Feature/bn254 neg trait (#1630)

Implement `Neg` trait for `G1Affine`. This is useful for verifying
Groth16 proofs.

### What

- Introduce an `Fq` newtype wrapping `BytesN<FP_SERIALIZED_SIZE>` as the
BN254 base field element
- Implement `Neg` for `Fq`
- Implement `Neg` for `G1Affine` by:

### Why

- We need this operation to make cheaper groth16 verification on the
bn254 curve. BLS has implemented this feature as well.

### Known limitations

- Negation is implemented only for G1Affine; G2Affine and other types
(e.g. projective representations) do not yet have Neg implementations.

---------

Co-authored-by: Siddharth Suresh <siddharth@stellar.org>

Author: Oghma

soroban-sdk/src/crypto.rs

@@ -12,6 +12,7 @@ pub(crate) mod poseidon2_params;
 pub mod poseidon2_sponge;
 pub(crate) mod poseidon_params;
 pub mod poseidon_sponge;
+pub(crate) mod utils;
 pub use bn254::Fr as BnScalar;
 pub use poseidon2_sponge::Poseidon2Sponge;
 pub use poseidon_sponge::PoseidonSponge;

soroban-sdk/src/crypto/bls12_381.rs

@@ -1,6 +1,7 @@
 #[cfg(not(target_family = "wasm"))]
 use crate::xdr::ScVal;
 use crate::{
+    crypto::utils::BigInt,
     env::internal::{self, BytesObject, U256Val, U64Val},
     impl_bytesn_repr,
     unwrap::{UnwrapInfallible, UnwrapOptimized},
@@ -23,65 +24,6 @@ pub struct Bls12_381 {
     env: Env,
 }
 
-// This routine was copied with slight modification from the arkworks library:
-// https://github.com/arkworks-rs/algebra/blob/bf1c9b22b30325ef4df4f701dedcb6dea904c587/ff/src/biginteger/arithmetic.rs#L66-L79
-fn sbb_for_sub_with_borrow(a: &mut u64, b: u64, borrow: u8) -> u8 {
-    let tmp = (1u128 << 64) + u128::from(*a) - u128::from(b) - u128::from(borrow);
-    // casting is safe here because `tmp` can only exceed u64 by a single
-    // (borrow) bit, which we capture in the next line.
-    *a = tmp as u64;
-    u8::from(tmp >> 64 == 0)
-}
-
-#[derive(Debug)]
-pub(crate) struct BigInt<const N: usize>(pub [u64; N]);
-
-impl<const N: usize> BigInt<N> {
-    pub fn sub_with_borrow(&mut self, other: &Self) -> bool {
-        let mut borrow = 0;
-        for i in 0..N {
-            borrow = sbb_for_sub_with_borrow(&mut self.0[i], other.0[i], borrow);
-        }
-        borrow != 0
-    }
-
-    pub fn copy_into_array<const M: usize>(&self, slice: &mut [u8; M]) {
-        const {
-            if M != N * 8 {
-                panic!("BigInt::copy_into_array with mismatched array length")
-            }
-        }
-
-        for i in 0..N {
-            let limb_bytes = self.0[N - 1 - i].to_be_bytes();
-            slice[i * 8..(i + 1) * 8].copy_from_slice(&limb_bytes);
-        }
-    }
-
-    pub fn is_zero(&self) -> bool {
-        self.0 == [0; N]
-    }
-}
-
-impl<const N: usize, const M: usize> From<&BytesN<M>> for BigInt<N> {
-    fn from(bytes: &BytesN<M>) -> Self {
-        if M != N * 8 {
-            panic!("BytesN::Into<BigInt> - length mismatch")
-        }
-
-        let array = bytes.to_array();
-        let mut limbs = [0u64; N];
-        for i in 0..N {
-            let start = i * 8;
-            let end = start + 8;
-            let mut chunk = [0u8; 8];
-            chunk.copy_from_slice(&array[start..end]);
-            limbs[N - 1 - i] = u64::from_be_bytes(chunk);
-        }
-        BigInt(limbs)
-    }
-}
-
 /// `G1Affine` is a point in the G1 group (subgroup defined over the base field
 ///  `Fq`) of the BLS12-381 elliptic curve
 ///

soroban-sdk/src/crypto/bn254.rs

@@ -1,6 +1,7 @@
 #[cfg(not(target_family = "wasm"))]
 use crate::xdr::ScVal;
 use crate::{
+    crypto::utils::BigInt,
     env::internal::{self, BytesObject, U256Val},
     impl_bytesn_repr,
     unwrap::{UnwrapInfallible, UnwrapOptimized},
@@ -9,7 +10,7 @@ use crate::{
 use core::{
     cmp::Ordering,
     fmt::Debug,
-    ops::{Add, Mul},
+    ops::{Add, Mul, Neg},
 };
 
 const FP_SERIALIZED_SIZE: usize = 32; // Size in bytes of a serialized Fp element in BN254. The field modulus is 254 bits, requiring 32 bytes (256 bits).
@@ -23,7 +24,7 @@ pub struct Bn254 {
 }
 
 /// `G1Affine` is a point in the G1 group (subgroup defined over the base field
-/// `Fq` with prime order `q =
+/// `Fp` with prime order `q =
 /// 0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47`) of the
 /// BN254 elliptic curve
 ///
@@ -37,7 +38,7 @@ pub struct Bn254 {
 pub struct G1Affine(BytesN<G1_SERIALIZED_SIZE>);
 
 /// `G2Affine` is a point in the G2 group (subgroup defined over the quadratic
-/// extension field `Fq2`) of the BN254 elliptic curve
+/// extension field `Fp2`) of the BN254 elliptic curve
 ///
 /// # Serialization:
 /// - The 128 bytes represent the **uncompressed encoding** of a point in G2.
@@ -58,15 +59,81 @@ pub struct G2Affine(BytesN<G2_SERIALIZED_SIZE>);
 #[repr(transparent)]
 pub struct Fr(U256);
 
+/// `Fp` represents an element of the base field `Fp` of the BN254 elliptic curve
+///
+/// # Serialization:
+/// - The 32 bytes represent the **big-endian encoding** of an element in the
+///   field `Fp`. The value is serialized as a big-endian integer.
+#[derive(Clone)]
+#[repr(transparent)]
+pub struct Fp(BytesN<FP_SERIALIZED_SIZE>);
+
 impl_bytesn_repr!(G1Affine, G1_SERIALIZED_SIZE);
 impl_bytesn_repr!(G2Affine, G2_SERIALIZED_SIZE);
+impl_bytesn_repr!(Fp, FP_SERIALIZED_SIZE);
 
 impl G1Affine {
     pub fn env(&self) -> &Env {
         self.0.env()
     }
 }
 
+impl Fp {
+    pub fn env(&self) -> &Env {
+        self.0.env()
+    }
+
+    // `Fp` represents an element in the base field of the BN254 elliptic curve.
+    // For an element a ∈ Fp, its negation `-a` is defined as:
+    //   a + (-a) = 0 (mod p)
+    // where `p` is the field modulus, and to make a valid point coordinate on the
+    // curve, `a` also must be within the field range (i.e., 0 ≤ a < p).
+    fn checked_neg(&self) -> Option<Fp> {
+        let fq_bigint: BigInt<4> = (&self.0).into();
+        if fq_bigint.is_zero() {
+            return Some(self.clone());
+        }
+
+        //BN254 base field modulus
+        const BN254_MODULUS: [u64; 4] = [
+            4332616871279656263,
+            10917124144477883021,
+            13281191951274694749,
+            3486998266802970665,
+        ];
+        let mut res = BigInt(BN254_MODULUS);
+
+        // Compute modulus - value
+        let borrow = res.sub_with_borrow(&fq_bigint);
+        if borrow {
+            return None;
+        }
+
+        let mut bytes = [0u8; FP_SERIALIZED_SIZE];
+        res.copy_into_array(&mut bytes);
+        Some(Fp::from_array(self.env(), &bytes))
+    }
+}
+
+impl Neg for &Fp {
+    type Output = Fp;
+
+    fn neg(self) -> Self::Output {
+        match self.checked_neg() {
+            Some(v) => v,
+            None => sdk_panic!("invalid input - Fp is larger than the field modulus"),
+        }
+    }
+}
+
+impl Neg for Fp {
+    type Output = Fp;
+
+    fn neg(self) -> Self::Output {
+        (&self).neg()
+    }
+}
+
 impl Add for G1Affine {
     type Output = G1Affine;
 
@@ -83,6 +150,32 @@ impl Mul<Fr> for G1Affine {
     }
 }
 
+// G1Affine represents a point (X, Y) on the BN254 curve where X, Y ∈ Fr
+// Negation of (X, Y) is defined as (X, -Y)
+impl Neg for &G1Affine {
+    type Output = G1Affine;
+
+    fn neg(self) -> Self::Output {
+        let mut inner: Bytes = (&self.0).into();
+        let y = Fp::try_from_val(
+            inner.env(),
+            inner.slice(FP_SERIALIZED_SIZE as u32..).as_val(),
+        )
+        .unwrap_optimized();
+        let neg_y = -y;
+        inner.copy_from_slice(FP_SERIALIZED_SIZE as u32, &neg_y.to_array());
+        G1Affine::from_bytes(BytesN::try_from_val(inner.env(), inner.as_val()).unwrap_optimized())
+    }
+}
+
+impl Neg for G1Affine {
+    type Output = G1Affine;
+
+    fn neg(self) -> Self::Output {
+        (&self).neg()
+    }
+}
+
 impl G2Affine {
     pub fn env(&self) -> &Env {
         self.0.env()
@@ -219,7 +312,7 @@ impl Bn254 {
     ///
     /// This function computes the pairing for each pair of points in the
     /// provided vectors `vp1` (G1 points) and `vp2` (G2 points) and verifies if
-    /// the product of all pairings is equal to 1 in the target group Fq12.
+    /// the product of all pairings is equal to 1 in the target group Fp.
     ///
     /// # Returns:
     /// - `true` if the pairing check holds (i.e., the product of pairings equals 1),

soroban-sdk/src/crypto/utils.rs

@@ -0,0 +1,60 @@
+use crate::BytesN;
+
+// This routine was copied with slight modification from the arkworks library:
+// https://github.com/arkworks-rs/algebra/blob/bf1c9b22b30325ef4df4f701dedcb6dea904c587/ff/src/biginteger/arithmetic.rs#L66-L79
+fn sbb_for_sub_with_borrow(a: &mut u64, b: u64, borrow: u8) -> u8 {
+    let tmp = (1u128 << 64) + u128::from(*a) - u128::from(b) - u128::from(borrow);
+    // casting is safe here because `tmp` can only exceed u64 by a single
+    // (borrow) bit, which we capture in the next line.
+    *a = tmp as u64;
+    u8::from(tmp >> 64 == 0)
+}
+
+#[derive(Debug)]
+pub(crate) struct BigInt<const N: usize>(pub [u64; N]);
+
+impl<const N: usize> BigInt<N> {
+    pub fn sub_with_borrow(&mut self, other: &Self) -> bool {
+        let mut borrow = 0;
+        for i in 0..N {
+            borrow = sbb_for_sub_with_borrow(&mut self.0[i], other.0[i], borrow);
+        }
+        borrow != 0
+    }
+
+    pub fn copy_into_array<const M: usize>(&self, slice: &mut [u8; M]) {
+        const {
+            if M != N * 8 {
+                panic!("BigInt::copy_into_array with mismatched array length")
+            }
+        }
+
+        for i in 0..N {
+            let limb_bytes = self.0[N - 1 - i].to_be_bytes();
+            slice[i * 8..(i + 1) * 8].copy_from_slice(&limb_bytes);
+        }
+    }
+
+    pub fn is_zero(&self) -> bool {
+        self.0 == [0; N]
+    }
+}
+
+impl<const N: usize, const M: usize> From<&BytesN<M>> for BigInt<N> {
+    fn from(bytes: &BytesN<M>) -> Self {
+        if M != N * 8 {
+            panic!("BytesN::Into<BigInt> - length mismatch")
+        }
+
+        let array = bytes.to_array();
+        let mut limbs = [0u64; N];
+        for i in 0..N {
+            let start = i * 8;
+            let end = start + 8;
+            let mut chunk = [0u8; 8];
+            chunk.copy_from_slice(&array[start..end]);
+            limbs[N - 1 - i] = u64::from_be_bytes(chunk);
+        }
+        BigInt(limbs)
+    }
+}

tests/bn254/src/lib.rs

@@ -126,4 +126,21 @@ mod test {
         // This should return true for valid pairing
         assert!(client.verify_pairing(&proof));
     }
+
+    #[test]
+    fn test_g1_negation() {
+        let env = Env::default();
+
+        let negated_input = "00000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000002000000000000000000000000000000000000000000000000000000000000000130644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd45";
+        let bytes = hex::decode(negated_input).unwrap();
+        assert_eq!(bytes.len(), 128);
+
+        let g1_bytes: [u8; 64] = bytes[0..64].try_into().unwrap();
+        let g1_negaed_bytes: [u8; 64] = bytes[64..128].try_into().unwrap();
+
+        let g1 = G1Affine::from_array(&env, &g1_bytes);
+        let g1_negated = G1Affine::from_array(&env, &g1_negaed_bytes);
+
+        assert_eq!(-g1, g1_negated);
+    }
 }