Merge branch 'master' into chore/gkr-gateregistry

Author: Tabaie

std/algebra/emulated/sw_bls12381/pairing.go

@@ -185,6 +185,120 @@ func (pr Pairing) AssertIsEqual(x, y *GTEl) {
 	pr.Ext12.AssertIsEqual(x, y)
 }
 
+func (pr Pairing) MuxG2(sel frontend.Variable, inputs ...*G2Affine) *G2Affine {
+	if len(inputs) == 0 {
+		return nil
+	}
+	if len(inputs) == 1 {
+		pr.api.AssertIsEqual(sel, 0)
+		return inputs[0]
+	}
+	for i := 1; i < len(inputs); i++ {
+		if (inputs[0].Lines == nil) != (inputs[i].Lines == nil) {
+			panic("muxing points with and without precomputed lines")
+		}
+	}
+	var ret G2Affine
+	XA0 := make([]*emulated.Element[BaseField], len(inputs))
+	XA1 := make([]*emulated.Element[BaseField], len(inputs))
+	YA0 := make([]*emulated.Element[BaseField], len(inputs))
+	YA1 := make([]*emulated.Element[BaseField], len(inputs))
+	for i := range inputs {
+		XA0[i] = &inputs[i].P.X.A0
+		XA1[i] = &inputs[i].P.X.A1
+		YA0[i] = &inputs[i].P.Y.A0
+		YA1[i] = &inputs[i].P.Y.A1
+	}
+	ret.P.X.A0 = *pr.curveF.Mux(sel, XA0...)
+	ret.P.X.A1 = *pr.curveF.Mux(sel, XA1...)
+	ret.P.Y.A0 = *pr.curveF.Mux(sel, YA0...)
+	ret.P.Y.A1 = *pr.curveF.Mux(sel, YA1...)
+
+	if inputs[0].Lines == nil {
+		return &ret
+	}
+
+	// switch precomputed lines
+	ret.Lines = new(lineEvaluations)
+	for j := range inputs[0].Lines[0] {
+		lineR0A0 := make([]*emulated.Element[BaseField], len(inputs))
+		lineR0A1 := make([]*emulated.Element[BaseField], len(inputs))
+		lineR1A0 := make([]*emulated.Element[BaseField], len(inputs))
+		lineR1A1 := make([]*emulated.Element[BaseField], len(inputs))
+		for k := 0; k < 2; k++ {
+			for i := range inputs {
+				lineR0A0[i] = &inputs[i].Lines[k][j].R0.A0
+				lineR0A1[i] = &inputs[i].Lines[k][j].R0.A1
+				lineR1A0[i] = &inputs[i].Lines[k][j].R1.A0
+				lineR1A1[i] = &inputs[i].Lines[k][j].R1.A1
+			}
+			le := &lineEvaluation{
+				R0: fields_bls12381.E2{
+					A0: *pr.curveF.Mux(sel, lineR0A0...),
+					A1: *pr.curveF.Mux(sel, lineR0A1...),
+				},
+				R1: fields_bls12381.E2{
+					A0: *pr.curveF.Mux(sel, lineR1A0...),
+					A1: *pr.curveF.Mux(sel, lineR1A1...),
+				},
+			}
+			ret.Lines[k][j] = le
+		}
+	}
+
+	return &ret
+}
+
+func (pr Pairing) MuxGt(sel frontend.Variable, inputs ...*GTEl) *GTEl {
+	if len(inputs) == 0 {
+		return nil
+	}
+	if len(inputs) == 1 {
+		pr.api.AssertIsEqual(sel, 0)
+		return inputs[0]
+	}
+	var ret GTEl
+	A0s := make([]*emulated.Element[BaseField], len(inputs))
+	A1s := make([]*emulated.Element[BaseField], len(inputs))
+	A2s := make([]*emulated.Element[BaseField], len(inputs))
+	A3s := make([]*emulated.Element[BaseField], len(inputs))
+	A4s := make([]*emulated.Element[BaseField], len(inputs))
+	A5s := make([]*emulated.Element[BaseField], len(inputs))
+	A6s := make([]*emulated.Element[BaseField], len(inputs))
+	A7s := make([]*emulated.Element[BaseField], len(inputs))
+	A8s := make([]*emulated.Element[BaseField], len(inputs))
+	A9s := make([]*emulated.Element[BaseField], len(inputs))
+	A10s := make([]*emulated.Element[BaseField], len(inputs))
+	A11s := make([]*emulated.Element[BaseField], len(inputs))
+	for i := range inputs {
+		A0s[i] = &inputs[i].A0
+		A1s[i] = &inputs[i].A1
+		A2s[i] = &inputs[i].A2
+		A3s[i] = &inputs[i].A3
+		A4s[i] = &inputs[i].A4
+		A5s[i] = &inputs[i].A5
+		A6s[i] = &inputs[i].A6
+		A7s[i] = &inputs[i].A7
+		A8s[i] = &inputs[i].A8
+		A9s[i] = &inputs[i].A9
+		A10s[i] = &inputs[i].A10
+		A11s[i] = &inputs[i].A11
+	}
+	ret.A0 = *pr.curveF.Mux(sel, A0s...)
+	ret.A1 = *pr.curveF.Mux(sel, A1s...)
+	ret.A2 = *pr.curveF.Mux(sel, A2s...)
+	ret.A3 = *pr.curveF.Mux(sel, A3s...)
+	ret.A4 = *pr.curveF.Mux(sel, A4s...)
+	ret.A5 = *pr.curveF.Mux(sel, A5s...)
+	ret.A6 = *pr.curveF.Mux(sel, A6s...)
+	ret.A7 = *pr.curveF.Mux(sel, A7s...)
+	ret.A8 = *pr.curveF.Mux(sel, A8s...)
+	ret.A9 = *pr.curveF.Mux(sel, A9s...)
+	ret.A10 = *pr.curveF.Mux(sel, A10s...)
+	ret.A11 = *pr.curveF.Mux(sel, A11s...)
+	return &ret
+}
+
 func (pr Pairing) AssertIsOnCurve(P *G1Affine) {
 	pr.curve.AssertIsOnCurve(P)
 }

std/algebra/emulated/sw_bls12381/pairing_test.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"crypto/rand"
 	"fmt"
+	"math/big"
 	"testing"
 
 	"github.com/consensys/gnark-crypto/ecc"
@@ -302,6 +303,96 @@ func TestGroupMembershipSolve(t *testing.T) {
 	assert.NoError(err)
 }
 
+type MuxesCircuits struct {
+	InG2       []G2Affine
+	InGt       []GTEl
+	SelG2      frontend.Variable
+	SelGt      frontend.Variable
+	ExpectedG2 G2Affine
+	ExpectedGt GTEl
+}
+
+func (c *MuxesCircuits) Define(api frontend.API) error {
+	g2api := NewG2(api)
+	pairing, err := NewPairing(api)
+	if err != nil {
+		return fmt.Errorf("new pairing: %w", err)
+	}
+	var inG2 []*G2Affine
+	for i := range c.InG2 {
+		inG2 = append(inG2, &c.InG2[i])
+	}
+	var inGt []*GTEl
+	for i := range c.InGt {
+		inGt = append(inGt, &c.InGt[i])
+	}
+	g2 := pairing.MuxG2(c.SelG2, inG2...)
+	gt := pairing.MuxGt(c.SelGt, inGt...)
+	if len(c.InG2) == 0 {
+		if g2 != nil {
+			return fmt.Errorf("mux G2: expected nil, got %v", g2)
+		}
+	} else {
+		g2api.AssertIsEqual(g2, &c.ExpectedG2)
+	}
+	if len(c.InGt) == 0 {
+		if gt != nil {
+			return fmt.Errorf("mux Gt: expected nil, got %v", gt)
+		}
+	} else {
+		pairing.AssertIsEqual(gt, &c.ExpectedGt)
+	}
+	return nil
+}
+
+func TestPairingMuxes(t *testing.T) {
+	assert := test.NewAssert(t)
+	var err error
+	for _, nbPairs := range []int{0, 1, 2, 3, 4, 5} {
+		assert.Run(func(assert *test.Assert) {
+			g2s := make([]bls12381.G2Affine, nbPairs)
+			gts := make([]bls12381.GT, nbPairs)
+			var p bls12381.G1Affine
+			witG2s := make([]G2Affine, nbPairs)
+			witGts := make([]GTEl, nbPairs)
+			for i := range nbPairs {
+				p, g2s[i] = randomG1G2Affines()
+				gts[i], err = bls12381.Pair([]bls12381.G1Affine{p}, []bls12381.G2Affine{g2s[i]})
+				assert.NoError(err)
+				witG2s[i] = NewG2Affine(g2s[i])
+				witGts[i] = NewGTEl(gts[i])
+			}
+			circuit := MuxesCircuits{InG2: make([]G2Affine, nbPairs), InGt: make([]GTEl, nbPairs)}
+			var witness MuxesCircuits
+			if nbPairs > 0 {
+				selG2, err := rand.Int(rand.Reader, big.NewInt(int64(nbPairs)))
+				assert.NoError(err)
+				selGt, err := rand.Int(rand.Reader, big.NewInt(int64(nbPairs)))
+				assert.NoError(err)
+				expectedG2 := witG2s[selG2.Int64()]
+				expectedGt := witGts[selGt.Int64()]
+				witness = MuxesCircuits{
+					InG2:       witG2s,
+					InGt:       witGts,
+					SelG2:      selG2,
+					SelGt:      selGt,
+					ExpectedG2: expectedG2,
+					ExpectedGt: expectedGt,
+				}
+			} else {
+				witness = MuxesCircuits{
+					InG2:  witG2s,
+					InGt:  witGts,
+					SelG2: big.NewInt(0),
+					SelGt: big.NewInt(0),
+				}
+			}
+			err = test.IsSolved(&circuit, &witness, ecc.BN254.ScalarField())
+			assert.NoError(err)
+		}, fmt.Sprintf("nbPairs=%d", nbPairs))
+	}
+}
+
 // bench
 func BenchmarkPairing(b *testing.B) {
 	// e(a,2b) * e(-2a,b) == 1

std/algebra/emulated/sw_bn254/pairing.go

@@ -313,6 +313,120 @@ func (pr Pairing) AssertIsOnCurve(P *G1Affine) {
 	pr.curve.AssertIsOnCurve(P)
 }
 
+func (pr Pairing) MuxG2(sel frontend.Variable, inputs ...*G2Affine) *G2Affine {
+	if len(inputs) == 0 {
+		return nil
+	}
+	if len(inputs) == 1 {
+		pr.api.AssertIsEqual(sel, 0)
+		return inputs[0]
+	}
+	for i := 1; i < len(inputs); i++ {
+		if (inputs[0].Lines == nil) != (inputs[i].Lines == nil) {
+			panic("muxing points with and without precomputed lines")
+		}
+	}
+	var ret G2Affine
+	XA0 := make([]*emulated.Element[BaseField], len(inputs))
+	XA1 := make([]*emulated.Element[BaseField], len(inputs))
+	YA0 := make([]*emulated.Element[BaseField], len(inputs))
+	YA1 := make([]*emulated.Element[BaseField], len(inputs))
+	for i := range inputs {
+		XA0[i] = &inputs[i].P.X.A0
+		XA1[i] = &inputs[i].P.X.A1
+		YA0[i] = &inputs[i].P.Y.A0
+		YA1[i] = &inputs[i].P.Y.A1
+	}
+	ret.P.X.A0 = *pr.curveF.Mux(sel, XA0...)
+	ret.P.X.A1 = *pr.curveF.Mux(sel, XA1...)
+	ret.P.Y.A0 = *pr.curveF.Mux(sel, YA0...)
+	ret.P.Y.A1 = *pr.curveF.Mux(sel, YA1...)
+
+	if inputs[0].Lines == nil {
+		return &ret
+	}
+
+	// switch precomputed lines
+	ret.Lines = new(lineEvaluations)
+	for j := range inputs[0].Lines[0] {
+		lineR0A0 := make([]*emulated.Element[BaseField], len(inputs))
+		lineR0A1 := make([]*emulated.Element[BaseField], len(inputs))
+		lineR1A0 := make([]*emulated.Element[BaseField], len(inputs))
+		lineR1A1 := make([]*emulated.Element[BaseField], len(inputs))
+		for k := 0; k < 2; k++ {
+			for i := range inputs {
+				lineR0A0[i] = &inputs[i].Lines[k][j].R0.A0
+				lineR0A1[i] = &inputs[i].Lines[k][j].R0.A1
+				lineR1A0[i] = &inputs[i].Lines[k][j].R1.A0
+				lineR1A1[i] = &inputs[i].Lines[k][j].R1.A1
+			}
+			le := &lineEvaluation{
+				R0: fields_bn254.E2{
+					A0: *pr.curveF.Mux(sel, lineR0A0...),
+					A1: *pr.curveF.Mux(sel, lineR0A1...),
+				},
+				R1: fields_bn254.E2{
+					A0: *pr.curveF.Mux(sel, lineR1A0...),
+					A1: *pr.curveF.Mux(sel, lineR1A1...),
+				},
+			}
+			ret.Lines[k][j] = le
+		}
+	}
+
+	return &ret
+}
+
+func (pr Pairing) MuxGt(sel frontend.Variable, inputs ...*GTEl) *GTEl {
+	if len(inputs) == 0 {
+		return nil
+	}
+	if len(inputs) == 1 {
+		pr.api.AssertIsEqual(sel, 0)
+		return inputs[0]
+	}
+	var ret GTEl
+	A0s := make([]*emulated.Element[BaseField], len(inputs))
+	A1s := make([]*emulated.Element[BaseField], len(inputs))
+	A2s := make([]*emulated.Element[BaseField], len(inputs))
+	A3s := make([]*emulated.Element[BaseField], len(inputs))
+	A4s := make([]*emulated.Element[BaseField], len(inputs))
+	A5s := make([]*emulated.Element[BaseField], len(inputs))
+	A6s := make([]*emulated.Element[BaseField], len(inputs))
+	A7s := make([]*emulated.Element[BaseField], len(inputs))
+	A8s := make([]*emulated.Element[BaseField], len(inputs))
+	A9s := make([]*emulated.Element[BaseField], len(inputs))
+	A10s := make([]*emulated.Element[BaseField], len(inputs))
+	A11s := make([]*emulated.Element[BaseField], len(inputs))
+	for i := range inputs {
+		A0s[i] = &inputs[i].A0
+		A1s[i] = &inputs[i].A1
+		A2s[i] = &inputs[i].A2
+		A3s[i] = &inputs[i].A3
+		A4s[i] = &inputs[i].A4
+		A5s[i] = &inputs[i].A5
+		A6s[i] = &inputs[i].A6
+		A7s[i] = &inputs[i].A7
+		A8s[i] = &inputs[i].A8
+		A9s[i] = &inputs[i].A9
+		A10s[i] = &inputs[i].A10
+		A11s[i] = &inputs[i].A11
+	}
+	ret.A0 = *pr.curveF.Mux(sel, A0s...)
+	ret.A1 = *pr.curveF.Mux(sel, A1s...)
+	ret.A2 = *pr.curveF.Mux(sel, A2s...)
+	ret.A3 = *pr.curveF.Mux(sel, A3s...)
+	ret.A4 = *pr.curveF.Mux(sel, A4s...)
+	ret.A5 = *pr.curveF.Mux(sel, A5s...)
+	ret.A6 = *pr.curveF.Mux(sel, A6s...)
+	ret.A7 = *pr.curveF.Mux(sel, A7s...)
+	ret.A8 = *pr.curveF.Mux(sel, A8s...)
+	ret.A9 = *pr.curveF.Mux(sel, A9s...)
+	ret.A10 = *pr.curveF.Mux(sel, A10s...)
+	ret.A11 = *pr.curveF.Mux(sel, A11s...)
+	return &ret
+}
+
 func (pr Pairing) computeTwistEquation(Q *G2Affine) (left, right *fields_bn254.E2) {
 	// Twist: Y² == X³ + aX + b, where a=0 and b=3/(9+u)
 	// (X,Y) ∈ {Y² == X³ + aX + b} U (0,0)