Non native field custom logic (first draft)

We wish to evaluate \[a * b = q * p + r\] where \(a, b, q, p, r\) are members of non-native field \(\mathbb{F}_p\).

Our arithmetic circuit evaluates arithmetic operations modulo \(r\), the 'circuit modulus'

Notation

a0, a1, a2, a3 : 4 limbs of \(a\)
b0, b1, b2, b3 : 4 limbs of \(b\)
r0, r1, r2, r3 : 4 limbs of output 'remainder' \(r\)
q0, q1, q2, q3 : 4 limbs of quotient \(q\)
p0, p1, p2, p3 : 4 limbs of non-native field prime \(p\). When these appear in polynomial identities, they are assumed to be circuit constants and not wire values
lo0, hi0, hi1 : temporary variables that represent 'lo' and 'hi' limbs respectively
lo1, hi2 : output 'lo' and 'hi' limbs, both of which must be range constrained for the non-native field multiplication to be correctly evaluated
b is the number of bits in each of the 4 limbs that compose a non-native field element

Layout of circuit memory

The rationale behind this layout is to ensure that all equations that involve limbs of the non-native field prime \(p\) can be evaluated using regular arithmetic gates. This reduces the number of custom gates required, and allows for the non-native field prime to not be hardcoded (i.e. can support multiple prime fields. To clarify, the prime field still needs to be a circuit constant, it is just that this constant can vary without having to affect the custom gate logic).

This does require regular arithmetic gates to include column 4 of the subsequent gate.

Gate	Column 1	Column 2	Column 3	Column 4
1	\(q_0\)	\(q_1\)	\(r_1\)	\(lo_1\)
2	\(a_1\)	\(b_1\)	\(r_0\)	\(lo_0\)
3	\(a_0\)	\(b_0\)	\(a_3\)	\(b_3\)
4	\(a_2\)	\(b_2\)	\(r_3\)	\(hi_0\)
5	\(a_1\)	\(b_1\)	\(r_2\)	\(hi_1\)
6	\(q_2\)	\(q_3\)	\(lo_1\)	\(hi_1\)
7	–-	–-	–-	\(hi_2\)

Gate 7 can be merged with the first gate of a sublimb accumulation gate

Gate equations

1. \(lo_1 = (lo_0 - q_0p_0 - (q_1p_1 + r_1) 2^b) 2^{-2b}\)
1. \(lo_0 = a_0b_0 - r_0 + (a_1b_0 + a_0b_1)2^b\)
1. \(hi_0 = a_2b_0 + a_0b_2 -r_32^b + (a_0b_3 + a_3b_0)2^b\)
1. \(hi_1 = hi_0 + a_1b_1 - r_2 + (a_1b_2 + a_2b_1) 2^b\)
1. \(hi_2 = (hi_1 + lo_1 - q_2p_2 - q_3p_3 2^b)2^{-2b}\)

Gate equations (2, 3, 4) as polynomial identities

\[ \bar{w}_1\bar{w}_2 + (w_1\bar{w}_2 + \bar{w}_1w_2)2^b - w_3 - w_4 = 0 \]

\[ \bar{w}_1w_2 + w_1\bar{w}_2 + (w_1w_4 + w_2w_3 - \bar{w}_3)2^b - \bar{w}_4 = 0 \]

\[ \bar{w}_1\bar{w}_2 + (\bar{w}_1w_2 + \bar{w}_2w_1)2^b + w_4 - \bar{w}_3 - \bar{w}_4 = 0 \]

Selector polynomial layout

We can evaluate all of the additional logic using a single auxiliary selector polynomial, \(Q_x(X)\)
We can repurpose arithmetic selector polynomials to toggle on/off specific gates.

Specifically we can compose a product of two of the 6 Plonk arithmetic selectors and \(q_f\) to select for a gate equation. This produces 15 distinct terms we can reserve for custom gates.

Custom sublimb accumulation logic and prime-limb evaluation

We can repurpose some of the above selectors to efficiently accumulate sublimbs into a limb.

If we assume 5 sublimbs constitute a limb, we can use a sublimb size of 14 bits and obtain 70-bit limbs.

We can accumulate 2 limbs in 3 gates. We use notation s0, s1, s2, s3, s4 and v0, v1, v2, v3, v4 to describe the sublimbs of two limbs l0, l1.

In addition, we can chain a gate to the end of 4 sublimb-accumulations to evaluate the prime-field representation (lr) of the limbs l0, l1, l2, l3. The gate layout is:

Gate	Column 1	Column 2	Column 3	Column 4
7	\(s_0\)	\(s_1\)	\(s_2\)	\(l_0\)
8	\(s_3\)	\(s_4\)	\(v_0\)	\(v_1\)
9	\(v_2\)	\(v_3\)	\(v_4\)	\(l_1\)

With gate equations:

\(l_0 = s_0 + s_12^{14} + s_22^{28} + s_32^{42} + s_42^{56}\)
\(l_1 = v_0 + v_12^{14} + v_22^{28} + v_32^{42} + v_42^{56}\)

Combined Arithmetic Identity

\[ q_xq_2q_3\bigg( \bar{w}_1\bar{w}_2 + (w_1\bar{w}_2 + \bar{w}_1w_2)2^b - w_3 - w_4 \bigg) \\ + q_xq_2q_4\bigg( \bar{w}_1w_2 + w_1\bar{w}_2 + (w_1w_4 + w_2w_3 - \bar{w}_3)2^b - \bar{w}_4 \bigg) \\ + q_xq_2q_m \bigg( \bar{w}_1\bar{w}_2 + (\bar{w}_1w_2 + \bar{w}_2w_1)2^b + w_4 - \bar{w}_3 - \bar{w}_4 \bigg) \\ + q_xq_3q_4 \bigg( w_1 + w_22^{14} + w_32^{28} + \bar{w}_12^{42} + \bar{w}_22^{56} - w_4 \bigg) \\ + q_xq_3q_m \bigg( w_3 + w_42^{14} + \bar{w}_12^{28} + \bar{w}_22^{42} + \bar{w}_32^{56} - \bar{w}_4 \bigg) \]

None of the above terms need to be linearly independent from one another, as only one term will be active for any given gate.

Accounting for duplicate terms, the total number of field multiplications required to evaluate the above is 23.

Gate costs for evaluating non-native field multiplication

6 gates to range-constrain \(r\)
6 gates to range-constrain \(q\)
3 gates to range-constrain both \(lo_1\) and \(hi_2\)
6 gates to evaluate non-native field arithmetic
2 gates to evaluate prime-field limbs of \(r\) and \(q\)
1 gate to evaluate prime-field identity \(a_rb_r - q_rp_r - r_r = 0 \text{ mod } r\)

Discounting the extra gates from the sorted-list component of the range check, the gate cost is 24.

We add 50 additional wires into the sorted list, adding the equivalent of 12.5 gates.

This brings the total gate cost to 36.5 gates.

Three limb version

Gate	Column 1	Column 2	Column 3	Column 4
1	\(a_0\)	\(b_0\)	\(q_0\)	\(lo\)
2	\(a_1\)	\(b_1\)	\(q_1\)	\(mid\)
3	\(a_2\)	\(b_2\)	\(q_2\)	\(hi'\)
4	\(a_0\)	\(b_0\)	\(q_0\)	\(hi\)

Gate equations

\(lo = a_0b_0 - p_0 q_0 - r_0\)
\(mid = a_1b_0 + a_0b_1 -q_1p_0 - q_0p_1 -r_1 lo/2^t\)
\(hi' = a_1b_1 - q_1p_1 + mid/2^t\)
\(hi = hi' + a_2b_0 + a_0b_2 -q_2p_0 - q_0p_2\)

Range checks:

Check that \(lo,mid,hi\) start with \(t\) zeroes