blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g1.hpp
Go to the documentation of this file.
1 //---------------------------------------------------------------------------//
2 // Copyright (c) 2018-2021 Mikhail Komarov <nemo@nil.foundation>
3 // Copyright (c) 2020-2021 Nikita Kaskov <nbering@nil.foundation>
4 //
5 // MIT License
6 //
7 // Permission is hereby granted, free of charge, to any person obtaining a copy
8 // of this software and associated documentation files (the "Software"), to deal
9 // in the Software without restriction, including without limitation the rights
10 // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 // copies of the Software, and to permit persons to whom the Software is
12 // furnished to do so, subject to the following conditions:
13 //
14 // The above copyright notice and this permission notice shall be included in all
15 // copies or substantial portions of the Software.
16 //
17 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 // SOFTWARE.
24 //---------------------------------------------------------------------------//
25 // @file Declaration of interfaces for G1 components.
26 //
27 // The components verify curve arithmetic in G1 = E(F) where E/F: y^2 = x^3 + A * X + B
28 // is an elliptic curve over F in short Weierstrass form.
29 //---------------------------------------------------------------------------//
30 
31 #ifndef CRYPTO3_ZK_BLUEPRINT_WEIERSTRASS_G1_COMPONENT_HPP
32 #define CRYPTO3_ZK_BLUEPRINT_WEIERSTRASS_G1_COMPONENT_HPP
33 
34 #include <nil/crypto3/zk/components/component.hpp>
35 #include <nil/crypto3/zk/components/algebra/fields/element_fp.hpp>
36 
37 #include <nil/crypto3/zk/components/blueprint_variable.hpp>
38 
39 namespace nil {
40  namespace crypto3 {
41  namespace zk {
42  namespace components {
43 
47  template<typename CurveType>
48  class element_g1 : public component<typename CurveType::scalar_field_type> {
49 
50  using underlying_field_type = typename CurveType::scalar_field_type;
51  using underlying_element_type = element_fp<underlying_field_type>;
52 
53  public:
54  underlying_element_type X;
55  underlying_element_type Y;
56 
57  blueprint_linear_combination_vector<underlying_field_type> all_vars;
58 
59  element_g1(blueprint<underlying_field_type> &bp) : component<underlying_field_type>(bp) {
60 
61  blueprint_variable<underlying_field_type> X_var, Y_var;
62 
63  X_var.allocate(bp);
64  Y_var.allocate(bp);
65 
66  X = underlying_element_type(X_var);
67  Y = underlying_element_type(Y_var);
68 
69  all_vars.emplace_back(X);
70  all_vars.emplace_back(Y);
71  }
72 
73  element_g1(blueprint<underlying_field_type> &bp,
74  const typename CurveType::pairing::pair_curve_type::template g1_type<>::value_type &P) :
75  component<underlying_field_type>(bp) {
76  typename CurveType::pairing::pair_curve_type::template g1_type<>::value_type Pcopy = P.to_affine();
77 
78  X.assign(bp, Pcopy.X);
79  Y.assign(bp, Pcopy.Y);
80  X.evaluate(bp);
81  Y.evaluate(bp);
82  all_vars.emplace_back(X);
83  all_vars.emplace_back(Y);
84  }
85 
86  void generate_r1cs_witness(
87  const typename CurveType::pairing::pair_curve_type::template g1_type<>::value_type &el) {
88  typename CurveType::pairing::pair_curve_type::template g1_type<>::value_type el_normalized =
89  el.to_affine();
90 
91  this->bp.lc_val(X) = el_normalized.X;
92  this->bp.lc_val(Y) = el_normalized.Y;
93  }
94 
95  // (See a comment in r1cs_ppzksnark_verifier_component.hpp about why
96  // we mark this function noinline.) TODO: remove later
97  static std::size_t __attribute__((noinline)) size_in_bits() {
98  return 2 * underlying_field_type::modulus_bits;
99  }
100  static std::size_t num_variables() {
101  return 2;
102  }
103  };
104 
108  template<typename CurveType>
109  class element_g1_is_well_formed : public component<typename CurveType::scalar_field_type> {
110 
111  using underlying_field_type = typename CurveType::scalar_field_type;
112 
113  public:
114  element_g1<CurveType> P;
115  blueprint_variable<underlying_field_type> P_X_squared;
116  blueprint_variable<underlying_field_type> P_Y_squared;
117 
118  element_g1_is_well_formed(blueprint<underlying_field_type> &bp, const element_g1<CurveType> &P) :
119  component<underlying_field_type>(bp), P(P) {
120  P_X_squared.allocate(bp);
121  P_Y_squared.allocate(bp);
122  }
123  void generate_r1cs_constraints() {
124  this->bp.add_r1cs_constraint(
125  snark::r1cs_constraint<underlying_field_type>({P.X}, {P.X}, {P_X_squared}));
126  this->bp.add_r1cs_constraint(
127  snark::r1cs_constraint<underlying_field_type>({P.Y}, {P.Y}, {P_Y_squared}));
128  this->bp.add_r1cs_constraint(snark::r1cs_constraint<underlying_field_type>(
129  {P.X},
130  {P_X_squared,
131  blueprint_variable<underlying_field_type>(0) * CurveType::pairing::pair_curve_type::a},
132  {P_Y_squared, blueprint_variable<underlying_field_type>(0) *
133  (-CurveType::pairing::pair_curve_type::b)}));
134  }
135  void generate_r1cs_witness() {
136  this->bp.val(P_X_squared) = this->bp.lc_val(P.X).squared();
137  this->bp.val(P_Y_squared) = this->bp.lc_val(P.Y).squared();
138  }
139  };
140 
144  template<typename CurveType>
145  class element_g1_add : public component<typename CurveType::scalar_field_type> {
146 
147  using underlying_field_type = typename CurveType::scalar_field_type;
148 
149  public:
150  blueprint_variable<underlying_field_type> lambda;
151  blueprint_variable<underlying_field_type> inv;
152 
153  element_g1<CurveType> A;
154  element_g1<CurveType> B;
155  element_g1<CurveType> C;
156 
157  element_g1_add(blueprint<underlying_field_type> &bp,
158  const element_g1<CurveType> &A,
159  const element_g1<CurveType> &B,
160  const element_g1<CurveType> &C) :
161  component<underlying_field_type>(bp),
162  A(A), B(B), C(C) {
163  /*
164  lambda = (B.y - A.y)/(B.x - A.x)
165  C.x = lambda^2 - A.x - B.x
166  C.y = lambda(A.x - C.x) - A.y
167 
168  Special cases:
169 
170  doubling: if B.y = A.y and B.x = A.x then lambda is unbound and
171  C = (lambda^2, lambda^3)
172 
173  addition of negative point: if B.y = -A.y and B.x = A.x then no
174  lambda can satisfy the first equation unless B.y - A.y = 0. But
175  then this reduces to doubling.
176 
177  So we need to check that A.x - B.x != 0, which can be done by
178  enforcing I * (B.x - A.x) = 1
179  */
180  lambda.allocate(bp);
181  inv.allocate(bp);
182  }
183  void generate_r1cs_constraints() {
184  this->bp.add_r1cs_constraint(snark::r1cs_constraint<underlying_field_type>(
185  {lambda}, {B.X, A.X * (-1)}, {B.Y, A.Y * (-1)}));
186 
187  this->bp.add_r1cs_constraint(
188  snark::r1cs_constraint<underlying_field_type>({lambda}, {lambda}, {C.X, A.X, B.X}));
189 
190  this->bp.add_r1cs_constraint(
191  snark::r1cs_constraint<underlying_field_type>({lambda}, {A.X, C.X * (-1)}, {C.Y, A.Y}));
192 
193  this->bp.add_r1cs_constraint(snark::r1cs_constraint<underlying_field_type>(
194  {inv}, {B.X, A.X * (-1)}, {blueprint_variable<underlying_field_type>(0)}));
195  }
196  void generate_r1cs_witness() {
197  this->bp.val(inv) = (this->bp.lc_val(B.X) - this->bp.lc_val(A.X)).inversed();
198  this->bp.val(lambda) = (this->bp.lc_val(B.Y) - this->bp.lc_val(A.Y)) * this->bp.val(inv);
199  this->bp.lc_val(C.X) =
200  this->bp.val(lambda).squared() - this->bp.lc_val(A.X) - this->bp.lc_val(B.X);
201  this->bp.lc_val(C.Y) =
202  this->bp.val(lambda) * (this->bp.lc_val(A.X) - this->bp.lc_val(C.X)) - this->bp.lc_val(A.Y);
203  }
204  };
205 
209  template<typename CurveType>
210  class element_g1_doubled : public component<typename CurveType::scalar_field_type> {
211 
212  using underlying_field_type = typename CurveType::scalar_field_type;
213 
214  public:
215  blueprint_variable<underlying_field_type> Xsquared;
216  blueprint_variable<underlying_field_type> lambda;
217 
218  element_g1<CurveType> A;
219  element_g1<CurveType> B;
220 
221  element_g1_doubled(blueprint<underlying_field_type> &bp,
222  const element_g1<CurveType> &A,
223  const element_g1<CurveType> &B) :
224  component<underlying_field_type>(bp),
225  A(A), B(B) {
226  Xsquared.allocate(bp);
227  lambda.allocate(bp);
228  }
229  void generate_r1cs_constraints() {
230  this->bp.add_r1cs_constraint(
231  snark::r1cs_constraint<underlying_field_type>({A.X}, {A.X}, {Xsquared}));
232 
233  this->bp.add_r1cs_constraint(snark::r1cs_constraint<underlying_field_type>(
234  {lambda * 2},
235  {A.Y},
236  {Xsquared * 3, blueprint_variable<underlying_field_type>(0x00) *
237  CurveType::pairing::pair_curve_type::a}));
238 
239  this->bp.add_r1cs_constraint(
240  snark::r1cs_constraint<underlying_field_type>({lambda}, {lambda}, {B.X, A.X * 2}));
241 
242  this->bp.add_r1cs_constraint(
243  snark::r1cs_constraint<underlying_field_type>({lambda}, {A.X, B.X * (-1)}, {B.Y, A.Y}));
244  }
245  void generate_r1cs_witness() {
246  this->bp.val(Xsquared) = this->bp.lc_val(A.X).squared();
247  this->bp.val(lambda) =
248  (typename underlying_field_type::value_type(0x03) * this->bp.val(Xsquared) +
249  CurveType::pairing::pair_curve_type::a) *
250  (typename underlying_field_type::value_type(0x02) * this->bp.lc_val(A.Y)).inversed();
251  this->bp.lc_val(B.X) = this->bp.val(lambda).squared() -
252  typename underlying_field_type::value_type(0x02) * this->bp.lc_val(A.X);
253  this->bp.lc_val(B.Y) =
254  this->bp.val(lambda) * (this->bp.lc_val(A.X) - this->bp.lc_val(B.X)) - this->bp.lc_val(A.Y);
255  }
256  };
257  } // namespace components
258  } // namespace zk
259  } // namespace crypto3
260 } // namespace nil
261 
262 #endif // CRYPTO3_ZK_BLUEPRINT_WEIERSTRASS_G1_COMPONENT_HPP
blueprint_variable.hpp
nil::crypto3::zk::components::blueprint_linear_combination_vector< underlying_field_type >
nil::crypto3::zk::components::blueprint_linear_combination
Definition: blueprint_linear_combination.hpp:47
nil::crypto3::zk::components::blueprint_linear_combination::assign
void assign(blueprint< field_type > &bp, const snark::linear_combination< field_type > &lc)
Definition: blueprint_linear_combination.hpp:65
nil::crypto3::zk::components::blueprint_linear_combination::evaluate
void evaluate(blueprint< field_type > &bp) const
Definition: blueprint_linear_combination.hpp:71
nil::crypto3::zk::components::blueprint_variable< underlying_field_type >
nil::crypto3::zk::components::blueprint_variable::allocate
void allocate(blueprint< FieldType > &bp)
Definition: blueprint_variable.hpp:51
nil::crypto3::zk::components::blueprint
Definition: blueprint.hpp:46
nil::crypto3::zk::components::component
Definition: component.hpp:37
nil::crypto3::zk::components::component< CurveType::scalar_field_type >::bp
blueprint< CurveType::scalar_field_type > & bp
Definition: component.hpp:39
nil::crypto3::zk::components::element_g1_add::A
element_g1< CurveType > A
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g1.hpp:153
nil::crypto3::zk::components::element_g1_add::generate_r1cs_constraints
void generate_r1cs_constraints()
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g1.hpp:183
nil::crypto3::zk::components::element_g1_add::C
element_g1< CurveType > C
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g1.hpp:155
nil::crypto3::zk::components::element_g1_add::element_g1_add
element_g1_add(blueprint< underlying_field_type > &bp, const element_g1< CurveType > &A, const element_g1< CurveType > &B, const element_g1< CurveType > &C)
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g1.hpp:157
nil::crypto3::zk::components::element_g1_add::lambda
blueprint_variable< underlying_field_type > lambda
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g1.hpp:150
nil::crypto3::zk::components::element_g1_add::B
element_g1< CurveType > B
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g1.hpp:154
nil::crypto3::zk::components::element_g1_add::generate_r1cs_witness
void generate_r1cs_witness()
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g1.hpp:196
nil::crypto3::zk::components::element_g1_add::inv
blueprint_variable< underlying_field_type > inv
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g1.hpp:151
nil::crypto3::zk::components::element_g1_doubled
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g1.hpp:210
nil::crypto3::zk::components::element_g1_doubled::element_g1_doubled
element_g1_doubled(blueprint< underlying_field_type > &bp, const element_g1< CurveType > &A, const element_g1< CurveType > &B)
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g1.hpp:221
nil::crypto3::zk::components::element_g1_doubled::lambda
blueprint_variable< underlying_field_type > lambda
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g1.hpp:216
nil::crypto3::zk::components::element_g1_doubled::generate_r1cs_witness
void generate_r1cs_witness()
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g1.hpp:245
nil::crypto3::zk::components::element_g1_doubled::Xsquared
blueprint_variable< underlying_field_type > Xsquared
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g1.hpp:215
nil::crypto3::zk::components::element_g1_doubled::generate_r1cs_constraints
void generate_r1cs_constraints()
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g1.hpp:229
nil::crypto3::zk::components::element_g1_doubled::A
element_g1< CurveType > A
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g1.hpp:218
nil::crypto3::zk::components::element_g1_doubled::B
element_g1< CurveType > B
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g1.hpp:219
nil::crypto3::zk::components::element_g1_is_well_formed::generate_r1cs_witness
void generate_r1cs_witness()
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g1.hpp:135
nil::crypto3::zk::components::element_g1_is_well_formed::P_Y_squared
blueprint_variable< underlying_field_type > P_Y_squared
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g1.hpp:116
nil::crypto3::zk::components::element_g1_is_well_formed::generate_r1cs_constraints
void generate_r1cs_constraints()
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g1.hpp:123
nil::crypto3::zk::components::element_g1_is_well_formed::P_X_squared
blueprint_variable< underlying_field_type > P_X_squared
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g1.hpp:115
nil::crypto3::zk::components::element_g1_is_well_formed::element_g1_is_well_formed
element_g1_is_well_formed(blueprint< underlying_field_type > &bp, const element_g1< CurveType > &P)
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g1.hpp:118
nil::crypto3::zk::components::element_g1_is_well_formed::P
element_g1< CurveType > P
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/edwards/element_g1.hpp:118
nil::crypto3::zk::components::element_g1
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/edwards/element_g1.hpp:51
nil::crypto3::zk::components::element_g1::element_g1
element_g1(blueprint< underlying_field_type > &bp, const typename CurveType::pairing::pair_curve_type::template g1_type<>::value_type &P)
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g1.hpp:73
nil::crypto3::zk::components::element_g1::element_g1
element_g1(blueprint< underlying_field_type > &bp)
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g1.hpp:59
nil::crypto3::zk::components::element_g1::X
underlying_element_type X
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/edwards/element_g1.hpp:56
nil::crypto3::zk::components::element_g1::generate_r1cs_witness
void generate_r1cs_witness(const typename CurveType::pairing::pair_curve_type::template g1_type<>::value_type &el)
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g1.hpp:86
nil::crypto3::zk::components::element_g1::Y
underlying_element_type Y
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/edwards/element_g1.hpp:57
nil::crypto3::zk::components::element_g1::__attribute__
static std::size_t __attribute__((noinline)) size_in_bits()
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g1.hpp:97
nil::crypto3::zk::components::element_g1::all_vars
blueprint_linear_combination_vector< scalar_field_type > all_vars
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/edwards/element_g1.hpp:59
nil::crypto3::zk::components::element_g1::all_vars
blueprint_linear_combination_vector< underlying_field_type > all_vars
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g1.hpp:57
nil::crypto3::zk::components::element_g1::num_variables
static std::size_t num_variables()
Definition: blueprint/include/nil/crypto3/zk/components/algebra/curves/weierstrass/element_g1.hpp:100
element_fp.hpp
nil
Definition: pair.hpp:31
nil::crypto3::zk::snark::r1cs_constraint
Definition: r1cs.hpp:60