chore: update to ff/group 0.13 (#166)

* chore: update to ff/group 0.13 and associated dependencies

Updates:
- zkcrypto/ff, zkcrypto/group to 0.13,
- bellperson to 0.25,
- pasta_curves to 0.5.1, and removes the fil_pasta_curves fork
- pasta-msm should no longer need a fork (WIP)

Adapts source in function, mostly for const usage and API updates.

* expose the portable feature of pasta-MSM

* update pointer to pasta-msm

* Clippy

---------

Co-authored-by: François Garillot <francois@garillot.net>

Cargo.toml

@@ -11,17 +11,17 @@ license-file = "LICENSE"
 keywords = ["zkSNARKs", "cryptography", "proofs"]
 
 [dependencies]
-bellperson = { version = "0.24", default-features = false }
-ff = { version = "0.12.0", features = ["derive"] }
+bellperson = { version = "0.25", default-features = false }
+ff = { version = "0.13.0", features = ["derive"] }
 digest = "0.8.1"
 sha3 = "0.8.2"
 rayon = "1.3.0"
 rand_core = { version = "0.6.0", default-features = false }
 rand_chacha = "0.3"
 itertools = "0.9.0"
 subtle = "2.4"
-pasta_curves = { version = "0.5.2", features = ["repr-c", "serde"], package = "fil_pasta_curves" }
-neptune = { version = "8.1.0", default-features = false }
+pasta_curves = { version = "0.5", features = ["repr-c", "serde"] }
+neptune = { version = "9.0.0", default-features = false }
 generic-array = "0.14.4"
 num-bigint = { version = "0.4", features = ["serde", "rand"] }
 num-traits = "0.2"
@@ -34,7 +34,7 @@ byteorder = "1.4.3"
 thiserror = "1.0" 
 
 [target.'cfg(any(target_arch = "x86_64", target_arch = "aarch64"))'.dependencies]
-pasta-msm = { version = "0.1.0", package = "lurk-pasta-msm" }
+pasta-msm = { version = "0.1.4" }
 
 [dev-dependencies]
 criterion = "0.3.1"
@@ -51,5 +51,7 @@ harness = false
 
 [features]
 default = []
+# Compiles in portable mode, w/o ISA extensions => binary can be executed on all systems.
+portable = ["pasta-msm/portable"]
 cuda = ["neptune/cuda", "neptune/pasta", "neptune/arity24"]
 opencl = ["neptune/opencl", "neptune/pasta", "neptune/arity24"]

examples/signature.rs

@@ -73,7 +73,7 @@ where
   }
 
   fn mul_bits<B: AsRef<[u64]>>(s: &G::Scalar, bits: BitIterator<B>) -> G::Scalar {
-    let mut x = G::Scalar::zero();
+    let mut x = G::Scalar::ZERO;
     for bit in bits {
       x = x.double();
 
@@ -88,14 +88,14 @@ where
     assert_eq!(digest.len(), 64);
     let mut bits: [u64; 8] = [0; 8];
     LittleEndian::read_u64_into(digest, &mut bits);
-    Self::mul_bits(&G::Scalar::one(), BitIterator::new(bits))
+    Self::mul_bits(&G::Scalar::ONE, BitIterator::new(bits))
   }
 
   pub fn to_uniform_32(digest: &[u8]) -> G::Scalar {
     assert_eq!(digest.len(), 32);
     let mut bits: [u64; 4] = [0; 4];
     LittleEndian::read_u64_into(digest, &mut bits);
-    Self::mul_bits(&G::Scalar::one(), BitIterator::new(bits))
+    Self::mul_bits(&G::Scalar::ONE, BitIterator::new(bits))
   }
 
   pub fn hash_to_scalar(persona: &[u8], a: &[u8], b: &[u8]) -> G::Scalar {

src/bellperson/mod.rs

@@ -20,15 +20,15 @@ mod tests {
     cs: &mut CS,
   ) -> Result<(), SynthesisError> {
     // get two bits as input and check that they are indeed bits
-    let a = AllocatedNum::alloc(cs.namespace(|| "a"), || Ok(Fr::one()))?;
+    let a = AllocatedNum::alloc(cs.namespace(|| "a"), || Ok(Fr::ONE))?;
     let _ = a.inputize(cs.namespace(|| "a is input"));
     cs.enforce(
       || "check a is 0 or 1",
       |lc| lc + CS::one() - a.get_variable(),
       |lc| lc + a.get_variable(),
       |lc| lc,
     );
-    let b = AllocatedNum::alloc(cs.namespace(|| "b"), || Ok(Fr::one()))?;
+    let b = AllocatedNum::alloc(cs.namespace(|| "b"), || Ok(Fr::ONE))?;
     let _ = b.inputize(cs.namespace(|| "b is input"));
     cs.enforce(
       || "check b is 0 or 1",

src/bellperson/r1cs.rs

@@ -102,7 +102,7 @@ fn add_constraint<S: PrimeField>(
 ) {
   let (A, B, C, nn) = X;
   let n = **nn;
-  let one = S::one();
+  let one = S::ONE;
 
   let add_constraint_component = |index: Index, coeff, V: &mut Vec<_>| {
     match index {

src/bellperson/shape_cs.rs

@@ -73,7 +73,7 @@ fn proc_lc<Scalar: PrimeField>(
   for (var, &coeff) in terms.iter() {
     map
       .entry(OrderedVariable(var))
-      .or_insert_with(Scalar::zero)
+      .or_insert_with(|| Scalar::ZERO)
       .add_assign(&coeff);
   }
 
@@ -144,7 +144,7 @@ where
       writeln!(s, "INPUT {}", &input).unwrap()
     }
 
-    let negone = -<G::Scalar>::one();
+    let negone = -<G::Scalar>::ONE;
 
     let powers_of_two = (0..G::Scalar::NUM_BITS)
       .map(|i| G::Scalar::from(2u64).pow_vartime([u64::from(i)]))
@@ -161,7 +161,7 @@ where
         }
         is_first = false;
 
-        if coeff != <G::Scalar>::one() && coeff != negone {
+        if coeff != <G::Scalar>::ONE && coeff != negone {
           for (i, x) in powers_of_two.iter().enumerate() {
             if x == &coeff {
               write!(s, "2^{i} . ").unwrap();

src/bellperson/solver.rs

@@ -91,7 +91,7 @@ where
   type Root = Self;
 
   fn new() -> Self {
-    let input_assignment = vec![G::Scalar::one()];
+    let input_assignment = vec![G::Scalar::ONE];
     let mut d = DensityTracker::new();
     d.add_element();
 

src/circuit.rs

@@ -146,7 +146,7 @@ impl<G: Group, SC: StepCircuit<G::Base>> NovaAugmentedCircuit<G, SC> {
       .collect::<Result<Vec<AllocatedNum<G::Base>>, _>>()?;
 
     // Allocate zi. If inputs.zi is not provided (base case) allocate default value 0
-    let zero = vec![G::Base::zero(); arity];
+    let zero = vec![G::Base::ZERO; arity];
     let z_i = (0..arity)
       .map(|i| {
         AllocatedNum::alloc(cs.namespace(|| format!("zi_{i}")), || {
@@ -318,7 +318,7 @@ impl<G: Group, SC: StepCircuit<G::Base>> Circuit<<G as Group>::Base>
 
     // Compute i + 1
     let i_new = AllocatedNum::alloc(cs.namespace(|| "i + 1"), || {
-      Ok(*i.get_value().get()? + G::Base::one())
+      Ok(*i.get_value().get()? + G::Base::ONE)
     })?;
     cs.enforce(
       || "check i + 1",
@@ -417,7 +417,7 @@ mod tests {
     assert_eq!(cs.num_constraints(), 10347);
 
     // Execute the base case for the primary
-    let zero1 = <<G2 as Group>::Base as Field>::zero();
+    let zero1 = <<G2 as Group>::Base as Field>::ZERO;
     let mut cs1: SatisfyingAssignment<G1> = SatisfyingAssignment::new();
     let inputs1: NovaAugmentedCircuitInputs<G2> = NovaAugmentedCircuitInputs::new(
       shape2.get_digest(),
@@ -441,7 +441,7 @@ mod tests {
     assert!(shape1.is_sat(&ck1, &inst1, &witness1).is_ok());
 
     // Execute the base case for the secondary
-    let zero2 = <<G1 as Group>::Base as Field>::zero();
+    let zero2 = <<G1 as Group>::Base as Field>::ZERO;
     let mut cs2: SatisfyingAssignment<G2> = SatisfyingAssignment::new();
     let inputs2: NovaAugmentedCircuitInputs<G1> = NovaAugmentedCircuitInputs::new(
       shape1.get_digest(),

src/gadgets/ecc.rs

@@ -43,16 +43,16 @@ where
     CS: ConstraintSystem<G::Base>,
   {
     let x = AllocatedNum::alloc(cs.namespace(|| "x"), || {
-      Ok(coords.map_or(G::Base::zero(), |c| c.0))
+      Ok(coords.map_or(G::Base::ZERO, |c| c.0))
     })?;
     let y = AllocatedNum::alloc(cs.namespace(|| "y"), || {
-      Ok(coords.map_or(G::Base::zero(), |c| c.1))
+      Ok(coords.map_or(G::Base::ZERO, |c| c.1))
     })?;
     let is_infinity = AllocatedNum::alloc(cs.namespace(|| "is_infinity"), || {
       Ok(if coords.map_or(true, |c| c.2) {
-        G::Base::one()
+        G::Base::ONE
       } else {
-        G::Base::zero()
+        G::Base::ZERO
       })
     })?;
     cs.enforce(
@@ -177,9 +177,9 @@ where
     // NOT(NOT(self.is_ifninity) AND NOT(other.is_infinity))
     let at_least_one_inf = AllocatedNum::alloc(cs.namespace(|| "at least one inf"), || {
       Ok(
-        G::Base::one()
-          - (G::Base::one() - *self.is_infinity.get_value().get()?)
-            * (G::Base::one() - *other.is_infinity.get_value().get()?),
+        G::Base::ONE
+          - (G::Base::ONE - *self.is_infinity.get_value().get()?)
+            * (G::Base::ONE - *other.is_infinity.get_value().get()?),
       )
     })?;
     cs.enforce(
@@ -193,7 +193,7 @@ where
     let x_diff_is_actual =
       AllocatedNum::alloc(cs.namespace(|| "allocate x_diff_is_actual"), || {
         Ok(if *equal_x.get_value().get()? {
-          G::Base::one()
+          G::Base::ONE
         } else {
           *at_least_one_inf.get_value().get()?
         })
@@ -215,9 +215,9 @@ where
     )?;
 
     let lambda = AllocatedNum::alloc(cs.namespace(|| "lambda"), || {
-      let x_diff_inv = if *x_diff_is_actual.get_value().get()? == G::Base::one() {
+      let x_diff_inv = if *x_diff_is_actual.get_value().get()? == G::Base::ONE {
         // Set to default
-        G::Base::one()
+        G::Base::ONE
       } else {
         // Set to the actual inverse
         (*other.x.get_value().get()? - *self.x.get_value().get()?)
@@ -328,7 +328,7 @@ where
     //  * (G::Base::from(2)) * self.y).invert().unwrap();
     /*************************************************************/
 
-    // Compute tmp = (G::Base::one() + G::Base::one())* self.y ? self != inf : 1
+    // Compute tmp = (G::Base::ONE + G::Base::ONE)* self.y ? self != inf : 1
     let tmp_actual = AllocatedNum::alloc(cs.namespace(|| "tmp_actual"), || {
       Ok(*self.y.get_value().get()? + *self.y.get_value().get()?)
     })?;
@@ -354,9 +354,9 @@ where
     );
 
     let lambda = AllocatedNum::alloc(cs.namespace(|| "alloc lambda"), || {
-      let tmp_inv = if *self.is_infinity.get_value().get()? == G::Base::one() {
+      let tmp_inv = if *self.is_infinity.get_value().get()? == G::Base::ONE {
         // Return default value 1
-        G::Base::one()
+        G::Base::ONE
       } else {
         // Return the actual inverse
         (*tmp.get_value().get()?).invert().unwrap()
@@ -622,7 +622,7 @@ where
     // allocate a free variable that an honest prover sets to lambda = (y2-y1)/(x2-x1)
     let lambda = AllocatedNum::alloc(cs.namespace(|| "lambda"), || {
       if *other.x.get_value().get()? == *self.x.get_value().get()? {
-        Ok(G::Base::one())
+        Ok(G::Base::ONE)
       } else {
         Ok(
           (*other.y.get_value().get()? - *self.y.get_value().get()?)
@@ -688,8 +688,8 @@ where
     let lambda = AllocatedNum::alloc(cs.namespace(|| "lambda"), || {
       let n = G::Base::from(3) * x_sq.get_value().get()? + G::get_curve_params().0;
       let d = G::Base::from(2) * *self.y.get_value().get()?;
-      if d == G::Base::zero() {
-        Ok(G::Base::one())
+      if d == G::Base::ZERO {
+        Ok(G::Base::ONE)
       } else {
         Ok(n * d.invert().unwrap())
       }
@@ -803,8 +803,8 @@ mod tests {
         } else {
           // if self.x == other.x and self.y != other.y then return infinity
           Self {
-            x: G::Base::zero(),
-            y: G::Base::zero(),
+            x: G::Base::ZERO,
+            y: G::Base::ZERO,
             is_infinity: true,
           }
         }
@@ -836,18 +836,16 @@ mod tests {
     pub fn double(&self) -> Self {
       if self.is_infinity {
         return Self {
-          x: G::Base::zero(),
-          y: G::Base::zero(),
+          x: G::Base::ZERO,
+          y: G::Base::ZERO,
           is_infinity: true,
         };
       }
 
       let lambda = G::Base::from(3)
         * self.x
         * self.x
-        * ((G::Base::one() + G::Base::one()) * self.y)
-          .invert()
-          .unwrap();
+        * ((G::Base::ONE + G::Base::ONE) * self.y).invert().unwrap();
       let x = lambda * lambda - self.x - self.x;
       let y = lambda * (self.x - x) - self.y;
       Self {
@@ -859,8 +857,8 @@ mod tests {
 
     pub fn scalar_mul(&self, scalar: &G::Scalar) -> Self {
       let mut res = Self {
-        x: G::Base::zero(),
-        y: G::Base::zero(),
+        x: G::Base::ZERO,
+        y: G::Base::ZERO,
         is_infinity: true,
       };
 
@@ -985,12 +983,12 @@ mod tests {
     let a_p: Point<G1> = Point::new(
       a.x.get_value().unwrap(),
       a.y.get_value().unwrap(),
-      a.is_infinity.get_value().unwrap() == <G1 as Group>::Base::one(),
+      a.is_infinity.get_value().unwrap() == <G1 as Group>::Base::ONE,
     );
     let e_p: Point<G1> = Point::new(
       e.x.get_value().unwrap(),
       e.y.get_value().unwrap(),
-      e.is_infinity.get_value().unwrap() == <G1 as Group>::Base::one(),
+      e.is_infinity.get_value().unwrap() == <G1 as Group>::Base::ONE,
     );
     let e_new = a_p.scalar_mul(&s);
     assert!(e_p.x == e_new.x && e_p.y == e_new.y);
@@ -1025,12 +1023,12 @@ mod tests {
     let a_p: Point<G1> = Point::new(
       a.x.get_value().unwrap(),
       a.y.get_value().unwrap(),
-      a.is_infinity.get_value().unwrap() == <G1 as Group>::Base::one(),
+      a.is_infinity.get_value().unwrap() == <G1 as Group>::Base::ONE,
     );
     let e_p: Point<G1> = Point::new(
       e.x.get_value().unwrap(),
       e.y.get_value().unwrap(),
-      e.is_infinity.get_value().unwrap() == <G1 as Group>::Base::one(),
+      e.is_infinity.get_value().unwrap() == <G1 as Group>::Base::ONE,
     );
     let e_new = a_p.add(&a_p);
     assert!(e_p.x == e_new.x && e_p.y == e_new.y);
@@ -1047,7 +1045,7 @@ mod tests {
     inputize_allocted_point(&a, cs.namespace(|| "inputize a")).unwrap();
     let mut b = a.clone();
     b.y = AllocatedNum::alloc(cs.namespace(|| "allocate negation of a"), || {
-      Ok(G::Base::zero())
+      Ok(G::Base::ZERO)
     })
     .unwrap();
     inputize_allocted_point(&b, cs.namespace(|| "inputize b")).unwrap();
@@ -1070,7 +1068,7 @@ mod tests {
     let e_p: Point<G1> = Point::new(
       e.x.get_value().unwrap(),
       e.y.get_value().unwrap(),
-      e.is_infinity.get_value().unwrap() == <G1 as Group>::Base::one(),
+      e.is_infinity.get_value().unwrap() == <G1 as Group>::Base::ONE,
     );
     assert!(e_p.is_infinity);
     // Make sure that it is satisfiable