Barretenberg: src/barretenberg/stdlib/primitives/biggroup/biggroup_secp256k1.hpp Source File

// === AUDIT STATUS ===

// internal:    { status: not started, auditors: [], date: YYYY-MM-DD }

// external_1:  { status: not started, auditors: [], date: YYYY-MM-DD }

// external_2:  { status: not started, auditors: [], date: YYYY-MM-DD }

// =====================


#pragma once

#include "barretenberg/stdlib/primitives/biggroup/biggroup.hpp"

namespace bb::stdlib::element_default {


template <typename C, class Fq, class Fr, class G>

template <typename, typename>


element<C, Fq, Fr, G> element<C, Fq, Fr, G>::secp256k1_ecdsa_mul(const element& pubkey, const Fr& u1, const Fr& u2)

{

    const auto [u1_lo_wnaf, u1_hi_wnaf] = compute_secp256k1_endo_wnaf<8, 2, 3>(u1, false);

    const auto [u2_lo_wnaf, u2_hi_wnaf] = compute_secp256k1_endo_wnaf<4, 0, 1>(u2, false);


    auto P1 = element::one(pubkey.get_context());

    auto P2 = pubkey;

    const auto P1_table =

        element::eight_bit_fixed_base_table(element::eight_bit_fixed_base_table::CurveType::SECP256K1, false);

    const auto endoP1_table =

        element::eight_bit_fixed_base_table(element::eight_bit_fixed_base_table::CurveType::SECP256K1, true);

    const auto [P2_table, endoP2_table] = create_endo_pair_four_bit_table_plookup(P2);


    // Initialize our accumulator

    auto accumulator = P2_table[u2_lo_wnaf.wnaf[0]];


    for (size_t i = 0; i < 16; ++i) {

        accumulator = accumulator.dbl();

        accumulator = accumulator.dbl();


        // u2_hi_wnaf.wnaf[2 * i] is a field_t element (as are the other wnafs).

        // See `stdlib/memory/rom_table.hpp` for how indirect array accesses are implemented in Ultra

        const auto& add_1 = endoP2_table[u2_hi_wnaf.wnaf[2 * i]];

        const auto& add_2 = P2_table[u2_lo_wnaf.wnaf[2 * i + 1]];

        const auto& add_3 = endoP1_table[u1_hi_wnaf.wnaf[i]];

        const auto& add_4 = P1_table[u1_lo_wnaf.wnaf[i]];

        const auto& add_5 = endoP2_table[u2_hi_wnaf.wnaf[2 * i + 1]];

        const auto& add_6 = P2_table[u2_lo_wnaf.wnaf[2 * i + 2]];


        accumulator = accumulator.multiple_montgomery_ladder({ element::chain_add_accumulator(add_1),

                                                               element::chain_add_accumulator(add_2),

                                                               element::chain_add_accumulator(add_3) });


        accumulator = accumulator.multiple_montgomery_ladder({ element::chain_add_accumulator(add_4),

                                                               element::chain_add_accumulator(add_5),

                                                               element::chain_add_accumulator(add_6) });

    }


    const auto& add_1 = endoP1_table[u1_hi_wnaf.least_significant_wnaf_fragment];

    const auto& add_2 = endoP2_table[u2_hi_wnaf.least_significant_wnaf_fragment];

    const auto& add_3 = P1_table[u1_lo_wnaf.least_significant_wnaf_fragment];

    accumulator += add_1;

    accumulator += add_2;

    accumulator += add_3;


    const auto conditional_add = [](const element& accumulator,

                                    const element& base_point,

                                    const bool_ct& positive_skew,

                                    const bool_ct& negative_skew) {

        auto to_add = base_point;

        to_add.y = to_add.y.conditional_negate(negative_skew);

        element result = accumulator + to_add;


        // when computing the wNAF we have already validated that positive_skew and negative_skew cannot both be true

        bool_ct skew_combined = positive_skew ^ negative_skew;

        result = accumulator.conditional_select(result, skew_combined);

        return result;

    };


    accumulator = conditional_add(accumulator, P1, u1_lo_wnaf.positive_skew, u1_lo_wnaf.negative_skew);

    accumulator = conditional_add(accumulator, endoP1_table[128], u1_hi_wnaf.positive_skew, u1_hi_wnaf.negative_skew);

    accumulator = conditional_add(accumulator, P2, u2_lo_wnaf.positive_skew, u2_lo_wnaf.negative_skew);

    accumulator = conditional_add(accumulator, endoP2_table[8], u2_hi_wnaf.positive_skew, u2_hi_wnaf.negative_skew);


    return accumulator;

}


} // namespace bb::stdlib::element_default

biggroup.hpp

bb::stdlib::bool_t
Implements boolean logic in-circuit.
Definition bool.hpp:59

bb::stdlib::element_default::element
Definition biggroup.hpp:25

bb::stdlib::element_default::element::get_context
Builder * get_context() const
Definition biggroup.hpp:427

bb::stdlib::element_default::element::conditional_select
element conditional_select(const element &other, const bool_ct &predicate) const
Selects this if predicate is false, other if predicate is true.
Definition biggroup.hpp:264

bb::stdlib::element_default
Definition biggroup.hpp:22

bb::field< Bn254FrParams >