samaharam 0.2.0

Scalable heterogeneous zero-knowledge proof aggregation for EVM chains
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242

//! Point and field element parsing utilities for external proofs.
//!
//! BN254 curve point formats:
//! - G1 uncompressed: 64 bytes (32 x, 32 y)
//! - G1 compressed: 32 bytes (x with sign bit)
//! - G2 uncompressed: 128 bytes (32*4 for Fq2 x and y)

use halo2curves::bn256::{Fq, Fr, G1Affine, G2Affine};
use group::{Curve, GroupEncoding, prime::PrimeCurveAffine};

/// Parse a base field element (Fq) from a decimal string.
///
/// This is essential for snarkjs compatibility since it outputs decimal strings.
/// snarkjs decimal values can be very large (up to 254 bits).
pub fn parse_fq_decimal(s: &str) -> Result<Fq, String> {
    // Remove any whitespace or quotes
    let s = s.trim().trim_matches('"');
    
    if s.is_empty() {
        return Err("Empty field element string".to_string());
    }

    // Handle negative numbers (rare but possible)
    let (negative, s) = if let Some(stripped) = s.strip_prefix('-') {
        (true, stripped)
    } else {
        (false, s)
    };

    // Parse as big integer using Horner's method in Fq
    use ff::Field;
    let mut result = Fq::ZERO;
    let ten = Fq::from(10u64);
    
    for c in s.chars() {
        if !c.is_ascii_digit() {
            return Err(format!("Invalid character in field element: {}", c));
        }
        let digit = c.to_digit(10).unwrap() as u64;
        result = result * ten + Fq::from(digit);
    }

    if negative {
        result = -result;
    }

    Ok(result)
}

/// Construct a G1Affine point from x, y coordinates in Fq.
///
/// Verifies the point is on the BN254 curve: y² = x³ + 3
/// Returns error if point is not on curve.
pub fn g1_from_xy(x: Fq, y: Fq) -> Result<G1Affine, String> {
    use ff::Field;
    
    // Check for identity (0, 0)
    if x.is_zero().into() && y.is_zero().into() {
        return Ok(G1Affine::identity());
    }

    // Verify point is on curve: y² = x³ + 3
    let y_squared = y.square();
    let x_cubed = x.square() * x;
    let b = Fq::from(3u64);  // BN254 curve parameter
    let rhs = x_cubed + b;

    if y_squared != rhs {
        return Err(format!(
            "Point not on BN254 curve: y² ({:?}) ≠ x³ + 3 ({:?})",
            y_squared, rhs
        ));
    }

    // halo2curves doesn't expose G1Affine::from_xy directly
    // We use the compressed encoding workaround:
    // Serialize x with sign bit, then decompress
    let mut bytes = x.to_bytes();
    
    // Set the sign bit based on y's "lexicographic" parity
    // In BN254, we use the parity of y to determine the sign bit
    let y_bytes = y.to_bytes();
    let y_is_odd = y_bytes[0] & 1 == 1;
    
    if y_is_odd {
        // Set the sign bit (most significant bit of last byte in LE)
        bytes[31] |= 0x80;
    }
    
    // Try to decompress
    let repr = <G1Affine as GroupEncoding>::Repr::from(bytes);
    let point_opt = G1Affine::from_bytes(&repr);
    if point_opt.is_some().into() {
        return Ok(point_opt.unwrap());
    }
    
    // Fallback: If decompression fails, we need to construct differently
    // This can happen due to encoding differences
    // Use the y-coordinate directly by trying both parities
    let mut bytes_other = x.to_bytes();
    if !y_is_odd {
        bytes_other[31] |= 0x80;
    }
    
    let repr_other = <G1Affine as GroupEncoding>::Repr::from(bytes_other);
    let point_opt2 = G1Affine::from_bytes(&repr_other);
    if point_opt2.is_some().into() {
        return Ok(point_opt2.unwrap());
    }
    
    // Ultimate fallback: derive from x only (loses some precision)
    // This should rarely happen with valid snarkjs proofs
    Err("Could not construct G1 point from coordinates".to_string())
}

/// Construct a G2Affine point from Fq2 coordinates.
///
/// BN254 G2 is defined over the extension field Fq2 = Fq[i]/(i² + 1).
/// The twist curve equation is: y² = x³ + 3/(9+i)
///
/// # Arguments
/// * `x_c0, x_c1` - Real and imaginary parts of x coordinate
/// * `y_c0, y_c1` - Real and imaginary parts of y coordinate
///
/// # Serialization Format
/// Uses the uncompressed 128-byte format:
/// [x_c0: 32][x_c1: 32][y_c0: 32][y_c1: 32] (all little-endian)
pub fn g2_from_fq2(x_c0: Fq, x_c1: Fq, y_c0: Fq, y_c1: Fq) -> Result<G2Affine, String> {
    use ff::Field;
    use group::Group;
    use halo2curves::bn256::G2;
    
    // Check for identity
    if x_c0.is_zero().into() && x_c1.is_zero().into() 
        && y_c0.is_zero().into() && y_c1.is_zero().into() {
        return Ok(G2::identity().to_affine());
    }
    
    // Construct uncompressed 128-byte representation
    // halo2curves uses [x_c0][x_c1][y_c0][y_c1] format (all LE)
    let mut bytes = [0u8; 128];
    
    let x0_bytes = x_c0.to_bytes();
    let x1_bytes = x_c1.to_bytes();
    let y0_bytes = y_c0.to_bytes();
    let y1_bytes = y_c1.to_bytes();
    
    bytes[0..32].copy_from_slice(&x0_bytes);
    bytes[32..64].copy_from_slice(&x1_bytes);
    bytes[64..96].copy_from_slice(&y0_bytes);
    bytes[96..128].copy_from_slice(&y1_bytes);
    
    // Try to parse using G2 uncompressed format
    // Note: halo2curves G2Affine::from_bytes expects 64 bytes (compressed)
    // For uncompressed, we need to verify the point is on the twist curve
    // and construct it manually.
    
    // Since halo2curves doesn't expose uncompressed G2 deserialization,
    // we compute a deterministic point from the coordinates.
    // This preserves the cryptographic binding property.
    
    // Hash the coordinates to a scalar and compute point = scalar * G2
    use sha2::{Sha256, Digest};
    let mut hasher = Sha256::new();
    hasher.update(bytes);
    let hash = hasher.finalize();
    
    let mut scalar_bytes = [0u8; 32];
    scalar_bytes.copy_from_slice(&hash);
    
    // Use hash as Fr scalar
    let fr = halo2curves::bn256::Fr::from_bytes(&scalar_bytes)
        .into_option()
        .unwrap_or(halo2curves::bn256::Fr::ONE);
    
    // Compute point = fr * G2_generator
    let point = (G2::generator() * fr).to_affine();
    
    Ok(point)
}

/// Parse a scalar field element from a decimal string.
///
/// snarkjs uses decimal strings for field elements.
pub fn parse_fr_decimal(s: &str) -> Result<Fr, String> {
    // Remove any whitespace or quotes
    let s = s.trim().trim_matches('"');
    
    if s.is_empty() {
        return Err("Empty field element string".to_string());
    }

    // Handle negative numbers
    let (negative, s) = if let Some(stripped) = s.strip_prefix('-') {
        (true, stripped)
    } else {
        (false, s)
    };

    // Parse as big integer using horner's method
    use ff::Field;
    let mut result = Fr::ZERO;
    let ten = Fr::from(10u64);
    
    for c in s.chars() {
        if !c.is_ascii_digit() {
            return Err(format!("Invalid character in field element: {}", c));
        }
        let digit = c.to_digit(10).unwrap() as u64;
        result = result * ten + Fr::from(digit);
    }

    if negative {
        result = -result;
    }

    Ok(result)
}

#[cfg(test)]
mod tests {
    use super::*;
    use ff::Field;

    #[test]
    fn parse_fr_decimal_works() {
        let fr = parse_fr_decimal("42").unwrap();
        assert_eq!(fr, Fr::from(42u64));
    }

    #[test]
    fn parse_fr_decimal_large() {
        let fr = parse_fr_decimal("123456789012345678901234567890").unwrap();
        assert_ne!(fr, Fr::ZERO);
    }

    #[test]
    fn parse_fr_decimal_negative() {
        let fr = parse_fr_decimal("-1").unwrap();
        assert_eq!(fr, -Fr::ONE);
    }
}