K=4 compressed internal-round relation for Poseidon2. More...

#include <poseidon2_quad_internal_relation.hpp>

Public Types
using	FF = FF_

using	QuadParams = crypto::Poseidon2QuadBn254Params

Static Public Member Functions
template<typename AllEntities >
static bool	skip (const AllEntities &in)
	Skip when the selector is identically zero on this row.

template<typename ContainerOverSubrelations , typename AllEntities , typename Parameters >
static void	accumulate (ContainerOverSubrelations &evals, const AllEntities &in, const Parameters &, const FF &scaling_factor)

Static Public Attributes
static constexpr std::array< size_t, 4 >	SUBRELATION_PARTIAL_LENGTHS

static constexpr fr	D1 = QuadParams::D1

static constexpr fr	SIGMA_PLUS_2 = QuadParams::SIGMA + fr(2)

static constexpr fr	B3_U0_COEF = SIGMA_PLUS_2 * D1 - QuadParams::SIGMA - fr(3)

static constexpr fr	D1_MINUS_3 = D1 - fr(3)

Detailed Description

template<typename FF_>
class bb::Poseidon2QuadInternalRelationImpl< FF_ >

K=4 compressed internal-round relation for Poseidon2.

Each active row stores state[0] at four consecutive internal rounds: w_l = s_0^{(0)}, w_r = s_0^{(1)}, w_o = s_0^{(2)}, w_4 = s_0^{(3)} and uses q_l, q_r, q_o, q_4 as the four current-round constants. For a non-terminal row, q_m, q_c, q_5 contain the next quad's first three constants.

Poseidon2QuadBn254Params provides closed-form coefficients for the state after four rounds: (out_0, out_1, out_2, out_3). This relation connects that output to the next compressed row: A_0: out_0 = w_l_shift (direct) A_1: out_1 + out_2 + out_3 = b_1_next A_2: D_2 out_1 + D_3 out_2 + D_4 out_3 = b_2_next A_3: D_2^2 out_1 + D_3^2 out_2 + D_4^2 out_3 = b_3_next where b_k_next are the Vandermonde right-hand sides reconstructed from the shifted row.

High-level picture. The relation never recovers any hidden-lane vector — at runtime there is no matrix inversion and no committed s_1, s_2, s_3 anywhere. Instead, both sides of the cross-row hidden-lane equation are computed as linear combinations of committed wires, and only those linear combinations are compared. The trick is:

Predicted output (from current row): the full state vector at internal round 4(i+1) — i.e. one round past the four rounds covered by this quad — is denoted (out_0, out_1, out_2, out_3). Each component is a fixed linear combination of the current row's committed lane-0 chain and S-box outputs (u_0..u_3), precomputed as the closed-form matrix C in Poseidon2QuadBn254Params::tables.closed_form. Then apply V to the predicted hidden lanes (out_1, out_2, out_3) — that's also a fixed linear combination of the same wires, precomputed as forward_vandermonde_lhs. Call the result LHS_k for k = 1, 2, 3.
Encoded next-row input (from next row): the next row's start-of-row hidden lanes (s_1', s_2', s_3') are NOT committed. But Theorem (1) of QUAD_THEOREM.md says V · (s_1', s_2', s_3')^T = (b_1', b_2', b_3') where the b'-formulas express b_k' as an explicit linear combination of the next row's committed lane-0 chain and S-box outputs (using the next quad's first three round constants, carried on this row in q_m, q_c, q_5 because Mega lacks shifted selectors). So V · (next row's hidden input) is computable without ever committing the hidden input — call this RHS_k.
Set them equal:
- lane 0: out_0 = w_l_shift directly (subrelation A_0).
- lanes 1..3: LHS_k = RHS_k for k = 1, 2, 3 (subrelations A_1, A_2, A_3). Both sides are polynomials in committed wires; the verifier evaluates them and checks equality. No hidden lanes are ever materialized; no V^{-1} is ever applied at runtime.

Why equality of encodings suffices. We're really enforcing V · (out_1, out_2, out_3)^T = V · (s_1', s_2', s_3')^T. Because V is invertible (D_2, D_3, D_4 pairwise distinct, statically asserted in poseidon2_quad_params.hpp), this is mathematically equivalent to the desired (out_1, out_2, out_3) = (s_1', s_2', s_3').

Degree: each subrelation has degree 5 in any single sumcheck variable (all S-boxes land on distinct wires). Plus selector + gate separator = 7.

Definition at line 61 of file poseidon2_quad_internal_relation.hpp.

Member Typedef Documentation

◆ FF

template<typename FF_ >

using bb::Poseidon2QuadInternalRelationImpl< FF_ >::FF = FF_

Definition at line 63 of file poseidon2_quad_internal_relation.hpp.

◆ QuadParams

template<typename FF_ >

using bb::Poseidon2QuadInternalRelationImpl< FF_ >::QuadParams = crypto::Poseidon2QuadBn254Params

Definition at line 64 of file poseidon2_quad_internal_relation.hpp.

Member Function Documentation

◆ accumulate()

template<typename FF_ >

template<typename ContainerOverSubrelations , typename AllEntities , typename Parameters >

static void bb::Poseidon2QuadInternalRelationImpl< FF_ >::accumulate	(	ContainerOverSubrelations &	evals,
		const AllEntities &	in,
		const Parameters &	,
		const FF &	scaling_factor
	)

inlinestatic

Definition at line 88 of file poseidon2_quad_internal_relation.hpp.

◆ skip()

template<typename FF_ >

template<typename AllEntities >

static bool bb::Poseidon2QuadInternalRelationImpl< FF_ >::skip ( const AllEntities & in )

template<typename FF_ >

constexpr std::array<size_t, 4> bb::Poseidon2QuadInternalRelationImpl< FF_ >::SUBRELATION_PARTIAL_LENGTHS

staticconstexpr

Initial value:

Definition at line 66 of file poseidon2_quad_internal_relation.hpp.

The documentation for this class was generated from the following file:

src/barretenberg/relations/poseidon2_quad_internal_relation.hpp

Public Types

Static Public Member Functions

Static Public Attributes

Detailed Description

Member Typedef Documentation

◆ FF

◆ QuadParams

Member Function Documentation

◆ accumulate()

◆ skip()

Member Data Documentation

◆ B3_U0_COEF

◆ D1

◆ D1_MINUS_3

◆ SIGMA_PLUS_2

◆ SUBRELATION_PARTIAL_LENGTHS