Namespaces
namespace	aes128

namespace	blake_util

namespace	element_default

namespace	element_goblin

namespace	field_conversion

namespace	field_conversion_tests

namespace	recursion

Classes
class	address

class	address_t

class	bigfield

class	Blake2s

class	Blake3s

struct	bn254

class	bool_t
	Implements boolean logic in-circuit. More...

class	byte_array
	Represents a dynamic array of bytes in-circuit. More...

class	cycle_group
	cycle_group represents a group Element of the proving system's embedded curve i.e. a curve with a cofactor 1 defined over a field equal to the circuit's native field Builder::FF More...

class	cycle_scalar
	cycle_scalar represents a member of the cycle curve SCALAR FIELD. This is NOT the native circuit field type. i.e. for a BN254 circuit, cycle_group will be Grumpkin and cycle_scalar will be Grumpkin::ScalarField (BN254 native field is BN254::ScalarField == Grumpkin::BaseField) More...

class	databus

class	DataBusDepot
	Class for managing propagation of databus return data commitments used in consistency checks. More...

class	DynamicArray
	A dynamic array of field elements. More...

struct	ecdsa_signature

class	field_t

class	FieldSponge
	Implements the circuit form of a cryptographic sponge over prime fields. Implements the sponge specification from the Community Cryptographic Specification Project see https://github.com/C2SP/C2SP/blob/792c1254124f625d459bfe34417e8f6bdd02eb28/poseidon-sponge.md (Note: this spec was not accepted into the C2SP repo, we might want to reference something else!) More...

class	goblin_field
	goblin_field wraps x/y coordinates of bn254 group elements when using goblin More...

struct	grumpkin
	Curve grumpkin in circuit setting. More...

class	keccak
	KECCAAAAAAAAAAK. More...

class	logic

class	pedersen_commitment

class	pedersen_hash
	stdlib class that evaluates in-circuit pedersen hashes, consistent with behavior in crypto::pedersen_hash More...

class	plookup_read

class	poseidon2
	stdlib class that evaluates in-circuit poseidon2 hashes, consistent with behavior in crypto::poseidon2 More...

class	Poseidon2Permutation

class	Proof
	A simple wrapper around a vector of stdlib field elements representing a proof. More...

class	public_witness_t

class	PublicInputComponent
	A wrapper class for serializing objects to and from the public inputs of a circuit. More...

class	ram_table

class	rom_table

class	safe_uint_t

struct	schnorr_signature_bits

struct	secp256k1

struct	secp256r1

class	SHA256

class	straus_lookup_table
	straus_lookup_table computes a lookup table of size 1 << table_bits More...

class	straus_scalar_slice
	straus_scalar_slice decomposes an input scalar into `table_bits` bit-slices. Used in `batch_mul`, which ses the Straus multiscalar multiplication algorithm. More...

class	twin_rom_table

class	witness_t

Concepts
concept	IsBigGroup

concept	IsGoblinBigGroup

concept	IsUltraArithmetic

concept	IsSerializableToAndFromPublicInputs
	A concept defining requirements for types that are to be serialized to and from the public inputs of a circuit via the PublicInputComponent class.

Typedefs
template<typename C , typename Fq , typename Fr , typename G >
using	element = std::conditional_t< IsGoblinBigGroup< C, Fq, Fr, G >, element_goblin::goblin_element< C, goblin_field< C >, Fr, G >, element_default::element< C, Fq, Fr, G > >
	element wraps either element_default::element or element_goblin::goblin_element depending on parametrisation

Functions
template<typename Builder , typename Curve , typename Fq , typename Fr , typename G1 >
bool_t< Builder >	ecdsa_verify_signature (const stdlib::byte_array< Builder > &hashed_message, const G1 &public_key, const ecdsa_signature< Builder > &sig)
	Verify ECDSA signature. Returns bool_t(true/false) depending on whether the signature is valid or not.

template<typename Builder , typename Curve , typename Fq , typename Fr , typename G1 >
void	validate_inputs (const stdlib::byte_array< Builder > &hashed_message, const G1 &public_key, const ecdsa_signature< Builder > &sig)
	Validate the inputs used by the verification function and return messages if they produce an invalid circuit.

template<typename Builder >
void	generate_ecdsa_verification_test_circuit (Builder &builder, size_t num_iterations)
	Generate a simple ecdsa verification circuit for testing purposes.

template<typename C >
schnorr_signature_bits< C >	schnorr_convert_signature (C *context, const crypto::schnorr_signature &signature)
	Instantiate a witness containing the signature (s, e) as a quadruple of field_t elements (s_lo, s_hi, e_lo, e_hi).

template<typename C >
std::array< field_t< C >, 2 >	schnorr_verify_signature_internal (const byte_array< C > &message, const cycle_group< C > &pub_key, const schnorr_signature_bits< C > &sig)
	Make the computations needed to verify a signature (s, e), i.e., compute e' = hash(([s]g + [e]pub).x \| message) and return e'.

template<typename C >
void	schnorr_verify_signature (const byte_array< C > &message, const cycle_group< C > &pub_key, const schnorr_signature_bits< C > &sig)
	Verify that a signature (s, e) is valid, i.e., compute e' = hash(([s]g + [e]pub).x \| message) and check that e' == e is true.

template<typename C >
bool_t< C >	schnorr_signature_verification_result (const byte_array< C > &message, const cycle_group< C > &pub_key, const schnorr_signature_bits< C > &sig)
	Attempt to verify a signature (s, e) and return the result, i.e., compute e' = hash(([s]g + [e]pub).x \| message) and return the boolean witness e' == e.

	VERIFY_SIGNATURE_INTERNAL (bb::UltraCircuitBuilder)

	VERIFY_SIGNATURE_INTERNAL (bb::MegaCircuitBuilder)

	VERIFY_SIGNATURE (bb::UltraCircuitBuilder)

	VERIFY_SIGNATURE (bb::MegaCircuitBuilder)

	SIGNATURE_VERIFICATION_RESULT (bb::UltraCircuitBuilder)

	SIGNATURE_VERIFICATION_RESULT (bb::MegaCircuitBuilder)

	CONVERT_SIGNATURE (bb::UltraCircuitBuilder)

	CONVERT_SIGNATURE (bb::MegaCircuitBuilder)

template<typename Builder >
void	generate_keccak_test_circuit (Builder &builder, size_t num_iterations)
	Generate a simple keccak circuit for testing purposes.

template void	generate_keccak_test_circuit (bb::UltraCircuitBuilder &, size_t)

template void	generate_keccak_test_circuit (bb::MegaCircuitBuilder &, size_t)

constexpr size_t	get_num_blocks (const size_t num_bits)

template<typename B >
void	read (B &it, address &addr)

template<typename B >
void	write (B &buf, address const &addr)

template<typename C , typename T >
std::ostream &	operator<< (std::ostream &os, bigfield< T, C > const &v)

template<typename C >
std::ostream &	operator<< (std::ostream &os, goblin_field< C > const &v)

template<typename T >
std::ostream &	operator<< (std::ostream &os, bool_t< T > const &v)

template<typename Builder >
std::ostream &	operator<< (std::ostream &os, byte_array< Builder > const &arr)

template<typename Builder , size_t SIZE>
field_t< Builder >	array_length (std::array< field_t< Builder >, SIZE > const &arr)

template<typename Builder , size_t SIZE>
field_t< Builder >	array_pop (std::array< field_t< Builder >, SIZE > const &arr)

template<typename Builder , size_t SIZE>
void	array_push (std::array< field_t< Builder >, SIZE > &arr, field_t< Builder > const &value)

template<typename Builder , size_t SIZE>
size_t	array_push (std::array< std::optional< field_t< Builder > >, SIZE > &arr, field_t< Builder > const &value)

template<typename T , size_t SIZE>
size_t	array_push (std::array< std::shared_ptr< T >, SIZE > &arr, std::shared_ptr< T > const &value)

template<typename Builder , typename T , size_t SIZE>
void	array_push (std::array< T, SIZE > &arr, T const &value)

template<typename Builder , size_t SIZE>
stdlib::bool_t< Builder >	is_array_empty (std::array< field_t< Builder >, SIZE > const &arr)

template<typename Builder , size_t size_1, size_t size_2>
void	push_array_to_array (std::array< field_t< Builder >, size_1 > const &source, std::array< field_t< Builder >, size_2 > &target)

template<typename T >
T *	validate_context (T *ptr)

template<typename T , typename... Ts>
T *	validate_context (T first, Ts ... rest)

template<typename T , typename Container >
T *	validate_context (const Container &elements)

template<typename Builder >
std::ostream &	operator<< (std::ostream &os, field_t< Builder > const &v)

template<typename Builder >
std::ostream &	operator<< (std::ostream &os, cycle_group< Builder > const &v)

template<typename Builder >
std::ostream &	operator<< (std::ostream &os, safe_uint_t< Builder > const &v)

Detailed Description

Optimizations:

use lookup tables for basic XOR operations
replace use of uint32 with basic field_t type

Typedef Documentation

◆ element

template<typename C , typename Fq , typename Fr , typename G >

using bb::stdlib::element = typedef std::conditional_t<IsGoblinBigGroup<C, Fq, Fr, G>, element_goblin::goblin_element<C, goblin_field<C>, Fr, G>, element_default::element<C, Fq, Fr, G> >

element wraps either element_default::element or element_goblin::goblin_element depending on parametrisation

if C = MegaBuilder, G = bn254, Fq = bigfield<C, bb::Bn254FqParams>, Fr = field_t then we're cooking

Definition at line 1053 of file biggroup.hpp.

Function Documentation

◆ array_length()

template<typename Builder , size_t SIZE>

field_t< Builder > bb::stdlib::array_length ( std::array< field_t< Builder >, SIZE > const & arr )

Gets the number of contiguous nonzero values of an array from the start. Note: This assumes 0 always means 'not used', so be careful. As soon as we locate 0, we stop the counting. If you actually want 0 to be counted, you'll need something else.

Definition at line 19 of file array.hpp.

◆ array_pop()

template<typename Builder , size_t SIZE>

field_t< Builder > bb::stdlib::array_pop ( std::array< field_t< Builder >, SIZE > const & arr )

Note: doesn't remove the last element from the array; only returns it! Note: this assumes 0 always means 'not used', so be careful. If you actually want 0 to be counted, you'll need something else. If it returns 0, the array is considered 'empty'.

Definition at line 39 of file array.hpp.

◆ array_push() [1/4]

template<typename Builder , size_t SIZE>

void bb::stdlib::array_push	(	std::array< field_t< Builder >, SIZE > &	arr,
		field_t< Builder > const &	value
	)

Note: this assumes 0 always means 'not used', so be careful. If you actually want 0 to be counted, you'll need something else.

Definition at line 60 of file array.hpp.

◆ array_push() [2/4]

template<typename Builder , size_t SIZE>

size_t bb::stdlib::array_push	(	std::array< std::optional< field_t< Builder > >, SIZE > &	arr,
		field_t< Builder > const &	value
	)

inline

Note: this assumes 0 always means 'not used', so be careful. If you actually want 0 to be counted, you'll need something else.

Definition at line 77 of file array.hpp.

◆ array_push() [3/4]

template<typename T , size_t SIZE>

size_t bb::stdlib::array_push	(	std::array< std::shared_ptr< T >, SIZE > &	arr,
		std::shared_ptr< T > const &	value
	)

inline

Note: this assumes 0 always means 'not used', so be careful. If you actually want 0 to be counted, you'll need something else.

Definition at line 93 of file array.hpp.

◆ array_push() [4/4]

template<typename Builder , typename T , size_t SIZE>

void bb::stdlib::array_push	(	std::array< T, SIZE > &	arr,
		T const &	value
	)

inline

Note: this assumes 0 always means 'not used', so be careful. If you actually want 0 to be counted, you'll need something else.

Definition at line 108 of file array.hpp.

◆ CONVERT_SIGNATURE() [1/2]

bb::stdlib::CONVERT_SIGNATURE ( bb::MegaCircuitBuilder )

◆ CONVERT_SIGNATURE() [2/2]

bb::stdlib::CONVERT_SIGNATURE ( bb::UltraCircuitBuilder )

◆ ecdsa_verify_signature()

template<typename Builder , typename Curve , typename Fq , typename Fr , typename G1 >

bool_t< Builder > bb::stdlib::ecdsa_verify_signature	(	const stdlib::byte_array< Builder > &	hashed_message,
		const G1 &	public_key,
		const ecdsa_signature< Builder > &	sig
	)

Verify ECDSA signature. Returns bool_t(true/false) depending on whether the signature is valid or not.

Fix the following notation:

\(E\) is an elliptic curve over the base field \(\mathbb{F}_q\).
\(G\) is a generator of the group of points of \(E\), the order of \(G\) is \(n\).
\(a \in \mathbb{F}_n^{\ast}\) is a private key, and \(P := aG\) is the associated public key
\(\mathbf{H}\) is a hash function

Given a message \(m\), a couple \((r,s)\) is a valid signature for the message \(m\) with respect to the public key \(P\) if:

\(P\) is a point on \(E\)
\(0 < r < n\)
\(0 < s < (n+1) / 2\)
Define \(e := \mathbf{H}(m) \mod n\) and \(Q := e s^{-1} G + r s^{-1} P \)
\(Q\) is not the point at infinity
\(Q_x = r \mod n\) (note that \(Q_x \in \mathbb{F}_q\))

Note

The requirement of step 2. is to avoid signature malleability: if \((r,s)\) is a valid signature for message \(m\) and public key \(P\), so is \((r,n-s)\). We protect against malleability by enforcing that \(s\) is always the lowest of the two possible values.

In Ethereum signatures contain also a recovery byte \(v\) which is used to recover the public key for which the signature is to be validated. As we receive the public key as part of the inputs to the verification function, we do not handle the recovery byte. The signature which is the input to the verification function is given by \((r,s)\). The users of the verification function should handle the recovery byte if that is in their interest.

This function verifies that sig is a valid signature for the public key public_key. The function returns an in-circuit boolean value which bears witness to whether the signature verification was successfull or not. The boolean is NOT constrained to be equal to bool_t(true).

The circuit introduces constraints for the following assertions:

\(P\) is on the curve
\(H(m) < n\)
\(0 < r < n\)
\(0 < s < (n+1)/2\)
\(Q := H(m) s^{-1} G + r s^{-1} P\) is not the point at infinity Therefore, if the witnesses passed to this function do not satisfy these constraints, the resulting circuit will be unsatisfied. If a user wants to use the verification inside a in-circuit branch, then they need to supply valid data for \(P, r, s\), even though \((r,s)\) doesn't need to be a valid signature.

Template Parameters

Builder
Curve
Fq
Fr
G1

Parameters

hashed_message
public_key
sig

Returns: bool_t<Builder>

Definition at line 128 of file ecdsa_impl.hpp.

◆ generate_ecdsa_verification_test_circuit()

template<typename Builder >

void bb::stdlib::generate_ecdsa_verification_test_circuit	(	Builder &	builder,
		size_t	num_iterations
	)

Generate a simple ecdsa verification circuit for testing purposes.

Template Parameters

Builder

Parameters

builder
num_iterations	number of signature verifications to perform

Definition at line 229 of file ecdsa_impl.hpp.

◆ generate_keccak_test_circuit() [1/3]

template void bb::stdlib::generate_keccak_test_circuit	(	bb::MegaCircuitBuilder &	,
		size_t
	)

◆ generate_keccak_test_circuit() [2/3]

template void bb::stdlib::generate_keccak_test_circuit	(	bb::UltraCircuitBuilder &	,
		size_t
	)

◆ generate_keccak_test_circuit() [3/3]

template<typename Builder >

void bb::stdlib::generate_keccak_test_circuit	(	Builder &	builder,
		size_t	num_iterations
	)

Generate a simple keccak circuit for testing purposes.

Template Parameters

Builder

Parameters

builder
num_iterations	number of hashes to perform

Definition at line 794 of file keccak.cpp.

◆ get_num_blocks()

constexpr size_t bb::stdlib::get_num_blocks ( const size_t num_bits )

constexpr

Definition at line 19 of file sha256.cpp.

◆ is_array_empty()

template<typename Builder , size_t SIZE>

stdlib::bool_t< Builder > bb::stdlib::is_array_empty ( std::array< field_t< Builder >, SIZE > const & arr )

Note: this assumes 0 always means 'not used', so be careful. If you actually want 0 to be counted, you'll need something else.

Definition at line 125 of file array.hpp.

◆ operator<<() [1/7]

template<typename C , typename T >

std::ostream & bb::stdlib::operator<<	(	std::ostream &	os,
		bigfield< T, C > const &	v
	)

inline

Definition at line 1126 of file bigfield.hpp.

◆ operator<<() [2/7]

template<typename T >

std::ostream & bb::stdlib::operator<<	(	std::ostream &	os,
		bool_t< T > const &	v
	)

inline

Definition at line 137 of file bool.hpp.

◆ operator<<() [3/7]

template<typename Builder >

std::ostream & bb::stdlib::operator<<	(	std::ostream &	os,
		byte_array< Builder > const &	arr
	)

inline

Definition at line 122 of file byte_array.hpp.

◆ operator<<() [4/7]

template<typename Builder >

std::ostream & bb::stdlib::operator<<	(	std::ostream &	os,
		cycle_group< Builder > const &	v
	)

inline

Definition at line 237 of file cycle_group.hpp.

◆ operator<<() [5/7]

template<typename Builder >

std::ostream & bb::stdlib::operator<<	(	std::ostream &	os,
		field_t< Builder > const &	v
	)

inline

Definition at line 520 of file field.hpp.

◆ operator<<() [6/7]

template<typename C >

std::ostream & bb::stdlib::operator<<	(	std::ostream &	os,
		goblin_field< C > const &	v
	)

inline

Definition at line 204 of file goblin_field.hpp.

◆ operator<<() [7/7]

template<typename Builder >

std::ostream & bb::stdlib::operator<<	(	std::ostream &	os,
		safe_uint_t< Builder > const &	v
	)

inline

Definition at line 216 of file safe_uint.hpp.

◆ push_array_to_array()

template<typename Builder , size_t size_1, size_t size_2>

void bb::stdlib::push_array_to_array	(	std::array< field_t< Builder >, size_1 > const &	source,
		std::array< field_t< Builder >, size_2 > &	target
	)

Inserts the source array at the first zero-valued index of the target array. Fails if the source array is too large vs the remaining capacity of the target array.

Definition at line 140 of file array.hpp.

◆ read()

template<typename B >

void bb::stdlib::read	(	B &	it,
		address &	addr
	)

Definition at line 54 of file address.hpp.

◆ schnorr_convert_signature()

template<typename C >

schnorr_signature_bits< C > bb::stdlib::schnorr_convert_signature	(	C *	context,
		const crypto::schnorr_signature &	signature
	)

Instantiate a witness containing the signature (s, e) as a quadruple of field_t elements (s_lo, s_hi, e_lo, e_hi).

Definition at line 22 of file schnorr.cpp.

◆ schnorr_signature_verification_result()

template<typename C >

bool_t< C > bb::stdlib::schnorr_signature_verification_result	(	const byte_array< C > &	message,
		const cycle_group< C > &	pub_key,
		const schnorr_signature_bits< C > &	sig
	)

Attempt to verify a signature (s, e) and return the result, i.e., compute e' = hash(([s]g + [e]pub).x | message) and return the boolean witness e' == e.

Definition at line 90 of file schnorr.cpp.

◆ schnorr_verify_signature()

template<typename C >

void bb::stdlib::schnorr_verify_signature	(	const byte_array< C > &	message,
		const cycle_group< C > &	pub_key,
		const schnorr_signature_bits< C > &	sig
	)

Verify that a signature (s, e) is valid, i.e., compute e' = hash(([s]g + [e]pub).x | message) and check that e' == e is true.

Definition at line 75 of file schnorr.cpp.

◆ schnorr_verify_signature_internal()

template<typename C >

std::array< field_t< C >, 2 > bb::stdlib::schnorr_verify_signature_internal	(	const byte_array< C > &	message,
		const cycle_group< C > &	pub_key,
		const schnorr_signature_bits< C > &	sig
	)

Make the computations needed to verify a signature (s, e), i.e., compute e' = hash(([s]g + [e]pub).x | message) and return e'.

Ultra: ~5018 gates, excluding gates required to init the Ultra range check (~1,169k for fixed/variable_base_mul, ~4k for blake2s) for a string of length = 34.

Definition at line 46 of file schnorr.cpp.

◆ SIGNATURE_VERIFICATION_RESULT() [1/2]

bb::stdlib::SIGNATURE_VERIFICATION_RESULT ( bb::MegaCircuitBuilder )

◆ SIGNATURE_VERIFICATION_RESULT() [2/2]

bb::stdlib::SIGNATURE_VERIFICATION_RESULT ( bb::UltraCircuitBuilder )

◆ validate_context() [1/3]

template<typename T , typename Container >

T * bb::stdlib::validate_context ( const Container & elements )

Definition at line 35 of file field.hpp.

◆ validate_context() [2/3]

template<typename T , typename... Ts>

T * bb::stdlib::validate_context	(	T *	first,
		Ts *...	rest
	)

Definition at line 22 of file field.hpp.

◆ validate_context() [3/3]

template<typename T >

T * bb::stdlib::validate_context ( T * ptr )

Definition at line 16 of file field.hpp.

◆ validate_inputs()

template<typename Builder , typename Curve , typename Fq , typename Fr , typename G1 >

void bb::stdlib::validate_inputs	(	const stdlib::byte_array< Builder > &	hashed_message,
		const G1 &	public_key,
		const ecdsa_signature< Builder > &	sig
	)

Validate the inputs used by the verification function and return messages if they produce an invalid circuit.

Template Parameters

Builder
Curve
Fq
Fr
G1

Parameters

hashed_message
public_key
sig
scalar_mul_result

Definition at line 34 of file ecdsa_impl.hpp.

◆ VERIFY_SIGNATURE() [1/2]

bb::stdlib::VERIFY_SIGNATURE ( bb::MegaCircuitBuilder )

◆ VERIFY_SIGNATURE() [2/2]

bb::stdlib::VERIFY_SIGNATURE ( bb::UltraCircuitBuilder )

◆ VERIFY_SIGNATURE_INTERNAL() [1/2]

bb::stdlib::VERIFY_SIGNATURE_INTERNAL ( bb::MegaCircuitBuilder )

◆ VERIFY_SIGNATURE_INTERNAL() [2/2]

bb::stdlib::VERIFY_SIGNATURE_INTERNAL ( bb::UltraCircuitBuilder )

◆ write()

template<typename B >

void bb::stdlib::write	(	B &	buf,
		address const &	addr
	)

Definition at line 62 of file address.hpp.

Namespaces

Classes

Concepts

Typedefs

Functions

Detailed Description

Typedef Documentation

◆ element

Function Documentation

◆ array_length()

◆ array_pop()

◆ array_push() [1/4]

◆ array_push() [2/4]

◆ array_push() [3/4]

◆ array_push() [4/4]

◆ CONVERT_SIGNATURE() [1/2]

◆ CONVERT_SIGNATURE() [2/2]

◆ ecdsa_verify_signature()

◆ generate_ecdsa_verification_test_circuit()

◆ generate_keccak_test_circuit() [1/3]

◆ generate_keccak_test_circuit() [2/3]

◆ generate_keccak_test_circuit() [3/3]

◆ get_num_blocks()

◆ is_array_empty()

◆ operator<<() [1/7]

◆ operator<<() [2/7]

◆ operator<<() [3/7]

◆ operator<<() [4/7]

◆ operator<<() [5/7]

◆ operator<<() [6/7]

◆ operator<<() [7/7]

◆ push_array_to_array()

◆ read()

◆ schnorr_convert_signature()

◆ schnorr_signature_verification_result()

◆ schnorr_verify_signature()

◆ schnorr_verify_signature_internal()

◆ SIGNATURE_VERIFICATION_RESULT() [1/2]

◆ SIGNATURE_VERIFICATION_RESULT() [2/2]

◆ validate_context() [1/3]

◆ validate_context() [2/3]

◆ validate_context() [3/3]

◆ validate_inputs()

◆ VERIFY_SIGNATURE() [1/2]

◆ VERIFY_SIGNATURE() [2/2]

◆ VERIFY_SIGNATURE_INTERNAL() [1/2]

◆ VERIFY_SIGNATURE_INTERNAL() [2/2]

◆ write()