Barretenberg: src/barretenberg/stdlib/primitives/group/cycle_group.hpp Source File

// === AUDIT STATUS ===

// internal:    { status: not started, auditors: [], date: YYYY-MM-DD }

// external_1:  { status: not started, auditors: [], date: YYYY-MM-DD }

// external_2:  { status: not started, auditors: [], date: YYYY-MM-DD }

// =====================


#pragma once


#include "barretenberg/crypto/pedersen_commitment/pedersen.hpp"

#include "barretenberg/ecc/curves/grumpkin/grumpkin.hpp"

#include "barretenberg/stdlib/primitives/bigfield/bigfield.hpp"

#include "barretenberg/stdlib/primitives/bool/bool.hpp"

#include "barretenberg/stdlib/primitives/circuit_builders/circuit_builders.hpp"

#include "barretenberg/stdlib/primitives/field/field.hpp"

#include "barretenberg/stdlib/primitives/group/cycle_scalar.hpp"

#include "barretenberg/stdlib/primitives/group/straus_lookup_table.hpp"

#include "barretenberg/stdlib/primitives/group/straus_scalar_slice.hpp"

#include "barretenberg/stdlib_circuit_builders/plookup_tables/fixed_base/fixed_base_params.hpp"

#include "barretenberg/transcript/origin_tag.hpp"

#include <optional>


namespace bb::stdlib {


template <typename Builder>

concept IsUltraArithmetic = (Builder::CIRCUIT_TYPE == CircuitType::ULTRA);


template <typename Builder> class cycle_group {

  public:

    using field_t = stdlib::field_t<Builder>;

    using bool_t = stdlib::bool_t<Builder>;

    using witness_t = stdlib::witness_t<Builder>;

    using FF = typename Builder::FF;

    using Curve = typename Builder::EmbeddedCurve;

    using Group = typename Curve::Group;

    using Element = typename Curve::Element;

    using AffineElement = typename Curve::AffineElement;

    using GeneratorContext = crypto::GeneratorContext<Curve>;

    using ScalarField = typename Curve::ScalarField;

    using BigScalarField = stdlib::bigfield<Builder, typename ScalarField::Params>;


    static constexpr size_t STANDARD_NUM_TABLE_BITS = 1;

    static constexpr size_t ULTRA_NUM_TABLE_BITS = 4;

    static constexpr bool IS_ULTRA = Builder::CIRCUIT_TYPE == CircuitType::ULTRA;

    static constexpr size_t TABLE_BITS = IS_ULTRA ? ULTRA_NUM_TABLE_BITS : STANDARD_NUM_TABLE_BITS;

    static constexpr size_t NUM_BITS = ScalarField::modulus.get_msb() + 1;

    static constexpr size_t NUM_ROUNDS = (NUM_BITS + TABLE_BITS - 1) / TABLE_BITS;

    inline static constexpr std::string_view OFFSET_GENERATOR_DOMAIN_SEPARATOR = "cycle_group_offset_generator";


    // Since the cycle_group base field is the circuit's native field, it can be stored using two public inputs.

    static constexpr size_t PUBLIC_INPUTS_SIZE = 2;


    using cycle_scalar = ::bb::stdlib::cycle_scalar<Builder>;

    using straus_lookup_table = ::bb::stdlib::straus_lookup_table<Builder>;

    using straus_scalar_slice = ::bb::stdlib::straus_scalar_slice<Builder>;


  private:


    struct batch_mul_internal_output {

        cycle_group accumulator;

        AffineElement offset_generator_delta;

    };


  public:

    cycle_group(Builder* _context = nullptr);

    cycle_group(field_t _x, field_t _y, bool_t _is_infinity);

    cycle_group(const FF& _x, const FF& _y, bool _is_infinity);

    cycle_group(const AffineElement& _in);

    static cycle_group one(Builder* _context);

    static cycle_group from_witness(Builder* _context, const AffineElement& _in);

    static cycle_group from_constant_witness(Builder* _context, const AffineElement& _in);

    Builder* get_context(const cycle_group& other) const;

    Builder* get_context() const { return context; }

    AffineElement get_value() const;

    [[nodiscard]] bool is_constant() const { return _is_constant; }

    bool_t is_point_at_infinity() const { return _is_infinity; }

    void set_point_at_infinity(const bool_t& is_infinity);

    void standardize();

    bool is_standard() const { return this->_is_standard; };

    cycle_group get_standard_form();

    void validate_is_on_curve() const;

    cycle_group dbl(const std::optional<AffineElement> hint = std::nullopt) const

        requires IsUltraArithmetic<Builder>;

    cycle_group unconditional_add(const cycle_group& other,

                                  const std::optional<AffineElement> hint = std::nullopt) const

        requires IsUltraArithmetic<Builder>;

    cycle_group unconditional_subtract(const cycle_group& other,

                                       const std::optional<AffineElement> hint = std::nullopt) const;

    cycle_group checked_unconditional_add(const cycle_group& other,

                                          const std::optional<AffineElement> hint = std::nullopt) const;

    cycle_group checked_unconditional_subtract(const cycle_group& other,

                                               const std::optional<AffineElement> hint = std::nullopt) const;

    cycle_group operator+(const cycle_group& other) const;

    cycle_group operator-(const cycle_group& other) const;

    cycle_group operator-() const;

    cycle_group& operator+=(const cycle_group& other);

    cycle_group& operator-=(const cycle_group& other);


    static cycle_group batch_mul(const std::vector<cycle_group>& base_points,

                                 const std::vector<BigScalarField>& scalars,

                                 GeneratorContext context = {})

    {

        std::vector<cycle_scalar> cycle_scalars;

        for (auto scalar : scalars) {

            cycle_scalars.emplace_back(scalar);

        }

        return batch_mul(base_points, cycle_scalars, context);

    }


    static cycle_group batch_mul(const std::vector<cycle_group>& base_points,

                                 const std::vector<cycle_scalar>& scalars,

                                 GeneratorContext context = {});

    cycle_group operator*(const cycle_scalar& scalar) const;

    cycle_group& operator*=(const cycle_scalar& scalar);

    cycle_group operator*(const BigScalarField& scalar) const;

    cycle_group& operator*=(const BigScalarField& scalar);

    bool_t operator==(cycle_group& other);

    void assert_equal(cycle_group& other, std::string const& msg = "cycle_group::assert_equal");

    static cycle_group conditional_assign(const bool_t& predicate, const cycle_group& lhs, const cycle_group& rhs);

    cycle_group operator/(const cycle_group& other) const;


    void set_origin_tag(OriginTag tag) const

    {

        x.set_origin_tag(tag);

        y.set_origin_tag(tag);

        _is_infinity.set_origin_tag(tag);

    }


    OriginTag get_origin_tag() const

    {

        return OriginTag(x.get_origin_tag(), y.get_origin_tag(), _is_infinity.get_origin_tag());

    }


    void set_free_witness_tag()

    {

        x.set_free_witness_tag();

        y.set_free_witness_tag();

        _is_infinity.set_free_witness_tag();

    }


    void unset_free_witness_tag()

    {

        x.unset_free_witness_tag();

        y.unset_free_witness_tag();

        _is_infinity.unset_free_witness_tag();

    }


    void fix_witness()

    {

        // Origin tags should be updated within

        x.fix_witness();

        y.fix_witness();

        _is_infinity.fix_witness();


        // This is now effectively a constant

        unset_free_witness_tag();

    }


    uint32_t set_public()

    {

        uint32_t start_idx = x.set_public();

        y.set_public();

        return start_idx;

    }


    static cycle_group reconstruct_from_public(const std::span<const field_t, 2>& limbs)

    {

        return cycle_group(limbs[0], limbs[1], false);

    }


    field_t x;

    field_t y;


  private:

    bool_t _is_infinity;

    bool _is_constant;

    // The point is considered to be `standard` or in `standard form` when:

    // - It's not a point at infinity, and the coordinates belong to the curve

    // - It's a point at infinity and both of the coordinates are set to be 0. (0, 0)

    // Most of the time it is true, so we won't need to do extra conditional_assign

    // during `get_standard_form`, `assert_equal` or `==` calls

    // However sometimes it won't be the case(due to some previous design choices),

    // so we can handle these cases using this flag

    bool _is_standard;

    Builder* context;


    static batch_mul_internal_output _variable_base_batch_mul_internal(std::span<cycle_scalar> scalars,

                                                                       std::span<cycle_group> base_points,

                                                                       std::span<AffineElement const> offset_generators,

                                                                       bool unconditional_add);


    static batch_mul_internal_output _fixed_base_batch_mul_internal(std::span<cycle_scalar> scalars,

                                                                    std::span<AffineElement> base_points,

                                                                    std::span<AffineElement const> offset_generators)

        requires IsUltraArithmetic<Builder>;

};


template <typename Builder> inline std::ostream& operator<<(std::ostream& os, cycle_group<Builder> const& v)

{

    return os << "{ " << v.x << ", " << v.y << " }";

}


} // namespace bb::stdlib

bigfield.hpp

circuit_builders.hpp

bb::ECCVMCircuitBuilder
Definition eccvm_circuit_builder.hpp:24

bb::ECCVMCircuitBuilder::FF
grumpkin::fr FF
Definition eccvm_circuit_builder.hpp:27

bb::curve::Grumpkin::Element
typename Group::element Element
Definition grumpkin.hpp:55

bb::curve::Grumpkin::Group
typename grumpkin::g1 Group
Definition grumpkin.hpp:54

bb::curve::Grumpkin::AffineElement
typename Group::affine_element AffineElement
Definition grumpkin.hpp:56

bb::curve::Grumpkin::ScalarField
bb::fq ScalarField
Definition grumpkin.hpp:52

bb::stdlib::bigfield
Definition bigfield.hpp:21

bb::stdlib::bool_t
Implements boolean logic in-circuit.
Definition bool.hpp:59

bb::stdlib::bool_t::fix_witness
void fix_witness()
Definition bool.hpp:123

bb::stdlib::bool_t::set_origin_tag
void set_origin_tag(const OriginTag &new_tag) const
Definition bool.hpp:119

bb::stdlib::bool_t::set_free_witness_tag
void set_free_witness_tag()
Definition bool.hpp:121

bb::stdlib::bool_t::unset_free_witness_tag
void unset_free_witness_tag()
Definition bool.hpp:122

bb::stdlib::bool_t::get_origin_tag
OriginTag get_origin_tag() const
Definition bool.hpp:120

bb::stdlib::cycle_group
cycle_group represents a group Element of the proving system's embedded curve i.e....
Definition cycle_group.hpp:36

bb::stdlib::cycle_group::Group
typename Curve::Group Group
Definition cycle_group.hpp:43

bb::stdlib::cycle_group::from_constant_witness
static cycle_group from_constant_witness(Builder *_context, const AffineElement &_in)
Converts a native AffineElement into a witness, but constrains the witness values to be known constan...
Definition cycle_group.cpp:181

bb::stdlib::cycle_group::bool_t
stdlib::bool_t< Builder > bool_t
Definition cycle_group.hpp:39

bb::stdlib::cycle_group::operator*=
cycle_group & operator*=(const cycle_scalar &scalar)
Definition cycle_group.cpp:1274

bb::stdlib::cycle_group::standardize
void standardize()
Get the point to the standard form. If the point is a point at infinity, ensure the coordinates are (...
Definition cycle_group.cpp:323

bb::stdlib::cycle_group::_fixed_base_batch_mul_internal
static batch_mul_internal_output _fixed_base_batch_mul_internal(std::span< cycle_scalar > scalars, std::span< AffineElement > base_points, std::span< AffineElement const > offset_generators)
Internal algorithm to perform a fixed-base batch mul for ULTRA Builder.
Definition cycle_group.cpp:1005

bb::stdlib::cycle_group::get_standard_form
cycle_group get_standard_form()
Get point in standard form. If the point is a point at infinity, ensure the coordinates are (0,...
Definition cycle_group.cpp:244

bb::stdlib::cycle_group::Element
typename Curve::Element Element
Definition cycle_group.hpp:44

bb::stdlib::cycle_group::operator==
bool_t operator==(cycle_group &other)
Definition cycle_group.cpp:1291

bb::stdlib::cycle_group::NUM_ROUNDS
static constexpr size_t NUM_ROUNDS
Definition cycle_group.hpp:55

bb::stdlib::cycle_group::Curve
typename Builder::EmbeddedCurve Curve
Definition cycle_group.hpp:42

bb::stdlib::cycle_group::x
field_t x
Definition cycle_group.hpp:210

bb::stdlib::cycle_group::operator-=
cycle_group & operator-=(const cycle_group &other)
Definition cycle_group.cpp:791

bb::stdlib::cycle_group::conditional_assign
static cycle_group conditional_assign(const bool_t &predicate, const cycle_group &lhs, const cycle_group &rhs)
Definition cycle_group.cpp:1309

bb::stdlib::cycle_group::NUM_BITS
static constexpr size_t NUM_BITS
Definition cycle_group.hpp:54

bb::stdlib::cycle_group::unset_free_witness_tag
void unset_free_witness_tag()
Unset the free witness flag for the cycle_group's tags.
Definition cycle_group.hpp:165

bb::stdlib::cycle_group::fix_witness
void fix_witness()
Definition cycle_group.hpp:175

bb::stdlib::cycle_group::_is_standard
bool _is_standard
Definition cycle_group.hpp:223

bb::stdlib::cycle_group::reconstruct_from_public
static cycle_group reconstruct_from_public(const std::span< const field_t, 2 > &limbs)
Reconstruct a cycle_group from limbs (generally stored in the public inputs)
Definition cycle_group.hpp:205

bb::stdlib::cycle_group::checked_unconditional_subtract
cycle_group checked_unconditional_subtract(const cycle_group &other, const std::optional< AffineElement > hint=std::nullopt) const
Will evaluate ECC point subtraction over *this and other. Uses incomplete addition formula If incompl...
Definition cycle_group.cpp:598

bb::stdlib::cycle_group::from_witness
static cycle_group from_witness(Builder *_context, const AffineElement &_in)
Converts an AffineElement into a circuit witness.
Definition cycle_group.cpp:146

bb::stdlib::cycle_group::operator-
cycle_group operator-() const
Negates a point.
Definition cycle_group.cpp:775

bb::stdlib::cycle_group::one
static cycle_group one(Builder *_context)
Construct a cycle_group representation of Group::one.
Definition cycle_group.cpp:126

bb::stdlib::cycle_group::set_free_witness_tag
void set_free_witness_tag()
Set the free witness flag for the cycle_group's tags.
Definition cycle_group.hpp:155

bb::stdlib::cycle_group::set_origin_tag
void set_origin_tag(OriginTag tag) const
Set the origin tag for x, y and _is_infinity members of cycle_group.
Definition cycle_group.hpp:136

bb::stdlib::cycle_group::GeneratorContext
crypto::GeneratorContext< Curve > GeneratorContext
Definition cycle_group.hpp:46

bb::stdlib::cycle_group::TABLE_BITS
static constexpr size_t TABLE_BITS
Definition cycle_group.hpp:53

bb::stdlib::cycle_group::operator/
cycle_group operator/(const cycle_group &other) const
Definition cycle_group.cpp:1334

bb::stdlib::cycle_group::operator+=
cycle_group & operator+=(const cycle_group &other)
Definition cycle_group.cpp:785

bb::stdlib::cycle_group::validate_is_on_curve
void validate_is_on_curve() const
On-curve check.
Definition cycle_group.cpp:228

bb::stdlib::cycle_group::is_point_at_infinity
bool_t is_point_at_infinity() const
Definition cycle_group.hpp:87

bb::stdlib::cycle_group::is_standard
bool is_standard() const
Definition cycle_group.hpp:90

bb::stdlib::cycle_group::STANDARD_NUM_TABLE_BITS
static constexpr size_t STANDARD_NUM_TABLE_BITS
Definition cycle_group.hpp:50

bb::stdlib::cycle_group::_is_infinity
bool_t _is_infinity
Definition cycle_group.hpp:214

bb::stdlib::cycle_group::_variable_base_batch_mul_internal
static batch_mul_internal_output _variable_base_batch_mul_internal(std::span< cycle_scalar > scalars, std::span< cycle_group > base_points, std::span< AffineElement const > offset_generators, bool unconditional_add)
Internal algorithm to perform a variable-base batch mul.
Definition cycle_group.cpp:824

bb::stdlib::cycle_group::FF
typename Builder::FF FF
Definition cycle_group.hpp:41

bb::stdlib::cycle_group::y
field_t y
Definition cycle_group.hpp:211

bb::stdlib::cycle_group::cycle_group
cycle_group(Builder *_context=nullptr)
Construct a new cycle group<Builder>::cycle group object defaults to a constant point at infinity.
Definition cycle_group.cpp:29

bb::stdlib::cycle_group::PUBLIC_INPUTS_SIZE
static constexpr size_t PUBLIC_INPUTS_SIZE
Definition cycle_group.hpp:59

bb::stdlib::cycle_group::get_value
AffineElement get_value() const
Definition cycle_group.cpp:214

bb::stdlib::cycle_group::get_origin_tag
OriginTag get_origin_tag() const
Get the origin tag of cycle_group (a merege of origin tags of x, y and _is_infinity members)
Definition cycle_group.hpp:147

bb::stdlib::cycle_group::operator*
cycle_group operator*(const cycle_scalar &scalar) const
Definition cycle_group.cpp:1269

bb::stdlib::cycle_group::BigScalarField
stdlib::bigfield< Builder, typename ScalarField::Params > BigScalarField
Definition cycle_group.hpp:48

bb::stdlib::cycle_group::assert_equal
void assert_equal(cycle_group &other, std::string const &msg="cycle_group::assert_equal")
Definition cycle_group.cpp:1299

bb::stdlib::cycle_group::ScalarField
typename Curve::ScalarField ScalarField
Definition cycle_group.hpp:47

bb::stdlib::cycle_group::set_point_at_infinity
void set_point_at_infinity(const bool_t &is_infinity)
Set the point to the point at infinity. Depending on constant'ness of the predicate put the coordinat...
Definition cycle_group.cpp:255

bb::stdlib::cycle_group::dbl
cycle_group dbl(const std::optional< AffineElement > hint=std::nullopt) const
Evaluates a doubling. Uses Ultra double gate.
Definition cycle_group.cpp:349

bb::stdlib::cycle_group::operator+
cycle_group operator+(const cycle_group &other) const
Will evaluate ECC point addition over *this and other. This method uses complete addition i....
Definition cycle_group.cpp:620

bb::stdlib::cycle_group::IS_ULTRA
static constexpr bool IS_ULTRA
Definition cycle_group.hpp:52

bb::stdlib::cycle_group::_is_constant
bool _is_constant
Definition cycle_group.hpp:215

bb::stdlib::cycle_group::ULTRA_NUM_TABLE_BITS
static constexpr size_t ULTRA_NUM_TABLE_BITS
Definition cycle_group.hpp:51

bb::stdlib::cycle_group::AffineElement
typename Curve::AffineElement AffineElement
Definition cycle_group.hpp:45

bb::stdlib::cycle_group::cycle_scalar
::bb::stdlib::cycle_scalar< Builder > cycle_scalar
Definition cycle_group.hpp:61

bb::stdlib::cycle_group::unconditional_subtract
cycle_group unconditional_subtract(const cycle_group &other, const std::optional< AffineElement > hint=std::nullopt) const
will evaluate ECC point subtraction over *this and other. Incomplete addition formula edge cases are ...
Definition cycle_group.cpp:496

bb::stdlib::cycle_group::is_constant
bool is_constant() const
Definition cycle_group.hpp:86

bb::stdlib::cycle_group::get_context
Builder * get_context() const
Definition cycle_group.hpp:84

bb::stdlib::cycle_group::checked_unconditional_add
cycle_group checked_unconditional_add(const cycle_group &other, const std::optional< AffineElement > hint=std::nullopt) const
Will evaluate ECC point addition over *this and other. Uses incomplete addition formula If incomplete...
Definition cycle_group.cpp:572

bb::stdlib::cycle_group::set_public
uint32_t set_public()
Set the witness indices representing the cycle_group to public.
Definition cycle_group.hpp:190

bb::stdlib::cycle_group::OFFSET_GENERATOR_DOMAIN_SEPARATOR
static constexpr std::string_view OFFSET_GENERATOR_DOMAIN_SEPARATOR
Definition cycle_group.hpp:56

bb::stdlib::cycle_group::batch_mul
static cycle_group batch_mul(const std::vector< cycle_group > &base_points, const std::vector< BigScalarField > &scalars, GeneratorContext context={})
Definition cycle_group.hpp:109

bb::stdlib::cycle_group::context
Builder * context
Definition cycle_group.hpp:224

bb::stdlib::cycle_group::unconditional_add
cycle_group unconditional_add(const cycle_group &other, const std::optional< AffineElement > hint=std::nullopt) const
Will evaluate ECC point addition over *this and other. Incomplete addition formula edge cases are NOT...
Definition cycle_group.cpp:426

bb::stdlib::cycle_scalar
cycle_scalar represents a member of the cycle curve SCALAR FIELD. This is NOT the native circuit fiel...
Definition cycle_scalar.hpp:34

bb::stdlib::field_t< Builder >

bb::stdlib::field_t::set_public
uint32_t set_public() const
Definition field.hpp:404

bb::stdlib::field_t::unset_free_witness_tag
void unset_free_witness_tag() const
Unset the free witness flag for the field element's tag.
Definition field.hpp:343

bb::stdlib::field_t::get_origin_tag
OriginTag get_origin_tag() const
Definition field.hpp:333

bb::stdlib::field_t::set_free_witness_tag
void set_free_witness_tag()
Set the free witness flag for the field element's tag.
Definition field.hpp:338

bb::stdlib::field_t::set_origin_tag
void set_origin_tag(const OriginTag &new_tag) const
Definition field.hpp:332

bb::stdlib::field_t::fix_witness
void fix_witness()
Definition field.hpp:441

bb::stdlib::straus_lookup_table
straus_lookup_table computes a lookup table of size 1 << table_bits
Definition straus_lookup_table.hpp:44

bb::stdlib::straus_scalar_slice
straus_scalar_slice decomposes an input scalar into table_bits bit-slices. Used in batch_mul,...
Definition straus_scalar_slice.hpp:24

bb::stdlib::witness_t
Definition witness.hpp:16

bb::stdlib::IsUltraArithmetic
Definition cycle_group.hpp:25

pedersen.hpp

cycle_scalar.hpp

grumpkin.hpp

fixed_base_params.hpp

bb::numeric::operator<<
std::ostream & operator<<(std::ostream &os, uint256_t const &a)
Definition uint256.hpp:246

bb::stdlib
Definition graph_description_goblin.test.cpp:13

bb::CircuitType::ULTRA
@ ULTRA

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

origin_tag.hpp
This file contains part of the logic for the Origin Tag mechanism that tracks the use of in-circuit p...

bool.hpp

field.hpp

straus_lookup_table.hpp

straus_scalar_slice.hpp

bb::OriginTag
Definition origin_tag.hpp:64

bb::crypto::GeneratorContext
Definition generator_data.hpp:133

bb::stdlib::cycle_group::batch_mul_internal_output
Stores temporary variables produced by internal multiplication algorithms.
Definition cycle_group.hpp:70

bb::stdlib::cycle_group::batch_mul_internal_output::offset_generator_delta
AffineElement offset_generator_delta
Definition cycle_group.hpp:72

bb::stdlib::cycle_group::batch_mul_internal_output::accumulator
cycle_group accumulator
Definition cycle_group.hpp:71