* First draft of 256-bit addition.
* Update comment.
* cargo fmt
* Rename addition evaluation file.
* Port ALU logic from SZ.
* Give a name to some magic numbers.
* `addition.rs` -> `add.rs`; fix carry propagation in add; impl sub.
* Clippy.
* Combine hi and lo parts of the output.
* Implement MUL.
* Suppress Clippy's attempt to make my code even harder to read.
* Next draft of MUL.
* Make all limbs (i.e. input and output) 16 bits.
* Tidying.
* Use iterators instead of building arrays.
* Documentation.
* Clippy is wrong; also cargo fmt.
* Un-refactor equality checking, since it was wrong for sub.
* Daniel comments.
* Daniel comments.
* Rename folder 'alu' -> 'arithmetic'.
* Rename file.
* Finish changing name ALU -> Arithmetic Unit.
* Finish removing dependency on array_zip feature.
* Remove operations that will be handled elsewhere.
* Rename var; tidy up.
* Clean up columns; mark places where range-checks need to be done.
* Import all names in 'columns' to reduce verbiage.
* cargo fmt
* Fix aux_in calculation in mul.
* Remove redundant 'allow's; more precise range-check size.
* Document functions.
* Document MUL instruction verification technique.
* Initial tests for ADD.
* Minor test fixes; add test for SUB.
* Fix bugs in generate functions.
* Fix SUB verification; refactor equality verification.
* cargo fmt
* Add test for MUL and fix some bugs.
* Update doc.
* Quiet incorrect clippy error.
* Initial implementation of ADDMOD and MOD.
* Fixes to addmod.
* Update doc.
* Do 1000 random tests instead of just 1.
* Documentation fix.
* Working version of ADDMOD.
* Working version of MOD.
* Name magic number; do multiple MUL tests.
* Add code and test for special case; add some docs.
* Fix spelling mistake.
* Simplify asserts.
* Tidy comment.
* Remove unused module.
* cargo fmt
* Check that output is reduced.
* Add conversion of canonical `i64` to a `Field64`.
* Handle zero modulus within degree constraint.
* cargo fmt
* Fix some comments.
* Check that the top half of the product is zero!
* Start of refactor.
* Refactoring.
* Remove zero and reduction handling from addmod.
* Refactoring; renaming; bug fixes.
* Reuse intermediate calculations across all modular operations; don't negate quot poly unnecessarily.
* Fix bug where last elt of q*m wasn't checked.
* Refactoring.
* Move circuit poly functions to utils.rs.
* Rename ADDMOD stuff to MODULAR.
* Rename module addmod -> modular.
* Handle zero modulus.
* Verify that output is reduced.
* Implement recursive version of modular circuits.
* clippy
* Tidy up i64 -> Field conversion following Jacqui's comments.
* cargo fmt
* Improved documentation.
* Address Jacqui's comments.
* Save some gates by using builder.arithmetic_extension().
These appear to be unused for extension fields, so we're free to change the mapping without breaking anything.
As the TODO says, the mapping that's currently implemented doesn't seem natural or useful. It seems more natural to treat the `BigUint` as a base field element, potentially in a non-canonical form.
It seems redundant in most contexts, e.g. `use plonky2::field::extension_field::Extendable;`. One could import `extension_field`, but it's not that common in Rust, and `field::extension` is now about as short.
* Halo2 style lookup arguments in System Zero
It's a really nice and simple protocol, particularly for the verifier since the constraints are trivial (aside from the underlying batched permutation checks, which we already support). See the [Halo2 book](https://zcash.github.io/halo2/design/proving-system/lookup.html) and this [talk](https://www.youtube.com/watch?v=YlTt12s7vGE&t=5237s) by @daira.
Previously we generated the whole trace in row-wise form, but it's much more efficient to generate these "permuted" columns column-wise. So I changed our STARK framework to accept the trace in column-wise form. STARK impls now have the flexibility to do some generation row-wise and some column-wise (without extra costs; there's a single transpose as before).
* sorting
* fixes
* PR feedback
* into_iter
* timing
* Initial implementation of quintic extensions.
* Update to/from_biguint() methods.
* Draft of fast multiplication on quintic extensions over 64-bit base.
* cargo fmt
* Typo.
* Document functions (a bit).
* Refactor reduction step.
* Change multiplication call so that LLVM generates better assembly.
* Use one main accumulator instead of two minor ones; faster reduce.
* Use one main accumulator in square too; clean up redundant code.
* Call faster routines from Mul and Square impls.
* Fix reduction function.
* Fix square calculation.
* Slightly faster reduction.
* Clean up names and types.
* cargo fmt
* Move extension field mul/sqr specialisations to their own file.
* Rename functions to have unique prefix.
* Add faster quadratic multiplication/squaring.
* Faster quartic multiplication and squaring.
* cargo fmt
* clippy
* Alternative reduce160 function.
* Typo.
* Remove alternative reduction function.
* Remove delayed reduction implementation of squaring.
* Enforce assumptions about extension generators.
* Make the accumulation variable a u32 instead of u64.
* Add test to trigger carry branch in reduce160.
* cargo fmt
* Some documentation.
* Clippy; improved comments.
* cargo fmt
* Remove redundant Square specialisations.
* Fix reduce*() visibility.
* Faster reduce160 from Jakub.
* Change mul-by-const functions to operate on 160 bits instead of 128.
* Move code for extensions of GoldilocksField to its own file.
* Batch multiple perm args into one Z and compute Z columnwise
It's slightly complex because we batch `constraint_degree - 1` permutation arguments into a single `Z` polynomial. This is a slight generalization of the [technique](https://zcash.github.io/halo2/design/proving-system/lookup.html) described in the Halo2 book.
Without this batching, we would simply have `num_challenges` random challenges (betas and gammas). With this batching, however, we need to use different randomness for each permutation argument within the same batch. Hence we end up generating `batch_size * num_challenges` challenges for all permutation arguments.
* Feedback + updates for recursion code