From 4d1e504025bf30cfe6957868293f506502bc96cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20P=C3=A9rez?= <37264926+CPerezz@users.noreply.github.com> Date: Thu, 7 Sep 2023 14:15:36 +0200 Subject: [PATCH] Add Grumpkin support for arkworks (#174) Co-authored-by: Pratyush Mishra --- Cargo.toml | 1 + README.md | 1 + grumpkin/Cargo.toml | 37 ++++++++++ grumpkin/LICENSE-APACHE | 1 + grumpkin/LICENSE-MIT | 1 + grumpkin/benches/grumpkin.rs | 9 +++ grumpkin/scripts/base_field.sage | 28 ++++++++ grumpkin/scripts/scalar_field.sage | 28 ++++++++ grumpkin/src/constraints/curves.rs | 11 +++ grumpkin/src/constraints/fields.rs | 11 +++ grumpkin/src/constraints/mod.rs | 107 +++++++++++++++++++++++++++++ grumpkin/src/curves/mod.rs | 54 +++++++++++++++ grumpkin/src/curves/tests.rs | 4 ++ grumpkin/src/fields/fq.rs | 1 + grumpkin/src/fields/fr.rs | 1 + grumpkin/src/fields/mod.rs | 8 +++ grumpkin/src/fields/tests.rs | 5 ++ grumpkin/src/lib.rs | 33 +++++++++ 18 files changed, 341 insertions(+) create mode 100644 grumpkin/Cargo.toml create mode 120000 grumpkin/LICENSE-APACHE create mode 120000 grumpkin/LICENSE-MIT create mode 100644 grumpkin/benches/grumpkin.rs create mode 100644 grumpkin/scripts/base_field.sage create mode 100644 grumpkin/scripts/scalar_field.sage create mode 100644 grumpkin/src/constraints/curves.rs create mode 100644 grumpkin/src/constraints/fields.rs create mode 100644 grumpkin/src/constraints/mod.rs create mode 100644 grumpkin/src/curves/mod.rs create mode 100755 grumpkin/src/curves/tests.rs create mode 100644 grumpkin/src/fields/fq.rs create mode 100644 grumpkin/src/fields/fr.rs create mode 100644 grumpkin/src/fields/mod.rs create mode 100644 grumpkin/src/fields/tests.rs create mode 100644 grumpkin/src/lib.rs diff --git a/Cargo.toml b/Cargo.toml index caf5ded..eb589e5 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -20,6 +20,7 @@ members = [ "bn254", "ed_on_bn254", + "grumpkin", "mnt4_298", "mnt6_298", diff --git a/README.md b/README.md index e0b2995..24545dd 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,7 @@ This repository contains implementations of some popular elliptic curves. The cu ### BN254 and related curves * [`ark-bn254`](bn254): Implements the BN254 pairing-friendly curve * [`ark-ed-on-bn254`](ed_on_bn254): Implements a Twisted Edwards curve atop the scalar field of BN254 +* [`ark-grumpkin`](grumpkin): Implements the Grumpkin curve. A curve that forms a cycle with bn254. ### MNT-298 cycle of curves and related curves * [`ark-mnt4-298`](mnt4_298): Implements the MNT4-298 pairing-friendly curve. This curve forms a pairing-friendly cycle with MNT6-298 diff --git a/grumpkin/Cargo.toml b/grumpkin/Cargo.toml new file mode 100644 index 0000000..a480f17 --- /dev/null +++ b/grumpkin/Cargo.toml @@ -0,0 +1,37 @@ +[package] +name = "ark-grumpkin" +version = "0.4.0" +authors = [ "CPerezz", "arkworks contributors" ] +description = "The Grumpkin prime-order elliptic curve" +homepage = "https://arkworks.rs" +repository = "https://github.com/arkworks-rs/curves" +documentation = "https://docs.rs/ark-grumpkin/" +keywords = ["cryptography", "finite-fields", "elliptic-curves" ] +categories = ["cryptography"] +include = ["Cargo.toml", "src"] +license = "MIT/Apache-2.0" +edition = "2021" + +[dependencies] +ark-ff = { version = "0.4.0", default-features = false } +ark-ec = { version = "0.4.0", default-features = false } +ark-r1cs-std = { version = "0.4.0", default-features = false, optional = true } +ark-std = { version = "0.4.0", default-features = false } +ark-bn254 = { version = "0.4.0", path = "../bn254", default-features = false, features = [ "scalar_field", "curve" ] } + +[dev-dependencies] +ark-relations = { version = "0.4.0", default-features = false } +ark-serialize = { version = "0.4.0", default-features = false } +ark-algebra-test-templates = { version = "0.4.0", default-features = false } +ark-algebra-bench-templates = { version = "0.4.0", default-features = false } +ark-curve-constraint-tests = { path = "../curve-constraint-tests", default-features = false } + +[features] +default = [] +std = [ "ark-std/std", "ark-ff/std", "ark-ec/std" ] +r1cs = [ "ark-r1cs-std" ] + +[[bench]] +name = "grumpkin" +path = "benches/grumpkin.rs" +harness = false diff --git a/grumpkin/LICENSE-APACHE b/grumpkin/LICENSE-APACHE new file mode 120000 index 0000000..965b606 --- /dev/null +++ b/grumpkin/LICENSE-APACHE @@ -0,0 +1 @@ +../LICENSE-APACHE \ No newline at end of file diff --git a/grumpkin/LICENSE-MIT b/grumpkin/LICENSE-MIT new file mode 120000 index 0000000..76219eb --- /dev/null +++ b/grumpkin/LICENSE-MIT @@ -0,0 +1 @@ +../LICENSE-MIT \ No newline at end of file diff --git a/grumpkin/benches/grumpkin.rs b/grumpkin/benches/grumpkin.rs new file mode 100644 index 0000000..f95bbc3 --- /dev/null +++ b/grumpkin/benches/grumpkin.rs @@ -0,0 +1,9 @@ +use ark_algebra_bench_templates::*; +use ark_grumpkin::{fq::Fq, fr::Fr, Projective as G}; + +bench!( + Name = "Grumpkin", + Group = G, + ScalarField = Fr, + PrimeBaseField = Fq, +); diff --git a/grumpkin/scripts/base_field.sage b/grumpkin/scripts/base_field.sage new file mode 100644 index 0000000..a8a4b5c --- /dev/null +++ b/grumpkin/scripts/base_field.sage @@ -0,0 +1,28 @@ +modulus = 21888242871839275222246405745257275088548364400416034343698204186575808495617 + +assert(modulus.is_prime()) + +Fp = GF(modulus) + +generator = Fp(0); +for i in range(0, 20): + i = Fp(i); + neg_i = Fp(-i) + if not(i.is_primitive_root() or neg_i.is_primitive_root()): + continue + elif i.is_primitive_root(): + assert(i.is_primitive_root()); + print("Generator: %d" % i) + generator = i + break + else: + assert(neg_i.is_primitive_root()); + print("Generator: %d" % neg_i) + generator = neg_i + break + + +two_adicity = valuation(modulus - 1, 2); +trace = (modulus - 1) / 2**two_adicity; +two_adic_root_of_unity = generator^trace +print("2-adic Root of Unity: %d " % two_adic_root_of_unity) diff --git a/grumpkin/scripts/scalar_field.sage b/grumpkin/scripts/scalar_field.sage new file mode 100644 index 0000000..cf47baf --- /dev/null +++ b/grumpkin/scripts/scalar_field.sage @@ -0,0 +1,28 @@ +modulus = 21888242871839275222246405745257275088696311157297823662689037894645226208583 + +assert(modulus.is_prime()) + +Fp = GF(modulus) + +generator = Fp(0); +for i in range(0, 20): + i = Fp(i); + neg_i = Fp(-i) + if not(i.is_primitive_root() or neg_i.is_primitive_root()): + continue + elif i.is_primitive_root(): + assert(i.is_primitive_root()); + print("Generator: %d" % i) + generator = i + break + else: + assert(neg_i.is_primitive_root()); + print("Generator: %d" % neg_i) + generator = neg_i + break + + +two_adicity = valuation(modulus - 1, 2); +trace = (modulus - 1) / 2**two_adicity; +two_adic_root_of_unity = generator^trace +print("2-adic Root of Unity: %d " % two_adic_root_of_unity) diff --git a/grumpkin/src/constraints/curves.rs b/grumpkin/src/constraints/curves.rs new file mode 100644 index 0000000..289b905 --- /dev/null +++ b/grumpkin/src/constraints/curves.rs @@ -0,0 +1,11 @@ +use ark_r1cs_std::groups::curves::short_weierstrass::ProjectiveVar; + +use crate::{constraints::FBaseVar, *}; + +/// A group element in the Grumpkin prime-order group. +pub type GVar = ProjectiveVar; + +#[test] +fn test() { + ark_curve_constraint_tests::curves::sw_test::().unwrap(); +} diff --git a/grumpkin/src/constraints/fields.rs b/grumpkin/src/constraints/fields.rs new file mode 100644 index 0000000..6956735 --- /dev/null +++ b/grumpkin/src/constraints/fields.rs @@ -0,0 +1,11 @@ +use ark_r1cs_std::fields::fp::FpVar; + +use crate::fq::Fq; + +/// A variable that is the R1CS equivalent of `crate::Fq`. +pub type FBaseVar = FpVar; + +#[test] +fn test() { + ark_curve_constraint_tests::fields::field_test::<_, _, FBaseVar>().unwrap(); +} diff --git a/grumpkin/src/constraints/mod.rs b/grumpkin/src/constraints/mod.rs new file mode 100644 index 0000000..72bf1a1 --- /dev/null +++ b/grumpkin/src/constraints/mod.rs @@ -0,0 +1,107 @@ +//! This module implements the R1CS equivalent of `ark_grumpkin`. +//! +//! It implements field variables for `crate::Fq`, +//! and group variables for `crate::Projective`. +//! +//! The field underlying these constraints is `crate::Fq`. +//! +//! # Examples +//! +//! One can perform standard algebraic operations on `FBaseVar`: +//! +//! ``` +//! # fn main() -> Result<(), ark_relations::r1cs::SynthesisError> { +//! use ark_std::UniformRand; +//! use ark_relations::r1cs::*; +//! use ark_r1cs_std::prelude::*; +//! use ark_grumpkin::{*, constraints::*}; +//! +//! let cs = ConstraintSystem::::new_ref(); +//! // This rng is just for test purposes; do not use it +//! // in real applications. +//! let mut rng = ark_std::test_rng(); +//! +//! // Generate some random `Fq` elements. +//! let a_native = Fq::rand(&mut rng); +//! let b_native = Fq::rand(&mut rng); +//! +//! // Allocate `a_native` and `b_native` as witness variables in `cs`. +//! let a = FBaseVar::new_witness(ark_relations::ns!(cs, "generate_a"), || Ok(a_native))?; +//! let b = FBaseVar::new_witness(ark_relations::ns!(cs, "generate_b"), || Ok(b_native))?; +//! +//! // Allocate `a_native` and `b_native` as constants in `cs`. This does not add any +//! // constraints or variables. +//! let a_const = FBaseVar::new_constant(ark_relations::ns!(cs, "a_as_constant"), a_native)?; +//! let b_const = FBaseVar::new_constant(ark_relations::ns!(cs, "b_as_constant"), b_native)?; +//! +//! let one = FBaseVar::one(); +//! let zero = FBaseVar::zero(); +//! +//! // Sanity check one + one = two +//! let two = &one + &one + &zero; +//! two.enforce_equal(&one.double()?)?; +//! +//! assert!(cs.is_satisfied()?); +//! +//! // Check that the value of &a + &b is correct. +//! assert_eq!((&a + &b).value()?, a_native + &b_native); +//! +//! // Check that the value of &a * &b is correct. +//! assert_eq!((&a * &b).value()?, a_native * &b_native); +//! +//! // Check that operations on variables and constants are equivalent. +//! (&a + &b).enforce_equal(&(&a_const + &b_const))?; +//! assert!(cs.is_satisfied()?); +//! # Ok(()) +//! # } +//! ``` +//! +//! One can also perform standard algebraic operations on `GVar`: +//! +//! ``` +//! # fn main() -> Result<(), ark_relations::r1cs::SynthesisError> { +//! # use ark_std::UniformRand; +//! # use ark_relations::r1cs::*; +//! # use ark_r1cs_std::prelude::*; +//! # use ark_grumpkin::{*, constraints::*}; +//! +//! # let cs = ConstraintSystem::::new_ref(); +//! # let mut rng = ark_std::test_rng(); +//! +//! // Generate some random `Projective` elements. +//! let a_native = Projective::rand(&mut rng); +//! let b_native = Projective::rand(&mut rng); +//! +//! // Allocate `a_native` and `b_native` as witness variables in `cs`. +//! let a = GVar::new_witness(ark_relations::ns!(cs, "a"), || Ok(a_native))?; +//! let b = GVar::new_witness(ark_relations::ns!(cs, "b"), || Ok(b_native))?; +//! +//! // Allocate `a_native` and `b_native` as constants in `cs`. This does not add any +//! // constraints or variables. +//! let a_const = GVar::new_constant(ark_relations::ns!(cs, "a_as_constant"), a_native)?; +//! let b_const = GVar::new_constant(ark_relations::ns!(cs, "b_as_constant"), b_native)?; +//! +//! // This returns the identity. +//! let zero = GVar::zero(); +//! +//! // Sanity check one + one = two +//! let two_a = &a + &a + &zero; +//! two_a.enforce_equal(&a.double()?)?; +//! +//! assert!(cs.is_satisfied()?); +//! +//! // Check that the value of &a + &b is correct. +//! assert_eq!((&a + &b).value()?, a_native + &b_native); +//! +//! // Check that operations on variables and constants are equivalent. +//! (&a + &b).enforce_equal(&(&a_const + &b_const))?; +//! assert!(cs.is_satisfied()?); +//! # Ok(()) +//! # } +//! ``` + +mod curves; +mod fields; + +pub use curves::*; +pub use fields::*; diff --git a/grumpkin/src/curves/mod.rs b/grumpkin/src/curves/mod.rs new file mode 100644 index 0000000..11d625f --- /dev/null +++ b/grumpkin/src/curves/mod.rs @@ -0,0 +1,54 @@ +// The parameters for the curve have been taken from +// https://github.com/AztecProtocol/barretenberg/blob/97ccf76c42db581a8b8f8bfbcffe8ca015a3dd22/cpp/src/barretenberg/ecc/curves/grumpkin/grumpkin.hpp + +use crate::{fq::Fq, fr::Fr}; +use ark_ec::{ + models::CurveConfig, + short_weierstrass::{self as sw, SWCurveConfig}, +}; +use ark_ff::{AdditiveGroup, Field, MontFp, Zero}; + +#[cfg(test)] +mod tests; + +#[derive(Copy, Clone, Default, PartialEq, Eq)] +pub struct GrumpkinConfig; + +impl CurveConfig for GrumpkinConfig { + type BaseField = Fq; + type ScalarField = Fr; + + /// COFACTOR = 1 + const COFACTOR: &'static [u64] = &[0x1]; + + /// COFACTOR_INV = 1 + const COFACTOR_INV: Fr = Fr::ONE; +} + +pub type Affine = sw::Affine; +pub type Projective = sw::Projective; + +impl SWCurveConfig for GrumpkinConfig { + /// COEFF_A = 0 + const COEFF_A: Fq = Fq::ZERO; + + /// COEFF_B = -17 + const COEFF_B: Fq = MontFp!("-17"); + + /// AFFINE_GENERATOR_COEFFS = (G1_GENERATOR_X, G1_GENERATOR_Y) + const GENERATOR: Affine = Affine::new_unchecked(G_GENERATOR_X, G_GENERATOR_Y); + + #[inline(always)] + fn mul_by_a(_: Self::BaseField) -> Self::BaseField { + Self::BaseField::zero() + } +} + +/// G_GENERATOR_X = 1 +/// Encoded in Montgomery form, so the value here is R mod p. +pub const G_GENERATOR_X: Fq = MontFp!("1"); + +/// G_GENERATOR_Y = sqrt(-16) +/// Encoded in Montgomery form, so the value here is 2R mod p. +pub const G_GENERATOR_Y: Fq = + MontFp!("17631683881184975370165255887551781615748388533673675138860"); diff --git a/grumpkin/src/curves/tests.rs b/grumpkin/src/curves/tests.rs new file mode 100755 index 0000000..f7bc50c --- /dev/null +++ b/grumpkin/src/curves/tests.rs @@ -0,0 +1,4 @@ +use crate::Projective; +use ark_algebra_test_templates::*; + +test_group!(g1; Projective; sw); diff --git a/grumpkin/src/fields/fq.rs b/grumpkin/src/fields/fq.rs new file mode 100644 index 0000000..e4ae199 --- /dev/null +++ b/grumpkin/src/fields/fq.rs @@ -0,0 +1 @@ +pub use ark_bn254::{Fr as Fq, FrConfig as FqConfig}; diff --git a/grumpkin/src/fields/fr.rs b/grumpkin/src/fields/fr.rs new file mode 100644 index 0000000..e83d05f --- /dev/null +++ b/grumpkin/src/fields/fr.rs @@ -0,0 +1 @@ +pub use ark_bn254::{Fq as Fr, FqConfig as FrConfig}; diff --git a/grumpkin/src/fields/mod.rs b/grumpkin/src/fields/mod.rs new file mode 100644 index 0000000..5156179 --- /dev/null +++ b/grumpkin/src/fields/mod.rs @@ -0,0 +1,8 @@ +pub mod fq; +pub use self::fq::*; + +pub mod fr; +pub use self::fr::*; + +#[cfg(test)] +mod tests; diff --git a/grumpkin/src/fields/tests.rs b/grumpkin/src/fields/tests.rs new file mode 100644 index 0000000..bd978b4 --- /dev/null +++ b/grumpkin/src/fields/tests.rs @@ -0,0 +1,5 @@ +use crate::{Fq, Fr}; +use ark_algebra_test_templates::*; + +test_field!(fr; Fr; mont_prime_field); +test_field!(fq; Fq; mont_prime_field); diff --git a/grumpkin/src/lib.rs b/grumpkin/src/lib.rs new file mode 100644 index 0000000..ae92c19 --- /dev/null +++ b/grumpkin/src/lib.rs @@ -0,0 +1,33 @@ +#![cfg_attr(not(feature = "std"), no_std)] +#![deny( + warnings, + unused, + future_incompatible, + nonstandard_style, + rust_2018_idioms +)] +#![forbid(unsafe_code)] + +//! This library implements the prime-order curve Grumpkin, generated by +//! Zachary J. Williamson from Aztec protocol. The main feature of this +//! curve is that it forms a cycle with bn254, i.e. its scalar field and base +//! field respectively are the base field and scalar field of bn254. +//! +//! +//! Curve information: +//! Grumpkin: +//! * Base field: q = +//! 21888242871839275222246405745257275088548364400416034343698204186575808495617 +//! * Scalar field: r = +//! 21888242871839275222246405745257275088696311157297823662689037894645226208583 +//! * Curve equation: y^2 = x^3 - 17 +//! * Valuation(q - 1, 2) = 28 +//! * Valuation(r - 1, 2) = 1 + +#[cfg(feature = "r1cs")] +pub mod constraints; +mod curves; +mod fields; + +pub use curves::*; +pub use fields::*;