provekit-skyscraper 0.1.0

Skyscraper hash function implementation over BN254
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129

//! Bn254 scalar field modular reduction routines.
//!
//! TODO: These should live in some field arithmetic crate.

use {
    crate::{
        arithmetic::{less_than, overflowing_sub, sub},
        constants::{MODULUS, MODULUS_N_MINUS_RC},
    },
    core::hint::cold_path,
};

/// Fully reduce any input to [0, M)
#[inline(always)]
pub fn reduce(x: [u64; 4]) -> [u64; 4] {
    reduce_1(reduce_partial(x))
}

/// Reduces an input by at most M.
/// Accepts inputs in the range [0, 2^256)
/// Optimized for likely x < M, e.g. a partially reduced input.
#[inline(always)]
pub fn reduce_1(x: [u64; 4]) -> [u64; 4] {
    let (r, borrow) = overflowing_sub(x, MODULUS[1]);
    if borrow {
        x
    } else {
        cold_path();
        r
    }
}

/// Reduce any input to [0, M + ϵ)
#[inline(always)]
pub fn reduce_partial(x: [u64; 4]) -> [u64; 4] {
    // The compiler should turn this division by constant into an umulh.
    let multiple = (x[3] / (MODULUS[1][3] + 1)) as usize;
    let r = sub(x, MODULUS[multiple]);
    debug_assert!(r[3] < MODULUS[1][3] + 3);
    r
}

/// Combined partial reduction and add round constant
/// Input can be any value.
/// Output is in range [0, 2M + ϵ)  (TODO: Analyse more carefully)
/// TODO: Maybe with a round dependend lookup factor it can be [0, M + ϵ)
#[inline(always)]
pub fn reduce_partial_add_rc(x: [u64; 4], rc: usize) -> [u64; 4] {
    // The compiler should turn this division by constant into an umulh.
    let multiple = (x[3] / (MODULUS[1][3] + 1)) as usize;
    let (r, borrow) = overflowing_sub(x, MODULUS_N_MINUS_RC[multiple][rc]);
    debug_assert!(!borrow || multiple == 0);
    debug_assert!(less_than(r, MODULUS[2]));
    r
}

/// Vectorized version of [`reduce_partial_add_rc`]
#[inline(always)]
pub fn reduce_partial_add_rcv<const N: usize>(x: [[u64; 4]; N], rc: usize) -> [[u64; 4]; N] {
    x.map(|x| reduce_partial_add_rc(x, rc))
}

#[cfg(test)]
mod tests {
    #![allow(clippy::needless_range_loop)]

    use {
        super::*,
        crate::{arithmetic::add, constants::ROUND_CONSTANTS},
        ark_bn254::Fr,
        ark_ff::{BigInt, PrimeField},
        proptest::proptest,
    };

    #[test]
    fn test_reduce() {
        proptest!(|(x: [u64; 4])| {
            let e = Fr::new(BigInt(x)).into_bigint().0;
            let r = reduce(x);
            assert_eq!(r, e);
        })
    }

    #[test]
    fn test_reduce_partial() {
        proptest!(|(x: [u64; 4])| {
            let e = reduce(x);
            let r = reduce_partial(x);
            assert_eq!(reduce(r), e);
            assert!(r[3] < MODULUS[1][3] + 3);
        })
    }

    #[test]
    fn test_reduce_partial_max() {
        for i in 0..6 {
            let mut x = [u64::MAX; 4];
            x[3] = MODULUS[i][3] + 1;
            let e = reduce(x);
            let r = reduce_partial(x);
            assert_eq!(reduce(r), e);
            assert!(r[3] < MODULUS[1][3] + 3);
        }
    }

    #[test]
    fn test_reduce_partial_add_rc() {
        proptest!(|(x: [u64; 4], rc in 0_usize..18)| {
            let e = reduce(add(reduce(x), ROUND_CONSTANTS[rc]));
            let r = reduce_partial_add_rc(x, rc);
            assert_eq!(reduce(r), e);
            assert!(less_than(r, MODULUS[2]))
        })
    }

    #[test]
    fn test_reduce_partial_add_rc_max() {
        for i in 0..6 {
            for rc in 0..18 {
                let mut x = [u64::MAX; 4];
                x[3] = MODULUS[i][3] + 1;
                let e = reduce(add(reduce(x), ROUND_CONSTANTS[rc]));
                let r = reduce_partial_add_rc(x, rc);
                assert_eq!(reduce(r), e);
                assert!(r[3] < MODULUS[2][3]);
            }
        }
    }
}