16#include "../circuit_builders/circuit_builders.hpp"
19#include "../field/field.hpp"
24template <
typename Builder,
typename T>
31template <
typename Builder,
typename T>
43template <
typename Builder,
typename T>
46 const bool can_overflow,
47 const size_t maximum_bitlength)
50 ASSERT((can_overflow ==
true && maximum_bitlength == 0) ||
51 (can_overflow ==
false && (maximum_bitlength == 0 || maximum_bitlength > (3 * NUM_LIMB_BITS))));
64 const auto limb_witnesses =
79 uint64_t num_last_limb_bits = (can_overflow) ? NUM_LIMB_BITS : NUM_LAST_LIMB_BITS;
82 if (maximum_bitlength > 0) {
84 num_last_limb_bits = maximum_bitlength - (3 * NUM_LIMB_BITS);
87 const uint64_t num_high_limb_bits = NUM_LIMB_BITS + num_last_limb_bits;
90 const auto limb_witnesses =
context->decompose_non_native_field_double_width_limb(
101 binary_basis_limbs[0] = Limb(limb_0, DEFAULT_MAXIMUM_LIMB);
102 binary_basis_limbs[1] = Limb(limb_1, DEFAULT_MAXIMUM_LIMB);
103 binary_basis_limbs[2] = Limb(limb_2, DEFAULT_MAXIMUM_LIMB);
104 if (maximum_bitlength > 0) {
105 uint256_t max_limb_value = (
uint256_t(1) << (maximum_bitlength - (3 * NUM_LIMB_BITS))) - 1;
106 binary_basis_limbs[3] = Limb(limb_3, max_limb_value);
108 binary_basis_limbs[3] =
109 Limb(limb_3, can_overflow ? DEFAULT_MAXIMUM_LIMB : DEFAULT_MAXIMUM_MOST_SIGNIFICANT_LIMB);
111 prime_basis_limb = low_bits_in + (high_bits_in * shift_2);
113 set_origin_tag(new_tag);
116template <
typename Builder,
typename T>
119 , binary_basis_limbs{ other.binary_basis_limbs[0],
120 other.binary_basis_limbs[1],
121 other.binary_basis_limbs[2],
122 other.binary_basis_limbs[3] }
123 , prime_basis_limb(other.prime_basis_limb)
126template <
typename Builder,
typename T>
130 other.binary_basis_limbs[1],
131 other.binary_basis_limbs[2],
132 other.binary_basis_limbs[3] }
133 , prime_basis_limb(other.prime_basis_limb)
136template <
typename Builder,
typename T>
139 const bool can_overflow,
140 const size_t maximum_bitlength)
142 ASSERT((can_overflow ==
true && maximum_bitlength == 0) ||
143 (can_overflow ==
false && (maximum_bitlength == 0 || maximum_bitlength > (3 * NUM_LIMB_BITS))));
145 limbs[0] =
value.slice(0, NUM_LIMB_BITS).lo;
146 limbs[1] =
value.slice(NUM_LIMB_BITS, NUM_LIMB_BITS * 2).lo;
147 limbs[2] =
value.slice(NUM_LIMB_BITS * 2, NUM_LIMB_BITS * 3).lo;
148 limbs[3] =
value.slice(NUM_LIMB_BITS * 3, NUM_LIMB_BITS * 4).lo;
175 ctx->create_dummy_gate(
178 uint64_t num_last_limb_bits = (can_overflow) ? NUM_LIMB_BITS : NUM_LAST_LIMB_BITS;
185 Limb(limb_3, can_overflow ? DEFAULT_MAXIMUM_LIMB : DEFAULT_MAXIMUM_MOST_SIGNIFICANT_LIMB);
188 if (maximum_bitlength > 0) {
190 num_last_limb_bits = maximum_bitlength - (3 * NUM_LIMB_BITS);
197 static_cast<size_t>(NUM_LIMB_BITS),
198 static_cast<size_t>(NUM_LIMB_BITS));
201 static_cast<size_t>(NUM_LIMB_BITS),
202 static_cast<size_t>(num_last_limb_bits));
214 const uint64_t byte_val =
uint256_t(split_byte.get_value()).
data[0];
215 const uint64_t lo_nibble_val = byte_val & 15ULL;
216 const uint64_t hi_nibble_val = byte_val >> 4;
229 const auto reconstruct_two_limbs = [&split_byte_into_nibbles](
Builder* ctx,
233 const auto [lo_nibble, hi_nibble] = split_byte_into_nibbles(ctx, split_byte);
260 const auto [limb0, limb1] = reconstruct_two_limbs(ctx, lo_8_bytes, lolo_8_bytes, lo_split_byte);
261 const auto [limb2, limb3] = reconstruct_two_limbs(ctx, hi_8_bytes, mid_8_bytes, mid_split_byte);
265 const auto num_last_limb_bits = 256 - (NUM_LIMB_BITS * 3);
266 res.binary_basis_limbs[3].maximum_value = (uint64_t(1) << num_last_limb_bits);
273 if (
this == &other) {
288 binary_basis_limbs[0] = other.binary_basis_limbs[0];
289 binary_basis_limbs[1] = other.binary_basis_limbs[1];
290 binary_basis_limbs[2] = other.binary_basis_limbs[2];
291 binary_basis_limbs[3] = other.binary_basis_limbs[3];
292 prime_basis_limb = other.prime_basis_limb;
302 return t0 + (t1 << (NUM_LIMB_BITS)) + (t2 << (2 * NUM_LIMB_BITS)) + (t3 << (3 * NUM_LIMB_BITS));
311 return t0 + t1 + t2 + t3;
314template <
typename Builder,
typename T>
316 const uint256_t& other_maximum_value)
const
320 uint512_t(get_maximum_unreduced_limb_value()));
332 for (
size_t i = 1; i < 4; i++) {
336 binary_basis_limbs[i].maximum_value);
346 result.
binary_basis_limbs[0].maximum_value = binary_basis_limbs[0].maximum_value + other_maximum_value;
354template <
typename Builder,
typename T>
389 bool both_witness = !is_constant() && !other.
is_constant();
390 bool both_prime_limb_multiplicative_constant_one =
392 if (both_prime_limb_multiplicative_constant_one && both_witness) {
393 bool limbconst = binary_basis_limbs[0].element.is_constant();
394 limbconst = limbconst || binary_basis_limbs[1].element.is_constant();
395 limbconst = limbconst || binary_basis_limbs[2].element.is_constant();
396 limbconst = limbconst || binary_basis_limbs[3].element.is_constant();
397 limbconst = limbconst || prime_basis_limb.is_constant();
405 (prime_basis_limb.get_witness_index() ==
414 for (
size_t i = 0; i < NUM_LIMBS; ++i) {
415 const auto& x_limb = binary_basis_limbs[i].element;
418 x_scaled[i] = { x_limb.witness_index, x_limb.multiplicative_constant };
419 y_scaled[i] = { y_limb.witness_index, y_limb.multiplicative_constant };
420 c_adds[i] =
bb::fr(x_limb.additive_constant + y_limb.additive_constant);
424 uint32_t x_prime(prime_basis_limb.witness_index);
428 const auto output_witnesses =
429 ctx->evaluate_non_native_field_addition({ x_scaled[0], y_scaled[0], c_adds[0] },
430 { x_scaled[1], y_scaled[1], c_adds[1] },
431 { x_scaled[2], y_scaled[2], c_adds[2] },
432 { x_scaled[3], y_scaled[3], c_adds[3] },
433 { x_prime, y_prime, c_prime });
458template <
typename Builder,
typename T>
500template <
typename Builder,
typename T>
508 uint512_t left = get_value() % modulus_u512;
510 uint512_t out = (left + modulus_u512 - right) % modulus_u512;
519 uint512_t neg_right = (modulus_u512 - right) % modulus_u512;
540 bigfield result(ctx);
553 uint64_t limb_0_borrow_shift =
std::max(limb_0_maximum_value.
get_msb() + 1, NUM_LIMB_BITS);
560 uint64_t limb_1_borrow_shift =
std::max(limb_1_maximum_value.
get_msb() + 1, NUM_LIMB_BITS);
563 uint64_t limb_2_borrow_shift =
std::max(limb_2_maximum_value.
get_msb() + 1, NUM_LIMB_BITS);
578 uint512_t constant_to_add = constant_to_add_factor.
lo * modulus_u512;
621 result.
binary_basis_limbs[0].maximum_value = binary_basis_limbs[0].maximum_value + to_add_0;
622 result.
binary_basis_limbs[1].maximum_value = binary_basis_limbs[1].maximum_value + to_add_1;
623 result.
binary_basis_limbs[2].maximum_value = binary_basis_limbs[2].maximum_value + to_add_2;
624 result.
binary_basis_limbs[3].maximum_value = binary_basis_limbs[3].maximum_value + to_add_3;
634 bool both_witness = !is_constant() && !other.
is_constant();
635 bool both_prime_limb_multiplicative_constant_one =
637 if (both_prime_limb_multiplicative_constant_one && both_witness) {
642 limbconst = limbconst || prime_basis_limb.is_constant();
648 limbconst = limbconst ||
649 (prime_basis_limb.witness_index ==
658 for (
size_t i = 0; i < NUM_LIMBS; ++i) {
662 x_scaled[i] = { x_limb.witness_index, x_limb.multiplicative_constant };
663 y_scaled[i] = { y_limb.witness_index, y_limb.multiplicative_constant };
664 c_diffs[i] =
bb::fr(x_limb.additive_constant - y_limb.additive_constant);
668 uint32_t x_prime(prime_basis_limb.witness_index);
671 uint512_t constant_to_add_mod_native = (constant_to_add) % prime_basis.modulus;
672 c_prime +=
bb::fr(constant_to_add_mod_native.lo);
674 const auto output_witnesses =
675 ctx->evaluate_non_native_field_subtraction({ x_scaled[0], y_scaled[0], c_diffs[0] },
676 { x_scaled[1], y_scaled[1], c_diffs[1] },
677 { x_scaled[2], y_scaled[2], c_diffs[2] },
678 { x_scaled[3], y_scaled[3], c_diffs[3] },
679 { x_prime, y_prime, c_prime });
700 uint512_t constant_to_add_mod_native = (constant_to_add) % prime_basis.modulus;
701 field_t prime_basis_to_add(ctx,
bb::fr(constant_to_add_mod_native.lo));
707template <
typename Builder,
typename T>
715 const auto [quotient_value, remainder_value] = compute_quotient_remainder_values(*
this, other, {});
730 auto [reduction_required, num_quotient_bits] =
731 get_quotient_reduction_info({ get_maximum_value() }, { other.
get_maximum_value() }, {});
732 if (reduction_required) {
738 return (*this).operator*(other);
740 quotient = create_from_u512_as_witness(ctx, quotient_value,
false, num_quotient_bits);
741 remainder = create_from_u512_as_witness(ctx, remainder_value);
745 unsafe_evaluate_multiply_add(*
this, other, {}, quotient, { remainder });
751template <
typename Builder,
typename T>
755 return internal_div({ *
this }, other,
true);
765template <
typename Builder,
typename T>
770 if (terms.size() == 1) {
775 for (
size_t i = 1; i < (terms.size() + 1) / 2; i++) {
776 acc = acc.
add_two(terms[2 * i - 1], terms[2 * i]);
778 if ((terms.size() & 1) == 0) {
779 acc += terms[terms.size() - 1];
793template <
typename Builder,
typename T>
799 if (numerators.empty()) {
806 bool numerator_constant =
true;
808 for (
const auto& numerator_element : numerators) {
809 ctx = (ctx ==
nullptr) ? numerator_element.get_context() : ctx;
810 numerator_element.reduction_check();
811 numerator_values += numerator_element.get_value();
812 numerator_constant = numerator_constant && (numerator_element.is_constant());
813 tag =
OriginTag(tag, numerator_element.get_origin_tag());
820 const uint1024_t modulus(target_basis.modulus);
824 inverse_value = right.
lo.invmod(target_basis.modulus).lo;
827 inverse_value = ((left * inverse_1024) % modulus).
lo;
830 (
uint1024_t(inverse_value) * right + unreduced_zero().get_value() - left) / modulus;
835 if (numerator_constant && denominator.
is_constant()) {
844 for (
const auto& n : numerators) {
845 numerator_max.push_back(n.get_maximum_value());
848 auto [reduction_required, num_quotient_bits] =
849 get_quotient_reduction_info({
static_cast<uint512_t>(DEFAULT_MAXIMUM_REMAINDER) },
851 { unreduced_zero() },
853 if (reduction_required) {
856 return internal_div(numerators, denominator, check_for_zero);
859 if (check_for_zero) {
863 quotient = create_from_u512_as_witness(ctx, quotient_value,
false, num_quotient_bits);
864 inverse = create_from_u512_as_witness(ctx, inverse_value);
868 unsafe_evaluate_multiply_add(denominator, inverse, { unreduced_zero() }, quotient, numerators);
878template <
typename Builder,
typename T>
882 return internal_div(numerators, denominator,
false);
885template <
typename Builder,
typename T>
888 return internal_div({ *
this }, denominator,
false);
896template <
typename Builder,
typename T>
900 return internal_div(numerators, denominator,
true);
908 const auto [quotient_value, remainder_value] = compute_quotient_remainder_values(*
this, *
this, {});
917 auto [reduction_required, num_quotient_bits] = get_quotient_reduction_info(
918 { get_maximum_value() }, { get_maximum_value() }, {}, { DEFAULT_MAXIMUM_REMAINDER });
919 if (reduction_required) {
924 quotient = create_from_u512_as_witness(ctx, quotient_value,
false, num_quotient_bits);
925 remainder = create_from_u512_as_witness(ctx, remainder_value);
928 unsafe_evaluate_square_add(*
this, {}, quotient, remainder);
929 remainder.set_origin_tag(get_origin_tag());
933template <
typename Builder,
typename T>
942 bool add_constant =
true;
943 for (
const auto& add_element : to_add) {
944 add_element.reduction_check();
946 add_constant = add_constant && (add_element.is_constant());
952 const uint1024_t modulus(target_basis.modulus);
959 const auto [quotient_1024, remainder_1024] = (left * right + add_right).divmod(modulus);
970 const auto [quotient_1024, remainder_1024] = (left * right).divmod(modulus);
972 for (
auto& add_element : to_add) {
973 new_to_add.push_back(add_element);
976 new_to_add.push_back(
bigfield(ctx, remainder_1024.lo.lo));
977 return sum(new_to_add);
982 auto [reduction_required, num_quotient_bits] = get_quotient_reduction_info(
983 { get_maximum_value() }, { get_maximum_value() }, to_add, { DEFAULT_MAXIMUM_REMAINDER });
985 if (reduction_required) {
987 return sqradd(to_add);
989 const auto [quotient_1024, remainder_1024] = (left * right + add_right).divmod(modulus);
991 uint256_t remainder_value = remainder_1024.lo.lo;
993 quotient = create_from_u512_as_witness(ctx, quotient_value,
false, num_quotient_bits);
994 remainder = create_from_u512_as_witness(ctx, remainder_value);
1001 unsafe_evaluate_square_add(*
this, to_add, quotient, remainder);
1008 if (exponent == 0) {
1013 if (is_constant()) {
1014 auto base_val = get_value();
1016 uint512_t base = base_val % modulus_u512;
1017 uint32_t shifted_exponent = exponent;
1020 while (shifted_exponent > 0) {
1021 if (shifted_exponent & 1) {
1025 shifted_exponent >>= 1;
1030 bool accumulator_initialized =
false;
1031 bigfield accumulator;
1032 bigfield running_power = *
this;
1033 uint32_t shifted_exponent = exponent;
1036 while (shifted_exponent != 0) {
1037 if (shifted_exponent & 1) {
1038 if (!accumulator_initialized) {
1039 accumulator = running_power;
1040 accumulator_initialized =
true;
1042 accumulator *= running_power;
1045 shifted_exponent >>= 1;
1050 if (shifted_exponent != 0) {
1051 running_power = running_power.sqr();
1057template <
typename Builder,
typename T>
1066 bool add_constant =
true;
1068 for (
const auto& add_element : to_add) {
1069 add_element.reduction_check();
1071 add_constant = add_constant && (add_element.is_constant());
1077 const uint1024_t modulus(target_basis.modulus);
1079 const auto [quotient_1024, remainder_1024] = (left * mul_right + add_right).divmod(modulus);
1081 const uint512_t quotient_value = quotient_1024.
lo;
1082 const uint512_t remainder_value = remainder_1024.
lo;
1086 if (is_constant() && to_mul.
is_constant() && add_constant) {
1089 }
else if (is_constant() && to_mul.
is_constant()) {
1090 const auto [_, mul_remainder_1024] = (left * mul_right).divmod(modulus);
1095 auto [reduction_required, num_quotient_bits] = get_quotient_reduction_info(
1096 { get_maximum_value() }, { to_mul.
get_maximum_value() }, to_add, { DEFAULT_MAXIMUM_REMAINDER });
1097 if (reduction_required) {
1103 return (*this).madd(to_mul, to_add);
1105 quotient = create_from_u512_as_witness(ctx, quotient_value,
false, num_quotient_bits);
1106 remainder = create_from_u512_as_witness(ctx, remainder_value);
1110 OriginTag new_tag = OriginTag(get_origin_tag(), to_mul.
get_origin_tag());
1111 for (
auto&
element : to_add) {
1112 new_tag = OriginTag(new_tag,
element.get_origin_tag());
1116 unsafe_evaluate_multiply_add(*
this, to_mul, to_add, quotient, { remainder });
1132template <
typename Builder,
typename T>
1141 const size_t number_of_products = mul_left.size();
1146 max_values_left.reserve(number_of_products);
1147 max_values_right.reserve(number_of_products);
1149 for (
auto& left_element : mul_left) {
1150 left_element.reduction_check();
1151 max_values_left.emplace_back(left_element.get_maximum_value());
1154 for (
auto& right_element : mul_right) {
1155 right_element.reduction_check();
1156 max_values_right.emplace_back(right_element.get_maximum_value());
1166 get_quotient_reduction_info(max_values_left, max_values_right, to_add, { DEFAULT_MAXIMUM_REMAINDER }));
1168 if (reduction_required) {
1181 size_t number_of_products) {
1182 maxval_updates.resize(0);
1183 maxval_updates.reserve(number_of_products * 2);
1185 for (
size_t i = 0; i < number_of_products; i++) {
1188 uint1024_t original_product = original_left * original_right;
1189 if (m_left[i].is_constant()) {
1193 uint1024_t new_product = DEFAULT_MAXIMUM_REMAINDER * original_right;
1194 if (new_product > original_product) {
1197 maxval_updates.emplace_back(
1200 if (m_right[i].is_constant()) {
1204 uint1024_t new_product = DEFAULT_MAXIMUM_REMAINDER * original_left;
1205 if (new_product > original_product) {
1208 maxval_updates.emplace_back(
1222 while (reduction_required) {
1224 compute_updates(maximum_value_updates, mul_left, mul_right, number_of_products);
1227 std::sort(maximum_value_updates.begin(), maximum_value_updates.end(), compare_update_tuples);
1230 auto [update_size, largest_update_product_index, multiplicand_index] = maximum_value_updates[0];
1235 if (multiplicand_index == 0) {
1236 mul_left[largest_update_product_index].self_reduce();
1238 mul_right[largest_update_product_index].self_reduce();
1241 for (
size_t i = 0; i < number_of_products; i++) {
1242 max_values_left[i] = mul_left[i].get_maximum_value();
1243 max_values_right[i] = mul_right[i].get_maximum_value();
1246 get_quotient_reduction_info(max_values_left, max_values_right, to_add, { DEFAULT_MAXIMUM_REMAINDER }));
1263template <
typename Builder,
typename T>
1267 bool fix_remainder_to_zero)
1276 const size_t number_of_products = mul_left.size();
1278 const uint1024_t modulus(target_basis.modulus);
1283 bool add_constant =
true;
1288 for (
auto [left_element, right_element] :
zip_view(mul_left, mul_right)) {
1289 new_tag =
OriginTag(new_tag,
OriginTag(left_element.get_origin_tag(), right_element.get_origin_tag()));
1291 for (
auto&
element : to_add) {
1295 for (
const auto& add_element : to_add) {
1296 add_element.reduction_check();
1297 if (add_element.is_constant()) {
1298 add_right_constant_sum +=
uint1024_t(add_element.get_value());
1300 add_constant =
false;
1301 new_to_add.push_back(add_element);
1310 bool product_sum_constant =
true;
1311 for (
size_t i = 0; i < number_of_products; i++) {
1312 if (mutable_mul_left[i].is_constant() && mutable_mul_right[i].is_constant()) {
1314 sum_of_constant_products +=
1318 new_input_left.push_back(mutable_mul_left[i]);
1319 new_input_right.push_back(mutable_mul_right[i]);
1320 product_sum_constant =
false;
1326 for (
auto& el : mutable_mul_left) {
1334 for (
auto& el : mutable_mul_right) {
1341 if (product_sum_constant) {
1344 const auto [quotient_1024, remainder_1024] =
1345 (sum_of_constant_products + add_right_constant_sum).divmod(modulus);
1346 ASSERT(!fix_remainder_to_zero || remainder_1024 == 0);
1351 const auto [quotient_1024, remainder_1024] =
1352 (sum_of_constant_products + add_right_constant_sum).divmod(modulus);
1357 result =
sum(new_to_add);
1361 result =
sum(new_to_add);
1363 if (fix_remainder_to_zero) {
1376 const auto [_, constant_part_remainder_1024] = (sum_of_constant_products + add_right_constant_sum).divmod(modulus);
1377 const uint256_t constant_part_remainder_256 = constant_part_remainder_1024.lo.lo;
1379 if (constant_part_remainder_256 !=
uint256_t(0)) {
1380 new_to_add.push_back(
bigfield(ctx, constant_part_remainder_256));
1385 for (
const auto& add_element : new_to_add) {
1387 add_element.reduction_check();
1388 add_right_final_sum +=
uint1024_t(add_element.get_value());
1390 add_right_maximum +=
uint1024_t(add_element.get_maximum_value());
1392 const size_t final_number_of_products = new_input_left.size();
1395 worst_case_product_sum =
uint1024_t(final_number_of_products) *
uint1024_t(DEFAULT_MAXIMUM_REMAINDER) *
1399 BB_ASSERT_LT(worst_case_product_sum + add_right_maximum, get_maximum_crt_product());
1403 perform_reductions_for_mult_madd(new_input_left, new_input_right, new_to_add);
1405 for (
size_t i = 0; i < final_number_of_products; i++) {
1406 sum_of_products_final +=
uint1024_t(new_input_left[i].get_value()) *
uint1024_t(new_input_right[i].get_value());
1410 const size_t num_quotient_bits = get_quotient_max_bits({ DEFAULT_MAXIMUM_REMAINDER });
1413 const auto [quotient_1024, remainder_1024] = (sum_of_products_final + add_right_final_sum).divmod(modulus);
1417 if (fix_remainder_to_zero) {
1421 const uint512_t quotient_value = quotient_1024.
lo;
1422 const uint512_t remainder_value = remainder_1024.
lo;
1427 quotient = create_from_u512_as_witness(ctx, quotient_value,
false, num_quotient_bits);
1429 if (fix_remainder_to_zero) {
1435 remainder = create_from_u512_as_witness(ctx, remainder_value);
1442 unsafe_evaluate_multiple_multiply_add(new_input_left, new_input_right, new_to_add, quotient, { remainder });
1452template <
typename Builder,
typename T>
1468 return mult_madd(mul_left, mul_right, to_add);
1489template <
typename Builder,
typename T>
1494 bool enable_divisor_nz_check)
1501 for (
auto [left_element, right_element] :
zip_view(mul_left, mul_right)) {
1502 new_tag =
OriginTag(new_tag,
OriginTag(left_element.get_origin_tag(), right_element.get_origin_tag()));
1504 for (
auto&
element : to_sub) {
1510 for (
auto& el : mul_left) {
1511 if (el.context != NULL) {
1518 for (
auto& el : mul_right) {
1519 if (el.context != NULL) {
1526 for (
auto& el : to_sub) {
1527 if (el.context != NULL) {
1533 const size_t num_multiplications = mul_left.size();
1534 native product_native = 0;
1535 bool products_constant =
true;
1538 if (enable_divisor_nz_check) {
1543 for (
size_t i = 0; i < num_multiplications; ++i) {
1544 const native mul_left_native(
uint512_t(mul_left[i].get_value() % modulus_u512).lo);
1545 const native mul_right_native(
uint512_t(mul_right[i].get_value() % modulus_u512).lo);
1546 product_native += (mul_left_native * -mul_right_native);
1547 products_constant = products_constant && mul_left[i].is_constant() && mul_right[i].is_constant();
1552 bool sub_constant =
true;
1553 for (
const auto& sub : to_sub) {
1554 sub_native += (
uint512_t(sub.get_value() % modulus_u512).
lo);
1555 sub_constant = sub_constant && sub.is_constant();
1561 const native result_native = (product_native - sub_native) / divisor_native;
1566 if (sub_constant && products_constant && divisor.
is_constant()) {
1574 bigfield result = create_from_u512_as_witness(ctx, result_value.
lo);
1581 for (
const auto& in : mul_left) {
1582 eval_left.emplace_back(in);
1584 for (
const auto& in : mul_right) {
1585 eval_right.emplace_back(in);
1588 mult_madd(eval_left, eval_right, to_sub,
true);
1593template <
typename Builder,
typename T>
1599 auto result = *
this;
1602 uint512_t out_val = (modulus_u512 - get_value()) % modulus_u512;
1623template <
typename Builder,
typename T>
1637 const bool is_witness_index_same =
a.get_witness_index() ==
b.get_witness_index();
1638 const bool is_add_constant_same =
a.additive_constant ==
b.additive_constant;
1639 const bool is_mul_constant_same =
a.multiplicative_constant ==
b.multiplicative_constant;
1640 return is_witness_index_same && is_add_constant_same && is_mul_constant_same;
1647 bool is_prime_limb_same = is_limb_same(prime_basis_limb, other.
prime_basis_limb);
1648 if (is_limb_0_same && is_limb_1_same && is_limb_2_same && is_limb_3_same && is_prime_limb_same) {
1674 other.
binary_basis_limbs[0].element - binary_basis_limbs[0].element, binary_basis_limbs[0].element);
1676 other.
binary_basis_limbs[1].element - binary_basis_limbs[1].element, binary_basis_limbs[1].element);
1678 other.
binary_basis_limbs[2].element - binary_basis_limbs[2].element, binary_basis_limbs[2].element);
1680 other.
binary_basis_limbs[3].element - binary_basis_limbs[3].element, binary_basis_limbs[3].element);
1721 auto lhs = get_value() % modulus_u512;
1722 auto rhs = other.
get_value() % modulus_u512;
1723 bool is_equal_raw = (lhs == rhs);
1725 return is_equal_raw;
1737 native inverse_native = is_equal_raw ? 0 : diff_native.
invert();
1746 bigfield product = diff * multiplicand;
1761 if (is_constant()) {
1762 uint256_t reduced_value = (get_value() % modulus_u512).lo;
1765 const auto origin_tags = std::vector({ binary_basis_limbs[0].element.get_origin_tag(),
1766 binary_basis_limbs[1].
element.get_origin_tag(),
1767 binary_basis_limbs[2].element.get_origin_tag(),
1768 binary_basis_limbs[3].element.get_origin_tag(),
1769 prime_basis_limb.get_origin_tag() });
1780 binary_basis_limbs[1].element.set_origin_tag(origin_tags[1]);
1781 binary_basis_limbs[2].element.set_origin_tag(origin_tags[2]);
1782 binary_basis_limbs[3].element.set_origin_tag(origin_tags[3]);
1783 prime_basis_limb.set_origin_tag(origin_tags[4]);
1787 uint256_t maximum_unreduced_limb_value = get_maximum_unreduced_limb_value();
1788 bool limb_overflow_test_0 = binary_basis_limbs[0].maximum_value > maximum_unreduced_limb_value;
1789 bool limb_overflow_test_1 = binary_basis_limbs[1].maximum_value > maximum_unreduced_limb_value;
1790 bool limb_overflow_test_2 = binary_basis_limbs[2].maximum_value > maximum_unreduced_limb_value;
1791 bool limb_overflow_test_3 = binary_basis_limbs[3].maximum_value > maximum_unreduced_limb_value;
1792 if (get_maximum_value() > get_maximum_unreduced_value() || limb_overflow_test_0 || limb_overflow_test_1 ||
1793 limb_overflow_test_2 || limb_overflow_test_3) {
1801 uint256_t prohibited_limb_value = get_prohibited_limb_value();
1802 bool limb_overflow_test_0 = binary_basis_limbs[0].maximum_value > prohibited_limb_value;
1803 bool limb_overflow_test_1 = binary_basis_limbs[1].maximum_value > prohibited_limb_value;
1804 bool limb_overflow_test_2 = binary_basis_limbs[2].maximum_value > prohibited_limb_value;
1805 bool limb_overflow_test_3 = binary_basis_limbs[3].maximum_value > prohibited_limb_value;
1808 ASSERT(!(get_maximum_value() > get_prohibited_value() || limb_overflow_test_0 || limb_overflow_test_1 ||
1809 limb_overflow_test_2 || limb_overflow_test_3));
1821 assert_less_than(modulus);
1828 if (is_constant()) {
1833 ASSERT(upper_limit != 0);
1840 const uint256_t upper_limit_value_0 = strict_upper_limit.
slice(0, NUM_LIMB_BITS);
1841 const uint256_t upper_limit_value_1 = strict_upper_limit.
slice(NUM_LIMB_BITS, NUM_LIMB_BITS * 2);
1842 const uint256_t upper_limit_value_2 = strict_upper_limit.
slice(NUM_LIMB_BITS * 2, NUM_LIMB_BITS * 3);
1843 const uint256_t upper_limit_value_3 = strict_upper_limit.
slice(NUM_LIMB_BITS * 3, NUM_LIMB_BITS * 4);
1846 const uint256_t val_1 =
value.slice(NUM_LIMB_BITS, NUM_LIMB_BITS * 2);
1847 const uint256_t val_2 =
value.slice(NUM_LIMB_BITS * 2, NUM_LIMB_BITS * 3);
1849 bool borrow_0_value = val_0 > upper_limit_value_0;
1850 bool borrow_1_value = (val_1 +
uint256_t(borrow_0_value)) > (upper_limit_value_1);
1851 bool borrow_2_value = (val_2 +
uint256_t(borrow_1_value)) > (upper_limit_value_2);
1867 upper_limit_0 - binary_basis_limbs[0].element +
static_cast<field_t<Builder>>(borrow_0) * shift_1;
1893 std::cerr <<
"bigfield: calling assert equal on 2 CONSTANT bigfield elements...is this intended?" <<
std::endl;
1894 BB_ASSERT_EQ(get_value(), other.
get_value(),
"We expect constants to be less than the target modulus");
1916 }
else if (is_constant()) {
1923 const uint512_t modulus(target_basis.modulus);
1925 const auto [quotient_512, remainder_512] = (diff_val).divmod(modulus);
1926 if (remainder_512 != 0) {
1931 const size_t num_quotient_bits = get_quotient_max_bits({ 0 });
1933 witness_t(ctx,
fr(quotient_512.slice(NUM_LIMB_BITS * 2, NUM_LIMB_BITS * 4).lo)),
1936 unsafe_evaluate_multiply_add(diff, { one() }, {}, quotient, { zero() });
1951 const auto get_overload_count = [target_modulus = modulus_u512](
const uint512_t& maximum_value) {
1953 size_t overload_count = 0;
1954 while (target <= maximum_value) {
1956 target += target_modulus;
1958 return overload_count;
1960 const size_t lhs_overload_count = get_overload_count(get_maximum_value());
1961 const size_t rhs_overload_count = get_overload_count(other.
get_maximum_value());
1969 auto diff = base_diff;
1974 for (
size_t i = 0; i < lhs_overload_count; ++i) {
1975 diff = diff * (base_diff - prime_basis_accumulator);
1976 prime_basis_accumulator += prime_basis;
1978 prime_basis_accumulator = prime_basis;
1979 for (
size_t i = 0; i < rhs_overload_count; ++i) {
1980 diff = diff * (base_diff + prime_basis_accumulator);
1981 prime_basis_accumulator += prime_basis;
1994 if (is_constant()) {
1998 const auto [quotient_value, remainder_value] = get_value().divmod(target_basis.modulus);
2002 uint512_t maximum_quotient_size = get_maximum_value() / target_basis.modulus;
2003 uint64_t maximum_quotient_bits = maximum_quotient_size.
get_msb() + 1;
2004 if ((maximum_quotient_bits & 1ULL) == 1ULL) {
2005 ++maximum_quotient_bits;
2009 uint32_t quotient_limb_index =
context->add_variable(
bb::fr(quotient_value.
lo));
2012 static_cast<size_t>(maximum_quotient_bits));
2015 get_maximum_crt_product());
2026 unsafe_evaluate_multiply_add(*
this, one(), {}, quotient, { remainder });
2027 binary_basis_limbs[0] =
2033 set_origin_tag(new_tag);
2036template <
typename Builder,
typename T>
2045 BB_ASSERT_LTE(input_remainders.size(), MAXIMUM_SUMMAND_COUNT);
2050 for (
auto& el : to_add) {
2053 for (
auto& el : input_remainders) {
2061 bigfield quotient = input_quotient;
2076 std::tie(max_q_neg_p_lo, max_q_neg_p_hi) =
2082 for (
const auto& remainder : input_remainders) {
2086 uint256_t borrow_lo_value = max_remainders_lo >> (2 * NUM_LIMB_BITS);
2091 for (
size_t i = 0; i < to_add.size(); ++i) {
2092 max_a0 += to_add[i].binary_basis_limbs[0].maximum_value +
2093 (to_add[i].binary_basis_limbs[1].maximum_value << NUM_LIMB_BITS);
2094 max_a1 += to_add[i].binary_basis_limbs[2].maximum_value +
2095 (to_add[i].binary_basis_limbs[3].maximum_value << NUM_LIMB_BITS);
2097 const uint512_t max_lo = max_ab_lo + max_q_neg_p_lo + max_remainders_lo + max_a0;
2098 const uint512_t max_lo_carry = max_lo >> (2 * NUM_LIMB_BITS);
2099 const uint512_t max_hi = max_ab_hi + max_q_neg_p_hi + max_a1 + max_lo_carry;
2101 uint64_t max_lo_bits = (max_lo.
get_msb() + 1);
2102 uint64_t max_hi_bits = max_hi.
get_msb() + 1;
2104 uint64_t carry_lo_msb = max_lo_bits - (2 * NUM_LIMB_BITS);
2105 uint64_t carry_hi_msb = max_hi_bits - (2 * NUM_LIMB_BITS);
2107 if (max_lo_bits < (2 * NUM_LIMB_BITS)) {
2110 if (max_hi_bits < (2 * NUM_LIMB_BITS)) {
2142 const auto convert_constant_to_fixed_witness = [ctx](
const bigfield& input) {
2147 ctx, ctx->put_constant_variable(input.binary_basis_limbs[0].element.get_value()));
2149 ctx, ctx->put_constant_variable(input.binary_basis_limbs[1].element.get_value()));
2151 ctx, ctx->put_constant_variable(input.binary_basis_limbs[2].element.get_value()));
2153 ctx, ctx->put_constant_variable(input.binary_basis_limbs[3].element.get_value()));
2158 left = convert_constant_to_fixed_witness(left);
2161 to_mul = convert_constant_to_fixed_witness(to_mul);
2164 quotient = convert_constant_to_fixed_witness(quotient);
2166 if (remainders[0].is_constant()) {
2167 remainders[0] = convert_constant_to_fixed_witness(remainders[0]);
2173 for (
size_t i = 1; i < remainders.size(); ++i) {
2174 limb_0_accumulator.emplace_back(remainders[i].binary_basis_limbs[0].
element);
2175 limb_0_accumulator.emplace_back(remainders[i].binary_basis_limbs[1].
element * shift_1);
2176 limb_2_accumulator.emplace_back(remainders[i].binary_basis_limbs[2].
element);
2177 limb_2_accumulator.emplace_back(remainders[i].binary_basis_limbs[3].
element * shift_1);
2178 prime_limb_accumulator.emplace_back(remainders[i].prime_basis_limb);
2180 for (
const auto& add : to_add) {
2181 limb_0_accumulator.emplace_back(-add.binary_basis_limbs[0].element);
2182 limb_0_accumulator.emplace_back(-add.binary_basis_limbs[1].element * shift_1);
2183 limb_2_accumulator.emplace_back(-add.binary_basis_limbs[2].element);
2184 limb_2_accumulator.emplace_back(-add.binary_basis_limbs[3].element * shift_1);
2185 prime_limb_accumulator.emplace_back(-add.prime_basis_limb);
2188 const auto& t0 = remainders[0].binary_basis_limbs[1].element;
2189 const auto& t1 = remainders[0].binary_basis_limbs[3].element;
2190 bool needs_normalize = (t0.additive_constant != 0 || t0.multiplicative_constant != 1);
2191 needs_normalize = needs_normalize || (t1.additive_constant != 0 || t1.multiplicative_constant != 1);
2193 if (needs_normalize) {
2194 limb_0_accumulator.emplace_back(remainders[0].binary_basis_limbs[1].
element * shift_1);
2195 limb_2_accumulator.emplace_back(remainders[0].binary_basis_limbs[3].
element * shift_1);
2201 : remainders[0].binary_basis_limbs[1].element,
2204 : remainders[0].binary_basis_limbs[3].element,
2213 remainder_limbs[0].get_normalized_witness_index(),
2214 remainder_limbs[1].get_normalized_witness_index(),
2215 remainder_limbs[2].get_normalized_witness_index(),
2216 remainder_limbs[3].get_normalized_witness_index(),
2218 { neg_modulus_limbs[0], neg_modulus_limbs[1], neg_modulus_limbs[2], neg_modulus_limbs[3] },
2222 const auto [lo_idx, hi_idx] = ctx->evaluate_non_native_field_multiplication(witnesses);
2233 if (carry_lo_msb <= 70 && carry_hi_msb <= 70) {
2236 static_cast<size_t>(carry_hi_msb),
2237 static_cast<size_t>(carry_lo_msb));
2244template <
typename Builder,
typename T>
2254 BB_ASSERT_LTE(input_remainders.size(), MAXIMUM_SUMMAND_COUNT);
2259 bool is_left_constant =
true;
2260 for (
auto& el : input_left) {
2262 is_left_constant &= el.is_constant();
2264 bool is_right_constant =
true;
2265 for (
auto& el : input_right) {
2267 is_right_constant &= el.is_constant();
2269 for (
auto& el : to_add) {
2273 for (
auto& el : input_remainders) {
2278 ASSERT(!is_left_constant || !is_right_constant);
2283 bigfield quotient = input_quotient;
2284 const size_t num_multiplications = input_left.size();
2288 for (
const auto& el : input_left) {
2294 if (ctx ==
nullptr) {
2295 for (
const auto& el : input_right) {
2317 for (
const auto& remainder : input_remainders) {
2321 uint256_t borrow_lo_value = max_remainders_lo >> (2 * NUM_LIMB_BITS);
2325 const auto [max_q_neg_p_lo, max_q_neg_p_hi] =
2329 max_lo += max_q_neg_p_lo + max_remainders_lo;
2330 max_hi += max_q_neg_p_hi;
2335 for (
size_t i = 0; i < to_add.size(); ++i) {
2336 max_a0 += to_add[i].binary_basis_limbs[0].maximum_value +
2337 (to_add[i].binary_basis_limbs[1].maximum_value << NUM_LIMB_BITS);
2338 max_a1 += to_add[i].binary_basis_limbs[2].maximum_value +
2339 (to_add[i].binary_basis_limbs[3].maximum_value << NUM_LIMB_BITS);
2345 for (
size_t i = 0; i < num_multiplications; ++i) {
2346 const auto [product_lo, product_hi] = compute_partial_schoolbook_multiplication(
2347 left[i].get_binary_basis_limb_maximums(), right[i].get_binary_basis_limb_maximums());
2348 max_lo += product_lo;
2349 max_hi += product_hi;
2352 const uint512_t max_lo_carry = max_lo >> (2 * NUM_LIMB_BITS);
2353 max_hi += max_lo_carry;
2356 uint64_t max_lo_bits = (max_lo.
get_msb() + 1);
2357 uint64_t max_hi_bits = max_hi.
get_msb() + 1;
2387 const auto convert_constant_to_fixed_witness = [ctx](
const bigfield& input) {
2388 ASSERT(input.is_constant());
2393 ctx, ctx->put_constant_variable(input.binary_basis_limbs[0].element.get_value()));
2395 ctx, ctx->put_constant_variable(input.binary_basis_limbs[1].element.get_value()));
2397 ctx, ctx->put_constant_variable(input.binary_basis_limbs[2].element.get_value()));
2399 ctx, ctx->put_constant_variable(input.binary_basis_limbs[3].element.get_value()));
2418 for (
size_t i = 0; i < num_multiplications; ++i) {
2419 if (left[i].is_constant()) {
2420 left[i] = convert_constant_to_fixed_witness(left[i]);
2422 if (right[i].is_constant()) {
2423 right[i] = convert_constant_to_fixed_witness(right[i]);
2428 left[i].get_binary_basis_limb_witness_indices(),
2429 right[i].get_binary_basis_limb_witness_indices(),
2432 const auto [lo_2_idx, hi_2_idx] = ctx->queue_partial_non_native_field_multiplication(mul_witnesses);
2437 limb_0_accumulator.emplace_back(-lo_2);
2438 limb_2_accumulator.emplace_back(-hi_2);
2439 prime_limb_accumulator.emplace_back(-(left[i].prime_basis_limb * right[i].prime_basis_limb));
2443 quotient = convert_constant_to_fixed_witness(quotient);
2446 bool no_remainders = remainders.empty();
2447 if (!no_remainders) {
2448 limb_0_accumulator.emplace_back(remainders[0].binary_basis_limbs[0].
element);
2449 limb_2_accumulator.emplace_back(remainders[0].binary_basis_limbs[2].
element);
2450 prime_limb_accumulator.emplace_back(remainders[0].prime_basis_limb);
2452 for (
size_t i = 1; i < remainders.size(); ++i) {
2453 limb_0_accumulator.emplace_back(remainders[i].binary_basis_limbs[0].
element);
2454 limb_0_accumulator.emplace_back(remainders[i].binary_basis_limbs[1].
element * shift_1);
2455 limb_2_accumulator.emplace_back(remainders[i].binary_basis_limbs[2].
element);
2456 limb_2_accumulator.emplace_back(remainders[i].binary_basis_limbs[3].
element * shift_1);
2457 prime_limb_accumulator.emplace_back(remainders[i].prime_basis_limb);
2459 for (
const auto& add : to_add) {
2460 limb_0_accumulator.emplace_back(-add.binary_basis_limbs[0].element);
2461 limb_0_accumulator.emplace_back(-add.binary_basis_limbs[1].element * shift_1);
2462 limb_2_accumulator.emplace_back(-add.binary_basis_limbs[2].element);
2463 limb_2_accumulator.emplace_back(-add.binary_basis_limbs[3].element * shift_1);
2464 prime_limb_accumulator.emplace_back(-add.prime_basis_limb);
2478 : remainders[0].binary_basis_limbs[1].element;
2483 : remainders[0].binary_basis_limbs[3].element;
2496 left[0].get_binary_basis_limb_witness_indices(),
2497 right[0].get_binary_basis_limb_witness_indices(),
2500 remainder_limbs[0].get_normalized_witness_index(),
2501 remainder_limbs[1].get_normalized_witness_index(),
2502 remainder_limbs[2].get_normalized_witness_index(),
2503 remainder_limbs[3].get_normalized_witness_index(),
2505 { neg_modulus_limbs[0], neg_modulus_limbs[1], neg_modulus_limbs[2], neg_modulus_limbs[3] },
2508 const auto [lo_1_idx, hi_1_idx] = ctx->evaluate_non_native_field_multiplication(witnesses);
2513 right[0].prime_basis_limb,
2515 -remainder_prime_limb);
2520 uint64_t carry_lo_msb = max_lo_bits - (2 * NUM_LIMB_BITS);
2521 uint64_t carry_hi_msb = max_hi_bits - (2 * NUM_LIMB_BITS);
2523 if (max_lo_bits < (2 * NUM_LIMB_BITS)) {
2526 if (max_hi_bits < (2 * NUM_LIMB_BITS)) {
2532 if (carry_lo_msb <= 70 && carry_hi_msb <= 70) {
2535 static_cast<size_t>(carry_hi_msb),
2536 static_cast<size_t>(carry_lo_msb));
2543template <
typename Builder,
typename T>
2564 unsafe_evaluate_multiply_add(left, left, to_add, quotient, { remainder });
2567template <
typename Builder,
typename T>
2574 for (
const auto& add_element : to_add) {
2575 add_element.reduction_check();
2582 const uint1024_t modulus(target_basis.modulus);
2584 const auto [quotient_1024, remainder_1024] = (left * right + add_right).divmod(modulus);
2586 return { quotient_1024.lo, remainder_1024.lo };
2589template <
typename Builder,
typename T>
2598 for (
const auto& add_element : to_add) {
2602 for (
size_t i = 0; i < as.size(); i++) {
2606 const uint1024_t modulus(target_basis.modulus);
2608 const auto [quotient_1024, remainder_1024] = (product_sum + add_right).divmod(modulus);
2610 return quotient_1024.lo;
2612template <
typename Builder,
typename T>
2622 BB_ASSERT_LTE(remainders_max.size(), MAXIMUM_SUMMAND_COUNT);
2625 if (mul_product_overflows_crt_modulus(as_max, bs_max, to_add)) {
2628 const size_t num_quotient_bits = get_quotient_max_bits(remainders_max);
2630 for (
auto& added_element : to_add) {
2631 to_add_max.push_back(added_element.get_maximum_value());
2634 const uint512_t maximum_quotient = compute_maximum_quotient_value(as_max, bs_max, to_add_max);
2637 if (maximum_quotient >= (
uint512_t(1) << num_quotient_bits)) {
2643template <
typename Builder,
typename T>
2647 const uint512_t b0_inner = (a_limbs[1] * b_limbs[0]);
2648 const uint512_t b1_inner = (a_limbs[0] * b_limbs[1]);
2649 const uint512_t c0_inner = (a_limbs[1] * b_limbs[1]);
2650 const uint512_t c1_inner = (a_limbs[2] * b_limbs[0]);
2651 const uint512_t c2_inner = (a_limbs[0] * b_limbs[2]);
2652 const uint512_t d0_inner = (a_limbs[3] * b_limbs[0]);
2653 const uint512_t d1_inner = (a_limbs[2] * b_limbs[1]);
2654 const uint512_t d2_inner = (a_limbs[1] * b_limbs[2]);
2655 const uint512_t d3_inner = (a_limbs[0] * b_limbs[3]);
2657 const uint512_t r0_inner = (a_limbs[0] * b_limbs[0]);
2658 const uint512_t r1_inner = b0_inner + b1_inner;
2659 const uint512_t r2_inner = c0_inner + c1_inner + c2_inner;
2660 const uint512_t r3_inner = d0_inner + d1_inner + d2_inner + d3_inner;
2661 const uint512_t lo_val = r0_inner + (r1_inner << NUM_LIMB_BITS);
2662 const uint512_t hi_val = r2_inner + (r3_inner << NUM_LIMB_BITS);
#define BB_ASSERT_GT(left, right,...)
#define BB_ASSERT_EQ(actual, expected,...)
#define BB_ASSERT_LTE(left, right,...)
#define BB_ASSERT_LT(left, right,...)
#define ASSERT(expression,...)
constexpr uint256_t slice(uint64_t start, uint64_t end) const
constexpr uint64_t get_msb() const
constexpr uintx slice(const uint64_t start, const uint64_t end) const
constexpr uint64_t get_msb() const
static void unsafe_evaluate_multiple_multiply_add(const std::vector< bigfield > &input_left, const std::vector< bigfield > &input_right, const std::vector< bigfield > &to_add, const bigfield &input_quotient, const std::vector< bigfield > &input_remainders)
Evaluate a relation involving multiple multiplications and additions.
static bigfield conditional_assign(const bool_t< Builder > &predicate, const bigfield &lhs, const bigfield &rhs)
void assert_is_not_equal(const bigfield &other) const
Builder * get_context() const
bigfield operator*(const bigfield &other) const
Evaluate a non-native field multiplication: (a * b = c mod p) where p == target_basis....
bigfield conditional_select(const bigfield &other, const bool_t< Builder > &predicate) const
Create an element which is equal to either this or other based on the predicate.
static bigfield div_check_denominator_nonzero(const std::vector< bigfield > &numerators, const bigfield &denominator)
static bigfield sum(const std::vector< bigfield > &terms)
Create constraints for summing these terms.
bigfield(const field_t< Builder > &low_bits, const field_t< Builder > &high_bits, const bool can_overflow=false, const size_t maximum_bitlength=0)
Constructs a new bigfield object from two field elements representing the low and high bits.
static void unsafe_evaluate_square_add(const bigfield &left, const std::vector< bigfield > &to_add, const bigfield "ient, const bigfield &remainder)
Evaluate a square with several additions.
bigfield madd(const bigfield &to_mul, const std::vector< bigfield > &to_add) const
Compute a * b + ...to_add = c mod p.
bigfield conditional_negate(const bool_t< Builder > &predicate) const
static bigfield mult_madd(const std::vector< bigfield > &mul_left, const std::vector< bigfield > &mul_right, const std::vector< bigfield > &to_add, bool fix_remainder_to_zero=false)
void set_origin_tag(const bb::OriginTag &tag) const
uint512_t get_value() const
static bigfield internal_div(const std::vector< bigfield > &numerators, const bigfield &denominator, bool check_for_zero)
static bigfield msub_div(const std::vector< bigfield > &mul_left, const std::vector< bigfield > &mul_right, const bigfield &divisor, const std::vector< bigfield > &to_sub, bool enable_divisor_nz_check=false)
void assert_equal(const bigfield &other) const
bigfield add_to_lower_limb(const field_t< Builder > &other, const uint256_t &other_maximum_value) const
Add a field element to the lower limb. CAUTION (the element has to be constrained before using this f...
void set_free_witness_tag()
Set the free witness flag for the bigfield.
bigfield & operator=(const bigfield &other)
void convert_constant_to_fixed_witness(Builder *builder)
void assert_is_in_field() const
uint512_t get_maximum_value() const
std::array< uint256_t, NUM_LIMBS > get_binary_basis_limb_maximums()
Get the maximum values of the binary basis limbs.
static uint512_t compute_maximum_quotient_value(const std::vector< uint512_t > &as, const std::vector< uint512_t > &bs, const std::vector< uint512_t > &to_add)
Compute the maximum possible value of quotient of a*b+\sum(to_add)
bigfield sqradd(const std::vector< bigfield > &to_add) const
Square and add operator, computes a * a + ...to_add = c mod p.
bigfield add_two(const bigfield &add_a, const bigfield &add_b) const
Create constraints for summing three bigfield elements efficiently.
std::array< uint32_t, NUM_LIMBS > get_binary_basis_limb_witness_indices() const
Get the witness indices of the (normalized) binary basis limbs.
bb::OriginTag get_origin_tag() const
static bigfield from_witness(Builder *ctx, const bb::field< T > &input)
void reduction_check() const
Check if the bigfield element needs to be reduced.
static constexpr uint256_t modulus
static bigfield dual_madd(const bigfield &left_a, const bigfield &right_a, const bigfield &left_b, const bigfield &right_b, const std::vector< bigfield > &to_add)
bigfield sqr() const
Square operator, computes a * a = c mod p.
static void perform_reductions_for_mult_madd(std::vector< bigfield > &mul_left, std::vector< bigfield > &mul_right, const std::vector< bigfield > &to_add)
Performs individual reductions on the supplied elements as well as more complex reductions to prevent...
bool is_constant() const
Check if the bigfield is constant, i.e. its prime limb is constant.
static std::pair< uint512_t, uint512_t > compute_quotient_remainder_values(const bigfield &a, const bigfield &b, const std::vector< bigfield > &to_add)
Compute the quotient and remainder values for dividing (a * b + (to_add[0] + ... + to_add[-1])) with ...
bigfield operator+(const bigfield &other) const
Adds two bigfield elements. Inputs are reduced to the modulus if necessary. Requires 4 gates if both ...
static bigfield create_from_u512_as_witness(Builder *ctx, const uint512_t &value, const bool can_overflow=false, const size_t maximum_bitlength=0)
Creates a bigfield element from a uint512_t. Bigfield element is constructed as a witness and not a c...
bigfield pow(const uint32_t exponent) const
Raise the bigfield element to the power of (out-of-circuit) exponent.
static std::pair< bool, size_t > get_quotient_reduction_info(const std::vector< uint512_t > &as_max, const std::vector< uint512_t > &bs_max, const std::vector< bigfield > &to_add, const std::vector< uint1024_t > &remainders_max={ DEFAULT_MAXIMUM_REMAINDER })
Check for 2 conditions (CRT modulus is overflown or the maximum quotient doesn't fit into range proof...
static bigfield unsafe_construct_from_limbs(const field_t< Builder > &a, const field_t< Builder > &b, const field_t< Builder > &c, const field_t< Builder > &d, const bool can_overflow=false)
Construct a bigfield element from binary limbs that are already reduced.
void sanity_check() const
Perform a sanity check on a value that is about to interact with another value.
void assert_less_than(const uint256_t &upper_limit) const
static void unsafe_evaluate_multiply_add(const bigfield &input_left, const bigfield &input_to_mul, const std::vector< bigfield > &to_add, const bigfield &input_quotient, const std::vector< bigfield > &input_remainders)
Evaluate a multiply add identity with several added elements and several remainders.
field_t< Builder > prime_basis_limb
Represents a bigfield element in the prime basis: (a mod n) where n is the native modulus.
static bigfield div_without_denominator_check(const std::vector< bigfield > &numerators, const bigfield &denominator)
std::array< Limb, NUM_LIMBS > binary_basis_limbs
Represents a bigfield element in the binary basis. A bigfield element is represented as a combination...
bool_t< Builder > operator==(const bigfield &other) const
Validate whether two bigfield elements are equal to each other.
bigfield operator-() const
Negation operator, works by subtracting this from zero.
static std::pair< uint512_t, uint512_t > compute_partial_schoolbook_multiplication(const std::array< uint256_t, NUM_LIMBS > &a_limbs, const std::array< uint256_t, NUM_LIMBS > &b_limbs)
Compute the partial multiplication of two uint256_t arrays using schoolbook multiplication.
bigfield operator/(const bigfield &other) const
Implements boolean logic in-circuit.
void set_origin_tag(const OriginTag &new_tag) const
OriginTag get_origin_tag() const
Represents a dynamic array of bytes in-circuit.
byte_array slice(size_t offset) const
Slice bytes from the byte array starting at offset. Does not add any constraints.
Builder * get_context() const
bb::OriginTag get_origin_tag() const
void assert_is_zero(std::string const &msg="field_t::assert_is_zero") const
Enforce a copy constraint between *this and 0 stored at zero_idx of the Builder.
void assert_equal(const field_t &rhs, std::string const &msg="field_t::assert_equal") const
Copy constraint: constrain that *this field is equal to rhs element.
field_t madd(const field_t &to_mul, const field_t &to_add) const
static field_t from_witness_index(Builder *ctx, uint32_t witness_index)
static field_t accumulate(const std::vector< field_t > &input)
Efficiently compute the sum of vector entries. Using big_add_gate we reduce the number of gates neede...
static void evaluate_polynomial_identity(const field_t &a, const field_t &b, const field_t &c, const field_t &d)
Given a, b, c, d, constrain a * b + c + d = 0 by creating a big_mul_gate.
void create_range_constraint(size_t num_bits, std::string const &msg="field_t::range_constraint") const
Let x = *this.normalize(), constrain x.v < 2^{num_bits}.
static field_t conditional_assign(const bool_t< Builder > &predicate, const field_t &lhs, const field_t &rhs)
If predicate == true then return lhs, else return rhs.
bb::fr multiplicative_constant
bb::fr get_value() const
Given a := *this, compute its value given by a.v * a.mul + a.add.
field_t normalize() const
Return a new element, where the in-circuit witness contains the actual represented value (multiplicat...
static void evaluate_linear_identity(const field_t &a, const field_t &b, const field_t &c, const field_t &d)
Constrain a + b + c + d to be equal to 0.
uint32_t get_normalized_witness_index() const
Get the index of a normalized version of this element.
void set_origin_tag(const OriginTag &new_tag) const
field_t add_two(const field_t &add_b, const field_t &add_c) const
Efficiently compute (this + a + b) using big_mul gate.
void assert_is_not_zero(std::string const &msg="field_t::assert_is_not_zero") const
Constrain *this to be non-zero by establishing that it has an inverse.
uint32_t get_witness_index() const
Get the witness index of the current field element.
StrictMock< MockContext > context
stdlib::field_t< Builder > field_ct
void add_values(TreeType &tree, const std::vector< NullifierLeafValue > &values)
uintx< uint256_t > uint512_t
uintx< uint512_t > uint1024_t
std::conditional_t< IsGoblinBigGroup< C, Fq, Fr, G >, element_goblin::goblin_element< C, goblin_field< C >, Fr, G >, element_default::element< C, Fq, Fr, G > > element
element wraps either element_default::element or element_goblin::goblin_element depending on parametr...
Entry point for Barretenberg command-line interface.
Univariate< Fr, domain_end, domain_start, skip_count > operator+(const Fr &ff, const Univariate< Fr, domain_end, domain_start, skip_count > &uv)
field< Bn254FrParams > fr
C slice(C const &container, size_t start)
Inner sum(Cont< Inner, Args... > const &in)
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
This file contains part of the logic for the Origin Tag mechanism that tracks the use of in-circuit p...
constexpr field invert() const noexcept
Represents a single limb of a bigfield element, with its value and maximum value.
void throw_or_abort(std::string const &err)
1.9.8