Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
field.cpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: Complete, auditors: [Sergei], commit: 458fb330efa8c470567ab4b84a8a92a58b00586a}
3// external_1: { status: Complete, auditors: [@ed25519, @JakubHeba (Spearbit)], commit:
4// 4433c06ae693451c6f69a2f63b7da6628078d872}
5// external_2: { status: not started, auditors: [], commit: }
6// =====================
7
8#include "field.hpp"
9#include "../bool/bool.hpp"
10#include "../circuit_builders/circuit_builders.hpp"
11#include "barretenberg/common/assert.hpp"
12#include "barretenberg/ecc/curves/grumpkin/grumpkin.hpp"
13#include "field_utils.hpp"
14#include <functional>
15
16using namespace bb;
17
18namespace bb::stdlib {
19
20template <typename Builder>
21field_t<Builder>::field_t(Builder* parent_context)
22 : context(parent_context)
23 , additive_constant(bb::fr::zero())
24 , multiplicative_constant(bb::fr::one())
25 , witness_index(IS_CONSTANT)
26{}
27
28template <typename Builder>
29field_t<Builder>::field_t(const witness_t<Builder>& value)
30 : context(value.context)
31 , additive_constant(bb::fr::zero())
32 , multiplicative_constant(bb::fr::one())
33 , witness_index(value.witness_index)
34{
35 set_free_witness_tag();
36}
37
38template <typename Builder>
39field_t<Builder>::field_t(Builder* parent_context, const bb::fr& value)
40 : context(parent_context)
41 , additive_constant(value)
42 , multiplicative_constant(bb::fr::one())
43 , witness_index(IS_CONSTANT)
44{}
45
46template <typename Builder>
61
62template <typename Builder>
63field_t<Builder> field_t<Builder>::from_witness_index(Builder* ctx, const uint32_t witness_index)
64{
65 field_t<Builder> result(ctx);
66 result.witness_index = witness_index;
67 return result;
68}
69
76template <typename Builder> field_t<Builder>::operator bool_t<Builder>() const
77{
78 // If `this` is a constant field_t element, the resulting bool is also constant.
79 // In this case, `additive_constant` uniquely determines the value of `this`.
80 // After ensuring that `additive_constant` \in {0, 1}, we set the `.witness_bool` field of `result` to match the
81 // value of `additive_constant`.
82 if (is_constant()) {
83 BB_ASSERT(additive_constant == bb::fr::one() || additive_constant == bb::fr::zero(),
84 "Attempting to create a bool_t from a witness_t not satisfying x^2 - x = 0");
85 bool_t<Builder> result(context);
86 result.witness_bool = (additive_constant == bb::fr::one());
87 result.set_origin_tag(tag);
88 return result;
89 }
90
91 const bool add_constant_check = (additive_constant == bb::fr::zero());
92 const bool mul_constant_check = (multiplicative_constant == bb::fr::one());
93 const bool inverted_check = (additive_constant == bb::fr::one()) && (multiplicative_constant == bb::fr::neg_one());
94 bool result_inverted = false;
95 // Process the elements of the form
96 // a = a.v * 1 + 0 and a = a.v * (-1) + 1
97 // They do not need to be normalized if `a.v` is constrained to be boolean. In the first case, we have
98 // a == a.v,
99 // and in the second case
100 // a == ¬(a.v).
101 // The distinction between the cases is tracked by the .witness_inverted field of bool_t.
102 uint32_t witness_idx = witness_index;
103 if ((add_constant_check && mul_constant_check) || inverted_check) {
104 result_inverted = inverted_check;
105 } else {
106 // In general, the witness has to be normalized.
107 witness_idx = normalize().witness_index;
108 }
109 // Get the normalized value of the witness
110 bb::fr witness = context->get_variable(witness_idx);
111 BB_ASSERT(witness == bb::fr::zero() || witness == bb::fr::one(),
112 "Attempting to create a bool_t from a witness_t not satisfying x^2 - x = 0");
113 bool_t result(context, witness == bb::fr::one());
114 result.witness_inverted = result_inverted;
115 result.witness_index = witness_idx;
116 context->create_bool_gate(witness_idx);
117 result.set_origin_tag(tag);
118 return result;
119}
120
125template <typename Builder> field_t<Builder> field_t<Builder>::operator+(const field_t& other) const
126{
127 Builder* ctx = validate_context(other.context, context);
128 field_t<Builder> result(ctx);
129 // Ensure that non-constant circuit elements can not be added without context
130 BB_ASSERT(ctx || (is_constant() && other.is_constant()));
131
132 if (witness_indices_match(*this, other) && !is_constant()) {
133 // If summands represent the same circuit variable, i.e. their witness indices coincide, we just need to update
134 // the scaling factors of this variable.
135 result.additive_constant = additive_constant + other.additive_constant;
136 result.multiplicative_constant = multiplicative_constant + other.multiplicative_constant;
137 result.witness_index = witness_index;
138 } else if (is_constant() && other.is_constant()) {
139 // both inputs are constant - don't add a gate
140 result.additive_constant = additive_constant + other.additive_constant;
141 } else if (!is_constant() && other.is_constant()) {
142 // one input is constant - don't add a gate, but update scaling factors
143 result.additive_constant = additive_constant + other.additive_constant;
144 result.multiplicative_constant = multiplicative_constant;
145 result.witness_index = witness_index;
146 } else if (is_constant() && !other.is_constant()) {
147 result.additive_constant = additive_constant + other.additive_constant;
148 result.multiplicative_constant = other.multiplicative_constant;
149 result.witness_index = other.witness_index;
150 } else {
151 // The summands are distinct circuit variables, the result needs to be constrained.
152 // a + b = a.v * a.mul + b.v * b.mul + (a.add + b.add)
153 // which leads to the constraint
154 // a.v * q_l + b.v * q_r + result.v * q_o + q_c = 0,
155 // where q_l, q_r, q_0, and q_c are the selectors storing corresponding scaling factors.
156 bb::fr left = ctx->get_variable(witness_index); // =: a.v
157 bb::fr right = ctx->get_variable(other.witness_index); // =: b.v
158 bb::fr result_value = left * multiplicative_constant;
159 result_value += right * other.multiplicative_constant;
160 result_value += additive_constant;
161 result_value += other.additive_constant;
162 result.witness_index = ctx->add_variable(result_value);
163
164 ctx->create_add_gate({ .a = witness_index,
165 .b = other.witness_index,
166 .c = result.witness_index,
167 .a_scaling = multiplicative_constant,
168 .b_scaling = other.multiplicative_constant,
169 .c_scaling = bb::fr::neg_one(),
170 .const_scaling = (additive_constant + other.additive_constant) });
171 }
172 result.tag = OriginTag(tag, other.tag);
173 return result;
174}
178template <typename Builder> field_t<Builder> field_t<Builder>::operator-(const field_t& other) const
179{
180 field_t<Builder> rhs(other);
181 rhs.additive_constant.self_neg();
182 if (!rhs.is_constant()) {
183 // Negate the multiplicative constant of the rhs then feed to `+` operator
184 rhs.multiplicative_constant.self_neg();
185 }
186 return operator+(rhs);
187}
188
193template <typename Builder> field_t<Builder> field_t<Builder>::operator*(const field_t& other) const
194{
195 Builder* ctx = validate_context(other.context, context);
196 field_t<Builder> result(ctx);
197 // Ensure that non-constant circuit elements can not be multiplied without context
198 BB_ASSERT(ctx || (is_constant() && other.is_constant()));
199
200 if (is_constant() && other.is_constant()) {
201 // Both inputs are constant - don't add a gate.
202 // The value of a constant is tracked in `.additive_constant`.
203 result.additive_constant = additive_constant * other.additive_constant;
204 } else if (!is_constant() && other.is_constant()) {
205
206 // Here and in the next case, only one input is not constant: don't add a gate, but update scaling factors.
207 // More concretely, let:
208 // a := this;
209 // b := other;
210 // a.v := ctx->variables[a.witness_index], the value of a;
211 // b.v := ctx->variables[b.witness_index], the value of b;
212 // .mul = .multiplicative_constant
213 // .add = .additive_constant
214 // Value of this = a.v * a.mul + a.add;
215 // Value of other = b.add
216 // Value of result = a * b = a.v * [a.mul * b.add] + [a.add * b.add]
217 // ^ ^result.mul ^result.add
218 // ^result.v
219
220 result.additive_constant = additive_constant * other.additive_constant;
221 result.multiplicative_constant = multiplicative_constant * other.additive_constant;
222 // We simply updated the scaling factors of `*this`, so `witness_index` of `result` must be equal to
223 // `this->witness_index`.
224 result.witness_index = witness_index;
225 } else if (is_constant() && !other.is_constant()) {
226 // Only one input is not constant: don't add a gate, but update scaling factors
227 result.additive_constant = additive_constant * other.additive_constant;
228 result.multiplicative_constant = other.multiplicative_constant * additive_constant;
229 // We simply updated the scaling factors of `other`, so `witness_index` of `result` must be equal to
230 // `other->witness_index`.
231 result.witness_index = other.witness_index;
232 } else {
251 bb::fr T0;
252 bb::fr q_m;
253 bb::fr q_l;
254 bb::fr q_r;
255 bb::fr q_c;
256
257 // Compute selector values
258 q_c = additive_constant * other.additive_constant;
259 q_r = additive_constant * other.multiplicative_constant;
260 q_l = multiplicative_constant * other.additive_constant;
261 q_m = multiplicative_constant * other.multiplicative_constant;
262
263 bb::fr left = context->get_variable(witness_index); // =: a.v
264 bb::fr right = context->get_variable(other.witness_index); // =: b.v
265 bb::fr result_value;
266
267 result_value = left * right;
268 result_value *= q_m;
269 // Scale `b.v` by the constant `a_mul * b_add`
270 T0 = left * q_l;
271 result_value += T0;
272 // Scale `a.v` by the constant `a_add * b_mul`
273 T0 = right * q_r;
274 result_value += T0;
275 result_value += q_c;
276 result.witness_index = ctx->add_variable(result_value);
277 // Constrain
278 // a.v * b.v * q_m + a.v * q_l + b_v * q_r + q_c + result.v * q_o = 0
279 ctx->create_arithmetic_gate({ .a = witness_index,
280 .b = other.witness_index,
281 .c = result.witness_index,
282 .q_m = q_m,
283 .q_l = q_l,
284 .q_r = q_r,
285 .q_o = bb::fr::neg_one(),
286 .q_c = q_c });
287 }
288 result.tag = OriginTag(tag, other.tag);
289 return result;
290}
291
303template <typename Builder> field_t<Builder> field_t<Builder>::operator/(const field_t& other) const
304{
305 // If the denominator is a constant 0, the division is aborted. Otherwise, it is constrained to be non-zero.
306 other.assert_is_not_zero("field_t::operator/ divisor is 0");
307 return divide_no_zero_check(other);
308}
309
313template <typename Builder> field_t<Builder> field_t<Builder>::divide_no_zero_check(const field_t& other) const
314{
315
316 // Let
317 // a := this;
318 // b := other;
319 // q := a / b;
320 Builder* ctx = validate_context(context, other.context);
321 field_t<Builder> result(ctx);
322 // Ensure that non-constant circuit elements can not be divided without context
323 BB_ASSERT(ctx || (is_constant() && other.is_constant()));
324
325 bb::fr additive_multiplier = bb::fr::one();
326
327 if (is_constant() && other.is_constant()) {
328 // Both inputs are constant, the result is given by
329 // q = a.add / b.add, if b != 0.
330 // q = a.add , if b == 0
331 if (!(other.additive_constant == bb::fr::zero())) {
332 additive_multiplier = other.additive_constant.invert();
333 }
334 result.additive_constant = additive_constant * additive_multiplier;
335 } else if (!is_constant() && other.is_constant()) {
336 // The numerator is a circuit variable, the denominator is a constant.
337 // The result is obtained by updating the circuit variable `a`
338 // q = a.v * [a.mul / b.add] + a.add / b.add, if b != 0.
339 // q = a , if b == 0
340 // with q.witness_index = a.witness_index.
341 if (!(other.additive_constant == bb::fr::zero())) {
342 additive_multiplier = other.additive_constant.invert();
343 }
344 result.additive_constant = additive_constant * additive_multiplier;
345 result.multiplicative_constant = multiplicative_constant * additive_multiplier;
346 result.witness_index = witness_index;
347 } else if (is_constant() && !other.is_constant()) {
348 // The numerator is a constant, the denominator is a circuit variable.
349 // If a == 0, the result is a constant 0, otherwise the result is a new variable that has to be constrained.
350 if (get_value() == 0) {
351 result.additive_constant = 0;
352 result.multiplicative_constant = 1;
353 result.witness_index = IS_CONSTANT;
354 } else {
355 bb::fr numerator = get_value();
356 bb::fr denominator_inv = other.get_value();
357 denominator_inv = denominator_inv.is_zero() ? 0 : denominator_inv.invert();
358
359 bb::fr out(numerator * denominator_inv);
360 result.witness_index = ctx->add_variable(out);
361 // Define non-zero selector values for an arithmetic gate
362 // q_m := b.mul
363 // q_l := b.add
364 // q_c := a (= a.add, since a is constant)
365 bb::fr q_m = other.multiplicative_constant;
366 bb::fr q_l = other.additive_constant;
367 bb::fr q_c = -get_value();
368 // The value of the quotient q = a / b has to satisfy
369 // q * (b.v * b.mul + b.add) = a
370 // Create an arithmetic gate to constrain the quotient.
371 // q * b.v * q_m + q * q_l + 0 * b + 0 * c + q_c = 0
372 ctx->create_arithmetic_gate({ .a = result.witness_index,
373 .b = other.witness_index,
374 .c = result.witness_index,
375 .q_m = q_m,
376 .q_l = q_l,
377 .q_r = 0,
378 .q_o = 0,
379 .q_c = q_c });
380 }
381 } else {
382 // Both numerator and denominator are circuit variables. Create a new circuit variable with the value a / b.
383 bb::fr numerator = get_value();
384 bb::fr denominator_inv = other.get_value();
385 denominator_inv = denominator_inv.is_zero() ? 0 : denominator_inv.invert();
386
387 bb::fr out(numerator * denominator_inv);
388 result.witness_index = ctx->add_variable(out);
389
390 // The value of the quotient q = a / b has to satisfy
391 // q * (b.v * b.mul + b.add) = a.v * a.mul + a.add
392 // Create an arithmetic gate to constrain the quotient
393 // q * b.v * q_m + q * q_l + 0 * c + a.v * q_o + q_c = 0,
394 // where the selector values are defined as follows:
395 // q_m = b.mul;
396 // q_l = b.add;
397 // q_r = 0;
398 // q_o = - a.mul;
399 // q_c = - a.add.
400 bb::fr q_m = other.multiplicative_constant;
401 bb::fr q_l = other.additive_constant;
402 bb::fr q_r = bb::fr::zero();
403 bb::fr q_o = -multiplicative_constant;
404 bb::fr q_c = -additive_constant;
405
406 ctx->create_arithmetic_gate({ .a = result.witness_index,
407 .b = other.witness_index,
408 .c = witness_index,
409 .q_m = q_m,
410 .q_l = q_l,
411 .q_r = q_r,
412 .q_o = q_o,
413 .q_c = q_c });
414 }
415 result.tag = OriginTag(tag, other.tag);
416 return result;
417}
418
423template <typename Builder> field_t<Builder> field_t<Builder>::pow(const uint32_t& exponent) const
424{
425 if (is_constant()) {
426 return field_t(get_value().pow(exponent));
427 }
428 if (exponent == 0) {
429 return field_t(bb::fr::one());
430 }
431
432 bool accumulator_initialized = false;
433 field_t<Builder> accumulator;
434 field_t<Builder> running_power = *this;
435 auto shifted_exponent = exponent;
436
437 // Square and multiply, there's no need to constrain the exponent bit decomposition, as it is an integer constant.
438 while (shifted_exponent != 0) {
439 if (shifted_exponent & 1) {
440 if (!accumulator_initialized) {
441 accumulator = running_power;
442 accumulator_initialized = true;
443 } else {
444 accumulator *= running_power;
445 }
446 }
447 if (shifted_exponent >= 2) {
448 // Don't update `running_power` if `shifted_exponent` = 1, as it won't be used anywhere.
449 running_power = running_power.sqr();
450 }
451 shifted_exponent >>= 1;
452 }
453 return accumulator;
454}
455
460template <typename Builder> field_t<Builder> field_t<Builder>::pow(const field_t& exponent) const
461{
462 uint256_t exponent_value = exponent.get_value();
463 BB_ASSERT_LT(exponent_value.get_msb(), 32U, "Exponent too large in field_t::pow");
464
465 if (is_constant() && exponent.is_constant()) {
466 return field_t(get_value().pow(exponent_value));
467 }
468 // Use the constant version that perfoms only the necessary multiplications if the exponent is constant
469 if (exponent.is_constant()) {
470 return pow(static_cast<uint32_t>(exponent_value));
471 }
472
473 auto* ctx = validate_context(context, exponent.context);
474
475 std::array<bool_t<Builder>, 32> exponent_bits;
476 // Collect individual bits as bool_t's
477 for (size_t i = 0; i < exponent_bits.size(); ++i) {
478 uint256_t value_bit = exponent_value & 1;
479 bool_t<Builder> bit;
480 bit = bool_t<Builder>(witness_t<Builder>(ctx, value_bit.data[0]));
481 bit.set_origin_tag(exponent.tag);
482 exponent_bits[31 - i] = bit;
483 exponent_value >>= 1;
484 }
485
486 field_t<Builder> exponent_accumulator(bb::fr::zero());
487 for (const auto& bit : exponent_bits) {
488 exponent_accumulator += exponent_accumulator;
489 exponent_accumulator += bit;
490 }
491 // Constrain the sum of bool_t bits to be equal to the original exponent value.
492 exponent.assert_equal(exponent_accumulator, "field_t::pow exponent accumulator incorrect");
493
494 // Compute the result of exponentiation
495 field_t accumulator(ctx, bb::fr::one());
496 const field_t one(bb::fr::one());
497 for (size_t i = 0; i < 32; ++i) {
498 accumulator *= accumulator;
499 // If current bit == 1, multiply by the base, else propagate the accumulator
500 const field_t multiplier = conditional_assign_internal(exponent_bits[i], *this, one);
501 accumulator *= multiplier;
502 }
503 accumulator = accumulator.normalize();
504 accumulator.tag = OriginTag(tag, exponent.tag);
505 return accumulator;
506}
507
511template <typename Builder> field_t<Builder> field_t<Builder>::madd(const field_t& to_mul, const field_t& to_add) const
512{
513 Builder* ctx = validate_context<Builder>(context, to_mul.context, to_add.context);
514
515 const bool mul_by_const = is_constant() || to_mul.is_constant();
516
517 if (mul_by_const) {
518 // If at least one of the multiplicands is constant, `madd` is efficiently handled by `*` and `+`
519 // operators.
520 return ((*this) * to_mul + to_add);
521 }
522
523 // Let:
524 // a = this;
525 // b = to_mul;
526 // c = to_add;
527 // a.v = ctx->variables[this.witness_index];
528 // b.v = ctx->variables[to_mul.witness_index];
529 // c.v = ctx->variables[to_add.witness_index];
530 // .mul = .multiplicative_constant;
531 // .add = .additive_constant.
532 //
533 // result = a * b + c
534 // = (a.v * a.mul + a.add) * (b.v * b.mul + b.add) + (c.v * c.mul + c.add)
535 // = a.v * b.v * [a.mul * b.mul] + a.v * [a.mul * b.add] + b.v * [b.mul + a.add] + c.v * [c.mul]
536 // + [a.add * b.add + c.add]
537 // = a.v * b.v * [ mul_scaling ] + a.v * [ a_scaling ] + b.v * [ b_scaling ] + c.v * [ c_scaling ]
538 // + [ const_scaling ]
539
540 bb::fr mul_scaling = multiplicative_constant * to_mul.multiplicative_constant;
541 bb::fr a_scaling = multiplicative_constant * to_mul.additive_constant;
542 bb::fr b_scaling = to_mul.multiplicative_constant * additive_constant;
543 bb::fr c_scaling = to_add.multiplicative_constant;
544 bb::fr const_scaling = additive_constant * to_mul.additive_constant + to_add.additive_constant;
545
546 // Note: the value of a constant field_t is wholly tracked by the field_t's `additive_constant` member, which is
547 // accounted for in the above-calculated selectors (`q_`'s). Therefore no witness (`variables[witness_index]`)
548 // exists for constants, and so the field_t's corresponding wire value is set to `0` in the gate equation.
549 bb::fr a = is_constant() ? bb::fr::zero() : ctx->get_variable(witness_index);
550 bb::fr b = to_mul.is_constant() ? bb::fr::zero() : ctx->get_variable(to_mul.witness_index);
551 bb::fr c = to_add.is_constant() ? bb::fr::zero() : ctx->get_variable(to_add.witness_index);
552
553 bb::fr out = a * b * mul_scaling + a * a_scaling + b * b_scaling + c * c_scaling + const_scaling;
554
555 field_t<Builder> result(ctx);
556 result.witness_index = ctx->add_variable(out);
557 ctx->create_big_mul_add_gate({
558 .a = is_constant() ? ctx->zero_idx() : witness_index,
559 .b = to_mul.is_constant() ? ctx->zero_idx() : to_mul.witness_index,
560 .c = to_add.is_constant() ? ctx->zero_idx() : to_add.witness_index,
561 .d = result.witness_index,
562 .mul_scaling = mul_scaling,
563 .a_scaling = a_scaling,
564 .b_scaling = b_scaling,
565 .c_scaling = c_scaling,
566 .d_scaling = bb::fr::neg_one(),
567 .const_scaling = const_scaling,
568 });
569 result.tag = OriginTag(tag, to_mul.tag, to_add.tag);
570 return result;
571}
572
576template <typename Builder> field_t<Builder> field_t<Builder>::add_two(const field_t& add_b, const field_t& add_c) const
577{
578 const bool has_const_summand = is_constant() || add_b.is_constant() || add_c.is_constant();
579
580 if (has_const_summand) {
581 // If at least one of the summands is constant, the summation is efficiently handled by `+` operator
582 return (*this) + add_b + add_c;
583 }
584 Builder* ctx = validate_context<Builder>(context, add_b.context, add_c.context);
585
586 // Let d := a + (b+c), where
587 // a := *this;
588 // b := add_b;
589 // c := add_c;
590 // define selector values by
591 // mul_scaling := 0
592 // a_scaling := a_mul;
593 // b_scaling := b_mul;
594 // c_scaling := c_mul;
595 // d_scaling := -1;
596 // const_scaling := a_add + b_add + c_add;
597 // Create a `big_mul_gate` to constrain
598 // a * b * mul_scaling + a * a_scaling + b * b_scaling + c * c_scaling + d * d_scaling + const_scaling = 0
599
600 bb::fr a_scaling = multiplicative_constant;
601 bb::fr b_scaling = add_b.multiplicative_constant;
602 bb::fr c_scaling = add_c.multiplicative_constant;
603 bb::fr const_scaling = additive_constant + add_b.additive_constant + add_c.additive_constant;
604
605 // Compute the sum of values of all summands
606 bb::fr a = is_constant() ? bb::fr::zero() : ctx->get_variable(witness_index);
607 bb::fr b = add_b.is_constant() ? bb::fr::zero() : ctx->get_variable(add_b.witness_index);
608 bb::fr c = add_c.is_constant() ? bb::fr::zero() : ctx->get_variable(add_c.witness_index);
609
610 bb::fr out = a * a_scaling + b * b_scaling + c * c_scaling + const_scaling;
611
612 field_t<Builder> result(ctx);
613 result.witness_index = ctx->add_variable(out);
614
615 // Constrain the result
616 ctx->create_big_mul_add_gate({
617 .a = is_constant() ? ctx->zero_idx() : witness_index,
618 .b = add_b.is_constant() ? ctx->zero_idx() : add_b.witness_index,
619 .c = add_c.is_constant() ? ctx->zero_idx() : add_c.witness_index,
620 .d = result.witness_index,
621 .mul_scaling = bb::fr::zero(),
622 .a_scaling = a_scaling,
623 .b_scaling = b_scaling,
624 .c_scaling = c_scaling,
625 .d_scaling = bb::fr::neg_one(),
626 .const_scaling = const_scaling,
627 });
628 result.tag = OriginTag(tag, add_b.tag, add_c.tag);
629 return result;
630}
631
639template <typename Builder> field_t<Builder> field_t<Builder>::normalize() const
640{
641 if (is_normalized()) {
642 return *this;
643 }
644 BB_ASSERT(context);
645
646 // Value of this = this.v * this.mul + this.add; // where this.v = context->variables[this.witness_index]
647 // Normalised result = result.v * 1 + 0; // where result.v = this.v * this.mul + this.add
648 // We need a new gate to enforce that the `result` was correctly calculated from `this`.
649 field_t<Builder> result(context);
650 bb::fr value = context->get_variable(witness_index);
651
652 result.witness_index = context->add_variable(value * multiplicative_constant + additive_constant);
653 result.additive_constant = bb::fr::zero();
654 result.multiplicative_constant = bb::fr::one();
655
656 // The aim of a new `add` gate is to constrain
657 // this.v * this.mul + this.add == result.v
658 // Let
659 // a_scaling := this.mul;
660 // b_scaling := 0;
661 // c_scaling := -1;
662 // const_scaling := this.add;
663 // The `add` gate enforces the relation
664 // this.v * a_scaling + result.v * c_scaling + const_scaling = 0
665
666 context->create_add_gate({ .a = witness_index,
667 .b = context->zero_idx(),
668 .c = result.witness_index,
669 .a_scaling = multiplicative_constant,
670 .b_scaling = bb::fr::zero(),
671 .c_scaling = bb::fr::neg_one(),
672 .const_scaling = additive_constant });
673 result.tag = tag;
674 return result;
675}
676
680template <typename Builder> void field_t<Builder>::assert_is_zero(std::string const& msg) const
681{
682
683 if (is_constant()) {
684 BB_ASSERT_EQ(additive_constant == bb::fr::zero(), true, msg);
685 return;
686 }
687
688 if ((get_value() != bb::fr::zero()) && !context->failed()) {
689 context->failure(msg);
690 }
691 // Aim of a new arithmetic gate: constrain this.v * this.mul + this.add == 0
692 // I.e.:
693 // this.v * 0 * [ 0 ] + this.v * [this.mul] + 0 * [ 0 ] + 0 * [ 0 ] + [this.add] == 0
694 // this.v * 0 * [q_m] + this.v * [ q_l ] + 0 * [q_r] + 0 * [q_o] + [ q_c ] == 0
695
696 context->create_arithmetic_gate({
697 .a = witness_index,
698 .b = context->zero_idx(),
699 .c = context->zero_idx(),
700 .q_m = bb::fr::zero(),
701 .q_l = multiplicative_constant,
702 .q_r = bb::fr::zero(),
703 .q_o = bb::fr::zero(),
704 .q_c = additive_constant,
705 });
706}
707
711template <typename Builder> void field_t<Builder>::assert_is_not_zero(std::string const& msg) const
712{
713
714 if (is_constant()) {
715 BB_ASSERT_EQ(additive_constant != bb::fr::zero(), true, msg);
716 return;
717 }
718
719 if ((get_value() == bb::fr::zero()) && !context->failed()) {
720 context->failure(msg);
721 }
722
723 bb::fr inverse_value = (get_value() == bb::fr::zero()) ? bb::fr::zero() : get_value().invert();
724
725 field_t<Builder> inverse(witness_t<Builder>(context, inverse_value));
726
727 // inverse is added in the circuit for checking that field element is not zero
728 // and it won't be used anymore, so it's needed to add this element in used witnesses
729 mark_witness_as_used(inverse);
730
731 // Aim of a new arithmetic gate: `this` has an inverse (hence is not zero).
732 // I.e.:
733 // (this.v * this.mul + this.add) * inverse.v == 1;
734 // <=> this.v * inverse.v * [this.mul] + this.v * [ 0 ] + inverse.v * [this.add] + 0 * [ 0 ] + [ -1] == 0
735 // <=> this.v * inverse.v * [ q_m ] + this.v * [q_l] + inverse.v * [ q_r ] + 0 * [q_o] + [q_c] == 0
736
737 // (a * mul_const + add_const) * b - 1 = 0
738 context->create_arithmetic_gate({
739 .a = witness_index, // input value
740 .b = inverse.witness_index, // inverse
741 .c = context->zero_idx(), // no output
742 .q_m = multiplicative_constant, // a * b * mul_const
743 .q_l = bb::fr::zero(), // a * 0
744 .q_r = additive_constant, // b * mul_const
745 .q_o = bb::fr::zero(), // c * 0
746 .q_c = bb::fr::neg_one(), // -1
747 });
748}
749
776template <typename Builder> bool_t<Builder> field_t<Builder>::is_zero() const
777{
778 bb::fr native_value = get_value();
779 const bool is_zero_raw = native_value.is_zero();
780
781 if (is_constant()) {
782 // Create a constant bool_t
783 bool_t is_zero(context, is_zero_raw);
784 is_zero.set_origin_tag(get_origin_tag());
785 return is_zero;
786 }
787
788 bool_t is_zero = witness_t(context, is_zero_raw);
789
790 // This can be done out of circuit, as `is_zero = true` implies `I = 1`.
791 bb::fr inverse_native = (is_zero_raw) ? bb::fr::one() : native_value.invert();
792
793 field_t inverse = witness_t(context, inverse_native);
794
795 // Note that `evaluate_polynomial_identity(a, b, c, d)` checks that `a * b + c + d = 0`, so we are using it for the
796 // constraints 1) and 2) above.
797 // More precisely, to check that `a * I - 1 + is_zero = 0`, it creates a `big_mul_gate` given by the equation:
798 // a.v * I.v * mul_scaling + a.v * a_scaling + I.v * b_scaling + is_zero.v * c_scaling + (-1) * d_scaling +
799 // const_scaling = 0
800 // where
801 // muk_scaling := a.mul * I.mul;
802 // a_scaling := a.mul * I.add;
803 // b_scaling := I.mul * a.add;
804 // c_scaling := 1;
805 // d_scaling := 0;
806 // const_scaling := a.add * I.add + is_zero.add - 1;
807 field_t::evaluate_polynomial_identity(*this, inverse, is_zero, bb::fr::neg_one());
808
809 // To check that `-is_zero * I + is_zero = 0`, create a `big_mul_gate` given by the equation:
810 // is_zero.v * (-I).v * mul_scaling + is_zero.v * a_scaling + (-I).v * b_scaling + is_zero.v * c_scaling + 0 *
811 // d_scaling + const_scaling = 0
812 // where
813 // mul_scaling := is_zero.mul * (-I).mul;
814 // a_scaling := is_zero.mul * (-I).add;
815 // b_scaling := (-I).mul * is_zero.add;
816 // c_scaling := is_zero.mul;
817 // d_scaling := 0;
818 // const_scaling := is_zero.add * (-I).add + is_zero.add;
819 field_t::evaluate_polynomial_identity(is_zero, -inverse, is_zero, bb::fr::zero());
820 is_zero.set_origin_tag(tag);
821 return is_zero;
822}
829template <typename Builder> bb::fr field_t<Builder>::get_value() const
830{
831 if (!is_constant()) {
832 BB_ASSERT(context);
833 return (multiplicative_constant * context->get_variable(witness_index)) + additive_constant;
834 }
835 BB_ASSERT_DEBUG(multiplicative_constant == bb::fr::one());
836 // A constant field_t's value is tracked wholly by its additive_constant member.
837 return additive_constant;
838}
839
843template <typename Builder> bool_t<Builder> field_t<Builder>::operator==(const field_t& other) const
844{
845 return ((*this) - other).is_zero();
846}
847
851template <typename Builder> bool_t<Builder> field_t<Builder>::operator!=(const field_t& other) const
852{
853 return !operator==(other);
854}
855
859template <typename Builder>
860field_t<Builder> field_t<Builder>::conditional_negate(const bool_t<Builder>& predicate) const
861{
862 if (predicate.is_constant()) {
863 field_t result = predicate.get_value() ? -(*this) : *this;
864 result.set_origin_tag(OriginTag(get_origin_tag(), predicate.get_origin_tag()));
865 return result;
866 }
867 // Compute
868 // `predicate` * ( -2 * a ) + a.
869 // If predicate's value == true, then the output is `-a`, else it's `a`
870 static constexpr bb::fr minus_two(-2);
871 return field_t(predicate).madd(*this * minus_two, *this);
872}
873
885template <typename Builder>
886field_t<Builder> field_t<Builder>::conditional_assign_internal(const bool_t<Builder>& predicate,
887 const field_t& lhs,
888 const field_t& rhs)
889{
890 // If the predicate is constant, the conditional assignment can be done out of circuit
891 if (predicate.is_constant()) {
892 auto result = field_t(predicate.get_value() ? lhs : rhs);
893 result.set_origin_tag(OriginTag(predicate.get_origin_tag(), lhs.get_origin_tag(), rhs.get_origin_tag()));
894 return result;
895 }
896 // If lhs and rhs are the same witness or constant, just return it
897 if (witness_indices_match(lhs, rhs) && (lhs.additive_constant == rhs.additive_constant) &&
898 (lhs.multiplicative_constant == rhs.multiplicative_constant)) {
899 return lhs;
900 }
901
902 return (lhs - rhs).madd(predicate, rhs);
903}
904
909template <typename Builder>
910void field_t<Builder>::create_range_constraint(const size_t num_bits, std::string const& msg) const
911{
912 if (num_bits == 0) {
913 assert_is_zero("0-bit range_constraint on non-zero field_t.");
914 } else {
915 if (is_constant()) {
916 BB_ASSERT_LT(uint256_t(get_value()).get_msb(), num_bits, msg);
917 } else {
918 context->create_limbed_range_constraint(
919 normalize().witness_index, num_bits, bb::UltraCircuitBuilder::DEFAULT_PLOOKUP_RANGE_BITNUM, msg);
920 }
921 }
922}
923
931template <typename Builder> void field_t<Builder>::assert_equal(const field_t& rhs, std::string const& msg) const
932{
933 const field_t lhs = *this;
934 Builder* ctx = validate_context(lhs.get_context(), rhs.get_context());
935 if (lhs.is_constant() && rhs.is_constant()) {
936 BB_ASSERT_EQ(lhs.get_value(), rhs.get_value(), "field_t::assert_equal: constants are not equal");
937 return;
938 }
939 if (lhs.is_constant()) {
940 ctx->assert_equal_constant(rhs.get_witness_index(), lhs.get_value(), msg);
941 } else if (rhs.is_constant()) {
942 ctx->assert_equal_constant(lhs.get_witness_index(), rhs.get_value(), msg);
943 } else {
944 // Both are witnesses - save original tags and clear them to allow different transcript/free witness sources
945 // (e.g., proving 2 separate properties about same object through 2 different transcripts)
946 const auto lhs_original_tag = lhs.get_origin_tag();
947 const auto rhs_original_tag = rhs.get_origin_tag();
948 lhs.set_origin_tag(OriginTag());
949 rhs.set_origin_tag(OriginTag());
950
951 if (lhs.is_normalized() || rhs.is_normalized()) {
952 ctx->assert_equal(lhs.get_witness_index(), rhs.get_witness_index(), msg);
953 } else {
954 // Instead of creating 2 gates for normalizing both witnesses and applying a copy constraint, we use a
955 // single `add` gate constraining a - b = 0
956 ctx->create_add_gate({ .a = lhs.witness_index,
957 .b = rhs.witness_index,
958 .c = ctx->zero_idx(),
959 .a_scaling = lhs.multiplicative_constant,
960 .b_scaling = -rhs.multiplicative_constant,
961 .c_scaling = 0,
962 .const_scaling = lhs.additive_constant - rhs.additive_constant });
963 if ((lhs.get_value() != rhs.get_value()) && !ctx->failed()) {
964 ctx->failure(msg);
965 }
966 }
967
968 // Restore tags
969 lhs.set_origin_tag(lhs_original_tag);
970 rhs.set_origin_tag(rhs_original_tag);
971 }
972}
976template <typename Builder> void field_t<Builder>::assert_not_equal(const field_t& rhs, std::string const& msg) const
977{
978 const field_t lhs = *this;
979 const field_t diff = lhs - rhs;
980 diff.assert_is_not_zero(msg);
981}
985template <typename Builder>
986void field_t<Builder>::assert_is_in_set(const std::vector<field_t>& set, std::string const& msg) const
987{
988 const field_t input = *this;
989 field_t product = (input - set[0]);
990 for (size_t i = 1; i < set.size(); i++) {
991 product *= (input - set[i]);
992 }
993 product.assert_is_zero(msg);
994}
995
1003template <typename Builder>
1004std::array<field_t<Builder>, 4> field_t<Builder>::preprocess_two_bit_table(const field_t& T0,
1005 const field_t& T1,
1006 const field_t& T2,
1007 const field_t& T3)
1008{
1009
1010 std::array<field_t, 4> table;
1011 table[0] = T0; // const coeff
1012 table[1] = T1 - T0; // t0 coeff
1013 table[2] = T2 - T0; // t1 coeff
1014 table[3] = T3.add_two(-table[2], -T1); // t0t1 coeff
1015 return table;
1016}
1017
1021template <typename Builder>
1022std::array<field_t<Builder>, 8> field_t<Builder>::preprocess_three_bit_table(const field_t& T0,
1023 const field_t& T1,
1024 const field_t& T2,
1025 const field_t& T3,
1026 const field_t& T4,
1027 const field_t& T5,
1028 const field_t& T6,
1029 const field_t& T7)
1030{
1031 std::array<field_t, 8> table;
1032 table[0] = T0; // const coeff
1033 table[1] = T1 - T0; // t0 coeff
1034 table[2] = T2 - T0; // t1 coeff
1035 table[3] = T4 - T0; // t2 coeff
1036 table[4] = T3.add_two(-table[2], -T1); // t0t1 coeff
1037 table[5] = T5.add_two(-table[3], -T1); // t0t2 coeff
1038 table[6] = T6.add_two(-table[3], -T2); // t1t2 coeff
1039 table[7] = T7.add_two(-T6 - T5, T4 - table[4]); // t0t1t2 coeff
1040 return table;
1041}
1042
1047template <typename Builder>
1048field_t<Builder> field_t<Builder>::select_from_two_bit_table(const std::array<field_t, 4>& table,
1049 const bool_t<Builder>& t1,
1050 const bool_t<Builder>& t0)
1051{
1052 field_t R0 = field_t(t1).madd(table[3], table[1]);
1053 field_t R1 = R0.madd(field_t(t0), table[0]);
1054 field_t R2 = field_t(t1).madd(table[2], R1);
1055 return R2;
1056}
1057
1069template <typename Builder>
1070field_t<Builder> field_t<Builder>::select_from_three_bit_table(const std::array<field_t, 8>& table,
1071 const bool_t<Builder>& t2,
1072 const bool_t<Builder>& t1,
1073 const bool_t<Builder>& t0)
1074{
1075 field_t R0 = field_t(t0).madd(table[7], table[6]);
1076 field_t R1 = field_t(t1).madd(R0, table[3]);
1077 field_t R2 = field_t(t2).madd(R1, table[0]);
1078 field_t R3 = field_t(t0).madd(table[4], table[2]);
1079 field_t R4 = field_t(t1).madd(R3, R2);
1080 field_t R5 = field_t(t2).madd(table[5], table[1]);
1081 field_t R6 = field_t(t0).madd(R5, R4);
1082 return R6;
1083}
1084
1088template <typename Builder>
1089void field_t<Builder>::evaluate_linear_identity(
1090 const field_t& a, const field_t& b, const field_t& c, const field_t& d, const std::string& msg)
1091{
1092 Builder* ctx = validate_context(a.context, b.context, c.context, d.context);
1093
1094 if (a.is_constant() && b.is_constant() && c.is_constant() && d.is_constant()) {
1095 BB_ASSERT_EQ(a.get_value() + b.get_value() + c.get_value() + d.get_value(), 0);
1096 return;
1097 }
1098
1099 const bool identity_holds = (a.get_value() + b.get_value() + c.get_value() + d.get_value()).is_zero();
1100 if (!identity_holds && !ctx->failed()) {
1101 ctx->failure(msg);
1102 }
1103
1104 // validate that a + b + c + d = 0
1105 bb::fr const_scaling = a.additive_constant + b.additive_constant + c.additive_constant + d.additive_constant;
1106
1107 ctx->create_big_add_gate({
1108 .a = a.is_constant() ? ctx->zero_idx() : a.witness_index,
1109 .b = b.is_constant() ? ctx->zero_idx() : b.witness_index,
1110 .c = c.is_constant() ? ctx->zero_idx() : c.witness_index,
1111 .d = d.is_constant() ? ctx->zero_idx() : d.witness_index,
1112 .a_scaling = a.multiplicative_constant,
1113 .b_scaling = b.multiplicative_constant,
1114 .c_scaling = c.multiplicative_constant,
1115 .d_scaling = d.multiplicative_constant,
1116 .const_scaling = const_scaling,
1117 });
1118}
1124template <typename Builder>
1125void field_t<Builder>::evaluate_polynomial_identity(
1126 const field_t& a, const field_t& b, const field_t& c, const field_t& d, const std::string& msg)
1127{
1128 if (a.is_constant() && b.is_constant() && c.is_constant() && d.is_constant()) {
1129 BB_ASSERT((a.get_value() * b.get_value() + c.get_value() + d.get_value()).is_zero());
1130 return;
1131 }
1132
1133 Builder* ctx = validate_context(a.context, b.context, c.context, d.context);
1134
1135 const bool identity_holds = ((a.get_value() * b.get_value()) + c.get_value() + d.get_value()).is_zero();
1136 if (!identity_holds && !ctx->failed()) {
1137 ctx->failure(msg);
1138 }
1139
1140 // validate that a * b + c + d = 0
1141 bb::fr mul_scaling = a.multiplicative_constant * b.multiplicative_constant;
1142 bb::fr a_scaling = a.multiplicative_constant * b.additive_constant;
1143 bb::fr b_scaling = b.multiplicative_constant * a.additive_constant;
1144 bb::fr c_scaling = c.multiplicative_constant;
1145 bb::fr d_scaling = d.multiplicative_constant;
1146 bb::fr const_scaling = a.additive_constant * b.additive_constant + c.additive_constant + d.additive_constant;
1147
1148 ctx->create_big_mul_add_gate({
1149 .a = a.is_constant() ? ctx->zero_idx() : a.witness_index,
1150 .b = b.is_constant() ? ctx->zero_idx() : b.witness_index,
1151 .c = c.is_constant() ? ctx->zero_idx() : c.witness_index,
1152 .d = d.is_constant() ? ctx->zero_idx() : d.witness_index,
1153 .mul_scaling = mul_scaling,
1154 .a_scaling = a_scaling,
1155 .b_scaling = b_scaling,
1156 .c_scaling = c_scaling,
1157 .d_scaling = d_scaling,
1158 .const_scaling = const_scaling,
1159 });
1160}
1161
1168template <typename Builder> field_t<Builder> field_t<Builder>::accumulate(const std::vector<field_t>& input)
1169{
1170 if (input.empty()) {
1171 return field_t(bb::fr::zero());
1172 }
1173
1174 if (input.size() == 1) {
1175 return input[0].normalize();
1176 }
1177
1178 std::vector<field_t> accumulator;
1179 field_t constant_term = bb::fr::zero();
1180
1181 // Remove constant terms from input field elements
1182 for (const auto& element : input) {
1183 if (element.is_constant()) {
1184 constant_term += element;
1185 } else {
1186 accumulator.emplace_back(element);
1187 }
1188 }
1189 if (accumulator.empty()) {
1190 return constant_term;
1191 }
1192 // Add the accumulated constant term to the first witness. It does not create any gates - only the additive
1193 // constant of `accumulator[0]` is updated.
1194 accumulator[0] += constant_term;
1195
1196 // At this point, the `accumulator` vector consisting of witnesses is not empty, so we can extract the context.
1197 Builder* ctx = validate_context<Builder>(accumulator);
1198
1199 // Step 2: compute output value
1200 size_t num_elements = accumulator.size();
1201 bb::fr output = bb::fr::zero();
1202 for (const auto& acc : accumulator) {
1203 output += acc.get_value();
1204 }
1205
1206 // Pad the accumulator with zeroes so that its size is a multiple of 3.
1207 const size_t num_padding_wires = (num_elements % 3) == 0 ? 0 : 3 - (num_elements % 3);
1208 for (size_t i = 0; i < num_padding_wires; ++i) {
1209 accumulator.emplace_back(field_t<Builder>::from_witness_index(ctx, ctx->zero_idx()));
1210 }
1211 num_elements = accumulator.size();
1212 const size_t num_gates = (num_elements / 3);
1213 // Last gate is handled separetely
1214 const size_t last_gate_idx = num_gates - 1;
1215
1216 field_t total = witness_t(ctx, output);
1217 field_t accumulating_total = total;
1218
1219 // Let
1220 // a_i := accumulator[3*i];
1221 // b_i := accumulator[3*i+1];
1222 // c_i := accumulator[3*i+2];
1223 // d_0 := total;
1224 // d_i := total - \sum_(j < 3*i) accumulator[j];
1225 // which leads us to equations
1226 // d_{i+1} = d_{i} - a_i - b_i - c_i for i = 0, ..., last_idx - 1;
1227 // 0 = d_{i} - a_i - b_i - c_i for i = last_gate_idx,
1228 // that are turned into constraints below.
1229
1230 for (size_t i = 0; i < last_gate_idx; ++i) {
1231 // For i < last_gate_idx, we create a `big_add_gate` constraint
1232 // a_i.v * a_scaling + b_i.v * b_scaling + c_i.v * c_scaling + d_i.v * d_scaling + const_scaling +
1233 // w_4_omega = 0
1234 // where
1235 // a_scaling := a_i.mul
1236 // b_scaling := b_i.mul
1237 // c_scaling := c_i.mul
1238 // d_scaling := -1
1239 // const_scaling := a_i.add + b_i.add + c_i.add
1240 // w_4_omega := d_{i+1}
1241 ctx->create_big_add_gate(
1242 {
1243 .a = accumulator[3 * i].witness_index,
1244 .b = accumulator[3 * i + 1].witness_index,
1245 .c = accumulator[3 * i + 2].witness_index,
1246 .d = accumulating_total.witness_index,
1247 .a_scaling = accumulator[3 * i].multiplicative_constant,
1248 .b_scaling = accumulator[3 * i + 1].multiplicative_constant,
1249 .c_scaling = accumulator[3 * i + 2].multiplicative_constant,
1250 .d_scaling = -1,
1251 .const_scaling = accumulator[3 * i].additive_constant + accumulator[3 * i + 1].additive_constant +
1252 accumulator[3 * i + 2].additive_constant,
1253 },
1254 /*use_next_gate_w_4 = */ true);
1255 bb::fr new_total = accumulating_total.get_value() - accumulator[3 * i].get_value() -
1256 accumulator[3 * i + 1].get_value() - accumulator[3 * i + 2].get_value();
1257 accumulating_total = witness_t<Builder>(ctx, new_total);
1258 }
1259
1260 // For i = last_gate_idx, we create a `big_add_gate` constraining
1261 // a_i.v * a_scaling + b_i.v * b_scaling + c_i.v * c_scaling + d_i.v * d_scaling + const_scaling = 0
1262 ctx->create_big_add_gate({
1263 .a = accumulator[3 * last_gate_idx].witness_index,
1264 .b = accumulator[3 * last_gate_idx + 1].witness_index,
1265 .c = accumulator[3 * last_gate_idx + 2].witness_index,
1266 .d = accumulating_total.witness_index,
1267 .a_scaling = accumulator[3 * last_gate_idx].multiplicative_constant,
1268 .b_scaling = accumulator[3 * last_gate_idx + 1].multiplicative_constant,
1269 .c_scaling = accumulator[3 * last_gate_idx + 2].multiplicative_constant,
1270 .d_scaling = -1,
1271 .const_scaling = accumulator[3 * last_gate_idx].additive_constant +
1272 accumulator[3 * last_gate_idx + 1].additive_constant +
1273 accumulator[3 * last_gate_idx + 2].additive_constant,
1274 });
1275 OriginTag new_tag{};
1276 for (const auto& single_input : input) {
1277 new_tag = OriginTag(new_tag, single_input.tag);
1278 }
1279 total.tag = new_tag;
1280 return total.normalize();
1281}
1282
1291template <typename Builder>
1292std::pair<field_t<Builder>, field_t<Builder>> field_t<Builder>::no_wrap_split_at(const size_t lsb_index,
1293 const size_t num_bits) const
1294{
1295 BB_ASSERT(lsb_index < num_bits);
1296 BB_ASSERT(num_bits <= grumpkin::MAX_NO_WRAP_INTEGER_BIT_LENGTH);
1297
1298 const uint256_t value = get_value();
1299 const uint256_t hi = value >> lsb_index;
1300 const uint256_t lo = value % (uint256_t(1) << lsb_index);
1301
1302 if (is_constant()) {
1303 // If `*this` is constant, we can return the split values directly
1304 BB_ASSERT(lo + (hi << lsb_index) == value);
1305 return std::make_pair(field_t<Builder>(lo), field_t<Builder>(hi));
1306 }
1307
1308 // Handle edge case when lsb_index == 0
1309 if (lsb_index == 0) {
1310 BB_ASSERT(hi == value);
1311 BB_ASSERT(lo == 0);
1312 create_range_constraint(num_bits, "split_at: hi value too large.");
1313 return std::make_pair(field_t<Builder>(0), *this);
1314 }
1315
1316 Builder* ctx = get_context();
1317 BB_ASSERT(ctx != nullptr);
1318
1319 field_t<Builder> lo_wit(witness_t(ctx, lo));
1320 field_t<Builder> hi_wit(witness_t(ctx, hi));
1321
1322 // Ensure that `lo_wit` is in the range [0, 2^lsb_index - 1]
1323 lo_wit.create_range_constraint(lsb_index, "split_at: lo value too large.");
1324
1325 // Ensure that `hi_wit` is in the range [0, 2^(num_bits - lsb_index) - 1]
1326 hi_wit.create_range_constraint(num_bits - lsb_index, "split_at: hi value too large.");
1327
1328 // Check that *this = lo_wit + hi_wit * 2^{lsb_index}
1329 const field_t<Builder> reconstructed = lo_wit + (hi_wit * field_t<Builder>(uint256_t(1) << lsb_index));
1330 assert_equal(reconstructed, "split_at: decomposition failed");
1331
1332 // Set the origin tag for both witnesses
1333 lo_wit.set_origin_tag(tag);
1334 hi_wit.set_origin_tag(tag);
1335
1336 return std::make_pair(lo_wit, hi_wit);
1337}
1338
1339template class field_t<bb::UltraCircuitBuilder>;
1340template class field_t<bb::MegaCircuitBuilder>;
1341
1342} // namespace bb::stdlib
BB_ASSERT
#define BB_ASSERT(expression,...)
Definition assert.hpp:70
BB_ASSERT_DEBUG
#define BB_ASSERT_DEBUG(expression,...)
Definition assert.hpp:55
BB_ASSERT_EQ
#define BB_ASSERT_EQ(actual, expected,...)
Definition assert.hpp:83
BB_ASSERT_LT
#define BB_ASSERT_LT(left, right,...)
Definition assert.hpp:143
bb::UltraCircuitBuilder_::DEFAULT_PLOOKUP_RANGE_BITNUM
static constexpr size_t DEFAULT_PLOOKUP_RANGE_BITNUM
Definition ultra_circuit_builder.hpp:53
bb::numeric::uint256_t
Definition uint256.hpp:32
bb::numeric::uint256_t::data
uint64_t data[4]
Definition uint256.hpp:216
bb::numeric::uint256_t::get_msb
constexpr uint64_t get_msb() const
Definition uint256_impl.hpp:329
bb::stdlib::bool_t
Implements boolean logic in-circuit.
Definition bool.hpp:60
bb::stdlib::bool_t::get_value
bool get_value() const
Definition bool.hpp:125
bb::stdlib::bool_t::is_constant
bool is_constant() const
Definition bool.hpp:127
bb::stdlib::bool_t::set_origin_tag
void set_origin_tag(const OriginTag &new_tag) const
Definition bool.hpp:154
bb::stdlib::bool_t::witness_bool
bool witness_bool
Definition bool.hpp:169
bb::stdlib::bool_t::witness_index
uint32_t witness_index
Index of the witness in the builder's witness vector.
Definition bool.hpp:178
bb::stdlib::bool_t::witness_inverted
bool witness_inverted
Definition bool.hpp:170
bb::stdlib::bool_t::tag
OriginTag tag
Definition bool.hpp:179
bb::stdlib::bool_t::get_origin_tag
OriginTag get_origin_tag() const
Definition bool.hpp:155
bb::stdlib::field_t
Definition field.hpp:46
bb::stdlib::field_t< Builder >::assert_is_zero
void assert_is_zero(std::string const &msg="field_t::assert_is_zero") const
Enforce a copy constraint between *this and 0 stored at zero_idx of the Builder.
Definition field.cpp:680
bb::stdlib::field_t< Builder >::conditional_negate
field_t conditional_negate(const bool_t< Builder > &predicate) const
If predicate's value == true, negate the value, else keep it unchanged.
Definition field.cpp:860
bb::stdlib::field_t::Builder
Builder_ Builder
Definition field.hpp:48
bb::stdlib::field_t< Builder >::assert_is_in_set
void assert_is_in_set(const std::vector< field_t > &set, std::string const &msg="field_t::assert_not_in_set") const
Constrain *this \in set by enforcing that P(X) = \prod_{s \in set} (X - s) is 0 at X = *this.
Definition field.cpp:986
bb::stdlib::field_t::assert_equal
void assert_equal(const field_t &rhs, std::string const &msg="field_t::assert_equal") const
Copy constraint: constrain that *this field is equal to rhs element.
Definition field.cpp:931
bb::stdlib::field_t< Builder >::assert_not_equal
void assert_not_equal(const field_t &rhs, std::string const &msg="field_t::assert_not_equal") const
Constrain *this to be not equal to rhs.
Definition field.cpp:976
bb::stdlib::field_t::is_normalized
bool is_normalized() const
Definition field.hpp:431
bb::stdlib::field_t< Builder >::madd
field_t madd(const field_t &to_mul, const field_t &to_add) const
Definition field.cpp:511
bb::stdlib::field_t< Builder >::from_witness_index
static field_t from_witness_index(Builder *ctx, uint32_t witness_index)
Definition field.cpp:63
bb::stdlib::field_t< Builder >::operator+
field_t operator+(const field_t &other) const
Field addition operator.
Definition field.cpp:125
bb::stdlib::field_t< Builder >::operator!=
bool_t< Builder > operator!=(const field_t &other) const
Compute a bool_t equal to (a != b)
Definition field.cpp:851
bb::stdlib::field_t::additive_constant
bb::fr additive_constant
Definition field.hpp:94
bb::stdlib::field_t< Builder >::select_from_three_bit_table
static field_t select_from_three_bit_table(const std::array< field_t, 8 > &table, const bool_t< Builder > &t2, const bool_t< Builder > &t1, const bool_t< Builder > &t0)
Given a multilinear polynomial in 3 variables, which is represented by a table of monomial coefficien...
Definition field.cpp:1070
bb::stdlib::field_t< Builder >::evaluate_polynomial_identity
static void evaluate_polynomial_identity(const field_t &a, const field_t &b, const field_t &c, const field_t &d, const std::string &msg="field_t::evaluate_polynomial_identity")
Given a, b, c, d, constrain a * b + c + d = 0 by creating a big_mul_gate.
Definition field.cpp:1125
bb::stdlib::field_t< Builder >::accumulate
static field_t accumulate(const std::vector< field_t > &input)
Efficiently compute the sum of vector entries. Using big_add_gate we reduce the number of gates neede...
Definition field.cpp:1168
bb::stdlib::field_t::tag
OriginTag tag
Definition field.hpp:148
bb::stdlib::field_t< Builder >::operator-
field_t operator-() const
Definition field.hpp:336
bb::stdlib::field_t< Builder >::create_range_constraint
void create_range_constraint(size_t num_bits, std::string const &msg="field_t::range_constraint") const
Let x = *this.normalize(), constrain x.v < 2^{num_bits}.
Definition field.cpp:910
bb::stdlib::field_t< Builder >::divide_no_zero_check
field_t divide_no_zero_check(const field_t &other) const
Given field elements a = *this and b = other, output a / b without checking whether b = 0.
Definition field.cpp:313
bb::stdlib::field_t::context
Builder * context
Definition field.hpp:57
bb::stdlib::field_t< Builder >::preprocess_three_bit_table
static std::array< field_t, 8 > preprocess_three_bit_table(const field_t &T0, const field_t &T1, const field_t &T2, const field_t &T3, const field_t &T4, const field_t &T5, const field_t &T6, const field_t &T7)
Given a table T of size 8, outputs the monomial coefficients of the multilinear polynomial in t0,...
Definition field.cpp:1022
bb::stdlib::field_t::multiplicative_constant
bb::fr multiplicative_constant
Definition field.hpp:95
bb::stdlib::field_t::get_context
Builder * get_context() const
Definition field.hpp:420
bb::stdlib::field_t::sqr
field_t sqr() const
Definition field.hpp:272
bb::stdlib::field_t< Builder >::conditional_assign_internal
static field_t conditional_assign_internal(const bool_t< Builder > &predicate, const field_t &lhs, const field_t &rhs)
If predicate == true then return lhs, else return rhs.
Definition field.cpp:886
bb::stdlib::field_t::get_origin_tag
OriginTag get_origin_tag() const
Definition field.hpp:347
bb::stdlib::field_t::get_value
bb::fr get_value() const
Given a := *this, compute its value given by a.v * a.mul + a.add.
Definition field.cpp:829
bb::stdlib::field_t< Builder >::operator*
field_t operator*(const field_t &other) const
Field multiplication operator.
Definition field.cpp:193
bb::stdlib::field_t< Builder >::field_t
field_t(Builder *parent_context=nullptr)
Definition field.cpp:21
bb::stdlib::field_t::normalize
field_t normalize() const
Return a new element, where the in-circuit witness contains the actual represented value (multiplicat...
Definition field.cpp:639
bb::stdlib::field_t< Builder >::select_from_two_bit_table
static field_t select_from_two_bit_table(const std::array< field_t, 4 > &table, const bool_t< Builder > &t1, const bool_t< Builder > &t0)
Given a multilinear polynomial in 2 variables, which is represented by a table of monomial coefficien...
Definition field.cpp:1048
bb::stdlib::field_t< Builder >::is_zero
bool_t< Builder > is_zero() const
Validate whether a field_t element is zero.
Definition field.cpp:776
bb::stdlib::field_t< Builder >::pow
field_t pow(const uint32_t &exponent) const
Raise this field element to the power of the provided uint32_t exponent.
Definition field.cpp:423
bb::stdlib::field_t< Builder >::evaluate_linear_identity
static void evaluate_linear_identity(const field_t &a, const field_t &b, const field_t &c, const field_t &d, const std::string &msg="field_t::evaluate_linear_identity")
Constrain a + b + c + d to be equal to 0.
Definition field.cpp:1089
bb::stdlib::field_t::is_constant
bool is_constant() const
Definition field.hpp:430
bb::stdlib::field_t< Builder >::preprocess_two_bit_table
static std::array< field_t, 4 > preprocess_two_bit_table(const field_t &T0, const field_t &T1, const field_t &T2, const field_t &T3)
Given a table T of size 4, outputs the monomial coefficients of the multilinear polynomial in t0,...
Definition field.cpp:1004
bb::stdlib::field_t::set_free_witness_tag
void set_free_witness_tag()
Set the free witness flag for the field element's tag.
Definition field.hpp:352
bb::stdlib::field_t::set_origin_tag
void set_origin_tag(const OriginTag &new_tag) const
Definition field.hpp:346
bb::stdlib::field_t::witness_index
uint32_t witness_index
Definition field.hpp:145
bb::stdlib::field_t< Builder >::add_two
field_t add_two(const field_t &add_b, const field_t &add_c) const
Efficiently compute (this + a + b) using big_mul gate.
Definition field.cpp:576
bb::stdlib::field_t< Builder >::no_wrap_split_at
std::pair< field_t< Builder >, field_t< Builder > > no_wrap_split_at(const size_t lsb_index, const size_t num_bits=grumpkin::MAX_NO_WRAP_INTEGER_BIT_LENGTH) const
Splits the field element into (lo, hi), where:
Definition field.cpp:1292
bb::stdlib::field_t::assert_is_not_zero
void assert_is_not_zero(std::string const &msg="field_t::assert_is_not_zero") const
Constrain *this to be non-zero by establishing that it has an inverse.
Definition field.cpp:711
bb::stdlib::field_t< Builder >::operator/
field_t operator/(const field_t &other) const
Since in divide_no_zero_check, we check by the constraint , if , we can set to any value and it wil...
Definition field.cpp:303
bb::stdlib::field_t< Builder >::operator==
bool_t< Builder > operator==(const field_t &other) const
Compute a bool_t equal to (a == b)
Definition field.cpp:843
bb::stdlib::field_t::get_witness_index
uint32_t get_witness_index() const
Get the witness index of the current field element.
Definition field.hpp:507
bb::stdlib::witness_t
Definition witness.hpp:16
context
StrictMock< MockContext > context
Definition data_copy.test.cpp:59
a
FF a
Definition field_gt.test.cpp:52
b
FF b
Definition field_gt.test.cpp:53
field_utils.hpp
bb::grumpkin::MAX_NO_WRAP_INTEGER_BIT_LENGTH
constexpr size_t MAX_NO_WRAP_INTEGER_BIT_LENGTH
Definition grumpkin.hpp:15
bb::numeric::get_msb
constexpr T get_msb(const T in)
Definition get_msb.hpp:47
bb::stdlib::validate_context
T * validate_context(T *ptr)
Definition field.hpp:17
bb::stdlib::element
std::conditional_t< IsGoblinBigGroup< C, Fq, Fr, G >, element_goblin::goblin_element< C, goblin_field< C >, Fr, G >, element_default::element< C, Fq, Fr, G > > element
element wraps either element_default::element or element_goblin::goblin_element depending on parametr...
Definition biggroup.hpp:995
bb::stdlib::mark_witness_as_used
void mark_witness_as_used(const field_t< Builder > &field)
Mark a field_t witness as used (for UltraBuilder only).
Definition field_utils.cpp:97
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
bb::operator+
Univariate< Fr, domain_end > operator+(const Fr &ff, const Univariate< Fr, domain_end > &uv)
Definition univariate.hpp:555
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
value
FF value
Definition public_data_tree.test.cpp:97
bb::field< Bn254FrParams >::neg_one
static constexpr field neg_one()
Definition field_declarations.hpp:243
bb::field< Bn254FrParams >::one
static constexpr field one()
Definition field_declarations.hpp:244
bb::field::invert
constexpr field invert() const noexcept
Definition field_impl.hpp:377
bb::field::self_neg
BB_INLINE constexpr void self_neg() &noexcept
Definition field_impl.hpp:203
bb::field::is_zero
BB_INLINE constexpr bool is_zero() const noexcept
Definition field_impl.hpp:658
bb::field< Bn254FrParams >::zero
static constexpr field zero()
Definition field_declarations.hpp:242