Feat: add purego ext 6 over koalabear and babybear fields #772
Merged
Conversation
gbotrel
previously approved these changes
Dec 15, 2025
Collaborator
gbotrel
left a comment
lgtm, just add goimports to your flow half of the files are modified / staticcheck doesn't pass because of this :)
Hello! I am curious, what is the current state of performance of the degree 6 extension for koala-bear (in particular vs degree 5 if you have any number), and which algorithm is the fastest on gnark? (is it Toom3?) Thanks in advance ;)
Collaborator
Review pass from 2026-05-07. I did not find blocking issues in this pass. The targeted extension-field packages compile and pass locally, and GitHub checks are green at the PR head I reviewed. Verification run locally:
AlexandreBelling
previously approved these changes
May 8, 2026
- Fix Exp/ExpInt64 doc strings: (mod q⁴) → (mod q⁶) (copy-paste from E4).
- E6.MulByElement: copy y locally to match MulByE2's aliasing-safe pattern.
- E6.Exp: skip leading zero bits of the most-significant byte. ~4% faster on a 200-bit exponent (5318 vs 5523 ns/op on Apple M5 Max), no allocations beyond the existing one for big.Int negation.
- E6D.Inverse: convert in-place via toTowerInto/setFromTower helpers instead of allocating two heap structs via ToTower/FromTower.
- FromTower/ToTower: document the v=w, u=w³-1 isomorphism.
- Fix typo: "We then we re-arrange" → "We then re-arrange".
- Add Halve docstring.
- Add BenchmarkE6DMulNaive and Exp tests for negative big.Int and k > int64.

Benchmarks also revealed that mulNaive is currently ~45% faster than mulMontgomery6 on koalabear (27.5 vs 49.6 ns/op) and ~62% faster on babybear (29.2 vs 76.1 ns/op) — Montgomery6's 17M-vs-36M tradeoff loses to schoolbook when Fr.Mul is a few cycles, and `interpolate` returning &v forces a heap allocation per call. Worth revisiting the Mul default in a follow-up.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
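The v=w, u=w³-1 isomorphism named in the commit message above can be checked numerically; the following is an added example, not code from this PR or from gnark-crypto. It assumes the quadratic relation u² = Beta with Beta = 3 (the page does not state the non-residue), from which v³ = u+1 and w⁶ = 2w³ + (Beta-1) follow; all type and function names are hypothetical and the sample values are constructed.

```go
package main

import "fmt"

const P = 2130706433 // KoalaBear prime, 2^31 - 2^24 + 1
const Beta = 3       // ASSUMED: u^2 = Beta in E2; the page does not state it
type E2 [2]uint64     // a0 + a1*u
type Tower [3]E2      // B0 + B1*v + B2*v^2, with v^3 = u + 1 (from v=w, u=w^3-1)
type Direct [6]uint64 // coefficients of 1, w, ..., w^5

func addE2(a, b E2) E2 { return E2{(a[0] + b[0]) % P, (a[1] + b[1]) % P} }
func mulE2(a, b E2) E2 { return E2{(a[0]*b[0] + Beta*(a[1]*b[1]%P)) % P, (a[0]*b[1] + a[1]*b[0]) % P} }

// MulTower is schoolbook multiplication in E2[v]/(v^3 - (u+1)).
func MulTower(a, b Tower) Tower {
	var c [5]E2
	for i := range a {
		for j := range b {
			c[i+j] = addE2(c[i+j], mulE2(a[i], b[j]))
		}
	}
	c[1] = addE2(c[1], mulE2(c[4], E2{1, 1})) // v^4 = (1+u)*v
	c[0] = addE2(c[0], mulE2(c[3], E2{1, 1})) // v^3 = 1+u
	return Tower{c[0], c[1], c[2]}
}

// MulDirect is schoolbook multiplication in Fp[w]/(w^6 - 2w^3 - (Beta-1)).
func MulDirect(a, b Direct) Direct {
	var c [11]uint64
	for i := range a {
		for j := range b {
			c[i+j] = (c[i+j] + a[i]*b[j]) % P
		}
	}
	for i := 10; i >= 6; i-- { // fold high terms down: w^6 = 2*w^3 + (Beta-1)
		c[i-3] = (c[i-3] + 2*c[i]) % P
		c[i-6] = (c[i-6] + (Beta-1)*c[i]) % P
	}
	return Direct{c[0], c[1], c[2], c[3], c[4], c[5]}
}

func ToDirect(t Tower) Direct { // (a0 + a1*u)*v^i -> (a0-a1)*w^i + a1*w^(i+3)
	s := func(i int) uint64 { return (t[i][0] + P - t[i][1]) % P }
	return Direct{s(0), s(1), s(2), t[0][1], t[1][1], t[2][1]}
}

func main() {
	x, y := Tower{{5, 7}, {11, 13}, {17, 19}}, Tower{{2, 3}, {4, 6}, {8, 9}} // constructed inputs
	fmt.Println(ToDirect(MulTower(x, y)) == MulDirect(ToDirect(x), ToDirect(y)))
}
```

Multiplying in the tower and then converting must equal converting first and multiplying in the direct representation; a mismatch in either reduction rule or in the coefficient mapping breaks that equality.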
gbotrel
approved these changes
May 13, 2026
Description
We might need extension 6 over koalabear instead of 4 for higher security. This PR implements purego ext 6 over koala/baby bears.
Type of change
How has this been tested?
Corresponding tests implemented in e6_test.go
How has this been benchmarked?
Benchmarks in e6_test.go
Checklist:
golangci-lint does not output errors locally
Note
Medium Risk
Adds new extension-field arithmetic (E6/E6D) and changes non-residue multiplication APIs used by higher-degree operations, so correctness/performance regressions are possible despite property tests and benches.
Overview
Adds degree-6 extension field support for babybear and koalabear by generating new E6 (tower over E2) and E6D (direct Fr[w]/(...)) implementations, including batch inversion, exponentiation, division, and conversion between tower/direct representations.
Renames/clarifies non-residue helpers across extensions: MulByNonResidue → MulByQuadraticNonResidue, removes the old inverse helper, and (for babybear/koalabear) introduces MulByCubicNonResidue used by the new E6 formulas; E4 is updated accordingly. Generator templates and docs are updated to emit the new files and document extension-6 constructions, and new property tests/benchmarks are added for the E6/E6D APIs.
Reviewed by Cursor Bugbot for commit da0499e. Bugbot is set up for automated code reviews on this repo.