@@ -13,6 +13,93 @@ using namespace libsnark;
|
|
|
// _private variables_ are values known only to the prover
|
|
|
// and change in each use of the circuit
|
|
|
|
|
|
+// The elliptic curve we're operating on must have a _modulus_ that is
|
|
|
+// the same as the _order_ of the underlying SNARK curve (BN128, MNT4,
|
|
|
+// etc.). So we need to be able to specify a suitable curve and
|
|
|
+// generators for each such underlying SNARK curve.
|
|
|
+template<typename FieldT>
|
|
|
+struct curveParams {
|
|
|
+ // Some generators
|
|
|
+ static FieldT Gx, Gy, Hx, Hy, Cx, Cy, Ax, Ay;
|
|
|
+};
|
|
|
+
|
|
|
+typedef libff::Fr<libff::bn128_pp> BN128Fr;
|
|
|
+typedef curveParams<BN128Fr> BN128Params;
|
|
|
+typedef libff::Fr<libff::mnt4_pp> MNT4Fr;
|
|
|
+typedef curveParams<MNT4Fr> MNT4Params;
|
|
|
+typedef libff::Fr<libff::mnt6_pp> MNT6Fr;
|
|
|
+typedef curveParams<MNT6Fr> MNT6Params;
|
|
|
+
|
|
|
+void init_curveparams(void) {
|
|
|
+ // BN128 has order 21888242871839275222246405745257275088548364400416034343698204186575808495617.
|
|
|
+ // The curve we use has that number as a modulus, equation
|
|
|
+ // y^2 = x^3 - 3*x + 7950939520449436327800262930799465135910802758673292356620796789196167463969,
|
|
|
+ // order 21888242871839275222246405745257275088760161411100494528458776273921456643749,
|
|
|
+ // and twist order 21888242871839275222246405745257275088336567389731574158937632099230160347487
|
|
|
+ BN128Params::Gx = BN128Fr(0);
|
|
|
+ BN128Params::Gy = BN128Fr("11977228949870389393715360594190192321220966033310912010610740966317727761886");
|
|
|
+ BN128Params::Hx = BN128Fr(1);
|
|
|
+ BN128Params::Hy = BN128Fr("21803877843449984883423225223478944275188924769286999517937427649571474907279");
|
|
|
+ BN128Params::Cx = BN128Fr(2);
|
|
|
+ BN128Params::Cy = BN128Fr("4950745124018817972378217179409499695353526031437053848725554590521829916331");
|
|
|
+ BN128Params::Ax = BN128Fr(4);
|
|
|
+ BN128Params::Ay = BN128Fr("1929778687269876629657252589535788315400602403700102541701561325064015752665");
|
|
|
+
|
|
|
+ // MNT4 has order 475922286169261325753349249653048451545124878552823515553267735739164647307408490559963137.
|
|
|
+ // The curve we use has that number as a modulus, equation
|
|
|
+ // y^2 = x^3 - 3*x + 231167148323223259519222248276530122498019837271767399092881541755570759528915690054257617,
|
|
|
+ // order 475922286169261325753349249653048451545124877609388602970058907680650183700694415633043899,
|
|
|
+ // and twist order 475922286169261325753349249653048451545124879496258428136476563797679110914122565486882377
|
|
|
+ MNT4Params::Gx = MNT4Fr(0);
|
|
|
+ MNT4Params::Gy = MNT4Fr("69340010096176642671075936244233205591761175107929619077175443746098492155210682688004000");
|
|
|
+ MNT4Params::Hx = MNT4Fr(4);
|
|
|
+ MNT4Params::Hy = MNT4Fr("89962085395108430328776481330922276788164520703635405311225917405228387147951802989614963");
|
|
|
+ MNT4Params::Cx = MNT4Fr(5);
|
|
|
+ MNT4Params::Cy = MNT4Fr("52902001285898935334481582927659505082867000922458881015269230130767369971501119682509581");
|
|
|
+ MNT4Params::Ax = MNT4Fr(13);
|
|
|
+ MNT4Params::Ay = MNT4Fr("121053423448209007180763047755032137130187089528003831161099799540651189694573076331882906");
|
|
|
+
|
|
|
+ // MNT6 has order 475922286169261325753349249653048451545124879242694725395555128576210262817955800483758081
|
|
|
+ // The curve we use has that number as a modulus, equation
|
|
|
+ // y^2 = x^3 - 3*x + 24546313041565681523715355676371506472020535518551005057500340479469011985449670363024622,
|
|
|
+ // order 475922286169261325753349249653048451545124878803858277348714592806990498327174348276061263,
|
|
|
+ // and twist order 475922286169261325753349249653048451545124879681531173442395664345430027308737252691454901
|
|
|
+ MNT6Params::Gx = MNT6Fr(6);
|
|
|
+ MNT6Params::Gy = MNT6Fr("24197108752891306593933912637919640614809244712814357996916386860820196450211056738894088");
|
|
|
+ MNT6Params::Hx = MNT6Fr(7);
|
|
|
+ MNT6Params::Hy = MNT6Fr("38986684752414230937697051240187730249331222579878762386361563720275249449300503095108315");
|
|
|
+ MNT6Params::Cx = MNT6Fr(10);
|
|
|
+ MNT6Params::Cy = MNT6Fr("16456076723096839034614236624058053946787958080849874304391400047777491942015349039526487");
|
|
|
+ MNT6Params::Ax = MNT6Fr(15);
|
|
|
+ MNT6Params::Ay = MNT6Fr("217167731603808417993030053532106278784760282438477394477321645018696010454906317296597425");
|
|
|
+}
|
|
|
+
|
|
|
+// These need to be here for the linker to work
|
|
|
+template<> BN128Fr BN128Params::Gx = 0;
|
|
|
+template<> BN128Fr BN128Params::Gy = 0;
|
|
|
+template<> BN128Fr BN128Params::Hx = 0;
|
|
|
+template<> BN128Fr BN128Params::Hy = 0;
|
|
|
+template<> BN128Fr BN128Params::Cx = 0;
|
|
|
+template<> BN128Fr BN128Params::Cy = 0;
|
|
|
+template<> BN128Fr BN128Params::Ax = 0;
|
|
|
+template<> BN128Fr BN128Params::Ay = 0;
|
|
|
+template<> MNT4Fr MNT4Params::Gx = 0;
|
|
|
+template<> MNT4Fr MNT4Params::Gy = 0;
|
|
|
+template<> MNT4Fr MNT4Params::Hx = 0;
|
|
|
+template<> MNT4Fr MNT4Params::Hy = 0;
|
|
|
+template<> MNT4Fr MNT4Params::Cx = 0;
|
|
|
+template<> MNT4Fr MNT4Params::Cy = 0;
|
|
|
+template<> MNT4Fr MNT4Params::Ax = 0;
|
|
|
+template<> MNT4Fr MNT4Params::Ay = 0;
|
|
|
+template<> MNT6Fr MNT6Params::Gx = 0;
|
|
|
+template<> MNT6Fr MNT6Params::Gy = 0;
|
|
|
+template<> MNT6Fr MNT6Params::Hx = 0;
|
|
|
+template<> MNT6Fr MNT6Params::Hy = 0;
|
|
|
+template<> MNT6Fr MNT6Params::Cx = 0;
|
|
|
+template<> MNT6Fr MNT6Params::Cy = 0;
|
|
|
+template<> MNT6Fr MNT6Params::Ax = 0;
|
|
|
+template<> MNT6Fr MNT6Params::Ay = 0;
|
|
|
+
|
|
|
// Double a constant EC point (inx,iny) to yield (outx,outy). The input
|
|
|
// point must not be the point at infinity.
|
|
|
template<typename FieldT>
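Review bot: Nothing in this hunk stops a gadget from reading `curveParams<FieldT>` before `init_curveparams()` has run, and the `template<> ... = 0;` definitions at the end leave every generator at 0 until then, so a gadget constructed too early silently builds its commitment around (0,0) instead of G, H, C and A — the later hunks that read `curveParams<FieldT>::Cx`/`Ax` (the `ec_add_points` calls, the `accinx`/`acciny` constraints and the `AXSx`/`AXSy` snapshots) all inherit this. An `initialized` flag set at the end of `init_curveparams()` and asserted where the statics are first read turns the silent degradation into a failed assertion; the sketch below adds the flag, and each gadget constructor would call `curveParams<FieldT>::require_initialized();` before its first use of the generators. The comment above the struct should also state the precondition: `// init_curveparams() must run after the curve's init_public_params() and before any gadget is constructed; until then every generator reads as 0.` Separately, if this file is a header, `init_curveparams` and the `template<>` member definitions are non-inline definitions that collide when two translation units include it; `inline` on both (C++17) or moving them to a .cpp avoids that, and I have not confirmed that Fr's integer constructor is safe to run at static-initialization time, before `init_public_params()`, which is worth checking. Finally, `// Some generators` could record how the points were chosen (e.g. smallest x with a valid y, checked to lie on the stated curve), since the commitment is only binding while no discrete-log relation between G and H is known and a reader cannot verify that from bare coordinates.
```cpp
template<typename FieldT>
struct curveParams {
    // Some generators
    static FieldT Gx, Gy, Hx, Hy, Cx, Cy, Ax, Ay;
    // Set by init_curveparams(); the generators above are 0 until then
    static bool initialized;
    // Call before the first read of any generator in a gadget constructor
    static void require_initialized() { assert(initialized); }
};

void init_curveparams(void) {
    // … unchanged: BN128 / MNT4 / MNT6 generator assignments …
    BN128Params::initialized = true;
    MNT4Params::initialized = true;
    MNT6Params::initialized = true;
}

// … unchanged: template<> definitions of Gx .. Ay for the three curves …
template<> bool BN128Params::initialized = false;
template<> bool MNT4Params::initialized = false;
template<> bool MNT6Params::initialized = false;
```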
|
|
@@ -403,7 +490,6 @@ public:
|
|
|
template<typename FieldT>
|
|
|
class ec_constant_scalarmul_vec_accum_gadget : public gadget<FieldT> {
|
|
|
private:
|
|
|
- FieldT Cx, Cy;
|
|
|
pb_variable_array<FieldT> accumx, accumy;
|
|
|
std::vector<ec_4_constant_add_gadget<FieldT> > fouradders;
|
|
|
std::vector<ec_2_constant_add_gadget<FieldT> > twoadders;
|
|
@@ -427,9 +513,6 @@ public:
|
|
|
const FieldT &Px, const FieldT &Py,
|
|
|
FieldT &AXSx, FieldT &AXSy) :
|
|
|
gadget<FieldT>(pb, "ec_constant_scalarmul_vec_accum_gadget"),
|
|
|
- // Precomputed coordinates of C
|
|
|
- Cx(2),
|
|
|
- Cy("4950745124018817972378217179409499695353526031437053848725554590521829916331"),
|
|
|
outx(outx), outy(outy), Ax(Ax), Ay(Ay), svec(svec), Px(Px), Py(Py)
|
|
|
{
|
|
|
size_t numbits = svec.size();
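Review bot: The surviving initializers `outx(outx), outy(outy), Ax(Ax), Ay(Ay)` keep per-instance members named `Ax`/`Ay` in this class, while after this commit the same names also denote the field constants `curveParams<FieldT>::Ax`/`Ay` used by the other gadgets; here they are the accumulator-input variables (the `i == 0 ? Ax : accumx[accnext-1]` selects in the next hunk), not the fixed offset point. A one-line comment on the member declarations, which sit above this hunk, would keep the two from being confused: `// Ax, Ay: accumulator input point for this gadget (variables), unrelated to curveParams<FieldT>::Ax/Ay`. The constructor body continues past the end of the hunk.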
|
|
@@ -454,13 +537,16 @@ public:
|
|
|
|
|
|
if (i == numbits-1) {
|
|
|
FieldT twoiPCx, twoiPCy;
|
|
|
- ec_add_points(twoiPCx, twoiPCy, twoiPx, twoiPy, Cx, Cy);
|
|
|
+ ec_add_points(twoiPCx, twoiPCy, twoiPx, twoiPy,
|
|
|
+ curveParams<FieldT>::Cx, curveParams<FieldT>::Cy);
|
|
|
|
|
|
twoadders.emplace_back(this->pb,
|
|
|
outx, outy,
|
|
|
(i == 0 ? Ax : accumx[accnext-1]),
|
|
|
(i == 0 ? Ay : accumy[accnext-1]),
|
|
|
- svec[i], Cx, Cy, twoiPCx, twoiPCy);
|
|
|
+ svec[i],
|
|
|
+ curveParams<FieldT>::Cx, curveParams<FieldT>::Cy,
|
|
|
+ twoiPCx, twoiPCy);
|
|
|
|
|
|
// This makes i odd, but also exits the loop with
|
|
|
// i = numbits and accnext = (numbits-1)/2
|
|
@@ -472,9 +558,11 @@ public:
|
|
|
FieldT twoi2Px, twoi2Py;
|
|
|
FieldT twoi1PCx, twoi1PCy, twoi2PCx, twoi2PCy, twoi3PCx, twoi3PCy;
|
|
|
|
|
|
- ec_add_points(twoi1PCx, twoi1PCy, twoiPx, twoiPy, Cx, Cy);
|
|
|
+ ec_add_points(twoi1PCx, twoi1PCy, twoiPx, twoiPy,
|
|
|
+ curveParams<FieldT>::Cx, curveParams<FieldT>::Cy);
|
|
|
ec_double_point(twoi2Px, twoi2Py, twoiPx, twoiPy);
|
|
|
- ec_add_points(twoi2PCx, twoi2PCy, twoi2Px, twoi2Py, Cx, Cy);
|
|
|
+ ec_add_points(twoi2PCx, twoi2PCy, twoi2Px, twoi2Py,
|
|
|
+ curveParams<FieldT>::Cx, curveParams<FieldT>::Cy);
|
|
|
ec_add_points(twoi3PCx, twoi3PCy, twoi2Px, twoi2Py,
|
|
|
twoi1PCx, twoi1PCy);
|
|
|
|
|
@@ -483,7 +571,9 @@ public:
|
|
|
(i == numbits-2 ? outy : accumy[accnext]),
|
|
|
(i == 0 ? Ax : accumx[accnext-1]),
|
|
|
(i == 0 ? Ay : accumy[accnext-1]),
|
|
|
- svec[i], svec[i+1], Cx, Cy, twoi1PCx, twoi1PCy,
|
|
|
+ svec[i], svec[i+1],
|
|
|
+ curveParams<FieldT>::Cx, curveParams<FieldT>::Cy,
|
|
|
+ twoi1PCx, twoi1PCy,
|
|
|
twoi2PCx, twoi2PCy, twoi3PCx, twoi3PCy);
|
|
|
|
|
|
// If i == numbits-2, we write directly to out and not accum above, and
|
|
@@ -496,7 +586,8 @@ public:
|
|
|
}
|
|
|
|
|
|
FieldT newAXSx, newAXSy;
|
|
|
- ec_add_points(newAXSx, newAXSy, AXSx, AXSy, Cx, Cy);
|
|
|
+ ec_add_points(newAXSx, newAXSy, AXSx, AXSy,
|
|
|
+ curveParams<FieldT>::Cx, curveParams<FieldT>::Cy);
|
|
|
AXSx = newAXSx;
|
|
|
AXSy = newAXSy;
|
|
|
}
|
|
@@ -579,7 +670,7 @@ public:
|
|
|
template<typename FieldT>
|
|
|
class ec_constant_scalarmul_vec_gadget : public gadget<FieldT> {
|
|
|
private:
|
|
|
- FieldT Cx, Cy, Ax, Ay, AXSx, AXSy;
|
|
|
+ FieldT AXSx, AXSy;
|
|
|
pb_variable<FieldT> accinx, acciny, accoutx, accouty;
|
|
|
std::vector<ec_constant_scalarmul_vec_accum_gadget<FieldT> > scalarmuls;
|
|
|
std::vector<ec_constant_add_gadget<FieldT> > adders;
|
|
@@ -594,15 +685,10 @@ public:
|
|
|
const pb_variable_array<FieldT> &svec,
|
|
|
const FieldT &Px, const FieldT &Py) :
|
|
|
gadget<FieldT>(pb, "ec_constant_scalarmul_vec_gadget"),
|
|
|
- // Precomputed coordinates of C and A
|
|
|
- Cx(2),
|
|
|
- Cy("4950745124018817972378217179409499695353526031437053848725554590521829916331"),
|
|
|
- Ax(4),
|
|
|
- Ay("1929778687269876629657252589535788315400602403700102541701561325064015752665"),
|
|
|
outx(outx), outy(outy), svec(svec), Px(Px), Py(Py)
|
|
|
{
|
|
|
- AXSx = Ax;
|
|
|
- AXSy = Ay;
|
|
|
+ AXSx = curveParams<FieldT>::Ax;
|
|
|
+ AXSy = curveParams<FieldT>::Ay;
|
|
|
accinx.allocate(this->pb, "accinx");
|
|
|
acciny.allocate(this->pb, "acciny");
|
|
|
accoutx.allocate(this->pb, "accoutx");
|
|
@@ -614,16 +700,16 @@ public:
|
|
|
|
|
|
void generate_r1cs_constraints()
|
|
|
{
|
|
|
- this->pb.add_r1cs_constraint(r1cs_constraint<FieldT>(accinx, 1, Ax));
|
|
|
- this->pb.add_r1cs_constraint(r1cs_constraint<FieldT>(acciny, 1, Ay));
|
|
|
+ this->pb.add_r1cs_constraint(r1cs_constraint<FieldT>(accinx, 1, curveParams<FieldT>::Ax));
|
|
|
+ this->pb.add_r1cs_constraint(r1cs_constraint<FieldT>(acciny, 1, curveParams<FieldT>::Ay));
|
|
|
scalarmuls[0].generate_r1cs_constraints();
|
|
|
adders[0].generate_r1cs_constraints();
|
|
|
}
|
|
|
|
|
|
void generate_r1cs_witness()
|
|
|
{
|
|
|
- this->pb.val(accinx) = Ax;
|
|
|
- this->pb.val(acciny) = Ay;
|
|
|
+ this->pb.val(accinx) = curveParams<FieldT>::Ax;
|
|
|
+ this->pb.val(acciny) = curveParams<FieldT>::Ay;
|
|
|
scalarmuls[0].generate_r1cs_witness();
|
|
|
adders[0].generate_r1cs_witness();
|
|
|
}
|
|
@@ -692,7 +778,6 @@ class ec_scalarmul_gadget;
|
|
|
template<typename FieldT>
|
|
|
class ec_scalarmul_vec_accum_gadget : public gadget<FieldT> {
|
|
|
private:
|
|
|
- FieldT Cx, Cy;
|
|
|
pb_variable_array<FieldT> accumx, accumy;
|
|
|
pb_variable_array<FieldT> twoiPx, twoiPy;
|
|
|
std::vector<ec_constant_add_gadget<FieldT> > cadders;
|
|
@@ -719,9 +804,6 @@ public:
|
|
|
bool Ptable_fill_values,
|
|
|
FieldT &AXSx, FieldT &AXSy) :
|
|
|
gadget<FieldT>(pb, "ec_scalarmul_vec_accum_gadget"),
|
|
|
- // Precomputed coordinates of C
|
|
|
- Cx(2),
|
|
|
- Cy("4950745124018817972378217179409499695353526031437053848725554590521829916331"),
|
|
|
outx(outx), outy(outy), Ax(Ax), Ay(Ay), svec(svec),
|
|
|
Px(Px), Py(Py), Ptable(Ptable),
|
|
|
Ptable_set_constraints(Ptable_set_constraints),
|
|
@@ -737,7 +819,7 @@ public:
|
|
|
if (numbits > 0) {
|
|
|
// Add P and C to get Ptable[0,1] = P+C
|
|
|
cadders.emplace_back(this->pb, Ptable[0], Ptable[1],
|
|
|
- Px, Py, Cx, Cy);
|
|
|
+ Px, Py, curveParams<FieldT>::Cx, curveParams<FieldT>::Cy);
|
|
|
}
|
|
|
if (numbits > 1) {
|
|
|
// Add P and P+C to get Ptable[2,3] = 2*P+C
|
|
@@ -755,7 +837,7 @@ public:
|
|
|
cadders.emplace_back(this->pb,
|
|
|
twoiPx[i-2], twoiPy[i-2],
|
|
|
Ptable[2*(i-1)], Ptable[2*(i-1)+1],
|
|
|
- Cx, -Cy);
|
|
|
+ curveParams<FieldT>::Cx, -curveParams<FieldT>::Cy);
|
|
|
|
|
|
// Compute 2^{i}*P + C = (2^{i-1}*P + C) + (2^{i-1}*P)
|
|
|
adders.emplace_back(this->pb,
|
|
@@ -774,10 +856,10 @@ public:
|
|
|
(i == numbits-1 ? outy : accumy[i]),
|
|
|
(i == 0 ? Ax : accumx[i-1]),
|
|
|
(i == 0 ? Ay : accumy[i-1]),
|
|
|
- svec[i], Cx, Cy, Ptable[2*i], Ptable[2*i+1]);
|
|
|
+ svec[i], curveParams<FieldT>::Cx, curveParams<FieldT>::Cy, Ptable[2*i], Ptable[2*i+1]);
|
|
|
|
|
|
FieldT newAXSx, newAXSy;
|
|
|
- ec_add_points(newAXSx, newAXSy, AXSx, AXSy, Cx, Cy);
|
|
|
+ ec_add_points(newAXSx, newAXSy, AXSx, AXSy, curveParams<FieldT>::Cx, curveParams<FieldT>::Cy);
|
|
|
AXSx = newAXSx;
|
|
|
AXSy = newAXSy;
|
|
|
}
|
|
@@ -907,7 +989,7 @@ public:
|
|
|
template<typename FieldT>
|
|
|
class ec_scalarmul_vec_gadget : public gadget<FieldT> {
|
|
|
private:
|
|
|
- FieldT Cx, Cy, Ax, Ay, AXSx, AXSy;
|
|
|
+ FieldT AXSx, AXSy;
|
|
|
pb_variable<FieldT> accinx, acciny, accoutx, accouty;
|
|
|
std::vector<ec_scalarmul_vec_accum_gadget<FieldT> > scalarmuls;
|
|
|
std::vector<ec_constant_add_gadget<FieldT> > adders;
|
|
@@ -928,18 +1010,13 @@ public:
|
|
|
bool Ptable_set_constraints,
|
|
|
bool Ptable_fill_values) :
|
|
|
gadget<FieldT>(pb, "ec_scalarmul_vec_gadget"),
|
|
|
- // Precomputed coordinates of C and A
|
|
|
- Cx(2),
|
|
|
- Cy("4950745124018817972378217179409499695353526031437053848725554590521829916331"),
|
|
|
- Ax(4),
|
|
|
- Ay("1929778687269876629657252589535788315400602403700102541701561325064015752665"),
|
|
|
outx(outx), outy(outy), svec(svec),
|
|
|
Px(Px), Py(Py), Ptable(Ptable),
|
|
|
Ptable_set_constraints(Ptable_set_constraints),
|
|
|
Ptable_fill_values(Ptable_fill_values)
|
|
|
{
|
|
|
- AXSx = Ax;
|
|
|
- AXSy = Ay;
|
|
|
+ AXSx = curveParams<FieldT>::Ax;
|
|
|
+ AXSy = curveParams<FieldT>::Ay;
|
|
|
accinx.allocate(this->pb, "accinx");
|
|
|
acciny.allocate(this->pb, "acciny");
|
|
|
accoutx.allocate(this->pb, "accoutx");
|
|
@@ -953,16 +1030,16 @@ public:
|
|
|
|
|
|
void generate_r1cs_constraints()
|
|
|
{
|
|
|
- this->pb.add_r1cs_constraint(r1cs_constraint<FieldT>(accinx, 1, Ax));
|
|
|
- this->pb.add_r1cs_constraint(r1cs_constraint<FieldT>(acciny, 1, Ay));
|
|
|
+ this->pb.add_r1cs_constraint(r1cs_constraint<FieldT>(accinx, 1, curveParams<FieldT>::Ax));
|
|
|
+ this->pb.add_r1cs_constraint(r1cs_constraint<FieldT>(acciny, 1, curveParams<FieldT>::Ay));
|
|
|
scalarmuls[0].generate_r1cs_constraints();
|
|
|
adders[0].generate_r1cs_constraints();
|
|
|
}
|
|
|
|
|
|
void generate_r1cs_witness()
|
|
|
{
|
|
|
- this->pb.val(accinx) = Ax;
|
|
|
- this->pb.val(acciny) = Ay;
|
|
|
+ this->pb.val(accinx) = curveParams<FieldT>::Ax;
|
|
|
+ this->pb.val(acciny) = curveParams<FieldT>::Ay;
|
|
|
scalarmuls[0].generate_r1cs_witness();
|
|
|
adders[0].generate_r1cs_witness();
|
|
|
}
|
|
@@ -1036,9 +1113,6 @@ public:
|
|
|
const pb_variable<FieldT> &Px,
|
|
|
const pb_variable<FieldT> &Py)
|
|
|
{
|
|
|
- const FieldT Cx(2);
|
|
|
- const FieldT Cy("4950745124018817972378217179409499695353526031437053848725554590521829916331");
|
|
|
-
|
|
|
assert(Ptable.size() % 2 == 0);
|
|
|
size_t numbits = Ptable.size() / 2;
|
|
|
|
|
@@ -1050,7 +1124,8 @@ public:
|
|
|
|
|
|
// Compute 2^i * P + C
|
|
|
FieldT twoiPCx, twoiPCy;
|
|
|
- ec_add_points(twoiPCx, twoiPCy, twoiPx, twoiPy, Cx, Cy);
|
|
|
+ ec_add_points(twoiPCx, twoiPCy, twoiPx, twoiPy,
|
|
|
+ curveParams<FieldT>::Cx, curveParams<FieldT>::Cy);
|
|
|
pb.val(Ptable[2*i]) = twoiPCx;
|
|
|
pb.val(Ptable[2*i+1]) = twoiPCy;
|
|
|
|
|
@@ -1070,7 +1145,6 @@ private:
|
|
|
pb_variable<FieldT> accinx, acciny, accmidx, accmidy, accoutx, accouty;
|
|
|
std::vector<ec_constant_scalarmul_accum_gadget<FieldT> > mulgadgets;
|
|
|
std::vector<ec_constant_add_gadget<FieldT> > addgadget;
|
|
|
- const FieldT Gx, Gy, Hx, Hy, Ax, Ay;
|
|
|
|
|
|
public:
|
|
|
const pb_variable<FieldT> outx, outy, a, b;
|
|
@@ -1081,14 +1155,7 @@ public:
|
|
|
const pb_variable<FieldT> &a,
|
|
|
const pb_variable<FieldT> &b) :
|
|
|
gadget<FieldT>(pb, "ec_pedersen_gadget"),
|
|
|
- outx(outx), outy(outy), a(a), b(b),
|
|
|
- // Precomputed coordinates of G, H, and A
|
|
|
- Gx(0),
|
|
|
- Gy("11977228949870389393715360594190192321220966033310912010610740966317727761886"),
|
|
|
- Hx(1),
|
|
|
- Hy("21803877843449984883423225223478944275188924769286999517937427649571474907279"),
|
|
|
- Ax(4),
|
|
|
- Ay("1929778687269876629657252589535788315400602403700102541701561325064015752665")
|
|
|
+ outx(outx), outy(outy), a(a), b(b)
|
|
|
{
|
|
|
// Allocate variables to protoboard
|
|
|
// The strings (like "x") are only for debugging purposes
|
|
@@ -1101,22 +1168,22 @@ public:
|
|
|
accouty.allocate(this->pb, "accouty");
|
|
|
|
|
|
// Initialize the accumulator
|
|
|
- FieldT AXSx = Ax;
|
|
|
- FieldT AXSy = Ay;
|
|
|
- this->pb.add_r1cs_constraint(r1cs_constraint<FieldT>(accinx, 1, Ax));
|
|
|
- this->pb.add_r1cs_constraint(r1cs_constraint<FieldT>(acciny, 1, Ay));
|
|
|
+ FieldT AXSx = curveParams<FieldT>::Ax;
|
|
|
+ FieldT AXSy = curveParams<FieldT>::Ay;
|
|
|
+ this->pb.add_r1cs_constraint(r1cs_constraint<FieldT>(accinx, 1, curveParams<FieldT>::Ax));
|
|
|
+ this->pb.add_r1cs_constraint(r1cs_constraint<FieldT>(acciny, 1, curveParams<FieldT>::Ay));
|
|
|
|
|
|
// Initialize the gadgets
|
|
|
- mulgadgets.emplace_back(this->pb, accmidx, accmidy, accinx, acciny, a, Gx, Gy, AXSx, AXSy);
|
|
|
- mulgadgets.emplace_back(this->pb, accoutx, accouty, accmidx, accmidy, b, Hx, Hy, AXSx, AXSy);
|
|
|
+ mulgadgets.emplace_back(this->pb, accmidx, accmidy, accinx, acciny, a,
|
|
|
+ curveParams<FieldT>::Gx, curveParams<FieldT>::Gy, AXSx, AXSy);
|
|
|
+ mulgadgets.emplace_back(this->pb, accoutx, accouty, accmidx, accmidy, b,
|
|
|
+ curveParams<FieldT>::Hx, curveParams<FieldT>::Hy, AXSx, AXSy);
|
|
|
// Subtract the accumulator excess to get the result
|
|
|
addgadget.emplace_back(this->pb, outx, outy, accoutx, accouty, AXSx, -AXSy);
|
|
|
}
|
|
|
|
|
|
void generate_r1cs_constraints()
|
|
|
{
|
|
|
- this->pb.val(accinx) = Ax;
|
|
|
- this->pb.val(acciny) = Ay;
|
|
|
mulgadgets[0].generate_r1cs_constraints();
|
|
|
mulgadgets[1].generate_r1cs_constraints();
|
|
|
addgadget[0].generate_r1cs_constraints();
|
|
@@ -1124,6 +1191,8 @@ public:
|
|
|
|
|
|
void generate_r1cs_witness()
|
|
|
{
|
|
|
+ this->pb.val(accinx) = curveParams<FieldT>::Ax;
|
|
|
+ this->pb.val(acciny) = curveParams<FieldT>::Ay;
|
|
|
mulgadgets[0].generate_r1cs_witness();
|
|
|
mulgadgets[1].generate_r1cs_witness();
|
|
|
addgadget[0].generate_r1cs_witness();