feat(avm): constrain sha256 #11048
feat(avm): constrain sha256 #11048
Conversation
This stack of pull requests is managed by Graphite. Learn more about stacking. |
IlyasRidhuan
force-pushed
the
ir/01-03-feat_constrain_sha256
branch
from
edd1c61 to
1f4a5bf
Compare
IlyasRidhuan
requested review from
jeanmon,
fcarreiro and
Maddiaa0
as code owners
IlyasRidhuan
requested review from
fcarreiro and
dbanks12
and removed request for
fcarreiro and
Maddiaa0
IlyasRidhuan
force-pushed
the
ir/01-03-feat_constrain_sha256
branch
from
1f4a5bf to
87cef77
Compare
| sel * (1 - sel) = 0; | ||
| // For the XOR lookups | ||
| pol commit xor_sel; | ||
| perform_round * (xor_sel - 2) = 0; |
There was a problem hiding this comment.
We should introduce constant for op_id of OR, AND, XOR and use it instead of hardcoded '2'.
| perform_round * (xor_sel - 2) = 0; | ||
| // For the AND lookups | ||
| pol commit and_sel; | ||
| and_sel = 0; |
There was a problem hiding this comment.
Same as above.
Maybe add a note that, once we support constant in a tuple member of a lookup, we will not need to define this column anymore.
|
|
||
| // Counter | ||
| pol commit rounds_remaining; | ||
| start * (rounds_remaining - 64) + perform_round * (rounds_remaining - rounds_remaining' - 1) = 0; |
There was a problem hiding this comment.
Please define a constant for 64.
| }; | ||
|
|
||
| template <typename DestRow> | ||
| void merge_into(DestRow& dest, FixedSha256ConstantsTable::Sha256ConstantsRow const& src, uint32_t multiplicity) |
There was a problem hiding this comment.
| void merge_into(DestRow& dest, FixedSha256ConstantsTable::Sha256ConstantsRow const& src, uint32_t multiplicity) | |
| void merge_into(DestRow& dest, const FixedSha256ConstantsTable::Sha256ConstantsRow& src, uint32_t multiplicity) |
| }; | ||
|
|
||
| template <typename DestRow> | ||
| void merge_into(DestRow& dest, FixedSha256ConstantsTable::Sha256ConstantsRow const& src, uint32_t multiplicity) |
There was a problem hiding this comment.
| void merge_into(DestRow& dest, FixedSha256ConstantsTable::Sha256ConstantsRow const& src, uint32_t multiplicity) | |
| void merge_into(DestRow& dest, const FixedSha256ConstantsTable::Sha256ConstantsRow& src, uint32_t multiplicity) |
| return output; | ||
| } | ||
|
|
||
| static std::tuple<uint32_t, uint32_t> bit_limbs(uint32_t const& a, uint8_t const b) |
There was a problem hiding this comment.
| static std::tuple<uint32_t, uint32_t> bit_limbs(uint32_t const& a, uint8_t const b) | |
| static std::tuple<uint32_t, uint32_t> bit_limbs(const uint32_t a, const uint8_t b) |
| { | ||
|
|
||
| for (size_t i = 0; i < sha256_trace.size(); i++) { | ||
| auto const& src = sha256_trace.at(i); |
There was a problem hiding this comment.
| auto const& src = sha256_trace.at(i); | |
| const auto& src = sha256_trace.at(i); |
IlyasRidhuan
force-pushed
the
ir/01-03-feat_constrain_sha256
branch
from
87cef77 to
eb03f46
Compare
IlyasRidhuan
force-pushed
the
ir/01-03-feat_constrain_sha256
branch
from
eb03f46 to
8c6e5a8
Compare
IlyasRidhuan
changed the base branch from
master
to
ir/01-21-fix_hardcode_value_in_constants
IlyasRidhuan
force-pushed
the
ir/01-03-feat_constrain_sha256
branch
3 times, most recently
from
1f891fb to
c6ffba9
Compare
IlyasRidhuan
force-pushed
the
ir/01-03-feat_constrain_sha256
branch
from
c6ffba9 to
c3f7087
Compare
IlyasRidhuan
force-pushed
the
ir/01-03-feat_constrain_sha256
branch
from
c3f7087 to
6f9fbd0
Compare
|
|
||
| // SHA256 Round Params Lookup | ||
| pol constant sel_sha256_compression; |
There was a problem hiding this comment.
I think you need to do tracegen for these
- add to the precomputed trace
- add it in the tracegen helper
| builder.process(sha256_event_container, trace); | ||
|
|
||
| TestTraceContainer::RowTraceContainer rows = trace.as_rows(); | ||
| rows[0].precomputed_first_row = 1; |
There was a problem hiding this comment.
do you need this? doesnt seem used in the pil file?
| using C = Column; | ||
| using sha256 = bb::avm2::sha256<FF>; | ||
|
|
||
| // This test imports a bunch of external code since hand-generating the sha256 trace is a bit laborious atm. |
There was a problem hiding this comment.
Please add an "empty row test": just a single row with precomputed_first_row = 1 and run the whole relation. This is to check that the relation passes on empty rows (and kind of test skippable). See David's PR.
|
|
||
| TestTraceContainer::RowTraceContainer rows = trace.as_rows(); | ||
| rows[0].precomputed_first_row = 1; | ||
| rows[0].sha256_latch = 1; |
There was a problem hiding this comment.
why isnt tracegen doing this?
|
|
||
| check_relation<sha256>(rows); | ||
| } | ||
|
|
There was a problem hiding this comment.
No negative tests now or no negative tests ever? :)
| } | ||
|
|
||
| // Computes and returns the message schedule (w) value for that round, and inserts witness data into the trace. | ||
| uint32_t Sha256TraceBuilder::compute_w_with_witness(std::array<uint32_t, 16> prev_w_helpers, TraceContainer& trace) |
There was a problem hiding this comment.
I will consider taking the trace in the constructor so that we can eventually avoid passing it everywhere.
| state[6], /*h = g*/ | ||
| }; | ||
| } | ||
|
|
There was a problem hiding this comment.
I will trust you for most of this. But indeed you effort paid off. It's looking much better now!
| @@ -0,0 +1,375 @@ | |||
| include "precomputed.pil"; | |||
| namespace sha256; | |||
| namespace sha256; | ||
|
|
||
| // Memory ops | ||
| pol commit state_offset; |
There was a problem hiding this comment.
We are not indenting in the other files, since there is only 1 namespace expected, does it make sense?
| // binary.start {binary.acc_ia, binary.acc_ib, binary.acc_ic, binary.op_id}; | ||
|
|
||
| pol commit ch; | ||
| // #[LOOKUP_CH_XOR] |
There was a problem hiding this comment.
(not this one)
You can add lookups into precomputed I think. See how David did it.
| // Load 8 elements representing the state from memory. | ||
| for (uint32_t i = 0; i < 8; ++i) { | ||
| auto memory_value = memory.get(state_addr + i).value; | ||
| /*Check Tag is U32 */ |
There was a problem hiding this comment.
missing " ", same below in the other check tag
| // Load 16 elements representing the input from memory. | ||
| for (uint32_t i = 0; i < 16; ++i) { | ||
| auto memory_value = memory.get(input_addr + i).value; | ||
| /*Check Tag is U32 */ |
There was a problem hiding this comment.
Is this an error handling TODO? Do you need to check the tags here? if yes please make explicit
| MemoryAddress output_addr) override; | ||
|
|
||
| private: | ||
| EventEmitterInterface<Sha256CompressionEvent>& events; |
There was a problem hiding this comment.
Please add a TODO that we should be using "deduplicating events" here. I'll build the infra at some point.
Sorry, that was wrong. This is memory aware.
Most of the sha256 constraints. The main things missing are:
We'll delay this until vm2 re-design