Implement Fp4 for BabyBear Field in PIL (#1707)

onurinanc · web-flow · commit 14225aa1d122 · 2024-09-03T15:15:44.000Z
Solves the issue in #1691 You can run the test using `--field bb`
diff --git a/pipeline/tests/powdr_std.rs b/pipeline/tests/powdr_std.rs
@@ -1,6 +1,6 @@
 use std::sync::Arc;
 
-use powdr_number::{BigInt, Bn254Field, GoldilocksField};
+use powdr_number::{BabyBearField, BigInt, Bn254Field, GoldilocksField};
 
 use powdr_pil_analyzer::evaluator::Value;
 use powdr_pipeline::{
@@ -343,6 +343,27 @@ fn fp2() {
     evaluate_function(&analyzed, "std::math::fp2::test::inverse", vec![]);
 }
 
+#[test]
+fn fp4() {
+    let analyzed = std_analyzed::<GoldilocksField>();
+    evaluate_function(&analyzed, "std::math::fp4::test::add", vec![]);
+    evaluate_function(&analyzed, "std::math::fp4::test::sub", vec![]);
+    evaluate_function(&analyzed, "std::math::fp4::test::mul", vec![]);
+    evaluate_function(&analyzed, "std::math::fp4::test::inverse", vec![]);
+
+    let analyzed = std_analyzed::<Bn254Field>();
+    evaluate_function(&analyzed, "std::math::fp4::test::add", vec![]);
+    evaluate_function(&analyzed, "std::math::fp4::test::sub", vec![]);
+    evaluate_function(&analyzed, "std::math::fp4::test::mul", vec![]);
+    evaluate_function(&analyzed, "std::math::fp4::test::inverse", vec![]);
+
+    let analyzed = std_analyzed::<BabyBearField>();
+    evaluate_function(&analyzed, "std::math::fp4::test::add", vec![]);
+    evaluate_function(&analyzed, "std::math::fp4::test::sub", vec![]);
+    evaluate_function(&analyzed, "std::math::fp4::test::mul", vec![]);
+    evaluate_function(&analyzed, "std::math::fp4::test::inverse", vec![]);
+}
+
 #[test]
 fn sort() {
     let test_inputs = vec![
diff --git a/std/field.asm b/std/field.asm
@@ -4,11 +4,13 @@ let modulus: -> int = [];
 
 let GOLDILOCKS_PRIME: int = 0xffffffff00000001;
 let BN254_PRIME: int = 0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593f0000001;
+let BABYBEAR_PRIME: int = 0x78000001;
 
 /// All known fields
 enum KnownField {
     Goldilocks,
-    BN254
+    BN254,
+    BabyBear
 }
 
 /// Checks whether the function is called in a context where it is operating on
@@ -19,12 +21,17 @@ let known_field: -> Option<KnownField> = || if modulus() == GOLDILOCKS_PRIME {
     if modulus() == BN254_PRIME {
         Option::Some(KnownField::BN254)
     } else {
-        Option::None
+        if modulus() == BABYBEAR_PRIME {
+            Option::Some(KnownField::BabyBear)
+        } else {
+            Option::None
+        }
     }
 };
 
 let require_known_field: KnownField, (-> string) -> () = |f, err| match (f, known_field()) {
     (KnownField::Goldilocks, Option::Some(KnownField::Goldilocks)) => (),
     (KnownField::BN254, Option::Some(KnownField::BN254)) => (),
+    (KnownField::BabyBear, Option::Some(KnownField::BabyBear)) => (),
     _ => std::check::panic(err()),
 };
diff --git a/std/math/ff.asm b/std/math/ff.asm
@@ -1,3 +1,6 @@
+use std::convert::fe;
+use std::convert::int;
+
 /// Inverts `x` in the finite field with modulus `modulus`.
 /// Assumes that `modulus` is prime, but does not check it.
 let inverse = |x, modulus|
@@ -12,6 +15,9 @@ let inverse = |x, modulus|
         reduce(r, modulus)
     };
 
+/// Field inversion (defined on fe instead of int)
+let inv_field: fe -> fe = |x| fe(inverse(int(x), std::field::modulus()));
+
 /// Computes `x + y` modulo the modulus.
 let add = |x, y, modulus| reduce(x + y, modulus);
 
diff --git a/std/math/fp2.asm b/std/math/fp2.asm
@@ -5,13 +5,24 @@ use std::check::panic;
 use std::convert::fe;
 use std::convert::int;
 use std::convert::expr;
-use std::field::modulus;
 use std::field::known_field;
 use std::field::KnownField;
+use std::math::ff::inv_field;
 use std::prover::eval;
 
+/// Corresponding Sage code to test irreduciblity
+/// BabyBear = 2^27 * 15 + 1
+/// M31 = 2^31 - 1
+/// BN254 = 21888242871839275222246405745257275088548364400416034343698204186575808495617
+/// GL = 0xffffffff00000001
+/// F = GF(GL)
+/// R.<x> = PolynomialRing(F)
+/// f = x^2 - 7
+/// f.is_irreducible()
+
 /// An element of the extension field over the implied base field (which has to be either
 /// the Goldilocks or the BN254 field) relative to the irreducible polynomial X^2 - 7,
+/// (This irreducible polynomial also works for Mersenne31)
 /// where Fp2(a0, a1) is interpreted as a0 + a1 * X.
 /// T is assumed to either be fe, expr or any other object whose algebraic operations
 /// are compatible with fe.
@@ -69,9 +80,6 @@ let constrain_eq_ext: Fp2<expr>, Fp2<expr> -> Constr[] = |a, b| match (a, b) {
     (Fp2::Fp2(a0, a1), Fp2::Fp2(b0, b1)) => [a0 = b0, a1 = b1]
 };
 
-/// Field inversion (defined on fe instead of int)
-let inv_field: fe -> fe = |x| fe(std::math::ff::inverse(int(x), modulus()));
-
 /// Extension field inversion
 let inv_ext: Fp2<fe> -> Fp2<fe> = |a| match a {
     // The inverse of (a0, a1) is a point (b0, b1) such that:
diff --git a/std/math/fp4.asm b/std/math/fp4.asm
@@ -0,0 +1,213 @@
+use std::check::assert;
+use std::check::panic;
+use std::convert::fe;
+use std::convert::int;
+use std::convert::expr;
+use std::math::ff::inv_field;
+use std::prover::eval;
+
+/// An element of the extension field over the fields (BabyBear, Goldilocks, and BN254)
+/// relative to the polynomial X^4 - 11, which is irreducible all of the above fields
+/// where Fp4(a0, a1, a2, a3) is interpreted as a0 + a1 * X + a2 * X^2 + a3 * X^3
+/// T is assumed to either be fe, expr or any other object whose algebraic operations
+/// are compatible with fe.
+enum Fp4<T> {
+    Fp4(T, T, T, T)
+}
+
+/// Converts a base field element to the extension field
+let<T: FromLiteral> from_base: T -> Fp4<T> = |x| Fp4::Fp4(x, 0, 0, 0);
+
+/// Addition for extension field
+let<T: Add> add_ext: Fp4<T>, Fp4<T> -> Fp4<T> = |a, b| match (a, b) {
+    (Fp4::Fp4(a0, a1, a2, a3), Fp4::Fp4(b0, b1, b2, b3)) => Fp4::Fp4(
+        a0 + b0,
+        a1 + b1,
+        a2 + b2,
+        a3 + b3
+    )
+};
+
+/// Subtraction for extension field
+let<T: Sub> sub_ext: Fp4<T>, Fp4<T> -> Fp4<T> = |a, b| match (a, b) {
+    (Fp4::Fp4(a0, a1, a2, a3), Fp4::Fp4(b0, b1, b2, b3)) => Fp4::Fp4(
+        a0 - b0,
+        a1 - b1,
+        a2 - b2,
+        a3 - b3
+    )
+};
+
+/// Multiplication for the extension field:
+/// Multiply out the polynomial representations, and then reduce modulo
+/// `x^4 - B`, which means powers >= 4 get shifted back 4 and
+/// multiplied by `beta`.
+///
+/// Multiplication modulo the polynomial x^4 - 11. We'll use the fact
+/// that x^4 == 11 (mod x^4 - 11), so:
+/// (a0 + a1 * x + a2 * x^2 + a3 * x^3) * (b0 + b1 * x + b2 * x^2 + b3 * x^3) = 
+/// a0 * b0 + NBETA * (a1 * b3 + a2 * b2 + a3 * b1)
+/// + (a0 * b1 + a1 * b0 + NBETA * (a2 * b3 + a3 * b2)) * X
+/// + (a0 * b2 + a1 * b1 + a2 * b0 + NBETA * (a3 * b3)) * X^2
+/// + (a0 * b3 + a1 * b2 + a2 * b1 + a3 * b0) * X^3
+let<T: Add + FromLiteral + Mul> mul_ext: Fp4<T>, Fp4<T> -> Fp4<T> = |a, b| match (a, b) {
+    (Fp4::Fp4(a0, a1, a2, a3), Fp4::Fp4(b0, b1, b2, b3)) => Fp4::Fp4(
+        a0 * b0 + 11 * (a1 * b3 + a2 * b2 + a3 * b1),
+        a0 * b1 + a1 * b0 + 11 * (a2 * b3 + a3 * b2),
+        a0 * b2 + a1 * b1 + a2 * b0 + 11 * (a3 * b3),
+        a0 * b3 + a1 * b2 + a2 * b1 + a3 * b0
+    )
+};
+
+/// Inversion for an Fp4 element
+/// The inverse of (a0, a1, a2, a3) is a point (b0, b1, b2, b3) such that:
+/// (a0 + a1 * x + a2 * x^2 + a3 * x^3) (b0 + b1 * x + b2 * x^2 + b3 * x^3) = 1 (mod x^4 - 11)
+/// Calculating inverse of z as following
+/// a * z = 1, where z is the inverse of a
+/// z = 1 / a
+/// Multiply each side with a' where a' = a0 - a1 * x + a2 * x^2 - a3 * x^3
+/// z = a' / (a * a')
+/// Substitute (a * a') = b after multipliying (a * a')
+/// b = b0 + b * x^2 (Since the multiplication of a * a' doesn't result x and x^3 parts)
+/// By substituting x^4 = 11, we have
+/// b0 = a0 * a0 - 11 * (a1 * (a3 + a3) - a2 * a2);
+/// b2 = a0 * (a2 + a2) - a1 * a1 - 11 * (a3 * a3);
+/// z = a' / b
+/// Multiply each side with b' where b' = b0 - b0 * x^2
+/// z = (a' * b') / (b * b')
+/// Multiplying (b * b') results c = b0^2 * b2^2 * 11
+/// z = (a' * b') / c
+/// z = (a' * b') * ('inverse' of c)
+/// z = a' * (b0^2 * ic - 11 b2^2 * ic)
+/// z = (a0 * b0 - 11 * a2 * b2) * 1
+///   + (-1 * a1 * b0 + 11 * a3 * b2) * x
+///   + (-1 * a0 * b2 + a2 * b0) * x^2
+///   + (a1 * b2 - a3 * b0) * x^3
+let inv_ext: Fp4<fe> -> Fp4<fe> = |a| match a {
+    Fp4::Fp4(a0, a1, a2, a3) => {
+        let b0 = a0 * a0 - 11 * (a1 * (a3 + a3) - a2 * a2);
+        let b2 = a0 * (a2 + a2) - a1 * a1 - 11 * (a3 * a3);
+        let c = b0 * b0 - 11 * b2 * b2;
+        let ic = inv_field(c);
+        let b_0 = b0 * ic;
+        let b_2 = b2 * ic;
+        Fp4::Fp4(
+            a0 * b_0 - 11 * a2 * b_2,
+            -1 * a1 * b_0 + 11 * a3 * b_2,
+            -1 * a0 * b_2 + a2 * b_0,
+            a1 * b_2 - a3 * b_0
+        )
+    }
+};
+
+/// Converts an Fp4<expr> into an Fp4<fe>
+let eval_ext: Fp4<expr> -> Fp4<fe> = query |a| match a {
+    Fp4::Fp4(a0, a1, a2, a3) => Fp4::Fp4(eval(a0), eval(a1), eval(a2), eval(a3))
+};
+
+/// Converts an Fp4<fe> into an Fp4<expr>
+let expr_ext: Fp4<fe> -> Fp4<expr> = |a| match a {
+    Fp4::Fp4(a0, a1, a2, a3) => Fp4::Fp4(expr(a0), expr(a1), expr(a2), expr(a3))
+};
+
+/// Checks the equality of two Fp4 elements
+let eq_ext: Fp4<fe>, Fp4<fe> -> bool = |a, b| match (a, b) {
+    (Fp4::Fp4(a0, a1, a2, a3), Fp4::Fp4(b0, b1, b2, b3)) => (a0 == b0) && (a1 == b1) && (a2 == b2) && (a3 == b3)
+};
+
+/// Returns constraints that two Fp4 elements are equal
+let constrain_eq_ext: Fp4<expr>, Fp4<expr> -> Constr[] = |a, b| match (a, b) {
+    (Fp4::Fp4(a0, a1, a2, a3), Fp4::Fp4(b0, b1, b2, b3)) => [a0 = b0, a1 = b1, a2 = b2, a3 = b3]
+};
+
+/// Applies the next operator to both components of the extension field element
+let next_ext: Fp4<expr> -> Fp4<expr> = |a| match a {
+    Fp4::Fp4(a0, a1, a2, a3) => Fp4::Fp4(a0', a1', a2', a3')
+};
+
+/// Returns the two components of the extension field element as a tuple
+let<T> unpack_ext: Fp4<T> -> (T, T, T, T) = |a| match a {
+    Fp4::Fp4(a0, a1, a2, a3) => (a0, a1, a2, a3)
+};
+
+/// Returns the two components of the extension field element as an array
+let<T> unpack_ext_array: Fp4<T> -> T[] = |a| match a {
+    Fp4::Fp4(a0, a1, a2, a3) => [a0, a1, a2, a3]
+};
+
+mod test {
+    use super::Fp4;
+    use super::from_base;
+    use super::add_ext;
+    use super::sub_ext;
+    use super::mul_ext;
+    use super::inv_ext;
+    use super::eq_ext;
+    use std::check::assert;
+    use std::array::map;
+
+    let add = || {
+        let test_add = |a, b, c| assert(eq_ext(add_ext(a, b), c), || "Wrong addition result");
+
+        // Test adding 0
+        let _ = test_add(from_base(0), from_base(0), from_base(0));
+        let _ = test_add(Fp4::Fp4(123, 1234, 1, 2), from_base(0), Fp4::Fp4(123, 1234, 1, 2));
+        let _ = test_add(from_base(0), Fp4::Fp4(123, 1234, 123, 1334), Fp4::Fp4(123, 1234, 123, 1334));
+
+        // Add arbitrary elements
+        let _ = test_add(Fp4::Fp4(123, 1234, 123, 122), Fp4::Fp4(567, 5678, 250, 678), Fp4::Fp4(690, 6912, 373, 800));
+        test_add(Fp4::Fp4(-1, -1, -1, -1), Fp4::Fp4(3, 4, 5, 6), Fp4::Fp4(2, 3, 4, 5));
+
+        // Add to the modulo
+        test_add(Fp4::Fp4(-11, -11, -11, -11), Fp4::Fp4(0, 0, 0, 0), Fp4::Fp4(-11, -11, -11, -11));
+
+        // p - 1 + 1 = 0
+        test_add(Fp4::Fp4(-1, 0, 0, 0), Fp4::Fp4(1, 0, 0, 0), from_base(0));
+    };
+
+    let sub = || {
+        let test_sub = |a, b, c| assert(eq_ext(sub_ext(a, b), c), || "Wrong subtraction result");
+
+        // Test subtracting 0
+        let _ = test_sub(from_base(0), from_base(0), from_base(0));
+        let _ = test_sub(Fp4::Fp4(123, 1234, 124, 1235), from_base(0), Fp4::Fp4(123, 1234, 124, 1235));
+
+        // Subtract arbitrary elements
+        let _ = test_sub(Fp4::Fp4(123, 1234, 248, 5000), Fp4::Fp4(567, 5678, 300, 2380), Fp4::Fp4(123 - 567, 1234 - 5678, 248 - 300, 5000 - 2380));
+        test_sub(Fp4::Fp4(-1, -1, 0, 0), Fp4::Fp4(0x78000000, 1, 0, 0), Fp4::Fp4(-0x78000000 - 1, -2, 0, 0))
+    };
+
+    let mul = || {
+        let test_mul = |a, b, c| assert(eq_ext(mul_ext(a, b), c), || "Wrong multiplication result");
+
+        // Test multiplication by 1
+        let _ = test_mul(from_base(1), from_base(1), from_base(1));
+        let _ = test_mul(Fp4::Fp4(123, 1234, 280, 400), from_base(1), Fp4::Fp4(123, 1234, 280, 400));
+        let _ = test_mul(from_base(1), Fp4::Fp4(123, 1234, 12, 15), Fp4::Fp4(123, 1234, 12, 15));
+
+        // Test multiplication by 0
+        let _ = test_mul(Fp4::Fp4(123, 1234, 234, 500), from_base(0), from_base(0));
+        let _ = test_mul(from_base(0), Fp4::Fp4(123, 1234, 33, 200), from_base(0));
+
+        // Multiply arbitrary elements
+        test_mul(Fp4::Fp4(1, 2, 3, 4), Fp4::Fp4(5, 6, 7, 8), Fp4::Fp4(676, 588, 386, 60));
+
+        // Multiplication with field overflow
+        //2013265921
+        test_mul(Fp4::Fp4(-1, -2, -3, -4), Fp4::Fp4(-3, 4, 4, 5), Fp4::Fp4(-415, -339, -223, -13));
+    };
+
+    let inverse = || {
+        let test_elements = [
+            from_base(1),
+            Fp4::Fp4(123, 1234, 1, 2),
+            Fp4::Fp4(-1, 500, 3, 5)
+        ];
+
+        map(test_elements, |x| {
+            let mul_with_inverse = mul_ext(x, inv_ext(x));
+
+            assert(eq_ext(mul_with_inverse, from_base(1)), || "Should be 1")
+        })
+    };
+}
diff --git a/std/math/mod.asm b/std/math/mod.asm
@@ -1,2 +1,3 @@
 mod ff;
-mod fp2;
+mod fp2;
+mod fp4;
