Merge pull request #866 from Consensys/feat/bw6761-kzg

Feat: BW6-761 KZG gadget
Consensys · Oct 18, 2023 · 73146fd · 73146fd
2 parents 063cad6 + de51e29
commit 73146fd
Show file tree

Hide file tree

Showing 7 changed files with 325 additions and 1 deletion.
diff --git a/std/algebra/defaults.go b/std/algebra/defaults.go
@@ -4,9 +4,12 @@ import (
 	"fmt"
 
 	"github.com/consensys/gnark/frontend"
+	"github.com/consensys/gnark/std/algebra/emulated/sw_bls12381"
 	"github.com/consensys/gnark/std/algebra/emulated/sw_bn254"
+	"github.com/consensys/gnark/std/algebra/emulated/sw_bw6761"
 	"github.com/consensys/gnark/std/algebra/emulated/sw_emulated"
 	"github.com/consensys/gnark/std/algebra/native/sw_bls12377"
+	"github.com/consensys/gnark/std/algebra/native/sw_bls24315"
 	"github.com/consensys/gnark/std/math/emulated/emparams"
 )
 
@@ -23,9 +26,24 @@ func GetCurve[S ScalarT, G1El G1ElementT](api frontend.API) (Curve[S, G1El], err
 			return ret, fmt.Errorf("new curve: %w", err)
 		}
 		*s = c
+	case *Curve[sw_bw6761.Scalar, sw_bw6761.G1Affine]:
+		c, err := sw_emulated.New[emparams.BW6761Fp, emparams.BW6761Fr](api, sw_emulated.GetBW6761Params())
+		if err != nil {
+			return ret, fmt.Errorf("new curve: %w", err)
+		}
+		*s = c
+	case *Curve[sw_bls12381.Scalar, sw_bls12381.G1Affine]:
+		c, err := sw_emulated.New[emparams.BLS12381Fp, emparams.BLS12381Fr](api, sw_emulated.GetBLS12381Params())
+		if err != nil {
+			return ret, fmt.Errorf("new curve: %w", err)
+		}
+		*s = c
 	case *Curve[sw_bls12377.Scalar, sw_bls12377.G1Affine]:
 		c := sw_bls12377.NewCurve(api)
 		*s = c
+	case *Curve[sw_bls24315.Scalar, sw_bls24315.G1Affine]:
+		c := sw_bls24315.NewCurve(api)
+		*s = c
 	default:
 		return ret, fmt.Errorf("unknown type parametrisation")
 	}
@@ -44,9 +62,24 @@ func GetPairing[G1El G1ElementT, G2El G2ElementT, GtEl GtElementT](api frontend.
 			return ret, fmt.Errorf("new pairing: %w", err)
 		}
 		*s = p
+	case *Pairing[sw_bw6761.G1Affine, sw_bw6761.G2Affine, sw_bw6761.GTEl]:
+		p, err := sw_bw6761.NewPairing(api)
+		if err != nil {
+			return ret, fmt.Errorf("new pairing: %w", err)
+		}
+		*s = p
+	case *Pairing[sw_bls12381.G1Affine, sw_bls12381.G2Affine, sw_bls12381.GTEl]:
+		p, err := sw_bls12381.NewPairing(api)
+		if err != nil {
+			return ret, fmt.Errorf("new pairing: %w", err)
+		}
+		*s = p
 	case *Pairing[sw_bls12377.G1Affine, sw_bls12377.G2Affine, sw_bls12377.GT]:
 		p := sw_bls12377.NewPairing(api)
 		*s = p
+	case *Pairing[sw_bls24315.G1Affine, sw_bls24315.G2Affine, sw_bls24315.GT]:
+		p := sw_bls24315.NewPairing(api)
+		*s = p
 	default:
 		return ret, fmt.Errorf("unknown type parametrisation")
 	}

diff --git a/std/algebra/emulated/sw_bw6761/g1.go b/std/algebra/emulated/sw_bw6761/g1.go
@@ -2,15 +2,28 @@ package sw_bw6761
 
 import (
 	bw6761 "github.com/consensys/gnark-crypto/ecc/bw6-761"
+	fr_bw6761 "github.com/consensys/gnark-crypto/ecc/bw6-761/fr"
 	"github.com/consensys/gnark/std/algebra/emulated/sw_emulated"
 	"github.com/consensys/gnark/std/math/emulated"
 )
 
+// G1Affine is the point in G1. It is an alias to the generic emulated affine
+// point.
 type G1Affine = sw_emulated.AffinePoint[emulated.BW6761Fp]
 
+// Scalar is the scalar in the groups. It is an alias to the emulated element
+// defined over the scalar field of the groups.
+type Scalar = emulated.Element[emulated.BW6761Fr]
+
+// NewG1Affine allocates a witness from the native G1 element and returns it.
 func NewG1Affine(v bw6761.G1Affine) G1Affine {
 	return G1Affine{
 		X: emulated.ValueOf[emulated.BW6761Fp](v.X),
 		Y: emulated.ValueOf[emulated.BW6761Fp](v.Y),
 	}
 }
+
+// NewScalar allocates a witness from the native scalar and returns it.
+func NewScalar(v fr_bw6761.Element) Scalar {
+	return emulated.ValueOf[emulated.BW6761Fr](v)
+}
diff --git a/std/algebra/emulated/sw_emulated/params.go b/std/algebra/emulated/sw_emulated/params.go
@@ -6,6 +6,7 @@ import (
 
 	bls12381 "github.com/consensys/gnark-crypto/ecc/bls12-381"
 	"github.com/consensys/gnark-crypto/ecc/bn254"
+	bw6761 "github.com/consensys/gnark-crypto/ecc/bw6-761"
 	"github.com/consensys/gnark-crypto/ecc/secp256k1"
 	"github.com/consensys/gnark/std/math/emulated"
 )
@@ -96,6 +97,20 @@ func GetP384Params() CurveParams {
 	}
 }
 
+// GetBW6761Params returns the curve parameters for the curve BW6-761.
+// When initialising new curve, use the base field [emulated.BW6761Fp] and scalar
+// field [emulated.BW6761Fr].
+func GetBW6761Params() CurveParams {
+	_, _, g1aff, _ := bw6761.Generators()
+	return CurveParams{
+		A:  big.NewInt(0),
+		B:  big.NewInt(-1),
+		Gx: g1aff.X.BigInt(new(big.Int)),
+		Gy: g1aff.Y.BigInt(new(big.Int)),
+		Gm: computeBW6761Table(),
+	}
+}
+
 // GetCurveParams returns suitable curve parameters given the parametric type
 // Base as base field. It caches the parameters and modifying the values in the
 // parameters struct leads to undefined behaviour.
@@ -112,6 +127,8 @@ func GetCurveParams[Base emulated.FieldParams]() CurveParams {
 		return p256Params
 	case emulated.P384Fp{}.Modulus().String():
 		return p384Params
+	case emulated.BW6761Fp{}.Modulus().String():
+		return bw6761Params
 	default:
 		panic("no stored parameters")
 	}
@@ -123,6 +140,7 @@ var (
 	bls12381Params  CurveParams
 	p256Params      CurveParams
 	p384Params      CurveParams
+	bw6761Params    CurveParams
 )
 
 func init() {
@@ -131,4 +149,5 @@ func init() {
 	bls12381Params = GetBLS12381Params()
 	p256Params = GetP256Params()
 	p384Params = GetP384Params()
+	bw6761Params = GetBW6761Params()
 }
diff --git a/std/algebra/emulated/sw_emulated/params_compute.go b/std/algebra/emulated/sw_emulated/params_compute.go
@@ -6,6 +6,7 @@ import (
 
 	bls12381 "github.com/consensys/gnark-crypto/ecc/bls12-381"
 	"github.com/consensys/gnark-crypto/ecc/bn254"
+	bw6761 "github.com/consensys/gnark-crypto/ecc/bw6-761"
 	"github.com/consensys/gnark-crypto/ecc/secp256k1"
 )
 
@@ -130,3 +131,29 @@ func computeP384Table() [][2]*big.Int {
 	}
 	return table
 }
+
+func computeBW6761Table() [][2]*big.Int {
+	Gjac, _, _, _ := bw6761.Generators()
+	table := make([][2]*big.Int, 377)
+	tmp := new(bw6761.G1Jac).Set(&Gjac)
+	aff := new(bw6761.G1Affine)
+	jac := new(bw6761.G1Jac)
+	for i := 1; i < 377; i++ {
+		tmp = tmp.Double(tmp)
+		switch i {
+		case 1, 2:
+			jac.Set(tmp).AddAssign(&Gjac)
+			aff.FromJacobian(jac)
+			table[i-1] = [2]*big.Int{aff.X.BigInt(new(big.Int)), aff.Y.BigInt(new(big.Int))}
+		case 3:
+			jac.Set(tmp).SubAssign(&Gjac)
+			aff.FromJacobian(jac)
+			table[i-1] = [2]*big.Int{aff.X.BigInt(new(big.Int)), aff.Y.BigInt(new(big.Int))}
+			fallthrough
+		default:
+			aff.FromJacobian(tmp)
+			table[i] = [2]*big.Int{aff.X.BigInt(new(big.Int)), aff.Y.BigInt(new(big.Int))}
+		}
+	}
+	return table
+}
diff --git a/std/algebra/emulated/sw_emulated/point_test.go b/std/algebra/emulated/sw_emulated/point_test.go
@@ -11,6 +11,8 @@ import (
 	fr_bls381 "github.com/consensys/gnark-crypto/ecc/bls12-381/fr"
 	"github.com/consensys/gnark-crypto/ecc/bn254"
 	fr_bn "github.com/consensys/gnark-crypto/ecc/bn254/fr"
+	bw6761 "github.com/consensys/gnark-crypto/ecc/bw6-761"
+	fr_bw6761 "github.com/consensys/gnark-crypto/ecc/bw6-761/fr"
 	"github.com/consensys/gnark-crypto/ecc/secp256k1"
 	fp_secp "github.com/consensys/gnark-crypto/ecc/secp256k1/fp"
 	fr_secp "github.com/consensys/gnark-crypto/ecc/secp256k1/fr"
@@ -400,7 +402,7 @@ func TestScalarMulBase2(t *testing.T) {
 func TestScalarMulBase3(t *testing.T) {
 	assert := test.NewAssert(t)
 	_, _, g, _ := bls12381.Generators()
-	var r fr_bn.Element
+	var r fr_bls381.Element
 	_, _ = r.SetRandom()
 	s := new(big.Int)
 	r.BigInt(s)
@@ -419,6 +421,28 @@ func TestScalarMulBase3(t *testing.T) {
 	assert.NoError(err)
 }
 
+func TestScalarMulBase4(t *testing.T) {
+	assert := test.NewAssert(t)
+	_, _, g, _ := bw6761.Generators()
+	var r fr_bw6761.Element
+	_, _ = r.SetRandom()
+	s := new(big.Int)
+	r.BigInt(s)
+	var S bw6761.G1Affine
+	S.ScalarMultiplication(&g, s)
+
+	circuit := ScalarMulBaseTest[emulated.BW6761Fp, emulated.BW6761Fr]{}
+	witness := ScalarMulBaseTest[emulated.BW6761Fp, emulated.BW6761Fr]{
+		S: emulated.ValueOf[emulated.BW6761Fr](s),
+		Q: AffinePoint[emulated.BW6761Fp]{
+			X: emulated.ValueOf[emulated.BW6761Fp](S.X),
+			Y: emulated.ValueOf[emulated.BW6761Fp](S.Y),
+		},
+	}
+	err := test.IsSolved(&circuit, &witness, testCurve.ScalarField())
+	assert.NoError(err)
+}
+
 type ScalarMulTest[T, S emulated.FieldParams] struct {
 	P, Q AffinePoint[T]
 	S    emulated.Element[S]
@@ -558,6 +582,32 @@ func TestScalarMul5(t *testing.T) {
 	assert.NoError(err)
 }
 
+func TestScalarMul6(t *testing.T) {
+	assert := test.NewAssert(t)
+	var r fr_bw6761.Element
+	_, _ = r.SetRandom()
+	s := new(big.Int)
+	r.BigInt(s)
+	var res bw6761.G1Affine
+	_, _, gen, _ := bw6761.Generators()
+	res.ScalarMultiplication(&gen, s)
+
+	circuit := ScalarMulTest[emulated.BW6761Fp, emulated.BW6761Fr]{}
+	witness := ScalarMulTest[emulated.BW6761Fp, emulated.BW6761Fr]{
+		S: emulated.ValueOf[emulated.BW6761Fr](s),
+		P: AffinePoint[emulated.BW6761Fp]{
+			X: emulated.ValueOf[emulated.BW6761Fp](gen.X),
+			Y: emulated.ValueOf[emulated.BW6761Fp](gen.Y),
+		},
+		Q: AffinePoint[emulated.BW6761Fp]{
+			X: emulated.ValueOf[emulated.BW6761Fp](res.X),
+			Y: emulated.ValueOf[emulated.BW6761Fp](res.Y),
+		},
+	}
+	err := test.IsSolved(&circuit, &witness, testCurve.ScalarField())
+	assert.NoError(err)
+}
+
 type ScalarMulEdgeCasesTest[T, S emulated.FieldParams] struct {
 	P, R AffinePoint[T]
 	S    emulated.Element[S]

diff --git a/std/commitments/kzg/verifier.go b/std/commitments/kzg/verifier.go
@@ -26,9 +26,13 @@ import (
 	"github.com/consensys/gnark-crypto/ecc/bn254"
 	fr_bn254 "github.com/consensys/gnark-crypto/ecc/bn254/fr"
 	kzg_bn254 "github.com/consensys/gnark-crypto/ecc/bn254/kzg"
+	bw6761 "github.com/consensys/gnark-crypto/ecc/bw6-761"
+	fr_bw6761 "github.com/consensys/gnark-crypto/ecc/bw6-761/fr"
+	kzg_bw6761 "github.com/consensys/gnark-crypto/ecc/bw6-761/kzg"
 	"github.com/consensys/gnark/std/algebra"
 	"github.com/consensys/gnark/std/algebra/emulated/sw_bls12381"
 	"github.com/consensys/gnark/std/algebra/emulated/sw_bn254"
+	"github.com/consensys/gnark/std/algebra/emulated/sw_bw6761"
 	"github.com/consensys/gnark/std/algebra/native/sw_bls12377"
 	"github.com/consensys/gnark/std/algebra/native/sw_bls24315"
 )
@@ -63,6 +67,12 @@ func ValueOfCommitment[G1El algebra.G1ElementT](cmt any) (Commitment[G1El], erro
 			return ret, fmt.Errorf("mismatching types %T %T", ret, cmt)
 		}
 		s.G1El = sw_bls12381.NewG1Affine(tCmt)
+	case *Commitment[sw_bw6761.G1Affine]:
+		tCmt, ok := cmt.(bw6761.G1Affine)
+		if !ok {
+			return ret, fmt.Errorf("mismatching types %T %T", ret, cmt)
+		}
+		s.G1El = sw_bw6761.NewG1Affine(tCmt)
 	case *Commitment[sw_bls24315.G1Affine]:
 		tCmt, ok := cmt.(bls24315.G1Affine)
 		if !ok {
@@ -126,6 +136,18 @@ func ValueOfOpeningProof[S algebra.ScalarT, G1El algebra.G1ElementT](point any,
 		s.QuotientPoly = sw_bls12381.NewG1Affine(tProof.H)
 		s.ClaimedValue = sw_bls12381.NewScalar(tProof.ClaimedValue)
 		s.Point = sw_bls12381.NewScalar(tPoint)
+	case *OpeningProof[sw_bw6761.Scalar, sw_bw6761.G1Affine]:
+		tProof, ok := proof.(kzg_bw6761.OpeningProof)
+		if !ok {
+			return ret, fmt.Errorf("mismatching types %T %T", ret, proof)
+		}
+		tPoint, ok := point.(fr_bw6761.Element)
+		if !ok {
+			return ret, fmt.Errorf("mismatching types %T %T", ret, point)
+		}
+		s.QuotientPoly = sw_bw6761.NewG1Affine(tProof.H)
+		s.ClaimedValue = sw_bw6761.NewScalar(tProof.ClaimedValue)
+		s.Point = sw_bw6761.NewScalar(tPoint)
 	case *OpeningProof[sw_bls24315.Scalar, sw_bls24315.G1Affine]:
 		tProof, ok := proof.(kzg_bls24315.OpeningProof)
 		if !ok {
@@ -177,6 +199,13 @@ func ValueOfVerifyingKey[G2El algebra.G2ElementT](vk any) (VerifyingKey[G2El], e
 		}
 		s.SRS[0] = sw_bls12381.NewG2Affine(tVk.G2[0])
 		s.SRS[1] = sw_bls12381.NewG2Affine(tVk.G2[1])
+	case *VerifyingKey[sw_bw6761.G2Affine]:
+		tVk, ok := vk.(kzg_bw6761.VerifyingKey)
+		if !ok {
+			return ret, fmt.Errorf("mismatching types %T %T", ret, vk)
+		}
+		s.SRS[0] = sw_bw6761.NewG2Affine(tVk.G2[0])
+		s.SRS[1] = sw_bw6761.NewG2Affine(tVk.G2[1])
 	case *VerifyingKey[sw_bls24315.G2Affine]:
 		tVk, ok := vk.(kzg_bls24315.VerifyingKey)
 		if !ok {