Barretenberg: src/barretenberg/stdlib/primitives/group/straus_lookup_table.cpp Source File

// === AUDIT STATUS ===

// internal:    { status: not started, auditors: [], date: YYYY-MM-DD }

// external_1:  { status: not started, auditors: [], date: YYYY-MM-DD }

// external_2:  { status: not started, auditors: [], date: YYYY-MM-DD }

// =====================


#include "./straus_lookup_table.hpp"

#include "./cycle_group.hpp"

#include "barretenberg/stdlib/primitives/circuit_builders/circuit_builders.hpp"


namespace bb::stdlib {


template <typename Builder>

std::vector<typename straus_lookup_table<Builder>::Element> straus_lookup_table<


    Builder>::compute_straus_lookup_table_hints(const Element& base_point,

                                                const Element& offset_generator,

                                                size_t table_bits)

{

    const size_t table_size = 1UL << table_bits;

    Element base = base_point.is_point_at_infinity() ? Group::one : base_point;

    std::vector<Element> hints;

    hints.emplace_back(offset_generator);

    for (size_t i = 1; i < table_size; ++i) {

        hints.emplace_back(hints[i - 1] + base);

    }

    return hints;

}


template <typename Builder>


straus_lookup_table<Builder>::straus_lookup_table(Builder* context,

                                                  const cycle_group<Builder>& base_point,

                                                  const cycle_group<Builder>& offset_generator,

                                                  size_t table_bits,

                                                  std::optional<std::span<AffineElement>> hints)

    : _table_bits(table_bits)

    , _context(context)

    , tag(OriginTag(base_point.get_origin_tag(), offset_generator.get_origin_tag()))

{

    constexpr bool IS_ULTRA = Builder::CIRCUIT_TYPE == CircuitType::ULTRA;


    const size_t table_size = 1UL << table_bits;

    point_table.resize(table_size);

    point_table[0] = offset_generator;


    // We want to support the case where input points are points at infinity.

    // If base point is at infinity, we want every point in the table to just be `generator_point`.

    // We achieve this via the following:

    // 1: We create a "work_point" that is base_point if not at infinity, otherwise is just 1

    // 2: When computing the point table, we use "work_point" in additions instead of the "base_point" (to prevent

    //    x-coordinate collisions in honest case) 3: When assigning to the point table, we conditionally assign either

    //    the output of the point addition (if not at infinity) or the generator point (if at infinity)

    // Note: if `base_point.is_point_at_infinity()` is constant, these conditional assigns produce zero gate overhead

    cycle_group<Builder> fallback_point(Group::affine_one);

    field_t modded_x = field_t::conditional_assign(base_point.is_point_at_infinity(), fallback_point.x, base_point.x);

    field_t modded_y = field_t::conditional_assign(base_point.is_point_at_infinity(), fallback_point.y, base_point.y);

    cycle_group<Builder> modded_base_point(modded_x, modded_y, false);


    // if the input point is constant, it is cheaper to fix the point as a witness and then derive the table, than it is

    // to derive the table and fix its witnesses to be constant! (due to group additions = 1 gate, and fixing x/y coords

    // to be constant = 2 gates)

    if (base_point.is_constant() && !base_point.is_point_at_infinity().get_value()) {

        modded_base_point = cycle_group<Builder>::from_constant_witness(_context, modded_base_point.get_value());

        point_table[0] = cycle_group<Builder>::from_constant_witness(_context, offset_generator.get_value());

        for (size_t i = 1; i < table_size; ++i) {

            std::optional<AffineElement> hint =

                hints.has_value() ? std::optional<AffineElement>(hints.value()[i - 1]) : std::nullopt;

            point_table[i] = point_table[i - 1].unconditional_add(modded_base_point, hint);

        }

    } else {

        std::vector<std::tuple<field_t, field_t>> x_coordinate_checks;

        // ensure all of the ecc add gates are lined up so that we can pay 1 gate per add and not 2

        for (size_t i = 1; i < table_size; ++i) {

            std::optional<AffineElement> hint =

                hints.has_value() ? std::optional<AffineElement>(hints.value()[i - 1]) : std::nullopt;

            x_coordinate_checks.emplace_back(point_table[i - 1].x, modded_base_point.x);

            point_table[i] = point_table[i - 1].unconditional_add(modded_base_point, hint);

        }


        // batch the x-coordinate checks together

        // because `assert_is_not_zero` witness generation needs a modular inversion (expensive)

        field_t coordinate_check_product = 1;

        for (auto& [x1, x2] : x_coordinate_checks) {

            auto x_diff = x2 - x1;

            coordinate_check_product *= x_diff;

        }

        coordinate_check_product.assert_is_not_zero("straus_lookup_table x-coordinate collision");


        for (size_t i = 1; i < table_size; ++i) {

            point_table[i] = cycle_group<Builder>::conditional_assign(

                base_point.is_point_at_infinity(), offset_generator, point_table[i]);

        }

    }

    if constexpr (IS_ULTRA) {

        rom_id = context->create_ROM_array(table_size);

        for (size_t i = 0; i < table_size; ++i) {

            if (point_table[i].is_constant()) {

                auto element = point_table[i].get_value();

                point_table[i] = cycle_group<Builder>::from_constant_witness(_context, element);

                point_table[i].x.assert_equal(element.x);

                point_table[i].y.assert_equal(element.y);

            }

            context->set_ROM_element_pair(

                rom_id,

                i,

                std::array<uint32_t, 2>{ point_table[i].x.get_witness_index(), point_table[i].y.get_witness_index() });

        }

    } else {

        BB_ASSERT_EQ(table_bits, 1U);

    }

}


template <typename Builder> cycle_group<Builder> straus_lookup_table<Builder>::read(const field_t& _index)

{

    constexpr bool IS_ULTRA = Builder::CIRCUIT_TYPE == CircuitType::ULTRA;


    if constexpr (IS_ULTRA) {

        field_t index(_index);

        if (index.is_constant()) {

            using witness_t = stdlib::witness_t<Builder>;

            index = witness_t(_context, _index.get_value());

            index.assert_equal(_index.get_value());

        }

        auto output_indices = _context->read_ROM_array_pair(rom_id, index.get_witness_index());

        field_t x = field_t::from_witness_index(_context, output_indices[0]);

        field_t y = field_t::from_witness_index(_context, output_indices[1]);

        // Merge tag of table with tag of index

        x.set_origin_tag(OriginTag(tag, _index.get_origin_tag()));

        y.set_origin_tag(OriginTag(tag, _index.get_origin_tag()));

        return cycle_group<Builder>(x, y, /*is_infinity=*/false);

    }

    field_t x = _index * (point_table[1].x - point_table[0].x) + point_table[0].x;

    field_t y = _index * (point_table[1].y - point_table[0].y) + point_table[0].y;


    // Merge tag of table with tag of index

    x.set_origin_tag(OriginTag(tag, _index.get_origin_tag()));

    y.set_origin_tag(OriginTag(tag, _index.get_origin_tag()));

    return cycle_group<Builder>(x, y, /*is_infinity=*/false);

}


template class straus_lookup_table<bb::UltraCircuitBuilder>;

template class straus_lookup_table<bb::MegaCircuitBuilder>;


} // namespace bb::stdlib

BB_ASSERT_EQ
#define BB_ASSERT_EQ(actual, expected,...)
Definition assert.hpp:59

circuit_builders.hpp

bb::ECCVMCircuitBuilder
Definition eccvm_circuit_builder.hpp:24

bb::stdlib::bool_t::get_value
bool get_value() const
Definition bool.hpp:109

bb::stdlib::cycle_group
cycle_group represents a group Element of the proving system's embedded curve i.e....
Definition cycle_group.hpp:36

bb::stdlib::cycle_group::from_constant_witness
static cycle_group from_constant_witness(Builder *_context, const AffineElement &_in)
Converts a native AffineElement into a witness, but constrains the witness values to be known constan...
Definition cycle_group.cpp:181

bb::stdlib::cycle_group::x
field_t x
Definition cycle_group.hpp:210

bb::stdlib::cycle_group::conditional_assign
static cycle_group conditional_assign(const bool_t &predicate, const cycle_group &lhs, const cycle_group &rhs)
Definition cycle_group.cpp:1309

bb::stdlib::cycle_group::is_point_at_infinity
bool_t is_point_at_infinity() const
Definition cycle_group.hpp:87

bb::stdlib::cycle_group::y
field_t y
Definition cycle_group.hpp:211

bb::stdlib::cycle_group::get_value
AffineElement get_value() const
Definition cycle_group.cpp:214

bb::stdlib::cycle_group::is_constant
bool is_constant() const
Definition cycle_group.hpp:86

bb::stdlib::field_t< Builder >

bb::stdlib::field_t::assert_equal
void assert_equal(const field_t &rhs, std::string const &msg="field_t::assert_equal") const
Copy constraint: constrain that *this field is equal to rhs element.
Definition field.cpp:929

bb::stdlib::field_t< Builder >::from_witness_index
static field_t from_witness_index(Builder *ctx, uint32_t witness_index)
Definition field.cpp:59

bb::stdlib::field_t< Builder >::conditional_assign
static field_t conditional_assign(const bool_t< Builder > &predicate, const field_t &lhs, const field_t &rhs)
If predicate == true then return lhs, else return rhs.
Definition field.cpp:884

bb::stdlib::field_t::get_origin_tag
OriginTag get_origin_tag() const
Definition field.hpp:333

bb::stdlib::field_t::get_value
bb::fr get_value() const
Given a := *this, compute its value given by a.v * a.mul + a.add.
Definition field.cpp:827

bb::stdlib::field_t::is_constant
bool is_constant() const
Definition field.hpp:399

bb::stdlib::field_t::set_origin_tag
void set_origin_tag(const OriginTag &new_tag) const
Definition field.hpp:332

bb::stdlib::field_t::assert_is_not_zero
void assert_is_not_zero(std::string const &msg="field_t::assert_is_not_zero") const
Constrain *this to be non-zero by establishing that it has an inverse.
Definition field.cpp:707

bb::stdlib::field_t::get_witness_index
uint32_t get_witness_index() const
Get the witness index of the current field element.
Definition field.hpp:461

bb::stdlib::straus_lookup_table
straus_lookup_table computes a lookup table of size 1 << table_bits
Definition straus_lookup_table.hpp:44

bb::stdlib::straus_lookup_table::_context
Builder * _context
Definition straus_lookup_table.hpp:64

bb::stdlib::straus_lookup_table::Element
typename Curve::Element Element
Definition straus_lookup_table.hpp:49

bb::stdlib::straus_lookup_table::point_table
std::vector< cycle_group< Builder > > point_table
Definition straus_lookup_table.hpp:65

bb::stdlib::straus_lookup_table::straus_lookup_table
straus_lookup_table()=default

bb::stdlib::straus_lookup_table::rom_id
size_t rom_id
Definition straus_lookup_table.hpp:66

bb::stdlib::straus_lookup_table::read
cycle_group< Builder > read(const field_t &index)
Given an _index witness, return straus_lookup_table[index]
Definition straus_lookup_table.cpp:146

bb::stdlib::witness_t
Definition witness.hpp:16

context
StrictMock< MockContext > context
Definition data_copy.test.cpp:55

cycle_group.hpp

bb::stdlib
Definition graph_description_goblin.test.cpp:13

bb::stdlib::element
std::conditional_t< IsGoblinBigGroup< C, Fq, Fr, G >, element_goblin::goblin_element< C, goblin_field< C >, Fr, G >, element_default::element< C, Fq, Fr, G > > element
element wraps either element_default::element or element_goblin::goblin_element depending on parametr...
Definition biggroup.hpp:1055

bb::CircuitType::ULTRA
@ ULTRA

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

straus_lookup_table.hpp

bb::OriginTag
Definition origin_tag.hpp:64