Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
ultra_circuit_builder.cpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: not started, auditors: [], date: YYYY-MM-DD }
3// external_1: { status: not started, auditors: [], date: YYYY-MM-DD }
4// external_2: { status: not started, auditors: [], date: YYYY-MM-DD }
5// =====================
6
12#include "ultra_circuit_builder.hpp"
13#include "barretenberg/common/assert.hpp"
14#include "barretenberg/common/ref_vector.hpp"
15#include "barretenberg/crypto/poseidon2/poseidon2_params.hpp"
16#include "rom_ram_logic.hpp"
17
18#include "barretenberg/crypto/sha256/sha256.hpp"
19#include "barretenberg/serialize/msgpack_impl.hpp"
20#include <execution>
21#include <unordered_map>
22#include <unordered_set>
23
24namespace bb {
25
26template <typename ExecutionTrace>
27void UltraCircuitBuilder_<ExecutionTrace>::finalize_circuit(const bool ensure_nonzero)
28{
54 if (!circuit_finalized) {
55 if (ensure_nonzero) {
56 add_gates_to_ensure_all_polys_are_non_zero();
57 }
58 process_non_native_field_multiplications();
59#ifndef ULTRA_FUZZ
60 this->rom_ram_logic.process_ROM_arrays(this);
61 this->rom_ram_logic.process_RAM_arrays(this);
62 process_range_lists();
63#endif
64 populate_public_inputs_block();
65 circuit_finalized = true;
66 } else {
67 // Gates added after first call to finalize will not be processed since finalization is only performed once
68 info("WARNING: Redundant call to finalize_circuit(). Is this intentional?");
69 }
70}
71
75template <typename ExecutionTrace> void UltraCircuitBuilder_<ExecutionTrace>::populate_public_inputs_block()
76{
77 BB_BENCH_NAME("populate_public_inputs_block");
78
79 // Update the public inputs block
80 for (const auto& idx : this->public_inputs()) {
81 // first two wires get a copy of the public inputs
82 blocks.pub_inputs.populate_wires(idx, idx, this->zero_idx(), this->zero_idx());
83 for (auto& selector : this->blocks.pub_inputs.get_selectors()) {
84 selector.emplace_back(0);
85 }
86 }
87}
88
94// TODO(#423): This function adds valid (but arbitrary) gates to ensure that the circuit which includes
95// them will not result in any zero-polynomials. It also ensures that the first coefficient of the wire
96// polynomials is zero, which is required for them to be shiftable.
97template <typename ExecutionTrace>
98void UltraCircuitBuilder_<ExecutionTrace>::add_gates_to_ensure_all_polys_are_non_zero()
99{
100 // q_m, q_1, q_2, q_3, q_4
101 blocks.arithmetic.populate_wires(this->zero_idx(), this->zero_idx(), this->zero_idx(), this->zero_idx());
102 blocks.arithmetic.q_m().emplace_back(1);
103 blocks.arithmetic.q_1().emplace_back(1);
104 blocks.arithmetic.q_2().emplace_back(1);
105 blocks.arithmetic.q_3().emplace_back(1);
106 blocks.arithmetic.q_4().emplace_back(1);
107 blocks.arithmetic.q_c().emplace_back(0);
108 blocks.arithmetic.set_gate_selector(0);
109 check_selector_length_consistency();
110 this->increment_num_gates();
111
112 // q_delta_range
113 blocks.delta_range.populate_wires(this->zero_idx(), this->zero_idx(), this->zero_idx(), this->zero_idx());
114 blocks.delta_range.q_m().emplace_back(0);
115 blocks.delta_range.q_1().emplace_back(0);
116 blocks.delta_range.q_2().emplace_back(0);
117 blocks.delta_range.q_3().emplace_back(0);
118 blocks.delta_range.q_4().emplace_back(0);
119 blocks.delta_range.q_c().emplace_back(0);
120 blocks.delta_range.set_gate_selector(1);
121
122 check_selector_length_consistency();
123 this->increment_num_gates();
124 create_unconstrained_gate(
125 blocks.delta_range, this->zero_idx(), this->zero_idx(), this->zero_idx(), this->zero_idx());
126
127 // q_elliptic
128 blocks.elliptic.populate_wires(this->zero_idx(), this->zero_idx(), this->zero_idx(), this->zero_idx());
129 blocks.elliptic.q_m().emplace_back(0);
130 blocks.elliptic.q_1().emplace_back(0);
131 blocks.elliptic.q_2().emplace_back(0);
132 blocks.elliptic.q_3().emplace_back(0);
133 blocks.elliptic.q_4().emplace_back(0);
134 blocks.elliptic.q_c().emplace_back(0);
135 blocks.elliptic.set_gate_selector(1);
136 check_selector_length_consistency();
137 this->increment_num_gates();
138 create_unconstrained_gate(blocks.elliptic, this->zero_idx(), this->zero_idx(), this->zero_idx(), this->zero_idx());
139
140 // q_memory
141 blocks.memory.populate_wires(this->zero_idx(), this->zero_idx(), this->zero_idx(), this->zero_idx());
142 blocks.memory.q_m().emplace_back(0);
143 blocks.memory.q_1().emplace_back(0);
144 blocks.memory.q_2().emplace_back(0);
145 blocks.memory.q_3().emplace_back(0);
146 blocks.memory.q_4().emplace_back(0);
147 blocks.memory.q_c().emplace_back(0);
148 blocks.memory.set_gate_selector(1);
149 check_selector_length_consistency();
150 this->increment_num_gates();
151 create_unconstrained_gate(blocks.memory, this->zero_idx(), this->zero_idx(), this->zero_idx(), this->zero_idx());
152
153 // q_nnf
154 blocks.nnf.populate_wires(this->zero_idx(), this->zero_idx(), this->zero_idx(), this->zero_idx());
155 blocks.nnf.q_m().emplace_back(0);
156 blocks.nnf.q_1().emplace_back(0);
157 blocks.nnf.q_2().emplace_back(0);
158 blocks.nnf.q_3().emplace_back(0);
159 blocks.nnf.q_4().emplace_back(0);
160 blocks.nnf.q_c().emplace_back(0);
161 blocks.nnf.set_gate_selector(1);
162 check_selector_length_consistency();
163 this->increment_num_gates();
164 create_unconstrained_gate(blocks.nnf, this->zero_idx(), this->zero_idx(), this->zero_idx(), this->zero_idx());
165
166 // Add nonzero values in w_4 and q_c (q_4*w_4 + q_c --> 1*1 - 1 = 0)
167 uint32_t one_idx = put_constant_variable(FF::one());
168 create_big_add_gate({ this->zero_idx(), this->zero_idx(), this->zero_idx(), one_idx, 0, 0, 0, 1, -1 });
169
170 // Take care of all polys related to lookups (q_lookup, tables, sorted, etc)
171 // by doing a dummy lookup with a special table.
172 // Note: the 4th table poly is the table index: this is not the value of the table
173 // type enum but rather the index of the table in the list of all tables utilized
174 // in the circuit. Therefore we naively need two different basic tables (indices 0, 1)
175 // to get a non-zero value in table_4.
176 // The multitable operates on 2-bit values, so the maximum is 3
177 uint32_t left_value = 3;
178 uint32_t right_value = 3;
179
180 FF left_witness_value = fr{ left_value, 0, 0, 0 }.to_montgomery_form();
181 FF right_witness_value = fr{ right_value, 0, 0, 0 }.to_montgomery_form();
182
183 uint32_t left_witness_index = this->add_variable(left_witness_value);
184 uint32_t right_witness_index = this->add_variable(right_witness_value);
185 const auto dummy_accumulators = plookup::get_lookup_accumulators(
186 plookup::MultiTableId::HONK_DUMMY_MULTI, left_witness_value, right_witness_value, true);
187 auto read_data = create_gates_from_plookup_accumulators(
188 plookup::MultiTableId::HONK_DUMMY_MULTI, dummy_accumulators, left_witness_index, right_witness_index);
189
190 update_used_witnesses(left_witness_index);
191 update_used_witnesses(right_witness_index);
192 std::array<std::vector<uint32_t>, 3> parse_read_data{ read_data[plookup::ColumnIdx::C1],
193 read_data[plookup::ColumnIdx::C2],
194 read_data[plookup::ColumnIdx::C3] };
195 for (const auto& column : parse_read_data) {
196 update_used_witnesses(column);
197 update_finalize_witnesses(column);
198 }
199
200 // mock a poseidon external gate, with all zeros as input
201 blocks.poseidon2_external.populate_wires(this->zero_idx(), this->zero_idx(), this->zero_idx(), this->zero_idx());
202 blocks.poseidon2_external.q_m().emplace_back(0);
203 blocks.poseidon2_external.q_1().emplace_back(0);
204 blocks.poseidon2_external.q_2().emplace_back(0);
205 blocks.poseidon2_external.q_3().emplace_back(0);
206 blocks.poseidon2_external.q_c().emplace_back(0);
207 blocks.poseidon2_external.q_4().emplace_back(0);
208 blocks.poseidon2_external.set_gate_selector(1);
209 check_selector_length_consistency();
210 this->increment_num_gates();
211
212 // unconstrained gate to be read into by previous poseidon external gate via shifts
213 create_unconstrained_gate(
214 blocks.poseidon2_external, this->zero_idx(), this->zero_idx(), this->zero_idx(), this->zero_idx());
215
216 // mock a poseidon internal gate, with all zeros as input
217 blocks.poseidon2_internal.populate_wires(this->zero_idx(), this->zero_idx(), this->zero_idx(), this->zero_idx());
218 blocks.poseidon2_internal.q_m().emplace_back(0);
219 blocks.poseidon2_internal.q_1().emplace_back(0);
220 blocks.poseidon2_internal.q_2().emplace_back(0);
221 blocks.poseidon2_internal.q_3().emplace_back(0);
222 blocks.poseidon2_internal.q_c().emplace_back(0);
223 blocks.poseidon2_internal.q_4().emplace_back(0);
224 blocks.poseidon2_internal.set_gate_selector(1);
225 check_selector_length_consistency();
226 this->increment_num_gates();
227
228 // dummy gate to be read into by previous poseidon internal gate via shifts
229 create_unconstrained_gate(
230 blocks.poseidon2_internal, this->zero_idx(), this->zero_idx(), this->zero_idx(), this->zero_idx());
231}
232
241template <typename ExecutionTrace> void UltraCircuitBuilder_<ExecutionTrace>::create_add_gate(const add_triple_<FF>& in)
242{
243 // Delegate to create_big_add_gate with 4th wire set to zero
244 create_big_add_gate({ .a = in.a,
245 .b = in.b,
246 .c = in.c,
247 .d = this->zero_idx(),
248 .a_scaling = in.a_scaling,
249 .b_scaling = in.b_scaling,
250 .c_scaling = in.c_scaling,
251 .d_scaling = 0,
252 .const_scaling = in.const_scaling });
253}
254
263template <typename ExecutionTrace>
264void UltraCircuitBuilder_<ExecutionTrace>::create_big_mul_add_gate(const mul_quad_<FF>& in,
265 const bool include_next_gate_w_4)
266{
267 this->assert_valid_variables({ in.a, in.b, in.c, in.d });
268 blocks.arithmetic.populate_wires(in.a, in.b, in.c, in.d);
269 // If include_next_gate_w_4 is true then we set q_arith = 2. In this case, the linear term in the ArithmeticRelation
270 // is scaled by a factor of 2. We compensate here by scaling the quadratic term by 2 to achieve the constraint:
271 // 2 * [q_m * w_1 * w_2 + \sum_{i=1..4} q_i * w_i + q_c + w_4_shift] = 0
272 const FF mul_scaling = include_next_gate_w_4 ? in.mul_scaling * FF(2) : in.mul_scaling;
273 blocks.arithmetic.q_m().emplace_back(mul_scaling);
274 blocks.arithmetic.q_1().emplace_back(in.a_scaling);
275 blocks.arithmetic.q_2().emplace_back(in.b_scaling);
276 blocks.arithmetic.q_3().emplace_back(in.c_scaling);
277 blocks.arithmetic.q_c().emplace_back(in.const_scaling);
278 blocks.arithmetic.q_4().emplace_back(in.d_scaling);
279 blocks.arithmetic.set_gate_selector(include_next_gate_w_4 ? 2 : 1);
280 check_selector_length_consistency();
281 this->increment_num_gates();
282}
283
292template <typename ExecutionTrace>
293void UltraCircuitBuilder_<ExecutionTrace>::create_big_add_gate(const add_quad_<FF>& in,
294 const bool include_next_gate_w_4)
295{
296 this->assert_valid_variables({ in.a, in.b, in.c, in.d });
297 blocks.arithmetic.populate_wires(in.a, in.b, in.c, in.d);
298 blocks.arithmetic.q_m().emplace_back(0);
299 blocks.arithmetic.q_1().emplace_back(in.a_scaling);
300 blocks.arithmetic.q_2().emplace_back(in.b_scaling);
301 blocks.arithmetic.q_3().emplace_back(in.c_scaling);
302 blocks.arithmetic.q_c().emplace_back(in.const_scaling);
303 blocks.arithmetic.q_4().emplace_back(in.d_scaling);
304 blocks.arithmetic.set_gate_selector(include_next_gate_w_4 ? 2 : 1);
305 check_selector_length_consistency();
306 this->increment_num_gates();
307}
308
314template <typename ExecutionTrace>
315void UltraCircuitBuilder_<ExecutionTrace>::create_bool_gate(const uint32_t variable_index)
316{
317 this->assert_valid_variables({ variable_index });
318
319 blocks.arithmetic.populate_wires(variable_index, variable_index, this->zero_idx(), this->zero_idx());
320 blocks.arithmetic.q_m().emplace_back(1);
321 blocks.arithmetic.q_1().emplace_back(-1);
322 blocks.arithmetic.q_2().emplace_back(0);
323 blocks.arithmetic.q_3().emplace_back(0);
324 blocks.arithmetic.q_c().emplace_back(0);
325 blocks.arithmetic.q_4().emplace_back(0);
326 blocks.arithmetic.set_gate_selector(1);
327 check_selector_length_consistency();
328 this->increment_num_gates();
329}
330
337template <typename ExecutionTrace>
338void UltraCircuitBuilder_<ExecutionTrace>::create_arithmetic_gate(const arithmetic_triple_<FF>& in)
339{
340 this->assert_valid_variables({ in.a, in.b, in.c });
341
342 blocks.arithmetic.populate_wires(in.a, in.b, in.c, this->zero_idx());
343 blocks.arithmetic.q_m().emplace_back(in.q_m);
344 blocks.arithmetic.q_1().emplace_back(in.q_l);
345 blocks.arithmetic.q_2().emplace_back(in.q_r);
346 blocks.arithmetic.q_3().emplace_back(in.q_o);
347 blocks.arithmetic.q_c().emplace_back(in.q_c);
348 blocks.arithmetic.q_4().emplace_back(0);
349 blocks.arithmetic.set_gate_selector(1);
350 check_selector_length_consistency();
351 this->increment_num_gates();
352}
353
370template <typename ExecutionTrace>
371void UltraCircuitBuilder_<ExecutionTrace>::create_ecc_add_gate(const ecc_add_gate_<FF>& in)
372{
373 this->assert_valid_variables({ in.x1, in.x2, in.x3, in.y1, in.y2, in.y3 });
374
375 auto& block = blocks.elliptic;
376
377 // Determine whether we can fuse this addition operation into the previous gate in the block
378 bool can_fuse_into_previous_gate =
379 block.size() > 0 && /* a previous gate exists in the block */
380 block.w_r()[block.size() - 1] == in.x1 && /* output x coord of previous gate is input of this one */
381 block.w_o()[block.size() - 1] == in.y1; /* output y coord of previous gate is input of this one */
382
383 if (can_fuse_into_previous_gate) {
384 block.q_1().set(block.size() - 1, in.sign_coefficient); // set q_sign of previous gate
385 block.q_elliptic().set(block.size() - 1, 1); // set q_ecc of previous gate to 1
386 } else {
387 block.populate_wires(this->zero_idx(), in.x1, in.y1, this->zero_idx());
388 block.q_3().emplace_back(0);
389 block.q_4().emplace_back(0);
390 block.q_1().emplace_back(in.sign_coefficient);
391
392 block.q_2().emplace_back(0);
393 block.q_m().emplace_back(0);
394 block.q_c().emplace_back(0);
395 block.set_gate_selector(1);
396 check_selector_length_consistency();
397 this->increment_num_gates();
398 }
399 // Create the unconstrained gate with the output of the doubling to be read into by the previous gate via shifts
400 create_unconstrained_gate(block, in.x2, in.x3, in.y3, in.y2);
401}
402
419template <typename ExecutionTrace>
420void UltraCircuitBuilder_<ExecutionTrace>::create_ecc_dbl_gate(const ecc_dbl_gate_<FF>& in)
421{
422 this->assert_valid_variables({ in.x1, in.x3, in.y1, in.y3 });
423
424 auto& block = blocks.elliptic;
425
426 // Determine whether we can fuse this doubling operation into the previous gate in the block
427 bool can_fuse_into_previous_gate =
428 block.size() > 0 && /* a previous gate exists in the block */
429 block.w_r()[block.size() - 1] == in.x1 && /* output x coord of previous gate is input of this one */
430 block.w_o()[block.size() - 1] == in.y1; /* output y coord of previous gate is input of this one */
431
432 // If possible, update the previous gate to be the first gate in the pair, otherwise create a new gate
433 if (can_fuse_into_previous_gate) {
434 block.q_elliptic().set(block.size() - 1, 1); // set q_ecc of previous gate to 1
435 block.q_m().set(block.size() - 1, 1); // set q_m (q_is_double) of previous gate to 1
436 } else {
437 block.populate_wires(this->zero_idx(), in.x1, in.y1, this->zero_idx());
438 block.q_m().emplace_back(1);
439 block.q_1().emplace_back(0);
440 block.q_2().emplace_back(0);
441 block.q_3().emplace_back(0);
442 block.q_c().emplace_back(0);
443 block.q_4().emplace_back(0);
444 block.set_gate_selector(1);
445 check_selector_length_consistency();
446 this->increment_num_gates();
447 }
448 // Create the unconstrained gate with the output of the doubling to be read into by the previous gate via shifts
449 create_unconstrained_gate(block, this->zero_idx(), in.x3, in.y3, this->zero_idx());
450}
451
458template <typename ExecutionTrace>
459void UltraCircuitBuilder_<ExecutionTrace>::fix_witness(const uint32_t witness_index, const FF& witness_value)
460{
461 this->assert_valid_variables({ witness_index });
462
463 blocks.arithmetic.populate_wires(witness_index, this->zero_idx(), this->zero_idx(), this->zero_idx());
464 blocks.arithmetic.q_m().emplace_back(0);
465 blocks.arithmetic.q_1().emplace_back(1);
466 blocks.arithmetic.q_2().emplace_back(0);
467 blocks.arithmetic.q_3().emplace_back(0);
468 blocks.arithmetic.q_c().emplace_back(-witness_value);
469 blocks.arithmetic.q_4().emplace_back(0);
470 blocks.arithmetic.set_gate_selector(1);
471 check_selector_length_consistency();
472 this->increment_num_gates();
473}
474
475template <typename ExecutionTrace>
476uint32_t UltraCircuitBuilder_<ExecutionTrace>::put_constant_variable(const FF& variable)
477{
478 if (constant_variable_indices.contains(variable)) {
479 return constant_variable_indices.at(variable);
480 } else {
481 uint32_t variable_index = this->add_variable(variable);
482 fix_witness(variable_index, variable);
483 constant_variable_indices.insert({ variable, variable_index });
484 return variable_index;
485 }
486}
487
496template <typename ExecutionTrace>
497plookup::BasicTable& UltraCircuitBuilder_<ExecutionTrace>::get_table(const plookup::BasicTableId id)
498{
499 for (plookup::BasicTable& table : lookup_tables) {
500 if (table.id == id) {
501 return table;
502 }
503 }
504 // Table doesn't exist! So try to create it.
505 lookup_tables.emplace_back(plookup::create_basic_table(id, lookup_tables.size()));
506 return lookup_tables.back();
507}
508
535template <typename ExecutionTrace>
536plookup::ReadData<uint32_t> UltraCircuitBuilder_<ExecutionTrace>::create_gates_from_plookup_accumulators(
537 const plookup::MultiTableId& id,
538 const plookup::ReadData<FF>& read_values,
539 const uint32_t key_a_index,
540 std::optional<uint32_t> key_b_index)
541{
542 using plookup::ColumnIdx;
543
544 const auto& multi_table = plookup::get_multitable(id);
545 const size_t num_lookups = read_values[ColumnIdx::C1].size();
546 plookup::ReadData<uint32_t> read_data;
547
548 for (size_t i = 0; i < num_lookups; ++i) {
549 const bool is_first_lookup = (i == 0);
550 const bool is_last_lookup = (i == num_lookups - 1);
551
552 // Get basic lookup table; construct and add to builder.lookup_tables if not already present
553 plookup::BasicTable& table = get_table(multi_table.basic_table_ids[i]);
554 table.lookup_gates.emplace_back(read_values.lookup_entries[i]);
555
556 // Create witness variables: first lookup reuses user's input indices, subsequent create new variables
557 const auto first_idx = is_first_lookup ? key_a_index : this->add_variable(read_values[ColumnIdx::C1][i]);
558 const auto second_idx = (is_first_lookup && key_b_index.has_value())
559 ? *key_b_index
560 : this->add_variable(read_values[ColumnIdx::C2][i]);
561 const auto third_idx = this->add_variable(read_values[ColumnIdx::C3][i]);
562
563 read_data[ColumnIdx::C1].push_back(first_idx);
564 read_data[ColumnIdx::C2].push_back(second_idx);
565 read_data[ColumnIdx::C3].push_back(third_idx);
566 this->assert_valid_variables({ first_idx, second_idx, third_idx });
567
568 // Populate lookup gate: wire values and selectors
569 blocks.lookup.populate_wires(first_idx, second_idx, third_idx, this->zero_idx());
570 blocks.lookup.set_gate_selector(1); // mark as lookup gate
571 blocks.lookup.q_3().emplace_back(FF(table.table_index)); // unique table identifier
572 // Step size coefficients: zero for last lookup (no next accumulator), negative step sizes otherwise
573 blocks.lookup.q_2().emplace_back(is_last_lookup ? 0 : -multi_table.column_1_step_sizes[i + 1]);
574 blocks.lookup.q_m().emplace_back(is_last_lookup ? 0 : -multi_table.column_2_step_sizes[i + 1]);
575 blocks.lookup.q_c().emplace_back(is_last_lookup ? 0 : -multi_table.column_3_step_sizes[i + 1]);
576 blocks.lookup.q_1().emplace_back(0); // unused
577 blocks.lookup.q_4().emplace_back(0); // unused
578
579 check_selector_length_consistency();
580 this->increment_num_gates();
581 }
582 return read_data;
583}
584
588template <typename ExecutionTrace>
589typename UltraCircuitBuilder_<ExecutionTrace>::RangeList UltraCircuitBuilder_<ExecutionTrace>::create_range_list(
590 const uint64_t target_range)
591{
592 RangeList result;
593 const auto range_tag = get_new_tag(); // current_tag + 1;
594 const auto tau_tag = get_new_tag(); // current_tag + 2;
595 set_tau_transposition(range_tag, tau_tag);
596 result.target_range = target_range;
597 result.range_tag = range_tag;
598 result.tau_tag = tau_tag;
599
600 uint64_t num_multiples_of_three = (target_range / DEFAULT_PLOOKUP_RANGE_STEP_SIZE);
601
602 // AUDITTODO: This is not reserving the correct amount of space. Ensure this isn't indicative of a larger issue.
603 result.variable_indices.reserve((uint32_t)num_multiples_of_three);
604 for (uint64_t i = 0; i <= num_multiples_of_three; ++i) {
605 const uint32_t index = this->add_variable(fr(i * DEFAULT_PLOOKUP_RANGE_STEP_SIZE));
606 result.variable_indices.emplace_back(index);
607 assign_tag(index, result.range_tag);
608 }
609 {
610 const uint32_t index = this->add_variable(fr(target_range));
611 result.variable_indices.emplace_back(index);
612 assign_tag(index, result.range_tag);
613 }
614 // Need this because these variables will not appear in the witness otherwise
615 create_unconstrained_gates(result.variable_indices);
616
617 return result;
618}
619
620// range constraint a value by decomposing it into limbs whose size should be the default range constraint size
621
622template <typename ExecutionTrace>
623std::vector<uint32_t> UltraCircuitBuilder_<ExecutionTrace>::decompose_into_default_range(
624 const uint32_t variable_index, const uint64_t num_bits, const uint64_t target_range_bitnum, std::string const& msg)
625{
626 this->assert_valid_variables({ variable_index });
627
628 BB_ASSERT_GT(num_bits, 0U);
629
630 uint256_t val = (uint256_t)(this->get_variable(variable_index));
631
632 // If the value is out of range, set the CircuitBuilder error to the given msg.
633 if (val.get_msb() >= num_bits && !this->failed()) {
634 this->failure(msg);
635 }
636
637 const uint64_t sublimb_mask = (1ULL << target_range_bitnum) - 1;
638
652 std::vector<uint64_t> sublimbs;
653 std::vector<uint32_t> sublimb_indices;
654
655 const bool has_remainder_bits = (num_bits % target_range_bitnum != 0);
656 const uint64_t num_limbs = (num_bits / target_range_bitnum) + has_remainder_bits;
657 const uint64_t last_limb_size = num_bits - ((num_bits / target_range_bitnum) * target_range_bitnum);
658 const uint64_t last_limb_range = ((uint64_t)1 << last_limb_size) - 1;
659
660 uint256_t accumulator = val;
661 for (size_t i = 0; i < num_limbs; ++i) {
662 sublimbs.push_back(accumulator.data[0] & sublimb_mask);
663 accumulator = accumulator >> target_range_bitnum;
664 }
665 for (size_t i = 0; i < sublimbs.size(); ++i) {
666 const auto limb_idx = this->add_variable(bb::fr(sublimbs[i]));
667 sublimb_indices.emplace_back(limb_idx);
668 if ((i == sublimbs.size() - 1) && has_remainder_bits) {
669 create_new_range_constraint(limb_idx, last_limb_range);
670 } else {
671 create_new_range_constraint(limb_idx, sublimb_mask);
672 }
673 }
674
675 const uint64_t num_limb_triples = (num_limbs / 3) + ((num_limbs % 3) != 0);
676 const uint64_t leftovers = (num_limbs % 3) == 0 ? 3 : (num_limbs % 3);
677
678 accumulator = val;
679 uint32_t accumulator_idx = variable_index;
680
681 for (size_t i = 0; i < num_limb_triples; ++i) {
682 const bool real_limbs[3]{
683 (i == (num_limb_triples - 1) && (leftovers < 1)) ? false : true,
684 (i == (num_limb_triples - 1) && (leftovers < 2)) ? false : true,
685 (i == (num_limb_triples - 1) && (leftovers < 3)) ? false : true,
686 };
687
688 const uint64_t round_sublimbs[3]{
689 real_limbs[0] ? sublimbs[3 * i] : 0,
690 real_limbs[1] ? sublimbs[3 * i + 1] : 0,
691 real_limbs[2] ? sublimbs[3 * i + 2] : 0,
692 };
693 const uint32_t new_limbs[3]{
694 real_limbs[0] ? sublimb_indices[3 * i] : this->zero_idx(),
695 real_limbs[1] ? sublimb_indices[3 * i + 1] : this->zero_idx(),
696 real_limbs[2] ? sublimb_indices[3 * i + 2] : this->zero_idx(),
697 };
698 const uint64_t shifts[3]{
699 target_range_bitnum * (3 * i),
700 target_range_bitnum * (3 * i + 1),
701 target_range_bitnum * (3 * i + 2),
702 };
703 uint256_t new_accumulator = accumulator - (uint256_t(round_sublimbs[0]) << shifts[0]) -
704 (uint256_t(round_sublimbs[1]) << shifts[1]) -
705 (uint256_t(round_sublimbs[2]) << shifts[2]);
706
707 create_big_add_gate(
708 {
709 new_limbs[0],
710 new_limbs[1],
711 new_limbs[2],
712 accumulator_idx,
713 uint256_t(1) << shifts[0],
714 uint256_t(1) << shifts[1],
715 uint256_t(1) << shifts[2],
716 -1,
717 0,
718 },
719 ((i == num_limb_triples - 1) ? false : true));
720 // TODO(https://github.com/AztecProtocol/barretenberg/issues/1450): this is probably creating an unused
721 // wire/variable in the circuit, in the last iteration of the loop.
722 accumulator_idx = this->add_variable(fr(new_accumulator));
723 accumulator = new_accumulator;
724 }
725 return sublimb_indices;
726}
727
737template <typename ExecutionTrace>
738void UltraCircuitBuilder_<ExecutionTrace>::create_new_range_constraint(const uint32_t variable_index,
739 const uint64_t target_range,
740 std::string const msg)
741{
742 const bool is_out_of_range = (uint256_t(this->get_variable(variable_index)).data[0] > target_range);
743 if (is_out_of_range && !this->failed()) {
744 this->failure(msg);
745 }
746 if (range_lists.count(target_range) == 0) {
747 range_lists.insert({ target_range, create_range_list(target_range) });
748 }
749
750 const auto existing_tag = this->real_variable_tags[this->real_variable_index[variable_index]];
751 auto& list = range_lists[target_range];
752
753 // If the variable's tag matches the target range list's tag, do nothing.
754 if (existing_tag != list.range_tag) {
755 // If the variable is 'untagged' (i.e., it has the dummy tag), assign it the appropriate tag.
756 // Otherwise, find the range for which the variable has already been tagged.
757 if (existing_tag != DUMMY_TAG) {
758 bool found_tag = false;
759 for (const auto& r : range_lists) {
760 if (r.second.range_tag == existing_tag) {
761 found_tag = true;
762 if (r.first < target_range) {
763 // The variable already has a more restrictive range check, so do nothing.
764 return;
765 } else {
766 // The range constraint we are trying to impose is more restrictive than the existing range
767 // constraint. It would be difficult to remove an existing range check. Instead deep-copy the
768 // variable and apply a range check to new variable
769 const uint32_t copied_witness = this->add_variable(this->get_variable(variable_index));
770 create_add_gate({ .a = variable_index,
771 .b = copied_witness,
772 .c = this->zero_idx(),
773 .a_scaling = 1,
774 .b_scaling = -1,
775 .c_scaling = 0,
776 .const_scaling = 0 });
777 // Recurse with new witness that has no tag attached.
778 create_new_range_constraint(copied_witness, target_range, msg);
779 return;
780 }
781 }
782 }
783 BB_ASSERT(found_tag);
784 }
785 assign_tag(variable_index, list.range_tag);
786 list.variable_indices.emplace_back(variable_index);
787 }
788}
789
790template <typename ExecutionTrace> void UltraCircuitBuilder_<ExecutionTrace>::process_range_list(RangeList& list)
791{
792 this->assert_valid_variables(list.variable_indices);
793
794 BB_ASSERT_GT(list.variable_indices.size(), 0U);
795
796 // replace witness index in variable_indices with the real variable index i.e. if a copy constraint has been
797 // applied on a variable after it was range constrained, this makes sure the indices in list point to the updated
798 // index in the range list so the set equivalence does not fail
799 for (uint32_t& x : list.variable_indices) {
800 x = this->real_variable_index[x];
801 }
802 // remove duplicate witness indices to prevent the sorted list set size being wrong!
803 std::sort(list.variable_indices.begin(), list.variable_indices.end());
804 auto back_iterator = std::unique(list.variable_indices.begin(), list.variable_indices.end());
805 list.variable_indices.erase(back_iterator, list.variable_indices.end());
806
807 // go over variables
808 // iterate over each variable and create mirror variable with same value - with tau tag
809 // need to make sure that, in original list, increments of at most 3
810 std::vector<uint32_t> sorted_list;
811 sorted_list.reserve(list.variable_indices.size());
812 for (const auto variable_index : list.variable_indices) {
813 const auto& field_element = this->get_variable(variable_index);
814 const uint32_t shrinked_value = (uint32_t)field_element.from_montgomery_form().data[0];
815 sorted_list.emplace_back(shrinked_value);
816 }
817
818#ifdef NO_PAR_ALGOS
819 std::sort(sorted_list.begin(), sorted_list.end());
820#else
821 std::sort(std::execution::par_unseq, sorted_list.begin(), sorted_list.end());
822#endif
823 // list must be padded to a multipe of 4 and larger than 4 (gate_width)
824 constexpr size_t gate_width = NUM_WIRES;
825 size_t padding = (gate_width - (list.variable_indices.size() % gate_width)) % gate_width;
826
827 std::vector<uint32_t> indices;
828 indices.reserve(padding + sorted_list.size());
829
830 if (list.variable_indices.size() <= gate_width) {
831 padding += gate_width;
832 }
833 for (size_t i = 0; i < padding; ++i) {
834 indices.emplace_back(this->zero_idx());
835 }
836 for (const auto sorted_value : sorted_list) {
837 const uint32_t index = this->add_variable(fr(sorted_value));
838 assign_tag(index, list.tau_tag);
839 indices.emplace_back(index);
840 }
841 create_sort_constraint_with_edges(indices, 0, list.target_range);
842}
843
844template <typename ExecutionTrace> void UltraCircuitBuilder_<ExecutionTrace>::process_range_lists()
845{
846 for (auto& i : range_lists) {
847 process_range_list(i.second);
848 }
849}
850
851/*
852 * Create range constraint:
853 * add variable index to a list of range constrained variables
854 * data structures: vector of lists, each list contains:
855 * - the range size
856 * - the list of variables in the range
857 * - a generalized permutation tag
858 *
859 * create range constraint parameters: variable index && range size
860 *
861 * std::map<uint64_t, RangeList> range_lists;
862 */
863// Check for a sequence of variables that neighboring differences are at most 3 (used for batched range checkj)
864template <typename ExecutionTrace>
865void UltraCircuitBuilder_<ExecutionTrace>::create_sort_constraint(const std::vector<uint32_t>& variable_index)
866{
867 constexpr size_t gate_width = NUM_WIRES;
868 BB_ASSERT_EQ(variable_index.size() % gate_width, 0U);
869 this->assert_valid_variables(variable_index);
870
871 for (size_t i = 0; i < variable_index.size(); i += gate_width) {
872 blocks.delta_range.populate_wires(
873 variable_index[i], variable_index[i + 1], variable_index[i + 2], variable_index[i + 3]);
874
875 this->increment_num_gates();
876 blocks.delta_range.q_m().emplace_back(0);
877 blocks.delta_range.q_1().emplace_back(0);
878 blocks.delta_range.q_2().emplace_back(0);
879 blocks.delta_range.q_3().emplace_back(0);
880 blocks.delta_range.q_c().emplace_back(0);
881 blocks.delta_range.q_4().emplace_back(0);
882 blocks.delta_range.set_gate_selector(1);
883 check_selector_length_consistency();
884 }
885 // dummy gate needed because of sort widget's check of next row
886 create_unconstrained_gate(blocks.delta_range,
887 variable_index[variable_index.size() - 1],
888 this->zero_idx(),
889 this->zero_idx(),
890 this->zero_idx());
891}
892
893// useful to put variables in the witness that aren't already used - e.g. the dummy variables of the range constraint in
894// multiples of four
895template <typename ExecutionTrace>
896void UltraCircuitBuilder_<ExecutionTrace>::create_unconstrained_gates(const std::vector<uint32_t>& variable_index)
897{
898 std::vector<uint32_t> padded_list = variable_index;
899 constexpr size_t gate_width = NUM_WIRES;
900 const uint64_t padding = (gate_width - (padded_list.size() % gate_width)) % gate_width;
901 for (uint64_t i = 0; i < padding; ++i) {
902 padded_list.emplace_back(this->zero_idx());
903 }
904 this->assert_valid_variables(variable_index);
905 this->assert_valid_variables(padded_list);
906
907 for (size_t i = 0; i < padded_list.size(); i += gate_width) {
908 create_unconstrained_gate(
909 blocks.arithmetic, padded_list[i], padded_list[i + 1], padded_list[i + 2], padded_list[i + 3]);
910 }
911}
912
913// Check for a sequence of variables that neighboring differences are at most 3 (used for batched range checks)
914template <typename ExecutionTrace>
915void UltraCircuitBuilder_<ExecutionTrace>::create_sort_constraint_with_edges(
916 const std::vector<uint32_t>& variable_index, const FF& start, const FF& end)
917{
918 // Convenient to assume size is at least 8 (gate_width = 4) for separate gates for start and end conditions
919 constexpr size_t gate_width = NUM_WIRES;
920 BB_ASSERT_EQ(variable_index.size() % gate_width, 0U);
921 BB_ASSERT_GT(variable_index.size(), gate_width);
922 this->assert_valid_variables(variable_index);
923
924 auto& block = blocks.delta_range;
925
926 // Add an arithmetic gate to ensure the first input is equal to the start value of the range being checked
927 create_add_gate({ variable_index[0], this->zero_idx(), this->zero_idx(), 1, 0, 0, -start });
928
929 // enforce range check for all but the final row
930 for (size_t i = 0; i < variable_index.size() - gate_width; i += gate_width) {
931
932 block.populate_wires(variable_index[i], variable_index[i + 1], variable_index[i + 2], variable_index[i + 3]);
933 this->increment_num_gates();
934 block.q_m().emplace_back(0);
935 block.q_1().emplace_back(0);
936 block.q_2().emplace_back(0);
937 block.q_3().emplace_back(0);
938 block.q_c().emplace_back(0);
939 block.q_4().emplace_back(0);
940 block.set_gate_selector(1);
941 check_selector_length_consistency();
942 }
943 // enforce range checks of last row and ending at end
944 if (variable_index.size() > gate_width) {
945 block.populate_wires(variable_index[variable_index.size() - 4],
946 variable_index[variable_index.size() - 3],
947 variable_index[variable_index.size() - 2],
948 variable_index[variable_index.size() - 1]);
949 this->increment_num_gates();
950 block.q_m().emplace_back(0);
951 block.q_1().emplace_back(0);
952 block.q_2().emplace_back(0);
953 block.q_3().emplace_back(0);
954 block.q_c().emplace_back(0);
955 block.q_4().emplace_back(0);
956 block.set_gate_selector(1);
957 check_selector_length_consistency();
958 }
959
960 // NOTE(https://github.com/AztecProtocol/barretenberg/issues/879): Optimisation opportunity to use a single gate
961 // (and remove dummy gate). This used to be a single gate before trace sorting based on gate types. The dummy gate
962 // has been added to allow the previous gate to access the required wire data via shifts, allowing the arithmetic
963 // gate to occur out of sequence. More details on the linked Github issue.
964 create_unconstrained_gate(
965 block, variable_index[variable_index.size() - 1], this->zero_idx(), this->zero_idx(), this->zero_idx());
966 create_add_gate({ variable_index[variable_index.size() - 1], this->zero_idx(), this->zero_idx(), 1, 0, 0, -end });
967}
968
991template <typename ExecutionTrace>
992void UltraCircuitBuilder_<ExecutionTrace>::apply_memory_selectors(const MEMORY_SELECTORS type)
993{
994 auto& block = blocks.memory;
995 block.set_gate_selector(type == MEMORY_SELECTORS::MEM_NONE ? 0 : 1);
996 switch (type) {
997 case MEMORY_SELECTORS::ROM_CONSISTENCY_CHECK: {
998 // Memory read gate used with the sorted list of memory reads.
999 // Apply sorted memory read checks with the following additional check:
1000 // 1. Assert that if index field across two gates does not change, the value field does not change.
1001 // Used for ROM reads and RAM reads across write/read boundaries
1002 block.q_1().emplace_back(1);
1003 block.q_2().emplace_back(1);
1004 block.q_3().emplace_back(0);
1005 block.q_4().emplace_back(0);
1006 block.q_m().emplace_back(0);
1007 block.q_c().emplace_back(0);
1008 check_selector_length_consistency();
1009 break;
1010 }
1011 case MEMORY_SELECTORS::RAM_CONSISTENCY_CHECK: {
1012 // Memory read gate used with the sorted list of memory reads.
1013 // 1. Validate adjacent index values across 2 gates increases by 0 or 1
1014 // 2. Validate record computation (r = read_write_flag + index * \eta + \timestamp * \eta^2 + value * \eta^3)
1015 // 3. If adjacent index values across 2 gates does not change, and the next gate's read_write_flag is set to
1016 // 'read', validate adjacent values do not change Used for ROM reads and RAM reads across read/write boundaries
1017 block.q_1().emplace_back(0);
1018 block.q_2().emplace_back(0);
1019 block.q_3().emplace_back(1);
1020 block.q_4().emplace_back(0);
1021 block.q_m().emplace_back(0);
1022 block.q_c().emplace_back(0);
1023 check_selector_length_consistency();
1024 break;
1025 }
1026 case MEMORY_SELECTORS::RAM_TIMESTAMP_CHECK: {
1027 // For two adjacent RAM entries that share the same index, validate the timestamp value is monotonically
1028 // increasing
1029 block.q_1().emplace_back(1);
1030 block.q_2().emplace_back(0);
1031 block.q_3().emplace_back(0);
1032 block.q_4().emplace_back(1);
1033 block.q_m().emplace_back(0);
1034 block.q_c().emplace_back(0);
1035 check_selector_length_consistency();
1036 break;
1037 }
1038 case MEMORY_SELECTORS::ROM_READ: {
1039 // Memory read gate for reading memory cells. Also used for the _initialization_ of ROM memory cells.
1040 // Validates record witness computation (r = read_write_flag + index * \eta + timestamp * \eta^2 + value *
1041 // \eta^3)
1042 block.q_1().emplace_back(1);
1043 block.q_2().emplace_back(0);
1044 block.q_3().emplace_back(0);
1045 block.q_4().emplace_back(0);
1046 block.q_m().emplace_back(1); // validate record witness is correctly computed
1047 block.q_c().emplace_back(0); // read/write flag stored in q_c
1048 check_selector_length_consistency();
1049 break;
1050 }
1051 case MEMORY_SELECTORS::RAM_READ: {
1052 // Memory read gate for reading memory cells.
1053 // Validates record witness computation (r = read_write_flag + index * \eta + timestamp * \eta^2 + value *
1054 // \eta^3)
1055 block.q_1().emplace_back(1);
1056 block.q_2().emplace_back(0);
1057 block.q_3().emplace_back(0);
1058 block.q_4().emplace_back(0);
1059 block.q_m().emplace_back(1); // validate record witness is correctly computed
1060 block.q_c().emplace_back(0); // read/write flag stored in q_c
1061 check_selector_length_consistency();
1062 break;
1063 }
1064 case MEMORY_SELECTORS::RAM_WRITE: {
1065 // Memory read gate for writing memory cells.
1066 // Validates record witness computation (r = read_write_flag + index * \eta + timestamp * \eta^2 + value *
1067 // \eta^3)
1068 block.q_1().emplace_back(1);
1069 block.q_2().emplace_back(0);
1070 block.q_3().emplace_back(0);
1071 block.q_4().emplace_back(0);
1072 block.q_m().emplace_back(1); // validate record witness is correctly computed
1073 block.q_c().emplace_back(1); // read/write flag stored in q_c
1074 check_selector_length_consistency();
1075 break;
1076 }
1077 default: {
1078 block.q_1().emplace_back(0);
1079 block.q_2().emplace_back(0);
1080 block.q_3().emplace_back(0);
1081 block.q_4().emplace_back(0);
1082 block.q_m().emplace_back(0);
1083 block.q_c().emplace_back(0);
1084 check_selector_length_consistency();
1085 break;
1086 }
1087 }
1088}
1089
1113template <typename ExecutionTrace>
1114void UltraCircuitBuilder_<ExecutionTrace>::apply_nnf_selectors(const NNF_SELECTORS type)
1115{
1116 auto& block = blocks.nnf;
1117 block.set_gate_selector(type == NNF_SELECTORS::NNF_NONE ? 0 : 1);
1118 switch (type) {
1119 case NNF_SELECTORS::LIMB_ACCUMULATE_1: {
1120 block.q_1().emplace_back(0);
1121 block.q_2().emplace_back(0);
1122 block.q_3().emplace_back(1);
1123 block.q_4().emplace_back(1);
1124 block.q_m().emplace_back(0);
1125 block.q_c().emplace_back(0);
1126 check_selector_length_consistency();
1127 break;
1128 }
1129 case NNF_SELECTORS::LIMB_ACCUMULATE_2: {
1130 block.q_1().emplace_back(0);
1131 block.q_2().emplace_back(0);
1132 block.q_3().emplace_back(1);
1133 block.q_4().emplace_back(0);
1134 block.q_m().emplace_back(1);
1135 block.q_c().emplace_back(0);
1136 check_selector_length_consistency();
1137 break;
1138 }
1139 case NNF_SELECTORS::NON_NATIVE_FIELD_1: {
1140 block.q_1().emplace_back(0);
1141 block.q_2().emplace_back(1);
1142 block.q_3().emplace_back(1);
1143 block.q_4().emplace_back(0);
1144 block.q_m().emplace_back(0);
1145 block.q_c().emplace_back(0);
1146 check_selector_length_consistency();
1147 break;
1148 }
1149 case NNF_SELECTORS::NON_NATIVE_FIELD_2: {
1150 block.q_1().emplace_back(0);
1151 block.q_2().emplace_back(1);
1152 block.q_3().emplace_back(0);
1153 block.q_4().emplace_back(1);
1154 block.q_m().emplace_back(0);
1155 block.q_c().emplace_back(0);
1156 check_selector_length_consistency();
1157 break;
1158 }
1159 case NNF_SELECTORS::NON_NATIVE_FIELD_3: {
1160 block.q_1().emplace_back(0);
1161 block.q_2().emplace_back(1);
1162 block.q_3().emplace_back(0);
1163 block.q_4().emplace_back(0);
1164 block.q_m().emplace_back(1);
1165 block.q_c().emplace_back(0);
1166 check_selector_length_consistency();
1167 break;
1168 }
1169 default: {
1170 block.q_1().emplace_back(0);
1171 block.q_2().emplace_back(0);
1172 block.q_3().emplace_back(0);
1173 block.q_4().emplace_back(0);
1174 block.q_m().emplace_back(0);
1175 block.q_c().emplace_back(0);
1176 check_selector_length_consistency();
1177 break;
1178 }
1179 }
1180}
1181
1192template <typename ExecutionTrace>
1193void UltraCircuitBuilder_<ExecutionTrace>::range_constrain_two_limbs(const uint32_t lo_idx,
1194 const uint32_t hi_idx,
1195 const size_t lo_limb_bits,
1196 const size_t hi_limb_bits,
1197 std::string const& msg)
1198{
1199 // Validate limbs are <= 70 bits. If limbs are larger we require more witnesses and cannot use our limb accumulation
1200 // custom gate
1201 BB_ASSERT_LTE(lo_limb_bits, 14U * 5U);
1202 BB_ASSERT_LTE(hi_limb_bits, 14U * 5U);
1203
1204 // If the value is larger than the range, we log the error in builder
1205 const bool is_lo_out_of_range = (uint256_t(this->get_variable(lo_idx)) >= (uint256_t(1) << lo_limb_bits));
1206 if (is_lo_out_of_range && !this->failed()) {
1207 this->failure(msg + ": lo limb.");
1208 }
1209 const bool is_hi_out_of_range = (uint256_t(this->get_variable(hi_idx)) >= (uint256_t(1) << hi_limb_bits));
1210 if (is_hi_out_of_range && !this->failed()) {
1211 this->failure(msg + ": hi limb.");
1212 }
1213
1214 // Sometimes we try to use limbs that are too large. It's easier to catch this issue here
1215 const auto get_sublimbs = [&](const uint32_t& limb_idx, const std::array<uint64_t, 5>& sublimb_masks) {
1216 const uint256_t limb = this->get_variable(limb_idx);
1217 // we can use constant 2^14 - 1 mask here. If the sublimb value exceeds the expected value then witness will
1218 // fail the range check below
1219 // We also use zero_idx to substitute variables that should be zero
1220 constexpr uint256_t MAX_SUBLIMB_MASK = (uint256_t(1) << 14) - 1;
1221 std::array<uint32_t, 5> sublimb_indices;
1222 sublimb_indices[0] = sublimb_masks[0] != 0 ? this->add_variable(fr(limb & MAX_SUBLIMB_MASK)) : this->zero_idx();
1223 sublimb_indices[1] =
1224 sublimb_masks[1] != 0 ? this->add_variable(fr((limb >> 14) & MAX_SUBLIMB_MASK)) : this->zero_idx();
1225 sublimb_indices[2] =
1226 sublimb_masks[2] != 0 ? this->add_variable(fr((limb >> 28) & MAX_SUBLIMB_MASK)) : this->zero_idx();
1227 sublimb_indices[3] =
1228 sublimb_masks[3] != 0 ? this->add_variable(fr((limb >> 42) & MAX_SUBLIMB_MASK)) : this->zero_idx();
1229 sublimb_indices[4] =
1230 sublimb_masks[4] != 0 ? this->add_variable(fr((limb >> 56) & MAX_SUBLIMB_MASK)) : this->zero_idx();
1231 return sublimb_indices;
1232 };
1233
1234 const auto get_limb_masks = [](size_t limb_bits) {
1235 std::array<uint64_t, 5> sublimb_masks;
1236 sublimb_masks[0] = limb_bits >= 14 ? 14 : limb_bits;
1237 sublimb_masks[1] = limb_bits >= 28 ? 14 : (limb_bits > 14 ? limb_bits - 14 : 0);
1238 sublimb_masks[2] = limb_bits >= 42 ? 14 : (limb_bits > 28 ? limb_bits - 28 : 0);
1239 sublimb_masks[3] = limb_bits >= 56 ? 14 : (limb_bits > 42 ? limb_bits - 42 : 0);
1240 sublimb_masks[4] = (limb_bits > 56 ? limb_bits - 56 : 0);
1241
1242 for (auto& mask : sublimb_masks) {
1243 mask = (1ULL << mask) - 1ULL;
1244 }
1245 return sublimb_masks;
1246 };
1247
1248 const auto lo_masks = get_limb_masks(lo_limb_bits);
1249 const auto hi_masks = get_limb_masks(hi_limb_bits);
1250 const std::array<uint32_t, 5> lo_sublimbs = get_sublimbs(lo_idx, lo_masks);
1251 const std::array<uint32_t, 5> hi_sublimbs = get_sublimbs(hi_idx, hi_masks);
1252
1253 blocks.nnf.populate_wires(lo_sublimbs[0], lo_sublimbs[1], lo_sublimbs[2], lo_idx);
1254 blocks.nnf.populate_wires(lo_sublimbs[3], lo_sublimbs[4], hi_sublimbs[0], hi_sublimbs[1]);
1255 blocks.nnf.populate_wires(hi_sublimbs[2], hi_sublimbs[3], hi_sublimbs[4], hi_idx);
1256
1257 apply_nnf_selectors(NNF_SELECTORS::LIMB_ACCUMULATE_1);
1258 apply_nnf_selectors(NNF_SELECTORS::LIMB_ACCUMULATE_2);
1259 apply_nnf_selectors(NNF_SELECTORS::NNF_NONE);
1260 this->increment_num_gates(3);
1261
1262 for (size_t i = 0; i < 5; i++) {
1263 if (lo_masks[i] != 0) {
1264 create_new_range_constraint(lo_sublimbs[i], lo_masks[i], "ultra_circuit_builder: sublimb of low too large");
1265 }
1266 if (hi_masks[i] != 0) {
1267 create_new_range_constraint(hi_sublimbs[i], hi_masks[i], "ultra_circuit_builder: sublimb of hi too large");
1268 }
1269 }
1270};
1271
1287template <typename ExecutionTrace>
1288std::array<uint32_t, 2> UltraCircuitBuilder_<ExecutionTrace>::evaluate_non_native_field_multiplication(
1289 const non_native_multiplication_witnesses<FF>& input)
1290{
1291 const auto [a0, a1, a2, a3] = std::array{ this->get_variable(input.a[0]),
1292 this->get_variable(input.a[1]),
1293 this->get_variable(input.a[2]),
1294 this->get_variable(input.a[3]) };
1295 const auto [b0, b1, b2, b3] = std::array{ this->get_variable(input.b[0]),
1296 this->get_variable(input.b[1]),
1297 this->get_variable(input.b[2]),
1298 this->get_variable(input.b[3]) };
1299 const auto [q0, q1, q2, q3] = std::array{ this->get_variable(input.q[0]),
1300 this->get_variable(input.q[1]),
1301 this->get_variable(input.q[2]),
1302 this->get_variable(input.q[3]) };
1303 const auto [r0, r1, r2, r3] = std::array{ this->get_variable(input.r[0]),
1304 this->get_variable(input.r[1]),
1305 this->get_variable(input.r[2]),
1306 this->get_variable(input.r[3]) };
1307 const auto& p_neg = input.neg_modulus;
1308
1309 constexpr FF LIMB_SHIFT = uint256_t(1) << DEFAULT_NON_NATIVE_FIELD_LIMB_BITS;
1310 constexpr FF LIMB_RSHIFT = FF(1) / FF(uint256_t(1) << DEFAULT_NON_NATIVE_FIELD_LIMB_BITS);
1311 constexpr FF LIMB_RSHIFT_2 = FF(1) / FF(uint256_t(1) << (2 * DEFAULT_NON_NATIVE_FIELD_LIMB_BITS));
1312
1313 // lo_0 = (a0·b0 - r0) + (a1·b0 + a0·b1)·2^L
1314 FF lo_0 = (a0 * b0 - r0) + (a1 * b0 + a0 * b1) * LIMB_SHIFT;
1315 // lo_1 = (lo_0 + q0·p0' + (q1·p0' + q0·p1' - r1)·2^L) / 2^2L
1316 FF lo_1 = (lo_0 + q0 * p_neg[0] + (q1 * p_neg[0] + q0 * p_neg[1] - r1) * LIMB_SHIFT) * LIMB_RSHIFT_2;
1317
1318 // hi_0 = (a2·b0 + a0·b2) + (a0·b3 + a3·b0 - r3)·2^L
1319 FF hi_0 = (a2 * b0 + a0 * b2) + (a0 * b3 + a3 * b0 - r3) * LIMB_SHIFT;
1320 // hi_1 = hi_0 + (a1·b1 - r2) + (a1·b2 + a2·b1)·2^L
1321 FF hi_1 = hi_0 + (a1 * b1 - r2) + (a1 * b2 + a2 * b1) * LIMB_SHIFT;
1322 // hi_2 = hi_1 + lo_1 + q2·p0' + (q3·p0' + q2·p1')·2^L
1323 FF hi_2 = hi_1 + lo_1 + q2 * p_neg[0] + (q3 * p_neg[0] + q2 * p_neg[1]) * LIMB_SHIFT;
1324 // hi_3 = (hi_2 + q0·p2' + q1·p1' + (q0·p3' + q1·p2')·2^L) / 2^2L
1325 FF hi_3 = (hi_2 + q0 * p_neg[2] + q1 * p_neg[1] + (q0 * p_neg[3] + q1 * p_neg[2]) * LIMB_SHIFT) * LIMB_RSHIFT_2;
1326
1327 const uint32_t lo_0_idx = this->add_variable(lo_0);
1328 const uint32_t lo_1_idx = this->add_variable(lo_1);
1329 const uint32_t hi_0_idx = this->add_variable(hi_0);
1330 const uint32_t hi_1_idx = this->add_variable(hi_1);
1331 const uint32_t hi_2_idx = this->add_variable(hi_2);
1332 const uint32_t hi_3_idx = this->add_variable(hi_3);
1333
1334 // Gate 1: big_add_gate to validate lo_1
1335 // (lo_0 + q_0(p_0 + p_1*2^b) + q_1(p_0*2^b) - (r_1)2^b)2^-2b - lo_1 = 0
1336 // This constraint requires two rows in the trace: an arithmetic gate plus an unconstrained arithmetic gate
1337 // containing lo_0 in wire 4 so that the previous gate can access it via shifts. (We cannot use the next nnf gate
1338 // for this purpose since our trace is sorted by gate type).
1339 create_big_add_gate({ input.q[0],
1340 input.q[1],
1341 input.r[1],
1342 lo_1_idx,
1343 input.neg_modulus[0] + input.neg_modulus[1] * LIMB_SHIFT,
1344 input.neg_modulus[0] * LIMB_SHIFT,
1345 -LIMB_SHIFT,
1346 -LIMB_SHIFT.sqr(),
1347 0 },
1348 /*include_next_gate_w_4*/ true);
1349 // Gate 2: unconstrained gate to provide lo_0 via w_4_shift for gate 1
1350 create_unconstrained_gate(blocks.arithmetic, this->zero_idx(), this->zero_idx(), this->zero_idx(), lo_0_idx);
1351
1352 //
1353 // a = (a3 || a2 || a1 || a0) = (a3 * 2^b + a2) * 2^b + (a1 * 2^b + a0)
1354 // b = (b3 || b2 || b1 || b0) = (b3 * 2^b + b2) * 2^b + (b1 * 2^b + b0)
1355 //
1356 // Gate 3: NNF gate to check if lo_0 was computed correctly
1357 // The gate structure for the nnf gates is as follows:
1358 //
1359 // | a1 | b1 | r0 | lo_0 | <-- Gate 3: check lo_0
1360 // | a0 | b0 | a3 | b3 |
1361 // | a2 | b2 | r3 | hi_0 |
1362 // | a1 | b1 | r2 | hi_1 |
1363 //
1364 // Constraint: lo_0 = (a1 * b0 + a0 * b1) * 2^b + (a0 * b0) - r0
1365 // w4 = (w1 * w'2 + w'1 * w2) * 2^b + (w'1 * w'2) - w3
1366 //
1367 blocks.nnf.populate_wires(input.a[1], input.b[1], input.r[0], lo_0_idx);
1368 apply_nnf_selectors(NNF_SELECTORS::NON_NATIVE_FIELD_1);
1369 this->increment_num_gates();
1370
1371 //
1372 // Gate 4: NNF gate to check if hi_0 was computed correctly
1373 //
1374 // | a1 | b1 | r0 | lo_0 |
1375 // | a0 | b0 | a3 | b3 | <-- Gate 4: check hi_0
1376 // | a2 | b2 | r3 | hi_0 |
1377 // | a1 | b1 | r2 | hi_1 |
1378 //
1379 // Constraint: hi_0 = (a0 * b3 + a3 * b0 - r3) * 2^b + (a0 * b2 + a2 * b0)
1380 // w'4 = (w1 * w4 + w2 * w3 - w'3) * 2^b + (w1 * w'2 + w'1 * w2)
1381 //
1382 blocks.nnf.populate_wires(input.a[0], input.b[0], input.a[3], input.b[3]);
1383 apply_nnf_selectors(NNF_SELECTORS::NON_NATIVE_FIELD_2);
1384 this->increment_num_gates();
1385
1386 //
1387 // Gate 5: NNF gate to check if hi_1 was computed correctly
1388 //
1389 // | a1 | b1 | r0 | lo_0 |
1390 // | a0 | b0 | a3 | b3 |
1391 // | a2 | b2 | r3 | hi_0 | <-- Gate 5: check hi_1
1392 // | a1 | b1 | r2 | hi_1 |
1393 //
1394 // Constraint: hi_1 = hi_0 + (a2 * b1 + a1 * b2) * 2^b + (a1 * b1) - r2
1395 // w'4 = w4 + (w1 * w'2 + w'1 * w2) * 2^b + (w'1 * w'2) - w'3
1396 //
1397 blocks.nnf.populate_wires(input.a[2], input.b[2], input.r[3], hi_0_idx);
1398 apply_nnf_selectors(NNF_SELECTORS::NON_NATIVE_FIELD_3);
1399 this->increment_num_gates();
1400
1401 //
1402 // Gate 6: NNF gate with no constraints (q_nnf=0, truly unconstrained)
1403 // Provides values a[1], b[1], r[2], hi_1 to Gate 5 via shifts (w'1, w'2, w'3, w'4)
1404 //
1405 blocks.nnf.populate_wires(input.a[1], input.b[1], input.r[2], hi_1_idx);
1406 apply_nnf_selectors(NNF_SELECTORS::NNF_NONE);
1407 this->increment_num_gates();
1408
1409 //
1410 // Gate 7: big_add_gate to validate hi_2
1411 //
1412 // hi_2 - hi_1 - lo_1 - q[2](p[1].2^b + p[0]) - q[3](p[0].2^b) = 0
1413 //
1414 create_big_add_gate(
1415 {
1416 input.q[2],
1417 input.q[3],
1418 lo_1_idx,
1419 hi_1_idx,
1420 -input.neg_modulus[1] * LIMB_SHIFT - input.neg_modulus[0],
1421 -input.neg_modulus[0] * LIMB_SHIFT,
1422 -1,
1423 -1,
1424 0,
1425 },
1426 /*include_next_gate_w_4*/ true);
1427
1428 //
1429 // Gate 8: big_add_gate to validate hi_3 (provides hi_2 in w_4 for gate 7)
1430 //
1431 // hi_3 - (hi_2 - q[0](p[3].2^b + p[2]) - q[1](p[2].2^b + p[1])).2^-2b = 0
1432 //
1433 create_big_add_gate({
1434 hi_3_idx,
1435 input.q[0],
1436 input.q[1],
1437 hi_2_idx,
1438 -1,
1439 input.neg_modulus[3] * LIMB_RSHIFT + input.neg_modulus[2] * LIMB_RSHIFT_2,
1440 input.neg_modulus[2] * LIMB_RSHIFT + input.neg_modulus[1] * LIMB_RSHIFT_2,
1441 LIMB_RSHIFT_2,
1442 0,
1443 });
1444
1445 return std::array<uint32_t, 2>{ lo_1_idx, hi_3_idx };
1446}
1447
1454template <typename ExecutionTrace> void UltraCircuitBuilder_<ExecutionTrace>::process_non_native_field_multiplications()
1455{
1456 for (size_t i = 0; i < cached_partial_non_native_field_multiplications.size(); ++i) {
1457 auto& c = cached_partial_non_native_field_multiplications[i];
1458 for (size_t j = 0; j < c.a.size(); ++j) {
1459 c.a[j] = this->real_variable_index[c.a[j]];
1460 c.b[j] = this->real_variable_index[c.b[j]];
1461 }
1462 }
1463 cached_partial_non_native_field_multiplication::deduplicate(cached_partial_non_native_field_multiplications, this);
1464
1465 // iterate over the cached items and create constraints
1466 for (const auto& input : cached_partial_non_native_field_multiplications) {
1467
1468 blocks.nnf.populate_wires(input.a[1], input.b[1], this->zero_idx(), input.lo_0);
1469 apply_nnf_selectors(NNF_SELECTORS::NON_NATIVE_FIELD_1);
1470 this->increment_num_gates();
1471
1472 blocks.nnf.populate_wires(input.a[0], input.b[0], input.a[3], input.b[3]);
1473 apply_nnf_selectors(NNF_SELECTORS::NON_NATIVE_FIELD_2);
1474 this->increment_num_gates();
1475
1476 blocks.nnf.populate_wires(input.a[2], input.b[2], this->zero_idx(), input.hi_0);
1477 apply_nnf_selectors(NNF_SELECTORS::NON_NATIVE_FIELD_3);
1478 this->increment_num_gates();
1479
1480 blocks.nnf.populate_wires(input.a[1], input.b[1], this->zero_idx(), input.hi_1);
1481 apply_nnf_selectors(NNF_SELECTORS::NNF_NONE);
1482 this->increment_num_gates();
1483 }
1484}
1485
1492template <typename ExecutionTrace>
1493std::array<uint32_t, 2> UltraCircuitBuilder_<ExecutionTrace>::queue_partial_non_native_field_multiplication(
1494 const non_native_partial_multiplication_witnesses<FF>& input)
1495{
1496 std::array<fr, 4> a{
1497 this->get_variable(input.a[0]),
1498 this->get_variable(input.a[1]),
1499 this->get_variable(input.a[2]),
1500 this->get_variable(input.a[3]),
1501 };
1502 std::array<fr, 4> b{
1503 this->get_variable(input.b[0]),
1504 this->get_variable(input.b[1]),
1505 this->get_variable(input.b[2]),
1506 this->get_variable(input.b[3]),
1507 };
1508
1509 constexpr FF LIMB_SHIFT = uint256_t(1) << DEFAULT_NON_NATIVE_FIELD_LIMB_BITS;
1510
1511 FF lo_0 = a[0] * b[0] + ((a[1] * b[0] + a[0] * b[1]) * LIMB_SHIFT);
1512 FF hi_0 = a[2] * b[0] + a[0] * b[2] + ((a[0] * b[3] + a[3] * b[0]) * LIMB_SHIFT);
1513 FF hi_1 = hi_0 + a[1] * b[1] + ((a[1] * b[2] + a[2] * b[1]) * LIMB_SHIFT);
1514
1515 const uint32_t lo_0_idx = this->add_variable(lo_0);
1516 const uint32_t hi_0_idx = this->add_variable(hi_0);
1517 const uint32_t hi_1_idx = this->add_variable(hi_1);
1518
1519 // Add witnesses into the multiplication cache (duplicates removed during circuit finalization)
1520 cached_partial_non_native_field_multiplication cache_entry{
1521 .a = input.a,
1522 .b = input.b,
1523 .lo_0 = lo_0_idx,
1524 .hi_0 = hi_0_idx,
1525 .hi_1 = hi_1_idx,
1526 };
1527 cached_partial_non_native_field_multiplications.emplace_back(cache_entry);
1528 return std::array<uint32_t, 2>{ lo_0_idx, hi_1_idx };
1529}
1530
1536template <typename ExecutionTrace>
1537std::array<uint32_t, 5> UltraCircuitBuilder_<ExecutionTrace>::evaluate_non_native_field_addition(
1538 add_simple limb0, add_simple limb1, add_simple limb2, add_simple limb3, std::tuple<uint32_t, uint32_t, FF> limbp)
1539{
1540 const uint32_t& x_0 = std::get<0>(limb0).first;
1541 const uint32_t& x_1 = std::get<0>(limb1).first;
1542 const uint32_t& x_2 = std::get<0>(limb2).first;
1543 const uint32_t& x_3 = std::get<0>(limb3).first;
1544 const uint32_t& x_p = std::get<0>(limbp);
1545
1546 const FF& x_mulconst0 = std::get<0>(limb0).second;
1547 const FF& x_mulconst1 = std::get<0>(limb1).second;
1548 const FF& x_mulconst2 = std::get<0>(limb2).second;
1549 const FF& x_mulconst3 = std::get<0>(limb3).second;
1550
1551 const uint32_t& y_0 = std::get<1>(limb0).first;
1552 const uint32_t& y_1 = std::get<1>(limb1).first;
1553 const uint32_t& y_2 = std::get<1>(limb2).first;
1554 const uint32_t& y_3 = std::get<1>(limb3).first;
1555 const uint32_t& y_p = std::get<1>(limbp);
1556
1557 const FF& y_mulconst0 = std::get<1>(limb0).second;
1558 const FF& y_mulconst1 = std::get<1>(limb1).second;
1559 const FF& y_mulconst2 = std::get<1>(limb2).second;
1560 const FF& y_mulconst3 = std::get<1>(limb3).second;
1561
1562 // constant additive terms
1563 const FF& addconst0 = std::get<2>(limb0);
1564 const FF& addconst1 = std::get<2>(limb1);
1565 const FF& addconst2 = std::get<2>(limb2);
1566 const FF& addconst3 = std::get<2>(limb3);
1567 const FF& addconstp = std::get<2>(limbp);
1568
1569 // get value of result limbs
1570 const FF z_0value = (this->get_variable(x_0) * x_mulconst0) + (this->get_variable(y_0) * y_mulconst0) + addconst0;
1571 const FF z_1value = (this->get_variable(x_1) * x_mulconst1) + (this->get_variable(y_1) * y_mulconst1) + addconst1;
1572 const FF z_2value = (this->get_variable(x_2) * x_mulconst2) + (this->get_variable(y_2) * y_mulconst2) + addconst2;
1573 const FF z_3value = (this->get_variable(x_3) * x_mulconst3) + (this->get_variable(y_3) * y_mulconst3) + addconst3;
1574 const FF z_pvalue = this->get_variable(x_p) + this->get_variable(y_p) + addconstp;
1575
1576 const uint32_t z_0 = this->add_variable(z_0value);
1577 const uint32_t z_1 = this->add_variable(z_1value);
1578 const uint32_t z_2 = this->add_variable(z_2value);
1579 const uint32_t z_3 = this->add_variable(z_3value);
1580 const uint32_t z_p = this->add_variable(z_pvalue);
1581
1603 auto& block = blocks.arithmetic;
1604 block.populate_wires(y_p, x_0, y_0, x_p);
1605 block.populate_wires(z_p, x_1, y_1, z_0);
1606 block.populate_wires(x_2, y_2, z_2, z_1);
1607 block.populate_wires(x_3, y_3, z_3, this->zero_idx());
1608
1609 // When q_arith == 3, w_4_shift is scaled by 2 (see ArithmeticRelation for details). Therefore, for consistency we
1610 // also scale each linear term by this factor of 2 so that the constraint is effectively:
1611 // (q_l * w_1) + (q_r * w_2) + (q_o * w_3) + (q_4 * w_4) + q_c + w_4_shift = 0
1612 const FF linear_term_scale_factor = 2;
1613 block.q_m().emplace_back(addconstp);
1614 block.q_1().emplace_back(0);
1615 block.q_2().emplace_back(-x_mulconst0 * linear_term_scale_factor);
1616 block.q_3().emplace_back(-y_mulconst0 * linear_term_scale_factor);
1617 block.q_4().emplace_back(0);
1618 block.q_c().emplace_back(-addconst0 * linear_term_scale_factor);
1619 block.set_gate_selector(3);
1620
1621 block.q_m().emplace_back(0);
1622 block.q_1().emplace_back(0);
1623 block.q_2().emplace_back(-x_mulconst1);
1624 block.q_3().emplace_back(-y_mulconst1);
1625 block.q_4().emplace_back(0);
1626 block.q_c().emplace_back(-addconst1);
1627 block.set_gate_selector(2);
1628
1629 block.q_m().emplace_back(0);
1630 block.q_1().emplace_back(-x_mulconst2);
1631 block.q_2().emplace_back(-y_mulconst2);
1632 block.q_3().emplace_back(1);
1633 block.q_4().emplace_back(0);
1634 block.q_c().emplace_back(-addconst2);
1635 block.set_gate_selector(1);
1636
1637 block.q_m().emplace_back(0);
1638 block.q_1().emplace_back(-x_mulconst3);
1639 block.q_2().emplace_back(-y_mulconst3);
1640 block.q_3().emplace_back(1);
1641 block.q_4().emplace_back(0);
1642 block.q_c().emplace_back(-addconst3);
1643 block.set_gate_selector(1);
1644
1645 check_selector_length_consistency();
1646
1647 this->increment_num_gates(4);
1648 return std::array<uint32_t, 5>{
1649 z_0, z_1, z_2, z_3, z_p,
1650 };
1651}
1652
1658template <typename ExecutionTrace>
1659std::array<uint32_t, 5> UltraCircuitBuilder_<ExecutionTrace>::evaluate_non_native_field_subtraction(
1660 add_simple limb0, add_simple limb1, add_simple limb2, add_simple limb3, std::tuple<uint32_t, uint32_t, FF> limbp)
1661{
1662 const uint32_t& x_0 = std::get<0>(limb0).first;
1663 const uint32_t& x_1 = std::get<0>(limb1).first;
1664 const uint32_t& x_2 = std::get<0>(limb2).first;
1665 const uint32_t& x_3 = std::get<0>(limb3).first;
1666 const uint32_t& x_p = std::get<0>(limbp);
1667
1668 const FF& x_mulconst0 = std::get<0>(limb0).second;
1669 const FF& x_mulconst1 = std::get<0>(limb1).second;
1670 const FF& x_mulconst2 = std::get<0>(limb2).second;
1671 const FF& x_mulconst3 = std::get<0>(limb3).second;
1672
1673 const uint32_t& y_0 = std::get<1>(limb0).first;
1674 const uint32_t& y_1 = std::get<1>(limb1).first;
1675 const uint32_t& y_2 = std::get<1>(limb2).first;
1676 const uint32_t& y_3 = std::get<1>(limb3).first;
1677 const uint32_t& y_p = std::get<1>(limbp);
1678
1679 const FF& y_mulconst0 = std::get<1>(limb0).second;
1680 const FF& y_mulconst1 = std::get<1>(limb1).second;
1681 const FF& y_mulconst2 = std::get<1>(limb2).second;
1682 const FF& y_mulconst3 = std::get<1>(limb3).second;
1683
1684 // constant additive terms
1685 const FF& addconst0 = std::get<2>(limb0);
1686 const FF& addconst1 = std::get<2>(limb1);
1687 const FF& addconst2 = std::get<2>(limb2);
1688 const FF& addconst3 = std::get<2>(limb3);
1689 const FF& addconstp = std::get<2>(limbp);
1690
1691 // get value of result limbs
1692 const FF z_0value = (this->get_variable(x_0) * x_mulconst0) - (this->get_variable(y_0) * y_mulconst0) + addconst0;
1693 const FF z_1value = (this->get_variable(x_1) * x_mulconst1) - (this->get_variable(y_1) * y_mulconst1) + addconst1;
1694 const FF z_2value = (this->get_variable(x_2) * x_mulconst2) - (this->get_variable(y_2) * y_mulconst2) + addconst2;
1695 const FF z_3value = (this->get_variable(x_3) * x_mulconst3) - (this->get_variable(y_3) * y_mulconst3) + addconst3;
1696 const FF z_pvalue = this->get_variable(x_p) - this->get_variable(y_p) + addconstp;
1697
1698 const uint32_t z_0 = this->add_variable(z_0value);
1699 const uint32_t z_1 = this->add_variable(z_1value);
1700 const uint32_t z_2 = this->add_variable(z_2value);
1701 const uint32_t z_3 = this->add_variable(z_3value);
1702 const uint32_t z_p = this->add_variable(z_pvalue);
1703
1728 auto& block = blocks.arithmetic;
1729 block.populate_wires(y_p, x_0, y_0, z_p);
1730 block.populate_wires(x_p, x_1, y_1, z_0);
1731 block.populate_wires(x_2, y_2, z_2, z_1);
1732 block.populate_wires(x_3, y_3, z_3, this->zero_idx());
1733
1734 // When q_arith == 3, w_4_shift is scaled by 2 (see ArithmeticRelation for details). Therefore, for consistency we
1735 // also scale each linear term by this factor of 2 so that the constraint is effectively:
1736 // (q_l * w_1) + (q_r * w_2) + (q_o * w_3) + (q_4 * w_4) + q_c + w_4_shift = 0
1737 const FF linear_term_scale_factor = 2;
1738 block.q_m().emplace_back(-addconstp);
1739 block.q_1().emplace_back(0);
1740 block.q_2().emplace_back(-x_mulconst0 * linear_term_scale_factor);
1741 block.q_3().emplace_back(y_mulconst0 * linear_term_scale_factor);
1742 block.q_4().emplace_back(0);
1743 block.q_c().emplace_back(-addconst0 * linear_term_scale_factor);
1744 block.set_gate_selector(3);
1745
1746 block.q_m().emplace_back(0);
1747 block.q_1().emplace_back(0);
1748 block.q_2().emplace_back(-x_mulconst1);
1749 block.q_3().emplace_back(y_mulconst1);
1750 block.q_4().emplace_back(0);
1751 block.q_c().emplace_back(-addconst1);
1752 block.set_gate_selector(2);
1753
1754 block.q_m().emplace_back(0);
1755 block.q_1().emplace_back(-x_mulconst2);
1756 block.q_2().emplace_back(y_mulconst2);
1757 block.q_3().emplace_back(1);
1758 block.q_4().emplace_back(0);
1759 block.q_c().emplace_back(-addconst2);
1760 block.set_gate_selector(1);
1761
1762 block.q_m().emplace_back(0);
1763 block.q_1().emplace_back(-x_mulconst3);
1764 block.q_2().emplace_back(y_mulconst3);
1765 block.q_3().emplace_back(1);
1766 block.q_4().emplace_back(0);
1767 block.q_c().emplace_back(-addconst3);
1768 block.set_gate_selector(1);
1769
1770 check_selector_length_consistency();
1771
1772 this->increment_num_gates(4);
1773 return std::array<uint32_t, 5>{
1774 z_0, z_1, z_2, z_3, z_p,
1775 };
1776}
1777
1787template <typename ExecutionTrace>
1788size_t UltraCircuitBuilder_<ExecutionTrace>::create_ROM_array(const size_t array_size)
1789{
1790 return this->rom_ram_logic.create_ROM_array(array_size);
1791}
1792
1802template <typename ExecutionTrace>
1803size_t UltraCircuitBuilder_<ExecutionTrace>::create_RAM_array(const size_t array_size)
1804{
1805 return this->rom_ram_logic.create_RAM_array(array_size);
1806}
1807
1815template <typename ExecutionTrace>
1816void UltraCircuitBuilder_<ExecutionTrace>::init_RAM_element(const size_t ram_id,
1817 const size_t index_value,
1818 const uint32_t value_witness)
1819{
1820 this->rom_ram_logic.init_RAM_element(this, ram_id, index_value, value_witness);
1821}
1822
1823template <typename ExecutionTrace>
1824uint32_t UltraCircuitBuilder_<ExecutionTrace>::read_RAM_array(const size_t ram_id, const uint32_t index_witness)
1825{
1826 return this->rom_ram_logic.read_RAM_array(this, ram_id, index_witness);
1827}
1828
1829template <typename ExecutionTrace>
1830void UltraCircuitBuilder_<ExecutionTrace>::write_RAM_array(const size_t ram_id,
1831 const uint32_t index_witness,
1832 const uint32_t value_witness)
1833{
1834 this->rom_ram_logic.write_RAM_array(this, ram_id, index_witness, value_witness);
1835}
1836
1852template <typename ExecutionTrace>
1853void UltraCircuitBuilder_<ExecutionTrace>::set_ROM_element(const size_t rom_id,
1854 const size_t index_value,
1855 const uint32_t value_witness)
1856{
1857 this->rom_ram_logic.set_ROM_element(this, rom_id, index_value, value_witness);
1858}
1859
1867template <typename ExecutionTrace>
1868void UltraCircuitBuilder_<ExecutionTrace>::set_ROM_element_pair(const size_t rom_id,
1869 const size_t index_value,
1870 const std::array<uint32_t, 2>& value_witnesses)
1871{
1872 this->rom_ram_logic.set_ROM_element_pair(this, rom_id, index_value, value_witnesses);
1873}
1874
1882template <typename ExecutionTrace>
1883uint32_t UltraCircuitBuilder_<ExecutionTrace>::read_ROM_array(const size_t rom_id, const uint32_t index_witness)
1884{
1885 return this->rom_ram_logic.read_ROM_array(this, rom_id, index_witness);
1886}
1887
1895template <typename ExecutionTrace>
1896std::array<uint32_t, 2> UltraCircuitBuilder_<ExecutionTrace>::read_ROM_array_pair(const size_t rom_id,
1897 const uint32_t index_witness)
1898{
1899 return this->rom_ram_logic.read_ROM_array_pair(this, rom_id, index_witness);
1900}
1901
1905template <typename FF>
1906void UltraCircuitBuilder_<FF>::create_poseidon2_external_gate(const poseidon2_external_gate_<FF>& in)
1907{
1908 auto& block = this->blocks.poseidon2_external;
1909 block.populate_wires(in.a, in.b, in.c, in.d);
1910 block.q_m().emplace_back(0);
1911 block.q_1().emplace_back(crypto::Poseidon2Bn254ScalarFieldParams::round_constants[in.round_idx][0]);
1912 block.q_2().emplace_back(crypto::Poseidon2Bn254ScalarFieldParams::round_constants[in.round_idx][1]);
1913 block.q_3().emplace_back(crypto::Poseidon2Bn254ScalarFieldParams::round_constants[in.round_idx][2]);
1914 block.q_c().emplace_back(0);
1915 block.q_4().emplace_back(crypto::Poseidon2Bn254ScalarFieldParams::round_constants[in.round_idx][3]);
1916 block.set_gate_selector(1);
1917 this->check_selector_length_consistency();
1918 this->increment_num_gates();
1919}
1920
1924template <typename FF>
1925void UltraCircuitBuilder_<FF>::create_poseidon2_internal_gate(const poseidon2_internal_gate_<FF>& in)
1926{
1927 auto& block = this->blocks.poseidon2_internal;
1928 block.populate_wires(in.a, in.b, in.c, in.d);
1929 block.q_m().emplace_back(0);
1930 block.q_1().emplace_back(crypto::Poseidon2Bn254ScalarFieldParams::round_constants[in.round_idx][0]);
1931 block.q_2().emplace_back(0);
1932 block.q_3().emplace_back(0);
1933 block.q_c().emplace_back(0);
1934 block.q_4().emplace_back(0);
1935 block.set_gate_selector(1);
1936 this->check_selector_length_consistency();
1937 this->increment_num_gates();
1938}
1939
1946template <typename ExecutionTrace> msgpack::sbuffer UltraCircuitBuilder_<ExecutionTrace>::export_circuit()
1947{
1948 // You should not name `zero` by yourself
1949 // but it will be rewritten anyway
1950 auto first_zero_idx = this->get_first_variable_in_class(this->zero_idx());
1951 if (!this->variable_names.contains(first_zero_idx)) {
1952 this->set_variable_name(this->zero_idx(), "zero");
1953 } else {
1954 this->variable_names[first_zero_idx] = "zero";
1955 }
1956 using base = CircuitBuilderBase<FF>;
1957 CircuitSchemaInternal<FF> cir;
1958
1959 std::array<uint64_t, 4> modulus = {
1960 FF::Params::modulus_0, FF::Params::modulus_1, FF::Params::modulus_2, FF::Params::modulus_3
1961 };
1962 std::stringstream buf;
1963 buf << std::hex << std::setfill('0') << std::setw(16) << modulus[3] << std::setw(16) << modulus[2] << std::setw(16)
1964 << modulus[1] << std::setw(16) << modulus[0];
1965
1966 cir.modulus = buf.str();
1967
1968 for (uint32_t i = 0; i < this->num_public_inputs(); i++) {
1969 cir.public_inps.push_back(this->real_variable_index[this->public_inputs()[i]]);
1970 }
1971
1972 for (auto& tup : base::variable_names) {
1973 cir.vars_of_interest.insert({ this->real_variable_index[tup.first], tup.second });
1974 }
1975
1976 for (const auto& var : this->get_variables()) {
1977 cir.variables.push_back(var);
1978 }
1979
1980 FF curve_b;
1981 if constexpr (FF::modulus == bb::fq::modulus) {
1982 curve_b = bb::g1::curve_b;
1983 } else if constexpr (FF::modulus == grumpkin::fq::modulus) {
1984 curve_b = grumpkin::g1::curve_b;
1985 } else {
1986 curve_b = 0;
1987 }
1988
1989 for (auto& block : blocks.get()) {
1990 std::vector<std::vector<FF>> block_selectors;
1991 std::vector<std::vector<uint32_t>> block_wires;
1992 for (size_t idx = 0; idx < block.size(); ++idx) {
1993 std::vector<FF> tmp_sel = { block.q_m()[idx],
1994 block.q_1()[idx],
1995 block.q_2()[idx],
1996 block.q_3()[idx],
1997 block.q_4()[idx],
1998 block.q_c()[idx],
1999 block.q_arith()[idx],
2000 block.q_delta_range()[idx],
2001 block.q_elliptic()[idx],
2002 block.q_memory()[idx],
2003 block.q_nnf()[idx],
2004 block.q_lookup()[idx],
2005 curve_b };
2006
2007 std::vector<uint32_t> tmp_w = {
2008 this->real_variable_index[block.w_l()[idx]],
2009 this->real_variable_index[block.w_r()[idx]],
2010 this->real_variable_index[block.w_o()[idx]],
2011 this->real_variable_index[block.w_4()[idx]],
2012 };
2013
2014 if (idx < block.size() - 1) {
2015 tmp_w.push_back(block.w_l()[idx + 1]);
2016 tmp_w.push_back(block.w_r()[idx + 1]);
2017 tmp_w.push_back(block.w_o()[idx + 1]);
2018 tmp_w.push_back(block.w_4()[idx + 1]);
2019 } else {
2020 tmp_w.push_back(0);
2021 tmp_w.push_back(0);
2022 tmp_w.push_back(0);
2023 tmp_w.push_back(0);
2024 }
2025
2026 block_selectors.push_back(tmp_sel);
2027 block_wires.push_back(tmp_w);
2028 }
2029 cir.selectors.push_back(block_selectors);
2030 cir.wires.push_back(block_wires);
2031 }
2032
2033 cir.real_variable_index = this->real_variable_index;
2034
2035 for (const auto& table : this->lookup_tables) {
2036 const FF table_index(table.table_index);
2037 info("Table no: ", table.table_index);
2038 std::vector<std::vector<FF>> tmp_table;
2039 for (size_t i = 0; i < table.size(); ++i) {
2040 tmp_table.push_back({ table.column_1[i], table.column_2[i], table.column_3[i] });
2041 }
2042 cir.lookup_tables.push_back(tmp_table);
2043 }
2044
2045 cir.real_variable_tags = this->real_variable_tags;
2046
2047 for (const auto& list : range_lists) {
2048 cir.range_tags[list.second.range_tag] = list.first;
2049 }
2050
2051 for (auto& rom_table : this->rom_ram_logic.rom_arrays) {
2052 std::sort(rom_table.records.begin(), rom_table.records.end());
2053
2054 std::vector<std::vector<uint32_t>> table;
2055 table.reserve(rom_table.records.size());
2056 for (const auto& rom_entry : rom_table.records) {
2057 table.push_back({
2058 this->real_variable_index[rom_entry.index_witness],
2059 this->real_variable_index[rom_entry.value_column1_witness],
2060 this->real_variable_index[rom_entry.value_column2_witness],
2061 });
2062 }
2063 cir.rom_records.push_back(table);
2064 cir.rom_states.push_back(rom_table.state);
2065 }
2066
2067 for (auto& ram_table : this->rom_ram_logic.ram_arrays) {
2068 std::sort(ram_table.records.begin(), ram_table.records.end());
2069
2070 std::vector<std::vector<uint32_t>> table;
2071 table.reserve(ram_table.records.size());
2072 for (const auto& ram_entry : ram_table.records) {
2073 table.push_back({ this->real_variable_index[ram_entry.index_witness],
2074 this->real_variable_index[ram_entry.value_witness],
2075 this->real_variable_index[ram_entry.timestamp_witness],
2076 ram_entry.access_type });
2077 }
2078 cir.ram_records.push_back(table);
2079 cir.ram_states.push_back(ram_table.state);
2080 }
2081
2082 cir.circuit_finalized = this->circuit_finalized;
2083
2084 msgpack::sbuffer buffer;
2085 msgpack::pack(buffer, cir);
2086 return buffer;
2087}
2088
2089template class UltraCircuitBuilder_<UltraExecutionTraceBlocks>;
2090template class UltraCircuitBuilder_<MegaExecutionTraceBlocks>;
2091
2092} // namespace bb
BB_ASSERT
#define BB_ASSERT(expression,...)
Definition assert.hpp:67
BB_ASSERT_GT
#define BB_ASSERT_GT(left, right,...)
Definition assert.hpp:107
BB_ASSERT_EQ
#define BB_ASSERT_EQ(actual, expected,...)
Definition assert.hpp:77
BB_ASSERT_LTE
#define BB_ASSERT_LTE(left, right,...)
Definition assert.hpp:152
FF
bb::field< bb::Bn254FrParams > FF
Definition field.cpp:22
BB_BENCH_NAME
#define BB_BENCH_NAME(name)
Definition bb_bench.hpp:219
bb::UltraCircuitBuilder_
Definition ultra_circuit_builder.hpp:41
bb::UltraCircuitBuilder_::fix_witness
void fix_witness(const uint32_t witness_index, const FF &witness_value)
Add a gate equating a particular witness to a constant, fixing its value.
Definition ultra_circuit_builder.cpp:459
bb::UltraCircuitBuilder_::init_RAM_element
void init_RAM_element(const size_t ram_id, const size_t index_value, const uint32_t value_witness)
Initialize a RAM cell to equal value_witness
Definition ultra_circuit_builder.cpp:1816
bb::UltraCircuitBuilder_::create_ecc_dbl_gate
void create_ecc_dbl_gate(const ecc_dbl_gate_< FF > &in)
Create an elliptic curve doubling gate.
Definition ultra_circuit_builder.cpp:420
bb::UltraCircuitBuilder_::add_gates_to_ensure_all_polys_are_non_zero
void add_gates_to_ensure_all_polys_are_non_zero()
Ensure all polynomials have at least one non-zero coefficient to avoid commiting to the zero-polynomi...
Definition ultra_circuit_builder.cpp:98
bb::UltraCircuitBuilder_::process_range_list
void process_range_list(RangeList &list)
Definition ultra_circuit_builder.cpp:790
bb::UltraCircuitBuilder_::create_poseidon2_internal_gate
void create_poseidon2_internal_gate(const poseidon2_internal_gate_< FF > &in)
Poseidon2 internal round gate, activates the q_poseidon2_internal selector and relation.
Definition ultra_circuit_builder.cpp:1925
bb::UltraCircuitBuilder_::create_RAM_array
size_t create_RAM_array(const size_t array_size)
Create a new updatable memory region.
Definition ultra_circuit_builder.cpp:1803
bb::UltraCircuitBuilder_::MEMORY_SELECTORS
MEMORY_SELECTORS
Definition ultra_circuit_builder.hpp:58
bb::UltraCircuitBuilder_::create_big_mul_add_gate
void create_big_mul_add_gate(const mul_quad_< FF > &in, const bool use_next_gate_w_4=false)
Create a big multiplication-addition gate, where in.a * in.b * in.mul_scaling + in....
Definition ultra_circuit_builder.cpp:264
bb::UltraCircuitBuilder_::process_range_lists
void process_range_lists()
Definition ultra_circuit_builder.cpp:844
bb::UltraCircuitBuilder_::decompose_into_default_range
std::vector< uint32_t > decompose_into_default_range(const uint32_t variable_index, const uint64_t num_bits, const uint64_t target_range_bitnum=DEFAULT_PLOOKUP_RANGE_BITNUM, std::string const &msg="decompose_into_default_range")
Definition ultra_circuit_builder.cpp:623
bb::UltraCircuitBuilder_::export_circuit
msgpack::sbuffer export_circuit() override
Definition ultra_circuit_builder.cpp:1946
bb::UltraCircuitBuilder_::create_sort_constraint_with_edges
void create_sort_constraint_with_edges(const std::vector< uint32_t > &variable_index, const FF &, const FF &)
Definition ultra_circuit_builder.cpp:915
bb::UltraCircuitBuilder_::add_simple
std::tuple< scaled_witness, scaled_witness, FF > add_simple
Definition ultra_circuit_builder.hpp:527
bb::UltraCircuitBuilder_::read_RAM_array
uint32_t read_RAM_array(const size_t ram_id, const uint32_t index_witness)
Definition ultra_circuit_builder.cpp:1824
bb::UltraCircuitBuilder_::create_unconstrained_gates
void create_unconstrained_gates(const std::vector< uint32_t > &variable_index)
Definition ultra_circuit_builder.cpp:896
bb::UltraCircuitBuilder_::create_add_gate
void create_add_gate(const add_triple_< FF > &in)
Create an addition gate, where in.a * in.a_scaling + in.b * in.b_scaling + in.c * in....
Definition ultra_circuit_builder.cpp:241
bb::UltraCircuitBuilder_::create_big_add_gate
void create_big_add_gate(const add_quad_< FF > &in, const bool use_next_gate_w_4=false)
Create a big addition gate, where in.a * in.a_scaling + in.b * in.b_scaling + in.c * in....
Definition ultra_circuit_builder.cpp:293
bb::UltraCircuitBuilder_::FF
typename ExecutionTrace::FF FF
Definition ultra_circuit_builder.hpp:44
bb::UltraCircuitBuilder_::evaluate_non_native_field_addition
std::array< uint32_t, 5 > evaluate_non_native_field_addition(add_simple limb0, add_simple limb1, add_simple limb2, add_simple limb3, std::tuple< uint32_t, uint32_t, FF > limbp)
Construct gates for non-native field addition.
Definition ultra_circuit_builder.cpp:1537
bb::UltraCircuitBuilder_::create_ROM_array
size_t create_ROM_array(const size_t array_size)
Create a new read-only memory region (a.k.a. ROM table)
Definition ultra_circuit_builder.cpp:1788
bb::UltraCircuitBuilder_::create_gates_from_plookup_accumulators
plookup::ReadData< uint32_t > create_gates_from_plookup_accumulators(const plookup::MultiTableId &id, const plookup::ReadData< FF > &read_values, const uint32_t key_a_index, std::optional< uint32_t > key_b_index=std::nullopt)
Create gates from pre-computed accumulator values which simultaneously establish individual basic-tab...
Definition ultra_circuit_builder.cpp:536
bb::UltraCircuitBuilder_::get_table
plookup::BasicTable & get_table(const plookup::BasicTableId id)
Get the basic table with provided ID from the set of tables for the present circuit; create it if it ...
Definition ultra_circuit_builder.cpp:497
bb::UltraCircuitBuilder_::apply_nnf_selectors
void apply_nnf_selectors(const NNF_SELECTORS type)
Enable the nnf gate of particular type.
Definition ultra_circuit_builder.cpp:1114
bb::UltraCircuitBuilder_::create_ecc_add_gate
void create_ecc_add_gate(const ecc_add_gate_< FF > &in)
Create an elliptic curve addition gate.
Definition ultra_circuit_builder.cpp:371
bb::UltraCircuitBuilder_::finalize_circuit
void finalize_circuit(const bool ensure_nonzero)
Definition ultra_circuit_builder.cpp:27
bb::UltraCircuitBuilder_::create_sort_constraint
void create_sort_constraint(const std::vector< uint32_t > &variable_index)
Definition ultra_circuit_builder.cpp:865
bb::UltraCircuitBuilder_::create_poseidon2_external_gate
void create_poseidon2_external_gate(const poseidon2_external_gate_< FF > &in)
Poseidon2 external round gate, activates the q_poseidon2_external selector and relation.
Definition ultra_circuit_builder.cpp:1906
bb::UltraCircuitBuilder_::evaluate_non_native_field_multiplication
std::array< uint32_t, 2 > evaluate_non_native_field_multiplication(const non_native_multiplication_witnesses< FF > &input)
Create gates for a full non-native field multiplication identity a * b = q * p + r.
Definition ultra_circuit_builder.cpp:1288
bb::UltraCircuitBuilder_::populate_public_inputs_block
void populate_public_inputs_block()
Copy the public input idx data into the public inputs trace block.
Definition ultra_circuit_builder.cpp:75
bb::UltraCircuitBuilder_::read_ROM_array
uint32_t read_ROM_array(const size_t rom_id, const uint32_t index_witness)
Read a single element from ROM.
Definition ultra_circuit_builder.cpp:1883
bb::UltraCircuitBuilder_::create_range_list
RangeList create_range_list(const uint64_t target_range)
Definition ultra_circuit_builder.cpp:589
bb::UltraCircuitBuilder_::put_constant_variable
uint32_t put_constant_variable(const FF &variable)
Definition ultra_circuit_builder.cpp:476
bb::UltraCircuitBuilder_::set_ROM_element
void set_ROM_element(const size_t rom_id, const size_t index_value, const uint32_t value_witness)
Initialize a rom cell to equal value_witness
Definition ultra_circuit_builder.cpp:1853
bb::UltraCircuitBuilder_::create_bool_gate
void create_bool_gate(const uint32_t a)
Generate an arithmetic gate equivalent to x^2 - x = 0, which forces x to be 0 or 1.
Definition ultra_circuit_builder.cpp:315
bb::UltraCircuitBuilder_::write_RAM_array
void write_RAM_array(const size_t ram_id, const uint32_t index_witness, const uint32_t value_witness)
Definition ultra_circuit_builder.cpp:1830
bb::UltraCircuitBuilder_::set_ROM_element_pair
void set_ROM_element_pair(const size_t rom_id, const size_t index_value, const std::array< uint32_t, 2 > &value_witnesses)
Initialize a ROM array element with a pair of witness values.
Definition ultra_circuit_builder.cpp:1868
bb::UltraCircuitBuilder_::read_ROM_array_pair
std::array< uint32_t, 2 > read_ROM_array_pair(const size_t rom_id, const uint32_t index_witness)
Read a pair of elements from ROM.
Definition ultra_circuit_builder.cpp:1896
bb::UltraCircuitBuilder_::NNF_SELECTORS
NNF_SELECTORS
Definition ultra_circuit_builder.hpp:68
bb::UltraCircuitBuilder_::range_constrain_two_limbs
void range_constrain_two_limbs(const uint32_t lo_idx, const uint32_t hi_idx, const size_t lo_limb_bits=DEFAULT_NON_NATIVE_FIELD_LIMB_BITS, const size_t hi_limb_bits=DEFAULT_NON_NATIVE_FIELD_LIMB_BITS, std::string const &msg="range_constrain_two_limbs")
Definition ultra_circuit_builder.cpp:1193
bb::UltraCircuitBuilder_::queue_partial_non_native_field_multiplication
std::array< uint32_t, 2 > queue_partial_non_native_field_multiplication(const non_native_partial_multiplication_witnesses< FF > &input)
Queue the addition of gates constraining the limb-multiplication part of a non native field mul.
Definition ultra_circuit_builder.cpp:1493
bb::UltraCircuitBuilder_::evaluate_non_native_field_subtraction
std::array< uint32_t, 5 > evaluate_non_native_field_subtraction(add_simple limb0, add_simple limb1, add_simple limb2, add_simple limb3, std::tuple< uint32_t, uint32_t, FF > limbp)
Construct gates for non-native field subtraction.
Definition ultra_circuit_builder.cpp:1659
bb::UltraCircuitBuilder_::apply_memory_selectors
void apply_memory_selectors(const MEMORY_SELECTORS type)
Enable the memory gate of particular type.
Definition ultra_circuit_builder.cpp:992
bb::UltraCircuitBuilder_::process_non_native_field_multiplications
void process_non_native_field_multiplications()
Iterates over the cached_non_native_field_multiplication objects, removes duplicates,...
Definition ultra_circuit_builder.cpp:1454
bb::UltraCircuitBuilder_::create_new_range_constraint
void create_new_range_constraint(const uint32_t variable_index, const uint64_t target_range, std::string const msg="create_new_range_constraint")
Constrain a variable to a range.
Definition ultra_circuit_builder.cpp:738
bb::UltraCircuitBuilder_::create_arithmetic_gate
void create_arithmetic_gate(const arithmetic_triple_< FF > &in)
A plonk gate with disabled (set to zero) fourth wire. q_m * a * b + q_1 * a + q_2 * b + q_3.
Definition ultra_circuit_builder.cpp:338
bb::group::curve_b
static constexpr Fq curve_b
Definition group.hpp:51
bb::numeric::uint256_t
Definition uint256.hpp:32
bb::numeric::uint256_t::data
uint64_t data[4]
Definition uint256.hpp:207
bb::numeric::uint256_t::get_msb
constexpr uint64_t get_msb() const
Definition uint256_impl.hpp:329
bb::plookup::ReadData
Container type for lookup table reads.
Definition types.hpp:341
bb::plookup::ReadData::lookup_entries
std::vector< BasicTable::LookupEntry > lookup_entries
Definition types.hpp:347
info
void info(Args... args)
Definition log.hpp:75
a
FF a
Definition field_gt.test.cpp:52
b
FF b
Definition field_gt.test.cpp:53
buf
uint8_t const * buf
Definition data_store.hpp:9
buffer
uint8_t buffer[RANDOM_BUFFER_SIZE]
Definition engine.cpp:34
msgpack_impl.hpp
bb::plookup::get_lookup_accumulators
ReadData< bb::fr > get_lookup_accumulators(const MultiTableId id, const fr &key_a, const fr &key_b, const bool is_2_to_1_lookup)
Given a table ID and the key(s) for a key-value lookup, return the lookup accumulators.
Definition plookup_tables.cpp:138
bb::plookup::HONK_DUMMY_MULTI
@ HONK_DUMMY_MULTI
Definition types.hpp:116
bb::plookup::create_basic_table
BasicTable create_basic_table(const BasicTableId id, const size_t index)
Definition plookup_tables.cpp:223
bb::plookup::get_multitable
const MultiTable & get_multitable(const MultiTableId id)
Return the multitable with the provided ID; construct all MultiTables if not constructed already.
Definition plookup_tables.cpp:116
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
bb::fr
field< Bn254FrParams > fr
Definition fr.hpp:174
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
poseidon2_params.hpp
ref_vector.hpp
rom_ram_logic.hpp
bb::CircuitSchemaInternal
Serialized state of a circuit.
Definition circuit_builder_base.hpp:291
bb::CircuitSchemaInternal::selectors
std::vector< std::vector< std::vector< FF > > > selectors
Definition circuit_builder_base.hpp:296
bb::CircuitSchemaInternal::real_variable_index
std::vector< uint32_t > real_variable_index
Definition circuit_builder_base.hpp:298
bb::CircuitSchemaInternal::range_tags
std::unordered_map< uint32_t, uint64_t > range_tags
Definition circuit_builder_base.hpp:301
bb::CircuitSchemaInternal::vars_of_interest
std::unordered_map< uint32_t, std::string > vars_of_interest
Definition circuit_builder_base.hpp:294
bb::CircuitSchemaInternal::ram_states
std::vector< std::vector< uint32_t > > ram_states
Definition circuit_builder_base.hpp:305
bb::CircuitSchemaInternal::rom_states
std::vector< std::vector< std::array< uint32_t, 2 > > > rom_states
Definition circuit_builder_base.hpp:303
bb::CircuitSchemaInternal::ram_records
std::vector< std::vector< std::vector< uint32_t > > > ram_records
Definition circuit_builder_base.hpp:304
bb::CircuitSchemaInternal::rom_records
std::vector< std::vector< std::vector< uint32_t > > > rom_records
Definition circuit_builder_base.hpp:302
bb::CircuitSchemaInternal::lookup_tables
std::vector< std::vector< std::vector< FF > > > lookup_tables
Definition circuit_builder_base.hpp:299
bb::CircuitSchemaInternal::real_variable_tags
std::vector< uint32_t > real_variable_tags
Definition circuit_builder_base.hpp:300
bb::CircuitSchemaInternal::public_inps
std::vector< uint32_t > public_inps
Definition circuit_builder_base.hpp:293
bb::CircuitSchemaInternal::wires
std::vector< std::vector< std::vector< uint32_t > > > wires
Definition circuit_builder_base.hpp:297
bb::UltraCircuitBuilder_::RangeList
Definition ultra_circuit_builder.hpp:77
bb::UltraCircuitBuilder_::RangeList::range_tag
uint32_t range_tag
Definition ultra_circuit_builder.hpp:79
bb::UltraCircuitBuilder_::RangeList::target_range
uint64_t target_range
Definition ultra_circuit_builder.hpp:78
bb::UltraCircuitBuilder_::RangeList::tau_tag
uint32_t tau_tag
Definition ultra_circuit_builder.hpp:80
bb::UltraCircuitBuilder_::RangeList::variable_indices
std::vector< uint32_t > variable_indices
Definition ultra_circuit_builder.hpp:81
bb::UltraCircuitBuilder_::cached_partial_non_native_field_multiplication
Used to store instructions to create partial_non_native_field_multiplication gates.
Definition ultra_circuit_builder.hpp:95
bb::UltraCircuitBuilder_::cached_partial_non_native_field_multiplication::a
std::array< uint32_t, 4 > a
Definition ultra_circuit_builder.hpp:96
bb::add_quad_
Definition gate_data.hpp:26
bb::add_quad_::a
uint32_t a
Definition gate_data.hpp:27
bb::add_quad_::b
uint32_t b
Definition gate_data.hpp:28
bb::add_quad_::const_scaling
FF const_scaling
Definition gate_data.hpp:35
bb::add_quad_::a_scaling
FF a_scaling
Definition gate_data.hpp:31
bb::add_quad_::c_scaling
FF c_scaling
Definition gate_data.hpp:33
bb::add_quad_::d
uint32_t d
Definition gate_data.hpp:30
bb::add_quad_::b_scaling
FF b_scaling
Definition gate_data.hpp:32
bb::add_quad_::c
uint32_t c
Definition gate_data.hpp:29
bb::add_quad_::d_scaling
FF d_scaling
Definition gate_data.hpp:34
bb::add_triple_
Definition gate_data.hpp:16
bb::add_triple_::a
uint32_t a
Definition gate_data.hpp:17
bb::add_triple_::const_scaling
FF const_scaling
Definition gate_data.hpp:23
bb::add_triple_::b_scaling
FF b_scaling
Definition gate_data.hpp:21
bb::add_triple_::c_scaling
FF c_scaling
Definition gate_data.hpp:22
bb::add_triple_::c
uint32_t c
Definition gate_data.hpp:19
bb::add_triple_::a_scaling
FF a_scaling
Definition gate_data.hpp:20
bb::add_triple_::b
uint32_t b
Definition gate_data.hpp:18
bb::arithmetic_triple_
Definition gate_data.hpp:57
bb::arithmetic_triple_::q_m
FF q_m
Definition gate_data.hpp:61
bb::arithmetic_triple_::q_o
FF q_o
Definition gate_data.hpp:64
bb::arithmetic_triple_::q_r
FF q_r
Definition gate_data.hpp:63
bb::arithmetic_triple_::q_c
FF q_c
Definition gate_data.hpp:65
bb::arithmetic_triple_::c
uint32_t c
Definition gate_data.hpp:60
bb::arithmetic_triple_::a
uint32_t a
Definition gate_data.hpp:58
bb::arithmetic_triple_::q_l
FF q_l
Definition gate_data.hpp:62
bb::arithmetic_triple_::b
uint32_t b
Definition gate_data.hpp:59
bb::crypto::Poseidon2Bn254ScalarFieldParams::round_constants
static constexpr std::array< std::array< FF, t >, rounds_f+rounds_p > round_constants
Definition poseidon2_params.hpp:58
bb::ecc_add_gate_
Definition gate_data.hpp:127
bb::ecc_add_gate_::x1
uint32_t x1
Definition gate_data.hpp:128
bb::ecc_add_gate_::x2
uint32_t x2
Definition gate_data.hpp:130
bb::ecc_add_gate_::y2
uint32_t y2
Definition gate_data.hpp:131
bb::ecc_add_gate_::y1
uint32_t y1
Definition gate_data.hpp:129
bb::ecc_add_gate_::y3
uint32_t y3
Definition gate_data.hpp:133
bb::ecc_add_gate_::x3
uint32_t x3
Definition gate_data.hpp:132
bb::ecc_add_gate_::sign_coefficient
FF sign_coefficient
Definition gate_data.hpp:134
bb::ecc_dbl_gate_
Definition gate_data.hpp:136
bb::ecc_dbl_gate_::x1
uint32_t x1
Definition gate_data.hpp:137
bb::ecc_dbl_gate_::y1
uint32_t y1
Definition gate_data.hpp:138
bb::ecc_dbl_gate_::x3
uint32_t x3
Definition gate_data.hpp:139
bb::ecc_dbl_gate_::y3
uint32_t y3
Definition gate_data.hpp:140
bb::field< bb::Bn254FrParams >::modulus
static constexpr uint256_t modulus
Definition field_declarations.hpp:197
bb::field::to_montgomery_form
BB_INLINE constexpr field to_montgomery_form() const noexcept
Definition field_impl.hpp:282
bb::mul_quad_
Definition gate_data.hpp:37
bb::mul_quad_::b
uint32_t b
Definition gate_data.hpp:39
bb::mul_quad_::const_scaling
FF const_scaling
Definition gate_data.hpp:47
bb::mul_quad_::a
uint32_t a
Definition gate_data.hpp:38
bb::mul_quad_::mul_scaling
FF mul_scaling
Definition gate_data.hpp:42
bb::mul_quad_::c_scaling
FF c_scaling
Definition gate_data.hpp:45
bb::mul_quad_::d_scaling
FF d_scaling
Definition gate_data.hpp:46
bb::mul_quad_::d
uint32_t d
Definition gate_data.hpp:41
bb::mul_quad_::b_scaling
FF b_scaling
Definition gate_data.hpp:44
bb::mul_quad_::a_scaling
FF a_scaling
Definition gate_data.hpp:43
bb::mul_quad_::c
uint32_t c
Definition gate_data.hpp:40
bb::non_native_multiplication_witnesses
Definition ultra_circuit_builder.hpp:25
bb::non_native_multiplication_witnesses::a
std::array< uint32_t, 4 > a
Definition ultra_circuit_builder.hpp:27
bb::non_native_multiplication_witnesses::q
std::array< uint32_t, 4 > q
Definition ultra_circuit_builder.hpp:29
bb::non_native_multiplication_witnesses::b
std::array< uint32_t, 4 > b
Definition ultra_circuit_builder.hpp:28
bb::non_native_multiplication_witnesses::r
std::array< uint32_t, 4 > r
Definition ultra_circuit_builder.hpp:30
bb::non_native_multiplication_witnesses::neg_modulus
std::array< FF, 4 > neg_modulus
Definition ultra_circuit_builder.hpp:31
bb::non_native_partial_multiplication_witnesses
Definition ultra_circuit_builder.hpp:34
bb::non_native_partial_multiplication_witnesses::b
std::array< uint32_t, 4 > b
Definition ultra_circuit_builder.hpp:37
bb::non_native_partial_multiplication_witnesses::a
std::array< uint32_t, 4 > a
Definition ultra_circuit_builder.hpp:36
bb::plookup::BasicTable
A basic table from which we can perform lookups (for example, an xor table)
Definition types.hpp:271
bb::plookup::BasicTable::lookup_gates
std::vector< LookupEntry > lookup_gates
Definition types.hpp:307
bb::plookup::BasicTable::size
size_t size() const
Definition types.hpp:318
bb::plookup::BasicTable::column_3
std::vector< bb::fr > column_3
Definition types.hpp:306
bb::plookup::BasicTable::column_2
std::vector< bb::fr > column_2
Definition types.hpp:305
bb::plookup::BasicTable::column_1
std::vector< bb::fr > column_1
Definition types.hpp:304
bb::poseidon2_external_gate_
Definition gate_data.hpp:149
bb::poseidon2_external_gate_::a
uint32_t a
Definition gate_data.hpp:150
bb::poseidon2_external_gate_::d
uint32_t d
Definition gate_data.hpp:153
bb::poseidon2_external_gate_::round_idx
size_t round_idx
Definition gate_data.hpp:154
bb::poseidon2_external_gate_::c
uint32_t c
Definition gate_data.hpp:152
bb::poseidon2_external_gate_::b
uint32_t b
Definition gate_data.hpp:151
bb::poseidon2_internal_gate_
Definition gate_data.hpp:158
bb::poseidon2_internal_gate_::a
uint32_t a
Definition gate_data.hpp:159
bb::poseidon2_internal_gate_::d
uint32_t d
Definition gate_data.hpp:162
bb::poseidon2_internal_gate_::c
uint32_t c
Definition gate_data.hpp:161
bb::poseidon2_internal_gate_::round_idx
size_t round_idx
Definition gate_data.hpp:163
bb::poseidon2_internal_gate_::b
uint32_t b
Definition gate_data.hpp:160
ultra_circuit_builder.hpp