core_utils/circuit/

ops.rs

use std::iter::repeat_n;

use ff::Field;
use num_traits::{One, Zero};
use primitives::algebra::{
    field::{FieldExtension, SubfieldElement},
    BoxedUint,
};
use serde::{Deserialize, Serialize};
use typenum::Unsigned;

use crate::{
    errors::{AbortError, FaultyPeer},
    types::Label,
};

#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
pub enum FieldUnaryOp {
    Neg,
    // Computes the multiplicative inverse. Note: for 0 we return 0.
    MulInverse,
    // Extracts a specified bit from a field element
    BitExtract {
        little_endian_bit_idx: u16,
        signed: bool,
    },
    Sqrt,
    Pow {
        exp: BoxedUint,
    },
}

impl FieldUnaryOp {
    // TODO: see if returning CtOption could make more sense
    pub fn eval<F: FieldExtension>(
        &self,
        label: Label,
        x: SubfieldElement<F>,
    ) -> Result<SubfieldElement<F>, AbortError> {
        match self {
            FieldUnaryOp::Neg => Ok(-x),
            FieldUnaryOp::MulInverse => {
                if x == SubfieldElement::<F>::zero() {
                    Ok(SubfieldElement::<F>::zero())
                } else {
                    Ok(x.invert().unwrap())
                }
            }
            FieldUnaryOp::BitExtract {
                little_endian_bit_idx: idx,
                signed,
            } => {
                let bit = if *signed && x > -x {
                    !(-SubfieldElement::<F>::one() - x)
                        .to_biguint()
                        .bit(*idx as u64)
                } else {
                    x.to_biguint().bit(*idx as u64)
                };
                Ok(SubfieldElement::<F>::from(bit))
            }
            FieldUnaryOp::Sqrt => {
                let (choice, sqrt) =
                    SubfieldElement::<F>::sqrt_ratio(&x, &SubfieldElement::<F>::one());
                if !bool::from(choice) {
                    return Err(AbortError::quadratic_non_residue(label, FaultyPeer::Local));
                }
                Ok(sqrt)
            }
            FieldUnaryOp::Pow { exp } => Ok(x.pow(exp)),
        }
    }
}

#[derive(Debug, Clone, Copy, PartialEq, Serialize, Deserialize)]
pub enum FieldBinaryOp {
    Add,
    Mul,
    EuclDiv,
    Mod,
    Gt,
    Ge,
    Eq,
    Xor,
    Or,
}

impl FieldBinaryOp {
    pub fn eval<F: FieldExtension>(
        &self,
        x: SubfieldElement<F>,
        y: SubfieldElement<F>,
        label: Label,
    ) -> Result<SubfieldElement<F>, AbortError> {
        match self {
            FieldBinaryOp::Add => Ok(x + y),
            FieldBinaryOp::Mul => Ok(x * y),
            FieldBinaryOp::EuclDiv => euclidean_division::<F>(x, y, label),
            FieldBinaryOp::Mod => modulo::<F>(x, y, label),
            FieldBinaryOp::Gt => Ok(SubfieldElement::<F>::from(x > y)),
            FieldBinaryOp::Ge => Ok(SubfieldElement::<F>::from(x >= y)),
            FieldBinaryOp::Eq => Ok(SubfieldElement::<F>::from(x == y)),
            FieldBinaryOp::Xor => Ok(x + y - SubfieldElement::<F>::from(2u32) * x * y),
            FieldBinaryOp::Or => Ok(x + y - x * y),
        }
    }
}

fn euclidean_division<F: FieldExtension>(
    x: SubfieldElement<F>,
    y: SubfieldElement<F>,
    label: Label,
) -> Result<SubfieldElement<F>, AbortError> {
    if y == SubfieldElement::<F>::zero() {
        return Err(AbortError::division_by_zero(label, FaultyPeer::Local));
    }

    // Convert to BigUint
    let x = x.to_biguint();
    let y = y.to_biguint();

    let div = (x / y).to_bytes_be();
    // Pad with zeroes as big-endian
    let div = repeat_n(0, F::FieldBytesSize::USIZE - div.len())
        .chain(div)
        .collect::<Vec<_>>();

    Ok(SubfieldElement::<F>::from_be_bytes(&div).unwrap())
}

fn modulo<F: FieldExtension>(
    x: SubfieldElement<F>,
    y: SubfieldElement<F>,
    label: Label,
) -> Result<SubfieldElement<F>, AbortError> {
    if y == SubfieldElement::<F>::zero() {
        return Err(AbortError::division_by_zero(label, FaultyPeer::Local));
    }

    // Convert to BigUint
    let x = x.to_biguint();
    let y = y.to_biguint();

    let modulo = x.modpow(&num_bigint::BigUint::from(1u32), &y).to_bytes_be();
    // Pad with zeroes as big-endian
    let modulo = repeat_n(0, F::FieldBytesSize::USIZE - modulo.len())
        .chain(modulo)
        .collect::<Vec<_>>();

    Ok(SubfieldElement::<F>::from_be_bytes(&modulo).unwrap())
}

#[cfg(test)]
mod tests {
    use primitives::algebra::{
        elliptic_curve::{BaseField, Curve25519Ristretto as C, Scalar, ScalarField},
        field::SubfieldElement,
    };

    use super::*;

    #[test]
    fn test_scalar_unary_op() {
        let mut rng = primitives::random::test_rng();
        let x = SubfieldElement::<ScalarField<C>>::random(&mut rng);
        let label = Label::task(0);
        let neg = FieldUnaryOp::Neg;
        let mul_inverse = FieldUnaryOp::MulInverse;

        assert_eq!(neg.eval::<ScalarField<C>>(label, x), Ok(-x));
        assert_eq!(
            mul_inverse.eval::<ScalarField<C>>(label, x),
            Ok(x.invert().unwrap())
        );
    }

    #[test]
    fn test_scalar_binary_op() {
        let mut rng = primitives::random::test_rng();
        let x = SubfieldElement::<ScalarField<C>>::random(&mut rng);
        let y = SubfieldElement::<ScalarField<C>>::random(&mut rng);
        let label = Label::task(0);

        let add = FieldBinaryOp::Add;
        let mul = FieldBinaryOp::Mul;
        let eucl_div = FieldBinaryOp::EuclDiv;
        let modulo_op = FieldBinaryOp::Mod;
        let gt = FieldBinaryOp::Gt;
        let ge = FieldBinaryOp::Ge;
        let eq = FieldBinaryOp::Eq;

        assert_eq!(add.eval::<ScalarField<C>>(x, y, label), Ok(x + y));
        assert_eq!(mul.eval::<ScalarField<C>>(x, y, label), Ok(x * y));
        assert_eq!(
            eucl_div.eval::<ScalarField<C>>(x, y, label),
            euclidean_division::<ScalarField<C>>(x, y, label)
        );
        assert_eq!(
            modulo_op.eval::<ScalarField<C>>(x, y, label),
            modulo::<ScalarField<C>>(x, y, label)
        );
        assert_eq!(
            gt.eval::<ScalarField<C>>(x, y, label),
            Ok(SubfieldElement::<ScalarField<C>>::from(x > y))
        );
        assert_eq!(
            ge.eval::<ScalarField<C>>(x, y, label),
            Ok(SubfieldElement::<ScalarField<C>>::from(x >= y))
        );
        assert_eq!(
            eq.eval::<ScalarField<C>>(x, y, label),
            Ok(SubfieldElement::<ScalarField<C>>::from(x == y))
        );
    }

    #[test]
    fn test_boolean_binary_op() {
        let and = FieldBinaryOp::Mul;
        let or = FieldBinaryOp::Or;
        let xor = FieldBinaryOp::Xor;
        let label = Label::task(0);
        for bool_x in [false, true] {
            for bool_y in [false, true] {
                let scalar_x = SubfieldElement::<ScalarField<C>>::from(bool_x);
                let scalar_y = SubfieldElement::<ScalarField<C>>::from(bool_y);
                assert_eq!(
                    and.eval::<ScalarField<C>>(scalar_x, scalar_y, label),
                    Ok((bool_x && bool_y).into())
                );
                assert_eq!(
                    or.eval::<ScalarField<C>>(scalar_x, scalar_y, label),
                    Ok((bool_x || bool_y).into())
                );
                assert_eq!(
                    xor.eval::<ScalarField<C>>(scalar_x, scalar_y, label),
                    Ok((bool_x ^ bool_y).into())
                );
            }
        }
    }

    #[test]
    fn test_euclidian_division() {
        let x = SubfieldElement::<ScalarField<C>>::from(37u32);
        let y = SubfieldElement::<ScalarField<C>>::from(12u32);
        let label = Label::task(0);

        let result = euclidean_division::<ScalarField<C>>(x, y, label).unwrap();
        assert_eq!(result, SubfieldElement::<ScalarField<C>>::from(37u32 / 12));
    }

    #[test]
    fn test_modulo() {
        let x = SubfieldElement::<ScalarField<C>>::from(37u32);
        let y = SubfieldElement::<ScalarField<C>>::from(12u32);
        let label = Label::task(0);

        let result = modulo::<ScalarField<C>>(x, y, label).unwrap();
        assert_eq!(result, SubfieldElement::<ScalarField<C>>::from(37u32 % 12));
    }

    #[test]
    fn test_signed_bit_extract() {
        let x = -Scalar::<C>::from(9u32);
        let label = Label::task(0);
        for i in 0..5 {
            let op = FieldUnaryOp::BitExtract {
                little_endian_bit_idx: i,
                signed: true,
            };
            let result = op.eval::<ScalarField<C>>(label, x);
            assert_eq!(result.unwrap(), ((-9i32 >> i) & 1 == 1).into())
        }
    }

    #[test]
    fn test_sqrt() {
        let mut rng = primitives::random::test_rng();
        let x = SubfieldElement::<ScalarField<C>>::random(&mut rng);
        let label = Label::task(0);
        let result = FieldUnaryOp::Sqrt
            .eval::<ScalarField<C>>(label, x * x)
            .unwrap();

        assert_eq!(result * result, x * x)
    }

    #[test]
    fn test_pow() {
        let mut rng = primitives::random::test_rng();
        let x = SubfieldElement::<BaseField<C>>::random(&mut rng);
        let label = Label::task(0);
        let five = BoxedUint::from(vec![5u64]);
        let five_inv = BoxedUint::from(vec![
            14757395258967641281,
            14757395258967641292,
            14757395258967641292,
            5534023222112865484,
        ]);
        let x_pow_5 = FieldUnaryOp::Pow { exp: five }
            .eval::<BaseField<C>>(label, x)
            .unwrap();
        let x_again = FieldUnaryOp::Pow { exp: five_inv }
            .eval::<BaseField<C>>(label, x_pow_5)
            .unwrap();

        assert_eq!(x_again, x)
    }
}