move subclasses to their own files

Author: ledwards2225

barretenberg/cpp/src/barretenberg/stdlib/primitives/group/cycle_group.cpp

@@ -6,6 +6,9 @@
 
 #pragma once
 
+#include "./cycle_scalar.hpp"
+#include "./straus_lookup_table.hpp"
+#include "./straus_scalar_slice.hpp"
 #include "barretenberg/crypto/pedersen_commitment/pedersen.hpp"
 #include "barretenberg/ecc/curves/grumpkin/grumpkin.hpp"
 #include "barretenberg/stdlib/primitives/bigfield/bigfield.hpp"
@@ -55,157 +58,9 @@ template <typename Builder> class cycle_group {
     // Since the cycle_group base field is the circuit's native field, it can be stored using two public inputs.
     static constexpr size_t PUBLIC_INPUTS_SIZE = 2;
 
-  private:
-  public:
-    /**
-     * @brief cycle_scalar represents a member of the cycle curve SCALAR FIELD.
-     *        This is NOT the native circuit field type.
-     *        i.e. for a BN254 circuit, cycle_group will be Grumpkin and cycle_scalar will be Grumpkin::ScalarField
-     *        (BN254 native field is BN254::ScalarField == Grumpkin::BaseField)
-     *
-     * @details We convert scalar multiplication inputs into cycle_scalars to enable scalar multiplication to be
-     * *complete* i.e. Grumpkin points multiplied by BN254 scalars does not produce a cyclic group
-     * as BN254::ScalarField < Grumpkin::ScalarField
-     * This complexity *should* not leak outside the cycle_group / cycle_scalar implementations, as cycle_scalar
-     * performs all required conversions if the input scalars are stdlib::field_t elements
-     *
-     * @note We opted to create a new class to represent `cycle_scalar` instead of using `bigfield`,
-     * as `bigfield` is inefficient in this context. All required range checks for `cycle_scalar` can be obtained for
-     * free from the `batch_mul` algorithm, making the range checks performed by `bigfield` largely redundant.
-     */
-    struct cycle_scalar {
-        static constexpr size_t LO_BITS = field_t::native::Params::MAX_BITS_PER_ENDOMORPHISM_SCALAR;
-        static constexpr size_t HI_BITS = NUM_BITS - LO_BITS;
-        field_t lo;
-        field_t hi;
-
-      private:
-        size_t _num_bits = NUM_BITS;
-        bool _skip_primality_test = false;
-        // if our scalar multiplier is a bn254 FF scalar (e.g. pedersen hash),
-        // we want to validate the cycle_scalar < bn254::fr::modulus *not* grumpkin::fr::modulus
-        bool _use_bn254_scalar_field_for_primality_test = false;
-
-      public:
-        cycle_scalar(const field_t& _lo,
-                     const field_t& _hi,
-                     const size_t bits,
-                     const bool skip_primality_test,
-                     const bool use_bn254_scalar_field_for_primality_test)
-            : lo(_lo)
-            , hi(_hi)
-            , _num_bits(bits)
-            , _skip_primality_test(skip_primality_test)
-            , _use_bn254_scalar_field_for_primality_test(use_bn254_scalar_field_for_primality_test) {};
-        cycle_scalar(const ScalarField& _in = 0);
-        cycle_scalar(const field_t& _lo, const field_t& _hi);
-        cycle_scalar(const field_t& _in);
-        static cycle_scalar from_witness(Builder* context, const ScalarField& value);
-        static cycle_scalar from_witness_bitstring(Builder* context, const uint256_t& bitstring, size_t num_bits);
-        static cycle_scalar create_from_bn254_scalar(const field_t& _in, bool skip_primality_test = false);
-        [[nodiscard]] bool is_constant() const;
-        ScalarField get_value() const;
-        Builder* get_context() const { return lo.get_context() != nullptr ? lo.get_context() : hi.get_context(); }
-        [[nodiscard]] size_t num_bits() const { return _num_bits; }
-        [[nodiscard]] bool skip_primality_test() const { return _skip_primality_test; }
-        [[nodiscard]] bool use_bn254_scalar_field_for_primality_test() const
-        {
-            return _use_bn254_scalar_field_for_primality_test;
-        }
-        void validate_scalar_is_in_field() const;
-
-        explicit cycle_scalar(BigScalarField&);
-        /**
-         * @brief Get the origin tag of the cycle_scalar (a merge of the lo and hi tags)
-         *
-         * @return OriginTag
-         */
-        OriginTag get_origin_tag() const { return OriginTag(lo.get_origin_tag(), hi.get_origin_tag()); }
-        /**
-         * @brief Set the origin tag of lo and hi members of cycle scalar
-         *
-         * @param tag
-         */
-        void set_origin_tag(const OriginTag& tag) const
-        {
-            lo.set_origin_tag(tag);
-            hi.set_origin_tag(tag);
-        }
-        /**
-         * @brief Set the free witness flag for the cycle scalar's tags
-         */
-        void set_free_witness_tag()
-        {
-            lo.set_free_witness_tag();
-            hi.set_free_witness_tag();
-        }
-        /**
-         * @brief Unset the free witness flag for the cycle scalar's tags
-         */
-        void unset_free_witness_tag()
-        {
-            lo.unset_free_witness_tag();
-            hi.unset_free_witness_tag();
-        }
-    };
-
-    /**
-     * @brief straus_scalar_slice decomposes an input scalar into `table_bits` bit-slices.
-     * Used in `batch_mul`, which ses the Straus multiscalar multiplication algorithm.
-     *
-     */
-    struct straus_scalar_slice {
-        straus_scalar_slice(Builder* context, const cycle_scalar& scalars, size_t table_bits);
-        std::optional<field_t> read(size_t index);
-        size_t _table_bits;
-        std::vector<field_t> slices;
-        std::vector<uint64_t> slices_native;
-    };
-
-    /**
-     * @brief straus_lookup_table computes a lookup table of size 1 << table_bits
-     *
-     * @details for an input base_point [P] and offset_generator point [G], where N = 1 << table_bits, the following is
-     * computed:
-     *
-     * { [G] + 0.[P], [G] + 1.[P], ..., [G] + (N - 1).[P] }
-     *
-     * The point [G] is used to ensure that we do not have to handle the point at infinity associated with 0.[P].
-     *
-     * For an HONEST Prover, the probability of [G] and [P] colliding is equivalent to solving the dlog problem.
-     * This allows us to partially ignore the incomplete addition formula edge-cases for short Weierstrass curves.
-     *
-     * When adding group elements in `batch_mul`, we can constrain+assert the x-coordinates of the operand points do not
-     * match. An honest prover will never trigger the case where x-coordinates match due to the above. Validating
-     * x-coordinates do not match is much cheaper than evaluating the full complete addition formulae for short
-     * Weierstrass curves.
-     *
-     * @note For the case of fixed-base scalar multipliation, all input points are defined at circuit compile.
-     * We can ensure that all Provers cannot create point collisions between the base points and offset generators.
-     * For this restricted case we can skip the x-coordiante collision checks when performing group operations.
-     *
-     * @note straus_lookup_table uses Ultra ROM tables if available. If not, we use simple conditional assignment
-     * constraints and restrict the table size to be 1 bit.
-     */
-    struct straus_lookup_table {
-      public:
-        static std::vector<Element> compute_straus_lookup_table_hints(const Element& base_point,
-                                                                      const Element& offset_generator,
-                                                                      size_t table_bits);
-
-        straus_lookup_table() = default;
-        straus_lookup_table(Builder* context,
-                            const cycle_group& base_point,
-                            const cycle_group& offset_generator,
-                            size_t table_bits,
-                            std::optional<std::span<AffineElement>> hints = std::nullopt);
-        cycle_group read(const field_t& index);
-        size_t _table_bits;
-        Builder* _context;
-        std::vector<cycle_group> point_table;
-        size_t rom_id = 0;
-        OriginTag tag{};
-    };
+    using cycle_scalar = ::bb::stdlib::cycle_scalar<Builder>;
+    using straus_scalar_slice = ::bb::stdlib::straus_scalar_slice<Builder>;
+    using straus_lookup_table = ::bb::stdlib::straus_lookup_table<Builder>;
 
   private:
     /**
@@ -276,23 +131,41 @@ template <typename Builder> class cycle_group {
      *
      * @param tag
      */
-    void set_origin_tag(OriginTag tag) const;
+    void set_origin_tag(OriginTag tag) const
+    {
+        x.set_origin_tag(tag);
+        y.set_origin_tag(tag);
+        _is_infinity.set_origin_tag(tag);
+    }
     /**
      * @brief Get the origin tag of cycle_group (a merege of origin tags of x, y and _is_infinity members)
      *
      * @return OriginTag
      */
-    OriginTag get_origin_tag() const;
+    OriginTag get_origin_tag() const
+    {
+        return OriginTag(x.get_origin_tag(), y.get_origin_tag(), _is_infinity.get_origin_tag());
+    }
 
     /**
      * @brief Set the free witness flag for the cycle_group's tags
      */
-    void set_free_witness_tag();
+    void set_free_witness_tag()
+    {
+        x.set_free_witness_tag();
+        y.set_free_witness_tag();
+        _is_infinity.set_free_witness_tag();
+    }
 
     /**
      * @brief Unset the free witness flag for the cycle_group's tags
      */
-    void unset_free_witness_tag();
+    void unset_free_witness_tag()
+    {
+        x.unset_free_witness_tag();
+        y.unset_free_witness_tag();
+        _is_infinity.unset_free_witness_tag();
+    }
 
     /**
      * Fix a witness. The value of the witness is constrained with a selector