16#include "../circuit_builders/circuit_builders.hpp"
19#include "../field/field.hpp"
24template <
typename Builder,
typename T>
34template <
typename Builder,
typename T>
48template <
typename Builder,
typename T>
51 const bool can_overflow,
52 const size_t maximum_bitlength)
55 BB_ASSERT((can_overflow ==
true && maximum_bitlength == 0) ||
56 (can_overflow ==
false && (maximum_bitlength == 0 || maximum_bitlength > (3 * NUM_LIMB_BITS))));
69 const auto limb_witnesses =
84 uint64_t num_last_limb_bits = (can_overflow) ? NUM_LIMB_BITS : NUM_LAST_LIMB_BITS;
87 if (maximum_bitlength > 0) {
90 num_last_limb_bits = maximum_bitlength - (3 * NUM_LIMB_BITS);
93 const uint64_t num_high_limb_bits = NUM_LIMB_BITS + num_last_limb_bits;
96 const auto limb_witnesses = decompose_non_native_field_double_width_limb(
107 binary_basis_limbs[0] = Limb(limb_0, DEFAULT_MAXIMUM_LIMB);
108 binary_basis_limbs[1] = Limb(limb_1, DEFAULT_MAXIMUM_LIMB);
109 binary_basis_limbs[2] = Limb(limb_2, DEFAULT_MAXIMUM_LIMB);
110 if (maximum_bitlength > 0) {
111 uint256_t max_limb_value = (
uint256_t(1) << (maximum_bitlength - (3 * NUM_LIMB_BITS))) - 1;
112 binary_basis_limbs[3] = Limb(limb_3, max_limb_value);
114 binary_basis_limbs[3] =
115 Limb(limb_3, can_overflow ? DEFAULT_MAXIMUM_LIMB : DEFAULT_MAXIMUM_MOST_SIGNIFICANT_LIMB);
117 prime_basis_limb = low_bits_in + (high_bits_in * shift_2);
119 set_origin_tag(new_tag);
122template <
typename Builder,
typename T>
125 , binary_basis_limbs{ other.binary_basis_limbs[0],
126 other.binary_basis_limbs[1],
127 other.binary_basis_limbs[2],
128 other.binary_basis_limbs[3] }
129 , prime_basis_limb(other.prime_basis_limb)
132template <
typename Builder,
typename T>
135 , binary_basis_limbs{ other.binary_basis_limbs[0],
136 other.binary_basis_limbs[1],
137 other.binary_basis_limbs[2],
138 other.binary_basis_limbs[3] }
139 , prime_basis_limb(other.prime_basis_limb)
142template <
typename Builder,
typename T>
145 const bool can_overflow,
146 const size_t maximum_bitlength)
148 BB_ASSERT((can_overflow ==
true && maximum_bitlength == 0) ||
149 (can_overflow ==
false && (maximum_bitlength == 0 || maximum_bitlength > (3 * NUM_LIMB_BITS))));
151 limbs[0] =
value.slice(0, NUM_LIMB_BITS).lo;
152 limbs[1] =
value.slice(NUM_LIMB_BITS, NUM_LIMB_BITS * 2).lo;
153 limbs[2] =
value.slice(NUM_LIMB_BITS * 2, NUM_LIMB_BITS * 3).lo;
154 limbs[3] =
value.slice(NUM_LIMB_BITS * 3, NUM_LIMB_BITS * 4).lo;
181 ctx->create_unconstrained_gate(
182 ctx->blocks.arithmetic, ctx->zero_idx(), ctx->zero_idx(), ctx->zero_idx(), limb_0.
get_witness_index());
184 uint64_t num_last_limb_bits = (can_overflow) ? NUM_LIMB_BITS : NUM_LAST_LIMB_BITS;
191 Limb(limb_3, can_overflow ? DEFAULT_MAXIMUM_LIMB : DEFAULT_MAXIMUM_MOST_SIGNIFICANT_LIMB);
194 if (maximum_bitlength > 0) {
196 num_last_limb_bits = maximum_bitlength - (3 * NUM_LIMB_BITS);
203 static_cast<size_t>(NUM_LIMB_BITS),
204 static_cast<size_t>(NUM_LIMB_BITS),
205 "bigfield::create_from_u512_as_witness: limb 0 or 1 too large");
208 static_cast<size_t>(NUM_LIMB_BITS),
209 static_cast<size_t>(num_last_limb_bits),
210 "bigfield::create_from_u512_as_witness: limb 2 or 3 too large");
222 const uint64_t byte_val =
uint256_t(split_byte.get_value()).
data[0];
223 const uint64_t lo_nibble_val = byte_val & 15ULL;
224 const uint64_t hi_nibble_val = byte_val >> 4;
239 const auto reconstruct_two_limbs = [&split_byte_into_nibbles](
Builder* ctx,
243 const auto [lo_nibble, hi_nibble] = split_byte_into_nibbles(ctx, split_byte);
270 const auto [limb0, limb1] = reconstruct_two_limbs(ctx, lo_8_bytes, lolo_8_bytes, lo_split_byte);
271 const auto [limb2, limb3] = reconstruct_two_limbs(ctx, hi_8_bytes, mid_8_bytes, mid_split_byte);
275 const auto num_last_limb_bits = 256 - (NUM_LIMB_BITS * 3);
276 res.binary_basis_limbs[3].maximum_value = (uint64_t(1) << num_last_limb_bits);
283 if (
this == &other) {
298 binary_basis_limbs[0] = other.binary_basis_limbs[0];
299 binary_basis_limbs[1] = other.binary_basis_limbs[1];
300 binary_basis_limbs[2] = other.binary_basis_limbs[2];
301 binary_basis_limbs[3] = other.binary_basis_limbs[3];
302 prime_basis_limb = other.prime_basis_limb;
312 return t0 + (t1 << (NUM_LIMB_BITS)) + (t2 << (2 * NUM_LIMB_BITS)) + (t3 << (3 * NUM_LIMB_BITS));
321 return t0 + t1 + t2 + t3;
324template <
typename Builder,
typename T>
326 const uint256_t& other_maximum_value)
const
330 uint512_t(get_maximum_unreduced_limb_value()));
342 for (
size_t i = 1; i < NUM_LIMBS; i++) {
346 binary_basis_limbs[i].maximum_value);
356 result.
binary_basis_limbs[0].maximum_value = binary_basis_limbs[0].maximum_value + other_maximum_value;
364template <
typename Builder,
typename T>
399 bool both_witness = !is_constant() && !other.
is_constant();
400 bool both_prime_limb_multiplicative_constant_one =
402 if (both_prime_limb_multiplicative_constant_one && both_witness) {
403 bool limbconst = is_constant() || other.
is_constant() ||
411 for (
size_t i = 0; i < NUM_LIMBS; ++i) {
412 const auto& x_limb = binary_basis_limbs[i].element;
415 x_scaled[i] = { x_limb.witness_index, x_limb.multiplicative_constant };
416 y_scaled[i] = { y_limb.witness_index, y_limb.multiplicative_constant };
417 c_adds[i] =
bb::fr(x_limb.additive_constant + y_limb.additive_constant);
421 uint32_t x_prime(prime_basis_limb.witness_index);
425 const auto output_witnesses =
426 ctx->evaluate_non_native_field_addition({ x_scaled[0], y_scaled[0], c_adds[0] },
427 { x_scaled[1], y_scaled[1], c_adds[1] },
428 { x_scaled[2], y_scaled[2], c_adds[2] },
429 { x_scaled[3], y_scaled[3], c_adds[3] },
430 { x_prime, y_prime, c_prime });
455template <
typename Builder,
typename T>
497template <
typename Builder,
typename T>
505 uint512_t left = get_value() % modulus_u512;
507 uint512_t out = (left + modulus_u512 - right) % modulus_u512;
516 uint512_t neg_right = (modulus_u512 - right) % modulus_u512;
539 bigfield result(ctx);
552 uint64_t limb_0_borrow_shift =
std::max(limb_0_maximum_value.
get_msb() + 1, NUM_LIMB_BITS);
559 uint64_t limb_1_borrow_shift =
std::max(limb_1_maximum_value.
get_msb() + 1, NUM_LIMB_BITS);
562 uint64_t limb_2_borrow_shift =
std::max(limb_2_maximum_value.
get_msb() + 1, NUM_LIMB_BITS);
577 uint512_t constant_to_add = constant_to_add_factor.
lo * modulus_u512;
620 result.
binary_basis_limbs[0].maximum_value = binary_basis_limbs[0].maximum_value + to_add_0;
621 result.
binary_basis_limbs[1].maximum_value = binary_basis_limbs[1].maximum_value + to_add_1;
622 result.
binary_basis_limbs[2].maximum_value = binary_basis_limbs[2].maximum_value + to_add_2;
623 result.
binary_basis_limbs[3].maximum_value = binary_basis_limbs[3].maximum_value + to_add_3;
633 bool both_witness = !is_constant() && !other.
is_constant();
634 bool both_prime_limb_multiplicative_constant_one =
636 if (both_prime_limb_multiplicative_constant_one && both_witness) {
637 bool limbconst = is_constant() || other.
is_constant() ||
646 for (
size_t i = 0; i < NUM_LIMBS; ++i) {
650 x_scaled[i] = { x_limb.witness_index, x_limb.multiplicative_constant };
651 y_scaled[i] = { y_limb.witness_index, y_limb.multiplicative_constant };
652 c_diffs[i] =
bb::fr(x_limb.additive_constant - y_limb.additive_constant);
656 uint32_t x_prime(prime_basis_limb.witness_index);
659 uint512_t constant_to_add_mod_native = (constant_to_add) % prime_basis.modulus;
660 c_prime +=
bb::fr(constant_to_add_mod_native.lo);
662 const auto output_witnesses =
663 ctx->evaluate_non_native_field_subtraction({ x_scaled[0], y_scaled[0], c_diffs[0] },
664 { x_scaled[1], y_scaled[1], c_diffs[1] },
665 { x_scaled[2], y_scaled[2], c_diffs[2] },
666 { x_scaled[3], y_scaled[3], c_diffs[3] },
667 { x_prime, y_prime, c_prime });
688 uint512_t constant_to_add_mod_native = (constant_to_add) % prime_basis.modulus;
689 field_t prime_basis_to_add(ctx,
bb::fr(constant_to_add_mod_native.lo));
695template <
typename Builder,
typename T>
703 const auto [quotient_value, remainder_value] = compute_quotient_remainder_values(*
this, other, {});
718 auto [reduction_required, num_quotient_bits] =
719 get_quotient_reduction_info({ get_maximum_value() }, { other.
get_maximum_value() }, {});
720 if (reduction_required) {
726 return (*this).operator*(other);
728 quotient = create_from_u512_as_witness(ctx, quotient_value,
false, num_quotient_bits);
729 remainder = create_from_u512_as_witness(ctx, remainder_value);
733 unsafe_evaluate_multiply_add(*
this, other, {}, quotient, { remainder });
739template <
typename Builder,
typename T>
743 return internal_div({ *
this }, other,
true);
753template <
typename Builder,
typename T>
758 if (terms.size() == 1) {
763 for (
size_t i = 1; i < (terms.size() + 1) / 2; i++) {
764 acc = acc.
add_two(terms[2 * i - 1], terms[2 * i]);
766 if ((terms.size() & 1) == 0) {
767 acc += terms[terms.size() - 1];
781template <
typename Builder,
typename T>
787 if (numerators.empty()) {
788 if (check_for_zero) {
798 bool numerator_constant =
true;
800 for (
const auto& numerator_element : numerators) {
801 ctx = (ctx ==
nullptr) ? numerator_element.get_context() : ctx;
802 numerator_element.reduction_check();
803 numerator_values += numerator_element.get_value();
804 numerator_constant = numerator_constant && (numerator_element.is_constant());
812 const uint1024_t modulus(target_basis.modulus);
816 inverse_value = right.
lo.invmod(target_basis.modulus).lo;
819 inverse_value = ((left * inverse_1024) % modulus).
lo;
822 (
uint1024_t(inverse_value) * right + unreduced_zero().get_value() - left) / modulus;
827 if (numerator_constant && denominator.
is_constant()) {
828 if (check_for_zero) {
840 for (
const auto& n : numerators) {
841 numerator_max.push_back(n.get_maximum_value());
844 auto [reduction_required, num_quotient_bits] =
845 get_quotient_reduction_info({
static_cast<uint512_t>(DEFAULT_MAXIMUM_REMAINDER) },
847 { unreduced_zero() },
849 if (reduction_required) {
852 return internal_div(numerators, denominator, check_for_zero);
855 if (check_for_zero) {
859 quotient = create_from_u512_as_witness(ctx, quotient_value,
false, num_quotient_bits);
860 inverse = create_from_u512_as_witness(ctx, inverse_value);
864 unsafe_evaluate_multiply_add(denominator, inverse, { unreduced_zero() }, quotient, numerators);
874template <
typename Builder,
typename T>
878 return internal_div(numerators, denominator,
false);
881template <
typename Builder,
typename T>
884 return internal_div({ *
this }, denominator,
false);
892template <
typename Builder,
typename T>
896 return internal_div(numerators, denominator,
true);
904 const auto [quotient_value, remainder_value] = compute_quotient_remainder_values(*
this, *
this, {});
913 auto [reduction_required, num_quotient_bits] = get_quotient_reduction_info(
914 { get_maximum_value() }, { get_maximum_value() }, {}, { DEFAULT_MAXIMUM_REMAINDER });
915 if (reduction_required) {
920 quotient = create_from_u512_as_witness(ctx, quotient_value,
false, num_quotient_bits);
921 remainder = create_from_u512_as_witness(ctx, remainder_value);
924 unsafe_evaluate_square_add(*
this, {}, quotient, remainder);
925 remainder.set_origin_tag(get_origin_tag());
929template <
typename Builder,
typename T>
938 bool add_constant =
true;
939 for (
const auto& add_element : to_add) {
940 add_element.reduction_check();
942 add_constant = add_constant && (add_element.is_constant());
948 const uint1024_t modulus(target_basis.modulus);
955 const auto [quotient_1024, remainder_1024] = (left * right + add_right).divmod(modulus);
966 const auto [quotient_1024, remainder_1024] = (left * right).divmod(modulus);
968 for (
auto& add_element : to_add) {
969 new_to_add.push_back(add_element);
972 new_to_add.push_back(bigfield(ctx, remainder_1024.lo.lo));
973 return sum(new_to_add);
978 auto [reduction_required, num_quotient_bits] = get_quotient_reduction_info(
979 { get_maximum_value() }, { get_maximum_value() }, to_add, { DEFAULT_MAXIMUM_REMAINDER });
981 if (reduction_required) {
983 return sqradd(to_add);
985 const auto [quotient_1024, remainder_1024] = (left * right + add_right).divmod(modulus);
987 uint256_t remainder_value = remainder_1024.lo.lo;
989 quotient = create_from_u512_as_witness(ctx, quotient_value,
false, num_quotient_bits);
990 remainder = create_from_u512_as_witness(ctx, remainder_value);
997 unsafe_evaluate_square_add(*
this, to_add, quotient, remainder);
1004 if (exponent == 0) {
1009 if (is_constant()) {
1010 auto base_val = get_value();
1012 uint512_t base = base_val % modulus_u512;
1013 uint32_t shifted_exponent = exponent;
1016 while (shifted_exponent > 0) {
1017 if (shifted_exponent & 1) {
1021 shifted_exponent >>= 1;
1026 bool accumulator_initialized =
false;
1027 bigfield accumulator;
1028 bigfield running_power = *
this;
1029 uint32_t shifted_exponent = exponent;
1032 while (shifted_exponent != 0) {
1033 if (shifted_exponent & 1) {
1034 if (!accumulator_initialized) {
1035 accumulator = running_power;
1036 accumulator_initialized =
true;
1038 accumulator *= running_power;
1041 shifted_exponent >>= 1;
1046 if (shifted_exponent != 0) {
1047 running_power = running_power.sqr();
1053template <
typename Builder,
typename T>
1062 bool add_constant =
true;
1064 for (
const auto& add_element : to_add) {
1065 add_element.reduction_check();
1067 add_constant = add_constant && (add_element.is_constant());
1073 const uint1024_t modulus(target_basis.modulus);
1075 const auto [quotient_1024, remainder_1024] = (left * mul_right + add_right).divmod(modulus);
1077 const uint512_t quotient_value = quotient_1024.
lo;
1078 const uint512_t remainder_value = remainder_1024.
lo;
1082 if (is_constant() && to_mul.
is_constant() && add_constant) {
1085 }
else if (is_constant() && to_mul.
is_constant()) {
1086 const auto [_, mul_remainder_1024] = (left * mul_right).divmod(modulus);
1091 auto [reduction_required, num_quotient_bits] = get_quotient_reduction_info(
1092 { get_maximum_value() }, { to_mul.
get_maximum_value() }, to_add, { DEFAULT_MAXIMUM_REMAINDER });
1093 if (reduction_required) {
1099 return (*this).madd(to_mul, to_add);
1101 quotient = create_from_u512_as_witness(ctx, quotient_value,
false, num_quotient_bits);
1102 remainder = create_from_u512_as_witness(ctx, remainder_value);
1106 OriginTag new_tag = OriginTag(get_origin_tag(), to_mul.
get_origin_tag());
1107 for (
auto&
element : to_add) {
1108 new_tag = OriginTag(new_tag,
element.get_origin_tag());
1112 unsafe_evaluate_multiply_add(*
this, to_mul, to_add, quotient, { remainder });
1128template <
typename Builder,
typename T>
1137 const size_t number_of_products = mul_left.size();
1142 max_values_left.reserve(number_of_products);
1143 max_values_right.reserve(number_of_products);
1145 for (
auto& left_element : mul_left) {
1146 left_element.reduction_check();
1147 max_values_left.emplace_back(left_element.get_maximum_value());
1150 for (
auto& right_element : mul_right) {
1151 right_element.reduction_check();
1152 max_values_right.emplace_back(right_element.get_maximum_value());
1162 get_quotient_reduction_info(max_values_left, max_values_right, to_add, { DEFAULT_MAXIMUM_REMAINDER }));
1164 if (reduction_required) {
1177 size_t number_of_products) {
1178 maxval_updates.resize(0);
1179 maxval_updates.reserve(number_of_products * 2);
1181 for (
size_t i = 0; i < number_of_products; i++) {
1184 uint1024_t original_product = original_left * original_right;
1185 if (m_left[i].is_constant()) {
1189 uint1024_t new_product = DEFAULT_MAXIMUM_REMAINDER * original_right;
1190 if (new_product > original_product) {
1193 maxval_updates.emplace_back(
1196 if (m_right[i].is_constant()) {
1200 uint1024_t new_product = DEFAULT_MAXIMUM_REMAINDER * original_left;
1201 if (new_product > original_product) {
1204 maxval_updates.emplace_back(
1218 while (reduction_required) {
1220 compute_updates(maximum_value_updates, mul_left, mul_right, number_of_products);
1223 std::sort(maximum_value_updates.begin(), maximum_value_updates.end(), compare_update_tuples);
1226 auto [update_size, largest_update_product_index, multiplicand_index] = maximum_value_updates[0];
1231 if (multiplicand_index == 0) {
1232 mul_left[largest_update_product_index].self_reduce();
1234 mul_right[largest_update_product_index].self_reduce();
1237 for (
size_t i = 0; i < number_of_products; i++) {
1238 max_values_left[i] = mul_left[i].get_maximum_value();
1239 max_values_right[i] = mul_right[i].get_maximum_value();
1242 get_quotient_reduction_info(max_values_left, max_values_right, to_add, { DEFAULT_MAXIMUM_REMAINDER }));
1259template <
typename Builder,
typename T>
1263 bool fix_remainder_to_zero)
1272 const size_t number_of_products = mul_left.size();
1274 const uint1024_t modulus(target_basis.modulus);
1279 bool add_constant =
true;
1284 for (
auto [left_element, right_element] :
zip_view(mul_left, mul_right)) {
1285 new_tag =
OriginTag(new_tag,
OriginTag(left_element.get_origin_tag(), right_element.get_origin_tag()));
1287 for (
auto&
element : to_add) {
1291 for (
const auto& add_element : to_add) {
1292 add_element.reduction_check();
1293 if (add_element.is_constant()) {
1294 add_right_constant_sum +=
uint1024_t(add_element.get_value());
1296 add_constant =
false;
1297 new_to_add.push_back(add_element);
1306 bool product_sum_constant =
true;
1307 for (
size_t i = 0; i < number_of_products; i++) {
1308 if (mutable_mul_left[i].is_constant() && mutable_mul_right[i].is_constant()) {
1310 sum_of_constant_products +=
1314 new_input_left.push_back(mutable_mul_left[i]);
1315 new_input_right.push_back(mutable_mul_right[i]);
1316 product_sum_constant =
false;
1322 for (
auto& el : mutable_mul_left) {
1330 for (
auto& el : mutable_mul_right) {
1337 if (product_sum_constant) {
1340 const auto [quotient_1024, remainder_1024] =
1341 (sum_of_constant_products + add_right_constant_sum).divmod(modulus);
1342 BB_ASSERT(!fix_remainder_to_zero || remainder_1024 == 0);
1347 const auto [quotient_1024, remainder_1024] =
1348 (sum_of_constant_products + add_right_constant_sum).divmod(modulus);
1353 result =
sum(new_to_add);
1357 result =
sum(new_to_add);
1359 if (fix_remainder_to_zero) {
1372 const auto [_, constant_part_remainder_1024] = (sum_of_constant_products + add_right_constant_sum).divmod(modulus);
1373 const uint256_t constant_part_remainder_256 = constant_part_remainder_1024.lo.lo;
1375 if (constant_part_remainder_256 !=
uint256_t(0)) {
1376 new_to_add.push_back(
bigfield(ctx, constant_part_remainder_256));
1381 for (
const auto& add_element : new_to_add) {
1383 add_element.reduction_check();
1384 add_right_final_sum +=
uint1024_t(add_element.get_value());
1386 add_right_maximum +=
uint1024_t(add_element.get_maximum_value());
1388 const size_t final_number_of_products = new_input_left.size();
1391 worst_case_product_sum =
uint1024_t(final_number_of_products) *
uint1024_t(DEFAULT_MAXIMUM_REMAINDER) *
1395 BB_ASSERT_LT(worst_case_product_sum + add_right_maximum, get_maximum_crt_product());
1399 perform_reductions_for_mult_madd(new_input_left, new_input_right, new_to_add);
1401 for (
size_t i = 0; i < final_number_of_products; i++) {
1402 sum_of_products_final +=
uint1024_t(new_input_left[i].get_value()) *
uint1024_t(new_input_right[i].get_value());
1406 const size_t num_quotient_bits = get_quotient_max_bits({ DEFAULT_MAXIMUM_REMAINDER });
1409 const auto [quotient_1024, remainder_1024] = (sum_of_products_final + add_right_final_sum).divmod(modulus);
1413 if (fix_remainder_to_zero) {
1417 const uint512_t quotient_value = quotient_1024.
lo;
1418 const uint512_t remainder_value = remainder_1024.
lo;
1423 quotient = create_from_u512_as_witness(ctx, quotient_value,
false, num_quotient_bits);
1425 if (fix_remainder_to_zero) {
1431 remainder = create_from_u512_as_witness(ctx, remainder_value);
1438 unsafe_evaluate_multiple_multiply_add(new_input_left, new_input_right, new_to_add, quotient, { remainder });
1448template <
typename Builder,
typename T>
1464 return mult_madd(mul_left, mul_right, to_add);
1485template <
typename Builder,
typename T>
1490 bool enable_divisor_nz_check)
1494 BB_ASSERT((divisor.
get_value() % modulus_u512) != 0,
"bigfield: Division by zero in msub_div");
1497 for (
auto [left_element, right_element] :
zip_view(mul_left, mul_right)) {
1498 new_tag =
OriginTag(new_tag,
OriginTag(left_element.get_origin_tag(), right_element.get_origin_tag()));
1500 for (
auto&
element : to_sub) {
1506 for (
auto& el : mul_left) {
1507 if (el.context != NULL) {
1514 for (
auto& el : mul_right) {
1515 if (el.context != NULL) {
1522 for (
auto& el : to_sub) {
1523 if (el.context != NULL) {
1529 const size_t num_multiplications = mul_left.size();
1530 native product_native = 0;
1531 bool products_constant =
true;
1534 if (enable_divisor_nz_check) {
1539 for (
size_t i = 0; i < num_multiplications; ++i) {
1540 const native mul_left_native(
uint512_t(mul_left[i].get_value() % modulus_u512).lo);
1541 const native mul_right_native(
uint512_t(mul_right[i].get_value() % modulus_u512).lo);
1542 product_native += (mul_left_native * -mul_right_native);
1543 products_constant = products_constant && mul_left[i].is_constant() && mul_right[i].is_constant();
1548 bool sub_constant =
true;
1549 for (
const auto& sub : to_sub) {
1550 sub_native += (
uint512_t(sub.get_value() % modulus_u512).
lo);
1551 sub_constant = sub_constant && sub.is_constant();
1557 const native result_native = (product_native - sub_native) / divisor_native;
1562 if (sub_constant && products_constant && divisor.
is_constant()) {
1570 bigfield result = create_from_u512_as_witness(ctx, result_value.
lo);
1577 for (
const auto& in : mul_left) {
1578 eval_left.emplace_back(in);
1580 for (
const auto& in : mul_right) {
1581 eval_right.emplace_back(in);
1584 mult_madd(eval_left, eval_right, to_sub,
true);
1589template <
typename Builder,
typename T>
1595 auto result = *
this;
1598 uint512_t out_val = (modulus_u512 - get_value()) % modulus_u512;
1619template <
typename Builder,
typename T>
1633 const bool is_add_constant_same =
a.additive_constant ==
b.additive_constant;
1634 const bool is_mul_constant_same =
a.multiplicative_constant ==
b.multiplicative_constant;
1635 return is_witness_index_same && is_add_constant_same && is_mul_constant_same;
1642 bool is_prime_limb_same = is_limb_same(prime_basis_limb, other.
prime_basis_limb);
1643 if (is_limb_0_same && is_limb_1_same && is_limb_2_same && is_limb_3_same && is_prime_limb_same) {
1669 other.
binary_basis_limbs[0].element - binary_basis_limbs[0].element, binary_basis_limbs[0].element);
1671 other.
binary_basis_limbs[1].element - binary_basis_limbs[1].element, binary_basis_limbs[1].element);
1673 other.
binary_basis_limbs[2].element - binary_basis_limbs[2].element, binary_basis_limbs[2].element);
1675 other.
binary_basis_limbs[3].element - binary_basis_limbs[3].element, binary_basis_limbs[3].element);
1716 auto lhs = get_value() % modulus_u512;
1717 auto rhs = other.
get_value() % modulus_u512;
1718 bool is_equal_raw = (lhs == rhs);
1720 return is_equal_raw;
1732 native inverse_native = is_equal_raw ? 0 : diff_native.
invert();
1741 bigfield product = diff * multiplicand;
1756 if (is_constant()) {
1757 uint256_t reduced_value = (get_value() % modulus_u512).lo;
1760 const auto origin_tags = std::vector({ binary_basis_limbs[0].element.get_origin_tag(),
1761 binary_basis_limbs[1].
element.get_origin_tag(),
1762 binary_basis_limbs[2].element.get_origin_tag(),
1763 binary_basis_limbs[3].element.get_origin_tag(),
1764 prime_basis_limb.get_origin_tag() });
1775 binary_basis_limbs[1].element.set_origin_tag(origin_tags[1]);
1776 binary_basis_limbs[2].element.set_origin_tag(origin_tags[2]);
1777 binary_basis_limbs[3].element.set_origin_tag(origin_tags[3]);
1778 prime_basis_limb.set_origin_tag(origin_tags[4]);
1782 uint256_t maximum_unreduced_limb_value = get_maximum_unreduced_limb_value();
1783 bool limb_overflow_test_0 = binary_basis_limbs[0].maximum_value > maximum_unreduced_limb_value;
1784 bool limb_overflow_test_1 = binary_basis_limbs[1].maximum_value > maximum_unreduced_limb_value;
1785 bool limb_overflow_test_2 = binary_basis_limbs[2].maximum_value > maximum_unreduced_limb_value;
1786 bool limb_overflow_test_3 = binary_basis_limbs[3].maximum_value > maximum_unreduced_limb_value;
1787 if (get_maximum_value() > get_maximum_unreduced_value() || limb_overflow_test_0 || limb_overflow_test_1 ||
1788 limb_overflow_test_2 || limb_overflow_test_3) {
1796 uint256_t prohibited_limb_value = get_prohibited_limb_value();
1797 bool limb_overflow_test_0 = binary_basis_limbs[0].maximum_value > prohibited_limb_value;
1798 bool limb_overflow_test_1 = binary_basis_limbs[1].maximum_value > prohibited_limb_value;
1799 bool limb_overflow_test_2 = binary_basis_limbs[2].maximum_value > prohibited_limb_value;
1800 bool limb_overflow_test_3 = binary_basis_limbs[3].maximum_value > prohibited_limb_value;
1803 BB_ASSERT(!(get_maximum_value() > get_prohibited_value() || limb_overflow_test_0 || limb_overflow_test_1 ||
1804 limb_overflow_test_2 || limb_overflow_test_3));
1807template <
typename Builder,
typename T>
1812 (binary_basis_limbs[0].element * predicate_field).assert_is_zero(msg +
": binary limb 0 not zero");
1813 (binary_basis_limbs[1].element * predicate_field).assert_is_zero(msg +
": binary limb 1 not zero");
1814 (binary_basis_limbs[2].element * predicate_field).assert_is_zero(msg +
": binary limb 2 not zero");
1815 (binary_basis_limbs[3].element * predicate_field).assert_is_zero(msg +
": binary limb 3 not zero");
1816 (prime_basis_limb * predicate_field).assert_is_zero(msg +
": prime limb not zero");
1828 assert_less_than(modulus, msg ==
"bigfield::assert_is_in_field" ?
"bigfield::assert_less_than" : msg);
1833template <
typename Builder,
typename T>
1837 if (is_constant()) {
1838 BB_ASSERT((get_value() % modulus_u512).lo < upper_limit, msg);
1842 bool is_default_msg = msg ==
"bigfield::assert_less_than";
1847 auto ctx = get_context();
1848 ctx->range_constrain_two_limbs(binary_basis_limbs[0].
element.get_witness_index(),
1849 binary_basis_limbs[1].element.get_witness_index(),
1850 static_cast<size_t>(NUM_LIMB_BITS),
1851 static_cast<size_t>(NUM_LIMB_BITS),
1852 is_default_msg ?
"bigfield::assert_less_than: limb 0 or 1 too large" : msg);
1855 ctx->range_constrain_two_limbs(binary_basis_limbs[2].
element.get_witness_index(),
1856 binary_basis_limbs[3].element.get_witness_index(),
1857 static_cast<size_t>(NUM_LIMB_BITS),
1858 static_cast<size_t>(NUM_LAST_LIMB_BITS),
1859 is_default_msg ?
"bigfield::assert_less_than: limb 2 or 3 too large" : msg);
1862 unsafe_assert_less_than(upper_limit, is_default_msg ?
"bigfield::unsafe_assert_less_than" : msg);
1866template <
typename Builder,
typename T>
1869 bool is_default_msg = msg ==
"bigfield::is_less_than";
1874 ctx->range_constrain_two_limbs(binary_basis_limbs[0].
element.get_witness_index(),
1875 binary_basis_limbs[1].element.get_witness_index(),
1876 static_cast<size_t>(NUM_LIMB_BITS),
1877 static_cast<size_t>(NUM_LIMB_BITS),
1878 is_default_msg ?
"bigfield::is_less_than: limb 0 or 1 too large" : msg);
1880 ctx->range_constrain_two_limbs(binary_basis_limbs[2].
element.get_witness_index(),
1881 binary_basis_limbs[3].element.get_witness_index(),
1882 static_cast<size_t>(NUM_LIMB_BITS),
1883 static_cast<size_t>(NUM_LIMB_BITS),
1884 is_default_msg ?
"bigfield::is_less_than: limb 2 or 3 too large" : msg);
1886 const uint256_t upper_limit_value_0 = upper_limit.
slice(0, NUM_LIMB_BITS);
1887 const uint256_t upper_limit_value_1 = upper_limit.
slice(NUM_LIMB_BITS, NUM_LIMB_BITS * 2);
1888 const uint256_t upper_limit_value_2 = upper_limit.
slice(NUM_LIMB_BITS * 2, NUM_LIMB_BITS * 3);
1889 const uint256_t upper_limit_value_3 = upper_limit.
slice(NUM_LIMB_BITS * 3, NUM_LIMB_BITS * 4);
1892 binary_basis_limbs[3].element.template ranged_less_than<NUM_LIMB_BITS>(
field_t<Builder>(upper_limit_value_3));
1896 binary_basis_limbs[2].element.template ranged_less_than<NUM_LIMB_BITS>(
field_t<Builder>(upper_limit_value_2));
1900 binary_basis_limbs[1].element.template ranged_less_than<NUM_LIMB_BITS>(
field_t<Builder>(upper_limit_value_1));
1904 binary_basis_limbs[0].element.template ranged_less_than<NUM_LIMB_BITS>(
field_t<Builder>(upper_limit_value_0));
1908 third_limb_is_smaller || (third_limb_is_equal && second_limb_is_smaller) ||
1909 (third_limb_is_equal && second_limb_is_equal && first_limb_is_smaller) ||
1910 (third_limb_is_equal && second_limb_is_equal && first_limb_is_equal && zeroth_limb_is_smaller);
1924 unsafe_assert_less_than(modulus);
1929template <
typename Builder,
typename T>
1934 if (is_constant()) {
1945 const uint256_t upper_limit_value_0 = strict_upper_limit.
slice(0, NUM_LIMB_BITS);
1946 const uint256_t upper_limit_value_1 = strict_upper_limit.
slice(NUM_LIMB_BITS, NUM_LIMB_BITS * 2);
1947 const uint256_t upper_limit_value_2 = strict_upper_limit.
slice(NUM_LIMB_BITS * 2, NUM_LIMB_BITS * 3);
1948 const uint256_t upper_limit_value_3 = strict_upper_limit.
slice(NUM_LIMB_BITS * 3, NUM_LIMB_BITS * 4);
1951 const uint256_t val_1 =
value.slice(NUM_LIMB_BITS, NUM_LIMB_BITS * 2);
1952 const uint256_t val_2 =
value.slice(NUM_LIMB_BITS * 2, NUM_LIMB_BITS * 3);
1954 bool borrow_0_value = val_0 > upper_limit_value_0;
1955 bool borrow_1_value = (val_1 +
uint256_t(borrow_0_value)) > (upper_limit_value_1);
1956 bool borrow_2_value = (val_2 +
uint256_t(borrow_1_value)) > (upper_limit_value_2);
1976 upper_limit_0 - binary_basis_limbs[0].element + (
static_cast<field_t<Builder>>(borrow_0) * shift_1);
1984 get_context()->range_constrain_two_limbs(
1987 static_cast<size_t>(NUM_LIMB_BITS),
1988 static_cast<size_t>(NUM_LIMB_BITS),
1989 msg ==
"bigfield::unsafe_assert_less_than" ?
"bigfield::unsafe_assert_less_than: r0 or r1 too large" : msg);
1990 get_context()->range_constrain_two_limbs(
1993 static_cast<size_t>(NUM_LIMB_BITS),
1994 static_cast<size_t>(NUM_LIMB_BITS),
1995 msg ==
"bigfield::unsafe_assert_less_than" ?
"bigfield::unsafe_assert_less_than: r2 or r3 too large" : msg);
2003template <
typename Builder,
typename T>
2008 std::cerr <<
"bigfield: calling assert equal on 2 CONSTANT bigfield elements...is this intended?" <<
std::endl;
2009 BB_ASSERT_EQ(get_value(), other.
get_value(),
"We expect constants to be less than the target modulus");
2031 }
else if (is_constant()) {
2036 uint512_t lhs_reduced_value = get_value() % modulus_u512;
2038 if ((lhs_reduced_value != rhs_reduced_value) && !get_context()->failed()) {
2039 get_context()->failure(msg);
2043 const auto original_tag = get_origin_tag();
2046 set_origin_tag(empty_tag);
2051 const uint512_t modulus(target_basis.modulus);
2053 const auto [quotient_512, remainder_512] = (diff_val).divmod(modulus);
2054 if (remainder_512 != 0) {
2059 const size_t num_quotient_bits = get_quotient_max_bits({ 0 });
2061 witness_t(ctx,
fr(quotient_512.slice(NUM_LIMB_BITS * 2, NUM_LIMB_BITS * 4).lo)),
2064 unsafe_evaluate_multiply_add(diff, { one() }, {}, quotient, { zero() });
2067 set_origin_tag(original_tag);
2080template <
typename Builder,
typename T>
2084 const auto get_overload_count = [target_modulus = modulus_u512](
const uint512_t& maximum_value) {
2086 size_t overload_count = 0;
2087 while (target <= maximum_value) {
2089 target += target_modulus;
2091 return overload_count;
2093 const size_t lhs_overload_count = get_overload_count(get_maximum_value());
2094 const size_t rhs_overload_count = get_overload_count(other.
get_maximum_value());
2102 auto diff = base_diff;
2107 for (
size_t i = 0; i < lhs_overload_count; ++i) {
2108 diff = diff * (base_diff - prime_basis_accumulator);
2109 prime_basis_accumulator += prime_basis;
2111 prime_basis_accumulator = prime_basis;
2112 for (
size_t i = 0; i < rhs_overload_count; ++i) {
2113 diff = diff * (base_diff + prime_basis_accumulator);
2114 prime_basis_accumulator += prime_basis;
2127 if (is_constant()) {
2131 const auto [quotient_value, remainder_value] = get_value().divmod(target_basis.modulus);
2135 uint512_t maximum_quotient_size = get_maximum_value() / target_basis.modulus;
2136 uint64_t maximum_quotient_bits = maximum_quotient_size.
get_msb() + 1;
2137 if ((maximum_quotient_bits & 1ULL) == 1ULL) {
2138 ++maximum_quotient_bits;
2142 uint32_t quotient_limb_index =
context->add_variable(
bb::fr(quotient_value.
lo));
2145 static_cast<size_t>(maximum_quotient_bits));
2148 get_maximum_crt_product());
2159 unsafe_evaluate_multiply_add(*
this, one(), {}, quotient, { remainder });
2160 binary_basis_limbs[0] =
2166 set_origin_tag(new_tag);
2169template <
typename Builder,
typename T>
2178 BB_ASSERT_LTE(input_remainders.size(), MAXIMUM_SUMMAND_COUNT);
2183 for (
auto& el : to_add) {
2186 for (
auto& el : input_remainders) {
2194 bigfield quotient = input_quotient;
2209 std::tie(max_q_neg_p_lo, max_q_neg_p_hi) = compute_partial_schoolbook_multiplication(
2215 for (
const auto& remainder : input_remainders) {
2236 (max_remainders_lo + ((
uint256_t(1) << (2 * NUM_LIMB_BITS)) - 1)) >> (2 * NUM_LIMB_BITS);
2241 for (
size_t i = 0; i < to_add.size(); ++i) {
2242 max_a0 += to_add[i].binary_basis_limbs[0].maximum_value +
2243 (to_add[i].binary_basis_limbs[1].maximum_value << NUM_LIMB_BITS);
2244 max_a1 += to_add[i].binary_basis_limbs[2].maximum_value +
2245 (to_add[i].binary_basis_limbs[3].maximum_value << NUM_LIMB_BITS);
2247 const uint512_t max_lo = max_ab_lo + max_q_neg_p_lo + max_remainders_lo + max_a0;
2248 const uint512_t max_lo_carry = max_lo >> (2 * NUM_LIMB_BITS);
2249 const uint512_t max_hi = max_ab_hi + max_q_neg_p_hi + max_a1 + max_lo_carry;
2251 uint64_t max_lo_bits = (max_lo.
get_msb() + 1);
2252 uint64_t max_hi_bits = max_hi.
get_msb() + 1;
2254 BB_ASSERT(max_lo_bits > (2 * NUM_LIMB_BITS));
2255 BB_ASSERT(max_hi_bits > (2 * NUM_LIMB_BITS));
2257 uint64_t carry_lo_msb = max_lo_bits - (2 * NUM_LIMB_BITS);
2258 uint64_t carry_hi_msb = max_hi_bits - (2 * NUM_LIMB_BITS);
2260 if (max_lo_bits < (2 * NUM_LIMB_BITS)) {
2263 if (max_hi_bits < (2 * NUM_LIMB_BITS)) {
2295 const auto convert_constant_to_fixed_witness = [ctx](
const bigfield& input) {
2298 auto original_tag = input.get_origin_tag();
2302 ctx, ctx->put_constant_variable(input.binary_basis_limbs[0].element.get_value()));
2304 ctx, ctx->put_constant_variable(input.binary_basis_limbs[1].element.get_value()));
2306 ctx, ctx->put_constant_variable(input.binary_basis_limbs[2].element.get_value()));
2308 ctx, ctx->put_constant_variable(input.binary_basis_limbs[3].element.get_value()));
2315 left = convert_constant_to_fixed_witness(left);
2318 to_mul = convert_constant_to_fixed_witness(to_mul);
2321 quotient = convert_constant_to_fixed_witness(quotient);
2323 if (remainders[0].is_constant()) {
2324 remainders[0] = convert_constant_to_fixed_witness(remainders[0]);
2330 for (
size_t i = 1; i < remainders.size(); ++i) {
2331 limb_0_accumulator.emplace_back(remainders[i].binary_basis_limbs[0].
element);
2332 limb_0_accumulator.emplace_back(remainders[i].binary_basis_limbs[1].
element * shift_1);
2333 limb_2_accumulator.emplace_back(remainders[i].binary_basis_limbs[2].
element);
2334 limb_2_accumulator.emplace_back(remainders[i].binary_basis_limbs[3].
element * shift_1);
2335 prime_limb_accumulator.emplace_back(remainders[i].prime_basis_limb);
2337 for (
const auto& add : to_add) {
2338 limb_0_accumulator.emplace_back(-add.binary_basis_limbs[0].element);
2339 limb_0_accumulator.emplace_back(-add.binary_basis_limbs[1].element * shift_1);
2340 limb_2_accumulator.emplace_back(-add.binary_basis_limbs[2].element);
2341 limb_2_accumulator.emplace_back(-add.binary_basis_limbs[3].element * shift_1);
2342 prime_limb_accumulator.emplace_back(-add.prime_basis_limb);
2345 const auto& t0 = remainders[0].binary_basis_limbs[1].element;
2346 const auto& t1 = remainders[0].binary_basis_limbs[3].element;
2347 bool needs_normalize = (t0.additive_constant != 0 || t0.multiplicative_constant != 1);
2348 needs_normalize = needs_normalize || (t1.additive_constant != 0 || t1.multiplicative_constant != 1);
2350 if (needs_normalize) {
2351 limb_0_accumulator.emplace_back(remainders[0].binary_basis_limbs[1].
element * shift_1);
2352 limb_2_accumulator.emplace_back(remainders[0].binary_basis_limbs[3].
element * shift_1);
2358 : remainders[0].binary_basis_limbs[1].element,
2361 : remainders[0].binary_basis_limbs[3].element,
2370 remainder_limbs[0].get_witness_index(),
2371 remainder_limbs[1].get_witness_index(),
2372 remainder_limbs[2].get_witness_index(),
2373 remainder_limbs[3].get_witness_index(),
2375 { neg_modulus_mod_binary_basis_limbs[0],
2376 neg_modulus_mod_binary_basis_limbs[1],
2377 neg_modulus_mod_binary_basis_limbs[2],
2378 neg_modulus_mod_binary_basis_limbs[3] },
2382 const auto [lo_idx, hi_idx] = ctx->evaluate_non_native_field_multiplication(witnesses);
2387 -remainder_prime_limb,
2388 "bigfield: prime limb identity failed");
2395 if (carry_lo_msb <= 70 && carry_hi_msb <= 70) {
2398 static_cast<size_t>(carry_hi_msb),
2399 static_cast<size_t>(carry_lo_msb),
2400 "bigfield::unsafe_evaluate_multiply_add: carries too large");
2407template <
typename Builder,
typename T>
2417 BB_ASSERT_LTE(input_remainders.size(), MAXIMUM_SUMMAND_COUNT);
2420 bool is_left_constant =
true;
2421 for (
auto& el : input_left) {
2423 is_left_constant &= el.is_constant();
2425 bool is_right_constant =
true;
2426 for (
auto& el : input_right) {
2428 is_right_constant &= el.is_constant();
2430 for (
auto& el : to_add) {
2434 for (
auto& el : input_remainders) {
2439 BB_ASSERT(!is_left_constant || !is_right_constant);
2444 bigfield quotient = input_quotient;
2445 const size_t num_multiplications = input_left.size();
2449 for (
const auto& el : input_left) {
2455 if (ctx ==
nullptr) {
2456 for (
const auto& el : input_right) {
2477 for (
const auto& remainder : input_remainders) {
2498 (max_remainders_lo + ((
uint256_t(1) << (2 * NUM_LIMB_BITS)) - 1)) >> (2 * NUM_LIMB_BITS);
2502 const auto [max_q_neg_p_lo, max_q_neg_p_hi] = compute_partial_schoolbook_multiplication(
2506 max_lo += max_q_neg_p_lo + max_remainders_lo;
2507 max_hi += max_q_neg_p_hi;
2512 for (
size_t i = 0; i < to_add.size(); ++i) {
2513 max_a0 += to_add[i].binary_basis_limbs[0].maximum_value +
2514 (to_add[i].binary_basis_limbs[1].maximum_value << NUM_LIMB_BITS);
2515 max_a1 += to_add[i].binary_basis_limbs[2].maximum_value +
2516 (to_add[i].binary_basis_limbs[3].maximum_value << NUM_LIMB_BITS);
2522 for (
size_t i = 0; i < num_multiplications; ++i) {
2523 const auto [product_lo, product_hi] = compute_partial_schoolbook_multiplication(
2524 left[i].get_binary_basis_limb_maximums(), right[i].get_binary_basis_limb_maximums());
2525 max_lo += product_lo;
2526 max_hi += product_hi;
2529 const uint512_t max_lo_carry = max_lo >> (2 * NUM_LIMB_BITS);
2530 max_hi += max_lo_carry;
2533 uint64_t max_lo_bits = (max_lo.
get_msb() + 1);
2534 uint64_t max_hi_bits = max_hi.
get_msb() + 1;
2564 const auto convert_constant_to_fixed_witness = [ctx](
const bigfield& input) {
2568 auto original_tag = input.get_origin_tag();
2572 ctx, ctx->put_constant_variable(input.binary_basis_limbs[0].element.get_value()));
2574 ctx, ctx->put_constant_variable(input.binary_basis_limbs[1].element.get_value()));
2576 ctx, ctx->put_constant_variable(input.binary_basis_limbs[2].element.get_value()));
2578 ctx, ctx->put_constant_variable(input.binary_basis_limbs[3].element.get_value()));
2599 for (
size_t i = 0; i < num_multiplications; ++i) {
2600 if (left[i].is_constant()) {
2601 left[i] = convert_constant_to_fixed_witness(left[i]);
2603 if (right[i].is_constant()) {
2604 right[i] = convert_constant_to_fixed_witness(right[i]);
2609 left[i].get_binary_basis_limb_witness_indices(),
2610 right[i].get_binary_basis_limb_witness_indices(),
2613 const auto [lo_2_idx, hi_2_idx] = ctx->queue_partial_non_native_field_multiplication(mul_witnesses);
2623 limb_0_accumulator.emplace_back(-lo_2);
2624 limb_2_accumulator.emplace_back(-hi_2);
2625 prime_limb_accumulator.emplace_back(-(left[i].prime_basis_limb * right[i].prime_basis_limb));
2629 quotient = convert_constant_to_fixed_witness(quotient);
2632 bool no_remainders = remainders.empty();
2633 if (!no_remainders) {
2634 limb_0_accumulator.emplace_back(remainders[0].binary_basis_limbs[0].
element);
2635 limb_2_accumulator.emplace_back(remainders[0].binary_basis_limbs[2].
element);
2636 prime_limb_accumulator.emplace_back(remainders[0].prime_basis_limb);
2638 for (
size_t i = 1; i < remainders.size(); ++i) {
2639 limb_0_accumulator.emplace_back(remainders[i].binary_basis_limbs[0].
element);
2640 limb_0_accumulator.emplace_back(remainders[i].binary_basis_limbs[1].
element * shift_1);
2641 limb_2_accumulator.emplace_back(remainders[i].binary_basis_limbs[2].
element);
2642 limb_2_accumulator.emplace_back(remainders[i].binary_basis_limbs[3].
element * shift_1);
2643 prime_limb_accumulator.emplace_back(remainders[i].prime_basis_limb);
2645 for (
const auto& add : to_add) {
2646 limb_0_accumulator.emplace_back(-add.binary_basis_limbs[0].element);
2647 limb_0_accumulator.emplace_back(-add.binary_basis_limbs[1].element * shift_1);
2648 limb_2_accumulator.emplace_back(-add.binary_basis_limbs[2].element);
2649 limb_2_accumulator.emplace_back(-add.binary_basis_limbs[3].element * shift_1);
2650 prime_limb_accumulator.emplace_back(-add.prime_basis_limb);
2664 : remainders[0].binary_basis_limbs[1].element;
2669 : remainders[0].binary_basis_limbs[3].element;
2682 left[0].get_binary_basis_limb_witness_indices(),
2683 right[0].get_binary_basis_limb_witness_indices(),
2686 remainder_limbs[0].get_witness_index(),
2687 remainder_limbs[1].get_witness_index(),
2688 remainder_limbs[2].get_witness_index(),
2689 remainder_limbs[3].get_witness_index(),
2691 { neg_modulus_mod_binary_basis_limbs[0],
2692 neg_modulus_mod_binary_basis_limbs[1],
2693 neg_modulus_mod_binary_basis_limbs[2],
2694 neg_modulus_mod_binary_basis_limbs[3] },
2697 const auto [lo_1_idx, hi_1_idx] = ctx->evaluate_non_native_field_multiplication(witnesses);
2700 right[0].prime_basis_limb,
2702 -remainder_prime_limb,
2703 "bigfield: prime limb identity failed");
2708 BB_ASSERT(max_lo_bits > (2 * NUM_LIMB_BITS));
2709 BB_ASSERT(max_hi_bits > (2 * NUM_LIMB_BITS));
2711 uint64_t carry_lo_msb = max_lo_bits - (2 * NUM_LIMB_BITS);
2712 uint64_t carry_hi_msb = max_hi_bits - (2 * NUM_LIMB_BITS);
2714 if (max_lo_bits < (2 * NUM_LIMB_BITS)) {
2717 if (max_hi_bits < (2 * NUM_LIMB_BITS)) {
2723 if (carry_lo_msb <= 70 && carry_hi_msb <= 70) {
2726 static_cast<size_t>(carry_hi_msb),
2727 static_cast<size_t>(carry_lo_msb),
2728 "bigfield::unsafe_evaluate_multiply_add: carries too large");
2735template <
typename Builder,
typename T>
2756 unsafe_evaluate_multiply_add(left, left, to_add, quotient, { remainder });
2759template <
typename Builder,
typename T>
2766 for (
const auto& add_element : to_add) {
2767 add_element.reduction_check();
2774 const uint1024_t modulus(target_basis.modulus);
2776 const auto [quotient_1024, remainder_1024] = (left * right + add_right).divmod(modulus);
2778 return { quotient_1024.lo, remainder_1024.lo };
2781template <
typename Builder,
typename T>
2790 for (
const auto& add_element : to_add) {
2794 for (
size_t i = 0; i < as.size(); i++) {
2798 const uint1024_t modulus(target_basis.modulus);
2800 const auto [quotient_1024, remainder_1024] = (product_sum + add_right).divmod(modulus);
2802 return quotient_1024.lo;
2804template <
typename Builder,
typename T>
2814 BB_ASSERT_LTE(remainders_max.size(), MAXIMUM_SUMMAND_COUNT);
2817 if (mul_product_overflows_crt_modulus(as_max, bs_max, to_add)) {
2820 const size_t num_quotient_bits = get_quotient_max_bits(remainders_max);
2822 for (
auto& added_element : to_add) {
2823 to_add_max.push_back(added_element.get_maximum_value());
2826 const uint512_t maximum_quotient = compute_maximum_quotient_value(as_max, bs_max, to_add_max);
2829 if (maximum_quotient >= (
uint512_t(1) << num_quotient_bits)) {
2835template <
typename Builder,
typename T>
2839 const uint512_t b0_inner = (a_limbs[1] * b_limbs[0]);
2840 const uint512_t b1_inner = (a_limbs[0] * b_limbs[1]);
2841 const uint512_t c0_inner = (a_limbs[1] * b_limbs[1]);
2842 const uint512_t c1_inner = (a_limbs[2] * b_limbs[0]);
2843 const uint512_t c2_inner = (a_limbs[0] * b_limbs[2]);
2844 const uint512_t d0_inner = (a_limbs[3] * b_limbs[0]);
2845 const uint512_t d1_inner = (a_limbs[2] * b_limbs[1]);
2846 const uint512_t d2_inner = (a_limbs[1] * b_limbs[2]);
2847 const uint512_t d3_inner = (a_limbs[0] * b_limbs[3]);
2849 const uint512_t r0_inner = (a_limbs[0] * b_limbs[0]);
2850 const uint512_t r1_inner = b0_inner + b1_inner;
2851 const uint512_t r2_inner = c0_inner + c1_inner + c2_inner;
2852 const uint512_t r3_inner = d0_inner + d1_inner + d2_inner + d3_inner;
2853 const uint512_t lo_val = r0_inner + (r1_inner << NUM_LIMB_BITS);
2854 const uint512_t hi_val = r2_inner + (r3_inner << NUM_LIMB_BITS);
2869template <
typename Builder,
typename T>
2871 const uint32_t limb_idx,
2872 const size_t num_limb_bits)
2881 const uint32_t low_idx = ctx->add_variable(
bb::fr(low));
2882 const uint32_t hi_idx = ctx->add_variable(
bb::fr(hi));
2885 const size_t lo_bits = NUM_LIMB_BITS;
2886 const size_t hi_bits = num_limb_bits - NUM_LIMB_BITS;
2887 ctx->range_constrain_two_limbs(
2888 low_idx, hi_idx, lo_bits, hi_bits,
"decompose_non_native_field_double_width_limb: limbs too large");
2890 return std::array<uint32_t, 2>{ low_idx, hi_idx };
#define BB_ASSERT(expression,...)
#define BB_ASSERT_GT(left, right,...)
#define BB_ASSERT_EQ(actual, expected,...)
#define BB_ASSERT_LTE(left, right,...)
#define BB_ASSERT_LT(left, right,...)
constexpr uint256_t slice(uint64_t start, uint64_t end) const
constexpr uint64_t get_msb() const
constexpr uintx slice(const uint64_t start, const uint64_t end) const
constexpr uint64_t get_msb() const
static void unsafe_evaluate_multiple_multiply_add(const std::vector< bigfield > &input_left, const std::vector< bigfield > &input_right, const std::vector< bigfield > &to_add, const bigfield &input_quotient, const std::vector< bigfield > &input_remainders)
Evaluate a relation involving multiple multiplications and additions.
static bigfield conditional_assign(const bool_t< Builder > &predicate, const bigfield &lhs, const bigfield &rhs)
static bigfield msub_div(const std::vector< bigfield > &mul_left, const std::vector< bigfield > &mul_right, const bigfield &divisor, const std::vector< bigfield > &to_sub, bool enable_divisor_nz_check=true)
Builder * get_context() const
bigfield operator*(const bigfield &other) const
Evaluate a non-native field multiplication: (a * b = c mod p) where p == target_basis....
bigfield conditional_select(const bigfield &other, const bool_t< Builder > &predicate) const
Create an element which is equal to either this or other based on the predicate.
static bigfield div_check_denominator_nonzero(const std::vector< bigfield > &numerators, const bigfield &denominator)
static bigfield sum(const std::vector< bigfield > &terms)
Create constraints for summing these terms.
bigfield(const field_t< Builder > &low_bits, const field_t< Builder > &high_bits, const bool can_overflow=false, const size_t maximum_bitlength=0)
Constructs a new bigfield object from two field elements representing the low and high bits.
static void unsafe_evaluate_square_add(const bigfield &left, const std::vector< bigfield > &to_add, const bigfield "ient, const bigfield &remainder)
Evaluate a square with several additions.
bigfield madd(const bigfield &to_mul, const std::vector< bigfield > &to_add) const
Compute a * b + ...to_add = c mod p.
bigfield conditional_negate(const bool_t< Builder > &predicate) const
static bigfield mult_madd(const std::vector< bigfield > &mul_left, const std::vector< bigfield > &mul_right, const std::vector< bigfield > &to_add, bool fix_remainder_to_zero=false)
void set_origin_tag(const bb::OriginTag &tag) const
uint512_t get_value() const
void assert_is_in_field(std::string const &msg="bigfield::assert_is_in_field") const
static bigfield internal_div(const std::vector< bigfield > &numerators, const bigfield &denominator, bool check_for_zero)
void assert_less_than(const uint256_t &upper_limit, std::string const &msg="bigfield::assert_less_than") const
bigfield add_to_lower_limb(const field_t< Builder > &other, const uint256_t &other_maximum_value) const
Add a field element to the lower limb. CAUTION (the element has to be constrained before using this f...
void set_free_witness_tag()
Set the free witness flag for the bigfield.
bigfield & operator=(const bigfield &other)
void convert_constant_to_fixed_witness(Builder *builder)
uint512_t get_maximum_value() const
std::array< uint256_t, NUM_LIMBS > get_binary_basis_limb_maximums()
Get the maximum values of the binary basis limbs.
static uint512_t compute_maximum_quotient_value(const std::vector< uint512_t > &as, const std::vector< uint512_t > &bs, const std::vector< uint512_t > &to_add)
Compute the maximum possible value of quotient of a*b+\sum(to_add)
bigfield sqradd(const std::vector< bigfield > &to_add) const
Square and add operator, computes a * a + ...to_add = c mod p.
bigfield add_two(const bigfield &add_a, const bigfield &add_b) const
Create constraints for summing three bigfield elements efficiently.
std::array< uint32_t, NUM_LIMBS > get_binary_basis_limb_witness_indices() const
Get the witness indices of the (normalized) binary basis limbs.
bb::OriginTag get_origin_tag() const
static bigfield from_witness(Builder *ctx, const bb::field< T > &input)
void reduction_check() const
Check if the bigfield element needs to be reduced.
void assert_zero_if(const bool_t< Builder > &predicate, std::string const &msg="bigfield::assert_zero_if failed") const
static constexpr uint256_t modulus
bool_t< Builder > is_less_than(const uint256_t &upper_limit, std::string const &msg="bigfield::is_less_than") const
static bigfield dual_madd(const bigfield &left_a, const bigfield &right_a, const bigfield &left_b, const bigfield &right_b, const std::vector< bigfield > &to_add)
bigfield sqr() const
Square operator, computes a * a = c mod p.
static void perform_reductions_for_mult_madd(std::vector< bigfield > &mul_left, std::vector< bigfield > &mul_right, const std::vector< bigfield > &to_add)
Performs individual reductions on the supplied elements as well as more complex reductions to prevent...
bool is_constant() const
Check if the bigfield is constant, i.e. its prime limb is constant.
static std::array< uint32_t, 2 > decompose_non_native_field_double_width_limb(Builder *ctx, const uint32_t limb_idx, const size_t num_limb_bits=(2 *NUM_LIMB_BITS))
Decompose a single witness into two limbs, range constrained to NUM_LIMB_BITS (68) and num_limb_bits ...
void reduce_mod_target_modulus() const
static std::pair< uint512_t, uint512_t > compute_quotient_remainder_values(const bigfield &a, const bigfield &b, const std::vector< bigfield > &to_add)
Compute the quotient and remainder values for dividing (a * b + (to_add[0] + ... + to_add[-1])) with ...
void unsafe_assert_less_than(const uint256_t &upper_limit, std::string const &msg="bigfield::unsafe_assert_less_than") const
Assert that the current bigfield is less than the given upper limit.
bigfield operator+(const bigfield &other) const
Adds two bigfield elements. Inputs are reduced to the modulus if necessary. Requires 4 gates if both ...
void assert_equal(const bigfield &other, std::string const &msg="bigfield::assert_equal") const
static bigfield create_from_u512_as_witness(Builder *ctx, const uint512_t &value, const bool can_overflow=false, const size_t maximum_bitlength=0)
Creates a bigfield element from a uint512_t. Bigfield element is constructed as a witness and not a c...
bigfield pow(const uint32_t exponent) const
Raise the bigfield element to the power of (out-of-circuit) exponent.
static std::pair< bool, size_t > get_quotient_reduction_info(const std::vector< uint512_t > &as_max, const std::vector< uint512_t > &bs_max, const std::vector< bigfield > &to_add, const std::vector< uint1024_t > &remainders_max={ DEFAULT_MAXIMUM_REMAINDER })
Check for 2 conditions (CRT modulus is overflown or the maximum quotient doesn't fit into range proof...
static bigfield unsafe_construct_from_limbs(const field_t< Builder > &a, const field_t< Builder > &b, const field_t< Builder > &c, const field_t< Builder > &d, const bool can_overflow=false)
Construct a bigfield element from binary limbs that are already reduced.
void sanity_check() const
Perform a sanity check on a value that is about to interact with another value.
static void unsafe_evaluate_multiply_add(const bigfield &input_left, const bigfield &input_to_mul, const std::vector< bigfield > &to_add, const bigfield &input_quotient, const std::vector< bigfield > &input_remainders)
Evaluate a multiply add identity with several added elements and several remainders.
field_t< Builder > prime_basis_limb
Represents a bigfield element in the prime basis: (a mod n) where n is the native modulus.
static bigfield div_without_denominator_check(const std::vector< bigfield > &numerators, const bigfield &denominator)
std::array< Limb, NUM_LIMBS > binary_basis_limbs
Represents a bigfield element in the binary basis. A bigfield element is represented as a combination...
bool_t< Builder > operator==(const bigfield &other) const
Validate whether two bigfield elements are equal to each other.
bigfield operator-() const
Negation operator, works by subtracting this from zero.
static std::pair< uint512_t, uint512_t > compute_partial_schoolbook_multiplication(const std::array< uint256_t, NUM_LIMBS > &a_limbs, const std::array< uint256_t, NUM_LIMBS > &b_limbs)
Compute the partial multiplication of two uint256_t arrays using schoolbook multiplication.
void self_reduce() const
Reduce the bigfield element modulo the target modulus.
void assert_is_not_equal(const bigfield &other, std::string const &msg="bigfield: prime limb diff is zero, but expected non-zero") const
bigfield operator/(const bigfield &other) const
Implements boolean logic in-circuit.
void set_origin_tag(const OriginTag &new_tag) const
void unset_free_witness_tag()
OriginTag get_origin_tag() const
Represents a dynamic array of bytes in-circuit.
byte_array slice(size_t offset) const
Slice bytes from the byte array starting at offset. Does not add any constraints.
Builder * get_context() const
bb::OriginTag get_origin_tag() const
void assert_is_zero(std::string const &msg="field_t::assert_is_zero") const
Enforce a copy constraint between *this and 0 stored at zero_idx of the Builder.
void assert_equal(const field_t &rhs, std::string const &msg="field_t::assert_equal") const
Copy constraint: constrain that *this field is equal to rhs element.
field_t madd(const field_t &to_mul, const field_t &to_add) const
static field_t from_witness_index(Builder *ctx, uint32_t witness_index)
static void evaluate_polynomial_identity(const field_t &a, const field_t &b, const field_t &c, const field_t &d, const std::string &msg="field_t::evaluate_polynomial_identity")
Given a, b, c, d, constrain a * b + c + d = 0 by creating a big_mul_gate.
static field_t accumulate(const std::vector< field_t > &input)
Efficiently compute the sum of vector entries. Using big_add_gate we reduce the number of gates neede...
static bool witness_indices_match(const field_t &a, const field_t &b)
Check if two field elements have the same witness index (for identity checks).
void create_range_constraint(size_t num_bits, std::string const &msg="field_t::range_constraint") const
Let x = *this.normalize(), constrain x.v < 2^{num_bits}.
bb::fr multiplicative_constant
static field_t conditional_assign_internal(const bool_t< Builder > &predicate, const field_t &lhs, const field_t &rhs)
If predicate == true then return lhs, else return rhs.
bb::fr get_value() const
Given a := *this, compute its value given by a.v * a.mul + a.add.
static void evaluate_linear_identity(const field_t &a, const field_t &b, const field_t &c, const field_t &d, const std::string &msg="field_t::evaluate_linear_identity")
Constrain a + b + c + d to be equal to 0.
void set_origin_tag(const OriginTag &new_tag) const
field_t add_two(const field_t &add_b, const field_t &add_c) const
Efficiently compute (this + a + b) using big_mul gate.
void assert_is_not_zero(std::string const &msg="field_t::assert_is_not_zero") const
Constrain *this to be non-zero by establishing that it has an inverse.
uint32_t get_witness_index() const
Get the witness index of the current field element.
StrictMock< MockContext > context
stdlib::field_t< Builder > field_ct
void add_values(TreeType &tree, const std::vector< NullifierLeafValue > &values)
uintx< uint256_t > uint512_t
uintx< uint512_t > uint1024_t
std::conditional_t< IsGoblinBigGroup< C, Fq, Fr, G >, element_goblin::goblin_element< C, goblin_field< C >, Fr, G >, element_default::element< C, Fq, Fr, G > > element
element wraps either element_default::element or element_goblin::goblin_element depending on parametr...
Entry point for Barretenberg command-line interface.
Univariate< Fr, domain_end > operator+(const Fr &ff, const Univariate< Fr, domain_end > &uv)
field< Bn254FrParams > fr
C slice(C const &container, size_t start)
Inner sum(Cont< Inner, Args... > const &in)
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
This file contains part of the logic for the Origin Tag mechanism that tracks the use of in-circuit p...
static OriginTag constant()
constexpr field invert() const noexcept
Represents a single limb of a bigfield element, with its value and maximum value.
void throw_or_abort(std::string const &err)
1.9.8