Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
fq.hpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: not started, auditors: [], date: YYYY-MM-DD }
3// external_1: { status: not started, auditors: [], date: YYYY-MM-DD }
4// external_2: { status: not started, auditors: [], date: YYYY-MM-DD }
5// =====================
6
7#pragma once
8
9#include <cstdint>
10#include <iomanip>
11
12#include "../../fields/field.hpp"
13#include "barretenberg/ecc/curves/bn254/fr.hpp"
14#include "barretenberg/stdlib/primitives/bigfield/constants.hpp"
15
16// NOLINTBEGIN(cppcoreguidelines-avoid-c-arrays)
17namespace bb {
18
19class Bn254FqParams {
20 // There is a helper script in ecc/fields/parameter_helper.py that can be used to extract these parameters from the
21 // source code
22 public:
23 // A little-endian representation of the modulus split into 4 64-bit words
24 static constexpr uint64_t modulus_0 = 0x3C208C16D87CFD47UL;
25 static constexpr uint64_t modulus_1 = 0x97816a916871ca8dUL;
26 static constexpr uint64_t modulus_2 = 0xb85045b68181585dUL;
27 static constexpr uint64_t modulus_3 = 0x30644e72e131a029UL;
28
29 // A little-endian representation of R^2 modulo the modulus (R=2^256 mod modulus) split into 4 64-bit words
30 // This paremeter is used to convert an element of Fq in standard from to Montgomery form
31 static constexpr uint64_t r_squared_0 = 0xF32CFC5B538AFA89UL;
32 static constexpr uint64_t r_squared_1 = 0xB5E71911D44501FBUL;
33 static constexpr uint64_t r_squared_2 = 0x47AB1EFF0A417FF6UL;
34 static constexpr uint64_t r_squared_3 = 0x06D89F71CAB8351FUL;
35
36 // A little-endian representation of the cube root of 1 in Fq in Montgomery form split into 4 64-bit words
37 static constexpr uint64_t cube_root_0 = 0x71930c11d782e155UL;
38 static constexpr uint64_t cube_root_1 = 0xa6bb947cffbe3323UL;
39 static constexpr uint64_t cube_root_2 = 0xaa303344d4741444UL;
40 static constexpr uint64_t cube_root_3 = 0x2c3b3f0d26594943UL;
41
42 // A little-endian representation of the modulus split into 9 29-bit limbs
43 // This is used in wasm because we can only do multiplication with 64-bit result instead of 128-bit like in x86_64
44 static constexpr uint64_t modulus_wasm_0 = 0x187cfd47;
45 static constexpr uint64_t modulus_wasm_1 = 0x10460b6;
46 static constexpr uint64_t modulus_wasm_2 = 0x1c72a34f;
47 static constexpr uint64_t modulus_wasm_3 = 0x2d522d0;
48 static constexpr uint64_t modulus_wasm_4 = 0x1585d978;
49 static constexpr uint64_t modulus_wasm_5 = 0x2db40c0;
50 static constexpr uint64_t modulus_wasm_6 = 0xa6e141;
51 static constexpr uint64_t modulus_wasm_7 = 0xe5c2634;
52 static constexpr uint64_t modulus_wasm_8 = 0x30644e;
53
54 // A little-endian representation of R^2 modulo the modulus (R=2^261 mod modulus) split into 4 64-bit words
55 // We use 2^261 in wasm, because 261=29*9, the 9 29-bit limbs used for arithmetic in
56 static constexpr uint64_t r_squared_wasm_0 = 0xe1a2a074659bac10UL;
57 static constexpr uint64_t r_squared_wasm_1 = 0x639855865406005aUL;
58 static constexpr uint64_t r_squared_wasm_2 = 0xff54c5802d3e2632UL;
59 static constexpr uint64_t r_squared_wasm_3 = 0x2a11a68c34ea65a6UL;
60
61 // A little-endian representation of the cube root of 1 in Fq in Montgomery form for wasm (R=2^261 mod modulus)
62 // split into 4 64-bit words
63 static constexpr uint64_t cube_root_wasm_0 = 0x62b1a3a46a337995UL;
64 static constexpr uint64_t cube_root_wasm_1 = 0xadc97d2722e2726eUL;
65 static constexpr uint64_t cube_root_wasm_2 = 0x64ee82ede2db85faUL;
66 static constexpr uint64_t cube_root_wasm_3 = 0x0c0afea1488a03bbUL;
67
68 // Not used for Fq, but required for all field types
69 static constexpr uint64_t primitive_root_0 = 0UL;
70 static constexpr uint64_t primitive_root_1 = 0UL;
71 static constexpr uint64_t primitive_root_2 = 0UL;
72 static constexpr uint64_t primitive_root_3 = 0UL;
73
74 // Not used for Fq, but required for all field types
75 static constexpr uint64_t primitive_root_wasm_0 = 0x0000000000000000UL;
76 static constexpr uint64_t primitive_root_wasm_1 = 0x0000000000000000UL;
77 static constexpr uint64_t primitive_root_wasm_2 = 0x0000000000000000UL;
78 static constexpr uint64_t primitive_root_wasm_3 = 0x0000000000000000UL;
79
80 // Parameters used for quickly splitting a scalar into two endomorphism scalars for faster scalar multiplication
81 // For specifics on how these have been derived, ask @zac-williamson
82 static constexpr uint64_t endo_g1_lo = 0x7a7bd9d4391eb18d;
83 static constexpr uint64_t endo_g1_mid = 0x4ccef014a773d2cfUL;
84 static constexpr uint64_t endo_g1_hi = 0x0000000000000002UL;
85 static constexpr uint64_t endo_g2_lo = 0xd91d232ec7e0b3d2UL;
86 static constexpr uint64_t endo_g2_mid = 0x0000000000000002UL;
87 static constexpr uint64_t endo_minus_b1_lo = 0x8211bbeb7d4f1129UL;
88 static constexpr uint64_t endo_minus_b1_mid = 0x6f4d8248eeb859fcUL;
89 static constexpr uint64_t endo_b2_lo = 0x89d3256894d213e2UL;
90 static constexpr uint64_t endo_b2_mid = 0UL;
91
92 // -(Modulus^-1) mod 2^64
93 // This is used to compute k = r_inv * lower_limb(scalar), such that scalar + k*modulus in integers would have 0 in
94 // the lowest limb By performing this sequentially for 4 limbs, we get an 8-limb representation of the scalar, where
95 // the lowest 4 limbs are zeros. Then we can immediately divide by 2^256 by simply getting rid of the lowest 4 limbs
96 static constexpr uint64_t r_inv = 0x87d20782e4866389UL;
97
98 // 2^(-64) mod Modulus
99 // Used in the reduction mechanism from https://hackmd.io/@Ingonyama/Barret-Montgomery
100 // Instead of computing k, we multiply the lowest limb by this value and then add to the following 5 limbs.
101 // This saves us from having to compute k
102 static constexpr uint64_t r_inv_0 = 0x327d7c1b18f7bd41UL;
103 static constexpr uint64_t r_inv_1 = 0xdb8ed52f824ed32fUL;
104 static constexpr uint64_t r_inv_2 = 0x29b67b05eb29a6a1UL;
105 static constexpr uint64_t r_inv_3 = 0x19ac99126b459ddaUL;
106
107 // 2^(-29) mod Modulus
108 // Used in the reduction mechanism from https://hackmd.io/@Ingonyama/Barret-Montgomery
109 // Instead of computing k, we multiply the lowest limb by this value and then add to the following 10 limbs.
110 // This saves us from having to compute k
111 static constexpr uint64_t r_inv_wasm_0 = 0x17789a9f;
112 static constexpr uint64_t r_inv_wasm_1 = 0x5ffc3dc;
113 static constexpr uint64_t r_inv_wasm_2 = 0xd6bde42;
114 static constexpr uint64_t r_inv_wasm_3 = 0x1cf152e3;
115 static constexpr uint64_t r_inv_wasm_4 = 0x18eb055f;
116 static constexpr uint64_t r_inv_wasm_5 = 0xed815e2;
117 static constexpr uint64_t r_inv_wasm_6 = 0x16626d2;
118 static constexpr uint64_t r_inv_wasm_7 = 0xb8bab0f;
119 static constexpr uint64_t r_inv_wasm_8 = 0x6d7c4;
120
121 // Coset generators in Montgomery form for R=2^256 mod Modulus. Used in FFT-based proving systems
122 static constexpr uint64_t coset_generators_0[8]{
123 0x7a17caa950ad28d7ULL, 0x4d750e37163c3674ULL, 0x20d251c4dbcb4411ULL, 0xf42f9552a15a51aeULL,
124 0x4f4bc0b2b5ef64bdULL, 0x22a904407b7e725aULL, 0xf60647ce410d7ff7ULL, 0xc9638b5c069c8d94ULL,
125 };
126 static constexpr uint64_t coset_generators_1[8]{
127 0x1f6ac17ae15521b9ULL, 0x29e3aca3d71c2cf7ULL, 0x345c97cccce33835ULL, 0x3ed582f5c2aa4372ULL,
128 0x1a4b98fbe78db996ULL, 0x24c48424dd54c4d4ULL, 0x2f3d6f4dd31bd011ULL, 0x39b65a76c8e2db4fULL,
129 };
130 static constexpr uint64_t coset_generators_2[8]{
131 0x334bea4e696bd284ULL, 0x99ba8dbde1e518b0ULL, 0x29312d5a5e5edcULL, 0x6697d49cd2d7a508ULL,
132 0x5c65ec9f484e3a79ULL, 0xc2d4900ec0c780a5ULL, 0x2943337e3940c6d1ULL, 0x8fb1d6edb1ba0cfdULL,
133 };
134 static constexpr uint64_t coset_generators_3[8]{
135 0x2a1f6744ce179d8eULL, 0x3829df06681f7cbdULL, 0x463456c802275bedULL, 0x543ece899c2f3b1cULL,
136 0x180a96573d3d9f8ULL, 0xf8b21270ddbb927ULL, 0x1d9598e8a7e39857ULL, 0x2ba010aa41eb7786ULL,
137 };
138
139 // Coset generators in Montgomery form for R=2^261 mod Modulus. Used in FFT-based proving systems
140 static constexpr uint64_t coset_generators_wasm_0[8] = { 0xeb8a8ec140766463ULL, 0xfded87957d76333dULL,
141 0x4c710c8092f2ff5eULL, 0x9af4916ba86fcb7fULL,
142 0xe9781656bdec97a0ULL, 0xfbdb0f2afaec667aULL,
143 0x4a5e94161069329bULL, 0x98e2190125e5febcULL };
144 static constexpr uint64_t coset_generators_wasm_1[8] = { 0xf2b1f20626a3da49ULL, 0x56c12d76cb13587fULL,
145 0x5251d378d7f4a143ULL, 0x4de2797ae4d5ea06ULL,
146 0x49731f7cf1b732c9ULL, 0xad825aed9626b0ffULL,
147 0xa91300efa307f9c3ULL, 0xa4a3a6f1afe94286ULL };
148 static constexpr uint64_t coset_generators_wasm_2[8] = { 0xf905ef8d84d5fea4ULL, 0x93b7a45b84f1507eULL,
149 0xe6b99ee0068dfab5ULL, 0x39bb9964882aa4ecULL,
150 0x8cbd93e909c74f23ULL, 0x276f48b709e2a0fcULL,
151 0x7a71433b8b7f4b33ULL, 0xcd733dc00d1bf56aULL };
152 static constexpr uint64_t coset_generators_wasm_3[8] = { 0x2958a27c02b7cd5fULL, 0x06bc8a3277c371abULL,
153 0x1484c05bce00b620ULL, 0x224cf685243dfa96ULL,
154 0x30152cae7a7b3f0bULL, 0x0d791464ef86e357ULL,
155 0x1b414a8e45c427ccULL, 0x290980b79c016c41ULL };
156
157 // used in msgpack schema serialization
158 static constexpr char schema_name[] = "fq";
159 static constexpr bool has_high_2adicity = false;
160
161 // The modulus is larger than BN254 scalar field modulus, so it maps to two BN254 scalars
162 static constexpr size_t NUM_BN254_SCALARS = 2;
163 static constexpr size_t MAX_BITS_PER_ENDOMORPHISM_SCALAR = 128;
164
165 // A point in Fq is represented as a bigfield element in the public inputs, so 4 public inputs
166 static constexpr size_t PUBLIC_INPUTS_SIZE = BIGFIELD_PUBLIC_INPUTS_SIZE;
167};
168
169using fq = field<Bn254FqParams>;
170
171template <> template <> inline fq fq::reconstruct_from_public(const std::span<const bb::fr, PUBLIC_INPUTS_SIZE>& limbs)
172{
173 const uint256_t limb = static_cast<uint256_t>(limbs[0]) +
174 (static_cast<uint256_t>(limbs[1]) << bb::stdlib::NUM_LIMB_BITS_IN_FIELD_SIMULATION) +
175 (static_cast<uint256_t>(limbs[2]) << (bb::stdlib::NUM_LIMB_BITS_IN_FIELD_SIMULATION * 2)) +
176 (static_cast<uint256_t>(limbs[3]) << (bb::stdlib::NUM_LIMB_BITS_IN_FIELD_SIMULATION * 3));
177
178 return fq(limb);
179}
180
181} // namespace bb
182
183// NOLINTEND(cppcoreguidelines-avoid-c-arrays)
bb::Bn254FqParams::primitive_root_wasm_2
static constexpr uint64_t primitive_root_wasm_2
Definition fq.hpp:77
bb::Bn254FqParams::cube_root_wasm_1
static constexpr uint64_t cube_root_wasm_1
Definition fq.hpp:64
bb::Bn254FqParams::coset_generators_wasm_2
static constexpr uint64_t coset_generators_wasm_2[8]
Definition fq.hpp:148
bb::Bn254FqParams::modulus_0
static constexpr uint64_t modulus_0
Definition fq.hpp:24
bb::Bn254FqParams::primitive_root_wasm_0
static constexpr uint64_t primitive_root_wasm_0
Definition fq.hpp:75
bb::Bn254FqParams::r_inv_1
static constexpr uint64_t r_inv_1
Definition fq.hpp:103
bb::Bn254FqParams::r_inv_wasm_6
static constexpr uint64_t r_inv_wasm_6
Definition fq.hpp:117
bb::Bn254FqParams::primitive_root_wasm_3
static constexpr uint64_t primitive_root_wasm_3
Definition fq.hpp:78
bb::Bn254FqParams::r_inv_wasm_4
static constexpr uint64_t r_inv_wasm_4
Definition fq.hpp:115
bb::Bn254FqParams::coset_generators_0
static constexpr uint64_t coset_generators_0[8]
Definition fq.hpp:122
bb::Bn254FqParams::MAX_BITS_PER_ENDOMORPHISM_SCALAR
static constexpr size_t MAX_BITS_PER_ENDOMORPHISM_SCALAR
Definition fq.hpp:163
bb::Bn254FqParams::modulus_wasm_0
static constexpr uint64_t modulus_wasm_0
Definition fq.hpp:44
bb::Bn254FqParams::modulus_wasm_5
static constexpr uint64_t modulus_wasm_5
Definition fq.hpp:49
bb::Bn254FqParams::modulus_wasm_4
static constexpr uint64_t modulus_wasm_4
Definition fq.hpp:48
bb::Bn254FqParams::r_squared_3
static constexpr uint64_t r_squared_3
Definition fq.hpp:34
bb::Bn254FqParams::r_inv_wasm_8
static constexpr uint64_t r_inv_wasm_8
Definition fq.hpp:119
bb::Bn254FqParams::r_inv_wasm_2
static constexpr uint64_t r_inv_wasm_2
Definition fq.hpp:113
bb::Bn254FqParams::r_squared_2
static constexpr uint64_t r_squared_2
Definition fq.hpp:33
bb::Bn254FqParams::endo_b2_mid
static constexpr uint64_t endo_b2_mid
Definition fq.hpp:90
bb::Bn254FqParams::cube_root_wasm_3
static constexpr uint64_t cube_root_wasm_3
Definition fq.hpp:66
bb::Bn254FqParams::coset_generators_2
static constexpr uint64_t coset_generators_2[8]
Definition fq.hpp:130
bb::Bn254FqParams::modulus_wasm_7
static constexpr uint64_t modulus_wasm_7
Definition fq.hpp:51
bb::Bn254FqParams::modulus_wasm_1
static constexpr uint64_t modulus_wasm_1
Definition fq.hpp:45
bb::Bn254FqParams::endo_g2_lo
static constexpr uint64_t endo_g2_lo
Definition fq.hpp:85
bb::Bn254FqParams::modulus_3
static constexpr uint64_t modulus_3
Definition fq.hpp:27
bb::Bn254FqParams::r_squared_wasm_0
static constexpr uint64_t r_squared_wasm_0
Definition fq.hpp:56
bb::Bn254FqParams::coset_generators_wasm_3
static constexpr uint64_t coset_generators_wasm_3[8]
Definition fq.hpp:152
bb::Bn254FqParams::r_inv_3
static constexpr uint64_t r_inv_3
Definition fq.hpp:105
bb::Bn254FqParams::r_inv_2
static constexpr uint64_t r_inv_2
Definition fq.hpp:104
bb::Bn254FqParams::primitive_root_0
static constexpr uint64_t primitive_root_0
Definition fq.hpp:69
bb::Bn254FqParams::modulus_1
static constexpr uint64_t modulus_1
Definition fq.hpp:25
bb::Bn254FqParams::r_inv_wasm_0
static constexpr uint64_t r_inv_wasm_0
Definition fq.hpp:111
bb::Bn254FqParams::cube_root_wasm_0
static constexpr uint64_t cube_root_wasm_0
Definition fq.hpp:63
bb::Bn254FqParams::r_inv_wasm_7
static constexpr uint64_t r_inv_wasm_7
Definition fq.hpp:118
bb::Bn254FqParams::coset_generators_3
static constexpr uint64_t coset_generators_3[8]
Definition fq.hpp:134
bb::Bn254FqParams::primitive_root_2
static constexpr uint64_t primitive_root_2
Definition fq.hpp:71
bb::Bn254FqParams::endo_g1_mid
static constexpr uint64_t endo_g1_mid
Definition fq.hpp:83
bb::Bn254FqParams::r_squared_0
static constexpr uint64_t r_squared_0
Definition fq.hpp:31
bb::Bn254FqParams::endo_minus_b1_mid
static constexpr uint64_t endo_minus_b1_mid
Definition fq.hpp:88
bb::Bn254FqParams::cube_root_wasm_2
static constexpr uint64_t cube_root_wasm_2
Definition fq.hpp:65
bb::Bn254FqParams::modulus_2
static constexpr uint64_t modulus_2
Definition fq.hpp:26
bb::Bn254FqParams::modulus_wasm_8
static constexpr uint64_t modulus_wasm_8
Definition fq.hpp:52
bb::Bn254FqParams::coset_generators_1
static constexpr uint64_t coset_generators_1[8]
Definition fq.hpp:126
bb::Bn254FqParams::r_squared_1
static constexpr uint64_t r_squared_1
Definition fq.hpp:32
bb::Bn254FqParams::modulus_wasm_2
static constexpr uint64_t modulus_wasm_2
Definition fq.hpp:46
bb::Bn254FqParams::r_inv_wasm_3
static constexpr uint64_t r_inv_wasm_3
Definition fq.hpp:114
bb::Bn254FqParams::r_squared_wasm_1
static constexpr uint64_t r_squared_wasm_1
Definition fq.hpp:57
bb::Bn254FqParams::cube_root_1
static constexpr uint64_t cube_root_1
Definition fq.hpp:38
bb::Bn254FqParams::endo_g1_lo
static constexpr uint64_t endo_g1_lo
Definition fq.hpp:82
bb::Bn254FqParams::cube_root_0
static constexpr uint64_t cube_root_0
Definition fq.hpp:37
bb::Bn254FqParams::r_inv_0
static constexpr uint64_t r_inv_0
Definition fq.hpp:102
bb::Bn254FqParams::r_squared_wasm_3
static constexpr uint64_t r_squared_wasm_3
Definition fq.hpp:59
bb::Bn254FqParams::cube_root_2
static constexpr uint64_t cube_root_2
Definition fq.hpp:39
bb::Bn254FqParams::r_squared_wasm_2
static constexpr uint64_t r_squared_wasm_2
Definition fq.hpp:58
bb::Bn254FqParams::primitive_root_3
static constexpr uint64_t primitive_root_3
Definition fq.hpp:72
bb::Bn254FqParams::NUM_BN254_SCALARS
static constexpr size_t NUM_BN254_SCALARS
Definition fq.hpp:162
bb::Bn254FqParams::r_inv_wasm_5
static constexpr uint64_t r_inv_wasm_5
Definition fq.hpp:116
bb::Bn254FqParams::primitive_root_1
static constexpr uint64_t primitive_root_1
Definition fq.hpp:70
bb::Bn254FqParams::schema_name
static constexpr char schema_name[]
Definition fq.hpp:158
bb::Bn254FqParams::cube_root_3
static constexpr uint64_t cube_root_3
Definition fq.hpp:40
bb::Bn254FqParams::endo_b2_lo
static constexpr uint64_t endo_b2_lo
Definition fq.hpp:89
bb::Bn254FqParams::r_inv_wasm_1
static constexpr uint64_t r_inv_wasm_1
Definition fq.hpp:112
bb::Bn254FqParams::modulus_wasm_6
static constexpr uint64_t modulus_wasm_6
Definition fq.hpp:50
bb::Bn254FqParams::coset_generators_wasm_1
static constexpr uint64_t coset_generators_wasm_1[8]
Definition fq.hpp:144
bb::Bn254FqParams::primitive_root_wasm_1
static constexpr uint64_t primitive_root_wasm_1
Definition fq.hpp:76
bb::Bn254FqParams::modulus_wasm_3
static constexpr uint64_t modulus_wasm_3
Definition fq.hpp:47
bb::Bn254FqParams::endo_g1_hi
static constexpr uint64_t endo_g1_hi
Definition fq.hpp:84
bb::Bn254FqParams::has_high_2adicity
static constexpr bool has_high_2adicity
Definition fq.hpp:159
bb::Bn254FqParams::endo_minus_b1_lo
static constexpr uint64_t endo_minus_b1_lo
Definition fq.hpp:87
bb::Bn254FqParams::PUBLIC_INPUTS_SIZE
static constexpr size_t PUBLIC_INPUTS_SIZE
Definition fq.hpp:166
bb::Bn254FqParams::coset_generators_wasm_0
static constexpr uint64_t coset_generators_wasm_0[8]
Definition fq.hpp:140
bb::Bn254FqParams::r_inv
static constexpr uint64_t r_inv
Definition fq.hpp:96
bb::Bn254FqParams::endo_g2_mid
static constexpr uint64_t endo_g2_mid
Definition fq.hpp:86
bb::numeric::uint256_t
Definition uint256.hpp:32
bb
Entry point for Barretenberg command-line interface.
Definition acir_format_getters.cpp:6
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
bb::field< Bn254FqParams >::reconstruct_from_public
static field reconstruct_from_public(const std::span< const field< V >, PUBLIC_INPUTS_SIZE > &limbs)