barretenberg
group class. Represents an elliptic curve group element. The group is parametrised by coordinate_field (the field the point coordinates live in, aliased Fq) and subgroup_field (the scalar field, aliased Fr).
#include <group.hpp>
Public Types

| Kind | Declaration |
|---|---|
| using | coordinate_field = _coordinate_field |
| using | subgroup_field = _subgroup_field |
| using | element = group_elements::element< coordinate_field, subgroup_field, GroupParams > |
| using | affine_element = group_elements::affine_element< coordinate_field, subgroup_field, GroupParams > |
| using | Fq = coordinate_field |
| using | Fr = subgroup_field |
Static Public Member Functions

| Return type | Member | Brief |
|---|---|---|
| static constexpr std::vector< affine_element > | derive_generators (const std::vector< uint8_t > &domain_separator_bytes, const size_t num_generators, const size_t starting_index=0) | Derives generator points via hash-to-curve. |
| static constexpr std::vector< affine_element > | derive_generators (const std::string_view &domain_separator, const size_t num_generators, const size_t starting_index=0) | |
| static BBERG_INLINE void | conditional_negate_affine (const affine_element *src, affine_element *dest, uint64_t predicate) | |
Static Public Attributes

| Type | Attribute |
|---|---|
| static constexpr bool | USE_ENDOMORPHISM = GroupParams::USE_ENDOMORPHISM |
| static constexpr bool | has_a = GroupParams::has_a |
| static constexpr element | one { GroupParams::one_x, GroupParams::one_y, coordinate_field::one() } |
| static constexpr element | point_at_infinity = one.set_infinity() |
| static constexpr affine_element | affine_one { GroupParams::one_x, GroupParams::one_y } |
| static constexpr affine_element | affine_point_at_infinity = affine_one.set_infinity() |
| static constexpr coordinate_field | curve_a = GroupParams::a |
| static constexpr coordinate_field | curve_b = GroupParams::b |
Note: Currently subgroup checks are NOT IMPLEMENTED. Our current Plonk implementation uses G1 points that have a cofactor of 1, so every point on the G1 curve is already in the prime-order subgroup. All G2 points are precomputed (the generator [1]_2 and the trusted-setup point [x]_2); we explicitly assume these precomputed points are valid members of the prime-order subgroup of G2.
Template Parameters

| Parameter |
|---|
| coordinate_field |
| subgroup_field |
| GroupParams |

derive_generators (inline, static, constexpr)

Derives generator points via hash-to-curve.
ALGORITHM DESCRIPTION:

a. count upwards from 0
b. append count to the preimage buffer as a 1-byte integer in big-endian form
c. compute BLAKE3 hash of concat(preimage buffer, 0)
d. compute BLAKE3 hash of concat(preimage buffer, 1)
e. interpret (c, d) as (hi, low) limbs of a 512-bit integer
f. reduce the 512-bit integer modulo coordinate_field to produce the x-coordinate
g. attempt to derive the y-coordinate. If not successful, go to step (a) and continue
h. if the parity of the y-coordinate's least significant bit does not match the parity of the most significant bit of (d), invert the y-coordinate
j. return (x, y)

NOTE: In step 3b it is sufficient to use 1 byte to store count. Step 3 has a 50% chance of returning on each iteration, so the probability of count exceeding 256 is 1 in 2^256.

NOTE: The domain separator is included to ensure that it is possible to derive independent sets of index-addressable generators.

NOTE: We produce 64 bytes of BLAKE3 output when producing the x-coordinate field element, to ensure that the x-coordinate is uniformly randomly distributed in the field. Using a 256-bit input adds significant bias when reducing modulo a ~256-bit coordinate_field.

NOTE: We ensure the y-parity is linked to the preimage hash because there is no canonical deterministic square root algorithm (i.e. if a field element has a square root, there are two of them, and field::sqrt may return either one).
Parameters

| Name |
|---|
| num_generators |
| domain_separator |
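The following is an added example, not barretenberg's own code: it walks the derive_generators loop described above step by step over the BN254 G1 curve y^2 = x^3 + 3 (assumed here as the cofactor-1 G1 curve the note refers to; the page itself does not name it, and the parameters are taken from EIP-196), and then runs the prime-order subgroup check that the class note says is not implemented. Two further assumptions are labelled in the code: Python's standard library has no BLAKE3, so hashlib.blake2b with 32-byte digests stands in for it, and the preimage layout (domain separator followed by a 4-byte big-endian generator index) is constructed for this example rather than copied from the project.

```python
"""Hash-to-curve generator derivation (steps a-j above) plus a subgroup check.
Added example; not barretenberg code. BLAKE3 is replaced by blake2b (assumption)."""
import hashlib

# BN254 / alt_bn128 G1 parameters (assumed; values as published in EIP-196).
P = 21888242871839275222246405745257275088696311157297823662689037894645226208583
R = 21888242871839275222246405745257275088548364400416034343698204186575808495617
A, B = 0, 3          # curve y^2 = x^3 + 3; G1 has cofactor 1, so |E(F_p)| == R
INFINITY = None      # point at infinity in this affine toy implementation


def sqrt_mod_p(v):
    """Square root in F_p for p = 3 (mod 4). Returns None if v is a non-residue.
    Like field::sqrt on the page, which of the two roots comes back is arbitrary."""
    root = pow(v % P, (P + 1) // 4, P)
    return root if root * root % P == v % P else None


def h32(data):
    # Stand-in for a 32-byte BLAKE3 digest (assumption: blake2b is not BLAKE3).
    return hashlib.blake2b(data, digest_size=32).digest()


def derive_generators(domain_separator, num_generators, starting_index=0):
    """Returns num_generators affine points addressed by generator index."""
    points = []
    for idx in range(starting_index, starting_index + num_generators):
        # Constructed preimage layout: domain separator || 4-byte big-endian index.
        preimage = domain_separator + idx.to_bytes(4, "big")
        count = 0                                   # step a
        while True:
            buf = preimage + count.to_bytes(1, "big")  # step b: 1-byte count
            hi = h32(buf + b"\x00")                    # step c
            lo = h32(buf + b"\x01")                    # step d
            # steps e, f: 64 bytes of hash output reduced mod p keeps x close to
            # uniform; reducing only 32 bytes would bias x towards small values.
            x = int.from_bytes(hi + lo, "big") % P
            y = sqrt_mod_p(x ** 3 + A * x + B)          # step g
            if y is not None:
                break
            count += 1
            if count > 255:                            # unreachable in practice (2^-256)
                raise RuntimeError("count overflowed 1 byte")
        # step h: tie y's parity to the most significant bit of digest (d)
        if (y & 1) != (lo[0] >> 7):
            y = (P - y) % P
        points.append((x, y))                          # step j
    return points


def is_on_curve(pt):
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine short-Weierstrass addition, handling doubling and inverses."""
    if p1 is INFINITY:
        return p2
    if p2 is INFINITY:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INFINITY
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    acc = INFINITY
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def is_in_prime_subgroup(pt):
    """The check the class note says is missing: P is on the curve and r*P = O."""
    return is_on_curve(pt) and ec_mul(R, pt) is INFINITY


if __name__ == "__main__":
    gens = derive_generators(b"example domain", 3)
    for g in gens:
        print(hex(g[0])[:18], "on curve:", is_on_curve(g), "in subgroup:", is_in_prime_subgroup(g))
```

Because this curve has cofactor 1, every derived point passes is_in_prime_subgroup, which is exactly why the page can defer the check for G1; on a curve with cofactor h > 1 the same hash-to-curve loop can land outside the prime-order subgroup, and the check (or a cofactor-clearing multiplication by h) is what would catch or repair that.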