miller_loop.hpp
Go to the documentation of this file.
1 //---------------------------------------------------------------------------//
2 // Copyright (c) 2018-2021 Mikhail Komarov <nemo@nil.foundation>
3 // Copyright (c) 2020-2021 Nikita Kaskov <nbering@nil.foundation>
4 //
5 // MIT License
6 //
7 // Permission is hereby granted, free of charge, to any person obtaining a copy
8 // of this software and associated documentation files (the "Software"), to deal
9 // in the Software without restriction, including without limitation the rights
10 // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 // copies of the Software, and to permit persons to whom the Software is
12 // furnished to do so, subject to the following conditions:
13 //
14 // The above copyright notice and this permission notice shall be included in all
15 // copies or substantial portions of the Software.
16 //
17 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 // SOFTWARE.
24 //---------------------------------------------------------------------------//
25 // @file Declaration of interfaces for components for Miller loops.
26 //
27 // The components verify computations of (single or multiple simultaneous) Miller loops.
28 //---------------------------------------------------------------------------//
29 
30 #ifndef CRYPTO3_ZK_BLUEPRINT_WEIERSTRASS_MILLER_LOOP_HPP
31 #define CRYPTO3_ZK_BLUEPRINT_WEIERSTRASS_MILLER_LOOP_HPP
32 
33 #include <memory>
34 
35 #include <nil/crypto3/algebra/algorithms/pair.hpp>
36 
37 #include <nil/crypto3/zk/components/algebra/pairing/detail/mnt4.hpp>
38 #include <nil/crypto3/zk/components/algebra/pairing/detail/mnt6.hpp>
39 
40 #include <nil/crypto3/zk/components/algebra/pairing/weierstrass/precomputation.hpp>
41 
42 namespace nil {
43  namespace crypto3 {
44  namespace zk {
45  namespace components {
46 
47  using namespace nil::crypto3::algebra::pairing;
48 
61  template<typename CurveType>
62  class mnt_miller_loop_dbl_line_eval : public component<typename CurveType::scalar_field_type> {
63 
64  typedef typename CurveType::pairing::fp_type field_type;
65  using fqe_type = typename CurveType::pairing::pair_curve_type::pairing::fqe_type;
66 
67  using component_policy = detail::basic_pairing_component_policy<CurveType>;
68 
69  public:
70  g1_precomputation<CurveType> prec_P;
71  precompute_G2_component_coeffs<CurveType> c;
72  std::shared_ptr<typename component_policy::Fqk_variable_type>
73  &g_RR_at_P; // reference from outside
74 
75  std::shared_ptr<typename component_policy::Fqe_variable_type> gamma_twist;
76  std::shared_ptr<typename component_policy::Fqe_variable_type> g_RR_at_P_c1;
77  std::shared_ptr<typename component_policy::Fqe_mul_by_lc_component_type> compute_g_RR_at_P_c1;
78 
79  mnt_miller_loop_dbl_line_eval(
80  blueprint<field_type> &bp,
81  const g1_precomputation<CurveType> &prec_P,
82  const precompute_G2_component_coeffs<CurveType> &c,
83  std::shared_ptr<typename component_policy::Fqk_variable_type> &g_RR_at_P) :
84  component<field_type>(bp),
85  prec_P(prec_P), c(c), g_RR_at_P(g_RR_at_P) {
86 
87  gamma_twist.reset(new typename component_policy::Fqe_variable_type(c.gamma->mul_by_X()));
88  // prec_P.PX * c.gamma_twist = c.gamma_X - c.old_RY - g_RR_at_P_c1
89  if (gamma_twist->is_constant()) {
90  gamma_twist->evaluate();
91  const typename fqe_type::value_type gamma_twist_const = gamma_twist->get_element();
92  g_RR_at_P_c1.reset(new typename component_policy::Fqe_variable_type(
93  typename component_policy::Fqe_variable_type(this->bp, -gamma_twist_const,
94  prec_P.P->X) +
95  *(c.gamma_X) + *(c.RY) * (-field_type::value_type::one())));
96  } else if (prec_P.P->X.is_constant()) {
97  prec_P.P->X.evaluate(bp);
98  const typename field_type::value_type P_X_const = prec_P.P->X.constant_term();
99  g_RR_at_P_c1.reset(new typename component_policy::Fqe_variable_type(
100  *gamma_twist * (-P_X_const) + *(c.gamma_X) +
101  *(c.RY) * (-field_type::value_type::one())));
102  } else {
103  g_RR_at_P_c1.reset(new typename component_policy::Fqe_variable_type(bp));
104  compute_g_RR_at_P_c1.reset(new typename component_policy::Fqe_mul_by_lc_component_type(
105  bp, *gamma_twist, prec_P.P->X,
106  *(c.gamma_X) + *(c.RY) * (-field_type::value_type::one()) +
107  (*g_RR_at_P_c1) * (-field_type::value_type::one())));
108  }
109  g_RR_at_P.reset(new typename component_policy::Fqk_variable_type(bp, *(prec_P.PY_twist_squared),
110  *g_RR_at_P_c1));
111  }
112 
113  void generate_r1cs_constraints() {
114  if (!gamma_twist->is_constant() && !prec_P.P->X.is_constant()) {
115  compute_g_RR_at_P_c1->generate_r1cs_constraints();
116  }
117  }
118 
119  void generate_r1cs_witness() {
120  gamma_twist->evaluate();
121  const typename fqe_type::value_type gamma_twist_val = gamma_twist->get_element();
122  const typename field_type::value_type PX_val = this->bp.lc_val(prec_P.P->X);
123  const typename fqe_type::value_type gamma_X_val = c.gamma_X->get_element();
124  const typename fqe_type::value_type RY_val = c.RY->get_element();
125  const typename fqe_type::value_type g_RR_at_P_c1_val =
126  -PX_val * gamma_twist_val + gamma_X_val - RY_val;
127  g_RR_at_P_c1->generate_r1cs_witness(g_RR_at_P_c1_val);
128 
129  if (!gamma_twist->is_constant() && !prec_P.P->X.is_constant()) {
130  compute_g_RR_at_P_c1->generate_r1cs_witness();
131  }
132  g_RR_at_P->evaluate();
133  }
134  };
135 
148  template<typename CurveType>
149  class mnt_miller_loop_add_line_eval : public component<typename CurveType::scalar_field_type> {
150 
151  typedef typename CurveType::pairing::fp_type field_type;
152  using fqe_type = typename CurveType::pairing::pair_curve_type::pairing::fqe_type;
153 
154  using component_policy = detail::basic_pairing_component_policy<CurveType>;
155 
156  public:
157  bool invert_Q;
158  g1_precomputation<CurveType> prec_P;
159  precompute_G2_component_coeffs<CurveType> c;
160  element_g2<CurveType> Q;
161  std::shared_ptr<typename component_policy::Fqk_variable_type>
162  &g_RQ_at_P; // reference from outside
163 
164  std::shared_ptr<typename component_policy::Fqe_variable_type> gamma_twist;
165  std::shared_ptr<typename component_policy::Fqe_variable_type> g_RQ_at_P_c1;
166  std::shared_ptr<typename component_policy::Fqe_mul_by_lc_component_type> compute_g_RQ_at_P_c1;
167 
168  mnt_miller_loop_add_line_eval(
169  blueprint<field_type> &bp,
170  const bool invert_Q,
171  const g1_precomputation<CurveType> &prec_P,
172  const precompute_G2_component_coeffs<CurveType> &c,
173  const element_g2<CurveType> &Q,
174  std::shared_ptr<typename component_policy::Fqk_variable_type> &g_RQ_at_P) :
175  component<field_type>(bp),
176  invert_Q(invert_Q), prec_P(prec_P), c(c), Q(Q), g_RQ_at_P(g_RQ_at_P) {
177  gamma_twist.reset(new typename component_policy::Fqe_variable_type(c.gamma->mul_by_X()));
178  // prec_P.PX * c.gamma_twist = c.gamma_X - prec_Q.QY - g_RQ_at_P_c1
179  if (gamma_twist->is_constant()) {
180  gamma_twist->evaluate();
181  const typename fqe_type::value_type gamma_twist_const = gamma_twist->get_element();
182  g_RQ_at_P_c1.reset(new typename component_policy::Fqe_variable_type(
183  typename component_policy::Fqe_variable_type(this->bp, -gamma_twist_const,
184  prec_P.P->X) +
185  *(c.gamma_X) +
186  *(Q.Y) * (!invert_Q ? -field_type::value_type::one() : field_type::value_type::one())));
187  } else if (prec_P.P->X.is_constant()) {
188  prec_P.P->X.evaluate(bp);
189  const typename field_type::value_type P_X_const = prec_P.P->X.constant_term();
190  g_RQ_at_P_c1.reset(new typename component_policy::Fqe_variable_type(
191  *gamma_twist * (-P_X_const) + *(c.gamma_X) +
192  *(Q.Y) * (!invert_Q ? -field_type::value_type::one() : field_type::value_type::one())));
193  } else {
194  g_RQ_at_P_c1.reset(new typename component_policy::Fqe_variable_type(bp));
195  compute_g_RQ_at_P_c1.reset(new typename component_policy::Fqe_mul_by_lc_component_type(
196  bp, *gamma_twist, prec_P.P->X,
197  *(c.gamma_X) +
198  *(Q.Y) *
199  (!invert_Q ? -field_type::value_type::one() : field_type::value_type::one()) +
200  (*g_RQ_at_P_c1) * (-field_type::value_type::one())));
201  }
202  g_RQ_at_P.reset(new typename component_policy::Fqk_variable_type(bp, *(prec_P.PY_twist_squared),
203  *g_RQ_at_P_c1));
204  }
205  void generate_r1cs_constraints() {
206  if (!gamma_twist->is_constant() && !prec_P.P->X.is_constant()) {
207  compute_g_RQ_at_P_c1->generate_r1cs_constraints();
208  }
209  }
210  void generate_r1cs_witness() {
211  gamma_twist->evaluate();
212  const typename fqe_type::value_type gamma_twist_val = gamma_twist->get_element();
213  const typename field_type::value_type PX_val = this->bp.lc_val(prec_P.P->X);
214  const typename fqe_type::value_type gamma_X_val = c.gamma_X->get_element();
215  const typename fqe_type::value_type QY_val = Q.Y->get_element();
216  const typename fqe_type::value_type g_RQ_at_P_c1_val =
217  -PX_val * gamma_twist_val + gamma_X_val + (!invert_Q ? -QY_val : QY_val);
218  g_RQ_at_P_c1->generate_r1cs_witness(g_RQ_at_P_c1_val);
219 
220  if (!gamma_twist->is_constant() && !prec_P.P->X.is_constant()) {
221  compute_g_RQ_at_P_c1->generate_r1cs_witness();
222  }
223  g_RQ_at_P->evaluate();
224  }
225  };
226 
230  template<typename CurveType>
231  class mnt_miller_loop_component : public component<typename CurveType::scalar_field_type> {
232 
233  typedef typename CurveType::pairing::fp_type field_type;
234  using fqk_type = typename CurveType::pairing::pair_curve_type::pairing::fqk_type;
235 
236  using component_policy = detail::basic_pairing_component_policy<CurveType>;
237 
238  public:
239  std::vector<std::shared_ptr<typename component_policy::Fqk_variable_type>> g_RR_at_Ps;
240  std::vector<std::shared_ptr<typename component_policy::Fqk_variable_type>> g_RQ_at_Ps;
241  std::vector<std::shared_ptr<typename component_policy::Fqk_variable_type>> fs;
242 
243  std::vector<std::shared_ptr<mnt_miller_loop_add_line_eval<CurveType>>> addition_steps;
244  std::vector<std::shared_ptr<mnt_miller_loop_dbl_line_eval<CurveType>>> doubling_steps;
245 
246  std::vector<std::shared_ptr<typename component_policy::Fqk_special_mul_component_type>> dbl_muls;
247  std::vector<std::shared_ptr<typename component_policy::Fqk_sqr_component_type>> dbl_sqrs;
248  std::vector<std::shared_ptr<typename component_policy::Fqk_special_mul_component_type>> add_muls;
249 
250  std::size_t f_count;
251  std::size_t add_count;
252  std::size_t dbl_count;
253 
254  g1_precomputation<CurveType> prec_P;
255  g2_precomputation<CurveType> prec_Q;
256  typename component_policy::Fqk_variable_type result;
257 
258  mnt_miller_loop_component(blueprint<field_type> &bp,
259  const g1_precomputation<CurveType> &prec_P,
260  const g2_precomputation<CurveType> &prec_Q,
261  const typename component_policy::Fqk_variable_type &result) :
262  component<field_type>(bp),
263  prec_P(prec_P), prec_Q(prec_Q), result(result) {
264 
265  f_count = add_count = dbl_count = 0;
266 
267  bool found_nonzero = false;
268  std::vector<long> NAF = find_wnaf(1, CurveType::pairing::pairing_loop_count);
269  for (long i = NAF.size() - 1; i >= 0; --i) {
270  if (!found_nonzero) {
271  /* this skips the MSB itself */
272  found_nonzero |= (NAF[i] != 0);
273  continue;
274  }
275 
276  ++dbl_count;
277  f_count += 2;
278 
279  if (NAF[i] != 0) {
280  ++add_count;
281  f_count += 1;
282  }
283  }
284 
285  fs.resize(f_count);
286  doubling_steps.resize(dbl_count);
287  addition_steps.resize(add_count);
288  g_RR_at_Ps.resize(dbl_count);
289  g_RQ_at_Ps.resize(add_count);
290 
291  for (std::size_t i = 0; i < f_count; ++i) {
292  fs[i].reset(new typename component_policy::Fqk_variable_type(bp));
293  }
294 
295  dbl_sqrs.resize(dbl_count);
296  dbl_muls.resize(dbl_count);
297  add_muls.resize(add_count);
298 
299  std::size_t add_id = 0;
300  std::size_t dbl_id = 0;
301  std::size_t f_id = 0;
302  std::size_t prec_id = 0;
303 
304  found_nonzero = false;
305  for (long i = NAF.size() - 1; i >= 0; --i) {
306  if (!found_nonzero) {
307  /* this skips the MSB itself */
308  found_nonzero |= (NAF[i] != 0);
309  continue;
310  }
311 
312  doubling_steps[dbl_id].reset(new mnt_miller_loop_dbl_line_eval<CurveType>(
313  bp, prec_P, *prec_Q.coeffs[prec_id], g_RR_at_Ps[dbl_id]));
314  ++prec_id;
315  dbl_sqrs[dbl_id].reset(
316  new typename component_policy::Fqk_sqr_component_type(bp, *fs[f_id], *fs[f_id + 1]));
317  ++f_id;
318  dbl_muls[dbl_id].reset(new typename component_policy::Fqk_special_mul_component_type(
319  bp, *fs[f_id], *g_RR_at_Ps[dbl_id], (f_id + 1 == f_count ? result : *fs[f_id + 1])));
320  ++f_id;
321  ++dbl_id;
322 
323  if (NAF[i] != 0) {
324  addition_steps[add_id].reset(new mnt_miller_loop_add_line_eval<CurveType>(
325  bp, NAF[i] < 0, prec_P, *prec_Q.coeffs[prec_id], *prec_Q.Q, g_RQ_at_Ps[add_id]));
326  ++prec_id;
327  add_muls[add_id].reset(new typename component_policy::Fqk_special_mul_component_type(
328  bp, *fs[f_id], *g_RQ_at_Ps[add_id],
329  (f_id + 1 == f_count ? result : *fs[f_id + 1])));
330  ++f_id;
331  ++add_id;
332  }
333  }
334  }
335  void generate_r1cs_constraints() {
336  fs[0]->generate_r1cs_equals_const_constraints(fqk_type::value_type::one());
337 
338  for (std::size_t i = 0; i < dbl_count; ++i) {
339  doubling_steps[i]->generate_r1cs_constraints();
340  dbl_sqrs[i]->generate_r1cs_constraints();
341  dbl_muls[i]->generate_r1cs_constraints();
342  }
343 
344  for (std::size_t i = 0; i < add_count; ++i) {
345  addition_steps[i]->generate_r1cs_constraints();
346  add_muls[i]->generate_r1cs_constraints();
347  }
348  }
349  void generate_r1cs_witness() {
350  fs[0]->generate_r1cs_witness(fqk_type::value_type::one());
351 
352  std::size_t add_id = 0;
353  std::size_t dbl_id = 0;
354 
355  bool found_nonzero = false;
356  std::vector<long> NAF = find_wnaf(1, CurveType::pairing::pairing_loop_count);
357  for (long i = NAF.size() - 1; i >= 0; --i) {
358  if (!found_nonzero) {
359  /* this skips the MSB itself */
360  found_nonzero |= (NAF[i] != 0);
361  continue;
362  }
363 
364  doubling_steps[dbl_id]->generate_r1cs_witness();
365  dbl_sqrs[dbl_id]->generate_r1cs_witness();
366  dbl_muls[dbl_id]->generate_r1cs_witness();
367  ++dbl_id;
368 
369  if (NAF[i] != 0) {
370  addition_steps[add_id]->generate_r1cs_witness();
371  add_muls[add_id]->generate_r1cs_witness();
372  ++add_id;
373  }
374  }
375  }
376  };
377 
381  template<typename CurveType>
382  class mnt_e_over_e_miller_loop_component : public component<typename CurveType::scalar_field_type> {
383 
384  typedef typename CurveType::pairing::fp_type field_type;
385  using fqe_type = typename CurveType::pairing::pair_curve_type::pairing::fqe_type;
386  using fqk_type = typename CurveType::pairing::pair_curve_type::pairing::fqk_type;
387 
388  using component_policy = detail::basic_pairing_component_policy<CurveType>;
389 
390  public:
391  std::vector<std::shared_ptr<typename component_policy::Fqk_variable_type>> g_RR_at_P1s;
392  std::vector<std::shared_ptr<typename component_policy::Fqk_variable_type>> g_RQ_at_P1s;
393  std::vector<std::shared_ptr<typename component_policy::Fqk_variable_type>> g_RR_at_P2s;
394  std::vector<std::shared_ptr<typename component_policy::Fqk_variable_type>> g_RQ_at_P2s;
395  std::vector<std::shared_ptr<typename component_policy::Fqk_variable_type>> fs;
396 
397  std::vector<std::shared_ptr<mnt_miller_loop_add_line_eval<CurveType>>> addition_steps1;
398  std::vector<std::shared_ptr<mnt_miller_loop_dbl_line_eval<CurveType>>> doubling_steps1;
399  std::vector<std::shared_ptr<mnt_miller_loop_add_line_eval<CurveType>>> addition_steps2;
400  std::vector<std::shared_ptr<mnt_miller_loop_dbl_line_eval<CurveType>>> doubling_steps2;
401 
402  std::vector<std::shared_ptr<typename component_policy::Fqk_sqr_component_type>> dbl_sqrs;
403  std::vector<std::shared_ptr<typename component_policy::Fqk_special_mul_component_type>> dbl_muls1;
404  std::vector<std::shared_ptr<typename component_policy::Fqk_special_mul_component_type>> add_muls1;
405  std::vector<std::shared_ptr<typename component_policy::Fqk_special_mul_component_type>> dbl_muls2;
406  std::vector<std::shared_ptr<typename component_policy::Fqk_special_mul_component_type>> add_muls2;
407 
408  std::size_t f_count;
409  std::size_t add_count;
410  std::size_t dbl_count;
411 
412  g1_precomputation<CurveType> prec_P1;
413  g2_precomputation<CurveType> prec_Q1;
414  g1_precomputation<CurveType> prec_P2;
415  g2_precomputation<CurveType> prec_Q2;
416  typename component_policy::Fqk_variable_type result;
417 
418  mnt_e_over_e_miller_loop_component(blueprint<field_type> &bp,
419  const g1_precomputation<CurveType> &prec_P1,
420  const g2_precomputation<CurveType> &prec_Q1,
421  const g1_precomputation<CurveType> &prec_P2,
422  const g2_precomputation<CurveType> &prec_Q2,
423  const typename component_policy::Fqk_variable_type &result) :
424  component<field_type>(bp),
425  prec_P1(prec_P1), prec_Q1(prec_Q1), prec_P2(prec_P2), prec_Q2(prec_Q2), result(result) {
426 
427  f_count = add_count = dbl_count = 0;
428 
429  bool found_nonzero = false;
430  std::vector<long> NAF = find_wnaf(1, CurveType::pairing::pairing_loop_count);
431 
432  for (long i = NAF.size() - 1; i >= 0; --i) {
433  if (!found_nonzero) {
434  /* this skips the MSB itself */
435  found_nonzero |= (NAF[i] != 0);
436  continue;
437  }
438 
439  ++dbl_count;
440  f_count += 3;
441 
442  if (NAF[i] != 0) {
443  ++add_count;
444  f_count += 2;
445  }
446  }
447 
448  fs.resize(f_count);
449  doubling_steps1.resize(dbl_count);
450  addition_steps1.resize(add_count);
451  doubling_steps2.resize(dbl_count);
452  addition_steps2.resize(add_count);
453  g_RR_at_P1s.resize(dbl_count);
454  g_RQ_at_P1s.resize(add_count);
455  g_RR_at_P2s.resize(dbl_count);
456  g_RQ_at_P2s.resize(add_count);
457 
458  for (std::size_t i = 0; i < f_count; ++i) {
459  fs[i].reset(new typename component_policy::Fqk_variable_type(bp));
460  }
461 
462  dbl_sqrs.resize(dbl_count);
463  dbl_muls1.resize(dbl_count);
464  add_muls1.resize(add_count);
465  dbl_muls2.resize(dbl_count);
466  add_muls2.resize(add_count);
467 
468  std::size_t add_id = 0;
469  std::size_t dbl_id = 0;
470  std::size_t f_id = 0;
471  std::size_t prec_id = 0;
472 
473  found_nonzero = false;
474  for (long i = NAF.size() - 1; i >= 0; --i) {
475  if (!found_nonzero) {
476  /* this skips the MSB itself */
477  found_nonzero |= (NAF[i] != 0);
478  continue;
479  }
480 
481  doubling_steps1[dbl_id].reset(new mnt_miller_loop_dbl_line_eval<CurveType>(
482  bp, prec_P1, *prec_Q1.coeffs[prec_id], g_RR_at_P1s[dbl_id]));
483  doubling_steps2[dbl_id].reset(new mnt_miller_loop_dbl_line_eval<CurveType>(
484  bp, prec_P2, *prec_Q2.coeffs[prec_id], g_RR_at_P2s[dbl_id]));
485  ++prec_id;
486 
487  dbl_sqrs[dbl_id].reset(
488  new typename component_policy::Fqk_sqr_component_type(bp, *fs[f_id], *fs[f_id + 1]));
489  ++f_id;
490  dbl_muls1[dbl_id].reset(new typename component_policy::Fqk_special_mul_component_type(
491  bp, *fs[f_id], *g_RR_at_P1s[dbl_id], *fs[f_id + 1]));
492  ++f_id;
493  dbl_muls2[dbl_id].reset(new typename component_policy::Fqk_special_mul_component_type(
494  bp, (f_id + 1 == f_count ? result : *fs[f_id + 1]), *g_RR_at_P2s[dbl_id], *fs[f_id]));
495  ++f_id;
496  ++dbl_id;
497 
498  if (NAF[i] != 0) {
499  addition_steps1[add_id].reset(new mnt_miller_loop_add_line_eval<CurveType>(
500  bp, NAF[i] < 0, prec_P1, *prec_Q1.coeffs[prec_id], *prec_Q1.Q,
501  g_RQ_at_P1s[add_id]));
502  addition_steps2[add_id].reset(new mnt_miller_loop_add_line_eval<CurveType>(
503  bp, NAF[i] < 0, prec_P2, *prec_Q2.coeffs[prec_id], *prec_Q2.Q,
504  g_RQ_at_P2s[add_id]));
505  ++prec_id;
506  add_muls1[add_id].reset(new typename component_policy::Fqk_special_mul_component_type(
507  bp, *fs[f_id], *g_RQ_at_P1s[add_id], *fs[f_id + 1]));
508  ++f_id;
509  add_muls2[add_id].reset(new typename component_policy::Fqk_special_mul_component_type(
510  bp, (f_id + 1 == f_count ? result : *fs[f_id + 1]), *g_RQ_at_P2s[add_id],
511  *fs[f_id]));
512  ++f_id;
513  ++add_id;
514  }
515  }
516  }
517  void generate_r1cs_constraints() {
518  fs[0]->generate_r1cs_equals_const_constraints(fqk_type::value_type::one());
519 
520  for (std::size_t i = 0; i < dbl_count; ++i) {
521  doubling_steps1[i]->generate_r1cs_constraints();
522  doubling_steps2[i]->generate_r1cs_constraints();
523  dbl_sqrs[i]->generate_r1cs_constraints();
524  dbl_muls1[i]->generate_r1cs_constraints();
525  dbl_muls2[i]->generate_r1cs_constraints();
526  }
527 
528  for (std::size_t i = 0; i < add_count; ++i) {
529  addition_steps1[i]->generate_r1cs_constraints();
530  addition_steps2[i]->generate_r1cs_constraints();
531  add_muls1[i]->generate_r1cs_constraints();
532  add_muls2[i]->generate_r1cs_constraints();
533  }
534  }
535  void generate_r1cs_witness() {
536  fs[0]->generate_r1cs_witness(fqk_type::value_type::one());
537 
538  std::size_t add_id = 0;
539  std::size_t dbl_id = 0;
540  std::size_t f_id = 0;
541 
542  bool found_nonzero = false;
543  std::vector<long> NAF = find_wnaf(1, CurveType::pairing::pairing_loop_count);
544 
545  for (long i = NAF.size() - 1; i >= 0; --i) {
546  if (!found_nonzero) {
547  /* this skips the MSB itself */
548  found_nonzero |= (NAF[i] != 0);
549  continue;
550  }
551 
552  doubling_steps1[dbl_id]->generate_r1cs_witness();
553  doubling_steps2[dbl_id]->generate_r1cs_witness();
554  dbl_sqrs[dbl_id]->generate_r1cs_witness();
555  ++f_id;
556  dbl_muls1[dbl_id]->generate_r1cs_witness();
557  ++f_id;
558  (f_id + 1 == f_count ? result : *fs[f_id + 1])
559  .generate_r1cs_witness(fs[f_id]->get_element() *
560  g_RR_at_P2s[dbl_id]->get_element().inversed());
561  dbl_muls2[dbl_id]->generate_r1cs_witness();
562  ++f_id;
563  ++dbl_id;
564 
565  if (NAF[i] != 0) {
566  addition_steps1[add_id]->generate_r1cs_witness();
567  addition_steps2[add_id]->generate_r1cs_witness();
568  add_muls1[add_id]->generate_r1cs_witness();
569  ++f_id;
570  (f_id + 1 == f_count ? result : *fs[f_id + 1])
571  .generate_r1cs_witness(fs[f_id]->get_element() *
572  g_RQ_at_P2s[add_id]->get_element().inversed());
573  add_muls2[add_id]->generate_r1cs_witness();
574  ++f_id;
575  ++add_id;
576  }
577  }
578  }
579  };
580 
584  template<typename CurveType>
585  class mnt_e_times_e_over_e_miller_loop_component
586  : public component<typename CurveType::scalar_field_type> {
587 
588  typedef typename CurveType::pairing::fp_type field_type;
589  using fqe_type = typename CurveType::pairing::pair_curve_type::pairing::fqe_type;
590  using fqk_type = typename CurveType::pairing::pair_curve_type::pairing::fqk_type;
591 
592  using component_policy = detail::basic_pairing_component_policy<CurveType>;
593 
594  public:
595  std::vector<std::shared_ptr<typename component_policy::Fqk_variable_type>> g_RR_at_P1s;
596  std::vector<std::shared_ptr<typename component_policy::Fqk_variable_type>> g_RQ_at_P1s;
597  std::vector<std::shared_ptr<typename component_policy::Fqk_variable_type>> g_RR_at_P2s;
598  std::vector<std::shared_ptr<typename component_policy::Fqk_variable_type>> g_RQ_at_P2s;
599  std::vector<std::shared_ptr<typename component_policy::Fqk_variable_type>> g_RR_at_P3s;
600  std::vector<std::shared_ptr<typename component_policy::Fqk_variable_type>> g_RQ_at_P3s;
601  std::vector<std::shared_ptr<typename component_policy::Fqk_variable_type>> fs;
602 
603  std::vector<std::shared_ptr<mnt_miller_loop_add_line_eval<CurveType>>> addition_steps1;
604  std::vector<std::shared_ptr<mnt_miller_loop_dbl_line_eval<CurveType>>> doubling_steps1;
605  std::vector<std::shared_ptr<mnt_miller_loop_add_line_eval<CurveType>>> addition_steps2;
606  std::vector<std::shared_ptr<mnt_miller_loop_dbl_line_eval<CurveType>>> doubling_steps2;
607  std::vector<std::shared_ptr<mnt_miller_loop_add_line_eval<CurveType>>> addition_steps3;
608  std::vector<std::shared_ptr<mnt_miller_loop_dbl_line_eval<CurveType>>> doubling_steps3;
609 
610  std::vector<std::shared_ptr<typename component_policy::Fqk_sqr_component_type>> dbl_sqrs;
611  std::vector<std::shared_ptr<typename component_policy::Fqk_special_mul_component_type>> dbl_muls1;
612  std::vector<std::shared_ptr<typename component_policy::Fqk_special_mul_component_type>> add_muls1;
613  std::vector<std::shared_ptr<typename component_policy::Fqk_special_mul_component_type>> dbl_muls2;
614  std::vector<std::shared_ptr<typename component_policy::Fqk_special_mul_component_type>> add_muls2;
615  std::vector<std::shared_ptr<typename component_policy::Fqk_special_mul_component_type>> dbl_muls3;
616  std::vector<std::shared_ptr<typename component_policy::Fqk_special_mul_component_type>> add_muls3;
617 
618  std::size_t f_count;
619  std::size_t add_count;
620  std::size_t dbl_count;
621 
622  g1_precomputation<CurveType> prec_P1;
623  g2_precomputation<CurveType> prec_Q1;
624  g1_precomputation<CurveType> prec_P2;
625  g2_precomputation<CurveType> prec_Q2;
626  g1_precomputation<CurveType> prec_P3;
627  g2_precomputation<CurveType> prec_Q3;
628  typename component_policy::Fqk_variable_type result;
629 
630  mnt_e_times_e_over_e_miller_loop_component(
631  blueprint<field_type> &bp,
632  const g1_precomputation<CurveType> &prec_P1,
633  const g2_precomputation<CurveType> &prec_Q1,
634  const g1_precomputation<CurveType> &prec_P2,
635  const g2_precomputation<CurveType> &prec_Q2,
636  const g1_precomputation<CurveType> &prec_P3,
637  const g2_precomputation<CurveType> &prec_Q3,
638  const typename component_policy::Fqk_variable_type &result) :
639  component<field_type>(bp),
640  prec_P1(prec_P1), prec_Q1(prec_Q1), prec_P2(prec_P2), prec_Q2(prec_Q2), prec_P3(prec_P3),
641  prec_Q3(prec_Q3), result(result) {
642 
643  f_count = add_count = dbl_count = 0;
644 
645  bool found_nonzero = false;
646  std::vector<long> NAF = find_wnaf(1, CurveType::pairing::pairing_loop_count);
647 
648  for (long i = NAF.size() - 1; i >= 0; --i) {
649  if (!found_nonzero) {
650  /* this skips the MSB itself */
651  found_nonzero |= (NAF[i] != 0);
652  continue;
653  }
654 
655  ++dbl_count;
656  f_count += 4;
657 
658  if (NAF[i] != 0) {
659  ++add_count;
660  f_count += 3;
661  }
662  }
663 
664  fs.resize(f_count);
665  doubling_steps1.resize(dbl_count);
666  addition_steps1.resize(add_count);
667  doubling_steps2.resize(dbl_count);
668  addition_steps2.resize(add_count);
669  doubling_steps3.resize(dbl_count);
670  addition_steps3.resize(add_count);
671  g_RR_at_P1s.resize(dbl_count);
672  g_RQ_at_P1s.resize(add_count);
673  g_RR_at_P2s.resize(dbl_count);
674  g_RQ_at_P2s.resize(add_count);
675  g_RR_at_P3s.resize(dbl_count);
676  g_RQ_at_P3s.resize(add_count);
677 
678  for (std::size_t i = 0; i < f_count; ++i) {
679  fs[i].reset(new typename component_policy::Fqk_variable_type(bp));
680  }
681 
682  dbl_sqrs.resize(dbl_count);
683  dbl_muls1.resize(dbl_count);
684  add_muls1.resize(add_count);
685  dbl_muls2.resize(dbl_count);
686  add_muls2.resize(add_count);
687  dbl_muls3.resize(dbl_count);
688  add_muls3.resize(add_count);
689 
690  std::size_t add_id = 0;
691  std::size_t dbl_id = 0;
692  std::size_t f_id = 0;
693  std::size_t prec_id = 0;
694 
695  found_nonzero = false;
696  for (long i = NAF.size() - 1; i >= 0; --i) {
697  if (!found_nonzero) {
698  /* this skips the MSB itself */
699  found_nonzero |= (NAF[i] != 0);
700  continue;
701  }
702 
703  doubling_steps1[dbl_id].reset(new mnt_miller_loop_dbl_line_eval<CurveType>(
704  bp, prec_P1, *prec_Q1.coeffs[prec_id], g_RR_at_P1s[dbl_id]));
705  doubling_steps2[dbl_id].reset(new mnt_miller_loop_dbl_line_eval<CurveType>(
706  bp, prec_P2, *prec_Q2.coeffs[prec_id], g_RR_at_P2s[dbl_id]));
707  doubling_steps3[dbl_id].reset(new mnt_miller_loop_dbl_line_eval<CurveType>(
708  bp, prec_P3, *prec_Q3.coeffs[prec_id], g_RR_at_P3s[dbl_id]));
709  ++prec_id;
710 
711  dbl_sqrs[dbl_id].reset(
712  new typename component_policy::Fqk_sqr_component_type(bp, *fs[f_id], *fs[f_id + 1]));
713  ++f_id;
714  dbl_muls1[dbl_id].reset(new typename component_policy::Fqk_special_mul_component_type(
715  bp, *fs[f_id], *g_RR_at_P1s[dbl_id], *fs[f_id + 1]));
716  ++f_id;
717  dbl_muls2[dbl_id].reset(new typename component_policy::Fqk_special_mul_component_type(
718  bp, *fs[f_id], *g_RR_at_P2s[dbl_id], *fs[f_id + 1]));
719  ++f_id;
720  dbl_muls3[dbl_id].reset(new typename component_policy::Fqk_special_mul_component_type(
721  bp, (f_id + 1 == f_count ? result : *fs[f_id + 1]), *g_RR_at_P3s[dbl_id], *fs[f_id]));
722  ++f_id;
723  ++dbl_id;
724 
725  if (NAF[i] != 0) {
726  addition_steps1[add_id].reset(new mnt_miller_loop_add_line_eval<CurveType>(
727  bp, NAF[i] < 0, prec_P1, *prec_Q1.coeffs[prec_id], *prec_Q1.Q,
728  g_RQ_at_P1s[add_id]));
729  addition_steps2[add_id].reset(new mnt_miller_loop_add_line_eval<CurveType>(
730  bp, NAF[i] < 0, prec_P2, *prec_Q2.coeffs[prec_id], *prec_Q2.Q,
731  g_RQ_at_P2s[add_id]));
732  addition_steps3[add_id].reset(new mnt_miller_loop_add_line_eval<CurveType>(
733  bp, NAF[i] < 0, prec_P3, *prec_Q3.coeffs[prec_id], *prec_Q3.Q,
734  g_RQ_at_P3s[add_id]));
735  ++prec_id;
736  add_muls1[add_id].reset(new typename component_policy::Fqk_special_mul_component_type(
737  bp, *fs[f_id], *g_RQ_at_P1s[add_id], *fs[f_id + 1]));
738  ++f_id;
739  add_muls2[add_id].reset(new typename component_policy::Fqk_special_mul_component_type(
740  bp, *fs[f_id], *g_RQ_at_P2s[add_id], *fs[f_id + 1]));
741  ++f_id;
742  add_muls3[add_id].reset(new typename component_policy::Fqk_special_mul_component_type(
743  bp, (f_id + 1 == f_count ? result : *fs[f_id + 1]), *g_RQ_at_P3s[add_id],
744  *fs[f_id]));
745  ++f_id;
746  ++add_id;
747  }
748  }
749  }
750  void generate_r1cs_constraints() {
751  fs[0]->generate_r1cs_equals_const_constraints(fqk_type::value_type::one());
752 
753  for (std::size_t i = 0; i < dbl_count; ++i) {
754  doubling_steps1[i]->generate_r1cs_constraints();
755  doubling_steps2[i]->generate_r1cs_constraints();
756  doubling_steps3[i]->generate_r1cs_constraints();
757  dbl_sqrs[i]->generate_r1cs_constraints();
758  dbl_muls1[i]->generate_r1cs_constraints();
759  dbl_muls2[i]->generate_r1cs_constraints();
760  dbl_muls3[i]->generate_r1cs_constraints();
761  }
762 
763  for (std::size_t i = 0; i < add_count; ++i) {
764  addition_steps1[i]->generate_r1cs_constraints();
765  addition_steps2[i]->generate_r1cs_constraints();
766  addition_steps3[i]->generate_r1cs_constraints();
767  add_muls1[i]->generate_r1cs_constraints();
768  add_muls2[i]->generate_r1cs_constraints();
769  add_muls3[i]->generate_r1cs_constraints();
770  }
771  }
772  void generate_r1cs_witness() {
773  fs[0]->generate_r1cs_witness(fqk_type::value_type::one());
774 
775  std::size_t add_id = 0;
776  std::size_t dbl_id = 0;
777  std::size_t f_id = 0;
778 
779  bool found_nonzero = false;
780  std::vector<long> NAF = find_wnaf(1, CurveType::pairing::pairing_loop_count);
781 
782  for (long i = NAF.size() - 1; i >= 0; --i) {
783  if (!found_nonzero) {
784  /* this skips the MSB itself */
785  found_nonzero |= (NAF[i] != 0);
786  continue;
787  }
788 
789  doubling_steps1[dbl_id]->generate_r1cs_witness();
790  doubling_steps2[dbl_id]->generate_r1cs_witness();
791  doubling_steps3[dbl_id]->generate_r1cs_witness();
792  dbl_sqrs[dbl_id]->generate_r1cs_witness();
793  ++f_id;
794  dbl_muls1[dbl_id]->generate_r1cs_witness();
795  ++f_id;
796  dbl_muls2[dbl_id]->generate_r1cs_witness();
797  ++f_id;
798  (f_id + 1 == f_count ? result : *fs[f_id + 1])
799  .generate_r1cs_witness(fs[f_id]->get_element() *
800  g_RR_at_P3s[dbl_id]->get_element().inversed());
801  dbl_muls3[dbl_id]->generate_r1cs_witness();
802  ++f_id;
803  ++dbl_id;
804 
805  if (NAF[i] != 0) {
806  addition_steps1[add_id]->generate_r1cs_witness();
807  addition_steps2[add_id]->generate_r1cs_witness();
808  addition_steps3[add_id]->generate_r1cs_witness();
809  add_muls1[add_id]->generate_r1cs_witness();
810  ++f_id;
811  add_muls2[add_id]->generate_r1cs_witness();
812  ++f_id;
813  (f_id + 1 == f_count ? result : *fs[f_id + 1])
814  .generate_r1cs_witness(fs[f_id]->get_element() *
815  g_RQ_at_P3s[add_id]->get_element().inversed());
816  add_muls3[add_id]->generate_r1cs_witness();
817  ++f_id;
818  ++add_id;
819  }
820  }
821  }
822  };
823 
824  } // namespace components
825  } // namespace zk
826  } // namespace crypto3
827 } // namespace nil
828 
829 #endif // CRYPTO3_ZK_BLUEPRINT_WEIERSTRASS_MILLER_LOOP_HPP
nil::crypto3::zk::components::blueprint
Definition: blueprint.hpp:46
nil::crypto3::zk::components::component
Definition: component.hpp:37
nil::crypto3::zk::components::detail::basic_pairing_component_policy
Definition: blueprint/include/nil/crypto3/zk/components/algebra/pairing/detail/mnt4.hpp:46
nil::crypto3::zk::components::element_g2
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g2.hpp:55
nil::crypto3::zk::components::element_g2::Y
std::shared_ptr< typename component_policy::Fqe_variable_type > Y
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g2.hpp:68
nil::crypto3::zk::components::g1_precomputation
Definition: precomputation.hpp:59
nil::crypto3::zk::components::g1_precomputation::PY_twist_squared
std::shared_ptr< typename component_policy::Fqe_variable_type > PY_twist_squared
Definition: precomputation.hpp:65
nil::crypto3::zk::components::g1_precomputation::P
std::shared_ptr< element_g1< CurveType > > P
Definition: precomputation.hpp:64
nil::crypto3::zk::components::g2_precomputation
Definition: precomputation.hpp:189
nil::crypto3::zk::components::g2_precomputation::Q
std::shared_ptr< element_g2< CurveType > > Q
Definition: precomputation.hpp:195
nil::crypto3::zk::components::g2_precomputation::coeffs
std::vector< std::shared_ptr< precompute_G2_component_coeffs< CurveType > > > coeffs
Definition: precomputation.hpp:197
nil::crypto3::zk::components::mnt_e_over_e_miller_loop_component
Definition: miller_loop.hpp:382
nil::crypto3::zk::components::mnt_e_over_e_miller_loop_component::doubling_steps2
std::vector< std::shared_ptr< mnt_miller_loop_dbl_line_eval< CurveType > > > doubling_steps2
Definition: miller_loop.hpp:400
nil::crypto3::zk::components::mnt_e_over_e_miller_loop_component::fs
std::vector< std::shared_ptr< typename component_policy::Fqk_variable_type > > fs
Definition: miller_loop.hpp:395
nil::crypto3::zk::components::mnt_e_over_e_miller_loop_component::dbl_count
std::size_t dbl_count
Definition: miller_loop.hpp:410
nil::crypto3::zk::components::mnt_e_over_e_miller_loop_component::dbl_muls2
std::vector< std::shared_ptr< typename component_policy::Fqk_special_mul_component_type > > dbl_muls2
Definition: miller_loop.hpp:405
nil::crypto3::zk::components::mnt_e_over_e_miller_loop_component::g_RQ_at_P2s
std::vector< std::shared_ptr< typename component_policy::Fqk_variable_type > > g_RQ_at_P2s
Definition: miller_loop.hpp:394
nil::crypto3::zk::components::mnt_e_over_e_miller_loop_component::g_RR_at_P1s
std::vector< std::shared_ptr< typename component_policy::Fqk_variable_type > > g_RR_at_P1s
Definition: miller_loop.hpp:391
nil::crypto3::zk::components::mnt_e_over_e_miller_loop_component::add_muls2
std::vector< std::shared_ptr< typename component_policy::Fqk_special_mul_component_type > > add_muls2
Definition: miller_loop.hpp:406
nil::crypto3::zk::components::mnt_e_over_e_miller_loop_component::add_muls1
std::vector< std::shared_ptr< typename component_policy::Fqk_special_mul_component_type > > add_muls1
Definition: miller_loop.hpp:404
nil::crypto3::zk::components::mnt_e_over_e_miller_loop_component::g_RR_at_P2s
std::vector< std::shared_ptr< typename component_policy::Fqk_variable_type > > g_RR_at_P2s
Definition: miller_loop.hpp:393
nil::crypto3::zk::components::mnt_e_over_e_miller_loop_component::prec_P2
g1_precomputation< CurveType > prec_P2
Definition: miller_loop.hpp:414
nil::crypto3::zk::components::mnt_e_over_e_miller_loop_component::f_count
std::size_t f_count
Definition: miller_loop.hpp:408
nil::crypto3::zk::components::mnt_e_over_e_miller_loop_component::addition_steps2
std::vector< std::shared_ptr< mnt_miller_loop_add_line_eval< CurveType > > > addition_steps2
Definition: miller_loop.hpp:399
nil::crypto3::zk::components::mnt_e_over_e_miller_loop_component::dbl_sqrs
std::vector< std::shared_ptr< typename component_policy::Fqk_sqr_component_type > > dbl_sqrs
Definition: miller_loop.hpp:402
nil::crypto3::zk::components::mnt_e_over_e_miller_loop_component::prec_Q2
g2_precomputation< CurveType > prec_Q2
Definition: miller_loop.hpp:415
nil::crypto3::zk::components::mnt_e_over_e_miller_loop_component::result
component_policy::Fqk_variable_type result
Definition: miller_loop.hpp:416
nil::crypto3::zk::components::mnt_e_over_e_miller_loop_component::addition_steps1
std::vector< std::shared_ptr< mnt_miller_loop_add_line_eval< CurveType > > > addition_steps1
Definition: miller_loop.hpp:397
nil::crypto3::zk::components::mnt_e_over_e_miller_loop_component::mnt_e_over_e_miller_loop_component
mnt_e_over_e_miller_loop_component(blueprint< field_type > &bp, const g1_precomputation< CurveType > &prec_P1, const g2_precomputation< CurveType > &prec_Q1, const g1_precomputation< CurveType > &prec_P2, const g2_precomputation< CurveType > &prec_Q2, const typename component_policy::Fqk_variable_type &result)
Definition: miller_loop.hpp:418
nil::crypto3::zk::components::mnt_e_over_e_miller_loop_component::g_RQ_at_P1s
std::vector< std::shared_ptr< typename component_policy::Fqk_variable_type > > g_RQ_at_P1s
Definition: miller_loop.hpp:392
nil::crypto3::zk::components::mnt_e_over_e_miller_loop_component::generate_r1cs_witness
void generate_r1cs_witness()
Definition: miller_loop.hpp:535
nil::crypto3::zk::components::mnt_e_over_e_miller_loop_component::dbl_muls1
std::vector< std::shared_ptr< typename component_policy::Fqk_special_mul_component_type > > dbl_muls1
Definition: miller_loop.hpp:403
nil::crypto3::zk::components::mnt_e_over_e_miller_loop_component::add_count
std::size_t add_count
Definition: miller_loop.hpp:409
nil::crypto3::zk::components::mnt_e_over_e_miller_loop_component::prec_P1
g1_precomputation< CurveType > prec_P1
Definition: miller_loop.hpp:412
nil::crypto3::zk::components::mnt_e_over_e_miller_loop_component::doubling_steps1
std::vector< std::shared_ptr< mnt_miller_loop_dbl_line_eval< CurveType > > > doubling_steps1
Definition: miller_loop.hpp:398
nil::crypto3::zk::components::mnt_e_over_e_miller_loop_component::generate_r1cs_constraints
void generate_r1cs_constraints()
Definition: miller_loop.hpp:517
nil::crypto3::zk::components::mnt_e_over_e_miller_loop_component::prec_Q1
g2_precomputation< CurveType > prec_Q1
Definition: miller_loop.hpp:413
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component
Definition: miller_loop.hpp:586
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::add_muls1
std::vector< std::shared_ptr< typename component_policy::Fqk_special_mul_component_type > > add_muls1
Definition: miller_loop.hpp:612
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::fs
std::vector< std::shared_ptr< typename component_policy::Fqk_variable_type > > fs
Definition: miller_loop.hpp:601
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::g_RQ_at_P1s
std::vector< std::shared_ptr< typename component_policy::Fqk_variable_type > > g_RQ_at_P1s
Definition: miller_loop.hpp:596
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::addition_steps1
std::vector< std::shared_ptr< mnt_miller_loop_add_line_eval< CurveType > > > addition_steps1
Definition: miller_loop.hpp:603
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::g_RQ_at_P3s
std::vector< std::shared_ptr< typename component_policy::Fqk_variable_type > > g_RQ_at_P3s
Definition: miller_loop.hpp:600
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::generate_r1cs_witness
void generate_r1cs_witness()
Definition: miller_loop.hpp:772
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::g_RR_at_P1s
std::vector< std::shared_ptr< typename component_policy::Fqk_variable_type > > g_RR_at_P1s
Definition: miller_loop.hpp:595
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::add_count
std::size_t add_count
Definition: miller_loop.hpp:619
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::add_muls3
std::vector< std::shared_ptr< typename component_policy::Fqk_special_mul_component_type > > add_muls3
Definition: miller_loop.hpp:616
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::addition_steps2
std::vector< std::shared_ptr< mnt_miller_loop_add_line_eval< CurveType > > > addition_steps2
Definition: miller_loop.hpp:605
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::f_count
std::size_t f_count
Definition: miller_loop.hpp:618
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::prec_P2
g1_precomputation< CurveType > prec_P2
Definition: miller_loop.hpp:624
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::prec_Q1
g2_precomputation< CurveType > prec_Q1
Definition: miller_loop.hpp:623
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::dbl_muls2
std::vector< std::shared_ptr< typename component_policy::Fqk_special_mul_component_type > > dbl_muls2
Definition: miller_loop.hpp:613
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::dbl_muls1
std::vector< std::shared_ptr< typename component_policy::Fqk_special_mul_component_type > > dbl_muls1
Definition: miller_loop.hpp:611
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::dbl_muls3
std::vector< std::shared_ptr< typename component_policy::Fqk_special_mul_component_type > > dbl_muls3
Definition: miller_loop.hpp:615
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::addition_steps3
std::vector< std::shared_ptr< mnt_miller_loop_add_line_eval< CurveType > > > addition_steps3
Definition: miller_loop.hpp:607
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::dbl_count
std::size_t dbl_count
Definition: miller_loop.hpp:620
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::doubling_steps2
std::vector< std::shared_ptr< mnt_miller_loop_dbl_line_eval< CurveType > > > doubling_steps2
Definition: miller_loop.hpp:606
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::prec_Q3
g2_precomputation< CurveType > prec_Q3
Definition: miller_loop.hpp:627
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::g_RR_at_P3s
std::vector< std::shared_ptr< typename component_policy::Fqk_variable_type > > g_RR_at_P3s
Definition: miller_loop.hpp:599
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::add_muls2
std::vector< std::shared_ptr< typename component_policy::Fqk_special_mul_component_type > > add_muls2
Definition: miller_loop.hpp:614
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::g_RR_at_P2s
std::vector< std::shared_ptr< typename component_policy::Fqk_variable_type > > g_RR_at_P2s
Definition: miller_loop.hpp:597
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::prec_Q2
g2_precomputation< CurveType > prec_Q2
Definition: miller_loop.hpp:625
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::prec_P1
g1_precomputation< CurveType > prec_P1
Definition: miller_loop.hpp:622
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::doubling_steps3
std::vector< std::shared_ptr< mnt_miller_loop_dbl_line_eval< CurveType > > > doubling_steps3
Definition: miller_loop.hpp:608
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::result
component_policy::Fqk_variable_type result
Definition: miller_loop.hpp:628
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::mnt_e_times_e_over_e_miller_loop_component
mnt_e_times_e_over_e_miller_loop_component(blueprint< field_type > &bp, const g1_precomputation< CurveType > &prec_P1, const g2_precomputation< CurveType > &prec_Q1, const g1_precomputation< CurveType > &prec_P2, const g2_precomputation< CurveType > &prec_Q2, const g1_precomputation< CurveType > &prec_P3, const g2_precomputation< CurveType > &prec_Q3, const typename component_policy::Fqk_variable_type &result)
Definition: miller_loop.hpp:630
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::doubling_steps1
std::vector< std::shared_ptr< mnt_miller_loop_dbl_line_eval< CurveType > > > doubling_steps1
Definition: miller_loop.hpp:604
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::dbl_sqrs
std::vector< std::shared_ptr< typename component_policy::Fqk_sqr_component_type > > dbl_sqrs
Definition: miller_loop.hpp:610
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::generate_r1cs_constraints
void generate_r1cs_constraints()
Definition: miller_loop.hpp:750
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::g_RQ_at_P2s
std::vector< std::shared_ptr< typename component_policy::Fqk_variable_type > > g_RQ_at_P2s
Definition: miller_loop.hpp:598
nil::crypto3::zk::components::mnt_e_times_e_over_e_miller_loop_component::prec_P3
g1_precomputation< CurveType > prec_P3
Definition: miller_loop.hpp:626
nil::crypto3::zk::components::mnt_miller_loop_add_line_eval
Definition: miller_loop.hpp:149
nil::crypto3::zk::components::mnt_miller_loop_add_line_eval::generate_r1cs_constraints
void generate_r1cs_constraints()
Definition: miller_loop.hpp:205
nil::crypto3::zk::components::mnt_miller_loop_add_line_eval::compute_g_RQ_at_P_c1
std::shared_ptr< typename component_policy::Fqe_mul_by_lc_component_type > compute_g_RQ_at_P_c1
Definition: miller_loop.hpp:166
nil::crypto3::zk::components::mnt_miller_loop_add_line_eval::prec_P
g1_precomputation< CurveType > prec_P
Definition: miller_loop.hpp:158
nil::crypto3::zk::components::mnt_miller_loop_add_line_eval::c
precompute_G2_component_coeffs< CurveType > c
Definition: miller_loop.hpp:159
nil::crypto3::zk::components::mnt_miller_loop_add_line_eval::g_RQ_at_P_c1
std::shared_ptr< typename component_policy::Fqe_variable_type > g_RQ_at_P_c1
Definition: miller_loop.hpp:165
nil::crypto3::zk::components::mnt_miller_loop_add_line_eval::Q
element_g2< CurveType > Q
Definition: miller_loop.hpp:160
nil::crypto3::zk::components::mnt_miller_loop_add_line_eval::generate_r1cs_witness
void generate_r1cs_witness()
Definition: miller_loop.hpp:210
nil::crypto3::zk::components::mnt_miller_loop_add_line_eval::invert_Q
bool invert_Q
Definition: miller_loop.hpp:157
nil::crypto3::zk::components::mnt_miller_loop_add_line_eval::gamma_twist
std::shared_ptr< typename component_policy::Fqe_variable_type > gamma_twist
Definition: miller_loop.hpp:164
nil::crypto3::zk::components::mnt_miller_loop_add_line_eval::g_RQ_at_P
std::shared_ptr< typename component_policy::Fqk_variable_type > & g_RQ_at_P
Definition: miller_loop.hpp:162
nil::crypto3::zk::components::mnt_miller_loop_add_line_eval::mnt_miller_loop_add_line_eval
mnt_miller_loop_add_line_eval(blueprint< field_type > &bp, const bool invert_Q, const g1_precomputation< CurveType > &prec_P, const precompute_G2_component_coeffs< CurveType > &c, const element_g2< CurveType > &Q, std::shared_ptr< typename component_policy::Fqk_variable_type > &g_RQ_at_P)
Definition: miller_loop.hpp:168
nil::crypto3::zk::components::mnt_miller_loop_component
Definition: miller_loop.hpp:231
nil::crypto3::zk::components::mnt_miller_loop_component::add_count
std::size_t add_count
Definition: miller_loop.hpp:251
nil::crypto3::zk::components::mnt_miller_loop_component::addition_steps
std::vector< std::shared_ptr< mnt_miller_loop_add_line_eval< CurveType > > > addition_steps
Definition: miller_loop.hpp:243
nil::crypto3::zk::components::mnt_miller_loop_component::dbl_sqrs
std::vector< std::shared_ptr< typename component_policy::Fqk_sqr_component_type > > dbl_sqrs
Definition: miller_loop.hpp:247
nil::crypto3::zk::components::mnt_miller_loop_component::dbl_count
std::size_t dbl_count
Definition: miller_loop.hpp:252
nil::crypto3::zk::components::mnt_miller_loop_component::generate_r1cs_constraints
void generate_r1cs_constraints()
Definition: miller_loop.hpp:335
nil::crypto3::zk::components::mnt_miller_loop_component::fs
std::vector< std::shared_ptr< typename component_policy::Fqk_variable_type > > fs
Definition: miller_loop.hpp:241
nil::crypto3::zk::components::mnt_miller_loop_component::result
component_policy::Fqk_variable_type result
Definition: miller_loop.hpp:256
nil::crypto3::zk::components::mnt_miller_loop_component::doubling_steps
std::vector< std::shared_ptr< mnt_miller_loop_dbl_line_eval< CurveType > > > doubling_steps
Definition: miller_loop.hpp:244
nil::crypto3::zk::components::mnt_miller_loop_component::dbl_muls
std::vector< std::shared_ptr< typename component_policy::Fqk_special_mul_component_type > > dbl_muls
Definition: miller_loop.hpp:246
nil::crypto3::zk::components::mnt_miller_loop_component::mnt_miller_loop_component
mnt_miller_loop_component(blueprint< field_type > &bp, const g1_precomputation< CurveType > &prec_P, const g2_precomputation< CurveType > &prec_Q, const typename component_policy::Fqk_variable_type &result)
Definition: miller_loop.hpp:258
nil::crypto3::zk::components::mnt_miller_loop_component::f_count
std::size_t f_count
Definition: miller_loop.hpp:250
nil::crypto3::zk::components::mnt_miller_loop_component::g_RR_at_Ps
std::vector< std::shared_ptr< typename component_policy::Fqk_variable_type > > g_RR_at_Ps
Definition: miller_loop.hpp:239
nil::crypto3::zk::components::mnt_miller_loop_component::prec_P
g1_precomputation< CurveType > prec_P
Definition: miller_loop.hpp:254
nil::crypto3::zk::components::mnt_miller_loop_component::add_muls
std::vector< std::shared_ptr< typename component_policy::Fqk_special_mul_component_type > > add_muls
Definition: miller_loop.hpp:248
nil::crypto3::zk::components::mnt_miller_loop_component::generate_r1cs_witness
void generate_r1cs_witness()
Definition: miller_loop.hpp:349
nil::crypto3::zk::components::mnt_miller_loop_component::prec_Q
g2_precomputation< CurveType > prec_Q
Definition: miller_loop.hpp:255
nil::crypto3::zk::components::mnt_miller_loop_component::g_RQ_at_Ps
std::vector< std::shared_ptr< typename component_policy::Fqk_variable_type > > g_RQ_at_Ps
Definition: miller_loop.hpp:240
nil::crypto3::zk::components::mnt_miller_loop_dbl_line_eval
Definition: miller_loop.hpp:62
nil::crypto3::zk::components::mnt_miller_loop_dbl_line_eval::g_RR_at_P_c1
std::shared_ptr< typename component_policy::Fqe_variable_type > g_RR_at_P_c1
Definition: miller_loop.hpp:76
nil::crypto3::zk::components::mnt_miller_loop_dbl_line_eval::generate_r1cs_witness
void generate_r1cs_witness()
Definition: miller_loop.hpp:119
nil::crypto3::zk::components::mnt_miller_loop_dbl_line_eval::c
precompute_G2_component_coeffs< CurveType > c
Definition: miller_loop.hpp:71
nil::crypto3::zk::components::mnt_miller_loop_dbl_line_eval::compute_g_RR_at_P_c1
std::shared_ptr< typename component_policy::Fqe_mul_by_lc_component_type > compute_g_RR_at_P_c1
Definition: miller_loop.hpp:77
nil::crypto3::zk::components::mnt_miller_loop_dbl_line_eval::gamma_twist
std::shared_ptr< typename component_policy::Fqe_variable_type > gamma_twist
Definition: miller_loop.hpp:75
nil::crypto3::zk::components::mnt_miller_loop_dbl_line_eval::mnt_miller_loop_dbl_line_eval
mnt_miller_loop_dbl_line_eval(blueprint< field_type > &bp, const g1_precomputation< CurveType > &prec_P, const precompute_G2_component_coeffs< CurveType > &c, std::shared_ptr< typename component_policy::Fqk_variable_type > &g_RR_at_P)
Definition: miller_loop.hpp:79
nil::crypto3::zk::components::mnt_miller_loop_dbl_line_eval::generate_r1cs_constraints
void generate_r1cs_constraints()
Definition: miller_loop.hpp:113
nil::crypto3::zk::components::mnt_miller_loop_dbl_line_eval::g_RR_at_P
std::shared_ptr< typename component_policy::Fqk_variable_type > & g_RR_at_P
Definition: miller_loop.hpp:73
nil::crypto3::zk::components::mnt_miller_loop_dbl_line_eval::prec_P
g1_precomputation< CurveType > prec_P
Definition: miller_loop.hpp:70
nil::crypto3::zk::components::precompute_G2_component_coeffs
Definition: precomputation.hpp:155
nil::crypto3::zk::components::precompute_G2_component_coeffs::gamma_X
std::shared_ptr< typename component_policy::Fqe_variable_type > gamma_X
Definition: precomputation.hpp:164
nil::crypto3::zk::components::precompute_G2_component_coeffs::RY
std::shared_ptr< typename component_policy::Fqe_variable_type > RY
Definition: precomputation.hpp:162
nil::crypto3::zk::components::precompute_G2_component_coeffs::gamma
std::shared_ptr< typename component_policy::Fqe_variable_type > gamma
Definition: precomputation.hpp:163
nil::crypto3::algebra::pairing
Definition: pairing/alt_bn128.hpp:42
nil
Definition: pair.hpp:31