fare count fixes

Author: iakovenkos

barretenberg/cpp/src/barretenberg/dsl/acir_format/gate_count_constants.hpp

@@ -147,7 +147,7 @@ inline constexpr size_t HIDING_KERNEL_ULTRA_OPS = 124;
 // ========================================
 
 // Gate count for ECCVM recursive verifier (Ultra-arithmetized)
-inline constexpr size_t ECCVM_RECURSIVE_VERIFIER_GATE_COUNT = 220533;
+inline constexpr size_t ECCVM_RECURSIVE_VERIFIER_GATE_COUNT = 220399;
 
 // ========================================
 // Goblin AVM Recursive Verifier Constants

barretenberg/cpp/src/barretenberg/special_public_inputs/special_public_inputs.hpp

@@ -22,21 +22,18 @@ class DefaultIO {
     using FF = curve::BN254::ScalarField;
     using PublicPairingPoints = PublicInputComponent<PairingPoints<curve::BN254>>;
 
-    static constexpr size_t PUBLIC_INPUTS_SIZE = DEFAULT_PUBLIC_INPUTS_SIZE;
+    static constexpr size_t PUBLIC_INPUTS_SIZE = PairingPoints<curve::BN254>::PUBLIC_INPUTS_SIZE;
     static constexpr bool HasIPA = false;
 
     PairingPoints<curve::BN254> pairing_inputs;
 
     /**
      * @brief Reconstructs the IO components from a public inputs array.
-     *
-     * @param public_inputs Public inputs array containing the serialized kernel public inputs.
      */
     void reconstruct_from_public(const std::vector<FF>& public_inputs)
     {
         // Assumes that the app-io public inputs are at the end of the public_inputs vector
         uint32_t index = static_cast<uint32_t>(public_inputs.size() - PUBLIC_INPUTS_SIZE);
-
         pairing_inputs = PublicPairingPoints::reconstruct(public_inputs, PublicComponentKey{ index });
     }
 
@@ -61,7 +58,8 @@ class HidingKernelIO {
     using PublicPairingPoints = PublicInputComponent<PairingPoints<curve::BN254>>;
     using PublicPoint = PublicInputComponent<G1>;
 
-    static constexpr size_t PUBLIC_INPUTS_SIZE = HIDING_KERNEL_PUBLIC_INPUTS_SIZE;
+    static constexpr size_t PUBLIC_INPUTS_SIZE =
+        PairingPoints<curve::BN254>::PUBLIC_INPUTS_SIZE + G1::PUBLIC_INPUTS_SIZE * (1 + MegaCircuitBuilder::NUM_WIRES);
     static constexpr bool HasIPA = false;
 
     PairingPoints<curve::BN254> pairing_inputs;
@@ -70,8 +68,6 @@ class HidingKernelIO {
 
     /**
      * @brief Reconstructs the IO components from a public inputs array.
-     *
-     * @param public_inputs Public inputs array containing the serialized kernel public inputs.
      */
     void reconstruct_from_public(const std::vector<FF>& public_inputs)
     {
@@ -108,20 +104,19 @@ class RollupIO {
     using PublicPairingPoints = PublicInputComponent<PairingPoints<curve::BN254>>;
     using PublicIpaClaim = PublicInputComponent<IpaClaim>;
 
-    static constexpr size_t PUBLIC_INPUTS_SIZE = ROLLUP_PUBLIC_INPUTS_SIZE;
+    static constexpr size_t PUBLIC_INPUTS_SIZE =
+        PairingPoints<curve::BN254>::PUBLIC_INPUTS_SIZE + IpaClaim::PUBLIC_INPUTS_SIZE;
     static constexpr bool HasIPA = true;
 
     PairingPoints<curve::BN254> pairing_inputs;
     IpaClaim ipa_claim;
 
     /**
      * @brief Reconstructs the IO components from a public inputs array.
-     *
-     * @param public_inputs Public inputs array containing the serialized kernel public inputs.
      */
     void reconstruct_from_public(const std::vector<FF>& public_inputs)
     {
-        // Assumes that the app-io public inputs are at the end of the public_inputs vector
+        // Assumes that the rollup-io public inputs are at the end of the public_inputs vector
         uint32_t index = static_cast<uint32_t>(public_inputs.size() - PUBLIC_INPUTS_SIZE);
 
         pairing_inputs = PublicPairingPoints::reconstruct(public_inputs, PublicComponentKey{ index });

barretenberg/cpp/src/barretenberg/stdlib/primitives/pairing_points.hpp

@@ -16,16 +16,36 @@
 
 namespace bb::stdlib::recursion {
 
+// Combined limbs for default pairing points: lo = limb0 + limb1 * 2^68, hi = limb2 + limb3 * 2^68
+// These are the source of truth, used in set_default_to_public() to avoid expensive bigfield operations.
+static constexpr bb::fr DEFAULT_PP_P0_X_LO =
+    bb::fr("0x000000000000000000000000000000b75c020998797da7842ab5d6d1986846cf");
+static constexpr bb::fr DEFAULT_PP_P0_X_HI =
+    bb::fr("0x0000000000000000000000000000000000031e97a575e9d05a107acb64952eca");
+static constexpr bb::fr DEFAULT_PP_P0_Y_LO =
+    bb::fr("0x000000000000000000000000000000c410db10a01750aebb5666547acf8bd5a4");
+static constexpr bb::fr DEFAULT_PP_P0_Y_HI =
+    bb::fr("0x0000000000000000000000000000000000178cbf4206471d722669117f9758a4");
+static constexpr bb::fr DEFAULT_PP_P1_X_LO =
+    bb::fr("0x0000000000000000000000000000007fd51009034b3357f0e91b8a11e7842c38");
+static constexpr bb::fr DEFAULT_PP_P1_X_HI =
+    bb::fr("0x00000000000000000000000000000000000f94656a2ca489889939f81e9c7402");
+static constexpr bb::fr DEFAULT_PP_P1_Y_LO =
+    bb::fr("0x00000000000000000000000000000093fe27776f50224bd6fb128b46c1ddb67f");
+static constexpr bb::fr DEFAULT_PP_P1_Y_HI =
+    bb::fr("0x00000000000000000000000000000000001b52c2020d7464a0c80c0da527a081");
+
 // TODO(https://github.com/AztecProtocol/barretenberg/issues/911): These are pairing points extracted from a
 // valid proof. This is a workaround because we can't represent the point at infinity in biggroup yet.
+// Derived from the combined limbs above: fq = lo + hi * 2^136
 static constexpr bb::fq DEFAULT_PAIRING_POINT_P0_X =
-    bb::fq("0x031e97a575e9d05a107acb64952ecab75c020998797da7842ab5d6d1986846cf");
+    bb::fq(uint256_t(DEFAULT_PP_P0_X_LO) + (uint256_t(DEFAULT_PP_P0_X_HI) << 136));
 static constexpr bb::fq DEFAULT_PAIRING_POINT_P0_Y =
-    bb::fq("0x178cbf4206471d722669117f9758a4c410db10a01750aebb5666547acf8bd5a4");
+    bb::fq(uint256_t(DEFAULT_PP_P0_Y_LO) + (uint256_t(DEFAULT_PP_P0_Y_HI) << 136));
 static constexpr bb::fq DEFAULT_PAIRING_POINT_P1_X =
-    bb::fq("0x0f94656a2ca489889939f81e9c74027fd51009034b3357f0e91b8a11e7842c38");
+    bb::fq(uint256_t(DEFAULT_PP_P1_X_LO) + (uint256_t(DEFAULT_PP_P1_X_HI) << 136));
 static constexpr bb::fq DEFAULT_PAIRING_POINT_P1_Y =
-    bb::fq("0x1b52c2020d7464a0c80c0da527a08193fe27776f50224bd6fb128b46c1ddb67f");
+    bb::fq(uint256_t(DEFAULT_PP_P1_Y_LO) + (uint256_t(DEFAULT_PP_P1_Y_HI) << 136));
 
 /**
  * @brief An object storing two EC points that represent the inputs to a pairing check.
@@ -81,11 +101,21 @@ template <typename Curve> struct PairingPoints {
     {}
 
     // Array-like accessors for Codec compatibility
-    Group& operator[](size_t idx) { return idx == 0 ? P0 : P1; }
+    // Non-const version sets has_data since it's called during assignment (e.g., by Codec deserialization)
+    Group& operator[](size_t idx)
+    {
+        has_data = true;
+        return idx == 0 ? P0 : P1;
+    }
     const Group& operator[](size_t idx) const { return idx == 0 ? P0 : P1; }
 
     // Iterator support for range-based for (required by Codec)
-    Group* begin() { return &P0; }
+    // Non-const begin() sets has_data since it's called during Codec deserialization
+    Group* begin()
+    {
+        has_data = true;
+        return &P0;
+    }
     Group* end() { return &P1 + 1; }
     const Group* begin() const { return &P0; }
     const Group* end() const { return &P1 + 1; }
@@ -244,16 +274,34 @@ template <typename Curve> struct PairingPoints {
 
     /**
      * @brief Set the witness indices for the default limbs of the pairing points to public.
-     * @details Creates default pairing points as witnesses, then sets them public.
+     * @details Optimized version that directly sets precomputed Fr limb values as public inputs,
+     *          avoiding expensive bigfield operations. The default pairing points satisfy the
+     *          pairing equation, which is verified at compile time via static assertion.
      *
      * @return uint32_t The index into the public inputs array at which the representation is stored
      */
     static uint32_t set_default_to_public(Builder* builder)
     {
-        PairingPoints pp = construct_default();
-        pp.P0.convert_constant_to_fixed_witness(builder);
-        pp.P1.convert_constant_to_fixed_witness(builder);
-        return pp.set_public();
+        // Directly add precomputed combined limbs as public inputs, bypassing bigfield's self_reduce.
+        // These values encode the default pairing points in the format used by bigfield::set_public().
+        // Order: P0.x (lo, hi), P0.y (lo, hi), P1.x (lo, hi), P1.y (lo, hi)
+        // Each fix_witness call adds 1 gate to constrain the value at the VK level.
+        auto add_fixed_public = [&](const bb::fr& value) {
+            uint32_t idx = builder->add_public_variable(value);
+            builder->fix_witness(idx, value);
+            return idx;
+        };
+
+        uint32_t start_idx = add_fixed_public(DEFAULT_PP_P0_X_LO);
+        add_fixed_public(DEFAULT_PP_P0_X_HI);
+        add_fixed_public(DEFAULT_PP_P0_Y_LO);
+        add_fixed_public(DEFAULT_PP_P0_Y_HI);
+        add_fixed_public(DEFAULT_PP_P1_X_LO);
+        add_fixed_public(DEFAULT_PP_P1_X_HI);
+        add_fixed_public(DEFAULT_PP_P1_Y_LO);
+        add_fixed_public(DEFAULT_PP_P1_Y_HI);
+
+        return start_idx;
     }
 
     /**

barretenberg/cpp/src/barretenberg/stdlib/primitives/pairing_points.test.cpp

@@ -19,11 +19,9 @@ TYPED_TEST_SUITE(PairingPointsTests, Curves);
 TYPED_TEST(PairingPointsTests, ConstructDefault)
 {
     using Builder = typename TypeParam::Builder;
-    // Ultra uses bigfield which requires range constraints for self_reduce() when setting public inputs.
-    // This looks expensive (1853 gates) but gets amortized in real circuits since most range tables
-    // already exist from other bigfield operations.
-    // Mega uses goblin_field (2 limbs) which is much cheaper (8 gates).
-    static constexpr size_t NUM_GATES_ADDED = IsMegaBuilder<Builder> ? 8 : 1853;
+    // Both builders now use the optimized path: 8 fix_witness gates for the 8 combined limbs.
+    // This bypasses bigfield's expensive self_reduce() for Ultra.
+    static constexpr size_t NUM_GATES_ADDED = 8;
 
     Builder builder;