Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
field.cpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: Complete, auditors: [Sergei], commit: 458fb330efa8c470567ab4b84a8a92a58b00586a}
3// external_1: { status: Complete, auditors: [@ed25519, @JakubHeba (Spearbit)], commit:
4// 4433c06ae693451c6f69a2f63b7da6628078d872}
5// external_2: { status: not started, auditors: [], commit: }
6// =====================
7
8#include "field.hpp"
9#include "../bool/bool.hpp"
10#include "../circuit_builders/circuit_builders.hpp"
11#include "barretenberg/common/assert.hpp"
12#include "barretenberg/ecc/curves/grumpkin/grumpkin.hpp"
13#include "field_utils.hpp"
14#include <functional>
15
16using namespace bb;
17
18namespace bb::stdlib {
19
20template <typename Builder>
21field_t<Builder>::field_t(Builder* parent_context)
22 : context(parent_context)
23 , additive_constant(bb::fr::zero())
24 , multiplicative_constant(bb::fr::one())
25 , witness_index(IS_CONSTANT)
26{
27 tag = OriginTag::constant();
28}
29
30template <typename Builder>
31field_t<Builder>::field_t(const witness_t<Builder>& value)
32 : context(value.context)
33 , additive_constant(bb::fr::zero())
34 , multiplicative_constant(bb::fr::one())
35 , witness_index(value.witness_index)
36{
37 set_free_witness_tag();
38}
39
40template <typename Builder>
41field_t<Builder>::field_t(Builder* parent_context, const bb::fr& value)
42 : context(parent_context)
43 , additive_constant(value)
44 , multiplicative_constant(bb::fr::one())
45 , witness_index(IS_CONSTANT)
46{
47 tag = OriginTag::constant();
48}
49
50template <typename Builder>
65
66template <typename Builder>
67field_t<Builder> field_t<Builder>::from_witness_index(Builder* ctx, const uint32_t witness_index)
68{
69 field_t<Builder> result(ctx);
70 result.witness_index = witness_index;
71 // Since this is now a witness (not a constant), set the free witness tag
72 // The caller should set the appropriate tag if this element has a known provenance
73 result.set_free_witness_tag();
74 return result;
75}
76
83template <typename Builder> field_t<Builder>::operator bool_t<Builder>() const
84{
85 // If `this` is a constant field_t element, the resulting bool is also constant.
86 // In this case, `additive_constant` uniquely determines the value of `this`.
87 // After ensuring that `additive_constant` \in {0, 1}, we set the `.witness_bool` field of `result` to match the
88 // value of `additive_constant`.
89 if (is_constant()) {
90 BB_ASSERT(additive_constant == bb::fr::one() || additive_constant == bb::fr::zero(),
91 "Attempting to create a bool_t from a witness_t not satisfying x^2 - x = 0");
92 bool_t<Builder> result(context);
93 result.witness_bool = (additive_constant == bb::fr::one());
94 result.set_origin_tag(tag);
95 return result;
96 }
97
98 const bool add_constant_check = (additive_constant == bb::fr::zero());
99 const bool mul_constant_check = (multiplicative_constant == bb::fr::one());
100 const bool inverted_check = (additive_constant == bb::fr::one()) && (multiplicative_constant == bb::fr::neg_one());
101 bool result_inverted = false;
102 // Process the elements of the form
103 // a = a.v * 1 + 0 and a = a.v * (-1) + 1
104 // They do not need to be normalized if `a.v` is constrained to be boolean. In the first case, we have
105 // a == a.v,
106 // and in the second case
107 // a == ¬(a.v).
108 // The distinction between the cases is tracked by the .witness_inverted field of bool_t.
109 uint32_t witness_idx = witness_index;
110 if ((add_constant_check && mul_constant_check) || inverted_check) {
111 result_inverted = inverted_check;
112 } else {
113 // In general, the witness has to be normalized.
114 witness_idx = normalize().witness_index;
115 }
116 // Get the normalized value of the witness
117 bb::fr witness = context->get_variable(witness_idx);
118 BB_ASSERT(witness == bb::fr::zero() || witness == bb::fr::one(),
119 "Attempting to create a bool_t from a witness_t not satisfying x^2 - x = 0");
120 bool_t result(context, witness == bb::fr::one());
121 result.witness_inverted = result_inverted;
122 result.witness_index = witness_idx;
123 context->create_bool_gate(witness_idx);
124 result.set_origin_tag(tag);
125 return result;
126}
127
132template <typename Builder> field_t<Builder> field_t<Builder>::operator+(const field_t& other) const
133{
134 Builder* ctx = validate_context(other.context, context);
135 field_t<Builder> result(ctx);
136 // Ensure that non-constant circuit elements can not be added without context
137 BB_ASSERT(ctx || (is_constant() && other.is_constant()));
138
139 if (witness_indices_match(*this, other) && !is_constant()) {
140 // If summands represent the same circuit variable, i.e. their witness indices coincide, we just need to update
141 // the scaling factors of this variable.
142 result.additive_constant = additive_constant + other.additive_constant;
143 result.multiplicative_constant = multiplicative_constant + other.multiplicative_constant;
144 result.witness_index = witness_index;
145 } else if (is_constant() && other.is_constant()) {
146 // both inputs are constant - don't add a gate
147 result.additive_constant = additive_constant + other.additive_constant;
148 } else if (!is_constant() && other.is_constant()) {
149 // one input is constant - don't add a gate, but update scaling factors
150 result.additive_constant = additive_constant + other.additive_constant;
151 result.multiplicative_constant = multiplicative_constant;
152 result.witness_index = witness_index;
153 } else if (is_constant() && !other.is_constant()) {
154 result.additive_constant = additive_constant + other.additive_constant;
155 result.multiplicative_constant = other.multiplicative_constant;
156 result.witness_index = other.witness_index;
157 } else {
158 // The summands are distinct circuit variables, the result needs to be constrained.
159 // a + b = a.v * a.mul + b.v * b.mul + (a.add + b.add)
160 // which leads to the constraint
161 // a.v * q_l + b.v * q_r + result.v * q_o + q_c = 0,
162 // where q_l, q_r, q_0, and q_c are the selectors storing corresponding scaling factors.
163 bb::fr left = ctx->get_variable(witness_index); // =: a.v
164 bb::fr right = ctx->get_variable(other.witness_index); // =: b.v
165 bb::fr result_value = left * multiplicative_constant;
166 result_value += right * other.multiplicative_constant;
167 result_value += additive_constant;
168 result_value += other.additive_constant;
169 result.witness_index = ctx->add_variable(result_value);
170
171 ctx->create_add_gate({ .a = witness_index,
172 .b = other.witness_index,
173 .c = result.witness_index,
174 .a_scaling = multiplicative_constant,
175 .b_scaling = other.multiplicative_constant,
176 .c_scaling = bb::fr::neg_one(),
177 .const_scaling = (additive_constant + other.additive_constant) });
178 }
179 result.tag = OriginTag(tag, other.tag);
180 return result;
181}
185template <typename Builder> field_t<Builder> field_t<Builder>::operator-(const field_t& other) const
186{
187 field_t<Builder> rhs(other);
188 rhs.additive_constant.self_neg();
189 if (!rhs.is_constant()) {
190 // Negate the multiplicative constant of the rhs then feed to `+` operator
191 rhs.multiplicative_constant.self_neg();
192 }
193 return operator+(rhs);
194}
195
200template <typename Builder> field_t<Builder> field_t<Builder>::operator*(const field_t& other) const
201{
202 Builder* ctx = validate_context(other.context, context);
203 field_t<Builder> result(ctx);
204 // Ensure that non-constant circuit elements can not be multiplied without context
205 BB_ASSERT(ctx || (is_constant() && other.is_constant()));
206
207 if (is_constant() && other.is_constant()) {
208 // Both inputs are constant - don't add a gate.
209 // The value of a constant is tracked in `.additive_constant`.
210 result.additive_constant = additive_constant * other.additive_constant;
211 } else if (!is_constant() && other.is_constant()) {
212
213 // Here and in the next case, only one input is not constant: don't add a gate, but update scaling factors.
214 // More concretely, let:
215 // a := this;
216 // b := other;
217 // a.v := ctx->variables[a.witness_index], the value of a;
218 // b.v := ctx->variables[b.witness_index], the value of b;
219 // .mul = .multiplicative_constant
220 // .add = .additive_constant
221 // Value of this = a.v * a.mul + a.add;
222 // Value of other = b.add
223 // Value of result = a * b = a.v * [a.mul * b.add] + [a.add * b.add]
224 // ^ ^result.mul ^result.add
225 // ^result.v
226
227 result.additive_constant = additive_constant * other.additive_constant;
228 result.multiplicative_constant = multiplicative_constant * other.additive_constant;
229 // We simply updated the scaling factors of `*this`, so `witness_index` of `result` must be equal to
230 // `this->witness_index`.
231 result.witness_index = witness_index;
232 } else if (is_constant() && !other.is_constant()) {
233 // Only one input is not constant: don't add a gate, but update scaling factors
234 result.additive_constant = additive_constant * other.additive_constant;
235 result.multiplicative_constant = other.multiplicative_constant * additive_constant;
236 // We simply updated the scaling factors of `other`, so `witness_index` of `result` must be equal to
237 // `other->witness_index`.
238 result.witness_index = other.witness_index;
239 } else {
258 bb::fr T0;
259 bb::fr q_m;
260 bb::fr q_l;
261 bb::fr q_r;
262 bb::fr q_c;
263
264 // Compute selector values
265 q_c = additive_constant * other.additive_constant;
266 q_r = additive_constant * other.multiplicative_constant;
267 q_l = multiplicative_constant * other.additive_constant;
268 q_m = multiplicative_constant * other.multiplicative_constant;
269
270 bb::fr left = context->get_variable(witness_index); // =: a.v
271 bb::fr right = context->get_variable(other.witness_index); // =: b.v
272 bb::fr result_value;
273
274 result_value = left * right;
275 result_value *= q_m;
276 // Scale `b.v` by the constant `a_mul * b_add`
277 T0 = left * q_l;
278 result_value += T0;
279 // Scale `a.v` by the constant `a_add * b_mul`
280 T0 = right * q_r;
281 result_value += T0;
282 result_value += q_c;
283 result.witness_index = ctx->add_variable(result_value);
284 // Constrain
285 // a.v * b.v * q_m + a.v * q_l + b_v * q_r + q_c + result.v * q_o = 0
286 ctx->create_arithmetic_gate({ .a = witness_index,
287 .b = other.witness_index,
288 .c = result.witness_index,
289 .q_m = q_m,
290 .q_l = q_l,
291 .q_r = q_r,
292 .q_o = bb::fr::neg_one(),
293 .q_c = q_c });
294 }
295 result.tag = OriginTag(tag, other.tag);
296 return result;
297}
298
310template <typename Builder> field_t<Builder> field_t<Builder>::operator/(const field_t& other) const
311{
312 // If the denominator is a constant 0, the division is aborted. Otherwise, it is constrained to be non-zero.
313 other.assert_is_not_zero("field_t::operator/ divisor is 0");
314 return divide_no_zero_check(other);
315}
316
320template <typename Builder> field_t<Builder> field_t<Builder>::divide_no_zero_check(const field_t& other) const
321{
322
323 // Let
324 // a := this;
325 // b := other;
326 // q := a / b;
327 Builder* ctx = validate_context(context, other.context);
328 field_t<Builder> result(ctx);
329 // Ensure that non-constant circuit elements can not be divided without context
330 BB_ASSERT(ctx || (is_constant() && other.is_constant()));
331
332 bb::fr additive_multiplier = bb::fr::one();
333
334 if (is_constant() && other.is_constant()) {
335 // Both inputs are constant, the result is given by
336 // q = a.add / b.add, if b != 0.
337 // q = a.add , if b == 0
338 if (!(other.additive_constant == bb::fr::zero())) {
339 additive_multiplier = other.additive_constant.invert();
340 }
341 result.additive_constant = additive_constant * additive_multiplier;
342 } else if (!is_constant() && other.is_constant()) {
343 // The numerator is a circuit variable, the denominator is a constant.
344 // The result is obtained by updating the circuit variable `a`
345 // q = a.v * [a.mul / b.add] + a.add / b.add, if b != 0.
346 // q = a , if b == 0
347 // with q.witness_index = a.witness_index.
348 if (!(other.additive_constant == bb::fr::zero())) {
349 additive_multiplier = other.additive_constant.invert();
350 }
351 result.additive_constant = additive_constant * additive_multiplier;
352 result.multiplicative_constant = multiplicative_constant * additive_multiplier;
353 result.witness_index = witness_index;
354 } else if (is_constant() && !other.is_constant()) {
355 // The numerator is a constant, the denominator is a circuit variable.
356 // If a == 0, the result is a constant 0, otherwise the result is a new variable that has to be constrained.
357 if (get_value() == 0) {
358 result.additive_constant = 0;
359 result.multiplicative_constant = 1;
360 result.witness_index = IS_CONSTANT;
361 } else {
362 bb::fr numerator = get_value();
363 bb::fr denominator_inv = other.get_value();
364 denominator_inv = denominator_inv.is_zero() ? 0 : denominator_inv.invert();
365
366 bb::fr out(numerator * denominator_inv);
367 result.witness_index = ctx->add_variable(out);
368 // Define non-zero selector values for an arithmetic gate
369 // q_m := b.mul
370 // q_l := b.add
371 // q_c := a (= a.add, since a is constant)
372 bb::fr q_m = other.multiplicative_constant;
373 bb::fr q_l = other.additive_constant;
374 bb::fr q_c = -get_value();
375 // The value of the quotient q = a / b has to satisfy
376 // q * (b.v * b.mul + b.add) = a
377 // Create an arithmetic gate to constrain the quotient.
378 // q * b.v * q_m + q * q_l + 0 * b + 0 * c + q_c = 0
379 ctx->create_arithmetic_gate({ .a = result.witness_index,
380 .b = other.witness_index,
381 .c = result.witness_index,
382 .q_m = q_m,
383 .q_l = q_l,
384 .q_r = 0,
385 .q_o = 0,
386 .q_c = q_c });
387 }
388 } else {
389 // Both numerator and denominator are circuit variables. Create a new circuit variable with the value a / b.
390 bb::fr numerator = get_value();
391 bb::fr denominator_inv = other.get_value();
392 denominator_inv = denominator_inv.is_zero() ? 0 : denominator_inv.invert();
393
394 bb::fr out(numerator * denominator_inv);
395 result.witness_index = ctx->add_variable(out);
396
397 // The value of the quotient q = a / b has to satisfy
398 // q * (b.v * b.mul + b.add) = a.v * a.mul + a.add
399 // Create an arithmetic gate to constrain the quotient
400 // q * b.v * q_m + q * q_l + 0 * c + a.v * q_o + q_c = 0,
401 // where the selector values are defined as follows:
402 // q_m = b.mul;
403 // q_l = b.add;
404 // q_r = 0;
405 // q_o = - a.mul;
406 // q_c = - a.add.
407 bb::fr q_m = other.multiplicative_constant;
408 bb::fr q_l = other.additive_constant;
409 bb::fr q_r = bb::fr::zero();
410 bb::fr q_o = -multiplicative_constant;
411 bb::fr q_c = -additive_constant;
412
413 ctx->create_arithmetic_gate({ .a = result.witness_index,
414 .b = other.witness_index,
415 .c = witness_index,
416 .q_m = q_m,
417 .q_l = q_l,
418 .q_r = q_r,
419 .q_o = q_o,
420 .q_c = q_c });
421 }
422 result.tag = OriginTag(tag, other.tag);
423 return result;
424}
425
430template <typename Builder> field_t<Builder> field_t<Builder>::pow(const uint32_t& exponent) const
431{
432 if (is_constant()) {
433 return field_t(get_value().pow(exponent));
434 }
435 if (exponent == 0) {
436 return field_t(bb::fr::one());
437 }
438
439 bool accumulator_initialized = false;
440 field_t<Builder> accumulator;
441 field_t<Builder> running_power = *this;
442 auto shifted_exponent = exponent;
443
444 // Square and multiply, there's no need to constrain the exponent bit decomposition, as it is an integer constant.
445 while (shifted_exponent != 0) {
446 if (shifted_exponent & 1) {
447 if (!accumulator_initialized) {
448 accumulator = running_power;
449 accumulator_initialized = true;
450 } else {
451 accumulator *= running_power;
452 }
453 }
454 if (shifted_exponent >= 2) {
455 // Don't update `running_power` if `shifted_exponent` = 1, as it won't be used anywhere.
456 running_power = running_power.sqr();
457 }
458 shifted_exponent >>= 1;
459 }
460 return accumulator;
461}
462
467template <typename Builder> field_t<Builder> field_t<Builder>::pow(const field_t& exponent) const
468{
469 uint256_t exponent_value = exponent.get_value();
470 BB_ASSERT_LT(exponent_value.get_msb(), 32U, "Exponent too large in field_t::pow");
471
472 if (is_constant() && exponent.is_constant()) {
473 return field_t(get_value().pow(exponent_value));
474 }
475 // Use the constant version that perfoms only the necessary multiplications if the exponent is constant
476 if (exponent.is_constant()) {
477 return pow(static_cast<uint32_t>(exponent_value));
478 }
479
480 auto* ctx = validate_context(context, exponent.context);
481
482 std::array<bool_t<Builder>, 32> exponent_bits;
483 // Collect individual bits as bool_t's
484 for (size_t i = 0; i < exponent_bits.size(); ++i) {
485 uint256_t value_bit = exponent_value & 1;
486 bool_t<Builder> bit;
487 bit = bool_t<Builder>(witness_t<Builder>(ctx, value_bit.data[0]));
488 bit.set_origin_tag(exponent.tag);
489 exponent_bits[31 - i] = bit;
490 exponent_value >>= 1;
491 }
492
493 field_t<Builder> exponent_accumulator(bb::fr::zero());
494 for (const auto& bit : exponent_bits) {
495 exponent_accumulator += exponent_accumulator;
496 exponent_accumulator += bit;
497 }
498 // Constrain the sum of bool_t bits to be equal to the original exponent value.
499 exponent.assert_equal(exponent_accumulator, "field_t::pow exponent accumulator incorrect");
500
501 // Compute the result of exponentiation
502 field_t accumulator(ctx, bb::fr::one());
503 const field_t one(bb::fr::one());
504 for (size_t i = 0; i < 32; ++i) {
505 accumulator *= accumulator;
506 // If current bit == 1, multiply by the base, else propagate the accumulator
507 const field_t multiplier = conditional_assign_internal(exponent_bits[i], *this, one);
508 accumulator *= multiplier;
509 }
510 accumulator = accumulator.normalize();
511 accumulator.tag = OriginTag(tag, exponent.tag);
512 return accumulator;
513}
514
518template <typename Builder> field_t<Builder> field_t<Builder>::madd(const field_t& to_mul, const field_t& to_add) const
519{
520 Builder* ctx = validate_context<Builder>(context, to_mul.context, to_add.context);
521
522 const bool mul_by_const = is_constant() || to_mul.is_constant();
523
524 if (mul_by_const) {
525 // If at least one of the multiplicands is constant, `madd` is efficiently handled by `*` and `+`
526 // operators.
527 return ((*this) * to_mul + to_add);
528 }
529
530 // Let:
531 // a = this;
532 // b = to_mul;
533 // c = to_add;
534 // a.v = ctx->variables[this.witness_index];
535 // b.v = ctx->variables[to_mul.witness_index];
536 // c.v = ctx->variables[to_add.witness_index];
537 // .mul = .multiplicative_constant;
538 // .add = .additive_constant.
539 //
540 // result = a * b + c
541 // = (a.v * a.mul + a.add) * (b.v * b.mul + b.add) + (c.v * c.mul + c.add)
542 // = a.v * b.v * [a.mul * b.mul] + a.v * [a.mul * b.add] + b.v * [b.mul + a.add] + c.v * [c.mul]
543 // + [a.add * b.add + c.add]
544 // = a.v * b.v * [ mul_scaling ] + a.v * [ a_scaling ] + b.v * [ b_scaling ] + c.v * [ c_scaling ]
545 // + [ const_scaling ]
546
547 bb::fr mul_scaling = multiplicative_constant * to_mul.multiplicative_constant;
548 bb::fr a_scaling = multiplicative_constant * to_mul.additive_constant;
549 bb::fr b_scaling = to_mul.multiplicative_constant * additive_constant;
550 bb::fr c_scaling = to_add.multiplicative_constant;
551 bb::fr const_scaling = additive_constant * to_mul.additive_constant + to_add.additive_constant;
552
553 // Note: the value of a constant field_t is wholly tracked by the field_t's `additive_constant` member, which is
554 // accounted for in the above-calculated selectors (`q_`'s). Therefore no witness (`variables[witness_index]`)
555 // exists for constants, and so the field_t's corresponding wire value is set to `0` in the gate equation.
556 bb::fr a = is_constant() ? bb::fr::zero() : ctx->get_variable(witness_index);
557 bb::fr b = to_mul.is_constant() ? bb::fr::zero() : ctx->get_variable(to_mul.witness_index);
558 bb::fr c = to_add.is_constant() ? bb::fr::zero() : ctx->get_variable(to_add.witness_index);
559
560 bb::fr out = a * b * mul_scaling + a * a_scaling + b * b_scaling + c * c_scaling + const_scaling;
561
562 field_t<Builder> result(ctx);
563 result.witness_index = ctx->add_variable(out);
564 ctx->create_big_mul_add_gate({
565 .a = is_constant() ? ctx->zero_idx() : witness_index,
566 .b = to_mul.is_constant() ? ctx->zero_idx() : to_mul.witness_index,
567 .c = to_add.is_constant() ? ctx->zero_idx() : to_add.witness_index,
568 .d = result.witness_index,
569 .mul_scaling = mul_scaling,
570 .a_scaling = a_scaling,
571 .b_scaling = b_scaling,
572 .c_scaling = c_scaling,
573 .d_scaling = bb::fr::neg_one(),
574 .const_scaling = const_scaling,
575 });
576 result.tag = OriginTag(tag, to_mul.tag, to_add.tag);
577 return result;
578}
579
583template <typename Builder> field_t<Builder> field_t<Builder>::add_two(const field_t& add_b, const field_t& add_c) const
584{
585 const bool has_const_summand = is_constant() || add_b.is_constant() || add_c.is_constant();
586
587 if (has_const_summand) {
588 // If at least one of the summands is constant, the summation is efficiently handled by `+` operator
589 return (*this) + add_b + add_c;
590 }
591 Builder* ctx = validate_context<Builder>(context, add_b.context, add_c.context);
592
593 // Let d := a + (b+c), where
594 // a := *this;
595 // b := add_b;
596 // c := add_c;
597 // define selector values by
598 // mul_scaling := 0
599 // a_scaling := a_mul;
600 // b_scaling := b_mul;
601 // c_scaling := c_mul;
602 // d_scaling := -1;
603 // const_scaling := a_add + b_add + c_add;
604 // Create a `big_mul_gate` to constrain
605 // a * b * mul_scaling + a * a_scaling + b * b_scaling + c * c_scaling + d * d_scaling + const_scaling = 0
606
607 bb::fr a_scaling = multiplicative_constant;
608 bb::fr b_scaling = add_b.multiplicative_constant;
609 bb::fr c_scaling = add_c.multiplicative_constant;
610 bb::fr const_scaling = additive_constant + add_b.additive_constant + add_c.additive_constant;
611
612 // Compute the sum of values of all summands
613 bb::fr a = is_constant() ? bb::fr::zero() : ctx->get_variable(witness_index);
614 bb::fr b = add_b.is_constant() ? bb::fr::zero() : ctx->get_variable(add_b.witness_index);
615 bb::fr c = add_c.is_constant() ? bb::fr::zero() : ctx->get_variable(add_c.witness_index);
616
617 bb::fr out = a * a_scaling + b * b_scaling + c * c_scaling + const_scaling;
618
619 field_t<Builder> result(ctx);
620 result.witness_index = ctx->add_variable(out);
621
622 // Constrain the result
623 ctx->create_big_mul_add_gate({
624 .a = is_constant() ? ctx->zero_idx() : witness_index,
625 .b = add_b.is_constant() ? ctx->zero_idx() : add_b.witness_index,
626 .c = add_c.is_constant() ? ctx->zero_idx() : add_c.witness_index,
627 .d = result.witness_index,
628 .mul_scaling = bb::fr::zero(),
629 .a_scaling = a_scaling,
630 .b_scaling = b_scaling,
631 .c_scaling = c_scaling,
632 .d_scaling = bb::fr::neg_one(),
633 .const_scaling = const_scaling,
634 });
635 result.tag = OriginTag(tag, add_b.tag, add_c.tag);
636 return result;
637}
638
646template <typename Builder> field_t<Builder> field_t<Builder>::normalize() const
647{
648 if (is_normalized()) {
649 return *this;
650 }
651 BB_ASSERT(context);
652
653 // Value of this = this.v * this.mul + this.add; // where this.v = context->variables[this.witness_index]
654 // Normalised result = result.v * 1 + 0; // where result.v = this.v * this.mul + this.add
655 // We need a new gate to enforce that the `result` was correctly calculated from `this`.
656 field_t<Builder> result(context);
657 bb::fr value = context->get_variable(witness_index);
658
659 result.witness_index = context->add_variable(value * multiplicative_constant + additive_constant);
660 result.additive_constant = bb::fr::zero();
661 result.multiplicative_constant = bb::fr::one();
662
663 // The aim of a new `add` gate is to constrain
664 // this.v * this.mul + this.add == result.v
665 // Let
666 // a_scaling := this.mul;
667 // b_scaling := 0;
668 // c_scaling := -1;
669 // const_scaling := this.add;
670 // The `add` gate enforces the relation
671 // this.v * a_scaling + result.v * c_scaling + const_scaling = 0
672
673 context->create_add_gate({ .a = witness_index,
674 .b = context->zero_idx(),
675 .c = result.witness_index,
676 .a_scaling = multiplicative_constant,
677 .b_scaling = bb::fr::zero(),
678 .c_scaling = bb::fr::neg_one(),
679 .const_scaling = additive_constant });
680 result.tag = tag;
681 return result;
682}
683
687template <typename Builder> void field_t<Builder>::assert_is_zero(std::string const& msg) const
688{
689
690 if (is_constant()) {
691 BB_ASSERT_EQ(additive_constant == bb::fr::zero(), true, msg);
692 return;
693 }
694
695 if ((get_value() != bb::fr::zero()) && !context->failed()) {
696 context->failure(msg);
697 }
698 // Aim of a new arithmetic gate: constrain this.v * this.mul + this.add == 0
699 // I.e.:
700 // this.v * 0 * [ 0 ] + this.v * [this.mul] + 0 * [ 0 ] + 0 * [ 0 ] + [this.add] == 0
701 // this.v * 0 * [q_m] + this.v * [ q_l ] + 0 * [q_r] + 0 * [q_o] + [ q_c ] == 0
702
703 context->create_arithmetic_gate({
704 .a = witness_index,
705 .b = context->zero_idx(),
706 .c = context->zero_idx(),
707 .q_m = bb::fr::zero(),
708 .q_l = multiplicative_constant,
709 .q_r = bb::fr::zero(),
710 .q_o = bb::fr::zero(),
711 .q_c = additive_constant,
712 });
713}
714
718template <typename Builder> void field_t<Builder>::assert_is_not_zero(std::string const& msg) const
719{
720
721 if (is_constant()) {
722 BB_ASSERT_EQ(additive_constant != bb::fr::zero(), true, msg);
723 return;
724 }
725
726 if ((get_value() == bb::fr::zero()) && !context->failed()) {
727 context->failure(msg);
728 }
729
730 bb::fr inverse_value = (get_value() == bb::fr::zero()) ? bb::fr::zero() : get_value().invert();
731
732 field_t<Builder> inverse(witness_t<Builder>(context, inverse_value));
733
734 // inverse is added in the circuit for checking that field element is not zero
735 // and it won't be used anymore, so it's needed to add this element in used witnesses
736 mark_witness_as_used(inverse);
737
738 // Aim of a new arithmetic gate: `this` has an inverse (hence is not zero).
739 // I.e.:
740 // (this.v * this.mul + this.add) * inverse.v == 1;
741 // <=> this.v * inverse.v * [this.mul] + this.v * [ 0 ] + inverse.v * [this.add] + 0 * [ 0 ] + [ -1] == 0
742 // <=> this.v * inverse.v * [ q_m ] + this.v * [q_l] + inverse.v * [ q_r ] + 0 * [q_o] + [q_c] == 0
743
744 // (a * mul_const + add_const) * b - 1 = 0
745 context->create_arithmetic_gate({
746 .a = witness_index, // input value
747 .b = inverse.witness_index, // inverse
748 .c = context->zero_idx(), // no output
749 .q_m = multiplicative_constant, // a * b * mul_const
750 .q_l = bb::fr::zero(), // a * 0
751 .q_r = additive_constant, // b * mul_const
752 .q_o = bb::fr::zero(), // c * 0
753 .q_c = bb::fr::neg_one(), // -1
754 });
755}
756
783template <typename Builder> bool_t<Builder> field_t<Builder>::is_zero() const
784{
785 bb::fr native_value = get_value();
786 const bool is_zero_raw = native_value.is_zero();
787
788 if (is_constant()) {
789 // Create a constant bool_t
790 bool_t is_zero(context, is_zero_raw);
791 is_zero.set_origin_tag(get_origin_tag());
792 return is_zero;
793 }
794
795 bool_t is_zero = witness_t(context, is_zero_raw);
796
797 // This can be done out of circuit, as `is_zero = true` implies `I = 1`.
798 bb::fr inverse_native = (is_zero_raw) ? bb::fr::one() : native_value.invert();
799
800 field_t inverse = witness_t(context, inverse_native);
801
802 // Note that `evaluate_polynomial_identity(a, b, c, d)` checks that `a * b + c + d = 0`, so we are using it for the
803 // constraints 1) and 2) above.
804 // More precisely, to check that `a * I - 1 + is_zero = 0`, it creates a `big_mul_gate` given by the equation:
805 // a.v * I.v * mul_scaling + a.v * a_scaling + I.v * b_scaling + is_zero.v * c_scaling + (-1) * d_scaling +
806 // const_scaling = 0
807 // where
808 // muk_scaling := a.mul * I.mul;
809 // a_scaling := a.mul * I.add;
810 // b_scaling := I.mul * a.add;
811 // c_scaling := 1;
812 // d_scaling := 0;
813 // const_scaling := a.add * I.add + is_zero.add - 1;
814 field_t::evaluate_polynomial_identity(*this, inverse, is_zero, bb::fr::neg_one());
815
816 // To check that `-is_zero * I + is_zero = 0`, create a `big_mul_gate` given by the equation:
817 // is_zero.v * (-I).v * mul_scaling + is_zero.v * a_scaling + (-I).v * b_scaling + is_zero.v * c_scaling + 0 *
818 // d_scaling + const_scaling = 0
819 // where
820 // mul_scaling := is_zero.mul * (-I).mul;
821 // a_scaling := is_zero.mul * (-I).add;
822 // b_scaling := (-I).mul * is_zero.add;
823 // c_scaling := is_zero.mul;
824 // d_scaling := 0;
825 // const_scaling := is_zero.add * (-I).add + is_zero.add;
826 field_t::evaluate_polynomial_identity(is_zero, -inverse, is_zero, bb::fr::zero());
827 is_zero.set_origin_tag(tag);
828 return is_zero;
829}
836template <typename Builder> bb::fr field_t<Builder>::get_value() const
837{
838 if (!is_constant()) {
839 BB_ASSERT(context);
840 return (multiplicative_constant * context->get_variable(witness_index)) + additive_constant;
841 }
842 BB_ASSERT_DEBUG(multiplicative_constant == bb::fr::one());
843 // A constant field_t's value is tracked wholly by its additive_constant member.
844 return additive_constant;
845}
846
850template <typename Builder> bool_t<Builder> field_t<Builder>::operator==(const field_t& other) const
851{
852 return ((*this) - other).is_zero();
853}
854
858template <typename Builder> bool_t<Builder> field_t<Builder>::operator!=(const field_t& other) const
859{
860 return !operator==(other);
861}
862
866template <typename Builder>
867field_t<Builder> field_t<Builder>::conditional_negate(const bool_t<Builder>& predicate) const
868{
869 if (predicate.is_constant()) {
870 field_t result = predicate.get_value() ? -(*this) : *this;
871 result.set_origin_tag(OriginTag(get_origin_tag(), predicate.get_origin_tag()));
872 return result;
873 }
874 // Compute
875 // `predicate` * ( -2 * a ) + a.
876 // If predicate's value == true, then the output is `-a`, else it's `a`
877 static constexpr bb::fr minus_two(-2);
878 return field_t(predicate).madd(*this * minus_two, *this);
879}
880
892template <typename Builder>
893field_t<Builder> field_t<Builder>::conditional_assign_internal(const bool_t<Builder>& predicate,
894 const field_t& lhs,
895 const field_t& rhs)
896{
897 // If the predicate is constant, the conditional assignment can be done out of circuit
898 if (predicate.is_constant()) {
899 auto result = field_t(predicate.get_value() ? lhs : rhs);
900 result.set_origin_tag(OriginTag(predicate.get_origin_tag(), lhs.get_origin_tag(), rhs.get_origin_tag()));
901 return result;
902 }
903 // If lhs and rhs are the same witness or constant, just return it (but still merge tags)
904 if (witness_indices_match(lhs, rhs) && (lhs.additive_constant == rhs.additive_constant) &&
905 (lhs.multiplicative_constant == rhs.multiplicative_constant)) {
906 auto result = lhs;
907 result.set_origin_tag(OriginTag(predicate.get_origin_tag(), lhs.get_origin_tag(), rhs.get_origin_tag()));
908 return result;
909 }
910
911 return (lhs - rhs).madd(predicate, rhs);
912}
913
918template <typename Builder>
919void field_t<Builder>::create_range_constraint(const size_t num_bits, std::string const& msg) const
920{
921 if (num_bits == 0) {
922 assert_is_zero("0-bit range_constraint on non-zero field_t.");
923 } else {
924 if (is_constant()) {
925 BB_ASSERT_LT(uint256_t(get_value()).get_msb(), num_bits, msg);
926 } else {
927 context->create_limbed_range_constraint(
928 normalize().witness_index, num_bits, bb::UltraCircuitBuilder::DEFAULT_PLOOKUP_RANGE_BITNUM, msg);
929 }
930 }
931}
932
940template <typename Builder> void field_t<Builder>::assert_equal(const field_t& rhs, std::string const& msg) const
941{
942 const field_t lhs = *this;
943 Builder* ctx = validate_context(lhs.get_context(), rhs.get_context());
944 if (lhs.is_constant() && rhs.is_constant()) {
945 BB_ASSERT_EQ(lhs.get_value(), rhs.get_value(), "field_t::assert_equal: constants are not equal");
946 return;
947 }
948 if (lhs.is_constant()) {
949 ctx->assert_equal_constant(rhs.get_witness_index(), lhs.get_value(), msg);
950 } else if (rhs.is_constant()) {
951 ctx->assert_equal_constant(lhs.get_witness_index(), rhs.get_value(), msg);
952 } else {
953 // Both are witnesses - save original tags and clear them to allow different transcript/free witness sources
954 // (e.g., proving 2 separate properties about same object through 2 different transcripts)
955 const auto lhs_original_tag = lhs.get_origin_tag();
956 const auto rhs_original_tag = rhs.get_origin_tag();
957 auto empty_tag = OriginTag::constant(); // Disable origin checking during intermediate operations
958 lhs.set_origin_tag(empty_tag);
959 rhs.set_origin_tag(empty_tag);
960
961 if (lhs.is_normalized() || rhs.is_normalized()) {
962 ctx->assert_equal(lhs.get_witness_index(), rhs.get_witness_index(), msg);
963 } else {
964 // Instead of creating 2 gates for normalizing both witnesses and applying a copy constraint, we use a
965 // single `add` gate constraining a - b = 0
966 ctx->create_add_gate({ .a = lhs.witness_index,
967 .b = rhs.witness_index,
968 .c = ctx->zero_idx(),
969 .a_scaling = lhs.multiplicative_constant,
970 .b_scaling = -rhs.multiplicative_constant,
971 .c_scaling = 0,
972 .const_scaling = lhs.additive_constant - rhs.additive_constant });
973 if ((lhs.get_value() != rhs.get_value()) && !ctx->failed()) {
974 ctx->failure(msg);
975 }
976 }
977
978 // Restore tags
979 lhs.set_origin_tag(lhs_original_tag);
980 rhs.set_origin_tag(rhs_original_tag);
981 }
982}
986template <typename Builder> void field_t<Builder>::assert_not_equal(const field_t& rhs, std::string const& msg) const
987{
988 const field_t lhs = *this;
989 const field_t diff = lhs - rhs;
990 diff.assert_is_not_zero(msg);
991}
995template <typename Builder>
996void field_t<Builder>::assert_is_in_set(const std::vector<field_t>& set, std::string const& msg) const
997{
998 const field_t input = *this;
999 field_t product = (input - set[0]);
1000 for (size_t i = 1; i < set.size(); i++) {
1001 product *= (input - set[i]);
1002 }
1003 product.assert_is_zero(msg);
1004}
1005
1013template <typename Builder>
1014std::array<field_t<Builder>, 4> field_t<Builder>::preprocess_two_bit_table(const field_t& T0,
1015 const field_t& T1,
1016 const field_t& T2,
1017 const field_t& T3)
1018{
1019
1020 std::array<field_t, 4> table;
1021 table[0] = T0; // const coeff
1022 table[1] = T1 - T0; // t0 coeff
1023 table[2] = T2 - T0; // t1 coeff
1024 table[3] = T3.add_two(-table[2], -T1); // t0t1 coeff
1025 return table;
1026}
1027
1031template <typename Builder>
1032std::array<field_t<Builder>, 8> field_t<Builder>::preprocess_three_bit_table(const field_t& T0,
1033 const field_t& T1,
1034 const field_t& T2,
1035 const field_t& T3,
1036 const field_t& T4,
1037 const field_t& T5,
1038 const field_t& T6,
1039 const field_t& T7)
1040{
1041 std::array<field_t, 8> table;
1042 table[0] = T0; // const coeff
1043 table[1] = T1 - T0; // t0 coeff
1044 table[2] = T2 - T0; // t1 coeff
1045 table[3] = T4 - T0; // t2 coeff
1046 table[4] = T3.add_two(-table[2], -T1); // t0t1 coeff
1047 table[5] = T5.add_two(-table[3], -T1); // t0t2 coeff
1048 table[6] = T6.add_two(-table[3], -T2); // t1t2 coeff
1049 table[7] = T7.add_two(-T6 - T5, T4 - table[4]); // t0t1t2 coeff
1050 return table;
1051}
1052
1057template <typename Builder>
1058field_t<Builder> field_t<Builder>::select_from_two_bit_table(const std::array<field_t, 4>& table,
1059 const bool_t<Builder>& t1,
1060 const bool_t<Builder>& t0)
1061{
1062 field_t R0 = field_t(t1).madd(table[3], table[1]);
1063 field_t R1 = R0.madd(field_t(t0), table[0]);
1064 field_t R2 = field_t(t1).madd(table[2], R1);
1065 return R2;
1066}
1067
1079template <typename Builder>
1080field_t<Builder> field_t<Builder>::select_from_three_bit_table(const std::array<field_t, 8>& table,
1081 const bool_t<Builder>& t2,
1082 const bool_t<Builder>& t1,
1083 const bool_t<Builder>& t0)
1084{
1085 field_t R0 = field_t(t0).madd(table[7], table[6]);
1086 field_t R1 = field_t(t1).madd(R0, table[3]);
1087 field_t R2 = field_t(t2).madd(R1, table[0]);
1088 field_t R3 = field_t(t0).madd(table[4], table[2]);
1089 field_t R4 = field_t(t1).madd(R3, R2);
1090 field_t R5 = field_t(t2).madd(table[5], table[1]);
1091 field_t R6 = field_t(t0).madd(R5, R4);
1092 return R6;
1093}
1094
1098template <typename Builder>
1099void field_t<Builder>::evaluate_linear_identity(
1100 const field_t& a, const field_t& b, const field_t& c, const field_t& d, const std::string& msg)
1101{
1102 Builder* ctx = validate_context(a.context, b.context, c.context, d.context);
1103
1104 if (a.is_constant() && b.is_constant() && c.is_constant() && d.is_constant()) {
1105 BB_ASSERT_EQ(a.get_value() + b.get_value() + c.get_value() + d.get_value(), 0);
1106 return;
1107 }
1108
1109 const bool identity_holds = (a.get_value() + b.get_value() + c.get_value() + d.get_value()).is_zero();
1110 if (!identity_holds && !ctx->failed()) {
1111 ctx->failure(msg);
1112 }
1113
1114 // validate that a + b + c + d = 0
1115 bb::fr const_scaling = a.additive_constant + b.additive_constant + c.additive_constant + d.additive_constant;
1116
1117 ctx->create_big_add_gate({
1118 .a = a.is_constant() ? ctx->zero_idx() : a.witness_index,
1119 .b = b.is_constant() ? ctx->zero_idx() : b.witness_index,
1120 .c = c.is_constant() ? ctx->zero_idx() : c.witness_index,
1121 .d = d.is_constant() ? ctx->zero_idx() : d.witness_index,
1122 .a_scaling = a.multiplicative_constant,
1123 .b_scaling = b.multiplicative_constant,
1124 .c_scaling = c.multiplicative_constant,
1125 .d_scaling = d.multiplicative_constant,
1126 .const_scaling = const_scaling,
1127 });
1128}
1134template <typename Builder>
1135void field_t<Builder>::evaluate_polynomial_identity(
1136 const field_t& a, const field_t& b, const field_t& c, const field_t& d, const std::string& msg)
1137{
1138 if (a.is_constant() && b.is_constant() && c.is_constant() && d.is_constant()) {
1139 BB_ASSERT((a.get_value() * b.get_value() + c.get_value() + d.get_value()).is_zero());
1140 return;
1141 }
1142
1143 Builder* ctx = validate_context(a.context, b.context, c.context, d.context);
1144
1145 const bool identity_holds = ((a.get_value() * b.get_value()) + c.get_value() + d.get_value()).is_zero();
1146 if (!identity_holds && !ctx->failed()) {
1147 ctx->failure(msg);
1148 }
1149
1150 // validate that a * b + c + d = 0
1151 bb::fr mul_scaling = a.multiplicative_constant * b.multiplicative_constant;
1152 bb::fr a_scaling = a.multiplicative_constant * b.additive_constant;
1153 bb::fr b_scaling = b.multiplicative_constant * a.additive_constant;
1154 bb::fr c_scaling = c.multiplicative_constant;
1155 bb::fr d_scaling = d.multiplicative_constant;
1156 bb::fr const_scaling = a.additive_constant * b.additive_constant + c.additive_constant + d.additive_constant;
1157
1158 ctx->create_big_mul_add_gate({
1159 .a = a.is_constant() ? ctx->zero_idx() : a.witness_index,
1160 .b = b.is_constant() ? ctx->zero_idx() : b.witness_index,
1161 .c = c.is_constant() ? ctx->zero_idx() : c.witness_index,
1162 .d = d.is_constant() ? ctx->zero_idx() : d.witness_index,
1163 .mul_scaling = mul_scaling,
1164 .a_scaling = a_scaling,
1165 .b_scaling = b_scaling,
1166 .c_scaling = c_scaling,
1167 .d_scaling = d_scaling,
1168 .const_scaling = const_scaling,
1169 });
1170}
1171
1178template <typename Builder> field_t<Builder> field_t<Builder>::accumulate(const std::vector<field_t>& input)
1179{
1180 if (input.empty()) {
1181 return field_t(bb::fr::zero());
1182 }
1183
1184 if (input.size() == 1) {
1185 return input[0].normalize();
1186 }
1187
1188 std::vector<field_t> accumulator;
1189 field_t constant_term = bb::fr::zero();
1190
1191 // Remove constant terms from input field elements
1192 for (const auto& element : input) {
1193 if (element.is_constant()) {
1194 constant_term += element;
1195 } else {
1196 accumulator.emplace_back(element);
1197 }
1198 }
1199 if (accumulator.empty()) {
1200 return constant_term;
1201 }
1202 // Add the accumulated constant term to the first witness. It does not create any gates - only the additive
1203 // constant of `accumulator[0]` is updated.
1204 accumulator[0] += constant_term;
1205
1206 // At this point, the `accumulator` vector consisting of witnesses is not empty, so we can extract the context.
1207 Builder* ctx = validate_context<Builder>(accumulator);
1208
1209 // Step 2: compute output value
1210 size_t num_elements = accumulator.size();
1211 bb::fr output = bb::fr::zero();
1212 for (const auto& acc : accumulator) {
1213 output += acc.get_value();
1214 }
1215
1216 // Pad the accumulator with zeroes so that its size is a multiple of 3.
1217 const size_t num_padding_wires = (num_elements % 3) == 0 ? 0 : 3 - (num_elements % 3);
1218 for (size_t i = 0; i < num_padding_wires; ++i) {
1219 accumulator.emplace_back(field_t<Builder>::from_witness_index(ctx, ctx->zero_idx()));
1220 }
1221 num_elements = accumulator.size();
1222 const size_t num_gates = (num_elements / 3);
1223 // Last gate is handled separetely
1224 const size_t last_gate_idx = num_gates - 1;
1225
1226 field_t total = witness_t(ctx, output);
1227 field_t accumulating_total = total;
1228
1229 // Let
1230 // a_i := accumulator[3*i];
1231 // b_i := accumulator[3*i+1];
1232 // c_i := accumulator[3*i+2];
1233 // d_0 := total;
1234 // d_i := total - \sum_(j < 3*i) accumulator[j];
1235 // which leads us to equations
1236 // d_{i+1} = d_{i} - a_i - b_i - c_i for i = 0, ..., last_idx - 1;
1237 // 0 = d_{i} - a_i - b_i - c_i for i = last_gate_idx,
1238 // that are turned into constraints below.
1239
1240 for (size_t i = 0; i < last_gate_idx; ++i) {
1241 // For i < last_gate_idx, we create a `big_add_gate` constraint
1242 // a_i.v * a_scaling + b_i.v * b_scaling + c_i.v * c_scaling + d_i.v * d_scaling + const_scaling +
1243 // w_4_omega = 0
1244 // where
1245 // a_scaling := a_i.mul
1246 // b_scaling := b_i.mul
1247 // c_scaling := c_i.mul
1248 // d_scaling := -1
1249 // const_scaling := a_i.add + b_i.add + c_i.add
1250 // w_4_omega := d_{i+1}
1251 ctx->create_big_add_gate(
1252 {
1253 .a = accumulator[3 * i].witness_index,
1254 .b = accumulator[3 * i + 1].witness_index,
1255 .c = accumulator[3 * i + 2].witness_index,
1256 .d = accumulating_total.witness_index,
1257 .a_scaling = accumulator[3 * i].multiplicative_constant,
1258 .b_scaling = accumulator[3 * i + 1].multiplicative_constant,
1259 .c_scaling = accumulator[3 * i + 2].multiplicative_constant,
1260 .d_scaling = -1,
1261 .const_scaling = accumulator[3 * i].additive_constant + accumulator[3 * i + 1].additive_constant +
1262 accumulator[3 * i + 2].additive_constant,
1263 },
1264 /*use_next_gate_w_4 = */ true);
1265 bb::fr new_total = accumulating_total.get_value() - accumulator[3 * i].get_value() -
1266 accumulator[3 * i + 1].get_value() - accumulator[3 * i + 2].get_value();
1267 accumulating_total = witness_t<Builder>(ctx, new_total);
1268 }
1269
1270 // For i = last_gate_idx, we create a `big_add_gate` constraining
1271 // a_i.v * a_scaling + b_i.v * b_scaling + c_i.v * c_scaling + d_i.v * d_scaling + const_scaling = 0
1272 ctx->create_big_add_gate({
1273 .a = accumulator[3 * last_gate_idx].witness_index,
1274 .b = accumulator[3 * last_gate_idx + 1].witness_index,
1275 .c = accumulator[3 * last_gate_idx + 2].witness_index,
1276 .d = accumulating_total.witness_index,
1277 .a_scaling = accumulator[3 * last_gate_idx].multiplicative_constant,
1278 .b_scaling = accumulator[3 * last_gate_idx + 1].multiplicative_constant,
1279 .c_scaling = accumulator[3 * last_gate_idx + 2].multiplicative_constant,
1280 .d_scaling = -1,
1281 .const_scaling = accumulator[3 * last_gate_idx].additive_constant +
1282 accumulator[3 * last_gate_idx + 1].additive_constant +
1283 accumulator[3 * last_gate_idx + 2].additive_constant,
1284 });
1285 OriginTag new_tag = OriginTag::constant(); // Initialize as CONSTANT so merging with input tags works correctly
1286 for (const auto& single_input : input) {
1287 new_tag = OriginTag(new_tag, single_input.tag);
1288 }
1289 total.tag = new_tag;
1290 return total.normalize();
1291}
1292
1301template <typename Builder>
1302std::pair<field_t<Builder>, field_t<Builder>> field_t<Builder>::no_wrap_split_at(const size_t lsb_index,
1303 const size_t num_bits) const
1304{
1305 BB_ASSERT(lsb_index < num_bits);
1306 BB_ASSERT(num_bits <= grumpkin::MAX_NO_WRAP_INTEGER_BIT_LENGTH);
1307
1308 const uint256_t value = get_value();
1309 const uint256_t hi = value >> lsb_index;
1310 const uint256_t lo = value % (uint256_t(1) << lsb_index);
1311
1312 if (is_constant()) {
1313 // If `*this` is constant, we can return the split values directly
1314 BB_ASSERT(lo + (hi << lsb_index) == value);
1315 return std::make_pair(field_t<Builder>(lo), field_t<Builder>(hi));
1316 }
1317
1318 // Handle edge case when lsb_index == 0
1319 if (lsb_index == 0) {
1320 BB_ASSERT(hi == value);
1321 BB_ASSERT(lo == 0);
1322 create_range_constraint(num_bits, "split_at: hi value too large.");
1323 return std::make_pair(field_t<Builder>(0), *this);
1324 }
1325
1326 Builder* ctx = get_context();
1327 BB_ASSERT(ctx != nullptr);
1328
1329 field_t<Builder> lo_wit(witness_t(ctx, lo));
1330 field_t<Builder> hi_wit(witness_t(ctx, hi));
1331
1332 // Ensure that `lo_wit` is in the range [0, 2^lsb_index - 1]
1333 lo_wit.create_range_constraint(lsb_index, "split_at: lo value too large.");
1334
1335 // Ensure that `hi_wit` is in the range [0, 2^(num_bits - lsb_index) - 1]
1336 hi_wit.create_range_constraint(num_bits - lsb_index, "split_at: hi value too large.");
1337
1338 // Check that *this = lo_wit + hi_wit * 2^{lsb_index}
1339 const field_t<Builder> reconstructed = lo_wit + (hi_wit * field_t<Builder>(uint256_t(1) << lsb_index));
1340 assert_equal(reconstructed, "split_at: decomposition failed");
1341
1342 // Set the origin tag for both witnesses
1343 lo_wit.set_origin_tag(tag);
1344 hi_wit.set_origin_tag(tag);
1345
1346 return std::make_pair(lo_wit, hi_wit);
1347}
1348
1349template class field_t<bb::UltraCircuitBuilder>;
1350template class field_t<bb::MegaCircuitBuilder>;
1351
1352} // namespace bb::stdlib
BB_ASSERT
#define BB_ASSERT(expression,...)
Definition assert.hpp:70
BB_ASSERT_DEBUG
#define BB_ASSERT_DEBUG(expression,...)
Definition assert.hpp:55
BB_ASSERT_EQ
#define BB_ASSERT_EQ(actual, expected,...)
Definition assert.hpp:83
BB_ASSERT_LT
#define BB_ASSERT_LT(left, right,...)
Definition assert.hpp:143
bb::UltraCircuitBuilder_::DEFAULT_PLOOKUP_RANGE_BITNUM
static constexpr size_t DEFAULT_PLOOKUP_RANGE_BITNUM
Definition ultra_circuit_builder.hpp:52
bb::numeric::uint256_t
Definition uint256.hpp:32
bb::numeric::uint256_t::data
uint64_t data[4]
Definition uint256.hpp:219
bb::numeric::uint256_t::get_msb
constexpr uint64_t get_msb() const
Definition uint256_impl.hpp:368
bb::stdlib::bool_t
Implements boolean logic in-circuit.
Definition bool.hpp:60
bb::stdlib::bool_t::get_value
bool get_value() const
Definition bool.hpp:125
bb::stdlib::bool_t::is_constant
bool is_constant() const
Definition bool.hpp:127
bb::stdlib::bool_t::set_origin_tag
void set_origin_tag(const OriginTag &new_tag) const
Definition bool.hpp:154
bb::stdlib::bool_t::witness_bool
bool witness_bool
Definition bool.hpp:169
bb::stdlib::bool_t::witness_index
uint32_t witness_index
Index of the witness in the builder's witness vector.
Definition bool.hpp:178
bb::stdlib::bool_t::witness_inverted
bool witness_inverted
Definition bool.hpp:170
bb::stdlib::bool_t::tag
OriginTag tag
Definition bool.hpp:179
bb::stdlib::bool_t::get_origin_tag
OriginTag get_origin_tag() const
Definition bool.hpp:155
bb::stdlib::field_t
Definition field.hpp:46
bb::stdlib::field_t< Builder >::assert_is_zero
void assert_is_zero(std::string const &msg="field_t::assert_is_zero") const
Enforce a copy constraint between *this and 0 stored at zero_idx of the Builder.
Definition field.cpp:687
bb::stdlib::field_t< Builder >::conditional_negate
field_t conditional_negate(const bool_t< Builder > &predicate) const
If predicate's value == true, negate the value, else keep it unchanged.
Definition field.cpp:867
bb::stdlib::field_t::Builder
Builder_ Builder
Definition field.hpp:48
bb::stdlib::field_t< Builder >::assert_is_in_set
void assert_is_in_set(const std::vector< field_t > &set, std::string const &msg="field_t::assert_not_in_set") const
Constrain *this \in set by enforcing that P(X) = \prod_{s \in set} (X - s) is 0 at X = *this.
Definition field.cpp:996
bb::stdlib::field_t::assert_equal
void assert_equal(const field_t &rhs, std::string const &msg="field_t::assert_equal") const
Copy constraint: constrain that *this field is equal to rhs element.
Definition field.cpp:940
bb::stdlib::field_t< Builder >::assert_not_equal
void assert_not_equal(const field_t &rhs, std::string const &msg="field_t::assert_not_equal") const
Constrain *this to be not equal to rhs.
Definition field.cpp:986
bb::stdlib::field_t::is_normalized
bool is_normalized() const
Definition field.hpp:442
bb::stdlib::field_t< Builder >::madd
field_t madd(const field_t &to_mul, const field_t &to_add) const
Definition field.cpp:518
bb::stdlib::field_t< Builder >::from_witness_index
static field_t from_witness_index(Builder *ctx, uint32_t witness_index)
Definition field.cpp:67
bb::stdlib::field_t< Builder >::operator+
field_t operator+(const field_t &other) const
Field addition operator.
Definition field.cpp:132
bb::stdlib::field_t< Builder >::operator!=
bool_t< Builder > operator!=(const field_t &other) const
Compute a bool_t equal to (a != b)
Definition field.cpp:858
bb::stdlib::field_t::additive_constant
bb::fr additive_constant
Definition field.hpp:94
bb::stdlib::field_t< Builder >::select_from_three_bit_table
static field_t select_from_three_bit_table(const std::array< field_t, 8 > &table, const bool_t< Builder > &t2, const bool_t< Builder > &t1, const bool_t< Builder > &t0)
Given a multilinear polynomial in 3 variables, which is represented by a table of monomial coefficien...
Definition field.cpp:1080
bb::stdlib::field_t< Builder >::evaluate_polynomial_identity
static void evaluate_polynomial_identity(const field_t &a, const field_t &b, const field_t &c, const field_t &d, const std::string &msg="field_t::evaluate_polynomial_identity")
Given a, b, c, d, constrain a * b + c + d = 0 by creating a big_mul_gate.
Definition field.cpp:1135
bb::stdlib::field_t< Builder >::accumulate
static field_t accumulate(const std::vector< field_t > &input)
Efficiently compute the sum of vector entries. Using big_add_gate we reduce the number of gates neede...
Definition field.cpp:1178
bb::stdlib::field_t::tag
OriginTag tag
Definition field.hpp:148
bb::stdlib::field_t< Builder >::operator-
field_t operator-() const
Definition field.hpp:347
bb::stdlib::field_t< Builder >::create_range_constraint
void create_range_constraint(size_t num_bits, std::string const &msg="field_t::range_constraint") const
Let x = *this.normalize(), constrain x.v < 2^{num_bits}.
Definition field.cpp:919
bb::stdlib::field_t< Builder >::divide_no_zero_check
field_t divide_no_zero_check(const field_t &other) const
Given field elements a = *this and b = other, output a / b without checking whether b = 0.
Definition field.cpp:320
bb::stdlib::field_t::context
Builder * context
Definition field.hpp:57
bb::stdlib::field_t< Builder >::preprocess_three_bit_table
static std::array< field_t, 8 > preprocess_three_bit_table(const field_t &T0, const field_t &T1, const field_t &T2, const field_t &T3, const field_t &T4, const field_t &T5, const field_t &T6, const field_t &T7)
Given a table T of size 8, outputs the monomial coefficients of the multilinear polynomial in t0,...
Definition field.cpp:1032
bb::stdlib::field_t::multiplicative_constant
bb::fr multiplicative_constant
Definition field.hpp:95
bb::stdlib::field_t::get_context
Builder * get_context() const
Definition field.hpp:431
bb::stdlib::field_t::sqr
field_t sqr() const
Definition field.hpp:283
bb::stdlib::field_t< Builder >::conditional_assign_internal
static field_t conditional_assign_internal(const bool_t< Builder > &predicate, const field_t &lhs, const field_t &rhs)
If predicate == true then return lhs, else return rhs.
Definition field.cpp:893
bb::stdlib::field_t::get_origin_tag
OriginTag get_origin_tag() const
Definition field.hpp:358
bb::stdlib::field_t::get_value
bb::fr get_value() const
Given a := *this, compute its value given by a.v * a.mul + a.add.
Definition field.cpp:836
bb::stdlib::field_t< Builder >::operator*
field_t operator*(const field_t &other) const
Field multiplication operator.
Definition field.cpp:200
bb::stdlib::field_t< Builder >::field_t
field_t(Builder *parent_context=nullptr)
Definition field.cpp:21
bb::stdlib::field_t::normalize
field_t normalize() const
Return a new element, where the in-circuit witness contains the actual represented value (multiplicat...
Definition field.cpp:646
bb::stdlib::field_t< Builder >::select_from_two_bit_table
static field_t select_from_two_bit_table(const std::array< field_t, 4 > &table, const bool_t< Builder > &t1, const bool_t< Builder > &t0)
Given a multilinear polynomial in 2 variables, which is represented by a table of monomial coefficien...
Definition field.cpp:1058
bb::stdlib::field_t< Builder >::is_zero
bool_t< Builder > is_zero() const
Validate whether a field_t element is zero.
Definition field.cpp:783
bb::stdlib::field_t< Builder >::pow
field_t pow(const uint32_t &exponent) const
Raise this field element to the power of the provided uint32_t exponent.
Definition field.cpp:430
bb::stdlib::field_t< Builder >::evaluate_linear_identity
static void evaluate_linear_identity(const field_t &a, const field_t &b, const field_t &c, const field_t &d, const std::string &msg="field_t::evaluate_linear_identity")
Constrain a + b + c + d to be equal to 0.
Definition field.cpp:1099
bb::stdlib::field_t::is_constant
bool is_constant() const
Definition field.hpp:441
bb::stdlib::field_t< Builder >::preprocess_two_bit_table
static std::array< field_t, 4 > preprocess_two_bit_table(const field_t &T0, const field_t &T1, const field_t &T2, const field_t &T3)
Given a table T of size 4, outputs the monomial coefficients of the multilinear polynomial in t0,...
Definition field.cpp:1014
bb::stdlib::field_t::set_free_witness_tag
void set_free_witness_tag()
Set the free witness flag for the field element's tag.
Definition field.hpp:363
bb::stdlib::field_t::set_origin_tag
void set_origin_tag(const OriginTag &new_tag) const
Definition field.hpp:357
bb::stdlib::field_t::witness_index
uint32_t witness_index
Definition field.hpp:145
bb::stdlib::field_t< Builder >::add_two
field_t add_two(const field_t &add_b, const field_t &add_c) const
Efficiently compute (this + a + b) using big_mul gate.
Definition field.cpp:583
bb::stdlib::field_t< Builder >::no_wrap_split_at
std::pair< field_t< Builder >, field_t< Builder > > no_wrap_split_at(const size_t lsb_index, const size_t num_bits=grumpkin::MAX_NO_WRAP_INTEGER_BIT_LENGTH) const
Splits the field element into (lo, hi), where:
Definition field.cpp:1302
bb::stdlib::field_t::assert_is_not_zero
void assert_is_not_zero(std::string const &msg="field_t::assert_is_not_zero") const
Constrain *this to be non-zero by establishing that it has an inverse.
Definition field.cpp:718
bb::stdlib::field_t< Builder >::operator/
field_t operator/(const field_t &other) const
Since in divide_no_zero_check, we check by the constraint , if , we can set to any value and it wil...
Definition field.cpp:310
bb::stdlib::field_t< Builder >::operator==
bool_t< Builder > operator==(const field_t &other) const
Compute a bool_t equal to (a == b)
Definition field.cpp:850
bb::stdlib::field_t::get_witness_index
uint32_t get_witness_index() const
Get the witness index of the current field element.
Definition field.hpp:518
bb::stdlib::witness_t
Definition witness.hpp:16
context
StrictMock< MockContext > context
Definition data_copy.test.cpp:59
a
FF a
Definition field_gt.test.cpp:52
b
FF b
Definition field_gt.test.cpp:53
value
FF value
Definition indexed_tree_check.test.cpp:67
field_utils.hpp
bb::grumpkin::MAX_NO_WRAP_INTEGER_BIT_LENGTH
constexpr size_t MAX_NO_WRAP_INTEGER_BIT_LENGTH
Definition grumpkin.hpp:16
bb::numeric::get_msb
constexpr T get_msb(const T in)
Definition get_msb.hpp:49
bb::stdlib::validate_context
T * validate_context(T *ptr)
Definition field.hpp:17
bb::stdlib::element
std::conditional_t< IsGoblinBigGroup< C, Fq, Fr, G >, element_goblin::goblin_element< C, goblin_field< C >, Fr, G >, element_default::element< C, Fq, Fr, G > > element
element wraps either element_default::element or element_goblin::goblin_element depending on parametr...
Definition biggroup.hpp:1023
bb::stdlib::mark_witness_as_used
void mark_witness_as_used(const field_t< Builder > &field)
Mark a field_t witness as used (for UltraBuilder only).
Definition field_utils.cpp:107
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
bb::operator+
Univariate< Fr, domain_end > operator+(const Fr &ff, const Univariate< Fr, domain_end > &uv)
Definition univariate.hpp:554
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
bb::OriginTag::constant
static OriginTag constant()
Definition origin_tag.hpp:181
bb::field< Bn254FrParams >::neg_one
static constexpr field neg_one()
Definition field_declarations.hpp:278
bb::field< Bn254FrParams >::one
static constexpr field one()
Definition field_declarations.hpp:279
bb::field::invert
constexpr field invert() const noexcept
Definition field_impl.hpp:397
bb::field::is_zero
BB_INLINE constexpr bool is_zero() const noexcept
Definition field_impl.hpp:764
bb::field< Bn254FrParams >::zero
static constexpr field zero()
Definition field_declarations.hpp:277