Perf: revisiting field extensions in std/

std/algebra/emulated/fields_bls12381/e12.go

@@ -49,8 +49,8 @@ func (e Ext12) Mul(x, y *E12) *E12 {
 	a = e.Ext6.Mul(a, b)
 	b = e.Ext6.Mul(&x.C0, &y.C0)
 	c := e.Ext6.Mul(&x.C1, &y.C1)
-	z1 := e.Ext6.Sub(a, b)
-	z1 = e.Ext6.Sub(z1, c)
+	d := e.Ext6.Add(c, b)
+	z1 := e.Ext6.Sub(a, d)
 	z0 := e.Ext6.MulByNonResidue(c)
 	z0 = e.Ext6.Add(z0, b)
 	return &E12{
@@ -101,8 +101,7 @@ func (e Ext12) IsZero(z *E12) frontend.Variable {
 func (e Ext12) Square(x *E12) *E12 {
 	c0 := e.Ext6.Sub(&x.C0, &x.C1)
 	c3 := e.Ext6.MulByNonResidue(&x.C1)
-	c3 = e.Ext6.Neg(c3)
-	c3 = e.Ext6.Add(&x.C0, c3)
+	c3 = e.Ext6.Sub(&x.C0, c3)
 	c2 := e.Ext6.Mul(&x.C0, &x.C1)
 	c0 = e.Ext6.Mul(c0, c3)
 	c0 = e.Ext6.Add(c0, c2)

std/algebra/emulated/fields_bls12381/e12_pairing.go

@@ -93,8 +93,8 @@ func (e *Ext12) MulBy014(z *E12, c0, c1 *E2) *E12 {
 
 	zC1 := e.Ext6.Add(&z.C1, &z.C0)
 	zC1 = e.Ext6.MulBy01(zC1, c0, d)
-	zC1 = e.Ext6.Sub(zC1, a)
-	zC1 = e.Ext6.Sub(zC1, &b)
+	tmp := e.Ext6.Add(&b, a)
+	zC1 = e.Ext6.Sub(zC1, tmp)
 	zC0 := e.Ext6.MulByNonResidue(&b)
 	zC0 = e.Ext6.Add(zC0, a)
 
@@ -124,8 +124,8 @@ func (e Ext12) Mul014By014(d0, d1, c0, c1 *E2) [5]*E2 {
 	tmp := e.Ext2.Add(c0, c1)
 	x01 := e.Ext2.Add(d0, d1)
 	x01 = e.Ext2.Mul(x01, tmp)
-	x01 = e.Ext2.Sub(x01, x0)
-	x01 = e.Ext2.Sub(x01, x1)
+	tmp = e.Ext2.Add(x1, x0)
+	x01 = e.Ext2.Sub(x01, tmp)
 	x14 := e.Ext2.Add(c1, d1)
 
 	zC0B0 := e.Ext2.NonResidue()
@@ -148,8 +148,8 @@ func (e *Ext12) MulBy01245(z *E12, x [5]*E2) *E12 {
 	a = e.Ext6.Mul(a, b)
 	b = e.Ext6.Mul(&z.C0, c0)
 	c := e.Ext6.MulBy12(&z.C1, x[3], x[4])
-	z1 := e.Ext6.Sub(a, b)
-	z1 = e.Ext6.Sub(z1, c)
+	d := e.Ext6.Add(c, b)
+	z1 := e.Ext6.Sub(a, d)
 	z0 := e.Ext6.MulByNonResidue(c)
 	z0 = e.Ext6.Add(z0, b)
 	return &E12{

std/algebra/emulated/fields_bls12381/e2.go

@@ -59,8 +59,8 @@ func NewExt2(api frontend.API) *Ext2 {
 }
 
 func (e Ext2) MulByElement(x *E2, y *baseEl) *E2 {
-	z0 := e.fp.MulMod(&x.A0, y)
-	z1 := e.fp.MulMod(&x.A1, y)
+	z0 := e.fp.Mul(&x.A0, y)
+	z1 := e.fp.Mul(&x.A1, y)
 	return &E2{
 		A0: *z0,
 		A1: *z1,
@@ -110,9 +110,9 @@ func (e Ext2) MulByNonResidue1Power1(x *E2) *E2 {
 // MulByNonResidue1Power2 returns x*(1+u)^(2*(p^1-1)/6)
 func (e Ext2) MulByNonResidue1Power2(x *E2) *E2 {
 	element := emulated.ValueOf[emulated.BLS12381Fp]("4002409555221667392624310435006688643935503118305586438271171395842971157480381377015405980053539358417135540939436")
-	a := e.fp.MulMod(&x.A1, &element)
+	a := e.fp.Mul(&x.A1, &element)
 	a = e.fp.Neg(a)
-	b := e.fp.MulMod(&x.A0, &element)
+	b := e.fp.Mul(&x.A0, &element)
 	return &E2{
 		A0: *a,
 		A1: *b,
@@ -128,8 +128,8 @@ func (e Ext2) MulByNonResidue1Power3(x *E2) *E2 {
 func (e Ext2) MulByNonResidue1Power4(x *E2) *E2 {
 	element := emulated.ValueOf[emulated.BLS12381Fp]("4002409555221667392624310435006688643935503118305586438271171395842971157480381377015405980053539358417135540939437")
 	return &E2{
-		A0: *e.fp.MulMod(&x.A0, &element),
-		A1: *e.fp.MulMod(&x.A1, &element),
+		A0: *e.fp.Mul(&x.A0, &element),
+		A1: *e.fp.Mul(&x.A1, &element),
 	}
 }
 
@@ -142,59 +142,62 @@ func (e Ext2) MulByNonResidue1Power5(x *E2) *E2 {
 func (e Ext2) MulByNonResidue2Power1(x *E2) *E2 {
 	element := emulated.ValueOf[emulated.BLS12381Fp]("793479390729215512621379701633421447060886740281060493010456487427281649075476305620758731620351")
 	return &E2{
-		A0: *e.fp.MulMod(&x.A0, &element),
-		A1: *e.fp.MulMod(&x.A1, &element),
+		A0: *e.fp.Mul(&x.A0, &element),
+		A1: *e.fp.Mul(&x.A1, &element),
 	}
 }
 
 // MulByNonResidue2Power2 returns x*(1+u)^(2*(p^2-1)/6)
 func (e Ext2) MulByNonResidue2Power2(x *E2) *E2 {
 	element := emulated.ValueOf[emulated.BLS12381Fp]("793479390729215512621379701633421447060886740281060493010456487427281649075476305620758731620350")
 	return &E2{
-		A0: *e.fp.MulMod(&x.A0, &element),
-		A1: *e.fp.MulMod(&x.A1, &element),
+		A0: *e.fp.Mul(&x.A0, &element),
+		A1: *e.fp.Mul(&x.A1, &element),
 	}
 }
 
 // MulByNonResidue2Power3 returns x*(1+u)^(3*(p^2-1)/6)
 func (e Ext2) MulByNonResidue2Power3(x *E2) *E2 {
 	element := emulated.ValueOf[emulated.BLS12381Fp]("4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559786")
 	return &E2{
-		A0: *e.fp.MulMod(&x.A0, &element),
-		A1: *e.fp.MulMod(&x.A1, &element),
+		A0: *e.fp.Mul(&x.A0, &element),
+		A1: *e.fp.Mul(&x.A1, &element),
 	}
 }
 
 // MulByNonResidue2Power4 returns x*(1+u)^(4*(p^2-1)/6)
 func (e Ext2) MulByNonResidue2Power4(x *E2) *E2 {
 	element := emulated.ValueOf[emulated.BLS12381Fp]("4002409555221667392624310435006688643935503118305586438271171395842971157480381377015405980053539358417135540939436")
 	return &E2{
-		A0: *e.fp.MulMod(&x.A0, &element),
-		A1: *e.fp.MulMod(&x.A1, &element),
+		A0: *e.fp.Mul(&x.A0, &element),
+		A1: *e.fp.Mul(&x.A1, &element),
 	}
 }
 
 // MulByNonResidue2Power5 returns x*(1+u)^(5*(p^2-1)/6)
 func (e Ext2) MulByNonResidue2Power5(x *E2) *E2 {
 	element := emulated.ValueOf[emulated.BLS12381Fp]("4002409555221667392624310435006688643935503118305586438271171395842971157480381377015405980053539358417135540939437")
 	return &E2{
-		A0: *e.fp.MulMod(&x.A0, &element),
-		A1: *e.fp.MulMod(&x.A1, &element),
+		A0: *e.fp.Mul(&x.A0, &element),
+		A1: *e.fp.Mul(&x.A1, &element),
 	}
 }
 
 func (e Ext2) Mul(x, y *E2) *E2 {
-	a := e.fp.Add(&x.A0, &x.A1)
-	b := e.fp.Add(&y.A0, &y.A1)
-	a = e.fp.MulMod(a, b)
-	b = e.fp.MulMod(&x.A0, &y.A0)
-	c := e.fp.MulMod(&x.A1, &y.A1)
-	z1 := e.fp.Sub(a, b)
-	z1 = e.fp.Sub(z1, c)
-	z0 := e.fp.Sub(b, c)
+
+	v0 := e.fp.Mul(&x.A0, &y.A0)
+	v1 := e.fp.Mul(&x.A1, &y.A1)
+
+	b0 := e.fp.Sub(v0, v1)
+	b1 := e.fp.Add(&x.A0, &x.A1)
+	tmp := e.fp.Add(&y.A0, &y.A1)
+	b1 = e.fp.Mul(b1, tmp)
+	tmp = e.fp.Add(v0, v1)
+	b1 = e.fp.Sub(b1, tmp)
+
 	return &E2{
-		A0: *z0,
-		A1: *z1,
+		A0: *b0,
+		A1: *b1,
 	}
 }
 
@@ -242,6 +245,7 @@ func (e Ext2) Zero() *E2 {
 		A1: *z1,
 	}
 }
+
 func (e Ext2) IsZero(z *E2) frontend.Variable {
 	a0 := e.fp.IsZero(&z.A0)
 	a1 := e.fp.IsZero(&z.A1)
@@ -260,8 +264,8 @@ func (e Ext2) NonResidue() *E2 {
 func (e Ext2) Square(x *E2) *E2 {
 	a := e.fp.Add(&x.A0, &x.A1)
 	b := e.fp.Sub(&x.A0, &x.A1)
-	a = e.fp.MulMod(a, b)
-	b = e.fp.MulMod(&x.A0, &x.A1)
+	a = e.fp.Mul(a, b)
+	b = e.fp.Mul(&x.A0, &x.A1)
 	b = e.fp.MulConst(b, big.NewInt(2))
 	return &E2{
 		A0: *a,

std/algebra/emulated/fields_bls12381/e6.go

@@ -86,22 +86,22 @@ func (e Ext6) Mul(x, y *E6) *E6 {
 	c0 := e.Ext2.Add(&x.B1, &x.B2)
 	tmp := e.Ext2.Add(&y.B1, &y.B2)
 	c0 = e.Ext2.Mul(c0, tmp)
-	c0 = e.Ext2.Sub(c0, t1)
-	c0 = e.Ext2.Sub(c0, t2)
+	tmp = e.Ext2.Add(t2, t1)
+	c0 = e.Ext2.Sub(c0, tmp)
 	c0 = e.Ext2.MulByNonResidue(c0)
 	c0 = e.Ext2.Add(c0, t0)
 	c1 := e.Ext2.Add(&x.B0, &x.B1)
 	tmp = e.Ext2.Add(&y.B0, &y.B1)
 	c1 = e.Ext2.Mul(c1, tmp)
-	c1 = e.Ext2.Sub(c1, t0)
-	c1 = e.Ext2.Sub(c1, t1)
+	tmp = e.Ext2.Add(t0, t1)
+	c1 = e.Ext2.Sub(c1, tmp)
 	tmp = e.Ext2.MulByNonResidue(t2)
 	c1 = e.Ext2.Add(c1, tmp)
 	tmp = e.Ext2.Add(&x.B0, &x.B2)
 	c2 := e.Ext2.Add(&y.B0, &y.B2)
 	c2 = e.Ext2.Mul(c2, tmp)
-	c2 = e.Ext2.Sub(c2, t0)
-	c2 = e.Ext2.Sub(c2, t2)
+	tmp = e.Ext2.Add(t0, t2)
+	c2 = e.Ext2.Sub(c2, tmp)
 	c2 = e.Ext2.Add(c2, t1)
 	return &E6{
 		B0: *c0,
@@ -166,8 +166,8 @@ func (e Ext6) MulBy12(x *E6, b1, b2 *E2) *E6 {
 	c0 := e.Ext2.Add(&x.B1, &x.B2)
 	tmp := e.Ext2.Add(b1, b2)
 	c0 = e.Ext2.Mul(c0, tmp)
-	c0 = e.Ext2.Sub(c0, t1)
-	c0 = e.Ext2.Sub(c0, t2)
+	tmp = e.Ext2.Add(t1, t2)
+	c0 = e.Ext2.Sub(c0, tmp)
 	c0 = e.Ext2.MulByNonResidue(c0)
 	c1 := e.Ext2.Add(&x.B0, &x.B1)
 	c1 = e.Ext2.Mul(c1, b1)
@@ -207,7 +207,13 @@ func (e Ext6) MulBy0(z *E6, c0 *E2) *E6 {
 	}
 }
 
-// MulBy01 multiplication by sparse element (c0,c1,0)
+// MulBy01 multiplies z by an E6 sparse element of the form
+//
+//	E6{
+//		B0: c0,
+//		B1: c1,
+//		B2: 0,
+//	}
 func (e Ext6) MulBy01(z *E6, c0, c1 *E2) *E6 {
 	a := e.Ext2.Mul(&z.B0, c0)
 	b := e.Ext2.Mul(&z.B1, c1)
@@ -224,8 +230,8 @@ func (e Ext6) MulBy01(z *E6, c0, c1 *E2) *E6 {
 	t1 := e.Ext2.Add(c0, c1)
 	tmp = e.Ext2.Add(&z.B0, &z.B1)
 	t1 = e.Ext2.Mul(t1, tmp)
-	t1 = e.Ext2.Sub(t1, a)
-	t1 = e.Ext2.Sub(t1, b)
+	tmp = e.Ext2.Add(a, b)
+	t1 = e.Ext2.Sub(t1, tmp)
 	return &E6{
 		B0: *t0,
 		B1: *t1,

std/algebra/emulated/fields_bn254/e12.go

@@ -49,8 +49,8 @@ func (e Ext12) Mul(x, y *E12) *E12 {
 	a = e.Ext6.Mul(a, b)
 	b = e.Ext6.Mul(&x.C0, &y.C0)
 	c := e.Ext6.Mul(&x.C1, &y.C1)
-	z1 := e.Ext6.Sub(a, b)
-	z1 = e.Ext6.Sub(z1, c)
+	d := e.Ext6.Add(c, b)
+	z1 := e.Ext6.Sub(a, d)
 	z0 := e.Ext6.MulByNonResidue(c)
 	z0 = e.Ext6.Add(z0, b)
 	return &E12{
@@ -101,8 +101,7 @@ func (e Ext12) IsZero(z *E12) frontend.Variable {
 func (e Ext12) Square(x *E12) *E12 {
 	c0 := e.Ext6.Sub(&x.C0, &x.C1)
 	c3 := e.Ext6.MulByNonResidue(&x.C1)
-	c3 = e.Ext6.Neg(c3)
-	c3 = e.Ext6.Add(&x.C0, c3)
+	c3 = e.Ext6.Sub(&x.C0, c3)
 	c2 := e.Ext6.Mul(&x.C0, &x.C1)
 	c0 = e.Ext6.Mul(c0, c3)
 	c0 = e.Ext6.Add(c0, c2)

std/algebra/emulated/fields_bn254/e12_pairing.go

@@ -154,8 +154,8 @@ func (e *Ext12) Mul034By034(d3, d4, c3, c4 *E2) [5]*E2 {
 	tmp := e.Ext2.Add(c3, c4)
 	x34 := e.Ext2.Add(d3, d4)
 	x34 = e.Ext2.Mul(x34, tmp)
-	x34 = e.Ext2.Sub(x34, x3)
-	x34 = e.Ext2.Sub(x34, x4)
+	tmp = e.Ext2.Add(x4, x3)
+	x34 = e.Ext2.Sub(x34, tmp)
 
 	zC0B0 := e.Ext2.MulByNonResidue(x4)
 	zC0B0 = e.Ext2.Add(zC0B0, e.Ext2.One())
@@ -181,8 +181,8 @@ func (e *Ext12) MulBy01234(z *E12, x [5]*E2) *E12 {
 	a = e.Ext6.Mul(a, b)
 	b = e.Ext6.Mul(&z.C0, c0)
 	c := e.Ext6.MulBy01(&z.C1, x[3], x[4])
-	z1 := e.Ext6.Sub(a, b)
-	z1 = e.Ext6.Sub(z1, c)
+	d := e.Ext6.Add(c, b)
+	z1 := e.Ext6.Sub(a, d)
 	z0 := e.Ext6.MulByNonResidue(c)
 	z0 = e.Ext6.Add(z0, b)
 	return &E12{
@@ -211,8 +211,8 @@ func (e *Ext12) Mul01234By034(x [5]*E2, z3, z4 *E2) *E12 {
 	b := e.Ext6.Add(c0, c1)
 	a = e.Ext6.Mul(a, b)
 	c := e.Ext6.Mul01By01(z3, z4, x[3], x[4])
-	z1 := e.Ext6.Sub(a, c0)
-	z1 = e.Ext6.Sub(z1, c)
+	b = e.Ext6.Add(c0, c)
+	z1 := e.Ext6.Sub(a, b)
 	z0 := e.Ext6.MulByNonResidue(c)
 	z0 = e.Ext6.Add(z0, c0)
 	return &E12{