54 commits
4725f75
the return of ec add unsafe
guipublic Sep 26, 2024
2c35a92
fix test case
guipublic Sep 26, 2024
6c14ad3
Merge branch 'master' into gd/unsafe_ec_add2
guipublic Sep 26, 2024
bbff2f1
Merge branch 'master' into gd/unsafe_ec_add2
guipublic Oct 1, 2024
5b5fc0a
Merge branch 'master' into gd/unsafe_ec_add2
guipublic Oct 1, 2024
32de43a
force CI to run e2e
guipublic Oct 1, 2024
2f3ea01
Merge branch 'master' into gd/unsafe_ec_add2
guipublic Oct 2, 2024
da1604f
Merge branch 'master' into gd/unsafe_ec_add2
guipublic Oct 3, 2024
3c60dcb
chore: remove unused header in public executor (#8990)
Maddiaa0 Oct 3, 2024
6baa710
Merge branch 'master' into gd/unsafe_ec_add2
guipublic Oct 3, 2024
d81f826
Merge branch 'master' into gd/unsafe_ec_add2
guipublic Oct 3, 2024
98c7ebe
Merge branch 'master' into gd/unsafe_ec_add2
guipublic Oct 4, 2024
bab195f
Merge branch 'master' into gd/unsafe_ec_add2
guipublic Oct 4, 2024
bb57173
Merge branch 'master' into gd/unsafe_ec_add2
guipublic Oct 10, 2024
249ab55
Merge branch 'master' into gd/unsafe_ec_add2
TomAFrench Apr 15, 2025
8e08f66
Merge branch 'master' into gd/unsafe_ec_add2
guipublic Apr 16, 2025
a0576c1
allow infinite points for ec_add
guipublic Apr 16, 2025
2cdf9ad
Merge branch 'master' into gd/unsafe_ec_add2
guipublic Apr 22, 2025
6aa64f2
Merge branch 'master' into gd/unsafe_ec_add2
guipublic May 12, 2025
01a50ac
Merge branch 'master' into gd/unsafe_ec_add2
guipublic May 12, 2025
e3e8220
Merge branch 'master' into gd/unsafe_ec_add2
guipublic May 12, 2025
06ef800
only allow compile time 'is_infinite'
guipublic May 15, 2025
6519918
Merge branch 'master' into gd/unsafe_ec_add2
guipublic May 15, 2025
3a05675
Merge branch 'master' into gd/unsafe_ec_add2
guipublic May 16, 2025
56861f3
avoid failing check when there is no witness assignment
guipublic May 16, 2025
525a63f
Merge branch 'master' into gd/unsafe_ec_add2
guipublic May 20, 2025
304b758
Merge branch 'next' into gd/unsafe_ec_add2
guipublic Jun 25, 2025
8b4809c
fix merge
guipublic Jun 25, 2025
403c972
implement the all-or-nothing witness/constant for ec-add
guipublic Jun 27, 2025
99ebdf5
Merge branch 'next' into gd/unsafe_ec_add2
guipublic Jun 27, 2025
22b2e93
code review
guipublic Jun 27, 2025
877231c
Merge branch 'next' into gd/unsafe_ec_add2
guipublic Jun 27, 2025
b8b5f75
Merge branch 'next' into gd/unsafe_ec_add2
guipublic Jun 30, 2025
c78a883
update Noir
guipublic Jun 30, 2025
c5156dc
Merge branch 'next' into gd/unsafe_ec_add2
guipublic Jun 30, 2025
cdf21c2
Clean up function descriptions
Rumata888 Jun 30, 2025
298cd7d
Merge branch 'next' into gd/unsafe_ec_add2
guipublic Jun 30, 2025
e47b58b
Merge branch 'next' into gd/unsafe_ec_add2
guipublic Jul 1, 2025
f899533
Merge branch 'next' into gd/unsafe_ec_add2
TomAFrench Jul 2, 2025
d3a2daf
fix unit test
guipublic Jul 2, 2025
5feed4b
update vks
guipublic Jul 3, 2025
85e2b90
Merge branch 'next' into gd/unsafe_ec_add2
guipublic Jul 3, 2025
0cf8994
Merge branch 'next' into gd/unsafe_ec_add2
guipublic Jul 3, 2025
f0cf778
update vks
guipublic Jul 3, 2025
b64714b
Merge branch 'next' into gd/unsafe_ec_add2
guipublic Jul 4, 2025
6f4a199
Merge branch 'next' into gd/unsafe_ec_add2
guipublic Jul 4, 2025
2c133a8
updates cargo.lock
guipublic Jul 4, 2025
ef05a7d
handle opposite points
guipublic Jul 4, 2025
f4ae114
updates cargo.lock
guipublic Jul 4, 2025
b521f62
Merge branch 'next' into gd/unsafe_ec_add2
guipublic Jul 8, 2025
c872ab2
update vks
guipublic Jul 9, 2025
ef821e3
code review: check the x coordinates are distinct
guipublic Jul 9, 2025
f8555e8
add unit tests
guipublic Jul 11, 2025
c3bdb9b
Merge branch 'next' into gd/unsafe_ec_add2
guipublic Jul 14, 2025
162 changes: 155 additions & 7 deletions barretenberg/cpp/src/barretenberg/dsl/acir_format/ec_operations.cpp
Expand Up @@ -5,6 +5,7 @@
// =====================

#include "ec_operations.hpp"
#include "barretenberg/dsl/acir_format/witness_constant.hpp"
#include "barretenberg/ecc/curves/bn254/fr.hpp"
#include "barretenberg/ecc/curves/grumpkin/grumpkin.hpp"
#include "barretenberg/ecc/groups/affine_element.hpp"
Expand All @@ -13,19 +14,165 @@

namespace acir_format {

/**
* @brief Creates a constraint for an EC addition operation
*
* @param builder Circuit builder
* @param input The input to the EC addition operation (contains information about input witnesses/constants)
* @param has_valid_witness_assignments Whether the witness assignments are valid (if we are just constructing a circuit
* to get the verification key, we might not have a valid witness)
*
* @details This function creates a constraint for an EC addition operation. The mode of operation is as follows:
* It assumes that the points are on the curve. Then:
* - If it is known that the points are the same (either witness ids are identical or constant values are identical),
* it doubles the point. In this case, it can handle the case of a point at infinity.
* - If it is known that the points are at infinity or not (controlling boolean for both is a constant), it will return
* the other point if one is at infinity.
* - If it is known that the points are opposite, it will return the infinity point.
* - If it is known that the points have the same abscissa at this stage, it will return an error.
* - If none of the points are at infinity, it assumes that they have distinct abscissa and adds them.
* - If it is not known whether the points are points at infinity, it will return an error.
*
*/
template <typename Builder>
void create_ec_add_constraint(Builder& builder, const EcAdd& input, bool has_valid_witness_assignments)
{
// Input to cycle_group points
// Cycle_group points are used by BB to lay out constraints on Grumpkin curve points
using cycle_group_ct = bb::stdlib::cycle_group<Builder>;

auto input1_point = to_grumpkin_point(
input.input1_x, input.input1_y, input.input1_infinite, has_valid_witness_assignments, builder);
auto input2_point = to_grumpkin_point(
input.input2_x, input.input2_y, input.input2_infinite, has_valid_witness_assignments, builder);
// Check if operands are the 'same' (same witness or same constant value).
bool x_match = false;
if (!input.input1_x.is_constant && !input.input2_x.is_constant) {
x_match = (input.input1_x.index == input.input2_x.index);
} else {
if (input.input1_x.is_constant && input.input2_x.is_constant) {
x_match = (input.input1_x.value == input.input2_x.value);
}
}
bool y_match = false;
if (!input.input1_y.is_constant && !input.input2_y.is_constant) {
y_match = (input.input1_y.index == input.input2_y.index);
} else {
if (input.input1_y.is_constant && input.input2_y.is_constant) {
y_match = (input.input1_y.value == input.input2_y.value);
}
}

cycle_group_ct result;
// If operands are the same, we double.
// Note that the doubling function handles the infinity case
if (x_match && y_match) {
cycle_group_ct input1_point;

// When there are no valid witness assignements, we need to define dummy values that will
// satisfy the doubling constraints, which we can do easily when the inputs are witness.
// If the is_infinity is a witness, we can simply set it to 1
// Or, if the coordinates are witness, we can simply set them to a valid point on the curve (G1)
if (!input.input1_infinite.is_constant || (!input.input1_x.is_constant && !input.input1_y.is_constant)) {
input1_point = to_grumpkin_point(input.input1_x,
input.input1_y,
input.input1_infinite,
has_valid_witness_assignments,
/*use_g1=*/true,
builder);
} else {
// If not, the coordinates are mixed constant/witness, and we generate witness so that the point is using
// only witnesses.
input1_point = to_witness_grumpkin_point(input.input1_x,
input.input1_y,
input.input1_infinite,
has_valid_witness_assignments,
/*use_g1=*/true,
builder);
}
result = input1_point.dbl();
} else {
// Regular addition
// if one point is (constant) zero, we simply return the other point.
if (input.input2_infinite.is_constant && input.input1_infinite.is_constant) {
if (get_value(input.input1_infinite, builder) == 1) {
// input1 is infinity, so we can just return input2
result = to_witness_grumpkin_point(input.input2_x,
input.input2_y,
input.input2_infinite,
has_valid_witness_assignments,
/*use_g1=*/false,
builder);

} else if (get_value(input.input2_infinite, builder) == 1) {
// input2 is infinity, so we can just return input1
result = to_witness_grumpkin_point(input.input1_x,
input.input1_y,
input.input1_infinite,
has_valid_witness_assignments,
/*use_g1=*/true,
builder);
} else if (x_match && !y_match) {
if (input.input1_y.is_constant && input.input2_y.is_constant) {
// we know x1==x2 and y1!=y2, so we assume the points are opposite
result = cycle_group_ct(bb::fr::zero(), bb::fr::zero(), true);
} else {
ASSERT(false,
"Unsupported EC ADDITION UNSAFE; asbcissas should be disctinct, or the points should be "
"identical "
"(doubling)");
}
} else {
cycle_group_ct input1_point;
cycle_group_ct input2_point;
// all or nothing: the inputs must be all constant or all witness. Cf #1108 for more details.
if (!input.input1_x.is_constant || !input.input1_y.is_constant || !input.input1_infinite.is_constant ||
!input.input2_x.is_constant || !input.input2_y.is_constant || !input.input2_infinite.is_constant) {
// One of the input is a witness, so we ensure that all inputs are witness, by creating witness for
// constant values.
input1_point = to_witness_grumpkin_point(input.input1_x,
input.input1_y,
input.input1_infinite,
has_valid_witness_assignments,
/*use_g1=*/true,
builder);
input2_point = to_witness_grumpkin_point(input.input2_x,
input.input2_y,
input.input2_infinite,
has_valid_witness_assignments,
/*use_g1=*/false,
builder);

} else {
input1_point = to_grumpkin_point(input.input1_x,
input.input1_y,
input.input1_infinite,
has_valid_witness_assignments,
/*use_g1=*/true,
builder);
input2_point = to_grumpkin_point(input.input2_x,
input.input2_y,
input.input2_infinite,
has_valid_witness_assignments,
/*use_g1=*/false,
builder);
}
// both points are not infinity, so we can use unconditional_add
if (has_valid_witness_assignments) {
// Runtime check that the inputs have not the same x coordinate, as assumed by the function.
ASSERT(input1_point.x.get_value() != input2_point.x.get_value());
}
// Check that the x coordinates are distincts.
// This function is not supposed to make any check so that the checks can be added by the developer
// when required, for best performance. However this is a critical assumption so we still check it for
// now. We should make the test optional via an additional parameter in the future.
auto x_match = input1_point.x - input2_point.x;
x_match.assert_is_not_zero(
"Unsupported EC ADDITION UNSAFE; asbcissas should be disctinct, or the points should be identical "
"(doubling)");
result = input1_point.unconditional_add(input2_point);
Contributor

Why are you using unconditional add? Are you checking that the inputs are different? If the values are the same, this could allow you to create any point as a result

Contributor Author

This is the whole point of the PR, the checks have been moved on the Noir side so that we can avoid them in some cases. See this comment in the PR description:
"It will allow Aztec protocol circuit to use directly the opcode when the 'safety' is already known (and implied by previous operations)."

Contributor

You shouldn't remove the difference!=zero check. It is always necessary. There is no case that it is not necessary, when you are performing non-doubling additions.

Contributor Author

I disagree, else the function unconditional_add() would not exist. See the comments of the function:

  • Only use this method if you know the x-coordinates of the operands cannot collide and none of the operands is a point at infinity

For instance it is used for batch mul:

  • If `unconditional_add = true`, we use `::unconditional_add` instead of `::checked_unconditional_add`. Use with caution! Only should be `true` if we're doing an ULTRA fixed-base MSM so we know the points cannot collide with the offset generators.

Contributor

@Rumata888 Rumata888 Jul 4, 2025

The function unconditional add is only used in 2 cases:

  1. We know that the values provided are from a CRS and getting a combination of those that would be equal is tantamount to solving the discrete log
  2. We use it in our own batch mul, when we specifically want to save 1 gate by batching non-zero checks.

However, these are extremely rare situations. It is extremely dangerous to leave the operation like this by default, because then it does not ensure the correctness of additions at all in 99% of cases. If you really want to allow the developer to disable this particular check, then there should be a setting that allows this (with loud disclaimers). It shouldn't be by default

Contributor Author

@guipublic guipublic Jul 4, 2025

I will add a setting then.
In fact no, I will add the check because I don't want to have to change ACIR format.
I'll add the setting later, if this PR manages to go through!

Contributor Author

Done

}
} else {
// Some points could be at infinity, which is not supported by the function
ASSERT(false, "Unsupported EC ADDITION UNSAFE; is_infinite status must be known at compile time");
}
}

// Addition
cycle_group_ct result = input1_point + input2_point;
cycle_group_ct standard_result = result.get_standard_form();
auto x_normalized = standard_result.x.normalize();
auto y_normalized = standard_result.y.normalize();
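Review bot: the doubling branch (`if (x_match && y_match)`) is selected from the x and y operands alone; `input2_infinite` is never compared with `input1_infinite`, so two inputs that share coordinates but differ in their infinity flag are sent through `input1_point.dbl()` rather than returning the finite operand. Require the two `is_infinite` operands to match as well (same witness index or same constant value) before doubling, and let a mismatch fall through to the constant-infinity handling. Separately, `auto x_match = input1_point.x - input2_point.x;` in the addition branch shadows the `bool x_match` declared near the top of the function with a value of a different type; a distinct name such as `x_diff` would avoid confusion. The two error strings also misspell "abscissas" and "distinct".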
Expand All @@ -41,6 +188,7 @@ void create_ec_add_constraint(Builder& builder, const EcAdd& input, bool has_val
} else {
builder.assert_equal(y_normalized.witness_index, input.result_y);
}

if (infinite.is_constant()) {
builder.fix_witness(input.result_infinite, infinite.get_value());
} else {