Documentation
¶
Overview ¶
Package sw_bls24315 implements the arithmetics of G1, G2 and the pairing computation on BLS24-315 as a SNARK circuit over BW6-633. These two curves form a 2-chain so the operations use native field arithmetic.
References: BLS24-315/BW6-633: https://eprint.iacr.org/2021/1359 Pairings in R1CS: https://eprint.iacr.org/2022/1162
Index ¶
- Variables
- func PairingCheck(api frontend.API, P []G1Affine, Q []G2Affine) error
- type Curve
- func (c *Curve) Add(P, Q *G1Affine) *G1Affine
- func (c *Curve) AddUnified(P, Q *G1Affine) *G1Affine
- func (c *Curve) AssertIsEqual(P, Q *G1Affine)
- func (c *Curve) Lookup2(b1, b2 frontend.Variable, p1, p2, p3, p4 *G1Affine) *G1Affine
- func (c *Curve) MarshalG1(P G1Affine) []frontend.Variable
- func (c *Curve) MarshalScalar(s Scalar) []frontend.Variable
- func (c *Curve) MultiScalarMul(P []*G1Affine, scalars []*Scalar, opts ...algopts.AlgebraOption) (*G1Affine, error)
- func (c *Curve) Mux(sel frontend.Variable, inputs ...*G1Affine) *G1Affine
- func (c *Curve) Neg(P *G1Affine) *G1Affine
- func (c *Curve) ScalarMul(P *G1Affine, s *Scalar, opts ...algopts.AlgebraOption) *G1Affine
- func (c *Curve) ScalarMulBase(s *Scalar, opts ...algopts.AlgebraOption) *G1Affine
- func (c *Curve) Select(b frontend.Variable, p1, p2 *G1Affine) *G1Affine
- type G1Affine
- func (p *G1Affine) AddAssign(api frontend.API, p1 G1Affine) *G1Affine
- func (p *G1Affine) AddUnified(api frontend.API, q G1Affine) *G1Affine
- func (p *G1Affine) AssertIsEqual(api frontend.API, other G1Affine)
- func (p *G1Affine) Assign(p1 *bls24315.G1Affine)
- func (p *G1Affine) Double(api frontend.API, p1 G1Affine) *G1Affine
- func (p *G1Affine) DoubleAndAdd(api frontend.API, p1, p2 *G1Affine) *G1Affine
- func (p *G1Affine) Lookup2(api frontend.API, b1, b2 frontend.Variable, p1, p2, p3, p4 G1Affine) *G1Affine
- func (p *G1Affine) Neg(api frontend.API, p1 G1Affine) *G1Affine
- func (P *G1Affine) ScalarMul(api frontend.API, Q G1Affine, s interface{}, opts ...algopts.AlgebraOption) *G1Affine
- func (P *G1Affine) ScalarMulBase(api frontend.API, s frontend.Variable, opts ...algopts.AlgebraOption) *G1Affine
- func (p *G1Affine) Select(api frontend.API, b frontend.Variable, p1, p2 G1Affine) *G1Affine
- type G2Affine
- type GT
- type Pairing
- type Scalar
- type ScalarField
Constants ¶
This section is empty.
Variables ¶
var DecomposeScalarG1 = func(scalarField *big.Int, inputs []*big.Int, res []*big.Int) error { cc := getInnerCurveConfig(scalarField) sp := ecc.SplitScalar(inputs[0], cc.glvBasis) res[0].Set(&(sp[0])) res[1].Set(&(sp[1])) one := big.NewInt(1) for res[0].Cmp(cc.lambda) < 1 && res[1].Cmp(cc.lambda) < 1 { res[0].Add(res[0], cc.lambda) res[0].Add(res[0], one) res[1].Add(res[1], cc.lambda) } res[2].Mul(res[1], cc.lambda).Add(res[2], res[0]) res[2].Sub(res[2], inputs[0]) res[2].Div(res[2], cc.fr) return nil }
var DecomposeScalarG2 = func(scalarField *big.Int, inputs []*big.Int, res []*big.Int) error { cc := getInnerCurveConfig(scalarField) sp := ecc.SplitScalar(inputs[0], cc.glvBasis) res[0].Set(&(sp[0])) res[1].Set(&(sp[1])) one := big.NewInt(1) for res[0].Cmp(cc.lambda) < 1 && res[1].Cmp(cc.lambda) < 1 { res[0].Add(res[0], cc.lambda) res[0].Add(res[0], one) res[1].Add(res[1], cc.lambda) } res[2].Mul(res[1], cc.lambda).Add(res[2], res[0]) res[2].Sub(res[2], inputs[0]) res[2].Div(res[2], cc.fr) return nil }
Functions ¶
func PairingCheck ¶
PairingCheck calculates the reduced pairing for a set of points and asserts if the result is One ∏ᵢ e(Pᵢ, Qᵢ) =? 1
This function doesn't check that the inputs are in the correct subgroups. See AssertIsOnG1 and AssertIsOnG2.
Types ¶
type Curve ¶
type Curve struct {
// contains filtered or unexported fields
}
Curve allows G1 operations in BLS24-315.
func (*Curve) AddUnified ¶
AddUnified adds any two points and returns the sum. It does not modify the input points.
func (*Curve) AssertIsEqual ¶
AssertIsEqual asserts the equality of P and Q.
func (*Curve) Lookup2 ¶
Lookup2 performs a 2-bit lookup between p1, p2, p3, p4 based on bits b0 and b1. Returns:
- p1 if b0=0 and b1=0,
- p2 if b0=1 and b1=0,
- p3 if b0=0 and b1=1,
- p4 if b0=1 and b1=1.
func (*Curve) MarshalG1 ¶
MarshalG1 returns [P.X || P.Y] in binary. Both P.X and P.Y are in little endian.
func (*Curve) MarshalScalar ¶
MarshalScalar returns
func (*Curve) MultiScalarMul ¶
func (c *Curve) MultiScalarMul(P []*G1Affine, scalars []*Scalar, opts ...algopts.AlgebraOption) (*G1Affine, error)
MultiScalarMul computes ∑scalars_i * P_i and returns it. It doesn't modify the inputs. It returns an error if there is a mismatch in the lengths of the inputs.
func (*Curve) Mux ¶
Mux performs a lookup from the inputs and returns inputs[sel]. It is most efficient for power of two lengths of the inputs, but works for any number of inputs.
func (*Curve) ScalarMul ¶
ScalarMul computes scalar*P and returns the result. It doesn't modify the inputs.
func (*Curve) ScalarMulBase ¶
func (c *Curve) ScalarMulBase(s *Scalar, opts ...algopts.AlgebraOption) *G1Affine
ScalarMulBase computes scalar*G where G is the standard base point of the curve. It doesn't modify the scalar.
type G1Affine ¶
G1Affine point in affine coords
func NewG1Affine ¶
NewG1Affine allocates a witness from the native G1 element and returns it.
func (*G1Affine) AddAssign ¶
AddAssign adds p1 to p using the affine formulas with division, and return p
func (*G1Affine) AssertIsEqual ¶
AssertIsEqual constraint self to be equal to other into the given constraint system
func (*G1Affine) DoubleAndAdd ¶
DoubleAndAdd computes 2*p1+p in affine coords
func (*G1Affine) Lookup2 ¶
func (p *G1Affine) Lookup2(api frontend.API, b1, b2 frontend.Variable, p1, p2, p3, p4 G1Affine) *G1Affine
Lookup2 performs a 2-bit lookup between p1, p2, p3, p4 based on bits b0 and b1. Returns:
- p1 if b0=0 and b1=0,
- p2 if b0=1 and b1=0,
- p3 if b0=0 and b1=1,
- p4 if b0=1 and b1=1.
func (*G1Affine) ScalarMul ¶
func (P *G1Affine) ScalarMul(api frontend.API, Q G1Affine, s interface{}, opts ...algopts.AlgebraOption) *G1Affine
ScalarMul sets P = [s] Q and returns P.
The method chooses an implementation based on scalar s. If it is constant, then the compiled circuit depends on s. If it is variable type, then the circuit is independent of the inputs.
func (*G1Affine) ScalarMulBase ¶
func (P *G1Affine) ScalarMulBase(api frontend.API, s frontend.Variable, opts ...algopts.AlgebraOption) *G1Affine
ScalarMulBase computes s * g1 and returns it, where g1 is the fixed generator. It doesn't modify s.
type G2Affine ¶
type G2Affine struct {
P g2AffP
Lines *lineEvaluations
}
G2Affine point in affine coords
func NewG2Affine ¶
func NewG2AffineFixed ¶
NewG2AffineFixed returns witness of v with precomputations for efficient pairing computation.
func NewG2AffineFixedPlaceholder ¶
func NewG2AffineFixedPlaceholder() G2Affine
NewG2AffineFixedPlaceholder returns a placeholder for the circuit compilation when witness will be given with line precomputations using NewG2AffineFixed.
type GT ¶
type GT = fields_bls24315.E24
GT target group of the pairing
func FinalExponentiation ¶
FinalExponentiation computes the exponentiation e1ᵈ where d = (p²⁴-1)/r = (p²⁴-1)/Φ₂₄(p) ⋅ Φ₂₄(p)/r = (p¹²-1)(p⁴+1)(p⁸ - p⁴ +1)/r we use instead d=s ⋅ (p¹²-1)(p⁴+1)(p⁸ - p⁴ +1)/r where s is the cofactor 3 (Hayashida et al.)
func MillerLoop ¶
MillerLoop computes the product of n miller loops (n can be 1) ∏ᵢ { fᵢ_{x₀,Q}(P) }
type Pairing ¶
type Pairing struct {
// contains filtered or unexported fields
}
Pairing allows computing pairing-related operations in BLS24-315.
func NewPairing ¶
NewPairing initializes a Pairing instance.
func (*Pairing) AssertIsEqual ¶
AssertIsEqual asserts the equality of the target group elements.
func (*Pairing) FinalExponentiation ¶
FinalExponentiation performs the final exponentiation on the target group element. It doesn't modify the input.
func (*Pairing) MillerLoop ¶
MillerLoop computes the Miller loop between the pairs of inputs. It doesn't modify the inputs. It returns an error if there is a mismatch betwen the lengths of the inputs.
func (*Pairing) PairingCheck ¶
PairingCheck computes the multi-pairing of the input pairs and asserts that the result is an identity element in the target group. It returns an error if there is a mismatch between the lengths of the inputs.
type Scalar ¶
type Scalar = emulated.Element[ScalarField]
Scalar is a scalar in the groups. As the implementation is defined on a 2-chain, then this type is an alias to frontend.Variable.
func NewScalar ¶
func NewScalar(v fr_bls24315.Element) Scalar
NewScalar allocates a witness from the native scalar and returns it.
type ScalarField ¶
type ScalarField = emparams.BLS12315Fr
ScalarField defines the emulated.FieldParams implementation on a one limb of the scalar field.
Source Files