bls12381: Add map_to_g2 implementation #35
Conversation
wwared
changed the title
wwared
force-pushed
the
blshashtog2
branch
3 times, most recently
from
736ad52
to
a321a74
Compare
There was a problem hiding this comment.
Thanks a lot @wwared, this looks amazing, notably because of the thorough testing.
| let mut rng = rand::thread_rng(); | ||
| let n = Scalar::random(&mut rng); | ||
| let a = G1Affine::from(G1Projective::generator() * n); |
There was a problem hiding this comment.
This is not meant as criticism, but your testing life would I feel be a lot easier with proptest, specifically with its closure-style invocation:
https://docs.rs/proptest/latest/proptest/macro.proptest.html#closure-style-invocation
I'm in favor of adding instances of Arbitrary for core types wherever useful, and for foreign types, you can look at how Arecibo does it here:
https://github.com/lurk-lab/arecibo/blob/74792f9324e317020a11d265d7379aca7ca99f66/src/r1cs/util.rs
There was a problem hiding this comment.
Yeah, I think you're very right. I haven't gotten around to integrating proptest yet but I think implementing Arbitrary for the EC types would've made my life easier, I'll probably do it before the hash_to_g2 PR is finished
* replace psi with correct version, add psi2 * clear_cofactor and subgroup_check for G2 working * initial G1 subgroup check skeleton
One of the problems seems to be that constant elements (e.g. created with `from_dec`) do not seem to work correctly with some operations. Specifically, the `.neg()` calls for `xi` and `a` were just not doing anything. This needs more investigation.
* Add assert_is_on_curve for both G1 and G2 * Fix G1 phi endomorphism, subgroup_check, add tests * Update Cargo.toml to enable "experimental" feature for exposing hash_to_g2 stuff in bls12_381 * Fix README link * Remove handful of unnecessary constant allocations * Make sgn0 work for constants and add handful more test cases * Remove debug and commented out code chunks * Remove debug panic!s
Also undo the pub(crate) changes
This requires a small change in pairing.rs to prevent overflow Also change the default limb counts to 55/7, which gives a significant reduction in constraints for BN256
The TODOs aren't as relevant because the current choice already uses fewer contraints than the alternative
|
@wwared I have pushed a rebased version of this branch to https://github.com/lurk-lab/bellpepper-gadgets/tree/blshashtog2_rebased, which I believe is just a plain vanilla rebase of this PR. I will stamp this PR the minute it's reset to that branch (or something better, in case I have made a mistake). @wwared please also link with @samuelburnham to make sure you have the ability to merge your own PRs on this repo, you should absolutely not be blocked on somebody merging your (approved) PRs in any circumstance. |
Also fix a few poorly named namespaces
I'm finishing rebasing the branch right now, running the tests to ensure I didn't screw anything up and double checking that I didn't reintroduce anything, will force push once everything is green.
Will do! |
| @@ -19,8 +19,8 @@ num-bigint = { workspace = true, features = ["rand"] } | |||
| num-integer = { workspace = true } | |||
| num-traits = { workspace = true} | |||
| rand = { workspace = true} | |||
| bls12_381 = { git = "https://github.com/wrinqle/bls12_381" } | |||
| bls12_381 = { git = "https://github.com/wrinqle/bls12_381", features = ["experimental"] } | |||
|
@wwared You're good to merge! |
This PR adds a
map_to_g2function following RFC 9380, with implementation heavily based on circom-pairing's bls12_381_hash_to_G2.The following pieces are included:
assert_subgroup_check()for both G1 and G2clear_cofactor()for G2assert_is_on_curve()for both G1 and G2phi()andpsi()/psi2()endomorphisms for G1 and G2 respectivelyscalar_mul_by_seed_square()for G1 subgroup checkopt_simple_swu2()andiso3_map()functionssgn0()function added to bellpepper-emulatedmap_to_g2()function for turning a pair of Fp2 elements into a G2 pointAny constants added were either taken directly from the RFC or from circom-pairing's source code.
This PR requires this additional commit to the bls12_381 fork exposing a few extra private crate members, mainly to support the new tests. The feature
experimentalis necessary to include thehash_to_g2module. This PR also adds short docstrings for most useful g1 and g2 functions and some minor refactors.Additional improvements and cleanup included in the PR:
Fp12Element::square()that resulted in the majority of performance gainsThe current constraint count for one pairing is now 7.1M constraints (down from >20M), and two pairings take 17M constraints. A
map_to_g2()call takes 1.4M constraints. 🎉 (However, the pairing tests remain commented out because they take over 60 seconds to run, and themulti_pairingtest requires too much RAM, so CI fails trying to run them)Future work in upcoming PRs:
hash_to_curvesection of RFC 9380add_or_doubleimplementation based on gnark'sAddUnifiedpairing(),map_to_g2()) will simply fail due to a division by zero, but these edge cases should be properly documented and tested (and fixed if they should not fail)