feat: Pairing check hint for target_os != zkvm (#1253)

* pairing check hint for target_os != zkvm

* Use current macro

* Lints and imports

* Fix lints

* Fix paths

* Update feature gate

Author: ytham

extensions/pairing/guest/src/bls12_381/mod.rs

@@ -7,6 +7,8 @@ use openvm_ecc_guest::{weierstrass::IntrinsicCurve, CyclicGroup, Group};
 mod fp12;
 mod fp2;
 mod pairing;
+#[cfg(all(feature = "halo2curves", not(target_os = "zkvm")))]
+pub(crate) mod utils;
 
 pub use fp12::*;
 pub use fp2::*;

extensions/pairing/guest/src/bls12_381/pairing.rs

@@ -20,6 +20,15 @@ use crate::pairing::{
     Evaluatable, EvaluatedLine, FromLineMType, LineMulMType, MillerStep, MultiMillerLoop,
     PairingCheck, PairingCheckError, PairingIntrinsics, UnevaluatedLine,
 };
+#[cfg(all(feature = "halo2curves", not(target_os = "zkvm")))]
+use crate::{
+    bls12_381::utils::{
+        convert_bls12381_fp2_to_halo2_fq2, convert_bls12381_fp_to_halo2_fq,
+        convert_bls12381_halo2_fq12_to_fp12,
+    },
+    halo2curves_shims::bls12_381::Bls12_381 as Halo2CurvesBls12_381,
+    pairing::FinalExp,
+};
 
 // TODO[jpw]: make macro
 impl Evaluatable<Fp, Fp2> for UnevaluatedLine<Fp2> {
@@ -275,7 +284,35 @@ impl PairingCheck for Bls12_381 {
     ) -> (Self::Fp12, Self::Fp12) {
         #[cfg(not(target_os = "zkvm"))]
         {
-            todo!()
+            #[cfg(not(feature = "halo2curves"))]
+            panic!("`halo2curves` feature must be enabled to use pairing check hint on host");
+
+            #[cfg(feature = "halo2curves")]
+            {
+                let p_halo2 = P
+                    .iter()
+                    .map(|p| {
+                        AffinePoint::new(
+                            convert_bls12381_fp_to_halo2_fq(p.x.clone()),
+                            convert_bls12381_fp_to_halo2_fq(p.y.clone()),
+                        )
+                    })
+                    .collect::<Vec<_>>();
+                let q_halo2 = Q
+                    .iter()
+                    .map(|q| {
+                        AffinePoint::new(
+                            convert_bls12381_fp2_to_halo2_fq2(q.x.clone()),
+                            convert_bls12381_fp2_to_halo2_fq2(q.y.clone()),
+                        )
+                    })
+                    .collect::<Vec<_>>();
+                let fq12 = Halo2CurvesBls12_381::multi_miller_loop(&p_halo2, &q_halo2);
+                let (c_fq12, s_fq12) = Halo2CurvesBls12_381::final_exp_hint(&fq12);
+                let c = convert_bls12381_halo2_fq12_to_fp12(c_fq12);
+                let s = convert_bls12381_halo2_fq12_to_fp12(s_fq12);
+                (c, s)
+            }
         }
         #[cfg(target_os = "zkvm")]
         {

extensions/pairing/guest/src/bls12_381/tests.rs

@@ -1,5 +1,3 @@
-use alloc::vec::Vec;
-
 use group::ff::Field;
 use halo2curves_axiom::bls12_381::{
     Fq, Fq12, Fq2, Fq6, G1Affine, G2Affine, G2Prepared, MillerLoopResult, FROBENIUS_COEFF_FQ12_C1,
@@ -10,59 +8,20 @@ use rand::{rngs::StdRng, SeedableRng};
 
 use super::{Fp, Fp12, Fp2};
 use crate::{
-    bls12_381::{Bls12_381, G2Affine as OpenVmG2Affine},
+    bls12_381::{
+        utils::{
+            convert_bls12381_fp12_to_halo2_fq12, convert_bls12381_halo2_fq12_to_fp12,
+            convert_bls12381_halo2_fq2_to_fp2, convert_bls12381_halo2_fq_to_fp,
+            convert_g2_affine_halo2_to_openvm,
+        },
+        Bls12_381, G2Affine as OpenVmG2Affine,
+    },
     pairing::{
-        fp2_invert_assign, fp6_invert_assign, fp6_square_assign, MultiMillerLoop, PairingIntrinsics,
+        fp2_invert_assign, fp6_invert_assign, fp6_square_assign, FinalExp, MultiMillerLoop,
+        PairingCheck, PairingIntrinsics,
     },
 };
 
-fn convert_bls12381_halo2_fq_to_fp(x: Fq) -> Fp {
-    let bytes = x.to_bytes();
-    Fp::from_le_bytes(&bytes)
-}
-
-fn convert_bls12381_halo2_fq2_to_fp2(x: Fq2) -> Fp2 {
-    Fp2::new(
-        convert_bls12381_halo2_fq_to_fp(x.c0),
-        convert_bls12381_halo2_fq_to_fp(x.c1),
-    )
-}
-
-fn convert_bls12381_halo2_fq12_to_fp12(x: Fq12) -> Fp12 {
-    Fp12 {
-        c: x.to_coeffs().map(convert_bls12381_halo2_fq2_to_fp2),
-    }
-}
-
-fn convert_bls12381_fp_to_halo2_fq(x: Fp) -> Fq {
-    let bytes =
-        x.0.chunks(8)
-            .map(|b| u64::from_le_bytes(b.try_into().unwrap()))
-            .collect::<Vec<_>>()
-            .try_into()
-            .unwrap();
-    Fq::from_raw_unchecked(bytes)
-}
-
-fn convert_bls12381_fp2_to_halo2_fq2(x: Fp2) -> Fq2 {
-    Fq2 {
-        c0: convert_bls12381_fp_to_halo2_fq(x.c0.clone()),
-        c1: convert_bls12381_fp_to_halo2_fq(x.c1.clone()),
-    }
-}
-
-fn convert_bls12381_fp12_to_halo2_fq12(x: Fp12) -> Fq12 {
-    let c = x.to_coeffs();
-    Fq12::from_coeffs(c.map(convert_bls12381_fp2_to_halo2_fq2))
-}
-
-fn convert_g2_affine_halo2_to_openvm(p: G2Affine) -> OpenVmG2Affine {
-    OpenVmG2Affine::from_xy_unchecked(
-        convert_bls12381_halo2_fq2_to_fp2(p.x),
-        convert_bls12381_halo2_fq2_to_fp2(p.y),
-    )
-}
-
 #[test]
 fn test_bls12381_frobenius_coeffs() {
     #[allow(clippy::needless_range_loop)]
@@ -300,3 +259,39 @@ fn test_bls12381_g2_affine() {
         }
     }
 }
+
+#[test]
+fn test_bls12381_pairing_check_hint_host() {
+    let mut rng = StdRng::seed_from_u64(83);
+    let h2c_p = G1Affine::random(&mut rng);
+    let h2c_q = G2Affine::random(&mut rng);
+
+    let p = AffinePoint {
+        x: convert_bls12381_halo2_fq_to_fp(h2c_p.x),
+        y: convert_bls12381_halo2_fq_to_fp(h2c_p.y),
+    };
+    let q = AffinePoint {
+        x: convert_bls12381_halo2_fq2_to_fp2(h2c_q.x),
+        y: convert_bls12381_halo2_fq2_to_fp2(h2c_q.y),
+    };
+
+    let (c, s) = Bls12_381::pairing_check_hint(&[p], &[q]);
+
+    let p_cmp = AffinePoint {
+        x: h2c_p.x,
+        y: h2c_p.y,
+    };
+    let q_cmp = AffinePoint {
+        x: h2c_q.x,
+        y: h2c_q.y,
+    };
+
+    let f_cmp =
+        crate::halo2curves_shims::bls12_381::Bls12_381::multi_miller_loop(&[p_cmp], &[q_cmp]);
+    let (c_cmp, s_cmp) = crate::halo2curves_shims::bls12_381::Bls12_381::final_exp_hint(&f_cmp);
+    let c_cmp = convert_bls12381_halo2_fq12_to_fp12(c_cmp);
+    let s_cmp = convert_bls12381_halo2_fq12_to_fp12(s_cmp);
+
+    assert_eq!(c, c_cmp);
+    assert_eq!(s, s_cmp);
+}

extensions/pairing/guest/src/bls12_381/utils.rs

@@ -0,0 +1,49 @@
+use halo2curves_axiom::bls12_381::{Fq, Fq12, Fq2, G2Affine};
+use openvm_algebra_guest::{field::FieldExtension, IntMod};
+use openvm_ecc_guest::weierstrass::WeierstrassPoint;
+
+use super::{Fp, Fp12, Fp2};
+use crate::bls12_381::G2Affine as OpenVmG2Affine;
+
+pub(crate) fn convert_bls12381_halo2_fq_to_fp(x: Fq) -> Fp {
+    let bytes = x.to_bytes();
+    Fp::from_le_bytes(&bytes)
+}
+
+pub(crate) fn convert_bls12381_halo2_fq2_to_fp2(x: Fq2) -> Fp2 {
+    Fp2::new(
+        convert_bls12381_halo2_fq_to_fp(x.c0),
+        convert_bls12381_halo2_fq_to_fp(x.c1),
+    )
+}
+
+pub(crate) fn convert_bls12381_halo2_fq12_to_fp12(x: Fq12) -> Fp12 {
+    Fp12 {
+        c: x.to_coeffs().map(convert_bls12381_halo2_fq2_to_fp2),
+    }
+}
+
+pub(crate) fn convert_bls12381_fp_to_halo2_fq(x: Fp) -> Fq {
+    Fq::from_bytes(&x.0).unwrap()
+}
+
+pub(crate) fn convert_bls12381_fp2_to_halo2_fq2(x: Fp2) -> Fq2 {
+    Fq2 {
+        c0: convert_bls12381_fp_to_halo2_fq(x.c0.clone()),
+        c1: convert_bls12381_fp_to_halo2_fq(x.c1.clone()),
+    }
+}
+
+#[allow(unused)]
+pub(crate) fn convert_bls12381_fp12_to_halo2_fq12(x: Fp12) -> Fq12 {
+    let c = x.to_coeffs();
+    Fq12::from_coeffs(c.map(convert_bls12381_fp2_to_halo2_fq2))
+}
+
+#[allow(unused)]
+pub(crate) fn convert_g2_affine_halo2_to_openvm(p: G2Affine) -> OpenVmG2Affine {
+    OpenVmG2Affine::from_xy_unchecked(
+        convert_bls12381_halo2_fq2_to_fp2(p.x),
+        convert_bls12381_halo2_fq2_to_fp2(p.y),
+    )
+}

extensions/pairing/guest/src/bn254/mod.rs

@@ -18,6 +18,8 @@ use crate::pairing::PairingIntrinsics;
 mod fp12;
 mod fp2;
 pub mod pairing;
+#[cfg(all(feature = "halo2curves", not(target_os = "zkvm")))]
+pub(crate) mod utils;
 
 pub use fp12::*;
 pub use fp2::*;

extensions/pairing/guest/src/bn254/pairing.rs

@@ -16,6 +16,15 @@ use crate::pairing::{
     Evaluatable, EvaluatedLine, FromLineDType, LineMulDType, MillerStep, MultiMillerLoop,
     PairingCheck, PairingCheckError, PairingIntrinsics, UnevaluatedLine,
 };
+#[cfg(all(feature = "halo2curves", not(target_os = "zkvm")))]
+use crate::{
+    bn254::utils::{
+        convert_bn254_fp2_to_halo2_fq2, convert_bn254_fp_to_halo2_fq,
+        convert_bn254_halo2_fq12_to_fp12,
+    },
+    halo2curves_shims::bn254::Bn254 as Halo2CurvesBn254,
+    pairing::FinalExp,
+};
 
 // TODO[jpw]: make macro
 impl Evaluatable<Fp, Fp2> for UnevaluatedLine<Fp2> {
@@ -307,7 +316,35 @@ impl PairingCheck for Bn254 {
     ) -> (Self::Fp12, Self::Fp12) {
         #[cfg(not(target_os = "zkvm"))]
         {
-            todo!()
+            #[cfg(not(feature = "halo2curves"))]
+            panic!("`halo2curves` feature must be enabled to use pairing check hint on host");
+
+            #[cfg(feature = "halo2curves")]
+            {
+                let p_halo2 = P
+                    .iter()
+                    .map(|p| {
+                        AffinePoint::new(
+                            convert_bn254_fp_to_halo2_fq(p.x.clone()),
+                            convert_bn254_fp_to_halo2_fq(p.y.clone()),
+                        )
+                    })
+                    .collect::<Vec<_>>();
+                let q_halo2 = Q
+                    .iter()
+                    .map(|q| {
+                        AffinePoint::new(
+                            convert_bn254_fp2_to_halo2_fq2(q.x.clone()),
+                            convert_bn254_fp2_to_halo2_fq2(q.y.clone()),
+                        )
+                    })
+                    .collect::<Vec<_>>();
+                let fq12 = Halo2CurvesBn254::multi_miller_loop(&p_halo2, &q_halo2);
+                let (c_fq12, s_fq12) = Halo2CurvesBn254::final_exp_hint(&fq12);
+                let c = convert_bn254_halo2_fq12_to_fp12(c_fq12);
+                let s = convert_bn254_halo2_fq12_to_fp12(s_fq12);
+                (c, s)
+            }
         }
         #[cfg(target_os = "zkvm")]
         {