chore: Native curve audit

barretenberg/cpp/src/barretenberg/ecc/curves/bn254/bn254.hpp

@@ -1,5 +1,5 @@
 // === AUDIT STATUS ===
-// internal:    { status: Planned, auditors: [], commit: }
+// internal:    { status: Completed, auditors: [Federico], commit: }
 // external_1:  { status: not started, auditors: [], commit: }
 // external_2:  { status: not started, auditors: [], commit: }
 // =====================
@@ -25,18 +25,16 @@ class BN254 {
     using TargetField = bb::fq12;
 
     static constexpr const char* name = "BN254";
-    // TODO(#673): This flag is temporary. It is needed in the verifier classes (GeminiVerifier, etc.) while these
-    // classes are instantiated with "native" curve types. Eventually, the verifier classes will be instantiated only
-    // with stdlib types, and "native" verification will be acheived via a simulated builder.
     static constexpr bool is_stdlib_type = false;
 
     // Required by SmallSubgroupIPA argument. This constant needs to divide the size of the multiplicative subgroup of
     // the ScalarField and satisfy SUBGROUP_SIZE > CONST_PROOF_SIZE_LOG_N * Flavor::BATCHED_RELATION_PARTIAL_LENGTH, for
     // each BN254-Flavor, since in every round of Sumcheck, the prover sends Flavor::BATCHED_RELATION_PARTIAL_LENGTH
     // elements to the verifier.
     static constexpr size_t SUBGROUP_SIZE = 256;
-    // BN254's scalar field has a multiplicative subgroup of order 2^28. It is generated by 5. The generator below is
-    // 5^{2^{20}}. To avoid inversion in the recursive verifier, we also store the inverse of the chosen generator.
+    // BN254's scalar field has a multiplicative subgroup of order 2^28. It is generated by 5^{(r-1) / 2^28}. The
+    // generator below is 5^{(r-1) / 2^8} (so it has order 8). To avoid inversion in the recursive verifier, we also
+    // store the inverse of the chosen generator.
     static constexpr ScalarField subgroup_generator =
         ScalarField(uint256_t("0x07b0c561a6148404f086204a9f36ffb0617942546750f230c893619174a57a76"));
     static constexpr ScalarField subgroup_generator_inverse =

barretenberg/cpp/src/barretenberg/ecc/curves/bn254/bn254.test.cpp

@@ -0,0 +1,25 @@
+/**
+ * @brief Tests that verify the correctness of BN-254 field constants
+ *
+ */
+#include "bn254.hpp"
+#include "barretenberg/numeric/uint256/uint256.hpp"
+#include <array>
+#include <gtest/gtest.h>
+
+using namespace bb;
+
+// ================================
+// BN254 Constants Tests
+// ================================
+
+TEST(Bn254Constants, SubgroupGenerator)
+{
+    fr subgroup_generator = bb::curve::BN254::subgroup_generator;
+    fr subgroup_generator_inverse = bb::curve::BN254::subgroup_generator_inverse;
+    fr expected = fr(5).pow((fr::modulus - 1) / (uint256_t(1) << 8));
+    fr expected_inverse = expected.invert();
+
+    EXPECT_EQ(subgroup_generator, expected);
+    EXPECT_EQ(subgroup_generator_inverse, expected_inverse);
+}