How to compare two field elements in Arithmetic Circuit?

Question

Given two field elements as input of Arithmetic Circuit (consists of adding gates and multiplicating gates only), how could I output the bigger one? Or, how to place the gates in order to distinguish which one is bigger (using Arithmetic Circuit)? Could you please describe the method in picture?

In Zero-knowledge Proof, the statement to be proved would be described in a standard form first, such as Boolean Circuit / Arithmetic Circuits / R1CS. General proof schemes could deal with any kind of statement, so that any type of function could be conveyed by Arithmetic Circuit. Then, if Boolean Circuit can implement the comparison function, I think Arithmetic Circuit would definitely be able to do the same thing. A majority of online materials look like "you can compile any statement into R1CS easily". But when it comes to the specific way to implement a function (I mean, how to place the gates in a circuit), there are few discussions on the Internet. Most results from the search engine are "full-adder" "xor gate" "introduction to zk-SNARKs" "verilog" "circuit complexity" and so on, which is not helpful enough.

I know comparison can be implemented easily on Boolean Circuits, but I still need to implement it on Arithmetic Circuits, which consists of adding gates and multiplicating gates only. I used to think it is an easy target, but I discovered that I probably underestimated its difficulty. My classmate told me that "such an Arithmetic Circuit would be very complex", but even then, I am still wondering how complex (in specific) it would be. There is another Q&A on StackExchange (Boolean Circuits vs Arithmetic Circuits) that has introduced a method to emulate boolean gates on Arithmetic Circuits, which I thought would be helpful to me. However, I could not verify its validity. For example, 2 and 5 = 0010 and 0101 = 0000, but according to the QA, the result would be 2·5=10 (1010).

I want to implement a comparison function described above using Arithmetic Circuit (just ciruit, no need to be zero-knowledge), could you please teach me how to place the adding gates and multiplicating gates? If it would be a very complex circuit, how to analyze that how many gates are exactly enough?

Answer 1

You have misread my answer here. When converting a boolean circuit into an equivalent arithmetic circuit, you need to

(1) Take your inputs over the field and convert them into bitstrings (e.g. through their integer representation if you use a prime order field)

(2) Encode each bit individually as the 0 or 1 element of the field

(3) Emulate the standard boolean basis $\{\mathsf{not}, \wedge, \oplus\}$ using arithmetic operations. Concretely:

• $\mathsf{not}(x) = 1-x$
• $x \wedge y = x \cdot y$
• $x \oplus y = x + y - 2x\cdot y$,

where $-, +,\cdot$ are substraction, addition, and product over the field. Here, the operations are only performed on individual bits $x$ and $y$ (encoded as the 0-element or the 1-element of the field).

Back to your question: it is not possible to write an arithmetic circuit that will directly take as inputs two field elements and output the result of the comparison (there are impossibility results for that, though I don't have a pointer in mind right now).

EDIT: more precisely, this is possible, but only for arithmetic circuits over small fields. Concretely, the size of the circuit might blow up by a factor proportional to the field size $|\mathbb{F}|$, which becomes exponentially large as soon as we use exponential-size fields.

If you want instead the blow-up to be polynomial in $\log|\mathbb{F}|$, you need to first do the bit decomposition of the (representation of your) field elements, and input the individual bits of the representation to the arithmetic circuit. Then the arithmetic circuit can emulate an arbitrary boolean circuit of your choice, such as comparison, with only a $\mathsf{poly}(\log|\mathbb{F}|)$ slowdown.

Answer 2

As far as I know, "the bigger one" has no canonical definition in a finite field. At least, there is no total order compatible with addition, that is such that $a\le b$ and $a'\le b'$ implies $a+a'\le b+b'$ (as we have in fields $\mathbb Q$ and $\mathbb R$).

Thus, we first need to select some ordering criteria. A most natural candidate definition uses a mapping of the field $\mathbb F_{p^k}$ to $[0,p^k)$ (the non-negative integers less than $p^k$) as follows: consider the polynomial representing a field element as with all the terms of the polynomial in $[0,p)$, and evaluate that polynomial‡ in $\mathbb N$ at point $p$. We then build a total order on the field from the canonical total order in $\mathbb N$.

Once we have defined "the bigger one" one way or another, that defines a $\max$ function from $\mathbb F_{p^k}\times\mathbb F_{p^k}$ to $\mathbb F_{p^k}$. And there is a generic method to implement any function with such domain using an arithmetic circuit, as a polynomial of the two inputs:

• for each $J$ in the field we can build a Lagrange polynomials $P_J(X)$ with coefficients in the field evaluating to $1$ if $X=J$ and $0$ otherwise, per$$P_J(X)=-\prod_{I\ne J}(X-I)$$
• and now $\max(X,Y)$ can be built as a polynomial, per$$\max(X,Y)=\sum_{I,J}\bigl(\max(I,J)\,P_I(X)\,P_J(Y)\bigr)$$

This polynomial can be developed into the sum of terms $U_{i,j}\,X^i\,Y^j$ with $i,j\in[0,p^k)$ where $U_{i,j}$, $X$ and $Y$ are elements of the field $\mathbb F_{p^k}$. At least $U_{0,0}$ is zero, and $U_{i,j}=U_{j,i}$.

Example: For field $\mathbb F_7$ and the above definition, $\max(x,y)$ is $(3 x^6 y^2+3 x^6 y+x^5 y^3+6 x^5 y+4 x^4 y^4+3 x^4 y^2+x^3 y^5+3 x^3 y^3+3 x^3 y+3 x^2 y^6+3 x^2 y^4+x^2 y^2+3 x y^6+6 x y^5+3 x y^3+2 x y+x+y)\bmod 7$.

I wonder if there are much simpler expressions of that polynomial, and/or if one even simpler can be made by loosening the order.

[Clarified] I'm willing to trust the other answer+comment's statement that it's provably impossible to craft an arithmetic circuit of size polynomial in $k\log p$ that implements $\max(X,Y)$ as defined above.

---

‡ _{For $k=1$, this is comparison in $[0,p)$. For $p=2$, this is unsigned binary conversion then comparison in $[0,2^k)$. More generally this is base-$p$ conversion then comparison in $[0,p^k)$.}