C bindings for Banderwagon

[Richa-iitr]

Added C bindings for verkle-ipa.

[mratsim]

Thanks for the contributions.

I think this should be split into 3 steps:

1. C bindings for banderwagon fr, fp, ec
2. Creating a proper wrapper for the Ethereumn specific instantiation of IPA. Currently the generic code is forwarded (i.e. constantine/commitments/eth_verkle_ipa.nim) but protocol-specific constants/types should be wrapped and exposed in a proper procedure in the root constantine/eth_verkle_ipa.nim and only there can C bindings be generated from.
3. Actually do the C bindings.

[mratsim]

All the fields and curves related struct should be defined in constantine/include/constantine/curves/banderwagon.h

This would be similar to pallas and vesta as they don't use pairings:

constantine/bindings/lib_curves.nim

Lines 68 to 100 in 2c3de87

	type
	bn254_snarks_fr = Fr[BN254_Snarks]
	bn254_snarks_fp = Fp[BN254_Snarks]
	bn254_snarks_fp2 = Fp2[BN254_Snarks]
	bn254_snarks_g1_aff = EC_ShortW_Aff[Fp[BN254_Snarks], G1]
	bn254_snarks_g1_jac = EC_ShortW_Jac[Fp[BN254_Snarks], G1]
	bn254_snarks_g1_prj = EC_ShortW_Prj[Fp[BN254_Snarks], G1]
	bn254_snarks_g2_aff = EC_ShortW_Aff[Fp2[BN254_Snarks], G2]
	bn254_snarks_g2_jac = EC_ShortW_Jac[Fp2[BN254_Snarks], G2]
	bn254_snarks_g2_prj = EC_ShortW_Prj[Fp2[BN254_Snarks], G2]
	collectBindings(cBindings_bn254_snarks):
	genBindingsField(big254, bn254_snarks_fr)
	genBindingsField(big254, bn254_snarks_fp)
	genBindingsFieldSqrt(bn254_snarks_fp)
	genBindingsExtField(bn254_snarks_fp2)
	genBindingsExtFieldSqrt(bn254_snarks_fp2)
	genBindings_EC_ShortW_Affine(bn254_snarks_g1_aff, bn254_snarks_fp)
	genBindings_EC_ShortW_NonAffine(bn254_snarks_g1_jac, bn254_snarks_g1_aff, big254, bn254_snarks_fr)
	genBindings_EC_ShortW_NonAffine(bn254_snarks_g1_prj, bn254_snarks_g1_aff, big254, bn254_snarks_fr)
	genBindings_EC_ShortW_Affine(bn254_snarks_g2_aff, bn254_snarks_fp2)
	genBindings_EC_ShortW_NonAffine(bn254_snarks_g2_jac, bn254_snarks_g2_aff, big254, bn254_snarks_fr)
	genBindings_EC_ShortW_NonAffine(bn254_snarks_g2_prj, bn254_snarks_g2_aff, big254, bn254_snarks_fr)
	genBindings_EC_hash_to_curve(bn254_snarks_g1_aff, svdw, sha256, k = 128)
	genBindings_EC_hash_to_curve(bn254_snarks_g1_jac, svdw, sha256, k = 128)
	genBindings_EC_hash_to_curve(bn254_snarks_g1_prj, svdw, sha256, k = 128)
	genBindings_EC_hash_to_curve(bn254_snarks_g2_aff, svdw, sha256, k = 128)
	genBindings_EC_hash_to_curve(bn254_snarks_g2_jac, svdw, sha256, k = 128)
	genBindings_EC_hash_to_curve(bn254_snarks_g2_prj, svdw, sha256, k = 128)
	collectBindings(cBindings_bn254_snarks_parallel):
	genParallelBindings_EC_ShortW_NonAffine(bn254_snarks_g1_jac, bn254_snarks_g1_aff, bn254_snarks_fr)
	genParallelBindings_EC_ShortW_NonAffine(bn254_snarks_g1_prj, bn254_snarks_g1_aff, bn254_snarks_fr)

However Banderwagon is an Edwards curve so the template there might need an adaptation.
I don't remember what I add in mind as differences between short-weierstrass and twisted edwards, maybe it was just the affine<->jacobian<->projective coordinate conversion and that could be done as a separate template, see

constantine/bindings/c_curve_decls.nim

Lines 314 to 432 in 2c3de87

	template genBindings_EC_ShortW_Affine*(EC, Field: untyped) =
	when appType == "lib":
	{.push noconv, dynlib, exportc, raises: [].} # No exceptions allowed
	else:
	{.push noconv, exportc, raises: [].} # No exceptions allowed
	# --------------------------------------------------------------------------------------
	func `ctt _ EC _ is_eq`(P, Q: EC): SecretBool =
	P == Q
	func `ctt _ EC _ is_neutral`(P: EC): SecretBool =
	P.isNeutral()
	func `ctt _ EC _ set_neutral`(P: var EC) =
	P.setNeutral()
	func `ctt _ EC _ ccopy`(P: var EC, Q: EC, ctl: SecretBool) =
	P.ccopy(Q, ctl)
	func `ctt _ EC _ is_on_curve`(x, y: Field): SecretBool =
	isOnCurve(x, y, EC.G)
	func `ctt _ EC _ neg`(P: var EC, Q: EC) =
	P.neg(Q)
	func `ctt _ EC _ neg_in_place`(P: var EC) =
	P.neg()
	{.pop.}
	template genBindings_EC_ShortW_NonAffine*(EC, EcAff, ScalarBig, ScalarField: untyped) =
	# TODO: remove the need of explicit ScalarBig and ScalarField
	when appType == "lib":
	{.push noconv, dynlib, exportc, raises: [].} # No exceptions allowed
	else:
	{.push noconv, exportc, raises: [].} # No exceptions allowed
	# --------------------------------------------------------------------------------------
	func `ctt _ EC _ is_eq`(P, Q: EC): SecretBool =
	P == Q
	func `ctt _ EC _ is_neutral`(P: EC): SecretBool =
	P.isNeutral()
	func `ctt _ EC _ set_neutral`(P: var EC) =
	P.setNeutral()
	func `ctt _ EC _ ccopy`(P: var EC, Q: EC, ctl: SecretBool) =
	P.ccopy(Q, ctl)
	func `ctt _ EC _ neg`(P: var EC, Q: EC) =
	P.neg(Q)
	func `ctt _ EC _ neg_in_place`(P: var EC) =
	P.neg()
	func `ctt _ EC _ cneg_in_place`(P: var EC, ctl: SecretBool) =
	P.neg()
	func `ctt _ EC _ sum`(r: var EC, P, Q: EC) =
	r.sum(P, Q)
	func `ctt _ EC _ add_in_place`(P: var EC, Q: EC) =
	P += Q
	func `ctt _ EC _ diff`(r: var EC, P, Q: EC) =
	r.diff(P, Q)
	func `ctt _ EC _ double`(r: var EC, P: EC) =
	r.double(P)
	func `ctt _ EC _ double_in_place`(P: var EC) =
	P.double()
	func `ctt _ EC _ affine`(dst: var EcAff, src: EC) =
	dst.affine(src)
	func `ctt _ EC _ from_affine`(dst: var EC, src: EcAff) =
	dst.fromAffine(src)
	func `ctt _ EC _ batch_affine`(dst: ptr UncheckedArray[EcAff], src: ptr UncheckedArray[EC], n: csize_t) =
	dst.batchAffine(src, cast[int](n))
	func `ctt _ EC _ scalar_mul_big_coef`(
	P: var EC, scalar: ScalarBig) =
	P.scalarMul(scalar)
	func `ctt _ EC _ scalar_mul_fr_coef`(
	P: var EC, scalar: ScalarField) =
	P.scalarMul(scalar)
	func `ctt _ EC _ scalar_mul_big_coef_vartime`(
	P: var EC, scalar: ScalarBig) =
	P.scalarMul_vartime(scalar)
	func `ctt _ EC _ scalar_mul_fr_coef_vartime`(
	P: var EC, scalar: ScalarField) =
	P.scalarMul_vartime(scalar)
	func `ctt _ EC _ multi_scalar_mul_big_coefs_vartime`(
	r: var EC,
	coefs: ptr UncheckedArray[ScalarBig],
	points: ptr UncheckedArray[EcAff],
	len: csize_t) =
	r.multiScalarMul_vartime(coefs, points, cast[int](len))
	func `ctt _ EC _ multi_scalar_mul_fr_coefs_vartime`(
	r: var EC,
	coefs: ptr UncheckedArray[ScalarField],
	points: ptr UncheckedArray[EcAff],
	len: csize_t)=
	r.multiScalarMul_vartime(coefs, points, cast[int](len))
	{.pop.}

[Richa-iitr]

@mratsim i resolved this and added separate header for banderwagon. Please review and suggest changes. Also how can i verify things are working as expected?

[mratsim]

Good question, I don't have a testsuite for the C API of elliptic curves. It's not ideal but for now we can skip it merge as-is and focus on the C API for the full protocol.

[mratsim]

You cannot emulate generics with union types.

Whatever the platform, the storage reserved will be 64-bit / 8 bytes per entry here.
But if Nim uses 32-bit inputs in an array a, the C code will read both entries with a[0] and will read past the buffer with a[1].

Hence generic procedures cannot be wrapped in C directly.

[Richa-iitr]

Understood, will think of another way here.

[mratsim]

This is not the proper level of exports as this is a generic procedure.

Export should happen at fully specified protocol level (i.e. curve, field, hash functions, N: static int input sizes are known).

In this case, this means having proper instantiated ipa_commit here:

constantine/constantine/ethereum_verkle_ipa.nim

Lines 285 to 292 in 2c3de87

	# TODO: proper IPA wrapper for https://github.com/status-im/nim-eth-verkle
	#
	# For now we reexport
	# - eth_verkle_ipa
	# - sha256 for transcripts
	export eth_verkle_ipa
	export hashes

and tagging those with libPrefix.

[Richa-iitr]

is there any example of a wrapper i can follow to understand?
If i am not wrong something like this

constantine/constantine/ethereum_verkle_ipa.nim

Lines 230 to 245 in 2c3de87

	func mapToScalarField*(res: var Fr[Banderwagon], p: EC_TwEdw[Fp[Banderwagon]]): bool {.discardable.} =
	## This function takes the x/y value from the above function as Fp element
	## and convert that to bytes in Big Endian,
	## and then load that to a Fr element
	##
	## Spec : https://hackmd.io/wliPP_RMT4emsucVuCqfHA?view#MapToFieldElement
	var baseField: Fp[Banderwagon]
	var baseFieldBytes: array[32, byte]
	baseField.mapToBaseField(p) # compute the defined mapping
	let check1 = baseFieldBytes.marshalBE(baseField) # Fp -> bytes
	let check2 = res.unmarshalBE(baseFieldBytes) # bytes -> Fr
	return check1 and check2

can be exported directly?

[mratsim]

Yes, anything with generics cannot be exported and need a concretely typed wrapper.

[mratsim]

ditto

[mratsim]

ditto

[mratsim]

the protocol has fixed size polynomials. Nim static int are similar to generics and cannot be represented with C runtime parameters. Instead a no generic/no static procedure should be implemented at the croot of the project in constantine/ethereum_verkle_ipa.nim

[mratsim]

ditto for all structs up to here

[mratsim]

It's more useful to provide:

• either ctt_eth_verkle_ipa_proof_sizeof() and ctt_eth_verkle_ipa_multiproof_sizeof() and let the caller do their allocation / destruction
• or ctt_eth_verkle_ipa_proof_create() / ctt_eth_verkle_ipa_proof_destroy()
  and ctt_eth_verkle_ipa_multiproof_create() / ctt_eth_verkle_ipa_multiproof_destroy()

[mratsim]

The PR looks good for a merge if we remove the protocols/ethereum_verkle_ipa.h. Its rewrite can be done separately.

[Richa-iitr]

The PR looks good for a merge if we remove the protocols/ethereum_verkle_ipa.h. Its rewrite can be done separately.

removed the file, please review

[mratsim]

As mentioned in my previous review (#477 (review)), the PR needs to be separated in elliptic curve API which are well documented and a Verkle API.

For now, let's delete all the Verkle API changes as they cannot be used as-is and I am unsure myself on how to design the API. Furthermore the future of the Verkle Tree upgrade is in flux at the moment.

[mratsim]

The file should be reverted and not modified.

This approach doubles object size while we only need aff or prj coordinates. The serialized code should just use EthVerkleIpaProofBytes and unsure yet on the C API of the internal proof type, maybe will hide it behind an opaque pointer.

[mratsim]

A user will not know what serialization to use between prj and aff, this will lead to errors and so is not the correct API.

[mratsim]

File to delete so the PR is focused on Banderwagon

[mratsim]

File to delete so the PR is focused on Banderwagon / twisted edwards

[Richa-iitr]

@mratsim i have reverted the verkle api changes, the pr is ready for review.

[mratsim]

LGTM, merging after the files have an extra empty line