feat: twisted Edwards curve support with new execution

.codespellignore

@@ -2,4 +2,5 @@ InOut
 inout
 LoadE
 SelectE
-ser
+ser
+te

Cargo.toml

@@ -58,6 +58,7 @@ members = [
     "extensions/ecc/transpiler",
     "extensions/ecc/guest",
     "extensions/ecc/sw-macros",
+    "extensions/ecc/te-macros",
     "extensions/ecc/tests",
     "extensions/pairing/circuit",
     "extensions/pairing/guest",
@@ -164,6 +165,7 @@ openvm-ecc-circuit = { path = "extensions/ecc/circuit", default-features = false
 openvm-ecc-transpiler = { path = "extensions/ecc/transpiler", default-features = false }
 openvm-ecc-guest = { path = "extensions/ecc/guest", default-features = false }
 openvm-ecc-sw-macros = { path = "extensions/ecc/sw-macros", default-features = false }
+openvm-ecc-te-macros = { path = "extensions/ecc/te-macros", default-features = false }
 openvm-pairing-circuit = { path = "extensions/pairing/circuit", default-features = false }
 openvm-pairing-transpiler = { path = "extensions/pairing/transpiler", default-features = false }
 openvm-pairing-guest = { path = "extensions/pairing/guest", default-features = false }

benchmarks/execute/benches/execute.rs

@@ -22,7 +22,7 @@ use openvm_continuations::{
     verifier::{common::types::VmVerifierPvs, leaf::types::LeafVmVerifierInput},
     SC,
 };
-use openvm_ecc_circuit::{EccCpuProverExt, WeierstrassExtension, WeierstrassExtensionExecutor};
+use openvm_ecc_circuit::{EccCpuProverExt, EccExtension, EccExtensionExecutor};
 use openvm_ecc_transpiler::EccTranspilerExtension;
 use openvm_keccak256_circuit::{Keccak256, Keccak256CpuProverExt, Keccak256Executor};
 use openvm_keccak256_transpiler::Keccak256TranspilerExtension;
@@ -97,7 +97,7 @@ pub struct ExecuteConfig {
     #[extension]
     pub fp2: Fp2Extension,
     #[extension]
-    pub weierstrass: WeierstrassExtension,
+    pub ecc: EccExtension,
     #[extension(generics = true)]
     pub pairing: PairingExtension,
 }
@@ -121,7 +121,7 @@ impl Default for ExecuteConfig {
                 BN254_COMPLEX_STRUCT_NAME.to_string(),
                 bn_config.modulus.clone(),
             )]),
-            weierstrass: WeierstrassExtension::new(vec![bn_config.clone()]),
+            ecc: EccExtension::new(vec![bn_config.clone()], vec![]),
             pairing: PairingExtension::new(vec![PairingCurve::Bn254]),
         }
     }
@@ -179,11 +179,7 @@ where
             inventory,
         )?;
         VmProverExtension::<E, _, _>::extend_prover(&AlgebraCpuProverExt, &config.fp2, inventory)?;
-        VmProverExtension::<E, _, _>::extend_prover(
-            &EccCpuProverExt,
-            &config.weierstrass,
-            inventory,
-        )?;
+        VmProverExtension::<E, _, _>::extend_prover(&EccCpuProverExt, &config.ecc, inventory)?;
         VmProverExtension::<E, _, _>::extend_prover(&PairingProverExt, &config.pairing, inventory)?;
         Ok(chip_complex)
     }

benchmarks/guest/ecrecover/openvm.toml

@@ -9,9 +9,10 @@ supported_moduli = [
     "115792089237316195423570985008687907852837564279074904382605163141518161494337",
 ]
 
-[[app_vm_config.ecc.supported_curves]]
+[[app_vm_config.ecc.supported_sw_curves]]
 struct_name = "Secp256k1Point"
 modulus = "115792089237316195423570985008687907853269984665640564039457584007908834671663"
 scalar = "115792089237316195423570985008687907852837564279074904382605163141518161494337"
+[app_vm_config.ecc.supported_sw_curves.coeffs]
 a = "0"
 b = "7"

benchmarks/guest/ecrecover/openvm_init.rs

@@ -1,3 +1,4 @@
 // This file is automatically generated by cargo openvm. Do not rename or edit.
 openvm_algebra_guest::moduli_macros::moduli_init! { "115792089237316195423570985008687907853269984665640564039457584007908834671663", "115792089237316195423570985008687907852837564279074904382605163141518161494337" }
 openvm_ecc_guest::sw_macros::sw_init! { "Secp256k1Point" }
+openvm_ecc_guest::te_macros::te_init! {  }

benchmarks/guest/kitchen-sink/openvm.toml

@@ -39,31 +39,35 @@ supported_moduli = [
     ],
 ]
 
-[[app_vm_config.ecc.supported_curves]]
+[[app_vm_config.ecc.supported_sw_curves]]
 struct_name = "Secp256k1Point"
 modulus = "115792089237316195423570985008687907853269984665640564039457584007908834671663"
 scalar = "115792089237316195423570985008687907852837564279074904382605163141518161494337"
+[app_vm_config.ecc.supported_sw_curves.coeffs]
 a = "0"
 b = "7"
 
-[[app_vm_config.ecc.supported_curves]]
+[[app_vm_config.ecc.supported_sw_curves]]
 struct_name = "P256Point"
 modulus = "115792089210356248762697446949407573530086143415290314195533631308867097853951"
 scalar = "115792089210356248762697446949407573529996955224135760342422259061068512044369"
+[app_vm_config.ecc.supported_sw_curves.coeffs]
 a = "115792089210356248762697446949407573530086143415290314195533631308867097853948"
 b = "41058363725152142129326129780047268409114441015993725554835256314039467401291"
 
-[[app_vm_config.ecc.supported_curves]]
+[[app_vm_config.ecc.supported_sw_curves]]
 struct_name = "Bn254G1Affine"
 modulus = "21888242871839275222246405745257275088696311157297823662689037894645226208583"
 scalar = "21888242871839275222246405745257275088548364400416034343698204186575808495617"
+[app_vm_config.ecc.supported_sw_curves.coeffs]
 a = "0"
 b = "3"
 
-[[app_vm_config.ecc.supported_curves]]
+[[app_vm_config.ecc.supported_sw_curves]]
 struct_name = "Bls12_381G1Affine"
 modulus = "4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559787"
 scalar = "52435875175126190479447740508185965837690552500527637822603658699938581184513"
+[app_vm_config.ecc.supported_sw_curves.coeffs]
 a = "0"
 b = "4"
 

benchmarks/guest/pairing/openvm.toml

@@ -21,9 +21,10 @@ supported_moduli = [
 supported_curves = ["Bn254"]
 
 # bn254 (alt bn128)
-[[app_vm_config.ecc.supported_curves]]
+[[app_vm_config.ecc.supported_sw_curves]]
 struct_name = "Bn254G1Affine"
 modulus = "21888242871839275222246405745257275088696311157297823662689037894645226208583"
 scalar = "21888242871839275222246405745257275088548364400416034343698204186575808495617"
+[app_vm_config.ecc.supported_sw_curves.coeffs]
 a = "0"
 b = "3"

book/src/custom-extensions/ecc.md

@@ -17,12 +17,20 @@ Developers can enable arbitrary Weierstrass curves by configuring this extension
 - `WeierstrassPoint` trait:
   It represents an affine point on a Weierstrass elliptic curve and it extends `Group`.
 
-  - `Coordinate` type is the type of the coordinates of the point, and it implements `IntMod`.
-  - `x()`, `y()` are used to get the affine coordinates
+  - `Coordinate` type is the type of the coordinates of the point, and it implements `Field`.
+  - `x()`, `y()` are used to get the affine coordinates.
   - `from_xy` is a constructor for the point, which checks if the point is either identity or on the affine curve.
   - The point supports elliptic curve operations through intrinsic functions `add_ne_nonidentity` and `double_nonidentity`.
   - `decompress`: Sometimes an elliptic curve point is compressed and represented by its `x` coordinate and the odd/even parity of the `y` coordinate. `decompress` is used to decompress the point back to `(x, y)`.
 
+- `TwistedEdwardsPoint` trait:
+  It represents an affine point on a twisted Edwards elliptic curve and it extends `Group`.
+
+  - `Coordinate` type is the type of the coordinates of the point, and it implements `Field`.
+  - `x()`, `y()` are used to get the affine coordinates.
+  - `from_xy` is a constructor for the point, which checks if the point is on the affine curve.
+  - The point supports elliptic curve addition through the `add_impl` method.
+
 - `msm`: for multi-scalar multiplication.
 
 - `ecdsa`: for doing ECDSA signature verification and public key recovery from signature.
@@ -31,17 +39,20 @@ Developers can enable arbitrary Weierstrass curves by configuring this extension
 
 For elliptic curve cryptography, the `openvm-ecc-guest` crate provides macros similar to those in [`openvm-algebra-guest`](./algebra.md):
 
-1. **Declare**: Use `sw_declare!` to define elliptic curves over the previously declared moduli. For example:
+1. **Declare**: Use `sw_declare!` or `te_declare!` to define short Weierstrass or twisted Edwards elliptic curves, respectively, over the previously declared moduli. For example:
 
 ```rust
 sw_declare! {
     Bls12_381G1Affine { mod_type = Bls12_381Fp, b = BLS12_381_B },
     P256Affine { mod_type = P256Coord, a = P256_A, b = P256_B },
 }
+te_declare! {
+    Edwards25519 { mod_type = Edwards25519Coord, a = CURVE_A, d = CURVE_D },
+}
 ```
+This creates `Bls12_381G1Affine` and `P256Affine` structs which implement the `Group` and `WeierstrassPoint` traits, and the `Edwards25519` struct which implements the `Group` and `TwistedEdwardsPoint` traits. The underlying memory layout of the structs uses the memory layout of the `Bls12_381Fp`, `P256Coord`, and `Edwards25519Coord` structs, respectively.
 
-Each declared curve must specify the `mod_type` (implementing `IntMod`) and a constant `b` for the Weierstrass curve equation \\(y^2 = x^3 + ax + b\\). `a` is optional and defaults to 0 for short Weierstrass curves.
-This creates `Bls12_381G1Affine` and `P256Affine` structs which implement the `Group` and `WeierstrassPoint` traits. The underlying memory layout of the structs uses the memory layout of the `Bls12_381Fp` and `P256Coord` structs, respectively.
+Each declared curve must specify the `mod_type` (implementing `Field`) and a constant `b` for the Weierstrass curve equation \\(y^2 = x^3 + ax + b\\) or `a` and `d` for the twisted Edwards curve equation \\(ax^2 + y^2 = 1 + dx^2y^2\\). For short Weierstrass curves, `a` is optional and defaults to 0.
 
 2. **Init**: Called once, the [`openvm::init!` macro](./overview.md#automating-the-init-step) produces a call to `sw_init!` that enumerates these curves and allows the compiler to produce optimized instructions:
 
@@ -51,17 +62,21 @@ openvm::init!();
 sw_init! {
     "Bls12_381G1Affine", "P256Affine",
 }
+te_init! {
+    Edwards25519,
+}
 */
 ```
 
 **Summary**:
 
-- `sw_declare!`: Declares elliptic curve structures.
+- `sw_declare!`: Declares short Weierstrass elliptic curve structures.
+- `te_declare!`: Declares twisted Edwards elliptic curve structures.
 - `init!`: Initializes them once, linking them to the underlying moduli.
 
-To use elliptic curve operations on a struct defined with `sw_declare!`, it is expected that the struct for the curve's coordinate field was defined using `moduli_declare!`. In particular, the coordinate field needs to be initialized and set up as described in the [algebra extension](./algebra.md) chapter.
+To use elliptic curve operations on a struct defined with `sw_declare!` or `te_declare!`, it is expected that the struct for the curve's coordinate field was defined using `moduli_declare!`. In particular, the coordinate field needs to be initialized and set up as described in the [algebra extension](./algebra.md) chapter.
 
-For the basic operations provided by the `WeierstrassPoint` trait, the scalar field is not needed. For the ECDSA functions in the `ecdsa` module, the scalar field must also be declared, initialized, and set up.
+For the basic operations provided by the `WeierstrassPoint` or `TwistedEdwardsPoint` traits, the scalar field is not needed. For the ECDSA functions in the `ecdsa` module, the scalar field must also be declared, initialized, and set up.
 
 ## ECDSA
 

book/src/custom-extensions/overview.md

@@ -60,20 +60,39 @@ supported_moduli = ["<modulus_1>", "<modulus_2>", ...]
 [app_vm_config.pairing]
 supported_curves = ["Bls12_381", "Bn254"]
 
-[[app_vm_config.ecc.supported_curves]]
-struct_name = "<curve_name_1>"
+[[app_vm_config.ecc.supported_sw_curves]]
+struct_name = "<sw_curve_name_1>"
 modulus = "<modulus_1>"
 scalar = "<scalar_1>"
+[app_vm_config.ecc.supported_sw_curves.coeffs]
 a = "<a_1>"
 b = "<b_1>"
 
-[[app_vm_config.ecc.supported_curves]]
-struct_name = "<curve_name_2>"
+[[app_vm_config.ecc.supported_sw_curves]]
+struct_name = "<sw_curve_name_2>"
 modulus = "<modulus_2>"
 scalar = "<scalar_2>"
+[app_vm_config.ecc.supported_sw_curves.coeffs]
 a = "<a_2>"
 b = "<b_2>"
+
+[[app_vm_config.ecc.supported_te_curves]]
+struct_name = "<te_curve_name_1>"
+modulus = "<modulus_1>"
+scalar = "<scalar_1>"
+[app_vm_config.ecc.supported_te_curves.coeffs]
+a = "<a_1>"
+d = "<d_1>"
+
+[[app_vm_config.ecc.supported_te_curves]]
+struct_name = "<te_curve_name_2>"
+modulus = "<modulus_2>"
+scalar = "<scalar_2>"
+[app_vm_config.ecc.supported_te_curves.coeffs]
+a = "<a_2>"
+d = "<d_2>"
+`
 ```
 
 `rv32i`, `io`, and `rv32m` need to be always included if you make an `openvm.toml` file while the rest are optional and should be included if you want to use the corresponding extension.
-All moduli and scalars must be provided in decimal format. Currently `pairing` supports only pre-defined `Bls12_381` and `Bn254` curves. To add more `ecc` curves you need to add more `[[app_vm_config.ecc.supported_curves]]` entries.
+All moduli and scalars must be provided in decimal format. Currently `pairing` supports only pre-defined `Bls12_381` and `Bn254` curves. To add more `ecc` curves you need to add more `[[app_vm_config.ecc.supported_sw_curves]]` or `[[app_vm_config.ecc.supported_te_curves]]` entries.

book/src/guest-libs/k256.md

@@ -40,17 +40,18 @@ For the guest program to build successfully, all used moduli and curves must be
 [app_vm_config.modular]
 supported_moduli = ["115792089237316195423570985008687907853269984665640564039457584007908834671663", "115792089237316195423570985008687907852837564279074904382605163141518161494337"]
 
-[[app_vm_config.ecc.supported_curves]]
+[[app_vm_config.ecc.supported_sw_curves]]
 struct_name = "Secp256k1Point"
 modulus = "115792089237316195423570985008687907853269984665640564039457584007908834671663"
 scalar = "115792089237316195423570985008687907852837564279074904382605163141518161494337"
+[app_vm_config.ecc.supported_sw_curves.coeffs]
 a = "0"
 b = "7"
 ```
 
 The `supported_moduli` parameter is a list of moduli that the guest program will use. As mentioned in the [algebra extension](../custom-extensions/algebra.md) chapter, the order of moduli in `[app_vm_config.modular]` must match the order in the `moduli_init!` macro.
 
-The `ecc.supported_curves` parameter is a list of supported curves that the guest program will use. They must be provided in decimal format in the `.toml` file. For multiple curves create multiple `[[app_vm_config.ecc.supported_curves]]` sections. The order of curves in `[[app_vm_config.ecc.supported_curves]]` must match the order in the `sw_init!` macro.
-Also, the `struct_name` field must be the name of the elliptic curve struct created by `sw_declare!`.
+The `ecc.supported_curves` parameter is a list of supported curves that the guest program will use. They must be provided in decimal format in the `.toml` file. For multiple curves create multiple `[[app_vm_config.ecc.supported_sw_curves]]`/`[[app_vm_config.ecc.supported_te_curves]]` sections. The order of curves in `[[app_vm_config.ecc.supported_sw/te_curves]]` must match the order in the `sw_init!`/`te_init!` macros respectively.
+Also, the `struct_name` field must be the name of the elliptic curve struct created by `sw_declare!`/`te_declare!`.
 In this example, the `Secp256k1Point` struct is created in `openvm_ecc_guest::k256`.
 

book/src/guest-libs/p256.md

@@ -11,15 +11,16 @@ For the guest program to build successfully, all used moduli and curves must be
 [app_vm_config.modular]
 supported_moduli = ["115792089210356248762697446949407573530086143415290314195533631308867097853951", "115792089210356248762697446949407573529996955224135760342422259061068512044369"]
 
-[[app_vm_config.ecc.supported_curves]]
+[[app_vm_config.ecc.supported_sw_curves]]
 struct_name = "P256Point"
 modulus = "115792089210356248762697446949407573530086143415290314195533631308867097853951"
 scalar = "115792089210356248762697446949407573529996955224135760342422259061068512044369"
+[app_vm_config.ecc.supported_sw_curves.coeffs]
 a = "115792089210356248762697446949407573530086143415290314195533631308867097853948"
 b = "41058363725152142129326129780047268409114441015993725554835256314039467401291"
 ```
 
 The `supported_moduli` parameter is a list of moduli that the guest program will use. As mentioned in the [algebra extension](../custom-extensions/algebra.md) chapter, the order of moduli in `[app_vm_config.modular]` must match the order in the `moduli_init!` macro.
 
-The `ecc.supported_curves` parameter is a list of supported curves that the guest program will use. They must be provided in decimal format in the `.toml` file. For multiple curves create multiple `[[app_vm_config.ecc.supported_curves]]` sections. The order of curves in `[[app_vm_config.ecc.supported_curves]]` must match the order in the `sw_init!` macro.
-Also, the `struct_name` field must be the name of the elliptic curve struct created by `sw_declare!`.
+The `ecc.supported_curves` parameter is a list of supported curves that the guest program will use. They must be provided in decimal format in the `.toml` file. For multiple curves create multiple `[[app_vm_config.ecc.supported_sw_curves]]`/`[[app_vm_config.ecc.supported_te_curves]]` sections. The order of curves in `[[app_vm_config.ecc.supported_sw_curves]]`/`[[app_vm_config.ecc.supported_te_curves]]`  must match the order in the `sw_init!`/`te_init!` macros respectively.
+Also, the `struct_name` field must be the name of the elliptic curve struct created by `sw_declare!`/`te_declare!`.

crates/circuits/mod-builder/src/builder.rs

@@ -418,6 +418,7 @@ impl<AB: InteractionBuilder> SubAir<AB> for FieldExpr {
         for i in 0..self.constraints.len() {
             let expr = self.constraints[i]
                 .evaluate_overflow_expr::<AB>(&inputs, &vars, &constants, &flags);
+
             self.check_carry_mod_to_zero.eval(
                 builder,
                 (

crates/circuits/poseidon2-air/src/babybear.rs

@@ -18,7 +18,7 @@ pub(crate) fn horizen_to_p3_babybear(horizen_babybear: HorizenBabyBear) -> BabyB
 }
 
 pub(crate) fn horizen_round_consts() -> Poseidon2Constants<BabyBear> {
-    let p3_rc16: Vec<Vec<BabyBear>> = RC16
+    let p3_rc16: Vec<Vec<_>> = RC16
         .iter()
         .map(|round| {
             round
@@ -29,18 +29,10 @@ pub(crate) fn horizen_round_consts() -> Poseidon2Constants<BabyBear> {
         .collect();
     let p_end = BABY_BEAR_POSEIDON2_HALF_FULL_ROUNDS + BABY_BEAR_POSEIDON2_PARTIAL_ROUNDS;
 
-    let beginning_full_round_constants: [[BabyBear; POSEIDON2_WIDTH];
-        BABY_BEAR_POSEIDON2_HALF_FULL_ROUNDS] = from_fn(|i| p3_rc16[i].clone().try_into().unwrap());
-    let partial_round_constants: [BabyBear; BABY_BEAR_POSEIDON2_PARTIAL_ROUNDS] =
-        from_fn(|i| p3_rc16[i + BABY_BEAR_POSEIDON2_HALF_FULL_ROUNDS][0]);
-    let ending_full_round_constants: [[BabyBear; POSEIDON2_WIDTH];
-        BABY_BEAR_POSEIDON2_HALF_FULL_ROUNDS] =
-        from_fn(|i| p3_rc16[i + p_end].clone().try_into().unwrap());
-
     Poseidon2Constants {
-        beginning_full_round_constants,
-        partial_round_constants,
-        ending_full_round_constants,
+        beginning_full_round_constants: from_fn(|i| p3_rc16[i].clone().try_into().unwrap()),
+        partial_round_constants: from_fn(|i| p3_rc16[i + BABY_BEAR_POSEIDON2_HALF_FULL_ROUNDS][0]),
+        ending_full_round_constants: from_fn(|i| p3_rc16[i + p_end].clone().try_into().unwrap()),
     }
 }