bool_t from witness constructor supports range constraints

Author: iakovenkos

barretenberg/cpp/src/barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.test.cpp

@@ -291,7 +291,7 @@ template <typename RecursiveFlavor> class RecursiveVerifierTest : public testing
         }
         // Check the size of the recursive verifier
         if constexpr (std::same_as<RecursiveFlavor, MegaZKRecursiveFlavor_<UltraCircuitBuilder>>) {
-            uint32_t NUM_GATES_EXPECTED = 797234;
+            uint32_t NUM_GATES_EXPECTED = 797170;
             ASSERT_EQ(static_cast<uint32_t>(outer_circuit.get_num_finalized_gates()), NUM_GATES_EXPECTED)
                 << "MegaZKHonk Recursive verifier changed in Ultra gate count! Update this value if you "
                    "are sure this is expected.";

barretenberg/cpp/src/barretenberg/stdlib/primitives/biggroup/biggroup.hpp

@@ -370,7 +370,13 @@ template <class Builder_, class Fq, class Fr, class NativeGroup> class element {
     }
 
     bool_ct is_point_at_infinity() const { return _is_infinity; }
-    void set_point_at_infinity(const bool_ct& is_infinity) { _is_infinity = is_infinity; }
+    void set_point_at_infinity(const bool_ct& is_infinity, const bool& add_to_used_witnesses = false)
+    {
+        _is_infinity = is_infinity.normalize();
+        if (add_to_used_witnesses) {
+            _is_infinity.get_context()->update_used_witnesses(_is_infinity.get_normalized_witness_index());
+        };
+    }
     element get_standard_form() const;
 
     void set_origin_tag(OriginTag tag) const

barretenberg/cpp/src/barretenberg/stdlib/primitives/biggroup/biggroup_impl.hpp

@@ -89,6 +89,7 @@ element<C, Fq, Fr, G> element<C, Fq, Fr, G>::operator+(const element& other) con
     const bool_ct double_predicate = (x_coordinates_match && y_coordinates_match);
     const bool_ct lhs_infinity = is_point_at_infinity();
     const bool_ct rhs_infinity = other.is_point_at_infinity();
+    const bool_ct has_infinity_input = lhs_infinity || rhs_infinity;
 
     // Compute the gradient `lambda`. If we add, `lambda = (y2 - y1)/(x2 - x1)`, else `lambda = 3x1*x1/2y1
     const Fq add_lambda_numerator = other.y - y;
@@ -103,8 +104,8 @@ element<C, Fq, Fr, G> element<C, Fq, Fr, G>::operator+(const element& other) con
     // divide by zero error.
     // Note: if either inputs are points at infinity we will not use the result of this computation.
     Fq safe_edgecase_denominator = Fq(1);
-    lambda_denominator = Fq::conditional_assign(
-        lhs_infinity || rhs_infinity || infinity_predicate, safe_edgecase_denominator, lambda_denominator);
+    lambda_denominator =
+        Fq::conditional_assign(has_infinity_input || infinity_predicate, safe_edgecase_denominator, lambda_denominator);
     const Fq lambda = Fq::div_without_denominator_check({ lambda_numerator }, lambda_denominator);
 
     const Fq x3 = lambda.sqradd({ -other.x, -x });
@@ -122,15 +123,8 @@ element<C, Fq, Fr, G> element<C, Fq, Fr, G>::operator+(const element& other) con
     // yes = infinity_predicate && !lhs_infinity && !rhs_infinity
     // yes = lhs_infinity && rhs_infinity
     // n.b. can likely optimize this
-    bool_ct result_is_infinity = infinity_predicate && (!lhs_infinity && !rhs_infinity);
-    if constexpr (IsUltraBuilder<C>) {
-        result_is_infinity.get_context()->update_used_witnesses(result_is_infinity.get_normalized_witness_index());
-    }
-    result_is_infinity = result_is_infinity || (lhs_infinity && rhs_infinity);
-    if constexpr (IsUltraBuilder<C>) {
-        result_is_infinity.get_context()->update_used_witnesses(result_is_infinity.get_normalized_witness_index());
-    }
-    result.set_point_at_infinity(result_is_infinity);
+    bool_ct result_is_infinity = (infinity_predicate && !has_infinity_input) || (lhs_infinity && rhs_infinity);
+    result.set_point_at_infinity(result_is_infinity, /* add_to_used_witnesses */ true);
 
     result.set_origin_tag(OriginTag(get_origin_tag(), other.get_origin_tag()));
     return result;
@@ -167,6 +161,7 @@ element<C, Fq, Fr, G> element<C, Fq, Fr, G>::operator-(const element& other) con
     const bool_ct double_predicate = (x_coordinates_match && !y_coordinates_match);
     const bool_ct lhs_infinity = is_point_at_infinity();
     const bool_ct rhs_infinity = other.is_point_at_infinity();
+    const bool_ct has_infinity_input = lhs_infinity || rhs_infinity;
 
     // Compute the gradient `lambda`. If we add, `lambda = (y2 - y1)/(x2 - x1)`, else `lambda = 3x1*x1/2y1
     const Fq add_lambda_numerator = -other.y - y;
@@ -181,8 +176,8 @@ element<C, Fq, Fr, G> element<C, Fq, Fr, G>::operator-(const element& other) con
     // divide by zero error.
     // (if either inputs are points at infinity we will not use the result of this computation)
     Fq safe_edgecase_denominator = Fq(1);
-    lambda_denominator = Fq::conditional_assign(
-        lhs_infinity || rhs_infinity || infinity_predicate, safe_edgecase_denominator, lambda_denominator);
+    lambda_denominator =
+        Fq::conditional_assign(has_infinity_input || infinity_predicate, safe_edgecase_denominator, lambda_denominator);
     const Fq lambda = Fq::div_without_denominator_check({ lambda_numerator }, lambda_denominator);
 
     const Fq x3 = lambda.sqradd({ -other.x, -x });
@@ -200,15 +195,9 @@ element<C, Fq, Fr, G> element<C, Fq, Fr, G>::operator-(const element& other) con
     // yes = infinity_predicate && !lhs_infinity && !rhs_infinity
     // yes = lhs_infinity && rhs_infinity
     // n.b. can likely optimize this
-    bool_ct result_is_infinity = infinity_predicate && (!lhs_infinity && !rhs_infinity);
-    if constexpr (IsUltraBuilder<C>) {
-        result_is_infinity.get_context()->update_used_witnesses(result_is_infinity.get_normalized_witness_index());
-    }
-    result_is_infinity = result_is_infinity || (lhs_infinity && rhs_infinity);
-    if constexpr (IsUltraBuilder<C>) {
-        result_is_infinity.get_context()->update_used_witnesses(result_is_infinity.get_normalized_witness_index());
-    }
-    result.set_point_at_infinity(result_is_infinity);
+    bool_ct result_is_infinity = (infinity_predicate && !has_infinity_input) || (lhs_infinity && rhs_infinity);
+
+    result.set_point_at_infinity(result_is_infinity, /* add_to_used_witnesses */ true);
     result.set_origin_tag(OriginTag(get_origin_tag(), other.get_origin_tag()));
     return result;
 }

barretenberg/cpp/src/barretenberg/stdlib/primitives/biggroup/biggroup_nafs.hpp

@@ -480,6 +480,8 @@ std::vector<bool_t<C>> element<C, Fq, Fr, G>::compute_naf(const Fr& scalar, cons
 {
     // We are not handling the case of odd bit lengths here.
     BB_ASSERT_EQ(max_num_bits % 2, 0U);
+    // Apply range constraint gates instead of arithmetic gates to constrain boolean witnesses
+    static constexpr bool use_bool_range_constraint = true;
 
     C* ctx = scalar.context;
     uint512_t scalar_multiplier_512 = uint512_t(uint256_t(scalar.get_value()) % Fr::modulus);
@@ -495,22 +497,18 @@ std::vector<bool_t<C>> element<C, Fq, Fr, G>::compute_naf(const Fr& scalar, cons
     // if boolean is false => do NOT flip y
     // if boolean is true => DO flip y
     // first entry is skew. i.e. do we subtract one from the final result or not
-    if (scalar_multiplier.get_bit(0) == false) {
-        // add skew
-        naf_entries[num_rounds] = bool_ct(witness_t(ctx, true));
-        scalar_multiplier += uint256_t(1);
-    } else {
-        naf_entries[num_rounds] = bool_ct(witness_t(ctx, false));
-    }
+    naf_entries[num_rounds] = bool_ct(witness_t(ctx, !scalar_multiplier.get_bit(0)), use_bool_range_constraint);
+    scalar_multiplier += uint256_t(!scalar_multiplier.get_bit(0));
+
     // We need to manually propagate the origin tag
     naf_entries[num_rounds].set_origin_tag(scalar.get_origin_tag());
 
     for (size_t i = 0; i < num_rounds - 1; ++i) {
         bool next_entry = scalar_multiplier.get_bit(i + 1);
         // if the next entry is false, we need to flip the sign of the current entry. i.e. make negative
-        // This is a VERY hacky workaround to ensure that UltraBuilder will apply a basic
-        // range constraint per bool, and not a full 1-bit range gate
-        bool_ct bit(witness_t<C>(ctx, !next_entry));
+        // Apply a basic range constraint per bool, and not a full 1-bit range gate. Results in ~`num_rounds`/4 gates
+        // per scalar.
+        bool_ct bit(witness_t<C>(ctx, !next_entry), use_bool_range_constraint);
 
         naf_entries[num_rounds - i - 1] = bit;
 

barretenberg/cpp/src/barretenberg/stdlib/primitives/bool/bool.cpp

@@ -32,16 +32,25 @@ bool_t<Builder>::bool_t(Builder* parent_context)
 /**
  * @brief Construct a `bool_t` object from a witness, note that the value stored at `witness_index` is constrained to be
  * 0 or 1.
+ * @param value A witness, which is constrained to be boolean inside of this constructor.
+ * @param use_range_constraint In case we need to create `bool_t` in a loop, it is more efficient to apply the range
+ * constraint gates instead of creating arithmetic gates.
  */
 template <typename Builder>
-bool_t<Builder>::bool_t(const witness_t<Builder>& value)
+bool_t<Builder>::bool_t(const witness_t<Builder>& value, const bool& use_range_constraint)
     : context(value.context)
 {
     ASSERT((value.witness == bb::fr::zero()) || (value.witness == bb::fr::one()),
            "bool_t: witness value is not 0 or 1");
     witness_index = value.witness_index;
-    // Constrain x := other.witness by the relation x^2 = x
-    context->create_bool_gate(witness_index);
+
+    if (use_range_constraint) {
+        // Create a range constraint gate
+        context->create_new_range_constraint(witness_index, 3, "bool_t: witness value is not 0 or 1");
+    } else {
+        // Create an arithmetic gate to enforce the relation x^2 = x
+        context->create_bool_gate(witness_index);
+    }
     witness_bool = (value.witness == bb::fr::one());
     witness_inverted = false;
     set_free_witness_tag();
@@ -135,7 +144,7 @@ template <typename Builder> bool_t<Builder>& bool_t<Builder>::operator=(bool_t&&
     return *this;
 }
 /**
- * @brief Assigns a `witness_t` to a `bool_t`. As above,  he value stored at `witness_index` is constrained to be
+ * @brief Assigns a `witness_t` to a `bool_t`. As above,  the value stored at `witness_index` is constrained to be
  * 0 or 1.
  */
 template <typename Builder> bool_t<Builder>& bool_t<Builder>::operator=(const witness_t<Builder>& other)

barretenberg/cpp/src/barretenberg/stdlib/primitives/bool/bool.hpp

@@ -61,7 +61,7 @@ template <typename Builder> class bool_t {
     bool_t(const bool value = false);
     bool_t(Builder* parent_context);
     bool_t(Builder* parent_context, const bool value);
-    bool_t(const witness_t<Builder>& value);
+    bool_t(const witness_t<Builder>& value, const bool& use_range_constraint = false);
     bool_t(const bool_t& other);
     bool_t(bool_t&& other);
 

barretenberg/cpp/src/barretenberg/stdlib/primitives/bool/bool.test.cpp

@@ -151,6 +151,39 @@ template <class Builder_> class BoolTest : public ::testing::Test {
                                   "((other.witness == bb::fr::one()) || (other.witness == bb::fr::zero()))");
         };
     }
+
+    void test_construct_from_witness_range_constraint()
+    {
+        const bool use_range_constraint = true;
+
+        for (size_t num_inputs = 1; num_inputs < 50; num_inputs++) {
+            Builder builder = Builder();
+            size_t num_gates_start = builder.get_estimated_num_finalized_gates();
+
+            std::vector<uint32_t> indices;
+            for (size_t idx = 0; idx < num_inputs; idx++) {
+                indices.push_back(
+                    bool_ct(witness_ct(&builder, idx % 2), use_range_constraint).get_normalized_witness_index());
+            }
+
+            const size_t sorted_list_size = num_inputs + 2;
+
+            // Pin down the gate numbers. The point is that it is more efficient to use this constructor to constrain a
+            // batch of bool_t elements.
+            size_t expected = (num_inputs == 1) ? 4 : (sorted_list_size / 4) + 3;
+
+            EXPECT_EQ(builder.get_estimated_num_finalized_gates() - num_gates_start, expected);
+
+            builder.create_dummy_constraints(indices);
+
+            EXPECT_TRUE(CircuitChecker::check(builder));
+        }
+
+        // Failure test
+        Builder builder = Builder();
+        EXPECT_THROW_OR_ABORT(auto new_bool = bool_ct(witness_ct(&builder, 2), use_range_constraint),
+                              "bool_t: witness value is not 0 or 1");
+    }
     void test_AND()
     {
         test_binary_op(
@@ -451,6 +484,10 @@ TYPED_TEST(BoolTest, ConstructFromWitness)
 {
     TestFixture::test_construct_from_witness();
 }
+TYPED_TEST(BoolTest, ConstructFromWitnessRangeConstraint)
+{
+    TestFixture::test_construct_from_witness_range_constraint();
+}
 
 TYPED_TEST(BoolTest, Normalization)
 {

barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_circuit_builder.cpp

@@ -1131,17 +1131,17 @@ template <typename ExecutionTrace> void UltraCircuitBuilder_<ExecutionTrace>::pr
 }
 
 /*
- Create range constraint:
-  * add variable index to a list of range constrained variables
-  * data structures: vector of lists, each list contains:
-  *    - the range size
-  *    - the list of variables in the range
-  *    - a generalized permutation tag
-  *
-  * create range constraint parameters: variable index && range size
-  *
-  * std::map<uint64_t, RangeList> range_lists;
-*/
+ * Create range constraint:
+ * add variable index to a list of range constrained variables
+ * data structures: vector of lists, each list contains:
+ *    - the range size
+ *    - the list of variables in the range
+ *    - a generalized permutation tag
+ *
+ * create range constraint parameters: variable index && range size
+ *
+ * std::map<uint64_t, RangeList> range_lists;
+ */
 // Check for a sequence of variables that neighboring differences are at most 3 (used for batched range checkj)
 template <typename ExecutionTrace>
 void UltraCircuitBuilder_<ExecutionTrace>::create_sort_constraint(const std::vector<uint32_t>& variable_index)
@@ -1180,7 +1180,7 @@ void UltraCircuitBuilder_<ExecutionTrace>::create_sort_constraint(const std::vec
 }
 
 // useful to put variables in the witness that aren't already used - e.g. the dummy variables of the range constraint in
-// multiples of three
+// multiples of four
 template <typename ExecutionTrace>
 void UltraCircuitBuilder_<ExecutionTrace>::create_dummy_constraints(const std::vector<uint32_t>& variable_index)
 {