ScalarMul on Bandersnatch (#263)

* perf(std/tEd): first bit in ScalarMul handled separately * perf(std/tEd): rearrange Double --> less constraints * perf(std/EdDSA): rearrange eddsa verify (-1 addtion, -1 MustBeOnCurve) * perf(std/tEd): Lookup2 for first 2 bits in ScalarMulFixedBase * perf(std/tEd): FixedPoint should be hidden by the API * test(tEd): test scalarMul for all curves and schemes * fix(tEd): case when scalar size is odd * fix(tEd): case when scalar size is odd * refactor(eddsa): rearrange eddsa verif as cofactor clearing counts * feat(tEd): implements double-base scalar mul * perf(EdDSA): eddsa gadget using double-base scalar mul * perf(bandersnatch): apply tEd perf changes to Bandersnatch * fix: fixed wrong bigInt op in plonk api * style(eddsa, tEd): no benchmarks * style(eddsa, tEd): no benchmarks * perf(bandersnatch): GLV scalar mul in-circuit * test(twistededwards): randomise test * refactor(bandersnatch): review PR 263 * fix(bandersnatch): curveID in hint not checked * fix(bandersnatch): check curveID for endomorphism availability * style(bandersnatch): correct comment * style(bandersnatch): correct comment about negative scalars * fix(bandersnatch): increase scalars size bound to 129 + comments * fix: hint signature in bandersnatch matches new format * refactor: eddsa factorizing and code cleaning (#285) * build: updated to latest gnark-crypto * build: updated to latest gnark-crypto * refactor: introduce Curve interface in std/ and updated eddsa tests * feat: added std/eddsa publicKey and signature assign helpers * refactor(std): merged twistededwards and bandersnatch. IsOnCurve failing for bandersnatch * fix: closes #283. ensure test.Assert compile cache handles different object of same type * fix: use UnsafeAddr instead of UnsafePointer to be retro compatible * fix: fix previous commit * test: test all twisted ed curve operations * Fixes #283 : ensure test.Assert compile cache handles different objects of same type (#284) * fix: closes #283. ensure test.Assert compile cache handles different object of same type * fix: use UnsafeAddr instead of UnsafePointer to be retro compatible * fix: fix previous commit * fix: apply pr patch * style: make twistededwards/Point methods package private * style: fix gosec errors in std/eddsa * feat: disable GLV mul in bandersnatch until #268 is fixed Co-authored-by: Thomas Piellard <thomas.piellard@consensys.net> Co-authored-by: Gautam Botrel <gautam.botrel@gmail.com>
Consensys · Mar 24, 2022 · aab0884 · aab0884
1 parent 9fbb538
commit aab0884
Show file tree

Hide file tree

Showing 18 changed files with 1,145 additions and 1,921 deletions.
diff --git a/examples/rollup/circuit.go b/examples/rollup/circuit.go
@@ -17,6 +17,7 @@ limitations under the License.
 package rollup
 
 import (
+	tedwards "github.com/consensys/gnark-crypto/ecc/twistededwards"
 	"github.com/consensys/gnark/frontend"
 	"github.com/consensys/gnark/std/accumulator/merkle"
 	"github.com/consensys/gnark/std/algebra/twistededwards"
@@ -87,18 +88,8 @@ type TransferConstraints struct {
 }
 
 func (circuit *Circuit) postInit(api frontend.API) error {
-	// edward curve params
-	params, err := twistededwards.NewEdCurve(api.Compiler().Curve())
-	if err != nil {
-		return err
-	}
 
 	for i := 0; i < batchSize; i++ {
-		// setting sender public key
-		circuit.PublicKeysSender[i].Curve = params
-
-		// setting receiver public key
-		circuit.PublicKeysReceiver[i].Curve = params
 
 		// setting the sender accounts before update
 		circuit.SenderAccountsBefore[i].PubKey = circuit.PublicKeysSender[i]
@@ -163,7 +154,13 @@ func verifyTransferSignature(api frontend.API, t TransferConstraints, hFunc mimc
 	hFunc.Write(t.Nonce, t.Amount, t.SenderPubKey.A.X, t.SenderPubKey.A.Y, t.ReceiverPubKey.A.X, t.ReceiverPubKey.A.Y)
 	htransfer := hFunc.Sum()
 
-	err := eddsa.Verify(api, t.Signature, htransfer, t.SenderPubKey)
+	curve, err := twistededwards.NewEdCurve(api, tedwards.BN254)
+	if err != nil {
+		return err
+	}
+
+	hFunc.Reset()
+	err = eddsa.Verify(curve, t.Signature, htransfer, t.SenderPubKey, &hFunc)
 	if err != nil {
 		return err
 	}

diff --git a/examples/rollup/rollup_test.go b/examples/rollup/rollup_test.go
@@ -154,7 +154,12 @@ func createAccount(i int) (Account, eddsa.PrivateKey) {
 	src := rand.NewSource(int64(i))
 	r := rand.New(src)
 
-	privkey, _ = eddsa.GenerateKey(r)
+	pkey, err := eddsa.GenerateKey(r)
+	if err != nil {
+		panic(err)
+	}
+	privkey = *pkey
+
 	acc.pubKey = privkey.PublicKey
 
 	return acc, privkey

diff --git a/frontend/compile.go b/frontend/compile.go
@@ -81,6 +81,7 @@ func parseCircuit(builder Builder, circuit Circuit) (err error) {
 	// leafs are Constraints that need to be initialized in the context of compiling a circuit
 	var handler schema.LeafHandler = func(visibility schema.Visibility, name string, tInput reflect.Value) error {
 		if tInput.CanSet() {
+			// log.Trace().Str("name", name).Str("visibility", visibility.String()).Msg("init input wire")
 			switch visibility {
 			case schema.Secret:
 				tInput.Set(reflect.ValueOf(builder.AddSecretVariable(name)))

diff --git a/go.mod b/go.mod
@@ -4,8 +4,8 @@ go 1.17
 
 require (
 	github.com/consensys/bavard v0.1.10
-	github.com/consensys/gnark-crypto v0.6.1
-	github.com/fxamacker/cbor/v2 v2.4.0
+	github.com/consensys/gnark-crypto v0.6.2-0.20220317143658-fb0d80a11bf4
+	github.com/fxamacker/cbor/v2 v2.2.0
 	github.com/leanovate/gopter v0.2.9
 	github.com/rs/zerolog v1.26.1
 	github.com/stretchr/testify v1.7.1

diff --git a/go.sum b/go.sum
@@ -1,15 +1,14 @@
-github.com/consensys/bavard v0.1.9/go.mod h1:9ItSMtA/dXMAiL7BG6bqW2m3NdSEObYWoH223nGHukI=
 github.com/consensys/bavard v0.1.10 h1:1I/IvY7bkX/O7QLNCEuV2+YBKdTetzw3gnBbvFaWiEE=
 github.com/consensys/bavard v0.1.10/go.mod h1:9ItSMtA/dXMAiL7BG6bqW2m3NdSEObYWoH223nGHukI=
-github.com/consensys/gnark-crypto v0.6.1 h1:MuWaJyWzSw8wQUOfiZOlRwYjfweIj8dM/u2NN6m0O04=
-github.com/consensys/gnark-crypto v0.6.1/go.mod h1:s41Bl3YIpNgu/zdvlSzf/xZkyV8MUmoBY96RmuB8x70=
+github.com/consensys/gnark-crypto v0.6.2-0.20220317143658-fb0d80a11bf4 h1:ZsuTwNqDe83xtYP8SplQ9iOoXgOoLg9WzP04VfqOjGc=
+github.com/consensys/gnark-crypto v0.6.2-0.20220317143658-fb0d80a11bf4/go.mod h1:BnexKTAHX6j7zpGXR/s6E/R0tyYtbnXlbhIMQkNdcPs=
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/fxamacker/cbor/v2 v2.4.0 h1:ri0ArlOR+5XunOP8CRUowT0pSJOwhW098ZCUyskZD88=
-github.com/fxamacker/cbor/v2 v2.4.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo=
+github.com/fxamacker/cbor/v2 v2.2.0 h1:6eXqdDDe588rSYAi1HfZKbx6YYQO4mxQ9eC6xYpU/JQ=
+github.com/fxamacker/cbor/v2 v2.2.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/google/subcommands v1.2.0/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=

diff --git a/internal/stats/latest.stats b/internal/stats/latest.stats
diff --git a/std/algebra/twistededwards/bandersnatch/curve.go b/std/algebra/twistededwards/bandersnatch/curve.go
diff --git a/std/algebra/twistededwards/bandersnatch/point.go b/std/algebra/twistededwards/bandersnatch/point.go