- Generated by
1.9.8
|
Barretenberg
The ZK-SNARK library at the core of Aztec
|
#include <bigfield.hpp>
Classes | |
| struct | Basis |
| struct | Limb |
| Represents a single limb of a bigfield element, with its value and maximum value. More... | |
Public Types | |
| using | View = bigfield |
| using | CoefficientAccumulator = bigfield |
| using | TParams = T |
| using | native = bb::field< T > |
| using | field_ct = field_t< Builder > |
Public Member Functions | |
| bigfield (const field_t< Builder > &low_bits, const field_t< Builder > &high_bits, const bool can_overflow=false, const size_t maximum_bitlength=0) | |
| Constructs a new bigfield object from two field elements representing the low and high bits. | |
| bigfield (Builder *parent_context=nullptr) | |
| Constructs a zero bigfield object: all limbs are set to zero. | |
| bigfield (Builder *parent_context, const uint256_t &value) | |
| Constructs a new bigfield object from a uint256_t value. | |
| bigfield (const uint256_t &value) | |
| bigfield (const int value) | |
| Constructs a new bigfield object from an int value. We first need to to construct a field element from the value to avoid bugs that have to do with the value being negative. | |
| bigfield (const unsigned long value) | |
| bigfield (const unsigned long long value) | |
| bigfield (const native value) | |
| Construct a new bigfield object from bb::fq. We first convert to uint256_t as field elements are in Montgomery form internally. | |
| bigfield (const byte_array< Builder > &bytes) | |
| Constructs a bigfield element from a 256-bit byte array. | |
| bigfield (const bigfield &other) | |
| bigfield (bigfield &&other) noexcept | |
| ~bigfield ()=default | |
| bigfield & | operator= (const bigfield &other) |
| bigfield & | operator= (bigfield &&other) noexcept |
| uint512_t | get_value () const |
| uint512_t | get_maximum_value () const |
| bigfield | add_to_lower_limb (const field_t< Builder > &other, const uint256_t &other_maximum_value) const |
| Add a field element to the lower limb. CAUTION (the element has to be constrained before using this function) | |
| bigfield | operator+ (const bigfield &other) const |
| Adds two bigfield elements. Inputs are reduced to the modulus if necessary. Requires 4 gates if both elements are witnesses. | |
| bigfield | add_two (const bigfield &add_a, const bigfield &add_b) const |
| Create constraints for summing three bigfield elements efficiently. | |
| bigfield | operator- (const bigfield &other) const |
| Subtraction operator. | |
| bigfield | operator* (const bigfield &other) const |
| Evaluate a non-native field multiplication: (a * b = c mod p) where p == target_basis.modulus. | |
| bigfield | operator/ (const bigfield &other) const |
| bigfield | operator- () const |
Negation operator, works by subtracting this from zero. | |
| bigfield | operator+= (const bigfield &other) |
| bigfield | operator-= (const bigfield &other) |
| bigfield | operator*= (const bigfield &other) |
| bigfield | operator/= (const bigfield &other) |
| bigfield | sqr () const |
| Square operator, computes a * a = c mod p. | |
| bigfield | sqradd (const std::vector< bigfield > &to_add) const |
| Square and add operator, computes a * a + ...to_add = c mod p. | |
| bigfield | pow (const uint32_t exponent) const |
| Raise the bigfield element to the power of (out-of-circuit) exponent. | |
| bigfield | madd (const bigfield &to_mul, const std::vector< bigfield > &to_add) const |
| Compute a * b + ...to_add = c mod p. | |
| bigfield | div_without_denominator_check (const bigfield &denominator) |
| bigfield | conditional_negate (const bool_t< Builder > &predicate) const |
| bigfield | conditional_select (const bigfield &other, const bool_t< Builder > &predicate) const |
| Create an element which is equal to either this or other based on the predicate. | |
| bool_t< Builder > | operator== (const bigfield &other) const |
| Validate whether two bigfield elements are equal to each other. | |
| void | assert_zero_if (const bool_t< Builder > &predicate, std::string const &msg="bigfield::assert_zero_if failed") const |
| void | assert_is_in_field (std::string const &msg="bigfield::assert_is_in_field") const |
| void | assert_less_than (const uint256_t &upper_limit, std::string const &msg="bigfield::assert_less_than") const |
| void | reduce_mod_target_modulus () const |
| void | assert_equal (const bigfield &other, std::string const &msg="bigfield::assert_equal") const |
| void | assert_is_not_equal (const bigfield &other, std::string const &msg="bigfield: prime limb diff is zero, but expected non-zero") const |
| bool_t< Builder > | is_less_than (const uint256_t &upper_limit, std::string const &msg="bigfield::is_less_than") const |
| void | self_reduce () const |
| Reduce the bigfield element modulo the target modulus. | |
| bool | is_constant () const |
| Check if the bigfield is constant, i.e. its prime limb is constant. | |
| bigfield | invert () const |
| Inverting function with the assumption that the bigfield element we are calling invert on is not zero. | |
| void | convert_constant_to_fixed_witness (Builder *builder) |
| void | fix_witness () |
| Builder * | get_context () const |
| void | set_origin_tag (const bb::OriginTag &tag) const |
| void | clear_round_provenance () const |
| bb::OriginTag | get_origin_tag () const |
| void | set_free_witness_tag () |
| Set the free witness flag for the bigfield. | |
| void | unset_free_witness_tag () |
| Unset the free witness flag for the bigfield. | |
| uint32_t | set_public () const |
| Set the witness indices for the limbs of the bigfield to public. | |
Static Public Member Functions | |
| static bigfield | unsafe_construct_from_limbs (const field_t< Builder > &a, const field_t< Builder > &b, const field_t< Builder > &c, const field_t< Builder > &d, const bool can_overflow=false) |
| Construct a bigfield element from binary limbs that are already reduced. | |
| static bigfield | construct_from_limbs (const field_t< Builder > &a, const field_t< Builder > &b, const field_t< Builder > &c, const field_t< Builder > &d, const bool can_overflow=false) |
| Construct a bigfield element from binary limbs that are already reduced and ensure they are range constrained. | |
| static bigfield | unsafe_construct_from_limbs (const field_t< Builder > &a, const field_t< Builder > &b, const field_t< Builder > &c, const field_t< Builder > &d, const field_t< Builder > &prime_limb, const bool can_overflow=false) |
| Construct a bigfield element from binary limbs and a prime basis limb that are already reduced. | |
| static bigfield | create_from_u512_as_witness (Builder *ctx, const uint512_t &value, const bool can_overflow=false, const size_t maximum_bitlength=0) |
| Creates a bigfield element from a uint512_t. Bigfield element is constructed as a witness and not a circuit constant. | |
| static bigfield | from_witness (Builder *ctx, const bb::field< T > &input) |
| template<typename OT > | |
| static bigfield | from_witness (Builder *ctx, const OT &input)=delete |
| static void | perform_reductions_for_mult_madd (std::vector< bigfield > &mul_left, std::vector< bigfield > &mul_right, const std::vector< bigfield > &to_add) |
| Performs individual reductions on the supplied elements as well as more complex reductions to prevent CRT modulus overflow and to fit the quotient inside the range proof. | |
| static bigfield | mult_madd (const std::vector< bigfield > &mul_left, const std::vector< bigfield > &mul_right, const std::vector< bigfield > &to_add, bool fix_remainder_to_zero=false) |
| static bigfield | dual_madd (const bigfield &left_a, const bigfield &right_a, const bigfield &left_b, const bigfield &right_b, const std::vector< bigfield > &to_add) |
| static bigfield | msub_div (const std::vector< bigfield > &mul_left, const std::vector< bigfield > &mul_right, const bigfield &divisor, const std::vector< bigfield > &to_sub, bool enable_divisor_nz_check=true) |
| static bigfield | sum (const std::vector< bigfield > &terms) |
| Create constraints for summing these terms. | |
| static bigfield | internal_div (const std::vector< bigfield > &numerators, const bigfield &denominator, bool check_for_zero) |
| static bigfield | div_without_denominator_check (const std::vector< bigfield > &numerators, const bigfield &denominator) |
| static bigfield | div_check_denominator_nonzero (const std::vector< bigfield > &numerators, const bigfield &denominator) |
| static bigfield | conditional_assign (const bool_t< Builder > &predicate, const bigfield &lhs, const bigfield &rhs) |
| static bigfield | one () |
| static bigfield | zero () |
| static constexpr bigfield | unreduced_zero () |
| Create an unreduced 0 ~ p*k, where p*k is the minimal multiple of modulus that should be reduced. | |
| static constexpr uint512_t | get_maximum_unreduced_value () |
| static constexpr uint512_t | get_prohibited_value () |
| static constexpr uint1024_t | get_maximum_crt_product () |
| Compute the maximum product of two bigfield elements in CRT: M = 2^t * n. | |
| static size_t | get_quotient_max_bits (const std::vector< uint1024_t > &remainders_max) |
| Compute the maximum number of bits for quotient range proof to protect against CRT underflow. | |
| static bool | mul_product_overflows_crt_modulus (const uint1024_t &a_max, const uint1024_t &b_max, const std::vector< bigfield > &to_add) |
| static bool | mul_product_overflows_crt_modulus (const std::vector< uint512_t > &as_max, const std::vector< uint512_t > &bs_max, const std::vector< bigfield > &to_add) |
| static constexpr uint256_t | get_maximum_unreduced_limb_value () |
| static constexpr uint256_t | get_prohibited_limb_value () |
Public Attributes | |
| Builder * | context |
| std::array< Limb, NUM_LIMBS > | binary_basis_limbs |
| Represents a bigfield element in the binary basis. A bigfield element is represented as a combination of 4 binary basis limbs: a = a[0] + a[1] * 2^L + a[2] * 2^2L + a[3] * 2^3L. | |
| field_t< Builder > | prime_basis_limb |
| Represents a bigfield element in the prime basis: (a mod n) where n is the native modulus. | |
Static Public Attributes | |
| static constexpr size_t | PUBLIC_INPUTS_SIZE = BIGFIELD_PUBLIC_INPUTS_SIZE |
| static constexpr size_t | NUM_LIMBS = 4 |
| static constexpr uint256_t | modulus = (uint256_t(T::modulus_0, T::modulus_1, T::modulus_2, T::modulus_3)) |
| static constexpr uint512_t | modulus_u512 = static_cast<uint512_t>(modulus) |
| static constexpr uint64_t | NUM_LIMB_BITS = NUM_LIMB_BITS_IN_FIELD_SIMULATION |
| static constexpr uint64_t | NUM_LAST_LIMB_BITS = modulus_u512.get_msb() + 1 - (NUM_LIMB_BITS * 3) |
| static const uint1024_t | DEFAULT_MAXIMUM_REMAINDER |
| static constexpr uint256_t | DEFAULT_MAXIMUM_LIMB = (uint256_t(1) << NUM_LIMB_BITS) - uint256_t(1) |
| static constexpr uint256_t | DEFAULT_MAXIMUM_MOST_SIGNIFICANT_LIMB |
| static constexpr uint64_t | LOG2_BINARY_MODULUS = NUM_LIMB_BITS * NUM_LIMBS |
| static constexpr bool | is_composite = true |
| static constexpr size_t | MAXIMUM_SUMMAND_COUNT_LOG = 4 |
| static constexpr size_t | MAXIMUM_SUMMAND_COUNT = 1 << MAXIMUM_SUMMAND_COUNT_LOG |
| static constexpr Basis | prime_basis { uint512_t(bb::fr::modulus), bb::fr::modulus.get_msb() + 1 } |
| static constexpr Basis | binary_basis { uint512_t(1) << LOG2_BINARY_MODULUS, LOG2_BINARY_MODULUS } |
| static constexpr Basis | target_basis { modulus_u512, static_cast<size_t>(modulus_u512.get_msb() + 1) } |
| static constexpr bb::fr | shift_1 = bb::fr(uint256_t(1) << NUM_LIMB_BITS) |
| static constexpr bb::fr | shift_2 = bb::fr(uint256_t(1) << (NUM_LIMB_BITS * 2)) |
| static constexpr bb::fr | shift_3 = bb::fr(uint256_t(1) << (NUM_LIMB_BITS * 3)) |
| static constexpr bb::fr | negative_prime_modulus_mod_native_basis = -bb::fr(uint256_t(target_basis.modulus)) |
| static constexpr uint512_t | negative_prime_modulus_mod_binary_basis = binary_basis.modulus - target_basis.modulus |
| static constexpr std::array< uint256_t, NUM_LIMBS > | neg_modulus_mod_binary_basis_limbs_u256 |
| static constexpr std::array< bb::fr, NUM_LIMBS > | neg_modulus_mod_binary_basis_limbs |
| static constexpr uint64_t | MAX_ADDITION_LOG = 10 |
| static constexpr uint64_t | MAXIMUM_LIMB_SIZE_THAT_WOULDNT_OVERFLOW |
| static constexpr uint64_t | MAX_UNREDUCED_LIMB_BITS = NUM_LIMB_BITS + MAX_ADDITION_LOG |
| static constexpr uint64_t | PROHIBITED_LIMB_BITS = MAX_UNREDUCED_LIMB_BITS + 5 |
Private Member Functions | |
| void | unsafe_assert_less_than (const uint256_t &upper_limit, std::string const &msg="bigfield::unsafe_assert_less_than") const |
| Assert that the current bigfield is less than the given upper limit. | |
| std::array< uint32_t, NUM_LIMBS > | get_binary_basis_limb_witness_indices () const |
| Get the witness indices of the (normalized) binary basis limbs. | |
| void | reduction_check () const |
| Check if the bigfield element needs to be reduced. | |
| void | sanity_check () const |
| Perform a sanity check on a value that is about to interact with another value. | |
| std::array< uint256_t, NUM_LIMBS > | get_binary_basis_limb_maximums () |
| Get the maximum values of the binary basis limbs. | |
Static Private Member Functions | |
| static std::array< uint32_t, 2 > | decompose_non_native_field_double_width_limb (Builder *ctx, const uint32_t limb_idx, const size_t num_limb_bits=(2 *NUM_LIMB_BITS)) |
| Decompose a single witness into two limbs, range constrained to NUM_LIMB_BITS (68) and num_limb_bits - NUM_LIMB_BITS, respectively. | |
| static std::pair< uint512_t, uint512_t > | compute_quotient_remainder_values (const bigfield &a, const bigfield &b, const std::vector< bigfield > &to_add) |
| Compute the quotient and remainder values for dividing (a * b + (to_add[0] + ... + to_add[-1])) with p. | |
| static uint512_t | compute_maximum_quotient_value (const std::vector< uint512_t > &as, const std::vector< uint512_t > &bs, const std::vector< uint512_t > &to_add) |
| Compute the maximum possible value of quotient of a*b+\sum(to_add) | |
| static std::pair< bool, size_t > | get_quotient_reduction_info (const std::vector< uint512_t > &as_max, const std::vector< uint512_t > &bs_max, const std::vector< bigfield > &to_add, const std::vector< uint1024_t > &remainders_max={ DEFAULT_MAXIMUM_REMAINDER }) |
| Check for 2 conditions (CRT modulus is overflown or the maximum quotient doesn't fit into range proof). Also returns the length of quotient's range proof if there is no need to reduce. | |
| static void | unsafe_evaluate_multiply_add (const bigfield &input_left, const bigfield &input_to_mul, const std::vector< bigfield > &to_add, const bigfield &input_quotient, const std::vector< bigfield > &input_remainders) |
| Evaluate a multiply add identity with several added elements and several remainders. | |
| static void | unsafe_evaluate_multiple_multiply_add (const std::vector< bigfield > &input_left, const std::vector< bigfield > &input_right, const std::vector< bigfield > &to_add, const bigfield &input_quotient, const std::vector< bigfield > &input_remainders) |
| Evaluate a relation involving multiple multiplications and additions. | |
| static void | unsafe_evaluate_square_add (const bigfield &left, const std::vector< bigfield > &to_add, const bigfield "ient, const bigfield &remainder) |
| Evaluate a square with several additions. | |
| static std::pair< uint512_t, uint512_t > | compute_partial_schoolbook_multiplication (const std::array< uint256_t, NUM_LIMBS > &a_limbs, const std::array< uint256_t, NUM_LIMBS > &b_limbs) |
| Compute the partial multiplication of two uint256_t arrays using schoolbook multiplication. | |
Friends | |
| class | bigfield_test_access |
Definition at line 22 of file bigfield.hpp.
| using bb::stdlib::bigfield< Builder, T >::CoefficientAccumulator = bigfield |
Definition at line 26 of file bigfield.hpp.
| using bb::stdlib::bigfield< Builder, T >::field_ct = field_t<Builder> |
Definition at line 29 of file bigfield.hpp.
| using bb::stdlib::bigfield< Builder, T >::native = bb::field<T> |
Definition at line 28 of file bigfield.hpp.
| using bb::stdlib::bigfield< Builder, T >::TParams = T |
Definition at line 27 of file bigfield.hpp.
| using bb::stdlib::bigfield< Builder, T >::View = bigfield |
Definition at line 25 of file bigfield.hpp.
| bb::stdlib::bigfield< Builder, T >::bigfield | ( | const field_t< Builder > & | low_bits, |
| const field_t< Builder > & | high_bits, | ||
| const bool | can_overflow = false, |
||
| const size_t | maximum_bitlength = 0 |
||
| ) |
Constructs a new bigfield object from two field elements representing the low and high bits.
| low_bits | The field element representing the low 2L bits of the bigfield. |
| high_bits | The field element representing the high 2L bits of the bigfield. |
| can_overflow | Whether the bigfield can overflow the modulus. |
| maximum_bitlength | The maximum bitlength of the bigfield. If 0, it defaults to |p| (target modulus bitlength). |
Definition at line 49 of file bigfield_impl.hpp.
| bb::stdlib::bigfield< Builder, T >::bigfield | ( | Builder * | parent_context = nullptr | ) |
Constructs a zero bigfield object: all limbs are set to zero.
This constructor is used to create a bigfield element without any context. It is useful for creating bigfield elements that will be later assigned to a context.
Definition at line 25 of file bigfield_impl.hpp.
| bb::stdlib::bigfield< Builder, T >::bigfield | ( | Builder * | parent_context, |
| const uint256_t & | value | ||
| ) |
Constructs a new bigfield object from a uint256_t value.
| parent_context | The circuit context in which the bigfield element will be created. |
| value | The uint256_t value to be converted to a bigfield element. |
Definition at line 35 of file bigfield_impl.hpp.
|
inlineexplicit |
Definition at line 118 of file bigfield.hpp.
|
inline |
Constructs a new bigfield object from an int value. We first need to to construct a field element from the value to avoid bugs that have to do with the value being negative.
Definition at line 127 of file bigfield.hpp.
|
inline |
Definition at line 132 of file bigfield.hpp.
|
inline |
Definition at line 137 of file bigfield.hpp.
|
inline |
Construct a new bigfield object from bb::fq. We first convert to uint256_t as field elements are in Montgomery form internally.
| value |
Definition at line 147 of file bigfield.hpp.
| bb::stdlib::bigfield< Builder, T >::bigfield | ( | const byte_array< Builder > & | bytes | ) |
Constructs a bigfield element from a 256-bit byte array.
This constructor interprets the input byte array as a 256-bit little-endian integer, and decomposes it into 4 limbs as follows:
| bytes | The 32-byte input representing the 256-bit integer (little-endian). |
Definition at line 218 of file bigfield_impl.hpp.
| bb::stdlib::bigfield< Builder, T >::bigfield | ( | const bigfield< Builder, T > & | other | ) |
Definition at line 123 of file bigfield_impl.hpp.
|
noexcept |
Definition at line 133 of file bigfield_impl.hpp.
|
default |
| bigfield< Builder, T > bb::stdlib::bigfield< Builder, T >::add_to_lower_limb | ( | const field_t< Builder > & | other, |
| const uint256_t & | other_maximum_value | ||
| ) | const |
Add a field element to the lower limb. CAUTION (the element has to be constrained before using this function)
Sometimes we need to add a small constrained value to a bigfield element (for example, a boolean value), but we don't want to construct a full bigfield element for that as it would take too many gates. If the maximum value of the field element being added is small enough, we can simply add it to the lowest limb and increase its maximum value. That will create 2 additional constraints instead of 5/3 needed to add 2 bigfield elements and several needed to construct a bigfield element.
| Builder | Builder |
| T | Field Parameters |
| other | Field element that will be added to the lower |
| other_maximum_value | The maximum value of other |
Definition at line 325 of file bigfield_impl.hpp.
| bigfield< Builder, T > bb::stdlib::bigfield< Builder, T >::add_two | ( | const bigfield< Builder, T > & | add_a, |
| const bigfield< Builder, T > & | add_b | ||
| ) | const |
Create constraints for summing three bigfield elements efficiently.
| Builder | |
| T |
| add_a | |
| add_b |
Uses five gates (one for each limb) to add three bigfield elements.
Definition at line 456 of file bigfield_impl.hpp.
| void bb::stdlib::bigfield< Builder, T >::assert_equal | ( | const bigfield< Builder, T > & | other, |
| std::string const & | msg = "bigfield< Builder, T >::assert_equal" |
||
| ) | const |
Definition at line 2004 of file bigfield_impl.hpp.
| void bb::stdlib::bigfield< Builder, T >::assert_is_in_field | ( | std::string const & | msg = "bigfield< Builder, T >::assert_is_in_field" | ) | const |
Definition at line 1826 of file bigfield_impl.hpp.
| void bb::stdlib::bigfield< Builder, T >::assert_is_not_equal | ( | const bigfield< Builder, T > & | other, |
| std::string const & | msg = "bigfield< Builder, T >: prime limb diff is zero, but expected non-zero" |
||
| ) | const |
Definition at line 2081 of file bigfield_impl.hpp.
| void bb::stdlib::bigfield< Builder, T >::assert_less_than | ( | const uint256_t & | upper_limit, |
| std::string const & | msg = "bigfield< Builder, T >::assert_less_than" |
||
| ) | const |
Definition at line 1834 of file bigfield_impl.hpp.
| void bb::stdlib::bigfield< Builder, T >::assert_zero_if | ( | const bool_t< Builder > & | predicate, |
| std::string const & | msg = "bigfield< Builder, T >::assert_zero_if failed" |
||
| ) | const |
Definition at line 1808 of file bigfield_impl.hpp.
|
inline |
Definition at line 698 of file bigfield.hpp.
|
staticprivate |
Compute the maximum possible value of quotient of a*b+\sum(to_add)
| as | Multiplicands |
| bs | Multipliers |
| to_add | Added elements |
Definition at line 2782 of file bigfield_impl.hpp.
|
staticprivate |
Compute the partial multiplication of two uint256_t arrays using schoolbook multiplication.
| a_limbs | |
| b_limbs |
Regular schoolbook multiplication of two arrays each with L = 4 limbs will produce a result of size 2 * L - 1 = 7. In this context, we can ignore the last three limbs as those terms have multiplicands: (2^4L, 2^5L, 2^6L) and since we are working modulo 2^t = 2^4L, those terms will always be zero. This is why we call this helper function "partial schoolbook multiplication".
Definition at line 2836 of file bigfield_impl.hpp.
|
staticprivate |
Compute the quotient and remainder values for dividing (a * b + (to_add[0] + ... + to_add[-1])) with p.
| a | Left multiplicand |
| b | Right multiplier |
| to_add | Vector of elements to add |
Definition at line 2760 of file bigfield_impl.hpp.
|
inlinestatic |
Definition at line 568 of file bigfield.hpp.
| bigfield< Builder, T > bb::stdlib::bigfield< Builder, T >::conditional_negate | ( | const bool_t< Builder > & | predicate | ) | const |
Definition at line 1590 of file bigfield_impl.hpp.
| bigfield< Builder, T > bb::stdlib::bigfield< Builder, T >::conditional_select | ( | const bigfield< Builder, T > & | other, |
| const bool_t< Builder > & | predicate | ||
| ) | const |
Create an element which is equal to either this or other based on the predicate.
| Builder | |
| T |
| other | The other bigfield element |
| predicate | Predicate controlling the result (0 for this, 1 for the other) |
Definition at line 1620 of file bigfield_impl.hpp.
|
inlinestatic |
Construct a bigfield element from binary limbs that are already reduced and ensure they are range constrained.
Definition at line 186 of file bigfield.hpp.
|
inline |
Create a witness form a constant. This way the value of the witness is fixed and public.
Definition at line 665 of file bigfield.hpp.
|
static |
Creates a bigfield element from a uint512_t. Bigfield element is constructed as a witness and not a circuit constant.
| ctx | |
| value | |
| can_overflow | Can the input value have more than log2(modulus) bits? |
| maximum_bitlength | Provide the explicit maximum bitlength if known. Otherwise bigfield max value will be either log2(modulus) bits iff can_overflow = false, or (4 * NUM_LIMB_BITS) iff can_overflow = true |
This method is 1 gate more efficient than constructing from 2 field_ct elements.
Definition at line 143 of file bigfield_impl.hpp.
|
staticprivate |
Decompose a single witness into two limbs, range constrained to NUM_LIMB_BITS (68) and num_limb_bits - NUM_LIMB_BITS, respectively.
Doesn't create gates constraining the limbs to each other.
| ctx | The circuit context |
| limb_idx | The index of the limb that will be decomposed |
| num_limb_bits | The range we want to constrain the original limb to |
Definition at line 2870 of file bigfield_impl.hpp.
|
static |
Div method with constraints for denominator!=0.
Similar to operator/ but numerator can be linear sum of multiple elements
Definition at line 893 of file bigfield_impl.hpp.
| bigfield< Builder, T > bb::stdlib::bigfield< Builder, T >::div_without_denominator_check | ( | const bigfield< Builder, T > & | denominator | ) |
Definition at line 882 of file bigfield_impl.hpp.
|
static |
Div method without constraining denominator!=0.
Similar to operator/ but numerator can be linear sum of multiple elements
Definition at line 875 of file bigfield_impl.hpp.
|
static |
Compute (left_a * right_a) + (left_b * right_b) + ...to_add = c mod p
This is cheaper than two multiplication operations, as the above only requires one quotient/remainder
Definition at line 1449 of file bigfield_impl.hpp.
|
inline |
Fix a witness. The value of the witness is constrained with a selector
Definition at line 677 of file bigfield.hpp.
|
inlinestatic |
Definition at line 297 of file bigfield.hpp.
|
staticdelete |
|
inlineprivate |
Get the maximum values of the binary basis limbs.
Definition at line 1131 of file bigfield.hpp.
|
inlineprivate |
Get the witness indices of the (normalized) binary basis limbs.
Definition at line 965 of file bigfield.hpp.
|
inline |
Definition at line 689 of file bigfield.hpp.
|
inlinestaticconstexpr |
Compute the maximum product of two bigfield elements in CRT: M = 2^t * n.
When we multiply two bigfield elements a and b, we need to check that: a * b = q * p + r, where q is the quotient, r is the remainder, and p is the size of the non-native field. With the CRT, we should have both sizes less than the maximum product M = 2^t * n.
Definition at line 813 of file bigfield.hpp.
|
inlinestaticconstexpr |
Definition at line 937 of file bigfield.hpp.
|
inlinestaticconstexpr |
Definition at line 766 of file bigfield.hpp.
| uint512_t bb::stdlib::bigfield< Builder, T >::get_maximum_value | ( | ) | const |
Definition at line 315 of file bigfield_impl.hpp.
|
inline |
Definition at line 706 of file bigfield.hpp.
|
inlinestaticconstexpr |
Definition at line 943 of file bigfield.hpp.
|
inlinestaticconstexpr |
Definition at line 796 of file bigfield.hpp.
|
inlinestatic |
Compute the maximum number of bits for quotient range proof to protect against CRT underflow.
When multiplying a and b, we need to check that: a * b = q * p + r, and each side of the equation is less than the maximum product M = 2^t * n. The quotient q is a size of the non-native field, and we need to ensure it fits within the available bits. q * p + r < M ==> q < (M - r_max) / p
| remainders_max | Maximum sizes of resulting remainders |
Definition at line 829 of file bigfield.hpp.
|
staticprivate |
Check for 2 conditions (CRT modulus is overflown or the maximum quotient doesn't fit into range proof). Also returns the length of quotient's range proof if there is no need to reduce.
| as_max | Vector of left multiplicands' maximum values |
| bs_max | Vector of right multiplicands' maximum values |
| to_add | Vector of added bigfield values |
Definition at line 2805 of file bigfield_impl.hpp.
| uint512_t bb::stdlib::bigfield< Builder, T >::get_value | ( | ) | const |
Definition at line 306 of file bigfield_impl.hpp.
|
static |
Division of a sum with an optional check if divisor is zero. Should not be used outside of class.
| numerators | Vector of numerators |
| denominator | Denominator |
| check_for_zero | If the zero check should be enabled |
Definition at line 782 of file bigfield_impl.hpp.
|
inline |
Inverting function with the assumption that the bigfield element we are calling invert on is not zero.
Definition at line 622 of file bigfield.hpp.
|
inline |
Check if the bigfield is constant, i.e. its prime limb is constant.
We use assertions to ensure that all limbs are consistent in their constant status.
Definition at line 603 of file bigfield.hpp.
| bool_t< Builder > bb::stdlib::bigfield< Builder, T >::is_less_than | ( | const uint256_t & | upper_limit, |
| std::string const & | msg = "bigfield< Builder, T >::is_less_than" |
||
| ) | const |
Definition at line 1867 of file bigfield_impl.hpp.
| bigfield< Builder, T > bb::stdlib::bigfield< Builder, T >::madd | ( | const bigfield< Builder, T > & | to_mul, |
| const std::vector< bigfield< Builder, T > > & | to_add | ||
| ) | const |
Compute a * b + ...to_add = c mod p.
| to_mul | Bigfield element to multiply by |
| to_add | Vector of elements to add |
Definition at line 1054 of file bigfield_impl.hpp.
|
static |
multiply, subtract, divide. This method computes:
result = -(\sum{mul_left[i] * mul_right[i]} + ...to_add) / divisor
Algorithm is constructed in this way to ensure that all computed terms are positive
i.e. we evaluate: result * divisor + (\sum{mul_left[i] * mul_right[i]) + ...to_add) = 0
It is critical that ALL the terms on the LHS are positive to eliminate the possiblity of underflows when calling evaluate_multiple_multiply_add
only requires one quotient and remainder + overflow limbs
We proxy this to mult_madd, so it only requires one quotient and remainder + overflow limbs
Definition at line 1486 of file bigfield_impl.hpp.
|
inlinestatic |
Check that the maximum value of a sum of bigfield productc with added values overflows ctf modulus.
| as_max | Vector of multiplicands' maximum values |
| b_max | Vector of multipliers' maximum values |
| to_add | Vector of field elements to be added |
Definition at line 875 of file bigfield.hpp.
|
inlinestatic |
Check that the maximum value of a bigfield product with added values overflows crt modulus.
| a_max | multiplicand maximum value |
| b_max | multiplier maximum value |
| to_add | vector of field elements to be added |
Definition at line 849 of file bigfield.hpp.
|
static |
Evaluate the sum of products and additional values safely.
| mul_left | Vector of bigfield multiplicands |
| mul_right | Vector of bigfield multipliers |
| to_add | Vector of bigfield elements to add to the sum of products |
Definition at line 1260 of file bigfield_impl.hpp.
|
inlinestatic |
Create a public one constant
Definition at line 627 of file bigfield.hpp.
| bigfield< Builder, T > bb::stdlib::bigfield< Builder, T >::operator* | ( | const bigfield< Builder, T > & | other | ) | const |
Evaluate a non-native field multiplication: (a * b = c mod p) where p == target_basis.modulus.
| other |
We compute quotient term q and remainder c and evaluate that: a * b - q * p - c = 0 mod modulus_u512 (binary basis modulus, currently 2**272) a * b - q * p - c = 0 mod circuit modulus We also check that: a * b < M and q * p - c < M, where M = (2^t * n) is CRT modulus.
Definition at line 696 of file bigfield_impl.hpp.
|
inline |
Definition at line 469 of file bigfield.hpp.
| bigfield< Builder, T > bb::stdlib::bigfield< Builder, T >::operator+ | ( | const bigfield< Builder, T > & | other | ) | const |
Adds two bigfield elements. Inputs are reduced to the modulus if necessary. Requires 4 gates if both elements are witnesses.
Naive addition of two bigfield elements would require 5 gates: 4 gates to add the binary basis limbs and 1 gate to add the prime basis limbs. However, if both elements are witnesses, we can use an optimized addition trick that uses 4 gates instead of 5. In this case, we add the prime basis limbs and one of the binary basis limbs in a single gate.
| Builder | |
| T |
| other |
Definition at line 365 of file bigfield_impl.hpp.
|
inline |
Definition at line 459 of file bigfield.hpp.
|
inline |
Negation operator, works by subtracting this from zero.
Definition at line 457 of file bigfield.hpp.
| bigfield< Builder, T > bb::stdlib::bigfield< Builder, T >::operator- | ( | const bigfield< Builder, T > & | other | ) | const |
Subtraction operator.
| other |
Uses lazy reduction techniques (similar to operator+) to save on field reductions. Instead of computing *this - other, we compute a constant X = s * p and compute: *this + X - other to ensure we do not underflow. Note that NOT enough to ensure that the integer value of *this + X - other does not underflow. We must ALSO ensure that each LIMB of the result does not underflow. Based on this condition, we compute the minimum value of s such that, for each limb i, the following result is positive: *this.limb[i] + X.limb[i] - other.limb[i] ≥ 0.
Plookup bigfield subtractoin
We have a special addition gate we can toggle, that will compute: (w_1 + w_4 - w_4_omega + q_arith = 0) This is in addition to the regular addition gate
We can arrange our wires in memory like this:
| 1 | 2 | 3 | 4 | |--—|--—|--—|--—| | b.p | a.0 | b.0 | c.p | (b.p + c.p - a.p = 0) AND (a.0 - b.0 - c.0 = 0) | a.p | a.1 | b.1 | c.0 | (a.1 - b.1 - c.1 = 0) | a.2 | b.2 | c.2 | c.1 | (a.2 - b.2 - c.2 = 0) | a.3 | b.3 | c.3 | — | (a.3 - b.3 - c.3 = 0)
Step 1: For each limb compute the MAXIMUM value we will have to borrow from the next significant limb
i.e. if we assume that *this = 0 and other = other.maximum_value, how many bits do we need to borrow from the next significant limb to ensure each limb value is positive?
N.B. for this segment maximum_value really refers to maximum NEGATIVE value of the result
Step 2: Compute the constant value X = m * p we must add to the result to ensure EVERY limb is >= 0
We need to find a value X where X.limb[3] > limb_3_maximum_value. As long as the above holds, we can borrow bits from X.limb[3] to ensure less significant limbs are positive
Start by setting constant_to_add = p
Step 3: Compute offset terms t0, t1, t2, t3 that we add to our result to ensure each limb is positive
t3 represents the value we are BORROWING from constant_to_add.limb[3] t2, t1, t0 are the terms we will ADD to constant_to_add.limb[2], constant_to_add.limb[1], constant_to_add.limb[0]
Borrow propagation table: ┌───────┬─────────────────────────────────┬──────────────────────────────────┐ │ Limb │ Value received FROM next limb │ Value given TO previous limb │ ├───────┼─────────────────────────────────┼──────────────────────────────────┤ │ 0 │ 2^limb_0_borrow_shift │ 0 │ │ 1 │ 2^limb_1_borrow_shift │ 2^(limb_0_borrow_shift - L) │ │ 2 │ 2^limb_2_borrow_shift │ 2^(limb_1_borrow_shift - L) │ │ 3 │ 0 │ 2^(limb_2_borrow_shift - L) │ └───────┴─────────────────────────────────┴──────────────────────────────────┘
i.e. The net value we add to constant_to_add is 0. We must ensure that: t3 = t0 + (t1 << NUM_LIMB_BITS) + (t2 << NUM_LIMB_BITS * 2)
e.g. the value we borrow to produce t0 is subtracted from t1, the value we borrow from t1 is subtracted from t2 the value we borrow from t2 is equal to t3
Compute the limbs of constant_to_add, including our offset terms t0, t1, t2, t3 that ensure each result limb is positive
Update the maximum possible value of the result. We assume here that (*this.value) = 0
Compute the binary basis limbs of our result
Compute the prime basis limb of the result
Definition at line 498 of file bigfield_impl.hpp.
|
inline |
Definition at line 464 of file bigfield.hpp.
| bigfield< Builder, T > bb::stdlib::bigfield< Builder, T >::operator/ | ( | const bigfield< Builder, T > & | other | ) | const |
Division operator: a / b. Creates constraints for division in the circuit and checks b != 0. If you need a variant without the zero check, use div_without_denominator_check.
| other | The denominator. |
To evaluate (a / b = c mod p), we instead evaluate (c * b = a mod p), where p is the target modulus. We also check that b != 0.
Definition at line 740 of file bigfield_impl.hpp.
|
inline |
Definition at line 474 of file bigfield.hpp.
|
noexcept |
Definition at line 295 of file bigfield_impl.hpp.
| bigfield< Builder, T > & bb::stdlib::bigfield< Builder, T >::operator= | ( | const bigfield< Builder, T > & | other | ) |
Definition at line 281 of file bigfield_impl.hpp.
| bool_t< Builder > bb::stdlib::bigfield< Builder, T >::operator== | ( | const bigfield< Builder, T > & | other | ) | const |
Validate whether two bigfield elements are equal to each other.
To evaluate whether (a == b), we use result boolean r to evaluate the following logic: (n.b all algebra involving bigfield elements is done in the bigfield)
r == 1 , a - b == 0r == 0, a - b posesses an inverse I i.e. (a - b) * I - 1 == 0 We efficiently evaluate this logic by evaluating a single expression (a - b)*X = Y We use conditional assignment logic to define X, Y to be the following: If r == 1 then X = 1, Y = 0 If r == 0 then X = I, Y = 1 This allows us to evaluate operator== using only 1 bigfield multiplication operation. We can check the product equals 0 or 1 by directly evaluating the binary basis/prime basis limbs of Y. i.e. if r == 1 then (a - b)*X should have 0 for all limb values if r == 0 then (a - b)*X should have 1 in the least significant binary basis limb and 0 elsewhere | Builder | |
| T |
| other |
Definition at line 1713 of file bigfield_impl.hpp.
|
static |
Performs individual reductions on the supplied elements as well as more complex reductions to prevent CRT modulus overflow and to fit the quotient inside the range proof.
| Builder | builder |
| T | basefield |
| mul_left | |
| mul_right | |
| to_add |
Definition at line 1129 of file bigfield_impl.hpp.
| bigfield< Builder, T > bb::stdlib::bigfield< Builder, T >::pow | ( | const uint32_t | exponent | ) | const |
Raise the bigfield element to the power of (out-of-circuit) exponent.
| exponent | The exponent to raise the bigfield element to. |
Uses the square-and-multiply algorithm to compute a^exponent mod p.
NOTE(https://github.com/AztecProtocol/barretenberg/issues/1014) Improve the efficiency of this function using sliding window method.
Definition at line 1001 of file bigfield_impl.hpp.
| void bb::stdlib::bigfield< Builder, T >::reduce_mod_target_modulus | ( | ) | const |
Definition at line 1916 of file bigfield_impl.hpp.
|
private |
Check if the bigfield element needs to be reduced.
This function checks if the bigfield element is within the valid range and reduces it if necessary. When multiplying bigfield elements a and b, we need to ensure that each side of the equation: a * b = q * p + r (a) holds modulo the size of the native field n, (b) holds modulo the size of the bigger ring 2^t. (c) is less than the maximum value: M = 2^t * n. This implies a, b must always be less than √M, and their limbs must be less than the maximum limb value.
Given a bigfield element c, this function applies these checks: (i) c < √M (see note below). (ii) each limb (binary basis) of c is less than the maximum limb value.
These checks prevent our field arithmetic from overflowing the native modulus boundary, whilst ensuring we can still use the chinese remainder theorem to validate field multiplications with a reduced number of range checks.
Note: We actually apply a stricter bound, see get_maximum_unreduced_value for an explanation.
Definition at line 1754 of file bigfield_impl.hpp.
|
private |
Perform a sanity check on a value that is about to interact with another value.
ASSERTs that the value of all limbs is less than or equal to the prohibited maximum value. Checks that the maximum value of the whole element is also less than a prohibited maximum value.
Definition at line 1793 of file bigfield_impl.hpp.
| void bb::stdlib::bigfield< Builder, T >::self_reduce | ( | ) | const |
Reduce the bigfield element modulo the target modulus.
This function modifies the bigfield element in place to ensure that it is reduced modulo the target modulus. It is marked as const because it modifies the internal state of the bigfield element without changing its logical value.
Definition at line 2123 of file bigfield_impl.hpp.
|
inline |
Set the free witness flag for the bigfield.
Definition at line 718 of file bigfield.hpp.
|
inline |
Definition at line 691 of file bigfield.hpp.
|
inline |
Set the witness indices for the limbs of the bigfield to public.
Bigfield is represented in public inputs using 2 limbs (lo, hi), matching the Codec representation. lo = limb0 + limb1 * 2^NUM_LIMB_BITS, hi = limb2 + limb3 * 2^NUM_LIMB_BITS
Definition at line 743 of file bigfield.hpp.
| bigfield< Builder, T > bb::stdlib::bigfield< Builder, T >::sqr | ( | ) | const |
Square operator, computes a * a = c mod p.
Costs the same as operator* as it just sets a = b. NOTE(https://github.com/AztecProtocol/aztec-packages/issues/15089): Can optimize this further to save a gate.
Definition at line 899 of file bigfield_impl.hpp.
| bigfield< Builder, T > bb::stdlib::bigfield< Builder, T >::sqradd | ( | const std::vector< bigfield< Builder, T > > & | to_add | ) | const |
Square and add operator, computes a * a + ...to_add = c mod p.
| to_add | The bigfield element to add to the square. |
We can chain multiple additions to a square/multiply with a single quotient/remainder. Chaining the additions here is cheaper than calling operator+ because we can combine some gates in evaluate_multiply_add
Definition at line 930 of file bigfield_impl.hpp.
|
static |
Create constraints for summing these terms.
| Builder | |
| T |
| terms |
Definition at line 754 of file bigfield_impl.hpp.
|
inlinestaticconstexpr |
Create an unreduced 0 ~ p*k, where p*k is the minimal multiple of modulus that should be reduced.
We need it for division. If we always add this element during division, then we never run into the formula-breaking situation
Definition at line 648 of file bigfield.hpp.
|
private |
Assert that the current bigfield is less than the given upper limit.
| upper_limit |
Definition at line 1930 of file bigfield_impl.hpp.
|
inlinestatic |
Construct a bigfield element from binary limbs that are already reduced.
This API should only be used by bigfield and other stdlib members for efficiency and with extreme care. We need it in cases where we precompute and reduce the elements, for example, and then put them in a table
Definition at line 158 of file bigfield.hpp.
|
inlinestatic |
Construct a bigfield element from binary limbs and a prime basis limb that are already reduced.
This API should only be used by bigfield and other stdlib members for efficiency and with extreme care. We need it in cases where we precompute and reduce the elements, for example, and then put them in a table
Definition at line 233 of file bigfield.hpp.
|
staticprivate |
Evaluate a relation involving multiple multiplications and additions.
| input_left | Vector of left multiplication operands. |
| input_right | Vector of right multiplication operands. |
| to_add | Vector of elements to add to the product. |
| input_quotient | Quotient term. |
| input_remainders | Vector of remainders. |
This function evaluates the relationship: (a[0] * b[0] + ... + (a[-1] * b[-1])) + (to_add[0] + .. + to_add[-1]) - q * p - (r[0] + .. + r[-1]) = 0 mod 2^t (a[0] * b[0] + ... + (a[-1] * b[-1])) + (to_add[0] + .. + to_add[-1]) - q * p - (r[0] + .. + r[-1]) = 0 mod n
msub_div for more details on how this is used.Step 1: Compute the maximum potential value of our product limbs
max_lo = maximum value of limb products that span the range 0 - 2^{3L} max_hi = maximum value of limb products that span the range 2^{2L} - 2^{5L}
Definition at line 2408 of file bigfield_impl.hpp.
|
staticprivate |
Evaluate a multiply add identity with several added elements and several remainders.
| left | Left multiplicand |
| right | Right multiplicand |
| to_add | Vector of elements to add |
| quotient | Quotient term |
| remainders | Vector of remainders |
This function evaluates the relationship: a * b + (to_add[0] + .. + to_add[-1]) - q * p - (r[0] + .. + r[-1]) = 0 mod 2^t (binary basis modulus) a * b + (to_add[0] + .. + to_add[-1]) - q * p - (r[0] + .. + r[-1]) = 0 mod n (circuit modulus)
Definition at line 2170 of file bigfield_impl.hpp.
|
staticprivate |
Evaluate a square with several additions.
| left | Left multiplicand |
| to_add | Vector of elements to add |
| quotient | Quotient term |
| remainder | Remainder term |
This function evaluates the relationship: (a * a) + (to_add[0] + .. + to_add[-1]) - q * p - r = 0 mod 2^t (binary basis modulus) (a * a) + (to_add[0] + .. + to_add[-1]) - q * p - r = 0 mod n (circuit modulus)
Definition at line 2736 of file bigfield_impl.hpp.
|
inline |
Unset the free witness flag for the bigfield.
Definition at line 729 of file bigfield.hpp.
|
inlinestatic |
Create a public zero constant
Definition at line 636 of file bigfield.hpp.
|
friend |
Definition at line 948 of file bigfield.hpp.
|
staticconstexpr |
Definition at line 337 of file bigfield.hpp.
|
mutable |
Represents a bigfield element in the binary basis. A bigfield element is represented as a combination of 4 binary basis limbs: a = a[0] + a[1] * 2^L + a[2] * 2^2L + a[3] * 2^3L.
Definition at line 81 of file bigfield.hpp.
| Builder* bb::stdlib::bigfield< Builder, T >::context |
Definition at line 75 of file bigfield.hpp.
|
staticconstexpr |
Definition at line 326 of file bigfield.hpp.
|
staticconstexpr |
Definition at line 327 of file bigfield.hpp.
|
inlinestatic |
Definition at line 324 of file bigfield.hpp.
|
staticconstexpr |
Definition at line 330 of file bigfield.hpp.
|
staticconstexpr |
Definition at line 329 of file bigfield.hpp.
|
staticconstexpr |
Definition at line 899 of file bigfield.hpp.
|
staticconstexpr |
Definition at line 930 of file bigfield.hpp.
|
staticconstexpr |
Definition at line 924 of file bigfield.hpp.
|
staticconstexpr |
Definition at line 334 of file bigfield.hpp.
|
staticconstexpr |
Definition at line 333 of file bigfield.hpp.
|
staticconstexpr |
Definition at line 315 of file bigfield.hpp.
|
staticconstexpr |
Definition at line 316 of file bigfield.hpp.
|
staticconstexpr |
Definition at line 350 of file bigfield.hpp.
|
staticconstexpr |
Definition at line 344 of file bigfield.hpp.
|
staticconstexpr |
Definition at line 343 of file bigfield.hpp.
|
staticconstexpr |
Definition at line 342 of file bigfield.hpp.
|
staticconstexpr |
Definition at line 318 of file bigfield.hpp.
|
staticconstexpr |
Definition at line 317 of file bigfield.hpp.
|
staticconstexpr |
Definition at line 73 of file bigfield.hpp.
|
staticconstexpr |
Definition at line 336 of file bigfield.hpp.
|
mutable |
Represents a bigfield element in the prime basis: (a mod n) where n is the native modulus.
Definition at line 86 of file bigfield.hpp.
|
staticconstexpr |
Definition at line 934 of file bigfield.hpp.
|
staticconstexpr |
Definition at line 32 of file bigfield.hpp.
|
staticconstexpr |
Definition at line 339 of file bigfield.hpp.
|
staticconstexpr |
Definition at line 340 of file bigfield.hpp.
|
staticconstexpr |
Definition at line 341 of file bigfield.hpp.
|
staticconstexpr |
Definition at line 338 of file bigfield.hpp.
1.9.8