UNPKG

o1js

Version:

TypeScript framework for zk-SNARKs and zkApps

github.com/o1-labs/o1js/

o1-labs/o1js

343 lines (302 loc) 9.69 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
import { Fq } from '../../bindings/crypto/finite-field.js'; import { Scalar as SignableFq } from '../../mina-signer/src/curve-bigint.js'; import { Field, checkBitLength } from './field.js'; import { FieldVar } from './core/fieldvar.js'; import { Bool } from './bool.js'; import { ShiftedScalar, field3ToShiftedScalar, fieldToShiftedScalar, } from './gadgets/native-curve.js'; import { isConstant } from './gadgets/common.js'; import { Provable } from './provable.js'; import { assert } from '../util/assert.js'; import type { HashInput } from './types/provable-derivers.js'; import { field3FromBits } from './gadgets/foreign-field.js'; export { Scalar, ScalarConst }; type ScalarConst = [0, bigint]; /** * Represents a {@link Scalar}. */ class Scalar implements ShiftedScalar { /** * We represent a scalar s in shifted form t = s - 2^255 mod q, * split into its low bit (t & 1) and high 254 bits (t >> 1). * The reason is that we can efficiently compute the scalar multiplication `(t + 2^255) * P = s * P`. */ lowBit: Bool; high254: Field; static ORDER = Fq.modulus; private constructor(lowBit: Bool, high254: Field) { this.lowBit = lowBit; this.high254 = high254; } /** * Create a constant {@link Scalar} from a bigint, number, string or Scalar. * * If the input is too large, it is reduced modulo the scalar field size. */ static from(s: Scalar | bigint | number | string): Scalar { if (s instanceof Scalar) return s; let t = Fq.mod(BigInt(s) - (1n << 255n)); let lowBit = new Bool((t & 1n) === 1n); let high254 = new Field(t >> 1n); return new Scalar(lowBit, high254); } /** * Provable method to convert a {@link ShiftedScalar} to a {@link Scalar}. */ static fromShiftedScalar(s: ShiftedScalar) { return new Scalar(s.lowBit, s.high254); } /** * Provable method to convert a {@link Field} into a {@link Scalar}. * * This is always possible and unambiguous, since the scalar field is larger than the base field. */ static fromField(s: Field): Scalar { let { lowBit, high254 } = fieldToShiftedScalar(s); return new Scalar(lowBit, high254); } /** * Check whether this {@link Scalar} is a hard-coded constant in the constraint system. * If a {@link Scalar} is constructed outside provable code, it is a constant. */ isConstant() { let { lowBit, high254 } = this; return isConstant(lowBit, high254); } /** * Convert this {@link Scalar} into a constant if it isn't already. * * If the scalar is a variable, this only works inside `asProver` or `witness` blocks. * * See {@link FieldVar} for an explanation of constants vs. variables. */ toConstant(): Scalar { if (this.isConstant()) return this; return Provable.toConstant(Scalar, this); } /** * Convert this {@link Scalar} into a bigint */ toBigInt() { let { lowBit, high254 } = this.toConstant(); let t = lowBit.toField().toBigInt() + 2n * high254.toBigInt(); return Fq.mod(t + (1n << 255n)); } /** * Creates a Scalar from an array of {@link Bool}. * This method is provable. */ static fromBits(bits: Bool[]): Scalar { let length = bits.length; checkBitLength('Scalar.fromBits()', length, 255); // convert bits to a 3-limb bigint let sBig = field3FromBits(bits); // convert to shifted representation let { lowBit, high254 } = field3ToShiftedScalar(sBig); return new Scalar(lowBit, high254); } /** * Returns a random {@link Scalar}. * Randomness can not be proven inside a circuit! */ static random() { return Scalar.from(Fq.random()); } // operations on constant scalars /** * Negate a scalar field element. * * **Warning**: This method is not available for provable code. */ neg() { let x = assertConstant(this, 'neg'); let z = Fq.negate(x); return Scalar.from(z); } /** * Add scalar field elements. * * **Warning**: This method is not available for provable code. */ add(y: Scalar) { let x = assertConstant(this, 'add'); let y0 = assertConstant(y, 'add'); let z = Fq.add(x, y0); return Scalar.from(z); } /** * Subtract scalar field elements. * * **Warning**: This method is not available for provable code. */ sub(y: Scalar) { let x = assertConstant(this, 'sub'); let y0 = assertConstant(y, 'sub'); let z = Fq.sub(x, y0); return Scalar.from(z); } /** * Multiply scalar field elements. * * **Warning**: This method is not available for provable code. */ mul(y: Scalar) { let x = assertConstant(this, 'mul'); let y0 = assertConstant(y, 'mul'); let z = Fq.mul(x, y0); return Scalar.from(z); } /** * Divide scalar field elements. * Throws if the denominator is zero. * * **Warning**: This method is not available for provable code. */ div(y: Scalar) { let x = assertConstant(this, 'div'); let y0 = assertConstant(y, 'div'); let z = Fq.div(x, y0); if (z === undefined) throw Error('Scalar.div(): Division by zero'); return Scalar.from(z); } /** * Serialize a Scalar into a Field element plus one bit, where the bit is represented as a Bool. * * **Warning**: This method is not available for provable code. * * Note: Since the Scalar field is slightly larger than the base Field, an additional high bit * is needed to represent all Scalars. However, for a random Scalar, the high bit will be `false` with overwhelming probability. */ toFieldsCompressed(): { field: Field; highBit: Bool } { let s = assertConstant(this, 'toFieldsCompressed'); let lowBitSize = BigInt(Fq.sizeInBits - 1); let lowBitMask = (1n << lowBitSize) - 1n; return { field: new Field(s & lowBitMask), highBit: new Bool(s >> lowBitSize === 1n), }; } // internal stuff // Provable<Scalar> /** * Part of the {@link Provable} interface. * * Serialize a {@link Scalar} into an array of {@link Field} elements. * * **Warning**: This function is for internal usage. It returns 255 field elements * which represent the Scalar in a shifted, bitwise format. * The fields are not constrained to be boolean. */ static toFields(x: Scalar) { return [x.lowBit.toField(), x.high254]; } /** * Serialize this Scalar to Field elements. * * **Warning**: This function is for internal usage. It returns 255 field elements * which represent the Scalar in a shifted, bitwise format. * The fields are not constrained to be boolean. * * Check out {@link Scalar.toFieldsCompressed} for a user-friendly serialization * that can be used outside proofs. */ toFields(): Field[] { return Scalar.toFields(this); } /** * **Warning**: This function is mainly for internal use. Normally it is not intended to be used by a zkApp developer. * * This function is the implementation of `ProvableExtended.toInput()` for the {@link Scalar} type. * * @param value - The {@link Scalar} element to get the `input` array. * * @return An object where the `fields` key is a {@link Field} array of length 1 created from this {@link Field}. * */ static toInput(x: Scalar): HashInput { return { fields: [x.high254], packed: [[x.lowBit.toField(), 1]] }; } /** * Part of the {@link Provable} interface. * * Serialize a {@link Scalar} into its auxiliary data, which are empty. */ static toAuxiliary() { return []; } /** * Part of the {@link Provable} interface. * * Creates a data structure from an array of serialized {@link Field} elements. */ static fromFields(fields: Field[]): Scalar { assert( fields.length === 2, `Scalar.fromFields(): expected 2 fields, got ${fields.length}` ); let lowBit = Bool.Unsafe.fromField(fields[0]); let high254 = fields[1]; return new Scalar(lowBit, high254); } /** * Part of the {@link Provable} interface. * * Returns the size of this type in {@link Field} elements. */ static sizeInFields(): number { return 2; } /** * Part of the {@link Provable} interface. */ static check(s: Scalar) { /** * It is not necessary to constrain the range of high254, because the only provable operation on Scalar * which relies on that range is scalar multiplication -- which constrains the range itself. */ return Bool.check(s.lowBit); } static toValue(x: Scalar) { return x.toBigInt(); } static fromValue(x: bigint) { return Scalar.from(x); } // ProvableExtended<Scalar> /** * Serialize a {@link Scalar} to a JSON string. * This operation does _not_ affect the circuit and can't be used to prove anything about the string representation of the Scalar. */ static toJSON(x: Scalar) { let s = assertConstant(x, 'toJSON'); return s.toString(); } /** * Serializes this Scalar to a string */ toJSON() { return Scalar.toJSON(this); } /** * Deserialize a JSON structure into a {@link Scalar}. * This operation does _not_ affect the circuit and can't be used to prove anything about the string representation of the Scalar. */ static fromJSON(x: string) { return Scalar.from(SignableFq.fromJSON(x)); } static empty() { return Scalar.from(0n); } } // internal helpers function assertConstant(x: Scalar, name: string): bigint { assert( x.isConstant(), `${name}() is not available in provable code. That means it can't be called in a @method or similar environment, and there's no alternative implemented to achieve that.` ); return x.toBigInt(); }