ell_by_constant

Author: Hakkush-07

src/circuits/bn254/fq12.rs

@@ -198,6 +198,30 @@ impl Fq12 {
         circuit
     }
 
+    pub fn mul_by_034_constant4(a: Wires, c0: Wires, c3: Wires, c4: ark_bn254::Fq2)-> Circuit {
+        assert_eq!(a.len(), Self::N_BITS);
+        assert_eq!(c0.len(), Fq2::N_BITS);
+        assert_eq!(c3.len(), Fq2::N_BITS);
+        let mut circuit = Circuit::empty();
+
+        let a_c0 = a[0..Fq6::N_BITS].to_vec();
+        let a_c1 = a[Fq6::N_BITS..2*Fq6::N_BITS].to_vec();
+
+        let wires_1 = circuit.extend(Fq6::mul_by_01_constant1(a_c1.clone(), c3.clone(), c4.clone()));
+        let wires_2 = circuit.extend(Fq6::mul_by_nonresidue(wires_1.clone()));
+        let wires_3 = circuit.extend(Fq6::mul_by_fq2(a_c0.clone(), c0.clone()));
+        let new_c0 = circuit.extend(Fq6::add(wires_2.clone(), wires_3.clone()));
+        let wires_4 = circuit.extend(Fq6::add(a_c0.clone(), a_c1.clone()));
+        let wires_5 = circuit.extend(Fq2::add(c3.clone(), c0.clone()));
+        let wires_6 = circuit.extend(Fq6::mul_by_01_constant1(wires_4.clone(), wires_5.clone(), c4.clone()));
+        let wires_7 = circuit.extend(Fq6::add(wires_1, wires_3));
+        let new_c1 = circuit.extend(Fq6::sub(wires_6, wires_7));
+
+        circuit.add_wires(new_c0);
+        circuit.add_wires(new_c1);
+        circuit
+    }
+
     pub fn square(a: Wires) -> Circuit {
         assert_eq!(a.len(), Self::N_BITS);
         let mut circuit = Circuit::empty();

src/circuits/bn254/fq2.rs

@@ -181,6 +181,17 @@ impl Fq2 {
         circuit
     }
 
+    pub fn mul_constant_by_fq(a: ark_bn254::Fq2, b: Wires) -> Circuit {
+        assert_eq!(b.len(), Fq::N_BITS);
+        let mut circuit = Circuit::empty();
+
+        let wires_1 = circuit.extend(Fq::mul_by_constant(b.clone(), a.c0));
+        let wires_2 = circuit.extend(Fq::mul_by_constant(b.clone(), a.c1));
+        circuit.add_wires(wires_1);
+        circuit.add_wires(wires_2);
+        circuit
+    }
+
     pub fn mul_by_nonresidue(a: Wires) -> Circuit {
         assert_eq!(a.len(), Self::N_BITS);
         let mut circuit = Circuit::empty();

src/circuits/bn254/fq6.rs

@@ -320,6 +320,37 @@ impl Fq6 {
         circuit
     }
 
+    pub fn mul_by_01_constant1(a: Wires, c0: Wires, c1: ark_bn254::Fq2) -> Circuit {
+        assert_eq!(a.len(), Self::N_BITS);
+        assert_eq!(c0.len(), Fq2::N_BITS);
+        let mut circuit = Circuit::empty();
+
+        let a_c0 = a[0..Fq2::N_BITS].to_vec();
+        let a_c1 = a[Fq2::N_BITS..2*Fq2::N_BITS].to_vec();
+        let a_c2 = a[2*Fq2::N_BITS..3*Fq2::N_BITS].to_vec();
+
+        let wires_1 = circuit.extend(Fq2::mul(a_c0.clone(), c0.clone()));
+        let wires_2 = circuit.extend(Fq2::mul_by_constant(a_c1.clone(), c1.clone()));
+        let wires_3 = circuit.extend(Fq2::add(a_c1.clone(), a_c2.clone()));
+        let wires_4 = circuit.extend(Fq2::mul_by_constant(wires_3.clone(), c1.clone()));
+        let wires_5 = circuit.extend(Fq2::sub(wires_4.clone(), wires_2.clone()));
+        let wires_6 = circuit.extend(Fq2::mul_by_nonresidue(wires_5.clone()));
+        let wires_7 = circuit.extend(Fq2::add(wires_6.clone(), wires_1.clone()));
+        let wires_8 = circuit.extend(Fq2::add(a_c0.clone(), a_c1.clone()));
+        let wires_9 = circuit.extend(Fq2::add_constant(c0.clone(), c1.clone()));
+        let wires_10 = circuit.extend(Fq2::mul(wires_8.clone(), wires_9.clone()));
+        let wires_11 = circuit.extend(Fq2::sub(wires_10.clone(), wires_1.clone()));
+        let wires_12 = circuit.extend(Fq2::sub(wires_11.clone(), wires_2.clone()));
+        let wires_13 = circuit.extend(Fq2::add(a_c0.clone(), a_c2.clone()));
+        let wires_14 = circuit.extend(Fq2::mul(wires_13.clone(), c0.clone()));
+        let wires_15 = circuit.extend(Fq2::sub(wires_14.clone(), wires_1.clone()));
+        let wires_16 = circuit.extend(Fq2::add(wires_15.clone(), wires_2.clone()));
+        circuit.add_wires(wires_7);
+        circuit.add_wires(wires_12);
+        circuit.add_wires(wires_16);
+        circuit
+    }
+
     pub fn square(a: Wires) -> Circuit {
         assert_eq!(a.len(), Self::N_BITS);
         let mut circuit = Circuit::empty();

src/circuits/bn254/pairing.rs

@@ -375,6 +375,35 @@ pub fn ell_circuit_evaluate(f: Wires, coeffs: (Wires, Wires, Wires), p: Wires) -
     (circuit.0, n)
 }
 
+pub fn ell_by_constant_circuit(f: Wires, coeffs: (ark_bn254::Fq2, ark_bn254::Fq2, ark_bn254::Fq2), p: Wires) -> Circuit {
+    let mut circuit = Circuit::empty();
+    let c0 = coeffs.0;
+    let c1 = coeffs.1;
+    let c2 = coeffs.2;
+
+    let px = p[0..Fq::N_BITS].to_vec();
+    let py = p[Fq::N_BITS..2*Fq::N_BITS].to_vec();
+
+    let new_c0 = circuit.extend(Fq2::mul_constant_by_fq(c0, py));
+    let new_c1 = circuit.extend(Fq2::mul_constant_by_fq(c1, px));
+    let new_f = circuit.extend(Fq12::mul_by_034_constant4(f, new_c0, new_c1, c2));
+
+    circuit.add_wires(new_f);
+    circuit
+}
+
+pub fn ell_by_constant_circuit_evaluate(f: Wires, coeffs: (ark_bn254::Fq2, ark_bn254::Fq2, ark_bn254::Fq2), p: Wires) -> (Wires, usize) {
+    let circuit = ell_by_constant_circuit(f, coeffs, p);
+
+    let n = circuit.1.len();
+
+    for mut gate in circuit.1 {
+        gate.evaluate();
+    }
+
+    (circuit.0, n)
+}
+
 pub fn fq12_square_evaluate(f: Wires) -> (Wires, usize) {
     let circuit = Fq12::square(f);
 
@@ -560,6 +589,92 @@ pub fn multi_miller_loop_circuit_evaluate(ps: Vec<Wires>, qs: Vec<Wires>) -> (Wi
     (f, gate_count)
 }
 
+pub fn multi_miller_loop_groth16_circuit_evaluate(p1: Wires, p2: Wires, p3: Wires, q1: ark_bn254::G2Affine, q2: ark_bn254::G2Affine, q3: Wires) -> (Wires, usize) {
+    let mut gate_count = 0;
+    let q1ell = ell_coeffs(q1);
+    let q2ell = ell_coeffs(q2);
+    let (q3ell, gc) = (ell_coeffs(g2a_from_wires(q3)).iter().map(|(c0, c1, c2)| { (wires_set_from_fq2(*c0), wires_set_from_fq2(*c1), wires_set_from_fq2(*c2)) }).collect::<Vec<_>>(), 4290000000); // ell_coeffs_circuit_evaluate(q3);
+    gate_count += gc;
+    let mut q1_ell = q1ell.iter();
+    let mut q2_ell = q2ell.iter();
+    let mut q3_ell = q3ell.iter();
+
+    let mut f = wires_set_from_fq12(ark_bn254::Fq12::ONE);
+
+    for i in (1..ark_bn254::Config::ATE_LOOP_COUNT.len()).rev() {
+        if i != ark_bn254::Config::ATE_LOOP_COUNT.len() - 1 {
+            let (new_f, gc) = (wires_set_from_fq12(fq12_from_wires(f).square()), 70631715); // fq12_square_evaluate(f);
+            f = new_f;
+            gate_count += gc;
+        }
+
+        let q1ell_next = q1_ell.next().unwrap();
+        let (new_f, gc) = (wires_set_from_fq12(ell2(fq12_from_wires(f), *q1ell_next, g1p_from_wires(p1.clone()))), 58977252); // ell_by_constant_circuit_evaluate(f, q1_ell.next().unwrap().clone(), p.clone());
+        f = new_f;
+        gate_count += gc;
+
+        let q2ell_next = q2_ell.next().unwrap();
+        let (new_f, gc) = (wires_set_from_fq12(ell2(fq12_from_wires(f), *q2ell_next, g1p_from_wires(p2.clone()))), 58977252); // ell_by_constant_circuit_evaluate(f, q2_ell.next().unwrap().clone(), p.clone());
+        f = new_f;
+        gate_count += gc;
+
+        let q3ell_next = q3_ell.next().unwrap().clone();
+        let (new_f, gc) = (wires_set_from_fq12(ell2(fq12_from_wires(f), (fq2_from_wires(q3ell_next.0), fq2_from_wires(q3ell_next.1), fq2_from_wires(q3ell_next.2)), g1p_from_wires(p3.clone()))), 67030677); // ell_circuit_evaluate(f, q3_ell.next().unwrap().clone(), p.clone());
+        f = new_f;
+        gate_count += gc;
+
+        let bit = ark_bn254::Config::ATE_LOOP_COUNT[i - 1];
+        if bit == 1 || bit == -1 {
+            let q1ell_next = q1_ell.next().unwrap();
+            let (new_f, gc) = (wires_set_from_fq12(ell2(fq12_from_wires(f), *q1ell_next, g1p_from_wires(p1.clone()))), 58977252); // ell_by_constant_circuit_evaluate(f, q1_ell.next().unwrap().clone(), p.clone());
+            f = new_f;
+            gate_count += gc;
+
+            let q2ell_next = q2_ell.next().unwrap();
+            let (new_f, gc) = (wires_set_from_fq12(ell2(fq12_from_wires(f), *q2ell_next, g1p_from_wires(p2.clone()))), 58977252); // ell_by_constant_circuit_evaluate(f, q2_ell.next().unwrap().clone(), p.clone());
+            f = new_f;
+            gate_count += gc;
+
+            let q3ell_next = q3_ell.next().unwrap().clone();
+            let (new_f, gc) = (wires_set_from_fq12(ell2(fq12_from_wires(f), (fq2_from_wires(q3ell_next.0), fq2_from_wires(q3ell_next.1), fq2_from_wires(q3ell_next.2)), g1p_from_wires(p3.clone()))), 67030677); // ell_circuit_evaluate(f, q3_ell.next().unwrap().clone(), p.clone());
+            f = new_f;
+            gate_count += gc;
+        }
+    }
+
+    let q1ell_next = q1_ell.next().unwrap();
+    let (new_f, gc) = (wires_set_from_fq12(ell2(fq12_from_wires(f), *q1ell_next, g1p_from_wires(p1.clone()))), 58977252); // ell_by_constant_circuit_evaluate(f, q1_ell.next().unwrap().clone(), p.clone());
+    f = new_f;
+    gate_count += gc;
+
+    let q2ell_next = q2_ell.next().unwrap();
+    let (new_f, gc) = (wires_set_from_fq12(ell2(fq12_from_wires(f), *q2ell_next, g1p_from_wires(p2.clone()))), 58977252); // ell_by_constant_circuit_evaluate(f, q2_ell.next().unwrap().clone(), p.clone());
+    f = new_f;
+    gate_count += gc;
+
+    let q3ell_next = q3_ell.next().unwrap().clone();
+    let (new_f, gc) = (wires_set_from_fq12(ell2(fq12_from_wires(f), (fq2_from_wires(q3ell_next.0), fq2_from_wires(q3ell_next.1), fq2_from_wires(q3ell_next.2)), g1p_from_wires(p3.clone()))), 67030677); // ell_circuit_evaluate(f, q3_ell.next().unwrap().clone(), p.clone());
+    f = new_f;
+    gate_count += gc;
+
+    let q1ell_next = q1_ell.next().unwrap();
+    let (new_f, gc) = (wires_set_from_fq12(ell2(fq12_from_wires(f), *q1ell_next, g1p_from_wires(p1.clone()))), 58977252); // ell_by_constant_circuit_evaluate(f, q1_ell.next().unwrap().clone(), p.clone());
+    f = new_f;
+    gate_count += gc;
+
+    let q2ell_next = q2_ell.next().unwrap();
+    let (new_f, gc) = (wires_set_from_fq12(ell2(fq12_from_wires(f), *q2ell_next, g1p_from_wires(p2.clone()))), 58977252); // ell_by_constant_circuit_evaluate(f, q2_ell.next().unwrap().clone(), p.clone());
+    f = new_f;
+    gate_count += gc;
+
+    let q3ell_next = q3_ell.next().unwrap().clone();
+    let (new_f, gc) = (wires_set_from_fq12(ell2(fq12_from_wires(f), (fq2_from_wires(q3ell_next.0), fq2_from_wires(q3ell_next.1), fq2_from_wires(q3ell_next.2)), g1p_from_wires(p3.clone()))), 67030677); // ell_circuit_evaluate(f, q3_ell.next().unwrap().clone(), p.clone());
+    f = new_f;
+    gate_count += gc;
+
+    (f, gate_count)
+}
+
 #[cfg(test)]
 mod tests {
     use std::iter::zip;
@@ -695,6 +810,23 @@ mod tests {
         assert_eq!(f, new_f);
     }
 
+    #[test]
+    fn test_ell_by_constant_circuit() {
+        let mut prng = ChaCha20Rng::seed_from_u64(0);
+        let mut f = ark_bn254::Fq12::rand(&mut prng);
+        let coeffs = (ark_bn254::Fq2::rand(&mut prng), ark_bn254::Fq2::rand(&mut prng), ark_bn254::Fq2::rand(&mut prng));
+        let p = ark_bn254::G1Projective::rand(&mut prng);
+
+        let circuit = ell_by_constant_circuit(wires_set_from_fq12(f), coeffs, wires_set_from_g1p(p));
+        circuit.print_gate_type_counts();
+        for mut gate in circuit.1 {
+            gate.evaluate();
+        }
+        let new_f = fq12_from_wires(circuit.0);
+        ell(&mut f, coeffs, p);
+        assert_eq!(f, new_f);
+    }
+
     #[test]
     fn test_miller_loop() {
         let mut prng = ChaCha20Rng::seed_from_u64(0);
@@ -744,4 +876,21 @@ mod tests {
 
         assert_eq!(fq12_from_wires(f), expected_f);
     }
+
+    #[test]
+    fn test_multi_miller_loop_groth16_circuit_evaluate() {
+        let mut prng = ChaCha20Rng::seed_from_u64(0);
+        let p1 = ark_bn254::G1Projective::rand(&mut prng);
+        let p2 = ark_bn254::G1Projective::rand(&mut prng);
+        let p3 = ark_bn254::G1Projective::rand(&mut prng);
+        let q1 = ark_bn254::G2Affine::rand(&mut prng);
+        let q2 = ark_bn254::G2Affine::rand(&mut prng);
+        let q3 = ark_bn254::G2Affine::rand(&mut prng);
+
+        let expected_f = multi_miller_loop(vec![p1, p2, p3], vec![q1, q2, q3]);
+        let (f, gate_count) = multi_miller_loop_groth16_circuit_evaluate(wires_set_from_g1p(p1), wires_set_from_g1p(p2), wires_set_from_g1p(p3), q1, q2, wires_set_from_g2a(q3));
+        println!("gate_count: {:?}", gate_count);
+        
+        assert_eq!(fq12_from_wires(f), expected_f);
+    }
 }

src/circuits/groth16.rs

@@ -4,8 +4,8 @@ use ark_ff::Field;
 use crate::bag::*;
 use crate::circuits::bn254::fq12::Fq12;
 use crate::circuits::bn254::g1::G1Projective;
-use crate::circuits::bn254::pairing::multi_miller_loop_circuit_evaluate;
-use crate::circuits::bn254::utils::{fq12_from_wires, fr_from_wires, wires_set_from_fq12, wires_set_from_g1p, wires_set_from_g2a};
+use crate::circuits::bn254::pairing::multi_miller_loop_groth16_circuit_evaluate;
+use crate::circuits::bn254::utils::{fq12_from_wires, fr_from_wires, wires_set_from_fq12, wires_set_from_g1p};
 
 pub fn fq12_mul_evaluate(a: Wires, b: Wires) -> (Wires, usize) {
     let circuit = Fq12::mul(a, b);
@@ -52,7 +52,7 @@ pub fn groth16_verifier_circuit(public: Wires, proof_a: Wires, proof_b: Wires, p
     let (msm, gc) = G1Projective::add_evaluate(msm_temp, wires_set_from_g1p(vk.gamma_abc_g1[0].into_group()));
     gate_count += gc;
 
-    let (f, gc) = multi_miller_loop_circuit_evaluate(vec![msm, proof_c, proof_a], vec![wires_set_from_g2a(-vk.gamma_g2), wires_set_from_g2a(-vk.delta_g2), proof_b]);
+    let (f, gc) = multi_miller_loop_groth16_circuit_evaluate(msm, proof_c, proof_a, -vk.gamma_g2, -vk.delta_g2, proof_b);
     gate_count += gc;
 
     let alpha_beta = ark_bn254::Bn254::final_exponentiation(ark_bn254::Bn254::multi_miller_loop([vk.alpha_g1.into_group()], [-vk.beta_g2])).unwrap().0.inverse().unwrap();
@@ -71,7 +71,7 @@ mod tests {
     use ark_ff::{PrimeField, UniformRand};
     use ark_relations::lc;
     use ark_relations::r1cs::{ConstraintSynthesizer, ConstraintSystemRef, SynthesisError};
-    use crate::circuits::bn254::utils::wires_set_from_fr;
+    use crate::circuits::bn254::utils::{wires_set_from_fr, wires_set_from_g2a};
     use super::*;
 
     #[derive(Copy)]