ark-ec defines traits and algorithms for working with different kinds of additive groups, with a focus on groups arising from elliptic curves. It further provides concrete instantiations of these traits for various elliptic curve models, including popular families of pairing-friendly curves such as the BLS12 family of curves.
Implementations of particular curves using these curve models can be found in arkworks-rs/curves.
Group traitMany cryptographic protocols use as core building-blocks prime-order groups. The Group trait is an abstraction that represents elements of such abelian prime-order groups. It provides methods for performing common operations on group elements:
``rust
use ark_ec::Group;
use ark_ff::{PrimeField, Field};
// We'll use the BLS12-381 G1 curve for this example.
// This group has a prime orderr, and is associated with a prime fieldFr`.
use arktestcurves::bls12381::{G1Projective as G, Fr as ScalarField};
use arkstd::{Zero, UniformRand, ops::Mul};
let mut rng = arkstd::testrng(); // Let's sample uniformly random group elements: let a = G::rand(&mut rng); let b = G::rand(&mut rng);
// We can add elements, ... let c = a + b; // ... subtract them, ... let d = a - b; // ... and double them. asserteq!(c + d, a.double()); // We can also negate elements, ... let e = -a; // ... and check that negation satisfies the basic group law asserteq!(e + a, G::zero());
// We can also multiply group elements by elements of the corresponding scalar field // (an act known as scalar multiplication) let scalar = ScalarField::rand(&mut rng); let e = c.mul(scalar); let f = e.mul(scalar.inverse().unwrap()); assert_eq!(f, c); ```
While the Group trait already produces scalar multiplication routines, in many cases one can take advantage of
the group structure to perform scalar multiplication more efficiently. To allow such specialization, ark-ec provides
the ScalarMul and VariableBaseMSM traits. The latter trait computes an "inner product" between a vector of scalars s and a vector of group elements g. That is, it computes s.iter().zip(g).map(|(s, g)| g * s).sum().
``rust
use ark_ec::{Group, VariableBaseMSM};
use ark_ff::{PrimeField, Field};
// We'll use the BLS12-381 G1 curve for this example.
// This group has a prime orderr, and is associated with a prime fieldFr`.
use arktestcurves::bls12381::{G1Projective as G, G1Affine as GAffine, Fr as ScalarField};
use arkstd::{Zero, UniformRand};
let mut rng = arkstd::testrng(); // Let's sample uniformly random group elements: let a = GAffine::rand(&mut rng); let b = GAffine::rand(&mut rng);
let s1 = ScalarField::rand(&mut rng); let s2 = ScalarField::rand(&mut rng);
// Note that we're using the GAffine type here, as opposed to G.
// This is because MSMs are more efficient when the group elements are in affine form. (See below for why.)
//
// The VariableBaseMSM trait allows specializing the input group element representation to allow
// for more efficient implementations.
let result = G::msm(&[a, b], &[s1, s2]);
assert_eq!(result, a * s1 + b * s2);
```
There are two traits that are important when working with elliptic curves
over finite fields: [CurveGroup], and [AffineRepr]. Both traits
represent elements of the same curve, but provide different underlying representations.
In particular, the [CurveGroup] representation of a curve point is generally
more efficient for arithmetic, but does not provide a unique representative
for a curve point. An [AffineRepr] representation, on the other hand, is unique,
but is slower for most arithmetic operations. Let's explore how and when to use
these:
```rust use arkec::{AffineRepr, Group, CurveGroup, VariableBaseMSM}; use arkff::{PrimeField, Field}; use arktestcurves::bls12381::{G1Projective as G, G1Affine as GAffine, Fr as ScalarField}; use arkstd::{Zero, UniformRand};
let mut rng = arkstd::testrng();
// Let's generate an elliptic curve group element in the CurveGroup representation
let a = G::rand(&mut rng);
// We can convert it the AffineRepr representation...
let aaff = a.intoaffine();
// ... and check that the two representations are equal.
asserteq!(aaff, a);
// We can also convert back to the CurveGroup representation:
asserteq!(a, aaff.into_group());
// As a general rule, most group operations are slower when elements
// are represented as AffineRepr. However, adding an AffineRepr
// point to a CurveGroup one is usually slightly more efficient than
// adding two CurveGroup points.
let d = a + aaff;
asserteq!(d, a.double());
// This efficiency also translates into more efficient scalar multiplication routines. let scalar = ScalarField::rand(&mut rng); let mulresult = aaff * scalar; asserteq!(a * scalar, mulresult);
// Finally, while not recommended, users can directly construct group elements
// from the x and y coordinates of the curve points. This is useful when implementing algorithms
// like hash-to-curve.
let ax = aaff.x;
let ay = aaff.y;
let isatinfinity = aaff.iszero();
// This check ensures that new_a is indeed in the curve group, and in particular
// is within the prime-order group.
let newa = GAffine::new(ax, ay);
asserteq!(aaff, newa);
assert!(newa.isoncurve());
assert!(newa.isincorrectsubgroupassumingoncurve());
```
Besides the foregoing abstract interfaces for elliptic curve groups, ark-ec also provides
the following concrete instantiations of common elliptic curve models:
AffineRepr in this case is in typical Short Weierstrass point representation, and the CurveGroup is using points in Jacobian Coordinates.AffineRepr in this case is in standard Twisted Edwards curve representation, whereas the CurveGroup uses points in Extended Twisted Edwards Coordinates.Pairing is a trait that defines the interface for a pairing-friendly elliptic curve. Besides the general interface, we provide concrete instantiations of popular pairing-friendly families of curves, such as the Barreto-Lynn-Scott and Barreto-Naehrig families.
```rust use arkec::{pairing::Pairing, AffineRepr}; use arkff::Field; use ark_std::UniformRand;
use arktestcurves::bls12381::{Bls12381, G1Projective as G1, G2Projective as G2, Fq12 as Fq12}; use arktestcurves::bls12_381::Fr as ScalarField;
// The pairing engine is parameterized by the scalar field of the curve. let mut rng = arkstd::testrng(); let s = ScalarField::rand(&mut rng); let a = G1::rand(&mut rng); let b = G2::rand(&mut rng);
// We can compute the pairing of two points on the curve, either monolithically... let e1 = Bls12381::pairing(a, b); // ... or in two steps. First, we compute the Miller loop... let mlresult = Bls12381::millerloop(a, b); // ... and then the final exponentiation. let e2 = Bls12381::finalexponentiation(mlresult).unwrap(); asserteq!(e1, e2); ```
ark-ec also provides traits for hashing to elliptic curve groups. The HashToCurve trait allows users to hash arbitrary byte strings to elliptic curve group elements, and allows using different hashing strategies.