Emulated BW6-761 pairing #420
-
Hi Sir @ivokub, thanks for your comment, right now I can print out the data. I already changed every
e6_pairing_test.go:60:
Error Trace: D:\Projects\mygo\src\Zecrey\SherLzp\gnark\std\algebra\pairing_bw6761\e6_pairing_test.go:60
Error: Received unexpected error:
[assertIsEqual] 45103312938095893 == 477448877165663509
bits.toBinary
conversion_binary.go:93
bits.ToBase
conversion.go:25
bits.ToBinary
conversion_binary.go:18
emulated.(*Field[...]).EnforceWidth
field_assert.go:135
emulated.(*Field[...]).PackLimbs
field.go:114
emulated.(*Field[...]).computeQuoHint
hints.go:141
emulated.(*Field[...]).AssertIsEqual
field_assert.go:158
emulated.(*Field[...]).Reduce
field_ops.go:226
pairing_bw6761.ext3.Set
e3.go:347
pairing_bw6761.ext6.Set
e6.go:360
pairing_bw6761.ext6.CyclotomicSquareCompressed
e6.go:127
pairing_bw6761.ext6.nSquareCompressed
e6_pairing.go:33
pairing_bw6761.ext6.Expt
e6_pairing.go:58
pairing_bw6761.(*e6Expt).Define
e6_pairing_test.go:41
Test: TestExptFp6
--- FAIL: TestExptFp6 (1.28s)

I checked every operation in gnark-crypto and there seems to be no problem. In addition, I already made tests for each operation in
-
Hi sir, @ivokub, I think I finally found the problem. Could you tell me why these two methods will give different results?

z := fp.Add(x, x)
z = fp.Add(z, z)
z = fp.Neg(z)

nonResidue := emulated.NewElement[emulated.BW6761Fp](-4)
z := fp.Mul(x, &nonResidue)
-
And when I change the method to the following, sometimes it will give the same result:

z := fp.Neg(z)
z = fp.Add(z, z)
z = fp.Add(z, z)
-
You can try this fix:

diff --git a/std/math/emulated/field_assert.go b/std/math/emulated/field_assert.go
index e068f11a..1bdcbbc4 100644
--- a/std/math/emulated/field_assert.go
+++ b/std/math/emulated/field_assert.go
@@ -125,10 +125,10 @@ func (f *Field[T]) EnforceWidth(a *Element[T]) {
// TODO @gbotrel why check all the limbs here? if len(e.Limbs) <= modulus
// && last limb <= bits[lastLimbs] modulus, we're good ?
limbNbBits := int(f.fParams.BitsPerLimb())
- if i == len(a.Limbs)-1 {
- // take only required bits from the most significant limb
- limbNbBits = ((f.fParams.Modulus().BitLen() - 1) % int(f.fParams.BitsPerLimb())) + 1
- }
+ // if i == len(a.Limbs)-1 {
+ // // take only required bits from the most significant limb
+ // limbNbBits = ((f.fParams.Modulus().BitLen() - 1) % int(f.fParams.BitsPerLimb())) + 1
+ // }
// bits.ToBinary restricts the least significant NbDigits to be equal to
// the limb value. This is sufficient to restrict for the bitlength and
// we can discard the bits themselves.

So when enforcing the widths of the limbs, I had assumed that I only enforce for the cases when the integer value is smaller than modulus. But actually for the coefficient I will implement a proper fix later to separate between two cases (to save a few constraints), but I think that for now this should work for you and should be sound.

Now there is another error, but I think this is due to some other problem. Maybe you can spot it. But if it seems to be a problem in field emulation, then I can have a look.
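Review bot: The narrowing of the most significant limb in EnforceWidth is disabled by commenting the `if i == len(a.Limbs)-1` branch out, which relaxes the range check for every caller at once and leaves dead code behind with no explanation. With the branch gone, the top limb is accepted at the full `BitsPerLimb()` width, so any caller that relied on EnforceWidth to bound an element to the modulus bit length now gets a weaker constraint; it is worth confirming that no such caller exists before this lands. I would suggest selecting the width through an explicit argument or a separate function for the two cases, deleting the commented-out lines, and adding a comment stating when the full-width check is the intended one. The TODO above the changed lines also still asks why all limbs are checked and should be updated to match whatever is decided here.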
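Added example, not part of the discussion or of gnark's code: a plain `math/big` model of a per-limb width check done by binary decomposition, showing how the two numbers in the `[assertIsEqual]` message from the trace arise when the top limb is wider than the narrowed width. The function names are hypothetical, and the parameters (761-bit modulus, 12 limbs of 64 bits) are assumptions about `emulated.BW6761Fp`; the filler limbs are constructed.

```go
package main

import (
	"fmt"
	"math/big"
)

// topLimbWidth is the narrowed width from the branch removed in the diff.
func topLimbWidth(modBits, bitsPerLimb int) int {
	return (modBits-1)%bitsPerLimb + 1
}

// checkWidths keeps only the low `width` bits of each limb, recomposes them
// and requires equality with the limb. With strict=true the last limb uses
// topLimbWidth. Returns the first failing index (or -1), recomposed, actual.
func checkWidths(limbs []*big.Int, modBits, bitsPerLimb int, strict bool) (int, *big.Int, *big.Int) {
	for i, limb := range limbs {
		width := bitsPerLimb
		if strict && i == len(limbs)-1 {
			width = topLimbWidth(modBits, bitsPerLimb)
		}
		mask := new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), uint(width)), big.NewInt(1))
		recomposed := new(big.Int).And(limb, mask)
		if recomposed.Cmp(limb) != 0 {
			return i, recomposed, limb
		}
	}
	return -1, nil, nil
}

// sampleLimbs: constructed 12-limb value; top limb is taken from the trace.
func sampleLimbs() []*big.Int {
	limbs := make([]*big.Int, 12) // assumed limb count for BW6761Fp
	for i := range limbs {
		limbs[i] = big.NewInt(int64(i + 1)) // constructed filler limbs
	}
	limbs[11], _ = new(big.Int).SetString("477448877165663509", 10)
	return limbs
}

func main() {
	// 761 and 64 are the assumed modulus bit length and bits per limb.
	i, got, want := checkWidths(sampleLimbs(), 761, 64, true)
	fmt.Printf("strict: limb %d fails, %v == %v\n", i, got, want)
	j, _, _ := checkWidths(sampleLimbs(), 761, 64, false)
	fmt.Println("relaxed: first failing limb =", j)
}
```

The strict check fails on the top limb because the limb occupies 59 bits while only 57 are decomposed; the full-width check accepts the same limbs.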
-
Hi sir @ivokub, what's the usage of this method? Is that required? https://github.com/ConsenSys/gnark/blob/develop/std/math/emulated/field.go#L114
-
This discussion is a continuation of the thread in #395.
@SherLzp, I have some code which helps debugging pairing implementation in-circuit. First, to use the debug code, you need to use the test engine (instead of compiling the circuit and solving it).
First, add the following functions (in field emulation std/math/emulated/debug.go):

and (in std/algebra/pairing_bn254/debug.go):

Now, you can print out the intermediate values by calling fmt.Println(pairing.ext12(gtEl)) in-circuit. The output corresponds to the output with calling .String() methods on field elements in gnark-crypto.