port some optimizations from plonky2 fork (#18)

lighterabc · web-flow · commit 5442047238d1 · 2025-12-11T19:01:29.000+03:00
elliottech/plonky2#10 It is %20-25 faster
diff --git a/field/field_test.go b/field/field_test.go
@@ -187,6 +187,80 @@ func TestSquareF(t *testing.T) {
 	}
 }
 
+func TestMulAccF(t *testing.T) {
+	for _, x := range inputs {
+		for _, y := range inputs {
+			for _, z := range inputs {
+				fX := g.GoldilocksField(x)
+				fY := g.GoldilocksField(y)
+				fZ := g.GoldilocksField(z)
+				mulAcc := g.MulAccF(fX, fY, fZ).ToCanonicalUint64()
+				expected := SumMod(x, MulMod(y, z))
+				if mulAcc != expected {
+					t.Fatalf("Expected %d + %d * %d = %d, but got %d", x, y, z, expected, mulAcc)
+				}
+			}
+		}
+	}
+}
+
+func TestReduce128Bit(t *testing.T) {
+	testValues := []g.UInt128{
+		{0, 0},
+		{1, 0},
+		{math.MaxUint64, math.MaxUint64},
+		{0, g.ORDER + 1},
+		{0, g.ORDER - 1},
+		{0, 1},
+		{0, math.MaxUint64},
+		{math.MaxUint64, 0},
+	}
+
+	for _, val := range testValues {
+		reduced := g.Reduce128Bit(val)
+		bigVal := new(big.Int).SetUint64(val.Hi)
+		bigVal.Lsh(bigVal, 64)
+		bigVal.Add(bigVal, new(big.Int).SetUint64(val.Lo))
+		bigOrder := new(big.Int).SetUint64(g.ORDER)
+		bigVal.Mod(bigVal, bigOrder)
+		expected := bigVal.Uint64()
+		if reduced.ToCanonicalUint64() != expected {
+			t.Fatalf("Expected reduction of %v to be %d, but got %d", val, expected, reduced.ToCanonicalUint64())
+		}
+	}
+}
+
+func TestReduce96Bit(t *testing.T) {
+	testValues := []g.UInt128{
+		{0, 0},
+		{1, 0},
+		{math.MaxUint32, math.MaxUint64},
+		{0, g.ORDER + 1},
+		{0, g.ORDER - 1},
+		{0, 1},
+		{0, math.MaxUint64},
+		{math.MaxUint32, 0},
+	}
+
+	for _, val := range testValues {
+		reduced := g.Reduce96Bit(val)
+		bigVal := new(big.Int).SetUint64(val.Hi)
+		bigVal.Lsh(bigVal, 64)
+		bigVal.Add(bigVal, new(big.Int).SetUint64(val.Lo))
+
+		if bigVal.BitLen() > 96 {
+			t.Fatalf("Input %v exceeds 96 bits", val)
+		}
+
+		bigOrder := new(big.Int).SetUint64(g.ORDER)
+		bigVal.Mod(bigVal, bigOrder)
+		expected := bigVal.Uint64()
+		if reduced.ToCanonicalUint64() != expected {
+			t.Fatalf("Expected reduction of %v to be %d, but got %d", val, expected, reduced.ToCanonicalUint64())
+		}
+	}
+}
+
 func TestSubFDoubleWraparound(t *testing.T) {
 	/*
 		let (a, b) = (F::from_canonical_u64((F::ORDER + 1u64) / 2u64), F::TWO);
diff --git a/field/goldilocks/goldilocks_plonky2.go b/field/goldilocks/goldilocks_plonky2.go
@@ -47,6 +47,7 @@ func (z GoldilocksField) ToCanonicalUint64() uint64 {
 	return x
 }
 
+// lhs, rhs in non-canonical form
 func AddF(lhs, rhs GoldilocksField) GoldilocksField {
 	sum, over := bits.Add64(uint64(lhs), uint64(rhs), 0)
 	sum, over = bits.Add64(sum, over*EPSILON, 0)
@@ -58,10 +59,18 @@ func AddF(lhs, rhs GoldilocksField) GoldilocksField {
 	return GoldilocksField(sum)
 }
 
+// Assuming lhs or rhs is in the field, i.e. x < ORDER and other in non-canonical form(u64). This assumption can be used to remove second overflow check.
+func AddCanonicalUint64(lhs GoldilocksField, rhs uint64) GoldilocksField {
+	sum, over := bits.Add64(uint64(lhs), uint64(rhs), 0)
+	// if overflowed, sum := lhs + rhs - 2^64 => sum + EPSILON = lhs + rhs - 2^64 + 2^32 -1 = lhs + rhs - ORDER < ORDER + 2^64 - ORDER = 2^64, so there is no overflow in this case.
+	return GoldilocksField(sum + over*EPSILON)
+}
+
 func DoubleF(lhs GoldilocksField) GoldilocksField {
 	return AddF(lhs, lhs)
 }
 
+// lhs, rhs in non-canonical form
 func SubF(lhs, rhs GoldilocksField) GoldilocksField {
 	diff, borrow := bits.Sub64(uint64(lhs), uint64(rhs), 0)
 	diff, borrow = bits.Sub64(diff, borrow*EPSILON, 0)
@@ -73,6 +82,7 @@ func SubF(lhs, rhs GoldilocksField) GoldilocksField {
 	return GoldilocksField(diff)
 }
 
+// lhs, rhs in non-canonical form
 func MulF(lhs, rhs GoldilocksField) GoldilocksField {
 	x_hi, x_lo := bits.Mul64(uint64(lhs), uint64(rhs))
 
@@ -95,6 +105,12 @@ func SquareF(x GoldilocksField) GoldilocksField {
 	return MulF(x, x)
 }
 
+// Returns self + x * y
+func MulAccF(self, x, y GoldilocksField) GoldilocksField {
+	// u64 + u64 * u64 cannot overflow.
+	return Reduce128Bit(AddUInt128(AsUInt128(self), MulUInt64(uint64(x), uint64(y))))
+}
+
 func ExpPowerOf2(x GoldilocksField, n uint) GoldilocksField {
 	z := x
 	for i := uint(0); i < n; i++ {
@@ -121,6 +137,7 @@ func SampleF() GoldilocksField {
 	return GoldilocksField(rng.Uint64())
 }
 
+// Canonical representation
 func ToLittleEndianBytesF(z GoldilocksField) []byte {
 	res := make([]byte, Bytes)
 	binary.LittleEndian.PutUint64(res, z.ToCanonicalUint64())
@@ -131,6 +148,53 @@ func FromCanonicalLittleEndianBytesF(b []byte) GoldilocksField {
 	return GoldilocksField(binary.LittleEndian.Uint64(b))
 }
 
+type UInt128 struct {
+	Hi, Lo uint64
+}
+
+// NonCanonical conversion
+func AsUInt128(f GoldilocksField) UInt128 {
+	u := uint64(f)
+	return UInt128{0, u}
+}
+
+func AddUInt128(x, y UInt128) UInt128 {
+	var carry uint64
+	var z UInt128
+	z.Lo, carry = bits.Add64(x.Lo, y.Lo, 0)
+	z.Hi = x.Hi + y.Hi + carry
+	return z
+}
+
+func MulUInt64(x, y uint64) UInt128 {
+	hi, lo := bits.Mul64(x, y)
+	return UInt128{hi, lo}
+}
+
+// Assumes x is 96-bit number
+func Reduce96Bit(x UInt128) GoldilocksField {
+	t1 := x.Hi * EPSILON
+	resWrapped, carry := bits.Add64(x.Lo, t1, 0)
+
+	return GoldilocksField(resWrapped) + GoldilocksField(carry*EPSILON)
+}
+
+func Reduce128Bit(x UInt128) GoldilocksField {
+	x_hi_hi := x.Hi >> 32
+	x_hi_lo := x.Hi & EPSILON
+
+	t0, borrow := bits.Sub64(x.Lo, x_hi_hi, 0)
+	if borrow == 1 {
+		branchHint()
+		t0 -= EPSILON
+	}
+	t1 := x_hi_lo * EPSILON
+
+	resWrapped, carry := bits.Add64(t0, t1, 0)
+	t2 := resWrapped + EPSILON*carry
+	return GoldilocksField(t2)
+}
+
 // func (z *GoldilocksField) Inverse(x *GoldilocksField) *GoldilocksField {
 // 	if x.IsZero() {
 // 		z.SetZero()
diff --git a/hash/poseidon2_goldilocks_plonky2/poseidon2.go b/hash/poseidon2_goldilocks_plonky2/poseidon2.go
@@ -149,51 +149,80 @@ func partialRounds(state *[WIDTH]g.GoldilocksField) {
 }
 
 func externalLinearLayer(s *[WIDTH]g.GoldilocksField) {
-	for i := 0; i < 3; i++ { // 4 size window
-		var t0, t1, t2, t3, t4, t5, t6 g.GoldilocksField
-		t0 = g.AddF(s[4*i], s[4*i+1])   // s0+s1
-		t1 = g.AddF(s[4*i+2], s[4*i+3]) // s2+s3
-		t2 = g.AddF(t0, t1)             // t0+t1 = s0+s1+s2+s3
-		t3 = g.AddF(t2, s[4*i+1])       // t2+s1 = s0+2s1+s2+s3
-		t4 = g.AddF(t2, s[4*i+3])       // t2+s3 = s0+s1+s2+2s3
-		t5 = g.DoubleF(s[4*i])          // 2s0
-		t6 = g.DoubleF(s[4*i+2])        // 2s2
-		s[4*i] = g.AddF(t3, t0)
-		s[4*i+1] = g.AddF(t6, t3)
-		s[4*i+2] = g.AddF(t1, t4)
-		s[4*i+3] = g.AddF(t5, t4)
+	s128 := [WIDTH]g.UInt128{}
+	for i := 0; i < WIDTH; i++ {
+		s128[i] = g.AsUInt128(s[i])
 	}
 
-	sums := [4]g.GoldilocksField{}
-	for k := 0; k < 4; k++ {
-		for j := 0; j < WIDTH; j += 4 {
-			sums[k] = g.AddF(sums[k], s[j+k])
-		}
-	}
+	externalLinearLayer128(&s128)
+
 	for i := 0; i < WIDTH; i++ {
-		s[i] = g.AddF(s[i], sums[i%4])
+		s[i] = g.Reduce96Bit(s128[i])
 	}
 }
 
-func internalLinearLayer(state *[WIDTH]g.GoldilocksField) {
-	sum := state[0]
-	for i := 1; i < WIDTH; i++ {
-		sum = g.AddF(sum, state[i])
+func externalLinearLayer128(s *[WIDTH]g.UInt128) {
+	for i := 0; i < WIDTH; i += 4 {
+		t01 := g.AddUInt128(s[i], s[i+1])
+		t23 := g.AddUInt128(s[i+2], s[i+3])
+		t0123 := g.AddUInt128(t01, t23)
+
+		x0 := s[i]
+		x2 := s[i+2]
+
+		s[i] = g.AddUInt128(g.AddUInt128(t0123, t01), s[i+1])
+		s[i+1] = g.AddUInt128(g.AddUInt128(g.AddUInt128(t0123, s[i+1]), x2), x2)
+		s[i+2] = g.AddUInt128(g.AddUInt128(t0123, t23), s[i+3])
+		s[i+3] = g.AddUInt128(g.AddUInt128(g.AddUInt128(t0123, s[i+3]), x0), x0)
 	}
+
+	sums := [4]g.UInt128{}
+	for i := 0; i < 4; i++ {
+		sums[i] = g.AddUInt128(g.AddUInt128(s[i], s[i+4]), s[i+8])
+	}
+
 	for i := 0; i < WIDTH; i++ {
-		state[i] = g.MulF(state[i], MATRIX_DIAG_12_U64[i])
-		state[i] = g.AddF(state[i], sum)
+		s[i] = g.AddUInt128(s[i], sums[i%4])
 	}
 }
 
+func internalLinearLayer(state *[WIDTH]g.GoldilocksField) {
+	sum := g.AsUInt128(state[0])
+	sum = g.AddUInt128(sum, g.AsUInt128(state[1]))
+	sum = g.AddUInt128(sum, g.AsUInt128(state[2]))
+	sum = g.AddUInt128(sum, g.AsUInt128(state[3]))
+	sum = g.AddUInt128(sum, g.AsUInt128(state[4]))
+	sum = g.AddUInt128(sum, g.AsUInt128(state[5]))
+	sum = g.AddUInt128(sum, g.AsUInt128(state[6]))
+	sum = g.AddUInt128(sum, g.AsUInt128(state[7]))
+	sum = g.AddUInt128(sum, g.AsUInt128(state[8]))
+	sum = g.AddUInt128(sum, g.AsUInt128(state[9]))
+	sum = g.AddUInt128(sum, g.AsUInt128(state[10]))
+	sum = g.AddUInt128(sum, g.AsUInt128(state[11]))
+	sumF := g.Reduce96Bit(sum)
+
+	state[0] = g.MulAccF(sumF, state[0], MATRIX_DIAG_12_U64[0])
+	state[1] = g.MulAccF(sumF, state[1], MATRIX_DIAG_12_U64[1])
+	state[2] = g.MulAccF(sumF, state[2], MATRIX_DIAG_12_U64[2])
+	state[3] = g.MulAccF(sumF, state[3], MATRIX_DIAG_12_U64[3])
+	state[4] = g.MulAccF(sumF, state[4], MATRIX_DIAG_12_U64[4])
+	state[5] = g.MulAccF(sumF, state[5], MATRIX_DIAG_12_U64[5])
+	state[6] = g.MulAccF(sumF, state[6], MATRIX_DIAG_12_U64[6])
+	state[7] = g.MulAccF(sumF, state[7], MATRIX_DIAG_12_U64[7])
+	state[8] = g.MulAccF(sumF, state[8], MATRIX_DIAG_12_U64[8])
+	state[9] = g.MulAccF(sumF, state[9], MATRIX_DIAG_12_U64[9])
+	state[10] = g.MulAccF(sumF, state[10], MATRIX_DIAG_12_U64[10])
+	state[11] = g.MulAccF(sumF, state[11], MATRIX_DIAG_12_U64[11])
+}
+
 func addRC(state *[WIDTH]g.GoldilocksField, externalRound int) {
 	for i := 0; i < WIDTH; i++ {
-		state[i] = g.AddF(state[i], EXTERNAL_CONSTANTS[externalRound][i])
+		state[i] = g.AddCanonicalUint64(state[i], uint64(EXTERNAL_CONSTANTS[externalRound][i]))
 	}
 }
 
 func addRCI(state *[WIDTH]g.GoldilocksField, round int) {
-	state[0] = g.AddF(state[0], INTERNAL_CONSTANTS[round])
+	state[0] = g.AddCanonicalUint64(state[0], uint64(INTERNAL_CONSTANTS[round]))
 }
 
 func sbox(state *[WIDTH]g.GoldilocksField) {
diff --git a/hash/poseidon2_goldilocks_plonky2/poseidon2_test.go b/hash/poseidon2_goldilocks_plonky2/poseidon2_test.go
@@ -283,3 +283,21 @@ func TestHashToQuinticExtension(t *testing.T) {
 		}
 	}
 }
+
+func TestConstantsAreInTheField(t *testing.T) {
+	for r := 0; r < ROUNDS_F; r++ {
+		for i := 0; i < WIDTH; i++ {
+			if uint64(EXTERNAL_CONSTANTS[r][i]) >= g.ORDER {
+				t.Logf("External constant at round %d, index %d is not in the field: %d", r, i, EXTERNAL_CONSTANTS[r][i])
+				t.Fail()
+			}
+		}
+	}
+
+	for r := 0; r < ROUNDS_P; r++ {
+		if uint64(INTERNAL_CONSTANTS[r]) >= g.ORDER {
+			t.Logf("Internal constant at round %d is not in the field: %d", r, INTERNAL_CONSTANTS[r])
+			t.Fail()
+		}
+	}
+}
