barretenberg-doxygen/3f0fad0de81d472cf71c03df11cf01ed6e7e09e0/cycle__group_8hpp_source.html

#pragma once


#include "barretenberg/crypto/pedersen_commitment/pedersen.hpp"

#include "barretenberg/ecc/curves/grumpkin/grumpkin.hpp"

#include "barretenberg/proof_system/plookup_tables/fixed_base/fixed_base_params.hpp"

#include "barretenberg/stdlib/primitives/bool/bool.hpp"

#include "barretenberg/stdlib/primitives/circuit_builders/circuit_builders.hpp"

#include "barretenberg/stdlib/primitives/field/field.hpp"

#include <optional>


namespace proof_system::plonk::stdlib {


template <typename Composer>

concept IsUltraArithmetic = (Composer::CIRCUIT_TYPE == CircuitType::ULTRA);

template <typename Composer>

concept IsNotUltraArithmetic = (Composer::CIRCUIT_TYPE != CircuitType::ULTRA);


template <typename Composer> class cycle_group {

  public:

    using field_t = stdlib::field_t<Composer>;

    using bool_t = stdlib::bool_t<Composer>;

    using witness_t = stdlib::witness_t<Composer>;

    using FF = typename Composer::FF;

    using Curve = typename Composer::EmbeddedCurve;

    using Group = typename Curve::Group;

    using Element = typename Curve::Element;

    using AffineElement = typename Curve::AffineElement;

    using GeneratorContext = crypto::GeneratorContext<Curve>;

    using ScalarField = typename Curve::ScalarField;


    static constexpr size_t STANDARD_NUM_TABLE_BITS = 1;

    static constexpr size_t ULTRA_NUM_TABLE_BITS = 4;

    static constexpr bool IS_ULTRA = Composer::CIRCUIT_TYPE == CircuitType::ULTRA;

    static constexpr size_t TABLE_BITS = IS_ULTRA ? ULTRA_NUM_TABLE_BITS : STANDARD_NUM_TABLE_BITS;

    static constexpr size_t NUM_BITS = ScalarField::modulus.get_msb() + 1;

    static constexpr size_t NUM_ROUNDS = (NUM_BITS + TABLE_BITS - 1) / TABLE_BITS;

    inline static constexpr std::string_view OFFSET_GENERATOR_DOMAIN_SEPARATOR = "cycle_group_offset_generator";


  private:

  public:

    struct cycle_scalar {

        static constexpr size_t LO_BITS = plookup::FixedBaseParams::BITS_PER_LO_SCALAR;

        static constexpr size_t HI_BITS = NUM_BITS - LO_BITS;

        field_t lo;

        field_t hi;


      private:

        size_t _num_bits = NUM_BITS;

        bool _skip_primality_test = false;

        // if our scalar multiplier is a bn254 FF scalar (e.g. pedersen hash),

        // we want to validate the cycle_scalar < bn254::fr::modulus *not* grumpkin::fr::modulus

        bool _use_bn254_scalar_field_for_primality_test = false;


      public:

        cycle_scalar(const field_t& _lo,

                     const field_t& _hi,

                     const size_t bits,

                     const bool skip_primality_test,

                     const bool use_bn254_scalar_field_for_primality_test)

            : lo(_lo)

            , hi(_hi)

            , _num_bits(bits)

            , _skip_primality_test(skip_primality_test)

            , _use_bn254_scalar_field_for_primality_test(use_bn254_scalar_field_for_primality_test){};

        cycle_scalar(const ScalarField& _in = 0);

        cycle_scalar(const field_t& _lo, const field_t& _hi);

        cycle_scalar(const field_t& _in);

        static cycle_scalar from_witness(Composer* context, const ScalarField& value);

        static cycle_scalar from_witness_bitstring(Composer* context, const uint256_t& bitstring, size_t num_bits);

        static cycle_scalar create_from_bn254_scalar(const field_t& _in, bool skip_primality_test = false);

        [[nodiscard]] bool is_constant() const;

        ScalarField get_value() const;

        Composer* get_context() const { return lo.get_context() != nullptr ? lo.get_context() : hi.get_context(); }

        [[nodiscard]] size_t num_bits() const { return _num_bits; }

        [[nodiscard]] bool skip_primality_test() const { return _skip_primality_test; }

        [[nodiscard]] bool use_bn254_scalar_field_for_primality_test() const

        {

            return _use_bn254_scalar_field_for_primality_test;

        }

        void validate_scalar_is_in_field() const;

    };


    struct straus_scalar_slice {

        straus_scalar_slice(Composer* context, const cycle_scalar& scalars, size_t table_bits);

        std::optional<field_t> read(size_t index);

        size_t _table_bits;

        std::vector<field_t> slices;

    };


    struct straus_lookup_table {

      public:

        straus_lookup_table() = default;

        straus_lookup_table(Composer* context,

                            const cycle_group& base_point,

                            const cycle_group& offset_generator,

                            size_t table_bits);

        cycle_group read(const field_t& index);

        size_t _table_bits;

        Composer* _context;

        std::vector<cycle_group> point_table;

        size_t rom_id = 0;

    };


  private:

    struct batch_mul_internal_output {

        cycle_group accumulator;

        AffineElement offset_generator_delta;

    };


  public:

    cycle_group(Composer* _context = nullptr);

    cycle_group(field_t _x, field_t _y, bool_t _is_infinity);

    cycle_group(const FF& _x, const FF& _y, bool _is_infinity);

    cycle_group(const AffineElement& _in);

    static cycle_group from_witness(Composer* _context, const AffineElement& _in);

    static cycle_group from_constant_witness(Composer* _context, const AffineElement& _in);

    Composer* get_context(const cycle_group& other) const;

    Composer* get_context() const { return context; }

    AffineElement get_value() const;

    [[nodiscard]] bool is_constant() const { return _is_constant; }

    bool_t is_point_at_infinity() const { return _is_infinity; }

    void set_point_at_infinity(const bool_t& is_infinity) { _is_infinity = is_infinity; }

    void validate_is_on_curve() const;

    cycle_group dbl() const

        requires IsUltraArithmetic<Composer>;

    cycle_group dbl() const

        requires IsNotUltraArithmetic<Composer>;

    cycle_group unconditional_add(const cycle_group& other) const

        requires IsUltraArithmetic<Composer>;

    cycle_group unconditional_add(const cycle_group& other) const

        requires IsNotUltraArithmetic<Composer>;

    cycle_group unconditional_subtract(const cycle_group& other) const;

    cycle_group checked_unconditional_add(const cycle_group& other) const;

    cycle_group checked_unconditional_subtract(const cycle_group& other) const;

    cycle_group operator+(const cycle_group& other) const;

    cycle_group operator-(const cycle_group& other) const;

    cycle_group operator-() const;

    cycle_group& operator+=(const cycle_group& other);

    cycle_group& operator-=(const cycle_group& other);

    static cycle_group batch_mul(const std::vector<cycle_scalar>& scalars,

                                 const std::vector<cycle_group>& base_points,

                                 GeneratorContext context = {});

    cycle_group operator*(const cycle_scalar& scalar) const;

    cycle_group& operator*=(const cycle_scalar& scalar);

    bool_t operator==(const cycle_group& other) const;

    void assert_equal(const cycle_group& other, std::string const& msg = "cycle_group::assert_equal") const;

    static cycle_group conditional_assign(const bool_t& predicate, const cycle_group& lhs, const cycle_group& rhs);

    cycle_group operator/(const cycle_group& other) const;

    field_t x;

    field_t y;


  private:

    bool_t _is_infinity;

    bool _is_constant;

    Composer* context;


    static batch_mul_internal_output _variable_base_batch_mul_internal(std::span<cycle_scalar> scalars,

                                                                       std::span<cycle_group> base_points,

                                                                       std::span<AffineElement const> offset_generators,

                                                                       bool unconditional_add);


    static batch_mul_internal_output _fixed_base_batch_mul_internal(std::span<cycle_scalar> scalars,

                                                                    std::span<AffineElement> base_points,

                                                                    std::span<AffineElement const> offset_generators)

        requires IsUltraArithmetic<Composer>;

    static batch_mul_internal_output _fixed_base_batch_mul_internal(std::span<cycle_scalar> scalars,

                                                                    std::span<AffineElement> base_points,

                                                                    std::span<AffineElement const> offset_generators)

        requires IsNotUltraArithmetic<Composer>;

};


template <typename ComposerContext>

inline std::ostream& operator<<(std::ostream& os, cycle_group<ComposerContext> const& v)

{

    return os << v.get_value();

}


EXTERN_STDLIB_TYPE(cycle_group);


} // namespace proof_system::plonk::stdlib

numeric::uint256_t
Definition: uint256.hpp:25

proof_system::plonk::StandardComposer
Definition: standard_composer.hpp:14

proof_system::plonk::stdlib::bool_t< Composer >

proof_system::plonk::stdlib::cycle_group
cycle_group represents a group Element of the proving system's embedded curve i.e....
Definition: cycle_group.hpp:27

proof_system::plonk::stdlib::cycle_group::validate_is_on_curve
void validate_is_on_curve() const
On-curve check.
Definition: cycle_group.cpp:156

proof_system::plonk::stdlib::cycle_group::checked_unconditional_add
cycle_group checked_unconditional_add(const cycle_group &other) const
Will evaluate ECC point addition over *this and other. Uses incomplete addition formula If incomplete...
Definition: cycle_group.cpp:365

proof_system::plonk::stdlib::cycle_group::dbl
cycle_group dbl() const
Evaluates a doubling. Does not use Ultra double gate.
Definition: cycle_group.cpp:174

proof_system::plonk::stdlib::cycle_group::batch_mul
static cycle_group batch_mul(const std::vector< cycle_scalar > &scalars, const std::vector< cycle_group > &base_points, GeneratorContext context={})
Multiscalar multiplication algorithm.
Definition: cycle_group.cpp:1185

proof_system::plonk::stdlib::cycle_group::unconditional_add
cycle_group unconditional_add(const cycle_group &other) const
Will evaluate ECC point addition over *this and other. Incomplete addition formula edge cases are NOT...
Definition: cycle_group.cpp:234

proof_system::plonk::stdlib::cycle_group::from_witness
static cycle_group from_witness(Composer *_context, const AffineElement &_in)
Converts an AffineElement into a circuit witness.
Definition: cycle_group.cpp:97

proof_system::plonk::stdlib::cycle_group::from_constant_witness
static cycle_group from_constant_witness(Composer *_context, const AffineElement &_in)
Converts a native AffineElement into a witness, but constrains the witness values to be known constan...
Definition: cycle_group.cpp:121

proof_system::plonk::stdlib::cycle_group::checked_unconditional_subtract
cycle_group checked_unconditional_subtract(const cycle_group &other) const
Will evaluate ECC point subtraction over *this and other. Uses incomplete addition formula If incompl...
Definition: cycle_group.cpp:385

proof_system::plonk::stdlib::cycle_group::unconditional_subtract
cycle_group unconditional_subtract(const cycle_group &other) const
will evaluate ECC point subtraction over *this and other. Incomplete addition formula edge cases are ...
Definition: cycle_group.cpp:309

proof_system::plonk::stdlib::field_t< Composer >

proof_system::plonk::stdlib::witness_t
Definition: witness.hpp:10

proof_system::plonk::stdlib::IsNotUltraArithmetic
Definition: cycle_group.hpp:16

proof_system::plonk::stdlib::IsUltraArithmetic
Definition: cycle_group.hpp:14

crypto::GeneratorContext
Definition: generator_data.hpp:133

proof_system::plonk::stdlib::cycle_group::cycle_scalar
cycle_scalar represents a member of the cycle curve SCALAR FIELD. This is NOT the native circuit fiel...
Definition: cycle_group.hpp:66

proof_system::plonk::stdlib::cycle_group::cycle_scalar::validate_scalar_is_in_field
void validate_scalar_is_in_field() const
Checks that a cycle_scalar value is smaller than a prime field modulus when evaluated over the INTEGE...
Definition: cycle_group.cpp:645

proof_system::plonk::stdlib::cycle_group::cycle_scalar::create_from_bn254_scalar
static cycle_scalar create_from_bn254_scalar(const field_t &_in, bool skip_primality_test=false)
Use when we want to multiply a group element by a string of bits of known size. N....
Definition: cycle_group.cpp:610

proof_system::plonk::stdlib::cycle_group::cycle_scalar::from_witness_bitstring
static cycle_scalar from_witness_bitstring(Composer *context, const uint256_t &bitstring, size_t num_bits)
Use when we want to multiply a group element by a string of bits of known size. N....
Definition: cycle_group.cpp:587

proof_system::plonk::stdlib::cycle_group::straus_lookup_table
straus_lookup_table computes a lookup table of size 1 << table_bits
Definition: cycle_group.hpp:145

proof_system::plonk::stdlib::cycle_group::straus_lookup_table::read
cycle_group read(const field_t &index)
Given an _index witness, return straus_lookup_table[index]
Definition: cycle_group.cpp:852

proof_system::plonk::stdlib::cycle_group::straus_scalar_slice
straus_scalar_slice decomposes an input scalar into table_bits bit-slices. Used in batch_mul,...
Definition: cycle_group.hpp:113

proof_system::plonk::stdlib::cycle_group::straus_scalar_slice::read
std::optional< field_t > read(size_t index)
Return a bit-slice associated with round index.
Definition: cycle_group.cpp:773