Gro16 verifier gadget

CMakeLists.txt

@@ -81,6 +81,12 @@ option(
   ON
 )
 
+option(
+  USE_ASAN
+  "Enable Address Sanitizer"
+  OFF
+)
+
 set(
   OPT_FLAGS
   ""
@@ -220,6 +226,13 @@ if("${USE_ASM}")
   add_definitions(-DUSE_ASM)
 endif()
 
+if("${USE_ASAN}")
+  set(
+    CMAKE_CXX_FLAGS
+    "${CMAKE_CXX_FLAGS} -fsanitize=address"
+  )
+endif()
+
 if("${USE_LINKED_LIBRARIES}")
   # libfqfft
   find_path(LIBFQFFT_INCLUDE_DIR NAMES libfqfft)

libsnark/gadgetlib1/gadgets/pairing/mnt_pairing_params.hpp

@@ -24,6 +24,7 @@
 #include <libsnark/gadgetlib1/gadgets/fields/fp4_gadgets.hpp>
 #include <libsnark/gadgetlib1/gadgets/fields/fp6_gadgets.hpp>
 #include <libsnark/gadgetlib1/gadgets/pairing/pairing_params.hpp>
+#include <libsnark/gadgetlib1/gadgets/pairing/weierstrass_miller_loop.hpp>
 
 namespace libsnark {
 
@@ -61,6 +62,7 @@ class pairing_selector<libff::mnt4_pp> {
 
     typedef libff::mnt6_pp other_curve_type;
 
+    typedef mnt_miller_loop_gadget<libff::mnt4_pp> miller_loop_gadget;
     typedef mnt_e_over_e_miller_loop_gadget<libff::mnt4_pp> e_over_e_miller_loop_gadget_type;
     typedef mnt_e_times_e_over_e_miller_loop_gadget<libff::mnt4_pp> e_times_e_over_e_miller_loop_gadget_type;
     typedef mnt4_final_exp_gadget<libff::mnt4_pp> final_exp_gadget_type;
@@ -91,6 +93,7 @@ class pairing_selector<libff::mnt6_pp> {
 
     typedef libff::mnt4_pp other_curve_type;
 
+    typedef mnt_miller_loop_gadget<libff::mnt6_pp> miller_loop_gadget;
     typedef mnt_e_over_e_miller_loop_gadget<libff::mnt6_pp> e_over_e_miller_loop_gadget_type;
     typedef mnt_e_times_e_over_e_miller_loop_gadget<libff::mnt6_pp> e_times_e_over_e_miller_loop_gadget_type;
     typedef mnt6_final_exp_gadget<libff::mnt6_pp> final_exp_gadget_type;

libsnark/gadgetlib1/gadgets/pairing/pairing_checks.hpp

@@ -88,6 +88,61 @@ class check_e_equals_ee_gadget : public gadget<libff::Fr<ppT> > {
     void generate_r1cs_witness();
 };
 
+
+/** Pair of precomputed inputs for pairing */
+template<typename ppT>
+class pairing_input_pair
+{
+public:
+    const G1_precomputation<ppT> &g1;
+    const G2_precomputation<ppT> &g2;
+
+    pairing_input_pair( const G1_precomputation<ppT> &_g1, const G2_precomputation<ppT> &_g2 )
+    : g1(_g1), g2(_g2)
+    {}
+};
+
+
+/**
+* Compute the product of multiple pairings
+*
+*   e(P1,Q1) * e(P2,Q2) * ... * e(Pn,Qn)
+*
+* Equivalent to Ethereum ECPAIRING opcode.
+*
+* Caller must precompute the inputs.
+*/
+template<typename ppT>
+class pairing_product_gadget : public gadget<libff::Fr<ppT> > {
+public:
+    typedef libff::Fr<ppT> FieldT;
+
+    std::vector<Fqk_variable<ppT> > m_miller_results;
+    std::vector<miller_loop_gadget<ppT> > m_miller_loops;
+    std::vector<Fqk_variable<ppT> > m_product_results;
+    std::vector<Fqk_mul_gadget<ppT> > m_product;
+    std::shared_ptr<final_exp_gadget<ppT> > m_final_exp;
+    pb_variable<FieldT> result_is_one;
+
+    pairing_product_gadget(protoboard<FieldT> &pb,
+                           const std::vector<pairing_input_pair<ppT>> &pairs,
+                           const std::string &annotation_prefix);
+
+    pairing_product_gadget(protoboard<FieldT> &pb,
+                           const std::vector<pairing_input_pair<ppT>> &pairs,
+                           const std::vector<Fqk_variable<ppT>> &precomputed_loops,
+                           const std::string &annotation_prefix);
+
+    void generate_r1cs_constraints();
+    void generate_r1cs_witness();
+
+    Fqk_variable<ppT>& result();
+
+    /** before final exponentiation */
+    Fqk_variable<ppT>& raw_result();
+};
+
+
 } // libsnark
 
 #include <libsnark/gadgetlib1/gadgets/pairing/pairing_checks.tcc>

libsnark/gadgetlib1/gadgets/pairing/pairing_checks.tcc

@@ -14,6 +14,7 @@
 #ifndef PAIRING_CHECKS_TCC_
 #define PAIRING_CHECKS_TCC_
 
+
 namespace libsnark {
 
 template<typename ppT>
@@ -88,6 +89,113 @@ void check_e_equals_ee_gadget<ppT>::generate_r1cs_witness()
     check_finexp->generate_r1cs_witness();
 }
 
+
+
+template<typename ppT>
+pairing_product_gadget<ppT>::pairing_product_gadget(
+    protoboard<FieldT> &pb,
+    const std::vector<pairing_input_pair<ppT>> &pairs,
+    const std::vector<Fqk_variable<ppT>> &precomputed_loops,
+    const std::string &annotation_prefix
+) :
+    gadget<FieldT>(pb, annotation_prefix)
+{
+    assert( pairs.size() > 0 );
+    result_is_one.allocate(pb, FMT(annotation_prefix, ".result_is_one"));
+
+    // XXX: must be reserved, otherwise emplace_back will call destructor on miller loop during move which invalidates shared_ptr
+    m_miller_results.reserve(pairs.size());
+    m_miller_loops.reserve(pairs.size());
+    if( pairs.size() > 1 )
+    {
+        const auto x = pairs.size() - 1 + precomputed_loops.size();
+        m_product_results.reserve(x);
+        m_product.reserve(x);
+    }
+
+    // Compute miller loops of e(P_i,Q_i), and compute their product
+    int i = 0;
+    for( const auto &p_ref : pairs )
+    {
+        m_miller_results.emplace_back(pb, FMT(annotation_prefix, ".result_%d", i));
+        m_miller_loops.emplace_back(pb, p_ref.g1, p_ref.g2, m_miller_results[i], FMT(annotation_prefix, ".miller_loop_%d", i));
+
+        if( i > 0 )
+        {
+            const auto &last_result = raw_result();
+            m_product_results.emplace_back(pb, FMT(annotation_prefix, ".product_result_%d", i));
+            m_product.emplace_back(pb, last_result, m_miller_results.back(), m_product_results.back(), FMT(annotation_prefix, ".product_%d", i));
+        }
+
+        i += 1;
+    }
+
+    // Include precomputed pairings in the resulting product
+    for( const auto &x: precomputed_loops )
+    {
+        const auto &last_result = raw_result();
+        m_product_results.emplace_back(pb, FMT(annotation_prefix, ".product_result_%d", i));
+        m_product.emplace_back(pb, last_result, x, m_product_results.back(), FMT(annotation_prefix, ".product_%d", i));
+        i += 1;
+    }
+
+    m_final_exp.reset(new final_exp_gadget<ppT>(pb, raw_result(), result_is_one, FMT(annotation_prefix, ".check_is_one")));
+}
+
+
+template<typename ppT>
+pairing_product_gadget<ppT>::pairing_product_gadget(
+    protoboard<FieldT> &pb,
+    const std::vector<pairing_input_pair<ppT>> &pairs,
+    const std::string &annotation_prefix
+) :
+    pairing_product_gadget(pb, pairs, {}, annotation_prefix)
+{}
+
+
+template<typename ppT>
+void pairing_product_gadget<ppT>::generate_r1cs_constraints()
+{
+    for( auto &m : m_miller_loops )
+        m.generate_r1cs_constraints();
+
+    for( auto &p : m_product )
+        p.generate_r1cs_constraints();
+
+    m_final_exp->generate_r1cs_constraints();
+}
+
+
+template<typename ppT>
+void pairing_product_gadget<ppT>::generate_r1cs_witness()
+{
+    for( auto &m : m_miller_loops )
+        m.generate_r1cs_witness();
+
+    for( auto &p : m_product )
+        p.generate_r1cs_witness();
+
+    m_final_exp->generate_r1cs_witness();
+}
+
+
+template<typename ppT>
+Fqk_variable<ppT>& pairing_product_gadget<ppT>::result()
+{
+    return *m_final_exp->result;
+}
+
+
+template<typename ppT>
+Fqk_variable<ppT>& pairing_product_gadget<ppT>::raw_result()
+{
+    if( m_product_results.size() > 0 )
+        return m_product_results.back();
+
+    return m_miller_results[0];
+}
+
+
 } // libsnark
 
 #endif // PAIRING_CHECKS_TCC_

libsnark/gadgetlib1/gadgets/pairing/pairing_params.hpp

@@ -104,6 +104,9 @@ using Fqk_sqr_gadget = typename pairing_selector<ppT>::Fqk_sqr_gadget_type;
 template<typename ppT>
 using other_curve = typename pairing_selector<ppT>::other_curve_type;
 
+template<typename ppT>
+using miller_loop_gadget = typename pairing_selector<ppT>::miller_loop_gadget;
+
 template<typename ppT>
 using e_over_e_miller_loop_gadget = typename pairing_selector<ppT>::e_over_e_miller_loop_gadget_type;
 template<typename ppT>