group class. Represents an elliptic curve group element. Group is parametrised by Fq and Fr
template<typename Fq_, typename Fr_, typename Params>
class bb::group< Fq_, Fr_, Params >
Note: BN254 / Grumpkin G1 have cofactor 1, so affine_element::on_curve() is itself a subgroup check. BN254 G2 has a non-trivial cofactor, so callers that accept externally-supplied G2 bytes must additionally invoke affine_element::is_in_prime_subgroup() to reject cofactor-subgroup points before they reach pairing-based verifiers; routine internal G2 arithmetic stays inside the prime-order subgroup because every starting point is the precomputed generator [1]_2 or the SRS point [x]_2.
- Template Parameters
- Fq_: the base field Fq
- Fr_: the scalar field Fr
- Params: curve parameters
Definition at line 38 of file group.hpp.
template<typename Fq_, typename Fr_, typename Params>
static std::vector< affine_element > bb::group< Fq_, Fr_, Params >::derive_generators(
    const std::vector< uint8_t > & domain_separator_bytes,
    const size_t num_generators,
    const size_t starting_index = 0)
[inline, static]
Derives generator points via hash-to-curve.
ALGORITHM DESCRIPTION:
1. Each generator has an associated "generator index" given by its location in the vector.
2. A 64-byte preimage buffer is generated with the following structure:
   - bytes 0-31: BLAKE3 hash of domain_separator
   - bytes 32-63: generator index in big-endian form
3. The hash-to-curve algorithm is used to hash the above into a group element:
   a. iterate count upwards from 0
   b. append count to the preimage buffer as a 1-byte integer in big-endian form
   c. compute BLAKE3 hash of concat(preimage buffer, 0)
   d. compute BLAKE3 hash of concat(preimage buffer, 1)
   e. interpret (c, d) as (hi, low) limbs of a 512-bit integer
   f. reduce the 512-bit integer modulo Fq to produce the x-coordinate
   g. attempt to derive the y-coordinate; if not successful, go to step (a) and continue
   h. if the parity of the y-coordinate's least significant bit does not match the parity of the most significant bit of (d), invert the y-coordinate
   j. return (x, y)
NOTE: In step 3b it is sufficient to use 1 byte (uint8_t) to store count (called attempt_count in hash_to_curve). For BN254/Grumpkin, approximately half of all Fq field elements are quadratic residues, so each attempt succeeds with probability ~1/2. The probability of needing more than N attempts is ~2^-N, making P(count > 255) ≈ 2^-255 — negligible for any practical use. The type uint8_t is therefore intentional, not a bug.
NOTE: The domain separator is included to ensure that it is possible to derive independent sets of index-addressable generators.
NOTE: We produce 64 bytes of BLAKE3 output when producing the x-coordinate field element, to ensure that the x-coordinate is uniformly distributed in the field. Using a 256-bit input adds significant bias when reducing modulo a ~256-bit Fq.
NOTE: We ensure y-parity is linked to the preimage hash because there is no canonical deterministic square root algorithm (i.e. if a field element has a square root, there are two of them and field::sqrt may return either one).
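The derivation above, as an added Python example (not barretenberg's own code), instantiated for BN254 G1 (y^2 = x^3 + 3 over Fq, where Fq ≡ 3 mod 4 so a square root is a single exponentiation). Assumptions: Python's hashlib has no BLAKE3, so blake2b with a 32-byte digest stands in for it, which means the derived points will not match those of bb::group::derive_generators; the (hi, low) limbs are read big-endian; and "most significant bit of (d)" is taken to mean the top bit of d's first byte.

```python
import hashlib

# BN254 base field modulus and the G1 curve y^2 = x^3 + 3 over Fq.
FQ = 21888242871839275222246405745257275088696311157297823662689037894645226208583
CURVE_B = 3


def h32(data):
    """Stand-in for the 32-byte BLAKE3 hash used by the original (assumption)."""
    return hashlib.blake2b(data, digest_size=32).digest()


def sqrt_fq(a):
    """Square root in Fq, or None if a is a non-residue (valid because FQ % 4 == 3)."""
    root = pow(a, (FQ + 1) // 4, FQ)
    return root if root * root % FQ == a else None


def hash_to_curve(preimage):
    """Step 3: try attempt_count = 0, 1, 2, ... until x^3 + 3 is a quadratic residue."""
    for attempt_count in range(256):                 # uint8_t, as in the original NOTE
        buf = preimage + bytes([attempt_count])      # (b) 1-byte count appended
        hi = h32(buf + b"\x00")                      # (c)
        lo = h32(buf + b"\x01")                      # (d)
        # (e)+(f): 512-bit integer from (hi, low), reduced mod Fq for a near-uniform x.
        x = int.from_bytes(hi + lo, "big") % FQ
        y = sqrt_fq((x * x * x + CURVE_B) % FQ)      # (g)
        if y is None:
            continue
        if (y & 1) != (lo[0] >> 7):                  # (h) tie y's parity to top bit of d
            y = (FQ - y) % FQ
        return (x, y)                                # (j)
    raise RuntimeError("no point after 256 attempts (probability ~2^-256)")


def derive_generators(domain_separator, num_generators, starting_index=0):
    sep_hash = h32(domain_separator)                 # preimage bytes 0-31
    points = []
    for index in range(starting_index, starting_index + num_generators):
        preimage = sep_hash + index.to_bytes(32, "big")   # preimage bytes 32-63
        points.append(hash_to_curve(preimage))
    return points


def on_curve(point):
    """Curve membership check; for BN254 G1 (cofactor 1) this is also a subgroup check."""
    x, y = point
    return (y * y - (x * x * x + CURVE_B)) % FQ == 0
```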
- Parameters
- domain_separator_bytes: domain separator whose BLAKE3 hash forms bytes 0-31 of the preimage; distinct separators yield independent sets of index-addressable generators
- num_generators: number of generator points to derive
- starting_index: generator index of the first derived point (default 0)
- Returns
- std::vector<affine_element>: the derived generator points
Definition at line 92 of file group.hpp.