bulletproof improvements

adecaro · adecaro · commit 6ec92a2e68b8 · 2026-01-21T14:49:32.000+01:00
Signed-off-by: Angelo De Caro &lt;adc@zurich.ibm.com&gt;
diff --git a/go.mod b/go.mod
@@ -8,7 +8,7 @@ require (
 	github.com/DATA-DOG/go-sqlmock v1.5.2
 	github.com/IBM/idemix v0.0.2-0.20250313153527-832db18b9478
 	github.com/IBM/idemix/bccsp/types v0.0.0-20250313153527-832db18b9478
-	github.com/IBM/mathlib v0.0.3-0.20251210060400-7e58831c9abe
+	github.com/IBM/mathlib v0.0.3-0.20251210155508-86dd03c0dc42
 	github.com/dgraph-io/ristretto/v2 v2.3.0
 	github.com/gin-gonic/gin v1.10.0
 	github.com/google/pprof v0.0.0-20250403155104-27863c87afa6
diff --git a/go.sum b/go.sum
@@ -643,8 +643,8 @@ github.com/IBM/idemix/bccsp/schemes/weak-bb v0.0.0-20250313153527-832db18b9478 h
 github.com/IBM/idemix/bccsp/schemes/weak-bb v0.0.0-20250313153527-832db18b9478/go.mod h1:k4Q5EYKRnYC6t80ipSCY3G8H4FdcxRa8jjlsJdGfNCY=
 github.com/IBM/idemix/bccsp/types v0.0.0-20250313153527-832db18b9478 h1:Uzmcb4pNb54/fbAjnrZTiJwWV74+twP60N4qBGm4PvU=
 github.com/IBM/idemix/bccsp/types v0.0.0-20250313153527-832db18b9478/go.mod h1:Pi1QIuIZ+1OXIbnYe27vNwJOnSq2WvkHRT/sfweTw8E=
-github.com/IBM/mathlib v0.0.3-0.20251210060400-7e58831c9abe h1:EwFXJqfqz0lnsOtqSEswQ0kond3a8waLUfIXbaTgB4A=
-github.com/IBM/mathlib v0.0.3-0.20251210060400-7e58831c9abe/go.mod h1:rq67W1H6L1eorrE7DZ/HcSY/pfMDjbPWOx12SeUfQDk=
+github.com/IBM/mathlib v0.0.3-0.20251210155508-86dd03c0dc42 h1:1jsS5+0xrluqw6fAZF466C15JZyTX4m9oN4Ueluh7dY=
+github.com/IBM/mathlib v0.0.3-0.20251210155508-86dd03c0dc42/go.mod h1:rq67W1H6L1eorrE7DZ/HcSY/pfMDjbPWOx12SeUfQDk=
 github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c/go.mod h1:X0CRv0ky0k6m906ixxpzmDRLvX58TFUKS2eePweuyxk=
 github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible h1:1G1pk05UrOh0NlF1oeaaix1x8XzrfjIDK47TY0Zehcw=
 github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0=
diff --git a/token/core/common/crypto/math/curves.go b/token/core/common/crypto/math/curves.go
@@ -25,17 +25,17 @@ func init() {
 	math.Curves = append(
 		math.Curves,
 		math.NewCurve(
-			NewCurveWithFastRNG(bls12381.NewBls12_381BBS()),
-			math.NewG1(bls12381.NewBls12_381BBS().GenG1(), BLS12_381_BBS_GURVY_FAST_RNG),
-			math.NewG2(bls12381.NewBls12_381BBS().GenG2(), BLS12_381_BBS_GURVY_FAST_RNG),
-			math.NewGt(bls12381.NewBls12_381BBS().GenGt(), BLS12_381_BBS_GURVY_FAST_RNG),
-			math.NewZr(bls12381.NewBls12_381().GroupOrder(), BLS12_381_BBS_GURVY_FAST_RNG),
-			bls12381.NewBls12_381BBS().CoordinateByteSize(),
-			bls12381.NewBls12_381BBS().G1ByteSize(),
-			bls12381.NewBls12_381BBS().CompressedG1ByteSize(),
-			bls12381.NewBls12_381BBS().G2ByteSize(),
-			bls12381.NewBls12_381BBS().CompressedG2ByteSize(),
-			bls12381.NewBls12_381BBS().ScalarByteSize(),
+			NewCurveWithFastRNG(bls12381.NewBBSCurve()),
+			math.NewG1(bls12381.NewBBSCurve().GenG1(), BLS12_381_BBS_GURVY_FAST_RNG),
+			math.NewG2(bls12381.NewBBSCurve().GenG2(), BLS12_381_BBS_GURVY_FAST_RNG),
+			math.NewGt(bls12381.NewBBSCurve().GenGt(), BLS12_381_BBS_GURVY_FAST_RNG),
+			math.NewZr(bls12381.NewCurve().GroupOrder(), BLS12_381_BBS_GURVY_FAST_RNG),
+			bls12381.NewBBSCurve().CoordinateByteSize(),
+			bls12381.NewBBSCurve().G1ByteSize(),
+			bls12381.NewBBSCurve().CompressedG1ByteSize(),
+			bls12381.NewBBSCurve().G2ByteSize(),
+			bls12381.NewBBSCurve().CompressedG2ByteSize(),
+			bls12381.NewBBSCurve().ScalarByteSize(),
 			BLS12_381_BBS_GURVY_FAST_RNG,
 		),
 	)
diff --git a/token/core/zkatdlog/nogh/v1/crypto/rp/bulletproof.go b/token/core/zkatdlog/nogh/v1/crypto/rp/bulletproof.go
@@ -275,6 +275,8 @@ func (p *rangeProver) preprocess() ([]*math.Zr, []*math.Zr, *math.Zr, *RangeProo
 	}
 	rho := p.Curve.NewRandomZr(rand)
 	eta := p.Curve.NewRandomZr(rand)
+	one := p.Curve.NewZrFromInt(1)
+	two := p.Curve.NewZrFromInt(2)
 	for i := range p.BitLength {
 		b := 1 << i & p.value
 		if b > 0 {
@@ -283,7 +285,7 @@ func (p *rangeProver) preprocess() ([]*math.Zr, []*math.Zr, *math.Zr, *RangeProo
 		// this is an array of the bits b_i of p.value
 		left[i] = p.Curve.NewZrFromUint64(b)
 		// this is an array of b_i - 1
-		right[i] = p.Curve.ModSub(left[i], p.Curve.NewZrFromInt(1), p.Curve.GroupOrder)
+		right[i] = p.Curve.ModSub(left[i], one, p.Curve.GroupOrder)
 		// these are randomly generated arrays
 		randomLeft[i] = p.Curve.NewRandomZr(rand)
 		randomRight[i] = p.Curve.NewRandomZr(rand)
@@ -315,7 +317,7 @@ func (p *rangeProver) preprocess() ([]*math.Zr, []*math.Zr, *math.Zr, *RangeProo
 
 	zPrime := make([]*math.Zr, len(left))
 	// z^2
-	zSquare := z.PowMod(p.Curve.NewZrFromInt(2))
+	zSquare := z.PowMod(two)
 	var y2i *math.Zr
 	for i := range left {
 		// compute L_i - z
@@ -324,7 +326,7 @@ func (p *rangeProver) preprocess() ([]*math.Zr, []*math.Zr, *math.Zr, *RangeProo
 		rightPrime[i] = p.Curve.ModAdd(right[i], z, p.Curve.GroupOrder)
 		// compute y^i
 		if i == 0 {
-			y2i = p.Curve.NewZrFromInt(1)
+			y2i = one
 		} else {
 			y2i = p.Curve.ModMul(y, y2i, p.Curve.GroupOrder)
 		}
@@ -333,7 +335,7 @@ func (p *rangeProver) preprocess() ([]*math.Zr, []*math.Zr, *math.Zr, *RangeProo
 		// compute V_iy^i
 		randRightPrime[i] = p.Curve.ModMul(randomRight[i], y2i, p.Curve.GroupOrder)
 		// compute 2^iz^2
-		zPrime[i] = p.Curve.ModMul(zSquare, p.Curve.NewZrFromInt(2).PowMod(p.Curve.NewZrFromInt(int64(i))), p.Curve.GroupOrder)
+		zPrime[i] = p.Curve.ModMul(zSquare, two.PowMod(p.Curve.NewZrFromInt(int64(i))), p.Curve.GroupOrder)
 	}
 
 	// compute \sum y^iV_i(L_i-z)
@@ -344,15 +346,13 @@ func (p *rangeProver) preprocess() ([]*math.Zr, []*math.Zr, *math.Zr, *RangeProo
 	t1 = p.Curve.ModAdd(t1, InnerProduct(zPrime, randomLeft, p.Curve), p.Curve.GroupOrder)
 	// commit to t1
 	tau1 := p.Curve.NewRandomZr(rand)
-	T1 := p.CommitmentGenerators[0].Mul(t1)
-	T1.Add(p.CommitmentGenerators[1].Mul(tau1))
+	T1 := p.CommitmentGenerators[0].Mul2(t1, p.CommitmentGenerators[1], tau1)
 
 	// compute = \sum y^iU_iV_i
 	t2 := InnerProduct(randomLeft, randRightPrime, p.Curve)
 	// commit to t2
 	tau2 := p.Curve.NewRandomZr(rand)
-	T2 := p.CommitmentGenerators[0].Mul(t2)
-	T2.Add(p.CommitmentGenerators[1].Mul(tau2))
+	T2 := p.CommitmentGenerators[0].Mul2(t2, p.CommitmentGenerators[1], tau2)
 
 	// compute challenge x
 	array = common.GetG1Array([]*math.G1{T1, T2})
@@ -368,14 +368,14 @@ func (p *rangeProver) preprocess() ([]*math.Zr, []*math.Zr, *math.Zr, *RangeProo
 	// f(z, y) = \sum (z-z^2)*y^i - z^3*2^i
 	for i := 0; i < len(left); i++ {
 		// compute (L_i-z) + xU_i
-		left[i] = p.Curve.ModAdd(leftPrime[i], p.Curve.ModMul(x, randomLeft[i], p.Curve.GroupOrder), p.Curve.GroupOrder)
+		left[i] = p.Curve.ModAddMul2(leftPrime[i], one, x, randomLeft[i], p.Curve.GroupOrder)
 		// compute y^i((R_i+z)+xV_i)+2^iz^2
 		right[i] = p.Curve.ModAdd(rightPrime[i], p.Curve.ModMul(x, randRightPrime[i], p.Curve.GroupOrder), p.Curve.GroupOrder)
 		right[i] = p.Curve.ModAdd(right[i], zPrime[i], p.Curve.GroupOrder)
 	}
 	// tau = t1x + t2x^2 + z^2p.blindingFactor
 	tau := p.Curve.ModMul(x, tau1, p.Curve.GroupOrder)
-	tau = p.Curve.ModAdd(tau, p.Curve.ModMul(tau2, x.PowMod(p.Curve.NewZrFromInt(2)), p.Curve.GroupOrder), p.Curve.GroupOrder)
+	tau = p.Curve.ModAdd(tau, p.Curve.ModMul(tau2, x.PowMod(two), p.Curve.GroupOrder), p.Curve.GroupOrder)
 	tau = p.Curve.ModAdd(tau, p.Curve.ModMul(zSquare, p.blindingFactor, p.Curve.GroupOrder), p.Curve.GroupOrder)
 
 	// delta = rho + eta*x
diff --git a/token/core/zkatdlog/nogh/v1/crypto/rp/bulletproof_test.go b/token/core/zkatdlog/nogh/v1/crypto/rp/bulletproof_test.go
@@ -13,6 +13,7 @@ import (
 	"testing"
 
 	math "github.com/IBM/mathlib"
+	"github.com/hyperledger-labs/fabric-smart-client/node/start/profile"
 	"github.com/hyperledger-labs/fabric-token-sdk/token/core/zkatdlog/nogh/v1/crypto/rp"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -108,6 +109,10 @@ func TestBFProofVerify(t *testing.T) {
 }
 
 func BenchmarkBFProver(b *testing.B) {
+	pp, err := profile.New(profile.WithAll(), profile.WithPath("./profile"))
+	require.NoError(b, err)
+	require.NoError(b, pp.Start())
+	defer pp.Stop()
 	envs := make([]*bfSetup, 0, 128)
 	for i := 0; i < 128; i++ {
 		setup, err := NewBfSetup(math.BLS12_381_BBS_GURVY)
diff --git a/token/core/zkatdlog/nogh/v1/crypto/rp/ipa.go b/token/core/zkatdlog/nogh/v1/crypto/rp/ipa.go
@@ -203,7 +203,7 @@ func (p *ipaProver) reduce(X, com *mathlib.G1) (*mathlib.Zr, *mathlib.Zr, []*mat
 
 		// compute 1/x
 		xInv := x.Copy()
-		xInv.InvModP(p.Curve.GroupOrder)
+		xInv.InvModOrder()
 
 		// reduce the generators by 1/2, as a function of the old generators and x and 1/x
 		leftGen, rightGen = reduceGenerators(leftGen, rightGen, x, xInv)
@@ -213,7 +213,7 @@ func (p *ipaProver) reduce(X, com *mathlib.G1) (*mathlib.Zr, *mathlib.Zr, []*mat
 
 		xSquare := p.Curve.ModMul(x, x, p.Curve.GroupOrder)
 		xSquareInv := xSquare.Copy()
-		xSquareInv.InvModP(p.Curve.GroupOrder)
+		xSquareInv.InvModOrder()
 
 		// compute the commitment to left, right and their inner product
 		CPrime := LArray[i].Mul2(xSquare, RArray[i], xSquareInv)
@@ -311,13 +311,13 @@ func (v *ipaVerifier) Verify(proof *IPA) error {
 		x = v.Curve.HashToZr(raw)
 		// 1/x
 		xInv := x.Copy()
-		xInv.InvModP(v.Curve.GroupOrder)
+		xInv.InvModOrder()
 
 		// x^2
 		xSquare := v.Curve.ModMul(x, x, v.Curve.GroupOrder)
 		// 1/x^2
 		xSquareInv := xSquare.Copy()
-		xSquareInv.InvModP(v.Curve.GroupOrder)
+		xSquareInv.InvModOrder()
 		// compute a commitment to the reduced vectors and their inner product
 		CPrime := proof.L[i].Mul2(xSquare, proof.R[i], xSquareInv)
 		CPrime.Add(C)
diff --git a/token/services/identity/storage/kvs/hashicorp/go.mod b/token/services/identity/storage/kvs/hashicorp/go.mod
@@ -20,7 +20,7 @@ require (
 	github.com/IBM/idemix v0.0.2-0.20250313153527-832db18b9478 // indirect
 	github.com/IBM/idemix/bccsp/schemes/weak-bb v0.0.0-20250313153527-832db18b9478 // indirect
 	github.com/IBM/idemix/bccsp/types v0.0.0-20250313153527-832db18b9478 // indirect
-	github.com/IBM/mathlib v0.0.3-0.20251210060400-7e58831c9abe // indirect
+	github.com/IBM/mathlib v0.0.3-0.20251210155508-86dd03c0dc42 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bits-and-blooms/bitset v1.20.0 // indirect
diff --git a/token/services/identity/storage/kvs/hashicorp/go.sum b/token/services/identity/storage/kvs/hashicorp/go.sum
@@ -11,8 +11,8 @@ github.com/IBM/idemix/bccsp/schemes/weak-bb v0.0.0-20250313153527-832db18b9478 h
 github.com/IBM/idemix/bccsp/schemes/weak-bb v0.0.0-20250313153527-832db18b9478/go.mod h1:k4Q5EYKRnYC6t80ipSCY3G8H4FdcxRa8jjlsJdGfNCY=
 github.com/IBM/idemix/bccsp/types v0.0.0-20250313153527-832db18b9478 h1:Uzmcb4pNb54/fbAjnrZTiJwWV74+twP60N4qBGm4PvU=
 github.com/IBM/idemix/bccsp/types v0.0.0-20250313153527-832db18b9478/go.mod h1:Pi1QIuIZ+1OXIbnYe27vNwJOnSq2WvkHRT/sfweTw8E=
-github.com/IBM/mathlib v0.0.3-0.20251210060400-7e58831c9abe h1:EwFXJqfqz0lnsOtqSEswQ0kond3a8waLUfIXbaTgB4A=
-github.com/IBM/mathlib v0.0.3-0.20251210060400-7e58831c9abe/go.mod h1:rq67W1H6L1eorrE7DZ/HcSY/pfMDjbPWOx12SeUfQDk=
+github.com/IBM/mathlib v0.0.3-0.20251210155508-86dd03c0dc42 h1:1jsS5+0xrluqw6fAZF466C15JZyTX4m9oN4Ueluh7dY=
+github.com/IBM/mathlib v0.0.3-0.20251210155508-86dd03c0dc42/go.mod h1:rq67W1H6L1eorrE7DZ/HcSY/pfMDjbPWOx12SeUfQDk=
 github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
 github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
