Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
pairing.hpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: Completed, auditors: [Federico], commit: }
3// external_1: { status: not started, auditors: [], commit: }
4// external_2: { status: not started, auditors: [], commit: }
5// =====================
6
7#pragma once
8
9#include <random>
10
11#include "./fq12.hpp"
12#include "./fq2.hpp"
13#include "./fq6.hpp"
14#include "./g1.hpp"
15#include "./g2.hpp"
16
17namespace bb::pairing {
18
19// Number of iterations in the Miller loop, equal to the length minus 1 of the signed bit decomposition of (6 * z + 2),
20// where z is the parameter of BN254
21constexpr size_t loop_length = 64;
22// Bit length minus 1 of the parameter z of BN254
23constexpr size_t z_loop_length = 62;
24// Number of lines required by the Miller loop: equal to
25// loop_length (tangent lines) +
26// len([i for i in range(loop_length) if loop_bits[i] != 0]) (addition lines) +
27// 2 (final two lines)
28constexpr size_t precomputed_coefficients_length = 87;
29
30// Signed bit decomposition (from MSB to LSB) of (6 * z + 2) where z is the parameter of BN254, used in the Miller loop.
31// \f$6z + 2 = \sum_{i} b_i 2^i + 2^{64}\f$ where b_i = 1 if loop_bits[loop_length - i - 1] = 1, b_i = -1 if
32// loop_bits[loop_length - i - 1] = 3 and b_i = 0 if loop_bits[loop_length - i - 1] = 0
33constexpr std::array<uint8_t, loop_length> loop_bits{ 1, 0, 1, 0, 0, 0, 3, 0, 3, 0, 0, 0, 3, 0, 1, 0, 3, 0, 0, 3, 0, 0,
34 0, 0, 0, 1, 0, 0, 3, 0, 1, 0, 0, 3, 0, 0, 0, 0, 3, 0, 1, 0, 0, 0,
35 3, 0, 3, 0, 0, 1, 0, 0, 0, 3, 0, 0, 3, 0, 1, 0, 1, 0, 0, 0 };
36
37// Bit decomposition of z (from MSB to LSB): \f$\sum_{i} b_i 2^i + 2^{64}\f$ where b_i = 1 if z_loop_bits[z_loop_length
38// - i - 1] = 1 and b_i = 0 if z_loop_bits[z_loop_length - i - 1] = 0
39constexpr std::array<bool, z_loop_length> z_loop_bits{
40 false, false, false, true, false, false, true, true, true, false, true, false, false, true, true, false,
41 false, true, false, false, true, false, true, false, true, true, false, true, false, false, false, true,
42 false, false, true, false, true, false, false, true, true, false, true, false, false, true, false, false,
43 false, false, true, false, false, true, true, true, true, true, false, false, false, true
44};
45
46// ======================
47// Miller loop
48// ======================
52
59struct g2Projective {
60 fq2 x;
61 fq2 y;
62 fq2 z;
63};
64
72struct g1Projective {
73 fq x;
74 fq y;
75 fq z;
76};
77
88constexpr void doubling_step_for_miller_loop(g2Projective& work_point, fq12::ell_coeffs& line);
89
104constexpr void mixed_addition_step_for_miller_loop(const g2Projective& Q,
105 g2Projective& work_point,
106 fq12::ell_coeffs& line);
107
127constexpr void precompute_miller_lines(const g2Projective& Q, miller_lines& lines);
128
129// Overload when the function is called with a g2::element
130constexpr void precompute_miller_lines(const g2::element& Q, miller_lines& lines);
131
146constexpr fq12 miller_loop(const g1::affine_element& P, const miller_lines& lines);
147
160constexpr fq12 miller_loop_batch(const g1::affine_element* points, const miller_lines* lines, size_t num_pairs);
161
162// ======================
163// Final exponentiation
164// ======================
165
173constexpr fq12 final_exponentiation_easy_part(const fq12& elt);
174
180constexpr fq12 final_exponentiation_exp_by_z(const fq12& elt);
181
193constexpr fq12 final_exponentiation_tricky_part(const fq12& elt);
194
195// ======================
196// Pairing
197//
198// NOTE: All points supplied for pairing calculations are checked to be on the curve. This is equivalent to a subgroup
199// membership check for points in G1 = BN254. We don't implement subgroup membership checks for G2 because the only
200// place in the codebase where we use pairings is in PairingPoints::check(), which takes two points P1, P2 in G1
201// and checks e(P1, [1]) * e(P2, [x]) = 1. The points [1] and [x] are taken from the SRS, so we know they belong to G2.
202//
203// ======================
204
212constexpr fq12 reduced_ate_pairing(const g1::affine_element& P_affine, const g2::affine_element& Q_affine);
213
224inline fq12 reduced_ate_pairing_batch(const g1::affine_element* P_affines,
225 const g2::affine_element* Q_affines,
226 size_t num_points);
227
237inline fq12 reduced_ate_pairing_batch_precomputed(const g1::affine_element* P_affines,
238 const miller_lines* lines,
239 size_t num_points);
240
241} // namespace bb::pairing
242
243#include "./pairing_impl.hpp"
bb::group_elements::affine_element
Definition affine_element.hpp:27
bb::group_elements::element
element class. Implements ecc group arithmetic using Jacobian coordinates See https://hyperelliptic....
Definition element.hpp:33
bb::pairing::precomputed_coefficients_length
constexpr size_t precomputed_coefficients_length
Definition pairing.hpp:28
bb::pairing::doubling_step_for_miller_loop
constexpr void doubling_step_for_miller_loop(g2Projective &work_point, fq12::ell_coeffs &line)
Doubling step for Miller loop calculation.
Definition pairing_impl.hpp:42
bb::pairing::final_exponentiation_exp_by_z
constexpr fq12 final_exponentiation_exp_by_z(const fq12 &elt)
Definition pairing_impl.hpp:220
bb::pairing::loop_bits
constexpr std::array< uint8_t, loop_length > loop_bits
Definition pairing.hpp:33
bb::pairing::final_exponentiation_tricky_part
constexpr fq12 final_exponentiation_tricky_part(const fq12 &elt)
Definition pairing_impl.hpp:233
bb::pairing::reduced_ate_pairing_batch_precomputed
fq12 reduced_ate_pairing_batch_precomputed(const g1::affine_element *P_affines, const miller_lines *lines, const size_t num_points)
Definition pairing_impl.hpp:284
bb::pairing::reduced_ate_pairing
constexpr fq12 reduced_ate_pairing(const g1::affine_element &P_affine, const g2::affine_element &Q_affine)
Definition pairing_impl.hpp:258
bb::pairing::final_exponentiation_easy_part
constexpr fq12 final_exponentiation_easy_part(const fq12 &elt)
Definition pairing_impl.hpp:213
bb::pairing::mixed_addition_step_for_miller_loop
constexpr void mixed_addition_step_for_miller_loop(const g2Projective &Q, g2Projective &work_point, fq12::ell_coeffs &line)
Addition step for Miller loop calculation.
Definition pairing_impl.hpp:64
bb::pairing::miller_loop_batch
constexpr fq12 miller_loop_batch(const g1::affine_element *points, const miller_lines *lines, size_t num_pairs)
Compute the Miller loop for multiple pairs of points.
Definition pairing_impl.hpp:165
bb::pairing::precompute_miller_lines
constexpr void precompute_miller_lines(const g2Projective &Q, miller_lines &lines)
Precomputation of Miller lines for a point Q in G2.
Definition pairing_impl.hpp:90
bb::pairing::z_loop_length
constexpr size_t z_loop_length
Definition pairing.hpp:23
bb::pairing::loop_length
constexpr size_t loop_length
Definition pairing.hpp:21
bb::pairing::reduced_ate_pairing_batch
fq12 reduced_ate_pairing_batch(const g1::affine_element *P_affines, const g2::affine_element *Q_affines, const size_t num_points)
Definition pairing_impl.hpp:300
bb::pairing::z_loop_bits
constexpr std::array< bool, z_loop_length > z_loop_bits
Definition pairing.hpp:39
bb::pairing::miller_loop
constexpr fq12 miller_loop(const g1::affine_element &P, const miller_lines &lines)
Miller loop implementation.
Definition pairing_impl.hpp:124
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
pairing_impl.hpp
bb::field12::ell_coeffs
Definition field12.hpp:50
bb::pairing::g1Projective
Struct representing a point in G1 in homogeneous projective coordinates.
Definition pairing.hpp:72
bb::pairing::miller_lines
Definition pairing.hpp:49
bb::pairing::miller_lines::lines
std::array< fq12::ell_coeffs, precomputed_coefficients_length > lines
Definition pairing.hpp:50