feat: map-to-curve relations

[yelhousni]

Description

Add increment-and-check map-to-curve gadgets for short Weierstrass curves, implementing the constructions from https://eprint.iacr.org/2026/590.pdf.

Two methods are provided:

• X-increment: encodes X = M·256 + K, verifies Y² = X³ + aX + b, and checks a 2^S-th root witness for inverse-exclusion. Only practical for low 2-adicity fields (S ≤ 4).
• Y-increment: encodes Y = M·256 + K, verifies Y² = X³ + aX + b. Simpler (no inverse-exclusion witness), works for any 2-adicity, recommended for j=0 curves to avoid the algebraic attack from the paper.

Packages

std/algebra/emulated/maptocurve/

Generic emulated map-to-curve for any supported curve;

• BN254 (y² = x³ + 3): x-increment and y-increment
• secp256k1 (y² = x³ + 7): x-increment and y-increment
• P-256/secp256r1 (y² = x³ − 3x + b): x-increment and y-increment (y-increment uses Cardano cubic solver from feat(p256): add e2 and cardano solver gnark-crypto#831)

std/algebra/native/maptocurve_grumpkin/

Native y-increment for Grumpkin (y² = x³ − 17), compiled over BN254.

std/algebra/native/maptocurve_bls12377/

Native y-increment for BLS12-377 (y² = x³ + 1), compiled over BW6-761.

Constraint counts

Curve	Method	R1CS	SCS (PLONK)
Emulated
BN254	x-increment	977	3,705
BN254	y-increment	754	2,831
secp256k1	x-increment	967	3,675
secp256k1	y-increment	754	2,810
P-256	x-increment	1,065	4,082
P-256	y-increment	858	3,217
Native
Grumpkin	y-increment	15	37
BLS12-377	y-increment	15	37

Type of change

• New feature (non-breaking change which adds functionality)

How has this been tested?

All tests verify circuit satisfiability via test.CheckCircuit (both Groth16 and PLONK backends):

• TestXIncrementEmulatedBN254 — x-increment on BN254
• TestXIncrementEmulatedSecp256k1 — x-increment on secp256k1
• TestXIncrementEmulatedP256 — x-increment on P-256
• TestYIncrementEmulatedBN254 — y-increment on BN254
• TestYIncrementEmulatedSecp256k1 — y-increment on secp256k1
• TestYIncrementEmulatedP256 — y-increment on P-256 (Cardano solver)
• TestYIncrement (maptocurve_grumpkin) — native y-increment on Grumpkin
• TestYIncrement (maptocurve_bls12377) — native y-increment on BLS12-377

go test ./std/algebra/emulated/maptocurve/...
go test ./std/algebra/native/maptocurve_grumpkin/...
go test ./std/algebra/native/maptocurve_bls12377/...

How has this been benchmarked?

• Constraint count benchmarks for all curves and methods (R1CS + SCS), on Macbook Pro M5

go test -bench=. ./std/algebra/emulated/maptocurve/
go test -bench=. ./std/algebra/native/maptocurve_grumpkin/
go test -bench=. ./std/algebra/native/maptocurve_bls12377/

Checklist:

• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have added tests that prove my fix is effective or that my feature works
• I did not modify files generated from templates
• golangci-lint does not output errors locally
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules

---

Note

High Risk
Adds new hint-driven map-to-curve relations and updates core crypto dependencies; incorrect hint logic or curve checks could lead to unsound constraints or invalid witnesses in proofs.

Overview
Introduces new increment-and-check map-to-curve gadgets for short Weierstrass curves. Adds a generic emulated std/algebra/emulated/maptocurve Mapper supporting both XIncrement (includes inverse-exclusion 2^S-th-root witness) and YIncrement, with solver hints that search k ∈ [0,256) and dispatch by field modulus (BN254, secp256k1, P-256 via secp256r1.CardanoRoots).

Adds native y-increment gadgets for Grumpkin and BLS12-377 (std/algebra/native/maptocurve_grumpkin, std/algebra/native/maptocurve_bls12377) with corresponding hints, circuit tests, and constraint-count benchmarks.

Updates dependencies (notably github.com/consensys/gnark-crypto) and refreshes generated internal/smallfields/tinyfield code: adds Element.Cbrt/Cube plus tests/benchmarks, replaces a local parallel execute helper with gnark-crypto/parallel.Execute, and applies minor loop/type modernizations.

^{Reviewed by Cursor Bugbot for commit dcd26b6. Bugbot is set up for automated code reviews on this repo. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	golang/​github.com/​consensys/​gnark-crypto@​v0.20.1 ⏵ v0.20.2-0.20260403203858-2c33f2d1c64f	+1
	golang/​golang.org/​x/​sync@​v0.19.0 ⏵ v0.20.0

View full report

[Copilot]

Pull request overview

Adds increment-and-check map-to-curve gadgets (from the referenced paper) for short Weierstrass curves, with both emulated and native implementations, plus tests/benchmarks and a dependency bump to support required crypto primitives.

Changes:

• Introduces a generic emulated maptocurve package supporting X-increment and Y-increment for BN254, secp256k1, and P-256 (incl. Cardano solver path).
• Adds native Y-increment gadgets for Grumpkin (over BN254) and BLS12-377 (over BW6-761), including hint plumbing and basic tests/benchmarks.
• Updates go.mod / go.sum (notably gnark-crypto) to pull in required functionality.

Reviewed changes

Copilot reviewed 13 out of 14 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
std/algebra/native/maptocurve_grumpkin/maptocurve.go	Native Grumpkin Y-increment gadget (constraints: curve equation + k range).
std/algebra/native/maptocurve_grumpkin/hints.go	Hint to search k ∈ [0,256) and compute cube root witness.
std/algebra/native/maptocurve_grumpkin/maptocurve_test.go	Satisfiability + benchmark harness for the native gadget.
std/algebra/native/maptocurve_grumpkin/doc.go	Package documentation / compilation curve notes.
std/algebra/native/maptocurve_bls12377/maptocurve.go	Native BLS12-377 Y-increment gadget (over BW6-761 scalar field).
std/algebra/native/maptocurve_bls12377/hints.go	Hint to search k ∈ [0,256) and compute cube root witness.
std/algebra/native/maptocurve_bls12377/maptocurve_test.go	Satisfiability + benchmark harness for the native gadget.
std/algebra/native/maptocurve_bls12377/doc.go	Package documentation / compilation curve notes.
std/algebra/emulated/maptocurve/maptocurve.go	Generic emulated Mapper implementing X-increment and Y-increment gadgets.
std/algebra/emulated/maptocurve/hints.go	Emulated hints for BN254, secp256k1, and P-256 (x/y increment).
std/algebra/emulated/maptocurve/maptocurve_test.go	Satisfiability tests + benchmarks for emulated gadgets.
std/algebra/emulated/maptocurve/doc.go	Package-level documentation describing both methods and tradeoffs.
go.mod	Bumps deps (incl. gnark-crypto) needed for curve operations/solvers.
go.sum	Corresponding checksum updates.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 4248b17. Configure here.}

[gbotrel]

Review pass from 2026-05-07.

I did not find blocking issues in this pass. The gnark-crypto dependency PR #831 is already merged, and the map-to-curve gadgets compile and solve in the targeted native/emulated packages I checked.

Verification run locally:

• go test ./std/algebra/emulated/maptocurve/... ./std/algebra/native/maptocurve_grumpkin/... ./std/algebra/native/maptocurve_bls12377/...
• go test ./internal/smallfields/tinyfield