feat: implement flag based recursive groth16 and EdDSA check (#1647)

Co-authored-by: Lucas Menendez <[email protected]>
Co-authored-by: Copilot <[email protected]>

Author: 3 people

std/algebra/native/fields_bls12377/e12.go

@@ -518,3 +518,11 @@ func (e *E12) AssertIsEqual(api frontend.API, other E12) {
 	e.C0.AssertIsEqual(api, other.C0)
 	e.C1.AssertIsEqual(api, other.C1)
 }
+
+// IsEqual returns a variable that is 1 if self == other, 0 otherwise
+func (e *E12) IsEqual(api frontend.API, other E12) frontend.Variable {
+	return api.And(
+		e.C0.IsEqual(api, other.C0),
+		e.C1.IsEqual(api, other.C1),
+	)
+}

std/algebra/native/fields_bls12377/e12_test.go

@@ -350,7 +350,7 @@ func TestDivFp12(t *testing.T) {
 	witness.C.Assign(&c)
 
 	assert := test.NewAssert(t)
-	assert.SolvingSucceeded(&e12Div{}, &witness, test.WithCurves(ecc.BW6_761))
+	assert.CheckCircuit(&e12Div{}, test.WithValidAssignment(&witness), test.WithCurves(ecc.BW6_761))
 }
 
 type fp12FixedExpo struct {
@@ -427,3 +427,34 @@ func TestFp12MulBy034(t *testing.T) {
 	assert.CheckCircuit(&circuit, test.WithValidAssignment(&witness), test.WithCurves(ecc.BW6_761))
 
 }
+
+type fp12IsEqual struct {
+	A, B E12
+	Eq   frontend.Variable `gnark:",public"`
+}
+
+func (circuit *fp12IsEqual) Define(api frontend.API) error {
+	isEqual := circuit.A.IsEqual(api, circuit.B)
+	api.AssertIsEqual(isEqual, circuit.Eq)
+	return nil
+}
+
+func TestE12IsEqual(t *testing.T) {
+
+	// witness values
+	var a, b bls12377.E12
+	_, _ = a.SetRandom()
+	_, _ = b.SetRandom()
+
+	var witness, witness2 fp12IsEqual
+	witness.A.Assign(&a)
+	witness.B.Assign(&a)
+	witness.Eq = 1
+
+	witness2.A.Assign(&a)
+	witness2.B.Assign(&b)
+	witness2.Eq = 0
+
+	assert := test.NewAssert(t)
+	assert.CheckCircuit(&fp12IsEqual{}, test.WithValidAssignment(&witness), test.WithValidAssignment(&witness2), test.WithCurves(ecc.BW6_761))
+}

std/algebra/native/fields_bls12377/e2.go

@@ -182,6 +182,14 @@ func (e *E2) AssertIsEqual(api frontend.API, other E2) {
 	api.AssertIsEqual(e.A1, other.A1)
 }
 
+// IsEqual returns 1 if e is equal to other, 0 otherwise
+func (e *E2) IsEqual(api frontend.API, other E2) frontend.Variable {
+	return api.And(
+		api.IsZero(api.Sub(e.A0, other.A0)),
+		api.IsZero(api.Sub(e.A1, other.A1)),
+	)
+}
+
 // Select sets e to r1 if b=1, r2 otherwise
 func (e *E2) Select(api frontend.API, b frontend.Variable, r1, r2 E2) *E2 {
 

std/algebra/native/fields_bls12377/e2_test.go

@@ -39,7 +39,7 @@ func TestAddFp2(t *testing.T) {
 	witness.C.Assign(&c)
 
 	assert := test.NewAssert(t)
-	assert.SolvingSucceeded(&e2Add{}, &witness, test.WithCurves(ecc.BW6_761))
+	assert.CheckCircuit(&e2Add{}, test.WithValidAssignment(&witness), test.WithCurves(ecc.BW6_761))
 
 }
 
@@ -98,7 +98,7 @@ func TestMulFp2(t *testing.T) {
 	witness.C.Assign(&c)
 
 	assert := test.NewAssert(t)
-	assert.SolvingSucceeded(&e2Mul{}, &witness, test.WithCurves(ecc.BW6_761))
+	assert.CheckCircuit(&e2Mul{}, test.WithValidAssignment(&witness), test.WithCurves(ecc.BW6_761))
 
 }
 
@@ -128,7 +128,7 @@ func TestDivFp2(t *testing.T) {
 	witness.C.Assign(&c)
 
 	assert := test.NewAssert(t)
-	assert.SolvingSucceeded(&e2Div{}, &witness, test.WithCurves(ecc.BW6_761))
+	assert.CheckCircuit(&e2Div{}, test.WithValidAssignment(&witness), test.WithCurves(ecc.BW6_761))
 
 }
 
@@ -228,3 +228,35 @@ func TestInverseFp2(t *testing.T) {
 	assert.CheckCircuit(&circuit, test.WithValidAssignment(&witness), test.WithCurves(ecc.BW6_761))
 
 }
+
+type fp2IsEqual struct {
+	A      E2
+	B      E2                `gnark:",public"`
+	Result frontend.Variable `gnark:",public"`
+}
+
+func (c *fp2IsEqual) Define(api frontend.API) error {
+	res := c.A.IsEqual(api, c.B)
+	api.AssertIsEqual(res, c.Result)
+	return nil
+}
+
+func TestIsEqualFp2(t *testing.T) {
+	assert := test.NewAssert(t)
+
+	var circuit, validWitness, validWitness2 fp2IsEqual
+	var a bls12377.E2
+	var b bls12377.E2
+	a.SetRandom()
+	b.SetRandom()
+
+	validWitness.A.Assign(&a)
+	validWitness.B.Assign(&a)
+	validWitness.Result = 1
+
+	validWitness2.A.Assign(&a)
+	validWitness2.B.Assign(&b)
+	validWitness2.Result = 0
+
+	assert.CheckCircuit(&circuit, test.WithValidAssignment(&validWitness), test.WithValidAssignment(&validWitness2), test.WithCurves(ecc.BW6_761))
+}

std/algebra/native/fields_bls12377/e6.go

@@ -345,6 +345,17 @@ func (e *E6) AssertIsEqual(api frontend.API, other E6) {
 	e.B2.AssertIsEqual(api, other.B2)
 }
 
+// IsEqual returns 1 if e is equal to other, 0 otherwise
+func (e *E6) IsEqual(api frontend.API, other E6) frontend.Variable {
+	b0Equal := e.B0.IsEqual(api, other.B0)
+	b1Equal := e.B1.IsEqual(api, other.B1)
+	b2Equal := e.B2.IsEqual(api, other.B2)
+	// inputs are already boolean, so multiplication suffices.
+	isEqual := api.Mul(b0Equal, b1Equal, b2Equal)
+	api.Compiler().MarkBoolean(isEqual)
+	return isEqual
+}
+
 // MulByE2 multiplies an element in E6 by an element in E2
 func (e *E6) MulByE2(api frontend.API, e1 E6, e2 E2) *E6 {
 	e.B0.Mul(api, e1.B0, e2)

std/algebra/native/fields_bls12377/e6_test.go

@@ -271,5 +271,36 @@ func TestDivFp6(t *testing.T) {
 	witness.C.Assign(&c)
 
 	assert := test.NewAssert(t)
-	assert.SolvingSucceeded(&e6Div{}, &witness, test.WithCurves(ecc.BW6_761))
+	assert.CheckCircuit(&e6Div{}, test.WithValidAssignment(&witness), test.WithCurves(ecc.BW6_761))
+}
+
+type e6IsEqual struct {
+	A, B E6
+	Eq   frontend.Variable `gnark:",public"`
+}
+
+func (circuit *e6IsEqual) Define(api frontend.API) error {
+	isEqual := circuit.A.IsEqual(api, circuit.B)
+	api.AssertIsEqual(isEqual, circuit.Eq)
+	return nil
+}
+
+func TestE6IsEqual(t *testing.T) {
+
+	// witness values
+	var a, b bls12377.E6
+	_, _ = a.SetRandom()
+	_, _ = b.SetRandom()
+
+	var witness, witness2 e6IsEqual
+	witness.A.Assign(&a)
+	witness.B.Assign(&a)
+	witness.Eq = 1
+
+	witness2.A.Assign(&a)
+	witness2.B.Assign(&b)
+	witness2.Eq = 0
+
+	assert := test.NewAssert(t)
+	assert.CheckCircuit(&e6IsEqual{}, test.WithValidAssignment(&witness), test.WithValidAssignment(&witness2), test.WithCurves(ecc.BW6_761))
 }

std/algebra/native/sw_bls12377/pairing2.go

@@ -111,42 +111,6 @@ func (c *Curve) AssertIsEqual(P, Q *G1Affine) {
 	P.AssertIsEqual(c.api, *Q)
 }
 
-func (pr *Pairing) IsEqual(x, y *GT) frontend.Variable {
-	diff0 := pr.api.Sub(&x.C0.B0.A0, &y.C0.B0.A0)
-	diff1 := pr.api.Sub(&x.C0.B0.A1, &y.C0.B0.A1)
-	diff2 := pr.api.Sub(&x.C0.B0.A0, &y.C0.B0.A0)
-	diff3 := pr.api.Sub(&x.C0.B1.A1, &y.C0.B1.A1)
-	diff4 := pr.api.Sub(&x.C0.B1.A0, &y.C0.B1.A0)
-	diff5 := pr.api.Sub(&x.C0.B1.A1, &y.C0.B1.A1)
-	diff6 := pr.api.Sub(&x.C1.B0.A0, &y.C1.B0.A0)
-	diff7 := pr.api.Sub(&x.C1.B0.A1, &y.C1.B0.A1)
-	diff8 := pr.api.Sub(&x.C1.B0.A0, &y.C1.B0.A0)
-	diff9 := pr.api.Sub(&x.C1.B1.A1, &y.C1.B1.A1)
-	diff10 := pr.api.Sub(&x.C1.B1.A0, &y.C1.B1.A0)
-	diff11 := pr.api.Sub(&x.C1.B1.A1, &y.C1.B1.A1)
-
-	isZero0 := pr.api.IsZero(diff0)
-	isZero1 := pr.api.IsZero(diff1)
-	isZero2 := pr.api.IsZero(diff2)
-	isZero3 := pr.api.IsZero(diff3)
-	isZero4 := pr.api.IsZero(diff4)
-	isZero5 := pr.api.IsZero(diff5)
-	isZero6 := pr.api.IsZero(diff6)
-	isZero7 := pr.api.IsZero(diff7)
-	isZero8 := pr.api.IsZero(diff8)
-	isZero9 := pr.api.IsZero(diff9)
-	isZero10 := pr.api.IsZero(diff10)
-	isZero11 := pr.api.IsZero(diff11)
-
-	return pr.api.And(
-		pr.api.And(
-			pr.api.And(pr.api.And(isZero0, isZero1), pr.api.And(isZero2, isZero3)),
-			pr.api.And(pr.api.And(isZero4, isZero5), pr.api.And(isZero6, isZero7)),
-		),
-		pr.api.And(pr.api.And(isZero8, isZero9), pr.api.And(isZero10, isZero11)),
-	)
-}
-
 // Neg negates P and returns the result. Does not modify P.
 func (c *Curve) Neg(P *G1Affine) *G1Affine {
 	res := &G1Affine{
@@ -367,6 +331,11 @@ func (pr *Pairing) AssertIsEqual(e1, e2 *GT) {
 	e1.AssertIsEqual(pr.api, *e2)
 }
 
+// IsEqual returns 1 if x is equal to y, 0 otherwise.
+func (pr *Pairing) IsEqual(x, y *GT) frontend.Variable {
+	return x.IsEqual(pr.api, *y)
+}
+
 func (pr *Pairing) MuxG2(sel frontend.Variable, inputs ...*G2Affine) *G2Affine {
 	if len(inputs) == 0 {
 		return nil

std/recursion/groth16/verifier.go

@@ -606,16 +606,26 @@ func NewVerifier[FR emulated.FieldParams, G1El algebra.G1ElementT, G2El algebra.
 // AssertProof asserts that the SNARK proof holds for the given witness and
 // verifying key.
 func (v *Verifier[FR, G1El, G2El, GtEl]) AssertProof(vk VerifyingKey[G1El, G2El, GtEl], proof Proof[G1El, G2El], witness Witness[FR], opts ...VerifierOption) error {
+	isValid, err := v.IsValidProof(vk, proof, witness, opts...)
+	if err != nil {
+		return err
+	}
+	v.api.AssertIsEqual(isValid, 1)
+	return nil
+}
+
+// IsValidProof returns a variable that is 1 if the proof is valid and 0 otherwise.
+func (v *Verifier[FR, G1El, G2El, GtEl]) IsValidProof(vk VerifyingKey[G1El, G2El, GtEl], proof Proof[G1El, G2El], witness Witness[FR], opts ...VerifierOption) (frontend.Variable, error) {
 	if len(vk.CommitmentKeys) != len(proof.Commitments) {
-		return fmt.Errorf("invalid number of commitments, got %d, expected %d", len(proof.Commitments), len(vk.CommitmentKeys))
+		return 0, fmt.Errorf("invalid number of commitments, got %d, expected %d", len(proof.Commitments), len(vk.CommitmentKeys))
 	}
 	if len(vk.CommitmentKeys) != len(vk.PublicAndCommitmentCommitted) {
-		return fmt.Errorf("invalid number of commitment keys, got %d, expected %d", len(vk.CommitmentKeys), len(vk.PublicAndCommitmentCommitted))
+		return 0, fmt.Errorf("invalid number of commitment keys, got %d, expected %d", len(vk.CommitmentKeys), len(vk.PublicAndCommitmentCommitted))
 	}
 	var fr FR
 	nbPublicVars := len(vk.G1.K) - len(vk.PublicAndCommitmentCommitted)
 	if len(witness.Public) != nbPublicVars-1 {
-		return fmt.Errorf("invalid witness size, got %d, expected %d (public - ONE_WIRE)", len(witness.Public), len(vk.G1.K)-1)
+		return 0, fmt.Errorf("invalid witness size, got %d, expected %d (public - ONE_WIRE)", len(witness.Public), len(vk.G1.K)-1)
 	}
 
 	inP := make([]*G1El, len(vk.G1.K)-1) // first is for the one wire, we add it manually after MSM
@@ -629,11 +639,11 @@ func (v *Verifier[FR, G1El, G2El, GtEl]) AssertProof(vk VerifyingKey[G1El, G2El,
 
 	opt, err := newCfg(opts...)
 	if err != nil {
-		return fmt.Errorf("apply options: %w", err)
+		return 0, fmt.Errorf("apply options: %w", err)
 	}
 	hashToField, err := recursion.NewHash(v.api, fr.Modulus(), true)
 	if err != nil {
-		return fmt.Errorf("hash to field: %w", err)
+		return 0, fmt.Errorf("hash to field: %w", err)
 	}
 
 	maxNbPublicCommitted := 0
@@ -662,16 +672,16 @@ func (v *Verifier[FR, G1El, G2El, GtEl]) AssertProof(vk VerifyingKey[G1El, G2El,
 		// explicitly do not verify the commitment as there is nothing
 	case 1:
 		if err = v.commitment.AssertCommitment(proof.Commitments[0], proof.CommitmentPok, vk.CommitmentKeys[0], opt.pedopt...); err != nil {
-			return fmt.Errorf("assert commitment: %w", err)
+			return 0, fmt.Errorf("assert commitment: %w", err)
 		}
 	default:
 		// TODO: we support only a single commitment in the recursion for now
-		return fmt.Errorf("multiple commitments are not supported")
+		return 0, fmt.Errorf("multiple commitments are not supported")
 	}
 
 	kSum, err := v.curve.MultiScalarMul(inP, inS, opt.algopt...)
 	if err != nil {
-		return fmt.Errorf("multi scalar mul: %w", err)
+		return 0, fmt.Errorf("multi scalar mul: %w", err)
 	}
 	kSum = v.curve.Add(kSum, &vk.G1.K[0])
 
@@ -686,10 +696,9 @@ func (v *Verifier[FR, G1El, G2El, GtEl]) AssertProof(vk VerifyingKey[G1El, G2El,
 	}
 	pairing, err := v.pairing.Pair([]*G1El{kSum, &proof.Krs, &proof.Ar}, []*G2El{&vk.G2.GammaNeg, &vk.G2.DeltaNeg, &proof.Bs})
 	if err != nil {
-		return fmt.Errorf("pairing: %w", err)
+		return 0, fmt.Errorf("pairing: %w", err)
 	}
-	v.pairing.AssertIsEqual(pairing, &vk.E)
-	return nil
+	return v.pairing.IsEqual(pairing, &vk.E), nil
 }
 
 // SwitchVerification key switches the verification key based on the provided