Barretenberg: src/barretenberg/vm2/simulation/gadgets/ecc.cpp Source File

#include "barretenberg/vm2/simulation/gadgets/ecc.hpp"

#include "barretenberg/vm2/common/field.hpp"

#include "barretenberg/vm2/common/uint1.hpp"

#include "barretenberg/vm2/simulation/events/ecc_events.hpp"


namespace bb::avm2::simulation {


namespace {


class InternalEccException : public std::runtime_error {

  public:

    using std::runtime_error::runtime_error; // Inherit the constructor.

};


} // namespace


EmbeddedCurvePoint Ecc::add(const EmbeddedCurvePoint& p, const EmbeddedCurvePoint& q)

{

    // Check if points are on the curve. These will throw an unexpected exception if they fail.

    BB_ASSERT(p.on_curve(), "Point p is not on the curve");

    BB_ASSERT(q.on_curve(), "Point q is not on the curve");


    EmbeddedCurvePoint result = p + q;

    add_events.emit({ .p = p, .q = q, .result = result });

    return result;

}


EmbeddedCurvePoint Ecc::scalar_mul(const EmbeddedCurvePoint& point, const FF& scalar)

{

    // This is bad - the scalar mul circuit assumes that the point is on the curve.

    // This will throw an unexpected exception if it fails.

    BB_ASSERT(point.on_curve(), "Point must be on the curve for scalar multiplication");


    // FF bit size == 254.

    auto intermediate_states = std::vector<ScalarMulIntermediateState>(254);

    // Emits ToRadixEvent, see #[TO_RADIX] in scalar_mul.pil.

    auto bits = to_radix.to_le_bits(scalar, 254).first;


    // First iteration does conditional assignment instead of addition. Note: in circuit we perform reverse aggregation,

    // so the corresponding constraints for below are gated by 'end'.


    // See 'Temp Computation' section in scalar_mul.pil.

    EmbeddedCurvePoint temp = point;

    bool bit = bits[0];


    // See 'Result Computation' section in scalar_mul.pil.

    EmbeddedCurvePoint result = bit ? temp : EmbeddedCurvePoint::infinity();

    intermediate_states[0] = { result, temp, bit };


    for (size_t i = 1; i < 254; i++) {

        bit = bits[i];

        // Emits EccAddEvent, see #[DOUBLE] in scalar_mul.pil.

        temp = add(temp, temp);

        if (bit) {

            // Emits EccAddEvent, see #[ADD] in scalar_mul.pil.

            result = add(result, temp);

        }

        intermediate_states[i] = { result, temp, bit };

    }

    scalar_mul_events.emit(

        { .point = point, .scalar = scalar, .intermediate_states = std::move(intermediate_states), .result = result });

    return result;

}


void Ecc::add(MemoryInterface& memory,

              const EmbeddedCurvePoint& p,

              const EmbeddedCurvePoint& q,

              MemoryAddress dst_address)

{

    uint32_t execution_clk = execution_id_manager.get_execution_id();

    uint16_t space_id = memory.get_space_id();


    try {

        // The resulting EmbeddedCurvePoint is (x, y), stored at dst_address and dst_address + 1 respectively.

        // Therefore, the maximum address that needs to be written to is dst_address + 1.

        uint64_t max_write_address = static_cast<uint64_t>(dst_address) + 1;

        // Emits GreaterThanEvent, see #[CHECK_DST_ADDR_IN_RANGE] in ecc_mem.pil.

        if (gt.gt(max_write_address, AVM_HIGHEST_MEM_ADDRESS)) {

            throw InternalEccException("dst address out of range");

        }


        if (!p.on_curve() || !q.on_curve()) {

            throw InternalEccException("One of the points is not on the curve");

        }


        // Emits EccAddEvent, see #[INPUT_OUTPUT_ECC_ADD] in ecc_mem.pil.

        EmbeddedCurvePoint result = add(p, q); // Cannot throw since we have checked on_curve().


        // Emits MemoryEvents, see #[WRITE_MEM_i] for i = 0, 1 in ecc_mem.pil.

        memory.set(dst_address, MemoryValue::from<FF>(result.x()));

        memory.set(dst_address + 1, MemoryValue::from<FF>(result.y()));


        add_memory_events.emit({ .execution_clk = execution_clk,

                                 .space_id = space_id,

                                 .p = p,

                                 .q = q,

                                 .result = result,

                                 .dst_address = dst_address });

    } catch (const InternalEccException& e) {

        // Note this point is technically infinity, but we are treating it as 'empty' to corresponds

        // to default values the circuit will assign. Since we have caught an InternalEccException,

        // we have an error which the circuit should recognise and assign sel_should_exec == 0, so res will not be

        // treated as inf.

        EmbeddedCurvePoint res = EmbeddedCurvePoint(0, 0);

        add_memory_events.emit({ .execution_clk = execution_clk,

                                 .space_id = space_id,

                                 .p = p,

                                 .q = q,

                                 .result = res,

                                 .dst_address = dst_address });

        throw EccException("Add failed: " + std::string(e.what()));

    }

}


} // namespace bb::avm2::simulation

BB_ASSERT
#define BB_ASSERT(expression,...)
Definition assert.hpp:70

AVM_HIGHEST_MEM_ADDRESS
#define AVM_HIGHEST_MEM_ADDRESS
Definition aztec_constants.hpp:44

bb::avm2::StandardAffinePoint< AvmFlavorSettings::EmbeddedCurve::AffineElement >

bb::avm2::StandardAffinePoint< AvmFlavorSettings::EmbeddedCurve::AffineElement >::infinity
static const StandardAffinePoint & infinity()
Definition standard_affine_point.hpp:82

bb::avm2::StandardAffinePoint::x
constexpr const BaseField & x() const noexcept
Definition standard_affine_point.hpp:78

bb::avm2::StandardAffinePoint::y
constexpr const BaseField & y() const noexcept
Definition standard_affine_point.hpp:80

bb::avm2::StandardAffinePoint::on_curve
constexpr bool on_curve() const noexcept
Definition standard_affine_point.hpp:74

bb::avm2::gt
Definition gt.hpp:33

bb::avm2::memory
Definition memory.hpp:36

bb::avm2::simulation::Ecc::scalar_mul_events
EventEmitterInterface< ScalarMulEvent > & scalar_mul_events
Definition ecc.hpp:40

bb::avm2::simulation::Ecc::add
EmbeddedCurvePoint add(const EmbeddedCurvePoint &p, const EmbeddedCurvePoint &q) override
Adds Grumpkin curve points P and Q and emits an EccAddEvent. Corresponds to the non-memory aware subt...
Definition ecc.cpp:30

bb::avm2::simulation::Ecc::scalar_mul
EmbeddedCurvePoint scalar_mul(const EmbeddedCurvePoint &point, const FF &scalar) override
Performs scalar multiplication of an FF value with a Grumpkin curve point using the double and add al...
Definition ecc.cpp:55

bb::avm2::simulation::Ecc::add_memory_events
EventEmitterInterface< EccAddMemoryEvent > & add_memory_events
Definition ecc.hpp:41

bb::avm2::simulation::Ecc::execution_id_manager
ExecutionIdManagerInterface & execution_id_manager
Definition ecc.hpp:44

bb::avm2::simulation::Ecc::add_events
EventEmitterInterface< EccAddEvent > & add_events
Definition ecc.hpp:39

bb::avm2::simulation::ExecutionIdGetterInterface::get_execution_id
virtual uint32_t get_execution_id() const =0

bb::avm2::simulation::MemoryInterface
Definition memory.hpp:10

bb::avm2::to_radix
Definition to_radix.hpp:35

CalldataCopyMutationOptions::dst_address
@ dst_address

ecc_events.hpp

bb::avm2::simulation
AVM range check gadget for witness generation.
Definition address_derivation_event.hpp:6

bb::avm2::FF
AvmFlavorSettings::FF FF
Definition field.hpp:10

bb::avm2::EmbeddedCurvePoint
StandardAffinePoint< AvmFlavorSettings::EmbeddedCurve::AffineElement > EmbeddedCurvePoint
Definition field.hpp:12

bb::avm2::MemoryAddress
uint32_t MemoryAddress
Definition memory_types.hpp:11

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

ecc.hpp

bb::avm2::simulation::EccException
Definition ecc_events.hpp:8

uint1.hpp

field.hpp