arnaucube
/
ark-r1cs-std-cherry-picked
mirror of https://github.com/arnaucube/ark-r1cs-std-cherry-picked.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Update curve variables in `r1cs-std`.

master
Pratyush Mishra 4 years ago
parent
8022b598fb
commit
5e65926a5e
6 changed files with 1995 additions and 3047 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +139
    -188
      r1cs-std/src/groups/curves/short_weierstrass/bls12/mod.rs
  2. +236
    -424
      r1cs-std/src/groups/curves/short_weierstrass/mnt4/mod.rs
  3. +247
    -442
      r1cs-std/src/groups/curves/short_weierstrass/mnt6/mod.rs
  4. +565
    -621
      r1cs-std/src/groups/curves/short_weierstrass/mod.rs
  5. +680
    -1236
      r1cs-std/src/groups/curves/twisted_edwards/mod.rs
  6. +128
    -136
      r1cs-std/src/groups/mod.rs

+ 139
- 188
r1cs-std/src/groups/curves/short_weierstrass/bls12/mod.rs
View File

@ -1,234 +1,195 @@
use algebra::{
curves::bls12::{Bls12Parameters, G1Prepared, G2Prepared, TwistType},
curves::{
bls12::{Bls12Parameters, G1Prepared, G2Prepared, TwistType},
short_weierstrass_jacobian::GroupAffine,
},
fields::Field,
BitIterator, One, ProjectiveCurve,
BitIterator, One,
};
use r1cs_core::{ConstraintSystem, SynthesisError};
use r1cs_core::SynthesisError;
use crate::{
fields::{fp::FpGadget, fp2::Fp2Gadget, FieldGadget},
groups::curves::short_weierstrass::AffineGadget,
prelude::*,
fields::{fp::FpVar, fp2::Fp2Var, FieldVar},
groups::curves::short_weierstrass::*,
Vec,
};
use core::{borrow::Borrow, fmt::Debug, ops::Mul};
use core::fmt::Debug;
pub type G1Gadget<P> = AffineGadget<
<P as Bls12Parameters>::G1Parameters,
<P as Bls12Parameters>::Fp,
FpGadget<<P as Bls12Parameters>::Fp>,
>;
pub type G1Var<P> =
ProjectiveVar<<P as Bls12Parameters>::G1Parameters, FpVar<<P as Bls12Parameters>::Fp>>;
pub type G1AffineVar<P> =
AffineVar<<P as Bls12Parameters>::G1Parameters, FpVar<<P as Bls12Parameters>::Fp>>;
pub type G2Gadget<P> =
AffineGadget<<P as Bls12Parameters>::G2Parameters, <P as Bls12Parameters>::Fp, Fp2G<P>>;
pub type G2Var<P> = ProjectiveVar<<P as Bls12Parameters>::G2Parameters, Fp2G<P>>;
pub type G2AffineVar<P> = AffineVar<<P as Bls12Parameters>::G2Parameters, Fp2G<P>>;
#[derive(Derivative)]
#[derivative(
Clone(bound = "G1Gadget<P>: Clone"),
Debug(bound = "G1Gadget<P>: Debug")
)]
pub struct G1PreparedGadget<P: Bls12Parameters>(pub G1Gadget<P>);
impl<P: Bls12Parameters> AllocGadget<G1Prepared<P>, P::Fp> for G1PreparedGadget<P> {
fn alloc_constant<T, CS: ConstraintSystem<P::Fp>>(
mut cs: CS,
t: T,
) -> Result<Self, SynthesisError>
where
T: Borrow<G1Prepared<P>>,
{
let obj = t.borrow();
Ok(Self(G1Gadget::<P>::alloc_constant(
&mut cs.ns(|| "g1"),
&obj.0.into(),
)?))
}
fn alloc<F, T, CS: ConstraintSystem<P::Fp>>(_cs: CS, _f: F) -> Result<Self, SynthesisError>
where
F: FnOnce() -> Result<T, SynthesisError>,
T: Borrow<G1Prepared<P>>,
{
todo!()
#[derivative(Clone(bound = "G1Var<P>: Clone"), Debug(bound = "G1Var<P>: Debug"))]
pub struct G1PreparedVar<P: Bls12Parameters>(pub AffineVar<P::G1Parameters, FpVar<P::Fp>>);
impl<P: Bls12Parameters> G1PreparedVar<P> {
pub fn value(&self) -> Result<G1Prepared<P>, SynthesisError> {
let x = self.0.x.value()?;
let y = self.0.y.value()?;
let infinity = self.0.infinity.value()?;
let g = GroupAffine::new(x, y, infinity);
Ok(g.into())
}
fn alloc_input<F, T, CS: ConstraintSystem<P::Fp>>(
_cs: CS,
_f: F,
) -> Result<Self, SynthesisError>
where
F: FnOnce() -> Result<T, SynthesisError>,
T: Borrow<G1Prepared<P>>,
{
todo!()
pub fn from_group_var(q: &G1Var<P>) -> Result<Self, SynthesisError> {
let g = q.to_affine()?;
Ok(Self(g))
}
}
impl<P: Bls12Parameters> G1PreparedGadget<P> {
pub fn get_value(&self) -> Option<G1Prepared<P>> {
Some(G1Prepared::from(self.0.get_value().unwrap().into_affine()))
}
pub fn from_affine<CS: ConstraintSystem<P::Fp>>(
_cs: CS,
q: &G1Gadget<P>,
impl<P: Bls12Parameters> AllocVar<G1Prepared<P>, P::Fp> for G1PreparedVar<P> {
fn new_variable<T: Borrow<G1Prepared<P>>>(
cs: impl Into<Namespace<P::Fp>>,
f: impl FnOnce() -> Result<T, SynthesisError>,
mode: AllocationMode,
) -> Result<Self, SynthesisError> {
Ok(G1PreparedGadget(q.clone()))
let ns = cs.into();
let cs = ns.cs();
let g1_prep = f().map(|b| b.borrow().0);
let x = FpVar::new_variable(cs.ns("x"), || g1_prep.map(|g| g.x), mode)?;
let y = FpVar::new_variable(cs.ns("y"), || g1_prep.map(|g| g.y), mode)?;
let infinity = Boolean::new_variable(cs.ns("inf"), || g1_prep.map(|g| g.infinity), mode)?;
let g = AffineVar::new(x, y, infinity);
Ok(Self(g))
}
}
impl<P: Bls12Parameters> ToBytesGadget<P::Fp> for G1PreparedGadget<P> {
impl<P: Bls12Parameters> ToBytesGadget<P::Fp> for G1PreparedVar<P> {
#[inline]
fn to_bytes<CS: ConstraintSystem<P::Fp>>(
&self,
mut cs: CS,
) -> Result<Vec<UInt8>, SynthesisError> {
self.0.to_bytes(&mut cs.ns(|| "g_alpha to bytes"))
fn to_bytes(&self) -> Result<Vec<UInt8<P::Fp>>, SynthesisError> {
let mut bytes = self.0.x.to_bytes()?;
let y_bytes = self.0.y.to_bytes()?;
let inf_bytes = self.0.infinity.to_bytes()?;
bytes.extend_from_slice(&y_bytes);
bytes.extend_from_slice(&inf_bytes);
Ok(bytes)
}
fn to_non_unique_bytes<CS: ConstraintSystem<P::Fp>>(
&self,
mut cs: CS,
) -> Result<Vec<UInt8>, SynthesisError> {
self.0
.to_non_unique_bytes(&mut cs.ns(|| "g_alpha to bytes"))
fn to_non_unique_bytes(&self) -> Result<Vec<UInt8<P::Fp>>, SynthesisError> {
let mut bytes = self.0.x.to_bytes()?;
let y_bytes = self.0.y.to_bytes()?;
let inf_bytes = self.0.infinity.to_bytes()?;
bytes.extend_from_slice(&y_bytes);
bytes.extend_from_slice(&inf_bytes);
Ok(bytes)
}
}
type Fp2G<P> = Fp2Gadget<<P as Bls12Parameters>::Fp2Params, <P as Bls12Parameters>::Fp>;
type Fp2G<P> = Fp2Var<<P as Bls12Parameters>::Fp2Params>;
type LCoeff<P> = (Fp2G<P>, Fp2G<P>);
#[derive(Derivative)]
#[derivative(
Clone(bound = "Fp2Gadget<P::Fp2Params, P::Fp>: Clone"),
Debug(bound = "Fp2Gadget<P::Fp2Params, P::Fp>: Debug")
Clone(bound = "Fp2Var<P::Fp2Params>: Clone"),
Debug(bound = "Fp2Var<P::Fp2Params>: Debug")
)]
pub struct G2PreparedGadget<P: Bls12Parameters> {
pub struct G2PreparedVar<P: Bls12Parameters> {
pub ell_coeffs: Vec<LCoeff<P>>,
}
impl<P: Bls12Parameters> AllocGadget<G2Prepared<P>, P::Fp> for G2PreparedGadget<P> {
fn alloc_constant<T, CS: ConstraintSystem<P::Fp>>(
mut cs: CS,
t: T,
) -> Result<Self, SynthesisError>
where
T: Borrow<G2Prepared<P>>,
{
let obj = t.borrow();
let mut res = Vec::<LCoeff<P>>::new();
for (i, (x, y, z)) in obj.ell_coeffs.iter().enumerate() {
let z_inverse = z.inverse().unwrap();
let x_normalized = x.mul(&z_inverse);
let y_normalized = y.mul(&z_inverse);
let x_gadget =
Fp2Gadget::alloc_constant(&mut cs.ns(|| format!("alloc_x#{}", i)), x_normalized)?;
let y_gadget =
Fp2Gadget::alloc_constant(&mut cs.ns(|| format!("alloc_y#{}", i)), y_normalized)?;
res.push((x_gadget, y_gadget));
}
Ok(Self { ell_coeffs: res })
}
fn alloc<F, T, CS: ConstraintSystem<P::Fp>>(_cs: CS, _f: F) -> Result<Self, SynthesisError>
where
F: FnOnce() -> Result<T, SynthesisError>,
T: Borrow<G2Prepared<P>>,
{
todo!()
}
fn alloc_input<F, T, CS: ConstraintSystem<P::Fp>>(
_cs: CS,
_f: F,
) -> Result<Self, SynthesisError>
where
F: FnOnce() -> Result<T, SynthesisError>,
T: Borrow<G2Prepared<P>>,
{
todo!()
impl<P: Bls12Parameters> AllocVar<G2Prepared<P>, P::Fp> for G2PreparedVar<P> {
fn new_variable<T: Borrow<G2Prepared<P>>>(
cs: impl Into<Namespace<P::Fp>>,
f: impl FnOnce() -> Result<T, SynthesisError>,
mode: AllocationMode,
) -> Result<Self, SynthesisError> {
let ns = cs.into();
let cs = ns.cs();
let g2_prep = f().map(|b| {
let projective_coeffs = &b.borrow().ell_coeffs;
let mut z_s = projective_coeffs
.iter()
.map(|(_, _, z)| *z)
.collect::<Vec<_>>();
algebra::fields::batch_inversion(&mut z_s);
projective_coeffs
.iter()
.zip(z_s)
.map(|((x, y, _), z_inv)| (*x * &z_inv, *y * &z_inv))
.collect::<Vec<_>>()
});
let l = Vec::new_variable(
cs.ns("l"),
|| {
g2_prep
.clone()
.map(|c| c.iter().map(|(l, _)| *l).collect::<Vec<_>>())
},
mode,
)?;
let r = Vec::new_variable(
cs.ns("r"),
|| g2_prep.map(|c| c.iter().map(|(_, r)| *r).collect::<Vec<_>>()),
mode,
)?;
let ell_coeffs = l.into_iter().zip(r).collect();
Ok(Self { ell_coeffs })
}
}
impl<P: Bls12Parameters> ToBytesGadget<P::Fp> for G2PreparedGadget<P> {
impl<P: Bls12Parameters> ToBytesGadget<P::Fp> for G2PreparedVar<P> {
#[inline]
fn to_bytes<CS: ConstraintSystem<P::Fp>>(
&self,
mut cs: CS,
) -> Result<Vec<UInt8>, SynthesisError> {
fn to_bytes(&self) -> Result<Vec<UInt8<P::Fp>>, SynthesisError> {
let mut bytes = Vec::new();
for (i, coeffs) in self.ell_coeffs.iter().enumerate() {
let mut cs = cs.ns(|| format!("Iteration {}", i));
bytes.extend_from_slice(&coeffs.0.to_bytes(&mut cs.ns(|| "c0"))?);
bytes.extend_from_slice(&coeffs.1.to_bytes(&mut cs.ns(|| "c1"))?);
for coeffs in &self.ell_coeffs {
bytes.extend_from_slice(&coeffs.0.to_bytes()?);
bytes.extend_from_slice(&coeffs.1.to_bytes()?);
}
Ok(bytes)
}
fn to_non_unique_bytes<CS: ConstraintSystem<P::Fp>>(
&self,
mut cs: CS,
) -> Result<Vec<UInt8>, SynthesisError> {
fn to_non_unique_bytes(&self) -> Result<Vec<UInt8<P::Fp>>, SynthesisError> {
let mut bytes = Vec::new();
for (i, coeffs) in self.ell_coeffs.iter().enumerate() {
let mut cs = cs.ns(|| format!("Iteration {}", i));
bytes.extend_from_slice(&coeffs.0.to_non_unique_bytes(&mut cs.ns(|| "c0"))?);
bytes.extend_from_slice(&coeffs.1.to_non_unique_bytes(&mut cs.ns(|| "c1"))?);
for coeffs in &self.ell_coeffs {
bytes.extend_from_slice(&coeffs.0.to_non_unique_bytes()?);
bytes.extend_from_slice(&coeffs.1.to_non_unique_bytes()?);
}
Ok(bytes)
}
}
impl<P: Bls12Parameters> G2PreparedGadget<P> {
pub fn from_affine<CS: ConstraintSystem<P::Fp>>(
mut cs: CS,
q: &G2Gadget<P>,
) -> Result<Self, SynthesisError> {
impl<P: Bls12Parameters> G2PreparedVar<P> {
pub fn from_group_var(q: &G2Var<P>) -> Result<Self, SynthesisError> {
let q = q.to_affine()?;
let two_inv = P::Fp::one().double().inverse().unwrap();
let zero = G2Gadget::<P>::zero(cs.ns(|| "zero"))?;
q.enforce_not_equal(cs.ns(|| "enforce not zero"), &zero)?;
// Enforce that `q` is not the point at infinity.
q.infinity.enforce_not_equal(&Boolean::Constant(true))?;
let mut ell_coeffs = vec![];
let mut r = q.clone();
for (j, i) in BitIterator::new(P::X).skip(1).enumerate() {
let mut cs = cs.ns(|| format!("Iteration {}", j));
ell_coeffs.push(Self::double(cs.ns(|| "double"), &mut r, &two_inv)?);
for i in BitIterator::new(P::X).skip(1) {
ell_coeffs.push(Self::double(&mut r, &two_inv)?);
if i {
ell_coeffs.push(Self::add(cs.ns(|| "add"), &mut r, &q)?);
ell_coeffs.push(Self::add(&mut r, &q)?);
}
}
Ok(Self { ell_coeffs })
}
fn double<CS: ConstraintSystem<P::Fp>>(
mut cs: CS,
r: &mut G2Gadget<P>,
two_inv: &P::Fp,
) -> Result<LCoeff<P>, SynthesisError> {
let a = r.y.inverse(cs.ns(|| "Inverse"))?;
let mut b = r.x.square(cs.ns(|| "square x"))?;
fn double(r: &mut G2AffineVar<P>, two_inv: &P::Fp) -> Result<LCoeff<P>, SynthesisError> {
let a = r.y.inverse()?;
let mut b = r.x.square()?;
let b_tmp = b.clone();
b.mul_by_fp_constant_in_place(cs.ns(|| "mul by two_inv"), two_inv)?;
b.add_in_place(cs.ns(|| "compute b"), &b_tmp)?;
let c = a.mul(cs.ns(|| "compute c"), &b)?;
let d = r.x.double(cs.ns(|| "compute d"))?;
let x3 = c.square(cs.ns(|| "c^2"))?.sub(cs.ns(|| "sub d"), &d)?;
let e = c
.mul(cs.ns(|| "c*r.x"), &r.x)?
.sub(cs.ns(|| "sub r.y"), &r.y)?;
let c_x3 = c.mul(cs.ns(|| "c*x_3"), &x3)?;
let y3 = e.sub(cs.ns(|| "e = c * x3"), &c_x3)?;
b.mul_assign_by_base_field_constant(*two_inv);
b += &b_tmp;
let c = &a * &b;
let d = r.x.double()?;
let x3 = c.square()? - &d;
let e = &c * &r.x - &r.y;
let c_x3 = &c * &x3;
let y3 = &e - &c_x3;
let mut f = c;
f.negate_in_place(cs.ns(|| "c = -c"))?;
f.negate_in_place()?;
r.x = x3;
r.y = y3;
match P::TWIST_TYPE {
@ -237,28 +198,18 @@ impl G2PreparedGadget

{
}
}
fn add<CS: ConstraintSystem<P::Fp>>(
mut cs: CS,
r: &mut G2Gadget<P>,
q: &G2Gadget<P>,
) -> Result<LCoeff<P>, SynthesisError> {
let a =
q.x.sub(cs.ns(|| "q.x - r.x"), &r.x)?
.inverse(cs.ns(|| "calc a"))?;
let b = q.y.sub(cs.ns(|| "q.y - r.y"), &r.y)?;
let c = a.mul(cs.ns(|| "compute c"), &b)?;
let d = r.x.add(cs.ns(|| "r.x + q.x"), &q.x)?;
let x3 = c.square(cs.ns(|| "c^2"))?.sub(cs.ns(|| "sub d"), &d)?;
fn add(r: &mut G2AffineVar<P>, q: &G2AffineVar<P>) -> Result<LCoeff<P>, SynthesisError> {
let a = (&q.x - &r.x).inverse()?;
let b = &q.y - &r.y;
let c = &a * &b;
let d = &r.x + &q.x;
let x3 = c.square()? - &d;
let e =
r.x.sub(cs.ns(|| "r.x - x3"), &x3)?
.mul(cs.ns(|| "c * (r.x - x3)"), &c)?;
let y3 = e.sub(cs.ns(|| "calc y3"), &r.y)?;
let g = c
.mul(cs.ns(|| "c*r.x"), &r.x)?
.sub(cs.ns(|| "calc g"), &r.y)?;
let e = (&r.x - &x3) * &c;
let y3 = e - &r.y;
let g = &c * &r.x - &r.y;
let mut f = c;
f.negate_in_place(cs.ns(|| "c = -c"))?;
f.negate_in_place()?;
r.x = x3;
r.y = y3;
match P::TWIST_TYPE {

+ 236
- 424
r1cs-std/src/groups/curves/short_weierstrass/mnt4/mod.rs
View File

@ -5,94 +5,64 @@ use algebra::{
},
Field,
};
use r1cs_core::{ConstraintSystem, SynthesisError};
use r1cs_core::{Namespace, SynthesisError};
use crate::{
fields::{fp::FpGadget, fp2::Fp2Gadget, FieldGadget},
groups::curves::short_weierstrass::AffineGadget,
pairing::mnt4::PairingGadget,
fields::{fp::FpVar, fp2::Fp2Var, FieldVar},
groups::curves::short_weierstrass::ProjectiveVar,
pairing::mnt4::PairingVar,
prelude::*,
Vec,
};
use core::borrow::Borrow;
pub type G1Gadget<P> = AffineGadget<
<P as MNT4Parameters>::G1Parameters,
<P as MNT4Parameters>::Fp,
FpGadget<<P as MNT4Parameters>::Fp>,
>;
pub type G1Var<P> =
ProjectiveVar<<P as MNT4Parameters>::G1Parameters, FpVar<<P as MNT4Parameters>::Fp>>;
pub type G2Gadget<P> =
AffineGadget<<P as MNT4Parameters>::G2Parameters, <P as MNT4Parameters>::Fp, Fp2G<P>>;
pub type G2Var<P> = ProjectiveVar<<P as MNT4Parameters>::G2Parameters, Fp2G<P>>;
#[derive(Derivative)]
#[derivative(Clone(bound = "P: MNT4Parameters"), Debug(bound = "P: MNT4Parameters"))]
pub struct G1PreparedGadget<P: MNT4Parameters> {
pub x: FpGadget<P::Fp>,
pub y: FpGadget<P::Fp>,
pub x_twist: Fp2Gadget<P::Fp2Params, P::Fp>,
pub y_twist: Fp2Gadget<P::Fp2Params, P::Fp>,
pub struct G1PreparedVar<P: MNT4Parameters> {
pub x: FpVar<P::Fp>,
pub y: FpVar<P::Fp>,
pub x_twist: Fp2Var<P::Fp2Params>,
pub y_twist: Fp2Var<P::Fp2Params>,
}
impl<P: MNT4Parameters> G1PreparedGadget<P> {
pub fn get_value(&self) -> Option<G1Prepared<P>> {
match (
self.x.get_value(),
self.y.get_value(),
self.x_twist.get_value(),
self.y_twist.get_value(),
) {
(Some(x), Some(y), Some(x_twist), Some(y_twist)) => Some(G1Prepared {
x,
y,
x_twist,
y_twist,
}),
_ => None,
}
}
pub fn from_affine<CS: ConstraintSystem<P::Fp>>(
mut cs: CS,
q: &G1Gadget<P>,
impl<P: MNT4Parameters> AllocVar<G1Prepared<P>, P::Fp> for G1PreparedVar<P> {
fn new_variable<T: Borrow<G1Prepared<P>>>(
cs: impl Into<Namespace<P::Fp>>,
f: impl FnOnce() -> Result<T, SynthesisError>,
mode: AllocationMode,
) -> Result<Self, SynthesisError> {
let x_twist = Fp2Gadget::new(
q.x.mul_by_constant(cs.ns(|| "g1.x * twist.c0"), &P::TWIST.c0)?,
q.x.mul_by_constant(cs.ns(|| "g1.x * twist.c1"), &P::TWIST.c1)?,
);
let y_twist = Fp2Gadget::new(
q.y.mul_by_constant(cs.ns(|| "g1.y * twist.c0"), &P::TWIST.c0)?,
q.y.mul_by_constant(cs.ns(|| "g1.y * twist.c1"), &P::TWIST.c1)?,
);
Ok(G1PreparedGadget {
x: q.x.clone(),
y: q.y.clone(),
let ns = cs.into();
let cs = ns.cs();
let g1_prep = f().map(|b| *b.borrow());
let x = FpVar::new_variable(cs.ns("x"), || g1_prep.map(|g| g.x), mode)?;
let y = FpVar::new_variable(cs.ns("y"), || g1_prep.map(|g| g.y), mode)?;
let x_twist = Fp2Var::new_variable(cs.ns("x_twist"), || g1_prep.map(|g| g.x_twist), mode)?;
let y_twist = Fp2Var::new_variable(cs.ns("y_twist"), || g1_prep.map(|g| g.y_twist), mode)?;
Ok(Self {
x,
y,
x_twist,
y_twist,
})
}
}
impl<P: MNT4Parameters> AllocGadget<G1Prepared<P>, P::Fp> for G1PreparedGadget<P> {
fn alloc_constant<T, CS: ConstraintSystem<P::Fp>>(
mut cs: CS,
t: T,
) -> Result<Self, SynthesisError>
where
T: Borrow<G1Prepared<P>>,
{
let obj = t.borrow();
let x = FpGadget::<P::Fp>::alloc_constant(&mut cs.ns(|| "alloc_x"), &obj.x)?;
let y = FpGadget::<P::Fp>::alloc_constant(&mut cs.ns(|| "alloc_y"), &obj.y)?;
let x_twist = Fp2Gadget::<P::Fp2Params, P::Fp>::alloc_constant(
&mut cs.ns(|| "alloc_x_twist"),
&obj.x_twist,
)?;
let y_twist = Fp2Gadget::<P::Fp2Params, P::Fp>::alloc_constant(
&mut cs.ns(|| "alloc_y_twist"),
&obj.y_twist,
)?;
Ok(G1PreparedGadget {
impl<P: MNT4Parameters> G1PreparedVar<P> {
pub fn value(&self) -> Result<G1Prepared<P>, SynthesisError> {
let (x, y, x_twist, y_twist) = (
self.x.value()?,
self.y.value()?,
self.x_twist.value()?,
self.y_twist.value()?,
);
Ok(G1Prepared {
x,
y,
x_twist,
@ -100,36 +70,26 @@ impl AllocGadget, P::Fp> for G1PreparedGadget
})
}
fn alloc<F, T, CS: ConstraintSystem<P::Fp>>(_cs: CS, _f: F) -> Result<Self, SynthesisError>
where
F: FnOnce() -> Result<T, SynthesisError>,
T: Borrow<G1Prepared<P>>,
{
todo!()
}
fn alloc_input<F, T, CS: ConstraintSystem<P::Fp>>(
_cs: CS,
_f: F,
) -> Result<Self, SynthesisError>
where
F: FnOnce() -> Result<T, SynthesisError>,
T: Borrow<G1Prepared<P>>,
{
todo!()
pub fn from_group_var(q: &G1Var<P>) -> Result<Self, SynthesisError> {
let q = q.to_affine()?;
let x_twist = Fp2Var::new(&q.x * P::TWIST.c0, &q.x * P::TWIST.c1);
let y_twist = Fp2Var::new(&q.y * P::TWIST.c0, &q.y * P::TWIST.c1);
Ok(G1PreparedVar {
x: q.x.clone(),
y: q.y.clone(),
x_twist,
y_twist,
})
}
}
impl<P: MNT4Parameters> ToBytesGadget<P::Fp> for G1PreparedGadget<P> {
impl<P: MNT4Parameters> ToBytesGadget<P::Fp> for G1PreparedVar<P> {
#[inline]
fn to_bytes<CS: ConstraintSystem<P::Fp>>(
&self,
mut cs: CS,
) -> Result<Vec<UInt8>, SynthesisError> {
let mut x = self.x.to_bytes(&mut cs.ns(|| "x to bytes"))?;
let mut y = self.y.to_bytes(&mut cs.ns(|| "y to bytes"))?;
let mut x_twist = self.x_twist.to_bytes(&mut cs.ns(|| "x_twist to bytes"))?;
let mut y_twist = self.y_twist.to_bytes(&mut cs.ns(|| "y_twist to bytes"))?;
fn to_bytes(&self) -> Result<Vec<UInt8<P::Fp>>, SynthesisError> {
let mut x = self.x.to_bytes()?;
let mut y = self.y.to_bytes()?;
let mut x_twist = self.x_twist.to_bytes()?;
let mut y_twist = self.y_twist.to_bytes()?;
x.append(&mut y);
x.append(&mut x_twist);
@ -137,18 +97,11 @@ impl ToBytesGadget for G1PreparedGadget

{
Ok(x)
}
fn to_non_unique_bytes<CS: ConstraintSystem<P::Fp>>(
&self,
mut cs: CS,
) -> Result<Vec<UInt8>, SynthesisError> {
let mut x = self.x.to_non_unique_bytes(&mut cs.ns(|| "x to bytes"))?;
let mut y = self.y.to_non_unique_bytes(&mut cs.ns(|| "y to bytes"))?;
let mut x_twist = self
.x_twist
.to_non_unique_bytes(&mut cs.ns(|| "x_twist to bytes"))?;
let mut y_twist = self
.y_twist
.to_non_unique_bytes(&mut cs.ns(|| "y_twist to bytes"))?;
fn to_non_unique_bytes(&self) -> Result<Vec<UInt8<P::Fp>>, SynthesisError> {
let mut x = self.x.to_non_unique_bytes()?;
let mut y = self.y.to_non_unique_bytes()?;
let mut x_twist = self.x_twist.to_non_unique_bytes()?;
let mut y_twist = self.y_twist.to_non_unique_bytes()?;
x.append(&mut y);
x.append(&mut x_twist);
@ -157,53 +110,48 @@ impl ToBytesGadget for G1PreparedGadget

{
}
}
type Fp2G<P> = Fp2Gadget<<P as MNT4Parameters>::Fp2Params, <P as MNT4Parameters>::Fp>;
type Fp2G<P> = Fp2Var<<P as MNT4Parameters>::Fp2Params>;
#[derive(Derivative)]
#[derivative(Clone(bound = "P: MNT4Parameters"), Debug(bound = "P: MNT4Parameters"))]
pub struct G2PreparedGadget<P: MNT4Parameters> {
pub x: Fp2Gadget<P::Fp2Params, P::Fp>,
pub y: Fp2Gadget<P::Fp2Params, P::Fp>,
pub x_over_twist: Fp2Gadget<P::Fp2Params, P::Fp>,
pub y_over_twist: Fp2Gadget<P::Fp2Params, P::Fp>,
pub double_coefficients: Vec<AteDoubleCoefficientsGadget<P>>,
pub addition_coefficients: Vec<AteAdditionCoefficientsGadget<P>>,
pub struct G2PreparedVar<P: MNT4Parameters> {
pub x: Fp2Var<P::Fp2Params>,
pub y: Fp2Var<P::Fp2Params>,
pub x_over_twist: Fp2Var<P::Fp2Params>,
pub y_over_twist: Fp2Var<P::Fp2Params>,
pub double_coefficients: Vec<AteDoubleCoefficientsVar<P>>,
pub addition_coefficients: Vec<AteAdditionCoefficientsVar<P>>,
}
impl<P: MNT4Parameters> AllocGadget<G2Prepared<P>, P::Fp> for G2PreparedGadget<P> {
fn alloc_constant<T, CS: ConstraintSystem<P::Fp>>(
mut cs: CS,
t: T,
) -> Result<Self, SynthesisError>
where
T: Borrow<G2Prepared<P>>,
{
let obj = t.borrow();
let x = Fp2Gadget::<P::Fp2Params, P::Fp>::alloc_constant(&mut cs.ns(|| "alloc_x"), &obj.x)?;
let y = Fp2Gadget::<P::Fp2Params, P::Fp>::alloc_constant(&mut cs.ns(|| "alloc_y"), &obj.y)?;
let x_over_twist = Fp2Gadget::<P::Fp2Params, P::Fp>::alloc_constant(
&mut cs.ns(|| "alloc_x_over_twist"),
&obj.x_over_twist,
impl<P: MNT4Parameters> AllocVar<G2Prepared<P>, P::Fp> for G2PreparedVar<P> {
fn new_variable<T: Borrow<G2Prepared<P>>>(
cs: impl Into<Namespace<P::Fp>>,
f: impl FnOnce() -> Result<T, SynthesisError>,
mode: AllocationMode,
) -> Result<Self, SynthesisError> {
let ns = cs.into();
let cs = ns.cs();
let g2_prep = f().map(|b| b.borrow().clone());
let g2 = g2_prep.as_ref().map_err(|e| *e);
let x = Fp2Var::new_variable(cs.ns("x"), || g2.map(|g| g.x), mode)?;
let y = Fp2Var::new_variable(cs.ns("y"), || g2.map(|g| g.y), mode)?;
let x_over_twist =
Fp2Var::new_variable(cs.ns("x_over_twist"), || g2.map(|g| g.x_over_twist), mode)?;
let y_over_twist =
Fp2Var::new_variable(cs.ns("y_over_twist"), || g2.map(|g| g.y_over_twist), mode)?;
let double_coefficients = Vec::new_variable(
cs.ns("double coeffs"),
|| g2.map(|g| g.double_coefficients.clone()),
mode,
)?;
let y_over_twist = Fp2Gadget::<P::Fp2Params, P::Fp>::alloc_constant(
&mut cs.ns(|| "alloc_y_over_twist"),
&obj.y_over_twist,
let addition_coefficients = Vec::new_variable(
cs.ns("add coeffs"),
|| g2.map(|g| g.addition_coefficients.clone()),
mode,
)?;
let mut double_coefficients = Vec::<AteDoubleCoefficientsGadget<P>>::new();
for (i, item) in obj.double_coefficients.iter().enumerate() {
double_coefficients.push(AteDoubleCoefficientsGadget::<P>::alloc_constant(
&mut cs.ns(|| format!("alloc_double_coefficients_{}", i)),
item,
)?);
}
let mut addition_coefficients = Vec::<AteAdditionCoefficientsGadget<P>>::new();
for (i, item) in obj.addition_coefficients.iter().enumerate() {
addition_coefficients.push(AteAdditionCoefficientsGadget::<P>::alloc_constant(
&mut cs.ns(|| format!("alloc_addition_coefficients_{}", i)),
item,
)?);
}
Ok(G2PreparedGadget {
Ok(Self {
x,
y,
x_over_twist,
@ -212,142 +160,93 @@ impl AllocGadget, P::Fp> for G2PreparedGadget
addition_coefficients,
})
}
fn alloc<F, T, CS: ConstraintSystem<P::Fp>>(_cs: CS, _f: F) -> Result<Self, SynthesisError>
where
F: FnOnce() -> Result<T, SynthesisError>,
T: Borrow<G2Prepared<P>>,
{
todo!()
}
fn alloc_input<F, T, CS: ConstraintSystem<P::Fp>>(
_cs: CS,
_f: F,
) -> Result<Self, SynthesisError>
where
F: FnOnce() -> Result<T, SynthesisError>,
T: Borrow<G2Prepared<P>>,
{
todo!()
}
}
impl<P: MNT4Parameters> ToBytesGadget<P::Fp> for G2PreparedGadget<P> {
impl<P: MNT4Parameters> ToBytesGadget<P::Fp> for G2PreparedVar<P> {
#[inline]
fn to_bytes<CS: ConstraintSystem<P::Fp>>(
&self,
mut cs: CS,
) -> Result<Vec<UInt8>, SynthesisError> {
let mut x = self.x.to_bytes(&mut cs.ns(|| "x to bytes"))?;
let mut y = self.y.to_bytes(&mut cs.ns(|| "y to bytes"))?;
let mut x_over_twist = self
.x_over_twist
.to_bytes(&mut cs.ns(|| "x_over_twist to bytes"))?;
let mut y_over_twist = self
.y_over_twist
.to_bytes(&mut cs.ns(|| "y_over_twist to bytes"))?;
fn to_bytes(&self) -> Result<Vec<UInt8<P::Fp>>, SynthesisError> {
let mut x = self.x.to_bytes()?;
let mut y = self.y.to_bytes()?;
let mut x_over_twist = self.x_over_twist.to_bytes()?;
let mut y_over_twist = self.y_over_twist.to_bytes()?;
x.append(&mut y);
x.append(&mut x_over_twist);
x.append(&mut y_over_twist);
for (i, coeff) in self.double_coefficients.iter().enumerate() {
x.extend_from_slice(&coeff.to_bytes(cs.ns(|| format!("double_coefficients {}", i)))?);
for coeff in &self.double_coefficients {
x.extend_from_slice(&coeff.to_bytes()?);
}
for (i, coeff) in self.addition_coefficients.iter().enumerate() {
x.extend_from_slice(&coeff.to_bytes(cs.ns(|| format!("addition_coefficients {}", i)))?);
for coeff in &self.addition_coefficients {
x.extend_from_slice(&coeff.to_bytes()?);
}
Ok(x)
}
fn to_non_unique_bytes<CS: ConstraintSystem<P::Fp>>(
&self,
mut cs: CS,
) -> Result<Vec<UInt8>, SynthesisError> {
let mut x = self.x.to_non_unique_bytes(&mut cs.ns(|| "x to bytes"))?;
let mut y = self.y.to_non_unique_bytes(&mut cs.ns(|| "y to bytes"))?;
let mut x_over_twist = self
.x_over_twist
.to_non_unique_bytes(&mut cs.ns(|| "x_over_twist to bytes"))?;
let mut y_over_twist = self
.y_over_twist
.to_non_unique_bytes(&mut cs.ns(|| "y_over_twist to bytes"))?;
fn to_non_unique_bytes(&self) -> Result<Vec<UInt8<P::Fp>>, SynthesisError> {
let mut x = self.x.to_non_unique_bytes()?;
let mut y = self.y.to_non_unique_bytes()?;
let mut x_over_twist = self.x_over_twist.to_non_unique_bytes()?;
let mut y_over_twist = self.y_over_twist.to_non_unique_bytes()?;
x.append(&mut y);
x.append(&mut x_over_twist);
x.append(&mut y_over_twist);
for (i, coeff) in self.double_coefficients.iter().enumerate() {
x.extend_from_slice(
&coeff.to_non_unique_bytes(cs.ns(|| format!("double_coefficients {}", i)))?,
);
for coeff in &self.double_coefficients {
x.extend_from_slice(&coeff.to_non_unique_bytes()?);
}
for (i, coeff) in self.addition_coefficients.iter().enumerate() {
x.extend_from_slice(
&coeff.to_non_unique_bytes(cs.ns(|| format!("addition_coefficients {}", i)))?,
);
for coeff in &self.addition_coefficients {
x.extend_from_slice(&coeff.to_non_unique_bytes()?);
}
Ok(x)
}
}
impl<P: MNT4Parameters> G2PreparedGadget<P> {
pub fn get_value(&self) -> Option<G2Prepared<P>> {
match (
self.x.get_value(),
self.y.get_value(),
self.x_over_twist.get_value(),
self.y_over_twist.get_value(),
self.double_coefficients
.iter()
.map(|coeff| coeff.get_value())
.collect::<Option<Vec<AteDoubleCoefficients<P>>>>(),
self.addition_coefficients
.iter()
.map(|coeff| coeff.get_value())
.collect::<Option<Vec<AteAdditionCoefficients<P>>>>(),
) {
(
Some(x),
Some(y),
Some(x_over_twist),
Some(y_over_twist),
Some(double_coefficients),
Some(addition_coefficients),
) => Some(G2Prepared {
x,
y,
x_over_twist,
y_over_twist,
double_coefficients,
addition_coefficients,
}),
_ => None,
}
impl<P: MNT4Parameters> G2PreparedVar<P> {
pub fn value(&self) -> Result<G2Prepared<P>, SynthesisError> {
let x = self.x.value()?;
let y = self.y.value()?;
let x_over_twist = self.x_over_twist.value()?;
let y_over_twist = self.y_over_twist.value()?;
let double_coefficients = self
.double_coefficients
.iter()
.map(|coeff| coeff.value())
.collect::<Result<Vec<AteDoubleCoefficients<P>>, _>>()?;
let addition_coefficients = self
.addition_coefficients
.iter()
.map(|coeff| coeff.value())
.collect::<Result<Vec<AteAdditionCoefficients<P>>, _>>()?;
Ok(G2Prepared {
x,
y,
x_over_twist,
y_over_twist,
double_coefficients,
addition_coefficients,
})
}
pub fn from_affine<CS: ConstraintSystem<P::Fp>>(
mut cs: CS,
q: &G2Gadget<P>,
) -> Result<Self, SynthesisError> {
pub fn from_group_var(q: &G2Var<P>) -> Result<Self, SynthesisError> {
let twist_inv = P::TWIST.inverse().unwrap();
let q = q.to_affine()?;
let mut g2p = G2PreparedGadget {
let mut g2p = G2PreparedVar {
x: q.x.clone(),
y: q.y.clone(),
x_over_twist: q.x.mul_by_constant(cs.ns(|| "x over twist"), &twist_inv)?,
y_over_twist: q.y.mul_by_constant(cs.ns(|| "y over twist"), &twist_inv)?,
x_over_twist: &q.x * twist_inv,
y_over_twist: &q.y * twist_inv,
double_coefficients: vec![],
addition_coefficients: vec![],
};
let fp2_one = Fp2G::<P>::one(cs.ns(|| "one"))?;
let mut r = G2ProjectiveExtendedGadget {
let mut r = G2ProjectiveExtendedVar {
x: q.x.clone(),
y: q.y.clone(),
z: fp2_one.clone(),
t: fp2_one,
z: Fp2G::<P>::one(),
t: Fp2G::<P>::one(),
};
for (idx, value) in P::ATE_LOOP_COUNT.iter().rev().enumerate() {
@ -362,24 +261,15 @@ impl G2PreparedGadget

{
tmp >>= 1;
}
let mut cs = cs.ns(|| format!("ate loop iteration {}", idx));
for (j, bit) in v.iter().rev().enumerate() {
let (r2, coeff) = PairingGadget::<P>::doubling_step_for_flipped_miller_loop(
cs.ns(|| format!("doubling step {}", j)),
&r,
)?;
for bit in v.iter().rev() {
let (r2, coeff) = PairingVar::<P>::doubling_step_for_flipped_miller_loop(&r)?;
g2p.double_coefficients.push(coeff);
r = r2;
if *bit {
let (r2, coeff) =
PairingGadget::<P>::mixed_addition_step_for_flipped_miller_loop(
cs.ns(|| format!("mixed addition step {}", j)),
&q.x,
&q.y,
&r,
)?;
let (r2, coeff) = PairingVar::<P>::mixed_addition_step_for_flipped_miller_loop(
&q.x, &q.y, &r,
)?;
g2p.addition_coefficients.push(coeff);
r = r2;
}
@ -389,17 +279,14 @@ impl G2PreparedGadget

{
}
if P::ATE_IS_LOOP_COUNT_NEG {
let rz_inv = r.z.inverse(cs.ns(|| "inverse r.z"))?;
let rz2_inv = rz_inv.square(cs.ns(|| "rz_inv^2"))?;
let rz3_inv = rz_inv.mul(cs.ns(|| "rz_inv * rz_inv^2"), &rz2_inv)?;
let rz_inv = r.z.inverse()?;
let rz2_inv = rz_inv.square()?;
let rz3_inv = &rz_inv * &rz2_inv;
let minus_r_affine_x = r.x.mul(cs.ns(|| "r.x * rz2_inv"), &rz2_inv)?;
let minus_r_affine_y =
r.y.negate(cs.ns(|| "-r.y"))?
.mul(cs.ns(|| "-r.y * rz3_inv"), &rz3_inv)?;
let minus_r_affine_x = &r.x * &rz2_inv;
let minus_r_affine_y = r.y.negate()? * &rz3_inv;
let add_result = PairingGadget::<P>::mixed_addition_step_for_flipped_miller_loop(
cs.ns(|| "mixed_addition step"),
let add_result = PairingVar::<P>::mixed_addition_step_for_flipped_miller_loop(
&minus_r_affine_x,
&minus_r_affine_y,
&r,
@ -413,73 +300,45 @@ impl G2PreparedGadget

{
#[derive(Derivative)]
#[derivative(Clone(bound = "P: MNT4Parameters"), Debug(bound = "P: MNT4Parameters"))]
pub struct AteDoubleCoefficientsGadget<P: MNT4Parameters> {
pub c_h: Fp2Gadget<P::Fp2Params, P::Fp>,
pub c_4c: Fp2Gadget<P::Fp2Params, P::Fp>,
pub c_j: Fp2Gadget<P::Fp2Params, P::Fp>,
pub c_l: Fp2Gadget<P::Fp2Params, P::Fp>,
pub struct AteDoubleCoefficientsVar<P: MNT4Parameters> {
pub c_h: Fp2Var<P::Fp2Params>,
pub c_4c: Fp2Var<P::Fp2Params>,
pub c_j: Fp2Var<P::Fp2Params>,
pub c_l: Fp2Var<P::Fp2Params>,
}
impl<P: MNT4Parameters> AllocGadget<AteDoubleCoefficients<P>, P::Fp>
for AteDoubleCoefficientsGadget<P>
{
fn alloc_constant<T, CS: ConstraintSystem<P::Fp>>(
mut cs: CS,
t: T,
) -> Result<Self, SynthesisError>
where
T: Borrow<AteDoubleCoefficients<P>>,
{
let obj = t.borrow();
let c_h =
Fp2Gadget::<P::Fp2Params, P::Fp>::alloc_constant(&mut cs.ns(|| "alloc_c_h"), &obj.c_h)?;
let c_4c = Fp2Gadget::<P::Fp2Params, P::Fp>::alloc_constant(
&mut cs.ns(|| "alloc_c_4c"),
&obj.c_4c,
)?;
let c_j =
Fp2Gadget::<P::Fp2Params, P::Fp>::alloc_constant(&mut cs.ns(|| "alloc_c_j"), &obj.c_j)?;
let c_l =
Fp2Gadget::<P::Fp2Params, P::Fp>::alloc_constant(&mut cs.ns(|| "alloc_c_l"), &obj.c_l)?;
impl<P: MNT4Parameters> AllocVar<AteDoubleCoefficients<P>, P::Fp> for AteDoubleCoefficientsVar<P> {
fn new_variable<T: Borrow<AteDoubleCoefficients<P>>>(
cs: impl Into<Namespace<P::Fp>>,
f: impl FnOnce() -> Result<T, SynthesisError>,
mode: AllocationMode,
) -> Result<Self, SynthesisError> {
let ns = cs.into();
let cs = ns.cs();
Ok(AteDoubleCoefficientsGadget {
let c_prep = f().map(|c| c.borrow().clone());
let c = c_prep.as_ref().map_err(|e| *e);
let c_h = Fp2Var::new_variable(cs.ns("c_h"), || c.map(|c| c.c_h), mode)?;
let c_4c = Fp2Var::new_variable(cs.ns("c_4c"), || c.map(|c| c.c_4c), mode)?;
let c_j = Fp2Var::new_variable(cs.ns("c_j"), || c.map(|c| c.c_j), mode)?;
let c_l = Fp2Var::new_variable(cs.ns("c_l"), || c.map(|c| c.c_l), mode)?;
Ok(Self {
c_h,
c_4c,
c_j,
c_l,
})
}
fn alloc<F, T, CS: ConstraintSystem<P::Fp>>(_cs: CS, _f: F) -> Result<Self, SynthesisError>
where
F: FnOnce() -> Result<T, SynthesisError>,
T: Borrow<AteDoubleCoefficients<P>>,
{
todo!()
}
fn alloc_input<F, T, CS: ConstraintSystem<P::Fp>>(
_cs: CS,
_f: F,
) -> Result<Self, SynthesisError>
where
F: FnOnce() -> Result<T, SynthesisError>,
T: Borrow<AteDoubleCoefficients<P>>,
{
todo!()
}
}
impl<P: MNT4Parameters> ToBytesGadget<P::Fp> for AteDoubleCoefficientsGadget<P> {
impl<P: MNT4Parameters> ToBytesGadget<P::Fp> for AteDoubleCoefficientsVar<P> {
#[inline]
fn to_bytes<CS: ConstraintSystem<P::Fp>>(
&self,
mut cs: CS,
) -> Result<Vec<UInt8>, SynthesisError> {
let mut c_h = self.c_h.to_bytes(&mut cs.ns(|| "c_h to bytes"))?;
let mut c_4c = self.c_4c.to_bytes(&mut cs.ns(|| "c_4c to bytes"))?;
let mut c_j = self.c_j.to_bytes(&mut cs.ns(|| "c_j to bytes"))?;
let mut c_l = self.c_l.to_bytes(&mut cs.ns(|| "c_l to bytes"))?;
fn to_bytes(&self) -> Result<Vec<UInt8<P::Fp>>, SynthesisError> {
let mut c_h = self.c_h.to_bytes()?;
let mut c_4c = self.c_4c.to_bytes()?;
let mut c_j = self.c_j.to_bytes()?;
let mut c_l = self.c_l.to_bytes()?;
c_h.append(&mut c_4c);
c_h.append(&mut c_j);
@ -487,22 +346,11 @@ impl ToBytesGadget for AteDoubleCoefficientsGadget
Ok(c_h)
}
fn to_non_unique_bytes<CS: ConstraintSystem<P::Fp>>(
&self,
mut cs: CS,
) -> Result<Vec<UInt8>, SynthesisError> {
let mut c_h = self
.c_h
.to_non_unique_bytes(&mut cs.ns(|| "c_h to bytes"))?;
let mut c_4c = self
.c_4c
.to_non_unique_bytes(&mut cs.ns(|| "c_4c to bytes"))?;
let mut c_j = self
.c_j
.to_non_unique_bytes(&mut cs.ns(|| "c_j to bytes"))?;
let mut c_l = self
.c_l
.to_non_unique_bytes(&mut cs.ns(|| "c_l to bytes"))?;
fn to_non_unique_bytes(&self) -> Result<Vec<UInt8<P::Fp>>, SynthesisError> {
let mut c_h = self.c_h.to_non_unique_bytes()?;
let mut c_4c = self.c_4c.to_non_unique_bytes()?;
let mut c_j = self.c_j.to_non_unique_bytes()?;
let mut c_l = self.c_l.to_non_unique_bytes()?;
c_h.append(&mut c_4c);
c_h.append(&mut c_j);
@ -511,115 +359,79 @@ impl ToBytesGadget for AteDoubleCoefficientsGadget
}
}
impl<P: MNT4Parameters> AteDoubleCoefficientsGadget<P> {
pub fn get_value(&self) -> Option<AteDoubleCoefficients<P>> {
match (
self.c_h.get_value(),
self.c_4c.get_value(),
self.c_j.get_value(),
self.c_l.get_value(),
) {
(Some(c_h), Some(c_4c), Some(c_j), Some(c_l)) => Some(AteDoubleCoefficients {
c_h,
c_4c,
c_j,
c_l,
}),
_ => None,
}
impl<P: MNT4Parameters> AteDoubleCoefficientsVar<P> {
pub fn value(&self) -> Result<AteDoubleCoefficients<P>, SynthesisError> {
let (c_h, c_4c, c_j, c_l) = (
self.c_l.value()?,
self.c_4c.value()?,
self.c_j.value()?,
self.c_l.value()?,
);
Ok(AteDoubleCoefficients {
c_h,
c_4c,
c_j,
c_l,
})
}
}
#[derive(Derivative)]
#[derivative(Clone(bound = "P: MNT4Parameters"), Debug(bound = "P: MNT4Parameters"))]
pub struct AteAdditionCoefficientsGadget<P: MNT4Parameters> {
pub c_l1: Fp2Gadget<P::Fp2Params, P::Fp>,
pub c_rz: Fp2Gadget<P::Fp2Params, P::Fp>,
pub struct AteAdditionCoefficientsVar<P: MNT4Parameters> {
pub c_l1: Fp2Var<P::Fp2Params>,
pub c_rz: Fp2Var<P::Fp2Params>,
}
impl<P: MNT4Parameters> AllocGadget<AteAdditionCoefficients<P>, P::Fp>
for AteAdditionCoefficientsGadget<P>
impl<P: MNT4Parameters> AllocVar<AteAdditionCoefficients<P>, P::Fp>
for AteAdditionCoefficientsVar<P>
{
fn alloc_constant<T, CS: ConstraintSystem<P::Fp>>(
mut cs: CS,
t: T,
) -> Result<Self, SynthesisError>
where
T: Borrow<AteAdditionCoefficients<P>>,
{
let obj = t.borrow();
let c_l1 = Fp2Gadget::<P::Fp2Params, P::Fp>::alloc_constant(
&mut cs.ns(|| "alloc_c_l1"),
&obj.c_l1,
)?;
let c_rz = Fp2Gadget::<P::Fp2Params, P::Fp>::alloc_constant(
&mut cs.ns(|| "alloc_c_rz"),
&obj.c_rz,
)?;
Ok(AteAdditionCoefficientsGadget { c_l1, c_rz })
}
fn new_variable<T: Borrow<AteAdditionCoefficients<P>>>(
cs: impl Into<Namespace<P::Fp>>,
f: impl FnOnce() -> Result<T, SynthesisError>,
mode: AllocationMode,
) -> Result<Self, SynthesisError> {
let ns = cs.into();
let cs = ns.cs();
fn alloc<F, T, CS: ConstraintSystem<P::Fp>>(_cs: CS, _f: F) -> Result<Self, SynthesisError>
where
F: FnOnce() -> Result<T, SynthesisError>,
T: Borrow<AteAdditionCoefficients<P>>,
{
todo!()
}
let c_prep = f().map(|c| c.borrow().clone());
let c = c_prep.as_ref().map_err(|e| *e);
fn alloc_input<F, T, CS: ConstraintSystem<P::Fp>>(
_cs: CS,
_f: F,
) -> Result<Self, SynthesisError>
where
F: FnOnce() -> Result<T, SynthesisError>,
T: Borrow<AteAdditionCoefficients<P>>,
{
todo!()
let c_l1 = Fp2Var::new_variable(cs.ns("c_l1"), || c.map(|c| c.c_l1), mode)?;
let c_rz = Fp2Var::new_variable(cs.ns("c_rz"), || c.map(|c| c.c_rz), mode)?;
Ok(Self { c_l1, c_rz })
}
}
impl<P: MNT4Parameters> ToBytesGadget<P::Fp> for AteAdditionCoefficientsGadget<P> {
impl<P: MNT4Parameters> ToBytesGadget<P::Fp> for AteAdditionCoefficientsVar<P> {
#[inline]
fn to_bytes<CS: ConstraintSystem<P::Fp>>(
&self,
mut cs: CS,
) -> Result<Vec<UInt8>, SynthesisError> {
let mut c_l1 = self.c_l1.to_bytes(&mut cs.ns(|| "c_l1 to bytes"))?;
let mut c_rz = self.c_rz.to_bytes(&mut cs.ns(|| "c_rz to bytes"))?;
fn to_bytes(&self) -> Result<Vec<UInt8<P::Fp>>, SynthesisError> {
let mut c_l1 = self.c_l1.to_bytes()?;
let mut c_rz = self.c_rz.to_bytes()?;
c_l1.append(&mut c_rz);
Ok(c_l1)
}
fn to_non_unique_bytes<CS: ConstraintSystem<P::Fp>>(
&self,
mut cs: CS,
) -> Result<Vec<UInt8>, SynthesisError> {
let mut c_l1 = self
.c_l1
.to_non_unique_bytes(&mut cs.ns(|| "c_l1 to bytes"))?;
let mut c_rz = self
.c_rz
.to_non_unique_bytes(&mut cs.ns(|| "c_rz to bytes"))?;
fn to_non_unique_bytes(&self) -> Result<Vec<UInt8<P::Fp>>, SynthesisError> {
let mut c_l1 = self.c_l1.to_non_unique_bytes()?;
let mut c_rz = self.c_rz.to_non_unique_bytes()?;
c_l1.append(&mut c_rz);
Ok(c_l1)
}
}
impl<P: MNT4Parameters> AteAdditionCoefficientsGadget<P> {
pub fn get_value(&self) -> Option<AteAdditionCoefficients<P>> {
match (self.c_l1.get_value(), self.c_rz.get_value()) {
(Some(c_l1), Some(c_rz)) => Some(AteAdditionCoefficients { c_l1, c_rz }),
_ => None,
}
impl<P: MNT4Parameters> AteAdditionCoefficientsVar<P> {
pub fn value(&self) -> Result<AteAdditionCoefficients<P>, SynthesisError> {
let (c_l1, c_rz) = (self.c_l1.value()?, self.c_rz.value()?);
Ok(AteAdditionCoefficients { c_l1, c_rz })
}
}
pub struct G2ProjectiveExtendedGadget<P: MNT4Parameters> {
pub x: Fp2Gadget<P::Fp2Params, P::Fp>,
pub y: Fp2Gadget<P::Fp2Params, P::Fp>,
pub z: Fp2Gadget<P::Fp2Params, P::Fp>,
pub t: Fp2Gadget<P::Fp2Params, P::Fp>,
pub struct G2ProjectiveExtendedVar<P: MNT4Parameters> {
pub x: Fp2Var<P::Fp2Params>,
pub y: Fp2Var<P::Fp2Params>,
pub z: Fp2Var<P::Fp2Params>,
pub t: Fp2Var<P::Fp2Params>,
}

+ 247
- 442
r1cs-std/src/groups/curves/short_weierstrass/mnt6/mod.rs
View File

@ -5,135 +5,91 @@ use algebra::{
},
Field,
};
use core::borrow::Borrow;
use r1cs_core::{ConstraintSystem, SynthesisError};
use r1cs_core::{Namespace, SynthesisError};
use crate::{
fields::{fp::FpGadget, fp3::Fp3Gadget, FieldGadget},
groups::curves::short_weierstrass::AffineGadget,
pairing::mnt6::PairingGadget,
fields::{fp::FpVar, fp3::Fp3Var, FieldVar},
groups::curves::short_weierstrass::ProjectiveVar,
pairing::mnt6::PairingVar,
prelude::*,
Vec,
};
use core::borrow::Borrow;
pub type G1Gadget<P> = AffineGadget<
<P as MNT6Parameters>::G1Parameters,
<P as MNT6Parameters>::Fp,
FpGadget<<P as MNT6Parameters>::Fp>,
>;
pub type G1Var<P> =
ProjectiveVar<<P as MNT6Parameters>::G1Parameters, FpVar<<P as MNT6Parameters>::Fp>>;
pub type G2Gadget<P> =
AffineGadget<<P as MNT6Parameters>::G2Parameters, <P as MNT6Parameters>::Fp, Fp3G<P>>;
pub type G2Var<P> = ProjectiveVar<<P as MNT6Parameters>::G2Parameters, Fp3G<P>>;
#[derive(Derivative)]
#[derivative(Clone(bound = "P: MNT6Parameters"), Debug(bound = "P: MNT6Parameters"))]
pub struct G1PreparedGadget<P: MNT6Parameters> {
pub x: FpGadget<P::Fp>,
pub y: FpGadget<P::Fp>,
pub x_twist: Fp3Gadget<P::Fp3Params, P::Fp>,
pub y_twist: Fp3Gadget<P::Fp3Params, P::Fp>,
pub struct G1PreparedVar<P: MNT6Parameters> {
pub x: FpVar<P::Fp>,
pub y: FpVar<P::Fp>,
pub x_twist: Fp3Var<P::Fp3Params>,
pub y_twist: Fp3Var<P::Fp3Params>,
}
impl<P: MNT6Parameters> AllocGadget<G1Prepared<P>, P::Fp> for G1PreparedGadget<P> {
fn alloc_constant<T, CS: ConstraintSystem<P::Fp>>(
mut cs: CS,
t: T,
) -> Result<Self, SynthesisError>
where
T: Borrow<G1Prepared<P>>,
{
let obj = t.borrow();
let x_gadget = FpGadget::<P::Fp>::alloc_constant(&mut cs.ns(|| "x"), &obj.x)?;
let y_gadget = FpGadget::<P::Fp>::alloc_constant(&mut cs.ns(|| "y"), &obj.y)?;
let x_twist_gadget = Fp3Gadget::<P::Fp3Params, P::Fp>::alloc_constant(
&mut cs.ns(|| "x_twist"),
&obj.x_twist,
)?;
let y_twist_gadget = Fp3Gadget::<P::Fp3Params, P::Fp>::alloc_constant(
&mut cs.ns(|| "y_twist"),
&obj.y_twist,
)?;
Ok(Self {
x: x_gadget,
y: y_gadget,
x_twist: x_twist_gadget,
y_twist: y_twist_gadget,
impl<P: MNT6Parameters> G1PreparedVar<P> {
pub fn value(&self) -> Result<G1Prepared<P>, SynthesisError> {
let x = self.x.value()?;
let y = self.y.value()?;
let x_twist = self.x_twist.value()?;
let y_twist = self.y_twist.value()?;
Ok(G1Prepared {
x,
y,
x_twist,
y_twist,
})
}
fn alloc<F, T, CS: ConstraintSystem<P::Fp>>(_cs: CS, _f: F) -> Result<Self, SynthesisError>
where
F: FnOnce() -> Result<T, SynthesisError>,
T: Borrow<G1Prepared<P>>,
{
todo!()
}
fn alloc_input<F, T, CS: ConstraintSystem<P::Fp>>(
_cs: CS,
_f: F,
) -> Result<Self, SynthesisError>
where
F: FnOnce() -> Result<T, SynthesisError>,
T: Borrow<G1Prepared<P>>,
{
todo!()
pub fn from_group_var(q: &G1Var<P>) -> Result<Self, SynthesisError> {
let q = q.to_affine()?;
let zero = FpVar::<P::Fp>::zero();
let x_twist = Fp3Var::new(q.x.clone(), zero.clone(), zero.clone()) * P::TWIST;
let y_twist = Fp3Var::new(q.y.clone(), zero.clone(), zero.clone()) * P::TWIST;
let result = G1PreparedVar {
x: q.x.clone(),
y: q.y.clone(),
x_twist,
y_twist,
};
Ok(result)
}
}
impl<P: MNT6Parameters> G1PreparedGadget<P> {
pub fn get_value(&self) -> Option<G1Prepared<P>> {
match (
self.x.get_value(),
self.y.get_value(),
self.x_twist.get_value(),
self.y_twist.get_value(),
) {
(Some(x), Some(y), Some(x_twist), Some(y_twist)) => Some(G1Prepared {
x,
y,
x_twist,
y_twist,
}),
_ => None,
}
}
pub fn from_affine<CS: ConstraintSystem<P::Fp>>(
mut cs: CS,
q: &G1Gadget<P>,
impl<P: MNT6Parameters> AllocVar<G1Prepared<P>, P::Fp> for G1PreparedVar<P> {
fn new_variable<T: Borrow<G1Prepared<P>>>(
cs: impl Into<Namespace<P::Fp>>,
f: impl FnOnce() -> Result<T, SynthesisError>,
mode: AllocationMode,
) -> Result<Self, SynthesisError> {
let x_twist = Fp3Gadget::new(
q.x.mul_by_constant(cs.ns(|| "g1.x * twist.c0"), &P::TWIST.c0)?,
q.x.mul_by_constant(cs.ns(|| "g1.x * twist.c1"), &P::TWIST.c1)?,
q.x.mul_by_constant(cs.ns(|| "g1.x * twist.c2"), &P::TWIST.c2)?,
);
let y_twist = Fp3Gadget::new(
q.y.mul_by_constant(cs.ns(|| "g1.y * twist.c0"), &P::TWIST.c0)?,
q.y.mul_by_constant(cs.ns(|| "g1.y * twist.c1"), &P::TWIST.c1)?,
q.y.mul_by_constant(cs.ns(|| "g1.y * twist.c2"), &P::TWIST.c2)?,
);
Ok(G1PreparedGadget {
x: q.x.clone(),
y: q.y.clone(),
let ns = cs.into();
let cs = ns.cs();
let g1_prep = f().map(|b| *b.borrow());
let x = FpVar::new_variable(cs.ns("x"), || g1_prep.map(|g| g.x), mode)?;
let y = FpVar::new_variable(cs.ns("y"), || g1_prep.map(|g| g.y), mode)?;
let x_twist = Fp3Var::new_variable(cs.ns("x_twist"), || g1_prep.map(|g| g.x_twist), mode)?;
let y_twist = Fp3Var::new_variable(cs.ns("y_twist"), || g1_prep.map(|g| g.y_twist), mode)?;
Ok(Self {
x,
y,
x_twist,
y_twist,
})
}
}
impl<P: MNT6Parameters> ToBytesGadget<P::Fp> for G1PreparedGadget<P> {
impl<P: MNT6Parameters> ToBytesGadget<P::Fp> for G1PreparedVar<P> {
#[inline]
fn to_bytes<CS: ConstraintSystem<P::Fp>>(
&self,
mut cs: CS,
) -> Result<Vec<UInt8>, SynthesisError> {
let mut x = self.x.to_bytes(&mut cs.ns(|| "x to bytes"))?;
let mut y = self.y.to_bytes(&mut cs.ns(|| "y to bytes"))?;
let mut x_twist = self.x_twist.to_bytes(&mut cs.ns(|| "x_twist to bytes"))?;
let mut y_twist = self.y_twist.to_bytes(&mut cs.ns(|| "y_twist to bytes"))?;
fn to_bytes(&self) -> Result<Vec<UInt8<P::Fp>>, SynthesisError> {
let mut x = self.x.to_bytes()?;
let mut y = self.y.to_bytes()?;
let mut x_twist = self.x_twist.to_bytes()?;
let mut y_twist = self.y_twist.to_bytes()?;
x.append(&mut y);
x.append(&mut x_twist);
@ -141,18 +97,11 @@ impl ToBytesGadget for G1PreparedGadget

{
Ok(x)
}
fn to_non_unique_bytes<CS: ConstraintSystem<P::Fp>>(
&self,
mut cs: CS,
) -> Result<Vec<UInt8>, SynthesisError> {
let mut x = self.x.to_non_unique_bytes(&mut cs.ns(|| "x to bytes"))?;
let mut y = self.y.to_non_unique_bytes(&mut cs.ns(|| "y to bytes"))?;
let mut x_twist = self
.x_twist
.to_non_unique_bytes(&mut cs.ns(|| "x_twist to bytes"))?;
let mut y_twist = self
.y_twist
.to_non_unique_bytes(&mut cs.ns(|| "y_twist to bytes"))?;
fn to_non_unique_bytes(&self) -> Result<Vec<UInt8<P::Fp>>, SynthesisError> {
let mut x = self.x.to_non_unique_bytes()?;
let mut y = self.y.to_non_unique_bytes()?;
let mut x_twist = self.x_twist.to_non_unique_bytes()?;
let mut y_twist = self.y_twist.to_non_unique_bytes()?;
x.append(&mut y);
x.append(&mut x_twist);
@ -161,203 +110,142 @@ impl ToBytesGadget for G1PreparedGadget

{
}
}
type Fp3G<P> = Fp3Gadget<<P as MNT6Parameters>::Fp3Params, <P as MNT6Parameters>::Fp>;
type Fp3G<P> = Fp3Var<<P as MNT6Parameters>::Fp3Params>;
#[derive(Derivative)]
#[derivative(Clone(bound = "P: MNT6Parameters"), Debug(bound = "P: MNT6Parameters"))]
pub struct G2PreparedGadget<P: MNT6Parameters> {
pub x: Fp3Gadget<P::Fp3Params, P::Fp>,
pub y: Fp3Gadget<P::Fp3Params, P::Fp>,
pub x_over_twist: Fp3Gadget<P::Fp3Params, P::Fp>,
pub y_over_twist: Fp3Gadget<P::Fp3Params, P::Fp>,
pub double_coefficients: Vec<AteDoubleCoefficientsGadget<P>>,
pub addition_coefficients: Vec<AteAdditionCoefficientsGadget<P>>,
pub struct G2PreparedVar<P: MNT6Parameters> {
pub x: Fp3Var<P::Fp3Params>,
pub y: Fp3Var<P::Fp3Params>,
pub x_over_twist: Fp3Var<P::Fp3Params>,
pub y_over_twist: Fp3Var<P::Fp3Params>,
pub double_coefficients: Vec<AteDoubleCoefficientsVar<P>>,
pub addition_coefficients: Vec<AteAdditionCoefficientsVar<P>>,
}
impl<P: MNT6Parameters> AllocGadget<G2Prepared<P>, P::Fp> for G2PreparedGadget<P> {
fn alloc_constant<T, CS: ConstraintSystem<P::Fp>>(
mut cs: CS,
t: T,
) -> Result<Self, SynthesisError>
where
T: Borrow<G2Prepared<P>>,
{
let obj = t.borrow();
let x_gadget =
Fp3Gadget::<P::Fp3Params, P::Fp>::alloc_constant(&mut cs.ns(|| "x"), &obj.x)?;
let y_gadget =
Fp3Gadget::<P::Fp3Params, P::Fp>::alloc_constant(&mut cs.ns(|| "y"), &obj.y)?;
let x_over_twist_gadget = Fp3Gadget::<P::Fp3Params, P::Fp>::alloc_constant(
&mut cs.ns(|| "x_over_twist"),
&obj.x_over_twist,
impl<P: MNT6Parameters> AllocVar<G2Prepared<P>, P::Fp> for G2PreparedVar<P> {
fn new_variable<T: Borrow<G2Prepared<P>>>(
cs: impl Into<Namespace<P::Fp>>,
f: impl FnOnce() -> Result<T, SynthesisError>,
mode: AllocationMode,
) -> Result<Self, SynthesisError> {
let ns = cs.into();
let cs = ns.cs();
let g2_prep = f().map(|b| b.borrow().clone());
let g2 = g2_prep.as_ref().map_err(|e| *e);
let x = Fp3Var::new_variable(cs.ns("x"), || g2.map(|g| g.x), mode)?;
let y = Fp3Var::new_variable(cs.ns("y"), || g2.map(|g| g.y), mode)?;
let x_over_twist =
Fp3Var::new_variable(cs.ns("x_over_twist"), || g2.map(|g| g.x_over_twist), mode)?;
let y_over_twist =
Fp3Var::new_variable(cs.ns("y_over_twist"), || g2.map(|g| g.y_over_twist), mode)?;
let double_coefficients = Vec::new_variable(
cs.ns("double coeffs"),
|| g2.map(|g| g.double_coefficients.clone()),
mode,
)?;
let y_over_twist_gadget = Fp3Gadget::<P::Fp3Params, P::Fp>::alloc_constant(
&mut cs.ns(|| "y_over_twist"),
&obj.y_over_twist,
let addition_coefficients = Vec::new_variable(
cs.ns("add coeffs"),
|| g2.map(|g| g.addition_coefficients.clone()),
mode,
)?;
let mut double_coefficients_gadget = Vec::<AteDoubleCoefficientsGadget<P>>::new();
for (i, double_coefficient) in obj.double_coefficients.iter().enumerate() {
double_coefficients_gadget.push(AteDoubleCoefficientsGadget::<P>::alloc_constant(
&mut cs.ns(|| format!("double_coefficient#{}", i)),
double_coefficient,
)?);
}
let mut addition_coefficients_gadget = Vec::<AteAdditionCoefficientsGadget<P>>::new();
for (i, addition_coefficient) in obj.addition_coefficients.iter().enumerate() {
addition_coefficients_gadget.push(AteAdditionCoefficientsGadget::<P>::alloc_constant(
&mut cs.ns(|| format!("addition_coefficient#{}", i)),
addition_coefficient,
)?);
}
Ok(Self {
x: x_gadget,
y: y_gadget,
x_over_twist: x_over_twist_gadget,
y_over_twist: y_over_twist_gadget,
double_coefficients: double_coefficients_gadget,
addition_coefficients: addition_coefficients_gadget,
x,
y,
x_over_twist,
y_over_twist,
double_coefficients,
addition_coefficients,
})
}
fn alloc<F, T, CS: ConstraintSystem<P::Fp>>(_cs: CS, _f: F) -> Result<Self, SynthesisError>
where
F: FnOnce() -> Result<T, SynthesisError>,
T: Borrow<G2Prepared<P>>,
{
todo!()
}
fn alloc_input<F, T, CS: ConstraintSystem<P::Fp>>(
_cs: CS,
_f: F,
) -> Result<Self, SynthesisError>
where
F: FnOnce() -> Result<T, SynthesisError>,
T: Borrow<G2Prepared<P>>,
{
todo!()
}
}
impl<P: MNT6Parameters> ToBytesGadget<P::Fp> for G2PreparedGadget<P> {
impl<P: MNT6Parameters> ToBytesGadget<P::Fp> for G2PreparedVar<P> {
#[inline]
fn to_bytes<CS: ConstraintSystem<P::Fp>>(
&self,
mut cs: CS,
) -> Result<Vec<UInt8>, SynthesisError> {
let mut x = self.x.to_bytes(&mut cs.ns(|| "x to bytes"))?;
let mut y = self.y.to_bytes(&mut cs.ns(|| "y to bytes"))?;
let mut x_over_twist = self
.x_over_twist
.to_bytes(&mut cs.ns(|| "x_over_twist to bytes"))?;
let mut y_over_twist = self
.y_over_twist
.to_bytes(&mut cs.ns(|| "y_over_twist to bytes"))?;
fn to_bytes(&self) -> Result<Vec<UInt8<P::Fp>>, SynthesisError> {
let mut x = self.x.to_bytes()?;
let mut y = self.y.to_bytes()?;
let mut x_over_twist = self.x_over_twist.to_bytes()?;
let mut y_over_twist = self.y_over_twist.to_bytes()?;
x.append(&mut y);
x.append(&mut x_over_twist);
x.append(&mut y_over_twist);
for (i, coeff) in self.double_coefficients.iter().enumerate() {
x.extend_from_slice(&coeff.to_bytes(cs.ns(|| format!("double_coefficients {}", i)))?);
for coeff in self.double_coefficients.iter() {
x.extend_from_slice(&coeff.to_bytes()?);
}
for (i, coeff) in self.addition_coefficients.iter().enumerate() {
x.extend_from_slice(&coeff.to_bytes(cs.ns(|| format!("addition_coefficients {}", i)))?);
for coeff in self.addition_coefficients.iter() {
x.extend_from_slice(&coeff.to_bytes()?);
}
Ok(x)
}
fn to_non_unique_bytes<CS: ConstraintSystem<P::Fp>>(
&self,
mut cs: CS,
) -> Result<Vec<UInt8>, SynthesisError> {
let mut x = self.x.to_non_unique_bytes(&mut cs.ns(|| "x to bytes"))?;
let mut y = self.y.to_non_unique_bytes(&mut cs.ns(|| "y to bytes"))?;
let mut x_over_twist = self
.x_over_twist
.to_non_unique_bytes(&mut cs.ns(|| "x_over_twist to bytes"))?;
let mut y_over_twist = self
.y_over_twist
.to_non_unique_bytes(&mut cs.ns(|| "y_over_twist to bytes"))?;
fn to_non_unique_bytes(&self) -> Result<Vec<UInt8<P::Fp>>, SynthesisError> {
let mut x = self.x.to_non_unique_bytes()?;
let mut y = self.y.to_non_unique_bytes()?;
let mut x_over_twist = self.x_over_twist.to_non_unique_bytes()?;
let mut y_over_twist = self.y_over_twist.to_non_unique_bytes()?;
x.append(&mut y);
x.append(&mut x_over_twist);
x.append(&mut y_over_twist);
for (i, coeff) in self.double_coefficients.iter().enumerate() {
x.extend_from_slice(
&coeff.to_non_unique_bytes(cs.ns(|| format!("double_coefficients {}", i)))?,
);
for coeff in self.double_coefficients.iter() {
x.extend_from_slice(&coeff.to_non_unique_bytes()?);
}
for (i, coeff) in self.addition_coefficients.iter().enumerate() {
x.extend_from_slice(
&coeff.to_non_unique_bytes(cs.ns(|| format!("addition_coefficients {}", i)))?,
);
for coeff in self.addition_coefficients.iter() {
x.extend_from_slice(&coeff.to_non_unique_bytes()?);
}
Ok(x)
}
}
impl<P: MNT6Parameters> G2PreparedGadget<P> {
pub fn get_value(&self) -> Option<G2Prepared<P>> {
match (
self.x.get_value(),
self.y.get_value(),
self.x_over_twist.get_value(),
self.y_over_twist.get_value(),
self.double_coefficients
.iter()
.map(|coeff| coeff.get_value())
.collect::<Option<Vec<AteDoubleCoefficients<P>>>>(),
self.addition_coefficients
.iter()
.map(|coeff| coeff.get_value())
.collect::<Option<Vec<AteAdditionCoefficients<P>>>>(),
) {
(
Some(x),
Some(y),
Some(x_over_twist),
Some(y_over_twist),
Some(double_coefficients),
Some(addition_coefficients),
) => Some(G2Prepared {
x,
y,
x_over_twist,
y_over_twist,
double_coefficients,
addition_coefficients,
}),
_ => None,
}
impl<P: MNT6Parameters> G2PreparedVar<P> {
pub fn value(&self) -> Result<G2Prepared<P>, SynthesisError> {
let x = self.x.value()?;
let y = self.y.value()?;
let x_over_twist = self.x_over_twist.value()?;
let y_over_twist = self.y_over_twist.value()?;
let double_coefficients = self
.double_coefficients
.iter()
.map(|coeff| coeff.value())
.collect::<Result<Vec<_>, SynthesisError>>()?;
let addition_coefficients = self
.addition_coefficients
.iter()
.map(|coeff| coeff.value())
.collect::<Result<Vec<_>, SynthesisError>>()?;
Ok(G2Prepared {
x,
y,
x_over_twist,
y_over_twist,
double_coefficients,
addition_coefficients,
})
}
pub fn from_affine<CS: ConstraintSystem<P::Fp>>(
mut cs: CS,
q: &G2Gadget<P>,
) -> Result<Self, SynthesisError> {
pub fn from_group_var(q: &G2Var<P>) -> Result<Self, SynthesisError> {
let q = q.to_affine()?;
let twist_inv = P::TWIST.inverse().unwrap();
let mut g2p = G2PreparedGadget {
let mut g2p = G2PreparedVar {
x: q.x.clone(),
y: q.y.clone(),
x_over_twist: q.x.mul_by_constant(cs.ns(|| "x over twist"), &twist_inv)?,
y_over_twist: q.y.mul_by_constant(cs.ns(|| "y over twist"), &twist_inv)?,
x_over_twist: &q.x * twist_inv,
y_over_twist: &q.y * twist_inv,
double_coefficients: vec![],
addition_coefficients: vec![],
};
let fp2_one = Fp3G::<P>::one(cs.ns(|| "one"))?;
let mut r = G2ProjectiveExtendedGadget {
let mut r = G2ProjectiveExtendedVar {
x: q.x.clone(),
y: q.y.clone(),
z: fp2_one.clone(),
t: fp2_one,
z: Fp3G::<P>::one(),
t: Fp3G::<P>::one(),
};
for (idx, value) in P::ATE_LOOP_COUNT.iter().rev().enumerate() {
@ -372,24 +260,15 @@ impl G2PreparedGadget

{
tmp >>= 1;
}
let mut cs = cs.ns(|| format!("ate loop iteration {}", idx));
for (j, bit) in v.iter().rev().enumerate() {
let (r2, coeff) = PairingGadget::<P>::doubling_step_for_flipped_miller_loop(
cs.ns(|| format!("doubling step {}", j)),
&r,
)?;
for bit in v.iter().rev() {
let (r2, coeff) = PairingVar::<P>::doubling_step_for_flipped_miller_loop(&r)?;
g2p.double_coefficients.push(coeff);
r = r2;
if *bit {
let (r2, coeff) =
PairingGadget::<P>::mixed_addition_step_for_flipped_miller_loop(
cs.ns(|| format!("mixed addition step {}", j)),
&q.x,
&q.y,
&r,
)?;
let (r2, coeff) = PairingVar::<P>::mixed_addition_step_for_flipped_miller_loop(
&q.x, &q.y, &r,
)?;
g2p.addition_coefficients.push(coeff);
r = r2;
}
@ -399,17 +278,14 @@ impl G2PreparedGadget

{
}
if P::ATE_IS_LOOP_COUNT_NEG {
let rz_inv = r.z.inverse(cs.ns(|| "inverse r.z"))?;
let rz2_inv = rz_inv.square(cs.ns(|| "rz_inv^2"))?;
let rz3_inv = rz_inv.mul(cs.ns(|| "rz_inv * rz_inv^2"), &rz2_inv)?;
let rz_inv = r.z.inverse()?;
let rz2_inv = rz_inv.square()?;
let rz3_inv = &rz_inv * &rz2_inv;
let minus_r_affine_x = r.x.mul(cs.ns(|| "r.x * rz2_inv"), &rz2_inv)?;
let minus_r_affine_y =
r.y.negate(cs.ns(|| "-r.y"))?
.mul(cs.ns(|| "-r.y * rz3_inv"), &rz3_inv)?;
let minus_r_affine_x = &r.x * &rz2_inv;
let minus_r_affine_y = r.y.negate()? * &rz3_inv;
let add_result = PairingGadget::<P>::mixed_addition_step_for_flipped_miller_loop(
cs.ns(|| "mixed_addition step"),
let add_result = PairingVar::<P>::mixed_addition_step_for_flipped_miller_loop(
&minus_r_affine_x,
&minus_r_affine_y,
&r,
@ -423,72 +299,45 @@ impl G2PreparedGadget

{
#[derive(Derivative)]
#[derivative(Clone(bound = "P: MNT6Parameters"), Debug(bound = "P: MNT6Parameters"))]
pub struct AteDoubleCoefficientsGadget<P: MNT6Parameters> {
pub c_h: Fp3Gadget<P::Fp3Params, P::Fp>,
pub c_4c: Fp3Gadget<P::Fp3Params, P::Fp>,
pub c_j: Fp3Gadget<P::Fp3Params, P::Fp>,
pub c_l: Fp3Gadget<P::Fp3Params, P::Fp>,
pub struct AteDoubleCoefficientsVar<P: MNT6Parameters> {
pub c_h: Fp3Var<P::Fp3Params>,
pub c_4c: Fp3Var<P::Fp3Params>,
pub c_j: Fp3Var<P::Fp3Params>,
pub c_l: Fp3Var<P::Fp3Params>,
}
impl<P: MNT6Parameters> AllocGadget<AteDoubleCoefficients<P>, P::Fp>
for AteDoubleCoefficientsGadget<P>
{
fn alloc_constant<T, CS: ConstraintSystem<P::Fp>>(
mut cs: CS,
t: T,
) -> Result<Self, SynthesisError>
where
T: Borrow<AteDoubleCoefficients<P>>,
{
let obj = t.borrow();
let c_h_gadget =
Fp3Gadget::<P::Fp3Params, P::Fp>::alloc_constant(&mut cs.ns(|| "c_h"), &obj.c_h)?;
let c_4c_gadget =
Fp3Gadget::<P::Fp3Params, P::Fp>::alloc_constant(&mut cs.ns(|| "c_4c"), &obj.c_4c)?;
let c_j_gadget =
Fp3Gadget::<P::Fp3Params, P::Fp>::alloc_constant(&mut cs.ns(|| "c_j"), &obj.c_j)?;
let c_l_gadget =
Fp3Gadget::<P::Fp3Params, P::Fp>::alloc_constant(&mut cs.ns(|| "c_l"), &obj.c_l)?;
impl<P: MNT6Parameters> AllocVar<AteDoubleCoefficients<P>, P::Fp> for AteDoubleCoefficientsVar<P> {
fn new_variable<T: Borrow<AteDoubleCoefficients<P>>>(
cs: impl Into<Namespace<P::Fp>>,
f: impl FnOnce() -> Result<T, SynthesisError>,
mode: AllocationMode,
) -> Result<Self, SynthesisError> {
let ns = cs.into();
let cs = ns.cs();
let c_prep = f().map(|c| c.borrow().clone());
let c = c_prep.as_ref().map_err(|e| *e);
let c_h = Fp3Var::new_variable(cs.ns("c_h"), || c.map(|c| c.c_h), mode)?;
let c_4c = Fp3Var::new_variable(cs.ns("c_4c"), || c.map(|c| c.c_4c), mode)?;
let c_j = Fp3Var::new_variable(cs.ns("c_j"), || c.map(|c| c.c_j), mode)?;
let c_l = Fp3Var::new_variable(cs.ns("c_l"), || c.map(|c| c.c_l), mode)?;
Ok(Self {
c_h: c_h_gadget,
c_4c: c_4c_gadget,
c_j: c_j_gadget,
c_l: c_l_gadget,
c_h,
c_4c,
c_j,
c_l,
})
}
fn alloc<F, T, CS: ConstraintSystem<P::Fp>>(_cs: CS, _f: F) -> Result<Self, SynthesisError>
where
F: FnOnce() -> Result<T, SynthesisError>,
T: Borrow<AteDoubleCoefficients<P>>,
{
todo!()
}
fn alloc_input<F, T, CS: ConstraintSystem<P::Fp>>(
_cs: CS,
_f: F,
) -> Result<Self, SynthesisError>
where
F: FnOnce() -> Result<T, SynthesisError>,
T: Borrow<AteDoubleCoefficients<P>>,
{
todo!()
}
}
impl<P: MNT6Parameters> ToBytesGadget<P::Fp> for AteDoubleCoefficientsGadget<P> {
impl<P: MNT6Parameters> ToBytesGadget<P::Fp> for AteDoubleCoefficientsVar<P> {
#[inline]
fn to_bytes<CS: ConstraintSystem<P::Fp>>(
&self,
mut cs: CS,
) -> Result<Vec<UInt8>, SynthesisError> {
let mut c_h = self.c_h.to_bytes(&mut cs.ns(|| "c_h to bytes"))?;
let mut c_4c = self.c_4c.to_bytes(&mut cs.ns(|| "c_4c to bytes"))?;
let mut c_j = self.c_j.to_bytes(&mut cs.ns(|| "c_j to bytes"))?;
let mut c_l = self.c_l.to_bytes(&mut cs.ns(|| "c_l to bytes"))?;
fn to_bytes(&self) -> Result<Vec<UInt8<P::Fp>>, SynthesisError> {
let mut c_h = self.c_h.to_bytes()?;
let mut c_4c = self.c_4c.to_bytes()?;
let mut c_j = self.c_j.to_bytes()?;
let mut c_l = self.c_l.to_bytes()?;
c_h.append(&mut c_4c);
c_h.append(&mut c_j);
@ -496,22 +345,11 @@ impl ToBytesGadget for AteDoubleCoefficientsGadget
Ok(c_h)
}
fn to_non_unique_bytes<CS: ConstraintSystem<P::Fp>>(
&self,
mut cs: CS,
) -> Result<Vec<UInt8>, SynthesisError> {
let mut c_h = self
.c_h
.to_non_unique_bytes(&mut cs.ns(|| "c_h to bytes"))?;
let mut c_4c = self
.c_4c
.to_non_unique_bytes(&mut cs.ns(|| "c_4c to bytes"))?;
let mut c_j = self
.c_j
.to_non_unique_bytes(&mut cs.ns(|| "c_j to bytes"))?;
let mut c_l = self
.c_l
.to_non_unique_bytes(&mut cs.ns(|| "c_l to bytes"))?;
fn to_non_unique_bytes(&self) -> Result<Vec<UInt8<P::Fp>>, SynthesisError> {
let mut c_h = self.c_h.to_non_unique_bytes()?;
let mut c_4c = self.c_4c.to_non_unique_bytes()?;
let mut c_j = self.c_j.to_non_unique_bytes()?;
let mut c_l = self.c_l.to_non_unique_bytes()?;
c_h.append(&mut c_4c);
c_h.append(&mut c_j);
@ -520,111 +358,78 @@ impl ToBytesGadget for AteDoubleCoefficientsGadget
}
}
impl<P: MNT6Parameters> AteDoubleCoefficientsGadget<P> {
pub fn get_value(&self) -> Option<AteDoubleCoefficients<P>> {
match (
self.c_h.get_value(),
self.c_4c.get_value(),
self.c_j.get_value(),
self.c_l.get_value(),
) {
(Some(c_h), Some(c_4c), Some(c_j), Some(c_l)) => Some(AteDoubleCoefficients {
c_h,
c_4c,
c_j,
c_l,
}),
_ => None,
}
impl<P: MNT6Parameters> AteDoubleCoefficientsVar<P> {
pub fn value(&self) -> Result<AteDoubleCoefficients<P>, SynthesisError> {
let c_h = self.c_h.value()?;
let c_4c = self.c_4c.value()?;
let c_j = self.c_j.value()?;
let c_l = self.c_l.value()?;
Ok(AteDoubleCoefficients {
c_h,
c_4c,
c_j,
c_l,
})
}
}
#[derive(Derivative)]
#[derivative(Clone(bound = "P: MNT6Parameters"), Debug(bound = "P: MNT6Parameters"))]
pub struct AteAdditionCoefficientsGadget<P: MNT6Parameters> {
pub c_l1: Fp3Gadget<P::Fp3Params, P::Fp>,
pub c_rz: Fp3Gadget<P::Fp3Params, P::Fp>,
pub struct AteAdditionCoefficientsVar<P: MNT6Parameters> {
pub c_l1: Fp3Var<P::Fp3Params>,
pub c_rz: Fp3Var<P::Fp3Params>,
}
impl<P: MNT6Parameters> AllocGadget<AteAdditionCoefficients<P>, P::Fp>
for AteAdditionCoefficientsGadget<P>
impl<P: MNT6Parameters> AllocVar<AteAdditionCoefficients<P>, P::Fp>
for AteAdditionCoefficientsVar<P>
{
fn alloc_constant<T, CS: ConstraintSystem<P::Fp>>(
mut cs: CS,
t: T,
) -> Result<Self, SynthesisError>
where
T: Borrow<AteAdditionCoefficients<P>>,
{
let t = t.borrow();
let c_l1 = Fp3Gadget::alloc_constant(&mut cs.ns(|| "c_l1"), &t.c_l1)?;
let c_rz = Fp3Gadget::alloc_constant(&mut cs.ns(|| "c_rz"), &t.c_rz)?;
Ok(Self { c_l1, c_rz })
}
fn new_variable<T: Borrow<AteAdditionCoefficients<P>>>(
cs: impl Into<Namespace<P::Fp>>,
f: impl FnOnce() -> Result<T, SynthesisError>,
mode: AllocationMode,
) -> Result<Self, SynthesisError> {
let ns = cs.into();
let cs = ns.cs();
fn alloc<F, T, CS: ConstraintSystem<P::Fp>>(_cs: CS, _f: F) -> Result<Self, SynthesisError>
where
F: FnOnce() -> Result<T, SynthesisError>,
T: Borrow<AteAdditionCoefficients<P>>,
{
todo!()
}
let c_prep = f().map(|c| c.borrow().clone());
let c = c_prep.as_ref().map_err(|e| *e);
fn alloc_input<F, T, CS: ConstraintSystem<P::Fp>>(
_cs: CS,
_f: F,
) -> Result<Self, SynthesisError>
where
F: FnOnce() -> Result<T, SynthesisError>,
T: Borrow<AteAdditionCoefficients<P>>,
{
todo!()
let c_l1 = Fp3Var::new_variable(cs.ns("c_l1"), || c.map(|c| c.c_l1), mode)?;
let c_rz = Fp3Var::new_variable(cs.ns("c_rz"), || c.map(|c| c.c_rz), mode)?;
Ok(Self { c_l1, c_rz })
}
}
impl<P: MNT6Parameters> ToBytesGadget<P::Fp> for AteAdditionCoefficientsGadget<P> {
impl<P: MNT6Parameters> ToBytesGadget<P::Fp> for AteAdditionCoefficientsVar<P> {
#[inline]
fn to_bytes<CS: ConstraintSystem<P::Fp>>(
&self,
mut cs: CS,
) -> Result<Vec<UInt8>, SynthesisError> {
let mut c_l1 = self.c_l1.to_bytes(&mut cs.ns(|| "c_l1 to bytes"))?;
let mut c_rz = self.c_rz.to_bytes(&mut cs.ns(|| "c_rz to bytes"))?;
fn to_bytes(&self) -> Result<Vec<UInt8<P::Fp>>, SynthesisError> {
let mut c_l1 = self.c_l1.to_bytes()?;
let mut c_rz = self.c_rz.to_bytes()?;
c_l1.append(&mut c_rz);
Ok(c_l1)
}
fn to_non_unique_bytes<CS: ConstraintSystem<P::Fp>>(
&self,
mut cs: CS,
) -> Result<Vec<UInt8>, SynthesisError> {
let mut c_l1 = self
.c_l1
.to_non_unique_bytes(&mut cs.ns(|| "c_l1 to bytes"))?;
let mut c_rz = self
.c_rz
.to_non_unique_bytes(&mut cs.ns(|| "c_rz to bytes"))?;
fn to_non_unique_bytes(&self) -> Result<Vec<UInt8<P::Fp>>, SynthesisError> {
let mut c_l1 = self.c_l1.to_non_unique_bytes()?;
let mut c_rz = self.c_rz.to_non_unique_bytes()?;
c_l1.append(&mut c_rz);
Ok(c_l1)
}
}
impl<P: MNT6Parameters> AteAdditionCoefficientsGadget<P> {
pub fn get_value(&self) -> Option<AteAdditionCoefficients<P>> {
match (self.c_l1.get_value(), self.c_rz.get_value()) {
(Some(c_l1), Some(c_rz)) => Some(AteAdditionCoefficients { c_l1, c_rz }),
_ => None,
}
impl<P: MNT6Parameters> AteAdditionCoefficientsVar<P> {
pub fn value(&self) -> Result<AteAdditionCoefficients<P>, SynthesisError> {
let c_l1 = self.c_l1.value()?;
let c_rz = self.c_rz.value()?;
Ok(AteAdditionCoefficients { c_l1, c_rz })
}
}
pub struct G2ProjectiveExtendedGadget<P: MNT6Parameters> {
pub x: Fp3Gadget<P::Fp3Params, P::Fp>,
pub y: Fp3Gadget<P::Fp3Params, P::Fp>,
pub z: Fp3Gadget<P::Fp3Params, P::Fp>,
pub t: Fp3Gadget<P::Fp3Params, P::Fp>,
pub struct G2ProjectiveExtendedVar<P: MNT6Parameters> {
pub x: Fp3Var<P::Fp3Params>,
pub y: Fp3Var<P::Fp3Params>,
pub z: Fp3Var<P::Fp3Params>,
pub t: Fp3Var<P::Fp3Params>,
}

+ 565
- 621
r1cs-std/src/groups/curves/short_weierstrass/mod.rs
File diff suppressed because it is too large
View File


+ 680
- 1236
r1cs-std/src/groups/curves/twisted_edwards/mod.rs
File diff suppressed because it is too large
View File


+ 128
- 136
r1cs-std/src/groups/mod.rs
View File

@ -1,222 +1,214 @@
use crate::prelude::*;
use algebra::{Field, Group};
use r1cs_core::{ConstraintSystem, SynthesisError};
use algebra::{Field, ProjectiveCurve};
use core::ops::{Add, AddAssign, Sub, SubAssign};
use r1cs_core::{Namespace, SynthesisError};
use core::{borrow::Borrow, fmt::Debug};
pub mod curves;
pub use self::curves::short_weierstrass::{bls12, mnt4, mnt6};
pub use self::curves::short_weierstrass::bls12;
pub use self::curves::short_weierstrass::mnt4;
pub use self::curves::short_weierstrass::mnt6;
pub trait GroupGadget<G: Group, ConstraintF: Field>:
/// A hack used to work around the lack of implied bounds.
pub trait GroupOpsBounds<'a, F, T: 'a>:
Sized
+ Add<&'a T, Output = T>
+ Sub<&'a T, Output = T>
+ Add<T, Output = T>
+ Sub<T, Output = T>
+ Add<F, Output = T>
+ Sub<F, Output = T>
{
}
pub trait CurveVar<C: ProjectiveCurve, ConstraintF: Field>:
'static
+ Sized
+ Clone
+ Debug
+ R1CSVar<ConstraintF, Value = C>
+ ToBitsGadget<ConstraintF>
+ ToBytesGadget<ConstraintF>
+ NEqGadget<ConstraintF>
+ EqGadget<ConstraintF>
+ ToBitsGadget<ConstraintF>
+ CondSelectGadget<ConstraintF>
+ AllocGadget<G, ConstraintF>
+ Clone
+ Debug
+ AllocVar<C, ConstraintF>
+ AllocVar<C::Affine, ConstraintF>
+ for<'a> GroupOpsBounds<'a, C, Self>
+ for<'a> AddAssign<&'a Self>
+ for<'a> SubAssign<&'a Self>
+ AddAssign<C>
+ SubAssign<C>
+ AddAssign<Self>
+ SubAssign<Self>
{
type Value: Debug;
type Variable;
fn get_value(&self) -> Option<Self::Value>;
fn get_variable(&self) -> Self::Variable;
fn zero<CS: ConstraintSystem<ConstraintF>>(cs: CS) -> Result<Self, SynthesisError>;
fn constant(other: C) -> Self;
fn add<CS: ConstraintSystem<ConstraintF>>(
&self,
cs: CS,
other: &Self,
) -> Result<Self, SynthesisError>;
fn zero() -> Self;
fn sub<CS: ConstraintSystem<ConstraintF>>(
&self,
mut cs: CS,
other: &Self,
) -> Result<Self, SynthesisError> {
let neg_other = other.negate(cs.ns(|| "Negate other"))?;
self.add(cs.ns(|| "Self - other"), &neg_other)
fn is_zero(&self) -> Result<Boolean<ConstraintF>, SynthesisError> {
self.is_eq(&Self::zero())
}
fn add_constant<CS: ConstraintSystem<ConstraintF>>(
&self,
cs: CS,
other: &G,
/// Allocate a variable in the subgroup without checking if it's in the
/// prime-order subgroup
fn new_variable_omit_prime_order_check(
cs: impl Into<Namespace<ConstraintF>>,
f: impl FnOnce() -> Result<C, SynthesisError>,
mode: AllocationMode,
) -> Result<Self, SynthesisError>;
fn sub_constant<CS: ConstraintSystem<ConstraintF>>(
&self,
mut cs: CS,
other: &G,
) -> Result<Self, SynthesisError> {
let neg_other = -(*other);
self.add_constant(cs.ns(|| "Self - other"), &neg_other)
/// Enforce that `self` is in the prime-order subgroup.
fn enforce_prime_order(&self) -> Result<(), SynthesisError>;
fn double(&self) -> Result<Self, SynthesisError> {
let mut result = self.clone();
result.double_in_place()?;
Ok(result)
}
fn double_in_place<CS: ConstraintSystem<ConstraintF>>(
&mut self,
cs: CS,
) -> Result<(), SynthesisError>;
fn double_in_place(&mut self) -> Result<(), SynthesisError>;
fn negate<CS: ConstraintSystem<ConstraintF>>(&self, cs: CS) -> Result<Self, SynthesisError>;
fn negate(&self) -> Result<Self, SynthesisError>;
/// Inputs must be specified in *little-endian* form.
/// If the addition law is incomplete for the identity element,
/// `result` must not be the identity element.
fn mul_bits<'a, CS: ConstraintSystem<ConstraintF>>(
fn mul_bits<'a>(
&self,
mut cs: CS,
result: &Self,
bits: impl Iterator<Item = &'a Boolean>,
bits: impl Iterator<Item = &'a Boolean<ConstraintF>>,
) -> Result<Self, SynthesisError> {
let mut power = self.clone();
let mut result = result.clone();
for (i, bit) in bits.enumerate() {
let new_encoded = result.add(&mut cs.ns(|| format!("Add {}-th power", i)), &power)?;
result = Self::conditionally_select(
&mut cs.ns(|| format!("Select {}", i)),
bit.borrow(),
&new_encoded,
&result,
)?;
power.double_in_place(&mut cs.ns(|| format!("{}-th Doubling", i)))?;
let mut result = Self::zero();
for bit in bits {
let new_encoded = result.clone() + &power;
result = bit.borrow().select(&new_encoded, &result)?;
power.double_in_place()?;
}
Ok(result)
}
fn precomputed_base_scalar_mul<'a, CS, I, B>(
fn precomputed_base_scalar_mul<'a, I, B>(
&mut self,
mut cs: CS,
scalar_bits_with_base_powers: I,
) -> Result<(), SynthesisError>
where
CS: ConstraintSystem<ConstraintF>,
I: Iterator<Item = (B, &'a G)>,
B: Borrow<Boolean>,
G: 'a,
I: Iterator<Item = (B, &'a C)>,
B: Borrow<Boolean<ConstraintF>>,
C: 'a,
{
for (i, (bit, base_power)) in scalar_bits_with_base_powers.enumerate() {
let new_encoded = self.add_constant(
&mut cs.ns(|| format!("Add {}-th base power", i)),
&base_power,
)?;
*self = Self::conditionally_select(
&mut cs.ns(|| format!("Conditional Select {}", i)),
bit.borrow(),
&new_encoded,
&self,
)?;
for (bit, base_power) in scalar_bits_with_base_powers {
let new_encoded = self.clone() + *base_power;
*self = bit.borrow().select(&new_encoded, self)?;
}
Ok(())
}
fn precomputed_base_3_bit_signed_digit_scalar_mul<'a, CS, I, J, B>(
_: CS,
fn precomputed_base_3_bit_signed_digit_scalar_mul<'a, I, J, B>(
_: &[B],
_: &[J],
) -> Result<Self, SynthesisError>
where
CS: ConstraintSystem<ConstraintF>,
I: Borrow<[Boolean]>,
I: Borrow<[Boolean<ConstraintF>]>,
J: Borrow<[I]>,
B: Borrow<[G]>,
B: Borrow<[C]>,
{
Err(SynthesisError::AssignmentMissing)
}
fn precomputed_base_multiscalar_mul<'a, CS, T, I, B>(
mut cs: CS,
fn precomputed_base_multiscalar_mul<'a, T, I, B>(
bases: &[B],
scalars: I,
) -> Result<Self, SynthesisError>
where
CS: ConstraintSystem<ConstraintF>,
T: 'a + ToBitsGadget<ConstraintF> + ?Sized,
I: Iterator<Item = &'a T>,
B: Borrow<[G]>,
B: Borrow<[C]>,
{
let mut result = Self::zero(&mut cs.ns(|| "Declare Result"))?;
let mut result = Self::zero();
// Compute ∏(h_i^{m_i}) for all i.
for (i, (bits, base_powers)) in scalars.zip(bases).enumerate() {
for (bits, base_powers) in scalars.zip(bases) {
let base_powers = base_powers.borrow();
let bits = bits.to_bits(&mut cs.ns(|| format!("Convert Scalar {} to bits", i)))?;
result.precomputed_base_scalar_mul(
cs.ns(|| format!("Chunk {}", i)),
bits.iter().zip(base_powers),
)?;
let bits = bits.to_bits()?;
result.precomputed_base_scalar_mul(bits.iter().zip(base_powers))?;
}
Ok(result)
}
fn cost_of_add() -> usize;
fn cost_of_double() -> usize;
}
#[cfg(test)]
mod test {
use algebra::{test_rng, Field};
use r1cs_core::ConstraintSystem;
use algebra::{test_rng, Field, ProjectiveCurve};
use r1cs_core::{ConstraintSystem, SynthesisError};
use crate::{prelude::*, test_constraint_system::TestConstraintSystem};
use algebra::groups::Group;
use crate::prelude::*;
pub(crate) fn group_test<ConstraintF: Field, G: Group, GG: GroupGadget<G, ConstraintF>>() {
let mut cs = TestConstraintSystem::<ConstraintF>::new();
pub(crate) fn group_test<C: ProjectiveCurve, ConstraintF: Field, GG: CurveVar<C, ConstraintF>>(
) -> Result<(), SynthesisError>
where
for<'a> &'a GG: GroupOpsBounds<'a, C, GG>,
{
let cs = ConstraintSystem::<ConstraintF>::new_ref();
let mut rng = test_rng();
let a_native = G::rand(&mut rng);
let b_native = G::rand(&mut rng);
let a = GG::alloc(&mut cs.ns(|| "generate_a"), || Ok(a_native)).unwrap();
let b = GG::alloc(&mut cs.ns(|| "generate_b"), || Ok(b_native)).unwrap();
let a_native = C::rand(&mut rng);
let b_native = C::rand(&mut rng);
let a = GG::new_witness(cs.ns("generate_a"), || Ok(a_native)).unwrap();
let b = GG::new_witness(cs.ns("generate_b"), || Ok(b_native)).unwrap();
let zero = GG::zero(cs.ns(|| "Zero")).unwrap();
assert_eq!(zero, zero);
let zero = GG::zero();
assert_eq!(zero.value()?, zero.value()?);
// a == a
assert_eq!(a, a);
assert_eq!(a.value()?, a.value()?);
// a + 0 = a
assert_eq!(a.add(cs.ns(|| "a_plus_zero"), &zero).unwrap(), a);
assert_eq!((&a + &zero).value()?, a.value()?);
// a - 0 = a
assert_eq!(a.sub(cs.ns(|| "a_minus_zero"), &zero).unwrap(), a);
assert_eq!((&a - &zero).value()?, a.value()?);
// a - a = 0
assert_eq!(a.sub(cs.ns(|| "a_minus_a"), &a).unwrap(), zero);
assert_eq!((&a - &a).value()?, zero.value()?);
// a + b = b + a
let a_b = a.add(cs.ns(|| "a_plus_b"), &b).unwrap();
let b_a = b.add(cs.ns(|| "b_plus_a"), &a).unwrap();
assert_eq!(a_b, b_a);
let a_b = &a + &b;
let b_a = &b + &a;
assert_eq!(a_b.value()?, b_a.value()?);
a_b.enforce_equal(&b_a)?;
assert!(cs.is_satisfied().unwrap());
// (a + b) + a = a + (b + a)
let ab_a = a_b.add(&mut cs.ns(|| "a_b_plus_a"), &a).unwrap();
let a_ba = a.add(&mut cs.ns(|| "a_plus_b_a"), &b_a).unwrap();
assert_eq!(ab_a, a_ba);
let ab_a = &a_b + &a;
let a_ba = &a + &b_a;
assert_eq!(ab_a.value()?, a_ba.value()?);
ab_a.enforce_equal(&a_ba)?;
assert!(cs.is_satisfied().unwrap());
// a.double() = a + a
let a_a = a.add(cs.ns(|| "a + a"), &a).unwrap();
let a_a = &a + &a;
let mut a2 = a.clone();
a2.double_in_place(cs.ns(|| "2a")).unwrap();
assert_eq!(a2, a_a);
a2.double_in_place()?;
a2.enforce_equal(&a_a)?;
assert_eq!(a2.value()?, a_native.double());
assert_eq!(a_a.value()?, a_native.double());
assert_eq!(a2.value()?, a_a.value()?);
assert!(cs.is_satisfied().unwrap());
// b.double() = b + b
let mut b2 = b.clone();
b2.double_in_place(cs.ns(|| "2b")).unwrap();
let b_b = b.add(cs.ns(|| "b + b"), &b).unwrap();
assert_eq!(b2, b_b);
let _ = a.to_bytes(&mut cs.ns(|| "ToBytes")).unwrap();
let _ = a
.to_non_unique_bytes(&mut cs.ns(|| "ToBytes Strict"))
.unwrap();
let _ = b.to_bytes(&mut cs.ns(|| "b ToBytes")).unwrap();
let _ = b
.to_non_unique_bytes(&mut cs.ns(|| "b ToBytes Strict"))
.unwrap();
if !cs.is_satisfied() {
b2.double_in_place()?;
let b_b = &b + &b;
b2.enforce_equal(&b_b)?;
assert!(cs.is_satisfied().unwrap());
assert_eq!(b2.value()?, b_b.value()?);
let _ = a.to_bytes()?;
let _ = a.to_non_unique_bytes()?;
let _ = b.to_bytes()?;
let _ = b.to_non_unique_bytes()?;
if !cs.is_satisfied().unwrap() {
println!("{:?}", cs.which_is_unsatisfied().unwrap());
}
assert!(cs.is_satisfied());
assert!(cs.is_satisfied().unwrap());
Ok(())
}
}

Write Preview
Loading…
Cancel
Save