Barretenberg: src/barretenberg/ecc/curves/grumpkin/grumpkin.test.cpp Source File

#include "grumpkin.hpp"

#include "barretenberg/ecc/groups/precomputed_generators_grumpkin_impl.hpp"

#include <gtest/gtest.h>


using namespace bb;


namespace {

// Double-and-add scalar mul without endomorphism, used as reference for differential testing.

template <typename Group, typename Fr>

typename Group::affine_element naive_scalar_mul(const typename Group::element& base, const Fr& scalar)

{

    typename Group::element acc = Group::point_at_infinity;

    typename Group::element runner = base;

    uint256_t bits(scalar);

    for (size_t i = 0; i < 256; ++i) {

        if (bits.get_bit(i)) {

            acc = acc + runner;

        }

        runner = runner.dbl();

    }

    return typename Group::affine_element(acc);

}

} // namespace


// =========================

// Parameter-related tests

// =========================


TEST(grumpkin, CheckB)

{

    auto b = grumpkin::g1::curve_b;

    fr seventeen = 17;

    EXPECT_EQ(seventeen, -b);

}


TEST(grumpkin, SubgroupGenerator)

{

    bb::fq subgroup_generator = bb::curve::Grumpkin::subgroup_generator;

    bb::fq subgroup_generator_inverse = bb::curve::Grumpkin::subgroup_generator_inverse;


    EXPECT_NE(subgroup_generator.pow(3), fq::one());

    EXPECT_NE(subgroup_generator.pow(29), fq::one());

    EXPECT_EQ(subgroup_generator.pow(87), fq::one());

    EXPECT_EQ(subgroup_generator * subgroup_generator_inverse, fq::one());

}


TEST(grumpkin, OneYIsCorrect)

{

    fr one_y = bb::grumpkin::G1Params::one_y;

    auto [_, expected] = (bb::grumpkin::G1Params::b + fr::one()).sqrt();


    EXPECT_EQ(one_y, -expected);

}


// =========================

// Group-related tests

// =========================


// Checks for "bad points" in terms of sharing a y-coordinate as explained here:

// https://github.com/AztecProtocol/aztec2-internal/issues/437


TEST(grumpkin, BadPoints)

{

    auto beta = grumpkin::fr::cube_root_of_unity();

    auto beta_sqr = beta * beta;

    bool res = true;

    grumpkin::fr c(1);

    for (size_t i = 0; i < 256; i++) {

        auto val = c / (grumpkin::fr(1) + c);

        if (val == beta || val == beta_sqr) {

            res = false;

        }

        c *= grumpkin::fr(4);

    }

    EXPECT_TRUE(res);

}


TEST(grumpkin, CheckPrecomputedGenerators)

{

    ASSERT_TRUE((bb::check_precomputed_generators<grumpkin::g1, "pedersen_hash_length", 1UL>()));

    ASSERT_TRUE((bb::check_precomputed_generators<grumpkin::g1, "DEFAULT_DOMAIN_SEPARATOR", 8UL>()));

}


// Regression: boundary scalars k = ceil(m * 2^256 / endo_g2) (from endomorphism_scalars.py)

// previously triggered the negative-k2 bug in split_into_endomorphism_scalars, producing wrong

// scalar multiplication results. We test boundaries and random samples within each band.


TEST(grumpkin, ScalarMulNegativeK2Regression)

{

    // clang-format off

    struct test_case { std::array<uint64_t, 4> limbs; const char* tag; };

    const std::array<test_case, 3> boundary_cases = {{

        {{ 0x71922da036dca5f4, 0xd970a56127fb8227, 0x59e26bcea0d48bac, 0x0 }, "m=1"},

        {{ 0xe3245b406db94be8, 0xb2e14ac24ff7044e, 0xb3c4d79d41a91759, 0x0 }, "m=2"},

        {{ 0x54b688e0a495f1dc, 0x8c51f02377f28676, 0x0da7436be27da306, 0x1 }, "m=3"},

    }};

    // clang-format on


    for (const auto& tc : boundary_cases) {

        grumpkin::fr base_scalar{ tc.limbs[0], tc.limbs[1], tc.limbs[2], tc.limbs[3] };

        base_scalar.self_to_montgomery_form();


        grumpkin::g1::affine_element endo_result(grumpkin::g1::one * base_scalar);

        grumpkin::g1::affine_element naive_result =

            naive_scalar_mul<grumpkin::g1, grumpkin::fr>(grumpkin::g1::one, base_scalar);

        EXPECT_EQ(naive_result.on_curve(), true) << tc.tag;

        EXPECT_EQ(endo_result.on_curve(), true) << tc.tag;

        EXPECT_EQ(endo_result, naive_result) << tc.tag;


        // Random samples within the formerly-buggy band (~2^123-2^126 wide; 122-bit offsets).

        for (size_t i = 0; i < 100; ++i) {

            uint256_t rand_bits(grumpkin::fr::random_element());

            uint256_t offset_int = (rand_bits & ((uint256_t(1) << 122) - 1)) + 1;

            grumpkin::fr scalar = base_scalar + grumpkin::fr(offset_int);


            grumpkin::g1::affine_element endo_res(grumpkin::g1::one * scalar);

            grumpkin::g1::affine_element naive_res =

                naive_scalar_mul<grumpkin::g1, grumpkin::fr>(grumpkin::g1::one, scalar);

            EXPECT_EQ(naive_res.on_curve(), true) << tc.tag << " offset " << i;

            EXPECT_EQ(endo_res.on_curve(), true) << tc.tag << " offset " << i;

            EXPECT_EQ(endo_res, naive_res) << tc.tag << " offset " << i;

        }

    }

}


bb::curve::Grumpkin::subgroup_generator_inverse
static constexpr ScalarField subgroup_generator_inverse
Definition grumpkin.hpp:79

bb::curve::Grumpkin::subgroup_generator
static constexpr ScalarField subgroup_generator
Definition grumpkin.hpp:77

bb::group_elements::affine_element
Definition affine_element.hpp:27

bb::group_elements::affine_element::on_curve
constexpr bool on_curve() const noexcept
Definition affine_element_impl.hpp:125

bb::group::one
static constexpr element one
Definition group.hpp:48

bb::group::curve_b
static constexpr Fq curve_b
Definition group.hpp:53

bb::numeric::uint256_t
Definition uint256.hpp:32

VariableRefMutationOptions::tag
@ tag

b
FF b
Definition field_gt.test.cpp:53

bb::grumpkin::fr
bb::fq fr
Definition grumpkin.hpp:21

bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5

bb::TEST
TEST(BoomerangMegaCircuitBuilder, BasicCircuit)
Definition graph_description_megacircuitbuilder.test.cpp:22

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

precomputed_generators_grumpkin_impl.hpp

grumpkin.hpp

bb::field< Bn254FrParams >

bb::field< Bn254FqParams >::cube_root_of_unity
static constexpr field cube_root_of_unity()
Definition field_declarations.hpp:255

bb::field< Bn254FqParams >::one
static constexpr field one()
Definition field_declarations.hpp:279

bb::field::pow
BB_INLINE constexpr field pow(const uint256_t &exponent) const noexcept
Definition field_impl.hpp:361

bb::field< Bn254FqParams >::random_element
static field random_element(numeric::RNG *engine=nullptr) noexcept
Definition field_impl.hpp:777

bb::field::self_to_montgomery_form
BB_INLINE constexpr void self_to_montgomery_form() &noexcept
Definition field_impl.hpp:298

bb::grumpkin::G1Params::one_y
static constexpr bb::fr one_y
Definition grumpkin.hpp:41

bb::grumpkin::G1Params::b
static constexpr bb::fr b
Definition grumpkin.hpp:30