Consensys · ivokub · Jan 8, 2024 · Jan 27, 2024 · Jan 27, 2024 · Jan 28, 2024
diff --git a/std/algebra/emulated/sw_bls12381/g2_test.go b/std/algebra/emulated/sw_bls12381/g2_test.go
@@ -51,16 +51,22 @@ func TestScalarMulG2TestSolve(t *testing.T) {
 }
 
 type addG2Circuit struct {
-	In1, In2 G2Affine
-	Res      G2Affine
+	In1, In2   G2Affine
+	Res        G2Affine
+	unifiedAdd bool // if true, use the unified addition method
 }
 
 func (c *addG2Circuit) Define(api frontend.API) error {
 	g2, err := NewG2(api)
 	if err != nil {
 		return fmt.Errorf("new G2 struct: %w", err)
 	}
-	res := g2.add(&c.In1, &c.In2)
+	var res *G2Affine
+	if c.unifiedAdd {
+		res = g2.AddUnified(&c.In1, &c.In2)
+	} else {
+		res = g2.add(&c.In1, &c.In2)
+	}
 	g2.AssertIsEqual(res, &c.Res)
 	return nil
 }
@@ -76,10 +82,118 @@ func TestAddG2TestSolve(t *testing.T) {
 		In2: NewG2Affine(in2),
 		Res: NewG2Affine(res),
 	}
-	err := test.IsSolved(&addG2Circuit{}, &witness, ecc.BN254.ScalarField())
+	err := test.IsSolved(&addG2Circuit{unifiedAdd: false}, &witness, ecc.BN254.ScalarField())
+	assert.NoError(err, "expected success for random inputs")
+}
+
+func TestAddG2FailureCaseTestSolve(t *testing.T) {
+	assert := test.NewAssert(t)
+	_, in1 := randomG1G2Affines()
+	var res bls12381.G2Affine
+	res.Double(&in1)
+	witness := addG2Circuit{
+		In1: NewG2Affine(in1),
+		In2: NewG2Affine(in1),
+		Res: NewG2Affine(res),
+	}
+	err := test.IsSolved(&addG2Circuit{unifiedAdd: false}, &witness, ecc.BN254.ScalarField())
+	// the add() function cannot handle identical inputs
+	assert.Error(err, "expected solver error for identical inputs")
+}
+
+func TestAddG2UnifiedTestSolveAdd(t *testing.T) {
+	assert := test.NewAssert(t)
+	_, in1 := randomG1G2Affines()
+	_, in2 := randomG1G2Affines()
+	var res bls12381.G2Affine
+	res.Add(&in1, &in2)
+	witness := addG2Circuit{
+		In1: NewG2Affine(in1),
+		In2: NewG2Affine(in2),
+		Res: NewG2Affine(res),
+	}
+	err := test.IsSolved(&addG2Circuit{unifiedAdd: true}, &witness, ecc.BN254.ScalarField())
 	assert.NoError(err)
 }
 
+func TestAddG2UnifiedTestSolveDbl(t *testing.T) {
+	assert := test.NewAssert(t)
+	_, in1 := randomG1G2Affines()
+	var res bls12381.G2Affine
+	res.Double(&in1)
+	witness := addG2Circuit{
+		In1: NewG2Affine(in1),
+		In2: NewG2Affine(in1),
+		Res: NewG2Affine(res),
+	}
+	err := test.IsSolved(&addG2Circuit{unifiedAdd: true}, &witness, ecc.BN254.ScalarField())
+	assert.NoError(err)
+}
+
+func TestAddG2UnifiedTestSolveEdgeCases(t *testing.T) {
+	assert := test.NewAssert(t)
+	_, p := randomG1G2Affines()
+	var np, zero bls12381.G2Affine
+	np.Neg(&p)
+	zero.Sub(&p, &p)
+
+	assert.Run(func(assert *test.Assert) {
+		// p + (-p) == (0, 0)
+		witness := addG2Circuit{
+			In1: NewG2Affine(p),
+			In2: NewG2Affine(np),
+			Res: NewG2Affine(zero),
+		}
+		err := test.IsSolved(&addG2Circuit{unifiedAdd: true}, &witness, ecc.BN254.ScalarField())
+		assert.NoError(err)
+	}, "case=inverse")
+
+	assert.Run(func(assert *test.Assert) {
+		// (-p) + p == (0, 0)
+		witness2 := addG2Circuit{
+			In1: NewG2Affine(np),
+			In2: NewG2Affine(p),
+			Res: NewG2Affine(zero),
+		}
+		err := test.IsSolved(&addG2Circuit{unifiedAdd: true}, &witness2, ecc.BN254.ScalarField())
+		assert.NoError(err)
+	}, "case=inverse2")
+
+	assert.Run(func(assert *test.Assert) {
+		// p + (0, 0) == p
+		witness3 := addG2Circuit{
+			In1: NewG2Affine(p),
+			In2: NewG2Affine(zero),
+			Res: NewG2Affine(p),
+		}
+		err := test.IsSolved(&addG2Circuit{unifiedAdd: true}, &witness3, ecc.BN254.ScalarField())
+		assert.NoError(err)
+	}, "case=zero")
+
+	assert.Run(func(assert *test.Assert) {
+		// (0, 0) + p == p
+		witness4 := addG2Circuit{
+			In1: NewG2Affine(zero),
+			In2: NewG2Affine(p),
+			Res: NewG2Affine(p),
+		}
+		err := test.IsSolved(&addG2Circuit{unifiedAdd: true}, &witness4, ecc.BN254.ScalarField())
+		assert.NoError(err)
+	}, "case=zero2")
+
+	assert.Run(func(assert *test.Assert) {
+		// (0, 0) + (0, 0) == (0, 0)
+		witness5 := addG2Circuit{
+			In1: NewG2Affine(zero),
+			In2: NewG2Affine(zero),
+			Res: NewG2Affine(zero),
+		}
+		err5 := test.IsSolved(&addG2Circuit{unifiedAdd: true}, &witness5, ecc.BN254.ScalarField())
+		assert.NoError(err5)
+	}, "case=zero3")
+
+}
+
 type doubleG2Circuit struct {
 	In1 G2Affine
 	Res G2Affine

diff --git a/std/algebra/emulated/sw_bls12381/map_to_g1.go b/std/algebra/emulated/sw_bls12381/map_to_g1.go
@@ -6,6 +6,10 @@ import (
 	"github.com/consensys/gnark-crypto/ecc/bls12-381/fp"
 	"github.com/consensys/gnark-crypto/ecc/bls12-381/hash_to_curve"
 	"github.com/consensys/gnark/frontend"
+	"github.com/consensys/gnark/std/conversion"
+	"github.com/consensys/gnark/std/hash/expand"
+	"github.com/consensys/gnark/std/math/emulated"
+	"github.com/consensys/gnark/std/math/uints"
 )
 
 func (g1 *G1) evalFixedPolynomial(monic bool, coefficients []fp.Element, x *baseEl) *baseEl {
@@ -180,3 +184,95 @@ func (g1 *G1) MapToG1(u *baseEl) (*G1Affine, error) {
 	z = g1.ClearCofactor(z)
 	return z, nil
 }
+
+// EncodeToG1 hashes a message to a point on the G1 curve using the SSWU map as
+// defined in [RFC9380]. It is faster than [G1.HashToG1], but the result is not
+// uniformly distributed. Unsuitable as a random oracle.
+//
+// dst stands for "domain separation tag", a string unique to the construction
+// using the hash function
+//
+// // This method corresponds to the [bls12381.EncodeToG1] method in gnark-crypto.
+//
+// [RFC9380]: https://www.rfc-editor.org/rfc/rfc9380.html#roadmap
+func (g1 *G1) EncodeToG1(msg []uints.U8, dst []byte) (*G1Affine, error) {
+	uniformBytes, err := expand.ExpandMsgXmd(g1.api, msg, dst, secureBaseElementLen)
+	if err != nil {
+		return nil, fmt.Errorf("expand msg: %w", err)
+	}
+	el, err := secureBytesToElement(g1.api, g1.curveF, uniformBytes)
+	if err != nil {
+		return nil, fmt.Errorf("bytes to element: %w", err)
+	}
+	R, err := g1.MapToCurve1(el)
+	if err != nil {
+		return nil, fmt.Errorf("map to curve: %w", err)
+	}
+	R = g1.isogeny(R)
+	R = g1.ClearCofactor(R)
+	return R, nil
+}
+
+// HashToG1 hashes a message to a point on the G1 curve using the SSWU map as
+// defined in [RFC9380]. It is slower than [G1.EncodeToG1], but usable as a
+// random oracle.
+//
+// dst stands for "domain separation tag", a string unique to the construction
+// using the hash function.
+//
+// This method corresponds to the [bls12381.HashToG1] method in gnark-crypto.
+//
+// [RFC9380]: https://www.rfc-editor.org/rfc/rfc9380.html#roadmap
+func (g1 *G1) HashToG1(msg []uints.U8, dst []byte) (*G1Affine, error) {
+	els := make([]*baseEl, 2)
+	uniformBytes, err := expand.ExpandMsgXmd(g1.api, msg, dst, len(els)*secureBaseElementLen)
+	if err != nil {
+		return nil, fmt.Errorf("expand msg: %w", err)
+	}
+	for i := range els {
+		els[i], err = secureBytesToElement(g1.api, g1.curveF, uniformBytes[i*secureBaseElementLen:(i+1)*secureBaseElementLen])
+		if err != nil {
+			return nil, fmt.Errorf("bytes to element: %w", err)
+		}
+	}
+	Q0, err := g1.MapToCurve1(els[0])
+	if err != nil {
+		return nil, fmt.Errorf("map to curve Q0: %w", err)
+	}
+	Q1, err := g1.MapToCurve1(els[1])
+	if err != nil {
+		return nil, fmt.Errorf("map to curve Q1: %w", err)
+	}
+	R0 := g1.isogeny(Q0)
+	R1 := g1.isogeny(Q1)
+	R := g1.add(R0, R1)
+	R = g1.ClearCofactor(R)
+	return R, nil
+}
+
+func secureBytesToElement(api frontend.API, f *emulated.Field[BaseField], data []uints.U8) (*emulated.Element[BaseField], error) {
+	// we have sampled more bytes than is needed to serialize to field element.
+	// The goal is to have more uniform distribution of the output.
+	//
+	// However, we cannot easily initialize non-native elements with more than 48 bytes. So we instead look at
+	// x * 2^376 + y, where x are first 17 bytes and y are the last 47 bytes.
+	if len(data) != secureBaseElementLen {
+		return nil, fmt.Errorf("expected %d bytes, got %d", secureBaseElementLen, len(data))
+	}
+
+	hib := data[:secureBaseElementLen-fp.Bytes+1]
+	lob := data[secureBaseElementLen-fp.Bytes+1 : secureBaseElementLen]
+	// coeff is 2^376 % Fp
+	coeff := f.NewElement("153914086704665934422965000391185991426092731525255651046673021110334850669910978950836977558144201721900890587136")
+	hi, err := conversion.BytesToEmulated[BaseField](api, hib, conversion.WithAllowOverflow())
+	if err != nil {
+		return nil, fmt.Errorf("convert hi bytes to emulated element: %w", err)
+	}
+	lo, err := conversion.BytesToEmulated[BaseField](api, lob, conversion.WithAllowOverflow())
+	if err != nil {
+		return nil, fmt.Errorf("convert lo bytes to emulated element: %w", err)
+	}
+	res := f.Mul(hi, coeff)
+	res = f.Add(res, lo)
+	return res, nil
+}
diff --git a/std/algebra/emulated/sw_bls12381/map_to_g1_test.go b/std/algebra/emulated/sw_bls12381/map_to_g1_test.go
@@ -1,6 +1,7 @@
 package sw_bls12381
 
 import (
+	"crypto/rand"
 	"fmt"
 	"testing"
 
@@ -10,6 +11,7 @@ import (
 	"github.com/consensys/gnark-crypto/ecc/bls12-381/hash_to_curve"
 	"github.com/consensys/gnark/frontend"
 	"github.com/consensys/gnark/std/math/emulated"
+	"github.com/consensys/gnark/std/math/uints"
 	"github.com/consensys/gnark/test"
 )
 
@@ -145,3 +147,79 @@ func TestIsogenyG1(t *testing.T) {
 	err := test.IsSolved(&IsogenyG1Circuit{}, &witness, ecc.BN254.ScalarField())
 	assert.NoError(err)
 }
+
+type EncodeToG1Circuit struct {
+	Msg []uints.U8
+	Res G1Affine
+	Dst []byte
+}
+
+func (c *EncodeToG1Circuit) Define(api frontend.API) error {
+	g, err := NewG1(api)
+	if err != nil {
+		return fmt.Errorf("new G1: %w", err)
+	}
+	res, err := g.EncodeToG1(c.Msg, []byte(c.Dst))
+	if err != nil {
+		return fmt.Errorf("encode to G1: %w", err)
+	}
+
+	g.AssertIsEqual(res, &c.Res)
+	return nil
+}
+
+func TestEncodeToG1(t *testing.T) {
+	assert := test.NewAssert(t)
+	dst := []byte("BLS12381G1Test")
+	for _, msgLen := range []int{0, 1, 31, 32, 33, 63, 64, 65} {
+		assert.Run(func(assert *test.Assert) {
+			msg := make([]byte, msgLen)
+			_, err := rand.Reader.Read(msg)
+			assert.NoError(err, "failed to generate random message")
+			res, err := bls12381.EncodeToG1(msg, dst)
+			assert.NoError(err, "failed to encode message to G1")
+			circuit := EncodeToG1Circuit{Msg: make([]uints.U8, msgLen), Dst: dst}
+			witness := EncodeToG1Circuit{Msg: uints.NewU8Array(msg), Res: NewG1Affine(res)}
+			err = test.IsSolved(&circuit, &witness, ecc.BN254.ScalarField())
+			assert.NoError(err, "solving failed")
+		}, fmt.Sprintf("msgLen=%d", msgLen))
+	}
+}
+
+type HashToG1Circuit struct {
+	Msg []uints.U8
+	Res G1Affine
+	Dst []byte
+}
+
+func (c *HashToG1Circuit) Define(api frontend.API) error {
+	g, err := NewG1(api)
+	if err != nil {
+		return fmt.Errorf("new G1: %w", err)
+	}
+	res, err := g.HashToG1(c.Msg, []byte(c.Dst))
+	if err != nil {
+		return fmt.Errorf("hash to G1: %w", err)
+	}
+
+	g.AssertIsEqual(res, &c.Res)
+	return nil
+}
+
+func TestHashToG1(t *testing.T) {
+	assert := test.NewAssert(t)
+	dst := []byte("BLS12381G1Test")
+	for _, msgLen := range []int{0, 1, 31, 32, 33, 63, 64, 65} {
+		assert.Run(func(assert *test.Assert) {
+			msg := make([]byte, msgLen)
+			_, err := rand.Reader.Read(msg)
+			assert.NoError(err, "failed to generate random message")
+			res, err := bls12381.HashToG1(msg, dst)
+			assert.NoError(err, "failed to hash message to G1")
+			circuit := HashToG1Circuit{Msg: make([]uints.U8, msgLen), Dst: dst}
+			witness := HashToG1Circuit{Msg: uints.NewU8Array(msg), Res: NewG1Affine(res)}
+			err = test.IsSolved(&circuit, &witness, ecc.BN254.ScalarField())
+			assert.NoError(err, "solving failed")
+		}, fmt.Sprintf("msgLen=%d", msgLen))
+	}
+}