chore: unify splitting scalars interface#20805
Merged
notnotraju merged 10 commits intomerge-train/barretenbergfrom Mar 4, 2026
…alar multiplication Tests for the negative-k2 bug in split_into_endomorphism_scalars (Fr and Fq), plus EC-level scalar multiplication tests (g1 and grumpkin) showing the bug produces wrong points. Includes endomorphism_scalars.py for deriving the boundary scalars. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…and changed the tests to be regression tests accordingly.
…ztec-packages into rk/splitting-scalars-edge-case
…d secpk1 (to at least generate parameters)
notnotraju commented Feb 24, 2026
| static constexpr uint64_t endo_g2_hihi = 0xE4437ED6010E8828ULL; | ||
| // 256-bit-shift constants: g1 = floor((-b1) * 2^256 / r), g2 = floor(b2 * 2^256 / r) | ||
| // See endomorphism_scalars.py compute_splitting_constants() for derivation. | ||
| static constexpr uint64_t endo_g1_lo = 0x6F547FA90ABFE4C4ULL; |
need new constants here
notnotraju commented Feb 24, 2026
| * hold k2. This function will be called in either the BN254 base/scalar field | ||
| * or the generic, secp256k1 branch. | ||
| */ | ||
| static field compute_endomorphism_k2(const field& input) |
generic shared method which uses mul_512, computes a sort of raw k2.
notnotraju commented Feb 24, 2026
| * The result is a raw (non-Montgomery) `field` whose low 128-or-129 bits | ||
| * hold k2. This function will be called in either the BN254 base/scalar field | ||
| * or the generic, secp256k1 branch. | ||
| */ |
both branches call this method now.
notnotraju commented Feb 24, 2026
| }; | ||
| } | ||
|
|
||
| static void split_into_endomorphism_scalars_384(const field& input, field& k1_out, field& k2_out) |
absolutely not necessary. fixed constants accordingly.
… can be bigger than 2^128.
Base automatically changed from rk/splitting-scalars-edge-case to merge-train/barretenberg, February 27, 2026 11:57
…k/splitting-scalars-unify
…ases for fq and fr are so close to each other
github-merge-queue bot pushed a commit that referenced this pull request, Mar 6, 2026
BEGIN_COMMIT_OVERRIDE fix: add -g0 to zig presets to eliminate 11GB debug info bloat (#21071) fix: resolve flaky p2p_client test race condition on ARM64 (#21088) chore: remove domain iteration macros and address backing memory race (#20988) fix: [ECCVM] added domain separation for the multiset equality check. (#20352) feat: hybrid CRS hash verification — 8MB chunks, parallel, span-based (#21113) chore: unify splitting scalars interface (#20805) chore: add a unique id to each origin tag (#20924) chore: Native curve audit (#20936) chore: Update bootstrap in test vk haven't changed script (#21153) fix: use reduced form in WASM FromMontgomeryForm test (#21164) chore: erase ephemeral secrets from memory in schnorr and aes (#21106) chore: suppress clangd target triple version diagnostic (#21180) feat: Optimise new claim calculation (#21179) docs: add Quick Start build instructions to barretenberg README (#20951) feat: batched chonk verification (#21083) fix: link libc++ instead of libstdc++ for Rust FFI on Linux (#21203) fix: [ECCVM] in the transcript table, no-ops force the next accumulator to be 0. (#20849) fix: resolve merge-train conflict with next (zig wrapper scripts + -g0) (#21201) fix: [ECCVM] rare edge case completeness issue when `z1 == 0` but `z2 != 0` (#20858) fix: use actual data extent for CommitmentKey in HypernovaDeciderProver (#21206) END_COMMIT_OVERRIDE
In bb, we use the scalar splitting for a few fields: the base and scalar fields of BN254, as well as the scalar field of secp256k1. Formerly, in the latter, we used a "384-bit" shift. This is unnecessary: rounding was not the main difference. (The difference is that in the former fields the GLV lattice basis is unusually short, which implies that the scalar splitting can be taken to both have 128 bits; for secp256k1::fr, neither statement is true, and indeed the scalars can have as much as 129 bits. In this branch, then, we return field elements.) The interfaces have been unified, as much as they can be.
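The decomposition the description refers to, as an added example that is not barretenberg's code: a plain-Python GLV split for secp256k1::fr (the curve the description says can yield 129-bit half-scalars), using the secp256k1 endomorphism constants as documented by libsecp256k1 and Babai rounding, the "rounding" step the description mentions. Python is used because the PR's own derivation script is Python; the sample scalars and the helper names are this example's, not the PR's.

```python
# Added example, not barretenberg's implementation. Constants are the standard
# secp256k1 endomorphism parameters (group order, cube root of unity lambda, and
# the reduced lattice basis v1 = (A1, B1), v2 = (A2, B2) of {(x, y): x + y*lambda = 0 mod N}).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
LAMBDA = 0x5363AD4CC05C30E0A5261C028812645A122E22EA20816678DF02967C1B23BD72
A1 = 0x3086D221A7D46BCDE86C90E49284EB15
B1 = -0xE4437ED6010E88286F547FA90ABFE4C3
A2 = 0x114CA50F7A8E2F3F657C1108D9D44CFD8
B2 = A1


def round_div(num: int, den: int) -> int:
    """Nearest-integer division (den > 0); this is the rounding the PR text contrasts with a shift."""
    return (2 * num + den) // (2 * den)


def glv_split(k: int) -> tuple[int, int]:
    """Return (k1, k2), possibly negative, with k == k1 + k2*LAMBDA (mod N)."""
    k %= N
    # Babai round-off: write (k, 0) in the basis v1, v2 and round the coordinates.
    c1 = round_div(B2 * k, N)
    c2 = round_div(-B1 * k, N)
    k1 = k - c1 * A1 - c2 * A2
    k2 = -(c1 * B1 + c2 * B2)
    return k1, k2


def split_width(k: int) -> int:
    """Bits needed for the larger of |k1|, |k2| (sign excluded), after checking the relation."""
    k1, k2 = glv_split(k)
    if (k1 + k2 * LAMBDA - k) % N != 0:
        raise ValueError("decomposition does not reproduce k")
    return max(abs(k1).bit_length(), abs(k2).bit_length())


def worst_case_bound_bits() -> tuple[int, int]:
    """Round-off bound from the basis: |k1| <= (|A1|+|A2|)/2, |k2| <= (|B1|+|B2|)/2.
    For secp256k1 both vectors are ~2^128 long, so neither half-scalar is guaranteed
    to be short the way the unusually short BN254 basis guarantees 128-bit halves."""
    k1_bound = (abs(A1) + abs(A2)) // 2 + 1
    k2_bound = (abs(B1) + abs(B2)) // 2 + 1
    return k1_bound.bit_length(), k2_bound.bit_length()


# Constructed sample scalars covering the edges of the scalar range.
SAMPLE_SCALARS = [1, N - 1, N // 2, 2**255 + 12345, LAMBDA, (N - 1) // 3]
```

With the sign bit included, a half-scalar from this split needs up to 129 bits, which is the width the description says secp256k1::fr requires.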