need to be implemented. The list of supported and unsupported operations can be found here. Support for the missing operations is very straightforward and will be added in the future.

// Field operations
unsafe fn Fr_mul(to: *mut FrElement, a: *const FrElement, b: *const FrElement);
unsafe fn Fr_add(to: *mut FrElement, a: *const FrElement, b: *const FrElement);
unsafe fn Fr_sub(to: *mut FrElement, a: *const FrElement, b: *const FrElement);
unsafe fn Fr_copy(to: *mut FrElement, a: *const FrElement);
unsafe fn Fr_copyn(to: *mut FrElement, a: *const FrElement, n: usize);
// fn Fr_neg(to: &mut FrElement, a: &FrElement);
// fn Fr_inv(to: &mut FrElement, a: &FrElement);
// fn Fr_div(to: &mut FrElement, a: &FrElement, b: &FrElement);
// fn Fr_square(to: &mut FrElement, a: &FrElement);
// fn Fr_shl(to: &mut FrElement, a: &FrElement, b: u32);
// fn Fr_shr(to: &mut FrElement, a: &FrElement, b: u32);
// fn Fr_band(to: &mut FrElement, a: &FrElement, b: &FrElement);
// fn Fr_bor(to: &mut FrElement, a: &FrElement, b: &FrElement);
// fn Fr_bxor(to: &mut FrElement, a: &FrElement, b: &FrElement);
// fn Fr_bnot(to: &mut FrElement, a: &FrElement);
unsafe fn Fr_eq(to: *mut FrElement, a: *const FrElement, b: *const FrElement);
unsafe fn Fr_neq(to: *mut FrElement, a: *const FrElement, b: *const FrElement);
unsafe fn Fr_lt(to: *mut FrElement, a: *const FrElement, b: *const FrElement);
unsafe fn Fr_gt(to: *mut FrElement, a: *const FrElement, b: *const FrElement);
unsafe fn Fr_leq(to: *mut FrElement, a: *const FrElement, b: *const FrElement);
unsafe fn Fr_geq(to: *mut FrElement, a: *const FrElement, b: *const FrElement);
unsafe fn Fr_isTrue(a: *mut FrElement) -> bool;
// fn Fr_fromBool(to: &mut FrElement, a: bool);
unsafe fn Fr_toInt(a: *mut FrElement) -> u64;
unsafe fn Fr_lor(to: *mut FrElement, a: *const FrElement, b: *const FrElement);
unsafe fn print(a: *mut FrElement);
// fn Fr_pow(to: &mut FrElement, a: &FrElement, b: &FrElement);
// fn Fr_idiv(to: &mut FrElement, a: &FrElement, b: &FrElement);

About

License: MIT License

