precomputation.hpp
Go to the documentation of this file.
1 //---------------------------------------------------------------------------//
2 // Copyright (c) 2018-2021 Mikhail Komarov <nemo@nil.foundation>
3 // Copyright (c) 2020-2021 Nikita Kaskov <nbering@nil.foundation>
4 //
5 // MIT License
6 //
7 // Permission is hereby granted, free of charge, to any person obtaining a copy
8 // of this software and associated documentation files (the "Software"), to deal
9 // in the Software without restriction, including without limitation the rights
10 // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 // copies of the Software, and to permit persons to whom the Software is
12 // furnished to do so, subject to the following conditions:
13 //
14 // The above copyright notice and this permission notice shall be included in all
15 // copies or substantial portions of the Software.
16 //
17 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 // SOFTWARE.
24 //---------------------------------------------------------------------------//
25 // @file Declaration of interfaces for pairing precomputation components.
26 //
27 // The components verify correct precomputation of values for the G1 and G2 elements.
28 //---------------------------------------------------------------------------//
29 
30 #ifndef CRYPTO3_ZK_BLUEPRINT_AS_WAKSMAN_HPP
31 #define CRYPTO3_ZK_BLUEPRINT_AS_WAKSMAN_HPP
32 
33 #include <memory>
34 
35 #include <nil/crypto3/algebra/algorithms/pair.hpp>
36 
37 #include <nil/crypto3/algebra/curves/mnt4.hpp>
38 #include <nil/crypto3/algebra/curves/mnt6.hpp>
39 
40 #include <nil/crypto3/zk/components/algebra/curves/weierstrass/element_g1.hpp>
41 #include <nil/crypto3/zk/components/algebra/curves/weierstrass/element_g2.hpp>
42 
43 #include <nil/crypto3/zk/components/algebra/pairing/detail/mnt4.hpp>
44 #include <nil/crypto3/zk/components/algebra/pairing/detail/mnt6.hpp>
45 
46 namespace nil {
47  namespace crypto3 {
48  namespace zk {
49  namespace components {
50 
51  using namespace nil::crypto3::algebra::pairing;
52 
53  /**************************** G1 Precomputation ******************************/
54 
58  template<typename CurveType>
59  class g1_precomputation {
60  typedef typename CurveType::pairing::fp_type FieldType;
61  using component_policy = detail::basic_pairing_component_policy<CurveType>;
62 
63  public:
64  std::shared_ptr<element_g1<CurveType>> P;
65  std::shared_ptr<typename component_policy::Fqe_variable_type> PY_twist_squared;
66 
67  g1_precomputation() {
68  // will be filled in precompute_G1_component, so do nothing here
69  }
70 
71  g1_precomputation(blueprint<FieldType> &bp,
72  const typename CurveType::pairing::pair_curve_type::template g1_type<>::value_type &P_val) {
73  typename CurveType::pairing::pair_curve_type::template g1_type<>::value_type P_val_copy =
74  P_val.to_affine();
75  P.reset(new element_g1<CurveType>(bp, P_val_copy));
76  PY_twist_squared.reset(new typename component_policy::Fqe_variable_type(
77  bp,
78  P_val_copy.Y() *
79  CurveType::pairing::pair_curve_type::template g2_type<>::value_type::twist.squared()));
80  }
81  };
82 
86  template<typename CurveType>
87  class precompute_G1_component : public component<typename CurveType::scalar_field_type> {
88  using curve_type = CurveType;
89  using component_policy = detail::basic_pairing_component_policy<CurveType>;
90 
91  public:
92  using fqk_type = typename CurveType::pairing::pair_curve_type::pairing::fqk_type;
93 
94  g1_precomputation<CurveType> &precomp; // must be a reference.
95 
96  /* two possible pre-computations one for mnt4 and one for mnt6 */
97  template<typename FieldType>
98  precompute_G1_component(
99  blueprint<FieldType> &bp,
100  const element_g1<CurveType> &P,
101  g1_precomputation<CurveType> &precomp, // will allocate this inside
102  const typename std::enable_if<fqk_type::arity == 4, typename FieldType::value_type>::type & =
103  typename FieldType::value_type()) :
104  component<FieldType>(bp),
105  precomp(precomp) {
106 
107  using twist_curve_type = nil::crypto3::algebra::curves::mnt4<298>;
108 
109  blueprint_linear_combination<FieldType> c0, c1;
110  c0.assign(bp, P.Y * ((twist_curve_type::pairing::twist).squared().data[0]));
111  c1.assign(bp, P.Y * ((twist_curve_type::pairing::twist).squared().data[1]));
112 
113  precomp.P.reset(new element_g1<CurveType>(P));
114  precomp.PY_twist_squared.reset(new typename component_policy::Fqe_variable_type(bp, c0, c1));
115  }
116 
117  template<typename FieldType>
118  precompute_G1_component(
119  blueprint<FieldType> &bp,
120  const element_g1<CurveType> &P,
121  g1_precomputation<CurveType> &precomp, // will allocate this inside
122  const typename std::enable_if<fqk_type::arity == 6, typename FieldType::value_type>::type & =
123  typename FieldType::value_type()) :
124  component<FieldType>(bp),
125  precomp(precomp) {
126 
127  using twist_curve_type = nil::crypto3::algebra::curves::mnt6<298>;
128 
129  blueprint_linear_combination<FieldType> c0, c1, c2;
130  c0.assign(bp, P.Y * ((twist_curve_type::pairing::twist).squared().data[0]));
131  c1.assign(bp, P.Y * ((twist_curve_type::pairing::twist).squared().data[1]));
132  c2.assign(bp, P.Y * ((twist_curve_type::pairing::twist).squared().data[2]));
133 
134  precomp.P.reset(new element_g1<CurveType>(P));
135  precomp.PY_twist_squared.reset(new
136  typename component_policy::Fqe_variable_type(bp, c0, c1, c2));
137  }
138 
139  void generate_r1cs_constraints() {
140  /* the same for neither CurveType = mnt4 nor CurveType = mnt6 */
141  }
142 
143  void generate_r1cs_witness() {
144  precomp.PY_twist_squared
145  ->evaluate(); /* the same for both CurveType = mnt4 and CurveType = mnt6 */
146  }
147  };
148 
149  /**************************** G2 Precomputation ******************************/
150 
154  template<typename CurveType>
155  class precompute_G2_component_coeffs {
156  using component_policy = detail::basic_pairing_component_policy<CurveType>;
157 
158  public:
159  typedef typename CurveType::pairing::fp_type FieldType;
160 
161  std::shared_ptr<typename component_policy::Fqe_variable_type> RX;
162  std::shared_ptr<typename component_policy::Fqe_variable_type> RY;
163  std::shared_ptr<typename component_policy::Fqe_variable_type> gamma;
164  std::shared_ptr<typename component_policy::Fqe_variable_type> gamma_X;
165 
166  precompute_G2_component_coeffs() {
167  // we will be filled in precomputed case of precompute_G2_component, so do nothing here
168  }
169 
170  precompute_G2_component_coeffs(blueprint<FieldType> &bp) {
171  RX.reset(new typename component_policy::Fqe_variable_type(bp));
172  RY.reset(new typename component_policy::Fqe_variable_type(bp));
173  gamma.reset(new typename component_policy::Fqe_variable_type(bp));
174  gamma_X.reset(new typename component_policy::Fqe_variable_type(bp));
175  }
176 
177  precompute_G2_component_coeffs(blueprint<FieldType> &bp, const element_g2<CurveType> &Q) {
178  RX.reset(new typename component_policy::Fqe_variable_type(*(Q.X)));
179  RY.reset(new typename component_policy::Fqe_variable_type(*(Q.Y)));
180  gamma.reset(new typename component_policy::Fqe_variable_type(bp));
181  gamma_X.reset(new typename component_policy::Fqe_variable_type(bp));
182  }
183  };
184 
188  template<typename CurveType>
189  class g2_precomputation {
190  using component_policy = detail::basic_pairing_component_policy<CurveType>;
191 
192  public:
193  typedef typename CurveType::pairing::fp_type FieldType;
194 
195  std::shared_ptr<element_g2<CurveType>> Q;
196 
197  std::vector<std::shared_ptr<precompute_G2_component_coeffs<CurveType>>> coeffs;
198 
199  g2_precomputation() {
200  }
201  g2_precomputation(blueprint<FieldType> &bp,
202  const typename CurveType::pairing::pair_curve_type::template g2_type<>::value_type &Q_val) {
203  Q.reset(new element_g2<CurveType>(bp, Q_val));
204  const typename CurveType::pairing::pair_curve_type::pairing::affine_ate_g2_precomp
205  native_precomp =
206  affine_ate_precompute_g2<typename CurveType::pairing::pair_curve_type>(Q_val);
207 
208  coeffs.resize(native_precomp.coeffs.size() +
209  1); // the last precomp remains for convenient programming
210  for (std::size_t i = 0; i < native_precomp.coeffs.size(); ++i) {
211  coeffs[i].reset(new precompute_G2_component_coeffs<CurveType>());
212  coeffs[i]->RX.reset(
213  new typename component_policy::Fqe_variable_type(bp, native_precomp.coeffs[i].old_RX));
214  coeffs[i]->RY.reset(
215  new typename component_policy::Fqe_variable_type(bp, native_precomp.coeffs[i].old_RY));
216  coeffs[i]->gamma.reset(
217  new typename component_policy::Fqe_variable_type(bp, native_precomp.coeffs[i].gamma));
218  coeffs[i]->gamma_X.reset(
219  new typename component_policy::Fqe_variable_type(bp, native_precomp.coeffs[i].gamma_X));
220  }
221  }
222  };
223 
243  template<typename CurveType>
244  class precompute_G2_component_doubling_step : public component<typename CurveType::scalar_field_type> {
245  using component_policy = detail::basic_pairing_component_policy<CurveType>;
246 
247  public:
248  typedef typename CurveType::pairing::fp_type FieldType;
249  using fqe_type = typename CurveType::pairing::pair_curve_type::pairing::fqe_type;
250 
251  precompute_G2_component_coeffs<CurveType> cur;
252  precompute_G2_component_coeffs<CurveType> next;
253 
254  std::shared_ptr<typename component_policy::Fqe_variable_type> RXsquared;
255  std::shared_ptr<typename component_policy::Fqe_sqr_component_type> compute_RXsquared;
256  std::shared_ptr<typename component_policy::Fqe_variable_type> three_RXsquared_plus_a;
257  std::shared_ptr<typename component_policy::Fqe_variable_type> two_RY;
258  std::shared_ptr<typename component_policy::Fqe_mul_component_type> compute_gamma;
259  std::shared_ptr<typename component_policy::Fqe_mul_component_type> compute_gamma_X;
260 
261  std::shared_ptr<typename component_policy::Fqe_variable_type> next_RX_plus_two_RX;
262  std::shared_ptr<typename component_policy::Fqe_sqr_component_type> compute_next_RX;
263 
264  std::shared_ptr<typename component_policy::Fqe_variable_type> RX_minus_next_RX;
265  std::shared_ptr<typename component_policy::Fqe_variable_type> RY_plus_next_RY;
266  std::shared_ptr<typename component_policy::Fqe_mul_component_type> compute_next_RY;
267 
268  precompute_G2_component_doubling_step(blueprint<FieldType> &bp,
269  const precompute_G2_component_coeffs<CurveType> &cur,
270  const precompute_G2_component_coeffs<CurveType> &next) :
271  component<FieldType>(bp),
272  cur(cur), next(next) {
273  RXsquared.reset(new typename component_policy::Fqe_variable_type(bp));
274  compute_RXsquared.reset(
275  new typename component_policy::Fqe_sqr_component_type(bp, *(cur.RX), *RXsquared));
276  three_RXsquared_plus_a.reset(new typename component_policy::Fqe_variable_type(
277  (*RXsquared) * typename FieldType::value_type(0x03) +
278  detail::basic_pairing_component_policy<
279  typename CurveType::pairing::pair_curve_type>::g2_coeff_a));
280 
281  two_RY.reset(new typename component_policy::Fqe_variable_type(
282  *(cur.RY) * typename FieldType::value_type(0x02)));
283 
284  compute_gamma.reset(new typename component_policy::Fqe_mul_component_type(
285  bp, *(cur.gamma), *two_RY, *three_RXsquared_plus_a));
286  compute_gamma_X.reset(new typename component_policy::Fqe_mul_component_type(
287  bp, *(cur.gamma), *(cur.RX), *(cur.gamma_X)));
288 
289  next_RX_plus_two_RX.reset(new typename component_policy::Fqe_variable_type(
290  *(next.RX) + *(cur.RX) * typename FieldType::value_type(0x02)));
291  compute_next_RX.reset(new typename component_policy::Fqe_sqr_component_type(
292  bp, *(cur.gamma), *next_RX_plus_two_RX));
293 
294  RX_minus_next_RX.reset(new typename component_policy::Fqe_variable_type(
295  *(cur.RX) + *(next.RX) * (-FieldType::value_type::one())));
296  RY_plus_next_RY.reset(new typename component_policy::Fqe_variable_type(*(cur.RY) + *(next.RY)));
297  compute_next_RY.reset(new typename component_policy::Fqe_mul_component_type(
298  bp, *(cur.gamma), *RX_minus_next_RX, *RY_plus_next_RY));
299  }
300 
301  void generate_r1cs_constraints() {
302  compute_RXsquared->generate_r1cs_constraints();
303  compute_gamma->generate_r1cs_constraints();
304  compute_gamma_X->generate_r1cs_constraints();
305  compute_next_RX->generate_r1cs_constraints();
306  compute_next_RY->generate_r1cs_constraints();
307  }
308 
309  void generate_r1cs_witness() {
310  compute_RXsquared->generate_r1cs_witness();
311  two_RY->evaluate();
312  three_RXsquared_plus_a->evaluate();
313 
314  const typename fqe_type::value_type three_RXsquared_plus_a_val =
315  three_RXsquared_plus_a->get_element();
316  const typename fqe_type::value_type two_RY_val = two_RY->get_element();
317  const typename fqe_type::value_type gamma_val =
318  three_RXsquared_plus_a_val * two_RY_val.inversed();
319  cur.gamma->generate_r1cs_witness(gamma_val);
320 
321  compute_gamma->generate_r1cs_witness();
322  compute_gamma_X->generate_r1cs_witness();
323 
324  const typename fqe_type::value_type RX_val = cur.RX->get_element();
325  const typename fqe_type::value_type RY_val = cur.RY->get_element();
326  const typename fqe_type::value_type next_RX_val = gamma_val.squared() - RX_val - RX_val;
327  const typename fqe_type::value_type next_RY_val = gamma_val * (RX_val - next_RX_val) - RY_val;
328 
329  next.RX->generate_r1cs_witness(next_RX_val);
330  next.RY->generate_r1cs_witness(next_RY_val);
331 
332  RX_minus_next_RX->evaluate();
333  RY_plus_next_RY->evaluate();
334 
335  compute_next_RX->generate_r1cs_witness();
336  compute_next_RY->generate_r1cs_witness();
337  }
338  };
339 
357  template<typename CurveType>
358  class precompute_G2_component_addition_step : public component<typename CurveType::scalar_field_type> {
359  using component_policy = detail::basic_pairing_component_policy<CurveType>;
360 
361  public:
362  typedef typename CurveType::pairing::fp_type FieldType;
363  using fqe_type = typename CurveType::pairing::pair_curve_type::pairing::fqe_type;
364 
365  bool invert_Q;
366  precompute_G2_component_coeffs<CurveType> cur;
367  precompute_G2_component_coeffs<CurveType> next;
368  element_g2<CurveType> Q;
369 
370  std::shared_ptr<typename component_policy::Fqe_variable_type> RY_minus_QY;
371  std::shared_ptr<typename component_policy::Fqe_variable_type> RX_minus_QX;
372  std::shared_ptr<typename component_policy::Fqe_mul_component_type> compute_gamma;
373  std::shared_ptr<typename component_policy::Fqe_mul_component_type> compute_gamma_X;
374 
375  std::shared_ptr<typename component_policy::Fqe_variable_type> next_RX_plus_RX_plus_QX;
376  std::shared_ptr<typename component_policy::Fqe_sqr_component_type> compute_next_RX;
377 
378  std::shared_ptr<typename component_policy::Fqe_variable_type> RX_minus_next_RX;
379  std::shared_ptr<typename component_policy::Fqe_variable_type> RY_plus_next_RY;
380  std::shared_ptr<typename component_policy::Fqe_mul_component_type> compute_next_RY;
381 
382  precompute_G2_component_addition_step(blueprint<FieldType> &bp,
383  const bool invert_Q,
384  const precompute_G2_component_coeffs<CurveType> &cur,
385  const precompute_G2_component_coeffs<CurveType> &next,
386  const element_g2<CurveType> &Q) :
387  component<FieldType>(bp),
388  invert_Q(invert_Q), cur(cur), next(next), Q(Q) {
389  RY_minus_QY.reset(new typename component_policy::Fqe_variable_type(
390  *(cur.RY) +
391  *(Q.Y) * (!invert_Q ? -FieldType::value_type::one() : FieldType::value_type::one())));
392 
393  RX_minus_QX.reset(new typename component_policy::Fqe_variable_type(
394  *(cur.RX) + *(Q.X) * (-FieldType::value_type::one())));
395  compute_gamma.reset(new typename component_policy::Fqe_mul_component_type(
396  bp, *(cur.gamma), *RX_minus_QX, *RY_minus_QY));
397  compute_gamma_X.reset(new typename component_policy::Fqe_mul_component_type(
398  bp, *(cur.gamma), *(Q.X), *(cur.gamma_X)));
399 
400  next_RX_plus_RX_plus_QX.reset(
401  new typename component_policy::Fqe_variable_type(*(next.RX) + *(cur.RX) + *(Q.X)));
402  compute_next_RX.reset(new typename component_policy::Fqe_sqr_component_type(
403  bp, *(cur.gamma), *next_RX_plus_RX_plus_QX));
404 
405  RX_minus_next_RX.reset(new typename component_policy::Fqe_variable_type(
406  *(cur.RX) + *(next.RX) * (-FieldType::value_type::one())));
407  RY_plus_next_RY.reset(new typename component_policy::Fqe_variable_type(*(cur.RY) + *(next.RY)));
408  compute_next_RY.reset(new typename component_policy::Fqe_mul_component_type(
409  bp, *(cur.gamma), *RX_minus_next_RX, *RY_plus_next_RY));
410  }
411 
412  void generate_r1cs_constraints() {
413  compute_gamma->generate_r1cs_constraints();
414  compute_gamma_X->generate_r1cs_constraints();
415  compute_next_RX->generate_r1cs_constraints();
416  compute_next_RY->generate_r1cs_constraints();
417  }
418 
419  void generate_r1cs_witness() {
420  RY_minus_QY->evaluate();
421  RX_minus_QX->evaluate();
422 
423  const typename fqe_type::value_type RY_minus_QY_val = RY_minus_QY->get_element();
424  const typename fqe_type::value_type RX_minus_QX_val = RX_minus_QX->get_element();
425  const typename fqe_type::value_type gamma_val = RY_minus_QY_val * RX_minus_QX_val.inversed();
426  cur.gamma->generate_r1cs_witness(gamma_val);
427 
428  compute_gamma->generate_r1cs_witness();
429  compute_gamma_X->generate_r1cs_witness();
430 
431  const typename fqe_type::value_type RX_val = cur.RX->get_element();
432  const typename fqe_type::value_type RY_val = cur.RY->get_element();
433  const typename fqe_type::value_type QX_val = Q.X->get_element();
434  const typename fqe_type::value_type next_RX_val = gamma_val.squared() - RX_val - QX_val;
435  const typename fqe_type::value_type next_RY_val = gamma_val * (RX_val - next_RX_val) - RY_val;
436 
437  next.RX->generate_r1cs_witness(next_RX_val);
438  next.RY->generate_r1cs_witness(next_RY_val);
439 
440  next_RX_plus_RX_plus_QX->evaluate();
441  RX_minus_next_RX->evaluate();
442  RY_plus_next_RY->evaluate();
443 
444  compute_next_RX->generate_r1cs_witness();
445  compute_next_RY->generate_r1cs_witness();
446  }
447  };
448 
452  template<typename CurveType>
453  class precompute_G2_component : public component<typename CurveType::scalar_field_type> {
454  using component_policy = detail::basic_pairing_component_policy<CurveType>;
455 
456  public:
457  typedef typename CurveType::pairing::fp_type FieldType;
458 
459  std::vector<std::shared_ptr<precompute_G2_component_addition_step<CurveType>>> addition_steps;
460  std::vector<std::shared_ptr<precompute_G2_component_doubling_step<CurveType>>> doubling_steps;
461 
462  std::size_t add_count;
463  std::size_t dbl_count;
464 
465  g2_precomputation<CurveType> &precomp; // important to have a reference here
466 
467  precompute_G2_component(blueprint<FieldType> &bp,
468  const element_g2<CurveType> &Q,
469  g2_precomputation<CurveType> &precomp) :
470  component<FieldType>(bp),
471  precomp(precomp) {
472  precomp.Q.reset(new element_g2<CurveType>(Q));
473 
474  std::size_t coeff_count = 1; // the last RX/RY are unused in Miller loop, but will need
475  // to get allocated somehow
476  this->add_count = 0;
477  this->dbl_count = 0;
478 
479  bool found_nonzero = false;
480  std::vector<long> NAF = find_wnaf(1, CurveType::pairing::pairing_loop_count);
481 
482  for (long i = NAF.size() - 1; i >= 0; --i) {
483  if (!found_nonzero) {
484  /* this skips the MSB itself */
485  found_nonzero |= (NAF[i] != 0);
486  continue;
487  }
488 
489  ++dbl_count;
490  ++coeff_count;
491 
492  if (NAF[i] != 0) {
493  ++add_count;
494  ++coeff_count;
495  }
496  }
497 
498  precomp.coeffs.resize(coeff_count);
499  addition_steps.resize(add_count);
500  doubling_steps.resize(dbl_count);
501 
502  precomp.coeffs[0].reset(new precompute_G2_component_coeffs<CurveType>(bp, Q));
503  for (std::size_t i = 1; i < coeff_count; ++i) {
504  precomp.coeffs[i].reset(new precompute_G2_component_coeffs<CurveType>(bp));
505  }
506 
507  std::size_t add_id = 0;
508  std::size_t dbl_id = 0;
509  std::size_t coeff_id = 0;
510 
511  found_nonzero = false;
512  for (long i = NAF.size() - 1; i >= 0; --i) {
513  if (!found_nonzero) {
514  /* this skips the MSB itself */
515  found_nonzero |= (NAF[i] != 0);
516  continue;
517  }
518 
519  doubling_steps[dbl_id].reset(new precompute_G2_component_doubling_step<CurveType>(
520  bp, *(precomp.coeffs[coeff_id]), *(precomp.coeffs[coeff_id + 1])));
521  ++dbl_id;
522  ++coeff_id;
523 
524  if (NAF[i] != 0) {
525  addition_steps[add_id].reset(new precompute_G2_component_addition_step<CurveType>(
526  bp, NAF[i] < 0, *(precomp.coeffs[coeff_id]), *(precomp.coeffs[coeff_id + 1]), Q));
527  ++add_id;
528  ++coeff_id;
529  }
530  }
531  }
532 
533  void generate_r1cs_constraints() {
534  for (std::size_t i = 0; i < dbl_count; ++i) {
535  doubling_steps[i]->generate_r1cs_constraints();
536  }
537 
538  for (std::size_t i = 0; i < add_count; ++i) {
539  addition_steps[i]->generate_r1cs_constraints();
540  }
541  }
542 
543  void generate_r1cs_witness() {
544  precomp.coeffs[0]->RX->generate_r1cs_witness(precomp.Q->X->get_element());
545  precomp.coeffs[0]->RY->generate_r1cs_witness(precomp.Q->Y->get_element());
546 
547  std::size_t add_id = 0;
548  std::size_t dbl_id = 0;
549 
550  bool found_nonzero = false;
551  std::vector<long> NAF = find_wnaf(1, CurveType::pairing::pairing_loop_count);
552 
553  for (long i = NAF.size() - 1; i >= 0; --i) {
554  if (!found_nonzero) {
555  /* this skips the MSB itself */
556  found_nonzero |= (NAF[i] != 0);
557  continue;
558  }
559 
560  doubling_steps[dbl_id]->generate_r1cs_witness();
561  ++dbl_id;
562 
563  if (NAF[i] != 0) {
564  addition_steps[add_id]->generate_r1cs_witness();
565  ++add_id;
566  }
567  }
568  }
569  };
570  } // namespace components
571  } // namespace zk
572  } // namespace crypto3
573 } // namespace nil
574 
575 #endif // CRYPTO3_ZK_BLUEPRINT_AS_WAKSMAN_HPP
element_g1.hpp
element_g2.hpp
nil::crypto3::zk::components::blueprint_linear_combination
Definition: blueprint_linear_combination.hpp:47
nil::crypto3::zk::components::blueprint_linear_combination::assign
void assign(blueprint< field_type > &bp, const snark::linear_combination< field_type > &lc)
Definition: blueprint_linear_combination.hpp:65
nil::crypto3::zk::components::blueprint
Definition: blueprint.hpp:46
nil::crypto3::zk::components::component
Definition: component.hpp:37
nil::crypto3::zk::components::detail::basic_pairing_component_policy
Definition: blueprint/include/nil/crypto3/zk/components/algebra/pairing/detail/mnt4.hpp:46
nil::crypto3::zk::components::element_g1
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/edwards/element_g1.hpp:51
nil::crypto3::zk::components::element_g1::Y
underlying_element_type Y
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/edwards/element_g1.hpp:57
nil::crypto3::zk::components::element_g2
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g2.hpp:55
nil::crypto3::zk::components::element_g2::Y
std::shared_ptr< typename component_policy::Fqe_variable_type > Y
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g2.hpp:68
nil::crypto3::zk::components::element_g2::X
std::shared_ptr< typename component_policy::Fqe_variable_type > X
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g2.hpp:67
nil::crypto3::zk::components::g1_precomputation
Definition: precomputation.hpp:59
nil::crypto3::zk::components::g1_precomputation::PY_twist_squared
std::shared_ptr< typename component_policy::Fqe_variable_type > PY_twist_squared
Definition: precomputation.hpp:65
nil::crypto3::zk::components::g1_precomputation::g1_precomputation
g1_precomputation(blueprint< FieldType > &bp, const typename CurveType::pairing::pair_curve_type::template g1_type<>::value_type &P_val)
Definition: precomputation.hpp:71
nil::crypto3::zk::components::g1_precomputation::P
std::shared_ptr< element_g1< CurveType > > P
Definition: precomputation.hpp:64
nil::crypto3::zk::components::g1_precomputation::g1_precomputation
g1_precomputation()
Definition: precomputation.hpp:67
nil::crypto3::zk::components::g2_precomputation
Definition: precomputation.hpp:189
nil::crypto3::zk::components::g2_precomputation::Q
std::shared_ptr< element_g2< CurveType > > Q
Definition: precomputation.hpp:195
nil::crypto3::zk::components::g2_precomputation::FieldType
CurveType::pairing::fp_type FieldType
Definition: precomputation.hpp:193
nil::crypto3::zk::components::g2_precomputation::g2_precomputation
g2_precomputation()
Definition: precomputation.hpp:199
nil::crypto3::zk::components::g2_precomputation::g2_precomputation
g2_precomputation(blueprint< FieldType > &bp, const typename CurveType::pairing::pair_curve_type::template g2_type<>::value_type &Q_val)
Definition: precomputation.hpp:201
nil::crypto3::zk::components::g2_precomputation::coeffs
std::vector< std::shared_ptr< precompute_G2_component_coeffs< CurveType > > > coeffs
Definition: precomputation.hpp:197
nil::crypto3::zk::components::precompute_G1_component
Definition: precomputation.hpp:87
nil::crypto3::zk::components::precompute_G1_component::fqk_type
typename CurveType::pairing::pair_curve_type::pairing::fqk_type fqk_type
Definition: precomputation.hpp:92
nil::crypto3::zk::components::precompute_G1_component::generate_r1cs_witness
void generate_r1cs_witness()
Definition: precomputation.hpp:143
nil::crypto3::zk::components::precompute_G1_component::precompute_G1_component
precompute_G1_component(blueprint< FieldType > &bp, const element_g1< CurveType > &P, g1_precomputation< CurveType > &precomp, const typename std::enable_if< fqk_type::arity==6, typename FieldType::value_type >::type &=typename FieldType::value_type())
Definition: precomputation.hpp:118
nil::crypto3::zk::components::precompute_G1_component::precomp
g1_precomputation< CurveType > & precomp
Definition: precomputation.hpp:94
nil::crypto3::zk::components::precompute_G1_component::generate_r1cs_constraints
void generate_r1cs_constraints()
Definition: precomputation.hpp:139
nil::crypto3::zk::components::precompute_G1_component::precompute_G1_component
precompute_G1_component(blueprint< FieldType > &bp, const element_g1< CurveType > &P, g1_precomputation< CurveType > &precomp, const typename std::enable_if< fqk_type::arity==4, typename FieldType::value_type >::type &=typename FieldType::value_type())
Definition: precomputation.hpp:98
nil::crypto3::zk::components::precompute_G2_component_addition_step
Definition: precomputation.hpp:358
nil::crypto3::zk::components::precompute_G2_component_addition_step::precompute_G2_component_addition_step
precompute_G2_component_addition_step(blueprint< FieldType > &bp, const bool invert_Q, const precompute_G2_component_coeffs< CurveType > &cur, const precompute_G2_component_coeffs< CurveType > &next, const element_g2< CurveType > &Q)
Definition: precomputation.hpp:382
nil::crypto3::zk::components::precompute_G2_component_addition_step::invert_Q
bool invert_Q
Definition: precomputation.hpp:365
nil::crypto3::zk::components::precompute_G2_component_addition_step::RY_minus_QY
std::shared_ptr< typename component_policy::Fqe_variable_type > RY_minus_QY
Definition: precomputation.hpp:370
nil::crypto3::zk::components::precompute_G2_component_addition_step::RX_minus_next_RX
std::shared_ptr< typename component_policy::Fqe_variable_type > RX_minus_next_RX
Definition: precomputation.hpp:378
nil::crypto3::zk::components::precompute_G2_component_addition_step::cur
precompute_G2_component_coeffs< CurveType > cur
Definition: precomputation.hpp:366
nil::crypto3::zk::components::precompute_G2_component_addition_step::FieldType
CurveType::pairing::fp_type FieldType
Definition: precomputation.hpp:362
nil::crypto3::zk::components::precompute_G2_component_addition_step::compute_gamma_X
std::shared_ptr< typename component_policy::Fqe_mul_component_type > compute_gamma_X
Definition: precomputation.hpp:373
nil::crypto3::zk::components::precompute_G2_component_addition_step::generate_r1cs_witness
void generate_r1cs_witness()
Definition: precomputation.hpp:419
nil::crypto3::zk::components::precompute_G2_component_addition_step::RX_minus_QX
std::shared_ptr< typename component_policy::Fqe_variable_type > RX_minus_QX
Definition: precomputation.hpp:371
nil::crypto3::zk::components::precompute_G2_component_addition_step::compute_gamma
std::shared_ptr< typename component_policy::Fqe_mul_component_type > compute_gamma
Definition: precomputation.hpp:372
nil::crypto3::zk::components::precompute_G2_component_addition_step::next
precompute_G2_component_coeffs< CurveType > next
Definition: precomputation.hpp:367
nil::crypto3::zk::components::precompute_G2_component_addition_step::Q
element_g2< CurveType > Q
Definition: precomputation.hpp:368
nil::crypto3::zk::components::precompute_G2_component_addition_step::RY_plus_next_RY
std::shared_ptr< typename component_policy::Fqe_variable_type > RY_plus_next_RY
Definition: precomputation.hpp:379
nil::crypto3::zk::components::precompute_G2_component_addition_step::next_RX_plus_RX_plus_QX
std::shared_ptr< typename component_policy::Fqe_variable_type > next_RX_plus_RX_plus_QX
Definition: precomputation.hpp:375
nil::crypto3::zk::components::precompute_G2_component_addition_step::generate_r1cs_constraints
void generate_r1cs_constraints()
Definition: precomputation.hpp:412
nil::crypto3::zk::components::precompute_G2_component_addition_step::compute_next_RX
std::shared_ptr< typename component_policy::Fqe_sqr_component_type > compute_next_RX
Definition: precomputation.hpp:376
nil::crypto3::zk::components::precompute_G2_component_addition_step::fqe_type
typename CurveType::pairing::pair_curve_type::pairing::fqe_type fqe_type
Definition: precomputation.hpp:363
nil::crypto3::zk::components::precompute_G2_component_addition_step::compute_next_RY
std::shared_ptr< typename component_policy::Fqe_mul_component_type > compute_next_RY
Definition: precomputation.hpp:380
nil::crypto3::zk::components::precompute_G2_component_coeffs
Definition: precomputation.hpp:155
nil::crypto3::zk::components::precompute_G2_component_coeffs::gamma_X
std::shared_ptr< typename component_policy::Fqe_variable_type > gamma_X
Definition: precomputation.hpp:164
nil::crypto3::zk::components::precompute_G2_component_coeffs::RX
std::shared_ptr< typename component_policy::Fqe_variable_type > RX
Definition: precomputation.hpp:161
nil::crypto3::zk::components::precompute_G2_component_coeffs::RY
std::shared_ptr< typename component_policy::Fqe_variable_type > RY
Definition: precomputation.hpp:162
nil::crypto3::zk::components::precompute_G2_component_coeffs::precompute_G2_component_coeffs
precompute_G2_component_coeffs(blueprint< FieldType > &bp)
Definition: precomputation.hpp:170
nil::crypto3::zk::components::precompute_G2_component_coeffs::precompute_G2_component_coeffs
precompute_G2_component_coeffs()
Definition: precomputation.hpp:166
nil::crypto3::zk::components::precompute_G2_component_coeffs::precompute_G2_component_coeffs
precompute_G2_component_coeffs(blueprint< FieldType > &bp, const element_g2< CurveType > &Q)
Definition: precomputation.hpp:177
nil::crypto3::zk::components::precompute_G2_component_coeffs::FieldType
CurveType::pairing::fp_type FieldType
Definition: precomputation.hpp:159
nil::crypto3::zk::components::precompute_G2_component_coeffs::gamma
std::shared_ptr< typename component_policy::Fqe_variable_type > gamma
Definition: precomputation.hpp:163
nil::crypto3::zk::components::precompute_G2_component_doubling_step
Definition: precomputation.hpp:244
nil::crypto3::zk::components::precompute_G2_component_doubling_step::RY_plus_next_RY
std::shared_ptr< typename component_policy::Fqe_variable_type > RY_plus_next_RY
Definition: precomputation.hpp:265
nil::crypto3::zk::components::precompute_G2_component_doubling_step::RX_minus_next_RX
std::shared_ptr< typename component_policy::Fqe_variable_type > RX_minus_next_RX
Definition: precomputation.hpp:264
nil::crypto3::zk::components::precompute_G2_component_doubling_step::fqe_type
typename CurveType::pairing::pair_curve_type::pairing::fqe_type fqe_type
Definition: precomputation.hpp:249
nil::crypto3::zk::components::precompute_G2_component_doubling_step::compute_gamma_X
std::shared_ptr< typename component_policy::Fqe_mul_component_type > compute_gamma_X
Definition: precomputation.hpp:259
nil::crypto3::zk::components::precompute_G2_component_doubling_step::generate_r1cs_constraints
void generate_r1cs_constraints()
Definition: precomputation.hpp:301
nil::crypto3::zk::components::precompute_G2_component_doubling_step::compute_next_RX
std::shared_ptr< typename component_policy::Fqe_sqr_component_type > compute_next_RX
Definition: precomputation.hpp:262
nil::crypto3::zk::components::precompute_G2_component_doubling_step::generate_r1cs_witness
void generate_r1cs_witness()
Definition: precomputation.hpp:309
nil::crypto3::zk::components::precompute_G2_component_doubling_step::compute_gamma
std::shared_ptr< typename component_policy::Fqe_mul_component_type > compute_gamma
Definition: precomputation.hpp:258
nil::crypto3::zk::components::precompute_G2_component_doubling_step::two_RY
std::shared_ptr< typename component_policy::Fqe_variable_type > two_RY
Definition: precomputation.hpp:257
nil::crypto3::zk::components::precompute_G2_component_doubling_step::precompute_G2_component_doubling_step
precompute_G2_component_doubling_step(blueprint< FieldType > &bp, const precompute_G2_component_coeffs< CurveType > &cur, const precompute_G2_component_coeffs< CurveType > &next)
Definition: precomputation.hpp:268
nil::crypto3::zk::components::precompute_G2_component_doubling_step::next_RX_plus_two_RX
std::shared_ptr< typename component_policy::Fqe_variable_type > next_RX_plus_two_RX
Definition: precomputation.hpp:261
nil::crypto3::zk::components::precompute_G2_component_doubling_step::cur
precompute_G2_component_coeffs< CurveType > cur
Definition: precomputation.hpp:251
nil::crypto3::zk::components::precompute_G2_component_doubling_step::compute_next_RY
std::shared_ptr< typename component_policy::Fqe_mul_component_type > compute_next_RY
Definition: precomputation.hpp:266
nil::crypto3::zk::components::precompute_G2_component_doubling_step::three_RXsquared_plus_a
std::shared_ptr< typename component_policy::Fqe_variable_type > three_RXsquared_plus_a
Definition: precomputation.hpp:256
nil::crypto3::zk::components::precompute_G2_component_doubling_step::next
precompute_G2_component_coeffs< CurveType > next
Definition: precomputation.hpp:252
nil::crypto3::zk::components::precompute_G2_component_doubling_step::compute_RXsquared
std::shared_ptr< typename component_policy::Fqe_sqr_component_type > compute_RXsquared
Definition: precomputation.hpp:255
nil::crypto3::zk::components::precompute_G2_component_doubling_step::RXsquared
std::shared_ptr< typename component_policy::Fqe_variable_type > RXsquared
Definition: precomputation.hpp:254
nil::crypto3::zk::components::precompute_G2_component_doubling_step::FieldType
CurveType::pairing::fp_type FieldType
Definition: precomputation.hpp:248
nil::crypto3::zk::components::precompute_G2_component
Definition: precomputation.hpp:453
nil::crypto3::zk::components::precompute_G2_component::precompute_G2_component
precompute_G2_component(blueprint< FieldType > &bp, const element_g2< CurveType > &Q, g2_precomputation< CurveType > &precomp)
Definition: precomputation.hpp:467
nil::crypto3::zk::components::precompute_G2_component::dbl_count
std::size_t dbl_count
Definition: precomputation.hpp:463
nil::crypto3::zk::components::precompute_G2_component::generate_r1cs_constraints
void generate_r1cs_constraints()
Definition: precomputation.hpp:533
nil::crypto3::zk::components::precompute_G2_component::generate_r1cs_witness
void generate_r1cs_witness()
Definition: precomputation.hpp:543
nil::crypto3::zk::components::precompute_G2_component::add_count
std::size_t add_count
Definition: precomputation.hpp:462
nil::crypto3::zk::components::precompute_G2_component::doubling_steps
std::vector< std::shared_ptr< precompute_G2_component_doubling_step< CurveType > > > doubling_steps
Definition: precomputation.hpp:460
nil::crypto3::zk::components::precompute_G2_component::FieldType
CurveType::pairing::fp_type FieldType
Definition: precomputation.hpp:457
nil::crypto3::zk::components::precompute_G2_component::precomp
g2_precomputation< CurveType > & precomp
Definition: precomputation.hpp:465
nil::crypto3::zk::components::precompute_G2_component::addition_steps
std::vector< std::shared_ptr< precompute_G2_component_addition_step< CurveType > > > addition_steps
Definition: precomputation.hpp:459
nil::crypto3::algebra::pairing
Definition: pairing/alt_bn128.hpp:42
nil
Definition: pair.hpp:31
nil::crypto3::algebra::curves::mnt4
A struct representing a mnt4 curve.
Definition: algebra/include/nil/crypto3/algebra/curves/mnt4.hpp:46
nil::crypto3::algebra::curves::mnt6
A struct representing a mnt6 curve.
Definition: algebra/include/nil/crypto3/algebra/curves/mnt6.hpp:46