chore: Standardise native public input handling

barretenberg/cpp/src/barretenberg/api/api_ultra_honk.cpp

@@ -10,7 +10,7 @@
 #include "barretenberg/dsl/acir_proofs/honk_contract.hpp"
 #include "barretenberg/dsl/acir_proofs/honk_zk_contract.hpp"
 #include "barretenberg/honk/proof_system/types/proof.hpp"
-#include "barretenberg/honk/types/aggregation_object_type.hpp"
+#include "barretenberg/special_public_inputs/special_public_inputs.hpp"
 #include "barretenberg/srs/global_crs.hpp"
 
 namespace bb {
@@ -87,16 +87,22 @@ PubInputsProofAndKey<Flavor> _prove(const bool compute_vk,
     UltraProver_<Flavor> prover{ proving_key, vk };
 
     Proof concat_pi_and_proof = prover.construct_proof();
-    size_t num_inner_public_inputs = prover.proving_key->num_public_inputs();
-    // Loose check that the public inputs contain a pairing point accumulator, doesn't catch everything.
-    BB_ASSERT_GTE(prover.proving_key->num_public_inputs(),
-                  PAIRING_POINTS_SIZE,
-                  "Public inputs should contain a pairing point accumulator.");
-    num_inner_public_inputs -= PAIRING_POINTS_SIZE;
-    if constexpr (HasIPAAccumulator<Flavor>) {
-        BB_ASSERT_GTE(num_inner_public_inputs, IPA_CLAIM_SIZE, "Public inputs should contain an IPA claim.");
-        num_inner_public_inputs -= IPA_CLAIM_SIZE;
-    }
+    // Compute number of inner public inputs. Perform loose checks that the public inputs contain enough data.
+    auto num_inner_public_inputs = [&]() {
+        size_t num_public_inputs = prover.proving_key->num_public_inputs();
+        if constexpr (HasIPAAccumulator<Flavor>) {
+            BB_ASSERT_GTE(num_public_inputs,
+                          RollupIO::PUBLIC_INPUTS_SIZE,
+                          "Public inputs should contain a pairing point accumulator and an IPA claim.");
+            return num_public_inputs - RollupIO::PUBLIC_INPUTS_SIZE;
+        } else {
+            BB_ASSERT_GTE(num_public_inputs,
+                          DefaultIO::PUBLIC_INPUTS_SIZE,
+                          "Public inputs should contain a pairing point accumulator.");
+            return num_public_inputs - DefaultIO::PUBLIC_INPUTS_SIZE;
+        }
+    }();
+
     // We split the inner public inputs, which are stored at the front of the proof, from the rest of the proof. Now,
     // the "proof" refers to everything except the inner public inputs.
     PublicInputsAndProof<Proof> public_inputs_and_proof{

barretenberg/cpp/src/barretenberg/api/prove_tube.cpp

@@ -3,6 +3,7 @@
 #include "barretenberg/common/map.hpp"
 #include "barretenberg/honk/proof_system/types/proof.hpp"
 #include "barretenberg/stdlib/client_ivc_verifier/client_ivc_recursive_verifier.hpp"
+#include "barretenberg/stdlib/special_public_inputs/special_public_inputs.hpp"
 
 namespace bb {
 /**
@@ -17,6 +18,8 @@ void prove_tube(const std::string& output_path, const std::string& vk_path)
 
     using Builder = UltraCircuitBuilder;
     using StdlibProof = ClientIVCRecursiveVerifier::StdlibProof;
+    using HidingKernelIO = stdlib::recursion::honk::HidingKernelIO<Builder>;
+    using RollupIO = stdlib::recursion::honk::RollupIO;
 
     std::string proof_path = output_path + "/proof";
 
@@ -34,7 +37,7 @@ void prove_tube(const std::string& output_path, const std::string& vk_path)
     // The public inputs in the proof are propagated to the base rollup by making them public inputs of this circuit.
     // Exclude the public inputs of the Hiding Kernel: the pairing points are handled separately, the ecc op tables are
     // not needed after this point
-    auto num_inner_public_inputs = vk.mega->num_public_inputs - HidingKernelIO<Builder>::PUBLIC_INPUTS_SIZE;
+    auto num_inner_public_inputs = vk.mega->num_public_inputs - HidingKernelIO::PUBLIC_INPUTS_SIZE;
     for (size_t i = 0; i < num_inner_public_inputs; i++) {
         stdlib_proof.mega_proof[i].set_public();
     }

barretenberg/cpp/src/barretenberg/bb/cli.cpp

@@ -25,7 +25,6 @@
 #include "barretenberg/bbapi/c_bind.hpp"
 #include "barretenberg/common/thread.hpp"
 #include "barretenberg/flavor/ultra_rollup_flavor.hpp"
-#include "barretenberg/honk/types/aggregation_object_type.hpp"
 #include "barretenberg/srs/factories/native_crs_factory.hpp"
 #include "barretenberg/srs/global_crs.hpp"
 #include <fstream>

barretenberg/cpp/src/barretenberg/bbapi/bbapi_ultra_honk.cpp

@@ -7,7 +7,6 @@
 #include "barretenberg/dsl/acir_format/acir_to_constraint_buf.hpp"
 #include "barretenberg/dsl/acir_format/serde/witness_stack.hpp"
 #include "barretenberg/flavor/mega_flavor.hpp"
-#include "barretenberg/honk/types/aggregation_object_type.hpp"
 #include "barretenberg/ultra_honk/decider_proving_key.hpp"
 #include "barretenberg/ultra_honk/ultra_prover.hpp"
 #include "barretenberg/ultra_honk/ultra_verifier.hpp"

barretenberg/cpp/src/barretenberg/commitment_schemes/claim.hpp

@@ -7,7 +7,6 @@
 #pragma once
 
 #include "barretenberg/commitment_schemes/commitment_key.hpp"
-#include "barretenberg/honk/types/aggregation_object_type.hpp"
 #include "barretenberg/polynomials/polynomial.hpp"
 #include "barretenberg/stdlib/primitives/curves/grumpkin.hpp"
 
@@ -64,8 +63,10 @@ template <typename Curve> class OpeningClaim {
     // commitment to univariate polynomial p(X)
     Commitment commitment;
 
-    // Size of public inputs representation of an opening claim over Grumpkin
-    static constexpr size_t PUBLIC_INPUTS_SIZE = IPA_CLAIM_SIZE;
+    static constexpr bool IS_GRUMPKIN =
+        std::is_same_v<Curve, curve::Grumpkin> || std::is_same_v<Curve, stdlib::grumpkin<UltraCircuitBuilder>>;
+    // Size of public inputs representation of an opening claim over Grumpkin: 2 * 4 + 2 = 10
+    static constexpr size_t PUBLIC_INPUTS_SIZE = IS_GRUMPKIN ? GRUMPKIN_OPENING_CLAIM_SIZE : INVALID_PUBLIC_INPUTS_SIZE;
 
     /**
      * @brief Set the witness indices for the opening claim to public
@@ -91,8 +92,6 @@ template <typename Curve> class OpeningClaim {
         const std::span<const stdlib::field_t<Builder>, PUBLIC_INPUTS_SIZE>& limbs)
         requires(std::is_same_v<Curve, stdlib::grumpkin<UltraCircuitBuilder>>)
     {
-        BB_ASSERT_EQ(2 * Fr::PUBLIC_INPUTS_SIZE + Commitment::PUBLIC_INPUTS_SIZE, PUBLIC_INPUTS_SIZE);
-
         const size_t FIELD_SIZE = Fr::PUBLIC_INPUTS_SIZE;
         const size_t COMMITMENT_SIZE = Commitment::PUBLIC_INPUTS_SIZE;
         std::span<const stdlib::field_t<Builder>, FIELD_SIZE> challenge_limbs{ limbs.data(), FIELD_SIZE };
@@ -111,19 +110,18 @@ template <typename Curve> class OpeningClaim {
      * @note Implemented for native curve::Grumpkin for use with IPA.
      *
      */
-    static OpeningClaim<Curve> reconstruct_from_public(const std::span<const bb::fr, IPA_CLAIM_SIZE>& ipa_claim_limbs)
+    static OpeningClaim<Curve> reconstruct_from_public(const std::span<const bb::fr, PUBLIC_INPUTS_SIZE>& limbs)
         requires(std::is_same_v<Curve, curve::Grumpkin>)
     {
-        size_t index = 0;
-        std::span<const bb::fr> challenge_limbs = ipa_claim_limbs.subspan(index, FQ_PUBLIC_INPUT_SIZE);
-        index += FQ_PUBLIC_INPUT_SIZE;
-        std::span<const bb::fr> evaluation_limbs = ipa_claim_limbs.subspan(index, FQ_PUBLIC_INPUT_SIZE);
-        index += FQ_PUBLIC_INPUT_SIZE;
-        std::span<const bb::fr> point_limbs = ipa_claim_limbs.subspan(index, 2 * FR_PUBLIC_INPUTS_SIZE);
-
-        auto challenge = fq::reconstruct_from_public(challenge_limbs);
-        auto evaluation = fq::reconstruct_from_public(evaluation_limbs);
-        typename Curve::AffineElement commitment = Curve::AffineElement::reconstruct_from_public(point_limbs);
+        const size_t FIELD_SIZE = Fr::PUBLIC_INPUTS_SIZE;
+        const size_t COMMITMENT_SIZE = Commitment::PUBLIC_INPUTS_SIZE;
+        std::span<const bb::fr, FIELD_SIZE> challenge_limbs{ limbs.data(), FIELD_SIZE };
+        std::span<const bb::fr, FIELD_SIZE> evaluation_limbs{ limbs.data() + FIELD_SIZE, FIELD_SIZE };
+        std::span<const bb::fr, COMMITMENT_SIZE> commitment_limbs{ limbs.data() + 2 * FIELD_SIZE, COMMITMENT_SIZE };
+
+        Fr challenge = Fr::reconstruct_from_public(challenge_limbs);
+        Fr evaluation = Fr::reconstruct_from_public(evaluation_limbs);
+        Commitment commitment = Commitment::reconstruct_from_public(commitment_limbs);
 
         return OpeningClaim<Curve>{ { challenge, evaluation }, commitment };
     }

barretenberg/cpp/src/barretenberg/commitment_schemes/pairing_points.hpp

@@ -8,7 +8,6 @@
 
 #include "barretenberg/commitment_schemes/commitment_key.hpp"
 #include "barretenberg/commitment_schemes/verification_key.hpp"
-#include "barretenberg/honk/types/aggregation_object_type.hpp"
 #include "barretenberg/polynomials/polynomial.hpp"
 #include "barretenberg/stdlib/primitives/curves/grumpkin.hpp"
 
@@ -30,6 +29,8 @@ class PairingPoints {
     using VerifierCK = VerifierCommitmentKey<curve::BN254>;
 
   public:
+    static constexpr size_t PUBLIC_INPUTS_SIZE = PAIRING_POINTS_SIZE;
+
     Point P0 = Point::infinity();
     Point P1 = Point::infinity();
 
@@ -43,10 +44,13 @@ class PairingPoints {
      * @brief Reconstruct the pairing points from limbs stored on the public inputs.
      *
      */
-    static PairingPoints reconstruct_from_public(const std::span<const Fr, PAIRING_POINTS_SIZE>& limbs_in)
+    static PairingPoints reconstruct_from_public(const std::span<const Fr, PUBLIC_INPUTS_SIZE>& limbs_in)
     {
-        Point P0 = Point::reconstruct_from_public(limbs_in.subspan(0, 2 * FQ_PUBLIC_INPUT_SIZE));
-        Point P1 = Point::reconstruct_from_public(limbs_in.subspan(2 * FQ_PUBLIC_INPUT_SIZE, 2 * FQ_PUBLIC_INPUT_SIZE));
+        const std::span<const bb::fr, Point::PUBLIC_INPUTS_SIZE> P0_limbs(limbs_in.data(), Point::PUBLIC_INPUTS_SIZE);
+        const std::span<const bb::fr, Point::PUBLIC_INPUTS_SIZE> P1_limbs(limbs_in.data() + Point::PUBLIC_INPUTS_SIZE,
+                                                                          Point::PUBLIC_INPUTS_SIZE);
+        Point P0 = Point::reconstruct_from_public(P0_limbs);
+        Point P1 = Point::reconstruct_from_public(P1_limbs);
 
         return PairingPoints{ P0, P1 };
     }

barretenberg/cpp/src/barretenberg/dsl/acir_format/honk_recursion_constraint.cpp

@@ -11,7 +11,6 @@
 #include "barretenberg/flavor/ultra_recursive_flavor.hpp"
 #include "barretenberg/flavor/ultra_rollup_recursive_flavor.hpp"
 #include "barretenberg/flavor/ultra_zk_recursive_flavor.hpp"
-#include "barretenberg/honk/types/aggregation_object_type.hpp"
 #include "barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.hpp"
 #include "barretenberg/stdlib/pairing_points.hpp"
 #include "barretenberg/stdlib/primitives/bigfield/constants.hpp"
@@ -55,6 +54,9 @@ void create_dummy_vkey_and_proof(typename Flavor::CircuitBuilder& builder,
 {
     using Builder = typename Flavor::CircuitBuilder;
     using NativeFlavor = typename Flavor::NativeFlavor;
+
+    static constexpr size_t IPA_CLAIM_SIZE = stdlib::recursion::honk::RollupIO::IpaClaim::PUBLIC_INPUTS_SIZE;
+
     // Set vkey->circuit_size correctly based on the proof size
     BB_ASSERT_EQ(proof_size, NativeFlavor::PROOF_LENGTH_WITHOUT_PUB_INPUTS);
     // a lambda that adds dummy commitments (libra and gemini)
@@ -83,10 +85,8 @@ void create_dummy_vkey_and_proof(typename Flavor::CircuitBuilder& builder,
     // Third key field is the pub inputs offset
     uint32_t pub_inputs_offset = NativeFlavor::has_zero_row ? 1 : 0;
     builder.set_variable(key_fields[offset++].witness_index, pub_inputs_offset);
-    size_t num_inner_public_inputs = public_inputs_size - bb::PAIRING_POINTS_SIZE;
-    if constexpr (HasIPAAccumulator<Flavor>) {
-        num_inner_public_inputs -= bb::IPA_CLAIM_SIZE;
-    }
+    size_t num_inner_public_inputs = HasIPAAccumulator<Flavor> ? public_inputs_size - bb::RollupIO::PUBLIC_INPUTS_SIZE
+                                                               : public_inputs_size - bb::DefaultIO::PUBLIC_INPUTS_SIZE;
 
     for (size_t i = 0; i < Flavor::NUM_PRECOMPUTED_ENTITIES; ++i) {
         set_dummy_commitment(offset);
@@ -110,7 +110,7 @@ void create_dummy_vkey_and_proof(typename Flavor::CircuitBuilder& builder,
     // IPA claim
     // TODO(https://github.com/AztecProtocol/barretenberg/issues/1392): Don't use random elements here.
     if constexpr (HasIPAAccumulator<Flavor>) {
-        for (size_t i = 0; i < bb::IPA_CLAIM_SIZE; i++) {
+        for (size_t i = 0; i < IPA_CLAIM_SIZE; i++) {
             set_dummy_evaluation(offset);
         }
     }
@@ -257,11 +257,13 @@ HonkRecursionConstraintOutput<typename Flavor::CircuitBuilder> create_honk_recur
         size_t size_of_proof_with_no_pub_inputs = input.proof.size();
         size_t total_num_public_inputs = input.public_inputs.size();
         if constexpr (HasIPAAccumulator<Flavor>) {
+            using RollupIO = stdlib::recursion::honk::RollupIO;
             size_of_proof_with_no_pub_inputs -= RollupIO::PUBLIC_INPUTS_SIZE;
             total_num_public_inputs += RollupIO::PUBLIC_INPUTS_SIZE;
         } else {
-            size_of_proof_with_no_pub_inputs -= DefaultIO<Builder>::PUBLIC_INPUTS_SIZE;
-            total_num_public_inputs += DefaultIO<Builder>::PUBLIC_INPUTS_SIZE;
+            using DefaultIO = stdlib::recursion::honk::DefaultIO<Builder>;
+            size_of_proof_with_no_pub_inputs -= DefaultIO::PUBLIC_INPUTS_SIZE;
+            total_num_public_inputs += DefaultIO::PUBLIC_INPUTS_SIZE;
         }
 
         create_dummy_vkey_and_proof<Flavor>(

barretenberg/cpp/src/barretenberg/dsl/acir_format/ivc_recursion_constraint.cpp

@@ -11,7 +11,6 @@
 #include "barretenberg/flavor/flavor.hpp"
 #include "barretenberg/flavor/ultra_recursive_flavor.hpp"
 #include "barretenberg/flavor/ultra_rollup_recursive_flavor.hpp"
-#include "barretenberg/honk/types/aggregation_object_type.hpp"
 #include "barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.hpp"
 #include "barretenberg/stdlib/pairing_points.hpp"
 #include "barretenberg/stdlib/primitives/bigfield/constants.hpp"

barretenberg/cpp/src/barretenberg/dsl/acir_format/mock_verifier_inputs.cpp

@@ -8,7 +8,6 @@
 #include "barretenberg/flavor/flavor.hpp"
 #include "barretenberg/flavor/ultra_recursive_flavor.hpp"
 #include "barretenberg/flavor/ultra_rollup_recursive_flavor.hpp"
-#include "barretenberg/honk/types/aggregation_object_type.hpp"
 #include "barretenberg/stdlib/honk_verifier/ultra_recursive_verifier.hpp"
 #include "barretenberg/stdlib/pairing_points.hpp"
 #include "barretenberg/stdlib/primitives/bigfield/constants.hpp"

barretenberg/cpp/src/barretenberg/dsl/acir_format/proof_surgeon.hpp

@@ -10,8 +10,8 @@
 #include "barretenberg/ecc/curves/bn254/fr.hpp"
 #include "barretenberg/flavor/flavor.hpp"
 #include "barretenberg/honk/proof_system/types/proof.hpp"
-#include "barretenberg/honk/types/aggregation_object_type.hpp"
 #include "barretenberg/serialize/msgpack.hpp"
+#include "barretenberg/special_public_inputs/special_public_inputs.hpp"
 #include "barretenberg/stdlib/proof/proof.hpp"
 #include <barretenberg/common/container.hpp>
 #include <cstdint>
@@ -46,10 +46,9 @@ class ProofSurgeon {
 
         // Get public inputs by cutting them out of the proof
         size_t num_public_inputs_to_extract =
-            static_cast<uint32_t>(verification_key->num_public_inputs) - bb::PAIRING_POINTS_SIZE;
-        if (ipa_accumulation) {
-            num_public_inputs_to_extract -= bb::IPA_CLAIM_SIZE;
-        }
+            ipa_accumulation
+                ? static_cast<uint32_t>(verification_key->num_public_inputs) - bb::RollupIO::PUBLIC_INPUTS_SIZE
+                : static_cast<uint32_t>(verification_key->num_public_inputs) - bb::DefaultIO::PUBLIC_INPUTS_SIZE;
         debug("proof size: ", proof.size());
         debug("number of public inputs to extract: ", num_public_inputs_to_extract);
         std::vector<FF> public_inputs =

barretenberg/cpp/src/barretenberg/ecc/curves/bn254/fq.hpp

@@ -16,11 +16,6 @@
 // NOLINTBEGIN(cppcoreguidelines-avoid-c-arrays)
 namespace bb {
 
-// TODO(https://github.com/AztecProtocol/barretenberg/issues/1478): Can we define this constant as part of the
-// parameters and make it avaiable via the interface of field<T>?
-// A point in Fq is represented with 4 public inputs
-static constexpr size_t FQ_PUBLIC_INPUT_SIZE = 4;
-
 class Bn254FqParams {
     // There is a helper script in ecc/fields/parameter_helper.py that can be used to extract these parameters from the
     // source code
@@ -166,15 +161,15 @@ class Bn254FqParams {
     // The modulus is larger than BN254 scalar field modulus, so it maps to two BN254 scalars
     static constexpr size_t NUM_BN254_SCALARS = 2;
     static constexpr size_t MAX_BITS_PER_ENDOMORPHISM_SCALAR = 128;
+
+    // A point in Fq is represented as a bigfield element in the public inputs, so 4 public inputs
+    static constexpr size_t PUBLIC_INPUTS_SIZE = BIGFIELD_PUBLIC_INPUTS_SIZE;
 };
 
 using fq = field<Bn254FqParams>;
 
-template <> template <> inline fq fq::reconstruct_from_public(const std::span<const bb::fr>& limbs)
+template <> template <> inline fq fq::reconstruct_from_public(const std::span<const bb::fr, PUBLIC_INPUTS_SIZE>& limbs)
 {
-    // A point in Fq is represented with 4 public inputs
-    BB_ASSERT_EQ(limbs.size(), FQ_PUBLIC_INPUT_SIZE, "Incorrect number of limbs");
-
     const uint256_t limb = static_cast<uint256_t>(limbs[0]) +
                            (static_cast<uint256_t>(limbs[1]) << bb::stdlib::NUM_LIMB_BITS_IN_FIELD_SIMULATION) +
                            (static_cast<uint256_t>(limbs[2]) << (bb::stdlib::NUM_LIMB_BITS_IN_FIELD_SIMULATION * 2)) +

barretenberg/cpp/src/barretenberg/ecc/curves/bn254/fr.hpp

@@ -11,14 +11,12 @@
 #include <ostream>
 
 #include "../../fields/field.hpp"
+#include "barretenberg/honk/types/public_inputs_type.hpp"
 
 // NOLINTBEGIN(cppcoreguidelines-avoid-c-arrays)
 
 namespace bb {
 
-// A point in Fr is represented with 1 public input
-static constexpr size_t FR_PUBLIC_INPUTS_SIZE = 1;
-
 class Bn254FrParams {
     // There is a helper script in ecc/fields/parameter_helper.py that can be used to extract these parameters from the
   public:
@@ -168,15 +166,15 @@ class Bn254FrParams {
     // This is a BN254 scalar, so it represents one BN254 scalar
     static constexpr size_t NUM_BN254_SCALARS = 1;
     static constexpr size_t MAX_BITS_PER_ENDOMORPHISM_SCALAR = 128;
+
+    // A point in Fr is represented with 1 public input
+    static constexpr size_t PUBLIC_INPUTS_SIZE = FR_PUBLIC_INPUTS_SIZE;
 };
 
 using fr = field<Bn254FrParams>;
 
-template <> template <> inline fr fr::reconstruct_from_public(const std::span<const fr>& limbs)
+template <> template <> inline fr fr::reconstruct_from_public(const std::span<const fr, PUBLIC_INPUTS_SIZE>& limbs)
 {
-
-    BB_ASSERT_EQ(limbs.size(), FR_PUBLIC_INPUTS_SIZE, "Incorrect number of limbs");
-
     return fr(limbs[0]);
 }
 

barretenberg/cpp/src/barretenberg/ecc/curves/bn254/g1.hpp

@@ -40,24 +40,3 @@ inline std::string msgpack_schema_name(bb::g1::affine_element const& /*unused*/)
 {
     return "G1AffineElement";
 }
-
-// Specialize the reconstruct from public method
-template <>
-inline bb::g1::affine_element bb::g1::affine_element::reconstruct_from_public(const std::span<const bb::fr>& limbs)
-{
-    BB_ASSERT_EQ(limbs.size(), 2 * FQ_PUBLIC_INPUT_SIZE, "Incorrect number of limbs");
-
-    auto x_limbs = limbs.subspan(0, FQ_PUBLIC_INPUT_SIZE);
-    auto y_limbs = limbs.subspan(FQ_PUBLIC_INPUT_SIZE, FQ_PUBLIC_INPUT_SIZE);
-
-    affine_element result;
-    result.x = Fq::reconstruct_from_public(x_limbs);
-    result.y = Fq::reconstruct_from_public(y_limbs);
-
-    if (result.x == Fq::zero() && result.y == Fq::zero()) {
-        result.self_set_infinity();
-    }
-
-    ASSERT(result.on_curve());
-    return result;
-}

barretenberg/cpp/src/barretenberg/ecc/curves/bn254/g2.hpp

@@ -37,4 +37,4 @@ struct Bn254G2Params {
 };
 
 using g2 = group<fq2, fr, Bn254G2Params>;
-} // namespace bb
+} // namespace bb

barretenberg/cpp/src/barretenberg/ecc/curves/grumpkin/grumpkin.hpp

@@ -79,25 +79,3 @@ class Grumpkin {
     static constexpr uint32_t LIBRA_UNIVARIATES_LENGTH = 3;
 };
 } // namespace bb::curve
-
-// Specialize the reconstruct from public method
-template <>
-inline bb::grumpkin::g1::affine_element bb::grumpkin::g1::affine_element::reconstruct_from_public(
-    const std::span<const bb::fr>& limbs)
-{
-    BB_ASSERT_EQ(limbs.size(), 2 * FR_PUBLIC_INPUTS_SIZE, "Incorrect number of limbs");
-
-    auto x_limbs = limbs.subspan(0, FR_PUBLIC_INPUTS_SIZE);
-    auto y_limbs = limbs.subspan(FR_PUBLIC_INPUTS_SIZE, FR_PUBLIC_INPUTS_SIZE);
-
-    affine_element result;
-    result.x = Fq::reconstruct_from_public(x_limbs);
-    result.y = Fq::reconstruct_from_public(y_limbs);
-
-    if (result.x == Fq::zero() && result.y == Fq::zero()) {
-        result.self_set_infinity();
-    }
-
-    ASSERT(result.on_curve());
-    return result;
-}