Barretenberg: src/barretenberg/stdlib/primitives/group/cycle_scalar.cpp Source File

// === AUDIT STATUS ===

// internal:    { status: not started, auditors: [], date: YYYY-MM-DD }

// external_1:  { status: not started, auditors: [], date: YYYY-MM-DD }

// external_2:  { status: not started, auditors: [], date: YYYY-MM-DD }

// =====================


#include "./cycle_scalar.hpp"

#include "./cycle_group.hpp"

#include "barretenberg/common/assert.hpp"

#include "barretenberg/stdlib/primitives/circuit_builders/circuit_builders.hpp"

#include "barretenberg/stdlib/primitives/field/field_utils.hpp"


namespace bb::stdlib {


template <typename Builder>


cycle_scalar<Builder>::cycle_scalar(const field_t& _lo, const field_t& _hi)

    : lo(_lo)

    , hi(_hi)

{}


template <typename Builder> cycle_scalar<Builder>::cycle_scalar(const ScalarField& in)

{

    const uint256_t value(in);

    const auto [lo_v, hi_v] = decompose_into_lo_hi_u256(value);

    lo = lo_v;

    hi = hi_v;

}


template <typename Builder>


cycle_scalar<Builder> cycle_scalar<Builder>::from_witness(Builder* context, const ScalarField& value)

{

    const uint256_t value_u256(value);

    const auto [lo_v, hi_v] = decompose_into_lo_hi_u256(value_u256);

    field_t lo = witness_t<Builder>(context, lo_v);

    field_t hi = witness_t<Builder>(context, hi_v);

    lo.set_free_witness_tag();

    hi.set_free_witness_tag();

    return cycle_scalar(lo, hi);

}


template <typename Builder>


cycle_scalar<Builder> cycle_scalar<Builder>::from_u256_witness(Builder* context, const uint256_t& bitstring)

{

    const size_t num_bits = 256;

    const uint256_t lo_v = bitstring.slice(0, LO_BITS);

    const uint256_t hi_v = bitstring.slice(LO_BITS, num_bits);

    auto lo = field_t::from_witness(context, lo_v);

    auto hi = field_t::from_witness(context, hi_v);

    return cycle_scalar{

        lo, hi, num_bits, /*skip_primality_test=*/true, /*use_bn254_scalar_field_for_primality_test=*/false

    };

}


template <typename Builder> cycle_scalar<Builder> cycle_scalar<Builder>::create_from_bn254_scalar(const field_t& in)

{

    // Use split_unique with skip_range_constraints=true since the range constraints are implicit

    // in the lookup arguments used in scalar multiplication and thus do not need to be applied here.

    auto [lo, hi] = split_unique(in, LO_BITS, /*skip_range_constraints=*/true);

    // AUDITTODO: we skip the primality test in the constructor here since its done in split_unique. Eventually

    // the skip_primality_test logic will be removed entirely and constraints will always be applied immediately on

    // construction.

    return cycle_scalar{

        lo, hi, NUM_BITS, /*skip_primality_test=*/true, /*use_bn254_scalar_field_for_primality_test=*/true

    };

}


template <typename Builder> cycle_scalar<Builder>::cycle_scalar(BigScalarField& scalar)

{

    constexpr uint64_t NUM_LIMB_BITS = BigScalarField::NUM_LIMB_BITS;


    if (scalar.is_constant()) {

        const uint256_t value((scalar.get_value() % uint512_t(ScalarField::modulus)).lo);

        const auto [value_lo, value_hi] = decompose_into_lo_hi_u256(value);


        lo = value_lo;

        hi = value_hi;

        lo.set_origin_tag(scalar.get_origin_tag());

        hi.set_origin_tag(scalar.get_origin_tag());

        return;

    }


    // Step 1: Ensure the bigfield scalar fits into LO_BITS + HI_BITS by reducing if necessary. Note: we can tolerate

    // the scalar being > ScalarField::modulus, because performing a scalar mul implicitly performs a modular reduction.

    if (scalar.get_maximum_value() >= (uint512_t(1) << (LO_BITS + HI_BITS))) {

        scalar.self_reduce();

    }


    field_t limb0 = scalar.binary_basis_limbs[0].element;

    field_t limb1 = scalar.binary_basis_limbs[1].element;

    field_t limb2 = scalar.binary_basis_limbs[2].element;

    field_t limb3 = scalar.binary_basis_limbs[3].element;


    uint256_t limb1_max = scalar.binary_basis_limbs[1].maximum_value;


    // Step 2: Ensure that limb0 only contains at most NUM_LIMB_BITS. If not, slice off the excess and add it into limb1

    uint256_t limb0_max = scalar.binary_basis_limbs[0].maximum_value;

    if (limb0_max > BigScalarField::DEFAULT_MAXIMUM_LIMB) {


        // Split limb0 into lo (NUM_LIMB_BITS) and hi (remaining bits) slices. Note that no_wrap_split_at enforces range

        // constraints of NUM_LIMB_BITS and (limb0_max_bits - NUM_LIMB_BITS) respectively on the slices.

        const auto limb0_max_bits = static_cast<size_t>(limb0_max.get_msb() + 1);

        auto [limb0_lo, limb0_hi] = limb0.no_wrap_split_at(NUM_LIMB_BITS, limb0_max_bits);


        // Move the high bits from limb0 into limb1

        limb0 = limb0_lo;

        limb1 += limb0_hi;

        uint256_t limb0_hi_max = limb0_max >> NUM_LIMB_BITS;

        limb1_max += limb0_hi_max;

    }


    // Sanity check that limb1 is the limb that contributes both to *this.lo and *this.hi

    BB_ASSERT_GT(NUM_LIMB_BITS * 2, LO_BITS);

    BB_ASSERT_LT(NUM_LIMB_BITS, LO_BITS);


    // Step 3: limb1 contributes to both *this.lo and *this.hi. Compute the values of the two limb1 slices

    const size_t lo_bits_in_limb_1 = LO_BITS - NUM_LIMB_BITS;

    const auto limb1_max_bits = static_cast<size_t>(limb1_max.get_msb() + 1);

    auto [limb1_lo, limb1_hi] = limb1.no_wrap_split_at(lo_bits_in_limb_1, limb1_max_bits);


    // Propagate the origin tag to the chunks of limb1

    limb1_lo.set_origin_tag(limb1.get_origin_tag());

    limb1_hi.set_origin_tag(limb1.get_origin_tag());


    // Step 4: Construct *this.lo out of limb0 and limb1_lo

    lo = limb0 + (limb1_lo * BigScalarField::shift_1);


    // Step 5: Construct *this.hi out of limb1_hi, limb2 and limb3

    const uint256_t limb_2_shift = uint256_t(1) << ((2 * NUM_LIMB_BITS) - LO_BITS);

    const uint256_t limb_3_shift = uint256_t(1) << ((3 * NUM_LIMB_BITS) - LO_BITS);

    hi = limb1_hi.add_two(limb2 * limb_2_shift, limb3 * limb_3_shift);


    // Manually propagate the origin tag of the scalar to the lo/hi limbs

    lo.set_origin_tag(scalar.get_origin_tag());

    hi.set_origin_tag(scalar.get_origin_tag());

};


template <typename Builder> bool cycle_scalar<Builder>::is_constant() const

{

    return (lo.is_constant() && hi.is_constant());

}


template <typename Builder> void cycle_scalar<Builder>::validate_scalar_is_in_field() const

{

    if (!_skip_primality_test) {

        const uint256_t& field_modulus =

            _use_bn254_scalar_field_for_primality_test ? field_t::native::modulus : ScalarField::modulus;

        validate_split_in_field(lo, hi, LO_BITS, field_modulus);

    }

}


template <typename Builder> typename cycle_scalar<Builder>::ScalarField cycle_scalar<Builder>::get_value() const

{

    uint256_t lo_v(lo.get_value());

    uint256_t hi_v(hi.get_value());

    return ScalarField(lo_v + (hi_v << LO_BITS));

}


template class cycle_scalar<bb::UltraCircuitBuilder>;

template class cycle_scalar<bb::MegaCircuitBuilder>;


} // namespace bb::stdlib

assert.hpp

BB_ASSERT_GT
#define BB_ASSERT_GT(left, right,...)
Definition assert.hpp:118

BB_ASSERT_LT
#define BB_ASSERT_LT(left, right,...)
Definition assert.hpp:148

circuit_builders.hpp

bb::ECCVMCircuitBuilder
Definition eccvm_circuit_builder.hpp:24

bb::numeric::uint256_t
Definition uint256.hpp:32

bb::numeric::uint256_t::slice
constexpr uint256_t slice(uint64_t start, uint64_t end) const
Definition uint256_impl.hpp:291

bb::numeric::uint256_t::get_msb
constexpr uint64_t get_msb() const
Definition uint256_impl.hpp:330

bb::numeric::uintx< uint256_t >

bb::stdlib::bigfield
Definition bigfield.hpp:21

bb::stdlib::bigfield::get_value
uint512_t get_value() const
Definition bigfield_impl.hpp:304

bb::stdlib::bigfield::get_maximum_value
uint512_t get_maximum_value() const
Definition bigfield_impl.hpp:313

bb::stdlib::bigfield::get_origin_tag
bb::OriginTag get_origin_tag() const
Definition bigfield.hpp:711

bb::stdlib::bigfield::is_constant
bool is_constant() const
Check if the bigfield is constant, i.e. its prime limb is constant.
Definition bigfield.hpp:615

bb::stdlib::bigfield::binary_basis_limbs
std::array< Limb, NUM_LIMBS > binary_basis_limbs
Represents a bigfield element in the binary basis. A bigfield element is represented as a combination...
Definition bigfield.hpp:80

bb::stdlib::bigfield::self_reduce
void self_reduce() const
Definition bigfield_impl.hpp:2058

bb::stdlib::cycle_scalar
Represents a member of the Grumpkin curve scalar field (i.e. BN254 base field).
Definition cycle_scalar.hpp:30

bb::stdlib::cycle_scalar::ScalarField
typename Curve::ScalarField ScalarField
Definition cycle_scalar.hpp:34

bb::stdlib::cycle_scalar::from_u256_witness
static cycle_scalar from_u256_witness(Builder *context, const uint256_t &bitstring)
Construct a cycle scalar from a uint256_t witness bitstring.
Definition cycle_scalar.cpp:68

bb::stdlib::cycle_scalar::get_value
ScalarField get_value() const
Definition cycle_scalar.cpp:228

bb::stdlib::cycle_scalar::cycle_scalar
cycle_scalar(const field_t &_lo, const field_t &_hi, const size_t bits, const bool skip_primality_test, const bool use_bn254_scalar_field_for_primality_test)
Definition cycle_scalar.hpp:62

bb::stdlib::cycle_scalar::from_witness
static cycle_scalar from_witness(Builder *context, const ScalarField &value)
Construct a cycle scalar from a witness value in the Grumpkin scalar field.
Definition cycle_scalar.cpp:45

bb::stdlib::cycle_scalar::validate_scalar_is_in_field
void validate_scalar_is_in_field() const
Validates that the scalar (lo + hi * 2^LO_BITS) is less than the appropriate field modulus.
Definition cycle_scalar.cpp:219

bb::stdlib::cycle_scalar::is_constant
bool is_constant() const
Definition cycle_scalar.cpp:205

bb::stdlib::cycle_scalar::create_from_bn254_scalar
static cycle_scalar create_from_bn254_scalar(const field_t &_in)
Construct a cycle scalar (grumpkin scalar field element) from a bn254 scalar field element.
Definition cycle_scalar.cpp:89

bb::stdlib::field_t< Builder >

bb::stdlib::field_t::get_origin_tag
OriginTag get_origin_tag() const
Definition field.hpp:333

bb::stdlib::field_t< Builder >::modulus
static constexpr uint256_t modulus
Definition field.hpp:212

bb::stdlib::field_t< Builder >::from_witness
static field_t from_witness(Builder *ctx, const bb::fr &input)
Definition field.hpp:432

bb::stdlib::field_t::set_free_witness_tag
void set_free_witness_tag()
Set the free witness flag for the field element's tag.
Definition field.hpp:338

bb::stdlib::field_t::no_wrap_split_at
std::pair< field_t< Builder >, field_t< Builder > > no_wrap_split_at(const size_t lsb_index, const size_t num_bits=grumpkin::MAX_NO_WRAP_INTEGER_BIT_LENGTH) const
Splits the field element into (lo, hi), where:
Definition field.cpp:1281

bb::stdlib::witness_t
Definition witness.hpp:16

context
StrictMock< MockContext > context
Definition data_copy.test.cpp:58

cycle_group.hpp

cycle_scalar.hpp

field_utils.hpp

bb::stdlib
Definition graph_description_goblin.test.cpp:13

bb::stdlib::split_unique
std::pair< field_t< Builder >, field_t< Builder > > split_unique(const field_t< Builder > &field, const size_t lo_bits, const bool skip_range_constraints)
Split a bn254 scalar field element into unique lo and hi limbs.
Definition field_utils.cpp:47

bb::stdlib::validate_split_in_field
void validate_split_in_field(const field_t< Builder > &lo, const field_t< Builder > &hi, const size_t lo_bits, const uint256_t &field_modulus)
Validates that lo + hi * 2^lo_bits < field_modulus.
Definition field_utils.cpp:14

value
FF value
Definition public_data_tree.test.cpp:97