Clearmatics Libsnark  0.1
C++ library for zkSNARK proofs
weierstrass_g2_gadget.hpp
Go to the documentation of this file.
1 
15 #ifndef WEIERSTRASS_G2_GADGET_HPP_
16 #define WEIERSTRASS_G2_GADGET_HPP_
17 
18 #include "libsnark/gadgetlib1/gadget.hpp"
19 #include "libsnark/gadgetlib1/gadgets/curves/scalar_multiplication.hpp"
20 #include "libsnark/gadgetlib1/gadgets/fields/fp2_gadgets.hpp"
21 #include "libsnark/gadgetlib1/gadgets/pairing/pairing_params.hpp"
22 
23 #include <libff/algebra/curves/public_params.hpp>
24 #include <libff/algebra/fields/fp2.hpp>
25 #include <memory>
26 
27 namespace libsnark
28 {
29 
31 template<typename ppT> class G2_variable : public gadget<libff::Fr<ppT>>
32 {
33 public:
34  typedef libff::Fr<ppT> FieldT;
35  typedef libff::Fqe<other_curve<ppT>> FqeT;
36  typedef libff::Fqk<other_curve<ppT>> FqkT;
37 
38  std::shared_ptr<Fqe_variable<ppT>> X;
39  std::shared_ptr<Fqe_variable<ppT>> Y;
40 
41  pb_linear_combination_array<FieldT> all_vars;
42 
43  G2_variable(protoboard<FieldT> &pb, const std::string &annotation_prefix);
44  G2_variable(
45  protoboard<FieldT> &pb,
46  const libff::G2<other_curve<ppT>> &Q,
47  const std::string &annotation_prefix);
48 
49  G2_variable(
50  protoboard<FieldT> &pb,
51  const Fqe_variable<ppT> &X,
52  const Fqe_variable<ppT> &Y,
53  const std::string &annotation_prefix);
54 
55  G2_variable operator-() const;
56 
57  void generate_r1cs_witness(const libff::G2<other_curve<ppT>> &Q);
58 
59  libff::G2<other_curve<ppT>> get_element() const;
60 
61  // (See a comment in r1cs_ppzksnark_verifier_gadget.hpp about why
62  // we mark this function noinline.) TODO: remove later
63  static size_t __attribute__((noinline)) size_in_bits();
64  static size_t num_variables();
65 };
66 
70 template<typename ppT>
71 class G2_variable_selector_gadget : public gadget<libff::Fr<ppT>>
72 {
73 public:
74  using Field = libff::Fr<ppT>;
75 
76  const pb_linear_combination<Field> selector;
77  const G2_variable<ppT> zero_case;
78  const G2_variable<ppT> one_case;
79  G2_variable<ppT> result;
80  Fqe_mul_by_lc_gadget<ppT> mul_select_X;
81  Fqe_mul_by_lc_gadget<ppT> mul_select_Y;
82 
83  G2_variable_selector_gadget(
84  protoboard<Field> &pb,
85  const pb_linear_combination<Field> &selector,
86  const G2_variable<ppT> &zero_case,
87  const G2_variable<ppT> &one_case,
88  const G2_variable<ppT> &result,
89  const std::string &annotation_prefix);
90 
91  void generate_r1cs_constraints();
92  void generate_r1cs_witness();
93 };
94 
96 template<typename ppT> class G2_checker_gadget : public gadget<libff::Fr<ppT>>
97 {
98 public:
99  typedef libff::Fr<ppT> FieldT;
100  typedef libff::Fqe<other_curve<ppT>> FqeT;
101  typedef libff::Fqk<other_curve<ppT>> FqkT;
102 
103  G2_variable<ppT> Q;
104 
105  std::shared_ptr<Fqe_variable<ppT>> Xsquared;
106  std::shared_ptr<Fqe_variable<ppT>> Ysquared;
107  std::shared_ptr<Fqe_variable<ppT>> Xsquared_plus_a;
108  std::shared_ptr<Fqe_variable<ppT>> Ysquared_minus_b;
109 
110  std::shared_ptr<Fqe_sqr_gadget<ppT>> compute_Xsquared;
111  std::shared_ptr<Fqe_sqr_gadget<ppT>> compute_Ysquared;
112  std::shared_ptr<Fqe_mul_gadget<ppT>> curve_equation;
113 
114  G2_checker_gadget(
115  protoboard<FieldT> &pb,
116  const G2_variable<ppT> &Q,
117  const std::string &annotation_prefix);
118  void generate_r1cs_constraints();
119  void generate_r1cs_witness();
120 };
121 
123 template<typename wppT> class G2_add_gadget : public gadget<libff::Fr<wppT>>
124 {
125 public:
126  G2_variable<wppT> A;
127  G2_variable<wppT> B;
128  G2_variable<wppT> result;
129 
130  Fqe_variable<wppT> lambda;
131 
132  // For curve points A = (Ax, Ay), B = (Bx, By), we have that
133  // A + B = R = (Rx, Ry) is given by:
134  //
135  // Rx = lambda^2 - Ax - Bx
136  // Ry = lambda*(Ax - Rx) - Ay
137  // where lambda = (By - Ay) / (Bx - Ax)
138 
139  // lambda = (By - Ay) / (Bx - Ax)
140  // <=> lambda * (Bx - Ax) = By - Ay
141  Fqe_mul_gadget<wppT> lambda_constraint;
142 
143  // Rx = lambda^2 - Ax - Bx
144  // <=> lambda^2 = Rx + Ax + Bx
145  Fqe_mul_gadget<wppT> Rx_constraint;
146 
147  // Ry = lambda * (Ax - Rx) - Ay
148  // <=> lambda * (Ax - Rx) = Ry + Ay
149  Fqe_mul_gadget<wppT> Ry_constraint;
150 
151  G2_add_gadget(
152  protoboard<libff::Fr<wppT>> &pb,
153  const G2_variable<wppT> &A,
154  const G2_variable<wppT> &B,
155  const G2_variable<wppT> &result,
156  const std::string &annotation_prefix);
157  void generate_r1cs_constraints();
158  void generate_r1cs_witness();
159 };
160 
162 template<typename wppT> class G2_dbl_gadget : public gadget<libff::Fr<wppT>>
163 {
164 public:
165  using nppT = other_curve<wppT>;
166 
167  G2_variable<wppT> A;
168  G2_variable<wppT> result;
169 
170  Fqe_variable<wppT> lambda;
171 
172  // For a curve point A = (Ax, Ay), we have that A + A = B = (Bx, By) is
173  // given by:
174  //
175  // Bx = lambda^2 - 2 * Ax
176  // By = lambda*(Ax - Bx) - Ay
177  // where lambda = (3 * Ax^2) / 2 * Ay
178 
179  // Ax_squared = Ax * Ax
180  Fqe_mul_gadget<wppT> Ax_squared_constraint;
181 
182  // lambda = (3 * Ax^2 + a) / 2 * Ay
183  // <=> lambda * (Ay + Ay) = 3 * Ax_squared + a
184  Fqe_mul_gadget<wppT> lambda_constraint;
185 
186  // Bx = lambda^2 - 2 * Ax
187  // <=> lambda * lambda = Bx + Ax + Ax
188  Fqe_mul_gadget<wppT> Bx_constraint;
189 
190  // By = lambda * (Ax - Bx) - Ay
191  // <=> lambda * (Ax - Bx) = By + Ay
192  Fqe_mul_gadget<wppT> By_constraint;
193 
194  G2_dbl_gadget(
195  protoboard<libff::Fr<wppT>> &pb,
196  const G2_variable<wppT> &A,
197  const G2_variable<wppT> &result,
198  const std::string &annotation_prefix);
199  void generate_r1cs_constraints();
200  void generate_r1cs_witness();
201 };
202 
204 template<typename wppT>
205 class G2_equality_gadget : public gadget<libff::Fr<wppT>>
206 {
207 public:
208  using nppT = other_curve<wppT>;
209  using FqeT = libff::Fqe<nppT>;
210 
211  G2_variable<wppT> _A;
212  G2_variable<wppT> _B;
213 
214  G2_equality_gadget(
215  protoboard<libff::Fr<wppT>> &pb,
216  const G2_variable<wppT> &A,
217  const G2_variable<wppT> &B,
218  const std::string &annotation_prefix);
219  void generate_r1cs_constraints();
220  void generate_r1cs_witness();
221 
222 private:
223  // There is no generic way to iterate over the components of Fp?_variable,
224  // so this method must be specialized per field extension. However, the
225  // version that expects 2 components may still compile on Fp3_variable,
226  // say. Hence we specify Fp2_variable explicitly in the parameters to avoid
227  // callers accidentally using this for other pairings and passing in
228  // Fp?_variable.
229  void generate_fpe_equality_constraints(
230  const Fp2_variable<FqeT> &a, const Fp2_variable<FqeT> &b);
231 };
232 
235 template<typename wppT, mp_size_t scalarLimbs>
236 using G2_mul_by_const_scalar_gadget = point_mul_by_const_scalar_gadget<
237  libff::G2<other_curve<wppT>>,
238  G2_variable<wppT>,
239  G2_add_gadget<wppT>,
240  G2_dbl_gadget<wppT>,
241  libff::bigint<scalarLimbs>>;
242 
243 template<typename wppT>
244 using G2_variable_or_identity =
245  variable_or_identity<wppT, libff::G2<other_curve<wppT>>, G2_variable<wppT>>;
246 
247 template<typename wppT>
248 using G2_variable_or_identity_selector_gadget = variable_or_identity_selector<
249  wppT,
250  libff::G2<other_curve<wppT>>,
251  G2_variable<wppT>,
252  G2_variable_selector_gadget<wppT>>;
253 
254 template<typename wppT>
255 using G2_variable_and_variable_or_identity_selector_gadget =
256  variable_and_variable_or_identity_selector<
257  wppT,
258  libff::G2<other_curve<wppT>>,
259  G2_variable<wppT>,
260  G2_variable_selector_gadget<wppT>>;
261 
262 template<typename wppT>
263 using G2_add_variable_or_identity_gadget = add_variable_or_identity<
264  wppT,
265  libff::G2<other_curve<wppT>>,
266  G2_variable<wppT>,
267  G2_variable_selector_gadget<wppT>,
268  G2_add_gadget<wppT>>;
269 
270 template<typename wppT>
271 using G2_add_variable_and_variable_or_identity_gadget =
272  add_variable_and_variable_or_identity<
273  wppT,
274  libff::G2<other_curve<wppT>>,
275  G2_variable<wppT>,
276  G2_variable_selector_gadget<wppT>,
277  G2_add_gadget<wppT>>;
278 
279 template<typename wppT>
280 using G2_dbl_variable_or_identity_gadget = dbl_variable_or_identity<
281  wppT,
282  libff::G2<other_curve<wppT>>,
283  G2_variable<wppT>,
284  G2_dbl_gadget<wppT>>;
285 
286 template<typename wppT>
287 using G2_mul_by_scalar_gadget = point_mul_by_scalar_gadget<
288  wppT,
289  libff::G2<other_curve<wppT>>,
290  G2_variable<wppT>,
291  G2_variable_selector_gadget<wppT>,
292  G2_add_gadget<wppT>,
293  G2_dbl_gadget<wppT>>;
294 
295 } // namespace libsnark
296 
297 #include <libsnark/gadgetlib1/gadgets/curves/weierstrass_g2_gadget.tcc>
298 
299 #endif // WEIERSTRASS_G2_GADGET_HPP_
libsnark::G2_dbl_gadget::result
G2_variable< wppT > result
Definition: weierstrass_g2_gadget.hpp:168
libsnark::G2_dbl_gadget::Bx_constraint
Fqe_mul_gadget< wppT > Bx_constraint
Definition: weierstrass_g2_gadget.hpp:188
libsnark::G2_checker_gadget::Ysquared
std::shared_ptr< Fqe_variable< ppT > > Ysquared
Definition: weierstrass_g2_gadget.hpp:106
libsnark::G2_add_gadget::generate_r1cs_constraints
void generate_r1cs_constraints()
libsnark::G2_checker_gadget::FqkT
libff::Fqk< other_curve< ppT > > FqkT
Definition: weierstrass_g2_gadget.hpp:101
libsnark::G2_dbl_gadget::Ax_squared_constraint
Fqe_mul_gadget< wppT > Ax_squared_constraint
Definition: weierstrass_g2_gadget.hpp:180
libsnark::G2_checker_gadget::G2_checker_gadget
G2_checker_gadget(protoboard< FieldT > &pb, const G2_variable< ppT > &Q, const std::string &annotation_prefix)
libsnark::G2_add_gadget::generate_r1cs_witness
void generate_r1cs_witness()
libsnark::G2_variable::G2_variable
G2_variable(protoboard< FieldT > &pb, const std::string &annotation_prefix)
libsnark::G2_variable::get_element
libff::G2< other_curve< ppT > > get_element() const
libsnark::G2_checker_gadget::Xsquared_plus_a
std::shared_ptr< Fqe_variable< ppT > > Xsquared_plus_a
Definition: weierstrass_g2_gadget.hpp:107
libsnark::G2_dbl_gadget::lambda_constraint
Fqe_mul_gadget< wppT > lambda_constraint
Definition: weierstrass_g2_gadget.hpp:184
libsnark::G2_equality_gadget::_B
G2_variable< wppT > _B
Definition: weierstrass_g2_gadget.hpp:212
libsnark::gadget< libff::Fr< ppT > >::annotation_prefix
const std::string annotation_prefix
Definition: gadget.hpp:20
scalar_multiplication.hpp
libsnark::G2_variable
Gadget that represents a G2 variable.
Definition: weierstrass_g2_gadget.hpp:31
libsnark::G2_variable::operator-
G2_variable operator-() const
libsnark::G2_add_gadget::lambda_constraint
Fqe_mul_gadget< wppT > lambda_constraint
Definition: weierstrass_g2_gadget.hpp:141
libsnark::G2_dbl_gadget
Double a G2 point.
Definition: weierstrass_g2_gadget.hpp:162
libsnark
Definition: accumulation_vector.hpp:18
libsnark::G2_variable_selector_gadget::one_case
const G2_variable< ppT > one_case
Definition: weierstrass_g2_gadget.hpp:78
libsnark::G2_checker_gadget::curve_equation
std::shared_ptr< Fqe_mul_gadget< ppT > > curve_equation
Definition: weierstrass_g2_gadget.hpp:112
libsnark::G2_variable::__attribute__
static size_t __attribute__((noinline)) size_in_bits()
libsnark::G2_variable::num_variables
static size_t num_variables()
libsnark::G2_checker_gadget::Ysquared_minus_b
std::shared_ptr< Fqe_variable< ppT > > Ysquared_minus_b
Definition: weierstrass_g2_gadget.hpp:108
libsnark::G2_variable_selector_gadget::generate_r1cs_constraints
void generate_r1cs_constraints()
libsnark::Fp2_variable
Definition: fp2_gadgets.hpp:27
libsnark::G2_add_gadget::Rx_constraint
Fqe_mul_gadget< wppT > Rx_constraint
Definition: weierstrass_g2_gadget.hpp:145
fp2_gadgets.hpp
libsnark::G2_variable::Y
std::shared_ptr< Fqe_variable< ppT > > Y
Definition: weierstrass_g2_gadget.hpp:39
libsnark::gadget< libff::Fr< ppT > >::pb
protoboard< libff::Fr< ppT > > & pb
Definition: gadget.hpp:19
libsnark::G2_dbl_gadget::lambda
Fqe_variable< wppT > lambda
Definition: weierstrass_g2_gadget.hpp:170
libsnark::G2_checker_gadget::Q
G2_variable< ppT > Q
Definition: weierstrass_g2_gadget.hpp:103
libsnark::G2_variable_selector_gadget::selector
const pb_linear_combination< Field > selector
Definition: weierstrass_g2_gadget.hpp:76
libsnark::G2_variable::FqeT
libff::Fqe< other_curve< ppT > > FqeT
Definition: weierstrass_g2_gadget.hpp:35
libsnark::G2_add_gadget::G2_add_gadget
G2_add_gadget(protoboard< libff::Fr< wppT >> &pb, const G2_variable< wppT > &A, const G2_variable< wppT > &B, const G2_variable< wppT > &result, const std::string &annotation_prefix)
libsnark::G2_variable_selector_gadget::result
G2_variable< ppT > result
Definition: weierstrass_g2_gadget.hpp:79
gadget.hpp
libsnark::G2_checker_gadget::FieldT
libff::Fr< ppT > FieldT
Definition: weierstrass_g2_gadget.hpp:99
libsnark::dbl_variable_or_identity
Definition: scalar_multiplication.hpp:269
libsnark::G2_variable_selector_gadget::generate_r1cs_witness
void generate_r1cs_witness()
libsnark::gadget
Definition: gadget.hpp:16
libsnark::add_variable_or_identity
Definition: scalar_multiplication.hpp:151
libsnark::G2_variable::FqkT
libff::Fqk< other_curve< ppT > > FqkT
Definition: weierstrass_g2_gadget.hpp:36
libsnark::G2_add_gadget::B
G2_variable< wppT > B
Definition: weierstrass_g2_gadget.hpp:127
libsnark::G2_dbl_gadget::By_constraint
Fqe_mul_gadget< wppT > By_constraint
Definition: weierstrass_g2_gadget.hpp:192
libsnark::G2_checker_gadget::compute_Xsquared
std::shared_ptr< Fqe_sqr_gadget< ppT > > compute_Xsquared
Definition: weierstrass_g2_gadget.hpp:110
libsnark::G2_checker_gadget::generate_r1cs_constraints
void generate_r1cs_constraints()
libsnark::G2_variable::FieldT
libff::Fr< ppT > FieldT
Definition: weierstrass_g2_gadget.hpp:34
libsnark::G2_checker_gadget::generate_r1cs_witness
void generate_r1cs_witness()
libsnark::G2_checker_gadget::Xsquared
std::shared_ptr< Fqe_variable< ppT > > Xsquared
Definition: weierstrass_g2_gadget.hpp:105
libsnark::G2_variable::X
std::shared_ptr< Fqe_variable< ppT > > X
Definition: weierstrass_g2_gadget.hpp:38
libsnark::G2_equality_gadget::FqeT
libff::Fqe< nppT > FqeT
Definition: weierstrass_g2_gadget.hpp:209
libsnark::pb_linear_combination_array
Definition: pb_variable.hpp:118
libsnark::Fqe_mul_gadget
typename pairing_selector< ppT >::Fqe_mul_gadget_type Fqe_mul_gadget
Definition: pairing_params.hpp:98
libsnark::G2_add_gadget::lambda
Fqe_variable< wppT > lambda
Definition: weierstrass_g2_gadget.hpp:130
pairing_params.hpp
libsnark::G2_variable_selector_gadget::Field
libff::Fr< ppT > Field
Definition: weierstrass_g2_gadget.hpp:74
libsnark::G2_dbl_gadget::nppT
other_curve< wppT > nppT
Definition: weierstrass_g2_gadget.hpp:165
libsnark::pb_linear_combination< Field >
libsnark::variable_or_identity_selector
Selector gadget for variable_or_identity.
Definition: scalar_multiplication.hpp:81
libsnark::Fqe_mul_by_lc_gadget
typename pairing_selector< ppT >::Fqe_mul_by_lc_gadget_type Fqe_mul_by_lc_gadget
Definition: pairing_params.hpp:102
libsnark::G2_checker_gadget::FqeT
libff::Fqe< other_curve< ppT > > FqeT
Definition: weierstrass_g2_gadget.hpp:100
libsnark::variable_or_identity
Definition: scalar_multiplication.hpp:35
libsnark::G2_dbl_gadget::G2_dbl_gadget
G2_dbl_gadget(protoboard< libff::Fr< wppT >> &pb, const G2_variable< wppT > &A, const G2_variable< wppT > &result, const std::string &annotation_prefix)
libsnark::G2_dbl_gadget::A
G2_variable< wppT > A
Definition: weierstrass_g2_gadget.hpp:167
libsnark::G2_add_gadget::result
G2_variable< wppT > result
Definition: weierstrass_g2_gadget.hpp:128
libsnark::G2_equality_gadget::nppT
other_curve< wppT > nppT
Definition: weierstrass_g2_gadget.hpp:208
libsnark::G2_equality_gadget::generate_r1cs_witness
void generate_r1cs_witness()
libsnark::G2_equality_gadget::G2_equality_gadget
G2_equality_gadget(protoboard< libff::Fr< wppT >> &pb, const G2_variable< wppT > &A, const G2_variable< wppT > &B, const std::string &annotation_prefix)
libsnark::Fqe_variable
typename pairing_selector< ppT >::Fqe_variable_type Fqe_variable
Definition: pairing_params.hpp:95
libsnark::G2_checker_gadget
Gadget that creates constraints for the validity of a G2 variable.
Definition: weierstrass_g2_gadget.hpp:96
libsnark::G2_equality_gadget::_A
G2_variable< wppT > _A
Definition: weierstrass_g2_gadget.hpp:211
libsnark::other_curve
typename pairing_selector< ppT >::other_curve_type other_curve
Definition: pairing_params.hpp:117
libsnark::G2_add_gadget::Ry_constraint
Fqe_mul_gadget< wppT > Ry_constraint
Definition: weierstrass_g2_gadget.hpp:149
libsnark::G2_variable::generate_r1cs_witness
void generate_r1cs_witness(const libff::G2< other_curve< ppT >> &Q)
libsnark::G2_add_gadget
Gadget to add 2 G2 points.
Definition: weierstrass_g2_gadget.hpp:123
libsnark::G2_variable::all_vars
pb_linear_combination_array< FieldT > all_vars
Definition: weierstrass_g2_gadget.hpp:41
libsnark::G2_add_gadget::A
G2_variable< wppT > A
Definition: weierstrass_g2_gadget.hpp:126
libsnark::G2_variable_selector_gadget
Definition: weierstrass_g2_gadget.hpp:71
libsnark::G2_dbl_gadget::generate_r1cs_witness
void generate_r1cs_witness()
libsnark::G2_dbl_gadget::generate_r1cs_constraints
void generate_r1cs_constraints()
libsnark::G2_variable_selector_gadget::mul_select_X
Fqe_mul_by_lc_gadget< ppT > mul_select_X
Definition: weierstrass_g2_gadget.hpp:80
libsnark::G2_variable_selector_gadget::mul_select_Y
Fqe_mul_by_lc_gadget< ppT > mul_select_Y
Definition: weierstrass_g2_gadget.hpp:81
libsnark::G2_variable_selector_gadget::G2_variable_selector_gadget
G2_variable_selector_gadget(protoboard< Field > &pb, const pb_linear_combination< Field > &selector, const G2_variable< ppT > &zero_case, const G2_variable< ppT > &one_case, const G2_variable< ppT > &result, const std::string &annotation_prefix)
libsnark::G2_equality_gadget
Check equality of 2 G2 points.
Definition: weierstrass_g2_gadget.hpp:205
libsnark::add_variable_and_variable_or_identity
Definition: scalar_multiplication.hpp:224
weierstrass_g2_gadget.tcc
libsnark::G2_equality_gadget::generate_r1cs_constraints
void generate_r1cs_constraints()
libsnark::G2_variable_selector_gadget::zero_case
const G2_variable< ppT > zero_case
Definition: weierstrass_g2_gadget.hpp:77
libsnark::G2_checker_gadget::compute_Ysquared
std::shared_ptr< Fqe_sqr_gadget< ppT > > compute_Ysquared
Definition: weierstrass_g2_gadget.hpp:111
libsnark::point_mul_by_scalar_gadget
Definition: scalar_multiplication.hpp:342
libsnark::point_mul_by_const_scalar_gadget
Definition: scalar_multiplication.hpp:310
libsnark::variable_and_variable_or_identity_selector
Selector gadget for a variable_or_identity, and a variable.
Definition: scalar_multiplication.hpp:116
libsnark::protoboard
Definition: pb_variable.hpp:22
Generated on Wed Jan 25 2023 11:05:57 for Clearmatics Libsnark by   doxygen 1.8.17