bn254.hpp

Go to the documentation of this file.

// === AUDIT STATUS ===
// internal:    { status: Completed, auditors: [Federico], commit: }
// external_1:  { status: not started, auditors: [], commit: }
// external_2:  { status: not started, auditors: [], commit: }
// =====================
 
#pragma once
#include "../bigfield/bigfield.hpp"
#include "../biggroup/biggroup.hpp"
#include "../field/field.hpp"
#include "barretenberg/ecc/curves/types.hpp"
 
namespace bb::stdlib {
 
template <typename CircuitBuilder> struct bn254 {
    static constexpr bb::CurveType type = bb::CurveType::BN254;
    static constexpr bool is_stdlib_type = true;
    using NativeCurve = curve::BN254;
 
    // Corresponding native types (used exclusively for testing)
    using ScalarFieldNative = curve::BN254::ScalarField;
    using BaseFieldNative = curve::BN254::BaseField;
    using GroupNative = curve::BN254::Group;
    using ElementNative = GroupNative::element;
    using AffineElementNative = GroupNative::affine_element;
 
    // Stdlib types corresponding to those defined in the native description of the curve.
    // Note: its useful to have these type names match the native analog exactly so that components that digest a Curve
    // (e.g. Gemini) can be agnostic as to whether they're operating on native or stdlib types.
    using ScalarField = field_t<CircuitBuilder>;
    using Group = element<CircuitBuilder, bigfield<CircuitBuilder, bb::Bn254FqParams>, ScalarField, GroupNative>;
    using BaseField = Group::BaseField;
    using Element = Group;
    using AffineElement = Group;
 
    // Additional types with no analog in the native description of the curve
    using Builder = CircuitBuilder;
 
    // Required by SmallSubgroupIPA argument. This constant needs to divide the size of the multiplicative subgroup of
    // the ScalarField and satisfy SUBGROUP_SIZE > CONST_PROOF_SIZE_LOG_N * Flavor::BATCHED_RELATION_PARTIAL_LENGTH, for
    // each BN254-Flavor, since in every round of Sumcheck, the prover sends Flavor::BATCHED_RELATION_PARTIAL_LENGTH
    // elements to the verifier.
    static constexpr size_t SUBGROUP_SIZE = 256;
    // BN254's scalar field has a multiplicative subgroup of order 2^28. It is generated by 5^{(r-1) / 2^28}. The
    // generator below is 5^{(r-1) / 2^8} (so it has order 8). To avoid inversion in the recursive verifier, we also
    // store the inverse of the chosen generator.
    static constexpr bb::fr subgroup_generator =
        bb::fr(uint256_t("0x07b0c561a6148404f086204a9f36ffb0617942546750f230c893619174a57a76"));
    static constexpr bb::fr subgroup_generator_inverse =
        bb::fr(uint256_t("0x204bd3277422fad364751ad938e2b5e6a54cf8c68712848a692c553d0329f5d6"));
    // The length of the polynomials used to mask the Sumcheck Round Univariates. Computed as
    // max(BATCHED_PARTIAL_RELATION_LENGTH) for BN254 Flavors with ZK
    static constexpr uint32_t LIBRA_UNIVARIATES_LENGTH = 9;
 
}; // namespace bn254
 
} // namespace bb::stdlib