-
Notifications
You must be signed in to change notification settings - Fork 305
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Elliptic Curve Virtual Machine Circuit #1268
Conversation
added missing relation to msm)_relation
added missing relation to msm)_relation
*/ | ||
std::get<11>(accumulator) += precompute_select * scalar_sum_new * scaled_transition; | ||
// (2, 3 combined): q_transition * (pc - pc_shift - 1) + (-q_transition + 1) * (pc_shift - pc) | ||
// => q_transition * (2 * (pc - pc_shift) - 1) + (pc_shift - pc) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This formula doesn't match the one you have in the code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I...think it does? I rewrote the comment formula to better match the code. Can you double check this as I am fairly confident the formula matches
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the code you are multiplying the whole ((2 * (pc - pc_shift) - 1) + (pc_shift - pc)) by q_transition. In the comments just the (-2* pc_delta -1)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oh got it. Thanks for spotting that Kesha, will update.
std::get<18>(accumulator) += precompute_select_zero * round; | ||
std::get<19>(accumulator) += precompute_select_zero * pc; | ||
|
||
// TODO(@zac-williamson) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Issue?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
|
||
/** | ||
* @brief Validate `op` opcode is well formed. | ||
* `op` is defined to be q_reset_accumulator + 2 * q_eq + 2 * q_mul + 4 * q_add, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should be 1, 2,4, 8, tight?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, thanks for spotting will change
* @brief Validate `op` opcode is well formed. | ||
* `op` is defined to be q_reset_accumulator + 2 * q_eq + 2 * q_mul + 4 * q_add, | ||
* where q_reset_accumulator, q_eq, q_mul, q_add are all boolean | ||
* (todo, bool constrain?) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please create an issue
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@@ -0,0 +1,273 @@ | |||
#include "barretenberg/crypto/generators/generator_data.hpp" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is no check for reset opcode
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The eq
circuit builder method actually creates both an eq
and a reset
opcode. I've renamed to eq
to eq_and_reset
to better describe its function.
|
||
/** | ||
* @brief Expression for the StandardArithmetic gate. | ||
* @dbetails The relation is defined as C(extended_edges(X)...) = |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Leftover comments
.../cpp/barretenberg/cpp/src/barretenberg/proof_system/relations/ecc_vm/ecc_lookup_relation.cpp
Outdated
Show resolved
Hide resolved
...its/cpp/barretenberg/cpp/src/barretenberg/proof_system/relations/ecc_vm/ecc_set_relation.hpp
Outdated
Show resolved
Hide resolved
wnaf_slice += wnaf_slice; | ||
wnaf_slice += s1; | ||
|
||
// todo can optimize |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Issues?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the issue? Sorry could you clarify?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you create issues for these todos?
* @brief First term: tuple of (pc, round, wnaf_slice), computed when slicing scalar multipliers into slices, | ||
* as part of ECCVMWnafRelation. | ||
* If precompute_select = 1, tuple entry = (wnaf-slice + point-counter * beta + msm-round * beta_sqr). | ||
* There are 4 tuple entires per row. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Typo
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could you clarify? what's the typo?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
4 tuple "entires" per row
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks, fixed
...its/cpp/barretenberg/cpp/src/barretenberg/proof_system/relations/ecc_vm/ecc_set_relation.cpp
Outdated
Show resolved
Hide resolved
...barretenberg/cpp/src/barretenberg/proof_system/relations/ecc_vm/ecc_point_table_relation.hpp
Outdated
Show resolved
Hide resolved
...its/cpp/barretenberg/cpp/src/barretenberg/proof_system/relations/ecc_vm/ecc_msm_relation.hpp
Outdated
Show resolved
Hide resolved
...its/cpp/barretenberg/cpp/src/barretenberg/proof_system/relations/ecc_vm/ecc_msm_relation.cpp
Outdated
Show resolved
Hide resolved
std::get<9>(accumulator) += (x4_delta * collision_inverse4 - add_fourth_point) * scaling_factor; | ||
|
||
// Validate that if q_add = 1 or q_skew = 1, add1 also is 1 | ||
// TODO(@zac-williamson) Once we have a stable base to work off of, remove q_add1 and replace with q_msm_add + |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Issue?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
✅ #2222
🤖 I have created a release *beep* *boop* --- <details><summary>aztec-packages: 0.7.4</summary> ## [0.7.4](aztec-packages-v0.7.3...aztec-packages-v0.7.4) (2023-09-15) ### Features * Elliptic Curve Virtual Machine Circuit ([#1268](#1268)) ([f85ecd9](f85ecd9)) * Exposing nargo version via `NodeInfo` ([#2333](#2333)) ([1c2669c](1c2669c)), closes [#2332](#2332) * Migrate accounts to auth witness ([#2281](#2281)) ([91152af](91152af)), closes [#2043](#2043) ### Bug Fixes * Aztec-nr mirror url ([#2321](#2321)) ([aaf7f67](aaf7f67)) * **build:** Fixed paths on s3 deployments ([#2335](#2335)) ([38c7979](38c7979)) ### Miscellaneous * Do not format boxes with global format ([#2326](#2326)) ([2fe845f](2fe845f)) * Remove native token ([#2280](#2280)) ([4032d01](4032d01)) * Rename getAccounts to getRegisteredAccounts ([#2330](#2330)) ([c7f3776](c7f3776)) </details> <details><summary>barretenberg.js: 0.7.4</summary> ## [0.7.4](barretenberg.js-v0.7.3...barretenberg.js-v0.7.4) (2023-09-15) ### Miscellaneous * **barretenberg.js:** Synchronize aztec-packages versions </details> <details><summary>barretenberg: 0.7.4</summary> ## [0.7.4](barretenberg-v0.7.3...barretenberg-v0.7.4) (2023-09-15) ### Features * Elliptic Curve Virtual Machine Circuit ([#1268](#1268)) ([f85ecd9](f85ecd9)) </details> --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
This is a 6000-line PR with no description. |
Not one of the new classes in circuit_builder/eccvm has a description. |
I've added a description to the PR. mea culpa.
Kesha very kindly has offered to add these. My intention was to thoroughly document all the new classes, these ones I completely forgot about, my bad. |
Description
This PR defines a new Honk flavour, ECCVM, that describes a circuit that evaluates a virtual machine designed to compute elliptic curve operations.
A full specification of the ECCVM is at https://hackmd.io/@aztec-network/rJ5xhuCsn?type=view
The intention is to use the ECCVM to efficiently evaluate large numbers of elliptic curve multiscalar multiplications over the grumpkin curve, inside a BN254 circuit.
The ECCVM is agnostic to the underlying curves, however. The only requirement is that the ECCVM operations are over a curve whose coordinate field is equal to the
ECCVM::FF
prime field (which is parametrisable).This PR adds the following key entities:
ECCVMCircuitBuilder
: constructs an ECCVM circuit given an opcode trace for the ECCVM. This class also defines the ECCVM instruction set and can be used to assemble an ECCVM opcode traceA full specification of the ECCVM is at https://hackmd.io/@aztec-network/rJ5xhuCsn?type=view
Checklist: