element_fp6_2over3.hpp
Go to the documentation of this file.
1 //---------------------------------------------------------------------------//
2 // Copyright (c) 2018-2021 Mikhail Komarov <nemo@nil.foundation>
3 // Copyright (c) 2020-2021 Nikita Kaskov <nbering@nil.foundation>
4 //
5 // MIT License
6 //
7 // Permission is hereby granted, free of charge, to any person obtaining a copy
8 // of this software and associated documentation files (the "Software"), to deal
9 // in the Software without restriction, including without limitation the rights
10 // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 // copies of the Software, and to permit persons to whom the Software is
12 // furnished to do so, subject to the following conditions:
13 //
14 // The above copyright notice and this permission notice shall be included in all
15 // copies or substantial portions of the Software.
16 //
17 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 // SOFTWARE.
24 //---------------------------------------------------------------------------//
25 // @file Declaration of interfaces for Fp6 components.
26 //
27 // The components verify field arithmetic in Fp6 = Fp3[Y]/(Y^2-X) where
28 // Fp3 = Fp[X]/(X^3-non_residue) and non_residue is in Fp.
29 //---------------------------------------------------------------------------//
30 
31 #ifndef CRYPTO3_ZK_BLUEPRINT_FP6_2OVER3_COMPONENTS_HPP
32 #define CRYPTO3_ZK_BLUEPRINT_FP6_2OVER3_COMPONENTS_HPP
33 
34 #include <nil/crypto3/zk/components/component.hpp>
35 #include <nil/crypto3/zk/components/algebra/fields/element_fp2.hpp>
36 #include <nil/crypto3/zk/components/algebra/fields/element_fp3.hpp>
37 
38 #include <nil/crypto3/zk/components/blueprint_variable.hpp>
39 
40 namespace nil {
41  namespace crypto3 {
42  namespace zk {
43  namespace components {
44 
45  /******************************** element_fp6_2over3 ************************************/
46 
50  template<typename FieldType> // Fp6 2over3
51  class element_fp6_2over3 : public component<typename FieldType::base_field_type> {
52 
53  using field_type = FieldType;
54  using base_field_type = typename field_type::base_field_type;
55  using underlying_field_type = typename field_type::underlying_field_type;
56 
57  using underlying_element_type = element_fp3<underlying_field_type>;
58 
59  using data_type =
60  std::array<underlying_element_type, field_type::arity / underlying_field_type::arity>;
61 
62  public:
63  data_type data;
64 
65  element_fp6_2over3(blueprint<base_field_type> &bp) :
66  component<base_field_type>(bp),
67  data({underlying_element_type(bp), underlying_element_type(bp)}) {
68  }
69 
70  element_fp6_2over3(blueprint<base_field_type> &bp, const typename field_type::value_type &el) :
71  component<base_field_type>(bp),
72  data({underlying_element_type(bp, el.data[0]), underlying_element_type(bp, el.data[1])}) {
73  }
74 
75  element_fp6_2over3(blueprint<base_field_type> &bp, const underlying_element_type &in_data0,
76  const underlying_element_type &in_data1) :
77  component<base_field_type>(bp),
78  data({underlying_element_type(in_data0), underlying_element_type(in_data1)}) {
79  }
80 
81  void generate_r1cs_equals_const_constraints(const typename field_type::value_type &el) {
82  data[0].generate_r1cs_equals_const_constraints(el.data[0]);
83  data[1].generate_r1cs_equals_const_constraints(el.data[1]);
84  }
85 
86  void generate_r1cs_witness(const typename field_type::value_type &el) {
87  data[0].generate_r1cs_witness(el.data[0]);
88  data[1].generate_r1cs_witness(el.data[1]);
89  }
90 
91  typename field_type::value_type get_element() {
92  typename field_type::value_type el;
93  el.data[0] = data[0].get_element();
94  el.data[1] = data[1].get_element();
95  return el;
96  }
97 
98  element_fp6_2over3<field_type> Frobenius_map(const std::size_t power) const {
99  blueprint_linear_combination<base_field_type> new_c0c0, new_c0c1, new_c0c2, new_c1c0, new_c1c1,
100  new_c1c2;
101  new_c0c0.assign(this->bp, data[0].data[0]);
102  new_c0c1.assign(this->bp,
103  data[0].data[1] *
104  underlying_field_type::value_type::Frobenius_coeffs_c1[power % 3]);
105  new_c0c2.assign(this->bp,
106  data[0].data[2] *
107  underlying_field_type::value_type::Frobenius_coeffs_c2[power % 3]);
108  new_c1c0.assign(this->bp,
109  data[1].data[0] * field_type::value_type::Frobenius_coeffs_c1[power % 6]);
110  new_c1c1.assign(this->bp,
111  data[1].data[1] *
112  (field_type::value_type::Frobenius_coeffs_c1[power % 6] *
113  underlying_field_type::value_type::Frobenius_coeffs_c1[power % 3]));
114  new_c1c2.assign(this->bp,
115  data[1].data[2] *
116  (field_type::value_type::Frobenius_coeffs_c1[power % 6] *
117  underlying_field_type::value_type::Frobenius_coeffs_c2[power % 3]));
118 
119  return element_fp6_2over3<field_type>(
120  this->bp,
121  underlying_element_type(this->bp, new_c0c0, new_c0c1, new_c0c2),
122  underlying_element_type(this->bp, new_c1c0, new_c1c1, new_c1c2));
123  }
124 
125  void evaluate() const {
126  data[0].evaluate();
127  data[1].evaluate();
128  }
129  };
130 
131  /******************************** element_fp6_2over3_mul ************************************/
132 
136  template<typename FieldType>
137  class element_fp6_2over3_mul : public component<typename FieldType::base_field_type> {
138 
139  using field_type = FieldType;
140  using base_field_type = typename field_type::base_field_type;
141  using underlying_field_type = typename field_type::underlying_field_type;
142 
143  using underlying_element_type = element_fp3<underlying_field_type>;
144 
145  public:
146  element_fp6_2over3<field_type> A;
147  element_fp6_2over3<field_type> B;
148  element_fp6_2over3<field_type> result;
149 
150  blueprint_linear_combination<base_field_type> v0_c0;
151  blueprint_linear_combination<base_field_type> v0_c1;
152  blueprint_linear_combination<base_field_type> v0_c2;
153 
154  blueprint_linear_combination<base_field_type> Ac0_plus_Ac1_c0;
155  blueprint_linear_combination<base_field_type> Ac0_plus_Ac1_c1;
156  blueprint_linear_combination<base_field_type> Ac0_plus_Ac1_c2;
157  std::shared_ptr<underlying_element_type> Ac0_plus_Ac1;
158 
159  std::shared_ptr<underlying_element_type> v0;
160  std::shared_ptr<underlying_element_type> v1;
161 
162  blueprint_linear_combination<base_field_type> Bc0_plus_Bc1_c0;
163  blueprint_linear_combination<base_field_type> Bc0_plus_Bc1_c1;
164  blueprint_linear_combination<base_field_type> Bc0_plus_Bc1_c2;
165  std::shared_ptr<underlying_element_type> Bc0_plus_Bc1;
166 
167  blueprint_linear_combination<base_field_type> result_c1_plus_v0_plus_v1_c0;
168  blueprint_linear_combination<base_field_type> result_c1_plus_v0_plus_v1_c1;
169  blueprint_linear_combination<base_field_type> result_c1_plus_v0_plus_v1_c2;
170  std::shared_ptr<underlying_element_type> result_c1_plus_v0_plus_v1;
171 
172  std::shared_ptr<element_fp3_mul<underlying_field_type>> compute_v0;
173  std::shared_ptr<element_fp3_mul<underlying_field_type>> compute_v1;
174  std::shared_ptr<element_fp3_mul<underlying_field_type>> compute_result_c1;
175 
176  element_fp6_2over3_mul(blueprint<base_field_type> &bp,
177  const element_fp6_2over3<field_type> &A,
178  const element_fp6_2over3<field_type> &B,
179  const element_fp6_2over3<field_type> &result) :
180  component<base_field_type>(bp),
181  A(A), B(B), result(result) {
182  /*
183  Karatsuba multiplication for Fp6 as a quadratic extension of Fp3:
184  v0 = A.data[0] * B.data[0]
185  v1 = A.data[1] * B.data[1]
186  result.data[0] = v0 + non_residue * v1
187  result.data[1] = (A.data[0] + A.data[1]) * (B.data[0] + B.data[1]) - v0 - v1
188  where "non_residue * elem" := (non_residue * elem.data[2], elem.data[0], elem.data[1])
189 
190  Enforced with 3 element_fp3_mul's that ensure that:
191  A.data[1] * B.data[1] = v1
192  A.data[0] * B.data[0] = v0
193  (A.data[0]+A.data[1])*(B.data[0]+B.data[1]) = result.data[1] + v0 + v1
194 
195  Reference:
196  "Multiplication and Squaring on Pairing-Friendly Fields"
197  Devegili, OhEigeartaigh, Scott, Dahab
198  */
199  v1.reset(new underlying_element_type(bp));
200 
201  compute_v1.reset(new element_fp3_mul<underlying_field_type>(bp, A.data[1], B.data[1], *v1));
202 
203  v0_c0.assign(bp, result.data[0].data[0] - field_type::value_type::non_residue * v1->data[2]);
204 
205  v0_c1.assign(bp, result.data[0].data[1] - v1->data[0]);
206  v0_c2.assign(bp, result.data[0].data[2] - v1->data[1]);
207  v0.reset(new underlying_element_type(bp, v0_c0, v0_c1, v0_c2));
208 
209  compute_v0.reset(new element_fp3_mul<underlying_field_type>(bp, A.data[0], B.data[0], *v0));
210 
211  Ac0_plus_Ac1_c0.assign(bp, A.data[0].data[0] + A.data[1].data[0]);
212  Ac0_plus_Ac1_c1.assign(bp, A.data[0].data[1] + A.data[1].data[1]);
213  Ac0_plus_Ac1_c2.assign(bp, A.data[0].data[2] + A.data[1].data[2]);
214  Ac0_plus_Ac1.reset(
215  new underlying_element_type(bp, Ac0_plus_Ac1_c0, Ac0_plus_Ac1_c1, Ac0_plus_Ac1_c2));
216 
217  Bc0_plus_Bc1_c0.assign(bp, B.data[0].data[0] + B.data[1].data[0]);
218  Bc0_plus_Bc1_c1.assign(bp, B.data[0].data[1] + B.data[1].data[1]);
219  Bc0_plus_Bc1_c2.assign(bp, B.data[0].data[2] + B.data[1].data[2]);
220  Bc0_plus_Bc1.reset(
221  new underlying_element_type(bp, Bc0_plus_Bc1_c0, Bc0_plus_Bc1_c1, Bc0_plus_Bc1_c2));
222 
223  result_c1_plus_v0_plus_v1_c0.assign(bp, result.data[1].data[0] + v0->data[0] + v1->data[0]);
224  result_c1_plus_v0_plus_v1_c1.assign(bp, result.data[1].data[1] + v0->data[1] + v1->data[1]);
225  result_c1_plus_v0_plus_v1_c2.assign(bp, result.data[1].data[2] + v0->data[2] + v1->data[2]);
226  result_c1_plus_v0_plus_v1.reset(new underlying_element_type(bp,
227  result_c1_plus_v0_plus_v1_c0,
228  result_c1_plus_v0_plus_v1_c1,
229  result_c1_plus_v0_plus_v1_c2));
230 
231  compute_result_c1.reset(new element_fp3_mul<underlying_field_type>(
232  bp, *Ac0_plus_Ac1, *Bc0_plus_Bc1, *result_c1_plus_v0_plus_v1));
233  }
234 
235  void generate_r1cs_constraints() {
236  compute_v0->generate_r1cs_constraints();
237  compute_v1->generate_r1cs_constraints();
238  compute_result_c1->generate_r1cs_constraints();
239  }
240 
241  void generate_r1cs_witness() {
242  compute_v0->generate_r1cs_witness();
243  compute_v1->generate_r1cs_witness();
244 
245  Ac0_plus_Ac1_c0.evaluate(this->bp);
246  Ac0_plus_Ac1_c1.evaluate(this->bp);
247  Ac0_plus_Ac1_c2.evaluate(this->bp);
248 
249  Bc0_plus_Bc1_c0.evaluate(this->bp);
250  Bc0_plus_Bc1_c1.evaluate(this->bp);
251  Bc0_plus_Bc1_c2.evaluate(this->bp);
252 
253  compute_result_c1->generate_r1cs_witness();
254 
255  const typename field_type::value_type Aval = A.get_element();
256  const typename field_type::value_type Bval = B.get_element();
257  const typename field_type::value_type Rval = Aval * Bval;
258 
259  result.generate_r1cs_witness(Rval);
260 
261  result_c1_plus_v0_plus_v1_c0.evaluate(this->bp);
262  result_c1_plus_v0_plus_v1_c1.evaluate(this->bp);
263  result_c1_plus_v0_plus_v1_c2.evaluate(this->bp);
264 
265  compute_result_c1->generate_r1cs_witness();
266  }
267  };
268 
269  /******************************** element_fp6_2over3_mul_by_2345
270  * ************************************/
271 
276  template<typename FieldType>
277  class element_fp6_2over3_mul_by_2345 : public component<typename FieldType::base_field_type> {
278  using field_type = FieldType;
279  using base_field_type = typename field_type::base_field_type;
280  using underlying_field_type = typename field_type::underlying_field_type;
281 
282  using underlying_element_type = element_fp3<underlying_field_type>;
283 
284  public:
285  element_fp6_2over3<field_type> A;
286  element_fp6_2over3<field_type> B;
287  element_fp6_2over3<field_type> result;
288 
289  blueprint_linear_combination<base_field_type> v0_c0;
290  blueprint_linear_combination<base_field_type> v0_c1;
291  blueprint_linear_combination<base_field_type> v0_c2;
292 
293  blueprint_linear_combination<base_field_type> Ac0_plus_Ac1_c0;
294  blueprint_linear_combination<base_field_type> Ac0_plus_Ac1_c1;
295  blueprint_linear_combination<base_field_type> Ac0_plus_Ac1_c2;
296  std::shared_ptr<underlying_element_type> Ac0_plus_Ac1;
297 
298  std::shared_ptr<underlying_element_type> v0;
299  std::shared_ptr<underlying_element_type> v1;
300 
301  blueprint_linear_combination<base_field_type> Bc0_plus_Bc1_c0;
302  blueprint_linear_combination<base_field_type> Bc0_plus_Bc1_c1;
303  blueprint_linear_combination<base_field_type> Bc0_plus_Bc1_c2;
304  std::shared_ptr<underlying_element_type> Bc0_plus_Bc1;
305 
306  blueprint_linear_combination<base_field_type> result_c1_plus_v0_plus_v1_c0;
307  blueprint_linear_combination<base_field_type> result_c1_plus_v0_plus_v1_c1;
308  blueprint_linear_combination<base_field_type> result_c1_plus_v0_plus_v1_c2;
309  std::shared_ptr<underlying_element_type> result_c1_plus_v0_plus_v1;
310 
311  std::shared_ptr<element_fp3_mul<underlying_field_type>> compute_v1;
312  std::shared_ptr<element_fp3_mul<underlying_field_type>> compute_result_c1;
313 
314  element_fp6_2over3_mul_by_2345(blueprint<base_field_type> &bp,
315  const element_fp6_2over3<field_type> &A,
316  const element_fp6_2over3<field_type> &B,
317  const element_fp6_2over3<field_type> &result) :
318  component<base_field_type>(bp),
319  A(A), B(B), result(result) {
320  /*
321  Karatsuba multiplication for Fp6 as a quadratic extension of Fp3:
322  v0 = A.data[0] * B.data[0]
323  v1 = A.data[1] * B.data[1]
324  result.data[0] = v0 + non_residue * v1
325  result.data[1] = (A.data[0] + A.data[1]) * (B.data[0] + B.data[1]) - v0 - v1
326  where "non_residue * elem" := (non_residue * elem.data[2], elem.data[0], elem.data[1])
327 
328  We know that B.data[0].data[0] = B.data[0].data[1] = 0
329 
330  Enforced with 2 element_fp3_mul's that ensure that:
331  A.data[1] * B.data[1] = v1
332  (A.data[0]+A.data[1])*(B.data[0]+B.data[1]) = result.data[1] + v0 + v1
333 
334  And one multiplication (three direct constraints) that enforces A.data[0] * B.data[0]
335  = v0, where B.data[0].data[0] = B.data[0].data[1] = 0.
336 
337  Note that (u + v * X + t * X^2) * (0 + 0 * X + z * X^2) =
338  (v * z * non_residue + t * z * non_residue * X + u * z * X^2)
339 
340  Reference:
341  "Multiplication and Squaring on Pairing-Friendly Fields"
342  Devegili, OhEigeartaigh, Scott, Dahab
343  */
344  v1.reset(new underlying_element_type(bp));
345  compute_v1.reset(new element_fp3_mul<underlying_field_type>(bp, A.data[1], B.data[1], *v1));
346 
347  /* we inline result.data[0] in v0 as follows: v0 = (result.data[0].data[0] -
348  * field_type::value_type::non_residue * v1->data[2],
349  * result.data[0].data[1] - v1->data[0], result.data[0].data[2] - v1->data[1]) */
350  v0.reset(new underlying_element_type(bp));
351 
352  Ac0_plus_Ac1_c0.assign(bp, A.data[0].data[0] + A.data[1].data[0]);
353  Ac0_plus_Ac1_c1.assign(bp, A.data[0].data[1] + A.data[1].data[1]);
354  Ac0_plus_Ac1_c2.assign(bp, A.data[0].data[2] + A.data[1].data[2]);
355  Ac0_plus_Ac1.reset(
356  new underlying_element_type(bp, Ac0_plus_Ac1_c0, Ac0_plus_Ac1_c1, Ac0_plus_Ac1_c2));
357 
358  Bc0_plus_Bc1_c0.assign(bp, B.data[0].data[0] + B.data[1].data[0]);
359  Bc0_plus_Bc1_c1.assign(bp, B.data[0].data[1] + B.data[1].data[1]);
360  Bc0_plus_Bc1_c2.assign(bp, B.data[0].data[2] + B.data[1].data[2]);
361  Bc0_plus_Bc1.reset(
362  new underlying_element_type(bp, Bc0_plus_Bc1_c0, Bc0_plus_Bc1_c1, Bc0_plus_Bc1_c2));
363 
364  result_c1_plus_v0_plus_v1_c0.assign(bp, result.data[1].data[0] + v0->data[0] + v1->data[0]);
365  result_c1_plus_v0_plus_v1_c1.assign(bp, result.data[1].data[1] + v0->data[1] + v1->data[1]);
366  result_c1_plus_v0_plus_v1_c2.assign(bp, result.data[1].data[2] + v0->data[2] + v1->data[2]);
367  result_c1_plus_v0_plus_v1.reset(new underlying_element_type(bp,
368  result_c1_plus_v0_plus_v1_c0,
369  result_c1_plus_v0_plus_v1_c1,
370  result_c1_plus_v0_plus_v1_c2));
371 
372  compute_result_c1.reset(new element_fp3_mul<underlying_field_type>(
373  bp, *Ac0_plus_Ac1, *Bc0_plus_Bc1, *result_c1_plus_v0_plus_v1));
374  }
375 
376  void generate_r1cs_constraints() {
377  compute_v1->generate_r1cs_constraints();
378  this->bp.add_r1cs_constraint(snark::r1cs_constraint<base_field_type>(
379  A.data[0].data[1], underlying_field_type::value_type::non_residue * B.data[0].data[2],
380  result.data[0].data[0] - field_type::value_type::non_residue * v1->data[2]));
381 
382  this->bp.add_r1cs_constraint(snark::r1cs_constraint<base_field_type>(
383  A.data[0].data[2], underlying_field_type::value_type::non_residue * B.data[0].data[2],
384  result.data[0].data[1] - v1->data[0]));
385 
386  this->bp.add_r1cs_constraint(snark::r1cs_constraint<base_field_type>(
387  A.data[0].data[0], B.data[0].data[2], result.data[0].data[2] - v1->data[1]));
388  compute_result_c1->generate_r1cs_constraints();
389  }
390 
391  void generate_r1cs_witness() {
392  compute_v1->generate_r1cs_witness();
393 
394  const typename underlying_field_type::value_type A_c0_val = A.data[0].get_element();
395  const typename underlying_field_type::value_type B_c0_val = B.data[0].get_element();
396  assert(B_c0_val.data[0].is_zero());
397  assert(B_c0_val.data[1].is_zero());
398 
399  const typename underlying_field_type::value_type v0_val = A_c0_val * B_c0_val;
400  v0->generate_r1cs_witness(v0_val);
401 
402  Ac0_plus_Ac1_c0.evaluate(this->bp);
403  Ac0_plus_Ac1_c1.evaluate(this->bp);
404  Ac0_plus_Ac1_c2.evaluate(this->bp);
405 
406  Bc0_plus_Bc1_c0.evaluate(this->bp);
407  Bc0_plus_Bc1_c1.evaluate(this->bp);
408  Bc0_plus_Bc1_c2.evaluate(this->bp);
409 
410  compute_result_c1->generate_r1cs_witness();
411 
412  const typename field_type::value_type Aval = A.get_element();
413  const typename field_type::value_type Bval = B.get_element();
414  const typename field_type::value_type Rval = Aval * Bval;
415 
416  result.generate_r1cs_witness(Rval);
417 
418  result_c1_plus_v0_plus_v1_c0.evaluate(this->bp);
419  result_c1_plus_v0_plus_v1_c1.evaluate(this->bp);
420  result_c1_plus_v0_plus_v1_c2.evaluate(this->bp);
421 
422  compute_result_c1->generate_r1cs_witness();
423  }
424  };
425 
426  /******************************** element_fp6_2over3_squared ************************************/
427 
431  template<typename FieldType>
432  class element_fp6_2over3_squared : public component<typename FieldType::base_field_type> {
433 
434  using field_type = FieldType;
435  using base_field_type = typename field_type::base_field_type;
436  using underlying_field_type = typename field_type::underlying_field_type;
437 
438  using underlying_element_type = element_fp3<underlying_field_type>;
439 
440  public:
441  element_fp6_2over3<field_type> A;
442  element_fp6_2over3<field_type> result;
443 
444  std::shared_ptr<element_fp6_2over3_mul<field_type>> mul;
445 
446  element_fp6_2over3_squared(blueprint<base_field_type> &bp,
447  const element_fp6_2over3<field_type> &A,
448  const element_fp6_2over3<field_type> &result) :
449  component<base_field_type>(bp),
450  A(A), result(result) {
451  mul.reset(new element_fp6_2over3_mul<field_type>(bp, A, A, result));
452  }
453 
454  void generate_r1cs_constraints() {
455  mul->generate_r1cs_constraints();
456  }
457 
458  void generate_r1cs_witness() {
459  mul->generate_r1cs_witness();
460  }
461  };
462 
463  /******************************** element_fp6_2over3_cyclotomic_squared
464  * ************************************/
465 
469  template<typename FieldType>
470  class element_fp6_2over3_cyclotomic_squared : public component<typename FieldType::base_field_type> {
471 
472  using field_type = FieldType;
473  using base_field_type = typename field_type::base_field_type;
474  using underlying_field_type = typename field_type::underlying_field_type;
475 
476  using underlying_element_type = element_fp3<underlying_field_type>;
477 
478  typedef typename field_type::underlying_field_type Fp2T;
479 
480  public:
481  element_fp6_2over3<field_type> A;
482  element_fp6_2over3<field_type> result;
483 
484  std::shared_ptr<element_fp2<Fp2T>> a;
485  std::shared_ptr<element_fp2<Fp2T>> b;
486  std::shared_ptr<element_fp2<Fp2T>> c;
487 
488  blueprint_linear_combination<base_field_type> asq_c0;
489  blueprint_linear_combination<base_field_type> asq_c1;
490 
491  blueprint_linear_combination<base_field_type> bsq_c0;
492  blueprint_linear_combination<base_field_type> bsq_c1;
493 
494  blueprint_linear_combination<base_field_type> csq_c0;
495  blueprint_linear_combination<base_field_type> csq_c1;
496 
497  std::shared_ptr<element_fp2<Fp2T>> asq;
498  std::shared_ptr<element_fp2<Fp2T>> bsq;
499  std::shared_ptr<element_fp2<Fp2T>> csq;
500 
501  std::shared_ptr<element_fp2_squared<Fp2T>> compute_asq;
502  std::shared_ptr<element_fp2_squared<Fp2T>> compute_bsq;
503  std::shared_ptr<element_fp2_squared<Fp2T>> compute_csq;
504 
505  element_fp6_2over3_cyclotomic_squared(blueprint<base_field_type> &bp,
506  const element_fp6_2over3<field_type> &A,
507  const element_fp6_2over3<field_type> &result) :
508  component<base_field_type>(bp),
509  A(A), result(result) {
510  /*
511  underlying_field_type a = underlying_field_type(data[0].data[0], data[1].data[1]);
512  underlying_field_type b = underlying_field_type(data[1].data[0], data[0].data[2]);
513  underlying_field_type c = underlying_field_type(data[0].data[1], data[1].data[2]);
514 
515  underlying_field_type asq = a.squared();
516  underlying_field_type bsq = b.squared();
517  underlying_field_type csq = c.squared();
518 
519  result.data[0].data[0] = 3 * asq_a - 2 * a_a;
520  result.data[1].data[1] = 3 * asq_b + 2 * a_b;
521 
522  result.data[0].data[1] = 3 * bsq_a - 2 * c_a;
523  result.data[1].data[2] = 3 * bsq_b + 2 * c_b;
524 
525  result.data[0].data[2] = 3 * csq_a - 2 * b_b;
526  result.data[1].data[0] = 3 * my_Fp3::non_residue * csq_b + 2 * b_a;
527 
528  return Fp6_2over3_model<n, mbodulus>(my_Fp3(A_a, C_a, B_b),
529  my_Fp3(B_a, A_b, C_b))
530  */
531  a.reset(new element_fp2<Fp2T>(bp, A.data[0].data[0], A.data[1].data[1]));
532  b.reset(new element_fp2<Fp2T>(bp, A.data[1].data[0], A.data[0].data[2]));
533  c.reset(new element_fp2<Fp2T>(bp, A.data[0].data[1], A.data[1].data[2]));
534 
535  asq_c0.assign(bp, (result.data[0].data[0] + 2 * a->data[0]) *
536  typename base_field_type::value_type(3).inversed());
537  asq_c1.assign(bp, (result.data[1].data[1] - 2 * a->data[1]) *
538  typename base_field_type::value_type(3).inversed());
539 
540  bsq_c0.assign(bp, (result.data[0].data[1] + 2 * c->data[0]) *
541  typename base_field_type::value_type(3).inversed());
542  bsq_c1.assign(bp, (result.data[1].data[2] - 2 * c->data[1]) *
543  typename base_field_type::value_type(3).inversed());
544 
545  csq_c0.assign(bp, (result.data[0].data[2] + 2 * b->data[1]) *
546  typename base_field_type::value_type(3).inversed());
547  csq_c1.assign(
548  bp,
549  (result.data[1].data[0] - 2 * b->data[0]) *
550  (typename base_field_type::value_type(3) * Fp2T::value_type::non_residue).inversed());
551 
552  asq.reset(new element_fp2<Fp2T>(bp, asq_c0, asq_c1));
553  bsq.reset(new element_fp2<Fp2T>(bp, bsq_c0, bsq_c1));
554  csq.reset(new element_fp2<Fp2T>(bp, csq_c0, csq_c1));
555 
556  compute_asq.reset(new element_fp2_squared<Fp2T>(bp, *a, *asq));
557  compute_bsq.reset(new element_fp2_squared<Fp2T>(bp, *b, *bsq));
558  compute_csq.reset(new element_fp2_squared<Fp2T>(bp, *c, *csq));
559  }
560 
561  void generate_r1cs_constraints() {
562  compute_asq->generate_r1cs_constraints();
563  compute_bsq->generate_r1cs_constraints();
564  compute_csq->generate_r1cs_constraints();
565  }
566 
567  void generate_r1cs_witness() {
568  const typename field_type::value_type Aval = A.get_element();
569  const typename field_type::value_type Rval = Aval.cyclotomic_squared();
570 
571  result.generate_r1cs_witness(Rval);
572 
573  asq->evaluate();
574  bsq->evaluate();
575  csq->evaluate();
576 
577  compute_asq->generate_r1cs_witness();
578  compute_bsq->generate_r1cs_witness();
579  compute_csq->generate_r1cs_witness();
580  }
581  };
582  } // namespace components
583  } // namespace zk
584  } // namespace crypto3
585 } // namespace nil
586 
587 #endif // CRYPTO3_ZK_BLUEPRINT_FP6_2OVER3_COMPONENTS_HPP
blueprint_variable.hpp
nil::crypto3::zk::components::blueprint_linear_combination< base_field_type >
nil::crypto3::zk::components::blueprint_linear_combination::assign
void assign(blueprint< field_type > &bp, const snark::linear_combination< field_type > &lc)
Definition: blueprint_linear_combination.hpp:65
nil::crypto3::zk::components::blueprint_linear_combination::evaluate
void evaluate(blueprint< field_type > &bp) const
Definition: blueprint_linear_combination.hpp:71
nil::crypto3::zk::components::blueprint
Definition: blueprint.hpp:46
nil::crypto3::zk::components::component
Definition: component.hpp:37
nil::crypto3::zk::components::component< FieldType::base_field_type >::bp
blueprint< FieldType > & bp
Definition: component.hpp:39
nil::crypto3::zk::components::element_fp6_2over3_cyclotomic_squared
Definition: element_fp6_2over3.hpp:470
nil::crypto3::zk::components::element_fp6_2over3_cyclotomic_squared::result
element_fp6_2over3< field_type > result
Definition: element_fp6_2over3.hpp:482
nil::crypto3::zk::components::element_fp6_2over3_cyclotomic_squared::bsq
std::shared_ptr< element_fp2< Fp2T > > bsq
Definition: element_fp6_2over3.hpp:498
nil::crypto3::zk::components::element_fp6_2over3_cyclotomic_squared::c
std::shared_ptr< element_fp2< Fp2T > > c
Definition: element_fp6_2over3.hpp:486
nil::crypto3::zk::components::element_fp6_2over3_cyclotomic_squared::generate_r1cs_constraints
void generate_r1cs_constraints()
Definition: element_fp6_2over3.hpp:561
nil::crypto3::zk::components::element_fp6_2over3_cyclotomic_squared::compute_csq
std::shared_ptr< element_fp2_squared< Fp2T > > compute_csq
Definition: element_fp6_2over3.hpp:503
nil::crypto3::zk::components::element_fp6_2over3_cyclotomic_squared::element_fp6_2over3_cyclotomic_squared
element_fp6_2over3_cyclotomic_squared(blueprint< base_field_type > &bp, const element_fp6_2over3< field_type > &A, const element_fp6_2over3< field_type > &result)
Definition: element_fp6_2over3.hpp:505
nil::crypto3::zk::components::element_fp6_2over3_cyclotomic_squared::asq
std::shared_ptr< element_fp2< Fp2T > > asq
Definition: element_fp6_2over3.hpp:497
nil::crypto3::zk::components::element_fp6_2over3_cyclotomic_squared::asq_c1
blueprint_linear_combination< base_field_type > asq_c1
Definition: element_fp6_2over3.hpp:489
nil::crypto3::zk::components::element_fp6_2over3_cyclotomic_squared::generate_r1cs_witness
void generate_r1cs_witness()
Definition: element_fp6_2over3.hpp:567
nil::crypto3::zk::components::element_fp6_2over3_cyclotomic_squared::compute_asq
std::shared_ptr< element_fp2_squared< Fp2T > > compute_asq
Definition: element_fp6_2over3.hpp:501
nil::crypto3::zk::components::element_fp6_2over3_cyclotomic_squared::b
std::shared_ptr< element_fp2< Fp2T > > b
Definition: element_fp6_2over3.hpp:485
nil::crypto3::zk::components::element_fp6_2over3_cyclotomic_squared::asq_c0
blueprint_linear_combination< base_field_type > asq_c0
Definition: element_fp6_2over3.hpp:488
nil::crypto3::zk::components::element_fp6_2over3_cyclotomic_squared::csq
std::shared_ptr< element_fp2< Fp2T > > csq
Definition: element_fp6_2over3.hpp:499
nil::crypto3::zk::components::element_fp6_2over3_cyclotomic_squared::bsq_c1
blueprint_linear_combination< base_field_type > bsq_c1
Definition: element_fp6_2over3.hpp:492
nil::crypto3::zk::components::element_fp6_2over3_cyclotomic_squared::A
element_fp6_2over3< field_type > A
Definition: element_fp6_2over3.hpp:481
nil::crypto3::zk::components::element_fp6_2over3_cyclotomic_squared::a
std::shared_ptr< element_fp2< Fp2T > > a
Definition: element_fp6_2over3.hpp:484
nil::crypto3::zk::components::element_fp6_2over3_cyclotomic_squared::csq_c0
blueprint_linear_combination< base_field_type > csq_c0
Definition: element_fp6_2over3.hpp:494
nil::crypto3::zk::components::element_fp6_2over3_cyclotomic_squared::csq_c1
blueprint_linear_combination< base_field_type > csq_c1
Definition: element_fp6_2over3.hpp:495
nil::crypto3::zk::components::element_fp6_2over3_cyclotomic_squared::bsq_c0
blueprint_linear_combination< base_field_type > bsq_c0
Definition: element_fp6_2over3.hpp:491
nil::crypto3::zk::components::element_fp6_2over3_cyclotomic_squared::compute_bsq
std::shared_ptr< element_fp2_squared< Fp2T > > compute_bsq
Definition: element_fp6_2over3.hpp:502
nil::crypto3::zk::components::element_fp6_2over3_mul_by_2345
Definition: element_fp6_2over3.hpp:277
nil::crypto3::zk::components::element_fp6_2over3_mul_by_2345::v0
std::shared_ptr< underlying_element_type > v0
Definition: element_fp6_2over3.hpp:298
nil::crypto3::zk::components::element_fp6_2over3_mul_by_2345::element_fp6_2over3_mul_by_2345
element_fp6_2over3_mul_by_2345(blueprint< base_field_type > &bp, const element_fp6_2over3< field_type > &A, const element_fp6_2over3< field_type > &B, const element_fp6_2over3< field_type > &result)
Definition: element_fp6_2over3.hpp:314
nil::crypto3::zk::components::element_fp6_2over3_mul_by_2345::B
element_fp6_2over3< field_type > B
Definition: element_fp6_2over3.hpp:286
nil::crypto3::zk::components::element_fp6_2over3_mul_by_2345::result_c1_plus_v0_plus_v1_c0
blueprint_linear_combination< base_field_type > result_c1_plus_v0_plus_v1_c0
Definition: element_fp6_2over3.hpp:306
nil::crypto3::zk::components::element_fp6_2over3_mul_by_2345::A
element_fp6_2over3< field_type > A
Definition: element_fp6_2over3.hpp:285
nil::crypto3::zk::components::element_fp6_2over3_mul_by_2345::v0_c0
blueprint_linear_combination< base_field_type > v0_c0
Definition: element_fp6_2over3.hpp:289
nil::crypto3::zk::components::element_fp6_2over3_mul_by_2345::result
element_fp6_2over3< field_type > result
Definition: element_fp6_2over3.hpp:287
nil::crypto3::zk::components::element_fp6_2over3_mul_by_2345::v0_c2
blueprint_linear_combination< base_field_type > v0_c2
Definition: element_fp6_2over3.hpp:291
nil::crypto3::zk::components::element_fp6_2over3_mul_by_2345::Bc0_plus_Bc1_c2
blueprint_linear_combination< base_field_type > Bc0_plus_Bc1_c2
Definition: element_fp6_2over3.hpp:303
nil::crypto3::zk::components::element_fp6_2over3_mul_by_2345::v1
std::shared_ptr< underlying_element_type > v1
Definition: element_fp6_2over3.hpp:299
nil::crypto3::zk::components::element_fp6_2over3_mul_by_2345::Bc0_plus_Bc1_c1
blueprint_linear_combination< base_field_type > Bc0_plus_Bc1_c1
Definition: element_fp6_2over3.hpp:302
nil::crypto3::zk::components::element_fp6_2over3_mul_by_2345::Bc0_plus_Bc1_c0
blueprint_linear_combination< base_field_type > Bc0_plus_Bc1_c0
Definition: element_fp6_2over3.hpp:301
nil::crypto3::zk::components::element_fp6_2over3_mul_by_2345::Ac0_plus_Ac1_c0
blueprint_linear_combination< base_field_type > Ac0_plus_Ac1_c0
Definition: element_fp6_2over3.hpp:293
nil::crypto3::zk::components::element_fp6_2over3_mul_by_2345::Bc0_plus_Bc1
std::shared_ptr< underlying_element_type > Bc0_plus_Bc1
Definition: element_fp6_2over3.hpp:304
nil::crypto3::zk::components::element_fp6_2over3_mul_by_2345::result_c1_plus_v0_plus_v1
std::shared_ptr< underlying_element_type > result_c1_plus_v0_plus_v1
Definition: element_fp6_2over3.hpp:309
nil::crypto3::zk::components::element_fp6_2over3_mul_by_2345::result_c1_plus_v0_plus_v1_c1
blueprint_linear_combination< base_field_type > result_c1_plus_v0_plus_v1_c1
Definition: element_fp6_2over3.hpp:307
nil::crypto3::zk::components::element_fp6_2over3_mul_by_2345::compute_v1
std::shared_ptr< element_fp3_mul< underlying_field_type > > compute_v1
Definition: element_fp6_2over3.hpp:311
nil::crypto3::zk::components::element_fp6_2over3_mul_by_2345::Ac0_plus_Ac1_c1
blueprint_linear_combination< base_field_type > Ac0_plus_Ac1_c1
Definition: element_fp6_2over3.hpp:294
nil::crypto3::zk::components::element_fp6_2over3_mul_by_2345::generate_r1cs_witness
void generate_r1cs_witness()
Definition: element_fp6_2over3.hpp:391
nil::crypto3::zk::components::element_fp6_2over3_mul_by_2345::generate_r1cs_constraints
void generate_r1cs_constraints()
Definition: element_fp6_2over3.hpp:376
nil::crypto3::zk::components::element_fp6_2over3_mul_by_2345::v0_c1
blueprint_linear_combination< base_field_type > v0_c1
Definition: element_fp6_2over3.hpp:290
nil::crypto3::zk::components::element_fp6_2over3_mul_by_2345::Ac0_plus_Ac1
std::shared_ptr< underlying_element_type > Ac0_plus_Ac1
Definition: element_fp6_2over3.hpp:296
nil::crypto3::zk::components::element_fp6_2over3_mul_by_2345::result_c1_plus_v0_plus_v1_c2
blueprint_linear_combination< base_field_type > result_c1_plus_v0_plus_v1_c2
Definition: element_fp6_2over3.hpp:308
nil::crypto3::zk::components::element_fp6_2over3_mul_by_2345::compute_result_c1
std::shared_ptr< element_fp3_mul< underlying_field_type > > compute_result_c1
Definition: element_fp6_2over3.hpp:312
nil::crypto3::zk::components::element_fp6_2over3_mul_by_2345::Ac0_plus_Ac1_c2
blueprint_linear_combination< base_field_type > Ac0_plus_Ac1_c2
Definition: element_fp6_2over3.hpp:295
nil::crypto3::zk::components::element_fp6_2over3_mul
Definition: element_fp6_2over3.hpp:137
nil::crypto3::zk::components::element_fp6_2over3_mul::result_c1_plus_v0_plus_v1_c1
blueprint_linear_combination< base_field_type > result_c1_plus_v0_plus_v1_c1
Definition: element_fp6_2over3.hpp:168
nil::crypto3::zk::components::element_fp6_2over3_mul::result_c1_plus_v0_plus_v1_c0
blueprint_linear_combination< base_field_type > result_c1_plus_v0_plus_v1_c0
Definition: element_fp6_2over3.hpp:167
nil::crypto3::zk::components::element_fp6_2over3_mul::result
element_fp6_2over3< field_type > result
Definition: element_fp6_2over3.hpp:148
nil::crypto3::zk::components::element_fp6_2over3_mul::Ac0_plus_Ac1_c1
blueprint_linear_combination< base_field_type > Ac0_plus_Ac1_c1
Definition: element_fp6_2over3.hpp:155
nil::crypto3::zk::components::element_fp6_2over3_mul::Ac0_plus_Ac1_c2
blueprint_linear_combination< base_field_type > Ac0_plus_Ac1_c2
Definition: element_fp6_2over3.hpp:156
nil::crypto3::zk::components::element_fp6_2over3_mul::Ac0_plus_Ac1
std::shared_ptr< underlying_element_type > Ac0_plus_Ac1
Definition: element_fp6_2over3.hpp:157
nil::crypto3::zk::components::element_fp6_2over3_mul::v0_c1
blueprint_linear_combination< base_field_type > v0_c1
Definition: element_fp6_2over3.hpp:151
nil::crypto3::zk::components::element_fp6_2over3_mul::v0_c2
blueprint_linear_combination< base_field_type > v0_c2
Definition: element_fp6_2over3.hpp:152
nil::crypto3::zk::components::element_fp6_2over3_mul::compute_v0
std::shared_ptr< element_fp3_mul< underlying_field_type > > compute_v0
Definition: element_fp6_2over3.hpp:172
nil::crypto3::zk::components::element_fp6_2over3_mul::result_c1_plus_v0_plus_v1
std::shared_ptr< underlying_element_type > result_c1_plus_v0_plus_v1
Definition: element_fp6_2over3.hpp:170
nil::crypto3::zk::components::element_fp6_2over3_mul::generate_r1cs_witness
void generate_r1cs_witness()
Definition: element_fp6_2over3.hpp:241
nil::crypto3::zk::components::element_fp6_2over3_mul::v1
std::shared_ptr< underlying_element_type > v1
Definition: element_fp6_2over3.hpp:160
nil::crypto3::zk::components::element_fp6_2over3_mul::Ac0_plus_Ac1_c0
blueprint_linear_combination< base_field_type > Ac0_plus_Ac1_c0
Definition: element_fp6_2over3.hpp:154
nil::crypto3::zk::components::element_fp6_2over3_mul::result_c1_plus_v0_plus_v1_c2
blueprint_linear_combination< base_field_type > result_c1_plus_v0_plus_v1_c2
Definition: element_fp6_2over3.hpp:169
nil::crypto3::zk::components::element_fp6_2over3_mul::B
element_fp6_2over3< field_type > B
Definition: element_fp6_2over3.hpp:147
nil::crypto3::zk::components::element_fp6_2over3_mul::Bc0_plus_Bc1
std::shared_ptr< underlying_element_type > Bc0_plus_Bc1
Definition: element_fp6_2over3.hpp:165
nil::crypto3::zk::components::element_fp6_2over3_mul::compute_result_c1
std::shared_ptr< element_fp3_mul< underlying_field_type > > compute_result_c1
Definition: element_fp6_2over3.hpp:174
nil::crypto3::zk::components::element_fp6_2over3_mul::v0_c0
blueprint_linear_combination< base_field_type > v0_c0
Definition: element_fp6_2over3.hpp:150
nil::crypto3::zk::components::element_fp6_2over3_mul::v0
std::shared_ptr< underlying_element_type > v0
Definition: element_fp6_2over3.hpp:159
nil::crypto3::zk::components::element_fp6_2over3_mul::A
element_fp6_2over3< field_type > A
Definition: element_fp6_2over3.hpp:146
nil::crypto3::zk::components::element_fp6_2over3_mul::generate_r1cs_constraints
void generate_r1cs_constraints()
Definition: element_fp6_2over3.hpp:235
nil::crypto3::zk::components::element_fp6_2over3_mul::Bc0_plus_Bc1_c0
blueprint_linear_combination< base_field_type > Bc0_plus_Bc1_c0
Definition: element_fp6_2over3.hpp:162
nil::crypto3::zk::components::element_fp6_2over3_mul::Bc0_plus_Bc1_c1
blueprint_linear_combination< base_field_type > Bc0_plus_Bc1_c1
Definition: element_fp6_2over3.hpp:163
nil::crypto3::zk::components::element_fp6_2over3_mul::element_fp6_2over3_mul
element_fp6_2over3_mul(blueprint< base_field_type > &bp, const element_fp6_2over3< field_type > &A, const element_fp6_2over3< field_type > &B, const element_fp6_2over3< field_type > &result)
Definition: element_fp6_2over3.hpp:176
nil::crypto3::zk::components::element_fp6_2over3_mul::compute_v1
std::shared_ptr< element_fp3_mul< underlying_field_type > > compute_v1
Definition: element_fp6_2over3.hpp:173
nil::crypto3::zk::components::element_fp6_2over3_mul::Bc0_plus_Bc1_c2
blueprint_linear_combination< base_field_type > Bc0_plus_Bc1_c2
Definition: element_fp6_2over3.hpp:164
nil::crypto3::zk::components::element_fp6_2over3_squared
Definition: element_fp6_2over3.hpp:432
nil::crypto3::zk::components::element_fp6_2over3_squared::element_fp6_2over3_squared
element_fp6_2over3_squared(blueprint< base_field_type > &bp, const element_fp6_2over3< field_type > &A, const element_fp6_2over3< field_type > &result)
Definition: element_fp6_2over3.hpp:446
nil::crypto3::zk::components::element_fp6_2over3_squared::A
element_fp6_2over3< field_type > A
Definition: element_fp6_2over3.hpp:441
nil::crypto3::zk::components::element_fp6_2over3_squared::generate_r1cs_witness
void generate_r1cs_witness()
Definition: element_fp6_2over3.hpp:458
nil::crypto3::zk::components::element_fp6_2over3_squared::mul
std::shared_ptr< element_fp6_2over3_mul< field_type > > mul
Definition: element_fp6_2over3.hpp:444
nil::crypto3::zk::components::element_fp6_2over3_squared::result
element_fp6_2over3< field_type > result
Definition: element_fp6_2over3.hpp:442
nil::crypto3::zk::components::element_fp6_2over3_squared::generate_r1cs_constraints
void generate_r1cs_constraints()
Definition: element_fp6_2over3.hpp:454
nil::crypto3::zk::components::element_fp6_2over3
Definition: element_fp6_2over3.hpp:51
nil::crypto3::zk::components::element_fp6_2over3::generate_r1cs_equals_const_constraints
void generate_r1cs_equals_const_constraints(const typename field_type::value_type &el)
Definition: element_fp6_2over3.hpp:81
nil::crypto3::zk::components::element_fp6_2over3::get_element
field_type::value_type get_element()
Definition: element_fp6_2over3.hpp:91
nil::crypto3::zk::components::element_fp6_2over3::element_fp6_2over3
element_fp6_2over3(blueprint< base_field_type > &bp, const underlying_element_type &in_data0, const underlying_element_type &in_data1)
Definition: element_fp6_2over3.hpp:75
nil::crypto3::zk::components::element_fp6_2over3::element_fp6_2over3
element_fp6_2over3(blueprint< base_field_type > &bp, const typename field_type::value_type &el)
Definition: element_fp6_2over3.hpp:70
nil::crypto3::zk::components::element_fp6_2over3::data
data_type data
Definition: element_fp6_2over3.hpp:63
nil::crypto3::zk::components::element_fp6_2over3::element_fp6_2over3
element_fp6_2over3(blueprint< base_field_type > &bp)
Definition: element_fp6_2over3.hpp:65
nil::crypto3::zk::components::element_fp6_2over3::Frobenius_map
element_fp6_2over3< field_type > Frobenius_map(const std::size_t power) const
Definition: element_fp6_2over3.hpp:98
nil::crypto3::zk::components::element_fp6_2over3::generate_r1cs_witness
void generate_r1cs_witness(const typename field_type::value_type &el)
Definition: element_fp6_2over3.hpp:86
nil::crypto3::zk::components::element_fp6_2over3::evaluate
void evaluate() const
Definition: element_fp6_2over3.hpp:125
element_fp2.hpp
element_fp3.hpp
nil::crypto3::math::expressions::detail::parser::power
nil::crypto3::math::expressions::detail::parser::power_ power
nil
Definition: pair.hpp:31
nil::crypto3::zk::components::element_fp2_squared
Definition: element_fp2.hpp:301
nil::crypto3::zk::components::element_fp2
Definition: element_fp2.hpp:52
nil::crypto3::zk::components::element_fp3_mul
Definition: element_fp3.hpp:219
nil::crypto3::zk::components::element_fp3
Definition: element_fp3.hpp:52
nil::crypto3::zk::snark::r1cs_constraint
Definition: r1cs.hpp:60