feat: Big Integer Implementation for Cryptographic Applications

[qalisander]

This pr adds Uint<..> bigintegers, and implementation of basic arithmetic operations on integers in Montgomery form. That introduces significant gas cost cut, for finite field arithmetic.
Poseidon hash computation got around 8 times cheaper compare to what was before.
And cheaper than Solidity Assembly poseidon hash.

Resolves #481

PR Checklist

• Tests
• Documentation
• Changelog

[netlify]

✅ Deploy Preview for contracts-stylus canceled.

Name	Link
🔨 Latest commit	e43eb87
🔍 Latest deploy log	https://app.netlify.com/sites/contracts-stylus/deploys/679bbb726f40b2000852e4c4

[codecov]

Codecov Report

Attention: Patch coverage is 70.25393% with 246 lines in your changes missing coverage. Please review.

Project coverage is 84.1%. Comparing base (5d612e6) to head (e43eb87).
Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
lib/crypto/src/arithmetic/uint.rs	66.2%	182 Missing ⚠️
lib/crypto/src/field/fp.rs	69.5%	64 Missing ⚠️

Additional details and impacted files

Files with missing lines	Coverage Δ
lib/crypto/src/arithmetic/limb.rs	100.0% <100.0%> (ø)
lib/crypto/src/field/mod.rs	100.0% <ø> (ø)
lib/crypto/src/field/prime.rs	0.0% <ø> (ø)
lib/crypto/src/poseidon2/mod.rs	93.2% <ø> (ø)
lib/crypto/src/field/fp.rs	59.6% <69.5%> (+10.9%)	⬆️
lib/crypto/src/arithmetic/uint.rs	66.2% <66.2%> (ø)

[bidzyyys]

It's great you have done these benchmarks but I am not a fan of maintaining akr-ff or poseidon-renegades. We may want. to have just a separated branch with these benchmarks.

[qalisander]

I was about to drop it. It is just for comparison, when I was optimizing it

[bidzyyys]

Left some comments + many warnings from CI.
Overall great progress @qalisander!

[bidzyyys]

1. Can't you have jus return a < b?
2. What if a == b?

[qalisander]

If they're equal go to next. As I remember it is code for geq comparison

[bidzyyys]

I do not like these asserts but I believe it is the only way to assure proper execution :(

[qalisander]

I think I've already dropped this code:D

[bidzyyys]

If you are about checked_add you should implement the proper trait then.

[qalisander]

I've thought about about names, and constant ct_checked_add and checked_add_assign that returns boolean seems rational to me

[bidzyyys]

Fuzzing here is super needed 😅 @0xNeshi

[0xNeshi]

Proptests would be a bare minimum I'd say 😃

[qalisander]

Yeah. We will try to add more proptests, but currently: the best warranty gives poseidon, that computes valid hash on each instance

[qalisander]

Just one wrong addition/multiplication or messed up index and hash will be totally different from the other implementations

[0xNeshi]

I'd say there's still value in testing the primitives, not just the upper-layer stuff. There can always be an edge case that might cause an issue, but would rarely pop up in the upper-layer test (e.g. for poseidon)

[qalisander]

The whole point of ct_* prefix is to distinguish constant function from runtime function.
E.g. we can have geq for runtime and ct_geq for compile time.

Also same convention applied to ct_for! macro, that adds convenience of for but in const context.
p.s. for cycle is not available in const context

[bidzyyys]

Great progress, left some comments.

[bidzyyys]

Nit: I do not like k, i, l for loop iterations, prefer more self-descriptive names to not mess them.

[0xNeshi]

In this (complex) case I have to agree

[qalisander]

Attach link

[bidzyyys]

Only few comments left.

Please:

• update CHANGELOG.md
• add GH Issue describing how we should add prop tests and fuzzing to this Big Integer implementation

[0xNeshi]

My one big critique is terse/missing doc comments.

I think for the sake of our future selves, and for the sake of our audit team, we should have clear doc comments for each function.

This is especially important if we plan to make this bigint implementation into a separate crate that we want to share with the world

[0xNeshi]

This is a very terse doc comment.

See LLM's suggestion

Suggested change

	/// Compute `-M^{-1} mod 2^64`.
	/// Computes the Montgomery modular inverse `-MODULUS^{-1} mod 2^64` for the field modulus.
	///
	/// This is a constant function that computes the modular multiplicative inverse of
	/// the negative field modulus, modulo 2^64. This value is crucial for Montgomery arithmetic
	/// operations in the field.
	///
	/// The calculation uses the fact that for a 64-bit value:
	/// - We only need the lowest limb of the modulus
	/// - The Euler totient φ(2^64) = 2^63
	/// - Therefore we can compute the inverse by raising to power (2^63 - 1)

[0xNeshi]

I think the audit team will thank us

[0xNeshi]

In this (complex) case I have to agree

[0xNeshi]

See previous comment on how to link to a paper in a cleaner way

[0xNeshi]

Inlining everything is the way to reducing gas cost in all cases? 🤔
I just noticed that many lib/crypto functions are inlined, but not all. Shouldn't we then be inlining everything?

Did you measure the impact of not using #[inline]?
Shouldn't link-time optimizations perform the same optimization? Stylus projects have this option ON by default, and so do we.

[qalisander]

Increased binary size is also an impact of aggressive inlines #[inline(always)]. It is usually a tradeoff
Yeah, measured. Impact with inlines seems significant

[qalisander]

Actually I've checked most of them and also #[inline(always)] vs normal #[inline]. The first one gives more impact sometimes

[0xNeshi]

Did you measure in Release mode or in Debug mode?

[qalisander]

@bidzyyys this issue for proptests

[bidzyyys]

Looks good to me!

[0xNeshi]

*clicks tongue* Noice!