Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
fq.hpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: Completed, auditors: [Federico], commit: }
3// external_1: { status: not started, auditors: [], commit: }
4// external_2: { status: not started, auditors: [], commit: }
5// =====================
6
7#pragma once
8
9#include <cstdint>
10#include <iomanip>
11
12#include "../../fields/field.hpp"
13#include "barretenberg/ecc/curves/bn254/fr.hpp"
14#include "barretenberg/stdlib/primitives/bigfield/constants.hpp"
15
16// NOLINTBEGIN(cppcoreguidelines-avoid-c-arrays)
17namespace bb {
18
28class Bn254FqParams {
29 public:
30 // A little-endian representation of the modulus split into 4 64-bit words
31 static constexpr uint64_t modulus_0 = 0x3C208C16D87CFD47UL;
32 static constexpr uint64_t modulus_1 = 0x97816a916871ca8dUL;
33 static constexpr uint64_t modulus_2 = 0xb85045b68181585dUL;
34 static constexpr uint64_t modulus_3 = 0x30644e72e131a029UL;
35
36 // A little-endian representation of R^2 modulo the modulus (R=2^256 mod modulus) split into 4 64-bit words
37 // This parameter is used to convert an element of Fq in standard form to Montgomery form
38 static constexpr uint64_t r_squared_0 = 0xF32CFC5B538AFA89UL;
39 static constexpr uint64_t r_squared_1 = 0xB5E71911D44501FBUL;
40 static constexpr uint64_t r_squared_2 = 0x47AB1EFF0A417FF6UL;
41 static constexpr uint64_t r_squared_3 = 0x06D89F71CAB8351FUL;
42
43 // -(Modulus^-1) mod 2^64
44 // This constant is used during multiplication: given an 8-limb representation of the multiplication of two field
45 // elements, for each of the lowest four limbs we compute: k_i = r_inv * limb_i and we add 2^{64 * i} * k_i * p to
46 // the result of the multiplication. In this way we zero out the lowest four limbs of the multiplication and we can
47 // divide by 2^256 by taking the highest four limbs. See field_docs.hpp for more details.
48 static constexpr uint64_t r_inv = 0x87d20782e4866389UL;
49
50 // 2^(-64) mod Modulus
51 // Used in the reduction mechanism, see field_docs.md
52 // Instead of computing k, we multiply the lowest limb by this value and then add to the following 5 limbs.
53 // This saves us from having to compute k
54 static constexpr uint64_t r_inv_0 = 0x327d7c1b18f7bd41UL;
55 static constexpr uint64_t r_inv_1 = 0xdb8ed52f824ed32fUL;
56 static constexpr uint64_t r_inv_2 = 0x29b67b05eb29a6a1UL;
57 static constexpr uint64_t r_inv_3 = 0x19ac99126b459ddaUL;
58
59 // A little-endian representation of the cube root of 1 in Fq in Montgomery form split into 4 64-bit words
60 static constexpr uint64_t cube_root_0 = 0x71930c11d782e155UL;
61 static constexpr uint64_t cube_root_1 = 0xa6bb947cffbe3323UL;
62 static constexpr uint64_t cube_root_2 = 0xaa303344d4741444UL;
63 static constexpr uint64_t cube_root_3 = 0x2c3b3f0d26594943UL;
64
65 // Not used for Fq, but required for all field types
66 static constexpr uint64_t primitive_root_0 = 0UL;
67 static constexpr uint64_t primitive_root_1 = 0UL;
68 static constexpr uint64_t primitive_root_2 = 0UL;
69 static constexpr uint64_t primitive_root_3 = 0UL;
70
71 // Coset generators in Montgomery form for R=2^256 mod Modulus. Used in FFT-based proving systems
72 static constexpr uint64_t coset_generator_0 = 0x7a17caa950ad28d7ULL;
73 static constexpr uint64_t coset_generator_1 = 0x1f6ac17ae15521b9ULL;
74 static constexpr uint64_t coset_generator_2 = 0x334bea4e696bd284ULL;
75 static constexpr uint64_t coset_generator_3 = 0x2a1f6744ce179d8eULL;
76
77 // A little-endian representation of the modulus split into 9 29-bit limbs
78 // This is used in wasm because we can only do multiplication with 64-bit result instead of 128-bit like in x86_64
79 static constexpr uint64_t modulus_wasm_0 = 0x187cfd47;
80 static constexpr uint64_t modulus_wasm_1 = 0x10460b6;
81 static constexpr uint64_t modulus_wasm_2 = 0x1c72a34f;
82 static constexpr uint64_t modulus_wasm_3 = 0x2d522d0;
83 static constexpr uint64_t modulus_wasm_4 = 0x1585d978;
84 static constexpr uint64_t modulus_wasm_5 = 0x2db40c0;
85 static constexpr uint64_t modulus_wasm_6 = 0xa6e141;
86 static constexpr uint64_t modulus_wasm_7 = 0xe5c2634;
87 static constexpr uint64_t modulus_wasm_8 = 0x30644e;
88
89 // A little-endian representation of R^2 modulo the modulus (R=2^261 mod modulus) split into 4 64-bit words
90 // We use 2^261 in wasm, because 261=29*9, the 9 29-bit limbs used for arithmetic in
91 static constexpr uint64_t r_squared_wasm_0 = 0xe1a2a074659bac10UL;
92 static constexpr uint64_t r_squared_wasm_1 = 0x639855865406005aUL;
93 static constexpr uint64_t r_squared_wasm_2 = 0xff54c5802d3e2632UL;
94 static constexpr uint64_t r_squared_wasm_3 = 0x2a11a68c34ea65a6UL;
95
96 // 2^(-29) mod Modulus
97 // Used in the reduction mechanism, see field_docs.md
98 // Instead of computing k, we multiply the lowest limb by this value and then add to the following 10 limbs.
99 // This saves us from having to compute k
100 static constexpr uint64_t r_inv_wasm_0 = 0x17789a9f;
101 static constexpr uint64_t r_inv_wasm_1 = 0x5ffc3dc;
102 static constexpr uint64_t r_inv_wasm_2 = 0xd6bde42;
103 static constexpr uint64_t r_inv_wasm_3 = 0x1cf152e3;
104 static constexpr uint64_t r_inv_wasm_4 = 0x18eb055f;
105 static constexpr uint64_t r_inv_wasm_5 = 0xed815e2;
106 static constexpr uint64_t r_inv_wasm_6 = 0x16626d2;
107 static constexpr uint64_t r_inv_wasm_7 = 0xb8bab0f;
108 static constexpr uint64_t r_inv_wasm_8 = 0x6d7c4;
109
110 // A little-endian representation of the cube root of 1 in Fq in Montgomery form for wasm (R=2^261 mod modulus)
111 // split into 4 64-bit words
112 static constexpr uint64_t cube_root_wasm_0 = 0x62b1a3a46a337995UL;
113 static constexpr uint64_t cube_root_wasm_1 = 0xadc97d2722e2726eUL;
114 static constexpr uint64_t cube_root_wasm_2 = 0x64ee82ede2db85faUL;
115 static constexpr uint64_t cube_root_wasm_3 = 0x0c0afea1488a03bbUL;
116
117 // Not used for Fq, but required for all field types
118 static constexpr uint64_t primitive_root_wasm_0 = 0x0000000000000000UL;
119 static constexpr uint64_t primitive_root_wasm_1 = 0x0000000000000000UL;
120 static constexpr uint64_t primitive_root_wasm_2 = 0x0000000000000000UL;
121 static constexpr uint64_t primitive_root_wasm_3 = 0x0000000000000000UL;
122
123 // Coset generators in Montgomery form for R=2^261 mod Modulus. Used in FFT-based proving systems
124 static constexpr uint64_t coset_generator_wasm_0 = 0xeb8a8ec140766463ULL;
125 static constexpr uint64_t coset_generator_wasm_1 = 0xf2b1f20626a3da49ULL;
126 static constexpr uint64_t coset_generator_wasm_2 = 0xf905ef8d84d5fea4ULL;
127 static constexpr uint64_t coset_generator_wasm_3 = 0x2958a27c02b7cd5fULL;
128
129 // Parameters used for quickly splitting a scalar into two endomorphism scalars for faster scalar multiplication
130 // For specifics on how these have been derived, see ecc/fields/endomorphim_scalars.py
131 static constexpr uint64_t endo_g1_lo = 0x7a7bd9d4391eb18d;
132 static constexpr uint64_t endo_g1_mid = 0x4ccef014a773d2cfUL;
133 static constexpr uint64_t endo_g1_hi = 0x0000000000000002UL;
134 static constexpr uint64_t endo_g2_lo = 0xd91d232ec7e0b3d2UL;
135 static constexpr uint64_t endo_g2_mid = 0x0000000000000002UL;
136 static constexpr uint64_t endo_minus_b1_lo = 0x8211bbeb7d4f1129UL;
137 static constexpr uint64_t endo_minus_b1_mid = 0x6f4d8248eeb859fcUL;
138 static constexpr uint64_t endo_b2_lo = 0x89d3256894d213e2UL;
139 static constexpr uint64_t endo_b2_mid = 0UL;
140
141 // used in msgpack schema serialization
142 static constexpr char schema_name[] = "fq";
143 static constexpr bool has_high_2adicity = false;
144
145 // The modulus is larger than BN254 scalar field modulus, so it maps to two BN254 scalars
146 static constexpr size_t NUM_BN254_SCALARS = 2;
147 static constexpr size_t MAX_BITS_PER_ENDOMORPHISM_SCALAR = 128;
148
149 // A point in Fq is represented using 2 field elements in the public inputs (matching Codec)
150 static constexpr size_t PUBLIC_INPUTS_SIZE = BIGFIELD_PUBLIC_INPUTS_SIZE;
151};
152
153using fq = field<Bn254FqParams>;
154
155} // namespace bb
156
157// NOLINTEND(cppcoreguidelines-avoid-c-arrays)
bb::Bn254FqParams
Parameters defining the base field of the BN254 curve.
Definition fq.hpp:28
bb::Bn254FqParams::primitive_root_wasm_2
static constexpr uint64_t primitive_root_wasm_2
Definition fq.hpp:120
bb::Bn254FqParams::cube_root_wasm_1
static constexpr uint64_t cube_root_wasm_1
Definition fq.hpp:113
bb::Bn254FqParams::coset_generator_0
static constexpr uint64_t coset_generator_0
Definition fq.hpp:72
bb::Bn254FqParams::modulus_0
static constexpr uint64_t modulus_0
Definition fq.hpp:31
bb::Bn254FqParams::primitive_root_wasm_0
static constexpr uint64_t primitive_root_wasm_0
Definition fq.hpp:118
bb::Bn254FqParams::r_inv_1
static constexpr uint64_t r_inv_1
Definition fq.hpp:55
bb::Bn254FqParams::r_inv_wasm_6
static constexpr uint64_t r_inv_wasm_6
Definition fq.hpp:106
bb::Bn254FqParams::coset_generator_2
static constexpr uint64_t coset_generator_2
Definition fq.hpp:74
bb::Bn254FqParams::primitive_root_wasm_3
static constexpr uint64_t primitive_root_wasm_3
Definition fq.hpp:121
bb::Bn254FqParams::r_inv_wasm_4
static constexpr uint64_t r_inv_wasm_4
Definition fq.hpp:104
bb::Bn254FqParams::coset_generator_1
static constexpr uint64_t coset_generator_1
Definition fq.hpp:73
bb::Bn254FqParams::MAX_BITS_PER_ENDOMORPHISM_SCALAR
static constexpr size_t MAX_BITS_PER_ENDOMORPHISM_SCALAR
Definition fq.hpp:147
bb::Bn254FqParams::modulus_wasm_0
static constexpr uint64_t modulus_wasm_0
Definition fq.hpp:79
bb::Bn254FqParams::modulus_wasm_5
static constexpr uint64_t modulus_wasm_5
Definition fq.hpp:84
bb::Bn254FqParams::modulus_wasm_4
static constexpr uint64_t modulus_wasm_4
Definition fq.hpp:83
bb::Bn254FqParams::r_squared_3
static constexpr uint64_t r_squared_3
Definition fq.hpp:41
bb::Bn254FqParams::r_inv_wasm_8
static constexpr uint64_t r_inv_wasm_8
Definition fq.hpp:108
bb::Bn254FqParams::r_inv_wasm_2
static constexpr uint64_t r_inv_wasm_2
Definition fq.hpp:102
bb::Bn254FqParams::r_squared_2
static constexpr uint64_t r_squared_2
Definition fq.hpp:40
bb::Bn254FqParams::endo_b2_mid
static constexpr uint64_t endo_b2_mid
Definition fq.hpp:139
bb::Bn254FqParams::cube_root_wasm_3
static constexpr uint64_t cube_root_wasm_3
Definition fq.hpp:115
bb::Bn254FqParams::modulus_wasm_7
static constexpr uint64_t modulus_wasm_7
Definition fq.hpp:86
bb::Bn254FqParams::modulus_wasm_1
static constexpr uint64_t modulus_wasm_1
Definition fq.hpp:80
bb::Bn254FqParams::endo_g2_lo
static constexpr uint64_t endo_g2_lo
Definition fq.hpp:134
bb::Bn254FqParams::modulus_3
static constexpr uint64_t modulus_3
Definition fq.hpp:34
bb::Bn254FqParams::r_squared_wasm_0
static constexpr uint64_t r_squared_wasm_0
Definition fq.hpp:91
bb::Bn254FqParams::coset_generator_wasm_1
static constexpr uint64_t coset_generator_wasm_1
Definition fq.hpp:125
bb::Bn254FqParams::r_inv_3
static constexpr uint64_t r_inv_3
Definition fq.hpp:57
bb::Bn254FqParams::r_inv_2
static constexpr uint64_t r_inv_2
Definition fq.hpp:56
bb::Bn254FqParams::primitive_root_0
static constexpr uint64_t primitive_root_0
Definition fq.hpp:66
bb::Bn254FqParams::coset_generator_wasm_2
static constexpr uint64_t coset_generator_wasm_2
Definition fq.hpp:126
bb::Bn254FqParams::modulus_1
static constexpr uint64_t modulus_1
Definition fq.hpp:32
bb::Bn254FqParams::coset_generator_3
static constexpr uint64_t coset_generator_3
Definition fq.hpp:75
bb::Bn254FqParams::r_inv_wasm_0
static constexpr uint64_t r_inv_wasm_0
Definition fq.hpp:100
bb::Bn254FqParams::cube_root_wasm_0
static constexpr uint64_t cube_root_wasm_0
Definition fq.hpp:112
bb::Bn254FqParams::r_inv_wasm_7
static constexpr uint64_t r_inv_wasm_7
Definition fq.hpp:107
bb::Bn254FqParams::primitive_root_2
static constexpr uint64_t primitive_root_2
Definition fq.hpp:68
bb::Bn254FqParams::endo_g1_mid
static constexpr uint64_t endo_g1_mid
Definition fq.hpp:132
bb::Bn254FqParams::r_squared_0
static constexpr uint64_t r_squared_0
Definition fq.hpp:38
bb::Bn254FqParams::coset_generator_wasm_3
static constexpr uint64_t coset_generator_wasm_3
Definition fq.hpp:127
bb::Bn254FqParams::endo_minus_b1_mid
static constexpr uint64_t endo_minus_b1_mid
Definition fq.hpp:137
bb::Bn254FqParams::cube_root_wasm_2
static constexpr uint64_t cube_root_wasm_2
Definition fq.hpp:114
bb::Bn254FqParams::modulus_2
static constexpr uint64_t modulus_2
Definition fq.hpp:33
bb::Bn254FqParams::modulus_wasm_8
static constexpr uint64_t modulus_wasm_8
Definition fq.hpp:87
bb::Bn254FqParams::r_squared_1
static constexpr uint64_t r_squared_1
Definition fq.hpp:39
bb::Bn254FqParams::modulus_wasm_2
static constexpr uint64_t modulus_wasm_2
Definition fq.hpp:81
bb::Bn254FqParams::r_inv_wasm_3
static constexpr uint64_t r_inv_wasm_3
Definition fq.hpp:103
bb::Bn254FqParams::r_squared_wasm_1
static constexpr uint64_t r_squared_wasm_1
Definition fq.hpp:92
bb::Bn254FqParams::cube_root_1
static constexpr uint64_t cube_root_1
Definition fq.hpp:61
bb::Bn254FqParams::endo_g1_lo
static constexpr uint64_t endo_g1_lo
Definition fq.hpp:131
bb::Bn254FqParams::cube_root_0
static constexpr uint64_t cube_root_0
Definition fq.hpp:60
bb::Bn254FqParams::r_inv_0
static constexpr uint64_t r_inv_0
Definition fq.hpp:54
bb::Bn254FqParams::r_squared_wasm_3
static constexpr uint64_t r_squared_wasm_3
Definition fq.hpp:94
bb::Bn254FqParams::cube_root_2
static constexpr uint64_t cube_root_2
Definition fq.hpp:62
bb::Bn254FqParams::r_squared_wasm_2
static constexpr uint64_t r_squared_wasm_2
Definition fq.hpp:93
bb::Bn254FqParams::primitive_root_3
static constexpr uint64_t primitive_root_3
Definition fq.hpp:69
bb::Bn254FqParams::NUM_BN254_SCALARS
static constexpr size_t NUM_BN254_SCALARS
Definition fq.hpp:146
bb::Bn254FqParams::r_inv_wasm_5
static constexpr uint64_t r_inv_wasm_5
Definition fq.hpp:105
bb::Bn254FqParams::primitive_root_1
static constexpr uint64_t primitive_root_1
Definition fq.hpp:67
bb::Bn254FqParams::schema_name
static constexpr char schema_name[]
Definition fq.hpp:142
bb::Bn254FqParams::cube_root_3
static constexpr uint64_t cube_root_3
Definition fq.hpp:63
bb::Bn254FqParams::endo_b2_lo
static constexpr uint64_t endo_b2_lo
Definition fq.hpp:138
bb::Bn254FqParams::r_inv_wasm_1
static constexpr uint64_t r_inv_wasm_1
Definition fq.hpp:101
bb::Bn254FqParams::modulus_wasm_6
static constexpr uint64_t modulus_wasm_6
Definition fq.hpp:85
bb::Bn254FqParams::primitive_root_wasm_1
static constexpr uint64_t primitive_root_wasm_1
Definition fq.hpp:119
bb::Bn254FqParams::coset_generator_wasm_0
static constexpr uint64_t coset_generator_wasm_0
Definition fq.hpp:124
bb::Bn254FqParams::modulus_wasm_3
static constexpr uint64_t modulus_wasm_3
Definition fq.hpp:82
bb::Bn254FqParams::endo_g1_hi
static constexpr uint64_t endo_g1_hi
Definition fq.hpp:133
bb::Bn254FqParams::has_high_2adicity
static constexpr bool has_high_2adicity
Definition fq.hpp:143
bb::Bn254FqParams::endo_minus_b1_lo
static constexpr uint64_t endo_minus_b1_lo
Definition fq.hpp:136
bb::Bn254FqParams::PUBLIC_INPUTS_SIZE
static constexpr size_t PUBLIC_INPUTS_SIZE
Definition fq.hpp:150
bb::Bn254FqParams::r_inv
static constexpr uint64_t r_inv
Definition fq.hpp:48
bb::Bn254FqParams::endo_g2_mid
static constexpr uint64_t endo_g2_mid
Definition fq.hpp:135
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5