From 95c543f6e0caeca6cb0c310b243072c2e18ffe22 Mon Sep 17 00:00:00 2001
From: Csaba Kiraly
Date: Wed, 4 May 2022 16:11:58 +0200
Subject: [PATCH] enabling PoR over BN254 curves

To enable the use of BN254, change the value of `C` in backend_constantine.nim to `BN254_Snarks`

This also requires https://github.com/mratsim/constantine/pull/193

Signed-off-by: Csaba Kiraly
---
 .../backends/backend_constantine.nim | 32 +++++++++++++++++--
 vendor/constantine | 2 +-
 2 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/dagger/storageproofs/backends/backend_constantine.nim b/dagger/storageproofs/backends/backend_constantine.nim
index ad474a81..2218c79a 100644
--- a/dagger/storageproofs/backends/backend_constantine.nim
+++ b/dagger/storageproofs/backends/backend_constantine.nim
@@ -37,6 +37,8 @@ when defined(debugConstantine):
   import constantine/math/config/type_bigint
   export `$`
 
+#set up curve and G1/G2
+#const C = BN254_Snarks
 const C = BLS12_381
 
 type
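Review bot: The curve is switched by editing source — a commented-out alternative `#const C = BN254_Snarks` sits next to `const C = BLS12_381`, and the commit message tells the user to change the value by hand — so the chosen curve is not visible in the build command and the dead line will drift as the live one changes. A compile-time define keeps the choice reproducible and leaves nothing to keep in sync, e.g. `const C = when defined(porBN254): BN254_Snarks else: BLS12_381` (the define name is a suggestion). The two added lines could then become a single comment naming the define instead of a disabled declaration.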
@@ -133,14 +135,30 @@ proc ec_hash_to_g1*(dst: var ec_p1, aug: openArray[char]) =
   sha256.hashToCurve(128, dst, aug, msg, domainSepTag) #TODO: fix k
 
-proc verifyPairings*(a1: ec_p1, a2: ec_p2, b1: ec_p1, b2: ec_p2) : bool =
+proc verifyPairingsNaive[C](a1: ECP_ShortW_Jac[Fp[C], G1], a2: ec_p2, b1: ec_p1, b2: ec_p2) : bool =
+  # first parameter is in extended form to allow inference of C
+  var
+    e1, e2: Fp12[C]
+    a1aff, b1aff {.noInit.}: ec_p1_affine
+    a2aff, b2aff {.noInit.}: ec_p2_affine
+  a1aff.affine(a1)
+  b1aff.affine(b1)
+  a2aff.affine(a2)
+  b2aff.affine(b2)
+  pairing(e1, a1aff, a2aff)
+  pairing(e2, b1aff, b2aff)
+  return (e1 == e2).bool()
+
+proc verifyPairingsNeg[C](a1: ECP_ShortW_Jac[Fp[C], G1], a2: ec_p2, b1: ec_p1, b2: ec_p2) : bool =
+  # first parameter is in extended form to allow inference of C
   when C.getEmbeddingDegree() == 12:
     var gt {.noInit.}: Fp12[C]
   else:
     {.error: "Not implemented: signature on k=" & $C.getEmbeddingDegree() & " for curve " & $$C.}
-  var a1aff, b1aff {.noInit.}: ec_p1_affine
-  var a2aff, negb2aff {.noInit.}: ec_p2_affine
+  var
+    a1aff, b1aff {.noInit.}: ec_p1_affine
+    a2aff, negb2aff {.noInit.}: ec_p2_affine
   a1aff.affine(a1)
   b1aff.affine(b1)
   a2aff.affine(a2)
@@ -149,6 +167,14 @@ proc verifyPairings*(a1: ec_p1, a2: ec_p2, b1: ec_p1, b2: ec_p2) : bool =
   gt.pairing([a1aff, b1aff], [a2aff, negb2aff])
   return gt.isOne().bool()
 
+proc verifyPairings*(a1: ec_p1, a2: ec_p2, b1: ec_p1, b2: ec_p2) : bool =
+  ## Wrapper to select verify pairings implementation
+  when C == BLS12_381:
+    verifyPairingsNeg(a1, a2, b1, b2)
+  else:
+    verifyPairingsNaive(a1, a2, b1, b2)
+
+
 func ec_from_bytes*(
   dst: var Signature,
   raw: array[96, byte] or array[192, byte]
diff --git a/vendor/constantine b/vendor/constantine
index 65eedd1c..4d3de57b 160000
--- a/vendor/constantine
+++ b/vendor/constantine
@@ -1 +1 @@
-Subproject commit 65eedd1cf70389d188db01fb4f3b6c8e76cc3594
+Subproject commit 4d3de57bbfaf065b7b41d73a9acabc73507bd039
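Review bot: `verifyPairingsNaive` and `verifyPairingsNeg` carry only the type-inference remark as a comment and no `##` doc stating the relation they decide, so a reader has to reconstruct from the two `pairing(e1, …)`/`pairing(e2, …)` calls, and from `negb2aff` plus `isOne()`, that both answer whether e(a1, a2) == e(b1, b2). I'd give each a doc line, e.g. `## Returns true iff e(a1, a2) == e(b1, b2), computed as two separate pairings` on the naive one and `## Returns true iff e(a1, a2) * e(b1, -b2) == 1, computed as one multi-pairing` on the other (the second is my reading of the `negb2aff` name; the negation itself is outside the hunk). Neither proc checks its inputs within the visible lines — they go straight from `affine()` into the pairing — so the doc should also state the precondition that all four points were already validated as curve points in the expected subgroup by the deserialization path, presumably `ec_from_bytes`, whose signature starts at the end of the next hunk. `verifyPairingsNeg`'s body continues past the hunk.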
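Review bot: `verifyPairings` dispatches on the curve's identity (`when C == BLS12_381`) rather than on the property that separates the two implementations, so every other curve — including any other embedding-degree-12 curve that `verifyPairingsNeg` already accepts through its own `getEmbeddingDegree()` check — silently gets the two-pairing path, and the `## Wrapper to select verify pairings implementation` line does not say why the split exists. If the reason is that the negated multi-pairing form is only usable on BLS12-381 with the vendored constantine (the commit message points at an upstream PR but the page does not state this), record it so the next maintainer does not widen the condition blindly: `## Selects the single multi-pairing check on BLS12-381 and the two-pairing comparison on every other curve; see verifyPairingsNeg/verifyPairingsNaive.` Otherwise consider keying the `when` on the capability rather than the curve name. The two added blank lines after the `else:` branch leave a double gap before `func ec_from_bytes*(`, which `nimpretty` would fold.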