feat: add Pectra BLS12-381 elliptic curve precompiles

internal/stats/latest_stats.csv

@@ -153,14 +153,14 @@ pairing_bls12377,bls24_315,plonk,0,0
 pairing_bls12377,bls24_317,plonk,0,0
 pairing_bls12377,bw6_761,plonk,51280,51280
 pairing_bls12377,bw6_633,plonk,0,0
-pairing_bls12381,bn254,groth16,947528,1567714
+pairing_bls12381,bn254,groth16,949444,1570802
 pairing_bls12381,bls12_377,groth16,0,0
 pairing_bls12381,bls12_381,groth16,0,0
 pairing_bls12381,bls24_315,groth16,0,0
 pairing_bls12381,bls24_317,groth16,0,0
 pairing_bls12381,bw6_761,groth16,0,0
 pairing_bls12381,bw6_633,groth16,0,0
-pairing_bls12381,bn254,plonk,3642638,3233378
+pairing_bls12381,bn254,plonk,3649555,3239775
 pairing_bls12381,bls12_377,plonk,0,0
 pairing_bls12381,bls12_381,plonk,0,0
 pairing_bls12381,bls24_315,plonk,0,0

std/algebra/emulated/fields_bls12381/e2.go

@@ -292,6 +292,14 @@ func (e Ext2) AssertIsEqual(x, y *E2) {
 	e.fp.AssertIsEqual(&x.A1, &y.A1)
 }
 
+func (e Ext2) IsEqual(x, y *E2) frontend.Variable {
+	xDiff := e.fp.Sub(&x.A0, &y.A0)
+	yDiff := e.fp.Sub(&x.A1, &y.A1)
+	xIsZero := e.fp.IsZero(xDiff)
+	yIsZero := e.fp.IsZero(yDiff)
+	return e.api.And(xIsZero, yIsZero)
+}
+
 func FromE2(y *bls12381.E2) E2 {
 	return E2{
 		A0: emulated.ValueOf[emulated.BLS12381Fp](y.A0),

std/algebra/emulated/sw_bls12381/g1.go

@@ -28,6 +28,7 @@ func NewG1Affine(v bls12381.G1Affine) G1Affine {
 }
 
 type G1 struct {
+	api    frontend.API
 	curveF *emulated.Field[BaseField]
 	w      *emulated.Element[BaseField]
 }
@@ -39,11 +40,21 @@ func NewG1(api frontend.API) (*G1, error) {
 	}
 	w := emulated.ValueOf[BaseField]("4002409555221667392624310435006688643935503118305586438271171395842971157480381377015405980053539358417135540939436")
 	return &G1{
+		api:    api,
 		curveF: ba,
 		w:      &w,
 	}, nil
 }
 
+func (g1 G1) neg(p *G1Affine) *G1Affine {
+	xr := &p.X
+	yr := g1.curveF.Neg(&p.Y)
+	return &G1Affine{
+		X: *xr,
+		Y: *yr,
+	}
+}
+
 func (g1 *G1) phi(q *G1Affine) *G1Affine {
 	x := g1.curveF.Mul(&q.X, g1.w)
 
@@ -157,6 +168,55 @@ func (g1 *G1) scalarMulBySeedSquare(q *G1Affine) *G1Affine {
 	return z
 }
 
+func (g1 *G1) computeCurveEquation(P *G1Affine) (left, right *baseEl) {
+	// Curve: Y² == X³ + aX + b, where a=0 and b=4
+	// (X,Y) ∈ {Y² == X³ + aX + b} U (0,0)
+
+	// if P=(0,0) we assign b=0 otherwise 4, and continue
+	selector := g1.api.And(g1.curveF.IsZero(&P.X), g1.curveF.IsZero(&P.Y))
+	four := emulated.ValueOf[BaseField]("4")
+	b := g1.curveF.Select(selector, g1.curveF.Zero(), &four)
+
+	left = g1.curveF.Mul(&P.Y, &P.Y)
+	right = g1.curveF.Mul(&P.X, &P.X)
+	right = g1.curveF.Mul(right, &P.X)
+	right = g1.curveF.Add(right, b)
+	return left, right
+}
+
+func (g1 *G1) AssertIsOnCurve(P *G1Affine) {
+	left, right := g1.computeCurveEquation(P)
+	g1.curveF.AssertIsEqual(left, right)
+}
+
+func (g1 *G1) AssertIsOnG1(P *G1Affine) {
+	// 1- Check P is on the curve
+	g1.AssertIsOnCurve(P)
+
+	// 2- Check P has the right subgroup order
+	// [x²]ϕ(P)
+	phiP := g1.phi(P)
+	_P := g1.scalarMulBySeedSquare(phiP)
+	_P = g1.neg(_P)
+
+	// [r]Q == 0 <==>  P = -[x²]ϕ(P)
+	g1.AssertIsEqual(_P, P)
+}
+
+// AssertIsEqual asserts that p and q are the same point.
+func (g1 *G1) AssertIsEqual(p, q *G1Affine) {
+	g1.curveF.AssertIsEqual(&p.X, &q.X)
+	g1.curveF.AssertIsEqual(&p.Y, &q.Y)
+}
+
+func (g1 *G1) IsEqual(p, q *G1Affine) frontend.Variable {
+	xDiff := g1.curveF.Sub(&p.X, &q.X)
+	yDiff := g1.curveF.Sub(&p.Y, &q.Y)
+	xIsZero := g1.curveF.IsZero(xDiff)
+	yIsZero := g1.curveF.IsZero(yDiff)
+	return g1.api.And(xIsZero, yIsZero)
+}
+
 // NewScalar allocates a witness from the native scalar and returns it.
 func NewScalar(v fr_bls12381.Element) Scalar {
 	return emulated.ValueOf[ScalarField](v)