diff --git a/backend/groth16/bls12-377/marshal_test.go b/backend/groth16/bls12-377/marshal_test.go index 1859b21e08..e2228b1432 100644 --- a/backend/groth16/bls12-377/marshal_test.go +++ b/backend/groth16/bls12-377/marshal_test.go @@ -108,7 +108,7 @@ func TestVerifyingKeySerialization(t *testing.T) { for j := range bases[i] { bases[i][j] = elem elem.Add(&elem, &p1) - vk.CommitmentKeys = append(vk.CommitmentKeys, pedersen.VerifyingKey{G: p2, GSigma: p2}) + vk.CommitmentKeys = append(vk.CommitmentKeys, pedersen.VerifyingKey{G: p2, GSigmaNeg: p2}) } } assert.NoError(t, err) diff --git a/backend/groth16/bls12-381/marshal_test.go b/backend/groth16/bls12-381/marshal_test.go index 83b2008995..3f8e9ab0cb 100644 --- a/backend/groth16/bls12-381/marshal_test.go +++ b/backend/groth16/bls12-381/marshal_test.go @@ -108,7 +108,7 @@ func TestVerifyingKeySerialization(t *testing.T) { for j := range bases[i] { bases[i][j] = elem elem.Add(&elem, &p1) - vk.CommitmentKeys = append(vk.CommitmentKeys, pedersen.VerifyingKey{G: p2, GSigma: p2}) + vk.CommitmentKeys = append(vk.CommitmentKeys, pedersen.VerifyingKey{G: p2, GSigmaNeg: p2}) } } assert.NoError(t, err) diff --git a/backend/groth16/bls24-315/marshal_test.go b/backend/groth16/bls24-315/marshal_test.go index d7e5e2d933..bf667dc189 100644 --- a/backend/groth16/bls24-315/marshal_test.go +++ b/backend/groth16/bls24-315/marshal_test.go @@ -108,7 +108,7 @@ func TestVerifyingKeySerialization(t *testing.T) { for j := range bases[i] { bases[i][j] = elem elem.Add(&elem, &p1) - vk.CommitmentKeys = append(vk.CommitmentKeys, pedersen.VerifyingKey{G: p2, GSigma: p2}) + vk.CommitmentKeys = append(vk.CommitmentKeys, pedersen.VerifyingKey{G: p2, GSigmaNeg: p2}) } } assert.NoError(t, err) diff --git a/backend/groth16/bls24-317/marshal_test.go b/backend/groth16/bls24-317/marshal_test.go index b105bc2181..816c340d3b 100644 --- a/backend/groth16/bls24-317/marshal_test.go +++ b/backend/groth16/bls24-317/marshal_test.go @@ -108,7 +108,7 @@ func TestVerifyingKeySerialization(t *testing.T) { for j := range bases[i] { bases[i][j] = elem elem.Add(&elem, &p1) - vk.CommitmentKeys = append(vk.CommitmentKeys, pedersen.VerifyingKey{G: p2, GSigma: p2}) + vk.CommitmentKeys = append(vk.CommitmentKeys, pedersen.VerifyingKey{G: p2, GSigmaNeg: p2}) } } assert.NoError(t, err) diff --git a/backend/groth16/bn254/marshal_test.go b/backend/groth16/bn254/marshal_test.go index d59c54e85f..567371f1fb 100644 --- a/backend/groth16/bn254/marshal_test.go +++ b/backend/groth16/bn254/marshal_test.go @@ -108,7 +108,7 @@ func TestVerifyingKeySerialization(t *testing.T) { for j := range bases[i] { bases[i][j] = elem elem.Add(&elem, &p1) - vk.CommitmentKeys = append(vk.CommitmentKeys, pedersen.VerifyingKey{G: p2, GSigma: p2}) + vk.CommitmentKeys = append(vk.CommitmentKeys, pedersen.VerifyingKey{G: p2, GSigmaNeg: p2}) } } assert.NoError(t, err) diff --git a/backend/groth16/bn254/solidity.go b/backend/groth16/bn254/solidity.go index 47793bdf7e..95dfb9a696 100644 --- a/backend/groth16/bn254/solidity.go +++ b/backend/groth16/bn254/solidity.go @@ -104,11 +104,11 @@ contract Verifier { uint256 constant PEDERSEN_G_Y_0 = {{ (fpstr $cmtVk0.G.Y.A0) }}; uint256 constant PEDERSEN_G_Y_1 = {{ (fpstr $cmtVk0.G.Y.A1) }}; - // Pedersen GSigma point in G2 in powers of i - uint256 constant PEDERSEN_GSIGMA_X_0 = {{ (fpstr $cmtVk0.GSigma.X.A0) }}; - uint256 constant PEDERSEN_GSIGMA_X_1 = {{ (fpstr $cmtVk0.GSigma.X.A1) }}; - uint256 constant PEDERSEN_GSIGMA_Y_0 = {{ (fpstr $cmtVk0.GSigma.Y.A0) }}; - uint256 constant PEDERSEN_GSIGMA_Y_1 = {{ (fpstr $cmtVk0.GSigma.Y.A1) }}; + // Pedersen GSigmaNeg point in G2 in powers of i + uint256 constant PEDERSEN_GSIGMANEG_X_0 = {{ (fpstr $cmtVk0.GSigmaNeg.X.A0) }}; + uint256 constant PEDERSEN_GSIGMANEG_X_1 = {{ (fpstr $cmtVk0.GSigmaNeg.X.A1) }}; + uint256 constant PEDERSEN_GSIGMANEG_Y_0 = {{ (fpstr $cmtVk0.GSigmaNeg.Y.A0) }}; + uint256 constant PEDERSEN_GSIGMANEG_Y_1 = {{ (fpstr $cmtVk0.GSigmaNeg.Y.A1) }}; {{- end }} // Constant and public input points @@ -579,10 +579,10 @@ contract Verifier { // Commitments pairings[ 0] = commitments[0]; pairings[ 1] = commitments[1]; - pairings[ 2] = PEDERSEN_GSIGMA_X_1; - pairings[ 3] = PEDERSEN_GSIGMA_X_0; - pairings[ 4] = PEDERSEN_GSIGMA_Y_1; - pairings[ 5] = PEDERSEN_GSIGMA_Y_0; + pairings[ 2] = PEDERSEN_GSIGMANEG_X_1; + pairings[ 3] = PEDERSEN_GSIGMANEG_X_0; + pairings[ 4] = PEDERSEN_GSIGMANEG_Y_1; + pairings[ 5] = PEDERSEN_GSIGMANEG_Y_0; pairings[ 6] = Px; pairings[ 7] = Py; pairings[ 8] = PEDERSEN_G_X_1; @@ -730,10 +730,10 @@ contract Verifier { let f := mload(0x40) calldatacopy(f, commitments, 0x40) // Copy Commitments - mstore(add(f, 0x40), PEDERSEN_GSIGMA_X_1) - mstore(add(f, 0x60), PEDERSEN_GSIGMA_X_0) - mstore(add(f, 0x80), PEDERSEN_GSIGMA_Y_1) - mstore(add(f, 0xa0), PEDERSEN_GSIGMA_Y_0) + mstore(add(f, 0x40), PEDERSEN_GSIGMANEG_X_1) + mstore(add(f, 0x60), PEDERSEN_GSIGMANEG_X_0) + mstore(add(f, 0x80), PEDERSEN_GSIGMANEG_Y_1) + mstore(add(f, 0xa0), PEDERSEN_GSIGMANEG_Y_0) calldatacopy(add(f, 0xc0), commitmentPok, 0x40) mstore(add(f, 0x100), PEDERSEN_G_X_1) mstore(add(f, 0x120), PEDERSEN_G_X_0) diff --git a/backend/groth16/bw6-633/marshal_test.go b/backend/groth16/bw6-633/marshal_test.go index 53fa6e8573..d3e7e1262d 100644 --- a/backend/groth16/bw6-633/marshal_test.go +++ b/backend/groth16/bw6-633/marshal_test.go @@ -108,7 +108,7 @@ func TestVerifyingKeySerialization(t *testing.T) { for j := range bases[i] { bases[i][j] = elem elem.Add(&elem, &p1) - vk.CommitmentKeys = append(vk.CommitmentKeys, pedersen.VerifyingKey{G: p2, GSigma: p2}) + vk.CommitmentKeys = append(vk.CommitmentKeys, pedersen.VerifyingKey{G: p2, GSigmaNeg: p2}) } } assert.NoError(t, err) diff --git a/backend/groth16/bw6-761/marshal_test.go b/backend/groth16/bw6-761/marshal_test.go index ab8fbc8667..7538b33fd0 100644 --- a/backend/groth16/bw6-761/marshal_test.go +++ b/backend/groth16/bw6-761/marshal_test.go @@ -108,7 +108,7 @@ func TestVerifyingKeySerialization(t *testing.T) { for j := range bases[i] { bases[i][j] = elem elem.Add(&elem, &p1) - vk.CommitmentKeys = append(vk.CommitmentKeys, pedersen.VerifyingKey{G: p2, GSigma: p2}) + vk.CommitmentKeys = append(vk.CommitmentKeys, pedersen.VerifyingKey{G: p2, GSigmaNeg: p2}) } } assert.NoError(t, err) diff --git a/go.mod b/go.mod index eb53a39b14..062037f1de 100644 --- a/go.mod +++ b/go.mod @@ -7,9 +7,9 @@ toolchain go1.22.6 require ( github.com/bits-and-blooms/bitset v1.14.2 github.com/blang/semver/v4 v4.0.0 - github.com/consensys/bavard v0.1.13 + github.com/consensys/bavard v0.1.15 github.com/consensys/compress v0.2.5 - github.com/consensys/gnark-crypto v0.14.1-0.20240909142611-e6b99e74cec1 + github.com/consensys/gnark-crypto v0.14.1-0.20241002214024-485db50997ef github.com/fxamacker/cbor/v2 v2.7.0 github.com/google/go-cmp v0.6.0 github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 diff --git a/go.sum b/go.sum index ce9397ffbf..a705f27256 100644 --- a/go.sum +++ b/go.sum @@ -57,12 +57,12 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= -github.com/consensys/bavard v0.1.13 h1:oLhMLOFGTLdlda/kma4VOJazblc7IM5y5QPd2A/YjhQ= -github.com/consensys/bavard v0.1.13/go.mod h1:9ItSMtA/dXMAiL7BG6bqW2m3NdSEObYWoH223nGHukI= +github.com/consensys/bavard v0.1.15 h1:fxv2mg1afRMJvZgpwEgLmyr2MsQwaAYcyKf31UBHzw4= +github.com/consensys/bavard v0.1.15/go.mod h1:9ItSMtA/dXMAiL7BG6bqW2m3NdSEObYWoH223nGHukI= github.com/consensys/compress v0.2.5 h1:gJr1hKzbOD36JFsF1AN8lfXz1yevnJi1YolffY19Ntk= github.com/consensys/compress v0.2.5/go.mod h1:pyM+ZXiNUh7/0+AUjUf9RKUM6vSH7T/fsn5LLS0j1Tk= -github.com/consensys/gnark-crypto v0.14.1-0.20240909142611-e6b99e74cec1 h1:xsKDyn8I+lnrLFsJL6bbDavs7xTrmKeQE/xe/htVt3I= -github.com/consensys/gnark-crypto v0.14.1-0.20240909142611-e6b99e74cec1/go.mod h1:CU4UijNPsHawiVGNxe9co07FkzCeWHHrb1li/n1XoU0= +github.com/consensys/gnark-crypto v0.14.1-0.20241002214024-485db50997ef h1:ZK7HNEFMkTslyLKLbWpDATuZYUWbOcjm8yl50rL9XdQ= +github.com/consensys/gnark-crypto v0.14.1-0.20241002214024-485db50997ef/go.mod h1:AL8vs/7MyZ0P93tcNDkUWVwf2rWLUGFUP/1iqiF7h4E= github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= diff --git a/internal/generator/backend/template/zkpschemes/groth16/tests/groth16.marshal.go.tmpl b/internal/generator/backend/template/zkpschemes/groth16/tests/groth16.marshal.go.tmpl index 6997043589..76046dc5eb 100644 --- a/internal/generator/backend/template/zkpschemes/groth16/tests/groth16.marshal.go.tmpl +++ b/internal/generator/backend/template/zkpschemes/groth16/tests/groth16.marshal.go.tmpl @@ -92,7 +92,7 @@ func TestVerifyingKeySerialization(t *testing.T) { for j := range bases[i] { bases[i][j] = elem elem.Add(&elem, &p1) - vk.CommitmentKeys = append(vk.CommitmentKeys, pedersen.VerifyingKey{G: p2, GSigma: p2}) + vk.CommitmentKeys = append(vk.CommitmentKeys, pedersen.VerifyingKey{G: p2, GSigmaNeg: p2}) } } assert.NoError(t, err) diff --git a/internal/tinyfield/element_test.go b/internal/tinyfield/element_test.go index 93664bddb2..ca73355dc9 100644 --- a/internal/tinyfield/element_test.go +++ b/internal/tinyfield/element_test.go @@ -652,6 +652,77 @@ func TestElementLexicographicallyLargest(t *testing.T) { } +func TestElementVecOps(t *testing.T) { + assert := require.New(t) + + const N = 7 + a := make(Vector, N) + b := make(Vector, N) + c := make(Vector, N) + for i := 0; i < N; i++ { + a[i].SetRandom() + b[i].SetRandom() + } + + // Vector addition + c.Add(a, b) + for i := 0; i < N; i++ { + var expected Element + expected.Add(&a[i], &b[i]) + assert.True(c[i].Equal(&expected), "Vector addition failed") + } + + // Vector subtraction + c.Sub(a, b) + for i := 0; i < N; i++ { + var expected Element + expected.Sub(&a[i], &b[i]) + assert.True(c[i].Equal(&expected), "Vector subtraction failed") + } + + // Vector scaling + c.ScalarMul(a, &b[0]) + for i := 0; i < N; i++ { + var expected Element + expected.Mul(&a[i], &b[0]) + assert.True(c[i].Equal(&expected), "Vector scaling failed") + } +} + +func BenchmarkElementVecOps(b *testing.B) { + // note; to benchmark against "no asm" version, use the following + // build tag: -tags purego + const N = 1024 + a1 := make(Vector, N) + b1 := make(Vector, N) + c1 := make(Vector, N) + for i := 0; i < N; i++ { + a1[i].SetRandom() + b1[i].SetRandom() + } + + b.Run("Add", func(b *testing.B) { + b.ResetTimer() + for i := 0; i < b.N; i++ { + c1.Add(a1, b1) + } + }) + + b.Run("Sub", func(b *testing.B) { + b.ResetTimer() + for i := 0; i < b.N; i++ { + c1.Sub(a1, b1) + } + }) + + b.Run("ScalarMul", func(b *testing.B) { + b.ResetTimer() + for i := 0; i < b.N; i++ { + c1.ScalarMul(a1, &b1[0]) + } + }) +} + func TestElementAdd(t *testing.T) { t.Parallel() parameters := gopter.DefaultTestParameters() diff --git a/internal/tinyfield/vector.go b/internal/tinyfield/vector.go index 9ef47d3cda..69da421988 100644 --- a/internal/tinyfield/vector.go +++ b/internal/tinyfield/vector.go @@ -196,6 +196,51 @@ func (vector Vector) Swap(i, j int) { vector[i], vector[j] = vector[j], vector[i] } +// Add adds two vectors element-wise and stores the result in self. +// It panics if the vectors don't have the same length. +func (vector *Vector) Add(a, b Vector) { + addVecGeneric(*vector, a, b) +} + +// Sub subtracts two vectors element-wise and stores the result in self. +// It panics if the vectors don't have the same length. +func (vector *Vector) Sub(a, b Vector) { + subVecGeneric(*vector, a, b) +} + +// ScalarMul multiplies a vector by a scalar element-wise and stores the result in self. +// It panics if the vectors don't have the same length. +func (vector *Vector) ScalarMul(a Vector, b *Element) { + scalarMulVecGeneric(*vector, a, b) +} + +func addVecGeneric(res, a, b Vector) { + if len(a) != len(b) || len(a) != len(res) { + panic("vector.Add: vectors don't have the same length") + } + for i := 0; i < len(a); i++ { + res[i].Add(&a[i], &b[i]) + } +} + +func subVecGeneric(res, a, b Vector) { + if len(a) != len(b) || len(a) != len(res) { + panic("vector.Sub: vectors don't have the same length") + } + for i := 0; i < len(a); i++ { + res[i].Sub(&a[i], &b[i]) + } +} + +func scalarMulVecGeneric(res, a Vector, b *Element) { + if len(a) != len(res) { + panic("vector.ScalarMul: vectors don't have the same length") + } + for i := 0; i < len(a); i++ { + res[i].Mul(&a[i], b) + } +} + // TODO @gbotrel make a public package out of that. // execute executes the work function in parallel. // this is copy paste from internal/parallel/parallel.go diff --git a/std/commitments/pedersen/assignment.go b/std/commitments/pedersen/assignment.go index 8822c58187..1c36d595a2 100644 --- a/std/commitments/pedersen/assignment.go +++ b/std/commitments/pedersen/assignment.go @@ -34,35 +34,35 @@ func ValueOfVerifyingKey[G2El algebra.G2ElementT](vk any) (VerifyingKey[G2El], e return ret, fmt.Errorf("expected *ped_bls12377.VerifyingKey, got %T", vk) } s.G = sw_bls12377.NewG2Affine(tVk.G) - s.GSigma = sw_bls12377.NewG2Affine(tVk.GSigma) + s.GSigmaNeg = sw_bls12377.NewG2Affine(tVk.GSigmaNeg) case *VerifyingKey[sw_bls12381.G2Affine]: tVk, ok := vk.(*ped_bls12381.VerifyingKey) if !ok { return ret, fmt.Errorf("expected *ped_bls12381.VerifyingKey, got %T", vk) } s.G = sw_bls12381.NewG2Affine(tVk.G) - s.GSigma = sw_bls12381.NewG2Affine(tVk.GSigma) + s.GSigmaNeg = sw_bls12381.NewG2Affine(tVk.GSigmaNeg) case *VerifyingKey[sw_bls24315.G2Affine]: tVk, ok := vk.(*ped_bls24315.VerifyingKey) if !ok { return ret, fmt.Errorf("expected *ped_bls24315.VerifyingKey, got %T", vk) } s.G = sw_bls24315.NewG2Affine(tVk.G) - s.GSigma = sw_bls24315.NewG2Affine(tVk.GSigma) + s.GSigmaNeg = sw_bls24315.NewG2Affine(tVk.GSigmaNeg) case *VerifyingKey[sw_bw6761.G2Affine]: tVk, ok := vk.(*ped_bw6761.VerifyingKey) if !ok { return ret, fmt.Errorf("expected *ped_bw6761.VerifyingKey, got %T", vk) } s.G = sw_bw6761.NewG2Affine(tVk.G) - s.GSigma = sw_bw6761.NewG2Affine(tVk.GSigma) + s.GSigmaNeg = sw_bw6761.NewG2Affine(tVk.GSigmaNeg) case *VerifyingKey[sw_bn254.G2Affine]: tVk, ok := vk.(*ped_bn254.VerifyingKey) if !ok { return ret, fmt.Errorf("expected *ped_bn254.VerifyingKey, got %T", vk) } s.G = sw_bn254.NewG2Affine(tVk.G) - s.GSigma = sw_bn254.NewG2Affine(tVk.GSigma) + s.GSigmaNeg = sw_bn254.NewG2Affine(tVk.GSigmaNeg) default: panic(fmt.Sprintf("unknown parametric type: %T", s)) } @@ -82,35 +82,35 @@ func ValueOfVerifyingKeyFixed[G2El algebra.G2ElementT](vk any) (VerifyingKey[G2E return ret, fmt.Errorf("expected *ped_bls12377.VerifyingKey, got %T", vk) } s.G = sw_bls12377.NewG2AffineFixed(tVk.G) - s.GSigma = sw_bls12377.NewG2AffineFixed(tVk.GSigma) + s.GSigmaNeg = sw_bls12377.NewG2AffineFixed(tVk.GSigmaNeg) case *VerifyingKey[sw_bls12381.G2Affine]: tVk, ok := vk.(*ped_bls12381.VerifyingKey) if !ok { return ret, fmt.Errorf("expected *ped_bls12381.VerifyingKey, got %T", vk) } s.G = sw_bls12381.NewG2AffineFixed(tVk.G) - s.GSigma = sw_bls12381.NewG2AffineFixed(tVk.GSigma) + s.GSigmaNeg = sw_bls12381.NewG2AffineFixed(tVk.GSigmaNeg) case *VerifyingKey[sw_bls24315.G2Affine]: tVk, ok := vk.(*ped_bls24315.VerifyingKey) if !ok { return ret, fmt.Errorf("expected *ped_bls24315.VerifyingKey, got %T", vk) } s.G = sw_bls24315.NewG2AffineFixed(tVk.G) - s.GSigma = sw_bls24315.NewG2AffineFixed(tVk.GSigma) + s.GSigmaNeg = sw_bls24315.NewG2AffineFixed(tVk.GSigmaNeg) case *VerifyingKey[sw_bw6761.G2Affine]: tVk, ok := vk.(*ped_bw6761.VerifyingKey) if !ok { return ret, fmt.Errorf("expected *ped_bw6761.VerifyingKey, got %T", vk) } s.G = sw_bw6761.NewG2AffineFixed(tVk.G) - s.GSigma = sw_bw6761.NewG2AffineFixed(tVk.GSigma) + s.GSigmaNeg = sw_bw6761.NewG2AffineFixed(tVk.GSigmaNeg) case *VerifyingKey[sw_bn254.G2Affine]: tVk, ok := vk.(*ped_bn254.VerifyingKey) if !ok { return ret, fmt.Errorf("expected *ped_bn254.VerifyingKey, got %T", vk) } s.G = sw_bn254.NewG2AffineFixed(tVk.G) - s.GSigma = sw_bn254.NewG2AffineFixed(tVk.GSigma) + s.GSigmaNeg = sw_bn254.NewG2AffineFixed(tVk.GSigmaNeg) default: return ret, fmt.Errorf("unknown parametric type: %T", s) } diff --git a/std/commitments/pedersen/verifier.go b/std/commitments/pedersen/verifier.go index b1a9afed05..77cd596be6 100644 --- a/std/commitments/pedersen/verifier.go +++ b/std/commitments/pedersen/verifier.go @@ -21,8 +21,8 @@ type KnowledgeProof[G1El algebra.G1ElementT] struct { // VerifyingKey is a verifying key for Pedersen vector commitments. type VerifyingKey[G2El algebra.G2ElementT] struct { - G G2El - GSigma G2El // (-1/σ)[G] for toxic σ + G G2El + GSigmaNeg G2El // (-1/σ)[G] for toxic σ } // Verifier verifies the knowledge proofs for a Pedersen commitments @@ -63,7 +63,7 @@ func (v *Verifier[FR, G1El, G2El, GtEl]) AssertCommitment(commitment Commitment[ v.pairing.AssertIsOnG1(&knowledgeProof.G1El) } - if err = v.pairing.PairingCheck([]*G1El{&commitment.G1El, &knowledgeProof.G1El}, []*G2El{&vk.GSigma, &vk.G}); err != nil { + if err = v.pairing.PairingCheck([]*G1El{&commitment.G1El, &knowledgeProof.G1El}, []*G2El{&vk.GSigmaNeg, &vk.G}); err != nil { return fmt.Errorf("pairing check failed: %w", err) } return nil