Foreign fields 3: Addition

[mitschabaude]

• adds a ForeignField gadget namespace with methods for addition, subtraction and general sums using non-native modular arithmetic.
• enhances the constraintSystem() test runner introduced in Foreign fields 2: Test DSL to detect broken gate chains #1241 so that it becomes very easy to check methods of a zkprogram

closes #1152
closes #1180

depends on bindings PRs o1-labs/o1js-bindings#203 and o1-labs/o1js-bindings#205

Proof that we can save range checks in sum()

An optimization used here is to not range-check intermediate results in addition chains of length > 2, i.e. what is exposed as sum(). The reasoning why this is sound is as follows:

Assume we are doing an addition chain over summands $a_0,\ldots,a_n$. Let's denote the lower input limbs by $a_i^{(01)}$ and the high limb by $a_i^{(2)}$. Each FFadd gate individually proves that

$$ a_i^{(01)} + a_{i+1}^{(01)} - o_i f^{(01)} - c_i 2^{2\ell} = r_i^{(01)} \mod{n} $$

$$ a_i^{(2)} + a_{i+1}^{(2)} - o_i f^{(2)} + c_i = r_i^{(2)} \mod{n} $$

where $o_i$ and $c_i$ are overflow and carry, and $n$ is the native modulus. Since addition modulo $n$ is associative, a full chain of ffadd gates proves the following equations about the final output $r$:

$$ a_0^{(01)} + \ldots + a_{n}^{(01)} - (o_1 + \ldots + o_n) f^{(01)} - (c_1 + \ldots + c_n) 2^{2\ell} = r^{(01)} \mod{n} $$

$$ a_0^{(2)} + \ldots + a_{n}^{(2)} - (o_1 + \ldots + o_n) f^{(2)} + (c_1 + \ldots + c_n) = r^{(2)} \mod{n} $$

Since we assume the inputs $a_i$ to be range-checked, and both $o_i$ and $c_i$ are 0 or 1 or -1, and the final output $r$ is range-checked as well, the difference of left and right hand side is too small to overflow the native field:

$$ |LHS - RHS| < n $$

This is enough to conclude that $LHS = RHS$ over the integers. Which in this case just means that we are doing correct addition or subtraction modulo the foreign field.

[rbonichon]

Are these function declarations?
Why is the second declaration needed (it's the same type as the implementation right below)?

[mitschabaude]

This is how you declare if there are two different function signatures. The third one is not exposed, it's the "internal" signature used in writing the function. So if I remove the second one, consumers only see the first one

[mitschabaude]

some notes for reviewers!

[mitschabaude]

the code for the new gadgets! please review carefully

[mitschabaude]

I'm a bit conflicted about this. I sometimes got the feedback that it's confusing how o1js APIs are a mix of provable and non-provable methods. I'm not sure if putting them on a separate sub-namespace of Gadgets is enough separation. In any case, these helper methods are essential to reduce boiler-plate of interacting with all foreign field and foreign curve gadgets, and I also didn't feel good about another top-level export for them.

[mitschabaude]

note: this is how to get a type namespace alongside a value namespace. It's possible to use the same name if the type namespace is only types. We could've also put everything in a single namespace, but I prefer the syntax for writing JS objects over the clunky namespace syntax which isn't even real JS (just a TS addition to the language).

[mitschabaude]

This is a continuation of #1241. I figured I could make writing constraint system tests for zkprogram methods even easier by reading the input types off the zkprogram.

[mitschabaude]

changes in this file are in support of the new constraintSystem.fromZkProgram()

[mitschabaude]

exposing the private input types on zkprogram seems consistent, since we already expose the public input types and the methods

[querolita]

What is this exactly for?

[mitschabaude]

It's in support of a testing utility I added: #1220 (comment)
You can ignore it, it's not related to the circuit gadgets added here :D

[mitschabaude]

this was a bug which accidentally broke Experimental.ZkProgram, fixed it while I was here

[mitschabaude]

additions here are in support of the foreign field unit tests

[mitschabaude]

random generator for foreign fields, for tests

[querolita]

Approving with minor comments

[querolita]

Maybe clarify here what's the highest and lowest limbs?

[querolita]

Is sum being exposed or just add, sub and sumchain?

[mitschabaude]

sum() is exposed! it is actually the same as sumchain in OCaml, I renamed it because I think the "chain" aspect is more about the internal implementation and less important for users

[querolita]

what's the meaning of this notation =>?

[mitschabaude]

this is an inline function, called arrow function in JS. in Rust you'd call it a closure

[querolita]

But maybe the last gate could be a FFMul0 for example, in case someone wanted to use that output for the left input of a multiplication, no?

[querolita]

I guess we had to provide some kind of tradeoff between ease-of-use and functionality 💭

[mitschabaude]

I completely agree, this isn't yet the best version of the sumchain gadget. Wait for the ECDSA PR, there I needed chaining into ffmul and I came up with an API which is both easy to use and flexible

[querolita]

Oh I see, so you still provide "fine grain" access to this in case the user wants to create a more efficient circuit.

[querolita]

Why would we like to support foreign field zero? Is that even a thing?

[mitschabaude]

yes I think it could be useful if you want to do plain bigint addition (not modulo a field)

[querolita]

what's twoLMask?

[querolita]

Oh this is 2^176 - 1 perhaps?

[querolita]

Oh it is indeed 😄

[querolita]

What is this exactly for?

[querolita]

Why are you using this size?

[mitschabaude]

because the biguint random generator I'm passing it in needs the bit size to be a power of 2 (for efficiency)

[Trivo25]

I would prefer if we could name this toBigint3, similar to toField3 for consistency