- Generated by
1.9.8
|
Barretenberg
The ZK-SNARK library at the core of Aztec
|
cycle_group represents a group Element of the proving system's embedded curve, i.e. a curve with a cofactor 1 defined over a field equal to the circuit's native field Builder::FF More...
#include <cycle_group.hpp>
Classes | |
| struct | batch_mul_internal_output |
| Stores temporary variables produced by internal multiplication algorithms. More... | |
Public Types | |
| using | field_t = stdlib::field_t< Builder > |
| using | BaseField = field_t |
| using | bool_t = stdlib::bool_t< Builder > |
| using | witness_t = stdlib::witness_t< Builder > |
| using | Curve = bb::curve::Grumpkin |
| using | Group = bb::grumpkin::g1 |
| using | Element = bb::grumpkin::g1::element |
| using | AffineElement = bb::grumpkin::g1::affine_element |
| using | GeneratorContext = crypto::GeneratorContext< Curve > |
| using | BigScalarField = stdlib::bigfield< Builder, bb::fq::Params > |
| using | cycle_scalar = ::bb::stdlib::cycle_scalar< Builder > |
| using | straus_lookup_table = ::bb::stdlib::straus_lookup_table< Builder > |
| using | straus_scalar_slices = ::bb::stdlib::straus_scalar_slices< Builder > |
Public Member Functions | |
| cycle_group (Builder *_context=nullptr) | |
| Construct a new constant point at infinity cycle group object. | |
| cycle_group (field_t _x, field_t _y, bool_t _is_infinity) | |
| Construct a new cycle group<Builder>::cycle group object. | |
| cycle_group (const bb::fr &_x, const bb::fr &_y, bool _is_infinity) | |
| Construct a constant cycle_group object from raw field elements and a boolean. | |
| cycle_group (const AffineElement &_in) | |
| Construct a cycle_group object out of an AffineElement object. | |
| Builder * | get_context (const cycle_group &other) const |
| Builder * | get_context () const |
| AffineElement | get_value () const |
| bool | is_constant () const |
| bool_t | is_point_at_infinity () const |
| bool | is_constant_point_at_infinity () const |
| void | standardize () |
| Convert the point to standard form. | |
| bool | is_standard () const |
| cycle_group | get_standard_form () |
| Convert the point to standard form. | |
| void | validate_on_curve () const |
| On-curve check. | |
| cycle_group | dbl (const std::optional< AffineElement > hint=std::nullopt) const |
| Evaluates a point doubling using Ultra ECC double gate (if non-constant) | |
| cycle_group | unconditional_add (const cycle_group &other, const std::optional< AffineElement > hint=std::nullopt) const |
| cycle_group | unconditional_subtract (const cycle_group &other, const std::optional< AffineElement > hint=std::nullopt) const |
| cycle_group | checked_unconditional_add (const cycle_group &other, const std::optional< AffineElement > hint=std::nullopt) const |
Will evaluate ECC point addition over *this and other. | |
| cycle_group | checked_unconditional_subtract (const cycle_group &other, const std::optional< AffineElement > hint=std::nullopt) const |
Will evaluate ECC point subtraction over *this and other. | |
| cycle_group | operator+ (const cycle_group &other) const |
Will evaluate ECC point addition over *this and other. | |
| cycle_group | operator- (const cycle_group &other) const |
Will evaluate ECC point subtraction over *this and other. | |
| cycle_group | operator- () const |
| Negates a point. | |
| cycle_group & | operator+= (const cycle_group &other) |
| cycle_group & | operator-= (const cycle_group &other) |
| cycle_group | operator* (const cycle_scalar &scalar) const |
| cycle_group & | operator*= (const cycle_scalar &scalar) |
| cycle_group | operator* (const BigScalarField &scalar) const |
| cycle_group & | operator*= (const BigScalarField &scalar) |
| bool_t | operator== (cycle_group &other) |
| void | assert_equal (cycle_group &other, std::string const &msg="cycle_group::assert_equal") |
| cycle_group | operator/ (const cycle_group &other) const |
| void | set_origin_tag (OriginTag tag) const |
| Set the origin tag for x, y and _is_infinity members of cycle_group. | |
| OriginTag | get_origin_tag () const |
| Get the origin tag of cycle_group (a merege of origin tags of x, y and _is_infinity members) | |
| void | set_free_witness_tag () |
| Set the free witness flag for the cycle_group's tags. | |
| void | unset_free_witness_tag () |
| Unset the free witness flag for the cycle_group's tags. | |
| void | fix_witness () |
| uint32_t | set_public () |
| Set the witness indices representing the cycle_group to public. | |
Static Public Member Functions | |
| static cycle_group | one (Builder *_context) |
| Construct a constant cycle_group representation of Group::one. | |
| static cycle_group | constant_infinity (Builder *_context=nullptr) |
| Construct a constant point at infinity. | |
| static cycle_group | from_witness (Builder *_context, const AffineElement &_in) |
| Converts an AffineElement into a circuit witness. | |
| static cycle_group | from_constant_witness (Builder *_context, const AffineElement &_in) |
| Converts a native AffineElement into a witness, but constrains the witness values to be known constants. | |
| static cycle_group | batch_mul (const std::vector< cycle_group > &base_points, const std::vector< BigScalarField > &scalars, GeneratorContext context={}) |
| static cycle_group | batch_mul (const std::vector< cycle_group > &base_points, const std::vector< cycle_scalar > &scalars, const GeneratorContext &context={}) |
| Multiscalar multiplication algorithm. | |
| static cycle_group | conditional_assign (const bool_t &predicate, const cycle_group &lhs, const cycle_group &rhs) |
| static cycle_group | reconstruct_from_public (const std::span< const field_t, 2 > &limbs) |
| Reconstruct a cycle_group from limbs (generally stored in the public inputs) | |
Public Attributes | |
| field_t | x |
| field_t | y |
Static Public Attributes | |
| static constexpr size_t | ROM_TABLE_BITS = 4 |
| static constexpr size_t | NUM_BITS_FULL_FIELD_SIZE = bb::fq::modulus.get_msb() + 1 |
| static constexpr std::string_view | OFFSET_GENERATOR_DOMAIN_SEPARATOR = "cycle_group_offset_generator" |
| static constexpr size_t | PUBLIC_INPUTS_SIZE = 2 |
Private Member Functions | |
| cycle_group | _unconditional_add_or_subtract (const cycle_group &other, bool is_addition, const std::optional< AffineElement > hint) const |
Will evaluate ECC point addition or subtraction over *this and other. | |
Static Private Member Functions | |
| static batch_mul_internal_output | _variable_base_batch_mul_internal (std::span< cycle_scalar > scalars, std::span< cycle_group > base_points, std::span< AffineElement const > offset_generators, bool unconditional_add) |
| Internal logic to perform a variable-base batch mul using the Straus MSM algorithm. | |
| static batch_mul_internal_output | _fixed_base_batch_mul_internal (std::span< cycle_scalar > scalars, std::span< AffineElement > base_points) |
| Internal algorithm to perform a fixed-base batch mul. | |
Private Attributes | |
| bool_t | _is_infinity |
| bool | _is_standard |
| Builder * | context |
cycle_group represents a group Element of the proving system's embedded curve, i.e. a curve with a cofactor 1 defined over a field equal to the circuit's native field Builder::FF
In barretenberg, cycle group is used to represent the Grumpkin curve defined over the bn254 scalar field.
| Builder |
Definition at line 31 of file cycle_group.hpp.
| using bb::stdlib::cycle_group< Builder >::AffineElement = bb::grumpkin::g1::affine_element |
Definition at line 41 of file cycle_group.hpp.
| using bb::stdlib::cycle_group< Builder >::BaseField = field_t |
Definition at line 34 of file cycle_group.hpp.
| using bb::stdlib::cycle_group< Builder >::BigScalarField = stdlib::bigfield<Builder, bb::fq::Params> |
Definition at line 44 of file cycle_group.hpp.
| using bb::stdlib::cycle_group< Builder >::bool_t = stdlib::bool_t<Builder> |
Definition at line 35 of file cycle_group.hpp.
| using bb::stdlib::cycle_group< Builder >::Curve = bb::curve::Grumpkin |
Definition at line 38 of file cycle_group.hpp.
| using bb::stdlib::cycle_group< Builder >::cycle_scalar = ::bb::stdlib::cycle_scalar<Builder> |
Definition at line 45 of file cycle_group.hpp.
| using bb::stdlib::cycle_group< Builder >::Element = bb::grumpkin::g1::element |
Definition at line 40 of file cycle_group.hpp.
| using bb::stdlib::cycle_group< Builder >::field_t = stdlib::field_t<Builder> |
Definition at line 33 of file cycle_group.hpp.
| using bb::stdlib::cycle_group< Builder >::GeneratorContext = crypto::GeneratorContext<Curve> |
Definition at line 42 of file cycle_group.hpp.
| using bb::stdlib::cycle_group< Builder >::Group = bb::grumpkin::g1 |
Definition at line 39 of file cycle_group.hpp.
| using bb::stdlib::cycle_group< Builder >::straus_lookup_table = ::bb::stdlib::straus_lookup_table<Builder> |
Definition at line 46 of file cycle_group.hpp.
| using bb::stdlib::cycle_group< Builder >::straus_scalar_slices = ::bb::stdlib::straus_scalar_slices<Builder> |
Definition at line 47 of file cycle_group.hpp.
| using bb::stdlib::cycle_group< Builder >::witness_t = stdlib::witness_t<Builder> |
Definition at line 36 of file cycle_group.hpp.
| bb::stdlib::cycle_group< Builder >::cycle_group | ( | Builder * | _context = nullptr | ) |
Construct a new constant point at infinity cycle group object.
Definition at line 27 of file cycle_group.cpp.
| bb::stdlib::cycle_group< Builder >::cycle_group | ( | field_t | _x, |
| field_t | _y, | ||
| bool_t | is_infinity | ||
| ) |
Construct a new cycle group<Builder>::cycle group object.
| _x | |
| _y | |
| is_infinity |
Definition at line 42 of file cycle_group.cpp.
| bb::stdlib::cycle_group< Builder >::cycle_group | ( | const bb::fr & | _x, |
| const bb::fr & | _y, | ||
| bool | is_infinity | ||
| ) |
Construct a constant cycle_group object from raw field elements and a boolean.
is_infinity is a circuit constant. We EXPLICITLY require that whether this point is infinity/not infinity is known at circuit-construction time and we know this point is on the curve. These checks are not constrained. Use from_witness if these conditions are not met. Examples of when conditions are met: point is a derived from a point that is on the curve + not at infinity. e.g. output of a doubling operation
| Builder |
| _x | |
| _y | |
| is_infinity |
Definition at line 76 of file cycle_group.cpp.
| bb::stdlib::cycle_group< Builder >::cycle_group | ( | const AffineElement & | _in | ) |
Construct a cycle_group object out of an AffineElement object.
Uses convention that the coordinates of the point at infinity are (0,0).
_in is not fixed for a given circuit, use from_witness instead. | Builder |
| _in |
Definition at line 97 of file cycle_group.cpp.
|
staticprivate |
Internal algorithm to perform a fixed-base batch mul.
Computes a batch mul of fixed base points using the Straus multiscalar multiplication algorithm with lookup tables. Each scalar (cycle_scalar) is decomposed into two limbs, lo and hi, with 128 and 126 bits respectively. For each limb we use one of four precomputed plookup multi-tables FIXED_BASE_<LEFT/RIGHT>_<LO/HI> corresponding to the lo/hi limbs of the two generator points supported by this algorithm (defined in bb::plookup::fixed_base::table).
The LO multi-tables consist of fifteen basic tables (14 × 9-bit + 1 × 2-bit = 128 bits) and the HI multi-tables consist of fourteen 9-bit basic tables (14 × 9 = 126 bits). Each basic table stores at index i the precomputed points: \([offset\_generator_i] + k \cdot 2^{table\_bits \cdot i} \cdot [base\_point]\) for \(k = 0, 1, ..., 2^{table\_bits} - 1\). The offset generators prevent point-at-infinity edge cases. The algorithm sums all looked-up points to compute \(scalar \cdot [base\_point] + [sum\_of\_offset\_generators]\). We return both the accumulator and the sum of offset generators, so that it can be subtracted off later.
This approach avoids all point doublings and reduces one scalar mul to ~29 lookups + ~29 ecc addition gates.
| Builder |
| scalars | |
| base_points | |
return cycle_group<Builder>::batch_mul_internal_output
Definition at line 921 of file cycle_group.cpp.
|
private |
Will evaluate ECC point addition or subtraction over *this and other.
Incomplete addition formula edge cases are NOT checked! Only use this method if you know the x-coordinates of the operands cannot collide and none of the operands is a point at infinity. Uses Ultra-arithmetic elliptic curve addition gate.
| Builder |
| other | Point to add/subtract |
| is_addition | : true for addition, false for subtraction |
| hint | : value of output point witness, if known ahead of time (used to avoid modular inversions during witgen) |
Definition at line 409 of file cycle_group.cpp.
|
staticprivate |
Internal logic to perform a variable-base batch mul using the Straus MSM algorithm.
Computes \(\sum_i scalars[i] \cdot base\_points[i]\) using the windowed Straus algorithm with 4-bit windows. The algorithm operates in three phases:
| scalars | Vector of scalar multipliers (must all have the same bit length) |
| base_points | Vector of EC points to multiply (can be constants or witnesses) |
| offset_generators | Precomputed offset points to prevent infinity edge cases (size = base_points.size() + 1) |
| unconditional_add | If true, skip x-coordinate collision checks (safe only when points are guaranteed distinct) |
Definition at line 751 of file cycle_group.cpp.
| void bb::stdlib::cycle_group< Builder >::assert_equal | ( | cycle_group< Builder > & | other, |
| std::string const & | msg = "cycle_group< Builder >::assert_equal" |
||
| ) |
Definition at line 1196 of file cycle_group.cpp.
|
inlinestatic |
Definition at line 107 of file cycle_group.hpp.
|
static |
Multiscalar multiplication algorithm.
Uses the Straus MSM algorithm. batch_mul splits inputs into three categories: Case 1. Point and scalar are both constant: scalar mul can be computed without constraints. Case 2A. Point is constant and one of two specific generators, scalar is a witness: use fixed-base Straus with plookup tables Case 2B. Point is constant but not one of two specific generators, scalar is a witness: use variable-base Straus using ROM tables. Case 3. Point is a witness, scalar is witness or constant: use variable-base Straus using ROM tables.
The results from all 3 categories are combined and returned as a single output point.
generator_data object with the required size and pass it in as a parameter.| Builder |
| scalars | |
| base_points | |
| offset_generator_data |
Definition at line 1032 of file cycle_group.cpp.
| cycle_group< Builder > bb::stdlib::cycle_group< Builder >::checked_unconditional_add | ( | const cycle_group< Builder > & | other, |
| const std::optional< AffineElement > | hint = std::nullopt |
||
| ) | const |
Will evaluate ECC point addition over *this and other.
Uses incomplete addition formula. If incomplete addition formula edge cases are triggered (x-coordinates of operands collide), the constraints produced by this method will be unsatisfiable. Useful when an honest prover will not produce a point collision with overwhelming probability, but a cheating prover will be able to.
| Builder |
| other | Point to add |
| hint | : value of output point witness, if known ahead of time (used to avoid modular inversions during witgen) |
Definition at line 502 of file cycle_group.cpp.
| cycle_group< Builder > bb::stdlib::cycle_group< Builder >::checked_unconditional_subtract | ( | const cycle_group< Builder > & | other, |
| const std::optional< AffineElement > | hint = std::nullopt |
||
| ) | const |
Will evaluate ECC point subtraction over *this and other.
Uses incomplete addition formula. If incomplete addition formula edge cases are triggered (x-coordinates of operands collide), the constraints produced by this method will be unsatisfiable. Useful when an honest prover will not produce a point collision with overwhelming probability, but a cheating prover will be able to.
| Builder |
| other | Point to subtract |
| hint | : value of output point witness, if known ahead of time (used to avoid modular inversions during witgen) |
Definition at line 526 of file cycle_group.cpp.
|
static |
Definition at line 1206 of file cycle_group.cpp.
|
static |
Construct a constant point at infinity.
Definition at line 125 of file cycle_group.cpp.
| cycle_group< Builder > bb::stdlib::cycle_group< Builder >::dbl | ( | const std::optional< AffineElement > | hint = std::nullopt | ) | const |
Evaluates a point doubling using Ultra ECC double gate (if non-constant)
| Builder |
| hint | native result of the doubling (optional; used to avoid modular inversions during witgen) |
Definition at line 339 of file cycle_group.cpp.
|
inline |
Fix a witness. The value of the witness is constrained with a selector
Definition at line 173 of file cycle_group.hpp.
|
static |
Converts a native AffineElement into a witness, but constrains the witness values to be known constants.
| Builder |
| _context | |
| _in |
Definition at line 185 of file cycle_group.cpp.
|
static |
Converts an AffineElement into a circuit witness.
Somewhat expensive as we do an on-curve check and _is_infinity is a witness and not a constant. If an element is being converted where it is known the element is on the curve and/or cannot be point at infinity, it is best to use other methods (e.g. direct conversion of field_t coordinates)
| Builder |
| _context | |
| _in |
Definition at line 153 of file cycle_group.cpp.
|
inline |
Definition at line 78 of file cycle_group.hpp.
| Builder * bb::stdlib::cycle_group< Builder >::get_context | ( | const cycle_group< Builder > & | other | ) | const |
Definition at line 204 of file cycle_group.cpp.
|
inline |
Get the origin tag of cycle_group (a merege of origin tags of x, y and _is_infinity members)
Definition at line 145 of file cycle_group.hpp.
| cycle_group< Builder > bb::stdlib::cycle_group< Builder >::get_standard_form | ( | ) |
Convert the point to standard form.
If the point is a point at infinity, ensure the coordinates are (0,0). If the point is already standard nothing changes.
Definition at line 245 of file cycle_group.cpp.
| cycle_group< Builder >::AffineElement bb::stdlib::cycle_group< Builder >::get_value | ( | ) | const |
Definition at line 212 of file cycle_group.cpp.
|
inline |
Definition at line 80 of file cycle_group.hpp.
|
inline |
Definition at line 82 of file cycle_group.hpp.
|
inline |
Definition at line 81 of file cycle_group.hpp.
|
inline |
Definition at line 90 of file cycle_group.hpp.
|
static |
Construct a constant cycle_group representation of Group::one.
| Builder |
| _context |
Definition at line 112 of file cycle_group.cpp.
| cycle_group< Builder > bb::stdlib::cycle_group< Builder >::operator* | ( | const BigScalarField & | scalar | ) | const |
Definition at line 1177 of file cycle_group.cpp.
| cycle_group< Builder > bb::stdlib::cycle_group< Builder >::operator* | ( | const cycle_scalar & | scalar | ) | const |
Definition at line 1166 of file cycle_group.cpp.
| cycle_group< Builder > & bb::stdlib::cycle_group< Builder >::operator*= | ( | const BigScalarField & | scalar | ) |
Definition at line 1182 of file cycle_group.cpp.
| cycle_group< Builder > & bb::stdlib::cycle_group< Builder >::operator*= | ( | const cycle_scalar & | scalar | ) |
Definition at line 1171 of file cycle_group.cpp.
| cycle_group< Builder > bb::stdlib::cycle_group< Builder >::operator+ | ( | const cycle_group< Builder > & | other | ) | const |
Will evaluate ECC point addition over *this and other.
This method uses complete addition i.e. is compatible with all edge cases and is therefore expensive. To handle the possibility of x-coordinate collisions we evaluate both an addition (modified to avoid division by zero) and and a doubling, then conditionally assign the result.
| Builder |
| other | Point to add |
Definition at line 548 of file cycle_group.cpp.
| cycle_group< Builder > & bb::stdlib::cycle_group< Builder >::operator+= | ( | const cycle_group< Builder > & | other | ) |
Definition at line 718 of file cycle_group.cpp.
| cycle_group< Builder > bb::stdlib::cycle_group< Builder >::operator- | ( | ) | const |
Negates a point.
| Builder |
| other |
Definition at line 708 of file cycle_group.cpp.
| cycle_group< Builder > bb::stdlib::cycle_group< Builder >::operator- | ( | const cycle_group< Builder > & | other | ) | const |
Will evaluate ECC point subtraction over *this and other.
This method uses complete subtraction i.e. is compatible with all edge cases and is therefore expensive. To handle the possibility of x-coordinate collisions we evaluate both a subtraction (modified to avoid division by zero) and a doubling, then conditionally assign the result.
| Builder |
| other | Point to subtract |
Definition at line 622 of file cycle_group.cpp.
| cycle_group< Builder > & bb::stdlib::cycle_group< Builder >::operator-= | ( | const cycle_group< Builder > & | other | ) |
Definition at line 724 of file cycle_group.cpp.
| cycle_group< Builder > bb::stdlib::cycle_group< Builder >::operator/ | ( | const cycle_group< Builder > & | other | ) | const |
Definition at line 1232 of file cycle_group.cpp.
| bool_t< Builder > bb::stdlib::cycle_group< Builder >::operator== | ( | cycle_group< Builder > & | other | ) |
Definition at line 1188 of file cycle_group.cpp.
|
inlinestatic |
Reconstruct a cycle_group from limbs (generally stored in the public inputs)
The base field of the cycle_group curve is the same as the circuit's native field so each coordinate is represented by a single "limb".
| limbs | The coordinates of the cycle_group element |
Definition at line 203 of file cycle_group.hpp.
|
inline |
Set the free witness flag for the cycle_group's tags.
Definition at line 153 of file cycle_group.hpp.
|
inline |
Set the origin tag for x, y and _is_infinity members of cycle_group.
| tag |
Definition at line 134 of file cycle_group.hpp.
|
inline |
Set the witness indices representing the cycle_group to public.
Definition at line 188 of file cycle_group.hpp.
| void bb::stdlib::cycle_group< Builder >::standardize | ( | ) |
Convert the point to standard form.
If the point is a point at infinity, ensure the coordinates are (0,0). If the point is already standard nothing changes.
Definition at line 315 of file cycle_group.cpp.
| cycle_group< Builder > bb::stdlib::cycle_group< Builder >::unconditional_add | ( | const cycle_group< Builder > & | other, |
| const std::optional< AffineElement > | hint = std::nullopt |
||
| ) | const |
Definition at line 477 of file cycle_group.cpp.
| cycle_group< Builder > bb::stdlib::cycle_group< Builder >::unconditional_subtract | ( | const cycle_group< Builder > & | other, |
| const std::optional< AffineElement > | hint = std::nullopt |
||
| ) | const |
Definition at line 484 of file cycle_group.cpp.
|
inline |
Unset the free witness flag for the cycle_group's tags.
Definition at line 163 of file cycle_group.hpp.
| void bb::stdlib::cycle_group< Builder >::validate_on_curve | ( | ) | const |
On-curve check.
Validates that the point satisfies the curve equation \(y^2 = x^3 + b\) or is the point at infinity.
| Builder |
Definition at line 227 of file cycle_group.cpp.
|
private |
Definition at line 214 of file cycle_group.hpp.
|
private |
Definition at line 222 of file cycle_group.hpp.
|
private |
Definition at line 223 of file cycle_group.hpp.
|
staticconstexpr |
Definition at line 51 of file cycle_group.hpp.
|
staticconstexpr |
Definition at line 53 of file cycle_group.hpp.
|
staticconstexpr |
Definition at line 56 of file cycle_group.hpp.
|
staticconstexpr |
Definition at line 50 of file cycle_group.hpp.
| field_t bb::stdlib::cycle_group< Builder >::x |
Definition at line 210 of file cycle_group.hpp.
| field_t bb::stdlib::cycle_group< Builder >::y |
Definition at line 211 of file cycle_group.hpp.
1.9.8