Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
g1.test.cpp
Go to the documentation of this file.
1#include "g1.hpp"
2#include "barretenberg/circuit_checker/circuit_checker.hpp"
3#include "barretenberg/ecc/groups/precomputed_generators_bn254_impl.hpp"
4#include <gtest/gtest.h>
5
6using namespace bb;
7
8namespace {
9// Double-and-add scalar mul without endomorphism, used as reference for differential testing.
10template <typename Group, typename Fr>
11typename Group::affine_element naive_scalar_mul(const typename Group::element& base, const Fr& scalar)
12{
13 typename Group::element acc = Group::point_at_infinity;
14 typename Group::element runner = base;
15 uint256_t bits(scalar);
16 for (size_t i = 0; i < 256; ++i) {
17 if (bits.get_bit(i)) {
18 acc = acc + runner;
19 }
20 runner = runner.dbl();
21 }
22 return typename Group::affine_element(acc);
23}
24} // namespace
25
26TEST(g1, RandomElement)
27{
28 g1::element result = g1::element::random_element();
29 EXPECT_EQ(result.on_curve(), true);
30}
31
32TEST(g1, RandomAffineElement)
33{
34 g1::affine_element result = g1::element::random_element();
35 EXPECT_EQ(result.on_curve(), true);
36}
37
38TEST(g1, Eq)
39{
40 g1::element a = g1::element::random_element();
41 g1::element b = a.normalize();
42
43 EXPECT_EQ(a == b, true);
44 EXPECT_EQ(a == a, true);
45
46 b.self_set_infinity();
47
48 EXPECT_EQ(a == b, false);
49 g1::element c = g1::element::random_element();
50
51 EXPECT_EQ(a == c, false);
52
53 a.self_set_infinity();
54
55 EXPECT_EQ(a == b, true);
56}
57
58TEST(g1, MixedAddCheckAgainstConstants)
59{
60 fq a_x{ 0x92716caa6cac6d26, 0x1e6e234136736544, 0x1bb04588cde00af0, 0x9a2ac922d97e6f5 };
61 fq a_y{ 0x9e693aeb52d79d2d, 0xf0c1895a61e5e975, 0x18cd7f5310ced70f, 0xac67920a22939ad };
62 fq a_z{ 0xfef593c9ce1df132, 0xe0486f801303c27d, 0x9bbd01ab881dc08e, 0x2a589badf38ec0f9 };
63 fq b_x{ 0xa1ec5d1398660db8, 0x6be3e1f6fd5d8ab1, 0x69173397dd272e11, 0x12575bbfe1198886 };
64 fq b_y{ 0xcfbfd4441138823e, 0xb5f817e28a1ef904, 0xefb7c5629dcc1c42, 0x1a9ed3d6f846230e };
65 fq expected_x{ 0x2a9d0201fccca20, 0x36f969b294f31776, 0xee5534422a6f646, 0x911dbc6b02310b6 };
66 fq expected_y{ 0x14c30aaeb4f135ef, 0x9c27c128ea2017a1, 0xf9b7d80c8315eabf, 0x35e628df8add760 };
67 fq expected_z{ 0xa43fe96673d10eb3, 0x88fbe6351753d410, 0x45c21cc9d99cb7d, 0x3018020aa6e9ede5 };
68 g1::element lhs;
69 g1::affine_element rhs;
70 g1::element result;
71 g1::element expected;
72 lhs.x = a_x.to_montgomery_form();
73 lhs.y = a_y.to_montgomery_form();
74 lhs.z = a_z.to_montgomery_form();
75 rhs.x = b_x.to_montgomery_form();
76 rhs.y = b_y.to_montgomery_form();
77 expected.x = expected_x.to_montgomery_form();
78 expected.y = expected_y.to_montgomery_form();
79 expected.z = expected_z.to_montgomery_form();
80 result = lhs + rhs;
81
82 EXPECT_EQ(result == expected, true);
83}
84
85TEST(g1, DblCheckAgainstConstants)
86{
87 fq a_x{ 0x8d1703aa518d827f, 0xd19cc40779f54f63, 0xabc11ce30d02728c, 0x10938940de3cbeec };
88 fq a_y{ 0xcf1798994f1258b4, 0x36307a354ad90a25, 0xcd84adb348c63007, 0x6266b85241aff3f };
89 fq a_z{ 0xe213e18fd2df7044, 0xb2f42355982c5bc8, 0xf65cf5150a3a9da1, 0xc43bde08b03aca2 };
90 fq expected_x{ 0xd5c6473044b2e67c, 0x89b185ea20951f3a, 0x4ac597219cf47467, 0x2d00482f63b12c86 };
91 fq expected_y{ 0x4e7e6c06a87e4314, 0x906a877a71735161, 0xaa7b9893cc370d39, 0x62f206bef795a05 };
92 fq expected_z{ 0x8813bdca7b0b115a, 0x929104dffdfabd22, 0x3fff575136879112, 0x18a299c1f683bdca };
93 g1::element lhs;
94 g1::element result;
95 g1::element expected;
96 lhs.x = a_x.to_montgomery_form();
97 lhs.y = a_y.to_montgomery_form();
98 lhs.z = a_z.to_montgomery_form();
99 expected.x = expected_x.to_montgomery_form();
100 expected.y = expected_y.to_montgomery_form();
101 expected.z = expected_z.to_montgomery_form();
102
103 result = lhs.dbl();
104 result.self_dbl();
105 result.self_dbl();
106
107 EXPECT_EQ(result == expected, true);
108}
109
110TEST(g1, AddCheckAgainstConstants)
111{
112 fq a_x{ 0x184b38afc6e2e09a, 0x4965cd1c3687f635, 0x334da8e7539e71c4, 0xf708d16cfe6e14 };
113 fq a_y{ 0x2a6ff6ffc739b3b6, 0x70761d618b513b9, 0xbf1645401de26ba1, 0x114a1616c164b980 };
114 fq a_z{ 0x10143ade26bbd57a, 0x98cf4e1f6c214053, 0x6bfdc534f6b00006, 0x1875e5068ababf2c };
115 fq b_x{ 0xafdb8a15c98bf74c, 0xac54df622a8d991a, 0xc6e5ae1f3dad4ec8, 0x1bd3fb4a59e19b52 };
116 fq b_y{ 0x21b3bb529bec20c0, 0xaabd496406ffb8c1, 0xcd3526c26ac5bdcb, 0x187ada6b8693c184 };
117 fq b_z{ 0xffcd440a228ed652, 0x8a795c8f234145f1, 0xd5279cdbabb05b95, 0xbdf19ba16fc607a };
118 fq expected_x{ 0x18764da36aa4cd81, 0xd15388d1fea9f3d3, 0xeb7c437de4bbd748, 0x2f09b712adf6f18f };
119 fq expected_y{ 0x50c5f3cab191498c, 0xe50aa3ce802ea3b5, 0xd9d6125b82ebeff8, 0x27e91ba0686e54fe };
120 fq expected_z{ 0xe4b81ef75fedf95, 0xf608edef14913c75, 0xfd9e178143224c96, 0xa8ae44990c8accd };
121 g1::element lhs;
122 g1::element rhs;
123 g1::element result;
124 g1::element expected;
125
126 lhs.x = a_x.to_montgomery_form();
127 lhs.y = a_y.to_montgomery_form();
128 lhs.z = a_z.to_montgomery_form();
129 rhs.x = b_x.to_montgomery_form();
130 rhs.y = b_y.to_montgomery_form();
131 rhs.z = b_z.to_montgomery_form();
132 expected.x = expected_x.to_montgomery_form();
133 expected.y = expected_y.to_montgomery_form();
134 expected.z = expected_z.to_montgomery_form();
135
136 result = lhs + rhs;
137
138 EXPECT_EQ(result == expected, true);
139}
140
141TEST(g1, AddExceptionTestInfinity)
142{
143 g1::element lhs = g1::element::random_element();
144 g1::element rhs;
145 g1::element result;
146
147 rhs = -lhs;
148
149 result = lhs + rhs;
150
151 EXPECT_EQ(result.is_point_at_infinity(), true);
152
153 g1::element rhs_b;
154 rhs_b = rhs;
155 rhs_b.self_set_infinity();
156
157 result = lhs + rhs_b;
158
159 EXPECT_EQ(lhs == result, true);
160
161 lhs.self_set_infinity();
162 result = lhs + rhs;
163
164 EXPECT_EQ(rhs == result, true);
165}
166
167TEST(g1, TestInfinity)
168{
169 g1::affine_element inf_affine = g1::affine_element::infinity();
170 EXPECT_EQ(inf_affine.is_point_at_infinity(), true);
171
172 g1::element inf_element = g1::element::infinity();
173 EXPECT_EQ(inf_element.is_point_at_infinity(), true);
174}
175
176TEST(g1, AddExceptionTestDbl)
177{
178 g1::element lhs = g1::element::random_element();
179 g1::element rhs;
180 rhs = lhs;
181
182 g1::element result;
183 g1::element expected;
184
185 result = lhs + rhs;
186 expected = lhs.dbl();
187
188 EXPECT_EQ(result == expected, true);
189}
190
191TEST(g1, AddAffineTest)
192{
193 g1::element lhs = g1::element::random_element();
194 g1::affine_element lhs_affine(lhs);
195
196 g1::element rhs = g1::element::random_element();
197 g1::affine_element rhs_affine(rhs);
198
199 g1::element expected = lhs + rhs;
200 g1::affine_element result = lhs_affine + rhs_affine;
201 EXPECT_EQ(g1::element(result) == expected, true);
202}
203
204TEST(g1, AddDblConsistency)
205{
206 g1::element a = g1::element::random_element();
207 g1::element b = g1::element::random_element();
208
209 g1::element c;
210 g1::element d;
211 g1::element add_result;
212 g1::element dbl_result;
213
214 c = a + b;
215 b = -b;
216 d = a + b;
217
218 add_result = c + d;
219 dbl_result = a.dbl();
220
221 EXPECT_EQ(add_result == dbl_result, true);
222}
223
224TEST(g1, AddDblConsistencyRepeated)
225{
226 g1::element a = g1::element::random_element();
227 g1::element b;
228 g1::element c;
229 g1::element d;
230 g1::element e;
231
232 g1::element result;
233 g1::element expected;
234
235 b = a.dbl(); // b = 2a
236 c = b.dbl(); // c = 4a
237
238 d = a + b; // d = 3a
239 e = a + c; // e = 5a
240 result = d + e; // result = 8a
241
242 expected = c.dbl(); // expected = 8a
243
244 EXPECT_EQ(result == expected, true);
245}
246
247TEST(g1, MixedAddExceptionTestInfinity)
248{
249 g1::element lhs = g1::one;
250 g1::affine_element rhs = g1::element::random_element();
251 fq::__copy(rhs.x, lhs.x);
252 lhs.y = -rhs.y;
253
254 g1::element result;
255 result = lhs + rhs;
256
257 EXPECT_EQ(result.is_point_at_infinity(), true);
258
259 lhs.self_set_infinity();
260 result = lhs + rhs;
261 g1::element rhs_c;
262 rhs_c = g1::element(rhs);
263
264 EXPECT_EQ(rhs_c == result, true);
265}
266
267TEST(g1, MixedAddExceptionTestDbl)
268{
269 g1::affine_element rhs = g1::element::random_element();
270 g1::element lhs;
271 lhs = g1::element(rhs);
272
273 g1::element result;
274 g1::element expected;
275 result = lhs + rhs;
276
277 expected = lhs.dbl();
278
279 EXPECT_EQ(result == expected, true);
280}
281
282TEST(g1, AddMixedAddConsistencyCheck)
283{
284 g1::affine_element rhs = g1::element::random_element();
285 g1::element lhs = g1::element::random_element();
286 g1::element rhs_b;
287 rhs_b = g1::element(rhs);
288
289 g1::element add_result;
290 g1::element mixed_add_result;
291 add_result = lhs + rhs_b;
292 mixed_add_result = lhs + rhs;
293
294 EXPECT_EQ(add_result == mixed_add_result, true);
295}
296
297TEST(g1, BatchNormalize)
298{
299 size_t num_points = 2;
300 std::vector<g1::element> points(num_points);
301 std::vector<g1::element> normalized(num_points);
302 for (size_t i = 0; i < num_points; ++i) {
303 g1::element a = g1::element::random_element();
304 g1::element b = g1::element::random_element();
305 points[i] = a + b;
306 normalized[i] = points[i];
307 }
308 g1::element::batch_normalize(&normalized[0], num_points);
309
310 for (size_t i = 0; i < num_points; ++i) {
311 fq zz;
312 fq zzz;
313 fq result_x;
314 fq result_y;
315 zz = points[i].z.sqr();
316 zzz = points[i].z * zz;
317 result_x = normalized[i].x * zz;
318 result_y = normalized[i].y * zzz;
319
320 EXPECT_EQ((result_x == points[i].x), true);
321 EXPECT_EQ((result_y == points[i].y), true);
322 }
323}
324
325TEST(g1, GroupExponentiationCheckAgainstConstants)
326{
327 fr a{ 0xb67299b792199cf0, 0xc1da7df1e7e12768, 0x692e427911532edf, 0x13dd85e87dc89978 };
328 a.self_to_montgomery_form();
329
330 fq expected_x{ 0x9bf840faf1b4ba00, 0xe81b7260d068e663, 0x7610c9a658d2c443, 0x278307cd3d0cddb0 };
331 fq expected_y{ 0xf6ed5fb779ebecb, 0x414ca771acbe183c, 0xe3692cb56dfbdb67, 0x3d3c5ed19b080a3 };
332
333 g1::affine_element expected;
334 expected.x = expected_x.to_montgomery_form();
335 expected.y = expected_y.to_montgomery_form();
336
337 g1::affine_element result(g1::one * a);
338
339 EXPECT_EQ(result == expected, true);
340}
341
342TEST(g1, OperatorOrdering)
343{
344 // fq a_x{ 0x92716caa6cac6d26, 0x1e6e234136736544, 0x1bb04588cde00af0, 0x9a2ac922d97e6f5 };
345 // fq a_y{ 0x9e693aeb52d79d2d, 0xf0c1895a61e5e975, 0x18cd7f5310ced70f, 0xac67920a22939ad };
346 // fq a_z{ 0xfef593c9ce1df132, 0xe0486f801303c27d, 0x9bbd01ab881dc08e, 0x2a589badf38ec0f9 };
347 fr scalar{ 0xcfbfd4441138823e, 0xb5f817e28a1ef904, 0xefb7c5629dcc1c42, 0x1a9ed3d6f846230e };
348 // fq expected_x{ 0x2a9d0201fccca20, 0x36f969b294f31776, 0xee5534422a6f646, 0x911dbc6b02310b6 };
349 // fq expected_y{ 0x14c30aaeb4f135ef, 0x9c27c128ea2017a1, 0xf9b7d80c8315eabf, 0x35e628df8add760 };
350 // fq expected_z{ 0xa43fe96673d10eb3, 0x88fbe6351753d410, 0x45c21cc9d99cb7d, 0x3018020aa6e9ede5 };
351
352 g1::element a = g1::one;
353 g1::affine_element b(a);
354
355 g1::element c = a + b;
356 g1::element d = b + a;
357 EXPECT_EQ(c, d);
358
359 g1::element e = a * scalar;
360 g1::element f = b * scalar;
361 g1::affine_element g = b * scalar;
362 g1::affine_element h = a * scalar;
363 EXPECT_EQ(e, f);
364 EXPECT_EQ(g, h);
365}
366
367TEST(g1, GroupExponentiationZeroAndOne)
368{
369 g1::affine_element result(g1::one * fr::zero());
370
371 EXPECT_EQ(result.is_point_at_infinity(), true);
372
373 result = g1::one * fr::one();
374
375 EXPECT_EQ(result == g1::affine_one, true);
376}
377
378TEST(g1, GroupExponentiationConsistencyCheck)
379{
380 fr a = fr::random_element();
381 fr b = fr::random_element();
382
383 fr c;
384 c = a * b;
385
386 g1::affine_element input = g1::affine_one;
387 g1::affine_element result(g1::element(input) * a);
388 result = g1::affine_element(g1::element(result) * b);
389
390 g1::affine_element expected = g1::affine_element(g1::element(input) * c);
391
392 EXPECT_EQ(result == expected, true);
393}
394
395TEST(g1, DeriveGenerators)
396{
397 constexpr size_t num_generators = 128;
398 auto result = g1::derive_generators("test domain", 128);
399
400 const auto is_unique = [&result](const g1::affine_element& y, const size_t j) {
401 for (size_t i = 0; i < result.size(); ++i) {
402 if ((i != j) && result[i] == y) {
403 return false;
404 }
405 }
406 return true;
407 };
408
409 for (size_t k = 0; k < num_generators; ++k) {
410 EXPECT_EQ(is_unique(result[k], k), true);
411 EXPECT_EQ(result[k].on_curve(), true);
412 }
413}
414
415TEST(g1, Serialize)
416{
417 g1::affine_element expected = g1::element::random_element();
418
419 std::vector<uint8_t> buffer(sizeof(g1::affine_element));
420
421 g1::affine_element::serialize_to_buffer(expected, &buffer[0]);
422
423 g1::affine_element result = g1::affine_element::serialize_from_buffer(&buffer[0]);
424
425 EXPECT_EQ(result == expected, true);
426}
427template <class T> void write(const T t)
428{
429 FILE* fp = fopen("/dev/null", "wb");
430 static_cast<void>(fwrite(&t, sizeof(t), 1, fp));
431 static_cast<void>(fclose(fp));
432}
433
434#if !defined(__wasm__)
435TEST(g1, InitializationCheck)
436{
437 // NOLINTNEXTLINE not our fault googletest uses `goto`!
438 EXPECT_NO_THROW(write<g1::affine_element>({}));
439}
440#endif
441
442TEST(g1, CheckPrecomputedGenerators)
443{
444 ASSERT_TRUE((bb::check_precomputed_generators<g1, "biggroup table offset generator", 1UL>()));
445 ASSERT_TRUE((bb::check_precomputed_generators<g1, "biggroup offset generator", 1UL>()));
446 ASSERT_TRUE((bb::check_precomputed_generators<g1, "ECCVM_OFFSET_GENERATOR", 1UL>()));
447 ASSERT_TRUE((bb::check_precomputed_generators<g1, "test generators", 2UL>()));
448}
449
450// Regression: boundary scalars k = ceil(m * 2^256 / endo_g2) (from endomorphism_scalars.py)
451// previously triggered the negative-k2 bug in split_into_endomorphism_scalars, producing wrong
452// scalar multiplication results. We test boundaries and random samples within each band.
453TEST(g1, ScalarMulNegativeK2Regression)
454{
455 // clang-format off
456 struct test_case { std::array<uint64_t, 4> limbs; const char* tag; };
457 const std::array<test_case, 3> boundary_cases = {{
458 {{ 0x01624731e1195570, 0x3ba491482db4da14, 0x59e26bcea0d48bac, 0x0 }, "m=1"},
459 {{ 0x02c48e63c232aadf, 0x774922905b69b428, 0xb3c4d79d41a91758, 0x0 }, "m=2"},
460 {{ 0x0426d595a34c004e, 0xb2edb3d8891e8e3c, 0x0da7436be27da304, 0x1 }, "m=3"},
461 }};
462 // clang-format on
463
464 for (const auto& tc : boundary_cases) {
465 fr base_scalar{ tc.limbs[0], tc.limbs[1], tc.limbs[2], tc.limbs[3] };
466 base_scalar.self_to_montgomery_form();
467
468 g1::affine_element endo_result(g1::one * base_scalar);
469 g1::affine_element naive_result = naive_scalar_mul<g1, fr>(g1::one, base_scalar);
470 EXPECT_EQ(naive_result.on_curve(), true) << tc.tag;
471 EXPECT_EQ(endo_result.on_curve(), true) << tc.tag;
472 EXPECT_EQ(endo_result, naive_result) << tc.tag;
473
474 // Random samples within the formerly-buggy band (~2^123-2^126 wide; 122-bit offsets).
475 for (size_t i = 0; i < 100; ++i) {
476 uint256_t rand_bits(fr::random_element());
477 uint256_t offset_int = (rand_bits & ((uint256_t(1) << 122) - 1)) + 1;
478 fr scalar = base_scalar + fr(offset_int);
479
480 g1::affine_element endo_res(g1::one * scalar);
481 g1::affine_element naive_res = naive_scalar_mul<g1, fr>(g1::one, scalar);
482 EXPECT_EQ(naive_res.on_curve(), true) << tc.tag << " offset " << i;
483 EXPECT_EQ(endo_res.on_curve(), true) << tc.tag << " offset " << i;
484 EXPECT_EQ(endo_res, naive_res) << tc.tag << " offset " << i;
485 }
486 }
487}
circuit_checker.hpp
bb::group_elements::affine_element
Definition affine_element.hpp:27
bb::group_elements::affine_element::is_point_at_infinity
constexpr bool is_point_at_infinity() const noexcept
Definition affine_element_impl.hpp:113
bb::group_elements::affine_element::x
Fq x
Definition affine_element.hpp:203
bb::group_elements::affine_element::on_curve
constexpr bool on_curve() const noexcept
Definition affine_element_impl.hpp:125
bb::group_elements::affine_element::y
Fq y
Definition affine_element.hpp:204
bb::group_elements::element
element class. Implements ecc group arithmetic using Jacobian coordinates See https://hyperelliptic....
Definition element.hpp:33
bb::group_elements::element::y
Fq y
Definition element.hpp:119
bb::group_elements::element::z
Fq z
Definition element.hpp:120
bb::group_elements::element::dbl
constexpr element dbl() const noexcept
Definition element_impl.hpp:151
bb::group_elements::element::self_dbl
constexpr void self_dbl() noexcept
Definition element_impl.hpp:82
bb::group_elements::element::on_curve
BB_INLINE constexpr bool on_curve() const noexcept
Definition element_impl.hpp:445
bb::group_elements::element::x
Fq x
Definition element.hpp:118
bb::group_elements::element::self_set_infinity
BB_INLINE constexpr void self_set_infinity() noexcept
Definition element_impl.hpp:418
bb::group_elements::element::is_point_at_infinity
BB_INLINE constexpr bool is_point_at_infinity() const noexcept
Definition element_impl.hpp:434
bb::group
group class. Represents an elliptic curve group element. Group is parametrised by Fq and Fr
Definition group.hpp:36
bb::group::affine_element
group_elements::affine_element< Fq, Fr, Params > affine_element
Definition group.hpp:42
bb::group::one
static constexpr element one
Definition group.hpp:46
bb::group::affine_one
static constexpr affine_element affine_one
Definition group.hpp:48
bb::group::element
group_elements::element< Fq, Fr, Params > element
Definition group.hpp:41
bb::group::derive_generators
static std::vector< affine_element > derive_generators(const std::vector< uint8_t > &domain_separator_bytes, const size_t num_generators, const size_t starting_index=0)
Derives generator points via hash-to-curve.
Definition group.hpp:87
bb::numeric::uint256_t
Definition uint256.hpp:32
a
FF a
Definition field_gt.test.cpp:52
b
FF b
Definition field_gt.test.cpp:53
buffer
std::unique_ptr< uint8_t[]> buffer
Definition engine.cpp:50
write
void write(const T t)
Definition g1.test.cpp:427
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
bb::fr
field< Bn254FrParams > fr
Definition fr.hpp:174
bb::TEST
TEST(BoomerangMegaCircuitBuilder, BasicCircuit)
Definition graph_description_megacircuitbuilder.test.cpp:22
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
precomputed_generators_bn254_impl.hpp
bb::field< Bn254FrParams >::one
static constexpr field one()
Definition field_declarations.hpp:274
bb::field::to_montgomery_form
BB_INLINE constexpr field to_montgomery_form() const noexcept
Definition field_impl.hpp:296
bb::field< Bn254FrParams >::random_element
static field random_element(numeric::RNG *engine=nullptr) noexcept
Definition field_impl.hpp:783
bb::field::sqr
BB_INLINE constexpr field sqr() const noexcept
Definition field_impl.hpp:69
bb::field< Bn254FqParams >::__copy
static BB_INLINE void __copy(const field &a, field &r) noexcept
Definition field_declarations.hpp:612
bb::field::self_to_montgomery_form
BB_INLINE constexpr void self_to_montgomery_form() &noexcept
Definition field_impl.hpp:309
bb::field< Bn254FrParams >::zero
static constexpr field zero()
Definition field_declarations.hpp:272