Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
pairing_points.hpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: complete, auditors: [Luke], commit: }
3// external_1: { status: not started, auditors: [], commit: }
4// external_2: { status: not started, auditors: [], commit: }
5// =====================
6
7#pragma once
8#include "barretenberg/commitment_schemes/pairing_points.hpp"
9#include "barretenberg/common/assert.hpp"
10#include "barretenberg/stdlib/primitives/curves/bn254.hpp"
11#include "barretenberg/stdlib/primitives/field/field.hpp"
12#include "barretenberg/stdlib/primitives/field/field_conversion.hpp"
13#include "barretenberg/stdlib_circuit_builders/mega_circuit_builder.hpp"
14#include "barretenberg/transcript/transcript.hpp"
15#include <type_traits>
16
17namespace bb::stdlib::recursion {
18
26template <typename Curve> struct PairingPoints {
27 using Builder = typename Curve::Builder;
28 using Group = Curve::Group;
29 using Fq = Curve::BaseField;
30 using Fr = Curve::ScalarField;
31
32 // Number of bb::fr field elements used to represent pairing points in public inputs
33 static constexpr size_t PUBLIC_INPUTS_SIZE = PAIRING_POINTS_SIZE;
34
35 uint32_t tag_index = 0; // Index of the tag for tracking pairing point aggregation
36
37 Group& P0() { return _points[0]; }
38 Group& P1() { return _points[1]; }
39 const Group& P0() const { return _points[0]; }
40 const Group& P1() const { return _points[1]; }
41
42 bool is_populated() const { return has_data_; }
43 bool is_default() const { return is_default_; }
44
45 PairingPoints() = default;
46
47 PairingPoints(const Group& p0, const Group& p1)
48 : _points{ p0, p1 }
49 , has_data_(true)
50 {
51 Builder* builder = validate_context<Builder>(p0.get_context(), p1.get_context());
52 if (builder != nullptr) {
53 tag_index = builder->pairing_points_tagging.create_pairing_point_tag();
54 }
55
56#ifndef NDEBUG
57 bb::PairingPoints<typename Curve::NativeCurve> native_pp(P0().get_value(), P1().get_value());
58 info("Are Pairing Points with tag ", tag_index, " valid? ", native_pp.check() ? "true" : "false");
59#endif
60 }
61
65 static PairingPoints reconstruct_from_public(
66 const std::span<const stdlib::field_t<Builder>, PUBLIC_INPUTS_SIZE>& limbs)
67 {
68 using Codec = StdlibCodec<stdlib::field_t<Builder>>;
69 constexpr size_t GROUP_SIZE = Codec::template calc_num_fields<Group>();
70 Group p0 = Codec::template deserialize_from_fields<Group>(limbs.template subspan<0, GROUP_SIZE>());
71 Group p1 = Codec::template deserialize_from_fields<Group>(limbs.template subspan<GROUP_SIZE, GROUP_SIZE>());
72 return PairingPoints(p0, p1);
73 }
74
75 // Iterator support (used by validate_context to extract Builder* from the contained group elements)
76 auto begin() { return _points.begin(); }
77 auto end() { return _points.end(); }
78 auto begin() const { return _points.begin(); }
79 auto end() const { return _points.end(); }
80
96 static PairingPoints aggregate_multiple(std::vector<PairingPoints>& pairing_points, bool handle_edge_cases = true)
97 {
98 size_t num_points = pairing_points.size();
99 BB_ASSERT_GT(num_points, 1UL, "This method should be used only with more than one pairing point.");
100
101 std::vector<Group> first_components;
102 first_components.reserve(num_points);
103 std::vector<Group> second_components;
104 second_components.reserve(num_points);
105 for (const auto& points : pairing_points) {
106 first_components.emplace_back(points.P0());
107 second_components.emplace_back(points.P1());
108 }
109
110 // Fiat-Shamir: hash all points for binding, but only need n-1 challenges
111 StdlibTranscript<Builder> transcript{};
112 std::vector<std::string> labels;
113 labels.reserve(num_points - 1); // Only need n-1 challenges
114 for (size_t idx = 0; auto [first, second] : zip_view(first_components, second_components)) {
115 transcript.add_to_hash_buffer("first_component_" + std::to_string(idx), first);
116 transcript.add_to_hash_buffer("second_component_" + std::to_string(idx), second);
117 // Generate challenges for points 1..n-1 (skip the first point)
118 if (idx > 0) {
119 labels.emplace_back("pp_aggregation_challenge_" + std::to_string(idx));
120 }
121 idx++;
122 }
123
124 std::vector<Fr> challenges = transcript.template get_challenges<Fr>(labels);
125
126 // Aggregate: P_agg = P₀ + r₁·P₁ + r₂·P₂ + ... + rₙ₋₁·Pₙ₋₁
127 Group P0;
128 Group P1;
129
130 // For MegaCircuitBuilder (Goblin): batch_mul optimizes constant scalar 1 (uses add instead of mul)
131 // so we can include all points in a single batch_mul with scalar [1, r₁, r₂, ..., rₙ₋₁]
132 // For UltraCircuitBuilder: no optimization for witness point × constant(1), so keep first point separate
133 if constexpr (std::is_same_v<Builder, MegaCircuitBuilder>) {
134 // Single batch_mul for all points (efficient for Goblin with constant scalar 1)
135 std::vector<Fr> scalars;
136 scalars.reserve(num_points);
137 scalars.push_back(Fr(1)); // Optimized by Goblin: add instead of mul
138 scalars.insert(scalars.end(), challenges.begin(), challenges.end());
139
140 P0 = Group::batch_mul(first_components, scalars);
141 P1 = Group::batch_mul(second_components, scalars);
142 } else {
143 // Use first point as base, then batch_mul remaining points
144 std::vector<Group> remaining_first(first_components.begin() + 1, first_components.end());
145 std::vector<Group> remaining_second(second_components.begin() + 1, second_components.end());
146
147 P0 = first_components[0];
148 P1 = second_components[0];
149
150 P0 += Group::batch_mul(remaining_first, challenges, 128, handle_edge_cases);
151 P1 += Group::batch_mul(remaining_second, challenges, 128, handle_edge_cases);
152 }
153
154 PairingPoints aggregated_points(P0, P1);
155
156 // Merge tags
157 Builder* builder = P0.get_context();
158 if (builder != nullptr) {
159 for (const auto& points : pairing_points) {
160 builder->pairing_points_tagging.merge_pairing_point_tags(aggregated_points.tag_index, points.tag_index);
161 }
162 }
163
164 return aggregated_points;
165 }
166
174 void aggregate(PairingPoints const& other)
175 {
176 BB_ASSERT(other.has_data_, "Cannot aggregate null pairing points.");
177
178 // If LHS is empty, simply set it equal to the incoming pairing points
179 if (!this->has_data_ && other.has_data_) {
180 *this = other;
181 return;
182 }
183 // Use transcript to hash all four points to derive a binding challenge
184 StdlibTranscript<Builder> transcript{};
185 transcript.add_to_hash_buffer("Accumulator_P0", P0());
186 transcript.add_to_hash_buffer("Accumulator_P1", P1());
187 transcript.add_to_hash_buffer("Aggregated_P0", other.P0());
188 transcript.add_to_hash_buffer("Aggregated_P1", other.P1());
189 auto recursion_separator =
190 transcript.template get_challenge<typename Curve::ScalarField>("recursion_separator");
191 is_default_ = false; // After aggregation, points are no longer default
192 // If Mega Builder is in use, the EC operations are deferred via Goblin.
193 // batch_mul with constant scalar 1 is optimal here (Goblin uses add instead of mul).
194 if constexpr (std::is_same_v<Builder, MegaCircuitBuilder>) {
195 // Goblin: batch_mul with constant scalar 1 uses add instead of mul
196 P0() = Group::batch_mul({ P0(), other.P0() }, { 1, recursion_separator });
197 P1() = Group::batch_mul({ P1(), other.P1() }, { 1, recursion_separator });
198 } else {
199 // Ultra: 128-bit scalar mul to save gates
200 Group point_to_aggregate = other.P0().scalar_mul(recursion_separator, 128);
201 P0() += point_to_aggregate;
202 point_to_aggregate = other.P1().scalar_mul(recursion_separator, 128);
203 P1() += point_to_aggregate;
204 }
205
206 // Merge the tags in the builder
207 Builder* builder = P0().get_context();
208 if (builder != nullptr) {
209 builder->pairing_points_tagging.merge_pairing_point_tags(this->tag_index, other.tag_index);
210 }
211
212#ifndef NDEBUG
213 bb::PairingPoints<typename Curve::NativeCurve> native_pp(P0().get_value(), P1().get_value());
214 info("Are aggregated Pairing Points with tag ", tag_index, " valid? ", native_pp.check() ? "true" : "false");
215#endif
216 }
217
225 uint32_t set_public(Builder* ctx = nullptr)
226 {
227 BB_ASSERT(this->has_data_, "Calling set_public on empty pairing points.");
228 if (is_default_) {
229 Builder* builder = validate_context<Builder>(ctx, P0().get_context(), P1().get_context());
230 BB_ASSERT(builder != nullptr, "set_public on default pairing points requires a builder context.");
231 return set_default_to_public(builder);
232 }
233 Builder* builder = validate_context<Builder>(ctx, P0().get_context(), P1().get_context());
234 builder->pairing_points_tagging.set_public_pairing_points();
235 uint32_t start_idx = P0().set_public();
236 P1().set_public();
237 return start_idx;
238 }
239
243 void fix_witness()
244 {
245 BB_ASSERT(this->has_data_, "Calling fix_witness on empty pairing points.");
246 P0().fix_witness();
247 P1().fix_witness();
248 }
249
254 bool check() const
255 {
256 BB_ASSERT(this->has_data_, "Calling check on empty pairing points.");
257 bb::PairingPoints<typename Curve::NativeCurve> native_pp(P0().get_value(), P1().get_value());
258 return native_pp.check();
259 }
260
268 static uint32_t set_default_to_public(Builder* builder)
269 {
270 builder->pairing_points_tagging.set_public_pairing_points();
271 // Infinity is represented as (0,0) in biggroup. Directly add zero limbs as public inputs, bypassing bigfield's
272 // self_reduce.
273 uint32_t start_idx = static_cast<uint32_t>(builder->num_public_inputs());
274 for (size_t i = 0; i < PUBLIC_INPUTS_SIZE; i++) {
275 uint32_t idx = builder->add_public_variable(bb::fr(0));
276 builder->fix_witness(idx, bb::fr(0));
277 }
278 return start_idx;
279 }
280
285 static PairingPoints construct_default()
286 {
287 Group P0(Fq(0), Fq(0), /*assert_on_curve=*/false);
288 Group P1(Fq(0), Fq(0), /*assert_on_curve=*/false);
289 PairingPoints pp(P0, P1);
290 pp.is_default_ = true;
291 return pp;
292 }
293
294 private:
295 std::array<Group, 2> _points;
296 bool has_data_ = false;
297 bool is_default_ = false; // True for default (infinity) pairing points from construct_default()
298};
299
300template <typename NCT> std::ostream& operator<<(std::ostream& os, PairingPoints<NCT> const& as)
301{
302 return os << "P0: " << as.P0() << "\n"
303 << "P1: " << as.P1() << "\n"
304 << "is_populated: " << as.is_populated() << "\n"
305 << "tag_index: " << as.tag_index << "\n";
306}
307
308} // namespace bb::stdlib::recursion
BB_ASSERT
#define BB_ASSERT(expression,...)
Definition assert.hpp:70
BB_ASSERT_GT
#define BB_ASSERT_GT(left, right,...)
Definition assert.hpp:113
bb::BaseTranscript
Common transcript class for both parties. Stores the data for the current round, as well as the manif...
Definition transcript.hpp:41
bb::BaseTranscript::add_to_hash_buffer
void add_to_hash_buffer(const std::string &label, const T &element)
Adds an element to the transcript.
Definition transcript.hpp:315
bb::PairingPoints
An object storing two EC points that represent the inputs to a pairing check.
Definition pairing_points.hpp:22
bb::PairingPoints::check
bool check() const
Verify the pairing equation e(P0, [1]₂) · e(P1, [x]₂) = 1.
Definition pairing_points.hpp:77
bb::curve::Grumpkin::Group
typename grumpkin::g1 Group
Definition grumpkin.hpp:63
bb::stdlib::field_t
Definition field.hpp:46
zip_view
Definition zip_view.hpp:166
pairing_points.hpp
info
#define info(...)
Definition log.hpp:93
builder
AluTraceBuilder builder
Definition alu.test.cpp:124
mega_circuit_builder.hpp
bb::stdlib::recursion::operator<<
std::ostream & operator<<(std::ostream &os, PairingPoints< NCT > const &as)
Definition pairing_points.hpp:300
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
std::to_string
std::string to_string(bb::avm2::ValueTag tag)
Definition tagged_value.cpp:402
field_conversion.hpp
StdlibCodec for in-circuit (recursive) verification transcript handling.
bb::stdlib::recursion::PairingPoints
An object storing two EC points that represent the inputs to a pairing check.
Definition pairing_points.hpp:26
bb::stdlib::recursion::PairingPoints::PUBLIC_INPUTS_SIZE
static constexpr size_t PUBLIC_INPUTS_SIZE
Definition pairing_points.hpp:33
bb::stdlib::recursion::PairingPoints::check
bool check() const
Perform native pairing check on the witness values.
Definition pairing_points.hpp:254
bb::stdlib::recursion::PairingPoints::set_default_to_public
static uint32_t set_default_to_public(Builder *builder)
Set the witness indices for the default (infinity) pairing points to public.
Definition pairing_points.hpp:268
bb::stdlib::recursion::PairingPoints::aggregate_multiple
static PairingPoints aggregate_multiple(std::vector< PairingPoints > &pairing_points, bool handle_edge_cases=true)
Aggregate multiple PairingPoints using random linear combination.
Definition pairing_points.hpp:96
bb::stdlib::recursion::PairingPoints::reconstruct_from_public
static PairingPoints reconstruct_from_public(const std::span< const stdlib::field_t< Builder >, PUBLIC_INPUTS_SIZE > &limbs)
Reconstruct PairingPoints from public input limbs.
Definition pairing_points.hpp:65
bb::stdlib::recursion::PairingPoints::aggregate
void aggregate(PairingPoints const &other)
Aggregate another PairingPoints into this one via random linear combination.
Definition pairing_points.hpp:174
bb::stdlib::recursion::PairingPoints::construct_default
static PairingPoints construct_default()
Construct default pairing points (both at infinity).
Definition pairing_points.hpp:285
bb::stdlib::recursion::PairingPoints::fix_witness
void fix_witness()
Record the witness values of pairing points' coordinates in the selectors.
Definition pairing_points.hpp:243
bb::stdlib::recursion::PairingPoints::set_public
uint32_t set_public(Builder *ctx=nullptr)
Set the witness indices for the pairing points to public.
Definition pairing_points.hpp:225
bb::stdlib::recursion::PairingPoints::PairingPoints
PairingPoints(const Group &p0, const Group &p1)
Definition pairing_points.hpp:47