Add jubjub

Cargo.toml

@@ -24,6 +24,7 @@ ark-std = { version = "0.3" }
 bincode = "1.3.3"
 
 [dependencies]
+bitvec = "1"
 subtle = "2.4"
 ff = "0.13.0"
 group = "0.13.0"

src/bls12_381/fp.rs

@@ -3,17 +3,16 @@
 
 use core::fmt;
 use core::ops::{Add, Mul, Neg, Sub};
-use std::convert::TryFrom;
-use std::ops::{Deref};
 use ff::{Field, PrimeField, WithSmallOrderMulGroup};
 use rand_core::RngCore;
+use std::convert::TryFrom;
+use std::ops::Deref;
 use subtle::{Choice, ConditionallySelectable, ConstantTimeEq, CtOption};
 
 use crate::util::{adc, mac, sbb};
 use crate::{
-    impl_add_binop_specify_output, impl_binops_additive,
-    impl_binops_additive_specify_output, impl_binops_multiplicative,
-    impl_binops_multiplicative_mixed, impl_sub_binop_specify_output,
+    impl_add_binop_specify_output, impl_binops_additive, impl_binops_additive_specify_output,
+    impl_binops_multiplicative, impl_binops_multiplicative_mixed, impl_sub_binop_specify_output,
 };
 
 // The internal representation of this type is six 64-bit unsigned
@@ -77,9 +76,7 @@ impl WithSmallOrderMulGroup<3> for Fp {
     const ZETA: Self = ZETA;
 }
 
-use crate::{
-    impl_sum_prod,
-};
+use crate::impl_sum_prod;
 impl_sum_prod!(Fp);
 
 /// 2^-1
@@ -118,9 +115,9 @@ const ZETA: Fp = Fp::from_raw_unchecked([
 ]);
 
 impl From<u64> for Fp {
-fn from(val: u64) -> Fp {
-    Fp([val, 0, 0, 0, 0, 0])
-}
+    fn from(val: u64) -> Fp {
+        Fp([val, 0, 0, 0, 0, 0])
+    }
 }
 
 impl Field for Fp {

src/bls12_381/fp12.rs

@@ -6,12 +6,11 @@ use core::fmt;
 use core::ops::{Add, Mul, Neg, Sub};
 use subtle::{Choice, ConditionallySelectable, ConstantTimeEq, CtOption};
 
-use rand_core::RngCore;
 use crate::{
-    impl_add_binop_specify_output, impl_binops_additive,
-    impl_binops_additive_specify_output, impl_binops_multiplicative,
-    impl_binops_multiplicative_mixed, impl_sub_binop_specify_output,
+    impl_add_binop_specify_output, impl_binops_additive, impl_binops_additive_specify_output,
+    impl_binops_multiplicative, impl_binops_multiplicative_mixed, impl_sub_binop_specify_output,
 };
+use rand_core::RngCore;
 
 /// This represents an element $c_0 + c_1 w$ of $\mathbb{F}_{p^12} = \mathbb{F}_{p^6} / w^2 - v$.
 pub struct Fp12 {
@@ -647,4 +646,3 @@ fn test_arithmetic() {
             .frobenius_map()
     );
 }
-

src/bls12_381/fp2.rs

@@ -2,17 +2,16 @@
 
 use core::fmt;
 use core::ops::{Add, Mul, Neg, Sub};
-use std::convert::TryInto;
-use std::ops::{BitAnd, Deref};
 use ff::{Field, PrimeField, WithSmallOrderMulGroup};
 use rand_core::RngCore;
+use std::convert::TryInto;
+use std::ops::{BitAnd, Deref};
 use subtle::{Choice, ConditionallySelectable, ConstantTimeEq, CtOption};
 
 use crate::bls12_381::fp::Fp;
 use crate::{
-    impl_add_binop_specify_output, impl_binops_additive,
-    impl_binops_additive_specify_output, impl_binops_multiplicative,
-    impl_binops_multiplicative_mixed, impl_sub_binop_specify_output,
+    impl_add_binop_specify_output, impl_binops_additive, impl_binops_additive_specify_output,
+    impl_binops_multiplicative, impl_binops_multiplicative_mixed, impl_sub_binop_specify_output,
 };
 
 #[derive(Copy, Clone)]
@@ -76,25 +75,27 @@ impl AsMut<[u8]> for Fp2Repr {
     }
 }
 
-use crate::{
-    impl_sum_prod,
-};
+use crate::impl_sum_prod;
 impl_sum_prod!(Fp2);
 
 /// 2^-1
-const TWO_INV: Fp2 = Fp2{ c0: Fp([
-    0x1804_0000_0001_5554,
-    0x8550_0005_3ab0_0001,
-    0x633c_b57c_253c_276f,
-    0x6e22_d1ec_31eb_b502,
-    0xd391_6126_f2d1_4ca2,
-    0x17fb_b857_1a00_6596,
-]),
-    c1: Fp([0, 0, 0, 0, 0, 0])
+const TWO_INV: Fp2 = Fp2 {
+    c0: Fp([
+        0x1804_0000_0001_5554,
+        0x8550_0005_3ab0_0001,
+        0x633c_b57c_253c_276f,
+        0x6e22_d1ec_31eb_b502,
+        0xd391_6126_f2d1_4ca2,
+        0x17fb_b857_1a00_6596,
+    ]),
+    c1: Fp([0, 0, 0, 0, 0, 0]),
 };
 
 /// Computed using sage, GF(0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab).primitive_element()
-const MULTIPLICATIVE_GENERATOR: Fp2 = Fp2 { c0: Fp([0x02, 0x00, 0x00, 0x00, 0x00, 0x00]), c1: Fp([0, 0, 0, 0, 0, 0]) };
+const MULTIPLICATIVE_GENERATOR: Fp2 = Fp2 {
+    c0: Fp([0x02, 0x00, 0x00, 0x00, 0x00, 0x00]),
+    c1: Fp([0, 0, 0, 0, 0, 0]),
+};
 
 // TODO: Can we simply put 0 here::
 const ROOT_OF_UNITY: Fp2 = Fp2::zero();
@@ -107,21 +108,24 @@ const DELTA: Fp2 = Fp2::zero();
 
 impl From<u64> for Fp2 {
     fn from(val: u64) -> Fp2 {
-        Fp2{ c0: Fp([val, 0, 0, 0, 0, 0]), c1: Fp([0, 0, 0, 0, 0, 0]) }
+        Fp2 {
+            c0: Fp([val, 0, 0, 0, 0, 0]),
+            c1: Fp([0, 0, 0, 0, 0, 0]),
+        }
     }
 }
 
 // Fp::ZETA^2
 const ZETA: Fp2 = Fp2 {
     c0: Fp([
-           0xcd03c9e48671f071,
-           0x5dab22461fcda5d2,
-           0x587042afd3851b95,
-           0x8eb60ebe01bacb9e,
-           0x3f97d6e83d050d2,
-           0x18f0206554638741,
+        0xcd03c9e48671f071,
+        0x5dab22461fcda5d2,
+        0x587042afd3851b95,
+        0x8eb60ebe01bacb9e,
+        0x3f97d6e83d050d2,
+        0x18f0206554638741,
     ]),
-    c1: Fp([0, 0, 0, 0, 0, 0])
+    c1: Fp([0, 0, 0, 0, 0, 0]),
 };
 
 impl Field for Fp2 {

src/bls12_381/fp6.rs

@@ -5,12 +5,11 @@ use core::fmt;
 use core::ops::{Add, Mul, Neg, Sub};
 use subtle::{Choice, ConditionallySelectable, ConstantTimeEq, CtOption};
 
-use rand_core::RngCore;
 use crate::{
-    impl_add_binop_specify_output, impl_binops_additive,
-    impl_binops_additive_specify_output, impl_binops_multiplicative,
-    impl_binops_multiplicative_mixed, impl_sub_binop_specify_output,
+    impl_add_binop_specify_output, impl_binops_additive, impl_binops_additive_specify_output,
+    impl_binops_multiplicative, impl_binops_multiplicative_mixed, impl_sub_binop_specify_output,
 };
+use rand_core::RngCore;
 
 /// This represents an element $c_0 + c_1 v + c_2 v^2$ of $\mathbb{F}_{p^6} = \mathbb{F}_{p^2} / v^3 - u - 1$.
 pub struct Fp6 {

src/bls12_381/g1.rs

@@ -20,9 +20,8 @@ use pasta_curves::arithmetic::{Coordinates, CurveAffine, CurveExt};
 use crate::bls12_381::fp::Fp;
 use crate::bls12_381::Scalar;
 use crate::{
-    impl_add_binop_specify_output, impl_binops_additive,
-    impl_binops_additive_specify_output, impl_binops_multiplicative,
-    impl_binops_multiplicative_mixed, impl_sub_binop_specify_output,
+    impl_add_binop_specify_output, impl_binops_additive, impl_binops_additive_specify_output,
+    impl_binops_multiplicative, impl_binops_multiplicative_mixed, impl_sub_binop_specify_output,
 };
 /// This is an element of $\mathbb{G}_1$ represented in the affine coordinate space.
 /// It is ideal to keep elements in this representation to reduce memory usage and
@@ -620,17 +619,17 @@ impl CurveAffine for G1Affine {
 
     fn is_on_curve(&self) -> Choice {
         // y^2 - x^3 ?= b
-        (self.y.square() - self.x.square() * self.x).ct_eq(&B)
-            | self.is_identity()
+        (self.y.square() - self.x.square() * self.x).ct_eq(&B) | self.is_identity()
     }
 
     fn coordinates(&self) -> CtOption<Coordinates<Self>> {
-        Coordinates::from_xy( self.x, self.y )
+        Coordinates::from_xy(self.x, self.y)
     }
 
     fn from_xy(x: Self::Base, y: Self::Base) -> CtOption<Self> {
         let p = G1Affine {
-            x, y,
+            x,
+            y,
             infinity: Choice::from(0),
         };
         CtOption::new(p, p.is_on_curve())
@@ -646,7 +645,6 @@ impl CurveAffine for G1Affine {
 }
 
 impl CurveExt for G1Projective {
-
     type ScalarExt = Scalar;
     type Base = Fp;
     type AffineExt = G1Affine;
@@ -668,7 +666,6 @@ impl CurveExt for G1Projective {
         (x, y, self.z)
     }
 
-
     fn hash_to_curve<'a>(_: &'a str) -> Box<dyn Fn(&[u8]) -> Self + 'a> {
         unimplemented!(); // todo: it is implemented :tada:
     }
@@ -677,9 +674,8 @@ impl CurveExt for G1Projective {
         // Check (Y/Z)^2 = (X/Z)^3 + b
         // <=>    Z Y^2 -  X^3 = Z^3 b
 
-        (self.z * self.y.square()  - self.x.square() * self.x)
-            .ct_eq(&(self.z.square() * self.z * B))
-        | self.z.is_zero()
+        (self.z * self.y.square() - self.x.square() * self.x).ct_eq(&(self.z.square() * self.z * B))
+            | self.z.is_zero()
     }
 
     fn b() -> Self::Base {
@@ -696,9 +692,9 @@ impl CurveExt for G1Projective {
         let p_x = x * z_inv;
         let p_y = y * z_inv.square();
         let p = G1Projective {
-            x:p_x,
-            y:Fp::conditional_select(&p_y, &Fp::one(), z.is_zero()),
-            z
+            x: p_x,
+            y: Fp::conditional_select(&p_y, &Fp::one(), z.is_zero()),
+            z,
         };
         CtOption::new(p, p.is_on_curve())
     }

src/bls12_381/g2.rs

@@ -19,11 +19,10 @@ use ff::WithSmallOrderMulGroup;
 
 use crate::bls12_381::fp::Fp;
 use crate::bls12_381::fp2::Fp2;
-use crate::bls12_381::{Scalar};
+use crate::bls12_381::Scalar;
 use crate::{
-    impl_add_binop_specify_output, impl_binops_additive,
-    impl_binops_additive_specify_output, impl_binops_multiplicative,
-    impl_binops_multiplicative_mixed, impl_sub_binop_specify_output,
+    impl_add_binop_specify_output, impl_binops_additive, impl_binops_additive_specify_output,
+    impl_binops_multiplicative, impl_binops_multiplicative_mixed, impl_sub_binop_specify_output,
 };
 /// This is an element of $\mathbb{G}_2$ represented in the affine coordinate space.
 /// It is ideal to keep elements in this representation to reduce memory usage and
@@ -673,17 +672,17 @@ impl CurveAffine for G2Affine {
 
     fn is_on_curve(&self) -> Choice {
         // y^2 - x^3 ?= b
-        (self.y.square() - self.x.square() * self.x).ct_eq(&B)
-            | self.is_identity()
+        (self.y.square() - self.x.square() * self.x).ct_eq(&B) | self.is_identity()
     }
 
     fn coordinates(&self) -> CtOption<Coordinates<Self>> {
-        Coordinates::from_xy( self.x, self.y )
+        Coordinates::from_xy(self.x, self.y)
     }
 
     fn from_xy(x: Self::Base, y: Self::Base) -> CtOption<Self> {
         let p = G2Affine {
-            x, y,
+            x,
+            y,
             infinity: Choice::from(0),
         };
         CtOption::new(p, p.is_on_curve())
@@ -699,7 +698,6 @@ impl CurveAffine for G2Affine {
 }
 
 impl CurveExt for G2Projective {
-
     type ScalarExt = Scalar;
     type Base = Fp2;
     type AffineExt = G2Affine;
@@ -721,7 +719,6 @@ impl CurveExt for G2Projective {
         (x, y, self.z)
     }
 
-
     fn hash_to_curve<'a>(_: &'a str) -> Box<dyn Fn(&[u8]) -> Self + 'a> {
         unimplemented!(); // todo: it is implemented :tada:
     }
@@ -730,8 +727,7 @@ impl CurveExt for G2Projective {
         // Check (Y/Z)^2 = (X/Z)^3 + b
         // <=>    Z Y^2 -  X^3 = Z^3 b
 
-        (self.z * self.y.square()  - self.x.square() * self.x)
-            .ct_eq(&(self.z.square() * self.z * B))
+        (self.z * self.y.square() - self.x.square() * self.x).ct_eq(&(self.z.square() * self.z * B))
             | self.z.is_zero()
     }
 
@@ -749,9 +745,9 @@ impl CurveExt for G2Projective {
         let p_x = x * z_inv;
         let p_y = y * z_inv.square();
         let p = G2Projective {
-            x:p_x,
-            y:Fp2::conditional_select(&p_y, &Fp2::one(), z.is_zero()),
-            z
+            x: p_x,
+            y: Fp2::conditional_select(&p_y, &Fp2::one(), z.is_zero()),
+            z,
         };
         CtOption::new(p, p.is_on_curve())
     }

src/bls12_381/mod.rs

@@ -4,15 +4,14 @@ mod fp2;
 mod fp6;
 mod g1;
 mod g2;
-mod scalar;
 mod pairings;
+mod scalar;
 
 pub use fp::*;
 pub use fp12::*;
 pub use fp2::*;
 pub use fp6::*;
-pub use scalar::*;
 pub use g1::*;
 pub use g2::*;
 pub use pairings::*;
-
+pub use scalar::*;

src/bls12_381/pairings.rs

@@ -4,26 +4,24 @@ use crate::bls12_381::fp2::Fp2;
 use crate::bls12_381::fp6::Fp6;
 use crate::bls12_381::{G1Affine, G1Projective, G2Affine, G2Projective, Scalar};
 
+use crate::pairing::{Engine, PairingCurveAffine};
 use core::borrow::Borrow;
 use core::fmt;
 use core::iter::Sum;
 use core::ops::{Add, AddAssign, Mul, Neg, Sub};
 use group::Group;
-use crate::pairing::{Engine, PairingCurveAffine};
 use rand_core::RngCore;
 use subtle::{Choice, ConditionallySelectable, ConstantTimeEq};
 
+use crate::pairing::MultiMillerLoop;
 use crate::{
-    impl_add_binop_specify_output, impl_binops_additive,
-    impl_binops_additive_specify_output, impl_binops_multiplicative,
-    impl_binops_multiplicative_mixed, impl_sub_binop_specify_output,
+    impl_add_binop_specify_output, impl_binops_additive, impl_binops_additive_specify_output,
+    impl_binops_multiplicative, impl_binops_multiplicative_mixed, impl_sub_binop_specify_output,
 };
-use crate::pairing::MultiMillerLoop;
 
 pub(crate) const BLS_X: u64 = 0xd201_0000_0001_0000;
 pub(crate) const BLS_X_IS_NEGATIVE: bool = true;
 
-
 /// Represents results of a Miller loop, one of the most expensive portions
 /// of the pairing function. `MillerLoopResult`s cannot be compared with each
 /// other until `.final_exponentiation()` is called, which is also expensive.