plonky2/src/gadgets/arithmetic.rs

use std::borrow::Borrow;

use crate::field::extension_field::Extendable;
use crate::gates::exponentiation::ExponentiationGate;
use crate::iop::target::Target;
use crate::plonk::circuit_builder::CircuitBuilder;
use crate::util::log2_ceil;

impl<F: Extendable<D>, const D: usize> CircuitBuilder<F, D> {
    /// Computes `-x`.
    pub fn neg(&mut self, x: Target) -> Target {
        let neg_one = self.neg_one();
        self.mul(x, neg_one)
    }

    /// Computes `x^2`.
    pub fn square(&mut self, x: Target) -> Target {
        self.mul(x, x)
    }

    /// Computes `x^3`.
    pub fn cube(&mut self, x: Target) -> Target {
        let xe = self.convert_to_ext(x);
        self.mul_three_extension(xe, xe, xe).to_target_array()[0]
    }

    /// Computes `const_0 * multiplicand_0 * multiplicand_1 + const_1 * addend`.
    pub fn arithmetic(
        &mut self,
        const_0: F,
        multiplicand_0: Target,
        multiplicand_1: Target,
        const_1: F,
        addend: Target,
    ) -> Target {
        let multiplicand_0_ext = self.convert_to_ext(multiplicand_0);
        let multiplicand_1_ext = self.convert_to_ext(multiplicand_1);
        let addend_ext = self.convert_to_ext(addend);

        self.arithmetic_extension(
            const_0,
            const_1,
            multiplicand_0_ext,
            multiplicand_1_ext,
            addend_ext,
        )
        .0[0]
    }

    /// Computes `x * y + z`.
    pub fn mul_add(&mut self, x: Target, y: Target, z: Target) -> Target {
        self.arithmetic(F::ONE, x, y, F::ONE, z)
    }

    /// Computes `x * y - z`.
    pub fn mul_sub(&mut self, x: Target, y: Target, z: Target) -> Target {
        self.arithmetic(F::ONE, x, y, F::NEG_ONE, z)
    }

    /// Computes `x + y`.
    pub fn add(&mut self, x: Target, y: Target) -> Target {
        let one = self.one();
        // x + y = 1 * x * 1 + 1 * y
        self.arithmetic(F::ONE, x, one, F::ONE, y)
    }

    /// Add `n` `Target`s with `ceil(n/2) + 1` `ArithmeticExtensionGate`s.
    // TODO: Can be made `2*D` times more efficient by using all wires of an `ArithmeticExtensionGate`.
    pub fn add_many(&mut self, terms: &[Target]) -> Target {
        let terms_ext = terms
            .iter()
            .map(|&t| self.convert_to_ext(t))
            .collect::<Vec<_>>();
        self.add_many_extension(&terms_ext).to_target_array()[0]
    }

    /// Computes `x - y`.
    pub fn sub(&mut self, x: Target, y: Target) -> Target {
        let one = self.one();
        // x - y = 1 * x * 1 + (-1) * y
        self.arithmetic(F::ONE, x, one, F::NEG_ONE, y)
    }

    /// Computes `x * y`.
    pub fn mul(&mut self, x: Target, y: Target) -> Target {
        // x * y = 1 * x * y + 0 * x
        self.arithmetic(F::ONE, x, y, F::ZERO, x)
    }

    /// Multiply `n` `Target`s with `ceil(n/2) + 1` `ArithmeticExtensionGate`s.
    pub fn mul_many(&mut self, terms: &[Target]) -> Target {
        let terms_ext = terms
            .iter()
            .map(|&t| self.convert_to_ext(t))
            .collect::<Vec<_>>();
        self.mul_many_extension(&terms_ext).to_target_array()[0]
    }

    /// Exponentiate `base` to the power of `2^power_log`.
    // TODO: Test
    pub fn exp_power_of_2(&mut self, mut base: Target, power_log: usize) -> Target {
        for _ in 0..power_log {
            base = self.square(base);
        }
        base
    }

    // TODO: Test
    /// Exponentiate `base` to the power of `exponent`, given by its little-endian bits.
    pub fn exp_from_bits(
        &mut self,
        base: Target,
        exponent_bits: impl Iterator<Item = impl Borrow<Target>>,
    ) -> Target {
        let zero = self.zero();
        let gate = ExponentiationGate::new(self.config.clone());
        let num_power_bits = gate.num_power_bits;
        let mut exp_bits_vec: Vec<Target> = exponent_bits.map(|b| *b.borrow()).collect();
        while exp_bits_vec.len() < num_power_bits {
            exp_bits_vec.push(zero);
        }
        let gate_index = self.add_gate(gate.clone(), vec![]);

        self.route(base, Target::wire(gate_index, gate.wire_base()));
        exp_bits_vec.iter().enumerate().for_each(|(i, bit)| {
            self.route(*bit, Target::wire(gate_index, gate.wire_power_bit(i)));
        });

        Target::wire(gate_index, gate.wire_output())
    }

    // TODO: Test
    /// Exponentiate `base` to the power of `exponent`, where `exponent < 2^num_bits`.
    pub fn exp(&mut self, base: Target, exponent: Target, num_bits: usize) -> Target {
        let exponent_bits = self.split_le(exponent, num_bits);

        self.exp_from_bits(base, exponent_bits.iter())
    }

    /// Exponentiate `base` to the power of a known `exponent`.
    // TODO: Test
    pub fn exp_u64(&mut self, base: Target, exponent: u64) -> Target {
        let exp_target = self.constant(F::from_canonical_u64(exponent));
        let num_bits = log2_ceil(exponent as usize + 1);
        self.exp(base, exp_target, num_bits)
    }

    /// Computes `x / y`. Results in an unsatisfiable instance if `y = 0`.
    pub fn div(&mut self, x: Target, y: Target) -> Target {
        let y_inv = self.inverse(y);
        self.mul(x, y_inv)
    }

    /// Computes `q = x / y` by witnessing `q` and requiring that `q * y = x`. This can be unsafe in
    /// some cases, as it allows `0 / 0 = <anything>`.
    pub fn div_unsafe(&mut self, x: Target, y: Target) -> Target {
        // Check for special cases where we can determine the result without an `ArithmeticGate`.
        let zero = self.zero();
        let one = self.one();
        if x == zero {
            return zero;
        }
        if y == one {
            return x;
        }
        if let (Some(x_const), Some(y_const)) =
            (self.target_as_constant(x), self.target_as_constant(y))
        {
            return self.constant(x_const / y_const);
        }

        let x_ext = self.convert_to_ext(x);
        let y_ext = self.convert_to_ext(y);
        self.div_unsafe_extension(x_ext, y_ext).0[0]
    }

    /// Computes `1 / x`. Results in an unsatisfiable instance if `x = 0`.
    pub fn inverse(&mut self, x: Target) -> Target {
        let x_ext = self.convert_to_ext(x);
        self.inverse_extension(x_ext).0[0]
    }
}
Make `exp_complement_bits` take an iterator to avoid cloning. 2021-07-22 16:18:13 +02:00			`use std::borrow::Borrow;`

Clippy 2021-06-25 16:49:29 +02:00			`use crate::field::extension_field::Extendable;`
exponentiation gadget 2021-07-28 10:56:12 -07:00			`use crate::gates::exponentiation::ExponentiationGate;`
Move stuff around (#135) No functional changes here. The biggest change was moving certain files into new directories like `plonk` and `iop` (for things like `Challenger` that could be used in STARKs or other IOPs). I also split a few files, renames, etc, but again nothing functional, so I don't think a careful review is necessary (just a sanity check). 2021-07-29 22:00:29 -07:00			`use crate::iop::target::Target;`
			`use crate::plonk::circuit_builder::CircuitBuilder;`
fixes to exp functions 2021-07-28 13:38:41 -07:00			`use crate::util::log2_ceil;`
No more polynomial programming abstraction It was too expensive. 2021-03-28 15:36:51 -07:00
Draw challenge points from the extension field (#51) * Draw challenge points from the extension field * Now building * Misc * Default eval_unfiltered_base * fmt * A few field settings * Add to Sage * Display tweak * eval_filtered_base * Quartic in bench * Missing methods * Fix tests * PR feedback 2021-05-30 13:25:53 -07:00			`impl<F: Extendable<D>, const D: usize> CircuitBuilder<F, D> {`
Recursive evaluation of GMiMCGate If we did it all with `ArithmeticGate`s, the main loop (with ~101 iterations of cubing and a couple adds) would be fairly expensive, so this uses a (much smaller) custom gate called `GMiMCEvalGate` which does all the computations for one iteration of that loop. 2021-04-27 13:16:24 -07:00			/// Computes `-x`.
Arithmetic & permutation gadgets 2021-04-02 15:29:21 -07:00			`pub fn neg(&mut self, x: Target) -> Target {`
			`let neg_one = self.neg_one();`
			`self.mul(x, neg_one)`
			`}`

Recursive evaluation of GMiMCGate If we did it all with `ArithmeticGate`s, the main loop (with ~101 iterations of cubing and a couple adds) would be fairly expensive, so this uses a (much smaller) custom gate called `GMiMCEvalGate` which does all the computations for one iteration of that loop. 2021-04-27 13:16:24 -07:00			/// Computes `x^2`.
			`pub fn square(&mut self, x: Target) -> Target {`
			`self.mul(x, x)`
			`}`

			/// Computes `x^3`.
			`pub fn cube(&mut self, x: Target) -> Target {`
Change `{add\|mul}_many` and `cube` 2021-07-21 17:41:22 +02:00			`let xe = self.convert_to_ext(x);`
			`self.mul_three_extension(xe, xe, xe).to_target_array()[0]`
Recursive evaluation of GMiMCGate If we did it all with `ArithmeticGate`s, the main loop (with ~101 iterations of cubing and a couple adds) would be fairly expensive, so this uses a (much smaller) custom gate called `GMiMCEvalGate` which does all the computations for one iteration of that loop. 2021-04-27 13:16:24 -07:00			`}`

Basic arithmetic methods 2021-04-21 11:47:18 -07:00			/// Computes `const_0 * multiplicand_0 * multiplicand_1 + const_1 * addend`.
			`pub fn arithmetic(`
			`&mut self,`
			`const_0: F,`
			`multiplicand_0: Target,`
			`multiplicand_1: Target,`
			`const_1: F,`
			`addend: Target,`
			`) -> Target {`
Remove `ArithmeticGate` 2021-06-25 13:53:14 +02:00			`let multiplicand_0_ext = self.convert_to_ext(multiplicand_0);`
			`let multiplicand_1_ext = self.convert_to_ext(multiplicand_1);`
			`let addend_ext = self.convert_to_ext(addend);`

			`self.arithmetic_extension(`
			`const_0,`
			`const_1,`
			`multiplicand_0_ext,`
			`multiplicand_1_ext,`
			`addend_ext,`
			`)`
			`.0[0]`
Arithmetic & permutation gadgets 2021-04-02 15:29:21 -07:00			`}`

Recursive evaluation of GMiMCGate If we did it all with `ArithmeticGate`s, the main loop (with ~101 iterations of cubing and a couple adds) would be fairly expensive, so this uses a (much smaller) custom gate called `GMiMCEvalGate` which does all the computations for one iteration of that loop. 2021-04-27 13:16:24 -07:00			/// Computes `x * y + z`.
			`pub fn mul_add(&mut self, x: Target, y: Target, z: Target) -> Target {`
			`self.arithmetic(F::ONE, x, y, F::ONE, z)`
			`}`

			/// Computes `x * y - z`.
			`pub fn mul_sub(&mut self, x: Target, y: Target, z: Target) -> Target {`
			`self.arithmetic(F::ONE, x, y, F::NEG_ONE, z)`
			`}`

			/// Computes `x + y`.
Basic arithmetic methods 2021-04-21 11:47:18 -07:00			`pub fn add(&mut self, x: Target, y: Target) -> Target {`
			`let one = self.one();`
			`// x + y = 1 * x * 1 + 1 * y`
			`self.arithmetic(F::ONE, x, one, F::ONE, y)`
			`}`

Change `{add\|mul}_many` and `cube` 2021-07-21 17:41:22 +02:00			/// Add `n` `Target`s with `ceil(n/2) + 1` `ArithmeticExtensionGate`s.
Rearrange files 2021-06-25 16:45:02 +02:00			// TODO: Can be made `2*D` times more efficient by using all wires of an `ArithmeticExtensionGate`.
Arithmetic & permutation gadgets 2021-04-02 15:29:21 -07:00			`pub fn add_many(&mut self, terms: &[Target]) -> Target {`
Change `{add\|mul}_many` and `cube` 2021-07-21 17:41:22 +02:00			`let terms_ext = terms`
			`.iter()`
			`.map(\|&t\| self.convert_to_ext(t))`
			`.collect::<Vec<_>>();`
			`self.add_many_extension(&terms_ext).to_target_array()[0]`
No more polynomial programming abstraction It was too expensive. 2021-03-28 15:36:51 -07:00			`}`

Recursive evaluation of GMiMCGate If we did it all with `ArithmeticGate`s, the main loop (with ~101 iterations of cubing and a couple adds) would be fairly expensive, so this uses a (much smaller) custom gate called `GMiMCEvalGate` which does all the computations for one iteration of that loop. 2021-04-27 13:16:24 -07:00			/// Computes `x - y`.
No more polynomial programming abstraction It was too expensive. 2021-03-28 15:36:51 -07:00			`pub fn sub(&mut self, x: Target, y: Target) -> Target {`
Basic arithmetic methods 2021-04-21 11:47:18 -07:00			`let one = self.one();`
			`// x - y = 1 * x * 1 + (-1) * y`
			`self.arithmetic(F::ONE, x, one, F::NEG_ONE, y)`
No more polynomial programming abstraction It was too expensive. 2021-03-28 15:36:51 -07:00			`}`

Recursive evaluation of GMiMCGate If we did it all with `ArithmeticGate`s, the main loop (with ~101 iterations of cubing and a couple adds) would be fairly expensive, so this uses a (much smaller) custom gate called `GMiMCEvalGate` which does all the computations for one iteration of that loop. 2021-04-27 13:16:24 -07:00			/// Computes `x * y`.
No more polynomial programming abstraction It was too expensive. 2021-03-28 15:36:51 -07:00			`pub fn mul(&mut self, x: Target, y: Target) -> Target {`
Basic arithmetic methods 2021-04-21 11:47:18 -07:00			`// x * y = 1 * x * y + 0 * x`
			`self.arithmetic(F::ONE, x, y, F::ZERO, x)`
No more polynomial programming abstraction It was too expensive. 2021-03-28 15:36:51 -07:00			`}`

Change `{add\|mul}_many` and `cube` 2021-07-21 17:41:22 +02:00			/// Multiply `n` `Target`s with `ceil(n/2) + 1` `ArithmeticExtensionGate`s.
Arithmetic & permutation gadgets 2021-04-02 15:29:21 -07:00			`pub fn mul_many(&mut self, terms: &[Target]) -> Target {`
Change `{add\|mul}_many` and `cube` 2021-07-21 17:41:22 +02:00			`let terms_ext = terms`
			`.iter()`
			`.map(\|&t\| self.convert_to_ext(t))`
			`.collect::<Vec<_>>();`
			`self.mul_many_extension(&terms_ext).to_target_array()[0]`
Arithmetic & permutation gadgets 2021-04-02 15:29:21 -07:00			`}`

FRI tweaks (#111) - Call `exp_power_of_2` instead of manual squaring - Replace `evaluations[i]` with `evals` 2021-07-20 12:49:02 -07:00			/// Exponentiate `base` to the power of `2^power_log`.
			`// TODO: Test`
			`pub fn exp_power_of_2(&mut self, mut base: Target, power_log: usize) -> Target {`
			`for _ in 0..power_log {`
			`base = self.square(base);`
Arithmetic & permutation gadgets 2021-04-02 15:29:21 -07:00			`}`
FRI tweaks (#111) - Call `exp_power_of_2` instead of manual squaring - Replace `evaluations[i]` with `evals` 2021-07-20 12:49:02 -07:00			`base`
Arithmetic & permutation gadgets 2021-04-02 15:29:21 -07:00			`}`

Working ReducingFactorTarget 2021-06-25 16:27:20 +02:00			`// TODO: Test`
Replace rotation with exp in `compute_evaluation` 2021-07-20 15:25:03 +02:00			/// Exponentiate `base` to the power of `exponent`, given by its little-endian bits.
Forgot to exponentiate from bits in computation of `subgroup_x`. Saves 80 gates. 2021-07-23 08:53:00 +02:00			`pub fn exp_from_bits(`
			`&mut self,`
			`base: Target,`
			`exponent_bits: impl Iterator<Item = impl Borrow<Target>>,`
			`) -> Target {`
Small nits for the exponentiation gate 2021-08-02 13:12:50 +02:00			`let zero = self.zero();`
new exp gate takes in CircuitConfig and determines num_bits 2021-07-29 10:26:46 -07:00			`let gate = ExponentiationGate::new(self.config.clone());`
fix 2021-07-29 15:15:40 -07:00			`let num_power_bits = gate.num_power_bits;`
			`let mut exp_bits_vec: Vec<Target> = exponent_bits.map(\|b\| *b.borrow()).collect();`
			`while exp_bits_vec.len() < num_power_bits {`
Small nits for the exponentiation gate 2021-08-02 13:12:50 +02:00			`exp_bits_vec.push(zero);`
fix 2021-07-29 15:15:40 -07:00			`}`
fixes to exp functions 2021-07-28 13:38:41 -07:00			`let gate_index = self.add_gate(gate.clone(), vec![]);`
Added in-circuit `reverse_bits` and `exp`. 2021-06-09 17:39:45 +02:00
fix 2021-07-28 17:37:26 -07:00			`self.route(base, Target::wire(gate_index, gate.wire_base()));`
fixes to exp functions 2021-07-28 13:38:41 -07:00			`exp_bits_vec.iter().enumerate().for_each(\|(i, bit)\| {`
			`self.route(*bit, Target::wire(gate_index, gate.wire_power_bit(i)));`
			`});`
Added in-circuit `reverse_bits` and `exp`. 2021-06-09 17:39:45 +02:00
fixes to exp functions 2021-07-28 13:38:41 -07:00			`Target::wire(gate_index, gate.wire_output())`
Added in-circuit `reverse_bits` and `exp`. 2021-06-09 17:39:45 +02:00			`}`

Replace rotation with exp in `compute_evaluation` 2021-07-20 15:25:03 +02:00			`// TODO: Test`
			/// Exponentiate `base` to the power of `exponent`, where `exponent < 2^num_bits`.
			`pub fn exp(&mut self, base: Target, exponent: Target, num_bits: usize) -> Target {`
			`let exponent_bits = self.split_le(exponent, num_bits);`
exponentiation gadget 2021-07-28 10:56:12 -07:00
fixes to exp functions 2021-07-28 13:38:41 -07:00			`self.exp_from_bits(base, exponent_bits.iter())`
Replace rotation with exp in `compute_evaluation` 2021-07-20 15:25:03 +02:00			`}`

Working ReducingFactorTarget 2021-06-25 16:27:20 +02:00			/// Exponentiate `base` to the power of a known `exponent`.
			`// TODO: Test`
			`pub fn exp_u64(&mut self, base: Target, exponent: u64) -> Target {`
exponentiation gadget 2021-07-28 10:56:12 -07:00			`let exp_target = self.constant(F::from_canonical_u64(exponent));`
fixes to exp functions 2021-07-28 13:38:41 -07:00			`let num_bits = log2_ceil(exponent as usize + 1);`
			`self.exp(base, exp_target, num_bits)`
Working ReducingFactorTarget 2021-06-25 16:27:20 +02:00			`}`

Division related changes (#99) * Division related changes - Simplify `div_unsafe_extension` using virtual targets - Add methods for inversion and safe division As a followup I'll switch some calls to safe division. * Test safe division also * add_virtual_extension_target 2021-07-18 23:05:57 -07:00			/// Computes `x / y`. Results in an unsatisfiable instance if `y = 0`.
			`pub fn div(&mut self, x: Target, y: Target) -> Target {`
			`let y_inv = self.inverse(y);`
			`self.mul(x, y_inv)`
			`}`

Basic arithmetic methods 2021-04-21 11:47:18 -07:00			/// Computes `q = x / y` by witnessing `q` and requiring that `q * y = x`. This can be unsafe in
			/// some cases, as it allows `0 / 0 = <anything>`.
			`pub fn div_unsafe(&mut self, x: Target, y: Target) -> Target {`
			// Check for special cases where we can determine the result without an `ArithmeticGate`.
			`let zero = self.zero();`
			`let one = self.one();`
			`if x == zero {`
			`return zero;`
			`}`
			`if y == one {`
			`return x;`
			`}`
Seed Challenger with a hash of the instance I think this is the recommended way to apply Fiat-Shamir, to avoid any possible attacks like taking someone else's proof and using it to prove a slightly different statement. 2021-04-22 16:32:57 -07:00			`if let (Some(x_const), Some(y_const)) =`
			`(self.target_as_constant(x), self.target_as_constant(y))`
			`{`
Basic arithmetic methods 2021-04-21 11:47:18 -07:00			`return self.constant(x_const / y_const);`
			`}`

Remove `ArithmeticGate` 2021-06-25 13:53:14 +02:00			`let x_ext = self.convert_to_ext(x);`
			`let y_ext = self.convert_to_ext(y);`
			`self.div_unsafe_extension(x_ext, y_ext).0[0]`
Basic arithmetic methods 2021-04-21 11:47:18 -07:00			`}`
Division related changes (#99) * Division related changes - Simplify `div_unsafe_extension` using virtual targets - Add methods for inversion and safe division As a followup I'll switch some calls to safe division. * Test safe division also * add_virtual_extension_target 2021-07-18 23:05:57 -07:00
			/// Computes `1 / x`. Results in an unsatisfiable instance if `x = 0`.
			`pub fn inverse(&mut self, x: Target) -> Target {`
			`let x_ext = self.convert_to_ext(x);`
			`self.inverse_extension(x_ext).0[0]`
			`}`
Division gadget for extension field 2021-06-07 17:55:27 +02:00			`}`