Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
element_impl.hpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: Planned, auditors: [], commit: }
3// external_1: { status: not started, auditors: [], commit: }
4// external_2: { status: not started, auditors: [], commit: }
5// =====================
6
7#pragma once
8#include "barretenberg/common/assert.hpp"
9#include "barretenberg/common/bb_bench.hpp"
10#include "barretenberg/common/thread.hpp"
11#include "barretenberg/ecc/groups/element.hpp"
12#include "element.hpp"
13#include <cstdint>
14
15// NOLINTBEGIN(readability-implicit-bool-conversion, cppcoreguidelines-avoid-c-arrays)
16namespace bb::group_elements {
17template <class Fq, class Fr, class T>
18constexpr element<Fq, Fr, T>::element(const Fq& a, const Fq& b, const Fq& c) noexcept
19 : x(a)
20 , y(b)
21 , z(c)
22{}
23
24template <class Fq, class Fr, class T>
25constexpr element<Fq, Fr, T>::element(const element& other) noexcept
26 : x(other.x)
27 , y(other.y)
28 , z(other.z)
29{}
30
31template <class Fq, class Fr, class T>
32constexpr element<Fq, Fr, T>::element(element&& other) noexcept
33 : x(other.x)
34 , y(other.y)
35 , z(other.z)
36{}
37
38template <class Fq, class Fr, class T>
39constexpr element<Fq, Fr, T>::element(const affine_element<Fq, Fr, T>& other) noexcept
40 : x(other.x)
41 , y(other.y)
42 , z(Fq::one())
43{}
44
45template <class Fq, class Fr, class T>
46constexpr element<Fq, Fr, T>& element<Fq, Fr, T>::operator=(const element& other) noexcept
47{
48 if (this == &other) {
49 return *this;
50 }
51 x = other.x;
52 y = other.y;
53 z = other.z;
54 return *this;
55}
56
57template <class Fq, class Fr, class T>
58constexpr element<Fq, Fr, T>& element<Fq, Fr, T>::operator=(element&& other) noexcept
59{
60 x = other.x;
61 y = other.y;
62 z = other.z;
63 return *this;
64}
65
66template <class Fq, class Fr, class T> constexpr element<Fq, Fr, T>::operator affine_element<Fq, Fr, T>() const noexcept
67{
68 if (is_point_at_infinity()) {
69 affine_element<Fq, Fr, T> result;
70 result.x = Fq(0);
71 result.y = Fq(0);
72 result.self_set_infinity();
73 return result;
74 }
75 Fq z_inv = z.invert();
76 Fq zz_inv = z_inv.sqr();
77 Fq zzz_inv = zz_inv * z_inv;
78 affine_element<Fq, Fr, T> result(x * zz_inv, y * zzz_inv);
79 return result;
80}
81
82template <class Fq, class Fr, class T> constexpr void element<Fq, Fr, T>::self_dbl() noexcept
83{
84 if constexpr (Fq::modulus.data[3] >= 0x4000000000000000ULL) {
85 if (is_point_at_infinity()) {
86 return;
87 }
88 } else {
89 if (x.is_msb_set_word()) {
90 return;
91 }
92 }
93
94 // T0 = x*x
95 Fq T0 = x.sqr();
96
97 // T1 = y*y
98 Fq T1 = y.sqr();
99
100 // T2 = T2*T1 = y*y*y*y
101 Fq T2 = T1.sqr();
102
103 // T1 = T1 + x = x + y*y
104 T1 += x;
105
106 // T1 = T1 * T1
107 T1.self_sqr();
108
109 // T3 = T0 + T2 = xx + y*y*y*y
110 Fq T3 = T0 + T2;
111
112 // T1 = T1 - T3 = x*x + y*y*y*y + 2*x*x*y*y*y*y - x*x - y*y*y*y = 2*x*x*y*y*y*y = 2*S
113 T1 -= T3;
114
115 // T1 = 2T1 = 4*S
116 T1 += T1;
117
118 // T3 = 3T0
119 T3 = T0 + T0;
120 T3 += T0;
121 if constexpr (T::has_a) {
122 T3 += (T::a * z.sqr().sqr());
123 }
124
125 // z2 = 2*y*z
126 z += z;
127 z *= y;
128
129 // T0 = 2T1
130 T0 = T1 + T1;
131
132 // x2 = T3*T3
133 x = T3.sqr();
134
135 // x2 = x2 - 2T1
136 x -= T0;
137
138 // T2 = 8T2
139 T2 += T2;
140 T2 += T2;
141 T2 += T2;
142
143 // y2 = T1 - x2
144 y = T1 - x;
145
146 // y2 = y2 * T3 - T2
147 y *= T3;
148 y -= T2;
149}
150
151template <class Fq, class Fr, class T> constexpr element<Fq, Fr, T> element<Fq, Fr, T>::dbl() const noexcept
152{
153 element result(*this);
154 result.self_dbl();
155 return result;
156}
157
158template <class Fq, class Fr, class T>
159constexpr void element<Fq, Fr, T>::self_mixed_add_or_sub(const affine_element<Fq, Fr, T>& other,
160 const uint64_t predicate) noexcept
161{
162 if constexpr (Fq::modulus.data[3] >= 0x4000000000000000ULL) {
163 if (is_point_at_infinity()) {
164 conditional_negate_affine(other, *(affine_element<Fq, Fr, T>*)this, predicate); // NOLINT
165 z = Fq::one();
166 return;
167 }
168 } else {
169 const bool edge_case_trigger = x.is_msb_set() || other.x.is_msb_set();
170 if (edge_case_trigger) {
171 if (x.is_msb_set()) {
172 conditional_negate_affine(other, *(affine_element<Fq, Fr, T>*)this, predicate); // NOLINT
173 z = Fq::one();
174 }
175 return;
176 }
177 }
178
179 // T0 = z1.z1
180 Fq T0 = z.sqr();
181
182 // T1 = x2.t0 - x1 = x2.z1.z1 - x1
183 Fq T1 = other.x * T0;
184 T1 -= x;
185
186 // T2 = T0.z1 = z1.z1.z1
187 // T2 = T2.y2 - y1 = y2.z1.z1.z1 - y1
188 Fq T2 = z * T0;
189 T2 *= other.y;
190 T2.self_conditional_negate(predicate);
191 T2 -= y;
192
193 if (__builtin_expect(T1.is_zero(), 0)) {
194 if (T2.is_zero()) {
195 // y2 equals y1, x2 equals x1, double x1
196 self_dbl();
197 return;
198 }
199 self_set_infinity();
200 return;
201 }
202
203 // T2 = 2T2 = 2(y2.z1.z1.z1 - y1) = R
204 // z3 = z1 + H
205 T2 += T2;
206 z += T1;
207
208 // T3 = T1*T1 = HH
209 Fq T3 = T1.sqr();
210
211 // z3 = z3 - z1z1 - HH
212 T0 += T3;
213
214 // z3 = (z1 + H)*(z1 + H)
215 z.self_sqr();
216 z -= T0;
217
218 // T3 = 4HH
219 T3 += T3;
220 T3 += T3;
221
222 // T1 = T1*T3 = 4HHH
223 T1 *= T3;
224
225 // T3 = T3 * x1 = 4HH*x1
226 T3 *= x;
227
228 // T0 = 2T3
229 T0 = T3 + T3;
230
231 // T0 = T0 + T1 = 2(4HH*x1) + 4HHH
232 T0 += T1;
233 x = T2.sqr();
234
235 // x3 = x3 - T0 = R*R - 8HH*x1 -4HHH
236 x -= T0;
237
238 // T3 = T3 - x3 = 4HH*x1 - x3
239 T3 -= x;
240
241 T1 *= y;
242 T1 += T1;
243
244 // T3 = T2 * T3 = R*(4HH*x1 - x3)
245 T3 *= T2;
246
247 // y3 = T3 - T1
248 y = T3 - T1;
249}
250
251template <class Fq, class Fr, class T>
252constexpr element<Fq, Fr, T> element<Fq, Fr, T>::operator+=(const affine_element<Fq, Fr, T>& other) noexcept
253{
254 if constexpr (Fq::modulus.data[3] >= 0x4000000000000000ULL) {
255 if (is_point_at_infinity()) {
256 *this = { other.x, other.y, Fq::one() };
257 return *this;
258 }
259 } else {
260 const bool edge_case_trigger = x.is_msb_set() || other.x.is_msb_set();
261 if (edge_case_trigger) {
262 if (x.is_msb_set()) {
263 *this = { other.x, other.y, Fq::one() };
264 }
265 return *this;
266 }
267 }
268
269 // T0 = z1.z1
270 Fq T0 = z.sqr();
271
272 // T1 = x2.t0 - x1 = x2.z1.z1 - x1
273 Fq T1 = other.x * T0;
274 T1 -= x;
275
276 // T2 = T0.z1 = z1.z1.z1
277 // T2 = T2.y2 - y1 = y2.z1.z1.z1 - y1
278 Fq T2 = z * T0;
279 T2 *= other.y;
280 T2 -= y;
281
282 if (__builtin_expect(T1.is_zero(), 0)) {
283 if (T2.is_zero()) {
284 self_dbl();
285 return *this;
286 }
287 self_set_infinity();
288 return *this;
289 }
290
291 // T2 = 2T2 = 2(y2.z1.z1.z1 - y1) = R
292 // z3 = z1 + H
293 T2 += T2;
294 z += T1;
295
296 // T3 = T1*T1 = HH
297 Fq T3 = T1.sqr();
298
299 // z3 = z3 - z1z1 - HH
300 T0 += T3;
301
302 // z3 = (z1 + H)*(z1 + H)
303 z.self_sqr();
304 z -= T0;
305
306 // T3 = 4HH
307 T3 += T3;
308 T3 += T3;
309
310 // T1 = T1*T3 = 4HHH
311 T1 *= T3;
312
313 // T3 = T3 * x1 = 4HH*x1
314 T3 *= x;
315
316 // T0 = 2T3
317 T0 = T3 + T3;
318
319 // T0 = T0 + T1 = 2(4HH*x1) + 4HHH
320 T0 += T1;
321 x = T2.sqr();
322
323 // x3 = x3 - T0 = R*R - 8HH*x1 -4HHH
324 x -= T0;
325
326 // T3 = T3 - x3 = 4HH*x1 - x3
327 T3 -= x;
328
329 T1 *= y;
330 T1 += T1;
331
332 // T3 = T2 * T3 = R*(4HH*x1 - x3)
333 T3 *= T2;
334
335 // y3 = T3 - T1
336 y = T3 - T1;
337 return *this;
338}
339
340template <class Fq, class Fr, class T>
341constexpr element<Fq, Fr, T> element<Fq, Fr, T>::operator+(const affine_element<Fq, Fr, T>& other) const noexcept
342{
343 element result(*this);
344 return (result += other);
345}
346
347template <class Fq, class Fr, class T>
348constexpr element<Fq, Fr, T> element<Fq, Fr, T>::operator-=(const affine_element<Fq, Fr, T>& other) noexcept
349{
350 const affine_element<Fq, Fr, T> to_add{ other.x, -other.y };
351 return operator+=(to_add);
352}
353
354template <class Fq, class Fr, class T>
355constexpr element<Fq, Fr, T> element<Fq, Fr, T>::operator-(const affine_element<Fq, Fr, T>& other) const noexcept
356{
357 element result(*this);
358 return (result -= other);
359}
360
361template <class Fq, class Fr, class T>
362constexpr element<Fq, Fr, T> element<Fq, Fr, T>::operator+=(const element& other) noexcept
363{
364 if constexpr (Fq::modulus.data[3] >= 0x4000000000000000ULL) {
365 bool p1_zero = is_point_at_infinity();
366 bool p2_zero = other.is_point_at_infinity();
367 if (__builtin_expect((p1_zero || p2_zero), 0)) {
368 if (p1_zero && !p2_zero) {
369 *this = other;
370 return *this;
371 }
372 if (p2_zero && !p1_zero) {
373 return *this;
374 }
375 self_set_infinity();
376 return *this;
377 }
378 } else {
379 bool p1_zero = x.is_msb_set();
380 bool p2_zero = other.x.is_msb_set();
381 if (__builtin_expect((p1_zero || p2_zero), 0)) {
382 if (p1_zero && !p2_zero) {
383 *this = other;
384 return *this;
385 }
386 if (p2_zero && !p1_zero) {
387 return *this;
388 }
389 self_set_infinity();
390 return *this;
391 }
392 }
393 Fq Z1Z1(z.sqr());
394 Fq Z2Z2(other.z.sqr());
395 Fq S2(Z1Z1 * z);
396 Fq U2(Z1Z1 * other.x);
397 S2 *= other.y;
398 Fq U1(Z2Z2 * x);
399 Fq S1(Z2Z2 * other.z);
400 S1 *= y;
401
402 Fq F(S2 - S1);
403
404 Fq H(U2 - U1);
405
406 if (__builtin_expect(H.is_zero(), 0)) {
407 if (F.is_zero()) {
408 self_dbl();
409 return *this;
410 }
411 self_set_infinity();
412 return *this;
413 }
414
415 F += F;
416
417 Fq I(H + H);
418 I.self_sqr();
419
420 Fq J(H * I);
421
422 U1 *= I;
423
424 U2 = U1 + U1;
425 U2 += J;
426
427 x = F.sqr();
428
429 x -= U2;
430
431 J *= S1;
432 J += J;
433
434 y = U1 - x;
435
436 y *= F;
437
438 y -= J;
439
440 z += other.z;
441
442 Z1Z1 += Z2Z2;
443
444 z.self_sqr();
445 z -= Z1Z1;
446 z *= H;
447 return *this;
448}
449
450template <class Fq, class Fr, class T>
451constexpr element<Fq, Fr, T> element<Fq, Fr, T>::operator+(const element& other) const noexcept
452{
453 element result(*this);
454 return (result += other);
455}
456
457template <class Fq, class Fr, class T>
458constexpr element<Fq, Fr, T> element<Fq, Fr, T>::operator-=(const element& other) noexcept
459{
460 const element to_add{ other.x, -other.y, other.z };
461 return operator+=(to_add);
462}
463
464template <class Fq, class Fr, class T>
465constexpr element<Fq, Fr, T> element<Fq, Fr, T>::operator-(const element& other) const noexcept
466{
467 element result(*this);
468 return (result -= other);
469}
470
471template <class Fq, class Fr, class T> constexpr element<Fq, Fr, T> element<Fq, Fr, T>::operator-() const noexcept
472{
473 return { x, -y, z };
474}
475
476template <class Fq, class Fr, class T>
477element<Fq, Fr, T> element<Fq, Fr, T>::operator*(const Fr& exponent) const noexcept
478{
479 if constexpr (T::USE_ENDOMORPHISM) {
480 return mul_with_endomorphism(exponent);
481 }
482 return mul_without_endomorphism(exponent);
483}
484
485template <class Fq, class Fr, class T> element<Fq, Fr, T> element<Fq, Fr, T>::operator*=(const Fr& exponent) noexcept
486{
487 *this = operator*(exponent);
488 return *this;
489}
490
491template <class Fq, class Fr, class T> constexpr element<Fq, Fr, T> element<Fq, Fr, T>::normalize() const noexcept
492{
493 const affine_element<Fq, Fr, T> converted = *this;
494 return element(converted);
495}
496
497template <class Fq, class Fr, class T> element<Fq, Fr, T> element<Fq, Fr, T>::infinity()
498{
499 element<Fq, Fr, T> e{};
500 e.self_set_infinity();
501 return e;
502}
503
504template <class Fq, class Fr, class T> constexpr element<Fq, Fr, T> element<Fq, Fr, T>::set_infinity() const noexcept
505{
506 element result(*this);
507 result.self_set_infinity();
508 return result;
509}
510
511template <class Fq, class Fr, class T> constexpr void element<Fq, Fr, T>::self_set_infinity() noexcept
512{
513 if constexpr (Fq::modulus.data[3] >= 0x4000000000000000ULL) {
514 // We set the value of x equal to modulus to represent inifinty
515 x.data[0] = Fq::modulus.data[0];
516 x.data[1] = Fq::modulus.data[1];
517 x.data[2] = Fq::modulus.data[2];
518 x.data[3] = Fq::modulus.data[3];
519 } else {
520 (*this).x = Fq::zero();
521 (*this).y = Fq::zero();
522 (*this).z = Fq::zero();
523 x.self_set_msb();
524 }
525}
526
527template <class Fq, class Fr, class T> constexpr bool element<Fq, Fr, T>::is_point_at_infinity() const noexcept
528{
529 if constexpr (Fq::modulus.data[3] >= 0x4000000000000000ULL) {
530 // We check if the value of x is equal to modulus to represent inifinty
531 return ((x.data[0] ^ Fq::modulus.data[0]) | (x.data[1] ^ Fq::modulus.data[1]) |
532 (x.data[2] ^ Fq::modulus.data[2]) | (x.data[3] ^ Fq::modulus.data[3])) == 0;
533 } else {
534 return (x.is_msb_set());
535 }
536}
537
538template <class Fq, class Fr, class T> constexpr bool element<Fq, Fr, T>::on_curve() const noexcept
539{
540 if (is_point_at_infinity()) {
541 return true;
542 }
543 // We specify the point at inifinity not by (0 \lambda 0), so z should not be 0
544 if (z.is_zero()) {
545 return false;
546 }
547 Fq zz = z.sqr();
548 Fq zzzz = zz.sqr();
549 Fq bz_6 = zzzz * zz * T::b;
550 if constexpr (T::has_a) {
551 bz_6 += (x * T::a) * zzzz;
552 }
553 Fq xxx = x.sqr() * x + bz_6;
554 Fq yy = y.sqr();
555 return (xxx == yy);
556}
557
558template <class Fq, class Fr, class T>
559constexpr bool element<Fq, Fr, T>::operator==(const element& other) const noexcept
560{
561 // If one of points is not on curve, we have no business comparing them.
562 if ((!on_curve()) || (!other.on_curve())) {
563 return false;
564 }
565 bool am_infinity = is_point_at_infinity();
566 bool is_infinity = other.is_point_at_infinity();
567 bool both_infinity = am_infinity && is_infinity;
568 // If just one is infinity, then they are obviously not equal.
569 if ((!both_infinity) && (am_infinity || is_infinity)) {
570 return false;
571 }
572 const Fq lhs_zz = z.sqr();
573 const Fq lhs_zzz = lhs_zz * z;
574 const Fq rhs_zz = other.z.sqr();
575 const Fq rhs_zzz = rhs_zz * other.z;
576
577 const Fq lhs_x = x * rhs_zz;
578 const Fq lhs_y = y * rhs_zzz;
579
580 const Fq rhs_x = other.x * lhs_zz;
581 const Fq rhs_y = other.y * lhs_zzz;
582 return both_infinity || ((lhs_x == rhs_x) && (lhs_y == rhs_y));
583}
584
585template <class Fq, class Fr, class T>
586element<Fq, Fr, T> element<Fq, Fr, T>::random_element(numeric::RNG* engine) noexcept
587{
588 if constexpr (T::can_hash_to_curve) {
589 element result = random_coordinates_on_curve(engine);
590 result.z = Fq::random_element(engine);
591 Fq zz = result.z.sqr();
592 Fq zzz = zz * result.z;
593 result.x *= zz;
594 result.y *= zzz;
595 return result;
596 } else {
597 Fr scalar = Fr::random_element(engine);
598 return (element{ T::one_x, T::one_y, Fq::one() } * scalar);
599 }
600}
601
602template <class Fq, class Fr, class T>
603element<Fq, Fr, T> element<Fq, Fr, T>::mul_without_endomorphism(const Fr& scalar) const noexcept
604{
605 const uint256_t converted_scalar(scalar);
606
607 if (converted_scalar == 0) {
608 return element::infinity();
609 }
610
611 element accumulator(*this);
612 const uint64_t maximum_set_bit = converted_scalar.get_msb();
613 // This is simpler and doublings of infinity should be fast. We should think if we want to defend against the
614 // timing leak here (if used with ECDSA it can sometimes lead to private key compromise)
615 for (uint64_t i = maximum_set_bit - 1; i < maximum_set_bit; --i) {
616 accumulator.self_dbl();
617 if (converted_scalar.get_bit(i)) {
618 accumulator += *this;
619 }
620 }
621 return accumulator;
622}
623
624namespace detail {
625// Represents the result of
626using EndoScalars = std::pair<std::array<uint64_t, 2>, std::array<uint64_t, 2>>;
627
636template <typename Element, std::size_t NUM_ROUNDS> struct EndomorphismWnaf {
637 // NUM_WNAF_BITS: Number of bits per window in the WNAF representation.
638 static constexpr size_t NUM_WNAF_BITS = 4;
639 // table: Stores the WNAF representation of the scalars.
640 std::array<uint64_t, NUM_ROUNDS * 2> table;
641 // skew and endo_skew: Indicate if our original scalar is even or odd.
642 bool skew = false;
643 bool endo_skew = false;
644
648 EndomorphismWnaf(const EndoScalars& scalars)
649 {
650 wnaf::fixed_wnaf(&scalars.first[0], &table[0], skew, 0, 2, NUM_WNAF_BITS);
651 wnaf::fixed_wnaf(&scalars.second[0], &table[1], endo_skew, 0, 2, NUM_WNAF_BITS);
652 }
653};
654
655} // namespace detail
656
657template <class Fq, class Fr, class T>
658element<Fq, Fr, T> element<Fq, Fr, T>::mul_with_endomorphism(const Fr& scalar) const noexcept
659{
660 // Consider the infinity flag, return infinity if set
661 if (is_point_at_infinity()) {
662 return element::infinity();
663 }
664 constexpr size_t NUM_ROUNDS = 32;
665 const Fr converted_scalar = scalar.from_montgomery_form();
666
667 if (converted_scalar.is_zero()) {
668 return element::infinity();
669 }
670 static constexpr size_t LOOKUP_SIZE = 8;
671 std::array<element, LOOKUP_SIZE> lookup_table;
672
673 element d2 = dbl();
674 lookup_table[0] = element(*this);
675 for (size_t i = 1; i < LOOKUP_SIZE; ++i) {
676 lookup_table[i] = lookup_table[i - 1] + d2;
677 }
678
679 detail::EndoScalars endo_scalars = Fr::split_into_endomorphism_scalars(converted_scalar);
680 detail::EndomorphismWnaf<element, NUM_ROUNDS> wnaf{ endo_scalars };
681 element accumulator{ T::one_x, T::one_y, Fq::one() };
682 accumulator.self_set_infinity();
683 Fq beta = Fq::cube_root_of_unity();
684
685 for (size_t i = 0; i < NUM_ROUNDS * 2; ++i) {
686 uint64_t wnaf_entry = wnaf.table[i];
687 uint64_t index = wnaf_entry & 0x0fffffffU;
688 bool sign = static_cast<bool>((wnaf_entry >> 31) & 1);
689 const bool is_odd = ((i & 1) == 1);
690 auto to_add = lookup_table[static_cast<size_t>(index)];
691 to_add.y.self_conditional_negate(sign ^ is_odd);
692 if (is_odd) {
693 to_add.x *= beta;
694 }
695 accumulator += to_add;
696
697 if (i != ((2 * NUM_ROUNDS) - 1) && is_odd) {
698 for (size_t j = 0; j < 4; ++j) {
699 accumulator.self_dbl();
700 }
701 }
702 }
703
704 if (wnaf.skew) {
705 accumulator += -lookup_table[0];
706 }
707 if (wnaf.endo_skew) {
708 accumulator += element{ lookup_table[0].x * beta, lookup_table[0].y, lookup_table[0].z };
709 }
710
711 return accumulator;
712}
713
729template <typename Policy, typename AffineElement, typename Fq>
730__attribute__((always_inline)) inline void batch_affine_add_impl(const AffineElement* lhs_base,
731 AffineElement* rhs_base,
732 const size_t num_pairs,
733 Fq* scratch_space) noexcept
734{
735 Fq batch_inversion_accumulator = Fq::one();
736
737 // Forward pass: prepare batch inversion
738 for (size_t i = 0; i < num_pairs; ++i) {
739 const AffineElement& lhs = lhs_base[Policy::template lhs_index<AffineElement>(i)];
740 AffineElement& rhs = rhs_base[Policy::template rhs_index<AffineElement>(i)];
741 Fq& scratch = scratch_space[i];
742
743 scratch = lhs.x + rhs.x;
744 rhs.x -= lhs.x;
745 rhs.y -= lhs.y;
746 rhs.y *= batch_inversion_accumulator;
747 batch_inversion_accumulator *= (rhs.x);
748 }
749
750 if (batch_inversion_accumulator == Fq::zero()) {
751 throw_or_abort("attempted to invert zero in batch_affine_add_impl");
752 }
753 batch_inversion_accumulator = batch_inversion_accumulator.invert();
754
755 // Backward pass: compute additions
756 for (size_t i_plus_1 = num_pairs; i_plus_1 > 0; --i_plus_1) {
757 size_t i = i_plus_1 - 1;
758
759 const AffineElement& lhs = lhs_base[Policy::template lhs_index<AffineElement>(i)];
760 AffineElement& rhs = rhs_base[Policy::template rhs_index<AffineElement>(i)];
761 AffineElement& output = rhs_base[Policy::template output_index<AffineElement>(i, num_pairs)];
762 Fq& scratch = scratch_space[i];
763
764 if constexpr (Policy::ENABLE_PREFETCH) {
765 Policy::prefetch_iteration(rhs_base, scratch_space, i, num_pairs);
766 }
767
768 rhs.y *= batch_inversion_accumulator;
769 batch_inversion_accumulator *= rhs.x;
770 rhs.x = rhs.y.sqr();
771 output.x = rhs.x - scratch;
772 scratch = lhs.x - output.x;
773 scratch *= rhs.y;
774 output.y = scratch - lhs.y;
775 }
776}
777
791template <typename AffineElement, typename Fq>
792__attribute__((always_inline)) inline void batch_affine_double_impl(AffineElement* points,
793 const size_t num_points,
794 Fq* scratch_space) noexcept
795{
796 Fq batch_inversion_accumulator = Fq::one();
797
798 // Forward pass: prepare batch inversion
799 for (size_t i = 0; i < num_points; ++i) {
800 scratch_space[i] = points[i].x.sqr();
801 scratch_space[i] = scratch_space[i] + scratch_space[i] + scratch_space[i];
802 scratch_space[i] *= batch_inversion_accumulator;
803 batch_inversion_accumulator *= (points[i].y + points[i].y);
804 }
805
806 if (batch_inversion_accumulator == Fq::zero()) {
807 throw_or_abort("attempted to invert zero in batch_affine_double_impl");
808 }
809 batch_inversion_accumulator = batch_inversion_accumulator.invert();
810
811 // Backward pass: compute doublings
812 Fq temp_x;
813 for (size_t i_plus_1 = num_points; i_plus_1 > 0; --i_plus_1) {
814 size_t i = i_plus_1 - 1;
815
816 scratch_space[i] *= batch_inversion_accumulator;
817 batch_inversion_accumulator *= (points[i].y + points[i].y);
818
819 temp_x = points[i].x;
820 points[i].x = scratch_space[i].sqr() - (points[i].x + points[i].x);
821 points[i].y = scratch_space[i] * (temp_x - points[i].x) - points[i].y;
822 }
823}
824
836template <class Fq, class Fr, class T>
837void element<Fq, Fr, T>::batch_affine_add(const std::span<affine_element<Fq, Fr, T>>& first_group,
838 const std::span<affine_element<Fq, Fr, T>>& second_group,
839 const std::span<affine_element<Fq, Fr, T>>& results) noexcept
840{
841 using affine_element = affine_element<Fq, Fr, T>;
842 const size_t num_points = first_group.size();
843 BB_ASSERT_EQ(second_group.size(), first_group.size());
844
845 // Space for temporary values
846 std::vector<Fq> scratch_space(num_points);
847
848 parallel_for_heuristic(
849 num_points, [&](size_t i) { results[i] = first_group[i]; }, thread_heuristics::FF_COPY_COST * 2);
850
851 // Perform batch affine addition. Uses ParallelArrayPolicy: (lhs[i], rhs[i]) -> rhs[i] with sequential output (no
852 // prefetch)
853 parallel_for_heuristic(
854 num_points,
855 [&](size_t start, size_t end, BB_UNUSED size_t chunk_index) {
856 batch_affine_add_impl<ParallelArrayPolicy, affine_element, Fq>(
857 &second_group[start], &results[start], end - start, &scratch_space[start]);
858 },
859 thread_heuristics::FF_ADDITION_COST * 6 + thread_heuristics::FF_MULTIPLICATION_COST * 6);
860}
861
872template <class Fq, class Fr, class T>
873std::vector<affine_element<Fq, Fr, T>> element<Fq, Fr, T>::batch_mul_with_endomorphism(
874 const std::span<const affine_element<Fq, Fr, T>>& points, const Fr& scalar) noexcept
875{
876 BB_BENCH();
877 using affine_element = affine_element<Fq, Fr, T>;
878 const size_t num_points = points.size();
879
880 // Space for temporary values
881 std::vector<Fq> scratch_space(num_points);
882
883 // We compute the resulting point through WNAF by evaluating (the (\sum_i (16ⁱ⋅
884 // (a_i ∈ {-15,-13,-11,-9,-7,-5,-3,-1,1,3,5,7,9,11,13,15}))) - skew), where skew is 0 or 1. The result of the sum is
885 // always odd and skew is used to reconstruct an even scalar. This means that to construct scalar p-1, where p is
886 // the order of the scalar field, we first compute p through the sums and then subtract -1. Howver, since we are
887 // computing p⋅Point, we get a point at infinity, which is an edgecase, and we don't want to handle edgecases in the
888 // hot loop since the slow the computation down. So it's better to just handle it here.
889 if (scalar == -Fr::one()) {
890 std::vector<affine_element> results(num_points);
891 parallel_for_heuristic(num_points, [&](size_t i) { results[i] = -points[i]; }, thread_heuristics::FF_COPY_COST);
892 return results;
893 }
894 // Compute wnaf for scalar
895 const Fr converted_scalar = scalar.from_montgomery_form();
896
897 // If the scalar is zero, just set results to the point at infinity
898 if (converted_scalar.is_zero()) {
899 affine_element result{ Fq::zero(), Fq::zero() };
900 result.self_set_infinity();
901 std::vector<affine_element> results(num_points);
902 parallel_for_heuristic(num_points, [&](size_t i) { results[i] = result; }, thread_heuristics::FF_COPY_COST);
903 return results;
904 }
905
906 constexpr size_t LOOKUP_SIZE = 8;
907 constexpr size_t NUM_ROUNDS = 32;
908
909 detail::EndoScalars endo_scalars = Fr::split_into_endomorphism_scalars(converted_scalar);
910 detail::EndomorphismWnaf<element, NUM_ROUNDS> wnaf{ endo_scalars };
911
912 std::vector<affine_element> work_elements(num_points);
913 std::array<std::vector<affine_element>, LOOKUP_SIZE> lookup_table;
914 for (auto& table : lookup_table) {
915 table.resize(num_points);
916 }
917 std::vector<affine_element> temp_point_vector(num_points);
918
919 auto execute_range = [&](size_t start, size_t end) {
920 // Perform batch affine addition in parallel
921 const auto add_chunked = [&](const affine_element* lhs, affine_element* rhs) {
922 batch_affine_add_impl<ParallelArrayPolicy, affine_element, Fq>(
923 &lhs[start], &rhs[start], end - start, &scratch_space[start]);
924 };
925
926 // Perform point doubling in parallel
927 const auto double_chunked = [&](affine_element* lhs) {
928 batch_affine_double_impl<affine_element, Fq>(&lhs[start], end - start, &scratch_space[start]);
929 };
930
931 // Initialize first entries in lookup table
932 for (size_t i = start; i < end; ++i) {
933 if (points[i].is_point_at_infinity()) {
934 temp_point_vector[i] = affine_element::one();
935 lookup_table[0][i] = affine_element::one();
936 } else {
937 temp_point_vector[i] = points[i];
938 lookup_table[0][i] = points[i];
939 }
940 }
941 // Costruct lookup table
942 double_chunked(&temp_point_vector[0]);
943 for (size_t j = 1; j < LOOKUP_SIZE; ++j) {
944 for (size_t i = start; i < end; ++i) {
945 lookup_table[j][i] = lookup_table[j - 1][i];
946 }
947 add_chunked(&temp_point_vector[0], &lookup_table[j][0]);
948 }
949
950 constexpr Fq beta = Fq::cube_root_of_unity();
951 uint64_t wnaf_entry = 0;
952 uint64_t index = 0;
953 bool sign = 0;
954 // Prepare elements for the first batch addition
955 for (size_t j = 0; j < 2; ++j) {
956 wnaf_entry = wnaf.table[j];
957 index = wnaf_entry & 0x0fffffffU;
958 sign = static_cast<bool>((wnaf_entry >> 31) & 1);
959 const bool is_odd = ((j & 1) == 1);
960 for (size_t i = start; i < end; ++i) {
961 auto to_add = lookup_table[static_cast<size_t>(index)][i];
962 to_add.y.self_conditional_negate(sign ^ is_odd);
963 if (is_odd) {
964 to_add.x *= beta;
965 }
966 if (j == 0) {
967 work_elements[i] = to_add;
968 } else {
969 temp_point_vector[i] = to_add;
970 }
971 }
972 }
973 add_chunked(&temp_point_vector[0], &work_elements[0]);
974 // Run through SM logic in wnaf form (excluding the skew)
975 for (size_t j = 2; j < NUM_ROUNDS * 2; ++j) {
976 wnaf_entry = wnaf.table[j];
977 index = wnaf_entry & 0x0fffffffU;
978 sign = static_cast<bool>((wnaf_entry >> 31) & 1);
979 const bool is_odd = ((j & 1) == 1);
980 if (!is_odd) {
981 for (size_t k = 0; k < 4; ++k) {
982 double_chunked(&work_elements[0]);
983 }
984 }
985 for (size_t i = start; i < end; ++i) {
986 auto to_add = lookup_table[static_cast<size_t>(index)][i];
987 to_add.y.self_conditional_negate(sign ^ is_odd);
988 if (is_odd) {
989 to_add.x *= beta;
990 }
991 temp_point_vector[i] = to_add;
992 }
993 add_chunked(&temp_point_vector[0], &work_elements[0]);
994 }
995 // Apply skew for the first endo scalar
996 if (wnaf.skew) {
997 for (size_t i = start; i < end; ++i) {
998 temp_point_vector[i] = -lookup_table[0][i];
999 }
1000 add_chunked(&temp_point_vector[0], &work_elements[0]);
1001 }
1002 // Apply skew for the second endo scalar
1003 if (wnaf.endo_skew) {
1004 for (size_t i = start; i < end; ++i) {
1005 temp_point_vector[i] = lookup_table[0][i];
1006 temp_point_vector[i].x *= beta;
1007 }
1008 add_chunked(&temp_point_vector[0], &work_elements[0]);
1009 }
1010 // handle points at infinity explicitly
1011 for (size_t i = start; i < end; ++i) {
1012 work_elements[i] = points[i].is_point_at_infinity() ? work_elements[i].set_infinity() : work_elements[i];
1013 }
1014 };
1015 parallel_for_range(num_points, execute_range);
1016
1017 return work_elements;
1018}
1019
1020template <typename Fq, typename Fr, typename T>
1021void element<Fq, Fr, T>::conditional_negate_affine(const affine_element<Fq, Fr, T>& in,
1022 affine_element<Fq, Fr, T>& out,
1023 const uint64_t predicate) noexcept
1024{
1025 out = { in.x, predicate ? -in.y : in.y };
1026}
1027
1028template <typename Fq, typename Fr, typename T>
1029void element<Fq, Fr, T>::batch_normalize(element* elements, const size_t num_elements) noexcept
1030{
1031 std::vector<Fq> temporaries;
1032 temporaries.reserve(num_elements * 2);
1033 Fq accumulator = Fq::one();
1034
1035 // Iterate over the points, computing the product of their z-coordinates.
1036 // At each iteration, store the currently-accumulated z-coordinate in `temporaries`
1037 for (size_t i = 0; i < num_elements; ++i) {
1038 temporaries.emplace_back(accumulator);
1039 if (!elements[i].is_point_at_infinity()) {
1040 accumulator *= elements[i].z;
1041 }
1042 }
1043 // For the rest of this method we refer to the product of all z-coordinates as the 'global' z-coordinate
1044 // Invert the global z-coordinate and store in `accumulator`
1045 accumulator = accumulator.invert();
1046
1069 for (size_t i = num_elements - 1; i < num_elements; --i) {
1070 if (!elements[i].is_point_at_infinity()) {
1071 Fq z_inv = accumulator * temporaries[i];
1072 Fq zz_inv = z_inv.sqr();
1073 elements[i].x *= zz_inv;
1074 elements[i].y *= (zz_inv * z_inv);
1075 accumulator *= elements[i].z;
1076 }
1077 elements[i].z = Fq::one();
1078 }
1079}
1080
1081template <typename Fq, typename Fr, typename T>
1082template <typename>
1083element<Fq, Fr, T> element<Fq, Fr, T>::random_coordinates_on_curve(numeric::RNG* engine) noexcept
1084{
1085 bool found_one = false;
1086 Fq yy;
1087 Fq x;
1088 Fq y;
1089 while (!found_one) {
1090 x = Fq::random_element(engine);
1091 yy = x.sqr() * x + T::b;
1092 if constexpr (T::has_a) {
1093 yy += (x * T::a);
1094 }
1095 auto [found_root, y1] = yy.sqrt();
1096 y = y1;
1097 found_one = found_root;
1098 }
1099 return { x, y, Fq::one() };
1100}
1101
1102} // namespace bb::group_elements
1103// NOLINTEND(readability-implicit-bool-conversion, cppcoreguidelines-avoid-c-arrays)
BB_ASSERT_EQ
#define BB_ASSERT_EQ(actual, expected,...)
Definition assert.hpp:83
bb_bench.hpp
BB_BENCH
#define BB_BENCH()
Definition bb_bench.hpp:229
bb::group_elements::affine_element
Definition affine_element.hpp:22
bb::group_elements::affine_element::self_set_infinity
constexpr void self_set_infinity() noexcept
Definition affine_element_impl.hpp:110
bb::group_elements::affine_element::x
Fq x
Definition affine_element.hpp:202
bb::group_elements::affine_element::y
Fq y
Definition affine_element.hpp:203
bb::group_elements::affine_element::one
static constexpr affine_element one() noexcept
Definition affine_element.hpp:47
bb::group_elements::element
element class. Implements ecc group arithmetic using Jacobian coordinates See https://hyperelliptic....
Definition element.hpp:33
bb::group_elements::element::operator*=
element operator*=(const Fr &exponent) noexcept
Definition element_impl.hpp:485
bb::group_elements::element::set_infinity
BB_INLINE constexpr element set_infinity() const noexcept
Definition element_impl.hpp:504
bb::group_elements::element::mul_with_endomorphism
element mul_with_endomorphism(const Fr &scalar) const noexcept
Definition element_impl.hpp:658
bb::group_elements::element::infinity
static element infinity()
Definition element_impl.hpp:497
bb::group_elements::element::y
Fq y
Definition element.hpp:120
bb::group_elements::element::batch_mul_with_endomorphism
static std::vector< affine_element< Fq, Fr, Params > > batch_mul_with_endomorphism(const std::span< const affine_element< Fq, Fr, Params > > &points, const Fr &scalar) noexcept
Multiply each point by the same scalar.
Definition element_impl.hpp:873
bb::group_elements::element::operator-=
constexpr element operator-=(const element &other) noexcept
Definition element_impl.hpp:458
bb::group_elements::element::operator-
constexpr element operator-() const noexcept
Definition element_impl.hpp:471
bb::group_elements::element::z
Fq z
Definition element.hpp:121
bb::group_elements::element::operator+
friend constexpr element operator+(const affine_element< Fq, Fr, Params > &left, const element &right) noexcept
Definition element.hpp:75
bb::group_elements::element::dbl
constexpr element dbl() const noexcept
Definition element_impl.hpp:151
bb::group_elements::element::normalize
constexpr element normalize() const noexcept
Definition element_impl.hpp:491
bb::group_elements::element::self_dbl
constexpr void self_dbl() noexcept
Definition element_impl.hpp:82
bb::group_elements::element::random_element
static element random_element(numeric::RNG *engine=nullptr) noexcept
Definition element_impl.hpp:586
bb::group_elements::element::batch_normalize
static void batch_normalize(element *elements, size_t num_elements) noexcept
Definition element_impl.hpp:1029
bb::group_elements::element::operator+=
constexpr element operator+=(const element &other) noexcept
Definition element_impl.hpp:362
bb::group_elements::element::batch_affine_add
static void batch_affine_add(const std::span< affine_element< Fq, Fr, Params > > &first_group, const std::span< affine_element< Fq, Fr, Params > > &second_group, const std::span< affine_element< Fq, Fr, Params > > &results) noexcept
Pairwise affine add points in first and second group.
Definition element_impl.hpp:837
bb::group_elements::element::on_curve
BB_INLINE constexpr bool on_curve() const noexcept
Definition element_impl.hpp:538
bb::group_elements::element::operator==
BB_INLINE constexpr bool operator==(const element &other) const noexcept
Definition element_impl.hpp:559
bb::group_elements::element::operator*
element operator*(const Fr &exponent) const noexcept
Definition element_impl.hpp:477
bb::group_elements::element::self_mixed_add_or_sub
constexpr void self_mixed_add_or_sub(const affine_element< Fq, Fr, Params > &other, uint64_t predicate) noexcept
Definition element_impl.hpp:159
bb::group_elements::element::x
Fq x
Definition element.hpp:119
bb::group_elements::element::element
element() noexcept=default
bb::group_elements::element::conditional_negate_affine
static void conditional_negate_affine(const affine_element< Fq, Fr, Params > &in, affine_element< Fq, Fr, Params > &out, uint64_t predicate) noexcept
Definition element_impl.hpp:1021
bb::group_elements::element::random_coordinates_on_curve
static element random_coordinates_on_curve(numeric::RNG *engine=nullptr) noexcept
bb::group_elements::element::mul_without_endomorphism
element mul_without_endomorphism(const Fr &scalar) const noexcept
Definition element_impl.hpp:603
bb::group_elements::element::operator=
constexpr element & operator=(const element &other) noexcept
Definition element_impl.hpp:46
bb::group_elements::element::self_set_infinity
BB_INLINE constexpr void self_set_infinity() noexcept
Definition element_impl.hpp:511
bb::group_elements::element::is_point_at_infinity
BB_INLINE constexpr bool is_point_at_infinity() const noexcept
Definition element_impl.hpp:527
bb::numeric::uint256_t
Definition uint256.hpp:32
bb::numeric::uint256_t::get_bit
constexpr bool get_bit(uint64_t bit_index) const
Definition uint256_impl.hpp:319
bb::numeric::uint256_t::data
uint64_t data[4]
Definition uint256.hpp:216
bb::numeric::uint256_t::get_msb
constexpr uint64_t get_msb() const
Definition uint256_impl.hpp:329
BB_UNUSED
#define BB_UNUSED
Definition compiler_hints.hpp:30
a
FF a
Definition field_gt.test.cpp:52
b
FF b
Definition field_gt.test.cpp:53
engine
numeric::RNG & engine
Definition eccvm_transcript.test.cpp:285
bb::group_elements::detail::EndoScalars
std::pair< std::array< uint64_t, 2 >, std::array< uint64_t, 2 > > EndoScalars
Definition element_impl.hpp:626
bb::group_elements
Definition affine_element.hpp:19
bb::group_elements::__attribute__
__attribute__((always_inline)) inline void batch_affine_add_impl(const AffineElement *lhs_base
Core batch affine addition using Montgomery's batch inversion trick.
bb::group_elements::num_pairs
AffineElement const size_t num_pairs
Definition element_impl.hpp:732
bb::group_elements::temp_x
Fq temp_x
Definition element_impl.hpp:812
bb::group_elements::num_points
const size_t num_points
Definition element_impl.hpp:793
bb::group_elements::rhs_base
AffineElement * rhs_base
Definition element_impl.hpp:731
bb::group_elements::noexcept
AffineElement const size_t Fq *scratch_space noexcept
Definition element_impl.hpp:734
bb::group_elements::batch_inversion_accumulator
batch_inversion_accumulator
Definition element_impl.hpp:753
bb::stdlib::element
std::conditional_t< IsGoblinBigGroup< C, Fq, Fr, G >, element_goblin::goblin_element< C, goblin_field< C >, Fr, G >, element_default::element< C, Fq, Fr, G > > element
element wraps either element_default::element or element_goblin::goblin_element depending on parametr...
Definition biggroup.hpp:978
bb::thread_heuristics::FF_COPY_COST
constexpr size_t FF_COPY_COST
Definition thread.hpp:144
bb::thread_heuristics::FF_ADDITION_COST
constexpr size_t FF_ADDITION_COST
Definition thread.hpp:132
bb::thread_heuristics::FF_MULTIPLICATION_COST
constexpr size_t FF_MULTIPLICATION_COST
Definition thread.hpp:134
bb::wnaf::fixed_wnaf
void fixed_wnaf(const uint64_t *scalar, uint64_t *wnaf, bool &skew_map, const uint64_t point_index, const uint64_t num_points, const size_t wnaf_bits) noexcept
Performs fixed-window non-adjacent form (WNAF) computation for scalar multiplication.
Definition wnaf.hpp:178
bb::operator*
Univariate< Fr, domain_end > operator*(const Fr &ff, const Univariate< Fr, domain_end > &uv)
Definition univariate.hpp:567
bb::parallel_for_heuristic
void parallel_for_heuristic(size_t num_points, const std::function< void(size_t, size_t, size_t)> &func, size_t heuristic_cost)
Split a loop into several loops running in parallel based on operations in 1 iteration.
Definition thread.cpp:171
bb::parallel_for_range
void parallel_for_range(size_t num_points, const std::function< void(size_t, size_t)> &func, size_t no_multhreading_if_less_or_equal)
Split a loop into several loops running in parallel.
Definition thread.cpp:141
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
bb::field< Bn254FqParams >::cube_root_of_unity
static constexpr field cube_root_of_unity()
Definition field_declarations.hpp:220
bb::field< Bn254FqParams >::one
static constexpr field one()
Definition field_declarations.hpp:244
bb::field< Bn254FqParams >::modulus
static constexpr uint256_t modulus
Definition field_declarations.hpp:199
bb::field< Bn254FrParams >::split_into_endomorphism_scalars
static void split_into_endomorphism_scalars(const field &k, field &k1, field &k2)
Definition field_declarations.hpp:433
bb::field::self_sqr
BB_INLINE constexpr void self_sqr() &noexcept
Definition field_impl.hpp:82
bb::field::invert
constexpr field invert() const noexcept
Definition field_impl.hpp:377
bb::field::is_msb_set
BB_INLINE constexpr bool is_msb_set() const noexcept
Definition field_impl.hpp:648
bb::field< Bn254FqParams >::random_element
static field random_element(numeric::RNG *engine=nullptr) noexcept
Definition field_impl.hpp:677
bb::field::sqr
BB_INLINE constexpr field sqr() const noexcept
Definition field_impl.hpp:69
bb::field::is_zero
BB_INLINE constexpr bool is_zero() const noexcept
Definition field_impl.hpp:658
bb::field::from_montgomery_form
BB_INLINE constexpr field from_montgomery_form() const noexcept
Definition field_impl.hpp:300
bb::field< Bn254FqParams >::zero
static constexpr field zero()
Definition field_declarations.hpp:242
bb::group_elements::detail::EndomorphismWnaf
Handles the WNAF computation for scalars that are split using an endomorphism, achieved through split...
Definition element_impl.hpp:636
bb::group_elements::detail::EndomorphismWnaf::EndomorphismWnaf
EndomorphismWnaf(const EndoScalars &scalars)
Definition element_impl.hpp:648
bb::group_elements::detail::EndomorphismWnaf::table
std::array< uint64_t, NUM_ROUNDS *2 > table
Definition element_impl.hpp:640
bb::group_elements::detail::EndomorphismWnaf::endo_skew
bool endo_skew
Definition element_impl.hpp:643
bb::group_elements::detail::EndomorphismWnaf::skew
bool skew
Definition element_impl.hpp:642
bb::group_elements::detail::EndomorphismWnaf::NUM_WNAF_BITS
static constexpr size_t NUM_WNAF_BITS
Definition element_impl.hpp:638
throw_or_abort
void throw_or_abort(std::string const &err)
Definition throw_or_abort.hpp:6
Fq
curve::BN254::BaseField Fq
Definition translator.fuzzer.hpp:21