Documentation
¶
Overview ¶
Package sw_bls12377 implements the arithmetics of G1, G2 and the pairing computation on BLS12-377 as a SNARK circuit over BW6-761. These two curves form a 2-chain so the operations use native field arithmetic.
References: BW6-761: https://eprint.iacr.org/2020/351 Pairings in R1CS: https://eprint.iacr.org/2022/1162
Index ¶
- Variables
- type G1Affine
- func (p *G1Affine) AddAssign(api frontend.API, p1 G1Affine) *G1Affine
- func (p *G1Affine) AssertIsEqual(api frontend.API, other G1Affine)
- func (p *G1Affine) Assign(p1 *bls12377.G1Affine)
- func (p *G1Affine) Double(api frontend.API, p1 G1Affine) *G1Affine
- func (p *G1Affine) DoubleAndAdd(api frontend.API, p1, p2 *G1Affine) *G1Affine
- func (p *G1Affine) FromJac(api frontend.API, p1 G1Jac) *G1Affine
- func (p *G1Affine) Neg(api frontend.API, p1 G1Affine) *G1Affine
- func (P *G1Affine) ScalarMul(api frontend.API, Q G1Affine, s interface{}) *G1Affine
- func (P *G1Affine) ScalarMulBase(api frontend.API, s frontend.Variable) *G1Affine
- func (p *G1Affine) Select(api frontend.API, b frontend.Variable, p1, p2 G1Affine) *G1Affine
- type G1Jac
- type G2Affine
- func (p *G2Affine) AddAssign(api frontend.API, p1 G2Affine) *G2Affine
- func (p *G2Affine) AssertIsEqual(api frontend.API, other G2Affine)
- func (p *G2Affine) Assign(p1 *bls12377.G2Affine)
- func (p *G2Affine) Double(api frontend.API, p1 G2Affine) *G2Affine
- func (p *G2Affine) DoubleAndAdd(api frontend.API, p1, p2 *G2Affine) *G2Affine
- func (p *G2Affine) FromJac(api frontend.API, p1 G2Jac) *G2Affine
- func (p *G2Affine) Neg(api frontend.API, p1 G2Affine) *G2Affine
- func (P *G2Affine) ScalarMul(api frontend.API, Q G2Affine, s interface{}) *G2Affine
- func (P *G2Affine) ScalarMulBase(api frontend.API, s frontend.Variable) *G2Affine
- func (p *G2Affine) Select(api frontend.API, b frontend.Variable, p1, p2 G2Affine) *G2Affine
- type G2Jac
- type GT
- func FinalExponentiation(api frontend.API, e1 GT) GT
- func MillerLoop(api frontend.API, P []G1Affine, Q []G2Affine) (GT, error)
- func MillerLoopFixedQ(api frontend.API, P G1Affine) (GT, error)
- func Pair(api frontend.API, P []G1Affine, Q []G2Affine) (GT, error)
- func PairFixedQ(api frontend.API, P G1Affine) (GT, error)
Constants ¶
This section is empty.
Variables ¶
var DecomposeScalarG1 = func(scalarField *big.Int, inputs []*big.Int, res []*big.Int) error { cc := getInnerCurveConfig(scalarField) sp := ecc.SplitScalar(inputs[0], cc.glvBasis) res[0].Set(&(sp[0])) res[1].Set(&(sp[1])) one := big.NewInt(1) for res[0].Cmp(cc.lambda) < 1 && res[1].Cmp(cc.lambda) < 1 { res[0].Add(res[0], cc.lambda) res[0].Add(res[0], one) res[1].Add(res[1], cc.lambda) } res[2].Mul(res[1], cc.lambda).Add(res[2], res[0]) res[2].Sub(res[2], inputs[0]) res[2].Div(res[2], cc.fr) return nil }
var DecomposeScalarG2 = func(scalarField *big.Int, inputs []*big.Int, res []*big.Int) error { cc := getInnerCurveConfig(scalarField) sp := ecc.SplitScalar(inputs[0], cc.glvBasis) res[0].Set(&(sp[0])) res[1].Set(&(sp[1])) one := big.NewInt(1) for res[0].Cmp(cc.lambda) < 1 && res[1].Cmp(cc.lambda) < 1 { res[0].Add(res[0], cc.lambda) res[0].Add(res[0], one) res[1].Add(res[1], cc.lambda) } res[2].Mul(res[1], cc.lambda).Add(res[2], res[0]) res[2].Sub(res[2], inputs[0]) res[2].Div(res[2], cc.fr) return nil }
Functions ¶
This section is empty.
Types ¶
type G1Affine ¶
G1Affine point in affine coords
func (*G1Affine) AddAssign ¶
AddAssign adds p1 to p using the affine formulas with division, and return p
func (*G1Affine) AssertIsEqual ¶
AssertIsEqual constraint self to be equal to other into the given constraint system
func (*G1Affine) DoubleAndAdd ¶
DoubleAndAdd computes 2*p1+p in affine coords
func (*G1Affine) ScalarMul ¶
ScalarMul sets P = [s] Q and returns P.
The method chooses an implementation based on scalar s. If it is constant, then the compiled circuit depends on s. If it is variable type, then the circuit is independent of the inputs.
func (*G1Affine) ScalarMulBase ¶
ScalarMulBase computes s * g1 and returns it, where g1 is the fixed generator. It doesn't modify s.
type G1Jac ¶
G1Jac point in Jacobian coords
func (*G1Jac) AssertIsEqual ¶
AssertIsEqual constraint self to be equal to other into the given constraint system
func (*G1Jac) DoubleAssign ¶
DoubleAssign doubles the receiver point in jacobian coords and returns it
type G2Affine ¶
type G2Affine struct {
X, Y fields_bls12377.E2
}
G2Affine point in affine coords
func (*G2Affine) AssertIsEqual ¶
AssertIsEqual constraint self to be equal to other into the given constraint system
func (*G2Affine) Double ¶
Double compute 2*p1, assign the result to p and return it Only for curve with j invariant 0 (a=0).
func (*G2Affine) DoubleAndAdd ¶
DoubleAndAdd computes 2*p1+p2 in affine coords
func (*G2Affine) ScalarMul ¶
ScalarMul sets P = [s] Q and returns P.
The method chooses an implementation based on scalar s. If it is constant, then the compiled circuit depends on s. If it is variable type, then the circuit is independent of the inputs.
func (*G2Affine) ScalarMulBase ¶
ScalarMulBase computes s * g2 and returns it, where g2 is the fixed generator. It doesn't modify s.
type G2Jac ¶
type G2Jac struct {
X, Y, Z fields_bls12377.E2
}
G2Jac point in Jacobian coords
func (*G2Jac) AssertIsEqual ¶
AssertIsEqual constraint self to be equal to other into the given constraint system
type GT ¶
type GT = fields_bls12377.E12
GT target group of the pairing
func FinalExponentiation ¶
FinalExponentiation computes the exponentiation e1ᵈ where d = (p¹²-1)/r = (p¹²-1)/Φ₁₂(p) ⋅ Φ₁₂(p)/r = (p⁶-1)(p²+1)(p⁴ - p² +1)/r we use instead d=s ⋅ (p⁶-1)(p²+1)(p⁴ - p² +1)/r where s is the cofactor 3 (Hayashida et al.)
func MillerLoop ¶
MillerLoop computes the product of n miller loops (n can be 1) ∏ᵢ { fᵢ_{x₀,Q}(P) }
func MillerLoopFixedQ ¶
MillerLoopFixed computes the single Miller loop fᵢ_{u,g2}(P), where g2 is fixed.
Source Files