arnaucube
/
go-snark-study
mirror of https://github.com/arnaucube/go-snark-study.git
1
1
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
37 Commits
1 Branch
4 Tags
109 MiB
Tree: 1bf5a75f01
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1bf5a75f01'
${ noResults }
go-snark-study/bn128/g2.go

235 lines
4.4 KiB
Raw Normal View History

bn128 pairing, r1cs to qap
6 years ago
r1cs to qap over finite field
6 years ago
bn128 pairing, r1cs to qap
6 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
bn128 pairing, r1cs to qap
6 years ago
r1cs to qap over finite field
6 years ago
bn128 pairing, r1cs to qap
6 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
r1cs to qap over finite field
6 years ago
bn128 pairing, r1cs to qap
6 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
bn128 pairing, r1cs to qap
6 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
bn128 pairing, r1cs to qap
6 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
bn128 pairing, r1cs to qap
6 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
bn128 pairing, r1cs to qap
6 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
bn128 pairing, r1cs to qap
6 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
bn128 pairing, r1cs to qap
6 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
bn128 pairing, r1cs to qap
6 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
bn128 pairing, r1cs to qap
6 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
bn128 pairing, r1cs to qap
6 years ago
  1. package bn128
  3. import (
  4. "math/big"
  6. "github.com/arnaucube/go-snark/fields"
  7. )
  9. // G2 is ...
  10. type G2 struct {
  11. F fields.Fq2
  12. G [3][2]*big.Int
  13. }
  15. // NewG2 is ...
  16. func NewG2(f fields.Fq2, g [2][2]*big.Int) G2 {
  17. var g2 G2
  18. g2.F = f
  19. g2.G = [3][2]*big.Int{
  20. g[0],
  21. g[1],
  22. g2.F.One(),
  23. }
  24. return g2
  25. }
  27. // Zero is ...
  28. func (g2 G2) Zero() [3][2]*big.Int {
  29. return [3][2]*big.Int{g2.F.Zero(), g2.F.One(), g2.F.Zero()}
  30. }
  32. // IsZero is ...
  33. func (g2 G2) IsZero(p [3][2]*big.Int) bool {
  34. return g2.F.IsZero(p[2])
  35. }
  37. // Add is ...
  38. func (g2 G2) Add(p1, p2 [3][2]*big.Int) [3][2]*big.Int {
  40. // https://en.wikibooks.org/wiki/Cryptography/Prime_Curve/Jacobian_Coordinates
  41. // https://github.com/zcash/zcash/blob/master/src/snark/libsnark/algebra/curves/alt_bn128/alt_bn128_g2.cpp#L208
  42. // http://hyperelliptic.org/EFD/g2p/auto-code/shortw/jacobian-0/addition/add-2007-bl.op3
  44. if g2.IsZero(p1) {
  45. return p2
  46. }
  47. if g2.IsZero(p2) {
  48. return p1
  49. }
  51. x1 := p1[0]
  52. y1 := p1[1]
  53. z1 := p1[2]
  54. x2 := p2[0]
  55. y2 := p2[1]
  56. z2 := p2[2]
  58. z1z1 := g2.F.Square(z1)
  59. z2z2 := g2.F.Square(z2)
  61. u1 := g2.F.Mul(x1, z2z2)
  62. u2 := g2.F.Mul(x2, z1z1)
  64. t0 := g2.F.Mul(z2, z2z2)
  65. s1 := g2.F.Mul(y1, t0)
  67. t1 := g2.F.Mul(z1, z1z1)
  68. s2 := g2.F.Mul(y2, t1)
  70. h := g2.F.Sub(u2, u1)
  71. t2 := g2.F.Add(h, h)
  72. i := g2.F.Square(t2)
  73. j := g2.F.Mul(h, i)
  74. t3 := g2.F.Sub(s2, s1)
  75. r := g2.F.Add(t3, t3)
  76. v := g2.F.Mul(u1, i)
  77. t4 := g2.F.Square(r)
  78. t5 := g2.F.Add(v, v)
  79. t6 := g2.F.Sub(t4, j)
  80. x3 := g2.F.Sub(t6, t5)
  81. t7 := g2.F.Sub(v, x3)
  82. t8 := g2.F.Mul(s1, j)
  83. t9 := g2.F.Add(t8, t8)
  84. t10 := g2.F.Mul(r, t7)
  86. y3 := g2.F.Sub(t10, t9)
  88. t11 := g2.F.Add(z1, z2)
  89. t12 := g2.F.Square(t11)
  90. t13 := g2.F.Sub(t12, z1z1)
  91. t14 := g2.F.Sub(t13, z2z2)
  92. z3 := g2.F.Mul(t14, h)
  94. return [3][2]*big.Int{x3, y3, z3}
  95. }
  97. // Neg is ...
  98. func (g2 G2) Neg(p [3][2]*big.Int) [3][2]*big.Int {
  99. return [3][2]*big.Int{
  100. p[0],
  101. g2.F.Neg(p[1]),
  102. p[2],
  103. }
  104. }
  106. // Sub is ...
  107. func (g2 G2) Sub(a, b [3][2]*big.Int) [3][2]*big.Int {
  108. return g2.Add(a, g2.Neg(b))
  109. }
  111. // Double is ...
  112. func (g2 G2) Double(p [3][2]*big.Int) [3][2]*big.Int {
  114. // https://en.wikibooks.org/wiki/Cryptography/Prime_Curve/Jacobian_Coordinates
  115. // http://hyperelliptic.org/EFD/g2p/auto-code/shortw/jacobian-0/doubling/dbl-2009-l.op3
  116. // https://github.com/zcash/zcash/blob/master/src/snark/libsnark/algebra/curves/alt_bn128/alt_bn128_g2.cpp#L325
  118. if g2.IsZero(p) {
  119. return p
  120. }
  122. a := g2.F.Square(p[0])
  123. b := g2.F.Square(p[1])
  124. c := g2.F.Square(b)
  126. t0 := g2.F.Add(p[0], b)
  127. t1 := g2.F.Square(t0)
  128. t2 := g2.F.Sub(t1, a)
  129. t3 := g2.F.Sub(t2, c)
  131. d := g2.F.Double(t3)
  132. e := g2.F.Add(g2.F.Add(a, a), a)
  133. f := g2.F.Square(e)
  135. t4 := g2.F.Double(d)
  136. x3 := g2.F.Sub(f, t4)
  138. t5 := g2.F.Sub(d, x3)
  139. twoC := g2.F.Add(c, c)
  140. fourC := g2.F.Add(twoC, twoC)
  141. t6 := g2.F.Add(fourC, fourC)
  142. t7 := g2.F.Mul(e, t5)
  143. y3 := g2.F.Sub(t7, t6)
  145. t8 := g2.F.Mul(p[1], p[2])
  146. z3 := g2.F.Double(t8)
  148. return [3][2]*big.Int{x3, y3, z3}
  149. }
  151. // MulScalar is ...
  152. func (g2 G2) MulScalar(p [3][2]*big.Int, e *big.Int) [3][2]*big.Int {
  153. // https://en.wikipedia.org/wiki/Elliptic_curve_point_multiplication#Double-and-add
  155. q := [3][2]*big.Int{g2.F.Zero(), g2.F.Zero(), g2.F.Zero()}
  156. d := g2.F.F.Copy(e) // d := e
  157. r := p
  159. /*
  160. here are three possible implementations:
  161. */
  163. /* index decreasing: */
  164. for i := d.BitLen() - 1; i >= 0; i-- {
  165. q = g2.Double(q)
  166. if d.Bit(i) == 1 {
  167. q = g2.Add(q, r)
  168. }
  169. }
  171. /* index increasing: */
  172. // for i := 0; i <= d.BitLen(); i++ {
  173. // if d.Bit(i) == 1 {
  174. // q = g2.Add(q, r)
  175. // }
  176. // r = g2.Double(r)
  177. // }
  179. // foundone := false
  180. // for i := d.BitLen(); i >= 0; i-- {
  181. // if foundone {
  182. // q = g2.Double(q)
  183. // }
  184. // if d.Bit(i) == 1 {
  185. // foundone = true
  186. // q = g2.Add(q, r)
  187. // }
  188. // }
  190. return q
  191. }
  193. // Affine is ...
  194. func (g2 G2) Affine(p [3][2]*big.Int) [3][2]*big.Int {
  195. if g2.IsZero(p) {
  196. return g2.Zero()
  197. }
  199. zinv := g2.F.Inverse(p[2])
  200. zinv2 := g2.F.Square(zinv)
  201. x := g2.F.Mul(p[0], zinv2)
  203. zinv3 := g2.F.Mul(zinv2, zinv)
  204. y := g2.F.Mul(p[1], zinv3)
  206. return [3][2]*big.Int{
  207. g2.F.Affine(x),
  208. g2.F.Affine(y),
  209. g2.F.One(),
  210. }
  211. }
  213. // Equal is ...
  214. func (g2 G2) Equal(p1, p2 [3][2]*big.Int) bool {
  215. if g2.IsZero(p1) {
  216. return g2.IsZero(p2)
  217. }
  218. if g2.IsZero(p2) {
  219. return g2.IsZero(p1)
  220. }
  222. z1z1 := g2.F.Square(p1[2])
  223. z2z2 := g2.F.Square(p2[2])
  225. u1 := g2.F.Mul(p1[0], z2z2)
  226. u2 := g2.F.Mul(p2[0], z1z1)
  228. z1cub := g2.F.Mul(p1[2], z1z1)
  229. z2cub := g2.F.Mul(p2[2], z2z2)
  231. s1 := g2.F.Mul(p1[1], z2cub)
  232. s2 := g2.F.Mul(p2[1], z1cub)
  234. return g2.F.Equal(u1, u2) && g2.F.Equal(s1, s2)
  235. }