groth16 without montgomery is done

Author: Hakkush-07

src/circuits/bn254/finalexp.rs

@@ -0,0 +1,226 @@
+use ark_ec::bn::BnConfig;
+use ark_ff::{BitIteratorBE, CyclotomicMultSubgroup, Field};
+use crate::{bag::*, circuits::bn254::{fq12::Fq12, utils::{fq12_from_wires, wires_set_from_fq12}}};
+
+pub fn conjugate(f: ark_bn254::Fq12) -> ark_bn254::Fq12 {
+    ark_bn254::Fq12::new(f.c0, -f.c1)
+}
+
+pub fn cyclotomic_exp(f: ark_bn254::Fq12) -> ark_bn254::Fq12 {
+    let mut res = ark_bn254::Fq12::ONE;
+    let mut found_nonzero = false;
+    for value in BitIteratorBE::without_leading_zeros(ark_bn254::Config::X.as_ref()).map(|e| e as i8) {
+        if found_nonzero {
+            res.square_in_place(); // cyclotomic_square_in_place
+        }
+
+        if value != 0 {
+            found_nonzero = true;
+
+            if value > 0 {
+                res *= &f;
+            }
+        }
+    }
+    res
+}
+
+pub fn cyclotomic_exp_evaluate(f: Wires) -> (Wires, GateCount) {
+    let mut res = wires_set_from_fq12(ark_bn254::Fq12::ONE);
+    let mut gate_count = GateCount::zero();
+    let mut found_nonzero = false;
+    for value in BitIteratorBE::without_leading_zeros(ark_bn254::Config::X.as_ref()).map(|e| e as i8).collect::<Vec<_>>() {
+        if found_nonzero {
+            let (wires1, gc) = (wires_set_from_fq12(fq12_from_wires(res.clone()).square()), GateCount::fq12_square()); //Fq12::square_evaluate(res.clone());
+            res = wires1;
+            gate_count += gc;
+        }
+
+        if value != 0 {
+            found_nonzero = true;
+
+            if value > 0 {
+                let (wires2, gc) = (wires_set_from_fq12(fq12_from_wires(res.clone()) * fq12_from_wires(f.clone())), GateCount::fq12_mul()); // Fq12::mul_evaluate(res.clone(), f.clone());
+                res = wires2;
+                gate_count+=gc;
+            }
+        }
+    }
+    (res, gate_count)
+}
+
+pub fn cyclotomic_exp_fastinv(f: ark_bn254::Fq12) -> ark_bn254::Fq12 {
+    let self_inverse = f.cyclotomic_inverse().unwrap();
+    let mut res = ark_bn254::Fq12::ONE;
+    let mut found_nonzero = false;
+    for value in ark_ff::biginteger::arithmetic::find_naf(ark_bn254::Config::X.as_ref()).into_iter().rev() {
+        if found_nonzero {
+            res.square_in_place(); // cyclotomic_square_in_place
+        }
+
+        if value != 0 {
+            found_nonzero = true;
+
+            if value > 0 {
+                res *= &f;
+            } else {
+                res *= &self_inverse;
+            }
+        }
+    }
+    res
+}
+
+pub fn exp_by_neg_x(f: ark_bn254::Fq12) -> ark_bn254::Fq12 {
+    conjugate(cyclotomic_exp(f))
+}
+
+pub fn exp_by_neg_x_evaluate(f: Wires) -> (Wires, GateCount) {
+    let mut gate_count = GateCount::zero();
+    let (f2, gc) = cyclotomic_exp_evaluate(f);
+    gate_count += gc;
+    let (f3, gc) = Fq12::conjugate_evaluate(f2);
+    gate_count += gc;
+    (f3, gate_count)
+}
+
+pub fn final_exponentiation(f: ark_bn254::Fq12) -> ark_bn254::Fq12 {
+    let u = f.inverse().unwrap() * conjugate(f);
+    let r = u.frobenius_map(2) * u;
+    let y0 = exp_by_neg_x(r);
+    let y1 = y0.square();
+    let y2 = y1.square();
+    let y3 = y2 * &y1;
+    let y4 = exp_by_neg_x(y3);
+    let y5 = y4.square();
+    let y6 = exp_by_neg_x(y5);
+    let y7 = conjugate(y3);
+    let y8 = conjugate(y6);
+    let y9 = y8 * &y4;
+    let y10 = y9 * &y7;
+    let y11 = y10 * &y1;
+    let y12 = y10 * &y4;
+    let y13 = y12 * &r;
+    let y14 = y11.frobenius_map(1);
+    let y15 = y14 * &y13;
+    let y16 = y10.frobenius_map(2);
+    let y17 = y16 * &y15;
+    let r2 = conjugate(r);
+    let y18 = r2 * &y11;
+    let y19 = y18.frobenius_map(3);
+    let y20 = y19 * &y17;
+    y20
+}
+
+pub fn final_exponentiation_evaluate(f: Wires) -> (Wires, GateCount) {
+    let mut gate_count = GateCount::zero();
+    let (f_inv, gc) = (wires_set_from_fq12(fq12_from_wires(f.clone()).inverse().unwrap()), GateCount::fq12_inverse());
+    gate_count += gc;
+    let (f_conjugate, gc) = Fq12::conjugate_evaluate(f.clone());
+    gate_count += gc;
+    let (u, gc) = (wires_set_from_fq12(fq12_from_wires(f_inv) * fq12_from_wires(f_conjugate)), GateCount::fq12_mul()); // Fq12::mul_evaluate(f_inv, f_conjugate);
+    gate_count += gc;
+    let (u_frobenius, gc) = Fq12::frobenius_evaluate(u.clone(), 2);
+    gate_count += gc;
+    let (r, gc) = (wires_set_from_fq12(fq12_from_wires(u_frobenius) * fq12_from_wires(u.clone())), GateCount::fq12_mul()); // Fq12::mul_evaluate(u_frobenius, u.clone());
+    gate_count += gc;
+    let (y0, gc) = exp_by_neg_x_evaluate(r.clone());
+    gate_count += gc;
+    let (y1, gc) = (wires_set_from_fq12(fq12_from_wires(y0).square()), GateCount::fq12_square()); // Fq12::square_evaluate(y0);
+    gate_count += gc;
+    let (y2, gc) = (wires_set_from_fq12(fq12_from_wires(y1.clone()).square()), GateCount::fq12_square()); // Fq12::square_evaluate(y1.clone());
+    gate_count += gc;
+    let (y3, gc) = (wires_set_from_fq12(fq12_from_wires(y1.clone()) * fq12_from_wires(y2)), GateCount::fq12_mul()); // Fq12::mul_evaluate(y1.clone(), y2);
+    gate_count += gc;
+    let (y4, gc) = exp_by_neg_x_evaluate(y3.clone());
+    gate_count += gc;
+    let (y5, gc) = (wires_set_from_fq12(fq12_from_wires(y4.clone()).square()), GateCount::fq12_square()); // Fq12::square_evaluate(y4.clone());
+    gate_count += gc;
+    let (y6, gc) = exp_by_neg_x_evaluate(y5);
+    gate_count += gc;
+    let (y7, gc) = Fq12::conjugate_evaluate(y3);
+    gate_count += gc;
+    let (y8, gc) = Fq12::conjugate_evaluate(y6);
+    gate_count += gc;
+    let (y9, gc) = (wires_set_from_fq12(fq12_from_wires(y8) * fq12_from_wires(y4.clone())), GateCount::fq12_mul()); // Fq12::mul_evaluate(y8, y4.clone());
+    gate_count += gc;
+    let (y10, gc) = (wires_set_from_fq12(fq12_from_wires(y9) * fq12_from_wires(y7)), GateCount::fq12_mul()); // Fq12::mul_evaluate(y9, y7);
+    gate_count += gc;
+    let (y11, gc) = (wires_set_from_fq12(fq12_from_wires(y10.clone()) * fq12_from_wires(y1)), GateCount::fq12_mul()); // Fq12::mul_evaluate(y10.clone(), y1);
+    gate_count += gc;
+    let (y12, gc) = (wires_set_from_fq12(fq12_from_wires(y10.clone()) * fq12_from_wires(y4)), GateCount::fq12_mul()); // Fq12::mul_evaluate(y10.clone(), y4);
+    gate_count += gc;
+    let (y13, gc) = (wires_set_from_fq12(fq12_from_wires(y12) * fq12_from_wires(r.clone())), GateCount::fq12_mul()); // Fq12::mul_evaluate(y12, r.clone());
+    gate_count += gc;
+    let (y14, gc) = Fq12::frobenius_evaluate(y11.clone(), 1);
+    gate_count += gc;
+    let (y15, gc) = (wires_set_from_fq12(fq12_from_wires(y14) * fq12_from_wires(y13)), GateCount::fq12_mul()); // Fq12::mul_evaluate(y14, y13);
+    gate_count += gc;
+    let (y16, gc) = Fq12::frobenius_evaluate(y10, 2);
+    gate_count += gc;
+    let (y17, gc) = (wires_set_from_fq12(fq12_from_wires(y16) * fq12_from_wires(y15)), GateCount::fq12_mul()); // Fq12::mul_evaluate(y16, y15);
+    gate_count += gc;
+    let (r2, gc) = Fq12::conjugate_evaluate(r);
+    gate_count += gc;
+    let (y18, gc) = (wires_set_from_fq12(fq12_from_wires(r2) * fq12_from_wires(y11)), GateCount::fq12_mul()); // Fq12::mul_evaluate(r2, y11);
+    gate_count += gc;
+    let (y19, gc) = Fq12::frobenius_evaluate(y18, 3);
+    gate_count += gc;
+    let (y20, gc) = (wires_set_from_fq12(fq12_from_wires(y19) * fq12_from_wires(y17)), GateCount::fq12_mul()); // Fq12::mul_evaluate(y19, y17);
+    gate_count += gc;
+    (y20, gate_count)
+}
+
+#[cfg(test)]
+mod tests {
+    use ark_ec::{bn::BnConfig, pairing::{MillerLoopOutput, Pairing}};
+    use ark_ff::{CyclotomicMultSubgroup, UniformRand};
+    use ark_std::rand::SeedableRng;
+    use rand_chacha::ChaCha20Rng;
+    use crate::circuits::bn254::{finalexp::{cyclotomic_exp, cyclotomic_exp_evaluate, cyclotomic_exp_fastinv, final_exponentiation, final_exponentiation_evaluate}, utils::{fq12_from_wires, wires_set_from_fq12}};
+
+    #[test]
+    fn test_cyclotomic_exp() {
+        let mut prng = ChaCha20Rng::seed_from_u64(0);
+        let f = ark_bn254::Fq12::rand(&mut prng);
+
+        let c = f.cyclotomic_exp(ark_bn254::Config::X);
+        let d = cyclotomic_exp(f);
+        let e = cyclotomic_exp_fastinv(f);
+        assert_eq!(c, d);
+        assert_eq!(c, e);
+    }
+
+    #[test]
+    fn test_cyclotomic_exp_evaluate() {
+        let mut prng = ChaCha20Rng::seed_from_u64(0);
+        let f = ark_bn254::Fq12::rand(&mut prng);
+
+        let c = cyclotomic_exp(f); // f.cyclotomic_exp(ark_bn254::Config::X);
+        let (d, gate_count)  = cyclotomic_exp_evaluate(wires_set_from_fq12(f));
+        gate_count.print();
+        assert_eq!(c, fq12_from_wires(d));
+    }
+
+    #[test]
+    fn test_final_exponentiation() {
+        let mut prng = ChaCha20Rng::seed_from_u64(0);
+        let f = ark_bn254::Fq12::rand(&mut prng);
+
+        let c = ark_bn254::Bn254::final_exponentiation(MillerLoopOutput(f)).unwrap().0;
+        let d = final_exponentiation(f);
+        assert_eq!(c, d);
+    }
+
+    #[test]
+    fn test_final_exponentiation_evaluate() {
+        let mut prng = ChaCha20Rng::seed_from_u64(0);
+        let f = ark_bn254::Fq12::rand(&mut prng);
+
+        let c = ark_bn254::Bn254::final_exponentiation(MillerLoopOutput(f)).unwrap().0;
+        let (d, gate_count) = final_exponentiation_evaluate(wires_set_from_fq12(f));
+        gate_count.print();
+        
+        assert_eq!(fq12_from_wires(d), c);
+    }
+}

src/circuits/bn254/g1.rs

@@ -324,7 +324,7 @@ mod tests {
 
     #[test]
     fn test_g1p_multiplexer() {
-        let w = 12;
+        let w = 4;
         let n = 2_usize.pow(w as u32);
         let a: Vec<ark_bn254::G1Projective> = (0..n).map(|_| { random_g1p() }).collect();
         let s: Wires = (0..w).map(|_| { Rc::new(RefCell::new(Wire::new())) }).collect();

src/circuits/bn254/mod.rs

@@ -8,3 +8,4 @@ pub mod fr;
 pub mod g1;
 pub mod g2;
 pub mod pairing;
+pub mod finalexp;

src/circuits/groth16.rs

@@ -2,6 +2,7 @@ use ark_ec::pairing::{MillerLoopOutput, Pairing};
 use ark_ec::{AffineRepr, VariableBaseMSM};
 use ark_ff::Field;
 use crate::bag::*;
+use crate::circuits::bn254::finalexp::final_exponentiation_evaluate;
 use crate::circuits::bn254::fq12::Fq12;
 use crate::circuits::bn254::g1::G1Projective;
 use crate::circuits::bn254::pairing::multi_miller_loop_groth16_evaluate;
@@ -32,7 +33,8 @@ pub fn groth16_verifier_evaluate(public: Wires, proof_a: Wires, proof_b: Wires,
     gate_count += gc;
 
     let alpha_beta = ark_bn254::Bn254::final_exponentiation(ark_bn254::Bn254::multi_miller_loop([vk.alpha_g1.into_group()], [-vk.beta_g2])).unwrap().0.inverse().unwrap();
-    let f = wires_set_from_fq12(ark_bn254::Bn254::final_exponentiation(MillerLoopOutput(fq12_from_wires(f))).unwrap().0);
+    let (f, gc) = final_exponentiation_evaluate(f); // wires_set_from_fq12(ark_bn254::Bn254::final_exponentiation(MillerLoopOutput(fq12_from_wires(f))).unwrap().0);
+    gate_count += gc;
 
     let (result, gc) = Fq12::equal_constant_evaluate(f, alpha_beta);
     gate_count += gc;

src/core/gate.rs

@@ -339,12 +339,12 @@ impl GateCount {
 impl GateCount {
     pub fn msm() -> Self {
         Self {
-            and: 0,
-            or: 0,
-            xor: 0,
-            nand: 0,
-            not: 0,
-            xnor: 0,
+            and: 128808400,
+            or: 76938400,
+            xor: 102685425,
+            nand: 213127590,
+            not: 123282230,
+            xnor: 51296850,
             nimp: 0,
             nsor: 0,
         }
@@ -363,6 +363,32 @@ impl GateCount {
         }
     }
 
+    pub fn fq12_mul() -> Self {
+        Self {
+            and: 14793358,
+            or: 8875324,
+            xor: 11846173,
+            nand: 17836896,
+            not: 11985288,
+            xnor: 5912170,
+            nimp: 0,
+            nsor: 0,
+        }
+    }
+
+    pub fn fq12_inverse() -> Self {
+        Self {
+            and: 41464294,
+            or: 22347965,
+            xor: 32020868,
+            nand: 43551348,
+            not: 28864311,
+            xnor: 13277144,
+            nimp: 0,
+            nsor: 0,
+        }
+    }
+
     pub fn double_in_place() -> Self {
         Self {
             and: 9224370,