diff --git a/std/algebra/defaults.go b/std/algebra/defaults.go
index 3c78897959..69407d0565 100644
--- a/std/algebra/defaults.go
+++ b/std/algebra/defaults.go
@@ -53,31 +53,31 @@ func GetCurve[S ScalarT, G1El G1ElementT](api frontend.API) (Curve[S, G1El], err // GetPairing returns the [Pairing] implementation corresponding to the groups // type parameters. The method allows to have a fully generic implementation // without taking into consideration the initialization differences. -func GetPairing[G1El G1ElementT, G2El G2ElementT, GtEl GtElementT](api frontend.API) (Pairing[G1El, G2El, GtEl], error) { - var ret Pairing[G1El, G2El, GtEl] +func GetPairing[G1El G1ElementT, G2El G2ElementT, GtEl GtElementT, L LinesT](api frontend.API) (Pairing[G1El, G2El, GtEl, LinesT], error) { + var ret Pairing[G1El, G2El, GtEl, LinesT] switch s := any(&ret).(type) { - case *Pairing[sw_bn254.G1Affine, sw_bn254.G2Affine, sw_bn254.GTEl]: + case *Pairing[sw_bn254.G1Affine, sw_bn254.G2Affine, sw_bn254.GTEl, sw_bn254.LineEvaluation]: p, err := sw_bn254.NewPairing(api) if err != nil { return ret, fmt.Errorf("new pairing: %w", err) } *s = p - case *Pairing[sw_bw6761.G1Affine, sw_bw6761.G2Affine, sw_bw6761.GTEl]: + case *Pairing[sw_bw6761.G1Affine, sw_bw6761.G2Affine, sw_bw6761.GTEl, sw_bw6761.LineEvaluation]: p, err := sw_bw6761.NewPairing(api) if err != nil { return ret, fmt.Errorf("new pairing: %w", err) } *s = p - case *Pairing[sw_bls12381.G1Affine, sw_bls12381.G2Affine, sw_bls12381.GTEl]: + case *Pairing[sw_bls12381.G1Affine, sw_bls12381.G2Affine, sw_bls12381.GTEl, sw_bls12381.LineEvaluation]: p, err := sw_bls12381.NewPairing(api) if err != nil { return ret, fmt.Errorf("new pairing: %w", err) } *s = p - case *Pairing[sw_bls12377.G1Affine, sw_bls12377.G2Affine, sw_bls12377.GT]: + case *Pairing[sw_bls12377.G1Affine, sw_bls12377.G2Affine, sw_bls12377.GT, sw_bls12377.LineEvaluation]: p := sw_bls12377.NewPairing(api) *s = p - case *Pairing[sw_bls24315.G1Affine, sw_bls24315.G2Affine, sw_bls24315.GT]: + case *Pairing[sw_bls24315.G1Affine, sw_bls24315.G2Affine, sw_bls24315.GT, sw_bls24315.LineEvaluation]: p := sw_bls24315.NewPairing(api) *s = p 
default: diff --git a/std/algebra/emulated/sw_bls12381/pairing.go b/std/algebra/emulated/sw_bls12381/pairing.go index 1c3d38da0f..19e7bf1c6d 100644 --- a/std/algebra/emulated/sw_bls12381/pairing.go +++ b/std/algebra/emulated/sw_bls12381/pairing.go @@ -210,11 +210,11 @@ func (pr Pairing) finalExponentiation(e *GTEl, unsafe bool) *GTEl { return &result } -// lineEvaluation represents a sparse Fp12 Elmt (result of the line evaluation) +// LineEvaluation represents a sparse Fp12 Elmt (result of the line evaluation) // line: 1 - R0(x/y) - R1(1/y) = 0 instead of R0'*y - R1'*x - R2' = 0 This // makes the multiplication by lines (MulBy014) and between lines (Mul014By014) // circuit-efficient. -type lineEvaluation struct { +type LineEvaluation struct { R0, R1 fields_bls12381.E2 } @@ -325,7 +325,7 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { res := pr.Ext12.One() - var l1, l2 *lineEvaluation + var l1, l2 *LineEvaluation Qacc := make([]*G2Affine, n) yInv := make([]*emulated.Element[emulated.BLS12381Fp], n) xNegOverY := make([]*emulated.Element[emulated.BLS12381Fp], n) @@ -359,7 +359,7 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { res.C0.B0 = *pr.MulByElement(&l1.R1, yInv[0]) res.C1.B1 = *pr.Ext2.One() // line evaluation at P[0] - l2 = &lineEvaluation{ + l2 = &LineEvaluation{ R0: *pr.MulByElement(&l2.R0, xNegOverY[0]), R1: *pr.MulByElement(&l2.R1, yInv[0]), } @@ -384,12 +384,12 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { // l2 the line ℓ passing 2Q[k] and Q[k] Qacc[k], l1, l2 = pr.tripleStep(Qacc[k]) // line evaluation at P[k] - l1 = &lineEvaluation{ + l1 = &LineEvaluation{ R0: *pr.MulByElement(&l1.R0, xNegOverY[k]), R1: *pr.MulByElement(&l1.R1, yInv[k]), } // line evaluation at P[k] - l2 = &lineEvaluation{ + l2 = &LineEvaluation{ R0: *pr.MulByElement(&l2.R0, xNegOverY[k]), R1: *pr.MulByElement(&l2.R1, yInv[k]), } 
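Review bot: The return type and the `ret` declaration in GetPairing name the constraint `LinesT` instead of the new type parameter `L`, so `ret` is instantiated with the interface type `LinesT` itself. As written, none of the `*Pairing[..., sw_bn254.LineEvaluation]`-style cases can match `&ret`, and every call would fall through to `default:`, whose body is outside this hunk. `L` also appears nowhere else in the signature, so it cannot be inferred at call sites. Use the parameter in both places: `(Pairing[G1El, G2El, GtEl, L], error)` and `var ret Pairing[G1El, G2El, GtEl, L]`.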
@@ -411,7 +411,7 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { // Qacc[k] ← 2Qacc[k] and l1 the tangent ℓ passing 2Qacc[k] Qacc[k], l1 = pr.doubleStep(Qacc[k]) // line evaluation at P[k] - l1 = &lineEvaluation{ + l1 = &LineEvaluation{ R0: *pr.MulByElement(&l1.R0, xNegOverY[k]), R1: *pr.MulByElement(&l1.R1, yInv[k]), } @@ -425,12 +425,12 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { // l2 the line ℓ passing (Qacc[k]+Q[k]) and Qacc[k] Qacc[k], l1, l2 = pr.doubleAndAddStep(Qacc[k], Q[k]) // line evaluation at P[k] - l1 = &lineEvaluation{ + l1 = &LineEvaluation{ R0: *pr.MulByElement(&l1.R0, xNegOverY[k]), R1: *pr.MulByElement(&l1.R1, yInv[k]), } // line evaluation at P[k] - l2 = &lineEvaluation{ + l2 = &LineEvaluation{ R0: *pr.MulByElement(&l2.R0, xNegOverY[k]), R1: *pr.MulByElement(&l2.R1, yInv[k]), } @@ -448,7 +448,7 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { // l1 the tangent ℓ passing 2Qacc[k] l1 = pr.tangentCompute(Qacc[k]) // line evaluation at P[k] - l1 = &lineEvaluation{ + l1 = &LineEvaluation{ R0: *pr.MulByElement(&l1.R0, xNegOverY[k]), R1: *pr.MulByElement(&l1.R1, yInv[k]), } @@ -464,9 +464,9 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { // doubleAndAddStep doubles p1 and adds p2 to the result in affine coordinates, and evaluates the line in Miller loop // https://eprint.iacr.org/2022/1162 (Section 6.1) -func (pr Pairing) doubleAndAddStep(p1, p2 *G2Affine) (*G2Affine, *lineEvaluation, *lineEvaluation) { +func (pr Pairing) doubleAndAddStep(p1, p2 *G2Affine) (*G2Affine, *LineEvaluation, *LineEvaluation) { - var line1, line2 lineEvaluation + var line1, line2 LineEvaluation var p G2Affine // compute λ1 = (y2-y1)/(x2-x1) 
@@ -516,10 +516,10 @@ func (pr Pairing) doubleAndAddStep(p1, p2 *G2Affine) (*G2Affine, *lineEvaluation // doubleStep doubles a point in affine coordinates, and evaluates the line in Miller loop // https://eprint.iacr.org/2022/1162 (Section 6.1) -func (pr Pairing) doubleStep(p1 *G2Affine) (*G2Affine, *lineEvaluation) { +func (pr Pairing) doubleStep(p1 *G2Affine) (*G2Affine, *LineEvaluation) { var p G2Affine - var line lineEvaluation + var line LineEvaluation // λ = 3x²/2y n := pr.Ext2.Square(&p1.X) @@ -551,7 +551,7 @@ func (pr Pairing) doubleStep(p1 *G2Affine) (*G2Affine, *lineEvaluation) { // addStep adds two points in affine coordinates, and evaluates the line in Miller loop // https://eprint.iacr.org/2022/1162 (Section 6.1) -func (pr Pairing) addStep(p1, p2 *G2Affine) (*G2Affine, *lineEvaluation) { +func (pr Pairing) addStep(p1, p2 *G2Affine) (*G2Affine, *LineEvaluation) { // compute λ = (y2-y1)/(x2-x1) p2ypy := pr.Ext2.Sub(&p2.Y, &p1.Y) @@ -572,7 +572,7 @@ func (pr Pairing) addStep(p1, p2 *G2Affine) (*G2Affine, *lineEvaluation) { res.X = *xr res.Y = *yr - var line lineEvaluation + var line LineEvaluation line.R0 = *λ line.R1 = *pr.Ext2.Mul(λ, &p1.X) line.R1 = *pr.Ext2.Sub(&line.R1, &p1.Y) @@ -582,9 +582,9 @@ func (pr Pairing) addStep(p1, p2 *G2Affine) (*G2Affine, *lineEvaluation) { } // tripleStep triples p1 in affine coordinates, and evaluates the line in Miller loop -func (pr Pairing) tripleStep(p1 *G2Affine) (*G2Affine, *lineEvaluation, *lineEvaluation) { +func (pr Pairing) tripleStep(p1 *G2Affine) (*G2Affine, *LineEvaluation, *LineEvaluation) { - var line1, line2 lineEvaluation + var line1, line2 LineEvaluation var res G2Affine // λ1 = 3x²/2y 
@@ -632,7 +632,7 @@ func (pr Pairing) tripleStep(p1 *G2Affine) (*G2Affine, *lineEvaluation, *lineEva } // tangentCompute computes the line that goes through p1 and p2 but does not compute p1+p2 -func (pr Pairing) tangentCompute(p1 *G2Affine) *lineEvaluation { +func (pr Pairing) tangentCompute(p1 *G2Affine) *LineEvaluation { // λ = 3x²/2y n := pr.Ext2.Square(&p1.X) @@ -641,7 +641,7 @@ func (pr Pairing) tangentCompute(p1 *G2Affine) *lineEvaluation { d := pr.Ext2.Double(&p1.Y) λ := pr.Ext2.DivUnchecked(n, d) - var line lineEvaluation + var line LineEvaluation line.R0 = *λ line.R1 = *pr.Ext2.Mul(λ, &p1.X) line.R1 = *pr.Ext2.Sub(&line.R1, &p1.Y) @@ -656,7 +656,7 @@ func (pr Pairing) tangentCompute(p1 *G2Affine) *lineEvaluation { // MillerLoopFixedQ computes the multi-Miller loop as in MillerLoop // but Qᵢ are fixed points in G2 known in advance. -func (pr Pairing) MillerLoopFixedQ(P []*G1Affine, lines [][2][63]lineEvaluation) (*GTEl, error) { +func (pr Pairing) MillerLoopFixedQ(P []*G1Affine, lines [][2][63]LineEvaluation) (*GTEl, error) { // check input size match n := len(P) @@ -752,7 +752,7 @@ func (pr Pairing) MillerLoopFixedQ(P []*G1Affine, lines [][2][63]lineEvaluation) // ∏ᵢ e(Pᵢ, Qᵢ) where Qᵢ are fixed points known in advance. // // This function doesn't check that the inputs are in the correct subgroup. See IsInSubGroup. -func (pr Pairing) PairFixedQ(P []*G1Affine, lines [][2][63]lineEvaluation) (*GTEl, error) { +func (pr Pairing) PairFixedQ(P []*G1Affine, lines [][2][63]LineEvaluation) (*GTEl, error) { f, err := pr.MillerLoopFixedQ(P, lines) if err != nil { return nil, err 
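Review bot: Exporting `LineEvaluation` lets code outside the package build the `lines` argument of PairFixedQ itself, yet the doc comment in the `-752` hunk only warns about subgroup checks. Nothing visible here ties `lines` to a G2 point, so a circuit that takes them from the witness rather than from a trusted precomputation would presumably leave the pairing result under the prover's control. Add a sentence such as `// lines must come from a trusted precomputation for the fixed Qᵢ; this function does not check them against any G2 point.` The same caveat applies to MillerLoopFixedQ and PairingFixedQCheck in this file and to the sw_bn254 and sw_bw6761 counterparts. PairFixedQ's body continues outside the hunk.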
@@ -764,7 +764,7 @@ func (pr Pairing) PairFixedQ(P []*G1Affine, lines [][2][63]lineEvaluation) (*GTE // ∏ᵢ e(Pᵢ, Qᵢ) =? 1 where Qᵢ are fixed points known in advance. // // This function doesn't check that the inputs are in the correct subgroups. -func (pr Pairing) PairingFixedQCheck(P []*G1Affine, lines [][2][63]lineEvaluation) error { +func (pr Pairing) PairingFixedQCheck(P []*G1Affine, lines [][2][63]LineEvaluation) error { f, err := pr.PairFixedQ(P, lines) if err != nil { return err diff --git a/std/algebra/emulated/sw_bls12381/pairing_test.go b/std/algebra/emulated/sw_bls12381/pairing_test.go index 83af14d314..4a102788a0 100644 --- a/std/algebra/emulated/sw_bls12381/pairing_test.go +++ b/std/algebra/emulated/sw_bls12381/pairing_test.go @@ -243,7 +243,7 @@ func TestGroupMembershipSolve(t *testing.T) { type PairFixedCircuit struct { InG1 G1Affine - Lines [2][63]lineEvaluation + Lines [2][63]LineEvaluation Res GTEl } @@ -252,7 +252,7 @@ func (c *PairFixedCircuit) Define(api frontend.API) error { if err != nil { return fmt.Errorf("new pairing: %w", err) } - res, err := pairing.PairFixedQ([]*G1Affine{&c.InG1}, [][2][63]lineEvaluation{c.Lines}) + res, err := pairing.PairFixedQ([]*G1Affine{&c.InG1}, [][2][63]LineEvaluation{c.Lines}) if err != nil { return fmt.Errorf("pair: %w", err) } @@ -278,8 +278,8 @@ func TestPairFixedTestSolve(t *testing.T) { type DoublePairFixedCircuit struct { In1G1 G1Affine In2G1 G1Affine - Lines1 [2][63]lineEvaluation - Lines2 [2][63]lineEvaluation + Lines1 [2][63]LineEvaluation + Lines2 [2][63]LineEvaluation Res GTEl } @@ -288,7 +288,7 @@ func (c *DoublePairFixedCircuit) Define(api frontend.API) error { if err != nil { return fmt.Errorf("new pairing: %w", err) } - res, err := pairing.PairFixedQ([]*G1Affine{&c.In1G1, &c.In2G1}, [][2][63]lineEvaluation{c.Lines1, c.Lines2}) + res, err := pairing.PairFixedQ([]*G1Affine{&c.In1G1, &c.In2G1}, [][2][63]LineEvaluation{c.Lines1, c.Lines2}) if err != nil { return fmt.Errorf("pair: %w", err) } 
diff --git a/std/algebra/emulated/sw_bls12381/precomputations.go b/std/algebra/emulated/sw_bls12381/precomputations.go index 4e841378a9..c02c0df176 100644 --- a/std/algebra/emulated/sw_bls12381/precomputations.go +++ b/std/algebra/emulated/sw_bls12381/precomputations.go @@ -15,18 +15,18 @@ import ( // Q.Y.A0 = 0xce5d527727d6e118cc9cdc6da2e351aadfd9baa8cbdd3a76d429a695160d12c923ac9cc3baca289e193548608b82801 // Q.Y.A1 = 0x606c4a02ea734cc32acd2b02bc28b99cb3e287e85a763af267492ab572e99ab3f370d275cec1da1aaa9075ff05f79be -var precomputedLines [2][63]lineEvaluation +var precomputedLines [2][63]LineEvaluation var precomputedLinesOnce sync.Once -func getPrecomputedLines() [2][63]lineEvaluation { +func getPrecomputedLines() [2][63]LineEvaluation { precomputedLinesOnce.Do(func() { precomputedLines = computePrecomputedLines() }) return precomputedLines } -func computePrecomputedLines() [2][63]lineEvaluation { - var PrecomputedLines [2][63]lineEvaluation +func computePrecomputedLines() [2][63]LineEvaluation { + var PrecomputedLines [2][63]LineEvaluation _, _, _, G2AffGen := bls12381.Generators() lines := bls12381.PrecomputeLines(G2AffGen) for j := 0; j < 63; j++ { diff --git a/std/algebra/emulated/sw_bn254/pairing.go b/std/algebra/emulated/sw_bn254/pairing.go index d1ef70e487..ea2790fa1e 100644 --- a/std/algebra/emulated/sw_bn254/pairing.go +++ b/std/algebra/emulated/sw_bn254/pairing.go @@ -312,11 +312,11 @@ var loopCounter = [66]int8{ -1, 0, -1, 0, 0, 0, 1, 0, -1, 0, 1, } -// lineEvaluation represents a sparse Fp12 Elmt (result of the line evaluation) +// LineEvaluation represents a sparse Fp12 Elmt (result of the line evaluation) // line: 1 + R0(x/y) + R1(1/y) = 0 instead of R0'*y + R1'*x + R2' = 0 This // makes the multiplication by lines (MulBy034) and between lines (Mul034By034) // circuit-efficient. -type lineEvaluation struct { +type LineEvaluation struct { R0, R1 fields_bn254.E2 } 
@@ -332,7 +332,7 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { res := pr.Ext12.One() var prodLines [5]*fields_bn254.E2 - var l1, l2 *lineEvaluation + var l1, l2 *LineEvaluation Qacc := make([]*G2Affine, n) QNeg := make([]*G2Affine, n) yInv := make([]*emulated.Element[emulated.BN254Fp], n) @@ -374,7 +374,7 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { Qacc[1], l1 = pr.doubleStep(Qacc[1]) // line evaluation at P[1] - l1 = &lineEvaluation{ + l1 = &LineEvaluation{ R0: *pr.MulByElement(&l1.R0, xNegOverY[1]), R1: *pr.MulByElement(&l1.R1, yInv[1]), } @@ -401,7 +401,7 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { Qacc[2], l1 = pr.doubleStep(Qacc[2]) // line evaluation at P[1] - l1 = &lineEvaluation{ + l1 = &LineEvaluation{ R0: *pr.MulByElement(&l1.R0, xNegOverY[2]), R1: *pr.MulByElement(&l1.R1, yInv[2]), } @@ -415,7 +415,7 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { Qacc[k], l1 = pr.doubleStep(Qacc[k]) // line evaluation at P[k] - l1 = &lineEvaluation{ + l1 = &LineEvaluation{ R0: *pr.MulByElement(&l1.R0, xNegOverY[k]), R1: *pr.MulByElement(&l1.R1, yInv[k]), } @@ -440,7 +440,7 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { l2 = pr.lineCompute(Qacc[k], QNeg[k]) // line evaluation at P[k] - l2 = &lineEvaluation{ + l2 = &LineEvaluation{ R0: *pr.MulByElement(&l2.R0, xNegOverY[k]), R1: *pr.MulByElement(&l2.R1, yInv[k]), } @@ -450,7 +450,7 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { Qacc[k], l1 = pr.addStep(Qacc[k], Q[k]) // line evaluation at P[k] - l1 = &lineEvaluation{ + l1 = &LineEvaluation{ R0: *pr.MulByElement(&l1.R0, xNegOverY[k]), R1: *pr.MulByElement(&l1.R1, yInv[k]), } 
@@ -461,7 +461,7 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { res = pr.MulBy01234(res, prodLines) } - l1s := make([]*lineEvaluation, n) + l1s := make([]*LineEvaluation, n) for i := 62; i >= 0; i-- { // mutualize the square among n Miller loops // (∏ᵢfᵢ)² @@ -476,7 +476,7 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { Qacc[k], l1s[k] = pr.doubleStep(Qacc[k]) // line evaluation at P[k] - l1s[k] = &lineEvaluation{ + l1s[k] = &LineEvaluation{ R0: *pr.MulByElement(&l1s[k].R0, xNegOverY[k]), R1: *pr.MulByElement(&l1s[k].R1, yInv[k]), } @@ -508,13 +508,13 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { Qacc[k], l1, l2 = pr.doubleAndAddStep(Qacc[k], Q[k]) // line evaluation at P[k] - l1 = &lineEvaluation{ + l1 = &LineEvaluation{ R0: *pr.MulByElement(&l1.R0, xNegOverY[k]), R1: *pr.MulByElement(&l1.R1, yInv[k]), } // line evaluation at P[k] - l2 = &lineEvaluation{ + l2 = &LineEvaluation{ R0: *pr.MulByElement(&l2.R0, xNegOverY[k]), R1: *pr.MulByElement(&l2.R1, yInv[k]), } @@ -534,13 +534,13 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { Qacc[k], l1, l2 = pr.doubleAndAddStep(Qacc[k], QNeg[k]) // line evaluation at P[k] - l1 = &lineEvaluation{ + l1 = &LineEvaluation{ R0: *pr.MulByElement(&l1.R0, xNegOverY[k]), R1: *pr.MulByElement(&l1.R1, yInv[k]), } // line evaluation at P[k] - l2 = &lineEvaluation{ + l2 = &LineEvaluation{ R0: *pr.MulByElement(&l2.R0, xNegOverY[k]), R1: *pr.MulByElement(&l2.R1, yInv[k]), } @@ -584,7 +584,7 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { Qacc[k], l1 = pr.addStep(Qacc[k], Q1) // line evaluation at P[k] - l1 = &lineEvaluation{ + l1 = &LineEvaluation{ R0: *pr.Ext2.MulByElement(&l1.R0, xNegOverY[k]), R1: *pr.Ext2.MulByElement(&l1.R1, yInv[k]), } 
@@ -592,7 +592,7 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { // l2 the line passing Qacc[k] and -π²(Q) l2 = pr.lineCompute(Qacc[k], Q2) // line evaluation at P[k] - l2 = &lineEvaluation{ + l2 = &LineEvaluation{ R0: *pr.MulByElement(&l2.R0, xNegOverY[k]), R1: *pr.MulByElement(&l2.R1, yInv[k]), } @@ -609,9 +609,9 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { // doubleAndAddStep doubles p1 and adds p2 to the result in affine coordinates, and evaluates the line in Miller loop // https://eprint.iacr.org/2022/1162 (Section 6.1) -func (pr Pairing) doubleAndAddStep(p1, p2 *G2Affine) (*G2Affine, *lineEvaluation, *lineEvaluation) { +func (pr Pairing) doubleAndAddStep(p1, p2 *G2Affine) (*G2Affine, *LineEvaluation, *LineEvaluation) { - var line1, line2 lineEvaluation + var line1, line2 LineEvaluation var p G2Affine // compute λ1 = (y2-y1)/(x2-x1) @@ -661,10 +661,10 @@ func (pr Pairing) doubleAndAddStep(p1, p2 *G2Affine) (*G2Affine, *lineEvaluation // doubleStep doubles a point in affine coordinates, and evaluates the line in Miller loop // https://eprint.iacr.org/2022/1162 (Section 6.1) -func (pr Pairing) doubleStep(p1 *G2Affine) (*G2Affine, *lineEvaluation) { +func (pr Pairing) doubleStep(p1 *G2Affine) (*G2Affine, *LineEvaluation) { var p G2Affine - var line lineEvaluation + var line LineEvaluation // λ = 3x²/2y n := pr.Ext2.Square(&p1.X) @@ -696,7 +696,7 @@ func (pr Pairing) doubleStep(p1 *G2Affine) (*G2Affine, *lineEvaluation) { // addStep adds two points in affine coordinates, and evaluates the line in Miller loop // https://eprint.iacr.org/2022/1162 (Section 6.1) -func (pr Pairing) addStep(p1, p2 *G2Affine) (*G2Affine, *lineEvaluation) { +func (pr Pairing) addStep(p1, p2 *G2Affine) (*G2Affine, *LineEvaluation) { // compute λ = (y2-y1)/(x2-x1) p2ypy := pr.Ext2.Sub(&p2.Y, &p1.Y) 
@@ -717,7 +717,7 @@ func (pr Pairing) addStep(p1, p2 *G2Affine) (*G2Affine, *lineEvaluation) { res.X = *xr res.Y = *yr - var line lineEvaluation + var line LineEvaluation line.R0 = *λ line.R1 = *pr.Ext2.Mul(λ, &p1.X) line.R1 = *pr.Ext2.Sub(&line.R1, &p1.Y) @@ -727,14 +727,14 @@ func (pr Pairing) addStep(p1, p2 *G2Affine) (*G2Affine, *lineEvaluation) { } // lineCompute computes the line that goes through p1 and p2 but does not compute p1+p2 -func (pr Pairing) lineCompute(p1, p2 *G2Affine) *lineEvaluation { +func (pr Pairing) lineCompute(p1, p2 *G2Affine) *LineEvaluation { // compute λ = (y2-y1)/(x2-x1) qypy := pr.Ext2.Sub(&p2.Y, &p1.Y) qxpx := pr.Ext2.Sub(&p2.X, &p1.X) λ := pr.Ext2.DivUnchecked(qypy, qxpx) - var line lineEvaluation + var line LineEvaluation line.R0 = *λ line.R1 = *pr.Ext2.Mul(λ, &p1.X) line.R1 = *pr.Ext2.Sub(&line.R1, &p1.Y) @@ -772,7 +772,7 @@ func (pr Pairing) FinalExponentiationIsOne(e *GTEl) { // MillerLoopFixedQ computes the multi-Miller loop as in MillerLoop // but Qᵢ are fixed points in G2 known in advance. -func (pr Pairing) MillerLoopFixedQ(P []*G1Affine, lines [][2][66]lineEvaluation) (*GTEl, error) { +func (pr Pairing) MillerLoopFixedQ(P []*G1Affine, lines [][2][66]LineEvaluation) (*GTEl, error) { // check input size match n := len(P) @@ -910,7 +910,7 @@ func (pr Pairing) MillerLoopFixedQ(P []*G1Affine, lines [][2][66]lineEvaluation) // ∏ᵢ e(Pᵢ, Qᵢ) where Qᵢ are fixed points known in advance. // // This function doesn't check that the inputs are in the correct subgroup. See IsInSubGroup. -func (pr Pairing) PairFixedQ(P []*G1Affine, lines [][2][66]lineEvaluation) (*GTEl, error) { +func (pr Pairing) PairFixedQ(P []*G1Affine, lines [][2][66]LineEvaluation) (*GTEl, error) { f, err := pr.MillerLoopFixedQ(P, lines) if err != nil { return nil, err 
@@ -922,7 +922,7 @@ func (pr Pairing) PairFixedQ(P []*G1Affine, lines [][2][66]lineEvaluation) (*GTE // ∏ᵢ e(Pᵢ, Qᵢ) =? 1 where Qᵢ are fixed points known in advance. // // This function doesn't check that the inputs are in the correct subgroups. -func (pr Pairing) PairingFixedQCheck(P []*G1Affine, lines [][2][66]lineEvaluation) error { +func (pr Pairing) PairingFixedQCheck(P []*G1Affine, lines [][2][66]LineEvaluation) error { f, err := pr.PairFixedQ(P, lines) if err != nil { return err diff --git a/std/algebra/emulated/sw_bn254/pairing_test.go b/std/algebra/emulated/sw_bn254/pairing_test.go index 107592a12c..c239402336 100644 --- a/std/algebra/emulated/sw_bn254/pairing_test.go +++ b/std/algebra/emulated/sw_bn254/pairing_test.go @@ -251,7 +251,7 @@ func TestGroupMembershipSolve(t *testing.T) { type PairFixedCircuit struct { InG1 G1Affine - Lines [2][66]lineEvaluation + Lines [2][66]LineEvaluation Res GTEl } @@ -260,7 +260,7 @@ func (c *PairFixedCircuit) Define(api frontend.API) error { if err != nil { return fmt.Errorf("new pairing: %w", err) } - res, err := pairing.PairFixedQ([]*G1Affine{&c.InG1}, [][2][66]lineEvaluation{c.Lines}) + res, err := pairing.PairFixedQ([]*G1Affine{&c.InG1}, [][2][66]LineEvaluation{c.Lines}) if err != nil { return fmt.Errorf("pair: %w", err) } @@ -286,8 +286,8 @@ func TestPairFixedTestSolve(t *testing.T) { type DoublePairFixedCircuit struct { In1G1 G1Affine In2G1 G1Affine - Lines1 [2][66]lineEvaluation - Lines2 [2][66]lineEvaluation + Lines1 [2][66]LineEvaluation + Lines2 [2][66]LineEvaluation Res GTEl } @@ -296,7 +296,7 @@ func (c *DoublePairFixedCircuit) Define(api frontend.API) error { if err != nil { return fmt.Errorf("new pairing: %w", err) } - res, err := pairing.PairFixedQ([]*G1Affine{&c.In1G1, &c.In2G1}, [][2][66]lineEvaluation{c.Lines1, c.Lines2}) + res, err := pairing.PairFixedQ([]*G1Affine{&c.In1G1, &c.In2G1}, [][2][66]LineEvaluation{c.Lines1, c.Lines2}) if err != nil { return fmt.Errorf("pair: %w", err) } 
diff --git a/std/algebra/emulated/sw_bn254/precomputations.go b/std/algebra/emulated/sw_bn254/precomputations.go index 222bdc7579..d90ceca79c 100644 --- a/std/algebra/emulated/sw_bn254/precomputations.go +++ b/std/algebra/emulated/sw_bn254/precomputations.go @@ -14,18 +14,18 @@ import ( // Q.X.A1 = 0x198e9393920d483a7260bfb731fb5d25f1aa493335a9e71297e485b7aef312c2 // Q.Y.A0 = 0x12c85ea5db8c6deb4aab71808dcb408fe3d1e7690c43d37b4ce6cc0166fa7daa // Q.Y.A1 = 0x90689d0585ff075ec9e99ad690c3395bc4b313370b38ef355acdadcd122975b -var precomputedLines [2][66]lineEvaluation +var precomputedLines [2][66]LineEvaluation var precomputedLinesOnce sync.Once -func getPrecomputedLines() [2][66]lineEvaluation { +func getPrecomputedLines() [2][66]LineEvaluation { precomputedLinesOnce.Do(func() { precomputedLines = computePrecomputeLines() }) return precomputedLines } -func computePrecomputeLines() [2][66]lineEvaluation { - var PrecomputedLines [2][66]lineEvaluation +func computePrecomputeLines() [2][66]LineEvaluation { + var PrecomputedLines [2][66]LineEvaluation _, _, _, G2AffGen := bn254.Generators() lines := bn254.PrecomputeLines(G2AffGen) for j := 0; j < 65; j++ { diff --git a/std/algebra/emulated/sw_bw6761/pairing.go b/std/algebra/emulated/sw_bw6761/pairing.go index 8db57c3b70..e9ca889aa1 100644 --- a/std/algebra/emulated/sw_bw6761/pairing.go +++ b/std/algebra/emulated/sw_bw6761/pairing.go @@ -97,10 +97,10 @@ func (pr Pairing) FinalExponentiation(z *GTEl) *GTEl { return result } -// lineEvaluation represents a sparse Fp6 Elmt (result of the line evaluation) +// LineEvaluation represents a sparse Fp6 Elmt (result of the line evaluation) // line: 1 + R0(x/y) + R1(1/y) = 0 instead of R0'*y + R1'*x + R2' = 0 This // makes the multiplication by lines (MulBy014) -type lineEvaluation struct { +type LineEvaluation struct { R0, R1 emulated.Element[emulated.BW6761Fp] } 
@@ -207,7 +207,7 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { // f_{x₀+1+λ(x₀³-x₀²-x₀),Q}(P) result := pr.Ext6.One() - var l0, l1 *lineEvaluation + var l0, l1 *LineEvaluation var prodLines [5]*emulated.Element[emulated.BW6761Fp] // i = 188, separately to avoid an E6 Square @@ -232,7 +232,7 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { // k = 1, separately to avoid MulBy014 (res × ℓ) // (res is also a line at this point, so we use Mul014By014 ℓ × ℓ) accQ[1], l0 = pr.doubleStep(accQ[1]) - l0 = &lineEvaluation{ + l0 = &LineEvaluation{ R0: *pr.curveF.MulMod(&l0.R0, xNegOverY[1]), R1: *pr.curveF.MulMod(&l0.R1, yInv[1]), } @@ -255,7 +255,7 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { // k = 2, separately to avoid MulBy014 (res × ℓ) // (res has a zero E2 element, so we use Mul01234By034) accQ[2], l0 = pr.doubleStep(accQ[2]) - l0 = &lineEvaluation{ + l0 = &LineEvaluation{ R0: *pr.curveF.MulMod(&l0.R0, xNegOverY[2]), R1: *pr.curveF.MulMod(&l0.R1, yInv[2]), } @@ -264,7 +264,7 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { // k >= 3 for k := 3; k < n; k++ { accQ[k], l0 = pr.doubleStep(accQ[k]) - l0 = &lineEvaluation{ + l0 = &LineEvaluation{ R0: *pr.curveF.MulMod(&l0.R0, xNegOverY[k]), R1: *pr.curveF.MulMod(&l0.R1, yInv[k]), } 
@@ -285,55 +285,55 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { // static loop counters. case -3: accQ[k], l0, l1 = pr.doubleAndAddStep(accQ[k], imQneg[k]) - l0 = &lineEvaluation{ + l0 = &LineEvaluation{ R0: *pr.curveF.MulMod(&l0.R0, xNegOverY[k]), R1: *pr.curveF.MulMod(&l0.R1, yInv[k]), } result = pr.MulBy014(result, &l0.R1, &l0.R0) - l1 = &lineEvaluation{ + l1 = &LineEvaluation{ R0: *pr.curveF.MulMod(&l1.R0, xNegOverY[k]), R1: *pr.curveF.MulMod(&l1.R1, yInv[k]), } result = pr.MulBy014(result, &l1.R1, &l1.R0) case -1: accQ[k], l0, l1 = pr.doubleAndAddStep(accQ[k], negQ[k]) - l0 = &lineEvaluation{ + l0 = &LineEvaluation{ R0: *pr.curveF.MulMod(&l0.R0, xNegOverY[k]), R1: *pr.curveF.MulMod(&l0.R1, yInv[k]), } result = pr.MulBy014(result, &l0.R1, &l0.R0) - l1 = &lineEvaluation{ + l1 = &LineEvaluation{ R0: *pr.curveF.MulMod(&l1.R0, xNegOverY[k]), R1: *pr.curveF.MulMod(&l1.R1, yInv[k]), } result = pr.MulBy014(result, &l1.R1, &l1.R0) case 0: accQ[k], l0 = pr.doubleStep(accQ[k]) - l0 = &lineEvaluation{ + l0 = &LineEvaluation{ R0: *pr.curveF.MulMod(&l0.R0, xNegOverY[k]), R1: *pr.curveF.MulMod(&l0.R1, yInv[k]), } result = pr.MulBy014(result, &l0.R1, &l0.R0) case 1: accQ[k], l0, l1 = pr.doubleAndAddStep(accQ[k], Q[k]) - l0 = &lineEvaluation{ + l0 = &LineEvaluation{ R0: *pr.curveF.MulMod(&l0.R0, xNegOverY[k]), R1: *pr.curveF.MulMod(&l0.R1, yInv[k]), } result = pr.MulBy014(result, &l0.R1, &l0.R0) - l1 = &lineEvaluation{ + l1 = &LineEvaluation{ R0: *pr.curveF.MulMod(&l1.R0, xNegOverY[k]), R1: *pr.curveF.MulMod(&l1.R1, yInv[k]), } result = pr.MulBy014(result, &l1.R1, &l1.R0) case 3: accQ[k], l0, l1 = pr.doubleAndAddStep(accQ[k], imQ[k]) - l0 = &lineEvaluation{ + l0 = &LineEvaluation{ R0: *pr.curveF.MulMod(&l0.R0, xNegOverY[k]), R1: *pr.curveF.MulMod(&l0.R1, yInv[k]), } result = pr.MulBy014(result, &l0.R1, &l0.R0) - l1 = &lineEvaluation{ + l1 = &LineEvaluation{ R0: *pr.curveF.MulMod(&l1.R0, xNegOverY[k]), R1: *pr.curveF.MulMod(&l1.R1, yInv[k]), } 
@@ -356,7 +356,7 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { result = pr.Square(result) for k := 0; k < n; k++ { l0 = pr.tangentCompute(accQ[k]) - l0 = &lineEvaluation{ + l0 = &LineEvaluation{ R0: *pr.curveF.MulMod(&l0.R0, xNegOverY[k]), R1: *pr.curveF.MulMod(&l0.R1, yInv[k]), } @@ -369,7 +369,7 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { // addStep adds two points in affine coordinates, and evaluates the line in Miller loop // https://eprint.iacr.org/2022/1162 (Section 6.1) -func (pr Pairing) addStep(p1, p2 *G2Affine) (*G2Affine, *lineEvaluation) { +func (pr Pairing) addStep(p1, p2 *G2Affine) (*G2Affine, *LineEvaluation) { // compute λ = (y2-y1)/(x2-x1) p2ypy := pr.curveF.Sub(&p2.Y, &p1.Y) @@ -390,7 +390,7 @@ func (pr Pairing) addStep(p1, p2 *G2Affine) (*G2Affine, *lineEvaluation) { res.X = *xr res.Y = *yr - var line lineEvaluation + var line LineEvaluation line.R0 = *λ line.R1 = *pr.curveF.Mul(λ, &p1.X) line.R1 = *pr.curveF.Sub(&line.R1, &p1.Y) @@ -401,9 +401,9 @@ func (pr Pairing) addStep(p1, p2 *G2Affine) (*G2Affine, *lineEvaluation) { // doubleAndAddStep doubles p1 and adds p2 to the result in affine coordinates, and evaluates the line in Miller loop // https://eprint.iacr.org/2022/1162 (Section 6.1) -func (pr Pairing) doubleAndAddStep(p1, p2 *G2Affine) (*G2Affine, *lineEvaluation, *lineEvaluation) { +func (pr Pairing) doubleAndAddStep(p1, p2 *G2Affine) (*G2Affine, *LineEvaluation, *LineEvaluation) { - var line1, line2 lineEvaluation + var line1, line2 LineEvaluation var p G2Affine // compute λ1 = (y2-y1)/(x2-x1) 
@@ -453,10 +453,10 @@ func (pr Pairing) doubleAndAddStep(p1, p2 *G2Affine) (*G2Affine, *lineEvaluation // doubleStep doubles a point in affine coordinates, and evaluates the line in Miller loop // https://eprint.iacr.org/2022/1162 (Section 6.1) -func (pr Pairing) doubleStep(p1 *G2Affine) (*G2Affine, *lineEvaluation) { +func (pr Pairing) doubleStep(p1 *G2Affine) (*G2Affine, *LineEvaluation) { var p G2Affine - var line lineEvaluation + var line LineEvaluation // λ = 3x²/2y n := pr.curveF.Mul(&p1.X, &p1.X) @@ -487,7 +487,7 @@ func (pr Pairing) doubleStep(p1 *G2Affine) (*G2Affine, *lineEvaluation) { } // tangentCompute computes the line that goes through p1 and p2 but does not compute p1+p2 -func (pr Pairing) tangentCompute(p1 *G2Affine) *lineEvaluation { +func (pr Pairing) tangentCompute(p1 *G2Affine) *LineEvaluation { // λ = 3x²/2y n := pr.curveF.Mul(&p1.X, &p1.X) @@ -496,7 +496,7 @@ func (pr Pairing) tangentCompute(p1 *G2Affine) *lineEvaluation { d := pr.curveF.Add(&p1.Y, &p1.Y) λ := pr.curveF.Div(n, d) - var line lineEvaluation + var line LineEvaluation line.R0 = *λ line.R1 = *pr.curveF.Mul(λ, &p1.X) line.R1 = *pr.curveF.Sub(&line.R1, &p1.Y) @@ -511,7 +511,7 @@ func (pr Pairing) tangentCompute(p1 *G2Affine) *lineEvaluation { // MillerLoopFixedQ computes the multi-Miller loop as in MillerLoop // but Qᵢ are fixed points in G2 known in advance. -func (pr Pairing) MillerLoopFixedQ(P []*G1Affine, lines [][2][189]lineEvaluation) (*GTEl, error) { +func (pr Pairing) MillerLoopFixedQ(P []*G1Affine, lines [][2][189]LineEvaluation) (*GTEl, error) { // check input size match n := len(P) 
@@ -622,7 +622,7 @@ func (pr Pairing) MillerLoopFixedQ(P []*G1Affine, lines [][2][189]lineEvaluation // ∏ᵢ e(Pᵢ, Qᵢ) where Qᵢ are fixed points known in advance. // // This function doesn't check that the inputs are in the correct subgroup. See IsInSubGroup. -func (pr Pairing) PairFixedQ(P []*G1Affine, lines [][2][189]lineEvaluation) (*GTEl, error) { +func (pr Pairing) PairFixedQ(P []*G1Affine, lines [][2][189]LineEvaluation) (*GTEl, error) { f, err := pr.MillerLoopFixedQ(P, lines) if err != nil { return nil, err @@ -634,7 +634,7 @@ func (pr Pairing) PairFixedQ(P []*G1Affine, lines [][2][189]lineEvaluation) (*GT // ∏ᵢ e(Pᵢ, Qᵢ) =? 1 where Qᵢ are fixed points known in advance. // // This function doesn't check that the inputs are in the correct subgroups. -func (pr Pairing) PairingFixedQCheck(P []*G1Affine, lines [][2][189]lineEvaluation) error { +func (pr Pairing) PairingFixedQCheck(P []*G1Affine, lines [][2][189]LineEvaluation) error { f, err := pr.PairFixedQ(P, lines) if err != nil { return err diff --git a/std/algebra/emulated/sw_bw6761/pairing_test.go b/std/algebra/emulated/sw_bw6761/pairing_test.go index 61ad7e2cd4..eea0de0e44 100644 --- a/std/algebra/emulated/sw_bw6761/pairing_test.go +++ b/std/algebra/emulated/sw_bw6761/pairing_test.go @@ -183,7 +183,7 @@ func TestPairingCheckTestSolve(t *testing.T) { type PairFixedCircuit struct { InG1 G1Affine - Lines [2][189]lineEvaluation + Lines [2][189]LineEvaluation Res GTEl } @@ -192,7 +192,7 @@ func (c *PairFixedCircuit) Define(api frontend.API) error { if err != nil { return fmt.Errorf("new pairing: %w", err) } - res, err := pairing.PairFixedQ([]*G1Affine{&c.InG1}, [][2][189]lineEvaluation{c.Lines}) + res, err := pairing.PairFixedQ([]*G1Affine{&c.InG1}, [][2][189]LineEvaluation{c.Lines}) if err != nil { return fmt.Errorf("pair: %w", err) } 
@@ -218,8 +218,8 @@ func TestPairFixedTestSolve(t *testing.T) { type DoublePairFixedCircuit struct { In1G1 G1Affine In2G1 G1Affine - Lines1 [2][189]lineEvaluation - Lines2 [2][189]lineEvaluation + Lines1 [2][189]LineEvaluation + Lines2 [2][189]LineEvaluation Res GTEl } @@ -228,7 +228,7 @@ func (c *DoublePairFixedCircuit) Define(api frontend.API) error { if err != nil { return fmt.Errorf("new pairing: %w", err) } - res, err := pairing.PairFixedQ([]*G1Affine{&c.In1G1, &c.In2G1}, [][2][189]lineEvaluation{c.Lines1, c.Lines2}) + res, err := pairing.PairFixedQ([]*G1Affine{&c.In1G1, &c.In2G1}, [][2][189]LineEvaluation{c.Lines1, c.Lines2}) if err != nil { return fmt.Errorf("pair: %w", err) } diff --git a/std/algebra/emulated/sw_bw6761/precomputations.go b/std/algebra/emulated/sw_bw6761/precomputations.go index 1557344468..d16b5f1666 100644 --- a/std/algebra/emulated/sw_bw6761/precomputations.go +++ b/std/algebra/emulated/sw_bw6761/precomputations.go 
@@ -13,18 +13,18 @@ import ( // Q.X = 0x110133241d9b816c852a82e69d660f9d61053aac5a7115f4c06201013890f6d26b41c5dab3da268734ec3f1f09feb58c5bbcae9ac70e7c7963317a300e1b6bace6948cb3cd208d700e96efbc2ad54b06410cf4fe1bf995ba830c194cd025f1c // Q.Y = 0x17c3357761369f8179eb10e4b6d2dc26b7cf9acec2181c81a78e2753ffe3160a1d86c80b95a59c94c97eb733293fef64f293dbd2c712b88906c170ffa823003ea96fcd504affc758aa2d3a3c5a02a591ec0594f9eac689eb70a16728c73b61 -var precomputedLines [2][189]lineEvaluation +var precomputedLines [2][189]LineEvaluation var precomputedLinesOnce sync.Once -func getPrecomputedLines() [2][189]lineEvaluation { +func getPrecomputedLines() [2][189]LineEvaluation { precomputedLinesOnce.Do(func() { precomputedLines = computePrecomputedLines() }) return precomputedLines } -func computePrecomputedLines() [2][189]lineEvaluation { - var PrecomputedLines [2][189]lineEvaluation +func computePrecomputedLines() [2][189]LineEvaluation { + var PrecomputedLines [2][189]LineEvaluation _, _, _, G2AffGen := bw6761.Generators() lines := bw6761.PrecomputeLines(G2AffGen) for j := 0; j < 189; j++ { diff --git a/std/algebra/interfaces.go b/std/algebra/interfaces.go index ba91297ba1..0803a531bb 100644 --- a/std/algebra/interfaces.go +++ b/std/algebra/interfaces.go @@ -1,5 +1,6 @@ package algebra +type LinesT any type ScalarT any type GroupElementT any type G1ElementT GroupElementT @@ -36,7 +37,7 @@ type Curve[S ScalarT, G1El G1ElementT] interface { // Pairing allows to compute the bi-linear pairing of G1 and G2 elements. // Additionally, the interface provides steps used in pairing computation and a // dedicated optimised pairing check. -type Pairing[G1El G1ElementT, G2El G2ElementT, GtEl GtElementT] interface { +type Pairing[G1El G1ElementT, G2El G2ElementT, GtEl GtElementT, L LinesT] interface { // MillerLoop computes the Miller loop of the input pairs. It returns error // when the inputs are of mismatching length. It does not modify the inputs. MillerLoop([]*G1El, []*G2El) (*GtEl, error) 
@@ -55,7 +56,7 @@ type Pairing[G1El G1ElementT, G2El G2ElementT, GtEl GtElementT] interface { // PairingFixedQCheck is the same as PairingCheck but of size 2 and // where one of the G2El argument is the fixed canonical generator of G2. - PairingFixedQCheck([]*G1El, []*G2El) error + PairingFixedQCheck([]*G1El, [][2][189]L) error // AssertIsEqual asserts the equality of the inputs. AssertIsEqual(*GtEl, *GtEl) diff --git a/std/algebra/native/sw_bls12377/pairing.go b/std/algebra/native/sw_bls12377/pairing.go index 090c879b81..cf1a6c91c4 100644 --- a/std/algebra/native/sw_bls12377/pairing.go +++ b/std/algebra/native/sw_bls12377/pairing.go @@ -29,11 +29,11 @@ type GT = fields_bls12377.E12 // binary decomposition of x₀=9586122913090633729 little endian var loopCounter = [64]int8{1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 1} -// lineEvaluation represents a sparse Fp12 Elmt (result of the line evaluation) +// LineEvaluation represents a sparse Fp12 Elmt (result of the line evaluation) // line: 1 + R0(x/y) + R1(1/y) = 0 instead of R0'*y + R1'*x + R2' = 0 This // makes the multiplication by lines (MulBy034) and between lines (Mul034By034) // circuit-efficient. -type lineEvaluation struct { +type LineEvaluation struct { R0, R1 fields_bls12377.E2 } @@ -50,7 +50,7 @@ func MillerLoop(api frontend.API, P []G1Affine, Q []G2Affine) (GT, error) { res.SetOne() var prodLines [5]fields_bls12377.E2 - var l1, l2 lineEvaluation + var l1, l2 LineEvaluation Qacc := make([]G2Affine, n) yInv := make([]frontend.Variable, n) xNegOverY := make([]frontend.Variable, n) 
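Review bot: The new interface method `PairingFixedQCheck([]*G1El, [][2][189]L) error` in std/algebra/interfaces.go fixes the inner array length at 189, but this commit gives the native implementations other lengths: `lines [][2][63]LineEvaluation` in sw_bls12377/pairing2.go and `lines [][2][32]LineEvaluation` in sw_bls24315/pairing2.go. Array length is part of a Go type, so those two `*Pairing` types would not appear to satisfy `Pairing[..., L]`; only the 189-entry signature in sw_bw6761 matches. Letting the type parameter carry the whole table, for example `PairingFixedQCheck([]*G1El, []L) error` with `L` instantiated per curve as `[2][63]LineEvaluation` and so on, would avoid baking one curve's loop length into the interface. The comment above the method still describes a `G2El` argument and should describe the precomputed lines instead. The rest of the interface is outside the hunk.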
@@ -291,10 +291,10 @@ func PairingCheck(api frontend.API, P []G1Affine, Q []G2Affine) error { // doubleAndAddStep doubles p1 and adds p2 to the result in affine coordinates, and evaluates the line in Miller loop // https://eprint.iacr.org/2022/1162 (Section 6.1) -func doubleAndAddStep(api frontend.API, p1, p2 *G2Affine) (G2Affine, lineEvaluation, lineEvaluation) { +func doubleAndAddStep(api frontend.API, p1, p2 *G2Affine) (G2Affine, LineEvaluation, LineEvaluation) { var n, d, l1, l2, x3, x4, y4 fields_bls12377.E2 - var line1, line2 lineEvaluation + var line1, line2 LineEvaluation var p G2Affine // compute lambda1 = (y2-y1)/(x2-x1) @@ -341,11 +341,11 @@ func doubleAndAddStep(api frontend.API, p1, p2 *G2Affine) (G2Affine, lineEvaluat // doubleStep doubles a point in affine coordinates, and evaluates the line in Miller loop // https://eprint.iacr.org/2022/1162 (Section 6.1) -func doubleStep(api frontend.API, p1 *G2Affine) (G2Affine, lineEvaluation) { +func doubleStep(api frontend.API, p1 *G2Affine) (G2Affine, LineEvaluation) { var n, d, l, xr, yr fields_bls12377.E2 var p G2Affine - var line lineEvaluation + var line LineEvaluation // lambda = 3*p1.x**2/2*p.y n.Square(api, p1.X).MulByFp(api, n, 3) @@ -373,10 +373,10 @@ func doubleStep(api frontend.API, p1 *G2Affine) (G2Affine, lineEvaluation) { } // linesCompute computes the lines that goes through p1 and p2, and (p1+p2) and p1 but does not compute 2p1+p2 -func linesCompute(api frontend.API, p1, p2 *G2Affine) (lineEvaluation, lineEvaluation) { +func linesCompute(api frontend.API, p1, p2 *G2Affine) (LineEvaluation, LineEvaluation) { var n, d, l1, l2, x3 fields_bls12377.E2 - var line1, line2 lineEvaluation + var line1, line2 LineEvaluation // compute lambda1 = (y2-y1)/(x2-x1) n.Sub(api, p1.Y, p2.Y) 
@@ -412,7 +412,7 @@ func linesCompute(api frontend.API, p1, p2 *G2Affine) (lineEvaluation, lineEvalu // MillerLoopFixedQ computes the multi-Miller loop as in MillerLoop // but Qᵢ are fixed points in G2 known in advance. -func MillerLoopFixedQ(api frontend.API, P []G1Affine, lines [][2][63]lineEvaluation) (GT, error) { +func MillerLoopFixedQ(api frontend.API, P []G1Affine, lines [][2][63]LineEvaluation) (GT, error) { // check input size match n := len(P) @@ -563,7 +563,7 @@ func MillerLoopFixedQ(api frontend.API, P []G1Affine, lines [][2][63]lineEvaluat // e(P, g2), where g2 is fixed. // // This function doesn't check that the inputs are in the correct subgroups. -func PairFixedQ(api frontend.API, P []G1Affine, lines [][2][63]lineEvaluation) (GT, error) { +func PairFixedQ(api frontend.API, P []G1Affine, lines [][2][63]LineEvaluation) (GT, error) { f, err := MillerLoopFixedQ(api, P, lines) if err != nil { return GT{}, err @@ -575,7 +575,7 @@ func PairFixedQ(api frontend.API, P []G1Affine, lines [][2][63]lineEvaluation) ( // ∏ᵢ e(Pᵢ, Qᵢ) =? 1 where Qᵢ are fixed. // // This function doesn't check that the inputs are in the correct subgroups -func PairingFixedQCheck(api frontend.API, P []G1Affine, lines [][2][63]lineEvaluation) error { +func PairingFixedQCheck(api frontend.API, P []G1Affine, lines [][2][63]LineEvaluation) error { f, err := PairFixedQ(api, P, lines) if err != nil { return err diff --git a/std/algebra/native/sw_bls12377/pairing2.go b/std/algebra/native/sw_bls12377/pairing2.go index 55d0be4966..88be77e601 100644 --- a/std/algebra/native/sw_bls12377/pairing2.go +++ b/std/algebra/native/sw_bls12377/pairing2.go 
@@ -161,7 +161,7 @@ func (p *Pairing) PairingCheck(P []*G1Affine, Q []*G2Affine) error { // PairingFixedQCheck computes the multi-pairing of the input pairs and asserts that // the result is an identity element in the target group. It returns an error if // there is a mismatch between the lengths of the inputs. -func (p *Pairing) PairingFixedQCheck(P []*G1Affine, lines [][2][63]lineEvaluation) error { +func (p *Pairing) PairingFixedQCheck(P []*G1Affine, lines [][2][63]LineEvaluation) error { inP := make([]G1Affine, len(P)) for i := range P { inP[i] = *P[i] diff --git a/std/algebra/native/sw_bls12377/pairing_test.go b/std/algebra/native/sw_bls12377/pairing_test.go index a0121f30bd..6541d5e53c 100644 --- a/std/algebra/native/sw_bls12377/pairing_test.go +++ b/std/algebra/native/sw_bls12377/pairing_test.go @@ -128,13 +128,13 @@ func TestTriplePairingBLS377(t *testing.T) { type pairingFixedBLS377 struct { P G1Affine - Lines [2][63]lineEvaluation + Lines [2][63]LineEvaluation pairingRes bls12377.GT } func (circuit *pairingFixedBLS377) Define(api frontend.API) error { - pairingRes, _ := PairFixedQ(api, []G1Affine{circuit.P}, [][2][63]lineEvaluation{circuit.Lines}) + pairingRes, _ := PairFixedQ(api, []G1Affine{circuit.P}, [][2][63]LineEvaluation{circuit.Lines}) mustbeEq(api, pairingRes, &circuit.pairingRes) @@ -162,14 +162,14 @@ func TestPairingFixedBLS377(t *testing.T) { type doublePairingFixedBLS377 struct { P0 G1Affine P1 G1Affine - Line0 [2][63]lineEvaluation - Line1 [2][63]lineEvaluation + Line0 [2][63]LineEvaluation + Line1 [2][63]LineEvaluation pairingRes bls12377.GT } func (circuit *doublePairingFixedBLS377) Define(api frontend.API) error { - pairingRes, _ := PairFixedQ(api, []G1Affine{circuit.P0, circuit.P1}, [][2][63]lineEvaluation{circuit.Line0, circuit.Line1}) + pairingRes, _ := PairFixedQ(api, []G1Affine{circuit.P0, circuit.P1}, [][2][63]LineEvaluation{circuit.Line0, circuit.Line1}) mustbeEq(api, pairingRes, &circuit.pairingRes) 
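Review bot: The rewritten call in `pairingFixedBLS377.Define` (sw_bls12377/pairing_test.go) still discards the error, `pairingRes, _ := PairFixedQ(...)`, so any failure reported by `PairFixedQ` is lost and `mustbeEq` runs on whatever `GT` came back. The sw_bw6761 test circuits in this commit propagate it, and the same shape works here: `pairingRes, err := PairFixedQ(...)` followed by `if err != nil { return err }`. The same applies to `doublePairingFixedBLS377.Define` in the next hunk and to both `Define` methods in sw_bls24315/pairing_test.go. The `Define` bodies continue outside the hunks.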
diff --git a/std/algebra/native/sw_bls12377/precomputations.go b/std/algebra/native/sw_bls12377/precomputations.go index 12cb55b13e..c9ccb98264 100644 --- a/std/algebra/native/sw_bls12377/precomputations.go +++ b/std/algebra/native/sw_bls12377/precomputations.go @@ -30,18 +30,18 @@ import ( // Q.Y.A0 = 0x690d665d446f7bd960736bcbb2efb4de03ed7274b49a58e458c282f832d204f2cf88886d8c7c2ef094094409fd4ddf // Q.Y.A1 = 0xf8169fd28355189e549da3151a70aa61ef11ac3d591bf12463b01acee304c24279b83f5e52270bd9a1cdd185eb8f93 -var precomputedLines [2][63]lineEvaluation +var precomputedLines [2][63]LineEvaluation var precomputedLinesOnce sync.Once -func getPrecomputedLines() [2][63]lineEvaluation { +func getPrecomputedLines() [2][63]LineEvaluation { precomputedLinesOnce.Do(func() { precomputedLines = computePrecomputedLines() }) return precomputedLines } -func computePrecomputedLines() [2][63]lineEvaluation { - var PrecomputedLines [2][63]lineEvaluation +func computePrecomputedLines() [2][63]LineEvaluation { + var PrecomputedLines [2][63]LineEvaluation _, _, _, G2AffGen := bls12377.Generators() lines := bls12377.PrecomputeLines(G2AffGen) for j := 0; j < 63; j++ { diff --git a/std/algebra/native/sw_bls24315/pairing.go b/std/algebra/native/sw_bls24315/pairing.go index 6d808afdf5..795a9ebae0 100644 --- a/std/algebra/native/sw_bls24315/pairing.go +++ b/std/algebra/native/sw_bls24315/pairing.go @@ -30,10 +30,10 @@ var loopCounter = [33]int8{ -1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, -1, 0, 0, 0, 0, 0, 0, 0, -1, 0, 1, } -// lineEvaluation represents a sparse Fp12 Elmt (result of the line evaluation) +// LineEvaluation represents a sparse Fp12 Elmt (result of the line evaluation) // line: 1 + R0(x/y) + R1(1/y) = 0 instead of R0'*y + R1'*x + R2' = 0 This // makes the multiplication by lines (MulBy034) and between lines (Mul034By034) -type lineEvaluation struct { +type LineEvaluation struct { R0, R1 fields_bls24315.E4 } 
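Review bot: The doc comment on the now-exported `LineEvaluation` in sw_bls24315/pairing.go stops mid-sentence after `(Mul034By034)`; the sw_bls12377 copy of the same comment ends with `circuit-efficient.`, which appears to be the missing line. It also says "sparse Fp12 Elmt" while the fields are `fields_bls24315.E4`, which looks carried over from the BLS12 package and is worth checking against this package's `GT` type, not visible in the hunk. Since the type is now part of the public API, I would complete the sentence and correct the field name in the same change.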
@@ -50,7 +50,7 @@ func MillerLoop(api frontend.API, P []G1Affine, Q []G2Affine) (GT, error) { res.SetOne() var prodLines [5]fields_bls24315.E4 - var l1, l2 lineEvaluation + var l1, l2 LineEvaluation Qacc := make([]G2Affine, n) Qneg := make([]G2Affine, n) yInv := make([]frontend.Variable, n) @@ -308,10 +308,10 @@ func PairingCheck(api frontend.API, P []G1Affine, Q []G2Affine) error { // doubleAndAddStep doubles p1 and adds p2 to the result in affine coordinates, and evaluates the line in Miller loop // https://eprint.iacr.org/2022/1162 (Section 6.1) -func doubleAndAddStep(api frontend.API, p1, p2 *G2Affine) (G2Affine, lineEvaluation, lineEvaluation) { +func doubleAndAddStep(api frontend.API, p1, p2 *G2Affine) (G2Affine, LineEvaluation, LineEvaluation) { var n, d, l1, l2, x3, x4, y4 fields_bls24315.E4 - var line1, line2 lineEvaluation + var line1, line2 LineEvaluation var p G2Affine // compute lambda1 = (y2-y1)/(x2-x1) @@ -358,11 +358,11 @@ func doubleAndAddStep(api frontend.API, p1, p2 *G2Affine) (G2Affine, lineEvaluat // doubleStep doubles a point in affine coordinates, and evaluates the line in Miller loop // https://eprint.iacr.org/2022/1162 (Section 6.1) -func doubleStep(api frontend.API, p1 *G2Affine) (G2Affine, lineEvaluation) { +func doubleStep(api frontend.API, p1 *G2Affine) (G2Affine, LineEvaluation) { var n, d, l, xr, yr fields_bls24315.E4 var p G2Affine - var line lineEvaluation + var line LineEvaluation // lambda = 3*p1.x**2/2*p.y n.Square(api, p1.X).MulByFp(api, n, 3) @@ -391,7 +391,7 @@ func doubleStep(api frontend.API, p1 *G2Affine) (G2Affine, lineEvaluation) { // addStep adds two points in affine coordinates, and evaluates the line in Miller loop // https://eprint.iacr.org/2022/1162 (Section 6.1) -func addStep(api frontend.API, p1, p2 *G2Affine) (G2Affine, lineEvaluation) { +func addStep(api frontend.API, p1, p2 *G2Affine) (G2Affine, LineEvaluation) { var p2ypy, p2xpx, λ, λλ, pxrx, λpxrx, xr, yr fields_bls24315.E4 // compute λ = (y2-y1)/(x2-x1) 
@@ -413,7 +413,7 @@ func addStep(api frontend.API, p1, p2 *G2Affine) (G2Affine, lineEvaluation) { res.X = xr res.Y = yr - var line lineEvaluation + var line LineEvaluation line.R0 = λ line.R1.Mul(api, λ, p1.X) line.R1.Sub(api, line.R1, p1.Y) @@ -423,10 +423,10 @@ func addStep(api frontend.API, p1, p2 *G2Affine) (G2Affine, lineEvaluation) { } // linesCompute computes the lines that goes through p1 and p2, and (p1+p2) and p1 but does not compute 2p1+p2 -func linesCompute(api frontend.API, p1, p2 *G2Affine) (lineEvaluation, lineEvaluation) { +func linesCompute(api frontend.API, p1, p2 *G2Affine) (LineEvaluation, LineEvaluation) { var n, d, l1, l2, x3 fields_bls24315.E4 - var line1, line2 lineEvaluation + var line1, line2 LineEvaluation // compute lambda1 = (y2-y1)/(x2-x1) n.Sub(api, p1.Y, p2.Y) @@ -457,7 +457,7 @@ func linesCompute(api frontend.API, p1, p2 *G2Affine) (lineEvaluation, lineEvalu } // lineCompute computes the line that goes through p1 and p2 but does not compute p1+p2 -func lineCompute(api frontend.API, p1, p2 *G2Affine) lineEvaluation { +func lineCompute(api frontend.API, p1, p2 *G2Affine) LineEvaluation { var qypy, qxpx, λ fields_bls24315.E4 @@ -466,7 +466,7 @@ func lineCompute(api frontend.API, p1, p2 *G2Affine) lineEvaluation { qxpx.Sub(api, p2.X, p1.X) λ.DivUnchecked(api, qypy, qxpx) - var line lineEvaluation + var line LineEvaluation line.R0 = λ line.R1.Mul(api, λ, p1.X) line.R1.Sub(api, line.R1, p1.Y) @@ -481,7 +481,7 @@ func lineCompute(api frontend.API, p1, p2 *G2Affine) lineEvaluation { // MillerLoopFixedQ computes the multi-Miller loop as in MillerLoop // but Qᵢ are fixed points in G2 known in advance. -func MillerLoopFixedQ(api frontend.API, P []G1Affine, lines [][2][32]lineEvaluation) (GT, error) { +func MillerLoopFixedQ(api frontend.API, P []G1Affine, lines [][2][32]LineEvaluation) (GT, error) { // check input size match n := len(P) 
@@ -491,7 +491,7 @@ func MillerLoopFixedQ(api frontend.API, P []G1Affine, lines [][2][32]lineEvaluat var res GT res.SetOne() - var l1, l2 lineEvaluation + var l1, l2 LineEvaluation // precomputations yInv := make([]frontend.Variable, n) @@ -555,7 +555,7 @@ func MillerLoopFixedQ(api frontend.API, P []G1Affine, lines [][2][32]lineEvaluat // e(P, g2), where g2 is fixed. // // This function doesn't check that the inputs are in the correct subgroups. -func PairFixedQ(api frontend.API, P []G1Affine, lines [][2][32]lineEvaluation) (GT, error) { +func PairFixedQ(api frontend.API, P []G1Affine, lines [][2][32]LineEvaluation) (GT, error) { f, err := MillerLoopFixedQ(api, P, lines) if err != nil { return GT{}, err @@ -567,7 +567,7 @@ func PairFixedQ(api frontend.API, P []G1Affine, lines [][2][32]lineEvaluation) ( // ∏ᵢ e(Pᵢ, Qᵢ) =? 1 where Qᵢ are fixed. // // This function doesn't check that the inputs are in the correct subgroups -func PairingFixedQCheck(api frontend.API, P []G1Affine, lines [][2][32]lineEvaluation) error { +func PairingFixedQCheck(api frontend.API, P []G1Affine, lines [][2][32]LineEvaluation) error { f, err := PairFixedQ(api, P, lines) if err != nil { return err diff --git a/std/algebra/native/sw_bls24315/pairing2.go b/std/algebra/native/sw_bls24315/pairing2.go index 7becb5930c..dec9a857fc 100644 --- a/std/algebra/native/sw_bls24315/pairing2.go +++ b/std/algebra/native/sw_bls24315/pairing2.go @@ -161,7 +161,7 @@ func (p *Pairing) PairingCheck(P []*G1Affine, Q []*G2Affine) error { // PairingFixedQCheck computes the multi-pairing of the input pairs and asserts that // the result is an identity element in the target group. It returns an error if // there is a mismatch between the lengths of the inputs. -func (p *Pairing) PairingFixedQCheck(P []*G1Affine, lines [][2][32]lineEvaluation) error { +func (p *Pairing) PairingFixedQCheck(P []*G1Affine, lines [][2][32]LineEvaluation) error { inP := make([]G1Affine, len(P)) for i := range P { inP[i] = *P[i] 
diff --git a/std/algebra/native/sw_bls24315/pairing_test.go b/std/algebra/native/sw_bls24315/pairing_test.go index 3c467d9d2e..58f4a9701d 100644 --- a/std/algebra/native/sw_bls24315/pairing_test.go +++ b/std/algebra/native/sw_bls24315/pairing_test.go @@ -129,13 +129,13 @@ func TestTriplePairingBLS24315(t *testing.T) { type pairingFixedBLS315 struct { P G1Affine - Lines [2][32]lineEvaluation + Lines [2][32]LineEvaluation pairingRes bls24315.GT } func (circuit *pairingFixedBLS315) Define(api frontend.API) error { - pairingRes, _ := PairFixedQ(api, []G1Affine{circuit.P}, [][2][32]lineEvaluation{circuit.Lines}) + pairingRes, _ := PairFixedQ(api, []G1Affine{circuit.P}, [][2][32]LineEvaluation{circuit.Lines}) mustbeEq(api, pairingRes, &circuit.pairingRes) @@ -163,14 +163,14 @@ func TestPairingFixedBLS315(t *testing.T) { type doublePairingFixedBLS315 struct { P0 G1Affine P1 G1Affine - Line0 [2][32]lineEvaluation - Line1 [2][32]lineEvaluation + Line0 [2][32]LineEvaluation + Line1 [2][32]LineEvaluation pairingRes bls24315.GT } func (circuit *doublePairingFixedBLS315) Define(api frontend.API) error { - pairingRes, _ := PairFixedQ(api, []G1Affine{circuit.P0, circuit.P1}, [][2][32]lineEvaluation{circuit.Line0, circuit.Line1}) + pairingRes, _ := PairFixedQ(api, []G1Affine{circuit.P0, circuit.P1}, [][2][32]LineEvaluation{circuit.Line0, circuit.Line1}) mustbeEq(api, pairingRes, &circuit.pairingRes) diff --git a/std/algebra/native/sw_bls24315/precomputations.go b/std/algebra/native/sw_bls24315/precomputations.go index 3d1470b6ae..8710b2c00a 100644 --- a/std/algebra/native/sw_bls24315/precomputations.go +++ b/std/algebra/native/sw_bls24315/precomputations.go 
@@ -34,18 +34,18 @@ import ( // Q.Y.B1.A0 = 0x1b38dd0c5ec49a0883a950c631c688eb3b01f45b7c0d2990cd99052005ebf2fa9e7043bbd605ef5 // Q.Y.B1.A1 = 0x495d6de2e4fed6be3e1d24dd724163e01d88643f7e83d31528ab0a80ced619175a1a104574ac83 -var precomputedLines [2][32]lineEvaluation +var precomputedLines [2][32]LineEvaluation var precomputedLinesOnce sync.Once -func getPrecomputedLines() [2][32]lineEvaluation { +func getPrecomputedLines() [2][32]LineEvaluation { precomputedLinesOnce.Do(func() { precomputedLines = computePrecomputedLines() }) return precomputedLines } -func computePrecomputedLines() [2][32]lineEvaluation { - var PrecomputedLines [2][32]lineEvaluation +func computePrecomputedLines() [2][32]LineEvaluation { + var PrecomputedLines [2][32]LineEvaluation _, _, _, G2AffGen := bls24315.Generators() lines := bls24315.PrecomputeLines(G2AffGen) for j := 0; j < 32; j++ {