Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
biggroup_impl.hpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: Complete, auditors: [Suyash], commit: 553c5eb82901955c638b943065acd3e47fc918c0}
3// external_1: { status: not started, auditors: [], commit: }
4// external_2: { status: not started, auditors: [], commit: }
5// =====================
6
7#pragma once
8
9#include "../circuit_builders/circuit_builders.hpp"
10#include "../plookup/plookup.hpp"
11#include "barretenberg/common/assert.hpp"
12#include "barretenberg/ecc/groups/precomputed_generators.hpp"
13#include "barretenberg/numeric/general/general.hpp"
14#include "barretenberg/stdlib/primitives/biggroup/biggroup.hpp"
15#include "barretenberg/transcript/origin_tag.hpp"
16
17namespace bb::stdlib::element_default {
18
19template <typename C, class Fq, class Fr, class G>
20element<C, Fq, Fr, G>::element()
21 : _x()
22 , _y()
23 , _is_infinity()
24{}
25
26template <typename C, class Fq, class Fr, class G>
27element<C, Fq, Fr, G>::element(const typename G::affine_element& input)
28 : _x(nullptr, input.x)
29 , _y(nullptr, input.y)
30 , _is_infinity(nullptr, input.is_point_at_infinity())
31{}
32
33template <typename C, class Fq, class Fr, class G>
34element<C, Fq, Fr, G>::element(const Fq& x_in, const Fq& y_in, const bool assert_on_curve)
35 : _x(x_in)
36 , _y(y_in)
37 , _is_infinity(_x.get_context() ? _x.get_context() : _y.get_context(), false)
38{
39 if (assert_on_curve) {
40 validate_on_curve();
41 }
42}
43
44template <typename C, class Fq, class Fr, class G>
45element<C, Fq, Fr, G>::element(const Fq& x_in, const Fq& y_in, const bool_ct& is_infinity, const bool assert_on_curve)
46 : _x(x_in)
47 , _y(y_in)
48 , _is_infinity(is_infinity)
49{
50 if (assert_on_curve) {
51 validate_on_curve();
52 }
53}
54
55template <typename C, class Fq, class Fr, class G>
56element<C, Fq, Fr, G>::element(const element& other)
57 : _x(other._x)
58 , _y(other._y)
59 , _is_infinity(other.is_point_at_infinity())
60{}
61
62template <typename C, class Fq, class Fr, class G>
63element<C, Fq, Fr, G>::element(element&& other) noexcept
64 : _x(other._x)
65 , _y(other._y)
66 , _is_infinity(other.is_point_at_infinity())
67{}
68
69template <typename C, class Fq, class Fr, class G>
70element<C, Fq, Fr, G>& element<C, Fq, Fr, G>::operator=(const element& other)
71{
72 if (&other == this) {
73 return *this;
74 }
75 _x = other._x;
76 _y = other._y;
77 _is_infinity = other.is_point_at_infinity();
78 return *this;
79}
80
81template <typename C, class Fq, class Fr, class G>
82element<C, Fq, Fr, G>& element<C, Fq, Fr, G>::operator=(element&& other) noexcept
83{
84 if (&other == this) {
85 return *this;
86 }
87 _x = other._x;
88 _y = other._y;
89 _is_infinity = other.is_point_at_infinity();
90 return *this;
91}
92
93template <typename C, class Fq, class Fr, class G>
94element<C, Fq, Fr, G> element<C, Fq, Fr, G>::operator+(const element& other) const
95{
96 // Adding in `x_coordinates_match` ensures that lambda will always be well-formed
97 // Our curve has the form y² = x³ + ax + b (or y² = x³ + b when a = 0).
98 // If (x₁, y₁), (x₂, y₂) have x₁ == x₂, the generic formula for lambda has a division by 0.
99 // Then y₁ == y₂ (i.e. we are doubling) or y₂ == -y₁ (the sum is infinity).
100 // These cases have special addition formulae. The following booleans allow us to handle these cases uniformly.
101 const bool_ct x_coordinates_match = other._x == _x;
102 const bool_ct y_coordinates_match = (_y == other._y);
103 const bool_ct infinity_predicate = (x_coordinates_match && !y_coordinates_match);
104 const bool_ct double_predicate = (x_coordinates_match && y_coordinates_match);
105 const bool_ct lhs_infinity = is_point_at_infinity();
106 const bool_ct rhs_infinity = other.is_point_at_infinity();
107 const bool_ct has_infinity_input = lhs_infinity || rhs_infinity;
108
109 // NOTE: For valid points on the curve, specifically for bn254 or secp256k1 or secp256r1, y = 0 cannot occur.
110 // For points not on the curve, having y = 0 will lead to a failure while performing the division below.
111 // We could enforce in circuit that y = 0 results in point at infinity, or that y != 0 always.
112 // However, this would be an unnecessary constraint for valid points on the curve.
113 // So we perform a native check here to catch any accidental misuse of this function.
114 const typename G::Fq y_value = uint256_t(_y.get_value());
115 BB_ASSERT_EQ((y_value == 0), false, "Attempting to add a point with y = 0, not allowed.");
116
117 // Compute the gradient λ. If we add, λ = (y₂ - y₁)/(x₂ - x₁)
118 // For doubling: λ = (3x₁² + a)/(2y₁) if curve has 'a', else λ = 3x₁²/(2y₁)
119 const Fq add_lambda_numerator = other._y - _y;
120 const Fq xx = _x * _x;
121 Fq dbl_lambda_numerator = xx + xx + xx; // 3x²
122 if constexpr (G::has_a) {
123 // Curve equation: y² = x³ + ax + b
124 // Doubling formula numerator: 3x² + a
125 const Fq a(get_context(), uint256_t(G::curve_a));
126 dbl_lambda_numerator = dbl_lambda_numerator + a;
127 }
128 const Fq lambda_numerator = Fq::conditional_assign(double_predicate, dbl_lambda_numerator, add_lambda_numerator);
129
130 const Fq add_lambda_denominator = other._x - _x;
131 const Fq dbl_lambda_denominator = _y + _y;
132 Fq lambda_denominator = Fq::conditional_assign(double_predicate, dbl_lambda_denominator, add_lambda_denominator);
133
134 // If either input is a point at infinity, or if the result would be infinity, set lambda_denominator to 1
135 // to prevent division by zero. Cases where result is infinity: x₁ == x₂ but y₁ != y₂ (points are inverses)
136 const bool_ct safe_denominator_needed = has_infinity_input || infinity_predicate;
137 lambda_denominator = Fq::conditional_assign(safe_denominator_needed, Fq(1), lambda_denominator);
138 const Fq lambda = Fq::div_without_denominator_check({ lambda_numerator }, lambda_denominator);
139
140 // Compute resulting point coordinates: x₃ = λ² - x₁ - x₂, y₃ = λ(x₁ - x₃) - y₁
141 const Fq x3 = lambda.sqradd({ -other._x, -_x });
142 const Fq y3 = lambda.madd(_x - x3, { -_y });
143 element result(x3, y3, /*assert_on_curve=*/false);
144
145 // if lhs infinity, return rhs
146 result._x = Fq::conditional_assign(lhs_infinity, other._x, result._x);
147 result._y = Fq::conditional_assign(lhs_infinity, other._y, result._y);
148 // if rhs infinity, return lhs
149 result._x = Fq::conditional_assign(rhs_infinity, _x, result._x);
150 result._y = Fq::conditional_assign(rhs_infinity, _y, result._y);
151
152 // Determine if result is point at infinity:
153 // - If x₁ == x₂ and y₁ == -y₂ (i.e., points are inverses), result is ∞
154 // - If both inputs are ∞, result is ∞
155 bool_ct result_is_infinity = (infinity_predicate && !has_infinity_input) || (lhs_infinity && rhs_infinity);
156 result.set_point_at_infinity(result_is_infinity, /* add_to_used_witnesses */ true);
157
158 result.set_origin_tag(OriginTag(get_origin_tag(), other.get_origin_tag()));
159 return result;
160}
161
169template <typename C, class Fq, class Fr, class G>
170element<C, Fq, Fr, G> element<C, Fq, Fr, G>::get_standard_form() const
171{
172
173 const bool_ct is_infinity = is_point_at_infinity();
174 element result(*this);
175 const Fq zero = Fq::zero();
176 result._x = Fq::conditional_assign(is_infinity, zero, this->_x);
177 result._y = Fq::conditional_assign(is_infinity, zero, this->_y);
178 return result;
179}
180
181template <typename C, class Fq, class Fr, class G>
182element<C, Fq, Fr, G> element<C, Fq, Fr, G>::operator-(const element& other) const
183{
184 // Adding in `x_coordinates_match` ensures that lambda will always be well-formed
185 // Our curve has the form y² = x³ + ax + b (or y² = x³ + b when a = 0).
186 // If (x₁, y₁), (x₂, y₂) have x₁ == x₂, the generic formula for lambda has a division by 0.
187 // For subtraction P₁ - P₂ = P₁ + (-P₂), where -P₂ = (x₂, -y₂):
188 // - If y₁ == -y₂ (i.e., x₁ == x₂ and y₁ == -y₂), this becomes doubling: P₁ + P₁
189 // - If y₁ == y₂ (i.e., x₁ == x₂ and y₁ == y₂), result is infinity: P₁ - P₁ = ∞
190 // These cases have special addition formulae. The following booleans allow us to handle these cases uniformly.
191 const bool_ct x_coordinates_match = other._x == _x;
192 const bool_ct y_coordinates_match = (_y == other._y);
193 const bool_ct infinity_predicate = (x_coordinates_match && y_coordinates_match);
194 const bool_ct double_predicate = (x_coordinates_match && !y_coordinates_match);
195 const bool_ct lhs_infinity = is_point_at_infinity();
196 const bool_ct rhs_infinity = other.is_point_at_infinity();
197 const bool_ct has_infinity_input = lhs_infinity || rhs_infinity;
198
199 // Compute the gradient λ. For subtraction, λ = (-y₂ - y₁)/(x₂ - x₁)
200 // For doubling: λ = (3x₁² + a)/(2y₁) if curve has 'a', else λ = 3x₁²/(2y₁)
201 const Fq add_lambda_numerator = -other._y - _y;
202 const Fq xx = _x * _x;
203 Fq dbl_lambda_numerator = xx + xx + xx; // 3x²
204 if constexpr (G::has_a) {
205 // Curve equation: y² = x³ + ax + b
206 // Doubling formula numerator: 3x² + a
207 const Fq a(get_context(), uint256_t(G::curve_a));
208 dbl_lambda_numerator = dbl_lambda_numerator + a;
209 }
210 const Fq lambda_numerator = Fq::conditional_assign(double_predicate, dbl_lambda_numerator, add_lambda_numerator);
211
212 const Fq add_lambda_denominator = other._x - _x;
213 const Fq dbl_lambda_denominator = _y + _y;
214 Fq lambda_denominator = Fq::conditional_assign(double_predicate, dbl_lambda_denominator, add_lambda_denominator);
215
216 // If either input is a point at infinity, or if the result would be infinity (x₁ == x₂ and y₁ == y₂),
217 // set lambda_denominator to 1 to prevent division by zero. The lambda value won't be used in these cases.
218 lambda_denominator = Fq::conditional_assign(has_infinity_input || infinity_predicate, Fq(1), lambda_denominator);
219 const Fq lambda = Fq::div_without_denominator_check({ lambda_numerator }, lambda_denominator);
220
221 // Compute resulting point coordinates: x₃ = λ² - x₁ - x₂, y₃ = λ(x₁ - x₃) - y₁
222 const Fq x3 = lambda.sqradd({ -other._x, -_x });
223 const Fq y3 = lambda.madd(_x - x3, { -_y });
224 element result(x3, y3, /*assert_on_curve=*/false);
225
226 // if lhs infinity, return -rhs (negated rhs point)
227 result._x = Fq::conditional_assign(lhs_infinity, other._x, result._x);
228 result._y = Fq::conditional_assign(lhs_infinity, -other._y, result._y);
229 // if rhs infinity, return lhs
230 result._x = Fq::conditional_assign(rhs_infinity, _x, result._x);
231 result._y = Fq::conditional_assign(rhs_infinity, _y, result._y);
232
233 // Determine if result is point at infinity:
234 // - If x₁ == x₂ and y₁ == y₂ (i.e., P₁ - P₁), result is ∞
235 // - If both inputs are ∞, result is ∞
236 bool_ct result_is_infinity = (infinity_predicate && !has_infinity_input) || (lhs_infinity && rhs_infinity);
237
238 result.set_point_at_infinity(result_is_infinity, /* add_to_used_witnesses */ true);
239 result.set_origin_tag(OriginTag(get_origin_tag(), other.get_origin_tag()));
240 return result;
241}
242
243template <typename C, class Fq, class Fr, class G>
244element<C, Fq, Fr, G> element<C, Fq, Fr, G>::checked_unconditional_add(const element& other) const
245{
246 other._x.assert_is_not_equal(_x);
247 const Fq lambda = Fq::div_without_denominator_check({ other._y, -_y }, (other._x - _x));
248 const Fq x3 = lambda.sqradd({ -other._x, -_x });
249 const Fq y3 = lambda.madd(_x - x3, { -_y });
250 return element(x3, y3, /*assert_on_curve=*/false);
251}
252
253template <typename C, class Fq, class Fr, class G>
254element<C, Fq, Fr, G> element<C, Fq, Fr, G>::checked_unconditional_subtract(const element& other) const
255{
256
257 other._x.assert_is_not_equal(_x);
258 const Fq lambda = Fq::div_without_denominator_check({ other._y, _y }, (other._x - _x));
259 const Fq x_3 = lambda.sqradd({ -other._x, -_x });
260 const Fq y_3 = lambda.madd(x_3 - _x, { -_y });
261
262 return element(x_3, y_3, /*assert_on_curve=*/false);
263}
264
279template <typename C, class Fq, class Fr, class G>
280std::array<element<C, Fq, Fr, G>, 2> element<C, Fq, Fr, G>::checked_unconditional_add_sub(const element& other) const
281{
282 // validate we can use incomplete addition formulae
283 other._x.assert_is_not_equal(_x);
284
285 const Fq denominator = other._x - _x;
286 const Fq x2x1 = -(other._x + _x);
287
288 const Fq lambda1 = Fq::div_without_denominator_check({ other._y, -_y }, denominator);
289 const Fq x_3 = lambda1.sqradd({ x2x1 });
290 const Fq y_3 = lambda1.madd(_x - x_3, { -_y });
291 const Fq lambda2 = Fq::div_without_denominator_check({ -other._y, -_y }, denominator);
292 const Fq x_4 = lambda2.sqradd({ x2x1 });
293 const Fq y_4 = lambda2.madd(_x - x_4, { -_y });
294
295 return { element(x_3, y_3, /*assert_on_curve=*/false), element(x_4, y_4, /*assert_on_curve=*/false) };
296}
297
298template <typename C, class Fq, class Fr, class G> element<C, Fq, Fr, G> element<C, Fq, Fr, G>::dbl() const
299{
300 // NOTE: For valid points on the curve, specifically for bn254 or secp256k1 or secp256r1, y = 0 cannot occur.
301 // For points not on the curve, having y = 0 will lead to a failure while performing the division below.
302 // We could enforce in circuit that y = 0 results in point at infinity, or that y != 0 always.
303 // However, this would be an unnecessary constraint for valid points on the curve.
304 // So we perform a native check here to catch any accidental misuse of this function.
305 const typename G::Fq y_value = uint256_t(_y.get_value());
306 BB_ASSERT_EQ((y_value == 0), false, "Attempting to dbl a point with y = 0, not allowed.");
307
308 Fq two_x = _x + _x;
309 if constexpr (G::has_a) {
310 // Curve equation: y² = x³ + ax + b
311 Fq a(get_context(), uint256_t(G::curve_a));
312
313 // Compute neg_lambda = -λ = -(3x² + a) / (2y)
314 // msub_div computes: -(Σᵢ aᵢ·bᵢ + Σⱼ cⱼ) / d = -(x·(3x) + a) / (2y) = -(3x² + a) / (2y)
315 Fq neg_lambda = Fq::msub_div({ _x }, { (two_x + _x) }, (_y + _y), { a }, /*enable_divisor_nz_check*/ false);
316
317 // Compute x₃ = λ² - 2x
318 // Since neg_lambda = -λ, we have: (-λ)² - 2x = λ² - 2x
319 Fq x_3 = neg_lambda.sqradd({ -(two_x) });
320
321 // Compute y₃ = λ(x - x₃) - y
322 // Using neg_lambda = -λ: (-λ)(x₃ - x) + (-y) = -λ(x₃ - x) - y = λ(x - x₃) - y
323 Fq y_3 = neg_lambda.madd(x_3 - _x, { -_y });
324
325 element result(x_3, y_3, /*assert_on_curve=*/false);
326 result.set_point_at_infinity(is_point_at_infinity(), /* add_to_used_witnesses */ true);
327 return result;
328 }
329
330 // Curve equation when a = 0: y² = x³ + b
331 // Compute neg_lambda = -λ = -3x² / (2y)
332 // msub_div computes: -(Σᵢ aᵢ·bᵢ) / d = -(x·(3x)) / (2y) = -3x² / (2y)
333 Fq neg_lambda = Fq::msub_div({ _x }, { (two_x + _x) }, (_y + _y), {}, /*enable_divisor_nz_check*/ false);
334
335 // Compute x₃ = λ² - 2x
336 // Since neg_lambda = -λ, we have: (-λ)² - 2x = λ² - 2x
337 Fq x_3 = neg_lambda.sqradd({ -(two_x) });
338
339 // Compute y₃ = λ(x - x₃) - y
340 // Using neg_lambda = -λ: (-λ)(x₃ - x) + (-y) = -λ(x₃ - x) - y = λ(x - x₃) - y
341 Fq y_3 = neg_lambda.madd(x_3 - _x, { -_y });
342
343 element result = element(x_3, y_3, /*assert_on_curve=*/false);
344 result.set_point_at_infinity(is_point_at_infinity(), /* add_to_used_witnesses */ true);
345 return result;
346}
347
354template <typename C, class Fq, class Fr, class G>
355typename element<C, Fq, Fr, G>::chain_add_accumulator element<C, Fq, Fr, G>::chain_add_start(const element& p1,
356 const element& p2)
357{
358 chain_add_accumulator output;
359 output.x1_prev = p1._x;
360 output.y1_prev = p1._y;
361
362 // Require x₁ ≠ x₂ for incomplete addition formula
363 p1._x.assert_is_not_equal(p2._x);
364
365 // Compute λ = (y₂ - y₁)/(x₂ - x₁)
366 const Fq lambda = Fq::div_without_denominator_check({ p2._y, -p1._y }, (p2._x - p1._x));
367
368 // Compute x₃ = λ² - x₁ - x₂
369 const Fq x3 = lambda.sqradd({ -p2._x, -p1._x });
370 output.x3_prev = x3;
371 output.lambda_prev = lambda;
372 return output;
373}
374
392template <typename C, class Fq, class Fr, class G>
393typename element<C, Fq, Fr, G>::chain_add_accumulator element<C, Fq, Fr, G>::chain_add(const element& p1,
394 const chain_add_accumulator& acc)
395{
396 // If accumulator has a full y-coordinate, use chain_add_start instead
397 if (acc.is_full_element) {
398 return chain_add_start(p1, element(acc.x3_prev, acc.y3_prev, /*assert_on_curve=*/false));
399 }
400
401 // Require x₁ ≠ x₂ for incomplete addition formula
402 p1._x.assert_is_not_equal(acc.x3_prev);
403
404 // Compute λ = (y₂ - y₁)/(x₂ - x₁), but we don't have y₂!
405 // We know that y₂ = lambda_prev * (x1_prev - x₂) - y1_prev from the previous addition.
406 //
407 // Derivation:
408 // λ(x₂ - x₁) = y₂ - y₁
409 // λ(x₂ - x₁) = lambda_prev * (x1_prev - x₂) - y1_prev - y₁
410 // λ(x₂ - x₁) = -lambda_prev * (x₂ - x1_prev) - y1_prev - y₁
411 // λ = -(lambda_prev * (x₂ - x1_prev) + y1_prev + y₁) / (x₂ - x₁)
412 //
413 auto& x2 = acc.x3_prev;
414 const auto lambda = Fq::msub_div({ acc.lambda_prev },
415 { (x2 - acc.x1_prev) },
416 (x2 - p1._x),
417 { acc.y1_prev, p1._y },
418 /*enable_divisor_nz_check*/ false); // Divisor is non-zero as x₂ ≠ x₁ is enforced
419
420 // Compute x₃ = λ² - x₂ - x₁
421 const auto x3 = lambda.sqradd({ -x2, -p1._x });
422
423 // Update the accumulator
424 chain_add_accumulator output;
425 output.x3_prev = x3;
426 output.x1_prev = p1._x;
427 output.y1_prev = p1._y;
428 output.lambda_prev = lambda;
429
430 return output;
431}
432
438template <typename C, class Fq, class Fr, class G>
439element<C, Fq, Fr, G> element<C, Fq, Fr, G>::chain_add_end(const chain_add_accumulator& acc)
440{
441 // If accumulator already has a full y-coordinate, return it directly
442 if (acc.is_full_element) {
443 return element(acc.x3_prev, acc.y3_prev, /*assert_on_curve=*/false);
444 }
445
446 // Compute y₃ = λ(x₁ - x₃) - y₁
447 // where λ, x₁, y₁ are from the previous addition stored in the accumulator
448 auto& x3 = acc.x3_prev;
449 auto& lambda = acc.lambda_prev;
450
451 Fq y3 = lambda.madd((acc.x1_prev - x3), { -acc.y1_prev });
452 return element(x3, y3, /*assert_on_curve=*/false);
453}
454
474template <typename C, class Fq, class Fr, class G>
475element<C, Fq, Fr, G> element<C, Fq, Fr, G>::multiple_montgomery_ladder(
476 const std::vector<chain_add_accumulator>& add) const
477{
478 struct composite_y {
479 std::vector<Fq> mul_left;
480 std::vector<Fq> mul_right;
481 std::vector<Fq> add;
482 bool is_negative = false;
483 };
484
485 // Handle edge case of empty input
486 if (add.empty()) {
487 return *this;
488 }
489
490 // Let A = (x, y) and P = (x₁, y₁)
491 // For the first point P, we want to compute: (2A + P) = (A + P) + A
492 // We first need to check if x ≠ x₁.
493 x().assert_is_not_equal(add[0].x3_prev, "biggroup::multiple_montgomery_ladder: x-coordinates must be distinct.");
494
495 // Compute λ₁ for computing the first addition: (A + P)
496 Fq lambda1;
497 if (!add[0].is_full_element) {
498 // Case 1: P is an accumulator (i.e., it lacks a y-coordinate)
499 // λ₁ = (y - y₁) / (x - x₁)
500 // = -(y₁ - y) / (x - x₁)
501 // = -(λ₁_ₚᵣₑᵥ * (x₁_ₚᵣₑᵥ - x₁) - y₁_ₚᵣₑᵥ - y) / (x - x₁)
502 //
503 // NOTE: msub_div computes -(∑ᵢ aᵢ * bᵢ + ∑ⱼcⱼ) / d
504 lambda1 = Fq::msub_div({ add[0].lambda_prev }, // numerator left multiplicands: λ₁_ₚᵣₑᵥ
505 { add[0].x1_prev - add[0].x3_prev }, // numerator right multiplicands: (x₁_ₚᵣₑᵥ - x₁)
506 (x() - add[0].x3_prev), // denominator: (x - x₁)
507 { -add[0].y1_prev, -y() }, // numerator additions: -y₁_ₚᵣₑᵥ - y
508 /*enable_divisor_nz_check*/ false); // divisor check is not needed as x ≠ x₁ is enforced
509 } else {
510 // Case 2: P is a full element (i.e., it has a y-coordinate)
511 // λ₁ = (y - y₁) / (x - x₁)
512 //
513 lambda1 = Fq::div_without_denominator_check({ y() - add[0].y3_prev }, (x() - add[0].x3_prev));
514 }
515
516 // Using λ₁, compute x₃ for (A + P):
517 // x₃ = λ₁.λ₁ - x₁ - x
518 Fq x_3 = lambda1.madd(lambda1, { -add[0].x3_prev, -x() });
519
520 // Compute λ₂ for the addition (A + P) + A:
521 // λ₂ = (y - y₃) / (x - x₃)
522 // = (y - (λ₁ * (x - x₃) - y)) / (x - x₃) (substituting y₃)
523 // = (2y) / (x - x₃) - λ₁
524 //
525 x().assert_is_not_equal(x_3, "biggroup::multiple_montgomery_ladder: x-coordinates must be distinct.");
526 Fq lambda2 = Fq::div_without_denominator_check({ y() + y() }, (x() - x_3)) - lambda1;
527
528 // Using λ₂, compute x₄ for the final result:
529 // x₄ = λ₂.λ₂ - x₃ - x
530 Fq x_4 = lambda2.sqradd({ -x_3, -x() });
531
532 // Compute y₄ for the final result:
533 // y₄ = λ₂ * (x - x₄) - y
534 //
535 // However, we don't actually compute y₄ here. Instead, we build a "composite" y value that contains
536 // the components needed to compute y₄ later. This is done to avoid the explicit multiplication here.
537 //
538 // We store the result as either y₄ or -y₄, depending on whether the number of points added
539 // is even or odd. This sign adjustment simplifies the handling of subsequent additions in the loop below.
540 // +y₄ = λ₂ * (x - x₄) - y
541 // -y₄ = λ₂ * (x₄ - x) + y
542 const bool num_points_even = ((add.size() & 1ULL) == 0);
543 composite_y previous_y;
544 previous_y.add.emplace_back(num_points_even ? y() : -y());
545 previous_y.mul_left.emplace_back(lambda2);
546 previous_y.mul_right.emplace_back(num_points_even ? x_4 - x() : x() - x_4);
547 previous_y.is_negative = num_points_even;
548
549 // Handle remaining iterations (i > 0) in a loop
550 Fq previous_x = x_4;
551 for (size_t i = 1; i < add.size(); ++i) {
552 // Let x = previous_x, y = previous_y
553 // Let P = (xᵢ, yᵢ) be the next point to add (represented by add[i])
554 // Ensure x-coordinates are distinct: x ≠ xᵢ
555 previous_x.assert_is_not_equal(add[i].x3_prev,
556 "biggroup::multiple_montgomery_ladder: x-coordinates must be distinct.");
557
558 // Determine sign adjustment based on previous y's sign
559 // If the previous y was positive, we need to negate the y-component from add[i]
560 const bool negate_add_y = !previous_y.is_negative;
561
562 // Build λ₁ numerator components from previous composite y and current accumulator
563 std::vector<Fq> lambda1_left = previous_y.mul_left;
564 std::vector<Fq> lambda1_right = previous_y.mul_right;
565 std::vector<Fq> lambda1_add = previous_y.add;
566
567 if (!add[i].is_full_element) {
568 // Case 1: add[i] is an accumulator (lacks y-coordinate)
569 // λ₁ = (y - yᵢ) / (x - xᵢ)
570 // = -(yᵢ - y) / (x - xᵢ)
571 // = -(λᵢ_ₚᵣₑᵥ * (xᵢ_ₚᵣₑᵥ - xᵢ) - yᵢ_ₚᵣₑᵥ - y) / (x - xᵢ)
572 //
573 // If (previous) y is stored as positive, we compute λ₁ as:
574 // λ₁ = -(λᵢ_ₚᵣₑᵥ * (xᵢ - xᵢ_ₚᵣₑᵥ) + yᵢ_ₚᵣₑᵥ + y) / (xᵢ - x)
575 //
576 lambda1_left.emplace_back(add[i].lambda_prev);
577 lambda1_right.emplace_back(negate_add_y ? add[i].x3_prev - add[i].x1_prev
578 : add[i].x1_prev - add[i].x3_prev);
579 lambda1_add.emplace_back(negate_add_y ? add[i].y1_prev : -add[i].y1_prev);
580 } else {
581 // Case 2: add[i] is a full element (has y-coordinate)
582 // λ₁ = (yᵢ - y) / (xᵢ - x)
583 //
584 // If previous y is positive, we compute λ₁ as:
585 // λ₁ = -(y - yᵢ) / (xᵢ - x)
586 //
587 lambda1_add.emplace_back(negate_add_y ? -add[i].y3_prev : add[i].y3_prev);
588 }
589
590 // Compute λ₁
591 Fq denominator = negate_add_y ? add[i].x3_prev - previous_x : previous_x - add[i].x3_prev;
592 Fq lambda1 =
593 Fq::msub_div(lambda1_left, lambda1_right, denominator, lambda1_add, /*enable_divisor_nz_check*/ false);
594
595 // Using λ₁, compute x₃ for (previous + P):
596 // x₃ = λ₁.λ₁ - xᵢ - x
597 // y₃ = λ₁ * (x - x₃) - y (we don't compute this explicitly)
598 Fq x_3 = lambda1.madd(lambda1, { -add[i].x3_prev, -previous_x });
599
600 // Compute λ₂ using previous composite y
601 // λ₂ = (y - y₃) / (x - x₃)
602 // = (y - (λ₁ * (x - x₃) - y)) / (x - x₃) (substituting y₃)
603 // = (2y) / (x - x₃) - λ₁
604 // = -2(y / (x₃ - x)) - λ₁
605 //
606 previous_x.assert_is_not_equal(x_3, "biggroup::multiple_montgomery_ladder: x-coordinates must be distinct.");
607 Fq l2_denominator = previous_y.is_negative ? previous_x - x_3 : x_3 - previous_x;
608 Fq partial_lambda2 = Fq::msub_div(previous_y.mul_left,
609 previous_y.mul_right,
610 l2_denominator,
611 previous_y.add,
612 /*enable_divisor_nz_check*/ false);
613 partial_lambda2 = partial_lambda2 + partial_lambda2;
614 lambda2 = partial_lambda2 - lambda1;
615
616 // Using λ₂, compute x₄ for the final result of this iteration:
617 // x₄ = λ₂.λ₂ - x₃ - x
618 x_4 = lambda2.sqradd({ -x_3, -previous_x });
619
620 // Build composite y for this iteration
621 // y₄ = λ₂ * (x - x₄) - y
622 // However, we don't actually compute y₄ explicitly, we rather store components to compute it later.
623 // We store the result as either y₄ or -y₄, depending on the sign of previous_y.
624 // +y₄ = λ₂ * (x - x₄) - y
625 // -y₄ = λ₂ * (x₄ - x) + y
626 composite_y y_4;
627 y_4.is_negative = !previous_y.is_negative;
628 y_4.mul_left.emplace_back(lambda2);
629 y_4.mul_right.emplace_back(previous_y.is_negative ? previous_x - x_4 : x_4 - previous_x);
630
631 // Append terms from previous_y to y_4. We want to make sure the terms above are added into the start
632 // of y_4. This is to ensure they are cached correctly when
633 // `builder::evaluate_partial_non_native_field_multiplication` is called. (the 1st mul_left, mul_right elements
634 // will trigger builder::evaluate_non_native_field_multiplication
635 // when Fq::mult_madd is called - this term cannot be cached so we want to make sure it is unique)
636 std::copy(previous_y.mul_left.begin(), previous_y.mul_left.end(), std::back_inserter(y_4.mul_left));
637 std::copy(previous_y.mul_right.begin(), previous_y.mul_right.end(), std::back_inserter(y_4.mul_right));
638 std::copy(previous_y.add.begin(), previous_y.add.end(), std::back_inserter(y_4.add));
639
640 previous_x = x_4;
641 previous_y = y_4;
642 }
643
644 Fq x_out = previous_x;
645
646 BB_ASSERT(!previous_y.is_negative);
647
648 Fq y_out = Fq::mult_madd(previous_y.mul_left, previous_y.mul_right, previous_y.add);
649 return element(x_out, y_out, /*assert_on_curve=*/false);
650}
651
689template <typename C, class Fq, class Fr, class G>
690std::pair<element<C, Fq, Fr, G>, element<C, Fq, Fr, G>> element<C, Fq, Fr, G>::compute_offset_generators(
691 const size_t num_rounds)
692{
693 constexpr typename G::affine_element offset_generator =
694 get_precomputed_generators<G, "biggroup offset generator", 1>()[0];
695
696 const uint256_t offset_multiplier = uint256_t(1) << uint256_t(num_rounds - 1);
697
698 const typename G::affine_element offset_generator_end = typename G::element(offset_generator) * offset_multiplier;
699 return std::make_pair<element, element>(offset_generator, offset_generator_end);
700}
701
702template <typename C, class Fq, class Fr, class G>
703element<C, Fq, Fr, G> element<C, Fq, Fr, G>::process_strauss_msm_rounds(const std::vector<element>& points,
704 const std::vector<Fr>& scalars,
705 const size_t max_num_bits)
706{
707 // Sanity checks
708 BB_ASSERT_GT(points.size(), 0ULL, "process_strauss_msm: points cannot be empty");
709 BB_ASSERT_EQ(points.size(), scalars.size(), "process_strauss_msm: points and scalars size mismatch");
710
711 // Check that all scalars are in range
712 for (const auto& scalar : scalars) {
713 const size_t num_scalar_bits = static_cast<size_t>(uint512_t(scalar.get_value()).get_msb()) + 1ULL;
714 BB_ASSERT_LTE(num_scalar_bits, max_num_bits, "process_strauss_msm: scalar out of range");
715 }
716
717 // Constant parameters
718 const size_t num_rounds = max_num_bits;
719 const size_t msm_size = scalars.size();
720
721 // Compute ROM lookup table for points. Example if we have 3 points G1, G2, G3:
722 // ┌───────┬─────────────────┐
723 // │ Index │ Point │
724 // ├───────┼─────────────────┤
725 // │ 0 │ G1 + G2 + G3 │
726 // │ 1 │ G1 + G2 - G3 │
727 // │ 2 │ G1 - G2 + G3 │
728 // │ 3 │ G1 - G2 - G3 │
729 // │ 4 │ -G1 + G2 + G3 │
730 // │ 5 │ -G1 + G2 - G3 │
731 // │ 6 │ -G1 - G2 + G3 │
732 // │ 7 │ -G1 - G2 - G3 │
733 // └───────┴─────────────────┘
734 batch_lookup_table point_table(points);
735
736 // Compute NAF representations of scalars
737 std::vector<std::vector<bool_ct>> naf_entries;
738 for (size_t i = 0; i < msm_size; ++i) {
739 naf_entries.emplace_back(compute_naf(scalars[i], num_rounds));
740 }
741
742 // We choose a deterministic offset generator based on the number of rounds.
743 // We compute both the initial and final offset generators: G_offset, 2ⁿ⁻¹ * G_offset.
744 const auto [offset_generator_start, offset_generator_end] = compute_offset_generators(num_rounds);
745
746 // Initialize accumulator with offset generator + first NAF column.
747 element accumulator =
748 element::chain_add_end(element::chain_add(offset_generator_start, point_table.get_chain_initial_entry()));
749
750 // Process 4 NAF entries per iteration (for the remaining (num_rounds - 1) rounds)
751 constexpr size_t num_rounds_per_iteration = 4;
752 const size_t num_iterations = numeric::ceil_div((num_rounds - 1), num_rounds_per_iteration);
753 const size_t num_rounds_per_final_iteration = (num_rounds - 1) - ((num_iterations - 1) * num_rounds_per_iteration);
754
755 for (size_t i = 0; i < num_iterations; ++i) {
756 std::vector<element::chain_add_accumulator> to_add;
757 const size_t inner_num_rounds =
758 (i != num_iterations - 1) ? num_rounds_per_iteration : num_rounds_per_final_iteration;
759 for (size_t j = 0; j < inner_num_rounds; ++j) {
760 // Gather the NAF columns for this iteration
761 std::vector<bool_ct> nafs(msm_size);
762 for (size_t k = 0; k < msm_size; ++k) {
763 nafs[k] = (naf_entries[k][(i * num_rounds_per_iteration) + j + 1]);
764 }
765 to_add.emplace_back(point_table.get_chain_add_accumulator(nafs));
766 }
767
768 // Once we have looked-up all points from the four NAF columns, we update the accumulator as:
769 // accumulator = 2.(2.(2.(2.accumulator + to_add[0]) + to_add[1]) + to_add[2]) + to_add[3]
770 // = 2⁴.accumulator + 2³.to_add[0] + 2².to_add[1] + 2¹.to_add[2] + to_add[3]
771 accumulator = accumulator.multiple_montgomery_ladder(to_add);
772 }
773
774 // Subtract the skew factors (if any)
775 for (size_t i = 0; i < msm_size; ++i) {
776 element skew = accumulator - points[i];
777 accumulator = accumulator.conditional_select(skew, naf_entries[i][num_rounds]);
778 }
779
780 // Subtract the scaled offset generator
781 accumulator = accumulator - offset_generator_end;
782
783 return accumulator;
784}
785
819template <typename C, class Fq, class Fr, class G>
820element<C, Fq, Fr, G> element<C, Fq, Fr, G>::batch_mul(const std::vector<element>& _points,
821 const std::vector<Fr>& _scalars,
822 const size_t max_num_bits,
823 const bool with_edgecases,
824 const Fr& masking_scalar)
825{
826 // Sanity check input sizes
827 BB_ASSERT_GT(_points.size(), 0ULL, "biggroup batch_mul: no points provided for batch multiplication");
828 BB_ASSERT_EQ(_points.size(), _scalars.size(), "biggroup batch_mul: points and scalars size mismatch");
829
830 // Replace (∞, scalar) pairs by the pair (G, 0).
831 auto [points, scalars] = handle_points_at_infinity(_points, _scalars);
832
833 BB_ASSERT_LTE(points.size(), _points.size());
834 BB_ASSERT_EQ(points.size(),
835 scalars.size(),
836 "biggroup batch_mul: points and scalars size mismatch after handling points at infinity");
837
838 // If batch_mul actually performs batch multiplication on the points and scalars, subprocedures can do
839 // operations like addition or subtraction of points, which can trigger OriginTag security mechanisms
840 // even though the final result satisfies the security logic. For example
841 // result = submitted_in_round_0 * challenge_from_round_0 + submitted_in_round_1 * challenge_in_round_1
842 // will trigger it, because the addition of submitted_in_round_0 to submitted_in_round_1 is dangerous by itself.
843 // To avoid this, we remove the tags, merge them separately and set the result appropriately
844 OriginTag tag = OriginTag::constant(); // Initialize as CONSTANT so merging with input tags works correctly
845 auto empty_tag = OriginTag::constant(); // Disable origin checking during intermediate operations
846 for (size_t i = 0; i < _points.size(); i++) {
847 tag = OriginTag(tag, OriginTag(_points[i].get_origin_tag(), _scalars[i].get_origin_tag()));
848 }
849 for (size_t i = 0; i < scalars.size(); i++) {
850 points[i].set_origin_tag(empty_tag);
851 scalars[i].set_origin_tag(empty_tag);
852 }
853
854 // Accumulate constant-constant pairs out of circuit
855 bool has_constant_terms = false;
856 typename G::element constant_accumulator = G::element::infinity();
857 std::vector<element> new_points;
858 std::vector<Fr> new_scalars;
859 for (size_t i = 0; i < points.size(); ++i) {
860 if (points[i].is_constant() && scalars[i].is_constant()) {
861 const auto& point_value = typename G::element(points[i].get_value());
862 const auto& scalar_value = typename G::Fr(scalars[i].get_value());
863 constant_accumulator += (point_value * scalar_value);
864 has_constant_terms = true;
865 } else {
866 new_points.emplace_back(points[i]);
867 new_scalars.emplace_back(scalars[i]);
868 }
869 }
870 points = new_points;
871 scalars = new_scalars;
872
873 // If with_edgecases is false, masking_scalar must be constant and equal to 1 (as it is unused).
874 if (!with_edgecases) {
875 BB_ASSERT_EQ(
876 masking_scalar.is_constant() && masking_scalar.get_value() == 1,
877 true,
878 "biggroup batch_mul: masking_scalar must be constant (and equal to 1) when with_edgecases is false");
879 }
880
881 if (with_edgecases) {
882 // If points are linearly dependent, we randomise them using a masking scalar.
883 // We do this to ensure that the x-coordinates of the points are all distinct. This is required
884 // while creating the ROM lookup table with the points.
885 std::tie(points, scalars) = mask_points(points, scalars, masking_scalar);
886 }
887
888 BB_ASSERT_EQ(
889 points.size(), scalars.size(), "biggroup batch_mul: points and scalars size mismatch after handling edgecases");
890
891 // Separate out zero scalars and corresponding points (because NAF(0) = NAF(modulus) which is 254 bits long)
892 // Also add the last point and scalar to big_points and big_scalars (because its a 254-bit scalar)
893 // We do this only if max_num_bits != 0 (i.e. we are not forced to use 254 bits anyway)
894 const size_t original_size = scalars.size();
895 std::vector<Fr> big_scalars;
896 std::vector<element> big_points;
897 std::vector<Fr> small_scalars;
898 std::vector<element> small_points;
899 for (size_t i = 0; i < original_size; ++i) {
900 if (max_num_bits == 0) {
901 big_points.emplace_back(points[i]);
902 big_scalars.emplace_back(scalars[i]);
903 } else {
904 const bool is_last_scalar_big = ((i == original_size - 1) && with_edgecases);
905 if (scalars[i].get_value() == 0 || is_last_scalar_big) {
906 big_points.emplace_back(points[i]);
907 big_scalars.emplace_back(scalars[i]);
908 } else {
909 small_points.emplace_back(points[i]);
910 small_scalars.emplace_back(scalars[i]);
911 }
912 }
913 }
914
915 BB_ASSERT_EQ(original_size,
916 small_points.size() + big_points.size(),
917 "biggroup batch_mul: points size mismatch after separating big scalars");
918 BB_ASSERT_EQ(big_points.size(),
919 big_scalars.size(),
920 "biggroup batch_mul: big points and scalars size mismatch after separating big scalars");
921 BB_ASSERT_EQ(small_points.size(),
922 small_scalars.size(),
923 "biggroup batch_mul: small points and scalars size mismatch after separating big scalars");
924
925 const size_t max_num_bits_in_field = Fr::modulus.get_msb() + 1;
926
927 element accumulator;
928 bool accumulator_initialized = false;
929
930 // Check if we'll need to process any witness points
931
932 // Initialize accumulator with constant terms if they exist, OR if there are no remaining points
933 // (to handle the case where all points were filtered out by handle_points_at_infinity)
934 const bool has_no_points = big_points.empty() && small_points.empty();
935 if (has_constant_terms || has_no_points) {
936 accumulator = element(constant_accumulator);
937 accumulator_initialized = true;
938 }
939
940 if (!big_points.empty()) {
941 // Process big scalars separately
942 element big_result = element::process_strauss_msm_rounds(big_points, big_scalars, max_num_bits_in_field);
943 accumulator = accumulator_initialized ? accumulator + big_result : big_result;
944 accumulator_initialized = true;
945 }
946
947 if (!small_points.empty()) {
948 // Process small scalars
949 const size_t effective_max_num_bits = (max_num_bits == 0) ? max_num_bits_in_field : max_num_bits;
950 element small_result = element::process_strauss_msm_rounds(small_points, small_scalars, effective_max_num_bits);
951 accumulator = accumulator_initialized ? accumulator + small_result : small_result;
952 accumulator_initialized = true;
953 }
954
955 accumulator.set_origin_tag(tag);
956 return accumulator;
957}
961template <typename C, class Fq, class Fr, class G>
962element<C, Fq, Fr, G> element<C, Fq, Fr, G>::operator*(const Fr& scalar) const
963{
964 // Use `scalar_mul` method without specifying the length of `scalar`.
965 return scalar_mul(scalar);
966}
967
968template <typename C, class Fq, class Fr, class G>
977element<C, Fq, Fr, G> element<C, Fq, Fr, G>::scalar_mul(const Fr& scalar, const size_t max_num_bits) const
978{
1002 return element::batch_mul({ *this }, { scalar }, max_num_bits, /*with_edgecases=*/false);
1003}
1004} // namespace bb::stdlib::element_default
BB_ASSERT
#define BB_ASSERT(expression,...)
Definition assert.hpp:70
BB_ASSERT_GT
#define BB_ASSERT_GT(left, right,...)
Definition assert.hpp:113
BB_ASSERT_EQ
#define BB_ASSERT_EQ(actual, expected,...)
Definition assert.hpp:83
BB_ASSERT_LTE
#define BB_ASSERT_LTE(left, right,...)
Definition assert.hpp:158
bb::numeric::uint256_t
Definition uint256.hpp:32
bb::numeric::uint256_t::get_msb
constexpr uint64_t get_msb() const
Definition uint256_impl.hpp:329
bb::numeric::uintx::get_msb
constexpr uint64_t get_msb() const
Definition uintx.hpp:69
bb::stdlib::bool_t
Implements boolean logic in-circuit.
Definition bool.hpp:60
bb::stdlib::element_default::element
Definition biggroup.hpp:26
bb::stdlib::element_default::element::multiple_montgomery_ladder
element multiple_montgomery_ladder(const std::vector< chain_add_accumulator > &to_add) const
Perform repeated iterations of the montgomery ladder algorithm.
Definition biggroup_impl.hpp:475
bb::stdlib::element_default::element::validate_on_curve
void validate_on_curve(std::string const &msg="biggroup::validate_on_curve") const
Check that the point is on the curve.
Definition biggroup.hpp:97
bb::stdlib::element_default::element::_x
Fq _x
Definition biggroup.hpp:431
bb::stdlib::element_default::element::_y
Fq _y
Definition biggroup.hpp:432
bb::stdlib::element_default::element::set_origin_tag
void set_origin_tag(OriginTag tag) const
Definition biggroup.hpp:388
bb::stdlib::element_default::element::set_point_at_infinity
void set_point_at_infinity(const bool_ct &is_infinity, const bool &add_to_used_witnesses=false)
Definition biggroup.hpp:379
bb::stdlib::element_default::element::get_origin_tag
OriginTag get_origin_tag() const
Definition biggroup.hpp:402
bb::stdlib::element_default::element::conditional_select
element conditional_select(const element &other, const bool_ct &predicate) const
Selects this if predicate is false, other if predicate is true.
Definition biggroup.hpp:220
bb::stdlib::element_default::element::is_point_at_infinity
bool_ct is_point_at_infinity() const
Definition biggroup.hpp:378
a
FF a
Definition field_gt.test.cpp:52
G
#define G(r, i, a, b, c, d)
Definition blake2s.cpp:116
bb::numeric::ceil_div
constexpr T ceil_div(const T &numerator, const T &denominator)
Computes the ceiling of the division of two integral types.
Definition general.hpp:23
bb::numeric::uint512_t
uintx< uint256_t > uint512_t
Definition uintx.hpp:307
bb::stdlib::element_default
Definition biggroup.hpp:23
bb::get_precomputed_generators
constexpr std::span< const typename Group::affine_element > get_precomputed_generators()
Definition precomputed_generators.hpp:51
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
origin_tag.hpp
This file contains part of the logic for the Origin Tag mechanism that tracks the use of in-circuit p...
precomputed_generators.hpp
bb::OriginTag::constant
static OriginTag constant()
Definition origin_tag.hpp:174
bb::field< Bn254FrParams >::modulus
static constexpr uint256_t modulus
Definition field_declarations.hpp:199
bb::field< Bn254FqParams >::zero
static constexpr field zero()
Definition field_declarations.hpp:242
bb::stdlib::element_default::element::batch_lookup_table_plookup
Definition biggroup.hpp:666
bb::stdlib::element_default::element::batch_lookup_table_plookup::get_chain_initial_entry
chain_add_accumulator get_chain_initial_entry() const
Definition biggroup.hpp:759
bb::stdlib::element_default::element::batch_lookup_table_plookup::get_chain_add_accumulator
element::chain_add_accumulator get_chain_add_accumulator(std::vector< bool_ct > &naf_entries) const
Definition biggroup.hpp:790
bb::stdlib::element_default::element::chain_add_accumulator
Definition biggroup.hpp:288
bb::stdlib::element_default::element::chain_add_accumulator::is_full_element
bool is_full_element
Definition biggroup.hpp:294
bb::stdlib::element_default::element::chain_add_accumulator::lambda_prev
Fq lambda_prev
Definition biggroup.hpp:291
bb::stdlib::element_default::element::chain_add_accumulator::x1_prev
Fq x1_prev
Definition biggroup.hpp:289
bb::stdlib::element_default::element::chain_add_accumulator::y1_prev
Fq y1_prev
Definition biggroup.hpp:290
bb::stdlib::element_default::element::chain_add_accumulator::x3_prev
Fq x3_prev
Definition biggroup.hpp:292
bb::stdlib::element_default::element::chain_add_accumulator::y3_prev
Fq y3_prev
Definition biggroup.hpp:293
Fq
curve::BN254::BaseField Fq
Definition translator.fuzzer.hpp:21