Added Twisted Edwards chip

Author: Avaneesh-axiom

Cargo.lock

@@ -59,6 +59,7 @@ members = [
     "extensions/ecc/transpiler",
     "extensions/ecc/guest",
     "extensions/ecc/sw-setup",
+    "extensions/ecc/te-setup",
     "extensions/ecc/tests",
     "extensions/pairing/circuit",
     "extensions/pairing/transpiler",
@@ -159,6 +160,7 @@ openvm-ecc-circuit = { path = "extensions/ecc/circuit", default-features = false
 openvm-ecc-transpiler = { path = "extensions/ecc/transpiler", default-features = false }
 openvm-ecc-guest = { path = "extensions/ecc/guest", default-features = false }
 openvm-ecc-sw-setup = { path = "extensions/ecc/sw-setup", default-features = false }
+openvm-ecc-te-setup = { path = "extensions/ecc/te-setup", default-features = false }
 openvm-pairing-circuit = { path = "extensions/pairing/circuit", default-features = false }
 openvm-pairing-transpiler = { path = "extensions/pairing/transpiler", default-features = false }
 openvm-pairing-guest = { path = "extensions/pairing/guest", default-features = false }
@@ -248,6 +250,7 @@ k256 = { version = "0.13.3", default-features = false }
 elliptic-curve = { version = "0.13.8", default-features = false }
 ecdsa = { version = "0.16.9", default-features = false }
 num-bigint = { version = "0.4.6", default-features = false }
+num-bigint-dig = { version = "0.8.4", default-features = false }
 num-integer = { version = "0.1.46", default-features = false }
 num-traits = { version = "0.2.19", default-features = false }
 ff = { version = "0.13.0", default-features = false }

Cargo.toml

@@ -21,6 +21,7 @@ openvm-rv32-adapters = { workspace = true }
 openvm-ecc-transpiler = { workspace = true }
 
 num-bigint = { workspace = true }
+num-bigint-dig = { workspace = true }
 num-traits = { workspace = true }
 strum = { workspace = true }
 derive_more = { workspace = true }

extensions/ecc/circuit/Cargo.toml

@@ -0,0 +1 @@
+Twisted Edwards (te) curve operations

extensions/ecc/circuit/src/edwards_chip/README.md

@@ -0,0 +1,41 @@
+use std::{cell::RefCell, rc::Rc};
+
+use num_bigint::BigUint;
+use num_traits::One;
+use openvm_circuit_primitives::var_range::VariableRangeCheckerBus;
+use openvm_mod_circuit_builder::{ExprBuilder, ExprBuilderConfig, FieldExpr};
+
+pub fn ec_add_expr(
+    config: ExprBuilderConfig, // The coordinate field.
+    range_bus: VariableRangeCheckerBus,
+    a_biguint: BigUint,
+    d_biguint: BigUint,
+) -> FieldExpr {
+    config.check_valid();
+    let builder = ExprBuilder::new(config, range_bus.range_max_bits);
+    let builder = Rc::new(RefCell::new(builder));
+
+    let x1 = ExprBuilder::new_input(builder.clone());
+    let y1 = ExprBuilder::new_input(builder.clone());
+    let x2 = ExprBuilder::new_input(builder.clone());
+    let y2 = ExprBuilder::new_input(builder.clone());
+    let a = ExprBuilder::new_const(builder.clone(), a_biguint.clone());
+    let d = ExprBuilder::new_const(builder.clone(), d_biguint.clone());
+    let one = ExprBuilder::new_const(builder.clone(), BigUint::one());
+
+    let x1y2 = x1.clone() * y2.clone();
+    let x2y1 = x2.clone() * y1.clone();
+    let y1y2 = y1 * y2;
+    let x1x2 = x1 * x2;
+    let dx1x2y1y2 = d * x1x2.clone() * y1y2.clone();
+
+    let mut x3 = (x1y2 + x2y1) / (one.clone() + dx1x2y1y2.clone());
+    let mut y3 = (y1y2 - a * x1x2) / (one - dx1x2y1y2);
+
+    x3.save_output();
+    y3.save_output();
+
+    let builder = builder.borrow().clone();
+
+    FieldExpr::new_with_setup_values(builder, range_bus, true, vec![a_biguint, d_biguint])
+}

extensions/ecc/circuit/src/edwards_chip/add.rs

@@ -0,0 +1,77 @@
+mod add;
+pub use add::*;
+
+#[cfg(test)]
+mod tests;
+
+use std::sync::{Arc, Mutex};
+
+use openvm_circuit::{arch::VmChipWrapper, system::memory::OfflineMemory};
+use openvm_circuit_derive::InstructionExecutor;
+use openvm_circuit_primitives::var_range::SharedVariableRangeCheckerChip;
+use openvm_circuit_primitives_derive::{BytesStateful, Chip, ChipUsageGetter};
+use openvm_ecc_transpiler::Rv32EdwardsOpcode;
+use openvm_mod_circuit_builder::{ExprBuilderConfig, FieldExpressionCoreChip};
+use openvm_rv32_adapters::Rv32VecHeapAdapterChip;
+use openvm_stark_backend::p3_field::PrimeField32;
+
+/// BLOCK_SIZE: how many cells do we read at a time, must be a power of 2.
+/// BLOCKS: how many blocks do we need to represent one input or output
+/// For example, for bls12_381, BLOCK_SIZE = 16, each element has 3 blocks and with two elements per input AffinePoint, BLOCKS = 6.
+/// For secp256k1, BLOCK_SIZE = 32, BLOCKS = 2.
+#[derive(Chip, ChipUsageGetter, InstructionExecutor, BytesStateful)]
+pub struct TeEcAddChip<F: PrimeField32, const BLOCKS: usize, const BLOCK_SIZE: usize>(
+    VmChipWrapper<
+        F,
+        Rv32VecHeapAdapterChip<F, 2, BLOCKS, BLOCKS, BLOCK_SIZE, BLOCK_SIZE>,
+        FieldExpressionCoreChip,
+    >,
+);
+
+// converts from num_bigint::BigUint to num_bigint_dig::BigInt in order to use num_bigint_dig::algorithms::jacobi
+fn num_bigint_to_num_bigint_dig(x: &num_bigint::BigUint) -> num_bigint_dig::BigInt {
+    num_bigint_dig::BigInt::from_bytes_le(num_bigint_dig::Sign::Plus, &x.to_bytes_le())
+}
+
+impl<F: PrimeField32, const BLOCKS: usize, const BLOCK_SIZE: usize>
+    TeEcAddChip<F, BLOCKS, BLOCK_SIZE>
+{
+    pub fn new(
+        adapter: Rv32VecHeapAdapterChip<F, 2, BLOCKS, BLOCKS, BLOCK_SIZE, BLOCK_SIZE>,
+        config: ExprBuilderConfig,
+        offset: usize,
+        a: num_bigint::BigUint,
+        d: num_bigint::BigUint,
+        range_checker: SharedVariableRangeCheckerChip,
+        offline_memory: Arc<Mutex<OfflineMemory<F>>>,
+    ) -> Self {
+        // Ensure that the addition operation is complete
+        assert!(
+            num_bigint_dig::algorithms::jacobi(
+                &num_bigint_to_num_bigint_dig(&a),
+                &num_bigint_to_num_bigint_dig(&config.modulus)
+            ) == 1
+        );
+        assert!(
+            num_bigint_dig::algorithms::jacobi(
+                &num_bigint_to_num_bigint_dig(&d),
+                &num_bigint_to_num_bigint_dig(&config.modulus)
+            ) == -1
+        );
+
+        let expr = ec_add_expr(config, range_checker.bus(), a, d);
+        let core = FieldExpressionCoreChip::new(
+            expr,
+            offset,
+            vec![
+                Rv32EdwardsOpcode::EC_ADD as usize,
+                Rv32EdwardsOpcode::SETUP_EC_ADD as usize,
+            ],
+            vec![],
+            range_checker,
+            "TeEcAdd",
+            true,
+        );
+        Self(VmChipWrapper::new(adapter, core, offline_memory))
+    }
+}

extensions/ecc/circuit/src/edwards_chip/mod.rs

@@ -0,0 +1,189 @@
+use std::str::FromStr;
+
+use num_bigint::BigUint;
+use num_traits::FromPrimitive;
+use openvm_circuit::arch::{testing::VmChipTestBuilder, BITWISE_OP_LOOKUP_BUS};
+use openvm_circuit_primitives::{
+    bigint::utils::big_uint_to_limbs,
+    bitwise_op_lookup::{BitwiseOperationLookupBus, SharedBitwiseOperationLookupChip},
+};
+use openvm_ecc_transpiler::Rv32EdwardsOpcode;
+use openvm_instructions::{riscv::RV32_CELL_BITS, LocalOpcode};
+use openvm_mod_circuit_builder::{test_utils::biguint_to_limbs, ExprBuilderConfig, FieldExpr};
+use openvm_rv32_adapters::{rv32_write_heap_default, Rv32VecHeapAdapterChip};
+use openvm_stark_backend::p3_field::FieldAlgebra;
+use openvm_stark_sdk::p3_baby_bear::BabyBear;
+
+use super::TeEcAddChip;
+
+const NUM_LIMBS: usize = 32;
+const LIMB_BITS: usize = 8;
+const BLOCK_SIZE: usize = 32;
+type F = BabyBear;
+
+lazy_static::lazy_static! {
+    pub static ref SampleEcPoints: Vec<(BigUint, BigUint)> = {
+        // Base point of edwards25519
+        let x1 = BigUint::from_str(
+            "15112221349535400772501151409588531511454012693041857206046113283949847762202",
+        )
+        .unwrap();
+        let y1 = BigUint::from_str(
+            "46316835694926478169428394003475163141307993866256225615783033603165251855960",
+        )
+        .unwrap();
+
+        // random point on edwards25519
+        let x2 = BigUint::from_u32(2).unwrap();
+        let y2 = BigUint::from_str(
+            "11879831548380997166425477238087913000047176376829905612296558668626594440753",
+        )
+        .unwrap();
+
+        // This is the sum of (x1, y1) and (x2, y2).
+        let x3 = BigUint::from_str(
+            "44969869612046584870714054830543834361257841801051546235130567688769346152934",
+        )
+        .unwrap();
+        let y3 = BigUint::from_str(
+            "50796027728050908782231253190819121962159170739537197094456293084373503699602",
+        )
+        .unwrap();
+
+        // This is 2 * (x1, y1)
+        let x4 = BigUint::from_str(
+            "39226743113244985161159605482495583316761443760287217110659799046557361995496",
+        )
+        .unwrap();
+        let y4 = BigUint::from_str(
+            "12570354238812836652656274015246690354874018829607973815551555426027032771563",
+        )
+        .unwrap();
+
+        vec![(x1, y1), (x2, y2), (x3, y3), (x4, y4)]
+    };
+
+    pub static ref Edwards25519_Prime: BigUint = BigUint::from_str(
+        "57896044618658097711785492504343953926634992332820282019728792003956564819949",
+    )
+    .unwrap();
+
+    pub static ref Edwards25519_A: BigUint = BigUint::from_str(
+        "57896044618658097711785492504343953926634992332820282019728792003956564819948",
+    )
+    .unwrap();
+
+    pub static ref Edwards25519_D: BigUint = BigUint::from_str(
+        "37095705934669439343138083508754565189542113879843219016388785533085940283555",
+    )
+    .unwrap();
+
+    pub static ref Edwards25519_A_LIMBS: [BabyBear; NUM_LIMBS] =
+        big_uint_to_limbs(&Edwards25519_A, LIMB_BITS)
+            .into_iter()
+            .map(BabyBear::from_canonical_usize)
+            .collect::<Vec<_>>()
+            .try_into()
+            .unwrap();
+    pub static ref Edwards25519_D_LIMBS: [BabyBear; NUM_LIMBS] =
+        big_uint_to_limbs(&Edwards25519_D, LIMB_BITS)
+            .into_iter()
+            .map(BabyBear::from_canonical_usize)
+            .collect::<Vec<_>>()
+            .try_into()
+            .unwrap();
+}
+
+fn prime_limbs(expr: &FieldExpr) -> Vec<BabyBear> {
+    expr.prime_limbs
+        .iter()
+        .map(|n| BabyBear::from_canonical_usize(*n))
+        .collect::<Vec<_>>()
+}
+
+#[test]
+fn test_add() {
+    let mut tester: VmChipTestBuilder<F> = VmChipTestBuilder::default();
+    let config = ExprBuilderConfig {
+        modulus: Edwards25519_Prime.clone(),
+        num_limbs: NUM_LIMBS,
+        limb_bits: LIMB_BITS,
+    };
+    let bitwise_bus = BitwiseOperationLookupBus::new(BITWISE_OP_LOOKUP_BUS);
+    let bitwise_chip = SharedBitwiseOperationLookupChip::<RV32_CELL_BITS>::new(bitwise_bus);
+    let adapter = Rv32VecHeapAdapterChip::<F, 2, 2, 2, BLOCK_SIZE, BLOCK_SIZE>::new(
+        tester.execution_bus(),
+        tester.program_bus(),
+        tester.memory_bridge(),
+        tester.address_bits(),
+        bitwise_chip.clone(),
+    );
+    let mut chip = TeEcAddChip::new(
+        adapter,
+        config,
+        Rv32EdwardsOpcode::CLASS_OFFSET,
+        Edwards25519_A.clone(),
+        Edwards25519_D.clone(),
+        tester.range_checker(),
+        tester.offline_memory_mutex_arc(),
+    );
+    //assert_eq!(chip.0.core.expr().builder.num_variables, 12);
+    assert_eq!(chip.0.core.air.expr.builder.num_variables, 12);
+
+    let (p1_x, p1_y) = SampleEcPoints[0].clone();
+    let (p2_x, p2_y) = SampleEcPoints[1].clone();
+
+    let p1_x_limbs =
+        biguint_to_limbs::<NUM_LIMBS>(p1_x.clone(), LIMB_BITS).map(BabyBear::from_canonical_u32);
+    let p1_y_limbs =
+        biguint_to_limbs::<NUM_LIMBS>(p1_y.clone(), LIMB_BITS).map(BabyBear::from_canonical_u32);
+    let p2_x_limbs =
+        biguint_to_limbs::<NUM_LIMBS>(p2_x.clone(), LIMB_BITS).map(BabyBear::from_canonical_u32);
+    let p2_y_limbs =
+        biguint_to_limbs::<NUM_LIMBS>(p2_y.clone(), LIMB_BITS).map(BabyBear::from_canonical_u32);
+
+    let r = chip
+        .0
+        .core
+        //.expr()
+        .air
+        .expr
+        .execute(vec![p1_x, p1_y, p2_x, p2_y], vec![true]);
+    assert_eq!(r.len(), 12);
+
+    let outputs = chip
+        .0
+        .core
+        .air
+        .output_indices()
+        .iter()
+        .map(|i| &r[*i])
+        .collect::<Vec<_>>();
+    assert_eq!(outputs[0], &SampleEcPoints[2].0);
+    assert_eq!(outputs[1], &SampleEcPoints[2].1);
+
+    //let prime_limbs: [BabyBear; NUM_LIMBS] = prime_limbs(chip.0.core.expr()).try_into().unwrap();
+    let prime_limbs: [BabyBear; NUM_LIMBS] = prime_limbs(&chip.0.core.air.expr).try_into().unwrap();
+    let mut one_limbs = [BabyBear::ONE; NUM_LIMBS];
+    one_limbs[0] = BabyBear::ONE;
+    let setup_instruction = rv32_write_heap_default(
+        &mut tester,
+        vec![prime_limbs, *Edwards25519_A_LIMBS],
+        vec![*Edwards25519_D_LIMBS],
+        chip.0.core.air.offset + Rv32EdwardsOpcode::SETUP_EC_ADD as usize,
+    );
+    tester.execute(&mut chip, &setup_instruction);
+
+    let instruction = rv32_write_heap_default(
+        &mut tester,
+        vec![p1_x_limbs, p1_y_limbs],
+        vec![p2_x_limbs, p2_y_limbs],
+        chip.0.core.air.offset + Rv32EdwardsOpcode::EC_ADD as usize,
+    );
+
+    tester.execute(&mut chip, &instruction);
+
+    let tester = tester.build().load(chip).load(bitwise_chip).finalize();
+
+    tester.simple_test().expect("Verification failed");
+}

extensions/ecc/circuit/src/edwards_chip/tests.rs

@@ -4,5 +4,8 @@ pub use weierstrass_chip::*;
 mod weierstrass_extension;
 pub use weierstrass_extension::*;
 
+mod edwards_chip;
+pub use edwards_chip::*;
+
 mod config;
 pub use config::*;