chore(bb): avoid compile-time hash-to-curve

.test_patterns.yml

@@ -181,6 +181,10 @@ tests:
     error_regex: "Exceeded timeout of 120000"
     owners:
       - *sean
+  - regex: "p2p/src/services/reqresp/reqresp.test.ts"
+    error_regex: "CodeError: writable end state is .writing. not .ready."
+    owners:
+      - *sean
   - regex: "p2p/src/services/reqresp/reqresp.test.ts"
     error_regex: "✕ should stop after max retry attempts"
     owners:

barretenberg/cpp/CMakePresets.json

@@ -767,7 +767,7 @@
       "configurePreset": "wasm-threads",
       "inheritConfigureEnvironment": true,
       "jobs": 0,
-      "targets": ["barretenberg.wasm", "barretenberg.wasm.gz", "bb_cli_bench"]
+      "targets": ["barretenberg.wasm", "barretenberg.wasm.gz"]
     },
     {
       "name": "xray",

barretenberg/cpp/bootstrap.sh

@@ -107,7 +107,12 @@ function build_wasm {
 function build_wasm_threads {
   set -eu
   if ! cache_download barretenberg-wasm-threads-$hash.zst; then
-    build_preset wasm-threads
+    if [ "$(arch)" == "amd64" ] && [ "$CI" -eq 1 ]; then
+      # We only want to sanity check that we haven't broken wasm ecc ops in merge queue.
+      build_preset wasm-threads --target barretenberg.wasm barretenberg.wasm.gz ecc_tests
+    else
+      build_preset wasm-threads
+    fi
     cache_upload barretenberg-wasm-threads-$hash.zst build-wasm-threads/bin
   fi
 }
@@ -199,7 +204,9 @@ function test_cmds {
         echo -e "$prefix barretenberg/cpp/scripts/run_test.sh $bin_name $test"
       done || (echo "Failed to list tests in $bin" && exit 1)
   done
-  if [ "$(arch)" == "amd64" ] && [ "$CI" -eq 1 ]; then
+  if [ "$(arch)" == "amd64" ] && [ "$CI_FULL" -eq 1 ]; then
+    # We only want to sanity check that we haven't broken wasm ecc in merge queue.
+    echo "$hash barretenberg/cpp/scripts/wasmtime.sh barretenberg/cpp/build-wasm-threads/bin/ecc_tests"
     # If in amd64 CI, iterate asan_tests, creating a gtest invocation for each.
     for bin_name in "${!asan_tests[@]}"; do
       local filter=${asan_tests[$bin_name]}
@@ -296,8 +303,8 @@ case "$cmd" in
     fi
 
     # Recreation of logic from bench.
-    ../../yarn-project/end-to-end/bootstrap.sh generate_example_app_ivc_inputs
-    ../../barretenberg/cpp/scripts/ci_benchmark_ivc_flows.sh $(pwd)/../../yarn-project/end-to-end/example-app-ivc-inputs-out $(pwd)/bench-out
+    ../../yarn-project/end-to-end/bootstrap.sh build_bench
+    ../../yarn-project/end-to-end/bootstrap.sh bench_cmds | grep barretenberg/cpp/scripts/ci_benchmark_ivc_flows.sh | STRICT_SCHEDULING=1 parallelise
     ;;
   "hash")
     echo $hash

barretenberg/cpp/cmake/module.cmake

@@ -98,7 +98,6 @@ function(barretenberg_module MODULE_NAME)
             PRIVATE
             ${TRACY_LIBS}
             GTest::gtest
-            GTest::gtest_main
             GTest::gmock_main
             ${TBB_IMPORTED_TARGETS}
         )

barretenberg/cpp/scripts/ci_benchmark_ivc_flows.sh

@@ -79,7 +79,7 @@ function client_ivc_flow {
   mkdir -p "$output"
   export MEMUSAGE_OUT="$output/peak-memory-mb.txt"
 
-  run_bb_cli_bench "$runtime" "$output" "prove -o $output --ivc_inputs_path $flow_folder/ivc-inputs.msgpack --scheme client_ivc"
+  run_bb_cli_bench "$runtime" "$output" "prove -o $output --ivc_inputs_path $flow_folder/ivc-inputs.msgpack --scheme client_ivc -v"
 
   local end=$(date +%s%N)
   local elapsed_ns=$(( end - start ))

barretenberg/cpp/scripts/wasmtime.sh

@@ -2,12 +2,11 @@
 # Helper for passing environment variables to wasm and common config.
 # Allows accessing ~/.bb-crs and ./ (more can be added as parameters to this script).
 set -eu
-
+export WASMTIME_BACKTRACE_DETAILS=1
 exec wasmtime run \
   -Wthreads=y \
   -Sthreads=y \
-  --env HARDWARE_CONCURRENCY \
-  --env WASM_BACKTRACE_DETAILS=1 \
+  ${HARDWARE_CONCURRENCY:+--env HARDWARE_CONCURRENCY} \
   --env HOME \
   ${MAIN_ARGS:+--env MAIN_ARGS} \
   --dir=$HOME/.bb-crs \

barretenberg/cpp/src/barretenberg/benchmark/client_ivc_bench/client_ivc.bench.cpp

@@ -43,7 +43,6 @@ BENCHMARK_DEFINE_F(ClientIVCBench, Full)(benchmark::State& state)
         ivc.prove();
     }
 }
-
 /**
  * @brief Benchmark the prover work for the full PG-Goblin IVC protocol
  * @details Processes "dense" circuits of size 2^17 in a size 2^20 structured trace

barretenberg/cpp/src/barretenberg/benchmark/goblin_bench/eccvm.bench.cpp

@@ -19,7 +19,7 @@ Builder generate_trace(size_t target_num_gates)
     using G1 = typename Flavor::CycleGroup;
     using Fr = typename G1::Fr;
 
-    auto generators = G1::derive_generators("test generators", 2);
+    auto generators = get_precomputed_generators<G1, "test generators", 2>();
 
     typename G1::element a = generators[0];
     typename G1::element b = generators[1];

barretenberg/cpp/src/barretenberg/circuit_checker/translator_circuit_checker.cpp

@@ -356,7 +356,7 @@ bool TranslatorCircuitChecker::check(const Builder& circuit)
             //
             // We also limit computation on limbs of op, z_1 and z_2, since we know that op has only the lowest
             // limb and z_1 and z_2 have only the two lowest limbs
-            const std::array<Fr, 5> NEGATIVE_MODULUS_LIMBS = Builder::NEGATIVE_MODULUS_LIMBS;
+            constexpr std::array<Fr, 5> NEGATIVE_MODULUS_LIMBS = Builder::NEGATIVE_MODULUS_LIMBS;
             const uint256_t SHIFT_1 = Builder::SHIFT_1;
             const uint256_t SHIFT_2 = Builder::SHIFT_2;
             const uint256_t SHIFT_3 = Builder::SHIFT_3;
@@ -470,4 +470,4 @@ bool TranslatorCircuitChecker::check(const Builder& circuit)
     }
     return true;
 };
-}; // namespace bb
+}; // namespace bb

barretenberg/cpp/src/barretenberg/circuit_checker/ultra_circuit_builder.test.cpp

@@ -61,7 +61,7 @@ TEST(UltraCircuitBuilder, CreateGatesFromPlookupAccumulators)
     {
         const auto mask = plookup::fixed_base::table::MAX_TABLE_SIZE - 1;
 
-        grumpkin::g1::affine_element base_point = plookup::fixed_base::table::LHS_GENERATOR_POINT;
+        grumpkin::g1::affine_element base_point = plookup::fixed_base::table::lhs_generator_point();
         std::vector<uint8_t> input_buf;
         write(input_buf, base_point);
         const auto offset_generators =

barretenberg/cpp/src/barretenberg/crypto/generators/generator_data.hpp

@@ -9,6 +9,8 @@
 #include "barretenberg/common/container.hpp"
 #include "barretenberg/ecc/curves/bn254/bn254.hpp"
 #include "barretenberg/ecc/curves/grumpkin/grumpkin.hpp"
+#include "barretenberg/ecc/groups/group.hpp"
+#include "barretenberg/ecc/groups/precomputed_generators_grumpkin_impl.hpp"
 #include <array>
 #include <map>
 #include <optional>
@@ -53,20 +55,12 @@ template <typename Curve> class generator_data {
     static inline constexpr std::string_view DEFAULT_DOMAIN_SEPARATOR = "DEFAULT_DOMAIN_SEPARATOR";
     inline constexpr generator_data() = default;
 
-    static inline constexpr std::array<AffineElement, DEFAULT_NUM_GENERATORS> make_precomputed_generators()
-    {
-        std::array<AffineElement, DEFAULT_NUM_GENERATORS> output;
-        std::vector<AffineElement> res = Group::derive_generators(DEFAULT_DOMAIN_SEPARATOR, DEFAULT_NUM_GENERATORS, 0);
-        std::copy(res.begin(), res.end(), output.begin());
-        return output;
-    }
-
     /**
-     * @brief Precompute a small number of generators at compile time. For small pedersen commitments + pedersen hashes,
-     * this prevents us from having to derive generators at runtime
+     * @brief We precompute and hard-code a small number of generators. For small pedersen commitments + pedersen
+     * hashes, this prevents us from having to derive generators at runtime
      */
-    static inline constexpr std::array<AffineElement, DEFAULT_NUM_GENERATORS> precomputed_generators =
-        make_precomputed_generators();
+    static constexpr std::span<const AffineElement> precomputed_generators =
+        get_precomputed_generators<Group, "DEFAULT_DOMAIN_SEPARATOR", DEFAULT_NUM_GENERATORS, 0>();
 
     [[nodiscard]] inline GeneratorView get(const size_t num_generators,
                                            const size_t generator_offset = 0,
@@ -149,4 +143,4 @@ template <typename Curve> struct GeneratorContext {
         , domain_separator(_domain_separator)
     {}
 };
-} // namespace bb::crypto
+} // namespace bb::crypto

barretenberg/cpp/src/barretenberg/crypto/generators/generator_data.test.cpp

@@ -8,7 +8,7 @@ namespace bb::crypto {
 
 TEST(GeneratorContext, DeriveDefaultGenerators)
 {
-    auto default_generators = generator_data<curve::Grumpkin>::make_precomputed_generators();
+    auto default_generators = generator_data<curve::Grumpkin>::precomputed_generators;
     std::vector<grumpkin::g1::affine_element> expected_default_generators;
 
     expected_default_generators.emplace_back(grumpkin::g1::affine_element(
@@ -42,4 +42,4 @@ TEST(GeneratorContext, DeriveDefaultGenerators)
     }
 }
 
-} // namespace bb::crypto
+} // namespace bb::crypto

barretenberg/cpp/src/barretenberg/crypto/pedersen_hash/pedersen.hpp

@@ -8,18 +8,19 @@
 
 #include "../generators/generator_data.hpp"
 #include "barretenberg/ecc/curves/grumpkin/grumpkin.hpp"
+#include "barretenberg/ecc/groups/precomputed_generators_grumpkin_impl.hpp"
 namespace bb::crypto {
 /**
  * @brief Performs pedersen hashes!
  *
- * To hash to a size-n list of field elements `x`, we return the X-coordinate of:
+ * To hash a size-n list of field elements `v`, we return the X-coordinate of:
  *
- *      Hash(x) = n.[h] + Commit(x)
+ *      Hash(v) = n * [h] + Commit(v, g)
  *
  * Where `g` is a list of generator points defined by `generator_data`
  * And `h` is a unique generator whose domain separator is the string `pedersen_hash_length`.
  *
- * The addition of `n.[h]` into the hash is to prevent length-extension attacks.
+ * The addition of `n * [h]` into the hash is to prevent length-extension attacks.
  * It also ensures that the hash output is never the point at infinity.
  *
  * It is neccessary that all generator points are linearly independent of one another,
@@ -34,7 +35,8 @@ template <typename Curve> class pedersen_hash_base {
     using Fr = typename Curve::ScalarField;
     using Group = typename Curve::Group;
     using GeneratorContext = typename crypto::GeneratorContext<Curve>;
-    inline static constexpr AffineElement length_generator = Group::derive_generators("pedersen_hash_length", 1)[0];
+    inline static constexpr AffineElement length_generator =
+        get_precomputed_generators<Group, "pedersen_hash_length", 1>()[0];
     static Fq hash(const std::vector<Fq>& inputs, GeneratorContext context = {});
     static Fq hash_buffer(const std::vector<uint8_t>& input, GeneratorContext context = {});
 

barretenberg/cpp/src/barretenberg/crypto/schnorr/multisig.hpp

@@ -39,8 +39,8 @@ template <typename G1, typename HashRegNon, typename HashSig = Blake2sHasher> cl
     static_assert(!std::is_same_v<HashRegNon, HashSig>);
 
   public:
-    using Fq = typename G1::coordinate_field;
-    using Fr = typename G1::subgroup_field;
+    using Fq = typename G1::Fq;
+    using Fr = typename G1::Fr;
     using affine_element = typename G1::affine_element;
     using element = typename G1::element;
     using key_pair = crypto::schnorr_key_pair<Fr, G1>;

barretenberg/cpp/src/barretenberg/crypto/schnorr/proof_of_possession.hpp

@@ -22,8 +22,8 @@ namespace bb::crypto {
  * @tparam Hash function used to derive the Fiat-Shamir challenge
  */
 template <typename G1, typename Hash> struct SchnorrProofOfPossession {
-    using Fq = typename G1::coordinate_field;
-    using Fr = typename G1::subgroup_field;
+    using Fq = typename G1::Fq;
+    using Fr = typename G1::Fr;
     using affine_element = typename G1::affine_element;
     using element = typename G1::element;
     using key_pair = crypto::schnorr_key_pair<Fr, G1>;

barretenberg/cpp/src/barretenberg/crypto/schnorr/schnorr.tcc

@@ -40,7 +40,7 @@ static auto schnorr_generate_challenge(const std::string& message,
                                        const typename G1::affine_element& pubkey,
                                        const typename G1::affine_element& R)
 {
-    using Fq = typename G1::coordinate_field;
+    using Fq = typename G1::Fq;
     // create challenge message pedersen_commitment(R.x, pubkey)
     Fq compressed_keys = crypto::pedersen_hash::hash({ R.x, pubkey.x, pubkey.y });
     std::vector<uint8_t> e_buffer;

barretenberg/cpp/src/barretenberg/ecc/curves/bn254/fq.test.cpp

@@ -118,10 +118,10 @@ TEST(fq, MulShortIntegers)
     constexpr fq b{ 0xb, 0, 0, 0 };
     constexpr uint256_t a_original(a);
     constexpr uint256_t b_original(b);
-    constexpr uint256_t prod_expected = (uint512_t(a_original) * uint512_t(b_original) % uint512_t(fq::modulus)).lo;
-    constexpr fq const_expected = prod_expected;
+    uint256_t prod_expected = (uint512_t(a_original) * uint512_t(b_original) % uint512_t(fq::modulus)).lo;
+    fq const_expected = prod_expected;
     constexpr fq const_result = a * b;
-    static_assert(const_result == const_expected);
+    ASSERT(const_result == const_expected);
 
     fq c;
     fq d;
@@ -541,4 +541,4 @@ TEST(fq, EquivalentRandomness)
     uint512_t q(fq::modulus);
     constexpr auto pow_2_256 = fq(uint256_t(1) << 128).sqr();
     EXPECT_EQ(random_lo + pow_2_256 * random_hi, fq((random_uint512 % q).lo));
-}
+}

barretenberg/cpp/src/barretenberg/ecc/curves/bn254/g1.test.cpp

@@ -1,4 +1,6 @@
 #include "g1.hpp"
+#include "barretenberg/circuit_checker/circuit_checker.hpp"
+#include "barretenberg/ecc/groups/precomputed_generators_bn254_impl.hpp"
 #include <gtest/gtest.h>
 
 using namespace bb;
@@ -418,3 +420,11 @@ TEST(g1, InitializationCheck)
     EXPECT_NO_THROW(write<g1::affine_element>({}));
 }
 #endif
+
+TEST(g1, CheckPrecomputedGenerators)
+{
+    ASSERT_TRUE((bb::check_precomputed_generators<g1, "biggroup table offset generator", 1UL>()));
+    ASSERT_TRUE((bb::check_precomputed_generators<g1, "biggroup offset generator", 1UL>()));
+    ASSERT_TRUE((bb::check_precomputed_generators<g1, "ECCVM_OFFSET_GENERATOR", 1UL>()));
+    ASSERT_TRUE((bb::check_precomputed_generators<g1, "test generators", 2UL>()));
+}

barretenberg/cpp/src/barretenberg/ecc/curves/grumpkin/grumpkin.hpp

@@ -78,4 +78,4 @@ class Grumpkin {
     // length 3 is sufficient.
     static constexpr uint32_t LIBRA_UNIVARIATES_LENGTH = 3;
 };
-} // namespace bb::curve
+} // namespace bb::curve

barretenberg/cpp/src/barretenberg/ecc/curves/grumpkin/grumpkin.test.cpp

@@ -1,4 +1,5 @@
 #include "grumpkin.hpp"
+#include "barretenberg/ecc/groups/precomputed_generators_grumpkin_impl.hpp"
 #include <chrono>
 #include <gtest/gtest.h>
 
@@ -329,3 +330,9 @@ TEST(grumpkin, BadPoints)
     }
     EXPECT_TRUE(res);
 }
+
+TEST(grumpkin, CheckPrecomputedGenerators)
+{
+    ASSERT_TRUE((bb::check_precomputed_generators<grumpkin::g1, "pedersen_hash_length", 1UL>()));
+    ASSERT_TRUE((bb::check_precomputed_generators<grumpkin::g1, "DEFAULT_DOMAIN_SEPARATOR", 8UL>()));
+}

barretenberg/cpp/src/barretenberg/ecc/curves/secp256k1/secp256k1.test.cpp

@@ -73,7 +73,7 @@ TEST(secp256k1, TestToMontgomeryForm)
 #if defined(__SIZEOF_INT128__) && !defined(__wasm__)
         constexpr uint512_t R = uint512_t(0, 1);
 #else
-        constexpr uint512_t R = (uint512_t(1) << (29 * 9)) % uint512_t(test_fq_mod);
+        const uint512_t R = (uint512_t(1) << (29 * 9)) % uint512_t(test_fq_mod);
 #endif
         uint512_t aR = uint512_t(a_raw) * R;
         uint256_t expected = (aR % uint512_t(test_fq_mod)).lo;

barretenberg/cpp/src/barretenberg/ecc/curves/secp256r1/secp256r1.test.cpp

@@ -1,4 +1,5 @@
 #include "secp256r1.hpp"
+#include "barretenberg/ecc/groups/precomputed_generators_secp256r1_impl.hpp"
 #include "barretenberg/numeric/random/engine.hpp"
 #include <gtest/gtest.h>
 
@@ -73,7 +74,7 @@ TEST(secp256r1, TestToMontgomeryForm)
 #if defined(__SIZEOF_INT128__) && !defined(__wasm__)
         constexpr uint512_t R = uint512_t(0, 1);
 #else
-        constexpr uint512_t R = (uint512_t(1) << (29 * 9)) % uint512_t(test_fq_mod);
+        const uint512_t R = (uint512_t(1) << (29 * 9)) % uint512_t(test_fq_mod);
 #endif
         uint512_t aR = uint512_t(a_raw) * R;
         uint256_t expected = (aR % uint512_t(test_fq_mod)).lo;
@@ -450,4 +451,22 @@ TEST(secp256r1, MontgomeryMulBigBug)
     secp256r1::fr expected(uint256_t{ 0x57abc6aa0349c084, 0x65b21b232a4cb7a5, 0x5ba781948b0fcd6e, 0xd6e9e0644bda12f7 });
     EXPECT_EQ((a_sqr == expected), true);
 }
-#endif
+#endif
+
+TEST(secp256r1, CheckPrecomputedGenerators)
+{
+    ASSERT_TRUE((bb::check_precomputed_generators<secp256r1::g1, "biggroup offset generator", 1UL>()));
+    ASSERT_TRUE((bb::check_precomputed_generators<secp256r1::g1, "biggroup table offset generator", 1UL>()));
+}
+
+// Hacky: wasm does not properly find main() from gmock_main.
+// We only want to run wasm tests specifically for ecc ops as our field handling is different.
+// We need to make sure the hardcoded generators make sense.
+// As this is our narrow focus, we hack this so ecc_tests can run.
+#ifdef __wasm__
+GTEST_API_ int main(int argc, char** argv)
+{
+    testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
+#endif

barretenberg/cpp/src/barretenberg/ecc/groups/affine_element.hpp

@@ -17,10 +17,11 @@
 namespace bb::group_elements {
 template <typename T>
 concept SupportsHashToCurve = T::can_hash_to_curve;
-template <typename Fq_, typename Fr_, typename Params> class alignas(64) affine_element {
+template <typename Fq_, typename Fr_, typename Params_> class alignas(64) affine_element {
   public:
     using Fq = Fq_;
     using Fr = Fr_;
+    using Params = Params_;
 
     using in_buf = const uint8_t*;
     using vec_in_buf = const uint8_t*;

barretenberg/cpp/src/barretenberg/ecc/groups/affine_element_impl.hpp

@@ -237,7 +237,6 @@ template <class Fq, class Fr, class T>
 constexpr affine_element<Fq, Fr, T> affine_element<Fq, Fr, T>::hash_to_curve(const std::vector<uint8_t>& seed,
                                                                              uint8_t attempt_count) noexcept
     requires SupportsHashToCurve<T>
-
 {
     std::vector<uint8_t> target_seed(seed);
     // expand by 2 bytes to cover incremental hash attempts

barretenberg/cpp/src/barretenberg/ecc/groups/element.hpp

@@ -40,7 +40,7 @@ template <class Fq, class Fr, class Params> class alignas(32) element {
     constexpr element(const element& other) noexcept;
     constexpr element(element&& other) noexcept;
     constexpr element(const affine_element<Fq, Fr, Params>& other) noexcept;
-    constexpr ~element() noexcept = default;
+    ~element() noexcept = default;
 
     static constexpr element one() noexcept { return { Params::one_x, Params::one_y, Fq::one() }; };
     static constexpr element zero() noexcept