Add pairing gadgets (depends on #26)

.github/workflows/ci.yml

@@ -30,6 +30,7 @@ jobs:
     - name: configure
       env:
         CXX: ${{ matrix.compiler }}
+        CXXFLAGS: "-Werror"
       run: mkdir build && cd build && cmake ..
     - name: build
       run: cd build && make

.gitignore

@@ -49,3 +49,4 @@ libsnark/zk_proof_systems/zksnark/ram_zksnark/profiling/profile_ram_zksnark
 libsnark/zk_proof_systems/zksnark/ram_zksnark/tests/test_ram_zksnark
 
 build
+*~

libsnark/CMakeLists.txt

@@ -152,9 +152,7 @@ if ("${IS_LIBSNARK_PARENT}")
     add_dependencies(check ${TEST_NAME})
   endfunction()
 
-  libsnark_test(common_routing_algorithms_test common/routing_algorithms/tests/test_routing_algorithms.cpp)
   libsnark_test(gadgetlib1_simple_test gadgetlib1/tests/gadgetlib1_test.cpp)
-  libsnark_test(gadgetlib1_r1cs_ppzksnark_verifier_gadget_test gadgetlib1/gadgets/verifiers/tests/test_r1cs_ppzksnark_verifier_gadget.cpp)
   libsnark_test(gadgetlib2_adapters_test gadgetlib2/tests/adapters_UTEST.cpp)
   libsnark_test(gadgetlib2_constraint_test gadgetlib2/tests/constraint_UTEST.cpp)
   libsnark_test(gadgetlib2_gadget_test gadgetlib2/tests/gadget_UTEST.cpp)
@@ -190,6 +188,16 @@ if ("${IS_LIBSNARK_PARENT}")
   libsnark_test(test_set_commitment_gadget gadgetlib1/gadgets/set_commitment/tests/test_set_commitment_gadget.cpp)
   libsnark_test(test_sha256_gadget gadgetlib1/gadgets/hashes/sha256/tests/test_sha256_gadget.cpp)
   libsnark_test(test_polynomial_commitments polynomial_commitments/tests/test_polynomial_commitments.cpp)
+  libsnark_test(test_common_routing_algorithms common/routing_algorithms/tests/test_routing_algorithms.cpp)
+  libsnark_test(test_pairing gadgetlib1/tests/test_pairing.cpp)
+  libsnark_test(test_fp6_3over2_gadgets gadgetlib1/tests/test_fp6_3over2_gadgets.cpp)
+  libsnark_test(test_fp12_2over3over2_gadgets gadgetlib1/tests/test_fp12_2over3over2_gadgets.cpp)
+  libsnark_test(test_curve_gadgets gadgetlib1/tests/test_curve_gadgets.cpp)
+  libsnark_test(test_bls12_377_membership_checks gadgetlib1/tests/test_bls12_377_membership_checks.cpp)
+  libsnark_test(test_bls12_377_pairing gadgetlib1/tests/test_bls12_377_pairing.cpp)
+  libsnark_test(test_pairing_checks gadgetlib1/tests/test_pairing_checks.cpp)
+  libsnark_test(test_r1cs_ppzksnark_verifier_gadget gadgetlib1/tests/test_r1cs_ppzksnark_verifier_gadget.cpp)
+  libsnark_test(test_r1cs_gg_ppzksnark_verifier_gadget gadgetlib1/tests/test_r1cs_gg_ppzksnark_verifier_gadget.cpp)
 
   # TODO (howardwu): Resolve runtime on targets:
   # libsnark_test(gadgetlib1_fooram_test gadgetlib1/gadgets/cpu_checkers/foora# m/examples/test_fooram.cpp)

libsnark/gadgetlib1/gadgets/basic_gadgets.hpp

@@ -29,6 +29,10 @@ void generate_r1cs_equals_const_constraint(
     const FieldT &c,
     const std::string &annotation_prefix = "");
 
+/// Constrain a bit array to be equal to the binary encoding of some linear
+/// combination. Supports computing the bits from the linear combination, and
+/// vice-versa. Also supports constraining the bit array values to be boolean
+/// if this is not verified elsewhere.
 template<typename FieldT> class packing_gadget : public gadget<FieldT>
 {
 private:

libsnark/gadgetlib1/gadgets/curves/scalar_multiplication.hpp

@@ -0,0 +1,54 @@
+/** @file
+ *****************************************************************************
+ * @author     This file is part of libsnark, developed by Clearmatics Ltd
+ *             (originally developed by SCIPR Lab) and contributors
+ *             (see AUTHORS).
+ * @copyright  MIT license (see LICENSE file)
+ *****************************************************************************/
+
+#ifndef LIBSNARK_GADGETLIB1_GADGETS_CURVE_SCALAR_MULTIPLICATION_HPP_
+#define LIBSNARK_GADGETLIB1_GADGETS_CURVE_SCALAR_MULTIPLICATION_HPP_
+
+#include "libsnark/gadgetlib1/gadget.hpp"
+
+#include <memory>
+
+namespace libsnark
+{
+
+/// Generic gadget to perform scalar multiplication of group variables. Used by
+/// the individual group element implementations.
+template<
+    typename groupT,
+    typename groupVariableT,
+    typename add_gadget,
+    typename dbl_gadget,
+    typename scalarT>
+class point_mul_by_const_scalar_gadget
+    : public gadget<typename groupT::base_field>
+{
+public:
+    using FieldT = typename groupT::base_field;
+
+    const scalarT _scalar;
+    const groupVariableT _result;
+    std::vector<std::shared_ptr<add_gadget>> _add_gadgets;
+    std::vector<std::shared_ptr<dbl_gadget>> _dbl_gadgets;
+
+    point_mul_by_const_scalar_gadget(
+        protoboard<FieldT> &pb,
+        const scalarT &scalar,
+        const groupVariableT &P,
+        const groupVariableT &result,
+        const std::string &annotation_prefix);
+
+    void generate_r1cs_constraints();
+    void generate_r1cs_witness();
+    const groupVariableT &result() const;
+};
+
+} // namespace libsnark
+
+#include "libsnark/gadgetlib1/gadgets/curves/scalar_multiplication.tcc"
+
+#endif // LIBSNARK_GADGETLIB1_GADGETS_CURVE_SCALAR_MULTIPLICATION_HPP_

libsnark/gadgetlib1/gadgets/curves/scalar_multiplication.tcc

@@ -0,0 +1,164 @@
+/** @file
+ *****************************************************************************
+ * @author     This file is part of libsnark, developed by Clearmatics Ltd
+ *             (originally developed by SCIPR Lab) and contributors
+ *             (see AUTHORS).
+ * @copyright  MIT license (see LICENSE file)
+ *****************************************************************************/
+
+#ifndef LIBSNARK_GADGETLIB1_GADGETS_CURVE_SCALAR_MULTIPLICATION_TCC_
+#define LIBSNARK_GADGETLIB1_GADGETS_CURVE_SCALAR_MULTIPLICATION_TCC_
+
+#include "libsnark/gadgetlib1/gadgets/curves/scalar_multiplication.hpp"
+
+namespace libsnark
+{
+
+template<
+    typename groupT,
+    typename groupVariableT,
+    typename add_gadget,
+    typename dbl_gadget,
+    typename scalarT>
+point_mul_by_const_scalar_gadget<
+    groupT,
+    groupVariableT,
+    add_gadget,
+    dbl_gadget,
+    scalarT>::
+    point_mul_by_const_scalar_gadget(
+        protoboard<FieldT> &pb,
+        const scalarT &scalar,
+        const groupVariableT &P,
+        const groupVariableT &result,
+        const std::string &annotation_prefix)
+    : gadget<FieldT>(pb, annotation_prefix), _scalar(scalar), _result(result)
+{
+    const size_t last_bit = _scalar.num_bits() - 1;
+    const groupVariableT *last_value = &P;
+
+    // Temporary vector of intermediate variables. Reserve the maximum number
+    // of possible entries to ensure no reallocation (i.e. last_value is always
+    // valid).
+    std::vector<groupVariableT> values;
+    values.reserve(2 * last_bit);
+
+    for (size_t i = last_bit - 1; i > 0; --i) {
+        // Double
+        values.emplace_back(pb, FMT(annotation_prefix, " value[%zu]", i));
+        _dbl_gadgets.emplace_back(new dbl_gadget(
+            pb,
+            *last_value,
+            values.back(),
+            FMT(annotation_prefix, " double[%zu]", i)));
+        last_value = &values.back();
+
+        // Add
+        if (_scalar.test_bit(i)) {
+            values.emplace_back(pb, FMT(annotation_prefix, " value[%zu]", i));
+            _add_gadgets.emplace_back(new add_gadget(
+                pb,
+                *last_value,
+                P,
+                values.back(),
+                FMT(annotation_prefix, " add[%zu]", i)));
+            last_value = &values.back();
+        }
+    }
+
+    // Depending on the value of the final (lowest-order) bit, perform final
+    // double or double-and-add into result.
+
+    if (_scalar.test_bit(0)) {
+        // Double
+        values.emplace_back(pb, FMT(annotation_prefix, " value[0]"));
+        _dbl_gadgets.emplace_back(new dbl_gadget(
+            pb,
+            *last_value,
+            values.back(),
+            FMT(annotation_prefix, " double[0]")));
+        last_value = &values.back();
+
+        // Add into result
+        _add_gadgets.emplace_back(new add_gadget(
+            pb, *last_value, P, result, FMT(annotation_prefix, " add[0]")));
+    } else {
+        // Double
+        _dbl_gadgets.emplace_back(new dbl_gadget(
+            pb, *last_value, result, FMT(annotation_prefix, " double[0]")));
+    }
+}
+
+template<
+    typename groupT,
+    typename groupVariableT,
+    typename add_gadget,
+    typename dbl_gadget,
+    typename scalarT>
+void point_mul_by_const_scalar_gadget<
+    groupT,
+    groupVariableT,
+    add_gadget,
+    dbl_gadget,
+    scalarT>::generate_r1cs_constraints()
+{
+    const size_t last_bit = _scalar.num_bits() - 1;
+    size_t dbl_idx = 0;
+    size_t add_idx = 0;
+    for (ssize_t i = last_bit - 1; i >= 0; --i) {
+        // Double gadget constraints
+        _dbl_gadgets[dbl_idx++]->generate_r1cs_constraints();
+
+        // Add gadget constraints
+        if (_scalar.test_bit(i)) {
+            _add_gadgets[add_idx++]->generate_r1cs_constraints();
+        }
+    }
+}
+
+template<
+    typename groupT,
+    typename groupVariableT,
+    typename add_gadget,
+    typename dbl_gadget,
+    typename scalarT>
+void point_mul_by_const_scalar_gadget<
+    groupT,
+    groupVariableT,
+    add_gadget,
+    dbl_gadget,
+    scalarT>::generate_r1cs_witness()
+{
+    const size_t last_bit = _scalar.num_bits() - 1;
+    size_t dbl_idx = 0;
+    size_t add_idx = 0;
+    for (ssize_t i = last_bit - 1; i >= 0; --i) {
+        // Double gadget constraints
+        _dbl_gadgets[dbl_idx++]->generate_r1cs_witness();
+
+        // Add gadget constraints
+        if (_scalar.test_bit(i)) {
+            _add_gadgets[add_idx++]->generate_r1cs_witness();
+        }
+    }
+}
+
+template<
+    typename groupT,
+    typename groupVariableT,
+    typename add_gadget,
+    typename dbl_gadget,
+    typename scalarT>
+const groupVariableT &point_mul_by_const_scalar_gadget<
+    groupT,
+    groupVariableT,
+    add_gadget,
+    dbl_gadget,
+    scalarT>::result() const
+{
+    return _result;
+}
+
+} // namespace libsnark
+
+#endif // LIBSNARK_GADGETLIB1_GADGETS_CURVE_SCALAR_MULTIPLICATION_TCC_

libsnark/gadgetlib1/gadgets/curves/weierstrass_g1_gadget.hpp

@@ -15,9 +15,11 @@
 #ifndef WEIERSTRASS_G1_GADGET_HPP_
 #define WEIERSTRASS_G1_GADGET_HPP_
 
+#include "libsnark/gadgetlib1/gadget.hpp"
+#include "libsnark/gadgetlib1/gadgets/curves/scalar_multiplication.hpp"
+#include "libsnark/gadgetlib1/gadgets/pairing/pairing_params.hpp"
+
 #include <libff/algebra/curves/public_params.hpp>
-#include <libsnark/gadgetlib1/gadget.hpp>
-#include <libsnark/gadgetlib1/gadgets/pairing/pairing_params.hpp>
 
 namespace libsnark
 {
@@ -43,12 +45,40 @@ template<typename ppT> class G1_variable : public gadget<libff::Fr<ppT>>
 
     void generate_r1cs_witness(const libff::G1<other_curve<ppT>> &elt);
 
+    libff::G1<other_curve<ppT>> get_element() const;
+
     // (See a comment in r1cs_ppzksnark_verifier_gadget.hpp about why
     // we mark this function noinline.) TODO: remove later
     static size_t __attribute__((noinline)) size_in_bits();
     static size_t num_variables();
 };
 
+/// Depending on the value of a selector variable (which must be 0 or
+/// 1), choose between two G1_variable objects (zero_case and
+/// one_case),
+template<typename ppT>
+class G1_variable_selector_gadget : public gadget<libff::Fr<ppT>>
+{
+public:
+    using Field = libff::Fr<ppT>;
+
+    const pb_linear_combination<Field> selector;
+    const G1_variable<ppT> zero_case;
+    const G1_variable<ppT> one_case;
+    G1_variable<ppT> result;
+
+    G1_variable_selector_gadget(
+        protoboard<Field> &pb,
+        const pb_linear_combination<Field> &selector,
+        const G1_variable<ppT> &zero_case,
+        const G1_variable<ppT> &one_case,
+        const G1_variable<ppT> &result,
+        const std::string &annotation_prefix);
+
+    void generate_r1cs_constraints();
+    void generate_r1cs_witness();
+};
+
 /**
  * Gadget that creates constraints for the validity of a G1 variable.
  */
@@ -82,13 +112,13 @@ template<typename ppT> class G1_add_gadget : public gadget<libff::Fr<ppT>>
 
     G1_variable<ppT> A;
     G1_variable<ppT> B;
-    G1_variable<ppT> C;
+    G1_variable<ppT> result;
 
     G1_add_gadget(
         protoboard<FieldT> &pb,
         const G1_variable<ppT> &A,
         const G1_variable<ppT> &B,
-        const G1_variable<ppT> &C,
+        const G1_variable<ppT> &result,
         const std::string &annotation_prefix);
     void generate_r1cs_constraints();
     void generate_r1cs_witness();
@@ -106,12 +136,12 @@ template<typename ppT> class G1_dbl_gadget : public gadget<libff::Fr<ppT>>
     pb_variable<FieldT> lambda;
 
     G1_variable<ppT> A;
-    G1_variable<ppT> B;
+    G1_variable<ppT> result;
 
     G1_dbl_gadget(
         protoboard<FieldT> &pb,
         const G1_variable<ppT> &A,
-        const G1_variable<ppT> &B,
+        const G1_variable<ppT> &result,
         const std::string &annotation_prefix);
     void generate_r1cs_constraints();
     void generate_r1cs_witness();
@@ -153,6 +183,16 @@ class G1_multiscalar_mul_gadget : public gadget<libff::Fr<ppT>>
     void generate_r1cs_witness();
 };
 
+/// Multiplication by constant scalar (leverages
+/// point_mul_by_const_scalar_gadget - scalar_multiplication.hpp).
+template<typename wppT, mp_size_t scalarLimbs>
+using G1_mul_by_const_scalar_gadget = point_mul_by_const_scalar_gadget<
+    libff::G1<other_curve<wppT>>,
+    G1_variable<wppT>,
+    G1_add_gadget<wppT>,
+    G1_dbl_gadget<wppT>,
+    libff::bigint<scalarLimbs>>;
+
 } // namespace libsnark
 
 #include <libsnark/gadgetlib1/gadgets/curves/weierstrass_g1_gadget.tcc>