Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
cycle_group.hpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: Complete, auditors: [Luke], commit: a48c205d6dcd4338f5b83b4fda18bff6015be07b}
3// external_1: { status: Complete, auditors: [Sherlock], commit: 13c1b927c6c }
4// external_2: { status: not started, auditors: [], commit: }
5// =====================
6
7#pragma once
8
9#include "barretenberg/crypto/pedersen_commitment/pedersen.hpp"
10#include "barretenberg/ecc/curves/grumpkin/grumpkin.hpp"
11#include "barretenberg/stdlib/primitives/bigfield/bigfield.hpp"
12#include "barretenberg/stdlib/primitives/bool/bool.hpp"
13#include "barretenberg/stdlib/primitives/circuit_builders/circuit_builders.hpp"
14#include "barretenberg/stdlib/primitives/field/field.hpp"
15#include "barretenberg/stdlib/primitives/group/cycle_scalar.hpp"
16#include "barretenberg/stdlib/primitives/group/straus_lookup_table.hpp"
17#include "barretenberg/stdlib/primitives/group/straus_plookup_table.hpp"
18#include "barretenberg/stdlib/primitives/group/straus_scalar_slice.hpp"
19#include "barretenberg/stdlib_circuit_builders/plookup_tables/fixed_base/fixed_base_params.hpp"
20#include "barretenberg/transcript/origin_tag.hpp"
21#include <optional>
22
23namespace bb::stdlib {
24
40template <typename Builder> class cycle_group {
41 public:
42 using field_t = stdlib::field_t<Builder>;
43 using BaseField = field_t;
44 using bool_t = stdlib::bool_t<Builder>;
45 using witness_t = stdlib::witness_t<Builder>;
46
47 using Curve = bb::curve::Grumpkin;
48 using Group = bb::grumpkin::g1;
49 using Element = bb::grumpkin::g1::element;
50 using AffineElement = bb::grumpkin::g1::affine_element;
51 using GeneratorContext = crypto::GeneratorContext<Curve>;
52
53 using BigScalarField = stdlib::bigfield<Builder, bb::fq::Params>;
54 using cycle_scalar = ::bb::stdlib::cycle_scalar<Builder>;
55 using straus_lookup_table = ::bb::stdlib::straus_lookup_table<Builder>;
56 using straus_plookup_table = ::bb::stdlib::straus_plookup_table<Builder>;
57 using straus_scalar_slices = ::bb::stdlib::straus_scalar_slices<Builder>;
58
59 // Bit-size for scalars represented in the ROM lookup tables used in the variable-base MSM algorithm
60 static constexpr size_t ROM_TABLE_BITS = 4;
61 static constexpr size_t NUM_BITS_FULL_FIELD_SIZE = bb::fq::modulus.get_msb() + 1;
62 // Domain separator for generating offset generator points in the variable-base MSM algorithm
63 static constexpr std::string_view OFFSET_GENERATOR_DOMAIN_SEPARATOR = "cycle_group_offset_generator";
64
65 // Since the cycle_group base field is the circuit's native field, it can be stored using two public inputs.
66 static constexpr size_t PUBLIC_INPUTS_SIZE = 2;
67
68 private:
77
78 public:
79 cycle_group(Builder* _context = nullptr);
80 // Construct from coordinates. Infinity is auto-detected from (x == 0 && y == 0).
81 explicit cycle_group(const field_t& x, const field_t& y, bool assert_on_curve = true);
82 cycle_group(const AffineElement& _in);
83 static cycle_group one(Builder* _context);
84 static cycle_group constant_infinity(Builder* _context = nullptr);
85 static cycle_group from_witness(Builder* _context, const AffineElement& _in);
86 static cycle_group from_constant_witness(Builder* _context, const AffineElement& _in);
87 Builder* get_context(const cycle_group& other) const;
88 Builder* get_context() const { return context; }
89 AffineElement get_value() const;
90
91 // Coordinate accessors (non-owning, const reference)
92 const field_t& x() const { return _x; }
93 const field_t& y() const { return _y; }
94 [[nodiscard]] bool is_constant() const
95 {
96 return _x.is_constant() && _y.is_constant() && _is_infinity.is_constant();
97 }
98 bool_t is_point_at_infinity() const { return _is_infinity; }
99 [[nodiscard]] bool is_constant_point_at_infinity() const
100 {
101 return _is_infinity.is_constant() && _is_infinity.get_value();
102 }
103 void standardize();
104 void validate_on_curve() const;
105
106 cycle_group dbl(const std::optional<AffineElement> hint = std::nullopt) const;
107 cycle_group unconditional_add(const cycle_group& other,
108 const std::optional<AffineElement> hint = std::nullopt) const;
109 cycle_group unconditional_subtract(const cycle_group& other,
110 const std::optional<AffineElement> hint = std::nullopt) const;
111 cycle_group checked_unconditional_add(const cycle_group& other,
112 const std::optional<AffineElement> hint = std::nullopt) const;
113 cycle_group checked_unconditional_subtract(const cycle_group& other,
114 const std::optional<AffineElement> hint = std::nullopt) const;
115 cycle_group operator+(const cycle_group& other) const;
116 cycle_group operator-(const cycle_group& other) const;
117 cycle_group operator-() const;
118 cycle_group& operator+=(const cycle_group& other);
119 cycle_group& operator-=(const cycle_group& other);
120 static cycle_group batch_mul(const std::vector<cycle_group>& base_points,
121 const std::vector<BigScalarField>& scalars,
122 GeneratorContext context = {})
123 {
124 std::vector<cycle_scalar> cycle_scalars;
125 for (auto scalar : scalars) {
126 cycle_scalars.emplace_back(scalar);
127 }
128 return batch_mul(base_points, cycle_scalars, context);
129 }
130 static cycle_group batch_mul(const std::vector<cycle_group>& base_points,
131 const std::vector<cycle_scalar>& scalars,
132 const GeneratorContext& context = {});
133
134 static cycle_group fixed_batch_mul(const std::vector<cycle_group>& constant_points,
135 const std::vector<BigScalarField>& scalars,
136 GeneratorContext context = {},
137 size_t table_bits = ROM_TABLE_BITS)
138 {
139 std::vector<cycle_scalar> cycle_scalars;
140 for (auto scalar : scalars) {
141 cycle_scalars.emplace_back(scalar);
142 }
143 return fixed_batch_mul(constant_points, cycle_scalars, context, table_bits);
144 }
145 static cycle_group fixed_batch_mul(const std::vector<cycle_group>& constant_points,
146 const std::vector<cycle_scalar>& scalars,
147 const GeneratorContext& context = {},
148 size_t table_bits = ROM_TABLE_BITS);
149 cycle_group operator*(const cycle_scalar& scalar) const;
150 cycle_group& operator*=(const cycle_scalar& scalar);
151 cycle_group operator*(const BigScalarField& scalar) const;
152 cycle_group& operator*=(const BigScalarField& scalar);
153 bool_t operator==(cycle_group& other);
154 void assert_equal(cycle_group& other, std::string const& msg = "cycle_group::assert_equal");
155 static cycle_group conditional_assign(const bool_t& predicate, const cycle_group& lhs, const cycle_group& rhs);
156
168
178
188
198
202 void fix_witness()
203 {
204 // Origin tags should be updated within
205 _x.fix_witness();
206 _y.fix_witness();
207 _is_infinity.fix_witness();
208
209 // This is now effectively a constant
210 unset_free_witness_tag();
211 }
217 uint32_t set_public()
218 {
219 standardize(); // if point is at infinity, ensure coordinates are (0,0).
220 uint32_t start_idx = _x.set_public();
221 _y.set_public();
222 return start_idx;
223 }
224
225 private:
226 // Allow straus_lookup_table and straus_plookup_table to access the private constructor for efficiency
227 friend class ::bb::stdlib::straus_lookup_table<Builder>;
228 friend class ::bb::stdlib::straus_plookup_table<Builder>;
229
230 // Private constructor that allows explicit control over infinity flag.
231 // Use public constructors or factory methods instead - they auto-detect infinity from coordinates.
232 cycle_group(const field_t& x, const field_t& y, bool_t is_infinity, bool assert_on_curve);
233
234 field_t _x;
235 field_t _y;
236 bool_t _is_infinity;
237 Builder* context;
238
239 static batch_mul_internal_output _variable_base_batch_mul_internal(std::span<cycle_scalar> scalars,
240 std::span<cycle_group> base_points,
241 std::span<AffineElement const> offset_generators,
242 bool unconditional_add);
243
244 static batch_mul_internal_output _fixed_base_batch_mul_internal(std::span<cycle_scalar> scalars,
245 std::span<AffineElement> base_points);
246
247 static batch_mul_internal_output _fixed_base_plookup_batch_mul_internal(
248 std::span<cycle_scalar> scalars,
249 std::span<AffineElement const> base_points,
250 std::span<AffineElement const> offset_generators,
251 size_t table_bits = ROM_TABLE_BITS);
252
253 // Internal implementation for unconditional_add and unconditional_subtract
254 cycle_group _unconditional_add_or_subtract(const cycle_group& other,
255 bool is_addition,
256 const std::optional<AffineElement> hint) const;
257};
258
259template <typename Builder> inline std::ostream& operator<<(std::ostream& os, cycle_group<Builder> const& v)
260{
261 return os << "{ " << v.x() << ", " << v.y() << " }";
262}
263} // namespace bb::stdlib
circuit_builders.hpp
bb::group_elements::affine_element
Definition affine_element.hpp:27
bb::group_elements::element
element class. Implements ecc group arithmetic using Jacobian coordinates See https://hyperelliptic....
Definition element.hpp:35
bb::group
group class. Represents an elliptic curve group element. Group is parametrised by Fq and Fr
Definition group.hpp:38
bb::group::affine_element
group_elements::affine_element< Fq, Fr, Params > affine_element
Definition group.hpp:44
bb::group::element
group_elements::element< Fq, Fr, Params > element
Definition group.hpp:43
bb::numeric::uint256_t::get_msb
constexpr uint64_t get_msb() const
Definition uint256_impl.hpp:376
bb::stdlib::bool_t
Implements boolean logic in-circuit.
Definition bool.hpp:60
bb::stdlib::bool_t::get_value
bool get_value() const
Definition bool.hpp:125
bb::stdlib::bool_t::fix_witness
void fix_witness()
Definition bool.hpp:159
bb::stdlib::bool_t::is_constant
bool is_constant() const
Definition bool.hpp:127
bb::stdlib::bool_t::set_origin_tag
void set_origin_tag(const OriginTag &new_tag) const
Definition bool.hpp:154
bb::stdlib::bool_t::set_free_witness_tag
void set_free_witness_tag()
Definition bool.hpp:156
bb::stdlib::bool_t::unset_free_witness_tag
void unset_free_witness_tag()
Definition bool.hpp:157
bb::stdlib::bool_t::get_origin_tag
OriginTag get_origin_tag() const
Definition bool.hpp:155
bb::stdlib::cycle_group
cycle_group represents a group Element of the proving system's embedded curve, i.e....
Definition cycle_group.hpp:40
bb::stdlib::cycle_group::dbl
cycle_group dbl(const std::optional< AffineElement > hint=std::nullopt) const
Evaluates a point doubling using Ultra ECC double gate (if non-constant)
Definition cycle_group.cpp:298
bb::stdlib::cycle_group::x
const field_t & x() const
Definition cycle_group.hpp:92
bb::stdlib::cycle_group::from_constant_witness
static cycle_group from_constant_witness(Builder *_context, const AffineElement &_in)
Converts a native AffineElement into a witness, but constrains the witness values to be known constan...
Definition cycle_group.cpp:215
bb::stdlib::cycle_group::bool_t
stdlib::bool_t< Builder > bool_t
Definition cycle_group.hpp:44
bb::stdlib::cycle_group::operator*=
cycle_group & operator*=(const cycle_scalar &scalar)
Definition cycle_group.cpp:1370
bb::stdlib::cycle_group::standardize
void standardize()
Convert the point to standard form.
Definition cycle_group.cpp:274
bb::stdlib::cycle_group::unconditional_add
cycle_group unconditional_add(const cycle_group &other, const std::optional< AffineElement > hint=std::nullopt) const
Evaluate incomplete ECC point addition over *this and other.
Definition cycle_group.cpp:448
bb::stdlib::cycle_group::validate_on_curve
void validate_on_curve() const
On-curve check.
Definition cycle_group.cpp:257
bb::stdlib::cycle_group::operator==
bool_t operator==(cycle_group &other)
Definition cycle_group.cpp:1387
bb::stdlib::cycle_group::operator-=
cycle_group & operator-=(const cycle_group &other)
Definition cycle_group.cpp:705
bb::stdlib::cycle_group::conditional_assign
static cycle_group conditional_assign(const bool_t &predicate, const cycle_group &lhs, const cycle_group &rhs)
Definition cycle_group.cpp:1405
bb::stdlib::cycle_group::unset_free_witness_tag
void unset_free_witness_tag()
Unset the free witness flag for the cycle_group's tags.
Definition cycle_group.hpp:192
bb::stdlib::cycle_group::fix_witness
void fix_witness()
Definition cycle_group.hpp:202
bb::stdlib::cycle_group::checked_unconditional_subtract
cycle_group checked_unconditional_subtract(const cycle_group &other, const std::optional< AffineElement > hint=std::nullopt) const
Evaluate incomplete ECC point subtraction over *this and other, with x-coordinate collision checks.
Definition cycle_group.cpp:504
bb::stdlib::cycle_group::_unconditional_add_or_subtract
cycle_group _unconditional_add_or_subtract(const cycle_group &other, bool is_addition, const std::optional< AffineElement > hint) const
Will evaluate ECC point addition or subtraction over *this and other.
Definition cycle_group.cpp:369
bb::stdlib::cycle_group::_y
field_t _y
Definition cycle_group.hpp:235
bb::stdlib::cycle_group::from_witness
static cycle_group from_witness(Builder *_context, const AffineElement &_in)
Converts an AffineElement into a circuit witness.
Definition cycle_group.cpp:189
bb::stdlib::cycle_group::operator-
cycle_group operator-() const
Negates a point.
Definition cycle_group.cpp:689
bb::stdlib::cycle_group::one
static cycle_group one(Builder *_context)
Construct a constant cycle_group representation of Group::one.
Definition cycle_group.cpp:148
bb::stdlib::cycle_group::set_free_witness_tag
void set_free_witness_tag()
Set the free witness flag for the cycle_group's tags.
Definition cycle_group.hpp:182
bb::stdlib::cycle_group::set_origin_tag
void set_origin_tag(OriginTag tag) const
Set the origin tag for x, y and _is_infinity members of cycle_group.
Definition cycle_group.hpp:162
bb::stdlib::cycle_group::GeneratorContext
crypto::GeneratorContext< Curve > GeneratorContext
Definition cycle_group.hpp:51
bb::stdlib::cycle_group::operator+=
cycle_group & operator+=(const cycle_group &other)
Definition cycle_group.cpp:699
bb::stdlib::cycle_group::_fixed_base_plookup_batch_mul_internal
static batch_mul_internal_output _fixed_base_plookup_batch_mul_internal(std::span< cycle_scalar > scalars, std::span< AffineElement const > base_points, std::span< AffineElement const > offset_generators, size_t table_bits=ROM_TABLE_BITS)
Internal algorithm to perform a fixed-base batch mul using plookup tables.
Definition cycle_group.cpp:989
bb::stdlib::cycle_group::AffineElement
bb::grumpkin::g1::affine_element AffineElement
Definition cycle_group.hpp:50
bb::stdlib::cycle_group::constant_infinity
static cycle_group constant_infinity(Builder *_context=nullptr)
Construct a constant point at infinity.
Definition cycle_group.cpp:160
bb::stdlib::cycle_group::is_constant_point_at_infinity
bool is_constant_point_at_infinity() const
Definition cycle_group.hpp:99
bb::stdlib::cycle_group::fixed_batch_mul
static cycle_group fixed_batch_mul(const std::vector< cycle_group > &constant_points, const std::vector< BigScalarField > &scalars, GeneratorContext context={}, size_t table_bits=ROM_TABLE_BITS)
Definition cycle_group.hpp:134
bb::stdlib::cycle_group::is_point_at_infinity
bool_t is_point_at_infinity() const
Definition cycle_group.hpp:98
bb::stdlib::cycle_group::_is_infinity
bool_t _is_infinity
Definition cycle_group.hpp:236
bb::stdlib::cycle_group::y
const field_t & y() const
Definition cycle_group.hpp:93
bb::stdlib::cycle_group::_variable_base_batch_mul_internal
static batch_mul_internal_output _variable_base_batch_mul_internal(std::span< cycle_scalar > scalars, std::span< cycle_group > base_points, std::span< AffineElement const > offset_generators, bool unconditional_add)
Internal logic to perform a variable-base batch mul using the Straus MSM algorithm.
Definition cycle_group.cpp:732
bb::stdlib::cycle_group::BigScalarField
stdlib::bigfield< Builder, bb::fq::Params > BigScalarField
Definition cycle_group.hpp:53
bb::stdlib::cycle_group::ROM_TABLE_BITS
static constexpr size_t ROM_TABLE_BITS
Definition cycle_group.hpp:60
bb::stdlib::cycle_group::NUM_BITS_FULL_FIELD_SIZE
static constexpr size_t NUM_BITS_FULL_FIELD_SIZE
Definition cycle_group.hpp:61
bb::stdlib::cycle_group::field_t
stdlib::field_t< Builder > field_t
Definition cycle_group.hpp:42
bb::stdlib::cycle_group::cycle_group
cycle_group(Builder *_context=nullptr)
Construct a new constant point at infinity cycle group object.
Definition cycle_group.cpp:28
bb::stdlib::cycle_group::PUBLIC_INPUTS_SIZE
static constexpr size_t PUBLIC_INPUTS_SIZE
Definition cycle_group.hpp:66
bb::stdlib::cycle_group::get_value
AffineElement get_value() const
Definition cycle_group.cpp:241
bb::stdlib::cycle_group::get_origin_tag
OriginTag get_origin_tag() const
Get the origin tag of cycle_group (a merege of origin tags of x, y and _is_infinity members)
Definition cycle_group.hpp:174
bb::stdlib::cycle_group::operator*
cycle_group operator*(const cycle_scalar &scalar) const
Definition cycle_group.cpp:1365
bb::stdlib::cycle_group::_fixed_base_batch_mul_internal
static batch_mul_internal_output _fixed_base_batch_mul_internal(std::span< cycle_scalar > scalars, std::span< AffineElement > base_points)
Internal algorithm to perform a fixed-base batch mul.
Definition cycle_group.cpp:897
bb::stdlib::cycle_group::assert_equal
void assert_equal(cycle_group &other, std::string const &msg="cycle_group::assert_equal")
Definition cycle_group.cpp:1395
bb::stdlib::cycle_group::_x
field_t _x
Definition cycle_group.hpp:234
bb::stdlib::cycle_group::operator+
cycle_group operator+(const cycle_group &other) const
Evaluate ECC point addition over *this and other.
Definition cycle_group.cpp:531
bb::stdlib::cycle_group::cycle_scalar
::bb::stdlib::cycle_scalar< Builder > cycle_scalar
Definition cycle_group.hpp:54
bb::stdlib::cycle_group::unconditional_subtract
cycle_group unconditional_subtract(const cycle_group &other, const std::optional< AffineElement > hint=std::nullopt) const
Evaluate incomplete ECC point subtraction over *this and other.
Definition cycle_group.cpp:461
bb::stdlib::cycle_group::is_constant
bool is_constant() const
Definition cycle_group.hpp:94
bb::stdlib::cycle_group::get_context
Builder * get_context() const
Definition cycle_group.hpp:88
bb::stdlib::cycle_group::checked_unconditional_add
cycle_group checked_unconditional_add(const cycle_group &other, const std::optional< AffineElement > hint=std::nullopt) const
Evaluate incomplete ECC point addition over *this and other, with x-coordinate collision checks.
Definition cycle_group.cpp:479
bb::stdlib::cycle_group::set_public
uint32_t set_public()
Set the witness indices representing the cycle_group to public.
Definition cycle_group.hpp:217
bb::stdlib::cycle_group::OFFSET_GENERATOR_DOMAIN_SEPARATOR
static constexpr std::string_view OFFSET_GENERATOR_DOMAIN_SEPARATOR
Definition cycle_group.hpp:63
bb::stdlib::cycle_group::batch_mul
static cycle_group batch_mul(const std::vector< cycle_group > &base_points, const std::vector< BigScalarField > &scalars, GeneratorContext context={})
Definition cycle_group.hpp:120
bb::stdlib::cycle_group::context
Builder * context
Definition cycle_group.hpp:237
bb::stdlib::cycle_scalar
Represents a member of the Grumpkin curve scalar field (i.e. BN254 base field).
Definition cycle_scalar.hpp:31
bb::stdlib::field_t< Builder >
bb::stdlib::field_t::set_public
uint32_t set_public() const
Definition field.hpp:447
bb::stdlib::field_t::unset_free_witness_tag
void unset_free_witness_tag() const
Unset the free witness flag for the field element's tag.
Definition field.hpp:369
bb::stdlib::field_t::get_origin_tag
OriginTag get_origin_tag() const
Definition field.hpp:359
bb::stdlib::field_t::is_constant
bool is_constant() const
Definition field.hpp:442
bb::stdlib::field_t::set_free_witness_tag
void set_free_witness_tag()
Set the free witness flag for the field element's tag.
Definition field.hpp:364
bb::stdlib::field_t::set_origin_tag
void set_origin_tag(const OriginTag &new_tag) const
Definition field.hpp:358
bb::stdlib::field_t::fix_witness
void fix_witness()
Definition field.hpp:488
bb::stdlib::straus_lookup_table
straus_lookup_table computes a lookup table of size 1 << table_bits
Definition straus_lookup_table.hpp:44
bb::stdlib::straus_plookup_table
straus_plookup_table computes a plookup-based lookup table of size 1 << table_bits
Definition straus_plookup_table.hpp:31
bb::stdlib::straus_scalar_slices
straus_scalar_slices decomposes an input scalar into bit-slices of size table_bits....
Definition straus_scalar_slice.hpp:24
bb::stdlib::witness_t
Definition witness.hpp:16
cycle_scalar.hpp
fixed_base_params.hpp
bb::grumpkin::g1
bb::group< bb::fr, bb::fq, G1Params > g1
Definition grumpkin.hpp:46
bb::numeric::operator<<
std::ostream & operator<<(std::ostream &os, uint256_t const &a)
Definition uint256.hpp:258
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
origin_tag.hpp
This file contains part of the logic for the Origin Tag mechanism that tracks the use of in-circuit p...
pedersen.hpp
straus_lookup_table.hpp
straus_plookup_table.hpp
straus_scalar_slice.hpp
bb::field< Bn254FqParams >::modulus
static constexpr uint256_t modulus
Definition field_declarations.hpp:234
bb::stdlib::cycle_group::batch_mul_internal_output
Stores temporary variables produced by internal multiplication algorithms.
Definition cycle_group.hpp:73
bb::stdlib::cycle_group::batch_mul_internal_output::offset_generator_delta
AffineElement offset_generator_delta
Definition cycle_group.hpp:75
bb::stdlib::cycle_group::batch_mul_internal_output::accumulator
cycle_group accumulator
Definition cycle_group.hpp:74