✖️ Modular exponentiation implementation

[ZamDimon]

What ❔

This pull request adds the modular exponentiation (modexp) implementation, that is, performing an operation $b^e \; \text{mod} \; m$.

While implementing the modexp, we have also implemented the modular multiplication (modmul) that calculates $a \times b \; \text{mod} \; m$.

Why ❔

To further have the modexp precompile, we need the corresponding implementation over a tuple of (UInt256<F>, UInt256<F>, UInt256<F>).

Checklist

• PR title corresponds to the body of PR (we generate changelog entries from PRs).
• Tests for the changes have been added / updated.
• Documentation comments have been added / updated.
• Code has been formatted via zk fmt and zk lint.

[jules]

could it potentially be cheaper to do this with a.to_low() rather than making a UInt512 for b and incurring the extra constraints during the sub?

[jules]

what i mean here is something like this:

let high = a.to_high();
let under_256 = high.is_zero(cs);
let over_256 = under_256.negated(cs);
let low = a.to_low();
let (sub, overflow) = b.overflowing_sub(cs, low);
let a_equal_b = sub.is_zero(cs);
Boolean::multi_or(cs, &[overflow, a_equal_b, over_256])

i think it may be a little cheaper

[ZamDimon]

Yeah, sub for two UInt256<F> should be indeed much cheaper than for two UInt512<F>, fixed!

[jules]

small nit: they are represented as arrays of UInt32, not UInt8 :)

[ZamDimon]

Oooops, indeed my bad, fixed :)

[ZamDimon]

modexp will be transferred to era-zkevm_circuits and will not be included in era-boojum. Therefore, we close this pull request. For helper gadgets, see PR #38.