Refactor Ginger-Lib

Cargo.toml

@@ -38,6 +38,7 @@ debug = true
 # [patch.'https://github.com/HorizenOfficial/ginger-lib']
 # algebra = { path = './algebra' }
 # r1cs-core = { path = "./r1cs/core" }
+# r1cs-std = { path = "./r1cs/gadgets/std" }
 
 # [patch.'https://github.com/HorizenLabs/marlin']
 # marlin = { path = '../marlin' }

README.md

@@ -35,7 +35,7 @@ The high-level structure of the repository is as follows:
 
 * [`algebra`](algebra):  implements the mathematical base components:  large integers, finite fields, elliptic curves, and fast Fourier transform.
 * [`primitives`](primitives): serves basic cryptographic primitives (such as hash functions and Merkle trees, signature schemes, verifiable random functions).
-* [`proof-systems`](proof-systems): This is the main crate for the Darlin protocol suite. It provides the traits and structs for proof carrying data and the above mentioned proof systems. [Groth16](https://ia.cr/2016/260) and [GM17](https://ia.cr/2017/540) proving systems have been kept too for backward compatibility.
+* [`proof-systems`](proof-systems): This is the main crate for the Darlin protocol suite. It provides the traits and structs for proof carrying data and the above mentioned proof systems.
 * [`r1cs-core`](r1cs/core): Defines core functionalities for rank-1 constraint systems (the circuit synthesizer). 
 * [`r1cs-std`](r1cs/gadgets/std): This crate contains elementary "standard" circuits (or, "gadgets"): Boolean operations, native field and elliptic curve arithmetics.  
 * [`r1cs-crypto`](r1cs/gadgets/crypto): Provides the circuits for various cryptographic primitives, such as the Poseidon hash, signature schemes, and SNARK verifiers.

algebra/Cargo.toml

@@ -39,6 +39,7 @@ num-traits = { version = "=0.2.14", default-features = false }
 colored = { version = "=2.0.0", optional = true }
 rayon = { version = "=1.5.1", optional = true }
 clippy = { version = "=0.0.302", optional = true }
+itertools = "0.10.2"
 
 unroll = "=0.1.5"
 

algebra/benches/criterion_msm/variable_msm_tweedle.rs

@@ -77,7 +77,7 @@ fn variable_msm(c: &mut Criterion) {
                 b.iter_batched(
                     || {
                         let (v, g) = load_data(samples);
-                        (v, DeeJacobian::batch_into_affine(g.as_slice()).unwrap())
+                        (v, DeeJacobian::batch_into_affine(g).unwrap())
                     },
                     |(v, g)| {
                         add_to_trace!(

algebra/src/curves/check_curve_parameters.sage

@@ -60,6 +60,7 @@ filename = sys.argv[1]
 with open(filename) as myfile:
     readfile = myfile.read()
 
+# TODO: Handle the Montgomery and Twisted Edwards parameters too.
 #### Checking if the file contains Short Weierstrass parameters. If not, the check is interrupted.
 #### If there are Twisted Edwards and Montgomery parameters, they are discarded.
 if 'SWModelParameters' in readfile:
@@ -199,19 +200,21 @@ if endo_mul_is_used:
         print("WARNING! ENDO_COEFF AND ENDO_SCALAR ARE NOT CONSISTENT!")
 
 
-########## Checking that shortest vector in the lattice ([1,zeta_r),[0,r]) is long enough #########
-## The Halo paper (https://eprint.iacr.org/2019/1021.pdf) proves the injectivity of the endo_mul map.
-## The injectivity of the map (a,b) |-> a\zeta_r + b for a,b in [0,A] (essential for using add_unsafe)
-## is equivalent the lattice condition below.
+# ########## Checking that shortest vector in the lattice ([1,zeta_r),[0,r]) is long enough #########
+# The security of the endomorphism-based scalar multiplication(as well as its optimized gadget) relies on the injectivity of the map 
+#                           L: (a,b) -> a * zeta_r + b, 
+# restricted to scalars a, b from the interval [0, A], where A = 2^(lambda/2 + 1) + 2^(lambda/2) -1, 
+# see https://eprint.iacr.org/2019/1021.pdf. Unlike in this paper, we conclude the injectivity from the following lattice argument:
 ## a*zeta_r + b = a'*zeta_r + b' mod r   for a,a',b,b' in [0,A] 
 ## is equivalent to the fact that there are non-zero solutions to 
 ##      a * zeta_r = b mod r      for a,b in [-A,A].
 ## Then it would exists c such that
 ##      b = a * zeta_r + c * r.
-## Any such solution correspond to a point of the lattice spanned by (1, zeta_r) and (0, r).
+## Observe that, if (a,b) is a solution of the equation above, then it is also a point
+## of the lattice spanned by (1, zeta_r) and (0, r) of length at most \sqrt(2) * A.
 ##      (a, b) = (a, c) * (1  zeta_r)
 ##                        (0    r )
-## The injectivity is equivalent to the fact that the intersection between this lattice and [-A, A]^2
+## The injectivity of the map L is equivalent to the fact that the intersection between this lattice and [-A, A]^2
 ## is trivial. To verify this we first compute a LLL reduced basis {v,w} and
 ## then check if at least one of v, w, v + w, v - w is belongs to such a square.
 ## If not, there can't be other lattice points in the square.

algebra/src/curves/ed25519/mod.rs

@@ -55,7 +55,7 @@ const TE_Y: Fq = field_new!(
     ])
 );
 
-/// The curve ed25519 in https://en.wikipedia.org/wiki/EdDSA#Ed25519
+/// The curve ed25519 describe in https://en.wikipedia.org/wiki/Curve25519.
 /// is a twisted Edwards curve. These curves have equations of the
 /// form: ax² + y² = 1 - dx²y².
 /// over some base finite field Fq.

algebra/src/curves/ed25519/tests.rs

@@ -24,7 +24,7 @@ mod twisted_edwards {
     use super::*;
     #[test]
     fn test_curve() {
-        curve_tests::<TEEd25519>(true);
+        curve_tests::<TEEd25519>();
         edwards_tests::<Ed25519Parameters>()
     }
 
@@ -48,7 +48,7 @@ mod short_weierstrass {
     use super::*;
     #[test]
     fn test_curve() {
-        curve_tests::<SWEd25519>(false);
+        curve_tests::<SWEd25519>();
         sw_jacobian_tests::<Ed25519Parameters>()
     }
 

algebra/src/curves/mod.rs

@@ -29,6 +29,10 @@ pub mod tests;
 pub use self::models::*;
 
 /// Projective representation of an elliptic curve point.
+/// This trait t serves curve-specific functions not covered
+/// by the Group trait, in particular representation-specific
+/// (i.e. mixed-type) arithmetic functions, that usually are
+/// significantly faster.
 pub trait Curve:
     Group
     + Copy // TODO: Let's consider removing this
@@ -71,10 +75,10 @@ pub trait Curve:
 
     /// Convert, if possible, a batch of `self` points to their affine equivalent.
     #[inline]
-    fn batch_into_affine<'a>(vec_self: &'a [Self]) -> Result<Vec<Self::AffineRep>, Error> {
+    fn batch_into_affine(vec_self: Vec<Self>) -> Result<Vec<Self::AffineRep>, Error> {
         vec_self
-            .iter()
-            .map(|&projective| projective.into_affine())
+            .into_iter()
+            .map(|projective| projective.into_affine())
             .collect::<Result<Vec<_>, _>>()
     }
 
@@ -93,7 +97,8 @@ pub trait Curve:
     /// Add assign an affine point `other` to `self`, using mixed addition formulas.
     fn add_assign_affine(&mut self, other: &Self::AffineRep);
 
-    /// Add, pairwise, the elements of each vector in `to_add`
+    /// Given a batch of vectors, collapses them into single-element vectors carrying
+    /// their respective additive totals.   
     fn add_in_place_affine_many(to_add: &mut [Vec<Self::AffineRep>]);
 
     /// Multiply `self` by the scalar represented by `bits`. 
@@ -117,24 +122,6 @@ pub trait Curve:
     /// Multiply `self` by the inverse of the cofactor in `Self::ScalarField`.
     fn scale_by_cofactor_inv(&self) -> Self;
 
-    /// Normalize `self` so that conversion to affine is cheap. Output the normalized point.
-    fn normalize(&self) -> Self;
-
-    /// Normalize `self` so that conversion to affine is cheap.
-    fn normalize_assign(&mut self);
-
-    /// Return true if `self` is normalized, false otherwise.
-    fn is_normalized(&self) -> bool;
-
-    /// Normalize a slice of projective elements so that conversion to affine is cheap.
-    fn batch_normalization(v: &mut [Self]);
-
-    /// Normalize a slice of projective elements and outputs a vector containing the affine equivalents.
-    fn batch_normalization_into_affine(mut v: Vec<Self>) -> Result<Vec<Self::AffineRep>, Error> {
-        Self::batch_normalization(v.as_mut_slice());
-        Self::batch_into_affine(v.as_slice())
-    }
-
     /// Returns a fixed generator of unknown exponent.
     #[must_use]
     fn prime_subgroup_generator() -> Self;
@@ -164,11 +151,14 @@ pub trait Curve:
     /// If and only if `parity` is set will the odd y-coordinate be selected.
     fn get_point_from_x_and_parity(x: Self::BaseField, parity: bool) -> Option<Self>;
 
-    /// Returns a curve point if the set of bytes forms a valid curve point,
-    /// otherwise returns None. This function is primarily intended for sampling
-    /// random group elements from a hash-function or RNG output.
-    /// The sampled point is not guaranteed to be in the prime order subgroup.
-    fn from_random_bytes(bytes: &[u8]) -> Option<Self>;
+    /// Attempts to construct a valid curve point given a set of bytes.
+    /// It should differ from a classic deserialization function in that it will
+    /// try to "force" the deserialization of a valid curve point by manipulating
+    /// the input bytes accordingly (e.g. read a coordinate and sign flag from the
+    /// bytes muting the bits above the modulus).
+    /// This function is primarily intended for sampling random curve points from
+    /// a hash-function or RNG output.
+    fn force_deserialize(bytes: &[u8]) -> Option<Self>;
 }
 
 /// The `EndoMulCurve` trait for curves that have a non-trivial endomorphism