<!--
<span style="color: #0; font-family: Times New Roman; font-size: 1.3em;">Aztec Emulated Field and Group Operations for Efficient Large Number Arithmetic
</span>
=== -->
<style>
.markdown-body code,
.markdown-body tt {
color: #eee;
background-color: rgba(20, 230, 230, 0.36);
}
/* a,
.open-files-container li.selected a {
color: #5EB7E0;
} */
</style>
<!-- # Efficient big number arithmetic circuits proposed by Aztec Network -->
---
This note aims to detail our thoughts on a particular [short post](/@arielg/B13JoihA8) from researchers at Aztec, the team behind the original PLONK zk-SNARKs. Due to the original post's short form, some of the details are not altogether clear to us, and filling them in requires some leaps of logic or creativity in places. Therefore, the explanations in this note might be a bit misleading in parts and should be taken with a grain of salt. Nevertheless, we accept the risk of being mistaken and write out what we understood from the original post.
<!-- We would be happy to be corrected (--- at gmail) if something is not quite right. -->
Further, the methods in these notes (or methods similar to them) are implemented in the following repository, [https://github.com/privacy-scaling-explorations/halo2wrong](https://github.com/privacy-scaling-explorations/halo2wrong), to create efficient circuits for the ECDSA verification algorithm, which uses large fields.
---
<span style="color: #0; font-family: Times New Roman; font-size: 1.1em;">Motivation
</span>
---
In some circuits, such as those for DSA, we are frequently interested in expressing modular arithmetic over a large prime field: equations of the sort $a\cdot b = r \text{ mod } p$ where $p$ is a large prime. Typically, a witness $(a,b,r,q,p)$ is produced and the integer constraint $a\cdot b = q\cdot p + r$ is included as part of the polynomial commitment. Using the non-native arithmetic discussed in this note, we can replace these types of constraints with (multiple) constraints over smaller numbers. Our goal in this note is therefore to emulate certain expensive constraints in a different way.
---
<span style="color: #0; font-family: Times New Roman; font-size: 1.1em;">Setup
</span>
---
Let us consider the setting and the naive approach. We are given a prime number $p$ and are interested in building a circuit for $a\cdot b \text{ mod } p$. The input variables $a,b$ are assumed to be in the range $[0, p)$; otherwise, we would simply use the equivalent modular statement with smaller numbers, $(a \text{ mod } p)\cdot (b \text{ mod } p) \text{ mod } p$.
We are interested in finding a non-negative integer $r$ s.t. $a\cdot b = r \text{ mod } p$ and $r$ is the smallest such number, which means $r$ is in the range $[0, p)$ as well. Given a candidate for $r$, we wish to build a constraint that ensures $r$ matches $(a,b,p)$. This requires introducing an advice variable $q$ (whose existence we exhibit) satisfying $a\cdot b = q\cdot p + r$; such a $q$ is a unique non-negative integer. Since $a\cdot b < p^2$ and the least value $r$ can take is $0$, we have $a\cdot b - r = q\cdot p < p^2$, which implies $q$ is in the same range $[0, p)$. Therefore, all the relevant variables aside from $p$ itself lie in the same range, $a,b,q,r\in [0, p)$.
If we are willing to deal with values in the range $[0, p^2)$ in our circuit constraints, we can simply ensure that $a\cdot b - q \cdot p - r = 0$. However, this may not be desirable if $p$ is a large prime on the order of $2^{256}$, for example. In the rest of this note, we build the same constraint in a different way, circumventing the computation of $a\cdot b$ or $q\cdot p$ for a given $(a,b,q,p,r)$.
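To make this concrete, below is a minimal Python sketch (plain integer arithmetic, not a circuit) that derives the advice value $q$ for a given $(a,b,p)$ and checks the naive constraint; the prime used is only illustrative.
```python
# Minimal sketch of the naive integer constraint a*b = q*p + r
# (plain integer arithmetic, only to illustrate the ranges involved).

def naive_witness(a: int, b: int, p: int):
    """Return (q, r) such that a*b = q*p + r with q, r in [0, p)."""
    assert 0 <= a < p and 0 <= b < p
    r = (a * b) % p
    q = (a * b - r) // p           # advice value showing the existence of q
    assert 0 <= q < p and 0 <= r < p
    assert a * b - q * p - r == 0  # the expensive constraint we want to avoid evaluating directly
    return q, r

# Example with an illustrative large prime (any prime works for the sketch).
p = (1 << 255) - 19
a, b = pow(3, 160, p), pow(5, 160, p)
q, r = naive_witness(a, b, p)
print(q, r)
```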
---
<span style="color: #0; font-family: Times New Roman; font-size: 1.1em;">Native Field Constraint
</span>
---
We begin by considering a method to ensure $a\cdot b - q\cdot p -r = 0 \text{ mod } n$ for a prime $n < p$ without computing $a\cdot b$ or $q\cdot p$. Since the above equality implies $(a \text{ mod } n) \cdot (b \text{ mod } n) - (q \text{ mod } n)\cdot (p \text{ mod } n) - (r \text{ mod } n) = 0 \text{ mod } n$, we can write it with new variables $\{a_n, b_n, q_n, p_n, r_n\}$ s.t. $a_n = a \text{ mod } n$ etc. respectively. In order to accomplish this, we consider a new set of constraints with advice variables $\{v_a, v_b, v_q, v_p, v_r\}$,
\begin{align}
v_a \cdot n + a_n = a \tag{1} \\
v_b \cdot n + b_n = b \tag{2} \\
v_q \cdot n + q_n = q \tag{3} \\
v_p \cdot n + p_n = p \tag{4} \\
v_r \cdot n + r_n = r \tag{5} \\
\end{align}Based on $\{a_n, b_n, q_n, p_n, r_n\}$, we can simply re-write the additional *overall constraint* as $a_n\cdot b_n - q_n\cdot p_n - r_n = 0 \text{ mod } n$ or in an integer constraint form as,
\begin{align}
v_\text{overall} \cdot n = a_n\cdot b_n - q_n\cdot p_n - r_n. \tag{6}
\end{align}Note that $a_n\cdot b_n - q_n\cdot p_n - r_n$ itself does not need to be $0$, unlike $a\cdot b - q\cdot p -r$. These are all integer constraints over numbers smaller than $n$, apart from $\{a, b, q, p, r\}$ themselves, which appear in Eq. 1-5 on their own without being multiplied by other numbers. Therefore, these constraints can be enforced efficiently with small numbers.
For a given $(a,b,q,p,r,v_a, v_b, v_q, v_p, v_r,v_\text{overall})$ that satisfies the constraints in Eq. 1-6, it is guaranteed that $a\cdot b - q\cdot p -r = 0 \text{ mod } n$. However, $a\cdot b - q \cdot p - r = 0$ is not guaranteed. In order to ensure $a\cdot b - q \cdot p - r = 0$, we will need the additional constraints we introduce in the next section.
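As a sanity check of Eq. 1-6, the following Python sketch derives the advice values over plain integers, with toy-sized moduli chosen only for readability; note that $v_\text{overall}$ may be negative in this integer form, whereas in a circuit it is simply an element of the native field.
```python
# Sketch of the native-field constraints in Eq. 1-6 over plain integers.
# n plays the role of the (smaller) native field modulus.

def native_field_witness(a, b, q, p, r, n):
    # Eq. 1-5: split each value x as x = v_x * n + x_n with x_n in [0, n).
    def split(x):
        return x // n, x % n
    (v_a, a_n), (v_b, b_n) = split(a), split(b)
    (v_q, q_n), (v_p, p_n), (v_r, r_n) = split(q), split(p), split(r)

    # Eq. 6: v_overall * n = a_n*b_n - q_n*p_n - r_n.
    lhs = a_n * b_n - q_n * p_n - r_n
    assert lhs % n == 0            # holds whenever a*b - q*p - r = 0 mod n
    v_overall = lhs // n           # may be negative in this integer sketch
    return v_overall

# Example (toy sizes for readability).
p = 97
n = 13                             # a smaller "native" modulus, n < p
a, b = 45, 81
r = (a * b) % p
q = (a * b - r) // p
print(native_field_witness(a, b, q, p, r, n))
```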
<!-- ($a\cdot b - q\cdot p -r \ge n$ and is a multiple of $n$). -->
---
<span style="color: #0; font-family: Times New Roman; font-size: 1.1em;">Constraint decomposition in modulo $2^T$ ring, where $p<2^T$
</span>
---
In the following, $p' = -p \text{ mod } 2^T$, or more concretely $p'=2^T-p$. It is easy to see that $a \cdot b - q \cdot p = a \cdot b + q \cdot p' \mod 2^T$, since $q\cdot p' = q\cdot (2^T - p) \equiv -q\cdot p \mod 2^T$.
Assume $T$ is a given integer that is a multiple of $4$. We will write integers such as $a,b$ in binary notation as a concatenation of multiple bit subsections, sometimes called limbs, as follows.
Consider limbs of size $B=T/4$. Then an integer $a \in [0, 2^{T}-1]$ can be written as $4$ limbs, $a = [a_3, a_2, a_1, a_0]$, each of which is a number $a_i \in [0, 2^{B}-1]$ that can be represented as a sequence of $B$ bits, with $a = \sum_{i=0:3} a_i \cdot 2^{iB}$. Given $a,b, q, p' \in [0, 2^{T}-1]$, we can write the following equation for $a \cdot b + q \cdot p'$,
\begin{align}
(a \cdot b + q \cdot p') \text{ mod } 2^T =&
\hspace{0.05in} [a_3, a_2, a_1, a_0] \cdot [b_3, b_2, b_1, b_0] + [q_3, q_2, q_1, q_0] \cdot [p'_3, p'_2, p'_1, p'_0] \\
=& (a_0 \cdot b_0 + q_0 \cdot p'_0)\cdot 2^{0B} + \tag{7}\\
& (a_1 \cdot b_0 + a_0 \cdot b_1 + q_1 \cdot p'_0 + q_0 \cdot p'_1)\cdot 2^{1B} +\tag{8}\\
& (a_2 \cdot b_0 + a_0 \cdot b_2 + a_1 \cdot b_1 + q_2 \cdot p'_0 + q_0 \cdot p'_2 + q_1 \cdot p'_1)\cdot 2^{2B} + \tag{9}\\
& (a_3 \cdot b_0 + a_0 \cdot b_3 + a_1 \cdot b_2 + a_2 \cdot b_1 + q_3 \cdot p'_0 + q_0 \cdot p'_3 + q_1 \cdot p'_2 + q_2 \cdot p'_1)\cdot 2^{3B} \tag{10}\\
=& \hspace{0.05in} t_0\cdot 2^{0B} + t_1\cdot 2^{1B} + t_2\cdot 2^{2B} + t_3\cdot 2^{3B}
\end{align}
Note that we do not have terms that involve $a_3 \cdot b_3$ in these equations, even though they would appear in $a \cdot b + q \cdot p'$. The reason for this is simple: the term that involves $a_3 \cdot b_3$ would be $a_3 \cdot b_3 \cdot 2^{(3+3)B}$ and since $3+3 \ge 4$, this number is divisible by $2^T = 2^{4B}$ and is zero modulo $2^T$. The same is true for any $a_i \cdot b_j$ and $q_i \cdot p'_j$ with $i+j \ge 4$.
This leaves us with $10$ different terms for $a\cdot b$ (and $10$ terms for $q\cdot p'$) that are grouped together by the index sum $i+j \in \{0, 1, 2, 3\}$ in each line of Eq. 7-10 respectively. Once we group them in this way, we can factor out $2^{(i+j)B}$ in each line, according to the positions $(i,j)$ of the limbs of the original numbers involved in the multiplications. Based on this grouping, we can create intermediate variables $t_{i+j} \in \{t_0, t_1, t_2, t_3\}$,
\begin{gather}
a \cdot b + q \cdot p' \text{ mod } 2^T = t_3\cdot 2^{3B} + t_2\cdot 2^{2B} + t_1\cdot 2^{1B} + t_0\cdot 2^{0B}
\end{gather}which can take values in the following ranges:
\begin{gather}
t_0 \in [0, 2^{2B+1}-1]\\
t_1 \in [0, 2^{2B+2}-1]\\
t_2 \in [0, 2^{2B+3}-1]\\
t_3 \in [0, 2^{2B+3}-1]
\end{gather}If the number of summands in each $t_i$ is denoted by $v_i$, the range of each sum can be given as $t_i \in [0, 2^{2B+\lceil\log_2 v_i\rceil}-1]$. The exponent $2B + \lceil\log_2 v_i\rceil$ in this bound is explained below using $t_2$ as an example.
\begin{align}
t_2 = a_2 \cdot b_0 + a_0 \cdot b_2 + a_1 \cdot b_1 + q_2 \cdot p'_0 + q_0 \cdot p'_2 + q_1 \cdot p'_1
\end{align}As we can see, it consists of a summation of $6$ terms, each of which is the product of two numbers in the range $[0, 2^{B}-1]$. Multiplying two such numbers yields a number smaller than $2^{2B}$, i.e. in the range $[0, 2^{2B}-1]$. Adding $6$ such numbers then yields a number in the range $[0, 6(2^{2B}-1)]$. This range can be (minimally) expanded to the bit-friendly range $[0, 2^{\lceil\log_2 6\rceil}\cdot 2^{2B}-1] = [0, 2^{2B+\lceil\log_2 6\rceil}-1] = [0, 2^{2B+3}-1]$, which encompasses $[0, 6(2^{2B}-1)]$.
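The bound can also be checked numerically; the short Python sketch below, with an illustrative limb width, confirms that the worst-case $t_2$ still fits below $2^{2B+\lceil\log_2 6\rceil}$.
```python
# Worst-case check of the range bound for t_2 (a sum of 6 products of B-bit limbs).
from math import ceil, log2

B = 64                          # illustrative limb width
max_limb = (1 << B) - 1
num_terms = 6                   # t_2 is a sum of 6 limb products
t2_max = num_terms * max_limb * max_limb
bound = 1 << (2 * B + ceil(log2(num_terms)))   # 2^(2B + ceil(log2 6)) = 2^(2B+3)
assert t2_max < bound
print(t2_max.bit_length(), bound.bit_length())
```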
Let $t=t_3\cdot 2^{3B} + t_2\cdot 2^{2B} + t_1\cdot 2^{1B} + t_0\cdot 2^{0B}$. Note that $t$ itself does not need to be less than $2^T = 2^{4B}$. Its calculation only throws away some of the parts of $a \cdot b + q \cdot p'$ that do not contribute to the result modulo $2^T$, but not all of them. Therefore, if $a \cdot b + q \cdot p' = r \mod 2^T$ with $r < 2^T$, it is not guaranteed that $t = r$. However, the last $T$ bits of $t$ are certainly going to equal $r$ (this is why working modulo a power of two such as $2^T$ is convenient).

Further, if we consider the $B$-bit limb decomposition, $r = [r_3, r_2, r_1, r_0]$, then $r_0$ is the last $B$ bits of $y_0=t_0+0$, i.e. $y_0-r_0 = z_0\cdot 2^B$ for some non-negative integer $z_0$. Similarly, $r_1$ is the last $B$ bits of $y_1= t_1 + z_0$ with $y_1-r_1 = z_1\cdot 2^B$. We can write all the limbs of $r$ in a similar fashion:
\begin{align}
y_0&=t_0+0, \hspace{0.24in} y_0-r_0 = z_0\cdot 2^B\\
y_1&= t_1 + z_0, \hspace{0.2in} y_1-r_1 = z_1\cdot 2^B\\
y_2&= t_2 + z_1, \hspace{0.2in} y_2-r_2 = z_2\cdot 2^B\\
y_3&= t_3 + z_2, \hspace{0.2in} y_3-r_3 = z_3\cdot 2^B
\end{align}Removing the intermediate variables $y$, we get
\begin{align}
t_0+0-r_0 &= z_0\cdot 2^B \tag{11}\\
t_1 + z_0-r_1 &= z_1\cdot 2^B \tag{12}\\
t_2 + z_1-r_2 &= z_2\cdot 2^B \tag{13}\\
t_3 + z_2-r_3 &= z_3\cdot 2^B.\tag{14}
\end{align}
<!-- We must also consider the additional constraint:
\begin{align}
p'=2^T-p \tag{15}
\end{align}
-->
In this section, we have demonstrated a set of integer constraints, Eq. 11-14, that can be used to ensure $a\cdot b + q\cdot p' = r \mod 2^T$, which also ensures $a\cdot b - q\cdot p - r = 0 \mod 2^T$. Note that we accomplish this without ever computing $a\cdot b$ or $q\cdot p$, but by working directly with their $B$-bit limbs in the constraints.
To summarize, for a given $([a_3, a_2, a_1, a_0], [b_3, b_2, b_1, b_0], [q_3, q_2, q_1, q_0], [p'_3, p'_2, p'_1, p'_0],$ $[r_3, r_2, r_1, r_0],t_3, t_2, t_1, t_0, z_3, z_2,z_1,z_0)$ that satisfies the constraints in Eq. 11-14, along with the constraints below that ensure $p'=2^T-p$ limb by limb (these rely on $p_0\neq 0$, which holds since $p$ is an odd prime),
\begin{align}
p'_0 + p_0 + 0 = 2^B \tag{15} \\
p'_1 + p_1 + 1 = 2^B \tag{16} \\
p'_2 + p_2 + 1 = 2^B \tag{17} \\
p'_3 + p_3 + 1 = 2^B \tag{18}
\end{align}
it is guaranteed that $a\cdot b - q\cdot p -r = 0 \mod 2^T$ (but not that $a\cdot b - q\cdot p - r = 0$ over the integers).
We finally note that constraints from the previous section in Eq. 1-6 can be written in the $B$-bit limb form as well, to match the constraints in this section.
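The sketch below walks through this section's constraints end to end over plain Python integers (it is not a circuit): it decomposes the witness into $B$-bit limbs, checks the $p'$ constraints in Eq. 15-18, builds the intermediate values $t_i$ from Eq. 7-10, and runs the carry chain of Eq. 11-14. The choice $T=256$ and the secp256k1-sized prime are only illustrative.
```python
# End-to-end sketch of the mod-2^T limb constraints (Eq. 7-18) over plain integers.

T = 256                 # illustrative; must satisfy p < 2^T and 4 | T
B = T // 4              # limb width

def limbs(x):
    """Decompose x < 2^T into 4 limbs of B bits, least significant first."""
    return [(x >> (i * B)) & ((1 << B) - 1) for i in range(4)]

def check_mod_2T_constraints(a, b, q, p, r):
    p_prime = (1 << T) - p                          # p' = 2^T - p
    al, bl, ql, pl, ppl, rl = map(limbs, (a, b, q, p, p_prime, r))

    # Eq. 15-18: p' = 2^T - p, limb by limb (uses p_0 != 0 since p is odd).
    assert ppl[0] + pl[0] == (1 << B)
    for i in (1, 2, 3):
        assert ppl[i] + pl[i] + 1 == (1 << B)

    # Eq. 7-10: intermediate values t_0..t_3, dropping products with i + j >= 4.
    t = [0, 0, 0, 0]
    for i in range(4):
        for j in range(4 - i):
            t[i + j] += al[i] * bl[j] + ql[i] * ppl[j]

    # Eq. 11-14: carry chain; each z_k must be a non-negative integer.
    z = 0
    for k in range(4):
        y = t[k] + z
        assert y >= rl[k] and (y - rl[k]) % (1 << B) == 0
        z = (y - rl[k]) >> B
    return True

# Example with an illustrative 256-bit prime (secp256k1's base field size).
p = 2**256 - 2**32 - 977
a, b = pow(3, 100, p), pow(5, 90, p)
r = (a * b) % p
q = (a * b - r) // p
print(check_mod_2T_constraints(a, b, q, p, r))
```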
<!-- ($a\cdot b - q\cdot p -r \ge 2^T$ and is a multiple of $2^T$). -->
---
**A different version from the original post**: The above is our version of how we would do this constraint decomposition.
A different version of this that combines a pair of limbs $[r_3, r_2]$ and $[r_1, r_0]$ into the constraints is given below (the original formulation in the [blog post that this note is based on](/@arielg/B13JoihA8)).
\begin{gather}
u_0 = (t_1\cdot 2^{B} + t_0) - (r_1\cdot 2^{B} + r_0) \\
u_0 + 0 = v_0 \cdot 2^{2B}\\
u_1 = (t_3\cdot 2^{B} + t_2) - (r_3\cdot 2^{B} + r_2) \\
u_1+v_0 = v_1 \cdot 2^{2B}
% v_1 = \frac{u_1+v_0}{2^{2B}} = \frac{u_1+\frac{u_0}{2^{2B}}}{2^{2B}} = \frac{u_1\cdot 2^{2B} + u_0}{2^{4B}}\\
% v_1 = \frac{(t_3-r_3)\cdot 2^{3B} + (t_2-r_2)\cdot 2^{2B} + (t_1-r_1)\cdot 2^{B} + (t_0-r_0)}{2^{T}} = \frac{(t_3, t_2, t_1, t_0)-(r_3, r_2, r_1, r_0)}{2^{T}}
\end{gather}
In the image below, we demonstrate this idea.

It is hard to tell what we gain from this particular formulation, which was given in the original post instead of our formulation above. There are $4$ constraints in each case, and in the latter there are multiplications by $2^{2B}$, which makes numbers such as $u_0$ and $u_1$ quite a bit larger. We believe our formulation should be more efficient, but it is difficult to be certain.
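For completeness, here is a small self-contained Python sketch of this combined-limb variant, again over plain integers with the same illustrative parameters as before; $u_0, u_1, v_0, v_1$ correspond to the variables in the display above.
```python
# Sketch of the combined-limb variant: pairs of limbs are merged before the carry check.

T = 256
B = T // 4

def limbs(x):
    return [(x >> (i * B)) & ((1 << B) - 1) for i in range(4)]

def check_combined_limb_constraints(t, r):
    """t = [t0, t1, t2, t3] as in Eq. 7-10; r < 2^T is the expected remainder."""
    r0, r1, r2, r3 = limbs(r)
    u0 = (t[1] << B) + t[0] - ((r1 << B) + r0)
    assert u0 >= 0 and u0 % (1 << (2 * B)) == 0
    v0 = u0 >> (2 * B)
    u1 = (t[3] << B) + t[2] - ((r3 << B) + r2)
    assert (u1 + v0) % (1 << (2 * B)) == 0
    v1 = (u1 + v0) >> (2 * B)
    return v0, v1

# Reuse the same illustrative witness as before (secp256k1-sized prime).
p = 2**256 - 2**32 - 977
p_prime = (1 << T) - p
a, b = pow(3, 100, p), pow(5, 90, p)
r = (a * b) % p
q = (a * b - r) // p
al, bl, ql, ppl = map(limbs, (a, b, q, p_prime))
t = [0, 0, 0, 0]
for i in range(4):
    for j in range(4 - i):
        t[i + j] += al[i] * bl[j] + ql[i] * ppl[j]
print(check_combined_limb_constraints(t, r))
```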
---
<span style="color: #0; font-family: Times New Roman; font-size: 1.1em;">Applying the Chinese Remainder Theorem
</span>
---
We have shown constraints that allow us to restrict $(a,b,q,p,r)$ such that
$a\cdot b - q\cdot p -r = 0 \mod n$ and $a\cdot b - q\cdot p -r = 0 \mod 2^T$. However, these do not guarantee that $a\cdot b - q\cdot p -r = 0$ without the modulo, as $a\cdot b - q\cdot p -r = 0 \mod n$ also holds when $a\cdot b - q\cdot p -r$ is a non-zero multiple of $n$. Similarly, $a\cdot b - q\cdot p -r$ being a non-zero multiple of $2^T$ is allowed (a distinct possibility, since $a\cdot b$ can be as large as roughly $p^2$, which far exceeds $2^T$). Therefore, individually, these constraints do not ensure $a\cdot b - q\cdot p -r = 0$.
However, since $n$ and $2^T$ are coprime ($n$ is an odd prime), i.e. $\text{gcd}(n, 2^T)=1$, we can invoke the two-modulus case of the CRT, which states,
\begin{align}
a\cdot b - q\cdot p - r = 0 \mod n \hspace{0.3in}\wedge\hspace{0.3in} & a\cdot b - q\cdot p - r = 0 \mod 2^T \\
\longleftrightarrow \hspace{0.3in} & a\cdot b - q\cdot p - r = 0 \mod (n\cdot 2^T)
\end{align}Therefore, satisfying these constraints jointly means that $a\cdot b - q\cdot p - r = 0 \mod (n\cdot 2^T)$ is also satisfied. Does this guarantee that $a\cdot b - q\cdot p - r = 0$? Not necessarily, as it could be that $a\cdot b - q\cdot p -r$ is a non-zero multiple of $n\cdot 2^T$. However, if we choose $(n, T)$ large enough s.t. this is not possible, then satisfying these constraints jointly *will* mean that $a\cdot b - q\cdot p - r = 0$.
In order to accomplish this, we need to enforce $|a\cdot b - q\cdot p -r| < n \cdot 2^T$ by choosing $(n,T)$ s.t. $p^2< n\cdot 2^T$, as we already know the allowed ranges of the variables, $a,b,q,r \in [0, p)$. Since $n < p$, this forces $2^T> p$. Therefore, $T$ must be large enough to satisfy $p^2< n\cdot 2^T$, but at the same time small enough that $B=T/4$ is sufficiently small to justify the multitude of constraints involving numbers in the range $[0, 2^B)$.
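The following Python sketch illustrates the parameter check $p^2 < n\cdot 2^T$ and the resulting implication over plain integers; the particular moduli $(p, n, T)$ are only illustrative choices, not the parameters of any specific proof system.
```python
# Sketch of the CRT argument: if a*b - q*p - r is 0 mod n and 0 mod 2^T,
# and its absolute value is below n * 2^T, then it must be 0 over the integers.

def crt_implies_integer_identity(a, b, q, p, r, n, T):
    assert all(0 <= x < p for x in (a, b, q, r))
    assert p * p < n * (1 << T)          # parameter choice: p^2 < n * 2^T
    val = a * b - q * p - r
    if val % n == 0 and val % (1 << T) == 0:
        # val is a multiple of lcm(n, 2^T) = n * 2^T (n is odd), and |val| < n * 2^T,
        # so it can only be zero.
        assert -n * (1 << T) < val < n * (1 << T)
        assert val == 0
        return True
    return False

# Illustrative parameters: a ~256-bit emulated prime p, a ~255-bit native modulus n,
# and T chosen so that 4 | T, p < 2^T, and p^2 < n * 2^T.
p = 2**256 - 2**32 - 977
n = (1 << 255) - 19
T = 260
a, b = pow(3, 100, p), pow(5, 90, p)
r = (a * b) % p
q = (a * b - r) // p
print(crt_implies_integer_identity(a, b, q, p, r, n, T))
```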