Merge pull request #4 from jsign/jsign-migrate-ipa

innerproductargument: support for Gt

Author: jsign

group/g1.go

@@ -1,10 +1,12 @@
 package group
 
 import (
+	"fmt"
 	"math/big"
 
 	bls12381 "github.com/consensys/gnark-crypto/ecc/bls12-381"
 	"github.com/consensys/gnark-crypto/ecc/bls12-381/fr"
+	"github.com/jsign/curdleproofs/common"
 )
 
 type GroupG1 struct {
@@ -45,6 +47,26 @@ func (z *G1Element) AddAssign(e Element) Element {
 	return z
 }
 
+func (z *G1Element) Add(a, b Element) Element {
+	aa := a.(*G1Element).inner
+	bb := b.(*G1Element).inner
+	z.inner.Set(&aa)
+	z.inner.AddAssign(&bb)
+	return z
+}
+
+func (z *G1Element) MultiExp(base []Element, scalars []fr.Element) (Element, error) {
+	jacs := make([]bls12381.G1Jac, len(base))
+	for i := 0; i < len(base); i++ {
+		jacs[i] = base[i].(*G1Element).inner
+	}
+	affs := bls12381.BatchJacobianToAffineG1(jacs)
+	if _, err := z.inner.MultiExp(affs, scalars, common.MultiExpConf); err != nil {
+		return nil, fmt.Errorf("g1 multiexp: %s", err)
+	}
+	return z, nil
+}
+
 func (z *G1Element) Equal(e Element) bool {
 	ee := e.(*G1Element).inner
 	return z.inner.Equal(&ee)

group/group.go

@@ -1,7 +1,10 @@
 package group
 
 import (
+	"fmt"
+
 	"github.com/consensys/gnark-crypto/ecc/bls12-381/fr"
+	"github.com/jsign/curdleproofs/common"
 )
 
 type Group interface {
@@ -11,9 +14,11 @@ type Group interface {
 type Element interface {
 	ScalarMultiplication(e Element, scalar fr.Element) Element
 	Set(e Element) Element
+	Add(a, b Element) Element
 	AddAssign(e Element) Element
 	Equal(e Element) bool
 	Bytes() []byte
+	MultiExp([]Element, []fr.Element) (Element, error)
 }
 
 type GroupCommitment struct {
@@ -68,3 +73,73 @@ func (gc *GroupCommitment) Mul(scalar fr.Element) GroupCommitment {
 func (t GroupCommitment) Eq(cm GroupCommitment) bool {
 	return t.T_1.Equal(cm.T_1) && t.T_2.Equal(cm.T_2)
 }
+
+type MsmAccumulator struct {
+	g             Group
+	A_c           Element
+	baseScalarMap []msmCoeff
+}
+
+type msmCoeff struct {
+	basis  Element
+	scalar fr.Element
+}
+
+func NewMsmAccumulator(g Group) *MsmAccumulator {
+	return &MsmAccumulator{
+		g:             g,
+		A_c:           g.CreateElement(),
+		baseScalarMap: nil,
+	}
+}
+
+func (ma *MsmAccumulator) AccumulateCheck(
+	C Element,
+	scalar []fr.Element,
+	basis []Element,
+	rand *common.Rand) error {
+	if len(basis) != len(scalar) {
+		return fmt.Errorf("x and v must have the same length")
+	}
+
+	alpha, err := rand.GetFr()
+	if err != nil {
+		return fmt.Errorf("get random scalar: %s", err)
+	}
+
+	var tmp fr.Element
+outer:
+	for i := 0; i < len(basis); i++ {
+		tmp.Mul(&alpha, &scalar[i])
+
+		for j := range ma.baseScalarMap {
+			if ma.baseScalarMap[j].basis.Equal(basis[i]) {
+				var scalar fr.Element
+				scalar.Add(&ma.baseScalarMap[j].scalar, &tmp)
+				ma.baseScalarMap[j].scalar = scalar
+				continue outer
+			}
+		}
+		ma.baseScalarMap = append(ma.baseScalarMap, msmCoeff{basis: basis[i], scalar: tmp})
+	}
+	ma.A_c.AddAssign(C.ScalarMultiplication(C, alpha))
+
+	return nil
+}
+
+func (ma *MsmAccumulator) Verify() (bool, error) {
+	x := make([]fr.Element, 0, len(ma.baseScalarMap))
+	v := make([]Element, 0, len(ma.baseScalarMap))
+
+	for _, coeff := range ma.baseScalarMap {
+		v = append(v, coeff.basis)
+		x = append(x, coeff.scalar)
+	}
+
+	msmRes := ma.g.CreateElement()
+	if _, err := msmRes.MultiExp(v, x); err != nil {
+		return false, fmt.Errorf("computing msm: %s", err)
+	}
+
+	return msmRes.Equal(ma.A_c), nil
+}

group/gt.go

@@ -45,6 +45,23 @@ func (z *GtElement) AddAssign(e Element) Element {
 	return z
 }
 
+func (z *GtElement) Add(a, b Element) Element {
+	z.Set(a)
+	z.AddAssign(b)
+	return z
+}
+
+func (z *GtElement) MultiExp(basis []Element, scalars []fr.Element) (Element, error) {
+	// Maybe quite naive; but it works. Prob could use some Pippenger algorithm?
+	z.inner = bls12381.GT{}
+	for i := 0; i < len(basis); i++ {
+		var tmp GtElement
+		tmp.ScalarMultiplication(basis[i], scalars[i])
+		z.AddAssign(&tmp)
+	}
+	return z, nil
+}
+
 func (z *GtElement) Equal(e Element) bool {
 	ee := e.(*GtElement).inner
 	return z.inner.Equal(&ee)