Module ark_r1cs_std::fields::nonnative

Expand description

This module contains a generic implementation of “nonnative” prime field variables. It emulates Fp arithmetic using Fq operations, where p != q.

Overview

This module implements a field gadget for a prime field Fp over another prime field Fq where p != q.

When writing constraint systems for many cryptographic proofs, we are restricted to a native field (e.g., the scalar field of the pairing-friendly curve). This can be inconvenient; for example, the recursive composition of proofs via cycles of curves requires the verifier to compute over a non-native field.

The library makes it possible to write computations over a non-native field in the same way one would write computations over the native field. This naturally introduces additional overhead, which we minimize using a variety of optimizations. (Nevertheless, the overhead is still substantial, and native fields should be used where possible.)

Usage

Because NonNativeFieldVar implements the FieldVar trait in arkworks, we can treat it like a native field variable (FpVar).

We can do the standard field operations, such as +, -, and *. See the following example:

use ark_r1cs_std::fields::nonnative::NonNativeFieldVar;
use ark_bls12_377::{Fr, Fq};


let a = NonNativeFieldVar::<Fr, Fq>::new_witness(ns!(cs, "a"), || Ok(a_value))?;
let b = NonNativeFieldVar::<Fr, Fq>::new_witness(ns!(cs, "b"), || Ok(b_value))?;

// add
let a_plus_b = &a + &b;

// sub
let a_minus_b = &a - &b;

// multiply
let a_times_b = &a * &b;

// enforce equality
a.enforce_equal(&b)?;

Advanced optimization

After each multiplication, our library internally performs a reduce operation, which reduces an intermediate type NonNativeFieldMulResultVar to the normalized type NonNativeFieldVar. This enables a user to seamlessly perform a sequence of operations without worrying about the underlying details.

However, this operation is expensive and is sometimes avoidable. We can reduce the number of constraints by using this intermediate type, which only supports additions. To multiply, it must be reduced back to NonNativeFieldVar. See below for a skeleton example.

To compute a * b + c * d, the straightforward (but more expensive) implementation is as follows:

let a_times_b = &a * &b;
let c_times_d = &c * &d;
let res = &a_times_b + &c_times_d;

This performs two reduce operations in total, one for each multiplication.

We can save one reduction by using the NonNativeFieldMulResultVar, as follows:

let a_times_b = a.mul_without_reduce(&b)?;
let c_times_d = c.mul_without_reduce(&d)?;
let res = (&a_times_b + &c_times_d)?.reduce()?;

It performs only one reduce operation and is roughly 2x faster than the first implementation.

Inspiration and basic design

This implementation employs the standard idea of using multiple limbs to represent an element of the target field. For example, an element in the TargetField may be represented by three BaseField elements (i.e., the limbs).

TargetField -> limb 1, limb 2, and limb 3 (each is a BaseField element)

After some computation, the limbs become saturated and need to be reduced, in order to engage in more computation.

We heavily use the optimization techniques in [KPS18] and [OWWB20]. Both works have their own open-source libraries: xJsnark and bellman-bignat. Compared with these, this module works with the arkworks ecosystem. It also provides the option (based on an optimization_goal for the constraint system) to optimize for constraint density instead of number of constraints, which improves efficiency in proof systems like Marlin.

References

[KPS18]: A. E. Kosba, C. Papamanthou, and E. Shi. “xJsnark: a framework for efficient verifiable computation,” in Proceedings of the 39th Symposium on Security and Privacy, ser. S&P ’18, 2018, pp. 944–961.

[OWWB20]: A. Ozdemir, R. S. Wahby, B. Whitehat, and D. Boneh. “Scaling verifiable computation using efficient set accumulators,” in Proceedings of the 29th USENIX Security Symposium, ser. Security ’20, 2020.

Modules

params

Utilities for sampling parameters for non-native field gadgets

Structs

AllocatedNonNativeFieldMulResultVar

The allocated form of NonNativeFieldMulResultVar (introduced below)

AllocatedNonNativeFieldVar

The allocated version of NonNativeFieldVar (introduced below)

NonNativeFieldConfig

Parameters for a specific NonNativeFieldVar instantiation

Enums

NonNativeFieldMulResultVar

An intermediate representation especially for the result of a multiplication, containing more limbs. It is intended for advanced usage to improve the efficiency.

NonNativeFieldVar

A gadget for representing non-native (TargetField) field elements over the constraint field (BaseField).