feat: map-to-curve relations

[yelhousni]

Description

Add increment-and-check map-to-curve gadgets for short Weierstrass curves, implementing the constructions from https://eprint.iacr.org/2026/590.pdf.

Two methods are provided:

• X-increment: encodes X = M·256 + K, verifies Y² = X³ + aX + b, and checks a 2^S-th root witness for inverse-exclusion. Only practical for low 2-adicity fields (S ≤ 4).
• Y-increment: encodes Y = M·256 + K, verifies Y² = X³ + aX + b. Simpler (no inverse-exclusion witness), works for any 2-adicity, recommended for j=0 curves to avoid the algebraic attack from the paper.

N.B. Currently go.mod points to the commit Consensys/gnark-crypto@2c33f2d. We need to change that once that PR get merged.

Packages

std/algebra/emulated/maptocurve/

Generic emulated map-to-curve for any supported curve;

• BN254 (y² = x³ + 3): x-increment and y-increment
• secp256k1 (y² = x³ + 7): x-increment and y-increment
• P-256/secp256r1 (y² = x³ − 3x + b): x-increment and y-increment (y-increment uses Cardano cubic solver from feat(p256): add e2 and cardano solver gnark-crypto#831)

std/algebra/native/maptocurve_grumpkin/

Native y-increment for Grumpkin (y² = x³ − 17), compiled over BN254.

std/algebra/native/maptocurve_bls12377/

Native y-increment for BLS12-377 (y² = x³ + 1), compiled over BW6-761.

Constraint counts

Curve	Method	R1CS	SCS (PLONK)
Emulated
BN254	x-increment	977	3,705
BN254	y-increment	754	2,831
secp256k1	x-increment	967	3,675
secp256k1	y-increment	754	2,810
P-256	x-increment	1,065	4,082
P-256	y-increment	858	3,217
Native
Grumpkin	y-increment	15	37
BLS12-377	y-increment	15	37

Type of change

• New feature (non-breaking change which adds functionality)

How has this been tested?

All tests verify circuit satisfiability via test.CheckCircuit (both Groth16 and PLONK backends):

• TestXIncrementEmulatedBN254 — x-increment on BN254
• TestXIncrementEmulatedSecp256k1 — x-increment on secp256k1
• TestXIncrementEmulatedP256 — x-increment on P-256
• TestYIncrementEmulatedBN254 — y-increment on BN254
• TestYIncrementEmulatedSecp256k1 — y-increment on secp256k1
• TestYIncrementEmulatedP256 — y-increment on P-256 (Cardano solver)
• TestYIncrement (maptocurve_grumpkin) — native y-increment on Grumpkin
• TestYIncrement (maptocurve_bls12377) — native y-increment on BLS12-377

go test ./std/algebra/emulated/maptocurve/...
go test ./std/algebra/native/maptocurve_grumpkin/...
go test ./std/algebra/native/maptocurve_bls12377/...

How has this been benchmarked?

• Constraint count benchmarks for all curves and methods (R1CS + SCS), on Macbook Pro M5

go test -bench=. ./std/algebra/emulated/maptocurve/
go test -bench=. ./std/algebra/native/maptocurve_grumpkin/
go test -bench=. ./std/algebra/native/maptocurve_bls12377/

Checklist:

• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have added tests that prove my fix is effective or that my feature works
• I did not modify files generated from templates
• golangci-lint does not output errors locally
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules

---

Note

Medium Risk
Adds new constraint-system gadgets and hint logic for mapping messages to curve points; correctness relies on hint implementations and new cube-root functionality across multiple curves/fields.

Overview
Adds new std/algebra/emulated/maptocurve gadgets implementing x-increment and y-increment map-to-curve relations for short Weierstrass curves, backed by new solver hints that search k∈[0,256) and validate the curve equation (with an extra 2^S-root witness for x-increment).

Introduces native y-increment gadgets for Grumpkin and BLS12-377, with associated hints, tests, and constraint-count benchmarks.

Updates the generated tinyfield code by adding Element.Cbrt/Element.Cube, switching internal parallel execution to gnark-crypto/parallel.Execute, modernizing loop idioms, and bumps dependencies (notably gnark-crypto and x/sync).

^{Reviewed by Cursor Bugbot for commit 4248b17. Bugbot is set up for automated code reviews on this repo. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	golang/​github.com/​consensys/​gnark-crypto@​v0.20.1 ⏵ v0.20.2-0.20260403203858-2c33f2d1c64f	+1
	golang/​golang.org/​x/​sync@​v0.19.0 ⏵ v0.20.0

View full report

[Copilot]

Pull request overview

Adds increment-and-check map-to-curve gadgets (from the referenced paper) for short Weierstrass curves, with both emulated and native implementations, plus tests/benchmarks and a dependency bump to support required crypto primitives.

Changes:

• Introduces a generic emulated maptocurve package supporting X-increment and Y-increment for BN254, secp256k1, and P-256 (incl. Cardano solver path).
• Adds native Y-increment gadgets for Grumpkin (over BN254) and BLS12-377 (over BW6-761), including hint plumbing and basic tests/benchmarks.
• Updates go.mod / go.sum (notably gnark-crypto) to pull in required functionality.

Reviewed changes

Copilot reviewed 13 out of 14 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
std/algebra/native/maptocurve_grumpkin/maptocurve.go	Native Grumpkin Y-increment gadget (constraints: curve equation + k range).
std/algebra/native/maptocurve_grumpkin/hints.go	Hint to search k ∈ [0,256) and compute cube root witness.
std/algebra/native/maptocurve_grumpkin/maptocurve_test.go	Satisfiability + benchmark harness for the native gadget.
std/algebra/native/maptocurve_grumpkin/doc.go	Package documentation / compilation curve notes.
std/algebra/native/maptocurve_bls12377/maptocurve.go	Native BLS12-377 Y-increment gadget (over BW6-761 scalar field).
std/algebra/native/maptocurve_bls12377/hints.go	Hint to search k ∈ [0,256) and compute cube root witness.
std/algebra/native/maptocurve_bls12377/maptocurve_test.go	Satisfiability + benchmark harness for the native gadget.
std/algebra/native/maptocurve_bls12377/doc.go	Package documentation / compilation curve notes.
std/algebra/emulated/maptocurve/maptocurve.go	Generic emulated Mapper implementing X-increment and Y-increment gadgets.
std/algebra/emulated/maptocurve/hints.go	Emulated hints for BN254, secp256k1, and P-256 (x/y increment).
std/algebra/emulated/maptocurve/maptocurve_test.go	Satisfiability tests + benchmarks for emulated gadgets.
std/algebra/emulated/maptocurve/doc.go	Package-level documentation describing both methods and tradeoffs.
go.mod	Bumps deps (incl. gnark-crypto) needed for curve operations/solvers.
go.sum	Corresponding checksum updates.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 4248b17. Configure here.}

[cursor]

Exported constant S defined but never used

Low Severity

The exported constant S = 46 is defined but never referenced anywhere in the package or in external callers. The y-increment method deliberately avoids the inverse-exclusion witness (which uses 2-adicity), so S serves no purpose here. It adds confusion since a reader might wonder whether the 2-adicity check was accidentally omitted.

 

^{Reviewed by Cursor Bugbot for commit 4248b17. Configure here.}