Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
Functions
bb::plookup::aes128_tables Namespace Reference

Functions

std::array< bb::fr, 2 > get_aes_sparse_normalization_values_from_key (const std::array< uint64_t, 2 > key)
 Normalizes the sparse form by mapping from sparse form to bytes and back to sparse form.
 
BasicTable generate_aes_sparse_normalization_table (BasicTableId id, const size_t table_index)
 Generates a BasicTable for normalizing 4 sparse digits back to valid sparse form.
 
MultiTable get_aes_normalization_table (const MultiTableId id=AES_NORMALIZE)
 Creates a MultiTable for normalizing 8 sparse digits back to binary digits.
 
MultiTable get_aes_input_table (const MultiTableId id=AES_INPUT)
 Creates a MultiTable for converting a 128-bit AES input block into 16 sparse-form bytes.
 
std::array< bb::fr, 2 > get_aes_sbox_values_from_key (const std::array< uint64_t, 2 > key)
 Computes AES S-box substitution and a derived value for MixColumns, returning both in sparse form.
 
BasicTable generate_aes_sbox_table (BasicTableId id, const size_t table_index)
 Generates a plookup table for AES S-box substitution with precomputed MixColumns values.
 
MultiTable get_aes_sbox_table (const MultiTableId id=AES_SBOX)
 

Function Documentation

◆ generate_aes_sbox_table()

BasicTable bb::plookup::aes128_tables::generate_aes_sbox_table ( BasicTableId  id,
const size_t  table_index 
)
inline

Generates a plookup table for AES S-box substitution with precomputed MixColumns values.

This table provides the core non-linear operation of AES (SubBytes) combined with a precomputed value needed for MixColumns, all stored in sparse form for efficient XOR operations in circuits.

Table structure (256 entries, one per byte value):

  • Column 1: Input byte in sparse form (base-9 representation)
  • Column 2: S(input) — the S-box output in sparse form
  • Column 3: S(input) ⊕ xtime(S(input)) — equals S(input) × 3 in GF(2^8), in sparse form

The third column precomputes the value needed for MixColumns multiplication by 3, since 3 = 2 ⊕ 1, so a × 3 = xtime(a) ⊕ a.

Step sizes are all 0 because this table is used for individual byte lookups, not for accumulating multiple slices into a larger value.

Parameters
idThe identifier for this lookup table
table_indexIndex of this table in the table registry
Returns
BasicTable The constructed 256-entry S-box lookup table

Definition at line 241 of file aes128.hpp.

◆ generate_aes_sparse_normalization_table()

BasicTable bb::plookup::aes128_tables::generate_aes_sparse_normalization_table ( BasicTableId  id,
const size_t  table_index 
)
inline

Generates a BasicTable for normalizing 4 sparse digits back to valid sparse form.

In sparse-form XOR computation, adding two sparse values can produce digits > 1. For example, if two bits are both 1, their sparse digits add to 2. This table extracts the LSB of each digit to recover the actual XOR result.

The table processes 4 sparse digits at a time (base-9, so 9^4 = 6561 entries). For each digit d ∈ {0..8}, the normalized value is (d & 1):

  • Even digits (0, 2, 4, 6, 8) → 0 (XOR result is 0)
  • Odd digits (1, 3, 5, 7) → 1 (XOR result is 1)

Table structure:

  • C1 (input): All 9^4 possible 4-digit sparse values (i*9³ + j*9² + k*9 + m)
  • C2 (output): Normalized sparse value with each digit reduced to its LSB
  • C3: Unused (always 0)

Example: Input sparse value representing digits [2, 1, 0, 3]

  • Input: 2*729 + 1*81 + 0*9 + 3 = 1542
  • Output: 0*729 + 1*81 + 0*9 + 1 = 82 (digits become [0, 1, 0, 1])

Step sizes of 6561 (= 9^4) allow the MultiTable (AES_NORMALIZE) to combine two 4-digit lookups to normalize a full 8-digit sparse byte.

Parameters
idThe BasicTableId to assign (AES_SPARSE_NORMALIZE)
table_indexIndex of this table in the table registry
Returns
BasicTable configured for 4-digit sparse normalization

Definition at line 60 of file aes128.hpp.

◆ get_aes_input_table()

MultiTable bb::plookup::aes128_tables::get_aes_input_table ( const MultiTableId  id = AES_INPUT)
inline

Creates a MultiTable for converting a 128-bit AES input block into 16 sparse-form bytes.

This table decomposes a 128-bit field element (representing an AES block) into 16 individual bytes and converts each byte to sparse base-9 representation. This is used at the start of AES encryption to prepare the input state for sparse-form arithmetic.

Table structure:

  • 16 entries (one per byte in the 128-bit block)
  • Each entry references the AES_SPARSE_MAP BasicTable (256-entry byte-to-sparse lookup)
  • Slice size of 256 per entry (8 bits = 1 byte)

The MultiTable accumulator coefficients (256, 0, 0) indicate:

  • Column 1: Accumulates input bytes with step size 256 (2^8) for byte decomposition
  • Columns 2 & 3: Not accumulated (step size 0), values are read individually

Usage: Given a 128-bit input packed as a field element, the plookup machinery will:

  1. Decompose it into 16 bytes (lsb order)
  2. Look up each byte in AES_SPARSE_MAP to get its sparse representation
  3. Return the 16 sparse bytes for use in subsequent AES operations
Parameters
idThe MultiTableId to assign (defaults to AES_INPUT)
Returns
MultiTable configured for 128-bit to sparse byte conversion

Definition at line 165 of file aes128.hpp.

◆ get_aes_normalization_table()

MultiTable bb::plookup::aes128_tables::get_aes_normalization_table ( const MultiTableId  id = AES_NORMALIZE)
inline

Creates a MultiTable for normalizing 8 sparse digits back to binary digits.

This table decomposes a 8-digit sparse value into 2, 4-digit sparse values (upper and lower) and normalizes each of them. This is used to normalize the sparse form of the input block before the AES S-box lookup.

Parameters
idThe MultiTableId to assign (AES_NORMALIZE)
Returns
MultiTable configured for 8-digit sparse normalization

Definition at line 116 of file aes128.hpp.

◆ get_aes_sbox_table()

MultiTable bb::plookup::aes128_tables::get_aes_sbox_table ( const MultiTableId  id = AES_SBOX)
inline

Definition at line 267 of file aes128.hpp.

◆ get_aes_sbox_values_from_key()

std::array< bb::fr, 2 > bb::plookup::aes128_tables::get_aes_sbox_values_from_key ( const std::array< uint64_t, 2 >  key)
inline

Computes AES S-box substitution and a derived value for MixColumns, returning both in sparse form.

This function performs two operations needed for efficient AES circuit implementation: 

     1. **S-box substitution**: Converts the sparse input back to a byte, applies the AES S-box
        lookup, and returns the result in sparse form.

     2. **Swizzled value for MixColumns**: Computes S(x) ⊕ xtime(S(x)), where xtime is
        multiplication by 2 in GF(2^8) using the AES irreducible polynomial (x^8 + x^4 + x^3 + x + 1).
        This equals S(x) * 3 in GF(2^8), which is used in the MixColumns step.

     The xtime operation is: xtime(a) = (a << 1) ⊕ (0x1b if MSB of a is 1, else 0)
     where 0x1b represents the reduction polynomial coefficients.

     By precomputing both S(x) and S(x) ⊕ xtime(S(x)) in a single lookup, the MixColumns
     operation can be performed efficiently using only additions of sparse representations.
Parameters
keyArray where key[0] contains the input byte in sparse form (key[1] unused)
Returns
std::array<bb::fr, 2> where:
  • [0] = S(byte) in sparse form (the S-box output)
  • [1] = S(byte) ⊕ xtime(S(byte)) in sparse form (S(byte) * 3 in GF(2^8))

Definition at line 203 of file aes128.hpp.

◆ get_aes_sparse_normalization_values_from_key()

std::array< bb::fr, 2 > bb::plookup::aes128_tables::get_aes_sparse_normalization_values_from_key ( const std::array< uint64_t, 2 >  key)
inline

Normalizes the sparse form by mapping from sparse form to bytes and back to sparse form.

Parameters
keyThe lookup key; key[0] is the sparse input value, key[1] is unused
Returns
{normalized_value, 0} where normalized_value has one output bit per input sparse digit

Definition at line 26 of file aes128.hpp.