Rework ConstraintSystem API to improve ergonomics

algebra-core/src/biginteger/macros.rs

@@ -169,7 +169,7 @@ macro_rules! bigint_impl {
             #[inline]
             fn to_bits(&self) -> Vec<bool> {
                 let mut res = Vec::with_capacity(256);
-                for b in BitIterator::new(self.0) {
+                for b in BitIteratorBE::new(self.0) {
                     res.push(b);
                 }
                 res

algebra-core/src/biginteger/mod.rs

@@ -1,6 +1,6 @@
 use crate::{
     bytes::{FromBytes, ToBytes},
-    fields::BitIterator,
+    fields::BitIteratorBE,
     io::{Read, Result as IoResult, Write},
     CanonicalDeserialize, CanonicalSerialize, ConstantSerializedSize, SerializationError,
     UniformRand, Vec,

algebra-core/src/bytes.rs

@@ -152,12 +152,12 @@ macro_rules! to_bytes {
 macro_rules! push_to_vec {
     ($buf:expr, $y:expr, $($x:expr),*) => ({
         {
-            ToBytes::write(&$y, &mut $buf)
+            $crate::ToBytes::write(&$y, &mut $buf)
         }.and({$crate::push_to_vec!($buf, $($x),*)})
     });
 
     ($buf:expr, $x:expr) => ({
-        ToBytes::write(&$x, &mut $buf)
+        $crate::ToBytes::write(&$x, &mut $buf)
     })
 }
 
@@ -311,7 +311,6 @@ impl<T: FromBytes> FromBytes for Option<T> {
 
 #[cfg(test)]
 mod test {
-    use super::ToBytes;
     use crate::Vec;
     #[test]
     fn test_macro_empty() {

algebra-core/src/curves/mod.rs

@@ -180,17 +180,9 @@ pub trait ProjectiveCurve:
     /// Performs scalar multiplication of this element.
     fn mul<S: Into<<Self::ScalarField as PrimeField>::BigInt>>(mut self, other: S) -> Self {
         let mut res = Self::zero();
-
-        let mut found_one = false;
-
-        for i in crate::fields::BitIterator::new(other.into()) {
-            if found_one {
-                res.double_in_place();
-            } else {
-                found_one = i;
-            }
-
-            if i {
+        for b in crate::fields::BitIteratorBE::without_leading_zeros(other.into()) {
+            res.double_in_place();
+            if b {
                 res += self;
             }
         }

algebra-core/src/curves/models/bls12/g2.rs

@@ -6,7 +6,7 @@ use crate::{
         short_weierstrass_jacobian::{GroupAffine, GroupProjective},
         AffineCurve,
     },
-    fields::{BitIterator, Field, Fp2},
+    fields::{BitIteratorBE, Field, Fp2},
     io::{Result as IoResult, Write},
     Vec,
 };
@@ -75,7 +75,7 @@ impl<P: Bls12Parameters> From<G2Affine<P>> for G2Prepared<P> {
             z: Fp2::one(),
         };
 
-        for i in BitIterator::new(P::X).skip(1) {
+        for i in BitIteratorBE::new(P::X).skip(1) {
             ell_coeffs.push(doubling_step::<P>(&mut r, &two_inv));
 
             if i {

algebra-core/src/curves/models/bls12/mod.rs

@@ -7,7 +7,7 @@ use crate::{
         fp12_2over3over2::{Fp12, Fp12Parameters},
         fp2::Fp2Parameters,
         fp6_3over2::Fp6Parameters,
-        BitIterator, Field, Fp2, PrimeField, SquareRootField,
+        BitIteratorBE, Field, Fp2, PrimeField, SquareRootField,
     },
 };
 use num_traits::One;
@@ -105,7 +105,7 @@ impl<P: Bls12Parameters> PairingEngine for Bls12<P> {
 
         let mut f = Self::Fqk::one();
 
-        for i in BitIterator::new(P::X).skip(1) {
+        for i in BitIteratorBE::new(P::X).skip(1) {
             f.square_in_place();
 
             for (p, ref mut coeffs) in &mut pairs {

algebra-core/src/curves/models/bw6/g2.rs

@@ -6,7 +6,7 @@ use crate::{
         short_weierstrass_jacobian::{GroupAffine, GroupProjective},
         AffineCurve,
     },
-    fields::{BitIterator, Field},
+    fields::{BitIteratorBE, Field},
     io::{Result as IoResult, Write},
     Vec,
 };
@@ -83,7 +83,7 @@ impl<P: BW6Parameters> From<G2Affine<P>> for G2Prepared<P> {
             z: P::Fp::one(),
         };
 
-        for i in BitIterator::new(P::ATE_LOOP_COUNT_1).skip(1) {
+        for i in BitIteratorBE::new(P::ATE_LOOP_COUNT_1).skip(1) {
             ell_coeffs_1.push(doubling_step::<P>(&mut r));
 
             if i {

algebra-core/src/curves/models/bw6/mod.rs

@@ -6,7 +6,7 @@ use crate::{
     fields::{
         fp3::Fp3Parameters,
         fp6_2over3::{Fp6, Fp6Parameters},
-        BitIterator, Field, PrimeField, SquareRootField,
+        BitIteratorBE, Field, PrimeField, SquareRootField,
     },
 };
 use num_traits::One;
@@ -238,7 +238,7 @@ impl<P: BW6Parameters> PairingEngine for BW6<P> {
         // f_{u+1,Q}(P)
         let mut f_1 = Self::Fqk::one();
 
-        for i in BitIterator::new(P::ATE_LOOP_COUNT_1).skip(1) {
+        for i in BitIteratorBE::new(P::ATE_LOOP_COUNT_1).skip(1) {
             f_1.square_in_place();
 
             for (p, ref mut coeffs) in &mut pairs_1 {

algebra-core/src/curves/models/mnt4/g1.rs

@@ -14,6 +14,7 @@ pub type G1Projective<P> = GroupProjective<<P as MNT4Parameters>::G1Parameters>;
 
 #[derive(Derivative)]
 #[derivative(
+    Copy(bound = "P: MNT4Parameters"),
     Clone(bound = "P: MNT4Parameters"),
     Debug(bound = "P: MNT4Parameters"),
     PartialEq(bound = "P: MNT4Parameters"),

algebra-core/src/curves/models/mnt4/mod.rs

@@ -6,7 +6,7 @@ use crate::{
     fields::{
         fp2::{Fp2, Fp2Parameters},
         fp4::{Fp4, Fp4Parameters},
-        BitIterator, Field, PrimeField, SquareRootField,
+        BitIteratorBE, Field, PrimeField, SquareRootField,
     },
     One, Zero,
 };
@@ -33,9 +33,10 @@ pub trait MNT4Parameters: 'static {
     const FINAL_EXPONENT_LAST_CHUNK_W0_IS_NEG: bool;
     const FINAL_EXPONENT_LAST_CHUNK_ABS_OF_W0: <Self::Fp as PrimeField>::BigInt;
     type Fp: PrimeField + SquareRootField + Into<<Self::Fp as PrimeField>::BigInt>;
+    type Fr: PrimeField + SquareRootField + Into<<Self::Fr as PrimeField>::BigInt>;
     type Fp2Params: Fp2Parameters<Fp = Self::Fp>;
     type Fp4Params: Fp4Parameters<Fp2Params = Self::Fp2Params>;
-    type G1Parameters: SWModelParameters<BaseField = Self::Fp>;
+    type G1Parameters: SWModelParameters<BaseField = Self::Fp, ScalarField = Self::Fr>;
     type G2Parameters: SWModelParameters<
         BaseField = Fp2<Self::Fp2Params>,
         ScalarField = <Self::G1Parameters as ModelParameters>::ScalarField,
@@ -110,18 +111,9 @@ impl<P: MNT4Parameters> MNT4<P> {
         let mut dbl_idx: usize = 0;
         let mut add_idx: usize = 0;
 
-        let mut found_one = false;
-
-        for bit in BitIterator::new(P::ATE_LOOP_COUNT) {
-            // code below gets executed for all bits (EXCEPT the MSB itself) of
-            // mnt6_param_p (skipping leading zeros) in MSB to LSB order
-            if !found_one && bit {
-                found_one = true;
-                continue;
-            } else if !found_one {
-                continue;
-            }
-
+        // code below gets executed for all bits (EXCEPT the MSB itself) of
+        // mnt6_param_p (skipping leading zeros) in MSB to LSB order
+        for bit in BitIteratorBE::without_leading_zeros(P::ATE_LOOP_COUNT).skip(1) {
             let dc = &q.double_coefficients[dbl_idx];
             dbl_idx += 1;
 
@@ -188,12 +180,11 @@ impl<P: MNT4Parameters> MNT4<P> {
         elt_q.frobenius_map(1);
 
         let w1_part = elt_q.cyclotomic_exp(&P::FINAL_EXPONENT_LAST_CHUNK_1);
-        let w0_part;
-        if P::FINAL_EXPONENT_LAST_CHUNK_W0_IS_NEG {
-            w0_part = elt_inv_clone.cyclotomic_exp(&P::FINAL_EXPONENT_LAST_CHUNK_ABS_OF_W0);
+        let w0_part = if P::FINAL_EXPONENT_LAST_CHUNK_W0_IS_NEG {
+            elt_inv_clone.cyclotomic_exp(&P::FINAL_EXPONENT_LAST_CHUNK_ABS_OF_W0)
         } else {
-            w0_part = elt_clone.cyclotomic_exp(&P::FINAL_EXPONENT_LAST_CHUNK_ABS_OF_W0);
-        }
+            elt_clone.cyclotomic_exp(&P::FINAL_EXPONENT_LAST_CHUNK_ABS_OF_W0)
+        };
 
         w1_part * &w0_part
     }

algebra-core/src/curves/models/mnt6/g1.rs

@@ -14,6 +14,7 @@ pub type G1Projective<P> = GroupProjective<<P as MNT6Parameters>::G1Parameters>;
 
 #[derive(Derivative)]
 #[derivative(
+    Copy(bound = "P: MNT6Parameters"),
     Clone(bound = "P: MNT6Parameters"),
     Debug(bound = "P: MNT6Parameters"),
     PartialEq(bound = "P: MNT6Parameters"),

algebra-core/src/curves/models/mnt6/mod.rs

@@ -6,7 +6,7 @@ use crate::{
     fields::{
         fp3::{Fp3, Fp3Parameters},
         fp6_2over3::{Fp6, Fp6Parameters},
-        BitIterator, Field, PrimeField, SquareRootField,
+        BitIteratorBE, Field, PrimeField, SquareRootField,
     },
     One, Zero,
 };
@@ -33,9 +33,10 @@ pub trait MNT6Parameters: 'static {
     const FINAL_EXPONENT_LAST_CHUNK_W0_IS_NEG: bool;
     const FINAL_EXPONENT_LAST_CHUNK_ABS_OF_W0: <Self::Fp as PrimeField>::BigInt;
     type Fp: PrimeField + SquareRootField + Into<<Self::Fp as PrimeField>::BigInt>;
+    type Fr: PrimeField + SquareRootField + Into<<Self::Fr as PrimeField>::BigInt>;
     type Fp3Params: Fp3Parameters<Fp = Self::Fp>;
     type Fp6Params: Fp6Parameters<Fp3Params = Self::Fp3Params>;
-    type G1Parameters: SWModelParameters<BaseField = Self::Fp>;
+    type G1Parameters: SWModelParameters<BaseField = Self::Fp, ScalarField = Self::Fr>;
     type G2Parameters: SWModelParameters<
         BaseField = Fp3<Self::Fp3Params>,
         ScalarField = <Self::G1Parameters as ModelParameters>::ScalarField,
@@ -60,8 +61,9 @@ impl<P: MNT6Parameters> MNT6<P> {
 
         let d_eight = d.double().double().double();
 
-        let x = -(e + &e + &e + &e) + &g;
-        let y = -d_eight + &(f * &(e + &e - &x));
+        let e2 = e.double();
+        let x = g - &e2.double();
+        let y = -d_eight + &(f * &(e2 - &x));
         let z = (r.y + &r.z).square() - &c - &r.z.square();
         let t = z.square();
 
@@ -89,10 +91,11 @@ impl<P: MNT6Parameters> MNT6<P> {
         let e = i + &i + &i + &i;
         let j = h * &e;
         let v = r.x * &e;
-        let l1 = d - &(r.y + &r.y);
+        let ry2 = r.y.double();
+        let l1 = d - &ry2;
 
         let x = l1.square() - &j - &(v + &v);
-        let y = l1 * &(v - &x) - &(j * &(r.y + &r.y));
+        let y = l1 * &(v - &x) - &(j * &ry2);
         let z = (r.z + &h).square() - &r.t - &i;
         let t = z.square();
 
@@ -110,23 +113,14 @@ impl<P: MNT6Parameters> MNT6<P> {
         let mut dbl_idx: usize = 0;
         let mut add_idx: usize = 0;
 
-        let mut found_one = false;
-
-        for bit in BitIterator::new(P::ATE_LOOP_COUNT) {
-            // code below gets executed for all bits (EXCEPT the MSB itself) of
-            // mnt6_param_p (skipping leading zeros) in MSB to LSB order
-            if !found_one && bit {
-                found_one = true;
-                continue;
-            } else if !found_one {
-                continue;
-            }
-
+        // code below gets executed for all bits (EXCEPT the MSB itself) of
+        // mnt6_param_p (skipping leading zeros) in MSB to LSB order
+        for bit in BitIteratorBE::without_leading_zeros(P::ATE_LOOP_COUNT).skip(1) {
             let dc = &q.double_coefficients[dbl_idx];
             dbl_idx += 1;
 
             let g_rr_at_p = Fp6::new(
-                -dc.c_4c - &(dc.c_j * &p.x_twist) + &dc.c_l,
+                dc.c_l - &dc.c_4c - &(dc.c_j * &p.x_twist),
                 dc.c_h * &p.y_twist,
             );
 
@@ -193,12 +187,11 @@ impl<P: MNT6Parameters> MNT6<P> {
         elt_q.frobenius_map(1);
 
         let w1_part = elt_q.cyclotomic_exp(&P::FINAL_EXPONENT_LAST_CHUNK_1);
-        let w0_part;
-        if P::FINAL_EXPONENT_LAST_CHUNK_W0_IS_NEG {
-            w0_part = elt_inv_clone.cyclotomic_exp(&P::FINAL_EXPONENT_LAST_CHUNK_ABS_OF_W0);
+        let w0_part = if P::FINAL_EXPONENT_LAST_CHUNK_W0_IS_NEG {
+            elt_inv_clone.cyclotomic_exp(&P::FINAL_EXPONENT_LAST_CHUNK_ABS_OF_W0)
         } else {
-            w0_part = elt_clone.cyclotomic_exp(&P::FINAL_EXPONENT_LAST_CHUNK_ABS_OF_W0);
-        }
+            elt_clone.cyclotomic_exp(&P::FINAL_EXPONENT_LAST_CHUNK_ABS_OF_W0)
+        };
 
         w1_part * &w0_part
     }

algebra-core/src/curves/models/short_weierstrass_jacobian.rs

@@ -19,7 +19,7 @@ use rand::{
 use crate::{
     bytes::{FromBytes, ToBytes},
     curves::{AffineCurve, ProjectiveCurve},
-    fields::{BitIterator, Field, PrimeField, SquareRootField},
+    fields::{BitIteratorBE, Field, PrimeField, SquareRootField},
 };
 
 #[cfg(feature = "parallel")]
@@ -34,6 +34,7 @@ use rayon::prelude::*;
     Debug(bound = "P: Parameters"),
     Hash(bound = "P: Parameters")
 )]
+#[must_use]
 pub struct GroupAffine<P: Parameters> {
     pub x: P::BaseField,
     pub y: P::BaseField,
@@ -42,6 +43,18 @@ pub struct GroupAffine<P: Parameters> {
     _params: PhantomData<P>,
 }
 
+impl<P: Parameters> PartialEq<GroupProjective<P>> for GroupAffine<P> {
+    fn eq(&self, other: &GroupProjective<P>) -> bool {
+        self.into_projective() == *other
+    }
+}
+
+impl<P: Parameters> PartialEq<GroupAffine<P>> for GroupProjective<P> {
+    fn eq(&self, other: &GroupAffine<P>) -> bool {
+        *self == other.into_projective()
+    }
+}
+
 impl<P: Parameters> Display for GroupAffine<P> {
     fn fmt(&self, f: &mut Formatter<'_>) -> FmtResult {
         if self.infinity {
@@ -63,13 +76,16 @@ impl<P: Parameters> GroupAffine<P> {
     }
 
     pub fn scale_by_cofactor(&self) -> GroupProjective<P> {
-        let cofactor = BitIterator::new(P::COFACTOR);
+        let cofactor = BitIteratorBE::new(P::COFACTOR);
         self.mul_bits(cofactor)
     }
 
-    pub(crate) fn mul_bits<S: AsRef<[u64]>>(&self, bits: BitIterator<S>) -> GroupProjective<P> {
+    /// Multiplies `self` by the scalar represented by `bits`. `bits` must be a big-endian
+    /// bit-wise decomposition of the scalar.
+    pub(crate) fn mul_bits(&self, bits: impl Iterator<Item = bool>) -> GroupProjective<P> {
         let mut res = GroupProjective::zero();
-        for i in bits {
+        // Skip leading zeros.
+        for i in bits.skip_while(|b| !b) {
             res.double_in_place();
             if i {
                 res.add_assign_mixed(&self)
@@ -108,7 +124,7 @@ impl<P: Parameters> GroupAffine<P> {
     }
 
     pub fn is_in_correct_subgroup_assuming_on_curve(&self) -> bool {
-        self.mul_bits(BitIterator::new(P::ScalarField::characteristic()))
+        self.mul_bits(BitIteratorBE::new(P::ScalarField::characteristic()))
             .is_zero()
     }
 }
@@ -174,7 +190,7 @@ impl<P: Parameters> AffineCurve for GroupAffine<P> {
 
     #[inline]
     fn mul<S: Into<<Self::ScalarField as PrimeField>::BigInt>>(&self, by: S) -> GroupProjective<P> {
-        let bits = BitIterator::new(by.into());
+        let bits = BitIteratorBE::new(by.into());
         self.mul_bits(bits)
     }
 
@@ -235,10 +251,12 @@ impl<P: Parameters> Default for GroupAffine<P> {
     Debug(bound = "P: Parameters"),
     Hash(bound = "P: Parameters")
 )]
+#[must_use]
 pub struct GroupProjective<P: Parameters> {
     pub x: P::BaseField,
     pub y: P::BaseField,
     pub z: P::BaseField,
+    #[derivative(Debug = "ignore")]
     _params: PhantomData<P>,
 }