
feat: map-to-curve relations#1746

Open · yelhousni wants to merge 9 commits into master from feat/map-to-curve

Conversation

yelhousni (Contributor) commented Apr 3, 2026

Description

Add increment-and-check map-to-curve gadgets for short Weierstrass curves, implementing the constructions from https://eprint.iacr.org/2026/590.pdf.

Two methods are provided:

  • X-increment: encodes X = M·256 + K, verifies Y² = X³ + aX + b, and checks a 2^S-th root witness for inverse-exclusion. Only practical for low 2-adicity fields (S ≤ 4).
  • Y-increment: encodes Y = M·256 + K, verifies Y² = X³ + aX + b. Simpler (no inverse-exclusion witness), works for any 2-adicity, recommended for j=0 curves to avoid the algebraic attack from the paper.

N.B. Currently go.mod points to the commit Consensys/gnark-crypto@2c33f2d. We need to change that once that PR gets merged.

Packages

std/algebra/emulated/maptocurve/

Generic emulated map-to-curve for any supported curve:

  • BN254 (y² = x³ + 3): x-increment and y-increment
  • secp256k1 (y² = x³ + 7): x-increment and y-increment
  • P-256/secp256r1 (y² = x³ − 3x + b): x-increment and y-increment (y-increment uses the Cardano cubic solver from gnark-crypto#831, "feat(p256): add e2 and cardano solver")

std/algebra/native/maptocurve_grumpkin/

Native y-increment for Grumpkin (y² = x³ − 17), compiled over BN254.

std/algebra/native/maptocurve_bls12377/

Native y-increment for BLS12-377 (y² = x³ + 1), compiled over BW6-761.

Constraint counts

Curve      Method        R1CS    SCS (PLONK)
Emulated
BN254      x-increment     977   3,705
BN254      y-increment     754   2,831
secp256k1  x-increment     967   3,675
secp256k1  y-increment     754   2,810
P-256      x-increment   1,065   4,082
P-256      y-increment     858   3,217
Native
Grumpkin   y-increment      15      37
BLS12-377  y-increment      15      37

Type of change

  • New feature (non-breaking change which adds functionality)

How has this been tested?

All tests verify circuit satisfiability via test.CheckCircuit (both Groth16 and PLONK backends):

  • TestXIncrementEmulatedBN254 — x-increment on BN254
  • TestXIncrementEmulatedSecp256k1 — x-increment on secp256k1
  • TestXIncrementEmulatedP256 — x-increment on P-256
  • TestYIncrementEmulatedBN254 — y-increment on BN254
  • TestYIncrementEmulatedSecp256k1 — y-increment on secp256k1
  • TestYIncrementEmulatedP256 — y-increment on P-256 (Cardano solver)
  • TestYIncrement (maptocurve_grumpkin) — native y-increment on Grumpkin
  • TestYIncrement (maptocurve_bls12377) — native y-increment on BLS12-377
go test ./std/algebra/emulated/maptocurve/...
go test ./std/algebra/native/maptocurve_grumpkin/...
go test ./std/algebra/native/maptocurve_bls12377/...

How has this been benchmarked?

  • Constraint count benchmarks for all curves and methods (R1CS + SCS), on Macbook Pro M5
go test -bench=. ./std/algebra/emulated/maptocurve/
go test -bench=. ./std/algebra/native/maptocurve_grumpkin/
go test -bench=. ./std/algebra/native/maptocurve_bls12377/

Checklist:

  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
  • I did not modify files generated from templates
  • golangci-lint does not output errors locally
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules

Note

Medium Risk
Adds new constraint gadgets and solver hints for map-to-curve, which affect cryptographic correctness and circuit soundness despite being additive. Also bumps gnark-crypto and tweaks generated field/vector code, which could change arithmetic behavior if regressions slip in.

Overview
Adds new increment-and-check map-to-curve gadgets for short Weierstrass curves.

Introduces std/algebra/emulated/maptocurve with Mapper.XIncrement and Mapper.YIncrement, backed by registered solver hints that search k∈[0,256) and return witnesses for BN254, secp256k1, and P-256 (including Cardano-based cubic solving for P-256).

Adds native YIncrement gadgets for BLS12-377 and Grumpkin (both hint-driven), plus corresponding tests/benchmarks. Updates generated tinyfield code to add Cbrt/Cube, modernizes some loops/types, and switches vector async decoding to gnark-crypto/parallel. Dependency versions are bumped in go.mod/go.sum (notably gnark-crypto and x/sync).

Reviewed by Cursor Bugbot for commit cb97775.
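The description above splits each method into a solver-side hint (search k ∈ [0,256) and return a witness) and the relations the gadget enforces in-circuit. The following is an added example, not code from this PR or from gnark: a plain-Go, non-circuit model of that split for secp256k1 (y² = x³ + 7, a j=0 curve). `XIncrementHint`/`YIncrementHint` play the hint role and `CheckXIncrement`/`CheckYIncrement` restate what the constraints check (k is a byte, the coordinate is 256·M + k, and the curve equation holds). All function names and the message value are constructed here; the example does not model the 2^S-th root inverse-exclusion witness of the X-increment method, and its cube root relies on 9 ∤ p−1, which holds for secp256k1 but not for every field the PR targets.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// secp256k1 parameters: y^2 = x^3 + 7 over F_p (a = 0, b = 7).
var (
	p     = mustHex("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F")
	a     = big.NewInt(0)
	b     = big.NewInt(7)
	one   = big.NewInt(1)
	three = big.NewInt(3)
)

func mustHex(s string) *big.Int {
	v, ok := new(big.Int).SetString(s, 16)
	if !ok {
		panic("bad hex constant")
	}
	return v
}

// encode is the shared "increment" step: the coordinate is M*256 + k (mod p).
func encode(M *big.Int, k int) *big.Int {
	v := new(big.Int).Lsh(M, 8)
	v.Add(v, big.NewInt(int64(k)))
	return v.Mod(v, p)
}

// rhs evaluates x^3 + a*x + b (mod p).
func rhs(x *big.Int) *big.Int {
	r := new(big.Int).Exp(x, three, p)
	r.Add(r, new(big.Int).Mul(a, x))
	r.Add(r, b)
	return r.Mod(r, p)
}

// cubeRoot returns a cube root of c, or false if c is not a cube.
// Assumption (true for secp256k1): p ≡ 1 (mod 3) and 9 ∤ p-1, so t = (p-1)/3 is
// coprime to 3, c is a cube iff c^t = 1, and c^e with 3e ≡ 1 (mod t) is a root.
func cubeRoot(c *big.Int) (*big.Int, bool) {
	if c.Sign() == 0 {
		return big.NewInt(0), true
	}
	t := new(big.Int).Sub(p, one)
	t.Div(t, three)
	if new(big.Int).Exp(c, t, p).Cmp(one) != 0 {
		return nil, false
	}
	e := new(big.Int).ModInverse(three, t)
	return new(big.Int).Exp(c, e, p), true
}

// XIncrementHint (solver side): first k in [0,256) with X = 256*M + k on the
// curve; returns k and the square root Y as the witness.
func XIncrementHint(M *big.Int) (int, *big.Int, error) {
	for k := 0; k < 256; k++ {
		if y := new(big.Int).ModSqrt(rhs(encode(M, k)), p); y != nil {
			return k, y, nil
		}
	}
	return 0, nil, errors.New("x-increment: no k in [0,256) gives a curve point")
}

// YIncrementHint (solver side, a = 0 only): Y = 256*M + k, and X must satisfy
// X^3 = Y^2 - b, so the witness X is a cube root. Curves with a ≠ 0 need a
// cubic solver instead (the PR uses Cardano's method for P-256).
func YIncrementHint(M *big.Int) (int, *big.Int, error) {
	for k := 0; k < 256; k++ {
		y := encode(M, k)
		c := new(big.Int).Mul(y, y)
		c.Sub(c, b)
		c.Mod(c, p)
		if x, ok := cubeRoot(c); ok {
			return k, x, nil
		}
	}
	return 0, nil, errors.New("y-increment: no k in [0,256) gives a curve point")
}

// CheckXIncrement restates the in-circuit relations for an X-increment
// witness: k is a byte, X = 256*M + k, and Y^2 = X^3 + aX + b.
func CheckXIncrement(M *big.Int, k int, y *big.Int) bool {
	if k < 0 || k > 255 {
		return false
	}
	lhs := new(big.Int).Mul(y, y)
	lhs.Mod(lhs, p)
	return lhs.Cmp(rhs(encode(M, k))) == 0
}

// CheckYIncrement does the same for a Y-increment witness: k is a byte,
// Y = 256*M + k, and Y^2 = X^3 + aX + b.
func CheckYIncrement(M *big.Int, k int, x *big.Int) bool {
	if k < 0 || k > 255 {
		return false
	}
	y := encode(M, k)
	lhs := new(big.Int).Mul(y, y)
	lhs.Mod(lhs, p)
	return lhs.Cmp(rhs(x)) == 0
}

func main() {
	// Guard the field assumption cubeRoot depends on before trusting its output.
	pm1 := new(big.Int).Sub(p, one)
	if new(big.Int).Mod(p, three).Cmp(one) != 0 || new(big.Int).Mod(pm1, big.NewInt(9)).Sign() == 0 {
		panic("cubeRoot assumes p ≡ 1 (mod 3) and 9 ∤ p-1")
	}
	M := big.NewInt(123456789) // constructed message
	kx, y, err := XIncrementHint(M)
	if err != nil {
		panic(err)
	}
	ky, x, err := YIncrementHint(M)
	if err != nil {
		panic(err)
	}
	fmt.Printf("x-increment: k=%d ok=%v\n", kx, CheckXIncrement(M, kx, y))
	fmt.Printf("y-increment: k=%d ok=%v\n", ky, CheckYIncrement(M, ky, x))
}
```

The check functions are deliberately independent of the hints: a prover can substitute any witness, so soundness rests only on what is checked, which is why the description lists the range check on k and the curve equation separately from the hint search.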

socket-security bot commented Apr 3, 2026

Review the following changes in direct dependencies.

Diff     Package                                                                                     Supply Chain Security / Vulnerability / Quality / Maintenance / License
Updated  golang/github.com/consensys/gnark-crypto@v0.20.1 ⏵ v0.20.2-0.20260403203858-2c33f2d1c64f76  +1 100 100 100 100
Updated  golang/golang.org/x/sync@v0.19.0 ⏵ v0.20.0                                                  99 100 100 100 100


Copilot AI (Contributor) left a comment

Pull request overview

Adds increment-and-check map-to-curve gadgets (from the referenced paper) for short Weierstrass curves, with both emulated and native implementations, plus tests/benchmarks and a dependency bump to support required crypto primitives.

Changes:

  • Introduces a generic emulated maptocurve package supporting X-increment and Y-increment for BN254, secp256k1, and P-256 (incl. Cardano solver path).
  • Adds native Y-increment gadgets for Grumpkin (over BN254) and BLS12-377 (over BW6-761), including hint plumbing and basic tests/benchmarks.
  • Updates go.mod / go.sum (notably gnark-crypto) to pull in required functionality.

Reviewed changes

Copilot reviewed 13 out of 14 changed files in this pull request and generated 9 comments.

Summary per file:

  • std/algebra/native/maptocurve_grumpkin/maptocurve.go: Native Grumpkin Y-increment gadget (constraints: curve equation + k range).
  • std/algebra/native/maptocurve_grumpkin/hints.go: Hint to search k ∈ [0,256) and compute cube root witness.
  • std/algebra/native/maptocurve_grumpkin/maptocurve_test.go: Satisfiability + benchmark harness for the native gadget.
  • std/algebra/native/maptocurve_grumpkin/doc.go: Package documentation / compilation curve notes.
  • std/algebra/native/maptocurve_bls12377/maptocurve.go: Native BLS12-377 Y-increment gadget (over BW6-761 scalar field).
  • std/algebra/native/maptocurve_bls12377/hints.go: Hint to search k ∈ [0,256) and compute cube root witness.
  • std/algebra/native/maptocurve_bls12377/maptocurve_test.go: Satisfiability + benchmark harness for the native gadget.
  • std/algebra/native/maptocurve_bls12377/doc.go: Package documentation / compilation curve notes.
  • std/algebra/emulated/maptocurve/maptocurve.go: Generic emulated Mapper implementing X-increment and Y-increment gadgets.
  • std/algebra/emulated/maptocurve/hints.go: Emulated hints for BN254, secp256k1, and P-256 (x/y increment).
  • std/algebra/emulated/maptocurve/maptocurve_test.go: Satisfiability tests + benchmarks for emulated gadgets.
  • std/algebra/emulated/maptocurve/doc.go: Package-level documentation describing both methods and tradeoffs.
  • go.mod: Bumps deps (incl. gnark-crypto) needed for curve operations/solvers.
  • go.sum: Corresponding checksum updates.


cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

