Introduced Hopwood optimized vbSM gadget

r1cs/gadgets/crypto/src/nizk/gm17/mod.rs

@@ -159,7 +159,9 @@ for Gm17VerifierGadget<PairingE, ConstraintF, P>
                 .enumerate()
                 {
                     let input_bits = input.to_bits(cs.ns(|| format!("Input {}", i)))?;
-                    g_psi = b.mul_bits(cs.ns(|| format!("Mul {}", i)), &g_psi, input_bits.iter())?;
+                    g_psi = b
+                        .mul_bits(cs.ns(|| format!("Mul {}", i)), input_bits.iter())?
+                        .add(cs.ns(|| format!("Add {}", i)), &g_psi)?;
                     input_len += 1;
                 }
             // Check that the input and the query in the verification are of the

r1cs/gadgets/crypto/src/nizk/groth16/mod.rs

@@ -149,7 +149,9 @@ for Groth16VerifierGadget<PairingE, ConstraintF, P>
                 .enumerate()
                 {
                     let input_bits = input.to_bits(cs.ns(|| format!("Input {}", i)))?;
-                    g_ic = b.mul_bits(cs.ns(|| format!("Mul {}", i)), &g_ic, input_bits.iter())?;
+                    g_ic = b
+                        .mul_bits(cs.ns(|| format!("Mul {}", i)), input_bits.iter())?
+                        .add(cs.ns(|| format!("Add {}", i)), &g_ic)?;
                     input_len += 1;
                 }
             // Check that the input and the query in the verification are of the

r1cs/gadgets/crypto/src/signature/schnorr/field_based_schnorr.rs

@@ -23,7 +23,6 @@ use std::{
     borrow::Borrow,
     marker::PhantomData,
 };
-use rand::rngs::OsRng;
 use primitives::signature::schnorr::field_based_schnorr::FieldBasedSchnorrPk;
 use r1cs_std::alloc::ConstantGadget;
 
@@ -366,21 +365,7 @@ impl<ConstraintF, G, GG, H, HG> FieldBasedSchnorrSigVerificationGadget<Constrain
             e_bits
         };
 
-        // Random shift to avoid exceptional cases if add is incomplete.
-        // With overwhelming probability the circuit will be satisfiable,
-        // otherwise the prover can sample another shift by re-running
-        // the proof creation.
-        let shift = GG::alloc(cs.ns(|| "alloc random shift"), || {
-            let mut rng = OsRng::default();
-            Ok(loop {
-                let r = G::rand(&mut rng);
-                if !r.is_zero() { break(r) }
-            })
-        })?;
-
-        let neg_e_times_pk = public_key
-            .mul_bits(cs.ns(|| "pk * e + shift"), &shift, e_bits.as_slice().iter().rev())?
-            .negate(cs.ns(|| "- (pk * e + shift)"))?;
+        let neg_e_times_pk = public_key.mul_bits(cs.ns(|| "pk * e"), e_bits.as_slice().iter().rev())?;
 
         //Enforce s * G and R' = s*G - e*pk
         let mut s_bits = {
@@ -409,12 +394,11 @@ impl<ConstraintF, G, GG, H, HG> FieldBasedSchnorrSigVerificationGadget<Constrain
         let g = GG::from_value(cs.ns(|| "hardcode generator"), &G::prime_subgroup_generator());
         let r_prime = GG::mul_bits_fixed_base(
             &g.get_constant(),
-            cs.ns(|| "(s * G + shift)"),
-            &shift,
+            cs.ns(|| "(s * G)"),
             s_bits.as_slice()
             )?
             // If add is incomplete, and s * G - e * pk = 0, the circuit of the add won't be satisfiable
-            .add(cs.ns(|| "s * G - e * pk "), &neg_e_times_pk)?;
+            .sub(cs.ns(|| "s * G - e * pk "), &neg_e_times_pk)?;
 
         let r_prime_coords = r_prime.to_field_gadget_elements(cs.ns(|| "r_prime to fes"))?;
 

r1cs/gadgets/crypto/src/signature/schnorr/mod.rs

@@ -76,11 +76,13 @@ for SchnorrRandomizePkGadget<G, ConstraintF, GG>
             .iter()
             .flat_map(|b| b.into_bits_le())
             .collect::<Vec<_>>();
-        let rand_pk = base.mul_bits(
-            &mut cs.ns(|| "Compute Randomizer"),
-            &public_key.pub_key,
-            randomness.iter(),
-        )?;
+        let rand_pk = {
+            let base_pow_rand = base.mul_bits(
+                &mut cs.ns(|| "Compute randomizer"),
+                randomness.iter(),
+            )?;
+            public_key.pub_key.add(cs.ns(|| "Randomize pk"), &base_pow_rand)
+        }?;
         Ok(SchnorrSigGadgetPk {
             pub_key: rand_pk,
             _group:  PhantomData,

r1cs/gadgets/crypto/src/vrf/ecvrf/mod.rs

@@ -23,7 +23,6 @@ use std::{
     marker::PhantomData,
     borrow::Borrow,
 };
-use rand::rngs::OsRng;
 use primitives::vrf::ecvrf::FieldBasedEcVrfPk;
 use r1cs_std::bits::boolean::Boolean;
 
@@ -346,42 +345,27 @@ for FieldBasedEcVrfProofVerificationGadget<ConstraintF, G, GG, FH, FHG, GH, GHG>
             &G::prime_subgroup_generator()
         );
 
-        // Random shift to avoid exceptional cases if add is incomplete.
-        // With overwhelming probability the circuit will be satisfiable,
-        // otherwise the prover can sample another shift by re-running
-        // the proof creation.
-        let shift = GG::alloc(cs.ns(|| "alloc random shift"), || {
-            let mut rng = OsRng::default();
-            Ok(loop {
-                let r = G::rand(&mut rng);
-                if !r.is_zero() { break(r) }
-            })
-        })?;
-
         //Check u = g^s - pk^c
         let u =
         {
-            let neg_c_times_pk = public_key.pk
-                .mul_bits(cs.ns(|| "pk * c + shift"), &shift, c_bits.as_slice().iter().rev())?
-                .negate(cs.ns(|| "- (c * pk + shift)"))?;
+            let c_times_pk = public_key.pk
+                .mul_bits(cs.ns(|| "pk * c"), c_bits.as_slice().iter().rev())?;
             GG::mul_bits_fixed_base(&g.get_constant(),
-                                    cs.ns(|| "(s * G + shift)"),
-                                    &shift,
+                                    cs.ns(|| "s * G"),
                                     s_bits.as_slice())?
             // If add is incomplete, and s * G - c * pk = 0, the circuit of the add won't be satisfiable
-            .add(cs.ns(|| "(s * G) - (c * pk)"), &neg_c_times_pk)?
+            .sub(cs.ns(|| "(s * G) - (c * pk)"), &c_times_pk)?
         };
 
         //Check v = mh^s - gamma^c
         let v =
         {
-            let neg_c_times_gamma = proof.gamma
-                .mul_bits(cs.ns(|| "c * gamma + shift"), &shift, c_bits.as_slice().iter().rev())?
-                .negate(cs.ns(|| "- (c * gamma + shift)"))?;
+            let c_times_gamma = proof.gamma
+                .mul_bits(cs.ns(|| "c * gamma"), c_bits.as_slice().iter().rev())?;
             message_on_curve
-                .mul_bits(cs.ns(|| "(s * mh + shift)"), &shift, s_bits.as_slice().iter())?
+                .mul_bits(cs.ns(|| "s * mh"), s_bits.as_slice().iter())?
                 // If add is incomplete, and s * mh - c * gamma = 0, the circuit of the add won't be satisfiable
-                .add(cs.ns(|| "(s * mh) - (c * gamma"), &neg_c_times_gamma)?
+                .sub(cs.ns(|| "(s * mh) - (c * gamma"), &c_times_gamma)?
         };
 
         // Check c' = H(m||pk.x||u.x||v.x)

r1cs/gadgets/std/Cargo.toml

@@ -54,4 +54,4 @@ density-optimized = []
 paste = "1.0"
 rand = { version = "0.8.4" }
 rand_xorshift = { version = "0.3.0" }
-r1cs-std = { path = "../std", features = ["bls12_381", "jubjub", "tweedle", "secp256k1", "bn_382", "nonnative"] }
+r1cs-std = { path = "../std", features = ["bls12_381", "jubjub", "tweedle", "secp256k1", "bn_382", "nonnative", "density-optimized"] }