Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(3738): AVM basic arithmetic operations for non ff types #3881

Merged
merged 40 commits into from
Jan 23, 2024
Merged
Show file tree
Hide file tree
Changes from 36 commits
Commits
Show all changes
40 commits
Select commit Hold shift + click to select a range
8ff7315
PIL relations for u8, u16, u32, u64, u128 additions
jeanmon Dec 20, 2023
0258f34
PIL relations for subtraction of u8, u16, u32, u64, 128 types
jeanmon Dec 21, 2023
8594bfc
3738 - explanations on arithmetic operations PIL relations
jeanmon Jan 2, 2024
d3f0a13
3738 - additions and subtractions re-visited with 16-bit registers
jeanmon Jan 2, 2024
09a4490
Merge branch 'avm-main' into jm/3738-u32-arithmetic
jeanmon Jan 3, 2024
2300f96
3738 - pil relations for multiplication types u8, u16, u32, u64
jeanmon Jan 3, 2024
87b873b
3738 - pil relations for u128 multiplication
jeanmon Jan 3, 2024
f74ca13
Merge branch 'avm-main' into jm/3738-arithmetic-non-ff
jeanmon Jan 5, 2024
55fab70
3738 - First version of Alu trace files
jeanmon Jan 5, 2024
650eec3
3738 - witness generation for addition
jeanmon Jan 8, 2024
31ff1a7
Merge branch 'master' into jm/3738-arithmetic-non-ff
jeanmon Jan 8, 2024
7a64651
Merge branch 'master' into jm/3738-arithmetic-non-ff
jeanmon Jan 8, 2024
115a40a
3738 - create common header file for tests
jeanmon Jan 9, 2024
b9d878f
3738 - rename arithmetic test suite specific for FF
jeanmon Jan 9, 2024
ee53436
3738 - move FF addition to alu chip and create a unit test for u8
jeanmon Jan 9, 2024
95e9e9f
3738 - first unit tests for u8
jeanmon Jan 9, 2024
d365314
3738 - positive unit tests for addition
jeanmon Jan 10, 2024
a93c9b4
3738 - witness generation for subtraction and move ff pil relation to
jeanmon Jan 10, 2024
74e8714
3738 - add unit tests for subtraction and swap u128 addition unit tests
jeanmon Jan 11, 2024
8e4f299
3738 - add witness generation for multiplication with types u8, u16,
jeanmon Jan 11, 2024
0a65b54
3738 - add positive unit tests for addition with type u8, u16, u32, u64
jeanmon Jan 11, 2024
fab58b9
3738 - witness generation for addition over u128
jeanmon Jan 11, 2024
1536b28
3738: style improvement and comments
jeanmon Jan 12, 2024
5d9bda5
3738 - bugfixing PIL relation for u128 multiplication and unit tests
jeanmon Jan 12, 2024
c13c702
Merge branch 'master' into jm/3738-arithmetic-non-ff
jeanmon Jan 12, 2024
ecacbbc
Merge branch 'master' into jm/3738-arithmetic-non-ff
jeanmon Jan 12, 2024
5e7570e
Merge branch 'master' into jm/3738-arithmetic-non-ff
jeanmon Jan 15, 2024
5ab8ffc
3738 - add basic negative unit tests for each operation and type
jeanmon Jan 15, 2024
394d18c
3738 - rewrite addition and subtraction relations according to Zac's
jeanmon Jan 17, 2024
b2ed4f3
3738 - further PIL relation consolidation for add/sub
jeanmon Jan 17, 2024
41391f6
3738 - consolidate multiplication relations for u8, u16, u32, u64
jeanmon Jan 18, 2024
3feb72e
3738 - comparator for memory traces migrated as < operator overload
jeanmon Jan 18, 2024
10eebde
3738 - adding some TODO in comments
jeanmon Jan 18, 2024
7ce1cf6
Merge branch 'master' into jm/3738-arithmetic-non-ff
jeanmon Jan 18, 2024
ce60c4a
Merge branch 'master' into jm/3738-arithmetic-non-ff
jeanmon Jan 19, 2024
23e2dcd
3738 - Re-generate AVM related files with new namespace (after master
jeanmon Jan 19, 2024
2fecc75
Merge branch 'master' into testing-merge-arith
jeanmon Jan 22, 2024
b0d262d
3738 - capitalize enum values
jeanmon Jan 22, 2024
78457db
Merge branch 'master' into jm/3738-arithmetic-non-ff
jeanmon Jan 23, 2024
14f794c
Merge branch 'master' into jm/3738-arithmetic-non-ff
jeanmon Jan 23, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 21 additions & 0 deletions barretenberg/cpp/pil/avm/README.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
This folder contains PIL relations for the AVM.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 !


Applied heuristic to assess the cost of a relation is given below.
This will be used to determine whether it is worth to merge some
relations into one.

N_mul = number of mulitplication in the relation
N_add = number of additions/subtraction in the relation
deg = degree of the relation (total degree of the polynomial)

Relation cost: degree * (N_mul + N_add/4)

Remark: addition/multiplication with a constant counts as well in the above metrics
Remark: For edge case, we prefer keep a good readability rather than merging.

Future: There is an optimization in sumcheck protocol allowing to skip some
rows for relations which are not enabled for them (applies when not
enabled over 2 adjacent rows). However, this feature is not yet enabled
in the AVM context. This might change the decision on whether some relations
should be merged or not. Basically, merging relations would decrease the
likelihood to be disabled over adjacent rows.
201 changes: 201 additions & 0 deletions barretenberg/cpp/pil/avm/alu_chip.pil
Original file line number Diff line number Diff line change
@@ -0,0 +1,201 @@
include "avm_mini.pil";

namespace aluChip(256);

// ========= Table ALU-TR =================================================

// References to main trace table of sub-operations, clk, intermediate
// registers, operation selectors.
// TODO: Think on optimizations to decrease the number of such "copied" columns
pol commit alu_clk;
pol commit alu_ia; // Intermediate registers
pol commit alu_ib;
pol commit alu_ic;
pol commit alu_op_add; // Operation selectors
pol commit alu_op_sub;
pol commit alu_op_mul;
pol commit alu_op_div;

// Flattened boolean instruction tags
pol commit alu_ff_tag;
pol commit alu_u8_tag;
pol commit alu_u16_tag;
pol commit alu_u32_tag;
pol commit alu_u64_tag;
pol commit alu_u128_tag;

// 8-bit slice registers
pol commit alu_u8_r0;
pol commit alu_u8_r1;

// 16-bit slice registers
pol commit alu_u16_r0;
pol commit alu_u16_r1;
pol commit alu_u16_r2;
pol commit alu_u16_r3;
pol commit alu_u16_r4;
pol commit alu_u16_r5;
pol commit alu_u16_r6;
pol commit alu_u16_r7;

// 64-bit slice register
pol commit alu_u64_r0;

// Carry flag
pol commit alu_cf;

// ========= Type Constraints =============================================
// TODO: Range constraints
// - for slice registers
// - intermediate registers ia and ib (inputs) depending on flag (or inherited from previous ops?)
// - intermediate register ic (in some operations it might be inherited based on ia and ib ranges. To be checked.)
// Carry flag: We will have to constraint to ensure that the
// arithmetic expressions are not overflowing finite field size
// Remark: Operation selectors are constrained in the main trace.
// TODO: Enforce the equivalence check for the selectors between both tables.

// Boolean flattened instructions tags
alu_ff_tag * (1 - alu_ff_tag) = 0;
alu_u8_tag * (1 - alu_u8_tag) = 0;
alu_u16_tag * (1 - alu_u16_tag) = 0;
alu_u32_tag * (1 - alu_u32_tag) = 0;
alu_u64_tag * (1 - alu_u64_tag) = 0;
alu_u128_tag * (1 - alu_u128_tag) = 0;

// Operation selectors are copied from main table and do not need to be constrained here.
// TODO: Ensure mutual exclusion of alu_op_add and alu_op_sub as some relations below
// requires it.
// TODO: Similarly, ensure the mutual exclusion of instruction tags

// ========= Inter-table Constraints ======================================
// TODO: Equivalence between intermediate registers, clk, type flag, operation
// An ALU chiplet flag will be introduced in main trace to select relevant rows.


// ========= EXPLANATIONS =================================================
// Main trick for arithmetic operations modulo 2^k is to perform the operation
// over the integers and expressing the result as low + high * 2^k with low
// smaller than 2^k. low is used as the output. This works as long this does
// not underflow/overflow the underlying finite field order (u128 multiplication
// will be handled differently). If we want to prove that c = OP(a,b) where OP
// denotes an arithmetic operation modulo 2^k, we can achieve this with two relations:
// (1) low + high * 2^k - OP'(a,b) = 0
// (2) low - c = 0
//
// where OP' denotes the same operation as OP but over the integers (not mod 2^k).
// We support u8, u16, u32, u64, u128 types and decompose low into
// smaller bit slices, e.g., 16. For instance, low = s_0 + s_1 * 2^16 + s_2 * 2^32 + ...
// The slices have to be range constrained and there is a trade-off between the
// number of registers and complexity of the range constraints.
//
// Optimization: We will capture the relation (1) for all types under the same umbrella
// by re-using the decomposition used for u128 type for the lower types.
// This works because any larger power of 2^k divides 2^l whenever k <= l.
// To be able to express "low" for u8, we need a 8-bit limb for the lowest
// bits. A bit decomposition covering all types is:
// s8_0 + s8_1 * 2^8 + s16_0 * 2^16 + s16_1 * 2^32 ... + s16_6 * 2^112 + carry * 2^128 - OP'(a,b) = 0
// where s8_i's are 8-bit registers and s16's 16-bit registers.
// For type uk, we set low to the k-bit truncated part of register decomposition.
// As example, for u32: low = s8_0 + s8_1 * 2^8 + s16_0 * 2^16
// and for u8: low = s8_0
//
// TODO: It is open whether we might get efficiency gain to use larger registers for the higher
// parts of the bit decomposition.

// ============= Helper polynomial terms ============================
// These are intermediate polynomial terms which are not commited but
// serves to an algebraic expression of commited polynomials in a more concise way.

// Bit slices partial sums
pol sum_8 = alu_u8_r0;
pol sum_16 = sum_8 + alu_u8_r1 * 2**8;
pol sum_32 = sum_16 + alu_u16_r0 * 2**16;
pol sum_64 = sum_32 + alu_u16_r1 * 2**32 + alu_u16_r2 * 2**48;
pol sum_96 = sum_64 + alu_u16_r3 * 2**64 + alu_u16_r4 * 2**80;
pol sum_128 = sum_96 + alu_u16_r5 * 2**96 + alu_u16_r6 * 2**112;

// ========= ADDITION/SUBTRACTION Operation Constraints ===============================
//
// Addition and subtraction relations are very similar and will be consolidated.
// For the addition we have to replace OP'(a,b) in the above relation by a+b and
// for subtraction by a-b. Using operation selector values to toggle "+b" vs. "-b"
// makes the deal with the adaptation that the carry term needs to be subtracted
// instead of being added. To sumarize, for the first relation, addition needs to
// satisfy:
// sum_128 + carry * 2^128 - a - b = 0
// while the subtraction satisfies:
// sum_128 - carry * 2^128 - a + b = 0
//
// Finally, we would like this relation to also satisfy the addition over the finite field.
// For this, we add c in the relation conditoned by the ff type selector alu_ff_tag. We emphasize
// that this relation alone for FF will not imply correctness of the FF addition. We only want
// it to be satisfied. A separate relation will ensure correctness of it.
//
// The second relation will consist in showing that sum_N - c = 0 for N = 8, 16, 32, 64, 128.

#[ALU_ADD_SUB_1]
(alu_op_add + alu_op_sub) * (sum_128 - alu_ia + alu_ff_tag * alu_ic) + (alu_op_add - alu_op_sub) * (alu_cf * 2**128 - alu_ib) = 0;

// Helper polynomial
pol sum_tag = alu_u8_tag * sum_8 + alu_u16_tag * sum_16 + alu_u32_tag * sum_32 + alu_u64_tag * sum_64 + alu_u128_tag * sum_128;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This assumes { alu_u8_tag, alu_u16_tag, alu_u32_tag, alu_u64_tag, alu_u128_tag } are mutually exclusive?

alu_u8_tag + alu_u16_tag + alu_u32_tag + alu_u64_tag + alu_u128_tag - 1 * (alu_u8_tag * alu_u16_tag * alu_u32_tag * alu_u64_tag * alu_u128_tag ) = 0

Would perform this check right? but the degree here is very high, is this to be done later?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Exactly! There is already a TODO in the PIL file about ensuring the mutual exclusion. One potential idea is to use pre-defined lookup which flattens a tag value from the main trace into the flags. This lookup is part of AVM code and would ensure this guarantee. Clearly this is work to be done.

You can see the relavant TODOs here:
https://github.com/AztecProtocol/aztec-packages/blob/jm/3738-arithmetic-non-ff/barretenberg/cpp/pil/avm/alu_chip.pil#L66-L68


#[ALU_ADD_SUB_2]
(alu_op_add + alu_op_sub) * (sum_tag + alu_ff_tag * alu_ia - alu_ic) + alu_ff_tag * (alu_op_add - alu_op_sub) * alu_ib = 0;

// ========= MULTIPLICATION Operation Constraints ===============================

// ff multiplication
#[ALU_MULTIPLICATION_FF]
alu_ff_tag * alu_op_mul * (alu_ia * alu_ib - alu_ic) = 0;


// We need 2k bits to express the product (a*b) over the integer, i.e., for type uk
// we express the product as sum_k (u8 is an exception as we need 8-bit registers)

// We group relations for u8, u16, u32, u64 together.

// Helper polynomial
pol sum_tag_no_128 = alu_u8_tag * sum_8 + alu_u16_tag * sum_16 + alu_u32_tag * sum_32 + alu_u64_tag * sum_64;

#[ALU_MUL_COMMON_1]
(1 - alu_ff_tag - alu_u128_tag) * alu_op_mul * (sum_128 - alu_ia * alu_ib) = 0;

#[ALU_MUL_COMMON_2]
alu_op_mul * (sum_tag_no_128 - (1 - alu_ff_tag - alu_u128_tag) * alu_ic) = 0;

// ========= u128 MULTIPLICATION Operation Constraints ===============================
//
// We express a, b in 64-bit slices: a = a_l + a_h * 2^64
// b = b_l + b_h * 2^64
// We show that c satisfies: a_l * b_l + (a_h * b_l + a_l * b_h) * 2^64 = R * 2^128 + c
// for a R < 2^65. Equivalently:
// a * b_l + a_l * b_h * 2^64 = (CF * 2^64 + R') * 2^128 + c
// for a bit carry flag CF and R' range constrained to 64 bits.
// We use two lines in the execution trace. First line represents a
// as decomposed over 16-bit registers. Second line represents b.
// Selector flag is only toggled in the first line and we access b through
// shifted polynomials.
// R' is stored in alu_u64_r0

// 64-bit lower limb
pol sum_low_64 = alu_u16_r0 + alu_u16_r1 * 2**16 + alu_u16_r2 * 2**32 + alu_u16_r3 * 2**48;

// 64-bit higher limb
pol sum_high_64 = alu_u16_r4 + alu_u16_r5 * 2**16 + alu_u16_r6 * 2**32 + alu_u16_r7 * 2**48;

// 64-bit lower limb for next row
pol sum_low_shifted_64 = alu_u16_r0' + alu_u16_r1' * 2**16 + alu_u16_r2' * 2**32 + alu_u16_r3' * 2**48;

// 64-bit higher limb for next row
pol sum_high_shifted_64 = alu_u16_r4' + alu_u16_r5' * 2**16 + alu_u16_r6' * 2**32 + alu_u16_r7' * 2**48;

// Arithmetic relations
alu_u128_tag * alu_op_mul * (sum_low_64 + sum_high_64 * 2**64 - alu_ia) = 0;
alu_u128_tag * alu_op_mul * (sum_low_shifted_64 + sum_high_shifted_64 * 2**64 - alu_ib) = 0;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to make sure that no other selectors can be set on the row after when alu_u128_tag is set?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good input. I also thought about it and came to the conclusion that any wrongly added selectors would add a relation and would probably "over-constrain" the trace.
In other words, one would only become stricter.

#[ALU_MULTIPLICATION_OUT_U128]
alu_u128_tag * alu_op_mul * (
alu_ia * sum_low_shifted_64
+ sum_low_64 * sum_high_shifted_64 * 2**64
- (alu_cf * 2**64 + alu_u64_r0) * 2**128
- alu_ic
) = 0;
13 changes: 1 addition & 12 deletions barretenberg/cpp/pil/avm/avm_mini.pil
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@

include "mem_trace.pil";
include "alu_chip.pil";

namespace avmMini(256);

Expand Down Expand Up @@ -102,18 +103,6 @@ namespace avmMini(256);
tag_err * ib = 0;
tag_err * ic = 0;

// Relation for addition over the finite field
#[SUBOP_ADDITION_FF]
sel_op_add * (ia + ib - ic) = 0;

// Relation for subtraction over the finite field
#[SUBOP_SUBTRACTION_FF]
sel_op_sub * (ia - ib - ic) = 0;

// Relation for multiplication over the finite field
#[SUBOP_MULTIPLICATION_FF]
sel_op_mul * (ia * ib - ic) = 0;

// Relation for division over the finite field
// If tag_err == 1 in a division, then ib == 0 and op_err == 1.
#[SUBOP_DIVISION_FF]
Expand Down
Loading