bn254.hpp

Go to the documentation of this file.

// === AUDIT STATUS ===
// internal:    { status: not started, auditors: [], date: YYYY-MM-DD }
// external_1:  { status: not started, auditors: [], date: YYYY-MM-DD }
// external_2:  { status: not started, auditors: [], date: YYYY-MM-DD }
// =====================
 
#pragma once
#include "../bn254/fq.hpp"
#include "../bn254/fq12.hpp"
#include "../bn254/fq2.hpp"
#include "../bn254/fr.hpp"
#include "../bn254/g1.hpp"
#include "../bn254/g2.hpp"
 
namespace bb::curve {
class BN254 {
  public:
    using ScalarField = bb::fr;
    using BaseField = bb::fq;
    using Group = typename bb::g1;
    using Element = typename Group::element;
    using AffineElement = typename Group::affine_element;
    using G2AffineElement = typename bb::g2::affine_element;
    using G2BaseField = typename bb::fq2;
    using TargetField = bb::fq12;
 
    static constexpr const char* name = "BN254";
    // TODO(#673): This flag is temporary. It is needed in the verifier classes (GeminiVerifier, etc.) while these
    // classes are instantiated with "native" curve types. Eventually, the verifier classes will be instantiated only
    // with stdlib types, and "native" verification will be acheived via a simulated builder.
    static constexpr bool is_stdlib_type = false;
 
    // Required by SmallSubgroupIPA argument. This constant needs to divide the size of the multiplicative subgroup of
    // the ScalarField and satisfy SUBGROUP_SIZE > CONST_PROOF_SIZE_LOG_N * Flavor::BATCHED_RELATION_PARTIAL_LENGTH, for
    // each BN254-Flavor, since in every round of Sumcheck, the prover sends Flavor::BATCHED_RELATION_PARTIAL_LENGTH
    // elements to the verifier.
    static constexpr size_t SUBGROUP_SIZE = 256;
    // BN254's scalar field has a multiplicative subgroup of order 2^28. It is generated by 5. The generator below is
    // 5^{2^{20}}. To avoid inversion in the recursive verifier, we also store the inverse of the chosen generator.
    static constexpr ScalarField subgroup_generator =
        ScalarField(uint256_t("0x07b0c561a6148404f086204a9f36ffb0617942546750f230c893619174a57a76"));
    static constexpr ScalarField subgroup_generator_inverse =
        ScalarField(uint256_t("0x204bd3277422fad364751ad938e2b5e6a54cf8c68712848a692c553d0329f5d6"));
    // The length of the polynomials used to mask the Sumcheck Round Univariates. Computed as
    // max(BATCHED_PARTIAL_RELATION_LENGTH) for BN254 Flavors with ZK
    static constexpr uint32_t LIBRA_UNIVARIATES_LENGTH = 9;
};
} // namespace bb::curve