1. 引言

前序博客见：

• 有限域的Fast Multiplication和Modular Reduction算法实现

代码实现见：

• https://github.com/risc0/risc0/blob/main/risc0/core/src/field/baby_bear.rs
• https://github.com/risc0/risc0/tree/main/risc0/circuit/rv32im-sys/cxx
• https://github.com/risc0/risc0/blob/main/risc0/circuit/recursion-sys/cxx
• https://github.com/risc0/risc0/tree/main/risc0/build_kernel/kernels/cuda（Babybear域 及其 扩域 的CUDA代码实现）
• https://github.com/risc0/risc0/tree/main/risc0/build_kernel/kernels/metal（Babybear域 及其 扩域 的Metal代码实现）

Babybear域${\mathbb{F}}_p$，其中$p=2^{31}-2^{17}+1=15\ast 2^{17}+1$，取其4-th 扩域${\mathbb{F}}_{p^4}$的不可约多项式为$x^4-11$。对应的sagemath验证脚本为：

sage: p=2**31-2**27+1 
....: R.<x> = GF(p)[] 
....: (x^4 - 11).is_irreducible()                                               
True

对应的域定义为：

/// The BabyBear class is an element of the finite field F_p, where P is the
/// prime number 15*2^27 + 1. Put another way, Fp is basically integer
/// arithmetic modulo P.
///
/// The `Fp` datatype is the core type of all of the operations done within the
/// zero knowledge proofs, and is the smallest 'addressable' datatype, and the
/// base type of which all composite types are built. In many ways, one can
/// imagine it as the word size of a very strange architecture.
///
/// This specific prime P was chosen to:
/// - Be less than 2^31 so that it fits within a 32 bit word and doesn't
///   overflow on addition.
/// - Otherwise have as large a power of 2 in the factors of P-1 as possible.
///
/// This last property is useful for number theoretical transforms (the fast
/// fourier transform equivelant on finite fields). See NTT.h for details.
///
/// The Fp class wraps all the standard arithmetic operations to make the finite
/// field elements look basically like ordinary numbers (which they mostly are).
#[derive(Eq, Clone, Copy, Pod, Zeroable)]
#[repr(transparent)]
pub struct Elem(u32); //F_p
/// Alias for the Baby Bear [Elem]
pub type BabyBearElem = Elem;/// The size of the extension field in elements, 4 in this case.
const EXT_SIZE: usize = 4;/// Instances of `ExtElem` are elements of a finite field `F_p^4`. They are
/// represented as elements of `F_p[X] / (X^4 - 11)`. This large
/// finite field (about `2^128` elements) is used when the security of
/// operations depends on the size of the field. The field extension `ExtElem`
/// has `Elem` as a subfield, so operations on elements of each are compatible.
/// The irreducible polynomial `x^4 - 11` was chosen because `11` is
/// the smallest choice of `B` for `x^4 - B` that makes this polynomial
/// irreducible.
#[derive(Eq, Clone, Copy, Pod, Zeroable)]
#[repr(transparent)]
pub struct ExtElem([Elem; EXT_SIZE]); //F_{p^4}扩域/* struct Fp4 {/// The elements of Fp4, elems[0] + elems[1]*X + elems[2]*X^2 + elems[3]*x^4Fp elems[4];....} */

根据 有限域的Fast Multiplication和Modular Reduction算法实现，BabyBear域运算采用Montgomery形式：



鉴于单个Babybear域元素可 以32位整数表示，2个Babybear域元素$0\le u,v<p$ 乘积可 以64位整数表示，且无需考虑进位情况。对应为：

• $b=2^{32}$
• $n=1$
• $R=b^n=2^{32}$
• 实际代码实现时，由于$n=1$，可预计算出相应的R2值为mod(r^2, p)，相应的M值为mod(1/p,r) 。

sage: p=2**31-2**27+1 
sage: r=2**32                                                                   
sage: mod(r^2, p)                                                               
1172168163
sage: mod(1/p,r)                                                                
2281701377
sage: hex(2281701377)                                                           
'0x88000001'

/// Wrapping multiplication of [Elem]  using Baby Bear field modulus
// Copied from the C++ implementation (fp.h)
const fn mul(lhs: u32, rhs: u32) -> u32 {// uint64_t o64 = uint64_t(a) * uint64_t(b);let mut o64: u64 = (lhs as u64).wrapping_mul(rhs as u64);// uint32_t low = -uint32_t(o64);let low: u32 = 0u32.wrapping_sub(o64 as u32);// uint32_t red = M * low;let red = M.wrapping_mul(low);// o64 += uint64_t(red) * uint64_t(P);o64 += (red as u64).wrapping_mul(P_U64);// uint32_t ret = o64 >> 32;let ret = (o64 >> 32) as u32;// return (ret >= P ? ret - P : ret);if ret >= P {ret - P} else {ret}
}/// Encode to Montgomery form from direct form.
const fn encode(a: u32) -> u32 {mul(R2, a)
}/// Decode from Montgomery form from direct form.
const fn decode(a: u32) -> u32 {mul(1, a)
}

RISC Zero系列博客

• RISC0：Towards a Unified Compilation Framework for Zero Knowledge
• Risc Zero ZKVM：zk-STARKs + RISC-V
• 2023年 ZK Hack以及ZK Summit 9 亮点记
• RISC Zero zkVM 白皮书
• Risc0：使用Continunations来证明任意EVM交易
• Zeth：首个Type 0 zkEVM
• RISC Zero项目简介
• RISC Zero zkVM性能指标
• Continuations：扩展RISC Zero zkVM支持（无限）大计算
• A summary on the FRI low degree test前2页导读
• Reed-Solomon Codes及其与RISC Zero zkVM的关系
• RISC Zero zkVM架构
• RISC-V与RISC Zero zkVM的关系
• 有限域的Fast Multiplication和Modular Reduction算法实现
• RISC Zero的Bonsai证明服务
• RISC Zero ZKP协议中的商多项式
• FRI的Commit、Query以及FRI Batching内部机制
• RISC Zero的手撕STARK
• RISC Zero zkVM guest程序优化技巧 及其 与物理CPU的关键差异
• ZK*FM：RISC Zero zkVM的形式化验证
• Zirgen MLIR：RISC-Zero的ZK-circuits形式化验证
• 以RISC Zero ZK Fraud Proof赋能Optimistic Rollups
• zkSummit10 亮点记
• 技术探秘：在RISC Zero中验证FHE——由隐藏到证明：FHE验证的ZK路径（1）
• 技术探秘：在RISC Zero中验证FHE——RISC Zero应用的DevOps（2）
• RISC Zero STARK证明系统时序图及规范
• RISC Zero zkVM Host & Guest 101
• RISC Zero zk-STARK证明系统代码解析