arnaucube
/
go-circom-prover-verifier
mirror of https://github.com/arnaucube/go-circom-prover-verifier.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
53 Commits
16 Branches
2 Tags
11 MiB
Tree: 86621a0dbe
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '86621a0dbe'
${ noResults }
go-circom-prover-verifier/prover/gextra.go

443 lines
12 KiB
Raw Normal View History

G1 Functionality to precomput G1 tables
4 years ago
Added G2 and included tables to prover
4 years ago
G1 Functionality to precomput G1 tables
4 years ago
Added G2 and included tables to prover
4 years ago
G1 Functionality to precomput G1 tables
4 years ago
Added G2 and included tables to prover
4 years ago
G1 Functionality to precomput G1 tables
4 years ago
Added G2 and included tables to prover
4 years ago
G1 Functionality to precomput G1 tables
4 years ago
Added G2 and included tables to prover
4 years ago
G1 Functionality to precomput G1 tables
4 years ago
Added G2 and included tables to prover
4 years ago
G1 Functionality to precomput G1 tables
4 years ago
Added G2 and included tables to prover
4 years ago
G1 Functionality to precomput G1 tables
4 years ago
Added G2 and included tables to prover
4 years ago
G1 Functionality to precomput G1 tables
4 years ago
Added G2 and included tables to prover
4 years ago
G1 Functionality to precomput G1 tables
4 years ago
Added G2 and included tables to prover
4 years ago
G1 Functionality to precomput G1 tables
4 years ago
Added G2 and included tables to prover
4 years ago
G1 Functionality to precomput G1 tables
4 years ago
Added G2 and included tables to prover
4 years ago
G1 Functionality to precomput G1 tables
4 years ago
Added G2 and included tables to prover
4 years ago
G1 Functionality to precomput G1 tables
4 years ago
Added G2 and included tables to prover
4 years ago
G1 Functionality to precomput G1 tables
4 years ago
  1. package prover
  3. import (
  4. "math/big"
  5. bn256 "github.com/ethereum/go-ethereum/crypto/bn256/cloudflare"
  6. cryptoConstants "github.com/iden3/go-iden3-crypto/constants"
  7. )
  9. type TableG1 struct{
  10. data []*bn256.G1
  11. }
  14. func (t TableG1) GetData() []*bn256.G1 {
  15. return t.data
  16. }
  19. // Compute table of gsize elements as ::
  20. // Table[0] = Inf
  21. // Table[1] = a[0]
  22. // Table[2] = a[1]
  23. // Table[3] = a[0]+a[1]
  24. // .....
  25. // Table[(1<<gsize)-1] = a[0]+a[1]+...+a[gsize-1]
  26. func (t *TableG1) NewTableG1(a []*bn256.G1, gsize int){
  27. // EC table
  28. table := make([]*bn256.G1, 0)
  30. // We need at least gsize elements. If not enough, fill with 0
  31. a_ext := make([]*bn256.G1, 0)
  32. a_ext = append(a_ext, a...)
  34. for i:=len(a); i<gsize; i++ {
  35. a_ext = append(a_ext,new(bn256.G1).ScalarBaseMult(big.NewInt(0)))
  36. }
  38. elG1 := new(bn256.G1).ScalarBaseMult(big.NewInt(0))
  39. table = append(table,elG1)
  40. last_pow2 := 1
  41. nelems := 0
  42. for i :=1; i< 1<<gsize; i++ {
  43. elG1 := new(bn256.G1)
  44. // if power of 2
  45. if i & (i-1) == 0{
  46. last_pow2 = i
  47. elG1.Set(a_ext[nelems])
  48. nelems++
  49. } else {
  50. elG1.Add(table[last_pow2], table[i-last_pow2])
  51. // TODO bn256 doesn't export MakeAffine function. We need to fork repo
  52. //table[i].MakeAffine()
  53. }
  54. table = append(table, elG1)
  55. }
  56. t.data = table
  57. }
  59. // Multiply scalar by precomputed table of G1 elements
  60. func (t *TableG1) MulTableG1(k []*big.Int, Q_prev *bn256.G1, gsize int) *bn256.G1 {
  61. // We need at least gsize elements. If not enough, fill with 0
  62. k_ext := make([]*big.Int, 0)
  63. k_ext = append(k_ext, k...)
  65. for i:=len(k); i < gsize; i++ {
  66. k_ext = append(k_ext,new(big.Int).SetUint64(0))
  67. }
  69. Q := new(bn256.G1).ScalarBaseMult(big.NewInt(0))
  71. msb := getMsb(k_ext)
  73. for i := msb-1; i >= 0; i-- {
  74. // TODO. bn256 doesn't export double operation. We will need to fork repo and export it
  75. Q = new(bn256.G1).Add(Q,Q)
  76. b := getBit(k_ext,i)
  77. if b != 0 {
  78. // TODO. bn256 doesn't export mixed addition (Jacobian + Affine), which is more efficient.
  79. Q.Add(Q, t.data[b])
  80. }
  81. }
  82. if Q_prev != nil {
  83. return Q.Add(Q,Q_prev)
  84. } else {
  85. return Q
  86. }
  87. }
  89. // Multiply scalar by precomputed table of G1 elements without intermediate doubling
  90. func MulTableNoDoubleG1(t []TableG1, k []*big.Int, Q_prev *bn256.G1, gsize int) *bn256.G1 {
  91. // We need at least gsize elements. If not enough, fill with 0
  92. min_nelems := len(t) * gsize
  93. k_ext := make([]*big.Int, 0)
  94. k_ext = append(k_ext, k...)
  95. for i := len(k); i < min_nelems; i++ {
  96. k_ext = append(k_ext,new(big.Int).SetUint64(0))
  97. }
  98. // Init Adders
  99. nbitsQ := cryptoConstants.Q.BitLen()
  100. Q := make([]*bn256.G1,nbitsQ)
  102. for i:=0; i< nbitsQ; i++ {
  103. Q[i] = new(bn256.G1).ScalarBaseMult(big.NewInt(0))
  104. }
  106. // Perform bitwise addition
  107. for j:=0; j < len(t); j++ {
  108. msb := getMsb(k_ext[j*gsize:(j+1)*gsize])
  110. for i := msb-1; i >= 0; i-- {
  111. b := getBit(k_ext[j*gsize:(j+1)*gsize],i)
  112. if b != 0 {
  113. // TODO. bn256 doesn't export mixed addition (Jacobian + Affine), which is more efficient.
  114. Q[i].Add(Q[i], t[j].data[b])
  115. }
  116. }
  117. }
  119. // Consolidate Addition
  120. R := new(bn256.G1).Set(Q[nbitsQ-1])
  121. for i:=nbitsQ-1; i>0; i-- {
  122. // TODO. bn256 doesn't export double operation. We will need to fork repo and export it
  123. R = new(bn256.G1).Add(R,R)
  124. R.Add(R,Q[i-1])
  125. }
  127. if Q_prev != nil {
  128. return R.Add(R,Q_prev)
  129. } else {
  130. return R
  131. }
  132. }
  134. // Compute tables within function. This solution should still be faster than std multiplication
  135. // for gsize = 7
  136. func ScalarMultG1(a []*bn256.G1, k []*big.Int, Q_prev *bn256.G1, gsize int) *bn256.G1 {
  137. ntables := int((len(a) + gsize - 1) / gsize)
  138. table := TableG1{}
  139. Q:= new(bn256.G1).ScalarBaseMult(new(big.Int))
  141. for i:=0; i<ntables-1; i++ {
  142. table.NewTableG1( a[i*gsize:(i+1)*gsize], gsize)
  143. Q = table.MulTableG1(k[i*gsize:(i+1)*gsize], Q, gsize)
  144. }
  145. table.NewTableG1( a[(ntables-1)*gsize:], gsize)
  146. Q = table.MulTableG1(k[(ntables-1)*gsize:], Q, gsize)
  148. if Q_prev != nil {
  149. return Q.Add(Q,Q_prev)
  150. } else {
  151. return Q
  152. }
  153. }
  155. // Multiply scalar by precomputed table of G1 elements without intermediate doubling
  156. func ScalarMultNoDoubleG1(a []*bn256.G1, k []*big.Int, Q_prev *bn256.G1, gsize int) *bn256.G1 {
  157. ntables := int((len(a) + gsize - 1) / gsize)
  158. table := TableG1{}
  160. // We need at least gsize elements. If not enough, fill with 0
  161. min_nelems := ntables * gsize
  162. k_ext := make([]*big.Int, 0)
  163. k_ext = append(k_ext, k...)
  164. for i := len(k); i < min_nelems; i++ {
  165. k_ext = append(k_ext,new(big.Int).SetUint64(0))
  166. }
  167. // Init Adders
  168. nbitsQ := cryptoConstants.Q.BitLen()
  169. Q := make([]*bn256.G1,nbitsQ)
  171. for i:=0; i< nbitsQ; i++ {
  172. Q[i] = new(bn256.G1).ScalarBaseMult(big.NewInt(0))
  173. }
  175. // Perform bitwise addition
  176. for j:=0; j < ntables-1; j++ {
  177. table.NewTableG1( a[j*gsize:(j+1)*gsize], gsize)
  178. msb := getMsb(k_ext[j*gsize:(j+1)*gsize])
  180. for i := msb-1; i >= 0; i-- {
  181. b := getBit(k_ext[j*gsize:(j+1)*gsize],i)
  182. if b != 0 {
  183. // TODO. bn256 doesn't export mixed addition (Jacobian + Affine), which is more efficient.
  184. Q[i].Add(Q[i], table.data[b])
  185. }
  186. }
  187. }
  188. table.NewTableG1( a[(ntables-1)*gsize:], gsize)
  189. msb := getMsb(k_ext[(ntables-1)*gsize:])
  191. for i := msb-1; i >= 0; i-- {
  192. b := getBit(k_ext[(ntables-1)*gsize:],i)
  193. if b != 0 {
  194. // TODO. bn256 doesn't export mixed addition (Jacobian + Affine), which is more efficient.
  195. Q[i].Add(Q[i], table.data[b])
  196. }
  197. }
  199. // Consolidate Addition
  200. R := new(bn256.G1).Set(Q[nbitsQ-1])
  201. for i:=nbitsQ-1; i>0; i-- {
  202. // TODO. bn256 doesn't export double operation. We will need to fork repo and export it
  203. R = new(bn256.G1).Add(R,R)
  204. R.Add(R,Q[i-1])
  205. }
  206. if Q_prev != nil {
  207. return R.Add(R,Q_prev)
  208. } else {
  209. return R
  210. }
  211. }
  213. /////
  215. // TODO - How can avoid replicating code in G2?
  216. //G2
  218. type TableG2 struct{
  219. data []*bn256.G2
  220. }
  223. func (t TableG2) GetData() []*bn256.G2 {
  224. return t.data
  225. }
  228. // Compute table of gsize elements as ::
  229. // Table[0] = Inf
  230. // Table[1] = a[0]
  231. // Table[2] = a[1]
  232. // Table[3] = a[0]+a[1]
  233. // .....
  234. // Table[(1<<gsize)-1] = a[0]+a[1]+...+a[gsize-1]
  235. func (t *TableG2) NewTableG2(a []*bn256.G2, gsize int){
  236. // EC table
  237. table := make([]*bn256.G2, 0)
  239. // We need at least gsize elements. If not enough, fill with 0
  240. a_ext := make([]*bn256.G2, 0)
  241. a_ext = append(a_ext, a...)
  243. for i:=len(a); i<gsize; i++ {
  244. a_ext = append(a_ext,new(bn256.G2).ScalarBaseMult(big.NewInt(0)))
  245. }
  247. elG2 := new(bn256.G2).ScalarBaseMult(big.NewInt(0))
  248. table = append(table,elG2)
  249. last_pow2 := 1
  250. nelems := 0
  251. for i :=1; i< 1<<gsize; i++ {
  252. elG2 := new(bn256.G2)
  253. // if power of 2
  254. if i & (i-1) == 0{
  255. last_pow2 = i
  256. elG2.Set(a_ext[nelems])
  257. nelems++
  258. } else {
  259. elG2.Add(table[last_pow2], table[i-last_pow2])
  260. // TODO bn256 doesn't export MakeAffine function. We need to fork repo
  261. //table[i].MakeAffine()
  262. }
  263. table = append(table, elG2)
  264. }
  265. t.data = table
  266. }
  268. // Multiply scalar by precomputed table of G2 elements
  269. func (t *TableG2) MulTableG2(k []*big.Int, Q_prev *bn256.G2, gsize int) *bn256.G2 {
  270. // We need at least gsize elements. If not enough, fill with 0
  271. k_ext := make([]*big.Int, 0)
  272. k_ext = append(k_ext, k...)
  274. for i:=len(k); i < gsize; i++ {
  275. k_ext = append(k_ext,new(big.Int).SetUint64(0))
  276. }
  278. Q := new(bn256.G2).ScalarBaseMult(big.NewInt(0))
  280. msb := getMsb(k_ext)
  282. for i := msb-1; i >= 0; i-- {
  283. // TODO. bn256 doesn't export double operation. We will need to fork repo and export it
  284. Q = new(bn256.G2).Add(Q,Q)
  285. b := getBit(k_ext,i)
  286. if b != 0 {
  287. // TODO. bn256 doesn't export mixed addition (Jacobian + Affine), which is more efficient.
  288. Q.Add(Q, t.data[b])
  289. }
  290. }
  291. if Q_prev != nil {
  292. return Q.Add(Q, Q_prev)
  293. } else {
  294. return Q
  295. }
  296. }
  298. // Multiply scalar by precomputed table of G2 elements without intermediate doubling
  299. func MulTableNoDoubleG2(t []TableG2, k []*big.Int, Q_prev *bn256.G2, gsize int) *bn256.G2 {
  300. // We need at least gsize elements. If not enough, fill with 0
  301. min_nelems := len(t) * gsize
  302. k_ext := make([]*big.Int, 0)
  303. k_ext = append(k_ext, k...)
  304. for i := len(k); i < min_nelems; i++ {
  305. k_ext = append(k_ext,new(big.Int).SetUint64(0))
  306. }
  307. // Init Adders
  308. nbitsQ := cryptoConstants.Q.BitLen()
  309. Q := make([]*bn256.G2,nbitsQ)
  311. for i:=0; i< nbitsQ; i++ {
  312. Q[i] = new(bn256.G2).ScalarBaseMult(big.NewInt(0))
  313. }
  315. // Perform bitwise addition
  316. for j:=0; j < len(t); j++ {
  317. msb := getMsb(k_ext[j*gsize:(j+1)*gsize])
  319. for i := msb-1; i >= 0; i-- {
  320. b := getBit(k_ext[j*gsize:(j+1)*gsize],i)
  321. if b != 0 {
  322. // TODO. bn256 doesn't export mixed addition (Jacobian + Affine), which is more efficient.
  323. Q[i].Add(Q[i], t[j].data[b])
  324. }
  325. }
  326. }
  328. // Consolidate Addition
  329. R := new(bn256.G2).Set(Q[nbitsQ-1])
  330. for i:=nbitsQ-1; i>0; i-- {
  331. // TODO. bn256 doesn't export double operation. We will need to fork repo and export it
  332. R = new(bn256.G2).Add(R,R)
  333. R.Add(R,Q[i-1])
  334. }
  335. if Q_prev != nil {
  336. return R.Add(R,Q_prev)
  337. } else {
  338. return R
  339. }
  340. }
  342. // Compute tables within function. This solution should still be faster than std multiplication
  343. // for gsize = 7
  344. func ScalarMultG2(a []*bn256.G2, k []*big.Int, Q_prev *bn256.G2, gsize int) *bn256.G2 {
  345. ntables := int((len(a) + gsize - 1) / gsize)
  346. table := TableG2{}
  347. Q:= new(bn256.G2).ScalarBaseMult(new(big.Int))
  349. for i:=0; i<ntables-1; i++ {
  350. table.NewTableG2( a[i*gsize:(i+1)*gsize], gsize)
  351. Q = table.MulTableG2(k[i*gsize:(i+1)*gsize], Q, gsize)
  352. }
  353. table.NewTableG2( a[(ntables-1)*gsize:], gsize)
  354. Q = table.MulTableG2(k[(ntables-1)*gsize:], Q, gsize)
  356. if Q_prev != nil {
  357. return Q.Add(Q,Q_prev)
  358. } else {
  359. return Q
  360. }
  361. }
  363. // Multiply scalar by precomputed table of G2 elements without intermediate doubling
  364. func ScalarMultNoDoubleG2(a []*bn256.G2, k []*big.Int, Q_prev *bn256.G2, gsize int) *bn256.G2 {
  365. ntables := int((len(a) + gsize - 1) / gsize)
  366. table := TableG2{}
  368. // We need at least gsize elements. If not enough, fill with 0
  369. min_nelems := ntables * gsize
  370. k_ext := make([]*big.Int, 0)
  371. k_ext = append(k_ext, k...)
  372. for i := len(k); i < min_nelems; i++ {
  373. k_ext = append(k_ext,new(big.Int).SetUint64(0))
  374. }
  375. // Init Adders
  376. nbitsQ := cryptoConstants.Q.BitLen()
  377. Q := make([]*bn256.G2,nbitsQ)
  379. for i:=0; i< nbitsQ; i++ {
  380. Q[i] = new(bn256.G2).ScalarBaseMult(big.NewInt(0))
  381. }
  383. // Perform bitwise addition
  384. for j:=0; j < ntables-1; j++ {
  385. table.NewTableG2( a[j*gsize:(j+1)*gsize], gsize)
  386. msb := getMsb(k_ext[j*gsize:(j+1)*gsize])
  388. for i := msb-1; i >= 0; i-- {
  389. b := getBit(k_ext[j*gsize:(j+1)*gsize],i)
  390. if b != 0 {
  391. // TODO. bn256 doesn't export mixed addition (Jacobian + Affine), which is more efficient.
  392. Q[i].Add(Q[i], table.data[b])
  393. }
  394. }
  395. }
  396. table.NewTableG2( a[(ntables-1)*gsize:], gsize)
  397. msb := getMsb(k_ext[(ntables-1)*gsize:])
  399. for i := msb-1; i >= 0; i-- {
  400. b := getBit(k_ext[(ntables-1)*gsize:],i)
  401. if b != 0 {
  402. // TODO. bn256 doesn't export mixed addition (Jacobian + Affine), which is more efficient.
  403. Q[i].Add(Q[i], table.data[b])
  404. }
  405. }
  407. // Consolidate Addition
  408. R := new(bn256.G2).Set(Q[nbitsQ-1])
  409. for i:=nbitsQ-1; i>0; i-- {
  410. // TODO. bn256 doesn't export double operation. We will need to fork repo and export it
  411. R = new(bn256.G2).Add(R,R)
  412. R.Add(R,Q[i-1])
  413. }
  414. if Q_prev != nil {
  415. return R.Add(R,Q_prev)
  416. } else {
  417. return R
  418. }
  419. }
  421. // Return most significant bit position in a group of Big Integers
  422. func getMsb(k []*big.Int) int{
  423. msb := 0
  425. for _, el := range(k){
  426. tmp_msb := el.BitLen()
  427. if tmp_msb > msb {
  428. msb = tmp_msb
  429. }
  430. }
  431. return msb
  432. }
  434. // Return ith bit in group of Big Integers
  435. func getBit(k []*big.Int, i int) uint {
  436. table_idx := uint(0)
  438. for idx, el := range(k){
  439. b := el.Bit(i)
  440. table_idx += (b << idx)
  441. }
  442. return table_idx
  443. }