|
| | goblin_element ()=default |
| |
| | goblin_element (const typename NativeGroup::affine_element &input) |
| |
| | goblin_element (const Fq &x, const Fq &y) |
| |
| | goblin_element (const Fq &x, const Fq &y, const bool_ct is_infinity) |
| |
| | goblin_element (const goblin_element &other)=default |
| |
| | goblin_element (goblin_element &&other) noexcept=default |
| |
| goblin_element & | operator= (const goblin_element &other)=default |
| |
| goblin_element & | operator= (goblin_element &&other) noexcept=default |
| |
| | ~goblin_element ()=default |
| |
| void | incomplete_assert_equal (const goblin_element &other, const std::string msg="goblin_element::incomplete_assert_equal") const |
| | Asserts that two goblin elements are equal (i.e., x, y coordinates and infinity flag are all equal).
|
| |
| void | convert_constant_to_fixed_witness (Builder *builder) |
| | Creates fixed witnesses from a constant element.
|
| |
| void | fix_witness () |
| |
| void | validate_on_curve () const |
| |
| goblin_element | checked_unconditional_add (const goblin_element &other) const |
| |
| goblin_element | checked_unconditional_subtract (const goblin_element &other) const |
| |
| goblin_element | operator+ (const goblin_element &other) const |
| |
| goblin_element | operator- (const goblin_element &other) const |
| |
| goblin_element | operator- () const |
| |
| goblin_element | operator+= (const goblin_element &other) |
| |
| goblin_element | operator-= (const goblin_element &other) |
| |
| std::array< goblin_element, 2 > | checked_unconditional_add_sub (const goblin_element &other) const |
| |
| goblin_element | operator* (const Fr &scalar) const |
| |
| goblin_element | conditional_negate (const bool_ct &predicate) const |
| |
| goblin_element | conditional_select (const goblin_element &other, const bool_ct &predicate) const |
| | Selects this if predicate is false, other if predicate is true.
|
| |
| goblin_element | normalize () const |
| |
| goblin_element | reduce () const |
| |
| goblin_element | dbl () const |
| |
| NativeGroup::affine_element | get_value () const |
| |
| Builder * | get_context () const |
| |
| Builder * | get_context (const goblin_element &other) const |
| |
| bool_ct | is_point_at_infinity () const |
| |
| void | set_point_at_infinity (const bool_ct &is_infinity) |
| |
| goblin_element | get_standard_form () const |
| | Enforce x and y coordinates of a point to be (0,0) in the case of point at infinity.
|
| |
| OriginTag | get_origin_tag () const |
| |
| void | set_origin_tag (const OriginTag &tag) const |
| |
| void | set_free_witness_tag () |
| | Set the free witness flag for the goblin element's tags.
|
| |
| void | unset_free_witness_tag () |
| | Unset the free witness flag for the goblin element's tags.
|
| |
| uint32_t | set_public () const |
| | Set the witness indices representing the goblin element to public.
|
| |
template<class Builder_, class
Fq, class
Fr, class NativeGroup>
class bb::stdlib::element_goblin::goblin_element< Builder_, Fq, Fr, NativeGroup >
Custom element class for when using goblin.
When using goblin (builder = MEGA and element = bn254), the assumptions and heuristics we apply vary considerably to the "default" case, justifying a separate class (we use a using declaration to make element map to goblin_element if the correct parametrisation is used, see the IsGoblinBigGroup concept for details) Differences between goblin and regular biggroup elements:
- state model is different (x/y coordinates are 2 136-bit field_t members instead of 4 68-bit field_t members)
- on-curve checks are not applied in-circuit (they are applied in the ECCVM circuit)
- we do not need to range-constrain the coordinates to be 136-bits (applied in the Translator circuit)
- Template Parameters
-
| Builder | |
| Fq | |
| Fr | |
| NativeGroup | |
Definition at line 38 of file biggroup_goblin.hpp.
template<typename
C , class
Fq , class
Fr , class
G >
| goblin_element< C, Fq, Fr, G > bb::stdlib::element_goblin::goblin_element< C, Fq, Fr, G >::batch_mul |
( |
const std::vector< goblin_element< Builder_, Fq, Fr, NativeGroup > > & |
points, |
|
|
const std::vector< Fr > & |
scalars, |
|
|
const size_t |
max_num_bits = 0, |
|
|
const bool |
handle_edge_cases = false |
|
) |
| |
|
static |
Goblin style batch multiplication.
In goblin-style arithmetization, the operands (points/scalars) for each mul-accumulate operation are decomposed into smaller components and written to an operation queue via the builder. The components are also added as witness variables. This function adds constraints demonstrating the fidelity of the point/scalar decompositions given the indices of the components in the variables array. The actual mul-accumulate operations are performed natively (without constraints) under the hood, and the final result is obtained by queueing an equality operation via the builder. The components of the result are returned as indices into the variables array from which the resulting accumulator point is re-constructed.
- Note
- Because this is the only method for performing Goblin-style group operations (Issue #707), it is sometimes used in situations where one of the scalars is 1 (e.g. to perform P = P_0 + z*P_1). In this case, we perform a simple add accumulate instead of a mul-then_accumulate.
- Template Parameters
-
| C | CircuitBuilder |
| Fq | Base field |
| Fr | Scalar field |
| G | Native group |
- Parameters
-
| points | |
| scalars | |
| max_num_bits | |
- Returns
- element<C, Fq, Fr, G>
Definition at line 38 of file biggroup_goblin_impl.hpp.
template<class Builder_ , class
Fq , class
Fr , class NativeGroup >
| void bb::stdlib::element_goblin::goblin_element< Builder_, Fq, Fr, NativeGroup >::incomplete_assert_equal |
( |
const goblin_element< Builder_, Fq, Fr, NativeGroup > & |
other, |
|
|
const std::string |
msg = "goblin_element< Builder_, Fq, Fr, NativeGroup >::incomplete_assert_equal" |
|
) |
| const |
|
inline |
Asserts that two goblin elements are equal (i.e., x, y coordinates and infinity flag are all equal).
- Parameters
-
Note that checking the coordinates as well as the infinity flag opens up the possibility of honest prover unable to satisfy constraints if both points are at infinity but have different x, y. This is not a problem in practice as we should never have multiple representations of the point at infinity in a circuit.
Definition at line 80 of file biggroup_goblin.hpp.
template<class Builder_ , class
Fq , class
Fr , class NativeGroup >
Set the witness indices representing the goblin element to public.
Even though the coordinates of a goblin element are goblin field elements which may be represented using two native field elements, we store them in the public inputs as if they were bigfield elements, each of which is represented by four native field elements. This uniformity is imposed for simplicity but could be reconsidered if desired.
- Returns
- uint32_t The index into the public inputs array at which the representation of the goblin element starts
Definition at line 401 of file biggroup_goblin.hpp.
1.9.8