Get bits from non-native allocation #45
Conversation
|
I will take a look soon. There is a challenge about the interface, which I will find, hopefully, a cute solution.
Indeed thanks for your code, as the current version of the gadget is largely based on yours. We actually only partly migrate your machinery. The current version does not track the maximal value, so there can be redundancy. |
src/allocated_nonnative_field_var.rs
Outdated
| if mode == AllocationMode::Witness { | ||
| for limb in limbs.iter().rev().take(params.num_limbs - 1) { | ||
| bits.extend( | ||
| Reducer::<TargetField, BaseField>::limb_to_bits(limb, params.bits_per_limb)? | ||
| .into_iter() | ||
| .rev(), | ||
| ); | ||
| } | ||
|
|
||
| bits.extend( | ||
| Reducer::<TargetField, BaseField>::limb_to_bits( | ||
| &limbs[0], | ||
| TargetField::size_in_bits() - (params.num_limbs - 1) * params.bits_per_limb, | ||
| )? | ||
| .into_iter() | ||
| .rev(), | ||
| ); | ||
| } |
There was a problem hiding this comment.
I think when the mode is not Witness, we can still generate bits easily:
- if
mode == Constant, we can returnBoolean::Constantvalues (this requires no constraints) - if
mode == Input, we can just reuse the existing machinery for themode == Witnesscase.
If the concern is adding potentially unnecessary constraints, we can make a helper function which generates bits only if a flag is true.
There was a problem hiding this comment.
Yes, my concern is that when mode == Input, our current allocation gadget, which uses this function as a black box, would generate the bits, which would be unnecessary.
Maybe let us extend this function so that one can specify, via a bool, whether or not bits are wanted.
Yeah. Probably returning an
That's the challenge. One solution is to split the machinery into two private functions. One builds the limbs, and the other does the range-checks. Then, Happy to make the change if that sounds promising to you. |
|
Yeah, that sounds like a good strategy! |
Co-authored-by: Pratyush Mishra <[email protected]>
Co-authored-by: Pratyush Mishra <[email protected]>
Description
When doing nonnative arithmetic, bit-allocating witnesses requires a non-trivial number of constraints. This PR adds an allocation function which also returns the bits, instead of just dropping them. That way if you need the bits, you don't have to duplicate constraints.
Motivation: In a recent circuit, I wanted to (a) bit-allocate some non-native field elements (b) do some simple (and cheap!) math on them and (c) do some other stuff with the bits. It seemed that bit-allocation would actually be a bottleneck here, so de-duplicating that work was important. Figured I'd submit the patch upstream, in case you wanted it.
Design: Basically I just moved the allocation code to a new fn that exposes the bits, and had the original allocation function call the new one.
P.S. Thanks for putting this library together. It's very nice to not have to roll my own multiprecision machinery again :)
Before we can merge this PR, please make sure that all the following items have been
checked off. If any of the checklist items are not applicable, please leave them but
write a little note why.
Pendingsection inCHANGELOG.mdFiles changedin the Github PR explorer