‍Warning: This document provides a technical overview of the Translator Circuit used in the Goblin Plonk proving system. It is intended for understanding the design and optimizations. The code is the source of truth for implementation specifics.

Overview

The Translator circuit is a critical component of the Goblin Plonk proving system in Aztec. It serves as a bridge between the Mega and ECCVM circuits.

Curve	Base Field	Scalar Field	Usage
BN254	$\mathbb{F}_q$	$\mathbb{F}_r$	Used in Mega circuits
Grumpkin	$\mathbb{F}_r$	$\mathbb{F}_q$	Used in ECCVM for efficient EC operations

When proving recursive circuits with Mega circuit builder, we accumulate elliptic curve operations in an EccOpQueue. Proving these ECC operations is delegated to the ECCVM circuit, which operates over the Grumpkin curve. However, the same operations have different representations in the two circuits because:

Mega circuit operates over the BN254 scalar field $\mathbb{F}_r$ so elements in $\mathbb{F}_q$ are non-native (i.e., since $q > r$ they need to be decomposed into limbs in $\mathbb{F}_r$)
ECCVM operates over the Grumpkin scalar field $\mathbb{F}_q$ so elements in $\mathbb{F}_q$ (as well as $\mathbb{F}_r$) are circuit native

For example, consider the operation $(z \cdot P)$ where $P \equiv (P_x, P_y) \in \mathbb{F}_q^2$ is a point on the curve and $z \in \mathbb{F}_r$ is a scalar. The ECCVM arithmetisation represents this operation (in 1 row) as:

Opcode	$x$-coordinate	$y$-coordinate	Scalar $z_1$	Scalar $z_2$	Full scalar $z$
`MUL`	$P_x$	$P_y$	$z_1$	$z_2$	$z$

The Mega circuit arithmetisation represents the same operation (in 2 rows) as:

Column 1	Column 2	Column 3	Column 4
`MUL`	$P_{x, \textsf{lo}}$	$P_{x, \textsf{hi}}$	$P_{y, \textsf{lo}}$
$0$	$P_{y, \textsf{hi}}$	$z_1$	$z_2$

where $P_x = (P_{x, \textsf{lo}} + 2^{136} \cdot P_{x, \textsf{hi}}), \ P_y = (P_{y, \textsf{lo}} + 2^{136} \cdot P_{y, \textsf{hi}})$ and the scalar $z = (z_1 + 2^{128} \cdot z_2)$. Note that the limbs $P_{x/y, \textsf{lo}}, P_{x/y, \textsf{hi}}$ are elements in $\mathbb{F}_r$.

We need to prove that these two representations are consistent, i.e., that the polynomial evaluations computed in the ECCVM circuit (over $\mathbb{F}_q$) match those computed in the Mega circuit (over $\mathbb{F}_r$). The Translator circuit is a custom circuit designed to solve this problem. It:

Receives the ECC op queue in Mega arithmetisation and the batched polynomial evaluation problem from ECCVM (operating over $\mathbb{F}_q$),
Computes the batched polynomial evaluation using non-native field arithmetic in $\mathbb{F}_r$ and,
Verifies that the result matches the evaluation provided by ECCVM.

High-Level Statement

The Translator proves that the ECCVM's batched polynomial evaluation of the ECC operations is computed correctly. Given:

A sequence of UltraOp operations from the EccOpQueue (each containing: $\text{op}, P_x, P_y, z_1, z_2$)
An evaluation challenge $x \in \mathbb{F}_q$
A batching challenge $v \in \mathbb{F}_q$

Prove that: $$\boxed{\text{accumulator}_{\text{final}} = \sum_{i=0}^{n-1} x^{n-1-i} \cdot \left( \text{op}_i + v \cdot P_x^{(i)} + v^2 \cdot P_y^{(i)} + v^3 \cdot z_1^{(i)} + v^4 \cdot z_2^{(i)} \right) \pmod{q}}$$

The batching via powers of $v$ combines the 5 values per operation into a single field element, and the powers of $x$ combine all operations into a single accumulator.

Specifically, for each accumulation step (every 2 rows), prove:

$$\text{acc}_{\text{curr}} = \text{acc}_{\text{prev}} \cdot x + \text{op} + P_x \cdot v + P_y \cdot v^2 + z_1 \cdot v^3 + z_2 \cdot v^4 \pmod{q}$$

Note that we process the EccOpQueue in reverse order while computing the accumulator in steps:

$$ \begin{aligned} \textcolor{orange}{\text{acc}_0} &= \textcolor{lightgrey}{0} \cdot x + \text{op}_{n-1} + P_x^{(n-1)} \cdot v + P_y^{(n-1)} \cdot v^2 + z_1^{(n-1)} \cdot v^3 + z_2^{(n-1)} \cdot v^4 \ \textcolor{lightgreen}{\text{acc}_1} &= \textcolor{orange}{\text{acc}_0} \cdot x + \text{op}_{n-2} + P_x^{(n-2)} \cdot v + P_y^{(n-2)} \cdot v^2 + z_1^{(n-2)} \cdot v^3 + z_2^{(n-2)} \cdot v^4 \ \textcolor{skyblue}{\text{acc}_2} &= \textcolor{lightgreen}{\text{acc}_1} \cdot x + \text{op}_{n-3} + P_x^{(n-3)} \cdot v + P_y^{(n-3)} \cdot v^2 + z_1^{(n-3)} \cdot v^3 + z_2^{(n-3)} \cdot v^4 \ &\ \ \vdots \ \textcolor{brown}{\text{acc}_{n-2}} &= \textcolor{grey}{\text{acc}_{n-3}} \cdot x + \text{op}_1 + P_x^{(1)} \cdot v + P_y^{(1)} \cdot v^2 + z_1^{(1)} \cdot v^3 + z_2^{(1)} \cdot v^4 \ \textcolor{violet}{\text{acc}_{n-1}} &= \textcolor{brown}{\text{acc}_{n-2}} \cdot x + \text{op}_0 + P_x^{(0)} \cdot v + P_y^{(0)} \cdot v^2 + z_1^{(0)} \cdot v^3 + z_2^{(0)} \cdot v^4 \ \end{aligned} $$

The final accumulator value $\textcolor{violet}{\text{acc}_{n-1}}$ is what we need to verify against the ECCVM's output. Note that the "previous" accumulator for the last operation must be 0.

Method: Since we cannot directly compute in $\mathbb{F}_q$ using $\mathbb{F}_r$ arithmetic (as $q \neq r$, and in fact $q > r$), we use non-native field arithmetic. Similar to the technique in bigfield, we prove the equation holds in integers:

$$\text{acc}_{\text{prev}} \cdot x + \text{op} + P_x \cdot v + P_y \cdot v^2 + z_1 \cdot v^3 + z_2 \cdot v^4 - \text{quotient} \cdot q - \text{acc}_{\text{curr}} = 0$$

We verify this by proving the equation holds:

modulo $2^{272}$ (via 68-bit limb arithmetic split into two 136-bit checks)
modulo $r$ (natively in $\mathbb{F}_r$)
with range constraints on all limbs (prevents overflow/underflow)

By the Chinese Remainder Theorem, since $2^{272} \cdot r > 2^{514}$ exceeds the maximum possible value, the equation must hold in integers, and thus modulo $q$. More details on this relation are in RELATIONS.md.

Witness Trace Structure

The Translator circuit has 81 witness columns, organized into:

4 columns: EccOpQueue transcript ($\texttt{op}, P_x, P_y, z_1, z_2$ encoded across 2 rows)
13 columns: Limb decompositions (68-bit limbs for non-native arithmetic)
64 columns: Microlimb decompositions (14-bit microlimbs for range constraints)

The circuit operates on a 2-row cycle structure. Each EccOpQueue entry occupies exactly 2 rows:

Row $2i$ (Even rows): Computation rows where the non-native field relation is actively checked
Row $2i+1$ (Odd rows): Data storage rows that hold values accessed via shifts

While enforcing constraints on the even rows, we can access values from the "next" row (which is odd) using shifted column polynomials. As hinted earlier, the "previous" accumulator value needed for computation is stored at odd row $(2i+1)$. This value becomes the "current" accumulator for the next even row $(2i+2)$:

Operation index	$0$	$1$	$\quad \dots \quad$	$(n-2)$	$(n-1)$
Current accumulator	$\textcolor{violet}{\text{acc}_{n-1}}$	$\textcolor{brown}{\text{acc}_{n-2}}$	$\quad \dots \quad$	$\textcolor{lightgreen}{\text{acc}_{1}}$	$\textcolor{orange}{\text{acc}_{0}}$
Previous accumulator	$\textcolor{brown}{\text{acc}_{n-2}}$	$\textcolor{grey}{\text{acc}_{n-3}}$	$\quad \dots \quad$	$\textcolor{orange}{\text{acc}_{0}}$	$0$

1. EccOpQueue Transcript Columns (4 columns)

These columns directly represent the EccOpQueue transcript:

Column Name	Even Row $(2i)$	Odd Row $(2i+1)$	Description
`OP`	$\texttt{op} \in 0, 3, 4, 8

Table of Contents

Overview

High-Level Statement

Witness Trace Structure

1. EccOpQueue Transcript Columns (4 columns)