How to generate two points on different curves from the same bigint value in a circuit?

[txhsl]

I'm totally a beginner with zk and gnark, and I want to generate a BLS12381 point and a Secp256k1 point in a circuit, but I come up with some problems.

The proposal is to verify an encryption of a BLS12381 scalar with a Secp256k1 public key, and the idea is to use the same bigint value to generate a BLS12381 point for commitment and a Secp256k1 point for encryption. So I have a secret bigint f, an encrypted C on Secp256k1 as ciphertext and a commitment F on BLS12381 to verify.

To realize this, I tried the following codes to encrypt a bigint.

type EccCircuit[Secp256k1Fp, Secp256k1Fr emulated.FieldParams] struct {
	Msg frontend.Variable
	R   frontend.Variable `gnark:",public"`
	Cpr CipherText[Secp256k1Fp]     `gnark:",public"`
	Pub PublicKey[Secp256k1Fp, Secp256k1Fr]   `gnark:",public"`
}

func (c *EccCircuit[Secp256k1Fp, Secp256k1Fr]) Define(api frontend.API) error {
	c.Pub.VerifyEncrypt(api, sw_emulated.GetCurveParams[Secp256k1Fp](), c.Msg, c.R, c.Cpr)
	return nil
}

type PublicKey[Secp256k1Fp, Secp256k1Fr emulated.FieldParams] sw_emulated.AffinePoint[Secp256k1Fp]

type CipherText[Secp256k1Fp emulated.FieldParams] struct {
	C, R sw_emulated.AffinePoint[Secp256k1Fp]
}

func (pk PublicKey[Secp256k1Fp, Secp256k1Fr]) VerifyEncrypt(
	api frontend.API,
	params sw_emulated.CurveParams,
	msg frontend.Variable,
	r frontend.Variable,
	cipher CipherText[Secp256k1Fp],
) {
	cr, err := sw_emulated.New[Secp256k1Fp, Secp256k1Fr](api, params)
	if err != nil {
		panic(err)
	}
	baseApi, err := emulated.NewField[Secp256k1Fp](api)
	if err != nil {
		panic(err)
	}
	// Convert bigint to scalar
	scalarM := ToFieldElement[Secp256k1Fr](api, msg)
	scalarR := ToFieldElement[Secp256k1Fr](api, r)

	// C = M + rpk
	pkpt := sw_emulated.AffinePoint[Secp256k1Fp](pk)
	bigR := cr.ScalarMulBase(scalarR)
	bigC := cr.JointScalarMulBase(&pkpt, scalarR, scalarM)

	rx := baseApi.Reduce(&bigR.X)
	rxBits := baseApi.ToBits(rx)
	rbits := baseApi.ToBits(&cipher.R.X)
	if len(rbits) != len(rxBits) {
		panic("non-equal lengths")
	}
	for i := range rbits {
		api.AssertIsEqual(rbits[i], rxBits[i])
	}

	cx := baseApi.Reduce(&bigC.X)
	cxBits := baseApi.ToBits(cx)
	cbits := baseApi.ToBits(&cipher.C.X)
	if len(cbits) != len(cxBits) {
		panic("non-equal lengths")
	}
	for i := range cbits {
		api.AssertIsEqual(cbits[i], cxBits[i])
	}
}

func ToFieldElement[Fr emulated.FieldParams](api frontend.API, input frontend.Variable) *emulated.Element[Fr] {
	f, err := emulated.NewField[Fr](api)
	if err != nil {
		panic(err)
	}

	return f.NewElement(input)
}

I used NewElement() to convert a big.Int from frontend.Variable to Secp256k1Fr, because I plan to convert this big.Int from frontend.Variable to BLS12381Fr as well.

The test with test.IsSolved(&circuit, &witness, ecc.BN254.ScalarField()) succeeded but failed with assert.ProverSucceeded(&circuit, &witness), with an error message parse circuit: enforcing modulus width element with inexact number of limbs, and I found the big.Int value I passed in became some expr.LinearExpression thing.

So how can I pass in a big.Int value into a circuit and convert it to some Fr things? Or is there any other idea that can realize verifying an encryption of a BLS12381 scalar with a Secp256k1 public key with gnark?

[doubiliu]

@ivokub

[ivokub]

Sorry, I had missed the discussion. I'll look into it

[ivokub]

@txhsl - I'm sorry, I do not fully follow what you are trying to do. By encryption do you mean a la ElGamal encryption?

Lets say you have a msg which is a message (lets say currently it is in Secp256k1 scalar field a la element in Secp256k1Fr). Then, you also have some secret key (an integer which we can represent both as a scalar field element of Secp and BLS12-381 element, meaning that we need to have sk < Secp256kFr_modulus and sk < BLS12381Fr_modulus).

Now, you compute the public keys PK_BLS = sk * BLS_generator and PK_SECP = sk * SECP_generator. You also compute enc = ElGamal(sk, msg) and signature=Sign(sk, msg). And then in circuit you want to show that enc and signature are for the same msg and same sk?

[ivokub]

And that in-circuit big.Int converts to expr.LinearExpression instance is expected - essentially it is some variable which can take any value (depends on the input witness and the computations). You have to use the assertions to make claims about the variable (a la api.IsEqual etc.)

[ivokub]

Now, when working in-circuit we have a slight problem - we strongly type the field elements. So it means that emulated.Element[Secp256k1Fr] is not directly comparable to emulated.Element[BLS12381Fr] even if the integer values are the same. To perform integer comparison you have to convert the value from one field to another using binary decomposition.

[txhsl]

So it means that emulated.Element[Secp256k1Fr] is not directly comparable to emulated.Element[BLS12381Fr] even if the integer values are the same. To perform integer comparison you have to convert the value from one field to another using binary decomposition.

Yes, I see. We are trying other ways to prove an AES encryption in Secp256k1 with related commitment in BLS12381.

And that in-circuit big.Int converts to expr.LinearExpression instance is expected - essentially it is some variable which can take any value (depends on the input witness and the computations). You have to use the assertions to make claims about the variable (a la api.IsEqual etc.)

Really helpful suggestions, thank you.