From 5bbc4af609325b3b52ce81f66a803727ae713f33 Mon Sep 17 00:00:00 2001
From: Dream Wu
Date: Mon, 21 Oct 2024 16:20:38 +0800
Subject: [PATCH 1/6] fix ecc double for p256

---
 halo2-ecc/src/ecc/mod.rs | 27 +++++++++++++++++----------
 1 file changed, 17 insertions(+), 10 deletions(-)

diff --git a/halo2-ecc/src/ecc/mod.rs b/halo2-ecc/src/ecc/mod.rs
index 972f0f6c..b25413eb 100644
--- a/halo2-ecc/src/ecc/mod.rs
+++ b/halo2-ecc/src/ecc/mod.rs
@@ -138,24 +138,31 @@ pub fn ec_sub_unequal>(
 // formula from https://crypto.stanford.edu/pbc/notes/elliptic/explicit.html
 // assume y != 0 (otherwise 2P = O)
-// lamb = 3x^2 / (2 y) % p
+// lamb = 3x^2 + a / (2 y) % p
 // x_3 = out[0] = lambda^2 - 2 x % p
 // y_3 = out[1] = lambda (x - x_3) - y % p
 // we precompute lambda and constrain (2y) * lambda = 3 x^2 (mod p)
 // then we compute x_3 = lambda^2 - 2 x (mod p)
 // y_3 = lambda (x - x_3) - y (mod p)
-pub fn ec_double>(
+pub fn ec_double, C>(
 chip: &FC,
 ctx: &mut Context,
 P: &EcPoint,
-) -> EcPoint {
+) -> EcPoint
+ where C : CurveAffine,
+ {
 // removed optimization that computes `2 * lambda` while assigning witness to `lambda` simultaneously, in favor of readability. The difference is just copying `lambda` once
 let two_y = chip.scalar_mul_no_carry(ctx, &P.y, 2);
 let three_x = chip.scalar_mul_no_carry(ctx, &P.x, 3);
 let three_x_sq = chip.mul_no_carry(ctx, &three_x, &P.x);
- let lambda = chip.divide_unsafe(ctx, &three_x_sq, &two_y);
-
+
+ // add a, for secp256k1 a = 0, for secp256r1, a > 0
+ let a_const = FC::fe_to_constant(C::a());
+ let three_x_plus_a = chip.add_constant_no_carry(ctx, &three_x_sq, a_const);
+
+ let lambda = chip.divide_unsafe(ctx, &three_x_plus_a, &two_y);
+
 // x_3 = lambda^2 - 2 x % p
 let lambda_sq = chip.mul_no_carry(ctx, &lambda, &lambda);
 let two_x = chip.scalar_mul_no_carry(ctx, &P.x, 2);
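Review bot: The updated formula comment `// lamb = 3x^2 + a / (2 y) % p` reads as 3x^2 + (a / 2y), while the code divides the whole sum, so it should say `// lamb = (3x^2 + a) / (2 y) % p` (the constraint comment a few lines below is left at `3 x^2`; a later patch in this series fixes that one). `FC::fe_to_constant(C::a())` only type-checks when `C::Base` is the chip's field type, and as printed the bound is a bare `C: CurveAffine`; if the associated-type binding is really absent it should be spelled out, e.g. `C: CurveAffine<Base = FC::FieldType>,`. Even with that bound, two curves over the same base field would compile against each other and silently constrain doubling with the wrong `a`, so a doc line such as `/// C selects the curve coefficient a and must be the curve the chip's points lie on` belongs on `ec_double`, since every caller now has to choose it. The series adds no test that exercises `ec_double` on a curve with a nonzero `a`, which is exactly the case this patch exists for. The hunk is cut at `two_x`; the rest of `ec_double` lies outside it.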
@@ -292,7 +299,7 @@ where cached_points.push(P.clone()); for idx in 2..cache_size { if idx == 2 { - let double = ec_double(chip, ctx, P /*, b*/); + let double = ec_double::(chip, ctx, P /*, b*/); cached_points.push(double.clone()); } else { let new_point = ec_add_unequal(chip, ctx, &cached_points[idx - 1], P, false); @@ -311,7 +318,7 @@ where for idx in 1..num_windows { let mut mult_point = curr_point.clone(); for _ in 0..window_bits { - mult_point = ec_double(chip, ctx, &mult_point); + mult_point = ec_double::(chip, ctx, &mult_point); } let add_point = ec_select_from_bits::( chip, @@ -430,7 +437,7 @@ where let mut rand_start_vec = Vec::with_capacity(k + window_bits); rand_start_vec.push(base); for idx in 1..(k + window_bits) { - let base_mult = ec_double(chip, ctx, &rand_start_vec[idx - 1]); + let base_mult = ec_double::(chip, ctx, &rand_start_vec[idx - 1]); rand_start_vec.push(base_mult); } assert!(rand_start_vec.len() >= k + window_bits); @@ -481,7 +488,7 @@ where // compute \sum_i x_i P_i + (2^{k + 1} - 1) * A for idx in 0..num_windows { for _ in 0..window_bits { - curr_point = ec_double(chip, ctx, &curr_point); + curr_point = ec_double::(chip, ctx, &curr_point); } for (cached_points, rounded_bits) in cached_points.chunks(cache_size).zip(rounded_bits.chunks(rounded_bitlen)) @@ -692,7 +699,7 @@ impl> EccChip { ctx: &mut Context, P: &EcPoint, ) -> EcPoint { - ec_double(&self.field_chip, ctx, P) + ec_double::(&self.field_chip, ctx, P) } pub fn is_equal( From aaf07a21a31fd0681618a4469a28d2c3e7b221d8 Mon Sep 17 00:00:00 2001 From: Dream Wu Date: Mon, 21 Oct 2024 21:27:58 +0800 Subject: [PATCH 2/6] update ec_double with genric type --- halo2-ecc/src/bn254/pairing.rs | 9 ++++++--- halo2-ecc/src/ecc/ecdsa.rs | 2 +- halo2-ecc/src/ecc/mod.rs | 17 +++++++++++------ halo2-ecc/src/ecc/pippenger.rs | 17 +++++++++-------- 4 files changed, 27 insertions(+), 18 deletions(-) 
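Review bot: `ec_double::<…, C>` is now called from inside `scalar_multiply` (hunks at 292 and 311) but, as far as these hunks show, `C` is not a type parameter of that function until patch 2 adds it, so this commit on its own does not build and breaks bisection; moving the `scalar_multiply` signature change into this commit (or squashing patches 1–3) would keep every commit compilable. The enclosing functions start and end outside these hunks.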
diff --git a/halo2-ecc/src/bn254/pairing.rs b/halo2-ecc/src/bn254/pairing.rs index 08e2fe06..2cd7f6fb 100644 --- a/halo2-ecc/src/bn254/pairing.rs +++ b/halo2-ecc/src/bn254/pairing.rs @@ -6,6 +6,7 @@ use crate::halo2_proofs::{ halo2curves::bn256::{self, G1Affine, G2Affine, SIX_U_PLUS_2_NAF}, halo2curves::bn256::{Fq, Fq2, FROBENIUS_COEFF_FQ12_C1}, plonk::ConstraintSystem, + arithmetic::CurveAffine, }; use crate::{ ecc::{EcPoint, EccChip}, @@ -215,13 +216,15 @@ pub fn fp12_multiply_with_line_equal( // - `0 <= loop_count < r` and `loop_count < p` (to avoid [loop_count]Q' = Frob_p(Q')) // - x^3 + b = 0 has no solution in Fp2, i.e., the y-coordinate of Q cannot be 0. -pub fn miller_loop_BN( +pub fn miller_loop_BN( ecc_chip: &EccChip>, ctx: &mut Context, Q: &EcPoint>, P: &EcPoint>, pseudo_binary_encoding: &[i8], -) -> FqPoint { +) -> FqPoint + where C: CurveAffine>, +{ let mut i = pseudo_binary_encoding.len() - 1; while pseudo_binary_encoding[i] == 0 { i -= 1; @@ -262,7 +265,7 @@ pub fn miller_loop_BN( let f_sq = fp12_chip.mul(ctx, &f, &f); f = fp12_multiply_with_line_equal::(ecc_chip.field_chip(), ctx, &f_sq, &R, P); } - R = ecc_chip.double(ctx, &R); + R = ecc_chip.double::(ctx, &R); assert!(pseudo_binary_encoding[i] <= 1 && pseudo_binary_encoding[i] >= -1); if pseudo_binary_encoding[i] != 0 { diff --git a/halo2-ecc/src/ecc/ecdsa.rs b/halo2-ecc/src/ecc/ecdsa.rs index 6f940874..e81ea664 100644 --- a/halo2-ecc/src/ecc/ecdsa.rs +++ b/halo2-ecc/src/ecc/ecdsa.rs @@ -56,7 +56,7 @@ where base_chip.limb_bits, fixed_window_bits, ); - let u2_mul = scalar_multiply::( + let u2_mul = scalar_multiply::( base_chip, ctx, pubkey, diff --git a/halo2-ecc/src/ecc/mod.rs b/halo2-ecc/src/ecc/mod.rs index b25413eb..590ad57d 100644 --- a/halo2-ecc/src/ecc/mod.rs +++ b/halo2-ecc/src/ecc/mod.rs 
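Review bot: `miller_loop_BN` gains a curve type parameter `C` whose only use is `ecc_chip.double::<C>(ctx, &R)`, yet everything around it is hard-wired to the BN254 twist (`Fq2`, `G2Affine`, `SIX_U_PLUS_2_NAF`), so letting the caller choose `C` adds a way to instantiate the loop with a mismatched `a` while the name and the line functions still assume BN. Fixing the curve inside, `R = ecc_chip.double::<G2Affine>(ctx, &R);`, and dropping the generic keeps the public signature as it was and removes the turbofish at every call site; `G2Affine` is already imported at the top of the file, and its `a()` is presumably zero, which is what the previous code implicitly used. The same applies to `multi_miller_loop_BN` in patch 3. The body of `miller_loop_BN` continues outside these hunks.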
@@ -236,7 +236,7 @@ where // - `scalar_i < 2^{max_bits} for all i` (constrained by num_to_bits) // - `max_bits <= modulus::.bits()` // * P has order given by the scalar field modulus -pub fn scalar_multiply( +pub fn scalar_multiply( chip: &FC, ctx: &mut Context, P: &EcPoint, @@ -246,6 +246,7 @@ pub fn scalar_multiply( ) -> EcPoint where FC: FieldChip + Selectable, + C: CurveAffineExt, { assert!(!scalar.is_empty()); assert!((max_bits as u64) <= modulus::().bits()); @@ -694,11 +695,13 @@ impl> EccChip { ec_sub_unequal(&self.field_chip, ctx, P, Q, is_strict) } - pub fn double( + pub fn double( &self, ctx: &mut Context, P: &EcPoint, - ) -> EcPoint { + ) -> EcPoint + where C: CurveAffine + { ec_double::(&self.field_chip, ctx, P) } @@ -758,15 +761,17 @@ where ec_select(&self.field_chip, ctx, P, Q, condition) } - pub fn scalar_mult( + pub fn scalar_mult( &self, ctx: &mut Context, P: &EcPoint, scalar: &Vec>, max_bits: usize, window_bits: usize, - ) -> EcPoint { - scalar_multiply::(&self.field_chip, ctx, P, scalar, max_bits, window_bits) + ) -> EcPoint + where C: CurveAffine + { + scalar_multiply::(&self.field_chip, ctx, P, scalar, max_bits, window_bits) } // TODO: put a check in place that scalar is < modulus of C::Scalar diff --git a/halo2-ecc/src/ecc/pippenger.rs b/halo2-ecc/src/ecc/pippenger.rs index b713966e..2274082e 100644 --- a/halo2-ecc/src/ecc/pippenger.rs +++ b/halo2-ecc/src/ecc/pippenger.rs @@ -12,7 +12,7 @@ use halo2_base::{gates::GateInstructions, utils::CurveAffineExt, AssignedValue, // Output: // * new_points: length `points.len() * radix` // * new_bool_scalars: 2d array `ceil(scalar_bits / radix)` by `points.len() * radix` -pub fn decompose( +pub fn decompose( chip: &FC, ctx: &mut Context, points: &[EcPoint], @@ -23,6 +23,7 @@ pub fn decompose( where F: PrimeField, FC: FieldChip, + C: CurveAffineExt, { assert_eq!(points.len(), scalars.len()); let scalar_bits = max_scalar_bits_per_cell * scalars[0].len(); 
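Review bot: The three new bounds disagree: `scalar_multiply` requires `C: CurveAffineExt`, while `EccChip::double` and `EccChip::scalar_mult` (which forwards to `scalar_multiply`) require only `C: CurveAffine`, and `ec_double` needs nothing beyond `CurveAffine` to call `C::a()`. Unless the stripped generic arguments carry more than what is printed, `scalar_mult` cannot satisfy the stronger bound from the weaker one, and the stronger one is never used; `C: CurveAffine<Base = FC::FieldType>,` on `scalar_multiply` would make the three consistent. The assumption list in the comment above `scalar_multiply` (`scalar_i < 2^{max_bits}`, the order of `P`) does not mention that `C` must be the curve the points lie on; adding `// * C is the curve whose coefficient a is used when doubling` there keeps that list complete. The function bodies continue outside these hunks.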
@@ -38,7 +39,7 @@ where new_points.push(g); for _ in 1..radix { // if radix > 1, this does not work if `points` contains identity point - g = ec_double(chip, ctx, new_points.last().unwrap()); + g = ec_double::(chip, ctx, new_points.last().unwrap()); new_points.push(g); } let mut bits = Vec::with_capacity(scalar_bits); @@ -88,7 +89,7 @@ where // for later addition collision-prevension, we need a different random point per round // we take 2^round * rand_base if round > 0 { - rand_point = ec_double(chip, ctx, &rand_point); + rand_point = ec_double::(chip, ctx, &rand_point); } // stores { rand_point, rand_point + points[0], rand_point + points[1], rand_point + points[0] + points[1] , ... } // since rand_point is random, we can always use add_unequal (with strict constraint checking that the points are indeed unequal and not negative of each other) @@ -129,7 +130,7 @@ where } // we have acc[j] = G'[j] + (2^num_rounds - 1) * rand_base - rand_point = ec_double(chip, ctx, &rand_point); + rand_point = ec_double::(chip, ctx, &rand_point); rand_point = ec_sub_unequal(chip, ctx, &rand_point, &rand_base, false); (acc, rand_point) @@ -149,7 +150,7 @@ where C: CurveAffineExt, { let (points, bool_scalars) = - decompose::(chip, ctx, points, scalars, max_scalar_bits_per_cell, radix); + decompose::(chip, ctx, points, scalars, max_scalar_bits_per_cell, radix); /* let t = bool_scalars.len(); @@ -179,8 +180,8 @@ where let mut rand_sum = rand_point.clone(); for g in agg.iter().rev() { for _ in 0..radix { - sum = ec_double(chip, ctx, &sum); - rand_sum = ec_double(chip, ctx, &rand_sum); + sum = ec_double::(chip, ctx, &sum); + rand_sum = ec_double::(chip, ctx, &rand_sum); } sum = ec_add_unequal(chip, ctx, &sum, g, true); chip.enforce_less_than(ctx, sum.x()); 
@@ -192,7 +193,7 @@ where } if radix == 1 { - rand_sum = ec_double(chip, ctx, &rand_sum); + rand_sum = ec_double::(chip, ctx, &rand_sum); // assume 2^t != +-1 mod modulus::() rand_sum = ec_sub_unequal(chip, ctx, &rand_sum, &rand_point, false); } From 71358882b1d56d87c0546cc7146f1ec32fe95032 Mon Sep 17 00:00:00 2001 From: Rohit Narurkar Date: Mon, 21 Oct 2024 22:50:31 +0100 Subject: [PATCH 3/6] fix and fmt --- Cargo.lock | 37 ++++++++++++++++++++++++++++++++-- Cargo.toml | 6 ++++++ halo2-ecc/src/bn254/pairing.rs | 20 ++++++++++-------- halo2-ecc/src/ecc/mod.rs | 21 ++++++++++--------- halo2-ecc/src/ecc/pippenger.rs | 6 +++--- 5 files changed, 68 insertions(+), 22 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index f836a1c2..fc1699b2 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -159,6 +159,19 @@ version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8d696c370c750c948ada61c69a0ee2cbbb9c50b1019ddb86d9317157a99c2cae" +[[package]] +name = "bls12_381" +version = "0.8.0" +source = "git+https://github.com/scroll-tech/bls12_381?branch=feat/impl_scalar_field#2c515f73a2462fef8681c8e884edf1710f52b22a" +dependencies = [ + "ff 0.13.0", + "group 0.13.0", + "pairing", + "pasta_curves 0.5.1", + "rand_core", + "subtle", +] + [[package]] name = "bumpalo" version = "3.12.1" @@ -993,15 +1006,17 @@ dependencies = [ [[package]] name = "halo2curves" version = "0.1.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e6b1142bd1059aacde1b477e0c80c142910f1ceae67fc619311d6a17428007ab" +source = "git+https://github.com/scroll-tech/halo2curves?branch=v0.1.0#a495a7b11ad13e5cd0cca7ca5d737b398cfaf1b7" dependencies = [ "blake2b_simd", + "bls12_381", "ff 0.13.0", "group 0.13.0", "lazy_static", + "maybe-rayon", "num-bigint", "num-traits", + "pairing", "pasta_curves 0.5.1", "paste", "rand", 
@@ -1293,6 +1308,15 @@ dependencies = [ "cfg-if 1.0.0", ] +[[package]] +name = "maybe-rayon" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8ea1f30cedd69f0a2954655f7188c6a834246d2bcf1e315e2ac40c4b24dc9519" +dependencies = [ + "cfg-if 1.0.0", +] + [[package]] name = "memchr" version = "2.5.0" @@ -1452,6 +1476,15 @@ version = "6.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ceedf44fb00f2d1984b0bc98102627ce622e083e49a5bacdb3e514fa4238e267" +[[package]] +name = "pairing" +version = "0.23.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "81fec4625e73cf41ef4bb6846cafa6d44736525f442ba45e407c4a000a13996f" +dependencies = [ + "group 0.13.0", +] + [[package]] name = "parking_lot" version = "0.12.1" diff --git a/Cargo.toml b/Cargo.toml index 82e5a55a..3351d9aa 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -44,3 +44,9 @@ debug = true [patch."https://github.com/axiom-crypto/halo2-lib.git"] halo2-base = { path = "./halo2-base" } halo2-ecc = { path = "./halo2-ecc" } + +[patch.crates-io] +halo2curves = { git = "https://github.com/scroll-tech/halo2curves", branch = "v0.1.0" } + +[patch."https://github.com/privacy-scaling-explorations/bls12_381"] +bls12_381 = { git = "https://github.com/scroll-tech/bls12_381", branch = "feat/impl_scalar_field" } diff --git a/halo2-ecc/src/bn254/pairing.rs b/halo2-ecc/src/bn254/pairing.rs index 2cd7f6fb..8fded38c 100644 --- a/halo2-ecc/src/bn254/pairing.rs +++ b/halo2-ecc/src/bn254/pairing.rs @@ -2,11 +2,11 @@ use super::{Fp12Chip, Fp2Chip, FpChip, FpPoint, FqPoint}; use crate::fields::PrimeField; use crate::halo2_proofs::{ + arithmetic::CurveAffine, circuit::Value, halo2curves::bn256::{self, G1Affine, G2Affine, SIX_U_PLUS_2_NAF}, halo2curves::bn256::{Fq, Fq2, FROBENIUS_COEFF_FQ12_C1}, plonk::ConstraintSystem, - arithmetic::CurveAffine, }; use crate::{ ecc::{EcPoint, EccChip}, 
@@ -222,8 +222,9 @@ pub fn miller_loop_BN( Q: &EcPoint>, P: &EcPoint>, pseudo_binary_encoding: &[i8], -) -> FqPoint - where C: CurveAffine>, +) -> FqPoint +where + C: CurveAffine, { let mut i = pseudo_binary_encoding.len() - 1; while pseudo_binary_encoding[i] == 0 { @@ -303,12 +304,15 @@ pub fn miller_loop_BN( // let pairs = [(a_i, b_i)], a_i in G_1, b_i in G_2 // output is Prod_i e'(a_i, b_i), where e'(a_i, b_i) is the output of `miller_loop_BN(b_i, a_i)` -pub fn multi_miller_loop_BN( +pub fn multi_miller_loop_BN( ecc_chip: &EccChip>, ctx: &mut Context, pairs: Vec<(&EcPoint>, &EcPoint>)>, pseudo_binary_encoding: &[i8], -) -> FqPoint { +) -> FqPoint +where + C: CurveAffine, +{ let mut i = pseudo_binary_encoding.len() - 1; while pseudo_binary_encoding[i] == 0 { i -= 1; @@ -357,7 +361,7 @@ pub fn multi_miller_loop_BN( } } for r in r.iter_mut() { - *r = ecc_chip.double(ctx, &r); + *r = ecc_chip.double::(ctx, &r); } assert!(pseudo_binary_encoding[i] <= 1 && pseudo_binary_encoding[i] >= -1); @@ -520,7 +524,7 @@ impl PairingChip { ) -> FqPoint { let fp2_chip = Fp2Chip::::construct(self.fp_chip.clone()); let g2_chip = EccChip::construct(fp2_chip); - miller_loop_BN::( + miller_loop_BN::( &g2_chip, ctx, Q, @@ -536,7 +540,7 @@ impl PairingChip { ) -> FqPoint { let fp2_chip = Fp2Chip::::construct(self.fp_chip.clone()); let g2_chip = EccChip::construct(fp2_chip); - multi_miller_loop_BN::( + multi_miller_loop_BN::( &g2_chip, ctx, pairs, diff --git a/halo2-ecc/src/ecc/mod.rs b/halo2-ecc/src/ecc/mod.rs index 590ad57d..cd0b594f 100644 --- a/halo2-ecc/src/ecc/mod.rs +++ b/halo2-ecc/src/ecc/mod.rs 
@@ -150,19 +150,20 @@ pub fn ec_double, C>( ctx: &mut Context, P: &EcPoint, ) -> EcPoint - where C : CurveAffine, - { +where + C: CurveAffine, +{ // removed optimization that computes `2 * lambda` while assigning witness to `lambda` simultaneously, in favor of readability. The difference is just copying `lambda` once let two_y = chip.scalar_mul_no_carry(ctx, &P.y, 2); let three_x = chip.scalar_mul_no_carry(ctx, &P.x, 3); let three_x_sq = chip.mul_no_carry(ctx, &three_x, &P.x); - + // add a, for secp256k1 a = 0, for secp256r1, a > 0 let a_const = FC::fe_to_constant(C::a()); let three_x_plus_a = chip.add_constant_no_carry(ctx, &three_x_sq, a_const); - + let lambda = chip.divide_unsafe(ctx, &three_x_plus_a, &two_y); - + // x_3 = lambda^2 - 2 x % p let lambda_sq = chip.mul_no_carry(ctx, &lambda, &lambda); let two_x = chip.scalar_mul_no_carry(ctx, &P.x, 2); @@ -700,8 +701,9 @@ impl> EccChip { ctx: &mut Context, P: &EcPoint, ) -> EcPoint - where C: CurveAffine - { + where + C: CurveAffine, + { ec_double::(&self.field_chip, ctx, P) } @@ -769,8 +771,9 @@ where max_bits: usize, window_bits: usize, ) -> EcPoint - where C: CurveAffine - { + where + C: CurveAffine, + { scalar_multiply::(&self.field_chip, ctx, P, scalar, max_bits, window_bits) } diff --git a/halo2-ecc/src/ecc/pippenger.rs b/halo2-ecc/src/ecc/pippenger.rs index 2274082e..2871421c 100644 --- a/halo2-ecc/src/ecc/pippenger.rs +++ b/halo2-ecc/src/ecc/pippenger.rs @@ -12,7 +12,7 @@ use halo2_base::{gates::GateInstructions, utils::CurveAffineExt, AssignedValue, // Output: // * new_points: length `points.len() * radix` // * new_bool_scalars: 2d array `ceil(scalar_bits / radix)` by `points.len() * radix` -pub fn decompose( +pub fn decompose( chip: &FC, ctx: &mut Context, points: &[EcPoint], @@ -23,7 +23,7 @@ pub fn decompose( where F: PrimeField, FC: FieldChip, - C: CurveAffineExt, + C: CurveAffineExt, { assert_eq!(points.len(), scalars.len()); let scalar_bits = max_scalar_bits_per_cell * scalars[0].len(); 
@@ -39,7 +39,7 @@ where new_points.push(g); for _ in 1..radix { // if radix > 1, this does not work if `points` contains identity point - g = ec_double::(chip, ctx, new_points.last().unwrap()); + g = ec_double::(chip, ctx, new_points.last().unwrap()); new_points.push(g); } let mut bits = Vec::with_capacity(scalar_bits); From b8cb83364193b1f8fd27d395e25aa2626269051f Mon Sep 17 00:00:00 2001 From: Rohit Narurkar Date: Mon, 21 Oct 2024 23:06:36 +0100 Subject: [PATCH 4/6] fix --tests compilation --- halo2-ecc/src/bn254/tests/fixed_base_msm.rs | 1 + halo2-ecc/src/bn254/tests/msm.rs | 4 ++-- halo2-ecc/src/ecc/tests.rs | 2 +- halo2-ecc/src/fields/tests.rs | 2 ++ halo2-ecc/src/secp256k1/tests/ecdsa.rs | 1 + 5 files changed, 7 insertions(+), 3 deletions(-) diff --git a/halo2-ecc/src/bn254/tests/fixed_base_msm.rs b/halo2-ecc/src/bn254/tests/fixed_base_msm.rs index c7239d9d..424acacf 100644 --- a/halo2-ecc/src/bn254/tests/fixed_base_msm.rs +++ b/halo2-ecc/src/bn254/tests/fixed_base_msm.rs @@ -1,3 +1,4 @@ +use ff::Field; use std::{env::var, fs::File}; #[allow(unused_imports)] diff --git a/halo2-ecc/src/bn254/tests/msm.rs b/halo2-ecc/src/bn254/tests/msm.rs index e2d3d716..4e68e6f7 100644 --- a/halo2-ecc/src/bn254/tests/msm.rs +++ b/halo2-ecc/src/bn254/tests/msm.rs @@ -1,6 +1,6 @@ -use std::{env::var, fs::File}; - +use ff::Field; use halo2_base::SKIP_FIRST_PASS; +use std::{env::var, fs::File}; use super::*; diff --git a/halo2-ecc/src/ecc/tests.rs b/halo2-ecc/src/ecc/tests.rs index 8fe0c382..1b5589f5 100644 --- a/halo2-ecc/src/ecc/tests.rs +++ b/halo2-ecc/src/ecc/tests.rs @@ -110,7 +110,7 @@ impl Circuit for MyCircuit { // test double { - let doub = chip.double(ctx, &P_assigned); + let doub = chip.double::(ctx, &P_assigned); assert_eq!( value_to_option(doub.x.truncation.to_bigint(config.limb_bits)), value_to_option(doub.x.value.clone()) diff --git a/halo2-ecc/src/fields/tests.rs b/halo2-ecc/src/fields/tests.rs index eb8de39b..26c1f778 100644 --- a/halo2-ecc/src/fields/tests.rs 
+++ b/halo2-ecc/src/fields/tests.rs @@ -10,6 +10,7 @@ mod fp { halo2curves::bn256::{Fq, Fr}, plonk::*, }; + use ff::Field; use halo2_base::{ utils::{fe_to_biguint, modulus}, SKIP_FIRST_PASS, @@ -141,6 +142,7 @@ mod fp12 { halo2curves::bn256::{Fq, Fq12, Fr}, plonk::*, }; + use ff::Field; use halo2_base::utils::modulus; use halo2_base::SKIP_FIRST_PASS; use std::marker::PhantomData; diff --git a/halo2-ecc/src/secp256k1/tests/ecdsa.rs b/halo2-ecc/src/secp256k1/tests/ecdsa.rs index 6b17d91b..ad9a869f 100644 --- a/halo2-ecc/src/secp256k1/tests/ecdsa.rs +++ b/halo2-ecc/src/secp256k1/tests/ecdsa.rs @@ -1,6 +1,7 @@ #![allow(non_snake_case)] use crate::fields::PrimeField; use ark_std::{end_timer, start_timer}; +use ff::Field; use halo2_base::SKIP_FIRST_PASS; use serde::{Deserialize, Serialize}; use std::fs::File; From 8598a59f75cefea31e3cbab5ab74b7655808cf23 Mon Sep 17 00:00:00 2001 From: Dream Wu Date: Tue, 22 Oct 2024 17:57:43 +0800 Subject: [PATCH 5/6] remove patch --- Cargo.lock | 37 ++----------------------------------- Cargo.toml | 5 ----- halo2-ecc/src/ecc/mod.rs | 2 +- 3 files changed, 3 insertions(+), 41 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index fc1699b2..f836a1c2 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -159,19 +159,6 @@ version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8d696c370c750c948ada61c69a0ee2cbbb9c50b1019ddb86d9317157a99c2cae" -[[package]] -name = "bls12_381" -version = "0.8.0" -source = "git+https://github.com/scroll-tech/bls12_381?branch=feat/impl_scalar_field#2c515f73a2462fef8681c8e884edf1710f52b22a" -dependencies = [ - "ff 0.13.0", - "group 0.13.0", - "pairing", - "pasta_curves 0.5.1", - "rand_core", - "subtle", -] - [[package]] name = "bumpalo" version = "3.12.1" 
@@ -1006,17 +993,15 @@ dependencies = [ [[package]] name = "halo2curves" version = "0.1.0" -source = "git+https://github.com/scroll-tech/halo2curves?branch=v0.1.0#a495a7b11ad13e5cd0cca7ca5d737b398cfaf1b7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e6b1142bd1059aacde1b477e0c80c142910f1ceae67fc619311d6a17428007ab" dependencies = [ "blake2b_simd", - "bls12_381", "ff 0.13.0", "group 0.13.0", "lazy_static", - "maybe-rayon", "num-bigint", "num-traits", - "pairing", "pasta_curves 0.5.1", "paste", "rand", @@ -1308,15 +1293,6 @@ dependencies = [ "cfg-if 1.0.0", ] -[[package]] -name = "maybe-rayon" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8ea1f30cedd69f0a2954655f7188c6a834246d2bcf1e315e2ac40c4b24dc9519" -dependencies = [ - "cfg-if 1.0.0", -] - [[package]] name = "memchr" version = "2.5.0" @@ -1476,15 +1452,6 @@ version = "6.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ceedf44fb00f2d1984b0bc98102627ce622e083e49a5bacdb3e514fa4238e267" -[[package]] -name = "pairing" -version = "0.23.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "81fec4625e73cf41ef4bb6846cafa6d44736525f442ba45e407c4a000a13996f" -dependencies = [ - "group 0.13.0", -] - [[package]] name = "parking_lot" version = "0.12.1" diff --git a/Cargo.toml b/Cargo.toml index 3351d9aa..83ffd337 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -45,8 +45,3 @@ debug = true halo2-base = { path = "./halo2-base" } halo2-ecc = { path = "./halo2-ecc" } -[patch.crates-io] -halo2curves = { git = "https://github.com/scroll-tech/halo2curves", branch = "v0.1.0" } - -[patch."https://github.com/privacy-scaling-explorations/bls12_381"] -bls12_381 = { git = "https://github.com/scroll-tech/bls12_381", branch = "feat/impl_scalar_field" } diff --git a/halo2-ecc/src/ecc/mod.rs b/halo2-ecc/src/ecc/mod.rs index cd0b594f..3b1586b2 100644 --- a/halo2-ecc/src/ecc/mod.rs 
+++ b/halo2-ecc/src/ecc/mod.rs
@@ -142,7 +142,7 @@ pub fn ec_sub_unequal>(
 // x_3 = out[0] = lambda^2 - 2 x % p
 // y_3 = out[1] = lambda (x - x_3) - y % p
-// we precompute lambda and constrain (2y) * lambda = 3 x^2 (mod p)
+// we precompute lambda and constrain (2y) * lambda = 3 x^2 + a(mod p)
 // then we compute x_3 = lambda^2 - 2 x (mod p)
 // y_3 = lambda (x - x_3) - y (mod p)
 pub fn ec_double, C>(

From f533846c55602aea51cfacbb7b30cf46479c1446 Mon Sep 17 00:00:00 2001
From: Dream Wu
Date: Tue, 22 Oct 2024 18:00:10 +0800
Subject: [PATCH 6/6] remove blank

---
 Cargo.toml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/Cargo.toml b/Cargo.toml
index 83ffd337..82e5a55a 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -44,4 +44,3 @@ debug = true
 [patch."https://github.com/axiom-crypto/halo2-lib.git"]
 halo2-base = { path = "./halo2-base" }
 halo2-ecc = { path = "./halo2-ecc" }
-
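Review bot: The rewritten constraint comment `3 x^2 + a(mod p)` is missing the space before the modulus, so `a(mod p)` reads like a function application; `// we precompute lambda and constrain (2y) * lambda = 3 x^2 + a (mod p)` matches the two lines that follow it. The `lamb = 3x^2 + a / (2 y) % p` line just above this hunk still lacks the parentheses around the numerator and would be worth fixing in the same commit.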