Documentation ¶
Overview ¶
Package sw_bls12377 implements the arithmetic of G1, G2 and the pairing computation on BLS12-377 as a SNARK circuit over BW6-761. These two curves form a 2-chain, so the operations use native field arithmetic.
References:
- BW6-761: https://eprint.iacr.org/2020/351
- Pairings in R1CS: https://eprint.iacr.org/2022/1162
Index ¶
- func GetHints() []solver.Hint
- func PairingCheck(api frontend.API, P []G1Affine, Q []G2Affine) error
- type Curve
- func (c *Curve) Add(P, Q *G1Affine) *G1Affine
- func (c *Curve) AddUnified(P, Q *G1Affine) *G1Affine
- func (c *Curve) AssertIsEqual(P, Q *G1Affine)
- func (c *Curve) Lookup2(b1, b2 frontend.Variable, p1, p2, p3, p4 *G1Affine) *G1Affine
- func (c *Curve) MarshalG1(P G1Affine, opts ...algopts.AlgebraOption) []frontend.Variable
- func (c *Curve) MarshalScalar(s Scalar, opts ...algopts.AlgebraOption) []frontend.Variable
- func (c *Curve) MultiScalarMul(P []*G1Affine, scalars []*Scalar, opts ...algopts.AlgebraOption) (*G1Affine, error)
- func (c *Curve) Mux(sel frontend.Variable, inputs ...*G1Affine) *G1Affine
- func (c *Curve) Neg(P *G1Affine) *G1Affine
- func (c *Curve) ScalarMul(P *G1Affine, s *Scalar, opts ...algopts.AlgebraOption) *G1Affine
- func (c *Curve) ScalarMulBase(s *Scalar, opts ...algopts.AlgebraOption) *G1Affine
- func (c *Curve) Select(b frontend.Variable, p1, p2 *G1Affine) *G1Affine
- type G1Affine
- func (p *G1Affine) AddAssign(api frontend.API, p1 G1Affine) *G1Affine
- func (p *G1Affine) AddUnified(api frontend.API, q G1Affine) *G1Affine
- func (p *G1Affine) AssertIsEqual(api frontend.API, other G1Affine)
- func (p *G1Affine) Assign(p1 *bls12377.G1Affine)
- func (p *G1Affine) Double(api frontend.API, p1 G1Affine) *G1Affine
- func (p *G1Affine) DoubleAndAdd(api frontend.API, p1, p2 *G1Affine) *G1Affine
- func (p *G1Affine) Lookup2(api frontend.API, b1, b2 frontend.Variable, p1, p2, p3, p4 G1Affine) *G1Affine
- func (p *G1Affine) Neg(api frontend.API, p1 G1Affine) *G1Affine
- func (P *G1Affine) ScalarMul(api frontend.API, Q G1Affine, s interface{}, opts ...algopts.AlgebraOption) *G1Affine
- func (P *G1Affine) ScalarMulBase(api frontend.API, s frontend.Variable, opts ...algopts.AlgebraOption) *G1Affine
- func (p *G1Affine) Select(api frontend.API, b frontend.Variable, p1, p2 G1Affine) *G1Affine
- type G2Affine
- type GT
- type Pairing
- func (p *Pairing) AssertIsEqual(e1, e2 *GT)
- func (c *Pairing) AssertIsOnCurve(p *G1Affine)
- func (c *Pairing) AssertIsOnG1(P *G1Affine)
- func (c *Pairing) AssertIsOnG2(P *G2Affine)
- func (c *Pairing) AssertIsOnTwist(p *G2Affine)
- func (p *Pairing) FinalExponentiation(e *GT) *GT
- func (p *Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GT, error)
- func (p *Pairing) Pair(P []*G1Affine, Q []*G2Affine) (*GT, error)
- func (p *Pairing) PairingCheck(P []*G1Affine, Q []*G2Affine) error
- type Scalar
- type ScalarField
Functions ¶
Types ¶
type Curve ¶ added in v0.9.1
type Curve struct {
// contains filtered or unexported fields
}
Curve allows G1 operations in BLS12-377.
func (*Curve) Add ¶ added in v0.9.1
Add adds points P and Q and returns the result. It does not modify the inputs.
func (*Curve) AddUnified ¶ added in v0.10.0
AddUnified adds any two points and returns the sum. It does not modify the input points.
func (*Curve) AssertIsEqual ¶ added in v0.9.1
AssertIsEqual asserts the equality of P and Q.
func (*Curve) Lookup2 ¶ added in v0.10.0
Lookup2 performs a 2-bit lookup between p1, p2, p3, p4 based on bits b0 and b1. Returns:
- p1 if b0=0 and b1=0,
- p2 if b0=1 and b1=0,
- p3 if b0=0 and b1=1,
- p4 if b0=1 and b1=1.
func (*Curve) MarshalG1 ¶ added in v0.10.0
MarshalG1 returns [P.X || P.Y] in binary. Both P.X and P.Y are in little-endian order.
func (*Curve) MarshalScalar ¶ added in v0.10.0
MarshalScalar returns
func (*Curve) MultiScalarMul ¶ added in v0.9.1
func (c *Curve) MultiScalarMul(P []*G1Affine, scalars []*Scalar, opts ...algopts.AlgebraOption) (*G1Affine, error)
MultiScalarMul computes ∑scalars_i * P_i and returns it. It doesn't modify the inputs. It returns an error if there is a mismatch in the lengths of the inputs.
func (*Curve) Mux ¶ added in v0.10.0
Mux performs a lookup from the inputs and returns inputs[sel]. It is most efficient for power of two lengths of the inputs, but works for any number of inputs.
func (*Curve) ScalarMul ¶ added in v0.9.1
ScalarMul computes scalar*P and returns the result. It doesn't modify the inputs.
func (*Curve) ScalarMulBase ¶ added in v0.9.1
func (c *Curve) ScalarMulBase(s *Scalar, opts ...algopts.AlgebraOption) *G1Affine
ScalarMulBase computes scalar*G where G is the standard base point of the curve. It doesn't modify the scalar.
type G1Affine ¶
G1Affine is a point in affine coordinates.
func NewG1Affine ¶ added in v0.9.1
NewG1Affine allocates a witness from the native G1 element and returns it.
func (*G1Affine) AddAssign ¶
AddAssign adds p1 to p using the affine formulas with division, and returns p.
func (*G1Affine) AddUnified ¶ added in v0.10.0
func (*G1Affine) AssertIsEqual ¶
AssertIsEqual constrains the receiver to be equal to other in the given constraint system.
func (*G1Affine) DoubleAndAdd ¶
DoubleAndAdd computes 2*p1+p in affine coordinates.
func (*G1Affine) Lookup2 ¶ added in v0.10.0
func (p *G1Affine) Lookup2(api frontend.API, b1, b2 frontend.Variable, p1, p2, p3, p4 G1Affine) *G1Affine
Lookup2 performs a 2-bit lookup between p1, p2, p3, p4 based on bits b0 and b1. Returns:
- p1 if b0=0 and b1=0,
- p2 if b0=1 and b1=0,
- p3 if b0=0 and b1=1,
- p4 if b0=1 and b1=1.
func (*G1Affine) ScalarMul ¶
func (P *G1Affine) ScalarMul(api frontend.API, Q G1Affine, s interface{}, opts ...algopts.AlgebraOption) *G1Affine
ScalarMul sets P = [s] Q and returns P.
The method chooses an implementation based on the scalar s. If s is constant, then the compiled circuit depends on s. If s is of variable type, then the circuit is independent of the inputs.
func (*G1Affine) ScalarMulBase ¶
func (P *G1Affine) ScalarMulBase(api frontend.API, s frontend.Variable, opts ...algopts.AlgebraOption) *G1Affine
ScalarMulBase computes s * g1 and returns it, where g1 is the fixed generator. It doesn't modify s.
type G2Affine ¶
type G2Affine struct {
	P     g2AffP
	Lines *lineEvaluations
}
G2Affine is a point in affine coordinates.
func NewG2Affine ¶ added in v0.9.1
func NewG2AffineFixed ¶ added in v0.10.0
NewG2AffineFixed returns the witness of v with precomputations for efficient pairing computation.
func NewG2AffineFixedPlaceholder ¶ added in v0.10.0
func NewG2AffineFixedPlaceholder() G2Affine
NewG2AffineFixedPlaceholder returns a placeholder for circuit compilation when the witness will be given with line precomputations using NewG2AffineFixed.
type GT ¶
type GT = fields_bls12377.E12
GT is the target group of the pairing.
func FinalExponentiation ¶
FinalExponentiation computes the exponentiation e1ᵈ where
d = (p¹²-1)/r = (p¹²-1)/Φ₁₂(p) ⋅ Φ₁₂(p)/r = (p⁶-1)(p²+1)(p⁴ - p² +1)/r
We use instead d = s ⋅ (p⁶-1)(p²+1)(p⁴ - p² +1)/r, where s is the cofactor 3 (Hayashida et al.).
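The exponent decomposition above can be checked with plain big-integer arithmetic. This is an added example, not code from the package or its documentation; the seed value x and the BLS12 polynomial forms p = (x-1)²⋅r/3 + x, r = x⁴ - x² + 1 are assumptions not stated on this page, and the helper names are hypothetical.

```go
package main

import (
	"fmt"
	"math/big"
)

// Assumption: BLS12-377 seed x; p and r follow the standard BLS12 polynomials.
const seedHex = "8508c00000000001"

func bi(v int64) *big.Int              { return big.NewInt(v) }
func pow(a *big.Int, e int64) *big.Int { return new(big.Int).Exp(a, bi(e), nil) }

// Phi12 evaluates the 12th cyclotomic polynomial v^4 - v^2 + 1.
func Phi12(v *big.Int) *big.Int {
	out := new(big.Int).Sub(pow(v, 4), pow(v, 2))
	return out.Add(out, bi(1))
}

// Params returns x, r = Phi12(x) and p = (x-1)^2 * r / 3 + x.
func Params() (x, r, p *big.Int) {
	x, _ = new(big.Int).SetString(seedHex, 16)
	r = Phi12(x)
	p = new(big.Int).Mul(pow(new(big.Int).Sub(x, bi(1)), 2), r)
	p.Div(p, bi(3)).Add(p, x)
	return x, r, p
}

// FactoredOrder returns (p^6-1)(p^2+1)*Phi12(p), which must equal p^12 - 1.
func FactoredOrder(p *big.Int) *big.Int {
	out := new(big.Int).Sub(pow(p, 6), bi(1))
	out.Mul(out, new(big.Int).Add(pow(p, 2), bi(1)))
	return out.Mul(out, Phi12(p))
}

// HardPart returns 3*Phi12(p)/r and whether r divides Phi12(p) exactly.
func HardPart(p, r *big.Int) (*big.Int, bool) {
	q, rem := new(big.Int).QuoRem(Phi12(p), r, new(big.Int))
	return q.Mul(q, bi(3)), rem.Sign() == 0
}

// ShortForm returns (x-1)^2 (x+p)(x^2+p^2-1) + 3, the closed form of 3*Phi12(p)/r.
func ShortForm(x, p *big.Int) *big.Int {
	out := pow(new(big.Int).Sub(x, bi(1)), 2)
	out.Mul(out, new(big.Int).Add(x, p))
	t := new(big.Int).Add(pow(x, 2), pow(p, 2))
	out.Mul(out, t.Sub(t, bi(1)))
	return out.Add(out, bi(3))
}

func main() {
	x, r, p := Params()
	h, exact := HardPart(p, r)
	fmt.Println("p bits:", p.BitLen(), "r bits:", r.BitLen(), "r | Phi12(p):", exact)
	fmt.Println("3*Phi12(p)/r == short form:", h.Cmp(ShortForm(x, p)) == 0)
}
```

Because gcd(3, r) = 1, cubing permutes the order-r subgroup of the target group, so a result of 1 under the exponent with s = 3 holds exactly when it holds under the plain exponent (p¹²-1)/r. Values other than 1 are the cube of the plain-exponent result and should only be compared with outputs computed using the same exponent.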
func MillerLoop ¶
MillerLoop computes the product of n Miller loops (n can be 1): ∏ᵢ { fᵢ_{x₀,Q}(P) }
type Pairing ¶ added in v0.9.1
type Pairing struct {
// contains filtered or unexported fields
}
Pairing allows computing pairing-related operations in BLS12-377.
func NewPairing ¶ added in v0.9.1
NewPairing initializes a Pairing instance.
func (*Pairing) AssertIsEqual ¶ added in v0.9.1
AssertIsEqual asserts the equality of the target group elements.
func (*Pairing) AssertIsOnCurve ¶ added in v0.10.0
AssertIsOnCurve asserts that p belongs to the curve. It doesn't modify p.
func (*Pairing) AssertIsOnG1 ¶ added in v0.10.0
func (*Pairing) AssertIsOnG2 ¶ added in v0.10.0
func (*Pairing) AssertIsOnTwist ¶ added in v0.10.0
AssertIsOnTwist asserts that p belongs to the curve. It doesn't modify p.
func (*Pairing) FinalExponentiation ¶ added in v0.9.1
FinalExponentiation performs the final exponentiation on the target group element. It doesn't modify the input.
func (*Pairing) MillerLoop ¶ added in v0.9.1
MillerLoop computes the Miller loop between the pairs of inputs. It doesn't modify the inputs. It returns an error if there is a mismatch between the lengths of the inputs.
func (*Pairing) PairingCheck ¶ added in v0.9.1
PairingCheck computes the multi-pairing of the input pairs and asserts that the result is an identity element in the target group. It returns an error if there is a mismatch between the lengths of the inputs.
type Scalar ¶ added in v0.9.1
type Scalar = emulated.Element[ScalarField]
Scalar is a scalar in the groups. As the implementation is defined on a 2-chain, this type is an alias to frontend.Variable.
func NewScalar ¶ added in v0.10.0
func NewScalar(v fr_bls12377.Element) Scalar
NewScalar allocates a witness from the native scalar and returns it.
type ScalarField ¶ added in v0.10.0
type ScalarField = emparams.BLS12377Fr
ScalarField defines the emulated.FieldParams implementation on one limb of the scalar field.