Skip to content

feat: add field extension support over native fields #1493

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ivokub merged 10 commits into from
May 20, 2025
Merged

feat: add field extension support over native fields #1493

ivokub merged 10 commits into from
May 20, 2025

Conversation

@ivokub
Copy link
Collaborator

@ivokub ivokub commented May 13, 2025

Description

For the upcoming support for the non-native arithmetic over native small fields we need to perform multiplication checks in a field extension to obtain the required soundness level. Instead of doing an ad-hoc implementation in the field emulation package, we separate it into a standard interface so it could be reused.

The implementation is currently very basic and supports only specific types of field extensions (x^d + a and x^d + 1). Will extend the package if the need arises.

Currently it doesn't support inversion and division as there wasn't direct need for it directly in the field emulation package. However, if we want to support logderivative argument in native small field, then we need to have inversion/division. However, gnark wouldn't directly have backends targeting small fields and the selector columns and witness assignment would be exported to Linea prover, which would handle range checks itself. And currently range checks is the only use case we would need logderivative argument.

But I think it would be good to have in case we would have some other lookup usages in circuits used for Linea. @yelhousni, @ThomasPiellard - do we have a good reference for a generic inversion algorithm in gnark or gnark-crypto over any field and extension?

Type of change

  • New feature (non-breaking change which adds functionality)

How has this been tested?

  • TestReduce
  • TestAdd
  • TestSub
  • TestMul

How has this been benchmarked?

Checklist:

  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
  • I did not modify files generated from templates
  • golangci-lint does not output errors locally
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules

@ivokub ivokub added this to the v0.13.0 milestone May 13, 2025
@ivokub ivokub requested review from Copilot and yelhousni May 13, 2025 12:33
@ivokub ivokub self-assigned this May 13, 2025
@ivokub ivokub added type: new feature type: consolidate strengthen an existing feature labels May 13, 2025
Copilot AI reviewed May 13, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR introduces support for field extensions over native fields to enable non‐native arithmetic operations in small fields.

  • Added configurable options to set field extensions or degrees.
  • Implemented basic arithmetic operations (reduce, add, sub, mul) over extension fields.
  • Provided comprehensive tests for extension field operations.

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File Description
std/math/fieldextension/option.go Added configuration options for specifying field extension details.
std/math/fieldextension/fieldextension_test.go Added unit tests for Reduce, Add, Sub, and Mul functions.
std/math/fieldextension/fieldextension.go Implemented extension field arithmetic functions.
std/math/fieldextension/default_extensions.go Defined default extension polynomials.

@ivokub
Copy link
Collaborator Author

ivokub commented May 16, 2025

I think I'll skip the inverse for now, it is not needed for the field emulation over smallfield for now. We can implement it in the future when such need arises.

So, it is ready for review for now.

This was referenced May 16, 2025
Merged
Merged
@yelhousni
Copy link
Contributor

yelhousni commented May 19, 2025

For the inverse, we implement it in gnark-crypto generically for ext. 2 and 3 as in Alg.8 and 17 resp. in https://eprint.iacr.org/2010/354.pdf.

yelhousni
yelhousni approved these changes May 19, 2025
View reviewed changes
Copy link
Contributor

@yelhousni yelhousni left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. Although 2 remarks:

  • what is the point of having a generic implementation only for baby/koala bear? we can have Mul() optimised if we specialise the implementation.
  • we can also add Square() as a separate method.

@ivokub
Copy link
Collaborator Author

ivokub commented May 19, 2025

Looks good. Although 2 remarks:

  • what is the point of having a generic implementation only for baby/koala bear? we can have Mul() optimised if we specialise the implementation.
  • we can also add Square() as a separate method.

You're right, we don't particularly need generic implementation. I started doing it in the context of field emulation over small field (particularly see https://github.com/Consensys/gnark/pull/1495/files#diff-d4ac9a2f1804d448a0c0743b58bc4494e0eff8e396cb6ae48d58ff01befeaee2L169-R205 and https://github.com/Consensys/gnark/pull/1495/files#diff-d4ac9a2f1804d448a0c0743b58bc4494e0eff8e396cb6ae48d58ff01befeaee2R969-R999, i.e. we compute a(x)*b(x) == c(x) + k(x)*p(x) + 2^e q(x) for random challenge x which is in the field extension and all coefficients of the polynomials are in the field).

Particularly - we don't need to be compatible with the koala/baby-bear extensions we have in gnark-crypto, I'm only interested in having degree high enough that SZ is sound. Thats why I'm using the direct simple extension (x^n-a).

But for some reason I though it would be useful if we have a general interface for any possible direct extension. Imo the interface would support it, I just didn't implement it yet.

So, if you would have ideas how to optimize Mul if we make any assumptions then I'm all in for that, it is quite heavy part and any constraint saved adds up quickly.
And we could also do Square(), right now imo there wasn't use case for that.

Another thing - imo we may not need to call Reduce that much for the checks a(x)*b(x) == c(x) + k(x)*p(x) + 2^e q(x). We could do non-reducing multiplications, move everything to the left-hand-side and then do a single reduction and check the result is zero.

@ivokub ivokub merged commit 19ac6d9 into master May 20, 2025
6 checks passed
@ivokub ivokub deleted the feat/native-field-extension branch May 20, 2025 09:36
@ivokub
Copy link
Collaborator Author

ivokub commented May 20, 2025
edited
Loading

Merged currently as is - it is good enough for unblocking the rest of the PRs, but there are still many things to do to make the gadget more performant and useful. Will create issue for that.

@ivokub ivokub mentioned this pull request May 20, 2025
Open
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@yelhousni yelhousni yelhousni approved these changes

Assignees

@ivokub ivokub

Labels

type: consolidate strengthen an existing feature type: new feature

Projects

None yet

Milestone

v0.13.0

Development

Successfully merging this pull request may close these issues.

3 participants

@ivokub @yelhousni